Enterasys NAC Design Guide 2-1
2
NAC Deployment Models
This chapter describes the four NAC deployment models and how they build on each other to provide a complete NAC solution. The first model implements a subset of the five key NAC functions (as described in Chapter 1), and each subsequent model provides additional functionality without the need to replace existing pieces of the NAC solution. This allows businesses that are still in the early stages of NAC deployment to take a phased approach to implementing NAC while deriving value from the solution at each step along the way.
Model 1: End-System Detection and Tracking
This NAC deployment model implements the first key NAC function, detection. The detection of connecting end-systems provides the network administrator with visibility into what devices are connecting to the network, who is using these devices, and where the devices are connected. For many NAC deployments, the first phase consists of tracking over time the end-systems and end users connected to the network, in order to profile and enumerate the assets on the enterprise network. It is important to note that in this model, the NAC solution does not play a part in authorizing access for connecting end-systems, leaving this to the default configurations on the switch. The end-systems connect to the network and are allocated "business-as-usual" access to network resources, while the NAC solution provides visibility into the connection behavior and details of these devices.
Implementation
End-systems can be detected and tracked in different ways depending on whether inline or out-of-band network access control is implemented.
Out-of-Band NAC
For out-of-band NAC utilizing the NAC Gateway appliance, detection is implemented as follows. In the case of web-based or 802.1X authentication, end-systems are detected with the receipt of RADIUS packets from an access edge switch attempting to authenticate an end-system. The
For information about... Refer to page...
Model 1: End-System Detection and Tracking 2-1
Model 2: End-System Authorization 2-3
Model 3: End-System Authorization with Assessment 2-8
Model 4: End-System Authorization with Assessment and Remediation 2-12
Summary 2-16
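As an added example (not Enterasys code) of the out-of-band detection described under Model 1, the following Python builds a constructed RADIUS Access-Request as an access edge switch would send it for a web-based or 802.1X authentication attempt and extracts the three facts Model 1 tracks: who (User-Name), what device (Calling-Station-Id) and where (NAS-IP-Address and NAS-Port). The function names and sample values are assumptions; the parser follows the RFC 2865 attribute layout and rejects malformed lengths rather than guessing.

```python
import struct
import time

# RADIUS attribute type codes (RFC 2865) that identify who, what and where
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, CALLING_STATION_ID = 1, 4, 5, 31
ACCESS_REQUEST = 1

def parse_attributes(payload):
    """Walk the attribute list: 1-byte type, 1-byte length (header included), value."""
    attrs, pos = {}, 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length")  # malformed: reject rather than guess
        attrs[atype] = payload[pos + 2:pos + alen]
        pos += alen
    return attrs

def detect_end_system(packet, now=None):
    """Return a who/what/where tracking record from one Access-Request, else None."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None  # only authentication attempts reveal a connecting end-system
    attrs = parse_attributes(packet[20:length])
    nas_ip, nas_port = attrs.get(NAS_IP_ADDRESS), attrs.get(NAS_PORT)
    return {
        "user": attrs.get(USER_NAME, b"").decode("utf-8", "replace"),          # who
        "mac": attrs.get(CALLING_STATION_ID, b"").decode("ascii", "replace"),  # what
        "switch": ".".join(map(str, nas_ip)) if nas_ip and len(nas_ip) == 4 else None,  # where
        "port": struct.unpack("!I", nas_port)[0] if nas_port and len(nas_port) == 4 else None,
        "seen": time.time() if now is None else now,
    }

def build_access_request(user, mac, switch_ip, port, ident=7):
    """Constructed sample (hypothetical values): an Access-Request as an edge switch sends it."""
    def tlv(atype, value):
        return bytes([atype, len(value) + 2]) + value
    body = (tlv(USER_NAME, user.encode()) +
            tlv(NAS_IP_ADDRESS, bytes(int(o) for o in switch_ip.split("."))) +
            tlv(NAS_PORT, struct.pack("!I", port)) +
            tlv(CALLING_STATION_ID, mac.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + bytes(16) + body  # zeroed Request Authenticator is enough for parsing

SAMPLE = build_access_request("jdoe", "00-11-22-33-44-55", "10.0.0.2", 12)
```

The record is observation only: as in Model 1, nothing here grants or denies access, which stays with the switch's default configuration.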