Enterasys NAC Design Guide 3-1
3
Use Scenarios
This chapter describes four NAC use scenarios that illustrate how the type of NAC deployment is directly dependent on the infrastructure devices deployed in the network. For some network topologies, inline network access control utilizing the NAC Controller may be required while for other network configurations, the NAC Gateway implementing out-of-band NAC may be used.

The Enterasys NAC solution is capable of implementing network access control for all four use scenarios as well as environments with mixed use scenarios that may require the concurrent deployment of the NAC Gateway and the NAC Controller. Regardless of the scenario that is deployed, all NAC Gateways and NAC Controllers are centrally managed by the NetSight NAC Manager software application.

For the intelligent wired access edge and intelligent wireless access edge use scenarios, the term “intelligent” refers to a network topology where the access edge is composed of Enterasys policy-enabled switches capable of supporting authentication and policy enforcement, or third-party switches capable of supporting authentication and dynamic VLAN assignment as defined in RFC 3580.
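
The dynamic VLAN assignment of RFC 3580 referred to above is carried in three RADIUS tunnel attributes of the Access-Accept. The following is an added example, not taken from the Enterasys guide or product, that decodes them from a raw attribute block and rejects inconsistent assignments; the function names and the sample bytes are constructed for illustration.

```python
# RADIUS attribute types for VLAN assignment (RFC 2868, used by RFC 3580).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TT_VLAN, TMT_IEEE_802 = 13, 6

# Constructed sample: attribute block of an Access-Accept assigning VLAN 99.
SAMPLE_ATTRS = (bytes([64, 6, 0, 0, 0, 13]) + bytes([65, 6, 0, 0, 0, 6])
                + bytes([81, 5, 0]) + b"99")


def iter_attributes(buf):
    """Yield (type, value) from a RADIUS attribute block (length covers the header)."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError("bad attribute length")
        yield atype, buf[pos + 2:pos + alen]
        pos += alen


def vlan_from_accept(attrs):
    """Return the assigned VLAN ID (1-4094), or None unless Tunnel-Type=VLAN,
    Tunnel-Medium-Type=802 and a numeric Tunnel-Private-Group-ID share a tag."""
    by_tag = {}
    for atype, value in iter_attributes(attrs):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("expected tag octet plus 3-octet value")
            by_tag.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # The first octet is a tag only if it is <= 0x1F; otherwise it
            # is already the first character of the VLAN ID string.
            tagged = bool(value) and value[0] <= 0x1F
            tag, text = (value[0], value[1:]) if tagged else (0, value)
            by_tag.setdefault(tag, {})[atype] = text.decode("ascii")
    for group in by_tag.values():
        if (group.get(TUNNEL_TYPE) == TT_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TMT_IEEE_802
                and group.get(TUNNEL_PRIVATE_GROUP_ID, "").isdigit()):
            vid = int(group[TUNNEL_PRIVATE_GROUP_ID])
            if 1 <= vid <= 4094:
                return vid
    return None
```
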
Scenario 1: Intelligent Wired Access Edge
In the intelligent wired access edge use scenario, the edge switches that compose the network access layer are capable of providing authentication (802.1X, web-based, or MAC) for connecting end-systems, and they are also capable of being an authorization point for these end-systems through Enterasys policy and/or dynamic VLAN assignment as specified in RFC 3580.

For this use scenario, the NAC Gateway appliance is deployed for out-of-band network access control, leveraging the intelligent infrastructure devices in the access edge as the authorization point for connecting end-systems.

It is important to note that Enterasys policy-enabled switches provide increased security over third-party switches that support RFC 3580. By using port-level granular traffic control, users quarantined with Enterasys policy can be restricted from communicating with other quarantined users, even if co-located on the same VLAN. In a Quarantine VLAN as implemented on third-party RFC 3580 capable switches, a quarantined user poses a threat to other quarantined users
For information about... Refer to page...
Scenario 1: Intelligent Wired Access Edge 3-1
Scenario 2: Intelligent Wireless Access Edge 3-5
Scenario 3: Non-intelligent Access Edge (Wired and Wireless) 3-9
Scenario 4: VPN Remote Access 3-11
Summary 3-13