Network and Authentication Server

NAC (Network Access Control) is a technology that implements an authentication system to ensure network security. Through an advanced control system it operates automatically for every device connected to the network infrastructure, giving the organization control over users and devices. It applies the relevant rule sets to keep unwanted devices out of the network or to place existing devices in separate, isolated areas.

NAC allows defining and enforcing policies that control the access of endpoints to the network. The purpose of NAC is to ensure that only users who comply with the security policies and who have been granted access are admitted to the network and assigned to the relevant area. It thus restricts the data a user can access on a per-user basis and applies anti-threat measures such as antivirus, firewall, and spyware detection. Configuration changes within the network do not disrupt the NAC system, which adapts to them automatically. Thanks to this adaptability it is suitable for environments where the security infrastructure is quite complex, and in such environments low response times play a very important role.

User Authentication Process

NAC enforces the defined rules on all end systems in the network without requiring an extra device. It recognizes users and devices by scanning them at regular intervals; these scans detect activity and changes, and the existing rules are applied accordingly. For devices that do not behave in accordance with the existing structure, it enforces security policies such as blocking, quarantine, and remediation without manual intervention, eliminating the threat. It provides network access for guest users and creates a separate record for each guest; guest authentication is performed through the guest management portal, where the administrator can view and manage guest access. It integrates with other security and networking solutions and communicates with end devices through an open/RESTful API. It controls detailed user rights, such as what rights a user has, when they can connect, and how long they can stay connected.

Thanks to access control, no unauthorized client or user can be present on the network. Identification, control, and authorization of the users who connect to the network are determined by NAC, which is network-based access control. The 802.1x protocol is used for secure and controlled authentication in wired and wireless networks. The user’s identity is established by the credentials or certificate validated by the RADIUS server, and communication about the user’s data is provided with the SAML or LDAP protocols. This supports the controlled connection of end devices. The 802.1x protocol takes care of the users’ authentication status, and the two basically work together; in addition, NAC also includes other applications and services, and it provides access control by using the MAC addresses of the computers that want to join the network.

The IEEE 802.1x standard is a port-based network access control that provides authentication and authorization for devices directly connected to the local network. It is used to control users on a per-port basis within the network and to apply access policies to any route or group of users. If authentication and authorization fail, users may be temporarily blocked from accessing the port they are connected to, and in this way the local network is protected. 802.1x allows encryption by using authentication protocols. It works with the EAP and PPP protocols and authenticates via AAA, the protocol that expresses the authentication process.

It manages different authorization groups that limit users’ access to the network and related resources, and it becomes the central store of identities and passwords using AAA protocols. User IDs and passwords are encrypted for their specific purposes; therefore, user accounts can be held by third parties. AAA consists of three phases: Authentication, Authorization, and Accounting. There are also multiple AAA authentication methods, which are not covered in detail here.

  • Authentication: the verification of the identity of users or device users on the network, performed by servers, switches, or routers. Each user must have unique login credentials to gain network access.

    The AAA server stores users’ authentication data in a database. The credentials of a user who wants to log in are compared with the stored credentials. If they match, network access is granted; if no matching credentials are found, authentication fails and network access is denied.
  • Authorization: granting the device that wants to join the network its access path. It is the process of determining what type of access, resources, or services the user is allowed to access and manage.
  • Accounting: the process of monitoring users’ activities and system records on the network. Session logs and usage information are saved and stored, and used for analysis and planning.
Authentication – Authorization – Accounting
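To make the three phases concrete, here is an added example (written for this page, not code from the original article or from any NAC product) of a minimal AAA decision engine: authentication against a salted-hash user store, authorization that maps a group and an endpoint posture check to a VLAN and service set (with non-compliant endpoints sent to a quarantine VLAN, as the NAC description above calls for), and an accounting log of session start/stop records. The user names, groups, VLAN numbers, service names and posture flags are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


# Constructed user store (hypothetical users and groups). Passwords are kept only
# as salted PBKDF2 hashes, so the authentication store never holds cleartext.
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str, group: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_pw(password, salt), "group": group}


USERS = {
    "alice": _make_user("correct-horse-battery", "staff"),
    "guest-1234": _make_user("welcome", "guest"),
}

# Authorization policy: group -> VLAN, reachable services, session limit.
# VLAN numbers and service names are constructed for the example.
POLICY = {
    "staff": {"vlan": 10, "services": {"intranet", "internet"}, "max_session_s": 8 * 3600},
    "guest": {"vlan": 200, "services": {"internet"}, "max_session_s": 2 * 3600},
}
QUARANTINE = {"vlan": 999, "services": {"remediation"}, "max_session_s": 30 * 60}

ACCOUNTING_LOG = []  # accounting phase: one dict per event


@dataclass
class Session:
    user: str
    vlan: int
    services: set
    max_session_s: int
    started: float


def authenticate(username: str, password: str):
    """Phase 1: compare presented credentials with the stored hash. Returns the group or None."""
    rec = USERS.get(username)
    # Hash even for unknown users so response time does not reveal which names exist.
    salt = rec["salt"] if rec else bytes(16)
    digest = _hash_pw(password, salt)
    if rec is None or not hmac.compare_digest(digest, rec["hash"]):
        return None
    return rec["group"]


def authorize(group: str, posture: dict) -> dict:
    """Phase 2: decide VLAN and services. Endpoints failing the posture check
    (antivirus/firewall flags reported by the endpoint agent) go to quarantine."""
    if not (posture.get("antivirus_ok") and posture.get("firewall_ok")):
        return QUARANTINE
    return POLICY[group]


def account(event: str, **fields) -> dict:
    """Phase 3: append a structured record for later analysis and planning."""
    entry = {"event": event, **fields}
    ACCOUNTING_LOG.append(entry)
    return entry


def connect(username: str, password: str, posture: dict, now: float = 0.0):
    """Run the three phases for one connection attempt. Returns a Session or None."""
    group = authenticate(username, password)
    if group is None:
        account("auth-fail", user=username, ts=now)
        return None
    grant = authorize(group, posture)
    session = Session(username, grant["vlan"], set(grant["services"]),
                      grant["max_session_s"], now)
    account("session-start", user=username, vlan=session.vlan, ts=now)
    return session


def disconnect(session: Session, now: float) -> dict:
    """Close a session and record its duration; flags sessions that overran their limit."""
    duration = now - session.started
    return account("session-stop", user=session.user, vlan=session.vlan,
                   duration_s=duration, overran=duration > session.max_session_s)


if __name__ == "__main__":
    ok_posture = {"antivirus_ok": True, "firewall_ok": True}
    s = connect("alice", "correct-horse-battery", ok_posture, now=0)
    print(s)
    print(disconnect(s, now=3600))
    print(connect("guest-1234", "welcome", {"antivirus_ok": False, "firewall_ok": True}, now=10))
    print(connect("alice", "wrong", ok_posture))
    print(ACCOUNTING_LOG)
```

The split into three functions mirrors the three AAA phases: a wrong password never reaches authorization, and a non-compliant endpoint is still authenticated but lands in the quarantine VLAN, which is what lets the accounting log distinguish a credential failure from a posture failure.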

PPP (Point-to-Point Protocol): allows 802.1x to perform authentication on the transmission layer without needing IP during the user authentication process. It is used as an improved transmission protocol standard. Today, PPP is usually encapsulated in an Ethernet packet header and operates as PPP over Ethernet (PPPoE). PPPoE is commonly used to connect to an internet service provider for internet access over cable modem or DSL connections. PPP includes two different authentication mechanisms at this point.

  • Password Authentication Protocol (PAP)

It is one of the oldest authentication methods. Since it has a very simple structure, it needs little processing power, but it is weak in terms of security and open to attack, because all information is transmitted as cleartext without encryption. The client initiates authentication by sending a packet containing the credentials (username and password). Although PAP is an authentication protocol of last resort because of its security weaknesses, it is still widely used because of its simple structure.

PAP – Password Authentication Protocol
  • Challenge Handshake Authentication Protocol (CHAP)

At any time during the session, the server initiates the authentication process by generating a one-time password (OTP) and sending it to the client (usually in the form of a 128-bit string). Usually this happens more than once during a session, with the server repeatedly re-authenticating the client to provide additional security. For this reason, compared with PAP, a session established this way is considered much more secure. But of course, it is quite possible to break a session that relies on MD5.

CHAP – Challenge Handshake Authentication Protocol
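The difference between the two PPP mechanisms described above is easiest to see on the wire. The following added example (not code from the original article) builds a PAP Authenticate-Request as in RFC 1334 and a CHAP response as in RFC 1994 (MD5 over Identifier, secret and Challenge) for one constructed credential, then checks what a passive observer of the link would learn from each and whether a captured CHAP response can be reused against a fresh challenge. The peer name and secret are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed credential for the example; on a real link it comes from the user store.
PEER_ID = b"alice"
SECRET = b"correct-horse-battery"


# --- PAP (RFC 1334): the Authenticate-Request carries Peer-ID and Password verbatim ---
def pap_request(peer_id: bytes, password: bytes) -> bytes:
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def pap_verify(packet: bytes, stored: dict) -> bool:
    """Server side: parse the two length-prefixed fields and compare."""
    n = packet[0]
    peer = packet[1:1 + n]
    m = packet[1 + n]
    password = packet[2 + n:2 + n + m]
    return hmac.compare_digest(stored.get(peer, b""), password)


# --- CHAP (RFC 1994): Response = MD5(Identifier || secret || Challenge) ---
def chap_challenge(size: int = 16) -> bytes:
    """Server picks a fresh random challenge for every authentication round."""
    return os.urandom(size)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, challenge: bytes, response: bytes, secret: bytes) -> bool:
    """Server side: recompute with the stored secret. Note the server must hold the
    cleartext secret; that is the trade-off CHAP makes to keep it off the wire."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def wire_reveals_secret(on_wire: bytes, secret: bytes) -> bool:
    """What a passive observer of the link learns: is the secret present in the bytes?"""
    return secret in on_wire


def compare_protocols() -> dict:
    """Run one round of each protocol and report what crossed the link."""
    pap_pkt = pap_request(PEER_ID, SECRET)
    ident = 7
    chal = chap_challenge()
    chap_pkt = chap_response(ident, SECRET, chal)
    return {
        "pap_ok": pap_verify(pap_pkt, {PEER_ID: SECRET}),
        "pap_leaks": wire_reveals_secret(pap_pkt, SECRET),
        "chap_ok": chap_verify(ident, chal, chap_pkt, SECRET),
        "chap_leaks": wire_reveals_secret(chal + chap_pkt, SECRET),
        # a response captured for one challenge is useless against the next one
        "chap_replay_ok": chap_verify(ident, chap_challenge(), chap_pkt, SECRET),
    }


if __name__ == "__main__":
    print(compare_protocols())
```

The result shows the two properties the text contrasts: PAP exposes the password to anyone who sees the packet, while CHAP keeps it off the wire and ties each response to one challenge, so repeating the challenge mid-session (as the paragraph describes) forces the client to prove knowledge of the secret again.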

EAP (Extensible Authentication Protocol): in terms of its working structure, it emerged as an authentication protocol that runs within PPP to support authentication methods beyond PAP and CHAP.

It provides a generalized authentication framework for different authentication servers (RAS, RADIUS). Interoperability and compatibility between authentication methods become simpler with EAP.

The server sends the client an authentication request indicating which of the 40 authentication methods it should use. The client then performs whatever calculations that method requires, depending on the chosen encryption method, and sends the results back to the server together with the chosen method, so the server knows which method to use to check the output. The server sends further requests to the client at different times throughout the session, changing the method, until authentication succeeds or fails. This process keeps the session trustworthy throughout.

EAP can be configured to authenticate with credentials (EAP-TTLS/PAP/MD5 and PEAP-MSCHAPv2) or with a digital certificate (EAP-TLS/FAST). Among these options, the certificate-based method, EAP-TLS, is considered the most reliable.

Authentication Methods Comparison

RADIUS is a protocol used on the server side to authenticate users who want to access the network remotely. RADIUS packets are carried over UDP. With this protocol, the AAA activities required for secure access to resources are tracked. When a client wants to access the network, it sends a request to the RADIUS server.
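Because RADIUS rides on UDP, the packet format itself carries the protection: the shared secret between the access device and the server both hides the User-Password attribute and authenticates the server's reply. The following added example (not code from the original article or from any RADIUS implementation) builds an RFC 2865 Access-Request with the password hidden by the MD5-chained XOR pad, lets a minimal server recover it and answer Accept or Reject with a valid Response Authenticator, and shows the client rejecting a reply computed with a wrong secret. The shared secret, user table and NAS address are constructed for the example; the bytes would normally be sent in a UDP datagram, which is omitted so the example runs offline.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def attr(atype: int, value: bytes) -> bytes:
    """One Type(1) Length(1) Value attribute."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("attribute length out of range")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16 bytes, XOR each block with MD5(secret || previous block)."""
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server-side inverse; the pad depends on the secret and the Request Authenticator."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # assumes the password itself has no trailing NULs


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes):
    """NAS side. Returns the datagram payload and the Request Authenticator to keep for the reply."""
    req_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes([192, 168, 1, 1])))  # constructed NAS address
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth


def build_response(code: int, ident: int, req_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def server_handle(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password, check it against the constructed user table, answer."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    password = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    ok = hmac.compare_digest(users.get(attrs[USER_NAME], b""), password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, secret)


def client_verify(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS side: accept a reply only if its Response Authenticator checks out with the shared secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or length < 20:
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def response_code(response: bytes) -> int:
    return response[0]


if __name__ == "__main__":
    secret, users = b"shared-secret", {b"alice": b"correct-horse"}
    req, ra = build_access_request(5, b"alice", b"correct-horse", secret)
    resp = server_handle(req, secret, users)
    print("code:", response_code(resp), "verified:", client_verify(resp, ra, secret))
```

Two points the code makes visible: the only thing standing between an observer of the UDP datagram and the password is the strength of the shared secret (the hiding is MD5-based, not a modern cipher), and without the Response Authenticator check a NAS would accept any Access-Accept that carried the right Identifier, which is why both checks belong on every RADIUS client.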

For a secure network, first of all, every access must be controlled and observable. Institutions need to know what is going on in the network in order to take precautions against threats. With NAC technology, seeing the details of every device on the network makes it easier to create security policies and take automatic measures against possible threats. Devices that do not comply with a predefined rule are thus not allowed to connect, and a device that is not on the network cannot eavesdrop on it.

Additionally, 802.1x is also referred to as WPA2-Enterprise. If 802.1x is to be deployed in a large enterprise, it matters a great deal whether the organization will use credential-based or certificate-based authentication. Certificate-based EAP-TLS significantly reduces the risk of an organization’s credentials being stolen and is the most secure way to use 802.1x. WPA, by contrast, is usually reserved for personal networks such as home Wi-Fi; it is less secure than WPA2, but generally sufficient for home use.

WEP, or Wired Equivalent Privacy, was the first type of Wi-Fi encryption used. It performs authentication and encryption with the RC4 cipher.

WPA, or Wi-Fi Protected Access, can be said to have been created in response to the flaws of WEP encryption; it was developed by improving on and eliminating many of WEP’s problems. Its modes for corporate and personal use differ. WEP uses a 24-bit initialization vector, whereas WPA uses 48 bits. WPA is also designed to be compatible with WEP, but it uses a better encryption key system than WEP. For this reason it is more secure than WEP, but it is not as secure as WPA2.

Wi-Fi Protected Access II (WPA2) arrived in 2006 and replaced WPA. WPA2 uses an AES-based encryption mode called CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol). This type of encryption introduced a very important innovation: message authentication. WPA2, like WPA, has modes for both corporate and personal use. WPA2 offers more convenient roaming than WPA and WEP and is definitely much more secure than those two types of encryption. New devices are also required to have WPA2 certification.
