Scenario 1: Intelligent Wired Access Edge
3-4 Use Scenarios
Scenario 1 Implementation
In the intelligent wired edge use scenario, the five NAC functions are implemented in the following manner:

1. Detection - The user's end-system connects to the network. The edge switch sends a RADIUS authentication request (802.1X, web-based, or MAC authentication) with the associated credentials to the NAC Gateway.

2. Authentication - If the end-system is authenticating to the network using 802.1X or web-based authentication, the NAC Gateway proxies the RADIUS authentication request to a backend authentication (RADIUS) server to validate the identity of the end user/device. For end-systems that are MAC authenticating to the network, the NAC Gateway can be configured to either proxy the MAC authentication requests to the RADIUS server or locally authorize MAC authentication requests. If only MAC authentication is deployed on the network, and the NAC Gateway is configured to locally authorize MAC authentication requests, a backend RADIUS server is not required for the Enterasys NAC solution.

3. Assessment - After the identity of the end-system or end user is validated via authentication, the NAC Gateway requests an assessment of the end-system according to predefined security policy parameters. The assessment can be agent-based or agent-less, and is executed locally by the NAC Gateway's assessment functionality and/or remotely by a pool of assessment servers.

4. Authorization - Once authentication and assessment are complete, the NAC Gateway allocates the appropriate network resources to the end-system based on authentication and/or assessment results. For Enterasys policy-enabled edge switches, the NAC Gateway formats information in the RADIUS authentication messages that directs the edge switch to dynamically assign a particular policy to the connecting end-system. For RFC 3580-capable edge switches, the NAC Gateway formats information in the RADIUS authentication messages (in the form of RFC 3580 VLAN Tunnel attributes) that directs the edge switch to dynamically assign a particular VLAN to the connecting end-system. If authentication fails and/or the assessment results indicate a noncompliant end-system, the NAC Gateway can either deny the end-system access to the network by sending a RADIUS Access-Reject message to the edge switch, or quarantine the end-system by assigning a Quarantine policy or VLAN to the end-system on the edge switch.

5. Remediation - When the quarantined end user opens a web browser to any web site, its traffic is dynamically redirected to a Remediation web page that describes the compliance violations and provides remediation steps for the user to execute in order to achieve compliance. After taking the appropriate remediation steps, the end user clicks on a button on the web page to reattempt network access, forcing the re-assessment of the end-system. At this point, the Enterasys NAC solution transitions the end-system through the entire NAC cycle of detection, authentication, assessment, and authorization, re-assessing the security posture of the end-system to determine if the remediation steps were successfully followed. If the end-system is now compliant with network security policy, the NAC Gateway authorizes the end-system with the appropriate policy or VLAN. If the end-system is not compliant, the end-system is restricted from accessing the network and the process starts again.
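The authorization step of this cycle, as a worked example: the NAC Gateway's accept/quarantine/deny decision is encoded as a RADIUS Access-Accept carrying either RFC 3580 VLAN Tunnel attributes (for an RFC 3580-capable switch) or a policy name (for a policy-enabled switch), or as an Access-Reject, and the switch side verifies the Response Authenticator before acting on it. This is added illustrative code, not code from the Enterasys design guide or product. The framing follows RFC 2865, RFC 2868 and RFC 3580; carrying the policy name in the Filter-Id attribute, the tag value, the shared secret, and the VLAN IDs and policy names are assumptions chosen for the example.

```python
import hashlib
import struct

# RADIUS codes (RFC 2865 section 3)
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

# Attribute types
FILTER_ID = 11                 # RFC 2865; ASSUMED here to carry the policy name
TUNNEL_TYPE = 64               # RFC 2868
TUNNEL_MEDIUM_TYPE = 65        # RFC 2868
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868
TUNNEL_TYPE_VLAN = 13          # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6     # RFC 3580 section 3.31

# Constructed policy names and VLAN IDs for the example, not values from the guide
COMPLIANT = {"policy": "Enterprise User", "vlan": 100}
QUARANTINE = {"policy": "Quarantine", "vlan": 666}


def attr(atype, value):
    """One Type-Length-Value attribute; Length counts its two header octets."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(atype, tag, value):
    """RFC 2868 tagged integer: one Tag octet followed by a 3-octet value."""
    return attr(atype, bytes([tag]) + struct.pack("!I", value)[1:])


def rfc3580_vlan(vlan_id, tag=1):
    """The three attributes that direct an RFC 3580 switch to assign a VLAN."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def authorize(authenticated, compliant, switch="rfc3580", quarantine=True):
    """Map authentication/assessment results to a RADIUS code and attributes.

    quarantine=False models the 'deny' option: a noncompliant end-system gets
    an Access-Reject instead of the Quarantine policy/VLAN.
    """
    if not authenticated or (not compliant and not quarantine):
        return ACCESS_REJECT, b""
    target = COMPLIANT if compliant else QUARANTINE
    if switch == "policy":
        return ACCESS_ACCEPT, attr(FILTER_ID, target["policy"].encode())
    return ACCESS_ACCEPT, rfc3580_vlan(target["vlan"])


def build_response(code, identifier, request_authenticator, secret, attributes):
    """Frame the response; Response Authenticator per RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + auth + attributes


def parse_response(packet, request_authenticator, secret):
    """Switch side: check integrity/origin, then extract the VLAN or policy."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("length field does not match packet size")
    header, auth, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    if auth != expected:
        raise ValueError("bad Response Authenticator: packet forged or modified")
    result = {"code": code, "id": identifier, "vlan": None, "policy": None}
    tunnel_type, group_id, pos = None, None, 0
    while pos < len(attributes):
        if pos + 2 > len(attributes):
            raise ValueError("truncated attribute header")
        atype, alen = attributes[pos], attributes[pos + 1]
        if alen < 2 or pos + alen > len(attributes):
            raise ValueError("malformed attribute length")
        value = attributes[pos + 2:pos + alen]
        if atype == TUNNEL_TYPE:
            tunnel_type = int.from_bytes(value[1:], "big")   # skip the Tag octet
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 section 3.6: a leading octet in 0x01..0x1F is a Tag, not string data
            group_id = value[1:] if value and 0x01 <= value[0] <= 0x1F else value
        elif atype == FILTER_ID:
            result["policy"] = value.decode()
        pos += alen
    if tunnel_type == TUNNEL_TYPE_VLAN and group_id is not None:
        result["vlan"] = int(group_id.decode())
    return result
```

The switch only honours a VLAN if Tunnel-Type actually says VLAN, and it rejects any response whose Response Authenticator does not verify under the shared secret, so a forged or altered Access-Accept cannot move an end-system out of the Quarantine VLAN.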
It is important to note that if the wired edge of the network is non-intelligent (unmanaged switches and hubs) and is not capable of authenticating and authorizing locally connected end-systems, it is possible to augment the network topology to allow implementation of out-of-band NAC with the NAC Gateway. This can be accomplished without replacing the physical edge of the network, by adding an intelligent edge switch that possesses specialized authentication and authorization features.
The Enterasys Matrix N-series switch is capable of authenticating and authorizing numerous end-systems connected on a single port through its Multi-User Authentication (MUA) functionality and may be positioned upstream from non-intelligent third-party edge devices to act as the