What Is The Working Of Network Access Control (NAC)?
What Is Nac?
Network access control (NAC) is a solution that supports network visibility, access management through policy enforcement on devices and users of a corporate network.
Why Do We Need Nac?
In organizations now we have exponential growth of mobile devices and the endpoint that accessing their network and then they bring the security risk it very critical to have a solution that provides the visibility, access control, and compliance capabilities that are required to strengthen your network security infrastructure.
A NAC system can deny network access to a non-compliant device and place them in the quarantined area or give them only limited access to computing resources thus keeping insecure nodes from infecting the network.
What Do You Mean By Network Access?
Network access means an endpoint is connecting with our network and tries to access the network resources like accessing printer, computing resources, Internet, Camera, FTP server, Device administration, etc.
We have multiple NAC solutions available in the market and one of them is Cisco’s “Identity service Engine (ISE)”.
We have two types of Cisco ISE: –
- Virtual appliance: – We can deploy Cisco ISE in a virtual machine (VM). We can deploy a VM on any ESXi, Hypervisor, KVM and we must provide fixed resources for ISE in case of VM that mans those resources is not used by any VM.
- Physical appliance: – we can buy physical resources from Cisco.
Where can ISE help to achieve the objective of NAC?
- Wired access
- Wireless access
- VPN
- Device admin
ISE is a network security and policy platform, and it has four personas: –
- PAN: – PAN stands for “Policy Administration Node”. The first, and possibly the most important, the persona is the Administration Node. This function of Cisco ISE is important because it is how the network administrator configures and administers the network security policy.
When a network administrator needs to make or change to a security policy on Cisco ISE administrator must access the PAN GUI (Graphical User Interface). PAN, which is the central control center for cisco ISE, all policy is configured and pushed to other ISE Node or personas.
- It is a single plane of glass for ISE admin.
- Replication hub for all database configuration changes.
- Responsible for policy sync across all PSN’s and secondary nodes.
PAN provides the below features: –
- Licencing
- Admin authentication and authorization
- Admin audit
In Each ISE deployment, we must have one PSN, and Maximum we can deploy two PSN. One PSN will be primary (Active) and the other will be secondary (standby).
- PSN: – PSN stands for “Policy Serving Node”. This is the next persona in Cisco ISE deployment. This persona is the workhorse of ISE deployment. After making changes to PAN all policy is pushed to the PSN. Each network access device (NAD) can point to one or more PSN’s. When an endpoint/User authenticates to the network The NAD forwards the RADIUS Access-Request and subsequent packet to the configured PSN. The PSN has a complete security policy as pushed from PAN it will authenticate and authorize the user/endpoint.
- PSN can directly coordinate with external identity sources for user authentication.
- It can work as RADIUS and TACACS+ server and it can work as a proxy server for RADIUS and the TACACS+ server.
- In each ISE deployment, we must have one PSN and we can deploy a maximum of Fifty (50) PSN.
- Provide GUI for agent download, Guest access, Device registration, and guest onboarding.
NAD: – NAD stand for Network access device also known as a radius client.
NAD is responsible for encapsulation and decapsulation of Radius/ TACACS+ packet as well as encapsulation and decapsulation 802.1x Packet.
NAD receives 802.1x packet from the endpoint and decapsulate this packet and pull the information from this packet and again encapsulate this information into RADIUS/TACACS+ packet vice-versa.
NAD sends a request to the PSN for Implementing authorization decisions for the resources.
Blow devices are known as NAD in networking infrastructure.
- Switch
- Access Point
- Firewall (VPN Gateway)
Common authorization enforcement mechanisms:
• VLAN Assignment/VRF
• dACLs & named ACLs
MnT: – MnT stands for Monitoring and Troubleshooting Node. The function of this node is to provide the monitoring and troubleshoot function in Cisco ISE deployment. As an endpoint authenticates to ISE an event is created to keep track of the authentication and authorization process. These created events are forwarded to the MnT Node, which then consolidates and processes these events into a legible format. A network administrator requires reports to be created for whatever purpose, such as managerial slides and presentations, access reports, and so on, and this function is also provided by the MnT node.
The second function of MnT is troubleshooting. Whatever events are forwarded to MnT success or failure of authentication and authorization process. In Cisco ISE we have detailed event tracking and by this, a network administrator can easily check where the issue is in the authentication or authorization process and troubleshoot this easily.
In each ISE deployment at least one MnT node is needed and Maximum we can deploy two MnT nodes in Cisco ISE deployment. One will be the active node and the other will be the Passive node.
IPN: – IPN stand for Inline posture node. We can consider IPN as the gatekeeper between a NAD and endpoint. IPN can ensure that an endpoint is adhering to the required security policy before it is given access to the network. The IPN completes the posture assessment of the endpoint by checking Antivirus, Antispyware, OS Patch, label, and another critical parameter, and based upon this check IPN provides endpoint appropriate remediation to get endpoint compliant.
Note: – In ISE deployment is not mandatory to deploy an IPN. It is required only when our NAD is capable of holding of CoA(Change to Authorization) request or when an additional posture check is required.
In this blog, we learned NAC, Cisco NAC solution ISE and ISE personas. Zindagi Technologies has been providing security services for many years which makes us one of the trusted IT Consulting companies as we deliver what we promise. If you want security services, then give us a call or WhatsApp us on +919773973971. You can also drop us an email.
Author
Yuvraj Kumar
Senior Consultant Network Security
Understanding AAA and its need | Zindagi Technologies
November 10, 2022[…] Network Access Control […]
TACACS+ Vs. RADIUS, which is better | Zindagi Technologies
December 13, 2022[…] Administration and Network Access policies are quite different. With Device Admin, policies are created that dictate privilege […]
Cross-site scripting & its prevention | Zindagi Technologies
May 18, 2023[…] variety of issues, including the exposure of other sensitive information. Some steps to secure your Network Infrastructure are offered above to help you overcome this. You can reach us at or +919773973971 if you wish to […]