Value Is in the NAC Partners
One of the big challenges is that businesses typically use different technologies, often supplied by many vendors, to provide different methods of protection, and they often work independently of each other. Wouldn’t it be nice to use a common framework that allows the many vendor technologies to plug in and interoperate with the networking infrastructure that controls access to only compliant hosts and valid users?
As the adoption of IBNS matures, businesses will want to increase their admission policy requirements to include more identity enforcement besides user authentication. It will involve using more applications and technologies to monitor and enforce acceptable use of their resources as well as to enforce acceptable behavior.
The value that NAC Framework provides over all other network admission methods comes from the many vendors who are NAC partners. Cisco believes in working with standards bodies such as the Internet Engineering Task Force (IETF) to make NAC available and work with many vendors.
From its inception, NAC Framework has allowed third-party vendor integration. It supports a variety of partner products and technologies using standards-based, flexible application program interfaces (APIs) that allow third parties to contribute solutions to a NAC Framework environment. Besides the options available today, a variety of new applications can be created as part of the NAC posturing process. Posture plug-ins can be created to allow communication between the vendor’s client application and the Cisco Trust Agent. The Cisco Trust Agent can be customized to pass credentials for any type of characteristic by way of the Host Credentials Authorization Protocol (HCAP) or the Generic Authorization Message Exchange (GAME) Protocol to policy servers that decide the compliance level of a device or user. The policy server can send actions that are enforced by the NADs or even the vendor’s client application.
NAC Framework uses the following security protocols:
- Standardized protocols such as Extensible Authentication Protocol (EAP), Protected EAP (PEAP), 802.1X, and RADIUS services
are used for communications between network components and a variety of hosts.
EAP–Flexible Authentication via Secure Tunneling (EAP-FAST) is a Cisco-authored protocol that allows multiple credential types, such as user identity and posture credentials, to be chained together in a single authentication packet. This allows NAC-L2-802.1X to perform both user and machine identity authentication as well as posture validation.
- At the time of this writing, the following NAC protocols are Cisco proprietary. Some of these protocols are going through
the formal process of becoming standardized and could be standard by the time you read this:
- — EAP–type-length value (EAP-TLV) is an EAP extension that carries posture credentials and posture notifications between the host computer’s posture plug-in agent and the Cisco policy server.
- — GAME is a proprietary protocol used by partner audit servers to scan a host that has no Cisco Trust Agent installed to determine software compliance. An audit server uses GAME to communicate compliance directly to a Cisco Secure ACS, which in turn enforces the appropriate security policy on the host.
- — HCAP is available for NAC partners to allow their external policy servers to interoperate with the Cisco Secure ACS and to be part of the admission policy decision.
Cisco also provides an API for Cisco Trust Agent, HCAP, and GAME that is available to licensed vendors. NAC partner vendors can write custom applications using the API to evaluate almost anything for admission.
NAC is simply the conduit that allows your infrastructure to police your information highway with the requirements of your choice.