v1.0.0 Design Guide

Network Identity Authentication
Architecture Design Guide

An engineering-grade reference for designing, deploying, and operating a unified network identity authentication system — covering AAA, 802.1X, NAC, PKI, MFA, PAM, ZTNA, and end-to-end audit across multi-site enterprise environments.

System Overview

This guide defines an engineering-grade Network Identity Authentication System whose core goal is to form a closed loop of Unified Identity Source + Strong Authentication + Least-Privilege Authorization + End-to-End Auditing. The system unifies the identity lifecycle for people, devices, and service accounts, and enforces access decisions consistently across wired, wireless, VPN/ZTNA, management access, and application entry points.

It is designed for procurement, implementation, delivery, and long-term operations, emphasizing interoperability with AAA (RADIUS/TACACS+), NAC, PKI, MFA/conditional access, PAM, SIEM, and NTP time synchronization. The architecture supports organizations with 2,000–10,000 users across 8–30 sites in mixed on-premises and cloud environments.

Project Deliverables Overview
Figure 0.1: Typical Project Deliverables — Identity → AuthN → AuthZ → Audit closed-loop delivery package

System Architecture

The reference architecture uses a single authoritative identity plane and multiple policy enforcement planes. The directory/IdP provides identity truth; AAA/NAC enforces access at network edges; PAM and TACACS+ control privileged operations; SIEM provides audit centralization. The four-layer model ensures clear separation of concerns and supports independent scaling of each tier.

System Architecture Diagram
Figure 0.2: Four-Layer Reference Architecture — Identity & Trust → Policy Decision → Enforcement → Telemetry
Layer | Key Components | Primary Function | Key Protocols
Identity & Trust | AD/LDAP, IdP, PKI/CA, PAM, HR/IGA | Authoritative identity source and certificate trust | LDAP, Kerberos, SAML/OIDC, SCEP/EST
Policy Decision | RADIUS, TACACS+, NAC Engine, Conditional Access | Evaluate authentication and authorization requests | RADIUS (UDP 1812/1813), TACACS+ (TCP 49)
Enforcement | Switches, APs/WLC, ZTNA/VPN, Jump Server, Firewall | Apply access decisions at the network edge | 802.1X/EAPOL, EAP-TLS, IPsec/TLS
Telemetry | Syslog/CEF, SIEM, SOAR, NTP, NetFlow | Centralized audit, correlation, and alerting | Syslog TLS (6514), NTP (UDP 123)

Main Functions

The system delivers six integrated capability domains, each contributing to the overall security posture. The honeycomb model below illustrates how all six domains radiate from a central unified identity source, ensuring coherent policy enforcement across every access pathway.

Main Functions Honeycomb Diagram
Figure 0.3: Main Functions Overview — Six capability domains centered on Unified Identity Source
Function Domain | Value Delivered | Key Implementation | Acceptance Criterion
Unified Identity Lifecycle | Eliminates orphan accounts and inconsistent privileges | HR-driven provisioning, joiner/mover/leaver; MDM device enrollment; service account vault | Account disable/revoke within defined SLA; group mapping consistent
Strong AuthN — 802.1X EAP-TLS | Passwordless device identity; resists phishing | Certificate issuance, CRL/OCSP, supplicant config, fallback/MAB for legacy | Correct cert chain validation, dynamic VLAN/ACL, fail-closed for sensitive zones
Centralized AAA — TACACS+ | Command-level least privilege; full accountability | Per-role command sets, device privilege levels, unique admin IDs | Command logs correlate to user; deny unauthorized commands
NAC Profiling & Guest/IoT Onboarding | Contain unmanaged endpoints; reduce lateral movement | Device fingerprinting, DHCP/SNMP/RADIUS attributes, captive portal for guests | Correct segmentation for IoT/guest; posture-based quarantine works
Remote Access — MFA + ZTNA | Reduce risky logins; adapt to context | Risk score, device compliance, geo/IP reputation, step-up auth | High-risk blocked/step-up; policy exceptions documented
End-to-End Audit & Alert Linkage | Forensics-ready; faster incident response | Standardized log schema, correlation IDs, NTP, SIEM dashboards | "who/when/how/what" trace within minutes; alerting tested
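The Strong AuthN and NAC rows above state the required outcomes (EAP-TLS with CRL/OCSP checking, MAB fallback for legacy endpoints, posture-based quarantine, fail-closed behaviour in sensitive zones) but not how a policy decision point composes them into one RADIUS answer. The Python sketch below is an added example, not part of this guide or of any vendor product; the VLAN numbers, ACL names and device profiles are constructed placeholders, while Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id are the standard RFC 3580 dynamic-VLAN attributes.

```python
from dataclasses import dataclass
from enum import Enum

class AuthMethod(Enum):
    EAP_TLS = "eap-tls"  # certificate-based 802.1X (Strong AuthN row)
    MAB = "mab"          # MAC Authentication Bypass fallback for legacy endpoints
    NONE = "none"        # no supplicant response / EAP failure

@dataclass
class AccessRequest:
    endpoint: str                    # user or device identity as seen by the NAS
    method: AuthMethod
    cert_chain_valid: bool = False   # chain builds to the enterprise CA
    cert_revoked: bool = False       # CRL/OCSP result
    posture_compliant: bool = True   # NAC posture/health check
    profile: str = "workstation"     # NAC profiling result ("printer", "camera", ...)
    zone_sensitive: bool = False     # port belongs to a zone that must fail closed

# Constructed VLAN/ACL names; a real PDP reads these from its policy store.
VLANS = {"corp": "100", "iot": "200", "guest": "300", "quarantine": "999"}
IOT_PROFILES = {"printer", "camera", "badge-reader"}

def radius_attrs(vlan: str, acl: str) -> dict:
    """RFC 3580 dynamic-VLAN attributes plus a Filter-Id naming the edge ACL."""
    return {
        "Tunnel-Type": "VLAN",             # value 13
        "Tunnel-Medium-Type": "IEEE-802",  # value 6
        "Tunnel-Private-Group-Id": vlan,
        "Filter-Id": acl,
    }

def decide(req: AccessRequest) -> tuple:
    """Return (RADIUS response code, attributes) for one access request."""
    if req.method is AuthMethod.EAP_TLS:
        # A broken chain or a revoked certificate is a hard failure: never downgrade to MAB.
        if not req.cert_chain_valid or req.cert_revoked:
            return "Access-Reject", {}
        if not req.posture_compliant:
            return "Access-Accept", radius_attrs(VLANS["quarantine"], "acl-remediation-only")
        if req.profile in IOT_PROFILES:
            return "Access-Accept", radius_attrs(VLANS["iot"], "acl-iot-egress-only")
        return "Access-Accept", radius_attrs(VLANS["corp"], "acl-corp")
    # Below this point the endpoint has no certificate-backed identity.
    if req.zone_sensitive:
        return "Access-Reject", {}       # fail-closed: no MAB or guest fallback here
    if req.method is AuthMethod.MAB and req.profile in IOT_PROFILES:
        return "Access-Accept", radius_attrs(VLANS["iot"], "acl-iot-egress-only")
    # Unknown endpoint on an ordinary port: guest VLAN behind a captive-portal ACL.
    return "Access-Accept", radius_attrs(VLANS["guest"], "acl-guest-portal")
```

Each branch maps to one acceptance criterion in the table, so the same inputs can double as the test vectors for the delivered NAC policy.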

Scope & Key Dependencies

Category | In-Scope
Identity | Central identity source (AD/LDAP/IdP), account lifecycle, group/role model
Network Access | AAA services, 802.1X EAP-TLS for wired/wireless, dynamic authorization (VLAN/ACL/SGT)
NAC | Profiling, posture/health checks, IoT/guest tiered onboarding
Remote Access | MFA, conditional access, risk-based policies (Zero Trust / ZTNA)
Privileged Access | PAM, session recording, command authorization, break-glass
Audit | Logging, correlation IDs, SIEM integration, time synchronization, alerting
