Security Solutions
Access Control Concepts
Network Access Control Technologies
This solution design guide focuses on two general types of access control:
■ Authentication, authorization, and accounting (AAA)—controls
(and tracks) which users access which resources on the network
■ Endpoint integrity—controls which endpoints are allowed on the network based on their compliance with policies for endpoint security settings
AAA provides the traditional framework for controlling access to the network,
whereas endpoint integrity adds the ability to protect the network from
potentially compromised endpoints.
The remainder of this chapter covers the protocols and technologies that
underlie AAA and endpoint integrity solutions. If you already have a solid
understanding of these concepts, you can proceed immediately to Chapter 2:
“Customer Needs Assessment.” But remember: designing an access control
solution is much less frustrating when you know what choices are available
and what those choices entail.
AAA
Developed by the Internet Engineering Task Force (IETF), AAA dictates how
network devices provide:
■ Authentication—determining if users are who they claim to be
■ Authorization—deciding which data and applications users can access
and applying controls to enforce those decisions
■ Accounting—tracking which resources users actually access
AAA allows you to centralize these functions and standardize policies throughout a network. An AAA server makes the decisions, and edge devices (in AAA terminology, network access servers, or NASs) enforce them.
The NASs and AAA servers communicate using an AAA protocol, of which the two most common are:
■ Remote Authentication Dial-In User Service (RADIUS)
■ Terminal Access Controller Access Control System Plus (TACACS+)
This guide focuses on RADIUS because it is the protocol that most network access control mechanisms, including IEEE 802.1X port authentication, are built to work with; TACACS+ is used mainly for administrative access to the network devices themselves. Keep in mind that RADIUS protects only the User-Password attribute (by an MD5-based obfuscation keyed with the shared secret) and authenticates replies with an MD5 hash over the packet and that same secret, so the secret must be long and random and the NAS-to-server path should stay on a trusted management network.
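The NAS-to-AAA-server exchange described above, worked through for RADIUS as an added example (this is not code from the guide or from any vendor's implementation). Both sides are shown: the NAS builds an Access-Request with a random Request Authenticator and the obfuscated User-Password, the server recovers the password, decides, and returns an Access-Accept or Access-Reject carrying a Response Authenticator, and the NAS accepts the reply only after checking that authenticator against the shared secret. The user table, the shared secret and the NAS address are constructed sample data, and the packet layout follows RFC 2865.

```python
import hashlib
import hmac
import secrets

# RADIUS packet codes and the attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encode_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide User-Password as RFC 2865 5.2 does: pad to 16-byte blocks and XOR
    each block with MD5(secret + previous block); the 'previous block' for the
    first chunk is the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + chunk, chunk
    return out


def decode_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encode_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(encoded[i:i + 16], mask))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def pack_attributes(attrs) -> bytes:
    # Attribute = Type(1) Length(1) Value; Length counts the two header bytes.
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = pack_attributes(attrs)
    return bytes([code, ident]) + (20 + len(body)).to_bytes(2, "big") + authenticator + body


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, [(type, value)]), rejecting the
    length inconsistencies a hostile peer could send."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length runs past packet")
        attrs.append((t, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, data[4:20], attrs


def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3.
    body = pack_attributes(attrs)
    header = bytes([code, ident]) + (20 + len(body)).to_bytes(2, "big")
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_access_request(ident, username, password, secret, nas_ip):
    """NAS side: a fresh random Request Authenticator for every request."""
    request_auth = secrets.token_bytes(16)
    attrs = [(ATTR_USER_NAME, username),
             (ATTR_USER_PASSWORD, encode_password(password, secret, request_auth)),
             (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """AAA server side: recover the password, decide, sign the reply."""
    code, ident, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    fields = dict(attrs)
    user = fields.get(ATTR_USER_NAME, b"")
    password = decode_password(fields.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in users and hmac.compare_digest(users[user], password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = []  # a real server would add VLAN, session-timeout, filter attributes
    auth = response_authenticator(reply_code, ident, request_auth, reply_attrs, secret)
    return build_packet(reply_code, ident, auth, reply_attrs)


def nas_verify_response(response: bytes, request_auth: bytes, secret: bytes, ident: int):
    """NAS side: accept a reply only if it matches our outstanding request and
    its Response Authenticator was computed with the shared secret.
    Returns the reply code, or None for a reply that must be discarded."""
    code, rid, auth, attrs = parse_packet(response)
    if rid != ident:
        return None
    expected = response_authenticator(code, rid, request_auth, attrs, secret)
    return code if hmac.compare_digest(auth, expected) else None
```

The important check is the last one: without comparing the Response Authenticator, anyone who can inject a UDP packet toward the NAS could forge an Access-Accept, and the random per-request authenticator is what stops a captured reply from being replayed against a later request. Note that the obfuscation is keyed only by the shared secret and MD5, which is why the secret's strength and the trust of the network path matter as much as the protocol itself.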