Enterasys Networks 9034385 manual Identify Backend RADIUS Server Interaction

Inline NAC Design Procedures

3. Identify Backend RADIUS Server Interaction

Layer 2 NAC Controllers detect downstream end‐systems via authentication: MAC, web‐based, or 802.1X. If web‐based or 802.1X authentication is implemented, then a backend RADIUS server must be configured to validate end user credentials in the authentication process. For each Layer 2 NAC Controller, primary and secondary RADIUS servers may be specified for the validation of user/device network login credentials on the network.

4. Define Policy Configuration

Policies are assigned to downstream end‐systems on the NAC Controller to authorize connecting devices with a level of network access. A default set of policies are automatically configured on each NAC Controller after installation and initialization of the appliance. This set of policies includes all policies defined by default in NAC Manager, such as Enterprise User, Quarantine, Assessing, Unregistered, and Failsafe. It is strongly recommended that the policy configurations of all NAC Controllers are imported into NetSight Policy Manager, reviewed, and appropriately modified, prior to the full rollout of inline NAC.

Failsafe Policy and Accept Policy Configuration

The Failsafe Policy is assigned to end‐systems when an error occurs in the NAC process. The Failsafe policy role is configured by default on the NAC Controller to be used as the Failsafe Policy in NAC Manager. This policy is restrictive, allowing DNS and DHCP, and redirecting web traffic to serve back a web page stating an error has occurred on the network, while discarding all other types of traffic.

If it is desired to open network access when an error is encountered, the Enterprise User policy role can be selected as the Failsafe Policy in the NAC Configuration. The Enterprise User policy role is fairly open, permitting most types of communication onto the network. For security purposes the Enterprise User policy role does deny communication to the NAC Controller over TCP and UDP ports (utilized for administrative purposes, such as RADIUS and SSH). In addition, the Enterprise User policy discards all communication to NAC Managerʹs IP address for further security hardening. This policy role can be altered to further control which services a compliant end‐system is allowed to utilize.

The Accept Policy is assigned to end‐systems when they are deemed compliant. The Enterprise User policy role is configured by default on the NAC Controller to be used as the Accept Policy in NAC Manager.

Assessment Policy and Quarantine Policy Configuration

The Assessment Policy and Quarantine Policy are used when end‐system assessment is implemented in the NAC deployment. The Assessment Policy may be used to temporarily allocate a set of network resources to end‐systems while they are being assessed. The Assessing policy role is configured by default on NAC Controllers to be used as the Assessment Policy in NAC Manager. This policy allows DNS and DHCP, and any traffic destined to the IP address of the assessment servers deployed on the network. The policy also redirects web traffic to serve back a web page stating that the end‐system has been restricted access while its security posture is being determined. All other types of traffic are discarded.

If it is desired to open network access while an end‐system is being assessed, the use of the Assessment Policy can be disabled in the NAC configuration, or the Enterprise User policy role can be selected as the Assessment Policy instead. It is important to note that whenever a NAC configuration is enforced to the NAC Controller, the Assessment Policy is configured to allow

5-32 Design Procedures