4.2. Dealing with Clients
An endpoint client is a component typically responsible for collecting information from the endpoint and forwarding it to the policy engine for verification and validation.
4.2.1. Client functions
An endpoint client needs to be able to collect user and endpoint information from the connecting user and endpoint.
4.2.1.1. Collect posture
If endpoint identity is one of the most valuable bits of information that you need to collect, an endpoint client can do that collection efficiently and correctly. Every endpoint is different, so you need to have the flexibility to collect the information that you need to make decisions. You should also look for open standard support for endpoint integrity collection so that if something isn't in your current NAC solution, you can find another company that supports the standards and leverage the integration, or in very rare situations, write or develop something yourself.
|
4.2.1.2. Collect user credentials
Identity is a critical aspect of network access control, and the endpoint agent typically collects this information. An endpoint agent can collect several kinds of authentication, such as
The endpoint client must have the flexibility to collect any form of authentication that you plan to use in your network.
NOTE
The endpoint client should also have support for some form of Single Sign On (SSO) authentication. If you plan to add an agent to the endpoint that's going to request credentials, try to get rid of the password prompt to make logging into the network more usable. Think of the situation this way: How would you feel if you had to log into Windows and then log into an agent right afterward? You'd probably find it quite annoying. SSO gets rid of the second login request by using the credentials that it gets from the Windows login. If you use Group Policy Objects (GPOs) in a Windows network, you may need the Graphical Identification and Authentication (GINA) library integration to get the endpoint on the network so that you can start login scripts, map drives, and so on.
4.2.1.3. Network enforcement support
If you're rolling out a Layer 3 NAC deployment, you may need support for Layer 3 enforcement in the agent you're deploying, such as IPSec enforcement for data privacy. The agent would have to support IPSec to be able to connect the user to the network.
4.2.1.4. Network supplicant functionality
If you plan to leverage 802.1X as an enforcement mechanism, then the supplicant functionality of the endpoint agent becomes very important. You need to make sure that it supports all the Extensible Authentication Protocol (EAP) methods that you need for your deployment, as illustrated in Figure 4-1.
NOTE
EAP is a framework for universal authentication, as described by RFC 3748. Although you can find many different EAP methods, the most common are EAP-TTLS, EAP-PEAP, EAP-TLS, and EAP-MD5.
4.2.1.5. Deploying, supporting, and troubleshooting
If you're planning to roll out an agent to 25,000 or more users in your network, you need an endpoint agent that you can easily pre-configure before deploying it to the users. Also, you need to figure out whether you can lock down the configuration and how easily you can upgrade it. Look for these features in your endpoint agent, as well as other features, such as an option to deploy the endpoint agent by using tools such as SMS or Active directory. You need to be able to troubleshoot endpoint agents easily if something isn't working.
4.2.2. Not-so-secret agents
Although many different types of endpoint clients can fit a multitude of network needs in the world, you can divide endpoint clients into three general groups.
The client depends on type of device or endpoint that you are going to be running it on.
Figure 4.1. An EAP authentication diagram.
4.2.2.1. Full agent
The full agent is typically a large agent that you need to pre-install on the endpoint before it can get on the network. The agent usually includes
A supplicant
Layer 3 enforcement functionality
Endpoint integrity collection
Remediation support
Troubleshooting tools
Some sort of tray icon
|
The challenge with full agents is that you usually need administrator rights on the local machine to install the agent. So, a network administrator typically uses a software deployment service that exists on the network already, usually SMS or Active Directory.
4.2.2.2. Lightweight agent
The lightweight agent is a client, which you typically run via ActiveX or Java, that includes
Layer 3 enforcement functionality
Endpoint integrity collection
Remediation support
Not much else, usually
|
The biggest benefit of the lightweight agent is that you typically don't need administrator privileges on the local machine to do the endpoint integrity query and perform Layer 3 enforcement in the network.
NOTE
You usually use the lightweight agent in conjunction with a captive portal feature, which is best described as the hotel-room experience. At a hotel, you plug into the network and try to browse somewhere, but instead of getting what you want, you see a web page that asks you for your room number and last name. In the case of network access control, you're redirected to a page that runs the lightweight agent via ActiveX or Java. After that has happened, it will ask the user for their username and password.
4.2.2.3. Clientless
Clientless access typically takes the form of a Web page to which a user submits his or her password to get access to the network. Clientless access usually uses a captive portal feature to provide a redirect of the user's web browser to the location for the clientless access page.
Clientless access is typically limited to user authentication and Layer 3 enforcement only. Clientless access is often targeted at guest users or devices for which no agent exists. The only requirement on the device is a Web browser.
4.2.3. Left behind
Each of the types of agents behave slightly differently when you sign out or close the agent.
4.2.3.1. Persistent
The persistent state is typically what you get if you have a full agent. After you install a full agent, it starts every time that the operating system does.
|
4.2.3.2. Dissolvable
A dissolvable agent is usually an ActiveX control or Java applet that runs when the user tries to get on the network. It uses captive portal functionality to redirect a user's Web browser to a page that can run the dissolvable agent. This agent persists only while the user has the Web browser open. When the user closes the Web browser, the dissolvable agent closes. To get back on, the user needs to launch the dissolvable agent via the captive portal Web page.
|
4.2.3.3. None
No client is targeted at devices that aren't capable of running ActiveX or Java applet, including guest machines. For any machine that you don't want to run ActiveX or Java, the no client option provides network access only when the Web browser is open.