Cisco has announced the branding of the Meetinghouse 802.1X supplicant. The “Cisco Secure Services Client” is now available. I wrote about the Meetinghouse and Cisco deal a while back. I was right when I predicted that Cisco would pull Meetinghouse out of the TCG / TNC; that happened pretty fast. However, I was wrong when I predicted that Cisco might sell their client for substantially less than Juniper’s offering or even give it away for free. My reasoning was that Cisco had far more to gain by selling switch migrations enabled by a supported supplicant, than they did in trying to recognize revenue per seat in connecting to those switches.
I still stand by that. However, there is some subtlety here. Just because something costs between $30 and $40 a seat depending on volume (very similar to Juniper’s supplicant), doesn’t mean that Cisco will charge that to its biggest customers. The minute a major account manager has a giant Catalyst switch deal on the line if they can remove the supplicant objection, I think the cost will be reduced if not eliminated. That’s just good business.
However, if Cisco’s goal was to ensure that 802.1X succeeded only on Cisco kit, their strategy seems more plausible but is still flawed. A Cisco supplicant which was almost free to Cisco networking customers but not for anyone else would prevent non-Cisco network customers from freely using the Cisco supplicant. The flaw comes in with respect to 802.1X’s wired deployability in general. Cisco succeeds when the network gets more intelligent. 802.1X is still in its nascent stages on the wired side and Cisco’s competition isn’t really HP ProCurve (regardless of how much HP would like that to be true). Their real competition is dumb networks in general. Vista’s security infrastructure doesn’t require the use of networking as enforcement. It doesn’t have the 802.1X supplicant complexity as a required element. While their security model is incomplete, it is also mostly free to organizations deploying Microsoft on the server and client side–which is just about everyone. For more evidence on Microsoft’s stance on wired 802.1X see this article which was originally titled “802.1X on Wired Networks Considered Harmful.”
Rather than trying to differentiate Cisco vs. the other network vendors, Cisco should instead be trying to rally the networking industry to compete with the onslaught of host and application oriented security solutions. I’ve often stated that security is a system and that there are roles for the network and the host to play. However, business goals and security architecture aren’t always aligned. Cisco should be championing open standards to make the network more intelligent, not looking for ways to keep such systems proprietary. They already have the market share and if customers see them as innovators and embracing standards (which is how Cisco got to where it is today) they will continue to buy Cisco. This bears on their supplicant pricing decision as well as their involvement and willingness to drive standards around NAC.
When IPsec VPNs for remote teleworking became viable, Cisco bought a company called Altiga. Altiga became the Cisco VPN 3000 Concentrator and it was quite a success. The client for connecting to the concentrator was given away since the money they wanted to make was in the hardware. However, there were proprietary extensions to the client from Cisco and other VPN vendors like CheckPoint and Nortel. Microsoft had their own IPsec client in Windows, but because its configuration was clunky, it wasn’t used. IPsec never really converged on a standard, open, and interoperable client. As a result, SSL VPN seems to be the technology with long-term staying power in no small part due to the client being ubiquitous. With 802.1X / NAC, Cisco has proprietary technology and is charging for the client. I’ll be surprised if the outcome is better and not at all surprised if it turns out worse.
This further reinforces the need for an open supplicant as I’ve written about before. The next 18 months will be very telling for 802.1X as a ubiquitous authentication mechanism rather than a deployment necessity for secure wireless.