Network Access Control

Introduction

Document Number

ENG-010542

Purpose

The purpose of this document is to define the behavior of the Network Access Control (NAC) feature of the Tellabs OLAN product.

Applies To

All Tellabs OLTs and ONTs.

What is NAC

Network Access Control is a set of protocols that are used to enforce a security/authentication policy for devices attached to the network.  The protocol consists of several pieces: 

  • Authenticator: An Authenticator defines whether or not a device can access the network.  Generally this is communicated via RADIUS.
  • Policy Manager: The Policy Manager defines what to do with a user based on the results of the authentication.  Common examples of a policy manager are systems like Aruba ClearPass and Cisco ISE.  
  • PAE: The Port Authentication Entity is the part of NAC that controls access to the port, relays credentials to the Authenticator and receives policy information from the Policy Manager.  It also enforces the policy configured via the Policy Manager.  For the Tellabs OLAN system, the NAC software provides the PAE entity as part of its overall NAC solution.

The picture above shows a typical architecture that NAC would be deployed in.  The PAE or Port Authentication Entity is the gatekeeper.  It blocks access to a port until a user has been authenticated.  It awaits the authentication result from the Authenticator and possibly a policy to apply.  

The switch contains the PAE and also enforces whatever policy the user ends up being assigned. 

The Authenticator takes the credentials that were collected from either the user or the device and gives a pass/fail result back to the PAE.  The Authenticator may or may not also be involved in defining policy for the user's connection.  In some cases it simply gives an authentication result and it is up to the switch to decide on policy.  Typical Authenticators are RADIUS, TACACS+, and DIAMETER. 

The Policy Manager defines what policy to apply to the user based on the credentials offered, and the authentication result. 

NAC is the mechanism on the switch that allows control over the security posture of the port, how and where to authenticate, and determines the source of the policy to be enforced on the port. 

Tellabs NAC Profile

This section will outline the capabilities of the NAC profile and how it is configured.

The NAC profile has several functions: 

  • Max MACs: Controlling the Maximum number of MACs on a Service
  • Access Violations: Controlling what to do when an access violation occurs.
  • Service Profile Definition: Defines the list of service profiles to apply to a port via several different mechanisms which will be discussed later.
  • Remote Authentication: Defines the allowed remote authentication methods and what information to take from the Authenticator response.  This is done via PAE or MAC Bypass. 

Service Profiles

Service Profiles on the Tellabs system define a policy to apply to a port.  Multiple service profiles can be assigned to a port.  Each service profile defines things like: 

  • VLAN: The VLAN that is associated with the service and whether the service will be tagged or untagged on ingress to the system.
  • Bridging Model: How bridging is applied to the port and what other ports can bridge traffic with this port.
  • Class of Service: The class of service to be applied on the PON.
  • Rate Limiting: Sets the rates that are allowed on this service.
  • QoS Marking: How the L2 marking is to be applied to traffic. 

Service profiles can be applied to a port by default or can be applied based on the results of authentication. 

NAC Max MACs

The Max MACs field is used to configure the maximum number of MACs that are allowed on the port.  The sum of all MACs that are learned on all VLANs that are configured on the port must not exceed the Max MACs.  Traffic will only be passed for the MACs that were learned before the Max MACs was exceeded; all other traffic will be dropped. 

NAC Access Violation

The system can disable the port whenever a violation on the port is detected.  The Auto Disable setting of the NAC profile controls whether the user's port is disabled on detection of a violation.  The Auto Re-Enable timeout determines how long the port will be disabled.  The default is 300 seconds or 5 minutes.  At the end of the timeout, the port will be re-enabled, the violation cleared and the port will be available for use.   

If the timeout is set to zero, the port remains disabled until an administrator disables and re-enables the port. 
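The Max MACs limit and the access-violation handling described above, as an added model (not Tellabs code): timestamps are seconds supplied by the caller, and what counts as a violation is left to the caller, since the note does not enumerate violation types.

```python
# Added example, not from the Tellabs OLAN product: a port model of the
# Max MACs limit and the Auto Disable / Auto Re-Enable timeout behavior.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class NacPort:
    max_macs: int
    auto_disable: bool = True
    auto_reenable_timeout: int = 300        # seconds; 0 = disabled until an admin cycles the port
    learned: dict = field(default_factory=dict)   # mac -> vlan, counted across all VLANs on the port
    disabled_at: Optional[float] = None     # time the port was auto-disabled, None when enabled

    def enabled(self, now):
        """Port state at time `now`, applying the Auto Re-Enable timeout."""
        if self.disabled_at is None:
            return True
        if self.auto_reenable_timeout and now - self.disabled_at >= self.auto_reenable_timeout:
            self.disabled_at = None         # timeout expired: re-enable and clear the violation
            return True
        return False

    def forward(self, mac, vlan, now):
        """True if a frame from `mac` on `vlan` is passed, False if it is dropped."""
        if not self.enabled(now):
            return False
        if mac in self.learned:
            return True                     # learned before the limit was reached: keeps passing
        if len(self.learned) >= self.max_macs:
            return False                    # beyond Max MACs (sum over all VLANs): dropped
        self.learned[mac] = vlan
        return True

    def violation(self, now):
        """Caller-detected violation: disable the port only if Auto Disable is on."""
        if self.auto_disable and self.disabled_at is None:
            self.disabled_at = now

    def admin_reset(self):
        """Administrator disables and re-enables the port, clearing the violation."""
        self.disabled_at = None
```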

Default VLAN 

The default VLAN is used when VLANs/Services are to be assigned to the port by default.  This option is typically used whenever you are not authenticating the port.  As soon as the port is enabled, all of the service profiles that are assigned to the port will be applied.   

  • The Service Profile selection is a multi-pick list and multiple service profiles can be assigned to a port. 
  • Up to 8 service profiles can be assigned to a port for most bridge models and are supported by all ONTs.  
  • Up to 25 VLANs can be used when Trunk VLAN is selected and is allowed on only the 140C, 140W and newer ONTs.  

Guest VLAN

The Guest VLAN feature is used for assigning a VLAN to guests that are not able to authenticate to the network.  In most cases this is used in an enterprise where you want users to be able to authenticate and get access to all services, but you want guests inside the building to only have access to the internet.   


The Guest VLAN will ONLY be applied if PAE Dynamic Service is enabled and the user never attempts to authenticate to the network.  The startup delay defines how long the guest service will wait before being applied.  It must be long enough for any authentication attempts to complete.  If the delay is too short, valid users may not be able to complete authentication and get access to the internal network. 

MAC Bypass

The MAC Bypass feature allows devices that do not support 802.1X to be authenticated via their MAC address to RADIUS.  The Application Note ENG-010469 MAC Authentication Bypass gives more details on the operation of MAC Bypass and its configuration.  The startup delay for MAC Bypass defines when the MAC will be sent.  Typically you want to set this timer long enough to allow one 802.1X attempt before the MAC Bypass attempt occurs.  This allows the more stringent authentication of 802.1X to be resolved first.  Typically PAP (MAC as Credentials) is the correct choice if MAC Bypass is enabled.  Both MAB and 802.1X can authenticate simultaneously, but it should be noted that as soon as RADIUS returns either an Access-Accept or an Access-Reject, that result will immediately take effect and the policy will be applied. 

PAE Dynamic Service

The PAE Dynamic Service, when enabled, turns on 802.1X on the port and denies access to the port until it has been authenticated.  RADIUS will return one of two responses to the authentication attempt: 

  • Access-Accept: Authentication was successful; access will be granted to the port.
  • Access-Reject: Authentication failed; access to the port will be denied unless an Authentication Failure policy is defined. 

In addition to authentication, the following attributes control what happens with respect to policy: 

  • Enable Filter ID: The name of a service profile will be returned by RADIUS in the Access-Accept message.  All of the policy is defined on the OLAN OLT/EMS, but is selected by the policy server.  Multiple Filter IDs can be returned from RADIUS in a single message, allowing multiple service profiles to be applied.
  • Enable Egress VLAN ID: The RADIUS server will return a VLAN ID and indication of whether it is tagged or untagged.  Policy will come from the Default VLAN if it is defined but the VLAN ID will be overwritten by the VLAN returned from RADIUS.
  • Enable Tunnel ID: The RADIUS server will return the VLAN ID and the ingress traffic is expected to be untagged.  (Essentially an Access VLAN).  The policy will be defined by the Default VLAN if defined and the VLAN ID will be overwritten by the VLAN ID returned from RADIUS. 

If the attribute Authentication Failure is enabled, then it allows the user to define a service profile that will be assigned to the port if an Access-Reject is returned from the server.  This allows users which attempt to authenticate but have invalid credentials to be moved to a quarantine VLAN or remediation VLAN so that further action can be taken and they can be isolated from the rest of the network. 
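The attribute handling described in the list above and the Authentication Failure case, as an added example that is not Tellabs code: the dict layouts are assumptions, and the RFC 4675 Egress-VLANID encoding and RFC 3580 tunnel attribute values are my assumptions about how those attributes are carried, since the note names the attributes only.

```python
# Added example (not Tellabs code): how a PAE could map a RADIUS result plus
# the NAC profile's attribute switches onto the service profiles to apply.
# Assumed: the dict layouts, the RFC 4675 Egress-VLANID encoding and the
# RFC 3580 tunnel attribute values; the note names the attributes only.

def decode_egress_vlanid(value):
    """Egress-VLANID: top octet 0x31 = tagged, 0x32 = untagged; low 12 bits = VLAN ID."""
    tag_octet = (value >> 24) & 0xFF
    if tag_octet not in (0x31, 0x32):
        raise ValueError("Egress-VLANID tag indication must be 0x31 or 0x32")
    return value & 0xFFF, tag_octet == 0x31

# Constructed sample catalogue of service profiles defined on the OLT/EMS.
CATALOG = {
    "staff-data":   {"vlan": 10,  "tagged": False},
    "staff-voice":  {"vlan": 20,  "tagged": True},
    "default-data": {"vlan": 100, "tagged": False},
    "quarantine":   {"vlan": 999, "tagged": False},
}

def resolve_policy(nac, default_names, response, catalog=CATALOG):
    """Return the services to apply as [{"name", "vlan", "tagged"}]; [] means deny."""
    attrs = response.get("attributes", {})
    code = response["code"]
    if code == "Access-Reject":
        # Authentication Failure attribute: move the failed user to a quarantine service.
        fail = nac.get("auth_failure_profile")
        return [dict(catalog[fail], name=fail)] if fail else []
    if code != "Access-Accept":
        return []
    if nac.get("enable_filter_id") and attrs.get("Filter-Id"):
        # Each Filter-Id names a service profile on the OLT; several may be returned at once.
        return [dict(catalog[n], name=n) for n in attrs["Filter-Id"] if n in catalog]
    # Egress VLAN / Tunnel ID: policy comes from the Default VLAN's services;
    # only the VLAN ID (and tagging) is overwritten by what RADIUS returned.
    defaults = [dict(catalog[n], name=n) for n in default_names]
    if nac.get("enable_egress_vlan_id") and "Egress-VLANID" in attrs:
        vlan, tagged = decode_egress_vlanid(attrs["Egress-VLANID"])
        return [dict(s, vlan=vlan, tagged=tagged) for s in defaults]
    if (nac.get("enable_tunnel_id") and attrs.get("Tunnel-Type") == 13
            and attrs.get("Tunnel-Medium-Type") == 6 and "Tunnel-Private-Group-ID" in attrs):
        vlan = int(attrs["Tunnel-Private-Group-ID"])      # access VLAN: ingress untagged
        return [dict(s, vlan=vlan, tagged=False) for s in defaults]
    return defaults   # Accept with no policy attribute: assumed to keep the default services
```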

Further information about how to configure the PAE for proper RADIUS authentication can be found in the Application Note E-010428 Configuring Policy via Radius Authentication. 

Summary

The Tellabs NAC feature allows a very rich set of authentication and policy management features using a simple but powerful NAC profile.  It should be remembered though that it depends on the RADIUS server at a minimum to provide authentication services.  If you want the policy to be dynamic based on user, it does require that either RADIUS or a backend policy server make the policy (service profile) assignments based on the user credentials.  When properly designed and configured, any user can log into any port and get the appropriate access to the network based on their login.  Guests can safely attach to any port and get internet access without compromising system security.   

Tellabs will continue to enhance the NAC service to allow even more mechanisms for dynamically applying services and policies to user ports.
