Access Control Concepts

Network Access Control Technologies

 

The network access controller enters the 802.1X framework as either an authentication server or a supplement to the authentication server. It inserts a check of the endpoint's integrity into the process of making access decisions.

For example, the network access controller detects and tests all endpoints when they first connect to the network. It then reports each endpoint's integrity posture to the network's RADIUS servers, which are configured with policies that take these postures into account. If necessary, the RADIUS server alters the user's VLAN assignment and places him or her in a quarantine VLAN.

The ProCurve NAC 800 includes its own built-in RADIUS server, so it can provide both components of the solution.

 

DHCP. The DHCP quarantine method is designed primarily for networks with equipment that is not 802.1X capable. Any endpoint is allowed to connect to the network. However, the network access controller prevents non-compliant endpoints from receiving a valid IP address. Instead, these endpoints receive an address in the quarantine subnet, which has access only to remediation services.

With the DHCP deployment method, part of a network access controller's role is acting as another PEP, quarantining non-compliant endpoints. Typically, you must position the network access controller correctly, between the DHCP server and the rest of the network, so that every lease request passes through it.

 

 

Note

An end-user who has the technical savvy to give his or her station a valid IP address manually can circumvent DHCP quarantining, because the quarantine is enforced only through the lease the controller hands out. This is one reason that 802.1X is the recommended option for high security.
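The following simulation is an added example, not code from the ProCurve NAC 800 or this manual. It models the two quarantine methods described above: the 802.1X method, in which the RADIUS server returns VLAN attributes chosen from the endpoint's posture, and the DHCP method, in which the network access controller in the DHCP path answers lease requests from a quarantine pool. It also reproduces the bypass the note describes: a station with a manually configured address never asks for a lease, so the DHCP PEP never gets a chance to quarantine it, whereas the 802.1X decision is made at authentication regardless. The posture policy, patch identifiers, VLAN numbers and address pools are all constructed for the example.

```python
"""Simulation of posture-based quarantine: RADIUS VLAN assignment (802.1X
method) and lease-based quarantine by a controller in the DHCP path (DHCP
method). All policies, identifiers and addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed posture policy: minimum antivirus engine version and a set of
# hypothetical patch identifiers every endpoint must have installed.
REQUIRED_AV_VERSION = (5, 0)
REQUIRED_PATCHES: Set[str] = {"PATCH-A", "PATCH-B"}


@dataclass
class Endpoint:
    mac: str
    av_version: tuple
    patches: Set[str] = field(default_factory=set)
    uses_dhcp: bool = True            # False models a manually configured station
    static_ip: Optional[str] = None   # address the user typed in, if any


def posture_check(ep: Endpoint) -> List[str]:
    """Test the endpoint and return its policy failures.
    An empty list means the endpoint is compliant."""
    failures = []
    if ep.av_version < REQUIRED_AV_VERSION:
        failures.append("antivirus out of date")
    missing = REQUIRED_PATCHES - ep.patches
    if missing:
        failures.append("missing patches: " + ", ".join(sorted(missing)))
    return failures


# --- 802.1X method -------------------------------------------------------
# The authentication server tells the switch which VLAN to assign using the
# RFC 3580 tunnel attributes in its Access-Accept.
PRODUCTION_VLAN = "100"
QUARANTINE_VLAN = "999"


def radius_access_accept(ep: Endpoint) -> Dict[str, str]:
    """VLAN attributes the RADIUS server returns for an authenticated user,
    taking the posture reported by the access controller into account."""
    vlan = QUARANTINE_VLAN if posture_check(ep) else PRODUCTION_VLAN
    return {
        "Tunnel-Type": "VLAN",             # RFC 3580: value 13
        "Tunnel-Medium-Type": "IEEE-802",  # RFC 3580: value 6
        "Tunnel-Private-Group-ID": vlan,
    }


# --- DHCP method ---------------------------------------------------------
PRODUCTION_POOL = ipaddress.ip_network("10.1.0.0/24")
QUARANTINE_POOL = ipaddress.ip_network("10.99.0.0/24")  # reaches remediation only


class DhcpQuarantinePep:
    """Controller placed between the DHCP server and the rest of the network:
    it sees every lease request and picks the pool from the posture."""

    def __init__(self) -> None:
        self._next_host = {PRODUCTION_POOL: 10, QUARANTINE_POOL: 10}

    def offer(self, ep: Endpoint) -> ipaddress.IPv4Address:
        pool = QUARANTINE_POOL if posture_check(ep) else PRODUCTION_POOL
        addr = pool.network_address + self._next_host[pool]
        self._next_host[pool] += 1
        return addr


def effective_address(ep: Endpoint, pep: DhcpQuarantinePep) -> ipaddress.IPv4Address:
    """Address the station actually uses. A manually configured station never
    sends a DHCP request, so the PEP is never consulted for it."""
    if ep.uses_dhcp:
        return pep.offer(ep)
    if ep.static_ip is None:
        raise ValueError("station without DHCP must have a static address")
    return ipaddress.ip_address(ep.static_ip)


def quarantined_by_dhcp(ep: Endpoint, pep: DhcpQuarantinePep) -> bool:
    """True only if the station ended up inside the quarantine subnet."""
    return effective_address(ep, pep) in QUARANTINE_POOL
```

Run `quarantined_by_dhcp` on a non-compliant endpoint with `uses_dhcp=False` and a production-subnet `static_ip` to see the bypass: the posture check still fails, but the station never lands in the quarantine pool. The same endpoint still gets `Tunnel-Private-Group-ID` 999 from `radius_access_accept`, which is why the manual recommends 802.1X for high security.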

 

Inline. With inline quarantining, perhaps the most straightforward of the three options, a network access controller physically separates endpoints from network resources.

This option has the advantage of ease of setup as well as relatively high security. Because the network access controller literally stands between the endpoint and network resources, it can tightly control which endpoint traffic passes through it.

However, deploying a network access controller between every Ethernet workstation and its switch port is not a realistic option. And the further the network access controller is from the endpoint, the more resources the endpoint can access before it is tested. Inline quarantining is most viable when many endpoints connect to your network through a single point of access.
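The model below is an added example, not code from the ProCurve NAC 800 or this manual. It shows the two properties of inline quarantining discussed above: an inline PEP can filter every frame that traverses it (untested or non-compliant endpoints reach only the remediation servers), but destinations on the endpoint's own segment never cross the PEP, so the further the PEP sits from the endpoint, the more it can reach untested. The segment, remediation addresses and the posture callback are constructed for the example.

```python
"""Model of an inline network access controller at a single point of access.
Segment, remediation addresses and the posture callback are constructed."""
import ipaddress
from typing import Callable, Dict, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Remediation services that any endpoint may reach, tested or not.
REMEDIATION_SERVERS = {
    ipaddress.ip_address("10.99.0.5"),
    ipaddress.ip_address("10.99.0.6"),
}


class InlinePep:
    """Inline PEP separating an endpoint segment from protected resources."""

    def __init__(self, endpoint_segment: str,
                 test_endpoint: Callable[[str], bool]) -> None:
        # Segment on the endpoint side of the PEP; traffic staying inside it
        # never passes through the PEP at all.
        self.segment = ipaddress.ip_network(endpoint_segment)
        self._test = test_endpoint              # True when the endpoint is compliant
        self._state: Dict[str, str] = {}        # mac -> "compliant" | "quarantined"

    def _posture(self, mac: str) -> str:
        """Test an endpoint the first time it is seen and cache the verdict."""
        if mac not in self._state:
            self._state[mac] = "compliant" if self._test(mac) else "quarantined"
        return self._state[mac]

    def retest(self, mac: str) -> None:
        """Forget the cached verdict, e.g. after remediation."""
        self._state.pop(mac, None)

    def allows(self, src_mac: str, dst: str) -> bool:
        """Decision for a frame that actually traverses the PEP."""
        dst_ip: IPAddr = ipaddress.ip_address(dst)
        if dst_ip in REMEDIATION_SERVERS:
            return True
        return self._posture(src_mac) == "compliant"

    def reachable(self, src_mac: str, dst: str) -> bool:
        """What the endpoint can reach in practice: anything on its own
        segment is reachable untested because the PEP never sees it."""
        dst_ip: IPAddr = ipaddress.ip_address(dst)
        if dst_ip in self.segment:
            return True
        return self.allows(src_mac, dst)
```

Placing the PEP where many endpoints share one point of access keeps `segment` small, which is exactly the trade-off the text describes: a wider segment means more resources reachable before the posture is ever tested.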
