Zero Trust Access 802.1x

Overview

Nile's Campus Zero Trust approach to network security is essential in today's high-risk environment. Nile's support for industry-standard 802.1X authentication enables you to enforce consistent access controls and policies across your wired and wireless campus networks, ensuring only authorized devices and users can connect.

By integrating with your existing RADIUS infrastructure (for example, Active Directory) to authenticate clients, the Nile Access Service ensures only authorized devices and users can access network resources. In the Campus Zero Trust architecture, devices are denied access by default and can only reach resources after passing one of the supported authentication methods, including 802.1X. This streamlines onboarding and delivers a seamless user experience while maintaining a strong security posture.

(Screenshot: wired802.png)

Configuring 802.1X Authentication on Nile
To set up 802.1X authentication on your campus zero trust network with Nile, follow these steps:

  1. Configure RADIUS Servers

    • In the Nile Portal, navigate to the "Settings > Authentication" tab and click "Add".
    • Enter the details for your RADIUS server: the name, port, shared secret, the Geo Scope it supports, and the IP address or FQDN.
    • Click the "VERIFY HOSTS" button to confirm your settings. If the check passes, save the server configuration.
  2. Enable 802.1X on a Nile Segment

    • Go to the "Settings > Segments" tab and click the pencil icon to edit your chosen segment.
    • In the segment details, navigate to the Service Area tab.
    • Select the RADIUS server you just configured in the Authentication dropdown.
    • Click SAVE; 802.1X is enabled on that segment immediately.

(Screenshot: segment_auth_services.png)

Supporting Non-802.1X Devices in a Campus Zero Trust Network

Nile understands that not every device on your network will support 802.1X. For these non-802.1X-capable clients, Nile offers MAC Authentication Bypass; learn more.

Shiv> I forgot about this. We need to upload the Nile dictionary file here. This file is uploaded in the RADIUS server and is used to send us back the segment name as a vendor-specific attribute.

Dynamic Segment Assignment with Nile Dictionary

The Nile Access Service supports dynamic segment assignment based on user and device attributes received from external RADIUS servers, such as Cisco Identity Services Engine (ISE) and Aruba ClearPass. To facilitate this, Nile provides a custom dictionary file that can be uploaded to the RADIUS servers.

When a user or device authenticates to the Nile Access Service using 802.1X, the RADIUS server can send the "netseg" attribute during the authentication process. This attribute informs the Nile Access Service which network segment the user or device should be assigned to.
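As an added illustration (not Nile's own code, and not the contents of its dictionary file), the block below shows how a NAS-side parser would pull the "netseg" value out of the Vendor-Specific attribute (RFC 2865 type 26) in an Access-Accept and fall back to default-deny when the attribute is missing or names a segment the portal does not know. The vendor ID and vendor attribute number are placeholders, since this page does not reproduce the dictionary file.

```python
import struct

# Placeholders: the real values come from the Nile dictionary file.
ASSUMED_VENDOR_ID = 99999     # assumed, not Nile's registered vendor ID
ASSUMED_NETSEG_ATTR = 1       # assumed vendor attribute number for "netseg"
VENDOR_SPECIFIC = 26          # RFC 2865 attribute type for VSAs
DEFAULT_SEGMENT = None        # zero trust: no valid segment means no access


def parse_attributes(payload: bytes):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    offset = 0
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = payload[offset], payload[offset + 1]
        if attr_len < 2 or offset + attr_len > len(payload):
            raise ValueError("bad attribute length")
        yield attr_type, payload[offset + 2 : offset + attr_len]
        offset += attr_len


def extract_netseg(payload: bytes):
    """Return the segment name carried in the netseg VSA, or None if absent."""
    for attr_type, value in parse_attributes(payload):
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        if vendor_id != ASSUMED_VENDOR_ID:
            continue  # another vendor's VSA; ignore it
        vtype, vlen = value[4], value[5]
        if vlen < 2 or 4 + vlen > len(value):
            raise ValueError("bad VSA length")
        if vtype == ASSUMED_NETSEG_ATTR:
            return value[6 : 4 + vlen].decode("utf-8")
    return None


def build_netseg_vsa(segment: str) -> bytes:
    """Encode the netseg VSA the way a RADIUS server using the dictionary would."""
    inner = bytes([ASSUMED_NETSEG_ATTR, 2 + len(segment)]) + segment.encode()
    body = struct.pack("!I", ASSUMED_VENDOR_ID) + inner
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


def assign_segment(accept_attrs: bytes, known_segments: set):
    """Place the client only in a segment the portal knows; otherwise default-deny."""
    seg = extract_netseg(accept_attrs)
    return seg if seg in known_segments else DEFAULT_SEGMENT
```

Unknown segment names are treated the same as a missing attribute, so a misconfigured RADIUS policy cannot grant access by accident.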

Example Use Case: Single SSID for Teachers and Students

Shiv provided the following example use case:

Configuring Dynamic Segment Assignment

To configure dynamic segment assignment using the Nile dictionary file, follow these steps:

By leveraging dynamic segment assignment with the Nile-provided dictionary file, organizations can achieve a higher level of granular access control, ensuring that users and devices are consistently placed in the correct network segments based on their identity, device type, and location. This enhances the overall security of the campus zero trust network by reducing the risk of unauthorized access and lateral movement.

Unique Passphrase (UPSK) with SSO External RADIUS

The Nile Access Service supports the integration of Unique Passphrase (UPSK) with external RADIUS servers, such as Cisco ISE and Aruba ClearPass. UPSK enhances the security of traditional pre-shared key (PSK) wireless networks by assigning a unique passphrase to each authenticated user, rather than a single shared key.

To configure UPSK with an external RADIUS server in the Nile Access Service, follow these steps:

By integrating UPSK with an external RADIUS server, you can leverage your existing identity management infrastructure to provide secure wireless access, while still benefiting from the enhanced security and user-specific credentials offered by the Nile Access Service's UPSK feature.

Centralized Management and Visibility

Nile's cloud-managed architecture provides a simple path for 802.1X deployment. This includes the ability to:

(Screenshot of the Nile Portal's 802.1X monitoring and reporting dashboard)

By leveraging Nile's 802.1X capabilities, you can establish a robust, campus zero trust network that securely connects all devices and users, regardless of their location or device type.

Contact us today to learn more about how Nile can help secure your campus environment.

Single Sign-On (SSO)


Revision #9
Created 20 March 2024 18:20:59 by JR
Updated 28 March 2024 21:53:20 by JR