NAC

A.L.M.Buxey at lboro.ac.uk
Thu Jul 12 13:39:43 CEST 2007


Hi,

> I think many roaming scenarios (e.g. eduroam federation) could probably
> get by usefully on that.
> 
> Access-Accept
> 	Endpoint-Posture = "os:vendor=Microsoft"
> 	Endpoint-Posture = "os:product=Windows XP"
> 	Endpoint-Posture = "os:patchage=91230"
> 	Endpoint-Posture = "av:defage=31353"
> 	Endpoint-Posture = "av:vendor=Symantec"

painful. imagine keeping that file updated with what you think
are the correct levels for revisions.... i see why Cisco quickly
jumped off the software NAC bandwagon! ;-)  no, what you need is
a third-party program which is fed the Posture values by freeradius
(think ntlm_auth or LDAP/SQL queries) and returns an OKAY, QUARANTINE
or FAIL etc message which can then be acted upon. the 3rd party program
would be a dedicated GPL open source tool community driven that is
easily managed and gets the info about each AV vendor and patch level etc
and can be further programmed to accept registry values and running
software processes via same/additional client tools installed on the connecting
machine (if such a tool is installed). OR it can be a proprietary
software tool from a major vendor...that can accept the same queries
and calls. your choice. the NAC part, though, would be 'trivial' as far
as the RADIUS server is concerned.

alan
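Added example, not code from the thread or from the FreeRADIUS project: a sketch of the "third-party program" Alan describes, one that is handed the Endpoint-Posture values and answers OKAY, QUARANTINE or FAIL so the RADIUS server itself only has to act on the verdict. It assumes the posture values arrive one per line on stdin (the thread does not say how FreeRADIUS would pass them); the policy table, the vendor lists, and the reading of os:patchage and av:defage as ages where lower is better are all constructed for the example, since the thread never defines those units. Missing posture data quarantines (the client can remediate), while malformed or disallowed values fail outright.

```python
"""Posture evaluator: Endpoint-Posture values in, OKAY / QUARANTINE / FAIL out."""
import sys

# Worst verdict wins; the order is also used for the process exit code.
SEVERITY = {"OKAY": 0, "QUARANTINE": 1, "FAIL": 2}

# Constructed policy for the example. The thread does not define what
# os:patchage or av:defage count; here they are ASSUMED to be ages
# (larger = staler), so exceeding a threshold degrades the verdict.
POLICY = {
    "os:vendor":   {"allowed": {"Microsoft", "Apple"}},
    "os:product":  {"allowed": {"Windows XP", "Windows Vista", "Mac OS X"}},
    "av:vendor":   {"allowed": {"Symantec", "McAfee", "Sophos"}},
    "os:patchage": {"quarantine_above": 90000, "fail_above": 100000},
    "av:defage":   {"quarantine_above": 30000, "fail_above": 60000},
}

# Constructed sample: the values quoted in the thread, one per line.
SAMPLE_POSTURE = [
    "os:vendor=Microsoft",
    "os:product=Windows XP",
    "os:patchage=91230",
    "av:defage=31353",
    "av:vendor=Symantec",
]


def parse_posture(values):
    """Turn ["os:vendor=Microsoft", ...] into {"os:vendor": "Microsoft", ...}.

    Entries that are not "category:field=value" are returned separately so
    the caller can refuse to grade an endpoint that sent garbage."""
    parsed, malformed = {}, []
    for raw in values:
        key, sep, value = raw.strip().partition("=")
        key, value = key.strip(), value.strip()
        if not sep or ":" not in key or not value:
            malformed.append(raw.strip())
            continue
        parsed[key] = value          # a repeated key keeps its last value
    return parsed, malformed


def evaluate(values, policy=POLICY):
    """Return (verdict, reasons) for a list of Endpoint-Posture strings."""
    parsed, malformed = parse_posture(values)
    if malformed:
        return "FAIL", ["malformed posture entry: %r" % m for m in malformed]

    verdict, reasons = "OKAY", []

    def degrade(level, why):
        nonlocal verdict
        reasons.append(why)
        if SEVERITY[level] > SEVERITY[verdict]:
            verdict = level

    for key, rule in policy.items():
        if key not in parsed:
            degrade("QUARANTINE", "%s not reported" % key)
            continue
        value = parsed[key]
        if "allowed" in rule and value not in rule["allowed"]:
            degrade("FAIL", "%s=%s is not an allowed value" % (key, value))
        if "quarantine_above" in rule:
            try:
                number = int(value)
            except ValueError:
                degrade("FAIL", "%s=%s is not numeric" % (key, value))
                continue
            if number > rule["fail_above"]:
                degrade("FAIL", "%s=%d exceeds fail threshold %d"
                        % (key, number, rule["fail_above"]))
            elif number > rule["quarantine_above"]:
                degrade("QUARANTINE", "%s=%d exceeds quarantine threshold %d"
                        % (key, number, rule["quarantine_above"]))
    return verdict, reasons


def main():
    """Read posture lines from stdin, print the verdict, exit with its severity."""
    values = [line for line in sys.stdin if line.strip()]
    verdict, reasons = evaluate(values)
    print(verdict)
    for reason in reasons:
        print("# " + reason, file=sys.stderr)
    return SEVERITY[verdict]


if __name__ == "__main__":
    sys.exit(main())
```

Fed the five quoted values, the program prints QUARANTINE because both the patch age and the AV definition age sit above their quarantine thresholds but below the fail thresholds; the reasons go to stderr so a log line explains every non-OKAY verdict. Keeping the thresholds and vendor lists in one table is what makes the RADIUS side 'trivial': the server only needs to map the verdict to accept, VLAN-restrict or reject.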


