NAC

Thomas Dagonnier dago158 at bluewin.ch
Fri Jul 13 09:38:40 CEST 2007


On 12/07/07, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>  On Wed, 2007-07-11 at 08:33 +0200, Alan DeKok wrote:
> > Stefan Winter wrote:
> > > It is actually quite important. If you are in a roaming scenario where your
> > > EAP session goes to your home ISP, it makes no sense to tie the posture
> > > information into the EAP session - it's the *access network* at the roaming
> > > place that needs to know how healthy your computer is. The home ISP at the
> > > other end of the world doesn't care that much.
> >
> >   It cares a little.  It may want to require certain software updates,
> > too.  But the local network cares more.

I still can't imagine those use cases (they probably exist, but I just
don't see them).

The home network can always check the security when entering the home
network via VPN (for example).
As for local access, it can't be relied upon to guarantee that the
endpoint will always be secure when connecting to any other local
network - NAC won't be everywhere.

On 12/07/07, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>
> > need be. It still *can* be tied into EAP, but it's optional. IMO, the way to
>
> I think it's unlikely NAC and roaming will work at the same time, in the
> near future. As far as I can tell, the interest in NAC from customers is
> for compliance within the enterprise.


> One possible option I can think is the Cisco EAP-over-UDP solution - one
> could perform EAPOL back to your home institute to gain IP connectivity,
> then EAPoU to submit posture information to the *local* network - which
> then unblocks or restricts you at the IP level.

Yes, it was the example of "separated channels" I could think of, but like
any similar solution based on layer 3, it won't solve all problems,
and in particular, can't isolate on a particular network without
making some VLAN reconfiguration or chokepoint. For this, there's very
little room because the VLAN would be given after the 802.1X
authentication.


On 12/07/07, A.L.M.Buxey at lboro.ac.uk <A.L.M.Buxey at lboro.ac.uk> wrote:
> no, what you need is
> a third-party program which is fed the Posture values by freeradius
> (think ntlm_auth or LDAP/SQL queries) and returns an OKAY, QUARANTINE
> or FAIL etc message which can then be acted upon. the 3rd party program
> would be a dedicated GPL open source tool community driven that is
> easily managed and gets the info about each AV vendor and patch level etc
> and can be further programmed to accept registry values and running
> software processes via same/additional client tools installed on the connecting
> machine (if such a tool is installed).

Well, that's the idea behind TNC (or at least that's what they
described in the architecture document as an example).
- Network Access Authority [freeradius, for example] first authenticates the user
- then passes the TNC messages to the server (back & forth)
- TNC server makes sure everything's ok
- then gives a recommendation to the NAA
- which sends the answer.

As for implementation, that's what is done by FHH (see dataflows on
page 28 of http://tnc.inform.fh-hannover.de/wiki/media/7/76/Overview_of_AR_and_PDP_in_TNC%40FHH_by_Martin_Schmiedel_%28english%29.pdf
). In fact, it's not really fed the posture values by freeradius, but
the TNC messages. It also cannot be multiplexed by default.

I don't know that much about EAP roaming (not edu), so I can't say whether it
may solve roaming issues, but that doesn't seem undoable.

dago
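The flow discussed in this thread (authenticate the user first, then hand the posture messages to a separate posture/TNC server, which answers OKAY, QUARANTINE or FAIL, and let the Network Access Authority turn that into the VLAN returned to the switch) as an added Python model; it is not code from this thread, FreeRADIUS or TNC@FHH. The policy thresholds, VLAN numbers, credential store and all function names are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

# Constructed policy for this example (not a real deployment's values).
APPROVED_AV = {"ExampleAV", "OtherAV"}
MIN_PATCH_LEVEL = 42
MAX_SIGNATURE_AGE_DAYS = 7
FORBIDDEN_PROCESSES = {"p2pclient.exe"}
# How the NAA maps a recommendation to the VLAN handed back to the NAS
# (None = Access-Reject); the IDs are made up for the example.
VLAN_FOR = {"OKAY": 10, "QUARANTINE": 99, "FAIL": None}
USERS = {"alice": "s3cret"}  # toy credential store, assumed for the example


class Recommendation(Enum):
    OKAY = "OKAY"              # full access
    QUARANTINE = "QUARANTINE"  # restricted/remediation network
    FAIL = "FAIL"              # no access


@dataclass
class Posture:
    """Posture values the client-side tool would report (AV, patches, processes)."""
    av_vendor: str
    av_signature_age_days: int
    patch_level: int
    running_processes: set = field(default_factory=set)


def tnc_server_evaluate(posture: Posture) -> Recommendation:
    """The 'third-party program' / TNC server: posture in, OKAY/QUARANTINE/FAIL out."""
    if posture.running_processes & FORBIDDEN_PROCESSES:
        return Recommendation.FAIL          # policy-violating software is running
    if posture.av_vendor not in APPROVED_AV:
        return Recommendation.FAIL          # unknown or missing AV product
    if (posture.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS
            or posture.patch_level < MIN_PATCH_LEVEL):
        return Recommendation.QUARANTINE    # fixable: send to remediation VLAN
    return Recommendation.OKAY


def naa_access_request(user: str, password: str, posture: Posture) -> tuple:
    """The Network Access Authority (the RADIUS server's role): authenticate
    first, then relay posture to the TNC server and act on its recommendation."""
    if USERS.get(user) != password:
        return ("Access-Reject", None)      # auth fails before any posture check
    rec = tnc_server_evaluate(posture)      # TNC messages go back and forth here
    vlan = VLAN_FOR[rec.value]
    if vlan is None:
        return ("Access-Reject", None)
    return ("Access-Accept", vlan)          # VLAN is assigned after authentication
```

Note that the VLAN decision is made only after the user has authenticated, which is exactly why a layer-3-only posture channel cannot retroactively change it.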



More information about the Freeradius-Users mailing list