
Network Node Validators: Page 4 of 13

Before evaluating each approach, it's important to understand the components used in these NNV and enforcement technologies, and to keep in mind the complications surrounding specific use cases. We went over the high-level node-validation components in "But Will It Work?," page 34, and we'll continue to use the agent, authorization server and enforcement point terminology. One addition to that list is worth noting: the distinction between a managed and an unmanaged node, or "asset." As in the network-management world, the managed designation denotes a device you have administrative access to or control over, while an unmanaged asset typically is something on the network that is up and running but over which you don't have easy--or any--administrative control.

In the node-validation world, a managed asset is one supported by an agent, while an unmanaged node or asset is one the agent technology doesn't support--for example, a Mac OS X client on a network that has only Windows agents--or one that is not actively running an agent.

Also noteworthy is how all these approaches tie back to existing directory and user stores. Most approaches rely on RADIUS as the underlying communications channel to back-end directory services. This is critical: No sane organization will want to maintain user and group mappings in yet another location. This communication is established by the authentication and authorization server (Cisco Secure Access Control Server in the Cisco model, Juniper Infranet Controller in its model) after it receives communications from endpoint agents. Authorization servers act almost like proxies, in a sense, but do so by translating and relaying protocols, sometimes in multiple stages. In Cisco's Layer 2 NAC model, for example, the agent passes posture information to the switch over 802.1X frames; the switch then relays the data payload from that communication to the Cisco Secure ACS server (the authorization component) over RADIUS; the Secure ACS server might then make additional queries using LDAP or HCAP (Host Credential Authorization Protocol) to additional back-end, third-party servers. Cisco's Layer 3 NAC uses a similar model, but forwards posture information to the routers using EAP (Extensible Authentication Protocol) over UDP. Keep in mind that for all this to work flawlessly, every component must be up, running, available and communicating. Fun, huh? Although we didn't have any problems in our tests, organizations must gain technical expertise in multiple new areas to support this technology.

When all's said and done, Juniper and Cisco share two architectural musts: First, if the authentication and authorization communication pathways and servers aren't available, you'll face real problems; placement and redundancy of the authorization components are critical. Without access to authorization servers the entire model breaks. Second, first-level support teams must have visibility into the infrastructure for troubleshooting. In comparison, the model that ConSentry uses, while less functional, dodges the availability bullet in that it doesn't rely on external authentication stores to grant or deny access; it simply pulls credentials off the wire and makes decisions based on its own rule sets. Once again, use-case considerations are critical.
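To make the relay chain and its availability dependency concrete, here is an added example (not code from the article or from any vendor named in it): a toy model of an endpoint agent's posture report being relayed by an enforcement switch to an ordered list of authorization servers that consult a directory, alongside a ConSentry-style inline enforcer that decides from a local rule set. Every class, attribute and sample value here is an assumption made for illustration; the point it shows is that once every authorization server in the relay model is unreachable there is no decision left to enforce, while a backup server keeps the model working and the inline model never depended on the external store in the first place.

```python
# Added example (not from the article): toy model of the multi-stage
# node-validation relay and of what happens when authorization servers
# are unreachable. All names and sample data are constructed assumptions.
from dataclasses import dataclass


@dataclass
class Posture:
    """Constructed posture report an endpoint agent would send."""
    user: str
    av_running: bool
    patch_level: int


class Directory:
    """Stand-in for the back-end user/group store reached over LDAP."""
    def __init__(self, groups):
        self.groups = groups  # user -> group (constructed sample data)

    def group_of(self, user):
        return self.groups.get(user, "guest")


class AuthorizationServer:
    """Stand-in for the AAA role (ACS / Infranet Controller): receives the
    relayed posture payload, checks it against policy, consults the
    directory, and issues a decision. A down server raises, as a RADIUS
    timeout would surface to the enforcement point."""
    def __init__(self, name, directory, up=True, min_patch=5):
        self.name, self.directory, self.up, self.min_patch = name, directory, up, min_patch

    def evaluate(self, posture):
        if not self.up:
            raise ConnectionError(f"{self.name} unreachable")
        healthy = posture.av_running and posture.patch_level >= self.min_patch
        if not healthy:
            return "quarantine"  # remediation network
        group = self.directory.group_of(posture.user)
        return "allow" if group == "staff" else "guest-only"


class EnforcementSwitch:
    """Enforcement point: relays posture (802.1X/EAP in, RADIUS out) to an
    ordered list of authorization servers, primary first. Redundancy is
    the only thing that keeps a decision possible when one server is down."""
    def __init__(self, servers):
        self.servers = servers

    def admit(self, posture):
        for server in self.servers:
            try:
                return server.evaluate(posture), server.name
            except ConnectionError:
                continue  # try the next server in the list
        # No server answered: the relay model has no decision to enforce.
        return "deny", None


class InlineEnforcer:
    """ConSentry-style: credentials taken off the wire are matched against
    a local rule set, so no external store is needed for the decision."""
    def __init__(self, rules):
        self.rules = rules  # user -> decision (constructed sample data)

    def admit(self, posture):
        return self.rules.get(posture.user, "deny"), "local"


def run_scenarios():
    """Exercise the models with a simulated primary-server outage."""
    directory = Directory({"alice": "staff", "bob": "contractor"})
    primary = AuthorizationServer("acs-1", directory, up=False)  # outage
    backup = AuthorizationServer("acs-2", directory, up=True)
    report = Posture(user="alice", av_running=True, patch_level=7)

    return {
        # backup answers after the primary times out
        "redundant": EnforcementSwitch([primary, backup]).admit(report),
        # single server down: the model breaks and the node is denied
        "no_redundancy": EnforcementSwitch([primary]).admit(report),
        # inline model decides locally, unaffected by the outage
        "inline": InlineEnforcer({"alice": "allow"}).admit(report),
        # failed posture check lands in quarantine even for a staff user
        "unhealthy": EnforcementSwitch([backup]).admit(Posture("alice", False, 7)),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:14s} -> {outcome}")
```

Running the block prints one decision per scenario; the "no_redundancy" case is the situation the paragraph warns about, and adding a second server to the switch's list is what turns it back into an "allow" from acs-2.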

Cisco has announced Phase II of its NAC technology, which brings NNV functionality to its switching line, and we were fortunate to be able to evaluate a number of the components before they rolled out. Cisco's initiative touches dozens of product lines and consists of new functionality in switches, routers, authentication servers and host agents. We found Cisco further along than the other vendors--it's shipping its second generation of the technology this month, it has enforcement capabilities in both its routing and switching product lines, and it has more than a dozen partners shipping NAC-enabled products.