Cisco is developing a hybrid of its two NAC offerings to address criticisms about the complexity, maintenance and speed of its current options.

The upgrades would make it easier to migrate from Cisco's NAC appliance - the NAC option most of its customers opt for first - to its network-based NAC Framework without having to swap out as many elements.

Currently, NAC Appliance and NAC Framework use different client software to evaluate the security posture of network endpoints, and the NAC Framework relies on Cisco's Access Control Server (ACS) to determine which access policy to apply, while the NAC Appliance relies on its own separate management server.

Cisco calls the hybrid oneNAC, according to a source knowledgeable about what Cisco is saying to its customers about its NAC road map.

One of the problems all NAC customers face is that NAC appliances in general don't scale large enough to accommodate a large corporate-wide deployment without using many appliances, said Rob Whiteley, an analyst with Forrester Research.

The solution is network-based NAC that scales to large deployments without requiring a proliferation of new devices on the network, he said. A migration strategy between appliance and network-based NAC would simplify customers' transitions to wider NAC deployments.

Cisco describes its NAC plans as a path for customers to buy its NAC Appliance now and migrate to its NAC Framework over time.

"Our customers like to start with NAC Appliance because it's easier and doesn't require upgrading their infrastructure gear all at once, but they also like many aspects of the Framework approach," said a Cisco spokesman.

"So in interpreting 'oneNAC', it refers to making sure both solutions are interoperable with each other, that customers get investment protection, etc. That way, customers can upgrade infrastructure as part of the natural refresh cycle while getting started with NAC."

One of Cisco's NAC options is an appliance that can sit inline with traffic to enforce access policies. The throughput is 1Gbit/s, a limiting factor for faster networks.

The appliance can also be deployed out of the traffic stream and use Cisco network switches to enforce NAC policies.

Cisco's NAC Framework relies on software deployed on network endpoints in combination with Cisco's ACS/RADIUS server to trigger 802.1X enforcement of admission policies. One drawback customers find is that adding and updating policies is complex, because it involves directly touching the RADIUS server and refreshing local policy directories, the source said.

"The technology is there, but to get the implementation is a battle," said the source, who spoke on the condition of anonymity because the source's employer didn't authorise speaking to the press.

OneNAC would draw on pieces of both architectures. It would use the management-server portion of the NAC appliance implementation as the single place for customers to create, add and change NAC policies, the source said. And it would be fully compliant with the 802.1X authentication standard, the source said.

The new Cisco NAC flavour would also consolidate NAC client software that reports on the configuration of endpoints. The Cisco appliance and Cisco's network-based NAC products use different clients, and oneNAC would create a single client that serves both scenarios, the source said.

Cisco's oneNAC is a year to 18 months from being available, the source said.

Cisco has an advantage in that it owns its own RADIUS server technology, and can freely customise its interactions with its NAC platform. Among its competitors, only Juniper Networks, with its Steel Belted Radius server, owns its own RADIUS technology.

It is very possible to deploy NAC that relies on standard interfaces with RADIUS servers, as has been demonstrated at Interop.

Unlike smaller vendors that sell appliances that work within existing networks, Cisco actually makes the switches that are used as enforcement points, making customisation and extended features a possibility.