
Hello. We are currently using Bradford on our campus for NAC. We often receive complaints about how difficult the registration process is and why we require antivirus since "Mac's never get viruses." This has prompted us to start researching the future of NAC. What are other schools doing in this area?

If you have gone away from using a NAC, what approach are you using now to get the similar functionality?
How do you authenticate guest users?
How do you disable access for those students who violate policy?

Looking forward to the feedback,
Jason

--
Jason R. Hall
Denison University
Network Engineer
Desk: 740-587-6229
Cell: 740-973-5754

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at



Jason,

We are using Forescout and often have the same complaints. We are in the process of reevaluating how our NAC is being used because we have gone from a wired network to an almost completely wireless network, and a lot of the feature sets were not designed to function with controller-based wireless.

In regards to Macs not getting viruses, this is something that has been on our radar the last few days:

Best,
Ryan Young
Network Administrator
The Masters School
Dobbs Ferry, NY 10522

With over 600,000 Macs in the Flashback botnet, I think you can definitively say that Macs do get viruses.

We also use Bradford but have had chronic issues with it, but that might just be us. When it works it's fine. We do have a "get connected" clinic for the first-year students every year, since they usually need updates and a virus scanner installed, and are totally lost without some IT guidance. We use the dissolvable agent.

We use our Cisco WLC guest interface for guest users. It's simpler for us.

Students who violate policy get their network access turned off in Bradford and then get a call from the Dean of Students office. They can jump to the guest network but they have to keep registering. 



Jason,

We use a multi-layer approach to "NAC". We are using PacketFence as a MAC-based, wired access solution, and are thinking about using it, also, as a guest wireless portal. Our regular wireless infrastructure uses 802.1x back-ended by RADIUS and our IDM solution. Additionally, we are using Impulse's SafeConnect product as a Layer 3 policy enforcement device; this is where/how we force/enforce updates and AV "stuff".

Our initial reasoning for PacketFence was so that we could move from a single-vendor MAC solution (Cisco's VMPS) to a multi-vendor, Layer 2 capable product. PacketFence has really worked well for us. Unfortunately, in the intervening years, we have hit a few vendor issues ... "Oh, we have to work with PacketFence in order to be considered for a campus edge solution? Of course, we are committed to you and your needs" and then "well, you have to show your commitment to us ... how about you purchase this/these and then we will ..." I really hate being held hostage by vendors. I don't play those games.

The Impulse product turned out to be a no-brainer. We were trying to solve the "Oh crap, the students are back from Spring Break and viruses are killing us" problem. Since the day we installed that product, we haven't had a major virus outbreak. Yes, we see the onesey-twosey infections for old Java versions and vulnerable PDF readers, but to address that, we are using the KACE product.

So ....

The bottom line:

PacketFence was free
- Our servers - two servers (one physical, one virtual) and one MySQL backend.
- We pay approximately $5000/yr for maintenance to Inverse.
- This covers 150 hours of support
- We get as many upgrades from them as our $$ last
- We normally have $$ "left over" at the end of the support year and that gets applied to the next year

Impulse was maybe $6000 6/7 years ago
- We pay approximately $5000 per year for maintenance
- We get our own support engineer
- We have gotten a new upgraded server at no cost since the original server

If you would like more information, don't hesitate to contact me

P


We use Bradford as well, mostly with the one-time agent and a 60-day timeout/registration, so most students only re-register once a year after returning from the summer. We currently only allow our required anti-virus solution (McAfee) but are considering changing this. Our guest system is done via an Aruba wireless captive portal which lets anyone on who enters an email address and agrees to terms of use. This network is limited in bandwidth and ports available.

These systems were set up many years ago as a compromise between our security needs and our user base's willingness to accept more registration hurdles. I'm starting to think it is time to improve things.

I really like the looks of Aruba's new Quick Connect product (based around their purchase of AmigoPod). It does all the things a traditional NAC does but seems to have a very well thought out guest registration system as well. It is based more around the corporate world and "onboarding" BYOD devices onto the network, but seems to fit the edu market as well. They have some impressive options around controlling iOS/Android devices as well as MacOS/Windows/Linux. The way they are identifying other types of devices and authorizing their use seems smart. It integrates all the data with AirWave, which gives you a lot of information about each wireless client already. Lastly, they are the first ones I've seen that allow you to manage all the stupid mDNS stuff in a sane way which might actually work in an enterprise environment.

That said, the product is very new and I've only just looked at the demos so far. Time will tell if they have enough bugs out of it and will get the client base needed to continue to support keeping up with all the different devices and vendor updates. I tend to prefer that a product survive the September rush at another school before I want to try it myself. :)

Problem devices (and users) are controlled by a custom-written setup that works with the Bradford to give them a restricted network and different redirect pages. The page informs them about their violation type and requires them to talk to an IT staff person before being cleared to re-register. In extreme cases we blacklist the client on the Aruba and DHCP servers.

-Fred

Hello Jason,

Good question. We see plenty of Mac security issues. Problem is that I have yet to see anything showing that forcing people to run AV software has a significant impact on AV issues developing on their machines. We enforced update AV software on Windows machines, and had plenty of issues with them. Many security issues in the Windows world are prevented by firewalls and keeping patches up to date. Recent versions of Windows come with FW and WU on by default, and Microsoft appears to be making it more and more of a priority to annoy, harass and scare users when these settings change. It also does this when AV software is turned off or not up to date. I would contend that Windows comes with built-in strong encouragement of the posture that many attempt to enforce with NAC software.

So the question is, what incremental value do you get going the extra step to enforce? And does that value justify all the pain users suffer (which often makes us and our networks look bad) from the NAC agents, as well as the costs of hardware/software and internal support to keep the NAC system running?

The other problem is that we started doing NAC to stop the worms that brought down our networks. Back then it had not occurred to anyone to protect users from themselves. Yet, at least in conversations I'm often involved in, we interchange the importance of protecting users with protecting the network. Do we really need to force young adults into safe computing practices when they have grown up using computers? I would also contend that when we had the outbreaks of network worms, firewalls did not exist on Windows machines, and I don't believe they were capable of automatic updates. Either of these would likely have prevented the worms which took advantage of un-patched Windows machines and spread primarily by accessing other machines on the same layer 2 network which were not protected by firewalls.

That leaves the authentication/tracking feature of NAC. Most of this can be done through a combination of 802.1x and RADIUS, which are common on the wireless networks that our students seem to live on. 802.1x is more challenging on wired networks (even though it was designed for them originally), but apparently it can be done with modern switches. There are simpler ways to do it on the wire as well.

Then there is the quarantine feature of NAC systems, which we use to get a problem machine off the network, get a user's attention, or penalize them for inappropriate computing behavior. Most wireless systems and RADIUS systems provide ways to deny access to a wireless network. What they don't do is give you a way to communicate to the user the reason their network access is denied, or the ability to remediate a problem that requires some network access. There are simpler ways to do this as well, though, using DNS/DHCP for those who consider this to be a priority.

Guest users are a completely separate problem. We use Bluesocket for this. It makes it easy for a guest to provision a temporary login for themselves by going to the web page on the guest network where they plug in their cell phone number and get a password texted to them. This makes it easy for any user to figure out how to get on the network and provides us with something to track them to if there was ever a problem. We can also provision temporary logins either for individuals or a group if there is a conference. If they are here for a longer amount of time they can be provisioned a netid which will get them on 802.1x.

Pete Morrissey

We were quite late being able to get a NAC solution in, only implementing it this current year, but we haven't experienced many of the issues described on this topic. We use Enterasys's solution and it seems to address many of the issues that have been described here. It does both wired and wireless authentication as well as 802.1x and MAC authentication. We also have guest portal authentication through it on both the wired and wireless side, as well as a recent upgrade that provided a mobile-formatted guest authentication page.

Regarding "assessment", we can require a variety of things based on institution policies based on a large variety of variables. For example, it can distinguish the OS on the device, including things like Xbox, PS3, Wii, iOS, Android, Mac versions, Windows, Linux, etc., and you can implement different policies on this or even different users inside these groups. For example, faculty and staff using Windows must have all Windows patches up to date, AV on, and a screensaver configured to lock the machine after 15 minutes of non-use, where students might just be required to have updated patches and firewall turned on.

I guess if you are looking to replace Bradford anyway I would recommend at least taking a look at it, because for us it has made our life way better in trying to manage things.

Ben Parker
Network Support Tech
University of Mount Union

We first explored NAC with Perfigo/Clean Access in response to the old worm threats (Slammer, Nachi, Blaster, etc). As others have mentioned, the addition of Windows firewall and automatic updates have replaced some of these concerns, although default Windows provisions have no teeth (they can be ignored/disabled). We changed to Bradford after Vista came out and necessitated a forklift upgrade of our Clean Access (new CCA version was a repurchase, and new version did not support all of our existing switches, so the overall upgrade price tag was huge).

We encountered significant resistance to forced remediation (even for basic Windows update and some updated A/V product). We disabled forced remediation over a year ago (when splitting our installation from a HA pair into two separate pods, campus vs dorm/wireless). Some of the remediation issues were simple timing, and recent updates to Bradford allow "delayed remediation" with policy status reflected in the agent icon. We are still not doing remediation, but the option is much more attractive with the delayed approach.

Our "primary" payoff with Bradford is in network management - we make heavy use of VRFs, VLANs, and role-based subnet security, and using role-based management with Bradford does much of that automatically. We also get the "universal quarantine" approach of placing compromised hosts in quarantine (registered or not) and having that status track them regardless of connection location. No more whack-a-mole with physical port shutdowns, and the redirect to the captive portal lets us convey some information to the user (why they are quarantined, and contact information for the helpdesk). We also get excellent auditing/tracking of time, IP address, MAC address, switchport, host, and if registered, the associated user.

Over the past year we have started moving Bradford management to the campus network (was originally just Resnet/wireless), and are fast approaching complete coverage. We place less emphasis on the policy enforcement (patching, A/V, remediation) and more on identification of connected devices (we are doing printers, cameras, access panels, etc in addition to computers) and VLAN placement.

We are also in the initial phase of deploying BigFix (IBM Tivoli Endpoint) to put "teeth" into the patching process as well as including third party products (Flash, Java, Acrobat, etc). It won't be deployed to student computers, but will solve the university owned equipment challenges.

We certainly depend upon Bradford, but not for the traditional "NAC" connotations, rather the side benefits.

Jeff

We are using Cisco's NAC but do not enforce any policies such as AV. We've gotten enough complaints about students having to load a client that I doubt we'll ever enforce any requirements. I can just imagine our helpdesk calls doubling or worse if we tried.

I think in the future we will just look for something that just handles the network access part. Something like NetReg but commercial. It would be clientless as well.

I was also kicking around the idea of private VLANs. I think the combo of IPS and private VLANs would be more effective and user friendly than the Cisco solution we have now.

On 4/5/2012 9:20 AM, Jason Hall wrote:
> Hello. We are currently using Bradford on our campus for NAC. We
> often receive complaints about how difficult the registration process
> is and why we require antivirus since "Mac's never get viruses." This
> has prompted us to start researching the future of NAC. What are
> other schools doing in this area?
>
> If you have gone away from using a NAC, what approach are you using
> now to get the similar functionality?
> How do you authenticate guest users?
> How do you disable access for those students who violate policy?
>
> Looking forward to the feedback,
> Jason
>