Network World

Jamey Heary

Cisco's NAC gets a Major Upgrade, including Mac OS posture assessment and support for 1.4 million clients

By jheary on Sun, 10/26/08 - 11:30pm.

The added support for using an external authentication server to authenticate NAC admins is pretty self-explanatory, so I won't go into detail on it except to say it supports RADIUS, LDAP, and Kerberos.

The last new NAC 4.5 feature I want to highlight is the death of the software-only NAC Appliance solution. This has been rumored for a long time, and with 4.5 it is finally happening. Basically, anyone using their own hardware to run NAC Appliance will not be able to upgrade to NAC 4.5 or beyond. This will encourage the small subset of Cisco NAC customers who have not yet migrated to Cisco hardware to do so soon.

There are lots of other features I didn't cover in the NAC 4.5 release. To read about them, and to get more detail on the ones I did mention, here are some good resources for continuing your research:
* Cisco NAC Appliance 4.5 Release Notes
* Cisco NAC Appliance 4.5 Video Datasheet
* Configuration Guide for NAC Manager 4.5

The opinions and information presented here are my personal views and not those of my employer.
Death of software-only could be death of Cisco NAC for us

The new features in 4.5 are certainly admirable. What is not admirable, however, is the astronomical cost of moving to the appliance model for Cisco. This is one reason our institution is going to consider moving away from the Cisco solution.

Cost?

Can you outline what solution you have right now and what items are required to move to the appliance model? If you are using NAC Framework currently, can you not simply add in a single appliance to handle the 802.1x items in the Cisco NAC Appliance solution? My enterprise did a test of the NAC Framework and found that managing all the vendor servers and the APIs between Cisco and those vendors to be quite a task. The NAC Appliance, with its automated ruleset updates, has already been approved as our next step in our NAC plans.

hidden option to purchase HW only

If you are currently a Cisco software NAC customer, then you can work with your Cisco account team or Cisco reseller to get hooked up with the HW-only appliance. This allows you to move your NAC licenses over. The HW-only appliances are about the same cost as a high-end server. You will not find these parts on the pricing tool; they are hidden. Thus the need to contact Cisco or a reseller. If you have any issues, please unicast an email directly to me and I can get to help.
Thanks,
Jamey

A great step forward

The new enhancements to the NAC solution set Cisco ahead of the other vendors we've been evaluating within my company. The breadth of Cisco's solution, including the 802.1x story with the NAC Appliance, is the core reason we're planning to POC the Cisco solution. From our understanding, a single CAM and a server can handle 3500 users with 802.1x. Does that sound accurate? In which case, we can use our current Cisco LAN solution and provide a "drop-in" appliance to handle the port-based 802.1x NAC solution.

802.1x and supplicant

I'm glad you like the new NAC features. Remember that if you move to an 802.1x solution and you are running XP, you will need to purchase a supplicant. The built-in one does not do the job. Cisco has one called CSSC (Cisco Secure Services Client) and Juniper has one called Odyssey. Those are the major players.
-jamey

OOB user logoff, switchport not moved back to auth VLAN

When the OOB user logs off from Windows, but the workstation is not disconnected from the network, the switchport gets moved back to the authentication VLAN. Is there a solution, or is the NAC capable of doing that?
About Cisco Security Expert

Jamey Heary, CCIE No. 7680, is the author of the Cisco NAC Appliance: Enforcing Host Security with Clean Access book by Cisco Press. Jamey is a seasoned security technologist with over 15 years in the IT field with 10 years focused on IT security. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey is currently a Security Consulting Systems Engineer with Cisco, though the opinions expressed here are his own. Jamey is a member of Network World's Cisco Subnet blog community.