CISCO-NAC-NAD-MIB

This MIB module is for the configuration of a Network
Access Device (NAD) on the Cisco Network Admission
Control (NAC) system.

EndPoint  -------------- NAD ------- AAA ------ PVS
(SecurApp) EAPoUDP/802.1x     RADIUS      HCAP
(Plugin)
(PA)

              Cisco NAC system

The Cisco Network Admission Control (NAC) security
solution offers a systems approach to customers for
ensuring endpoint device compliance and vulnerability
checks prior to production access to the network. Cisco
refers to these compliance checks as posture
validations.  The intent of this systems approach is to
prevent the spread of worms, viruses, and rogue
applications across the network. This systems approach
requires integration with third party endpoint security
applications, as well as endpoint security servers.

The Network Access Device (NAD) enforces network access
control privileges by controlling which endpoint devices
have access to network destinations and services
reachable through that NAD.  Endpoint devices that do
not have the PA installed or enabled, or that cannot
otherwise respond to the NAD's posture challenges, are
considered non-responsive hosts.  Upon recognition of an
incoming endpoint device at L2 or L3, the NAD issues a
challenge to the endpoint device for posture
credentials. Endpoint devices with a PA will recognize
the challenge and respond with the necessary posture
credentials.  The NAD acts as a relay agent between the
endpoint device and the AAA server for all messages in
the posture validation exchange.  Once the validation is
complete, the NAD enforces the access policy profile
downloaded from the AAA server, e.g. (i) provide full
access, (ii) deny all access through the NAD, or (iii)
restrict access (quarantine) to some intermediate level
of network access.

Between posture revalidations, the NAD may issue
periodic status queries to determine that each endpoint
device using the NAD is still the same device that was
first postured, and that the endpoint device's posture
credentials have not changed. This mechanism is a
challenge-response protocol that does not involve the
AAA server, nor does it require the posture plugins to
resend any credentials. It is used to trigger a full
posture revalidation with the AAA server when the
endpoint device's credentials have changed (e.g. to
revalidate the host endpoint device after remediation),
or when a new host endpoint device connects with a
previously authorized IP address.

The NAD supports a local exception list based on IP
address, MAC address or device type so that certain
endpoint devices can bypass the posture validation
process, as configured by the system administrator.
Also, the NAD may be configured to query the AAA server
for access policies associated with endpoint devices
that do not have a Posture Agent installed, i.e.
clientless host endpoint devices.

Posture Validation occurs when a NAC-enabled network
access device (NAD) detects an endpoint device
attempting to connect to or use its network resources
and issues the endpoint device a posture challenge.  An
endpoint device with a resident posture agent will
respond to the challenge with sets of posture
credentials from one or more posture plugins, which can
detail the state of the various hardware and software
components on the endpoint device.  The posture agent
response is forwarded by the network access device to an
AAA server, which may in turn delegate parts of the
decision to a posture validation server. Evaluation of
the credentials against posture validation policies
results in an authorization decision, or posture token,
representing the endpoint device's relative compliance
with the network compliance policy.  The AAA server then
sends the respective network access profile to the
network access device for enforcement of the endpoint
device authorization.

The Cisco NAC technology consists of the following:

Endpoint Device - Any host attempting to connect to or
use the resources of a network, e.g., a personal
computer, personal digital assistant, data server, or
other network-attached device.

NAD - Network Access Device that enforces network
access control policies through layer 2 or layer 3
challenge-responses with a network enabled Endpoint
device.

PC - Posture Credentials that describe the state of
an application and/or operating system that is running
on an endpoint device at the time a layer 2 or layer 3
challenge response is issued by a NAD.

PP - Posture Plugin.  A module implemented by an
application or agent provider that is responsible for
supplying the relevant posture credentials for the
application or agent.

PA - Posture Agent.  Host agent software that serves as
a broker on the host for aggregating credentials from
potentially multiple posture plugins and communicating
with the network.

CTA - Cisco Trust Agent.  Cisco's implementation of
the posture agent.

EAP - Extensible Authentication Protocol.  An extension
to PPP.

EOU - Extensible Authentication Protocol over UDP.

ACS/AAA - Cisco Secure Access Control Server.  The
primary authorization server that is the network policy
decision point and is extended to support posture
validation.

PVS - Posture Validation Server.

UCT - Unconditional Transition.

Clientless - Client without Cisco Posture Agent.

Tag - A policy specifier which is mapped to a policy
template based on specific rules. The Tag allows
network administrators to define enforcement policies
on the local device and have a RADIUS server specify the
policy template to be enforced.

Imported Objects

  Module                   Objects
  CISCO-NAC-TC-MIB         CnnEouDeviceType, CnnEouAuthType, CnnEouState,
                           CnnEouPostureTokenString, CnnEouPostureToken
  CISCO-POLICY-GROUP-MIB   CpgPolicyNameOrEmpty
  CISCO-SMI                ciscoMgmt
  CISCO-TC                 CiscoURLString
  IF-MIB                   InterfaceIndexOrZero, InterfaceIndex, ifIndex
  INET-ADDRESS-MIB         InetPortNumber, InetAddressType,
                           InetAddressPrefixLength, InetAddress
  SNMP-FRAMEWORK-MIB       SnmpAdminString
  SNMPv2-CONF              OBJECT-GROUP, MODULE-COMPLIANCE
  SNMPv2-SMI               MODULE-IDENTITY, Integer32, Unsigned32, OBJECT-TYPE
  SNMPv2-TC                TimeStamp, MacAddress, TruthValue, RowStatus,
                           StorageType
Object Identifiers

  Object                             OID                               Status
  ciscoNacNadMIB                     .1.3.6.1.4.1.9.9.484
  ciscoNacNadMIBNotifs               .1.3.6.1.4.1.9.9.484.0
  ciscoNacNadMIBObjects              .1.3.6.1.4.1.9.9.484.1
  cnnEouGlobalObjects                .1.3.6.1.4.1.9.9.484.1.1
  cnnEouVersion                      .1.3.6.1.4.1.9.9.484.1.1.1
  cnnEouTimeoutHoldPeriod            .1.3.6.1.4.1.9.9.484.1.1.10
  cnnEouTimeoutRetransmit            .1.3.6.1.4.1.9.9.484.1.1.11
  cnnEouTimeoutRevalidation          .1.3.6.1.4.1.9.9.484.1.1.12
  cnnEouTimeoutStatusQuery           .1.3.6.1.4.1.9.9.484.1.1.13
  cnnEouCriticalRecoveryDelay        .1.3.6.1.4.1.9.9.484.1.1.14
  cnnEouRevalidationEnabled          .1.3.6.1.4.1.9.9.484.1.1.15
  cnnEouEnabled                      .1.3.6.1.4.1.9.9.484.1.1.2
  cnnEouAllowClientless              .1.3.6.1.4.1.9.9.484.1.1.3
  cnnEouAllowIpStationId             .1.3.6.1.4.1.9.9.484.1.1.4
  cnnEouLoggingEnabled               .1.3.6.1.4.1.9.9.484.1.1.5
  cnnEouMaxRetry                     .1.3.6.1.4.1.9.9.484.1.1.6
  cnnEouPort                         .1.3.6.1.4.1.9.9.484.1.1.7
  cnnEouRateLimit                    .1.3.6.1.4.1.9.9.484.1.1.8
  cnnEouTimeoutAAA                   .1.3.6.1.4.1.9.9.484.1.1.9
  cnnEouAuthorizeLists               .1.3.6.1.4.1.9.9.484.1.2
  cnnEouAuthIpTable                  .1.3.6.1.4.1.9.9.484.1.2.1
  cnnEouAuthIpEntry                  .1.3.6.1.4.1.9.9.484.1.2.1.1
  cnnEouAuthIpAddrType               .1.3.6.1.4.1.9.9.484.1.2.1.1.1
  cnnEouAuthIpAddr                   .1.3.6.1.4.1.9.9.484.1.2.1.1.2
  cnnEouAuthIpAddrMask               .1.3.6.1.4.1.9.9.484.1.2.1.1.3
  cnnEouAuthIpPolicy                 .1.3.6.1.4.1.9.9.484.1.2.1.1.4
  cnnEouAuthIpStorageType            .1.3.6.1.4.1.9.9.484.1.2.1.1.5
  cnnEouAuthIpRowStatus              .1.3.6.1.4.1.9.9.484.1.2.1.1.6
  cnnEouAuthMacTable                 .1.3.6.1.4.1.9.9.484.1.2.2
  cnnEouAuthMacEntry                 .1.3.6.1.4.1.9.9.484.1.2.2.1
  cnnEouAuthMacAddr                  .1.3.6.1.4.1.9.9.484.1.2.2.1.1
  cnnEouAuthMacAddrMask              .1.3.6.1.4.1.9.9.484.1.2.2.1.2
  cnnEouAuthMacPolicy                .1.3.6.1.4.1.9.9.484.1.2.2.1.3
  cnnEouAuthMacStorageType           .1.3.6.1.4.1.9.9.484.1.2.2.1.4
  cnnEouAuthMacRowStatus             .1.3.6.1.4.1.9.9.484.1.2.2.1.5
  cnnEouAuthDeviceTypeTable          .1.3.6.1.4.1.9.9.484.1.2.3
  cnnEouAuthDeviceTypeEntry          .1.3.6.1.4.1.9.9.484.1.2.3.1
  cnnEouAuthDeviceType               .1.3.6.1.4.1.9.9.484.1.2.3.1.1
  cnnEouAuthDeviceTypeStorageType    .1.3.6.1.4.1.9.9.484.1.2.3.1.2
  cnnEouAuthDeviceTypeRowStatus      .1.3.6.1.4.1.9.9.484.1.2.3.1.3
  cnnEouIfMIBObjects                 .1.3.6.1.4.1.9.9.484.1.3
  cnnEouIfConfigTable                .1.3.6.1.4.1.9.9.484.1.3.1
  cnnEouIfConfigEntry                .1.3.6.1.4.1.9.9.484.1.3.1.1
  cnnEouIfAdminStatus                .1.3.6.1.4.1.9.9.484.1.3.1.1.1
  cnnEouIfAaaFailPolicy              .1.3.6.1.4.1.9.9.484.1.3.1.1.10
  cnnEouIfAllowClientless            .1.3.6.1.4.1.9.9.484.1.3.1.1.11
  cnnEouIfAllowIpStationId           .1.3.6.1.4.1.9.9.484.1.3.1.1.12
  cnnEouIfMaxRetry                   .1.3.6.1.4.1.9.9.484.1.3.1.1.2
  cnnEouIfValidateAction             .1.3.6.1.4.1.9.9.484.1.3.1.1.3
  cnnEouIfTimeoutGlobalConfig        .1.3.6.1.4.1.9.9.484.1.3.1.1.4
  cnnEouIfTimeoutAAA                 .1.3.6.1.4.1.9.9.484.1.3.1.1.5
  cnnEouIfTimeoutHoldPeriod          .1.3.6.1.4.1.9.9.484.1.3.1.1.6
  cnnEouIfTimeoutRetransmit          .1.3.6.1.4.1.9.9.484.1.3.1.1.7
  cnnEouIfTimeoutRevalidation        .1.3.6.1.4.1.9.9.484.1.3.1.1.8
  cnnEouIfTimeoutStatusQuery         .1.3.6.1.4.1.9.9.484.1.3.1.1.9
  cnnEouHostMIBObjects               .1.3.6.1.4.1.9.9.484.1.4
  cnnEouHostValidateAction           .1.3.6.1.4.1.9.9.484.1.4.1
  cnnEouHostValidateIpAddrType       .1.3.6.1.4.1.9.9.484.1.4.2
  cnnEouHostValidateIpAddr           .1.3.6.1.4.1.9.9.484.1.4.3
  cnnEouHostValidateMacAddr          .1.3.6.1.4.1.9.9.484.1.4.4
  cnnEouHostValidatePostureToken     .1.3.6.1.4.1.9.9.484.1.4.5        deprecated
  cnnEouHostMaxQueries               .1.3.6.1.4.1.9.9.484.1.4.6
  cnnEouHostQueryTable               .1.3.6.1.4.1.9.9.484.1.4.7
  cnnEouHostQueryEntry               .1.3.6.1.4.1.9.9.484.1.4.7.1
  cnnEouHostQueryIndex               .1.3.6.1.4.1.9.9.484.1.4.7.1.1
  cnnEouHostQueryTotalHosts          .1.3.6.1.4.1.9.9.484.1.4.7.1.10
  cnnEouHostQueryRows                .1.3.6.1.4.1.9.9.484.1.4.7.1.11
  cnnEouHostQueryCreateTime          .1.3.6.1.4.1.9.9.484.1.4.7.1.12
  cnnEouHostQueryStatus              .1.3.6.1.4.1.9.9.484.1.4.7.1.13
  cnnEouHostQueryPostureTokenStr     .1.3.6.1.4.1.9.9.484.1.4.7.1.14
  cnnEouHostQueryMask                .1.3.6.1.4.1.9.9.484.1.4.7.1.2
  cnnEouHostQueryInterface           .1.3.6.1.4.1.9.9.484.1.4.7.1.3
  cnnEouHostQueryIpAddrType          .1.3.6.1.4.1.9.9.484.1.4.7.1.4
  cnnEouHostQueryIpAddr              .1.3.6.1.4.1.9.9.484.1.4.7.1.5
  cnnEouHostQueryMacAddr             .1.3.6.1.4.1.9.9.484.1.4.7.1.6
  cnnEouHostQueryPostureToken        .1.3.6.1.4.1.9.9.484.1.4.7.1.7    deprecated
  cnnEouHostQuerySkipNHosts          .1.3.6.1.4.1.9.9.484.1.4.7.1.8
  cnnEouHostQueryMaxResultRows       .1.3.6.1.4.1.9.9.484.1.4.7.1.9
  cnnEouHostResultTable              .1.3.6.1.4.1.9.9.484.1.4.8
  cnnEouHostResultEntry              .1.3.6.1.4.1.9.9.484.1.4.8.1
  cnnEouHostResultIndex              .1.3.6.1.4.1.9.9.484.1.4.8.1.1
  cnnEouHostResultAclName            .1.3.6.1.4.1.9.9.484.1.4.8.1.10
  cnnEouHostResultStatusQryPeriod    .1.3.6.1.4.1.9.9.484.1.4.8.1.11
  cnnEouHostResultRevalidatePeriod   .1.3.6.1.4.1.9.9.484.1.4.8.1.12
  cnnEouHostResultState              .1.3.6.1.4.1.9.9.484.1.4.8.1.13
  cnnEouHostResultPostureTokenStr    .1.3.6.1.4.1.9.9.484.1.4.8.1.14
  cnnEouHostResultUrlRedirectAcl     .1.3.6.1.4.1.9.9.484.1.4.8.1.15
  cnnEouHostResultTagName            .1.3.6.1.4.1.9.9.484.1.4.8.1.16
  cnnEouHostResultAuditSessionId     .1.3.6.1.4.1.9.9.484.1.4.8.1.17
  cnnEouHostResultAaaFailPolicy      .1.3.6.1.4.1.9.9.484.1.4.8.1.18
  cnnEouHostResultAssocIf            .1.3.6.1.4.1.9.9.484.1.4.8.1.2
  cnnEouHostResultIpAddrType         .1.3.6.1.4.1.9.9.484.1.4.8.1.3
  cnnEouHostResultIpAddr             .1.3.6.1.4.1.9.9.484.1.4.8.1.4
  cnnEouHostResultMacAddr            .1.3.6.1.4.1.9.9.484.1.4.8.1.5
  cnnEouHostResultAuthType           .1.3.6.1.4.1.9.9.484.1.4.8.1.6
  cnnEouHostResultPostureToken       .1.3.6.1.4.1.9.9.484.1.4.8.1.7    deprecated
  cnnEouHostResultAge                .1.3.6.1.4.1.9.9.484.1.4.8.1.8
  cnnEouHostResultUrlRedir           .1.3.6.1.4.1.9.9.484.1.4.8.1.9
  cnnEouHostValidatePostureTokenStr  .1.3.6.1.4.1.9.9.484.1.4.9
  cnnIpDeviceTrackingObjects         .1.3.6.1.4.1.9.9.484.1.5
  cnnIpDeviceTrackingEnabled         .1.3.6.1.4.1.9.9.484.1.5.1
  cnnIpDeviceTrackingProbeCount      .1.3.6.1.4.1.9.9.484.1.5.2
  cnnIpDeviceTrackingProbeInterval   .1.3.6.1.4.1.9.9.484.1.5.3
  cnnEouIfIpDevTrackConfigTable      .1.3.6.1.4.1.9.9.484.1.5.4
  cnnEouIfIpDevTrackConfigEntry      .1.3.6.1.4.1.9.9.484.1.5.4.1
  cnnEouIfIpDevTrackEnabled          .1.3.6.1.4.1.9.9.484.1.5.4.1.1
  ciscoNacNadMIBConformance          .1.3.6.1.4.1.9.9.484.2
  ciscoNacNadMIBCompliances          .1.3.6.1.4.1.9.9.484.2.1
  ciscoNacNadMIBGroups               .1.3.6.1.4.1.9.9.484.2.2
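As an added example (not part of the MIB module or of any Cisco tool), the following Python script turns a walk of two of the tables listed above into per-row records an operator can review: cnnEouHostResultTable, which holds the posture outcome the NAD is enforcing for each endpoint device, and cnnEouAuthIpTable, the local IP exception list that lets devices bypass posture validation. The column OIDs are taken from the object list on this page; it deliberately reads cnnEouHostResultPostureTokenStr rather than the deprecated cnnEouHostResultPostureToken. The walk output is constructed for illustration in the `OID = TYPE: value` shape that net-snmp prints; the row-index sub-identifiers are kept verbatim because this page does not give the tables' INDEX clauses, and the only assumed values are the standard InetAddressType ipv4(1)/ipv6(2) and RowStatus active(1) codes.

```python
"""Added example: group an snmpwalk-style dump of CISCO-NAC-NAD-MIB tables
into rows.  Column OIDs come from the MIB's object list; sample data is
constructed."""
import ipaddress
import re
from collections import defaultdict

# Column OIDs from the object list.  Whatever follows a column OID is the
# row index, which is kept as an opaque string (INDEX clauses are not on
# this page).
TABLES = {
    "cnnEouHostResultTable": {
        ".1.3.6.1.4.1.9.9.484.1.4.8.1.3": "cnnEouHostResultIpAddrType",
        ".1.3.6.1.4.1.9.9.484.1.4.8.1.4": "cnnEouHostResultIpAddr",
        ".1.3.6.1.4.1.9.9.484.1.4.8.1.8": "cnnEouHostResultAge",
        ".1.3.6.1.4.1.9.9.484.1.4.8.1.10": "cnnEouHostResultAclName",
        ".1.3.6.1.4.1.9.9.484.1.4.8.1.14": "cnnEouHostResultPostureTokenStr",
        ".1.3.6.1.4.1.9.9.484.1.4.8.1.17": "cnnEouHostResultAuditSessionId",
    },
    "cnnEouAuthIpTable": {
        ".1.3.6.1.4.1.9.9.484.1.2.1.1.4": "cnnEouAuthIpPolicy",
        ".1.3.6.1.4.1.9.9.484.1.2.1.1.6": "cnnEouAuthIpRowStatus",
    },
}

# Constructed sample walk output (two postured hosts, one exception entry).
SAMPLE_WALK = """
.1.3.6.1.4.1.9.9.484.1.4.8.1.3.1.1 = INTEGER: 1
.1.3.6.1.4.1.9.9.484.1.4.8.1.4.1.1 = Hex-STRING: C0 A8 01 14
.1.3.6.1.4.1.9.9.484.1.4.8.1.8.1.1 = Timeticks: (123400) 0:20:34.00
.1.3.6.1.4.1.9.9.484.1.4.8.1.10.1.1 = STRING: "NAC-HEALTHY-ACL"
.1.3.6.1.4.1.9.9.484.1.4.8.1.14.1.1 = STRING: "Healthy"
.1.3.6.1.4.1.9.9.484.1.4.8.1.17.1.1 = STRING: "SESSION-0001"
.1.3.6.1.4.1.9.9.484.1.4.8.1.3.1.2 = INTEGER: 1
.1.3.6.1.4.1.9.9.484.1.4.8.1.4.1.2 = Hex-STRING: C0 A8 01 2A
.1.3.6.1.4.1.9.9.484.1.4.8.1.8.1.2 = Timeticks: (500) 0:00:05.00
.1.3.6.1.4.1.9.9.484.1.4.8.1.10.1.2 = STRING: "NAC-QUARANTINE-ACL"
.1.3.6.1.4.1.9.9.484.1.4.8.1.14.1.2 = STRING: "Quarantine"
.1.3.6.1.4.1.9.9.484.1.4.8.1.17.1.2 = STRING: "SESSION-0002"
.1.3.6.1.4.1.9.9.484.1.2.1.1.4.1.4.10.1.5.9 = STRING: "printers-bypass"
.1.3.6.1.4.1.9.9.484.1.2.1.1.6.1.4.10.1.5.9 = INTEGER: 1
"""

LINE_RE = re.compile(r"^(\S+)\s*=\s*([A-Za-z-]+):\s*(.*)$")


def decode_value(vtype, raw):
    """Convert the textual value net-snmp prints into a Python value."""
    if vtype == "INTEGER":  # "1" or "active(1)" when a MIB is loaded
        m = re.search(r"\((-?\d+)\)", raw)
        return int(m.group(1)) if m else int(raw)
    if vtype == "STRING":
        return raw.strip('"')
    if vtype == "Hex-STRING":  # OCTET STRING shown as hex bytes
        return bytes.fromhex(raw.replace(" ", ""))
    if vtype == "Timeticks":  # "(ticks) d:hh:mm:ss.cc"
        return int(re.match(r"\((\d+)\)", raw).group(1))
    return raw


def parse_walk(text):
    """Return {(table, row_index): {column_name: value}} for known columns."""
    rows = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid, vtype, raw = m.groups()
        for table, columns in TABLES.items():
            for prefix, name in columns.items():
                if oid.startswith(prefix + "."):
                    rows[(table, oid[len(prefix) + 1:])][name] = decode_value(vtype, raw)
    return dict(rows)


def inet_to_str(addr_type, addr):
    """InetAddressType ipv4(1)/ipv6(2) from INET-ADDRESS-MIB."""
    if addr_type == 1 and len(addr) == 4:
        return ".".join(str(b) for b in addr)
    if addr_type == 2 and len(addr) == 16:
        return str(ipaddress.IPv6Address(addr))
    return addr.hex()


def postured_hosts(rows):
    """One record per cnnEouHostResultTable row, in index order."""
    hosts = []
    for (table, index), cols in sorted(rows.items()):
        if table != "cnnEouHostResultTable":
            continue
        hosts.append({
            "index": index,
            "ip": inet_to_str(cols.get("cnnEouHostResultIpAddrType"),
                              cols.get("cnnEouHostResultIpAddr", b"")),
            "posture": cols.get("cnnEouHostResultPostureTokenStr"),
            "acl": cols.get("cnnEouHostResultAclName"),
            "age_ticks": cols.get("cnnEouHostResultAge"),
            "session": cols.get("cnnEouHostResultAuditSessionId"),
        })
    return hosts


def active_exceptions(rows):
    """(row_index, policy) for cnnEouAuthIpTable rows with RowStatus active(1)."""
    return [(index, cols.get("cnnEouAuthIpPolicy"))
            for (table, index), cols in sorted(rows.items())
            if table == "cnnEouAuthIpTable" and cols.get("cnnEouAuthIpRowStatus") == 1]


if __name__ == "__main__":
    parsed = parse_walk(SAMPLE_WALK)
    for host in postured_hosts(parsed):
        print(host)
    for entry in active_exceptions(parsed):
        print("exception list entry:", entry)
```

Feeding a real `snmpwalk -On` capture of `.1.3.6.1.4.1.9.9.484.1.4.8` and `.1.3.6.1.4.1.9.9.484.1.2.1` to `parse_walk` gives the same two reports, which is a quick way to confirm that the posture tokens and ACLs the NAD is enforcing, and the bypass entries in the exception list, match what the administrator intended.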