Network Access Control
[!NOTE] This module covers the core building blocks of Network Access Control: port security on the switch, IEEE 802.1X, the Zero Trust model, and the RADIUS and TACACS+ protocols that sit behind them.
1. Port Security
The simplest form of access control: a switch port is configured to forward frames only from specific source MAC addresses, either typed in statically or learned up to a configured maximum. Because a MAC address is trivially changed on the client, this is a hygiene control against accidental connections and cheap rogue devices, not authentication.
- Sticky MAC: rather than typing addresses in, the switch learns the MAC(s) of whatever connects first, up to the configured maximum, and writes them into the running configuration so they survive link flaps (and reboots, once the configuration is saved). Any other source MAC afterwards is a violation.
- Violation Action: what the port does with a frame from a non-permitted MAC. The usual modes are protect (drop silently), restrict (drop, count and log or send a trap) and shutdown (put the port into err-disabled state until an administrator re-enables it). Shutdown is the safest default but lets a single stray device, or a deliberate attacker, take the port out of service.
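The following is an added example, not code from this module or from any switch vendor: a small Python model of one port with port security enabled. It shows the three violation modes side by side and what sticky learning changes across a link flap. The Cisco IOS commands in the comments are the real syntax; the MAC addresses, the log text and the behaviour of the simulation are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access port with port security enabled (Cisco IOS commands in comments)."""
    maximum: int = 1                 # switchport port-security maximum 1
    violation: str = "shutdown"      # switchport port-security violation {protect|restrict|shutdown}
    sticky: bool = True              # switchport port-security mac-address sticky
    learned: set = field(default_factory=set)         # current secure-MAC table
    running_config: set = field(default_factory=set)  # sticky entries written to the config
    violations: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def frame(self, src_mac: str) -> bool:
        """Return True if a frame with this source MAC is forwarded."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return False                             # nothing passes until an admin resets the port
        if src_mac in self.learned:
            return True                              # permitted (a spoofed MAC looks identical)
        if len(self.learned) < self.maximum:
            self.learned.add(src_mac)                # free slot: learn it
            if self.sticky:
                self.running_config.add(src_mac)
            return True
        return self._violate(src_mac)

    def _violate(self, src_mac: str) -> bool:
        if self.violation == "protect":
            return False                             # dropped silently: no counter, no log
        self.violations += 1
        self.log.append(f"port-security violation from {src_mac}")  # simulated syslog/trap
        if self.violation == "shutdown":
            self.err_disabled = True                 # port goes err-disabled
        return False

    def link_flap(self) -> None:
        """Cable pulled and reinserted: dynamic entries are lost, sticky ones are restored."""
        self.learned = set(self.running_config) if self.sticky else set()


def demo(violation: str, sticky: bool = True) -> dict:
    """Drive one port through a legitimate device, an intruder and a link flap."""
    port = SecurePort(maximum=1, violation=violation, sticky=sticky)
    legit, intruder = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed addresses
    result = {
        "legit": port.frame(legit),          # learned on first sight
        "intruder": port.frame(intruder),    # second MAC on a max-1 port: violation
        "legit_again": port.frame(legit),    # False only in shutdown mode
    }
    port.link_flap()
    result["intruder_after_flap"] = port.frame(intruder)  # without sticky, first to plug in wins
    result["legit_after_flap"] = port.frame(legit)
    result["violations"] = port.violations
    result["err_disabled"] = port.err_disabled
    return result
```

Running `demo("protect", sticky=False)` is the instructive case: after the flap the intruder is learned as the legitimate address and the real device is the one that gets dropped, silently. Note also that `port.frame(legit)` from a different physical device returns True just the same, which is the spoofing limit of the whole mechanism.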
2. IEEE 802.1X
The IEEE standard for port-based Network Access Control. A port with 802.1X enabled starts in the unauthorized state, in which the switch drops everything from the attached device except EAPOL frames (EtherType 0x888E), which carry the EAP authentication exchange. Only after the authentication server returns an accept does the port move to the authorized state and forward normal traffic, optionally into a VLAN or behind an ACL chosen by the server. Devices with no supplicant (printers, phones, cameras) are commonly admitted by MAC Authentication Bypass (MAB), which falls back to the spoofable MAC address of section 1, so MAB ports deserve a restricted VLAN.
The Players
- Supplicant: the device trying to connect, or more precisely the 802.1X client software on it (your laptop's built-in client, or wpa_supplicant on Linux).
- Authenticator: the switch or wireless Access Point. It terminates EAPOL on the port, relays the EAP messages to the server inside RADIUS EAP-Message attributes, and opens the port or keeps it closed based on the server's answer; it never evaluates the credentials itself.
- Authentication Server: usually a RADIUS server (FreeRADIUS, Microsoft NPS, Cisco ISE) that runs the chosen EAP method, checks a username/password or a client certificate, and replies Access-Accept or Access-Reject. Prefer certificate-based EAP-TLS; password methods such as PEAP-MSCHAPv2 are only as strong as the supplicant's validation of the server certificate.
3. Zero Trust Architecture
The old “Castle and Moat” security model assumed that if you were inside the building, you could be trusted. Modern security uses Zero Trust.
Never Trust, Always Verify
- Identity-Centric: Access is granted based on who you are, not where you are.
- Least Privilege: Give users the absolute minimum access they need.
- Continuous Monitoring: every request is authenticated and authorized on its own merits (identity, device posture, context), so being on the "internal" Wi-Fi grants nothing by itself, and a session is re-evaluated rather than trusted once and forever.
4. Interactive: 802.1X Handshake
See how the port stays locked.
[Interactive widget, not reproduced here: Supplicant, Switch Port and RADIUS Server, with the port status shown as BLOCKED until the RADIUS server returns Access-Accept.]
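The exchange between the three players of section 2, which the widget above animates, as an added Python example that is not part of this module. It builds real EAPOL and EAP packets (RFC 3748 framing), runs EAP-MD5 (the CHAP-style challenge method from RFC 3748 section 5.4) between a supplicant and a stand-in authentication server, and shows the port dropping a data frame before authentication and forwarding it after. The user table, MAC address and password are constructed; the RADIUS transport is replaced by a direct function call, so the RADIUS packet format itself is not shown here.

```python
import hashlib
import hmac
import os
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2           # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # EAP codes (RFC 3748)
EAP_IDENTITY, EAP_MD5 = 1, 4                                      # EAP types
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")                 # destination of EAPOL frames

USERS = {b"alice": b"correct horse battery staple"}   # constructed stand-in for the server's directory

def eap(code, ident, type_=None, data=b""):
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:length]

def eapol(ptype, payload=b""):
    return struct.pack("!BBH", 2, ptype, len(payload)) + payload   # version, type, body length

def ethernet(src, ethertype, payload):
    return PAE_GROUP_ADDRESS + src + struct.pack("!H", ethertype) + payload

class RadiusServer:
    """Stand-in authentication server running EAP-MD5 (illustration only, see note below)."""
    def __init__(self):
        self.pending = {}   # EAP identifier -> (identity, challenge)

    def handle(self, eap_pkt):
        code, ident, type_, data = parse_eap(eap_pkt)
        if type_ == EAP_IDENTITY:
            challenge = os.urandom(16)
            self.pending[ident + 1] = (data, challenge)
            return "challenge", eap(EAP_REQUEST, ident + 1, EAP_MD5, bytes([16]) + challenge)
        identity, challenge = self.pending.pop(ident, (None, None))
        password = USERS.get(identity)
        if password is not None and type_ == EAP_MD5:
            expected = hashlib.md5(bytes([ident]) + password + challenge).digest()
            if hmac.compare_digest(data[1:17], expected):
                return "accept", eap(EAP_SUCCESS, ident)
        return "reject", eap(EAP_FAILURE, ident)

class Supplicant:
    def __init__(self, mac, identity, password):
        self.mac, self.identity, self.password = mac, identity, password

    def respond(self, eap_pkt):
        code, ident, type_, data = parse_eap(eap_pkt)
        if type_ == EAP_IDENTITY:
            return eap(EAP_RESPONSE, ident, EAP_IDENTITY, self.identity)
        if type_ == EAP_MD5:                        # CHAP-style: MD5(id || password || challenge)
            challenge = data[1:1 + data[0]]
            digest = hashlib.md5(bytes([ident]) + self.password + challenge).digest()
            return eap(EAP_RESPONSE, ident, EAP_MD5, bytes([16]) + digest)
        return None                                 # EAP-Success / EAP-Failure: nothing to send

class AuthenticatorPort:
    """The switch port: relays EAP to the server and gates all other traffic on the verdict."""
    def __init__(self, server):
        self.server, self.authorized, self.to_supplicant = server, False, []

    def ingress(self, frame):
        """Return True if the frame is forwarded onto the network."""
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype != ETHERTYPE_EAPOL:
            return self.authorized                  # unauthorized port: everything but EAPOL is dropped
        _, ptype, length = struct.unpack("!BBH", frame[14:18])
        if ptype == EAPOL_START:
            self.to_supplicant.append(eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 1, EAP_IDENTITY)))
        elif ptype == EAPOL_LOGOFF:
            self.authorized = False
        elif ptype == EAPOL_EAP_PACKET:            # a real switch wraps this in RADIUS EAP-Message
            verdict, reply = self.server.handle(frame[18:18 + length])
            self.authorized = verdict == "accept"
            self.to_supplicant.append(eapol(EAPOL_EAP_PACKET, reply))
        return False                                # EAPOL terminates at the port, never forwarded

def run_session(identity, password):
    """Drive the exchange and report whether the port forwarded data before and after it."""
    port = AuthenticatorPort(RadiusServer())
    supp = Supplicant(bytes.fromhex("001122334455"), identity, password)   # constructed MAC
    data_frame = ethernet(supp.mac, 0x0800, b"IPv4 payload (constructed)")
    before = port.ingress(data_frame)
    port.ingress(ethernet(supp.mac, ETHERTYPE_EAPOL, eapol(EAPOL_START)))
    while port.to_supplicant:
        reply = supp.respond(port.to_supplicant.pop(0)[4:])   # strip the 4-byte EAPOL header
        if reply is None:
            break
        port.ingress(ethernet(supp.mac, ETHERTYPE_EAPOL, eapol(EAPOL_EAP_PACKET, reply)))
    return {"forwarded_before": before, "authorized": port.authorized,
            "forwarded_after": port.ingress(data_frame)}
```

EAP-MD5 is used here only because it fits in a few lines: it offers no server authentication and no keying material, so anyone who captures the challenge and response can run an offline dictionary attack, and it cannot be used for Wi-Fi at all. Production deployments use EAP-TLS (or a tunnelled method) inside the same EAPOL and RADIUS framing.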
5. RADIUS vs. TACACS+
Two AAA protocols used to centralise authentication, authorization and accounting for network gear.
- RADIUS (RFC 2865/2866): authentication and authorization are combined in one exchange (the Access-Accept carries the authorization attributes, such as a VLAN); accounting is a separate message type. Runs over UDP, port 1812 for authentication and 1813 for accounting. Only the User-Password attribute is hidden, by XORing it with an MD5 stream derived from the shared secret; the user name and every other attribute travel in the clear. Running it inside TLS (RadSec, RFC 6614) is the usual fix.
- TACACS+ (RFC 8907): authentication, authorization and accounting are separate exchanges, which allows per-command authorization. Runs over TCP port 49. The 12-byte header is sent in clear text and the whole packet body is XORed with an MD5-derived pad; RFC 8907 calls this obfuscation rather than encryption and recommends protecting the transport (a dedicated management network or IPsec). The per-command authorization is why Cisco and most large shops prefer it for network device administration, while RADIUS remains the protocol for user and 802.1X access.
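To make the difference in "what is protected" concrete, here is an added Python example (not code from this module or from either protocol's reference implementations) that builds a RADIUS Access-Request with the RFC 2865 User-Password hiding, and a TACACS+ packet with the RFC 8907 section 4.5 body obfuscation, then checks what an on-path observer can read from each. The shared secret, Request Authenticator, session id, user name, password and the TACACS+ body text are all constructed for the example; the algorithms are the ones the RFCs specify.

```python
import hashlib
import struct

SHARED_SECRET = b"hypothetical-shared-secret"   # constructed; shared by client and server


# ---- RADIUS (RFC 2865 section 5.2): only the User-Password attribute is hidden ----

def radius_hide_password(password, authenticator, secret=SHARED_SECRET):
    """Pad to 16-byte blocks; block i is XORed with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator          # first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], stream))
        out += prev
    return out

def radius_reveal_password(hidden, authenticator, secret=SHARED_SECRET):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def radius_access_request(username, password, authenticator, ident=1):
    """Code 1 = Access-Request; attribute 1 = User-Name (clear), 2 = User-Password (hidden)."""
    attrs = bytes([1, 2 + len(username)]) + username
    hidden = radius_hide_password(password, authenticator)
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def radius_attrs(packet):
    """Type -> value for the TLV attribute list that follows the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


# ---- TACACS+ (RFC 8907 section 4.5): clear header, whole body XORed with an MD5 pad ----

def tacacs_pad(session_id, version, seq_no, length, key=SHARED_SECRET):
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(same inputs, MD5_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def tacacs_packet(body, session_id, seq_no, packet_type=1, version=0xC0, key=SHARED_SECRET):
    """12-byte header (version, type, seq_no, flags, session_id, length) then the obfuscated body."""
    pad = tacacs_pad(session_id, version, seq_no, len(body), key)
    obfuscated = bytes(x ^ y for x, y in zip(body, pad))
    return struct.pack("!BBBBII", version, packet_type, seq_no, 0, session_id, len(body)) + obfuscated

def tacacs_body(packet, key=SHARED_SECRET):
    """Decoding is the same XOR; every pad input except the key is in the clear-text header."""
    version, _, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if flags & 0x01:                          # TAC_PLUS_UNENCRYPTED_FLAG: body sent in the clear
        return body
    return bytes(x ^ y for x, y in zip(body, tacacs_pad(session_id, version, seq_no, length, key)))


def compare(username=b"admin", password=b"s3cret"):
    """What an on-path observer sees in each protocol, using constructed values."""
    authenticator = bytes(range(16))          # constructed; a real client uses 16 random bytes
    req = radius_access_request(username, password, authenticator)
    body = b"user=" + username + b" pass=" + password   # constructed stand-in for an authentication body
    tac = tacacs_packet(body, session_id=0x1234ABCD, seq_no=1)
    return {
        "radius_username_in_clear": username in req,
        "radius_password_in_clear": password in req,
        "radius_password_recovered": radius_reveal_password(radius_attrs(req)[2], authenticator),
        "tacacs_username_in_clear": username in tac,
        "tacacs_body_recovered": tacacs_body(tac),
    }
```

Two things the code makes visible. In RADIUS the user name is readable on the wire while the password is not, and the password hiding is keyed only by the shared secret plus a value sent in the same packet, so a weak secret is brute-forceable offline from one captured request. In TACACS+ everything after the header is masked, but the mask is a plain XOR keyed by the secret and header fields, with no integrity protection; neither scheme is a substitute for TLS or IPsec on the path between authenticator and server.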