Enterasys Networks 9034385 manual Scenario 3 Non-intelligent Access Edge Wired and Wireless

Page 47

Scenario 3: Non-intelligent Access Edge (Wired and Wireless)

It is important to note that if the wireless edge of the network is non‐intelligent and not capable of authenticating and authorizing wireless end‐systems, it is possible to augment the network topology to implement out‐of‐band NAC with the NAC Gateway. This can be accomplished without replacing the physical edge of the network, by adding an intelligent edge switch that possesses specialized authentication and authorization features.

The Enterasys Matrix N‐series switch is capable of authenticating and authorizing numerous end‐ systems connected on a single port through Multi‐User Authentication (MUA), and may be positioned upstream from non‐intelligent third‐party wireless APs to act as the intelligent edge on the network. The Enterasys Matrix N‐series switch is capable of authenticating and authorizing over 1000 end‐systems uplinked to a single Matrix N‐series port from an AP, a set of APs, or wireless switches. In this configuration, the Matrix N‐series acts as the intelligent edge switch on the network, although not physically located on the access edge. By provisioning access to network resources on the Matrix N‐series via MUA, end‐system traffic destined to adjacent switches on the network can be securely contained at the Matrix N‐series port.

Scenario 3: Non-intelligent Access Edge (Wired and Wireless)

In the non‐intelligent access edge use scenario, the edge switches and access points that compose the network access layer are not capable of authenticating and authorizing the connecting end‐ systems on the network.

In this scenario, inline NAC is implemented by positioning the NAC Controller at a strategic point in the network topology, as the authorization point for end‐system traffic enforcement.

The NAC Controller may be positioned directly within the VLAN where end‐systems are connected or across one or more routed boundaries. When the NAC Controller is positioned within the VLAN where end‐systems are connected, each device is uniquely identified by its associated MAC address. When the NAC Controller is positioned across a routed boundary (for example, behind a WAN router located in an enterpriseʹs central site), each end‐system is identified by its associated IP address.

The following figure illustrates how the NAC Controller and the other Enterasys NAC components work together in the non‐intelligent edge to provide network access control.

Enterasys NAC Design Guide 3-9

Page 46 Page 48
Image 47
Page 46 Page 48
Contents Enterasys Page Page Page Contents Design Planning Design ProceduresUse Scenarios Tables FiguresPage Related Documents Intended AudienceSupport@enterasys.com Getting HelpDetection NAC Solution OverviewAuthentication Key FunctionalityRemediation AuthorizationDeployment Models AssessmentModel 1 End-system Detection and Tracking Model 2 End-System AuthorizationModel 3 End-System Authorization with Assessment NAC Appliance NAC Solution ComponentsNAC Controller Appliance NAC Gateway ApplianceNAC Controller is available in two models NAC Gateway NAC Controller Appliance ComparisonDisadvantage Advantage NetSight NAC Manager NetSight ManagementAssessment Server SummaryRadius Server Summary Summary Overview Out-of-Band NAC Model 1 End-System Detection and TrackingImplementation End-System and User Tracking Features and ValueInline NAC Layer Required and Optional Components Model 2 End-System AuthorizationInline NAC Device-Based Authorization Location-Based AuthorizationMAC Registration User-Based AuthorizationComponent Requirements for Authorization Model 3 End-System Authorization with Assessment Inline NAC Extensive Security Posture Compliance Verification Diverse Security Posture Compliance Verification Component Requirements for Authorization with Assessment Implementation Self-Service Remediation Required and Optional Components Enterasys NAC Deployment Models Value Use Scenarios Scenario 1 Intelligent Wired Access EdgeNAC Functions Policy-Enabled EdgeVLAN=Production RFC 3580 Capable EdgeScenario 1 Implementation Thin Wireless Edge Scenario 2 Intelligent Wireless Access Edge Remediation Web User Laptop Thick Wireless Edge Scenario 2 Implementation Scenario 3 Non-intelligent Access Edge Wired and Wireless Layer 2 Wired LAN Scenario 3 Implementation Scenario 4 VPN Remote AccessScenario 4 Implementation VPN Remote Access EnterasysUse Scenario Summaries Summary and Appliance Requirements VPN remote access Identify the NAC Deployment Model Design PlanningIdentify the Intelligent Edge of the Network Survey the NetworkNetwork with Intelligent Edge Case #1 No authentication method is deployed on the network Evaluate Policy/VLAN and Authentication ConfigurationOverview of Supported Authentication Methods Case #2 Authentication methods are deployed on the networkSupport for Multiple End-System Connection Support of Multiple Authentication MethodsEnd-System Capabilities Authentication Considerations Authentication Support on Enterasys DevicesIdentify the Strategic Point for End-System Authorization Identify Network Connection Methods Wired LANWireless LAN Thick Wireless DeploymentsSite-to-Site VPN Remote Access WANThin Wireless Deployments Identify Inline or Out-of-band NAC Deployment Remote Access VPNSummary Identify Required NetSight Applications Procedures for Out-of-Band and Inline NACDefine Network Security Domains Security Domain NAC ConfigurationsNAC Configuration Authorization NAC Configuration for a Security Domain Procedures for Out-of-Band and Inline NAC To the network Procedures for Out-of-Band and Inline NAC Procedures for Out-of-Band and Inline NAC Security Domain Configuration Guidelines for Assessment MAC Overrides Identify Required MAC and User OverridesMAC and User Override Configuration Procedures for Out-of-Band and Inline NAC Procedures for Out-of-Band and Inline NAC User Overrides Determine the Number of Assessment Servers Assessment Design ProceduresDetermine Assessment Server Location Identify Assessment Server ConfigurationIdentify Network Authentication Configuration Out-of-Band NAC Design ProceduresDetermine the Number of NAC Gateways NAC Gateway Redundancy Determine NAC Gateway Location Determine End-System Mobility Restrictions Identify Backend Radius Server InteractionDefine NAC Access Policies Vlan ConfigurationPolicy Role Configuration Assessment Policy and Quarantine Policy Configuration Failsafe Policy and Accept Policy ConfigurationAssessment Policy Policy Role Configuration in NetSight Policy ManagerQuarantine Policy Service for the Assessing RoleUnregistered Policy Inline NAC Design ProceduresDetermine NAC Controller Location Inline NAC Design Procedures Determine the Number of NAC Controllers Layer 2 NAC Controller Redundancy Define Policy Configuration NAC Deployment With NetSight ASM Additional ConsiderationsNAC Deployment With an Intrusion Detection System IDS Additional Considerations Design Procedures
Top Page Image Contents