Fair enough regarding "NAC". Our custom "Get Connected" process has been in place for over a decade for wired Residence Hall connectivity. We have switch ports on a fixed VLAN and we have two IP subnets on that VLAN (call them registration and student). When the DHCP request comes across initially for a new student, they get an address on the registration side. There they are served a DNS server that wildcards everything to our captive portal registration page.
Students log into that page and download a custom executable (for Windows or Macs). That executable is smart enough to detect antivirus software, remove it and install our own managed AV. Only after that is installed can they get to the final step of the registration. Through database and scripts behind the scenes, we then register the MAC address of that device. After a certain time interval, their DHCP renewals give them an IP address on the student IP subnet and off they go. That is all wired.

For wireless we have a hybrid with WPA2/802.1X RADIUS calls hitting Packet Fence and placing folks in registration or student VLANs. Registration still goes to our custom "Get Connected" page.

What comes next is very simple posture assessments. We just want to make sure that there is antivirus installed and the definitions are not ridiculously out of date. Exact rules have yet to be determined, but the notion is simple enough (caveat - not much about NAC is simple).

So, for wired I prefer that we use 802.1X on the switch ports and actually detect whether AV is running and current before placing them on the student VLAN. We would want those folks to be able to get themselves remediated on their own too (your AV is out of date, so we will allow you to get the updates but not much else until then). It would eliminate our upkeep on the custom "Get Connected" processes (which is web servers, scripts, databases and executables).

They have served us very well for almost 5,000 beds / semester, but I think we have a more elegant option available today. We did not look at Cisco Identity Services Engine so I cannot comment there. The solutions we looked at (just a handful seriously) were all very expensive. We were comparing six digits and up against very low five digits. It fit the bill for us: Residence Hall wireless and enterprise-wide guest wireless credentialing with the hope of posture assessments in the future. Time will tell how we do there.
Adam **********

Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
