Out-of-Band NAC Design Procedures
5-22 Design Procedures
primary NAC Gateway, the transition to the secondary NAC Gateway will not exceed maximum capacity.

To support redundancy within a Security Domain for either approach, one additional NAC Gateway (of the same model or with increased capacity) must be deployed per Security Domain in addition to the NAC Gateways deployed to handle the maximum number of concurrent end-systems connecting to the network.
It is important to note that each NAC Gateway can be configured to proxy RADIUS authentication requests to a particular RADIUS server. Therefore, if two switches in the network provide access to 802.1X or web-based authenticating users, and the credentials for the users connected to each switch are located on different RADIUS servers deployed on the network, then each switch must be configured to use its own NAC Gateway. Each NAC Gateway is then configured to use its respective RADIUS server. For example, an enterprise network that utilizes a particular RADIUS server for the 802.1X authentication of wireless users would use a different RADIUS server for authenticating wired users. In this case, the same NAC Gateway could not be used for the switch providing wireless access and the switch providing wired access.
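As an added worked example (not code from the guide or the product), the two sizing rules above, N+1 redundancy per Security Domain and one backend RADIUS server per NAC Gateway, expressed as a small Python planning check; switch names, end-system counts, gateway capacity and gateway names are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import ceil

@dataclass(frozen=True)
class Switch:
    name: str
    radius_server: str     # backend RADIUS server holding this switch's user credentials
    peak_end_systems: int  # maximum concurrent end-systems authenticating through it

def plan_gateways(switches, gateway_capacity):
    """Size NAC Gateways per backend RADIUS server: a gateway proxies to one server,
    so switches are grouped by server; each group gets enough primaries for its peak
    concurrent end-systems plus one redundant unit (N+1 within the Security Domain)."""
    groups = defaultdict(list)
    for sw in switches:
        groups[sw.radius_server].append(sw)
    plan = {}
    for server, members in sorted(groups.items()):
        peak = sum(sw.peak_end_systems for sw in members)
        primaries = max(1, ceil(peak / gateway_capacity))
        plan[server] = {
            "switches": sorted(sw.name for sw in members),
            "peak_end_systems": peak,
            "primary_gateways": primaries,
            "total_gateways": primaries + 1,
        }
    return plan

def conflicting_gateways(assignment, switches):
    """Return gateways (from a switch-name -> gateway-name map) that would have to
    proxy to more than one RADIUS server, which a single NAC Gateway cannot do."""
    server_of = {sw.name: sw.radius_server for sw in switches}
    servers_by_gw = defaultdict(set)
    for sw_name, gw in assignment.items():
        servers_by_gw[gw].add(server_of[sw_name])
    return sorted(gw for gw, servers in servers_by_gw.items() if len(servers) > 1)

# Constructed sample inventory (hypothetical names and counts, not from the guide).
SWITCHES = [
    Switch("wired-sw1", "radius-wired", 800),
    Switch("wired-sw2", "radius-wired", 600),
    Switch("wlan-ctrl1", "radius-wlan", 500),
]
# Sharing nacgw-1 between a wired switch and the wireless controller is the misconfiguration described above.
BAD_ASSIGNMENT = {"wired-sw1": "nacgw-1", "wired-sw2": "nacgw-2", "wlan-ctrl1": "nacgw-1"}

if __name__ == "__main__":
    print(plan_gateways(SWITCHES, gateway_capacity=1000))
    print("conflicting gateways:", conflicting_gateways(BAD_ASSIGNMENT, SWITCHES))
```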
3. Determine NAC Gateway Location
After determining the number of NAC Gateways required for the NAC deployment, the next step is to determine NAC Gateway location on the network. This is dependent on the NAC deployment model that is implemented on the network.
If the NAC deployment does not implement remediation of quarantined end-systems or MAC (network) registration of new devices on the network, then the NAC Gateways are located in the authentication path of connecting end-systems as a proxy RADIUS server. This means that the RADIUS client on the access layer switches communicates directly to the NAC Gateway over UDP/IP, and the NAC Gateway in turn communicates to a backend RADIUS server. Therefore, the only requirement for NAC Gateway placement is that a routable IP forwarding path exists between each NAC Gateway and its associated access layer switches.
One option is to place all NAC Gateways in the data center, possibly adjacent to the RADIUS servers deployed on the network. Because the end-system assessment is not directly executed from the NAC Gateways, the choice of the location for the NAC Gateway does not impact the NAC operation, assuming IP connectivity between the access layer switches and the NAC Gateways is maintained.
For a branch office deployment of NAC, a NAC Gateway may be installed at the branch office or at the main site. The advantage of the NAC Gateway being installed at the branch office is that authentication traffic generated from end-systems at the branch office will not utilize the bandwidth of the WAN connection, unless authentication requests are proxied to a RADIUS server deployed at the main site. If the NAC Gateway is installed at the branch office location, NAC Manager requires communication to the NAC Gateway only during configuration, minimizing the bandwidth consumption over the WAN link. The NAC Gateway need not communicate with NAC Manager for the authentication, assessment, and authorization of connecting end-systems.
If either remediation or MAC registration is implemented, the NAC Gateways that are performing remediation and registration server functionality via web-redirection must be strategically positioned on the network for end user notification. The NAC Gateway must be installed on a network segment directly connected to the router or routers that exist in the forwarding path for HTTP traffic from end-systems that may be quarantined or unregistered. This is because policy-based routing will be configured on the router or routers to redirect the web traffic sourced from quarantined and unregistered end-systems to the NAC Gateway to serve the remediation and registration web page.