Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 1 Introduction
Managing Users
The Clean Access Manager makes it easy to apply existing authentication mechanisms to users on the
network (Figure 1-4). You can customize user roles to group together and define traffic policies,
bandwidth restrictions, session duration, client posture assessment, and other policies within Cisco NAC
Appliance for particular groups of users. You can then use role-mapping to map users to these policies
based on VLAN ID or attributes passed from external authentication sources.
When the Clean Access Server receives an HTTP request from the untrusted network, it checks whether
the request comes from an authenticated user. If not, a customizable secure web login page is presented
to the user. The user submits his or her credentials securely through the web login page, and the credentials
are then checked either by the CAM itself (local users, intended for testing) or by an external authentication
server, such as LDAP, RADIUS, Kerberos, or Windows NT. If you distribute the Agent, users download and
install it after the initial web login and then use the Agent for subsequent logins and posture assessment.
Figure 1-4 Authentication Path
You can configure and impose posture assessment and remediation on authenticated users by configuring
requirements for the Agent and/or network port scanning.
Note The Cisco NAC Web Agent performs posture assessment, but does not provide a medium for
remediation. The user must manually fix/update the client machine and “Re-Scan” to fulfill posture
assessment requirements with the Web Agent.
With IP-based, host-based, and (for Virtual Gateway deployments) Layer 2 Ethernet traffic policies, you
can control network access for users before authentication, during posture assessment, and after a user
device is certified as “clean.”
Note Layer 2 Ethernet traffic control only applies to Clean Access Servers operating in Virtual Gateway mode.
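The following is an added example, not Cisco code and not the CAM's actual policy syntax or API. It models the decision path described in the two passages above: an unauthenticated HTTP request is redirected to the web login, credentials are checked against a local user list or a stand-in external directory, the user is mapped to a role first by VLAN ID and then by a directory attribute, and the role's traffic policy is evaluated separately before login, during posture assessment, and after the device is certified clean. All role names, attribute names, addresses, user entries and the rule format are constructed assumptions for illustration.

```python
"""Added example (not Cisco's code): toy model of the Clean Access Server
authentication path, role mapping and per-state traffic policy. Every name,
address, attribute and user entry below is a constructed assumption."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Optional


class State(Enum):
    UNAUTHENTICATED = "unauthenticated"
    POSTURE = "posture_assessment"   # logged in, Agent requirements not yet met
    CLEAN = "certified_clean"


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    network: str           # destination CIDR
    port: Optional[int]    # None matches any destination port


# Constructed roles: a first-match rule list per session state. Anything that
# matches no rule is denied, so each state is locked down by default.
ROLE_POLICIES = {
    "Unauthenticated": {
        State.UNAUTHENTICATED: [Rule("allow", "10.0.0.5/32", 53),      # DNS
                                Rule("allow", "10.0.0.10/32", 443)],   # login portal
    },
    "Employee": {
        State.POSTURE: [Rule("allow", "10.0.5.0/24", None)],           # remediation servers only
        State.CLEAN: [Rule("deny", "10.0.9.0/24", None), Rule("allow", "0.0.0.0/0", None)],
    },
    "Guest": {
        State.POSTURE: [Rule("allow", "10.0.5.0/24", None)],
        State.CLEAN: [Rule("deny", "10.0.0.0/8", None), Rule("allow", "0.0.0.0/0", None)],
    },
}

# Constructed role mapping: VLAN rules are tried first, then attribute rules;
# the first match wins and the fallback role is Guest.
VLAN_ROLE_MAP = {200: "Employee"}
ATTRIBUTE_ROLE_MAP = [("memberOf", "cn=staff,ou=groups,dc=example,dc=com", "Employee")]

# Constructed authentication sources: CAM local users (testing only) and a
# stand-in for an external directory that also returns user attributes.
LOCAL_USERS = {"klane": "local-pass"}
EXTERNAL_DIRECTORY = {
    "jsmits": ("s3cret", {"memberOf": "cn=staff,ou=groups,dc=example,dc=com"}),
    "jamir": ("pw", {"memberOf": "cn=contractors,ou=groups,dc=example,dc=com"}),
}


def authenticate(username, password):
    """Return the user's attributes on success (empty for local users), None on failure."""
    if password is not None and LOCAL_USERS.get(username) == password:
        return {}
    entry = EXTERNAL_DIRECTORY.get(username)
    if entry and entry[0] == password:
        return entry[1]
    return None


def map_role(vlan_id, attributes):
    """VLAN-based mapping first, then attribute-based mapping, then the default role."""
    if vlan_id in VLAN_ROLE_MAP:
        return VLAN_ROLE_MAP[vlan_id]
    for attr, value, role in ATTRIBUTE_ROLE_MAP:
        if attributes.get(attr) == value:
            return role
    return "Guest"


def traffic_allowed(role, state, dst_ip, dst_port):
    """First-match evaluation of the role's rules for this state; default deny."""
    for rule in ROLE_POLICIES.get(role, {}).get(state, []):
        if ip_address(dst_ip) in ip_network(rule.network) and rule.port in (None, dst_port):
            return rule.action == "allow"
    return False


class CleanAccessServer:
    def __init__(self):
        self.sessions = {}   # client IP -> (username, role, state)

    def handle_http(self, client_ip):
        """Unauthenticated clients are sent to the login page; others pass through."""
        return "pass" if client_ip in self.sessions else "redirect:login"

    def web_login(self, client_ip, username, password, vlan_id):
        """Authenticate, map the role, and open a session in the posture-assessment state."""
        attrs = authenticate(username, password)
        if attrs is None:
            return None
        role = map_role(vlan_id, attrs)
        self.sessions[client_ip] = (username, role, State.POSTURE)
        return role

    def posture_result(self, client_ip, passed):
        """A passing Agent scan certifies the device clean; a failing one keeps it in posture."""
        user, role, _ = self.sessions[client_ip]
        self.sessions[client_ip] = (user, role, State.CLEAN if passed else State.POSTURE)

    def allowed(self, client_ip, dst_ip, dst_port):
        """Apply the traffic policy for the client's current role and state."""
        if client_ip not in self.sessions:
            return traffic_allowed("Unauthenticated", State.UNAUTHENTICATED, dst_ip, dst_port)
        _, role, state = self.sessions[client_ip]
        return traffic_allowed(role, state, dst_ip, dst_port)
```

The point worth noticing is that the role is fixed at login while the rule set that applies changes with the session state, so a device that never passes posture assessment stays confined to the remediation network even though its user authenticated successfully.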
Figure 1-4 (image not reproduced) shows the authentication path: the untrusted network attaches to the Clean Access Server on eth0 and the trusted network on eth1 through a switch; a user (jsmits) submits a username and password through the web login, and the Clean Access Manager checks the credentials against its local users (jjacobi, jrahim, klane) or against external authentication sources such as LDAP or Kerberos (external users jamir, jdornan, jsmits).