Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Enterasys NAC Design Guide 2-1

2

NAC Deployment Models

ThischapterdescribesthefourNACdeploymentmodelsandhowtheybuildoneachotherto

provideacompleteNACsolution.ThefirstmodelimplementsasubsetofthefivekeyNAC

functions(asdescribedinChapter 1),andeachsubsequentmodelprovidesadditional

functionalitywithouttheneedtoreplaceexisting

piecesoftheNACsolution.Thisallows

businesseswhoarestillintheearlystagesofNACdeployment,totakeaphasedapproachto

implementingNACwhilederivingvaluefromthesolutionateachstepalongtheway.

Model 1: End-System Detection and Tracking

ThisNACdeploymentmodelimplementsthefirstkeyNACfunction,detection.Thedetectionof

connectingend‐systemsprovidesthenetworkadministratorwithvisibilityintowhatdevicesare

connectingtothenetwork,whoisusingthesedevices,andwherethedevicesareconnected.

FormanyNACdeployments,thefirstphaseconsistsof

trackingovertimetheend‐systemsand

endusersconnectedtothenetwork,inordertoprofileandenumeratetheassetsontheenterprise

network.Itisimportanttonotethatinthismodel,theNACsolutiondoesnotplayapartin

authorizingaccessforconnectingend‐systems,leavingthis

tothedefaultconfigurationsonthe

switch.Theend‐systemsconnecttothenetworkandareallocated“business‐as‐usual”accessto

networkresources,whiletheNACsolutionprovidesvisibilityintotheconnectionbehaviorand

detailsofthesedevices.

Implementation

End‐systemscanbedetectedandtrackedindifferentwaysdependingonwhetherinlineorout‐of‐

bandnetworkaccesscontrolisimplemented.

Out-of-Band NAC

Forout‐of‐bandNACutilizingtheNACGatewayappliance,detectionisimplementedasfollows.

Inthecaseofweb‐basedor802.1Xauthentication,end‐systemsaredetectedwiththereceiptof

RADIUSpacketsfromanaccessedgeswitchattemptingtoauthenticateanend‐system.The

For information about... Refer to page...

Model 1: End-System Detection and Tracking 2-1

Model 2: End-System Authorization 2-3

Model 3: End-System Authorization with Assessment 2-8

Model 4: End-System Authorization with Assessment and Remediation 2-12

Summary 2-16

previous next