How to speak NAC?

Started by NetworkGroover, May 01, 2015, 12:48:11 PM


NetworkGroover

Hey guys,

Just curious how a NAC solution actually speaks to a switch for quarantining & remediation, etc.?  I saw mention in Cisco documentation of leveraging SNMP, but honestly I'm too lazy to go digging through a bunch of data sheets to find one piece of simple information I can get from someone who actually works with it.

So is it SNMP or is there some proprietary sauce involved?  A little of both?  Like, could you have a Cisco NAC appliance do quarantine & remediation with Juniper, Brocade, etc. switches?  I understand what happens at a high level, but looking for "devil's in the details" type stuff.

If there's a to-the-point blog/article somewhere that goes over this in detail, you can point me that way too to save some typing.  Thanks.
Engineer by day, DJ by night, family first always

deanwebb

Cisco ISE will use SNMP read for devices connecting/disconnecting and use RADIUS commands for the 802.1X assignments. These protocols are pretty standard stuff.

ForeScout CounterACT will use SNMP read and write as well as leverage various vendors' CLI commands for its work. It will also do 802.1X.

Cisco keeps things pretty tight with the SNMP and 802.1X standards, while ForeScout makes appeals to multi-vendor environments with abilities to talk to those specific vendors' switches and WLCs. However, the SNMP and 802.1X are fairly widely used, so ISE can talk to other vendors' gear, as well.

There can be issues between the commands sent by a NAC system and the receiving switch's ability to interpret them, so be sure that all the switches are at least on the minimal code level to support the NAC system and, more likely, up to a fairly recent code version for best results with NAC.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
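To make the "RADIUS commands for the 802.1X assignments" concrete: an added example, not from this thread and not Cisco ISE or ForeScout code. It builds the three RFC 2868 tunnel attributes a NAC server returns in an Access-Accept to put a port in a VLAN, builds an RFC 5176 CoA-Request that moves an already-authenticated session to a quarantine VLAN, and shows the switch-side check (recomputing the authenticator over the shared secret) that decides whether such a command is accepted. Attribute numbers and authenticator formulas are from RFC 2865/2868/5176; the shared secret, MAC address and VLAN numbers are constructed placeholders.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865, RFC 5176)
ACCESS_ACCEPT, COA_REQUEST = 2, 43
# Attribute types (RFC 2865, RFC 2868)
CALLING_STATION_ID = 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6   # "VLAN" and "IEEE 802"


def attr(atype, value):
    """Encode one attribute: Type(1) Length(1, includes header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vlan_attrs(vlan_id, tag=1):
    """The tunnel attribute triple that tells a switch which VLAN to apply.
    Tagged integer attributes carry a 1-byte tag followed by a 3-byte value."""
    return (attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def access_accept(ident, request_auth, secret, vlan_id):
    """NAC-side reply to an Access-Request: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = vlan_attrs(vlan_id)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def coa_request(ident, secret, mac, vlan_id):
    """NAC-side CoA-Request (e.g. move a session to a quarantine VLAN):
    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    Calling-Station-Id identifies which session the switch should change."""
    attrs = attr(CALLING_STATION_ID, mac.encode()) + vlan_attrs(vlan_id)
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    req_auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + req_auth + attrs


def verify_authenticator(packet, prior_auth, secret):
    """Switch-side check. For a reply, prior_auth is the authenticator of the
    Access-Request it answers; for a CoA/Disconnect-Request it is 16 zero octets.
    A packet whose authenticator does not verify must be silently discarded."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + prior_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(body):
    """Split the attribute area into (type, value) pairs, rejecting malformed lengths."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute length")
        out.append((atype, body[i + 2:i + alen]))
        i += alen
    return out


def assigned_vlan(packet):
    """Return the VLAN ID a switch would apply from the tunnel attributes, or None
    if the triple is incomplete or not a VLAN assignment."""
    tunnel_type = medium = group = None
    for atype, value in parse_attrs(packet[20:]):
        if atype == TUNNEL_TYPE and len(value) == 4:
            tunnel_type = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            medium = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a leading byte <= 0x1F is a tag, otherwise it is part of the string
            group = value[1:] if value[0] <= 0x1F else value
    if tunnel_type == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_802 and group:
        return int(group.decode())
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # constructed placeholder
    request_auth = bytes(range(16))               # constructed Access-Request authenticator
    accept = access_accept(7, request_auth, secret, 200)
    print("Access-Accept assigns VLAN", assigned_vlan(accept),
          "verified:", verify_authenticator(accept, request_auth, secret))
    coa = coa_request(8, secret, "00-11-22-33-44-55", 999)   # constructed MAC / quarantine VLAN
    print("CoA moves session to VLAN", assigned_vlan(coa),
          "verified:", verify_authenticator(coa, bytes(16), secret))
```

The verification step is the interesting part for the "minimal code level" caveat above: a switch that mis-parses an attribute or mishandles the tag byte will either ignore the assignment or drop the CoA, and the NAC console typically reports only that the change did not take effect. Comparing what the server sent against what the switch logs (both sides of the exchange) is the quickest way to localise that kind of interop problem.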

NetworkGroover

Quote from: deanwebb on May 01, 2015, 03:43:48 PM
Cisco ISE will use SNMP read for devices connecting/disconnecting and use RADIUS commands for the 802.1X assignments. These protocols are pretty standard stuff.

ForeScout CounterACT will use SNMP read and write as well as leverage various vendors' CLI commands for its work. It will also do 802.1X.

Cisco keeps things pretty tight with the SNMP and 802.1X standards, while ForeScout makes appeals to multi-vendor environments with abilities to talk to those specific vendors' switches and WLCs. However, the SNMP and 802.1X are fairly widely used, so ISE can talk to other vendors' gear, as well.

There can be issues between the commands sent by a NAC system and the receiving switch's ability to interpret them, so be sure that all the switches are at least on the minimal code level to support the NAC system and, more likely, up to a fairly recent code version for best results with NAC.

Heh, so it sounds like the answer is that testing is needed to confirm.

deanwebb

True.

We just had an incident with ForeScout when all the wireless phones were moved from one VLAN to another. On the first VLAN, they all had one OS Fingerprint. On the new VLAN, they had a totally different OS Fingerprint... Same WLC, just a different SSID.