Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Model 3: End-System Authorization with Assessment

Enterasys NAC Design Guide 2-9

serverisrunningoriftheHTTPserverisout‐of‐date)and client‐sidechecks(running

applications,softwareconfigurations,installedoperatingsystempatches)providedend‐system

administrativecredentialsareavailableforremotelogintoconnectingdevices.Additionally,the

NACGatewayʹslocalassessmentservicesalsoincludeagent‐basedassessmentusing

aJavaWeb

Start‐basedclientapplicationthatallowsexecutionofserver‐sideandclient‐sidecheckswithout

requiringadministrativecredentialsorspecialhostfirewallconfigurations.

TheNACGatewayʹsremoteassessmentservicesincludeagent‐lessandagent‐basedassessment

onotherNACGatewaysdeployedonthenetworkand/orthird‐

partyvulnerabilityscannerssuch

asNessusandLockdownEnforcer.Asend‐systemsconnecttothenetwork,assessmentscanbe

load‐balancedamongalloftheconfiguredassessmentservicesoradefinedpool.Thisprovides

maximumscalabilityandflexibility,andminimizes theamountoftimenecessarytocompletean

end‐systemassessment.

Authorization‐TheNACGatewayallocatestheappropriatenetworkresourcestotheend‐system

basedonauthentication,location,and/orassessmentresults.For Enterasyspolicy‐enablededge

switches,theNACGatewayformatsinformationintheRADIUSauthenticationmessagesthat

directstheedgeswitchtodynamicallyassignaparticularpolicytotheconnectingend

‐system.For

RFC3580‐capableedgeswitches,theNACGatewayformatsinformationintheRADIUS

authenticationmessagesintheformofRFC3580VLANTunnelattributesthat directstheedge

switchtodynam icallyassignaparticularVLANtotheconnectingend‐system.Ifauthentication

failsand/ortheassessmentresultsindicate

anoncompliantend‐system,theNACGatewaycan

eitherdenytheend‐systemaccesstothenetworkbysendingaRADIUSaccessrejectmessageto

theedgeswitchorquarantinetheend‐systemwithahighlyrestrictivesetofnetworkresources(or

possiblypermitnetworkaccess)byspecifyingaparticularpolicy

orVLANtoassigntothe

authenticatedend‐systemontheedgeswitch.

Inline NAC

ForinlineEnterasysNACdeploymentsutilizingtheLayer2orLayer3NACController,theNAC

functionsareimplementedinthefollowingway:

Detection‐AsdescribedinModel2.

Authentication‐AsdescribedinModel2.

Assessment‐TheNACControllercanleverageeitherlocalassessmentservicesand/orremote

assessmentservicesdeployedonthe

network,aspreviouslydescribedfortheNACGateway.The

NACControllerʹslocalassessmentservicesincludeagent‐lessassessmentwhichcanexecute

variousserver‐sidechecksandclient‐sidechecks.Localassessmentservicesalsoincludeagent‐

basedassessmentusingaJavaWebStart‐basedclientapplicationthatallowsexecutionofserver

‐

sideandclient‐sidechecks.TheNACControllerʹsremoteassessmentservicesincludeagent‐less

andagent‐basedassessmentwithNACGatewaysand/orthird‐partyvulnerabilityscannerssuch

asNessusandLockdownEnforcer.Asend‐systemsconnecttothenetwork,assessmentcanbe

load‐balancedamongalloftheconfigured

assessmentservicestoprovidemaximumscalability

andflexibilitywhileminimizingassessmenttimes.

Authorization‐TheNACControllerallocatestheappropriatenetworkresourcestotheend‐

systembasedonauthenticationand/orassessmentresults.Thisisimplementedbyassigninga

policytotrafficsourcedfromtheend‐systemlocallyonthecontroller.Ifauthentication

failsand/

ortheassessmentresultsindicateanoncompliantend‐system,theNACControllercaneither

denytheend‐systemaccesstothenetwork,quarantinetheend‐systemwithahighlyrestrictiveset

ofnetworkresources,orpermitnetworkaccessbyspecifyingaparticularpolicy.

previous next