Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Survey the Network

Enterasys NAC Design Guide 4-5

tolocallyauthorizeallMACauthenticationrequestsforconnectingend‐systems,therebynot

requiringalistofknownMACaddresses.Infact,EnterasysNACcanbeconfiguredina“learning

mode”todynamicallylearntheMACaddressesofalldevicesconnectingtothenetwork,

permittingnetworkaccesstoallofthese

end‐systemsforaperiodoftime.

AftertheMACaddressesarelearned,NACcanbereconfiguredtopermitaccessonlytothese

end‐systems,requiringallotherdevicesconnectingtothenetworktogothrougharegistration

process.

WithMACauthenticationdeployedonthenetwork,abackendRADIUSserver

withassociated

directoryservicesisnotrequired,simplifyingtheimplementation.Furthermore,becauseMAC

authenticationonlyrequirestheend‐systemtogenerateanEthernetpacketontothenetwork,both

human‐centricandmachine‐centricend‐systemshavethecapabilitytoauthenticatetothe

network,regardlessofwhethertheend‐systemisa

PCoraprinter.

Case #2: Authentication methods are deployed on the network.

Ifauthenticationiscurrentlydeployedonthenetworkwith802.1X,web‐based,and/or MAC

authentication,thenaRADIUSserverwithassociatedbackenddirectoryservicesmustbe

deployedforuser/device802.1Xand web‐basedcredentialvalidation.Moreover,ifRADIUS

authenticationforswitchmanagementloginsisimplemented,aRADIUSservermustbedeployed



onthenetwork.Inthisscenario,out‐of‐bandNACisconfiguredtoseamlesslyproxyRADIUS

authenticationrequestsreceivedfromtheswitchesattheintelligentedgeofthenetworktothe

backendRADIUSserver,withoutrequiringcomplexconfigurationchangestotheRADIUSserver

andassociateddirectoryservices.Inaddition,NAC

canalsobeconfiguredtolocallyauthorize

MACauthenticationrequests.

Overview of Supported Authentication Methods

FollowingisanoverviewofauthenticationmethodssupportedbyEnterasysandsomethird‐party

switches,andproxiedbyout‐of‐bandNAC.

802.1XAuthentication

TheIEEE802.1Xstandardforport‐basednetworkaccesscontrol,providesnetworkadministrators

withtheabilitytoauthenticateandauthorizeanenduserattheportlevel.

The

802.1XauthenticationmethodisusuallyimplementedonPCsinsecureenvironmentsand

requiresthattheend‐systemimplementan802.1X supplicant,whichisspecialsoftwarethat

communicatesinthisprotocol.

Because802.1Xrequirestheinputofusercredentials,802.1Xisnormallyusedonuser‐centricend‐

systemsthathaveaconcept

ofanassociateduser,suchasaPC.Therefore,thisauthentication

methodmaybeinappropriateformachine‐centricdevices,suchasprintersandIPcameras.

However,newersoftwarereleasesforIPphonesmayincludean802.1Xsupplicant.

SinceEnterasysNAConlyactsasapass‐throughtoanupstreamRADIUSServer,

itismandatory

thatafullauthenticationdeploymentisconfiguredonthenetworkif802.1Xisused.

Web‐BasedAuthentication

Web‐basedauthentication,orPortWebAuthentication(PWA),isanauthenticationprocessthat

usesawebbrowser,user‐loginprocesstogainaccesstoports.ItemployseitherCHAP(Challenge

Handshake

AuthenticationProtocol)orPAP(PasswordAuthenticationProtocol).

Sinceweb‐basedauthenticationonlyrequiresthatawebbrowserisontheend‐system,itis

deployedinheterogeneousenvironmentswherecertainend‐systemsmaynothavean802.1X

supplicantinstalled.

previous next