Scenario 4: VPN Remote Access
3-12 Use Scenarios
Figure 3-6 VPN Remote Access
Scenario 4 Implementation
In the VPN remote access use scenario, the five NAC functions are implemented in the following manner with the deployment of the NAC Controller for inline network access control.

1. Detection - The user's end-system successfully establishes a VPN tunnel with the VPN concentrator, and the VPN concentrator transmits unencrypted data traffic onto the network that traverses the NAC Controller. This traffic is sourced from an IP address not previously seen by the controller.

2. Authentication - Authentication is most likely disabled altogether on the NAC Controller, trusting that the downstream VPN concentrator authenticated the connecting user.

3. Assessment - The NAC Controller requests an assessment of the end-system according to predefined security policy parameters. The assessment can be agent-based or agent-less, and is executed locally by the NAC Controller's assessment functionality and/or remotely by a pool of assessment servers.

4. Authorization - Once authentication and assessment are complete, the NAC Controller allocates the appropriate network resources to the end-system based on authentication and/or assessment results. This is implemented locally on the NAC Controller by assigning a policy to traffic sourced from the end-system. If authentication fails and/or the assessment results indicate a noncompliant end-system, the NAC Controller can either deny the end-system access to the network, or quarantine the end-system by assigning a particular policy on the controller.
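The four steps above, modelled as an added example that is not Enterasys code: a hypothetical inline controller that triggers the NAC flow only for a source IP it has not seen, skips authentication because the VPN concentrator is trusted, calls an assessment hook standing in for the local assessment function or the assessment server pool, and assigns an Enterprise, Quarantine or Deny policy to traffic from that end-system. The IP addresses and compliance results are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Set

class Policy(Enum):
    ENTERPRISE = "Enterprise"    # compliant: normal network access
    QUARANTINE = "Quarantine"    # noncompliant: reach the remediation web page only
    DENY = "Deny"                # noncompliant: traffic dropped

@dataclass
class InlineNACController:
    # Hypothetical assessment hook standing in for the controller's local assessment
    # function or a pool of assessment servers; returns True when the end-system is compliant.
    assess: Callable[[str], bool]
    quarantine_noncompliant: bool = True   # False -> deny instead of quarantine
    seen_ips: Set[str] = field(default_factory=set)
    assigned: Dict[str, Policy] = field(default_factory=dict)

    def handle_traffic(self, src_ip: str) -> Policy:
        """Return the policy applied to a packet from src_ip arriving via the VPN concentrator."""
        # 1. Detection: only an IP address not previously seen triggers the NAC flow;
        #    a known source keeps the policy already assigned to it (no re-assessment).
        if src_ip in self.seen_ips:
            return self.assigned[src_ip]
        self.seen_ips.add(src_ip)
        # 2. Authentication: disabled on the controller in this scenario; the
        #    downstream VPN concentrator is trusted to have authenticated the user.
        # 3. Assessment: evaluate the end-system against predefined security policy.
        compliant = self.assess(src_ip)
        # 4. Authorization: assign a policy to traffic sourced from this end-system.
        if compliant:
            policy = Policy.ENTERPRISE
        elif self.quarantine_noncompliant:
            policy = Policy.QUARANTINE
        else:
            policy = Policy.DENY
        self.assigned[src_ip] = policy
        return policy

# Constructed assessment results for two VPN-assigned addresses (sample data, not real).
SAMPLE_ASSESSMENT = {"10.8.0.5": True, "10.8.0.6": False}

def demo() -> Dict[str, str]:
    """Run two end-systems through the controller and return their assigned policies."""
    nac = InlineNACController(assess=lambda ip: SAMPLE_ASSESSMENT.get(ip, False))
    for ip in ("10.8.0.5", "10.8.0.6", "10.8.0.5"):   # third packet: already seen
        nac.handle_traffic(ip)
    return {ip: pol.value for ip, pol in nac.assigned.items()}
```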
[Figure 3-6 components: Enterasys NAC Manager; NAC Controller (inline appliance); Assessment Server; VPN Concentrator; Remediation Web Page; Role=Quarantine. NAC functions shown: 1 Detect, 2 Authenticate, 3 Assess, 4 Authorize, 5 Remediate.]