802.1x - Wired & Wireless
Overview

Nile's Campus Zero Trust approach to network security is essential in today's high-risk environment. Nile's support for industry-standard 802.1X authentication enables you to enforce consistent access controls and policies across your wired and wireless campus networks, ensuring only authorized devices and users can connect. By integrating with your existing RADIUS infrastructure, such as Windows NPS, Aruba ClearPass, Cisco ISE, etc., to authenticate clients, the Nile Access Service ensures only authorized devices and users can access network resources.

In the Campus Zero Trust architecture, devices are denied access by default and can only access resources through one of the supported authentication methods, including 802.1X. This streamlines the onboarding process and ensures a seamless user experience, all while maintaining a strong security posture.

The Nile Access Service supports several RADIUS-powered authentication methods to provide secure network access for a variety of devices and use cases. These authentication options include:

- 802.1X authentication with external RADIUS (wireless 802.1X and wired 802.1X)
- MAC authentication with external RADIUS
- UPSK (unique passphrase) with external RADIUS
- Guest services with external RADIUS

In this section we will cover 802.1X authentication.

Configuring 802.1X Authentication on Nile

To set up 802.1X authentication on your Campus Zero Trust network with Nile, follow these steps.

Add a RADIUS server

In the Nile Portal, navigate to the "Network Setup > Authentication" tab and click "Add". The following fields are available:

- Name: a unique name for the RADIUS server group.
- Port: the standard RADIUS port, usually 1812.
- Shared Secret: the shared secret; it must be configured on the RADIUS server side as well.
- Host 1, Host 2, Host 3: the IP addresses or hostnames of the primary, secondary, and tertiary RADIUS servers.
- Geo Scope: the geographical scope (sites) that the RADIUS server group serves.
- Verify Hosts: an optional setting to authenticate the RADIUS server using an MSCHAP-PEAPv2 username and password.
- Display NAS IPs: displays the Nile IP addresses from which authentication requests will originate, allowing you to configure the RADIUS server accordingly.
- Guest Portal URLs: this setting is leveraged for guest access authentication.
- Wired MAC Auth: specifies that this RADIUS server group should be used for MAC authentication.

Enable 802.1X on a Nile segment

1. Go to the Network Setup > Segments tab and click the pencil icon to edit your chosen segment.
2. In the segment details, navigate to the Service Area tab.
3. Select the RADIUS server you just configured in the Authentication dropdown.
4. Click Save to immediately enable 802.1X on that segment.

Redundancy

If multiple RADIUS servers are configured (Host 1, Host 2, Host 3), the Nile Access Service follows a primary/secondary/tertiary failover model. The authentication request is first sent to the primary server (Host 1). If the primary server is down, the request is sent to the secondary server (Host 2), and if the secondary server is also down, the request is sent to the tertiary server (Host 3). If the primary server (Host 1) comes back online, the Nile Access Service resumes sending requests to the primary server.

Proactive Monitoring

The Nile Access Service proactively monitors all configured RADIUS servers every minute, reporting on latency and the up/down status of each server. This monitoring can be based on accounting transactions or on MSCHAP-PEAPv2 username and password verification provided by the administrator.

Supporting non-802.1X devices in a Campus Zero Trust network

Nile understands that not every device on your network will support 802.1X. For these non-802.1X-capable clients, Nile offers MAC Authentication Bypass.

Dynamic Segment Assignment with the Nile Dictionary

In some use cases, a single SSID can be mapped to multiple segments in the Nile Access Service. In such scenarios, it is mandatory for the RADIUS server to send back the exact segment name that the user or device should be assigned to.

The Nile Access Service supports dynamic segment assignment based on user and device attributes received from external RADIUS servers, such as Cisco Identity Services Engine (ISE) and Aruba ClearPass. To facilitate this, Nile provides a custom dictionary file that can be uploaded to the RADIUS servers; alternatively, standard RADIUS attributes can be used. When a user or device authenticates to the Nile Access Service using 802.1X, the RADIUS server can send the "netseg" Vendor-Specific Attribute (VSA) during the authentication process. This attribute informs the Nile Access Service which network segment the user or device should be assigned to.

The 802.1X flow is as follows:

1. A wireless or wired device initiates 802.1X.
2. The NSB proxies all requests to the RADIUS server.
3. Once the device is successfully authenticated, the RADIUS server is required to send a segment name (exact, case-sensitive match) to the NSB for wired devices. For wireless devices the segment is optional if the SSID is mapped to just one segment.
4. If the NSB has the segment configured, the device is assigned to that segment.
5. The NSB now allows and forwards all frames, including DHCP.

Example use case: single SSID for teachers and students

The SSID "Acme Campus" is used by both teachers and students. Teachers belong to the "teacher" segment, while students belong to the "student" segment. The RADIUS server is configured to send the "netseg" attribute during the 802.1X authentication process: it sends "netseg=teacher" when a teacher authenticates and "netseg=student" when a student authenticates. The segment names sent by the RADIUS server must exactly match (case-sensitive) the segment names configured in the Nile Access Service.

Configuring dynamic segment assignment

The segment assignment can be achieved in two ways.

Vendor-Specific Attribute (Nile dictionary file)

The Nile dictionary file needs to be uploaded into the RADIUS server, and the "netseg" attribute should be leveraged. For example, the RADIUS server should send "netseg=teacher" or "netseg=student" when authenticating users. The "netseg" value is case-sensitive and must match the segment names configured in the Nile Customer Portal.

Nile custom dictionary file:

    VENDOR          Nile            58313
    BEGIN-VENDOR    Nile
    ATTRIBUTE       Redirect-URL    1       string
    ATTRIBUTE       netseg          2       string
    ATTRIBUTE       Nile-AVPair     3       string
    END-VENDOR      Nile

Standard RADIUS attribute

If the RADIUS server does not support uploading a custom dictionary file, the segment name can be sent using the standard RADIUS attribute Tunnel-Private-Group-Id.

Lookup

If the segment name sent by the RADIUS server is null or does not match the configured segments in Nile, the device will fail authentication with the appropriate error message. Note that if the SSID is mapped to only one segment in the Nile Access Service, the use of the Nile dictionary file or the standard RADIUS attribute is not required.

To configure dynamic segment assignment:

1. Create and upload the Nile dictionary to the RADIUS server. Depending on the RADIUS server you're using (Cisco ISE or Aruba ClearPass), follow the instructions in the respective guides: "Integrating Cisco ISE with the Nile Access Service for Dynamic Segment Assignment" and "Integrating Aruba ClearPass with the Nile Access Service for Dynamic Segment Assignment" (https://app.archbee.com/docs/jugamsswawauxxjhmyr53/ui7al rirqzpo wldhpjk).
2. Configure the RADIUS server to send the "netseg" attribute. Ensure that your RADIUS server is set up to send the "netseg" attribute during the 802.1X authentication process. The attribute value should match the segment names configured in the Nile Access Service.
3. Configure segments in the Nile Customer Portal. In the "Network Setup" > "Segments" section of the Nile Customer Portal, create the network segments that correspond to the "netseg" attribute values received from the RADIUS server (e.g., "teacher" and "student" segments).
4. Associate segments with 802.1X authentication. When configuring 802.1X authentication in the "Network Setup" > "Segments" section, select the RADIUS server you've set up and enable dynamic segment assignment. The Nile Access Service will then automatically place users and devices in the appropriate network segments based on the "netseg" attribute received from the RADIUS server.

By leveraging dynamic segment assignment with the Nile-provided dictionary file, organizations can achieve a higher level of granular access control, ensuring that users and devices are consistently placed in the correct network segments based on their identity, device type, and location. This enhances the overall security of the Campus Zero Trust network by reducing the risk of unauthorized access and lateral movement.

Centralized Management and Visibility

Nile's cloud-managed architecture provides a simple path for 802.1X deployment. This includes the ability to:

- easily onboard and manage primary, secondary and tertiary RADIUS servers for redundancy and segmentation
- track authentication events and client activity across your wired and wireless networks
- quickly troubleshoot connectivity issues with detailed logs and reporting

By leveraging Nile's 802.1X capabilities, you can establish a robust Campus Zero Trust network that securely connects all devices and users, regardless of their location or device type. Contact us today to learn more about how Nile can help secure your campus environment.

Read next: Single Sign-On (SSO) https://docs.nilesecure.com/single-sign-on-sso
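The following is an added example, not Nile's code, showing on the wire what the dynamic segment assignment section above describes: how a RADIUS server encodes "netseg" as a Vendor-Specific Attribute using the vendor id (58313) and attribute number (2) from the Nile dictionary, the Tunnel-Private-Group-Id fallback, and the NSB lookup rule (exact case-sensitive match, wired mandatory, wireless optional only when the SSID maps to one segment). The function names and the use of a PermissionError to model an authentication failure are this example's own assumptions.

```python
import struct
from typing import Optional, Sequence

NILE_VENDOR_ID = 58313              # VENDOR Nile 58313 (Nile dictionary on this page)
NILE_NETSEG_TYPE = 2                # ATTRIBUTE netseg 2 string
ATTR_VENDOR_SPECIFIC = 26           # RFC 2865 Vendor-Specific
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868 Tunnel-Private-Group-Id

def encode_netseg_vsa(segment: str) -> bytes:
    """AVP 26 wrapping vendor 58313 / vendor-type 2, i.e. netseg=<segment> on the wire."""
    value = segment.encode()
    vendor_attr = struct.pack("!BB", NILE_NETSEG_TYPE, 2 + len(value)) + value
    body = struct.pack("!I", NILE_VENDOR_ID) + vendor_attr
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body

def encode_tunnel_private_group_id(segment: str, tag: int = 0) -> bytes:
    """Standard fallback attribute; RFC 2868 prefixes the string with a one-byte tag (0 = untagged)."""
    value = bytes([tag]) + segment.encode()
    return struct.pack("!BB", ATTR_TUNNEL_PRIVATE_GROUP_ID, 2 + len(value)) + value

def segment_from_access_accept(avps: bytes) -> Optional[str]:
    """Walk the AVPs of an Access-Accept: prefer the Nile VSA, else Tunnel-Private-Group-Id, else None."""
    vsa_seg = std_seg = None
    i = 0
    while i + 2 <= len(avps):
        atype, alen = avps[i], avps[i + 1]
        if alen < 2 or i + alen > len(avps):
            raise ValueError("malformed AVP length")   # never trust length fields blindly
        val = avps[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(val) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", val[:6])
            if vendor == NILE_VENDOR_ID and vtype == NILE_NETSEG_TYPE and vlen == len(val) - 4:
                vsa_seg = val[6:].decode()
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID and val:
            std_seg = (val[1:] if val[0] <= 0x1F else val).decode()   # strip RFC 2868 tag byte
        i += alen
    return vsa_seg if vsa_seg is not None else std_seg

def nsb_segment_decision(returned: Optional[str], configured: Sequence[str], wired: bool,
                         ssid_segments: Sequence[str] = ()) -> str:
    """Lookup rule from the text: exact case-sensitive match; wired clients must be given a
    segment; wireless clients may omit it only when the SSID maps to a single segment."""
    if returned is None:
        if not wired and len(ssid_segments) == 1:
            return ssid_segments[0]
        raise PermissionError("reject: RADIUS returned no segment")
    if returned not in configured:
        raise PermissionError(f"reject: segment {returned!r} is not configured (case-sensitive)")
    return returned
```

A mismatch such as "Teacher" against a configured "teacher" segment is rejected, which is the failure an administrator should look for first when a client authenticates but never gets a segment.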