CISCO-NAC-NAD-MIB
This MIB module is for the configuration of a Network Access Device (NAD) on the Cisco Network Admission Control (NAC) system. EndPoint -------------- NAD ------- AAA ------ PVS (SecurApp) EAPoUDP/802.1x RADIUS HCAP (Plugin) (PA) Cisco NAC system The Cisco Network Admission Control (NAC) security solution offers a systems approach to customers for ensuring endpoint device compliancy and vulnerability checks prior to production access to the network. Cisco refers to these compliancy checks as posture validations. The intent of this systems approach is to prevent the spread of works, viruses, and rogue applications across the network. This systems approach requires integration with third party end point security applications, as well as endpoint security servers. The Network Access Device (NAD) enforces network access control privileges by controlling which endpoint devices have access to network destinations and services reachable through that NAD. Endpoint devices that do not have the PA installed, enabled, or cannot otherwise respond to the NAD posture challenges are considered non-responsive hosts. Upon recognition of an incoming endpoint device at L2 or L3, the NAD issues a challenge to the endpoint device for posture credentials. Endpoint devices with a PA will recognize the challenge and respond with the necessary posture credentials. The NAD acts as a relay agent between the endpoint device and AAA server for all messages in the posture validation exchange. Once the validation is complete, the NAD enforces the access policy profile downloaded from the AAA Server, e.g. (i) provide full access (ii) deny all access through the NAD restrict access (quarantine) or (iii) some intermediate level of network access restriction or quarantine. Between posture revalidations, the NAD may issue periodic status queries to determine that the each endpoint device using the NAD is still the same device that was first postured, and that the endpoint device's posture credentials have not changed. This mechanism is a challenge response protocol that does not involve the AAA Server nor does it require the posture plugins to resend any credentials. It is used to trigger a full posture revalidation with the AAA Server when the endpoint device's credentials have changed (e.g. to revalidate the host endpoint device after remediation), or a new host endpoint device connects with a previously authorized IP address. The NAD supports a local exception list based on IP, MAC address or device type so that certain endpoint devices can bypass the posture validation process based on system administrator configuration. Also, the NAD may be configured to query the AAA server for access policies associated with endpoint devices that do not have a Posture Agent installed, clientless host endpoint devices. Posture Validation occurs when a NAC-enabled network access device (NAC) detects an endpoint device attempting to connect or use its network resources and it issues the endpoint device a posture challenge. An endpoint device with a resident posture agent will respond to the challenge with sets of posture credentials from one or more posture plugins which can detail the state of the various hardware and software components on the endpoint device. The posture agent response is forwarded by the network access device to an AAA server which may in turn delegate parts of the decision to posture validation server. Evaluation of the credentials against posture validation policies results in an authorization decision or posture token, representing the endpoint device's relative compliance to the network compliance policy. The AAA server then sends the respective network access profile to the network access device for enforcement of the endpoint device authorization. The Cisco Technology consists of the following: Endpoint Device - Any host attempting to connect or use the resource of a network. - e.g., a personal computer, personal data digital assistant, or data server, or other network attached device. NAD - Network Access Device that enforces network access control policies through layer 2 or layer 3 challenge-responses with a network enabled Endpoint device. PC - Posture Credentials that describe the state of an application and/or operating system that is running on an endpoint device at the time a layer 2 or layer 3 challenge response is issued by a NAD. PP - Posture Plugin. A module implemented by an application or agent provider that is responsible for supplying the relevant posture credentials for the application or agent. PA - Posture Agent. Host agent software that serves as a broker on the host for aggregating credential from potentially multiple posture plugins and communicating with the network. CTA - Cisco Trust Agent. Cisco's implementation of the posture agent. EAP - Extensible Authentication Protocol. An extension to PPP. EOU - Extensible Authentication Protocol over UDP. ACS/AAA - Cisco Secure Access Control Server. The primary authorization server that is the network policy decision point and is extended to support posture validation. PVS - Posture Validation Server. UCT - Un Conditional Transition. Clientless - Client without Cisco Posture Agent.