6.1. Deployment Scenarios and Topologies

When deploying Cisco NAC, a company must first choose which type of Cisco NAC solution it wants to deploy. There are two options:

  • Cisco Clean Access

  • Cisco Network Admission Control Framework

Many of the companies with which I speak are only really aware of the framework option. You'll also hear a lot of FUD claiming that deploying Cisco NAC requires using only Cisco routers and switches, and so on. That is really not the case; it depends on which type of solution you are seeking.

Cisco's own documentation clearly states that the Cisco NAC Appliance (the product name Cisco later gave to Clean Access) is the recommended method of deployment for most customers.

6.1.1. Cisco Clean Access

Cisco Clean Access is Cisco's appliance-based NAC solution. The solution consists of dedicated appliances, and these appliances handle virtually all of the NAC functions. The following are the core components of Cisco Clean Access:

  • Clean Access Manager (CAM)

  • Clean Access Server (CAS)

  • Clean Access Agent (CAA)

The CAM is the brains of Cisco Clean Access. It is the central console of the solution, where all configuration takes place, and the CASs take their policy from it.

CASs are deployed at strategic points in the network and act as the gateway between devices entering the network and the protected network behind them. Each CAS receives its instructions from the CAM and acts as the enforcement intermediary.

The CAA is the software installed on endpoints attempting to gain access to the network. The agent communicates directly with the CAS.

Of these three components, every Cisco Clean Access deployment must have at least one CAM and one CAS. The agent is optional, although it provides the greatest level of granularity and detail when analyzing a device's posture; without it, the assessment is limited to what can be observed from the network side.

The CASs can be deployed in two different ways: In-Band mode and Out-of-Band (OOB) mode. Which mode to use depends on the network where the solution will be implemented, and a mixed deployment, with some CASs In-Band and others Out-of-Band, is possible. The following list shows the criteria that Cisco recommends for determining which mode fits a given scenario:

  • In-Band mode:

    • Shared media ports

    • Bandwidth throttling by role is required

    • Wireless access points (WAPs) are used

    • Voice over IP (VoIP) phones are used

    • The network infrastructure consists of non-Cisco equipment

  • Out-of-Band mode:

    • High throughput

    • Highly routed

    • Campuses, branch offices, and extranets

    • Not suitable with shared media devices (such as hubs and WAPs)

Two of these criteria deserve particular attention. The first is the presence of Cisco networking equipment. Out-of-Band mode depends on the CAM controlling the VLAN assignment of the access switches, so if a network doesn't contain supported Cisco switches, Out-of-Band isn't an option. The second is the use of WAPs. Since many companies are seeking a NAC solution to help control wireless access, it is important to note that In-Band mode is the one used for this: an Out-of-Band VLAN assignment is made per switch port, and every client behind a WAP or hub shares the same port, so they cannot be given different access.

NOTE

With Out-of-Band mode, it is important to ensure that the Cisco equipment on the network is supported by the Clean Access solution; support is tied to specific switch models and IOS versions, not simply to the Cisco brand. The list of supported devices can be found at www.cisco.com/en/US/partner/products/ps6128/prod_release_notes_list.html.

In-Band and Out-of-Band can be somewhat confusing at first, though the concept is really quite simple. With Out-of-Band, the device actually controlling network access is a Cisco switch. It controls access by assigning the system to a VLAN based upon the device's security posture: the port starts in an authentication VLAN and is moved to an access VLAN if the device passes, or to a quarantine VLAN if it fails. The switch learns which VLAN to put the device into from the CAM via Simple Network Management Protocol (SNMP): the switch notifies the CAM of a newly connected device with an SNMP trap, and the CAM changes the port's VLAN with an SNMP set. Because this requires the CAM to hold SNMP write access to every access switch, that credential (community string or SNMPv3 user) effectively controls VLAN assignment across the access layer and must be protected accordingly. This process is illustrated in a simplified manner in Figure 6-1.

Figure 6-1. The Out-of-Band process

With In-Band mode, no Cisco switch plays the role of traffic cop; the Clean Access Server does, because all client traffic passes through it. The CAS restricts and quarantines a system in In-Band mode by applying per-role traffic policies, in effect Access Control Lists (ACLs), to that traffic. This is also why only In-Band mode can throttle bandwidth by role: the CAS stays in the data path after admission, whereas in Out-of-Band mode it drops out of the path once the port has been moved to its VLAN. Figure 6-2 shows a simplified representation of how In-Band mode operates.

6.1.2. The Cisco NAC Guest Server

The Cisco NAC Guest Server was created to help manage guest network access. Rather than have every guest contact the IT department to be granted a username and password for network access, the guest obtains these credentials from a corporate sponsor, who creates the guest account and provides the information to the guest.

Figure 6-2. The In-Band process

The corporate sponsor doesn't decide the policies and restrictions placed on the guest; that is the role of security and IT. The sponsor can be just about any employee (or group of employees) the enterprise would like to perform this administrative task. The sponsor logs in to the Guest Server with the proper credentials, enters the guest's information and the timeframe during which the account is allowed access, and then provides the resulting credentials to the guest user.

The Guest Server does not take the place of the NAC appliances. It is simply a tool that helps with provisioning guest access accounts, and it relies on a separate network enforcement device to actually control access. The network enforcement device can be one of the following:

  • A Cisco NAC appliance

  • Cisco wireless LAN controller
