Dave Kearns on NAP and Active Directory
Dave Kearns has a nice write-up on the directory implications of NAC / NAP. He says:
What I find extraordinary in all the material Microsoft has published on NAP and NAC (both Cisco’s NAC and the generic NAC) is the extremely limited (i.e., I couldn’t find any) references to Active Directory! But all of this is firmly based on having an up-to-date, schema-extended Active Directory forest as the basis for identifying and tracking all of the hardware that’s either on or attempting to attach to your network.
Getting a handle on AD is certainly a requirement before doing NAP, but in talking to customers I'm finding things are even worse than Dave describes. Often there are multiple AD forests, inherited through acquisition or merger. Many organizations also run separate LDAP servers that house their own user repositories for particular groups. Microsoft would like organizations to put all their users and devices in a single AD forest, but while that may be a goal for an enterprise, there are plenty of practical obstacles that prevent it from happening.
Network identity management is about more than just directories and AAA. It has to be about making those directories do something useful in their current state of deployment, not in the idyllic environment envisioned by the vendor. Some of the things a virtual directory does for application IdM (presenting one logical view over several physical directories with different schemas) are just as useful in the network context. Only when we can easily identify both the user and their device can we hope to write meaningful policies around what those elements can do on a network.
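To make the virtual-directory point concrete, here is an added example (not code from the original post or from any vendor product): a toy virtual directory that merges user and computer records from two AD forests and a separate LDAP server, then feeds a network policy decision that requires both the user and the device to be resolved. Every forest name, record, attribute and group below is constructed; the AD-style attributes (`memberOf`, `dNSHostName`, `operatingSystem`) and the LDAP `ou` attribute are used only to show the schema mismatch a merger leaves behind.

```python
"""Added example, not from the original post: a toy virtual directory that
merges user and device records from several directories (two AD forests and
a separate LDAP server) so a network policy can identify both the user and
the device. Every record, attribute name and group below is constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed backends with deliberately different schemas.
FOREST_CORP = {
    "users": {
        "jsmith": {"mail": "jsmith@corp.example", "memberOf": ["Finance"]},
        "admin": {"mail": "admin@corp.example", "memberOf": ["IT"]},
    },
    "computers": {
        "LAPTOP-42$": {"dNSHostName": "laptop-42.corp.example", "operatingSystem": "Windows"},
    },
}
FOREST_ACQ = {  # forest inherited through an acquisition
    "users": {
        "a.jones": {"mail": "ajones@acq.example", "memberOf": ["Engineering"]},
        "admin": {"mail": "admin@acq.example", "memberOf": ["Helpdesk"]},
    },
    "computers": {
        "WS-7$": {"dNSHostName": "ws-7.acq.example", "operatingSystem": "Windows"},
    },
}
LDAP_CONTRACTORS = {  # inetOrgPerson-style entries; group membership is an "ou"
    "users": {"bwong": {"mail": "bwong@contractor.example", "ou": "Contractors"}},
    "computers": {},
}


@dataclass
class Identity:
    principal: str
    source: str
    email: str
    groups: list


@dataclass
class Device:
    account: str
    source: str
    hostname: str
    os: str


class VirtualDirectory:
    """One logical view over several physical directories."""

    def __init__(self, sources):
        self.sources = sources  # ordered list of (source name, backend dict)

    def lookup_users(self, principal):
        """Every backend that knows this principal, normalised to Identity."""
        hits = []
        for name, backend in self.sources:
            rec = backend["users"].get(principal)
            if rec is None:
                continue
            # AD exposes memberOf; the LDAP server only carries an ou attribute.
            groups = list(rec.get("memberOf", []))
            if "ou" in rec:
                groups.append(rec["ou"])
            hits.append(Identity(principal, name, rec["mail"], groups))
        return hits

    def find_user(self, principal) -> Optional[Identity]:
        """Unique match or None: a principal present in more than one forest
        is treated as unresolved rather than silently taking the first hit."""
        hits = self.lookup_users(principal)
        return hits[0] if len(hits) == 1 else None

    def find_device(self, account) -> Optional[Device]:
        for name, backend in self.sources:
            rec = backend["computers"].get(account)
            if rec is not None:
                return Device(account, name, rec["dNSHostName"], rec["operatingSystem"])
        return None


def network_decision(vd, principal, device_account, required_group):
    """Policy needs both the user and the device resolved before it can say
    anything meaningful; an unknown or ambiguous endpoint is quarantined."""
    user = vd.find_user(principal)
    device = vd.find_device(device_account)
    if user is None or device is None:
        return "quarantine"
    return "allow" if required_group in user.groups else "restricted"


VD = VirtualDirectory([
    ("corp", FOREST_CORP),
    ("acq", FOREST_ACQ),
    ("contractors", LDAP_CONTRACTORS),
])

if __name__ == "__main__":
    for args in [("jsmith", "LAPTOP-42$", "Finance"),
                 ("bwong", "WS-7$", "Finance"),
                 ("admin", "LAPTOP-42$", "IT"),
                 ("a.jones", "UNKNOWN$", "Engineering")]:
        print(args, "->", network_decision(VD, *args))
```

The duplicated `admin` account, which exists in both forests with different group memberships, is the case a merged environment actually produces; the resolver refuses to guess and the policy falls back to quarantine, which is the safe default until the identity data is reconciled.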
October 14th, 2006 at 3:53 am
There are no references to AD in the NAP documentation because no AD schema updates are required for NAP. The only thing required is a Longhorn server running Network Policy Server. The AD schema updates Dave points out are for SMS 4.0. Of course, you will still want to have your AD in order to implement 802.1X and, to a lesser extent, IPsec.