Chapter 5. Solution design
ABBC will institute posture-based network admission. Systems deemed in
noncompliance will be quarantined and allowed to access only the remediation
network. Figure 5-1 shows a conceptualized view of the functional requirements.
Figure 5-1 NAC solution conceptual functional requirements
The steps of the basic flow are:
1. The workstation, whether local or remote, attempts to access the ABBC network and supplies its IEEE 802.1x credentials.
2. A compliance check is initiated by the Cisco Network Admission Control-enabled device (for example, a router, switch, or Clean Access Server). This enforcement device requests the posture status from the client, then queries the policy on the Cisco NAC server (which may be a Cisco Secure Access Control Server or a Clean Access Manager) to make an access decision. If the system meets the posture policy criteria, it is allowed access to the production network. For illustration purposes we assume that the system does not meet the criteria, and we continue through the flow.
3. Having failed the posture compliance check, the client workstation is denied access to the production network. The workstation is now considered to be in quarantined status and is allowed to access only a subset of the network (what we are calling the remediation network).
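The decision logic of steps 1 through 3 can be modelled in a few dozen lines: authenticate, collect the client's posture report, evaluate it against the posture policy held by the NAC server, and then either admit the workstation to the production network or quarantine it so that only the remediation network is reachable. The following Python is an added illustration, not code from the Redbook or from the Cisco or Tivoli products; the policy rules, attribute names, posture reports and the 10.99.0.0/24 remediation subnet are all constructed for the example.

```python
"""Model of posture-based network admission (steps 1-3 of the flow).

Constructed example: the rule set, posture attributes and subnet are
illustrative and do not reflect any real ABBC, Cisco or Tivoli policy.
"""
import ipaddress
from dataclasses import dataclass, field

PRODUCTION = "production"
REMEDIATION = "remediation"
DENIED = "denied"

# Constructed: the only subnet a quarantined workstation may reach.
REMEDIATION_SUBNETS = [ipaddress.ip_network("10.99.0.0/24")]


@dataclass(frozen=True)
class PostureRule:
    """One requirement of the posture policy evaluated by the NAC server."""
    attribute: str
    expected: object
    op: str = "eq"  # "eq": equal, "ge": at least, "le": at most

    def check(self, posture: dict) -> bool:
        value = posture.get(self.attribute)
        if value is None:
            return False  # an unreported attribute never satisfies a rule
        if self.op == "eq":
            return value == self.expected
        if self.op == "ge":
            return value >= self.expected
        if self.op == "le":
            return value <= self.expected
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass
class Decision:
    network: str                      # PRODUCTION, REMEDIATION or DENIED
    failed_rules: list = field(default_factory=list)


# Constructed posture policy (what the Cisco NAC server would hold).
POSTURE_POLICY = [
    PostureRule("antivirus_running", True),
    PostureRule("signature_age_days", 7, "le"),
    PostureRule("firewall_enabled", True),
    PostureRule("patch_level", (2, 1), "ge"),  # tuples compare element-wise
]

# Constructed posture reports as the NAC agent on the workstation would send them.
COMPLIANT_POSTURE = {
    "antivirus_running": True, "signature_age_days": 2,
    "firewall_enabled": True, "patch_level": (2, 3),
}
NONCOMPLIANT_POSTURE = {
    "antivirus_running": True, "signature_age_days": 30,
    "firewall_enabled": True, "patch_level": (1, 9),
}


def admission_decision(credentials_ok: bool, posture: dict,
                       policy=POSTURE_POLICY) -> Decision:
    """Enforcement-device decision (step 2 of the flow).

    A failed 802.1x authentication yields no access at all; a failed
    posture check yields quarantine on the remediation network.
    """
    if not credentials_ok:
        return Decision(DENIED, ["802.1x authentication failed"])
    failed = [rule.attribute for rule in policy if not rule.check(posture)]
    if failed:
        return Decision(REMEDIATION, failed)
    return Decision(PRODUCTION)


def reachable(decision: Decision, destination: str) -> bool:
    """Step 3: a quarantined workstation reaches only the remediation subnet."""
    addr = ipaddress.ip_address(destination)
    if decision.network == PRODUCTION:
        return True
    if decision.network == REMEDIATION:
        return any(addr in net for net in REMEDIATION_SUBNETS)
    return False


if __name__ == "__main__":
    for label, report in (("compliant", COMPLIANT_POSTURE),
                          ("noncompliant", NONCOMPLIANT_POSTURE)):
        d = admission_decision(True, report)
        print(f"{label}: placed on {d.network}, failed rules: {d.failed_rules}")
        print(f"  can reach remediation host 10.99.0.10: {reachable(d, '10.99.0.10')}")
        print(f"  can reach production host 10.1.2.3:   {reachable(d, '10.1.2.3')}")
```

Note that `admission_decision` returns the list of failed rules rather than a bare yes/no; the remediation network is only useful if the client (or the operator) is told what to fix, so a real deployment would carry that detail through to the remediation step.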
[Figure 5-1 (image not reproduced). Components shown: Workstation (with Tivoli SCM Client, Cisco NAC Agent, and Posture Policy); Cisco NAC Server; Tivoli Security Compliance Manager; Tivoli Configuration Manager; Compliance Check. Networks shown: Production and Remediation. Flow steps numbered 1 through 4.]