Technically you could trunk each port (802.1q), have all Ethernet
adapters with 802.1q support and push the VLAN on the driver via AD...
there is your NAC in AD...
A bit of a spanning tree nightmare, but what a heck!
;-)
On Mar 6, 2009, at 1:35 PM, Peter P Morrissey wrote:
OK, got yah. You're talking about securing a wired port and you're
right. NAC would do that and AD would not.
Pete Morrissey
-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Scholz, Greg
Sent: Friday, March 06, 2009 12:30 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] NAC polling: Wired AND Wireless
I agree with all your purposes of NAC.
But no, I don't agree that the AD controls are the same or more than NAC
because all you need to do to get on the "network" is unplug the AD
machine and plug in whatever you want.
Greg
-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Peter P Morrissey
Sent: Friday, March 06, 2009 12:09 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] NAC polling: Wired AND Wireless
"I would challenge the "AD is NAC in and of itself" statement also :-)
AD is system access control, not network."
[PM] Technically you are correct, but I think you have to step back to
the purpose of NAC, then look at how AD can serve the purpose.
This of course makes the assumption that the AD machines are locked
down, and in that case I think it is better than NAC.
In my mind NAC is used for:
1) Network Access Control
2) IP to user tracking
3) Posture checking of the endpoint to either ensure that it is secure.
While AD isn't technically network access control, you still can't get
on the network until you log into AD, and is there anyone that you would
want on AD that you wouldn't want to also provide access to your network?
If you can lock down an AD machine with the correct security posture,
and prevent people from installing potentially harmful apps, aren't you
doing pretty much everything most NAC systems can do and in some cases
more?
Pete Morrissey
**********
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.