Can ACLs and NAC mix for security success?
The second type of equipment required the ACL to actually be generated on the policy server and pushed to the switch at the moment the user wants to get on the network. In our interoperability testing, HP's wired and wireless equipment fell into this camp. Although this is a less popular approach, it offers a different way to manage security in a more dynamic fashion.
While our policy server vendors also could all interoperate with the HP equipment, we didn't find any policy server that actually dynamically generated the ACL. Juniper's UAC, which can dynamically generate ACLs for Juniper's own firewalls, won't do so for non-Juniper equipment. None of the other policy servers had any dynamic generation capability. So while the HP approach is theoretically more dynamic, it's a moot point until more NAC products support that feature.
The Force10 switch on the network couldn't support ACLs, which restricted us to VLAN assignment when testing NAC with it. We took advantage of this difference to show how alternative NAC technologies can provide posture checking and authentication: we integrated Cisco's NAC Appliance (formerly Cisco Clean Access) into our network to handle guest users on all switches, and posture checking for the Force10 users. This alternative approach may be important, as new Gigabit-capable wiring closet switches are being selected with only very basic management and no support for ACLs.




