Network World - As the most important supplier of network infrastructure to enterprises, Cisco's NAC products are a natural point of curiosity for network managers. Unfortunately, though, Cisco's approach to NAC has been riddled with in-fighting, false starts, delayed product releases, and a good dose of chaos and confusion.
Standards wars end, replaced by uneasy truce
At the heart of Cisco's NAC problems were two separately developed and separately maintained products, completely incompatible yet solving the same problem for the same customers. During the several years it took Cisco to deal with the internecine warfare between these two product groups, customers have been dazed and confused as to which is best for them
The first NAC products came through the acquisition of Perfigo, a start-up that had developed a wireless access gateway during the days before widespread availability of WPA authentication and encryption. First called Cisco Clean Access, and recently renamed Cisco NAC Appliance, the product line evolved completely separately from Cisco's other network infrastructure products and has only the lightest integration with Cisco switching devices. Originally an in-line device that protected wireless and VPN links best, the Perfigo products were extended to include edge enforcement for wired enterprise networks based on Cisco switches.
While Perfigo's product line was racking up impressive sales, the switching and routing side of Cisco teamed with the Cisco Secure Access Control Server (a RADIUS and TACACS server) group to develop and market the Cisco NAC Framework, a NAC solution that includes modifications to Cisco switches and routers, the Cisco Trust Agent end-point client, and the ACS RADIUS server, which acts as a back end for both authentication and posture checking.
While the NAC Framework doesn't require 802.1X for authentication and posture checking, it does allow for 802.1X and is extremely similar, architecturally, to the NAC frameworks proposed by the Trusted Computing Group, Microsoft, and the IETF. (The Cisco Trust Agent includes some 802.1X technology through the acquisition of MeetingHouse Data Communications.)
Cisco sold the products in competition with each other during 2006 and 2007, until an internal truce between the two product groups was arranged and Cisco announced that the two product lines would somehow be combined into a single super-NAC product.
Because of Cisco's marketing muscle and control of enterprise networks, third-party partners have been strong supporters of both of Cisco's NAC products, offering a variety of end-point security alternatives to Cisco's own Cisco Security Agent end-point security protection client. In 2006, Microsoft and Cisco also linked their NAC products during the development of Windows Server 2008, offering several integration scenarios that allow enterprises to easily mix Cisco and Microsoft clients and servers in both Cisco-centric and Microsoft-centric NAC deployments.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
