IBM Tivoli and Cisco manual
those users that are in breach of these requirements, and how to remediate them back to a compliant state.

Terms that are used include:

• Network Access Profile

A Network Access Profile is a means to classify access requests according to AAA clients' IP addresses, membership in a network device group, protocol types, or other specific RADIUS attribute values sent by the network device through which the user connects.

A Network Access Profile consists of three components: Authentication, Posture Validation, and Authorization.

• RADIUS Authorization Components

Shared RADIUS Authorization Components (RACs) are configurable sets of RADIUS attributes that may be assigned to user or user group sessions dynamically based on a policy.

• Posture validation

An internal posture validation policy returns a posture token after checking the rules set for the policy. Internal policies are reusable and can be used for posture validation for more than one Network Access Profile.

By supporting Layer 2 NAC we can enforce endpoint compliance on the LAN by using Cisco switches. There are two methods of NAC enablement: NAC L2 IP, which uses EAPoUDP and validates only the posture of the endpoint; and NAC L2 802.1x, which uses an IEEE 802.1X supplicant embedded in the Cisco Trust Agent to provide machine and user authentication in addition to posture validation. The latter is the more secure form of L2 NAC, because it checks who is connecting to the network as well as what is connecting to it.

In our scenario, we focus on the NAC L2 802.1x implementation of NAC. We have defined some user groups and users who have been assigned to those groups.

When a user connects to the network, she is prompted for IEEE 802.1x credentials, in the form of a user name and password. After authentication, the user is mapped to her user group. The ACS then receives the posture credentials from the Cisco Trust Agent installed on the client and derives a System Posture Token from them. Based on the user group and the System Posture Token, the session is mapped to a Shared RADIUS Authorization Component. One of the attributes carried by that Shared RADIUS Authorization Component is the VLAN that the user is assigned to.
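The flow just described, together with the internal posture validation policies defined under Terms above, modelled as an added Python example. This is not code from the Redbook or from Cisco Secure ACS: the user store, the posture attribute names and thresholds, the Checkup and Quarantine RACs, and VLAN 99 are constructed assumptions; only Healthy_Engineering_RAC and VLAN 12 come from the page. The RADIUS tunnel attributes used to carry the VLAN assignment are the standard ones from RFC 3580.

```python
"""Toy model of the NAC L2 802.1x decision flow: 802.1X credentials -> user
group -> posture validation -> System Posture Token (SPT) -> Shared RADIUS
Authorization Component (RAC) -> VLAN.

Added example, not code from the Redbook or from Cisco Secure ACS. Users,
posture attribute names, rule thresholds and every RAC/VLAN other than
Healthy_Engineering_RAC (VLAN 12) are constructed assumptions.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Cisco NAC posture tokens, best to worst. The SPT is the worst token
# returned by any posture validation policy.
TOKENS = ["Healthy", "Checkup", "Transition", "Quarantine", "Infected", "Unknown"]
RANK = {t: i for i, t in enumerate(TOKENS)}


def version(s: str) -> Tuple[int, ...]:
    """Compare dotted version strings numerically, so '10.2' > '9.9'."""
    return tuple(int(p) for p in s.split("."))


@dataclass
class Rule:
    attribute: str   # posture attribute name (constructed, e.g. 'AV:DAT-Version')
    op: str          # 'eq' or 'ge'
    value: str
    token: str       # posture token returned when the rule matches

    def matches(self, creds: Dict[str, str]) -> bool:
        got = creds.get(self.attribute)
        if got is None:                      # attribute not reported by the agent
            return False
        if self.op == "eq":
            return got == self.value
        if self.op == "ge":
            return version(got) >= version(self.value)
        raise ValueError(f"unknown operator {self.op}")


@dataclass
class PosturePolicy:
    """Internal posture validation policy: rules are evaluated in order and the
    first match wins; the default token applies when nothing matches (fail closed)."""
    name: str
    rules: List[Rule]
    default_token: str = "Quarantine"

    def evaluate(self, creds: Dict[str, str]) -> str:
        for rule in self.rules:
            if rule.matches(creds):
                return rule.token
        return self.default_token


# --- constructed policy data (assumptions, not from the page) -----------------
USERS = {"jim": ("s3cret", "Engineering")}          # user -> (password, group)

POLICIES = [
    PosturePolicy("CTA-Version", [Rule("Cisco:PA:CTA-Version", "ge", "2.0", "Healthy")]),
    PosturePolicy("AntiVirus", [
        Rule("AV:DAT-Version", "ge", "5.0", "Healthy"),
        Rule("AV:DAT-Version", "ge", "4.0", "Checkup"),   # compliant, update recommended
    ]),
]

# (group, SPT) -> (RAC name, VLAN). Only the Healthy entry is on the page.
RACS = {
    ("Engineering", "Healthy"): ("Healthy_Engineering_RAC", 12),
    ("Engineering", "Checkup"): ("Checkup_Engineering_RAC", 12),
}
QUARANTINE_RAC = ("Quarantine_RAC", 99)   # assumed remediation VLAN


def authenticate(user: str, password: str) -> Optional[str]:
    """IEEE 802.1x credential check; returns the user's group, or None on failure."""
    entry = USERS.get(user)
    if entry is None or not hmac.compare_digest(entry[0], password):
        return None
    return entry[1]


def system_posture_token(creds: Dict[str, str]) -> str:
    """SPT = worst token across all posture validation policies."""
    return max((p.evaluate(creds) for p in POLICIES), key=lambda t: RANK[t])


def authorize(group: str, spt: str) -> Tuple[str, int]:
    """Map (group, SPT) to a Shared RAC; any unmapped pair lands in quarantine."""
    return RACS.get((group, spt), QUARANTINE_RAC)


def vlan_attributes(vlan: int) -> Dict[str, str]:
    """RFC 3580 tunnel attributes a RAC carries to place the port in a VLAN."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan)}


def access_request(user: str, password: str, creds: Dict[str, str]) -> Dict[str, object]:
    """Full NAP decision for one session: authenticate, validate posture, authorize."""
    group = authenticate(user, password)
    if group is None:
        return {"result": "Access-Reject"}
    spt = system_posture_token(creds)
    rac, vlan = authorize(group, spt)
    return {"result": "Access-Accept", "group": group, "spt": spt,
            "rac": rac, "attributes": vlan_attributes(vlan)}


if __name__ == "__main__":
    healthy = {"Cisco:PA:CTA-Version": "2.1", "AV:DAT-Version": "5.3"}
    stale = {"Cisco:PA:CTA-Version": "2.1", "AV:DAT-Version": "3.7"}
    print(access_request("jim", "s3cret", healthy))   # Healthy_Engineering_RAC, VLAN 12
    print(access_request("jim", "s3cret", stale))     # Quarantine_RAC, VLAN 99
    print(access_request("jim", "wrong", healthy))    # Access-Reject
```

Two points the prose leaves implicit are made explicit here: the SPT is the worst token returned by any policy, so a single stale component is enough to quarantine an otherwise healthy host, and any (group, token) pair without an explicit RAC falls through to the quarantine RAC rather than to a permissive default.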

An example of this mapping is as follows. Jim is a member of the Engineering Group.

When Jim logs on, he successfully authenticates to IEEE 802.1x. His posture assessment is Healthy, so Jim is mapped to the Healthy_Engineering_RAC (VLAN 12). Should Jim pass his IEEE 802.1x authentication, but receive a

112 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems