AAA and 802.1X Authentication

Hello David!

The primary difference between the two is their scope.

Here’s a short overview of each. I will create a NetworkLessons note on the topic in the near future too…

802.1X:

  • 802.1X is an IEEE Standard for port-based security. It is a protocol that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.
  • It is primarily focused on the authentication phase, ensuring that only authenticated devices can connect to the network. This process involves three components: the supplicant (device wishing to connect), the authenticator (network device such as a switch or wireless access point), and the authentication server (typically a RADIUS server).
  • The key function of 802.1X is to prevent unauthorized access at the point of entry to the network. It doesn’t dictate what happens post-authentication or provide extensive policies for different users or devices beyond access control.

Network Access Control (NAC)

  • NAC is not based on a specific protocol like 802.1X. Instead, it refers to a broad collection of technologies and solutions designed to enforce security policy compliance on devices before they access the network.
  • NAC solutions offer a wide range of functionalities beyond simple authentication. These include post-admission control over devices, compliance checks (such as whether the antivirus is up to date), and the ability to enforce policies dynamically based on user role, device type, location, and other factors.
  • NAC solutions are more comprehensive in scope, providing detailed control over network access, ongoing monitoring of devices on the network, and the capability to respond to changes in device status or compliance with security policies.

So while 802.1X focuses on authenticating devices at the point of entry to the network, NAC encompasses a broader set of tools and technologies aimed at continuously managing and enforcing security policies for devices both before and after they gain access to the network. NAC can utilize 802.1X as part of its implementation but extends far beyond it in functionality and control.

I hope this has been helpful!

Laz

Hello, everyone. A quick question:

The first scenario seems a bit unusual to me. It says that it is performed with wireless connections - a MAB request is sent (so I suppose that it's for devices that don't have a supplicant installed).

If I understand it right, the user has to be authenticated by using WebAuth if its MAC address isn't stored on ISE?

As for EasyConnect, if I understand this right, MAB is used to provide a limited level of authorization for PCs that are joined to AD. The user logs in, EasyConnect captures this information, sends it to ISE and the user is authenticated?

David

Hello David

Concerning the WebAuth option, MAB in general is typically used for wired devices without supplicants, but it can also apply to wireless clients when used with WebAuth, in niche cases such as with IoT devices without 802.1X support. Here’s the flow:

  • Initial MAB Attempt: The wireless device sends its MAC address to ISE.
  • If MAC is registered: ISE grants network access, in cases such as printers or IoT devices that don’t correspond to a single user.
  • If MAC is unknown: ISE can trigger WebAuth (Captive Portal) for access. This requires ISE to:
    • Configure an Authorization Profile with a Redirect URL in ISE.
    • Use a WebAuth ACL to restrict traffic until the user completes portal authentication.

This mix allows devices without supplicants to either get basic access (via MAB) or be redirected to WebAuth for user credentials if unregistered.

Concerning EasyConnect, you are correct. Devices get temporary access via MAB before user login. User credentials then dynamically elevate privileges (no manual 802.1X supplicant config needed). This works with agent-based or native OS supplicants.

I hope this has been helpful!

Laz
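To make the decision flow from both replies above concrete (802.1X with a supplicant, MAB for a registered MAC, the WebAuth redirect for an unknown MAC, and EasyConnect elevating limited MAB access after an AD login), here is a small Python model. It is an added example, not code from this thread, from NetworkLessons, or from Cisco ISE: the MAC addresses, user store, profile names, ACL name and portal URL are all constructed placeholders, and the `fallback` parameter is an assumption used to select which of the two scenarios applies to an unknown MAC.

```python
"""Toy model of the access decisions discussed in the thread: 802.1X, MAB,
WebAuth redirect for unknown MACs, and EasyConnect privilege elevation.
Constructed example: every MAC, user, URL and profile name is made up."""
from dataclasses import dataclass
from typing import Optional

# Constructed endpoint identity groups: MACs the server already knows
# (printers / IoT devices that do not correspond to a single user).
REGISTERED_MACS = {
    "00:11:22:33:44:55": "printers",
    "66:77:88:99:aa:bb": "iot-sensors",
}
# Constructed user store standing in for AD / the RADIUS identity source.
USER_STORE = {"alice": "correct-horse", "bob": "battery-staple"}

# Authorization results the authenticator (switch / WLC) enforces.
DENY = {"profile": "DenyAccess"}
PERMIT_ACCESS = {"profile": "PermitAccess", "vlan": "employees"}
MAB_LIMITED = {"profile": "MAB-Limited", "vlan": "restricted"}
WEBAUTH_REDIRECT = {
    "profile": "WebAuth-Redirect",
    "redirect_url": "https://ise.example.test/portal",  # constructed URL
    "acl": "WEBAUTH-REDIRECT-ACL",  # permits only DNS/DHCP and the portal
}


@dataclass
class Session:
    mac: str
    authorization: dict
    user: Optional[str] = None


def check_user(username, password):
    """Credential check against the constructed identity source."""
    return username in USER_STORE and USER_STORE[username] == password


def authorize(mac, method, username=None, password=None, fallback="webauth"):
    """Initial access decision. method is 'dot1x' (supplicant present) or
    'mab'. fallback (assumed parameter) selects what an unknown MAC gets:
    'webauth' -> captive-portal redirect; 'easyconnect' -> limited MAB
    access that waits for an AD logon to elevate it."""
    mac = mac.lower()
    if method == "dot1x":
        if check_user(username, password):
            return Session(mac, PERMIT_ACCESS, username)
        return Session(mac, DENY)
    if method != "mab":
        raise ValueError(f"unknown method {method!r}")
    if mac in REGISTERED_MACS:  # known printer / IoT endpoint
        return Session(mac, PERMIT_ACCESS)
    if fallback == "webauth":
        return Session(mac, WEBAUTH_REDIRECT)
    if fallback == "easyconnect":
        return Session(mac, MAB_LIMITED)
    raise ValueError(f"unknown fallback {fallback!r}")


def webauth_login(session, username, password):
    """Captive-portal login; only meaningful while the session is redirected.
    On success the session is reauthorized to full access (a CoA in a real
    deployment); on failure the redirect ACL stays in place."""
    if session.authorization is not WEBAUTH_REDIRECT:
        return False
    if not check_user(username, password):
        return False
    session.authorization = PERMIT_ACCESS
    session.user = username
    return True


def easyconnect_login(session, username):
    """An observed AD logon for the device behind a limited MAB session
    elevates it to full access. The password was verified by AD, not here,
    so only the username is passed in."""
    if session.authorization is not MAB_LIMITED or username not in USER_STORE:
        return False
    session.authorization = PERMIT_ACCESS
    session.user = username
    return True


if __name__ == "__main__":
    s = authorize("de:ad:be:ef:00:01", "mab")
    print(s.authorization["profile"])  # unknown MAC -> WebAuth-Redirect
    print(webauth_login(s, "alice", "correct-horse"), s.authorization["profile"])
```

Running it shows the two-step nature of both scenarios: the first decision for an unknown MAC is never full access, and the elevation only happens once a user identity has been tied to the session, which is exactly where a WebAuth ACL or a restricted MAB VLAN limits what an unauthenticated device can reach in the meantime.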