meantime, the Clean Access Manager provides port-level or role-level control by assigning switch ports to specific VLANs, assigning users to specific roles that map to specific VLANs, and enforcing a time-based session timeout per role. Cisco Clean Access out-of-band is most appropriate for high-throughput, highly routed environments such as campuses, branch offices, and extranets. Because control is applied per switch port, it is not suitable for use with shared media devices such as hubs and wireless access points, where several clients share one port. The out-of-band deployment mode is ideal for environments with the following characteristics:

- Healthy user traffic does not flow through the Clean Access Server (CAS).

- Posture-based VLAN segmentation.

- Voice over IP (VoIP) phones.
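The port-level control described above can be modelled as a small state machine: a newly connected port sits in an authentication VLAN (where its traffic passes through the CAS), a successful posture check moves the port to the VLAN mapped to the user's role, and the role's session timeout returns the port to the authentication VLAN so the client is re-checked. The following is an added example written for this page, not code from the Redbook, from Cisco or from IBM Tivoli; the VLAN numbers, role names, port names and timeouts are all constructed for illustration.

```python
"""Simulation of Clean Access out-of-band port/role/VLAN control (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical authentication (quarantine) VLAN: traffic here traverses the CAS.
AUTH_VLAN = 999


@dataclass
class Role:
    """A user role, the access VLAN it maps to, and its session timeout in seconds (0 = none)."""
    name: str
    access_vlan: int
    session_timeout: int


@dataclass
class PortState:
    """What the manager currently believes about one switch port."""
    vlan: int = AUTH_VLAN
    user: Optional[str] = None
    role: Optional[str] = None
    expires_at: Optional[float] = None


class CleanAccessManager:
    """Minimal model of the CAM's out-of-band decisions (not the real product API)."""

    def __init__(self, roles: List[Role]) -> None:
        self.roles: Dict[str, Role] = {r.name: r for r in roles}
        self.ports: Dict[str, PortState] = {}

    def link_up(self, port: str) -> int:
        """A device appears on a port: it starts in the authentication VLAN."""
        self.ports[port] = PortState()
        return self.ports[port].vlan

    def admit(self, port: str, user: str, role_name: str, posture_ok: bool, now: float) -> int:
        """Apply the posture result: move the port to the role's VLAN or keep it quarantined."""
        state = self.ports[port]
        if not posture_ok:
            # Failed posture: remain in AUTH_VLAN for remediation, traffic still via CAS.
            return state.vlan
        role = self.roles[role_name]
        state.user = user
        state.role = role.name
        state.vlan = role.access_vlan  # healthy traffic now bypasses the CAS
        state.expires_at = now + role.session_timeout if role.session_timeout else None
        return state.vlan

    def tick(self, now: float) -> List[str]:
        """Expire sessions whose role timeout has elapsed; return ports reverted to AUTH_VLAN."""
        reverted = []
        for name, state in list(self.ports.items()):
            if state.expires_at is not None and now >= state.expires_at:
                self.ports[name] = PortState()  # back to quarantine for a fresh posture check
                reverted.append(name)
        return reverted

    def vlan_of(self, port: str) -> int:
        return self.ports[port].vlan


if __name__ == "__main__":
    # Constructed roles: employees get VLAN 10 for an hour, guests VLAN 20 for ten minutes.
    cam = CleanAccessManager([Role("employee", 10, 3600), Role("guest", 20, 600)])
    cam.link_up("Gi1/0/5")
    print(cam.admit("Gi1/0/5", "alice", "employee", posture_ok=False, now=0))  # stays 999
    print(cam.admit("Gi1/0/5", "alice", "employee", posture_ok=True, now=0))   # moves to 10
    print(cam.tick(now=3600))  # ["Gi1/0/5"] reverted to the authentication VLAN
```

The model makes the shared-media caveat concrete: the only handle the manager has is the port's VLAN, so a hub or access point behind that port would carry every attached client into the role VLAN on the strength of one client's posture check.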

NAC Appliance integration

At the time of writing, Cisco is offering two separate Network Admission Control solutions: NAC Framework and NAC Appliance. Applications that are compatible with NAC Framework do not work with NAC Appliance, because the two interfaces are currently dissimilar. Cisco has stated its intention to make the NAC Framework and NAC Appliance solutions compatible, but at the current time this is not the case. Most of the content of this publication up to this point has been relevant to NAC Framework and does not necessarily apply to NAC Appliance.

However, NAC Appliance has been deployed by a larger set of customers than NAC Framework, simply because of its lower cost and smaller deployment footprint. In order to give Cisco NAC Appliance customers access to the compliance and remediation capabilities that we currently provide for NAC Framework, this integration has been prototyped as a proof of concept. It is designed to provide an easy migration from NAC Appliance to NAC Framework as customers expand their NAC deployments. In fact, with this design the Tivoli Compliance and Remediation solution can be deployed simultaneously with both NAC Framework and NAC Appliance if so desired. Customers can therefore develop compliance policies and remediation objects for the Tivoli subsystems once, and that investment is protected regardless of which alternative they select.

This section describes the integration of the current Tivoli Compliance and Remediation components with NAC Appliance. Many of the components used to perform this integration are not in production at the time of this writing and hence are not currently supported. However, this integration delivers an automated remediation capability and the ability to monitor clients after they have been admitted to the network. The value that these features add to a NAC Appliance solution is significant enough to warrant the description of this integration herein, with the expectation that production-quality versions of these components will become generally available.

Appendix A. Hints and tips 457

IBM Tivoli and Cisco manual NAC Appliance integration