How to speak NAC?

NetworkGroover · May 01, 2015, 12:48:11 PM

Hey guys,

Just curious how a NAC solution actually speaks to a switch for quarantining & remediation, etc.? I saw mention in Cisco documentation of leveraging SNMP, but honestly I'm too lazy to go digging through a bunch of data sheets to find one piece of simple information I can get from someone who actually works with it.

So is it SNMP or is there some proprietary sauce involved? A little of both? Like, could you have a Cisco NAC appliance do quarantine & remediation with Juniper, Brocade, etc. switches? I understand what happens at a high level, but looking for "devil's in the details" type stuff.

If there's a to-the-point blog/article somewhere that goes over this in detail, you can point me that way too to save some typing. Thanks.

deanwebb · May 01, 2015, 03:43:48 PM

Cisco ISE will use SNMP read for devices connecting/disconnecting and use RADIUS commands for the 802.1X assignments. These protocols are pretty standard stuff.

ForeScout CounterACT will use SNMP read and write as well as leverage various vendors' CLI commands for its work. It will also do 802.1X.

Cisco keeps things pretty tight with the SNMP and 802.1X standards, while ForeScout makes appeals to multi-vendor environments with abilities to talk to those specific vendors' switches and WLCs. However, the SNMP and 802.1X are fairly widely used, so ISE can talk to other vendors' gear, as well.

There can be issues between the commands sent by a NAC system and the receiving switch's ability to interpret them, so be sure that all the switches are at least on the minimal code level to support the NAC system and, more likely, up to a fairly recent code version for best results with NAC.

NetworkGroover · May 04, 2015, 09:54:45 AM

Quote from: deanwebb on May 01, 2015, 03:43:48 PM
Cisco ISE will use SNMP read for devices connecting/disconnecting and use RADIUS commands for the 802.1X assignments. These protocols are pretty standard stuff.

ForeScout CounterACT will use SNMP read and write as well as leverage various vendors' CLI commands for its work. It will also do 802.1X.

Cisco keeps things pretty tight with the SNMP and 802.1X standards, while ForeScout makes appeals to multi-vendor environments with abilities to talk to those specific vendors' switches and WLCs. However, the SNMP and 802.1X are fairly widely used, so ISE can talk to other vendors' gear, as well.

There can be issues between the commands sent by a NAC system and the receiving switch's ability to interpret them, so be sure that all the switches are at least on the minimal code level to support the NAC system and, more likely, up to a fairly recent code version for best results with NAC.

Heh, so it sounds like the answer is testing is needed to confirm.

deanwebb · May 04, 2015, 11:02:36 AM

True.

We just had an incident with ForeScout when all the wireless phones were moved from one VLAN to another. On the first VLAN, they all had one OS Fingerprint. On the new VLAN, they had a totally different OS Fingerprint... Same WLC, just a different SSID.

How to speak NAC?

NetworkGroover

deanwebb

NetworkGroover

deanwebb