IBM Tivoli and Cisco Network Card User Manual


 
Chapter 2. Architecting the solution 21
If the client is not Security Compliance Manager policy-enabled, it is denied access to the corporate network and may be allowed only restricted access to the Internet or may be denied access to all networks.

When a client is quarantined, the user is given a choice to either remediate manually using the provided instructions or to use an automated remediation process by clicking a button on the pop-up window (if the Tivoli Configuration Manager infrastructure exists).
Figure 2-3 Basic overview of NAC functionality
In general, any admission control solution can base the admission decision on a
number of factors. Authentication decisions are identity-based and the admission
decisions are based on who is attempting access. Posture decisions are
integrity-based and depend on the integrity of the device being used for access.
Posture-based NAC is designed to protect the network from threats introduced by
noncompliant workstations. Workstation-related information is presented to the
authorization server. It describes the current state of the hardware, operating
system, and installed applications (for example, the list of patches installed,
version of installed antivirus or personal firewall software, version of virus
definition file, the date of the last full scan). With Layer 3 NAC, it is not
straightforward to tie the identity-based and posture-based admission decisions
together. Since they operate in two different time frames with regard to network
[Figure 2-3 diagram labels (diagram not reproduced): Compliant, Clientless, Non-compliant; Untrusted LAN, Remediation LAN, Trusted LAN; Healthy, Quarantined, Denied; TCM Server, Corporate Resources, Remediation]
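The posture-based admission decision described above, written out as an added Python example for this page: a policy-enabled client presents a posture report (installed patches, antivirus and definition versions, date of the last full scan), the evaluator checks it against a compliance policy, and the outcome maps onto the three states in Figure 2-3 (Healthy on the trusted LAN, Quarantined on the remediation LAN with the list of items to fix, Denied for a client that is not policy-enabled and so cannot be assessed). This is not Tivoli Security Compliance Manager or Cisco NAC code; the policy thresholds, posture field names, patch identifiers and sample reports are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Admission(Enum):
    HEALTHY = "healthy"          # full access to corporate resources (trusted LAN)
    QUARANTINED = "quarantined"  # remediation LAN only, until violations are fixed
    DENIED = "denied"            # no corporate network access


@dataclass
class Posture:
    """Posture report a policy-enabled client presents (field names are assumed)."""
    policy_enabled: bool
    installed_patches: set[str] = field(default_factory=set)
    antivirus_version: str = ""
    definitions_date: date | None = None
    last_full_scan: date | None = None


@dataclass
class Policy:
    """Compliance policy the authorization server enforces (thresholds are assumed)."""
    required_patches: set[str]
    min_antivirus_version: tuple[int, ...]
    max_definition_age_days: int
    max_scan_age_days: int


def parse_version(text: str) -> tuple[int, ...]:
    """'10.2.1' -> (10, 2, 1); a missing or malformed version sorts lowest."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return (0,)


def find_violations(posture: Posture, policy: Policy, today: date) -> list[str]:
    """Return the list of policy violations; an empty list means compliant."""
    violations: list[str] = []
    missing = sorted(policy.required_patches - posture.installed_patches)
    if missing:
        violations.append("missing patches: " + ", ".join(missing))
    if parse_version(posture.antivirus_version) < policy.min_antivirus_version:
        violations.append(f"antivirus version {posture.antivirus_version or 'unknown'} below minimum")
    if posture.definitions_date is None or (today - posture.definitions_date).days > policy.max_definition_age_days:
        violations.append("virus definition file stale or absent")
    if posture.last_full_scan is None or (today - posture.last_full_scan).days > policy.max_scan_age_days:
        violations.append("no recent full scan")
    return violations


def admission_decision(posture: Posture, policy: Policy, today: date) -> tuple[Admission, list[str]]:
    """Map a posture report to Healthy / Quarantined / Denied plus the reasons."""
    if not posture.policy_enabled:
        # A clientless or policy-disabled machine cannot be assessed, so it is denied.
        return Admission.DENIED, ["client is not policy-enabled; posture cannot be assessed"]
    violations = find_violations(posture, policy, today)
    if not violations:
        return Admission.HEALTHY, []
    # The violation list doubles as the remediation instructions shown to the user.
    return Admission.QUARANTINED, violations


# Constructed sample policy and posture reports for the demonstration.
TODAY = date(2024, 6, 1)
SAMPLE_POLICY = Policy(
    required_patches={"KB-0001", "KB-0002"},
    min_antivirus_version=(10, 2),
    max_definition_age_days=7,
    max_scan_age_days=30,
)
SAMPLE_POSTURES = {
    "compliant": Posture(True, {"KB-0001", "KB-0002"}, "10.3.0",
                         TODAY - timedelta(days=1), TODAY - timedelta(days=5)),
    "non-compliant": Posture(True, {"KB-0001"}, "9.8.1", TODAY - timedelta(days=20), None),
    "clientless": Posture(False),
}


def evaluate_all() -> dict[str, tuple[Admission, list[str]]]:
    """Evaluate every sample client against the sample policy."""
    return {name: admission_decision(p, SAMPLE_POLICY, TODAY) for name, p in SAMPLE_POSTURES.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in evaluate_all().items():
        print(f"{name:14s} -> {decision.value}", *("  - " + r for r in reasons), sep="\n")
```

The evaluator keeps the identity question out of scope on purpose: it decides purely on device integrity, which is the posture-based half of the admission decision the text contrasts with identity-based authentication.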