CHAPTER 25

Configuring Network Access Control

This chapter describes how to configure network access control.

This chapter contains the following topics:


Understanding Port-Based Network Access Control

Port-based network access control allows the operation of a system’s port(s) to be controlled to ensure that access to its services is permitted only by systems that are authorized to do so.

Port Access Control provides a means of preventing unauthorized access by supplicants or users to the services offered by a system. Control over the access to a switch and the LAN to which it is connected can be desirable in order to restrict access to publicly accessible bridge ports or departmental LANs.

FASTPATH achieves access control by enforcing authentication of supplicants that are attached to an authenticator’s controlled ports. The result of the authentication process determines whether the supplicant is authorized to access services on that controlled port.

A PAE (Port Access Entity) can adopt one of two roles within an access control interaction:

Additionally, there exists a third role:

Completion of an authentication exchange requires all three roles. FASTPATH supports the authenticator role only, in which the PAE is responsible for communicating with the supplicant. The authenticator PAE is also responsible for submitting information received from the supplicant to the authentication server in order for the credentials to be checked, which determines the authorization state of the port. Depending on the outcome of the authentication process, the authenticator PAE then controls the authorized/unauthorized state of the controlled Port.

Authentication can be handled locally or via an external authentication server. Two widely used server protocols are Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System (TACACS+). FASTPATH currently supports RADIUS; TACACS+ support is planned for a future release.

RADIUS supports an accounting function to maintain data on service usage. RFC 2866 extends the RADIUS protocol to give the client the ability to deliver accounting information about a user to an accounting server. Exchanges with the accounting server follow guidelines similar to those for an authentication server, but the flows are much simpler. At the start of service for a user, a RADIUS client that is configured to use accounting sends an accounting start packet specifying the type of service that it will deliver. Once the server responds with an acknowledgement, the client periodically transmits accounting data. At the end of service delivery, the client sends an accounting stop packet, allowing the server to update the specified statistics. The server again responds with an acknowledgement.
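The Start/Stop accounting exchange described above, as an added example that is not part of the original guide: it builds RFC 2866 Accounting-Request packets under the shared secret `secret` from the configuration example, derives the server's Accounting-Response, and verifies the Response Authenticator the way a client should before trusting an acknowledgement. The user name and session id are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS accounting codes and the attribute types used here (RFC 2866).
ACCT_REQUEST, ACCT_RESPONSE = 4, 5
ATTR_USER_NAME, ATTR_ACCT_STATUS_TYPE, ATTR_ACCT_SESSION_ID = 1, 40, 44
STATUS_START, STATUS_STOP = 1, 2

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs; ints are 4-byte big-endian, strings raw."""
    out = b""
    for t, v in attrs:
        data = struct.pack("!I", v) if isinstance(v, int) else v.encode()
        out += struct.pack("!BB", t, len(data) + 2) + data
    return out

def accounting_request(ident, secret, attrs):
    """Client side: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret.encode()).digest()
    return header + auth + body

def accounting_response(request, secret):
    """Server side: an empty Accounting-Response acknowledging the request.
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    auth = hashlib.md5(header + request[4:20] + secret.encode()).digest()
    return header + auth

def response_is_valid(request, response, secret):
    """Client check before trusting an acknowledgement: matching Identifier, consistent
    Length, and a Response Authenticator that verifies under the shared secret."""
    if len(response) < 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret.encode()).digest()
    return hmac.compare_digest(expected, response[4:20])

def simulate_session(client_secret, server_secret, user="alice", session_id="0001"):
    """Run the Start/Stop flow from the chapter with each end's secret; returns whether
    each acknowledgement verified. The user and session id are constructed sample values."""
    results = {}
    for ident, status in ((1, STATUS_START), (2, STATUS_STOP)):
        req = accounting_request(ident, client_secret, [(ATTR_USER_NAME, user),
                                 (ATTR_ACCT_STATUS_TYPE, status), (ATTR_ACCT_SESSION_ID, session_id)])
        ack = accounting_response(req, server_secret)
        results[status] = response_is_valid(req, ack, client_secret)
    return results
```

A mismatched shared secret on either end makes every acknowledgement fail verification, which is the first thing to check when accounting records never appear on the server.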


Configuring Network Access Control

The following example configures a single RADIUS server, at 10.10.10.10, used for both authentication and accounting. The shared secret is configured to be secret. The process creates a new authentication list, called radiusList, which uses RADIUS as the authentication method. This authentication list is associated with the 802.1x default login. 802.1x port-based access control is enabled for the system, and interface 1/0/1 is configured to be in force-authorized mode because this is where the RADIUS server and protected network resources are located.


FIGURE 25-1 FASTPATH with 802.1x Network Access Control

If a user, or supplicant, attempts to communicate via the switch on any interface except interface 0/1, the system challenges the supplicant for login credentials. The system encrypts the provided information and transmits it to the RADIUS server. If the RADIUS server grants access, the system sets the 802.1x port state of the interface to authorized and the supplicant is able to access network resources.



CODE EXAMPLE 25-1 Configuring 802.1x Port Access Control
config
        radius server host auth 10.10.10.10
        radius server key auth 10.10.10.10
                secret
                secret
        radius server host acct 10.10.10.10
        radius server key acct 10.10.10.10
                secret
                secret
        radius accounting mode
        authentication login radiusList radius
        dot1x default-login radiusList
        dot1x system-auth-control
        interface 0/1
                dot1x port-control force-authorized
        exit
exit