Stefan Winter wrote:
> It is actually quite important. If you are in a roaming scenario where your
> EAP session goes to your home ISP, it makes no sense to tie the posture
> information into the EAP session - it's the *access network* at the roaming
> place that needs to know how healthy your computer is. The home ISP at the
> other end of the world doesn't care that much.

It cares a little. It may want to require certain software updates, too. But the local network cares more.

> My general preference is that any NAC solution should keep *authentication*
> (EAP session) and *health assessments* in separate channels.

That makes sense, but not everyone sees it that way, unfortunately.

> BTW, are you following the discussions in the IETF concerning NAC and friends
> (the "nea" - network endpoint assessment wg)? If this wg produces
> implementable results, your solution should be in line with it to ensure
> interoperability...

I'm sure you've seen my messages on NEA... I have serious doubts about it. For a number of reasons.

> It's another topic that I'm overall sceptical of NAC, IMO a network should
> only reactively shut a client down *after* it did something wrong, not
> proactively sniff around the local environment and lock it away at once. But
> NAC is here to stay I guess. :-(

I understand it's useful to set requirements for network access. "You need a username, password, and a system that isn't susceptible to viruses". The pro-active scanning is nearly impossible to implement correctly.

NEA largely seems like a group of people who want to standardize a pre-existing solution, and are surprised that there are people with different points of view.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html