Switch support by Cisco NAC

PWCSinfosec · ‎07-02-2009

We are in the beginning stages of looking to implement NAC. Our network consists of 88 locations all on the same LAN. We want to implement OOB however we have run into a snag where there are an average of 20-30 unmanaged switches at each location that will need to be replaced. Replacing them with Cisco's cheapest switch the 2900 will blow the project cost sky high. Has anyone had any luck using a cheaper non-cisco switch?

michael_dean · ‎07-02-2009

Very doubtful. The OOB option uses SNMP to control the switches, so the cheaper switches would have to support the very same SNMP MIBs (with each OID having the same functionality as a Cisco product).

To use non-Cisco switches, you have to use In-Band (IB) mode.

Without knowing how your network is designed, this question may not be relevant, but could you put an in-band NAC server (with fail-over) at the connection point of each site back to your main site or your core?

PWCSinfosec · ‎07-06-2009

Thanks for the response, I was afraid that was going to be the answer. We considered the inband NAC server at each location, however we have 85 locations, so that gets expensive.

michael_dean · ‎07-06-2009

That would be expensive. Do all of the locations connect back to a central site? If so, what about putting the CAS, in-band, at the central site and use policy routing to route the traffic through it?

That's what we are doing and it allows us to serve multiple sites with a single in-band CAS (or failover pair of CASes).

srue · ‎07-06-2009

If all the locations go through the central site for most of their network access, it doesn't matter - eg servers, Internet, WAN. InBand would be fine in that situation.

http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/switch_spt.html