McAfee's NAC strategy rests on two separate, but tightly integrated products. The first is ePolicy Orchestrator, which is McAfee's endpoint security client management system. EPolicy Orchestrator is a traditional enterprise console for McAfee's flagship endpoint security client.
EPolicy Orchestrator can report the results of endpoint security policies back to the other half of McAfee’s NAC product line. That’s the N-450 NAC Appliance and McAfee's Network Security Manager. When a device running McAfee's endpoint security comes on the network, the N-450 acts to enforce access control policies and endpoint security policies for that client.
The NAC Appliance and Network Security Manager can enforce NAC policies via full inline enforcement, DHCP-based enforcement or VLANs enforced at the edge of the network, which we focused on.
In edge enforcement, the NAC Appliance starts in-line between the end user device and the rest of the network. The user authenticates to the network using their Windows login, switch-based 802.1X, or a captive portal provided by McAfee.
If the end device is running the McAfee client, and if they are compliant with the endpoint security policy, then the NAC Appliance gets "out of the way." You can choose to leave the NAC Appliance in-line for some users and apply more sophisticated access controls for end users such as guests who may need more watching.
In our tests, we found McAfee NAC at a crossroads. While the ePolicy Orchestrator is solid and well tested, the NAC Appliance and Network Security Manager is a fusion of McAfee thinking on NAC combined with technology McAfee acquired from Lockdown Networks.
This left a few bumpy spots in the road when it came to enforcement. Lockdown was notorious for its feature-creep and it's going to take McAfee some time to get its heads around all of the capabilities inherited.
With VLAN switching as the primary enforcement mechanism, McAfee NAC is clearly slanted towards endpoint security and compliance requirements more than fine-grained network access controls. Because McAfee NAC depends heavily on ePolicy Orchestrator, existing McAfee endpoint security customers will find that adding McAfee's NAC to their networks is a very natural and easy extension.