Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Model 3: End-System Authorization with Assessment

2-8 NAC Deployment Models

ARADIUSserverisonlyrequiredifout‐of‐bandnetworkaccesscontrolusingtheNACGateway,

orinlinenetworkaccesscontrolusingtheLayer2NACController,isimplementedwithweb‐

basedand/or802.1Xauthenticati on.

NetSightPolicyManagerisrequiredforallinlineNACdeployments,andrecommendedforout‐

of

‐bandNACdeploymentsthatutilizeEnterasyspolicy‐capableswitches.PolicyManager

providestheabilitytocentrallydefineandconfiguretheauthorizationlevelsorpolicies.

NetSightInventoryManagerisanoptionalcomponent,providingcomprehensivenetwork

inventoryandchangemanagementcapabilities.

Model 3: End-System Authorization with Assessment

ThisNACdeploymentmodelimplementsthedetection,authentication,assessmentand

authorizationNACfunctionalitiesforconnectingend‐systems.InModel2,end‐systemsandend

usersconnectedtothenetworkareauthorizedbasedonthedeviceidentity,useridentity,and/or

locationinformation.Model3extendstheauthorizationdecisioninNACtoone

additional

dimension—thesecuritypostureoftheend‐systemasdeterminedfromanassessment.The

assessmentcanbeexecutedthroughagent‐basedoragent‐lesstechniquesandcanidentify

differentpiecesofinformationaboutthedevice,suchanantivirussoftwareconfiguration,

operatingsystempatchesinstalled,softwareapplicationsinstalledand

running,processes

running,servicesconfigured,andregistryvaluesset.

ItisimportanttonotethatitisnotnecessarytoconfiguretheEnterasysNACsolutionto

quarantineend‐systemsthatfailassessment.Infact,duringtheinitialrolloutofNAConthe

enterprisenetwork,itishighlyrecommendedthatend‐systems

arenotrestrictedaccesstothe

networkinanywaybefore,during,orafterfailedassessment.ThispassiveNACconfiguration

allowstheITadministratortobaselinetheconfigurationofdevicesonthenetworkand

understandthecurrentlandscapeofitsassetswithoutimpactingnetworkconnectivityfor

connectingend‐systems.Inthis

configuration,itisnotnecessarytoinformtheendusersthatthey

arebeingassessedorhavefailedassessmentbecausethereislittle‐to‐noimpactonnetwork

connectivityduringthisassessment.End‐systemscanbescannedinthebackgroundproviding 

thenetworkadministratorwithimportantvisibilityintohowdevices

areconfiguredontheir

network,whileenduserscanutilizethenetworkasdesired.Then,whenthenetwork

administratorisready,theEnterasysNACsolutioncanbeconfiguredwiththeclickofabuttonto

immediatelyrestrictaccessforend‐systemsthathavefailedassessment.

Implementation

InModel3,end‐systemscanbedetectedandtracked,authenticated,assessed,andauthorizedin

differentwaysdependingonwhetherinlineorout‐of‐bandnetworkaccesscontrolis

implementedintheEnterasysNACsolution.

Out-of-Band NAC

Forout‐of‐bandEnterasysNACdeploymentsutilizingtheNACGateway,NACfunctionsare

implementedinthefollowingway:

Detection‐AsdescribedinModel2.

Authentication‐AsdescribedinModel2.

Assessment‐TheNACGatewaycanleverageeitherlocalassessmentservicesand/orremote

assessmentservicesdeployedonthenetwork.TheNACGatewayʹ

slocalassessmentservices

includeagent‐lessassessmentwhichcanexecutevariousserver‐sidechecks(whetheranFTP

previous next