2-8 NAC Deployment Models
A RADIUS server is only required if out-of-band network access control using the NAC Gateway, or inline network access control using the Layer 2 NAC Controller, is implemented with web-based and/or 802.1X authentication.
NetSight Policy Manager is required for all inline NAC deployments, and recommended for out-of-band NAC deployments that utilize Enterasys policy-capable switches. Policy Manager provides the ability to centrally define and configure the authorization levels or policies.
NetSight Inventory Manager is an optional component, providing comprehensive network inventory and change management capabilities.
Model 3: End-System Authorization with Assessment
This NAC deployment model implements the detection, authentication, assessment and authorization NAC functionalities for connecting end-systems. In Model 2, end-systems and end users connected to the network are authorized based on the device identity, user identity, and/or location information. Model 3 extends the authorization decision in NAC to one additional dimension: the security posture of the end-system as determined from an assessment. The assessment can be executed through agent-based or agent-less techniques and can identify different pieces of information about the device, such as antivirus software configuration, operating system patches installed, software applications installed and running, processes running, services configured, and registry values set.
It is important to note that it is not necessary to configure the Enterasys NAC solution to quarantine end-systems that fail assessment. In fact, during the initial rollout of NAC on the enterprise network, it is highly recommended that end-systems are not restricted access to the network in any way before, during, or after failed assessment. This passive NAC configuration allows the IT administrator to baseline the configuration of devices on the network and understand the current landscape of its assets without impacting network connectivity for connecting end-systems. In this configuration, it is not necessary to inform the end users that they are being assessed or have failed assessment because there is little-to-no impact on network connectivity during this assessment. End-systems can be scanned in the background, providing the network administrator with important visibility into how devices are configured on their network, while end users can utilize the network as desired. Then, when the network administrator is ready, the Enterasys NAC solution can be configured with the click of a button to immediately restrict access for end-systems that have failed assessment.
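The two-phase rollout described above (assess every end-system, restrict nothing, then switch on enforcement) amounts to an authorization function that takes the enforcement mode as one more input alongside identity, location and posture. The following Python is an added illustration of that logic written for this page; it is not Enterasys NAC code. The compliance requirements, policy names, service and registry names, and the sample end-systems are all constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Mode(Enum):
    """How the NAC solution treats a failed assessment."""
    PASSIVE = "passive"   # assess and record only; access is never restricted
    ENFORCE = "enforce"   # a failed assessment moves the end-system to quarantine


@dataclass
class Posture:
    """Constructed stand-in for what an agent-based or agent-less assessment reports."""
    antivirus_running: bool
    av_definitions_age_days: int
    missing_patches: List[str]
    running_processes: List[str]
    services: Dict[str, str]      # service name -> "running" / "stopped"
    registry: Dict[str, str]      # registry value path -> value


@dataclass
class EndSystem:
    mac: str
    user: str
    location: str
    posture: Optional[Posture]    # None until an assessment has completed


# Hypothetical compliance requirements for this example; a real deployment defines its own.
MAX_DEFINITION_AGE_DAYS = 7
REQUIRED_SERVICES = {"Firewall": "running"}
PROHIBITED_PROCESSES = {"p2p_client.exe"}
REQUIRED_REGISTRY = {r"HKLM\SOFTWARE\Example\ScreenLockEnabled": "1"}  # constructed key


def assess(posture: Posture) -> List[str]:
    """Return the list of findings; an empty list means the end-system passed."""
    findings = []
    if not posture.antivirus_running:
        findings.append("antivirus not running")
    if posture.av_definitions_age_days > MAX_DEFINITION_AGE_DAYS:
        findings.append(f"antivirus definitions {posture.av_definitions_age_days} days old")
    for patch in posture.missing_patches:
        findings.append(f"missing patch {patch}")
    for proc in sorted(PROHIBITED_PROCESSES & set(posture.running_processes)):
        findings.append(f"prohibited process {proc}")
    for svc, wanted in REQUIRED_SERVICES.items():
        if posture.services.get(svc) != wanted:
            findings.append(f"service {svc} not {wanted}")
    for key, wanted in REQUIRED_REGISTRY.items():
        if posture.registry.get(key) != wanted:
            findings.append(f"registry {key} != {wanted}")
    return findings


def identity_policy(es: EndSystem) -> str:
    """Model 2 authorization: policy chosen from user identity and location only."""
    if es.user.startswith("guest"):
        return "Guest Access"
    if es.location == "lab":
        return "Lab Access"
    return "Enterprise User"


def authorize(es: EndSystem, mode: Mode) -> Tuple[str, List[str]]:
    """Model 3 authorization: the Model 2 policy plus the posture dimension."""
    policy = identity_policy(es)
    if es.posture is None:
        return policy, []               # not yet assessed: the Model 2 decision stands
    findings = assess(es.posture)
    if findings and mode is Mode.ENFORCE:
        return "Quarantine", findings   # enforcement restricts end-systems that failed
    return policy, findings             # passive: record findings, leave access unchanged


# Constructed sample end-systems.
COMPLIANT = Posture(True, 2, [], ["explorer.exe"], {"Firewall": "running"},
                    {r"HKLM\SOFTWARE\Example\ScreenLockEnabled": "1"})
NONCOMPLIANT = Posture(False, 30, ["KB-EXAMPLE-0001"], ["explorer.exe", "p2p_client.exe"],
                       {"Firewall": "stopped"}, {})
GOOD_HOST = EndSystem("00:11:22:33:44:55", "alice", "hq", COMPLIANT)
BAD_HOST = EndSystem("66:77:88:99:aa:bb", "bob", "hq", NONCOMPLIANT)

if __name__ == "__main__":
    for mode in Mode:
        for es in (GOOD_HOST, BAD_HOST):
            policy, findings = authorize(es, mode)
            print(f"{mode.value:8} {es.user:6} -> {policy:16} findings={len(findings)}")
```

In passive mode the non-compliant host keeps its Enterprise User policy while its six findings are recorded, which is the baseline data the text says the administrator gathers first; flipping the mode to enforce is the only change needed to start quarantining the same host.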
Implementation
In Model 3, end-systems can be detected and tracked, authenticated, assessed, and authorized in different ways depending on whether inline or out-of-band network access control is implemented in the Enterasys NAC solution.
Out-of-Band NAC
For out-of-band Enterasys NAC deployments utilizing the NAC Gateway, NAC functions are implemented in the following way:
Detection - As described in Model 2.
Authentication - As described in Model 2.
Assessment - The NAC Gateway can leverage either local assessment services and/or remote assessment services deployed on the network. The NAC Gateway's local assessment services include agent-less assessment which can execute various server-side checks (whether an FTP