However, reporting was limited, and we found troubleshooting host problems difficult. There's no way to remove individual hosts from the system short of deleting the entire database and starting over. Integrating switches can be time consuming. We also had some issues with the ActiveX client getting into what we can only describe as a bad state, requiring us to delete the ActiveX object from the browser and start anew.
We were unable to open or close an 802.1X-enabled port from within the UI--a basic feature for an access control product. And when using 802.1X enforcement, there's no way to handle guest machines that lack an 802.1X supplicant, other than configuring a default guest VLAN. The problem is, clients that end up in this guest VLAN won't be assessed by SafeAccess. Also, the assessment criteria that shipped with the product are a bit limited. StillSecure does create custom checks, but there's generally a two-week turnaround. On the plus side, SafeAccess supports centralized management, and we could separate management functions from enforcement duties.
TRIPLE THREAT SafeAccess is primarily out-of-band network access control, but it does provide for a variety of enforcement methods: in-band, as in front of a VPN or remote-access concentrator; DHCP, enforcing access control through DHCP addressing assignment; and 802.1X, using a combination of 802.1X authentication and VLAN assignment. An enforcement point can use only one method at a time, though we could use multiple points simultaneously.
SafeAccess host assessment is via persistent agents, dissolvable agents using ActiveX, or agentless assessment using Windows Domain credentials to query a host. We tested all three methods. Unlike other NAC vendors that license Opswat's Endpoint Security Integration SDK, StillSecure writes its own assessment policies, giving it control over how application and configuration status is derived. While we could create checks for required and forbidden software and services, there is no way to check if a particular application is running. We used the 802.1X enforcement method because it's the most secure, and our infrastructure supports 802.1X.