Figure 2-5 illustrates a possible NAC deployment scenario.

[Figure 2-5 image not reproduced. Labels recovered from the diagram: Branch Office; AAA Server (ACS); SCM Server; Branch Router; Edge Router; Campus FW; Internet; Dial-in; RA IPsec; NAS; VPN; Mobile Corporate Network Users. Protocol labels on the links: EAP/UDP; RADIUS (posture); EAP 802.1x (wireless); EAP/UDP; EAP 802.1x (wired). Numbered network segments 1 to 6 are referenced in the text below.]

Figure 2-5 NAC deployment scenario

Typical candidates for NAC protection are the networks (both wireless and wired) that mobile users use to connect to the intranet while visiting the office [1], as well as the dial-up and VPN networks used to connect remotely [2,3]. (Especially in a dial-up and VPN environment, NAC enables posture control of the users (clients) connecting to the intranet, where other methods of enforcing compliance are limited.) In the next step, all branch office networks [4] can be protected with NAC. Finally, the solution can be extended to cover all wireless networks [5] and the stationary networks in the main campus [6].

A second factor strongly influencing project scope is the availability of automated remediation. As the number of quarantined clients increases, the number of help desk calls grows, raising the total cost of ownership (TCO) for the solution.

Chapter 2. Architecting the solution

27
