Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Out-of-Band NAC Design Procedures

Enterasys NAC Design Guide 5-19

configurationifthesecurityvulnerabilityisconsideredariskfortheorganization.Formore

informationonNessus,refertohttp://nessus.org/.

Out-of-Band NAC Design Procedures

ThefollowingsectioncontinuestheEnterasysNACdesignprocedurewithstepsspecifically

relatingtotheimplementationofout‐of‐bandNACwiththeNACGateway.

1. Identify Network Authentication Configuration

SinceNACGatewaysutilizeauthenticationforthedetectionofconnectingend‐systems,itis

necessarytoidentifywhichauthenticationmethodsaretobeconfiguredintheintelligentedgeof

thenetwork.Formoreinformationonevaluatingauthenticationonthenetwork,see“Surveythe

Network”(page 4‐2).

Thefollowingconsiderationsshouldbe

takenintoaccountwhendeployingauthenticationonthe

network:

•Thecapabilitiesofend‐systemsconnectingtothenetwork.

Human‐centricdevicesmaysupportuser‐basedauthenticationmethodssuchas802.1X or

web‐basedauthenticationonlyifan802.1Xsupplicantorawebbrowserissupportedonthe

end‐system.Machine‐centric

devicesmostlikelyonlysupportdevice‐basedauthentication

methodslikeMACauthentication.

•Thetypesofusersconnectingtothenetwork.

Itisnecessarytounderstandhowauthenticationaffectsthedifferenttypeofusersconnecting

tothenetworkandwhatimplicationsthishasontheNACsolution.Forexample,while

trustedusers

authenticateusingasetofvalidcredentialsheldinadirectoryonthenetwork,

untrustedorguestusersmayfailauthenticationuponconnection.

•Thecomplexityinvolvedindeployingauthenticationonthenetwork,ifitisnotyetdeployed.

Rollingout802.1Xauthenticationonthenetworkrequiresextensiveplanningandmandates

configuration

andpossibleupgradeofinfrastructuredevicesandend‐systems,andthe

disseminationofcredentialstoconnectingusersanddevices.Sincethisisasignificant

undertaking,itmaybedesirabletoutilizeMAC‐basedauthenticationfortheinitialrolloutof

NACandmigrateoverto802.1Xoveraperiodoftime.

Thisway,mostbenefitsofNACcanbe

obtainedintheshorttermwhiletheinfrastructureisreadiedforafull802.1Xauthentication

rollout.

•Theauthenticationmethodsupportedbytheintelligentedgeofthenetwork.

Edgeinfrastructuredevicesmayneedtosupportmultipleauthentication methods

concurrentlytoaccountfordifferentdevices

connectingtothenetwork.Furthermore,the

authenticationandauthorizationofmultipledevicesonasingleportmayalsoneedtobe

supported.

previous next