NAC Solution Overview
Enterasys NAC Design Guide 1-3
Model 1: End-system Detection and Tracking
ThisNACdeploymentmodelimplementsthedetectionpieceofNACfunctionality.Itsupportsthe
abilitytotrackusersandend‐systemsovertimebyidentifyingwheretheyarecurrentlyconnected
tothenetworkandwheretheyhaveconnectedtothenetworkatanygiventimeinthepast.This
informationis
usefulforcomplianceandauditingpurposes,aswellasothermanagement
operationsthatrequirecompletevisibilityintothecurrentandhistoricalconnectionsofend‐
systemsandusers.
Model 2: End-System Authorization
ThisNACdeploymentmodelimplementsthedetection,authentication,andauthorizationNAC
functionalities,tocontrolaccesstonetworkresourcesbasedonuserandend‐systemidentityand
location.ThemodelsupportsMACaddressorguestregistration,wherenewend‐systemsare
forcedtoprovideavaliduseridentityinaweb
pageformbeforebeingallowedaccesstothe
network.Followingsuccessfu lregistration,end‐systemsaregrantedmeasuredaccess,without
requiringtheinterventionofnetworkoperations.
Model 3: End-System Authorization with Assessment
ThisNACdeploymentmodelimplementsthedetection,authentication,assessment,andauthorization
NACfunctionalities,tocontrolaccesstonetworkresourcesbasedonthesecuritypostureofa
connectingend‐system,aswellasuseranddeviceidentityandlocation.End‐systems thatfail
assessmentcanbedynamicallyquarantinedwithrestrictive
networkaccesstomitigatethe
propagationofsecuritythreatsonthenetwork,whilecompliantend‐systemsarepermittedonto
thenetworkwithameasuredlevelofaccess.
Alternatively,specificend‐systemsanduserscanbeassesseduponnetworkconnectionandbe
permittednetworkaccessregardlessoftheassessmentresults.Thisapproach
allowsanIT
administratortohavevisibilityintotheconfigurationofenddevicesonthenetworkwithout
impactingtheirnetworkconnectivityduringorafterassessment.Thisapproachisusually
implementedduringtheinitialrolloutoftheNACsolutionforbaseliningpurposes.
ThisNACdeploymentmodelrequirestheuseofeitherintegrated
assessmentserverfunctionality
ortheabilitytoconnecttoexternalassessmentservices,inordertoexecutetheend‐system
vulnerabilityassessment.
Model 4: End-System Authorization with Assessment and Remediation
ThisNACdeploymentmodelimplementsthedetection,authentication,assessment,authorization,
andremediationNACfunctionalities,providingforthequarantineandremediationof
noncompliantdevices.Assistedremediationusesweb‐basednotificationtodynamicallyinform
quarantinedend‐systemsofsecuritycomplianceviolations,andallowenduserstosafely
remediatetheirquarantinedend
‐systemwithoutimpactingIToperations.