[c-nsp] NAC for Thin-Clients?

Phil Mayers p.mayers at imperial.ac.uk
Mon Jul 28 04:27:41 EDT 2008


>
>The customer wants posture assessment of the user virtual systems (though
>located on a central thin-client server) and not the thin client hardware
>themselves. It is possible for one user to have viruses on his virtual PC
>because of not updating his antivirus signatures or patches or etc.
>
>My client wants a solution that would assess each user's virtual system and
>restrict network access if it should be found to be non-compliant. Note that
>a user may access his system from any thin-client.
>
>I want to believe that this makes my requirements clearer. Perhaps you could
>suggest a solution or technology for me.

Hmm.

Obviously you can't do port-based NAC because the switch ports will be 
shared by >1 system, possibly very many?

Cisco support EAP over UDP, which allows you to do 802.1x (and thus NAC) 
through non-802.1x switches to a supporting router. You'd need the Cisco 
NAC client I suspect, and it's non-standard so it might be a bit of a 
lock-in.

What virtualisation technology are the user systems on? It might be 
possible to instruct the hypervisor to move a virtual system off the 
"normal" virtual switch/bridge to a "banned" one, and implement this by 
extracting last-seen times from Windows Update / AV console logs (we do 
this with non-virtual systems).

>
>Thanks,
>
>Felix
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
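
The log-driven approach suggested in the last paragraph of the reply, sketched as an added example that is not part of the original post or any poster's tooling: it reads last-seen times per virtual system and decides whether each belongs on the "normal" or "banned" virtual switch. The CSV export format, VM names, source labels, seven-day threshold and function names are all assumptions, and the hypervisor call that would actually move the VM is left out.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (vm, source, last_seen). The format is an
# assumption, not the output of any real AV or Windows Update console.
SAMPLE_EXPORT = """vm,source,last_seen
vdi-alice,av,2008-07-27T22:10:00
vdi-alice,wu,2008-07-26T03:00:00
vdi-bob,av,2008-07-01T09:00:00
vdi-bob,wu,2008-07-27T03:00:00
vdi-carol,av,2008-07-27T21:00:00
vdi-dave,av,not-a-date
vdi-dave,wu,2008-07-27T03:00:00
vdi-alice,av,2008-07-20T08:00:00
"""

REQUIRED_SOURCES = ("av", "wu")  # hypothetical labels: AV console, Windows Update

def latest_reports(export_text):
    """Return {vm: {source: newest last-seen datetime}} from the export."""
    latest = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        per_vm = latest.setdefault(row["vm"], {})  # VM is known even if the row is bad
        try:
            seen = datetime.fromisoformat(row["last_seen"])
        except ValueError:
            continue  # unparseable timestamp counts as "never seen"
        src = row["source"]
        if src not in per_vm or seen > per_vm[src]:
            per_vm[src] = seen  # keep only the most recent report per source
    return latest

def switch_assignments(export_text, now, max_age=timedelta(days=7)):
    """Map each VM to 'normal' or 'banned'; fails closed on missing/stale data."""
    result = {}
    for vm, reports in latest_reports(export_text).items():
        fresh = all(
            src in reports and now - reports[src] <= max_age
            for src in REQUIRED_SOURCES
        )
        result[vm] = "normal" if fresh else "banned"
    return result
```

A VM that has never reported to one of the required sources is treated the same as one whose last report is stale, so a broken agent cannot keep a system on the normal switch.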

