Cisco NAC Appliance
TRANSCRIPT
-
8/12/2019 Cisco NAC Appliance
1/13
Cisco NAC Appliance Overview
2006 Cisco Systems, Inc. All rights reserved. Presentation_ID 1
-
What Is NAC?
Network Admission
Better criteria
Authenticate & Authorize
Scan & Evaluate
Control network access
Update & Remediate
Quarantine & Enforce
Where Is It Coming From?
What System Is It?
What's the Preferred
What's On It? Is It Running?
Who Owns It?
or Fix It?
-
NAC Server Foundation:
NAC Servers at the most basic level can pass traffic in one of two ways:
Bridged Mode = Virtual Gateway
=
Any NAC Server can be configured for either method, but a NAC Server can only be one at a time
Gateway mode selection affects the logical traffic path
mode, Layer 3 mode, In Band or Out of Band
-
Direct Bridging: Frame Comes In, Frame Goes Out
VLAN IDs are either passed
from A to B
directly to network devices on the Trusted side
NAC Server is an IP passive bump in the wire, like a transparent firewall
-
NAC Server Foundation: Layer 2 Mode
NAC Servers have two client access deployment models
Layer 2 Mode
Any NAC Server can be configured for either method, but a NAC Server can only be one at a time
Deployment mode selection is based on whether the client is Layer 2 adjacent to the NAC Server
-
NAC Server Foundation:
NAC Servers have two traffic flow deployment models
In Band / Out of Band
Any NAC Server can be configured for either method, but a NAC Server can only be one at a time
remove the NAC Server from the data path
Assessment
-
Easiest deployment option
NAC Server is Inline (in the data path) before and
Supports any switch, any
Role Based Access Control: Guest, Contractor, Employee
ACL Filtering and Bandwidth Throttling
-
Multi-Gig Throughput Deployment Option
NAC Server is Inline for Posture Assessment Only
Port VLAN Based and
Control
ACL Filtering and Bandwidth Throttling for Posture Assessment Only
-
NAC Manager (Clean Access Manager)
Centralizes management for administrators, support personnel, and operators
Serves as enforcement point for network access control
NAC Agent (Clean Access Agent)
Optional lightweight client for device-based
Rule-set Updates
, critical hot-fixes and other applications
-
Participants: User Machine / Server / Manager
DHCP Request / Pre-connect (1099)
URL Redirect to Weblogin
Download NAC Agent / Agent download (80)
Connect request (1099)
Connect Response (8955, 8956)
Open Web browser (if no agent)
Connect via TCP (443)
UDP Discover (8905, 8906)
Download Policy to Agent / Agent checks and rules, XML (443)
User Login (443)
Certified and Logged On
Agent Performs Posture Assessment
Server Performs Access Enforcement
Report
Session and heartbeat timer (443) / Logged out
-
for Critical Hotfixes
Pre-configured AV checks for Windows
OneCare
WSUS Integration
Checks against WSUS server
Check based on Severity
Checks for MS Office updates
-
Wireless Out-of-band
FIPS Compliance
Double-Byte Support
Run Agent as a Service
NAC Radius - Phase 1
Mac Posture Agent
Ability to import/export policies in the CAM.
IPv6 pass-through Support
Faster/easier way to incorporate Opswat support and include additional Opswat APIs.
Support for CAM/CAS Radius accounts
Support for SNMP Traps on NAC Appliances