Network Access Control Part 1

Video Activity

Time
4 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
4
Video Transcription
>> Hi, and welcome to Module 2, Lesson 3.3. In this lesson, we're going to cover Network Access Control, otherwise known as NAC. We're going to talk about the basic functionality of NAC. How does it work? Why do we use it? We'll also talk about supplicant and non-supplicant devices. All a supplicant is is software that speaks a certain language. We're going to talk about what we can do after authentication. NAC is just basically a way to authenticate devices before they access the network. We'll talk about how that works, but we'll also then talk about some of the issues that can come up after authentication.

Let's start with basic NAC functionality. As I said before, NAC is just a way to authenticate a device before it actually gets onto your network. You can have the network be smart enough to detect whether the device that's trying to connect to it is friend or foe. You can also have it be smart enough to detect what type of device it is and put it in certain parts of the environment depending on what type of device it is. Now, this works in both a wired and a wireless environment. It works on the basic protocol of 802.1X, which is a standard Layer 2 authentication protocol. It's a port-level authentication protocol.

Basic functionality: whenever a device tries to connect to the network, that network is going to detect that connection, either in the form of link state if it's a wired device, or just in the form of an incoming connection if it's wireless. If configured for 802.1X authentication or NAC, there's going to be a two-way challenge credential request and response mechanism that happens between the endpoint and the device. Then that information is going to be sent to a back-end authentication server. In our case, we're going to talk about using a RADIUS server on that back end for the final authentication mechanism. Then once an authentication decision is made, the switch will put that device onto the appropriate VLAN, and only then can that device actually communicate on the network. All of this authentication happens before the network layer even starts; this is all at Layer 2.

Let's take a look at this in a little bit more depth. 802.1X makes use of a protocol called the Extensible Authentication Protocol, otherwise known as EAP. The way this works is, on the left side of the screen here we've got our endpoint. Let's just say that this is a workstation and it has an 802.1X supplicant loaded on it. Now all that means is a supplicant is a piece of software on that system that understands how to speak the 802.1X protocol. In the middle we have our authenticator. In this case, it's our switch. On the right, we have our authentication server, and this is where the actual authentication decision is going to be made. In this case, it's going to be a RADIUS server.

When that device first connects to the network, the switch detects a link state; it detects a new connection. That switch or authenticator will send back an EAP identity request. It basically says, "Hey, who are you?" The device, if it has an 802.1X supplicant installed on it and it knows how to speak the 802.1X protocol and EAP language, will respond and say, "Here you go, here's my identity, and here's who I am." That information is taken and encapsulated into a RADIUS request, and it's sent from the switch to the back-end authentication server in the form of RADIUS. The RADIUS server basically says, "Okay, prove it." It sends back a RADIUS Access-Challenge: "You say you're this person or this device; prove that you're that device." That RADIUS challenge gets decapsulated out of the RADIUS and converted into an EAP response. That EAP response is basically sent back to the supplicant again in the form of another EAP request. This is an EAP challenge request, and it says, "Okay, prove who you are."

Now that supplicant should be configured to hand back a certain set of credentials when challenged. A very common one, and a very effective one, is a machine certificate. If you've got, say, a PKI environment, a certificate environment in your internal network, you can actually issue trusted certificates to all of the devices in your environment. That way, anytime they're challenged with a RADIUS challenge, they can hand that certificate back. That's how the RADIUS server will know that they're actually a company asset versus some other device that some guest just walked in and plugged in. But when this EAP request comes back, if the supplicant is configured to hand back, say, a machine cert, it's going to respond with that as its response. It's a challenge-response; it's going to hand the certificate back to the authenticator. The authenticator is going to encapsulate that back into RADIUS again and send that response back to the authentication server, or the RADIUS server.

Now at this point, the RADIUS server looks at its policies internally and says, "Okay, you've identified yourself, you've proven your identity. Now let's see if that identity is something that our policy is going to allow on the network." The RADIUS server goes through its policies and makes a decision, yes or no. Along with that decision, it could also send additional information back. It sends a RADIUS access decision back to the switch, but it's not just a yes or no decision. Other information could be coupled into that decision as well. For example, what if instead of it being a laptop over there on the left-hand side, it's a phone? Because a lot of Voice over IP phones have 802.1X supplicants, and they have the ability to have certificates. Maybe you have different certificates for phones than you do for PCs, and the phone's certificate is going to be distinguishable from the PC's. When that phone identified itself and handed over its certificate, the authentication server not only says, "Yes, you're a phone and you're validated to be on our network," but it knows you're a phone because of what your certificate looked like. It can pass that information back to the authenticator at the same time it makes a decision, so it can pass back and say, "Yes, this thing is authenticated, and by the way, it's a phone."

The switch then finishes the EAP decision, opens up the VLAN, and puts the device on the proper VLAN. If it's a company asset, maybe it's the production VLAN. If it happens to be a guest device and it doesn't have a company certificate, it puts it on the guest VLAN. If that device happens to be a phone, maybe there's a voice VLAN or a printer VLAN. You can have different VLANs for different devices. Those certificates can help identify what types of devices they are. That can be used in the decision on which VLAN to put these devices into. Then you can wrap security around each VLAN in the form of ACLs or firewall rules or something like that. Now only after all of this takes place, that VLAN is then open, that device is then placed on the VLAN, and only then can that device actually go out and try to get an IP address and start communicating on the network. All of this happens before the device is even allowed to communicate on the network.