[unisog] Printers, printers, printers

Nagel, Lonnie lnagel at SFCCMO.EDU
Wed Dec 12 20:26:20 GMT 2007


Sure,
We installed the Cisco NAC (Network Access Control) appliance which
consists of NAC Server box and a NAC Management box.  Keep in mind that
the entire solution is software based but does require its own server
boxes.  (At least 2).  

The basic premise is that you move all open/unused ports into a VLAN
that was set up specifically for this purpose and use the appliance as
the subnet gateway.  

Once a user plugs a device into one of these ports he is immediately
redirected to the NAC server appliance which will initially require the
user to download and install the NAC client.  After that is done the
user's platform is subjected to the configured access requirements of
the server.  These might include things like making sure that the user
has a qualified AV program installed, making sure that that AV program
has current updates, making sure that the user has up to date Microsoft
Updates.  You can set up as many or a few requirements as you wish all
the way up to implementing a Nessus scan to verify that the platform is
virus/worm free to begin with. 

All of this functionality is enforced by the server box and configured
by the management box. You can get as granular as you wish.  We started
out slow and are only requiring current AV and AV updates for now.

The server box also integrates with your AD (and or radius) server so
that once the user platform has passed all the requirements, he is then
required to authenticate onto the network.

There are also MAC filters that you can set up on the server so that
none of this is required for specific devices (i.e. network printers,
access points, etc.) The server interface also shows a current listing
of all logged in users, users that are having trouble logging in, and
users that are in different roles such as quarantine which allows
limited access in order to let the user do a self-remediation by getting
the proper upgrades/updates from various sites (Norton, McAfee,
Microsoft, etc.).

The entire process works pretty slick although the learning curve is a
little steep.  (especially on the initial install - you might want to
look at having a VAR assist)

This product (as are many Cisco products) was purchased by Cisco and
enhanced from there.  I believe its original name was Perfigo. 

There are other NAC packages available - notably I would have really
liked to look harder at a product called Bradford Campus Manager which
does not require the client download. We are a Cisco shop however and
the entire package was purchased along with a major network upgrade so
the pricing was favorable.  (although still expensive - I think you
might want to prepare yourself for the 25 - 50K range if you want to get
into a setup like this).

Hope this answers many of your questions - get back to me if you need
more.

* Lonnie Nagel * Network Manager * State Fair Community College *
Sungard Higher Education Managed Services * 3201 W 16th Street *
* Sedalia, MO  65301 * 660-596-7314 * lnagel at sfccmo.edu *
www.sungardhe.com *
 
CONFIDENTIALITY: This e-mail (including any attachments) may contain
confidential, proprietary and privileged information, and unauthorized
disclosure or use is prohibited. If you received this e-mail in error,
please notify the sender and delete this e-mail from your system.
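The gate order Lonnie describes (MAC exemption for printers and APs, client download, posture requirements, then AD/RADIUS login, with failures landing in a quarantine role that can only reach remediation sites) is easy to model. The following is an added illustration, not Cisco NAC or Perfigo code; the check names, role names, remediation hostnames and sample devices are all constructed for the example. Note that a MAC exemption list is the weakest gate in the chain, since the server only sees the address the device claims, so it is worth keeping that list short and reviewing it.

```python
"""Toy model of NAC role assignment: MAC exemption -> client -> posture -> login.

Added example; not Cisco NAC (Clean Access) code. All names below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Posture:
    """Facts the NAC client would report about a host (constructed field names)."""
    av_installed: bool
    av_signatures_current: bool
    ms_updates_current: bool


# Catalogue of requirements an admin can enable; each maps a name to a predicate.
CHECKS = {
    "av_installed": lambda p: p.av_installed,
    "av_current": lambda p: p.av_installed and p.av_signatures_current,
    "ms_updates_current": lambda p: p.ms_updates_current,
}


@dataclass
class Policy:
    required: tuple                      # enabled check names, e.g. ("av_installed", "av_current")
    mac_exempt: frozenset = frozenset()  # normalized MACs of printers, access points, etc.
    remediation_hosts: tuple = ()        # the only destinations reachable from quarantine


@dataclass
class Decision:
    role: str                            # exempt | client_required | quarantine | unauthenticated | authenticated
    failed_checks: tuple = ()
    allowed_destinations: tuple = ()     # only populated for the quarantine role


def normalize_mac(mac: str) -> str:
    """Canonical form so 'AA-BB-CC-..' and 'aa:bb:cc:..' compare equal in the exemption list."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def failed_checks(posture: Posture, policy: Policy) -> tuple:
    """Names of enabled requirements the host does not meet, in policy order."""
    return tuple(name for name in policy.required if not CHECKS[name](posture))


def assign_role(mac: str, posture: Optional[Posture], authenticated: bool, policy: Policy) -> Decision:
    """Walk the gates in the order the post describes and return the resulting role."""
    if normalize_mac(mac) in policy.mac_exempt:
        return Decision("exempt")                       # printers/APs skip client, posture and login
    if posture is None:
        return Decision("client_required")              # captive portal pushes the NAC client first
    failed = failed_checks(posture, policy)
    if failed:
        return Decision("quarantine", failed, policy.remediation_hosts)
    if not authenticated:
        return Decision("unauthenticated")              # posture passed; AD/RADIUS login still pending
    return Decision("authenticated")


# The "start slow" configuration from the post: only AV presence and AV updates are required.
POLICY = Policy(
    required=("av_installed", "av_current"),
    mac_exempt=frozenset({normalize_mac("00-11-22-33-44-55")}),        # constructed printer MAC
    remediation_hosts=("av-updates.example.net", "os-updates.example.net"),  # constructed
)

# Constructed sample devices: (label, mac, posture or None if no client yet, logged in?)
SAMPLE_DEVICES = [
    ("lab printer", "00:11:22:33:44:55", None, False),
    ("new laptop, no client", "aa:bb:cc:00:00:01", None, False),
    ("laptop, stale AV", "aa:bb:cc:00:00:02", Posture(True, False, True), True),
    ("laptop, clean, not logged in", "aa:bb:cc:00:00:03", Posture(True, True, False), False),
    ("laptop, clean, logged in", "aa:bb:cc:00:00:04", Posture(True, True, False), True),
]


def evaluate_all(devices=SAMPLE_DEVICES, policy=POLICY) -> dict:
    """Map each sample device label to its Decision under the given policy."""
    return {label: assign_role(mac, posture, auth, policy) for label, mac, posture, auth in devices}


if __name__ == "__main__":
    for label, d in evaluate_all().items():
        extra = f" failed={d.failed_checks} reach={d.allowed_destinations}" if d.failed_checks else ""
        print(f"{label:30s} -> {d.role}{extra}")
```

The last sample host is missing Microsoft updates but still lands in the authenticated role, because that check is not in the enabled set; adding `"ms_updates_current"` to `required` moves it to quarantine, which is the "as granular as you wish" knob from the post.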
 
 

-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Rick Hayter
Sent: Wednesday, December 12, 2007 1:06 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Printers, printers, printers

Nagel, Lonnie wrote:
> We installed a NAC appliance last summer. [...] 

Care to share a little more information about your NAC?

-- 
Rick Hayter, Dir. Admin. Computing
University of Dallas, 1845 E. Northgate
Irving, TX 75062  972-721-5227
<public key: rhayter at acm.org at pgp.mit.edu>
_______________________________________________
unisog mailing list
unisog at lists.dshield.org
https://lists.sans.org/mailman/listinfo/unisog