Results 1 to 3 of 3
  1. #1
    Senior Member
    Join Date
    Dec 2004

    NAC Appliance and NAC Framework - ambiguous quires

    I have gone through couple of resources about Network Admission Control (NAC)

    I am looking for a correction to my understanding, because I got little bit confused

    There are two admission control solution choices :
    1 NAC Appliance (standalone box)
    2 NAC Framework

    NAC Framework (2) includes the following main components :
    a- Endpoint security application
    b- Posture agent
    c- Network access devices
    d- Cisco Policy server [Cisco Secure Access Control Server (CS ACS)]
    e- Optional servers that operate as policy server decision points and audit servers
    f- Optional management and reporting tools are highly recommended

    Q1- NAC Appliance it standalone box ,,,,does that mean that NAC appliance includes (built-in) all the necessary (not optional) components , which are belong to NAC Framework (please see above) ?

    Q2- The architecture of NAC Framework includes many different components from Cisco and other vendors (third party),,,,,,What about NAC appliance does it also include same components from other vendors (third party) ?

    Q3- How does NAC appliance get updated ? since it is standalone box ? do we have to connect it to net to get the necessary updates ?

    Q4- If I am looking to implement (install) NAC Appliance within my network do I need to use CS ACS (I guess we do not need to use CS ACS, see link below) or I have to use other components ?
    Customers are recommended to consider the NAC Framework only when one of the following applies:
    Cisco Secure Access Control Server (ACS) is required as the central policy server in the NAC deployment
    Q5- The initial release of cisco NAC Framework became available June 2004 ,,,,what about NAC Appliance ? (i.e is it new technology )?

    Q6- I could not get what does he mean by : words " in-band " and " inline " in the below quote ?
    NAC Appliance must be deployed as an in-band deployment to support WLANs. In an in-band deployment, the NAC Appliance server is always inline with user traffic-before, during, and after authentication, posture assessment, and remediation.
    Last edited by zillah; March 18th, 2007 at 05:06 PM.

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Washington D.C. area
    First of all, Cisco NAC is not meeting the promises they deliver. This is true even if you update all of your IOS code to meet the baseline required for their "self healing network".

    If I were you, I'd look at a company called Forescout. http://www.forescout.com

    They make an appliance based solution that hangs off of spanning ports. The appliance receives updates a number of ways but the most common is simply by hanging the device off your network on a management interface where it will get updates via your management console.

    I've tested this solution out and I'd place this in production WAY before I'd consider Cisco. Cisco, in my opinion, is still about a year away from being able to meet the promises they've made.

    Oh and...

    I could not get what does he mean by : words ? in-band ? and ? inline?
    These are terms used to describe the placement of the NAC in regards to your network architecture. For example, inline means that the traffic must pass through the device (in one interface and out another). Typically this config is used when you're going to do some sort of IPS. In band simply means that the NAC is architected into your current network. In contrast, out of band means that it communicates and/or is configured outside of your current network. An example of out of band would be a management rail which is used to manage devices on a network completely separate from your production network.

    Last edited by thehorse13; March 18th, 2007 at 12:49 PM.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Senior Member
    Join Date
    Dec 2004
    Thanks TH13 for your input


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts