
Cisco NAC

The purpose of NAC:

Allow only authorized and compliant systems to access the network
Enforce network security policy

Embedded solution

NAC Framework
Software module embedded within NAC-enabled products
Integrated framework leveraging multiple Cisco and NAC-aware vendor products

Cisco NAC Appliance
In-band Cisco NAC Appliance solution can be used on any switch or router platform
Self-contained, turnkey solution

Appliance-based solution

The NAC Framework

[Diagram: Hosts Attempting Network Access -> Network Access Devices (Enforcement) -> Policy Server Decision Points and Remediation (AAA Server, Vendor Servers).
Labels on the host-to-network-device link: Credentials, EAP/UDP, Cisco Trust Agent, EAP/802.1x, Notification.
Labels on the network-device-to-AAA-server link: Credentials, RADIUS, Access Rights.
Labels on the AAA-server-to-vendor-server link: HTTPS, Comply?]

NAC Components

Cisco NAS
Serves as an in-band or out-of-band device for network access control

Cisco NAM
Centralizes management for administrators, support personnel, and operators

Cisco NAA
Optional lightweight client for device-based registry scans in unmanaged environments

Rule-set updates
Scheduled automatic updates for antivirus, critical hotfixes, and other applications

Cisco NAC Appliance Process

1. Host attempts to access a web page or uses an optional client. Network access is blocked until the wired or wireless host provides login information.

2. Host is redirected to a login page. Cisco NAC Appliance validates the username and password, and also performs device and network scans to assess vulnerabilities on the device.

3. The host is authenticated and optionally scanned for posture compliance.

3a. Device is noncompliant or login is incorrect. Host is denied access and assigned to a quarantine role with access to online remediation resources.

3b. Device is clean. Machine gets on the certified devices list and is granted access to the network.

[Diagram labels: The Goal, Authentication Server, Cisco NAM, Cisco NAS, Intranet/Network, Quarantine Role]
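As an added illustration of the admission flow in steps 1 to 3b (this is example code written for this page, not Cisco's software or anything from the deck), the following Python model maps a host's login result and posture scan onto the three outcomes the slides name: blocked, quarantine role, or certified devices list. The user database, the posture rule-set and the host attributes are constructed assumptions chosen to exercise each branch.

```python
"""Toy model of the Cisco NAC Appliance admission decision (added example).

Assumptions (not from the slides): a plain-dict credential store, two posture
rules standing in for the antivirus / critical-hotfix rule-set, and host
attributes reported as a dict. Real deployments get these from the AAA
server and the NAC agent; this is only the decision logic.
"""
from dataclasses import dataclass, field

# Constructed credential store for illustration only.
USER_DB = {"alice": "correct-horse", "bob": "battery-staple"}

# Constructed posture rule-set: each rule is a predicate over the host's
# reported attributes. A missing attribute is treated as a failure.
POSTURE_RULES = {
    "antivirus_current": lambda h: h.get("av_signature_age_days", 999) <= 7,
    "critical_hotfixes": lambda h: not h.get("missing_critical_hotfixes", ["unknown"]),
}


@dataclass
class NacAppliance:
    """Holds the certified devices list that step 3b populates."""
    certified_devices: set = field(default_factory=set)

    def admit(self, mac, username, password, posture=None, scan=True):
        """Return (role, failed_checks) for one access attempt.

        Roles: 'blocked' (step 1), 'quarantine' (3a), 'certified' (3b).
        """
        # Step 1: no login information yet -> network access stays blocked.
        if username is None or password is None:
            return "blocked", []

        # Step 2: validate username and password; a bad login goes to
        # the quarantine role, as 3a describes.
        if USER_DB.get(username) != password:
            return "quarantine", ["login"]

        # A device already on the certified list is not re-scanned.
        if mac in self.certified_devices:
            return "certified", []

        # Step 3: optional posture scan against the rule-set.
        failed = []
        if scan:
            failed = [name for name, rule in POSTURE_RULES.items()
                      if not rule(posture or {})]

        # 3a: noncompliant -> quarantine with the failed checks listed,
        # which is what the remediation resources would be keyed on.
        if failed:
            return "quarantine", failed

        # 3b: device is clean -> certified devices list, network access.
        self.certified_devices.add(mac)
        return "certified", []


def demo():
    """Walk one constructed host through every branch; returns the roles."""
    nac = NacAppliance()
    mac = "00:11:22:33:44:55"  # constructed MAC
    stale = {"av_signature_age_days": 30, "missing_critical_hotfixes": []}
    clean = {"av_signature_age_days": 1, "missing_critical_hotfixes": []}
    return [
        nac.admit(mac, None, None)[0],                     # blocked
        nac.admit(mac, "alice", "wrong")[0],               # quarantine (login)
        nac.admit(mac, "alice", "correct-horse", stale)[0],  # quarantine (posture)
        nac.admit(mac, "alice", "correct-horse", clean)[0],  # certified
        nac.admit(mac, "alice", "correct-horse", stale)[0],  # certified (listed)
    ]


if __name__ == "__main__":
    for role in demo():
        print(role)
```

The last call in `demo()` shows the property the certified devices list buys: once a device has passed posture it is not re-scanned on the next login, so the rule-set updates in the NAC Components slide only take effect for a listed device when it is removed from that list again.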
