Model 2: End-System Authorization
Enterasys NAC Design Guide 2-5
The NAC Controller may either deny the end-system access to the network or assign the end-system to a particular set of network resources by specifying a particular policy.
Features and Value
In addition to the features and values found in Model 1, the following are key pieces of functionality and value propositions supported by Model 2, End-System Authorization:
Location-Based Authorization
In addition to providing visibility into who, what, when, and where devices and users are connecting to the network, this deployment model allows IT operations to control access to the network with different levels of authorization based on these parameters. For location-based authorization, the Enterasys NAC solution can assign a level of access to a connecting end user or device based on which area of the network the end-system is connected to, through the configuration of Security Domains. For example, when an engineer connects to the network from a controlled area of the network such as the lab, or a faculty member connects to the network from a physically secured faculty office, the engineer and faculty member are appropriately authorized to access sensitive information residing on internal servers. However, if the same users connect to the network from an unsecured area of the network such as the open wireless LAN available in the enterprise's lobby or campus, or in a student dormitory, then these end-systems can be authorized with a different level of network access, possibly restricting communication to the internal servers and other resources on the network.

Furthermore, the NAC solution can also lock a device to a specific switch or switch port, using the "Lock MAC" feature. If the device is moved to any other switch port on the network, it will not be able to connect. For example, a printer or a server containing sensitive data may be connected to the network at a specific location, such as behind a firewall or on a particular VLAN for security reasons. Physically moving the connection of these devices to an open area of the network increases the risk of these devices being attacked and compromised because they would no longer be protected by the security mechanisms that were put in place on the network. The "Lock MAC" feature can be used to limit the mobility of specific devices and avoid malicious or unintentional misconfigurations on the network, thereby reducing risk.
Device-Based Authorization
With this NAC deployment model, end-systems are authorized with access to a specific set of network resources based on the end-system's MAC address. For initial implementation, the Enterasys NAC solution is configured in a mode where all MAC addresses of connecting end-systems are permitted onto the network and dynamically learned. The Enterasys NAC solution is then configured to allow only known MAC addresses onto the network, assigning each end-system a particular authorization level. Any new MAC address connecting to the network is assigned a different authorization level, such as denied access, restricted access, or allowed access if the user is able to properly register their device to the network.
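The authorization decisions this section describes (Security Domains for location-based levels, Lock MAC pinning a device to a switch port, the initial learn-everything mode followed by known-MAC enforcement with registration for new devices, and MAC or OUI overrides that apply regardless of where a device connects) can be modelled as one ordered policy evaluation. The following is an added illustration written for this guide's discussion; it is not Enterasys code and does not reflect how the NAC Controller is implemented. The switch names, area names, MAC addresses and the precedence order (Lock MAC, then overrides, then learning or known-MAC handling, then location) are all assumptions chosen for the example.

```python
import re
from dataclasses import dataclass, field
from enum import Enum


class Access(str, Enum):
    DENIED = "denied"
    RESTRICTED = "restricted"      # e.g. no path to internal servers
    ALLOWED = "allowed"
    UNRESTRICTED = "unrestricted"  # e.g. IT operations troubleshooting


_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form; raises ValueError on malformed input."""
    m = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(m):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return m


# Constructed Security Domains: switch -> area of the network (names are assumptions)
SECURITY_DOMAINS = {
    "lab-sw1": "lab",
    "faculty-sw2": "faculty-office",
    "lobby-wlan1": "lobby",
    "dorm-sw3": "dormitory",
}
# Constructed: level a known device receives in each area (location-based authorization)
LOCATION_ACCESS = {
    "lab": Access.ALLOWED,
    "faculty-office": Access.ALLOWED,
    "lobby": Access.RESTRICTED,
    "dormitory": Access.RESTRICTED,
}


@dataclass
class NacPolicy:
    learning: bool = True                           # initial mode: permit and learn every MAC
    known: set = field(default_factory=set)         # MACs learned or registered
    registered: set = field(default_factory=set)    # MACs whose users completed registration
    lock_mac: dict = field(default_factory=dict)    # mac -> (switch, port) it is locked to
    overrides: dict = field(default_factory=dict)   # exact MAC or OUI prefix -> Access

    def authorize(self, mac: str, switch: str, port: int):
        """Return (Access, reason) for a device seen on the given switch port."""
        mac = normalize_mac(mac)
        # 1. Lock MAC: a locked device may connect only at its recorded switch/port
        if mac in self.lock_mac and self.lock_mac[mac] != (switch, port):
            return Access.DENIED, "Lock MAC: device moved from its assigned port"
        # 2. MAC overrides: exact address first, then vendor OUI prefix; location-independent
        if mac in self.overrides:
            return self.overrides[mac], "MAC override"
        oui = mac[:8]
        if oui in self.overrides:
            return self.overrides[oui], f"OUI override ({oui})"
        # 3. Learning mode: everything is permitted and recorded as known
        if self.learning:
            self.known.add(mac)
            return Access.ALLOWED, "learning mode"
        # 4. Enforcement mode: an unknown MAC stays restricted until its user registers it
        if mac not in self.known:
            if mac in self.registered:
                self.known.add(mac)
            else:
                return Access.RESTRICTED, "unknown device; registration required"
        # 5. Known device: level comes from the Security Domain it connected through
        area = SECURITY_DOMAINS.get(switch, "unknown")
        return LOCATION_ACCESS.get(area, Access.RESTRICTED), f"known device in {area}"


def demo():
    """Constructed walk-through of the deployment sequence described in the text."""
    p = NacPolicy()
    p.overrides["00:50:56:aa:bb:01"] = Access.UNRESTRICTED  # constructed IT-operations laptop
    p.overrides["de:ad:be"] = Access.DENIED                 # constructed OUI of a device class to keep off
    p.lock_mac["00:1b:21:00:00:01"] = ("lab-sw1", 24)       # constructed printer locked to lab port 24
    r = {}
    r["learn_printer"] = p.authorize("00:1b:21:00:00:01", "lab-sw1", 24)
    r["learn_laptop"] = p.authorize("00:0c:29:11:22:33", "faculty-sw2", 3)
    p.learning = False                                      # switch to known-MAC enforcement
    r["laptop_lab"] = p.authorize("00:0c:29:11:22:33", "lab-sw1", 5)
    r["laptop_lobby"] = p.authorize("00:0c:29:11:22:33", "lobby-wlan1", 1)
    r["printer_moved"] = p.authorize("00:1b:21:00:00:01", "lobby-wlan1", 1)
    r["itops_dorm"] = p.authorize("00:50:56:aa:bb:01", "dorm-sw3", 7)
    r["bad_oui"] = p.authorize("DE-AD-BE-00-00-01", "lab-sw1", 2)
    r["unknown"] = p.authorize("08:00:27:00:00:09", "dorm-sw3", 8)
    p.registered.add("08:00:27:00:00:09")                   # user completes registration
    r["registered"] = p.authorize("08:00:27:00:00:09", "lab-sw1", 8)
    return r


if __name__ == "__main__":
    for name, (level, why) in demo().items():
        print(f"{name:14} {level.value:12} {why}")
```

Running the script shows the same laptop receiving allowed access in the lab but restricted access on the lobby WLAN, the locked printer being denied once it appears on any other port, and the override entries deciding the outcome before location is consulted.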
The Enterasys NAC solution is able to authorize specific devices or classes of devices (based on MAC address OUI prefix) with access to a specific set of network resources through the configuration of MAC overrides. For example, an end-system that is known to be infected with a worm, a publicly accessible machine, or a machine belonging to a guest user may be authorized with a restrictive set of network resources or completely denied network access, regardless of where and when this device connects. In contrast, an end-system belonging to the IT operations group may be permitted unrestricted access to network resources for infrastructure troubleshooting and maintenance purposes, regardless of where and when the device connects to the network. If you add location-based authorization (as discussed above) to this example, then unrestricted access for end-systems belonging to the IT operations group