That's interesting, Jeff. Your history is very similar to ours here at Liberty University, but we are taking a slightly different approach.
We were one of Cisco's first CCA customers after their takeover of Perfigo. Some of our people visited Perfigo during our evaluation of the product. That was before I worked here. We found CCA to be a management nightmare with a large number of servers. The summer after Windows Vista was released, our semester startup was a nightmare. CCA was requiring patches that had been superseded earlier in the week during patch Tuesday. These patches were no longer available. Cisco TAC was not any help. Our only option was to manually customize the CCA rules to not require those patches. We then started investigating alternative NAC solutions. As we started evaluating Aruba Networks branded Bradford solution, it was obvious that to deploy that solution, we would need to replace our Cisco fat AP wireless infrastructure. After almost 2 years of evaluation, we deployed Aruba's 802.11n wireless solution along with their rebranded Bradford NAC. Our NAC initially went from 32 CCA servers in high availability mode to 4 Aruba ECS server in HA mode. Due to scaling issues, that number increased to 10 servers and some of our NAC manageability issues returned. We started looking seriously at NAC alternatives, in addition to NAC solutions. In tandem with this project was an Internet bandwidth management & chargeback requirement. We looked closely at PacketFence and impulse point SafeConnect NAC solutions. We decided that wired & wireless 802.1x would be needed to properly identify traffic for bandwidth chargeback We tested PacketFence mainly with Cisco wired switches because they appeared to have better support for the Cisco switches than Aruba wireless. Their solution initially did not work with our Cisco 3750 access switches, even though they are officially supported. We ended up submitting a patch after we were told they did not even have any of these switches for testing. A year ago, when we looked at SafeConnect, they did not have a user self-registration solution. We liked their product for both Aruba wireless & Cisco wired, but the lack of the user self-registration feature for non-802.1x devices led us elsewhere. One of our preferred vendors, Aruba Networks, subsequently purchased the Avenda NAC solution and renamed it to ClearPass Policy Manager. This summer we are deploying ClearPass as our RADIUS, mac authentication, and registration solution. Although ClearPass is a NAC, we will not be using that feature and did not need to license it. We will initially use Cloudpath XpressConnect for 802.1x provisioning until Aruba's solution is improved. ClearPass will feed connection data to our Procera PacketLogic solution for bandwidth management. Rather than NAC, we will be using the Aruba Networks firewall roles to restrict student users from staff. On the wired side, we will be using ACLs to restrict internal student access. The Cloudpath initial provisioning solution allows us to perform a one-time NAC check. Bruce Osborne Network Engineer IT Network Services (434) 592-4229 LIBERTY UNIVERSITY 40 Years of Training Champions for Christ: 1971-2011 From: Jeff Kell [mailto:[email protected]] Sent: Thursday, April 26, 2012 9:26 PM Subject: Re: PacketFence On 4/26/2012 4:13 PM, Mark Duling wrote: I think many have found enforcing remediation of NAC to be problematic with an increasingly protected and sophisticated user base. Whether or not to do posture assessment and enforce remediation seems to me to be the main determinant of how much one needs to spend, rather than the vendor of the solution chosen. We are at somewhat of a crossroads, and about to embark on an experiment... We were an early Perfigo customer, following the fallout from Slammer/Blaster/Nachi/etc. We carried over to the Cisco takeover, and stuck with Cisco until the release of Windows Vista, which was not supported by our CCA version (and not maintenance-upgradeable either, it was a large re-licensing/repurchase path, and the "new" version did not support all of our "old" switches, so there was a 6-figure "update" projected). We then went with Bradford. After an initial learning curve / implementation smoothing, it took the place of CCA rather well, and relaxed the Cisco end-to-end dependence that CCA required. It did a spectacular job of network tracking and management (it's hard to tie a time, MAC, IP, hostname, switchport, and userID together in one place, and searchable to boot). The "posture assessment" worked well for OS / AV, but in today's world, that is hardly sufficient given the plethora of exploit kits targeting Flash, Java, Acrobat, Shockwave, etc. The "remediation" is the klunky part, and if you enforce it brute-force captive-portal style, you are due for some serious feedback if not outright outrage. The current versions of the software allow for "delayed" forced remediation, so you get an obvious indication that you are out of compliance (icon in system tray bleeps at you like the windows update one does) for a configurable number of days before remediation is enforced. But just "getting out of remediation" is somewhat un-intuitive. You have to remediate yourself, more or less, but the icon remains "at-risk" until you navigate to the portal page and initiate a re-scan (users typically expect that to reflect their status in "real-time" and get confused when it doesn't change after they patch). We ditched forced remediation over a year ago, but still very much use the tracking, and even do role-based port security based on registration to separate various user groups, printers, special devices, and so forth on their own vlans. For security incidents, e.g., IPS/IDS detected infections, you still have the "quarantine" mechanism available to you. Quarantine overrides everything and keeps infected machines in their own captive portal, regardless of where they connect; and if the device is registered, it carries over to every network interface on the box (e.g., wired, wireless laptop). Our current "experiment" is looking at IBM's Tivoli Endpoint Manager (a.k.a. BigFix) to handle the remediation cases for university-owned equipment. With the BigFix agent in place on the machine, you can have it do the remediation steps automatically (you just push the needed "fixlets" to the device yourself). We hope this will provide the "missing link" in the whole policy / posturing / endpoint compliance picture while incorporating the common third-party applications as well. Will see how it goes :) If anybody else has "been there, done that, go the T-Shirt" I'd be interested in any stories you can share, good, bad, or otherwise. Jeff ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
