Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Inline NAC Design Procedures

5-32 Design Procedures

3. Identify Backend RADIUS Server Interaction

Layer2NACControllersdetectdownstreamend‐systemsviaauthentication:MAC,web‐based,or

802.1X.Ifweb‐basedor802.1X authenticationisimplemented,thenabackendRADIUSserver

mustbeconfiguredtovalidateendusercredentialsintheauthenticationprocess.ForeachLayer2

NACController,primaryandsecondaryRADIUSservers

maybespecifiedforthevalidationof

user/devicenetworklogincredentialsonthenetwork.

4. Define Policy Configuration

Policiesareassignedtodownstreamend‐systemsontheNACControllertoauthorizeconnecting

deviceswithalevelofnetworkaccess.Adefaultsetofpoliciesareautomaticallyconfiguredon

eachNACControllerafterinstallationandinitializationoftheappliance.Thissetofpolicies

includesallpoliciesdefinedbydefaultin

NACManager,suchasEnterpriseUser,Quarantine,

Assessing,Unregistered,andFailsafe.Itisstronglyrecommendedthatthepolicyconfigurations

ofallNACControllersareimportedintoNetSightPolicyManager,reviewed,andappropriately

modified,priortothefullrolloutofinlineNAC.

Failsafe Policy and Accept Policy Configuration

TheFailsafePolicyisassignedtoend‐systemswhenanerroroccursintheNACprocess.The

FailsafepolicyroleisconfiguredbydefaultontheNACControllertobeusedastheFailsafe

PolicyinNACManager.Thispolicyisrestrictive,allowingDNSandDHCP,andredirectingweb

trafficto

servebackawebpagestatinganerrorhasoccurredonthenetwork,whilediscardingall

othertypesoftraffic.

Ifitisdesiredtoopennetworkaccesswhenanerrorisencountered,theEnterpriseUserpolicy

rolecanbeselectedastheFailsafePolicyintheNACConfiguration.The

EnterpriseUserpolicy

roleisfairlyopen,permittingmosttypesofcommunicationontothenetwork.Forsecurity

purposestheEnterpriseUserpolicyroledoesdenycommunicationtotheNACControllerover

TCPandUDPports(utilizedforadministrativepurposes,suchasRADIUSandSSH).Inaddition,

theEnterpriseUserpolicydiscards

allcommunicationtoNACManagerʹsIPaddressforfurther

securityhardening.Thispolicyrolecanbealteredtofurthercontrolwhichservicesacompliant

end‐systemisallowedtoutilize.

TheAcceptPolicyisassignedtoend‐systemswhentheyaredeemedcompliant.TheEnterprise

Userpolicyroleisconfigured

bydefaultontheNACControllertobeusedastheAcceptPolicyin

NACManager.

Assessment Policy and Quarantine Policy Configuration

TheAssessmentPolicyandQuarantinePolicyareusedwhenend‐systemassessmentis

implementedintheNACdeployment.TheAssessmentPolicymaybeusedtotemporarilyallocate

asetofnetworkresourcestoend‐systemswhiletheyarebeingassessed.TheAssessingpolicyrole

isconfiguredbydefaultonNACControllers

tobeusedastheAssessmentPolicyinNAC

Manager.ThispolicyallowsDNSandDHCP,andanytrafficdestinedtotheIPaddressofthe

assessmentserversdeployedonthenetwork.Thepolicyalsoredirectswebtraffictoservebacka

webpagestatingthattheend‐systemhas

beenrestrictedaccesswhileitssecuritypostureisbeing

determined.Allothertypesoftrafficarediscarded.

Ifitisdesiredtoopennetworkaccesswhileanend‐systemisbeingassessed,theuseofthe

AssessmentPolicycanbedisabledintheNACconfiguration,ortheEnterpriseUserpolicyrole



canbeselectedastheAssessmentPolicyinstead.ItisimportanttonotethatwheneveraNAC

configurationisenforcedtotheNACController,theAssessmentPolicyisconfiguredtoallow

previous next