Enterasys Networks 9034385 manual Survey the Network, Identify the Intelligent Edge of the Network

access to a web browser to safely remediate their quarantined end‐system without impacting IT operations.

Once a deployment model is selected, the current network infrastructure must be examined to identify the technical dependencies and requirements imposed by the NAC solution.

Survey the Network

The steps in this section will help you identify and evaluate the current network infrastructure so that you can make design decisions regarding NAC component requirements.

1. Identify the Intelligent Edge of the Network

The first step in surveying your network is to determine whether your network has an “intelligent edge.” This determines whether the NAC Gateway or the NAC Controller appliance best suits your network infrastructure.

The term “intelligent” refers to a network topology where the access edge is composed of Enterasys policy‐enabled switches capable of supporting authentication and policy enforcement, or third‐party switches capable of supporting authentication and dynamic VLAN assignment as defined in RFC 3580.

Non‐intelligent infrastructure devices, such as repeaters and hubs, cannot authenticate or authorize end‐systems; they simply provide connectivity to the infrastructure.

An intelligent edge is required when the NAC Gateway is used to implement out‐of‐band NAC. The NAC Gateway appliance relies on the intelligent edge of the network to perform the authentication and authorization of connecting end‐systems. The NAC Gateway effects the assignment of policies or VLANs on Enterasys switches or RFC 3580‐capable switches located at the edge of the network, in order to authorize a level of network access for each connecting end‐system. These assignments are based on parameters such as the location of the end‐system and the results of its security posture assessment. The intelligent edge of the network also implements the authentication method (802.1X, web‐based, or MAC authentication) used to validate the device and/or user identity of connecting end‐systems.
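The “RFC 3580‐capable” requirement above comes down to three RADIUS tunnel attributes returned in the Access‐Accept: Tunnel‐Type (64) set to VLAN (13), Tunnel‐Medium‐Type (65) set to IEEE‐802 (6), and Tunnel‐Private‐Group‐ID (81) carrying the VLAN ID. The following Python is an added illustration, not code from the Enterasys guide: it encodes the attributes as a RADIUS server would and decodes them the way a conforming switch should, including the RFC 2868 tag rules (a tag byte only if the first byte is 0x00–0x1F) and the check that all three attributes agree before a port is moved. Attribute numbers and values are from RFC 2868 and RFC 3580; the sample payloads are constructed inline.

```python
"""Encode and decode the RFC 3580 RADIUS tunnel attributes that carry a
dynamic VLAN assignment.  Added illustration; attribute numbers and values
are from RFC 2868 / RFC 3580, sample payloads are constructed inline."""
import struct
from typing import Dict, List, Optional, Tuple

# RADIUS attribute types (RFC 2868) and the values RFC 3580 mandates for VLANs
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802


def encode_tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """Tagged integer attribute: Type, Length=6, Tag, 3-byte big-endian value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type: int, tag: int, value: bytes) -> bytes:
    """Tagged string attribute: Type, Length, Tag, String (max 253 payload bytes)."""
    body = bytes([tag]) + value
    if len(body) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def build_vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """Server side: the three attributes an Access-Accept needs for VLAN vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return (
        encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
        + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
        + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id).encode("ascii"))
    )


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("attribute length field is invalid")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def extract_vlan(data: bytes) -> Optional[int]:
    """Switch side: return the VLAN ID only when Tunnel-Type=VLAN,
    Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-ID share one tag."""
    tunnel_type: Dict[int, int] = {}
    medium: Dict[int, int] = {}
    group: Dict[int, bytes] = {}
    for attr_type, value in parse_attributes(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                continue  # malformed tagged integer; ignore rather than guess
            target = tunnel_type if attr_type == TUNNEL_TYPE else medium
            target[value[0]] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a first byte above 0x1F is data, not a tag (treat as tag 0)
            if value[0] <= 0x1F:
                group[value[0]] = value[1:]
            else:
                group[0] = value
    for tag, raw in group.items():
        if tunnel_type.get(tag) != TUNNEL_TYPE_VLAN or medium.get(tag) != TUNNEL_MEDIUM_IEEE_802:
            continue  # group ID belongs to some other tunnel type; never treat it as a VLAN
        try:
            vlan_id = int(raw.decode("ascii"))
        except ValueError:
            continue  # VLAN names are vendor-specific; only numeric IDs are accepted here
        if 1 <= vlan_id <= 4094:
            return vlan_id
    return None


if __name__ == "__main__":
    accept = build_vlan_attributes(100)
    print(accept.hex())          # the bytes an Access-Accept carries for VLAN 100
    print(extract_vlan(accept))  # 100
```

The decoder deliberately refuses a Tunnel‐Private‐Group‐ID whose matching Tunnel‐Type is not VLAN or whose Tunnel‐Medium‐Type is not IEEE‐802: a switch that moves a port on the group ID alone would act on attributes intended for a different tunnel type. When evaluating a third‐party edge switch for the NAC Gateway model, confirm that it applies this check and that it interprets the group ID the way your RADIUS server sends it (numeric VLAN ID versus VLAN name).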

However, in networks with non‐intelligent devices at the access edge, those devices do not have to be replaced in order to implement out‐of‐band NAC with the NAC Gateway. Instead, an Enterasys Matrix N‐series switch can be positioned upstream of the non‐intelligent devices (for example, in the distribution layer) to perform authentication and authorization for the devices connected downstream. Because many end‐systems then share one upstream port, the switch must be able to authenticate and authorize them individually: Matrix N‐series devices support Multi‐User Authentication (MUA), which enables the switch to individually authenticate and uniquely authorize multiple end‐systems connected to the same physical port. MUA on the Matrix N‐series Platinum supports the concurrent authentication and authorization of over 1000 end‐systems on a single port, with disparate network resources allocated to each end‐system. In this case the Matrix N‐series switch is the intelligent edge of the network even though it is not physically located in the access layer. Using the Matrix N‐series in this configuration provides most of the benefits of out‐of‐band NAC without upgrading the edge of the network.

4-2 Design Planning