Hi,

> of course, a "a GPLed, ActiveX / Java / other browser-based endpoint
> posture assessment client, for use in fallback non-802.1x (walled-garden)
> mode." could also work after 802.1x

It is actually quite important. If you are in a roaming scenario where your EAP session goes to your home ISP, it makes no sense to tie the posture information into the EAP session - it's the *access network* at the roaming place that needs to know how healthy your computer is. The home ISP at the other end of the world doesn't care that much.

My general preference is that any NAC solution should keep *authentication* (EAP session) and *health assessments* in separate channels. I'm happy that Cisco is following that line of thinking in their NAC solution, by offering a web-based or downloadable client *after* the EAP session if need be. It still *can* be tied into EAP, but it's optional. IMO, the way to go. Anyone implementing a NAC solution (i.e.: you) should keep this in mind, I'm glad you do.

BTW, are you following the discussions in the IETF concerning NAC and friends (the "nea" - network endpoint assessment wg)? If this wg produces implementable results, your solution should be in line with it to ensure interoperability...

It's another topic that I'm overall sceptical of NAC, IMO a network should only reactively shut a client down *after* it did something wrong, not proactively sniff around the local environment and lock it away at once. But NAC is here to stay I guess. :-(

Greetings,

Stefan Winter

--
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html