NAC authentication with XP clients is a snap

Complications arise when dealing with agentless devices and guest access

Page 2 of 2

While waiting for IF-MAP to be released, we brought in QRadar, a SIM from Q1 Labs, to solve the guest and agentless device problem. We set up a QRadar appliance and linked it to the Juniper UAC policy decision point using the TCG/TNC protocols. The idea behind QRadar's link to TCG/TNC is outstanding: as you discover that something is wrong with a device, you should act to block or quarantine that device as soon as possible. As a SIM, QRadar is in a unique position to know when a system starts to go "bad" from the alerts and logs that system generates throughout the network. Unfortunately, while the QRadar link to the Juniper UAC was a direct one using TCG/TNC protocols, the actual act of marking a system as "bad" was a manual operation: an operator had to select the device and set its status before the UAC would act on it.

We also ran into conceptual problems related to network layers. When QRadar detects a system as bad, the identifying information it has is the IP address of that system, and possibly the user credentials. During 802.1X authentication, however, the only identifiers available when QRadar would be queried about the system are the user's credentials, the client's MAC address and the switch port; the IP address is not known because it hasn't been assigned yet. Assuming that the user now authenticating is sitting in front of the same system that was misbehaving earlier could lead to false positives.
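The layering problem above comes down to which identifier each source of evidence is keyed on. The following is an added example, not code from the article or from the QRadar, Juniper UAC or Cisco products it tests. It binds a SIM alert that only carries an IP address back to the identifiers a policy decision point actually has at 802.1X time (user, MAC address, switch port) by way of DHCP lease records, and it refuses to bind when no lease is active at the alert time, which is the false-positive case the text warns about. The RADIUS accounting and DHCP log lines are constructed, and their field layouts are assumptions, not any product's real format.

```python
"""Bind an IP-keyed SIM alert to the 802.1X identity (user, MAC, port).

Added example with constructed log data; field layouts are assumed, not
taken from QRadar, Juniper UAC or any RADIUS/DHCP server's real format.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Constructed RADIUS accounting records: the identities known at 802.1X
# time are user, MAC and switch port. No IP address exists yet.
AUTH_LOG = """\
2007-03-12T09:00:05 Access-Accept user=alice mac=00:1b:63:aa:bb:cc nas=sw1 port=Gi1/0/7
2007-03-12T09:01:10 Access-Accept user=bob mac=00:1b:63:dd:ee:ff nas=sw1 port=Gi1/0/9
2007-03-12T13:30:00 Access-Accept user=carol mac=00:1b:63:11:22:33 nas=sw2 port=Gi1/0/2
"""

# Constructed DHCP server records: the only place where MAC and IP meet.
# Note 10.1.1.50 is handed to two different machines during the day.
DHCP_LOG = """\
2007-03-12T09:00:09 DHCPACK ip=10.1.1.50 mac=00:1b:63:aa:bb:cc lease=14400
2007-03-12T09:01:14 DHCPACK ip=10.1.1.51 mac=00:1b:63:dd:ee:ff lease=14400
2007-03-12T13:30:04 DHCPACK ip=10.1.1.50 mac=00:1b:63:11:22:33 lease=14400
"""


@dataclass
class AuthEvent:
    at: datetime
    user: str
    mac: str
    nas: str
    port: str


@dataclass
class Lease:
    start: datetime
    end: datetime
    ip: str
    mac: str


KV = re.compile(r"(\w+)=(\S+)")


def when(s: str) -> datetime:
    """Parse the ISO timestamp used in the constructed logs."""
    return datetime.fromisoformat(s)


def _parse_line(line: str):
    ts, rest = line.split(" ", 1)
    return when(ts), dict(KV.findall(rest))


def parse_auth(text: str) -> List[AuthEvent]:
    events = []
    for line in text.splitlines():
        if "Access-Accept" in line:
            ts, f = _parse_line(line)
            events.append(AuthEvent(ts, f["user"], f["mac"].lower(), f["nas"], f["port"]))
    return events


def parse_dhcp(text: str) -> List[Lease]:
    leases = []
    for line in text.splitlines():
        if "DHCPACK" in line:
            ts, f = _parse_line(line)
            end = ts + timedelta(seconds=int(f["lease"]))
            leases.append(Lease(ts, end, f["ip"], f["mac"].lower()))
    return leases


class IdentityBinder:
    def __init__(self, auth_text: str, dhcp_text: str):
        self.auth = parse_auth(auth_text)
        self.leases = parse_dhcp(dhcp_text)
        self.bad_macs: Set[str] = set()  # verdicts keyed by MAC, not IP

    def mac_for_ip(self, ip: str, at: datetime) -> Optional[str]:
        # Only a lease active at the alert time counts. A stale or missing
        # lease means the IP cannot be blamed on anyone with confidence.
        active = [l for l in self.leases if l.ip == ip and l.start <= at < l.end]
        return active[0].mac if len(active) == 1 else None

    def session_for_mac(self, mac: str, at: datetime) -> Optional[AuthEvent]:
        # Most recent successful 802.1X authentication for this MAC at or before 'at'.
        prior = [e for e in self.auth if e.mac == mac and e.at <= at]
        return max(prior, key=lambda e: e.at) if prior else None

    def resolve_alert(self, ip: str, at: datetime) -> Optional[AuthEvent]:
        """IP-keyed SIM alert -> (user, MAC, switch, port), or None if ambiguous."""
        mac = self.mac_for_ip(ip, at)
        return self.session_for_mac(mac, at) if mac else None

    def mark_bad(self, ip: str, at: datetime) -> Optional[str]:
        """Store the verdict under the MAC so it is usable at the next 802.1X exchange."""
        mac = self.mac_for_ip(ip, at)
        if mac:
            self.bad_macs.add(mac)
        return mac

    def admit(self, user: str, mac: str) -> bool:
        """The policy decision point's question at 802.1X time, before any IP exists."""
        return mac.lower() not in self.bad_macs


if __name__ == "__main__":
    b = IdentityBinder(AUTH_LOG, DHCP_LOG)
    for t in ("2007-03-12T10:00:00", "2007-03-12T13:10:00", "2007-03-12T14:00:00"):
        print(t, "10.1.1.50 ->", b.resolve_alert("10.1.1.50", when(t)))
    print("flagged MAC:", b.mark_bad("10.1.1.50", when("2007-03-12T10:00:00")))
    print("admit alice's laptop?", b.admit("alice", "00:1B:63:AA:BB:CC"))
```

The same address resolves to alice at 10:00 and to carol at 14:00, and to nobody at 13:10 when the first lease has expired and the second has not yet been issued; a quarantine keyed only on the IP would hit whichever machine held it next. Keying the verdict on the MAC (or the username) is what lets the decision be applied at authentication time, when the IP is still unknown.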

Lessons learned from NAC authentication

From a framework point of view, CNAC and TCG/TNC are in great shape when it comes to the mainstream case of authenticating users on Windows laptops. Everything works at this juncture, and except for a large amount of uncertainty when it comes to Vista (see story, What about Vista), it's all shipping and ready to implement today.

Adding users who have an 802.1X supplicant but don't have the Cisco CSSC or Juniper UAC client revealed a crack in Juniper's shipping product that we had to patch by adding a second RADIUS server. The CNAC realm covered that scenario more gracefully with its ability to handle different types of RADIUS queries at the same time.

When we added complexity with additional scenarios, we quickly discovered that NAC calls for more hardware and software than just a RADIUS server and some client tools. Many of the capabilities of the NAC network are just as dependent on configuration flexibility within the switches and wireless devices we selected.

Bringing in outside sources of information, as we did with QualysGuard, QRadar and Beacon, looks like a great way to help add security to a NAC deployment and to reduce the amount of custom configuration required in networks with many embedded devices. However, the level of integration and quality of information is basic at this stage. While there seems to be strong interest in integrating these products with both CNAC and TCG/TNC frameworks, what we saw needs more functionality to truly smooth deployment woes.

Snyder is a senior partner at Opus One, a consulting firm in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.

NW Lab Alliance

Snyder is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to m.banksfrench.com/alliance.

Main story: What can NAC do for you now?

See other stories in this package:

NAC enforcement tools fall short

Cisco, TCG deliver on basic end point security

NAC management can be a headache

Learn more about this topic

Clear Choice Test: Largest public review of NAC products

Does a good SSL VPN provide good NAC?

Why Vista is missing from NAC landscape?

NAC all-in-one test on the horizon

Test methodology

NAC Buyer's Guide


Copyright © 2007
