Model 2: End-System Authorization
Enterasys NAC Design Guide 2-7
a password in the registration web page. This sponsor username and password can be validated against an existing database on the network to authenticate the sponsor's identity. Sponsors may be allowed to securely access an administrative web page where they can delete, add, and modify registered end-systems on the network that they have sponsored.

With sponsored registration enabled, IT operations can hold trusted users accountable for guests brought on the enterprise network, while controlling access for only appropriate guests.

Post-Connect NAC integration with NetSight Automated Security Manager
NetSight Automated Security Manager (ASM), a software application that is part of the NetSight Suite, has the capability to search the infrastructure and locate the switch port of connection, based on the receipt of a security event for a particular IP address. ASM responds to this event by disabling the port or assigning a VLAN (such as the quarantine VLAN) to the port. In response to a real-time security threat detected on the network, ASM can be configured to notify NAC Manager on this event, dynamically quarantining the MAC address. This effectively restricts the quarantined end-system from accessing the network from any location, enterprise-wide. If ASM reverses the quarantine action, it notifies NAC Manager, and the quarantine is automatically removed and the end-system is dynamically re-admitted access to network resources. Therefore, the deployment of Enterasys NAC further increases the security posture of the network by integrating with the reactive threat response capabilities of ASM, in addition to controlling access and authorizing connecting devices.

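The interaction described above, sketched as a small Python model. This is an added example, not Enterasys code or a NetSight API; the class names, VLAN names, and addresses are assumptions made for illustration. It shows the quarantine following the MAC address to a new switch port and being lifted when ASM reverses the action.

```python
# Conceptual model: class and method names are hypothetical, not a NetSight API.
QUARANTINE_VLAN, DEFAULT_VLAN = "quarantine", "enterprise"  # assumed VLAN names

class NacManager:
    """Holds the enterprise-wide set of quarantined MAC addresses."""
    def __init__(self):
        self.quarantined = set()

    def authorize(self, mac):
        # The decision follows the MAC address, not the port it appears on.
        return QUARANTINE_VLAN if mac in self.quarantined else DEFAULT_VLAN

class Network:
    """Tracks where each end-system is attached and each port's VLAN."""
    def __init__(self, nac):
        self.nac, self.ip_to_mac, self.mac_to_port, self.port_vlan = nac, {}, {}, {}

    def connect(self, ip, mac, port):
        self.ip_to_mac[ip], self.mac_to_port[mac] = mac, port
        self.port_vlan[port] = self.nac.authorize(mac)
        return self.port_vlan[port]

class Asm:
    """Reacts to a security event reported for an IP address."""
    def __init__(self, net):
        self.net = net

    def on_security_event(self, ip):
        mac = self.net.ip_to_mac.get(ip)
        if mac is None:
            return None                             # unknown IP: nothing to act on
        port = self.net.mac_to_port[mac]            # locate the switch port
        self.net.port_vlan[port] = QUARANTINE_VLAN  # port-level response
        self.net.nac.quarantined.add(mac)           # notify NAC Manager
        return port

    def reverse(self, ip):
        mac = self.net.ip_to_mac[ip]
        self.net.nac.quarantined.discard(mac)       # quarantine removed
        return self.net.connect(ip, mac, self.net.mac_to_port[mac])  # re-admit

def demo():
    net = Network(NacManager())
    asm = Asm(net)
    ip, mac = "192.0.2.10", "00:00:5e:00:53:01"     # constructed sample values
    seen = [net.connect(ip, mac, ("sw1", 3))]       # normal access
    asm.on_security_event(ip)
    seen.append(net.port_vlan[("sw1", 3)])          # original port quarantined
    seen.append(net.connect(ip, mac, ("sw2", 7)))   # moved: still quarantined
    seen.append(asm.reverse(ip))                    # re-admitted
    return seen
```
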
Required and Optional Components
This section summarizes the required and optional components for Model 2.

The NAC Gateway and NAC Controller are the NAC appliances used to implement the out-of-band and inline network access control functionality on the network.

NetSight NAC Manager is the software application used to centrally manage the NAC appliances deployed on the network.

NetSight Console is the software application used to monitor the health and status of infrastructure devices in the network, including switches, routers, and Enterasys NAC appliances (NAC Gateways and NAC Controllers).

Assessment functionality is optional because in this deployment model, end-systems are not being assessed for security posture compliance when connecting to the network.

Table 2-2 Component Requirements for Authorization

Component                     Authorization
NAC Appliance                 Required
NetSight NAC Manager          Required
NetSight Console              Required
Assessment                    Optional
RADIUS Server                 Optional
NetSight Policy Manager       Optional
NetSight Inventory Manager    Optional