Network Admission Control

Many of the threats that impair networks are caused by users who access the network with devices that have system vulnerabilities or outdated security precautions. Enforcing security policies at the point of network login is a way to ensure that these devices do not compromise network security, regardless of their origin, type, or ownership.

Cisco Network Admission Control (NAC) is a solution that uses the network infrastructure to enforce security policies on all devices seeking to access network computing resources.
NAC minimizes the risks associated with noncompliant devices, resulting in more resilient and secure networks.
In addition, NAC has the ability to perform user authentication at the network level, so that only those with proper user credentials are permitted access to the network.


Basic components


Policy enforcement is more than scanning incoming devices for active infections. It is a way for companies to uniformly apply requirements to users and devices without impairing productivity.
Effective policy enforcement must:
  • Identify and authenticate: Uniquely identify users and devices and create an association between them.
  • Scan and enforce postures: Assess and enforce a consistent policy across the entire network.
  • Quarantine and remediate: Act on posture assessment results to isolate devices and bring them into compliance.
  • Manage and configure: Easily create comprehensive, specific policies that map quickly to user groups and roles.


Cisco® NAC Appliance, formerly known as Cisco Clean Access, is a self-contained policy enforcement product that allows network administrators to authenticate, authorise, evaluate, and remediate wired, wireless, and remote users and their machines before those users are allowed onto the network. It identifies whether machines are compliant with security policies and remediates noncompliant machines before permitting access to the network.

The Cisco NAC solution relies on three main components:
  • Clean Access Server: a device that enforces assessment and access privileges based on endpoint compliance.
  • Clean Access Manager: a centralised, web-based console for establishing roles, checks, rules, and policies.
  • Clean Access Agent (optional): a thin, read-only agent that enhances vulnerability assessment functions and streamlines remediation.


Key advantages


Cisco NAC Appliance is the most deployed solution on the market today, with more than 600 customers spanning large and small organisations. Unlike many other solutions, which require different products for different scenarios, a single NAC Appliance deployment applies to every type of case—whenever policy compliance is needed for LAN, remote access/VPN, wireless, branch office, or extranet users.

Cisco NAC Appliance is more than a proactive tool for increasing network security:
  • Protects business interests by securing infrastructure, sensitive corporate information and intellectual property within the company. IT departments will be able to mitigate confidentiality-related threats caused by disappearing security boundaries, unauthorised access and internal attacks.
  • Safeguards the organisation’s credibility, brand name and public image by preventing malicious activities and attacks from crippling the network.
  • Improves employee productivity by reducing and eliminating vulnerability-based exploits and attacks. With this control, customers can prevent large-scale infrastructure disruptions, productivity losses and direct financial losses.
  • Helps organisations adhere to privacy protection and regulatory compliance requirements, such as Sarbanes-Oxley and HIPAA. Organisations that cannot meet the legal requirements of compliance legislation risk their relationships with end customers and regulatory authorities.


Cisco NAC Appliance Features

Authentication Integration with Single Sign-On


Cisco NAC Appliance serves as an authentication proxy for most forms of authentication, natively integrating with Kerberos, Lightweight Directory Access Protocol (LDAP), RADIUS, Active Directory, S/Ident and others. To minimize the inconvenience to end users, NAC Appliance supports single sign-on for VPN clients, wireless clients and Windows Active Directory domains. Administrators can maintain multiple user profiles with different permission levels through the use of role-based access control.

Vulnerability Assessment


Cisco NAC Appliance supports scanning of all Windows-based operating systems, Mac OS, Linux machines and non-PC networked devices such as game consoles, personal digital assistants, printers, and IP phones. It conducts network-based scans or can use custom-built scans as required. Cisco NAC Appliance can check for the presence or state of any application, as identified by registry key settings, running services or system files.

Device Quarantine


Cisco NAC Appliance can place noncompliant machines into quarantine, preventing the spread of infection while maintaining access to remediation resources. Quarantine can be accomplished by using subnets as small as /30 (one quarantined host per subnet) or by using a dedicated quarantine VLAN.
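The assessment and quarantine decisions described in the last two sections follow one flow: map the authenticated user to a role, evaluate that role's posture requirements (registry keys, running services, file versions) against what the endpoint reports, and place the endpoint either in its role's network or in quarantine with a list of remediation steps. The following is an added illustration of that flow written for this page; it is not Cisco NAC Appliance code, and every registry key value, file path, version string, group name and VLAN number in it is a constructed sample (the AV definition path `C:\ProgramData\ExampleAV\defs.dat` is hypothetical).

```python
"""Toy posture-policy evaluator: an added illustration of the
assess -> quarantine -> remediate flow, not Cisco NAC Appliance code.
All keys, paths, versions, groups and VLAN numbers are constructed samples."""
from dataclasses import dataclass, field
from typing import Optional


def version_tuple(v: str) -> tuple:
    """'2024.3.1' -> (2024, 3, 1) so definition versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Endpoint:
    """What an agent or network scan would report about one machine."""
    user: str
    os: str
    registry: dict = field(default_factory=dict)   # key -> value
    services: set = field(default_factory=set)     # running service names
    files: dict = field(default_factory=dict)      # path -> version string


@dataclass
class Check:
    kind: str                          # "registry" | "service" | "file"
    target: str                        # registry key, service name or file path
    value: Optional[str] = None        # registry: required value (None = key must exist)
    min_version: Optional[str] = None  # file: required minimum version


@dataclass
class Requirement:
    name: str
    applies_to: frozenset   # OS names the requirement applies to
    checks: list            # every check must pass
    remediation: str        # instruction shown to a quarantined user


def check_passes(ep: Endpoint, c: Check) -> bool:
    if c.kind == "registry":
        v = ep.registry.get(c.target)
        return v is not None and (c.value is None or v == c.value)
    if c.kind == "service":
        return c.target in ep.services
    if c.kind == "file":
        v = ep.files.get(c.target)
        if v is None:
            return False
        return c.min_version is None or version_tuple(v) >= version_tuple(c.min_version)
    raise ValueError(f"unknown check kind: {c.kind}")


# Role mapping from directory group membership (first match wins); a user the
# authentication source cannot place in a listed group lands in "guest".
ROLE_MAP = [("Domain Admins", "admin"), ("Staff", "employee")]
ROLE_VLAN = {"admin": 10, "employee": 20, "guest": 200}
QUARANTINE_VLAN = 999

AV_DEFS = r"C:\ProgramData\ExampleAV\defs.dat"   # hypothetical AV definition file
AU_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\AUOptions"
WIN = frozenset({"Windows"})
POLICY = {
    "employee": [
        Requirement("AV definitions current", WIN,
                    [Check("file", AV_DEFS, min_version="2024.3.1")],
                    "Run an antivirus definition update from the remediation server"),
        Requirement("Host firewall running", WIN,
                    [Check("service", "MpsSvc")],
                    "Start the Windows Firewall service"),
        Requirement("Automatic updates enabled", WIN,
                    [Check("registry", AU_KEY, value="4")],
                    "Set Windows Update to install updates automatically"),
    ],
    "guest": [],   # Internet-only role: no posture requirements
}
POLICY["admin"] = POLICY["employee"]


def assign_role(groups: set) -> str:
    for group, role in ROLE_MAP:
        if group in groups:
            return role
    return "guest"


def assess(ep: Endpoint, groups: set) -> dict:
    """Decide role, compliance and the VLAN the session is placed in."""
    role = assign_role(groups)
    failed = [r for r in POLICY[role]
              if ep.os in r.applies_to
              and not all(check_passes(ep, c) for c in r.checks)]
    return {
        "role": role,
        "compliant": not failed,
        "vlan": ROLE_VLAN[role] if not failed else QUARANTINE_VLAN,
        "remediation": [(r.name, r.remediation) for r in failed],
    }


# Constructed sample endpoints.
COMPLIANT_PC = Endpoint("alice", "Windows", {AU_KEY: "4"}, {"MpsSvc", "wuauserv"}, {AV_DEFS: "2024.3.7"})
STALE_AV_PC = Endpoint("bob", "Windows", {AU_KEY: "4"}, {"MpsSvc"}, {AV_DEFS: "2024.1.5"})
MAC_LAPTOP = Endpoint("carol", "macOS")   # Windows-only requirements do not apply

if __name__ == "__main__":
    for ep, groups in ((COMPLIANT_PC, {"Staff"}), (STALE_AV_PC, {"Staff"}),
                       (MAC_LAPTOP, {"Staff"}), (Endpoint("dave", "Windows"), set())):
        print(ep.user, assess(ep, groups))
```

Two details worth noting: a requirement that does not apply to the endpoint's operating system is skipped rather than failed, so a Mac reporting no Windows registry keys is not quarantined by a Windows-only rule; and a user the directory cannot place in a known group still gets a role (here an Internet-only guest role) rather than falling through the policy.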

Automatic Security Policy Updates


Automatic security policy updates provided by Cisco as part of the standard software maintenance package deliver predefined policies for the most common network access criteria, including policies that check for critical operating system updates, common antivirus software virus definition updates, and common antispyware definition updates. This eases the management cost on network administrators, who can rely on Cisco NAC Appliance to constantly maintain updated policies.

Centralised Management


The web-based management console allows administrators to define the types of scans required for each role as well as the related remediation packages necessary for recovery. One management console can manage several servers.

Remediation and Repair


The quarantine capabilities of Cisco NAC Appliance give devices access to remediation servers that can provide operating system patches and updates, virus definition files or endpoint security solutions such as Cisco Security Agent. Administrators can enable self-remediation through the optional Cisco NAC Appliance Agent, auto-launch Windows Updates, or specify a series of web pages with remediation instructions.

Flexible Deployment Modes


Cisco NAC Appliance offers the broadest array of deployment modes to fit into every customer network. Customers can deploy the product as a virtual or real-IP gateway, at the edge or centrally, with Layer 2 or Layer 3 client access, and in-band or out-of-band with network traffic.

Why choose S&T?


S&T has an experienced and skilled team of professionals, each of whom has several years of experience building security infrastructures. S&T holds the Cisco Advanced Security Partner and Cisco Gold Partner qualifications and employs highly qualified Cisco experts (including Security CCIEs). S&T is able to maintain the required partnerships with otherwise competing vendors to ensure up-to-date and integrated support, which is critical to effectively deploy, manage and gain value from a NAC system in a heterogeneous environment.

Network Admission Control is not simply a technical tool that is deployed in your environment and then left alone. S&T also has the knowledge and experience to help you implement the necessary policy and process components, and to train and support your staff so that NAC is used effectively in your organisation.

Test us!


We are more than happy to implement a Proof-of-Concept installation on your premises. Within one week we will be able to demonstrate to you the key components and capabilities of our NAC solution. Previous Proof-of-Concept installations have also proved very helpful in identifying what value a NAC system could offer you.