Chapter 7. Network Admission Control Appliance


In Chapter 6 you learned about the Network Admission Control (NAC) framework that is implemented with Cisco IOS routers and Catalyst LAN switches. Because NAC Framework is implemented with routers and switches, it leverages the existing network infrastructure.

This chapter describes the NAC appliance, which is also marketed as Cisco Clean Access (CCA). The NAC appliance offers a dedicated NAC deployment option that provides admission control functions including authentication, posture validation, and remediation. The NAC appliance is composed of a server component and a manager component. The NAC appliance server implements the admission control features, whereas the NAC appliance manager configures the policies on the NAC appliance servers. The NAC appliance also features an optional client agent for the Windows end stations within the network. The client agent provides additional security posture validation options, including Windows registry value, file, service, and application checks. The client agent can also assist the remediation process by helping the end station download the software updates necessary to authenticate and safely join the network.

There are several deployment options for the NAC appliance. The NAC appliance server can be deployed in-band or out-of-band. An in-band deployment ensures that all data from the authenticated client flows through the NAC appliance server. An out-of-band deployment allows the NAC appliance server to be removed from the client's data flow after a successful authentication and the subsequent network scans for posture validation.



Self-Defending Networks: The Next Generation of Network Security
ISBN: 1587052539
Pages: 112
