Inline NAC Design Procedures
5-32 Design Procedures
3. Identify Backend RADIUS Server Interaction
Layer 2 NAC Controllers detect downstream end-systems via authentication: MAC, web-based, or 802.1X. If web-based or 802.1X authentication is implemented, then a backend RADIUS server must be configured to validate end user credentials in the authentication process. For each Layer 2 NAC Controller, primary and secondary RADIUS servers may be specified for the validation of user/device network login credentials on the network.
4. Define Policy Configuration
Policies are assigned to downstream end-systems on the NAC Controller to authorize connecting devices with a level of network access. A default set of policies is automatically configured on each NAC Controller after installation and initialization of the appliance. This set of policies includes all policies defined by default in NAC Manager, such as Enterprise User, Quarantine, Assessing, Unregistered, and Failsafe. It is strongly recommended that the policy configurations of all NAC Controllers are imported into NetSight Policy Manager, reviewed, and appropriately modified, prior to the full rollout of inline NAC.
Failsafe Policy and Accept Policy Configuration
The Failsafe Policy is assigned to end-systems when an error occurs in the NAC process. The Failsafe policy role is configured by default on the NAC Controller to be used as the Failsafe Policy in NAC Manager. This policy is restrictive, allowing DNS and DHCP, and redirecting web traffic to serve back a web page stating an error has occurred on the network, while discarding all other types of traffic.
If it is desired to open network access when an error is encountered, the Enterprise User policy role can be selected as the Failsafe Policy in the NAC Configuration. The Enterprise User policy role is fairly open, permitting most types of communication onto the network. For security purposes, the Enterprise User policy role does deny communication to the NAC Controller over TCP and UDP ports utilized for administrative purposes, such as RADIUS and SSH. In addition, the Enterprise User policy discards all communication to NAC Manager's IP address for further security hardening. This policy role can be altered to further control which services a compliant end-system is allowed to utilize.
The Accept Policy is assigned to end-systems when they are deemed compliant. The Enterprise User policy role is configured by default on the NAC Controller to be used as the Accept Policy in NAC Manager.
Assessment Policy and Quarantine Policy Configuration
The Assessment Policy and Quarantine Policy are used when end-system assessment is implemented in the NAC deployment. The Assessment Policy may be used to temporarily allocate a set of network resources to end-systems while they are being assessed. The Assessing policy role is configured by default on NAC Controllers to be used as the Assessment Policy in NAC Manager. This policy allows DNS and DHCP, and any traffic destined to the IP address of the assessment servers deployed on the network. The policy also redirects web traffic to serve back a web page stating that the end-system has been restricted access while its security posture is being determined. All other types of traffic are discarded.
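A small model of the three default policy roles described above (Failsafe, Assessing and Enterprise User), added here as an illustration and not part of the original guide or of NAC Manager: it evaluates sample flows against each role's rule list in order, so the default behaviour of each role can be checked against the description before the policies are imported, reviewed and rolled out. The NAC Controller, NAC Manager and assessment-server addresses, and the use of the standard SSH (22) and RADIUS (1812/1813) ports for the administrative ports the text mentions, are assumptions.

```python
# Model of the default NAC Controller policy roles described in the text.
# Not Enterasys/NAC Manager code; all addresses and ports are constructed.
NAC_CONTROLLER = "10.0.0.10"        # assumed NAC Controller management IP
NAC_MANAGER = "10.0.0.20"           # assumed NAC Manager IP
ASSESSMENT_SERVERS = {"10.0.0.30"}  # assumed assessment server IP(s)
# Assumed admin ports (text says "such as RADIUS and SSH", no numbers).
ADMIN_PORTS = {22, 1812, 1813}

def dns_or_dhcp(f):
    return f["proto"] == "udp" and f["dport"] in (53, 67, 68)

def web(f):
    return f["proto"] == "tcp" and f["dport"] in (80, 443)

def to_assessment_server(f):
    return f["dst"] in ASSESSMENT_SERVERS

def to_nac_manager(f):
    return f["dst"] == NAC_MANAGER

def controller_admin(f):
    # Matches either TCP or UDP, as the text covers both.
    return f["dst"] == NAC_CONTROLLER and f["dport"] in ADMIN_PORTS

# A role is an ordered rule list (match, action) plus a default action.
# Actions: "permit", "deny", or "redirect" (web traffic to the notice page).
ROLES = {
    "Failsafe": ([(dns_or_dhcp, "permit"), (web, "redirect")], "deny"),
    "Assessing": ([(dns_or_dhcp, "permit"),
                   (to_assessment_server, "permit"),
                   (web, "redirect")], "deny"),
    # Open by default, but denies controller admin ports and NAC Manager.
    "Enterprise User": ([(to_nac_manager, "deny"),
                         (controller_admin, "deny")], "permit"),
}

def flow(dst, proto, dport):
    """Build one downstream end-system flow: destination IP, proto, port."""
    return {"dst": dst, "proto": proto, "dport": dport}

def evaluate(role, f):
    """First-match evaluation of a flow against the named policy role."""
    rules, default = ROLES[role]
    for match, action in rules:
        if match(f):
            return action
    return default

def review(role, flows):
    """Return (flow, action) pairs, the checklist a reviewer would walk."""
    return [(f, evaluate(role, f)) for f in flows]
```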
If it is desired to open network access while an end-system is being assessed, the use of the Assessment Policy can be disabled in the NAC configuration, or the Enterprise User policy role can be selected as the Assessment Policy instead. It is important to note that whenever a NAC configuration is enforced to the NAC Controller, the Assessment Policy is configured to allow