Cisco NAC: Strong in-line enforcement

Vendor: Cisco
Product: NAC Appliance
Pricing (1,000 users): $36,000
Strengths: Powerful in-line NAC for wireless and VPN environments
Weaknesses: Limited tools for fine-grained access control

Review: The two components of Cisco NAC Appliance are the NAC Manager, which controls policy, and the NAC Server, which responds to user traffic and enforces policy.

NAC Appliance can act either as a purely in-line or as an edge-enforcing NAC solution. Each NAC Server only operates in one of those two modes. When in-line, the NAC Appliance filters user traffic, applies access control policies, and checks endpoint security status. In-line mode is recommended by Cisco for wireless and VPN environments.

When the NAC Server is put into edge-enforcing mode, it uses SNMP to manage VLANs on Cisco switches. Before a device is posture-checked and authenticated, the NAC Server can put itself in-line and present a captive portal for authentication and to push the Clean Access Agent (an endpoint security checking tool) to Windows and Mac OS X clients.

Once authentication and posture checking are complete, the NAC Server sends SNMP configuration commands to the edge switch to enforce access controls by moving the user to an appropriate VLAN (such as remediation VLAN, guest VLAN, or production VLAN).

NAC Servers also support less intrusive authentication and posture checking options, using authentication information captured from network traffic and using a persistent endpoint security agent. Other network topologies can also be supported when the NAC Server cannot easily be placed directly in the path between end users and the network (such as at remote offices).

NAC Appliance is mostly focused on authentication and endpoint security checking; the tools for defining network access controls, especially when edge enforcement is being used, are very limited in scope. Some common features of NAC products, such as direct support for MAC-based authentication for VoIP devices or printers, are not built into the NAC Appliance. Instead, Cisco expects that you will use features built into its switches.

However, Cisco does sell their NAC Profiler, an OEM version of Great Bay Software's Beacon product line, which integrates tightly into the NAC Appliance, and helps to build exception lists for devices (such as VoIP phones or printers) to simplify NAC rollout.
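To make the edge-enforcing flow concrete, the following is an added Python model of the decision path described above: an unauthenticated endpoint is held on a pre-authentication VLAN behind the captive portal, an authenticated user is posture-checked by the agent and then moved to the remediation, guest, or production VLAN, and devices on a Profiler-style exception list (phones, printers) bypass the user checks. This is illustrative code written for this page, not Cisco's software; the VLAN names, the posture checks, the ordering of the guest check before the posture check, and the `MockSwitch` object standing in for the SNMP-driven edge switch are all assumptions.

```python
"""Model of NAC edge enforcement: authenticate, posture-check, then assign a VLAN.

Hypothetical example; VLAN names, posture checks and the switch stub are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Vlan(str, Enum):
    PRE_AUTH = "auth-vlan"            # traffic hairpinned to the NAC Server's captive portal
    REMEDIATION = "remediation-vlan"  # authenticated, but endpoint failed posture
    GUEST = "guest-vlan"
    PRODUCTION = "production-vlan"
    VOICE = "voice-vlan"              # exception-list devices such as VoIP phones


@dataclass
class Endpoint:
    mac: str
    user: Optional[str] = None                       # None -> not yet authenticated
    role: str = "employee"                           # role returned by the auth backend
    agent_report: Optional[Dict[str, bool]] = None   # agent's posture check results


@dataclass
class MockSwitch:
    """Stands in for the Cisco edge switch the NAC Server drives over SNMP (constructed)."""
    port_vlans: Dict[str, str] = field(default_factory=dict)
    snmp_log: List[Tuple[str, str]] = field(default_factory=list)

    def snmp_set_vlan(self, port: str, vlan: str) -> None:
        # A real deployment would issue an SNMP SET against the switch's VLAN MIB here.
        self.port_vlans[port] = vlan
        self.snmp_log.append((port, vlan))


# Posture checks an endpoint must pass before reaching the production VLAN (assumed set).
REQUIRED_CHECKS = ("av_running", "os_patched", "firewall_on")


def posture_ok(report: Optional[Dict[str, bool]]) -> bool:
    """A missing report (no agent installed) counts as a failed posture check."""
    return report is not None and all(report.get(check, False) for check in REQUIRED_CHECKS)


def decide_vlan(ep: Endpoint, exceptions: Dict[str, Vlan]) -> Vlan:
    """Map an endpoint's state to the VLAN it should be placed on."""
    # Profiler-style exception list: known MACs skip user auth and posture entirely.
    if ep.mac.lower() in exceptions:
        return exceptions[ep.mac.lower()]
    if ep.user is None:
        return Vlan.PRE_AUTH            # keep the device in front of the captive portal
    if ep.role == "guest":
        return Vlan.GUEST               # guests are segregated regardless of posture
    if not posture_ok(ep.agent_report):
        return Vlan.REMEDIATION         # let the user fix the endpoint, nothing more
    return Vlan.PRODUCTION


def enforce(ep: Endpoint, port: str, switch: MockSwitch, exceptions: Dict[str, Vlan]) -> Vlan:
    """Decide the VLAN and push it to the switch only when the port actually changes."""
    vlan = decide_vlan(ep, exceptions)
    if switch.port_vlans.get(port) != vlan.value:
        switch.snmp_set_vlan(port, vlan.value)
    return vlan


if __name__ == "__main__":
    switch = MockSwitch()
    # Constructed exception list, as a NAC Profiler would build it for phones and printers.
    exceptions = {"00:11:22:33:44:55": Vlan.VOICE}
    laptop = Endpoint(mac="aa:bb:cc:dd:ee:01")
    print(enforce(laptop, "Gi1/0/1", switch, exceptions))               # auth-vlan
    laptop.user, laptop.agent_report = "alice", {"av_running": True, "os_patched": False}
    print(enforce(laptop, "Gi1/0/1", switch, exceptions))               # remediation-vlan
    laptop.agent_report = {c: True for c in REQUIRED_CHECKS}
    print(enforce(laptop, "Gi1/0/1", switch, exceptions))               # production-vlan
    phone = Endpoint(mac="00:11:22:33:44:55")
    print(enforce(phone, "Gi1/0/2", switch, exceptions))                # voice-vlan
    print(switch.snmp_log)
```

The point the model makes is the one the review makes about the product: the NAC Server's enforcement vocabulary at the edge is "which VLAN", so any finer-grained access control has to live in the switch or in the in-line path.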

Cisco has sold many NAC Appliances specifically to handle the problem of wireless access controls. Cisco also offers a packaging of the NAC Appliance Server in a small Network Module that can be placed in its ISR branch router product line.

This makes deployment based on the NAC Appliance easy in environments where an extra server is a big deal. (Technically, this is not supported in the most current version of the NAC software, but Cisco claims that it will re-enable this capability in a future version.)

While Cisco's overall NAC strategy is in flux, a NAC Appliance investment is likely to come with substantial purchase protection — just be sure to keep your SMARTnet contract up to date.

This story, "Cisco NAC: Strong in-line enforcement" was originally published by Network World.
