Functional capabilities of Eltex-NAICE version 1.0:
RADIUS-based access control provides the following capabilities:
- Operation with a local user account database;
- User authentication and authorization via the 802.1X protocol;
- Authentication and authorization of network equipment administrators;
- Support for EAP-TLS, EAP-PEAP, MS-CHAPv2 and PAP protocols for access control and protection against unauthorized network connections;
- Endpoint authentication and authorization using MAB (MAC Authentication Bypass), PAP, and EAP-MD5.
TACACS+-based access control provides the following capabilities:
- Authentication and authorization of equipment administrators via the TACACS+ protocol with a specified privilege level;
- Authorization of privilege escalation via TACACS+;
- Authorization of network equipment administrator commands using the TACACS+ protocol;
- Support for ASCII/PAP protocols when using TACACS+.
Integration with external identity sources:
- MS Active Directory (MS AD). Limitations: it is not possible to use Cyrillic characters in user login or password; EAP-MS-CHAP-v2 or MS-CHAP-v2 may be used for authorization;
- Custom LDAP (e.g., OpenLDAP). Limitations: SLDAP is not supported, and user passwords must be stored in clear text.
Portal-based authorization:
- Portal appearance management, support for configuring multiple portals, management of registration and authorization methods;
- Guest user registration via SMS confirmation;
- User authorization on the portal using login/password with either the local user database or external identity sources.
Flexible security policy system:
- Multivendor solution — the system can operate with products from different vendors that support RADIUS and TACACS+;
- Configuring access rights based on static and dynamic parameters;
- Ability to use user attributes from an external identity source in security policies;
- Assigning privileges according to group membership of users and devices;
- Built-in library of RADIUS attributes. Currently, adding new RADIUS dictionaries and attributes manually is not supported (can be done through a development request);
- Assignment of VLAN, ACL, and other custom attributes over RADIUS;
- Automatic addition of endpoints when they attempt to connect via RADIUS;
- Support for endpoint profiling based on MAC OUI and DHCP probes, with the option to use profiling results in security policy configuration.
Centralized management — user and endpoint authentication and authorization are managed via a web interface whose design draws on experience developing international products. This enables a fast and easy transition with no need for lengthy training.
Role model:
- Administrator access to the system web interface and its sections based on a role-based access control model (RBAC);
- Creation of roles with precise configuration of access rights to system functions, using five access levels for system sections;
- Assignment of roles to administrators with different privilege levels;
- Predefined roles for typical use cases;
- Termination of active sessions upon role privilege changes to ensure security.
Event logging and monitoring — information on user connections enables tracking of authentication and authorization results and identification of connection issues.
SIEM integration — sending information on connection attempts via RADIUS and TACACS+, as well as NAICE administrator activities, using the Syslog protocol in CEF format.
Built-in documentation — the system contains complete configuration documentation and provides the necessary information in the context of the page where the administrator is located.
Redundancy — ensures reliable operation in an Active-Active configuration and preserves system operability in case of failure.
System distribution:
- The system is deployed as Docker containers;
- Installation is available both in environments with Internet access and in isolated environments;
- Ansible scripts are used to automate deployment.
System requirements are described in section: v1.0_3.1 System requirements.