Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Scenario 2: Intelligent Wireless Access Edge

3-8 Use Scenarios

Scenario 2 Implementation

Intheintelligentwirelessaccessedgeusescenario,thefiveNACfunctionsareimplementedinthe

followingmanner:

1.Detection‐Theuserʹsend‐systemconnectstothenetwork.ThewirelessswitchorthickAP

sendsaRADIUSauthenticationrequest(802.1X,web‐based,orMACauthentication)withthe

associatedcredentialsto

theNACGateway.

2.Authentication‐Iftheend‐systemisauthenticatingtothe networkusing802.1Xorweb‐based

authentication,theNACGatewayproxiestheRADIUSa uthenti cationrequesttoabackend

authentication(RADIU S)servertovalidatetheidentityoftheenduser/device.Forend‐systems

thatareMACauthenticatingtothe

network,theNACGatewaymaybeconfiguredtoeitherproxy

theMACauthenticationrequeststotheRADIUSserver,orlocallyauthorizeMACauthentication

requests.IfonlyMACauthenticationisdeployedonthenetworkandtheNACGatewayis

configuredtolocallyauthorizeMACauthenticationrequests,abackendRADIUSserverisnot



requiredwiththeEnterasysNACsolution.

3.Assessment‐Aftertheidentityoftheend‐systemorenduserisvalidatedviaauthentication,

theNACGatewayrequestsanassessmentoftheend‐systemaccordingtopredefinedsecurity

policyparameters.Theassessmentcanbeagent‐basedoragent‐less,andisexecutedlocally

bythe

NACGatewayʹsassessmentfunctionalityand/orremotelybyapoolofassessmentservers.

4.Authorization‐Onceauthenticationandassessmentarecomplete,theNACGatewayallocates

theappropriatenetworkresourcestotheend‐systembasedonauthenticationand/orassessment

results.ForEnterasyspolicy‐enabledwirelessswitchesandaccesspoints,the

NACGateway

formatsinformationintheRADIUSauthenticationmessagesthatdirectstheedgeswitchto

dynamicallyassignaparticularpolicytothewirelessend‐systemonthewirelessswitchorAP,

dependingonthetypeofwirelessimplementation.ForRFC3580‐capablewirelessswitchesand

APs,theNACGatewayformats

informationintheRADIUSauthenticationmessages(intheform

ofRFC3580VLANTunnelattribut es)thatdirectstheedgeswitchtodynamicallyassigna

particularVLANtothewirelessend‐system.Ifauthenticationfailsand/ortheassessmentresults

indicateanoncompliantend‐system,theNACGatewaycaneitherdenytheend

‐systemaccessto

thenetworkbysendingaRADIUSaccessrejectmessage,orquarantinetheend‐systemby

assigningaQuarantinepolicyorVLANtothewirelessend‐system.

5.Remediation‐Whenthequarantinedenduseropensawebbrowsertoanywebsite,itstrafficis

dynamicallyredirectedtoa

Remediationwebpagethatdescribesthecomplianceviolationsand

providesremediationsstepsfortheusertoexecuteinordertoachievecompliance.Aftertaking

theappropriateremediationsteps,theenduserclicksonabuttononthewebpagetoreattempt

networkaccess,forcingthere‐assessmentoftheend‐

system.Atthispoint,theEnterasysNAC

solutiontransitionstheend‐systemthroughtheentireNACcycleofdetection,authentication,

assessment,andauthorization,re‐assessingthesecuritypostureoftheend‐systemtodetermineif

theremediationtechniquesweresuccessfullyfollowed.Iftheend‐systemisnowcompliantwith

networksecurity

policy,theNACGatewayauthorizestheend‐systemwiththeappropriateaccess

policy.Iftheend‐systemisnotcompliant,theend‐systemisrestrictedaccesstothenetworkand

theprocessstartsagain.

previous next