
Solution Profile: Cisco NAC Appliance

Cisco Systems offers two distinct NAC solutions.

Its NAC Framework enables organizations to create a comprehensive, universal and highly automated infrastructure for enforcing endpoint security compliance and controlling network admission policies. While Cisco provides the central NAC policy controller and the NAC-enabled network systems, more than 50 vendors provide complementary endpoint security and management software that integrates with the Cisco products. Deploying and managing a Cisco NAC Framework is a major undertaking which requires a substantial investment in hardware, software, services and manpower. View NAC Framework Profile.

In contrast, the NAC Appliance, formerly called Cisco Clean Access, enables organizations to rapidly deploy relatively self-contained endpoint assessment, policy management and remediation services without requiring changes to switches and routers. The NAC Appliance's capabilities are much narrower than those of a full-blown NAC Framework implementation, and the required effort, time and costs are naturally much lower.

Which Cisco NAC solution should you choose?

Cisco recommends the NAC Appliance unless one of the following conditions exists:

  • Extensive integration with 3rd party NAC-enabled products is required
  • The NAC solution must be 802.1x-enabled
  • The deployment of the NAC Appliance is NOT technologically feasible
  • The Cisco Secure Access Control Server (ACS) is the required NAC policy server

Functional Description

The NAC Appliance provides the following primary functions:

Additional notes:
  •  Compliance checking can be scheduled to occur every time access is attempted or at pre-determined time intervals; this requirement and the type of compliance checking can be varied by user role (e.g., executive, general employee, guest)
  •  The NAC Appliance can be deployed in the network either inline or out-of-band (in the latter case it communicates with any switch over SNMP)
  •  Network scanning works on all devices; the agent scan is only available on Windows
  •  All remediation steps are manual for the user, with the exception of the Cisco Security Agent, which can be "updated" automatically. The Cisco Security Agent resides on endpoints, protecting them from day-zero attacks through host intrusion prevention technology.
  •  Rogue devices are blocked by MAC address filtering, which blocks IP spoofing
  •  NAC enforcement can be located anywhere - at the edge, LAN/LAN and WAN/LAN points in the network
  •  802.1x support is NOT required
  •  The Cisco NAC Appliance is pre-packaged with automatic checks from most major antivirus and antispyware vendors, as well as with Microsoft updates. Custom checks are easily added.
  •  The Cisco Security Agent is free.
  •  Redundant NAC Appliance configurations are available and should be viewed as essential
  •  In the case of a failed Windows hotfix, the Cisco NAC Appliance can automatically launch the Windows AutoUpdate tool. If the Cisco NAC Appliance detects an infection or vulnerability, it can push a fix tool to the user (Symantec's MyDoom Fix Tool, for example) and require that user to use it before accessing the network. In addition, any registry setting that is detected can trigger the download of software or scripts that secure the user's device to meet established security policies. The Cisco NAC Appliance is preconfigured with an update mechanism that supports critical Windows updates and antivirus definition updates from most major antivirus vendors.

Key Solution Components

The Cisco Clean Access solution consists of three components:

  • Cisco Clean Access Server. This is an in-band or out-of-band device that acts as the first challenge for any end user trying to access the network. The Cisco Clean Access Server challenges the end user with a login page or requires the download of a Cisco Clean Access Agent before permitting access to the network.
  • Cisco Clean Access Manager. This server manages Cisco Clean Access Servers remotely, globally, or individually and enables administrators to establish user roles, device checks, and remediation requirements. It also acts as the authentication proxy to the authentication servers that reside on the back end.
  • Cisco Clean Access Agent. This is an optional client-side component of the Cisco Clean Access system. It is a read-only client that delivers device-based registry scans. The agent also can act as a remediation "wizard," automating the otherwise Web-based "click-through" process of cleaning a machine. It is downloadable and provisioned over the Internet.

Since Cisco provides a large amount of technical information about the NAC Appliance on its own web site, these details are not repeated on Secure Access Central.

How The Cisco NAC Appliance Works

In the following example a remote user is accessing the network using either a VPN concentrator or an SSL VPN gateway. The Clean Access Server is deployed inline upstream of these perimeter security systems.

[Figure: Cisco NAC Appliance deployment overview (image source: Cisco Systems). The diagram groups the elements into NAC Clients; Cisco Network Access Devices (L2 LAN Switches, L3 LAN Switches / LAN Routers, WAN/LAN Routers, Firewalls, and Secure Access Gateways such as an SSL VPN gateway); NAC Servers (3rd Party Authentication, Internal/external update sites); and the Key NAC Solution Components (Clean Access Manager, Clean Access Server, Clean Access Agent).]

  1. When a user attempts to connect to the network, the request is intercepted by the Clean Access Server (CAS), which challenges the user for his credentials and collects the endpoint's MAC address.

  2. When the user responds, the authentication credentials are forwarded by the CAS, which then passes them along to an authentication server for validation.

  3. If the endpoint is on the certified device list, the user is authorized to access the network.

  4. If the endpoint is not on the certified device list, it is either an unmanaged device or a managed one that is not currently certified.

  5. Depending on the user roles and checking policies that have been defined, either a network scan will run against the device or the user will be required to download the Clean Access Agent, which will perform a client-based scan.

  6. In both cases the CAS will forward the scan results to the Clean Access Manager (CAM), which will compare them to its policies and communicate its decision to the CAS. The CAS will notify the user that access has been authorized - with or without qualification - or instruct the user on how to correct all compliance problems.
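The admission flow in steps 1 to 6, modelled as an added example (not Cisco's code): the roles, certification validity periods, required posture facts, the sample MAC address and the endpoints are all constructed assumptions, chosen to show the certified-list shortcut, the per-role re-check interval, the Windows-only agent scan and the remediate-versus-authorize decision.

```python
"""Added illustration (not Cisco code) of the Clean Access Server admission
flow. Roles, policies, posture facts and endpoints are constructed samples."""
from dataclasses import dataclass

# Assumed role policies: how long a certification stays valid (0 = re-check on
# every access attempt), which scan the role gets, and what posture is required.
ROLE_POLICY = {
    "employee": {"valid_secs": 86400, "scan": "agent",
                 "required": {"av_signatures_current", "critical_hotfixes"}},
    "guest":    {"valid_secs": 0, "scan": "network",
                 "required": {"no_open_backdoor_ports"}},
}

@dataclass
class Endpoint:
    mac: str
    os: str
    findings: set      # posture facts the scan reports (constructed sample data)

certified = {}         # certified device list: MAC -> time of last certification

def choose_scan(role, endpoint):
    """Step 5: the role policy picks the scan, but the agent scan only exists
    for Windows, so every other platform gets the network scan."""
    if ROLE_POLICY[role]["scan"] == "agent" and endpoint.os == "Windows":
        return "agent"
    return "network"

def admit(role, endpoint, now, authenticated=True):
    """Steps 1-6 of the flow; returns (decision, detail)."""
    if not authenticated:                        # step 2: auth server rejected
        return "denied", "authentication failed"
    last = certified.get(endpoint.mac)
    valid = ROLE_POLICY[role]["valid_secs"]
    if last is not None and valid and now - last < valid:
        return "authorized", "device on certified list"          # step 3
    scan = choose_scan(role, endpoint)                          # steps 4-5
    missing = ROLE_POLICY[role]["required"] - endpoint.findings  # step 6
    if missing:
        return "remediate", f"{scan} scan: fix " + ", ".join(sorted(missing))
    certified[endpoint.mac] = now
    return "authorized", f"{scan} scan passed; device certified"

if __name__ == "__main__":
    laptop = Endpoint("00:11:22:33:44:55", "Windows", {"av_signatures_current"})
    print(admit("employee", laptop, now=1000))   # remediate: critical_hotfixes
    laptop.findings.add("critical_hotfixes")
    print(admit("employee", laptop, now=1100))   # authorized, device certified
    print(admit("employee", laptop, now=5000))   # authorized via certified list
```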

Cisco NAC Appliance Product Reference Table

The following table summarizes the key capabilities of the Cisco NAC Appliance. Information on the Cisco NAC Framework is provided for comparative purposes.

Capability                                    | Cisco NAC Framework                                      | Cisco Clean Access
----------------------------------------------+----------------------------------------------------------+-------------------------------------------------------
Product Names                                 |                                                          |
  Product Family                              | Cisco NAC Framework                                      | Cisco Clean Access
  Policy Manager                              | Secure Access Control Server (ACS)                       | Clean Access Manager
  Enforcement Controller                      | Secure Access Control Server (ACS)                       | Clean Access Server
  Compliance Checker                          | Cisco Trusted Agent (CTA)                                | Clean Access Server, Clean Access Agent
  Access Control Point                        | NAC-enabled Catalyst™ switches, Wireless Access Points,  | Clean Access Server (inline install),
                                              | NAC-enabled routers                                      | Catalyst switches (out-of-band install)
Policy Enforcement Usage Scenarios            |                                                          |
  Endpoint Device                             | Not Supported                                            | Not Supported
  Edge LAN Workgroup (Wired & Wireless)       | L2 LAN Switch                                            | Clean Access Server or L2 LAN Switch
  Distribution LAN                            | L3 LAN Switch (LAN Router)                               | L3 LAN Switch (LAN Router)
  Remote Access                               | WAN/LAN Router                                           | Clean Access Server
  Data Center                                 | L3 LAN Switch (LAN Router)                               | Not Applicable
  Supported Network Access Devices            | Cisco Only                                               | Any Vendor
Authentication & Compliance Services          |                                                          |
  User Interface                              | Captive Portal                                           | Captive Portal
  User Authentication Proxy                   | Password; OTP (requires 802.1x)                          | Password
    > User Directory Support                  | RADIUS, Active Directory, LDAP Directories, Novell       | RADIUS, Active Directory, LDAP Directories
    > 802.1x Support                          | LAN Switches & Endpoint (Wired CTA only)                 | Not Required
  Device Authentication                       | User-Authenticated MAC Address (Requires 802.1x)         | User-Authenticated MAC Addresses
  Compliance Checking Rule Sets               | Large 3rd Party SW Rule Set Plus API                     | Large 3rd Party SW Rule Set Plus API
  Posture Checking                            | Client (CTA), Network Scanner (non-Cisco Solution)       | Network Scanner & Endpoint Client (Windows agent only)
  Quarantine Method                           |                                                          | Role-based (inline), VLAN (out-of-band)
Endpoint NAC Software                         |                                                          |
  Agent Type                                  | Installed Client (CTA + 3rd Party Plug-ins)              | None or Installed Client (Windows only)
  Device Support                              | Windows & Linux                                          | All Endpoints (network scan only)
Additional Security Services                  |                                                          |
  Identity-Based Traffic Analysis & Reporting | None                                                     | None
  Intrusion Protection                        | Endpoint (Option) - Windows only                         | None
  User/Group Authorization                    | Policy Manager: granular access control to individual    | Role- and Resource-based
                                              | network resources (works with only some Cisco switches)  |
  Rogue Device Protection                     | User-Authenticated MAC Address                           | Requires 3rd Party product