Educause Security Discussion mailing list archives

Re: NAC for all wired and wireless networks


From: "Aaron S. Thompson" <athompson () BERKLEE EDU>
Date: Tue, 13 Jul 2010 16:49:52 -0400

Hi All:

Our design has four flavors of wireless and touches a few of the topics that we are all reviewing.

Berklee-Staff
Berklee-Student
Berklee-Sponsored
Berklee-Guest

All are campus wide with Staff and Student being unrestricted utilizing 802.1x (TTLS-WPA2-AES) for authentication and 
encryption.  We have found little need for any kind of posture checking as we are 99% OS X.

Berklee-Sponsored is a captive portal type connection that requires a specific LDAP privilege for a staff member to 
authenticate the connection.  This is centrally controlled and utilizes a trust model for identity concerns with email 
receipts, heavy logging and tracking.

Berklee-Guest is similar but it's a generic internet connection with traffic restrictions/shaping and the sponsorship 
privilege is open to any Faculty, Staff or Student.

There is a capability to have posture checking, quarantine and remediation services if you're interested.

This is all done via open source with no controller at a very low cost. (minus access points!)  The system is very 
scalable and maintains max throughput of the access points.  We use FreeRadius, OpenLDAP and PacketFence.

If anyone would like to know more on what we are doing feel free to let me know.

Regards,

Aaron

-
Aaron Thompson
Network Services Manager
Network and Telecommunications

Berklee College of Music
1140 Boylston Street, MS-186 NETT
Boston, MA 02215-3693
617.747.8656  athompson () berklee edu  www.berklee.edu
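The following is an added illustration of the four-SSID policy Aaron describes, not code from Berklee, FreeRADIUS or PacketFence. It models the post-authentication decision a RADIUS back end would make for the two 802.1X SSIDs (accept and hand the access point a VLAN via the RFC 3580 tunnel attributes, or reject) and the captive-portal sponsorship rule (Berklee-Sponsored requires a staff member holding a specific LDAP privilege; Berklee-Guest can be sponsored by any faculty, staff or student), with an audit line written for every grant and denial. The group DNs, the privilege name, the VLAN numbers, the 24-hour guest lifetime and the sample LDAP entries are all assumptions constructed for the example.

```python
"""Role policy for a FreeRADIUS/OpenLDAP campus WLAN (added example, not Berklee's code)."""
from datetime import datetime, timedelta, timezone

# Assumed LDAP group DNs and sponsorship privilege (not from the original post).
STAFF_GROUP = "cn=staff,ou=groups,dc=example,dc=edu"
STUDENT_GROUP = "cn=students,ou=groups,dc=example,dc=edu"
FACULTY_GROUP = "cn=faculty,ou=groups,dc=example,dc=edu"
SPONSOR_PRIVILEGE = "cn=wifi-sponsor,ou=privileges,dc=example,dc=edu"

# Assumed VLAN plan: each 802.1X SSID maps to one VLAN and one permitted group.
VLAN_FOR_SSID = {"Berklee-Staff": "10", "Berklee-Student": "20"}
GROUPS_FOR_SSID = {"Berklee-Staff": {STAFF_GROUP}, "Berklee-Student": {STUDENT_GROUP}}
GUEST_TTL_HOURS = 24  # assumed lifetime of a sponsored guest account

# Constructed sample LDAP entries; "memberOf" carries the group DNs of the user.
SAMPLE_STAFF = {"uid": "athompson", "memberOf": [STAFF_GROUP, SPONSOR_PRIVILEGE]}
SAMPLE_STUDENT = {"uid": "jdoe", "memberOf": [STUDENT_GROUP]}
SAMPLE_NOW = datetime(2010, 7, 13, 16, 49, 52, tzinfo=timezone.utc)


def radius_vlan_reply(vlan_id):
    """RFC 3580 reply attributes that tell the AP/switch which VLAN to place the port in."""
    return {"Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": vlan_id}


def authorize_dot1x(ssid, ldap_entry):
    """Decision for the 802.1X SSIDs after the inner TTLS credential check succeeded.

    Fails closed: an SSID not in the 802.1X plan, or a user outside the SSID's
    permitted group, gets Access-Reject rather than a default VLAN.
    """
    groups = set(ldap_entry.get("memberOf", []))
    allowed = GROUPS_FOR_SSID.get(ssid)
    if allowed is None or not (groups & allowed):
        return {"result": "Access-Reject",
                "reason": f"{ldap_entry.get('uid')} not permitted on {ssid}"}
    reply = radius_vlan_reply(VLAN_FOR_SSID[ssid])
    reply["result"] = "Access-Accept"
    return reply


def sponsor_guest(ssid, sponsor_entry, guest_email, now, audit_log):
    """Captive-portal sponsorship check for the two portal SSIDs.

    Returns the guest record (with an ISO-8601 expiry) or None, and appends one
    audit line in either case so every grant and denial is traceable to a sponsor.
    """
    groups = set(sponsor_entry.get("memberOf", []))
    if ssid == "Berklee-Sponsored":
        # Only staff who hold the sponsorship privilege may vouch for a guest.
        ok = STAFF_GROUP in groups and SPONSOR_PRIVILEGE in groups
    elif ssid == "Berklee-Guest":
        # Any faculty, staff or student may sponsor a generic guest connection.
        ok = bool(groups & {STAFF_GROUP, STUDENT_GROUP, FACULTY_GROUP})
    else:
        ok = False
    sponsor = sponsor_entry.get("uid")
    if not ok:
        audit_log.append(f"{now.isoformat()} DENY ssid={ssid} sponsor={sponsor} guest={guest_email}")
        return None
    expires = (now + timedelta(hours=GUEST_TTL_HOURS)).isoformat()
    audit_log.append(f"{now.isoformat()} GRANT ssid={ssid} sponsor={sponsor} "
                     f"guest={guest_email} expires={expires}")
    return {"guest": guest_email, "sponsor": sponsor, "ssid": ssid, "expires": expires}


if __name__ == "__main__":
    log = []
    print(authorize_dot1x("Berklee-Staff", SAMPLE_STAFF))
    print(authorize_dot1x("Berklee-Staff", SAMPLE_STUDENT))
    print(sponsor_guest("Berklee-Sponsored", SAMPLE_STUDENT, "guest@example.org", SAMPLE_NOW, log))
    print(sponsor_guest("Berklee-Sponsored", SAMPLE_STAFF, "guest@example.org", SAMPLE_NOW, log))
    print("\n".join(log))
```

In a real deployment the group lookup would come from the FreeRADIUS ldap module (or PacketFence's own LDAP source) rather than a dict, and the audit lines would go to the same central log the post mentions; the point of the example is the fail-closed ordering and that a guest account is never created without a sponsor identity and expiry attached.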
On Jul 6, 2010, at 1:54 PM, Steve Werby wrote:

We are researching alternatives for assessing endpoint security of end user devices (not servers) connecting to our 
wired and wireless networks.  We're primarily concerned with desktops and laptops and assessing 1. OS patch level and 
2. an acceptable antivirus product is installed, running and that the software and virus definitions are recent.

Student workstations and a large percentage of employee workstations are not centrally managed.  Authentication is 
required to access our wireless networks, but is not currently required to access our wired networks.  Because of 
this, a network solution is a better fit than an endpoint solution.  The university has roughly 32,000 students and 
10,000 employees.

We currently use Cisco NAC on our residential network only.  Deploying that across the enterprise is cost-prohibitive 
and Cisco is recommending a different solution than what we have deployed.

Have you deployed a solution or compensating controls with similar scope?  Have you researched alternatives?  Any 
details you can provide concerning your deployments, research or experience pursuing solutions would be helpful, as 
would pointers to any particular institutions you're aware of who have successfully deployed a solution.

I'm also particularly interested in whether you have any experience with PacketFence 
(http://www.packetfence.org/en/home.html), which is an open source NAC.

-- 
Steve Werby 
Information Security Officer 
Virginia Commonwealth University 
VCU Information Security - http://infosecurity.vcu.edu/ 
News, Tips & More - http://www.twitter.com/vcuinfosec 
Best Practices - http://infosecurity.vcu.edu/docs/infosecbp.pdf
