Network Access Control
The variety of network-compatible end devices is constantly increasing in companies. This fact causes a great deal of administrative effort and raises security issues.
In the past, IT departments only had to ensure that the company’s own devices had powerful yet secure network access, but nowadays, mobile devices owned by employees, guests and suppliers are added to the mix. This not only increases the administrative burden, but raises security issues too (e. g. chargeable feature films, higher speeds or greater volume when using mobile internet connections, etc.). The list of possible offers is almost limitless.
- Who gets access to the corporate network from where?
- How are access permissions restricted for personal devices?
- Who ensures that access authorisations are deleted promptly when an employee leaves the company?
- How can the administrative burden associated with time-limited access be reduced?
To meet the high requirements for security and compliance in spite of ever-increasing cost pressure, more and more companies are opting to implement automated network access control.
Guests, partners, customers, suppliers …
… require temporary and controlled internet access. Such access should be granted without any administrative burden, while also preventing misuse and complying with the law.
Employees’ personal devices …
… require access to the internet, e-mail/calendar functions or data directories, ERP systems as well as company databases. Implementing a secure BYOD strategy that can be managed independently by employees is a major challenge for IT departments.
Company-owned devices …
…should be granted access via multi-level, mostly certificate-based methods, which authenticate both people and devices (802.1x). Successfully authenticated devices are assigned to the corresponding VLANs.
Not all devices …
… such as printers and medical devices support 802.1x. MAC-based access control with automatic assignment to dedicated VLANs is suitable for these particular devices. This access control solution is multi-client capable and has interfaces to CMDB/inventory systems.
Employees, suppliers, advisers …
… require traceable remote access to sub-areas of the company’s network. To do so, companies do not want to assign internal accounts, but rather use separate administration.
Computers with virtual machines …
… as well as computers connected to unmanaged hubs/switches or to IP telephones require special authentication procedures so that each (virtual) device is assigned to the corresponding VLAN.
We recommend our customers to use our fully comprehensive NAC solution, which consists of the innovative products mpp and macman. It is manufacturer-independent and combines a variety of access procedures. This makes it currently one of the most flexible solutions on the market and meets the requirements of medium-sized and large companies.
Simple assignment of access rights
With the onway director, different scenarios (use cases) can be implemented securely and conveniently when assigning network access rights for guests and company-owned as well as private devices (BYOD).
An internal employee is visited by an external person who needs to access the internet. To authorise this, the employee logs on to the onway director and generates the corresponding guest access. The access data generated can be printed out easily then given to the guest. The guest connects their mobile device to the guest WLAN and logs in to the landing page using their access data. Access is via an unencrypted SSID.
My Devices (BYOD)
Employees are increasingly bringing their personal devices to work and wanting to connect them to the WLAN. As these devices are not managed by the company, they are not allowed to connect to the corporate WLAN.
Thanks to the onway director, all authorised employees can manage their own personal devices. A two-step procedure is used to grant network access. When accessing the onway director (sponsoring portal) for the first time, personal WLAN credentials (username/password) are generated for each employee. The employee then connects via the encrypted SSID and logs in using the previously generated credentials. As part of the second stage of the access process, the device’s MAC address plays a crucial role. Every individual device that connects to the WLAN as described above is enabled on the onway director (sponsoring portal) and from then on, it is automatically recognised by the MAC address the next time it is accessed. In addition, any devices with valid credentials that get lost can be quickly blocked in the portal. What’s more, the number of personal devices allowed per employee can be limited.
If the employee has registered with the onway director (sponsoring portal) via an external directory, their personal devices are blocked immediately when they leave the company or deleted after the device is not used for a certain length of time that can be freely specified.
Safe Guest Access (secure WiFi/PEAP)
An authorised staff member can set up encrypted internet access for their guests and WPA2-enabled devices alike. This procedure does not require the device’s MAC address to be registered with the onway director (sponsoring portal). As with “simple” Guest Access, this is a person-related authentication. Using a PEAP (Protected Extensible Authentication Protocol), a secure connection can now be established. To connect the devices with the encrypted SSID, only the credentials previously created in the portal need to be entered. This type of access offers special protection for identification data and allows different VLANs to be assigned automatically depending on group membership.
Device Management (non-WPA2)
Nowadays, more and more consumer electronics devices such as televisions, monitors and projectors are to be connected to the corporate WLAN. Newer device types are usually WLAN-capable, but they often do not feature the 802.1x standard so are therefore denied access to the WLAN. In the age of the Internet of Things (IoT), this also increasingly affects a wide range of devices such as medical apparatus, fitness equipment, sensors, etc.
These devices are registered in the onway director (sponsoring portal) by an authorised employee using their MAC address. If the device connects to the open SSID, it is authenticated by its MAC address (MAB).
Information brochure Smart Network Access
Here you can find some information about «Smart Network Access». Click on «Request download». The corresponding download will be sent to you directly by e-mail.
Thank you for your interest in the document. Please enter the requested details below to get access to the document.
The download is being sent to you directly via e-mail. If you cannot find such a message in your inbox, please check the spam folder.
We invite you to discuss your specific requirements with us in a personal meeting. onway will find the optimal solution for you and support you in the implementation of your plans in the areas of BYOD, guest access and device management via WLAN.