CHAPTER 25
Configuring Network Access Control
This chapter describes how to configure network access control.
This chapter contains the following topics:
Port-based network access control allows the operation of a system’s port(s) to be controlled to ensure that access to its services is permitted only by systems that are authorized to do so.
Port Access Control provides a means of preventing unauthorized access by supplicants or users to the services offered by a system. Control over the access to a switch and the LAN to which it is connected can be desirable in order to restrict access to publicly accessible bridge ports or departmental LANs.
FASTPATH achieves access control by enforcing authentication of supplicants that are attached to an authenticator’s controlled ports. The result of the authentication process determines whether the supplicant is authorized to access services on that controlled port.
A PAE (Port Access Entity) can adopt one of two roles within an access control interaction:
Authenticator: the PAE that enforces authentication before allowing access to the services reachable through its port.
Supplicant: the PAE that requests access to the services reachable through the authenticator's port.
Additionally, there exists a third role:
Authentication server: the entity that checks the supplicant's credentials on behalf of the authenticator and indicates whether the supplicant is authorized.
Completion of an authentication exchange requires all three roles. FASTPATH supports the authenticator role only, in which the PAE is responsible for communicating with the supplicant. The authenticator PAE is also responsible for submitting information received from the supplicant to the authentication server in order for the credentials to be checked, which determines the authorization state of the port. Depending on the outcome of the authentication process, the authenticator PAE then controls the authorized/unauthorized state of the controlled Port.
Authentication can be handled locally or via an external authentication server. Two common external authentication protocols are Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System (TACACS+). FASTPATH currently supports RADIUS. TACACS+ support is planned for a future release.
RADIUS supports an accounting function to maintain data on service usage. Under RFC 2866, an extension was added to the RADIUS protocol giving the client the ability to deliver accounting information about a user to an accounting server. Exchanges with the accounting server follow guidelines similar to those for an authentication server, but the flows are much simpler. At the start of service for a user, a RADIUS client that is configured to use accounting sends an accounting start packet specifying the type of service that it will deliver. Once the server responds with an acknowledgement, the client periodically transmits accounting data. At the end of service delivery, the client sends an accounting stop packet allowing the server to update the specified statistics. The server again responds with an acknowledgement.
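As an added example, not taken from this guide, the accounting exchange described above in Python: the client builds the RFC 2866 Accounting-Request sent at start and stop of service, and verifies the server's acknowledgement before trusting it. The user name, session id and NAS address are constructed sample values, and the server reply is built locally only so the exchange runs offline.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types used by the accounting exchange (RFC 2866).
ACCT_REQUEST, ACCT_RESPONSE = 4, 5
USER_NAME, NAS_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 4, 40, 44
ACCT_START, ACCT_STOP = 1, 2


def attr(avp_type, value):
    """Encode one attribute as Type (1 octet), Length (1 octet), Value."""
    return bytes([avp_type, 2 + len(value)]) + value


def build_acct_request(ident, secret, username, nas_ip, session_id, status):
    """Build the Accounting-Request a client sends at start or stop of service.

    Per RFC 2866 the Request Authenticator is MD5 over the packet with the
    16 authenticator octets zeroed, followed by the shared secret, so the
    server can detect a forged or altered accounting record."""
    attrs = (attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
             + attr(ACCT_SESSION_ID, session_id)
             + attr(USER_NAME, username)
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def build_acct_response(request, secret):
    """Constructed server-side acknowledgement, included so the exchange runs
    offline; its authenticator is MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def check_acct_response(response, request, secret):
    """Client-side check: accept the acknowledgement only if its code, identifier
    and length are consistent and the Response Authenticator verifies."""
    if len(response) < 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```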
The following example configures a single RADIUS server, used for both authentication and accounting, at 10.10.10.10. The shared secret is configured to be secret. The process creates a new authentication list, called radiusList, which uses RADIUS as the authentication method. This authentication list is associated with the 802.1x default login. 802.1x port-based access control is enabled for the system, and interface 1/0/1 is configured to be in force-authorized mode because this is where the RADIUS server and protected network resources are located.
FIGURE 25-1 FASTPATH with 802.1x Network Access Control
If a user, or supplicant, attempts to communicate via the switch on any interface except interface 0/1, the system challenges the supplicant for login credentials. The system encrypts the provided information and transmits it to the RADIUS server. If the RADIUS server grants access, the system sets the 802.1x port state of the interface to authorized and the supplicant is able to access network resources.
© 2007 Diversified Technology, Inc. All Rights Reserved. © 2009 Sun Microsystems, Inc. All rights reserved.