Cisco Support Community

New Member

question about cisco nac agent

When I deploy the Cisco NAC appliance, what is the main difference between using it with or without the agent? I see the Cisco NAC agent has two functions: scan and remediation. If the Cisco NAC appliance is used without the agent, the Cisco NAC server will scan and remediate the device. Is that right?

Please answer me early. Thank you for your answer.

New Member

Re: question about cisco nac agent

If the client station does not have an agent running (either full agent or web agent) then scanning and remediation cannot take place.

Devices without an agent can still be given access to the network via Filters, but without the agent, scanning and remediation will not take place.

New Member

Re: question about cisco nac agent

Dear Michael, thank you for your answer. Because I see the agent is optional, if I don't want to use the agent, I think that the NAC server can scan and remediate. If the NAC server can't scan and remediate, the NAC agent is required.

That is my idea. Does anyone have other ideas?

I'm looking for your answer.

Thank you very much.

Re: question about cisco nac agent

The NAC Agent will allow you to access the computer from inside the host firewall; you can also review using the network scanner to assess the computer from outside the firewall.

The agent is optional and its absence will limit your capabilities to scan and remediate.

Check out the NAC Chalk Talks.

Thank You,

Dan Laden

New Member

Re: question about cisco nac agent

Sorry, I believe daldden is correct: without the agent you can still scan using the built-in Nessus scanner.

We don't use the Nessus scanner, but these are some things to consider if you use the scanner. These are from memory though so anyone who actively uses the scanner may be able to give more up to date or complete info:

1) You have to decide which vulnerabilities you want to scan for.

2) The more plug-ins you enable, the longer (obviously) the scan takes.

3) There are configuration steps for many of the plug-ins.

4) Your users will still need to go to a login page in order to be scanned.

5) You have to configure the remediation information (URL, steps, etc) for each plug-in you enable.

From our viewpoint, the only reason we would enable the scanner is if we were looking for a specific vulnerability, perhaps a new threat that didn't yet have a patch. If it had a patch, we would watch for the patch using the agent (installed or web based).

It was much easier for us to use the agent, to scan their system and make sure that the MS critical hot fixes were installed and/or an AV system was installed and up to date. As mentioned, if there is a patch for a vulnerability, you can use the agent to make sure that specific hot fix is installed.

Remember that there is also a web agent. The web agent is an ActiveX or Java (you pick which one you want to use) applet that is loaded onto the person's machine, the system scanned, then the applet is unloaded.

Of course, the agent is only for MSoft (with some MAC options), so if you have Linux systems, the Nessus scanner would be your only option.
