NAC-Appliance IA-A-20 vs Mobile-IAM-APP

  • Question
  • Updated 3 years ago
  • Answered

Hi There,

Can you please help us out with the queries below?

1. What’s the difference between NAC Appliance part# IA-A-20 and IAM appliance part# Mobile-IAM-APP?

2. Can NAC & IAM appliances be equipped with SFP+ transceivers?

3. Is it possible to roll out EAP certificate-based authentication using a NAC or IAM appliance?

Your quick response in this regard would be highly appreciated.


Suhail Ahmad


Posted 3 years ago


Michael Kirchner

Hi Suhail,

First, Mobile-IAM and NAC are exactly the same technology. The major difference is that "Mobile-IAM" is a pre-defined package of 1x NMS-5 and 1x NAC Appliance with an End-System capacity of 3000. I think the Mobile-IAM-APP Appliance is the same as the "old" NAC-A-20 but I'm not quite sure. But that appliance is comparable to the IA-A-20.

2) No - all NAC / IAM Appliances have 4 RJ45 NICs
3) EAP-TLS is supported by the Extreme NAC/IAM solution.

Best Regards
Michael

Suhail Ahmad

Hi Michael,

Thanks for your reply, now I am clear about the differences between IAM and NAC.

How does EAP-TLS authentication work using NAC? As far as I know, PEAP authentication is transparent to users and NTLM authentication is performed by NAC on behalf of users at the back end with the LDAP server, so I don't even have to install my org certificate on NAC for PEAP authentication. Can you please elaborate how it works with EAP-TLS?

Would 1G connectivity be enough to handle authentication and assessment for 3000 users simultaneously? Can we create a LAG between the 4 x 1G NAC ports?

Thank you for your support.

Regards

Suhail

Michael Kirchner

Hi Suhail,

Yes, you are right: in an Active Directory domain PEAP can be implemented transparently to the user, so that the NTLM authentication is done by NAC. Nevertheless the NAC Appliance needs a server certificate so that the 802.1X supplicant trusts the NAC as RADIUS server. But be careful in a multi-forest environment; in this case it can be easier to use the NAC as a RADIUS proxy to a Microsoft NPS server, as PEAP needs an AD membership. But with only one domain I would use NAC directly.

With EAP-TLS, from my point of view, this is a lot easier as you don't need the AD integration with NTLM. NAC needs a trusted server certificate of the Domain CA and the CA certificates belonging to the client certs. That's all. The fact that the client uses a trusted client certificate is enough. If you want to check whether the user (or, mostly better, the machine) has an active AD member account you can do a simple group membership check based on an LDAP-Bind (memberOf CN=MyGroup,DC=myDomain,DC=local).

That's the way I implement most of my NAC projects: EAP-TLS combined with an LDAP-Bind memberOf check.

The NICs are normally used separately. E.g. you can use one for management and RADIUS and another for handling Guest Portal traffic. It is not intended to create a LAG.

What kind of assessment are you going to do? Agent-based assessment or agentless? If agent-based, I would not worry about 1G. With agentless you could use a second NIC. In general I would recommend using at least 2 NAC Appliances (hardware or virtual) to have redundancy. Virtualization is no redundancy if you think about updates etc. ;)

Hope that helps. If you have any further question don't hesitate to ask.

Regards
Michael
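
The EAP-TLS plus LDAP memberOf check described in the answer above, sketched as an added example that is not part of the original post and is not Extreme NAC code. It assumes the RADIUS server has already validated the client certificate chain, that the machine is identified by the certificate's DNS name, and it adds a check of the AD `userAccountControl` disabled bit; all function names and the sample entries are constructed.

```python
GROUP_DN = "CN=MyGroup,DC=myDomain,DC=local"  # group DN quoted in the answer
ACCOUNTDISABLE = 0x0002  # AD userAccountControl bit for a disabled account

def escape_filter_value(value):
    """Escape RFC 4515 special characters so certificate-derived text
    cannot change the structure of the LDAP search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def machine_filter(cert_dns_name):
    """Filter for the computer account named by the certificate's DNS name
    (assumption: host part maps to sAMAccountName with a trailing '$')."""
    host = cert_dns_name.split(".", 1)[0]
    return "(&(objectClass=computer)(sAMAccountName=%s$))" % escape_filter_value(host)

def normalize_dn(dn):
    """Case-fold and trim each RDN; enough for DNs without escaped commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def is_authorized(entry, group_dn=GROUP_DN):
    """True only for an enabled account that is a direct member of group_dn.
    Missing entry or missing userAccountControl fails closed."""
    if not entry or "userAccountControl" not in entry:
        return False
    if int(entry["userAccountControl"][0]) & ACCOUNTDISABLE:
        return False
    wanted = normalize_dn(group_dn)
    return any(normalize_dn(dn) == wanted for dn in entry.get("memberOf", []))

# Constructed sample entries, shaped like LDAP search results.
SAMPLE = {
    "pc01$": {"userAccountControl": ["4096"],
              "memberOf": ["cn=mygroup, dc=mydomain, dc=local"]},
    "pc02$": {"userAccountControl": ["4098"],  # 4096 | ACCOUNTDISABLE
              "memberOf": ["CN=MyGroup,DC=myDomain,DC=local"]},
    "pc03$": {"userAccountControl": ["4096"],
              "memberOf": ["CN=Printers,DC=myDomain,DC=local"]},
}

if __name__ == "__main__":
    print(machine_filter("pc01.myDomain.local"))
    for name, entry in SAMPLE.items():
        print(name, "authorized" if is_authorized(entry) else "rejected")
```

The `memberOf` attribute lists direct group memberships only, so nested groups need a separate lookup.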

Suhail Ahmad

Hi Michael,

Thank you for the detailed information, it really helps me get a better understanding :). While configuring EAP-TLS, which authentication method should I select? Is it the LDAP Authentication type with plain password lookup?

We want to implement both agent-less assessment for tablets/phones and agent-based for Windows/Mac/Linux machines.

Do you think NAC can play any role for ADFS?

Thanks for the support.

Regards

Suhail


Michael Kirchner

Hi Suhail,

You would configure in (Advanced) AAA for 802.1X Local Authentication with LDAP Lookup.

What do you mean with "Do you think NAC can play any role for ADFS?"?

Regards
Michael

Suhail Ahmad

Hi Michael,

Thanks for the reply. Sorry I didn't clarify my question regarding Active Directory Federation Services.

I am looking for alternatives to Microsoft certificate support: third-party solutions that provide strong authentication and integrate with Microsoft technologies. To varying degrees, all of the AD FS remote access alternatives can be integrated with third-party strong authentication solutions.

One of the more popular third-party two-factor authentication solutions is RSA SecurID.

I am interested to know and see if NAC supports this feature.


Thanks


Suhail


Michael Kirchner

Hi Suhail,

OK - now I see your point. Unfortunately I am not very deep into AD FS, but I don't think NAC supports AD FS. But more importantly, what do you want to achieve with that?

Regards
Michael