Unified network access control with NAICE system

Network access control system from Eltex

Description

Every year, corporate networks face a growing number of threats. Data leaks, attacks launched from compromised devices, and unauthorized connection attempts have become a reality for companies of all sizes and in all industries. To control who and what connects to the network, enterprises use specialized NAC (Network Access Control) systems. Without them it is hard to enforce consistent access rules, and for organizations that handle sensitive information it is hard to demonstrate compliance with regulatory requirements.

Drawing on more than 30 years of experience in developing telecommunications equipment, we have created our own NAC system, NAICE, which takes into account operational practice and customer requirements. It is used by corporate organizations, industrial enterprises, banks, telecom operators, and government bodies.

Solution Architecture

NAICE is a software product that covers the whole access management task: from organizing user connections to Wi-Fi or Ethernet networks to controlling administrator rights on network equipment.

The solution is compatible with equipment from Eltex and other manufacturers.


Network management and convenient web interface

Management is carried out through a web interface. Basic configuration consists of adding network devices and device profiles, connecting identification sources, creating identification chains and authorization profiles, and defining access policies.

User authentication and authorization via the RADIUS protocol

The architecture is built on the RADIUS client-server protocol, which carries IEEE 802.1X port-based authentication, with support for EAP-PEAP, EAP-TLS, PAP, and MSCHAPv2. Note that 802.1X itself transports only EAP: EAP-TLS and PEAP (with MSCHAPv2 as the inner method) serve 802.1X clients, while plain PAP and MSCHAPv2 apply to RADIUS requests that do not carry EAP. Certificate-based EAP-TLS is the strongest of these and the recommended choice for managed devices. The system provides the full cycle of authentication, authorization, and accounting (AAA) for user sessions.

For devices that do not support 802.1X, MAC Authentication Bypass (MAB) is provided: the device is identified by its MAC address alone. Because a MAC address can be spoofed, MAB devices should be placed in restricted segments with their own ACLs rather than given the access of an authenticated user.

NAICE integrates with its internal database and with external identification sources such as Microsoft Active Directory and OpenLDAP, so existing corporate account databases can be used without duplicating them. Access policies are applied automatically when a client's status in the source changes: for example, when an employee is dismissed and the account is disabled or removed from the directory, that account can no longer authenticate to the network.

Administrator authentication and authorization via the TACACS+ protocol

The system also supports the TACACS+ protocol for centralized administrator authentication, control of their access rights, and logging of the actions they perform. Its key advantage is that each command is authorized centrally, which allows flexible management of access rights. Administrators create privilege profiles and rules tailored to specific tasks, using both exact commands and regular-expression templates, which matters in large infrastructures with many devices.

The protocol provides detailed auditing of all interactions with network equipment. Every administrator action is logged and, if required, forwarded as syslog messages to a third-party server. So if an engineer changes the settings of a router, switch, or other device, the system records which command was entered, by whom, and when. This makes it possible to reconstruct the sequence of actions quickly and to identify the cause of a problem when one arises.
 
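The following is an added illustration, not NAICE code: a minimal command-authorization check of the kind a TACACS+ server performs for the profiles described above, with rules built from exact commands and regular-expression templates, deny rules evaluated before allow rules, a default deny, and a syslog-style audit line per decision. The profile names, patterns, device names and log format are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical privilege profiles (assumed for this example, not NAICE's policy syntax).
# Patterns are matched with re.fullmatch, so "show .*" cannot match "shutdown".
PROFILES = {
    "junior": {
        "allow": [r"show .*", r"ping \S+"],
        # The running/startup config may contain secrets; hide it even from "show" users.
        "deny":  [r"show running-config.*", r"show startup-config.*"],
    },
    "operator": {
        "allow": [r"show .*", r"ping \S+", r"clear counters.*",
                  r"configure terminal", r"interface \S+", r"description .*"],
        "deny":  [r"(no )?shutdown", r"(no )?ip access-list .*", r"(no )?access-list .*"],
    },
    "senior": {"allow": [r".*"], "deny": []},
}


@dataclass
class Decision:
    permitted: bool
    rule: str   # the pattern that decided, or "default-deny"


def normalize(command: str) -> str:
    # Collapse repeated whitespace so "no   shutdown" and "no shutdown" hit the same rule.
    return " ".join(command.split())


def authorize_command(profile: str, command: str) -> Decision:
    cmd = normalize(command)
    prof = PROFILES[profile]
    # Deny first: a broad allow such as "show .*" must not override an explicit exclusion.
    for pat in prof["deny"]:
        if re.fullmatch(pat, cmd):
            return Decision(False, f"deny:{pat}")
    for pat in prof["allow"]:
        if re.fullmatch(pat, cmd):
            return Decision(True, f"allow:{pat}")
    return Decision(False, "default-deny")   # nothing matched: fail closed


def audit_record(user: str, device: str, profile: str, command: str,
                 when: Optional[datetime] = None) -> str:
    """Authorize the command and return one syslog-style accounting line."""
    d = authorize_command(profile, command)
    ts = (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    verdict = "PERMIT" if d.permitted else "DENY"
    return (f'{ts} device={device} user={user} profile={profile} '
            f'cmd="{normalize(command)}" result={verdict} rule={d.rule}')


if __name__ == "__main__":
    # Constructed sample: the junior/senior split the page describes.
    for prof, cmd in [("junior", "show ip interface brief"),
                      ("junior", "shutdown"),
                      ("operator", "interface GigabitEthernet0/1"),
                      ("operator", "no shutdown"),
                      ("senior", "no shutdown")]:
        print(audit_record("engineer1", "sw-core-01", prof, cmd))
```

Two things to check when writing real templates: anchor every pattern (here fullmatch does it) so that a prefix match does not widen the rule, and confirm whether your devices expand abbreviated commands before sending the authorization request; if they do not, "sh run" bypasses a pattern written for "show running-config".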

Captive portal

NAICE provides a Captive Portal service for temporary wireless connections of users and guests. The guest portal gives third-party devices a controlled connection and confines them to isolated network segments.

New clients are authorized via SMS, through the internal database, or using external directories. When SMS authorization is selected, integration with any SMS gateway is used to send one-time codes. Administrators set the lifetime of a guest account, after which re-authorization is required. With the integrated web page builder, the portal can be styled in line with the company's corporate identity.

This mechanism suits large infrastructures with heavy visitor traffic, such as airports. Passengers get Wi-Fi access via SMS, the account is valid only for the duration of their stay in the coverage area, and all corporate and service segments remain isolated. This serves thousands of users a day without exposing internal resources.
 
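An added example of the SMS one-time-code flow and guest account lifetime described above. This is illustrative code, not NAICE's implementation: the SMS gateway is an injected callable, the phone number is constructed, and the code lifetime, attempt limit and account validity are assumed values. It shows the checks a practitioner expects around such codes: CSPRNG generation, constant-time comparison, expiry, single use, and a cap on wrong guesses.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

CODE_TTL = timedelta(minutes=5)   # assumed: how long an SMS code stays valid
MAX_ATTEMPTS = 3                  # assumed: wrong guesses before the code is discarded


@dataclass
class PendingCode:
    code: str
    expires_at: datetime
    attempts: int = 0


@dataclass
class GuestAccount:
    phone: str
    valid_until: datetime         # administrator-chosen guest validity


class GuestPortal:
    def __init__(self, send_sms: Callable[[str, str], None],
                 account_ttl: timedelta = timedelta(days=1)):
        self.send_sms = send_sms                      # adapter for the SMS gateway in use
        self.account_ttl = account_ttl
        self.pending: Dict[str, PendingCode] = {}
        self.accounts: Dict[str, GuestAccount] = {}

    def request_code(self, phone: str, now: Optional[datetime] = None) -> None:
        now = now or datetime.now(timezone.utc)
        code = f"{secrets.randbelow(10**6):06d}"      # CSPRNG; never random.randint
        self.pending[phone] = PendingCode(code, now + CODE_TTL)  # a new request replaces the old code
        self.send_sms(phone, f"Your Wi-Fi access code: {code}")

    def verify(self, phone: str, submitted: str,
               now: Optional[datetime] = None) -> Optional[GuestAccount]:
        now = now or datetime.now(timezone.utc)
        pending = self.pending.get(phone)
        if pending is None or now >= pending.expires_at:
            self.pending.pop(phone, None)              # expired codes are dropped, not retried
            return None
        pending.attempts += 1
        # Constant-time compare: a plain == leaks timing per character.
        if not hmac.compare_digest(pending.code, submitted.strip()):
            if pending.attempts >= MAX_ATTEMPTS:
                del self.pending[phone]               # brute-force cap: a fresh code must be requested
            return None
        del self.pending[phone]                       # one-time: the same code cannot be replayed
        account = GuestAccount(phone, now + self.account_ttl)
        self.accounts[phone] = account
        return account

    def is_authorized(self, phone: str, now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        account = self.accounts.get(phone)
        return account is not None and now < account.valid_until


def run_demo() -> dict:
    """Constructed walk-through with fixed timestamps; returns the observed outcomes."""
    sent = []
    portal = GuestPortal(lambda phone, text: sent.append(text), account_ttl=timedelta(hours=8))
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    phone = "+10000000000"                            # constructed number
    results = {}

    portal.request_code(phone, now=t0)
    code = sent[-1][-6:]
    wrong = "000000" if code != "000000" else "111111"
    results["wrong_code_rejected"] = portal.verify(phone, wrong, now=t0) is None
    results["right_code_accepted"] = portal.verify(phone, code, now=t0 + timedelta(minutes=1)) is not None
    results["replay_rejected"] = portal.verify(phone, code, now=t0 + timedelta(minutes=1)) is None
    results["valid_at_7h"] = portal.is_authorized(phone, now=t0 + timedelta(hours=7))
    results["expired_at_9h"] = portal.is_authorized(phone, now=t0 + timedelta(hours=9))

    portal.request_code(phone, now=t0)                # stale code: used after CODE_TTL
    results["stale_code_rejected"] = portal.verify(phone, sent[-1][-6:], now=t0 + timedelta(minutes=6)) is None

    portal.request_code(phone, now=t0)                # brute-force cap
    code3 = sent[-1][-6:]
    wrong3 = "000000" if code3 != "000000" else "111111"
    for _ in range(MAX_ATTEMPTS):
        portal.verify(phone, wrong3, now=t0)
    results["locked_after_max_attempts"] = portal.verify(phone, code3, now=t0) is None
    return results


if __name__ == "__main__":
    print(run_demo())
```

In a real deployment the account's valid_until is what the portal hands to the wireless controller (for example as a RADIUS Session-Timeout), so the session is cut at the network edge rather than only in the portal's own bookkeeping.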

System fault tolerance

Because NAICE is a critical element of the infrastructure, special attention is paid to fault tolerance. The system supports Active-Active (1+1) mode: two servers handle requests at the same time, and if one fails, the other takes over its functions.

General solution scheme

Scheme 1. Corporate network using NAICE

The NAICE access control system is deployed as Docker containers. Eltex License Manager (ELM) is required to activate it. There are two scenarios:

●    Online ELM: licenses are issued through the Eltex cloud server, without installing additional software

●    Offline ELM: the license server is installed locally in the customer's infrastructure, or on the same host as NAICE, and is used in isolated (air-gapped) networks


After installation, network equipment (switches, routers, firewalls, access points, Wi-Fi controllers, and other devices from Eltex or other vendors) is registered in the system.


Day-to-day operation is based on three access scenarios:

1. Users (employees, customers) are authenticated via RADIUS and gain access to the Wi-Fi or Ethernet segments for which they have rights. During initial setup, the administrator specifies the identification sources (local database, Active Directory, or LDAP) and builds a chain of rules: who may connect, which VLAN the user is placed in, and which ACLs are applied. For example, the accounting department automatically gets access only to financial systems, while sales staff get access to the CRM and shared file storage. Devices that do not support 802.1X (printers, scanners, IoT, etc.) are authenticated through MAB: their MAC addresses are entered into the database, and they are placed in the appropriate segment.

2. Administrators are authorized via TACACS+. After deploying NAICE, privilege profiles and command sets are created: some staff can only view settings, others can perform basic operations, and senior engineers can change configurations and reboot equipment. Example scenario: a junior administrator can check the status of a port on a switch but has no rights to disable the interface or change ACLs.

3. Guests and temporary users connect via the Captive Portal. The administrator defines the validity period of accounts (for example, one day for office visitors or one week for contractors), the authorization method (SMS, login/password, or external directories), and applies the company's branding to the page. This lets partners or customers get Internet access while being fully isolated from the corporate network.

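An added example, not NAICE code, of the authorization step behind scenario 1 and the identification chain described in the RADIUS section: a request that has already passed credential checking (EAP-TLS or PEAP) is looked up in an ordered chain of identity sources, a disabled account is rejected, the first matching policy rule assigns a VLAN and ACL, and MAB requests are answered from a MAC whitelist with a restricted ACL. The user names, groups, MAC addresses, VLAN numbers and ACL names are constructed for this example; the returned attribute names are the standard RFC 3580 tunnel attributes and Filter-Id.

```python
from typing import Optional

# Constructed identity sources standing in for the local database and an AD/LDAP directory.
LOCAL_DB = {"svc-badge": {"enabled": True, "groups": ["Facilities"]}}
DIRECTORY = {
    "alice": {"enabled": True,  "groups": ["Accounting"]},
    "bob":   {"enabled": True,  "groups": ["Sales"]},
    "carol": {"enabled": False, "groups": ["Sales"]},   # dismissed: account disabled in the directory
}
# MAB whitelist for devices that cannot do 802.1X (printers, scanners, IoT). Constructed MAC.
MAB_DEVICES = {"02:00:5e:10:00:01": {"kind": "printer", "vlan": 40}}

# Ordered policy chain: the first matching rule wins; no match means Access-Reject.
POLICY_CHAIN = [
    {"name": "accounting", "method": "dot1x", "group": "Accounting", "vlan": 10,   "acl": "ACL-FINANCE"},
    {"name": "sales",      "method": "dot1x", "group": "Sales",      "vlan": 20,   "acl": "ACL-CRM-FILES"},
    # MAB devices get a restricted ACL because a MAC address is trivially spoofed.
    {"name": "mab-known",  "method": "mab",   "group": None,         "vlan": None, "acl": "ACL-IOT-RESTRICTED"},
]


def lookup_identity(username: str) -> Optional[dict]:
    # Identification chain: local database first, then the external directory.
    for source in (LOCAL_DB, DIRECTORY):
        if username in source:
            return source[username]
    return None


def access_accept(rule: dict, vlan: int) -> dict:
    # RFC 3580 tunnel attributes carry the VLAN; Filter-Id names the ACL the NAS applies.
    return {"code": "Access-Accept", "rule": rule["name"], "attributes": {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan),
        "Filter-Id": rule["acl"],
    }}


def access_reject(reason: str) -> dict:
    return {"code": "Access-Reject", "reason": reason}


def evaluate(request: dict) -> dict:
    """request = {"method": "dot1x" | "mab", "username": str, "mac": str}.
    Assumes the credential check already succeeded for dot1x; this is authorization only."""
    if request["method"] == "mab":
        device = MAB_DEVICES.get(request["mac"].lower())
        if device is None:
            return access_reject("unknown MAC")        # unknown devices never get a VLAN by default
        rule = next(r for r in POLICY_CHAIN if r["method"] == "mab")
        return access_accept(rule, device["vlan"])

    identity = lookup_identity(request["username"])
    if identity is None:
        return access_reject("unknown user")
    if not identity["enabled"]:
        return access_reject("account disabled")       # the dismissed-employee case
    for rule in POLICY_CHAIN:
        if rule["method"] == "dot1x" and rule["group"] in identity["groups"]:
            return access_accept(rule, rule["vlan"])
    return access_reject("no matching policy")         # authenticated but not authorized: fail closed


if __name__ == "__main__":
    for req in [{"method": "dot1x", "username": "alice", "mac": "02:00:5e:10:00:aa"},
                {"method": "dot1x", "username": "carol", "mac": "02:00:5e:10:00:ac"},
                {"method": "mab", "username": "02005e100001", "mac": "02:00:5E:10:00:01"},
                {"method": "mab", "username": "02005e100099", "mac": "02:00:5e:10:00:99"}]:
        print(req["username"], "->", evaluate(req))
```

Note that a disabled account is rejected at its next authentication; whether an already established session is torn down immediately depends on the switch or controller supporting re-authentication or RADIUS Change-of-Authorization, which should be verified on the equipment in use.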

All connections and actions are recorded in the event log, available in the web interface, where the administrator monitors equipment status and authentication and authorization results in real time. End devices are profiled using MAC OUI lookups and DHCP probes, and the resulting device type can be used to apply security policies automatically.

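An added example, not NAICE code, of the profiling step just described: a parser for the DHCP options field extracts the parameter request list (option 55) and vendor class (option 60), the MAC prefix is looked up in an OUI table, and the combined result maps to a device category and a policy. The OUI table, fingerprint signatures, vendor names, VLAN numbers and ACL names are constructed for this example; a real deployment would use the IEEE OUI registry and a maintained fingerprint database.

```python
from typing import Dict

# Constructed OUI table (placeholder prefixes and vendors, not real IEEE assignments).
OUI_VENDORS = {
    "02:00:5E": "ExamplePrinterCo",
    "02:00:5F": "ExampleCameraCo",
}
# Constructed DHCP option 55 (parameter request list) signatures.
DHCP_FINGERPRINTS = {
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": "windows-workstation",
    "1,3,6,12,15,28,42": "embedded-linux",
}
# Category -> policy applied automatically (assumed values).
POLICY_BY_CATEGORY = {
    "windows-workstation": {"action": "require-dot1x"},
    "printer":             {"action": "mab", "vlan": 40,  "acl": "ACL-PRINT-ONLY"},
    "ip-camera":           {"action": "mab", "vlan": 50,  "acl": "ACL-NVR-ONLY"},
    "embedded-linux":      {"action": "mab", "vlan": 60,  "acl": "ACL-IOT-RESTRICTED"},
    "unknown":             {"action": "quarantine", "vlan": 999, "acl": "ACL-DENY-ALL"},
}


def parse_dhcp_options(data: bytes) -> Dict[int, bytes]:
    """Parse the DHCP options field (bytes after the magic cookie) into {code: value}."""
    options: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 0:                    # pad
            i += 1
            continue
        if code == 255:                  # end
            break
        if i + 1 >= len(data):
            break                        # truncated header: stop, do not read past the buffer
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:
            break                        # truncated value: discard it
        options[code] = value            # last occurrence wins
        i += 2 + length
    return options


def build_dhcp_options(options: Dict[int, bytes]) -> bytes:
    """Helper to construct sample option fields for this example."""
    out = b""
    for code, value in options.items():
        out += bytes([code, len(value)]) + value
    return out + b"\xff"


def profile_device(mac: str, options_bytes: bytes) -> dict:
    opts = parse_dhcp_options(options_bytes)
    mac_norm = mac.upper().replace("-", ":")
    vendor = OUI_VENDORS.get(mac_norm[:8], "unknown")
    prl = ",".join(str(b) for b in opts.get(55, b""))
    vendor_class = opts.get(60, b"").decode("ascii", "replace")

    # Strongest signal first: an exact parameter-request-list match.
    category = DHCP_FINGERPRINTS.get(prl)
    if category is None:
        vc = vendor_class.lower()
        if "printer" in vc or vendor == "ExamplePrinterCo":
            category = "printer"
        elif "camera" in vc or vendor == "ExampleCameraCo":
            category = "ip-camera"
        else:
            category = "unknown"         # unprofiled devices land in quarantine, not open access
    return {"mac": mac_norm.lower(), "oui_vendor": vendor, "dhcp_prl": prl,
            "vendor_class": vendor_class, "category": category,
            "policy": POLICY_BY_CATEGORY[category]}


if __name__ == "__main__":
    # Constructed sample probes.
    win = build_dhcp_options({53: b"\x01",
                              55: bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]),
                              60: b"MSFT 5.0"})
    prn = build_dhcp_options({53: b"\x01", 55: bytes([1, 3, 6, 12]), 60: b"Example LaserPrinter"})
    print(profile_device("AA-BB-CC-00-11-22", win))
    print(profile_device("02:00:5e:00:00:01", prn))
```

Both signals are under the client's control (a MAC address and a DHCP client are easy to forge), so profiling is a segmentation aid for MAB and quarantine decisions, not a substitute for 802.1X authentication.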
Equipment

NAICE
Centralized storage and management of access policies