Network Access Control
Enterasys
Design Guide
Enterasys Networks, Inc 50 Minuteman Road Andover, MA
About This Guide
Contents
Chapter 1 Overview
Chapter 2 NAC Deployment Models
Chapter 3 Use Scenarios
Chapter 4 Design Planning
Chapter 5 Design Procedures
Tables
Figures
About This Guide
Intended Audience
Related Documents
Getting Help
NAC Solution Overview
Overview
Key Functionality
Authentication
Authorization
Assessment
Remediation
Deployment Models
Model 1 End-System Detection and Tracking
Model 2 End-System Authorization
Model 3 End-System Authorization with Assessment
Model 4 End-System Authorization with Assessment and Remediation
NAC Solution Components
The NAC Appliance
NAC Controller Appliance
NAC Gateway Appliance
The NAC Controller is available in two models
Appliance Comparison
Table 1-2 Comparison of Appliance Functionality
NAC Function
NAC Gateway
Table 1-3 Comparison of Appliance Advantages and Disadvantages
Features
NAC Gateway
NAC Controller
NetSight Management
NetSight NAC Manager
NetSight Console
RADIUS Server
Assessment Server
Summary
Enterasys offers two types of NAC appliances
NAC Deployment Models
Model 1 End-System Detection and Tracking
Implementation
Out-of-Band NAC
Inline NAC Layer
Features and Value
End-System and User Tracking
IP-to-ID functionality for Security Information Management (SIM)
Required and Optional Components
Table 2-1 Component Requirements for Detection and Tracking
Component
Model 2 End-System Authorization
Authorization - The NAC Gateway allocates the appropriate network resources to the end-system based on device identity, user identity, and location. For Enterasys policy-enabled edge switches, the NAC Gateway formats information in the RADIUS authentication messages that directs the edge switch to dynamically assign a particular policy to the connecting end-system. For RFC 3580-capable edge switches, the NAC Gateway formats information in the RADIUS authentication messages in the form of RFC 3580 VLAN Tunnel attributes that directs the edge switch to dynamically assign a particular VLAN to the connecting end-system. The NAC Gateway may deny the end-system access to the network by sending a RADIUS Access-Reject message to the edge switch, or it may assign the end-system a set of network resources by specifying a particular policy or VLAN for the edge switch to apply to the authenticated end-system.
Implementation
Out-of-Band NAC
Inline NAC
Features and Value
User-Based Authorization
Device-Based Authorization
Location-Based Authorization
MAC Registration
Post-Connect NAC integration with NetSight Automated Security Manager
Required and Optional Components
Table 2-2 Component Requirements for Authorization
Model 3 End-System Authorization with Assessment
Implementation
Out-of-Band NAC
Inline NAC
Features and Value
Extensive Security Posture Compliance Verification
Diverse Security Posture Compliance Verification
Required and Optional Components
Table 2-3 Component Requirements for Authorization with Assessment
Model 4 End-System Authorization with Assessment and Remediation
Implementation
Out-of-Band NAC
Inline NAC
Features and Value
Self-Service Remediation
Required and Optional Components
Table 2-5 Enterasys NAC Deployment Models
Deployment Model
Value
Summary
Use Scenarios
Scenario 1 Intelligent Wired Access Edge
Policy-Enabled Edge
RFC 3580 Capable Edge
Scenario 1 Implementation
Scenario 2 Intelligent Wireless Access Edge
Thin Wireless Edge
Thick Wireless Edge
Scenario 2 Implementation
Scenario 3 Non-intelligent Access Edge Wired and Wireless
Layer 2 Wired LAN
Layer 3 Wired LAN
Layer 2 Wireless LAN
Figure 3-5 Non-intelligent Access Edge Wired and Wireless
Scenario 3 Implementation
Scenario 4 VPN Remote Access
Figure 3-6 VPN Remote Access
Scenario 4 Implementation
Table 3-1 Use Scenario Summaries
Use Scenario
Summary and Appliance Requirements
Summary
Design Planning
Identify the NAC Deployment Model
1. Identify the Intelligent Edge of the Network
Survey the Network
Policy-enabled Enterasys devices at the physical edge of the network
Figure 4-1 Network with Intelligent Edge
Figure 4-2 Network with Non-Intelligent Edge
2. Evaluate Policy/VLAN and Authentication Configuration
Case #1 No authentication method is deployed on the network
Case #2 Authentication methods are deployed on the network
Overview of Supported Authentication Methods
End-System Capabilities
Support of Multiple Authentication Methods
Support for Multiple End-System Connection
MAC Authentication
Authentication Considerations
Authentication Support on Enterasys Devices
3. Identify the Strategic Point for End-System Authorization
4. Identify Network Connection Methods
Wired LAN
Wireless LAN
Thick Wireless Deployments
Thin Wireless Deployments
Remote Access WAN
Site-to-Site VPN
Remote Access VPN
Identify Inline or Out-of-band NAC Deployment
Summary
Wired LAN, Wireless LAN, Remote Access WAN, Site-to-Site VPN
Design Procedures
Procedures for Out-of-Band and Inline NAC
1. Identify Required NetSight Applications
2. Define Network Security Domains
Figure 5-1 Security Domain
NAC Configurations
Figure 5-2 NAC Configuration
Authentication
Assessment
How health results are processed
Authorization
Figure 5-3 NAC Configuration for a Security Domain
Table 5-1 Security Domain Configuration Guidelines
Network Scenario
Examples
Security Domain Configuration
Table 5-2 Security Domain Configuration Guidelines for Assessment
Network Scenario
Examples
Security Domain Configuration
3. Identify Required MAC and User Overrides
Figure 5-4 MAC and User Override Configuration
MAC Overrides
Table 5-3 MAC Override Configuration Guidelines
Network Scenario
Examples
Security Domain Configuration
User Overrides
Assessment Design Procedures
1. Determine the Number of Assessment Servers
2. Determine Assessment Server Location
3. Identify Assessment Server Configuration
Out-of-Band NAC Design Procedures
1. Identify Network Authentication Configuration
2. Determine the Number of NAC Gateways
Table 5-4 End-System Limits for NAC Gateways
NAC Gateway Model
Concurrent End-Systems Supported
Figure 5-5 NAC Gateway Redundancy
3. Determine NAC Gateway Location
4. Identify Backend RADIUS Server Interaction
5. Determine End-System Mobility Restrictions
6. VLAN Configuration
7. Policy Role Configuration
8. Define NAC Access Policies
Failsafe Policy and Accept Policy Configuration
Assessment Policy and Quarantine Policy Configuration
Figure 5-6 Policy Role Configuration in NetSight Policy Manager
Assessment Policy
Figure 5-7 Service for the Assessing Role
Quarantine Policy
Figure 5-8 Service for the Quarantine Role
Inline NAC Design Procedures
1. Determine NAC Controller Location
However, the closer the NAC Controller is placed to the edge of the network, the more NAC Controllers are required on the network, increasing NAC deployment cost and complexity. Conversely, moving the NAC Controller towards the core of the network requires fewer NAC Controllers, decreasing NAC deployment cost and complexity, but also decreasing the level of security.
2. Determine the Number of NAC Controllers
Table 5-5 End-System Limits for NAC Controllers
NAC Controller Model
Concurrent End-Systems Supported
Figure 5-9 Layer 2 NAC Controller Redundancy
Figure 5-10 Layer 3 NAC Controller Redundancy
3. Identify Backend RADIUS Server Interaction
4. Define Policy Configuration
Failsafe Policy and Accept Policy Configuration
Assessment Policy and Quarantine Policy Configuration
Unregistered Policy
Additional Considerations
NAC Deployment With an Intrusion Detection System (IDS)
NAC Deployment With NetSight ASM