Microsoft's Vista operating system has been shipping since January, with beta code available for over a year before that. Yet neither of the two NAC frameworks we tested has any inherent support for Microsoft's newest operating system. What gives?
One factor is Vista's very different TCP/IP stack. A complete reorganization of the stack, started back in the Windows 2000 days, finally reached fruition in Vista. Therefore, putting the necessary 802.1X hooks deep in the operating system isn't just a question of recompiling, but of starting nearly from scratch. A difficult problem, yes, but if that were the only issue involved here, we'd have seen at least some NAC beta software by now.
Then there's Microsoft's own NAC framework, Network Access Protection (NAP). While NAP is often mentioned as a competitor to CNAC and TCG/TNC, it's really not in the same ballpark. Microsoft has placed a heavy emphasis on endpoint posture assessment and built a series of interfaces and products around that focus. There is less overlap in functionality than appears at first glance.
NAP represents Microsoft's own vision of how NAC frameworks should integrate with the operating system, specifically, and with third-party posture checking tools, in general. Microsoft has opened up significantly to both Cisco and TCG/TNC vendors by offering to make hooks (in the form of EAP methods, the core transports used in 802.1X authentication and posture assessment dialogs) needed for their NAC frameworks available through its Windows Update service. With that, Microsoft has come as close as it can to making these other NAC frameworks part of the Vista operating system.
Rather than run ahead with their own Vista plug-in plans, both Cisco and the TCG/TNC teams seem willing to let Microsoft control, manage and distribute the desktop client. After all, while both Cisco and TCG/TNC participants have written and distributed software for Microsoft Windows in the past, who is better qualified than Microsoft to integrate NAC into its own operating systems? And, while Microsoft has dabbled in the network business in the small and midsize enterprise space with tools such as the RRAS VPN server, most enterprise network managers are going to look to their network and security hardware manufacturers for guidance on NAC.
If Cisco, Microsoft and TCG/TNC can achieve a rough truce and division of responsibilities on integrating Windows into the NAC scene, then the industry would be the beneficiary.
Who will define the interfaces and protocols and who will provide which pieces of the puzzle are still unknown. Network managers who have used the Odyssey supplicant (now owned by Juniper) and the Meetinghouse supplicant (now owned by Cisco) often prefer them to the built-in supplicant provided with past versions of Windows. But there is general agreement that the less software added to a Windows desktop after it's installed, the better it is for everyone.
The jury is out while these three groups engage in an elaborate dance of negotiations. The picture may not be completely clear until Longhorn ships later this year, although Microsoft has hinted at an important NAC-related announcement to be made at Interop.
In the meantime, stick with Windows XP for your NAC deployment.
Snyder is a senior partner at Opus One, a consulting firm in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.