access to a web browser to safely remediate their quarantined end-system without impacting IT operations.

Once a deployment model is selected, the current network infrastructure must be examined to identify the technical dependencies and requirements imposed by the NAC solution.
Survey the Network
The steps in this section will help you identify and evaluate the current network infrastructure so that you can make design decisions regarding NAC component requirements.
1. Identify the Intelligent Edge of the Network
The first step in surveying your network is to determine whether or not your network has an "intelligent edge." This information will help you decide whether the NAC Gateway or NAC Controller appliance best suits your network infrastructure.

The term "intelligent" refers to a network topology where the access edge is composed of Enterasys policy-enabled switches capable of supporting authentication and policy enforcement, or third-party switches capable of supporting authentication and dynamic VLAN assignment as defined in RFC 3580.

Non-intelligent infrastructure devices, such as repeaters and hubs, are not capable of supporting authentication and/or authorization of end-systems, and simply provide connectivity to the infrastructure.
An intelligent edge is required when the NAC Gateway is utilized for implementing out-of-band NAC. The NAC Gateway appliance leverages the intelligent edge of the network to implement the authentication and authorization of connecting end-systems. The NAC Gateway effects the assignment of policies or VLANs on Enterasys switches or RFC 3580-capable switches located at the edge of the network, to authorize a level of network access to connecting end-systems. These assignments are based on various parameters, such as the location of the end-system and security posture assessment results. The intelligent edge of the network also implements an authentication method (802.1X, web-based, or MAC authentication) for validating the device and/or user identity of connecting end-systems.
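The dynamic VLAN assignment an RFC 3580-capable edge switch accepts from the NAC Gateway arrives as three RFC 2868 tunnel attributes in the RADIUS Access-Accept: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-ID = the VLAN ID as a string, all carrying the same tag byte. The following Python is an added example, not code from this guide or from Enterasys, showing how such a switch would build and validate that assignment. The attribute-level encoding follows RFC 2865/2868; the sample byte strings, the helper names and the "lowest tag wins" selection rule are my own assumptions for illustration.

```python
"""RFC 3580 dynamic VLAN assignment: encode and validate the RFC 2868 tunnel
attributes carried in a RADIUS Access-Accept (added example, not vendor code)."""

# RADIUS attribute types (RFC 2865 / RFC 2868) and the values RFC 3580 requires.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
SESSION_TIMEOUT = 27            # an unrelated attribute, used only to show skipping
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
MAX_TAG = 0x1F                  # RFC 2868: tag field values 0x01..0x1F; 0x00 = untagged


def encode_avp(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1, includes header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_vlan_assignment(vlan_id, tag=1):
    """Return the three tunnel attributes for a VLAN assignment (RFC 3580 sec. 3.31)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag out of range")
    tag_b = bytes([tag])
    return (encode_avp(TUNNEL_TYPE, tag_b + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + encode_avp(TUNNEL_MEDIUM_TYPE, tag_b + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + encode_avp(TUNNEL_PRIVATE_GROUP_ID, tag_b + str(vlan_id).encode("ascii")))


def parse_attributes(data):
    """Split the attribute section of a RADIUS packet into (type, value) pairs.
    Rejects truncated or malformed lengths instead of reading past the buffer."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def split_tag(value, is_string):
    """RFC 2868 tag handling. Tagged integer attributes are always tag(1)+int(3).
    For string attributes the first byte is a tag only if it is 0x00..0x1F."""
    if not value:
        raise ValueError("empty tunnel attribute")
    if is_string:
        return (value[0], value[1:]) if value[0] <= MAX_TAG else (0, value)
    if len(value) != 4:
        raise ValueError("tagged integer attribute must be 4 bytes")
    return value[0], value[1:]


def extract_vlan(attrs):
    """Return the VLAN ID an edge switch should apply, or None if the attributes
    do not form a complete, consistent RFC 3580 VLAN assignment.
    Assumption: if several tag groups are valid, the lowest tag wins."""
    groups = {}
    for t, v in attrs:
        if t == TUNNEL_TYPE:
            tag, raw = split_tag(v, False)
            groups.setdefault(tag, {})["type"] = int.from_bytes(raw, "big")
        elif t == TUNNEL_MEDIUM_TYPE:
            tag, raw = split_tag(v, False)
            groups.setdefault(tag, {})["medium"] = int.from_bytes(raw, "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            tag, raw = split_tag(v, True)
            groups.setdefault(tag, {})["group"] = raw
    for tag in sorted(groups):
        g = groups[tag]
        if g.get("type") != TUNNEL_TYPE_VLAN or g.get("medium") != TUNNEL_MEDIUM_IEEE_802:
            continue   # e.g. Tunnel-Medium-Type = IPv4: not a VLAN assignment
        try:
            vid = int(g.get("group", b"").decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            continue   # switches that accept VLAN names would resolve the name here
        if 1 <= vid <= 4094:
            return vid
    return None


# Constructed sample Access-Accept payloads (not captured traffic).
SAMPLE_ACCEPT = encode_avp(SESSION_TIMEOUT, (3600).to_bytes(4, "big")) + build_vlan_assignment(100)
SAMPLE_BAD_MEDIUM = (encode_avp(TUNNEL_TYPE, b"\x01\x00\x00\x0d")
                     + encode_avp(TUNNEL_MEDIUM_TYPE, b"\x01\x00\x00\x01")
                     + encode_avp(TUNNEL_PRIVATE_GROUP_ID, b"\x01200"))

if __name__ == "__main__":
    print("sample accept ->", extract_vlan(parse_attributes(SAMPLE_ACCEPT)))
    print("bad medium   ->", extract_vlan(parse_attributes(SAMPLE_BAD_MEDIUM)))
```

The length checks in parse_attributes matter on a real switch: the RADIUS server is a trusted peer, but the Access-Accept still crosses the management network, and an attribute length that runs past the packet is exactly the kind of malformed input a NAS must refuse rather than read through.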
However, in networks with non-intelligent devices at the access edge, it is not necessary to replace these non-intelligent devices to be able to implement out-of-band NAC with the NAC Gateway. Instead, the Enterasys Matrix N-series switch can be positioned upstream from non-intelligent devices (such as in the distribution layer) to implement the authentication and authorization functions for downstream connected devices. Matrix N-Series devices support Multi-User Authentication (MUA), which enables the switch to individually authenticate and uniquely authorize multiple end-systems connected to the same physical port. MUA on the Matrix N-series Platinum supports the concurrent authentication and authorization of over 1000 end-systems on a single port with the allocation of disparate network resources to each end-system. In this case, the Matrix N-series switch is the intelligent edge of the network although it is not physically located in the access layer. By utilizing the Matrix N-series in this type of configuration, most of the benefits of out-of-band NAC can be obtained without upgrading the edge of the network.