NAC Environment

The following figure shows all of the elements in a NAC Environment.

Note:

Beginning in Intel AMT Release 9.0 NAC is no longer supported.

Posture Validation occurs when an endpoint device requests access to a network. Through a Layer 2 transport, a Cisco Network Access Device (NAD) (Access Point or switch) retrieves posture credentials from the client device.

How the endpoint device is admitted into the network is then based on the level of compliance with existing network policy rules. These posture credentials are typically based on the state of the device operating system as well as applications such as Anti-Virus, Intrusion Detection System and Firewall. For example, this enables customers to implement an Anti-Virus policy such as “Restricted access unless the AV application from vendor XXX, version YYY is enabled using the latest scan engine version and signature file version.”

The decision is made by an Authentication, Authorization and Accounting (AAA) server. For each component of the posture, the AAA server does one of the following, depending on its configuration:

   The AAA server performs local posture validation of the posture credentials.

   The AAA server relays the credentials to a Posture Validation Server (PVS), which performs the validation and returns an Application Posture Token (APT) containing the status of the component it has validated.

The AAA server collects the status of all the components and decides on the network access for the endpoint, expressed as a System Posture Token (SPT).
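The following is an added illustration of the AAA decision described above; it is example code, not part of the Intel AMT SDK. It models one component validated locally against an Anti-Virus policy like the one quoted earlier and one component relayed to a PVS stub, then derives the SPT. The token names and the rule that the most restrictive APT determines the SPT follow Cisco NAC conventions; the policy values, component names and the PVS stub are constructed for this example.

```python
from enum import IntEnum
from typing import Callable, Dict, Tuple


class Token(IntEnum):
    """Posture tokens ordered from least to most restrictive."""
    HEALTHY = 0
    CHECKUP = 1
    TRANSITION = 2
    QUARANTINE = 3
    INFECTED = 4
    UNKNOWN = 5


# Local AV policy (constructed): required vendor, minimum application
# version, and the scan engine / signature file versions considered current.
AV_POLICY = {"vendor": "ExampleAV", "min_app_version": 5,
             "engine_version": 12, "signature_version": 2041}


def validate_av_locally(cred: Dict) -> Token:
    """AAA validates an Anti-Virus posture credential against AV_POLICY."""
    if cred.get("vendor") != AV_POLICY["vendor"] or not cred.get("enabled"):
        return Token.QUARANTINE
    if cred.get("app_version", 0) < AV_POLICY["min_app_version"]:
        return Token.QUARANTINE
    if (cred.get("engine_version") != AV_POLICY["engine_version"]
            or cred.get("signature_version") != AV_POLICY["signature_version"]):
        return Token.CHECKUP  # AV is running, but its definitions are stale
    return Token.HEALTHY


def pvs_stub(cred: Dict) -> Token:
    """Stand-in for a Posture Validation Server (constructed): the AAA relays
    the credential and receives an APT for that component."""
    return Token.HEALTHY if cred.get("running") else Token.QUARANTINE


# AAA configuration: which validator handles each posture component.
VALIDATORS: Dict[str, Callable[[Dict], Token]] = {
    "antivirus": validate_av_locally,  # validated locally by the AAA
    "firewall": pvs_stub,              # relayed to the PVS
}


def decide_access(posture: Dict[str, Dict]) -> Tuple[Token, Dict[str, Token]]:
    """Collect one APT per component and derive the endpoint's SPT."""
    apts: Dict[str, Token] = {}
    for name, validator in VALIDATORS.items():
        cred = posture.get(name)
        apts[name] = validator(cred) if cred is not None else Token.UNKNOWN
    spt = max(apts.values(), default=Token.UNKNOWN)  # most restrictive APT wins
    return spt, apts
```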

The following figure shows the Intel AMT context in passive mode.

1.  The Intel AMT device generates the posture in response to a periodic posture request from the User Notification Service (UNS).

2.  The UNS stores the posture locally.

3.  The Cisco Trusted Agent (CTA), the posture agent, requests a posture periodically from the Intel-supplied posture plug-in (PP). The PP retrieves the last saved posture and returns it to the CTA.

4.  The CTA sends the posture to the ACS whenever it detects a change in the posture, when a time interval has expired, or when the ACS requests a posture update.

5.  The ACS checks the posture and also sends it to the PVS for validation.

See Also:

   Configuring the User Notification Service

Copyright © 2006-2013, Intel Corporation. All rights reserved.