McAfee NAC Solution v3.2
Strengths: In-band and out-of-band; great guest-user options; full-featured; very flexible; provides numerous policy options.
Weaknesses: Pricey, and requires the ePolicy Orchestrator add-on if you don’t have a McAfee security architecture currently deployed.
Verdict: Strong platform, has it all. Recommended.
Summary: McAfee NAC Solution v3.2 provides network access security by detecting and assessing managed systems on your network and enforcing access to network resources based on a system's health level. Alternatively, it can detect and assess unmanaged systems on your network and enforce network access based on a system's health or user identity when combined with a supported network product. The components of the solution include the server, ePolicy Orchestrator and the agents.
The offering supports both an in-band and an out-of-band capability. The in-band capabilities can be delivered via inline DHCP or inline health check and/or authentication.
The NAC appliance can provide user identity-based access control by mapping a network user to a specific network access policy. The tool's Network Security Manager can be configured to derive roles for network users from one or more Active Directory sources, RADIUS servers, DHCP servers or 802.1X-enabled infrastructure.
Network NAC is offered in two forms: as the NAC Appliance, available at $25,000, or as an optional software NAC add-on to the McAfee Intrusion Prevention System (IPS). The add-on ranges from $3,995 (on the 100 Mbps IPS) to $41,250 (on the five Gbps IPS).
The documentation we were provided didn't cover the implementation of the appliance, so we can't comment on the level of effort required to get it out of the box and into a usable state on the network. However, the user interface we did see during the demonstration was very powerful and mature.
Basic support is included and provides 24/7 access to resources. A variety of upgraded support options are available for a fee.
This is a full-featured offering that provides all the tools needed to validate that endpoints are in compliance with policies.