Cisco’s NAC Framework is an architectural design for how
multiple hardware and software components can work together to protect your
network from unhealthy clients. Those clients could be PC’s without the latest
security patches, the latest anti-virus definitions, or a personal firewall
enabled. In this article, I’ll attempt to explain the complex NAC Framework as
clearly as possible.

What are the
components of the Cisco NAC Framework?

Cisco’s NAC Framework attempts to solve a complex problem,
and is consequently a complex solution. A full-blown implementation of the NAC
Framework is not an easy task because the architecture includes lots of
different components from Cisco and other vendors. For example, there is a NAC
policy manager, multiple network systems, an audit server, a remediation server,
and third-party security software posture validation servers. Figure A shows
how the framework would work:

Figure A

The
Cisco NAC Framework.

It’s quite a challenge for both security and network
personnel to make sure that above-mentioned components work cohesively.
Irrespective of that, the Cisco-led NAC initiative is supported by majority of
vendors associated with endpoint security, secure access gateways, and
remediation servers.

How does the Cisco
NAC Framework work?

So what can the Cisco NAC Framework do for you? Well, a lot.
Here’s how it works:

  • If a PC host is attempting
    to access the network, it must be authenticated and audited for policy
    compliance. This attempt triggers a NAC Process.
  • The PC host is running the
    Cisco Trust Agent (CTA).
  • The Network Access Device
    (NAD) is the Ethernet switch attempting to initiate the network access on
    behalf of the PC host.
  • The Extensible
    Authentication Protocol (EAP) is used and the host credentials are sent to
    a Cisco Secure Access Control Server (ACS).
  • Until the entire process
    is complete, the PC host (your potentially malicious computer) is only
    passing credentials through from the Cisco Trust Agent to the network. The
    PC host cannot really communicate on the network.
  • The Cisco Trust Agent
    passes credentials through a secure tunnel so that the NAD cannot see
    them.
  • The ACS Server can pass
    the credentials to other servers. For example, much of the time today,
    these credentials are sent to Windows AD servers who can verify the
    credentials used. However, the credentials could also go to other servers,
    like LDAP or one-time-password servers.
  • Based on the response of
    one or more authentication servers, the ACS server can grant, deny, or
    quarantine the PC host requesting network access. Additionally, the ACS
    Server can assign different levels of network access.
  • To verify security policy
    compliance of the PC host, Cisco NAC Framework conducts network and
    agent-based scans.
  • The Cisco NAC Framework
    can implement compliance checks on all types of devices.
  • The Cisco NAC Framework
    notifies users of connection status, and if there’s any problem, it
    automatically corrects problems by updating the machine’s patches,
    firewall, or other settings. Optionally, the host PC can be notified
    whether his or her credentials allowed them network access with a pop-up
    window or similar function. For example, the user could get a message: “Your computer is lacking the
    necessary updates and therefore is not granted access to the network. In
    order to resume normal network access, please update your computer now at
    the following location: [URL].”

Figure B helps better explain the process:

Figure B

The connection process.

You should note that usually the 802.1X network
authentication protocol is used to authenticate the devices to the network. The
switch that the NAD is connected to must support 802.1X, or the device cannot
be truly quarantined until it is authenticated and scanned.

What are the components
of Cisco’s NAC Framework?

Now that you understand how the framework works, you should
learn a little bit about the components of the framework. These are as follows:

  • Posture: The posture of a host is a set of credentials and
    attributes that define the state or health of a user’s computer and the
    applications on that computer.
  • Cisco Trusted Agent: Cisco Trusted Agent (CTA) is one of the
    integral components of Cisco NAC Framework. The CTA is termed a posture
    agent. Cisco Trusted Agent is basically an installed software client whose
    main responsibility is to collect state information from security software
    on the endpoint (the NAD). In addition, it also communicates the “posture”
    (or what it learns) to the Cisco ACS Policy Server.

It’s worth mentioning in this regard that Cisco Trusted
Agent only communicates with client applications that are NAC-enabled by Cisco
partners. There are around 50 vendors in the market actively participating in
the NAC initiative. It includes, leading patch management vendors, client
security vendors, and antivirus vendors.

  • Network Access Devices (NAD): The NAD
    is, most commonly, the switch that the PC is connected to. However, it could
    also be a router, VPN concentrators, or other similar network access device.
    Many vendors switch manufacturers support the Cisco NAC Framework.
  • AAA Policy Server: The AAA policy
    server is the Cisco Secure Access Control Server (or ACS). The main function of
    the ACS Server is to act as the policy decision point in NAC deployments. Apart
    from that, Cisco Secure Access Control Server also evaluates user credentials
    and calculates the security posture of network endpoints.

Frequently, the Cisco Secure ACS Server sends out per-user
authorization to Cisco access devices with the help of downloaded access
control lists. If you’re running non-Cisco access devices, don’t worry: Cisco
Secure Access Control Server sends out per user authorization in this scenario
as well. 

The Cisco ACS Server is a Cisco application that runs on a
Windows or Linux Server. ACS Servers can be scaled to very large
implementations. Even without NAC, the Cisco ACS system operates as a
centralized RADIUS or TACACS+ server. In general, the Cisco Secure Access
Control Server manages the authorization, accounting, and authentication of
users who access corporate information in a network.

The main advantage of Cisco Secure Access Control Server is
that it gives you an authority to control user access to the network. You also
get the power to authorize different kinds of network services for users. If
you want to keep a record of all network user actions, you can do so easily
with Cisco Secure Access Control Server.

  • Directory Servers: The Directory Servers offers user IDs,
    authorization privileges, and group membership information.
  • Posture Validation Server: As already mentioned, Cisco Secure Access Control Server has an ability to
    pass posture data to application-specific posture validation servers,
    which are normally given by third-party security vendors. Posture
    Validation Server judges whether endpoint software is up to the mark or
    not. On the basis of Posture Validation Server evaluation, Cisco Secure
    Access Control Server allows or disallows user access to networks.
  • Remediation Servers: It’s the job of remediation servers to
    bring devices back into compliance. The best part about remediation
    servers is that they can be as straightforward as a Web server that
    supports software downloads. Apart from that, remediation servers can
    automatically evaluate devices and if needed also supply mandatory
    software updates.

Parts of the greater
whole

Cisco’s NAC Framework is an architectural design for how
multiple hardware and software components can work together to protect your
network from unhealthy clients. While the Framework isn’t as easy to use as
the Cisco NAC Appliance, it does offer the benefit of bringing together
offerings from various third-party security companies. At this point, you
should understand the different components of the Cisco NAC Framework —
posture agent (Cisco Trust Agent), posture validation server (Cisco ACS
Server), Network Access Device (NAD) — the Cisco switch, and the remediation
server (where users will go to get the firewall, OS, or AV software needed to
get the PC host in compliance).