NAP to NAC
As usual, tomorrow will be a better day. But what if you want to integrate Cisco NAC and Microsoft NAP today? Here the story is more mixed. For instance, Cisco's NAC client does not work directly with Microsoft's Network Policy Server (NPS), and it doesn't appear that it will anytime soon. Microsoft Windows' built-in NAP client doesn't talk directly to Cisco's NAC servers either. However, that doesn't mean all is lost.
Microsoft's NAP client can collect an SoH and send it to the NPS, which in turn determines whether the endpoint should be allowed on the network. The NPS can instruct Cisco's RADIUS server, called Access Control Server (ACS), to enable or disable ports on participating 802.1X-compliant network devices. See Cisco's NAC and NAP integration guide for more details.
Most NAC manufacturers require that customers install a vendor-specific NAC client on each participating endpoint. Some NAC clients work with only the vendor's corresponding NAC compliance server. A large portion of NAC vendors and products make up this group.
For example, to use Symantec's Network Access Control product, you must install Symantec's NAC or Endpoint Protection client (the latter incorporates the Symantec NAC agent) and have it talk to participating Symantec NAC-compliant services (anti-virus, host-based firewall, and so on) or 802.1X network devices. You define access rules in the Symantec Policy Management console or the Symantec Endpoint Protection Manager console, and then enforce network access by turning on various host-based firewall rules. (See the Test Center review.)
But more and more, NAC vendors are supporting Microsoft's NAP or TCG's TNC standard, or they're facilitating enforcement via 802.1X network devices using RADIUS. For example, Symantec's NAC products have the ability to communicate with Cisco's 802.1X network routers and switches. The Symantec NAC client can also integrate with Microsoft's NAP by installing itself as a System Health Validator (SHV) extension, which essentially makes it a part of the NAP client. As an SHV extension, the Symantec client can assess and control everything NAP normally does. And of course, any product can use Microsoft's Network Policy Server as a RADIUS service to talk to any 802.1X-compliant network device.
Alas, without a little planning, integration between Microsoft NAP and Cisco NAC isn't as simple as picking and choosing your favorites. But there is a moderate amount of interoperability, and that benefits us all.