Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Out-of-Band NAC Design Procedures

Enterasys NAC Design Guide 5-27

Figure 5-7 Service for the Assessing Role

NotethatitisnotmandatorytoassigntheAssessmentPolicytoaconnectingend‐systemwhileit

isbeingassessed.NACcanbeconfiguredtoassignthepolicyrolereceivedfromtheRADIUS

serverortheAcceptPolicytotheend‐systemwhileitisbeingassessed.Inthis

way,theend‐

systemcanbegrantedimmediatenetworkaccesswithoutmandatingthattheenduserwaitfor

assessmenttobecompletebeforefullnetworkresourceallocationisgranted.IfNACisconfigured

toreturnthepolicyrolereceivedfromtheRADIUSServer,itisnecessarythattheenterpriseʹs

business

‐specificpolicyrolesareconfiguredtoallowaccesstotheappropriatenetworkresources

forcommunicationwiththeassessmentserversduringassessment.Thiscanbeimplementedby

associatingtheAssessingserviceshowninFigure 5‐7toallbusiness‐specificpolicyrolesinthe

NetSightPolicyManagerconfiguration.

Quarantine Policy

TheQuarantinePolicyisusedtorestrictnetworkaccesstoend‐systemsthathavefailed

assessment.ForEnterasyspolicy‐enabledswitches,acorrespondingQuarantinepolicyrole

(createdinPolicyManager)shoulddenyalltrafficbydefaultwhilepermittingaccesstoonly

requirednetworkresourcessuchasbasicnetworkservices(ARP,DHCP,

andDNS).

IftheNACdeploymentimplementsremediation,theservicesassociatedtotheQuarantinePolicy

mustbeconfiguredtoallowallHTTPtrafficontothenetwork,inadditiontootherbasicIP

servicessuchasARP,DNS,andDHCPasshowninFigure 5‐8.

previous next