NAC internal network security

Posted on 2015-02-08
Last Modified: 2015-04-19
Dear Experts,

I am planning to implement internal network security such as NAC. Please suggest the best NAC solution: Cisco NAC or others, with a comparison of their features and how to implement it.

Question by:nainasipra
LVL 62

Expert Comment

ID: 40599215
A side note: Microsoft dropped their NAC from the 2012 lineup....
LVL 42

Expert Comment

ID: 40599285
What are you hoping to achieve? Standard 802.1X is a good baseline technology that is basically free to implement if your switches support it. 802.1X is not NAC, and does not do endpoint health checking and remediation.
LVL 38

Expert Comment

by:Rich Rumble
ID: 40599732
ForeScout is the best NAC there is right now, but NAC isn't all it's cracked up to be...
LVL 63

Accepted Solution

btan earned 500 total points
ID: 40600004
If we reference the Dec 14 Gartner Magic Quadrant (MQ) for NAC, ForeScout, Cisco and Aruba Networks are the Leaders. Some points of comparison:

Aruba ClearPass - Strong in BYOD (and supports EMM solutions), has its own CA, supports several OS systems and is very much into the education vertical. It also has a guest network with granular policies to manage Apple and Chrome on guest log-on via its NAC enforcement (drilling into time/location etc.). However, single sign-on may not be its strong point for auto login, and it seems more prevalent for wireless rather than wired networks.

ForeScout CounterACT - Strong contender with wide API fabric integration with various SIEMs, advanced threat devices and security solutions. Likewise BYOD is another of its strengths, with several EMMs supported (in fact it carries one EMM offering, ForeScout Mobile, or an EMM-Lite version). Quite established and widely deployed due to its versatility and granular policy controls and enforcement options. But this appliance will need to be at the remote site for post-admission threat protection, hence it can be costly for an Enterprise running many such sites. Another minor point is the more common use of a SPAN port for deployment, which you need to ensure your network devices support without affecting performance and availability.

Cisco Identity Services Engine (ISE) - Big also in BYOD and runs its own CA too, good for those Enterprises without their own internal CA or that do not want the hassle of another 3rd-party CA. It uses endpoint profiling collected from the Cisco switches and controllers, such that it eliminates the need for additional "sensors" to gather the profiling info required for NAC and assessment. Recently they went into something called pxGrid, which is to share info among the network and security solutions; partners include Splunk, NetIQ, Tenable etc., and of course Cisco's own Sourcefire supports that. It also has strong guest enforcement. The caveat is that ISE can be duplicative for the Cisco wireless aspect, since Cisco has its own NAC per se (called Meraki). ISE provides basic auth compared to the Meraki coverage (and we know why ISE goes that "plain" basic, so as not to outshine ...). Cisco has TrustSec role identity policies, but I am not so savvy on how widely this is used and supported per se. Its ASA should have supported that just last mid-year, and as kind of an early adoption it is not really new and at the forefront, but we are probably looking at a strong and resilient cum established deployment...

Looks like ForeScout -> Cisco -> Aruba may be my suggestion if cost is not a factor (which I am also not savvy about). As a whole, basic NAC should be performing the below:
- Authentication: the user has to log in or authenticate before network access is granted;
- Host posture assessment: up-to-date operating system security patches, anti-virus software, anti-spyware software;
- Quarantine and remediation: the amount of network access is typically determined based on the user's identity and the security posture of their host;
- Authorization: enforce only the resources given based on the rights and privileges of the login identity;
- Automated hotfix/version updating: auto-updating checks are there to remove the huge burden of manually having to track down updates.

.. There is more expected for NAC, like central mgmt, HA, Adaptive Auth, etc., but the list is long ... good to get the technical sales from the candidates to run through the comparison, as they will have the latest developments ...
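As an added illustration (not code from the thread or from any of the vendors discussed), here is a small Python model of the basic NAC flow listed in the accepted answer: authenticate, assess host posture, quarantine with a remediation list, then authorize by role. The user directory, posture thresholds, VLAN names and sample endpoints are constructed assumptions.

```python
# Added example: a minimal model of the basic NAC decision flow
# (authentication -> posture assessment -> quarantine/remediation -> authorization).
# Directory, thresholds, VLAN names and endpoints are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

# Constructed identity store: username -> role. A real NAC queries AD/RADIUS.
DIRECTORY = {"alice": "engineering", "bob": "finance"}
# Constructed authorization policy: role -> VLAN granted after a clean posture.
ROLE_VLAN = {"engineering": "vlan-eng", "finance": "vlan-fin"}
QUARANTINE_VLAN, GUEST_VLAN = "vlan-quarantine", "vlan-guest"
MAX_PATCH_AGE_DAYS, MAX_AV_SIG_AGE_DAYS = 30, 7


@dataclass
class Endpoint:
    user: Optional[str]       # None = no credential presented (e.g. no 802.1X supplicant)
    patch_age_days: int       # days since the last OS security patch was applied
    av_installed: bool
    av_sig_age_days: int      # days since the last anti-virus signature update
    anti_spyware: bool


def assess_posture(ep: Endpoint) -> list:
    """Return the remediation actions the host still needs; empty means compliant."""
    actions = []
    if ep.patch_age_days > MAX_PATCH_AGE_DAYS:
        actions.append("apply OS security patches")
    if not ep.av_installed:
        actions.append("install anti-virus")
    elif ep.av_sig_age_days > MAX_AV_SIG_AGE_DAYS:
        actions.append("update AV signatures")
    if not ep.anti_spyware:
        actions.append("enable anti-spyware")
    return actions


def decide_access(ep: Endpoint) -> dict:
    """Map an endpoint to the VLAN it gets and the remediation it must finish first."""
    # 1. Authentication: an unknown identity only ever reaches the guest segment.
    role = DIRECTORY.get(ep.user or "")
    if role is None:
        return {"vlan": GUEST_VLAN, "actions": []}
    # 2-3. Posture assessment; any failure lands in quarantine with a to-do list.
    actions = assess_posture(ep)
    if actions:
        return {"vlan": QUARANTINE_VLAN, "actions": actions}
    # 4. Authorization: access limited to what the authenticated role is entitled to.
    return {"vlan": ROLE_VLAN[role], "actions": []}


if __name__ == "__main__":
    print(decide_access(Endpoint("alice", 45, True, 10, True)))
```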
