Specifications
1-2
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 1 Introduction
Other key features of Cisco NAC Appliance include:
• Standards-based architecture—Uses HTTP, HTTPS, XML, and Java Management Extensions (JMX).
• User authentication—Integrates with existing backend authentication servers, including Kerberos, LDAP, RADIUS, and Windows NT domain.
• VPN concentrator integration—Integrates with Cisco VPN concentrators (e.g., VPN 3000, ASA) and provides Single Sign-On (SSO).
• Active Directory SSO—Integrates with Active Directory on Windows Servers to provide Single Sign-On for Cisco NAC Agent users logging into Windows systems. (Cisco NAC Web Agent does not support SSO.)
• Cisco NAC Appliance compliance policies—Allows you to configure client posture assessment and remediation via use of Agent.
The Cisco NAC Web Agent performs posture assessment, but does not provide a medium for remediation. The user must manually fix/update the client machine and “Re-Scan” to fulfill posture assessment requirements with the Web Agent.
The Cisco NAC Agent does not support Nessus-based network scanning.
• Layer 2 or Layer 3 deployment options—The Clean Access Server can be deployed within L2 proximity of users, or multiple hops away from users. You can use a single CAS for both L3 and L2 users.
• In-Band (IB) or Out-of-Band (OOB) deployment options—Cisco NAC Appliance can be deployed in-line with user traffic, or Out-of-Band to allow clients to traverse the network only during posture assessment and remediation while bypassing it after certification (posture assessment).
• Traffic filtering policies—Role-based IP and host-based policies provide fine-grained and flexible control for In-Band network traffic.
• Bandwidth management controls—Limit bandwidth for downloads or uploads.
• High availability—Active/Passive failover (requiring two servers) ensures services continue if an unexpected shutdown occurs. You can configure pairs of Clean Access Manager (CAM) machines and/or CAS machines in high-availability mode.
Note Cisco NAC network modules installed in Cisco Integrated Services Routers (ISRs) do not support high availability.
FIPS Compliance in the Cisco NAC Appliance Network
Cisco NAC Appliance Release 4.7(0), 4.8, and 4.9 support Federal Information Processing Standard (FIPS) 140-2 Common Criteria EAL2 compliance for new installations on new Cisco NAC-3315, NAC-3355, and NAC-3395 hardware appliance platforms and Cisco NAC-3310, NAC-3350, and NAC-3390 platforms in which you have installed a field-replaceable FIPS card as described in the Cisco NAC Appliance FIPS Field-Replaceable Unit Installation Guide. In order to provide FIPS compliance in your Cisco NAC Appliance network, both CAM(s) and CAS(s) must use the new hardware platforms and be FIPS compliant.
To enable FIPS 140-2 compliance in Cisco NAC Appliance, the CAMs/CASs must have an encryption card installed that handles the primary FIPS “level 2” compliance functions and manages private keys for the system. To also enhance network security and adhere to FIPS 140-2 compliance, Cisco NAC