Enterasys Networks 9034385 manuale d’uso

Enterasys ® Network Access Control Design Guide P/N 9034385[...]

[...]

i Notice Enterasys Networks  reserves  the  right  to  make  changes  in  specifications  and  other  information  contained  in  this  document  and  its  web  si te  without  prior  notice.  The  reader  should  in  all  cases  co nsult  Enterasys Netw orks [...]

ii[...]

iii Contents About This Guide Intended Audience .......... ............. ................. ............ ................. ............. ................ ........... .................. ............. vii Related Documents ............... ............. ................ ............. ................ ............. ................ ....... ............ [...]

iv Chapter 3: Use Scenarios Scenario 1: Intelligent Wired Access E dge ............ ............. ................ ................ ............. ............... ..... ........... 3-1 Policy-Enabled Edge ................. ... ............. ............. ................ ............. ............. ............. ...... ................... .. 3-2 RFC[...]

v Unregistered Policy ................... ............. ............. ................ ............. ................ ............. ..... .............. 5-28 Inline NAC Design Procedures ........................... ............. ................ ................ ............. ............. .......... ......... 5-28 1. Determine NAC Contro ller Loca[...]

vi[...]

Enterasys NAC Design Gu ide vii About This Guide The  NAC  Design  Guide  describes  the  technical  considerations  for  the  planning  and  design  of  the  Enterasys  Netw ork  Access  Contr ol  (NAC)  solution.  The  guide  includes  the  following  information: Inten[...]

Getting Help viii About This Guide •E n t e r a s y s  NA C  Manager  Online  Help.  Explains  how  to  use  NAC  Manager  to  configure  you r  NAC  appliances,  and  to  put  in  place  authenti cation  and  assessment  requirements  for  the  end ‐ systems  a[...]

Enterasys NAC Design Guide 1-1 1 Overview This  chapter  provides  an  overview  of  the  Enterasys  Network  Access  Control  (NAC)  solution,  including  a  descripti on  of  key  NAC  functions  and  deployment  models.  It  also  introd uces  the  required  and [...]

NAC Solution Overview 1-2 Overview Assessment Determine  if  th e  device  complies  with  corporate  security  and  configuration  requirements,  such  as  operating  system  patch  revision  levels  and  anti virus  signature  definitions.  Other  security  compliance  req[...]

NAC Solution Overview Enterasys NAC Design Guide 1-3 Model 1: End-system Detection and T racking This  NAC  deployment  model  implements  the  detection  piece  of  NAC  functionality .  It  supports  the  ability  to  track  users  and  end ‐ sys tems  over  time  by  identify[...]

NAC Solution Components 1-4 Overview NAC Solution Component s This  section  discusses  the  required  and  optional  components  of  the  Enterasys  NAC  solution,  beginning  with  the  following  table  that  summarizes  the  component  requirements  for  each  of  the[...]

NAC Solution Components Enterasys NAC Design Guide 1-5 Enterasys  offers  two  types  of  NA C  appliances:  the  NAC  Gatew ay  appliance  implements  out ‐ of ‐ band  network  access  control,  and  the  NAC  Controller  appliance  implements  inline  network  access  [...]

NAC Solution Components 1-6 Overview of  supporting  authentication  and/or  authorization.  The  NAC  Controller  is  also  required  in  IPSec  and  SSL  VPN  deployments.  The  NAC  Controller  provides  integrated  vulnerability  assessment  serv er  functionality  an[...]

NAC Solution Components Enterasys NAC Design Guide 1-7 Appliance Comp arison The  following  table  compares  how  the  two  NA C  appliance  types  implement  the  five  NAC  functions. T able 1-2 Comp arison of Appliance Funct ionality NAC Function NAC Gateway NAC Controller Detection RADIUS authenticatio[...]

NAC Solution Components 1-8 Overview Ta b l e 1 ‐ 3  outlines  the  adv antages  and  disadv antages  of  the  tw o  appliance  types  as  they  pertain  to  network  securi ty ,  scalabilit y ,  and  configuration/implementation. T able 1-3 Comp arison of Appliance Adva ntag es and Disadva[...]

NAC Solution Components Enterasys NAC Design Guide 1-9 NetSight Management The  NAC  appliances  are  configured,  monit ored,  and  managed  through  management  applications  within  the  Enterasys  NetSight  Suite.  Net Sight  is  a  family  of  products  comprised  of  NetS[...]

Summary 1-10 Overview NetSight Console NetSight  Console  is  used  to  monitor  the  health  and  status  of  infrastructure  devices  in  the  netw ork,  including  switches,  routers,  Enterasys  NAC  appliances  (NAC  Gatew ays  and  NAC  Controllers)  as  wel l[...]

Summary Enterasys NAC Design Guide 1 -11 •M o d e l  3:  End ‐ Syst em  Authorization  with  Assessment ‐ Implements  detection ,  authentication ,  assessment ,  and  authorization  to  provide  network  access  control  based  on  the  security  posture  of  a  conne[...]

Summary 1-12 Overview[...]

Enterasys NAC Design Guide 2-1 2 NAC Deployment Models This  chapter  descri bes  the  four  NAC  deployment  models  and  how  they  build  on  each  other  to  provide  a  complete  NAC  solution.  The  first  model  imple ments  a  subset  of  the  fiv e  k[...]

Model 1: End-System Detection and Tracking 2-2 NAC Deployment Models RADIUS  Access ‐ Accept  or  Access ‐ Reject  message  received  from  the  upstream  RADIUS  server ,  is  returned  without  modification  to  the  access  edge  switch,  to  permit  end ‐ system  access [...]

Model 2: End-System Authorization Enterasys NAC Design Guide 2-3 and  information  on  the  network.  Enteras ys  NAC  can  be  leveraged  to  provide  information  to  SIM  solutions,  by  mapping  an  IP  address  to  an  identity ,  such  as  a  MAC  address  [...]

Model 2: End-System Authorization 2-4 NAC Deployment Models device  ide ntity ,  us er  identity ,  and/or  location  information  is  used  to  authorize  the  connecting  end ‐ system  with  a  certain  level  of  netw ork  access.  It  is  important  to  note  that ?[...]

Model 2: End-System Authorization Enterasys NAC Design Guide 2-5 The  NAC  Controller  may  eithe r  deny  the  end ‐ system  access  to  the  network  or  assign  the  end ‐ system  to  a  particular  set  of  networ k  reso urces  by  specifying  a  particular  p[...]

Model 2: End-System Authorization 2-6 NAC Deployment Models is  only  provisioned  by  the  Enterasys  NAC  sol ution  when  the  devices  connect  to  switches  in  the  Network  Operations  Center  (NOC).  This  level  of  granularity  in  provisioning  access  to ?[...]

Model 2: End-System Authorization Enterasys NAC Design Guide 2-7 a  password  in  the  registration  web  page.  This  sponsor  username  and  passw ord  can  be  va l i d a te d  against  an  existing  database  on  the  netw ork  to  authenticate  the  sponsor ʹ s  ide[...]

Model 3: End-System Authorization with Assessment 2-8 NAC Deployment Models A  RADIUS  serv er  is  only  required  if  out ‐ of ‐ band  netw ork  access  control  using  the  NAC  Gatewa y ,  or  inline  netw ork  access  control  using  the  Layer  2  NAC  Co ntroller [...]

Model 3: End-System Authorization with Assessment Enterasys NAC Design Guide 2-9 server  is  running  or  if  the  HTTP  server  is  out ‐ of ‐ date)  and  client ‐ side  checks  (run ning  applications,  softw are  configurations,  instal led  operating  system  patches)  provide[...]

Model 3: End-System Authorization with Assessment 2-10 NAC Deployment Models Features and V alue In  addition  to  the  features  and  val u e s  found  in  Model  1  and  Model  2,  the  following  are  key  pieces  of  functionality  and  va lu e  propositions  supported  [...]

Model 3: End-System Authorization with Assessment Enterasys NAC Design Guide 2 -11 •A p p l i c a t i o n  configuration The  NAC  solution  can  determine  which  services  and  applications  are  installed  and  enabled  on  the  end ‐ system.  Certain  applications  should  be  r[...]

Model 4: End-System Authorization with Assessment and Remediation 2-12 NAC Deployment Models Required and Optional Component s This  section  summarizes  the  required  and  optional  components  for  Mod el  3. . The  NAC  Gatew ay  and  NAC  Controller  are  the  NAC  appliances  used ?[...]

Model 4: End-System Authorization with Assessment and Reme diation Enterasys NAC Design Guide 2 -13 Assisted  remediation  informs  end  users  when  their  end ‐ systems  have  been  quarantin ed  due  to  network  securi ty  policy  non ‐ compliance,  and  allows  end  users  to ?[...]

Model 4: End-System Authorization with Assessment and Remediation 2-14 NAC Deployment Models Inline NAC For  inline  Enterasys  NAC  deployments  utilizing  the  Lay er  2  or  Layer  3  NAC  Controller ,  the  NAC  functions  are  implemented  in  the  following  way : Detection [...]

Model 4: End-System Authorization with Assessment and Reme diation Enterasys NAC Design Guide 2 -15 traffic  with  specific  source  and  destination  cha racteristics  as  well  as  specific  app lication  identifiers  (UDP/TCP  ports).  In  addi tion,  the  Enterasys  NAC  solution  w[...]

Summary 2-16 NAC Deployment Models Summary Enterasys  supports  all  of  the  five  key  NAC  functions:  detection,  authentication,  assessment,  authorization,  and  remediation.  Howev er ,  not  all  fiv e  functions  need  to  be  implemented  concurrently  in  a ?[...]

Enterasys NAC Design Guide 3-1 3 Use Scenarios This  chapter  describes  four  NAC  use  scenarios  that  illustrate  how  the  type  of  NAC  deployment  is  directly  dependent  on  the  infrastructure  devices  deployed  in  the  netw ork.  For  some  network [...]

Scenario 1: Intelligent Wired Access Edge 3-2 Use Scenarios within  the  same  Quarantine  VLAN  because  the  authorization  point  is  usually  implemented  at  the  exit  point  of  the  VLAN  via  Access  Control  Lists  (ACL s). Policy-Enabled Edge The  fol lowing  figu[...]

Scenario 1: Intelligent Wired Access Edge Enterasys NAC Design Guide 3-3 RFC 3580 Cap able Edge In  this  figure  the  NAC  Gatew ay  and  the  other  Enterasys  NAC  components  provide  network  access  control  for  a  network  with  third ‐ party  switches  that  support [...]

Scenario 1: Intelligent Wired Access Edge 3-4 Use Scenarios Scenario 1 Implementation In  the  intelligent  wi red  edge  use  scenario,  the  five  NAC  functions  are  implemented  in  the  following  manner: 1.  Detection ‐ The  user ʹ s  end ‐ sy stem  connects  to  th[...]

Scenario 2: Intelligent Wireless Access Edge Enterasys NAC Design Guide 3-5 intellig ent  edge  on  the  network.  The  Mat rix  N ‐ series  switch  is  capable  of  authenticating  and  authorizing  multiple  devices  connected  to  a  single  port  for  a  vari e t y  of[...]

Scenario 2: Intelligent Wireless Access Edge 3-6 Use Scenarios Figure 3-3 Intelligent Wirele ss Access Edge - Thin APs with W ireless Switch 1 4 3 2 Wireless Access Point 5 3 Enterasys NAC Manager Intelligent Wireless Controller (RFC 3850-compliant) NAC Gateway (out- of-band appliance) Assessment Server Authentication Server (optionally integrated [...]

Scenario 2: Intelligent Wireless Access Edge Enterasys NAC Design Guide 3-7 Thick Wireless Edge In  a  thick  wireless  deployment,  access  points  forward  wirele ss  end ‐ system  traffic  directly  onto  the  wired  infrastructure  without  the  use  of  a  wireless  switch. ?[...]

Scenario 2: Intelligent Wireless Access Edge 3-8 Use Scenarios Scenario 2 Implementation In  the  intelligent  wireless  access  edge  use  scen ario,  the  five  NAC  functions  are  implemented  in  the  following  manner: 1.  Detection ‐ The  user ʹ s  end ‐ sy stem  conne[...]

Scenario 3: Non-intelligent Access Edge (Wired and Wireless) Enterasys NAC Design Guide 3-9 It  is  important  to  note  that  if  the  wireless  edge  of  the  network  is  non ‐ i ntelligent  and  not  capable  of  authenticating  and  authorizing  wireless  end ‐ systems, ?[...]

Scenario 3: Non-intelligent Access Edge ( Wired and Wireless) 3-10 Use Scenarios Figure 3-5 Non-intelligent Access Edge (W ired and Wireless) 2 3 3 3 4 5 1 3 Enterasys NAC Manager NAC Controller (inline appliance) Assessment Server Authentication Server (optionally integrated in NAC Controller) Role= Quarantine Layer 3 Wired LAN Role= Quarantine Ro[...]

Scenario 4: VPN Remote Access Enterasys NAC Design Guide 3 -11 Scenario 3 Implementation In  the  non ‐ intelligent  access  edge  use  scenario,  the  five  NAC  functions  are  implemented  in  the  following  manner: 1.  Detection ‐ The  user ʹ s  end ‐ sy stem  connects ?[...]

Scenario 4: VPN Remote Access 3-12 Use Scenarios Figure 3-6 VPN Remote Access Scenario 4 Implementation In  the  VPN  remote  access  use  scenario,  the  five  NAC  functions  are  implemented  in  the  following  manner  with  the  deployment  of  the  NAC  Controller  for ?[...]

Summary Enterasys NAC Design Guide 3 -13 5.  Remediation ‐  When  the  quarantined  end  user  opens  a  web  browser  to  any  web  site,  its  traffic  is  dynamically  redirect ed  to  a  Remediation  web  page  that  describes  the  compliance  violation[...]

Summary 3-14 Use Scenarios Scenario 4: VPN remote access Summary: VPN concentrators act as a termination point for remote access VPN tunn els into the enterprise network. Appliance Requirement: NAC Contr oller Inline net work access control is implem ented by deploying the NAC Controller appliance to locally authorize connecting end-systems. T able[...]

Enterasys NAC Design Guide 4-1 4 Design Planning This  chapter  descri bes  the  steps  yo u  should  take  as  yo u  begin  planning  yo ur  NAC  deployment.  The  first  step  is  to  identify  the  deployment  model  that  best  meets  you r  business  objecti[...]

Survey the Network 4-2 Design Planning access  to  a  web  browser  to  safely  remediate  their  quarantined  end ‐ syst em  without  impacting  IT  operations. Once  a  deployment  model  is  se lected,  the  current  network  infrastructure  must  be  examined  to[...]

Survey the Network Enterasys NAC Design Guide 4-3 The  network  shown  in  Figure 4 ‐ 1  below ,  illustrates  the  following  three  examples  of  how  the  intellig ent  edge  can  be  implemented  in  a  networ k. • Policy ‐ enabled  Enterasys  devices  at  the  [...]

Survey the Network 4-4 Design Planning For  the  inline  implementation  of  the  Enterasys  NAC  solution,  the  NAC  Controller  authenticates  and  authorizes  end ‐ systems  locally  on  the  appliance,  and  does  not  rely  on  the  capabilities  of  downstr[...]

Survey the Network Enterasys NAC Design Guide 4-5 to  locally  authorize  all  MAC  authentication  reque sts  for  connecting  end ‐ systems,  thereby  not  requiring  a  li st  of  known  MAC  addre sses.  In  fact,  Enterasys  NAC  can  be  configur ed  in  a  [...]

Survey the Network 4-6 Design Planning Similar  to  802.1X,  web ‐ based  authentication  requires  the  input  of  credentials  and  is  normally  use d  on  user ‐ centric  end ‐ systems  that  hav e  a  concept  of  an  associated  user ,  such  as  a  PC. [...]

Survey the Network Enterasys NAC Design Guide 4-7 system  at  a  time,  then  it  is  sugg ested  that  MAC  locking  (also  known  as  Po r t  Secu rity)  be  enabled  on  the  edge  switches  to  restrict  the  number  of  connecting  devi ces.  If  multiple[...]

Survey the Network 4-8 Design Planning authenticated  to  the  netw ork  and  interact  with  Enter asys  NAC  for  authenticati on,  assessment,  authorization,  and  remediation.  Note  how ever ,  that  this  configuration  may  not  be  possible  if  trusted  users ?[...]

Survey the Network Enterasys NAC Design Guide 4-9 If  the  network  infrastructure  does  not  contain  intelligent  devices  at  the  edg e  or  distributi on  layer ,  then  inline  NAC  using  the  NAC  Controller  as  the  authorization  point  for  connecting  [...]

Survey the Network 4-10 Design Planning this  case,  the  thick  AP  deployment  falls  into  the  category  of  non ‐ intelligent  ed ge  devices  with  the  same  NAC  implementations  as  a  non ‐ intelligent  wired  edge.  These  non ‐ intelligent  APs  must [...]

Identify Inline or Out-of-band NAC Dep loyment Enterasys NAC Design Guide 4 -11 Remote Access VPN In  many  enterprise  environments,  a  VPN  concentrator  located  at  the  main  site  connects  to  the  Internet  to  provide  VPN  access  to  remote  users.  In  this  sce[...]

Summary 4-12 Design Planning server .  In  addi tion,  NAC  can  also  be  configured  to  locally  authorize  MA C  authentication  requests. 3. Identify  the  strategic  point  in  the  network  where  end ‐ system  authorization  should  be  implemented.  The  mos[...]

Enterasys NAC Design Guide 5-1 5 Design Procedures This  chapter  descri bes  the  design  procedures  for  Enterasys  NAC  deployment  on  an  ente rprise  network.  The  first  section  discusses  procedures  for  both  out ‐ of ‐ band  and  inline  NAC  deployments. ?[...]

Procedures for Out-of-Band and Inline NAC 5-2 Design Procedures Po l i c y  Manager  is  not  required  for  out ‐ of ‐ band  NAC  that  utilizes  RFC  3580 ‐ compliant  switches  (Enterasys  and  third ‐ party  switches).  In  this  case,  a  VLAN  is  specified  in ?[...]

Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-3 Figure 5-1 Se curity Domain NAC Configurations Each  Security  Domain  has  a  default  “NAC  configuration”  that  defines  the  authentication,  assessment,  and  authorization  parameters  for  all  end ‐ systems ?[...]

Procedures for Out-of-Band and Inline NAC 5-4 Design Procedures Figure 5-2 NAC Configuration Authentication The  Authenticati on  settings  define  how  RADIUS  requests  are  handled  for  au thenticating  end ‐ systems  (this  does  not  apply  to  Layer  3  NAC  Controllers.)  This[...]

Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-5 •H o w  health  results  are  processed. When  an  assessment  is  performed  on  an  end ‐ syste m,  a  “health  result”  is  generated.  For  each  health  result,  there  may  be  sev eral  ?[...]

Procedures for Out-of-Band and Inline NAC 5-6 Design Procedures The  following  figure  shows  the  NAC  Manager  window  used  to  create  or  edit  a  NAC  Configuration  and  defi ne  its  authentication,  assessment,  and  a uthorization  attributes. Figure 5-3 NAC Configurati[...]

Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-7 The  following  table  provides  examples  of  var i o u s  network  scenarios  that  should  be  considered  when  identifyi ng  the  number  and  configuration  of  Sec urity  Domains  in  your  NAC  [...]

Procedures for Out-of-Band and Inline NAC 5-8 Design Procedures Area of the network that provides access to a group of users or devices that pose a potentiall y high risk to the security or stability of the network. • Switches that provide access to guest users or contractors on a corporate network. These users are usually not directly unde r the[...]

Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-9 Area of the network that is configured to allow access only to specific end-systems or users. • Switches that provide access to only pre-configured end-systems and users in highly controlled environments, such as industrial automation networks. For the NAC Gateway , reject a[...]

Procedures for Out-of-Band and Inline NAC 5-10 Design Procedures The  following  table  provides  network  scenarios  from  an  as sessment  standpoint  that  should  be  taken  into  account  when  identifying  the  number  and  configuration  of  Security  Domains. T able 5-2[...]

Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5 -11 Area of the network, or a group of end-systems or users, that require assessment with immediate network access. • Switches that provide network acce ss to mission critical servers, mandating uninterrupted network con nectivity while still implementing assessment. • Switc[...]

Procedures for Out-of-Band and Inline NAC 5-12 Design Procedures 3. Identify Required MAC and User Overrides MAC  and  user  overr ides  are  used  to  handle  end ‐ syste ms  that  require  a  different  set  of  authentication,  assessment,  and  authorization  parameters  from  the[...]

Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5 -13 The  following  figure  display s  the  windows  used  for  MAC  and  user  override  configura tion  in  NAC  Manager .  Notice  that  either  an  existing  NAC  Config uration  can  be  used  or [...]

Procedures for Out-of-Band and Inline NAC 5-14 Design Procedures The  following  table  describes  scenarios  where  a  MAC  ov erride  may  be  configured  for  a  particular  end ‐ system. T able 5-3 MAC Override Configuratio n Guidelines Network Scenario Examples Security Domain Config uration A dev[...]

Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5 -15 A device or class of devices needs to be restricted network access (“blacklisted”) in a particular Security Domain or in all Security Domains. Denying access or quarantining the MAC addresses of laptops used b y guests or contractors in those areas of the network designa[...]

Procedures for Out-of-Band and Inline NAC 5-16 Design Procedures User Overrides A  user  ov erride  lets  you  create  a  configuration  for  a  specific  end  user ,  based  on  the  user  name.  For  example,  you  could  create  a  user  override  that  gives  a [...]

Assessment Design Procedures Enterasys NAC Design Guide 5 -17 Manager  will  not  match  this  end ‐ system  and  the  end ‐ sy stem  is  assigned  the  Security  Domain’ s  default  NAC  config uration.  In  addition,  the  Layer  3  NAC  Controller  is  not  able [...]

Assessment Design Procedures 5-18 Design Procedures 2. Determine Assessm ent Server Location When  determining  the  location  of  the  assessme nt  servers  on  th e  network,  the  following  factors  should  be  considered: •T h e  type  of  assessment:  agent ‐ less  or  agen[...]

Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5 -19 configuration  if  the  security  vul nerability  is  considered  a  risk  for  the  organization.  For  more  information  on  Nessus,  ref er  to  http://nessus.org/ . Out-of-Band NAC Design Procedures The  following  [...]

Out-of-Band NAC Design Procedures 5-20 Design Procedures 2. Determine the Number of NAC Gateways The  number  of  NAC  Gatew ays  to  be  depl oyed  on  the  netw ork  is  a  function  of  the  following  parameters: •T h e  number  of  Security  Domains  configured  on  th e[...]

Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5 -21 Figure 5-5 NAC Gateway Redund ancy It  is  important  that  the  secondary  NAC  Gatew ay  does  not  exceed  maximum  capacity  if  the  primary  NAC  Gatew ay  fails  on  the  network.  For  example,  let’ s[...]

Out-of-Band NAC Design Procedures 5-22 Design Procedures primary  NAC  Gatew ay ,  the  transition  to  the  secondary  NAC  Gateway  wi ll  not  exceed  maximum  capacity .  To  support  redundancy  within  a  Security  Domain  for  either  approach,  one  additional [...]

Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5 -23 It  is  important  to  not e  that  only  the  NAC  Gateways  that  are  configured  with  remediation  and  registration  functionality  need  to  be  positioned  in  such  a  manner .  All  other  [...]

Out-of-Band NAC Design Procedures 5-24 Design Procedures 6. VLAN Configuration This  step  is  for  NA C  deployments  tha t  use  RFC ‐ 3580 ‐ compliant  switches  in  the  intelligent  edge  of  the  network  to  impl ement  dynamic  VLAN  assignment  of  connecting  devi[...]

Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5 -25 previously  specified  in  the  NAC  configuration  must  be  def ined  in  NetSight  Pol i c y  Manager  to  ensure  the  consistent  allocation  of  network  resources  to  co nnecting  end ‐ systems. Failsafe [...]

Out-of-Band NAC Design Procedures 5-26 Design Procedures Figure 5-6 Policy Role Configuration in NetSig ht Policy Manager Assessment Policy The  Assessment  Pol ic y  ma y  be  used  to  temporarily  allocate  a  set  of  netw ork  resources  to  end ‐ systems  while  they  are  being  a[...]

Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5 -27 Figure 5-7 Service for the Assessing Role Note  that  it  is  not  mandatory  to  assign  the  Assessment  Pol i cy  to  a  connecting  end ‐ system  while  it  is  being  assessed.  NAC  can  be  configured  [...]

Inline NAC Design Procedures 5-28 Design Procedures Figure 5-8 Service for the Quarantine Role Furthermore,  the  Quarantine  Po l i c y  and  other  network  infrastructure  devices  must  be  configured  to  implement  HTTP  traffic  redirection  for  quaranti ned  end ‐ systems  to ?[...]

Inline NAC Design Procedures Enterasys NAC Design Guide 5 -29 Howeve r ,  the  closer  the  NAC  Controller  is  placed  to  the  edge  of  the  network,  the  more  NAC  Controllers  are  required  on  the  netw ork,  increasing  NAC  deployment  cost  and  complex[...]

Inline NAC Design Procedures 5-30 Design Procedures 2. Determine the Numb er of NAC Controllers The  number  of  NAC  Controllers  to  be  deploy ed  on  the  network  is  a  function  of  the  following  parameters: •T h e  network  topology . Because  the  NAC  Controller  is [...]

Inline NAC Design Procedures Enterasys NAC Design Guide 5 -31 Figure 5-9 Layer 2 NAC Controller Redundancy For  a  Layer  3  NAC  Controller ,  redundancy  is  achieved  by  implementing  redundant  Layer  3  NAC  Controllers  on  adjacent,  but  separate  networks  as  shown  in [...]

Inline NAC Design Procedures 5-32 Design Procedures 3. Identify Backend RADIUS Server Interaction Layer  2  NAC  Controllers  detect  downs tream  end ‐ systems  via  authentication:  MAC,  web ‐ based,  or  802.1X.  If  we b ‐ based  or  802.1X  authenti cation  is  implemented,  th[...]

Additional Considerations Enterasys NAC Design Guide 5 -33 assessment  server s  to  reach  the  end ‐ system  while  it  is  being  assessed,  regardless  of  whether  the  Assessing  policy ,  Enterprise  User  policy ,  or  any  other  policy  ro le  is  utilized [...]

Additional Considerations 5-34 Design Procedures[...]