Network Access Control (NAC)
by Naveen Sharma - CISSP - Monday, 26 November 2007.
802.1X has three major components: the Supplicant, which is the person or endpoint attempting access, the Authenticator, which is the device that the Supplicant is attempting to connect to, and the Authentication server, which holds credentials. The process of gaining access is:
  • The end user machine connects to the Authenticator, which can be a WLAN access point or a LAN switch.
  • The Authenticator sets the port to ‘unauthorized’, which will only permit 802.1X traffic, and requests authentication data from the endpoint. The endpoint returns it’s authentication data to the Authenticator.
  • The Authenticator knows the Authentication server, and forward to the request to authentication server (typically a RADIUS server). The radius server returns a pass/fail.
  • Once the authentication is successful, the Authenticator opens the port for the supplicant to join the network.
DHCP based access restriction works on the premise that the endpoint user will play by the rules of the game. Purely DHCP based restriction may not prove to be effective as it is possible to bypass. DHCP assigns quarantined or unknown end points to an IP address that is restricted by ACL’s on switches/routers. Some of the considerations for the DHCP method of enforcement are:
  • Is this secure enough for the environment? Requires a risk analysis for the given environment.
  • Is the existing environment’s architecture suitable for this enforcement? Possibilities here include placing a NAC server inline with DHCP.
  • Does it require a significant additional outlay for the equipment?
Policy and remediation service

Policy and remediation services are the last part of NAC picture, though the endpoint assessment is done against the policy set by administrator at the very start of NAC process. Once the assessment is carried out on the endpoint, and matched against the policy for compliance, the decision to restrict or allow the endpoint is taken. If the endpoint is restricted due to a failure to comply with one or more policies, the endpoint is quarantined.

The next logical step is to seek to remediate the endpoint. The task of a remediation service is to make the endpoint compliant to the policy, thus restoring the access to join the network for services in a healthy state. The remediation process may be single or multiple steps. For example, if an endpoint does not have current Anti-virus definition and lacks critical Microsoft patches, then the remediation process directs the endpoint to the current Anti-virus definition and required Microsoft patches (either from Microsoft itself or on the internal patch distribution server or process).

The endpoint security posture should also be regularly re-tested, so as to remain proactive. The results of this continuous monitoring of the endpoint posture and status of compliance must be reported promptly. Another final point to consider here is the execution and delivery of policy, either to the endpoint or enforcement point. The frequency and protocol for delivery are equally important in this whole NAC framework. Needless to say the policy has to be regularly backed-up, and the facility to restore from backed-up policies should be regularly tested. Considerations for the remediation and policy service are:
  • Placement and capacity of remediation servers, for example the patch distribution mechanism etc.
  • Will remediation be self-service, or will be performed by help desk?
  • How does the remediation server obtain the third-party details such as the Anti-virus and other malware definition currency, MS patches levels etc.
  • What mechanism is in place for communication between the remediation servers and the policy server?


Most IT pros have seen potentially embarrassing information about their colleagues

More than three-quarters of IT professionals have seen and kept secret potentially embarrassing information about their colleagues, according to new research conducted by AlienVault.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Wed, Feb 10th