Cisco's NAC goes off track, customers taken aback
As the most important supplier of network infrastructure to enterprises, Cisco's NAC products are a natural point of curiosity for network managers. Unfortunately, though, Cisco's approach to NAC has been riddled with in-fighting, false starts, delayed product releases, and a good dose of chaos and confusion.
At the heart of Cisco's NAC problems were two separately developed and separately maintained products, completely incompatible yet solving the same problem for the same customers. During the several years it took Cisco to deal with the internecine warfare between these two product groups, customers have been dazed and confused as to which is best for them
The first NAC products came through the acquisition of Perfigo, a start-up that had developed a wireless access gateway during the days before widespread availability of WPA authentication and encryption. First called Cisco Clean Access, and recently renamed Cisco NAC Appliance, the product line evolved completely separately from Cisco's other network infrastructure products and has only the lightest integration with Cisco switching devices. Originally an in-line device that protected wireless and VPN links best, the Perfigo products were extended to include edge enforcement for wired enterprise networks based on Cisco switches.
While Perfigo's product line was racking up impressive sales, the switching and routing side of Cisco teamed with the Cisco Secure Access Control Server (a RADIUS and TACACS server) group to develop and market the Cisco NAC Framework, a NAC solution that includes modifications to Cisco switches and routers, the Cisco Trust Agent end-point client, and the ACS RADIUS server, which acts as a back end for both authentication and posture checking.
While the NAC Framework doesn't require 802.1X for authentication and posture checking, it does allow for 802.1X and is extremely similar, architecturally, to the NAC frameworks proposed by the Trusted Computing Group, Microsoft, and the IETF. (The Cisco Trust Agent includes some 802.1X technology through the acquisition of MeetingHouse Data Communications.)
Cisco sold the products in competition with each other during 2006 and 2007, until an internal truce between the two product groups was arranged and Cisco announced that the two product lines would somehow be combined into a single super-NAC product.
Because of Cisco's marketing muscle and control of enterprise networks, third-party partners have been strong supporters of both of Cisco's NAC products, offering a variety of end-point security alternatives to Cisco's own Cisco Security Agent end-point security protection client. In 2006, Microsoft and Cisco also linked their NAC products during the development of Windows Server 2008, offering several integration scenarios that allow enterprises to easily mix Cisco and Microsoft clients and servers in both Cisco-centric and Microsoft-centric NAC deployments.
In the meanwhile, Cisco has released new versions of products in both their NAC Framework and NAC Appliance lines, but has reduced the volume and aggressiveness of their marketing efforts in NAC. (Cisco declined to actively participate in our head-to-head test of NAC products, but we tested them anyway.) Customers who approach Cisco for NAC solutions are being directed towards the NAC Appliance, so it is assumed by outside observers that the features of NAC Framework will be added to NAC Appliance.
Cisco hasn't given us a peek at their super-NAC product, or committed to a ship date. While Cisco remains enthusiastic about its ability to wow the world of NAC, smaller and more agile companies are bringing innovative solutions to the market — and cutting into Cisco's NAC business. If you need NAC now, you might not want to wait for Cisco to ship its super-NAC product.
Read more about wide area network in Network World's Wide Area Network section.