On 11/07/07, Alan DeKok <aland@deployingradius.com> wrote:
It's another topic that I'm overall sceptical of NAC, IMO a network should only reactively shut a client down *after* it did something wrong, not proactively sniff around the local environment and lock it away at once. But NAC is here to stay I guess. :-(
I understand it's useful to set requirements for network access. "You need a username, password, and a system that isn't susceptible to viruses". The pro-active scanning is nearly impossible to implement correctly. NEA largely seems like a group of people who want to standardize a pre-existing solution, and are surprised that there are people with different points of view.
Regarding some comments made earlier in NEA list, wouldn't an approach similar to microsoft ("statements of health" or SoH) would be a better solution ? In this case, the client would just send its status (SoH) and get an answer from the server (+ network access granted/isolated/denied). Granted, it is really a "microsoft-standard" (no implementation, but there are already backward compatibility requirements with previous version) - but the idea in general ? dago