This document provides a high-level overview of a network access control (NAC) system as a single big-picture diagram. It shows various devices, including switches, access points and client systems, connected to the network. It also depicts the NAC framework components: posture collectors on the client, the client broker and network access requestor, posture validators, the EAP server broker and network access authority, and the network enforcement points that grant or restrict access (for example by VLAN assignment, ACL / Filter-ID, captive portal or quarantine) based on device authentication and policy compliance checks.
2007lv Nac Big Pic[1] (Las Vegas 2007)

[Figure: "Introduction to NAC" big-picture diagram. Only the text labels survive extraction; the boxes, arrows and exact groupings do not. Labels below are arranged by the headings printed on the diagram.]

Client components: Posture Collectors; Client Broker & Network Access Requestor. Client types: Cisco NAC-Capable Client (Cisco CTA, Cisco CSA), TCG TNC-Capable Client, Microsoft NAP-Capable Client (Microsoft System Health Agent), 802.1X Clients without Posture Collectors (Windows, Unix, Mac; 802.1X/TLS) and Non 802.1X Clients reached through a Proxy Access Requestor (Axis Camera, HP Printer, Pingtel Phone, Network Attached Storage, Linksys, old switches and hubs). Collector/validator vendors named: Trend Micro, LANDesk, PatchLink, Wave Systems.

Policy components: Posture Validators (Cisco, Trend Micro, LANDesk, PatchLink, Wave Systems, Juniper, Microsoft, Extreme Sentriant); EAP Server Broker & Network Access Authority, with an EAP method printed beside each server: EAP-FAST / Cisco ACS, the method printed as "JEAP" / Juniper UAC, PEAP / Microsoft NPS, EAP-TTLS / OSC Radiator; directory and database backends LDAP, Active Directory and a user/device database. Great Bay Beacon supplies device behavior information for non-NAC clients (phones, printers, badge readers).

Enforcement components: Network Enforcement Point; Edge Enforcement by switches and APs with full framework capability doing VLAN assignment (Cisco, Enterasys, Extreme, HP, Trapeze), authentication by 802.1X, enforcement by VLANs, ACL / Filter ID and QOS; Non-Edge Enforcement (Cisco CCA, Juniper UAC, Juniper ScreenOS firewall, Extreme Sentriant, Captive Portals, Lockdown); also Cross-VLAN Firewall, Packet Filters and Quarantine.

Network zones: internal, Production, Contractor, Guest, Quarantine, Data center, Internet.

Monitoring: Gigamon net monitor, Port Monitor, WildPackets analyzer, Spectrum, Sentriant NG, IDP sensor, DHCP info.

Other labels as printed, grouping not recoverable: RADIUS, router, Q1, Ignition, Engines, HP AG.
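The diagram names the roles but not how a decision travels between them. The following is an added illustration, not code from the slide or from any vendor shown on it: a toy Network Access Authority that takes what the EAP server, the user/device database and the posture validators report, and emits the RADIUS attributes an edge switch or AP would use for VLAN assignment and ACL / Filter-ID enforcement. The RADIUS attribute numbers and values (Tunnel-Type 64 = VLAN 13, Tunnel-Medium-Type 65 = 802 6, Tunnel-Private-Group-ID 81, Filter-Id 11) are the real ones from RFC 2865/2868 as used by RFC 3580; the VLAN numbers, posture thresholds, ACL names, MAC addresses and identities are constructed assumptions for the example.

```python
"""Toy NAC decision flow: collector -> validator -> access authority -> enforcement.
Added example; policy values are hypothetical, RADIUS attribute numbers are standard."""
from dataclasses import dataclass, field
from typing import List, Optional

# RADIUS attribute numbers (RFC 2865 / RFC 2868), used for 802.1X VLAN assignment (RFC 3580).
FILTER_ID = 11
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type value meaning "802" (Ethernet)

# Hypothetical VLAN plan mirroring the zones labelled on the diagram.
VLANS = {"production": 10, "contractor": 20, "guest": 30, "quarantine": 99}


@dataclass
class Posture:
    """What a posture collector on the client reports to the posture validators."""
    av_signature_age_days: int
    patches_current: bool
    firewall_enabled: bool


@dataclass
class AccessRequest:
    """One access request as seen by the Network Access Authority."""
    mac: str
    identity: Optional[str]        # None when the device does no 802.1X at all
    eap_success: bool              # verdict from the EAP server broker
    role: str                      # from the user/device database: employee/contractor/guest
    posture: Optional[Posture]     # None for 802.1X clients without posture collectors


@dataclass
class Decision:
    """Access-Accept with enforcement attributes, or Access-Reject."""
    accept: bool
    vlan: Optional[int] = None
    attributes: dict = field(default_factory=dict)   # RADIUS attribute number -> value
    reason: str = ""


def validate_posture(p: Posture) -> List[str]:
    """Posture validator: names of failed checks; an empty list means compliant."""
    failures = []
    if p.av_signature_age_days > 7:        # hypothetical threshold
        failures.append("stale-av")
    if not p.patches_current:
        failures.append("missing-patches")
    if not p.firewall_enabled:
        failures.append("firewall-off")
    return failures


def vlan_attributes(vlan: int, filter_id: Optional[str] = None) -> dict:
    """RFC 3580 attributes telling the switch/AP which VLAN to assign, plus an optional ACL name."""
    attrs = {TUNNEL_TYPE: TUNNEL_TYPE_VLAN,
             TUNNEL_MEDIUM_TYPE: TUNNEL_MEDIUM_802,
             TUNNEL_PRIVATE_GROUP_ID: str(vlan)}
    if filter_id:
        attrs[FILTER_ID] = filter_id
    return attrs


def network_access_authority(req: AccessRequest, known_devices: set) -> Decision:
    """Combine authentication result, role and posture into an enforcement decision."""
    if req.identity is None:
        # Non-802.1X client (printer, phone, camera): MAC-identified, no posture possible,
        # so a known device gets production behind a narrow ACL; unknown goes to a captive portal.
        if req.mac in known_devices:
            return Decision(True, VLANS["production"],
                            vlan_attributes(VLANS["production"], "known-device-acl"), "mac-known-device")
        return Decision(True, VLANS["guest"],
                        vlan_attributes(VLANS["guest"], "captive-portal"), "unknown-device")
    if not req.eap_success:
        return Decision(False, reason="eap-authentication-failed")
    if req.role == "guest":
        return Decision(True, VLANS["guest"], vlan_attributes(VLANS["guest"], "internet-only"), "guest")
    if req.posture is None:
        # Authenticated but compliance unknown: do not hand out the production VLAN.
        return Decision(True, VLANS["contractor"],
                        vlan_attributes(VLANS["contractor"], "no-posture-acl"), "authenticated-no-posture")
    failures = validate_posture(req.posture)
    if failures:
        return Decision(True, VLANS["quarantine"],
                        vlan_attributes(VLANS["quarantine"], "remediation-only"),
                        "quarantine:" + ",".join(failures))
    zone = "contractor" if req.role == "contractor" else "production"
    return Decision(True, VLANS[zone], vlan_attributes(VLANS[zone]), "compliant-" + req.role)


# Constructed sample input: one request per client type shown on the diagram.
KNOWN_DEVICES = {"00:40:8c:aa:bb:cc"}          # e.g. an inventoried camera
SAMPLE_REQUESTS = [
    AccessRequest("00:11:22:33:44:55", "alice@corp.example", True, "employee", Posture(2, True, True)),
    AccessRequest("00:11:22:33:44:66", "bob@corp.example", True, "employee", Posture(30, False, True)),
    AccessRequest("00:11:22:33:44:77", "eve@corp.example", False, "employee", None),
    AccessRequest("00:11:22:33:44:88", "mallory@vendor.example", True, "contractor", None),
    AccessRequest("00:40:8c:aa:bb:cc", None, False, "device", None),
    AccessRequest("00:de:ad:be:ef:00", None, False, "device", None),
]


def run_demo() -> dict:
    """Decide every sample request; returns {mac: Decision}."""
    return {r.mac: network_access_authority(r, KNOWN_DEVICES) for r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for mac, d in run_demo().items():
        print(mac, "ACCEPT" if d.accept else "REJECT", d.vlan, d.attributes, d.reason)
```

The point of the split is the one the diagram makes: validators only say what failed, the authority turns that into a zone, and the enforcement point never sees posture data at all, only the VLAN and Filter-Id attributes. A device that cannot speak 802.1X is placed by MAC and fenced with an ACL rather than trusted, which is the realistic failure mode for the printers, phones and cameras the slide lists.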