Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 1 Introduction
Cisco NAC Appliance Components
Cisco NAC Appliance is a network-centric integrated solution administered from the Clean Access
Manager web console and enforced through the Clean Access Server and (optionally) the Agent. Cisco
NAC Appliance checks client systems, enforces network requirements, distributes patches and antivirus
software, and quarantines vulnerable or infected clients for remediation before clients access the
network. Cisco NAC Appliance consists of the following components (shown in Figure 1-1):
• Clean Access Manager (CAM)—Administration server for Cisco NAC Appliance deployment.
The secure web console of the Clean Access Manager is the single point of management for up to
20 Clean Access Servers in a deployment (or 40 CASs if installing a SuperCAM). For Out-of-Band
(OOB) deployment, the web admin console allows you to control switches and VLAN assignment
of user ports through the use of SNMP.
Note: The CAM web admin console supports Internet Explorer 6.0 or above only, and requires
high encryption (64-bit or 128-bit). High encryption is also required for client browsers for
web login and Agent authentication.
• Clean Access Server (CAS)—Enforcement server between the untrusted (managed) network and
the trusted network. The CAS enforces the policies you have defined in the CAM web admin
console, including network access privileges, authentication requirements, bandwidth restrictions,
and Cisco NAC Appliance system requirements.
You can install a CAS as either a stand-alone appliance (like the Cisco NAC-3300 series) or as a
network module (Cisco NME-NAC-K9) in a Cisco ISR chassis and deploy it In-Band (always inline
with user traffic) or Out-of-Band (inline with user traffic only during authentication/posture
assessment). The CAS can also be deployed in Layer 2 mode (users are L2-adjacent to CAS) or
Layer 3 mode (users are multiple L3 hops away from the CAS).
You can also deploy several CASs of varying size/capacity to fit the needs of varying network
segments. For example, you can install Cisco NAC-3300 series appliances in your company
headquarters core to handle thousands of users and simultaneously install one or more Cisco NAC
network modules in ISR platforms to accommodate smaller groups of users at a satellite office.
• Cisco NAC Appliance Agents—Optional read-only persistent or temporal Agents that reside on
client machines. Cisco NAC Appliance Agents check applications, files, services, or registry keys to
ensure that client machines meet your specified network and software requirements prior to gaining
access to the network.
Note: There is no client firewall restriction with client posture assessment via the Agent. The
Agent can check the client registry, services, and applications even if a personal firewall is
installed and running.
• Cisco NAC Appliance Updates—Regular updates of pre-packaged policies/rules that can be used
to check the up-to-date status of operating systems, antivirus (AV), antispyware (AS), and other
client software. Provides built-in support for AV vendors and AS vendors.