Stefan Winter wrote:
It is actually quite important. If you are in a roaming scenario where your EAP session goes to your home ISP, it makes no sense to tie the posture information into the EAP session - it's the *access network* at the roaming place that needs to know how healthy your computer is. The home ISP at the other end of the world doesn't care that much.
It cares a little. It may want to require certain software updates, too. But the local network cares more.
My general preference is that any NAC solution should keep *authentication* (EAP session) and *health assessments* in seperate channels.
That makes sense, but not everyone sees it that way, unfortunately.
BTW, are you following the discussions in the IETF concerning NAC and friends (the "nea" - network endpoint assassment wg)? If this wg produces implementable results, your solution should be in line with it to ensure interoperability...
I'm sure you've seen my messages on NEA... I have serious doubts about it. For a number of reasons.
It's another topic that I'm overall sceptical of NAC, IMO a network should only reactively shut a client down *after* it did something wrong, not proactively sniff around the local environment and lock it away at once. But NAC is here to stay I guess. :-(
I understand it's useful to set requirements for network access. "You need a username, password, and a system that isn't susceptible to viruses". The pro-active scanning is nearly impossible to implement correctly. NEA largely seems like a group of people who want to standardize a pre-existing solution, and are surprised that there are people with different points of view. Alan DeKok.