EAP-TNC support or any other method to enforce some security policies on client?

Alan Buxey alan.buxey at gmail.com
Mon Mar 19 18:50:11 CET 2018


Cisco, Aruba... and plenty of other vendors all have commercial offerings in
the NAC space. Most have e.g. dissolvable clients and the like, but all of
them have weaknesses: either some platforms have little or no support, or
they require certain other technology to be adopted too (e.g. the vendor's
other appliances for DNS or proxy) and their particular RADIUS server, per
client licence, or only works with 2 of the common browsers.

It's all rather a mess.

alan

On Mon, 19 Mar 2018, 14:32 Brian Julin, <BJulin at clarku.edu> wrote:

>
> Alan DeKok <aland at deployingradius.com>:
>
> > NAC is largely dead.  If the end system is up to date, then it's as
> > secure as we can make it.  If the system isn't up to date, then it should
> > be brought up to date.
>
> ...which is why the only thing we are really expecting NAC to do is:
> ensure the system auto-update feature is on, ensure AV is installed and
> up to date, and ensure the local firewall is on.  Given that, we are still
> using in-house scripts, because unless the NAC agent is ready to roll when
> the next OSX or Windows release rolls out and unless that NAC agent also
> helps us install VPN and WiFi profiles, it is more trouble than it is
> worth.  (Well, unless you ask the guy who has to update the in-house
> scripts, but his perspective is a bit biased :-)
>
> That said, not all OS vendors are completely on top of every zero day, so
> if you have information they have not reacted to yet and can demand a
> tweak on the client machines to temporarily work around it through the
> agent, that's a worthwhile capability to aspire to.


More information about the Freeradius-Users mailing list