Wednesday, September 8, 2010

Cisco NAC vs. 802.1X


Access Control is on the rise. A recent Gartner survey indicates that 50% of enterprises plan to implement 802.1X in their wired networks by 2011. Gartner believes that momentum will increase strongly, and that actual enterprise adoption will reach 70% by 2011. With that said, we have a lot of organizations evaluating the differences between Cisco NAC and Cisco 802.1X. Before we dive into the details of either solution, I thought it would be appropriate to compare the two.

Cisco NAC Overview

Cisco NAC Appliance (formerly Cisco Clean Access) was designed to use your organization's network infrastructure to enforce security policy compliance on all devices that attempt to gain access. You can use the Cisco NAC Appliance to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users before they can access the network.

  • Recognize users, their devices, and their roles in the network
  • Evaluate whether machines are compliant with security policies
  • Enforce security policies by blocking, isolating, and repairing noncompliant machines
  • Provide easy and secure guest access
  • Simplify non-authenticating device access
  • Audit and report whom is on the network
Cisco NAC Components
  • NAC Manager - Central Policy Management
  • NAC Server - Enforcement Point
  • NAC Agent - Used for Authentication, Posture Assessment, and Remediation
  • NAC Profiler - Endpoint Discovery/Profiling and Behavior Monitoring
  • NAC Guest Server - Secure Guest Provisioning
Figure 1 - NAC Appliance Components

Authentication & Authorization

NAC can be deployed using in-band(IB) or out-of-band(OOB) modes. OOB is typically used for LAN deployments, while IB is used for VPN/Wireless deployments. 

With IB, authentication is performed at the NAC Server by forcing traffic through the CAS. Traffic is forced through the cas using VLANs or Routing(PBR, VRF, etc.). Authorization (after the user goes through authentication and posture assessment)  is performed through ACLs on the NAC Server.

With OOB, authentication differs based on whether the user is Layer 2 or Layer 3 adjacent to the NAC Server. If the user is layer 2 adjacent, then VLANs are typically used and SNMP is used as the control plane to assign the appropriate VLAN. If the user is layer 3 adjacent to the NAC Server, SNMP will be used to assign VLANs, but authentication segmentation is typically performed by using ACLs or VRFs. Authorization is performed using dynamic VLAN assignment.

802.1X Overview

802.1X is a port based authentication and access control protocol that allows for authentication & authorization of wired and wireless devices. 802.1X enforces policy compliance, controlling port access and tracking users. It asks the following questions:
  • Who are you? - Machine and/or User Authentication
  • Where can you go? - Based on authentication, the user is placed in the correct VLAN or a PBACL is used.
  • What service level do you receive? - The user can be given a per-user access control list to explicitly restrict or allow access to specific resources on the network, or given specific QoS priority on the network.
  • What are you doing? - Using the identity and location of the user, tracking and accounting can be better managed.

  • IEEE/Industry Standard (RFC3380, IEEE )
  • Recognize users, their devices, and their roles in the network
  • Provide easy and secure guest access
  • Simplify non-authenticating device access
  • Audit and report whom is on the network
802.1X Components
  • Cisco ACS Server - Central Policy Management
  • Network Switches - Enforcement Point
  • 802.1X Supplicant - Client that provides credentials (Could be stand-alone or OS Supplicant)
  • NAC Profiler - Endpoint Discovery/Profiling and Behavior Monitoring
  • NAC Guest Server - Secure Guest Provisioning
Figure 2 - 802.1X Components


During authentication, traditional 802.1X keeps the port in a down state until authentication has been performed. If the newly created "Open Mode" or "Low Impact" mode is being used a vlan or PBACL can be used to enforce access restrictions.

For authorization, 802.1X uses VLANs or Port-Based ACLs(PBACLs) to enforce access-restrictions for devices. Policy can be different between the machine and user sessions. The switch acts as the enforcement point and uses RADIUS as a control plane with Cisco ACS.

Comparison of Cisco NAC & 802.1X 

Above you should notice some major differences between the two access control methods, but I would like to take you a little deeper and call out some of the major differences.


If you have a requirement of performing detailed posture assessment and remediation within the next 12 months than you must go with Cisco NAC Appliance. 802.1X does not perform posture and the two access control methods do not work together.

One major question that comes up regarding posture is determining whether a device is owned or furnished by the organization. With NAC, you can perform Active-Directory SSO or check for specific files/registry keys to determine if it is an asset. With 802.1X you can use Machine Authentication using certificates to determine if the asset is owned by your organization. So even though you cannot perform posture assessments, you can check whether the devices is your by validating a certificate that is issued only to authorized machines.

Components & Control Plane

The use of ACS Servers vs. NAC Appliances is a major difference. The use of RADIUS vs. SNMP is another. Does it really matter? In most cases, NO it does not. In some cases, administrators prefer to use ACS because they are experts in using it.

Some organizations "refuse" to install another agent onto their desktop, so having the option of running a supplicant that is native to the Operating System is a huge benefit of 802.1X.

Switch Requirements

Cisco NAC Appliance has a list of OOB supported switches and the list is very comprehensive. This means there is less chance you will have to upgrade hardware or IOS. In order to take advantage of the newer features that make 802.1X very easy to deploy, the switch support for 802.1X is a little more demanding of recent versions of code. Cisco has innovated around easing deployment of 802.1X and because of this, Cisco Switches are recommended(Stay tuned to the blog for more posts around these features).

802.1X is a standard and is supported on most switches vs. NAC OOB which requires Cisco switches

Network Changes

NAC network changes include SNMP configuration, new VLAN configuration, VRF and/or ACL configuration.

802.1X requires a standard access port template on each port, AAA configuration, radius configuration and potentially ACL Configuration.

NAC requires more initial configuration to perform authentication than 802.1X.

Deployment Methodology

With NAC cutover, authentication is a must on day 1 and posture is typically implemented in audit mode. If a user does not have a way of authenticating(no agent, not logged into domain, etc) the user would be stopped.

With 802.1X cutover, open authentication allows administrators to deploy with zero worries day 1. If a user does not have a supplicant or the MAC is not configured for MAB, the switchport will remain open.


The bottom line is that both deployments have their advantages. NACs ability to assess an endpoints compliance with policy and 802.1Xs ability to deploy day 1 without any headaches gives both options valid arguments. The real decision should be based on your environment.... Do you need posture? Do you have all 2900XLs? Can you install an Agent?

SOURCE: Multiple Sites on CISCO.COM

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.

1 comment:

  1. Thanks for the great info and comparison Jamie.