Do We Need NAC and 802.1x?

Another question I got in my Inbox:

What is your opinion on NAC and 802.1x for wired networks? Is there a better way to solve user access control at layer 2? Or is this a poor man's way to avoid network segmentation and internal network firewalls.

Unless you can trust all users (fat chance) or run a network with no access control (unlikely, unless you’re a coffee shop), you need to authenticate the users anyway.

You could use a captive portal (and modern operating systems are pretty good in handling them) or you could use 802.1x. The beauty of 802.1x is that it allows you to authenticate the users or hosts (and use something else but MAC addresses to authenticate the hosts), whereas a captive portal usually requires user intervention.

Yes, 802.1x could be a nightmare to set up and might not be supported on all BYOD platforms, but it’s the least intrusive authentication option.

After authenticating the users, you have to decide how you want to handle their traffic. You could allow them to do anything they want (good luck with that) or you might want to be more specific and control their traffic.

You could use a private VLAN (or any other microsegmentation solution) and send all traffic through a firewall or another security appliance, which might be the best solution for small sites where almost all traffic exits the site anyway.

In larger environments with lots of intra-site traffic you might decide to do the basic traffic scrubbing at the network edge, in which case you have to deploy per-user ACLs on the network edge. Whether you call that NAC or not is a marketing challenge.

Last question: how do you deploy per-user ACLs on the network edge? RADIUS is one of the popular options (assuming your device supports RADIUS and downloadable per-user ACLs), or you could use OpenFlow the way HP uses it in their campus solutions.

Want to know more?

5 comments:

  1. The problems becom, when your clients don't support 802.1x (or big amount of them). Well, if it is not difficult, it is sure expensive...
  2. Well I think everyone should use 802.1X. I have deployed it at many sites and I call it the SDN of the campus! (I know some will slap me for it)

    The reason why I call it the SDN of the Campus, is that one of the things SDN gives you is automations and fast services enablement.

    And that is what 802.1X gives you in the Campus network. (Automation + Security)

    User/machines will be placed in the correct vlan based on some policies (authentication + status + etc)

    Devices that don't have an 802.1X supplicant can be profiled based on MAC address, but even more if you use the correct tools. So this shouldn't be a problem.

    You always read that 802.1X is difficult and complex, I don't agree. If you have a good network design your 802.1X controller configuration can be very easy.

    The most important thing that is forgotten most of the time is that most advanced features are a combination of switch features and controller features.


  3. Hello,

    I'm university study and I'm doing my final project. I would like implement EAP-TLS on pox controler to autenticate my clients with digital certificate. I would like to use a FREERADIUS to autenticate the users. What can I do to implement 802.1x on pox controler on mininet for it to works with OpenFlow?

    Thanks a lot for your help,
    Replies
    1. Here's the basic description of how one would implement a control-plane protocol with OpenFlow:

      http://blog.ipspace.net/2013/06/implementing-control-plane-protocols.html

      You'd have to find an open-source 801.2x authenticator and integrate it with pox. Good luck!
  4. Thanks for your help, I will try find some authenticator mecanism and integrate it on the Openflow. Do you have some ideia wich mecanism can I could to use?
Add comment
Sidebar