  - Quarantine
  - Infected
  - Unknown

- Posture notification (3f)

After the ACS has determined the posture token, it performs these actions:

a. Cisco Secure ACS sends the system posture token to the network client.

b. Cisco Secure ACS sends the network client an action to be taken, which results from the client being assigned to a group that complies with a particular policy level. If a customer uses the IBM Integrated Security Solution for Cisco Networks with Configuration Manager integration and the client receives the token "quarantine", the results parameter is the remediation URL pointing to the Configuration Manager server.

c. Cisco Secure ACS sends the NAD the RADIUS attributes configured in the mapped user group, including the ACLs or RACs and the attribute-value pairs required by the network access policy. The optional user notification can be used to display meaningful messages to the client that correspond to the posture token it was assigned. Which restrictions apply to each token is defined by the organization's network policy.

d. After Cisco Secure ACS sends the system posture token to the NAC client computer, the ACS ends the PEAP session with the client.

e. Cisco Secure ACS logs the results of the posture validation request.

- Network policy enforcement (3g)

The NAD enforces network access as dictated by Cisco Secure ACS in its RADIUS response. By configuring group mapping, you define authorizations, and therefore network access control, based on the system posture token determined as a result of posture evaluation.

To fully control which resources users can access under all conditions, a mapping of default user groups, posture tokens, and access restrictions is specified in ACS. In general, each user is assigned to a default user group based on their authentication. Each user group is mapped to each of the posture tokens, and each combination of user group and posture token can be assigned either a RADIUS Authorization Component (RAC) or a downloadable IP ACL filter. A combination that is left unmapped should resolve to the most restrictive access, so that a gap in the mapping can never widen what a client is allowed to reach.
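The following is an added example, not code from the Redbook, from Cisco Secure ACS or from IBM Tivoli. It models steps 3f (a to e) and the group-to-posture-token mapping of step 3g as a small policy module: a table keyed by (user group, system posture token), a resolver that falls back to the most restrictive entry for any unmapped combination, and a function that builds what goes to the client, what goes to the NAD, and what is logged. The attribute names (the `posture-token=` and `url-redirect=` Cisco AV-pairs and the `ip:inacl#N=` form of downloadable ACL entries) are assumptions from memory of NAC Framework deployments and should be checked against the ACS and IOS versions in use; the group names, ACL contents, server address and remediation URL are constructed for the example.

```python
"""Model of ACS posture notification (3f) and group mapping (3g).

Added example; not the Redbook's, Cisco's or IBM's code.  AV-pair names are
assumed, all policy data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# System posture tokens, best to worst.  Only membership is checked here.
POSTURE_TOKENS = ["Healthy", "Checkup", "Transition", "Quarantine", "Infected", "Unknown"]

REMEDIATION_URL = "https://cm-server.example.internal/remediate"  # assumed Configuration Manager URL
REMEDIATION_HOST = "10.0.0.5"                                      # assumed address of that server


@dataclass
class Authorization:
    """What ACS hands out for one (user group, posture token) combination."""
    rac_name: Optional[str] = None                        # RADIUS Authorization Component
    acl_entries: List[str] = field(default_factory=list)  # downloadable IP ACL, in order
    notification: str = ""                                # optional user notification
    remediation_url: Optional[str] = None                 # set for Quarantine only


# Constructed mapping; in ACS this lives in the group setup of each user group.
POLICY: Dict[Tuple[str, str], Authorization] = {
    ("employees", "Healthy"):    Authorization(rac_name="rac-full", notification="Posture check passed."),
    ("employees", "Checkup"):    Authorization(rac_name="rac-full", notification="Updates are pending; please install them."),
    ("employees", "Transition"): Authorization(acl_entries=["permit ip any any"], notification="Posture evaluation in progress."),
    ("employees", "Quarantine"): Authorization(
        acl_entries=[f"permit tcp any host {REMEDIATION_HOST} eq 443", "deny ip any any"],
        notification="Your system is out of policy; you are being redirected for remediation.",
        remediation_url=REMEDIATION_URL),
    ("employees", "Infected"):   Authorization(acl_entries=["deny ip any any"], notification="Access denied: infected host."),
    ("employees", "Unknown"):    Authorization(acl_entries=["deny ip any any"], notification="Access denied: posture unknown."),
}

DENY_ALL = Authorization(acl_entries=["deny ip any any"], notification="Access denied.")


def resolve(group: str, token: str) -> Tuple[Authorization, bool]:
    """Return (authorization, fell_back) for a group/token pair.

    A combination that was never mapped falls back to the group's Infected
    entry, or to a hard deny, so a gap in the mapping can only narrow access.
    """
    if token not in POSTURE_TOKENS:
        raise ValueError(f"not a system posture token: {token!r}")
    auth = POLICY.get((group, token))
    if auth is not None:
        return auth, False
    return POLICY.get((group, "Infected"), DENY_ALL), True


def posture_notification(group: str, token: str) -> dict:
    """Steps 3f a to e: what goes to the client, to the NAD, and to the log."""
    auth, fell_back = resolve(group, token)
    # a + b: the posture token and the action for the client.  For Quarantine
    # the results parameter carries the remediation URL.
    to_client = {"posture_token": token, "notification": auth.notification}
    if auth.remediation_url:
        to_client["results"] = auth.remediation_url
    # c: RADIUS attributes for the NAD (assumed Cisco AV-pair spellings).
    av_pairs = [f"posture-token={token}"]
    av_pairs += [f"ip:inacl#{i}={ace}" for i, ace in enumerate(auth.acl_entries, 1)]
    if auth.remediation_url:
        av_pairs.append(f"url-redirect={auth.remediation_url}")
    to_nad = {"cisco-av-pair": av_pairs}
    if auth.rac_name:
        to_nad["rac"] = auth.rac_name
    # e: audit record.  A fallback is worth alerting on: it means the mapping
    # in ACS is incomplete for this group.
    log = {"group": group, "posture_token": token, "fell_back": fell_back,
           "acl": auth.acl_entries, "rac": auth.rac_name}
    return {"to_client": to_client, "to_nad": to_nad, "log": log}


if __name__ == "__main__":
    for grp, tok in (("employees", "Healthy"), ("employees", "Quarantine"), ("contractors", "Healthy")):
        print(grp, tok, posture_notification(grp, tok))
```

The `contractors` group has no entries at all, so the third call in the demo shows the fallback path: the client is told it is Healthy, but the NAD receives a deny-all downloadable ACL and the log marks the decision as a fallback. That is the behaviour you want from a mapping gap; the opposite default, full access for an unmapped combination, is the mistake the text warns against.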

Building a Network Access Control Solution with IBM Tivoli and Cisco Systems, page 60
