Procedures for Out-of-Band and Inline NAC
5-2 Design Procedures
Policy Manager is not required for out-of-band NAC that utilizes RFC 3580-compliant switches (Enterasys and third-party switches). In this case, a VLAN is specified in NAC Manager to authorize connecting end-systems with a particular level of network access, using dynamic VLAN assignment.
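RFC 3580 dynamic VLAN assignment works by returning three RADIUS tunnel attributes (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID, defined in RFC 2868) in the Access-Accept; the switch moves the authenticating port into the named VLAN. The following is an added example, not Enterasys or NetSight code, that encodes those attributes for a chosen VLAN and parses them back out of an attribute list while checking the consistency a switch should enforce (all three present, matching tags, Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, numeric VLAN ID). The tag value 1 and the sample attribute bytes are assumptions constructed for the example.

```python
"""
Added example (not Enterasys/NetSight code): build and validate the RFC 3580
RADIUS attributes that carry a dynamic VLAN assignment in an Access-Accept.
Attribute numbers and the tagged-value encoding are from RFC 2868.
"""
import struct

# RADIUS attribute types (RFC 2868)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13       # Tunnel-Type value "VLAN" (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6  # Tunnel-Medium-Type value "IEEE-802" (RFC 3580)


def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute-value pair: type, total length, value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_assignment_avps(vlan_id: int, tag: int = 1) -> bytes:
    """Return the three attributes that assign VLAN `vlan_id`.

    Tagged integer attributes carry the tag in the first byte of a 4-byte
    value. Tunnel-Private-Group-ID is a string whose first octet is a tag
    only when it is in 0x00..0x1F (RFC 2868 section 3.6). Tag 1 is an
    assumed default; some switches also accept the attributes untagged.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    tag_byte = bytes([tag])
    return (
        _avp(TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _avp(TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + _avp(TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan_id).encode("ascii"))
    )


def parse_vlan_assignment(avps: bytes) -> dict:
    """Walk a RADIUS attribute list and return {"vlan": int, "tag": int}.

    Raises ValueError unless Tunnel-Type=VLAN and Tunnel-Medium-Type=IEEE-802
    are present with the same tag as Tunnel-Private-Group-ID, so a group ID
    belonging to some other tunnel is never applied as a VLAN.
    """
    found = {}
    i = 0
    while i < len(avps):
        if len(avps) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = avps[i], avps[i + 1]
        if length < 2 or i + length > len(avps):
            raise ValueError("bad attribute length")
        value = avps[i + 2:i + length]
        i += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer attribute must be 4 bytes")
            found[attr_type] = (value[0], int.from_bytes(value[1:], "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:
                tag, name = value[0], value[1:]   # leading octet is a tag
            else:
                tag, name = 0, value               # untagged string
            found[attr_type] = (tag, name.decode("ascii", "replace"))

    missing = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID} - found.keys()
    if missing:
        raise ValueError(f"missing tunnel attribute(s): {sorted(missing)}")
    (t_tag, t_val), (m_tag, m_val), (g_tag, group) = (
        found[TUNNEL_TYPE], found[TUNNEL_MEDIUM_TYPE], found[TUNNEL_PRIVATE_GROUP_ID]
    )
    if not (t_tag == m_tag == g_tag):
        raise ValueError("tunnel attribute tags do not match")
    if t_val != TUNNEL_TYPE_VLAN or m_val != TUNNEL_MEDIUM_IEEE_802:
        raise ValueError("attributes do not describe an IEEE 802 VLAN")
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        raise ValueError(f"Tunnel-Private-Group-ID is not a VLAN ID: {group!r}")
    return {"vlan": int(group), "tag": g_tag}


if __name__ == "__main__":
    # Constructed sample: the quarantine VLAN a NAC Gateway might return.
    print(parse_vlan_assignment(vlan_assignment_avps(100)))
```

The parser deliberately refuses a Tunnel-Private-Group-ID that arrives without a matching Tunnel-Type=VLAN and Tunnel-Medium-Type=IEEE-802, which mirrors what RFC 3580 switches require before they will move a port.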
Refer to the Enterasys Networks website http://www.enterasys.com/products/management/downloads/NetSight.html for NetSight software licensing and download information.
2. Define Network Security Domains
A different Security Domain should be defined for each area of the network that has its own unique requirements for end-system authentication, assessment, and authorization.
A Security Domain defines a set of NAC Gateways and NAC Controllers that have common authentication, assessment, and authorization requirements for end-systems connecting to the network. For NAC Gateways, the domain also includes the associated switches that are uniquely assigned to the gateways.
A Security Domain can be composed of both NAC Controller and NAC Gateway appliances. Each NAC Gateway can only be assigned to one Security Domain, and therefore all ports on a particular switch (for example, a stack of SecureStack C2 switches or a Matrix N7 chassis) can only be associated with one Security Domain. Likewise, a NAC Controller can only be assigned to one Security Domain.