AMF Security OpenFlow Authentication Flow
AMF Security performs authentication at the request of the OpenFlow Switches it manages.
OpenFlow Switches ask AMF Security for authentication in the following manner.
- An OpenFlow Switch receives a packet from a device.
- The OpenFlow Switch looks for a flow entry associated with the packet's source MAC Address. When a matching flow entry is found, the OpenFlow Switch transmits the packet according to the flow entry.
- When a matching flow entry is not found, the OpenFlow Switch sends a query packet (PACKET_IN) to AMF Security.
AMF Security performs the authentication process on the MAC Address in the query packet (PACKET_IN), then installs a new flow entry on the OpenFlow Switch that reflects its decision: forward the packet on a specific VLAN, quarantine it to a specific VLAN, or drop it.
AMF Security has three major authentication processes: Device Authentication Data, the UnAuth Group and Action.
- Device Authentication Data
Used to determine a network (VLAN) for a device with a known MAC Address.
- UnAuth Group
Used to determine a network (VLAN) for a device with an unknown MAC Address, combined with location and schedule conditions.
- Action
Used to determine an action (permit, block, quarantine or allow) for a device that meets predefined criteria such as MAC Address, IPv4 Address, Device ID, Device Tag, Location, OpenFlow Switch and Network.
It is also possible to create actions manually, similar to those created by interacting applications.
AMF Security authenticates each device in the order of Action, Device Authentication Data and the UnAuth Group.
As the diagram shows, if a device matches both an Action and Device Authentication Data, the Action is used.
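The flow above (switch lookup by source MAC, PACKET_IN on a miss, controller decision in the order Action, Device Authentication Data, UnAuth Group, flow entry installed) is modelled in the following added example. It is constructed for illustration and is not AMF Security code: the class names, the dictionary shapes, the use of the switch name as the UnAuth Group's location condition, an hour-of-day schedule, and the fallback of dropping a device that matches no stage are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the OpenFlow authentication flow described above.
# Names and data shapes are assumptions for illustration, not product code.


@dataclass(frozen=True)
class Decision:
    """What the controller installs on the switch for one source MAC."""
    action: str                 # "allow", "quarantine" or "drop"
    vlan: Optional[int] = None  # target VLAN for allow/quarantine, None for drop


@dataclass(frozen=True)
class UnAuthGroup:
    """VLAN for unknown MACs, valid on one switch during a daily schedule."""
    vlan: int
    start_hour: int
    end_hour: int

    def in_schedule(self, hour: int) -> bool:
        return self.start_hour <= hour < self.end_hour


@dataclass
class Controller:
    # Action rules: (criteria, decision) pairs, evaluated in order, first match wins.
    actions: list = field(default_factory=list)
    # Device Authentication Data: known MAC -> VLAN.
    auth_data: dict = field(default_factory=dict)
    # UnAuth Group keyed by switch name (assumed location condition), with schedule.
    unauth_groups: dict = field(default_factory=dict)

    def authenticate(self, pkt: dict) -> tuple:
        """Return (Decision, stage) in the order Action, Device Authentication Data, UnAuth Group."""
        # 1. Action: matches on any of the supported criteria, takes precedence.
        for criteria, decision in self.actions:
            if all(pkt.get(k) == v for k, v in criteria.items()):
                return decision, "Action"
        # 2. Device Authentication Data: known MAC gets its configured VLAN.
        vlan = self.auth_data.get(pkt["src_mac"])
        if vlan is not None:
            return Decision("allow", vlan), "Device Authentication Data"
        # 3. UnAuth Group: unknown MAC, subject to location (switch) and schedule.
        group = self.unauth_groups.get(pkt["switch"])
        if group is not None and group.in_schedule(pkt["hour"]):
            return Decision("quarantine", group.vlan), "UnAuth Group"
        # Assumption: a device matching no stage is dropped.
        return Decision("drop"), "default"


@dataclass
class Switch:
    name: str
    controller: Controller
    flow_table: dict = field(default_factory=dict)  # source MAC -> Decision
    packet_in_count: int = 0                        # PACKET_IN queries sent

    def receive(self, pkt: dict) -> Decision:
        """Look up the source MAC; on a miss, ask the controller and install the result."""
        entry = self.flow_table.get(pkt["src_mac"])
        if entry is None:
            self.packet_in_count += 1
            entry, _stage = self.controller.authenticate({**pkt, "switch": self.name})
            self.flow_table[pkt["src_mac"]] = entry
        return entry


def build_demo() -> Switch:
    """Constructed configuration: one blocked MAC that also appears in auth data."""
    ctrl = Controller(
        actions=[({"src_mac": "00:11:22:33:44:55"}, Decision("drop"))],
        auth_data={"00:11:22:33:44:55": 10, "aa:bb:cc:dd:ee:01": 20},
        unauth_groups={"sw1": UnAuthGroup(vlan=999, start_hour=8, end_hour=18)},
    )
    return Switch(name="sw1", controller=ctrl)


if __name__ == "__main__":
    sw = build_demo()
    for mac, hour in [("00:11:22:33:44:55", 10), ("aa:bb:cc:dd:ee:01", 10),
                      ("de:ad:be:ef:00:01", 10), ("de:ad:be:ef:00:02", 22)]:
        print(mac, hour, sw.receive({"src_mac": mac, "hour": hour}))
    print("PACKET_IN count:", sw.packet_in_count)
```

The first MAC is present in Device Authentication Data (VLAN 10) but also matched by a blocking Action, so the Action wins, which is the precedence the page describes. Once a decision is installed, repeated packets from the same MAC are handled by the switch's flow table and generate no further PACKET_IN.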
19 Apr 2023 14:12