Understanding Network Access Control

In this article, I’m going to discuss the 802.1x Standard for Port-based Network Access Control (NAC).

802.1x is an IEEE protocol that provides authentication for devices trying to access the wired and wireless LAN offering secure access at the port level. Network Ports can be dynamically enabled or disabled based on the identity of the user or device that connects to the switch. All traffic is blocked from the endpoint until the user or device authenticates. Endpoints can either authenticate using EAP (defined later) where an endpoint's identity is verified with certificates plus username and password or with MAC-Address-Based Authentication (MAB) where the MAC addresses of endpoints are stored in an identity store for verification. MAB authentication is often used for devices that are not capable of 802.1x EAP authentication like IP cameras, UPS devices, IP Clocks...etc.).

There are 3 components to making 802.1x Function:

• Supplicant - The client running on the endpoint that submits the credentials for authentication. The client can be built into the OS such as with Microsoft Windows or it can be a third party application deployed to the devices.

• Authenticator - The Network Device (Switch) that relays the credentials from the Supplicant to the Authentication Server. The Authenticator also enforces the defined network access policies (VLAN assignments, ACLs).

• Authentication Server - A server that validates the credentials sent by the supplicant. A RADIUS server such as Microsoft NPS or Cisco ISE is the industry standard for accomplishing this. Often, the authentication server communicates with a back-end identity store such as Active Directory to verify credentials. This is known as an External Identity Store. The server also has the capability to maintain credentials internally. This is known as an Internal Identity store.

EAP and Certificates

Supplicants pass credentials using the Extensible Authentication Protocol (EAP). EAP messages can be sent over Ethernet, EAP over LAN (EAPoL) or EAP over wireless (EAPoW). There are a few different EAP Methods available for you to configure your clients to use but the two most common and secure are EAP-TLS and PEAP-MSCHAPv2.

• EAP-TLS - Uses X.509 certificate exchange for securing authentication. Upon connection and login attempt, the Authentication Server submits its certificate to the Supplicant for validation. Once validated, the supplicant sends back its certificate for the server to validate and completes authentication. When using EAP-TLS, every endpoint, including the authentication server must have two certificates - A client certificate signed by the certificate authority (CA) and a copy of the CA root certificate. Certificates can be deployed to endpoints with Active Directory-based auto-enrollment.

• PEAP-MSCHAPv2 - Similarly to EAP-TLS, the Authentication Server sends its certificate to the supplicant to verify the server's identity. Once identity has been validated, the Supplicant builds an encrypted tunnel to the Authentication Server. The tunnel is used to submit the username and password from the Supplicant. Authentication relies on the validation of the password. Each endpoint device must have the Root CA certificate for the CA that signed the certificate of the Authentication Server and an MSCHAPv2 username and password. The Authentication Server must have a certificate signed by the Root CA and the username and password for every computer. Active Directory accounts are often used in the exchange. AD will serve as the identity store for the Authentication Server. The authentication server will validate the credentials against AD. This allows the user only to enter their credentials once.

Once authenticated, you can configure users to have full or limited network access based on attributes a user has within AD. This is accomplished by configuring VLANs and ACLs for access. Some organizations might require devices accessing the network to go through a process called Posturing. During this process, an assessment is used to determine the "health" of the endpoint connecting. You can check for anti-virus installation and updates, verify the OS version, confirm if certain applications are installed on the machine, and more. This can be used to deny network access to endpoints that pose a security risk to the network. You can also offer users specific remediation actions the user can complete to bring the endpoint into compliance.

Host Modes

To address the Design consideration for multiple devices per switch port, 802.1x gives various configuration options based on your environment:

• Single-Host Mode - Only a single device will be allowed to authenticate at a time

• Multi-Domain Authentication (MDA) - This is often used when there's a VoIP phone connected to the port. This allows one device to connect to the Voice VLAN and one to the Data VLAN. Any additional devices will result in a port security violation being triggered and the port is shut down. Phones are identified with LLDP or CDP.

• Multi-Host Authentication - Designed for environments that deploy mini-switches. This allows multiple hosts to authenticate to a port on the data VLAN.

Other Design Considerations

• Deploy multiple Authentication (RADIUS) Servers - If your RADIUS server is down - no one will be able to access the network. Redundancy is key!

• Authentication Timers - Take time to research authentication timers. A timer that's too short will result in your users being kicked off the network and having to re-authenticate.

• RADIUS Accounting - Provides you with detailed information on each 802.1x session. Ensure this is turned on, especially in the early stages of deployment for troubleshooting purposes.

• Determine a mechanism to ensure workstations can communicate with the network to receive their updates. Since workstations have no network access until a user logs in, they can miss patches and software updates that are pushed.

NAC & ARP Poisoning

Another emerging approach to NAC is leveraging a common cyber-attack known as ARP Poisoning. ARP Poisoning is defined as when an attacker sends falsified ARP messages over a local area network (LAN) to link an attacker’s MAC address with the IP address of a legitimate computer or server on the network.

So How can this be leveraged to support NAC?

Essentially, you would install an appliance or sensor on the network that monitors and captures ARP packets when a device connects to the network. This appliance can analyze information like device models, operating systems, etc. This information is then sent to a controller and evaluated based on the policies you set. Access is then granted or Denied Based on the policies set.