Figure 5-8 Service for the Quarantine Role
Furthermore, the Quarantine Policy and other network infrastructure devices must be configured to implement HTTP traffic redirection for quarantined end-systems, so that a web notification of the quarantined state is returned to the end-system.
Unregistered Policy
If MAC (network) registration is configured in the NAC deployment, an "Unregistered" policy can be assigned to connecting end-systems while they are unregistered on the network. This policy must be configured to allow basic services such as ARP, DNS, and DHCP, and to implement HTTP traffic redirection to return a web-based notification to unregistered end-systems. (Because this configuration is similar to the Quarantine Policy and the Assessment Policy, those policies could be assigned to unregistered end-systems, if desired.)
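The restricted role described for the Quarantine, Assessment and Unregistered policies reduces to an ordered rule list: allow ARP, DHCP and DNS, redirect HTTP to a notification portal, and deny everything else. The following is an added example that models that rule set as a first-match policy evaluator; it is not Enterasys code, and the rule names, the portal address and the sample flows are assumptions constructed for illustration.

```python
# Added example: minimal model of the restricted "Quarantine"/"Unregistered"
# role policy. Not Enterasys code; rule names, the portal address (PORTAL)
# and the sample flows below are assumptions constructed for this example.
from dataclasses import dataclass
from typing import Optional, List, Tuple

PORTAL = "10.0.0.10:80"   # assumed address of the web-notification portal


@dataclass(frozen=True)
class Flow:
    ethertype: str                 # "arp" or "ip"
    proto: Optional[str] = None    # "udp" / "tcp" for IP flows
    dport: Optional[int] = None    # destination port for IP flows


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "allow", "redirect" or "deny"
    ethertype: Optional[str] = None
    proto: Optional[str] = None
    dports: Tuple[int, ...] = ()   # empty tuple = any port

    def matches(self, f: Flow) -> bool:
        """A None/empty field is a wildcard; everything else must match."""
        if self.ethertype and f.ethertype != self.ethertype:
            return False
        if self.proto and f.proto != self.proto:
            return False
        if self.dports and f.dport not in self.dports:
            return False
        return True


# Ordered rule list for the restricted role: the basic services the text
# requires, HTTP redirected to the portal, and an explicit default deny.
RESTRICTED_ROLE: List[Rule] = [
    Rule("arp", "allow", ethertype="arp"),
    Rule("dhcp", "allow", ethertype="ip", proto="udp", dports=(67, 68)),
    Rule("dns-udp", "allow", ethertype="ip", proto="udp", dports=(53,)),
    Rule("dns-tcp", "allow", ethertype="ip", proto="tcp", dports=(53,)),
    Rule("http-redirect", "redirect", ethertype="ip", proto="tcp", dports=(80,)),
    Rule("default", "deny"),
]

# Unrestricted role for end-systems that have passed registration/assessment.
ENTERPRISE_ROLE: List[Rule] = [Rule("default", "allow")]


def evaluate(rules: List[Rule], flow: Flow):
    """First-match evaluation. Returns (rule name, action, redirect target)."""
    for r in rules:
        if r.matches(flow):
            target = PORTAL if r.action == "redirect" else None
            return r.name, r.action, target
    # Unreachable while the explicit default rule is present; fail closed anyway.
    return "implicit", "deny", None


def role_for(state: str) -> List[Rule]:
    """Quarantine, Assessment and Unregistered end-systems share the
    restricted rule set, as the text notes they can; any other state
    ("accept" in this model) gets the unrestricted role."""
    if state in {"quarantine", "assessment", "unregistered"}:
        return RESTRICTED_ROLE
    return ENTERPRISE_ROLE


if __name__ == "__main__":
    # Constructed sample flows from an unregistered end-system.
    samples = [
        Flow("arp"),
        Flow("ip", "udp", 67),     # DHCP
        Flow("ip", "udp", 53),     # DNS
        Flow("ip", "tcp", 80),     # HTTP -> redirected to the portal
        Flow("ip", "tcp", 443),    # HTTPS -> denied, cannot be redirected
        Flow("ip", "tcp", 445),    # SMB to a data-center host -> denied
    ]
    for f in samples:
        print(f, "->", evaluate(role_for("unregistered"), f))
```

One practitioner caveat the model makes visible: only plaintext HTTP can be redirected to the notification page. An end-system whose browser opens an HTTPS site first simply hits the default deny and sees no notification, so the portal redirect must be combined with user guidance or an OS captive-portal probe that uses plain HTTP.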
Inline NAC Design Procedures
The following section continues the Enterasys NAC design procedure with steps specifically relating to the implementation of inline NAC with the NAC Controller.
1. Determine NAC Controller Location
Because the NAC Controller is placed inline with traffic sourced from connecting end-systems, the location of NAC Controllers is directly dependent on the network topology. NAC Controllers are typically placed between the edge where end-systems connect to the network (for example, the wired and wireless access edge, or the remote access edge behind a VPN concentrator) and the network's core and data center where mission-critical infrastructure resources reside. This way, noncompliant end-systems can be restricted from communicating with mission-critical resources.

With the NAC Controller acting as the authorization point for traffic enforcement within inline NAC, there is a fundamental trade-off when positioning the NAC Controller in the network topology: the closer the NAC Controller is placed to the edge of the network, the higher the level of security achieved, in that end-systems are authorized closer to the point of connection and end-systems deemed noncompliant have access to a smaller set of network resources.