Out-of-Band NAC Design Procedures
Enterasys NAC Design Guide 5-19
configuration if the security vulnerability is considered a risk for the organization. For more information on Nessus, refer to http://nessus.org/.
Out-of-Band NAC Design Procedures

The following section continues the Enterasys NAC design procedure with steps specifically relating to the implementation of out-of-band NAC with the NAC Gateway.

1. Identify Network Authentication Configuration

Since NAC Gateways utilize authentication for the detection of connecting end-systems, it is necessary to identify which authentication methods are to be configured in the intelligent edge of the network. For more information on evaluating authentication on the network, see "Survey the Network" (page 4-2).

The following considerations should be taken into account when deploying authentication on the network:

• The capabilities of end-systems connecting to the network.
  Human-centric devices may support user-based authentication methods such as 802.1X or web-based authentication only if an 802.1X supplicant or a web browser is supported on the end-system. Machine-centric devices most likely only support device-based authentication methods like MAC authentication.

• The types of users connecting to the network.
  It is necessary to understand how authentication affects the different types of users connecting to the network and what implications this has on the NAC solution. For example, while trusted users authenticate using a set of valid credentials held in a directory on the network, untrusted or guest users may fail authentication upon connection.

• The complexity involved in deploying authentication on the network, if it is not yet deployed.
  Rolling out 802.1X authentication on the network requires extensive planning and mandates configuration and possible upgrade of infrastructure devices and end-systems, and the dissemination of credentials to connecting users and devices. Since this is a significant undertaking, it may be desirable to utilize MAC-based authentication for the initial rollout of NAC and migrate over to 802.1X over a period of time. This way, most benefits of NAC can be obtained in the short term while the infrastructure is readied for a full 802.1X authentication rollout.

• The authentication method supported by the intelligent edge of the network.
  Edge infrastructure devices may need to support multiple authentication methods concurrently to account for different devices connecting to the network. Furthermore, the authentication and authorization of multiple devices on a single port may also need to be supported.
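The four considerations above interact on a single edge port: which methods the port offers, which of them each end-system can actually perform, what happens to a user whose credentials are not in the directory, and how many end-systems one port may hold. The following Python model, added here as an illustration and not Enterasys code or any part of the NAC Gateway, plays those rules through. The method precedence (802.1X, then web-based, then MAC), the policy names ("enterprise", "device", "guest", "blocked") and the in-memory directory and MAC list are all constructed assumptions for the example; in a real deployment the credential and MAC checks are performed by the RADIUS server behind the edge switch.

```python
"""Edge-port authentication model for out-of-band NAC (constructed example).

A port may have several authentication methods enabled concurrently. Each
connecting end-system is tried with the strongest user-based method it can
support first, falling back to device-based MAC authentication. Trusted users
hold credentials in a directory; an end-system that fails every enabled method
is treated as untrusted/guest rather than being given enterprise access.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed precedence: strongest (user-based) method first, device-based last.
METHOD_ORDER = ("dot1x", "web", "mac")


@dataclass(frozen=True)
class EndSystem:
    mac: str
    has_supplicant: bool = False            # can perform 802.1X
    has_browser: bool = False               # can perform web-based authentication
    credentials: Optional[tuple] = None     # (username, password) of a human user


@dataclass
class PortConfig:
    methods: tuple = ("mac",)   # authentication methods enabled concurrently on the port
    max_users: int = 1          # how many end-systems may authenticate on one port


@dataclass
class EdgePort:
    config: PortConfig
    sessions: dict = field(default_factory=dict)   # mac -> (method, policy)

    def connect(self, es: EndSystem, directory: dict, known_macs: set) -> tuple:
        """Authenticate a connecting end-system and return (method, policy)."""
        # A port that already holds max_users end-systems admits no new one at all.
        if es.mac not in self.sessions and len(self.sessions) >= self.config.max_users:
            return ("none", "blocked")
        for method in METHOD_ORDER:
            if method not in self.config.methods:
                continue
            result = _try_method(method, es, directory, known_macs)
            if result is not None:
                self.sessions[es.mac] = result
                return result
        # Every enabled method failed or was unusable: untrusted or guest end-system.
        self.sessions[es.mac] = ("none", "guest")
        return self.sessions[es.mac]


def _user_credentials_valid(es: EndSystem, directory: dict) -> bool:
    """Directory lookup standing in for the RADIUS/LDAP check of a trusted user."""
    if not es.credentials:
        return False
    user, password = es.credentials
    return directory.get(user) == password


def _try_method(method, es, directory, known_macs):
    """One authentication attempt; None means not applicable to this end-system or failed."""
    if method == "dot1x" and es.has_supplicant and _user_credentials_valid(es, directory):
        return ("dot1x", "enterprise")
    if method == "web" and es.has_browser and _user_credentials_valid(es, directory):
        return ("web", "enterprise")
    if method == "mac" and es.mac in known_macs:
        return ("mac", "device")
    return None


def demo() -> dict:
    """Constructed scenario: a multi-method, multi-user port plus a MAC-only rollout port."""
    directory = {"alice": "s3cret"}        # constructed trusted-user directory
    known_macs = {"00:11:22:33:44:55"}     # constructed registered printer MAC
    port = EdgePort(PortConfig(methods=("dot1x", "mac"), max_users=3))
    laptop = EndSystem("aa:bb:cc:dd:ee:01", has_supplicant=True, credentials=("alice", "s3cret"))
    printer = EndSystem("00:11:22:33:44:55")
    guest = EndSystem("aa:bb:cc:dd:ee:02", has_supplicant=True, credentials=("bob", "wrong"))
    extra = EndSystem("aa:bb:cc:dd:ee:03")
    # Initial rollout phase: only MAC authentication enabled, laptop MAC pre-registered.
    rollout_port = EdgePort(PortConfig(methods=("mac",), max_users=1))
    # Browser-only device (no supplicant) on a port offering 802.1X and web auth.
    web_port = EdgePort(PortConfig(methods=("dot1x", "web"), max_users=1))
    tablet = EndSystem("aa:bb:cc:dd:ee:04", has_browser=True, credentials=("alice", "s3cret"))
    return {
        "laptop": port.connect(laptop, directory, known_macs),
        "printer": port.connect(printer, directory, known_macs),
        "guest": port.connect(guest, directory, known_macs),
        "extra": port.connect(extra, directory, known_macs),
        "sessions_on_port": len(port.sessions),
        "laptop_mac_only": rollout_port.connect(laptop, directory, {laptop.mac}),
        "tablet_web": web_port.connect(tablet, directory, set()),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two behaviours in the model are worth noting for design. The guest laptop has a supplicant but no directory account, so 802.1X fails and, with no registered MAC, it lands in the guest policy rather than being denied a session outright; the fourth end-system is blocked only because the port's user limit is reached, which is the multi-user-per-port capacity the last bullet refers to. The rollout port shows the migration path from the third bullet: with only MAC authentication enabled, an 802.1X-capable laptop is still admitted by its registered MAC and gains user-based authorization later, once 802.1X is enabled on the port.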