Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Model 2: End-System Authorization

2-6 NAC Deployment Models

isonlyprovisionedbytheEnterasysNACsolutionwhenthedevicesconnecttoswitchesin

theNetworkOperationsCenter(NOC).Thislevelofgranularityinprovisioningaccessto

connectingdevicesprotectsagainstpossibleMACspoofingattacks.

Inadditiontoauthorizingaparticulardevicewithasetofnetworkresources,groupsof

devicessuchasIPphones,printers,andworkstationscanbeprovisionedaspecificsetof

networkresourcesusingMACaddressOUIprefixorcustomMACaddressmask.For

example,IPphonesmaybeidentifiedbythePolycomMACaddressOUIprefix

00:04:F2:XX:XX:XXandassignedtheVoiceVLANandahighQoS.

Insummary,device‐basedauthorizationsupportstheprovisioningofnetworkresourcestoa

connectingend‐systembasedonthedeviceʹsidentityaswellaslocation.Thisprovidesthe

abilitytorestrictend‐systemsthatposeathreattothenetwork,providespecialaccessto

particulardevices,andprovisionend‐systems

orsetsofend‐systemswithaccesstorequired

setsofnetworkresourcestoensurebusinesscontinuity.

User-Based Authorization

WiththisNACdeploymentmodel,end‐systemscanbeauthorizedwithaccesstoaspecificset

ofnetworkresourcesbasedontheuserloggedintotheend‐systemandtheirorganizational

rolewithintheenterprise.Forexample,auserwhoisanengineermaybeallocatedprioritized

accesstotheengineering

serversdeployedonthenetworkwhilebeingdeniedaccessto

serversutilizedbytheHRorlegaldepartments.Furthermore,auserwhoisknowntobe

launchingmaliciousattacksagainstcriticalresourcesonthenetworkorwasterminatedfrom

apositionwithinthecompanymaybeauthorizedarestrictiveset

ofnetworkresourcesor

outrightdeniednetworkaccess,regardlessofwhereandwhenthisuserconnectstothe

network.Incontrast,auserintheIToperationsgrouporatechniciansenttorepairadevice

onthenetworkmaybepermittedunrestrictedaccesstonetworkresourcesfor

troubleshootingandmaintenance

purposes,regardlessofwhereandwhentheuserconnects

tothenetwork,oronlyfrominsidetheNOC.

Insummary,user‐basedauthorizationsupportstheprovisioningofnetworkresourcesto

connectingusersbasedontheuserʹsidentityandsuccessfulauthentication,aswellastheir

locationonthenetwork,affording

suchcapabilitiesasdenyingusersthatposeathreattothe

network,providingparticularemployeeswithspecialaccess,andprovisioningusersin

generalwithappropriateaccesstotherequiredsetsofnetworkresources,toensurebusiness

continuity.

MAC Registration

EnterasysNACprovidessupportforMACRegistration,alsoknownasNetworkorGuest

Registration.Thissolutionforcesanynewend‐systemconnectedonthenetworktoprovide

theuserʹsidentity inawebpageformbeforebeingallowedaccesstothenetwork,without

requiringtheinterventionofITop erations.This

meansthatendusersareautomatically

provisionednetworkaccessondemandwithouttime‐consumingandcostlyhelpdesk

requestsornetworkinfrastructurereconfigurations.

Inaddition,IToperationshasvisibilityintotheend‐systemsandtheirregisteredusersonthe

network(forexample,guests,students,contractors,andemployees)withoutrequiringthe

deploymentofbackendauthenticationanddirectoryservicestomanagetheseusers.This

bindingbetweenuseridentityand machineisusefulforauditing,compliance,accounting,

andforensicspurposesonthenetwork.

Furthermore,MACRegistrationsupportsafunctionalityreferredtoas“sponsored

registration”requiringthatendusersareonlyallowedtoregisterto

thenetworkwhen

accompaniedbyatrustedsponsor;aninternalusertotheorganizationwithvalidcredentials.

Whenanenduserisregisteringtothenetwork,asponsormustenterausernameandpossibly

previous next