Twitter storm

Having a free minute on my hands, I decided to go back through some of my older posts and assign some tags.  Innocent enough.  The only problem is that the Twitter plugin I use here at Tuesdaynight treats those edits as new posts, adding them to my stream of tweets.  Sorry ’bout that, those of you following me at Twitter.

Why is this so hard?

In my mind the following doesn’t seem that difficult. Given a WSDL document and some XSD, I would like to find a tool that can generate the beginnings of an AJAX application. Yes, I know that Eclipse can generate a Java client given some WSDL, but I am looking for an HTML/JavaScript client. Any ideas?

NAC stands for what? Part 1

I really like the current capabilities and promise of NAC. I do, however, have a problem with the abbreviation, specifically, the “A” in NAC. Which do people mean when they say NAC: “network admission control” or “network access control”? To me, there are big differences between the two.

NAC as Network Access Control
If you have an identity background, when you hear NAC, you think, “Oh, this is web access control for the network.” If that’s the case, then NAC needs to have some features that mirror WAC. For example:
• Identifying the user is key.
• There needs to be a centralized policy store that describes access control.
• There needs to be a fine level of granularity of those policies.
• There needs to be some modicum of single sign-on.
• There’s going to be some form of the proxy versus plug-in fight.

User authentication has always been a part of web access control, and network access control should be no different. WAC vendors have all sorts of mechanisms to authenticate the user either directly or through other authentication providers. NAC vendors do, but, I conjecture, not in the same way. There are two flavors here: explicit and implicit. Explicit NAC authentication involves the end-user in an authentication event. Forcing the user to authenticate to RADIUS is a form of this. Implicit authentication uses authenticated credentials from something higher in the stack (like the operating system) and does not involve the end-user in an extra authentication event.