L2 - Network Access and Cloud Computing
Network Access Control

– Network access control (NAC) is an umbrella term for managing access to a network.

– NAC authenticates users logging into the network and determines:
• what data they can access and
• what actions they can perform.

Elements of a Network Access Control System
– Access requestor (AR)
• the node that is attempting to access the network.
– Policy server
• determines what access should be granted.
– Network access server (NAS)
• functions as an access control point for users in remote locations connecting to an enterprise’s internal network.

Network Access Enforcement Methods
– Enforcement methods are the actions that are applied to ARs to regulate access to the enterprise network. They are:
– IEEE 802.1X
• uses the Extensible Authentication Protocol for the authentication process.
• IEEE 802.1X is the most commonly implemented solution.
– VLANs
• a VLAN is a logical subgroup within a LAN that is created via software rather than by manually moving cables.
– Firewall
– DHCP management
• NAC occurs at the IP layer, based on subnet and IP assignment.
• DHCP is subject to various forms of IP spoofing, providing limited security.

Extensible Authentication Protocol (EAP)
– EAP is a framework for network access and authentication protocols.

– EAP provides a set of protocol messages that can encapsulate various authentication methods.

– EAP can operate over a variety of networks and link level facilities, including
• point-to-point links
• LANs

– EAP supports multiple authentication methods. This is what is meant by referring to EAP as extensible.
EAP Authentication Methods
– EAP provides a generic transport service for the exchange of authentication information between a client system and an authentication server.

– Authentication methods include:
• EAP-TLS (EAP Transport Layer Security)
• EAP-TTLS (EAP Tunneled TLS)
• EAP-GPSK (EAP Generalized Pre-Shared Key)
• EAP-IKEv2
EAP Authentication Methods
– EAP-TLS (EAP Transport Layer Security): defines how the TLS protocol can be encapsulated in EAP messages.
– EAP-TTLS (EAP Tunneled TLS): a secure connection (the “tunnel”) is established with secret keys.
– EAP-GPSK (EAP Generalized Pre-Shared Key): an EAP method for mutual authentication and session key derivation using a Pre-Shared Key (PSK).
– EAP-IKEv2: based on the Internet Key Exchange protocol version 2 (IKEv2).
EAP Exchanges
– Whatever method is used for authentication, the authentication information and authentication protocol information are carried (or exchanged) in EAP messages.

– EAP pass-through mode: the authentication server (AS) functions as a backend server that can authenticate peers as a service to a number of EAP authenticators.
EAP Message Fields
– EAP messages may include the following fields:
• Code: identifies the type of EAP message. The codes are Request (1), Response (2), Success (3), and Failure (4).
• Identifier: used to match Responses with Requests.
• Length: indicates the length of the EAP message.
• Data: contains information related to authentication.
EAP Usage Components
– EAP peer
• Client computer that is attempting to access a network.
– EAP authenticator
• An access point or NAS that requires EAP authentication.
– Authentication server
• A server computer that negotiates the use of a specific EAP method with an EAP peer, validates the EAP peer’s credentials, and authorizes access to the network.
• Typically, the authentication server is a Remote Authentication Dial-In User Service (RADIUS) server.
IEEE 802.1X Port-Based Network Access Control
– IEEE 802.1X was designed to provide access control functions for LANs.

– Network Access Port (NAP): a point of attachment of a system to a LAN.

– A NAP can be:
1. a physical port
• such as a single LAN MAC attached to a physical LAN segment.
2. a logical port
• such as an IEEE 802.11 association between a station and an access point.
Controlled and Uncontrolled Ports
– An uncontrolled port allows the exchange of protocol data between the supplicant and the AS, regardless of the authentication state of the supplicant.

– A controlled port allows the exchange of protocol data between a supplicant and other systems on the network only if the current state of the supplicant authorizes such an exchange.
EAP over LAN (EAPOL)
– The essential element defined in 802.1X is a protocol known as EAPOL.

– EAPOL makes use of an IEEE 802 LAN, such as Ethernet or Wi-Fi, at the link level.

– EAPOL supports the exchange of EAP packets for authentication between supplicant and authenticator.
EAPOL packets

EAPOL Packet Format
– Protocol version: version of EAPOL.
– Packet type: indicates start, EAP, key, logoff, etc.
– Packet body length: if the packet includes a body, this field indicates the body length.
– Packet body: the payload for this EAPOL packet. An example is an EAP packet.
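The two packet layouts described above (the EAP fields on the earlier slide and the EAPOL fields here) as a small parser, added here as an example and not part of the original slides. It assumes the standard numeric values for the EAPOL packet types and the EAP Request/Response Type byte (from IEEE 802.1X and RFC 3748); the sample frames are constructed by hand, and the length checks show why an authenticator must validate the Length fields before trusting the body.

```python
"""Parse IEEE 802.1X EAPOL PDUs and the EAP packets they carry."""
import struct

# EAPOL packet types (IEEE 802.1X) and EAP codes (as listed on the slides)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


class ParseError(ValueError):
    """Raised for malformed or truncated packets."""


def parse_eap(data: bytes) -> dict:
    """EAP packet: Code(1) Identifier(1) Length(2, includes header) Data."""
    if len(data) < 4:
        raise ParseError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if code not in EAP_CODES:
        raise ParseError(f"unknown EAP code {code}")
    # Length must cover the header and must not exceed what was received.
    if length < 4 or length > len(data):
        raise ParseError("EAP Length inconsistent with received bytes")
    pkt = {"code": EAP_CODES[code], "id": ident, "length": length, "data": data[4:length]}
    if code in (1, 2) and pkt["data"]:
        pkt["type"] = pkt["data"][0]  # Request/Response start with a Type byte (RFC 3748)
    return pkt


def parse_eapol(frame: bytes) -> dict:
    """EAPOL PDU: Protocol version(1) Packet type(1) Body length(2) Body."""
    if len(frame) < 4:
        raise ParseError("EAPOL header truncated")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype not in EAPOL_TYPES:
        raise ParseError(f"unknown EAPOL packet type {ptype}")
    if body_len > len(frame) - 4:
        raise ParseError("EAPOL body length exceeds frame")
    pdu = {"version": version, "type": EAPOL_TYPES[ptype], "body": frame[4:4 + body_len]}
    if ptype == 0:  # only EAP-Packet PDUs carry an EAP message
        pdu["eap"] = parse_eap(pdu["body"])
    return pdu


def is_well_formed(frame: bytes) -> bool:
    """Convenience check: does the frame parse without error?"""
    try:
        parse_eapol(frame)
        return True
    except ParseError:
        return False


# Constructed samples (not captured traffic)
EAPOL_START = bytes([0x02, 0x01, 0x00, 0x00])                 # version 2, EAPOL-Start, no body
EAP_REQ_IDENTITY = bytes([0x01, 0x2A, 0x00, 0x05, 0x01])      # Request, id 42, len 5, Type 1
EAPOL_EAP = bytes([0x02, 0x00, 0x00, 0x05]) + EAP_REQ_IDENTITY
BAD_EAP = bytes([0x02, 0x00, 0x00, 0x05, 0x02, 0x2A, 0x00, 0x0C, 0x01])  # EAP Length 12, only 5 bytes
```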
