Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Out-of-Band NAC Design Procedures

5-22 Design Procedures

primaryNACGateway,thetransitiontothesecondaryNACGatewaywillnotexceed

maximumcapacity.

TosupportredundancywithinaSecurityDomainforeitherapproach,oneadditionalNAC

Gateway(ofthesamemodelorwithincreasedcapacity)mustbedeployedperSecurityDomainin

additiontotheNACGatewaysdeployedto

handlethemaximumnumberofconcurrentend‐

systemsconnectingtothenetwork.

ItisimportanttonotethateachNACGatewaycanbeconfiguredtoproxyRADIUSauthentication

requeststoaparticularRADIUSserver.Therefore,iftwoswitchesinthenetworkprovideaccess

to802.1Xorweb‐basedauthenticatingusers,and

thecredentialsfortheusersconnectedtoeach

switcharelocatedondifferentRADIUSserversdeployedonthenetwork,theneachswitchmust

beconfiguredtouseitsownNACGateway.EachNACGatewayisthenconfiguredtouseits

respectiveRADIUSserver.Forexample,anenterprisenetworkthatutilizes

aparticularRADIUS

serverforthe802.1Xauthenticationofwirelessusers,woulduseadifferentRADIUSserverfor

authenticatingwiredusers.Inthiscase,thesameNACGatewaycouldnotbeusedfortheswitch

providingwirelessaccessandtheswitchprovidingwiredaccess.

3. Determine NAC Gateway Location

AfterdeterminingthenumberofNACGatewaysrequiredfortheNACdeployment,thenextstep

istodetermineNACGatewaylocationonthenetwork.ThisisdependentontheNAC

deploymentmodelthatisimplementedonthenetwork.

IftheNACdeploymentdoesnotimplementremediationofquarantinedend‐systemsor

MAC

(network)registrationofnewdevicesonthenetwork,thentheNACGatewaysarelocatedinthe

authenticationpathofconnectingend‐systemsasaproxyRADIUSserver.Thismeansthatthe

RADIUSclientontheaccesslayerswitchescommunicatesdirectlytotheNACGatewayover

UDP/IP,andtheNACGateway

inturncommunicatestoabackendRADIUSserver.Therefore,the

onlyrequirementforNACGatewayplacementisthataroutableIPforwardingpathexists

betweeneachNACGatewayanditsassociatedaccesslayerswitches.

OneoptionistoplaceallNACGatewaysinthedatacenter,possiblyadjacenttotheRADIUS



serversdeployedonthenetwork.Becausetheend‐systemassessmentisnotdirectlyexecuted

fromtheNACGateways,thechoiceofthelocationfortheNACGatewaydoesnotimpactthe

NACoperation,assumingIPconnectivitybetweentheaccesslayerswitchesandtheNAC

Gatewaysismaintained.

Forabranch

officedeploymentofNAC,aNACGatewaymaybeinstalledatthebranchofficeor

atthemainsite.TheadvantageoftheNACGatewaybeinginstalledatthebranchofficeisthat

authenticationtrafficgeneratedfromend‐systemsatthebranchofficewillnotutilizethe

bandwidthoftheWAN

connection,unlessauthenticationrequestsareproxiedtoaRADIUS

serverdeployedatthemainsite.IftheNACGatewayisinstalledatthebranchofficelocation,

NACManagerrequirescommunicationtotheNACGatewayonlyduringconfiguration,

minimizingthebandwidthconsumptionovertheWANlink.TheNACGatewayneednot

communicatewithNACManagerfortheauthentication,assessment,andauthorizationof

connectingend‐systems.

IfeitherremediationorMACregistrationisimplemented,theNACGatewaysthatareperforming

remediationandregistrationserverfunctionalityviaweb‐redirection,mustbestrategically

positionedonthenetworkforendusernotification.TheNACGatewaymust

beinstalledona

networksegmentdirectlyconnectedtotherouterorroutersthatexistintheforwardingpathfor

HTTPtrafficfromend‐systemsthatmaybequarantinedorunregistered.Thisisbecausepolicy‐

basedroutingwillbeconfiguredontherouterorrouterstoredirectthewebtrafficsourced

from

quarantinedandunregisteredend‐systemstotheNACGatewaytoservetheremediationand

registrationwebpage.

previous next