12-29-2009 08:19 AM
I realize that I may not be able to get an unbiased response from a Juniper forum, but I will at least get good info from solid engineers.
I have a solely Cisco L2 network with some Cisco security devices (ASA/PIX) and am looking to put in some additional network layers (Edge and Core/Distribution) with Juniper SRX appliances.
For NAC I am being pulled by a legacy Cisco shop vs. the Juniper SRX functions I want to put in place. If I go with Juniper UAC I can utilize 802.1x with the existing Cisco gear, but if I go with Cisco NAC w/ ACS am I pigeon holed into being a Cisco only shop?
12-29-2009 10:25 AM
With old Cisco NAC Framework (based on Cisco ACS 4.0, not available on 5.X), you can authenticate users with cisco 802.1X switches and push ACLs in Cisco Routers and PIX. NAC Framework Host checker is based on DLL files which must be added and configured manually on host.
This solution is not developped by Cisco since 2006/2007.
Juniper permit to authenticate user for:
- 802.1X Lan access with OAC Client (including host checker component)
- 802.1X Wifi access with OAC Client (including host checker component)
- 802.1X Lan access with Microsoft XPSP3, Vista SP1 802.1X supplicant and NAP host checker component
- L3 Authentication (through HTTPS connection) with OAC client (including host checker component)
- HTTPS authentication and Java / ActiveX hostchecker
- Mac Address authentication for printers, IP phones, ...
Host Enforcement can be done by:
- Any 802.1x compatible switch
- Juniper SSG/ISG/SRX Firewall with source based authorization for Clientless users
- Juniper SSG/ISG/SRX Firewall with source based authorization for OAC clients
Juniper UAC is compatible with TNC components:
- IF-TNCCS (NAP compatibility)
- IF-MAP (Metadata Access Point)
To deploy OAC agent, the procedure is:
- Install OAC agent on admin host
- Configure connection parameters according with company policy (authentication type, Machine authentication vs user authentication, SSID for wifi usage, ...)
- create a MSI file based on this configuration
- install MSI files through company solutions (AD GPO, Microsoft SMS, ...)
12-29-2009 11:34 AM
First, please have a look to the following post
For Cisco NAC (cisco clean access appliance) , there are two kind of deployment :
- out of band: only cisco switches are supported.
- in band: all switches type are supported BUT all traffic must flow through the NAC appliance. Basically, the NAC appliance is like a router. The thoughput of the box is limited to 1 Gbps.
Imagine the following scenario.
20 edges switches connected in dual attached mode to the core swiches.
1) All is cisco (switches), no problem, you can deploy the solution of of band.
2) nothing is Cisco.
* all traffic flow (20 x 1 Gbps) must cross the NAC appliance. I remember you, NAC has only 1 "outbound" gigabit interface...
* or if you have a lot of money you can install one NAC appliance behind each uplink ports (here you need 40 appliances).
In one word, with Cisco NAC, you're stuck with Cisco
Hope it can help you.
06-18-2012 05:50 AM
02-23-2013 09:48 AM - edited 02-23-2013 02:15 PM
i have use both devices ;
my opinion are following
cisco has own reporting and profiling solutions.
but licensing is complex and limit with time.you can take license for 3 aor 5 years
and include basic ,advanced and wireless license.
Cisco configuration screens looks smarter but more complex than juniper.Cisco has intergrated
profiling so profiling configuration easier than juniper+beacon
juniper uses strm for logging and reporting well then ise reporting logging and integrated with beacon for profiling
beacon .you need buy juniper nac with strm and beacon .With this situation price is cheaper or same as cisco
Beacon bring extra feature that cisco dont have .Also you can use beacon with cisco ise.
Also juniper nac , integrated radiıus has cool feature and you can use complex radius scenario like token-sms other