Cisco NAC General Observations

Unanswered Question
Sep 22nd, 2009
User Badges:

Hi,


We are currently doing a parallel trial of Cisco NAC against another NAC solution. When we embarked on this pilot we envisioned that the Cisco Product would be similar to other cisco appliances.


To be honest with our current experience of the product we find the following which causes some concern.

1) Cisco Nac does not have its own support sub-forum and is bundled in the general catagory which leads one to believe that it is a much removed ancillary product

2) Even the the product was bought from Perfigo much of the previous product is evident

3) The logging setup available on the device is bordering on satisfactory and does not conform to typically appliance logging setups on most other cisco appliances

4) The interface while functional (which is a positive) is a little crude and dated. Ie event logs dont automatically refresh,

5) No admin integration with TACACS

6) I have not got SNMP to work(which should be simple), and reading what mibs are available via SNMP dont give me much hope that I will actually retrieve much valuable information. From our NMS we would like to see stats like number of users and in which role they are.

7) The logging that is available does not log breaches of policy violation. For example if your policy is not to allow users in a role to go to google.co.uk and they do it does not log anywhere.

8) Very little if any management information, graphs , trends, reports are.


All this said the product was extremely easy to setup in comparison to other solutions. Installation manual was enough to set up a basic solution in a day.


What we dont want to do is go forth with a product which does not get the amount of R&D budget to make it and keep it a market leader and find ourselves with something that does not integrate and evolve over time.


Regards


Miron


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
Faisal Sehbai Tue, 09/22/2009 - 07:22
User Badges:
  • Gold, 750 points or more

Miron,


1) I would argue that the level of help and responses you get on the product should be a criteria and not where it is placed in the forum hierarchy


2) Not sure what you mean here


3) You can log to syslog and then slice/dice it there. I do agree that there is room for improvement in the logging we have, and I believe much is being done to alleviate this pain in the upcoming 4.7 release due out in a few months.


4) Agree.


5) 4.5 allows for Radius authentication for administrators to a central db


6) That is true. SNMP monitoring of devices is not that detailed.


7) So you're looking to see who tries to breach your policy? i.e. tries to go to google.co.uk if you have disallowed it? If so, yes that information isn't logged anywhere right now.


8) You'll see improvement for that in 4.7


My understanding is that Cisco is one of the biggest players in this arena, and they don't wish to squander this away or stop supporting/developing NAC at all.


I would also argue that many of the improvements that we see in this product come from suggestions of customers who find things lacking, make us aware, and then they get added to the solution. In that regard, if you were to bring this post and the points mentioned therein to your account team, there's a good chance some of this will be there in the next versions.


HTH,

Faisal

mironduplessis Tue, 09/22/2009 - 08:05
User Badges:

Hey mate,


1) I would agree with you in some respects however as someone with limited use of the system it is notable that it doesnt have its own group. While this is rather pedantic of me it gives me the impression(maybe incorrect) that the product is not considered as a core product in the product portfolio. I have seen similar with other vendors that focus all there support and forums on there big money winners and the ancillary products have less attention.

2) Was just an observation in that if significant R&D is allocated to a product you would expect that in a relatively short period that the code and feel of the product would be all Cisco and without remanents of the past manufacturer. Might give me the impression that only minor tweaks have been done since acquistion(only my view:-)

3) Yep I have it logging to syslog already which is fine, but just different to what I expected:-)

4)NA

5)I can see you can use radius, however would be nice to have the option of Tacacs which is the standard across the product line(in general)

6)NA

7)No response

8)Would be good to see.


I believe that Cisco is in the Gartners magic quadrant of the for NAC however the synopis of Cisco as a provider for NAC left some questions. Also in times of belt tighting if a product is not part of your core sellers then they may be at risk of reduced dev funding. Im under the impression that there is no current NAC solution that ticks all the boxes yet and that NAC industry and market in general is relatively small. I would presume that the R&D into areas like Cisco Storage,VOIP,Switching, Routing benefit from increased funding due the value on the market.


If I was blue sky thinking the Cisco NAC solution(within reason) I would be thinking of an appliance like the ASA with the look and feel of that GUI, do filter and policy rules were the same as you would do for a firewall. Essentially adding a good compliance and authenticaion element to the ASA:-)


I would also hope that any good ideas or feature requests that are raised on these types of forums are fed back into the system for deliberation.


Kind Regards


Miron

Faisal Sehbai Thu, 09/24/2009 - 20:42
User Badges:
  • Gold, 750 points or more

Miron,


Some of the questions and concerns raised here are definitely above my pay grade :-) so I won't comment on them.


All I can offer you is my perspective as a TAC engineer, and what I see is that Cisco is serious in maintaining and enhancing their NAC offerings. There are missteps and corrections also for those missteps, which is part of the growth pains.


Your comments and suggestions are very welcome!


Thanks,

Faisal

cammaher Mon, 10/26/2009 - 17:32
User Badges:

Hi Miron,


Firstly - what a coincidence - I was searching the Cisco forums for Cisco NAC and Trend issues and your post come up first! Hope all is going well over there at Kings.


We have implemented Cisco NAC here at my work for use with our remote access system. The big problem I am seeing is that it doesn't seem to interact very well with an external policy on a Trend AV Server. Have you have any experience with that setup?

Basically we have v7.3 of Trend AV and v4.1 on the ACS and am finding that every 4th or 5th client does not get a posture validation and in the lgos it says 'Posture Validation failed on external policy'.


Hope to hear from you soon.


Thanks,

Cam

Faisal Sehbai Mon, 10/26/2009 - 21:17
User Badges:
  • Gold, 750 points or more

Cam,


Think you're mixing your two NACs there. CCA doesn't work with ACS and external policy servers. That was the NAC Framework product which is being sidelined more in favor of CCA now.


HTH,

Faisal

Actions

This Discussion