When talking about Network Access Control, we often mention digital certificates. When entering a company network, they’re like the passport that proves you’re a trusted user on a trusted device. This comes in very handy, especially when you work with privately owned devices that are outside your control. Although this very much sounds like “access control”, certificates are not necessarily an integral part of a NAC solution. They’re a valuable feature that you can add if you take security risks seriously. So, what are digital certificates? How do they work and why are they so important? And moreover: should you add them to the mix when starting with Network Access Control? We’ll answer all these questions in this article.
A passport, only better
As we said in the introduction, digital certificates are like passports. Whenever you want to gain access to a network, you must present one to the receiving end, so that it can check who you are, what device you use and whether you’re allowed to enter. This makes digital certificates safer than simply typing in a password. A password can easily be stolen, phished or accidentally leaked, and thereby give access to the wrong people. A certificate, on the other hand, proves your identity without handing over a reusable secret: the certificate itself contains only public information, and the private key it belongs to stays on the device and is never sent over the network. Ideally, this concept works both ways, meaning the server you’re connecting to must prove its trustworthiness too. This is what we call mutual authentication. It’s like you showing your passport to customs, and customs showing their badge to prove they really are customs. In practice this is not optional: a client that does not verify the server’s certificate can be lured onto a rogue access point that impersonates the real network.
Public Key Cryptography
Although helpful, the passport metaphor only goes so far. The true power of certificates lies in the fact that they use public key cryptography (PKC) to prove possession of a secret at authentication time, which goes beyond handing over some information. In public key cryptography, two keys are used: a private key, which is kept secret, and a public key, which can be distributed to others (or, in the case of network access control, to a component inside the network). Information that’s encrypted with the public key can only be decrypted with the private key, and a signature made with the private key can be checked by anyone who holds the public key. This means a client can be authenticated by sending it a fresh random challenge: by signing (or decrypting) it, the client shows that it holds the private key, while the key itself never leaves the device. In the TLS-based methods used for network access, the client signs part of the handshake, so a recorded answer can’t be replayed later. The certificate, in turn, is the certificate authority’s signed statement that this public key indeed belongs to this user or device. Thus, by using certificates, devices and users are recognised by a mathematical proof instead of just 'passing on some information'. This is what makes certificates such a safe authentication method.
Certificates and Network Access Control
So, how do digital certificates relate to Network Access Control? As you may know, NAC starts at a network entry point, such as a switch or a Wi-Fi access point. This is the virtual door that users have to knock on if they want to access the company network. Normally, this would be the moment to type in a password. However, when the company in question uses digital certificates, this is the moment that the device presents its certificate, which contains the identity details and an expiration date. The switch or Wi-Fi access point does not judge the certificate itself: it acts as the doorman and relays the exchange (802.1X with an EAP method such as EAP-TLS) to a so-called RADIUS server, which keeps track of which users and devices are allowed in and what their rights are. The RADIUS server checks that the certificate was issued by a trusted certificate authority, that it hasn’t expired or been revoked, and that the client really holds the matching private key. It then instructs the switch or Wi-Fi access point to let the user or device in, to block the entrance, or to allow access to specific network segments only. And there you have it: the pièce de résistance of port-based NAC, fortified by certificates.
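The following is an added example, not code from the original article or from any NAC product: it plays through the proof-of-possession exchange described under Public Key Cryptography and the accept, reject or segment decision described in this section, in Go using only the standard library. The CA ("Example NAC CA"), the device names, the group names in the OU field and the VLAN ids 10 and 30 are all assumptions constructed for the example. A real deployment carries this exchange inside 802.1X/EAP-TLS between client, switch or access point and RADIUS server, and the client signs the TLS handshake rather than a bare nonce; the server-side checks are of the same kind (revocation checking, which a production server also does, is left out here).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Decision is the policy server's (RADIUS, in a real deployment) answer to the switch or access point.
type Decision struct {
	Accept bool
	VLAN   int
	Reason string
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// template describes a holder: a CA root when isCA is set, otherwise a device (name, group, validity).
func template(name, ou string, isCA bool, now time.Time, validFor time.Duration, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name, OrganizationalUnit: []string{ou}},
		NotBefore:    now.Add(-365 * 24 * time.Hour), // validity starts in the past; only validFor decides expiry
		NotAfter:     now.Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
	}
	return t
}

// issue is the "passport factory": a new key pair plus a certificate, self-signed when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// authorize is the server's check: CA chain inside the validity window, proof of possession, then policy.
func authorize(ca, cert *x509.Certificate, nonce, sig []byte, now time.Time) Decision {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return Decision{Reason: "certificate rejected: " + err.Error()}
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey) // the signature must verify under the *certified* key
	if digest := sha256.Sum256(nonce); !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return Decision{Reason: "proof of possession failed"}
	}
	if ou := cert.Subject.OrganizationalUnit; len(ou) > 0 && ou[0] == "Corporate" {
		return Decision{Accept: true, VLAN: 10, Reason: "ok: corporate segment"} // VLAN ids are assumptions
	}
	return Decision{Accept: true, VLAN: 30, Reason: "ok: guest segment"}
}

// runScenarios plays four access attempts against one company CA; every CA, device and key is constructed here.
func runScenarios() map[string]Decision {
	now := time.Now()
	ca, caKey := issue(template("Example NAC CA", "PKI", true, now, 8760*time.Hour, 1), nil, nil)
	laptop, laptopKey := issue(template("laptop-0042", "Corporate", false, now, 24*time.Hour, 2), ca, caKey)
	tablet, tabletKey := issue(template("tablet-0007", "Contractors", false, now, 24*time.Hour, 3), ca, caKey)
	expired, expiredKey := issue(template("laptop-0001", "Corporate", false, now, -time.Hour, 4), ca, caKey)
	attempt := func(cert *x509.Certificate, key *ecdsa.PrivateKey) Decision {
		nonce := make([]byte, 32) // server: fresh per attempt, so a recorded answer cannot be replayed
		_, err := rand.Read(nonce)
		check(err)
		digest := sha256.Sum256(nonce) // client: signs with the private key that never leaves the device
		sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
		check(err)
		return authorize(ca, cert, nonce, sig, now) // server: certificate, signature, policy
	}
	return map[string]Decision{
		"corporate laptop":    attempt(laptop, laptopKey),
		"contractor tablet":   attempt(tablet, tabletKey),
		"expired certificate": attempt(expired, expiredKey),
		"copied certificate":  attempt(laptop, tabletKey), // the laptop's certificate, but not its private key
	}
}

func main() { fmt.Printf("%+v\n", runScenarios()) }
```

Run it with `go run`. The "copied certificate" attempt is where the passport metaphor ends: the certificate alone is public information, so a copy of it gets a device nowhere without the matching private key, while the expired certificate is turned away on its dates alone before any key is checked.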
A word on complexity
Unfortunately, digital certificates do come with downsides. They’re very safe, but they’re also a lot of work. If you work with digital certificates, you also need a certificate authority (CA), which functions as a passport factory: it issues a certificate to each and every device, renews certificates before they expire and revokes the ones that belong to lost or stolen devices or to people who have left. The good news is that there are NAC solutions that come as an all-in-one product and automate the issuing and management of certificates. This way, you benefit from all NAC advantages without overburdening your IT department. Additionally, such packages allow you to manage multiple authentication methods alongside each other (think of a combination of a one-time password and a certificate). So, if you plan on starting with NAC and digital certificates (which we’d highly recommend!), ask yourself these questions:
- Can the authentication method be easily modified? For example, can a one-time password be easily applied in addition to the certificate?
- Can the digital certificates be distributed to devices running different operating systems?
- Can the digital certificates be easily and safely distributed?
- Can users who haven’t used the system for a certain period of time easily be found and dealt with (for example, by revoking their certificates)?
- Can the RADIUS server be easily linked to the internal Active Directory (AD) or identity management system?
We hope we’ve shed some light on digital certificates! Do you want to learn more about Network Access Control and digital certificates? Then download the white paper below; it’s free!
Originally published 2nd February 2020, updated on 21st June 2023