Bruce A. Locke wrote:
> Some of us (or at least I am) are wondering if NAC isn't completely
> pointless these days.
> 
> NAC was worth its weight in gold in forcing XP users to upgrade to XP
> SP2 which brought major security upgrades to the XP platform ...
> 
> ...  How much time has been spent on
> trying to figure out why Windows and CCA disagree on what patches are
> installed?  ...
> 
> What do we gain from NAC that isn't gained from user education
> efforts, DMCA enforcement and basic security monitoring of a network?
> Cisco NAC is a miserable educational tool unless you prefer your
> education to involve pissing off users with incomprehensible
> behaviors from the agent and having them seethe at you and your help
> desk.

All good points. When we installed Perfigo in 2004, and for the
following couple of years, we saw dramatic advances in both user
education and numbers of systems cleaned, updated, and put on the
network with little involvement on our parts, a clear success. I've been
a strong Perfigo booster in the past.

Now the nature of the threat has changed, and I still think a NAC system
can provide good user remediation and education (particularly in the P2P
arena) and security monitoring on my network as well as provide a clear
link between ethernet interface and registered user that we also need to
maintain. CCA is no longer an obviously good fit for our situation,
however, so this summer we'll be migrating to a different product. Those
of you with Cisco networks end to end may have a different
implementation and different feelings on the matter.

-- 
Celebrating the 150th anniversary of the publication of the Origin of
Species.
-- Cal Frye, Network Administrator, Oberlin College
   Mudd Library, x.56930 -- CIT will NEVER ask you for your password!

   www.calfrye.com,  www.pitalabs.com

"Education is when we read the fine print.  Experience is what we get if
we don't"  --Pete Seeger.