NAC Framework Components
The initial release of the Cisco NAC Framework became available in June 2004 and continues to evolve in phases. The functions of the solution architecture remain consistent; however, as each phase is introduced, more capabilities and deeper integration are added to the NAC Framework architecture. To stay up to date with NAC and partner products, refer to the URL www.cisco.com/go/nac.
NAC Framework includes the following main components, as shown in Figure 6-1:
Figure 6-1 NAC Framework Components
- Endpoint security application
- Posture agent
- Network access devices
- Cisco Policy server
- Optional servers that operate as policy server decision points and audit servers
- Optional management and reporting tools, which are highly recommended (not shown in the figure)
The next sections describe the main components in more detail.
Endpoint Security Application
An endpoint security application is security software that resides on a host computer. Depending on the application, it can provide host-based intrusion prevention system (HIPS), antivirus scanning, personal firewall, and other host security functions. Cisco Security Agent is a HIPS example.
NAC partners provide NAC-enabled security applications that use a posture plug-in that communicates their credentials and state with a posture agent, both residing on the same endpoint. Many endpoint security applications provide antivirus capabilities, and some provide additional identity-based services. For a list of NAC partners, refer to www.cisco.com and search for "Network Admission Control Current Participants."
Posture Agent
A posture agent is middleware or broker software that collects security state information from multiple NAC-enabled endpoint security applications, such as antivirus clients. It communicates the endpoint device's compliance condition. This condition is referred to as the posture of an endpoint. The posture information is sent to Cisco Secure Access Control Server (ACS) by way of the Cisco network access device.
The Cisco Trust Agent is Cisco's implementation of the posture agent. Cisco has licensed the trust-agent technology to its NAC partners so that it can be integrated with their security software client products. The trust agent is free and is also integrated with the Cisco Security Agent. Cisco Trust Agent can operate at Layer 3 using Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP), and Cisco Trust Agent (CTA) version 2 can also operate at Layer 2 using Extensible Authentication Protocol over 802.1x (EAPo802.1x) or Extensible Authentication Protocol over LAN (EAPoLAN).
Network Access Devices
Network access devices that enforce admission control policy include Cisco routers, switches, wireless access points, and security appliances. These devices demand endpoint security credentials and relay this information to policy servers, where network admission control decisions are made. Based on customer-defined policy, the network will enforce the appropriate admission control decision—permit, deny, quarantine, or restrict. Another term for this device is security policy enforcement point (PEP).
Cisco Policy Server
A policy server evaluates the endpoint security information relayed from network access devices (NADs) and determines the appropriate admission policy for enforcement. The Cisco Secure ACS, an authentication, authorization, and accounting (AAA) RADIUS server, is the foundation of the policy server system and is a requirement for NAC. Cisco Secure ACS is where the admission security policy is created and evaluated to determine the endpoint device's compliance condition or posture.
Optionally, Cisco Secure ACS may work in concert with other policy and audit servers to provide the following additional admission validations:
- Identity—User authentication can be validated with an external directory server and the result is communicated to Cisco Secure ACS. Examples include Microsoft Active Directory and one-time password (OTP) servers.
- Posture—Third-party, vendor-specific credentials such as antivirus and spyware can be forwarded using the Host Credential Authorization Protocol (HCAP) to NAC-enabled Policy Validation Servers (PVS) for further evaluation. This enables businesses to leverage existing policies maintained in their PVS to validate and forward the software compliance result to Cisco Secure ACS, ensuring that a consistent policy is applied across the entire organization.
- Audit—Determines the posture for a NAC Agentless Host (NAH), which is a host without a posture agent such as Cisco Trust Agent. The audit server works out of band and performs several functions:
  - Collects posture information from an endpoint.
  - Acts as a posture validation server to determine the compliance of an endpoint and to express the result in the form of a posture.
  - Communicates the result to Cisco Secure ACS using Generic Authorization Message Exchange (GAME) over an HTTPS session. GAME uses an extension of Security Assertion Markup Language (SAML), a vendor-neutral language enabling Web services to exchange authentication and authorization information.
The optional validation policy servers communicate the user authentication status or compliance status or both to Cisco Secure ACS, which makes the final determination as to the admission policy for the endpoint. Policy decision point is a term used to describe the function Cisco Secure ACS performs.
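As an added illustration (not code from this book or from Cisco), the following Python models the policy decision point described in the preceding sections: the NAD relays identity and posture, an external directory and a simulated HCAP policy validation server each return a result, an agentless host falls back to the audit server's out-of-band result, and the most restrictive decision wins. The directory contents, antivirus thresholds, audit results and host names are constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


# Admission decisions named on the page, ordered so the most restrictive sorts highest.
class Decision(IntEnum):
    PERMIT = 0
    RESTRICT = 1
    QUARANTINE = 2
    DENY = 3


@dataclass
class EndpointReport:
    """What a NAD relays to the policy server: user identity plus the posture
    the posture agent collected from NAC-enabled applications (constructed)."""
    user: str
    agent_present: bool
    credentials: dict  # e.g. {"antivirus": {"enabled": True, "version": "5.2"}}


# Constructed stand-ins for the external servers the page describes.
DIRECTORY = {"alice", "bob"}                       # identity: external directory (e.g. AD)
AUDIT_RESULTS = {"printer-17": Decision.RESTRICT}  # audit: out-of-band result per agentless host


def _version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def pvs_validate(av: Optional[dict], min_version: str) -> Decision:
    """Role of a third-party Policy Validation Server reached over HCAP (simulated policy)."""
    if av is None:
        return Decision.QUARANTINE        # no antivirus credential reported at all
    if not av.get("enabled", False):
        return Decision.RESTRICT          # antivirus installed but disabled
    if _version(av["version"]) < _version(min_version):
        return Decision.QUARANTINE        # engine/signatures older than policy allows
    return Decision.PERMIT


def policy_decision(report: EndpointReport, host_id: str, min_av: str = "5.0") -> Decision:
    """Cisco Secure ACS role (policy decision point): combine the identity, posture
    and audit results; the most restrictive individual result wins."""
    if not report.agent_present:
        # NAC Agentless Host: with no posture agent, the audit server's out-of-band
        # result (communicated over GAME) is the only posture available.
        return AUDIT_RESULTS.get(host_id, Decision.DENY)
    results = [Decision.PERMIT]
    if report.user not in DIRECTORY:
        results.append(Decision.DENY)     # identity validation failed
    results.append(pvs_validate(report.credentials.get("antivirus"), min_av))
    return max(results)
```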
Management and Reporting Tools
In addition to the required NAC components, a management system is recommended to manage and monitor the various devices. Reporting tools are available to operation personnel to identify which endpoints are compliant and, most importantly, which endpoints are not compliant. Examples include Cisco Security MARS and CiscoWorks Security Information Manager Solution (SIMS).