Avenda Adds Non-802.1x Agents to NAC Appliance Software

• By Dian Schaffhauser
• 10/12/10

Avenda Systems will shortly be rolling out enhancements to eTIPS, its network access control appliance. Expected in early November 2010, the updates include OnGuard, a set of network access agents, and enhanced features in the company's guest management application.

Deployed in conjunction with eTIPS version 3.5, also due in November, the OnGuard agents provide identity and health checks for environments that are incompatible with 802.1x, such as older versions of Mac OS X, Linux, or Windows operating systems. This will allow campus IT administrators to manage those devices alongside 802.1x devices in controlling access to peer-to-peer applications and services through their networks to help ensure the health of devices getting onto the network and to send network notifications to users. For example, if a user is caught violating media copyrights or is running a device with out-of-date anti-virus, anti-spyware, or firewall settings, IT can deny network access to that device and send a message that appears on the screen at set intervals warning that person to take corrective actions to bring the machine up to standard.

"The enforcement of peer to peer policies always comes up when we talk to higher ed prospects," noted Trent Fierro, director of marketing. "Now you can go in and create a policy: 'I will allow this and I won't allow that,' even being specific about what types of peer to peer apps kids can use."

If a user is doing something not allowed by the school, IT can bounce the person off the network and send a message that pops up on the user's screen, with information about how to regain network access.

Currently, in order for non-802.1x devices to be authenticated, the user is forced to use a Web portal for login. "A lot of people don't like to do that," Fierro pointed out. Users tend to assume that once they've logged onto their computer, they'll have access to the network, he said. "But we were forcing customers to do an additional login, like you're logging into a hotel or an airport network." There's big pushback from people who don't want to do that, he added.

Under the new scheme that uses the persistent agent technology, the IT person can capture information about the user, the services they're running, the types of applications they're using, and the health aspects of the machine. "What this means is that I can do a mix of 802.1x and non-802.1x and get the same kind of information. That opens it up. You're maintaining the same kind of policies now for both types of environments, which you couldn't do before," Fierro said.

OnGuard also addresses the challenge of performing health checks on devices connecting to the campus network through a virtual private network. This will replace the need for Avenda Edge in environments running eTIPS version 3.5.

Currently, the company is working with customer Northwestern University in Evanston, IL to test out the feature. "It was a big request from them," Fierro said. "They have 30,000 users, and it was too much for them to manage."

One unnamed campus customer requested the ability to use the agents strictly for health assessments. For that reason, the agents can handle both identity and health checks or just health checks alone. "They want to check against their Active Directory for the identity of the person, but they want to use eTIPS for the health component," Fierro said. "They're not going to modify their approach to policies. They're going to use eTIPS to go back and say, is this user running anti-virus? What level? When was it last run?"

"Avenda's new OnGuard agents provide a seamless way to monitor user and device information while taking advantage of legacy security mechanisms," said John Call, systems and network analyst at Brigham Young University-Hawaii. "I can see how the additional visibility and safeguards would benefit education and enterprise organizations alike--for not only security, but also for network troubleshooting and compliance mandates as well."

Avenda has also said it would add Web-based authentication features to eTIPS 3.5 for environments running Meru Networks wireless controllers and Cisco Ethernet switches.

The company has bolstered GuestConnect to provide for tiered approval flow in eTIPS' guest registration application. This feature will let the IT administrator designate various levels of permission for set-up of guest user access based on user role. The application also includes a function for users to add their own endpoint MAC addresses to the system, which will allow approved devices to be tracked and managed by IT without IT intervention.