devices seeking to access network computing resources, thereby limiting damage from viruses and worms.

Using NAC, organizations can provide network access to endpoint devices such as PCs, PDAs, and servers that are verified to be fully compliant with an established security policy. NAC can also identify noncompliant devices and deny them access, place them in a quarantined area, or give them only restricted access to computing resources.

NAC is part of the Cisco Self-Defending Network, an initiative to increase network intelligence in order to enable the network to automatically identify, prevent, and adapt to security threats.

Network Admission Control offers the following benefits:

- Comprehensive span of control – All of the access methods that hosts use to connect to the network are covered, including campus switching, wireless access, router WAN links, IP Security (IPSec) remote access, and dialup.

- Extension of existing technologies and standards – NAC extends the use of existing communications protocols and security technologies, such as Extensible Authentication Protocol (EAP), 802.1x, and RADIUS services.

- Extension of existing network and security software investments – NAC combines existing investments in network infrastructure and security technology to provide a secure admission-control solution.

Network Admission Control is a strategic program in which Cisco shares technology features with approved program participants. Participants design and sell third-party client and server applications that incorporate these features, which are compatible with the Network Admission Control (NAC) infrastructure.

Network Admission Control can operate at Layer 3 or Layer 2. In Cisco terms, Layer 3 NAC uses EAP transported on UDP packets and is called EAPoverUDP, or EOU. In Layer 2 NAC, the Extensible Authentication Protocol (EAP) is transported on 802.1x frames and is called EAPoverLAN, or EAPOL.

Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
