Out-of-Band NAC Design Procedures
Enterasys NAC Design Guide 5-27
Figure 5-7 Service for the Assessing Role
Note that it is not mandatory to assign the Assessment Policy to a connecting end-system while it is being assessed. NAC can be configured to assign the policy role received from the RADIUS server or the Accept Policy to the end-system while it is being assessed. In this way, the end-system can be granted immediate network access without mandating that the end user wait for assessment to be complete before full network resource allocation is granted. If NAC is configured to return the policy role received from the RADIUS Server, it is necessary that the enterprise's business-specific policy roles are configured to allow access to the appropriate network resources for communication with the assessment servers during assessment. This can be implemented by associating the Assessing service shown in Figure 5-7 to all business-specific policy roles in the NetSight Policy Manager configuration.
Quarantine Policy
The Quarantine Policy is used to restrict network access to end-systems that have failed assessment. For Enterasys policy-enabled switches, a corresponding Quarantine policy role (created in Policy Manager) should deny all traffic by default while permitting access to only required network resources such as basic network services (ARP, DHCP, and DNS).
If the NAC deployment implements remediation, the services associated to the Quarantine Policy must be configured to allow all HTTP traffic onto the network, in addition to other basic IP services such as ARP, DNS, and DHCP as shown in Figure 5-8.