Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Survey the Network

Enterasys NAC Design Guide 4-7

systematatime, thenitissuggestedthatMAClocking(alsoknownasPortSecurity)beenabled

ontheedgeswitchestorestrictthenumberofconnectingdevices.Ifmultipleend‐system

connectionissupported,thentheintelligentedgeswitchmustsupporttheauthenticationand

authorizationofmultipledevices(possibly

usingmultipleauthenticationmethods)concurrently

onthenetwork.Ifthisisnotsupported,thenasecurityholeexistswhereanoncompliantend‐

systemcan“piggyback”ontheopennetworkconnectionofacompliantend‐system.

Forexample,NACisoftendeployedonanIPtelephonyconvergednetworkwhereIPphone

handsetsarecascadedwithPCsconnectedtoasingleintelligentedgeinfrastructureport.Ifthe

intelligentedgeinfrastructuredevicesdonotsupporttheauthenticationandauthorizationofboth

thePCandIPphoneconnectedtothesameport,thenanoncompliantPCmaybeallowed

networkaccesswhenthesecurityposture

ofanIPphonethatconnectedtothenetworkfirst,is

deemedcompliant.

Furthermore,iftheauthenticationandauthorization ofmultipledevicesconnectingtoasingle

portisnotsupported,certaindevicesmayloseconnectivitywhenNACisdeployed.Forexample,

anIPphoneʹsnetworkconnectionmaybelostwhen

aPCisquarantinedonthenetwork.

Authentication Support on Enterasys Devices

Followingisinformationontheauthenticati onsupportprovidedbyEnterasysdevices:

•TheMatrixN‐seriesMulti‐UserAuthentication(MUA)featureallowstheenablingofany

combinationofauthenticationmethods(802.1X,web‐based,and/orMAC)bothgloballyand

perport.WhiletheMatrixN‐seriesGoldsupportstheauthenticationandauthorizationof

two

users/devicesperport,theMatrixN‐seriesPlatinumsupportstheauthenticationand

authorizationofover2000usersanddevicesperport,providingthehighestdegreeof

authenticationmethodconfiguration flexibility.

•TheSecureStackC2/C3andB2/B3User+IPPhoneauthenticationallowstheconfigurationof

multipleauthenticationmethodsgloballyandper

port(802.1X,web‐based,and/orMAC)with

thelimitationofaPCandanIPphoneauthenticatingonasingleport.

•TheMatrixE1ʹsHybridauthenticationallowstheenablingofboth802.1XandMAC

authenticationonthesameport,andsupportstheauthenticationofasingleend‐systemusing

only

oneoftheseauthenticationmethodsatatime.

•Ifweb‐basedauthenticationisgloballyenabled onthe MatrixE1andtheMatrixE‐series

Generation2/3platforms,eachportontheswitch canonlybeconfiguredtoimplementweb‐

basedauthentication.

Authentication Considerations

Ifauthenticationiscurrentlydeployedonthenetwork,hereareconsiderationsthatshouldbe

reviewedasyouplanyourNACdeployment:

•EnterasysNACwillseamlesslyintegratewithdeploymentswheretheauthenticatingand

authorizationoftrustedusersisalreadyimplemented.EnterasysNACcanbeconfiguredto

forwardtheRADIUSFilter‐IDand/or

VLANTunnelattributereturnedfromtheRADIUS

servertotheaccesslayerswitchduringtheauthenticationprocess.

•IfguestaccessisimplementedonthenetworkbyassigningadefaultpolicyorVLANon

certainports(assumingguestuserswillfailauthenticationonthenetwork),theinfrastructure

willneedtobereconfigured

toimplementNACforguestusers.EnterasysNACwillnot

assessorauthorizeend‐systemsthatonlyfailauthenticationagainstabackendRADIUS

server.ToenableEnterasysNACtointeractwithguestusersonthenetwork,MAC

authenticationmustbeenabledonportswhereguestusersconnecttothenetwork,and



EnterasysNACmustbeconfiguredtolocallyauthorizeMACauthenticationrequestsand

assigntheappropriateguestauthorizationlevel.Then,guestuserswillbesuccessfullyMAC

previous next