We deployed the Symantec NAC solution (with Microsoft RADIUS, Cisco and Alcatel switches/WAPs) at my last project.
Possibly overkill, but it did allow for both user and certificate based authN, dynamic allocation of VLANs (based on AD OUs, cert CNs, health checking etc.), both wireless/wired, and custom rules (deployed on the RADIUS server) for specific BUs. It also allowed for additional dynamic VLANs (e.g. to support VMs running on the clients, or daisy-chained VOIP handsets). Suffice it to say, it was a PITA to get working (it was both operationally challenging to manage, plus we ran into several bugs in products), but in the end it works pretty well, from what I understand.

Cheers
Ken

From: [email protected] [mailto:[email protected]] On Behalf Of Andrew S. Baker
Sent: Thursday, 24 April 2014 7:58 AM
To: ntsysadm
Subject: Re: [NTSysADM] NAC and NAP technologies

Thanks, MBS...

Yeah, Microsoft is pushing NAP in the direction of System Center, but for smaller environments, this seems like overkill.

ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market...

On Wed, Apr 23, 2014 at 4:49 PM, Michael B. Smith <[email protected]> wrote:

System Center can do that, of course, as well as presenting a pretty good MDM solution when combined with Intune. However, it is far more about "block vs allow". I'm not aware of a way to move network segments, although you can do just about anything with PowerShell.

I've deployed it several times in medium-scale networks (a few thousand devices).

From: [email protected] [mailto:[email protected]] On Behalf Of Andrew S. Baker
Sent: Wednesday, April 23, 2014 4:39 PM
Subject: [NTSysADM] NAC and NAP technologies

I'm in the midst of evaluating some network access control/protection tools, including PacketFence and Microsoft NAP. Is anyone using any of these technologies today? (Microsoft NAP is deprecated as of 2012-R2, as they look to nudge us over to System Center)

Any recommendations?

I'm looking for the ability to manage what devices show up on the network, and move them to appropriate network segments or block them from the network outright. Some health checking would be nice, on top of all that. Agent vs agentless doesn't really matter. Mostly Microsoft networks, with Android/iOS mobile devices.

Thanks!

ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market...
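A worked illustration of the dynamic VLAN assignment Ken and Andrew describe (segment chosen per AD OU or cert CN, quarantine on a failed health check, unknown devices blocked outright), as an added example that is not from the thread or from any product named in it. The VLAN numbers, OU names and the `voip-` CN prefix are constructed assumptions; the three tunnel attributes are the standard RFC 3580 ones a RADIUS server returns in Access-Accept so an 802.1X switch or WAP places the port in a VLAN.

```python
# Added example (not from the thread): a simplified model of the dynamic VLAN
# decision, expressed as the RFC 3580 tunnel attributes a RADIUS server returns
# in Access-Accept. VLAN numbers, OU names, the "voip-" CN prefix and the
# health flag are constructed placeholders, not values from any real deployment.
from dataclasses import dataclass
from typing import Optional

QUARANTINE_VLAN = 999          # assumed remediation VLAN for unhealthy clients
OU_TO_VLAN = {                 # assumed AD OU -> VLAN mapping
    "OU=Finance": 110,
    "OU=Engineering": 120,
}
VOIP_VLAN = 130                # assumed voice VLAN for daisy-chained handsets


@dataclass
class Endpoint:
    user_dn: Optional[str]     # set for user-based authN (AD account)
    cert_cn: Optional[str]     # set for certificate-based authN (EAP-TLS)
    healthy: bool = True       # result of the health check, if one ran


def choose_vlan(ep: Endpoint) -> Optional[int]:
    """Return the VLAN to assign, or None to reject (Access-Reject)."""
    if ep.cert_cn and ep.cert_cn.startswith("voip-"):
        return VOIP_VLAN                       # handset identified by cert CN
    if not ep.healthy:
        return QUARANTINE_VLAN                 # failed health check -> remediation
    if ep.user_dn:
        for ou, vlan in OU_TO_VLAN.items():
            if ou in ep.user_dn:
                return vlan                    # user VLAN derived from AD OU
    return None                                # unknown device: block outright


def radius_attributes(ep: Endpoint) -> Optional[dict]:
    """Build the RFC 3580 attributes for Access-Accept, or None to reject."""
    vlan = choose_vlan(ep)
    if vlan is None:
        return None
    return {
        "Tunnel-Type": 13,              # VLAN
        "Tunnel-Medium-Type": 6,        # IEEE-802
        "Tunnel-Private-Group-ID": str(vlan),
    }
```

Feeding the switch these attributes is what moves a device between segments; returning None is the "block vs allow" case Michael mentions.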

