Cisco's NAC goes off track, customers taken aback

As the most important supplier of network infrastructure to enterprises, Cisco's NAC products are a natural point of curiosity for network managers. Unfortunately, though, Cisco's approach to NAC has been riddled with in-fighting, false starts, delayed product releases, and a good dose of chaos and confusion.

At the heart of Cisco's NAC problems were two separately developed and separately maintained products, completely incompatible yet solving the same problem for the same customers. During the several years it took Cisco to deal with the internecine warfare between these two product groups, customers have been dazed and confused as to which is best for them

The first NAC products came through the acquisition of Perfigo, a start-up that had developed a wireless access gateway during the days before widespread availability of WPA authentication and encryption. First called Cisco Clean Access, and recently renamed Cisco NAC Appliance, the product line evolved completely separately from Cisco's other network infrastructure products and has only the lightest integration with Cisco switching devices. Originally an in-line device that protected wireless and VPN links best, the Perfigo products were extended to include edge enforcement for wired enterprise networks based on Cisco switches.

While Perfigo's product line was racking up impressive sales, the switching and routing side of Cisco teamed with the Cisco Secure Access Control Server (a RADIUS and TACACS server) group to develop and market the Cisco NAC Framework, a NAC solution that includes modifications to Cisco switches and routers, the Cisco Trust Agent end-point client, and the ACS RADIUS server, which acts as a back end for both authentication and posture checking.

While the NAC Framework doesn't require 802.1X for authentication and posture checking, it does allow for 802.1X and is extremely similar, architecturally, to the NAC frameworks proposed by the Trusted Computing Group, Microsoft, and the IETF. (The Cisco Trust Agent includes some 802.1X technology through the acquisition of MeetingHouse Data Communications.)

Cisco sold the products in competition with each other during 2006 and 2007, until an internal truce between the two product groups was arranged and Cisco announced that the two product lines would somehow be combined into a single super-NAC product.

Because of Cisco's marketing muscle and control of enterprise networks, third-party partners have been strong supporters of both of Cisco's NAC products, offering a variety of end-point security alternatives to Cisco's own Cisco Security Agent end-point security protection client. In 2006, Microsoft and Cisco also linked their NAC products during the development of Windows Server 2008, offering several integration scenarios that allow enterprises to easily mix Cisco and Microsoft clients and servers in both Cisco-centric and Microsoft-centric NAC deployments.

In the meanwhile, Cisco has released new versions of products in both their NAC Framework and NAC Appliance lines, but has reduced the volume and aggressiveness of their marketing efforts in NAC. (Cisco declined to actively participate in our head-to-head test of NAC products, but we tested them anyway.) Customers who approach Cisco for NAC solutions are being directed towards the NAC Appliance, so it is assumed by outside observers that the features of NAC Framework will be added to NAC Appliance.

Cisco hasn't given us a peek at their super-NAC product, or committed to a ship date. While Cisco remains enthusiastic about its ability to wow the world of NAC, smaller and more agile companies are bringing innovative solutions to the market — and cutting into Cisco's NAC business. If you need NAC now, you might not want to wait for Cisco to ship its super-NAC product.

Tags cisconetwork access control (NAC)

Recommended

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joel Snyder

Network World

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?