Model 4: End-System Authorization with Assessment and Remediation
Enterasys NAC Design Guide 2-13
Assisted remediation informs end users when their end-systems have been quarantined due to network security policy non-compliance, and allows end users to safely remediate their non-compliant end-systems without assistance from IT operations. The process takes place when an end-system connects to the network and assessment is performed. End users whose systems fail assessment are notified via web redirection that their systems have been quarantined, and are instructed in how to perform self-service remediation specific to the detected compliance violations.
Once the remediation steps have been successfully performed and the end-system is compliant, the end user can initiate an on-demand reassessment of the end-system and can be allocated the appropriate network resources, again without the intervention of IT operations.
Implementation
In Model 4, end-systems can be detected, authenticated, assessed, authorized, and remediated in different ways depending on whether inline or out-of-band network access control is implemented in the Enterasys NAC solution.
Out-of-Band NAC
For out-of-band Enterasys NAC deployments utilizing the NAC Gateway, NAC functions are implemented in the following way:
Detection - As described in Model 2.
Authentication - As described in Model 2.
Assessment - As described in Model 3.
Authorization - As described in Model 3.
Remediation - When end-systems are quarantined by the NAC Gateway, the network must be configured to direct all traffic from the quarantined end-systems to the NAC Gateway. This can be implemented by configuring policy-based routing on a router inline with the traffic sourced from quarantined end-systems. This router would be configured to send all web traffic from quarantined end-systems to the NAC Gateway, which then serves back the remediation web page to the end user.
The way the router identifies the traffic from quarantined end-systems differs between a network composed of policy-enabled switches in the access edge and a network composed of switches implementing RFC 3580 dynamic VLAN assignment in the access edge. For an Enterasys policy-enabled edge, the Quarantine policy can be configured to rewrite the Type of Service (ToS) value of HTTP traffic to a particular setting that matches the policy-based routing configuration. For an RFC 3580 capable edge, the policy-based routing would be configured to match the source IP address of the HTTP traffic being generated from the subnets that correspond to the Quarantine and/or Assessing VLAN. In either case, by directing the HTTP traffic from quarantined end-systems over to the NAC Gateway, the NAC Gateway will serve back the remediation web page to the noncompliant end-system.
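The two classification methods described above (ToS match for a policy-enabled edge, source-subnet match for an RFC 3580 edge) can be checked against sample traffic before the policy-based routing is put on a live router. The following is an added, constructed model of that routing decision, not code from the Enterasys NAC Design Guide or from the NAC Gateway; the gateway address, the ToS value, the Quarantine and Assessing subnets and the sample packets are all assumed values chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: replace with the real NAC Gateway address, the ToS
# value written by the Quarantine policy, and the Quarantine/Assessing subnets.
NAC_GATEWAY = "10.0.0.10"
QUARANTINE_TOS = 0x04
QUARANTINE_SUBNETS = [
    ipaddress.ip_network("10.20.0.0/24"),  # Quarantine VLAN (assumed)
    ipaddress.ip_network("10.21.0.0/24"),  # Assessing VLAN (assumed)
]
HTTP_PORTS = {80}


@dataclass(frozen=True)
class Packet:
    """Minimal view of an IP packet as seen by the inline router."""
    src: str
    dst: str
    proto: str
    dport: int
    tos: int = 0


def is_http(pkt: Packet) -> bool:
    """The guide only redirects web (HTTP) traffic; everything else routes normally."""
    return pkt.proto == "tcp" and pkt.dport in HTTP_PORTS


def matches_policy_edge(pkt: Packet) -> bool:
    """Policy-enabled edge: the Quarantine policy rewrote the ToS byte of HTTP traffic,
    so the router keys on that value rather than on the source address."""
    return is_http(pkt) and pkt.tos == QUARANTINE_TOS


def matches_rfc3580_edge(pkt: Packet) -> bool:
    """RFC 3580 edge: the router keys on HTTP sourced from the Quarantine/Assessing
    VLAN subnets, since the edge switch cannot mark the traffic itself."""
    src = ipaddress.ip_address(pkt.src)
    return is_http(pkt) and any(src in net for net in QUARANTINE_SUBNETS)


def next_hop(pkt: Packet, edge: str):
    """Policy-based routing decision: return the NAC Gateway address when the packet
    should be redirected there, or None when it takes the normal routing path."""
    classifiers = {"policy": matches_policy_edge, "rfc3580": matches_rfc3580_edge}
    return NAC_GATEWAY if classifiers[edge](pkt) else None


def redirect_summary(packets, edge: str) -> dict:
    """Count how many packets of a sample would be redirected under each edge type;
    useful for sanity-checking the match rules against captured traffic."""
    redirected = sum(1 for p in packets if next_hop(p, edge) is not None)
    return {"edge": edge, "redirected": redirected, "normal": len(packets) - redirected}


# Constructed sample traffic.
SAMPLE = [
    Packet("10.20.0.5", "192.0.2.10", "tcp", 80, tos=QUARANTINE_TOS),  # quarantined, marked
    Packet("10.20.0.5", "192.0.2.10", "tcp", 80),                       # quarantined, unmarked
    Packet("10.30.0.7", "192.0.2.10", "tcp", 80),                       # production user
    Packet("10.21.0.9", "192.0.2.10", "tcp", 443),                      # assessing, HTTPS
    Packet("10.20.0.5", "192.0.2.53", "udp", 53),                       # quarantined, DNS
]

if __name__ == "__main__":
    for edge in ("policy", "rfc3580"):
        print(redirect_summary(SAMPLE, edge))
```

Running the model over the same sample under both edge types shows the practical difference the guide points at: on a policy-enabled edge an HTTP packet from the Quarantine subnet is only redirected if the Quarantine policy actually marked it, whereas on an RFC 3580 edge every HTTP packet from the Quarantine or Assessing subnets is redirected regardless of ToS. In both cases non-HTTP traffic follows the normal path, so the quarantine VLAN or policy still has to restrict it separately.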