Q. What is the difference between the Cisco Clean Access NAC Appliance and NAC Framework?
A. NAC Framework uses new and existing Cisco network infrastructure and NAC partner products for NAC deployments at Layer 2 and Layer 3, including virtual private networks (VPN) and wireless.
NAC Appliance uses the Cisco Clean Access solution to provide customers with a self-contained product that integrates with the network infrastructure. NAC Appliance provides admission control and posture assessment capabilities in network infrastructure that does not support NAC Framework.
Q. What are the NAC Posture States? What do they indicate?
A.
- Healthy—Host is compliant; no restrictions on network access.
- Checkup—Host is within policy but an update is available. Used to proactively remediate a host to the Healthy state.
- Transition—Host posturing is in process; give interim access pending full posture validation. This is applicable during the host boot process when all services might not be running or audit results are not yet available.
- Quarantine—Host is out of compliance; restrict network access to a quarantine network for remediation. The host is not an active threat but is vulnerable to a known attack or infection.
- Infected—Host is an active threat to other endpoint devices; network access should be severely restricted or denied entirely.
- Unknown—Host posture cannot be determined. Quarantine the host, and audit or remediate until a definitive posture can be determined.
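The six posture states above are only useful once a policy decides, in a fixed order of precedence, which state a host's evidence maps to and what access follows. The example below is added here and is not Cisco code; the host attributes (agent response, boot state, antivirus signature age, active-malware flag) and the 7-day threshold are constructed assumptions, not Cisco posture attributes.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Posture(Enum):
    HEALTHY = "Healthy"
    CHECKUP = "Checkup"
    TRANSITION = "Transition"
    QUARANTINE = "Quarantine"
    INFECTED = "Infected"
    UNKNOWN = "Unknown"


# Network access action for each posture state, following the definitions above.
ACTION = {
    Posture.HEALTHY: "full access",
    Posture.CHECKUP: "full access; push available update",
    Posture.TRANSITION: "interim access pending full validation",
    Posture.QUARANTINE: "quarantine network for remediation",
    Posture.INFECTED: "deny access",
    Posture.UNKNOWN: "quarantine and audit until posture is known",
}


@dataclass
class HostReport:
    """Constructed posture evidence; field names are assumptions, not a Cisco schema."""
    agent_responded: bool                       # posture agent answered the query
    booting: bool = False                       # services still starting, audit incomplete
    av_signature_age_days: Optional[int] = None  # None = attribute not reported
    av_update_available: bool = False           # within policy, but a newer update exists
    active_malware: bool = False                # audit server flagged active infection
    max_signature_age_days: int = 7             # assumed compliance threshold


def classify(r: HostReport) -> Posture:
    """Map evidence to a posture state; earlier checks override later ones."""
    if r.active_malware:                        # active threat wins regardless of other data
        return Posture.INFECTED
    if not r.agent_responded:                   # no evidence at all
        return Posture.UNKNOWN
    if r.booting:                               # results not yet available, give interim access
        return Posture.TRANSITION
    if r.av_signature_age_days is None:         # agent answered but the attribute is missing
        return Posture.UNKNOWN
    if r.av_signature_age_days > r.max_signature_age_days:
        return Posture.QUARANTINE               # out of compliance, vulnerable but not hostile
    if r.av_update_available:
        return Posture.CHECKUP                  # compliant, remediate proactively
    return Posture.HEALTHY


def decide(r: HostReport) -> Tuple[Posture, str]:
    """Return the posture state and the access action the policy applies to it."""
    p = classify(r)
    return p, ACTION[p]
```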
Q. What is EAP?
A.
- EAP is a request-response protocol defined in RFC 2284.
- EAP is used to exchange identity and authentication credentials between a peer and a AAA server. Cisco NAC uses EAPoUDP and EAPoLAN for NAC L2 IP and NAC L2 802.1x.
Q. What is the port number for EAPoUDP?
A. EAPoUDP uses UDP port 21862.
Q. What is EAP-FAST?
A.
Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) is a TLS-based EAP method.
EAP-FAST uses symmetric key algorithms to achieve a tunneled authentication process. The tunnel establishment process relies on a Protected Access Credential (PAC) that can be provisioned and managed dynamically by EAP-FAST through the AAA server.
- Phase 1: Use PAC to mutually authenticate the client and server and establish a secure tunnel.
- Phase 2: Perform client authentication in the established tunnel.
- Optional Phase 0: Used infrequently to enable the client to be dynamically provisioned with a PAC.
Q. How is EAP-FAST different from PEAP?
A. PEAP provides various strengths, but requires digital certificates, and is not supported on every client device. Like PEAP, EAP-FAST is a tunneled protocol that supports a variety of authentication methods, but it does not require digital certificates and is designed to run on nearly every client device.
Q. Do I need a supplicant for NAC L2 IP?
A. No, NAC L2 IP uses EAP over UDP to perform posture checking similar to that of NAC L3 IP.
Q. What is NAC L2 802.1x?
A. This NAC enabled 802.1x deployment method allows user identity, machine identity, and posture validation to be gathered in the 802.1x access control conversation. NAC L2 802.1x uses the EAP-FAST method to exchange this information between the client and server.
Q. Does the current Windows XP supplicant from Microsoft support NAC?
A. No. NAC L2 802.1x uses EAP-FAST as the EAP method. It has been modified to carry user and machine credentials in a TLS tunnel while also providing posture checking through CTA. The MS Windows 802.1x supplicant does not support EAP-FAST and provides no support for posture validation. You can use the MS supplicant to perform user authentication and NAC L2 IP as a supplemental method to provide posture validation if you cannot use a NAC-enabled supplicant.
Q. What is GAME?
A. Generic Authorization Message Exchange. The protocol used for communication between ACS and a partner audit server over an HTTPS session, extending Security Assertion Markup Language (SAML).