04-24-2005 07:41 AM - edited 02-21-2020 12:06 AM
Does Cisco have any recommendations on putting CTA on servers and using NAC?
This is more in anticipation of NAC on switches.
If you have good physical security over how servers connect to and disconnect from a switch, and you have good control over server patches and virus signature updates, then I can only think of using NAC for monitoring, as I would never want to quarantine a server just because it lapsed in its posture.
Will NAC be able to monitor some VLANs/ports, and enforce on other VLANs/ports?
04-28-2005 06:44 AM
ACS will have to be installed in order for NAC to function properly without the CTA agents.
04-28-2005 08:01 PM
Hey there -
Q1 - Does Cisco have any recommendations on putting CTA on servers and using NAC?
PC - You can use NAC to monitor and/or enforce your policy. If there are some IP addresses that you would like to exempt from NAC, you can do so today on the IOS routers. When NAC is available as a feature in Layer 2 switches, you will likely be able to enable NAC/802.1x on a per port basis.
A benefit of NAC is to reduce the risk of unpatched/unknown users entering your network who do not meet your minimum technical requirements. Servers are likely under tight control and the risk of these machines not meeting your minimum technical requirements is likely quite small, as you suggest.
Q2 - Will NAC be able to monitor some VLANs/ports, and enforce on other VLANs/ports?
Yes, today with NAC enabled routers, you can exempt certain IP addresses. When NAC is available on the switches, you will likely be able to enable this feature on a per port basis.
Hope this helps,
peter