Network Requirements for openNAC Deployment
Network Access Control technologies require appropriate network segmentation; having a clear design will help to deploy a NAC solution.
We define Layer 2, Layer 3 and Layer 4 network requirements in order to guarantee a successful deployment.
- Layer 2: VLANs deployed in the network before the openNAC deployment.
- Layer 3: IP visibility between the different software pieces; routing and firewall changes could be required.
- Layer 4: TCP/UDP ports that must be open in the network to avoid integration problems.
Layer 2 Requirements
openNAC provides an easily adaptable and customizable network configuration module called ON Netconf.
openNAC establishes at least three VLANs by default, but these can be easily expanded, as explained below:
Registry VLANs:
openNAC uses Registry VLANs to register users; they can also be used to register new devices for already authenticated users. A common use case for this is BYOD.
Quarantine VLANs:
openNAC uses Quarantine VLANs for user devices that do not comply with the enterprise security policies; further actions (agent installation, patching, AV updates, etc.) can be carried out there in order to reach compliance.
Service VLANs:
openNAC uses the Service VLANs to provide access to corporate resources. There may be one or more service VLANs depending on the number of user devices and on the resource access rights. openNAC assigns user devices to the different service VLANs based on the policy compliance defined by the administrator.
Guest VLANs:
openNAC uses Guest VLANs to provide guest services in the network through a sponsorship process; auto-enrollment is also available. Guest management uses a customizable workflow.
Custom VLANs:
openNAC can add further VLANs to provide more flexibility.
Layer 3 and 4 Requirements
[*] Depending on the customer's proxy settings.
[*] Core Master and Agg. Master are only service IPs on a virtual network interface, not a load-balancing service.
We assume a common scenario where an endpoint is going to be authenticated via wired and WiFi networks:
At point 1 and point 6 the authentication process starts and finishes at the network device; this stage uses EAPOL.
At point 2 and point 5 the network device encapsulates and decapsulates the request into the RADIUS protocol.
At point 3 and point 4 the openNAC Core uses its Active Directory integration to check the credentials. To be ready for this integration, the following network access is required: Kerberos access, NTP synchronization, LDAP queries, NetBIOS and so on.
Default VLAN assignment can be decided by looking at the presentation and reviewing the RADIUS exchange: different parameters such as the VLAN name or the VLAN ID can be identified and used. In the following example the openNAC Core sends these parameters empty, so the assignment of the user port to the proper VLAN is left to the network device's own criteria.
This communication is available for several OSs, using SSL/TLS on port 443 (HTTPS).
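The VLAN classes from the Layer 2 section and the RADIUS-based assignment described above come together in the Access-Accept the Core returns to the switch or WLAN controller. The following Python is an added example written for this page, not openNAC code: it maps an endpoint's policy state to one of the page's VLAN classes (registry, quarantine, service, guest) and expresses that as the standard RFC 2868 Tunnel-* attributes, using either the VLAN ID or the VLAN name in Tunnel-Private-Group-ID. When the policy has no decision yet it returns no attributes at all, which is the "empty parameters" case where the network device applies its own default. The VLAN IDs, the `Endpoint` fields and the function names are assumptions made for the example.

```python
"""Policy state -> VLAN class -> RADIUS Tunnel-* attributes.

Added example, not openNAC code. VLAN IDs and the Endpoint shape are
assumptions; the attribute numbers and enumerations are from RFC 2868.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Union

# RADIUS attribute numbers and values defined in RFC 2868.
TUNNEL_TYPE = 64               # Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65        # Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81   # Tunnel-Private-Group-ID: VLAN ID or name
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802

# Constructed VLAN plan following the VLAN classes described on the page.
# The numeric IDs are assumptions for this example, not product defaults.
VLAN_PLAN: Dict[str, int] = {
    "registry": 100,
    "quarantine": 200,
    "service": 300,
    "guest": 400,
}


@dataclass
class Endpoint:
    """Outcome of the checks run for one session (assumed shape)."""
    authenticated: bool          # credentials accepted (e.g. by Active Directory)
    registered: bool             # device already known in the inventory
    compliant: Optional[bool]    # None = posture not evaluated yet
    guest: bool = False          # came in through the guest / sponsor flow


def choose_vlan(ep: Endpoint) -> Optional[str]:
    """Pick the VLAN class for the endpoint.

    Returns None when the policy has nothing to say yet; the caller then
    sends no Tunnel-* attributes and the network device keeps its own
    default VLAN for the port (the empty-parameters case in the text).
    """
    if ep.guest:
        return "guest"
    if not ep.authenticated or not ep.registered:
        return "registry"        # unknown user or device: must enrol first
    if ep.compliant is False:
        return "quarantine"      # known, but failing the security policy
    if ep.compliant is True:
        return "service"
    return None                  # posture unknown: defer to the switch


def radius_vlan_attributes(vlan: Optional[str], by_name: bool = False
                           ) -> Dict[int, Union[int, str]]:
    """Build the Access-Accept attributes for the chosen VLAN class.

    An empty dict means "push nothing". Tunnel-Private-Group-ID carries
    either the numeric VLAN ID or the VLAN name, which is why the page
    says that either the name or the ID can be used.
    """
    if vlan is None:
        return {}
    if vlan not in VLAN_PLAN:
        raise ValueError(f"no VLAN defined for class {vlan!r}")
    group = vlan if by_name else str(VLAN_PLAN[vlan])
    return {
        TUNNEL_TYPE: TUNNEL_TYPE_VLAN,
        TUNNEL_MEDIUM_TYPE: TUNNEL_MEDIUM_IEEE_802,
        TUNNEL_PRIVATE_GROUP_ID: group,
    }


def authorize(ep: Endpoint, by_name: bool = False):
    """Policy decision plus the attributes to return, in one call."""
    vlan = choose_vlan(ep)
    return vlan, radius_vlan_attributes(vlan, by_name)


if __name__ == "__main__":
    for ep in (Endpoint(False, False, None),
               Endpoint(True, True, False),
               Endpoint(True, True, True),
               Endpoint(True, True, None)):
        print(ep, "->", authorize(ep))
```

The `by_name` switch matters operationally: a VLAN name only works if the device has a VLAN with exactly that name, whereas the numeric ID must exist in the device's VLAN database; either way, the VLAN has to be created on the network (the Layer 2 requirement) before the Core starts returning it.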
Other flows to be taken into consideration are:
Network device connection: an SSH connection is required and recommended to gain access to the network devices. This connection enables a few important capabilities, for instance:
Network device configuration management.
Network device backup management.
Network compliance configuration management.
CoA (Change of Authorization): in some scenarios it is necessary to force a policy evaluation and change the type of authorization; this is done with CoA, triggered by software.
SNMP toggle port: as an additional method to force a policy evaluation, SNMP can be used to shut down the port, which is equivalent to physically disconnecting it.
Another important protocol used to discover and profile assets is DHCP. As a general concept, it must be understood that DHCP is based on broadcast messages; if an IP Helper or DHCP Relay agent is in use, it forwards them as unicast packets, as shown by point 1 and point 2.
These communication flows are intra-product and need to be troubleshot whenever a communication issue happens.
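To make the DHCP profiling flow concrete, here is an added Python example (not openNAC code) that parses a DHCPDISCOVER the way an asset-profiling component would see it after an IP Helper or relay agent has forwarded it as unicast: it reads the relay address from giaddr, the client MAC from chaddr, and the options most profilers use as a fingerprint (option 55 parameter request list, option 60 vendor class, option 12 host name, option 61 client identifier). The option walker refuses packets whose declared option lengths overrun the datagram, which is the usual failure mode when parsing untrusted broadcast traffic. The sample packet is constructed inline; the field names returned by `parse_dhcp` and the fingerprint format are this example's own choices.

```python
"""Parse a relayed DHCPDISCOVER and extract profiling data.

Added example, not openNAC code. The sample packet is constructed here;
the output field names and the fingerprint format are assumptions.
"""
import struct

BOOTP_FMT = "!BBBBIHHIIII16s64s128s"   # fixed BOOTP header, 236 bytes
MAGIC_COOKIE = b"\x63\x82\x53\x63"      # marks the start of the DHCP options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK",
             7: "RELEASE", 8: "INFORM"}


def build_sample_discover() -> bytes:
    """Constructed DHCPDISCOVER as it arrives via a relay agent (giaddr set)."""
    mac = bytes.fromhex("001122334455")
    header = struct.pack(
        BOOTP_FMT,
        1, 1, 6, 1,                       # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=1
        0x3903F326, 0, 0x8000,            # xid, secs, flags (broadcast bit set)
        0, 0, 0,                          # ciaddr, yiaddr, siaddr
        int.from_bytes(bytes([10, 20, 0, 1]), "big"),  # giaddr: the relay that forwarded it
        mac + b"\x00" * 10, b"\x00" * 64, b"\x00" * 128,
    )
    options = (
        b"\x35\x01\x01"                               # 53 message type = DISCOVER
        + b"\x3d\x07\x01" + mac                       # 61 client identifier (type 1 + MAC)
        + b"\x0c\x06" + b"host01"                     # 12 host name
        + b"\x3c\x08" + b"MSFT 5.0"                   # 60 vendor class identifier
        + b"\x37\x06" + bytes([1, 3, 6, 15, 31, 33])  # 55 parameter request list
        + b"\xff"                                     # end option
    )
    return header + MAGIC_COOKIE + options


def parse_options(pkt: bytes, start: int = 240) -> dict:
    """Walk the TLV option area, rejecting lengths that overrun the packet."""
    opts = {}
    i = start
    while i < len(pkt):
        code = pkt[i]
        if code == 255:                   # end option
            return opts
        if code == 0:                     # pad byte
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("option header truncated")
        length = pkt[i + 1]
        if i + 2 + length > len(pkt):
            raise ValueError(f"option {code} overruns the packet")
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    raise ValueError("missing end option")


def parse_dhcp(pkt: bytes) -> dict:
    """Return the header fields and options relevant for asset profiling."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    (op, _htype, hlen, hops, xid, _secs, _flags, _ciaddr, _yiaddr, _siaddr,
     giaddr, chaddr, _sname, _file) = struct.unpack(BOOTP_FMT, pkt[:236])
    opts = parse_options(pkt)

    def dotted(n: int) -> str:
        return ".".join(str(b) for b in n.to_bytes(4, "big"))

    return {
        "op": "request" if op == 1 else "reply",
        "xid": xid,
        "hops": hops,
        "relay": dotted(giaddr) if giaddr else None,   # set only on the unicast relay path
        "mac": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "msg_type": MSG_TYPES.get(opts.get(53, b"\x00")[0], "UNKNOWN"),
        "hostname": opts.get(12, b"").decode("ascii", "replace") or None,
        "vendor_class": opts.get(60, b"").decode("ascii", "replace") or None,
        "param_request_list": list(opts.get(55, b"")),
        "client_id": opts.get(61, b"").hex() or None,
    }


def dhcp_fingerprint(info: dict) -> str:
    """Option 55 order plus vendor class: the two signals profilers rely on."""
    prl = ",".join(str(c) for c in info["param_request_list"])
    return f"{prl}|{info['vendor_class'] or ''}"


if __name__ == "__main__":
    info = parse_dhcp(build_sample_discover())
    print(info)
    print("fingerprint:", dhcp_fingerprint(info))
```

A non-zero giaddr (and hops greater than zero) is the sign that the packet reached the Core through a relay rather than by broadcast, which is exactly the Layer 3 path that has to be allowed for DHCP-based profiling to work across routed segments.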
Another common use case is how to manage non-corporate devices or users; for that purpose a registry portal was created, which is located on the openNAC Core role.
For those non-corporate users or devices (Guest and BYOD) a way to provide authentication and authorization mechanisms for devices connected to the network is required; it is necessary to establish the following:
As soon as the user or device is identified as not accepted by the security policy, the user's and device's requests are forwarded to the registry VLAN and from there to a captive portal using a poisoned DNS. It is important to mention that the openNAC Core can provide DNS services.
To access the captive portal you must first be forwarded to the registry network, as shown by point 1.
The client gets its IP configuration from the DHCP servers, which define the proper DNS server.
As soon as the client runs any query, such as www.any.com, as shown by point 2, the poisoned DNS server responds with the IP of the captive portal, as shown by point 3.
After that the client connects to the captive portal using HTTPS, as shown by point 4 and point 5.
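The DNS step of this flow (points 2 and 3) is easy to misunderstand, so here is an added Python example, written for this page and not taken from openNAC, showing both sides of the exchange: a client query for an arbitrary name and the response a registry-VLAN "poisoned" resolver returns, pointing every A lookup at the captive portal. It also handles the non-A case (for example AAAA) by answering with an empty NOERROR response so the client falls back to the A answer instead of failing, and uses a short TTL so the client re-resolves once it has moved to its service VLAN. The portal address (a documentation-range IP), the TTL value and the function names are assumptions for the example.

```python
"""Captive-portal DNS exchange: query in, portal A record out.

Added example, not openNAC code. The portal IP, TTL and function names are
assumptions; message layout follows RFC 1035.
"""
import socket
import struct

PORTAL_IP = "192.0.2.10"   # assumed captive-portal address (documentation range)
TTL = 5                    # short TTL: clients re-resolve after leaving the registry VLAN
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Turn 'www.any.com' into the length-prefixed label sequence."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Read an uncompressed name starting at off; return (name, next offset)."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        off += 1
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Client side: one question, recursion desired (what a stub resolver sends)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(msg: bytes) -> dict:
    """Server side: pull the single question out of a query."""
    if len(msg) < 12:
        raise ValueError("short message")
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question query")
    name, off = decode_name(msg, 12)
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "rd": bool(flags & 0x0100), "name": name,
            "qtype": qtype, "qclass": qclass, "qend": off + 4}


def portal_response(query: bytes, portal_ip: str = PORTAL_IP) -> bytes:
    """Answer any A/IN question with the portal address; other types get NOERROR, no data."""
    q = parse_question(query)
    flags = 0x8000 | 0x0400 | 0x0080 | (0x0100 if q["rd"] else 0)   # QR, AA, RA, RD echoed
    answers, ancount = b"", 0
    if q["qtype"] == QTYPE_A and q["qclass"] == QCLASS_IN:
        # 0xC00C is a compression pointer back to the question name at offset 12.
        answers = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, TTL, 4) + socket.inet_aton(portal_ip)
        ancount = 1
    header = struct.pack("!HHHHHH", q["id"], flags, 1, ancount, 0, 0)
    return header + query[12:q["qend"]] + answers


def answer_ips(resp: bytes) -> list:
    """Client side: extract the A records from a response built above."""
    _txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    _name, off = decode_name(resp, 12)
    off += 4                                   # skip qtype/qclass
    ips = []
    for _ in range(an):
        _ptr, rtype, _rclass, _ttl, rdlen = struct.unpack("!HHHIH", resp[off:off + 12])
        off += 12
        if rtype == QTYPE_A and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips


if __name__ == "__main__":
    q = build_query("www.any.com")            # point 2: any name the client asks for
    r = portal_response(q)                    # point 3: the poisoned answer
    print("www.any.com ->", answer_ips(r))
```

Because the answer is authoritative and carries the client's own transaction ID, the stub resolver accepts it like any normal reply; the browser then opens https://192.0.2.10/ (points 4 and 5), which is why the portal certificate and the HTTPS port must be reachable from the registry VLAN even though nothing else is.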