Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Model 2: End-System Authorization

2-4 NAC Deployment Models

deviceidentity,useridentity,and/orlocationinformationisusedtoauthorizetheconnectingend‐

systemwithacertainlevelofnetworkaccess.Itisimportanttonotethatinthismodel,network

accessisnotbeingcontrolledbasedonend‐systemassessmentresults.Assessmentwillbe

introducedinthenextNAC

deploymentmodel.

Implementation

InModel2,end‐systemscanbedetected,authenticated,andauthorizedindifferentways

dependingonwhetherinlineorout‐of‐bandnetworkaccesscontrolisimplemented.

Out-of-Band NAC

Forout‐of‐bandNACutilizingtheNACGateway,NACfunctionsareimplementedinthe

followingway:

Detection‐End ‐systemsaredetectedviathereceiptofRADIUSpacketsfromanaccessedge

switchattempting toauthenticateanend‐system.

Authentication‐Iftheend‐systemis802.1Xorwebauthenticatingtothenetwork,

theNAC

GatewayproxiestheRADIUSauthenticationrequesttoabackend authentication(RADIUS)

servertovalidatetheidentityoftheuser/deviceconnectingtothenetwork.Forend‐systemsthat

areMACauthenticatingtothenetwork,theNACGatewaycanbeconfiguredtoeitherproxythe

MACauthenticationrequeststoa

RADIUSserverorlocallyauthorizeMACauthentication

requestsattheNACGateway.IfonlyMACauthenticationisdeployedonthenetworkandthe

NACGatewayisconfiguredtolocallyauthorizeMA C a uthenti cationrequests,thenabackend

RADIUSserverisnotrequiredfortheEnterasysNACsolution.

Authorization‐TheNACGatewayallocates

theappropriatenetworkresourcestotheend‐system

basedondeviceidentity,useridentity,andlocation.ForEnterasyspolicy‐enablededgeswitches,

theNACGatewayformatsinformationintheRADIUSauthenticationmessagesthatdirectsthe

edgeswitchtodynamicallyassignaparticularpolicytotheconnectingend‐system.ForRFC3580

‐

capableedgeswitches,theNACGatewayformatsinformationintheRADIUSauthentication

messages(intheformofRFC3580VLANTunnelattributes)thatdirectstheedgeswitch to

dynamicallyassignaparticularVLANtotheconnectingend‐system.TheNACGatewaymay

denytheend‐systemaccesstothenetwork

bysendingaRADIUSAccess‐Rejectmessagetothe

edgeswitchorassigntheend‐systemasetofnetworkresourcesbyspecifyingaparticularpolicy

orVLANtoassigntotheauthenticatedend‐systemontheedgeswitch.

Inline NAC

ForinlineNACutilizingtheLayer2orLayer3NACController,NACfunctionsareimplemented

inthefollowingway:

Detection‐End ‐systemsaredetectedviathereceiptofRADIUSpacketsfromanaccessedge

switchattempting toauthenticateanend‐system.

Authentication‐Oneoftwoauthenticationconfigurationscanbeimplementedon

theNAC

Controller.Authenticationcanbedisabledaltogether,trustingthatthedownstreaminfrastructure

devicesauthenticatedtheend‐systemandpermittednetworkaccess.Alternately,MAC

registrationcanbeimplementedfornewdevicesconnectingtothenetwork,whereausername

andpasswordand/orasponsorusernameandpasswordmustbevalidatedagainst 

abackend

LDAP‐compliantdatabasebeforenetworkaccessispermitted.

Authorization‐TheNACControllerallocatestheappropriatenetworkresourcestotheend‐

systembyassigningapolicylocallyonthecontrollertothetrafficsourcedfromtheend‐system.

previous next