Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Model 1: End-System Detection and Tracking

2-2 NAC Deployment Models

RADIUSAccess‐AcceptorAccess‐RejectmessagereceivedfromtheupstreamRADIUSserver,is

returnedwithoutmodificationtotheaccessedgeswitch,topermitend‐systemaccesstothe

network.ForMACauthentication,aRADIUSAccess‐Acceptmessageisreturnedtotheaccess

edgeswitchwithoutmodification,basedonaRADIUS

Access‐Acceptmessagereceivedfromthe

upstreamRADIUSserverorlocalauthorizationofMACauthenticationrequests.The

authenticatingend‐systemisprovidedaccesstothenetworkbasedontheconfigurationofthe

accessedgeswitch.

Inline NAC (Layer 2)

ForinlineNACutilizingtheLayer2NACController,anend‐systemcanbedetectedinmultiple

ways.Anend‐systemcanbedetectedsimplybytransmittingdatatra ff icnotpreviouslyseenby

theNACcontroller.Inthiscase,thetrafficisforwardedthroughtheNACControllertothetraffic

destination,

andhasnoimpactontheconnectivityoftheend‐system.Inanothermethod,end‐

systemsaredetectedwiththeauthenticationofdownstreamend‐systemsvia802.1X,web‐based,

and/orMACauthenticationontheNACController.Theseauthenticationrequestsmayormaynot

beproxiedupstreamdependingontheNAC

configuration.

Inline NAC (Layer 3)

ForinlineNACutilizingtheLayer3NACController,anend‐systemisdetectedsimplyby

transmittingdatatrafficsourcedfromanIPaddressnotpreviouslyseenbytheNACcontroller.

ThetrafficisforwardedthroughtheNACcontrollertothetrafficdestination,andhasnoimpact

ontheconnectivityof

theend‐system.

Features and Value

TherearetwokeypiecesoffunctionalityandvaluepropositionssupportedbyModel1:

End-System and User Tracking

Model1supportstheabilitytotrackend‐sys temsbyMACaddress,asthedevicemovesfrom

switchporttoswitchport,andmapthedeviceidentitytoitsIPaddresseverytimeitconnects.

Furthermore,theassociatedusercanalsobemappedtothedeviceandIPaddress,aslong

asa

username‐basedauthenticationmethod(802.1Xorweb‐basedauthenticati on)orMAC

RegistrationisimplementedwiththeNACGateway,orifendusersareconfiguredtologinto

aMicrosoftWindowsdomainwiththeNACControllerusingKerberossnooping

functionality.

Usingthesemethods,theEnterasysNACsolutioncanidentify

who,what,when,andwhere

devicesandusersconnecttothenetwork.Thisinformationismaintainedcentrallyinthe 

NetSightNACManagerdatabase,providingimportanthistoricaldatathatcanbeusedfor

auditingortroubleshootingpurposes.Inaddition,thisinformationcanbeeasilysearchedto

identifywhichportaparticularuser

iscurrentlyconnectedtoonthenetwork,orwhichdevice

iscurrentlyallocatedaparticularIPaddress.Thisbinding(IPaddress,MACaddress,

username,location),whichismaintainedovertimeforeachend‐system,isusefulfor

complianceandauditingpurposes,andforplanningthesubsequentrolloutofthenext

NAC

deploymentmodel.

IP-to-ID functionality for Security Information Management (SIM)

ThisNACdeploymentmodelenablesSIMsystemssuchastheEnterasysDragonSecurity

CommandConsole(DSCC),todisplayuser‐focusedinformationaboutassetsonthenetwork.

Traditionally,SIMsystemsyielddevice‐focusedinformation(suchasIPaddress)about

detectednetworkthreats,throughthecorrelation,normalization,andprioritizationofevents

previous next