Huawei Policy Center
Technical Proposal
Issue 01
Date 2011-07-24
HUAWEI TECHNOLOGIES CO., LTD.
Issue 01 (2011-07-24) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd
Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://www.huawei.com
Email: [email protected]
NAC Security Solution
Technical Proposal 1 Overview of the Policy Center Solution
Contents
1 Overview of the Policy Center Solution
1.1 Background
1.1.1 Overview of Enterprise Network Security
1.2 Major Requirements
1.2.1 Authentication
1.2.2 Security Check
1.2.3 User Authorization
1.2.4 Division of Security Domains
1.3 Huawei NAC Security Solution
2 Policy Center Access Control Solution
2.1 Network Access Control
2.2 Device Profiling
2.3 Guest Management
3 Planning Suggestions for Policy Center Solution
3.1 Overview
3.1.1 Introduction to the NAC Security Solution
3.1.2 Composition of the NAC System
3.1.3 Service Capabilities of the NAC System
3.1.4 Basic Process of the NAC Security Solution
3.2 Planning Suggestions for the Authentication Solution
3.2.1 Introduction to Authentication Protocols
3.2.2 Selection of Authentication Modes and Authentication Control Points
3.3 Planning Suggestions for the Solution to Access Layer Authentication
3.3.1 Application Scenarios
3.3.2 Networking Planning
3.3.3 Planning for the NAC System
3.3.4 Security Policy Planning
3.3.5 User Authority Planning
3.3.6 Reliability Planning
3.4 Planning Suggestions for the Solution to Convergence Layer Authentication
3.4.1 Application Scenarios
3.4.2 Networking Planning
3.4.3 Planning for the NAC System
3.4.4 Security Policy Planning
3.4.5 User Authority Planning
3.4.6 Reliability Planning
3.5 Planning Suggestions for the Solution to Side-Connection Authentication at the Convergence Layer
3.5.1 Application Scenarios
3.5.2 Networking Planning
3.6 Planning Suggestions for the Solution to WLAN Portal Authentication
4 Product Suggestions
1 Overview of the Policy Center Solution
1.1 Background
1.1.1 Overview of Enterprise Network Security
As enterprise networks develop and are applied more widely, the production and operating
activities of enterprises rely more and more on networks. However, information security threats,
such as viruses, Trojan horse programs, spyware, and network attacks, also keep increasing.
According to statistics, the requirement for network security has overtaken the
requirements for network reliability, switching capability, and quality of service (QoS),
and network security has become the greatest concern of enterprise users. Network
security infrastructure has also become the focus of enterprise network construction.
In the traditional view of enterprise network construction, the enterprise intranet is
considered safe and security threats are assumed to come from outside. Therefore, most security
measures, for example deploying a firewall or an access control system, focus on protecting
networks against external attacks. In addition, these products and techniques are mutually
independent and cannot collaborate.
Experience shows, however, that many critical network security problems occur inside enterprise
intranets. Eighty percent of network security loopholes exist inside networks. These loopholes
damage networks more severely and more widely over time, and often cause system and
network breakdowns. Malicious software such as spyware and Trojan horse programs
may be unknowingly downloaded to PCs when enterprise employees browse certain websites.
The malicious software then spreads across the enterprise intranet, leading to serious security
problems.
Therefore, as security challenges keep escalating, border defense that relies only on
traditional, independently operating security measures is far from enough. Instead, the security
model must shift from passive to active, tackling network security problems at their root
(the terminals) and thereby raising the information security level of the whole enterprise.
1.2 Major Requirements
As an enterprise grows, the number of employees and terminals rises rapidly, and
network complexity increases geometrically.
The major purposes of enterprise network security are to effectively manage networks, to
update system patches and upgrade the virus library in time, and to enable network
administrators to promptly identify, isolate, and repair insecure terminals.
Enterprise network security solutions must meet requirements on authentication, security
check, user authorization, and division of security domains.
1.2.1 Authentication
Because more and more enterprise intranet problems originate from terminals, the
capability to authenticate users is a basic requirement of enterprise network security.
User authentication on ordinary terminals (for example, PCs) must meet the following requirements:
− A terminal that meets the security requirements can access the intranet normally after providing the correct user name and password.
− A terminal that does not meet the security requirements can access only the network isolation area. It can access the intranet after its security status is repaired.
− Terminals used by invalid users cannot access the intranet.
Other terminals, including printers, fax machines, and IP telephones, cannot be authenticated
through terminal software, but their validity can be verified through their MAC addresses.
1.2.2 Security Check
Latent security problems on terminals do great harm to networks. Therefore, the security
solution of an enterprise intranet must restrict the access of invalid users and perform
systematic security checks on valid users. Security check must meet the following
requirements:
The intranet checks the security status of a terminal that is about to access it. The
system must finish checking the terminal's antivirus software installation, patch updates, password strength, and screen saver before the terminal is admitted to the intranet.
The intranet must be able to respond to an insecure terminal state together with the
control devices. When an insecure terminal is found accessing the intranet, the
intranet must be able to block the terminal's access to prevent damage to the
service system. In addition, the intranet must be able to actively help the terminal repair its security status.
The intranet must be able to restrict the access authority of an insecure terminal that is not
repaired in time, stopping the terminal from accessing the intranet and avoiding network
security problems.
1.2.3 User Authorization
Currently, access control of network resources on enterprise intranets is not strict. Generally,
once a terminal has accessed the intranet, it can freely access the entire intranet. Common
firewall isolation is based on IP addresses only and cannot be flexibly configured and managed. In
addition, security risks such as IP address forgery exist. Therefore, firewall isolation
cannot completely solve the problems of illegal access and unauthorized access.
In the security solution of an enterprise intranet, the network must manage access control
rights based on the user authentication of terminals and on user roles. This strengthens the access
control of the intranet and prevents illegal and unauthorized access, thereby ensuring the security of the enterprise intranet.
1.2.4 Division of Security Domains
Administrators divide the network resources of the live network into different logical security
domains by service and security level. The system opens access authorities for different
security domains according to results of user authentication and security check. In this way,
illegal terminals are isolated and the security of the entire enterprise intranet is ensured. Table
1-1 describes the division of security domains.
Table 1-1 Division of security domains

Type                        Description
Pre-authentication domain   Network resources that terminals can access before user authentication and security check, such as DHCP servers and system servers.
Isolation domain            Network resources that terminals in the isolated state can access. A terminal whose authentication succeeds but whose security check fails is placed in the isolated state. It can then reach only the resources needed for security repair, such as antivirus update servers and patch servers.
Post-authentication domain  Network resources that terminals which pass both authentication and security check can access. Administrators authorize different terminal users to access the relevant network resources according to job relatedness and the minimum authorization principle, which effectively prevents illegal access and unauthorized access.
The security domain division described in the security solution of an enterprise intranet must
meet the following requirements:
A common terminal obtains valid public-area authorities and departmental authorities
after properly accessing the network. After a terminal is moved to another location, it
must still obtain the same network authorities.
A wireless user has the same network authorities as a wired user after properly
accessing the network. Unauthorized wireless users are denied access to the network in this domain.
A new user must have a default authority to access the network. Employees on business trips must be restricted to the relevant authorities when accessing the network.
Printers, fax machines, access control systems, and voice and video terminals on the
network must be granted authorities by class of service (CoS), so that misuse of their information ports cannot cause security problems for the network.
The network must be able to control inter-access between terminals. Terminals that have not yet been
authenticated must be restricted to the server resources configured
according to the security policy. After authentication, the trusted inter-access mode is used:
only terminals that have passed authentication can access each other.
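The following is an added example, not code from this proposal or from the Policy Center product. It shows one way to turn the requirements of sections 1.2.1, 1.2.2 and 1.2.4 and the domains of Table 1-1 into an admission decision: a terminal is placed in the pre-authentication, isolation or post-authentication domain (or rejected) from its authentication result and security check result, agentless devices are admitted by MAC prefix with class-of-service authorities, and inter-access is allowed only between post-authentication terminals. The resource names, role names and MAC prefixes are constructed for the example.

```python
# Added example (not Huawei's or the Policy Center's code): assigning a
# terminal to a security domain from its authentication and security-check
# results, following Table 1-1 and the requirements in section 1.2.
# Domain resource sets, roles and the MAC prefix table are constructed.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set


class Domain(Enum):
    PRE_AUTH = "pre-authentication"
    ISOLATION = "isolation"
    POST_AUTH = "post-authentication"


class AuthResult(Enum):
    NONE = "not yet authenticated"
    FAILED = "invalid user"
    OK = "authenticated"


# Constructed resource sets per Table 1-1.
DOMAIN_RESOURCES = {
    Domain.PRE_AUTH: {"dhcp-server", "dns-server", "software-server"},
    Domain.ISOLATION: {"patch-server", "virus-db-server"},
}

# Constructed role-based authorization for the post-authentication domain
# ("public" is the default authority every authenticated user receives).
ROLE_RESOURCES = {
    "public": {"intranet-portal", "mail"},
    "rd": {"code-repo", "build-server"},
    "finance": {"erp"},
}

# Constructed MAC prefixes for agentless devices that are authenticated by
# MAC address and granted authorities by class of service (section 1.2.4).
MAC_DEVICE_CLASSES = {
    "00:11:22": ("printer", {"print-server"}),
    "aa:bb:cc": ("ip-phone", {"voice-gateway"}),
}


@dataclass
class Terminal:
    mac: str
    user: Optional[str] = None           # None for agentless devices
    roles: Set[str] = field(default_factory=set)
    auth: AuthResult = AuthResult.NONE
    check_passed: Optional[bool] = None  # None: security check not yet done
    # There is deliberately no access-location field: the decision does not
    # depend on wired/wireless access or on the port used, so a terminal that
    # is moved keeps the same authorities (section 1.2.4).


@dataclass
class Decision:
    domain: Optional[Domain]   # None means access is rejected
    resources: Set[str]
    reason: str


def admit(t: Terminal) -> Decision:
    """Map a terminal's current state to a security domain and resource set."""
    if t.user is None:
        # Agentless device: validity is checked through the MAC address.
        oui = t.mac.lower().replace("-", ":")[:8]
        if oui in MAC_DEVICE_CLASSES:
            cls, res = MAC_DEVICE_CLASSES[oui]
            return Decision(Domain.POST_AUTH, set(res), f"mac-authenticated {cls}")
        return Decision(None, set(), "unknown agentless device rejected")
    if t.auth is AuthResult.FAILED:
        return Decision(None, set(), "invalid user rejected")
    if t.auth is AuthResult.NONE:
        return Decision(Domain.PRE_AUTH, set(DOMAIN_RESOURCES[Domain.PRE_AUTH]),
                        "awaiting authentication")
    if t.check_passed is not True:
        # Authenticated but not (yet) compliant: repair resources only.
        return Decision(Domain.ISOLATION, set(DOMAIN_RESOURCES[Domain.ISOLATION]),
                        "security check failed or pending")
    res = set(ROLE_RESOURCES["public"])
    for role in t.roles:
        res |= ROLE_RESOURCES.get(role, set())
    return Decision(Domain.POST_AUTH, res, "authenticated and compliant")


def may_communicate(a: Terminal, b: Terminal) -> bool:
    """Trusted inter-access: only two post-authentication terminals may talk."""
    return (admit(a).domain is Domain.POST_AUTH
            and admit(b).domain is Domain.POST_AUTH)


if __name__ == "__main__":
    pc = Terminal("de:ad:be:ef:00:01", "alice", {"rd"}, AuthResult.OK, True)
    print(admit(pc))
```

The ordering of the checks in admit() is the point: a failed authentication is rejected before any domain is considered, an authenticated terminal stays in the isolation domain until its check result is a definite pass, and role resources are only added on top of the default public authority once both conditions hold.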
1.3 Huawei NAC Security Solution
Huawei network access control (NAC) security solution provides integrated terminal security
protection functions through user authentication, security check, and repair and upgrade,
based on the guiding principle that only valid users and safe terminals can access the intranet.
Huawei can help enterprises construct safe intranets, ensuring normal service development
and operation of enterprises. Huawei NAC security solution starts with the security control of
terminals that access networks. In the solution, the terminal security status is combined with
network access control. The active defense capability of terminals on a network is enhanced
through check, isolation, hardening, and audit, ensuring the security of each terminal on an
enterprise intranet and thereby the security of the intranet as a whole. Figure 1-1 shows the networking of the NAC solution.
Figure 1-1 Networking of the NAC solution
[Figure not reproduced. Labels recoverable from the figure: Intranet with a pre-authentication domain (access server, DHCP server, DNS server, software server), an isolation domain (patch server, virus database server), and a post-authentication domain (NMC, service server, data center). Access sites: small branch through an AR router (branch authentication point), remote access through a router/VPN gateway (SSL VPN access), and campus network/large branch with convergence switches and access switches (authentication point at the convergence layer, authentication point at the access layer, IEEE 802.1X authentication access, portal authentication point, portal authentication access). Terminals: AP, IP telephone, printer, PC terminal, mobile access.]
Huawei NAC security solution includes the following contents:
Check the validity of a terminal user using multiple authentication methods.
Check terminals about their security loopholes, antivirus software installation, and virus
database update.
Control network access authorities of terminal users through unified access policy and security policy management.
Register and monitor desktop assets, manage peripheral equipment, and distribute software through desktop operation and maintenance.
2 Policy Center Access Control Solution
2.1 Network Access Control
The Policy Center can function with ACs/APs, Huawei Portal switches, and standard 802.1x
switches to implement network access control. It provides flexible authentication and
authorization policies based on user identities, device types, access locations, access time, and
terminal compliance check results.
(1) Based on user identity
The Policy Center authenticates and authorizes users based on the users' departments or roles.
(2) Based on device type
The Policy Center identifies and groups access devices and then authorizes them based on the
device groups to meet the complex service requirements for wireless 802.1x access and portal
access in the BYOD environment.
(3) Based on access location
The Policy Center distinguishes the switches, AP/AC devices, and SSIDs accessed by
terminals to apply different access control and authorization policies to these terminals.
(4) Based on access time
The Policy Center provides different access control and authorization policies in working
hours and non-working hours.
(5) Based on terminal compliance check result
The Policy Center authorizes terminals with an NAC client installed based on the terminal
compliance check results. It isolates terminals that fail the compliance check and helps
bring them into compliance.
The Policy Center can independently authenticate users using locally configured user
information or work with other authentication systems listed in Table 2-1.
Table 2-1 External authentication systems and protocol support

Authentication Protocol   Local User Information   AD    LDAP   Radius Token   Radius Relay
PAP                       YES                      YES   YES    YES            Rely on an external system.
CHAP                      YES                      NO    NO     NO             Rely on an external system.
EAP-PEAP-MSCHAPV2         YES                      YES   NO     NO             Rely on an external system.
EAP-MD5                   YES                      NO    NO     NO             Rely on an external system.
EAP-TLS                   YES                      YES   YES    NO             Rely on an external system.
EAP-TTLS-PAP              YES                      YES   YES    YES            Rely on an external system.
EAP-PEAP-GTC              YES                      YES   YES    YES            Rely on an external system.
If an enterprise has a complex live network and does not need to replace all network devices,
deploy an 802.1x or portal switch. The Policy Center can then interwork with the 802.1x or
portal switch, saving hardware investment. Alternatively, deploy a Huawei SACG at the core of
the enterprise network (or at the egress of a data center) and configure policy-based routes to
divert specific traffic to the SACG to protect key service resources. If an SACG is deployed,
the Policy Center controls access based only on user identities and terminal compliance check
results.
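The following is an added example, not code from this proposal or from the Policy Center product. It models the five kinds of condition listed in section 2.1 (user identity, device type, access location, access time, compliance result) as an ordered rule list in which the first matching rule decides the authorization, and it includes a check for the SACG caveat above: a rule that depends on device group, access location or time cannot be enforced when the SACG is the control point, because only identity and compliance are available there. Rule names, VLAN numbers, ACL names, SSIDs, device groups, roles and the working-hours definition are constructed.

```python
# Added example (not Huawei's or the Policy Center's code): an ordered,
# attribute-based access rule list of the kind section 2.1 describes, with
# identity, device group, access location, time and compliance conditions.
# Rule names, VLANs, ACLs, SSIDs, device groups and roles are constructed.
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set


@dataclass
class AccessRequest:
    user: str
    role: str
    device_group: str            # result of device profiling, e.g. "corp-laptop"
    access_device: str           # switch or AC the terminal connected through
    ssid: Optional[str]          # None for wired access
    compliant: Optional[bool]    # None when no NAC client is installed
    when: datetime


@dataclass
class Rule:
    name: str
    vlan: int
    acl: str
    roles: Set[str] = field(default_factory=set)           # empty = any
    device_groups: Set[str] = field(default_factory=set)   # empty = any
    access_devices: Set[str] = field(default_factory=set)  # empty = any
    ssids: Set[str] = field(default_factory=set)           # empty = any
    working_hours_only: bool = False
    require_compliant: bool = False


WORK_START, WORK_END = time(8, 0), time(18, 0)


def in_working_hours(when: datetime) -> bool:
    """Constructed definition: Monday to Friday, 08:00 to 18:00."""
    return when.weekday() < 5 and WORK_START <= when.time() < WORK_END


def matches(rule: Rule, req: AccessRequest) -> bool:
    """Every condition set on the rule must hold; unset conditions match anything."""
    if rule.roles and req.role not in rule.roles:
        return False
    if rule.device_groups and req.device_group not in rule.device_groups:
        return False
    if rule.access_devices and req.access_device not in rule.access_devices:
        return False
    if rule.ssids and req.ssid not in rule.ssids:
        return False
    if rule.working_hours_only and not in_working_hours(req.when):
        return False
    if rule.require_compliant and req.compliant is not True:
        return False
    return True


def authorize(req: AccessRequest, rules: List[Rule]) -> Rule:
    """First matching rule wins; the list should end with a catch-all."""
    for rule in rules:
        if matches(rule, req):
            return rule
    return Rule("implicit-deny", vlan=0, acl="deny-all")


def sacg_enforceable(rule: Rule) -> bool:
    """With an SACG as the control point only identity and compliance are
    available (section 2.1), so rules that need device, location or time
    conditions cannot be enforced there."""
    return not (rule.device_groups or rule.access_devices
                or rule.ssids or rule.working_hours_only)


# Constructed policy, ordered from most to least specific.
RULES = [
    Rule("rd-corp-laptop", 100, "permit-rd", roles={"rd"},
         device_groups={"corp-laptop"}, require_compliant=True),
    Rule("rd-any-device", 110, "permit-rd-restricted", roles={"rd"},
         require_compliant=True),
    Rule("byod-office-hours", 300, "internet-and-mail",
         device_groups={"byod-phone"}, ssids={"CORP-BYOD"},
         working_hours_only=True),
    Rule("guest-wifi", 900, "internet-only", roles={"guest"}, ssids={"GUEST"}),
    Rule("quarantine", 999, "isolation-domain"),   # catch-all
]
```

Keeping the most specific rule first matters here: if the catch-all were listed first, every request would land in the isolation VLAN. The sacg_enforceable() check is what an administrator would run over a rule list before moving enforcement from an 802.1x/portal switch to an SACG, to find the rules that would silently stop applying.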
2.2 Device Profiling
The Policy Center is capable of identifying terminal devices based on the device feature data
obtained by the device identification probes. Specifically, the Policy Center identifies the
device type and operating system (OS) type. The Policy Center supports the following device
identification probes:
MAC OUI probe
MAC organizationally unique identifier (OUI) refers to the first three bytes in a MAC
address. MAC OUIs are assigned to vendors by IEEE, and the Policy Center establishes
an OUI database. During a MAC OUI matching process, the system checks the first three
bytes in a MAC address against the OUI database to identify the specific vendor.
DHCP Option probe
Terminal devices send DHCP messages to obtain IP addresses from the DHCP server. A
DHCP message carries DHCP Option fields that contain device-specific feature
information, which is used to identify the device type. Currently, the Policy Center can
obtain terminal-specific DHCP Option information only from Huawei-supplied switches.
HTTP User-Agent probe
The HTTP packets sent by a terminal-specific browser carry the specific HTTP User-Agent field, which identifies the device type.
SNMP probe
For SNMP-supported network devices, SNMP can be used to retrieve the device description and SNMP OID, which identifies the terminal type.
The Policy Center supports a combination of probes and makes a comprehensive
analysis based on the feature data obtained by these probes, to obtain more accurate
terminal device type information. In BYOD application, device identification provided
by the Policy Center can collaborate with network access control to apply network
access policies specific to terminal device types, to improve IT O&M efficiency.
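The following is an added example, not code from this proposal or from the Policy Center product. It implements the four probe types of section 2.2 (MAC OUI, DHCP Option, HTTP User-Agent, SNMP) as independent evidence sources and then combines them by weighted vote, so that agreeing probes raise confidence and a conflict (for example an Apple OUI together with a Windows User-Agent) lowers it. The OUI table, the DHCP option 55 fingerprints, the User-Agent patterns, the SNMP description patterns and the probe weights are small constructed samples, not the Policy Center's databases.

```python
# Added example (not Huawei's or the Policy Center's code): combining the
# four probe types of section 2.2 into one device-type decision. The OUI
# table, DHCP fingerprints, User-Agent patterns, SNMP patterns and weights
# are constructed samples.
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Evidence = Tuple[str, Optional[str], int, str]  # (device type, OS, weight, probe)

# Constructed OUI table (first three bytes -> vendor) and vendor hints.
OUI_DB = {"00:1e:c2": "Apple", "3c:5a:b4": "Google", "00:21:5a": "HP",
          "00:0c:29": "VMware"}
VENDOR_HINTS = {"Apple": ("mobile", None), "Google": ("mobile", "Android"),
                "HP": ("printer", None)}

# Constructed DHCP option 55 (parameter request list) fingerprints.
DHCP55_FINGERPRINTS = {
    (1, 3, 6, 15, 119, 252): ("mobile", "iOS"),
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): ("pc", "Windows"),
}

UA_PATTERNS = [
    (re.compile(r"iPhone|iPad"), ("mobile", "iOS")),
    (re.compile(r"Android"), ("mobile", "Android")),
    (re.compile(r"Windows NT"), ("pc", "Windows")),
    (re.compile(r"Macintosh"), ("pc", "macOS")),
]

SNMP_DESCR_PATTERNS = [
    (re.compile(r"LaserJet", re.I), ("printer", None)),
]

# Probe weights: a vendor prefix is weak evidence, SNMP sysDescr is strong.
W_OUI, W_DHCP, W_UA, W_SNMP = 1, 3, 3, 4


def normalize_mac(mac: str) -> str:
    """Accept 00:1E:C2..., 00-1e-c2..., 001e.c2... and return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def collect_evidence(mac: str, dhcp55: Optional[Tuple[int, ...]] = None,
                     user_agent: Optional[str] = None,
                     snmp_descr: Optional[str] = None) -> List[Evidence]:
    """Run every probe for which data is available and collect its verdict."""
    ev: List[Evidence] = []
    vendor = OUI_DB.get(normalize_mac(mac)[:8])
    if vendor in VENDOR_HINTS:
        dtype, os_ = VENDOR_HINTS[vendor]
        ev.append((dtype, os_, W_OUI, f"oui:{vendor}"))
    if dhcp55 in DHCP55_FINGERPRINTS:
        dtype, os_ = DHCP55_FINGERPRINTS[dhcp55]
        ev.append((dtype, os_, W_DHCP, "dhcp-option-55"))
    if user_agent:
        for pat, (dtype, os_) in UA_PATTERNS:
            if pat.search(user_agent):
                ev.append((dtype, os_, W_UA, "http-user-agent"))
                break
    if snmp_descr:
        for pat, (dtype, os_) in SNMP_DESCR_PATTERNS:
            if pat.search(snmp_descr):
                ev.append((dtype, os_, W_SNMP, "snmp-sysdescr"))
                break
    return ev


def profile(evidence: List[Evidence]) -> Dict[str, object]:
    """Weighted vote over all probes; confidence drops when probes disagree."""
    if not evidence:
        return {"type": "unknown", "os": None, "confidence": 0.0, "probes": []}
    type_score: Dict[str, int] = defaultdict(int)
    os_score: Dict[str, int] = defaultdict(int)
    for dtype, os_, w, _ in evidence:
        type_score[dtype] += w
        if os_:
            os_score[os_] += w
    best_type = max(type_score, key=type_score.get)
    total = sum(type_score.values())
    best_os = max(os_score, key=os_score.get) if os_score else None
    return {
        "type": best_type,
        "os": best_os,
        "confidence": round(type_score[best_type] / total, 2),
        "probes": [p for t, _, _, p in evidence if t == best_type],
    }
```

A profile with confidence below 1.0 is the case an administrator should look at: it means at least one probe disagreed, which is exactly the situation (a spoofed MAC, a changed User-Agent, a laptop running a different OS than its vendor suggests) where a single-probe classifier would assign the wrong access policy.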
2.3 Guest Management
The Policy Center is capable of managing guests for enterprise users. Specifically, it manages
application, approval, distribution, authentication, and cancelation over the guest lifetime span.
The Policy Center provides the following guest management functions:
Tailors the guest application and authentication pages.
− Enables guests to tailor the registration-related pages, including the online registration and account notification pages.
− Enables guests to tailor the web login-related pages, including the login page and the page that will be displayed after a successful login.
− Enables users to tailor several authentication and registration pages.
− Redirects pages based on the browser language and geographic position of users.
− Provides a field for user-defined guest attributes. The system has default guest
attributes. When the default guest attributes are insufficient, the user-defined guest attributes can be used.
− Enables users to preview the user-defined registration and authentication pages so that the users can test and change the pages.
Enables guests to register themselves and employees to apply for guest accounts.
− Enables guests to apply for guest accounts by typing the required information on the
registration page.
− Enables users to define guest managers and allows the receptionist to apply for guest accounts.
− Provides flexible guest approval modes. The guest account applicant can specify the approval mode.
− Supports approval-free application, employee-approved application, and system administrator-approved application.
Notifies guest accounts in several ways:
− On web
− By Email
− By SMS
Provides a guest management API.
Through this API, the Policy Center can be integrated with external systems. This
integration is commonly required in the service industry. For example, the Policy Center
may be integrated with the Automatic Call Distribution (ACD) in a business outlet.
When a client is ticketing on an ACD, a guest account is created through the API. Then the client can access the Wi-Fi network using this guest account.
3 Planning Suggestions for Policy Center Solution
3.1 Overview
3.1.1 Introduction to the NAC Security Solution
Huawei NAC security solution is based on the guiding principle that only valid users and safe
terminals can access the network. Huawei combines a complete series of enterprise intranet
and security products with the Policy Center system to provide an integrated and safe NAC
solution based on user identification, security check, and repair and upgrade. In addition, the
solution has rich extension functions, providing enterprise intranets with integrated
terminal security protection.
Authentication and Access Control
In the NAC solution, the network can authenticate the validity of users that attempt to access
the network. Only valid users are allowed into the network and available resources vary with
roles and users.
Administrators can divide users into groups or define different roles, and configure different
resources for them. In this way, specific users can access only authorized specific resources.
Access Security Check and Control
The NAC solution provides security check for user terminals. Only healthy and safe user
terminals are allowed to access the network. Network administrators of an enterprise can
define their own security rules and policies for the enterprise intranet. For example, antivirus
software must be installed and running on terminals, the virus database must be up to date,
unauthorized software must not be installed on terminal systems, and terminal systems must
have the required system patches installed.
System Repair and Upgrade
If latent security problems exist in the system, Huawei NAC solution provides automatic
and manual repair and upgrade functions. The solution enables the system to be
associated with Windows Server Update Services (WSUS) so that system patches are automatically
downloaded and installed. The solution also integrates closely with commercial
antivirus software to update the virus database. In addition, the solution provides enforcement
measures that automatically terminate invalid or illegal processes.
Rich Extension Functions
Huawei NAC solution also provides extension functions such as behavior management,
software distribution, and asset management.
Behavior management
The Policy Center system provides a terminal-based employee behavior management
function that reminds terminal users to follow the enterprise behavioral norms when using terminal hosts, thus improving the security management capability of the intranet.
Software distribution
The Policy Center system provides the software distribution function to manually or
automatically distribute software on schedule to corresponding terminal hosts. Software can be distributed by department or operating system (OS).
Asset management
The Policy Center system provides the asset management function to uniformly manage
enterprise assets. The function improves efficiency, reduces maintenance costs, prevents
employees from privately modifying configurations on enterprise terminal hosts,
and reduces the risk of asset loss.
3.1.2 Composition of the NAC System
The framework of the NAC security system (NAC system for short) comprises three key
components: agent clients, network admission devices, and admission servers, as shown in
Figure 3-1.
Figure 3-1 Components of the NAC system
[Figure not reproduced. Labels recoverable from the figure: Intranet; terminal agent (special client software); network admission device (access controller, authenticator/checker); admission control server (authenticates users, checks security); admission server (virus database server, patch server, management server); CN.]
Agent Clients
Agent clients are special client software installed in the user terminal system. They associate
with admission servers to do such work as user authentication, terminal security check,
system repair and upgrade, and terminal behavior monitoring and audit.
User authentication
You can enter the user name and password after client software is installed on a terminal. Then the client software sends the user name and password to admission servers.
Terminal security check
Terminal security check is also called terminal health check. According to the security
policy delivered by the admission servers, the client software checks the security status
of the user terminal, including the OA version, system patch installation, antivirus
software installation, virus database date, and black and white lists of application
processes. After that, the client software reports the check result to the admission servers
to determine whether the terminal is secure or healthy.
System repair and upgrade
The client software accepts instructions from the admission servers. If the user terminal
does not meet the security standards, the client software requires the terminal to
automatically repair and upgrade its system, or forces the terminal to do so. After the repair, the client software reports the result to the admission servers.
Monitoring and audit
The client software monitors in real time whether the security status of the terminal host
and the user's behavior comply with the security policy, and regularly reports security
events to the admission servers for later security audit. Terminal security checks cover
patch installation on the agent client host, antivirus software, the screen saver, and
shared directories. User behavior monitoring covers operations on executable files,
network connections, accessed websites, and USB storage devices.
NAC Security Solution
Technical Proposal 3 Planning Suggestions for Policy Center Solution
Issue 01 (2011-07-24) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd
Network Admission Devices
Network admission devices are the network control points (NCPs) through which terminals
access the network. As the enforcers of enterprise security policy, they apply the
admission control decision (permit, reject, isolate, or restrict) dictated by the security
policy of the customer's network.
In the Huawei NAC solution, a network admission device can be a switch, router, wireless
access point, virtual private network (VPN) gateway, or other security device. Network
admission devices force users to authenticate before admission, reject network access by
invalid users, isolate unhealthy terminals, and provide valid users with healthy terminals
with network services.
Network admission devices have the following functions:
User authentication
Network admission devices help agent clients complete authentication. The Huawei NAC
solution supports multiple authentication modes, such as IEEE 802.1X, MAC, and Portal
authentication. In each mode, the network admission device relays the authentication exchange between the client software and the admission server.
User authority control
Network admission devices follow the user authentication process and grant each user the authorities that correspond to the result returned by the admission servers.
− Terminals before authentication have the access authorities of the pre-authentication
domain. They can access admission servers and public-domain software servers to install agent clients.
− Terminals isolated for security have the authorities of the isolation domain. They can access the virus database server and patch server.
− Terminals with successful authentication have the network authorities of the post-authentication domain. Network authorities can vary with different user roles.
Admission Servers
Admission servers include the admission control server, management server, virus database
server, and patch server.
The admission control server authenticates users, audits security, implements security policies, and works with the network admission devices to grant user authorities.
The management server manages users: it adds, deletes, or modifies user authorities,
configures users' departments, and customizes and manages security policies.
The virus database server controls automatic virus database update of antivirus software on terminals.
The patch server controls patch installation and update of OSs and application software on terminals.
3.1.3 Service Capabilities of the NAC System
The NAC security solution provides such functions as access authentication, authority control,
terminal management, attack defense, and assets management. In addition, the solution
features high reliability, flexible implementation, and open convergence.
Multiple Authentication Modes
Provide different solutions for authentication deployed at the access layer and at the
convergence layer, suitable for large campus networks.
Provide multiple authentication modes, such as IEEE 802.1X, MAC, Portal, forcibly
pushed web authentication, and Active Directory (AD) or Lightweight Directory Access
Protocol (LDAP) authentication; when combined with domain authentication, the user
authenticates only once.
Support deployment on various terminals, including PCs, non-PC terminals, wireless terminals, and IP telephones.
Provide agent clients, and ActiveX plug-ins for terminals without agent clients.
Rich Security Control Modes
Support access control list (ACL) delivery based on users and ports, and access authorities restricted to specified users.
Support authority restriction based on the user's security status.
Provide one-touch intelligent repair.
Comprehensive Terminal Management
Provide organization personnel management, policy management, behavior monitoring, and patch management.
Provide a wide range of security policies for user customization.
Provide user behavior audit functions, including USB device monitoring, management of illegal access to external networks, and process and service monitoring.
Attack Defense
Prevent terminal hosts from sending spoofed Address Resolution Protocol (ARP) messages.
Prevent terminal hosts from sending ARP flooding messages.
Provide static ARP address binding.
Efficient Assets Management
Provide abundant assets management functions, such as assets registration, assets lifecycle management, assets statistics, and assets change alarms.
Provide the functions of server platform monitoring, announcement, and remote
assistance for user management.
High Reliability
Provide remote authentication dial-in user service (RADIUS) server backup and Portal
server backup.
Provide two-node cluster hot backup, two-node cluster cold backup, and single-point
escape.
Flexible and Convenient Implementation Interface
Provide simple and easy-to-use operation interfaces with complete functions.
Provide a convenient and fast installation mode: install the system once and purchase
licenses on demand.
Rich, Flexible, Convergent, and Open Solutions
Realize centralized and unified authentication and authorization management.
Make the most of the existing network security deployment, integrating isolated solutions
in an optimal manner.
Provide flexible security checks with a large set of terminal security check policies, which can be performed throughout the user access process.
Provide industry-class security for the system itself: the NAC system controls operation
authorities by management role and records administrator operation logs, improving
operation security and traceability.
Provide high reliability. All important components of the NAC system work in
active-standby and load-balancing mode, and an escape channel lets access continue when the admission servers are unreachable.
Support installation as Windows software and authentication combined with Windows domains.
3.1.4 Basic Process of the NAC Security Solution
Figure 3-2 shows the basic process of the NAC solution, which involves the components of
agent clients, network admission devices, and admission servers.
Figure 3-2 Basic process of the NAC solution
[Figure 3-2 residue: terminal, network admission device, admission/policy server, patch/virus database server. Flow: the user enters a user name and password to initiate authentication; after authentication succeeds, the servers deliver security policies for the security check. If the check succeeds, the servers enable network authorities and the user can access the network. If the check fails, the terminal repairs its security (installs patches, upgrades the virus database) and the server audits the user; when the repair is complete, the servers enable network authorities and the user can access the network.]
The detailed process is as follows:
1. A user terminal accesses the network. Before authentication, every terminal has the
network authorities of the pre-authentication domain and can access the networks in
that domain on demand.
2. The user installs the agent client software or the Web Agent plug-in on the PC terminal,
then enters the user name and password to initiate authentication. After the terminal
is authenticated, the agent client software or Web Agent plug-in works with the
admission servers to check the security status of the terminal.
3. If the user is valid and the terminal is secure, the admission servers deliver the
corresponding network authorities to the network admission devices, which permit the user to access the networks in the post-authentication domain.
4. If the user is valid but the terminal has minor security violations, the admission
servers deliver the corresponding network authorities to the network admission devices,
which permit the user to access the post-authentication domain, and the terminal is prompted about the security risks.
5. If the user is valid but the terminal is seriously insecure, the admission servers
deliver network authorities that permit the user to access only the networks in the
isolation domain, where the patch server and the virus database server are reachable.
After the terminal is repaired, the admission servers deliver the network authorities of
the post-authentication domain.
6. The system can check the security status of an online terminal in real time. If a serious
security problem arises while the terminal is online, the terminal is isolated in the same way.
7. An authenticated terminal can install patches on demand and access the relevant servers to upgrade its virus database.
8. The policy server can audit the user.
9. A user who is invalid or unauthenticated can access only the network resources
in the pre-authentication domain.
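The decision in steps 3 to 5 (admit, admit with a prompt, or isolate) can be written down as a small policy engine. The following is an added example, not Huawei code: the check items, the "general" and "serious" levels, the field names of the posture report, the reference date and the VLAN numbers are all constructed for illustration.

```python
"""Admission decision from the terminal security check (added example; not Huawei code).

A constructed security template assigns each check item a level, "general" or
"serious". The admission server turns the agent's report into the domain whose
authorities it delivers: post-authentication, post-authentication with a prompt,
or isolation. Re-running the same check on an online terminal gives step 6.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

GENERAL, SERIOUS = "general", "serious"
TODAY = date(2011, 7, 24)          # constructed reference date
DAY = timedelta(days=1)
ISOLATE_VLAN = 999                 # constructed Isolate VLAN number


@dataclass
class Posture:
    """What the agent client reports to the admission server (constructed field names)."""
    missing_patches: set
    antivirus_installed: bool
    virus_db_date: date
    running_processes: set
    screensaver_password: bool
    shared_directories: set


@dataclass
class Template:
    """Security template configured on the admission server (constructed values)."""
    required_patches: set = field(default_factory=set)
    max_virus_db_age: timedelta = 7 * DAY
    process_blacklist: set = field(default_factory=set)


def check_terminal(posture, template, today=TODAY):
    """Return (item, level) pairs for every violated check item."""
    violations = []
    missing = template.required_patches & posture.missing_patches
    if missing:
        violations.append(("patches missing: " + ", ".join(sorted(missing)), GENERAL))
    if not posture.antivirus_installed:
        violations.append(("antivirus software not installed", SERIOUS))
    elif today - posture.virus_db_date > template.max_virus_db_age:
        violations.append(("virus database out of date", SERIOUS))
    blacklisted = template.process_blacklist & posture.running_processes
    if blacklisted:
        violations.append(("blacklisted process running: " + ", ".join(sorted(blacklisted)), SERIOUS))
    if not posture.screensaver_password:
        violations.append(("screen saver not password protected", GENERAL))
    if posture.shared_directories:
        violations.append(("shared directories: " + ", ".join(sorted(posture.shared_directories)), GENERAL))
    return violations


def decide_domain(violations):
    """Any serious violation isolates; only general ones admit with a prompt; none admit."""
    if any(level == SERIOUS for _, level in violations):
        return "isolation"
    if violations:
        return "post-authentication (prompt)"
    return "post-authentication"


def authority_to_deliver(domain, role_vlan):
    """What the server delivers to the network admission device in Guest VLAN-based
    802.1X: the Isolate VLAN, or the VLAN of the user's role (constructed numbers)."""
    vlan = ISOLATE_VLAN if domain == "isolation" else role_vlan
    return {"vlan": vlan, "prompt": domain.endswith("(prompt)")}


if __name__ == "__main__":
    template = Template(required_patches={"KB-2011-07"}, process_blacklist={"p2p.exe"})
    reported = Posture({"KB-2011-07"}, True, TODAY - 30 * DAY, {"explorer.exe"}, True, set())
    found = check_terminal(reported, template)
    print(found, decide_domain(found), authority_to_deliver(decide_domain(found), 20))
```

The one design choice worth noting is that a single serious item overrides any number of general ones, so a terminal with an up-to-date antivirus but a blacklisted process still lands in the isolation domain; the same function run again on the repaired posture returns the post-authentication domain, which is the step 5 transition.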
3.2 Planning Suggestions for the Authentication Solution
3.2.1 Introduction to Authentication Protocols
Huawei NAC security solution supports multiple network access control modes, such as IEEE
802.1X, MAC, and Portal authentication. In addition, this solution can be flexibly deployed
on multiple network devices such as access switches, convergence switches, access
controllers, and AR routers. The network devices work with the NAC terminal agents and
servers to fulfill NAC and to provide secure and reliable access control for enterprise intranets,
campus networks, and metropolitan area networks (MANs).
IEEE 802.1X Authentication
As a port-based NAC protocol, the standard IEEE 802.1X protocol is used to authenticate and
control accessed user devices at the ports of local area network (LAN) access devices.
Terminals connected to the ports can access the resources in the LAN only when the
authentication of the terminals is successful.
IEEE 802.1X authentication uses the Extensible Authentication Protocol (EAP),
implementing authentication information exchange between clients, network admission
devices, and admission servers. Encapsulated in the EAP over LAN (EAPoL) format, EAP
messages between terminals and devices are directly carried in the LAN environment.
Figure 3-3 Flowchart of IEEE 802.1X authentication
[Figure 3-3 residue: terminal agent, network admission device, admission server, patch server. User authentication runs over EAPoL/802.1X between the terminal and the device and over RADIUS between the device and the admission server. After RADIUS authentication succeeds, the admission server tells the network admission device to assign network authorities to the user by delivering a VLAN ID/ACL, and the device sends EAP Success; the security check, then repair and upgrade against the patch server, follow.]
The detailed process is as follows:
1. When a user terminal accesses the network, the agent client and the network admission device exchange the user name and password information through EAP.
2. The network admission device and the admission servers verify the terminal user through the RADIUS protocol.
3. If the terminal is authenticated successfully, the admission servers inform the
network admission device through RADIUS and deliver the corresponding ACL or the ID
of the VLAN the terminal is assigned to, which the device applies to control the authenticated user's access.
4. The network admission device sends an EAP Success message to inform the terminal.
5. The terminal agent and the admission servers exchange security status information about the terminal system and check the terminal's security.
6. If the terminal is insecure, the terminal agent starts system repair and upgrade, interacts
with related servers such as the patch server and the virus database server, and completes the repair.
If the IEEE 802.1X protocol cannot be deployed on the underlying access switch of a
customer's network for special reasons, or if several user terminals reach the access
switch through a hub, the standard port-based IEEE 802.1X protocol cannot control access
separately for each terminal.
To address this, the Huawei NAC security solution extends the standard IEEE 802.1X
protocol on switches and routers and implements MAC-based IEEE 802.1X access control,
which controls each terminal individually when multiple terminals access the network from
a single port. The Huawei NAC solution supports both port-based and MAC-based IEEE 802.1X
access control, selectable according to the customer's network.
Port-based mode: once the first user connected to the port authenticates successfully,
other users on that port can access the network without authentication. When the first
user goes offline, the other users are disconnected as well. Because any device plugged
into the same hub rides on the first user's authentication, use this mode only where a
single terminal is attached to each port.
MAC-based mode: every user connected to the port must be authenticated separately.
The NAC system controls terminal access by delivering VLAN IDs, ACLs, or both. By
control mode, IEEE 802.1X authentication is divided into Guest VLAN-based and ACL-based
authentication.
Guest VLAN-based IEEE 802.1X authentication
This is the most common 802.1X authentication mode in the industry. Terminals belong
to the Guest VLAN by default before authentication. After a terminal authenticates
successfully, the admission servers deliver the VLAN ID of the user's role, and the
terminal is switched from the Guest VLAN to the VLAN of that role.
ACL-based IEEE 802.1X authentication
In this mode, after a terminal authenticates successfully, the admission servers
deliver only a user ACL to control that user's access. With a large number of users, this mode places relatively high demands on the ACL capacity of the devices.
Admission devices first ask terminals to use IEEE 802.1X authentication. If a terminal
does not perform IEEE 802.1X authentication within a set time, the admission device
treats the terminal's MAC address as its authentication information and sends it to the
servers as the user name and password. This mode is called bypass MAC authentication.
Portal Authentication
Portal authentication is a layer-3 authentication mode. Users open the web
authentication page on the Portal server or web server and enter a user name and
password to complete authentication. With Portal authentication, no client software
needs to be installed on the terminal: when the terminal opens the Portal page, the
system performs a basic security check through an ActiveX control that is downloaded
after an automatic prompt.
Because Portal authentication works through a web page and requires no client
software, it suits visitors and travelling staff.
NOTE In Portal authentication mode, the complete terminal admission control function is still available if the client is downloaded.
Before web authentication on the Portal server, the user must first reach the authentication
page and then enter and submit the user name and password. The user reaches the
authentication page either actively or passively (that is, in forcibly pushed mode).
Figure 3-4 Flowchart of Portal authentication
[Figure 3-4 residue: terminal agent, network admission device, Portal server, admission server, patch server. The user accesses web pages; the network admission device redirects the HTTP request and pushes the web page on the Portal server; web authentication (account information) between terminal and Portal server; Portal authentication exchange between Portal server and device; RADIUS authentication exchange between device and admission server, which delivers an ACL if authentication succeeds; the authentication result is returned over Portal and over the web; then security check, repair and upgrade.]
The detailed process is as follows:
1. A user terminal accesses any web server.
2. The network admission device captures the user's HTTP request. If the destination
address of the request is not the Portal server, the device pushes the web
authentication page on the Portal server through an HTTP redirection.
3. The terminal opens the web authentication page on the Portal server. The user enters and submits the user name and password for authentication.
4. The Portal server and the network admission device exchange the user's account information through the Portal protocol.
5. The network admission device asks the admission server (the RADIUS server) to
authenticate the user through the RADIUS protocol.
6. The admission server authenticates the user and returns the result. If authentication succeeds, it also delivers the user's ACL.
7. After receiving the RADIUS result, the network admission device informs the Portal
server through the Portal protocol. If authentication succeeded, the user's network
access authorities take effect and the delivered ACL is applied to control the user's
network access.
8. The Portal server informs the terminal of the authentication result through HTTP.
9. The user downloads and installs the ActiveX control, or installs the agent client
software, on the terminal. After the terminal is authenticated, the terminal agent
exchanges security status information with the admission servers to check the
terminal's security.
10. If the terminal is insecure, the agent client starts system repair and upgrade, interacts
with related servers such as the patch server and the virus database server, and completes the repair.
NOTE In the Huawei NAC solution, the Portal server and admission servers are integrated. They can be separate functional modules deployed on the same physical server.
MAC Authentication
In certain special cases, terminal users do not want to, or cannot, authenticate by
entering a user name and password. For example, certain privileged terminals are expected
to access the network directly without authentication, and certain non-PC terminals, such
as printers and IP telephones, can neither run client software nor be authenticated or
authorized by entering a user name and password. In those cases, the network access of the
terminal is controlled through MAC authentication.
In MAC authentication, the system authenticates a terminal using the terminal's MAC
address as its proof of identity. After MAC authentication is enabled, when a terminal
accesses the network, the network admission device extracts the terminal's MAC address and
uses it as both the user name and the password for authentication. If authentication fails, the
network admission device forces the terminal offline, stops initiating authentication and
detection for a preset period, and restarts detection after the timeout. If authentication
succeeds, the switch adds the MAC address to its MAC table and the terminal can access the
network normally.
Because a MAC address is easily copied onto another host, MAC authentication identifies a
device rather than proving who is using it; give MAC-authenticated terminals only the
authorities their function requires.
MAC authentication can be performed locally or remotely through the RADIUS server. With
RADIUS authentication, the RADIUS server controls the terminal's access authorities by
delivering ACLs or VLAN IDs.
Figure 3-5 Flowchart of MAC authentication
[Figure 3-5 residue: terminals (SIP terminal, printer), network admission device, admission server. Terminals go online; the network admission device sends the terminal's MAC address through the RADIUS protocol; remote MAC authentication on the server or local MAC authentication on the device; after RADIUS authentication succeeds, the admission server delivers an ACL or VLAN ID and the terminal accesses the network.]
The detailed process of MAC authentication is as follows:
1. When a terminal goes online, the network admission device automatically extracts the
terminal's MAC address.
2. The network admission device authenticates the MAC address of the terminal.
− With RADIUS authentication, the network admission device sends the terminal's MAC
address as the user name and password to the admission servers through the RADIUS protocol.
− With local authentication, the network admission device checks the MAC address against its locally configured MAC authentication table.
3. If authentication succeeds, the network admission device assigns network
authorities to the terminal. With RADIUS authentication, the network admission
device applies the ACL or VLAN ID delivered by the RADIUS server to control the terminal's authorities.
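The RADIUS leg is the same in the IEEE 802.1X process (step 3), the Portal process (step 6) and the MAC authentication process (step 2): the network admission device sends an Access-Request, and the admission server's Access-Accept carries the VLAN ID or ACL that the device then applies. The following added example, not Huawei code, builds that exchange for MAC authentication with the packet layout of RFC 2865/2868/3580: the MAC address goes out as User-Name and as the hidden User-Password, the server checks it against a MAC table, and the device verifies the Response Authenticator before honoring the VLAN (Tunnel-Private-Group-ID) and ACL (Filter-Id). The shared secret, MAC address, VLAN number and ACL name are constructed values.

```python
"""RADIUS authority delivery between a network admission device (RADIUS client)
and an admission server (RADIUS server). Added example, not Huawei code; the
secret, MAC table, VLAN and ACL name are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6   # RFC 3580 values


def attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value


def tunnel_attr(atype, value):
    # RFC 2868 tunnel attributes carry a one-byte Tag before the value; 0 = untagged.
    return attr(atype, b"\x00" + value)


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16 bytes, XOR each chunk with MD5(secret + previous chunk)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password: the key for chunk n is MD5(secret + ciphertext n-1)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")


def parse_attrs(packet):
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_mac_auth_request(mac, secret, ident, request_auth):
    """Device side: MAC authentication sends the MAC address as user name and password."""
    attrs = attr(USER_NAME, mac.encode()) + attr(USER_PASSWORD, hide_password(mac.encode(), secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_respond(request, secret, mac_table):
    """Server side: accept a registered MAC with its VLAN and ACL, otherwise reject.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident, request_auth = request[1], request[4:20]
    fields = dict(parse_attrs(request))
    name = fields.get(USER_NAME, b"").decode()
    password = reveal_password(fields.get(USER_PASSWORD, b""), secret, request_auth)
    entry = mac_table.get(name)
    if entry is None or password != name.encode():
        code, attrs = ACCESS_REJECT, b""
    else:
        vlan, acl = entry
        code = ACCESS_ACCEPT
        attrs = (tunnel_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
                 + tunnel_attr(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
                 + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode())
                 + attr(FILTER_ID, acl.encode()))
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def nas_apply(response, request, secret):
    """Device side: drop a reply that is not for this request or whose authenticator does
    not verify (forged or tampered), then extract the VLAN ID and ACL to apply."""
    if len(response) < 20 or response[1] != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    if response[0] != ACCESS_ACCEPT:
        return {"accept": False}
    result = {"accept": True, "vlan": None, "acl": None}
    fields = dict(parse_attrs(response))
    if fields.get(TUNNEL_TYPE, b"")[1:] == TUNNEL_TYPE_VLAN.to_bytes(3, "big") and TUNNEL_PRIVATE_GROUP_ID in fields:
        result["vlan"] = int(fields[TUNNEL_PRIVATE_GROUP_ID][1:].decode())
    if FILTER_ID in fields:
        result["acl"] = fields[FILTER_ID].decode()
    return result


if __name__ == "__main__":
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))
    table = {"0011-2233-4455": (20, "acl_printer")}     # constructed MAC table
    req = build_mac_auth_request("0011-2233-4455", secret, 7, req_auth)
    print(nas_apply(server_respond(req, secret, table), req, secret))
```

Two points the exchange makes visible: the only thing binding the Access-Accept to the server is the MD5 over the shared secret, so the secret must be long and per-device and the RADIUS path kept off untrusted segments; and the "password" is the MAC address itself, which any host on the segment can read and reuse, which is why the table entry, not the protocol, carries the trust. For the 802.1X case the request carries EAP-Message attributes instead of User-Password, and RFC 3579 then also requires a Message-Authenticator (HMAC-MD5) attribute on the request.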
Comparison Between the Three Authentication Modes
Table 3-1 lists the comparison of advantages and disadvantages between IEEE 802.1X, Portal,
and MAC authentication.
Table 3-1 Comparison between the three authentication modes
Client requirements
− IEEE 802.1X authentication: mandatory.
− Portal authentication: not needed for Portal authentication itself; forcibly pushed web authentication needs a client.
− MAC authentication: not required.
Advantages
− IEEE 802.1X authentication: if deployed at the access layer, the system directly controls whether the network access port is connected or disconnected; security is high.
− Portal authentication: deployment is flexible.
− MAC authentication: no client needs to be installed.
Disadvantages
− IEEE 802.1X authentication: deployment is inflexible.
− Portal authentication: security is low.
− MAC authentication: management is complicated, and MAC addresses must be registered.
Applicable scenarios
− IEEE 802.1X authentication: newly constructed networks in which users are centralized and information security is strictly required.
− Portal authentication: flexible; suited to wireless scenarios in which users are scattered.
− MAC authentication: access authentication of SIP terminals, printers, and fax machines.
3.2.2 Selection of Authentication Modes and Authentication Control Points
As described in section 3.2.1 "Introduction to Authentication Protocols", the currently
available authentication modes include IEEE 802.1X, Portal and MAC authentication.
Authentication control points can be deployed at the access layer and convergence layer, and
on routers or VPN gateways.
Deployment of Authentication Control Points at the Access Layer
IEEE 802.1X authentication is recommended when authentication control points are
deployed at the access layer, as shown in Figure 3-6.
All terminals belong to the Guest VLAN before authentication.
If a terminal authenticates successfully, the admission server delivers the Service VLAN and switches the terminal's domain.
If a terminal is found insecure, the admission server delivers the Isolate VLAN to isolate the
terminal.
Convergence switches control user authorities according to the VLAN or network segment configuration.
Because this deployment mode is simple and the control points are closest to the users, the
intranet obtains the strongest security assurance. It suits most new campus networks and
campus networks with relatively new devices. The large number of authentication points,
however, adds to the management and maintenance burden.
Figure 3-6 Deployment of authentication control points at the access layer
[Figure 3-6 residue: access switch as the IEEE 802.1X authentication point at the access layer; pre-authentication domain (admission server, DHCP server, DNS server, software server); isolation domain (patch server, virus database server); post-authentication domain (NMC, service server); ACLs configured on the convergence switch control access authorities. Callouts: 1. A terminal accesses the network; before authentication it belongs to the Guest VLAN configured on the port. 2. After authentication succeeds, the servers check the terminal's security; if the check fails, the authentication server delivers the Isolate VLAN to switch the user's authorities. 3. After repair and a successful security check, the authentication server delivers the Service VLAN to switch the user's authorities.]
Deployment of Authentication Control Points at the Convergence Layer
Portal authentication is recommended when authentication control points are deployed at the
convergence layer, as shown in Figure 3-7.
User authorities in the pre-authentication domain are restricted through the Portal Free Rule.
If a terminal authenticates successfully, the admission server delivers an ACL
and switches the user's authorities.
If a terminal is found insecure, the admission server delivers an ACL to isolate the terminal.
With only a few authentication points, this deployment mode suits the access of varied
users. Convenient and flexible to deploy and easy to manage and maintain, it applies to
scenarios in which users are scattered, or in which both wireless and wired terminals
access the network. It also applies to network reconstruction, where network access
control is improved without changing the existing network structure. Because the control
point sits above the access layer, terminals on the same access switch can reach each
other before authentication; to contain that, configure security functions such as port
isolation and DHCP snooping on the access switches.
Figure 3-7 Deployment of authentication control points at the convergence layer
[Figure 3-7 residue: access switch; Portal authentication point at the convergence layer; pre-authentication domain (admission server, DHCP server, DNS server, software server); isolation domain (patch server, virus database server); post-authentication domain (NMC, service server). Callouts: 1. A user accesses the network and can reach the region defined by the Portal Free Rule, namely the pre-authentication domain. 2. If the user authenticates but the security check fails, the TSM server delivers the Isolate ACL to change the user's authority to that of the isolation domain. 3. After the user's security is repaired, the TSM server delivers a new ACL to change the user's authority to that of the post-authentication domain.]
Deployment of Authentication Control Points on Routers or VPN Gateways
The deployment of authentication control points on routers or VPN gateways is generally
used to control the access authentication of remote mobile office personnel. In this case,
Portal authentication is used. The detailed deployment mode is similar to that of
authentication control points at the convergence layer.
3.3 Planning Suggestions for the Solution to Access Layer Authentication
3.3.1 Application Scenarios
Current security solutions focus on protecting layer 3 and above. However, any behavior
that threatens the security of layer 2 endangers the whole network, so the access layer is
the best point at which to deploy network security control. IEEE 802.1X authentication
isolates invalid users directly at the access layer, ensuring that only valid users gain
access.
To deploy the NAC solution at the access layer, the access switches must support IEEE 802.1X
authentication. Because this deployment mode is simple and the control points are closest to
the users, the intranet obtains the strongest security assurance. This mode applies to newly
built networks, and to network reconstruction scenarios in which authentication must be
added without changing the existing network security deployment.
3.3.2 Networking Planning
The solution to access layer authentication uses the traditional three-layer network structure.
Deploy IEEE 802.1X or MAC authentication on access switches to authenticate accessed
users and isolate invalid and insecure users. Configure ACLs on convergence switches for
access authority control. Deploy admission servers and patch and virus database servers in the
server area, in addition to the traditional service server, network management (NM) server,
DHCP server, and domain name server (DNS). See Figure 3-8.
Figure 3-8 Networking of the solution to access layer authentication
[Figure 3-8 residue: intranet with pre-authentication domain (admission server, DHCP server, DNS server, software server), isolation domain (patch server, virus database server) and post-authentication domain (NMC, service server); router/VPN gateway for remote access and mobile access; convergence switch; IEEE 802.1X authentication points at the access layer for Department A, Department B and branch access; AP, IP telephone and printer terminals; insecure users and visitors.]
3.3.3 Planning for the NAC System
Planning for the Software System
Clients
Install the agent client software on PCs and set the authentication mode in the software to 802.1X.
Servers
− Deploy the admission servers, DHCP server, DNS server, and public software servers in the pre-authentication domain.
− Deploy the patch server and virus database server in the isolation domain.
− Deploy the NM server and the service system in the post-authentication domain.
− Deploy active and standby admission servers according to the network's reliability requirements.
Planning for Network Devices
IP addresses
Use DHCP to assign client IP addresses dynamically. To give each user a stable address, bind addresses in either of the following ways:
NAC Security Solution
Technical Proposal 3 Planning Suggestions for Policy CenterSolution
Issue 01 (2011-07-24) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd
26
− After a user applies for an IP address, the DHCP server binds the IP address with the
MAC address. Since then, the DHCP server allocates the same IP address to the terminal corresponding to the MAC address each time the terminal goes online.
− Use DHCP Option 82 to bind an IP address with the switch through which a terminal
goes online and the port on the switch. In this way, the same IP address is allocated to
the terminal goes online from this port.
VLAN planning
VLANs can be divided into three types: Guest VLAN in the pre-authentication domain,
Isolate VLAN in the isolation domain, and VLAN in the post-authentication domain. In
actual deployment, you can allocate VLANs by functional department, and reserve the Guest VLAN and the Isolate VLAN.
Domain planning
Distinguish the pre-authentication domain, isolation domain, and post-authentication
domain through VLAN planning. Configure ACLs on convergence switches to control
the access authority of each VLAN. You can combine the pre-authentication and isolation domains into one domain according to actual deployment conditions.
Authentication configuration
− Configure IEEE 802.1X authentication and specify the EAP mode for access devices
that serve as access control points.
− Configure IEEE 802.1X authentication for agent clients.
− Configure MAC authentication for terminals such as printers and IP telephones. MAC authentication identifies a terminal only by its MAC address, which any host can copy, so also bind these terminals to their switch ports (see section 3.3.6) rather than relying on the MAC address alone.
− If both a printer and a PC access the network from the same port, configure MAC bypass authentication on the access device, so that a terminal that does not respond to IEEE 802.1X is authenticated by its MAC address instead.
3.3.4 Security Policy Planning
Configure a unified security template on admission servers, select the security check items in the template, and assign each item a severity level: general or serious.
If a PC terminal commits only a general violation, the terminal enters the post-authentication domain after authentication, and the admission servers deliver the VLAN of the post-authentication domain to the access switch for authority control. The authorities of the terminal are not restricted, but the terminal receives a violation alarm that prompts the user to repair the violation as soon as possible.
If a PC terminal commits a serious violation, the terminal enters the isolation domain after authentication. The authorities of the terminal are restricted, and the terminal receives a serious violation alarm that prompts the user to repair the violation as soon as possible. The user can perform automatic repair by pressing the relevant button. The user gains the access authorities of the post-authentication domain only after successful repair.
The NAC system checks security in real time. If a PC terminal violates the rules again after going online, re-authentication is triggered, the terminal enters the isolation domain, and the terminal receives an alarm prompt.
3.3.5 User Authority Planning
Authority control over valid users
The access layer uses IEEE 802.1X authentication and changes user authorities by
switching VLANs before and after authentication. Configure ACLs on convergence switches to control the access authorities of VLAN IDs or network segments.
Authority control over invalid users
Access switches restrict the access authorities of invalid or unauthenticated users. Such users can reach only the network resources that the Guest VLAN is permitted to access.
Authority control over insecure users
IEEE 802.1X authentication requires the installation of agent client software. Admission
servers associate with agent clients to check the security of clients and discriminate terminals with different security risk levels.
− For a general violation with a small risk, for example, a user who has not set a screen saver or who shares files, the agent client software shows a risk prompt but does not change the user's authorities.
− A serious violation may do great harm to the intranet if it is not controlled. For example, if the patches on a terminal are not up to date or the virus database is not updated, the terminal is assigned directly to the isolation domain and given a violation alarm that prompts the user to repair the violation. The agent client software provides a one-touch automatic repair function that facilitates the repair. The agent client rechecks the security of the terminal after the repair. If the terminal complies with the security policies, the agent client automatically re-authenticates the terminal and obtains the network authorities of the post-authentication domain.
3.3.6 Reliability Planning
Deploy security functions such as DHCP snooping and IP Source Guard on access switches to prevent address theft and spoofing between users.
Bind terminals to the port of a switch to effectively restrict the access of terminals and prevent terminal theft.
3.4 Planning Suggestions for the Solution to Convergence Layer Authentication
3.4.1 Application Scenarios
The deployment of authentication control points at the convergence layer applies to the
scenarios in which users are scattered, multiple types of terminals access the network, or both
wireless and wired terminals access the network. In these cases, gateway-based Portal
authentication is recommended.
This authentication mode is independent of the access devices. In this mode, terminals can either run the agent client or use the web page that the gateway pushes to them. Because it is convenient and flexible to deploy and easy to manage and maintain, this mode suits access by many kinds of terminals, such as PCs and handheld devices. If security access control must be added during network reconstruction without changing the original network structure, deploy Portal authentication directly at the convergence layer.
3.4.2 Networking Planning
The solution to convergence layer authentication uses the traditional three-layer network
structure. Deploy gateway-based Portal authentication on convergence switches to
authenticate accessed users and isolate invalid and insecure users. Configure ACLs on
convergence switches for access authority control. Deploy the admission servers, patch server,
and virus database server in the server area, in addition to the traditional service server, NM server, DHCP server, and DNS server. See Figure 3-9.
Figure 3-9 Networking of the solution to convergence layer authentication
[Figure: the same pre-authentication domain (admission server, DHCP server, DNS server, software server), isolation domain (patch server, virus database server) and post-authentication domain (NMC, service server) as in Figure 3-8, with a router/VPN gateway for remote access and branch access. Here the convergence switch is the authentication point at the convergence layer and provides Portal authentication access for Department A, Department B, new terminal access, insecure users and visitors; AP, IP telephone, printer and mobile access terminals connect below it.]
3.4.3 Planning for the NAC System
Planning for the Software System
Clients
Installation of the agent client software on PCs is optional. The default authentication mode is Portal.
Servers
− Deploy the admission servers, DHCP server, DNS server, and public software server in the pre-authentication domain.
− Deploy the patch server and virus database server in the isolation domain.
− Deploy the NM server and service system in the post-authentication domain.
− Deploy active and standby admission servers according to network reliability requirements.
Planning for Network Devices
IP addresses
Use DHCP to assign client IP addresses dynamically. If a user must always receive the same address, bind the address in either of the following ways:
− After a user applies for an IP address, the DHCP server binds the IP address to the MAC address. From then on, the DHCP server allocates the same IP address to the terminal with that MAC address each time the terminal goes online.
− Use DHCP Option 82 to bind an IP address to the switch through which a terminal goes online and to the port on that switch. In this way, the same IP address is allocated to whichever terminal goes online from that port.
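The two fixed-address strategies above (and the identical ones in section 3.3.3) differ in what the lease follows: the client's MAC address, which any host can clone, or the relay information in Option 82, which only the switch inserts. The following is an added example, not code from the Huawei proposal or from any Huawei product: a toy DHCP allocator that implements both bindings on constructed requests. The pool, the "switch/port" string used to stand in for the Option 82 circuit ID, and the starting host index are assumptions.

```python
"""Added example (not from the Huawei proposal): a toy DHCP lease allocator
implementing the two fixed-address bindings of sections 3.3.3 and 3.4.3,
keyed on the client MAC or on the DHCP Option 82 relay information."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional


@dataclass
class DhcpRequest:
    mac: str                        # chaddr supplied by the client itself
    option82: Optional[str] = None  # "switch/port" inserted by the access switch (assumed format)


@dataclass
class DhcpServer:
    pool: IPv4Network
    binding: str = "mac"            # "mac" or "option82"
    leases: Dict[str, IPv4Address] = field(default_factory=dict)
    _next: int = 10                 # first host index handed out (assumption)

    def _key(self, req: DhcpRequest) -> str:
        if self.binding == "mac":
            return req.mac.lower()
        if req.option82 is None:
            # Option 82 binding is only meaningful when a trusted relay or
            # snooping switch inserted it; a request without it is refused.
            raise ValueError("Option 82 binding requires relay information")
        return req.option82

    def offer(self, req: DhcpRequest) -> IPv4Address:
        """Return the address bound to this client, allocating one on first sight."""
        key = self._key(req)
        if key not in self.leases:
            self.leases[key] = self.pool.network_address + self._next
            self._next += 1
        return self.leases[key]


def demo() -> Dict[str, list]:
    """Run both strategies over constructed requests and return the addresses."""
    pool = IPv4Network("10.1.20.0/24")                           # constructed pool
    pc = DhcpRequest("00:11:22:33:44:55", "sw-access-1/GE0/0/1")
    pc_moved = DhcpRequest("00:11:22:33:44:55", "sw-access-1/GE0/0/7")   # same PC, other port
    other = DhcpRequest("aa:bb:cc:dd:ee:ff", "sw-access-1/GE0/0/1")      # other PC, same port
    spoof = DhcpRequest("00:11:22:33:44:55", "sw-access-2/GE0/0/3")      # cloned MAC elsewhere
    by_mac, by_port = DhcpServer(pool, "mac"), DhcpServer(pool, "option82")
    return {
        "mac": [str(by_mac.offer(r)) for r in (pc, pc, pc_moved, other, spoof)],
        "port": [str(by_port.offer(r)) for r in (pc, pc, pc_moved, other, spoof)],
    }


if __name__ == "__main__":
    print(demo())
```

With MAC binding the cloned MAC on another switch receives the original PC's address, which is why section 3.3.6 pairs this scheme with DHCP snooping and IP Source Guard; with Option 82 binding the address stays with the port, so the Option 82 field must come from a switch the server trusts.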
VLAN planning
Allocate VLANs by functional department during deployment. Place terminal devices such as printers and IP telephones in separate VLANs that do not require authentication.
Domain planning
The pre-authentication domain is the access area specified through the Portal Free Rule. The isolation and post-authentication domains are specified through ACLs delivered by the admission servers. During deployment, the pre-authentication and isolation domains can be combined into one domain according to the actual situation.
Authentication configuration
− Configure Portal authentication for convergence devices that serve as access control points.
− Configure the default Portal authentication for agent clients.
− If terminals such as printers and IP telephones are deployed on the same VLAN as
PCs, configure the Portal Free Rule to assign their access authorities. If they are
deployed on a VLAN different from PCs, you do not need to configure authentication for the VLAN.
3.4.4 Security Policy Planning
Configure a unified security template on admission servers, select the security check items in the template, and assign each item a severity level: general or serious.
If a PC terminal commits only a general violation, the terminal enters the post-authentication domain after authentication, and the admission servers deliver the ACL of the post-authentication domain to the convergence switch for authority control (in this solution the authorization is carried by ACLs rather than VLANs, as described in section 3.4.3). The authorities of the terminal are not restricted, but the terminal receives a violation alarm that prompts the user to repair the violation as soon as possible.
If a PC terminal commits a serious violation, the terminal enters the isolation domain after authentication. The authorities of the terminal are restricted by the ACL of the isolation domain, and the terminal receives a serious violation alarm that prompts the user to repair the violation as soon as possible. Users can perform automatic repair by pressing the relevant button. Users gain the access authorities of the post-authentication domain only after successful repair.
The NAC system checks security in real time. If a PC terminal violates the rules after going online, re-authentication is triggered, the terminal enters the isolation domain, and the terminal receives an alarm prompt.
3.4.5 User Authority Planning
Authority control over valid users
Portal authentication is used for access authority control at the convergence layer. Admission servers deliver ACLs to convergence switches to control user authority.
In actual deployment, you can flexibly configure ACLs according to different
departments and levels of users. Admission servers also support uniformly configuring ACLs by department, greatly facilitating actual deployment.
Authority control over invalid users
Convergence switches restrict the access authorities of invalid or unauthenticated users, who can access only the network area permitted by the Portal Free Rule.
To prevent users from accessing each other directly, you can deploy port isolation or other security features on access switches.
Authority control over insecure users
The admission servers work with the agent client to check the security of a terminal on which the agent client is installed, using the same method as in the solution to access layer authentication: the agent client alarms terminals with small risks and isolates terminals with large risks. The difference is that in the convergence layer solution the isolation is enforced through ACL control information delivered to the convergence switch.
If a terminal does not have the agent client installed and uses web authentication, the Web Agent plug-in can also check the security of the terminal. Unlike the agent client, the Web Agent plug-in does not support automatic repair of violations.
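The decision logic of sections 3.3.4/3.3.5 and 3.4.4/3.4.5 is the same in both solutions; only the authorization that the admission server delivers differs (a VLAN at the access layer, an ACL at the convergence layer), and only the agent client, not the Web Agent plug-in, can repair automatically. The following is an added example, not code from the Huawei proposal or from the Policy Center product, that codes that decision once for both modes. The template items, VLAN IDs, ACL names and the assumption that one-touch repair fixes the serious items (patches, virus database) but not the general ones are all made up for the example.

```python
"""Added example (not from the Huawei proposal): the admission server's
decision for a checked terminal, covering the access layer (VLAN delivered)
and the convergence layer (ACL delivered). Item names and identifiers are
assumptions."""
from dataclasses import dataclass
from typing import Dict

# Unified security template: check item -> severity level (assumed items).
TEMPLATE = {
    "screen_saver_set": "general",
    "no_file_sharing": "general",
    "patches_up_to_date": "serious",
    "virus_db_up_to_date": "serious",
}

# Authorization delivered to the switch for each domain (assumed identifiers).
AUTHORIZATION = {
    "access": {"isolation": {"vlan": 30}, "post_auth": {"vlan": 100}},
    "convergence": {"isolation": {"acl": "acl-isolation-domain"},
                    "post_auth": {"acl": "acl-post-auth-domain"}},
}


@dataclass
class Decision:
    domain: str                       # "isolation" or "post_auth"
    authorization: Dict[str, object]  # what the admission server delivers
    alarm: str                        # "", "general" or "serious"
    auto_repair: bool                 # one-touch repair offered (agent client only)


def evaluate(results: Dict[str, bool], mode: str, client: str = "agent") -> Decision:
    """results maps template item -> passed; mode is 'access' or 'convergence';
    client is 'agent' (full client) or 'web_agent' (plug-in, no auto repair)."""
    unknown = set(results) - set(TEMPLATE)
    if unknown:
        raise ValueError(f"items not in the security template: {sorted(unknown)}")
    failed = [item for item, passed in results.items() if not passed]
    levels = {TEMPLATE[item] for item in failed}
    authz = AUTHORIZATION[mode]
    if "serious" in levels:
        # Serious violation: isolation domain, restricted authorities, repair required.
        return Decision("isolation", authz["isolation"], "serious", client == "agent")
    if "general" in levels:
        # General violation: full authorities, but the user is prompted to repair.
        return Decision("post_auth", authz["post_auth"], "general", False)
    return Decision("post_auth", authz["post_auth"], "", False)


def repair_and_recheck(results: Dict[str, bool], mode: str, client: str = "agent") -> Decision:
    """One-touch repair followed by the agent's re-check and re-authentication.
    Assumption: repair fixes the serious items but leaves general ones to the user."""
    first = evaluate(results, mode, client)
    if first.domain != "isolation" or not first.auto_repair:
        return first                  # nothing to repair, or Web Agent cannot repair
    repaired = {item: passed or TEMPLATE[item] == "serious" for item, passed in results.items()}
    return evaluate(repaired, mode, client)


if __name__ == "__main__":
    print(evaluate({"patches_up_to_date": False, "screen_saver_set": False}, "access"))
    print(repair_and_recheck({"patches_up_to_date": False, "screen_saver_set": False}, "convergence"))
```

Any result naming an item outside the template is rejected rather than silently ignored; an admission server that accepts unknown item names from the client would let a tampered agent report a clean check it never ran.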
3.4.6 Reliability Planning
Deploy security functions such as DHCP snooping and IP Source Guard on access switches to prevent address theft and spoofing between users.
Bind terminals with the port of a switch to effectively restrict the access of terminals and prevent terminal theft.
To avoid user inter-access, deploy port isolation on access switches.
3.5 Planning Suggestions for the Solution to Side-Connection Authentication at the Convergence Layer
3.5.1 Application Scenarios
The solution to side-connection authentication at the convergence layer is intended for certain network upgrade scenarios in which the existing network devices are old but the original network structure must remain unchanged. In that case, the NAC security solution can be introduced through a side-connected device added to the network, which protects the customer's existing investment. In this solution the side-connected device serves as the gateway for both uplink and downlink traffic, so it must have sufficient forwarding performance for the traffic of all authenticated users.
Portal authentication is also recommended for this solution. For details about the planning for the NAC system, security policy planning, user authority planning, and reliability planning, see section 3.4 "Planning Suggestions for the Solution to Convergence Layer Authentication."
3.5.2 Networking Planning
The networking of this solution is similar to that of the solution to convergence layer
authentication. The difference is that a switch having the authentication function is connected
at the side of the convergence switch. The side-connected switch serves as a gateway. Deploy
gateway-based Portal authentication on the side-connected switch to authenticate accessed users and to isolate invalid and insecure users. See Figure 3-10.
Figure 3-10 Networking diagram of the side-connection authentication solution at the convergence layer
[Figure: the same domains as in Figure 3-9 (pre-authentication domain with admission, DHCP, DNS and software servers; isolation domain with patch and virus database servers; post-authentication domain with NMC and service server) and a router/VPN gateway for remote and branch access. A side-connected device attached beside the convergence switch is the side-connected authentication point at the convergence layer and provides Portal authentication access for Department A, Department B, new terminal access, insecure users and visitors; AP, IP telephone, printer and mobile access terminals connect below.]
3.6 Planning Suggestions for the Solution to WLAN Portal Authentication
Portal authentication is also called web authentication.
When a user accesses the authentication page on the Portal server or when a user attempts to
access other websites using HTTP, the user is redirected to the web authentication page. After
the user enters the account information and submits the web page, the Portal server obtains
the account information. The Portal server sends the user account information to the WLAN
server using the Portal protocol. The WLAN server and authentication server exchange
messages to complete user authentication.
The Portal authentication can provide convenient management functions. Portal websites can
develop advertisement and community services and personalized businesses. In this manner,
carriers, device providers, and content and service providers can form an Internet content
union. The Portal authentication is frequently used on carrier or enterprise WLANs.
The Portal authentication system consists of four basic elements: client, access server, Portal
server, and AAA server. Figure 3-11 shows the networking diagram. The AC functions as an
access server.
Figure 3-11 Portal authentication system
[Figure: STAs associate with APs, which connect through an access switch and an aggregation switch to the AC (access server); the AC connects to the IP network and exchanges messages with the Portal server and the AAA server.]
Portal authentication can be performed at Layer 2 or at Layer 3. In Layer 2 authentication the access server is directly connected to the user, so it learns the user's MAC address, can check the IP/MAC binding of every packet, and can use ARP probes to detect whether the user is still online. In Layer 3 authentication the user is behind a router: ARP requests are not routed, so the access server cannot obtain the user's MAC address, cannot perform the IP/MAC binding check, and cannot use ARP detection to check whether the user is online. It identifies the user by IP address alone, which another host on the same segment can take over, so Layer 3 authentication is less secure. Apart from this, the Layer 2 and Layer 3 authentication processes are the same, as shown in Figure 3-12.
Figure 3-12 Portal authentication process
[Figure: message sequence among the client, the access server, the DHCP server, the Portal authentication server and the AAA server, covering the dynamic IP address acquisition, the login, the logout process and the accounting stop.]
1. A dynamic user obtains the IP address through DHCP (a static user can manually configure the address).
2. The user visits the authentication page of the Portal authentication server, and enters the
user name and password to log in.
3. The Portal authentication server notifies the access server of the user information
through internal protocols.
4. The AAA server authenticates the user.
5. The AAA server sends the authentication result to the access server.
6. The access server notifies the Portal authentication server of the authentication result.
7. The Portal authentication server displays the authentication result on the HTTP page to
notify the user.
8. If the authentication succeeds, the user can access network resources.
A Portal authentication user may request the termination of service or be disconnected
unexpectedly.
Figure 3-13 Request termination of service
[Figure: while the user is online and communicating, a logout request carrying the user's IP address is sent, a logout result is returned, the logout process runs and accounting stops.]
Figure 3-13 shows the process for a user to request termination of services.
1. To go offline, a user clicks Logout on the authentication page and sends a logout request
to the Portal server.
2. The Portal server sends a logout request to the AC.
3. The AC returns a logout ACK packet to the Portal server.
4. The Portal server returns the HTTP response and directs the user to the HTTP page that
contains corresponding information based on the logout ACK packet.
5. When the AC receives a logout request, it sends an accounting-stop packet to the
RADIUS server.
6. The RADIUS server sends a response packet to the AC.
When a user is disconnected unexpectedly, the logout is detected either by the AC or by the Portal server; in both cases the AC ends by sending an accounting-stop packet to the RADIUS server.
The AC detects that a user logs out. Figure 3-14 shows the process:
Figure 3-14 Unexpected user logout detected by the AC
[Figure: while the user is online and communicating, the AC detects that the user has logged out, runs the logout process and stops accounting.]
1. The AC detects that a user logs out and sends a logout request to the Portal server.
2. The Portal server returns a logout ACK packet.
3. After receiving the logout ACK packet, the AC sends an accounting-stop packet to the
RADIUS server.
4. The RADIUS server sends a response packet to the AC.
The Portal server detects that a user logs out. Figure 3-15 shows the process:
Figure 3-15 Unexpected logout detected by the Portal server
[Figure: while the user is online and communicating, the Portal server detects that the user has logged out, the logout process runs and accounting stops.]
1. The Portal server detects that a user logs out and sends a logout request to the AC.
2. The AC returns a logout ACK packet.
3. When the AC receives a logout request, it sends an accounting-stop packet to the
RADIUS server.
4. The RADIUS server sends a response packet to the AC.
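The login exchange of Figure 3-12 and the three logout paths of Figures 3-13 to 3-15 all converge on the same state in the AC: a session entry that is created only after the AAA server accepts the credentials and whose removal, whoever triggers it, is followed by an accounting-stop to the RADIUS server. The following is an added example, not code from the Huawei proposal or from any Huawei product, that models the AC, the Portal server and a RADIUS-style AAA server as three objects and also shows the Layer 2 versus Layer 3 difference described above: only a Layer 2 AC holds the user's MAC address and can reject a packet that carries an authenticated IP with a different MAC. The message names, the user table, the addresses and the session fields are assumptions; the real Portal protocol and RADIUS packet formats are not reproduced.

```python
"""Added example (not from the Huawei proposal): a model of Portal login,
logout and accounting-stop among client, AC (access server), Portal server
and AAA server, with the Layer 2 / Layer 3 binding difference. Names,
addresses and credentials are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    ip: str
    user: str
    mac: Optional[str]          # known only when the AC authenticates at Layer 2


class AAAServer:
    """Stand-in for the RADIUS server: a constructed user table and an accounting log."""

    def __init__(self, users: Dict[str, str]):
        self.users = users
        self.accounting: List[str] = []

    def authenticate(self, user: str, password: str) -> bool:   # steps 4-5
        return self.users.get(user) == password

    def accounting_stop(self, ip: str) -> str:
        self.accounting.append(f"stop {ip}")
        return "accounting-response"


class AccessController:
    """The AC as access server: keeps the online-user table and enforces it on traffic."""

    def __init__(self, aaa: AAAServer, layer: int):
        self.aaa, self.layer = aaa, layer
        self.sessions: Dict[str, Session] = {}

    def req_auth(self, ip: str, mac: Optional[str], user: str, password: str) -> bool:
        # Steps 3-6: Portal server hands over the credentials, AC asks AAA, result goes back.
        if not self.aaa.authenticate(user, password):
            return False
        self.sessions[ip] = Session(ip, user, mac if self.layer == 2 else None)
        return True

    def permit(self, ip: str, mac: str) -> bool:
        """Data-plane check on a packet: online user, plus IP/MAC binding when the AC has a MAC."""
        s = self.sessions.get(ip)
        if s is None:
            return False
        return s.mac is None or s.mac == mac      # Layer 3: no MAC, so no binding check

    def logout(self, ip: str) -> bool:
        """Common tail of Figures 3-13 to 3-15: drop the session, then accounting-stop to RADIUS."""
        if self.sessions.pop(ip, None) is None:
            return False
        self.aaa.accounting_stop(ip)
        return True


class PortalServer:
    def __init__(self, ac: AccessController):
        self.ac = ac

    def login(self, ip: str, mac: Optional[str], user: str, password: str) -> str:
        # Steps 2 and 7: user submits the form, Portal server shows the result.
        return "authenticated" if self.ac.req_auth(ip, mac, user, password) else "rejected"

    def user_logout(self, ip: str) -> str:
        # Figure 3-13: user clicks Logout, Portal server sends the logout request to the AC.
        return "logged out" if self.ac.logout(ip) else "no session"

    def detected_logout(self, ip: str) -> bool:
        # Figure 3-15: Portal server notices the user is gone and tells the AC.
        return self.ac.logout(ip)


def demo() -> Dict[str, object]:
    """Exercise login, the Layer 2/Layer 3 binding difference and the three logout paths."""
    aaa = AAAServer({"alice": "correct horse"})                  # constructed user table
    out: Dict[str, object] = {}
    for layer in (2, 3):
        ac, portal = AccessController(aaa, layer), None
        portal = PortalServer(ac)
        out[f"l{layer}_bad_password"] = portal.login("10.1.30.5", "00:11:22:33:44:55", "alice", "wrong")
        out[f"l{layer}_login"] = portal.login("10.1.30.5", "00:11:22:33:44:55", "alice", "correct horse")
        out[f"l{layer}_own_mac"] = ac.permit("10.1.30.5", "00:11:22:33:44:55")
        out[f"l{layer}_spoofed_mac"] = ac.permit("10.1.30.5", "de:ad:be:ef:00:01")  # alice's IP, other host
        out[f"l{layer}_user_logout"] = portal.user_logout("10.1.30.5")
        out[f"l{layer}_second_logout"] = portal.user_logout("10.1.30.5")
        portal.login("10.1.30.6", "00:11:22:33:44:66", "alice", "correct horse")
        out[f"l{layer}_ac_detected"] = ac.logout("10.1.30.6")           # Figure 3-14
        portal.login("10.1.30.7", "00:11:22:33:44:77", "alice", "correct horse")
        out[f"l{layer}_portal_detected"] = portal.detected_logout("10.1.30.7")
    out["accounting_stops"] = list(aaa.accounting)
    return out


if __name__ == "__main__":
    print(demo())
```

The spoofed-MAC case is the practical meaning of the Layer 2/Layer 3 remark above: at Layer 3 the AC has nothing but the IP address to identify the online user, so a host that takes over that address after the real user authenticates is forwarded as that user until the Portal server or the AC notices the logout.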
4 Product Suggestions
Huawei recommends the products listed in Table 4-1 for the nodes and network elements
(NEs) involved in the NAC security solution.
Table 4-1 Suggestions for component products
Component           Product/Model
Access switch       S5700, S3700, S2700
Convergence switch  S7700, S5700
Core switch         S9300
WLAN AC             S9300 AC plug-in card
Server software     Policy Center Server
Client software     Policy Center Agent
AD server           Windows Server 2008