NAC Foundation Module
The Infoblox NAC Foundation module enables intelligent, policy-based control over Infoblox’s DHCP services, and provides a foundation for a wide variety of NAC solutions that may integrate components from one or more vendors.
Every device that is enabled to communicate on an IP network contains a unique, hard-coded device identifier, also known as a MAC address. The MAC address is included in every DHCP request made by a device. The Infoblox DHCP server can maintain lists of MAC addresses known as MAC filters and can implement different behaviors (e.g., assign addresses out of different address ranges) depending on whether a particular device address is contained in a particular MAC filter. The NAC Foundation module automates the population of the DHCP server MAC filters and the selection of the network segment to which a device is assigned, based on user-configurable policies. For example, an administrator may segment the network into one or more production segments, for authorized employees and devices; a guest segment, with access only to the Internet and/or limited public servers; and a quarantine segment, with access only to the Infoblox appliance and perhaps an endpoint scanning and remediation system. This enables control over which users and devices are able to access sensitive network resources and can prevent the spread of malware from malicious users or infected devices.

The NAC Foundation module is fully integrated with Infoblox NIOS software and grid technology. All components, including the captive Web portal, are built in and benefit from the advantages of Infoblox grids such as central administration and high-availability failover. The NAC Foundation module provides several key features that greatly benefit customers.

FEATURES AND BENEFITS
Integrated Captive Web Portal: Provides a familiar “hotel-like” user interface for managing user registration and authentication. The portal pages can be easily customized for each organization, including company logos, acceptable use policies, help-desk phone numbers, etc.

Integrated DHCP Authentication: Uses a variety of industry-standard authentication mechanisms including RADIUS, Active Directory, LDAP, or local NIOS user accounts. The authentication schemes can also be “stacked” to allow for complex policies such as: “authenticate first against the AD server and pass on success; on failure, check the local NIOS user database.”

Guest Access: Can be enabled on the captive Web portal and customized for each organization, including required fields such as first name, last name, visitor, etc. Upon entering data, guest users are put into a special MAC filter and granted an IP address from the guest network.

Automated MAC Filter Entry Timeout: The system can be configured to automatically remove MAC entries from any of the filters, including guest and authorized users, after a configurable timeout. This allows flexibility in configuring how often users need to re-authenticate.

Integration with McAfee Enterprise Policy Orchestrator (ePO): The solution can be configured to query ePO servers to determine whether a client should be given an IP address in the authorized network. The ePO checks can be configured to grant an IP based on any combination of three parameters: whether the client is registered with the ePO server, whether the client has the MPE scanner installed, and whether the client has communicated with the ePO server within a configurable time period.

User Class Assignment: Automates mapping of AD group information to a specific DHCP range. The system can be configured to give an IP address from a different network range based upon a user’s AD group membership. For example, employees in the finance organization get an IP address in one range while all other users get an IP in a different range.

Recording and Linking of User Information with MAC and IP: When a user authenticates, the user name is put into the MAC filter, thereby creating a “link” among the user, IP, and MAC address which can be used for audit purposes.
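The following is an added illustration, not Infoblox NIOS code, of how the pieces described above fit together: MAC filters that decide which DHCP range a device is offered (unknown or timed-out devices fall back to quarantine), stacked authentication that tries one backend and falls through to the next, automatic expiry of filter entries, and an audit record linking user, MAC and IP at lease time. All class, function and range names, the two credential stores, and the sample MAC addresses are constructed assumptions for the example.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Assumed names for illustration only; not Infoblox APIs.
AuthBackend = Tuple[str, Callable[[str, str], bool]]

@dataclass
class FilterEntry:
    user: str
    expires_at: float  # absolute time (seconds) after which the entry is dropped

@dataclass
class MacFilterPolicy:
    # Ordered (filter name, DHCP range) pairs; the first filter containing the MAC wins.
    ranges: List[Tuple[str, str]]
    quarantine_range: str            # offered when no filter contains the MAC
    entry_ttl: float                 # "automated MAC filter entry timeout"
    filters: Dict[str, Dict[str, FilterEntry]] = field(default_factory=dict)
    audit: List[Tuple[float, str, str, str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        for name, _ in self.ranges:
            self.filters.setdefault(name, {})

    def expire(self, now: float) -> int:
        """Drop entries whose timeout has passed; returns how many were removed."""
        removed = 0
        for entries in self.filters.values():
            for mac in [m for m, e in entries.items() if e.expires_at <= now]:
                del entries[mac]
                removed += 1
        return removed

    def register(self, filter_name: str, mac: str, user: str, now: float) -> None:
        """Put an authenticated (or guest) device into exactly one filter."""
        mac = mac.lower()
        for entries in self.filters.values():   # a device belongs to one filter only
            entries.pop(mac, None)
        self.filters[filter_name][mac] = FilterEntry(user, now + self.entry_ttl)

    def lookup(self, mac: str, now: float) -> Optional[Tuple[str, FilterEntry]]:
        self.expire(now)
        mac = mac.lower()
        for name, _ in self.ranges:
            entry = self.filters[name].get(mac)
            if entry is not None:
                return name, entry
        return None

    def dhcp_range_for(self, mac: str, now: float) -> str:
        """The range the DHCP server should allocate from for this MAC."""
        hit = self.lookup(mac, now)
        return self.quarantine_range if hit is None else dict(self.ranges)[hit[0]]

    def lease(self, mac: str, ip: str, now: float) -> Tuple[float, str, str, str, str]:
        """Check the offered IP is inside the policy range and record the user/MAC/IP link."""
        rng = self.dhcp_range_for(mac, now)
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(rng):
            raise ValueError(f"{ip} is outside policy range {rng} for {mac}")
        hit = self.lookup(mac, now)
        record = (now, hit[0] if hit else "quarantine", hit[1].user if hit else "-", mac.lower(), ip)
        self.audit.append(record)
        return record

def stacked_authenticate(user: str, password: str, backends: List[AuthBackend]) -> Optional[str]:
    """Try each backend in order; return the name of the first that accepts, else None."""
    for name, check in backends:
        if check(user, password):
            return name
    return None

def make_demo_backends() -> List[AuthBackend]:
    # Constructed stand-ins for an AD server and the local NIOS user database.
    ad_users = {"alice": "ad-secret"}
    local_users = {"helpdesk": "local-secret"}
    def ad(u: str, p: str) -> bool:
        return hmac.compare_digest(ad_users.get(u, ""), p)
    def local(u: str, p: str) -> bool:
        return hmac.compare_digest(local_users.get(u, ""), p)
    return [("active_directory", ad), ("local_nios", local)]

def run_demo() -> dict:
    policy = MacFilterPolicy(ranges=[("authorized", "10.10.0.0/24"), ("guest", "10.20.0.0/24")],
                             quarantine_range="10.99.0.0/24", entry_ttl=3600.0)
    backends = make_demo_backends()
    mac_alice, mac_guest, mac_unknown = "00:11:22:33:44:55", "66:77:88:99:AA:BB", "DE:AD:BE:EF:00:01"
    r = {}
    r["unknown_before"] = policy.dhcp_range_for(mac_unknown, now=0.0)      # quarantine
    via = stacked_authenticate("alice", "ad-secret", backends)              # AD accepts
    if via:
        policy.register("authorized", mac_alice, "alice", now=0.0)
    r["alice_backend"], r["alice_range"] = via, policy.dhcp_range_for(mac_alice, now=10.0)
    r["helpdesk_backend"] = stacked_authenticate("helpdesk", "local-secret", backends)  # falls through to local
    r["bad_password"] = stacked_authenticate("alice", "wrong", backends)
    policy.register("guest", mac_guest, "visitor:bob", now=0.0)             # captive-portal guest form
    r["guest_range"] = policy.dhcp_range_for(mac_guest, now=10.0)
    r["audit"] = policy.lease(mac_alice, "10.10.0.42", now=20.0)
    r["alice_after_ttl"] = policy.dhcp_range_for(mac_alice, now=3601.0)    # entry timed out
    r["filter_size"] = len(policy.filters["authorized"])
    return r

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The ordering of `ranges` matters in the same way a stacked authentication policy does: a MAC present in more than one filter is resolved by the first match, so the most privileged filter should be listed first only if registration guarantees a device never sits in two filters (here `register` enforces that). The `lease` check refuses to record an audit link for an address outside the range the policy selected, which catches a mismatch between the filter state and the pool the server actually allocated from.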
AVAILABILITY AND SOFTWARE PACKAGES
Software packages run on Infoblox network services appliances.
© 2008 Infoblox Inc. All rights reserved. All registered trademarks are property of their respective owners.