Enterasys Networks 9034385 manual Remote Access WAN, Site-to-Site VPN, Thin Wireless Deployments

Models: 9034385

Survey the Network

this case, the thick AP deployment falls into the category of non‐intelligent edge devices with the same NAC implementations as a non‐intelligent wired edge. These non‐intelligent APs must be configured with inline NAC, positioning the NAC Controller at a strategic point in the network upstream from the non‐intelligent APs where it will implement the authentication and authorization of connecting end‐systems.

Thin Wireless Deployments

For thin wireless deployments, the wireless switch usually supports the authentication and authorization of the wireless end‐systems connected to the APs on the network. Therefore, thin wireless deployments can be configured with out‐of‐band NAC using the NAC Gateway, with the authentication and authorization implemented on the wireless switch. If the wireless switch does not support dynamic VLAN assignment via RFC 3580, inline NAC may be used by positioning the NAC Controller behind the wireless switch to implement the authentication and authorization of wireless end‐systems.
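The out-of-band path above depends on the wireless switch honouring an RFC 3580 dynamic VLAN assignment. The following is an added example (not code from the Enterasys manual or its NAC products) that builds the RFC 3580 attribute triple a RADIUS server places in an Access-Accept and parses it back from raw attribute bytes, including the RFC 2868 tag octet; attribute numbers and values are the standard ones, the function names are this example's own.

```python
# Added example (not from the Enterasys manual): the RFC 3580 attributes that carry a
# dynamic VLAN assignment in a RADIUS Access-Accept, built and parsed from raw bytes.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value for VLAN (RFC 3580 section 3.31)
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value for IEEE 802 media

def _avp(attr_type, value):
    # One RADIUS attribute: Type (1 octet), Length (1 octet, includes header), Value.
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return bytes([attr_type, len(value) + 2]) + value

def build_vlan_assignment(vlan_id, tag=0):
    """Three attributes that place the authenticated end-system in vlan_id.
    tag (0..31) groups the triple per RFC 2868; 0 means untagged."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    # Tagged integer attributes are a tag octet followed by a 3-octet value.
    tagged_int = lambda v: bytes([tag]) + v.to_bytes(3, "big")
    # For the string attribute the tag octet is only present when a tag is in use.
    group = (bytes([tag]) if tag else b"") + str(vlan_id).encode("ascii")
    return (_avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
            + _avp(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, group))

def _split_tag(value):
    # RFC 2868: a leading octet <= 0x1F is the tag; anything larger is data.
    return (value[0], value[1:]) if value[0] <= 0x1F else (0, value)

def parse_vlan_assignment(attrs):
    """Walk a run of RADIUS attributes and return the VLAN ID if a consistent
    RFC 3580 triple is present, else None (a switch lacking this support would
    simply ignore the triple, which is why inline NAC is the fallback)."""
    by_tag = {}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 3 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        atype, alen = attrs[pos], attrs[pos + 1]
        value, pos = attrs[pos + 2:pos + alen], pos + alen
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, data = _split_tag(value)
            by_tag.setdefault(tag, {})[atype] = data
    for fields in by_tag.values():
        if (fields.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and fields.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
                and fields.get(TUNNEL_PRIVATE_GROUP_ID, b"").isdigit()):
            vlan = int(fields[TUNNEL_PRIVATE_GROUP_ID])
            if 1 <= vlan <= 4094:
                return vlan
    return None
```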

Remote Access WAN

In many enterprise networks, larger remote sites are connected to the main network site over a WAN connection, affording remote users access to corporate resources. If the remote sites are composed of intelligent edge devices supporting the authentication and authorization of the remotely connected end‐systems, then the NAC Gateway can be utilized in the deployment of out‐of‐band NAC. The NAC Gateway may be positioned either locally at the remote site (which may not be practical) or at the main site of the enterprise network. Either way, the NAC Gateway leverages the authentication and authorization capabilities of the switches in the remote site to implement network access control for remote users.

If the NAC Gateway is implemented at the main site, then it is important to consider what impact a WAN link disconnection would have on the NAC process and remote end‐system connectivity. It is recommended that switches in remote sites be configured with a default VLAN or policy that will be applied to the end‐system in the case that connectivity to the main site goes down.

If the remote sites are composed of non‐intelligent switches, then the NAC Controller can be strategically positioned inline with traffic sourced from remote end‐systems to implement the authentication and authorization of these devices. The NAC Controller is most often positioned at the central site's WAN connection to the remote sites. In this configuration, a single NAC Controller implements NAC for multiple remote sites, which matters because some remote sites may have only a few end‐systems concurrently connected.

Site-to-Site VPN

In multi‐site enterprise environments, it is common to have a VPN concentrator located at the main site connecting to remote sites via a VPN tunnel. As in the remote access WAN scenario, the choice between out‐of‐band and inline NAC depends on the capabilities of the edge switches located at the remote site. If the remote sites are composed of intelligent edge switches, then the NAC Gateway can be positioned at the main site to implement out‐of‐band NAC. If the remote sites are composed of non‐intelligent edge switches, then the NAC Controller can be positioned behind the VPN concentrator that provides site‐to‐site VPN connectivity. It is important to note that the NAC Controller must see the actual IP address of the end‐system when that end‐system's traffic traverses it. Therefore, no device downstream of the NAC Controller may implement many‐to‐one NAT or reverse proxy VPN; the end‐system's IP address must be preserved at the point where its traffic traverses the NAC Controller.

4-10 Design Planning