IBM Tivoli and Cisco Network Card User Manual


 
Chapter 5. Solution design 99
ABBC will institute posture-based network admission. Systems deemed in
noncompliance will be quarantined and allowed to access only the remediation
network. Figure 5-1 shows a conceptualized view of the functional requirements.
Figure 5-1 NAC solution conceptual functional requirements
The steps of the basic flow are:
1. The workstation, whether local or remote, attempts to access the ABBC
network. IEEE802.1x credentials are supplied.
2. A compliance check is initiated by the Cisco Network Admission Control
enabled device (for example, a router, switch, or Clean Access Server). This
enforcement device requests the posture status from the client, then queries
the Cisco NAC server (may be Cisco Secure Access Control Server or Clean
Access Manager) policy to make an access decision. If the system meets the
posture policy criteria, it is allowed access to the production network. For
illustration purposes we assume that the system does not meet the criteria,
and we continue through the flow.
3. Having failed the posture compliance check, the client workstation is denied
access to the production network. The workstation is now considered to be in
quarantined status and is allowed to access only a subset of the network
(what we are calling the remediation network).
[Figure 5-1 diagram: a Workstation (Tivoli SCM Client, Cisco NAC Agent, Posture Policy), a Cisco NAC Server, a Tivoli Security Compliance Manager performing the Compliance Check, and a Tivoli Configuration Manager, connected to the Production and Remediation networks, with the flow steps numbered 1 through 4.]
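The flow above, with the access decision at step 2 and the quarantine outcome at step 3, written out as a small posture policy evaluator. This is an added example and not code from the Redbook, from Cisco NAC, or from Tivoli Security Compliance Manager; the posture attributes (antivirus signature version, installed patch set, host firewall state), the threshold values, the patch names and the remediation task names are all assumptions made for illustration. It also handles a case the text does not spell out: a workstation that returns no posture report at all is treated as noncompliant and sent to the remediation network rather than being admitted.

```python
"""Posture-based admission decision modelled on the ABBC flow (steps 1-3).

Added illustration, not code from the Redbook, Cisco NAC or Tivoli SCM.
The posture attributes, thresholds, patch names and task names are all
assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Optional

PRODUCTION = "production"      # full access (step 2, compliant)
REMEDIATION = "remediation"    # quarantined subset of the network (step 3)


@dataclass(frozen=True)
class PosturePolicy:
    """What the NAC server requires before granting production access."""
    min_av_signature_version: int
    required_patches: frozenset
    require_firewall: bool = True


@dataclass(frozen=True)
class PostureReport:
    """Posture status the client agent returns to the enforcement device."""
    host: str
    av_signature_version: int
    installed_patches: frozenset
    firewall_enabled: bool


@dataclass
class AccessDecision:
    host: str
    network: str
    violations: list = field(default_factory=list)
    # Tasks a configuration manager on the remediation network would run.
    remediation: list = field(default_factory=list)


def evaluate_posture(host: str, report: Optional[PostureReport],
                     policy: PosturePolicy) -> AccessDecision:
    """Decide which network a host is admitted to.

    A host that returns no posture report (no agent, or the agent did not
    answer) fails closed: it is quarantined with an agent-install task.
    """
    if report is None:
        return AccessDecision(host, REMEDIATION,
                              ["no posture report from client"],
                              ["install-nac-agent"])

    violations, tasks = [], []
    if report.av_signature_version < policy.min_av_signature_version:
        violations.append(
            f"antivirus signatures {report.av_signature_version} "
            f"older than required {policy.min_av_signature_version}")
        tasks.append("update-av-signatures")

    missing = policy.required_patches - report.installed_patches
    if missing:
        violations.append("missing patches: " + ", ".join(sorted(missing)))
        tasks.extend(f"install-patch:{p}" for p in sorted(missing))

    if policy.require_firewall and not report.firewall_enabled:
        violations.append("host firewall disabled")
        tasks.append("enable-host-firewall")

    network = PRODUCTION if not violations else REMEDIATION
    return AccessDecision(host, network, violations, tasks)


def admit(reports: dict, policy: PosturePolicy) -> dict:
    """Run the compliance check for every host that presented credentials.

    reports maps hostname -> PostureReport, or None when the agent did not
    answer. Returns hostname -> AccessDecision.
    """
    return {h: evaluate_posture(h, r, policy) for h, r in reports.items()}


# Constructed sample policy and posture reports (placeholder patch names,
# not real patch identifiers).
EXAMPLE_POLICY = PosturePolicy(
    min_av_signature_version=1200,
    required_patches=frozenset({"PATCH-A", "PATCH-B"}),
)

EXAMPLE_REPORTS = {
    "ws-compliant": PostureReport("ws-compliant", 1250,
                                  frozenset({"PATCH-A", "PATCH-B"}), True),
    "ws-stale": PostureReport("ws-stale", 1100,
                              frozenset({"PATCH-A"}), False),
    "ws-no-agent": None,
}

if __name__ == "__main__":
    for host, decision in admit(EXAMPLE_REPORTS, EXAMPLE_POLICY).items():
        print(f"{host}: {decision.network}")
        for v in decision.violations:
            print(f"  violation: {v}")
        for t in decision.remediation:
            print(f"  remediation task: {t}")
```

The violations list is what the enforcement device would log for the access decision, and the remediation list is the work item handed to the configuration manager on the remediation network; keeping them separate means the admission decision can be audited without re-running the policy.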