Hi,

> I think many roaming scenarios (e.g. eduroam federation) could probably
> get by usefully on that.
>
> Access-Accept
> Endpoint-Posture = "os:vendor=Microsoft"
> Endpoint-Posture = "os:product=Windows XP"
> Endpoint-Posture = "os:patchage=91230"
> Endpoint-Posture = "av:defage=31353"
> Endpoint-Posture = "av:vendor=Symantec"

painful. imagine keeping that file updated with what you think are the correct levels for revisions.... i see why Cisco quickly jumped off the software NAC bandwagon! ;-)

no, what you need is a third-party program which is fed the Posture values by freeradius (think ntlm_auth or LDAP/SQL queries) and returns an OKAY, QUARANTINE or FAIL etc message which can then be acted upon. the 3rd party program would be a dedicated GPL open source tool community driven that is easily managed and gets the info about each AV vendor and patch level etc and can be further programmed to accept registry values and running software processes via same/additional client tools installed on the connecting machine (if such a tool is installed).

OR it can be a proprietary software tool from a major vendor...that can accept the same queries and calls. your choice.

the NAC part, though, would be 'trivial' as far as the RADIUS server is concerned.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
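A sketch of the kind of external decision program described in the reply above, as an added example that is not part of the original post and not FreeRADIUS code: it takes the Endpoint-Posture values from the quoted message and returns OKAY, QUARANTINE or FAIL. The thresholds, the reading of `patchage` and `defage` as ages in seconds, the required-key list and the function names are all assumptions.

```python
import sys

# Constructed policy: thresholds and the "age in seconds" unit are assumptions.
DAY = 86400
POLICY = {
    "os:patchage": {"quarantine": 30 * DAY, "fail": 90 * DAY},
    "av:defage": {"quarantine": 3 * DAY, "fail": 14 * DAY},
}
REQUIRED = ("os:vendor", "os:product", "os:patchage", "av:vendor", "av:defage")


def parse_posture(values):
    """Turn ['os:vendor=Microsoft', ...] into a dict; None if malformed."""
    posture = {}
    for raw in values:
        key, sep, val = raw.partition("=")
        key, val = key.strip().lower(), val.strip()
        if not sep or ":" not in key or not val:
            return None
        if posture.get(key, val) != val:  # same key reported with two values
            return None
        posture[key] = val
    return posture


def evaluate(values):
    """Return 'OKAY', 'QUARANTINE' or 'FAIL' for one endpoint's report."""
    posture = parse_posture(values)
    if posture is None:
        return "FAIL"  # unparseable or self-contradictory report
    if any(key not in posture for key in REQUIRED):
        return "QUARANTINE"  # incomplete report: restrict rather than admit
    verdict = "OKAY"
    for key, limits in POLICY.items():
        val = posture[key]
        if not (val.isascii() and val.isdigit()):
            return "FAIL"
        age = int(val)
        if age > limits["fail"]:
            return "FAIL"
        if age > limits["quarantine"]:
            verdict = "QUARANTINE"
    return verdict


if __name__ == "__main__":
    # Constructed sample: the values from the quoted Access-Accept.
    sample = ["os:vendor=Microsoft", "os:product=Windows XP",
              "os:patchage=91230", "av:defage=31353", "av:vendor=Symantec"]
    print(evaluate(sys.argv[1:] or sample))
```

The reported values come from the connecting machine, so the verdict is only as trustworthy as the client tool that produced them.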

