NAC (Network Access Control) - ET

We're doing a proposal for a customer who is requesting NAC services on their LAN switches. They would like to control which computers are able to access the network (by MAC address). Other NAC services would also be helpful, such as:
 - Check the computer for AV software prior to connecting to the network.
 - Connect guest computers (non-authorized PCs) to a separate LAN.

I don't know much about NAC. So far I have found two: HP Identity Driven Management Software and Bradford Networks. Does anyone have experience with these or others?

Typically we use HP switches, so we would prefer to stick with those; however, we are open to others.
tabush asked:
Soulja (Sr. Net. Eng.) commented:
I have experience with Cisco ISE, but don't know how well it would work with HP switches.
Rich Rumble (Security Samurai) commented:
I've tested them all, I swear it. Far and away the "best" is ForeScout, but that isn't saying too much. PacketFence is a free open source solution that was better than most commercial offerings you'll find on Gartner's MQ.

Scanning for patches and AV is going to make the admins happy on one hand, sad on the other. The happy part: you get a great inventory, especially with ForeScout. The sad part: you cannot do anything to the users' machines directly using the NAC products, especially guests or non-company hosts. Would you let another admin from a separate and probably unrelated business patch and "secure" your users' computers? Do not go down the "remediation" path; all NAC systems fail. The only thing you can do with NAC is a glorified inventory.
I'll bring in my computer, your NAC scans it, sees I have AV patched and updated, and the OS is updated too. I use a "free" AV I got from a Russian site; it has all the same settings and registry entries, but does no real scanning. NAC is only a CYA technology, and it doesn't cover you *** that well. A user can turn off their AV, or a virus can, or a user can be infected while updated and fully patched. NAC does nothing other than inventory in the end.
I tell my customers: you've gone this long without it, keep it that way. Ban BYOD; it's your network, and you do not have to let everyone else dictate what you allow on your network. Set up an internet-only guest Wi-Fi and give them that. People can then check their email over webmail/Gmail etc. There is no reason to let people on your FULL internal network. NAC can automate some tasks for guests and lock them down, but what for? All they need is internet, so cut out the middle man.
http://www.experts-exchange.com/Security/Misc/A_12736-Bring-Your-Own-Device-Security-NAC-MDM.html
-rich
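Taking the two requirements from the question (admit known machines by MAC address, put everyone else on a separate LAN) together with Rich's suggestion of an internet-only guest network, here is an added Python example of the decision logic a NAC/RADIUS server and the guest-VLAN egress filter would apply. It is not code from the original thread or from any of the products named. The MAC allowlist, VLAN numbers and permitted ports are assumptions, and the sample requests are constructed; the RADIUS VLAN-assignment attributes (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-ID) are the standard RFC 3580 ones that 802.1X/MAC-auth capable switches understand.

```python
import ipaddress
import re

# --- MAC-based admission (the "control which computers by MAC address" requirement) ---

# Constructed allowlist; in a deployment this would be fed from the asset
# inventory the NAC product maintains.  All values are hypothetical.
CORP_MACS = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"}
CORP_VLAN = 10    # hypothetical corporate VLAN id
GUEST_VLAN = 99   # hypothetical internet-only guest VLAN id


def normalize_mac(raw):
    """Canonicalise the MAC formats switches put in Calling-Station-Id
    ('00-1A-2B-3C-4D-5E', '001a.2b3c.4d5e', '001A2B3C4D5E') to lower-case colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % (raw,))
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_mac(raw):
    """True if the string can be normalised to a 48-bit MAC address."""
    try:
        normalize_mac(raw)
        return True
    except ValueError:
        return False


def authorize(calling_station_id):
    """Decide which VLAN a port gets.  Unknown MACs are not rejected: the port is
    brought up on the isolated guest VLAN instead, which is what a "separate LAN
    for guests" policy means.  Caveat: a MAC address is supplied by the client
    itself and is trivially changed, so this is admission by identity claim."""
    mac = normalize_mac(calling_station_id)
    if mac in CORP_MACS:
        return "corp", CORP_VLAN
    return "guest", GUEST_VLAN


def radius_reply(calling_station_id):
    """Attributes a RADIUS server returns so the switch assigns the VLAN (RFC 3580):
    Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802,
    Tunnel-Private-Group-ID = VLAN id as a string."""
    role, vlan = authorize(calling_station_id)
    return {
        "Reply": "Access-Accept",
        "Tunnel-Type": 13,
        "Tunnel-Medium-Type": 6,
        "Tunnel-Private-Group-ID": str(vlan),
        "role": role,
    }


# --- Guest VLAN egress policy ("internet only, cut out the middle man") ---

# RFC 1918 space: a guest must never reach internal hosts.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# What an internet-only guest actually needs: DNS and web (assumption).
GUEST_ALLOWED = {("udp", 53), ("tcp", 53), ("tcp", 80), ("tcp", 443)}


def guest_egress_allowed(dst_ip, proto, dport):
    """Policy for traffic leaving the guest VLAN: no internal destinations,
    and only DNS/HTTP/HTTPS to the internet."""
    dst = ipaddress.ip_address(dst_ip)
    if any(dst in net for net in INTERNAL_NETS):
        return False
    return (proto, dport) in GUEST_ALLOWED


def evaluate(requests):
    """Run constructed (mac, dst_ip, proto, dport) tuples through both policies.
    Corporate-VLAN traffic is out of scope here and is passed through; guest
    traffic is subject to the egress policy.  Returns (mac, vlan, allowed)."""
    results = []
    for mac, dst_ip, proto, dport in requests:
        role, vlan = authorize(mac)
        allowed = True if role == "corp" else guest_egress_allowed(dst_ip, proto, dport)
        results.append((normalize_mac(mac), vlan, allowed))
    return results


if __name__ == "__main__":
    # Constructed sample: a known corporate laptop, then a visitor's laptop
    # trying an internal file server (SMB) and then a public web site.
    sample = [
        ("00-1A-2B-3C-4D-5E", "10.0.0.20", "tcp", 445),
        ("DE:AD:BE:EF:00:01", "10.0.0.20", "tcp", 445),
        ("deadbeef0001", "93.184.216.34", "tcp", 443),
    ]
    for mac, vlan, allowed in evaluate(sample):
        print(mac, "VLAN", vlan, "allowed" if allowed else "denied")
```

The point a practitioner would add: admission keyed on a MAC address is a coarse filter, not authentication, since the client chooses the address it presents; it sorts known assets from unknown ones, which is exactly the "inventory" role Rich describes. The guest policy does the actual security work by never letting the unknown host near internal address space, which is why it is cheaper to give guests internet-only access than to try to vet their machines.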
