topic Re: NAC and DOT1X in Network Access Control

NAC and DOT1X

gauravpundir231 — Fri, 21 Feb 2020 18:34:39 GMT

Hi All,

I am confused about NAC and 802.1x. What NAC is doing, what dot1x is doing. How they are related to each other. Totally confuded. Please shed some light

Re: NAC and DOT1X

Marvin Rhoads — Sun, 24 Sep 2017 15:31:10 GMT

NAC or Network Access Control is a general term describing the concept of using technical means to control network access for wired, wireless and VPN network devices and clients.

802.1x is a specific technology used to implement the communications between a supplicant (software on the endpoint OS) and the network access device (NAD - switch or WLC/AP). It works in conjunction with RADIUS (between the NAD and the back end RADIUS server - e.g. ISE or ACS in Cisco products) to accomplish some of the tasks necessary for a full-fledged NAC solution.

https://en.wikipedia.org/wiki/IEEE_802.1X

Re: NAC and DOT1X

Mohammed al Baqari — Sun, 24 Sep 2017 17:04:48 GMT

+5 Marvin.

I was having the same confusion when I started and managed to reorder things as follow:

NAC is the umberalla made of multiple components to provide authenticated access to the network. This access can be over wired, wireless or VPN connection.

The NAC umberalla is composed of:

Supplicant - This is the actual client connecting to the network (windows, MACOSX, AnyConnect)
Authenticator - This is the network device (NAD)
Authentication Server - ISE Server, Microsoft NPM, Cisco ACS, etc
Identity Store - AD, RSA Token Server

In each access request to the network, there are 3 communications involved:

- Communication between supplicant and authenticator (this is using dot1x protocol)

- Communication between authenticator and authentication server (this is using radius protocol)

- Communication between authetication server and identity store (the can be LDAP, Novell, ADLDS, local inside the authentication server)

Re: NAC and DOT1X

gauravpundir231 — Mon, 25 Sep 2017 13:06:50 GMT

Thanks for your rply.

Need more clarification.

So AD is actual thing that is containing the user database. Is there any possibility we can connect Authenticator directly with AD and wht is role of Authentication server (as it is just passing the info between AD and Authenticator)

Also, if you have any info/docs/knowldg about Aruba NAC solutions pls share as we are using it in our infra.

Do Aruba has different servers that authenticate users which eliminate the need of any backend database like AD.

Re: NAC and DOT1X

Marvin Rhoads — Mon, 25 Sep 2017 13:12:53 GMT

A Cisco NAD (switch, AP or remote access VPN device) can talk to an Authentication server using either RADIUS or TACACS. If your AD server has the NPS role then it can also be the RADIUS server.

If you want to know more about Aruba then you are best asking at airheads (their community) - not the Cisco community.