Got the NAC
Juniper Employee
09-05-2008 12:06 PM

I’m happy to say that the IETF NEA Working Group has decided to adopt several of the latest TNC standards as Working Group drafts! Let me answer some frequently asked questions about the process and the drafts. If you have more questions, please post them and I will try to answer them.


Q. Does this mean that these TNC standards are now IETF RFCs?


A. No, there’s still a long path to follow before they can be published as RFCs (the IETF’s term for their officially published documents). But it does mean that the NEA WG is working to develop RFCs based on them.


Q. Where can I get a copy of these specs?


A. In the cryptic manner of standards groups, there are two versions of each spec: the IETF version and the TCG version. The IETF specs are PA-TNC and PB-TNC. The TCG specs are IF-M 1.0 and IF-TNCCS 2.0. The only difference is the formatting and terminology!


Q. What if the NEA WG wants to change these specs before they become RFCs?


A. That’s OK. Everyone expects that. All standards go through changes and revisions, like HTTP 1.0 and 1.1. The protocols and products are designed to support such changes with a smooth and gradual transition. It’s worth it to get everyone on board.


Q. I have another question!


A. Ask it below in a comment and I’ll answer it.

Sep 15, 2008
Grant Hartline
I’m happy to see the movement towards unification of standards and appreciate all of the effort you’ve put into NAC standards adoption, both within the TCG and the IETF. However, one TNC standard that is conspicuous in its absence is IF-PEP. Is there an IETF working group that may pull in IF-PEP for the purposes of triggering enforcement actions? Alternatively, or at least in the meantime, do you see any movement within what we’ll call “the industry” on adoption of RFC 3576 within Ethernet switches?
Sep 15, 2008
Tarek Amr

It’s really great that Juniper and TNC are doing their best to standardize the NAC. I believe this will really help in speeding up the adoption of such new technology.

I’ve noticed that most of the standards are focusing on how the PDP communicates with the PEP when the PEP is a LAN switch or Access Point. Correct me if I am wrong, but when the UAC communicates with Juniper Firewalls they do it in a non-standard way. So, are you planning to come out with another standard for communicating with Firewalls? Or are you going to re-use what is currently done when dealing with LAN switches in the Firewalls? I’ve noticed that the new ScreenOS version supports IEEE 802.1x, so I was thinking that you may be planning to make your Firewalls support EAP-JUAC, and maybe then you can come out with some extensions in the JUAC to help in pushing policies to the firewalls. Then it may be easier for other Firewall vendors (or any network-based security products) to interoperate with Juniper’s UAC or any TCG-TNC compliant NAC solution.