Compliance check, Quarantined – IBM Tivoli and Cisco User Manual

Chapter 5. Solution design

ABBC will institute posture-based network admission. Systems deemed in
noncompliance will be quarantined and allowed to access only the remediation
network. Figure 5-1 shows a conceptualized view of the functional requirements.

Figure 5-1 NAC solution conceptual functional requirements

The steps of the basic flow are:

1. The workstation, whether local or remote, attempts to access the ABBC network. IEEE 802.1x credentials are supplied.

2. A compliance check is initiated by the Cisco Network Admission Control enabled device (for example, a router, switch, or Clean Access Server). This enforcement device requests the posture status from the client, then queries the Cisco NAC server (may be Cisco Secure Access Control Server or Clean Access Manager) policy to make an access decision. If the system meets the posture policy criteria, it is allowed access to the production network. For illustration purposes we assume that the system does not meet the criteria, and we continue through the flow.

3. Having failed the posture compliance check, the client workstation is denied access to the production network. The workstation is now considered to be in quarantined status and is allowed to access only a subset of the network (what we are calling the remediation network).
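The admission decision in steps 1 through 3, as an added illustration that is not code from the IBM Tivoli or Cisco products: a small Python model in which the enforcement device first checks the 802.1x credentials, then evaluates the client's posture report against the posture policy, and finally places the workstation on the production network or quarantines it to the remediation network. The posture attributes, policy thresholds, segment names, sample hosts and the "no access" outcome for a failed 802.1x authentication are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Network segments from Figure 5-1; the segment names are assumed labels.
PRODUCTION = "production"
REMEDIATION = "remediation"
NO_ACCESS = "none"  # assumed outcome when IEEE 802.1x authentication fails


@dataclass
class Posture:
    """Posture status reported by the client agent (constructed attributes)."""
    host: str
    av_signature_date: date
    patch_level: int
    firewall_enabled: bool
    scm_compliant: bool  # result of the Tivoli SCM client's compliance scan (assumed)


@dataclass
class PosturePolicy:
    """Posture policy held by the NAC server (constructed thresholds)."""
    max_signature_age_days: int = 7
    min_patch_level: int = 10
    require_firewall: bool = True
    require_scm_compliance: bool = True


@dataclass
class Decision:
    """Outcome of the admission decision for one workstation."""
    host: str
    segment: str
    violations: list = field(default_factory=list)


def check_posture(posture: Posture, policy: PosturePolicy, today: date) -> list:
    """Return the policy rules the posture violates; an empty list means compliant."""
    violations = []
    age = (today - posture.av_signature_date).days
    if age > policy.max_signature_age_days:
        violations.append(
            f"antivirus signatures {age} days old (max {policy.max_signature_age_days})")
    if posture.patch_level < policy.min_patch_level:
        violations.append(
            f"patch level {posture.patch_level} below minimum {policy.min_patch_level}")
    if policy.require_firewall and not posture.firewall_enabled:
        violations.append("host firewall disabled")
    if policy.require_scm_compliance and not posture.scm_compliant:
        violations.append("Tivoli SCM compliance scan failed")
    return violations


def admission_decision(credentials_valid: bool, posture: Posture,
                       policy: PosturePolicy, today: date) -> Decision:
    """Steps 1-3 of the flow: 802.1x credentials, compliance check, then admit or quarantine."""
    if not credentials_valid:
        # Assumption: a failed 802.1x authentication yields no network access at all.
        return Decision(posture.host, NO_ACCESS, ["IEEE 802.1x authentication failed"])
    violations = check_posture(posture, policy, today)
    if violations:
        # Noncompliant: quarantined, reachable only the remediation network.
        return Decision(posture.host, REMEDIATION, violations)
    return Decision(posture.host, PRODUCTION)


# Constructed sample posture reports and evaluation date.
TODAY = date(2024, 1, 15)
COMPLIANT_HOST = Posture("ws-101", date(2024, 1, 14), 12, True, True)
STALE_HOST = Posture("ws-102", date(2023, 12, 1), 9, True, False)

if __name__ == "__main__":
    policy = PosturePolicy()
    for host in (COMPLIANT_HOST, STALE_HOST):
        d = admission_decision(True, host, policy, TODAY)
        print(f"{d.host} -> {d.segment} {d.violations}")
```

The violation list returned with a quarantine decision is what the remediation network needs: it tells the workstation (and an operator reading the logs) which policy rules failed, rather than only that access was refused.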

[Figure 5-1 diagram, not reproduced. Labels recovered from the page: Workstation (Tivoli SCM Client, Cisco NAC Agent); Compliance Check; Cisco NAC Server; Posture Policy; Tivoli Security Compliance Manager; Tivoli Configuration Manager; Remediation and Production networks; numbered flow steps 1 through 4.]