Survey the Network
Enterasys NAC Design Guide 4-7
system at a time, then it is suggested that MAC locking (also known as Port Security) be enabled on the edge switches to restrict the number of connecting devices. If multiple end-system connection is supported, then the intelligent edge switch must support the authentication and authorization of multiple devices (possibly using multiple authentication methods) concurrently on the network. If this is not supported, then a security hole exists where a noncompliant end-system can "piggyback" on the open network connection of a compliant end-system.
For example, NAC is often deployed on an IP telephony converged network where IP phone handsets are cascaded with PCs connected to a single intelligent edge infrastructure port. If the intelligent edge infrastructure devices do not support the authentication and authorization of both the PC and the IP phone connected to the same port, then a noncompliant PC may be allowed network access when the security posture of an IP phone that connected to the network first is deemed compliant.
Furthermore, if the authentication and authorization of multiple devices connecting to a single port is not supported, certain devices may lose connectivity when NAC is deployed. For example, an IP phone's network connection may be lost when a PC is quarantined on the network.
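As an added illustration (a constructed model, not Enterasys code or configuration), the following Python sketch contrasts a port that holds a single authorization for all attached end-systems with a multi-user port, reproducing both failure modes described above: the noncompliant PC riding on the phone's authorization, and the phone losing connectivity when the PC is quarantined. The MAC addresses and the two-MAC locking limit are assumed values.

```python
# Constructed model of the single-user vs. multi-user port behaviour described above.
from dataclasses import dataclass, field

@dataclass
class Device:
    mac: str
    compliant: bool  # outcome of the NAC posture assessment

@dataclass
class Port:
    multi_user: bool  # authenticate and authorize every MAC on the port separately
    max_macs: int = 2  # MAC locking (port security) limit, assumed value
    sessions: dict = field(default_factory=dict)  # mac -> "allow" | "quarantine"

    def connect(self, dev: Device) -> str:
        """Return the access state granted to a newly connected end-system."""
        if dev.mac not in self.sessions and len(self.sessions) >= self.max_macs:
            return "blocked"  # MAC locking rejects the extra end-system
        if self.multi_user or not self.sessions:
            state = "allow" if dev.compliant else "quarantine"
        else:
            # Single-user port: the first end-system set the port's state and
            # later devices inherit it without assessment (the "piggyback" hole).
            state = next(iter(self.sessions.values()))
        self.sessions[dev.mac] = state
        return state

    def quarantine(self, mac: str) -> dict:
        """Quarantine one end-system and return every session's resulting state."""
        targets = [mac] if self.multi_user else list(self.sessions)  # one auth per port
        for m in targets:
            self.sessions[m] = "quarantine"
        return dict(self.sessions)

PHONE, PC = "00:00:00:00:00:01", "00:00:00:00:00:02"  # constructed MACs

def piggyback_scenario(multi_user: bool) -> dict:
    """Compliant IP phone connects first, then a non-compliant PC cascaded behind it."""
    port = Port(multi_user)
    port.connect(Device(PHONE, compliant=True))
    port.connect(Device(PC, compliant=False))
    return dict(port.sessions)

def quarantine_scenario(multi_user: bool) -> dict:
    """Both end-systems start compliant; the PC is later quarantined."""
    port = Port(multi_user)
    port.connect(Device(PHONE, compliant=True))
    port.connect(Device(PC, compliant=True))
    return port.quarantine(PC)
```

Running both scenarios with `multi_user=False` shows the PC allowed and the phone quarantined; with `multi_user=True` each end-system keeps its own state.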
Authentication Support on Enterasys Devices
Following is information on the authentication support provided by Enterasys devices:
• The Matrix N-series Multi-User Authentication (MUA) feature allows the enabling of any combination of authentication methods (802.1X, web-based, and/or MAC) both globally and per port. While the Matrix N-series Gold supports the authentication and authorization of two users/devices per port, the Matrix N-series Platinum supports the authentication and authorization of over 2000 users and devices per port, providing the highest degree of authentication method configuration flexibility.
• The SecureStack C2/C3 and B2/B3 User + IP Phone authentication allows the configuration of multiple authentication methods globally and per port (802.1X, web-based, and/or MAC), with the limitation of a PC and an IP phone authenticating on a single port.
• The Matrix E1's Hybrid authentication allows the enabling of both 802.1X and MAC authentication on the same port, and supports the authentication of a single end-system using only one of these authentication methods at a time.
• If web-based authentication is globally enabled on the Matrix E1 and the Matrix E-series Generation 2/3 platforms, each port on the switch can only be configured to implement web-based authentication.
Authentication Considerations
If authentication is currently deployed on the network, here are considerations that should be reviewed as you plan your NAC deployment:
• Enterasys NAC will seamlessly integrate with deployments where the authentication and authorization of trusted users is already implemented. Enterasys NAC can be configured to forward the RADIUS Filter-ID and/or VLAN Tunnel attribute returned from the RADIUS server to the access layer switch during the authentication process.
• If guest access is implemented on the network by assigning a default policy or VLAN on certain ports (assuming guest users will fail authentication on the network), the infrastructure will need to be reconfigured to implement NAC for guest users. Enterasys NAC will not assess or authorize end-systems that only fail authentication against a backend RADIUS server. To enable Enterasys NAC to interact with guest users on the network, MAC authentication must be enabled on ports where guest users connect to the network, and Enterasys NAC must be configured to locally authorize MAC authentication requests and assign the appropriate guest authorization level. Then, guest users will be successfully MAC