Freeradius 2.0 - vmps feature, inaccuracies on FreeNAC
Stefan Winter
stefan.winter at restena.lu
Wed Jul 11 08:11:25 CEST 2007
Hi,
> of course, a "a GPLed, ActiveX / Java / other browser-based endpoint
> posture assessment client, for use in fallback non-802.1x (walled-garden)
> mode." could also work after 802.1x
It is actually quite important. If you are in a roaming scenario where your
EAP session goes to your home ISP, it makes no sense to tie the posture
information into the EAP session - it's the *access network* at the roaming
place that needs to know how healthy your computer is. The home ISP at the
other end of the world doesn't care that much.
My general preference is that any NAC solution should keep *authentication*
(EAP session) and *health assessments* in separate channels.
I'm happy that Cisco is following that line of thinking in their NAC solution,
by offering a web-based or downloadable client *after* the EAP session if
need be. It still *can* be tied into EAP, but it's optional. IMO, the way to
go. Anyone implementing a NAC solution (i.e.: you) should keep this in mind,
I'm glad you do.
BTW, are you following the discussions in the IETF concerning NAC and friends
(the "nea" - network endpoint assessment wg)? If this wg produces
implementable results, your solution should be in line with it to ensure
interoperability...
It's another topic that I'm overall sceptical of NAC, IMO a network should
only reactively shut a client down *after* it did something wrong, not
proactively sniff around the local environment and lock it away at once. But
NAC is here to stay I guess. :-(
Greetings,
Stefan Winter
--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at restena.lu Tel.: +352 424409-1
http://www.restena.lu Fax: +352 422473