AT-SESC OpenFlow Authentication Flow
AT-SESC performs authentication at the request of the OpenFlow Switches it manages.
OpenFlow Switches ask AT-SESC for authentication in the following manner.
- An OpenFlow Switch receives a packet from a device.
- The OpenFlow Switch looks for a flow entry associated with the packet's source MAC address. When a matching flow entry is found, the OpenFlow Switch transmits the packet according to the flow entry.
- When a matching flow entry is not found, the OpenFlow Switch sends a query packet (PACKET_IN) to AT-SESC.
AT-SESC performs the authentication process on the MAC address in the query packet (PACKET_IN), then installs a new flow entry on the OpenFlow Switch according to its decision: whether the packet should be permitted (and on which VLAN), quarantined (and to which VLAN) or dropped.
AT-SESC has three major authentication processes: Device Authentication Data, the UnAuth Group and Action.
- Device Authentication Data
Used to determine a network (VLAN) for a device with a known MAC address.
- UnAuth Group
Used to determine a network (VLAN) for a device with an unknown MAC address, combined with location and schedule conditions.
- Action
Used to determine an action (permit, block, quarantine or allow) for a device which meets predefined criteria such as MAC address, IPv4 address, Device ID, Device Tag, Location, OpenFlow Switch and Network.
Actions similar to the ones provided by interacting applications can also be created manually.
AT-SESC authenticates each device in the order of Action, Device Authentication Data and the UnAuth Group.
The following diagram shows the authentication flows through Action, Device Authentication Data and the UnAuth Group, where Device ID is used to identify each device.
As the diagram shows, if a device matches both an Action and Device Authentication Data, the Action is used.
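As an added illustration (not AT-SESC's own code), the precedence described above can be modelled as a small decision function: each PACKET_IN context is checked against Actions first, then Device Authentication Data, then UnAuth Groups. The shape of the Action criteria, the hour-based schedule window, MAC normalisation and the drop-by-default fallback are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Decision:
    verdict: str           # "permit", "quarantine" or "drop"
    vlan: Optional[int]    # VLAN the installed flow entry places the device on (None when dropped)
    stage: str             # which stage produced the decision

@dataclass
class Action:
    criteria: dict         # e.g. {"mac": ..., "location": ...}; every supplied criterion must match
    verdict: str
    vlan: Optional[int] = None
    def matches(self, ctx: dict) -> bool:
        return all(ctx.get(k) == v for k, v in self.criteria.items())

@dataclass
class UnAuthGroup:
    location: str
    start_hour: int        # assumed schedule window is [start_hour, end_hour)
    end_hour: int
    vlan: int
    def matches(self, ctx: dict) -> bool:
        return ctx["location"] == self.location and self.start_hour <= ctx["time"].hour < self.end_hour

def packet_in(ctx: dict, actions: list, device_auth: dict, unauth_groups: list) -> Decision:
    """Evaluate one PACKET_IN in the order Action -> Device Authentication Data -> UnAuth Group."""
    ctx = dict(ctx, mac=ctx["mac"].lower())      # normalise the MAC so case differences cannot bypass an entry
    for a in actions:                             # 1. Action has the highest precedence
        if a.matches(ctx):
            return Decision(a.verdict, a.vlan, "Action")
    if ctx["mac"] in device_auth:                 # 2. known MAC -> its configured VLAN
        return Decision("permit", device_auth[ctx["mac"]], "Device Authentication Data")
    for g in unauth_groups:                       # 3. unknown MAC -> VLAN chosen by location and schedule
        if g.matches(ctx):
            return Decision("permit", g.vlan, "UnAuth Group")
    return Decision("drop", None, "default")      # assumed default when nothing matches: drop

# Constructed sample configuration (not taken from the page)
ACTIONS = [Action({"mac": "00:11:22:33:44:55"}, "quarantine", 999),  # quarantine one specific device
           Action({"location": "lab", "switch": "sw-2"}, "drop")]     # drop everything seen by sw-2 in the lab
DEVICE_AUTH = {"00:11:22:33:44:55": 10, "66:77:88:99:aa:bb": 20}     # known MAC -> VLAN
UNAUTH_GROUPS = [UnAuthGroup("lobby", 8, 18, 300)]                    # unknown devices in the lobby, 08:00-18:00

def decide(mac: str, location: str, switch: str, hour: int) -> Decision:
    ctx = {"mac": mac, "location": location, "switch": switch, "time": datetime(2021, 6, 14, hour)}
    return packet_in(ctx, ACTIONS, DEVICE_AUTH, UNAUTH_GROUPS)
```

Note that the first sample device is present in both an Action and Device Authentication Data, so the Action's quarantine wins, matching the precedence stated above.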
14 Jun 2021 09:30