IBM Tivoli and Cisco Network Card User Manual


 
Chapter 3. Component structure 59
Posture validation and policy enforcement (flow 3)
This section describes how a client in a live environment connects to
the network and how its posture is validated by the ACS. After validation, the
client is granted network access according to its posture.
Client network access (3a)
The network client either initiates IP traffic that crosses a NAC-enabled
router or connects to a switch port running 802.1X. The NAD initiates an EAP
session and forwards the EAP identity of the NAC-client computer to Cisco
Secure ACS. The ACS then establishes a PEAP (Protected Extensible
Authentication Protocol) session with the NAC-client computer; PEAP wraps the
subsequent exchange in a TLS tunnel, so that the posture credentials are
encrypted in transit and the client can verify that it is talking to a trusted
ACS server.
Posture query (3b)
When the NAD's posture-validation trigger conditions are met (for example,
client IP traffic matches the router's intercept policy, or an 802.1X port
comes up), the NAD initiates posture validation. The NAD applies a default
access policy to the client's network traffic and initiates an EAP session with
the client, through which it queries the client for posture credentials.
Posture status reply (Cisco Trust Agent - NAD) (3c)
The Cisco Trust Agent, running on the network client, receives the security
posture credential request and in turn requests security posture credentials
from the NAC-compliant applications (in this case, Security Compliance
Manager client). The security posture credentials are requested and received
through posture plug-ins provided by IBM. When the Cisco Trust Agent
queries for posture credentials, the Security Compliance Manager client
component responds with the posture credentials that were collected in 2b.
The Cisco Trust Agent sends this information to the NAD.
Posture status reply (NAD - ACS) (3d)
The NAD transfers the posture credentials to the Cisco Secure ACS using
EAP over RADIUS (EAPoRADIUS).
Posture evaluation (3e)
Cisco Secure ACS evaluates the security posture credentials using rules in
the local database. The result of the evaluation is an application posture
token. If applications other than Security Compliance Manager are used,
there can be multiple application posture tokens, one per application.
Cisco Secure ACS consolidates the application posture tokens into an overall
system posture token. The system posture token is typically the worst case
across all application posture tokens, that is, the least healthy application
token becomes the system token. The system posture token can have one of the
following values:
– Healthy
– Checkup
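The evaluation and consolidation steps (3e) are easy to get wrong in a custom policy server, so the following is an added worked example, not Cisco Secure ACS or IBM Security Compliance Manager code. It assumes a rule format, credential attribute names (violations, collection_age_days, signature_age_days, realtime_protection) and sample credentials that are constructed for the example; the posture token ordering uses the Cisco NAC system posture token values (Healthy, Checkup, Transition, Quarantine, Infected, Unknown), of which this page lists only Healthy and Checkup. It also covers a case the text does not spell out: an application whose plug-in returned no credentials at all.

```python
"""Posture evaluation (application posture tokens) and consolidation into a
system posture token, following the worst-case rule described above.

Added example: rule format, attribute names and sample credentials are
assumptions constructed here, not the ACS or Security Compliance Manager
implementation."""
from dataclasses import dataclass
from typing import Callable

# Posture tokens ordered from best to worst (Cisco NAC token values; the
# page lists Healthy and Checkup, the rest are assumed from NAC documentation).
TOKEN_ORDER = ["Healthy", "Checkup", "Transition", "Quarantine", "Infected", "Unknown"]


def worse(a: str, b: str) -> str:
    """Return the less healthy of two posture tokens."""
    return a if TOKEN_ORDER.index(a) >= TOKEN_ORDER.index(b) else b


@dataclass
class Rule:
    application: str                 # posture plug-in whose credentials the rule reads
    attribute: str                   # credential attribute name (assumed)
    test: Callable[[object], bool]   # predicate the attribute value must satisfy
    token_if_failed: str             # application posture token when the test fails


def evaluate_application(credentials: dict, rules: list[Rule], application: str) -> str:
    """Compute one application posture token.

    Every rule for the application is checked; the worst failing rule decides
    the token. Missing credentials or a missing attribute cannot be validated
    and therefore yield Unknown rather than a pass."""
    app_creds = credentials.get(application)
    if app_creds is None:
        return "Unknown"
    token = "Healthy"
    for rule in (r for r in rules if r.application == application):
        if rule.attribute not in app_creds:
            return "Unknown"
        if not rule.test(app_creds[rule.attribute]):
            token = worse(token, rule.token_if_failed)
    return token


def system_posture_token(app_tokens: dict[str, str]) -> str:
    """Consolidate application posture tokens: the worst case wins."""
    spt = "Healthy"
    for token in app_tokens.values():
        spt = worse(spt, token)
    return spt


def evaluate(credentials: dict, rules: list[Rule], applications: list[str]):
    """Return (per-application tokens, system posture token) for one client."""
    app_tokens = {app: evaluate_application(credentials, rules, app) for app in applications}
    return app_tokens, system_posture_token(app_tokens)


# Assumed policy: SCM = Security Compliance Manager client, AV = an antivirus plug-in.
RULES = [
    Rule("SCM", "violations", lambda v: v == 0, "Quarantine"),
    Rule("SCM", "collection_age_days", lambda v: v <= 7, "Checkup"),
    Rule("AV", "signature_age_days", lambda v: v <= 3, "Checkup"),
    Rule("AV", "realtime_protection", lambda v: v is True, "Quarantine"),
]
APPLICATIONS = ["SCM", "AV"]

# Constructed sample credentials, as the Cisco Trust Agent would forward them (3c).
COMPLIANT = {"SCM": {"violations": 0, "collection_age_days": 1},
             "AV": {"signature_age_days": 0, "realtime_protection": True}}
STALE_AV = {"SCM": {"violations": 0, "collection_age_days": 1},
            "AV": {"signature_age_days": 10, "realtime_protection": True}}
NO_SCM = {"AV": {"signature_age_days": 0, "realtime_protection": True}}
AV_OFF_AND_STALE = {"SCM": {"violations": 2, "collection_age_days": 1},
                    "AV": {"signature_age_days": 10, "realtime_protection": False}}

if __name__ == "__main__":
    for name, creds in [("compliant", COMPLIANT), ("stale AV", STALE_AV),
                        ("no SCM plug-in", NO_SCM), ("AV off and stale", AV_OFF_AND_STALE)]:
        print(name, evaluate(creds, RULES, APPLICATIONS))
```

Note that a client without the Security Compliance Manager plug-in is deliberately reported as Unknown rather than Healthy: an absent credential is not evidence of compliance, and treating it as such would let a client bypass posture validation simply by not running the agent.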