Wednesday, June 23, 2010


How NAC works. Because I am lazy and it is late, I am cribbing from a paper I wrote earlier this week:

The core functionality of NAC involves three parts: the supplicant, the authenticator, and some kind of authentication server. The supplicant is an edge host device that wants to access network resources over the local LAN. The authenticator is the network device -- usually a network switch -- that can provide that access if and only if the supplicant is correctly authenticated. The authenticator requests some kind of authentication credentials from the supplicant and decides what action to take based on the response from the authentication server. The authentication server is, unsurprisingly, a server that validates the credentials provided and informs the authenticator whether the supplicant is or is not allowed to access the LAN; the authentication server may also provide additional information to the authenticator about the user after a successful authentication. Until the negotiation is complete and the supplicant is correctly authenticated by the authenticator, the supplicant has no access to the actual data network on the switch. Physical layer connectivity is provided, but an unauthenticated port is not part of any LAN or VLAN.

A switch acting as an authenticator will operate as a normal switch until a live network host is connected to a port configured for 802.1x. The link state change triggers the 802.1x authentication process. In normal non-802.1x operation, the switch would add the newly live switchport to the correct VLAN. For an 802.1x port, the port is not added to a VLAN but is instead placed in an unauthenticated state, which allows only 802.1x protocol traffic. The authenticator switch sends initiator datagrams that serve to request credentials. A correctly configured supplicant machine will have an operating system that is configured to listen for these packets and collect the authentication credentials from the user. They are often some kind of user/password pair linked with the specific user of the supplicant machine, but may instead be certificates associated with the machine itself rather than the user.

The supplicant host machine and the authenticator network device exchange authentication credential information. This includes the kind of authentication, based around the Extensible Authentication Protocol originally developed for PPP authentication, as well as the authentication credentials themselves. Communication between the authenticator switch and the authentication server is usually handled via the RADIUS authentication protocol. RADIUS allows for additional information to be exchanged besides a simple yes/no verification, so that configuration data specific to the user or a user group can be communicated back to the authenticator. The authentication server evaluates the credentials and replies to the authenticator switch to affirm or deny the access. If the authentication server affirms the credentials, the authenticator switch will place the port onto a pre-configured VLAN or network segment. At that point, the supplicant machine can continue normal procedures for connection to the network and issue DHCP or BOOTP packets if needed, or begin normal connectivity if its network interface is already correctly configured.
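To make the port states concrete, here is a small added example (my own toy model, not code from the original paper or from any switch vendor) of an authenticator port talking to a constructed in-memory RADIUS server: the port forwards only EAPOL frames until the server returns Access-Accept, a failed attempt leaves it closed, and a successful one moves it into the VLAN the server hands back. The user table, the VLAN names and the use of a Tunnel-Private-Group-ID attribute for the VLAN are assumptions made for the example.

```python
# Added example (not from the post or any vendor): a toy model of an 802.1X
# authenticator port and a constructed in-memory RADIUS server. The VLAN comes
# back in a Tunnel-Private-Group-ID attribute, as the post describes.
EAPOL_ETHERTYPE = 0x888E   # the only ethertype an unauthorized port lets through
IPV4_ETHERTYPE = 0x0800

class RadiusServer:
    """Authentication server: checks credentials, answers Accept or Reject."""
    def __init__(self, users):
        self.users = users   # {username: (password, vlan)}, constructed sample data

    def access_request(self, user, password):
        entry = self.users.get(user)
        if entry is None or entry[0] != password:
            return {"code": "Access-Reject"}
        return {"code": "Access-Accept", "Tunnel-Private-Group-ID": entry[1]}

class AuthenticatorPort:
    """Switch port state machine: unauthorized until the server says Accept."""
    def __init__(self, radius):
        self.radius, self.state, self.vlan = radius, "down", None

    def link_up(self):
        # link-state change starts 802.1X; port is unauthorized and in no VLAN
        self.state, self.vlan = "unauthorized", None
        return "EAP-Request/Identity"   # initiator datagram sent to the supplicant

    def forward(self, ethertype):
        """True if a supplicant frame is forwarded, False if the port drops it."""
        return self.state == "authorized" or ethertype == EAPOL_ETHERTYPE

    def eap_response(self, user, password):
        # the authenticator relays the supplicant's credentials to RADIUS
        reply = self.radius.access_request(user, password)
        if reply["code"] == "Access-Accept":
            self.state = "authorized"
            self.vlan = reply.get("Tunnel-Private-Group-ID", "default")
        else:
            self.state = "unauthorized"   # a failed attempt leaves the port closed
        return self.state

def demo():
    # walk one port through link-up, a failed attempt and a successful one
    port = AuthenticatorPort(RadiusServer({"alice": ("correct-horse", "vlan-10")}))
    port.link_up()
    blocked_before = not port.forward(IPV4_ETHERTYPE)   # IP dropped pre-auth
    port.eap_response("alice", "wrong")
    blocked_after_fail = not port.forward(IPV4_ETHERTYPE)
    port.eap_response("alice", "correct-horse")
    return blocked_before, blocked_after_fail, port.state, port.vlan, port.forward(IPV4_ETHERTYPE)
```

Calling `demo()` returns `(True, True, 'authorized', 'vlan-10', True)`: IP traffic is dropped before and after the failed attempt, and passes only once the port is authorized into the assigned VLAN.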


About Me

Regis has worked as a network engineer since 1994 for small companies and for large companies.