Enterasys Network Access Control Design Guide
Enterasys Networks, Inc., 50 Minuteman Road, Andover, MA
Chapter 2 NAC Deployment Models
Contents
About This Guide
Chapter 1 Overview
Chapter 4 Design Planning
Chapter 5 Design Procedures
Chapter 3 Use Scenarios
Tables
Figures
Related Documents
About This Guide
Intended Audience
Getting Help
Key Functionality
NAC Solution Overview
Authentication
Overview
Remediation
Authorization
Deployment Models
Assessment
Model 1 End-system Detection and Tracking
Model 2 End-System Authorization
Model 3 End-System Authorization with Assessment
Model 4 End-System Authorization with Assessment and Remediation
The NAC Appliance
NAC Solution Components
Authorization
Authorization with
NAC Controller Appliance
NAC Gateway Appliance
The NAC Controller is available in two models
NAC Gateway
Appliance Comparison
Table 1-2 Comparison of Appliance Functionality
NAC Function
NAC Controller
Features
Table 1-3 Comparison of Appliance Advantages and Disadvantages
NAC Gateway
NAC Gateway
NetSight Management
NetSight NAC Manager
Features
NetSight Console
Summary
RADIUS Server
Assessment Server
Enterasys offers two types of NAC appliances
Summary
Out-of-Band NAC
NAC Deployment Models
Model 1 End-System Detection and Tracking
Implementation
IP-to-ID functionality for Security Information Management SIM
Features and Value
Inline NAC Layer
End-System and User Tracking
Component
Model 2 End-System Authorization
Required and Optional Components
Table 2-1 Component Requirements for Detection and Tracking
Out-of-Band NAC
Inline NAC
Authorization - The NAC Gateway allocates the appropriate network resources to the end-system based on device identity, user identity, and location. For Enterasys policy-enabled edge switches, the NAC Gateway formats information in the RADIUS authentication messages that directs the edge switch to dynamically assign a particular policy to the connecting end-system. For RFC 3580-capable edge switches, the NAC Gateway formats information in the RADIUS authentication messages in the form of RFC 3580 VLAN Tunnel attributes that directs the edge switch to dynamically assign a particular VLAN to the connecting end-system. The NAC Gateway may deny the end-system access to the network by sending a RADIUS Access-Reject message to the edge switch, or assign the end-system a set of network resources by specifying a particular policy or VLAN to assign to the authenticated end-system on the edge switch.
Implementation
Features and Value
Location-Based Authorization
Device-Based Authorization
MAC Registration
User-Based Authorization
Required and Optional Components
Table 2-2 Component Requirements for Authorization
Post-Connect NAC integration with NetSight Automated Security Manager
Authorization
Out-of-Band NAC
Model 3 End-System Authorization with Assessment
Model 3 End-System Authorization with Assessment
Implementation
Inline NAC
Features and Value
Extensive Security Posture Compliance Verification
Diverse Security Posture Compliance Verification
Required and Optional Components
Model 4 End-System Authorization with Assessment and Remediation
Table 2-3 Component Requirements for Authorization with Assessment
Authorization with
Out-of-Band NAC
Implementation
Inline NAC
Self-Service Remediation
Features and Value
Assessment and
Authorization with
Required and Optional Components
Component
Summary
Table 2-5 Enterasys NAC Deployment Models
Deployment Model
Value
Use Scenarios
Scenario 1 Intelligent Wired Access Edge
Authentication
Policy-Enabled Edge
Switch
Authenticate
VLAN=Quarantine
RFC 3580 Capable Edge
Scenario 1 Intelligent Wired Access Edge
3rd Party Switch
Scenario 1 Implementation
Thin Wireless Edge
Scenario 2 Intelligent Wireless Access Edge
VLAN=Quarantine
Access
Wireless
Intelligent Wireless
Point5
Thick Wireless Edge
Assessment Authentication
Scenario 2 Implementation
Scenario 2 Intelligent Wireless Access Edge
Scenario 3 Non-intelligent Access Edge Wired and Wireless
Figure 3-5 Non-intelligent Access Edge Wired and Wireless
Layer 3 Wired LAN
Layer 2 Wired LAN
Layer 2 Wireless LAN
Scenario 3 Implementation
Scenario 4 VPN Remote Access
4 Controller
Figure 3-6 VPN Remote Access
Scenario 4 Implementation
NAC Manager
Summary
Table 3-1 Use Scenario Summaries
Use Scenario
Summary and Appliance Requirements
Summary
Table 3-1 Use Scenario Summaries continued
Use Scenario
Summary and Appliance Requirements
Identify the NAC Deployment Model
Design Planning
1. Identify the Intelligent Edge of the Network
Survey the Network
Policy-enabled Enterasys devices at the physical edge of the network
Figure 4-1 Network with Intelligent Edge
Figure 4-2 Network with Non-Intelligent Edge
2. Evaluate Policy/VLAN and Authentication Configuration
Case #1 No authentication method is deployed on the network
Overview of Supported Authentication Methods
Case #2 Authentication methods are deployed on the network
MAC Authentication
Support of Multiple Authentication Methods
End-System Capabilities
Support for Multiple End-System Connection
Authentication Considerations
Authentication Support on Enterasys Devices
3. Identify the Strategic Point for End-System Authorization
4. Identify Network Connection Methods
Wired LAN
Wireless LAN
Thick Wireless Deployments
Site-to-Site VPN
Remote Access WAN
Thin Wireless Deployments
Summary
Remote Access VPN
Identify Inline or Out-of-band NAC Deployment
Wired LAN, Wireless LAN, Remote Access WAN, Site-to-Site VPN
1. Identify Required NetSight Applications
Design Procedures
Procedures for Out-of-Band and Inline NAC
2. Define Network Security Domains
Procedures for Out-of-Band and Inline NAC
Figure 5-1 Security Domain
NAC Configurations
Assessment
Figure 5-2 NAC Configuration
Authentication
How health results are processed
Authorization
Figure 5-3 NAC Configuration for a Security Domain
Procedures for Out-of-Band and Inline NAC
Examples
Table 5-1 Security Domain Configuration Guidelines
Security Domain Configuration
Network Scenario
Examples
Table 5-1 Security Domain Configuration Guidelines continued
Security Domain Configuration
Network Scenario
Examples
Table 5-1 Security Domain Configuration Guidelines continued
Security Domain Configuration
Network Scenario
Examples
Table 5-2 Security Domain Configuration Guidelines for Assessment
Security Domain Configuration
Network Scenario
Examples
Security Domain Configuration
Procedures for Out-of-Band and Inline NAC
Network Scenario
MAC Overrides
3. Identify Required MAC and User Overrides
Figure 5-4 MAC and User Override Configuration
Procedures for Out-of-Band and Inline NAC
Examples
Table 5-3 MAC Override Configuration Guidelines
Security Domain Configuration
Network Scenario
Examples
Table 5-3 MAC Override Configuration Guidelines continued
Security Domain Configuration
Network Scenario
Network Scenario
User Overrides
Table 5-3 MAC Override Configuration Guidelines continued
Security Domain Configuration
1. Determine the Number of Assessment Servers
Assessment Design Procedures
2. Determine Assessment Server Location
3. Identify Assessment Server Configuration
1. Identify Network Authentication Configuration
Out-of-Band NAC Design Procedures
Concurrent End-Systems Supported
2. Determine the Number of NAC Gateways
Table 5-4 End-System Limits for NAC Gateways
NAC Gateway Model
Figure 5-5 NAC Gateway Redundancy
3. Determine NAC Gateway Location
5. Determine End-System Mobility Restrictions
4. Identify Backend RADIUS Server Interaction
8. Define NAC Access Policies
6. VLAN Configuration
7. Policy Role Configuration
Assessment Policy and Quarantine Policy Configuration
Failsafe Policy and Accept Policy Configuration
Assessment Policy
Figure 5-6 Policy Role Configuration in NetSight Policy Manager
Quarantine Policy
Figure 5-7 Service for the Assessing Role
Unregistered Policy
Inline NAC Design Procedures
Figure 5-8 Service for the Quarantine Role
1. Determine NAC Controller Location
However, the closer the NAC Controller is placed to the edge of the network, the more NAC Controllers are required on the network, increasing NAC deployment cost and complexity. Conversely, when moving the NAC Controller towards the core of the network, fewer NAC Controllers are required, decreasing NAC deployment cost and complexity, but also decreasing the level of security.
Concurrent End-Systems Supported
2. Determine the Number of NAC Controllers
Table 5-5 End-System Limits for NAC Controllers
NAC Controller Model
Figure 5-10 Layer 3 NAC Controller Redundancy
Figure 5-9 Layer 2 NAC Controller Redundancy
Assessment Policy and Quarantine Policy Configuration
4. Define Policy Configuration
3. Identify Backend RADIUS Server Interaction
Failsafe Policy and Accept Policy Configuration
Unregistered Policy
Additional Considerations
NAC Deployment With an Intrusion Detection System IDS
NAC Deployment With NetSight ASM
Additional Considerations