1. When I deploy NAC, a PC or user device is on the certified list. If the user device is infected by a virus, can the NAC Server recognize the device which is infected and prevent the PC or not, when I deploy out-of-band (not in-band)?
2. When I deploy out-of-band, can the Cisco NAC Appliance configure bandwidth for a group of users or not?
I would not think of the NAC server as an antivirus product. Instead, think of it as a posture assessment device that verifies the PC has antivirus running and up to date. Therefore, assuming the antivirus software catches the example virus and the PC has gone through the NAC's posture assessment, the PC's installed antivirus software will handle the remediation of the virus.
To your second question, yes. In out-of-band deployments a role / group of users can be bandwidth controlled.
The principal point is that all users being assessed by the NAC machine must be routed through the device. Given all users are routed through the device, you are able to control / throttle those users / devices.
1) Answer: No. Clean Access (NAC Appliance) will not detect when a system is infected with a virus, regardless of which deployment (In-Band or Out of Band) is used.
2) Answer: No. When deployed out of band, once the posture is completed, the client traffic no longer goes through the Clean Access server so there is no way to apply bandwidth or any other controls to it via Clean Access. In order to apply bandwidth or access restrictions via CCA, the CCA server would have to be in-band.