IBM Tivoli and Cisco User Manual page 39

Building a Network Access Control Solution with IBM Tivoli and Cisco Systems

Chapter 2. Architecting the solution

If the client is not Security Compliance Manager policy–enabled, it is denied access to the corporate network and may be allowed only restricted access to the Internet or may be denied access to all networks.

When a client is quarantined, the user is given a choice to either remediate manually using the provided instructions or to use an automated remediation process by clicking a button on the pop-up window (if the Tivoli Configuration Manager infrastructure exists).

Figure 2-3 Basic overview of NAC functionality
[Figure labels: Untrusted LAN; Compliant; Non-compliant; Clientless; Healthy; Quarantined; Denied; Remediation LAN; Remediation; TCM Server; Trusted LAN; Corporate Resources]

In general, any admission control solution can base the admission decision on a number of factors. Authentication decisions are identity-based and the admission decisions are based on who is attempting access. Posture decisions are integrity-based and depend on the integrity of the device being used for access.

Posture-based NAC is designed to protect the network from threats introduced by noncompliant workstations. Workstation-related information is presented to the authorization server. It describes the current state of the hardware, operating system, and installed applications (for example, the list of patches installed, version of installed antivirus or personal firewall software, version of virus definition file, the date of the last full scan). With Layer 3 NAC, it is not straightforward to tie the identity-based and posture-based admission decisions together. Since they operate in two different time frames with regard to network
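The posture-based admission decision described on this page, as an added example that is not code from the manual or from the IBM or Cisco products. The `Policy` and `Posture` classes, the threshold values and the patch names are hypothetical and constructed; the states and networks follow the labels in Figure 2-3.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Policy:                      # hypothetical policy; all values are constructed
    required_patches: frozenset
    min_av_version: tuple
    min_definition_version: int
    max_scan_age: timedelta
    clientless_internet: bool      # restricted Internet vs. no network at all

@dataclass(frozen=True)
class Posture:                     # what the workstation reports about itself
    patches: frozenset
    av_version: tuple
    definition_version: int
    last_full_scan: date

def violations(p: Posture, policy: Policy, today: date) -> list:
    """List every failed check so the user gets complete remediation instructions."""
    found = []
    missing = sorted(policy.required_patches - p.patches)
    if missing:
        found.append("missing patches: " + ", ".join(missing))
    if p.av_version < policy.min_av_version:
        found.append("antivirus version below minimum")
    if p.definition_version < policy.min_definition_version:
        found.append("virus definitions out of date")
    # A scan date in the future is treated as a failed check, not as fresh.
    if p.last_full_scan > today or today - p.last_full_scan > policy.max_scan_age:
        found.append("full scan overdue or date invalid")
    return found

def admit(posture: Optional[Posture], policy: Policy, today: date):
    """Return (state, network, violations) for one client."""
    if posture is None:            # no posture agent answered: clientless
        network = "restricted Internet" if policy.clientless_internet else "none"
        return "Denied", network, []
    found = violations(posture, policy, today)
    if found:
        return "Quarantined", "Remediation LAN", found
    return "Healthy", "Trusted LAN", []

# Constructed sample policy and reference date for the demonstration.
POLICY = Policy(frozenset({"PATCH-A", "PATCH-B"}), (8, 0), 4500, timedelta(days=7), True)
TODAY = date(2024, 1, 15)
```

The violation list returned for a quarantined client is what a remediation prompt would show the user; a posture report is self-reported by the workstation, so the checks only bound what a cooperating client claims.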
