Yesterday I spent about four hours configuring a Cisco Aironet 1240AG access point, a Cisco 3750 switch, and an HP ProCurve switch to authenticate hosts using 802.1X against a Windows 2003 Enterprise Server AD deployment. During the deployment I was reading the docs for the switches (yeah, yeah, shocking), and noted that the 802.1X configuration could be set with default actions, such as putting the port into a default VLAN, if an 802.1X authentication failed or there was no supplicant on the host (there are some other features I will dive into at a later date). So I have to wonder: if you can run 802.1X and you simply want to keep outsiders on a guest VLAN with limited resources, do you really need a NAC system?
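As an added illustration (not the author's configuration), here is what the default-action behaviour described above looks like on a Catalyst 3750 running IOS 12.2: the guest VLAN catches ports where no supplicant answers, and the auth-fail VLAN catches hosts whose authentication is rejected. The VLAN numbers, RADIUS server address, shared-secret placeholder and interface name are assumptions.

```cisco
! Global 802.1X and RADIUS setup (server address and key are placeholders)
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-SHARED-SECRET-PLACEHOLDER
!
! Assumed VLAN IDs: 10 = corporate LAN, 20 = guest (Internet-only)
vlan 10
 name CORP
vlan 20
 name GUEST
!
interface FastEthernet0/1
 description user-facing access port
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 ! host never answers the EAP-Request/Identity (no supplicant) -> guest VLAN
 dot1x guest-vlan 20
 ! supplicant present but RADIUS rejects the credentials -> auth-fail VLAN
 dot1x auth-fail vlan 20
 dot1x auth-fail max-attempts 3
 spanning-tree portfast
```

The guest VLAN is assigned only after the switch's EAP-request retries time out with no reply, and the auth-fail VLAN only after max-attempts rejected logins; the guest VLAN itself still needs an ACL or firewall rule to restrict it to Internet access.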
I was sitting down to read some news and check email when Dan Clark from Lockdown Networks IM'd me. We chat about amplifiers, coffee, geek stuff. While we were talking, I asked him the question I posed above and he pointed out some obvious issues with my simple scenario: the access decision is rarely a binary one, not all organizations have 802.1X capabilities everywhere, and sometimes organizations want to intercede in a session, perhaps to force a user to accept a EULA. These are all good points, and if your goal is a more complex policy decision than employee/guest, a NAC system may be in your future. But if your needs are simple, look to what you already have.
The Desktop Problem
I have read the NAC materials from vendors, gotten the vendor briefings, and taken the products for a test drive. I get it. In very simple terms we can lump computers into two groups: managed computers, such as corporate-owned machines, and unmanaged computers brought in by guests and contractors. Managed computers should be under IT's control, and with proper desktop management practices IT should be able to keep them up to date and patched. If that is the case, then the risk of infection is vastly reduced. Following the practice of least user privilege, for example taking users out of the local Administrators group, will also go a long way to blocking the most egregious issues.
There is a whole industry dedicated to desktop management covering topics as diverse as asset management, patch management, application management, rights management, data management, configuration management, and back-up management. If your laptops are properly managed, then the chances of getting infected while off-site should be pretty low, and with desktop management practices in place you get all the benefits of managed systems.
A NAC solution in this case can be used as one check in a system of checks and balances. For example, the patch management product says all hosts have a certain patch, but this particular host reports the patch doesn't exist, so let's take some action like starting an update or notifying desktop support. There are lots of interesting things you can do.
The Guest Problem
Guests pose a unique problem depending on the level of access they need. A simple policy might state that guests can only access the Internet. By putting unauthenticated computers on a specific VLAN, they will be segregated from the corporate LAN. But contractors, consultants, system engineers, and others often need access to corporate resources and will come equipped with their own hardware. Simply telling them they can't use their equipment may not be possible or even desirable.