Enterasys Networks 9034385 manual Network Scenario, Examples, Security Domain Configuration

Models: 9034385

Procedures for Out-of-Band and Inline NAC

Table 5-2 Security Domain Configuration Guidelines for Assessment (continued)

Network Scenario:

Area of the network, or a group of end-systems or users, that require assessment with immediate network access.

Examples:

• Switches that provide network access to mission critical servers, mandating uninterrupted network connectivity while still implementing assessment.

• Switches that provide network access to end-systems used by IT operations, requiring that network connectivity for debugging and troubleshooting is maintained during assessment.

• Switches that provide network access to important end users such as executives, so network connectivity is maintained during assessment.

• A group of devices, identified by MAC address, that are a specific OS or device type, such as printers or IP phones that require immediate network access upon connection.

• Users identified by user name, that are identified as important personnel on the network and require immediate network access upon connection.

Security Domain Configuration:

Do not use an Assessment Policy while end-systems are being assessed. This guarantees mission critical devices with time-sensitive network access maintain network availability during assessment.

In NAC Manager, create a Security Domain with the following attribute:

• The “Use Assessment Policy While Assessing” checkbox is not selected. In this case, NAC Manager assigns the policy or VLAN returned from the RADIUS server or the locally defined Accept Policy while the end-system is being assessed.

Network Scenario:

Area of the network, or group of end-systems or users, that require assessment before network access is allowed.

Examples:

• Switches that provide access to untrusted users, such as guests or other high risk end-systems, may be configured to apply a highly restrictive Assessment Policy during end-system assessment, only permitting end-system communication to the assessment servers, as well as basic IP services such as ARP, DNS, and DHCP. Security threats created by these high-risk end-systems are mitigated by waiting until assessment is completed before authorizing a significant level of network access.

• A group of devices, identified by MAC address, that are a specific OS or device type, and pose high risk to the network security.

• Users, identified by username, that are identified as high risk personnel on the network.

Security Domain Configuration:

Use an Assessment Policy during end-system assessment.

In NAC Manager, create a Security Domain with the following attribute:

• Select the “Use Assessment Policy While Assessing” checkbox and specify an Assessment Policy to assign.

Enterasys NAC Design Guide 5-11
