IBM Tivoli and Cisco User Manual page 102

Building a Network Access Control Solution with IBM Tivoli and Cisco Systems

Figure 4-3 Armando Banking Brothers network environment for NAC Appliance

When a user connects to the network controlled by NAC Appliance, the CAM is
advised of a linkup notification sent by the user's switch. The CAM checks its
certified user list. If the MAC address is already present on the CAM as a
certified user, and the credentials supplied at login are authenticated by the
CAM, the user will be granted access to the network on their Access VLAN,
which in this case is VLAN 20. If the MAC address is not present, or the
credentials supplied are incorrect, the CAM will send an SNMP-write string to the
user's switch, changing the switchport membership from VLAN 20 to VLAN 120.
The user's IP address remains the same, but their traffic is now forced through
the CAS, which checks policy compliance and handles remediation. Once the CAS
advises the CAM that the client is compliant, the CAM sends another
SNMP-write to the user's switch, changing the switchport membership from VLAN
120 back to VLAN 20. The user, now compliant, has access to the core network,
bypassing the CAS.
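
The decision flow above can be traced with a small model. This is an added example, not code from the manual or from the Cisco or IBM products: the class and method names, port names, MAC addresses and credentials are hypothetical or constructed, and only the VLAN IDs (20 and 120) and the order of events come from the text.

```python
# Added illustration of the out-of-band flow; all names are hypothetical.
# Only the VLAN IDs and the sequence of events are taken from the text.
ACCESS_VLAN = 20    # Access VLAN
AUTH_VLAN = 120     # VLAN whose traffic is forced through the CAS

class Switch:
    """Stands in for the user's switch; snmp_write models the CAM's SNMP write."""
    def __init__(self):
        self.port_vlan = {}
        self.writes = []    # audit trail of (port, old_vlan, new_vlan)

    def snmp_write(self, port, vlan):
        old = self.port_vlan.get(port, ACCESS_VLAN)
        self.port_vlan[port] = vlan
        self.writes.append((port, old, vlan))

class CAM:
    def __init__(self, switch, certified_macs, authenticate):
        self.switch = switch
        self.certified = set(certified_macs)
        self.authenticate = authenticate    # callable(user, password) -> bool
        self.pending = {}                   # mac -> port awaiting a CAS verdict

    def on_linkup(self, port, mac, user, password):
        """Linkup notification from the switch: decide which VLAN the port gets."""
        self.switch.port_vlan.setdefault(port, ACCESS_VLAN)
        if mac in self.certified and self.authenticate(user, password):
            return ACCESS_VLAN              # stays on VLAN 20, no SNMP write
        self.switch.snmp_write(port, AUTH_VLAN)
        self.pending[mac] = port
        return AUTH_VLAN

    def on_cas_compliant(self, mac):
        """CAS reports the client compliant: move its port back to VLAN 20."""
        port = self.pending.pop(mac, None)
        if port is None:                    # assumption: ignore unsolicited reports
            return None
        self.switch.snmp_write(port, ACCESS_VLAN)
        return ACCESS_VLAN

def demo():
    sw = Switch()
    creds = {"alice": "s3cret"}             # constructed sample credentials
    cam = CAM(sw, {"00:11:22:33:44:55"}, lambda u, p: creds.get(u) == p)
    known = cam.on_linkup("Fa0/1", "00:11:22:33:44:55", "alice", "s3cret")
    unknown = cam.on_linkup("Fa0/2", "66:77:88:99:aa:bb", "alice", "s3cret")
    cleared = cam.on_cas_compliant("66:77:88:99:aa:bb")
    return [known, unknown, cleared], sw.writes
```

The `writes` list doubles as an audit trail: every port that returns to VLAN 20 should show a preceding move to VLAN 120.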