Cisco NAC Appliance 4.1.0
1-2
Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
OL-12214-01
Chapter 1 Introduction
• Standards-based architecture—Uses HTTP, HTTPS, XML, and Java Management Extensions (JMX).
• User authentication—Integrates with existing backend authentication servers, including Kerberos, LDAP, RADIUS, and Windows NT domain.
• VPN concentrator integration—Integrates with Cisco VPN concentrators (e.g., VPN 3000, ASA) and provides Single Sign-On (SSO).
• Active Directory SSO—Integrates with Active Directory on Windows Servers to provide Single Sign-On for Clean Access Agent users logging into Windows systems.
• Clean Access compliance policies—Allows you to configure client vulnerability assessment and remediation via use of Clean Access Agent or Nessus-based network port scanning.
• L2 or L3 deployment options—The Clean Access Server can be deployed within L2 proximity of users, or multiple hops away from users. You can use a single CAS for both L3 and L2 users.
• In-band (IB) or out-of-band (OOB) deployment options—Cisco NAC Appliance can be deployed in-line with user traffic, or out-of-band to allow clients to traverse the Clean Access network only during vulnerability assessment and remediation while bypassing it after certification (posture assessment).
• Traffic filtering policies—Role-based IP and host-based policies provide fine-grained and flexible control for in-band network traffic.
• Bandwidth management controls—Limit bandwidth for downloads or uploads.
• High availability—Active/Passive failover (requiring two servers) ensures services continue if an unexpected shutdown occurs. You can configure pairs of Clean Access Manager (CAM) machines and/or CAS machines in high-availability mode.
Cisco NAC Appliance Components
Cisco NAC Appliance is a network-centric integrated solution administered from the Clean Access Manager web console and enforced through the Clean Access Server and (optionally) the Clean Access Agent. Cisco NAC Appliance checks client systems, enforces network requirements, distributes patches and antivirus software, and quarantines vulnerable or infected clients for remediation before clients access the network. Cisco NAC Appliance consists of the following components (in ):
• Clean Access Manager (CAM)—Administration server for Clean Access deployment. The secure web console of the Clean Access Manager is the single point of management for up to 20 Clean Access Servers in a deployment (or 40 CASes if installing a SuperCAM). For Out-of-Band (OOB) deployment, the web admin console allows you to control switches and VLAN assignment of user ports through the use of SNMP.
Note
The CAM web admin console supports Internet Explorer 6.0 or above only, and requires high encryption (64-bit or 128-bit). High encryption is also required for client browsers for web login and Clean Access Agent authentication.
• Clean Access Server (CAS)—Enforcement server between the untrusted (managed) network and the trusted network. The CAS enforces the policies you have defined in the CAM web admin console, including network access privileges, authentication requirements, bandwidth restrictions, and Clean Access system requirements. It can be deployed in-band (always inline with user traffic)