How Cisco NAC fares against the competition

During Joel Snyder’s Network World Chat on “The truth about NAC,” he discussed how Cisco’s NAC fares against the competition. Here are a few of the highlights. The full transcript can be found here.

Mark your calendars for the upcoming chat with world-famous messaging expert Michael Osterman on Sept. 19 at 2 p.m. EDT.

Can the NAC solution be deployed with a wireless access point from one vendor and a RADIUS server from another vendor? Or is it an end-to-end solution? Thanks.

Definitely you shouldn't be locked into a single vendor. Of course, this is going to depend on the choice of NAC solution, but in our test lab we use Aruba and Airespace (cough cough) Cisco wireless stuff, and have great success with other policy decision point vendors, including Microsoft and Juniper. I don't see a huge requirement to get it all from a single vendor, and, in fact, with the exception of Cisco, I don't think that any NAC vendor really covers both wireless and the PDP (RADIUS) side. So multi-vendor is very much a reality. You're not from Cisco, are you? :-)

What are your thoughts about in-band versus out-of-band NAC solutions (pros/cons each way)?

I'll have to throw a definition in here, and see if you agree: in-band I think of as a box, like maybe a Vernier / Consentry / Nevis or even Cisco CCA (in in-line mode, which is one option), which controls all access. Out-of-band is what I like to call "edge enforcement," more 802.1X-y. Hybrid is more half-way, like Lockdown or CCA in that mode. Anyway, given those definitions: edge is really where I think we want to go for big enterprise deployments. It scales, it handles the load, and it doesn't depend on a single point to do enforcement. In-band I think of more for the occasional guest access -- drop one of those boxes in between your guests and let it handle that load. BAM, problem solved, that was easy, etc. Of course, that doesn't mean that the in-band guys can't handle the load, but you really want to aim for edge enforcement if it fits, and go for in-band if it doesn't. And there are zillions of places where in-band fits better.

On standards, what is your opinion on these so-called consortiums that propose to be about standards, but on a closer look you can tell they are vendor-led and self-serving. NAP and TCG come to mind? 

Your question reveals a certain bias, but, even with that, I think that standards are totally key. Without a good set of standards, this is a technology that will fail miserably. Think PKI and, to some extent, IPsec VPN for remote access. Too much squabbling among the vendors, and too little "put aside our differences and move forward." I think that TCG/TNC is the one to watch; Microsoft (NAP) has joined in and is on the bus. The only one who is lagging behind TCG/TNC right now is Cisco and that's largely a personality difference as far as I can tell.


Copyright © 2007 IDG Communications, Inc.