How FreeNAC works
FreeNAC provides a transparent solution for dynamic VLAN management while restricting LAN connectivity. From the security point of view, it detects 'unknown' devices that are trying to gain access through an open Ethernet LAN socket and denies access (and logs the event). Known, registered devices are switched to the LAN attributed to them.
Visitors (unknown devices), may optionally be given access to a default/guest VLAN zone. This may be useful, for example, for organisations who wish to allow visitors Web / VPN access to the Internet, but not access to internal networks.
With FreeNAC, as soon as a new device is connected to the switch port, its MAC address is passed to the server, where it will be stored and checked to see if this device is allowed to access the network. If the connecting device is allowed, the server will give back to the switch the VLAN that this particular device belongs to. If this device isn't yet registered, it is blocked access or placed in a limited VLAN, depending upon policy.
FreeNAC has two modes of operation:
VMPS (VLAN Management Policy Server) is a way of assigning switch ports to specific VLANs based on MAC address of connecting device. In VMPS mode, a VMPS-capable switch detects a new PC and creates a VMPS request asking for authorisation from FreeNAC, which checks its database and refuses or grants access to the network based on the PCs MAC address. The switch enforces the decision taken by FreeNAC and denies access or if successful, dynamically puts the device in its predetermined VLAN.
802.1X is an IEEE standard for port-based Network Access Control. It provides authentication to devices attached to a LAN port, establishing a point-to-point connection or preventing access from that port if authentication fails. 802.1X is available on certain newer network switches, and can be configured to authenticate hosts which are equipped with supplicant software, denying unauthorized access to the network at the data link layer.
In 802.1X mode, FreeNAC verifies the user credentials (through the use of a third party authentication server) and uses the MAC address of the connecting device to assign it a VLAN. This creates a pair username / device which is unique for every connecting client.
For a rogue user, not only must the MAC address be spoofed; she has also to get valid user credentials, making it more difficult to gain access to the network.
For non-802.1x-capable devices using Cisco 802.1x-capable switches, we use MAC-Authentication bypass to authorise the device and assign a VLAN. Authenticating both username and device is more secure than authenticating only the device, it is risk/benefit tradeoff.