A network access control solution that works across wired and wireless

The Kerry County Council finds a network access control solution that works across wired and wireless networks and 60 geographically dispersed branch offices.

The Kerry County Council in the south west of Ireland has a network that serves 800 users across 60 sites, but had no way of seeing who and what was connected at any given time. So when a laptop brought in a virus that crippled the network, the council was forced to quickly seek a network access control (NAC) solution that could cover a geographically dispersed wired and wireless network.

“The big issue was the amount of sites and the geographical separation. We looked at port security, but it was just too difficult to implement. We looked at maybe having a centralised DHCP server for everything and tying it down by MAC address, but again it was very difficult and was going to cause more problems than it would solve. The only solution was NAC,” said Padraig Daughton, network analyst at Kerry County Council.

Since the network was mostly Cisco powered, Kerry County Council first considered a Cisco NAC solution, but that turned out to be cost prohibitive. Then the Council evaluated five suppliers before selecting Bradford Networks and its solution provider partner Khipu.

Bradford’s Adaptive Network Security architecture and its Network Sentry NAC promised to provision network resources securely based on pre-established policies.

“Bradford’s solution was the cheapest and it fitted very nicely into our network. We didn’t have to upgrade any of the Cisco kit. Some of the solutions wanted to put four or five devices across the network, whereas the Bradford units could just be dropped into the middle and it would handle wired, wireless and VPN users all in one box,” said Daughton.

Breakdown of the Kerry County Council Network

That was no small feat, considering the complexity of Kerry's network. The Council's wide area network (WAN) backbone is high-capacity licensed wireless based on the Cisco Enhanced Interior Gateway Routing Protocol. “From the HQ site there are two 200 Mb radio links to the main high site, and from them we spread across the county with 80 Mb licensed wireless as the backbone, with a last hop into some sites of 10 or 15 Mb,” said Daughton. The council also taps into the CAMP fire service Internet link for extra bandwidth. The rest of the WAN is MPLS, using a mix of wireless and DSL operators that provide resilience and failover capacity to the wireless network.

Back at HQ, the local area network is based on fibre connectivity with three Cisco 3750 stacks and Cisco 3560 switches. The VPN uses high-availability Cisco ASA firewalls, integrated with RSA tokens.

How Kerry implemented its NAC solution

The wired network was top priority, as that was where most of the users were going to be connecting. “We got the configs working and ran a few test labs on it with Khipu, and then once that was done it was up to me to get it rolled out across the network,” Daughton said. We had to prove that it worked; we had to send someone to every site just to validate it, and with 60 sites that took a bit of time."

Once we had it in HQ and a few other sites we let it settle for a couple of months. When we were happy with that, we set out over the next couple of months to get the rest of the sites on board.”

It soon became clear that one or two NAC policies would need tweaking. Desktop users were seeing remediation rather too often on start up when the NAC policies ensure the PC should have access to the network and resolve any issues such as out-of-date antivirus software.

Daughton explained: “Those users are on the network the whole time and they should be 99% up-to-date, so we set the policy that we would trust desktops and not scan you on connect, but at 11am every day in the background to make sure you are up to date. That made our user experience an awful lot better.”

Users now have seamless authenticated access to the network even when they are wireless: “We have a Cisco wireless controller, so when a user hits that they then hit the Bradford. If they are a valid user it then goes on to our ACS server, which talks to Active Directory and it does the scan, so you don’t need to be messing around with WEP or WPA keys,” Daughton said.

The NACs have now been live on the wired and wireless networks for some months, and Daughton is putting the finishing touches to the VPN implementation: “We have the VPN set up and tested, just waiting to go live once we have upgraded the firewall code.”

Read more on Mobile networks