15 Apr
Cisco Joins the NAP Party
Networking behemoth Cisco has finally made good on its 2006 commitment to integrate its proprietary NAC products with Microsoft’s NAP architecture, and the result should be shipping any month now.
I keep the three volumes of Cisco Press books about NAC on my desk as a handy paperweight (1800 pages, actual weight 5.1 lbs), so I’m already aware of how complex the Cisco NAC product line is. Ironically, support for NAP appears to have made Cisco NAC more complex, not less. Last year Cisco and Microsoft published a white paper explaining how Cisco Secure ACS works with NAP. The approach relies heavily on 802.1x in addition to a number of different servers. ChrisB posted earlier today on why we don’t think 802.1x will see wide adoption in the small and medium enterprise, and Network World found even the latest Cisco and Dell switches have problems with 802.1x, but that’s just the start of the challenges for Cisco NAC.
When you dig into the details of Cisco’s NAP integration, you quickly realize Cisco did not take the opportunity to simplify their product. For example, the Cisco Secure ACS configuration guide describes a NAP scenario with fifteen steps for implementation. Fifteen steps sounds pretty manageable, right? Wrong! Each of the fifteen steps contains another dozen or so steps. Step 10 promises instructions for setting up Windows Server 2008 and the Microsoft clients, but instead directs you to the wrong URL for the helpful-sounding NAC/NAP Configuration and Troubleshooting Guide (which appears to be missing in action).
Missing documents aside, 250+ steps later you may just have a working NAP integration. The sheer amount of information covered in the Cisco configuration guide might be OK for the large enterprise CCIE who deals with Cisco products every day, but the average IT administrator is going to be overwhelmed. Cisco is a welcome boost to the NAP ecosystem, but I doubt small and medium enterprise customers will be rushing to implement Cisco’s flavor of NAC just because they finally support NAP.
Cisco lab photo courtesy of Roney.



AMEN!
Hit the nail on the head. I don’t love Cisco, but we have some customers that are happy with it and choose to go that route. When they ask for advice, we just tell them to go for it, but see it working FIRST (before they sign a PO).
15 steps x 12 sub-steps = not gonna happen
They usually call back a few months later and want to look at something else…
-jj