Procedures for Out-of-Band and Inline NAC
The following table provides examples of various network scenarios that should be considered when identifying the number and configuration of Security Domains in your NAC deployment.
| Network Scenario | Examples | Security Domain Configuration |
|---|---|---|
| Area of the network that is configured to authenticate end-systems with a secure authentication method, such as 802.1X or … authentication. | • Switches that provide access for trusted users authenticating to the network using 802.1X or … authentication, such as LAN segments and wireless networks designated for trusted user access.<br>• VPN concentrator providing connectivity to users implementing remote access VPN to connect into the corporate LAN. | Proxy 802.1X and … authentication requests to a backend RADIUS server. This allows for the proper validation of login credentials for 802.1X and … authentication methods. In NAC Manager, create a Security Domain with the following configuration attributes:<br>• Select the “Proxy RADIUS Request to a RADIUS Server” radio button to allow the forwarding of RADIUS authentication requests to a RADIUS server.<br>• If the RADIUS server returns a policy or VLAN based on user or …, uncheck “Replace RADIUS Attributes with Accept Policy.” Otherwise, user overrides can be configured to return a policy or VLAN based on the user or ….<br>• Configure the Accept Policy with a policy or VLAN that allows less restrictive network access for trusted users. |
| Area of the network that is configured to MAC authenticate for the purpose of … detection. | • Switches that provide access to … as printers, IP phones, and IP cameras.<br>• Switches that provide access to … not authenticated in traditional network environments, such as untrusted users like guests and contractors. | Locally authorize MAC authentication attempts. This enables the detection and authorization of … systems. In NAC Manager, create a Security Domain with the following configuration attributes:<br>• With the “Proxy RADIUS Request to a RADIUS Server” radio button selected, check the “Authorize MAC Authentication Requests Locally” option and specify a policy or VLAN in the Accept Policy field.<br>• Configure the Accept Policy field with a policy or VLAN that provides more restrictive network access for … |
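As an added illustration (not code from the Enterasys NAC Design Guide or from NAC Manager), the following Python model shows how the settings named in the two table rows combine to select the policy or VLAN applied to an end-system. The policy names, the user override and the RADIUS verdicts are constructed sample values, and the behaviour of a domain that neither proxies nor authorizes MAC requests locally is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class SecurityDomain:
    """Constructed model of the Security Domain settings named in the table."""
    proxy_to_radius: bool            # "Proxy RADIUS Request to a RADIUS Server"
    authorize_mac_locally: bool      # "Authorize MAC Authentication Requests Locally"
    replace_radius_attributes: bool  # "Replace RADIUS Attributes with Accept Policy"
    accept_policy: str               # policy or VLAN entered in the Accept Policy field
    user_overrides: dict = field(default_factory=dict)  # user -> policy or VLAN

@dataclass
class AuthRequest:
    method: str                      # "802.1X", "web", or "MAC"
    user: str                        # login name, or MAC address for MAC authentication
    radius_accept: bool = False      # constructed: backend RADIUS verdict for a proxied request
    radius_policy: Optional[str] = None  # constructed: policy/VLAN attribute the backend returned

def decide(domain: SecurityDomain, req: AuthRequest) -> Tuple[bool, Optional[str]]:
    """Return (accepted, policy_or_vlan) for one request under one domain's settings."""
    if req.method == "MAC" and domain.authorize_mac_locally:
        # Detection scenario: MAC auth is authorized locally, so the backend is never
        # consulted and the (more restrictive) Accept Policy is applied.
        return True, domain.accept_policy
    if not domain.proxy_to_radius:
        # Assumption: with no proxy and no local MAC authorization, nothing validates
        # the credentials, so the request is treated as rejected.
        return False, None
    if not req.radius_accept:
        return False, None           # backend RADIUS rejected the login credentials
    if req.radius_policy is not None and not domain.replace_radius_attributes:
        # "Replace RADIUS Attributes with Accept Policy" unchecked: keep the policy
        # or VLAN the backend RADIUS server returned for this user.
        return True, req.radius_policy
    # Otherwise a configured user override wins, then the domain's Accept Policy.
    return True, domain.user_overrides.get(req.user, domain.accept_policy)

def table_domains() -> Tuple[SecurityDomain, SecurityDomain]:
    """The two table rows as constructed sample configurations."""
    trusted = SecurityDomain(proxy_to_radius=True, authorize_mac_locally=False,
                             replace_radius_attributes=False,
                             accept_policy="Enterprise User",   # less restrictive access
                             user_overrides={"contractor1": "Contractor Access"})
    detection = SecurityDomain(proxy_to_radius=True, authorize_mac_locally=True,
                               replace_radius_attributes=True,
                               accept_policy="Guest Access")    # more restrictive access
    return trusted, detection
```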
Enterasys NAC Design Guide