Network Access Control (NAC)
Configuration > Overlays & Security > Security > Network Access Control (NAC)
The Network Access Control (NAC) tab displays the configuration settings for NAC security using 802.1x and MAC authentication. When Network Access Control (NAC) is enabled on an appliance, the appliance authenticates traffic that accesses the network over untrusted interfaces. The appliance interprets the protocol packets and builds a RADIUS packet to get the supplicant authenticated with an external RADIUS server.
By default, authentication for all interfaces is set to “trusted.” When authentication is set to “trusted”, no authentication is required to access the network. When NAC security is enabled, the appliance authenticates clients (supplicants) that are trying to access the network using the policy you assign to the interface.
This feature supports EAP-TLS, EAP-TTLS, and EAP-PEAP methods for 802.1x authentication.
All settings are initially applied via the Network Access Control (NAC) configuration template. Click Manage Network Access Control (NAC) Security with Templates to display the Templates tab to add or edit a Network Access Control (NAC) template.
NOTE: Some devices cannot act as an 802.1x client. You must enable the MAC address authentication on the interface connected to the client. The interface connected to the client uses the client’s MAC address as the username and password and uses the MAC address for authentication.
The table on the Network Access Control (NAC) tab displays the following information.
Field | Description |
---|---|
Appliance | Name of the appliance for the Network Access Control (NAC) security settings. |
LAN Interface | The LAN interface of the appliance to which the NAC policies are applied. |
AAA Profile | The AAA profile applied to the appliance. |
Auth Type | The authentication type applied to the appliance. |
To enable or edit Network Access Control (NAC), select one or more appliances from the appliance tree, and then click the edit icon in the applicable table row.
Network Access Control (NAC) Dialog Box/Edit Row
Setting Network Access Control (NAC) is a four-step process.
-
Create an 802.1x/MAC authentication profile. See 802.1x/MAC Authentication Profiles.
-
Define the servers and optional server groups used for authenticating supplicants on the selected interface. See Server.
-
Add or edit the AAA profiles used for authentication. See AAA Profile.
-
Apply the Network Access Control (NAC) policies to the interface labels. See Apply Policies.
802.1x/MAC Authentication Profile Fields
Use 802.1x/MAC tab to add or edit authentication profiles. You should create both 802.1x authentication and MAC authentication profiles. If the supplicant is 802.1x compliant, the appliance will use the 802.1x profile to authenticate the supplicant. If the supplicant is not 802.1x compliant, the appliance will use the MAC profile to authenticate the supplicant.
802.1x Authentication Profile Fields
-
Click Enable NAC.
-
Click Add to add a new 802.1x authentication profile or click the pencil icon to edit an existing 802.1x profile.
The Add 802.1x Authentication Profile dialog box opens.
NOTE: To delete a profile listed in the table on the Network Access Control (NAC) dialog box, click the corresponding delete icon (X) in the last column.
-
Complete the following fields:
Field Description Profile The name for the 802.1x profile. Max Auth Failure The maximum number of authentication failures allowed before the supplicant is denied access. Max Request The maximum number of authentication requests that the appliance will send to the server. Identity Requests Interval The interval in seconds between identity request retries. Quiet Period The interval in seconds to wait between attempting to reauthenticate after a failed authentication. Server Retry Count The maximum number of retries that can be made on each server in a server group. Server Group Retry Period The timeout duration. If the appliance cannot reach the server in the specified duration, the session times out. Reauthentication Select this option to force the appliance to do a reauthentication with the configured reauthentication interval. Max Reauthentication The maximum number of reauthentication attempts. Reauthentication Interval The interval in seconds, between reauthentication attempts. The configured interval will be overridden if the RADIUS server provided the reauthentication period. Ignore EAPOL-START After Authentication Select whether the appliance should ignore the EAPOL-START messages after authentication. Handle EAPOL-Logoff Select whether to handle the EAPOL-LOGOFF messages sent by the supplicants. -
Click Update.
MAC Authentication Profile Fields
-
Click Add to add a new MAC authentication profile or click the pencil icon to edit an existing MAC authentication profile.
NOTE: To delete a profile listed in the table on the Network Access Control (NAC) dialog box, click the corresponding delete icon (X) in the last column.
-
Complete the following fields:
Field Description Profile Enter a name for the MAC authentication profile. Max Auth Failure The maximum number of authentication failures allowed before the supplicant is denied access. Quiet Period The interval in seconds to wait before attempting the retry after the failed authentication. Server Retry Count The maximum number of retires that can be made to each server in a server group. If a server is not available, after the specified number of retries, Orchestrator attempts to access the next server in the server group. Server Group Retry Period Set the timeout duration in seconds. If the appliance cannot reach the server in the specified duration, the session will time out. Reauthentication Select this option to force the appliance to do a reauthentication with the configured reauthentication interval. Max Reauthentication The maximum number of reauthentication attempts. Reauthentication Interval The interval in seconds between reauthentication attempts. -
Click Update.
Navigate to the Server tab to configure the servers and server groups you want to use to authenticate the supplicants.
Server
Use the Server tab to add or edit the servers and server groups you want to use to authenticate the supplicants that are attempting to log in to the network.
Servers Fields
-
Click Add to add a new server.
NOTE: To modify an existing server, modify the existing data and click Save. To delete a server listed in the table on the Network Access Control (NAC) dialog box, click the corresponding delete icon (X) in the last column.
-
Complete the following fields:
Field Description ID The unique identifier of the server. Server Name Enter a name for the server. IP Address The IPv4 or IPv6 address of the RADIUS server. Key The pre-shared key of the authentication server. This key is shared between the Mobility Conductor and the server. The maximum length is 128 characters. Auth Port The server port on the sever. Interface for Source IP Address The IP address of the RADIUS server. This option allows the user to configure the interface to reach the RADIUS server. Source Segment The segment name of the interface configured to reach the server. -
Click Save.
Navigate to the AAA Profile tab to add or edit AAA profiles. AAA profiles define the authentication profile and server and server groups you want to use to authenticate supplicants.
Server Group Fields
You can create groups of servers. If one server is not reachable based on the server retry count configured on the 802.1x/MAC tab, the appliance will try to reach another server.
-
Click Add to add a new server group.
NOTE: To modify an existing server group, modify the existing data and click Save. To delete a server group, click the corresponding delete icon (X) in the last column.
-
Complete the following fields:
Field Description ID The unique identifier of the server group. Server Group Name Enter a name for the server group. Servers The servers in the server group. Click the cell to select servers from the list. -
Click Save.
Navigate to the AAA Profile tab to add or edit AAA profiles used to authenticate supplicants. AAA profiles define the authentication profile and server and server groups you want to use to authenticate supplicants.
AAA Profile
Use the AAA Profile tab to create profiles to map the 802.1x and MAC authentication profile to a server group you want to use to authenticate supplicants. This profile is used for dynamic authorization. For example, when a supplicant needs to be reauthenticated or the when the existing session is disconnected. After you create a AAA profile, you will assign that profile to an interface label.
You can edit an existing AAA profile or add a new AAA profile.
-
Click Add to add a AAA profile or click the pencil icon to edit an existing AAA profile.
The Edit AAA Profile dialog box opens.
-
Complete the following fields:
Field Description Profile The name of the AAA profile. DA Enable Select this option to enable Dynamic Authorization functionality. DA Server Select the server to be used for Dynamic Authorization. 802.1x Auth Profile Select the name of the 802.1x authentication profile. 802.1x Default Role Select the default role assigned to the 802.1x clients. 802.1x Auth Server Group Select the server group used for 802.1x authentication. MAC Auth Profile Select the name of the MAC authentication profile. MAC Default Role Select the role assigned to the client for MAC clients. MAC Auth Server Group Select the name of the server group used for MAC authentication. -
Click Update or Add.
-
Click Save.
Navigate to the Apply Policies tab to assign policies to interface labels.
Apply Policies
Use the Apply Policies tab to modify the policies that are assigned to each interface label. Supplicants plugged into the LAN port with the assigned interface label will be authenticated using the policy you select.
Each LAN interface label defined in your Orchestrator deployment is assigned the default authentication policy. The default authentication policy is set to “trusted.” When authentication is set to “trusted”, no authentication is required to access the network.
-
Click Modify to modify the policies assigned to the interface labels.
The Interfaces dialog box opens. All available LAN interfaces are listed.
-
Click any cell to modify a AAA profile.
NOTE: If AAA Profile is set to “none”, the authentication type is automatically set to “trusted”.
-
Click any cell to modify the Auth Type.
-
trusted: Select trusted if no authentication is required.
-
both: Select both to first attempt 802.1x authentication and then fall back to MAC authentication.
-
802.1x: Select 802.1x if the port only supports 802.1x authentication.
-
mac: Select mac if the port only supports MAC authentication.
-
-
Click Save.
You will receive a green status message if your policy was successfully applied.
Delete a Policy
To delete a policy from an LAN interface, click the corresponding delete icon (X) in the last column. The NAC security settings for this LAN interface will return to the default values.
NAC Status
Use the NAC Status subtab to review and monitor the authentication of all supplicants.
Field | Description |
---|---|
MAC Address | The MAC address of the supplicant. |
Identity | The identity on which the port is learned. |
Interface | The port on which the supplicant’s identity is learned. |
Auth Type | The type of authentication (802.1x or MAC). |
PAE State | Indicates whether the supplicant was authenticated. If the supplicant is not authenticated, the PAE state is displayed. |
EAP State | Indicates whether the supplicant was authenticated. If the supplicant was not authenticated, the EAP state is displayed. |
Details | Click the information icon to display a complete list of NAC status details. |