There are several different methods for authenticating wireless clients. Some have fallen out of favor due to security weaknesses, ultimately being replaced with newer, more secure authentication methods. These include :
Open authentication to the access point
Shared key authentication to the access point
EAP authentication to the network
MAC address authentication to the network
Combining MAC-based, EAP, and open authentication
Using CCKM for authenticated clients
Using WPA key management
WiFi Authentication Challenges
From its outset, WiFi posed a unique challenge when it came to authenticating identities since users were no longer physically connecting to ethernet ports. Originally, there were several methods used to authenticate users across wireless networks:
Separation: One was to separate the WiFi network and enable it to access the Internet. If you needed to access on-prem applications or resources, you would VPN into the network just as if you were remote. In this case the solution for WiFi authentication was the implementation of the SSID and password which was shared across any users of that particular network. In this case, there wasn’t really a connection to the main network even though the WiFi network was located alongside the internal network. It operated more as a separate network for a variety of reasons.
SSID: Another path is to simply leverage an SSID and passphrase and let anybody on the network that has that. Subsequently the user could authenticate to the directory service, but even if they failed the authentication, they would still have access to the WiFi network.
RADIUS Authentication: Yet, another path was to leverage the RADIUS authentication protocol to auth access to the WiFi network which would subsequently authenticate access with Active Directory. The RADIUS server was the intermediary between the WiFi access point and the core identity provider. RADIUS was able to speak to the WiFi access points and then translate for the directory to authenticate user access. Of course, the downside of this approach was more servers, more integration, and more configuration on end user devices.
WiFi Authentication with Portnox CLEAR
WiFi extends beyond your walls. Employees harmlessly share company WiFi passwords with guests, contractors, business neighbors without ever stopping to think about the network and information security risks this poses to their organization. It’s not just outsiders, however. Today, nearly 20% of SMBs experience a data breach by a former employee who still has WiFi access.
It’s never been easier to secure your WiFi. With Portnox’s WiFi Security-as-a-Service, complex integrations and RADIUS server setups that traditionally required skilled IT staff and extensive training have been eliminated. Now, you can set-up user and device authentication that comply with security regulations in minutes.
Watch How it Works
About Version 2 Limited Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About Portnox Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.。
Why today’s boundless company networks are like castles without walls being protected by network security systems stuck in the middle ages.
Today, your network is likely comprised of your LAN, MPLS, SD-WAN, employees’ homes, Azure, Starbucks, Marriott, any airport…you get the idea. Your network extends to wherever authorized devices connect to gain access to company resources.
All of this proprietary, confidential or merely sensitive data being accessed across these parts of the network is no longer safe behind your castle walls. Access to everything (from everywhere) has changed the security dynamic.
How does zero trust factor in?
Enter zero trust, a new – well, maybe not that new – but let’s say in vogue network security model that is focused to address the challenges posed by today’s increasingly complex and extended corporate networks.
The zero trust model does not require or expect you to have walls around your networks. With zero trust, as the name implies, NOTHING inside or outside a company is trusted. That means no devices or systems used by employees is automatically trusted.
Traditional NAC meet zero trust requirements
Now, this security model may seem familiar. Isn’t this just like network access control (NAC)? Well, yes and no. NAC has been around since the early 2000s, and has been primarily focused on ensuring only valid and authorized devices can access your network. Traditionally, however, NAC solutions have only focused on the LAN, as that was what existed within the castle walls of an organization. But as I’ve stressed, the typical network extends far beyond the LAN today.
To truly achieve zero trust, organizations need a NAC solution that can easily and effectively work when your castle has no walls.
NAC for today’s sprawling networks
Since your employees are likely on the move and using several different devices (desktop, laptop, phone, etc.), any NAC would need to have device awareness no matter where the device is geo-locationally. And that means not only when it is joining the LAN, but also when it is connecting from home, from a remote office, from Starbucks – awareness anywhere and everywhere, always.
Perhaps the most critical factor when assessing your network security needs is having the ability to continuously monitor endpoint risk. After all, you can’t just go around authorizing every company PC to connect if it’s not “trusted.”
Ensuring endpoints are in a company compliant state, minimizing or eliminating the potential for endpoints to be hacked and used to bridge your network is crucial. This requires a NAC that is always aware of endpoint risk and can use that to allow or block access. Today, this mixture give your network the best chance of minimizing such threats.
It’s the control part of NAC that ultimately brings the most added value versus endpoint-only zero trust solutions. The ability to not only allow access to your trusted devices, but also to control that access by placing them on the proper VLAN or under an appropriate access control list (ACL) adds a powerful layer of security.
The answer is in the cloud
Lastly, a NAC for today’s boundless network must be “light weight.” You don’t want to be deploying appliances or software in every remote location, store or office. It takes an immense amount of bandwidth and expertise to properly execute. Can’t that investment be better spent elsewhere?
This is where traditional NAC solutions fall short. Since they were designed for the old castle network model, they simply aren’t equipped to give you the full visibility and control you need over your extended network to prevent breaches.
The answer is NAC delivered as a cloud service. Manageable from anywhere, coverage for everywhere, and with continuous device awareness – a cloud-delivered NAC adhering to the zero trust model can future-proof your increasingly extended network.
About Version 2 Limited Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About Portnox Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.。
The problem with most traditional on-premise network access control solutions is their complexity across many fronts, including initial setup, configuration, scalability, and on-going maintenance and upgrades. As a truly cloud-delivered NAC service, Portnox CLEAR delivers SIMPLICITY across all of these critical areas.
VALUE 1: Setup Simplicity
Unlike traditional on-premise solutions that require hardware appliances, software, and other on-premise elements, with Portnox CLEAR, you simply create your dedicated instance in Microsoft Azure using your company email or via SSO (such as Azure AD or GSuite) in a matter of just minutes!
With your dedicated instance of CLEAR created, you simply check the appropriate box(s) to create your RADIUS instance. Dedicated F5 load balancers are spun up as well as auto-scale, so you never have to be concerned with service performance or scalability – it will automatically expand as needed to meet demand.
Portnox CLEAR’s simplicity extends with out-of-box integration and one-click set-up for several common directory services, including:
On-premise AD
Azure AD
G-Suite
Okta Universal Directory
SIEM integration is as simple as providing the IP/port, protocol type (TCP, UDP, HTTPS), and data format (JSON/CEF).
VALUE 2: Configuration Simplicity
The complexity of traditional on-premise NAC does not stop at the initial set-up of the local appliance(s), load balancing, RADIUS, and other on-premise components. As shown in the sample policy screenshots below, the complexity of traditional NAC extends to policy configuration that is often layered with multiple and nested interdependencies.
From inception, the focus with CLEAR has been to simplify policy configuration, allowing CLEAR to be fully deployed and operational in a measure of hours/days vs. traditional NAC, which typically can take weeks, or in many cases, months to roll out. Intuitive, easy-to-configure access control, risk, and remediation policies are at the foundation of Portnox CLEAR as reflected in the sample screenshots below.
Risk Policies
Easily configure risk-based access controls for all devices or different groups of devices (i.e. accounting, engineering, etc.), by simply assigning a risk value to each group’s relevant compliance checks.
A simple slide bar easily turns risk values into action (allow, alert, block). It’s that SIMPLE! Unlike traditional NAC that monitors a device risk ONLY when it is on or connected to the network, Portnox CLEAR will monitor risk all the time regardless of if the device is on or off-network.
Remediation Policies
While it is important to continuously be aware of the current risk posture of a device and to be able to use that awareness as part of access control. The ability to proactively take action on the endpoint to help assure a minimum level of compliance is always maintained can be equally important. As with all other policy configurations, setting group-specific remediation policies in CLEAR is as simple as a few clicks.
Unlike traditional NAC that will take remediation actions ONLY if the device is on the network, Portnox CLEAR proactively enforces remediation actions all the time regardless if the device is on or off-network.
VALUE 3: On-Demand Auto-Scale
Delivered as a cloud service, Portnox CLEAR eliminates the need for the capacity planning of on-premise software or appliances. Eliminates the need to expand capacity or upgrade appliances to meet future growth needs. Portnox CLEAR services will automatically expand on-demand to meet any demand spikes and future growth.
Our Azure services are scaling up (and down) automatically based on usage and load. We can automatically control the VM size and the scale-up / down rules.
For the RADIUS component, we use Azure Kubernetes to manage the instances and allow scaling based on demand. We use F5 load balancer to channel the traffic to the right instances and make sure the scaling is transparent to the end-user.
VALUE 4: Ease of Integration
Portnox CLEAR continues to expand native integrations and simplified out-of-band integration through and included restAPI.
Current integrations include:
Active Directory
Azure AD
GSuite
MS Intune
OKTA
Palo Alto
SIEM (any/all leading vendors)
Portnox CLEAR also integrates with all leading anti-virus providers to validate and remediate (update) as part of CLEAR compliance and remediation capabilities. Portnox CLEAR also includes a REST-full API over HTTPS that can be used in any programming language that supports REST calls or invoked directly through any HTTPS client such as cURL.
VALUE 5: Zero-Touch Maintenance
As a true SaaS solution, Portnox CLEAR is truly zero-touch!
No on-going software updates/patching
No management of scheduled downtime
No hardware or software end-of-life issues
About Version 2 Limited Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About Portnox Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.。
Portnox demonstrates best-in-class capability and market leadership through demonstrated technology success and customer commitment.
NEW YORK, NY – November 4, 2020 – Portnox, a fully cloud-delivered network access control (NAC) provider, today announced it has attained a Gold Cloud Platform competency, demonstrating a “best-in-class” ability and commitment to meet Microsoft Corp. customers’ evolving needs in today’s mobile-first, cloud-first world and distinguishing itself within Microsoft’s partner ecosystem.
To earn a Microsoft Gold competency, partners must successfully complete exams (resulting in Microsoft Certified Professionals) to prove their level of technology expertise, and then designate these certified professionals uniquely to one Microsoft competency, ensuring a certain level of staffing capacity. They also must submit customer references that demonstrate successful projects, meet a performance (revenue and or consumption/usage) commitment (for most Gold competencies), and pass technology and/or sales assessments.
The cloud-delivered CLEAR NAC platform from Portnox is designed to help partners capitalize on the growing demand for infrastructure and software-as-a-service (SaaS) solutions built on Microsoft Azure. With built-in scalability, no on-site hardware, multitenancy and other benefits, the platform allows Microsoft partners to empower their customers by eliminating the traditional complexities associated with on-premises NAC.
“This Microsoft Gold Cloud Platform competency showcases our expertise in and commitment to today’s technology market and demonstrates our deep knowledge of Microsoft’s products and services,” said Ofer Amitai, CEO at Portnox “We plan to accelerate our customers’ success by serving as technology advisors for their business demands.”
“By achieving a Gold competency, partners have demonstrated the highest, most consistent capability and commitment to the latest Microsoft technology,” said Gavriella Schuster, corporate vice president, One Commercial Partner (OCP) at Microsoft Corp. “These partners have a deep expertise that puts them in the top of our partner ecosystem, and their proficiency will help customers drive innovative solutions.”
Cloud Platform
The Cloud Platform competency is designed for partners to capitalize on the growing demand for infrastructure and software-as-a-service (SaaS) solutions built on Microsoft Azure. Differentiate your company with the Cloud Platform competency, and you will be eligible for Signature Cloud Support, Azure deployment planning services, Azure sponsored credit, direct partner support, eligibility to deploy certain on-premises, internal use software on Microsoft Azure, and access to the cloud platform roadmap.
The Microsoft Partner Network helps partners strengthen their capabilities to showcase leadership in the marketplace on the latest technology, to better serve customers and to easily connect with one of the most active, diverse networks in the world.
Author Michael Marvin
About Version 2 Limited Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About Portnox Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.。
In this webinar, co-hosted by Portnox and CyberTEK, we examine how Portnox CLEAR – the first and only cloud-delivered NAC-as-a-Service – is helping organizations gain actionable network visibility and continuous risk monitoring of all endpoints across all access layers – no matter device type or geo-location.
Michael Marvin
Director of Marketing
Mike leads global cross-channel marketing efforts at Portnox. Over the last ten years, Mike has led marketing and communications teams across a variety of areas in B2B tech, including AdTech and FinTech. He holds a B.A. in English and American Studies from Hobart College.
About Version 2 Limited Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About Portnox Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit www.portnox.com, and follow us on Twitter and LinkedIn.。
The RADIUS change of authorization (as defined in RFC 5176) provides a mechanism to change authorization dynamically after the device/user is authenticated. Once there is a policy change for a user, you can send RADIUS CoA packets from the authorization server to reinitiate authentication and apply the new policy.
The RADIUS CoA process allows you to change the user access immediately when needed, without the need to wait for the wired switch or access point to initiate a re-authentication process, or for the device to disconnect and re-connect again.
CoA use cases (for connected authenticated devices) include:
Access control policy update, such as VLAN assignment for a group of devices/users
Risk/posture assessment policy was updated for a group of devices/users
Administrator blocked a device/user
Device risk score/compliance changes: Device is out of compliance (such as AntiVirus or firewall was turned off), thus needs to be set to quarantine VLAN or have access completely blocked; Or device is back in compliance, thus needs to be set to the production VLAN.
The CoA process functions as follow:
A device is connected to a wired ethernet switch or WiFi SSID after a successful authentication
There was a policy update or a change on the endpoint which requires that the device completely disconnect from the network or reconnect with different access than the current one (i.e. different VLAN, apply ACL)
The RADIUS server sends the CoA packet to disconnect the device which leads to re-authentication and applies the new access policy
CoA Packets
The RADIUS CoA packet is sent on port UDP 3799 or UDP 1700 – as used by some network vendors.
Disconnect-Request (PoD – Packet of Disconnect) is a request being sent to the NAS – Network Access Server (i.e. switch/access point), in order to terminate the user session/s. As a reply, two packets can be sent from the NAS:
A CoA-Request packet can also be sent to initiate changes on the device or port such as re-authentication and bounce port. As a reply, two packets can be sent from the NAS: CoA-ACK (successful CoA action acknowledgment) and CoA-NAK (CoA failed action). When there’s a need for a VLAN change, using CoA-Request, might not force the endpoint IP address to be released and renew. Instead, it may only change the VLAN. Thus, for implementations that require VLAN change, it’s recommended to use the Disconnect-Request CoA packet which will lead to re-authentication, and for the device to get a new IP address on the updated VLAN.
CoA Disconnect-Request with 802.1X RADIUS Authentication Flow
>RADIUS Change of Authorization Packet Capture
CoA RADIUS codes
CoA Packet
Radius Code
Disconnect-Request
40
Disconnect-ACK
41
Disconnect-NAK
42
CoA-Request
43
CoA-ACK
44
CoA-NAK
45
Packets Capture Examples using Wireshark
Disconnect-Request:
Disconnect-ACK:
These packets contain attributes with information on the NAS (wired switch/access point), endpoint involved, timestamp, and a link to the frame of the RADIUS server requests / NAS responses.
RADIUS Change of Authorization with Portnox CLEAR
Using Portnox CLEAR for CoA with dynamic VLAN assignment (previously discussed in Dynamic VLAN Assignment) implementation, allows the administrator to achieve a secure and segmented network for dynamic changes in the environment. Whether it’s an access policy change for a group of users/devices or a compliance change on a specific endpoint, the device(s) will be immediately placed on the relevant network, or blocked according to the policy.
In the following video, we’ll demonstrate a CoA use case of risk violation for a device with Portnox CLEAR. Scenario description:
Configure SSID to work with CLEAR services, including CoA.
In CLEAR, review risk assessment policy which requires AntiVirus to be up, running, and updated, and access control policy which places devices with risk violation in quarantine VLAN.
Connect a device with AgentP (CLEAR agent on the endpoint for risk assessment) enrolled to the configured SSID and authenticate successfully with a certificate.
Turn off AntiVirus on the endpoint, CLEAR identify the risk, and send CoA packet to disconnect the device.
The re-authentication process starting, and the device is being placed in the quarantine VLAN.
Add remediation action to start AntiVirus | AntiVirus is being enabled on the endpoint by CLEAR and the device is back in compliance.
CoA process is initiated, and the device is being placed back in the production VLAN.
About Version 2 Limited Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About Portnox Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.。
Traditionally, enterprises have enabled network authentication via usernames and passwords. As we now know today, this method of network authentication can be easily compromised by bad actors, making it no longer sufficiently secure for enforcing network access control. As a means of elevating and strengthening network authentication, Portnox has introduced several new and powerful certificate authority services within Portnox CLEAR, our cloud-delivered network access control solution.
Types of Network Authentication with Portnox CLEAR
Self-Onboarding (Agent-Based)
When an endpoint enrolls using AgentP, Portnox CLEAR will automatically generate a supplicant certificate for the endpoint. This is true for all supported operating systems (Windows, OSX, Linux, etc.), and for all AgentP enrollment methods.
Self-Onboarding (Agentless)
For those not using AgentP, Portnox CLEAR generates an organizational root certificate upon org creation in the system and adds the root certificate to its list of trusted root certificates.
Simple Certificate Enrollment Protocol (SCEP)
To make certificate issuance easier for our customers, Portnox CLEAR also supports SCEP, the open-source protocol, which issues a one-time password to the user transmitted out-of-band.
Microsoft InTune
Portnox CLEAR customers utilizing our MS InTune integration can use InTune to authenticate devices to the network as an alternative to Portnox’s agent-based or agentless options.
EAP-TLS 802.1X
EAP-TLS is considered by many to be the gold standard when it comes to network authentication. EAP-TLS 802.1X authentication is available with Portnox CLEAR out of the box.
Simple, Secure Certificate Authority Services
With Portnox’s ability to offer companies an easy and secure certificate authority services, each customer can leverage its own certificate authority in the cloud, allowing for simpler, more seamless and secure user onboarding. Once configured, Portnox CLEAR will issue every user an identity certificate for self-enrollment via the portal. Once the user has a certificate, he/she will then be granted password-less authentication.
About Version 2 Limited Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About Portnox Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.。
As the NCUA audits continue to expand, many credit unions struggle with finding an effective solution to meet Domain 3 controls within the ACET framework.
In this webinar, co-hosted by Portnox and Btech, find out how Portnox CLEAR is providing the remote network access control, off-campus endpoint awareness, risk and real-time remediation capabilities that either directly meet or highly contribute to many of the most difficult Domain 3 audit areas and requirements.
As part of this webinar, you will also hear from Utah-based University Federal Credit Union – a Portnox customer utilizing Portnox CLEAR’s zero-trust remote access-as-a-service capabilities.
The webinar will take place on Wednesday, October 14 at 3PM EST.
Author Michael Marvin
About Version 2 Limited Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About Portnox Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.。
No matter what industry you’re in, your company has likely been affected by the coronavirus outbreak. In fact, you’re probably reading this from home as we speak. Remote work is a new reality. While many of us will return to the office when it’s deemed safe, many companies have seen first-hand the value and ability of employees to work from home and will look to enhance and expand their remote workforces when things return to normal.
For network security teams, this poses a host of new challenges, particularly given the loss of physical control over those newly at-home corporate devices. But have no fear…we’re here to share the important and often overlooked remote access security best practices to consider as you elevate your remote access visibility and security.
I. A Bridge Too Far
No,we’re not talking about the 1977 WWII film starring Michael Caine and Sean Connery (albeit a great movie). Today, companies use VPN gateways and/or virtual remote desktops to provide their remote employees with access to the corporate network and other internal resources.
The problem, however, is that some of the most popular VPN vendors have admitted to significant vulnerabilities that would allow any person from the internet with no credentials to use the VPN gateway as the bridge to your corporate network and crown jewels.
II. Are You Afraid of the Dark?
90s kids will get this Nickelodeon reference, although it’s not the show we’re focused on today. We’re all afraid of the dark, and rightly so…scary stuff happens in the dark. That’s why you need to be continuously aware of the risk posture of every remote device connecting to the network continuously – all the time, every time, no matter location or device type. This will allow you to react in real-time to potential threats before $#!% really hits the fan.
About Version 2 Limited Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About Portnox Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.。
As we’ve written about previously, the standard authentication protocol used on encrypted networks is Extensible Authentication Protocol (EAP), which provides a secure method to send identifying information for network authentication. 802.1x is the standard that is used for passing EAP over wired and wireless Local Area Networks (LAN), as it provides an encrypted EAP tunnel that prevents outside users from intercepting information. The EAP protocol can be configured for credential (EAP-TTLS/PAP and PEAP-MSCHAPv2) and digital certificate (EAP-TLS) authentication and is a highly secure method for protecting the authentication process.
Throughout this article, we will look at how to monitor 802.1X EAP and why doing so is important from a network security perspective.
MAC Authentication Bypass (MAB)
MAB enables port-based access control using the MAC address of the endpoint. A MAB-enabled port can be dynamically enabled or disabled based on the MAC address of the device that connects to it. The below diagram illustrates the default behavior of a MAB-enabled port.
Session Initiation
From the switch’s perspective, the authentication session begins when the switch detects link-up on a port. The switch will initiate authentication by sending an EAP Request-Identity message to the endpoint. If the switch does not receive a response, the switch will retransmit the request at periodic intervals. If no response is received after the maximum number of retries, the switch will let IEEE 802.1X time out and proceed to MAB.
MAC Address Learning
During the MAC address learning stage, the switch begins MAB by opening the port to accept a single packet from which it will learn the source MAC address of the endpoint. Packets sent before the port has fallen back to MAB (that is, during the IEEE 802.1X timeout phase) are discarded immediately and cannot be used to learn the MAC address.
The switch can use almost any Layer 2 and 3 packets to learn MAC addresses, with the exception of bridging frames such as Link Layer Discovery Protocol (LLDP), Spanning Tree Protocol, and Dynamic Trunking Protocol (DTP). 1
After the switch learns the source MAC address, it discards the packet. Then the switch crafts a RADIUS Access-Request packet. A sample MAB RADIUS Access-Request packet is shown in the snapshot below.
By default, the Access-Request message is a Password Authentication Protocol (PAP) authentication request, The request includes the source MAC address in three attributes: Attribute 1 (Username), Attribute 2 (Password), and Attribute 31 (Calling-Station-Id). Although the MAC address is the same in each attribute, the format of the address differs. This feature is important because different RADIUS servers may use different attributes to validate the MAC address. Some RADIUS servers may look at only Attribute 31 (Calling-Station-Id), while others will actually verify the username and password in Attributes 1 and 2.
Because MAB uses the MAC address as a username and password, you should make sure that the RADIUS server can differentiate MAB requests from other types of requests for network access. This precaution will prevent other clients from attempting to use a MAC address as a valid credential. Cisco switches uniquely identify MAB requests by setting Attribute 6 (Service-Type) to 10 (Call-Check) in a MAB Access-Request message. Therefore, you can use Attribute 6 to filter MAB requests at the RADIUS server.
Session Authorization
If the MAC address is valid, the RADIUS server will return a RADIUS Access-Accept message. This message indicates to the switch that the endpoint should be allowed access to the port. Optionally, the RADIUS server may include dynamic network access policy instructions (for example, a dynamic VLAN or access control list [ACL]) in the Access-Accept message. In the absence of dynamic policy instructions, the switch will simply open the port. No further authentication methods will be tried if MAB succeeds.
If the MAC address is not valid or is not allowed to access the network for policy reasons, the RADIUS server will return a RADIUS Access-Reject message. This message indicates to the switch that the endpoint should not be allowed access to the port based on the MAC address.
If no fallback authentication or authorization methods are configured, the switch will stop the authentication process and the port will remain unauthorized.
Session Accounting
If the switch can successfully apply the authorization policy, the switch can send a RADIUS Accounting-Request message to the RADIUS server with details about the authorized session.
In the diagram above, the first frame sent is an EAPOL-Start frame. This frame is not critical, and the process can be started by the authenticator sending the EAP-Request Frame.
Next, the supplicant responds with an EAP-Response. Messages from the Authenticator to the Radius server use the radius protocol (UDP 1812 for Authentication)When the authenticator receives an Access-Accept packet from the radius server it will authorize the port and allow access to the supplicant. If access is denied by the Radius server an Access-Reject message will be sent to the authenticator and the port will stay unauthorized.
The supplicant can terminate the authentication of the port by sending an EAPOL-logoff frame to the authenticator.
Supplicant to Authenticator (EAPoL)
This is the communication method utilized that provides the Authenticator and the Client a line of communication prior to network access. This is what the capture will look like:
The EAPoL portion of communication will vary depending on the authentication type. In my examples, we are using EAP-PEAP w/EAP-MsCHAPv2. This is a fairly standard form of authentication.
The useful portions that can usually be derived from a pcap are:
In this frame, you can see the Client’s (Supplicant) Identity being used of “Vova.Halimon“. This can be extremely useful when trying to determine if the supplicant is going to authenticate as the user or the machine account as well as what the user could be typing into the username prompt.
EAP Auth Method Negotiation and Credential Exchange:
The first message in the above screenshot is the server’s proposal of EAP-PEAP (EAP-TLS, EAP-TTLS EAP-FAST, EAP-LEAP, EAP-MD5) then the client’s response with, “EAP-PEAP good for me” In some situations, depending on the RADIUS server configuration, the client may try to propose a method that is not permitted or supported by the server. This is where you would see that negotiation fail, and ultimately an Access-Reject / EAP-Failure.
Once the client has been successfully authenticated and authorized, there is an EAP Success message sent back to signify the end of the process. If this is a wired client, the process is over, and the client is able to start transmitting and receiving data frames. If this is a wireless client, the station will utilize a few EAP attributes and the AP will utilize two MPPE (Microsoft Point-to-Point Encryption – key attributes in the RADIUS Access-Accept response to perform the 4-way handshake and create the encryption keys for secure communication.
MD5 isn’t typically used as it only does a one-way authentication, and perhaps even more importantly doesn’t support automatic distribution and rotation of WEP keys so does nothing to relieve the administrative burden of manual WEP key maintenance.
TLS, while very secure, requires client certificates to be installed on each Wi-Fi workstation. Maintenance of a PKI infrastructure requires additional administrative expertise and time in addition to that of maintaining the WLAN itself.
TTLS addresses the certificate issue by tunneling TLS, and thus eliminating the need for a certificate on the client side. Making this an often preferred option. Funk Software* is the primary promoter of TTLS, and there’s a charge for supplicant and authentication server software.
LEAP has the longest history, and while previously Cisco proprietary (works with Cisco Wi-Fi adapters only), Cisco has licensed LEAP to a variety of other manufacturers through their Cisco Compatible Extensions program. A strong password policy should be enforced when LEAP is used for authentication.
EAP-FAST is now available for enterprises that can’t enforce a strong password policy and don’t want to deploy certificates for authentication.
The more recent PEAP works similarly to EAP-TTLS in that it doesn’t require a certificate on the client side. PEAP is backed by Cisco and Microsoft and is available at no additional cost from Microsoft. If desired to transition from LEAP to PEAP, Cisco’s ACS authentication server will run both.
EAP-TLS Example
However, in this graphic, you can see the client and server negotiate EAP-PEAP. Once that is completed, the server will present the client with its certificate. If the client does not trust the certificate from the server, and the user does not accept the certificate(The end-user might be presented with a dialog to trust this certificate), the exchange will fail after the first frame or two of the handshake.
In this situation, however, the client trusts the server certificate, and the two endpoints secure the medium with a TLS tunnel. Once secured you should notice that the protocol becomes purely TLS and since the traffic is encrypted, we can only see that the frames are “Application Data”. This is the point at which the client and server are exchanging inner authentication data such as EAP-MsCHAPv2 or EAP-TLS.
About Version 2 Limited Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About Portnox Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.。