Enterasys Networks 9034385 Plumbing Product User Manual


 
Procedures for Out-of-Band and Inline NAC
Enterasys NAC Design Guide 5-7
The following table provides examples of various network scenarios that should be considered
when identifying the number and configuration of Security Domains in your NAC deployment.
Table 5-1 Security Domain Configuration Guidelines

Network Scenario 1:
Area of the network that is configured to authenticate end-systems with a secure
authentication method, such as 802.1X or web-based authentication.

Examples:
- Switches that provide access for trusted users authenticating to the network using
  802.1X or web-based authentication, such as LAN segments and wireless networks
  designated for trusted user access.
- VPN concentrator providing connectivity to users implementing remote access VPN to
  connect into the corporate LAN.

Security Domain Configuration:
Proxy 802.1X and web-based authentication requests to a backend RADIUS server. This
allows for the proper validation of end-system login credentials for 802.1X and
web-based authentication methods.
In NAC Manager, create a Security Domain with the following configuration attributes:
- Select the "Proxy RADIUS Request to a RADIUS Server" radio button to allow the
  forwarding of RADIUS authentication requests to a RADIUS server.
- If the RADIUS server returns a policy or VLAN based on user or end-system identity,
  uncheck "Replace RADIUS Attributes with Accept Policy." Otherwise, user overrides can
  be configured to return a policy or VLAN based on the user or end-system.
- Configure the Accept Policy with a policy or VLAN that allows less restrictive network
  access for trusted users.

Network Scenario 2:
Area of the network that is configured to MAC authenticate end-systems solely for the
purpose of end-system detection.

Examples:
- Switches that provide access to machine-centric end-systems, such as printers,
  IP phones, and IP cameras.
- Switches that provide access to human-centric end-systems that are not authenticated
  in traditional network environments, such as untrusted users like guests and
  contractors.

Security Domain Configuration:
Locally authorize MAC authentication attempts. This enables the detection and
authorization of human-centric and machine-centric end-systems.
In NAC Manager, create a Security Domain with the following configuration attributes:
- With the "Proxy RADIUS Request to a RADIUS Server" radio button selected, check the
  "Authorize MAC Authentication Requests Locally" option and specify a policy or VLAN
  in the Accept Policy field.
- Configure the Accept Policy field with a policy or VLAN that provides more restrictive
  network access for end-systems authenticating with a less secure authentication
  method.
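The two Security Domain configurations in Table 5-1 differ in how an authentication request ends up mapped to a policy or VLAN: trusted 802.1X/web requests are proxied to RADIUS and keep the server's policy unless "Replace RADIUS Attributes with Accept Policy" is set (with user overrides as a fallback), while MAC requests in a detection domain are authorized locally against a restrictive Accept Policy. The following is an added illustrative model of that decision flow, written for this edit and not Enterasys code: the option names mirror the NAC Manager checkboxes named in the table, but the request/response structures, the sample RADIUS backend, the identities and the policy names are all constructed assumptions.

```python
"""Illustrative model of how Security Domain settings map an authentication
request to a policy/VLAN (added example; not Enterasys NAC Manager code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class SecurityDomain:
    name: str
    proxy_to_radius: bool            # "Proxy RADIUS Request to a RADIUS Server"
    authorize_mac_locally: bool      # "Authorize MAC Authentication Requests Locally"
    replace_radius_attributes: bool  # "Replace RADIUS Attributes with Accept Policy"
    accept_policy: str               # policy or VLAN entered in the Accept Policy field
    # Assumed structure for user overrides: identity -> policy or VLAN
    user_overrides: Dict[str, str] = field(default_factory=dict)


@dataclass
class AuthRequest:
    auth_type: str   # "802.1X", "web" or "MAC" (assumed labels)
    identity: str    # username, or MAC address for MAC authentication


@dataclass
class RadiusResponse:
    accepted: bool
    policy: Optional[str] = None  # policy/VLAN attribute returned by the backend, if any


def authorize(domain: SecurityDomain, request: AuthRequest,
              radius_lookup: Callable[[AuthRequest], RadiusResponse]) -> Tuple[bool, Optional[str]]:
    """Return (accepted, assigned policy or VLAN) for one request in one domain."""
    # Detection domain: MAC requests are authorized locally and never reach RADIUS,
    # so the (restrictive) Accept Policy is the only possible outcome.
    if request.auth_type == "MAC" and domain.authorize_mac_locally:
        return True, domain.accept_policy

    # Assumption for this model: with proxying disabled there is nothing to consult.
    if not domain.proxy_to_radius:
        return False, None

    # Trusted domain: proxy the request so the backend validates the credentials.
    response = radius_lookup(request)
    if not response.accepted:
        return False, None

    # Backend-supplied policy/VLAN survives only while the replace option is unchecked.
    if response.policy is not None and not domain.replace_radius_attributes:
        return True, response.policy

    # Otherwise a per-identity user override wins, else the domain's Accept Policy.
    return True, domain.user_overrides.get(request.identity, domain.accept_policy)


# Constructed sample RADIUS backend: which identities it knows and what it returns.
_SAMPLE_RADIUS_DB = {
    "alice": RadiusResponse(True, "Engineering-Policy"),  # server returns a policy
    "bob": RadiusResponse(True, None),                    # valid login, no policy attribute
}


def sample_radius_lookup(request: AuthRequest) -> RadiusResponse:
    """Stand-in for proxying to a backend RADIUS server (constructed data)."""
    return _SAMPLE_RADIUS_DB.get(request.identity, RadiusResponse(False))


# Constructed domains mirroring the two rows of Table 5-1.
TRUSTED_DOMAIN = SecurityDomain(
    name="Trusted-8021X", proxy_to_radius=True, authorize_mac_locally=False,
    replace_radius_attributes=False, accept_policy="Enterprise-User",
    user_overrides={"bob": "Contractor-Limited"})

DETECTION_DOMAIN = SecurityDomain(
    name="MAC-Detection", proxy_to_radius=True, authorize_mac_locally=True,
    replace_radius_attributes=True, accept_policy="Guest-Restricted")


if __name__ == "__main__":
    for dom, req in [
        (TRUSTED_DOMAIN, AuthRequest("802.1X", "alice")),
        (TRUSTED_DOMAIN, AuthRequest("web", "bob")),
        (TRUSTED_DOMAIN, AuthRequest("802.1X", "mallory")),
        (DETECTION_DOMAIN, AuthRequest("MAC", "00:11:22:33:44:55")),
        (TRUSTED_DOMAIN, AuthRequest("MAC", "00:11:22:33:44:55")),
    ]:
        print(dom.name, req.auth_type, req.identity, "->", authorize(dom, req, sample_radius_lookup))
```

Running the script walks the cases a deployment review cares about: a RADIUS-returned policy is honoured in the trusted domain, an accepted login with no policy attribute falls back to the user override, an unknown identity is rejected, and a MAC request in the detection domain is accepted locally with the restrictive Accept Policy. The last case shows why the two scenarios need separate domains: the same MAC request in the trusted domain is proxied to a backend that does not know it and is refused.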