I. Background of NAC (cont'd)

An 802.1X network requires the following three components to operate:

    1. NAC Agent - acts as the client side. It is loaded onto the user's device and is used to request network access.

    2. NAC Network Device - network infrastructure used to perform authentication, such as network switches or wireless access points.

    3. NAC Server - receives Remote Authentication Dial In User Service (RADIUS) messages and uses them to verify the authentication credentials against a backend authentication database.

A NAC agent on the endpoint device presents the network credential to the NAC-compatible network device. The network device passes it to the NAC server, which checks and validates the credential. Once the credential is validated, a network port on the NAC-compatible network device is opened and made available for the user to access the network.
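The relay described above, as an added example that is not part of the original page: the network device wraps the agent's EAP identity in a RADIUS Access-Request, and the NAC server verifies the packet's Message-Authenticator before answering. The attribute and code numbers are those of RFC 2865 and RFC 3579; the shared secret, the user names and the identity lookup that stands in for the real credential check are assumptions.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3       # RADIUS codes, RFC 2865
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80    # attribute types, RFC 2865/3579

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def eap_identity(ident, identity):
    """NAC agent: EAP-Response/Identity (code 2, type 1)."""
    return struct.pack("!BBHB", 2, ident, 5 + len(identity), 1) + identity

def build_access_request(secret, ident, user, eap):
    """Network device: wrap the agent's EAP message in a RADIUS Access-Request."""
    attrs = attr(USER_NAME, user) + attr(EAP_MESSAGE, eap) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16) + attrs
    # Message-Authenticator = HMAC-MD5(shared secret, packet with the field zeroed)
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def parse_attrs(pkt):
    """Return {type: (value_offset, value)} or None if the TLVs are malformed."""
    out, i = {}, 20
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            return None
        out[pkt[i]] = (i + 2, pkt[i + 2:i + pkt[i + 1]])
        i += pkt[i + 1]
    return out

def server_decide(secret, pkt, known_users):
    """NAC server: discard (None) unless the packet verifies, then answer Accept/Reject."""
    if len(pkt) < 20 or pkt[0] != ACCESS_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return None
    attrs = parse_attrs(pkt)
    if not attrs or MESSAGE_AUTHENTICATOR not in attrs or USER_NAME not in attrs:
        return None
    off, mac = attrs[MESSAGE_AUTHENTICATOR]
    if len(mac) != 16:
        return None
    zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
    if not hmac.compare_digest(mac, hmac.new(secret, zeroed, hashlib.md5).digest()):
        return None
    # Assumption: an identity lookup stands in for the EAP credential check.
    return ACCESS_ACCEPT if attrs[USER_NAME][1] in known_users else ACCESS_REJECT

def port_open(decision):
    """Network device: the port is authorized only on an explicit Access-Accept."""
    return decision == ACCESS_ACCEPT

SECRET = b"constructed-shared-secret"      # constructed sample values
request = build_access_request(SECRET, 7, b"alice", eap_identity(7, b"alice"))
print(port_open(server_decide(SECRET, request, {b"alice"})))
```

A discarded packet (`None`) and an Access-Reject both leave the port closed, so a request altered in transit or sent with the wrong shared secret never opens it.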

Agent-less NAC Model

The other type of NAC solution does not require a permanent software agent to be installed on the endpoint device. Information about the endpoint device is gathered by a vulnerability assessment run from the network or by temporary software installed on the endpoint device.

  • Network-based NAC

    By leveraging a vulnerability assessment tool such as the Nessus vulnerability scanner, the endpoint device can be assessed by gathering information such as its responses. This model applies to traditional PC-type end systems, but is especially helpful in supporting more diverse environments where nonuser-based end systems and end systems with non-traditional operating systems are present.

  • Applet-based / Dissolvable Agent-based NAC

    This type of NAC is similar to the agent-based NAC solutions. Instead of installing a permanent software agent on the endpoint device, a Java applet, an ActiveX control or a dissolvable software agent is downloaded to the user's endpoint device when it accesses a web page from the protected network. Local assessment is performed by the temporary agent on the endpoint device.

Do Universities need NAC?

The education sector has been a huge customer of the existing NAC solutions in the market across the globe, together with government, health care and financial institutions.

Some vendors considered the reason to be the large number of unmanaged devices in colleges and universities. These are mainly student computers, which need some way to be checked for fundamental protection.

 