Designing Access Controls
Choose Endpoint Integrity Testing Methods
The PCU network administrators also want to use the NAC EI agent for the public wired and private wireless zones. Although some students and guest users may refuse to download an agent to their endpoint, the PCU network administrators still want to offer this option. As a backup testing method, the network administrators will use the ActiveX testing method. They think most users accessing the network in these zones will make heavy use of the Internet, so their Web browsers will typically be open.
Table 3-47. Testing Method by Post-Connect Testing
| Factor | Public Wired | Private Wired | Public Wireless | Private Wireless | Remote |
| | NAC EI agent | NAC EI agent | NAC EI agent | NAC EI agent | NAC EI agent |
| | ActiveX | Agentless | ActiveX | Agentless | Agentless |
User Sophistication
User sophistication can be a factor for testing methods if users have such low sophistication that they are overly bothered by downloads and installations, or conversely, when they are so sophisticated that they know how to avoid having their endpoints retested.
What can you reasonably expect your users to do? Can they download and install the NAC EI agent? For the majority of users, this process should not be too taxing. However, if you are setting up endpoint integrity for your Windows domain users, you could use Active Directory to automatically install the agent on the endpoints so that users would not have to perform this task.
The agentless testing method is generally not a good option for users who are not part of your Windows domain. To use this method, you or the users must supply the admin credentials. Because you will not know these credentials, it is left to the users to enter them on the
The agentless testing method also requires very minimal setup on the endpoint. File and print sharing must be enabled so that the necessary ports are open. The configuration required is very minor, but if your users are incapable or unwilling to do it, you will have to set up the configuration yourself or select another testing method.
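A local readiness check for the agentless prerequisites described above, as an added example that is not part of the original guide or of the NAC product. The function name `Test-AgentlessReadiness` is hypothetical, and the script assumes an English-language Windows 8 / Server 2012 or later endpoint where the NetSecurity cmdlets are available.

```powershell
# Added example: report whether this endpoint meets the agentless
# prerequisites named in the text (domain membership, file and print sharing).
# Assumption: the firewall rule group carries its English display name.
function Test-AgentlessReadiness {
    [CmdletBinding()]
    param()

    # Domain members can be tested with credentials the administrator
    # already holds; non-members would have to supply their own.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        Check  = 'Domain member'
        Passed = [bool]$cs.PartOfDomain
        Detail = $cs.Domain
    }

    # The Server service (LanmanServer) is what provides file and print sharing.
    $svc = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'Server service running'
        Passed = ($null -ne $svc -and $svc.Status -eq 'Running')
        Detail = $(if ($svc) { [string]$svc.Status } else { 'service not found' })
    }

    # At least one inbound allow rule in the File and Printer Sharing group
    # must be enabled, otherwise the sharing ports stay closed.
    # This does not check which firewall profile is currently active.
    $rules = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' `
                   -ErrorAction SilentlyContinue |
               Where-Object {
                   $_.Direction -eq 'Inbound' -and
                   $_.Action    -eq 'Allow'   -and
                   $_.Enabled   -eq 'True'
               })
    [pscustomobject]@{
        Check  = 'File and Printer Sharing firewall rules enabled'
        Passed = ($rules.Count -gt 0)
        Detail = "$($rules.Count) inbound allow rule(s) enabled"
    }
}

# Print the findings and list anything that still needs configuration.
$results = Test-AgentlessReadiness
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Passed })
if ($failed.Count -gt 0) {
    Write-Warning ("Not ready for agentless testing: " + ($failed.Check -join '; '))
}
```

Run it on a sample of endpoints in each zone before committing to agentless as the backup method; a high failure rate for the firewall check means the configuration has to be pushed centrally or another method chosen.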
The ActiveX testing method requires ActiveX and JavaScript support on the users’ Web browsers. If the Web browsers already have this support, no user interaction is required. If not, this support must be added.