VPN and 802.1x
Port-based user authentication is very useful in a remote-access or teleworker environment. The ability for people to work at home after hours or on weekends can provide a major boost in productivity. However, working from home also carries risk, because the home network is typically not controlled by the employer’s IT staff. Because of that risk, the IT staff would like only the employee’s own device to reach the corporate network, and not the PCs or PDA of that employee’s spouse or kids. For example, the employee’s daughter takes her laptop to college and downloads MP3s. Unfortunately, along with the latest tune from her favorite band she also downloads the latest virus. She goes home for the weekend to get her laundry done and uses the wireless network at home to IM with her college friends. In doing so, she inadvertently places the virus on the employer’s network, because all traffic from the employee’s house is tunneled to the corporate network before it reaches the Internet.
802.1x authentication can be used to allow only the employee’s laptop to join the VPN connection to the corporate network, while allowing the college student at home to use the Internet through the home network. An 802.1x authenticator is included in the home router as an IOS feature. In this example, the home router receives the authentication credentials from the 802.1x supplicant on the laptop. The home router, acting as the 802.1x authenticator, relays the authentication request to the authentication server at the corporate network, which accepts or rejects it. In many Cisco self-defending networks, the authentication server is the Cisco Secure ACS.
Figure 5-2 shows an example of a teleworker network with a VPN to the corporate network using 802.1x authentication. In Figure 5-2, the at-home college student can access the Internet through the same home network router that the employee uses to access the corporate network. She does not risk infection to the corporate network because her network traffic goes directly to the Internet rather than going first to the corporate network and then to the Internet.
Figure 5-2 Teleworker VPN with 802.1x
This teleworker network allows the VPN tunnel between the home network router and the access router at the corporate network to remain active continuously. The IT staff at the employer’s network can define one IP pool for valid employee devices that need to connect to the corporate network and a separate IP pool for nonemployee machines. The dual IP pool solution has the advantage that the employee machines can use the corporate DNS server while the nonemployee machines use the ISP DNS server, and only traffic from the employee pool is sent into the tunnel.
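To make the authenticator, dual-pool, and forwarding behavior described in the two passages above concrete, here is an added example that models the home router’s policy in Python. It is not Cisco IOS or Cisco Secure ACS code, and all prefixes, identities, secrets, and MAC addresses in it are constructed. The authentication server is stood in for by a shared-secret lookup (a real deployment uses RADIUS and EAP); the rest shows the decisions that matter for security: an accepted supplicant gets an employee-pool address and the corporate DNS server, anything else gets a guest-pool address and the ISP DNS server, corporate-bound traffic enters the tunnel only for an authenticated binding, and a device whose source address does not match the binding on its port is dropped rather than tunneled. The example assumes split tunneling for employee traffic to non-corporate destinations, which the passage does not specify either way.

```python
"""Model of the teleworker split-access policy (added example, constructed values)."""
import hmac
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, Iterator, Optional

# Constructed prefixes and servers, standing in for values the IT staff would define.
CORPORATE_NET: IPv4Network = ip_network("10.0.0.0/8")       # reachable only through the VPN tunnel
EMPLOYEE_POOL: IPv4Network = ip_network("192.168.10.0/24")  # pool for 802.1x-authenticated devices
GUEST_POOL: IPv4Network = ip_network("192.168.20.0/24")     # pool for nonemployee devices
CORP_DNS = "10.1.1.53"      # corporate DNS server, handed to the employee pool
ISP_DNS = "203.0.113.53"    # ISP DNS server, handed to the guest pool

# Constructed stand-in for the corporate authentication server (Cisco Secure ACS in the text).
# A real server answers EAP over RADIUS; a per-identity shared secret is enough here to
# model Access-Accept versus Access-Reject.
AUTH_SERVER_DB: Dict[str, bytes] = {"employee-laptop": b"constructed-secret"}


def auth_server_decides(identity: str, credential: bytes) -> bool:
    """Return True for Access-Accept, False for Access-Reject (unknown identity rejects)."""
    expected = AUTH_SERVER_DB.get(identity)
    if expected is None:
        return False
    return hmac.compare_digest(expected, credential)


@dataclass(frozen=True)
class Binding:
    """What the router remembers about one device on its LAN port."""
    ip: IPv4Address
    dns: str
    authenticated: bool


class HomeRouter:
    """802.1x authenticator plus dual-pool address assignment and forwarding policy."""

    def __init__(self) -> None:
        self._employee_ips: Iterator[IPv4Address] = EMPLOYEE_POOL.hosts()
        self._guest_ips: Iterator[IPv4Address] = GUEST_POOL.hosts()
        self.bindings: Dict[str, Binding] = {}  # MAC address -> binding

    def admit(self, mac: str, identity: Optional[str] = None,
              credential: bytes = b"") -> Binding:
        """Run the 802.1x exchange for a device and place it in a pool.

        A device with no supplicant (identity None) or a rejected credential lands in
        the guest pool with the ISP DNS server; an accepted one gets the employee pool
        and the corporate DNS server.
        """
        accepted = identity is not None and auth_server_decides(identity, credential)
        if accepted:
            binding = Binding(next(self._employee_ips), CORP_DNS, True)
        else:
            binding = Binding(next(self._guest_ips), ISP_DNS, False)
        self.bindings[mac] = binding
        return binding

    def forward(self, mac: str, src: str, dst: str) -> str:
        """Decide the path for a LAN packet: 'tunnel', 'internet' or 'drop'.

        Pool membership of the source address alone is not proof of identity, so the
        packet must come from the address actually bound to this device.
        """
        binding = self.bindings.get(mac)
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if binding is None or src_ip != binding.ip:
            return "drop"  # unknown device, or a guest spoofing an employee-pool address
        if dst_ip in CORPORATE_NET:
            return "tunnel" if binding.authenticated else "drop"
        return "internet"  # assumption: non-corporate traffic goes direct (split tunnel)


if __name__ == "__main__":
    router = HomeRouter()
    laptop = router.admit("00:11:22:33:44:55", "employee-laptop", b"constructed-secret")
    daughter = router.admit("66:77:88:99:aa:bb")  # no supplicant on her laptop
    print("employee:", laptop)
    print("guest:   ", daughter)
    print(router.forward("00:11:22:33:44:55", str(laptop.ip), "10.2.3.4"))
    print(router.forward("66:77:88:99:aa:bb", str(daughter.ip), "10.2.3.4"))
    print(router.forward("66:77:88:99:aa:bb", str(daughter.ip), "198.51.100.7"))
```

The last three lines of the usage section print `tunnel`, `drop` and `internet` respectively: the daughter’s laptop reaches the Internet but never the corporate prefix, which is the outcome the dual-pool design is meant to guarantee.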