What is the Cisco NAC architecture?

Cisco's NAC Framework is an architecture designed to help multiple hardware and software components work together to protect your network from adverse client attacks. This article mainly introduces the NAC Framework architecture.

What is a Cisco NAC Framework component?

Cisco's NAC Framework tries to solve a complicated problem, so it must be a complicated solution. Fully implementing the NAC Framework is not a simple task, because the entire architecture contains too many different components from Cisco and other vendors. For example, the architecture contains the NAC Policy Manager and multiple network systems, authentication servers, patch and patch servers, and third-party security software verification servers. Figure A shows how the components of the entire framework work:

Figure A working method of the NAC Architecture

About Cisco NAC Framework

Whether it is for security management personnel or network management personnel, it is not easy to make all the components in the work harmonious. But it doesn't matter. Cisco's NAC architecture has been supported by most mainstream terminal security companies, security access gateways, and patch repair servers.

How Does Cisco NAC Framework work?

After talking about this, what can Cisco NAC Framework do? The following is how it works:
1. If a PC attempts to access the network, it must first be verified and its policy is verified to be consistent with the rules. The attempt by the PC to log on will trigger the NAC process.

2. The PC host runs Cisco trusted proxy Cisco Trust Agent (CTA ).

3. An Ethernet switch attempts to establish a connection to a PC.

4. Extended Authentication Protocol Extensible Authentication Protocol (EAP) is enabled. creden on PC computers are sent to Cisco Secure Access Control Server (ACS) on Cisco Secure Access Control Server ).

5. Until the entire process is completed, the potential bad terminal of the PC host) only sends the credential from the trusted proxy Cisco Trust Agent to the network. The PC itself cannot communicate with the network.

6. The trusted proxy Cisco Trust Agent communicates creden。 through a secure channel, so they are not visible to the ads.

7. The Secure Access Control Server ACS Server can pass the credential to other servers. For example, most of these creden。 are sent to Windows AD servers. Of course, the credential will also be sent to other servers, such as LDAP or one-time password server.

8. Based on the feedback from one or more verification servers, the ACS server can allow, deny, or isolate the PCs that request access to the network. In addition, the ACS server can set different network access levels.

9. In terms of verifying security policy consistency, Cisco NAC Framework uses network and proxy-based scanning methods.

10. Cisco NAC Framework can implement consistency detection for various devices.

11. The Cisco NAC Framework can notify the user of the connection status. If any problem occurs, it can correct the problem by upgrading the PC patch, firewall or other settings. In addition, the pop-up window or similar functions can be used to notify the PC if it has gained network access. For example, you may see a pop-up window marked as: "Your computer does not have the necessary upgrade patch, so you do not have the network access permission. To obtain the network access permission, visit the following address [URL] to obtain the computer upgrade patch ." Figure B helps us better understand the process:

Figure B connection process

You may have noticed that the 802.1X network authentication protocol is usually used to verify the devices trying to access the network. Therefore, the switch connected to the network must support 802.1X. Otherwise, the device cannot be isolated before verification and scanning.