Interop iLabs NAC Resources
NAC Resources
Contents
NAC: Network Access Control
Interop Labs Overview, Topology, and Presentations
Interop Labs Team White Papers
TCG/TNC Specifications
IETF Specifications
Vendor White Papers
Configuration Files from Labs Testing
External links and other resources
802.1X Background Information White Papers
NAC Topology and Presentations
Presentation on the NAC Labs (Flash)
NAC iLabs Booth Overview (PDF) (PPT) (also from 2006: (LV2006 PDF) (LV2006 PPT) (NY2006 PDF) (NY2006 PPT) )
NAC terminology glossary and map between IETF, TCG, Cisco, and Microsoft (PPT)
NAC iLabs addressing topology (XLS) (probably not interesting to most) (LV2006 version, NY2006 version)
Interop Labs NAC Class Las Vegas 2007 (PDF) (PPT) ( 2006 class (PDF) (PPT))
Joel Snyder's NAC Day Presentation (Courtesy Opus One)
--------------------------------------------------------------------------------
Interop Labs Team White Papers
Here are the white papers from the 2007 iLabs NAC project. All are PDF files. You may reproduce and distribute these files unchanged.
What is NAC? Generic network access control at its core is a simple concept: Who you are should govern what you're allowed to do on the network. NAC, then, is simply the hardware and software that together let you enforce access control policies based on who you are.
What is 802.1X? Understanding what IEEE 802.1X is, its relationship to NAC, and why you should care about it means understanding three separate concepts: EAP (Extensible Authentication Protocol), IEEE 802.1X itself, and Tunneled Authentication.
Getting Started with Network Access Control If you'd like to implement Network Access Control, no matter what architecture you select, you definitely want to start by building a small interoperability lab. In this white paper, we'll give you some advice on what to think about before you get started, and outline what resources you'll need to have in place in order to begin testing.
What is TCG's Trusted Network Connect? The Trusted Computing Group (TCG) is an industry standards body formed to develop, define, and promote open standards for trusted computing and security technologies. TCG has developed an open architecture and standards for Network Access Control called Trusted Network Connect (TNC).
What is Microsoft's Network Access Protection? The most significant differences between Microsoft's Network Access Protection architecture and other NAC architectures you see in the iLabs come because Microsoft does not make switches or routers. Therefore, the path for handling enforcement is different, focusing on server enforcement and standards-based switch enforcement. The original intent of MS-NAP was not security, but to find and quarantine non-compliant clients in the enterprise LAN. As the interest in NAC has increased, Microsoft has adjusted its architecture to include more enforcement mechanisms, and it's the 802.1X portion of MS-NAP that we tested for interoperability in the iLabs.
What is Cisco NAC? Cisco's Network Admission Control, which we'll call CNAC to avoid overloading the acronym NAC (for Network Access Control), maps directly to the IETF and TCG TNC architectures. Cisco has published a set of architectural overviews, supported product tables, and deployment guides. This white paper is derived from some of those overviews as well as the results of our iLabs testing. You may find it helpful to have our companion white paper, Network Access Control Architecture Alphabet Soup, in hand showing the diagram with different parts of a NAC architecture.
What is IETF Network Endpoint Assessment? The Internet Engineering Task Force (IETF) is the ultimate arbiter for Internet protocols. It has standardized dozens of critical protocols like IP, TCP, FTP, HTTP, SMTP, and IPsec. With its many competing and incompatible architectures and standards, Network Access Control is ripe for standardization. Fortunately, the IETF has started a Working Group in this area: the Network Endpoint Assessment (NEA) Working Group.
Switch Features for NAC As an IEEE standard, 802.1X is a critical building block in each of the three major NAC architectures. Before deploying one of the NAC architectures, the first step is to roll out 802.1X. This white paper will cover the switch and access point features that support an 802.1X environment.
How to Handle NAC Exceptions The IEEE 802.1X standard gets all of the attention when NAC is discussed because it works well, and consistently, across many networking vendors' hardware. NAC deployments often depend on 802.1X both for authentication of the end-user and as a mechanism to tunnel end-point posture assessment information. IEEE 802.1X is a key strategy for interoperable and standards-based NAC deployments. Most network engineers understand that some devices can't be full NAC clients with 802.1X support, but what is surprising is that dealing with these "NAC Exception" devices will consume a disproportionate amount of time. The 20% of devices that can't run 802.1X may end up burning 80% of your design and deployment time.
Develop a "NAC" for Troubleshooting The use of a network analyzer can be invaluable to assist you in troubleshooting and optimizing your Network Access Control (NAC) process. In the testing and implementation phases of NAC, a network analyzer offers visibility into the network and offers valuable assistance in troubleshooting potential configuration and compatibility problems.
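The "What is 802.1X?" paper above separates EAP, 802.1X (EAPOL) and tunneled authentication, and the troubleshooting paper above recommends watching the exchange with a network analyzer. The following is an added example, not code from the iLabs papers or from any vendor: a small stdlib-only decoder for the EAPOL/EAP frames an analyzer would capture on the supplicant's switch port, plus a summary of the conversation (outer identity, methods offered, any Nak from the supplicant, and the final outcome). The seven frames are constructed inline (MAC addresses, the "anonymous@example.com" outer identity and the method mismatch are all made up for the example) and model a common interop failure: the authentication server first offers EAP-MD5, the supplicant Naks it and asks for PEAP (EAP type 25, a tunneled method), the server restarts with a PEAP Start, and the port ends in EAP-Success. The TLS handshake fragments a real PEAP run carries between the Start and the Success are omitted.

```python
import struct

# Constants from IEEE 802.1X and the IANA EAP registry.
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = "01:80:c2:00:00:03"   # EAPOL-Start is sent to the PAE group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2", 43: "EAP-FAST"}
TUNNELED_METHODS = {21, 25, 43}        # TLS-tunnel methods that carry an inner method

def _mac_str(b): return ":".join(f"{x:02x}" for x in b)
def _mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))

def parse_eapol_frame(frame: bytes) -> dict:
    """Decode one Ethernet frame: Ethernet header, EAPOL header, then the EAP packet if any."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) < body_len:
        raise ValueError("truncated EAPOL body")
    rec = {"src": _mac_str(src), "dst": _mac_str(dst), "eapol_version": version,
           "eapol_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype != 0:                      # Start/Logoff/Key carry no EAP packet
        return rec
    if body_len < 4:
        raise ValueError("EAP header too short")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > body_len:
        raise ValueError("bad EAP length")
    rec["eap_code"] = EAP_CODES.get(code, f"unknown({code})")
    rec["eap_id"] = ident
    if code in (1, 2):                  # only Request/Response have a Type byte
        if eap_len < 5:
            raise ValueError("Request/Response without Type")
        etype, data = body[4], body[5:eap_len]
        rec["eap_type_num"] = etype
        rec["eap_type"] = EAP_TYPES.get(etype, f"unknown({etype})")
        if etype == 1 and code == 2:    # outer identity, visible in clear on the wire
            rec["identity"] = data.decode("utf-8", "replace")
        elif etype == 3:                # Legacy Nak: list of types the peer would accept
            rec["nak_wants"] = [EAP_TYPES.get(t, f"unknown({t})") for t in data]
        elif etype in TUNNELED_METHODS: # first byte is the TLS flags field; S=0x20 is Start
            flags = data[0] if data else 0
            rec["tunneled"] = True
            rec["tls_start"] = bool(flags & 0x20)
    return rec

def summarize_exchange(frames) -> dict:
    """Walk a captured port conversation and report what a troubleshooter wants to know."""
    s = {"outer_identity": None, "methods_offered": [], "nak_wants": [],
         "method_in_use": None, "outcome": "incomplete"}
    for f in frames:
        r = parse_eapol_frame(f)
        if r["eapol_type"] != "EAP-Packet":
            continue
        if r["eap_code"] == "Response" and r.get("eap_type") == "Identity":
            s["outer_identity"] = r["identity"]
        elif r["eap_code"] == "Request" and r.get("eap_type_num", 0) > 3:
            s["methods_offered"].append(r["eap_type"])
            s["method_in_use"] = r["eap_type"]
        elif r["eap_code"] == "Response" and r.get("eap_type") == "Nak":
            s["nak_wants"].extend(r["nak_wants"])
            s["method_in_use"] = None
        elif r["eap_code"] in ("Success", "Failure"):
            s["outcome"] = r["eap_code"]
    return s

# --- constructed sample capture (not a real trace) ---
def build_eapol(dst, src, ptype, body=b"", version=1):
    return _mac_bytes(dst) + _mac_bytes(src) + struct.pack("!HBBH", ETHERTYPE_EAPOL, version, ptype, len(body)) + body

def build_eap(code, ident, etype=None, data=b""):
    if etype is None:                   # Success/Failure: 4-byte header only
        return struct.pack("!BBH", code, ident, 4)
    return struct.pack("!BBHB", code, ident, 5 + len(data), etype) + data

SUPPLICANT, AUTHENTICATOR = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"   # made-up addresses
SAMPLE_EXCHANGE = [
    build_eapol(PAE_GROUP_ADDR, SUPPLICANT, 1),                                        # EAPOL-Start
    build_eapol(SUPPLICANT, AUTHENTICATOR, 0, build_eap(1, 1, 1)),                     # Request/Identity
    build_eapol(AUTHENTICATOR, SUPPLICANT, 0, build_eap(2, 1, 1, b"anonymous@example.com")),
    build_eapol(SUPPLICANT, AUTHENTICATOR, 0, build_eap(1, 2, 4, b"\x10" + bytes(range(16)))),  # MD5 offered
    build_eapol(AUTHENTICATOR, SUPPLICANT, 0, build_eap(2, 2, 3, b"\x19")),            # Nak: wants PEAP (25)
    build_eapol(SUPPLICANT, AUTHENTICATOR, 0, build_eap(1, 3, 25, b"\x20")),           # PEAP Start
    build_eapol(SUPPLICANT, AUTHENTICATOR, 0, build_eap(3, 3)),                        # EAP-Success
]

if __name__ == "__main__":
    for fr in SAMPLE_EXCHANGE:
        print(parse_eapol_frame(fr))
    print(summarize_exchange(SAMPLE_EXCHANGE))
```

Two things the summary makes visible that a "port won't authorize" report does not: the Nak tells you the supplicant and the authentication server disagree on the default EAP method, and the Response/Identity shows whether the outer identity leaks a real username or is the anonymous placeholder a tunneled method is supposed to use. Feeding real frames in is a matter of reading them from a pcap instead of SAMPLE_EXCHANGE.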
Network Access Control Resources This white paper provides pointers to some resources that we've found helpful in our research on Network Access Control (NAC) architectures and interoperability.