IBM Tivoli and Cisco Network Card User Manual


 
456 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
assessment). It can also be deployed in Layer-2 mode (users are L2-adjacent
to the CAS) or in Layer-3 mode (users are multiple L3 hops away from the CAS).
Clean Access Agent (CAA)
This is a read-only agent that resides on Windows clients. The Clean Access
Agent checks applications, files, services, or registry keys to ensure that
clients meet your specified network and software requirements before they
gain access to the network. (Note that a client firewall does not restrict
Clean Access Agent vulnerability assessment: the Agent can check the client
registry, services, and applications even if a personal firewall is installed
and running.)
Clean Access Policy Updates
These are regular updates of pre-packaged policies/rules that can be used to
check that operating systems, antivirus (AV), antispyware (AS), and other
client software are up to date.
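To make the two preceding items concrete, the following is an added illustration of how an agent-side posture check of the kind described above can be structured: a rule set (standing in for a policy update bundle) is evaluated against a snapshot of what the agent reads from the host, and every failed requirement is reported with its remediation. This is example code written for this page, not Cisco's agent or policy format; the rule schema, the inventory layout, the policy contents (the version thresholds, the `MpsSvc` service, the `NoAutoUpdate` registry value, the root-certificate path) and both sample hosts are assumptions constructed for the demonstration.

```python
"""Toy posture-assessment engine modelled on the agent checks described on
this page. Added illustration only: the rule schema, inventory format and
sample data are assumptions, not Cisco's implementation."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class ClientInventory:
    """Constructed snapshot of what an agent could read from a Windows host."""
    files: Set[str]
    services_running: Set[str]
    registry: Dict[str, str]        # registry value path -> data
    applications: Dict[str, str]    # application name -> version string
    av_definition_date: date


@dataclass
class Rule:
    name: str
    check: Callable[[ClientInventory], bool]
    remediation: str


def version_tuple(v: str) -> Tuple[int, ...]:
    # Compare versions numerically, so "5.10" sorts after "5.2".
    return tuple(int(p) for p in v.split("."))


def app_at_least(name: str, minimum: str):
    def check(inv: ClientInventory) -> bool:
        v = inv.applications.get(name)
        return v is not None and version_tuple(v) >= version_tuple(minimum)
    return check


def service_running(name: str):
    return lambda inv: name in inv.services_running


def registry_equals(path: str, expected: str):
    return lambda inv: inv.registry.get(path) == expected


def file_present(path: str):
    return lambda inv: path in inv.files


def av_definitions_fresh(max_age_days: int, today: date):
    return lambda inv: (today - inv.av_definition_date) <= timedelta(days=max_age_days)


TODAY = date(2024, 6, 1)  # fixed so the example is deterministic
AU_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate"

# Assumed policy bundle; the thresholds and names are illustrative.
POLICY: List[Rule] = [
    Rule("AV installed (>= 5.2)", app_at_least("ExampleAV", "5.2"),
         "Install or upgrade ExampleAV"),
    Rule("AV definitions < 7 days old", av_definitions_fresh(7, TODAY),
         "Run an AV definition update"),
    Rule("Windows Firewall service running", service_running("MpsSvc"),
         "Start the Windows Firewall service"),
    Rule("Automatic Updates enabled", registry_equals(AU_KEY, "0"),
         "Re-enable Automatic Updates"),
    Rule("Corporate root CA present", file_present(r"C:\corp\ca\root.cer"),
         "Install the corporate root certificate"),
]


def assess(inv: ClientInventory, rules: List[Rule] = POLICY) -> List[Tuple[str, str]]:
    """Return (rule name, remediation) for every rule the client fails.
    All rules are evaluated rather than stopping at the first failure, so the
    user is shown the complete remediation list in one pass."""
    return [(r.name, r.remediation) for r in rules if not r.check(inv)]


def assign_role(failures: List[Tuple[str, str]]) -> str:
    # A single failed requirement is enough to hold the client in quarantine.
    return "Authenticated" if not failures else "Quarantine"


# Constructed sample hosts.
COMPLIANT = ClientInventory(
    files={r"C:\corp\ca\root.cer"},
    services_running={"MpsSvc", "wuauserv"},
    registry={AU_KEY: "0"},
    applications={"ExampleAV": "5.4.1"},
    av_definition_date=date(2024, 5, 30),
)
STALE = ClientInventory(
    files=set(),
    services_running={"MpsSvc", "wuauserv"},
    registry={AU_KEY: "0"},
    applications={"ExampleAV": "5.1"},
    av_definition_date=date(2024, 5, 1),
)

if __name__ == "__main__":
    for label, host in (("compliant", COMPLIANT), ("stale", STALE)):
        failures = assess(host)
        print(label, assign_role(failures), failures)
```

The point a practitioner should take from the structure is that checks are closures over policy data, so a policy update is just a new rule list and the agent's evaluation loop never changes.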
In-band versus out-of-band
Customers often ask which deployment modes are most appropriate for their
networks. In fact, an organization can deploy both, each geared toward certain
types of access (in-band for supporting wireless users and out-of-band for wired
users, for example). The Cisco Clean Access Manager is designed to support
both in-band and out-of-band Cisco Clean Access servers, as well as the
switches associated with the out-of-band portion of the network.
With the Cisco Clean Access in-band deployment, the Clean Access Server is
always inline with user traffic: before, during, and after authentication,
posture assessment, and remediation. The server can be used to securely control
authenticated and unauthenticated user traffic by applying traffic policies
based on protocol/port or subnet, enforcing bandwidth policies (shared or
per-user), and using time-based sessions and heartbeat controls.
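The following added example models the in-band controls just described: per-role traffic policies matched on protocol/port or destination subnet, and sessions keyed on the client's MAC and IP (both of which the server must see) that expire on a time limit or a missed heartbeat. It is illustration code written for this page, not Cisco's implementation; the role names, the addresses (`CAS_IP`, `REMEDIATION_NET`, `MGMT_NET`), the timeouts and the sample flows are assumptions.

```python
"""Toy in-band traffic/session policy engine. Added illustration only; role
names, subnets, timeouts and sample flows are assumptions, not Cisco values."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: Optional[str] = None     # None matches any protocol
    dst_net: Optional[str] = None   # CIDR; None matches any destination
    dst_port: Optional[int] = None  # None matches any port

    def matches(self, flow: Flow) -> bool:
        if self.proto is not None and self.proto != flow.proto:
            return False
        if self.dst_net is not None and ipaddress.ip_address(flow.dst_ip) \
                not in ipaddress.ip_network(self.dst_net):
            return False
        if self.dst_port is not None and self.dst_port != flow.dst_port:
            return False
        return True


CAS_IP = "10.0.0.5"               # assumed address of the in-band server
REMEDIATION_NET = "10.0.1.0/24"   # assumed AV/patch servers
MGMT_NET = "10.0.254.0/24"        # assumed network-management subnet

# Ordered, first-match rule lists per role; each ends in an explicit deny.
ROLE_POLICY: Dict[str, List[Rule]] = {
    "Unauthenticated": [             # DNS, DHCP and the login portal only
        Rule("allow", "udp", dst_port=53),
        Rule("allow", "udp", dst_port=67),
        Rule("allow", "tcp", f"{CAS_IP}/32", 443),
        Rule("deny"),
    ],
    "Quarantine": [                  # remediation servers only
        Rule("allow", "udp", dst_port=53),
        Rule("allow", "tcp", REMEDIATION_NET, 80),
        Rule("allow", "tcp", REMEDIATION_NET, 443),
        Rule("allow", "tcp", f"{CAS_IP}/32", 443),
        Rule("deny"),
    ],
    "Authenticated": [               # everything except the management subnet
        Rule("deny", dst_net=MGMT_NET),
        Rule("allow"),
    ],
}


def decide(role: str, flow: Flow) -> str:
    """First-match evaluation; a flow that matches no rule is denied."""
    for rule in ROLE_POLICY.get(role, []):
        if rule.matches(flow):
            return rule.action
    return "deny"


SESSION_MAX_SECONDS = 8 * 3600     # time-based session limit (assumed)
HEARTBEAT_MAX_SECONDS = 300        # drop clients whose agent stops answering (assumed)


@dataclass
class Session:
    role: str
    login_at: float
    last_heartbeat: float


class InBandServer:
    def __init__(self) -> None:
        # Sessions are keyed on (MAC, IP): the server must see both, and a
        # different MAC presenting the same IP gets no session.
        self._sessions: Dict[Tuple[str, str], Session] = {}

    def login(self, mac: str, ip: str, role: str, now: float) -> None:
        self._sessions[(mac.lower(), ip)] = Session(role, now, now)

    def heartbeat(self, mac: str, ip: str, now: float) -> None:
        s = self._sessions.get((mac.lower(), ip))
        if s is not None:
            s.last_heartbeat = now

    def role_for(self, mac: str, ip: str, now: float) -> str:
        key = (mac.lower(), ip)
        s = self._sessions.get(key)
        if s is None:
            return "Unauthenticated"
        if (now - s.login_at > SESSION_MAX_SECONDS
                or now - s.last_heartbeat > HEARTBEAT_MAX_SECONDS):
            del self._sessions[key]          # expired: back to the login role
            return "Unauthenticated"
        return s.role

    def filter(self, mac: str, flow: Flow, now: float) -> str:
        return decide(self.role_for(mac, flow.src_ip, now), flow)
```

Because the server stays inline after login, the role lookup happens on every flow, which is what lets an expired heartbeat or session timer take effect immediately rather than at the next login.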
In-band deployment supports any edge access device as long as the MAC
address and IP address of the client machine are visible to the Clean Access
Server. Because the server is in-band with traffic, the in-band deployment mode
is ideal for environments with the following characteristics:
Shared media ports
Bandwidth throttling by role required
Wireless access points
Voice over IP (VoIP) phones
Network infrastructure built with products other than Cisco products
In an out-of-band deployment of Cisco Clean Access, the Clean Access Server is
in-band only during the process of authentication, posture assessment, and
remediation. Once the user's device has successfully logged on, its traffic then
bypasses the Clean Access Server and traverses the switch port directly. In the