Cisco, Aruba..and plenty of other vendors all have commercial offerings in the NAC space. Most have eg dissolvable clients and the like but all of them have weaknesses , either some platforms have little or no support, or they require certain other technology to be adopted too (eg the vendors other appliances for DNS or proxy) and their particular radius server, per client licence or only works with 2 of the common browsers It's all rather a mess alan On Mon, 19 Mar 2018, 14:32 Brian Julin, <BJulin@clarku.edu> wrote:
Alan DeKok <aland@deployingradius.com>:
NAC is largely dead. If the end system is up to date, then it's as secure as we can make it. If the system isn't up to date, then it should be brought up to date.
...which is why the only thing we are really expecting NAC to do is: ensure the system auto-update feature is on, ensure AV is installed and up to date, and ensure the local firewall is on. Given that, we are still using in-house scripts, because unless the NAC agent is ready to roll when the next OSX or Windows release rolls out and unless that NAC agent also helps us install VPN and WiFi profiles, it is more trouble than it is worth. (Well, unless you ask the guy who has to update the in-house scripts, but his perspective is a bit biased :-)
That said, not all OS vendors are completely on top of every zero day, so if you have information they have not reacted to yet and can demand a tweak on the client machines to temporarily work around it through the agent, that's a worthwhile capability to aspire to.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html