2-12 NAC Deployment Models
Required and Optional Components
This section summarizes the required and optional components for Model 3.
The NAC Gateway and NAC Controller are the NAC appliances used to implement the out-of-band and inline network access control functionality on the network.
NetSight NAC Manager is the software application used to centrally manage the NAC appliances deployed on the network.
NetSight Console is the software application used to monitor the health and status of infrastructure devices in the network, including switches, routers, and Enterasys NAC appliances (NAC Gateways and NAC Controllers).
Assessment functionality is required because in this deployment model, connecting end-systems are being assessed for security posture compliance.
A RADIUS server is only required if out-of-band network access control via the NAC Gateway is implemented with web-based and/or 802.1X authentication.
NetSight Policy Manager is required for all inline NAC deployments, and recommended for out-of-band NAC deployments that utilize Enterasys policy-capable switches. Policy Manager provides the ability to centrally define and configure the authorization levels or policies.
NetSight Inventory Manager is an optional component, providing comprehensive network inventory and change management capabilities.
Model 4: End-System Authorization with Assessment and Remediation
This NAC deployment model implements all five NAC functions: detection, authentication, assessment, authorization, and remediation. In Model 3, end-systems and end users connected to the network are authorized based on the device identity, user identity, location, and/or security posture information. And, as explained in Model 3, it was not necessary to quarantine noncompliant end-systems while phasing in the NAC solution on the network. However, once a restrictive authorization level is allocated to noncompliant end-systems, it is important to inform the end user of the restrictions and provide the steps they can execute for self-repair of the device. This is the process of assisted remediation, which is the NAC function introduced in Model 4.
Table 2-3 Component Requirements for Authorization with Assessment

Component                     Authorization with Assessment
NAC Appliance                 Required
NetSight NAC Manager          Required
NetSight Console              Required
Assessment Service            Required
RADIUS Server                 Optional
NetSight Policy Manager       Optional
NetSight Inventory Manager    Optional