EAP-TNC support or any other method to enforce some security policies on client?

Brian Julin BJulin at clarku.edu
Mon Mar 19 15:32:02 CET 2018


Alan DeKok <aland at deployingradius.com>:

>  NAC is largely dead.  If the end system is up to date, then it's as secure as we can make it.  If the system isn't up to date, then it should be brought up to date.

...which is why the only thing we are really expecting NAC to do is: ensure the system auto-update
feature is on, ensure AV is installed and up to date, and ensure the local firewall is on.  Given
that, we are still using in-house scripts, because unless the NAC agent is ready to roll
when the next OSX or Windows release rolls out and unless that NAC agent also helps
us install VPN and WiFi profiles, it is more trouble than it is worth.  (Well, unless you ask
the guy who has to update the in-house scripts, but his perspective is a bit biased :-)

That said, not all OS vendors are completely on top of every zero-day, so if you have
information they have not reacted to yet and can demand a tweak on the client machines
to temporarily work around it through the agent, that's a worthwhile capability to aspire to.




More information about the Freeradius-Users mailing list