NAC – Network Access Control
Increasing network security by using 802.1x authentication and authorization.
AddNet secures network access through integrated support for 802.1x authentication and authorization. AddNet can restrict network communication to authenticated devices and assign each device to its corresponding VLAN.
To take full advantage of AddNet NAC, the network infrastructure must support the 802.1x authentication standard. This requirement is met today by most mid-range and high-end switches from all major vendors. Novicom brings heterogeneity to NAC: AddNet can operate NAC simultaneously on switches from multiple vendors.
The advantage of AddNet’s NAC is its simple implementation in large distributed networks. NAC functionality can be provided for remote locations that are temporarily disconnected from the central site, thanks to the integrated RADIUS server running on remote AddNet Workservers.
In the NAC area, AddNet uses the standard RADIUS protocol. It supports either full 802.1x with supplicants or MAC authentication. Implementing full 802.1x traditionally brings considerable additional effort in managing the supplicants on all network devices and keeping all certificates up to date. There are also additional risks, such as the need to manage exceptions: not all platforms and devices have a supplicant available. The switch port to which such a device is connected has to be excluded from 802.1x, and connecting a different device to that port is then a security risk.
A significant share of AddNet users therefore prefer to use NAC in the form of MAC authentication with protection, meaning that devices are authenticated by their MAC address. The integrated monitor evaluates multiple parameters and notifies the administrator about a device whose MAC address has changed. This approach to NAC comes very close to full 802.1x functionality without the difficult implementation, administration and long-term exception management.
AddNet is not limited to MAC authentication. Customers who require a higher level of security can use full 802.1x with supplicant support. Both modes can also be combined to reap the benefits of full 802.1x while removing the time-consuming management of exceptions typical of conventional 802.1x implementations.
The implementation of AddNet MAC authentication with protection is part of the standard DDI implementation and has no additional requirements apart from the configuration of the networking hardware. Adding a few lines to the networking hardware configuration results in immediate use of NAC. On AddNet’s side, it is only necessary to set up the communication parameters for the RADIUS servers.
AddNet NAC implementation is done in two phases. In the first, MAC authentication with protection is enabled on the whole network together with DDI services, bringing security to the whole network and all its ports. The second phase evaluates whether it is possible to switch to full 802.1x and which networks are suitable for it, followed by the setup of supplicants in those networks.
Another significant feature of AddNet is the management of authorization. After authentication, in which a device is allowed to communicate on the network based on its identity, the authorization process determines which network (VLAN) the device belongs to. The corresponding switch port is then set as an access port in that VLAN, so the device can communicate only in the VLAN assigned to it.
Authorization, like 802.1x authentication, is controlled through the RADIUS server that is part of the AddNet Workserver. The advantage of this model is that there is no need to set up the VLAN on each switch: the switches are controlled dynamically by AddNet according to which network a device should join. It is possible to reach a state where, no matter where a device connects within a large network, it automatically receives its IP address and is assigned to its corresponding VLAN.
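As an added illustration (not AddNet’s code; this page does not describe its internals), the following Python sketch shows the decision a RADIUS server makes for MAC authentication with dynamic VLAN authorization as described above: an unknown MAC is rejected, a known MAC is accepted with the standard Tunnel-* attributes that place the switch port in its VLAN, and a MAC that differs from the one previously seen on the same port raises an administrator alert (the "protection" part). The inventory, switch addresses and request values are constructed for the example.

```python
from dataclasses import dataclass, field

# RADIUS attribute values used for dynamic VLAN assignment (RFC 2868 / RFC 3580).
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6      # Tunnel-Medium-Type = IEEE-802


@dataclass
class NacState:
    """Hypothetical inventory: known MAC -> VLAN, plus the MAC last seen on each port."""
    mac_to_vlan: dict
    last_seen: dict = field(default_factory=dict)   # (nas_ip, nas_port) -> MAC
    alerts: list = field(default_factory=list)      # administrator notifications


def normalize_mac(user_name):
    """Switches send the MAC as User-Name in vendor-specific formats; canonicalise it."""
    digits = "".join(c for c in user_name.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {user_name!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(state, user_name, nas_ip, nas_port):
    """Return (RADIUS reply code, reply attributes) for one MAC-authentication request."""
    mac = normalize_mac(user_name)
    vlan = state.mac_to_vlan.get(mac)
    if vlan is None:
        return "Access-Reject", {}              # unknown device: no network access
    previous = state.last_seen.get((nas_ip, nas_port))
    if previous is not None and previous != mac:
        # A different MAC appeared on a port where another known device was seen
        # before: the device is still admitted, but the administrator is notified.
        state.alerts.append(f"{nas_ip} {nas_port}: MAC changed {previous} -> {mac}")
    state.last_seen[(nas_ip, nas_port)] = mac
    return "Access-Accept", {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-ID": str(vlan),  # the VLAN the port is placed into
    }


# Constructed sample inventory and requests (not real data).
SAMPLE_STATE = NacState(mac_to_vlan={"00:11:22:33:44:55": 10, "66:77:88:99:aa:bb": 20})

if __name__ == "__main__":
    print(authorize(SAMPLE_STATE, "0011.2233.4455", "10.0.0.1", "Gi1/0/5"))
    print(authorize(SAMPLE_STATE, "66-77-88-99-AA-BB", "10.0.0.1", "Gi1/0/5"))
    print(authorize(SAMPLE_STATE, "deadbeef0000", "10.0.0.1", "Gi1/0/6"))
    print(SAMPLE_STATE.alerts)
```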