Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Model 4: End-System Authorization with Assessment and Remediation

Enterasys NAC Design Guide 2-13

Assistedremediationinformsenduserswhentheirend‐systemshavebeenquarantineddueto

networksecuritypolicynon‐compliance,andallowsenduserstosafelyremediatetheirnon‐

compliantend‐systemswithoutassistancefromIToperations.Theprocesstakesplacewhenan

end‐systemconnectstothenetworkandassessmentis

performed.Enduserswhosesystemsfail

assessmentarenotifiedviawebredirectionthattheirsystemshavebeenquarantined,andare

instructedinhowtoperformself‐serviceremediationspecifictothedetectedcompliance

violations.

Oncetheremediationstepshavebeensuccessfullyperformedandtheend‐systemiscompliant,

theend

usercaninitiateanon‐demandreassessmentoftheend‐systemandcanbeallocatedthe

appropriatenetworkresources,againwithouttheinterventionofIToperations.

Implementation

InModel4,end‐systemscanbedetected,authenticated,assessed,authorized,andremediatedin

differentwaysdependingonthewhetherinlineorout‐of‐bandnetworkaccesscontrolis

implementedintheEnterasysNACsolution.

Out-of-Band NAC

Forout‐of‐bandEnterasysNACdeploymentsutilizingtheNACGateway,NACfunctionsare

implementedinthefollowingway:

Detection‐AsdescribedinModel2.

Authentication‐AsdescribedinModel2.

Assessment‐AsdescribedinModel3.

Authorization‐AsdescribedinModel3.

Remediation‐Whenend‐systemsarequarantinedbytheNACGateway,

thenetworkmustbe

configuredtodirectalltrafficfromthequarantinedend‐systemstotheNACGateway.Thiscanbe

implementedbyconfiguringpolicy‐basedroutingonarouterinlinewiththetrafficsourcedfrom

quarantinedend‐systems.Thisrouterwouldbeconfiguredtosendallwebtrafficfrom

quarantined

end‐systemstotheNACGateway,whichthenservesbacktheremediationwebpage

totheenduser.

Thewaytherouteridentifiesthetrafficfromquarantinedend‐systemsdiffersbetweenanetwork

composedofpolicy‐enabledswitchesintheaccessedgeoranetworkcomposedofswitches

implementingRFC

3580dynamicVLANassignmentintheaccessedge.ForanEnterasyspolicy‐

enablededge,theQuarantinepolicycanbeconfiguredtorewritetheTypeofService(ToS)valueof

HTTPtraffictoaparticularsettingthatmatchesthepolicy‐basedroutingconfiguration.Foran

RFC3580capableedge,thepolicy‐based

routingwouldbeconfiguredtomatchthesourceIP

addressoftheHTTPtrafficbeinggeneratedfromthesubnetsthatcorrespondstotheQuarantine

and/orAssessingVLAN.Ineithercase,bydirectingtheHTTPtrafficfromquarantinedend‐

systemsovertotheNACGateway,theNACGatewaywillserveback

theremediationwebpageto

thenoncompliantend‐sy stem.

previous next