Huawei Policy Center

Technical Proposal

Issue 01

Date 2011-07-24

HUAWEI TECHNOLOGIES CO., LTD.


Issue 01 (2011-07-24) Huawei Proprietary and Confidential

Copyright © Huawei Technologies Co., Ltd


Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base

Bantian, Longgang

Shenzhen 518129

People's Republic of China

Website: http://www.huawei.com

Email: [email protected]


NAC Security Solution

Technical Proposal 1 Overview of the Policy Center Solution


Contents

1 Overview of the Policy Center Solution ... 1
1.1 Background ... 1
1.1.1 Overview of Enterprise Network Security ... 1
1.2 Major Requirements ... 1
1.2.1 Authentication ... 2
1.2.2 Security Check ... 2
1.2.3 User Authorization ... 2
1.2.4 Division of Security Domains ... 3
1.3 Huawei NAC Security Solution ... 4
2 Policy Center Access Control Solution ... 7
2.1 Network Access Control ... 7
2.2 Device Profiling ... 8
2.3 Guest Management ... 9
3 Planning Suggestions for Policy Center Solution ... 10
3.1 Overview ... 10
3.1.1 Introduction to the NAC Security Solution ... 10
3.1.2 Composition of the NAC System ... 11
3.1.3 Service Capabilities of the NAC System ... 13
3.1.4 Basic Process of the NAC Security Solution ... 15
3.2 Planning Suggestions for the Authentication Solution ... 16
3.2.1 Introduction to Authentication Protocols ... 16
3.2.2 Selection of Authentication Modes and Authentication Control Points ... 22
3.3 Planning Suggestions for the Solution to Access Layer Authentication ... 24
3.3.1 Application Scenarios ... 24
3.3.2 Networking Planning ... 24
3.3.3 Planning for the NAC System ... 25
3.3.4 Security Policy Planning ... 26
3.3.5 User Authority Planning ... 26
3.3.6 Reliability Planning ... 27
3.4 Planning Suggestions for the Solution to Convergence Layer Authentication ... 27
3.4.1 Application Scenarios ... 27
3.4.2 Networking Planning ... 27
3.4.3 Planning for the NAC System ... 28
3.4.4 Security Policy Planning ... 29
3.4.5 User Authority Planning ... 29
3.4.6 Reliability Planning ... 30
3.5 Planning Suggestions for the Solution to Side-Connection Authentication at the Convergence Layer ... 30
3.5.1 Application Scenarios ... 30
3.5.2 Networking Planning ... 30
3.6 Planning Suggestions for the Solution to WLAN Portal Authentication ... 31
4 Product Suggestions ... 37


1 Overview of the Policy Center Solution

1.1 Background

1.1.1 Overview of Enterprise Network Security

With the application and development of enterprise networks, the production and operating activities of enterprises rely more and more on networks. However, information security threats such as viruses, Trojan horse programs, spyware, and network attacks also keep increasing. According to statistics, the requirement for network security has overtaken the requirements for network reliability, switching capability, and quality of service (QoS), and network security has become the greatest concern of enterprise users. Network security infrastructure has also become the focus of enterprise network construction.

In the traditional view of enterprise network construction, enterprise intranets are considered safe and security threats are assumed to come from outside. Therefore, most security measures, for example deploying a firewall or an access control system, focus on protecting networks against external attacks. In addition, these products and techniques are mutually independent and cannot collaborate.

It has been proved, however, that many critical network security problems occur inside enterprise intranets. Eighty percent of network security loopholes exist inside networks. These loopholes continue to damage networks in a more severe and wider manner, and often cause system and network breakdown. Malicious software such as spyware and Trojan horse programs may be downloaded to PCs without the user's knowledge when enterprise employees browse certain websites. The malicious software then spreads across the enterprise intranet, leading to serious security trouble.

Therefore, as security challenges continue to escalate, border defense alone, which depends on traditional security measures working independently, is far from enough. Instead, the security model must shift from the passive mode to the active mode, tackling network security problems at their root (the terminals) and so improving the information security level of the whole enterprise.

1.2 Major Requirements

As an enterprise grows, the number of employees and terminals increases rapidly, and the network complexity increases geometrically. The major purposes of enterprise network security are to manage networks effectively, to update system patches and the virus database in time, and to enable network administrators to promptly identify, isolate, and repair insecure terminals.

Enterprise network security solutions must meet requirements on authentication, security check, user authorization, and division of security domains.

1.2.1 Authentication

Because more and more problems on enterprise intranets result from terminal-related problems, the capability to authenticate users is a basic requirement of enterprise network security.

User authentication on ordinary terminals (for example, PCs) must meet the following requirements:

− A terminal meeting security requirements can normally access the intranet after providing the correct user name and password.

− A terminal that does not meet security requirements can access only network isolation areas. The terminal can access the intranet after its security is repaired.

− Terminals used by invalid users cannot access the intranet.

Other terminals, including printers, fax machines, and IP telephones, cannot be authenticated through terminal software, but their validity can be authenticated through their MAC addresses.

1.2.2 Security Check

Hidden terminal troubles do great harm to networks. Therefore, in the security solution of an enterprise intranet, the intranet must restrict the access of invalid users and must perform a systematic security check on valid users. The security check must meet the following requirements:

The intranet checks the security status of a terminal that is about to access the intranet. The system must finish checking the antivirus software installation, patch update status, password strength, and screen saver of the terminal before the terminal accesses the intranet.

The intranet must be capable of responding to the insecure state of the terminal together with the control devices. When an insecure terminal is found accessing the intranet, the intranet must be able to block the terminal's access to prevent damage to the service system. In addition, the intranet must be able to actively help the terminal complete self-repair of its security status.

The intranet must be able to restrict the access authority of an insecure terminal that is not repaired in time, stopping the terminal from accessing the intranet and avoiding network security problems.

1.2.3 User Authorization

Currently, access control of network resources is not strict on enterprise intranets. Generally, once a terminal has accessed the intranet, it can freely access the entire intranet. Common firewall isolation, which is based on IP addresses only, cannot be flexibly configured and managed, and security risks such as IP address forgery also exist. Therefore, firewall isolation cannot completely solve the problems of illegal access and unauthorized access.

In the security solution of an enterprise intranet, the network must manage access control rights based on the user authentication of terminals and on user roles. In this way, the access control of the intranet is enhanced, illegal access and unauthorized access are prevented, and the security of the enterprise intranet is ensured.


1.2.4 Division of Security Domains

Administrators divide the network resources of the live network into different logical security domains by service and security level. The system opens access authorities for the different security domains according to the results of user authentication and security check. In this way, illegal terminals are isolated and the security of the entire enterprise intranet is ensured. Table 1-1 describes the division of security domains.


Table 1-1 Division of security domains

Pre-authentication domain: Network resources that terminals can access before user authentication and security check. The network resources of this type include DHCP servers and system servers.

Isolation domain: Network resources that terminals in the isolated state can access. When the authentication of a terminal succeeds but the security check fails, the terminal is in the isolated state. In that case, the terminal can access only the resources needed for security repair, such as antivirus update servers and patch servers.

Post-authentication domain: Network resources that terminals with successful authentication and security check can access. Administrators can authorize different terminal users to access the relevant network resources according to job relatedness and the minimum authorization principle. This method can effectively prevent illegal access and unauthorized access.

The security domain division described in the security solution of an enterprise intranet must meet the following requirements:

A common terminal can obtain valid public area authorities and departmental authorities after properly accessing the network. After a terminal is moved to another location, it must still be able to obtain its network authorities.

A wireless user has the same legal network authorities as a wired user after properly accessing the network. Illegal wireless users are denied access to the network in this domain.

A new user must have a default authority to access the network. Employees on business must be restricted to the relevant authorities when accessing the network.

Printers, fax machines, access control systems, and voice and video terminals on the network must be granted authorities by class of service (CoS), so that the theft of an information port cannot bring security problems to the network.

The network must be able to control inter-access between terminals. Terminals that have not yet been authenticated must be restricted to accessing only the server resources configured according to the security policy. After authentication, the trusted inter-access mode is used, that is, only terminals with successful authentication can access each other.

1.3 Huawei NAC Security Solution

Huawei network access control (NAC) security solution provides integrated terminal security protection functions through user authentication, security check, and repair and upgrade, based on the guiding principle that only valid users and safe terminals can access the intranet. Huawei can help enterprises construct safe intranets, ensuring the normal service development and operation of enterprises. Huawei NAC security solution starts with the security control of terminals that access networks. In the solution, the terminal security status is combined with network access control. The active defense capability of terminals on a network is enhanced through check, isolation, hardening, and audit, ensuring the security of each terminal on an enterprise intranet and the security of the intranet as a whole. Figure 1-1 shows the networking of the NAC solution.


Figure 1-1 Networking of the NAC solution

[Figure: network diagram. Intranet side: pre-authentication domain (access server, DHCP server, DNS server, software server), isolation domain (patch server, virus database server), post-authentication domain (NMC, service server), and data center. Access sites: a small branch behind an AR router (branch authentication point, portal authentication access); remote access through a router/VPN gateway (SSL VPN access); a campus network/large branch with convergence switches (authentication point at the convergence layer, portal authentication point) and access switches (authentication point at the access layer, IEEE 802.1X authentication access) serving APs, IP telephones, printers, PC terminals, and mobile access.]

Huawei NAC security solution includes the following contents:

Check the validity of a terminal user using multiple authentication methods.

Check terminals for security loopholes, antivirus software installation, and virus database update status.

Control the network access authorities of terminal users through unified access policy and security policy management.

Register and monitor desktop assets, manage peripheral equipment, and distribute software through desktop operation and maintenance.


2 Policy Center Access Control Solution

2.1 Network Access Control

The Policy Center can function with ACs/APs, Huawei Portal switches, and standard 802.1x switches to implement network access control. It provides flexible authentication and authorization policies based on user identities, device types, access locations, access time, and terminal compliance check results.

(1) Based on user identity

The Policy Center authenticates and authorizes users based on the users' departments or roles.

(2) Based on device type

The Policy Center identifies and groups access devices and then authorizes them based on the device groups, to meet the complex service requirements for wireless 802.1x access and portal access in the BYOD environment.

(3) Based on access location

The Policy Center distinguishes the switches, AP/AC devices, and SSIDs through which terminals access the network, and applies different access control and authorization policies to these terminals.

(4) Based on access time

The Policy Center provides different access control and authorization policies for working hours and non-working hours.

(5) Based on terminal compliance check result

The Policy Center authorizes terminals with an NAC client installed based on the terminal compliance check results. It isolates the terminals that fail the compliance check and helps bring them into compliance.
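The security check items of section 1.2.2, the three security domains of Table 1-1 and the five authorization criteria above all feed one admission decision. The following Python script is an added example written for this page; it is not Huawei Policy Center code. Its check thresholds, VLAN numbers, role-to-resource table, the "SSID-Guest" name, the working-hours window and every sample request are assumptions constructed for illustration.

```python
"""Added example (not Huawei Policy Center code): a toy admission-policy
evaluator combining the security-check items of section 1.2.2, the security
domains of Table 1-1 and the five authorization criteria of section 2.1.
All thresholds, VLAN numbers, role tables and sample inputs are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set, Tuple

# Security domains of Table 1-1, mapped to assumed VLAN numbers.
DOMAIN_VLAN = {"pre-authentication": 10, "isolation": 20, "post-authentication": 30}

# Resources reachable from the isolation domain (assumed names): repair only.
REPAIR_RESOURCES = {"patch-server", "antivirus-update-server"}

# Hypothetical role -> resource mapping used in the post-authentication domain.
ROLE_RESOURCES = {
    "finance": {"erp", "mail", "intranet-portal"},
    "engineering": {"git", "mail", "intranet-portal"},
    "guest": {"internet"},
}


@dataclass
class Posture:
    """Terminal state reported by the NAC client (section 1.2.2 check items)."""
    antivirus_installed: bool
    virus_db_age_days: int        # days since the virus database was updated
    missing_patches: int
    password_min_length: int
    screen_saver_locked: bool


def check_posture(p: Posture, max_db_age_days: int = 7) -> List[str]:
    """Return the failed check items; an empty list means the terminal is compliant."""
    failures = []
    if not p.antivirus_installed:
        failures.append("antivirus software not installed")
    elif p.virus_db_age_days > max_db_age_days:
        failures.append("virus database out of date")
    if p.missing_patches > 0:
        failures.append("%d system patch(es) missing" % p.missing_patches)
    if p.password_min_length < 8:
        failures.append("password strength below policy")
    if not p.screen_saver_locked:
        failures.append("screen saver lock not enabled")
    return failures


@dataclass
class AccessRequest:
    """Context available to the policy engine at admission time."""
    user: Optional[str]           # None: authentication failed or no credentials
    role: Optional[str]
    device_group: str             # from device profiling, e.g. "corporate-pc", "byod-phone"
    access_point: str             # switch name or SSID the terminal arrived through
    when: datetime
    posture: Optional[Posture]    # None: terminal has no NAC client (e.g. a printer)


def is_working_hours(t: datetime) -> bool:
    """Assumed working hours: Monday to Friday, 09:00 to 18:00."""
    return t.weekday() < 5 and 9 <= t.hour < 18


def authorize(req: AccessRequest) -> Tuple[str, int, Set[str], List[str]]:
    """Return (security domain, VLAN, allowed resources, reasons) for one request."""
    # 1. Identity: an unauthenticated terminal stays in the pre-authentication domain.
    if req.user is None:
        return "pre-authentication", DOMAIN_VLAN["pre-authentication"], set(), ["authentication failed"]
    # 5. Compliance: authenticated but failing the check -> isolation domain, repair resources only.
    if req.posture is not None:
        failures = check_posture(req.posture)
        if failures:
            return "isolation", DOMAIN_VLAN["isolation"], set(REPAIR_RESOURCES), failures
    reasons = []
    resources = set(ROLE_RESOURCES.get(req.role or "", set()))
    # 2. Device type: BYOD devices get a reduced resource set (assumed policy).
    if req.device_group.startswith("byod"):
        resources &= {"mail", "intranet-portal", "internet"}
        reasons.append("BYOD device: restricted resource set")
    # 3. Access location: the guest SSID only ever reaches the internet (assumed name).
    if req.access_point == "SSID-Guest":
        resources &= {"internet"}
        reasons.append("guest SSID: internet only")
    # 4. Access time: the ERP system is closed outside working hours (assumed policy).
    if not is_working_hours(req.when):
        resources.discard("erp")
        reasons.append("non-working hours: ERP access withheld")
    return "post-authentication", DOMAIN_VLAN["post-authentication"], resources, reasons


# Constructed sample postures and requests (2011-07-25 is a Monday).
HEALTHY = Posture(True, 1, 0, 12, True)
STALE = Posture(True, 30, 2, 12, True)
REQ_HEALTHY = AccessRequest("alice", "finance", "corporate-pc", "SW-Floor3", datetime(2011, 7, 25, 10), HEALTHY)
REQ_STALE = AccessRequest("alice", "finance", "corporate-pc", "SW-Floor3", datetime(2011, 7, 25, 10), STALE)
REQ_BYOD_NIGHT = AccessRequest("alice", "finance", "byod-phone", "SSID-Staff", datetime(2011, 7, 25, 22), HEALTHY)
REQ_GUEST = AccessRequest("visitor1", "guest", "byod-phone", "SSID-Guest", datetime(2011, 7, 25, 10), None)
REQ_UNAUTH = AccessRequest(None, None, "unknown", "SW-Floor3", datetime(2011, 7, 25, 10), None)

if __name__ == "__main__":
    for r in (REQ_HEALTHY, REQ_STALE, REQ_BYOD_NIGHT, REQ_GUEST, REQ_UNAUTH):
        print(authorize(r))
```

The order of the checks is the point: identity decides whether the terminal leaves the pre-authentication domain at all, the compliance result decides between isolation and post-authentication, and only then do device type, location and time narrow the resource set that the role would otherwise grant. A terminal without an NAC client (posture `None`) skips the compliance step, which is why such devices should arrive in a restricted device group from profiling rather than inherit a user role.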

The Policy Center can independently authenticate users using locally configured user information, or work with the other authentication systems listed in Table 2-1.


Table 2-1 External authentication systems and protocol support

Authentication Protocol   Local User Information   AD    LDAP   Radius Token   Radius Relay
PAP                       YES                      YES   YES    YES            Relies on an external system.
CHAP                      YES                      NO    NO     NO             Relies on an external system.
EAP-PEAP-MSCHAPV2         YES                      YES   NO     NO             Relies on an external system.
EAP-MD5                   YES                      NO    NO     NO             Relies on an external system.
EAP-TLS                   YES                      YES   YES    NO             Relies on an external system.
EAP-TTLS-PAP              YES                      YES   YES    YES            Relies on an external system.
EAP-PEAP-GTC              YES                      YES   YES    YES            Relies on an external system.

If an enterprise has a complex live network and does not need to replace all network devices, deploy an 802.1x or portal switch; the Policy Center can then interwork with the 802.1x or portal switch, saving hardware investment. Alternatively, deploy a Huawei SACG at the core of the enterprise network (or at the egress of a data center) and configure policy-based routes to divert specific traffic to the SACG, to protect key service resources. If an SACG is deployed, the Policy Center controls access based only on user identities and terminal compliance check results.

2.2 Device Profiling

The Policy Center is capable of identifying terminal devices based on the device feature data obtained by the device identification probes. Specifically, the Policy Center identifies the device type and operating system (OS) type. The Policy Center supports the following device identification probes:

MAC OUI probe

The MAC organizationally unique identifier (OUI) is the first three bytes of a MAC address. MAC OUIs are assigned to vendors by the IEEE, and the Policy Center maintains an OUI database. During MAC OUI matching, the system checks the first three bytes of a MAC address against the OUI database to identify the vendor.

DHCP Option probe

Terminal devices send DHCP messages to obtain IP addresses from the DHCP server. A DHCP message carries DHCP Option fields that contain device-specific feature information, which is used to identify the device type. Currently, the Policy Center can obtain the DHCP Option information of terminal devices only from Huawei-supplied switches.

HTTP User-Agent probe

The HTTP packets sent by a terminal's browser carry the HTTP User-Agent field, which identifies the device type.

SNMP probe

For network devices that support SNMP, SNMP can be used to retrieve the device description and the SNMP OID, which identify the terminal type.

The Policy Center supports a combination of probes and makes a comprehensive analysis based on the feature data obtained by these probes, to obtain more accurate terminal device type information. In BYOD applications, the device identification provided by the Policy Center can collaborate with network access control to apply network access policies specific to terminal device types, improving IT O&M efficiency.
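The four probes above each yield partial evidence, and the "comprehensive analysis" is what turns them into one device type with a confidence. The following Python script is an added example written for this page, not Huawei Policy Center code; it shows one way to combine the probes as weighted votes. The OUI entries, the DHCP Option 60 vendor-class prefixes, the User-Agent patterns, the SNMP sysDescr keywords, the weights and all sample inputs are assumptions constructed for the example; a real deployment uses the IEEE OUI list and a maintained fingerprint database.

```python
"""Added example (not Huawei Policy Center code): a toy device-profiling routine
that combines the MAC OUI, DHCP Option, HTTP User-Agent and SNMP probes of
section 2.2 as weighted votes and reports a confidence per attribute.
OUI entries, fingerprints, weights and sample inputs are assumptions."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Vote = Tuple[str, str, float]   # (attribute, value, weight)

# Assumed OUI table: first three bytes of the MAC address -> vendor.
OUI_DB = {"00:50:56": "VMware", "3C:07:54": "Apple", "00:1E:10": "Huawei"}

# Assumed DHCP Option 60 (vendor class identifier) prefixes -> OS family.
DHCP_VENDOR_CLASS = {"MSFT 5.0": "Windows", "android-dhcp": "Android", "udhcp": "Linux/embedded"}

# Assumed User-Agent patterns -> (OS, device type); first match wins.
UA_RULES = [
    (re.compile(r"iPhone|iPad"), "iOS", "mobile"),
    (re.compile(r"Android"), "Android", "mobile"),
    (re.compile(r"Windows NT"), "Windows", "PC"),
    (re.compile(r"Macintosh"), "macOS", "PC"),
]


def oui_probe(mac: str) -> List[Vote]:
    """Look the first three bytes of the MAC address up in the OUI table."""
    prefix = mac.upper().replace("-", ":")[:8]
    vendor = OUI_DB.get(prefix)
    if vendor is None:
        return []
    votes = [("vendor", vendor, 1.0)]
    if vendor == "VMware":               # a virtual NIC is a hint about the device type
        votes.append(("type", "virtual machine", 0.6))
    return votes


def dhcp_probe(vendor_class: Optional[str]) -> List[Vote]:
    """Match the DHCP Option 60 string against the assumed vendor-class prefixes."""
    if not vendor_class:
        return []
    for prefix, os_name in DHCP_VENDOR_CLASS.items():
        if vendor_class.startswith(prefix):
            return [("os", os_name, 0.8)]
    return []


def ua_probe(user_agent: Optional[str]) -> List[Vote]:
    """Derive OS and device type from the HTTP User-Agent header."""
    if not user_agent:
        return []
    for pattern, os_name, dev_type in UA_RULES:
        if pattern.search(user_agent):
            return [("os", os_name, 0.9), ("type", dev_type, 0.7)]
    return []


def snmp_probe(sys_descr: Optional[str]) -> List[Vote]:
    """Classify from the SNMP sysDescr text using constructed keyword rules."""
    if not sys_descr:
        return []
    text = sys_descr.lower()
    if "printer" in text:
        return [("type", "printer", 1.0)]
    if "switch" in text or "router" in text:
        return [("type", "network device", 1.0)]
    return []


def profile(mac: str, vendor_class: Optional[str] = None, user_agent: Optional[str] = None,
            sys_descr: Optional[str] = None) -> Tuple[Dict[str, Tuple[str, float]], List[str]]:
    """Combine all probes: {attribute: (best value, confidence)} plus the evidence list.
    Confidence is the winning value's share of the total weight for that attribute,
    so agreeing probes raise it and conflicting probes lower it."""
    tally: Dict[str, Dict[str, float]] = defaultdict(lambda: defaultdict(float))
    evidence: List[str] = []
    probes = (("oui", oui_probe(mac)), ("dhcp", dhcp_probe(vendor_class)),
              ("ua", ua_probe(user_agent)), ("snmp", snmp_probe(sys_descr)))
    for name, votes in probes:
        for attr, value, weight in votes:
            tally[attr][value] += weight
            evidence.append("%s:%s=%s" % (name, attr, value))
    result = {}
    for attr, values in tally.items():
        best, weight = max(values.items(), key=lambda kv: kv[1])
        result[attr] = (best, round(weight / sum(values.values()), 2))
    return result, evidence


# Constructed sample inputs: (mac, DHCP option 60, User-Agent, SNMP sysDescr).
SAMPLE_VM = ("00:50:56:ab:cd:ef", "MSFT 5.0", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", None)
SAMPLE_PHONE = ("3c:07:54:11:22:33", None, "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X)", None)
SAMPLE_PRINTER = ("00:1e:10:aa:bb:cc", "udhcp 1.20", None, "Office laser printer, firmware 2.1")

if __name__ == "__main__":
    for sample in (SAMPLE_VM, SAMPLE_PHONE, SAMPLE_PRINTER):
        print(profile(*sample))
```

The first sample shows why the combination matters: the OUI says VMware, the DHCP and User-Agent probes agree on Windows, but the type evidence is split between "virtual machine" and "PC", so the type comes back with a confidence of 0.54 rather than 1.0. A low-confidence type is the case to route into a review device group rather than into a permissive access policy; a MAC address alone can be set by the terminal, so the OUI probe should never be the only basis for a privileged device group.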

2.3 Guest Management

The Policy Center is capable of managing guests for enterprise users. Specifically, it manages application, approval, distribution, authentication, and cancelation over the guest account lifetime. The Policy Center provides the following guest management functions:

Tailors the guest application and authentication pages.

− Enables guests to tailor the registration-related pages, including the online registration and account notification pages.

− Enables guests to tailor the web login-related pages, including the login page and the page displayed after a successful login.

− Enables users to tailor several authentication and registration pages.

− Redirects pages based on the browser language and geographic position of users.

− Provides a field for user-defined guest attributes. The system has default guest attributes; when the default guest attributes are insufficient, user-defined guest attributes can be used.

− Enables users to preview the user-defined registration and authentication pages so that they can test and change the pages.

Enables guests to register themselves and employees to apply for guest accounts.

− Enables guests to apply for guest accounts by entering the required information on the registration page.

− Enables users to define guest managers and allows the receptionist to apply for guest accounts.

− Provides flexible guest approval modes. The guest account applicant can specify the approval mode.

− Supports approval-free application, employee-approved application, and system administrator-approved application.


Notifies guests of their accounts in several ways:

− On the web

− By email

− By SMS

Provides a guest management API.

Through this API, the Policy Center can be integrated with external systems. This integration is commonly required in the service industry. For example, the Policy Center may be integrated with the Automatic Call Distribution (ACD) system in a business outlet. When a client is ticketing on an ACD, a guest account is created through the API, and the client can then access the Wi-Fi network using this guest account.

3 Planning Suggestions for Policy Center Solution

3.1 Overview

3.1.1 Introduction to the NAC Security Solution

Huawei NAC security solution is based on the guiding principle that only valid users and safe terminals can access the network. Huawei combines a complete series of enterprise intranet and security products with the Policy Center system to provide an integral and safe NAC solution based on user identification, security check, and repair and upgrade. In addition, the solution has rich extension functions, giving enterprise intranets the capability of integral terminal security protection.

Authentication and Access Control

In the NAC solution, the network can authenticate the validity of users that attempt to access the network. Only valid users are allowed into the network, and the available resources vary with roles and users.

Administrators can divide users into groups or define different roles, and configure different resources for them. In this way, specific users can access only the specific resources authorized for them.

Access Security Check and Control

The NAC solution provides a security check for user terminals. Only healthy and safe user terminals are allowed to access the network. Network administrators of an enterprise can define their own security rules and policies for the enterprise intranet. For example: antivirus software must be installed and running on terminals, the virus database must be the latest, installing unlawful software on terminal systems is prohibited, and terminal systems must have system patches installed.

System Repair and Upgrade

If hidden security troubles exist in the system, Huawei NAC solution provides automatic and manual repair and upgrade functions for the system. The solution enables the system to be associated with Windows Server Update Services (WSUS) and to automatically download and upgrade system patches. The solution also provides strong association with commercial antivirus software to update the virus database. In addition, the solution provides forcible security measures to automatically kill invalid or illegal processes.

Rich Extension Functions

Huawei NAC solution also provides extension functions such as behavior management, software distribution, and asset management.

Behavior management

The Policy Center system provides a terminal-based employee behavior management function that reminds terminal users to obey the enterprise behavioral norms when using terminal hosts, improving the security management capability of the intranet.

Software distribution

The Policy Center system provides a software distribution function to distribute software to the corresponding terminal hosts manually or automatically on schedule. Software can be distributed by department or by operating system (OS).

Asset management

The Policy Center system provides an asset management function to uniformly manage enterprise assets. The function improves efficiency, reduces maintenance costs, prevents employees from privately modifying the configurations of enterprise terminal hosts, and reduces the risk of losing assets.

3.1.2 Composition of the NAC System

The framework of the NAC security system (NAC system for short) comprises three key

components: agent clients, network admission devices, and admission servers, as shown in

Figure 3-1.

Figure 3-1 Components of the NAC system

[Figure 3-1 shows a terminal agent (special client software) on the intranet, a network admission device (access controller), and the admission servers: the admission control server (the authenticator/checker that authenticates users and checks security), the virus database server, the patch server, and the management server.]

Agent Clients

Agent clients are special client software installed on the user terminal system. They work with the admission servers to perform user authentication, terminal security check, system repair and upgrade, and terminal behavior monitoring and audit.

User authentication: After the client software is installed on a terminal, the user enters the user name and password, and the client software sends them to the admission servers.

Terminal security check: Terminal security check is also called terminal health check. According to the security policy delivered by the admission servers, the client software checks the security status of the user terminal, including the OA version, system patch installation, antivirus software installation, virus database date, and black and white lists of application processes. The client software then reports the check result to the admission servers, which determine whether the terminal is secure (healthy).

System repair and upgrade: The client software accepts instructions from the admission servers. If the user terminal does not meet the security standards, the client software requires the terminal to automatically repair and upgrade its system, or forces it to do so. After the repair, the client software reports the result to the admission servers.

Monitoring and audit: The client software monitors in real time whether the security status of the terminal host and user behaviors comply with the security policy, and regularly reports security events to the admission servers for later security audit. The terminal security check covers the agent client, patch installation, antivirus software, screen saver, and shared directories. User behavior monitoring covers the agent client's monitoring of operations on executable files, network connections, accessed websites, and USB storage devices.


Network Admission Devices

Network admission devices are the network control points (NCPs) through which terminals access the network. As the enforcers of enterprise security policies, network admission devices implement the relevant admission control (permission, rejection, isolation, or restriction) according to the security policies of customers' networks.

In the Huawei NAC solution, a network admission device can be a switch, router, wireless access point, virtual private network (VPN) gateway, or other security device. These network admission devices force users to be authenticated for admission, reject network access by invalid users, isolate unhealthy terminals, and provide valid users and healthy terminals with network services.

Network admission devices have the following functions:

User authentication: Network admission devices help agent clients complete authentication. The Huawei NAC solution supports multiple authentication modes, such as IEEE 802.1X, MAC, and Portal authentication. In each authentication mode, network admission devices assist the client software and admission servers with user authentication.

User authority control: Network admission devices monitor the user authentication process and grant users the authorities corresponding to the results provided by the admission servers.

− Terminals before authentication have the access authorities of the pre-authentication domain. They can access the admission servers and public-domain software servers to install agent clients.

− Terminals isolated for security reasons have the authorities of the isolation domain. They can access the virus database server and patch server.

− Terminals that have been successfully authenticated have the network authorities of the post-authentication domain. Network authorities can vary with user roles.

Admission Servers

Admission servers include the admission control server, management server, virus database server, and patch server.

The admission control server authenticates users, audits security, implements security policies, and works with network admission devices to grant user authorities.

The management server manages users: it adds, deletes, or modifies user authorities, configures users' departments, and customizes and manages security policies.

The virus database server controls automatic virus database updates of the antivirus software on terminals.

The patch server controls patch installation and updates of OSs and application software on terminals.

3.1.3 Service Capabilities of the NAC System

The NAC security solution provides such functions as access authentication, authority control, terminal management, attack defense, and asset management. In addition, the solution features high reliability, flexible implementation, and open convergence.


Multiple Authentication Modes

Provide different authentication solutions for deployment at the access layer and the convergence layer, suitable for large campus networks.

Provide multiple authentication modes, such as IEEE 802.1X, MAC, Portal, forcibly pushed web authentication, and Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) authentication, which requires only a single authentication when combined with domain authentication.

Support deployment on various terminals, including PCs, non-PC terminals, wireless terminals, and IP telephones.

Provide agent clients as well as ActiveX plug-ins that work without agent clients.

Rich Security Control Modes

Support access control list (ACL) delivery based on users and ports, and support access authorities based on limited users.

Support authority restriction based on user security status.

Provide a complete one-touch intelligent repair function.

Perfect Terminal Management Scheme

Provide such functions as organization and personnel management, policy management, behavior monitoring, and patch management.

Provide the richest security policies in the industry for user customization.

Provide abundant user behavior audit functions, including USB device monitoring, management of illegal access to external networks, and process and service monitoring.

Attack Defense

Prevent terminal hosts from sending spoofed Address Resolution Protocol (ARP) messages.

Prevent terminal hosts from sending ARP flooding messages.

Provide static ARP address binding.

Efficient Assets Management

Provide abundant asset management functions, such as asset registration, asset lifecycle management, asset statistics, and asset change alarms.

Provide server platform monitoring, announcements, and remote assistance for user management.

High Reliability

Provide Remote Authentication Dial-In User Service (RADIUS) server backup and Portal server backup.

Provide two-node cluster hot backup, two-node cluster cold backup, and single-point escape.

Flexible and Convenient Implementation Interface

Provide simple, easy-to-use operation interfaces with complete functions.

Provide a convenient and fast installation mode, in which you install the system once and purchase licenses on demand.

Rich, Flexible, Convergent, and Open Solutions

Realize centralized and unified authentication and authorization management.

Make the best of the existing network security construction to integrate isolated solutions in an optimal manner.

Provide flexible and abundant security checks, covering the most terminal security check policies in the industry, which can be performed throughout the user access process.

Provide industry-class high security. In terms of system management, the NAC system controls operation authorities based on management roles and records administrator operation logs to enhance operation security and traceability.

Provide high reliability. All important components of the NAC system work in active-standby and load balancing mode, and provide a dedicated escape channel function.

Support the installation of Windows software and authentication associated with Windows domains.

3.1.4 Basic Process of the NAC Security Solution

Figure 3-2 shows the basic process of the NAC solution, which involves the agent clients, network admission devices, and admission servers.

Figure 3-2 Basic process of the NAC solution

[Figure 3-2 shows the terminal, network admission device, admission/policy server, and patch/virus database server. The user enters the user name and password to initiate authentication; after successful authentication, the servers deliver security policies and the security check runs. If the check succeeds, the servers enable the network authorities and the user can access the network. If the check fails, the terminal repairs its security (upgrading patches and the virus database); once the repair is complete, the servers enable the network authorities and the user can access the network. The server audits the user.]

The detailed process is as follows:

1. A user terminal accesses the network. All terminals before authentication have the network authorities of the pre-authentication domain. They can access the networks in the pre-authentication domain on demand.

2. The user installs the agent client software or Web Agent plug-in on the PC terminal. Then the user enters the user name and password to initiate authentication. After the terminal is successfully authenticated, the agent client software or Web Agent plug-in works with the admission servers to check the security status of the terminal.

3. If the user is valid and the terminal is safe, after authentication the admission servers deliver the corresponding network authorities to the network admission devices, permitting the user to access the networks in the post-authentication domain.

4. If the user is valid but the terminal has a few security risks, after authentication the admission servers deliver the corresponding network authorities to the network admission devices, permitting the user to access the networks in the post-authentication domain, and prompt the terminal about the security risks.

5. If the user is valid but the terminal is seriously insecure, after authentication the admission servers deliver network authorities to the network admission devices that permit the user to access only the networks in the isolation domain. In that case, the user can access the patch server and the virus database server in the isolation domain. After the terminal security is repaired, the admission servers deliver the network authorities of the post-authentication domain.

6. The system can check the security status of an online terminal in real time. If a serious security problem occurs while the terminal is online, the terminal is still isolated.

7. After authentication, the terminal can install patches on demand. It can also access the relevant servers to upgrade the virus database.

8. The policy server can audit the user.

9. If the user is invalid and unauthenticated, the user can access only the network resources in the pre-authentication domain.
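The following added example (not Huawei's code, and not part of the original proposal) models the decision logic described in the agent client security check and in the process above: a posture report from the terminal is evaluated against the delivered policy, findings are graded as serious or minor, and the grade together with the authentication result selects the pre-authentication, isolation, or post-authentication domain. The policy fields, the severity mapping (antivirus not running or a prohibited process is serious; a stale virus database or a missing patch is minor), and all sample values (patch and process names, dates) are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Domains named in the NAC process description.
PRE_AUTH_DOMAIN = "pre-authentication domain"
ISOLATION_DOMAIN = "isolation domain"
POST_AUTH_DOMAIN = "post-authentication domain"


@dataclass(frozen=True)
class Policy:
    """Security policy delivered by the admission server (assumed fields)."""
    max_virus_db_age_days: int
    required_patches: frozenset
    prohibited_processes: frozenset


@dataclass(frozen=True)
class PostureReport:
    """What the agent client reports about the terminal (assumed fields)."""
    antivirus_installed: bool
    antivirus_running: bool
    virus_db_date: date
    installed_patches: frozenset
    running_processes: frozenset


def check_posture(report: PostureReport, policy: Policy, today: date) -> list:
    """Evaluate one report against the policy.

    Returns (severity, description) findings; severity is 'serious' (terminal
    must be isolated) or 'minor' (access granted, user prompted). The grading
    is an assumption of this example, not the product's rule set.
    """
    findings = []
    if not report.antivirus_installed:
        findings.append(("serious", "antivirus software is not installed"))
    elif not report.antivirus_running:
        findings.append(("serious", "antivirus software is not running"))
    else:
        age = (today - report.virus_db_date).days
        if age > policy.max_virus_db_age_days:
            findings.append(("minor", f"virus database is {age} days old"))
    for patch in sorted(policy.required_patches - report.installed_patches):
        findings.append(("minor", f"required patch {patch} is missing"))
    for proc in sorted(report.running_processes & policy.prohibited_processes):
        findings.append(("serious", f"prohibited process {proc} is running"))
    return findings


def admission_decision(authenticated: bool, findings: list) -> str:
    """Map the authentication result and check findings to a domain.

    The same rule serves the initial admission and the periodic re-check of an
    online terminal: a serious finding moves the terminal to the isolation
    domain, and a clean re-check after repair returns it to the
    post-authentication domain.
    """
    if not authenticated:
        return PRE_AUTH_DOMAIN
    if any(severity == "serious" for severity, _ in findings):
        return ISOLATION_DOMAIN
    return POST_AUTH_DOMAIN


def evaluate(authenticated: bool, report: PostureReport, policy: Policy, today: date):
    """Run the check (only for authenticated users) and decide the domain."""
    findings = check_posture(report, policy, today) if authenticated else []
    return admission_decision(authenticated, findings), findings


# Constructed sample policy and reports (placeholder patch and process names).
EXAMPLE_POLICY = Policy(
    max_virus_db_age_days=7,
    required_patches=frozenset({"PATCH-EXAMPLE-001"}),
    prohibited_processes=frozenset({"unapproved-p2p.exe"}),
)
TODAY = date(2011, 7, 24)  # the proposal's issue date, used as "today"
HEALTHY = PostureReport(True, True, date(2011, 7, 23),
                        frozenset({"PATCH-EXAMPLE-001"}), frozenset({"explorer.exe"}))
STALE_DB = PostureReport(True, True, date(2011, 7, 1),
                         frozenset({"PATCH-EXAMPLE-001"}), frozenset({"explorer.exe"}))
AV_OFF = PostureReport(True, False, date(2011, 7, 23),
                       frozenset(), frozenset({"explorer.exe", "unapproved-p2p.exe"}))

if __name__ == "__main__":
    for name, report in [("healthy", HEALTHY), ("stale database", STALE_DB), ("antivirus off", AV_OFF)]:
        domain, findings = evaluate(True, report, EXAMPLE_POLICY, TODAY)
        print(f"{name}: {domain}; findings: {findings}")
    print("unauthenticated:", evaluate(False, HEALTHY, EXAMPLE_POLICY, TODAY)[0])
```

Calling `evaluate` again with a fresh report is the real-time re-check of step 6: an online terminal whose new report carries a serious finding is moved back to the isolation domain, and one whose report is clean after repair gets the post-authentication domain, as in step 5.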

3.2 Planning Suggestions for the Authentication Solution

3.2.1 Introduction to Authentication Protocols

The Huawei NAC security solution supports multiple network access control modes, such as IEEE 802.1X, MAC, and Portal authentication. In addition, the solution can be flexibly deployed on multiple network devices such as access switches, convergence switches, access controllers, and AR routers. The network devices work with the NAC terminal agents and servers to implement NAC and to provide secure and reliable access control for enterprise intranets, campus networks, and metropolitan area networks (MANs).

IEEE 802.1X Authentication

As a port-based NAC protocol, the standard IEEE 802.1X protocol authenticates and controls user devices at the ports of local area network (LAN) access devices. Terminals connected to the ports can access resources in the LAN only after they are successfully authenticated.

IEEE 802.1X authentication uses the Extensible Authentication Protocol (EAP) to exchange authentication information between clients, network admission devices, and admission servers. EAP messages between terminals and devices are encapsulated in the EAP over LAN (EAPoL) format and carried directly in the LAN environment.

Figure 3-3 Flowchart of IEEE 802.1X authentication

[Figure 3-3 shows the terminal agent, network admission device, admission server, and patch server. The terminal agent and network admission device exchange user authentication over EAPoL/802.1X, and the network admission device and admission server perform user authentication through the RADIUS protocol. After RADIUS authentication succeeds, the admission server tells the network admission device to assign network authorities to the user by delivering a VLAN ID or ACL, and the device sends EAP Success to the terminal. The security check follows, and repair and upgrade are performed with the patch server if needed.]

The detailed process is as follows:

1. When a user terminal accesses the network, the agent client and network admission device exchange user name and password information through EAP.

2. The network admission device and admission server authenticate the validity of the terminal user through the RADIUS protocol.

3. If the terminal is successfully authenticated, the admission server reports the result to the network admission device through the RADIUS protocol and delivers the corresponding ACL, or the ID of the VLAN the terminal joins, to enforce access control over the valid terminal user after authentication.

4. The network admission device sends an EAP Success message to inform the terminal.

5. The terminal agent and admission server exchange the security status information of the terminal system and check the security of the terminal.

6. If the terminal is insecure, the terminal agent starts system repair and upgrade, interacts with related servers such as the patch server and the virus database server, and completes the system security repair.

If the IEEE 802.1X protocol cannot be deployed on the underlying access switch of a customer's network for special reasons, or if multiple user terminals access through a hub connected to the access switch, the standard port-based IEEE 802.1X protocol cannot perform separate access control over each terminal.

To address these problems, the Huawei NAC security solution enhances the standard IEEE 802.1X functions on switches and routers and implements MAC-based IEEE 802.1X access control. In this way, the solution can control access per terminal even when multiple terminals access the network through a single port. The Huawei NAC solution supports both port-based and MAC-based IEEE 802.1X access control, and customers can select the mode for their networks.

Port-based mode: If the first user connected to the port succeeds in authentication, other users can access network resources without authentication. Once the first user goes offline, however, the other users are denied network access.

MAC-based mode: All users connected to the port must be authenticated separately.

The NAC system can control the access of user terminals by delivering VLAN IDs, ACLs, or both. According to the control mode, IEEE 802.1X authentication can be subdivided into Guest VLAN-based and ACL-based authentication.

Guest VLAN-based IEEE 802.1X authentication: This is the most commonly used 802.1X authentication mode in the industry. Terminals before authentication belong to Guest VLANs by default. After a terminal is successfully authenticated, the admission servers deliver the VLAN ID of the corresponding role and switch the user terminal from the Guest VLAN to the VLAN of that role.

ACL-based IEEE 802.1X authentication: In this mode, after a terminal is successfully authenticated, the admission servers deliver only the user ACL to control the access of this user. This mode places relatively high requirements on the ACL specifications of devices when there are many users.

Admission devices first prompt terminals to perform IEEE 802.1X authentication. If a terminal does not perform IEEE 802.1X authentication for a long time, the admission device treats the MAC address of the terminal as the authentication information and sends the MAC address to the servers as the user name and password for authentication. This authentication mode is called bypass MAC authentication.

Portal Authentication

Portal authentication is a layer-3 authentication mode. Users access the Web authentication pages on the Portal server or the Web server, and enter user names and passwords to complete user authentication. If Portal authentication is used, terminals do not need client software installed. When terminals access the Portal pages, the system implements the basic security check function through an ActiveX control that is downloaded following automatic prompts.

Portal authentication supports Web authentication and does not require installing client software. With these two features, Portal authentication is suitable for visitors and users on business trips.

NOTE In Portal authentication mode, you can still realize the complete function of terminal admission control by downloading the client.

Before Web authentication on the Portal server, users must first access the authentication page, and then enter and submit user names and passwords on the page. Users can access the authentication page either actively or passively (namely, in forcibly pushed mode).

Figure 3-4 Flowchart of Portal authentication

[Figure 3-4 shows the terminal agent, network admission device, Portal server, admission server, and patch server. A user accesses web pages; the network admission device redirects the HTTP request and pushes the web pages on the Portal server. The terminal performs Web authentication (account information) with the Portal server; the Portal server and network admission device carry out the Portal authentication exchange; the network admission device and admission server carry out the RADIUS authentication exchange. If authentication succeeds, the admission server delivers an ACL (RADIUS); the authentication result is returned through the Portal protocol and then through the Web to the terminal. The security check follows, and repair and upgrade are performed with the patch server if needed.]

The detailed process is as follows:

1. A user terminal accesses any Web server.

2. The network admission device captures the user's HTTP request. If the destination address of the request is not the address of the Portal server, the network admission device pushes the Web authentication page on the Portal server by HTTP redirection.

3. The terminal accesses the Web authentication page on the Portal server. The user enters and submits the user name and password for authentication.

4. The Portal server and network admission device exchange the user account information through the Portal protocol.

5. The network admission device requests the admission server (RADIUS server) to authenticate the user through the RADIUS protocol.

6. The admission server authenticates the user and reports the authentication result. If the authentication succeeds, the admission server also delivers the user ACL.

7. After receiving the RADIUS authentication result, the network admission device informs the Portal server through the Portal protocol. If the authentication succeeds, the Portal server assigns the network access authorities to the user and starts the ACL for network access control over the user.

8. The Portal server informs the terminal of the authentication result through HTTP.

9. The user downloads and installs the ActiveX control, or installs the client agent software, on the terminal. After the terminal is successfully authenticated, the terminal agent exchanges security status information with the admission servers to check the security of the terminal.

10. If the terminal is insecure, the agent client starts system repair and upgrade, interacts with related servers such as the patch server and the virus database server, and completes the system security repair.

NOTE In the Huawei NAC solution, the Portal server and admission servers are integrated. They can be different functional modules deployed on the same physical server.

MAC Authentication

In certain special cases, terminal users do not want to, or cannot, complete authentication by entering user names and passwords. For example, certain privileged terminals are expected to access the network directly without authentication, and certain special terminals, such as printers and IP telephones, can neither have client software installed nor be authenticated or authorized by entering user names and passwords. In those cases, the network access of the terminals is controlled through MAC authentication.

In MAC authentication, the system authenticates a terminal using the MAC address of the terminal as its proof of identity. After MAC authentication is enabled, when a terminal accesses the network, the network admission device extracts the MAC address of the terminal and uses it as the user name and password for authentication. If the authentication fails, the network admission device forces the user offline, stops initiating authentication and detection for a preset period, and restarts detection after the timeout. If the authentication succeeds, the switch adds the MAC address to its MAC table and the user can access the network normally.

MAC authentication can be performed locally or remotely through the RADIUS server. In the case of RADIUS authentication, the RADIUS server controls user access authorities by delivering ACLs or VLAN IDs.

Figure 3-5 Flowchart of MAC authentication

[Figure 3-5 shows terminals such as a SIP terminal or printer, the network admission device, and the admission server. When the terminals go online, the network admission device either sends the MAC address of the terminal through the RADIUS protocol (remote MAC authentication) or checks it locally (local MAC authentication). After authentication through the RADIUS protocol succeeds, the admission server delivers an ACL or VLAN ID and the terminals access the network.]

The detailed process of MAC authentication is as follows:

1. When a terminal goes online, the network admission device automatically extracts the MAC address of the terminal.

2. The network admission device authenticates the MAC address of the terminal.

− In the case of RADIUS authentication, the network admission device sends the MAC address of the terminal as the user name and password through the RADIUS protocol to the admission servers for authentication.

− In the case of local authentication, the network admission device authenticates the MAC address of the terminal using the locally configured MAC authentication table.

3. If the authentication succeeds, the network admission device assigns network authorities to the terminal. In the case of RADIUS authentication, the network admission device uses the ACL or VLAN ID delivered by the RADIUS server to control the authorities of the terminal.
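The following added example (not Huawei's code, and not part of the original proposal) shows on the wire what two passages above describe: the MAC authentication exchange, in which the admission device sends the terminal's MAC address as the RADIUS User-Name and User-Password, and the authorization delivery used by both IEEE 802.1X and MAC authentication, in which the admission server returns a VLAN ID or ACL in the Access-Accept. It builds the Access-Request with the RFC 2865 User-Password hiding, answers it from a constructed registration table, carries the VLAN in the RFC 2868 Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID attributes and the ACL name in Filter-Id, and has the admission device verify the Response Authenticator before it applies anything. The 12-hex-digit user name format, the shared secret, the tunnel tag, the use of Filter-Id for the ACL name (real devices may use vendor-specific attributes instead), and the registration table are assumptions of the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 2868).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def mac_as_username(mac: str) -> str:
    """Normalise a MAC address to 12 lower-case hex digits (assumed user name format)."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2: 16-byte blocks XORed with an MD5 chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; the server side."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data: bytes) -> list:
    """Split the attribute area into (type, value) pairs, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_mac_access_request(mac: str, secret: bytes, ident: int) -> bytes:
    """Admission device side: the MAC address is both User-Name and User-Password."""
    request_auth = os.urandom(16)
    name = mac_as_username(mac).encode()
    body = attr(USER_NAME, name) + attr(USER_PASSWORD, hide_password(name, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: list) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def vlan_attrs(vlan_id: int, tag: int = 1) -> list:
    """RFC 2868 tunnel attributes that tell the switch which VLAN to assign."""
    t = bytes([tag])
    return [attr(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
            attr(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_802.to_bytes(3, "big")),
            attr(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode())]


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Admission device side: a response whose authenticator does not match is discarded."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def extract_authorization(packet: bytes):
    """Return (vlan_id, acl_name) from an Access-Accept. The VLAN is accepted only when
    Tunnel-Type is VLAN and Tunnel-Medium-Type is IEEE 802 for the same tag."""
    tunnels, group, acl = {}, {}, None
    for atype, value in parse_attrs(packet[20:]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tunnels.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, text = (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)
            group[tag] = int(text.decode())
        elif atype == FILTER_ID:
            acl = value.decode()
    vlan = next((group[t] for t, kinds in tunnels.items()
                 if kinds.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                 and kinds.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802 and t in group), None)
    return vlan, acl


def simulate_mac_authentication(mac: str, secret: bytes, registered: dict, ident: int = 7):
    """Both sides of the exchange in one process. `registered` is the server's constructed
    MAC table: normalised MAC -> (vlan_id, acl_name). Returns (vlan_id, acl_name) on
    Access-Accept and None on Access-Reject."""
    request = build_mac_access_request(mac, secret, ident)
    request_auth = request[4:20]
    # --- admission server: check the MAC is registered and the password matches ---
    attrs = dict(parse_attrs(request[20:]))
    name = attrs[USER_NAME].decode()
    password = unhide_password(attrs[USER_PASSWORD], secret, request_auth).decode()
    if name in registered and password == name:
        vlan_id, acl_name = registered[name]
        response = build_response(ACCESS_ACCEPT, ident, request_auth, secret,
                                  vlan_attrs(vlan_id) + [attr(FILTER_ID, acl_name.encode())])
    else:
        response = build_response(ACCESS_REJECT, ident, request_auth, secret, [])
    # --- admission device: verify before applying any VLAN or ACL ---
    if not verify_response(response, request_auth, secret):
        raise ValueError("Response Authenticator mismatch; packet discarded")
    return extract_authorization(response) if response[0] == ACCESS_ACCEPT else None


REGISTERED = {"001a2b3c4d5e": (100, "acl-printers")}  # constructed registration table
```

The check in `extract_authorization` matters on the switch side: a Tunnel-Private-Group-ID that is not paired with Tunnel-Type VLAN and Tunnel-Medium-Type IEEE 802 under the same tag is ignored rather than applied, and `verify_response` makes the device drop any reply that was not produced with the shared secret for this request.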

Comparison Between the Three Authentication Modes

Table 3-1 compares the advantages and disadvantages of IEEE 802.1X, Portal, and MAC authentication.

Table 3-1 Comparison between the three authentication modes

Client requirements

− IEEE 802.1X authentication: Mandatory.

− Portal authentication: Portal authentication does not need clients, while forcibly pushed web authentication does.

− MAC authentication: Not required.

Advantages

− IEEE 802.1X authentication: If this mode is deployed at the access layer, the system directly controls the connection and disconnection of the network access information port. The security is high.

− Portal authentication: The deployment is flexible.

− MAC authentication: No need to install clients.

Disadvantages

− IEEE 802.1X authentication: The deployment is inflexible.

− Portal authentication: The security is low.

− MAC authentication: The management is complicated and MAC addresses must be registered.

Applicable scenarios

− IEEE 802.1X authentication: Applicable to scenarios in which a new network is constructed, users are centralized, and information security is strictly required.

− Portal authentication: Flexible, and applicable to wireless scenarios in which users are scattered.

− MAC authentication: Applicable to the access authentication of SIP terminals, printers, and fax machines.


3.2.2 Selection of Authentication Modes and Authentication Control Points

As described in section 3.2.1 "Introduction to Authentication Protocols", the currently available authentication modes include IEEE 802.1X, Portal, and MAC authentication. Authentication control points can be deployed at the access layer, at the convergence layer, or on routers or VPN gateways.

Deployment of Authentication Control Points at the Access Layer

IEEE 802.1X authentication is recommended if authentication control points are deployed at the access layer, as shown in Figure 3-6.

All terminals before authentication belong to the Guest VLAN.

If a terminal is successfully authenticated, the admission server delivers the Service VLAN and switches the domain of the terminal.

If a terminal is found insecure, the admission server delivers the Isolate VLAN to isolate the terminal.

Convergence switches control user authorities according to the VLAN or network segment configurations.

Because this deployment mode is simple and the control points are closest to users, intranets obtain the maximum security assurance. This deployment mode is applicable to most new campus networks or to campus networks with relatively new network devices. Owing to the many authentication points, however, this deployment makes management and maintenance harder.

Figure 3-6 Deployment of authentication control points at the access layer

[Figure 3-6 shows a PC terminal connected to an access switch that is the IEEE 802.1X authentication point at the access layer, with a convergence switch on which ACLs are configured to control access authorities. The pre-authentication domain contains the admission server, DHCP server, DNS server, and software server; the isolation domain contains the patch server and virus database server; the post-authentication domain contains the intranet, NMC, and service servers. The callouts read: 1. A terminal accesses the network. Before authentication, the terminal belongs to the Guest VLAN configured on the port. 2. The servers check the security of the terminal after authentication succeeds. If the security check fails, the authentication server delivers the Isolate VLAN to switch the user authorities. 3. After repair and the security check succeed, the authentication server delivers the Service VLAN to switch the user authorities.]


Deployment of Authentication Control Points at the Convergence Layer

Portal authentication is recommended if authentication control points are deployed at the convergence layer, as shown in Figure 3-7.

User authorities in the pre-authentication domain are restricted through the Portal Free Rule.

If the authentication of a terminal succeeds, the admission server delivers an ACL and switches the user authorities.

If a terminal is found to be insecure, the admission server delivers an ACL to isolate the terminal.

Because it needs only a few authentication points, this deployment mode suits the access of various kinds of users. Featuring convenient and flexible deployment and easy management and maintenance, it applies to scenarios in which users are scattered, or in which both wireless and wired terminals access the network. It also applies to network reconstruction scenarios in which network access control must be added with the original network structure unchanged. To solve the network security problems that result from terminals accessing each other at the access layer, configure security functions such as port isolation and DHCP snooping on the access switches.

Figure 3-7 Deployment of authentication control points at the convergence layer

(Figure: PC terminals connect through access switches to a convergence switch that is the Portal authentication point at the convergence layer. The pre-authentication domain holds the admission server, DHCP server, DNS server and software server; the isolation domain holds the patch server and virus database server; the post-authentication domain holds the NMC and service server. Callouts: 1. A user accesses the network and can reach the region defined through the Portal Free Rule, namely the pre-authentication domain. 2. If the authentication of the user succeeds but the security check fails, the TSM server delivers the Isolate ACL to change the user's access authority to that of the isolation domain. 3. After the user's security is repaired, the TSM server delivers a new ACL to change the user's authority to that of the post-authentication domain.)

Deployment of Authentication Control Points on Routers or VPN Gateways

Deploying authentication control points on routers or VPN gateways is generally used to control the access authentication of remote mobile office personnel. In this case, Portal authentication is used. The detailed deployment mode is similar to that of authentication control points at the convergence layer.


3.3 Planning Suggestions for the Solution to Access Layer Authentication

3.3.1 Application Scenarios

Current security solutions focus on protecting layer 3 and the layers above it. However, any behavior that threatens the security of layer 2 endangers the whole network. The access layer is therefore the best point at which to deploy network security control. IEEE 802.1X authentication can isolate invalid users directly at the access layer, ensuring that only valid users gain access.

To deploy the NAC solution at the access layer, the access switches must support IEEE 802.1X authentication. Because this deployment mode is simple and the control points are the closest to users, it gives the intranet the maximum security assurance. It applies to newly built networks, and also to network reconstruction scenarios in which authentication must be added with the original network security deployment unchanged.

3.3.2 Networking Planning

The solution to access layer authentication uses the traditional three-layer network structure. Deploy IEEE 802.1X or MAC authentication on access switches to authenticate accessing users and isolate invalid and insecure users. Configure ACLs on convergence switches for access authority control. Deploy the admission servers and the patch and virus database servers in the server area, in addition to the traditional service server, network management (NM) server, DHCP server, and domain name server (DNS). See Figure 3-8.


Figure 3-8 Networking of the solution to access layer authentication

(Figure: the intranet server area is divided into the pre-authentication domain (admission server, DHCP server, DNS server, software server), the isolation domain (patch server, virus database server) and the post-authentication domain (NMC, service server). A router/VPN gateway provides remote access and an AP provides mobile access; IP telephones and printers are also connected. Below the convergence switch, the access switches are the authentication points at the access layer with IEEE 802.1X authentication access for Department A, Department B, terminal access, insecure users, visitors and branch access.)

3.3.3 Planning for the NAC System

Planning for the Software System

Clients

Install the agent client software on PCs and set the authentication mode in the software to 802.1X.

Servers

− Deploy the admission servers, DHCP server, DNS server, and public software servers in the pre-authentication domain.

− Deploy the patch server and virus database servers in the isolation domain.

− Deploy the NM server and the service system in the post-authentication domain.

− Deploy active and standby admission servers according to network reliability requirements.

Planning for Network Devices

IP addresses

Use DHCP to allocate client IP addresses dynamically. To give each user a constant (effectively static) IP address through dynamic allocation, use either of the following methods:


− After a user applies for an IP address, the DHCP server binds the IP address to the MAC address. From then on, the DHCP server allocates the same IP address to the terminal with that MAC address each time the terminal goes online.

− Use DHCP Option 82 to bind an IP address to the switch, and the port on that switch, through which a terminal goes online. In this way, the same IP address is allocated to the terminal that goes online from that port.

VLAN planning

VLANs are of three types: the Guest VLAN in the pre-authentication domain, the Isolate VLAN in the isolation domain, and the VLANs in the post-authentication domain. In actual deployment, you can allocate VLANs by functional department and reserve the Guest VLAN and the Isolate VLAN.

Domain planning

Distinguish the pre-authentication domain, isolation domain, and post-authentication domain through VLAN planning. Configure ACLs on convergence switches to control the access authority of each VLAN. You can combine the pre-authentication and isolation domains into one domain according to actual deployment conditions.

Authentication configuration

− Configure IEEE 802.1X authentication and specify the EAP mode on the access devices that serve as access control points.

− Configure IEEE 802.1X authentication on the agent clients.

− Configure MAC authentication for terminals such as printers and IP telephones.

− If both printers and PCs access the network through the same port, configure MAC authentication bypass on the access devices.

3.3.4 Security Policy Planning

Configure a unified security template on the admission servers, determine the security check items in the template, and set two security levels: general and serious.

If a PC terminal commits a general (light) violation of the rules, the terminal enters the post-authentication domain after authentication, and the admission servers deliver the post-authentication domain VLAN to the access switches for authority control. Although the authorities of the terminal are not restricted, the terminal receives a violation alarm that prompts the user to repair the violation as soon as possible.

If a PC terminal commits a serious violation of the rules, the terminal enters the isolation domain after authentication. The authorities of the terminal are restricted, and the terminal receives a serious violation alarm that prompts the user to repair the violation as soon as possible. The user can perform automatic repair by pressing the relevant button. The user gains the access authorities of the post-authentication domain only after successful repair.

The NAC system performs real-time security checks. If a PC terminal violates the rules again, re-authentication is triggered, the terminal enters the isolation domain, and it receives an alarm prompt.

3.3.5 User Authority Planning

Authority control over valid users

The access layer uses IEEE 802.1X authentication and changes user authorities by switching VLANs before and after authentication. Configure ACLs on convergence switches to control the access authorities of VLAN IDs or network segments.

Authority control over invalid users


The access authorities of invalid or unauthenticated users are restricted on the access switches. They can access only the networks permitted by the Guest VLAN.

Authority control over insecure users

IEEE 802.1X authentication requires the agent client software to be installed. The admission servers work with the agent clients to check the security of the clients and distinguish terminals with different security risk levels.

− For a general violation of the security rules with small risk, for example if a user has not set a screen saver or shares files, the agent client software offers a risk prompt but does not change the user authorities.

− A serious violation of the security rules may do great harm to the intranet if it is not controlled. For example, if the patches on a terminal have not been upgraded or the virus database has not been updated, the terminal is assigned directly to the isolation domain and given a violation alarm that prompts the user to repair the violation. The agent client software provides a one-touch automatic repair function that facilitates violation repair. The agent client rechecks the security of the terminal after the repair. If the terminal complies with the security policies, the agent client automatically re-authenticates the terminal and obtains the network authorities of the post-authentication domain.

3.3.6 Reliability Planning

Deploy security functions such as DHCP snooping and IP Source Guard on access switches to prevent address theft and spoofing between users.

Bind terminals to the port of a switch to effectively restrict the access of terminals and prevent terminal theft.

3.4 Planning Suggestions for the Solution to Convergence Layer Authentication

3.4.1 Application Scenarios

Deploying authentication control points at the convergence layer applies to scenarios in which users are scattered, multiple types of terminals access the network, or both wireless and wired terminals access the network. In these cases, gateway-based Portal authentication is recommended.

This authentication mode is independent of the access devices. In this mode, terminal devices can have agent clients installed or use the forcibly pushed web mode instead. Featuring convenient and flexible deployment and easy management and maintenance, this mode applies to the access of various kinds of terminals such as PCs and handheld devices. If security access control must be added during network reconstruction with the original network structure unchanged, deploy Portal authentication directly at the convergence layer.

3.4.2 Networking Planning

The solution to convergence layer authentication uses the traditional three-layer network structure. Deploy gateway-based Portal authentication on convergence switches to authenticate accessing users and isolate invalid and insecure users. Configure ACLs on convergence switches for access authority control. Deploy the admission servers, patch server, and virus database server in the server area, in addition to the traditional service server, NM server, DHCP server, and DNS server. See Figure 3-9.


Figure 3-9 Networking of the solution to convergence layer authentication

(Figure: the intranet server area is divided into the pre-authentication domain (admission server, DHCP server, DNS server, software server), the isolation domain (patch server, virus database server) and the post-authentication domain (NMC, service server). A router/VPN gateway provides remote access and an AP provides mobile access; IP telephones and printers are also connected. The convergence switch is the authentication point at the convergence layer with Portal authentication access for Department A, Department B, new terminal access, insecure users, visitors and branch access.)

3.4.3 Planning for the NAC System

Planning for the Software System

Clients

Installation of the agent client software on PCs is optional. The default authentication mode is Portal.

Servers

− Deploy the admission servers, DHCP server, DNS server, and public software server in the pre-authentication domain.

− Deploy the patch server and virus database server in the isolation domain.

− Deploy the NM server and service system in the post-authentication domain.

− Deploy active and standby admission servers according to network reliability requirements.

Planning for Network Devices

IP addresses

Use DHCP to allocate client IP addresses dynamically. To give each user a constant (effectively static) IP address through dynamic allocation, use either of the following methods:


− After a user applies for an IP address, the DHCP server binds the IP address to the MAC address. From then on, the DHCP server allocates the same IP address to the terminal with that MAC address each time the terminal goes online.

− Use DHCP Option 82 to bind an IP address to the switch, and the port on that switch, through which a terminal goes online. In this way, the same IP address is allocated to the terminal that goes online from that port.

VLAN planning

Allocate VLANs by functional department during deployment. Place terminal devices such as printers and IP telephones in separate VLANs that do not require authentication.

Domain planning

The pre-authentication domain is the access area specified through the Portal Free Rule. The isolation and post-authentication domains are specified through ACLs delivered by the admission servers. During deployment, you can combine the pre-authentication and isolation domains into one according to the actual situation.

Authentication configuration

− Configure Portal authentication on the convergence devices that serve as access control points.

− Configure the default Portal authentication on the agent clients.

− If terminals such as printers and IP telephones are deployed in the same VLAN as PCs, configure the Portal Free Rule to assign their access authorities. If they are deployed in a VLAN different from that of the PCs, you do not need to configure authentication for that VLAN.
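Both address-binding methods above (bind to the client MAC, or bind to the switch and port carried in DHCP Option 82), as an added Python example that is not part of the Huawei proposal or the Policy Center product. It parses the Relay Agent Information option (Option 82, sub-option 1 Circuit ID and sub-option 2 Remote ID) out of a constructed DHCPDISCOVER option area and hands out sticky addresses keyed either way; the Circuit ID and Remote ID formats, client MACs and address ranges are constructed sample values, not Huawei switch formats.

```python
import ipaddress
from typing import Dict, List, Tuple

# DHCP option codes (RFC 2132) and Option 82 sub-option codes (RFC 3046).
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2


def parse_tlv(raw: bytes, outer: bool) -> Dict[int, bytes]:
    """Parse a code/length/value option area. The outer DHCP option field uses
    the one-byte PAD (0) and END (255) markers; Option 82 sub-options do not."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if outer and code == OPT_PAD:
            i += 1
            continue
        if outer and code == OPT_END:
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated option header at offset %d" % i)
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def binding_key(mac: str, options: bytes, mode: str) -> Tuple[str, ...]:
    """Key the DHCP server binds the address to: the client MAC ("mac"), or the
    relay agent's Remote ID (switch) plus Circuit ID (port) ("option82")."""
    if mode == "mac":
        return ("mac", mac.lower())
    if mode == "option82":
        opts = parse_tlv(options, outer=True)
        if OPT_RELAY_AGENT not in opts:
            # Without Option 82 the server cannot tell which port the request
            # came from; refusing is safer than silently falling back to the MAC.
            raise ValueError("Option 82 missing: relay agent information not inserted")
        subs = parse_tlv(opts[OPT_RELAY_AGENT], outer=False)
        if SUBOPT_CIRCUIT_ID not in subs or SUBOPT_REMOTE_ID not in subs:
            raise ValueError("Option 82 lacks the Circuit ID or Remote ID sub-option")
        return ("port", subs[SUBOPT_REMOTE_ID].hex(), subs[SUBOPT_CIRCUIT_ID].hex())
    raise ValueError("unknown binding mode %r" % mode)


class StickyPool:
    """Address pool that returns the same address for the same binding key."""

    def __init__(self, network: str) -> None:
        self.free: List[str] = [str(h) for h in ipaddress.ip_network(network).hosts()]
        self.bindings: Dict[Tuple[str, ...], str] = {}

    def allocate(self, key: Tuple[str, ...]) -> str:
        if key not in self.bindings:
            if not self.free:
                raise RuntimeError("address pool exhausted")
            self.bindings[key] = self.free.pop(0)
        return self.bindings[key]


def build_options(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Constructed DHCPDISCOVER option area carrying Option 82 (sample data only)."""
    sub = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
           + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    return (bytes([OPT_MSG_TYPE, 1, 1])                # message type 1 = DHCPDISCOVER
            + bytes([OPT_RELAY_AGENT, len(sub)]) + sub
            + bytes([OPT_END]))


def demo() -> Dict[str, str]:
    """Both binding methods over constructed requests; returns the allocations."""
    switch = bytes.fromhex("0011223344aa")        # constructed Remote ID (switch MAC)
    port5, port6 = b"\x00\x05", b"\x00\x06"        # constructed Circuit IDs (port numbers)
    pc_a, pc_b = "00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02"   # constructed client MACs
    out: Dict[str, str] = {}

    by_mac = StickyPool("192.0.2.0/29")            # constructed documentation range
    out["mac_a_port5"] = by_mac.allocate(binding_key(pc_a, build_options(port5, switch), "mac"))
    out["mac_a_port6"] = by_mac.allocate(binding_key(pc_a, build_options(port6, switch), "mac"))
    out["mac_b_port5"] = by_mac.allocate(binding_key(pc_b, build_options(port5, switch), "mac"))

    by_port = StickyPool("192.0.2.8/29")
    out["port5_pc_a"] = by_port.allocate(binding_key(pc_a, build_options(port5, switch), "option82"))
    out["port5_pc_b"] = by_port.allocate(binding_key(pc_b, build_options(port5, switch), "option82"))
    out["port6_pc_a"] = by_port.allocate(binding_key(pc_a, build_options(port6, switch), "option82"))
    return out
```

In MAC mode the same PC keeps its address wherever it plugs in; in Option 82 mode the address follows the port, so two different PCs on port 5 receive the same address and one PC moved to port 6 receives a new one.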

3.4.4 Security Policy Planning

Configure a unified security template on the admission servers, determine the security check items in the template, and set two security levels: general and serious.

If a PC terminal commits a general (slight) violation of the rules, the terminal enters the post-authentication domain after authentication, and the admission servers deliver the post-authentication domain VLAN to the access switches for authority control. Although the authorities of the terminal are not restricted, the terminal receives a violation alarm that prompts the user to repair the violation as soon as possible.

If a PC terminal commits a serious violation of the rules, the terminal enters the isolation domain after authentication. The authorities of the terminal are restricted, and the terminal receives a serious violation alarm that prompts the user to repair the violation as soon as possible. Users can perform automatic repair by pressing the relevant button. Users gain the access authorities of the post-authentication domain only after successful repair.

The NAC system performs real-time security checks. If a PC terminal violates the rules, re-authentication is triggered, the terminal enters the isolation domain, and it receives an alarm prompt.

3.4.5 User Authority Planning

Authority control over valid users

Portal authentication is used for access authority control at the convergence layer. The admission servers deliver ACLs to the convergence switches to control user authority.

In actual deployment, you can configure ACLs flexibly according to the departments and levels of users. The admission servers also support configuring ACLs uniformly by department, which greatly simplifies deployment.


Authority control over invalid users

Convergence switches restrict the access authorities of invalid or unauthenticated users, who can access only the network area permitted by the Portal Free Rule.

To prevent users from accessing each other directly, you can deploy port isolation or other security features on the access switches.

Authority control over insecure users

The admission servers work with the agent client to check the security of a terminal on which the agent client is installed, using a method similar to the one described in the solution to access layer authentication: the agent client raises alarms for terminals with small risks and isolates terminals with large risks. The difference is that, when the authentication solution is deployed at the convergence layer, the isolation is delivered as ACL control information rather than as a VLAN.

If a terminal does not have the agent client installed but uses web authentication, the Web Agent plug-in can also check the security of the terminal. Unlike the agent client, the Web Agent plug-in does not support automatic repair of violations.
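The posture decision described in sections 3.3.4 and 3.3.5 for the access layer and in sections 3.4.4 and 3.4.5 for the convergence layer (a general violation alarms only, a serious violation isolates; the access layer enforces by delivering a VLAN, the convergence layer by delivering an ACL; a real-time recheck that changes the domain triggers re-authentication; the Web Agent plug-in cannot repair automatically), as an added Python example that is not part of the Huawei proposal or the Policy Center product. The check item names and the VLAN and ACL labels are constructed placeholders for site-specific values.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Severity(Enum):
    GENERAL = "general"   # alarm only, authorities unchanged (e.g. no screen saver)
    SERIOUS = "serious"   # isolate until repaired (e.g. patches or virus database stale)


class Domain(Enum):
    PRE_AUTH = "pre-authentication"
    ISOLATION = "isolation"
    POST_AUTH = "post-authentication"


@dataclass(frozen=True)
class CheckItem:
    name: str
    severity: Severity


# Constructed unified security template; item names are placeholders, the kinds
# of check (screen saver, shared files, patches, virus database) are the page's.
TEMPLATE: List[CheckItem] = [
    CheckItem("screen_saver_set", Severity.GENERAL),
    CheckItem("no_shared_files", Severity.GENERAL),
    CheckItem("patches_current", Severity.SERIOUS),
    CheckItem("virus_db_current", Severity.SERIOUS),
]

# What the admission server delivers per domain: a VLAN at the access layer,
# an ACL at the convergence layer. Labels are constructed placeholders.
ENFORCEMENT: Dict[str, Dict[Domain, str]] = {
    "access": {Domain.PRE_AUTH: "Guest VLAN", Domain.ISOLATION: "Isolate VLAN",
               Domain.POST_AUTH: "Service VLAN"},
    "convergence": {Domain.PRE_AUTH: "Portal Free Rule", Domain.ISOLATION: "Isolate ACL",
                    Domain.POST_AUTH: "post-authentication ACL"},
}


@dataclass(frozen=True)
class Decision:
    domain: Domain
    delivered: str             # VLAN or ACL handed to the enforcement point
    alarm: Optional[str]       # None when the terminal is compliant


def evaluate(authenticated: bool, posture: Dict[str, bool], layer: str) -> Decision:
    """Map authentication + posture results onto a domain. A check item with no
    reported result counts as failed: the server has no evidence that it passed."""
    table = ENFORCEMENT[layer]
    if not authenticated:
        return Decision(Domain.PRE_AUTH, table[Domain.PRE_AUTH], None)
    failed = [i for i in TEMPLATE if not posture.get(i.name, False)]
    names = ", ".join(i.name for i in failed)
    if any(i.severity is Severity.SERIOUS for i in failed):
        return Decision(Domain.ISOLATION, table[Domain.ISOLATION], "serious violation: " + names)
    if failed:
        return Decision(Domain.POST_AUTH, table[Domain.POST_AUTH], "violation: " + names)
    return Decision(Domain.POST_AUTH, table[Domain.POST_AUTH], None)


class TerminalSession:
    """One terminal through authentication, real-time rechecks and repair."""

    def __init__(self, layer: str, client: str = "agent") -> None:
        self.layer = layer
        self.client = client            # "agent" or "web_agent" (no automatic repair)
        self.authenticated = False
        self.current: Optional[Decision] = None
        self.reauth_count = 0

    def authenticate(self, ok: bool, posture: Dict[str, bool]) -> Decision:
        self.authenticated = ok
        self.current = evaluate(ok, posture, self.layer)
        return self.current

    def recheck(self, posture: Dict[str, bool]) -> Decision:
        """Real-time check: a change of domain triggers re-authentication and a
        fresh VLAN/ACL delivery; an unchanged domain only refreshes the alarm."""
        new = evaluate(self.authenticated, posture, self.layer)
        if self.current is not None and new.domain is not self.current.domain:
            self.reauth_count += 1
        self.current = new
        return new

    def repair(self, posture: Dict[str, bool]) -> Dict[str, bool]:
        """One-touch repair of the agent client: returns the posture after repair.
        The Web Agent plug-in only reports, so the posture is left unchanged."""
        if self.client != "agent":
            return dict(posture)
        return {item.name: True for item in TEMPLATE}


def walkthrough() -> List[str]:
    """Access-layer terminal with stale patches: isolation, repair, Service VLAN."""
    session = TerminalSession("access")
    stale = {"screen_saver_set": True, "no_shared_files": True,
             "patches_current": False, "virus_db_current": True}
    trail = [session.authenticate(True, stale).delivered]
    trail.append(session.recheck(session.repair(stale)).delivered)
    return trail
```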

3.4.6 Reliability Planning

Deploy security functions such as DHCP snooping and IP Source Guard on access switches to prevent address theft and spoofing between users.

Bind terminals with the port of a switch to effectively restrict the access of terminals and prevent terminal theft.

To avoid user inter-access, deploy port isolation on access switches.

3.5 Planning Suggestions for the Solution to Side-Connection Authentication at the Convergence Layer

3.5.1 Application Scenarios

The solution to side-connection authentication at the convergence layer is specific to certain network upgrade scenarios, in which the network devices to be upgraded are old but the original network structure must remain unchanged. In that case, the NAC security solution can be introduced through a side-connected device installed on the network, effectively saving customer investment. In this solution the side-connected device serves as the gateway for both uplink and downlink flows, so it must have good performance.

Portal authentication is also recommended for the solution to side-connection authentication at the convergence layer. For details about the planning for the NAC system, security policy planning, user authority planning, and reliability planning, see section 3.4 "Planning Suggestions for the Solution to Convergence Layer Authentication."

3.5.2 Networking Planning

The networking of this solution is similar to that of the solution to convergence layer authentication. The difference is that a switch with the authentication function is connected at the side of the convergence switch and serves as the gateway. Deploy gateway-based Portal authentication on the side-connected switch to authenticate accessing users and to isolate invalid and insecure users. See Figure 3-10.


Figure 3-10 Networking diagram of bypass authentication solution at the convergence layer

(Figure: the intranet server area is divided into the pre-authentication domain (admission server, DHCP server, DNS server, software server), the isolation domain (patch server, virus database server) and the post-authentication domain (NMC, service server). A router/VPN gateway provides remote access and an AP provides mobile access; IP telephones and printers are also connected. A side-connected device attached to the convergence switch is the side-connected authentication point at the convergence layer, providing Portal authentication access for Department A, Department B, new terminal access, insecure users, visitors and branch access.)

3.6 Planning Suggestions for the Solution to WLAN Portal Authentication

Portal authentication is also called web authentication.

When a user opens the authentication page on the Portal server, or attempts to access another website over HTTP, the user is redirected to the web authentication page. After the user enters the account information and submits the page, the Portal server obtains the account information and sends it to the WLAN server using the Portal protocol. The WLAN server and the authentication server then exchange messages to complete user authentication.

Portal authentication provides convenient management functions. Portal websites can develop advertisement and community services and personalized businesses, so that carriers, device providers, and content and service providers can form an Internet content union. Portal authentication is frequently used on carrier or enterprise WLANs.

The Portal authentication system consists of four basic elements: client, access server, Portal server, and AAA server. Figure 3-11 shows the networking diagram. The AC functions as the access server.


Figure 3-11 Portal authentication system

(Figure: STAs associate with APs, which connect through an access switch and an aggregation switch to the AC acting as the access server; the AC connects to the IP network, and the AAA server and Portal server are reached through it.)

Portal authentication includes Layer 2 authentication and Layer 3 authentication, which differ as follows. In Layer 2 authentication, the MAC address of the server that a user wants to visit cannot be obtained, so the binding between MAC and IP addresses cannot be checked; Layer 2 authentication therefore has low security. In Layer 3 authentication, ARP request packets cannot be routed, so ARP detection cannot be used to check whether a user is online. The Layer 2 and Layer 3 authentication processes are otherwise the same, as shown in Figure 3-12.


Figure 3-12 Portal authentication system

(Figure: message sequence among the client, access server, DHCP server, Portal authentication server and AAA server. The client first obtains an IP address dynamically, the authentication steps listed below follow, and the logout process ends with accounting stopping.)

1. A dynamic user obtains an IP address through DHCP (a static user can configure the address manually).

2. The user visits the authentication page of the Portal authentication server and enters the user name and password to log in.

3. The Portal authentication server notifies the access server of the user information through internal protocols.

4. The AAA server authenticates the user.

5. The AAA server sends the authentication result to the access server.

6. The access server notifies the Portal authentication server of the authentication result.

7. The Portal authentication server displays the authentication result on the HTTP page to notify the user.

8. If the authentication succeeds, the user can access network resources.

A Portal authentication user may request the termination of service or be disconnected unexpectedly.


Figure 3-13 Request termination of service

(Figure: while the user is online and communicating, a logout request carrying the user's IP address is sent, a logout result is returned, the logout process runs, and accounting stops.)

Figure 3-13 shows the process for a user to request termination of service.

1. To go offline, the user clicks Logout on the authentication page, which sends a logout request to the Portal server.

2. The Portal server sends a logout request to the AC.

3. The AC returns a logout ACK packet to the Portal server.

4. Based on the logout ACK packet, the Portal server returns the HTTP response and directs the user to the HTTP page that contains the corresponding information.

5. When the AC receives a logout request, it sends an accounting-stop packet to the RADIUS server.

6. The RADIUS server sends a response packet to the AC.

A user is disconnected unexpectedly.

The AC detects that a user logs out. Figure 3-14 shows the process:


Figure 3-14 Unexpected user logout detected by the AC

(Figure: while the user is online and communicating, the AC detects that the user has logged out, the logout process runs, and accounting stops.)

1. The AC detects that a user has logged out and sends a logout request to the Portal server.

2. The Portal server returns a logout ACK packet.

3. After receiving the logout ACK packet, the AC sends an accounting-stop packet to the RADIUS server.

4. The RADIUS server sends a response packet to the AC.

The Portal server detects that a user logs out. Figure 3-15 shows the process:


Figure 3-15 Unexpected logout detected by the Portal server

(Figure: while the user is online and communicating, the Portal server detects that the user has logged out, the logout process runs, and accounting stops.)

1. The Portal server detects that a user has logged out and sends a logout request to the AC.

2. The AC returns a logout ACK packet.

3. When the AC receives a logout request, it sends an accounting-stop packet to the RADIUS server.

The RADIUS server sends a response packet to the A
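The login flow of Figure 3-12 and the three logout flows of Figures 3-13 to 3-15, as an added Python model that is not part of the Huawei proposal and does not implement the Portal protocol's wire format; the message names are the example's own. It adds one assumption of its own: the AC NAKs a logout request for an IP address that is not in its online-user table, so no Accounting-Stop is sent for a user who is not online. The credentials and client address are constructed.

```python
from typing import Dict, List, Tuple

Msg = Tuple[str, str, str, str]   # (sender, receiver, message kind, user IP)


class AAAServer:
    """Stands in for the RADIUS/AAA server: checks credentials, keeps accounting."""

    def __init__(self, users: Dict[str, str]) -> None:
        self.users = users
        self.accounting: List[str] = []   # IPs for which Accounting-Stop arrived

    def authenticate(self, user: str, password: str) -> bool:
        return self.users.get(user) == password

    def accounting_stop(self, ip: str) -> None:
        self.accounting.append(ip)


class AccessServer:
    """The AC: owns the online-user table and talks to the AAA server."""

    def __init__(self, aaa: AAAServer, log: List[Msg]) -> None:
        self.aaa, self.log = aaa, log
        self.online: Dict[str, str] = {}   # user IP -> user name

    def auth_request(self, ip: str, user: str, password: str) -> bool:
        self.log.append(("portal", "ac", "auth_request", ip))      # step 3
        ok = self.aaa.authenticate(user, password)                 # step 4
        self.log.append(("aaa", "ac", "auth_result", ip))          # step 5
        if ok:
            self.online[ip] = user
        self.log.append(("ac", "portal", "auth_result", ip))       # step 6
        return ok

    def logout_request(self, ip: str) -> str:
        """Logout request from the Portal server (Figures 3-13 and 3-15). Added
        assumption: an IP that is not online is NAKed, so no stray Accounting-Stop."""
        self.log.append(("portal", "ac", "logout_request", ip))
        if ip not in self.online:
            self.log.append(("ac", "portal", "logout_nak", ip))
            return "nak"
        del self.online[ip]
        self.log.append(("ac", "portal", "logout_ack", ip))
        self._accounting_stop(ip)
        return "ack"

    def detect_logout(self, ip: str) -> bool:
        """Figure 3-14: the AC itself notices that the user has gone."""
        if ip not in self.online:
            return False
        del self.online[ip]
        self.log.append(("ac", "portal", "logout_request", ip))
        self.log.append(("portal", "ac", "logout_ack", ip))
        self._accounting_stop(ip)
        return True

    def _accounting_stop(self, ip: str) -> None:
        self.log.append(("ac", "radius", "accounting_stop", ip))
        self.aaa.accounting_stop(ip)
        self.log.append(("radius", "ac", "accounting_response", ip))


class PortalServer:
    """Serves the web login page and relays credentials and logouts to the AC."""

    def __init__(self, ac: AccessServer, log: List[Msg]) -> None:
        self.ac, self.log = ac, log

    def login(self, ip: str, user: str, password: str) -> str:
        self.log.append(("client", "portal", "http_login", ip))    # step 2
        ok = self.ac.auth_request(ip, user, password)
        self.log.append(("portal", "client", "http_result", ip))   # step 7
        return "authenticated" if ok else "authentication failed"

    def logout(self, ip: str) -> str:
        """Figure 3-13: the user clicks Logout on the authentication page."""
        self.log.append(("client", "portal", "http_logout", ip))
        result = self.ac.logout_request(ip)
        self.log.append(("portal", "client", "http_result", ip))
        return result

    def detect_logout(self, ip: str) -> str:
        """Figure 3-15: the Portal server notices that the user has gone."""
        return self.ac.logout_request(ip)


def run() -> Dict[str, object]:
    """Constructed scenario: login, user-requested logout, then a stale logout."""
    log: List[Msg] = []
    aaa = AAAServer({"alice": "s3cret"})       # constructed credentials
    portal = PortalServer(AccessServer(aaa, log), log)
    ip = "192.0.2.10"                          # constructed client address
    out: Dict[str, object] = {"login": portal.login(ip, "alice", "s3cret")}
    out["online_after_login"] = ip in portal.ac.online
    out["logout"] = portal.logout(ip)
    out["accounting"] = list(aaa.accounting)
    out["stale_logout"] = portal.detect_logout(ip)
    out["kinds"] = [m[2] for m in log]
    return out
```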


4 Product Suggestions

Huawei recommends the products listed in Table 4-1 for the nodes and network elements (NEs) involved in the NAC security solution.

Table 4-1 Suggestions for component products

Component            Product/Model

Access switch        S5700, S3700, S2700

Convergence switch   S7700, S5700

Core switch          S9300

WLAN AC              S9300 AC plug-in card

Server software      Policy Center Server

Client software      Policy Center Agent

AD server            Windows 2008 Server