Cisco NAC, Cisco ACS and Cicso ASA

[Daveyd123]

Currently we have a failover pair of ASA 5510s. I am looking into a solution to provide AAA services to our SSL VPN users and well as some sort of Network Control..ie scanning the VPN computer for latest Windows updates, virus definitions, etc.

My question is, do I need to purchase both a NAC appliance and ACS software to do what I want...or will the ASA handle everything?

Hope I made sense

 

[Supergrrover]

You will need a separate box (not the ASA) for the AAA and the NAC (or virtualize it.)

This is something I actually haven't set up but here is the Cisco doc on it.

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml

Let me know how it goes. I'm curious.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[Daveyd123]

If I were to get a NAC appliance, would I also need to buy ACS sotware as well or would the NAC appliance give me AAA functionality with an ACS server?

 

[brianinms]

You can purchase ACS as either software or server. You are much better off with the server. For NAC you will need a CLean Access Server and a Clean Access Manager.

 

[Daveyd123]

Does the NAC appliance provide AAA? I do not want to buy an ACS server and a NAC server if the NAC does everything

 

[brianinms]

No, the NAC appliance doesn't offer AAA.

 

[Supergrrover]

Do you need ACS for a specific reason or will just a linux AAA server handle what you need?


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[Daveyd123]

I was just going to stick with all Cisco products since we are a Cisco shop...no other reason really

 

[brianinms]

Unless you need other features ACS offers than you could use IAS on a Windows domain controller and utilize the same passwords.

 

[Daveyd123]

I originally tried the IAS server and had a lot of difficulties with it. I have a lot of different SSL VPN users each with different ASA Group Policies. I couldn't get it to work