Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Scenario 4: VPN Remote Access

Enterasys NAC Design Guide 3-11

Scenario 3 Implementation

Inthenon‐intelligentaccessedgeusescenario,thefiveNACfunctionsareimplementedinthe

followingmanner:

1.Detection‐Theuserʹsend‐systemconnectstothenetworkandtransmitsdatatrafficontothe

networkthattraversestheNACController.ThistrafficissourcedfromaMACaddressorIP

addressnotpreviouslyseenbythecontroller.

2.Authentication‐OneoftwoconfigurationsmaybeimplementedontheNACControllerfor

enduserauthentication.Authenticationcanbedisabledaltogether,trustingthatthedownstream

infrastructuredevicesauthenticated theend‐systemtothenetwork(802.1Xauthenticationtothe

wirelessLAN,web‐basedauthentication

tothewiredLAN).Alternatively,MACregistrationcan

beimplemented,whereanenduserusernameandpasswordand/orsponsorusernameand

passwordmustbevalidatedagainstabackendLDAP‐compliantdatabasebeforenetworkaccessis

permitted.

3.Assessment‐Aftertheidentityoftheend‐systemorenduserisvalidatedby

authentication,the

NACControllerrequestsanassessmentoftheend‐systemaccordingtopredefinedsecuritypolicy

parameters.Theassessmentcanbeagent‐basedoragent‐less,andisexecutedlocallybytheNAC

Controllerʹsassessmentfunctionalityand/orremotelybyapoolofassessmentservers.

4.Authorization‐Onceauthenticationandassessment

arecomplete,theNACController

allocatestheappropriatenetworkresourcestotheend‐systembasedonauthenticationand/or

assessmentresults.ThisisimplementedlocallyontheNACControllerbyassigningapolicyto

trafficsourcedfromthisend‐system.Ifauthenticationfailsand/ortheassessmentresultsindicate

anoncompliantend‐system,

theNACControllercaneitherdenytheend‐systemaccesstothe

networkorquarantinetheend‐systembyspecifyingaparticularpolicyontheNACController.

5.Remediation‐Whenthequarantinedenduseropensawebbrowsertoanywebsite,itstrafficis

dynamicallyredirectedtoaRemediationweb

pagethatdescribesthecomplianceviolationsand

providesremediationsstepsfortheusertoexecuteinordertoachievecompliance.Aftertaking

theappropriateremediationsteps,theenduserclicksonabuttononthewebpagetoreattempt

networkaccess,forcingthere‐assessmentoftheend‐system.At

thispoint,theEnterasysNAC

solutiontransitionstheend‐systemthroughtheentireNACcycleofdetection,authentication,

assessment,andauthorization,re‐assessingthesecuritypostureoftheend‐systemtodetermineif

theremediationtechniquesweresuccessfullyfollowed.Iftheend‐systemisnowcompliant,the

NACControllerauthorizesthe

end‐systemwiththeappropriateaccesspolicy.Iftheend‐systemis

notcompliant,theend‐systemisrestrictedaccesstothenetworkbyassigningapolicytotheend‐

systemontheNACController,andtheprocessstartsagain.

Scenario 4: VPN Remote Access

IntheVPNremoteaccessusescenario,VPNconcentratorsactasaterminationpointforremote

accessVPNtunnelsintotheenterprisenetwork.

Forthisusescenario,theNACControllerapplianceisdeployedtoauthorizeconnectingend‐

systemsonthenetworkandimplementnetworkaccesscontrol.

Thefollowingfigureillustrateshowthe

NACControllerandtheotherEnterasysNAC

componentsworktogetherinaVPNremoteaccessdeploymenttoprovideacomprehensiveNAC

solution.

previous next