
NAC enforcement tools fall short

In complex networks, proprietary schemes are required

By Joel Snyder, Network World
April 19, 2007 12:09 AM ET

The “C” in NAC stands for Control: defining access to network resources based on the valid authentication and end-point security posture of the user. Up until this point in our testing, CNAC and TCG/TNC were friendly bedfellows, offering very similar functionality with many of the same high and low points in their results.

When we got to the control part of the picture we found that there’s not just white and yellow cheese out there: it’s more akin to there being 246 flavors from which to choose.

In this leg of our comparison, our use scenarios weren’t important, because once you get to the control part, everyone – employees, guests and agentless devices – is treated the same. So here we homed in on the dizzying array of options each side gave us.

Even though Cisco offers a proprietary framework, it still is the world’s largest network hardware manufacturer, so the list of enforcement choices runs for pages. We started with LAN switches and 802.1X authentication, which gave us virtual LAN (VLAN)-based access controls. If you’re happy with VLANs, Cisco has about a half-dozen families of current LAN switches, and two or three times that in recently retired hardware that’s still perfectly CNAC-capable. Plus, all of the Cisco wireless equipment, from standalone access points to Airespace wireless switches, could be enforcement points as well.

Many Cisco switches also have packet filtering capabilities, and a CNAC deployment can employ those packet filters as an additional control. Even when we added these packet filters, we weren’t stretching the limits of CNAC enforcement. Cisco has what it calls “Layer-2 IP” and “Layer-3 IP” NAC clients, which forgo authentication in favor of end-point security assessment and enforcement. These NAC client modes work with switches as well as IOS routers for additional enforcement options. We did not test the Layer-2 IP or Layer-3 IP client modes because of their lack of authentication. Cisco engineers told us that authenticating versions of those clients are under development, but could not say when they would be released.

Cisco’s ASA series of firewall/VPN appliances can also be NAC enforcement points. We configured an ASA5100 to be part of our CNAC deployment, which allowed us to require end-point security assessment before we’d let someone onto our network through an IPsec VPN tunnel.

Policy tools lacking

While there is no shortage of outstanding control points, there is a shortage of policy tools to make use of all this power. Because CNAC requires Cisco ACS, and ACS has inherent limitations, we could express only the most primitive of policies.

For example, users cannot be placed in multiple groups with overlapping access to resources. In the ACS user interface, defining a policy that combines VLANs, packet filters, VPNs and end-point security would be nearly impossible for anything but the most basic of networks. And for every distinct security policy in our network, we had to make four to 10 additions in ACS.

The good news is that when we tested each advanced CNAC access control individually, all were successful. When we added packet filters and other controls, they were pushed from the Cisco ACS server to the network enforcement point, and we were, indeed, locked down.
