Scenario 2: Intelligent Wireless Access Edge
3-8 Use Scenarios
Scenario 2 Implementation
In the intelligent wireless access edge use scenario, the five NAC functions are implemented in the following manner:

1. Detection - The user's end-system connects to the network. The wireless switch or thick AP sends a RADIUS authentication request (802.1X, web-based, or MAC authentication) with the associated credentials to the NAC Gateway.

2. Authentication - If the end-system is authenticating to the network using 802.1X or web-based authentication, the NAC Gateway proxies the RADIUS authentication request to a backend authentication (RADIUS) server to validate the identity of the end user/device. For end-systems that are MAC authenticating to the network, the NAC Gateway may be configured to either proxy the MAC authentication requests to the RADIUS server, or locally authorize MAC authentication requests. If only MAC authentication is deployed on the network and the NAC Gateway is configured to locally authorize MAC authentication requests, a backend RADIUS server is not required with the Enterasys NAC solution.

3. Assessment - After the identity of the end-system or end user is validated via authentication, the NAC Gateway requests an assessment of the end-system according to predefined security policy parameters. The assessment can be agent-based or agent-less, and is executed locally by the NAC Gateway's assessment functionality and/or remotely by a pool of assessment servers.

4. Authorization - Once authentication and assessment are complete, the NAC Gateway allocates the appropriate network resources to the end-system based on authentication and/or assessment results. For Enterasys policy-enabled wireless switches and access points, the NAC Gateway formats information in the RADIUS authentication messages that directs the edge switch to dynamically assign a particular policy to the wireless end-system on the wireless switch or AP, depending on the type of wireless implementation. For RFC 3580-capable wireless switches and APs, the NAC Gateway formats information in the RADIUS authentication messages (in the form of RFC 3580 VLAN Tunnel attributes) that directs the edge switch to dynamically assign a particular VLAN to the wireless end-system. If authentication fails and/or the assessment results indicate a noncompliant end-system, the NAC Gateway can either deny the end-system access to the network by sending a RADIUS Access-Reject message, or quarantine the end-system by assigning a Quarantine policy or VLAN to the wireless end-system.

5. Remediation - When the quarantined end user opens a web browser to any website, its traffic is dynamically redirected to a Remediation web page that describes the compliance violations and provides remediation steps for the user to execute in order to achieve compliance. After taking the appropriate remediation steps, the end user clicks a button on the web page to reattempt network access, forcing the re-assessment of the end-system. At this point, the Enterasys NAC solution transitions the end-system through the entire NAC cycle of detection, authentication, assessment, and authorization, re-assessing the security posture of the end-system to determine if the remediation steps were successfully followed. If the end-system is now compliant with network security policy, the NAC Gateway authorizes the end-system with the appropriate access policy. If the end-system is not compliant, the end-system's access to the network remains restricted and the process starts again.
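The authorization step above (step 4) is easiest to see as a small decision function that turns the authentication and assessment results into a RADIUS reply carrying the RFC 3580 VLAN Tunnel attributes. The following is an added example written for this page, not Enterasys code; the VLAN numbers are constructed, and the attribute numbers and values come from RFC 2868 / RFC 3580.

```python
import struct

# RADIUS attribute types from RFC 2868, as used by RFC 3580 for VLAN assignment.
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # the VLAN ID carried as a string
VLAN, IEEE_802 = 13, 6

# Constructed VLAN plan for this example; a real deployment defines its own.
PRODUCTION_VLAN = "100"
QUARANTINE_VLAN = "999"


def tagged_int(attr_type, value, tag=0):
    """Encode a tagged integer attribute: Type, Length, Tag, 3-byte value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type, text, tag=0):
    """Encode a tagged string attribute: Type, Length, Tag, string bytes."""
    data = text.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vlan_attributes(vlan_id):
    """The three RFC 3580 attributes that tell the switch or AP which VLAN to assign."""
    return (tagged_int(TUNNEL_TYPE, VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, vlan_id))


def authorize(authenticated, compliant, quarantine_on_auth_failure=False):
    """Map authentication and assessment results to (RADIUS code, attributes).

    Quarantine is expressed as a VLAN here; a policy-enabled edge would carry
    a policy name instead. The text allows either reject or quarantine on an
    authentication failure, so that choice is a parameter.
    """
    if not authenticated and not quarantine_on_auth_failure:
        return "Access-Reject", b""
    if authenticated and compliant:
        return "Access-Accept", vlan_attributes(PRODUCTION_VLAN)
    return "Access-Accept", vlan_attributes(QUARANTINE_VLAN)


def parse_attributes(raw):
    """Decode an attribute list into {type: (tag, value)} to verify the reply."""
    out, i = {}, 0
    while i < len(raw):
        attr_type, length, tag = raw[i], raw[i + 1], raw[i + 2]
        body = raw[i + 3:i + length]
        out[attr_type] = (tag, body.decode() if attr_type == TUNNEL_PRIVATE_GROUP_ID
                          else int.from_bytes(body, "big"))
        i += length
    return out
```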