NAC
NAC Definition
Network Access Control (NAC) is a set of protocols used to enforce a security and authentication policy on devices attached to the network. The solution consists of several components:
- Authenticator - An Authenticator decides whether a device can access the network. Generally, this decision is communicated via RADIUS.
- Policy Manager - The Policy Manager defines what to do with a user based on the result of the authentication. Common examples of a policy manager are systems such as Aruba ClearPass and Cisco ISE.
- PAE - The Port Authentication Entity is the NAC software component that controls access to the port, relays credentials to the Authenticator, and receives policy information from the Policy Manager. It also enforces the policy configured via the Policy Manager. In the Tellabs OLAN system, the NAC software provides the PAE as part of its overall NAC solution.

The picture above shows a typical architecture in which NAC would be deployed. The PAE, or Port Authentication Entity, is the gatekeeper: it blocks access to a port until a user has been authenticated, then awaits the authentication result from the Authenticator and possibly a policy to apply.
The switch contains the PAE and also enforces whatever policy the user ends up being assigned.
The Authenticator takes the credentials that were collected from either the user or the device and gives a pass/fail result back to the PAE. The Authenticator may or may not also be involved in defining policy for the user's connection. In some cases, it simply gives an authentication result, and it is up to the switch to decide on policy. Typical Authenticators are RADIUS, TACACS+, and DIAMETER.
The Policy Manager defines what policy to apply to the user based on the credentials offered, and the authentication result.
NAC is the mechanism on the switch that controls the security posture of the port, how and where to authenticate, and the source of the policy to be enforced on the port.
NAC, also referred to as network admission control, is a method of bolstering the security of a proprietary network by restricting the availability of network resources to endpoint devices that comply with a defined security policy.
A traditional network access server (NAS) performs authentication and authorization functions for potential users by verifying logon information. In addition to these functions, NAC restricts the data that each particular user can access and implements anti-threat applications such as firewalls, anti-virus software, and spyware-detection programs. NAC also regulates and restricts what individual subscribers can do once they are connected. NAC is ideal for universities, corporations and agencies where the user environment can be limited while regulatory policies are implemented. For example, in colleges or universities, where there are multiple departments and students use a variety of devices (e.g., Xboxes, iPads, and laptops), the MAC Authentication Bypass (MAB) feature present in the NAC profile can be implemented along with 802.1x port authentication to maintain another level of security.
MAC Authentication Bypass

Many Enterprise and other secure installations use the 802.1x Port Authentication feature to control access to the Ethernet ports within a facility. The 802.1x protocol forces a user to authenticate using their credentials prior to gaining access to a port. The user is typically authenticated to some backend system such as RADIUS.
For many intelligent devices that support 802.1x, this works well to secure the ports for use only by authorized parties. The problem is that simple devices such as printers and cameras may not support 802.1x and backend authorization. To handle these use cases, MAC Authentication Bypass, or MAB, uses the MAC address of the attached device as the credential presented to the backend AAA server, typically RADIUS.
It should be noted that, because MAC addresses can be easily spoofed by most PCs and other devices, MAB is a weak authentication protocol. It should therefore be paired with ACLs, firewall rules, and other mechanisms to ensure that proper security is maintained within the network.
NAC Profile Attributes

The following NAC profile attributes are available for user editing.
Access Violation
- Enable Auto-Disable - Enable automatic port disable on access violation. Values are disabled or enabled. Default is disabled.
- Auto Re-enable Timeout - Set the duration of time, in seconds, to remain in the auto-disabled state. Values are between 60 and 86400 seconds.
- Max MACs - Set the upper limit of authorized MAC addresses using this service.
Default VLAN
- Enable Default VLAN - Apply the default service profile containing the VLAN. It is overridden by policy from RADIUS if one is included.
- Service Profiles - When Default VLAN is enabled, specify a Service Profile from the dropdown list to apply to the NAC profile. Once the NAC profile is saved, view the Service Profile by clicking the hyperlink of the selected profile in the Attributes area of the NAC tab.
Guest VLAN
- Enable Guest VLAN - The Guest VLAN is used when 802.1x or MAB is enabled and the user either never attempts to authenticate or never completes authentication (for example, the RADIUS response times out).
- Startup Delay - Sets a startup delay before the Guest VLAN service becomes active. Values are none or a range of 1 to 3600 seconds. Default is 90 seconds.
- Service Profile - When Guest VLAN is enabled, specify a Service Profile from the dropdown list to apply to the NAC profile. Once the NAC profile is saved, view the Service Profile by clicking the hyperlink of the selected profile in the Attributes area of the NAC tab.
MAC Bypass
- Enable MAC Bypass - Enable MAC Authentication Bypass (MAB) to forward the authentication request to the RADIUS server using the NAC profile. This option prevents unauthorized MAB clients from accessing a VLAN without prior authentication.
- Startup Delay - Sets a startup delay before the MAB service becomes active. Values are none or 30. Default is 30.
- Auth Method - Specify Authentication Method for MAC Bypass. Values are PAP (MAC as credentials), EAP-MD5 (MAC as Credentials) and EAP-MD5 (specify username and password as credentials).

Note: Username and Password are only visible when the Auth Method is EAP-MD5 (specify username/password) and are user-defined.
- Username - User name to access a specific account on RADIUS server and as credentials in Auth Method EAP-MD5 (username/password).
- Password - Password to access a specific account on RADIUS server and as credentials in Auth Method EAP-MD5 (username/password).
PAE Dynamic Service
- Enable PAE Dynamic Service - Enables the use of 802.1x and RADIUS to authenticate access to the port prior to giving access to the network.
- Enable Filter ID - Allows the service profile to be selected based on the string returned in the RADIUS Filter ID. This allows a user to log in at any port with 802.1x enabled and have the proper policy applied based on the Filter ID in the RADIUS Access-Accept message.
- Enable Egress VLAN ID - Allows parsing of the RADIUS Egress VLAN ID for the tagged VLAN to be applied to the port.
- Enable Tunnel - Allows setting of the untagged VLAN ID/PVID of a port via the RADIUS tunnel attributes if they are returned in the RADIUS Access-Accept message.
Authorization Failure
- Enable Authentication Failure - Enable Authorization Failure Dynamic Service Provisioning. Values are disabled or enabled. Default is disabled.
- Service Profile - Specify Service Profile(s) to be applied when Access Reject is returned from RADIUS, or RADIUS fails to respond within the timeout.
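The following Python program is an added illustration of the decision flow described in the MAC Authentication Bypass section and in the profile attributes above; it is not Tellabs code and does not speak RADIUS. An in-memory dictionary stands in for the RADIUS/Policy Manager backend, a dictionary named NAC_PROFILE stands in for the profile attributes (Default VLAN, Guest VLAN, MAC Bypass, Filter ID, Tunnel, Authorization Failure), and the MAB path models only the "PAP (MAC as credentials)" method, where the MAC address is sent as both username and password. All MAC addresses, user names, passwords and VLAN numbers are constructed for the example.

```python
"""Simulated NAC decision flow (constructed example, not vendor code):
the PAE asks a RADIUS-style authenticator for a result and maps the reply
to a service profile using the NAC profile attributes."""
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# --- Constructed backend data standing in for RADIUS / the Policy Manager ---
USERS_8021X = {"alice": ("correct horse battery", "staff-acl")}  # user -> (password, Filter-Id)
# MAB devices cannot run 802.1x and are admitted by MAC address alone. Because a
# MAC is trivially spoofed, each entry is bound to a restrictive Filter-Id.
MAB_DEVICES = {"00:11:22:33:44:55": "printer-only-acl"}

# Service profiles known to the switch, keyed by the RADIUS Filter-Id string.
SERVICE_PROFILES = {"staff-acl": {"vlan": 10}, "printer-only-acl": {"vlan": 20}}

# NAC profile attributes (hypothetical values chosen for this example).
NAC_PROFILE = {
    "enable_default_vlan": True, "default_profile": {"vlan": 30},
    "enable_guest_vlan": True, "guest_profile": {"vlan": 99},
    "enable_mac_bypass": True,
    "enable_filter_id": True, "enable_tunnel": True,
    "enable_auth_failure": True, "auth_failure_profile": {"vlan": 98},
}


@dataclass
class RadiusReply:
    code: str                          # "Access-Accept", "Access-Reject" or "Timeout"
    filter_id: Optional[str] = None    # RADIUS Filter-Id attribute
    tunnel_vlan: Optional[int] = None  # untagged VLAN/PVID carried in the tunnel attributes


MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so 0011.2233.4455 and 00-11-22-33-44-55 match."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def radius_authenticate(username: str, password: str) -> RadiusReply:
    """Authenticator: a MAC-shaped username with itself as password is the MAB
    (PAP, MAC as credentials) case; anything else is an 802.1x user credential."""
    if MAC_RE.match(username):
        if username in MAB_DEVICES and hmac.compare_digest(username, password):
            return RadiusReply("Access-Accept", filter_id=MAB_DEVICES[username])
        return RadiusReply("Access-Reject")
    entry = USERS_8021X.get(username)
    if entry and hmac.compare_digest(entry[0], password):
        return RadiusReply("Access-Accept", filter_id=entry[1])
    return RadiusReply("Access-Reject")


def pae_decision(profile: dict, reply: Optional[RadiusReply]) -> Optional[dict]:
    """PAE: choose the service profile for the port; None means the port stays blocked."""
    if reply is None:  # supplicant never attempted to authenticate
        return profile["guest_profile"] if profile["enable_guest_vlan"] else None
    if reply.code == "Access-Accept":
        # Policy carried in the Access-Accept overrides the Default VLAN.
        if profile["enable_filter_id"] and reply.filter_id in SERVICE_PROFILES:
            return SERVICE_PROFILES[reply.filter_id]
        if profile["enable_tunnel"] and reply.tunnel_vlan is not None:
            return {"vlan": reply.tunnel_vlan}
        return profile["default_profile"] if profile["enable_default_vlan"] else None
    # Access-Reject, or RADIUS failed to respond within the timeout
    return profile["auth_failure_profile"] if profile["enable_auth_failure"] else None


def mab_authenticate(profile: dict, mac: str) -> Optional[dict]:
    """Full MAB flow for a device that cannot speak 802.1x."""
    if not profile["enable_mac_bypass"]:
        return pae_decision(profile, None)  # behaves like a device that never authenticated
    m = normalize_mac(mac)
    return pae_decision(profile, radius_authenticate(m, m))


if __name__ == "__main__":
    print("802.1x staff:", pae_decision(NAC_PROFILE, radius_authenticate("alice", "correct horse battery")))
    print("printer via MAB:", mab_authenticate(NAC_PROFILE, "0011.2233.4455"))
    print("unknown MAC:", mab_authenticate(NAC_PROFILE, "de:ad:be:ef:00:01"))
    print("no attempt:", pae_decision(NAC_PROFILE, None))
    print("RADIUS timeout:", pae_decision(NAC_PROFILE, RadiusReply("Timeout")))
```

The point to take from the MAB path is that the switch never learns more about a MAB client than its MAC address, so whatever Filter-Id the backend binds to that address is the only thing limiting a device that presents it; binding MAB entries to restrictive profiles, as MAB_DEVICES does here, is how the ACL pairing recommended above is expressed in policy.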