Educause Security Discussion mailing list archives

NAC for all wired and wireless networks


From: Steve Werby <smwerby () VCU EDU>
Date: Tue, 6 Jul 2010 13:54:30 -0400

We are researching alternatives for assessing endpoint security of end user devices (not servers) connecting to our wired and wireless networks. We're primarily concerned with desktops and laptops and with assessing 1. OS patch level and 2. that an acceptable antivirus product is installed and running, and that the software and virus definitions are recent.

Student workstations and a large percentage of employee workstations are not centrally managed. Authentication is required to access our wireless networks, but is not currently required to access our wired networks. Because of this, a network solution is a better fit than an endpoint solution. The university has roughly 32,000 students and 10,000 employees.

We currently use Cisco NAC on our residential network only. Deploying that across the enterprise is cost-prohibitive and Cisco is recommending a different solution than what we have deployed.

Have you deployed a solution or compensating controls with similar scope? Have you researched alternatives? Any details you can provide concerning your deployments, research or experience pursuing solutions would be helpful, as would pointers to any particular institutions you're aware of who have successfully deployed a solution.

I'm also particularly interested in whether you have any experience with PacketFence (http://www.packetfence.org/en/home.html), which is an open source NAC.

--
Steve Werby
Information Security Officer
Virginia Commonwealth University
VCU Information Security - http://infosecurity.vcu.edu/
News, Tips & More - http://www.twitter.com/vcuinfosec
Best Practices - http://infosecurity.vcu.edu/docs/infosecbp.pdf
