Figure 4-3 Armando Banking Brothers network environment for NAC Appliance

When a user connects to the network controlled by NAC Appliance, the CAM is notified by a linkup notification sent from the user's switch. The CAM then checks its certified user list. If the MAC address is already present on the CAM as a certified device, and the credentials supplied at login are authenticated by the CAM, the user is granted access to the network on the Access VLAN, which in this case is VLAN 20. If the MAC address is not present, or the credentials supplied are incorrect, the CAM sends an SNMP write to the user's switch, changing the switchport membership from VLAN 20 to VLAN 120. The user's IP address remains the same, but all traffic is now forced through the CAS. The CAS checks policy compliance and performs remediation where required. Once the CAS advises the CAM that the client is compliant, the CAM sends another SNMP write to the user's switch, changing the switchport membership from VLAN 120 back to VLAN 20. The user, now compliant, has access to the core network and no longer passes through the CAS.
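The decision flow just described (linkup notification, certified-list and credential check, SNMP write to VLAN 120, posture result from the CAS, SNMP write back to VLAN 20) is shown below as an added example. It is not code from this Redbook, from IBM Tivoli or from Cisco: the CAM, CAS result and switch are modelled as plain Python objects, and the SNMP write is a method call on a simulated switch that records each VLAN change. The class and method names (CleanAccessManager, Switch.snmp_set_vlan, on_linkup, on_cas_result), the sample MAC addresses and credentials, and the bookkeeping that records a compliant host as certified are assumptions made for this illustration.

```python
"""Simulation of the NAC Appliance out-of-band VLAN flow.

Added example; not code from the IBM Redbook or from Cisco. All names,
sample MACs and credentials below are constructed for the illustration.
"""
from dataclasses import dataclass, field

ACCESS_VLAN = 20   # production Access VLAN (value from the text)
AUTH_VLAN = 120    # authentication VLAN behind the CAS (value from the text)


@dataclass
class Switch:
    """Simulated access switch that the CAM controls via 'SNMP writes'."""
    port_vlan: dict = field(default_factory=dict)   # port -> current VLAN
    write_log: list = field(default_factory=list)   # every write issued, in order

    def snmp_set_vlan(self, port: str, vlan: int) -> None:
        # Stand-in for the SNMP write that changes switchport VLAN membership.
        self.port_vlan[port] = vlan
        self.write_log.append((port, vlan))


@dataclass
class CleanAccessManager:
    """Simulated CAM: certified device list plus the user credential store."""
    switch: Switch
    certified_macs: set = field(default_factory=set)
    credentials: dict = field(default_factory=dict)  # user -> password (constructed)
    pending: dict = field(default_factory=dict)      # mac -> port while on AUTH_VLAN

    def on_linkup(self, port: str, mac: str, user: str, password: str) -> int:
        """Handle a linkup notification; return the VLAN the port ends up in."""
        certified = mac in self.certified_macs
        authenticated = self.credentials.get(user) == password
        if certified and authenticated:
            # Known device with valid credentials: it stays on the Access VLAN.
            self.switch.snmp_set_vlan(port, ACCESS_VLAN)
            return ACCESS_VLAN
        # Unknown MAC or bad credentials: move the port to the auth VLAN so the
        # host's traffic must pass through the CAS for posture checking.
        self.switch.snmp_set_vlan(port, AUTH_VLAN)
        self.pending[mac] = port
        return AUTH_VLAN

    def on_cas_result(self, mac: str, compliant: bool) -> int:
        """The CAS reports the posture result; compliant hosts go back to VLAN 20."""
        port = self.pending.get(mac)
        if port is None:
            raise KeyError(f"no pending authentication for {mac}")
        if not compliant:
            return AUTH_VLAN  # remains behind the CAS for remediation
        self.switch.snmp_set_vlan(port, ACCESS_VLAN)
        # Assumption for this example: a host that passed posture is recorded
        # as certified so its next linkup is admitted directly to VLAN 20.
        self.certified_macs.add(mac)
        del self.pending[mac]
        return ACCESS_VLAN


if __name__ == "__main__":
    sw = Switch()
    cam = CleanAccessManager(sw, certified_macs={"00:11:22:33:44:55"},
                             credentials={"alice": "s3cret"})
    print(cam.on_linkup("Fa0/1", "00:11:22:33:44:55", "alice", "s3cret"))  # 20
    print(cam.on_linkup("Fa0/2", "aa:bb:cc:dd:ee:ff", "alice", "s3cret"))  # 120
    print(cam.on_cas_result("aa:bb:cc:dd:ee:ff", compliant=True))          # 20
    print(sw.write_log)
```

The write_log kept by the simulated switch is the part a defender cares about: every VLAN change the CAM makes to a port is an auditable event, and the sequence 20, 120, 20 for a single port is the signature of a host that was quarantined and then remediated. The host keeps its IP address throughout because only the switchport's VLAN membership changes; the path to the rest of the network is what differs between VLAN 120 (through the CAS) and VLAN 20 (direct).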

84 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
