Cisco has announced Phase 2 of its Network Admission Control scheme, adding NAC support to its Catalyst switches and wireless devices.

A new NAC partner programme also allows it to sidestep users' objections to installing NAC client software on PCs; instead they will be able to use auditing software from Altiris, Qualys and Symantec to check the health of clients wishing to attach to the LAN.

The key to NAC is being able to assess a client device's security status - or in Cisco-speak, an endpoint's posture. This can cover such things as whether its operating system is properly patched, its anti-virus is up to date, and other vulnerabilities such as an unsecured SNMP client.

NAC was formerly only available as an appliance, but will now be built into the IOS firmware for Catalyst 6000-series and newer switches, and Catalyst and Aironet wireless products. Upgrades to the new software will be free to customers with support contracts, meaning they won't need the appliance, said NAC product marketing manager Reza Malekzadeh.

He added that the choice between the Cisco Trusted Agent (CTA) client software and the auditing approach is up to the customer. "You can do one or the other, or both. The agent gets its information from inside the device, so it can do a more complete assessment," he said, noting though that CTA software is not available for some clients, such as Macs.

If a device wishing to connect is not up to spec, it can either be blocked or quarantined, according to defined policies. It could for example be put on a separate VLAN and given Internet access to download the patches it needs.

"At the end of the day what we really want to achieve is quarantining users who're out of policy - it's up to the customer to decide what enforcement to use," said Jason Halpern, a technical marketing manager in the Cisco CTO's office. He added: "Some places can mandate an agent but most can't, that's a key reason why auditing is part of our solution."

Communication between NAC clients and switches uses 802.1x and the Extensible Authentication Protocol (EAP) riding on top of the User Datagram Protocol (UDP).

Some users who evaluated the original NAC architecture opted for a competing product because the Cisco technology required client-side software, and Layer 2 switch support was not available.

"We found NAC to be too intrusive," said Mike Hawkins, director of telecommunications networking at the University of North Carolina (UNC). "We can't touch every machine in a large university."

Last year, UNC installed 4,000 Enterasys switches, along with NetSite Atlas policy management servers, which support port-level authentication based on 802.1x, and can block or quarantine PCs. The gear works with Sygate, Fortinet and other anti-virus and security software products to scan and audit client machines.

Hawkins, who manages some Cisco as well as Alcatel switches on UNC's LAN, says NAC technology still interests him, but the delivery is probably too late for it to be installed widely at the school. "I've been doing (NAC) for two years," he said. "Why should I switch to something that just came out?"

A slew of vendors have rushed to fill the void left by NAC's delay with products that claim to integrate security software with LAN switches or control access to the LAN through other means. 3Com, Alcatel, Enterasys, HP and Nortel are shipping products that use 802.1x on LAN switches and back-end authentication servers to permit or deny network access. Meanwhile, security-focused start-ups such as ConSentry, Vernier Networks, Lockdown Networks and Nevis Networks have recently launched appliances and software that provide a NAC-like overlay for installed Ethernet switches.

"It's a wide open market," says Jon Oltsik a senior analyst at Enterprise Strategy Group. "Cisco will be in the game, but what's gone for them is the opportunity to have a dominant propriety solution."

Other industry observers say NAC support on LAN switches will be worth the wait. "I have a number of customers that are looking forward to using NAC," says Deric Scott, enterprise consultant with Optimus Systems, a network integration firm that installs Cisco, Extreme and 3Com gear. Scott says he worked with some customers on the router-based version of NAC, but uptake was not high.

"The first version of NAC had its limitations and people weren't ready to go with it," he says. "People did not want to install a router between the clients and the (network core) because it slowed things down."

Some Cisco users are taking a wait-and-see approach to NAC as they deal with other issues. "We looked at NAC but haven't gotten enough information yet to move forward with it," says Chris Mikesell, manager of networking and infrastructure at the Anne Arundel Medical Centre in Maryland. The medical centre recently installed Cisco's Clean Access Commercial appliance, which provides limited NAC capabilities for up to 750 users. The organisation uses the gear to protect against viruses brought in via the PCs of affiliated doctors who can access the network through a VPN.

Cisco's Jason Halpern acknowledged that NAC-II's primary appeal will be to existing Cisco users who can get it free under their support contract. "Most of our customers already have ACS [Access Control Server], so this is a real value proposition for them," he said. "The key difference versus our competitors is it's all one packaged solution, we just need to leverage our partners for antivirus and auditing."