Access Control Concepts

Network Access Control Technologies

 

In theory, a MAC address is unique and unalterable and therefore a good

 

choice for identifying whether the endpoint should be allowed access. In

 

practice, however, an attacker can spoof a MAC address relatively easily.

 

If you are using IAS, you might encounter another problem. MAC addresses

 

do not conform to the rules for a typical user account. You must create an

 

entirely new set of pseudo-user accounts, which can be tedious and might

 

introduce security vulnerablities.

 

Despite its flaws, MAC-Auth remains the only choice for devices that have

 

neither user interfaces nor support for 802.1X.

 

 

N o t e

A device without a user interface may still support 802.1X. For example, many

 

Voice-over-IP (VoIP) phones support EAP-Subscriber Identity Module (SIM)

 

and include smart cards automatically configured with authentication creden-

 

tials. In addition, some Hewlett-Packard (HP) printers support 802.1X.

 

Process. An endpoint follows this process to connect to a network that

 

 

enforces MAC-Auth:

 

1. The endpoint connects to a PEP and begins generating traffic, typically

 

 

Dynamic Host Configuration Protocol (DHCP) requests.

 

2. The PEP observes that the traffic’s source MAC address is unauthenti-

 

 

cated, so it drops the traffic.

 

3.

The PEP generates an access request specifying the source MAC address

 

 

as the username, and, as the password, either the same MAC address or

 

 

a password configured on the PEP. The request also contains other

 

 

information, such as the port, time, and so forth. The PEP forwards the

 

 

request to an authentication server.

 

4. The authentication server, acting as the PDP, verifies the MAC address

 

 

against its own or a centrally managed data store. The authentication

 

 

server may also retrieve policy information, such as rules for the times

 

 

that the MAC address is allowed on the network or rules that specify

 

 

authorization instructions (for example, a VLAN assignment).

 

5.

The authentication server returns an accept or deny response to the PEP

 

 

that is based on the results of step 4.

6. The PEP reconfigures itself dynamically to forward or block all traffic from the MAC address depending on the access decision. If the accept response included authorization instructions, the PEP configures itself to enforce them—for example, assigning the endpoint’s port to the specified VLAN.

1-17

Page 30 Page 32
Page 31
Image 31
HP Access Control Client Software manual Introduce security vulnerablities
Page 30 Page 32
Top Page Image Contents