Identity management

Identity Management in 802.1x networks

Transcript of Identity management

Page 1: Identity management

Identity Management in 802.1x networks

Page 2: Identity management

Network without Identity Management

[Diagram: two network switches on one private network, with Internet access and a Microsoft AD, DC and RADIUS (IAS/NPS) server. Finance Dept and Client Project share the same private network; Finance Team, Project Team and Visitor connect to the switches.]

Page 3: Identity management

Why is identity management needed in networks?

• Security for your network.

• Protecting confidential data.

• Per-project isolation.

Page 4: Identity management

What is Identity Management?

[Diagram: an identity as the network sees it, made up of Account ID / Domain, VLAN Membership, IP Address and MAC Address; the components shown are the Network switch and the Authentication/Authorization Server.]

Page 5: Identity management

What does an Identity-Aware Network look like?

[Diagram: the same private network as before, with Internet access and the Microsoft AD, DC and RADIUS (IAS/NPS) server. Both network switches are enabled with identity management. Users are placed into separate VLANs: Client Project VLAN, Finance Dept VLAN and Guest VLAN; Finance Team, Project Team and Visitor connect to the switches.]

Page 6: Identity management

Network without VLAN

[Diagram: Finance Team, Project Team and Visitors all attached to one Network Switch, with no VLAN separation.]

Since there is no VLAN isolation in the switch, anyone connecting to the switch will have access to anything in the network.

Page 7: Identity management

How does VLAN isolation work?

[Diagram: Project Team, Finance Team and Visitors attached to the same Network Switch, separated by VLAN.]

Page 8: Identity management

How does authentication work?

[Diagram: two network switches on the private network, a Client Project VLAN, and the Microsoft AD, DC and RADIUS (IAS/NPS) server; a Project Team user connects to a switch.]

1. User connects to the network.

2. Switch sends the user identity to the Authentication Server.

3. RADIUS verifies the Account ID / Domain ID with AD.

4. RADIUS processes the policy set for that user: (1) Security Group, (2) RADIUS attributes (in this case VLAN membership).

5. Based on the information sent by RADIUS, the switch places the person in the corresponding VLAN.
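The flow on this slide, steps 3 to 5 in particular, worked as an added Python example that is not part of the original slides: the RADIUS server encodes the VLAN membership as RADIUS attributes in its Access-Accept (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID, per RFC 2868 and RFC 3580), and the switch checks the Response Authenticator against the shared secret before placing the port in that VLAN. The shared secret, Request Authenticator and VLAN id used with it are constructed values.

```python
"""RADIUS dynamic VLAN assignment (RFC 2865 packet/authenticator, RFC 2868/3580 tunnel attributes)."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6   # 3-byte values behind a 1-byte tag


def _avp(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value; Length covers all three fields."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_vlan_accept(identifier, request_authenticator, shared_secret, vlan_id, tag=1):
    """RADIUS server side: Access-Accept whose attributes carry the user's VLAN membership."""
    attrs = (_avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
             + _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
             + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + shared_secret).digest()
    return header + resp_auth + attrs


def switch_vlan_from_accept(packet, request_authenticator, shared_secret):
    """Switch side: return the VLAN id from an authentic, well-formed Access-Accept, else None."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + shared_secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # wrong shared secret or tampered attributes: leave the port where it is
    found, pos = {}, 0
    while pos < len(attrs):  # walk the TLV list, rejecting lengths that would overrun it
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            return None
        found[attrs[pos]] = attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]
    if (found.get(TUNNEL_TYPE, b"")[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big")
            or found.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")
            or TUNNEL_PRIVATE_GROUP_ID not in found):
        return None
    group = found[TUNNEL_PRIVATE_GROUP_ID]
    vlan = group[1:] if group and group[0] <= 0x1F else group  # RFC 2868 §3.6: tag only if <= 0x1F
    return int(vlan) if vlan.isdigit() else None
```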

Page 9: Identity management

Questions ?