Advantages of this kind of deployment are:

- Distribution of the policy-enforcement load across the branch routers

- Containment of virus infections between branch offices if the network has a mesh topology

Factors that must be considered for branch egress enforcement are:

- Branch routers must support NAC

- Some additional administrative effort is required during deployment

Campus internal enforcement

In this deployment option, policy compliance for office users is enforced on the switches to which they connect. Switches support two modes of posture checking: 802.1X and EAP over UDP (EAP/UDP).

802.1X carries the posture information and, if desired, user authentication information in EAP messages inside 802.1X frames. The response from ACS is a VLAN name or number associated with the posture state of the user, either healthy or quarantine.

EAP/UDP carries only posture information, in UDP datagrams. ACS responds with a port-based ACL (PACL) that enforces the user's healthy or quarantine state.
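The two ACS responses just described differ in what the RADIUS Access-Accept actually carries. As an added illustration, not taken from this book or from Cisco's or IBM's code, the following Python builds and decodes both payloads: the tagged Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes that carry the VLAN name or number in 802.1X mode (RFC 2868 and RFC 3580), and the Cisco vendor-specific cisco-av-pair attributes that carry the per-port ACL lines in EAP/UDP mode. It assumes the ACL is delivered as "ip:inacl#N=" av-pairs, the Cisco IOS per-user ACL form; the VLAN names, the remediation server 10.1.1.10 and the ACL lines are constructed sample values, and the POLICY table, access_accept and enforcement_from_accept are names chosen for the example.

```python
"""Encode and decode the two ACS Access-Accept payloads used for switch enforcement.
802.1X mode : VLAN via tagged Tunnel-* attributes (RFC 2868 / RFC 3580).
EAP/UDP mode: per-port ACL via Cisco cisco-av-pair "ip:inacl#N=..." (assumed form).
All VLAN names, addresses and ACL lines are constructed sample values."""
import struct

# RADIUS attribute numbers (RFC 2865, RFC 2868)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, VENDOR_SPECIFIC = 64, 65, 81, 26
TUNNEL_TYPE_VLAN = 13      # RFC 3580: Tunnel-Type "VLAN"
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type "IEEE 802"
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1           # vendor sub-attribute "cisco-av-pair"

# Constructed policy: what ACS returns for each posture state in each mode
POLICY = {
    "Healthy": {"vlan": "HEALTHY", "acl": ["permit ip any any"]},
    "Quarantine": {
        "vlan": "QUARANTINE",
        "acl": [
            "permit udp any any eq 21862",           # keep EAP/UDP posture traffic flowing
            "permit tcp any host 10.1.1.10 eq 443",  # constructed remediation server
            "deny ip any any",
        ],
    },
}

def _avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def vlan_assignment(vlan, tag: int = 1) -> bytes:
    """802.1X mode: attributes that place the port in a VLAN.
    The tag byte (0x01-0x1F) groups the three attributes into one tunnel
    description; the two integer attributes are 3 bytes after the tag and
    Tunnel-Private-Group-ID carries the VLAN name or number as a string."""
    return (_avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()))

def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute wrapping one cisco-av-pair string."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return _avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def pacl_assignment(acl_lines) -> bytes:
    """EAP/UDP mode: one cisco-av-pair per ACL line, numbered in order."""
    return b"".join(cisco_avpair(f"ip:inacl#{n}={line}") for n, line in enumerate(acl_lines, 1))

def access_accept(mode: str, posture: str) -> bytes:
    """Attributes ACS would return for a posture state in the given mode."""
    entry = POLICY[posture]
    if mode == "802.1X":
        return vlan_assignment(entry["vlan"])
    if mode == "EAP/UDP":
        return pacl_assignment(entry["acl"])
    raise ValueError(f"unknown enforcement mode {mode!r}")

def parse_attributes(data: bytes):
    """Split a RADIUS attribute list into (type, value) pairs; reject bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out

def enforcement_from_accept(data: bytes):
    """What the switch applies: ('vlan', name) for 802.1X, ('pacl', lines) for EAP/UDP."""
    vlan, acl = None, []
    for t, v in parse_attributes(data):
        if t == TUNNEL_PRIVATE_GROUP_ID and v:
            # RFC 2868: a leading byte above 0x1F is not a tag but part of the string
            vlan = (v[1:] if v[0] <= 0x1F else v).decode()
        elif t == VENDOR_SPECIFIC and len(v) >= 6 and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID:
            for st, sv in parse_attributes(v[4:]):   # sub-attributes share the TLV layout
                text = sv.decode()
                if st == CISCO_AVPAIR and text.startswith("ip:inacl#"):
                    acl.append(text.split("=", 1)[1])
    if vlan is not None:
        return ("vlan", vlan)
    if acl:
        return ("pacl", acl)
    return ("none", None)

if __name__ == "__main__":
    for mode in ("802.1X", "EAP/UDP"):
        for posture in POLICY:
            print(mode, posture, enforcement_from_accept(access_accept(mode, posture)))
```

The quarantine ACL deliberately permits UDP 21862, the port EAP/UDP posture exchanges use, so that a quarantined host can still be re-checked and released; an ACL that blocks it leaves the host stuck in quarantine until the port is reset.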

Note: At the time of this writing, PACLs are not supported in an 802.1X NAC Framework on all Cisco devices. However, Cisco has stated its intention to make this functionality available on all devices in the near future. Because the choice affects the client software required on each endpoint, this book uses a reference architecture in which 802.1X is used for both authentication and admission control. This architecture is a valid network deployment even without PACLs, and it will be able to constrain traffic more granularly once PACLs are available.

The NAC Framework can also be used in IP Communications environments. In 802.1X environments, Cisco IP Phones must be used; in EAP/UDP environments, both Cisco and non-Cisco IP Phones may be used.

68 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
