Douglas Otis <dotis@xxxxxxxxxxxxxx> wrote:
> It seems impractical to specify system requirements or expect a
> suitable examination be done realtime prior to obtaining access.

Maybe you're saying that a complete systems check would take too long. That is true, but that isn't how the NEA variants are being designed or deployed.

> Bad actors will always be able to falsify this information, so the
> NEA does not offer protection.

This issue has already been discussed.

> The NEA should be viewed as a process that eliminates many of the
> security related support calls.

That is not a priority for any customers I talked to. I've never heard this as a justification for NEA from anyone.

> It seems impractical to expect NEA will prevent bad actors from
> producing the expected results.

Which is why recent discussions on the NEA list made it clear that no one was expecting that from NEA.

> There are anti-virus and OS updating services that could produce a
> certificate that includes: ...

Which is a good idea, and substantially similar to validation and remediation services currently offered. That information still has to be propagated to the device that controls network access.

> It seems unwise to expect an endpoint to open their robes to the
> access point. However, the access point could offer certification
> services they require prior to granting access. This service may be
> something as simple as agreeing to the AUP presented on a web-form,
> or agreeing to remedy the cause of abusive behavior.

People are doing something similar to this today with quarantine networks, and remediation sites. But it's ad-hoc, and not automated.

> Rather than talking about the posture of the endpoint,
> consider the NEA to be little more than a repository for time-
> sensitive compliance certificates offering just the five points listed.

Pretty much, yes. With the addition of a protocol to carry that information from the endpoint to elsewhere in the network.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog