Cisco NAC Appliance hits on basic enforcement, but lags in advanced features

Cisco’s NAC Appliance 4.1 (formerly called Cisco Clean Access) provides basic NAC functionality like antivirus and patch status checks, but remains behind many of the other vendors in this space due to the inability to perform assessment checks beyond initial connection.

Cost: Pricing starts at $18,000 for Clean Access Server and Clean Access Manager.

We reviewed CCA 3.4 in 2005 and beyond increased coverage for the antivirus market and new support for Windows Update services, we can’t point to any significant enhancements in the endpoint assessment or reporting areas between the two versions. Cisco’s biggest changes occurred in the authorization/authentication arena with the addition of single sign-on with Active Directory and integration with its Cisco VPN Concentrator product. From an enforcement perspective, Cisco now includes the ability to launch a remediation program if an endpoint fails its integrity check. None of these additions are particularly innovative, but rather are features that exist across the set of products tested.

The product has two main components and agent software. The Clean Access Manager provides centralized management features, while the Clean Access Server (CAS) provides the distributed enforcement capabilities. You can have multiple CASs deployed across your network, all managed through the single platform, which is a fairly typical scalability standard across the field of NAC products tested.

For testing, we placed the appliance running CAS in-line between the access and distribution layers of the network, which is typical of the in-line products tested.

Many other LAN-deployment options are available, such as placing it in an -based network (see how that works in the NAC architecture test) or running it out-of-band, where it controls an access switch. Cisco NAC Appliance can also tap into Cisco’s VPN Concentrator to provide posture assessments and enforcement for remote-access users, which provides single sign-on for users. We verified this integration with only. Cisco also claims integration.

Guest access is provided through a captive-portal Web-logon process. When a user authenticates as a “guest,” that user is placed into the role defined for guests, which dictates what access guests have on the network.

Authentication is available through Active Directory, , , 802.1X or a local repository residing within the Cisco product itself. For testing, we configured integration with Active Directory. This setup was the most complex of the products tested, and we had to make changes to our Active Directory environment to enable DES encryption from AD’s standard RC4 encryption.

As with most NAC products, if authentication is unsuccessful a “failed” message appears; when it is successful, an endpoint assessment ensues.

Endpoints running Cisco’s Clean Access persistent agent software receive a pop-up window requiring them to provide authentication credentials. If the single sign-on feature is enabled, the user is not prompted to provide credentials. For guests, a captive portal is used for logging in and distributing Cisco’s dissolvable agent. The overall user experience is on par with the other products tested.

Cisco NAC Appliance supports an extensive list of antivirus products, ranging from Ahn Lab to Zone Labs, as well as Windows security patches. Integrated systems vulnerability assessments are provided via Nessus. Custom checks are available and are easy to define, but difficult to use. Cisco displays all available checks in one, long list, which is time-consuming to scroll through in order to find the specific one you want to apply.

Posture assessment is performed only when the client initially connects to the network. The Cisco Clean Access persistent agent is predeployed to endpoint systems by standard enterprise tools, while the dissolvable one is pushed out automatically upon authentication. The agent software gathers minimal information about each endpoint – user name, role as well as IP and MAC addresses. We did notice system-performance degradation while the persistent agent was doing its posture assessment. Even with just a single agent configured, CPU use spiked to greater than 90% for a brief period.

Enforcement and remediation are provided by limiting access or blocking it via firewall rules, changing a VLAN port in an out-of-band deployment or actively changing the VLAN tag on packets in an in-line deployment, launching a program (limited to local systems only), providing a URL link and integrating with Windows System Update Service to get missing Windows patches.

When a system failed the posture assessment in our testing, the Clean Access Agent displayed an alert with the message configured in accordance with our applicable policy rule. In that message the user clicked the button to open a link to download the missing software, Sophos AV in this instance. This overall process is very typical of the rest of the products tested.

Policies are created via a multistep process using a Web-based management interface. While this process allows for some flexibility, which would be necessary in an enterprise network – such as the ability to create different policy combinations for different endpoint populations – it’s one that takes a while to understand and leaves a lot of room for error. Individual checks are defined by an administrator for a specific item, such as Sophos AV running the latest version. Checks are then combined into a rule, such as one that says Sophos, McAfee and Symantec are all current for access. Rules are then mapped to a requirement, such as AV software must be running. You then assign requirements to a role, such as ensuring that all “guest” systems are running an AV program with current signatures, but you don’t care which one.
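To make the check / rule / requirement / role hierarchy described above concrete, here is an added Python model of that policy layering (illustration only, not Cisco’s code or API; every class, function and role name is an assumption, and the remediation URL and posture snapshots are constructed). It shows how an “all checks must pass” rule for an employee role and an “any supported AV” rule for a guest role evaluate the same endpoint differently, and how a failed requirement yields the remediation message the user is shown.

```python
"""Policy hierarchy: checks -> rules -> requirements -> roles.

Added illustration of the layering the review describes; the names are
assumptions, not Cisco NAC Appliance identifiers.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# A posture snapshot is what an agent reports about one endpoint.
Posture = Dict[str, object]


@dataclass(frozen=True)
class Check:
    """One atomic test of the endpoint, e.g. 'Sophos running with current signatures'."""
    name: str
    predicate: Callable[[Posture], bool]


@dataclass(frozen=True)
class Rule:
    """Checks combined with a boolean mode: 'all' must pass, or 'any' one suffices."""
    name: str
    checks: Tuple[Check, ...]
    mode: str = "all"

    def evaluate(self, posture: Posture) -> bool:
        results = [check.predicate(posture) for check in self.checks]
        return all(results) if self.mode == "all" else any(results)


@dataclass(frozen=True)
class Requirement:
    """A rule plus the remediation message shown to the user when it fails."""
    name: str
    rule: Rule
    remediation: str


@dataclass(frozen=True)
class Role:
    name: str
    requirements: Tuple[Requirement, ...]


def av_current(vendor: str) -> Check:
    """Build a check that a given vendor's AV is running with current signatures."""
    def predicate(posture: Posture) -> bool:
        av = posture.get("av", {})
        return (av.get("vendor") == vendor
                and bool(av.get("running"))
                and bool(av.get("signatures_current")))
    return Check(f"{vendor} AV current", predicate)


PATCHED = Check("Windows patches current",
                lambda posture: posture.get("missing_patches", 0) == 0)

# Rules: the corporate role insists on Sophos; guests may run any of the three.
SOPHOS_ONLY = Rule("Sophos current", (av_current("Sophos"),))
ANY_MAJOR_AV = Rule("Any supported AV current",
                    (av_current("Sophos"), av_current("McAfee"), av_current("Symantec")),
                    mode="any")
PATCHES = Rule("Patches applied", (PATCHED,))

# Requirements: rule + remediation text (the URL is a constructed placeholder).
AV_REQUIRED_CORP = Requirement("AV software must be running", SOPHOS_ONLY,
                               "Download Sophos AV from https://remediation.example/sophos")
AV_REQUIRED_GUEST = Requirement("AV software must be running", ANY_MAJOR_AV,
                                "Install or update an antivirus product")
PATCH_REQUIRED = Requirement("Windows patches must be current", PATCHES,
                             "Run Windows Update before connecting")

ROLES = {
    "Employee": Role("Employee", (AV_REQUIRED_CORP, PATCH_REQUIRED)),
    "Guest": Role("Guest", (AV_REQUIRED_GUEST,)),
}


def assess(role_name: str, posture: Posture) -> Tuple[bool, List[Tuple[str, str]]]:
    """Evaluate every requirement of a role.

    Returns (passed, failures) where failures lists (requirement name,
    remediation message) for each requirement whose rule did not hold.
    """
    role = ROLES[role_name]
    failures = [(req.name, req.remediation)
                for req in role.requirements if not req.rule.evaluate(posture)]
    return (not failures, failures)


# Constructed sample postures (not captured agent output).
MCAFEE_LAPTOP: Posture = {
    "av": {"vendor": "McAfee", "running": True, "signatures_current": True},
    "missing_patches": 0,
}
STALE_SOPHOS_DESKTOP: Posture = {
    "av": {"vendor": "Sophos", "running": True, "signatures_current": False},
    "missing_patches": 3,
}

if __name__ == "__main__":
    for role_name, posture in (("Guest", MCAFEE_LAPTOP), ("Employee", MCAFEE_LAPTOP),
                               ("Employee", STALE_SOPHOS_DESKTOP)):
        passed, failures = assess(role_name, posture)
        print(role_name, "PASS" if passed else "FAIL", failures)
```

The same McAfee laptop passes the guest role (any supported AV is acceptable) but fails the employee role (Sophos specifically is required), and the failure carries the remediation text, which is the shape of the alert-plus-download-link flow the review describes.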

The management GUI, while better than some in the test in terms of overall design and presentation, is not intuitive. Multiple layers of tabs make it difficult to pinpoint exactly where configuration items are. The documentation – both hard copy and online – is very good, though, and helps answer questions quickly.

For status reports, you can tap into syslog to check the status of currently connected devices. Cisco also offers a text table summarizing the current number of online users assigned to each role (for example, Quarantine, Employee or Contractor).

Historical reporting is almost nonexistent. You cannot report on posture-assessment results directly from the product. Posture-assessment details are provided as events, and Cisco makes available an API that can be tapped in order to pull the data from the Cisco NAC system into a separate analysis tool. You can run queries against the data, looking for bulk details about users, operating systems, IP addresses and antivirus software, but you are not able to export the results for use in any type of graphical reports.

Cisco provides basic NAC functionality, but has not yet moved into postconnect assessment. Most of the other products we tested provide regular posture assessments after initial network connect.
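The gap the review keeps returning to, assessment only at connect time versus regular postconnect reassessment, is easy to see in a small simulation. The following Python is an added illustration, not Cisco’s code: the session model, the policy functions and the timeline are assumptions, and the Employee and Quarantine role names are borrowed from the review’s status-table example. It replays a constructed timeline in which an endpoint is healthy at connect, its AV service stops at 400 seconds, and it is fixed by 700 seconds, under both models.

```python
"""Connect-time-only assessment versus periodic postconnect reassessment.

Added illustration; the model and names are assumptions, not Cisco's.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Tuple

Posture = Dict[str, bool]


@dataclass(frozen=True)
class Session:
    endpoint: str
    role: str           # "Employee" when compliant, "Quarantine" otherwise
    last_assessed: int  # seconds since connect, on a constructed clock


def compliant(posture: Posture) -> bool:
    """Minimal posture rule: AV running with current signatures."""
    return posture["av_running"] and posture["signatures_current"]


def role_for(posture: Posture) -> str:
    return "Employee" if compliant(posture) else "Quarantine"


def assess_at_connect(endpoint: str, posture: Posture) -> Session:
    """Every NAC product does at least this: assess once on admission."""
    return Session(endpoint, role_for(posture), last_assessed=0)


def connect_only(session: Session, posture: Posture, now: int, interval: int) -> Session:
    """Connect-time-only model: once admitted, posture is never looked at again."""
    return session


def periodic(session: Session, posture: Posture, now: int, interval: int) -> Session:
    """Postconnect model: re-evaluate whenever `interval` seconds have elapsed."""
    if now - session.last_assessed < interval:
        return session
    return replace(session, role=role_for(posture), last_assessed=now)


# Constructed timeline of (seconds since connect, posture reported by the agent).
TIMELINE: List[Tuple[int, Posture]] = [
    (0,   {"av_running": True,  "signatures_current": True}),
    (200, {"av_running": True,  "signatures_current": True}),
    (400, {"av_running": False, "signatures_current": True}),   # AV service stopped
    (700, {"av_running": True,  "signatures_current": True}),   # user restarted it
]

Policy = Callable[[Session, Posture, int, int], Session]


def simulate(policy: Policy, interval: int = 300) -> List[Tuple[int, str]]:
    """Replay TIMELINE under a policy; return the role held at each tick."""
    session = assess_at_connect("laptop-01", TIMELINE[0][1])
    history = [(0, session.role)]
    for now, posture in TIMELINE[1:]:
        session = policy(session, posture, now, interval)
        history.append((now, session.role))
    return history


if __name__ == "__main__":
    print("connect-only:", simulate(connect_only))
    print("periodic    :", simulate(periodic))
```

Under the connect-only model the endpoint keeps its Employee role for the whole timeline, including the 300 seconds during which its AV service is down; the periodic model moves it to Quarantine at the next reassessment and restores access once the posture is healthy again. Detection of that drift is exactly what the reviewed release lacks.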

Copyright © 2007 IDG Communications, Inc.