61-9
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 61 Configuring Identity Policies
Network Admission Control on Cisco IOS Routers
Cisco 1700 Series Modular Access Routers (1710, 1720, 1750)
Cisco 1600 Series (1601, 1602, 1603, 1604, 1605)
Cisco ASR 1000 Series Aggregation Services Routers (all models)
Cisco 800 Series (801, 803, 805, 811, 813, 828, 851, 857, 871, 876, 877, 878)
Cisco SOHO 90 Series Secure Broadband Routers (91, 96, 97)
Cisco SOHO 77 Series (71, 76, 77 ADSL, 77 H ADSL, 78)
Understanding NAC Components
NAC contains the following components:

• Cisco Trust Agent (CTA)—The CTA acts as the NAC client. It provides posture credentials for the endpoint device on which it is installed, including the type of operating system and the version of antivirus software installed.

• Network access device (NAD)—The NAD initiates posture validation with the CTA when its Intercept ACL is triggered. It relays posture credentials received from the CTA to a AAA server. In return, the NAD receives configuration information from the AAA server, which it enforces on the selected interface. The NAD also:
  – Periodically polls the CTA to confirm that it is communicating with the same client at this IP address.
  – Revalidates all current sessions.
  – Sends username and password information from devices lacking a CTA (clientless hosts) to the AAA server for authentication.
  – Supports an exception list of predefined actions applied to specific devices, based on the device IP address or MAC address.

  When you configure NAC policies in Security Manager, you are configuring the behavior of the Cisco IOS router acting as the NAD.

• AAA server—The AAA server obtains and validates posture credentials received from the CTA and returns the access policy to be enforced on the NAD. The AAA server must be a Cisco Secure Access Control Server (ACS), running the RADIUS protocol. Existing ACS authorization support can be used to provide access to clientless hosts. Posture validation rules and the access policies resulting from those rules are configured on the ACS.
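The following is an added example, not configuration generated by Security Manager or taken from this guide: it shows the NAD-side IOS commands that correspond to the components above (Intercept ACL, RADIUS to ACS, status-query polling and revalidation of sessions, clientless fallback, and an IP/MAC exception list). All IP addresses, interface, ACL and policy names, and the RADIUS key are assumed values for illustration; the exception-list entries and the remediation server address are hypothetical.

```cisco
! Added example (not from the guide): Cisco IOS router as the NAC Layer 3 IP (EoU) NAD.
! All addresses, names and the RADIUS key below are assumed values.
!
! --- AAA: posture credentials and clientless username/password go to ACS over RADIUS ---
aaa new-model
aaa authentication eou default group radius
aaa authorization network default group radius
! Assumed ACS address and shared secret; use a long, unique secret per NAD in practice.
radius-server host 10.1.1.5 auth-port 1812 acct-port 1813 key Ac5-Sh4red-K3y-Assumed
! Send the host's Framed-IP-Address so ACS can tie the posture result to the session.
radius-server attribute 8 include-in-access-req
radius-server vsa send authentication
!
! --- Intercept ACL: traffic matching this list starts posture validation ---
! Traffic to the ACS itself is excluded so RADIUS and remediation never trigger a session.
ip access-list extended NAC-INTERCEPT
 deny   ip any host 10.1.1.5
 permit ip any any
!
! --- Inbound interface ACL enforced before (and for hosts failing) validation ---
! Only DHCP, DNS, EoU replies, ACS and the (hypothetical) remediation server are reachable.
! The per-host entries ACS returns are inserted ahead of these entries once posture passes.
ip access-list extended NAC-DEFAULT-IN
 permit udp any any eq bootps
 permit udp any any eq domain
 permit udp any any eq 21862
 permit ip any host 10.1.1.5
 permit ip any host 10.1.1.20
 deny   ip any any
!
! --- Exception list: devices without a CTA that get a local policy instead of validation ---
ip access-list extended PRINTER-ONLY
 permit tcp any host 10.1.3.10 eq 9100
 deny   ip any any
identity policy PRINTER-POLICY
 access-group PRINTER-ONLY
identity profile eapoudp
 device authorize ip-address 10.1.2.200 policy PRINTER-POLICY
 device authorize mac-address 0011.2233.4455 policy PRINTER-POLICY
!
! --- EoU session behaviour: CTA polling, periodic revalidation, clientless fallback ---
ip admission name NAC-L3 eapoudp list NAC-INTERCEPT
eou allow clientless
! Status query confirms the same client is still at the IP (seconds).
eou timeout status-query 300
! Full revalidation of every current session (seconds).
eou timeout revalidation 1800
! How long a host that failed validation is held before it may retry (seconds).
eou timeout hold-period 60
eou logging
!
! --- Apply on the user-facing interface ---
interface FastEthernet0/0
 ip address 10.1.2.1 255.255.255.0
 ip access-group NAC-DEFAULT-IN in
 ip admission NAC-L3
```

On the router, `show eou all` lists the posture state of each EoU session and `show ip admission cache` shows the intercepted hosts; `eou revalidate all` forces the revalidation that the NAD otherwise performs on the configured timer. Two checks worth making after deployment: the inbound interface ACL must still let UDP 21862 (EoU) reach the NAD, otherwise the CTA's replies are dropped and every host ends up in the clientless or hold state, and the `device authorize` exception entries bypass posture validation entirely, so they should be limited to hosts that genuinely cannot run a CTA and be paired with a restrictive identity policy as above.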
Related Topics
Understanding NAC System Flow, page 61-9
Network Admission Control on Cisco IOS Routers, page 61-8
Understanding NAC System Flow
As shown in Figure 61-2, the system flow for NAC is:

1. An IP packet from a connecting device triggers the Intercept ACL configured on the NAD.

2. The NAD triggers posture validation with the CTA configured on the device using the Extensible Authentication Protocol over User Datagram Protocol, otherwise known as EAP over UDP, or simply EoU.