Can't find what you need?


• Ask the Community
• Create a Case
Reset Search
 

 

Article

Understanding NAC - Basic operation of authentication and authorization engine

« Go Back

Information

 
TitleUnderstanding NAC - Basic operation of authentication and authorization engine
Question
  • Understanding NAC - Basic operation of authentication and authorization engine
Environment
Extreme Control
Extreme NetSight NAC Manager
Answer
The base responsibility of a NAC appliance is to provide visibility and control over your network through a series of authentication and authorization engines.

NAC is essentially a RADIUS server that sends authorization information down to switches to determine a policy role. The switch then enforces traffic rules per the switches policy configuration based on the policy provided by NAC.

The article assumes that NetSight is up and running, and NetSight NAC Manager already has a NAC configured.

1. Authorized Switch:

The switch must be an authorized device on the network. Add the switches you want to use to the NAC switches tab:

User-added image

Adding devices into the switches tab and enforcing the appliance will configure the NAC to handle RADIUS requests from these switches. If a RADIUS request come in from an IP address that is not in this switches tab will cause the request to be dropped at the NAC as unauthorized. The IP address listed in the switches tab must match the source IP address on the RADIUS packet.

2: Authentication

The first step after receiving an authorized RADIUS packet is to complete authentication of the request. 

The NAC can be configured as the primary RADIUS server in which 802.1x and all authentications are terminated, or it can act as a proxy to a backend RADIUS server like Microsoft NPS.

The NAC looks to a AAA configuration to determine how it's going to process the RADIUS request. The Advanced Configuration menu can be found at tools --> Management and Configuration --> Advanced configuration


User-added image

This AAA engine works in a top down manner where the first match will be used to determine how the authentication request will be processed.

In a typical deployment MAC authentications are always handled locally, and do not have any criteria in order to be accepted. MAC authentication an authentication method for visibility more than security. MAC authentication can result if providing locked down policy roles, but typically MAC authentication has limited ability to treat users in a granular way as MAC authentication is limited to MAC end system groups, or MAC OUIs for classification of end systems. 

All authentication types that will be seen by the NAC must be allocated in the AAA rules engine. For example: If you have an 802.1x authentication request come in and there is no line in the AAA to determine how to process the request will be dropped with an error relating to mis-configuration of the NAC. The displayed example is local termination of 802.1x using an Active Directory backend for user authentication.

3. Authorization

Authorization is what occurs after authentication where the NAC determines what it's going to send back as a result of the RADIUS request. 
User-added image

This rules engine works in a top down manner where the first complete match to the rule's criteria will be the result, if your rules engine is complicated thought must be put into the ordering of the rules to result in the correct rule hit.

Rules are evaluated one at a time, and per criteria within the rule. Criteria can be many different criteria types, including authentication type, username usergroup, LDAP user group, MAC end system group or device type groups. The rule itself is tied to profile. The profile is what determines that action that will be taken as a result of the rule hit.

User-added image

If you click on the profile you'll see the options for that specific profile

User-added image

In this window you can actually determine the outcome of the authentication request. If you want to reject the user even though they have passed authentication you click "Reject Authentication Requests", or enable Assessment and configuration a policy to be sent with the RADIUS accept. The policy that will be sent with the RADIUS request will be used by the switch to determine which policy to use for the end system's session.

User-added image

The policy Mappings indicate which attributes can be sent in the request and are configurable. 


Authentication and Authorization come together to determine if a user is authentic, and to determine what that user is authorized to do. 



 
Additional notes

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255