[unisog] Printers, printers, printers

Nagel, Lonnie lnagel at SFCCMO.EDU
Thu Dec 13 13:42:02 GMT 2007

We are currently looking at the NAC profiler piece in order to reduce
the management overhead of NAC but as of yet have not pulled the trigger
on it. 

I too would be interested in hearing from any of you who have experience
with it.  Pros, cons, etc.

Are there any specific reasons why you would prefer an OOB deployment
over an IB deployment? 

In our original implementation we started out with 1 server configured
as and 1 as IB. It became apparent very quickly, to me anyway, that
(Cisco) OOB is far from ready for prime time.

The major issue I had with it was the necessity of it needing to do an
ipconfig release/renew for every logon.  The time frame for all of this
to happen seemed to take an inordinate amount of time (especially on
clunkers up in the residence halls.) We also seemed to be having issues
where the switch ports were not reverting back to the unauthenticated
VLAN when a user simply pulled the plug on the ethernet connection.
Additionally, we have several portable wireless laptop carts that get
rolled around campus (kind of like portable labs) and these wireless
deployments will only work with an IB configuration as the APs
themselves need to be set up in the filter list. 

We have since reconfigured the OOB box for IB operation and there seems
to be zero issues with this configuration.  Logon consistently happens
in 3 seconds or less which includes the PC scan for required installs. 

I have not implemented Nessus as of yet and would be interested in
hearing from anyone who is currently using that piece of it and its
effect on logon times.

Additionally, we have placed an ASA firewall between our core network
and the residence halls which allows only access to our AD server and
the internet (our ISP provides external DNS hosting).  So in essence we
have simply become an ISP that requires network authentication in order
for our dorm residents to get internet access. 

This has turned out to be a very interesting thread.

* Lonnie Nagel * Network Manager * State Fair Community College *
Sungard Higher Education Managed Services * 3201 W 16th Street *
* Sedalia, MO  65301 * 660-596-7314 * lnagel at sfccmo.edu *

-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Stein, Greg
Sent: Wednesday, December 12, 2007 3:35 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Printers, printers, printers

Interesting.  We ditched Clean Access to go with Bradford.  The main
reason was due to our switches being HP Procurves and that forced us to
use Clean Access as an In-Band NAC.  After fighting with Bradford for
the past semester I would stick with CCA if you have it set up OOB.  We
are using the persistent agent with Campus Manager so the enforcement is
very similar to what we had with CCA. Setup/Configuration/reliability
has not been very good with the Bradford system. YMMV I guess. NAC
solutions still seem to be a little green.

Best of luck.

-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Nagel, Lonnie
Sent: Wednesday, December 12, 2007 2:26 PM
To: rhayter at udallas.edu; UNIversity Security Operations Group
Subject: Re: [unisog] Printers, printers, printers


This product (as are many Cisco products) was purchased by Cisco and
enhanced from there.  I believe its original name was Perfigo.

There are other NAC packages available - notably I would have really
liked to look harder at a product called Bradford Campus Manager which
does not require the client download. We are a Cisco shop however and
the entire package was purchased along with a major network upgrade so
the pricing was favorable.  (although still expensive - I think you
might want to prepare yourself for the 25 - 50K range if you want to get
into a setup like this).
