No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

What is NAC

This document describes the definition and purpose of NAC, the comparison of the three authentication methods and the relationship between NAC and AAA.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
What is NAC

What is NAC

What is NAC

Definition

Network Admission Control (NAC) is an end-to-end access security framework and includes 802.1X authentication, MAC address authentication, and Portal authentication.

With the development of enterprise network, threats increasingly bring risks, such as viruses, Trojan horses, spyware, and malicious network attacks. On a traditional enterprise network, the intranet is considered as secure and threats come from extranet. However, 80% security threats actually come from the intranet. The intranet threats will cause serious damage in a wide range. Even worse, the system and network will break down. In addition, when intranet users browse websites on the external network, the spyware and Trojan horse software may be automatically installed on users' computers, which cannot be sense by the users. The malicious software may spread on the internal network.

The traditional security measures cannot meet requirements on border defense due to increasing security challenges. The security model should be converted into active mode to solve security problems from the roots (terminals), improving information security level of the entire enterprise.

The NAC solution integrates terminal security and access control and takes the check, audit, secure, and isolation measures to improve the proactive protection capability of terminals. This solution ensures security of each terminal and the entire enterprise network.

As shown in the following diagram, NAC includes three components: NAC terminal, network access device, and access server.

  1. Typical NAC networking diagram

  • NAC terminal: functions as the NAC client and interacts with network access devices to authenticate access users. If 802.1X authentication is used, users must install client software.
  • Network access device: function as the network access control point that enforces enterprise security policies. It allows, rejects, isolates, or restricts users based on the security policies customized for enterprise networks.
  • Access server: includes the access control server, management server, antivirus server, and patch server. It authenticates users, checks terminal security, repairs and upgrades the system, and monitors and audits user actions.

Purpose

Traditional network security technologies focus on threats from external computers, but typically neglect threats from internal computers. In addition, current network devices cannot prevent attacks initiated by devices on internal networks.

The NAC security framework was developed to ensure the security of network communication services. The NAC security framework improves internal network security by focusing on user terminals, and implement security control over access users to provide end-to-end security.

Comparison Between Three NAC Authentication Modes

NAC provides 802.1X authentication, MAC address authentication, and Portal authentication. You can select a proper authentication mode or a combination of multiple authentication modes based on your application scenarios. The combination of multiple authentication modes varies according to the device type and configuration. Table 1 compares the three NAC authentication modes.

Table 1-1 Comparison between NAC authentication modes

Item

802.1X Authentication

MAC Address Authentication

Portal Authentication

Application scenario

New network with concentrated users and high requirements for information security

Authentication of dumb terminals such as printers and fax machines

Scenario where users are sparsely distributed and move frequently

Client

Required

Not required

Not required

Advantage

High security

No client required

Flexible deployment

Disadvantage

Inflexible deployment

Complex management and MAC address registration required

Low security

NAC and AAA

To configure NAC, you must enable authentication, authorization, and accounting (AAA). NAC and AAA work together to implement access authentication.

  • NAC is used for interaction between users and access devices. It controls the user access mode (802.1X, MAC address, or Portal), as well as the parameters and timers used during network access. NAC ensures secure and stable connections between authorized users and access devices.
  • AAA is used for interaction between access devices and authentication servers. AAA provides authentication, authorization, and accounting for access users to control their network access rights.
Translation
Download
Updated: 2019-06-04

Document ID: EDOC1100086561

Views: 947

Downloads: 80

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next