In the network access control products we tested, authentication varies from very strong to very weak, and every point in-between. When starting down your path of evaluating NAC products, decide very early what kind of authentication mechanism you want, if any.
In some cases, such as McAfee NAC, Forescout ActiveScout and Trustwave NAC, authentication is de-emphasized as part of the product philosophy — the emphasis is in some other area, typically endpoint security controls.
For example, Trustwave NAC includes an agent that runs on Windows Active Directory servers that can send user login/logout information to the Trustwave NAC appliance. This lets a particular device be associated with a user, assuming that the device was a Windows client workstation connected to the correct domain and the user logged into the device.
But this bit of authentication information is just one of many pieces that Trustwave NAC collects about each device on the network. The authentication detection is entirely passive, and not part of the lock-step workflow of getting a user on the network.
If you care about authentication of users, be careful about this category of product, because their mechanism for detecting authentication information can be unreliable, due to the nature of the protocols they are trying to sniff. Capturing 802.1X and Kerberos logins as they fly by sounds elegant, but you can’t necessarily get all the information you need out of what you see on the wire. This is why Trustwave technicians installed their software agent on our Windows server — they are afraid that one day soon Microsoft will start encrypting the communications during login and the authentication information will be unavailable.
We found other issues with these products when we were using them outside of their comfort envelope. For example, we set up McAfee NAC using 802.1X, and found that it uses incorrect information in the 802.1X transaction to detect user identity. That’s the kind of bug that can only exist in a product where most of the organizations deploying the product are not focusing on authentication.
If you do care about authentication, you will find that the remaining products fall into two major categories: ones that encourage you to use 802.1X on wired switches and wireless networks, and ones that avoid it or work around it.
While 802.1X is acknowledged as the most secure way to do NAC authentication, the fear factor accompanying 802.1X is so great that there are more products in our test that avoid 802.1X than work well with it. The fear factor — that 802.1X will be too hard to manage on the network side and too hard to configure on the client side — is only slowly being overcome by improvements in switch software and Microsoft Windows.
The 802.1X category products (Avenda eTIPS, Enterasys NAC, HP ProCurve Identity Driven Manager, Juniper UAC, and to a lesser extent, Microsoft NAP and Symantec NAC) all actively participate in the authentication dialog and use 802.1X as a way of pushing access control to edge devices such as switches and wireless controllers.
In other cases, including Alcatel-Lucent Safe NAC, Bradford Network Sentry and Cisco NAC Appliance, the products all support 802.1X authentication, but the most common deployment path uses some other kind of authentication. For example, in Cisco NAC Appliance, if you want to avoid having users be interrupted by a Web-based captive portal every time they sit down at their workstation, you can install a client on user workstations that will transparently pass authentication to the Cisco NAC Appliance.
However, don’t get the idea that you can easily segment the world of NAC into 802.1X vs. non-802.1X, or that you should use one or the other exclusively. For example, in our testing, Juniper UAC worked well when users authenticated with their client over an IP network (for example when they were behind a VPN tunnel) or using 802.1X directly connected to a switch.
Bradford Network Sentry, Enterasys NAC and Juniper UAC offered the most options for different types of authentication scenarios. These would be on our short list if you wanted the widest array of authentication options.
Although 802.1X authentication has a reputation for being particularly difficult, we didn’t find setting up NAC with 802.1X to be any more or less difficult than using other protocols. For example, we had one vendor who would only work with our Cisco 3750 switch in 802.1X mode when it had been upgraded to a particular version, while a different vendor recommended another version.
On the other hand, we experienced problems with multiple vendors, one on our Aruba wireless controller and one on our HP switch, when their SNMP management of the devices wouldn’t control them correctly. So while we ran into issues, the 802.1X issues were no worse than the SNMP issues on the infrastructure side. Of course, since we focused on Windows 7 and Mac OS X, both 802.1X-ready clients, we didn’t run into client headaches making 802.1X work.
The question of authentication and NAC has other dimensions than just deciding whether you want to use 802.1X or not. In our testing, we looked at three special cases that may be important to many networks: domain devices without users in front of them (such as a domain-connected PC which is not logged in, but which should be accessible for remote management and patching), browserless/userless devices (such as VoIP phones and printers) that generally require media access control (MAC)-based authentication, and guest users.
The case of an unlogged-in device is a tricky one. Generally, a PC without an authenticated user sitting in front of it should have more restricted access to the network than one with an authenticated user. Unfortunately, you can’t just shut off all network access, as the device may need to contact update servers for patches, download anti-malware updates, or be remotely managed by the desktop management team.
Even without someone logging on, patch update servers may be hard at work pushing software updates all night long. Desktop security software, such as anti-malware, also generally pulls updates continuously, even when someone isn’t logged in. These all require network access.
When a product is based on 802.1X, this becomes a fairly easy case to handle, because the Microsoft 802.1X client will automatically log the device off when the user logs off, and then try and re-log on the device using what Microsoft calls “Machine Authentication,” based on credentials that were created when the device was joined to the domain. Some products, such as Alcatel-Lucent Safe NAC and the McAfee N-450 NAC appliance can work in 802.1X mode and do a good job detecting this then, but not when used in other ways.
When we tested Avenda’s eTIPS, Enterasys NAC, HP Identity Driven Manager, Juniper UAC and Microsoft NAP in 802.1X mode, they all handled this seamlessly. For example, we could easily distinguish between devices in different groups within Active Directory, and give different access to them based on their AD group.
Enterasys even includes a nice “How-To” document on the right way to set up your configuration to properly distinguish between users and computers for access control. Symantec NAC in 802.1X mode wasn’t as elegant — partially because Symantec NAC doesn’t really pay attention to the details of the authentication, just whether or not the device was authenticated at all.
When we looked at ForeScout CounterACT and Trustwave NAC, two products that don’t normally directly authenticate users, we had less success in trying to draw a distinction when the user logged out. For example, CounterACT wasn’t successful 100% of the time in detecting when a system switched from “machine” authentication to “user” authentication.
In Trustwave NAC, you can detect that a system was once authenticated (such as the user logged off), but there is no easy path that makes managing the switch between the two states easy. That’s not to say you can’t do it; you’re just going outside of the comfort zone of the Trustwave NAC product. We had a similar problem with Cisco NAC Appliance and Bradford Network Sentry
Phones and printers, oh my
A common problem in NAC deployments is dealing with userless and browserless devices, such as printers and VoIP phones. Of course, if you want to avoid the problem, you can make sure the ports these devices are plugged into are not part of your NAC deployment — but then you’ve got ports that people can walk up to and borrow for a few evil moments. That scenario frightens some network managers, but not all, since those ports would normally be restricted to a well-firewalled printer subnet. In our testing, we wanted to look at a common difficult case, a network with edge switch ports that could be used just as easily by end users as by printers.
The general solution to this problem is MAC-based authentication. Of course, MAC addresses are easy to forge, so NAC vendors bring in a combination of tools to back up this extremely weak authentication method. The first is simple access controls — making sure that a printer can only do what a printer should be able to do, such as receive connections on a few well known ports and send the occasional e-mail when it’s time to add paper. The theory here is that even if someone does steal a printer’s MAC address, the worst they can do is limited by the NAC-defined access controls.
We found that with a little help from the manager of the switch, we could make MAC-based authentication work with all of the products we tested, except for McAfee N-450, at least to some extent. (McAfee told us that they will be putting this feature into a future version of their product.) Products that usually point to an Active Directory server, such as Microsoft NAP and HP Identity Driven Manager, only support MAC-based authentication in the weakest sense — you’d have to start dropping MAC addresses into your Active Directory as domain users. But it can be wedged in there somehow.
We were more interested in products that seemed to go beyond the basics in handling MAC authentication. Avenda eTIPS, Bradford Network Sentry, Cisco NAC Appliance, Enterasys Network Sentry, Forescout CounterACT and Trustwave NAC all have some sort of validation mechanism that can help to ensure that a printer really is a printer.
Juniper UAC and Symantec NAC don’t include this feature directly, but all integrate with a popular third-party tool, Great Bay Software’s Beacon Endpoint Profiler. Actually, Cisco NAC Appliance integrates with Beacon as well, but Cisco OEMs Great Bay’s product and has built pieces of it into NAC Appliance and an associated product, Cisco NAC Profiler.
We tested all of these products by stealing a printer’s MAC address, and then loudly stomping around the Internet and generally acting un-printer-like. In every case, we got caught sooner or later. However, these validation techniques generally require some amount of special configuration, such as feeding a network tap to the endpoint profiler. Simply launching a scanner against the device isn’t going to work all the time. For example, with Windows 7 out-of-the-box, the firewall is locked down so tightly that sitting passively on the network wasn’t enough to get us caught. Instead, we had to become active on the network — requesting an IP by DHCP, for example, is a big giveaway since a Windows 7 system’s DHCP request doesn’t look anything like an HP printer’s DHCP.
Be my guest
Giving guests a limited set of network privileges, such as Internet-only access, is a big part of many NAC deployments. Since guests are not expected to run either 802.1X or a NAC client, NAC products usually handle them using some type of captive portal — a Web server that intercepts the user’s traffic the first time they try and browse anywhere, sending them to a Web page which lets them identify themselves to the network.
Microsoft NAP is the only NAC product we saw that doesn’t handle the guest case at all. If you were to base your NAC on Microsoft NAP, you’d have to program your switches to send guest users to a special VLAN and buy or build a guest access system for them.
We found captive portals for guest users built into HP, and Alcatel-Lucent switches that were complementary to their NAC solutions, but not very sophisticated. Alcatel-Lucent’s Safe NAC is particularly weak when it comes to captive portals for guests because they have two of them: a simplistic one that runs on the switches but which doesn’t integrate with their endpoint security tools, and a more sophisticated one that runs using the CyberGatekeeper endpoint security infrastructure, but which doesn’t link back to the authentication information on the switches. Two weak portals don’t add up to a strong one. Symantec and Trustwave also have simple captive portals that don’t function well for guest management.
On the other hand, some products, such as Bradford Network Sentry, McAfee N-450 NAC Appliance, Enterasys NAC, Forescout CounterACT, Juniper UAC and Avenda eTIPS all have very nice captive portals with extensive guest management tools.
There are definitely differences in the tools, and if guest access is important, you should carefully review what types of guests, registrations and sponsorships are included with each product. Juniper UAC meets the most basic requirements, while Forescout CounterACT does the best job without charging more, with the other NAC products we tested coming somewhere in-between.
If all of these authentication options seem confusing, don’t worry. They are confusing. Even with a week spent on each product, we found lots of special cases that we didn’t have time to configure and test. The key to deciding which of these products will work best in your network is planning ahead.
In some cases, products offer lots of authentication options that don’t meld well together. In other cases, though, we found that having multiple options, such as doing 802.1X, MAC-based authentication, client-based authentication or Web-based authentication all in the same product, flowed together fairly naturally and gave the potential for a lot of flexibility in deployment. The hard part is telling the difference between products that specialize in confusion and ones that legitimately have a broad range of authentication options.