Survey the Network
Enterasys NAC Design Guide 4-5
to locally authorize all MAC authentication requests for connecting end-systems, thereby not requiring a list of known MAC addresses. In fact, Enterasys NAC can be configured in a “learning mode” to dynamically learn the MAC addresses of all devices connecting to the network, permitting network access to all of these end-systems for a period of time.
After the MAC addresses are learned, NAC can be reconfigured to permit access only to these end-systems, requiring all other devices connecting to the network to go through a registration process.
With MAC authentication deployed on the network, a backend RADIUS server with associated directory services is not required, simplifying the implementation. Furthermore, because MAC authentication only requires the end-system to generate an Ethernet packet onto the network, both human-centric and machine-centric end-systems have the capability to authenticate to the network, regardless of whether the end-system is a PC or a printer.
Case #2: Authentication methods are deployed on the network.
If authentication is currently deployed on the network with 802.1X, web-based, and/or MAC authentication, then a RADIUS server with associated backend directory services must be deployed for user/device 802.1X and web-based credential validation. Moreover, if RADIUS authentication for switch management logins is implemented, a RADIUS server must be deployed on the network. In this scenario, out-of-band NAC is configured to seamlessly proxy RADIUS authentication requests received from the switches at the intelligent edge of the network to the backend RADIUS server, without requiring complex configuration changes to the RADIUS server and associated directory services. In addition, NAC can also be configured to locally authorize MAC authentication requests.
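As an added illustration of the two NAC behaviours described above (local authorization of MAC authentication requests with a learning period, and pass-through proxying of 802.1X and web-based requests to the backend RADIUS server), the following Python simulation is not Enterasys code and models no RADIUS wire format; the class names, the `auth_type` field and the decision strings are assumptions.

```python
# Constructed simulation of the out-of-band NAC decision flow; not Enterasys code.
from dataclasses import dataclass, field


def _norm(mac: str) -> str:
    """Reduce any MAC notation (aa:bb, aa-bb, aabb.ccdd) to its 12 hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


@dataclass
class AccessRequest:
    """Minimal model of a RADIUS Access-Request relayed by an edge switch."""
    user_name: str           # for MAC authentication the switch sends the MAC itself
    calling_station_id: str  # MAC address of the connecting end-system
    auth_type: str           # assumed values: "mac", "dot1x" or "web"


@dataclass
class NacPolicy:
    learning_mode: bool = True              # learning period vs. enforcement
    known_macs: set = field(default_factory=set)

    def _is_mac_auth(self, req: AccessRequest) -> bool:
        # MAC authentication carries the MAC as the user name; compare normalised forms.
        return (req.auth_type == "mac"
                and _norm(req.user_name) == _norm(req.calling_station_id))

    def decide(self, req: AccessRequest) -> str:
        mac = _norm(req.calling_station_id)
        if not self._is_mac_auth(req):
            # 802.1X / web-based credentials are never validated locally:
            # NAC forwards the request unchanged to the upstream RADIUS server.
            return "PROXY_TO_RADIUS"
        if self.learning_mode:
            # Learning mode: remember every connecting MAC and grant access.
            self.known_macs.add(mac)
            return "ACCEPT"
        # Enforcement: only learned end-systems are admitted; all others are
        # directed into the registration process.
        return "ACCEPT" if mac in self.known_macs else "REGISTRATION"


def run_demo() -> list:
    """Walk a printer and a laptop through learning mode, then lock down."""
    nac = NacPolicy(learning_mode=True)
    printer = AccessRequest("00-11-22-33-44-55", "00:11:22:33:44:55", "mac")
    laptop = AccessRequest("alice", "AA:BB:CC:DD:EE:01", "dot1x")
    results = [nac.decide(printer), nac.decide(laptop)]
    nac.learning_mode = False               # learning period is over
    unknown = AccessRequest("de-ad-be-ef-00-01", "DE:AD:BE:EF:00:01", "mac")
    results += [nac.decide(printer), nac.decide(unknown)]
    return results
```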
Overview of Supported Authentication Methods
Following is an overview of authentication methods supported by Enterasys and some third-party switches, and proxied by out-of-band NAC.
802.1X Authentication
The IEEE 802.1X standard for port-based network access control provides network administrators with the ability to authenticate and authorize an end user at the port level. The 802.1X authentication method is usually implemented on PCs in secure environments and requires that the end-system implement an 802.1X supplicant, which is special software that communicates in this protocol.
Because 802.1X requires the input of user credentials, 802.1X is normally used on user-centric end-systems that have a concept of an associated user, such as a PC. Therefore, this authentication method may be inappropriate for machine-centric devices, such as printers and IP cameras. However, newer software releases for IP phones may include an 802.1X supplicant.
Since Enterasys NAC only acts as a pass-through to an upstream RADIUS server, it is mandatory that a full authentication deployment is configured on the network if 802.1X is used.
Web-Based Authentication
Web-based authentication, or Port Web Authentication (PWA), is an authentication process that uses a web browser user-login process to gain access to ports. It employs either CHAP (Challenge Handshake Authentication Protocol) or PAP (Password Authentication Protocol).
Since web-based authentication only requires that a web browser is on the end-system, it is deployed in heterogeneous environments where certain end-systems may not have an 802.1X supplicant installed.