0

In case we want to enable dot1x authentication on the wired network without using Host Checker, do we still need a NAC solution, or just a simple AAA server to authenticate the host and perform dynamic VLAN assignment? Any added value for the NAC solution in this case?

Mr.lock

2 Answers

2

A NAC solution basically uses two features: posture and profiling.

If you are not using Host Checker (the agent), you are "losing" the posture features: checking patches, AV, registry and other stuff.

Using only a RADIUS server, you are "losing" the profiling of the endpoint. This may have a huge impact; that depends on the size of your network.

If it's a small network, without many kinds of endpoints (notebooks, cellphones, cams, etc.), it should be OK.

But if you have a medium or large network, it's going to be difficult to manage and control all kinds of endpoints. That is exactly what profiling does for you.

PedroMC
1

Any added value for the NAC solution in this case?

Part of the answer to that depends on why you are implementing dot1x.

One parallel I find useful is Trusted Network Connect, for which the strongSwan TNC docs provide some use cases.

To repeat the core concerns from the progenitor's overview of TNC:

Compliance

  • Network and Endpoint Visibility
    • Who and what’s on my network?
  • Endpoint Compliance
    • Are devices on my network secure?
    • Is user/device behavior appropriate?

Access Control

  • Network Enforcement
    • Block unauthorized users, devices, or behavior
    • Grant appropriate levels of access to authorized users/devices

Orchestration

  • Security System Coordination
    • Share real-time information about users, devices, threats, etc.

802.1X covers the network enforcement part of that list; NAC provides the possibility to cover others.

I suspect a big part of your 'need' for NAC would be about how much you have compliance needs, and whether you have enough control over the endpoints that matter to make creating and maintaining a set of NAC policies worth the effort.

iwaseatenbyagrue
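An added example, not part of either answer: it contrasts the access decision a plain AAA server can make (identity only) with the one a NAC can make once profiling and posture are available, as both answers describe. The VLAN numbers, role names, device types and sample endpoints are constructed assumptions; the three Tunnel attributes are the standard RFC 3580 ones used for dynamic VLAN assignment.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed VLAN plan and role mappings (assumptions for this example).
VLAN_CORP, VLAN_IOT, VLAN_QUARANTINE = "10", "30", "99"
ROLE_VLAN = {"employee": VLAN_CORP, "printer": VLAN_IOT}
EXPECTED_TYPES = {"employee": {"windows-laptop", "macbook"}, "printer": {"printer"}}

@dataclass
class Endpoint:
    identity: str
    auth_ok: bool                         # outcome of 802.1X authentication
    role: str                             # role the directory maps the identity to
    profiled_type: Optional[str] = None   # NAC profiling result, None if not profiled
    posture_ok: Optional[bool] = None     # agent posture result, None without an agent

def vlan_attrs(vlan: str) -> dict:
    """RADIUS attributes (RFC 3580) that tell the switch which VLAN to assign."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": vlan}

def aaa_only(ep: Endpoint) -> Optional[dict]:
    """Plain AAA: only identity and authentication result drive the decision."""
    if not ep.auth_ok or ep.role not in ROLE_VLAN:
        return None                       # Access-Reject
    return vlan_attrs(ROLE_VLAN[ep.role])

def nac(ep: Endpoint) -> Optional[dict]:
    """NAC: same enforcement, plus profiling and (with an agent) posture."""
    decision = aaa_only(ep)
    if decision is None:
        return None
    if ep.profiled_type not in EXPECTED_TYPES[ep.role]:
        return vlan_attrs(VLAN_QUARANTINE)  # device type does not fit the role
    if ep.posture_ok is False:
        return vlan_attrs(VLAN_QUARANTINE)  # agent reported a failed check
    return decision

# Constructed sample endpoints.
SAMPLES = [
    Endpoint("alice", True, "employee", "windows-laptop"),
    Endpoint("alice", True, "employee", "android-phone"),
    Endpoint("bob", True, "employee", "windows-laptop", posture_ok=False),
    Endpoint("carol", False, "employee", "windows-laptop"),
]

def compare(samples=SAMPLES):
    """Return (identity, AAA-only VLAN, NAC VLAN) per endpoint; None means reject."""
    vlan = lambda d: d and d["Tunnel-Private-Group-ID"]
    return [(ep.identity, vlan(aaa_only(ep)), vlan(nac(ep))) for ep in samples]
```

Without an agent, `posture_ok` stays `None` for every endpoint, so only the profiling check distinguishes the NAC decision from the AAA-only one.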