EAP-TNC support or any other method to enforce some security policies on client?

Brian Julin BJulin at clarku.edu
Mon Mar 19 15:12:16 CET 2018

Bogdan Rudas wrote:

> Since TNC is ignored by Microsoft, are there other solutions to enforce
> compliance and quarantine violators, agent-based solutions, MDM and so on,
> during network authentication?

There are scores of commercial offerings.  All have their plusses and minuses.
There are no clear dominant winners in this market.  I'm hopeful Aruba
ClearPass and its sub-tools will eventually consolidate into something a bit
more usable than its current state (they are integrating their separate
onboarding and posture modules more fluently into ClearPass
but it seems to be taking some time to re-emerge as a well documented and
supported feature set.)

Android and Microsoft have been less than helpful in bringing their clients
and supplicants and provisioning capabilities up to snuff in a way that helps
these products do what they want to do.  Apple has been a bit better at this,
but could still use to do a few things. All the OS and infrastructure companies
want to get you married to their own byzantine suite of products that expect you
to yank up whatever else you are doing and follow some one-size-fits-all network
design which may or may not actually fit your business needs, but will most
certainly cost you money at some point down the road.

On the other hand, the third-party products and those infrastructure products
that truly aim to support competitors' equipment have done nearly nothing to
integrate onboarding with NAC agent installation, which is especially annoying
in a college setting where just asking students to install a resident agent
is already pushing it, and you run the risk of having your students seek an alternative
ISP or just camp out on your guest network. Never mind if the process involves
several minutes installing 4 separate packages for all your
certs/supplicant settings/more-capable-than-builtin-clients.  Sure you can script that
yourself, but then you have to maintain that script through OS upgrades...
which... well avoiding that is kind of the reason why you pay money to third party
NAC vendors in the first place because you could just as well script a NAC agent.

I've actually been researching this market for work and I have not seen a single
compelling case by any of these vendors that their NAC product won't be
a giant time vampire.  Currently we are subsisting on the Enterasys/Extreme
product which holds together very well as long as we try not to use too
many features, but we haven't even gotten to roll out the agents after years of
owning the product because some part of it has always managed to break
every time we have tried, and the bugfixes take months if not years to arrive.

Many in the industry have thrown up their hands at this situation and now walk
around spouting nonsense about NAC being old fashioned and the new
fancy is doing dynamic policy enforcement based on network scans and reactive
firewall events... which of course you should do, but it is no substitute for NAC,
and doesn't help you with the onboarding part either.

Good luck.  If you happen upon a product that looks promising, feel free to
let me know.  I'll either be grateful, or tell you all the things I know of that are
wrong with it.

More information about the Freeradius-Users mailing list