Here at Interop the show floor was pretty dead yesterday. I had a chance to sit in the audience on a panel on NAC hosted by Mike Fratto. Mike had 5 panelists including a few friends of mine. It was pretty much the usual NAC panel. Steve Hanna from Juniper/TNC touting the standards that his group offers, Cisco saying they will support standards, HP ProCurve always loves standards, Microsoft actually being very pragmatic and then there was JJ. My friend Jennifer Jabbusch was her usual self talking as she sees it and giving quote fodder to the journalists like Michael Sean Kerner who wrote about the panel in this article.
Of course the media loves to jump on any angle as to why NAC has not brought world peace and helped cure cancer. So Kerner’s article screams that authentication is where we screwed up. He says the audience demanded to know when NAC is going to deliver on the promise. How can we have a standard without Cisco. Well I was in the audience too and had all I could to bite my tongue and not say anything. But hey that is why I have a blog. So let me respond here:
1. Authentication is where we screwed up. Who said NAC was about authentication? Listening yesterday you would think that 802.1x authentication was a direct result of NAC needing a secure authentication process. Guys lets not put the cart in front of the horse. 802.1x offers a lot of other features and advantages besides NAC authentication. In fact it is the other way around. NAC vendors adopted 802.1x because it offered some distinct advantages. It was widespread in wireless networks. However, JJ is right. It is complex. There are a lot of moving parts. If you have not done everything right to implement 802.1x on your network, don’t bother trying to use it for NAC. But if you had, it does work like a charm. As I have said before it is not for the faint of heart.
But back to my original comment. Originally NAC/NAP was not the authentication. NAC rode on top of your existing authentication. We as an industry have issues around easy to use, robust authentication methods. So this became NAC’s problem? A good NAC solution should be able to use the authentication system you are using. Authentication sucks? Look to the folks developing authentication. Hint: it is the same network vendors sitting on the panel. But lets not saddle NAC with albatross.
2. Searching for the mythical NAC Unicorn. Fact is there was one member in the audience who was quite vocal (no not me) and kept insisting that NAC would not be real until everyone adopted one standard, that no matter what network we log into, no matter what different software I had, NAC would solve it all because “a big database” would contain all of this information. Yeah, all right. I wanted to ask the guy if he still leave out cookies and milk for Santa Claus. From what I understand this particular individual makes a habit of doing this at NAC panels.
The guy from Microsoft said it best. It is OK if NAC does not give you all of this, it is still valuable. Stop trying to make it all things to everyone and take it for what it is. It is not the answer to authentication, it is near impossible to treat heterogeneous network environments like they were homogenous, but that is not what it is about. Stop looking for Unicorns and make use of what you have to work with!