https://community.cisco.com/t5/network-security/nac-questions-quick-help-required/m-p/1250933#M788287 <P>kindly help me out to understand some concept of NAC as its very urgent:</P><P></P><P>1) what does actually hapens before the user provide the credentials to NAC, how DHCP handle the host either NAC give it bogus ip....etc</P><P></P><P>2)if the user is authenticated and scanned how NAC accomodate if the have any virus after it ...in inband and out-of-band both cases?</P><P></P><P>3)in OOB how server actually work on switch port, how its work, what it does ?</P><P></P><P>4)is there any alert mechanism in NAC other then profiler?</P><P></P><P>5)what benefits i have if i use guest server ?</P><P></P><P>6)is NAC detect new system by mac-address or links-up or by dhcp request ?</P><P></P><P>7)is mac spoofing for system/printer can mitigate by NAC server ?</P><P></P><P>8)can we only buy NAC software ?</P><P></P><P>9)what is the difference b/w NAC agent,trust agent and nessus ? is cca is any other agent ?</P><P></P><P>thanks in advance i hope sooner reply </P> Fri, 21 Feb 2020 11:30:23 GMT sal_jam82 2020-02-21T11:30:23Z https://community.cisco.com/t5/network-security/nac-questions-quick-help-required/m-p/1250933#M788287 <P>kindly help me out to understand some concept of NAC as its very urgent:</P><P></P><P>1) what does actually hapens before the user provide the credentials to NAC, how DHCP handle the host either NAC give it bogus ip....etc</P><P></P><P>2)if the user is authenticated and scanned how NAC accomodate if the have any virus after it ...in inband and out-of-band both cases?</P><P></P><P>3)in OOB how server actually work on switch port, how its work, what it does ?</P><P></P><P>4)is there any alert mechanism in NAC other then profiler?</P><P></P><P>5)what benefits i have if i use guest server ?</P><P></P><P>6)is NAC detect new system by mac-address or links-up or by dhcp request ?</P><P></P><P>7)is mac spoofing for system/printer can mitigate by NAC server ?</P><P></P><P>8)can we only buy NAC software ?</P><P></P><P>9)what is the difference b/w NAC agent,trust agent and nessus ? is cca is any other agent ?</P><P></P><P>thanks in advance i hope sooner reply </P> Fri, 21 Feb 2020 11:30:23 GMT https://community.cisco.com/t5/network-security/nac-questions-quick-help-required/m-p/1250933#M788287 sal_jam82 2020-02-21T11:30:23Z https://community.cisco.com/t5/network-security/nac-questions-quick-help-required/m-p/1250934#M788290 <HTML><HEAD></HEAD><BODY><P>1.) depends on out of band vs in band deployment. Out of band typically user is given a /30 network ip and switched once posture assessment and role assignment happen. In band typically the standard dhcp servers give the address out and they are given a valid address. However they are placed in a role that can be set up to restrict traffic as detailed as necessary.</P><P>2.) Typically nac would not be looking if the user has a virus or not but rather if the user is running AV software with the latest definitions or not</P><P>3.) See answer to question 1</P><P>7.) use profiler for that - nac will probably not help you in most situations where a user tries to bypass nac by using a different mac-address (such as whitelisted printer)</P><P>9.) the cca agent is software installed on a windows or linux system. nessus is a scanning tool that can be used to do additional scanning of a device (even if not used with / before nac assessment)</P><P></P></BODY></HTML> Thu, 11 Jun 2009 01:36:30 GMT https://community.cisco.com/t5/network-security/nac-questions-quick-help-required/m-p/1250934#M788290 greg.washburn 2009-06-11T01:36:30Z https://community.cisco.com/t5/network-security/nac-questions-quick-help-required/m-p/1250935#M788292 <HTML><HEAD></HEAD><BODY><P>thanks alot for this greg.washburn for reply can you tell me from where i shuld get answer's of remaining question ?</P></BODY></HTML> Thu, 11 Jun 2009 14:41:10 GMT https://community.cisco.com/t5/network-security/nac-questions-quick-help-required/m-p/1250935#M788292 sal_jam82 2009-06-11T14:41:10Z https://community.cisco.com/t5/network-security/nac-questions-quick-help-required/m-p/1250936#M788297 <HTML><HEAD></HEAD><BODY><P>3) the nac server will modify the switchort vlan assignment by using snmp write</P><P></P><P>5) it simplifies and adds more options for guest access to the network.</P><P>check this for much more details: <A class="jive-link-custom" href="http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd806e98c9.html" target="_blank">http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd806e98c9.html</A></P><P></P><P>6) it can be done by either mac-address or linkup, but we usually use mac-address as when you use ip phones the switchport never goes down and up. but in both cases, a device on nac is identified by its mac address.</P><P></P><P>7) to mitigate mac spoofing you have to use NAC Profiler.</P><P></P><P><span class="lia-unicode-emoji" title=":smiling_face_with_sunglasses:">😎</span> i believe you can. all you need to buy is the nac licenses.</P></BODY></HTML> Fri, 12 Jun 2009 14:00:50 GMT https://community.cisco.com/t5/network-security/nac-questions-quick-help-required/m-p/1250936#M788297 halim.abouzeid 2009-06-12T14:00:50Z