Have you ever wondered what the big deal with network access and AAA is?
After all, you just check the user's account and then determine which Active Directory group they are in, right? Not so fast.
Well, let me tell you: on today's networks the process of AAA is more critical than ever before. Authentication is the simple part. Is your account valid? Do your credentials match? We have focused on this for years, incorporating technology such as dual-factor authentication or one-time passcodes, but is it really enough?
There are new products on the market that take this whole concept a step further.
To give you an idea of what you are looking at, let's explore a scenario.
You want to join a country club, so you go down, select your plan, sign up, pay your dues and receive your account information, an ID card and a PIN. Simple enough.
Then one day you decide that you want to go play racquetball at the club. So you take your card and drive up to the gate of the club, swipe the card in the access control machine at the gate, then enter your PIN. The gate opens and you drive in. So far so good: the gate access device just confirmed that your account is valid and your PIN matches. You may now drive in and park.
Next you walk over to the courts and announce your intention to play tennis. Once more they ask for your card to identify your account. The trainer behind the desk looks up your account in the system to see whether it has been given access to the courts. The trainer looks up and says your account has the right attributes and you can play tennis, then directs you towards the locker room.
In the locker room you proceed to change into your tennis outfit; after changing, you step out of the locker room. This is where everything goes wrong. The trainer at the desk looks you up and down and stops you cold. You see, in the locker room you changed into a pair of blue jeans, western boots and a Panhandle Slim shirt, and pulled a guitar out of your bag.
The trainer thinks for a second … it would be very entertaining to watch you attempt to play tennis with a guitar, but the club has rules about dress on the courts. So the trainer stops you and directs you back into the locker room.
While this seems to be a somewhat ridiculous scenario, it reflects very accurately what we need on today's networks. Let's follow our user through the access cycle.
1. The user is given an account and credentials.
2. The user attempts to access the network:
   - The user presents account information
   - The user presents account credentials
3. The authentication server collects the credentials and validates the user account and credentials:
   - If the account is valid, move forward
   - If the account is not valid, block user access
4. Next, the user account attributes are read from the account information and evaluated for the right to access:
   - If your account has the correct attributes, move forward
   - If the account does not have the correct attributes, block access
5. Finally, the client is profiled and evaluated. Notice that it is the client, NOT the user, that is evaluated:
   - If the client is properly dressed for the network, allow access
   - If the client is not properly dressed for the network, deny access
The critical step is step 5. For most network access scenarios, access is granted to users based on user account validity and user account attributes. However, in today's networks users cannot and must not be trusted to bring only the prescribed devices (clients) onto the network. Regardless of the buzz phrase applied, it ends the same: BYOD, or Bring Your Own Device, mentalities have changed how we must view network access. Today many users want to use the tools they have purchased and feel best serve them in their jobs. Companies benefit from these tools and should encourage users to bring them to work; the benefits are many. The risks in BYOD are many as well.
Many users simply want to leverage company resources to conduct personal tasks or simply entertain themselves. Regardless of the reason users access the network with BYOD devices, these client devices often lack the security of corporate-provided devices, and many users couldn't care less or simply don't know they should care. It is up to our network administrators to enforce a standard level of security over these devices.
As mentioned above, step 5, "the client is profiled and evaluated", is rapidly becoming the most critical step. Today we refer to this final stage of authorization as "Endpoint Compliance", "Client Health", "Posture" or "Endpoint Profile"; it all boils down to the same thing: trust your user but know your client. Plain and simple, today's networks need an automated system to accomplish client authorization.
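As an added illustration (not from the original post and not ClearPass code), here is the access cycle above as a small policy function in Python: the user is authenticated, the account attribute is checked, and only then is the endpoint, not the user, posture-checked before access is allowed. The accounts, the group name and the posture rules are all constructed for the example.

```python
import hashlib, hmac
from dataclasses import dataclass
# Constructed sample directory, standing in for the real authentication server
# (AD, RADIUS...); plain SHA-256 of the constructed passwords, not a real scheme.
def _h(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()
ACCOUNTS = {
    "alice": {"hash": _h("alice-pass"), "groups": {"staff", "net-users"}, "enabled": True},
    "bob":   {"hash": _h("bob-pass"),   "groups": {"contractors"},        "enabled": True},
    "carol": {"hash": _h("carol-pass"), "groups": {"staff", "net-users"}, "enabled": False},
}
REQUIRED_GROUP = "net-users"   # account attribute checked at the court desk (step 4)

@dataclass
class Endpoint:               # what the client presents when it is profiled
    os: str
    av_running: bool
    disk_encrypted: bool

# Dress code for the courts (step 5): every rule a compliant endpoint must pass.
ALLOWED_OS = {"Windows 10", "Windows 11", "macOS 14"}
POSTURE_RULES = [
    ("os", lambda ep: ep.os in ALLOWED_OS),
    ("antivirus", lambda ep: ep.av_running),
    ("disk-encryption", lambda ep: ep.disk_encrypted),
]

def authenticate(user: str, password: str) -> bool:
    """Step 3: is the account valid and do the credentials match?"""
    acct = ACCOUNTS.get(user)
    if acct is None or not acct["enabled"]:
        return False
    return hmac.compare_digest(acct["hash"], _h(password))

def authorize(user: str) -> bool:
    """Step 4: does the account carry the attribute that grants access?"""
    return REQUIRED_GROUP in ACCOUNTS[user]["groups"]

def posture_failures(ep: Endpoint) -> list:
    """Step 5: profile the client, NOT the user; list every failed check."""
    return [name for name, ok in POSTURE_RULES if not ok(ep)]

def decide(user: str, password: str, ep: Endpoint) -> tuple:
    """Run the whole access cycle; returns ('allow' | 'deny', reason)."""
    if not authenticate(user, password):
        return ("deny", "authentication failed")
    if not authorize(user):
        return ("deny", "account lacks required attribute")
    failures = posture_failures(ep)
    if failures:
        return ("deny", "endpoint not compliant: " + ", ".join(failures))
    return ("allow", "user and endpoint accepted")
```

A valid user with the right group attribute is still turned away when the device fails a posture rule, which is exactly the guitar-in-the-locker-room case; a real NAC would usually route that client to a remediation network rather than a flat deny.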
Products like Aruba Networks ClearPass Policy Manager (CPPM) have a complete suite of tools to enforce network access. Modules such as the Endpoint Profiler can determine what type of client device the user is attempting to place on the network. Then there is the OnGuard module, used to determine whether the device is compliant with the company's security policies. Finally, tie all of this together in service enforcement and you have a very robust and versatile NAC solution for any network.