Admission Control Design

The final topic in this chapter builds on the previous WLAN security frameworks and extends the concept of network admission beyond what has been discussed previously in this book. In this concept, admission to the network at Layer 3 or Layer 2 is determined not only by the user's or machine's identity but also by the WLAN device's compliance with a corporate policy covering a variety of criteria. These criteria include, for example, antivirus software from vendor XXXX, version YYYY, which must be active and up to date with the latest AV definition files. The intent of this solution is to improve the network's capability to identify, prevent, and adapt to threats. Admission control lets the network designer make a policy decision about the threat a network client poses based on that client's compliance with the required security posture.

The solution architecture is designed to allow access-control decisions to be based on identity information, posture compliance, or both. However, the first phases of the admission-control solution concentrate only on posture validation, and these initial phases support Layer 3 access control.

In the context of a WLAN, this access control will initially be determined by a Layer 3 device that sits behind the APs and in front of the enterprise network. This admission control improves the security posture of the network by validating the security posture of clients that have passed WLAN authentication but might still carry a threat (such as a worm or a virus) into the enterprise network. For example, suppose a mobile device has become infected with a virus that deactivates the AV software installed on the device. The corporate policy is that the AV software must be active on the mobile device before access to the network is granted. When the mobile device accesses the WLAN, it is assessed for its compliance with the corporate policy. Because the virus disabled the AV software, the mobile device fails the policy check and is either denied access to the network or restricted to accessing only the remediation services for the virus. Figure 10-7 depicts the network topology for this solution.

Figure 10-7. Advanced Security Design with Client Policy Compliance


Posture validation can be triggered by any traffic that traverses the gateway. In the Layer 3 mode, posture validation is done by having the Cisco Trust Agent (CTA) act as the single point of contact through which the host exchanges posture credentials with the network. CTA is intended to aggregate credentials for the client from multiple posture plug-ins and to communicate them to the network. In Figure 10-7, the network access device (NAD), upon recognizing an incoming client's traffic, issues a challenge for credentials to the client station's CTA via Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP). CTA then gathers its posture credentials and sends them to the NAD. The NAD takes the response from the client and forwards it to the policy server (AAA); the NAD acts purely as a relay between the client and the policy server. The conversation between the client and the policy server is protected from eavesdropping by tunneling it through Protected Extensible Authentication Protocol (PEAP). The policy server can validate the posture of the client either locally or through an external AV server. When the validation is complete, the NAD enforces the access policy downloaded to it from the policy server. The access policy can be one of the following options:

  • Full access

  • Restricted access (quarantine)

  • Deny access through the NAD

The restricted access is intended to allow the client to reach resources where it can make changes to its configuration or software installation to become compliant with the posture policy. At administratively defined intervals, the NAD revalidates the posture assessment of the client. In addition, between posture assessments, the NAD periodically issues status queries to determine that the client using the NAD is still the same client that passed posture validation and that its posture credentials have not changed. For clients that do not have CTA installed, the NAD has the capability to query the policy server for an access-control policy, or to consult a local exception list if one is available.
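The exchange described above (CTA aggregating plug-in credentials, the NAD relaying them to the policy server and enforcing one of the three access policies, status queries between revalidations, and the exception list for hosts without CTA), modelled as an added Python example written for this page. It is not Cisco's CTA or NAD code; every class, function and field name here is hypothetical, and the sample policy values and client postures are constructed.

```python
# Toy model of the EAPoUDP posture-validation flow described above. Illustrative
# code written for this page, not Cisco software; all names are hypothetical.
from dataclasses import dataclass, field
import hashlib
import json

FULL, QUARANTINE, DENY = "full-access", "quarantine", "deny"

@dataclass
class CorporatePolicy:
    av_vendor: str                  # the "vendor XXXX" of the text
    av_min_version: int             # the "version YYYY"
    max_definition_age_days: int    # how stale AV definitions may be

@dataclass
class ClientStation:
    mac: str
    has_cta: bool
    posture: dict = field(default_factory=dict)  # what the AV posture plug-in reports

    def cta_posture_credentials(self):
        """CTA aggregates plug-in credentials to answer the NAD's challenge."""
        return dict(self.posture) if self.has_cta else None

def policy_server_validate(creds, policy):
    """AAA policy server maps posture credentials to one of the three policies."""
    if creds.get("av_vendor") != policy.av_vendor:
        return DENY                 # wrong product: no remediation path offered
    if not creds.get("av_active") or creds.get("av_version", 0) < policy.av_min_version:
        return QUARANTINE           # remediation: re-enable or upgrade the AV
    if creds.get("av_definitions_age_days", 10**6) > policy.max_definition_age_days:
        return QUARANTINE           # remediation: fetch current definitions
    return FULL

def posture_fingerprint(creds):
    """Token the NAD keeps so later status queries can detect changed credentials."""
    return hashlib.sha256(json.dumps(creds, sort_keys=True).encode()).hexdigest()

def nad_admit(client, policy, exception_list):
    """NAD relays the CTA credentials to the policy server and enforces the result.
    Returns (access_policy, fingerprint); hosts without CTA use the exception list."""
    creds = client.cta_posture_credentials()
    if creds is None:
        return exception_list.get(client.mac, DENY), None
    return policy_server_validate(creds, policy), posture_fingerprint(creds)

def nad_status_query(client, fingerprint):
    """Between revalidations: same client, with posture credentials unchanged?"""
    creds = client.cta_posture_credentials()
    return creds is not None and posture_fingerprint(creds) == fingerprint
```

A client whose AV is switched off after admission fails the next status query and lands in quarantine on revalidation, which is the infected-device scenario from the text.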

Later phases of the solution introduce Layer 2 posture validation via 802.1x/EAP, which makes it applicable to WLANs that use WPA/802.11i as their security framework. Additionally, Layer 3 posture assessment can be accomplished in a VPN environment by having the VPN concentrator perform the policy validation and then act on the client's compliance with the posture assessment.