Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Out-of-Band NAC Design Procedures

Enterasys NAC Design Guide 5-23

Itisimportanttonotethatonly theNACGatewaysthatareconfiguredwithremediationand

registrationfunctionalityneedtobepositionedinsuchamanner.AllotherNACGatewaysmay

bepositionedatanylocationonthenetwork,withtheonlyrequirementbeingthataccesslayer

switchesareableto

communicatetothegateways.Typically ,theNACGatewaywithremediation

andregistrationfunctionalityispositionedonanetworksegmentdirectlyconnectedtothe

distributionlayerroutersontheenterprisenetwork,sothatanyHTTPtrafficsourcedfrom

quarantinedend‐systemsthatareconnectedtothenetworkʹsaccesslayercan

beredirectedtothat

NACGateway.Asanalternative,theNACGatewaymaybepositionedonanetworksegment

directlyconnectedtotherouterprovidingconnectivitytotheInternetorinternalwebserverfarm.

Inthisscenario,theHTTPtrafficsourcedfromquarantinedend‐systemswouldberedirectedto

theNAC

GatewaybeforereachingtheInternetorinternalwebservers.

4. Identify Backend RADIUS Server Interaction

IfaNACGatewayisreceiving802.1Xand/orweb‐basedauthenticationrequestsforconnecting

end‐systems,thenabackendRADIUSservermustbeconfiguredtovalidateendusercredentials

intheauthenticationprocess.ForeachNACGateway,aprimaryandsecondaryRADIUSserver

canbespecifiedforthevalidationofuser/device

networklogincredentialsonthenetwork.

If802.1X,web‐based,orRADIUSauthenticationforswitchmanagementloginsisimplemented,a

RADIUSserverwithbackenddirectoryservicesmustbedeployedonthenetwork.ARADIUS

serverisnotnecessaryifonlyMACauthenticationisdeployedonthenetwork.

AllRADIUSserverssupporting

RFC2865andsubsequentRADIUSstandardsaresupportedby

EnterasysNACapplianceswhenproxyingRADIUSauthenticationrequests.Testshavebeen

conductedonthefollowingRADIUSservers:

• FreeRADIUS

•MicrosoftIAS

•FunkSteelbeltedRADIUS

•CiscoACS

5. Determine End-System Mobility Restrictions

WhileSecurityDomain‐specificMACanduseroverridescanbeconfiguredtocontrolend‐system

andendusermobilityacrossthenetworkandbetweenSecurityDomains,the“LockMAC”

featureallowsthenetworkadministratortorestrictnetworkaccessforspecificend‐systemtoa

switchportorswitch.Theend‐system

canbedeniednetworkaccesswithaRADIUSAccess‐Reject

messagereturnedtotheswitch,orassignedaspecificpolicyorVLANwhenconnectingtothe

networkinarestrictedarea.HerearesomeexamplesofhowtheLockMACfeaturecanbeused:

•Aprinter,server,orotherend‐system

couldbeallowednetworkaccessonlywhenitis

connectedtoaportspecifiedbyIToperations.Thispreventssecurityissuesthatcouldresultif

thedevicewasmovedtoadifferentareaofthenetwork.

•AnIPphonewithaMACoverridecouldbelockedtoaspecificporton

aswitch.Thiswould

allowexactidentificationofthephoneʹslocationincaseanemergency(911)callwasplaced

fromthephone.

previous next