4.2.1. Introduction

This page presents the UNAC use case: what UNAC is, the benefits it brings, the value it adds, and some simple use-case scenarios.

4.2.1.1. What is UNAC?

../../_images/UNAC_introduction-1.png


  • UNAC is the OpenNAC Enterprise module that authenticates all users and devices in a corporate network (wired, wireless, and VPN).

  • Allows you to establish:

    • The foundations of a Zero Trust security strategy.

    • Security principles such as the principle of least privilege.

  • Allows users and/or devices authentication through:

    • Corporate user credentials

  • Corporate credentials + OTP (2FA)

    • Certificates with internal CA

    • MAB for non-supplicant devices

  • The 802.1X protocol is the basis for establishing authentication policies. To understand the protocol fundamentals, see 802.1x Basic Concept.

4.2.1.2. UNAC Benefits

  • Establishes the foundations of the Zero Trust strategy by validating the identity of users and devices, mitigating the risk of identity fraud.

  • Allows security principles to be set up: the identity of each user is determined and only the permissions needed for that user's functions are granted (the principle of least privilege).

  • Defines a single point of control for network access. From this centralized point, administrators can deploy access policies and other key aspects of network security orchestration, and take reactive and proactive actions.

  • Two-factor authentication using OTP, for validating the user's identity in remote connections.

  • Shows real-time statistics and authentication details for the network, using dashboards to monitor the authentication processes of users and devices.

  • Facilitates the adoption of standards and frameworks such as ISO 2700x, NIST, ENS, etc.

4.2.1.3. UNAC in 4 Steps

The UNAC configuration and operation process involves the following 4 steps:

../../_images/UNAC_introduction-2.png


The first two steps are explained in the Configuration documentation and the last two are in the UNAC operation.

4.2.1.4. Authentication Scenarios

4.2.1.4.1. User and Password

User identity will be validated based on information that users know, such as their username and password. In this case, the user’s corporate credentials will be utilized for the validation process.

../../_images/UNAC_introduction-4.png

Requirements

  • Integration with User Database (LDAP, AD).

  • Enable the 802.1X supplicant on the user device.

  • Enable 802.1X protocol settings on the network devices.

  • Access rules in OpenNAC Enterprise.

Outputs

  • Authentication metrics

  • Control Dashboards

  • Connected devices information: IP, MAC, Switch Interface, VLAN, Hostname, User, and last access.

4.2.1.4.2. Certificate

Every user and/or device will possess a unique certificate generated by a Certificate Authority (CA). These certificates can be issued for either devices or individual users.

../../_images/UNAC_introduction-5.png

Requirements

  • CA Settings

  • Certificates generation

  • Certificates Deployment

  • Enable 802.1X protocol settings in network devices

  • Access rules in OpenNAC Enterprise

Outputs

  • Authentication metrics

  • Control Dashboards

  • Connected devices information: IP, MAC, Switch Interface, VLAN, Hostname, User, and last access.

4.2.1.4.3. MAB

The authentication process will accommodate devices that do not have an 802.1x supplicant. In such cases, the MAC address of the device will be validated for authentication purposes.

../../_images/UNAC_introduction-6.png

Requirements

  • Enable 802.1X protocol settings in network devices

  • Access rules in OpenNAC Enterprise

Outputs

  • Authentication metrics

  • Control Dashboards

  • Connected devices information: IP, MAC, Switch Interface, VLAN, Hostname, User, and last access.

4.2.1.5. Authorization Options

Authorization is granted in three forms, and they can be applied simultaneously in the same policy.

../../_images/UNAC_introduction-8.png


  1. Dynamic ACLs through OpenNAC Enterprise access lists.

  2. Dynamic VLAN assignments.

  3. NGFW integration.

4.2.1.5.1. Change of Authorization (CoA)

When a user connects to a network, the RADIUS server receives a packet containing information about the Network Device and the connection port. The CoA (Change of Authorization) method allows the authorization to be changed after the device or user has been authenticated. These interactions are used in use cases such as wired and wireless Captive Portal, device profiling, posture assessment, Adaptive Network Control, and more.

In the figure below, you can see an example of Change of Authorization:

../../_images/UNAC_introduction-9.png
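As an added example (not OpenNAC Enterprise code, and independent of the figure above), the following Python models the CoA exchange itself at the packet level: the NAC server builds an RFC 5176 CoA-Request that pushes a new dynamic VLAN (RFC 2868 tunnel attributes) and a Filter-Id ACL to an existing session, the network device verifies the Request Authenticator with the shared secret before acting on it, and the server in turn verifies the CoA-ACK. The user name, MAC address, session id, VLAN id, ACL name and shared secret are constructed placeholders; the attribute set a real NAS expects varies by vendor.

```python
"""RFC 5176 CoA-Request / CoA-ACK exchange, encoded and verified on both sides."""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45          # packet codes, RFC 5176

# attribute types from RFC 2865 and RFC 2868
USER_NAME, FILTER_ID, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 11, 31, 44
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def attribute(atype: int, value: bytes) -> bytes:
    """Encode one TLV attribute: Type(1) Length(1) Value(<=253 octets)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def tagged_integer(tag: int, value: int) -> bytes:
    """Tunnel-* integer attributes carry a 1-octet tag and a 3-octet value (RFC 2868)."""
    return bytes([tag]) + value.to_bytes(3, "big")


def vlan_and_acl_attributes(vlan_id: int, acl_name: str, tag: int = 1) -> bytes:
    """Authorization payload: dynamic VLAN (tunnel attributes) plus a Filter-Id ACL name."""
    return (
        attribute(TUNNEL_TYPE, tagged_integer(tag, TUNNEL_TYPE_VLAN))
        + attribute(TUNNEL_MEDIUM_TYPE, tagged_integer(tag, TUNNEL_MEDIUM_IEEE_802))
        + attribute(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode())
        + attribute(FILTER_ID, acl_name.encode())
    )


def build_coa_request(identifier: int, secret: bytes, attributes: bytes) -> bytes:
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def build_response(code: int, request: bytes, secret: bytes, attributes: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attributes))
    authenticator = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return header + authenticator + attributes


def verify_request(packet: bytes, secret: bytes) -> bool:
    """NAS-side check: recompute the Request Authenticator with the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Server-side check: the ACK/NAK must be bound to our request's authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet: bytes) -> dict:
    """Decode the TLV list after the 20-octet header into {type: value}."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def coa_exchange(secret: bytes) -> dict:
    """Run the full exchange for a constructed session and report what each side concluded."""
    session = (attribute(USER_NAME, b"jdoe")                          # constructed values
               + attribute(CALLING_STATION_ID, b"00-11-22-33-44-55")
               + attribute(ACCT_SESSION_ID, b"0000A1B2"))
    request = build_coa_request(7, secret, session + vlan_and_acl_attributes(210, "QUARANTINE_ACL"))

    # network device side: verify, then read the new authorization
    nas_accepts = verify_request(request, secret)
    tampered = bytearray(request)
    tampered[-1] ^= 0x01                                            # flip one attribute octet
    pushed = parse_attributes(request)
    response = build_response(COA_ACK if nas_accepts else COA_NAK, request, secret)

    return {
        "nas_accepts": nas_accepts,
        "nas_rejects_tampered": not verify_request(bytes(tampered), secret),
        "nas_rejects_wrong_secret": not verify_request(request, b"other-secret"),
        "vlan": pushed[TUNNEL_PRIVATE_GROUP_ID][1:].decode(),     # strip the tag octet
        "acl": pushed[FILTER_ID].decode(),
        "response_code": response[0],
        "server_accepts_ack": verify_response(response, request, secret),
        "server_rejects_forged_ack": not verify_response(
            build_response(COA_ACK, request, b"other-secret"), request, secret),
    }


if __name__ == "__main__":
    for key, value in coa_exchange(b"s3cret-placeholder").items():
        print(f"{key:26s} {value}")
```

The two verification functions are the operational point: a network device that skips the authenticator check would apply any CoA it receives on UDP 3799, so the shared secret configured on each Network Device is what makes the dynamic authorization trustworthy.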


4.2.1.5.2. Location-Based Authorization

In regard to authorization, we can have different approaches and Location is one of them. We can add a location to a Network Device and create authorization policies based on that information. The following figure shows an example of a location-based authorization scenario:

../../_images/UNAC_introduction-10.png


The Administrator defines the location hierarchy and grants specific access rights based on the user's location.

The above diagram shows how data access changes based on location. For example, a doctor may have access to patient data inside the E.R., but the same data might not be accessible when the doctor is in the lobby.
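To make the two authorization ideas on this page concrete (the VLAN plus dynamic ACL outputs of the Authorization Options, and the location hierarchy of the scenario above), here is an added Python model of a rule evaluator. It is not OpenNAC Enterprise's policy engine; the location paths, roles, VLAN ids and ACL names are constructed placeholders. A rule bound to a node in the location hierarchy covers every Network Device under that node, the most specific matching rule wins, and a session that matches no rule gets no authorization (default deny).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One access rule: match on location subtree, user role and authentication method."""
    name: str
    location: str            # node in the location hierarchy, e.g. "hospital/building-a"
    roles: frozenset         # empty = any role (needed for MAB devices, which carry no user)
    auth_methods: frozenset  # empty = any of "password", "certificate", "mab"
    vlan: int                # dynamic VLAN to assign
    acl: str                 # dynamic ACL name to push


@dataclass(frozen=True)
class Session:
    """What the NAC server knows when the RADIUS request arrives."""
    identity: str
    role: str
    auth_method: str
    nas_location: str        # location configured on the Network Device


def in_subtree(rule_location: str, nas_location: str) -> bool:
    """A rule at 'hospital/building-a' covers 'hospital/building-a/er' but not 'hospital/lobby'."""
    return nas_location == rule_location or nas_location.startswith(rule_location + "/")


def specificity(rule: Rule) -> tuple:
    # deeper location first, then rules that constrain role / method over wildcards
    return (rule.location.count("/") + 1, bool(rule.roles), bool(rule.auth_methods))


def authorize(rules: list, session: Session) -> Optional[dict]:
    """Return the VLAN + ACL of the most specific matching rule, or None (default deny)."""
    matching = [
        r for r in rules
        if in_subtree(r.location, session.nas_location)
        and (not r.roles or session.role in r.roles)
        and (not r.auth_methods or session.auth_method in r.auth_methods)
    ]
    if not matching:
        return None
    best = sorted(matching, key=specificity, reverse=True)[0]   # stable: earlier rule wins ties
    return {"rule": best.name, "vlan": best.vlan, "acl": best.acl}


# constructed policy set mirroring the doctor / E.R. / lobby scenario
POLICY = [
    Rule("doctor-in-er", "hospital/building-a/er", frozenset({"doctor"}),
         frozenset({"password", "certificate"}), 110, "ALLOW_PATIENT_DATA"),
    Rule("clinical-staff-anywhere", "hospital", frozenset({"doctor", "nurse"}),
         frozenset(), 120, "INTRANET_ONLY"),
    Rule("mab-printers", "hospital", frozenset(), frozenset({"mab"}), 300, "PRINTERS_ONLY"),
]

if __name__ == "__main__":
    for s in [
        Session("jdoe", "doctor", "certificate", "hospital/building-a/er"),
        Session("jdoe", "doctor", "certificate", "hospital/lobby"),
        Session("00:11:22:33:44:55", "", "mab", "hospital/building-a/er"),
        Session("visitor", "guest", "password", "hospital/lobby"),
    ]:
        print(f"{s.identity:18s} at {s.nas_location:24s} -> {authorize(POLICY, s)}")
```

The same doctor receives the patient-data ACL only when the switch that authenticated them sits under the E.R. node; in the lobby the broader campus rule applies, and a MAB printer never inherits a user rule because it has no role.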

4.2.1.5.3. Host Modes

Host Modes define the different levels of access control that can be applied to network resources. It is based on the host that is trying to access them and can enforce different levels of security and restrictions for different types of devices.

There are several Host Modes that can be used in network authentication.

../../_images/UNAC_introduction-11.png


  • Single-Host Mode: Only one MAC address is allowed. A second MAC address causes a security violation.

  • Multi-Host Mode: The first MAC address is authenticated. The second endpoint piggybacks on the first MAC address authentication and bypasses authentication.

  • Multi-Domain Host Mode: Each domain (voice or data) authenticates one MAC address. The second MAC address in each domain causes a security violation.

  • Multi-Authentication: The voice domain authenticates one MAC address. The data domain authenticates multiple MAC addresses. dACL or single VLAN Assignment for all devices is supported.
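The four definitions above are easiest to compare by running the same sequence of endpoints through each mode. The following Python is an added model of those definitions (not OpenNAC Enterprise or switch firmware code); it keeps, per port, the set of MAC addresses admitted in the voice and data domains and returns the verdict the text describes for each new MAC. The MAC addresses are constructed, and the exact behaviour of a real switch on a violation (err-disable, drop, restrict) is vendor-specific and outside the model.

```python
from dataclasses import dataclass, field
from enum import Enum


class HostMode(Enum):
    SINGLE_HOST = "single-host"
    MULTI_HOST = "multi-host"
    MULTI_DOMAIN = "multi-domain"
    MULTI_AUTH = "multi-auth"


@dataclass
class PortState:
    """Per-port view the switch keeps: which MACs are admitted in each domain."""
    mode: HostMode
    admitted: dict = field(default_factory=lambda: {"data": set(), "voice": set()})
    violations: list = field(default_factory=list)


def endpoint_seen(port: PortState, mac: str, domain: str = "data") -> str:
    """Decide what happens when `mac` appears on the port in `domain` ("data" or "voice").

    Returns AUTHENTICATE (its own 802.1X/MAB session is started), PIGGYBACK (admitted on
    the first endpoint's session without authenticating), ALREADY_ADMITTED, or VIOLATION.
    """
    if domain not in port.admitted:
        raise ValueError("domain must be 'data' or 'voice'")
    all_macs = port.admitted["data"] | port.admitted["voice"]
    if mac in all_macs:
        return "ALREADY_ADMITTED"

    if port.mode is HostMode.SINGLE_HOST:
        # exactly one MAC on the whole port, regardless of domain
        verdict = "AUTHENTICATE" if not all_macs else "VIOLATION"
    elif port.mode is HostMode.MULTI_HOST:
        # first MAC authenticates; everything after it rides on that session
        verdict = "AUTHENTICATE" if not all_macs else "PIGGYBACK"
    elif port.mode is HostMode.MULTI_DOMAIN:
        # one MAC per domain, each authenticated on its own
        verdict = "AUTHENTICATE" if not port.admitted[domain] else "VIOLATION"
    else:  # MULTI_AUTH: one voice MAC, any number of individually authenticated data MACs
        verdict = "VIOLATION" if domain == "voice" and port.admitted["voice"] else "AUTHENTICATE"

    if verdict == "VIOLATION":
        port.violations.append((mac, domain))
    else:
        port.admitted[domain].add(mac)
    return verdict


def replay(mode: HostMode, events: list) -> list:
    """Run a sequence of (mac, domain) arrivals through a fresh port and return the verdicts."""
    port = PortState(mode)
    return [endpoint_seen(port, mac, domain) for mac, domain in events]


# constructed sample: an IP phone, a PC behind it, a second PC via a hub, then a second phone
SAMPLE_EVENTS = [
    ("00:11:22:aa:aa:aa", "voice"),
    ("00:11:22:bb:bb:bb", "data"),
    ("00:11:22:cc:cc:cc", "data"),
    ("00:11:22:dd:dd:dd", "voice"),
]

if __name__ == "__main__":
    for mode in HostMode:
        print(f"{mode.value:13s}", replay(mode, SAMPLE_EVENTS))
```

Running the sample shows the trade-off the modes encode: Multi-Host admits the hub's second PC without any authentication (the piggyback the text mentions), Multi-Domain flags it, and Multi-Authentication authenticates it separately while still refusing a second phone.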

4.2.1.6. UNAC Value

4.2.1.6.1. IT Support/ Help Desk

Reducing incident response time: identify the affected device in the CMDB (username, IP, MAC, etc.) and toggle the related port on the switch (Toggle Port).

4.2.1.6.2. Monitoring - IT management

Real-time connection information in the Control Dashboards.

  • Users’ connection metrics:

    • Wi-Fi users

    • Wired users

    • User’s information (location)

    • User’s role

  • Devices information:

    • Device topology

    • Device location

    • Device information

    • MAC

    • Vendor

4.2.1.6.3. Adaptability

Value is subjective: the perceived value of an IT tool increases with the problems it solves.

The degree to which IT tools adapt to the environment determines the value they provide.

  • The UNAC module integrates with the company’s existing infrastructure. It does not add administration effort; rather, it automates recurring tasks, removing mechanical work from the technical team.

  • Eliminate technological rigidity

  • Task automation

  • Multi-vendor, agnostic technology

  • Plugins, integrations

4.2.1.6.4. Dashboards Customization

../../_images/UNAC_introduction-7.png


  1. The administrator selects the visualization type for the Dashboard graphics (bars, pie, etc.).

  2. Select the information, i.e. the device data (TAGS) from the CMDB that you want to show.

  3. Set the structure of the dashboards and select all the visualizations.

  4. Generate a new dashboard, adding all the visualizations you want.

  5. Add the dashboard to the OpenNAC Enterprise web console.

4.2.1.6.5. Reports - Audit Teams

Management and audit reports in real-time:

  • Dashboards with user authentication details are automatically updated in real time.

  • Companies can choose how to segment authenticated users on the network to have a report available at any time.

Examples:

  • Authenticated users

  • Authentication sources

  • Connected users from a certain group.

  • Users location