https://community.cisco.com/t5/network-security/nac-design-question/m-p/1619854#M785905 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>As long as the thin clients are seen as standard physical clients by the CAS (so VMware is not doing anything special with MAC/IP addresses), then what you mentioned could be a valid design option.</P><P>The NAC Profiler in particular can be a good plus to categorize your thin clients and automatically manage the filters on the CAM.</P><P></P><P>Regards,</P><P></P><P>Fede</P><P></P><P>--</P><P>If&nbsp; this helps you and/or answers your question please mark the question as&nbsp; "answered" and/or rate it, so other users can easily find it.</P></BODY></HTML> Fri, 14 Jan 2011 13:53:28 GMT Federico Ziliotto 2011-01-14T13:53:28Z https://community.cisco.com/t5/network-security/nac-design-question/m-p/1619853#M785858 <P><!--[if gte mso 10]> <style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman","serif";} </style> <![endif]--></P><P class="MsoNormal">Hi,</P><P class="MsoNormal"></P><P class="MsoNormal">Looking for some advice on Implementing NAC across the enterprise. The environment uses laptops, desktops and thin-clients (Vmware VIEW, VDI) which connect to ESX servers where the actual machines reside (running Windows 7 and Windows XP operating systems).</P><P class="MsoNormal"></P><P class="MsoNormal">So the question is can I use NAC server to posture assess/authenticate the thin-clients users?</P><P class="MsoNormal"></P><P class="MsoNormal"><STRONG>This is what I am thinking:</STRONG></P><P class="MsoNormal"></P><P class="MsoListParagraph" style="text-indent: -0.25in;"><!--[if !supportLists]--><SPAN style="font-family: Symbol;"><SPAN>·<SPAN style="font: 7pt &amp;quot;Times New Roman&amp;quot;;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><!--[endif]-->NAC – OOB would not be supported in this design since the ESX connection to the switch would be a trunk link. Also the thin-client connection to the switch also always stays up.</P><P class="MsoListParagraph" style="text-indent: -0.25in;"><!--[if !supportLists]--><SPAN style="font-family: Symbol;"><SPAN>·<SPAN style="font: 7pt &amp;quot;Times New Roman&amp;quot;;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><!--[endif]-->NAC – Inband would be supported but could potentially be a bottle neck because the customer has a 10 gig backbone network.</P><P class="MsoNormal"></P><P class="MsoNormal"><STRONG>I am thinking if I can use two different NAC appliances as part of the solution. </STRONG></P><P class="MsoListParagraph" style="text-indent: -0.25in;"><!--[if !supportLists]--><SPAN style="font-family: Symbol;"><SPAN>·<SPAN style="font: 7pt &amp;quot;Times New Roman&amp;quot;;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><!--[endif]-->Use one appliance in Inband mode and use it for the ESX servers. Use the profiler to exempt the thin-clients from authentication since they basically have nothing running on them and they cannot authenticate to the NAC server.</P><P class="MsoListParagraph" style="text-indent: -0.25in;"><!--[if !supportLists]--><SPAN style="font-family: Symbol;"><SPAN>·<SPAN style="font: 7pt &amp;quot;Times New Roman&amp;quot;;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><!--[endif]-->The second NAC appliance will be configured as Out of Band and all the remaining regular users (with physical laptops, desktops) gets authenticated to this NAC server.</P><P class="MsoNormal"></P><P class="MsoNormal">This way the NAC bottleneck would only be limited to the thin-clients users who connect to the VM’s running on the ESX server.</P><P class="MsoNormal"></P><P class="MsoNormal">Is this a viable option for NAC’ing the VM clients running on ESX servers.</P><P></P> Fri, 21 Feb 2020 12:13:13 GMT https://community.cisco.com/t5/network-security/nac-design-question/m-p/1619853#M785858 smhussain 2020-02-21T12:13:13Z https://community.cisco.com/t5/network-security/nac-design-question/m-p/1619854#M785905 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>As long as the thin clients are seen as standard physical clients by the CAS (so VMware is not doing anything special with MAC/IP addresses), then what you mentioned could be a valid design option.</P><P>The NAC Profiler in particular can be a good plus to categorize your thin clients and automatically manage the filters on the CAM.</P><P></P><P>Regards,</P><P></P><P>Fede</P><P></P><P>--</P><P>If&nbsp; this helps you and/or answers your question please mark the question as&nbsp; "answered" and/or rate it, so other users can easily find it.</P></BODY></HTML> Fri, 14 Jan 2011 13:53:28 GMT https://community.cisco.com/t5/network-security/nac-design-question/m-p/1619854#M785905 Federico Ziliotto 2011-01-14T13:53:28Z https://community.cisco.com/t5/network-security/nac-design-question/m-p/1619855#M785935 <HTML><HEAD></HEAD><BODY><P>Yes the thin-clients will be seen as standard devices on the network.</P><P>Each Virtual Machines running on VMware ESX server (that the thin-clients will connect to) will also have unique MAC and IP address.</P><P></P><P>Thanks,<BR />Syed</P></BODY></HTML> Sat, 15 Jan 2011 17:06:50 GMT https://community.cisco.com/t5/network-security/nac-design-question/m-p/1619855#M785935 smhussain 2011-01-15T17:06:50Z