Out-of-Band NAC Design Procedures
Enterasys NAC Design Guide 5-23
It is important to note that only the NAC Gateways that are configured with remediation and registration functionality need to be positioned in such a manner. All other NAC Gateways may be positioned at any location on the network, with the only requirement being that access layer switches are able to communicate to the gateways. Typically, the NAC Gateway with remediation and registration functionality is positioned on a network segment directly connected to the distribution layer routers on the enterprise network, so that any HTTP traffic sourced from quarantined end-systems that are connected to the network's access layer can be redirected to that NAC Gateway. As an alternative, the NAC Gateway may be positioned on a network segment directly connected to the router providing connectivity to the Internet or internal web server farm. In this scenario, the HTTP traffic sourced from quarantined end-systems would be redirected to the NAC Gateway before reaching the Internet or internal web servers.
4. Identify Backend RADIUS Server Interaction
If a NAC Gateway is receiving 802.1X and/or web-based authentication requests for connecting end-systems, then a backend RADIUS server must be configured to validate end user credentials in the authentication process. For each NAC Gateway, a primary and secondary RADIUS server can be specified for the validation of user/device network login credentials on the network.
If 802.1X, web-based, or RADIUS authentication for switch management logins is implemented, a RADIUS server with backend directory services must be deployed on the network. A RADIUS server is not necessary if only MAC authentication is deployed on the network.
All RADIUS servers supporting RFC 2865 and subsequent RADIUS standards are supported by Enterasys NAC appliances when proxying RADIUS authentication requests. Tests have been conducted on the following RADIUS servers:
• FreeRADIUS
• Microsoft IAS
• Funk Steel-Belted RADIUS
• Cisco ACS
5. Determine End-System Mobility Restrictions
While Security Domain-specific MAC and user overrides can be configured to control end-system and end user mobility across the network and between Security Domains, the "Lock MAC" feature allows the network administrator to restrict network access for a specific end-system to a switch port or switch. The end-system can be denied network access with a RADIUS Access-Reject message returned to the switch, or assigned a specific policy or VLAN when connecting to the network in a restricted area. Here are some examples of how the Lock MAC feature can be used:
• A printer, server, or other end-system could be allowed network access only when it is connected to a port specified by IT operations. This prevents security issues that could result if the device was moved to a different area of the network.
• An IP phone with a MAC override could be locked to a specific port on a switch. This would allow exact identification of the phone's location in case an emergency (911) call was placed from the phone.
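The following Python is an added illustration of the Lock MAC decision described above, not code from the guide or from the NAC appliance itself. It models a lock table with both a port-level lock (printer, rejected if moved) and a switch-level lock (IP phone, given a restricted policy if moved); the switch addresses, port names, MAC addresses and policy names are constructed assumptions, and Calling-Station-Id values are normalised because different switches format the MAC differently.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple


def normalize_mac(mac: str) -> str:
    """Canonicalise a Calling-Station-Id MAC: switches may send
    00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class MacLock:
    mac: str                           # locked end-system (normalised)
    switch: str                        # NAS-IP-Address of the permitted switch
    port: Optional[str]                # NAS-Port-Id; None locks to the whole switch
    restricted_policy: Optional[str]   # policy/VLAN if seen elsewhere; None = Access-Reject


def lock_mac_decision(locks, calling_station_id, nas_ip, nas_port_id,
                      normal_policy="Enterprise User") -> Tuple[str, Optional[str]]:
    """Return (RADIUS response, policy to assign) for one authentication request."""
    mac = normalize_mac(calling_station_id)
    lock = next((entry for entry in locks if entry.mac == mac), None)
    if lock is None:
        return ("Access-Accept", normal_policy)       # not locked: normal processing
    in_place = lock.switch == nas_ip and (lock.port is None or lock.port == nas_port_id)
    if in_place:
        return ("Access-Accept", normal_policy)       # connected where IT placed it
    if lock.restricted_policy is None:
        return ("Access-Reject", None)                # moved: deny access outright
    return ("Access-Accept", lock.restricted_policy)  # moved: restricted policy/VLAN


# Constructed sample lock table (hypothetical addresses and policy names).
LOCKS = [
    # Printer locked to one port; reject it anywhere else.
    MacLock(normalize_mac("00-11-22-AA-BB-01"), "10.0.1.10", "ge.1.5", None),
    # IP phone locked to one switch; quarantine it on any other switch.
    MacLock(normalize_mac("0011.22aa.bb02"), "10.0.1.11", None, "Quarantine"),
]
```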