Summary
Enterasys NAC Design Guide 1-11
• Model 3: End‐System Authorization with Assessment ‐ Implements detection, authentication, assessment, and authorization to provide network access control based on the security posture of a connecting end‐system, as well as user and device identity and location. This model requires the use of either integrated assessment server functionality or the ability to connect to external assessment services, in order to perform the end‐system assessment.
• Model 4: End‐System Authorization with Assessment and Remediation ‐ Implements detection, authentication, assessment, authorization, and remediation, providing the additional ability to quarantine and remediate noncompliant devices.
The NAC appliance is a core component of the Enterasys NAC solution and is required for all NAC deployment models. It provides the ability to detect, authenticate, and authorize end devices attempting to connect to the network. It also integrates with or connects to assessment services to perform assessment of end‐systems connecting to the network. Once authentication and assessment are complete, the NAC appliance authorizes devices on the network by allocating the appropriate network resources to the end‐system based on authentication and/or assessment results. The NAC appliance also provides remediation functionality, allowing end users to safely remediate their quarantined end‐system without impacting IT operations.
Enterasys offers two types of NAC appliances:
• The NAC Gateway appliance implements out‐of‐band network access control and requires the implementation of intelligent wired or wireless edge infrastructure devices on the network.
• The NAC Controller appliance implements inline network access control and is applicable to scenarios where non‐intelligent wired or wireless edge infrastructure devices are deployed in the network. The NAC Controller is also required in IPSec and SSL VPN deployments.
The NAC appliances are configured, monitored, and managed through Enterasys NetSight management applications. NetSight NAC Manager and NetSight Console are required for all four NAC deployment models. NAC Manager provides configurations for the assessment, authentication, authorization, and remediation parameters for all NAC appliances, while NetSight Console is used to monitor the health and status of infrastructure devices in the network, including switches, routers, and Enterasys NAC appliances.
NetSight Policy Manager and NetSight Inventory Manager are optional NetSight applications. Policy Manager provides the ability to centrally define and configure the authorization levels or “policies” for certain out‐of‐band NAC deployments and all inline NAC deployments. Inventory Manager provides comprehensive network inventory and change management capabilities for your network infrastructure.
The next chapter provides a more detailed description of the four NAC deployment models including their requirements and implementation.