English dropdown-ico

Enterasys 9034385 manual

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98

Go to page of

Similar user manuals

A good user manual

The rules should oblige the seller to give the purchaser an operating instrucion of Enterasys 9034385, along with an item. The lack of an instruction or false information given to customer shall constitute grounds to apply for a complaint because of nonconformity of goods with the contract. In accordance with the law, a customer can receive an instruction in non-paper form; lately graphic and electronic forms of the manuals, as well as instructional videos have been majorly used. A necessary precondition for this is the unmistakable, legible character of an instruction.

What is an instruction?

The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction of Enterasys 9034385 one could find a process description. An instruction's purpose is to teach, to ease the start-up and an item's use or performance of certain activities. An instruction is a compilation of information about an item/a service, it is a clue.

Unfortunately, only a few customers devote their time to read an instruction of Enterasys 9034385. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us to avoid the formation of most of the defects.

What should a perfect user manual contain?

First and foremost, an user manual of Enterasys 9034385 should contain:
- informations concerning technical data of Enterasys 9034385
- name of the manufacturer and a year of construction of the Enterasys 9034385 item
- rules of operation, control and maintenance of the Enterasys 9034385 item
- safety signs and mark certificates which confirm compatibility with appropriate standards

Why don't we read the manuals?

Usually it results from the lack of time and certainty about functionalities of purchased items. Unfortunately, networking and start-up of Enterasys 9034385 alone are not enough. An instruction contains a number of clues concerning respective functionalities, safety rules, maintenance methods (what means should be used), eventual defects of Enterasys 9034385, and methods of problem resolution. Eventually, when one still can't find the answer to his problems, he will be directed to the Enterasys service. Lately animated manuals and instructional videos are quite popular among customers. These kinds of user manuals are effective; they assure that a customer will familiarize himself with the whole material, and won't skip complicated, technical information of Enterasys 9034385.

Why one should read the manuals?

It is mostly in the manuals where we will find the details concerning construction and possibility of the Enterasys 9034385 item, and its use of respective accessory, as well as information concerning all the functions and facilities.

After a successful purchase of an item one should find a moment and get to know with every part of an instruction. Currently the manuals are carefully prearranged and translated, so they could be fully understood by its users. The manuals will serve as an informational aid.

Table of contents for the manual

  • Page 1

    Enterasys ® Network Access Control Design Guide P/N 9034385[...]

  • Page 2

    [...]

  • Page 3

    i Notice Enterasys Networks  reserves  the  right  to  make  changes  in  specifications  and  other  information  contained  in  this  document  and  its  web  si te  without  prior  notice.  The  reader  should  in  all  cases  co nsult  Enterasys Netw orks [...]

  • Page 4

    ii[...]

  • Page 5

    iii Contents About This Guide Intended Audience .......... ............. ................. ............ ................. ............. ................ ........... .................. ............. vii Related Documents ............... ............. ................ ............. ................ ............. ................ ....... ............ [...]

  • Page 6

    iv Chapter 3: Use Scenarios Scenario 1: Intelligent Wired Access E dge ............ ............. ................ ................ ............. ............... ..... ........... 3-1 Policy-Enabled Edge ................. ............. ............ ................. ............. ............ ............. .......... ................ ..... 3-2 RFC [...]

  • Page 7

    v Unregistered Policy ................... ............. ............. ................ ............. ................ ............. ..... .............. 5-28 Inline NAC Design Procedures ........... ................ ............. ................ ................ ............. ............. .......... ......... 5-28 1. Determine NAC Contro ller Loc[...]

  • Page 8

    vi[...]

  • Page 9

    Enterasys NAC Design Gu ide vii About This Guide The  NAC  Design  Guide  describes  the  technical  considerations  for  the  planning  and  design  of  the  Enterasys  Netw ork  Access  Contr ol  (NAC)  solution.  The  guide  includes  the  following  information: Inten[...]

  • Page 10

    Getting Help viii About This Guide •E n t e r a s y s  NA C  Manager  Online  Help.  Explains  how  to  use  NAC  Manager  to  configure  you r  NAC  appliances,  and  to  put  in  place  authenti cation  and  assessment  requirements  for  the  end ‐ systems  a[...]

  • Page 11

    Enterasys NAC Design Guide 1-1 1 Overview This  chapter  provides  an  overview  of  the  Enterasys  Network  Access  Control  (NAC)  solution,  including  a  descripti on  of  key  NAC  functions  and  deployment  models.  It  also  introd uces  the  required  and [...]

  • Page 12

    NAC Solution Overview 1-2 Overview Assessment Determine  if  th e  device  complies  with  corporate  security  and  configuration  requirements,  such  as  operating  system  patch  revision  levels  and  anti virus  signature  definitions.  Other  security  compliance  req[...]

  • Page 13

    NAC Solution Overview Enterasys NAC Design Guide 1-3 Model 1: End-system Detection and T racking This  NAC  deployment  model  implements  the  detection  piece  of  NAC  functionality .  It  supports  the  ability  to  track  users  and  end ‐ sys tems  over  time  by  identify[...]

  • Page 14

    NAC Solution Components 1-4 Overview NAC Solution Component s This  section  discusses  the  required  and  optional  components  of  the  Enterasys  NAC  solution,  beginning  with  the  following  table  that  summarizes  the  component  requirements  for  each  of  the[...]

  • Page 15

    NAC Solution Components Enterasys NAC Design Guide 1-5 Enterasys  offers  two  types  of  NA C  appliances:  the  NAC  Gatew ay  appliance  implements  out ‐ of ‐ band  network  access  control,  and  the  NAC  Controller  appliance  implements  inline  network  access  [...]

  • Page 16

    NAC Solution Components 1-6 Overview of  supporting  authentication  and/or  authorization.  The  NAC  Controller  is  also  required  in  IPSec  and  SSL  VPN  deployments.  The  NAC  Controller  provides  integrated  vulnerability  assessment  serv er  functionality  an[...]

  • Page 17

    NAC Solution Components Enterasys NAC Design Guide 1-7 Appliance Comp arison The  following  table  compares  how  the  two  NA C  appliance  types  implement  the  five  NAC  functions. T able 1-2 Comp arison of Appliance Funct ionality NAC Function NAC Gateway NAC Controller Detection RADIUS authenticatio[...]

  • Page 18

    NAC Solution Components 1-8 Overview Ta b l e 1 ‐ 3  outlines  the  advantages  and  disadv antages  of  the  two  appliance  types  as  they  pertain  to  network  securi ty ,  scalabilit y ,  and  configuration/implementation. T able 1-3 Comp arison of Appliance Adva ntag es and Disadvant[...]

  • Page 19

    NAC Solution Components Enterasys NAC Design Guide 1-9 NetSight Management The  NAC  appliances  are  configured,  monit ored,  and  managed  through  management  applications  within  the  Enterasys  NetSight  Suite.  Net Sight  is  a  family  of  products  comprised  of  NetS[...]

  • Page 20

    Summary 1-10 Overview NetSight Console NetSight  Console  is  used  to  monitor  the  health  and  status  of  infrastructure  devices  in  the  netw ork,  including  switches,  routers,  Enterasys  NAC  appliances  (NAC  Gatew ays  and  NAC  Controllers)  as  wel l[...]

  • Page 21

    Summary Enterasys NAC Design Guide 1 -11 •M o d e l  3:  End ‐ Syst em  Authorization  with  Assessment ‐ Implements  detection ,  authentication ,  assessment ,  and  authorization  to  provide  network  access  control  based  on  the  security  posture  of  a  conne[...]

  • Page 22

    Summary 1-12 Overview[...]

  • Page 23

    Enterasys NAC Design Guide 2-1 2 NAC Deployment Models This  chapter  descri bes  the  four  NAC  deployment  models  and  how  they  build  on  each  other  to  provide  a  complete  NAC  solution.  The  first  model  imple ments  a  subset  of  the  fiv e  k[...]

  • Page 24

    Model 1: End-System Detection and Tracking 2-2 NAC Deployment Models RADIUS  Access ‐ Accept  or  Access ‐ Reject  message  received  from  the  upstream  RADIUS  server ,  is  returned  without  modification  to  the  access  edge  switch,  to  permit  end ‐ system  access [...]

  • Page 25

    Model 2: End-System Authorization Enterasys NAC Design Guide 2-3 and  information  on  the  network.  Enteras ys  NAC  can  be  leveraged  to  provide  information  to  SIM  solutions,  by  mapping  an  IP  address  to  an  identity ,  such  as  a  MAC  address  [...]

  • Page 26

    Model 2: End-System Authorization 2-4 NAC Deployment Models device  ide ntity ,  us er  identity ,  and/or  location  information  is  used  to  authorize  the  connecting  end ‐ system  with  a  certain  level  of  netw ork  access.  It  is  important  to  note  that ?[...]

  • Page 27

    Model 2: End-System Authorization Enterasys NAC Design Guide 2-5 The  NAC  Controller  may  eithe r  deny  the  end ‐ system  access  to  the  network  or  assign  the  end ‐ system  to  a  particular  set  of  networ k  reso urces  by  specifying  a  particular  p[...]

  • Page 28

    Model 2: End-System Authorization 2-6 NAC Deployment Models is  only  provisioned  by  the  Enterasys  NAC  sol ution  when  the  devices  connect  to  switches  in  the  Network  Operations  Center  (NOC).  This  level  of  granularity  in  provisioning  access  to ?[...]

  • Page 29

    Model 2: End-System Authorization Enterasys NAC Design Guide 2-7 a  password  in  the  registration  web  page.  This  sponsor  username  and  passw ord  can  be  va l i d a te d  agai nst  an  existing  database  on  the  netw ork  to  authentica te  the  sponsor ʹ s  i[...]

  • Page 30

    Model 3: End-System Authorization with Assessment 2-8 NAC Deployment Models A  RADIUS  serv er  is  only  required  if  out ‐ of ‐ band  netw ork  access  control  using  the  NAC  Gatewa y ,  or  inline  netw ork  access  control  using  the  Layer  2  NAC  Co ntroller [...]

  • Page 31

    Model 3: End-System Authorization with Assessment Enterasys NAC Design Guide 2-9 server  is  running  or  if  the  HTTP  server  is  out ‐ of ‐ date)  and  client ‐ side  checks  (run ning  applications,  softw are  configurations,  instal led  operating  system  patches)  provide[...]

  • Page 32

    Model 3: End-System Authorization with Assessment 2-10 NAC Deployment Models Features and V alue In  addition  to  the  features  and  val u e s  found  in  Model  1  and  Model  2,  the  following  are  key  pieces  of  functionality  and  va lu e  propositions  supported  [...]

  • Page 33

    Model 3: End-System Authorization with Assessment Enterasys NAC Design Guide 2 -11 •A p p l i c a t i o n  configuration The  NAC  solution  can  determine  which  services  and  applications  are  installed  and  enabled  on  the  end ‐ system.  Certain  applications  should  be  r[...]

  • Page 34

    Model 4: End-System Authorization with Assessment and Remediation 2-12 NAC Deployment Models Required and Optional Component s This  section  summarizes  the  required  and  optional  components  for  Mod el  3. . The  NAC  Gatew ay  and  NAC  Controller  are  the  NAC  appliances  used ?[...]

  • Page 35

    Model 4: End-System Authorization with Assessment and Reme diation Enterasys NAC Design Guide 2 -13 Assisted  remediation  informs  end  users  when  their  end ‐ systems  have  been  quarantin ed  due  to  network  securi ty  policy  non ‐ compliance,  and  allows  end  users  to ?[...]

  • Page 36

    Model 4: End-System Authorization with Assessment and Remediation 2-14 NAC Deployment Models Inline NAC For  inline  Enterasys  NAC  deployments  utilizing  the  Lay er  2  or  Layer  3  NAC  Controller ,  the  NAC  functions  are  implemented  in  the  following  way : Detection [...]

  • Page 37

    Model 4: End-System Authorization with Assessment and Reme diation Enterasys NAC Design Guide 2 -15 traffic  with  specific  source  and  destination  cha racteristics  as  well  as  specific  app lication  identifiers  (UDP/TCP  ports).  In  addi tion,  the  Enterasys  NAC  solution  w[...]

  • Page 38

    Summary 2-16 NAC Deployment Models Summary Enterasys  supports  all  of  the  five  key  NAC  functions:  detection,  authentication,  assessment,  authorization,  and  remediation.  Howev er ,  not  all  fiv e  functions  need  to  be  implemented  concurrently  in  a ?[...]

  • Page 39

    Enterasys NAC Design Guide 3-1 3 Use Scenarios This  chapter  describes  four  NAC  use  scenarios  that  illustrate  how  the  type  of  NAC  deployment  is  directly  dependent  on  the  infrastructure  devices  deployed  in  the  netw ork.  For  some  network [...]

  • Page 40

    Scenario 1: Intelligent Wired Access Edge 3-2 Use Scenarios within  the  same  Quarantine  VLAN  because  the  authorization  point  is  usually  implemented  at  the  exit  point  of  the  VLAN  via  Access  Control  Lists  (ACL s). Policy-Enabled Edge The  fol lowing  figu[...]

  • Page 41

    Scenario 1: Intelligent Wired Access Edge Enterasys NAC Design Guide 3-3 RFC 3580 Cap able Edge In  this  figure  the  NAC  Gatew ay  and  the  other  Enterasys  NAC  components  provide  network  access  control  for  a  network  with  third ‐ party  switches  that  support [...]

  • Page 42

    Scenario 1: Intelligent Wired Access Edge 3-4 Use Scenarios Scenario 1 Implementation In  the  intelligent  wi red  edge  use  scenario,  the  five  NAC  functions  are  implemented  in  the  following  manner: 1.  Detection ‐ The  user ʹ s  end ‐ sy stem  connects  to  th[...]

  • Page 43

    Scenario 2: Intelligent Wireless Access Edge Enterasys NAC Design Guide 3-5 intellig ent  edge  on  the  network.  The  Mat rix  N ‐ series  switch  is  capable  of  authenticating  and  authorizing  multiple  devices  connected  to  a  single  port  for  a  vari e t y  of[...]

  • Page 44

    Scenario 2: Intelligent Wireless Access Edge 3-6 Use Scenarios Figure 3-3 Intelligent Wirele ss Access Edge - Thin APs with W ireless Switch 1 4 3 2 Wireless Access Point 5 3 Enterasys NAC Manager Intelligent Wireless Controller (RFC 3850-compliant) NAC Gateway (out- of-band appliance) Assessment Server Authentication Server (optionally integrated [...]

  • Page 45

    Scenario 2: Intelligent Wireless Access Edge Enterasys NAC Design Guide 3-7 Thick Wireless Edge In  a  thick  wireless  deployment,  access  points  forward  wirele ss  end ‐ system  traffic  directly  onto  the  wired  infrastructure  without  the  use  of  a  wireless  switch. ?[...]

  • Page 46

    Scenario 2: Intelligent Wireless Access Edge 3-8 Use Scenarios Scenario 2 Implementation In  the  intelligent  wireless  access  edge  use  scen ario,  the  five  NAC  functions  are  implemented  in  the  following  manner: 1.  Detection ‐ The  user ʹ s  end ‐ sy stem  conne[...]

  • Page 47

    Scenario 3: Non-intelligent Access Edge (Wired and Wireless) Enterasys NAC Design Guide 3-9 It  is  important  to  note  that  if  the  wireless  edge  of  the  network  is  non ‐ i ntelligent  and  not  capable  of  authenticating  and  authorizing  wireless  end ‐ systems, ?[...]

  • Page 48

    Scenario 3: Non-intelligent Access Edge ( Wired and Wireless) 3-10 Use Scenarios Figure 3-5 Non-intelligent Access Edge (W ired and Wireless) 2 3 3 3 4 5 1 3 Enterasys NAC Manager NAC Controller (inline appliance) Assessment Server Authentication Server (optionally integrated in NAC Controller) Role= Quarantine Layer 3 Wired LAN Role= Quarantine Ro[...]

  • Page 49

    Scenario 4: VPN Remote Access Enterasys NAC Design Guide 3 -11 Scenario 3 Implementation In  the  non ‐ intelligent  access  edge  use  scenario,  the  five  NAC  functions  are  implemented  in  the  following  manner: 1.  Detection ‐ The  user ʹ s  end ‐ sy stem  connects ?[...]

  • Page 50

    Scenario 4: VPN Remote Access 3-12 Use Scenarios Figure 3-6 VPN Remote Access Scenario 4 Implementation In  the  VPN  remote  access  use  scenario,  the  five  NAC  functions  are  implemented  in  the  following  manner  with  the  deployment  of  the  NAC  Controller  for ?[...]

  • Page 51

    Summary Enterasys NAC Design Guide 3 -13 5.  Remediation ‐  When  the  quarantined  end  user  opens  a  web  browser  to  any  web  site,  its  traffic  is  dynamically  redirect ed  to  a  Remediation  web  page  that  describes  the  compliance  violation[...]

  • Page 52

    Summary 3-14 Use Scenarios Scenario 4: VPN remote access Summary: VPN concentrators act as a termination point for remote access VPN tunn els into the enterprise network. Appliance Requirement: NAC Contr oller Inline net work access control is implem ented by deploying the NAC Controller appliance to locally authorize connecting end-systems. T able[...]

  • Page 53

    Enterasys NAC Design Guide 4-1 4 Design Planning This  chapter  descri bes  the  steps  yo u  should  take  as  yo u  begin  planning  yo ur  NAC  deployment.  The  first  step  is  to  identify  the  deployment  model  that  best  meets  you r  business  objecti[...]

  • Page 54

    Survey the Network 4-2 Design Planning access  to  a  web  browser  to  safely  remediate  their  quarantined  end ‐ syst em  without  impacting  IT  operations. Once  a  deployment  model  is  se lected,  the  current  network  infrastructure  must  be  examined  to[...]

  • Page 55

    Survey the Network Enterasys NAC Design Guide 4-3 The  network  shown  in  Figure 4 ‐ 1  below ,  illustrates  the  following  three  examples  of  how  the  intellig ent  edge  can  be  implemented  in  a  networ k. • Policy ‐ enabled  Enterasys  devices  at  the  [...]

  • Page 56

    Survey the Network 4-4 Design Planning For  the  inline  implementation  of  the  Enterasys  NAC  solution,  the  NAC  Controller  authenticates  and  authorizes  end ‐ systems  locally  on  the  appliance,  and  does  not  rely  on  the  capabilities  of  downstr[...]

  • Page 57

    Survey the Network Enterasys NAC Design Guide 4-5 to  locally  authorize  all  MAC  authentication  reque sts  for  connecting  end ‐ systems,  thereby  not  requiring  a  li st  of  known  MAC  addre sses.  In  fact,  Enterasys  NAC  can  be  configur ed  in  a  [...]

  • Page 58

    Survey the Network 4-6 Design Planning Similar  to  802.1X,  web ‐ based  authentication  requires  the  input  of  credentials  and  is  normally  use d  on  user ‐ centric  end ‐ systems  that  hav e  a  concept  of  an  associated  user ,  such  as  a  PC. [...]

  • Page 59

    Survey the Network Enterasys NAC Design Guide 4-7 system  at  a  time,  then  it  is  sugg ested  that  MAC  locking  (also  known  as  Po r t  Secu rity)  be  enabled  on  the  edge  switches  to  restrict  the  number  of  connecting  devi ces.  If  multiple[...]

  • Page 60

    Survey the Network 4-8 Design Planning authenticated  to  the  netw ork  and  interact  with  Enter asys  NAC  for  authenticati on,  assessment,  authorization,  and  remediation.  Note  how ever ,  that  this  configuration  may  not  be  possible  if  trusted  users ?[...]

  • Page 61

    Survey the Network Enterasys NAC Design Guide 4-9 If  the  network  infrastructure  does  not  contain  intelligent  devices  at  the  edg e  or  distributi on  layer ,  then  inline  NAC  using  the  NAC  Controller  as  the  authorization  point  for  connecting  [...]

  • Page 62

    Survey the Network 4-10 Design Planning this  case,  the  thick  AP  deployment  falls  into  the  category  of  non ‐ intelligent  ed ge  devices  with  the  same  NAC  implementations  as  a  non ‐ intelligent  wired  edge.  These  non ‐ intelligent  APs  must [...]

  • Page 63

    Identify Inline or Out-of-band NAC Dep loyment Enterasys NAC Design Guide 4 -11 Remote Access VPN In  many  enterprise  environments,  a  VPN  concentrator  located  at  the  main  site  connects  to  the  Internet  to  provide  VPN  access  to  remote  users.  In  this  sce[...]

  • Page 64

    Summary 4-12 Design Planning server .  In  addi tion,  NAC  can  also  be  configured  to  locally  authorize  MA C  authentication  requests. 3. Identify  the  strategic  point  in  the  network  where  end ‐ system  authorization  should  be  implemented.  The  mos[...]

  • Page 65

    Enterasys NAC Design Guide 5-1 5 Design Procedures This  chapter  descri bes  the  design  procedures  for  Enterasys  NAC  deployment  on  an  ente rprise  network.  The  first  section  discusses  procedures  for  both  out ‐ of ‐ band  and  inline  NAC  deployments. ?[...]

  • Page 66

    Procedures for Out-of-Band and Inline NAC 5-2 Design Procedures Po l i c y  Manager  is  not  re quired  for  out ‐ of ‐ band  NAC  that  utilizes  RFC  3580 ‐ compliant  switches  (Enterasys  and  third ‐ party  switches).  In  this  case,  a  VLAN  is  specified  in ?[...]

  • Page 67

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-3 Figure 5-1 Se curity Domain NAC Configurations Each  Security  Domain  has  a  default  “NAC  configuration”  that  defines  the  authentication,  assessment,  and  authorization  parameters  for  all  end ‐ systems ?[...]

  • Page 68

    Procedures for Out-of-Band and Inline NAC 5-4 Design Procedures Figure 5-2 NAC Configuration Authentication The  Authenticati on  settings  define  how  RADIUS  requests  are  handled  for  au thenticating  end ‐ systems  (this  does  not  apply  to  Layer  3  NAC  Controllers.)  This[...]

  • Page 69

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-5 •H o w  health  results  are  processed. When  an  assessment  is  performed  on  an  end ‐ syste m,  a  “health  result”  is  generated.  For  each  health  result,  there  may  be  sev eral  ?[...]

  • Page 70

    Procedures for Out-of-Band and Inline NAC 5-6 Design Procedures The  following  figure  shows  the  NAC  Manager  window  used  to  create  or  edit  a  NAC  Configuration  and  defi ne  its  authentication,  assessment,  and  a uthorization  attributes. Figure 5-3 NAC Configurati[...]

  • Page 71

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-7 The  following  table  provides  examples  of  var i o u s  network  scenarios  that  should  be  considered  when  identifyi ng  the  number  and  configuration  of  Sec urity  Domains  in  your  NAC  [...]

  • Page 72

    Procedures for Out-of-Band and Inline NAC 5-8 Design Procedures Area of the network that provides access to a group of users or devices that pose a potentiall y high risk to the security or stability of the network. • Switches that provide access to guest users or contractors on a corporate network. These users are usually not directly unde r the[...]

  • Page 73

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-9 Area of the network that is configured to allow access only to specific end-systems or users. • Switches that provide access to only pre-configured end-systems and users in highly controlled environments, such as industrial automation networks. For the NAC Gateway , reject a[...]

  • Page 74

    Procedures for Out-of-Band and Inline NAC 5-10 Design Procedures The  following  table  provides  network  scenarios  from  an  as sessment  standpoint  that  should  be  taken  into  account  when  identifying  the  number  and  configuration  of  Security  Domains. T able 5-2[...]

  • Page 75

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5 -11 Area of the network, or a group of end-systems or users, that require assessment with immediate network access. • Switches that provide network acce ss to mission critical servers, mandating uninterrupted network con nectivity while still implementing assessment. • Switc[...]

  • Page 76

    Procedures for Out-of-Band and Inline NAC 5-12 Design Procedures 3. Identify Required MAC and User Overrides MAC  and  user  overr ides  are  used  to  handle  end ‐ syste ms  that  require  a  different  set  of  authentication,  assessment,  and  authorization  parameters  from  the[...]

  • Page 77

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5 -13 The  following  figure  display s  the  windows  used  for  MAC  and  user  override  configura tion  in  NAC  Manager .  Notice  that  either  an  existing  NAC  Config uration  can  be  used  or [...]

  • Page 78

    Procedures for Out-of-Band and Inline NAC 5-14 Design Procedures The  following  table  describes  scenarios  where  a  MAC  ov erride  may  be  configured  for  a  particular  end ‐ system. T able 5-3 MAC Override Configuratio n Guidelines Network Scenario Examples Security Domain Config uration A dev[...]

  • Page 79

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5 -15 A device or class of devices needs to be restricted network access (“blacklisted”) in a particular Security Domain or in all Security Domains. Denying access or quarantining the MAC addresses of laptops used b y guests or contractors in those areas of the network designa[...]

  • Page 80

    Procedures for Out-of-Band and Inline NAC 5-16 Design Procedures User Overrides A  user  ov erride  lets  you  create  a  configuration  for  a  specific  end  user ,  based  on  the  user  name.  For  example,  you  could  create  a  user  override  that  gives  a [...]

  • Page 81

    Assessment Design Procedures Enterasys NAC Design Guide 5 -17 Manager  will  not  match  this  end ‐ system  and  the  end ‐ sy stem  is  assigned  the  Security  Domain’ s  default  NAC  config uration.  In  addition,  the  Layer  3  NAC  Controller  is  not  able [...]

  • Page 82

    Assessment Design Procedures 5-18 Design Procedures 2. Determine Assessm ent Server Location When  determining  the  location  of  the  assessme nt  servers  on  th e  network,  the  following  factors  should  be  considered: •T h e  type  of  assessment:  agent ‐ less  or  agen[...]

  • Page 83

    Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5 -19 configuration  if  the  security  vul nerability  is  considered  a  risk  for  the  organization.  For  more  information  on  Nessus,  ref er  to  http://nessus.org/ . Out-of-Band NAC Design Procedures The  following  [...]

  • Page 84

    Out-of-Band NAC Design Procedures 5-20 Design Procedures 2. Determine the Number of NAC Gateways The  number  of  NAC  Gatew ays  to  be  depl oyed  on  the  netw ork  is  a  function  of  the  following  parameters: •T h e  number  of  Security  Domains  configured  on  th e[...]

  • Page 85

    Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5 -21 Figure 5-5 NAC Gateway Redund ancy It  is  important  that  the  secondary  NAC  Gatew ay  does  not  exceed  maximum  capacity  if  the  primary  NAC  Gatew ay  fails  on  the  network.  For  example,  let’ s[...]

  • Page 86

    Out-of-Band NAC Design Procedures 5-22 Design Procedures primary  NAC  Gatew ay ,  the  transition  to  the  secondary  NAC  Gateway  wi ll  not  exceed  maximum  capacity .  To  support  redundancy  within  a  Secu rity  Domain  for  either  approach,  one  addi tional ?[...]

  • Page 87

    Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5 -23 It  is  important  to  not e  that  only  the  NAC  Gateways  that  are  configured  with  remediation  and  registration  functionality  need  to  be  positioned  in  such  a  manner .  All  other  [...]

  • Page 88

    Out-of-Band NAC Design Procedures 5-24 Design Procedures 6. VLAN Configuration This  step  is  for  NA C  deployments  tha t  use  RFC ‐ 3580 ‐ compliant  switches  in  the  intelligent  edge  of  the  network  to  impl ement  dynamic  VLAN  assignment  of  connecting  devi[...]

  • Page 89

    Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5 -25 previously  specified  in  the  NAC  configuration  must  be  def ined  in  NetSight  Pol i c y  Manager  to  ensure  the  consistent  allocation  of  network  resources  to  co nnecting  end ‐ systems. Failsafe [...]

  • Page 90

    Out-of-Band NAC Design Procedures 5-26 Design Procedures Figure 5-6 Policy Role Configuration in NetSig ht Policy Manager Assessment Policy The  Assessment  Pol ic y  may  be  used  to  temporarily  allocate  a  set  of  network  resources  to  end ‐ systems  while  they  are  being  ass[...]

  • Page 91

    Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5 -27 Figure 5-7 Service for the Assessing Role Note  that  it  is  not  mandatory  to  assign  the  Assessment  Pol i cy  to  a  connecting  end ‐ system  while  it  is  being  assessed.  NAC  can  be  configured  [...]

  • Page 92

    Inline NAC Design Procedures 5-28 Design Procedures Figure 5-8 Service for the Quarantine Role Furthermore,  the  Quarantine  Po l i c y  and  other  network  infrastructure  devices  must  be  configured  to  implement  HTTP  traffic  redirection  for  quaranti ned  end ‐ systems  to ?[...]

  • Page 93

    Inline NAC Design Procedures Enterasys NAC Design Guide 5 -29 Howeve r ,  the  closer  the  NAC  Controller  is  placed  to  the  edge  of  the  network,  the  more  NAC  Controllers  are  required  on  the  netw ork,  increasing  NAC  deployment  cost  and  complex[...]

  • Page 94

    Inline NAC Design Procedures 5-30 Design Procedures 2. Determine the Numb er of NAC Controllers The  number  of  NAC  Controllers  to  be  deploy ed  on  the  network  is  a  function  of  the  following  parameters: •T h e  network  topology . Because  the  NAC  Controller  is [...]

  • Page 95

    Inline NAC Design Procedures Enterasys NAC Design Guide 5 -31 Figure 5-9 Layer 2 NAC Controller Redundancy For  a  Layer  3  NAC  Controller ,  redundancy  is  achieved  by  implementing  redundant  Layer  3  NAC  Controllers  on  adjacent,  but  separate  networks  as  shown  in [...]

  • Page 96

    Inline NAC Design Procedures 5-32 Design Procedures 3. Identify Backend RADIUS Server Interaction Layer  2  NAC  Controllers  detect  downs tream  end ‐ systems  via  authentication:  MAC,  web ‐ based,  or  802.1X.  If  we b ‐ based  or  802.1X  authenti cation  is  implemented,  th[...]

  • Page 97

    Additional Considerations Enterasys NAC Design Guide 5 -33 assessment  server s  to  reach  the  end ‐ system  while  it  is  being  assessed,  regardless  of  whether  the  Assessing  policy ,  Enterprise  User  policy ,  or  any  other  policy  ro le  is  utilized [...]

  • Page 98

    Additional Considerations 5-34 Design Procedures[...]