Posture validation and policy enforcement (flow 3)

This section describes how a client in a live environment connects to the network and how Cisco Secure ACS validates its posture. After validation, the client is granted network access according to that posture.

Client network access (3a)

The network client initiates IP traffic that crosses a NAC-enabled routing point or connects to a switch running 802.1X. The NAD initiates an EAP session and forwards the EAP identity of the NAC client computer to Cisco Secure ACS. The ACS then establishes a PEAP (Protected Extensible Authentication Protocol) session with the NAC client computer, so that the subsequent posture exchange runs inside a TLS tunnel: the credentials are encrypted and integrity-protected, and the client can verify the ACS server certificate.

Posture query (3b)

When the NAD's conditions for triggering posture validation are met, it applies a default access policy to the client's network traffic (this policy stays in force until validation completes), initiates an EAP session with the client, and queries the client for its posture credentials.

Posture status reply (Cisco Trust Agent - NAD) (3c)

The Cisco Trust Agent, running on the network client, receives the posture credential request and in turn requests security posture credentials from the NAC-compliant applications (in this case, the Security Compliance Manager client). These credentials are requested and returned through posture plug-ins provided by IBM: the Security Compliance Manager client component answers with the posture credentials it collected in 2b. The Cisco Trust Agent then sends this information to the NAD.

Posture status reply (NAD - ACS) (3d)

The NAD transfers the posture credentials to the Cisco Secure ACS using EAP over RADIUS (EAPoRADIUS).

Posture evaluation (3e)

Cisco Secure ACS evaluates the security posture credentials against the rules in its local database. The result of the evaluation is an application posture token. There is one token per NAC-compliant application that reported credentials, so if applications other than Security Compliance Manager are used, there are multiple application posture tokens.
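The following is an added example, not code from the Redbook, Cisco Secure ACS or Security Compliance Manager. It models step 3e with constructed data: per-application rules are evaluated top-down against the credentials the Cisco Trust Agent forwarded, each application gets an application posture token, and the tokens are consolidated into a system posture token using the Cisco NAC convention that the system token is the worst of the application tokens. The rule syntax, the attribute names (`violations`, `scan-age-hours`, `engine-running`, `dat-version`), the application names, the access-policy names and the credential values are all assumptions made for illustration, as is the use of `Unknown` when an application returns no credentials.

```python
"""Added example (not from the Redbook): ACS-style posture evaluation (3e).

Rule format, attribute names, application names, ACL names and the sample
credential values are assumptions for illustration only.
"""
from __future__ import annotations

import operator
from dataclasses import dataclass

# Cisco NAC posture tokens, ordered from best to worst; consolidation below
# relies only on this ordering (assumed ordering, Unknown treated as worst).
TOKENS = ["Healthy", "Checkup", "Transition", "Quarantine", "Infected", "Unknown"]
RANK = {t: i for i, t in enumerate(TOKENS)}

_OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
        "<=": operator.le, ">": operator.gt, "<": operator.lt}


def _norm(value):
    """Turn dotted numeric version strings into int tuples so '7.0.10' > '7.0.9'."""
    if isinstance(value, str) and all(p.isdigit() for p in value.split(".")):
        return tuple(int(p) for p in value.split("."))
    return value


@dataclass
class Rule:
    """If every (attribute, operator, value) condition holds, yield `token`."""
    token: str
    conditions: list[tuple[str, str, object]]

    def matches(self, creds: dict[str, object]) -> bool:
        for attr, op, want in self.conditions:
            if attr not in creds:          # a missing attribute never satisfies a rule
                return False
            if not _OPS[op](_norm(creds[attr]), _norm(want)):
                return False
        return True


def evaluate_application(rules: list[Rule], creds: dict[str, object],
                         default: str = "Unknown") -> str:
    """Application posture token: first matching rule wins, else the default."""
    for rule in rules:
        if rule.matches(creds):
            return rule.token
    return default


def evaluate_posture(policies: dict[str, list[Rule]], all_creds: dict[str, dict],
                     default: str = "Unknown") -> tuple[dict[str, str], str]:
    """One application posture token per configured application, then the
    worst-case system posture token across all of them."""
    app_tokens = {app: evaluate_application(rules, all_creds.get(app, {}), default)
                  for app, rules in policies.items()}
    system = max(app_tokens.values(), key=RANK.__getitem__) if app_tokens else default
    return app_tokens, system


# Constructed rules (not the ACS rule format), evaluated top-down.
POLICIES = {
    "SecurityComplianceManager": [
        Rule("Healthy",    [("violations", "==", 0), ("scan-age-hours", "<=", 24)]),
        Rule("Checkup",    [("violations", "==", 0), ("scan-age-hours", ">", 24)]),
        Rule("Quarantine", [("violations", ">", 0)]),
    ],
    "AntiVirus": [
        Rule("Healthy",    [("engine-running", "==", True), ("dat-version", ">=", "4500.0")]),
        Rule("Checkup",    [("engine-running", "==", True)]),
        Rule("Quarantine", [("engine-running", "==", False)]),
    ],
}

# Assumed mapping from system posture token to the access policy the NAD enforces.
ACCESS_POLICY = {"Healthy": "permit-all", "Checkup": "permit-all",
                 "Transition": "quarantine-acl", "Quarantine": "quarantine-acl",
                 "Infected": "deny-all", "Unknown": "deny-all"}

# Constructed credential sets, as forwarded by the Cisco Trust Agent in 3c/3d.
COMPLIANT_HOST = {"SecurityComplianceManager": {"violations": 0, "scan-age-hours": 6},
                  "AntiVirus": {"engine-running": True, "dat-version": "4512.0"}}
STALE_HOST = {"SecurityComplianceManager": {"violations": 0, "scan-age-hours": 72},
              "AntiVirus": {"engine-running": True, "dat-version": "4490.0"}}
NONCOMPLIANT_HOST = {"SecurityComplianceManager": {"violations": 3, "scan-age-hours": 6},
                     "AntiVirus": {"engine-running": True, "dat-version": "4512.0"}}
NO_CTA_REPLY: dict[str, dict] = {}   # client returned no posture credentials at all


def decide(all_creds: dict[str, dict]) -> dict:
    """Full 3e decision for one client: application tokens, system token, policy."""
    app_tokens, system = evaluate_posture(POLICIES, all_creds)
    return {"application_tokens": app_tokens, "system_token": system,
            "access_policy": ACCESS_POLICY[system]}


if __name__ == "__main__":
    for name, creds in [("compliant", COMPLIANT_HOST), ("stale", STALE_HOST),
                        ("noncompliant", NONCOMPLIANT_HOST), ("no reply", NO_CTA_REPLY)]:
        print(name, decide(creds))
```

Two design points worth noting: a credential set that omits an attribute fails every rule naming it, so a client that stops reporting a value cannot drift into a better token than the rules intend; and because the system token is the maximum rank, a single quarantined application is enough to quarantine the whole host regardless of how healthy the others are.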

Cisco Secure ACS consolidates the application posture tokens into a single overall system posture token, which is normally the worst case (the least healthy) of all the application posture tokens. The system posture token can have one of the following values:

Healthy

Checkup

Chapter 3. Component structure 59

[Figure: Posture validation and policy enforcement flow]