Hi Adam,

My personal opinion is that NAC as a generic term has gotten almost too
ambiguous to be useful.  The Wikipedia entry for NAC says this:

> Initially 802.1X was also thought of as NAC. Some still consider 802.1X as
> the most simple form of NAC, but most people think of NAC as something more.


I'm not sure by your description whether you want to continue to use
traditional NAC components after you "go straight 802.1x and Packet Fence."
 Can you elaborate on where you want to get with remediation and
enforcement?

I think many have found enforcing remediation of NAC to be problematic with
an increasingly protected and sophisticated user base.  Whether or not to
do posture assessment and enforce remediation seems to me to be the main
determinant of how much one needs to spend, rather than the vendor of the
solution chosen.  As I've mentioned before, Cisco ISE-Base is about 15k for
10k endpoints (with no cost to install an ISE failover unit), and also not
NAC, at least on the understanding that only 802.1x and guest registration
portals do not a NAC make.  I have no brief for Cisco or any particular
vendor, but this is at least one example of a major vendor with a
cost-effective option for those not wishing to do posture assessment,
remediation, and other traditional NAC things.

Mark


On Thu, Apr 26, 2012 at 10:06 AM, Adam T. Ferrero <a...@temple.edu> wrote:

>   We have been using Packet Fence successfully since last summer.  We
> reviewed it and a few other commercial offerings.  It is our first NAC
> implementation and was prompted by the installation of 675 new wireless
> access points in our Residence Halls.  We wanted a way to enforce a few
> rules on the students living on campus.  Previously we have been running
> our own custom processes to ensure those rules (wildcard dns, captive
> portal, custom executables, all non 802.1x stuff).
>
>   Since it was six figures less expensive than the next best commercial
> alternative and we have a talented staff that could support it, it wasn’t a
> difficult choice.  It is a commercial open source offering, so we pay
> Inverse a few dollars so that we can call for help when we get stuck.
>
>
>   We did two months of testing, then a one building pilot for two weeks
> and then deployed to all locations last fall (we rushed it).  During the
> winter intersession we added support to enterprise wide guest wireless
> credentialing (displacing another commercial solution).  We have needed to
> continue to scale it upward just because of our size, but now we are
> architected so that we can do that fairly easily (with hardware load
> balancing).  Next we need to enable the statement of health checking within
> Packet Fence.  We integrated Packet Fence with our custom solution and
> executables to figure that out presently, but want to go straight 802.1x
> and Packet Fence.
>
>
>   I’ve been very happy with the selection and with the support from
> Inverse.  I’d be happy to share more experiences.
>
>
>   Adam Ferrero
>
>   Executive Director Network Services
>
>   Temple University, Computer Services
>
> **********
> Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
>
>
