Network Access Control – CompTIA Network+ N10-006 – 2.3


Access to the network is often managed through switch configurations. In this video, you’ll learn about administrative port settings, MAC address checking, and 802.1X network access control methods.



When somebody’s discussing switch port security, they’re usually referring to access to the physical interfaces on the switch. When we talk about network security, we’re often talking about TCP ports and UDP ports. And that certainly applies to things like firewalls and port filters. But when we’re discussing switch port security, we’re talking more of what’s happening at the physical level.

One basic way to think about switch port security is to administratively enable or disable interfaces on the switch. Generally, it’s a best practice to disable any interfaces that aren’t currently in use. That way, if somebody was to walk into the closet, and plug into the switch to any open interface, that interface would be disabled. They would not gain access to the network, because you’ve administratively turned that off.

Another technique in switch port security is something called MAC address checking. Your switch is already keeping track of where all the different MAC addresses are on your network. And if a MAC address moves from one interface to another, you can tell your switch to automatically disable the interface when that move occurs, because there may be someone spoofing that MAC address to gain access to the network.
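As an added illustration (not code from the original video), here is a small model of a switch that applies both controls just described: interfaces that the administrator never enabled drop everything, and a MAC address that shows up on a second interface causes that interface to be error-disabled rather than having the forwarding table updated. The port numbers, MAC addresses and the `Switch` class are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Switch:
    """Constructed switch model: admin port state, MAC learning, MAC-move check."""
    enabled_ports: set = field(default_factory=set)   # ports the admin turned on
    mac_table: dict = field(default_factory=dict)      # MAC -> port it was learned on
    err_disabled: set = field(default_factory=set)     # ports shut after a violation
    log: list = field(default_factory=list)

    def receive(self, port: int, src_mac: str) -> str:
        """Handle one ingress frame and report what the switch did with it."""
        if port not in self.enabled_ports:
            # Unused interfaces stay administratively down, so a stray
            # cable plugged into them gets nothing.
            self.log.append(f"port {port}: admin down, frame from {src_mac} dropped")
            return "dropped-admin-down"
        if port in self.err_disabled:
            self.log.append(f"port {port}: err-disabled, frame from {src_mac} dropped")
            return "dropped-err-disabled"
        known_port = self.mac_table.get(src_mac)
        if known_port is None:
            self.mac_table[src_mac] = port          # first sighting: learn it
            return "learned"
        if known_port != port:
            # The same MAC now appears on a different interface. Instead of
            # silently moving the table entry, treat it as possible spoofing
            # and shut the interface where the duplicate appeared.
            self.err_disabled.add(port)
            self.log.append(
                f"port {port}: MAC {src_mac} moved from port {known_port}, port err-disabled")
            return "violation"
        return "forwarded"


def demo() -> list:
    """Run constructed sample traffic through the model and return the verdicts."""
    sw = Switch(enabled_ports={1, 2})
    frames = [                        # (ingress port, source MAC), constructed
        (1, "00:11:22:33:44:55"),     # learned on port 1
        (1, "00:11:22:33:44:55"),     # normal repeat traffic on the same port
        (2, "00:11:22:33:44:55"),     # same MAC appears on port 2 -> violation
        (2, "66:77:88:99:aa:bb"),     # port 2 is now err-disabled
        (3, "cc:dd:ee:ff:00:11"),     # port 3 was never enabled by the admin
    ]
    return [sw.receive(p, m) for p, m in frames]


if __name__ == "__main__":
    print(demo())
```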

A more formal method of switch port security is 802.1X. This is port-based network access control. You may see it referred to as PNAC, or simply NAC. With NAC, you can still allow all of your interfaces to be enabled, but you don’t gain access to the network unless you provide the correct authentication. We commonly see this being used on wireless networks, but it can be used on wired networks as well. It uses EAP and RADIUS to perform this authentication function. EAP is the Extensible Authentication Protocol, and RADIUS is the Remote Authentication Dial-In User Service. These are the protocols that communicate with the devices on the back end to provide the authentication we need and to enable the interfaces on the switches.

For this 802.1X conversation, we have three devices that will be participating. The first is the device that’s connecting to the network and needs the access. This is called the supplicant. In the middle is an authenticator. This is generally software that’s running inside of your switches. And on the back end is a separate server, called the authentication server.

In the first step, the supplicant connects to the network and finds during this initialization that it has no access to anything on the network. 802.1X prevents anybody new from gaining access to anything else that’s on the network. It’s the authenticator’s job to constantly send messages onto the network called EAP requests, asking if anybody is new, if somebody has just connected to the network, and giving them a chance to respond to that particular request.

Since our supplicant on this network has just connected, it sends an EAP response back to the authenticator, saying, in this particular case, that its name is James. The authenticator takes that information and communicates back to the authentication server, informing it that James has arrived on the network. The authentication server then determines whether the device is something that we can allow to authenticate, and then sends a message back to the authenticator asking whether the supplicant can communicate privately on the network.

The authenticator is always going to be the middleman between the supplicant and the authentication server. Those two devices never communicate directly with each other. They’re always communicating through the authenticator. So the authenticator takes the authentication server’s request and asks the supplicant to provide authentication details.

At this point, you’ll probably get a message on your screen to input your username and password, or any other credentials. Those credentials are then sent to the authenticator. The authenticator takes the credentials and passes them on to the authentication server, which checks the credentials and makes sure that all of that information matches what it should be in the authentication server files. If your username and password and any other credentials are correct, the authentication server then sends a message to the authenticator that says, everything looks fine, you can now let the supplicant gain access to the network.

And this is usually running in the switch, so the authenticator configures the switch port to enable the access, and then is also usually going to provide you with a configuration on that interface with the VLAN that’s generally associated with your username. That way, when you connect, if you’re part of the IT department, you’ll automatically be on the IT VLAN. If you’re part of the marketing department, you’ll be configured to be on the marketing VLAN. So not only is this process an authentication method, it’s also a way to configure the switch ports themselves to match the requirements for the user that’s connecting.
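The following is an added simulation of the 802.1X exchange walked through above; it is not code from the original video. The three roles are modelled as classes, the authenticator records every message so you can see that the supplicant and the authentication server only ever talk through it, and an accepted login opens the port on the VLAN the server returns for that user. Usernames, passwords, VLAN numbers and the hashing scheme are constructed; real deployments carry these messages in EAP over LAN and RADIUS.

```python
import hashlib
import hmac


def _credential_hash(identity: str, password: str) -> str:
    # Constructed credential-store format: SHA-256 over a per-user salt and password.
    return hashlib.sha256(f"salt:{identity}:{password}".encode()).hexdigest()


class AuthenticationServer:
    """Back-end RADIUS-style server: verifies credentials and returns the user's VLAN."""
    def __init__(self):
        self.users = {"james": (_credential_hash("james", "c0rrect-h0rse"), 10),   # IT VLAN 10
                      "maria": (_credential_hash("maria", "battery-staple"), 20)}  # marketing VLAN 20

    def access_request(self, identity: str, password: str):
        record = self.users.get(identity)
        if record and hmac.compare_digest(_credential_hash(identity, password), record[0]):
            return ("Access-Accept", record[1])       # verdict plus VLAN for the port
        return ("Access-Reject", None)


class Supplicant:
    """The connecting device; it only ever answers EAP requests from the authenticator."""
    def __init__(self, identity: str, password: str):
        self.identity, self.password = identity, password

    def eap_response(self, request: str):
        if request == "EAP-Request/Identity":
            return ("EAP-Response/Identity", self.identity)
        return ("EAP-Response/Credentials", (self.identity, self.password))


class Authenticator:
    """Runs on the switch: relays both directions and owns the port state."""
    def __init__(self, server: AuthenticationServer):
        self.server, self.ports, self.trace = server, {}, []

    def link_up(self, port: int, supplicant: Supplicant) -> dict:
        self.ports[port] = {"state": "unauthorized", "vlan": None}   # nothing passes yet
        _, identity = supplicant.eap_response("EAP-Request/Identity")
        self.trace.append(("supplicant->authenticator", "EAP-Response/Identity", identity))
        self.trace.append(("authenticator->server", "Access-Request", identity))
        # The server wants proof of identity, so the authenticator challenges the supplicant.
        _, (ident, pw) = supplicant.eap_response("EAP-Request/Credentials")
        self.trace.append(("supplicant->authenticator", "EAP-Response/Credentials", ident))
        verdict, vlan = self.server.access_request(ident, pw)
        self.trace.append(("server->authenticator", verdict, vlan))
        if verdict == "Access-Accept":
            self.ports[port] = {"state": "authorized", "vlan": vlan}  # port opened on user's VLAN
        return self.ports[port]


def demo():
    auth = Authenticator(AuthenticationServer())
    good = auth.link_up(1, Supplicant("james", "c0rrect-h0rse"))
    bad = auth.link_up(2, Supplicant("james", "wrong-password"))
    return good, bad, auth.trace
```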