IBM Tivoli and Cisco manual Cisco NAC and Ieee, Acs

access, this is an acceptable solution. Users are authenticated and placed into a default network based on their identity. It is not until the user attempted access across a NAC-enabled router that the integrity check was performed.

With Layer 2 NAC, identity enforcement via 802.1x delivers access control by checking authorization of the user to connect to the network. The identity can be verified based on different means, such as user name/password or PKI public certificates, but more importantly, it allows both identity and posture to be validated before network access is granted. This allows users to be assigned into specific networks based on their identity and assigned groups with posture-based checking, providing an additional way to control a user’s traffic.

Figure 2-4 Layer 3 and Layer 2 NAC overview

Cisco NAC and IEEE 802.1x

An interesting terminology question to ask is: How does this solution relate to the IEEE 802.1x protocol? In this section we explain the basic difference and how

these two solutions can complement each other.

IEEE 802.1x is an identity-based network authentication protocol used at Layer 2 level to allow or disallow a specific user to connect to the network based on user or machine credentials.

22Building a Network Access Control Solution with IBM Tivoli and Cisco Systems