112 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
those users that are in breach of these requirements, and how to remediate them
back to a compliant state.
Terms that are used include:
Network Access Profile
A Network Access Profile classifies access requests according to the AAA
client's IP address, its membership in a network device group, the protocol
type, or other specific RADIUS attribute values sent by the network device
through which the user connects.
A Network Access Profile comprises three components: Authentication, Posture
Validation, and Authorization.
RADIUS Authorization Components
Shared RADIUS Authorization Components (RACs) are configurable sets of
RADIUS attributes that may be assigned to user or user group sessions
dynamically based on a policy.
Posture validation
An internal posture validation policy evaluates the rules defined for the policy
against the posture credentials it receives and returns a posture token. Internal
policies are reusable: one policy can perform posture validation for more than
one Network Access Profile.
Layer 2 NAC lets us enforce endpoint compliance on the LAN by using Cisco
switches. There are two methods of NAC enablement: NAC L2 IP, which uses EAP
over UDP (EAPoUDP); and NAC L2 802.1x, which uses an IEEE 802.1X supplicant
embedded in the Cisco Trust Agent to provide machine and user authentication.
The latter is the more secure form of L2 NAC, because it checks who is
connecting to our networks as well as what is connecting to our networks.
In our scenario, we focus on the NAC L2 802.1x implementation of NAC. We
have defined some user groups and users who have been assigned to those
groups.
When a user connects to the network, she is prompted for her IEEE 802.1x
credentials, in the form of a user name and password. Once these credentials
are accepted, the user is mapped to the respective user group. The ACS then
receives the posture credentials from the Cisco Trust Agent installed on the
client. Based on the resulting System Posture Token, the user is mapped to a
Shared RADIUS Authorization Component; part of that Shared RADIUS Authorization
Component is the VLAN that the user is assigned to.
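The following is an added example, not code from this Redbook, from Cisco Secure ACS, or from the Cisco Trust Agent. It models the NAC L2 802.1x decision flow just described as a small policy engine: an 802.1x credential check that yields a user group, one or more internal posture validation policies that each return a posture token, the System Posture Token taken as the most severe of those tokens, and a lookup of the Shared RADIUS Authorization Component whose attributes (the RFC 3580 tunnel attributes a switch reads for dynamic VLAN assignment) are returned to the switch. The Healthy_Engineering_RAC / VLAN 12 assignment is taken from this chapter's scenario; the user "jim" and his password, the posture rules, the Quarantine_Engineering_RAC and VLAN 99 are assumptions made for the example.

```python
"""Simplified model of the NAC L2 802.1x decision flow. Added example; not
code from the IBM Redbook, Cisco ACS or the Cisco Trust Agent. Only the
Healthy_Engineering_RAC -> VLAN 12 mapping comes from the text; every other
name, rule and VLAN number below is an assumption."""

import hmac
from typing import Callable, Dict, List, Optional, Tuple

# Cisco NAC posture tokens in the order Cisco lists them; a later entry is
# treated as more severe than an earlier one.
TOKENS = ["Healthy", "Checkup", "Transition", "Quarantine", "Infected", "Unknown"]
SEVERITY = {token: rank for rank, token in enumerate(TOKENS)}

# RADIUS attributes (RFC 3580) that a switch reads for dynamic VLAN assignment.
TUNNEL_TYPE = 64               # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # value 6 = IEEE 802
TUNNEL_PRIVATE_GROUP_ID = 81   # the VLAN id, carried as a string

# Constructed user database: user -> (password, user group). Not real accounts.
USERS = {"jim": ("jim-password", "Engineering")}


def vlan_rac(name: str, vlan: int) -> Dict:
    """A Shared RAC that carries only the VLAN assignment attributes."""
    return {"name": name,
            "attributes": {TUNNEL_TYPE: 13,
                           TUNNEL_MEDIUM_TYPE: 6,
                           TUNNEL_PRIVATE_GROUP_ID: str(vlan)}}


# VLAN 12 for Healthy_Engineering_RAC is from the text. Assumed: Checkup still
# gets the healthy VLAN, Quarantine goes to a remediation VLAN 99.
RAC_BY_GROUP_AND_TOKEN = {
    ("Engineering", "Healthy"): vlan_rac("Healthy_Engineering_RAC", 12),
    ("Engineering", "Checkup"): vlan_rac("Healthy_Engineering_RAC", 12),
    ("Engineering", "Quarantine"): vlan_rac("Quarantine_Engineering_RAC", 99),
}

# An internal posture validation policy: ordered (condition, token) rules.
# The first rule whose condition matches the posture credentials wins;
# otherwise the policy's default token is returned. Rule contents are assumed.
Rule = Tuple[Callable[[Dict], bool], str]


def make_policy(rules: List[Rule], default: str) -> Callable[[Dict], str]:
    def evaluate(credentials: Dict) -> str:
        for condition, token in rules:
            if condition(credentials):
                return token
        return default
    return evaluate


CTA_POLICY = make_policy(
    [(lambda c: c.get("PA-Version", (0, 0)) >= (2, 0), "Healthy")],
    default="Quarantine")

AV_POLICY = make_policy(
    [(lambda c: c.get("AV-Dat-Age-Days", 999) <= 7, "Healthy"),
     (lambda c: c.get("AV-Dat-Age-Days", 999) <= 30, "Checkup")],
    default="Quarantine")

# Policies attached to the Network Access Profile; reusable across profiles.
POLICIES = [CTA_POLICY, AV_POLICY]


def authenticate_8021x(user: str, password: str) -> Optional[str]:
    """Returns the user's group on success, None on a failed authentication."""
    entry = USERS.get(user)
    if entry is None or not hmac.compare_digest(entry[0], password):
        return None
    return entry[1]


def system_posture_token(credentials: Dict) -> str:
    """The System Posture Token is the most severe of the per-policy tokens."""
    tokens = [policy(credentials) for policy in POLICIES]
    return max(tokens, key=lambda t: SEVERITY[t])


def authorize(user: str, password: str, credentials: Dict) -> Dict:
    """One NAC L2 802.1x access decision: authenticate, validate posture,
    then select the RAC whose RADIUS attributes the switch will apply."""
    group = authenticate_8021x(user, password)
    if group is None:
        return {"result": "Access-Reject"}
    spt = system_posture_token(credentials)
    rac = RAC_BY_GROUP_AND_TOKEN.get((group, spt))
    if rac is None:
        # Assumption: no RAC for this group/token pair means no access.
        return {"result": "Access-Reject", "group": group, "token": spt}
    return {"result": "Access-Accept", "group": group, "token": spt,
            "rac": rac["name"], "attributes": dict(rac["attributes"])}


if __name__ == "__main__":
    # Constructed posture credentials, as the Cisco Trust Agent might report them.
    healthy = {"PA-Version": (2, 0), "AV-Dat-Age-Days": 3}
    stale_av = {"PA-Version": (2, 0), "AV-Dat-Age-Days": 45}
    for creds in (healthy, stale_av):
        print(authorize("jim", "jim-password", creds))
    print(authorize("jim", "wrong-password", healthy))
```

The point worth noticing is that the VLAN never comes from the user record: it is a property of the RAC selected by the (group, System Posture Token) pair, so a user who authenticates correctly but fails a single posture rule lands in the remediation VLAN, and a failed 802.1x authentication returns no attributes at all.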
An example of this is as follows. Jim is a member of the Engineering Group.
When Jim logs on, he successfully authenticates to IEEE 802.1x. His posture
assessment is Healthy, so Jim is mapped to the Healthy_Engineering_RAC
(VLAN 12). Should Jim pass his IEEE 802.1x authentication, but receive a