Overview of Dynamic NAC Features

Combine the strengths of Infrastructure NAC with an easy to deploy software approach
. Compliant PC’s act like “Neighborhood Watch”
. The existing normal PC’s become the infrastructure (enforcers) to quarantine rogues
. Enforcers manage ARP to control and limit a Rogue ability to send/receive traffic on the network
. Enforcers watch for new endpoints, using ARP redirection to protect the network and community

DNAC Strengths
. Zero network upgrades or changes (Low TCO)
. Scales cost effectively across multiple subnets
. Authentication agnostic (Windows Domain, 802.1x, other)
. Friendly fail-open design
. Extremely responsive quarantine and remediation mechanisms

These are the comparison that we can see between Tradional NAC and Software Based NAC

	Traditional Infrastructure based		Software based
	In-line NAC	Cisco NAC V1 V2 802.1x NAC	Host based NAC (CAF)	Dynamic NAC
Enforcement Type	Appliance in line	Switch based	Client Self enforcement	Other compliant PC’s
Supports LAN Enforcement	Yes – but requires multiple appliances	YES	YES	YES
Supports Remote Access VPN’s	YES	NO	YES	NO
Network needs Re-architecting	YES	Extensive	None	None
Detects Rogue Users \ Devices	NO	YES	NO	YES

. Traditional Infrastructure NAC is too difficult to deploy. Too many switch NAC need to deploy for a large scale deployment.

. Software NAC solutions are easy to deploy and have many key weaknesses

. The DNAC solution method offers a hybrid approach – Strong enforcement with ease of installation. It doesn't involve any re-achitecting the exsting network infrastructure.

Dynamic NAC and Infrastructure NAC comparison

	DNAC	DNAC + 802.1x authentication	Infrastructure NAC
Client Software	DNAC Client	DNAC Client + Supplicant	NAC client + Supplicant
Server Software	Policy server	RADIUS server + policy server	RADIUS server + policy server
Minimum switch requirements	-	802.1x authentication	802.1x authentication with VLAN assignment
Ongoing port config	-	Config 802.1x ports	Config 802.1x ports
Ongoing switch config	-	-	New VLAN and subnet, router ACL, DHCP, RADIUS
One time network Reconfiguration	-	-	New VLANs and subnets, router ACL, DHCP, RADIUS, RADIUS VLAN assignment

One time network configuration and ongoing switch config are generally difficult to deploy since it involve configuration for Radius server, DHCP server and VLAN subnetting.

For 802.1x implementions, it is considered as an acceptable method for most NAC deployment. It offers better security enforment and easy to deploy.

Client and server software based considered as normal acceptable deployment.