NAC
Alan DeKok
aland at deployingradius.com
Wed Jul 11 08:33:39 CEST 2007
Stefan Winter wrote:
> It is actually quite important. If you are in a roaming scenario where your
> EAP session goes to your home ISP, it makes no sense to tie the posture
> information into the EAP session - it's the *access network* at the roaming
> place that needs to know how healthy your computer is. The home ISP at the
> other end of the world doesn't care that much.
It cares a little. It may want to require certain software updates,
too. But the local network cares more.
> My general preference is that any NAC solution should keep *authentication*
> (EAP session) and *health assessments* in separate channels.
That makes sense, but not everyone sees it that way, unfortunately.
> BTW, are you following the discussions in the IETF concerning NAC and friends
> (the "nea" - network endpoint assessment wg)? If this wg produces
> implementable results, your solution should be in line with it to ensure
> interoperability...
I'm sure you've seen my messages on NEA... I have serious doubts about
it. For a number of reasons.
> It's another topic that I'm overall sceptical of NAC, IMO a network should
> only reactively shut a client down *after* it did something wrong, not
> proactively sniff around the local environment and lock it away at once. But
> NAC is here to stay I guess. :-(
I understand it's useful to set requirements for network access. "You
need a username, password, and a system that isn't susceptible to
viruses". The pro-active scanning is nearly impossible to implement
correctly. NEA largely seems like a group of people who want to
standardize a pre-existing solution, and are surprised that there are
people with different points of view.
Alan DeKok.