
Chapter 2. Architecting the solution


If the client is not Security Compliance Manager policy-enabled, it is denied access to the corporate network and may be allowed only restricted access to the Internet or may be denied access to all networks.

When a client is quarantined, the user is given a choice to either remediate manually using the provided instructions or to use an automated remediation process by clicking a button on the pop-up window (if the Tivoli Configuration Manager infrastructure exists).

Figure 2-3 Basic overview of NAC functionality

In general, any admission control solution can base the admission decision on a
number of factors. Authentication decisions are identity-based and the admission
decisions are based on who is attempting access. Posture decisions are
integrity-based and depend on the integrity of the device being used for access.

Posture-based NAC is designed to protect the network from threats introduced by noncompliant workstations. Workstation-related information is presented to the authorization server. It describes the current state of the hardware, operating system, and installed applications (for example, the list of patches installed, version of installed antivirus or personal firewall software, version of virus definition file, the date of the last full scan). With Layer 3 NAC, it is not straightforward to tie the identity-based and posture-based admission decisions together. Since they operate in two different time frames with regard to network

[Figure 2-3 labels: Compliant, Clientless, Non-compliant; Untrusted LAN, Remediation LAN, Trusted LAN; Healthy, Quarantined, Denied; TCM Server, Corporate Resources, Remediation]
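As an added example (not code from the Redbook or from the Tivoli/Cisco products), the following Python sketch shows how an authorization server could evaluate the posture attributes named above and map the result onto the three client states and LAN zones of Figure 2-3. The patch identifiers, version thresholds, freshness limits and zone names are assumptions chosen for illustration; the list of failed checks doubles as the manual remediation instructions shown to a quarantined user.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy thresholds (assumptions, not values from the manual).
REQUIRED_PATCHES = {"KB-1001", "KB-1002"}
MIN_AV_VERSION = (7, 0)          # major, minor
MAX_DEFINITION_AGE_DAYS = 7      # virus definition file freshness
MAX_SCAN_AGE_DAYS = 30           # last full antivirus scan

# Client state -> network zone, as drawn in Figure 2-3.
LAN_FOR_STATE = {
    "Compliant": "Trusted LAN",
    "Non-compliant": "Remediation LAN",
    "Clientless": "Untrusted LAN",
}


@dataclass
class Posture:
    """Posture report a policy-enabled client presents (dates as ISO strings)."""
    patches: set
    av_version: tuple
    definition_date: str
    last_full_scan: str


def evaluate(posture, today):
    """Return (state, lan, reasons). A posture of None means no policy client."""
    if posture is None:
        # Not Security Compliance Manager policy-enabled: no posture to assess.
        return "Clientless", LAN_FOR_STATE["Clientless"], ["no policy agent present"]
    now = date.fromisoformat(today)
    reasons = []
    missing = REQUIRED_PATCHES - posture.patches
    if missing:
        reasons.append("install patches: " + ", ".join(sorted(missing)))
    if posture.av_version < MIN_AV_VERSION:
        reasons.append("upgrade antivirus to %d.%d or later" % MIN_AV_VERSION)
    if (now - date.fromisoformat(posture.definition_date)).days > MAX_DEFINITION_AGE_DAYS:
        reasons.append("update virus definition file")
    if (now - date.fromisoformat(posture.last_full_scan)).days > MAX_SCAN_AGE_DAYS:
        reasons.append("run a full antivirus scan")
    state = "Compliant" if not reasons else "Non-compliant"
    return state, LAN_FOR_STATE[state], reasons
```

A real deployment would receive these attributes from the posture agent rather than construct them, and the remediation step would hand the reasons list to the Tivoli Configuration Manager workflow when automated remediation is available.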