Firstly, if this is the wrong section of the forum please let me know which section would be better :)
Something along the following lines has landed in my inbox and I'm trying to work out the best way to tackle it.
We are talking along the lines of 17 medium-sized sites connected via a WAN. From the outside everything is restricted by firewalls. We are looking at a way to control access of "trusted" internal users and what applications/servers they have access to. From a networks point of view I'm trying to find the best product that will meet our needs. We've had a quick look at Network Admission Control (NAC) (formerly Cisco Clean Access). Yes, it can control who/what has access to the network, but can it then be configured to allow configured accounts to have access only to certain systems and not others? Are there any other products that we should take a look at?
I'm still getting into CSA, but this could perhaps help...You can define user settings for certain rule modules, and you can also define network sets, so it may be possible to have a policy that says if user in Group A is trying to access any IP address outside Group A, deny connection. But, since my company is not trying to implement that, I can't say for certain it would work.
Thanks for your post. This is the correct section :)
Cisco Clean Access can do what you're looking for. Everything on CCA is based on User Roles. Based on the user authentication, CCA puts the user into a particular user role (Employee, staff, student, faculty, contractor, guest, etc.).
Based on the user role, you can configure the privileges the user in a particular user role has. You can configure what systems or subnets a particular user role has access to. This is completely configurable based on L3/L4 ACLs configured on CCA.
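To make the role-based model described in the two answers above concrete (a CSA-style "deny anything outside your group" rule and CCA's per-role L3/L4 ACLs), here is an added example that is not from either poster and not CCA or CSA configuration: a small Python model of how a per-role ACL is evaluated, with first-match-wins ordering and an implicit deny at the end. The roles, subnets and ports are constructed for illustration. The `roles_allowed` helper answers the question the original poster is really asking, "which roles can reach this server?", which is the check worth running before rolling such a policy out to 17 sites.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class AclEntry:
    action: str               # "permit" or "deny"
    protocol: str             # "tcp", "udp", or "ip" (any protocol)
    dst_net: str              # destination network in CIDR notation
    dst_port: Optional[int] = None   # None matches any port

# Constructed policy (hypothetical roles and addresses, not a real deployment).
# Each role has an ordered ACL; the first matching entry decides, and anything
# that matches no entry is denied (the implicit deny at the end of every ACL).
ROLE_ACLS = {
    "employee": [
        AclEntry("permit", "tcp", "10.10.0.0/16", 443),   # intranet web apps
        AclEntry("permit", "tcp", "10.20.5.0/24", 22),    # admin SSH to one server subnet
        AclEntry("deny",   "ip",  "10.0.0.0/8"),          # nothing else internal
        AclEntry("permit", "ip",  "0.0.0.0/0"),           # Internet via the firewall
    ],
    "contractor": [
        AclEntry("permit", "tcp", "10.20.5.10/32", 443),  # exactly one application
    ],
    "guest": [
        AclEntry("deny",   "ip",  "10.0.0.0/8"),          # no internal access at all
        AclEntry("permit", "tcp", "0.0.0.0/0", 80),
        AclEntry("permit", "tcp", "0.0.0.0/0", 443),
    ],
}

def entry_matches(entry: AclEntry, protocol: str, dst_ip: str, dst_port: int) -> bool:
    """True if a single ACL entry matches the flow (protocol, destination, port)."""
    if entry.protocol != "ip" and entry.protocol != protocol:
        return False
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(entry.dst_net):
        return False
    if entry.dst_port is not None and entry.dst_port != dst_port:
        return False
    return True

def evaluate(role: str, protocol: str, dst_ip: str, dst_port: int) -> Tuple[str, Optional[int]]:
    """Return (action, index_of_matching_entry). Unknown roles get an empty ACL,
    so they fall through to the implicit deny, which is reported with index None."""
    for idx, entry in enumerate(ROLE_ACLS.get(role, [])):
        if entry_matches(entry, protocol, dst_ip, dst_port):
            return entry.action, idx
    return "deny", None

def roles_allowed(protocol: str, dst_ip: str, dst_port: int) -> List[str]:
    """Audit helper: which configured roles are permitted to reach this service?"""
    return sorted(r for r in ROLE_ACLS if evaluate(r, protocol, dst_ip, dst_port)[0] == "permit")

if __name__ == "__main__":
    for role in ("employee", "contractor", "guest", "intern"):
        print(role, evaluate(role, "tcp", "10.20.5.10", 443))
    print("roles that reach 10.20.5.10:443 ->", roles_allowed("tcp", "10.20.5.10", 443))
```

Two things the model makes visible that are easy to get wrong in the real product: entry order matters (the employee role's "deny 10.0.0.0/8" must come after the specific permits or it swallows them), and a role with no matching entry is denied, so a newly created role starts with no access until you add rules for it.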