03-05-2009 05:54 PM - edited 02-21-2020 03:20 AM
When I deploy the Cisco NAC appliance, what is the main difference between using the Cisco NAC appliance with or without the agent? I see the Cisco NAC agent has two functions: scan and remediation. If the Cisco NAC appliance is used without the agent, the Cisco NAC server will scan the device and do remediation. Is that right?
Please answer me early. Thank you for your answer.
03-06-2009 07:54 AM
If the client station does not have an agent running (either full agent or web agent) then scanning and remediation cannot take place.
Devices without an agent can still be given access to the network via Filters, but without the agent, scanning and remediation will not take place.
03-06-2009 06:38 PM
Dear Michael, thank you for your answer. Because I see the agent is optional, if I don't like to use the agent, I think that the NAC server can scan and remediate. If the NAC server can't scan and remediate, the NAC agent is required.
Those are my ideas. Does anyone have other ideas?
I'm looking for your answer.
Thank you very much.
03-06-2009 07:04 PM
The NAC Agent will allow you to assess the computer from inside the host firewall; you can also review using the network scanner to assess the computer from outside the firewall.
The agent is optional, and its absence will limit your capabilities to scan and remediate.
Check out the NAC Chalk Talks.
Thank You,
Dan Laden
03-09-2009 10:42 AM
Sorry, I believe daldden is correct, without the agent you can still scan using the built-in Nessus scanner.
We don't use the Nessus scanner, but these are some things to consider if you use the scanner. These are from memory though so anyone who actively uses the scanner may be able to give more up to date or complete info:
1) You have to decide which vulnerabilities you want to scan for.
2) The more plug-ins you enable, the longer (obviously) the scan takes.
3) There are configuration steps for many of the plug-ins.
4) Your users will still need to go to a login page in order to be scanned.
5) You have to configure the remediation information (URL, steps, etc) for each plug-in you enable.
From our view point, the only reason we would enable the scanner is if we were looking for a specific vulnerability, perhaps a new threat that didn't yet have a patch. If it had a patch, we would watch for the patch using the agent (installed or web based).
It was much easier for us to use the agent, to scan their system and make sure that the MS critical hot fixes were installed and/or an AV system was installed and up to date. As mentioned, if there is a patch for a vulnerability, you can use the agent to make sure that specific hot fix is installed.
Remember that there is also a web agent. The web agent is an ActiveX or Java (you pick which one you want to use) applet that is loaded onto the person's machine, the system scanned, then the applet is unloaded.
Of course, the agent is only for MSoft (with some Mac options), so if you have Linux systems, the Nessus scanner would be your only option.
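The posture-decision logic the thread describes (agent present: check host-side data such as hotfixes and AV; no agent: fall back to network-scan results with per-plug-in remediation info; devices exempted by filter: admitted without posture; nothing at all: posture unknown) can be sketched as a small policy evaluator. This is an added example written for this page, not Cisco's code or configuration format; the hotfix names, plug-in IDs, MAC address and remediation URLs are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed policy data, not real Cisco NAC settings.
REQUIRED_HOTFIXES: Set[str] = {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"}

# Thread point 5: remediation info must be configured for every enabled plug-in.
# Plug-in IDs here are placeholders, not real Nessus plug-in numbers.
SCAN_PLUGIN_REMEDIATION = {
    "plugin-A": "https://remediation.example/plugin-A",
    "plugin-B": "https://remediation.example/plugin-B",
}

# Device filter: endpoints admitted without posture assessment (e.g. printers).
FILTER_ALLOWED_MACS: Set[str] = {"00:00:5e:00:53:01"}  # constructed MAC


@dataclass
class AgentReport:
    """What a full or web agent reports from inside the host firewall."""
    installed_hotfixes: Set[str]
    av_installed: bool
    av_up_to_date: bool


@dataclass
class ScanReport:
    """What the network scanner reports from outside the host firewall."""
    triggered_plugins: List[str]


@dataclass
class Endpoint:
    name: str
    mac: str
    agent: Optional[AgentReport] = None
    scan: Optional[ScanReport] = None


@dataclass
class Decision:
    allowed: bool
    method: str            # "filter", "agent", "network-scan" or "none"
    remediation: List[str]


def evaluate(ep: Endpoint) -> Decision:
    """Decide network admission for one endpoint, preferring agent data."""
    # Filtered devices bypass scanning and remediation entirely.
    if ep.mac in FILTER_ALLOWED_MACS:
        return Decision(True, "filter", [])

    # Agent present: host-side checks (hotfixes, AV) and targeted remediation.
    if ep.agent is not None:
        steps = [f"install hotfix {kb}"
                 for kb in sorted(REQUIRED_HOTFIXES - ep.agent.installed_hotfixes)]
        if not ep.agent.av_installed:
            steps.append("install antivirus")
        elif not ep.agent.av_up_to_date:
            steps.append("update antivirus definitions")
        return Decision(not steps, "agent", steps)

    # No agent: only the network scan is available; remediation is per plug-in.
    if ep.scan is not None:
        steps = []
        for plugin in ep.scan.triggered_plugins:
            url = SCAN_PLUGIN_REMEDIATION.get(plugin)
            steps.append(url if url else f"{plugin}: no remediation info configured")
        return Decision(not steps, "network-scan", steps)

    # Neither agent nor scan result: posture is unknown, so deny by default.
    return Decision(False, "none", ["no agent and no scan result: posture unknown"])


if __name__ == "__main__":
    # Constructed sample endpoints illustrating each path.
    laptop = Endpoint("win-laptop", "00:00:5e:00:53:10",
                      agent=AgentReport({"KB-PLACEHOLDER-1"}, True, True))
    linux_box = Endpoint("linux-host", "00:00:5e:00:53:20",
                         scan=ScanReport(["plugin-A", "plugin-Z"]))
    printer = Endpoint("printer", "00:00:5e:00:53:01")
    for ep in (laptop, linux_box, printer):
        print(ep.name, evaluate(ep))
```

The default-deny branch at the end is the design choice worth noting: an endpoint that is neither filtered, agent-equipped nor scanned has no posture evidence, and the thread's point that scanning and remediation "cannot take place" without an agent or scanner should translate into a quarantine decision rather than an implicit allow.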