Network Admission Control (NAC)

Presenter: Pascal Delprat, pdelprat@cisco.com

©2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential

Agenda
- NAC Concepts
- NAC Appliance Overview
- NAC Framework Overview
- NAC / NAP Q&A

NAC Concepts

Perimeter Security Is Not Enough
Threat vectors have changed: friendly users can be the weakest link in your network's security. Complicated by:
- User types: employees, contractors, guests, partners
- Device types: laptops, PDAs, desktops; managed, unmanaged
- Access types: remote/VPN, wireless, LAN, branch offices
Does each user have:
- Windows Updates?
- Anti-virus software?
- Anti-spyware software?

What Is Network Admission Control?
Network Admission Control (NAC) is a solution that uses the network infrastructure to ensure all devices seeking network access comply with an organization's security policy.
[Diagram: NAC at the centre of identity ("Please enter username:"), device security and network security]

Network Admission Control: NAC Appliance and NAC Framework
NAC Appliance (Clean Access): the best turnkey appliance product for all verticals. Address immediate pain points with CCA.
[Diagram: Clean Access Agent; Discovery, Authentication, Policy, Enforcement, Remediation]
NAC Framework: the best technological approach for Enterprise. Begin a long-term enterprise solution with integrated product and services.
[Diagram: Cisco Trust Agent; Discovery, Authentication, Policy (Cisco Secure ACS, AAA), Enforcement, Remediation (vendor)]

NAC Appliance

NAC Appliance Overview: Components
- Cisco Clean Access Server: serves as an in-band or out-of-band device for network access control
- Cisco Clean Access Manager: centralizes management for administrators, support personnel, and operators
- Cisco Clean Access Agent: optional lightweight client for device-based registry scans in unmanaged environments
- Rule-set Updates: scheduled automatic updates for anti-virus, critical hot-fixes and other applications

NAC Appliance Overview: Components (continued)
- Critical Windows Updates: Windows Vista, XP, 2000, 98, ME
- Anti-Virus Updates
- Anti-Spyware Updates
- Other 3rd Party Checks
Customers can easily add customized checks.

Cisco NAC Appliance Partnerships
Cisco NAC is committed to protecting customers' investments in partner applications. NAC Appliance supports policies for 250+ applications, including these vendors:
[Vendor logos]

NAC Appliance Overview: Process Flow
The goal:
1. End user attempts to access a Web page or uses an optional client. Network access is blocked until the wired or wireless end user provides login information.
2. User is redirected to a login page. NAC Appliance validates username and password, and also performs device and network scans to assess vulnerabilities on the device.
3a. Device is noncompliant or login is incorrect. User is denied access and assigned to a quarantine role with access to online remediation resources.
3b. Device is "clean". Machine gets on the "certified devices list" and is granted access to the network.
[Diagram: Authentication Server, NAC Appliance Server, NAC Appliance Manager, Quarantine Role, Intranet/Network]

NAC Appliance Overview: Agent
[Screenshots: login screen; scan is performed (types of checks depend on user role); scan fails; remediate]

NAC Appliance Overview: Web Login
[Screenshots: login screen; scan is performed (types of checks depend on user role / OS); click-through remediation]
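The admission decision from the process flow, agent and web login slides above, as an added Python model (not Cisco's code and not from the slides): a login check, a scan whose required checks depend on the user's role and OS, the quarantine role with its remediation resources, and the certified devices list. The role names, account records, check names and remediation URLs are constructed for the illustration.

```python
import hmac
from dataclasses import dataclass, field

# Checks the deck names (Windows Updates, anti-virus, anti-spyware, CSA) mapped to
# constructed roles; the deck says which checks run depends on the user role / OS.
REQUIRED_CHECKS = {
    "employee":   {"windows_updates", "antivirus", "antispyware", "csa_running"},
    "contractor": {"windows_updates", "antivirus", "antispyware"},
    "guest":      {"antivirus"},
}
# Critical Windows Updates only apply to the Windows versions the deck lists
WINDOWS_FAMILY = {"Windows Vista", "Windows XP", "Windows 2000", "Windows 98", "Windows ME"}
REMEDIATION_URL = {  # constructed placeholder URLs for the online remediation resources
    "windows_updates": "http://remediation.example/windows-update",
    "antivirus": "http://remediation.example/av",
    "antispyware": "http://remediation.example/antispyware",
    "csa_running": "http://remediation.example/csa",
}


@dataclass
class Decision:
    role: str                                   # "quarantine" or the user's own role
    failed_checks: list = field(default_factory=list)
    remediation: list = field(default_factory=list)


def checks_for(role: str, os_name: str) -> set:
    """Step 2: the check set depends on the role and on the OS."""
    checks = set(REQUIRED_CHECKS[role])
    if os_name not in WINDOWS_FAMILY:
        checks.discard("windows_updates")
    return checks


class NacAppliance:
    def __init__(self, accounts: dict):
        self.accounts = accounts     # username -> (password, role); constructed directory
        self.certified = set()       # the "certified devices list"; MAC in L2 mode, IP in L3 mode

    def admit(self, username: str, password: str, device_id: str,
              os_name: str, posture: dict) -> Decision:
        """posture maps check name -> bool, as reported by the agent or web-login scan."""
        account = self.accounts.get(username)
        if account is None or not hmac.compare_digest(account[0], password):
            return Decision(role="quarantine")            # step 3a: login is incorrect
        role = account[1]
        if device_id in self.certified:                   # already certified: skip the scan
            return Decision(role=role)
        failed = sorted(c for c in checks_for(role, os_name) if not posture.get(c, False))
        if failed:                                        # step 3a: device is noncompliant
            return Decision(role="quarantine", failed_checks=failed,
                            remediation=[REMEDIATION_URL[c] for c in failed])
        self.certified.add(device_id)                     # step 3b: device is "clean"
        return Decision(role=role)
```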

Admin Control with Real-Time Information
[Screenshots: admin view and user view]
Logs can be viewed locally or sent via Syslog to an off-box collection engine for custom reports.

NAC Checks for Endpoint Security Apps
NAC Appliance is preconfigured with checks for popular antivirus, anti-spyware, and other host security applications, like CSA.

CAS: Virtual Gateway & Real IP Gateway
- Clean Access Servers at the most basic level can pass traffic in one of two ways: Bridged Mode = Virtual Gateway; Routed Mode = Real IP Gateway / NAT Gateway
- Any CAS can be configured for either method, but a CAS can only be one at a time
- Gateway mode selection affects the logical traffic path
- Does not affect whether a CAS is in Layer 2 mode, Layer 3 mode, In Band or Out of Band

CAS: Virtual Gateway
- Direct Bridging: Frame Comes In, Frame Goes Out
- VLAN IDs are either passed through untouched or mapped from A to B
- DHCP and Client Routes point directly to network devices on the Trusted side
- CAS is an IP passive bump in the wire, like a transparent firewall

CAS: Real IP / NAT Gateway
- CAS is Routing: Packet Comes In, Packet Goes Out
- VLAN IDs terminate at the CAS, no pass-through or mapping
- DHCP and Client Routes usually point to the CAS for /30
- CAS is an active IP router, can also NAT outbound packets **

CAS: Edge Deployment
- Easiest deployment option to understand
- CAS is logically inline, and physically inline
- Supports all Catalyst Switches
- VLAN IDs are passed straight through when in VGW (10 -> 10)
- Installations with multiple Access Layer closets can become complex

CAS: Central Deployment
- Most common deployment option
- CAS is logically inline, NOT physically inline
- Supports 6500 / 4500 / 3750 / 3560
- VLAN IDs are mapped when in VGW: 110 -> 10
- Easiest installation
- Most scalable in large environments

CAS: Layer 2 Mode
- Client is Layer 2 adjacent to the CAS
- MAC address is used as a unique identifier
- Supports both VGW and Real IP GW
- Supports both In Band and Out of Band
- Most common deployment model for LANs

CAS: Layer 3 Mode
- Client is NOT Layer 2 adjacent to the CAS
- IP address is used as a unique identifier
- Supports both VGW and Real IP GW
- Supports In Band Mode**
- Needed for WAN and VPN deployments

CAS: In Band
- Easiest deployment option
- CAS is inline (in the data path) before and after posture assessment
- Supports any switch, any hub, any AP
- Role Based Access Control: Guest, Contractor, Employee
- ACL Filtering and Bandwidth Throttling

CAS: Out of Band
- Multi-Gig throughput deployment option
- CAS is inline for Posture Assessment only
- Supports most common Cisco Switches**
- Port VLAN Based and Role Based Access Control
- ACL Filtering and Bandwidth Throttling for Posture Assessment only

CAM: Configuration
Servers are centrally managed through the CAM.

CAM: Out of Band
[Screenshot]

CAM: Pre-Configured Checks
Automatic updates for pre-configured checks.

CAM: Logging and Management
Fine tune administrative rights and privileges.

NAC Framework

NAC Framework Architecture
[Diagram]
- Subject: managed or unmanaged host
- Enforcement: LAN, WAN, Remote
- Decision & Remediation: ACS, Directory Server, Posture Validation Server(s), Audit Server, Patch Server, Reporting Server

NAC Admission Flow
[Diagram] Components: host attempting network access, running Cisco Trust Agent (CTA); Network Access Devices (NADs); Cisco Secure ACS; policy server decision points & audit: Directory Server, Policy Vendor Server (PVS), Audit Server (AS).
Transports: EAPo802.1x or EAPoUDP between host and NAD; EAP over RADIUS between NAD and ACS; LDAP or OTP to the Directory Server; HCAP to the PVS; GAME over HTTPS to the Audit Server. The diagram key marks each step as optional or mandatory.
1. Traffic triggers challenge
2. Credentials (host to NAD)
3. Credentials (NAD to ACS)
4a. Identity (Directory Server)
4b. Posture (PVS)
4c. Audit (Audit Server)
5. Compliant?
6. Authorization
7. Enforcement
8. Notification
9. Status

NAC Compliance: Quarantine to Healthy
[Diagram] Same components as the admission flow; the posture decision point is an Anti-Virus Policy Server.
1. Update AV
2. Revalidation / Status-Query
3. Credentials (host to NAD, EAPo802.1x or EAPoUDP)
4. Credentials (NAD to ACS)
5a. Identity: Directory Server, authentication pass
5b. Posture: Anti-Virus Policy Server, DATs valid
6. Compliant
7. Authorization: (VLAN, ACL, HEALTHY URL redirect)
8. Enforcement
9. Notification
10. Healthy!

NAC Agentless Host (NAH)
[Diagram] Same components; the host has no Cisco Trust Agent (CTA), so an Audit Server assesses it.
1. Traffic triggers challenge
2. No CTA
3a. Audit (ACS to Audit Server)
3b. Audit of the host (Windows XP SP2, Windows Firewall, no vulnerabilities)
3c. Audit result
4. Compliant? NO
5. Authorization: QUARANTINE
6. Enforcement (VLAN, ACL, URL redirect)
7. QUARANTINE!
Note: NAH in 802.1x currently unsupported!

Cisco NAC Partner Program
- The NAC Partner Program is a third-party-technology integration program
- Over 70 industry leading security and management program participants with 25 certified, shipping solutions
- Specific APIs are available for product integration in areas of assessment, remediation, and monitoring/reporting of an integrated NAC solution
- Useful for NAC customers with existing or planned investments in these partners' products
- For a complete partner list, see: www.cisco.com/go/nac/program
[Diagram: Assessment, Remediation, Audit, Policy around Cisco Trust Agent; Discovery, Authentication, Policy (AAA (ACS)), Enforcement]

NAC Program Participants
http://www.cisco.com/go/nac/program
[Partner logos: SHIPPING / DEVELOPING]

EAP (Extensible Authentication Protocol)
- RFC 3748 (obsoletes 2284): http://www.ietf.org/rfc/rfc3748.txt
- Transports authentication information in the form of EAP payloads
- Establishes and manages connection; allows authentication by encapsulating various types of authentication exchanges
- Prevalent EAP types:
  EAP-TLS: uses x.509 v3 PKI certificates and the TLS mechanism for authentication
  PEAP: protected EAP tunnel mode EAP encapsulator; tunnels other EAP types in an encrypted tunnel (TLS)
  EAP-FAST: designed to not require certificates; tunnels other EAP types in an encrypted tunnel (TLS)
- EAP typically runs directly over data link layers such as Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP
[Diagram: encapsulation stacks. Supplicant to authenticator: EAP Payload | 802.1x Header | Ethernet Header. Authenticator to AAA server: EAP Payload | RADIUS | UDP | IP Header]


IEEE 802.1x
- Standard set by the IEEE 802.1 working group
- Is a framework designed to address and provide port-based access control using authentication
- Primarily 802.1x is an encapsulation definition for EAP over IEEE 802 media; EAPOL (EAP over LAN) is the key protocol
- Layer 2 protocol for transporting authentication messages (EAP) between supplicant (user/PC) and authenticator (switch or access point)
- Assumes a secure connection
- Actual enforcement is via MAC-based filtering and port-state monitoring
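The two EAP encapsulations from the EAP and 802.1x slides above, as an added Python example (not from the slides or from Cisco): one parser takes the EAP packet out of an EAPOL frame (EAP payload | 802.1x header | Ethernet header), the other reassembles it from the EAP-Message attributes of a RADIUS packet (EAP payload | RADIUS | UDP | IP header), validating the length fields at each layer. The frame, MAC addresses and identity it decodes are constructed sample data, not a capture.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPE_EAP_PACKET = 0   # 802.1X packet types: 0 EAP-Packet, 1 Start, 2 Logoff, 3 Key
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 43: "EAP-FAST"}  # IANA EAP method types
RADIUS_ATTR_EAP_MESSAGE = 79    # RFC 3579 EAP-Message attribute


def parse_eap(payload: bytes) -> dict:
    """Parse one EAP packet (RFC 3748 section 4): Code, Identifier, Length, Type, Type-Data."""
    if len(payload) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 4 or length > len(payload):
        raise ValueError("EAP Length field inconsistent with payload")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):  # only Request and Response carry a Type octet
        if length < 5:
            raise ValueError("EAP Request/Response missing Type")
        pkt["type"] = EAP_TYPES.get(payload[4], payload[4])
        pkt["data"] = payload[5:length]
    return pkt


def parse_eapol_frame(frame: bytes) -> dict:
    """Supplicant side: Ethernet header (14 bytes) -> EAPOL header (4 bytes) -> EAP packet."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not an EAPOL frame (ethertype 0x{ethertype:04x})")
    version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL Length field exceeds frame")
    result = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"),
              "eapol_version": version, "eapol_type": eapol_type}
    if eapol_type == EAPOL_TYPE_EAP_PACKET:
        result["eap"] = parse_eap(body)
    return result


def extract_eap_from_radius(packet: bytes) -> dict:
    """Authenticator to ACS side: RADIUS header (20 bytes) then TLV attributes.
    EAP-Message fragments are concatenated in order to rebuild the EAP packet."""
    if len(packet) < 20:
        raise ValueError("RADIUS header truncated")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS Length field inconsistent with packet")
    eap, pos = b"", 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed RADIUS attribute")
        if attr_type == RADIUS_ATTR_EAP_MESSAGE:
            eap += packet[pos + 2:pos + attr_len]
        pos += attr_len
    if not eap:
        raise ValueError("no EAP-Message attribute present")
    return {"radius_code": code, "radius_id": ident, "eap": parse_eap(eap)}


# Constructed sample data (not captured from any Cisco device):
# EAP Response/Identity, id 1, length 10, identity "alice"
SAMPLE_EAP = bytes([2, 1, 0, 10, 1]) + b"alice"
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")          # 802.1X PAE group address
SAMPLE_EAPOL_FRAME = (PAE_GROUP_MAC + bytes.fromhex("001122334455")
                      + struct.pack("!H", ETHERTYPE_EAPOL)
                      + struct.pack("!BBH", 1, EAPOL_TYPE_EAP_PACKET, len(SAMPLE_EAP))
                      + SAMPLE_EAP)
# RADIUS Access-Request (code 1) carrying the same EAP packet in two EAP-Message attributes;
# the 16-byte Request Authenticator is zeroed here because nothing below checks it
_frag1, _frag2 = SAMPLE_EAP[:4], SAMPLE_EAP[4:]
_attrs = (bytes([RADIUS_ATTR_EAP_MESSAGE, 2 + len(_frag1)]) + _frag1
          + bytes([RADIUS_ATTR_EAP_MESSAGE, 2 + len(_frag2)]) + _frag2)
SAMPLE_RADIUS = struct.pack("!BBH", 1, 7, 20 + len(_attrs)) + bytes(16) + _attrs
```

Calling parse_eapol_frame(SAMPLE_EAPOL_FRAME) and extract_eap_from_radius(SAMPLE_RADIUS) yields the same decoded EAP Response/Identity from both encapsulations.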

NAC Assessment Methods
[Diagram: NAC L3 IP at the WAN, Internet and remote access edges; NAC L2 IP and NAC L2 802.1x at LAN switch ports; NAC L2 802.1x for wireless]
- Methods to perform a posture assessment:
  In-band: obtain application state via CTA (an agent), and assess it in the policy system
  Out-of-band: dynamic assessment (audit) of endpoint, mainly for 'Agentless' endpoints
  Exceptions: create static exception handling for known assets (MAC, IP, port)
- NAC assessment methods:
  NAC L3 IP: at a layer 3 hop via IP, such as the perimeter, WAN, or distribution layer
  NAC L2 IP: at a layer 2 switch port via IP, independent of 802.1x
  NAC L2 802.1x: via 802.1x at an L2 connection point (switch port or wireless AP)
- Agentless assessment useful for dynamic asset identification & risk:
  Called NAC Agentless Host, "non-responsive audit", or out-of-band assessment
  Most Agentless technologies require IP connectivity to endpoint (scanning, login, or web download); others tie into inventory database systems

NAC L3 IP: Assess Posture (Only) at the Perimeter using EAPoUDP
[Diagram: Host (Security App, CTA) <-EAPoUDP-> Network Access Device <-RADIUS-> AAA; AAA <-HCAP-> Policy Validation Server; AAA <-GAME-> Non-responsive Audit Server]
- Use Case Scenarios:
  L3 perimeter: WAN edge, extranet, VPN/remote access
  Interior network segmentation: non-production/lab networks, interdepartment, distribution layer, data center access
  Remote Access: IPsec and dial-in remote access aggregation ingress
- Trigger: IP packets forwarded from new source IP address
- Enforcement: ACLs (L3/4 controls) & URL redirection (provides NAH feedback)
- May be used serially for user & device validation (e.g. IPsec, auth-proxy)

NAC L2 IP: Assess Posture (Only) at the Access-Layer using EAPoUDP
[Diagram: Host (Security App, CTA) <-EAPoUDP-> Network Access Device <-RADIUS-> AAA; AAA <-HCAP-> Policy Validation Server; AAA <-GAME-> Non-responsive Audit Server]
- Use Case Scenario: assess posture at the LAN access layer
- Trigger: Layer 3 via DHCP & ARP requests from new sources
- Enforcement: static VLAN assignment; ACLs (L3/4 controls) & URL redirection (provides NAH feedback). There are different ACL technologies (Port ACLs, VLAN ACLs, Policy-Based ACLs)
- Can be performed after 802.1x authentication (totally independent)
- Microsoft 802.1x supplicant use-case (until it supports NAC)

NAC L2 802.1x: Identity and Posture Assessment
[Diagram: Host (Security App, Posture Plugin, CTA) <-EAPo802.1x-> Network Access Device <-RADIUS-> AAA <-HCAP-> Policy Validation Server]
- Use Cases: the LAN access layer upon wired or wireless link
- Trigger: L2 link up via 802.1x protocol
- Enforcement: static VLAN assignment or ACLs (L3/4: Port ACLs, VLAN ACLs, Policy-Based ACLs & URL redirection)
- Posture assessment triggered and performed at L2 in 802.1x
- May use user and/or device authentication with 802.1x
- EAP-FAST required for Identity + Posture assessment

NAC Method Comparison
Feature           | NAC-L2-802.1x | NAC-L2-IP   | NAC-L3-IP
Trigger mechanism | Data Link Up  | DHCP or ARP | Forward Packet
Machine Identity  | √             |             |
User Identity     | √             |             |
Device            | Switch or AP  | Switch      | Router
EAP over          | 802.1x        | UDP         | UDP
The slide compares the same three methods on further rows: Posture, VLAN assignment, URL-Redirection, Downloadable ACLs, Posture Status Queries, and Reauthentication/Revalidation; one of those cells is qualified as "6500-only (PBACLs)".

802.1x Extensions
Feature                         | Use Case
802.1x Guest VLAN               | No supplicant, Guests, Unmanaged, Old OSes
802.1x Auth-Fail VLAN           | Guests, Temporary Access
802.1x VVID                     | IP Phones
802.1x Inaccessible Auth Bypass | AAA Server Down: minimum access, disaster recovery
802.1x Wake-on-LAN              | WoL Compatibility (Not PXE)
MAC-Auth-Bypass (MAB)           | No supplicant, Appliances
Web-Auth Proxy                  | No supplicant, with identity, Guest or User

NAC / NAP Q&A

NAC and Microsoft NAP Integration
[Diagram] Client (components part of Vista O/S): Partner System Health Agents (SHAs), NAP Agent (QA), EAP Host, QEC, EAPoUDP, EAP-FAST. EAP-FAST runs over 802.1x or UDP to the NADs (switches, routers); RADIUS from the NADs to Cisco ACS; HCAP between Cisco ACS and MS NPS, which fronts the Partner Policy Server. Also shown: HCEP, Health Registration Authority (HRA), RADIUS. No NAC NAD enhancements required.
- NAC/NAP interoperability ensures investment protection and future proofing
- CCA Agent will support Vista platform
- CTA will not be supported on Vista/Longhorn server; use native OS supplicant
- Microsoft to distribute Cisco client NAC interoperability plug-in components via Windows Update/WSUS: simplified client installation
- Supports heterogeneous CTA/Quarantine Agent environments

Q&A
Pascal Delprat, pdelprat@cisco.com

- Find Cisco news every month in CiscoMag, the Cisco France newsletter. Subscription: www.cisco.fr/go/ciscomag
- Seminar "Le réseau de Campus" (the campus network): solutions. Thursday 24 May 2007, in the morning, at the Institut Océanographique, Paris
