Network Access Control Solution

Hi All,

I have done much research on Network Access Control (NAC) and will now ask the experts for their thoughts on how to achieve the way I would like to see NAC handled on my network.


Preventing unauthorised "anythings" from:

1. Getting an IP address from my DHCP server. Period.
2. Communicating with the network at all, even when a user with enough smarts adds an IP they found not in use to their "anything", because the device has not been authorised on the "gateway NAC server" by IT staff adding its MAC.

Being "authorised" to me would mean the device has its MAC added to a "list" that is referenced, or an agent installed on the workstation, which poses an issue for printers, scanners and other misc. legit devices.

My basic thinking would have been to:

1. Add reservations using known MACs.
2. Add the rest of the IPs not in use to a Windows box's TCP/IP configuration, thus making them "in use"??

A DHCP exclusion range would not stop a device connecting that had put in valid IP details.

Does anyone know of open source or commercial software that fits this bill, or a method?
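As an added example (not part of the original question), here is the detective half of what is being asked for: take a switch ARP table and compare it against an IT-maintained MAC allowlist, so that a device that gave itself a free static IP shows up as unauthorised, and a known MAC that appears on an IP other than its reservation (or on two IPs at once) is flagged as a possible clone. The allowlist CSV layout, the `show ip arp` sample and the hostnames are constructed for this example; only Cisco-style ARP output is parsed.

```python
"""Added example (not from the thread): audit a switch ARP table against an
IT-maintained MAC allowlist.  The CSV layout, sample data and names below are
assumptions made for this example."""
import csv
import io
import re
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "kind ip mac note")

# Constructed allowlist (hypothetical format IT staff would maintain).
ALLOWLIST_CSV = """\
mac,owner,reserved_ip
0000.0c9f.f001,core-gateway,10.0.10.1
00:11:22:33:44:55,print-01,10.0.10.20
00-11-22-33-44-66,ws-finance-03,10.0.10.31
0011.2233.4477,scanner-02,10.0.10.40
"""

# Constructed 'show ip arp' output in Cisco IOS layout (not a real capture).
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.10.1               -   0000.0c9f.f001  ARPA   Vlan10
Internet  10.0.10.20              5   0011.2233.4455  ARPA   Vlan10
Internet  10.0.10.31             12   0011.2233.4466  ARPA   Vlan10
Internet  10.0.10.77              2   0011.2233.4466  ARPA   Vlan10
Internet  10.0.10.99              0   Incomplete      ARPA
Internet  10.0.10.150             0   f4ce.4600.0a1b  ARPA   Vlan10
"""

ARP_RE = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA\s+(?P<iface>\S+)"
)


def normalize_mac(raw):
    """Accept aabb.ccdd.eeff, aa:bb:cc:dd:ee:ff or AA-BB-CC-DD-EE-FF; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[.:\-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_allowlist(text):
    """CSV of mac,owner,reserved_ip -> {normalized mac: (owner, reserved_ip)}."""
    rows = csv.DictReader(io.StringIO(text))
    return {normalize_mac(r["mac"]): (r["owner"], r["reserved_ip"]) for r in rows}


def parse_arp(text):
    """Cisco 'show ip arp' text -> [(ip, mac, iface)]; 'Incomplete' entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            entries.append((m["ip"], normalize_mac(m["mac"]), m["iface"]))
    return entries


def audit(arp_entries, allowlist):
    """Flag unknown MACs, known MACs off their reserved IP, and MACs seen on several IPs."""
    findings = []
    ips_by_mac = defaultdict(list)
    for ip, mac, iface in arp_entries:
        ips_by_mac[mac].append(ip)
        if mac not in allowlist:
            findings.append(Finding("unauthorized_mac", ip, mac, f"seen on {iface}, not in allowlist"))
        elif allowlist[mac][1] != ip:
            owner, reserved = allowlist[mac]
            findings.append(Finding("ip_mismatch", ip, mac, f"{owner} reserved {reserved}; static IP or clone"))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(Finding("duplicate_mac", ",".join(sorted(ips)), mac, "same MAC on several IPs; likely cloned"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_arp(ARP_OUTPUT), parse_allowlist(ALLOWLIST_CSV)):
        print(f"{f.kind:16} {f.ip:24} {f.mac}  {f.note}")
```

This only detects after the fact and only for hosts that have already talked on the segment, and a MAC address is trivially spoofable, so a pinned list like this catches accidental or casual squatters rather than a determined user; it is a useful audit to run from the gateway or core regardless of which NAC mode is chosen.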


I try to avoid dot1x and NACs that are in DHCP mode... Here's why...

dot1x is complicated if you are running different hardware. In my case we have all Cisco equipment, but at my location we use a lot of unmanaged Linksys workgroup switches to enable more ports in a room (very hard to manage...).

DHCP works well, but the workaround is to configure a static IP address, which then bypasses your NAC.

The solution I ended up getting was ForeScout NAC, which has built-in IPS/IDS and NAC all in the box.

It runs on Linux (so very, very, very customizable); you can push various scripts and perform host checks; features include virtual firewalling (it can isolate a host within a segment from other hosts within the same segment) and built-in honeypots that integrate with the IDS/IPS. Very, very low cost...

It also has USB storage device detection and the ability to disable it.

I've had it for about a month so far and it's been working really great.

I always like to advertise FreeNac if you're running Cisco gear. Also, to play devil's advocate: why would you base your NAC control solely on MAC address when it can be easily faked with various Windows programs or from the command line on Mac/Linux clients?

You should deploy dot1x; it allows you to authenticate users/systems to access your network. Unauthorized users can be segmented into guest or unauthorized VLANs where you can implement separate security policies.

harbor235 ;}

Also, ForeScout works by spanning all VLANs... I have a 6509 core switch and we just spanned all VLANs and configured the NAC to check network traffic.
AI-SYD (Author) commented:
Reviewing, thanks for adding comments.
Rich Rumble (Security Samurai) commented:
Symantec's NAC solution is a good one; the software costs, but the Windows DHCP NAC component is actually thrown in for free, just install it on your Windows DHCP servers.
802.1x can be very effective, and there are some bypasses such as MAC address cloning... but that causes some havoc on the network depending on what MAC was cloned; a printer MAC address being cloned wouldn't be a big deal, you could easily poison ARP this way with no major side effects.
Having a cert installed on the PCs is the best way to use 802.1x, and you can still allow "dumb" devices such as network printers and faxes to be accessed, either by excluding them or by saying only this MAC on this port.
So with 802.1x you can have the MAC address alone be good enough, you can have the MAC as well as a username/password authentication scheme, or you can have a cert be present in the 802.1x client and do a combination of the above.
The Cisco feature "port security" is a MAC-address-only feature you can also use, but "port secured" ports cannot be configured for 802.1x, nor can trunks, SPAN ports or EtherChannel (unless the EtherChannel is removed first).

802.1x tries to address the static IP issue if you have no DHCP, or if you have a NAC-DHCP that only allows the known-good MACs to gain an IP.
Most NACs try to help your administration needs by having you install a client on your known-good hardware; from there you don't need to maintain a MAC whitelist, the client will vouch for the PC, and the user still needs to authenticate as they normally do. Some NACs go further and do some checking on the host to see if it's properly patched and has the latest AV DATs. If not, the host isn't allowed to log in on the normal subnet/VLAN until those issues are remediated, and is instead allowed to connect to a subnet/VLAN that only lets it get DATs or patches.

Cisco's NAC is complex but works well with their equipment; Symantec's NAC requires Symantec AV (SEP [Endpoint Protection], they call it), so both are on the costly side. You can, again, run 802.1x in a variety of ways, and you can disable/shut down unused ports, etc.
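As an added example (not the commenter's code, and not from any vendor), the per-port advice above can be turned into generated Cisco IOS access-port configuration: "only this MAC on this port" via port security for dumb devices, 802.1x with a guest VLAN for workstations, and shutdown for every port that is not in the inventory. The inventory CSV format, the interface naming, the VLAN numbers and the eight-port switch are assumptions; the IOS syntax is classic Catalyst IOS and varies by platform and version, so the output is a starting point to review, not something to paste blindly.

```python
"""Added example (not from the thread): generate per-port Cisco IOS access
configuration from a port inventory.  The inventory format, VLAN numbers and
port names are assumptions; IOS syntax differs across platforms/versions."""
import csv
import io
import re

# Constructed port inventory (hypothetical format): port, owner, policy, mac.
# policy is "mac" (port-security pin, needs a MAC) or "dot1x" (no MAC needed).
# Physical ports absent from the inventory are shut down and parked.
INVENTORY_CSV = """\
port,owner,policy,mac
Gi1/0/1,print-01,mac,00:11:22:33:44:55
Gi1/0/2,scanner-02,mac,0011.2233.4477
Gi1/0/3,ws-finance-03,dot1x,
Gi1/0/4,ws-finance-04,dot1x,
"""

DATA_VLAN = 10      # assumed production VLAN
GUEST_VLAN = 99     # assumed guest/unauthorized VLAN for failed or silent dot1x
PARKING_VLAN = 999  # assumed unused VLAN (no SVI) for shut ports


def to_cisco_mac(raw):
    """'00:11:22:33:44:55' or '00-11-22-33-44-55' -> '0011.2233.4455' (IOS dotted form)."""
    digits = re.sub(r"[.:\-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC: {raw!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def parse_inventory(text):
    """CSV -> {port: (owner, policy, cisco_mac_or_None)}; rejects a MAC pinned to two ports."""
    inventory, seen_macs = {}, {}
    for r in csv.DictReader(io.StringIO(text)):
        mac = to_cisco_mac(r["mac"]) if r["mac"] else None
        if r["policy"] == "mac" and mac is None:
            raise ValueError(f"{r['port']}: policy 'mac' needs a MAC")
        if mac and mac in seen_macs:
            raise ValueError(f"{mac} listed on both {seen_macs[mac]} and {r['port']}")
        if mac:
            seen_macs[mac] = r["port"]
        inventory[r["port"]] = (r["owner"], r["policy"], mac)
    return inventory


def port_config(port, owner, policy, mac):
    """IOS stanza for one port.  Per the thread, a port is either port-secured
    or dot1x, never both, so the policy selects exactly one set of lines."""
    lines = [f"interface {port}", f" description {owner}",
             " switchport mode access", f" switchport access vlan {DATA_VLAN}"]
    if policy == "mac":
        lines += [" switchport port-security",
                  " switchport port-security maximum 1",
                  f" switchport port-security mac-address {mac}",
                  " switchport port-security violation restrict"]
    elif policy == "dot1x":
        lines += [" authentication port-control auto",
                  f" authentication event fail action authorize vlan {GUEST_VLAN}",
                  f" authentication event no-response action authorize vlan {GUEST_VLAN}",
                  " dot1x pae authenticator"]
    else:
        raise ValueError(f"{port}: unknown policy {policy!r}")
    lines.append(" spanning-tree portfast")
    return lines


def unused_port_config(port):
    """Unused ports: parked in a dead VLAN and administratively down."""
    return [f"interface {port}", " description UNUSED", " switchport mode access",
            f" switchport access vlan {PARKING_VLAN}", " shutdown"]


def generate(inventory, all_ports):
    """Global dot1x prerequisites plus one stanza per physical port."""
    out = ["aaa new-model",
           "aaa authentication dot1x default group radius",
           "dot1x system-auth-control", "!"]
    for port in all_ports:
        out += port_config(port, *inventory[port]) if port in inventory else unused_port_config(port)
        out.append("!")
    return out


if __name__ == "__main__":
    ports = [f"Gi1/0/{n}" for n in range(1, 9)]  # assumed 8-port access switch
    print("\n".join(generate(parse_inventory(INVENTORY_CSV), ports)))
```

The RADIUS server definition is deliberately left out of the generated text because its syntax (`radius-server host` versus the newer `radius server NAME` block) depends on the IOS release; add it by hand for your platform. Keeping the inventory as the single source of truth also gives you something to diff the running configuration against later.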
If you don't want to use either dot1x or DHCP mode, then I think what you need is either inline mode or SNMP/CLI mode.

Inline mode is to place the NAC appliance between the access switches and the distribution layer; any traffic that does not comply with your policy will be blocked. Because of the location of the appliance in the network, and because there is no agent, the solution will check only application traffic (it will not check applications installed on a host). The best in this is Consentry.

For SNMP/CLI mode, you connect the NAC server at the core and give it the right permissions on all edge switches to configure the switches based on the policy. Bradford Networks is good in this field.

Note that more than 50% of implemented NAC solutions are mixed, using more than one mode or vendor.

AI-SYD (Author) commented:
I will attempt to resolve this issue within two weeks; it is still in progress and an important task.
AI-SYD (Author) commented:
Bump, any other input would be appreciated. Thanks.
Rich Rumble (Security Samurai) commented:
I've actually ditched Symantec at the 11th hour: their hardware started to fail all over the place, I called customers after bugging and bugging them for testimonials, and no customer (10 in total) had anything good to say about the hardware. And no one was running NAC the way we thought it should work, which we came to find out is because Symantec's NAC can't run the way a NAC should. Cisco failed our proof of concept as well, for different reasons.
We have tested in the past 5 days a product that is working much better and doesn't require 802.1x. As described above by me, 802.1x is a protocol that ensures folks can't assign static IPs to themselves without first authenticating with a username/password. Same for DHCP: they don't get a DHCP IP either until they have validated.
PacketFence, the product I think we will be going with, doesn't rely on 802.1x (which can be a costly affair if you have older network gear). PacketFence can use 802.1x as well as SNMP traps, which has the main benefit of not needing to have the latest and greatest switch gear.
So far I'm impressed with this open-source offering; it is Linux based, but using the VM-Player image it was very easy to set up.
AI-SYD (Author) commented:
I appreciate all responses so far and have aimed to have this question closed in 1 month. I appreciate everyone's patience, but it takes time to test the suggestions made.

If you have a suggestion please submit it.

