
1 network admission control – IBM Tivoli and Cisco User Manual


Chapter 3. Component structure

41

The logical components are:

Network Admission Control
Compliance
Remediation

The following sections provide function and architecture details for each
component.

3.1.1 Network Admission Control

Network Admission Control (NAC) is the Cisco component of the solution that
provides enforcement by restricting traffic based on the client's posture. Cisco
NAC can be implemented via NAC Framework or NAC Appliance. NAC
Framework provides NAC functionality within the infrastructure, posturing at the
network access device, whereas NAC Appliance provides posturing on an
appliance. Both NAC Framework and NAC Appliance can be integrated
simultaneously into the network. An overview introducing the concepts of NAC
Framework and NAC Appliance can be found in Appendix B, “Network Admission
Control” on page 471.

Network Admission Control Framework

The Network Admission Control Framework consists of the following
subcomponents:

Posture validation server
Policy enforcement device
Admission control client

Posture validation server

The posture validation server validates the client posture against network access
policy. In our solution the Cisco Secure Access Control Server (ACS) acts as the
posture validation server. The Cisco Secure ACS performs these functions:

It enables administrators to create policies that are used as validation criteria
for clients trying to access the network.

It validates the security posture credentials received from a client machine.
The validation process compares the client’s current posture with a
predefined desired posture.

It forwards the appropriate network access policy for the client to a network
access device, such as a switch, router, VPN concentrator, Adaptive Security
Appliance or access point, to restrict traffic flow based on the client’s posture.
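The three functions listed above (an administrator-defined policy, a comparison of the client's reported posture against that policy, and a resulting access policy handed to the network access device) can be illustrated with a small posture-validation model. The following is an added example written for this page; it is not Cisco Secure ACS code and does not reproduce its protocol. The rule attributes, posture tokens ("Healthy", "Quarantine"), access-policy names and the client credentials are all constructed, hypothetical values.

```python
"""Toy posture validation server, modelled on the validation flow described
in the text: desired posture (policy) vs. current posture (client credentials).
Hypothetical example; attribute names, tokens and ACL names are invented."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PostureRule:
    """One validation criterion the administrator defines (constructed)."""
    attribute: str          # credential attribute the client reports
    minimum: int            # desired posture: value must be >= minimum
    required: bool = True   # a missing attribute fails the rule when True


@dataclass
class AccessDecision:
    """What the posture validation server forwards for enforcement."""
    token: str                       # posture token, e.g. "Healthy"
    access_policy: str               # policy the network access device applies
    failed_rules: List[str] = field(default_factory=list)


# Administrator-defined desired posture (constructed values).
DESIRED_POSTURE: List[PostureRule] = [
    PostureRule("av_signature_version", 1200),
    PostureRule("os_patch_level", 7),
    PostureRule("firewall_enabled", 1),
]

# Posture token -> network access policy pushed to the access device.
# Non-compliant clients are restricted to remediation resources only.
ACCESS_POLICIES: Dict[str, str] = {
    "Healthy": "acl-full-access",
    "Quarantine": "acl-remediation-only",
}


def validate_posture(credentials: Dict[str, int],
                     policy: Optional[List[PostureRule]] = None) -> AccessDecision:
    """Compare the client's current posture with the desired posture and
    return the access decision; every failed rule is recorded so the
    remediation component can tell the client what to fix."""
    policy = DESIRED_POSTURE if policy is None else policy
    failed: List[str] = []
    for rule in policy:
        value = credentials.get(rule.attribute)
        if value is None:
            # Credential not reported: fail closed when the rule requires it.
            if rule.required:
                failed.append(rule.attribute)
            continue
        if value < rule.minimum:
            failed.append(rule.attribute)
    token = "Healthy" if not failed else "Quarantine"
    return AccessDecision(token, ACCESS_POLICIES[token], failed)


def enforcement_message(client_id: str, decision: AccessDecision) -> Dict[str, str]:
    """Build the (hypothetical) instruction handed to the network access
    device: which client, which posture token, which policy to enforce."""
    return {
        "client": client_id,
        "posture_token": decision.token,
        "access_policy": decision.access_policy,
    }


# Constructed client postures: one compliant, one out of policy.
COMPLIANT_CLIENT = {"av_signature_version": 1250, "os_patch_level": 8,
                    "firewall_enabled": 1}
NONCOMPLIANT_CLIENT = {"av_signature_version": 1100, "os_patch_level": 8}

if __name__ == "__main__":
    for name, creds in (("host-a", COMPLIANT_CLIENT),
                        ("host-b", NONCOMPLIANT_CLIENT)):
        decision = validate_posture(creds)
        print(enforcement_message(name, decision), decision.failed_rules)
```

The `failed_rules` list is what makes the decision useful to the remediation component: a quarantined client learns which criteria it missed rather than only that it was restricted. Note the fail-closed handling of a missing credential, which keeps a client that simply omits an attribute from being treated as compliant.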

The Cisco Secure ACS is an authentication, authorization, accounting (AAA)
server that provides a centralized authentication and policy deployment platform