8.2. Identity Authentication

The policy engine is at the core of the authentication process for the NAC-based network. Authentication is a process of determining whether a user or a device (identity) is really what it claims to be:

  • Identity without authentication is like a hostess at a restaurant asking for your name to ensure a reservation.

    Maybe you can lie and get away with it (until the real party of seven shows).

  • Identity with authentication is like a police officer asking for your driver's license after a traffic violation.

    The officer and his network will verify your identity to make sure that you're who you say you are.

Many networks today operate without identity, which is not much different from an open parking lot where nobody checks who comes and who leaves. These networks first connect the user or device, and only once it is on the network does the enforcement point block access if it has no credentials. Identity checks should happen much sooner, like putting a card-checking booth at the entrance to the parking lot.

With NAC, you can find out who the user or device is before you attach that user or device to the network.

8.2.1. Collecting identity

Although different NAC vendors support different methods of collecting identity, the typical first step in validating identity for access control is to collect the identity's ...

Get Network Access Control For Dummies® now with O’Reilly online learning.
