Enterasys Networks 9034385 Plumbing Product User Manual


 
Procedures for Out-of-Band and Inline NAC
5-16 Design Procedures
User Overrides
A user override lets you create a configuration for a specific end user, based on the username. For example, you could create a user override that gives a trusted end user immediate network access without performing an assessment.

User overrides can be used in network scenarios similar to those described for MAC overrides:

• A specific user that requires a distinct set of parameters for authentication, assessment, and authorization. For example, a user override can be configured for executives of a corporation to permit immediate network access without assigning the Assessment Policy during end system assessment.
• A specific user can be restricted network access (“blacklisted”) for a particular Security Domain or all Security Domains, by associating the username with the Accept Policy of “Quarantine” or by sending a RADIUS Access Reject for this user. For example, an employee can be restricted access to a certain area of the network, or students can be denied network access during an exam.
• A specific user can be permitted a special level of network access (“whitelisted”) by associating the username with the Accept Policy of “Administrator” to allow unlimited network access.

It is important to note that the Layer 3 NAC Controller may not determine the true MAC address of the downstream connected end system. In this case, a MAC override configured in NAC
Table 5-3 MAC Override Configuration Guidelines (continued)

Network Scenario: A device, or class of devices, needs to be permitted a special level of network access (“whitelisted”) in a particular Security Domain or in all Security Domains.

Examples: Permitting an unrestricted level of access for end-systems that belong to IT operations.

Security Domain Configuration: In NAC Manager, create a MAC override with the following attributes:
• Specify either full MAC address or MAC address OUI.
• Select the Security Domain or all Security Domains for the MAC override scope.
• For the assessment, authentication, and authorization configuration, choose a NAC Configuration or specify a custom configuration with the following parameters:
  • Select the “Proxy RADIUS request to a RADIUS Server” radio button.
  • Check “Authorize MAC Authentication Requests Locally” so MAC authentication attempts by these devices are assigned the Accept Policy.
  • Check “Replace RADIUS Attributes with Accept Policy” so the policy information returned from the RADIUS server will be overwritten by the Accept Policy.
  • Specify “Administrator” as the Accept Policy to allow unlimited access for these devices.
  • Uncheck the “Enable Assessment” checkbox so these devices are not assessed for security posture compliance.
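The following is an added illustration, not code from the Enterasys manual or from NAC Manager: a small model of how the user and MAC overrides described in this section resolve to an Accept Policy (or a RADIUS Access Reject) for a given username, MAC address and Security Domain. The ALL_DOMAINS sentinel, the user-before-MAC precedence, the "NAC Configuration" fallback and the mac_known flag (modelling the Layer 3 NAC Controller case where the true MAC is not determined) are assumptions of this model, and the sample overrides are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

ALL_DOMAINS = "*"  # assumed sentinel meaning "all Security Domains"

@dataclass
class MacOverride:
    match: str             # full MAC ("00:11:22:33:44:55") or 3-byte OUI ("00:11:22")
    domain: str            # Security Domain name, or ALL_DOMAINS
    accept_policy: str     # Accept Policy assigned on match, e.g. "Administrator"
    enable_assessment: bool = True  # unchecked "Enable Assessment" -> False

@dataclass
class UserOverride:
    username: str
    domain: str
    accept_policy: Optional[str]    # None models "send a RADIUS Access Reject"
    enable_assessment: bool = True

def _norm(mac: str) -> str:
    return mac.lower().replace("-", ":")

def mac_matches(ov: MacOverride, mac: str) -> bool:
    pattern, mac = _norm(ov.match), _norm(mac)
    if len(pattern) == 8:                     # OUI form xx:xx:xx
        return mac.startswith(pattern + ":")  # whole-octet prefix match only
    return mac == pattern

def in_scope(ov, domain: str) -> bool:
    return ov.domain in (ALL_DOMAINS, domain)

def decide(mac: str, username: str, domain: str, mac_overrides, user_overrides,
           mac_known: bool = True) -> Tuple[str, bool]:
    """Return (result, assess): result is "Access-Reject", an Accept Policy
    name, or "NAC Configuration" when no override applies. Checking user
    overrides before MAC overrides is an assumption of this model."""
    for uo in user_overrides:
        if uo.username == username and in_scope(uo, domain):
            if uo.accept_policy is None:
                return "Access-Reject", False
            return uo.accept_policy, uo.enable_assessment
    # Behind a Layer 3 NAC Controller the true MAC may not be known; this
    # model then skips MAC overrides rather than matching on a wrong address.
    if mac_known:
        for mo in mac_overrides:
            if in_scope(mo, domain) and mac_matches(mo, mac):
                return mo.accept_policy, mo.enable_assessment
    return "NAC Configuration", True

# Constructed sample overrides mirroring the scenarios in this section.
IT_OPS_OUI = MacOverride("00:11:22", ALL_DOMAINS, "Administrator", enable_assessment=False)
EXAM_BLOCK = UserOverride("student1", "ExamLab", None)
```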