
Understanding the Device Identity XML Solution for Third-Party NAC Authentication Systems

The integrated user firewall device identity authentication feature enables you to control access to network resources based on the identity of a device. You can use one of the following device identity solutions:

  • Microsoft Active Directory as the authentication source.

    If your environment is set up to use Microsoft Active Directory, the NFX Series device obtains the device IP address and groups from the Active Directory domain controller and LDAP service.

  • Network access control (NAC) authentication system.

    If your network environment is configured for a NAC solution and you decide to take this approach, the NAC system sends the device identity information to the NFX Series device. The RESTful Web services API enables you to send the device information to the NFX Series device in a formal XML structure.

    Warning

    If you take this approach, you must verify that your NAC solution works with the NFX Series device.

XML Web API Implementation

The RESTful Web services API enables you to send the device identity information to the NFX Series device in a formal XML structure. It allows your NAC solution to integrate with the NFX Series and efficiently send the device information to it. You must adhere to the formal structure and restrictions in sending information to the NFX Series device using the API.

Ensuring the Integrity of Data Sent from the NAC Service to the NFX Series Device

The following requirements ensure that the data sent from the NAC service is not compromised:

  • The API implementation is restricted to processing only HTTP/HTTPS POST requests. Any other type of request that it receives generates an error message.

  • The API daemon analyzes and processes HTTP/HTTPS requests from only the following dedicated URL:

    /api/userfw/v1/post-entry

  • The HTTP/HTTPS content that your NAC solution posts to the NFX Series device must always be correctly formatted. Correctly formatted XML serves as an indicator that the data has not been compromised in transit, and it ensures that user identity information is not lost when the post is processed.

Data Size Restrictions and Other Constraints

The following data size restrictions and limitations apply to the data posted to the NFX Series device:

  • The NAC authentication system must control the size of the data that it posts. Otherwise, the Web API daemon is unable to process it. The Web API daemon can process a maximum of 2 megabytes of data.

  • The following limitations apply to XML data for role and device posture information. The Web API daemon discards XML data sent to it that exceeds these amounts (that is, the overflow data):

    • The NFX Series device can process a maximum of 209 roles.

    • The NFX Series device supports only one type of posture with six possible posture tokens, or values. Identity information for an individual user can have only one posture token.
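The integrity requirements and the size limits above describe what the Web API daemon will and will not accept; a NAC integration benefits from checking its own posts against the same rules before sending them, so that a rejected or silently truncated post is caught on the sending side rather than discovered as missing identity entries on the firewall. The following pre-flight validator is an added example written for this page, not code from Juniper or from any NAC product. It enforces the constraints the text states (POST only, the dedicated URL, the 2-megabyte body limit, well-formed XML, at most 209 roles, one posture token per user). The XML element and attribute names it looks for (`<user ip="...">`, `<role>`, `<posture>`) and the posture values in the sample documents are assumptions for illustration, because the page does not define the schema or name the six posture tokens.

```python
"""Pre-flight validator for device-identity posts to the NFX Series Web API.

Added example: checks a request against the constraints the documentation
states (POST only, the dedicated URL, 2 MB body limit, well-formed XML,
at most 209 roles, one posture token per user). The element names used
below (<user>, <role>, <posture>) are assumed; the page defines no schema.
"""
import xml.etree.ElementTree as ET

ALLOWED_METHODS = {"POST"}
ENTRY_URL = "/api/userfw/v1/post-entry"
MAX_BODY_BYTES = 2 * 1024 * 1024   # the daemon processes at most 2 megabytes
MAX_ROLES = 209                    # roles beyond this are discarded as overflow
MAX_POSTURE_TOKENS_PER_USER = 1    # one posture token per identity entry


def validate_request(method, path, body):
    """Return a list of violations; an empty list means the post is acceptable."""
    violations = []
    if method.upper() not in ALLOWED_METHODS:
        violations.append(f"method {method!r} not allowed; only POST is processed")
    if path != ENTRY_URL:
        violations.append(f"path {path!r} is not the dedicated entry URL {ENTRY_URL}")
    if len(body) > MAX_BODY_BYTES:
        violations.append(f"body of {len(body)} bytes exceeds the {MAX_BODY_BYTES}-byte limit")
        return violations  # never parse an oversized payload
    try:
        # For untrusted input in production, parse with defusedxml instead to
        # block entity-expansion and external-entity tricks.
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        violations.append(f"malformed XML: {exc}")
        return violations
    violations.extend(check_roles_and_posture(root))
    return violations


def check_roles_and_posture(root):
    """Apply the role and posture limits to a parsed document (assumed element names)."""
    problems = []
    roles = root.findall(".//role")
    if len(roles) > MAX_ROLES:
        problems.append(f"{len(roles)} roles exceed the maximum of {MAX_ROLES}; "
                        "overflow would be discarded")
    for user in root.findall(".//user"):
        postures = user.findall("posture")
        if len(postures) > MAX_POSTURE_TOKENS_PER_USER:
            ident = user.get("ip", "<unknown>")
            problems.append(f"user {ident} carries {len(postures)} posture tokens; "
                            "only one is allowed")
    return problems


# Constructed sample posts; IP addresses, names and posture values are made up.
GOOD_POST = b"""<?xml version="1.0"?>
<userfw-entries>
  <user ip="10.0.0.5" name="alice">
    <role>employee</role>
    <role>engineering</role>
    <posture>healthy</posture>
  </user>
</userfw-entries>"""

BAD_POST = b"""<?xml version="1.0"?>
<userfw-entries>
  <user ip="10.0.0.6" name="bob">
    <role>contractor</role>
    <posture>healthy</posture>
    <posture>quarantine</posture>
  </user>
</userfw-entries>"""

if __name__ == "__main__":
    for label, method, body in (("good", "POST", GOOD_POST),
                                ("two postures", "POST", BAD_POST),
                                ("wrong method", "GET", GOOD_POST)):
        print(label, "->", validate_request(method, ENTRY_URL, body) or "OK")
```

Running the validator on the NAC side before every post turns the firewall's silent behaviours (discarding overflow roles, rejecting non-POST requests) into explicit errors in the NAC system's own logs, which is where an operator will look first when identity-based policy stops matching.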