IBM Tivoli and Cisco User Manual

 Appendix A. Hints and tips 
meantime, the Clean Access Manager provides port-level or role-level control by 
assigning ports to specific VLANs, assigning users to specific roles that map to 
specific VLANs, and providing a time-based session timeout per role. Cisco 
Clean Access out-of-band is most appropriate for high-throughput, highly routed 
environments such as campuses, branch offices, and extranets. It is not suitable 
for use with shared media devices, such as hubs and wireless access points. The 
out-of-band deployment mode is ideal for environments with the following 
characteristics:
- Healthy user traffic does not flow through CAS.
- Posture-based VLAN segmentation.
- Voice over IP (VoIP) phones.

NAC Appliance integration
At the time of writing, Cisco is offering two separate Network Admission Control 
solutions: NAC Framework and NAC Appliance. Applications that are compatible 
with NAC Framework do not work with NAC Appliance, as the interfaces are 
currently dissimilar. Cisco has stated their intention to make NAC Framework and 
NAC Appliance solutions compatible, but at the current time this is not the case. 
Most of the content of this publication up to this point has been relevant to the 
NAC Framework, but does not necessarily apply to NAC Appliance.

However, NAC Appliance has been deployed by a larger set of customers than 
NAC Framework simply due to its lower cost factor and deployment footprint. In 
order to provide Cisco NAC Appliance customers access to the compliance and 
remediation capabilities that we currently provide for NAC Framework, this 
integration has been prototyped to prove the concept. This integration is 
designed to provide an easy migration from NAC Appliance to NAC Framework 
solutions as customers expand their NAC deployments. In fact, with this design 
the Tivoli Compliance and Remediation solution can be simultaneously deployed 
with both NAC Framework and NAC Appliance if so desired. This allows 
customers to develop compliance policies and remediation objects for the Tivoli 
subsystems, and that investment will be protected regardless of which alternative 
they select.

This section describes the integration of the current Tivoli Compliance and 
Remediation components with NAC Appliance. Many of the components used to 
perform this integration are not in production at the time of this writing and hence 
are not currently supported. However, this integration delivers an automated 
remediation capability and the ability to monitor clients after they have been 
admitted to the network. The value that these features add to a NAC Appliance 
solution is significant enough to warrant the description of this integration herein, 
with the expectation that production-quality versions of these components will 
become generally available.