Enterasys NAC Design Guide 4-1
4
Design Planning
This chapter describes the steps you should take as you begin planning your NAC deployment. The first step is to identify the deployment model that best meets your business objectives. Then, the current network infrastructure must be evaluated in order to determine NAC component requirements. Based on this evaluation, you will be able to decide whether to deploy inline or out-of-band network access control.
Identify the NAC Deployment Model
When planning your NAC deployment, the first step is to identify the NAC deployment model, or a phased implementation of multiple deployment models, that meets your NAC business objectives. The four deployment models are summarized below. For more in-depth information on each model, see Chapter 2, NAC Deployment Models.

• Model #1: End-System Detection and Tracking
Enterasys NAC detects devices as they connect to the network, identifying the location, MAC address, IP address, and username of the person using the end-system. This information is maintained over time for each device on the network, yielding complete historical information about a device as it interacts with the network.

• Model #2: End-System Authorization
Enterasys NAC detects, authenticates, and authorizes connecting end-systems, to control access to network resources based on location as well as user and end-system identity.

• Model #3: End-System Authorization with Assessment
Enterasys NAC is deployed with end-system assessment and authorization (but without remediation), to control access to network resources based on the security posture of a connecting end-system. Compliant end-systems are permitted onto the network, while end-systems that fail assessment can be dynamically quarantined with restrictive network access.

• Model #4: End-System Authorization with Assessment and Remediation
In addition to end-system assessment and authorization, Enterasys NAC is deployed with remediation to dynamically inform quarantined end-systems of security compliance violations. Using web-based notification, assisted remediation allows end users that have
For information about...                          Refer to page...
Identify the NAC Deployment Model                 4-1
Survey the Network                                4-2
Identify Inline or Out-of-band NAC Deployment     4-11
Summary                                           4-11