Design Guide
Network Access Control
Enterasys
Page
Enterasys Networks, Inc 50 Minuteman Road Andover, MA
Page
Contents
About This Guide
Chapter 1 Overview
Chapter 2 NAC Deployment Models
Chapter 4 Design Planning
Chapter 5 Design Procedures
Chapter 3 Use Scenarios
Figures
Tables
Page
Related Documents
About This Guide
Intended Audience
Getting Help
NAC Solution Overview
Authentication
Overview
Key Functionality
Authorization
Deployment Models
Assessment
Remediation
Model 2 End-System Authorization
Model 3 End-System Authorization with Assessment
Model 4 End-System Authorization with Assessment and Remediation
Model 1 End-system Detection and Tracking
NAC Solution Components
Authorization
Authorization with
The NAC Appliance
NAC Gateway Appliance
NAC Controller Appliance
The NAC Controller is available in two models
Appliance Comparison
Table 1-2 Comparison of Appliance Functionality
NAC Function
NAC Gateway
Features
Table 1-3 Comparison of Appliance Advantages and Disadvantages
NAC Gateway
NAC Controller
NetSight Management
NetSight NAC Manager
Features
NAC Gateway
Summary
RADIUS Server
Assessment Server
NetSight Console
Enterasys offers two types of NAC appliances
Summary
1-12 Overview
NAC Deployment Models
Model 1 End-System Detection and Tracking
Implementation
Out-of-Band NAC
Features and Value
Inline NAC Layer
End-System and User Tracking
IP-to-ID functionality for Security Information Management SIM
Model 2 End-System Authorization
Required and Optional Components
Table 2-1 Component Requirements for Detection and Tracking
Component
Inline NAC
Authorization ‐ The NAC Gateway allocates the appropriate network resources to the end‐system based on device identity, user identity, and location. For Enterasys policy‐enabled edge switches, the NAC Gateway formats information in the RADIUS authentication messages that directs the edge switch to dynamically assign a particular policy to the connecting end‐system. For RFC 3580‐ capable edge switches, the NAC Gateway formats information in the RADIUS authentication messages in the form of RFC 3580 VLAN Tunnel attributes that directs the edge switch to dynamically assign a particular VLAN to the connecting end‐system. The NAC Gateway may deny the end‐system access to the network by sending a RADIUS Access‐Reject message to the edge switch or assign the end‐system a set of network resources by specifying a particular policy or VLAN to assign to the authenticated end‐system on the edge switch
Implementation
Out-of-Band NAC
Features and Value
Location-Based Authorization
Device-Based Authorization
User-Based Authorization
MAC Registration
Table 2-2 Component Requirements for Authorization
Post-Connect NAC integration with NetSight Automated Security Manager
Authorization
Required and Optional Components
Model 3 End-System Authorization with Assessment
Model 3 End-System Authorization with Assessment
Implementation
Out-of-Band NAC
Inline NAC
Extensive Security Posture Compliance Verification
Features and Value
Diverse Security Posture Compliance Verification
Model 4 End-System Authorization with Assessment and Remediation
Table 2-3 Component Requirements for Authorization with Assessment
Authorization with
Required and Optional Components
Implementation
Out-of-Band NAC
Inline NAC
Self-Service Remediation
Features and Value
Authorization with
Required and Optional Components
Component
Assessment and
Table 2-5 Enterasys NAC Deployment Models
Deployment Model
Value
Summary
Scenario 1 Intelligent Wired Access Edge
Use Scenarios
Policy-Enabled Edge
Switch
Authenticate
Authentication
RFC 3580 Capable Edge
Scenario 1 Intelligent Wired Access Edge
3rd Party Switch
VLAN=Quarantine
Scenario 1 Implementation
Scenario 2 Intelligent Wireless Access Edge
Thin Wireless Edge
Access
Wireless
Intelligent Wireless
VLAN=Quarantine
Point5
Thick Wireless Edge
Assessment Authentication
3-8 Use Scenarios
Scenario 2 Implementation
Scenario 2 Intelligent Wireless Access Edge
Scenario 3 Non-intelligent Access Edge Wired and Wireless
Layer 3 Wired LAN
Layer 2 Wired LAN
Layer 2 Wireless LAN
Figure 3-5 Non-intelligent Access Edge Wired and Wireless
Scenario 4 VPN Remote Access
Scenario 3 Implementation
Figure 3-6 VPN Remote Access
Scenario 4 Implementation
NAC Manager
4 Controller
Table 3-1 Use Scenario Summaries
Use Scenario
Summary and Appliance Requirements
Summary
Table 3-1 Use Scenario Summaries continued
Use Scenario
Summary and Appliance Requirements
Summary
Design Planning
Identify the NAC Deployment Model
Survey the Network
1. Identify the Intelligent Edge of the Network
Figure 4-1 Network with Intelligent Edge
Policy‐enabled Enterasys devices at the physical edge of the network
Figure 4-2 Network with Non-Intelligent Edge
2. Evaluate Policy/VLAN and Authentication Configuration
Case #1 No authentication method is deployed on the network
Case #2 Authentication methods are deployed on the network
Overview of Supported Authentication Methods
Support of Multiple Authentication Methods
End-System Capabilities
Support for Multiple End-System Connection
MAC Authentication
Authentication Support on Enterasys Devices
Authentication Considerations
3. Identify the Strategic Point for End-System Authorization
Wired LAN
Wireless LAN
Thick Wireless Deployments
4. Identify Network Connection Methods
Site-to-Site VPN
Remote Access WAN
Thin Wireless Deployments
Summary
Remote Access VPN
Identify Inline or Out-of-band NAC Deployment
Wired LAN Wireless LAN Remote Access WAN Site‐to‐Site VPN
1. Identify Required NetSight Applications
Design Procedures
Procedures for Out-of-Band and Inline NAC
5-2 Design Procedures
2. Define Network Security Domains
Procedures for Out-of-Band and Inline NAC
NAC Configurations
Figure 5-1 Security Domain
Assessment
Figure 5-2 NAC Configuration
Authentication
Authorization
How health results are processed
5-6 Design Procedures
Figure 5-3 NAC Configuration for a Security Domain
Procedures for Out-of-Band and Inline NAC
Table 5-1 Security Domain Configuration Guidelines
Security Domain Configuration
Network Scenario
Examples
Table 5-1 Security Domain Configuration Guidelines continued
Security Domain Configuration
Network Scenario
Examples
Table 5-1 Security Domain Configuration Guidelines continued
Security Domain Configuration
Network Scenario
Examples
Table 5-2 Security Domain Configuration Guidelines for Assessment
Security Domain Configuration
Network Scenario
Examples
Security Domain Configuration
Procedures for Out-of-Band and Inline NAC
Network Scenario
Examples
3. Identify Required MAC and User Overrides
MAC Overrides
Enterasys NAC Design Guide
Figure 5-4 MAC and User Override Configuration
Procedures for Out-of-Band and Inline NAC
Table 5-3 MAC Override Configuration Guidelines
Security Domain Configuration
Network Scenario
Examples
Table 5-3 MAC Override Configuration Guidelines continued
Security Domain Configuration
Network Scenario
Examples
User Overrides
Table 5-3 MAC Override Configuration Guidelines continued
Security Domain Configuration
Network Scenario
Assessment Design Procedures
1. Determine the Number of Assessment Servers
3. Identify Assessment Server Configuration
2. Determine Assessment Server Location
Out-of-Band NAC Design Procedures
1. Identify Network Authentication Configuration
2. Determine the Number of NAC Gateways
Table 5-4 End-System Limits for NAC Gateways
NAC Gateway Model
Concurrent End-Systems Supported
Figure 5-5 NAC Gateway Redundancy
3. Determine NAC Gateway Location
4. Identify Backend RADIUS Server Interaction
5. Determine End-System Mobility Restrictions
8. Define NAC Access Policies
6. VLAN Configuration
7. Policy Role Configuration
Failsafe Policy and Accept Policy Configuration
Assessment Policy and Quarantine Policy Configuration
Figure 5-6 Policy Role Configuration in NetSight Policy Manager
Assessment Policy
Figure 5-7 Service for the Assessing Role
Quarantine Policy
Inline NAC Design Procedures
Figure 5-8 Service for the Quarantine Role
1. Determine NAC Controller Location
Unregistered Policy
However, the closer the NAC Controller is placed to the edge of the network, the more NAC Controllers are required on the network, increasing NAC deployment cost and complexity. Conversely, when moving the NAC Controller towards the core of the network, fewer NAC Controllers are required, decreasing NAC deployment cost and complexity, but also decreasing the level of security
2. Determine the Number of NAC Controllers
Table 5-5 End-System Limits for NAC Controllers
NAC Controller Model
Concurrent End-Systems Supported
Figure 5-9 Layer 2 NAC Controller Redundancy
Figure 5-10 Layer 3 NAC Controller Redundancy
4. Define Policy Configuration
3. Identify Backend RADIUS Server Interaction
Failsafe Policy and Accept Policy Configuration
Assessment Policy and Quarantine Policy Configuration
Additional Considerations
NAC Deployment With an Intrusion Detection System IDS
NAC Deployment With NetSight ASM
Unregistered Policy
5-34 Design Procedures
Additional Considerations
