We are about halfway through our deployment.  While I am not involved
with the network side of things, it is a pain in the a$$ and I would not
recommend any Network Access Control that requires a client.  It has
done nothing but cause more work really.  We are using Cisco's Secure
Services Client.  It now takes longer to boot and log into any PC.  If
there is a problem with a remote machine it now takes one extra step to
check the logs to make sure NAC has not failed and check the client to
make sure it actually works.  Even though the software is installed, that
does not mean it actually works on the PC.  We had problems with licensing
and had to get Cisco involved to give us a new configuration file to
apply.  If we ever need to upgrade the software it will be a pain
because it has to be uninstalled before upgrading because of this
configuration file that was applied at installation.

If you have any Cisco 7910 phones, they fail to release the MAC address
when a computer is unplugged and therefore you cannot use another
computer on the phone until it is reset.  We have a lot of laptops that
come and go.  Doing a MAC bypass is a pain because while I do not have
access to the routers I need to be able to add MAC addresses (custom
solution).  Since our users never tell us beforehand that someone,
vendor, etc. is coming in, it is always a problem.  Oh ya, computers with
virtual PCs, there is another problem and custom setup on the port.
Don't forget about those managed UPSes.  I can't seem to get it
installed on our image before sysprep because when I do, after sysprep it
searches for the domain for 30 minutes before letting you log on.  Ya
ya, I know you can force the domain list in the registry but it is
another problem that came up.

After talking to some friends the idea was brought up to do an ACL list
synced with AD instead of a client-based solution.  In theory the ACL
list sounded pretty easy and controllable with the same downsides of
vendors coming in and all.  The theory was a little over my head on the
network side so I will not say much on the chance that I would be wrong.

One positive: there are no rogue PCs on our network.

Bob

From: Burgess, Jeffrey [mailto:jburg...@liberty-bank.com] 
Sent: Tuesday, April 28, 2009 11:13 AM
To: NT System Admin Issues
Subject: NAC - Network Access Control

Anyone here using a NAC solution?

What are you using and how do you like it?

I'm looking at a few but would like to see what others are using and
how they like it.

Specifically in how useful it is for out of band devices (devices not
owned by your company, i.e. vendor laptops, etc.)

I like ForeScout so far and I'm also looking at Cisco and Symantec.
What do you have?

Jeffrey T. Burgess
Sr. Systems Engineer
Liberty Bank
315 Main St.
Middletown CT, 06457
(860) 704-2196
jburg...@liberty-bank.com 
"Ambition is the last refuge of failure." - Oscar Wilde