Yesterday Cisco announced its intent to purchase Meetinghouse, the only remaining 802.1X supplicant vendor in the market after Juniper’s recent acquisition of Funk. As Wi-fi Net News notes, this thins the RADIUS market even further (though it sounds like I should get my marketing department in touch with the author, Glenn Fleishman, for a product overview). Overall the acquisition seems like a significant positive for Cisco for a number of reasons. There are also some considerations for the industry as a whole. Let’s cover Cisco first.
First, Cisco now has a multi-OS supplicant they can provide to their customers to help remove objections to new wireless or wired infrastructure deployments. They achieved this goal for significantly less money than Juniper did with Funk (44 vs. 122 million), in part because Meetinghouse did not have a significant presence in the AAA server space the way Funk did with its SBR. Since Cisco has their own AAA server in ACS, this wasn’t a significant issue in Cisco’s eyes.
Second, it appears that Juniper is attempting to take control of the edge access methods within an organization through either their SSL VPN products or the 802.1X supplicant. Since they have neither Ethernet switches nor wireless APs to sell, they recognize revenue on the supplicant. Cisco, on the other hand, has both switches and WLAN APs, allowing them to use their new supplicant as an enabler, potentially by giving the client away or offering it for substantially less. Assuming that Cisco continues to commit to standards, having a freely available and well-supported supplicant in the marketplace would be a great thing.
Third, by being in control of the supplicant rather than using an OEM, Cisco can have complete control over the roadmap, ensuring that the supplicant does what is needed for both WLAN and Cisco NAC.
Moving on to the industry implications, things get a bit muddier. First, I think this will be a net positive for 802.1X deployment, but I’m not certain which way Cisco will go with respect to keeping the Meetinghouse supplicant open. If they go the route of a free supplicant, what motivation do they have to make sure it supports the EAP types and unique parameters of their competitors’ gear?
Speaking of standards, the TCG TNC could be adversely affected. The TNC has been around for a couple of years now and hasn’t yet seen a ton of traction. Up until May’s Interop conference, Juniper had the only announced and shipping TNC server. At Interop, Meetinghouse announced an appliance which was set to be the second TNC server, though it has no definite ship date to customers. Since Cisco seems to view the IETF as the only viable forum for standards in this space, I would not be at all surprised to see Cisco end Meetinghouse’s engagement with the TNC and kill the announced appliance. This would leave the TCG TNC effort as primarily Juniper and friends. The list of announced and shipping products on the TCG website looks quite thin.
As stated several times on this blog, 802.1X is hardly the runaway success it hopes to be, at least on the wired side. Cisco themselves are pushing the NAC appliance more than the 802.1X approach anyway, which diminishes the implications of much of this. Until the industry gets some agreement on a ubiquitous and standard tunneled EAP type, as well as some standardization in messages and frameworks, many organizations will be left to put together ad hoc solutions which may not hold out for the long haul.
Companies can recognize significant value from authenticated networks today using a mix of authentication methods, including 802.1X. The benefits of centralized policy decision and network compartmentalization are real. The key is to avoid going into this thinking that turning on 802.1X is a binary event. As mentioned earlier, making good use of the default VLAN feature can give you a migration path which doesn’t seem quite so vertical.