24 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
In the Cisco NAC solution, the EAP header is extended to carry posture data, and
the admission process is driven by policies that govern the network admission
decision. Those policies consider all of the attributes provided by the posture
agent (Cisco Trust Agent) to determine the client’s health and security
compliance status.
In generic 802.1x, the identity credential is used for authentication.
In the Cisco NAC solution, the posture credential of the client device is used
for authentication instead.
IEEE 802.1x and NAC can be combined easily to provide a stepped-up level of
security in corporate networks. The selected authentication and network
admission protocols will determine which client software or supplicants are
loaded on the client.
Posture agent
The posture agent is a software agent residing on the client capable of
communicating with the NAC-enabled network device before the client is granted
network access. It aggregates security posture information from the
NAC-compliant applications running on the network client and sends it to the
posture verification server. In the present solution, the role of the posture agent is
performed by Cisco Trust Agent. Third-party applications including the IBM Tivoli
Security Compliance Manager client register with the posture agent using a
plug-in. More information can be found in 3.2.1, “Network client” on page 52.
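The two roles described above, the posture agent aggregating plug-in attributes into one posture credential and the policy that evaluates every attribute to reach an admission decision, as an added illustration that is not code from the redbook or from Cisco Trust Agent. The attribute names, rule thresholds and the decision labels "healthy" and "quarantine" are assumptions chosen for the example; the one deliberate design point is that a missing attribute (a plug-in that never reported) fails the rule rather than being skipped.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed example: attributes as plug-ins would report them to the agent.
# Names and values are assumptions, not Cisco Trust Agent's real schema.
Attributes = Dict[str, object]


@dataclass
class Rule:
    name: str
    attribute: str
    check: Callable[[object], bool]


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, attrs: Attributes) -> Tuple[str, List[str]]:
        """Return (decision, failed_rule_names).

        A missing attribute counts as a failure: an absent or silent plug-in
        must never produce a compliant verdict by omission."""
        failed = [r.name for r in self.rules
                  if r.attribute not in attrs or not r.check(attrs[r.attribute])]
        return ("healthy" if not failed else "quarantine"), failed


def aggregate(plugin_reports: List[Attributes]) -> Attributes:
    """Posture agent role: merge per-plug-in attribute sets into one credential."""
    merged: Attributes = {}
    for report in plugin_reports:
        merged.update(report)
    return merged


def version_at_least(minimum: Tuple[int, ...]) -> Callable[[object], bool]:
    """Compare dotted version strings numerically, e.g. '2005.3.4' >= (2005, 3, 1)."""
    return lambda v: tuple(int(p) for p in str(v).split(".")) >= minimum


# Assumed corporate policy: current AV signatures, patched OS, host firewall on.
CORPORATE_POLICY = Policy([
    Rule("av_signatures_current", "av.signature_version", version_at_least((2005, 3, 1))),
    Rule("os_patch_level", "os.patch_level", lambda v: int(v) >= 12),
    Rule("firewall_enabled", "firewall.enabled", lambda v: v is True),
])


def admission_decision(plugin_reports: List[Attributes]) -> Tuple[str, List[str]]:
    """Posture validation: evaluate the aggregated credential against policy."""
    return CORPORATE_POLICY.evaluate(aggregate(plugin_reports))
```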
Network identity provisioning
With posture-based Network Admission Control, the client requires a set of
software components to be able to connect to the network. It is feasible to assign
different security policies to different groups of clients and to check
compliance with complex rules covering all of the clients’ attributes. However,
all clients running the same version of an operating system, for example, are
typically treated alike in terms of which security policy applies to them. In
the generic design, the NAC solution makes no differentiation between whom the
clients belong to or who is actually trying to connect to the network.
Note: In this section we have used the term authentication to discuss the
differences and similarities between IEEE 802.1x and the Cisco NAC process.
Regarding 802.1x, we can accurately speak of authentication because we are
considering individuals providing credentials to gain access to protected
resources. In the Cisco NAC process we examine the posture status of a client
machine in order to grant general network access — a process not usually
considered an authentication.