Now that we’ve started implementing NAC solutions with 802.1X, we (as an industry) have muddied the lines between the two technologies and even the software involved.

Understanding the difference between a NAC Client and an 802.1X Supplicant can save you much time, confusion and – yes – MONEY.

How does it save money? I figured most of you would glob on to that one first- hang on, I’ll get to it in a minute ;).

NAC Clients. Most network-based NAC vendors, such as Cisco, Juniper, StillSecure and ProCurve have some type of NAC Client or Endpoint Integrity Agent provided as part of their NAC solution. The NAC Client is a software agent that sits on the endpoint and collects statement of health or posture of the endpoint and communicates that back to whatever NAC controller you’re using. (Most of these guys offer some type of agent-less or transient-agent posture checking too, but this doesn’t apply here.)

The NAC Client may also provide additional security functions such as host enforcement or it may serve as an encryption termination point for IPSec tunnels created between the endpoint and a firewall, for example. I’m sure we’ll be seeing more and more bells and whistles added to the NAC Clients as time goes by.

802.1X Supplicant. An 802.1X supplicant is a different creature all together. First of all, it’s worth noting a supplicant can exist as a piece of software on an endpoint, or as part of an infrastructure device, including switches, APs and even printers. On an infrastructure device, the built-in supplicant lets us do things like authenticate switches to one another for maintaining integrity of network devices and prevent rogues from joining the network.

If the supplicant is on a PC or laptop, it may be built in to the operating system, or provided as a 3rd party software. The supplicant is what communicates through the switches to the RADIUS server for authentication and ‘speaks EAP’. EAP, the Extensible Authentication Protocol, is what makes 1X. Generally a supplicant’s only function in life is to speak EAP and get the device authenticated to the network.

What you may see from some vendors, such as Juniper, is an integrated NAC Client with a built-in Supplicant. Juniper’s Odyssey Client bundles both functions in to 1 agent.

Okay, so back to the money… Understanding what does what, and what comes from where is helpful when we start talking dollars. In many cases you’ll end up paying separately for the NAC Client licenses and the Supplicant licenses. You won’t have to pay for both if…

  1. If the NAC Client and Supplicant are bundled
  2. If you’re using the Supplicant integrated with the OS or 
  3. If you’re using an open source Supplicant
  4. If you’re not 802.1X with your NAC, and of course
  5. If you’re not using NAC on top of 802.1X

Some vendors may offer a pricing advantage depending on what you’re planning to do. We started with two main Supplicants a few years ago- Meetinghouse’s Aegis and Funk’s Odyssey Access Client. What happened to those guys? Cisco bought Meetinghouse and now offers the Aegis client as an option with their solution and Juniper bought Funk and integrated the Odyssey Access Client directly into their endpoint integrity agent. Most likely they want to try and recoup some of the money from those acquisitions, so what that means for you is that you will likely pay money for products containing those technologies.

On the other hand, some of the home-grown technology from the NAC side may lessen the budget burden. Cisco’s endpoint integrity agent is actually included with their NAC solution, so they don’t charge any per-seat fee (unless you add 802.1X). Juniper’s is integrated, so you’re getting both functions regardless. You can probably spot companies that OEM another solution or another client if they charge for the NAC Client license… that’s not definite, but a good rule of thumb.

From a deployment perspective an bundled agent (NAC + 1X) is nice, since it means you only need to download 1 piece of ‘thing’ onto the endpoint. From a budget persepctive it can be good or bad- it really depends on how many licenses you need and how willing your vendor is to work with you on price.

# # #


Author, speaker, and recognized authority on network and wireless security architectures, Jennifer (JJ) Minella helps organizations solve technical problems and align teams.

View all posts