Network Access Control¶

Network Access¶

Requirements

limiting access on switch ports to specified MAC addresses only
manual or automatic through "learning"
Disadvantages: not flexible in networks with roaming/ mobile devices, MAC addresses can be spoofed

Port-Based Network Access Control
restricts the use of networks/ports to authenticated and authorized devices
specifies a common architecture and protocols that support mutual authentication between the clients of ports (supplicant) and the switch (authenticator) using a backend (authentication server, e.g. a RADIUS server) & secures the communication between them
based on extensible authentication protocol (EAP) and works with any IEEE802 network technology (ethernet, wireless)

Goals

identity and access management: identify user, his node, ip address, switch-port, network segment, MAC address
policy enforcement: grant or deny access to a network segment
mitigation of zero-day attacks: deny access for unmaintained, contaminated and malicious nodes

Concepts

client verification: before (pre-admission) or after (post-admission) granting access
- pre-admission: e.g. check for out-of-date antivirus signatures
- post-admission: continuous compliance checking after device is given access
agent or argent less: verification of the client with or without installed client
- agent-based: Clients need to have an agent installed to connect to the network, agent can verify security policies (antivirus signature, system updates, etc.)
- agent-less: No agent installed, not all security policies can be verified, relies on 802.1X to authenticate devices
remediation: using quarantine networks/vlans
- for devices that do not follow security policies
- allows the user to remediate the device (e.g. install updates, etc.)