We have been using Cisco NAC for a number of years. We particularly like to see its improvement on OS detection. Right now NAC can only detect the OS by inspecting HTTP traffic, so non-Agent users have to open a browser each time to get network access. This is a headache for WPA/WPA2 wireless users because they don't have to authenticate using the web. From what I read, ISE supports multiple inline posture assessment methods (like DHCP fingerprinting). That would address our concerns. Has anyone tried the OS detection using DHCP? Does it work well?

---
Dennis Xu
Network Analyst, Computing and Communication Services
University of Guelph
5198244120 x 56217

----- Original Message -----
From: "Eric Kenny" <[email protected]>
To: [email protected]
Sent: Monday, April 9, 2012 9:02:42 AM
Subject: Re: NAC -> ISE

We have been demoing ISE for a while now. The biggest challenge for us was to integrate with our LDAP backend without requiring supplicants to be installed on clients to support EAP-GTC. To overcome this we managed to set up ISE to authenticate against RADIUS instead (which is not exactly a straightforward process) and that allows us to use the standard EAP-MSCHAPv2/PEAP supplicant installed on Windows.

In Mac OS 10.7 (Lion) Apple changed the way you configure 802.1x settings. Now the user cannot configure anything. All configuration has to be done with Apple’s “iPhone configuration utility” and then the profile needs to be loaded on the client.

As Bruce mentioned, the license cost is quite substantial. Cisco will tell you that your current NAC licenses will transfer over as “Advanced ISE Licenses” 1 for 1; however, that is only valid for 3 years, at which point you need to purchase new licenses. Additionally, any devices in your MAC filter list will also eat up licenses.

Eric J. Kenny
Network Analyst
Marist College
3399 North Rd.
Poughkeepsie, NY 12601
845.575.3820
