NAC up your alley? Framework Continued…

When we last left off we were discussing a Cisco NAC Framework scenario using a router. We had covered the required configuration on the ACS server, including ACLs and Attribute Definition Files (ADFs). But we cannot get away with only configuring the ACS server and the NADs; you must also think about the hosts themselves. Our goal with NAC here is to check for specific software on our hosts.

To accomplish this we need software on the host called Cisco Trust Agent (CTA). Luckily this agent is free from Cisco with a valid CCO account. CTA is installed on your users’ PCs and provides middleware services on the host. That means that once the ACS is configured to check for software on the host, the ACS queries CTA to determine whether the host is in compliance. If the host is not in compliance, a pop-up with a configurable message appears on the user’s PC.

The nice thing here is that we can push ACLs down to the router on the fly, giving this user access only to the specific network resources needed for remediation (fixing or patching their host). Unfortunately there are quite a few negative components to this tale.

The first is that this technology is slowly (it’s almost gone now) being phased out in favor of the NAC Appliance. (I mean, why use something you already have when you can spend an enormous amount of payola with Cisco on new equipment?)

The second negative is that NAC Framework only performs compliance checking, not authentication. That means we are not really trying to determine whether we have rogue devices on the network, but rather whether a newly introduced host is in compliance (required software installed or running). To provide authentication alongside NAC Framework we would also need to use 802.1x (which is a great idea anyway).

A third drawback is that ACS configuration is just not a fun thing. I mean, we would have to find these ADFs from vendors (if they even have them) and then go ahead and configure ACS. This is a nightmare!! I’m not saying it’s not doable, but it’s a nightmare from an operations standpoint.

The following is a summary of what we covered on NAC Framework:

  • Uses existing network equipment (ASAs, routers, switches that support PACLs, concentrators, ACS)
  • Checks whether the host is running the appropriate software before it is allowed onto the network
  • User interface is archaic
  • ACS updating is not scalable and, to put it lightly, a nightmare
  • No authentication is available unless 802.1x is also used (this is huge)
  • Nice benefit: there is really nothing new to purchase

Agree? Disagree? Leave a comment and let us know.

Author: Jim Thomas
