smhussain
Beginner

NAC Design question

Hi,

Looking for some advice on implementing NAC across the enterprise. The environment uses laptops, desktops and thin-clients (VMware VIEW, VDI) which connect to ESX servers where the actual machines reside (running Windows 7 and Windows XP operating systems).

So the question is: can I use a NAC server to posture assess/authenticate the thin-client users?

This is what I am thinking:

· NAC – OOB would not be supported in this design since the ESX connection to the switch would be a trunk link. Also, the thin-client connection to the switch always stays up.

· NAC – Inband would be supported but could potentially be a bottleneck because the customer has a 10 gig backbone network.

I am thinking if I can use two different NAC appliances as part of the solution.

· Use one appliance in Inband mode and use it for the ESX servers. Use the profiler to exempt the thin-clients from authentication since they basically have nothing running on them and they cannot authenticate to the NAC server.

· The second NAC appliance will be configured as Out of Band and all the remaining regular users (with physical laptops, desktops) get authenticated to this NAC server.

This way the NAC bottleneck would only be limited to the thin-client users who connect to the VMs running on the ESX server.

Is this a viable option for NAC’ing the VM clients running on ESX servers?

2 REPLIES
Federico Ziliotto
Cisco Employee

Hello,

As long as the thin clients are seen as standard physical clients by the CAS (so VMware is not doing anything special with MAC/IP addresses), then what you mentioned could be a valid design option.

The NAC Profiler in particular can be a good plus to categorize your thin clients and automatically manage the filters on the CAM.

Regards,

Fede

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Yes, the thin-clients will be seen as standard devices on the network.

Each virtual machine running on the VMware ESX server (that the thin-clients will connect to) will also have a unique MAC and IP address.

Thanks,
Syed
