- In the Cisco NAC solution, the EAP header is extended with posture data, and the admission process is based on policies governing the network admission decision. Those policies consider all of the attributes provided by the posture agent (Cisco Trust Agent) to determine the client's health and security compliance status.
- In generic 802.1x, the identity credential is used for authentication.
- In the Cisco NAC solution, the posture credential of the client device is used for authentication.

IEEE 802.1x and NAC can be combined easily to provide a stepped-up level of security in corporate networks. The selected authentication and network admission protocols will determine which client software or supplicants are loaded on the client.

Note: In this section we used the term authentication to discuss the differences and similarities between IEEE 802.1x and the Cisco NAC process.

Regarding 802.1x, we can accurately speak of authentication because individuals provide credentials to gain access to protected resources. In the Cisco NAC process, we examine the posture status of a client machine in order to grant general network access — a process not usually considered an authentication.

Posture agent

The posture agent is a software agent residing on the client capable of communicating with the NAC-enabled network device before the client is granted network access. It aggregates security posture information from the NAC-compliant applications running on the network client and sends it to the posture verification server. In the present solution, the role of the posture agent is performed by Cisco Trust Agent. Third-party applications including the IBM Tivoli Security Compliance Manager client register with the posture agent using a plug-in. More information can be found in 3.2.1, “Network client” on page 52.

Network identity provisioning

With posture-based Network Admission Control, the client requires a set of software components to be able to connect to the network. It is feasible to assign different security policies to different groups of clients and to check for compliance with complex rules concerning all of the clients' attributes. However, all clients running the same version of an operating system, for example, are typically governed by the same security policy. Looking at the generic design, the NAC solution makes no differentiation between who the clients belong to or who is actually trying to connect to the network.
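To make the policy-driven admission decision described above concrete, the following added example (not code from the Redbook, Cisco, or IBM Tivoli) evaluates a constructed set of posture attributes against a per-group policy and returns one posture token. The token names follow the Cisco NAC Framework; the attribute names, thresholds, patch identifiers and sample clients are assumptions made up for this illustration, and the user's identity is deliberately absent from the inputs.

```python
from dataclasses import dataclass
from datetime import date

# Posture tokens as named in the Cisco NAC Framework; the thresholds, attribute
# names and sample data below are constructed for this example only.
HEALTHY, CHECKUP, QUARANTINE, UNKNOWN = "Healthy", "Checkup", "Quarantine", "Unknown"
SEVERITY = {HEALTHY: 0, CHECKUP: 1, QUARANTINE: 2, UNKNOWN: 3}


@dataclass(frozen=True)
class Policy:
    """Admission rules for one client group (for example, one OS version)."""
    min_os_build: int
    max_av_signature_age_days: int
    required_patches: frozenset


def evaluate_posture(attrs: dict, policy: Policy, today: date):
    """Worst per-check verdict wins. attrs is what the posture agent aggregated
    from its plug-ins; the user's identity is deliberately not an input, since the
    decision concerns the machine's compliance state, not an identity credential."""
    verdicts = []
    for key in ("os_build", "av_signature_date", "installed_patches"):
        if key not in attrs:  # a check that never reported cannot be judged compliant
            verdicts.append((UNKNOWN, f"{key} not reported by posture agent"))
    if "os_build" in attrs and attrs["os_build"] < policy.min_os_build:
        verdicts.append((QUARANTINE, f"os_build {attrs['os_build']} below minimum"))
    if "av_signature_date" in attrs:
        age = (today - attrs["av_signature_date"]).days
        if age > policy.max_av_signature_age_days:
            verdicts.append((QUARANTINE, f"AV signatures {age} days old"))
        elif age > policy.max_av_signature_age_days // 2:  # admitted, but flagged
            verdicts.append((CHECKUP, f"AV signatures {age} days old, update soon"))
    if "installed_patches" in attrs:
        missing = policy.required_patches - set(attrs["installed_patches"])
        if missing:
            verdicts.append((QUARANTINE, "missing patches: " + ", ".join(sorted(missing))))
    if not verdicts:
        return HEALTHY, []
    worst = max(verdicts, key=lambda v: SEVERITY[v[0]])[0]
    return worst, [reason for _, reason in verdicts]


# Constructed policy for one client group and two constructed posture reports.
XP_POLICY = Policy(min_os_build=2600, max_av_signature_age_days=14,
                   required_patches=frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2"}))
TODAY = date(2006, 3, 1)
COMPLIANT_CLIENT = {"os_build": 2600, "av_signature_date": date(2006, 2, 27),
                    "installed_patches": ["KB-EXAMPLE-1", "KB-EXAMPLE-2"]}
STALE_CLIENT = {"os_build": 2600, "av_signature_date": date(2006, 1, 20),
                "installed_patches": ["KB-EXAMPLE-1"]}
```

A real posture validation server would map the returned token to a network access profile (full access, remediation VLAN, and so on); the reasons list is what an administrator would want logged for each admission decision.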
