When and why agents for NAC? It’s not a secret…

By Trent Fierro, Blog Contributor

I recently read an article written to help resellers sell agentless NAC, but I'm not sure the writer understood the idea in a broad sense. And then a few days later a customer asked about the difference between an agent/client and a supplicant. And then another customer asked if agents were required for device profiling, so I figured it was time for a basics primer.

The reason is that in most NAC deployments today you do not need an agent at all, but there is a caveat. If you want to perform a posture assessment on a computer or smart device, such as checking that an anti-virus application is installed or whether the device is jailbroken, an agent is usually involved.

Let's take a look at a high level description of an agent/client and what it does.

Agent – A software program that reacts to its environment and runs without direct supervision to perform some function for an end user or for another program. Some, but not all, software agents have a UI (user interface). Agents can also start, oversee, and terminate other programs or agents, including applications. In NAC terms, an agent is either persistent (installed and left on the endpoint) or dissolvable (run once and then removed).

The idea is that when a device connects to a network, the agent performs actions that have been defined in a central access controller or policy management platform. A persistent agent performs auto-remediation during the connection and keeps monitoring the device throughout the session, "fixing" things that change after the initial check.

For example, if a policy forbids peer-to-peer apps and a user launches one after connecting, the agent can terminate the app automatically.
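To make the persistent-versus-dissolvable distinction concrete, here is an added example (not ClearPass or OnGuard code) of the logic an agent runs: a one-shot health check that maps the result to an access role, and a loop that re-checks on every process start and kills a forbidden app, as the paragraph above describes. The policy fields, the report format, and the process names are assumptions made for illustration.

```python
"""Toy NAC posture assessment: evaluate an endpoint's reported state against a
central policy, decide an access role, and list remediation actions.

Added example, not ClearPass/OnGuard code. The POLICY fields and PostureReport
format are assumptions made for illustration."""
from dataclasses import dataclass, field

# Policy a central platform would push to the agent (assumed format).
POLICY = {
    "require_av": True,
    "max_av_signature_age_days": 7,
    "forbidden_processes": {"utorrent.exe", "bittorrent.exe", "limewire.exe"},
    "allow_jailbroken": False,
}


@dataclass
class PostureReport:
    """What the agent (persistent or dissolvable) collects from the endpoint."""
    av_installed: bool
    av_signature_age_days: int
    running_processes: set
    jailbroken: bool = False

    def __post_init__(self):
        # Normalise case once so policy matching and remediation agree.
        self.running_processes = {p.lower() for p in self.running_processes}


@dataclass
class Decision:
    healthy: bool
    role: str                     # role handed to RADIUS enforcement
    failures: list = field(default_factory=list)
    remediation: list = field(default_factory=list)


def assess(report: PostureReport, policy: dict = POLICY) -> Decision:
    """One-shot health check, which is all a dissolvable agent ever does."""
    failures, remediation = [], []
    if policy["require_av"] and not report.av_installed:
        failures.append("no anti-virus installed")
        remediation.append("install-av")
    elif report.av_installed and report.av_signature_age_days > policy["max_av_signature_age_days"]:
        failures.append("anti-virus signatures out of date")
        remediation.append("update-av-signatures")
    for proc in sorted(report.running_processes & policy["forbidden_processes"]):
        failures.append(f"forbidden process running: {proc}")
        remediation.append(f"kill:{proc}")
    if report.jailbroken and not policy["allow_jailbroken"]:
        failures.append("device is jailbroken")   # nothing an agent can auto-fix
    healthy = not failures
    return Decision(healthy, "employee" if healthy else "quarantine", failures, remediation)


def persistent_session(report: PostureReport, process_starts, policy: dict = POLICY):
    """Simulate a persistent agent: re-assess on every process start during the
    session, apply kill remediations locally, and record before/after verdicts."""
    history = []
    for proc in process_starts:
        report.running_processes.add(proc.lower())
        before = assess(report, policy)
        for action in before.remediation:
            if action.startswith("kill:"):
                report.running_processes.discard(action[len("kill:"):])
        history.append((before, assess(report, policy)))
    return history
```

The role string is the hand-off point to the network: a dissolvable agent reports it once at portal login, while the persistent loop can push a changed role (quarantine, then employee again once the app is killed) for as long as the session lasts.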

If you are considering or using ClearPass, our ClearPass OnGuard option performs these services on laptops and desktops. With the persistent agent, the user may see a pop-up that reports progress during the assessment. The dissolvable option is normally used during a portal login; it runs once and does not remain installed on the endpoint.

If you want to perform assessments on smartphones and tablets, the usual path is an MDM/EMM solution such as AirWatch, MobileIron or Citrix. The same principles apply, but these agents are persistent (there is no dissolvable option). The value is that you can enforce off-network policy on apps, cellular-plan use, and so on.

When are agents not really needed?

  • Authentication/authorization of computers, smart devices, and tablets onto a network without an assessment or health check
  • The same for printers, IP phones, cameras, IV pumps, PoS devices, scanners, and similar devices, since most of these cannot run an agent and do not need one
  • The profiling of devices – think DHCP fingerprinting and other techniques
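As an added example of the agentless profiling the last bullet refers to (not ClearPass Profiler code), the block below parses the options of a DHCP request and fingerprints the sender from its parameter request list (option 55), with the vendor class (option 60) as a weaker fallback. The DHCPDISCOVER is constructed inline, and the FINGERPRINTS table is an illustrative stand-in for the maintained signature database a real profiler would use.

```python
"""Agentless device profiling by DHCP fingerprinting.

Added example, not ClearPass Profiler code. The DHCPDISCOVER is constructed
inline and the FINGERPRINTS table is illustrative, not a real signature
database; a production profiler matches against a maintained one."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: value_bytes} from a BOOTP/DHCP payload (UDP data).
    Malformed input raises ValueError rather than yielding a partial parse."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (short or bad magic cookie)")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # END
            break
        if code == 0:              # PAD
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = value         # last wins; RFC 3396 concatenation not handled
        i += 2 + length
    return opts


def fingerprint(opts: dict) -> dict:
    """Pull out the fields a profiler keys on."""
    return {
        "msg_type": opts[53][0] if 53 in opts else None,
        "param_request_list": ",".join(str(b) for b in opts.get(55, b"")),
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
    }


# Illustrative option-55 signatures (constructed for this example).
FINGERPRINTS = {
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": "Windows workstation",
    "1,121,3,6,15,119,252": "Apple macOS/iOS",
    "1,28,2,3,15,6,119,12,44,47,26,121,42": "Linux (dhclient)",
}


def classify(fp: dict) -> str:
    """Exact match on the parameter request list, then weaker vendor-class hints."""
    if fp["param_request_list"] in FINGERPRINTS:
        return FINGERPRINTS[fp["param_request_list"]]
    vc = fp["vendor_class"].lower()
    if vc.startswith("msft"):
        return "Windows (vendor class only)"
    if vc.startswith("android-dhcp"):
        return "Android (vendor class only)"
    return "unknown"


def profile(payload: bytes) -> dict:
    fp = fingerprint(parse_dhcp_options(payload))
    fp["device_class"] = classify(fp)
    return fp


def build_discover(mac: bytes, options) -> bytes:
    """Construct a minimal DHCPDISCOVER so the example runs offline."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    hdr += mac.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC_COOKIE + body + b"\xff"


# Constructed sample: a Windows-style DISCOVER from MAC 00:11:22:33:44:55.
SAMPLE_DISCOVER = build_discover(bytes.fromhex("001122334455"), [
    (53, b"\x01"),
    (61, b"\x01" + bytes.fromhex("001122334455")),
    (12, b"DESKTOP-7QK2"),
    (60, b"MSFT 5.0"),
    (55, bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252])),
])

if __name__ == "__main__":
    print(profile(SAMPLE_DISCOVER))
```

Nothing here touches the endpoint: the profiler only needs a copy of the DHCP traffic (a relay, a span port, or the DHCP server's logs), which is why printers, phones and IV pumps can be classified without any software on them. Treat the result as a hint for an initial role, not proof of identity, since a client can send whatever options it likes.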

So everything listed above is performed with an agentless model. The confusion comes from another vendor that leads with the term agentless. Their model provides slightly more comprehensive assessments, but agentless operation requires that every device be Windows. If the environment includes MacBooks or other non-Windows computers, a "client" is required, and in this instance a client is an agent by another name.

Almost forgot: a supplicant is the software on every device that participates in 802.1X authentication. It exchanges EAP messages with the authenticator (the switch or wireless controller), which relays them over RADIUS to your RADIUS server. In fact, the RADIUS component is probably more important than agentless NAC, so when evaluating a solution make sure you ask about its ability to perform encrypted (EAP-based) authentication, RADIUS enforcement, and role-based access control.