Deployment Models

Cisco NAC Framework is a flexible solution providing protection to connected endpoints regardless of network connectivity. As shown in Figure 6-5, it operates across all access methods including campus switching, wired and wireless, WAN and LAN links, IP Security (IPSec) connections, and remote access links.

Figure 6-5. NAC Deployment Scenarios

Source: Cisco Systems, Inc.³

The first NAC Framework deployment rule of thumb is to use the NAC-enabled NAD closest to the endpoints for checking compliance, helping enforce a least-privilege principle. The second rule is that compliance checking for an endpoint should occur at one NAD (closest to the endpoint), not throughout the network. The NAD might not be capable of performing compliance checks or enforcing the admission policy. Examples include non-Cisco devices or an older NAD that does not support NAC. As a result, NAC deployments will vary.

The following sections describe common NAC deployment scenarios.

LAN Access Compliance

NAC monitors desktops and servers within the office, helping to ensure that these endpoints comply with corporate antivirus and operating system patch policies before granting them LAN access. This reduces the risk of worm and virus infections spreading within an organization by expanding admission control to Layer 2 switches.

NAC Framework can also check wireless hosts connecting to the network to ensure that they are properly patched. The 802.1x protocol can be used in combination with device and user authentication to perform this validation using the NAC-L2-802.1x method. Some businesses might not want to use the 802.1x supplicant, so instead they may choose to use the NAC-L2-IP method using either IP or MAC.

NAC can be used to check the compliance of every endpoint trying to obtain network access, not just those managed by IT. Managed and unmanaged endpoints, including contractor and partner systems, may be checked for compliance with antivirus and operating system policy. If the posture agent is not present on the interrogated endpoint, a default access policy can be enforced limiting the endpoint to a specific subnet, thus limiting its ability to infect other devices on the entire network.

WAN Access Compliance

NAC Framework can be deployed at branch or home offices to ensure that endpoints comply with the latest antivirus and operating system patches before allowing them access to WAN or Internet connections to the corporate network. Alternatively, compliance checks can be performed at the main office before access is granted to the main corporate network.

Remote Access Compliance

NAC Framework helps to ensure that remote and mobile worker endpoints have the latest antivirus and operating system patches before allowing them to access company resources through IP Security (IPsec) and other virtual private network (VPN) connections.