NAC Solution Components
Enterasys NAC Design Guide 1-5
Enterasys offers two types of NAC appliances: the NAC Gateway appliance implements out-of-band network access control, and the NAC Controller appliance implements inline network access control. The following sections describe how each NAC appliance implements network access control for connecting end-systems.
NAC Gateway Appliance
The NAC Gateway is used to implement out-of-band network access control for connecting end-systems. With the NAC Gateway, connecting end-systems are detected on the network through their RADIUS authentication exchange. Based on the assessment and authentication results for a connecting device, RADIUS attributes are added or modified during the authentication process to authorize the end-system on the authenticating edge switch. The NAC Gateway can therefore be positioned anywhere in the network topology; the only requirement is operational IP connectivity between the authenticating edge switches and the NAC Gateways, since enforcement depends entirely on the RADIUS exchange reaching the gateway.
The NAC Gateway requires intelligent wired or wireless edge infrastructure devices as the authorization point for connecting end-systems. Intelligent edge devices are capable of supporting authentication and authorization based on the authentication message exchange. Depending on the appliance model, the NAC Gateway provides integrated assessment server functionality and/or the ability to connect to external assessment services, to determine the security posture of end-systems connecting to the network.
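The out-of-band mechanism above comes down to one decision in the RADIUS path: the gateway receives the backend's reply, and on an Access-Accept it adds or replaces the authorization attributes the edge switch acts on. The following is an added example (not Enterasys code) that models that decision in Python and encodes the result in RADIUS attribute wire format. The attribute numbers and VLAN encoding follow RFC 2865, RFC 2868 and RFC 3580; the posture names, VLAN names and policy names in POLICY_MAP are assumptions of this example, not values from the guide.

```python
"""Out-of-band NAC enforcement modelled as RADIUS attribute rewriting.

Added example, not Enterasys code. The gateway sits between the edge
switch and the authentication server; on an Access-Accept it rewrites
the VLAN/policy attributes according to the assessment (posture) result.
"""
import struct

# Standard RADIUS attribute types (RFC 2865 / RFC 2868) and values (RFC 3580)
FILTER_ID = 11
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6
TAG = 0x01  # tunnel attribute tag byte (RFC 2868, valid 0x01..0x1F)

# Attributes the gateway owns: any copy from the backend is replaced, not merged.
GATEWAY_MANAGED = {FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}

# Assumed site policy: posture result -> (VLAN name, switch policy name)
POLICY_MAP = {
    "compliant": ("corp-vlan-100", "Enterprise User"),
    "failed": ("quarantine-vlan-900", "Quarantine"),
    "unknown": ("assessing-vlan-901", "Assessing"),
}


def _tagged_int(value):
    """Tag byte followed by a 3-byte big-endian integer (RFC 2868 layout)."""
    return bytes([TAG]) + struct.pack(">I", value)[1:]


def authorization_attrs(posture):
    """Attributes that place the end-system in the VLAN/policy for its posture."""
    vlan, policy = POLICY_MAP.get(posture, POLICY_MAP["unknown"])
    return [
        (TUNNEL_TYPE, _tagged_int(TUNNEL_TYPE_VLAN)),
        (TUNNEL_MEDIUM_TYPE, _tagged_int(TUNNEL_MEDIUM_IEEE802)),
        (TUNNEL_PRIVATE_GROUP_ID, bytes([TAG]) + vlan.encode()),
        (FILTER_ID, policy.encode()),
    ]


def rewrite_reply(code, backend_attrs, posture):
    """Gateway decision: only an Access-Accept is rewritten.

    A good posture never upgrades a failed authentication; the reject is
    passed through untouched.
    """
    if code != "Access-Accept":
        return code, list(backend_attrs)
    kept = [(t, v) for t, v in backend_attrs if t not in GATEWAY_MANAGED]
    return code, kept + authorization_attrs(posture)


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RFC 2865 TLVs: type, length, value."""
    out = bytearray()
    for t, v in attrs:
        if not 0 < t < 256 or len(v) > 253:
            raise ValueError("attribute out of range")
        out += bytes([t, len(v) + 2]) + v
    return bytes(out)


def decode_attrs(data):
    """Parse TLVs, rejecting truncated or self-overlapping lengths."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, bytes(data[i + 2:i + length])))
        i += length
    return attrs


def is_well_formed(data):
    try:
        decode_attrs(data)
        return True
    except ValueError:
        return False


def assigned_vlan(attrs):
    """VLAN name the switch would read from Tunnel-Private-Group-ID, if any."""
    for t, v in attrs:
        if t == TUNNEL_PRIVATE_GROUP_ID:
            return v[1:].decode() if v and v[0] <= 0x1F else v.decode()
    return None
```

The point to notice is the fail-closed shape: an Access-Reject is never turned into an Access-Accept by a good assessment, a backend-supplied VLAN is replaced rather than left beside the gateway's, and a posture value outside the map lands in the assessing VLAN rather than the corporate one.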
Three NAC Gateway models are available to meet the needs of different-sized implementations and assessment server requirements.
• SNS-TAG-ITA supports up to 3000 concurrent end-systems and provides integrated assessment servers. (A separate license is required for integrated assessment.) This integrated NAC Gateway supports both agent-less (network-based) and agent-based assessment. In addition to running as an integrated appliance, it can also run as an assessment server (scanner) only. The SNS-TAG-ITA also supports connecting to multiple external assessment servers, including Nessus and Lockdown Enforcer.
• SNS-TAG-HPA supports up to 3000 concurrent end-systems and supports connecting to multiple external assessment servers, including Nessus and Lockdown Enforcer.
• SNS-TAG-LPA supports up to 2000 concurrent end-systems and supports connecting to multiple external assessment servers, including Nessus and Lockdown Enforcer.
NAC Controller Appliance
The NAC Controller is used to implement inline network access control for connecting end-systems. With the NAC Controller, connecting end-systems are detected through the receipt of a packet from a new end-system. Based on the assessment and authentication results for a connecting device, the authorization of the end-system is implemented locally on the NAC Controller appliance by assigning a set of traffic forwarding rules, referred to as "policy," to all traffic sourced by the end-system. The NAC Controller appliance is positioned strategically in the network topology, within the end-user LAN segment or across routed boundaries, inline with data traffic sourced from end-systems. Since this appliance sits in the data path of networked devices, it has been designed to achieve multi-gigabit throughput with hardware-based traffic forwarding, by leveraging customized Enterasys-built Application Specific Integrated Circuits (ASICs).
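The inline model described above differs from the gateway in two ways that are easy to get wrong when reasoning about it: detection happens on the first packet from an unseen source rather than on a RADIUS exchange, and enforcement is a per-source rule set applied to every subsequent packet. The following added example (not Enterasys code) models that behaviour in Python. The rule syntax, the policy names, the remediation subnet and the decide callback that stands in for the authentication/assessment result are all assumptions of this example.

```python
"""Inline NAC enforcement: first-packet detection and per-source policy.

Added example, not Enterasys code. An end-system is detected when the
first packet from an unseen source MAC arrives; the auth/assessment
result (a callback here) selects a policy, an ordered list of
forwarding rules that is then applied to everything that source sends.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_ip: str
    proto: str       # "tcp", "udp" or "icmp"
    dst_port: int = 0


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str = "any"
    dst_port: int = 0      # 0 matches any port
    dst_net: str = "any"   # "any" or an IPv4 prefix

    def matches(self, pkt):
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dst_port and self.dst_port != pkt.dst_port:
            return False
        if self.dst_net != "any":
            return ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(self.dst_net)
        return True


# Assumed policies; first matching rule wins, no match means deny.
REMEDIATION_NET = "10.9.9.0/24"  # assumed remediation/portal subnet
POLICIES = {
    "Enterprise User": [Rule("permit")],
    "Quarantine": [
        Rule("permit", "udp", 67),                    # DHCP
        Rule("permit", "udp", 53),                    # DNS
        Rule("permit", "tcp", 80, REMEDIATION_NET),   # remediation portal only
        Rule("permit", "tcp", 443, REMEDIATION_NET),
        Rule("deny"),
    ],
}


class InlineController:
    def __init__(self, decide):
        self.decide = decide   # src_mac -> policy name (auth + assessment result)
        self.table = {}        # src_mac -> assigned policy name
        self.detected = []     # order in which new end-systems were seen

    def forward(self, pkt):
        """Return True if the packet is forwarded, False if dropped."""
        policy = self.table.get(pkt.src_mac)
        if policy is None:
            # Detection point: first packet from this source triggers authorization.
            self.detected.append(pkt.src_mac)
            policy = self.decide(pkt.src_mac)
            if policy not in POLICIES:
                policy = "Quarantine"   # unknown result: fail closed
            self.table[pkt.src_mac] = policy
        for rule in POLICIES[policy]:
            if rule.matches(pkt):
                return rule.action == "permit"
        return False  # implicit deny


def demo_controller():
    """Constructed results for three end-systems; assumed MACs."""
    results = {"00:11:22:33:44:55": "Enterprise User", "aa:bb:cc:dd:ee:ff": "Quarantine"}
    return InlineController(lambda mac: results.get(mac, "unknown"))
```

The controller keys its table on the source MAC because that is what an inline device sees before any IP-level authentication has happened; a practitioner should note that the same fail-closed default applies here as for the gateway, with an unrecognised result mapped to the quarantine rule set rather than to open forwarding.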
The NAC Controller is applicable to scenarios where non-intelligent wired or wireless edge infrastructure devices are deployed in the network. Non-intelligent edge devices are not capable