RADIUS-based NAC vs Sensor-based NAC
This article focuses on the pros and cons of central versus distributed architectures for Network Access Control (NAC) solutions. During the decision-making process when purchasing or implementing a NAC solution, the question of architecture is always at the forefront.
Many factors come into consideration when weighing a central against a distributed architecture: cost, implementation complexity, ongoing management, redundancy, connectivity, routing, the location of directory or other servers, and so on. To highlight some of these factors and how they translate into real-world considerations, we will compare and contrast a generic RADIUS-based central NAC architecture with the Genian NAC distributed Sensor architecture.
Central RADIUS Architecture
Genian NAC Distributed Sensor Architecture – An Alternative Approach
Because Genian NAC Sensors and Policy Servers sit outside the network infrastructure (they are not in the path that switches, controllers or access points depend on for authentication), many of the challenges of a RADIUS architecture and its implementation are eliminated. Additionally, since the Sensors are centrally managed by a Policy Server, all of the benefits of a central architecture are present without the drawbacks.
- No Single Point of Failure for network access
  - Policy Servers and Sensors are not part of the network infrastructure
  - This negates the requirement for HA to ensure network availability
  - No HA reduces cost
  - No HA reduces complexity
  - Less complexity means faster implementation
- Does not require any integration with network devices
  - No switch, controller or access point configuration required
  - Network access devices do not need to be aware of Sensors or point traffic to them
  - Although multiple Sensors may be present, no integration means easy installation
- WAN connectivity does not create additional challenges
  - Sensors communicate with Cloud Policy Servers to download policies
  - For On-Prem Policy Servers, Sensors communicate via keepalives
  - No unsolicited RADIUS Change of Authorization (CoA) packets need to be permitted through firewalls/ACLs
  - In the event of a WAN failure, Sensors operate in Fail Safe mode by default
    - No network access is blocked while in Fail Safe mode
    - A Fail Closed option is available if the desired behavior is to block new devices from the network
- Ease of Sensor Provisioning
  - Zero Touch Provisioning to a Cloud Policy Server
  - Low Touch Provisioning to an On-Prem Policy Server
- Distributed Architecture = Low Cost? – Yes!
  - Sensors can be installed as Virtual Machines
  - Sensors can be installed on almost any Intel physical machine
  - Even an endpoint node with an Agent can act as a Sensor
  - These Sensor deployment options offset the cost of a typical distributed architecture
  - Licensing is not tied to the number of Sensors, further offsetting cost
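The WAN-failure behavior described above (keepalives to an On-Prem Policy Server, Fail Safe by default, an optional Fail Closed mode that blocks only new devices) is the part of this design a security team should test before relying on it. The following is an added illustrative model of that decision logic, written for this article; it is not Genian NAC code, and the class name, the keepalive timeout, the blocklist and the "previously seen device" bookkeeping are all assumptions made for the demonstration.

```python
"""Toy model of a distributed NAC Sensor choosing what to enforce when its
keepalive link to an on-prem Policy Server is lost.

Assumptions (not from the vendor): the Sensor remembers the last decision it
made for each device while the Policy Server was reachable, the Policy Server
pushes a blocklist, and the link is considered down after KEEPALIVE_TIMEOUT_S
seconds without a keepalive.
"""

from dataclasses import dataclass, field

KEEPALIVE_TIMEOUT_S = 30  # assumed timeout before the Policy Server is treated as unreachable


@dataclass
class Sensor:
    fail_closed: bool = False                      # default is Fail Safe
    last_keepalive: float = 0.0                    # timestamp of the last keepalive received
    policy_blocklist: set = field(default_factory=set)   # devices the Policy Server says to block
    last_decision: dict = field(default_factory=dict)    # mac -> decision made while the server was up

    def receive_keepalive(self, now: float) -> None:
        """Record a keepalive exchanged with the Policy Server."""
        self.last_keepalive = now

    def policy_server_reachable(self, now: float) -> bool:
        return now - self.last_keepalive <= KEEPALIVE_TIMEOUT_S

    def observe(self, mac: str, now: float) -> str:
        """Return 'allow' or 'block' for a device seen on the Sensor's segment."""
        if self.policy_server_reachable(now):
            # Normal operation: enforce the Policy Server's current decision and remember it.
            decision = "block" if mac in self.policy_blocklist else "allow"
            self.last_decision[mac] = decision
            return decision

        # Policy Server unreachable, e.g. WAN failure at a remote site.
        if not self.fail_closed:
            return "allow"  # Fail Safe: no network access is blocked

        # Fail Closed: devices seen before keep their last decision; unknown devices are blocked.
        return self.last_decision.get(mac, "block")


def run_scenario(fail_closed: bool) -> list:
    """Replay a constructed timeline: server up at t=0..10, WAN down by t=100."""
    sensor = Sensor(fail_closed=fail_closed)
    sensor.policy_blocklist.add("00:00:00:00:00:cc")  # constructed sample MAC
    sensor.receive_keepalive(0.0)
    timeline = [
        ("00:00:00:00:00:aa", 5.0),    # known-good device while server reachable
        ("00:00:00:00:00:cc", 6.0),    # blocklisted device while server reachable
        ("00:00:00:00:00:aa", 100.0),  # same device after the WAN has failed
        ("00:00:00:00:00:cc", 101.0),  # blocklisted device after the WAN has failed
        ("00:00:00:00:00:dd", 102.0),  # device never seen before, WAN still down
    ]
    return [(mac, sensor.observe(mac, t)) for mac, t in timeline]


if __name__ == "__main__":
    for mode in (False, True):
        print("Fail Closed" if mode else "Fail Safe", run_scenario(mode))
```

Running the scenario in both modes shows the trade-off the bullets describe: in Fail Safe mode the outage silently admits the never-seen device at t=102, while Fail Closed keeps prior decisions (including the block on the blocklisted device) and denies only the newcomer. Whichever mode is chosen, the loss of keepalives itself should be alerted on, since the Sensor is enforcing stale policy until the link returns.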
In conclusion, the Genian NAC architecture provides a solution that is centrally managed yet can be deployed in a distributed fashion. With no requirement for HA, no requirement to integrate with network infrastructure, concerns about remote-site WAN connectivity removed, and the ability to deploy rapidly, Genian NAC's architecture means low overhead for IT and Security teams: less planning, less design, fewer caveats, easier provisioning and faster implementation.