How can we tell whether the new 802.11n WAPs that we purchase today will be compatible with NAC?
Today, there are several well-known Network Access Control (NAC) architectures, including Cisco NAC, Microsoft NAP, and Trusted Computing Group TNC. These architectures embed NAC capabilities into the network itself, using devices like Ethernet switches and Wireless APs to handle access requests and enforce access decisions. In addition, there are dozens of products that spin their own flavor of NAC, from proprietary network appliances to endpoint security agents.
This degree of diversity makes it hard to say whether or not any product is "compatible with NAC" -- a better question to ask is whether a given product is compatible with a specific NAC architecture or appliance. For example, Cisco NAC (CNAC) relies on Cisco network devices as its enforcement points. Today, CNAC-compatible devices include Cisco routers, Catalyst switches, Aironet Access Points, and the Cisco VPN 3000 Concentrator. See Cisco's website for a current list of CNAC-enabled products.
Nonetheless, some commonality does extend across all of these NAC architectures, and across many proprietary NAC appliances. In particular, most can use 802.1X to handle Layer 2 access requests, with the switch or AP acting as the 802.1X authenticator and relaying those requests over standard RADIUS to a NAC policy server, where the access decision is made. 802.1X is designed to support an open-ended dialog between an 802.1X supplicant (the host requesting access) and an 802.1X authentication server (the system responsible for permitting or denying access); the authenticator in between passes messages back and forth without having to understand their contents. The messages exchanged during that dialog are carried by the Extensible Authentication Protocol (EAP): as EAPOL frames over the wireless link, and inside RADIUS EAP-Message attributes between the AP and the policy server. Today's NAC architectures use different EAP methods, and each carries its own endpoint assessment messages inside the EAP method it chose. However, all of those EAP methods ride on standard 802.1X and RADIUS, so the AP only has to relay them and act on the final Access-Accept or Access-Reject.
The bottom line is this: If you plan to implement NAC, purchase Wireless APs (and Ethernet switches) that support standard 802.1X/RADIUS-based port access control. When examining Wi-Fi Alliance test certifications, look for WPA-Enterprise and WPA2-Enterprise support, since both require 802.1X/EAP authentication. This is all your WAP will need to support basic go/no-go NAC decisions (an Access-Accept or Access-Reject returned by the policy server). If you plan to take NAC further, look for the following features:
802.1Q VLAN support, letting the WAP tag wireless traffic before it heads into your wired network.
RFC 3580 support, letting the WAP understand and apply the VLAN ID returned by the NAC policy server in a RADIUS Access-Accept (carried as the Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and Tunnel-Private-Group-ID attributes), so that a host can be placed on a quarantine or remediation VLAN without reconfiguring the AP.
Virtual APs with the ability to simultaneously support multiple SSIDs, letting the same WAP support both open guest access and secure access, each mapped to its own VLAN.
Intra-WLAN security options (often called client isolation) that let the WLAN prevent unknown, potentially infected or malicious stations from communicating with NAC-authorized stations through the AP.
These features won't guarantee plug-and-play compatibility between your WAP and every NAC product, but they will give you a pretty good shot at integrating that WAP into many possible NAC deployments.
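To make the RFC 3580 point concrete, here is an added example (not code from the original article, Cisco, or any NAC vendor) of what a WAP has to do with the policy server's RADIUS Access-Accept before it can honor a dynamic VLAN assignment: check the packet's Response Authenticator against the shared secret and the Access-Request's authenticator (RFC 2865), then pull the Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID triple out of the attribute list, matching tags per RFC 2868. The shared secret, request authenticator, packet identifier and VLAN numbers are constructed sample values; the helper names are this example's own.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute numbers used for RFC 3580 VLAN assignment
ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64                # RFC 2868
TUNNEL_MEDIUM_TYPE = 65         # RFC 2868
TUNNEL_PRIVATE_GROUP_ID = 81    # RFC 2868
TUNNEL_TYPE_VLAN = 13           # RFC 3580, section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6      # RFC 3580, section 3.31

# Constructed sample values; a real AP takes these from its RADIUS client state
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))   # authenticator the AP sent in its Access-Request
IDENT = 7                          # identifier of that Access-Request

def attr(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute (RFC 2865, section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def vlan_attrs(vlan_id, tag=1):
    """The RFC 3580 triple a NAC policy server returns to place a port on a VLAN.
    Integer values carry a one-octet tag and a 3-octet number (RFC 2868)."""
    return (attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def build_access_accept(ident, request_auth, secret, body):
    """Access-Accept with the RFC 2865 Response Authenticator filled in:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_access_accept(packet, request_auth, secret):
    """Check code, length and Response Authenticator before trusting any attribute."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attrs(packet):
    """Yield (type, value) pairs; reject truncated or zero-length attributes."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        yield attr_type, packet[pos + 2:pos + length]
        pos += length

def split_tag(value):
    """RFC 2868: a leading octet of 0x00..0x1F is a tag, anything else is data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value

def vlan_from_access_accept(packet, request_auth, secret):
    """VLAN ID the AP should assign, or None if the reply fails authentication,
    is malformed, or carries no consistent VLAN tunnel triple (stay on default VLAN)."""
    if not verify_access_accept(packet, request_auth, secret):
        return None
    groups = {}   # tag -> {attribute type: decoded value}
    for attr_type, value in parse_attrs(packet):
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        tag, data = split_tag(value)
        entry = groups.setdefault(tag, {})
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            entry[attr_type] = data
        elif len(data) == 3:
            entry[attr_type] = int.from_bytes(data, "big")
    for _tag, entry in sorted(groups.items()):
        if (entry.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and entry.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802):
            gid = entry.get(TUNNEL_PRIVATE_GROUP_ID, b"")
            if gid.isdigit() and 1 <= int(gid) <= 4094:   # valid 802.1Q VLAN range
                return int(gid)
    return None

def genuine_accept():
    """Constructed Access-Accept placing the station on VLAN 42."""
    return build_access_accept(IDENT, REQUEST_AUTH, SECRET, vlan_attrs(42))

def tampered_accept():
    """Same packet with the VLAN rewritten in transit, authenticator left untouched."""
    return genuine_accept()[:20] + vlan_attrs(99)

def accept_without_vlan():
    """Access-Accept carrying only Session-Timeout (type 27): no VLAN override."""
    return build_access_accept(IDENT, REQUEST_AUTH, SECRET, attr(27, (3600).to_bytes(4, "big")))

if __name__ == "__main__":
    print(vlan_from_access_accept(genuine_accept(), REQUEST_AUTH, SECRET))       # 42
    print(vlan_from_access_accept(tampered_accept(), REQUEST_AUTH, SECRET))      # None
    print(vlan_from_access_accept(accept_without_vlan(), REQUEST_AUTH, SECRET))  # None
```

The tampered case is the one worth noticing: a WAP that applies Tunnel-Private-Group-ID without first verifying the Response Authenticator lets anyone who can inject packets on the AP-to-server path move a station onto a VLAN of their choosing. The example also refuses to act on a triple whose tags do not agree or whose VLAN ID falls outside 1-4094, leaving the station on the AP's default VLAN instead.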
This was first published in September 2007