NAC Appliance Buying Guide: Avenda Systems
Avenda’s eTIPS strives to fit NAC into any network, small or large.
NAC appliances enable identity- and posture-based network access policy enforcement. In addition to keeping malware out, these appliances can help to safely connect bring-your-own devices (BYODs). In this EnterpriseNetworkingPlanet buyer's guide, we examine the capabilities and features offered by Avenda Systems eTIPS.
According to Marketing Director Trent Fierro, Avenda strives to deliver comprehensive back-end functionality while making NAC easy to deploy and use. “We use a three-step model: simulate, monitor, enforce,” said Fierro. “We help you learn what’s on your network first, gradually rolling out policies to make sure that users who meet requirements get in while educating those who don’t.”
Creating a foundation
NAC appliance deployments involve (at least) three players: endpoints requesting access, network elements enforcing decisions, and centralized appliance(s) making those decisions based on identity, posture and policy.
Every Avenda NAC deployment starts with at least one Enterprise Trust Identity Policy System (eTIPS) appliance. There are four eTIPS models, ranging from the ET-5005 (2500 endpoints) to the ET-5040 (30,000 endpoints). All four are sold on dual-GigE Intel hardware and as host-your-own VM appliances.
“With our 4.0 release, you can place eTIPS anywhere – in the same rack [as network elements], in another building or even in another country,” explained Fierro. Larger distributed networks are supported by clustering appliances, all of which enforce shared policy, managed from any unit’s web console. Appliances exchange policy updates but operate independently, creating no single point of failure.
Every eTIPS appliance delivers core capabilities, starting with user identity and role-based access control. Endpoints can request access via 802.1X, MAC, or web portal authentication. eTIPS responds by consulting an on-board RADIUS server or querying enterprise databases (e.g., ActiveDirectory, LDAP, SQL, Kerberos). Basic guest management is also included with every eTIPS appliance.
In addition, eTIPS provides back-end support for endpoint health assessment, 802.1X supplicant configuration, and delivering associated client software (see below). eTIPS policies can include more than identity and posture – for example, decisions may be influenced by access method or date/time. Policies can be simulated to evaluate results or enabled in monitor-only mode. When ready, policies can trigger enforcement methods that range from permit/deny or VLAN assignment to enabling access via RADIUS, RADIUS CoA, TACACS, SNMP or SSH.
For example, upon receipt of an access request, eTIPS might look up a user’s credentials in ActiveDirectory, query GPO attributes, search a SQL database for the endpoint’s (user or IT) registered MAC address, and then run an endpoint assessment. “As a result, I might install a dynamic ACL to allow or restrict server access,” explained Fierro. “Our enforcement is flexible to [integrate with] legacy equipment, like old switches. We can even use SSH to send results to external captive portals.”
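The decision flow just described (identity lookup, MAC registration check, posture result, contextual attributes such as access method and time of day, then an enforcement action applied in simulate, monitor-only or enforce mode) can be sketched as a small policy engine. This is an added illustration, not Avenda's code; the directory, MAC table, roles and VLAN/ACL names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple

# Constructed sample directory: roles per account (stands in for an AD/LDAP query).
DIRECTORY = {"alice": {"staff"}, "bob": {"contractor"}}
# Constructed sample registration table (stands in for the SQL lookup of registered MACs).
REGISTERED_MACS = {"00:11:22:33:44:55": "alice"}

@dataclass
class AccessRequest:
    user: Optional[str]   # None for MAC-only authentication
    mac: str
    method: str           # "802.1X", "MAC" or "web"
    posture_ok: bool      # outcome of the endpoint health assessment
    at: time              # time of day the request arrived

def decide(req: AccessRequest, mode: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, action). verdict is the policy result that gets logged;
    action is what is actually pushed to the network element, which depends on mode."""
    # 1. Identity: resolve roles from the directory, or via MAC registration for MAC auth.
    roles = set()
    if req.user is not None:
        roles = DIRECTORY.get(req.user, set())
    elif req.method == "MAC" and req.mac in REGISTERED_MACS:
        roles = DIRECTORY.get(REGISTERED_MACS[req.mac], set())

    # 2. Policy: identity first, then contextual attributes, then posture.
    if not roles:
        verdict = ("deny", None)                    # unknown user or unregistered endpoint
    elif "contractor" in roles and not (time(8) <= req.at <= time(18)):
        verdict = ("deny", None)                    # contractors only during business hours
    elif not req.posture_ok:
        verdict = ("quarantine", "vlan:remediation")  # VLAN assignment for unhealthy endpoints
    elif req.method == "web" or "contractor" in roles:
        verdict = ("permit", "acl:internet-only")   # dynamic ACL restricting server access
    else:
        verdict = ("permit", "vlan:staff")

    # 3. Rollout mode: simulate only records the verdict, monitor records it but admits
    #    the endpoint unrestricted, enforce applies the verdict's action.
    if mode == "simulate":
        return verdict[0], None
    if mode == "monitor":
        return verdict[0], "permit"
    return verdict
```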