5.5 Describe components of network security design
📘CCNP Encore (350-401-ENCORE-v1.1)
1. What is Network Access Control (NAC)?
Network Access Control (NAC) is a security design that controls who or what is allowed to connect to the network and what level of access they receive after connecting.
Instead of allowing any device to connect freely, NAC:
- Verifies the identity of users or devices
- Checks authentication and authorization
- Applies security policies before granting access
In enterprise networks, NAC is commonly implemented using:
- IEEE 802.1X
- MAB (MAC Authentication Bypass)
- WebAuth (Web Authentication)
These methods are often used together.
2. Why NAC is Important in Network Security Design
NAC helps to:
- Prevent unauthorized devices from accessing the network
- Control user access based on identity
- Enforce security policies at the network edge
- Reduce risk from unknown or unmanaged devices
NAC is usually enforced on:
- Switch ports
- Wireless LANs
- VPN access
3. Core Components of NAC Architecture
NAC typically uses three main components:
1. Supplicant
- The client requesting network access
- Runs on user devices (PCs, laptops, IP phones)
- Supports authentication methods (e.g., 802.1X)
2. Authenticator
- The network device that controls access
- Usually a switch or wireless controller
- Blocks or allows traffic based on authentication result
3. Authentication Server
- Validates credentials and decides access
- Commonly a RADIUS server
- Sends permit or deny decisions
4. IEEE 802.1X (Port-Based Network Access Control)
4.1 What is 802.1X?
802.1X is a port-based authentication standard that controls access to the network at Layer 2.
Before authentication:
- The port is unauthorized
- Only authentication traffic is allowed
After successful authentication:
- The port becomes authorized
- Normal network traffic is permitted
4.2 How 802.1X Works (High-Level Flow)
- Device connects to the network
- Authenticator blocks all traffic except authentication
- Device sends credentials using EAP
- Authenticator forwards credentials to RADIUS
- RADIUS validates identity
- Access is granted or denied
4.3 EAP (Extensible Authentication Protocol)
EAP is a framework used by 802.1X to carry authentication information.
Common EAP methods (exam awareness):
- EAP-TLS
- PEAP
- EAP-FAST
For ENCOR:
- You need to know EAP is used with 802.1X
- Exact configuration is not required
4.4 802.1X Authentication States
| State | Description |
|---|---|
| Unauthorized | Only EAP traffic allowed |
| Authorized | Full network access permitted |
| Failed | Access denied or limited |
4.5 Benefits of 802.1X
- Strong user or device authentication
- Dynamic policy enforcement
- Scalable for enterprise networks
- Works on wired and wireless networks
4.6 Limitations of 802.1X
- Requires client support
- Some devices cannot run a supplicant
- Configuration complexity
This leads to the need for MAB and WebAuth.
5. MAB (MAC Authentication Bypass)
5.1 What is MAB?
MAC Authentication Bypass (MAB) is a fallback authentication method used when:
- A device does not support 802.1X
- No authentication client is available
Instead of user credentials, MAB uses:
- The MAC address of the device for authentication
5.2 How MAB Works
- Device connects to a port
- No 802.1X response is received
- Switch collects device MAC address
- MAC address is sent to RADIUS
- RADIUS checks MAC address database
- Access is allowed or denied
5.3 Characteristics of MAB
- Authentication is device-based
- No user identity verification
- Less secure than 802.1X
- Easy to deploy
5.4 Common Uses of MAB in IT Environments
Used for devices such as:
- IP phones
- Printers
- Cameras
- Legacy systems
These devices often:
- Cannot run 802.1X
- Still need network access
5.5 Security Limitations of MAB
- MAC addresses can be spoofed
- No encryption of credentials
- Provides basic access control only
Because of this, MAB is often:
- Combined with restricted VLANs
- Used with additional security policies
6. Web Authentication (WebAuth)
6.1 What is WebAuth?
Web Authentication (WebAuth) is a NAC method where:
- The user is redirected to a web login page
- Authentication occurs via a browser
WebAuth is commonly used when:
- The device cannot use 802.1X
- User credentials are required
6.2 How WebAuth Works
- Device connects to the network
- Traffic is initially blocked
- User opens a web browser
- Redirected to authentication page
- User enters credentials
- RADIUS validates credentials
- Access is granted
6.3 WebAuth Characteristics
- Browser-based authentication
- User-friendly
- Does not require client software
- Works on wired and wireless networks
6.4 Types of WebAuth (Conceptual)
- Local WebAuth – credentials stored locally
- Central WebAuth – credentials validated by RADIUS
For ENCOR:
- Understand the concept, not configurations
6.5 Limitations of WebAuth
- Not suitable for non-browser devices
- Less secure than 802.1X
- Depends on user interaction
7. Comparing 802.1X, MAB, and WebAuth
| Feature | 802.1X | MAB | WebAuth |
|---|---|---|---|
| Authentication Type | User/Device | Device | User |
| Security Level | High | Low | Medium |
| Client Required | Yes | No | No |
| Automation | High | High | Low |
| Exam Importance | Very High | High | Medium |
8. NAC Design Strategy (Exam Perspective)
In a real enterprise design:
- 802.1X is the primary method
- MAB is a fallback
- WebAuth is used for temporary or limited access
All three methods can coexist on the same switch port.
9. Key Exam Points to Remember
- NAC controls who can access the network
- 802.1X uses EAP and RADIUS
- MAB uses MAC addresses
- WebAuth uses browser-based login
- 802.1X provides the strongest security
- MAB and WebAuth are supplementary methods
- NAC is enforced at the network edge
10. Summary
Network Access Control is a critical security component in modern network design.
By using 802.1X, MAB, and WebAuth, organizations can control access for different types of devices while maintaining security and flexibility.
For the CCNP ENCOR exam, focus on:
- Understanding how each method works
- Knowing when and why each is used
- Remembering their security strengths and weaknesses
