Denise Helfrich - Cisco Network Admission Control, Volume I: NAC Framework Architecture and Design

Denise Helfrich, Lou Ronnau, Jason Frazier, Paul Forbes

Cisco Press
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

Cisco Network Admission Control, Volume I

NAC Framework Architecture and Design

Denise Helfrich, Lou Ronnau, Jason Frazier, Paul Forbes

Copyright 2007 Cisco Systems, Inc.

Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

First Printing December 2006

Library of Congress Cataloging-in-Publication Number: 2005923482

ISBN: 1-58705-241-5

This book is designed to provide information about Network Admission Control Framework Release 2 components and identifies steps to prepare, plan, and design NAC Framework. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.

Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at . Please make sure to include the book title and ISBN in your message.

We greatly appreciate your assistance.

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales.

For more information, please contact: U.S. Corporate and Government Sales 1-800-382-3419

For sales outside the U.S., please contact: International Sales

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

Asia Pacific Headquarters
Cisco Systems, Inc.
168 Robinson Road
#28-01 Capital Tower
Singapore 068912
www.cisco.com
Tel:+65 6317 7777
Fax:+65 6317 7799

Europe Headquarters
Cisco Systems International BV
Haarlerbergpark
Haarlerbergweg 13-19
1101 CH Amsterdam
The Netherlands
www-europe.cisco.com
Tel: +31 0 800 020 0791
Fax: +31 0 20 357 1100

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices .

2006 Cisco Systems, Inc. All rights reserved. CCVP, the Cisco logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0609R)

Denise Helfrich is currently a technical program sales engineer developing and supporting global online labs for the Worldwide Sales Force Delivery. For the previous six years, she was a technical marketing engineer in the Access Router group, focusing on security for Cisco Systems. She is the author of many Cisco training courses, including Network Admission Control. She has been active in the voice/networking industry for over 20 years.

Lou Ronnau, CCIE No. 1536, is currently a technical leader in the Applied Intelligence group of the Customer Assurance Security Practice at Cisco Systems. He is the author of many Cisco solution guides along with Implementing Network Admission Control: Phase One Configuration and Deployment. He has been active in the networking industry for over 20 years, the last 12 years with Cisco Systems.

Jason Frazier is a technical leader in the Technology Systems Engineering group for Cisco Systems. He is a systems architect and one of the founders of Cisco's Identity-Based Networking Services (IBNS) strategy. Jason has authored many Cisco solution guides and often participates in industry forums such as Cisco Networkers. He has been involved with network design and security for seven years.

Paul Forbes is a technical marketing engineer in the Office of the CTO, within the Security Technology Group. His primary focus is on the NAC Partner Program, optimizing the integration between vendor applications and Cisco networking infrastructure. He is also active in other security architecture initiatives within the Office of the CTO. He has been active in the networking industry for ten years, as both a customer and working for Cisco.

David Anderson, CCIE No. 7660, is an engineer in Cisco's Security Technology CTO Group. In his current role, he is working on next-generation security solutions for identity management, admission control, and security policy enforcement. He has worked on a variety of products and solutions during his seven years at Cisco. This work has included dial-access, disaster recovery, business continuance, application optimization, data center design, security architectures, and network admission control. David has authored and contributed to multiple design guides and white papers on these subjects. He has also presented these topics at conferences and forums in multiple countries. David currently holds both CCIE and CISSP certifications.