NAC-Appliance IA-A-20 vs Mobile-IAM-APP

Suhail_Ahmad
New Contributor
Hi There,

Can you please help us out with the queries below?

1. What's the difference between NAC Appliance part# IA-A-20 and IAM appliance part# Mobile-IAM-APP?

2. Can NAC & IAM appliances be equipped with SFP+ transceivers?

3. Is it possible to roll out EAP certificate-based authentication using a NAC or IAM appliance?

Your quick response in this regard would be highly appreciated.




Michael_Kirchne
Contributor
Hi Suhail,

Yes, you are right: in an Active Directory Domain PEAP can be implemented transparently to the user, so that the NTLM authentication is done by NAC. Nevertheless the NAC Appliance needs a server certificate so that the 802.1X supplicant trusts the NAC as RADIUS Server. But be careful in a multi-forest; in this case it can be easier to use the NAC as RADIUS-Proxy to a Microsoft NPS Server, as PEAP needs an AD membership. But if there is only one Domain I would use NAC directly.

With EAP-TLS, from my point of view this is a lot easier, as you don't need the AD integration with NTLM. NAC needs a trusted server certificate of the Domain CA and the belonging CA certificates of the client certs. That's all. The fact that the client uses a trusted client certificate is enough. If you want to check if the user (or mostly better - machine) has an active AD member account, you can do a simple group membership check based on an LDAP-Bind (memberOf CN=MyGroup,DC=myDomain,DC=local).

That's the way I implement most of my NAC projects: EAP-TLS combined with an LDAP-Bind memberOf check.

The NICs are normally used separately. E.g. you can use 1 for Management and RADIUS and another for handling Guest Portal traffic. It is not intended to create a LAG.

What kind of assessment are you going to do? Agent-Based Assessment or Agentless? If agent-based I would not worry about 1G. With agentless you could use a second NIC. In general I would recommend using at least 2 NAC Appliances (hardware or virtual) to have the redundancy. Virtualization is no redundancy if you think about Updates etc.

Hope that helps. If you have any further question don't hesitate to ask.

Regards
Michael

Suhail_Ahmad
New Contributor
Hi Michael,

Thanks for your reply, now I am clear about the differences between IAM and NAC.

How does EAP-TLS authentication work using NAC? As far as I know, PEAP authentication is transparent to users and NTLM authentication is performed by NAC on behalf of users at the back end with the LDAP server, so I don't even have to install my org certificate on NAC for PEAP authentication. Can you please elaborate how it works with EAP-TLS?

Would 1G connectivity be enough to handle authentication and assessment for 3000 users simultaneously? Can we create a LAG between 4 x 1G NAC ports?

Thank you for your support.

Regards

Suhail

Michael_Kirchne
Contributor
Hi Suhail,

First, Mobile-IAM and NAC are exactly the same technology. The major difference is that "Mobile-IAM" is a pre-defined package of 1x NMS-5 and 1x NAC Appliance with an End-System capacity of 3000. I think the Mobile-IAM-APP Appliance is the same as the "old" NAC-A-20, but I'm not quite sure. But that appliance is comparable to the IA-A-20.

2) No - all NAC / IAM Appliances have 4 RJ45 NICs
3) EAP-TLS is supported by the Extreme NAC/IAM solution.

Best Regards
Michael