DRAFTS

Nile Access Service: Quick Start Guide

[DEPRECATED] Building a Zero Trust Campus: Authentication

Shiv> Zero Trus Campus has three sections, This section falls under Zero Trust Access.

Authentication Methods in the Nile Access Service: Building a Zero Trust Campus

The Nile Access Service is built on the principles of the "Zero Trust Campus," ensuring that no user or device is implicitly trusted. By implementing strong authentication methods and granular access controls, the Nile Access Service helps organizations secure their network resources and protect against unauthorized access.

The following authentication methods are supported within the Nile Access Service, each playing a crucial role in establishing a Zero Trust Campus:

  1. Wired and Wireless 802.1X
  2. Single Sign-On (SSO)
  3. MAC Authentication Bypass (MAB)

Let's review each of these in more detail.

Wired and Wireless 802.1X: Strong Authentication for Zero Trust

802.1X is an IEEE standard for port-based network access control, providing strong authentication and encryption for both wired and wireless connections. By implementing 802.1X, organizations can ensure that only authenticated users and devices can access network resources, aligning with the principles of the Zero Trust Campus.

Nile's implementation of 802.1X offers:

Learn more about configuring 802.1X in the Nile Access Service to strengthen your Zero Trust Campus.

Single Sign-On (SSO): Streamlining Zero Trust Access

Single Sign-On allows users to access multiple applications with a single set of credentials, streamlining the user experience while maintaining the principles of the Zero Trust Campus. By integrating SSO with the Nile Access Service, organizations can enforce consistent authentication and authorization policies across their network resources.

Nile's SSO integration provides:

Discover how SSO can be seamlessly integrated into the Nile Access Service to enhance your Zero Trust Campus.

MAC Authentication Bypass (MAB): Securing Devices in a Zero Trust Campus

MAC Authentication Bypass is an authentication method that grants network access based on a device's MAC address. While MAB is useful for devices that don't support 802.1X, it's essential to implement additional security measures to maintain the integrity of the Zero Trust Campus.

Nile's MAB implementation includes:

Explore the configuration and best practices for MAB in the Nile Access Service to secure devices within your Zero Trust Campus.

By leveraging these authentication methods and following best practices, organizations can build a robust Zero Trust Campus with the Nile Access Service, ensuring secure access to network resources and protecting against unauthorized access.

Authentication Comparison

Shiv> I did not follow why there is an under considerations. That symbol means something is not good. Maybe we dont need that column?

Authentication Method Description Zero Trust Campus Benefits Considerations

Wired and Wireless 802.1X
- IEEE standard for port-based network access control
- Supports various EAP methods (PEAP, EAP-TLS, EAP-TTLS)
- Provides strong authentication and encryption
Ensures only authenticated users and devices access network resources
Enables granular access control based on user identity and device posture
Integrates with existing RADIUS infrastructure for centralized management
Requires careful planning and configuration
Necessitates compatible client software on devices
May introduce additional authentication latency

Single Sign-On (SSO)
- Allows users to access multiple applications with a single set of credentials
- Supports popular SSO protocols (SAML, OAuth, OpenID Connect)
- Reduces password fatigue and improves user experience
Enforces consistent authentication and authorization policies
Provides granular access control based on user attributes and group membership
Streamlines user experience while maintaining Zero Trust principles
Requires integration with identity providers (IdPs)
IdP becomes a critical component, necessitating high availability
May require additional attribute mapping and user provisioning

MAC Authentication Bypass (MAB)
- Authenticates devices based on their MAC address
- Useful for devices that don't support 802.1X (printers, IoT devices)
Provides network access for devices that can't support 802.1X
Serves as a fallback method to ensure maximum device coverage
Centralized configuration through the Nile Customer Portal
Less secure than 802.1X, as it relies on MAC addresses
Vulnerable to MAC spoofing attacks
Requires additional measures to maintain Zero Trust principles

Integrating Aruba Clearpass for Dynamic Segment Assigment

Introduction

The Nile Access Service supports integration with Aruba ClearPass, a leading network access control (NAC) solution, to enable dynamic segment assignment based on user and device attributes.

Configure Nile to Use Aruba ClearPass as Authentication Server

  1. In the Nile Customer Portal, navigate to "Settings" > "Authentication" and click the "Add" button to configure a new authentication server.
  2. Enter the required details, including the ClearPass server's name, IP address, port, and shared secret.
  3. Select the appropriate geographical scope (Geo Scope) for the ClearPass server.
  4. Click "Verify Hosts" to test the connection to the ClearPass server.

Configure ClearPass for Nile Integration

  1. Import the Nile dictionary file into the ClearPass RADIUS dictionary. This file contains the necessary vendor-specific attributes (VSAs) used for dynamic segment assignment.
  2. Add the Nile Service Block (NSB) as a network device in the ClearPass Policy Manager, specifying the NAS IP address and RADIUS shared secret.
  3. Create a new 802.1X wireless service in the ClearPass Policy Manager, leveraging the local identity store.
  4. Configure the Enforcement Profile for the 802.1X service to include the "netseg" attribute, which will be used to dynamically assign the user or device to the appropriate network segment in the Nile Access Service.

Verify Authentication and Segment Assignment

  1. In the Nile Customer Portal, navigate to the "Devices" section and select a device that has recently authenticated.
  2. Review the "Events" details to verify the RADIUS authentication information, including the assigned network segment.
  3. You can also check the user authentication logs in the Aruba ClearPass Policy Manager for additional troubleshooting.

By integrating Aruba ClearPass with the Nile Access Service, organizations can leverage the advanced network access control features of ClearPass, such as device profiling and posture assessment, while benefiting from the dynamic segment assignment capabilities of the Nile platform.