CounterACT: 802.1X and Network Access Control

Technical Note
Contents
Introduction
What is 802.1X?
  Key Concepts
  Protocol Operation
What is NAC?
  Key Objectives
  NAC Capabilities
The Role of 802.1X in NAC
  Advantages of 802.1X
  Disadvantages of 802.1X
How ForeScout helps Implement 802.1X within a NAC Framework
  Verifying 802.1X Readiness
  Supplicant Remediation
  Hybrid Mode
  Automated Exception Process for non-802.1X endpoints
When to Use 802.1X and When Not to
  Organizational Needs
  Use Case: Secure Guest Access
  Use Case: Endpoint Compliance
  Use Case: Secure BYOD Access
  Network Environment
  Use Case: Exception Management
  Other Considerations
Conclusion
About ForeScout
Introduction
In an era of mobile devices and IT consumerization, Network Access Control (NAC) has emerged as a popular solution for network and security
managers to mitigate risk and retain control of the network. NAC provides the capability to authenticate users and devices when they connect to the
network, assess the security posture of a device, and enforce security controls while the device is connected to the network.
There is often confusion about the relationship between 802.1X and NAC, i.e. whether they are competing or complementary technologies. This paper
will help to clarify the issues and resolve this confusion.
The following technical note provides the reader a basic understanding of 802.1X and NAC, the advantages and disadvantages of using 802.1X
authentication within a NAC implementation, and guidance on which solution set is better suited for different use cases and network environments. It
describes the capabilities of ForeScout CounterACT™ and the unique features it provides to overcome some of the challenges of using 802.1X within a
NAC implementation.
What is 802.1X?
IEEE 802.1X is a standard for port-based network access control. It provides an authentication mechanism for devices wishing to attach to a wired or
wireless LAN. It does not address other security controls that may need to be enforced when a device connects to a network (discussed later in this
technical note). The 802.1X standard was first published in 2001 (IEEE 802.1X-2001) and later updated in 2004 (IEEE 802.1X-2004) and in 2010 (IEEE
802.1X-2010).
802.1X defines the encapsulation of the Extensible Authentication Protocol (EAP) over LAN, or EAPoL, which allows a number of different
authentication methods to be used. EAPoL was originally designed for 802.3 Ethernet in the 2001 standard, but was extended to other IEEE 802 LAN
technologies such as 802.11 wireless in the 2004 specification. The 2010 update added the MACsec Key Agreement protocol (MKA), carried in EAPoL,
so that an authenticated supplicant and authenticator can derive keys for IEEE 802.1AE MACsec and optionally encrypt and integrity-protect the link.
This closes a gap in the earlier specifications: port-based authorization alone does not bind later frames to the device that authenticated, so a
second device sharing the same physical port (for example behind a hub) could use the link once the legitimate supplicant had authenticated.
Key Concepts
802.1X authentication involves three components that communicate using EAPoL: the supplicant, the authenticator, and the authentication server.
•• The supplicant is an endpoint device (such as a laptop) attempting to connect to a wired or wireless network. The term “supplicant” is also used
interchangeably to refer to the software that is required on the endpoint (or client) to provide credentials to the authenticator. Credentials can
include username/password, digital certificate or other methods.
•• The authenticator is a network device, such as an Ethernet switch or wireless access point, that acts like a security guard to a protected network.
It facilitates authentication by relaying the credentials between the supplicant and authentication server, and allowing the supplicant access to
the network only after successful authentication occurs.
•• The authentication server is typically a host running a RADIUS server that validates the credentials of the supplicant and authorizes access.
Figure 1: 802.1X authentication components
Protocol Operation
802.1X provides port-based access control and as such ties authentication and admission to the point of connection to the network — a network
port. In an 802.1X environment, all network ports default to “unauthorized” state prior to authentication. Upon successful authentication a port is
dynamically changed to the “authorized” state. Control is enforced at each switch port for wired LANs, and each wireless access point for wireless LANs.
EAPoL frames are carried directly at the data link layer (EtherType 0x888E on Ethernet), below IP, which is why no address assignment is needed before
authentication. In the unauthorized state the port is allowed to transmit and receive only EAPoL frames; other traffic, such as DHCP or HTTP, is not
allowed. The typical authentication process is as follows:
1. Initiation — The port on the authenticator starts in the “unauthorized” state. To initiate authentication the authenticator periodically transmits
EAP-Request/Identity messages. On receipt of this message, the supplicant responds with an EAP-Response/Identity message containing an
identifier such as a username. The authenticator forwards this message on to the authentication server. The supplicant can also initiate or restart
authentication by sending an EAPOL-Start message to the authenticator, which then replies with an EAP-Request/Identity message. This identity
travels in the clear, so tunnelled methods such as PEAP and EAP-TTLS normally send an anonymous outer identity here and the real one inside the
TLS tunnel.
2. Negotiation — The authentication server sends a reply to the supplicant (via the authenticator), containing an EAP request specifying the EAP
method (the type of EAP based authentication it wishes the supplicant to perform). At this point the supplicant can start using the requested EAP
method, or do an NAK (“Negative Acknowledgement”) and respond with the EAP methods it is willing or able to perform.
3. Authentication — Once the authentication server and supplicant agree on an EAP method, EAP requests and responses are sent between the
supplicant and the authentication server (proxied through the authenticator) until the authentication server responds with either an EAP-Success
or an EAP-Failure message. The authenticator does not interpret the EAP method itself; it relays EAP inside RADIUS and acts on the server's
Access-Accept or Access-Reject. If authentication is successful, the authenticator sets the port to the “authorized” state and normal traffic is allowed;
if it is unsuccessful the port remains in the “unauthorized” state. With the TLS-based methods in common use (EAP-TLS, PEAP, EAP-TTLS), the
supplicant's validation of the server certificate is what stops a rogue switch or access point from collecting credentials; a supplicant configured to
skip that check authenticates the network to nobody.
4. Termination — When the supplicant logs off, it sends an EAPOL-Logoff message to the authenticator. The authenticator then sets the port to the
“unauthorized” state, once again blocking all non-EAPoL traffic. The port also returns to the “unauthorized” state when the link goes down.
802.1X authentication can be a one-time process (once a connection is authorized it remains authorized until the connection is terminated by the
supplicant), or re-authentication may be required after a specified time interval. Network connections can also be configured to time out and then
force re-authentication for any new connections.
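The exchange above, as an added example that is not part of the original note and not CounterACT code: a Python encoder/decoder for EAPoL and EAP packets and a model of the authenticator's controlled port, which walks the Start, Request/Identity, Response/Identity, Success or Failure and Logoff steps with constructed frames. Field layouts follow IEEE 802.1X and RFC 3748; the MAC addresses, identity and EAP identifiers are assumed values.

```python
"""EAPoL/EAP encoding and decoding plus a minimal authenticator port state machine.

Added example, not code from the note or from CounterACT. Field layouts follow
IEEE 802.1X and RFC 3748; MAC addresses, identity and identifiers are constructed.
"""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2           # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # EAP codes
EAP_TYPE_IDENTITY, EAP_TYPE_NAK = 1, 3


def build_eap(code, identifier, eap_type=None, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def build_eapol(packet_type, body=b"", version=2, src=bytes(6)):
    """Ethernet frame to the PAE group address carrying Version(1) Type(1) Length(2) Body."""
    eapol = struct.pack("!BBH", version, packet_type, len(body)) + body
    return PAE_GROUP_ADDR + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def parse_eapol(frame):
    """Decode a frame; raises ValueError on anything inconsistent."""
    if len(frame) < 18:
        raise ValueError("too short for Ethernet + EAPOL header")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL length field exceeds frame")
    pkt = {"src": frame[6:12], "version": version, "type": ptype}
    if ptype == EAPOL_EAP_PACKET:
        if length < 4:
            raise ValueError("EAP packet shorter than its header")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > length:
            raise ValueError("EAP length inconsistent with EAPOL length")
        pkt.update(code=code, id=ident)
        if code in (EAP_REQUEST, EAP_RESPONSE):
            if eap_len < 5:
                raise ValueError("Request/Response without Type field")
            pkt["eap_type"], pkt["data"] = body[4], body[5:eap_len]
    return pkt


def is_well_formed(frame):
    try:
        parse_eapol(frame)
        return True
    except ValueError:
        return False


class AuthenticatorPort:
    """Controlled port on the switch side: passes only EAPoL until authorized."""

    def __init__(self):
        self.authorized, self.identity, self.pending_id = False, None, 0
        self.to_server = []   # EAP packets to relay to RADIUS in EAP-Message attributes

    def handle_frame(self, frame):
        """Process a supplicant frame; returns the frame to send back, if any."""
        pkt = parse_eapol(frame)
        if pkt["type"] == EAPOL_START:
            self.pending_id = (self.pending_id + 1) & 0xFF
            return build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_REQUEST, self.pending_id, EAP_TYPE_IDENTITY))
        if pkt["type"] == EAPOL_LOGOFF:
            self.authorized, self.identity = False, None
        elif pkt["type"] == EAPOL_EAP_PACKET and pkt.get("code") == EAP_RESPONSE and pkt["id"] == self.pending_id:
            if pkt["eap_type"] == EAP_TYPE_IDENTITY:
                self.identity = pkt["data"].decode("utf-8", "replace")   # sent in the clear
            self.to_server.append(frame[18:])
        return None

    def handle_server_result(self, eap_packet):
        """Apply the EAP-Success/Failure returned (inside RADIUS) by the authentication server."""
        self.authorized = eap_packet[0] == EAP_SUCCESS
        if not self.authorized:
            self.identity = None
        return build_eapol(EAPOL_EAP_PACKET, eap_packet)

    def allows(self, ethertype):
        return self.authorized or ethertype == ETHERTYPE_EAPOL


def run_exchange(identity=b"alice", success=True):
    """Walk Start -> Request/Identity -> Response/Identity -> Success or Failure -> Logoff."""
    port, mac = AuthenticatorPort(), bytes.fromhex("001122334455")
    request = parse_eapol(port.handle_frame(build_eapol(EAPOL_START, src=mac)))
    port.handle_frame(build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_RESPONSE, request["id"], EAP_TYPE_IDENTITY, identity), src=mac))
    ip_before = port.allows(0x0800)   # IPv4 (DHCP, HTTP) blocked before the result arrives
    port.handle_server_result(build_eap(EAP_SUCCESS if success else EAP_FAILURE, request["id"]))
    ip_after, who = port.allows(0x0800), port.identity
    port.handle_frame(build_eapol(EAPOL_LOGOFF, src=mac))
    return {"identity": who, "ip_before": ip_before, "ip_after": ip_after, "after_logoff": port.authorized}
```

The parser rejects frames whose EAPOL or EAP length fields disagree with the bytes actually present, which is the first check any authenticator or monitoring sensor should make before acting on a frame. The port model only changes state on the authentication server's verdict, matching the standard: the authenticator relays EAP but never decides the outcome itself.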
What is NAC?
NAC controls access to a network based on adherence to security policies including authentication of users, pre-admission endpoint security
compliance checks, and post-admission controls over where users and devices can go on the network and what they can do. Unlike 802.1X, NAC
provides the ability to enforce security controls based on the security posture of the device and/or the user’s role in the organization.
Commercial NAC solutions incorporate quarantine and remediation capabilities (fixing non-compliant endpoints before allowing access). Some
advanced NAC solutions also include the ability to automatically profile and classify endpoints when they connect to the network, and subsequently
make policy decisions based on device type and other granular profiling data. NAC often incorporates post-admission functions, further differentiating
it from 802.1X which provides pre-connect authentication only. Basic post-connect functions may include periodic re-authentication and monitoring
for changes in device posture, with more advanced solutions providing capabilities for monitoring changes in device behavior and/or malicious
activity, and enforcing post-connect security controls.
Key Objectives
With an exponential increase in the number of mobile devices that are connecting to corporate networks, the focus of security controls has shifted
from the perimeter (via firewalls and IPS devices) to the internal network. Best practices now require that each endpoint be inspected to ensure that
it is compliant with security standards before the endpoint is permitted access to the network. The definition and capabilities of NAC are still evolving,
but as of this writing its primary objectives are:
•• Network visibility — In order to provide secure access and prevent unauthorized connections to the network, a NAC solution must be aware of
all users and devices that attempt to connect to the network. It can create a database of network users and a hardware and software inventory of
network endpoints.
•• BYOD and mobile device management — NAC provides the foundation for implementing a “bring your own device” (BYOD) environment
without compromising network security. This enables access while providing control over personally owned mobile devices such as laptops,
smartphones and tablets.
•• Role-based access — NAC ensures that only the right people with the right devices gain access to the right network resources. For example,
a guest may only be allowed access to the internet. An employee in the shipping department should not be allowed access to the company’s
financial systems.
•• Endpoint compliance — Unlike 802.1X, a primary objective of NAC is to manage endpoint compliance. Endpoint posture checks are required to
ensure a security baseline for any and all types of devices connecting to the network, and in some environments may be needed to demonstrate
compliance to industry or government regulations.
•• Network security — A key goal of NAC is to mitigate security risks within the network. Infected mobile devices, misconfigured endpoints, rogue
wiring devices and wireless access points are sources of threats and data loss, and can be identified, quarantined and remediated by NAC.
NAC Capabilities
Commercial NAC solutions vary widely in terms of the functions they provide. The list below is indicative of the functions that most large enterprises
are looking for.
Authentication: Authentication in NAC is conceptually similar to 802.1X, in that it occurs when an endpoint first attempts to connect to a network.
Commercial NAC solutions can leverage 802.1X as well as other standard means of authentication such as a guest registration database, MAC address
bypass lists, or existing directory systems such as Active Directory, OpenLDAP etc.
Security Posture Assessment: Unlike 802.1X, NAC products are able to assess the security posture of each endpoint. This assessment may include:
•• checks for operating system versions and patch levels
•• presence of anti-virus and other security software with latest updates
•• required and prohibited applications (such as P2P software)
•• active and prohibited ports
•• configuration settings for various applications
•• custom registry checks
Endpoint Profiling and Classification: Some NAC solutions provide the capability to automatically profile and classify endpoints by type. Policies
and access control can be tailored based on the device type. An effective device profiling capability also allows exceptions to be automatically created
for devices such as printers, phones, security cameras, healthcare and manufacturing equipment, none of which support standard authentication
mechanisms such as 802.1X.
Access Control: NAC can implement access control in a number of ways, ranging from simply enabling or disabling physical switch ports and wireless
connections (which is included in the 802.1X standard) to the ability to enable very granular access using VLANs, Access Control Lists (ACLs), virtual
firewalls and other mechanisms. Access policies can be tied not just to authentication, but also to endpoint security posture, the user’s role, device
type, location, connection method and other factors.
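The port-authorization result and any VLAN assignment reach the switch as a RADIUS Access-Accept. The following Python, added here as an illustration and not CounterACT's RADIUS server code, builds such a reply with the RFC 3580 tunnel attributes for VLAN assignment, and shows the check an authenticator should perform before honoring it: verifying the Response Authenticator (RFC 2865) and the Message-Authenticator (RFC 3579) with the shared secret. The shared secret, VLAN number, user name and packet identifiers are constructed values.

```python
"""RADIUS Access-Accept carrying an 802.1X result and a dynamic VLAN assignment.

Added example, not CounterACT code. Attribute numbers follow RFC 2865, 2868, 3579
and 3580; the shared secret, identifiers, user name and VLAN are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE = 1, 64, 65
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR, ATTR_TUNNEL_PRIVATE_GROUP_ID = 79, 80, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6   # RFC 3580 values
EAP_SUCCESS, EAP_FAILURE = 3, 4


def attr(atype, value):
    """Encode one attribute: Type(1) Length(1, including header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def tagged_int(number, tag=0):
    """RFC 2868 tagged integer: Tag(1) then a 3-octet value; tag 0 means untagged."""
    return bytes([tag]) + struct.pack("!I", number)[1:]


def vlan_attributes(vlan_id, tag=0):
    """The three attributes a switch needs to put the port into a VLAN (RFC 3580)."""
    group = (bytes([tag]) if tag else b"") + str(vlan_id).encode()
    return (attr(ATTR_TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN, tag))
            + attr(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802, tag))
            + attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, group))


def parse_attributes(data):
    out = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out


def build_response(code, identifier, request_auth, attrs, secret):
    """Server side: Access-Accept/Reject with Message-Authenticator and Response Authenticator."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs) + 18)
    zeroed = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    # RFC 3579: HMAC-MD5 over Code+ID+Length+RequestAuth+Attributes, with the MA value zeroed
    ma = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    final_attrs = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, ma)
    # RFC 2865: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    response_auth = hashlib.md5(header + request_auth + final_attrs + secret).digest()
    return header + response_auth + final_attrs


def verify_response(packet, request_auth, secret):
    """Authenticator side: both integrity checks must pass before the reply is trusted."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return False
    parsed = parse_attributes(attrs)
    mas = [v for t, v in parsed if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0]) != 16:
        return False   # RFC 3579 requires a Message-Authenticator on replies carrying EAP
    zeroed = b"".join(attr(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in parsed)
    expected_ma = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected_ma, mas[0])


def vlan_from(parsed):
    """Return the VLAN ID (int) or name (str) only if all three RFC 3580 attributes agree."""
    ttype = tmed = group = None
    for t, v in parsed:
        if t == ATTR_TUNNEL_TYPE and len(v) == 4:
            ttype = int.from_bytes(v[1:], "big")
        elif t == ATTR_TUNNEL_MEDIUM_TYPE and len(v) == 4:
            tmed = int.from_bytes(v[1:], "big")
        elif t == ATTR_TUNNEL_PRIVATE_GROUP_ID and v:
            group = v[1:] if v[0] <= 0x1F else v   # a leading byte <= 0x1F is a tag, not data
    if ttype != TUNNEL_TYPE_VLAN or tmed != TUNNEL_MEDIUM_IEEE_802 or not group:
        return None
    return int(group) if group.isdigit() else group.decode("ascii", "replace")


def authorization(packet, request_auth, secret):
    """What the switch should do with a reply: ('accept', vlan) or ('reject', None)."""
    if not verify_response(packet, request_auth, secret) or packet[0] != ACCESS_ACCEPT:
        return ("reject", None)   # an unverifiable reply is treated exactly like a reject
    return ("accept", vlan_from(parse_attributes(packet[20:])))


def demo():
    """Constructed exchange: the server accepts 'alice' into VLAN 100; a forged reply is rejected."""
    secret = b"example-shared-secret"   # assumed switch/RADIUS shared secret
    request_auth = os.urandom(16)       # the switch's Request Authenticator
    accept = build_response(ACCESS_ACCEPT, 7, request_auth,
                            attr(ATTR_USER_NAME, b"alice") + attr(ATTR_EAP_MESSAGE, bytes([EAP_SUCCESS, 7, 0, 4]))
                            + vlan_attributes(100), secret)
    reject = build_response(ACCESS_REJECT, 7, request_auth,
                            attr(ATTR_EAP_MESSAGE, bytes([EAP_FAILURE, 7, 0, 4])), secret)
    return {"genuine": authorization(accept, request_auth, secret),
            "wrong_secret": authorization(accept, request_auth, b"not-the-secret"),
            "reject": authorization(reject, request_auth, secret)}
```

The point of the two checks is that the VLAN the port ends up in is only as trustworthy as the reply that carried it: a switch that skips the Message-Authenticator check, or a RADIUS server that omits the attribute, lets anyone who can inject UDP toward the switch hand out Access-Accepts with a VLAN of their choosing. The constant-time comparisons and the "treat as reject" default are deliberate.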
Quarantine and Remediation: Quarantine and remediation is another important function of NAC. In the event that an endpoint is found to be
non-compliant with security policies — for example, not having the latest security patches for its operating system — the device can be isolated on the
network. In this state, network access is significantly restricted and typically includes access to only remediation resources such as patch servers,
anti-virus update websites, virus cleansing applications etc. Post remediation, the endpoint is allowed to re-enter the production network. NAC solutions
that automate the remediation process by integrating with existing IT systems (e.g. patch management) reduce IT overhead costs and increase user
productivity.
Post-connect Controls: Some NAC solutions provide post-connect controls in addition to pre-connect authentication and security posture
validation. Post-connect functions can include continuous monitoring of security posture changes and network activity to maintain real-time
awareness of device behavior (anomalous or threat activity). For example, if a device originally appeared to be a printer, but then starts reading
documents from a file server, the NAC system can take appropriate action based on policy. The best NAC solutions include both pre-connect and
post-connect functions, in order to first ensure that network access is limited to only users and devices that are authorized and compliant with security
policies, and then to ensure that users and devices stay compliant while connected to the network.
The Role of 802.1X in NAC
There is often some confusion between 802.1X and NAC. Because the 802.1X specification also uses the term “network access control” there is
uncertainty whether these are competing or complementary technologies.
By itself, 802.1X is simply an authentication solution. It gives reasonable assurance that the connected user or device holds valid credentials for the
network, and nothing more. NAC is much more. In addition to authentication, it includes device profiling, endpoint compliance validation, enforcement
capability to limit access, remediation mechanisms to bring endpoints into compliance, and post-connect monitoring to ensure devices stay compliant.
802.1X is not required for a NAC implementation. However, network access control solutions can leverage 802.1X for authentication.
In this section we’ll discuss the advantages and disadvantages of using 802.1X authentication.
Advantages of 802.1X
IEEE standard: 802.1X is an IEEE standard originally published in 2001, and as a result it has been adopted (to varying degrees) by most network
infrastructure vendors. Similarly, most laptops, tablets and smartphones available today feature embedded 802.1X supplicants. While there are some
inconsistencies among different vendors’ networking products, and supplicant support on older or embedded operating systems may lag, an
organization purchasing network infrastructure and endpoint devices today can be reasonably confident that they are 802.1X-capable. Though
interoperability in a multi-vendor environment can be tricky, 802.1X is well suited to a homogeneous network environment.
Layer 2 approach: 802.1X requires successful authentication before layer 3 network access is permitted by the authenticator. EAPoL runs directly over
the layer 2 link, so no IP address is needed during the authentication process. Because the unauthorized port passes nothing but EAPoL, the endpoint's
pre-admission attack surface is limited to the EAP and RADIUS processing on the authenticator and the authentication server behind it; it cannot reach
DHCP, other hosts or services on the segment until the port is authorized. This advantage may be useful in high-risk environments.
Disadvantages of 802.1X
Reliance on supplicants: 802.1X requires supplicant software on endpoints for authentication. While newer laptop and mobile device operating
systems include supplicants, many legacy endpoints do not and therefore cannot participate in the 802.1X authentication process. Additionally,
printers, IP phones, physical security devices (surveillance cameras, card readers, entry keypads etc.), manufacturing, healthcare and a variety of
industry-specific equipment do not support supplicants. In many environments, non-802.1X endpoints far outnumber 802.1X-capable ones. Managing
network connectivity for non-802.1X endpoints can require a great deal of manual configuration (managing MAC authentication exception lists) as
well as potential security tradeoffs.
Simply put: many IT managers don’t want to put “yet another agent” on the endpoint, so this is a major disadvantage compared to the NAC products
that can work without agents.
Complexity in Wired LANs: While 802.1X is well-suited to wireless LANs, adoption has lagged in wired LANs due to a number of challenges that
make deployment complex and costly. Legacy switches or other network infrastructure devices may lack 802.1X support. Additionally, switches from
different manufacturers are inconsistent in the manner they support 802.1X. Unlike wireless LANs which are predominantly used by newer mobile
devices with built-in supplicants, wired LANs tend to have a greater variety of legacy endpoints, many of which do not support 802.1X supplicant
software. Also, it is challenging to configure different switches in a multi-vendor environment to handle a mix of 802.1X and non-802.1X endpoints.
Architectural limitations: By itself, the 802.1X standard does not address exceptions that abound in most business environments. It assumes that
all legitimate devices in an organization will always have properly configured supplicants. The authentication result is binary – allow or deny. There are
no considerations for guest or contractor devices with supplicants configured for a different 802.1X environment, remediation actions upon failure,
or tolerances for configuration errors. Lack of resiliency or graceful failover means that a failure in any part of the process usually requires manual IT
intervention – a major challenge for any organization. Commercial NAC solutions sometimes extend and/or complement 802.1X with additional
capabilities to address these architectural shortcomings.
Lack of security posture validation: Pre-connect security posture validation and post-connect compliance monitoring of endpoints are outside the
scope of the 802.1X standard. In addition to authenticating the endpoint and/or its user before allowing access, it is important to determine whether
the endpoint is safe and in compliance with an organization’s security policies. Even authorized users can unknowingly bring “unsafe” devices onto the
network, which can place the entire network and the organization at risk. As a standalone solution, 802.1X wraps up after authentication is completed
and does not monitor the compliance posture of the device or behavior of the user post-admission. By itself, it is essentially a one-trick pony – other
solutions are required, either in addition to, or in place of 802.1X in order to address pre-connect and post-connect endpoint compliance.
How ForeScout helps Implement 802.1X within a NAC Framework
If you have determined that 802.1X is the right authentication technology for your organization, you then need to decide how to implement 802.1X.
You could “roll your own” and work directly with the protocol and its components, but case studies published by analysts such as Gartner have shown
that such implementations often take a long time – months or even years – and require a large amount of administrative overhead.
Alternatively, you could purchase a turnkey solution such as ForeScout CounterACT which makes rollout much easier. CounterACT provides all of the
network access control features and functions described above in this technical note.
ForeScout CounterACT allows enterprises to use multiple authentication methods (including 802.1X) and access control enforcement techniques. It
includes a built-in RADIUS server to make rollout of 802.1X easy. Alternatively, it can function as a RADIUS proxy and leverage existing RADIUS servers.
CounterACT provides a number of unique features to help customers implement network access control while leveraging 802.1X authentication. We
illustrate some of these features below.
ForeScout CounterACT Functions
☑☑ Pre-Connect Authentication
☑☑ Profiling and Endpoint Classification
☑☑ Security Posture Assessment
☑☑ Access Control Enforcement
☑☑ Quarantine and Remediation
☑☑ Guest Registration and Enablement
☑☑ BYOD Provisioning and On-Boarding
☑☑ Post-Connect Monitoring and Controls
Verifying 802.1X Readiness
An 802.1X-based NAC deployment has a lot of moving parts and is dependent on multiple elements of the IT infrastructure being 802.1X-capable and
ready. Because the 802.1X architecture is not very forgiving or resilient, it behooves IT security managers to verify that all aspects of their environment
are properly configured before enforcing access control.
ForeScout CounterACT includes built-in visibility tools to verify that all your participating switches and endpoints are correctly configured for 802.1X
authentication. This helps identify and solve problems before they become disruptive.
Authentication methods supported by CounterACT
•• 802.1X
•• LDAP directory systems
•• MAC address bypass list
•• Guest registration database
•• External authentication repositories
Access control mechanisms supported by CounterACT
•• Allow/deny
•• VLAN assignment
•• ACL management
•• Virtual firewall
Figure 2: Verifying 802.1X readiness using CounterACT
CounterACT provides 802.1X policies to verify
•• Network infrastructure readiness
•• Client readiness (details in the supplicant remediation section)
•• End-to-end authentication communication from client (via switch) to RADIUS server and directory (see Figure 2).
These policies can be run in monitor mode to identify potential issues before enforcing 802.1X access control (see
Figure 3). This helps avoid business disruption and help-desk calls. After turning on 802.1X, these policies can be
used to identify problems as they occur and take corrective action.
Figure 3: CounterACT policies for 802.1X switch readiness and monitoring
Supplicant Remediation
802.1X requires supplicant software on endpoints for authentication. Supplicants must be properly configured for the specific 802.1X environment.
Often, supplicants are not installed or enabled on guest or BYOD endpoints, or the supplicant may be incorrectly configured for the particular
corporate environment. For example, a common issue with guest or BYOD devices is that the supplicant is configured by default to use the Windows
login and password for authentication. Since these credentials belong to a different domain, they are not accepted, and the user will not be able
to get onto another 802.1X network. ForeScout CounterACT solves this problem because of its ability to allow all users, even those that fail 802.1X
authentication, to register for network access.
CounterACT provides built-in remediation tools to identify when an endpoint does not have a properly configured supplicant (see Figure 4). Policies
are provided to identify common supplicant issues for Windows, Mac OS, Linux and mobile platforms such as iOS and Android. When such issues are
found, CounterACT can automate the remediation process through scripts to install and/or configure a supplicant.
Figure 4: Supplicant remediation policies in CounterACT
Hybrid Mode
By itself, the 802.1X standard is not resilient or fault tolerant. It assumes that all legitimate devices in an organization will always have properly
configured supplicants. The authentication result is binary — allow or deny. Lack of resiliency means that there are typically many failures, and 802.1X’s
inability to gracefully failover creates a heavy helpdesk load and places a heavy toll on end user productivity.
CounterACT includes a hybrid mode which lets you utilize 802.1X and/or other authentication technologies within the same network environment.
In addition to 802.1X, CounterACT supports authentication against LDAP directories such as Active Directory, authentication against a built-in
guest registration database or MAC address bypass list, or authentication against other external databases that house guest, BYOD or contractor
authorization information.
Using CounterACT’s hybrid mode, any device that fails 802.1X authentication can be placed in a lobby VLAN. If the device is a computer, CounterACT
can give the user an opportunity to authenticate via another method, such as by entering his/her Active Directory credentials. If the user is a guest,
CounterACT can give the user the opportunity to register for guest access on the network.
Hybrid mode provides two benefits:
1. Allows organizations to roll out NAC quickly and completely in an environment that does not support 802.1X in every location
2. Provides a redundant authentication mechanism for endpoints that fail or are unable to use 802.1X authentication
Figure 5: Configuring Hybrid mode using CounterACT policies
Automated Exception Process for non-802.1X endpoints
ForeScout CounterACT automates the MAC exception process for non-802.1X endpoints (printers, phones, etc.) using its built-in endpoint profiler (see
Figure 6). CounterACT automatically identifies such devices, and based on the device type and associated policy, CounterACT adds the device’s MAC
address to an exception list and then places the device on the production network. Subsequent connections are automatically allowed as long as the
device profile stays consistent.
In addition, ForeScout CounterACT continuously monitors every endpoint in order to detect MAC address spoofing (see Figure 7). For example, if a
device originally appeared to be a printer (based on profiling) and was allowed network access, but then starts reading documents from a file server,
CounterACT can detect this change in device behavior and can remove the device from the network and the MAC exception list. This provides a fully
automated, closed-loop exception management process and reduces the risk inherent in MAC-based authentication, which on its own trusts any
device that presents an allowed MAC address, in high-risk environments.
Figure 6: Automating exceptions for non-802.1X endpoints
Figure 7: Detecting MAC address spoofing and Impersonation using CounterACT
When to Use 802.1X and When Not to
As described above, 802.1X has some advantages and disadvantages, and addresses only a subset of security controls. It can be deployed as a standalone network access control solution, or it can be used to provide authentication within the broader context of a commercial NAC solution.
Since 802.1X is a standard that is supported by most networking devices and operating systems, some may perceive it as “free” and pursue the path
of implementing a NAC solution using stand-alone 802.1X. However, deploying 802.1X requires integrating multiple components; it is not a turnkey
solution. Interoperability of devices, or lack thereof, can prove challenging. And by itself, it doesn’t solve the problem of non-802.1X-capable devices,
which often outnumber 802.1X-capable ones.
In this section we’ll examine a few use cases for implementing network access control. We’ll provide guidance on when to consider using 802.1X as a
stand-alone solution, and when to consider deploying a commercial NAC solution, such as ForeScout CounterACT.
Organizational Needs
Begin by considering your current needs. Do you simply want to separate guests from employees and place all guests in a different VLAN which only
provides internet access? Or do you want the ability to control guests, find out who they are, selectively approve each guest’s request for access, and
control how long they can connect to the network?
Also consider future goals and objectives. Do you think you will want to control network access on the basis of device type, security posture, user role
and other factors? Are there other needs such as integration with MDM systems or SIEM solutions lurking around the corner?
Let’s take a look at a few use cases to provide additional clarity.
Use Case: Secure Guest Access
Consultants, contractors, business partners and other guests bring their own personal devices and request internet connectivity so they can work
on site. To remain productive they may need access to basic services such as printing, or broader access to specific corporate applications and data.
Providing them unlimited access to the production network can expose you to malware and possible data loss.
Based on your specific needs, you may choose to implement some or all of the following capabilities:
• User authentication to distinguish between employees and guests
• Different levels of network access (limiting access to specific resources) based on user role
• Automated guest provisioning through captive portals and self-registration techniques
• Sponsorship capability that lets non-IT employees create and manage guest accounts, subject to IT policy, in external databases that the NAC
solution uses to authenticate guests
By itself, 802.1X can provide authentication for employees and VLAN segmentation for guests. You need a commercial NAC solution like ForeScout
CounterACT to implement the remaining functionality.
| Capability | 802.1X | ForeScout CounterACT |
|---|---|---|
| User Authentication | ✓ | ✓ |
| Guest Registration (Captive Portals etc.) | | ✓ |
| Non-IT Sponsor Support | | ✓ |
| Access Control Options | VLANs | Various Granular Options |
| Deployment | Multiple Components, External RADIUS Server | Fully Integrated, Turnkey Solution |
Use Case: Endpoint Compliance
Mobile devices that connect to corporate and public networks can become infected or non-compliant over time. Endpoints can become
misconfigured. Security agents can be disabled. Antivirus software can fall out-of-date. Unauthorized software can be unknowingly installed by
employees. To control risk, the security posture of all devices must be verified before and after they’re allowed on the network.
Based on your specific needs, you may choose to implement some or all of the following capabilities:
• Identify and authenticate a user and endpoint
• Assess an endpoint against a security policy, such as verifying the device configuration or the status of antivirus
• Contain or limit access to resources for endpoints that fail to meet security policy requirements
• Remediate endpoints that do not meet security policy requirements so they can be made compliant and allowed access to the network
• Post-connect monitoring of device behavior to detect malicious activity or failure of one or more of the onboard security controls
Endpoint compliance is outside the scope of 802.1X. To implement the above functionality you need a commercial NAC solution like ForeScout
CounterACT.
| Capability | 802.1X | ForeScout CounterACT |
|---|---|---|
| User/Device Authentication | ✓ | ✓ |
| Security Posture Validation | | ✓ |
| Mobile Device Configuration Checks | | ✓ |
| Custom Policies and Checks | | ✓ |
| Quarantine and Remediation | | ✓ |
| Post-Connect Monitoring | | ✓ |
| Compliance Reporting | | ✓ |
Use Case: Secure BYOD Access
With the proliferation of mobile devices, employees are increasingly looking to use their own personal devices at work. A Gartner survey reveals that
U.S.-based CIOs expect 38% of mobile devices used within the enterprise will be employee owned by 2014. BYOD policies are required because
employee owned devices may present risks to the network such as propagation of malware, network instability and potential data loss.
Based on your specific needs, you may choose to implement some or all of the following capabilities:
• Profile and identify endpoints by type when they connect to the network
• Assess BYOD endpoints against a security policy, such as verifying the device configuration or the endpoint security posture
• Provide different levels of network access and limit access to specific resources based on user role, device type and security posture
• Automate provisioning of BYOD devices through the use of captive portals and other techniques
• Remediation capability such as downloading mandated device configuration, endpoint protection agents, operating system security updates etc.
so that BYOD endpoints can be made compliant and allowed access to the network
802.1X can provide authentication for BYOD endpoints; however, doing so requires properly configured supplicant software on every endpoint. A
commercial NAC solution like ForeScout CounterACT provides the most flexible approach to securing a BYOD environment because CounterACT does
not require BYOD devices to carry configured 802.1X supplicants. ForeScout CounterACT can also provide more granular control over which types
of devices are granted access to the network, and can limit access based on the user’s role.
| Capability | 802.1X | ForeScout CounterACT |
|---|---|---|
| User/Device Authentication | ✓ | ✓ |
| Profiling and Endpoint Classification | | ✓ |
| Security Posture Validation | | ✓ |
| Mobile Device Configuration Checks | | ✓ |
| Quarantine and Remediation | | ✓ |
| Role-Based Access Control | | ✓ |
| MDM Integration | | ✓ |
| Client Software Dependency | Supplicant Required | None Required |
Network Environment
Another important consideration is your enterprise network environment. Do all your switches and wireless access points support 802.1X? Is most of
your network infrastructure from a single vendor or do you have a multi-vendor environment? Do most of your endpoints have 802.1X supplicants
built-in? Or do you have a large number of legacy endpoints and/or other non-802.1X capable devices and equipment?
802.1X authentication is well suited to a homogeneous network environment, and is easier to implement in wireless LANs than in wired LANs. In large
and complex heterogeneous environments, using 802.1X authentication can be challenging and costly — the overhead of using 802.1X can be far
greater than that of alternate authentication methods.
Let’s take a look at a use case for managing non-802.1X endpoints.
Use Case: Exception Management
Endpoints such as printers, IP phones and physical security devices cannot respond to requests for identification, nor do they support authentication
agents such as 802.1X supplicants. Various industry-specific equipment such as machines on a manufacturing floor, cash registers in a retail store, and
healthcare devices in hospitals are business critical and need network access. MAC authentication is probably the best alternative for handling such
endpoints, but maintaining static MAC exception lists requires significant ongoing manual configuration and potential security tradeoffs.
Based on your specific needs, you may choose to implement some or all of the following capabilities:
• Authenticate an endpoint using its MAC address
• Profile and classify endpoints by type when they connect to the network
• Dynamically create MAC exception lists for specific types of devices
• Post-connect monitoring of device behavior to detect MAC address spoofing/impersonation, with dynamic removal of endpoints from MAC
exception lists
| Capability | 802.1X | ForeScout CounterACT |
|---|---|---|
| MAC based authentication | ✓ | ✓ |
| Endpoint profiling | | ✓ |
| MAC exception lists | Manual | Automated |
| Detect MAC address spoofing | | ✓ |
MAC exception lists can be implemented within an 802.1X environment as a way of admitting devices that don’t support 802.1X supplicants. However,
these exception lists are static and have to be maintained manually. A commercial NAC solution like ForeScout CounterACT can complement 802.1X
and automate the exception management process.
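The closed-loop exception process described in this use case and in the earlier "Automated Exception Process" section (profile a non-802.1X device, admit its MAC under a policy for that device type, then revoke the exception when its behaviour drifts from the admitted profile) can be modelled as follows. This is an added illustration, not CounterACT code; the profile baselines, MAC addresses and flow records are constructed for the example.

```python
from dataclasses import dataclass, field

# Per-profile traffic baseline: (protocol, server port) pairs a device of that type is expected to
# initiate. Constructed values for illustration; a real profiler learns or is configured with these.
PROFILE_BASELINES = {
    "printer": {("tcp", 631), ("tcp", 9100), ("udp", 161)},  # IPP, raw print, SNMP
    "ip-phone": {("udp", 5060), ("udp", 69), ("tcp", 80)},   # SIP, TFTP config, web UI
}

@dataclass
class ExceptionManager:
    """MAC exception list plus the profile each MAC was admitted under."""
    exceptions: dict = field(default_factory=dict)  # mac -> admitted profile
    revoked: dict = field(default_factory=dict)     # mac -> reason for removal

    def admit(self, mac, profile):
        """Admit a profiled non-802.1X device only if policy knows its device type."""
        if profile not in PROFILE_BASELINES:
            return False
        self.exceptions[mac] = profile
        return True

    def observe(self, mac, proto, dst_port):
        """Check one flow against the admitted profile; revoke the exception on drift."""
        profile = self.exceptions.get(mac)
        if profile is None:
            return "not-admitted"
        if (proto, dst_port) in PROFILE_BASELINES[profile]:
            return "allowed"
        # Behaviour outside the profile: treat as spoofing/impersonation and close the loop.
        del self.exceptions[mac]
        self.revoked[mac] = f"{profile} used {proto}/{dst_port}: possible MAC spoofing"
        return "revoked"

# Constructed sample flows (mac, proto, dst_port). The fourth is an SMB session to a file server,
# which the printer baseline does not include.
SAMPLE_FLOWS = [
    ("00:11:22:33:44:55", "tcp", 9100),
    ("00:11:22:33:44:55", "udp", 161),
    ("aa:bb:cc:dd:ee:ff", "udp", 5060),
    ("00:11:22:33:44:55", "tcp", 445),
    ("00:11:22:33:44:55", "tcp", 9100),  # after revocation even normal traffic is not admitted
]

def run_demo():
    """Admit two devices, replay the sample flows, return decisions and resulting list state."""
    mgr = ExceptionManager()
    mgr.admit("00:11:22:33:44:55", "printer")
    mgr.admit("aa:bb:cc:dd:ee:ff", "ip-phone")
    decisions = [mgr.observe(*flow) for flow in SAMPLE_FLOWS]
    return decisions, sorted(mgr.exceptions), mgr.revoked
```

Once a MAC is revoked it must be re-profiled and re-admitted before its traffic is allowed again, which is what keeps a static exception entry from outliving the device it was created for.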
Other Considerations
There may be other factors to take into consideration when selecting an authentication mechanism for network access control. Government
organizations and a number of industry verticals are subject to various regulations, some of which may mandate the use of 802.1X or other
authentication techniques. In high-risk environments or classified networks there may be a legitimate requirement for all devices to use 802.1X
supplicants with certificates.
Budget is always a factor in any decision-making process. Upgrading vast amounts of legacy network infrastructure can be a showstopper for 802.1X.
An organization may choose to use 802.1X for the wireless infrastructure while using other authentication methods on wired LANs. Conversely, if
an organization has newer homogeneous network infrastructure, there may be cost savings to be had in deploying a stand-alone 802.1X solution,
especially if the IT staff can create additional home-grown tools for visibility, remediation, resiliency and automation of manual processes.
Conclusion
802.1X can be implemented as a stand-alone port-based access control solution, or it can be used as an authentication mechanism within the broader
context of a commercial network access control (NAC) solution such as ForeScout CounterACT. The decision of whether to use 802.1X or another
authentication mechanism rests on the specific needs of the organization and consideration of the advantages and disadvantages of 802.1X within a
given network environment.
Most organizations find that 802.1X by itself does not provide enough security controls and is too challenging to deploy. There are tremendous
benefits in using commercial solutions such as CounterACT to augment 802.1X and overcome its challenges.
CounterACT greatly enhances network visibility and security, and provides additional functions such as endpoint profiling, security posture validation,
quarantine and remediation, advanced guest management and BYOD provisioning. CounterACT also includes a complete set of troubleshooting
and remediation tools that speed the deployment of any 802.1X solution and make 802.1X more resilient and more accommodating to unknown or
misconfigured endpoints, as often happens in a BYOD situation.
About ForeScout
ForeScout delivers pervasive network security by allowing organizations to continuously monitor and mitigate security exposures and cyber attacks.
The company’s CounterACT appliance dynamically identifies and assesses all network users, endpoints and applications to provide complete visibility,
intelligence and policy-based mitigation of security issues. ForeScout’s open ControlFabric™ technology allows a broad range of IT security products
and management systems to share information and automate remediation actions. Because ForeScout’s solutions are easy to deploy, unobtrusive,
flexible and scalable, they have been chosen by more than 1,500 enterprises and government agencies. Headquartered in Campbell, California,
ForeScout offers its solutions through its network of authorized partners worldwide. Learn more at www.forescout.com.
ForeScout Technologies, Inc.
900 E. Hamilton Ave.,
Suite 300
Campbell, CA 95008
U.S.A.
T 1-866-377-8771 (US)
T 1-408-213-3191 (Intl.)
F 408-213-2283
www.forescout.com
©2013 ForeScout Technologies, Inc. Products protected by US Patent #6,363,489, March 2002. All rights reserved. ForeScout Technologies, the ForeScout logo, CounterACT and ControlFabric are trademarks
of ForeScout Technologies, Inc. All other trademarks are the property of their respective owners.
Doc: 2013.0057