Out-of-Band NAC Design Procedures
Enterasys NAC Design Guide 5-25
previously specified in the NAC configuration must be defined in NetSight Policy Manager to ensure the consistent allocation of network resources to connecting end‐systems.
Failsafe Policy and Accept Policy Configuration
The Failsafe Policy is assigned to end‐systems when an error occurs in the NAC process. An error state results if the end‐system's IP address could not be determined from its MAC address, or if there was an assessment error and an assessment of the end‐system could not take place.
For Enterasys policy‐enabled switches, a corresponding policy role (created in Policy Manager) should allocate a nonrestrictive set of network resources to the connecting end‐system so it can continue its connectivity on the network, even though an error occurred in the NAC process.
The Accept Policy is assigned to an end‐system when it has been authorized locally by the NAC Gateway and when an end‐system has passed an assessment (if an assessment was required), or if the Accept Policy has been configured to replace the Filter‐ID information returned in the RADIUS authentication messages.
For Enterasys policy‐enabled switches, a corresponding policy role (created in Policy Manager) would allocate the appropriate set of network resources for the end‐system depending on their role in the enterprise. For example, you might associate the Accept Policy to the “Enterprise User” role that is defined in the NetSight Policy Manager demo.pmd file.
Assessment Policy and Quarantine Policy Configuration
The Assessment Policy and Quarantine Policy are used when end‐system assessment is implemented in the NAC deployment. The policy roles shown in the Policy Manager window below correspond to the access policies used in NAC Manager. For example, the Assessing Policy role in Policy Manager corresponds to the Assessment Policy in NAC Manager. Note that the Administrator, Enterprise User, Enterprise Access, and Guest Access policy roles are also defined in the Policy Manager demo.pmd file.