If ever there was a technology with a minimum level of prior knowledge attached to it, it was JNCIA-AC. Understanding the dead-simple IVE-based UAC OS is, quite frankly, no help at all; you really need knowledge of the following topics:
- Ethernet Switching, Wireless and 802.1x
- DHCP, DNS, NTP and PKI
- Firewalls, Routers & Security Policy Design
- Windows Domain and RADIUS authentication
- Supplicants, endpoints and client OS
When UAC was launched, Juniper had no switching platform and ScreenOS was its only firewall; UAC had to be deployed on other vendors’ networks. That has changed significantly. With both the EX and SRX platforms gaining traction in the market, Juniper now has the technologies and training courses in place to complement it. Whilst UAC may well continue to be deployed in other vendors’ networks (indeed, that is a strength), the time is right to actively enforce a wider body of knowledge before anyone can be certified in it, raising the bar in terms of who can sell and deploy it. Sticking it on the edge of the portfolio makes no sense; it is a product which will never be deployed in isolation like a Firewall, IDP, SSL or even WX; it will always be tightly integrated into the network. Even the JNCIA-Junos exam probably isn’t stringent enough; to encourage the development of best practice in this area, I wonder if it shouldn’t be pushed up the “Enterprise” or “Security” tracks, making a pass a requirement for JNCIP-SEC/ENT or even JNCIE-SEC/ENT. Not having reached those lofty heights myself yet, I don’t know how much overlap there is, but I can’t help thinking that the knowledge gained on the UAC course would cross-fertilise the higher tiers of the Networking and Security tracks and ultimately produce engineers with a wider knowledge base.
Why this rant? I can’t stand to see a good technology deployed badly or mis-sold. I still run into this more than I should, despite the massive efforts Juniper has put into training programmes for sales, technical and pre-sales staff. At the moment, “Select” Juniper partners are able to sell the UAC products, which is not far from “anyone”. I think it should be restricted to Elite Partners only, as the entry requirements for that tier are not purely commercial: a bunch of sales, pre-sales and of course technical exams need to be completed. Ideally a Juniper SE should be attached to the project as well to provide design sign-off, as this is a key point. This is a premium technology which requires planning and forethought. If you have a requirement to deploy a hard-core Network Access Control solution, you need hard-core people to do it. Raising the bar and referencing it as part of the higher-order Juniper certifications will put this keystone piece of technology front and centre and see it more widely deployed. What I’m aiming for is to promote a better end-to-end understanding of the network infrastructure. Deploying NAC is relatively easy if you know which bit of the network is connected to which; in my experience very few people do (excluding the loyal listeners of the PPP!). Tweaking the certification process will better reflect the knowledge required to actually deploy such solutions, rather than leaving it as an optional extra.