Model 1: End-System Detection and Tracking
2-2 NAC Deployment Models
RADIUS Access-Accept or Access-Reject message received from the upstream RADIUS server, is returned without modification to the access edge switch, to permit end-system access to the network. For MAC authentication, a RADIUS Access-Accept message is returned to the access edge switch without modification, based on a RADIUS Access-Accept message received from the upstream RADIUS server or local authorization of MAC authentication requests. The authenticating end-system is provided access to the network based on the configuration of the access edge switch.
Inline NAC (Layer 2)
For inline NAC utilizing the Layer 2 NAC Controller, an end-system can be detected in multiple ways. An end-system can be detected simply by transmitting data traffic not previously seen by the NAC Controller. In this case, the traffic is forwarded through the NAC Controller to the traffic destination, and has no impact on the connectivity of the end-system. In another method, end-systems are detected with the authentication of downstream end-systems via 802.1X, web-based, and/or MAC authentication on the NAC Controller. These authentication requests may or may not be proxied upstream depending on the NAC configuration.
Inline NAC (Layer 3)
For inline NAC utilizing the Layer 3 NAC Controller, an end-system is detected simply by transmitting data traffic sourced from an IP address not previously seen by the NAC Controller. The traffic is forwarded through the NAC Controller to the traffic destination, and has no impact on the connectivity of the end-system.
Features and Value
There are two key pieces of functionality and value propositions supported by Model 1:
End-System and User Tracking
Model 1 supports the ability to track end-systems by MAC address, as the device moves from switch port to switch port, and map the device identity to its IP address every time it connects. Furthermore, the associated user can also be mapped to the device and IP address, as long as a username-based authentication method (802.1X or web-based authentication) or MAC Registration is implemented with the NAC Gateway, or if end users are configured to log in to a Microsoft Windows domain with the NAC Controller using Kerberos snooping functionality.
Using these methods, the Enterasys NAC solution can identify who, what, when, and where devices and users connect to the network. This information is maintained centrally in the NetSight NAC Manager database, providing important historical data that can be used for auditing or troubleshooting purposes. In addition, this information can be easily searched to identify which port a particular user is currently connected to on the network, or which device is currently allocated a particular IP address. This binding (IP address, MAC address, username, location), which is maintained over time for each end-system, is useful for compliance and auditing purposes, and for planning the subsequent rollout of the next NAC deployment model.
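As an added illustration (not code from the Enterasys guide), the sketch below keeps the per-end-system binding the text describes, keyed by MAC address, records every IP, username and switch-port change with a timestamp, and answers the two lookups named above (which port a user is on, which device holds an IP). The event dictionaries, MAC, IP, switch names and the user name are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Binding:
    """Current (IP, MAC, username, location) binding for one end-system."""
    mac: str
    ip: Optional[str] = None
    user: Optional[str] = None
    switch: Optional[str] = None
    port: Optional[str] = None
    history: list = field(default_factory=list)  # (ts, field, old, new)

class EndSystemTracker:
    """Tracks end-systems by MAC as they move from port to port."""
    def __init__(self):
        self.by_mac = {}

    def observe(self, ev):
        """Apply one detection event (MAC auth, first traffic, Kerberos snoop, move)."""
        b = self.by_mac.setdefault(ev["mac"], Binding(mac=ev["mac"]))
        if "ip" in ev:
            # An IP re-assigned to a new MAC must be released from its old owner,
            # otherwise the "which device holds this IP" lookup goes stale.
            for other in self.by_mac.values():
                if other is not b and other.ip == ev["ip"]:
                    other.history.append((ev["ts"], "ip", other.ip, None))
                    other.ip = None
        for key in ("ip", "user", "switch", "port"):
            if key in ev and ev[key] != getattr(b, key):
                b.history.append((ev["ts"], key, getattr(b, key), ev[key]))
                setattr(b, key, ev[key])
        return b

    def port_of_user(self, user):
        return [(b.switch, b.port) for b in self.by_mac.values() if b.user == user]

    def device_at_ip(self, ip):
        return next((b.mac for b in self.by_mac.values() if b.ip == ip), None)

EVENTS = [  # constructed sample events, in time order
    {"ts": 1, "mac": "00:11:22:33:44:55", "switch": "edge-1", "port": "ge.1.5"},  # MAC auth accepted
    {"ts": 2, "mac": "00:11:22:33:44:55", "ip": "10.0.1.20"},                    # first traffic seen
    {"ts": 3, "mac": "00:11:22:33:44:55", "user": "alice"},                      # Kerberos snooping
    {"ts": 4, "mac": "00:11:22:33:44:55", "switch": "edge-2", "port": "ge.2.1"},  # device moved
    {"ts": 5, "mac": "aa:bb:cc:dd:ee:01", "ip": "10.0.1.20"},                    # IP re-leased to another host
]

def run_demo():
    tracker = EndSystemTracker()
    for ev in EVENTS:
        tracker.observe(ev)
    return tracker
```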
IP-to-ID functionality for Security Information Management (SIM)
This NAC deployment model enables SIM systems such as the Enterasys Dragon Security Command Console (DSCC) to display user-focused information about assets on the network. Traditionally, SIM systems yield device-focused information (such as IP address) about detected network threats, through the correlation, normalization, and prioritization of events