Friday, February 9, 2018

Network access control (NPS vs ISE vs X)

Hi,

I'm currently in a very difficult situation regarding NAC.

Maybe I start with the current situation:

We use Cisco ACS in the latest version that was released, in a cluster-ish setup. So far so good. But as ACS is end of life, I'm looking for a new solution. We have 4 sites, and our networking infrastructure in the LAN is fully Cisco. Wireless is Extreme Networks. Clients are Dell.

  • The main site
    • with over 4000 network devices (VoIP phones, PCs, notebooks, access points, etc.)
    • with over 60 VLANs
    • 4 SSIDs, each with a different authentication method (eduroam, captive portal, dot1x, and PSK for WiFi phones)
  • three smaller remote sites with a pretty inconsistent connection to the main site over VPN
    • with something over 20 network devices each
    • with 3 VLANs each

Currently we're using 2 ACS VMs at our main site and Microsoft's NPS at our remote sites, as the VPN connection is not very reliable.

With the implementation of NPS (without the consent of the network crew), everything got WAAAAAY too complicated, and some people had the idea to use NPS at our main location too, because it doesn't cost anything (as a university we have some kind of Microsoft flat rate)...

Now there is some kind of 'office war' between the network crew and the server crew about who is responsible for the NAC solution. Is it the network crew, or is it the server crew?

I'm absolutely not happy with NPS as a NAC solution at our scale. I want an all-in-one solution for our wireless and LAN infrastructure, with captive portal, dot1x, reporting, monitoring and, most importantly... security.

Our server crew wants a simple, free and basic auth server (where NPS is the wrong solution, but that's my opinion).

Maybe you can help me with how I can work on this. Budget isn't a problem per se, but when they hear that this works with a free solution too... well, you know the drill.

I'm looking at Cisco ISE or Aruba ClearPass here... I also looked at PacketFence, but that isn't a viable solution either, as it is too complicated for the 'server crew'.
