I agree with all your purposes of NAC. But no, I don't agree that the AD controls are the same or more than NAC, because all you need to do to get on the "network" is unplug the AD machine and plug in whatever you want.
Greg

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Peter P Morrissey
Sent: Friday, March 06, 2009 12:09 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] NAC polling: Wired AND Wireless

I would challenge the "AD is NAC in and of itself" statement also :-) AD is system access control, not network. "

[PM] Technically you are correct, but I think you have to step back to the purpose of NAC, then look at how AD can serve the purpose. This of course makes the assumption that the AD machines are locked down, and in that case I think it is better than NAC.

In my mind NAC is used for:
1) Network Access Control
2) IP to user tracking
3) Posture checking of the endpoint to either insure that it is secure.

While AD isn't technically network access control, you still can't get on the network until you log into AD, and is there anyone that you would want on AD that you wouldn't want to also provide access to your network? If you can lock down an AD machine with the correct security posture, and prevent people from installing potentially harmful apps, aren't you doing pretty much everything most NAC systems can do and in some cases more?

Pete Morrissey

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
