June 21, 2010, 4:25 PM — In the network access control products we tested, authentication varies from very strong to very weak, and every point in between. When you start evaluating NAC products, decide very early what kind of authentication mechanism you want, if any.
In some cases, such as McAfee NAC, Forescout ActiveScout and Trustwave NAC, authentication is de-emphasized as part of the product philosophy -- the emphasis is in some other area, typically endpoint security controls.
For example, Trustwave NAC includes an agent that runs on Windows Active Directory servers and sends user login/logout information to the Trustwave NAC appliance. This lets a particular device be associated with a user, assuming the device is a Windows client workstation joined to the right domain and the user logged in to that device.
But this bit of authentication information is just one of many pieces that Trustwave NAC collects about each device on the network. The authentication detection is entirely passive, and not part of the lock-step workflow of getting a user on the network.
If you care about authentication of users, be careful about this category of product, because its mechanism for detecting authentication information can be unreliable, due to the nature of the protocols it is trying to sniff. Capturing 802.1X and Kerberos logins as they fly by sounds elegant, but you can't necessarily get all the information you need out of what you see on the wire: tunneled EAP methods such as PEAP carry the real user identity inside a TLS tunnel, and the outer identity a sniffer can see may be anonymous or a bare domain name. This is why Trustwave technicians installed their software agent on our Windows server — they are afraid that one day soon Microsoft will start encrypting the communications during login and the authentication information will be unavailable.
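To make concrete what an AD-side login/logout agent has to do, and where the passive approach loses information, here is an added example that is not code from the article or from Trustwave. It correlates constructed Windows Security log records (4624 logon, 4634 logoff; the field names are the standard ones, the values are made up) into a device-address-to-user map, links logoffs back to logons through TargetLogonId, and reports the cases a passive collector cannot resolve: machine-account logons, logons that carry no source address, and several users behind one address.

```python
"""Build an IP-to-user map from AD logon/logoff events (illustrative only)."""
from typing import Dict, List, Set, Tuple

# Constructed sample events; field names follow Windows Security log
# events 4624 (logon) and 4634 (logoff), values are invented.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.1.2.3",
     "LogonType": 3, "TargetLogonId": "0x3e7a1"},
    {"EventID": 4624, "TargetUserName": "WKS01$", "IpAddress": "10.1.2.3",
     "LogonType": 3, "TargetLogonId": "0x3e7b0"},      # machine account
    {"EventID": 4624, "TargetUserName": "svc_backup", "IpAddress": "-",
     "LogonType": 5, "TargetLogonId": "0x3e7c4"},      # service logon, no address
    {"EventID": 4624, "TargetUserName": "bob", "IpAddress": "10.1.2.9",
     "LogonType": 10, "TargetLogonId": "0x40010"},     # RDP into a host
    {"EventID": 4624, "TargetUserName": "carol", "IpAddress": "10.1.2.9",
     "LogonType": 3, "TargetLogonId": "0x40105"},      # same address, other user
    {"EventID": 4634, "TargetUserName": "alice", "LogonType": 3,
     "TargetLogonId": "0x3e7a1"},                      # alice logs off
]

# Addresses the DC records when the logon did not come over the network.
UNUSABLE_ADDRS = {"-", "", "::1", "127.0.0.1"}


def build_device_user_map(events: List[dict]) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Return (ip -> set of logged-in users, warnings) from logon/logoff events.

    Active sessions are keyed by TargetLogonId so that a 4634, which carries
    no IP address of its own, can retire the matching 4624.
    """
    sessions: Dict[str, Tuple[str, str]] = {}   # logon id -> (ip, user)
    warnings: List[str] = []

    for ev in events:
        eid = ev["EventID"]
        if eid == 4624:
            user = ev["TargetUserName"]
            ip = ev.get("IpAddress", "-")
            if user.endswith("$"):
                continue                       # computer account, not a person
            if ip in UNUSABLE_ADDRS:
                warnings.append(f"{user}: logon type {ev['LogonType']} "
                                f"carries no usable source address")
                continue
            sessions[ev["TargetLogonId"]] = (ip, user)
        elif eid in (4634, 4647):
            sessions.pop(ev["TargetLogonId"], None)

    mapping: Dict[str, Set[str]] = {}
    for ip, user in sessions.values():
        mapping.setdefault(ip, set()).add(user)

    for ip, users in sorted(mapping.items()):
        if len(users) > 1:
            warnings.append(f"{ip}: ambiguous, {len(users)} users "
                            f"({', '.join(sorted(users))})")
    return mapping, warnings


if __name__ == "__main__":
    devices, notes = build_device_user_map(SAMPLE_EVENTS)
    for ip, users in sorted(devices.items()):
        print(ip, "->", ", ".join(sorted(users)))
    for note in notes:
        print("warning:", note)
```

Run against the constructed events, 10.1.2.3 drops out of the map once alice's logoff arrives, the service logon is reported as unlocatable, and 10.1.2.9 is flagged because two users are active behind it. Those two warnings are exactly the situations a NAC product that only watches logins passively has to guess about.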
We found other issues with these products when we were using them outside of their comfort envelope. For example, we set up McAfee NAC using 802.1X, and found that it uses incorrect information in the 802.1X transaction to detect user identity. That's the kind of bug that can only exist in a product where most of the organizations deploying the product are not focusing on authentication.
If you do care about authentication, you will find that the remaining products fall into two major categories: ones that encourage you to use 802.1X on wired switches and wireless networks, and ones that avoid it or work around it.