
Chapter 5. Solution design (page 101)

recommend that a process be in place for the normal notification and distribution
of required workstation updates and corporate policies; for all but the most
extreme cases, the life cycle management process includes a grace period.

The deployment of the NAC, along with the IBM Integrated Solution for Cisco
Networks, enables ABBC to *enforce* policy by blocking the network access of
noncompliant systems after the expiration of this grace period. Figure 5-2
illustrates a client system in violation of the password quality check. Note that the
remediation handler interface provides the user with a description of the violation
and the steps necessary to resolve the issue. These may or may not include
calling the remote remediation server in order to download appropriate software
and execute the actions to get the workstation back to the compliant state.
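The grace-period enforcement described above can be modelled as a small decision routine. The following is an added example written for this page; it is not code from the Redbook, from IBM Tivoli SCM/TCM, or from Cisco ACS. The class names, the `password_quality` and `antivirus_running` check names, the seven-day grace period and the mapping of outcomes (notify but allow while the grace period runs, quarantine once it expires, deny outright for checks the policy marks as having no grace period) are constructed assumptions for illustration.

```python
"""Toy model of NAC grace-period enforcement (added example, not vendor code).

Posture checks come from the client agent, the policy says how long a
noncompliant machine may keep normal access, and the result is the action
the network access device applies to the access attempt.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Outcomes applied to an access attempt; labels follow the remediation flow.
ALLOW, QUARANTINE, DENY = "Allow", "Quarantine", "Deny"


@dataclass
class PostureResult:
    """One check reported by the client-side agent (constructed shape)."""
    check: str           # e.g. "password_quality"
    compliant: bool
    description: str     # violation text shown by the remediation handler
    remediation: str     # steps or remediation-server action to resolve it


@dataclass
class Policy:
    """Enforcement policy; 'no_grace' lists checks blocked immediately."""
    grace_period: timedelta = timedelta(days=7)
    no_grace: frozenset = frozenset()


@dataclass
class ClientState:
    """Per-client bookkeeping: when each failing check was first observed."""
    first_failed: dict = field(default_factory=dict)


def evaluate(client: ClientState, results: list, policy: Policy, now: datetime):
    """Decide one access attempt.

    Returns (decision, messages). Messages are what the remediation handler
    would display: the violation description plus the steps to fix it.
    Assumed mapping: noncompliant within grace -> Allow (with notification);
    grace expired -> Quarantine (production access blocked, remediation
    server still reachable); check in policy.no_grace -> Deny.
    """
    messages = []
    decision = ALLOW
    for r in results:
        if r.compliant:
            # Back in compliance: clear the clock for this check.
            client.first_failed.pop(r.check, None)
            continue
        first_seen = client.first_failed.setdefault(r.check, now)
        expired = (now - first_seen) >= policy.grace_period
        messages.append(f"{r.check}: {r.description} Remediation: {r.remediation}")
        if r.check in policy.no_grace:
            decision = DENY            # extreme case: no grace period at all
        elif expired and decision != DENY:
            decision = QUARANTINE      # grace period over: block production net
        # otherwise stay at ALLOW: user is notified, access continues for now
    return decision, messages


def demo():
    """Walk one client through the full life cycle (constructed timeline)."""
    policy = Policy(no_grace=frozenset({"antivirus_running"}))
    client = ClientState()
    t0 = datetime(2024, 1, 1, 9, 0)
    weak_pw = PostureResult("password_quality", False,
                            "Password does not meet the corporate quality rules.",
                            "Change the password; the new one must be 12+ characters.")
    first = evaluate(client, [weak_pw], policy, t0)
    later = evaluate(client, [weak_pw], policy, t0 + timedelta(days=8))
    fixed = evaluate(client, [PostureResult("password_quality", True, "", "")],
                     policy, t0 + timedelta(days=8, hours=1))
    return first[0], later[0], fixed[0]


if __name__ == "__main__":
    print(demo())
```

The `first_failed` clock is what turns a one-off check failure into an enforceable grace period: the first failing attempt only notifies, a repeat after the policy's window is quarantined, and a compliant report clears the clock so a remediated workstation returns to normal access on its next attempt.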

Figure 5-2 Remediation process

5.3 Implementation architecture

Network Admission Control (NAC) is not a single product; NAC is an
industry-wide collaboration sponsored by Cisco Systems. As such, a NAC
implementation requires a multivendor collection of physical and logical
components.

As referenced in Figure 5-3 on page 102, the major Cisco components include a
client-side Cisco Trust Agent, a Cisco Network Access Device (NAD) running a
NAC-enabled version of Cisco’s IOS, and a Cisco Secure Access Control Server
(ACS) running Version 4.0 or later software. The major IBM components of the

[Figure 5-2 Remediation process, diagram labels: SCM Client; Production Network; SCM Remediation Handler Interface; TCM Server; Remediation Request; Remediation Updates & Actions; Attempt; Allow; Deny; Quarantine Notification; Cisco NAC]