Network Access Control

Network Access Control (NAC) restricts access to the network based on identity or security posture. When a network device (switch, router, wireless access point, DHCP server, IP telephone, camera, NAS, industrial controller, etc.) is configured for NAC, it can require user or machine authentication before granting access. In addition, guest access can be redirected to a quarantine area for remediation of whatever caused the authentication failure. Today, Cisco Identity Services Engine (ISE) can grant access only after first analysing the context of the user, server or other device attempting to connect to the network. The usable contextual checks (who, what, when, where, how) are:

  • What? Switch, Wi-Fi access point, router, firewall, PCs, mobile devices, servers, IP telephones, IP cameras
  • Who? User identity, rights, name, AD policy, strong authentication, digital certificates
  • Where? LAN, WLAN, private WAN, or remote access over the public internet or a mobile network
  • How? Internal software profile check: OS version, registry, up-to-date antivirus, connections in use
  • How? External profiling by traffic analysis, for machines, industrial controllers, phones, cameras and servers
  • When? Date and time window during which login or normal use is allowed

Depending on these contextual parameters, access is granted on the correct LAN (VLAN), denied, or tolerated in a special remediation area where the problem detected by the posture check can be corrected, thus keeping insecure nodes from infecting the network.
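To make the who/what/when/where/how decision flow concrete, here is an added example of a small policy evaluator (illustration only, not Cisco ISE's own policy model or API). VLAN ids, the login window and the device kinds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple

# Constructed VLAN ids and rules for this example (not ISE defaults).
VLANS = {"pc": 10, "server": 10, "ip_phone": 20, "camera": 30, "plc": 30}
REMEDIATION_VLAN = 999                          # quarantine area for failed posture
PROFILED_KINDS = {"ip_phone", "camera", "plc"}  # headless devices admitted by traffic profiling
LOGIN_WINDOW = (time(7, 0), time(20, 0))        # assumed "when" rule for user logins


@dataclass
class Context:
    what: str                     # device kind, e.g. "pc", "ip_phone", "plc"
    who: Optional[str]            # authenticated user/machine identity, None if none presented
    where: str                    # "lan", "wlan" or "remote"
    login: time                   # time of the access attempt
    cert_valid: bool = False      # digital certificate / strong authentication
    av_up_to_date: bool = True    # internal posture checks (PCs and servers)
    os_patched: bool = True
    profile_matches: bool = True  # external profiling result for headless devices


def decide(ctx: Context) -> Tuple[str, Optional[int]]:
    """Return ("permit", vlan), ("remediate", quarantine vlan) or ("deny", None)."""
    # WHAT / HOW (external): headless devices cannot log in, so they are admitted
    # only on the local network and only if traffic profiling confirms their kind.
    if ctx.what in PROFILED_KINDS:
        if not ctx.profile_matches or ctx.where == "remote":
            return ("deny", None)
        return ("permit", VLANS[ctx.what])
    # WHO: a user or machine must authenticate before any access is granted.
    if ctx.who is None:
        return ("deny", None)
    # WHERE: remote access over public networks requires certificate-based authentication.
    if ctx.where == "remote" and not ctx.cert_valid:
        return ("deny", None)
    # WHEN: logins outside the allowed window are refused.
    start, end = LOGIN_WINDOW
    if not (start <= ctx.login <= end):
        return ("deny", None)
    # HOW (internal): a failed posture check lands in the remediation VLAN, not a hard deny,
    # so the endpoint can be fixed without being able to reach the production network.
    if not (ctx.av_up_to_date and ctx.os_patched):
        return ("remediate", REMEDIATION_VLAN)
    return ("permit", VLANS.get(ctx.what, VLANS["pc"]))
```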

The more the network is built on Cisco devices, the easier it is to deploy Cisco ISE with its full feature set.


Dedicated solution: Cisco ISE http://www.cisco.com/go/ise