Enterasys
Network Access Control
Design Guide
Enterasys Networks, Inc 50 Minuteman Road Andover, MA
Chapter 1 Overview
Contents
About This Guide
Chapter 2 NAC Deployment Models
Chapter 3 Use Scenarios
Chapter 4 Design Planning
Chapter 5 Design Procedures
Figures
Tables
Intended Audience
About This Guide
Related Documents
Getting Help
Overview
NAC Solution Overview
Authentication
Key Functionality
Assessment
Authorization
Deployment Models
Remediation
Model 4 End-System Authorization with Assessment and Remediation
Model 2 End-System Authorization
Model 3 End-System Authorization with Assessment
Model 1 End-System Detection and Tracking
Authorization with
NAC Solution Components
Authorization
The NAC Appliance
NAC Gateway Appliance
NAC Controller Appliance
The NAC Controller is available in two models
NAC Function
Appliance Comparison
Table 1-2 Comparison of Appliance Functionality
NAC Gateway
Features
Table 1-3 Comparison of Appliance Advantages and Disadvantages
NAC Controller
Features
NetSight Management
NetSight NAC Manager
NAC Gateway
Assessment Server
Summary
RADIUS Server
NetSight Console
Enterasys offers two types of NAC appliances
Summary
Implementation
NAC Deployment Models
Model 1 End-System Detection and Tracking
Out-of-Band NAC
End-System and User Tracking
Features and Value
Inline NAC Layer
IP-to-ID functionality for Security Information Management SIM
Table 2-1 Component Requirements for Detection and Tracking
Model 2 End-System Authorization
Required and Optional Components
Component
Implementation
Inline NAC
Authorization - The NAC Gateway allocates the appropriate network resources to the end-system based on device identity, user identity, and location. For Enterasys policy-enabled edge switches, the NAC Gateway formats information in the RADIUS authentication messages that directs the edge switch to dynamically assign a particular policy to the connecting end-system. For RFC 3580-capable edge switches, the NAC Gateway formats information in the RADIUS authentication messages in the form of RFC 3580 VLAN Tunnel attributes that directs the edge switch to dynamically assign a particular VLAN to the connecting end-system. The NAC Gateway may deny the end-system access to the network by sending a RADIUS Access-Reject message to the edge switch, or it may grant the end-system a set of network resources by specifying a particular policy or VLAN for the edge switch to assign to the authenticated end-system.
Out-of-Band NAC
Device-Based Authorization
Location-Based Authorization
Features and Value
User-Based Authorization
MAC Registration
Authorization
Table 2-2 Component Requirements for Authorization
Post-Connect NAC integration with NetSight Automated Security Manager
Required and Optional Components
Implementation
Model 3 End-System Authorization with Assessment
Out-of-Band NAC
Inline NAC
Extensive Security Posture Compliance Verification
Features and Value
Diverse Security Posture Compliance Verification
Authorization with
Model 4 End-System Authorization with Assessment and Remediation
Table 2-3 Component Requirements for Authorization with Assessment
Required and Optional Components
Implementation
Out-of-Band NAC
Features and Value
Self-Service Remediation
Inline NAC
Component
Authorization with
Required and Optional Components
Assessment and
Value
Table 2-5 Enterasys NAC Deployment Models
Deployment Model
Summary
Scenario 1 Intelligent Wired Access Edge
Use Scenarios
Authenticate
Policy-Enabled Edge
Switch
Authentication
3rd Party Switch
RFC 3580 Capable Edge
Scenario 1 Intelligent Wired Access Edge
VLAN=Quarantine
Scenario 1 Implementation
Scenario 2 Intelligent Wireless Access Edge
Thin Wireless Edge
Intelligent Wireless
Access
Wireless
VLAN=Quarantine
Assessment Authentication
Thick Wireless Edge
Point5
Scenario 2 Intelligent Wireless Access Edge
Scenario 2 Implementation
Scenario 3 Non-intelligent Access Edge Wired and Wireless
Layer 2 Wireless LAN
Layer 3 Wired LAN
Layer 2 Wired LAN
Figure 3-5 Non-intelligent Access Edge Wired and Wireless
Scenario 4 VPN Remote Access
Scenario 3 Implementation
NAC Manager
Figure 3-6 VPN Remote Access
Scenario 4 Implementation
4 Controller
Summary and Appliance Requirements
Table 3-1 Use Scenario Summaries
Use Scenario
Summary
Summary and Appliance Requirements
Table 3-1 Use Scenario Summaries continued
Use Scenario
Summary
Design Planning
Identify the NAC Deployment Model
Survey the Network
1. Identify the Intelligent Edge of the Network
Figure 4-1 Network with Intelligent Edge
Policy-enabled Enterasys devices at the physical edge of the network
Case #1 No authentication method is deployed on the network
2. Evaluate Policy/VLAN and Authentication Configuration
Figure 4-2 Network with Non-Intelligent Edge
Case #2 Authentication methods are deployed on the network
Overview of Supported Authentication Methods
Support for Multiple End-System Connection
Support of Multiple Authentication Methods
End-System Capabilities
MAC Authentication
Authentication Support on Enterasys Devices
Authentication Considerations
3. Identify the Strategic Point for End-System Authorization
Thick Wireless Deployments
Wired LAN
Wireless LAN
4. Identify Network Connection Methods
Thin Wireless Deployments
Remote Access WAN
Site-to-Site VPN
Identify Inline or Out-of-band NAC Deployment
Remote Access VPN
Summary
Wired LAN, Wireless LAN, Remote Access WAN, Site-to-Site VPN
Procedures for Out-of-Band and Inline NAC
Design Procedures
1. Identify Required NetSight Applications
Procedures for Out-of-Band and Inline NAC
2. Define Network Security Domains
NAC Configurations
Figure 5-1 Security Domain
Authentication
Figure 5-2 NAC Configuration
Assessment
Authorization
How health results are processed
Procedures for Out-of-Band and Inline NAC
Figure 5-3 NAC Configuration for a Security Domain
Network Scenario
Table 5-1 Security Domain Configuration Guidelines
Security Domain Configuration
Examples
Network Scenario
Table 5-1 Security Domain Configuration Guidelines continued
Security Domain Configuration
Examples
Network Scenario
Table 5-1 Security Domain Configuration Guidelines continued
Security Domain Configuration
Examples
Network Scenario
Table 5-2 Security Domain Configuration Guidelines for Assessment
Security Domain Configuration
Examples
Network Scenario
Security Domain Configuration
Procedures for Out-of-Band and Inline NAC
Examples
3. Identify Required MAC and User Overrides
MAC Overrides
Procedures for Out-of-Band and Inline NAC
Figure 5-4 MAC and User Override Configuration
Network Scenario
Table 5-3 MAC Override Configuration Guidelines
Security Domain Configuration
Examples
Network Scenario
Table 5-3 MAC Override Configuration Guidelines continued
Security Domain Configuration
Examples
Security Domain Configuration
User Overrides
Table 5-3 MAC Override Configuration Guidelines continued
Network Scenario
Assessment Design Procedures
1. Determine the Number of Assessment Servers
3. Identify Assessment Server Configuration
2. Determine Assessment Server Location
Out-of-Band NAC Design Procedures
1. Identify Network Authentication Configuration
NAC Gateway Model
2. Determine the Number of NAC Gateways
Table 5-4 End-System Limits for NAC Gateways
Concurrent End-Systems Supported
Figure 5-5 NAC Gateway Redundancy
3. Determine NAC Gateway Location
4. Identify Backend RADIUS Server Interaction
5. Determine End-System Mobility Restrictions
7. Policy Role Configuration
6. VLAN Configuration
8. Define NAC Access Policies
Failsafe Policy and Accept Policy Configuration
Assessment Policy and Quarantine Policy Configuration
Figure 5-6 Policy Role Configuration in NetSight Policy Manager
Assessment Policy
Figure 5-7 Service for the Assessing Role
Quarantine Policy
1. Determine NAC Controller Location
Inline NAC Design Procedures
Figure 5-8 Service for the Quarantine Role
Unregistered Policy
However, the closer the NAC Controller is placed to the edge of the network, the more NAC Controllers are required on the network, increasing NAC deployment cost and complexity. Conversely, when the NAC Controller is moved towards the core of the network, fewer NAC Controllers are required, decreasing NAC deployment cost and complexity, but also decreasing the level of security.
NAC Controller Model
2. Determine the Number of NAC Controllers
Table 5-5 End-System Limits for NAC Controllers
Concurrent End-Systems Supported
Figure 5-9 Layer 2 NAC Controller Redundancy
Figure 5-10 Layer 3 NAC Controller Redundancy
Failsafe Policy and Accept Policy Configuration
4. Define Policy Configuration
3. Identify Backend RADIUS Server Interaction
Assessment Policy and Quarantine Policy Configuration
NAC Deployment With NetSight ASM
Additional Considerations
NAC Deployment With an Intrusion Detection System IDS
Unregistered Policy
Additional Considerations