Network World
Thursday, May 15, 2008

Cisco Subnet Blog

Installing Cisco NAC with a VoIP network

Security guru Joel Snyder from Opus One starred as the guest of a live Network World chat on Tuesday where he discussed the state of network access control. Questions regarding Cisco vs. Microsoft were asked, as were questions about implementing Cisco NAC within a network supporting Cisco VoIP. Here are Joel's responses. (Click here for the full transcript and read why Joel thinks Microsoft is winning the NAC war.)

Leo: Can you comment on the relationship between Microsoft and Cisco on NAC now and project it in the future? Truly cooperative and division of labor? Or collision ahead?

Joel_Snyder: Hard to say. There are a lot of personalities involved. I'd say that right now we've got two titans who are hard-pressed to cooperate trying to figure out a modus vivendi. Even if there is a lot of joy together, it is inevitable that Microsoft and Cisco will have different interests in the long run. I don't see a big collision, because Microsoft's primary interest is in the desktop and Cisco has no intention of competing there. Things like NPS might go by the wayside as Cisco readies new versions of their NAC management solution and completely re-architects ACS and the CCA stuff. What I personally see is that Cisco owns 74% of the switch market and MS owns 95% (or more) of the desktop market and that's not going to change too much in the long run. So I would look to Cisco for leadership in the areas that they are strong: switching, wiring closets, etc., and Microsoft for leadership in the areas that they are absolutely top in: desktop. Having either cross into the other's territory seems like danger.

Moderator-Julie Pre-submitted question: We have a full Cisco switch/routed/firewalled/VoIP network and are warming to Cisco NAC as an infrastructure-based NAC deployment: a) Will NAC work from behind a Cisco phone/unmanaged switch? b) If "a)" is possible, what happens if some devices on an unmanaged switch are 802.1X and some are not? c) How does NAC work with wireless (i.e., devices like phones/PCs moving from one WAP to another)?

Joel_Snyder: Whoa, dude. What is this, get-it-all-in-one-question week? Let me give you the fast answers, and you can write back in if you need more detail. (a) Yes, but you may have restrictions on what ACL and VLAN you can do. See David Newman's 10Gig Switch test for a specific discussion of the restrictions. (b) It depends on what you want to do with them. If you want to drop them on a guest VLAN, no problem, although now you're crossing the streams and that sounds like a bad idea. (Try to imagine all life as you know it stopping instantaneously and every molecule in your body exploding at the speed of light.) (c) 802.1X is 802.1X. That's the beauty of it all. Go between wired, 802.11, 802.16, whatever. You will have a re-auth in some wireless gear, which is perhaps bad. This is a good argument for an integrated wireless management system (in your case, probably the Airespace stuff, but Aruba and Aerohive would do the same).

For more NAC insight from Opus One, visit the Interop Labs NAC resource center. Also, don't forget to read the full chat transcript.

About the Cisco Subnet Blog

The Cisco Subnet blog is the official blog of the Network World Cisco Subnet community, managed by Editor Linda Leung. Cisco Subnet is the independent voice of Cisco customers and is your gateway to daily Cisco news, blogs, opinion, books, prize giveaways and more. Visit the Cisco Subnet home page daily and while you are there, subscribe to the Cisco Alert e-mail newsletter, which includes news and views generated by the Cisco Subnet community as well as Cisco-related stories on Network World and elsewhere on the Web.
