IBM Tivoli and Cisco Network Card User Manual

68 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
Advantages of this kind of deployment are:
- Policy enforcement load distribution across the various routers
- Protection against virus infection between branch offices if the network has a mesh topology

Factors that must be considered for branch egress enforcement are:
- Branch routers must support NAC
- Some additional administrative effort is required during deployment

Campus internal enforcement
In this deployment option, office policy compliance is enforced on all switches to which the users connect. Switches support two modes of posture checking for users: 802.1X and EAP/UDP.

802.1X involves passing posture and, if desired, user authentication information in an EAP-based 802.1X frame. The response from ACS is a VLAN name or number associated with the posture state of the user, which is either healthy or quarantine.

EAP/UDP passes only posture information in a UDP datagram. ACS responds with a port-based ACL (PACL) that enforces the user's healthy or quarantine state.

The NAC Framework can work in IP Communications environments. For 802.1X environments, Cisco IP Phones must be used. For EAP/UDP environments, both Cisco and non-Cisco IP Phones may be used.
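To make the difference between the two enforcement responses concrete, the following is an added model of the ACS decision described above; it is not code from the book, from IBM Tivoli or from Cisco ACS. In 802.1X mode the decision is a VLAN assignment, in EAP/UDP mode it is a PACL that the switch applies to the port; the model then evaluates sample traffic against that PACL the way a first-match ACL would. The VLAN names and numbers, the remediation and DNS server addresses, the ACL entries, and the fail-closed rule that any posture other than healthy is quarantined are all constructed assumptions for this illustration.

```python
"""Model of the two NAC Framework enforcement modes (added illustration)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

HEALTHY = "healthy"
QUARANTINE = "quarantine"

# 802.1X mode: ACS answers with a VLAN name/number per posture state.
# VLAN names and numbers are constructed for this example.
VLAN_BY_POSTURE: Dict[str, Tuple[str, int]] = {
    HEALTHY: ("USERS", 10),
    QUARANTINE: ("QUARANTINE", 99),
}


@dataclass(frozen=True)
class AclEntry:
    """One line of a port-based ACL; entries are evaluated first match wins."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp" or "udp"
    dst: IPv4Network
    dport: Optional[int] = None  # None means any destination port

    def matches(self, proto: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ip_address(dst) not in self.dst:
            return False
        return self.dport is None or self.dport == dport


# Constructed addresses: a remediation server and an internal DNS server.
REMEDIATION_SERVER = ip_network("10.1.1.10/32")
DNS_SERVER = ip_network("10.1.1.53/32")
ANY = ip_network("0.0.0.0/0")

# EAP/UDP mode: ACS answers with a PACL per posture state (constructed rules).
# A quarantined port may only reach remediation over HTTPS and resolve names.
PACL_BY_POSTURE: Dict[str, List[AclEntry]] = {
    HEALTHY: [AclEntry("permit", "ip", ANY)],
    QUARANTINE: [
        AclEntry("permit", "tcp", REMEDIATION_SERVER, 443),
        AclEntry("permit", "udp", DNS_SERVER, 53),
        AclEntry("deny", "ip", ANY),
    ],
}


def normalize_posture(posture: str) -> str:
    """Fail closed (assumption): only an explicit healthy result avoids quarantine."""
    return HEALTHY if posture.strip().lower() == HEALTHY else QUARANTINE


def acs_decision(mode: str, posture: str) -> dict:
    """Return the enforcement response ACS would hand back for a posture result."""
    state = normalize_posture(posture)
    if mode == "802.1X":
        name, number = VLAN_BY_POSTURE[state]
        return {"posture": state, "vlan_name": name, "vlan_id": number}
    if mode == "EAP/UDP":
        return {"posture": state, "pacl": PACL_BY_POSTURE[state]}
    raise ValueError(f"unknown enforcement mode: {mode}")


def pacl_permits(pacl: List[AclEntry], proto: str, dst: str,
                 dport: Optional[int] = None) -> bool:
    """Evaluate one flow against a PACL: first matching entry decides."""
    for entry in pacl:
        if entry.matches(proto, dst, dport):
            return entry.action == "permit"
    return False  # implicit deny at the end of every ACL


if __name__ == "__main__":
    print(acs_decision("802.1X", "quarantine"))
    quarantine_pacl = acs_decision("EAP/UDP", "quarantine")["pacl"]
    print("remediation reachable:", pacl_permits(quarantine_pacl, "tcp", "10.1.1.10", 443))
    print("file server reachable:", pacl_permits(quarantine_pacl, "tcp", "192.0.2.7", 445))
```

The point the model makes is the one the text draws: a VLAN response moves the whole port into a different broadcast domain, whereas a PACL response leaves the port where it is and filters per flow, which is the more granular control referred to in the note below.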
Note: At the time of this writing PACLs are not supported in an 802.1x NAC
Framework on all Cisco devices. However, it is Cisco’s stated intention to
make this functionality available on all devices in the near future. Due to
considerations that will affect the client software required on each endpoint,
this book uses a reference architecture in which 802.1X is used for both
authentication and admission control. This architecture delivers a valid
network deployment even without PACLs and will be able to constrain traffic in
a more granular fashion once PACLs are available.