Most NAC products require enough administration that managing transient users is often more trouble than it's worth. At my university, we have managed this problem - especially in our student wireless network - by creating user-specific domains with different access requirements for each. The domains usually cannot touch resources reserved for other domains. This is not trivial to set up, configure or manage. It depends on something of a one-size-fits-all approach to access control, and that never really works as well as it should.
Bradford Networks has continued to build its NAC infrastructure by adding NAC Director Guest/Contractor Services (NAC Director GCS) to its platform. GCS is a NAC system designed explicitly to support transient users.
There are, in my view, three important issues that need to be addressed when applying NAC to transient users. First is provisioning, second is access control, and third is management. Provisioning needs to be self-service for the user, but it also needs to be easily manageable by administrators. Bradford has solved this by moving the provisioning to the transient user's sponsor. The sponsor can designate guests in advance of their arrival and can assign each guest to a preconfigured role; the rest is up to the guest. NAC administrators never need to be involved. The registration follows the guest no matter where they go within the enterprise - wired or wireless.
Consider this approach to enrolling several hundred guests connecting to the network for a conference: As attendees enroll for the conference, they are added to the attendee role. When they connect to the conference wireless network for the first time, they are logged in automatically and are guided through self-enrollment. Their credentials can be emailed to them or printed on site when they arrive.
Vendors are equally simple to add. As vendors make appointments with an employee for sales calls or demos, the employee (who is also their sponsor) simply adds them to the appropriate role. When the vendor arrives and starts to set up their demo, the self-enrollment process begins and takes just a few minutes.
Finally, management is simplified because administrators deal with groups only while the sponsors deal with individual users. Guests are controlled in terms of what they can access and do in the enterprise. Rather than simply turning them on or off, administrators can set up comprehensive, granular roles. If, for some reason, the requirements for a role change, it is easy to manage the entire group by managing the role.
The NAC Director GCS appliance is priced reasonably at under $32 per user, including hardware. It becomes more economical as you add $495/50 license packs. Bradford offers a full suite of support services that includes training and professional services.
This part of the NAC Director platform offers an innovative approach to NAC for organizations of most sizes. The platform constitutes a NAC infrastructure that can be customized to the needs and size of the organization. One of its strengths, in my view, is that it is an out-of-band solution to the NAC problem. That problem - access control for the enterprise - is exacerbated when the bandwidth available for enterprise access is reduced due to the inline appliances on the perimeter. NAC is not the only inline appliance in most cases.
The bottom line is that GCS provides an extremely flexible, secure and scalable solution to the challenge of managing network access by transient users with a simplified management approach where administrators manage roles and sponsors manage individual users. It does all of this at a reasonable price.
AT A GLANCE
Product: NAC Director Guest Contractor Services
Company: Bradford Networks
Price: Starting at $7,995 for a 50-license starter pack with hardware that supports up to 250 concurrent connections, going up to $46,995 for the GCS 6000 Bundle with hardware that supports up to 6,000 concurrent connections.
What it does: Provides full-featured NAC services for guests, contractors and other transient users.
What we liked: Simplicity of administration coupled with a full feature set slanted toward non-employee users.