CLEANACCESS Archives

April 2012

CLEANACCESS@LISTSERV.MIAMIOH.EDU

From: Dennis Xu <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Mon, 9 Apr 2012 13:44:14 -0400

We have been using Cisco NAC for a number of years. We particularly like to see its improvement on OS detection. Right now NAC can only detect the OS by inspecting HTTP traffic. So non-Agent users have to open a browser each time to get network access. This is a headache for WPA/WPA2 wireless users because they don't have to authenticate using the web. From what I read, ISE supports multiple inline posture assessment methods (like DHCP fingerprinting). That would address our concerns. Has anyone tried the OS detection using DHCP? Does it work well?

---
Dennis Xu
Network Analyst, Computing and Communication Services
University of Guelph
5198244120 x 56217

----- Original Message -----
From: "Eric Kenny" <[log in to unmask]>
To: [log in to unmask]
Sent: Monday, April 9, 2012 9:02:42 AM
Subject: Re: NAC -> ISE


We have been demoing ISE for a while now.  The biggest challenge for us was
to integrate with our LDAP backend without requiring supplicants to be
installed on clients to support EAP-GTC.  To overcome this we managed to
set up ISE to authenticate against RADIUS instead (which is not exactly a
straightforward process) and that allows us to use the standard
EAP-MSCHAPv2/PEAP supplicant installed on Windows.

In Mac OS 10.7 (Lion) Apple changed the way you configure 802.1x settings.
Now the user cannot configure anything.  All configuration has to be done
with Apple’s “iPhone configuration utility” and then the profile needs to
be loaded on the client.

As Bruce mentioned, the license cost is quite substantial.  Cisco will tell
you that your current NAC licenses will transfer over as “Advanced ISE
Licenses” 1 for 1, however, that is only valid for 3 years, at which point
you need to purchase new licenses.  Additionally, any devices in your MAC
filter list will also eat up licenses.

Eric J. Kenny
Network Analyst
Marist College
3399 North Rd.
Poughkeepsie, NY 12601
845.575.3820
