The second type I've run across requires an agent to be installed and run on the client side, which then checks in with some sort of server component for authorization. This can be a better solution, but it becomes a support headache once you install thousands of clients, and what happens when you have a workstation the agent doesn't support? You then have to make an exception for that workstation, which defeats the whole purpose of your NAC project. There are probably several other issues with this one, but in my limited testing I didn't get to run across many others.
The final type I've run across is popularly referred to as a "captive portal". Essentially a server component notices (usually via the switch) when you connect and moves you to an isolation VLAN where the only thing you can reach is a portal page. Typically this portal page can be integrated with Active Directory or any other authentication mechanism of choice and lets a user log in, which authorizes them to be on the network and do whatever they wish and are allowed to do. The drawback here is that you hand control of your switch to an automated device, which can be scary, and you have to trust it to do its job 100% effectively. Out of all these NAC "solutions" I've been testing this is by far my favorite one even though it makes users aware of the system. To be fair though, a lot of vendors (and Open Source NAC projects) allow for some hybrid of these, so as always your mileage may vary.
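To make the captive-portal flow concrete, here is an added example (not code from this post, and not any vendor's or open-source project's implementation) that models the controller's side of it: a device showing up on a switch port is parked in an isolation VLAN whose ACL only reaches the portal, a successful login against a directory moves it to the production VLAN, and the session expires back to isolation. The `Directory` class is a stand-in for Active Directory, and the VLAN numbers, portal address, MAC addresses and session lifetime are all constructed values.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Constructed values; a real deployment takes these from the switch/portal config.
ISOLATION_VLAN = 999
PRODUCTION_VLAN = 10
PORTAL_IP = "10.99.0.1"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Directory:
    """Stand-in for Active Directory (or any other backend the portal authenticates against)."""

    def __init__(self):
        self._users = {}  # username -> (salt, pbkdf2 digest)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def verify(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            # Hash anyway so unknown and known usernames take the same time.
            _hash_password(password, b"\x00" * 16)
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, _hash_password(password, salt))


@dataclass
class Session:
    user: str
    expires_at: float


class CaptivePortalNac:
    """Controller logic: decides which VLAN the switch should put each MAC in."""

    def __init__(self, directory: Directory, session_ttl: float = 8 * 3600, now=time.time):
        self.directory = directory
        self.ttl = session_ttl
        self.now = now  # injectable clock, so expiry can be exercised deterministically
        self.port_vlan = {}  # mac -> VLAN currently pushed to the switch port
        self.sessions = {}  # mac -> Session for authenticated users

    def on_link_up(self, mac: str) -> int:
        """Switch reports a new device: quarantine unless it has a live session."""
        mac = mac.lower()
        sess = self.sessions.get(mac)
        if sess is not None and sess.expires_at > self.now():
            self.port_vlan[mac] = PRODUCTION_VLAN  # reconnect within the session keeps access
        else:
            self.sessions.pop(mac, None)
            self.port_vlan[mac] = ISOLATION_VLAN
        return self.port_vlan[mac]

    def portal_login(self, mac: str, username: str, password: str) -> bool:
        """Portal page submits credentials; only quarantined devices may log in."""
        mac = mac.lower()
        if self.port_vlan.get(mac) != ISOLATION_VLAN:
            return False
        if not self.directory.verify(username, password):
            return False
        self.sessions[mac] = Session(username, self.now() + self.ttl)
        self.port_vlan[mac] = PRODUCTION_VLAN
        return True

    def on_link_down(self, mac: str) -> None:
        """Port goes down: forget the VLAN assignment, keep the session until it expires."""
        self.port_vlan.pop(mac.lower(), None)

    def permits(self, mac: str, dest_ip: str) -> bool:
        """The isolation ACL: only the portal is reachable until the device is authorized."""
        vlan = self.port_vlan.get(mac.lower())
        if vlan == PRODUCTION_VLAN:
            return True
        if vlan == ISOLATION_VLAN:
            return dest_ip == PORTAL_IP
        return False  # unknown port state: fail closed

    def expire(self) -> None:
        """Periodic sweep: expired sessions drop their port back into isolation."""
        for mac, sess in list(self.sessions.items()):
            if sess.expires_at <= self.now():
                del self.sessions[mac]
                if mac in self.port_vlan:
                    self.port_vlan[mac] = ISOLATION_VLAN
```

The `permits` check returns `False` for any port the controller has no record of, so a device the switch never reported stays cut off rather than defaulting to open; that is the part a reviewer of a real portal product should look hardest at, since the switch is trusting the controller's answer unconditionally.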
Have any different experiences with NAC? Let me know about them with a comment here!
