This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Wireless
- ExtremeWireless (General)
- RE: NAC-Appliance IA-A-20 vs Mobile-IAM-APP
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
NAC-Appliance IA-A-20 vs Mobile-IAM-APP
NAC-Appliance IA-A-20 vs Mobile-IAM-APP
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-06-2015 05:53 AM
Hi There,
Can you please help us out against below queries?
1. What’s the difference between NAC Appliance part# IA-A-20 and IAM appliance part# Mobile-IAM-APP?
2. Can NAC & IAM appliances be equipped with SFP+ transceiver?
3. Is it possible to roll out EAP certificate based authentication using NAC or IAM appliance.
Your quick response in this regard would be highly appreciated.
Can you please help us out against below queries?
1. What’s the difference between NAC Appliance part# IA-A-20 and IAM appliance part# Mobile-IAM-APP?
2. Can NAC & IAM appliances be equipped with SFP+ transceiver?
3. Is it possible to roll out EAP certificate based authentication using NAC or IAM appliance.
Your quick response in this regard would be highly appreciated.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-06-2015 01:00 PM
Hi Suhail,
Yes you are right, in an Active Directory Domain PEAP can be implemented transparent to the user, so that the NTLM authentication is done by NAC. Nevertheless the NAC Appliance need a server certificate so that the 802.1X supplicant trusts the NAC as RADIUS Server. But be carful in an multi-forrest, in this case it can be easier to use the NAC as RADIUS-Proxy to an Microsoft NPS Server as PEAP needs an AD membership. But if onlye on Domain I would use directly NAC.
With EAP-TLS from my point of view this is a lot easier as you don't need the AD integration with NTLM. NAC needs a trusted server certificate of the Domain CA and the beloning CA certficiates of the client certs. That's all. The fact that the client uses a trusted client certificate is enough. If you want to check if the user (or mostly better - machine) has an active AD member account you can do a simple group membership check based on an LDAP-Bind. (memberOf CN=MyGroup,DC=myDomain,DC=local).
That's the way I implement most of my NAC projects. EAP-TLS combind with LDAP-Bind memberOf check.
The NICs are normally used seperatly. E.g. you can user 1 for Mangement and RADIUS and another for handling Guest Portal traffic. It is not intended to create a LAG.
What kind of assessment are you gonna to do? Agent-Based Assessment or Agentless? If agent-bases I would not worry of 1G. With agentless you could use a second NIC. In general I would recomend to use at least 2 NAC Appliances (hardware or virtual) to have the redundancy. Virtualization is no redundancy if you think about Updates ect. .
Hope that helps. If you have any further question don't hesitate to ask.
Regards
Michael
Yes you are right, in an Active Directory Domain PEAP can be implemented transparent to the user, so that the NTLM authentication is done by NAC. Nevertheless the NAC Appliance need a server certificate so that the 802.1X supplicant trusts the NAC as RADIUS Server. But be carful in an multi-forrest, in this case it can be easier to use the NAC as RADIUS-Proxy to an Microsoft NPS Server as PEAP needs an AD membership. But if onlye on Domain I would use directly NAC.
With EAP-TLS from my point of view this is a lot easier as you don't need the AD integration with NTLM. NAC needs a trusted server certificate of the Domain CA and the beloning CA certficiates of the client certs. That's all. The fact that the client uses a trusted client certificate is enough. If you want to check if the user (or mostly better - machine) has an active AD member account you can do a simple group membership check based on an LDAP-Bind. (memberOf CN=MyGroup,DC=myDomain,DC=local).
That's the way I implement most of my NAC projects. EAP-TLS combind with LDAP-Bind memberOf check.
The NICs are normally used seperatly. E.g. you can user 1 for Mangement and RADIUS and another for handling Guest Portal traffic. It is not intended to create a LAG.
What kind of assessment are you gonna to do? Agent-Based Assessment or Agentless? If agent-bases I would not worry of 1G. With agentless you could use a second NIC. In general I would recomend to use at least 2 NAC Appliances (hardware or virtual) to have the redundancy. Virtualization is no redundancy if you think about Updates ect. .
Hope that helps. If you have any further question don't hesitate to ask.
Regards
Michael
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-06-2015 12:03 PM
Hi Micheal,
Thanks for your reply, now i am clear about the differences between IAM and NAC.
How EAP-TLS authentication works using NAC? As far I know PEAP authentication is transparent to users and NTLM authentication is being performed by NAC on behalf of users at back end with LDAP server so even I don't have install my org certificate on NAC for PEAP authentication. Can you please elaborate how it works with EAP-TLS?
Is 1G connectivity would be enough to handle authentication and assessment for 3000 users simultaneously? can we create lag between 4 x 1G NAC ports?
Thank you for your support.
Regards
Suhail
Thanks for your reply, now i am clear about the differences between IAM and NAC.
How EAP-TLS authentication works using NAC? As far I know PEAP authentication is transparent to users and NTLM authentication is being performed by NAC on behalf of users at back end with LDAP server so even I don't have install my org certificate on NAC for PEAP authentication. Can you please elaborate how it works with EAP-TLS?
Is 1G connectivity would be enough to handle authentication and assessment for 3000 users simultaneously? can we create lag between 4 x 1G NAC ports?
Thank you for your support.
Regards
Suhail
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-06-2015 11:07 AM
Hi Suhail,
at first Mobile-IAM and NAC is the excactly same technology. The major difference is that "Mobile-IAM" is pre-defined package of 1x NMS-5 and 1xNAC Appliance with an End-Sytsem capacity of 3000. I think the Mobile-IAM-APP Appliance is the same as the "old" NAC-A-20 but I'm not quite sure. But that appliance is comparable to the IA-A-20.
2) No - all NAC / IAM Appliances have 4 RJ45 NICs
3) EAP-TLS is supported by the Extreme NAC/IAM solution.
Best Regards
Michael
at first Mobile-IAM and NAC is the excactly same technology. The major difference is that "Mobile-IAM" is pre-defined package of 1x NMS-5 and 1xNAC Appliance with an End-Sytsem capacity of 3000. I think the Mobile-IAM-APP Appliance is the same as the "old" NAC-A-20 but I'm not quite sure. But that appliance is comparable to the IA-A-20.
2) No - all NAC / IAM Appliances have 4 RJ45 NICs
3) EAP-TLS is supported by the Extreme NAC/IAM solution.
Best Regards
Michael
