Aaa Down Policy - Cisco WS-SUP32-GE-3B - Supervisor Engine 32 Software Configuration Manual

Software configuration guide
Chapter 41
Configuring Network Admission Control
Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide, Release 12.2ZY, OL-11439-03, page 41-3

Understanding NAC

The following devices that support NAC on the network perform these roles:

• Endpoint system or client—This is a device (host) on the network such as a PC, workstation, or server that is connected to a switch access port through a direct connection, an IP phone, or a wireless access point. The host, which is running the Cisco Trust Agent (CTA) software, requests access to the LAN and switch services and responds to requests from the switch. This endpoint system is a potential source of virus infections, and its antivirus status needs to be validated before the host is granted network access.

  The CTA software is also referred to as the posture agent or the antivirus client.

• Switch (edge switches)—This is the network access device that provides validation services and policy enforcement at the network edge and controls the physical access to the network based on the access policy of the client. The switch relays Extensible Authentication Protocol (EAP) messages between the endpoints and the authentication server.

  For Catalyst 6500 series switches, the encapsulation information in the EAP messages can be based on the User Datagram Protocol (UDP). When using UDP, the switch uses EAP over UDP (EAPoUDP) frames, which are also referred to as EoU frames.

• Authentication server—This device performs the actual validation of the client. The authentication server validates the antivirus status of the client, determines the access policy, and notifies the switch whether the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the EAP message exchange between the switch and authentication server is transparent to the switch.

  In this release, the switch supports the Cisco Secure Access Control Server (ACS) Version 4.0 or later with RADIUS, authentication, authorization, and accounting (AAA), and EAP extensions.

  The authentication server is also referred to as the posture server.

AAA Down Policy

The AAA down policy is a method of allowing a host to remain connected to the network if the AAA server is not available. Typical deployments of NAC use Cisco Secure ACS to validate the client posture and to pass policies back to the Network Access Device (NAD). If the AAA server cannot be reached when the posture validation occurs, instead of rejecting the user (that is, not providing the access to the network), an administrator can configure a default AAA down policy that can be applied to the host.

This policy is advantageous for the following reasons:

• While AAA is unavailable, the host will still have connectivity to the network, although it may be restricted.

• When the AAA server is again available, a user can be revalidated, and the user's policies can be downloaded from the ACS.

Note: When the AAA server is down, the AAA down policy is applied only if there is no existing policy associated with the host. Typically, during revalidation when the AAA server goes down, the policies being used for the host are retained.
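The decision the NAD makes when the AAA server is unreachable, including the retention rule in the note above, as an added example that is not Cisco's code or configuration. It is a small Python model: the AaaServer and NetworkAccessDevice classes, the host names and the policy names ("full-access", "quarantine", "aaa-down-restricted") are all constructed for illustration; the real policy is whatever the administrator configures on the switch.

```python
# Added example, not Cisco's code: a model of the NAD decision described in
# "AAA Down Policy". Class names, host names and policy names are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

REJECTED = "rejected"  # constructed marker: the host was not granted network access


@dataclass
class AaaServer:
    """Stand-in for Cisco Secure ACS: returns the posture policy for a host, or None if unreachable."""
    reachable: bool = True
    # Constructed posture-validation results, keyed by host name.
    policies: Dict[str, str] = field(default_factory=dict)

    def validate(self, host: str) -> Optional[str]:
        if not self.reachable:
            return None  # the NAD cannot reach the AAA server
        # Hosts with no recorded posture result get the most restrictive policy.
        return self.policies.get(host, "quarantine")


@dataclass
class NetworkAccessDevice:
    """Stand-in for the switch (NAD). down_policy=None means no AAA down policy is configured."""
    down_policy: Optional[str] = None
    # Policy currently associated with each connected host (absent for a host never validated).
    applied: Dict[str, str] = field(default_factory=dict)

    def validate(self, host: str, aaa: AaaServer) -> str:
        policy = aaa.validate(host)
        if policy is not None:
            # Normal path: ACS answered, so apply (or refresh) the downloaded policy.
            self.applied[host] = policy
            return policy
        if host in self.applied:
            # Revalidation while AAA is down: the existing policy is retained;
            # the AAA down policy is NOT applied over it.
            return self.applied[host]
        if self.down_policy is None:
            # No AAA down policy configured: the host is rejected.
            return REJECTED
        # First validation of a host while AAA is down: apply the default AAA down policy.
        self.applied[host] = self.down_policy
        return self.down_policy


def scenario() -> List[str]:
    """Walk through the situations the text describes; returns the policy in effect after each step."""
    aaa = AaaServer(policies={"host-a": "full-access"})
    nad = NetworkAccessDevice(down_policy="aaa-down-restricted")  # constructed policy name
    steps = [nad.validate("host-a", aaa)]       # AAA up: "full-access" downloaded from ACS
    aaa.reachable = False
    steps.append(nad.validate("host-a", aaa))   # AAA down, revalidation: "full-access" retained
    steps.append(nad.validate("host-b", aaa))   # AAA down, new host: "aaa-down-restricted"
    aaa.reachable = True
    aaa.policies["host-b"] = "quarantine"
    steps.append(nad.validate("host-b", aaa))   # AAA back: revalidated, ACS policy downloaded
    return steps


def without_down_policy() -> str:
    """A NAD with no AAA down policy rejects a new host while AAA is unreachable."""
    aaa = AaaServer(reachable=False)
    return NetworkAccessDevice().validate("host-c", aaa)


if __name__ == "__main__":
    print(scenario())
    print(without_down_policy())
```

The order of the checks in validate() is the point: a host that already has a policy keeps it through an AAA outage, the down policy only fills the gap for a host with nothing associated yet, and a later successful revalidation replaces whichever policy was in effect with the one ACS returns.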