NAC
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jul 12 12:40:16 CEST 2007
On Wed, 2007-07-11 at 08:33 +0200, Alan DeKok wrote:
> Stefan Winter wrote:
> > It is actually quite important. If you are in a roaming scenario where your
> > EAP session goes to your home ISP, it makes no sense to tie the posture
> > information into the EAP session - it's the *access network* at the roaming
> > place that needs to know how healthy your computer is. The home ISP at the
> > other end of the world doesn't care that much.
>
> It cares a little. It may want to require certain software updates,
> too. But the local network cares more.
Interesting question (well - I think it's interesting) - would the local
network trust the home network to tell it what the posture of the client
is? Maybe by attribute on the Access-Accept?
I think many roaming scenarios (e.g. eduroam federation) could probably
get by usefully on that.
Access-Accept
  Endpoint-Posture = "os:vendor=Microsoft"
  Endpoint-Posture = "os:product=Windows XP"
  Endpoint-Posture = "os:patchage=91230"
  Endpoint-Posture = "av:defage=31353"
  Endpoint-Posture = "av:vendor=Symantec"
  etc.
Of course I could be talking rubbish ;o)
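
Added example, not part of the original message and not FreeRADIUS code: a sketch of how a visited network could apply its own policy to posture values carried on an Access-Accept in the "category:key=value" form shown above, honoring them only from home realms it trusts and failing closed otherwise. Assumptions: the realm name, the age limits, reading the age values as seconds, and the function names are all constructed for illustration.

```python
# Local-network policy over home-asserted posture attributes (illustrative).
# Assumption: patchage/defage are ages in seconds; limits are constructed.
TRUSTED_REALMS = {"home.example.ac.uk"}  # constructed realm name
MAX_AGE = {"os:patchage": 30 * 86400, "av:defage": 3 * 86400}

def parse_posture(values):
    """Map ["os:vendor=Microsoft", ...] to {"os:vendor": "Microsoft"}.
    Returns None if any entry is malformed or a key repeats."""
    posture = {}
    for v in values:
        key, eq, val = v.partition("=")
        cat, colon, name = key.partition(":")
        if not (eq and colon and cat and name and val) or key in posture:
            return None
        posture[key] = val
    return posture

def decide(realm, values):
    """Return (decision, reason); anything unverifiable is quarantined."""
    if realm not in TRUSTED_REALMS:
        # Posture is only a claim by the home server: ignore it unless
        # the local network has agreed to trust that realm.
        return ("quarantine", "posture from untrusted realm ignored")
    posture = parse_posture(values)
    if posture is None:
        return ("quarantine", "malformed posture")
    for key, limit in MAX_AGE.items():
        raw = posture.get(key)
        if raw is None or not (raw.isascii() and raw.isdigit()):
            return ("quarantine", key + " missing or not numeric")
        if int(raw) > limit:
            return ("quarantine", key + " too old")
    return ("allow", "posture within local policy")

# Values copied from the Access-Accept sketched in the message.
SAMPLE = [
    "os:vendor=Microsoft",
    "os:product=Windows XP",
    "os:patchage=91230",
    "av:defage=31353",
    "av:vendor=Symantec",
]

if __name__ == "__main__":
    print(decide("home.example.ac.uk", SAMPLE))
    print(decide("unknown.example.org", SAMPLE))
```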