NAC

(imported topic written by franco91)

Hi all,

Can anybody give some tech guide on how to implement NAC with BES?

So far, I know that BESClient just provides the ‘info’ to the CTA (Cisco Trust Agent)!

Where do we configure the action (block, quarantine, etc…) taken based on the Fixlet or policy that we create?

Thanks

frank

(imported comment written by Harald.Zarakowitis)

I’m also interested in this. Does anybody actually use NAC over BigFix? The few posts in the forum are all unanswered, which leaves the impression that not even BigFix has anything to say about this. :wink:

(imported comment written by BenKus)

Hi franco / Harald,

The BigFix NAC solution works with multiple vendors (including Cisco NAC) to be the “brains” behind the decisions to grant network access… The Cisco Trust Agent itself doesn’t have any clue about patch status, if the AV scanner is running, if the AntiSpyware is up-to-date, if the password policy is appropriate, and so on… but the BigFix Agent has all this knowledge and thus the Cisco Agent can ask the BigFix Agent “Is this computer compliant to this policy?” and if the answer is No, the Cisco Agent can restrict network access.

Due to the complexities of setting up Cisco NAC itself, we will usually work directly with the Cisco engineer to set up BigFix with Cisco NAC and so you will need to contact your sales engineer to get more information about this.

Ben

(imported comment written by Harald.Zarakowitis)

Ben Kus

Hi franco / Harald,
Due to the complexities of setting up Cisco NAC itself, we will usually work directly with the Cisco engineer to set up BigFix with Cisco NAC and so you will need to contact your sales engineer to get more information about this.

Ben

OK, that answers my next question… An evaluation of the client compliance module is not possible or worthwhile due to the complexity?

(imported comment written by BenKus)

Hey Harald,

I wouldn’t say that at all… The BigFix side of things is actually quite straightforward to set up… There are Fixlets that prepare the agent to talk to the NAC Agent and there is a wizard that you can use to set the policies to use… The reason we ask for a Cisco+BigFix team to install it is that the Cisco NAC stuff on the back end can be quite complicated with the posture plugin setup and other server configuration.

Do you already have Cisco NAC working and are just looking to add BigFix or are you looking at both at once?

Ben

(imported comment written by Harald.Zarakowitis)

Hi Ben,

We implemented a Cisco NAC test installation which works fine. Currently it is linked with a Trend Micro Policy Server for external posture validation. However, I think the current capabilities of the Cisco solution for patch validation are a little bit awkward, and since we use BigFix anyway I’d like to see what BigFix can offer us.

We’d like to install another BigFix server which supports the NAC capabilities and see how that works.

If you can provide me with the necessary information on how to start, I’m sure I can figure out the rest alone.

Harald

(imported comment written by BenKus)

Hi Harald,

I will have one of our sales engineers in Europe contact you… Here is some more information for your reference:

http://support.bigfix.com/bes/sites/clientcompliance.html

http://support.bigfix.com/bes/sites/clientcompliancecisconac.html

Ben

(imported comment written by Harald.Zarakowitis)

Thanks Ben.

As always, you have been very helpful.

(imported comment written by motola91)

Hi Ben,

I just got this link http://www.bigfix.com/content/endpoint-firewall-nac showing BigFix working as an Endpoint Firewall/NAC. Is this related to BigFix Client Compliance for NAC or not, as I don’t see more detailed information on that link? Can BigFix really work as a NAC enforcer?

(imported comment written by Jim_Hansen91)

There are a couple of different ways that BigFix can facilitate and support NAC efforts.

  1. Complement to existing NAC infrastructures. One of the biggest challenges that NAC solutions have always faced is having the ability to effectively assess an endpoint to determine if it truly meets policy requirements before letting the endpoint on the network. The NAC-specific solutions struggle to keep up with the constantly changing policies (patch, etc.) and they do not have the ability to remediate the non-compliant components and bring systems into compliance. BigFix, of course, does. Customers that have used BigFix as an augment to their preferred NAC solution will use BigFix as the policy assessment, enforcement, and remediation engine. Since BigFix operates in real-time and since we can provide continuous assessment of the endpoints against evolving policies, BigFix is an ideal complement. Rather than having complex, out-of-date rules with the NAC solution, you can have the NAC solution check for one thing – “is BigFix installed.” If so, you can presume that the endpoint is up to date.

  2. Self-Quarantine. This is a secondary capability offered as part of the “BigFix Client Compliance (IPSec Framework)” site that will allow you to further assess the endpoint and ensure that it is up to date. Sometimes referred to as the “poor man’s NAC”, this solution can be used to assess an endpoint against the desired policies. If the system does not meet the policy expectations, the system can be placed into quarantine such that all incoming and outgoing traffic (or other rules) is blocked except for connectivity to the BigFix server, allowing you to continue monitoring and affecting change. This capability is also used for incident response and zero-day mitigation, and can help you quickly and easily quarantine an environment to prevent virus outbreaks or other malware-based issues. The “BigFix Client Compliance (IPSec Framework)” site was recently updated (see here - http://forum.bigfix.com/viewtopic.php?id=4527) to support not only the IPSec rules, but also the local Windows Firewall as well.

Hopefully this helps. If you have any questions, please feel free to post them or reach out to us and we can try and help further.
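As an added illustration of the self-quarantine idea described in point 2 (this is example code, not the content of the BigFix Client Compliance site), the script below uses the local Windows Firewall to block all traffic except the agent's connection to its BigFix server, and can lift the quarantine again. The server address is a placeholder, and 52311 is assumed here as the BES default port.

```powershell
#Requires -RunAsAdministrator
# Added example: "poor man's NAC" self-quarantine with the local Windows Firewall.
# Assumptions (not from the original thread): the server address is a placeholder
# and 52311 is assumed to be the BigFix default port.
$BesServer = '192.0.2.10'          # placeholder: your BigFix server or relay
$BesPort   = 52311                 # assumed BigFix default port
$Group     = 'BES Quarantine'      # rule group so the quarantine can be lifted cleanly
$StateFile = "$env:ProgramData\BesQuarantine.xml"

function Enter-Quarantine {
    # Remember the pre-quarantine default actions (as strings) so they can be restored.
    Get-NetFirewallProfile |
        Select-Object Name,
            @{ n = 'In';  e = { "$($_.DefaultInboundAction)" } },
            @{ n = 'Out'; e = { "$($_.DefaultOutboundAction)" } } |
        Export-Clixml -Path $StateFile

    # Exceptions first, so the agent never loses its server while the policy flips.
    New-NetFirewallRule -DisplayName 'BES Quarantine - agent to server' -Group $Group `
        -Direction Outbound -Action Allow -Protocol TCP `
        -RemoteAddress $BesServer -RemotePort $BesPort | Out-Null
    # The server notifies agents over UDP on the same port; let that in.
    New-NetFirewallRule -DisplayName 'BES Quarantine - server notifications' -Group $Group `
        -Direction Inbound -Action Allow -Protocol UDP `
        -RemoteAddress $BesServer -LocalPort $BesPort | Out-Null

    # Now block everything else, in and out, on every profile.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block
}

function Exit-Quarantine {
    # Restore the saved defaults and drop only the rules this script created.
    if (Test-Path $StateFile) {
        foreach ($p in Import-Clixml -Path $StateFile) {
            Set-NetFirewallProfile -Name $p.Name `
                -DefaultInboundAction $p.In -DefaultOutboundAction $p.Out
        }
        Remove-Item $StateFile
    }
    Remove-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue
}

function Test-Quarantine {
    # True when every profile blocks outbound by default and both BES exceptions exist.
    $open  = @(Get-NetFirewallProfile | Where-Object DefaultOutboundAction -ne 'Block').Count
    $rules = @(Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue).Count
    return ($open -eq 0 -and $rules -eq 2)
}
```

Run Enter-Quarantine from a non-compliance action and Exit-Quarantine once the endpoint is back in policy; Test-Quarantine gives a quick check of the current state.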