Manuals / Enterasys Networks / Household Appliance / Plumbing Product

Enterasys Networks 9034385 3 MAC Override Configuration Guidelines, Network Scenario, Examples

Models: 9034385

1 98

Download 98 pages 26.86 Kb

Page 78

Procedures for Out-of-Band and Inline NAC

The following table describes scenarios where a MAC override may be configured for a particular end‐system.

Table 5-3 MAC Override Configuration Guidelines

Network Scenario	Examples	Security Domain Configuration

A device, or class of devices, that utilize a distinct set of parameters for authentication, assessment, and authorization.

Allocating VoIP services to IP phones on the network. For example, you could create a MAC override where a Polycom IP Phone, identified by the MAC address OUI of the authenticating end-system, is assigned to the IP Phone policy or Voice VLAN and not assessed for security posture compliance when connecting to any Security Domain.

In NAC Manager, create a MAC override with the following attributes:

•Specify either full MAC address or MAC address OUI.

•Select the Security Domain or all Security Domains for the MAC override scope.

For the assessment, authentication, and authorization configuration, choose a NAC Configuration or specify a custom configuration with the following parameters:

•Select either the “Proxy RADIUS request to a RADIUS Server” radio button or the “Reject” radio button.

•If the “Proxy RADIUS request to a RADIUS Server” radio button is selected, check “Authorize MAC Authentication Requests Locally” if MAC authentication requests are to be authorized, regardless of the MAC authentication password.

•Check “Replace RADIUS Attributes with Accept Policy” if the policy information returned from the RADIUS server will be overwritten by the Accept Policy.

•Format the Accept Policy with the policy or VLAN.

•Check the “Enable Assessment” checkbox if this device, or class of devices, is to be assessed, and select the appropriate Assessment Configuration for these devices.

•Specify the assessment and authorization parameters such as assessment interval, Quarantine Policy, and whether or not to apply the Assessment Policy while the end- system is being scanned.

5-14 Design Procedures

Image 78

Enterasys Networks 9034385 manual 3 MAC Override Configuration Guidelines, Network Scenario, Examples

Contents

Network Access Control EnterasysDesign Guide Page Enterasys Networks, Inc 50 Minuteman Road Andover, MA Page Chapter 1 Overview ContentsAbout This Guide Chapter 2 NAC Deployment ModelsChapter 5 Design Procedures Chapter 3 Use ScenariosChapter 4 Design Planning Figures TablesPage About This Guide Intended AudienceRelated Documents Getting Help Overview NAC Solution OverviewAuthentication Key FunctionalityAssessment AuthorizationDeployment Models RemediationModel 4 End-System Authorization with Assessment and Remediation Model 2 End-System AuthorizationModel 3 End-System Authorization with Assessment Model 1 End-system Detection and TrackingAuthorization with NAC Solution ComponentsAuthorization The NAC ApplianceNAC Gateway Appliance NAC Controller ApplianceThe NAC Controller is available in two models NAC Function Appliance ComparisonTable 1-2 Comparison of Appliance Functionality NAC GatewayNAC Gateway FeaturesTable 1-3 Comparison of Appliance Advantages and Disadvantages NAC ControllerFeatures NetSight ManagementNetSight NAC Manager NAC GatewayAssessment Server SummaryRADIUS Server NetSight ConsoleEnterasys offers two types of NAC appliances Summary 1-12 OverviewImplementation NAC Deployment ModelsModel 1 End-System Detection and Tracking Out-of-Band NACEnd-System and User Tracking Features and ValueInline NAC Layer IP-to-ID functionality for Security Information Management SIMTable 2-1 Component Requirements for Detection and Tracking Model 2 End-System AuthorizationRequired and Optional Components ComponentImplementation Inline NACAuthorization ‐ The NAC Gateway allocates the appropriate network resources to the end‐system based on device identity, user identity, and location. For Enterasys policy‐enabled edge switches, the NAC Gateway formats information in the RADIUS authentication messages that directs the edge switch to dynamically assign a particular policy to the connecting end‐system. For RFC 3580‐ capable edge switches, the NAC Gateway formats information in the RADIUS authentication messages in the form of RFC 3580 VLAN Tunnel attributes that directs the edge switch to dynamically assign a particular VLAN to the connecting end‐system. The NAC Gateway may deny the end‐system access to the network by sending a RADIUS Access‐Reject message to the edge switch or assign the end‐system a set of network resources by specifying a particular policy or VLAN to assign to the authenticated end‐system on the edge switch Out-of-Band NACLocation-Based Authorization Device-Based AuthorizationFeatures and Value User-Based Authorization MAC RegistrationAuthorization Table 2-2 Component Requirements for AuthorizationPost-Connect NAC integration with NetSight Automated Security Manager Required and Optional ComponentsImplementation Model 3 End-System Authorization with AssessmentModel 3 End-System Authorization with Assessment Out-of-Band NACInline NAC Extensive Security Posture Compliance Verification Features and ValueDiverse Security Posture Compliance Verification Authorization with Model 4 End-System Authorization with Assessment and RemediationTable 2-3 Component Requirements for Authorization with Assessment Required and Optional ComponentsImplementation Out-of-Band NACSelf-Service Remediation Features and ValueInline NAC Component Authorization withRequired and Optional Components Assessment andValue Table 2-5 Enterasys NAC Deployment ModelsDeployment Model SummaryScenario 1 Intelligent Wired Access Edge Use ScenariosAuthenticate Policy-Enabled EdgeSwitch Authentication3rd Party Switch RFC 3580 Capable EdgeScenario 1 Intelligent Wired Access Edge VLAN=QuarantineScenario 1 Implementation Scenario 2 Intelligent Wireless Access Edge Thin Wireless EdgeIntelligent Wireless AccessWireless VLAN=QuarantineThick Wireless Edge Assessment AuthenticationPoint5 Scenario 2 Implementation Scenario 2 Intelligent Wireless Access Edge3-8 Use Scenarios Scenario 3 Non-intelligent Access Edge Wired and Wireless Layer 2 Wireless LAN Layer 3 Wired LANLayer 2 Wired LAN Figure 3-5 Non-intelligent Access Edge Wired and WirelessScenario 4 VPN Remote Access Scenario 3 ImplementationNAC Manager Figure 3-6 VPN Remote AccessScenario 4 Implementation 4 ControllerSummary and Appliance Requirements Table 3-1 Use Scenario SummariesUse Scenario SummarySummary and Appliance Requirements Table 3-1 Use Scenario Summaries continuedUse Scenario SummaryDesign Planning Identify the NAC Deployment ModelSurvey the Network 1. Identify the Intelligent Edge of the NetworkFigure 4-1 Network with Intelligent Edge Policy‐enabled Enterasys devices at the physical edge of the network2. Evaluate Policy/VLAN and Authentication Configuration Case #1 No authentication method is deployed on the networkFigure 4-2 Network with Non-Intelligent Edge Case #2 Authentication methods are deployed on the network Overview of Supported Authentication MethodsSupport for Multiple End-System Connection Support of Multiple Authentication MethodsEnd-System Capabilities MAC AuthenticationAuthentication Support on Enterasys Devices Authentication Considerations3. Identify the Strategic Point for End-System Authorization Thick Wireless Deployments Wired LANWireless LAN 4. Identify Network Connection MethodsRemote Access WAN Thin Wireless DeploymentsSite-to-Site VPN Remote Access VPN Identify Inline or Out-of-band NAC DeploymentSummary Wired LAN Wireless LAN Remote Access WAN Site‐to‐Site VPN Design Procedures Procedures for Out-of-Band and Inline NAC1. Identify Required NetSight Applications 2. Define Network Security Domains Procedures for Out-of-Band and Inline NAC5-2 Design Procedures NAC Configurations Figure 5-1 Security DomainFigure 5-2 NAC Configuration AuthenticationAssessment Authorization How health results are processedFigure 5-3 NAC Configuration for a Security Domain Procedures for Out-of-Band and Inline NAC5-6 Design Procedures Network Scenario Table 5-1 Security Domain Configuration GuidelinesSecurity Domain Configuration ExamplesNetwork Scenario Table 5-1 Security Domain Configuration Guidelines continuedSecurity Domain Configuration ExamplesNetwork Scenario Table 5-1 Security Domain Configuration Guidelines continuedSecurity Domain Configuration ExamplesNetwork Scenario Table 5-2 Security Domain Configuration Guidelines for AssessmentSecurity Domain Configuration ExamplesNetwork Scenario Security Domain ConfigurationProcedures for Out-of-Band and Inline NAC Examples3. Identify Required MAC and User Overrides MAC OverridesFigure 5-4 MAC and User Override Configuration Procedures for Out-of-Band and Inline NACEnterasys NAC Design Guide Network Scenario Table 5-3 MAC Override Configuration GuidelinesSecurity Domain Configuration ExamplesNetwork Scenario Table 5-3 MAC Override Configuration Guidelines continuedSecurity Domain Configuration ExamplesSecurity Domain Configuration User OverridesTable 5-3 MAC Override Configuration Guidelines continued Network ScenarioAssessment Design Procedures 1. Determine the Number of Assessment Servers3. Identify Assessment Server Configuration 2. Determine Assessment Server LocationOut-of-Band NAC Design Procedures 1. Identify Network Authentication ConfigurationNAC Gateway Model 2. Determine the Number of NAC GatewaysTable 5-4 End-System Limits for NAC Gateways Concurrent End-Systems SupportedFigure 5-5 NAC Gateway Redundancy 3. Determine NAC Gateway Location 4. Identify Backend RADIUS Server Interaction 5. Determine End-System Mobility Restrictions6. VLAN Configuration 7. Policy Role Configuration8. Define NAC Access Policies Failsafe Policy and Accept Policy Configuration Assessment Policy and Quarantine Policy ConfigurationFigure 5-6 Policy Role Configuration in NetSight Policy Manager Assessment PolicyFigure 5-7 Service for the Assessing Role Quarantine Policy1. Determine NAC Controller Location Inline NAC Design ProceduresFigure 5-8 Service for the Quarantine Role Unregistered PolicyHowever, the closer the NAC Controller is placed to the edge of the network, the more NAC Controllers are required on the network, increasing NAC deployment cost and complexity. Conversely, when moving the NAC Controller towards the core of the network, fewer NAC Controllers are required, decreasing NAC deployment cost and complexity, but also decreasing the level of security NAC Controller Model 2. Determine the Number of NAC ControllersTable 5-5 End-System Limits for NAC Controllers Concurrent End-Systems SupportedFigure 5-9 Layer 2 NAC Controller Redundancy Figure 5-10 Layer 3 NAC Controller RedundancyFailsafe Policy and Accept Policy Configuration 4. Define Policy Configuration3. Identify Backend RADIUS Server Interaction Assessment Policy and Quarantine Policy ConfigurationNAC Deployment With NetSight ASM Additional ConsiderationsNAC Deployment With an Intrusion Detection System IDS Unregistered Policy5-34 Design Procedures Additional Considerations