Segment 3: Topology and Design

VPN and Wireless mean at least one thing for sure: In-Band mode. Do we have to use ONLY Cisco wireless gear to have a solid NAC solution?
No, of course not. NAC is very flexible, and all wireless users can be subject to NAC Appliance compliance (that sounds like the start of a Schoolhouse Rock video... "Appliance Compliance without Defiance..." Hey Robb...
Anyway... when connecting through any Wi-Fi access point, we can enforce our will and power upon all the users <insert evil laugh here>. The following wireless products are supported by NAC Appliance:
• Any 802.11 Wi-Fi access point, including:
  – Cisco Aironet access points deployed in stand-alone mode: Cisco Aironet 350, 1100, 1130AG, 1200, 1230AG, 1240AG, and 1300 series access points.
  – Cisco Aironet lightweight access points deployed with a Cisco Wireless LAN Controller. Access points: Cisco Aironet 1000, 1130AG, 1200, 1230AG, 1240AG and 1500 series. Controllers: Cisco 2000 or 4400 series wireless LAN controllers, as well as the Cisco Catalyst 6500 Series Wireless Services Module (WiSM), the Cisco Catalyst 3750G Integrated Wireless LAN Controller and the Cisco Wireless LAN Controller Module for Integrated Services Routers. Cisco Aironet lightweight access points are configured for NAC Appliance compliance via the Web-based setup on the wireless LAN controller.
• Any 802.11 Wi-Fi client device, including:
  – Cisco Aironet client devices
  – Cisco Compatible client devices
So lots of options here.
What really makes NAC Appliance an awesome solution is that it serves as an authentication proxy for most forms of authentication, natively integrating with Kerberos, Lightweight Directory Access Protocol (LDAP), RADIUS, Active Directory, S/Ident, and others. To minimize the inconvenience to end users, Cisco NAC Appliance supports single sign-on for VPN clients, wireless clients, and Windows Active Directory domains. Admins can maintain multiple user profiles with different permission levels through role-based access control. This makes the dream of Single Sign-On (SSO) a reality for all of us!!!
For VPN, the NAC Appliance integrates with Cisco VPN Concentrators and the Cisco ASA, and can enable Single Sign-On (SSO) for VPN users. This is achieved with RADIUS accounting: the appliance learns the client's IP address from either the Framed-IP-Address or the Calling-Station-Id RADIUS attribute for SSO purposes. VPN users do not need to log in through the web browser or the Clean Access Agent, because the RADIUS accounting information sent to the CAS/CAM by the VPN Concentrator (the RADIUS Accounting Start message) already carries the user ID and IP address of each user who logs into the VPN Concentrator. To make this work, you need to add the Cisco VPN device as an authentication server.
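As an added example (not code from the page or from Cisco), here is how a consumer of RADIUS Accounting-Start messages, playing the CAS/CAM role described above, would pull the user ID and client IP out of the Framed-IP-Address (type 8) or Calling-Station-Id (type 31) attributes, and refuse Stop/Interim records or malformed packets. The packet bytes are constructed inline; the authenticator is zeroed because no shared secret is modelled here.

```python
import ipaddress
import struct

ACCT_REQUEST = 4                       # RADIUS Code for Accounting-Request (RFC 2866)
USER_NAME, FRAMED_IP, CALLING_STATION_ID, ACCT_STATUS_TYPE = 1, 8, 31, 40
ACCT_START = 1                         # Acct-Status-Type value for Start (Stop is 2)

def parse_attributes(payload: bytes) -> dict:
    """Walk the attribute TLVs; fail closed on bad lengths instead of guessing."""
    attrs, pos = {}, 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs[atype] = payload[pos + 2:pos + alen]
        pos += alen
    return attrs

def sso_session_from_accounting(packet: bytes):
    """Return {'user', 'ip'} for an Accounting-Start; None for anything else."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return None                    # not accounting, or the Length field lies
    attrs = parse_attributes(packet[20:length])
    status = attrs.get(ACCT_STATUS_TYPE)
    if status is None or len(status) != 4 or struct.unpack("!I", status)[0] != ACCT_START:
        return None                    # Stop / Interim records must not create sessions
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    if FRAMED_IP in attrs and len(attrs[FRAMED_IP]) == 4:
        ip = str(ipaddress.IPv4Address(attrs[FRAMED_IP]))
    elif CALLING_STATION_ID in attrs:  # fallback: textual address in Calling-Station-Id
        try:
            ip = str(ipaddress.ip_address(attrs[CALLING_STATION_ID].decode()))
        except ValueError:             # includes UnicodeDecodeError
            return None
    else:
        return None
    return {"user": user, "ip": ip}

def build_packet(attrs: list) -> bytes:
    """Constructed sample Accounting-Request (identifier 7, authenticator zeroed)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCT_REQUEST, 7, 20 + len(body)) + bytes(16) + body

SAMPLE_START = build_packet([(USER_NAME, b"jdoe"),            # constructed sample
                             (FRAMED_IP, ipaddress.IPv4Address("10.20.30.40").packed),
                             (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))])
```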
Blogger:
Jamie Sanbower from Force3 maintains a nice Cisco NAC Blog. We brought up a question he left for us here on the wiki:
"I would like to get a better explanation for the Pros/Cons around the different deployment options for deploying L3 OOB in a campus environment. [Specifically] Why choose ACLs/VRF/PBR for your deployments and why? What are the deciding factors?"