Procedures for Out-of-Band and Inline NAC
5-4 Design Procedures
Figure 5-2 NAC Configuration
Authentication
The Authentication settings define how RADIUS requests are handled for authenticating end-systems (this does not apply to Layer 3 NAC Controllers). This includes identifying whether MAC authentication requests are proxied upstream or locally authorized, and whether Filter-ID and Tunnel RADIUS attributes are added to RADIUS messages during the authentication process.
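As an added illustration (not code from the guide or the NAC product), the following Python builds and decodes the Filter-ID and Tunnel attributes mentioned above as they appear on the wire in a RADIUS Access-Accept, which is useful when verifying with a packet capture what the NAC engine actually returned to a switch. The policy name "Enterprise User", the VLAN ID 100 and the tag value are constructed sample values.

```python
import struct
from typing import Dict, List, Optional, Tuple

# RADIUS attribute type codes (RFC 2865, RFC 2868) and RFC 3580 VLAN values
FILTER_ID = 11
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def attr(code: int, value: bytes) -> bytes:
    """Encode one attribute: Type (1 byte), Length (1 byte, incl. header), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", code, len(value) + 2) + value


def tagged_int(code: int, tag: int, value: int) -> bytes:
    """Tagged integer attribute (RFC 2868): 1-byte tag + 3-byte big-endian value."""
    return attr(code, bytes([tag]) + value.to_bytes(3, "big"))


def policy_attrs(filter_id: Optional[str], vlan_id: Optional[int], tag: int = 1) -> bytes:
    """Attributes a NAC engine adds to an Access-Accept: a policy name and/or a VLAN."""
    out = b""
    if filter_id:
        out += attr(FILTER_ID, filter_id.encode())
    if vlan_id is not None:
        out += tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
        out += tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
        out += attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode())
    return out


def parse_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list, rejecting truncated or zero-length entries."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        code, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        out.append((code, data[i + 2:i + length]))
        i += length
    return out


def decode_policy(data: bytes) -> Dict[str, str]:
    """Recover the Filter-ID and VLAN a switch would apply from an attribute list."""
    result: Dict[str, str] = {}
    for code, value in parse_attrs(data):
        if code == FILTER_ID:
            result["filter_id"] = value.decode()
        elif code == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first byte above 0x1F is part of the string, not a tag
            result["vlan"] = (value[1:] if value[0] <= 0x1F else value).decode()
    return result
```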
Assessment
The Assessment Configuration defines the following requirements for end-system assessment:
• What assessment tests to run.
The Assessment Configuration determines what types of assessment tests are executed and what parameters are used. For example, you can specify a Nessus assessment utilizing a specific Nessus configuration file that determines end-system compliance with the SANS Top 20 vulnerabilities. The same Nessus server can be used to assess Windows machines for Windows-related vulnerabilities and also assess Mac OS-based machines for Mac-related vulnerabilities. In addition, you can specify Nessus as well as other assessment services to jointly determine the security posture of a connecting device.
• What resources to use to run the assessment.
The Assessment Configuration determines what assessment servers are used to perform the assessment. You can balance the assessment load between all your assessment servers, or you can select a specific assessment server pool to use. For example, assuming Nessus is chosen for assessment, end-systems connecting to the network in the company's headquarters can be assessed with the Nessus server deployed in the headquarters, while end-systems in a branch office will be assessed with Nessus servers deployed in the branch office, conserving bandwidth utilization on the network.