Identity and Policy Control
Visitor
FireSecurity
Posts: 7
Registered: 08-19-2009

Juniper UAC vs. Cisco NAC

Forum,

I realize that I may not be able to get an unbiased response from a Juniper forum, but I will at least get good info from solid engineers.

I have a solely Cisco L2 network with some Cisco security devices (ASA/PIX) and am looking to put in some additional network layers (Edge and Core/Distribution) with Juniper SRX appliances.

For NAC I am being pulled between a legacy Cisco shop and the Juniper SRX functions I want to put in place. If I go with Juniper UAC I can utilize 802.1X with the existing Cisco gear, but if I go with Cisco NAC with ACS, am I pigeonholed into being a Cisco-only shop?

HELP!!!

Contributor
StanislasP
Posts: 13
Registered: 09-29-2008

Re: Juniper UAC vs. Cisco NAC

Hi,

With the old Cisco NAC Framework (based on Cisco ACS 4.0, not available on 5.X), you can authenticate users with Cisco 802.1X switches and push ACLs to Cisco routers and PIX. The NAC Framework host checker is based on DLL files which must be added and configured manually on the host.

This solution has not been developed by Cisco since 2006/2007.

Juniper permits user authentication for:

- 802.1X LAN access with the OAC client (including the host checker component)

- 802.1X Wi-Fi access with the OAC client (including the host checker component)

- 802.1X LAN access with the Microsoft XP SP3 / Vista SP1 802.1X supplicant and the NAP host checker component

- L3 authentication (through an HTTPS connection) with the OAC client (including the host checker component)

- HTTPS authentication and Java / ActiveX host checker

- MAC address authentication for printers, IP phones, ...

Host enforcement can be done by:

- Any 802.1X-compatible switch

- Juniper SSG/ISG/SRX firewall with source-based authorization for clientless users

- Juniper SSG/ISG/SRX firewall with source-based authorization for OAC clients

- Juniper SSG/ISG/SRX firewall with dynamic VPN for OAC clients (VPN client included in OAC)

- Juniper SSG/ISG firewall redirecting HTTP connections to the IC appliance for unauthenticated clients (not implemented in SRX)

- Host Enforcer (included in OAC), which activates the local firewall on the OAC agent with rules based on the role identified by IC policy

Juniper UAC is compatible with TNC components:

- IF-TNCCS (NAP compatibility)

- IF-MAP (Metadata Access Point)

To deploy the OAC agent, the procedure is:

- Install the OAC agent on an admin host

- Configure connection parameters according to company policy (authentication type, machine authentication vs. user authentication, SSID for Wi-Fi usage, ...)

- Create an MSI file based on this configuration

- Install the MSI file through company solutions (AD GPO, Microsoft SMS, ...)


Visitor
FireSecurity
Posts: 7
Registered: 08-19-2009

Re: Juniper UAC vs. Cisco NAC

Okay... All that is helpful. But with any current Cisco NAC solution, are you locked into Cisco-only gear going forward?

Contributor
Hedia
Posts: 93
Registered: 05-28-2008

Re: Juniper UAC vs. Cisco NAC

Hello,

First, please have a look at the following post:

http://forums.juniper.net/t5/Identity-and-Policy-Control/UAC-Implementation-with-Cisco/td-p/32109

For Cisco NAC (Cisco Clean Access appliance), there are two kinds of deployment:

- Out of band: only Cisco switches are supported.

- In band: all switch types are supported BUT all traffic must flow through the NAC appliance. Basically, the NAC appliance is like a router. The throughput of the box is limited to 1 Gbps.

Imagine the following scenario: 20 edge switches connected in dual-attached mode to the core switches.

1) All is Cisco (switches): no problem, you can deploy the solution out of band.

2) Nothing is Cisco:

     * all traffic (20 x 1 Gbps) must cross the NAC appliance. I remind you, NAC has only one "outbound" gigabit interface...

     * or, if you have a lot of money, you can install one NAC appliance behind each uplink port (here you need 40 appliances).

In one word, with Cisco NAC, you're stuck with Cisco.

Hope it can help you.

Regards,

Hedi


Visitor
FireSecurity
Posts: 7
Registered: 08-19-2009

Re: Juniper UAC vs. Cisco NAC

That is very helpful.

Trusted Contributor
michael.saw
Posts: 1,048
Registered: 09-26-2011

Re: Juniper UAC vs. Cisco NAC

Anyone can share some latest comparisons on this for the year 2012?
Any kb or doc links to share?
Thanks!

Michael
JNCIA-JUNOS, JNCIS-ENT/SEC, JNCIP-ENT
(CCNA, ACMP, ACFE, CISE)
"http://www.thechampioncommunity.com/"
CONNECT EVERYTHING. EMPOWER EVERYONE.
Share & Learn. Knowledge is Power.

"If there's a will, there's a way!"
Contributor
RadiusAttributesfilter
Posts: 23
Registered: 09-25-2009

Re: Juniper UAC vs. Cisco NAC

I have used both devices; my opinions are the following.

Cisco has its own reporting and profiling solutions, but licensing is complex and time-limited. You can take a license for 3 or 5 years, and it includes basic, advanced and wireless licenses.

Cisco configuration screens look smarter but are more complex than Juniper's. Cisco has integrated profiling, so profiling configuration is easier than Juniper + Beacon.

Juniper uses STRM for logging and reporting, which compares well with ISE reporting and logging, and is integrated with Beacon for profiling. You need to buy Juniper NAC with STRM and Beacon. In this situation the price is cheaper than or the same as Cisco. Beacon brings extra features that Cisco doesn't have. Also, you can use Beacon with Cisco ISE.

Also, Juniper NAC's integrated RADIUS has cool features, and you can use complex RADIUS scenarios like token-SMS and other authentication features.

