Enterasys NAC Design Guide 3-5
intelligent edge on the network. The Matrix N-series switch is capable of authenticating and authorizing multiple devices connected to a single port for a variety of network topologies, ranging from an IP phone cascaded with a PC on a single Matrix N-series port, to a stack of non-intelligent edge switches uplinked to a single Matrix N-series port where over 1000 end-systems connect. In this configuration, the Matrix N-series acts as the intelligent edge switch on the network, although not physically located at the access edge. Each individual end-system is authenticated using 802.1X, web-based, and/or MAC authentication and is subsequently authorized on the Matrix N-series inter-switch link to the access edge. By provisioning access to network resources on the Matrix N-series using MUA, end-system traffic destined to adjacent switches on the network can be securely contained with policy at the Matrix N-series port.
Scenario 2: Intelligent Wireless Access Edge
In the intelligent wireless access edge use scenario, thick Access Points (APs) or wireless switches with thin APs provide authentication and authorization for connecting end-systems.

For this use scenario, the NAC Gateway appliance is deployed for out-of-band network access, leveraging the intelligent wireless infrastructure devices as the authorization point for connecting end-systems.
Thin Wireless Edge
In a thin wireless deployment, wireless switches tunnel wireless end-system traffic to and from access points deployed on the network. Most thin wireless deployments are categorized under the intelligent wireless access edge use scenario because the wireless switches are capable of providing authentication (802.1x, web-based, or MAC) and are also capable of being an authorization point either through dynamic VLAN assignment as specified in RFC 3580 or application of user-based ACLs or policy.
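The dynamic VLAN assignment mentioned above is carried in three RADIUS tunnel attributes (RFC 2868 numbering, RFC 3580 values). The following is an added example, not taken from the Enterasys guide or product: the function names are hypothetical, the sample attribute bytes are constructed, and it assumes the VLAN ID is sent as a decimal string. It parses an attribute list and fails closed on malformed or incomplete VLAN authorization.

```python
# Added illustration; not Enterasys code. Attribute numbers per RFC 2868.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TT_VLAN, TMT_802 = 13, 6  # values required by RFC 3580 for VLAN assignment

def encode_attr(attr_type, value, tag=0):
    """Encode one tagged tunnel attribute (int -> 3-byte value, str -> text)."""
    body = bytes([tag]) + (value.to_bytes(3, "big") if isinstance(value, int)
                           else value.encode("ascii"))
    return bytes([attr_type, len(body) + 2]) + body

def rfc3580_vlan(attrs):
    """Return the VLAN ID authorized by a RADIUS attribute list, or None.

    Raises ValueError on malformed input so the caller can deny access.
    """
    groups, i = {}, 0
    while i < len(attrs):
        if len(attrs) - i < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 3 or i + a_len > len(attrs):  # header plus >= 1 value byte
            raise ValueError("bad attribute length")
        val = attrs[i + 2:i + a_len]
        i += a_len
        if a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(val) != 4:
                raise ValueError("tunnel attribute must carry tag + 3 bytes")
            groups.setdefault(val[0], {})[a_type] = int.from_bytes(val[1:], "big")
        elif a_type == TUNNEL_PRIVATE_GROUP_ID:
            # A first byte above 0x1F is part of the text, not a tag (RFC 2868).
            tag, text = (val[0], val[1:]) if val[0] <= 0x1F else (0, val)
            groups.setdefault(tag, {})[a_type] = text
    for g in groups.values():  # attributes sharing a tag form one tunnel group
        if g.get(TUNNEL_TYPE) == TT_VLAN and g.get(TUNNEL_MEDIUM_TYPE) == TMT_802:
            text = g.get(TUNNEL_PRIVATE_GROUP_ID, b"")
            if text.isdigit() and 1 <= int(text) <= 4094:
                return int(text)
            raise ValueError("VLAN tunnel group without a valid VLAN ID")
    return None  # no VLAN assignment present

# Constructed sample: User-Name "bob" followed by a VLAN 42 assignment.
SAMPLE_ACCEPT = (bytes([1, 5]) + b"bob" + encode_attr(TUNNEL_TYPE, TT_VLAN)
                 + encode_attr(TUNNEL_MEDIUM_TYPE, TMT_802)
                 + encode_attr(TUNNEL_PRIVATE_GROUP_ID, "42"))

if __name__ == "__main__":
    print("authorized VLAN:", rfc3580_vlan(SAMPLE_ACCEPT))
```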
The following figure illustrates how the NAC Gateway and the other Enterasys NAC components work together in a thin wireless deployment.