-
Enterasys 9034385 - page 1
Enterasys ® Network Access Control Design Guide P/N 9034385 ...
-
Enterasys 9034385 - page 2
...
-
Enterasys 9034385 - page 3
i Notice Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web si te without prior notice. The reader should in all cases co nsult Enterasys Netw orks ...
-
Enterasys 9034385 - page 4
ii ...
-
Enterasys 9034385 - page 5
iii Contents About This Guide Intended Audience .......... ............. ................. ............ ................. ............. ................ ........... .................. ............. vii Related Documents ............... ............. ................ ............. ................ ............. ................ ....... ............ ...
-
Enterasys 9034385 - page 6
iv Chapter 3: Use Scenarios Scenario 1: Intelligent Wired Access E dge ............ ............. ................ ................ ............. ............... ..... ........... 3-1 Policy-Enabled Edge ................. ............. ............ ................. ............. ............ ............. .......... ................ ..... 3-2 RFC ...
-
Enterasys 9034385 - page 7
v Unregistered Policy ................... ............. ............. ................ ............. ................ ............. ..... .............. 5-28 Inline NAC Design Procedures ........... ................ ............. ................ ................ ............. ............. .......... ......... 5-28 1. Determine NAC Contro ller Loc ...
-
Enterasys 9034385 - page 8
vi ...
-
Enterasys 9034385 - page 9
Enterasys NAC Design Gu ide vii About This Guide The NAC Design Guide describes the technical considerations for the planning and design of the Enterasys Netw ork Access Contr ol (NAC) solution. The guide includes the following information: Inten ...
-
Enterasys 9034385 - page 10
Getting Help viii About This Guide •E n t e r a s y s NA C Manager Online Help. Explains how to use NAC Manager to configure you r NAC appliances, and to put in place authenti cation and assessment requirements for the end ‐ systems a ...
-
Enterasys 9034385 - page 11
Enterasys NAC Design Guide 1-1 1 Overview This chapter provides an overview of the Enterasys Network Access Control (NAC) solution, including a descripti on of key NAC functions and deployment models. It also introd uces the required and ...
-
Enterasys 9034385 - page 12
NAC Solution Overview 1-2 Overview Assessment Determine if th e device complies with corporate security and configuration requirements, such as operating system patch revision levels and anti virus signature definitions. Other security compliance req ...
-
Enterasys 9034385 - page 13
NAC Solution Overview Enterasys NAC Design Guide 1-3 Model 1: End-system Detection and T racking This NAC deployment model implements the detection piece of NAC functionality . It supports the ability to track users and end ‐ sys tems over time by identify ...
-
Enterasys 9034385 - page 14
NAC Solution Components 1-4 Overview NAC Solution Component s This section discusses the required and optional components of the Enterasys NAC solution, beginning with the following table that summarizes the component requirements for each of the ...
-
Enterasys 9034385 - page 15
NAC Solution Components Enterasys NAC Design Guide 1-5 Enterasys offers two types of NA C appliances: the NAC Gatew ay appliance implements out ‐ of ‐ band network access control, and the NAC Controller appliance implements inline network access ...
-
Enterasys 9034385 - page 16
NAC Solution Components 1-6 Overview of supporting authentication and/or authorization. The NAC Controller is also required in IPSec and SSL VPN deployments. The NAC Controller provides integrated vulnerability assessment serv er functionality an ...
-
Enterasys 9034385 - page 17
NAC Solution Components Enterasys NAC Design Guide 1-7 Appliance Comp arison The following table compares how the two NA C appliance types implement the five NAC functions. T able 1-2 Comp arison of Appliance Funct ionality NAC Function NAC Gateway NAC Controller Detection RADIUS authenticatio ...
-
Enterasys 9034385 - page 18
NAC Solution Components 1-8 Overview Ta b l e 1 ‐ 3 outlines the advantages and disadv antages of the two appliance types as they pertain to network securi ty , scalabilit y , and configuration/implementation. T able 1-3 Comp arison of Appliance Adva ntag es and Disadvant ...
-
Enterasys 9034385 - page 19
NAC Solution Components Enterasys NAC Design Guide 1-9 NetSight Management The NAC appliances are configured, monit ored, and managed through management applications within the Enterasys NetSight Suite. Net Sight is a family of products comprised of NetS ...
-
Enterasys 9034385 - page 20
Summary 1-10 Overview NetSight Console NetSight Console is used to monitor the health and status of infrastructure devices in the netw ork, including switches, routers, Enterasys NAC appliances (NAC Gatew ays and NAC Controllers) as wel l ...
-
Enterasys 9034385 - page 21
Summary Enterasys NAC Design Guide 1 -11 •M o d e l 3: End ‐ Syst em Authorization with Assessment ‐ Implements detection , authentication , assessment , and authorization to provide network access control based on the security posture of a conne ...
-
Enterasys 9034385 - page 22
Summary 1-12 Overview ...
-
Enterasys 9034385 - page 23
Enterasys NAC Design Guide 2-1 2 NAC Deployment Models This chapter descri bes the four NAC deployment models and how they build on each other to provide a complete NAC solution. The first model imple ments a subset of the fiv e k ...
-
Enterasys 9034385 - page 24
Model 1: End-System Detection and Tracking 2-2 NAC Deployment Models RADIUS Access ‐ Accept or Access ‐ Reject message received from the upstream RADIUS server , is returned without modification to the access edge switch, to permit end ‐ system access ...
-
Enterasys 9034385 - page 25
Model 2: End-System Authorization Enterasys NAC Design Guide 2-3 and information on the network. Enteras ys NAC can be leveraged to provide information to SIM solutions, by mapping an IP address to an identity , such as a MAC address ...
-
Enterasys 9034385 - page 26
Model 2: End-System Authorization 2-4 NAC Deployment Models device ide ntity , us er identity , and/or location information is used to authorize the connecting end ‐ system with a certain level of netw ork access. It is important to note that ? ...
-
Enterasys 9034385 - page 27
Model 2: End-System Authorization Enterasys NAC Design Guide 2-5 The NAC Controller may eithe r deny the end ‐ system access to the network or assign the end ‐ system to a particular set of networ k reso urces by specifying a particular p ...
-
Enterasys 9034385 - page 28
Model 2: End-System Authorization 2-6 NAC Deployment Models is only provisioned by the Enterasys NAC sol ution when the devices connect to switches in the Network Operations Center (NOC). This level of granularity in provisioning access to ? ...
-
Enterasys 9034385 - page 29
Model 2: End-System Authorization Enterasys NAC Design Guide 2-7 a password in the registration web page. This sponsor username and passw ord can be va l i d a te d agai nst an existing database on the netw ork to authentica te the sponsor ʹ s i ...
-
Enterasys 9034385 - page 30
Model 3: End-System Authorization with Assessment 2-8 NAC Deployment Models A RADIUS serv er is only required if out ‐ of ‐ band netw ork access control using the NAC Gatewa y , or inline netw ork access control using the Layer 2 NAC Co ntroller ...
-
Enterasys 9034385 - page 31
Model 3: End-System Authorization with Assessment Enterasys NAC Design Guide 2-9 server is running or if the HTTP server is out ‐ of ‐ date) and client ‐ side checks (run ning applications, softw are configurations, instal led operating system patches) provide ...
-
Enterasys 9034385 - page 32
Model 3: End-System Authorization with Assessment 2-10 NAC Deployment Models Features and V alue In addition to the features and val u e s found in Model 1 and Model 2, the following are key pieces of functionality and va lu e propositions supported ...
-
Enterasys 9034385 - page 33
Model 3: End-System Authorization with Assessment Enterasys NAC Design Guide 2 -11 •A p p l i c a t i o n configuration The NAC solution can determine which services and applications are installed and enabled on the end ‐ system. Certain applications should be r ...
-
Enterasys 9034385 - page 34
Model 4: End-System Authorization with Assessment and Remediation 2-12 NAC Deployment Models Required and Optional Component s This section summarizes the required and optional components for Mod el 3. . The NAC Gatew ay and NAC Controller are the NAC appliances used ? ...
-
Enterasys 9034385 - page 35
Model 4: End-System Authorization with Assessment and Reme diation Enterasys NAC Design Guide 2 -13 Assisted remediation informs end users when their end ‐ systems have been quarantin ed due to network securi ty policy non ‐ compliance, and allows end users to ? ...
-
Enterasys 9034385 - page 36
Model 4: End-System Authorization with Assessment and Remediation 2-14 NAC Deployment Models Inline NAC For inline Enterasys NAC deployments utilizing the Lay er 2 or Layer 3 NAC Controller , the NAC functions are implemented in the following way : Detection ...
-
Enterasys 9034385 - page 37
Model 4: End-System Authorization with Assessment and Reme diation Enterasys NAC Design Guide 2 -15 traffic with specific source and destination cha racteristics as well as specific app lication identifiers (UDP/TCP ports). In addi tion, the Enterasys NAC solution w ...
-
Enterasys 9034385 - page 38
Summary 2-16 NAC Deployment Models Summary Enterasys supports all of the five key NAC functions: detection, authentication, assessment, authorization, and remediation. Howev er , not all fiv e functions need to be implemented concurrently in a ? ...
-
Enterasys 9034385 - page 39
Enterasys NAC Design Guide 3-1 3 Use Scenarios This chapter describes four NAC use scenarios that illustrate how the type of NAC deployment is directly dependent on the infrastructure devices deployed in the netw ork. For some network ...
-
Enterasys 9034385 - page 40
Scenario 1: Intelligent Wired Access Edge 3-2 Use Scenarios within the same Quarantine VLAN because the authorization point is usually implemented at the exit point of the VLAN via Access Control Lists (ACL s). Policy-Enabled Edge The fol lowing figu ...
-
Enterasys 9034385 - page 41
Scenario 1: Intelligent Wired Access Edge Enterasys NAC Design Guide 3-3 RFC 3580 Cap able Edge In this figure the NAC Gatew ay and the other Enterasys NAC components provide network access control for a network with third ‐ party switches that support ...
-
Enterasys 9034385 - page 42
Scenario 1: Intelligent Wired Access Edge 3-4 Use Scenarios Scenario 1 Implementation In the intelligent wi red edge use scenario, the five NAC functions are implemented in the following manner: 1. Detection ‐ The user ʹ s end ‐ sy stem connects to th ...
-
Enterasys 9034385 - page 43
Scenario 2: Intelligent Wireless Access Edge Enterasys NAC Design Guide 3-5 intellig ent edge on the network. The Mat rix N ‐ series switch is capable of authenticating and authorizing multiple devices connected to a single port for a vari e t y of ...
-
Enterasys 9034385 - page 44
Scenario 2: Intelligent Wireless Access Edge 3-6 Use Scenarios Figure 3-3 Intelligent Wirele ss Access Edge - Thin APs with W ireless Switch 1 4 3 2 Wireless Access Point 5 3 Enterasys NAC Manager Intelligent Wireless Controller (RFC 3850-compliant) NAC Gateway (out- of-band appliance) Assessment Server Authentication Server (optionally integrated ...
-
Enterasys 9034385 - page 45
Scenario 2: Intelligent Wireless Access Edge Enterasys NAC Design Guide 3-7 Thick Wireless Edge In a thick wireless deployment, access points forward wirele ss end ‐ system traffic directly onto the wired infrastructure without the use of a wireless switch. ? ...
-
Enterasys 9034385 - page 46
Scenario 2: Intelligent Wireless Access Edge 3-8 Use Scenarios Scenario 2 Implementation In the intelligent wireless access edge use scen ario, the five NAC functions are implemented in the following manner: 1. Detection ‐ The user ʹ s end ‐ sy stem conne ...
-
Enterasys 9034385 - page 47
Scenario 3: Non-intelligent Access Edge (Wired and Wireless) Enterasys NAC Design Guide 3-9 It is important to note that if the wireless edge of the network is non ‐ i ntelligent and not capable of authenticating and authorizing wireless end ‐ systems, ? ...
-
Enterasys 9034385 - page 48
Scenario 3: Non-intelligent Access Edge ( Wired and Wireless) 3-10 Use Scenarios Figure 3-5 Non-intelligent Access Edge (W ired and Wireless) 2 3 3 3 4 5 1 3 Enterasys NAC Manager NAC Controller (inline appliance) Assessment Server Authentication Server (optionally integrated in NAC Controller) Role= Quarantine Layer 3 Wired LAN Role= Quarantine Ro ...
-
Enterasys 9034385 - page 49
Scenario 4: VPN Remote Access Enterasys NAC Design Guide 3 -11 Scenario 3 Implementation In the non ‐ intelligent access edge use scenario, the five NAC functions are implemented in the following manner: 1. Detection ‐ The user ʹ s end ‐ sy stem connects ? ...
-
Enterasys 9034385 - page 50
Scenario 4: VPN Remote Access 3-12 Use Scenarios Figure 3-6 VPN Remote Access Scenario 4 Implementation In the VPN remote access use scenario, the five NAC functions are implemented in the following manner with the deployment of the NAC Controller for ? ...
-
Enterasys 9034385 - page 51
Summary Enterasys NAC Design Guide 3 -13 5. Remediation ‐ When the quarantined end user opens a web browser to any web site, its traffic is dynamically redirect ed to a Remediation web page that describes the compliance violation ...
-
Enterasys 9034385 - page 52
Summary 3-14 Use Scenarios Scenario 4: VPN remote access Summary: VPN concentrators act as a termination point for remote access VPN tunn els into the enterprise network. Appliance Requirement: NAC Contr oller Inline net work access control is implem ented by deploying the NAC Controller appliance to locally authorize connecting end-systems. T able ...
-
Enterasys 9034385 - page 53
Enterasys NAC Design Guide 4-1 4 Design Planning This chapter descri bes the steps yo u should take as yo u begin planning yo ur NAC deployment. The first step is to identify the deployment model that best meets you r business objecti ...
-
Enterasys 9034385 - page 54
Survey the Network 4-2 Design Planning access to a web browser to safely remediate their quarantined end ‐ syst em without impacting IT operations. Once a deployment model is se lected, the current network infrastructure must be examined to ...
-
Enterasys 9034385 - page 55
Survey the Network Enterasys NAC Design Guide 4-3 The network shown in Figure 4 ‐ 1 below , illustrates the following three examples of how the intellig ent edge can be implemented in a networ k. • Policy ‐ enabled Enterasys devices at the ...
-
Enterasys 9034385 - page 56
Survey the Network 4-4 Design Planning For the inline implementation of the Enterasys NAC solution, the NAC Controller authenticates and authorizes end ‐ systems locally on the appliance, and does not rely on the capabilities of downstr ...
-
Enterasys 9034385 - page 57
Survey the Network Enterasys NAC Design Guide 4-5 to locally authorize all MAC authentication reque sts for connecting end ‐ systems, thereby not requiring a li st of known MAC addre sses. In fact, Enterasys NAC can be configur ed in a ...
-
Enterasys 9034385 - page 58
Survey the Network 4-6 Design Planning Similar to 802.1X, web ‐ based authentication requires the input of credentials and is normally use d on user ‐ centric end ‐ systems that hav e a concept of an associated user , such as a PC. ...
-
Enterasys 9034385 - page 59
Survey the Network Enterasys NAC Design Guide 4-7 system at a time, then it is sugg ested that MAC locking (also known as Po r t Secu rity) be enabled on the edge switches to restrict the number of connecting devi ces. If multiple ...
-
Enterasys 9034385 - page 60
Survey the Network 4-8 Design Planning authenticated to the netw ork and interact with Enter asys NAC for authenticati on, assessment, authorization, and remediation. Note how ever , that this configuration may not be possible if trusted users ? ...
-
Enterasys 9034385 - page 61
Survey the Network Enterasys NAC Design Guide 4-9 If the network infrastructure does not contain intelligent devices at the edg e or distributi on layer , then inline NAC using the NAC Controller as the authorization point for connecting ...
-
Enterasys 9034385 - page 62
Survey the Network 4-10 Design Planning this case, the thick AP deployment falls into the category of non ‐ intelligent ed ge devices with the same NAC implementations as a non ‐ intelligent wired edge. These non ‐ intelligent APs must ...
-
Enterasys 9034385 - page 63
Identify Inline or Out-of-band NAC Dep loyment Enterasys NAC Design Guide 4 -11 Remote Access VPN In many enterprise environments, a VPN concentrator located at the main site connects to the Internet to provide VPN access to remote users. In this sce ...
-
Enterasys 9034385 - page 64
Summary 4-12 Design Planning server . In addi tion, NAC can also be configured to locally authorize MA C authentication requests. 3. Identify the strategic point in the network where end ‐ system authorization should be implemented. The mos ...
-
Enterasys 9034385 - page 65
Enterasys NAC Design Guide 5-1 5 Design Procedures This chapter descri bes the design procedures for Enterasys NAC deployment on an ente rprise network. The first section discusses procedures for both out ‐ of ‐ band and inline NAC deployments. ? ...
-
Enterasys 9034385 - page 66
Procedures for Out-of-Band and Inline NAC 5-2 Design Procedures Po l i c y Manager is not re quired for out ‐ of ‐ band NAC that utilizes RFC 3580 ‐ compliant switches (Enterasys and third ‐ party switches). In this case, a VLAN is specified in ? ...
-
Enterasys 9034385 - page 67
Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-3 Figure 5-1 Se curity Domain NAC Configurations Each Security Domain has a default “NAC configuration” that defines the authentication, assessment, and authorization parameters for all end ‐ systems ? ...
-
Enterasys 9034385 - page 68
Procedures for Out-of-Band and Inline NAC 5-4 Design Procedures Figure 5-2 NAC Configuration Authentication The Authenticati on settings define how RADIUS requests are handled for au thenticating end ‐ systems (this does not apply to Layer 3 NAC Controllers.) This ...
-
Enterasys 9034385 - page 69
Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-5 •H o w health results are processed. When an assessment is performed on an end ‐ syste m, a “health result” is generated. For each health result, there may be sev eral ? ...
-
Enterasys 9034385 - page 70
Procedures for Out-of-Band and Inline NAC 5-6 Design Procedures The following figure shows the NAC Manager window used to create or edit a NAC Configuration and defi ne its authentication, assessment, and a uthorization attributes. Figure 5-3 NAC Configurati ...
-
Enterasys 9034385 - page 71
Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-7 The following table provides examples of var i o u s network scenarios that should be considered when identifyi ng the number and configuration of Sec urity Domains in your NAC ...
-
Enterasys 9034385 - page 72
Procedures for Out-of-Band and Inline NAC 5-8 Design Procedures Area of the network that provides access to a group of users or devices that pose a potentiall y high risk to the security or stability of the network. • Switches that provide access to guest users or contractors on a corporate network. These users are usually not directly unde r the ...
-
Enterasys 9034385 - page 73
Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-9 Area of the network that is configured to allow access only to specific end-systems or users. • Switches that provide access to only pre-configured end-systems and users in highly controlled environments, such as industrial automation networks. For the NAC Gateway , reject a ...
-
Enterasys 9034385 - page 74
Procedures for Out-of-Band and Inline NAC 5-10 Design Procedures The following table provides network scenarios from an as sessment standpoint that should be taken into account when identifying the number and configuration of Security Domains. T able 5-2 ...
-
Enterasys 9034385 - page 75
Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5 -11 Area of the network, or a group of end-systems or users, that require assessment with immediate network access. • Switches that provide network acce ss to mission critical servers, mandating uninterrupted network con nectivity while still implementing assessment. • Switc ...
-
Enterasys 9034385 - page 76
Procedures for Out-of-Band and Inline NAC 5-12 Design Procedures 3. Identify Required MAC and User Overrides MAC and user overr ides are used to handle end ‐ syste ms that require a different set of authentication, assessment, and authorization parameters from the ...
-
Enterasys 9034385 - page 77
Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5 -13 The following figure display s the windows used for MAC and user override configura tion in NAC Manager . Notice that either an existing NAC Config uration can be used or ...
-
Enterasys 9034385 - page 78
Procedures for Out-of-Band and Inline NAC 5-14 Design Procedures The following table describes scenarios where a MAC ov erride may be configured for a particular end ‐ system. T able 5-3 MAC Override Configuratio n Guidelines Network Scenario Examples Security Domain Config uration A dev ...
-
Enterasys 9034385 - page 79
Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5 -15 A device or class of devices needs to be restricted network access (“blacklisted”) in a particular Security Domain or in all Security Domains. Denying access or quarantining the MAC addresses of laptops used b y guests or contractors in those areas of the network designa ...
-
Enterasys 9034385 - page 80
Procedures for Out-of-Band and Inline NAC 5-16 Design Procedures User Overrides A user ov erride lets you create a configuration for a specific end user , based on the user name. For example, you could create a user override that gives a ...
-
Enterasys 9034385 - page 81
Assessment Design Procedures Enterasys NAC Design Guide 5 -17 Manager will not match this end ‐ system and the end ‐ sy stem is assigned the Security Domain’ s default NAC config uration. In addition, the Layer 3 NAC Controller is not able ...
-
Enterasys 9034385 - page 82
Assessment Design Procedures 5-18 Design Procedures 2. Determine Assessm ent Server Location When determining the location of the assessme nt servers on th e network, the following factors should be considered: •T h e type of assessment: agent ‐ less or agen ...
-
Enterasys 9034385 - page 83
Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5 -19 configuration if the security vul nerability is considered a risk for the organization. For more information on Nessus, ref er to http://nessus.org/ . Out-of-Band NAC Design Procedures The following ...
-
Enterasys 9034385 - page 84
Out-of-Band NAC Design Procedures 5-20 Design Procedures 2. Determine the Number of NAC Gateways The number of NAC Gatew ays to be depl oyed on the netw ork is a function of the following parameters: •T h e number of Security Domains configured on th e ...
-
Enterasys 9034385 - page 85
Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5 -21 Figure 5-5 NAC Gateway Redund ancy It is important that the secondary NAC Gatew ay does not exceed maximum capacity if the primary NAC Gatew ay fails on the network. For example, let’ s ...
-
Enterasys 9034385 - page 86
Out-of-Band NAC Design Procedures 5-22 Design Procedures primary NAC Gatew ay , the transition to the secondary NAC Gateway wi ll not exceed maximum capacity . To support redundancy within a Secu rity Domain for either approach, one addi tional ? ...
-
Enterasys 9034385 - page 87
Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5 -23 It is important to not e that only the NAC Gateways that are configured with remediation and registration functionality need to be positioned in such a manner . All other ...
-
Enterasys 9034385 - page 88
Out-of-Band NAC Design Procedures 5-24 Design Procedures 6. VLAN Configuration This step is for NA C deployments tha t use RFC ‐ 3580 ‐ compliant switches in the intelligent edge of the network to impl ement dynamic VLAN assignment of connecting devi ...
-
Enterasys 9034385 - page 89
Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5 -25 previously specified in the NAC configuration must be def ined in NetSight Pol i c y Manager to ensure the consistent allocation of network resources to co nnecting end ‐ systems. Failsafe ...
-
Enterasys 9034385 - page 90
Out-of-Band NAC Design Procedures 5-26 Design Procedures Figure 5-6 Policy Role Configuration in NetSig ht Policy Manager Assessment Policy The Assessment Pol ic y may be used to temporarily allocate a set of network resources to end ‐ systems while they are being ass ...
-
Enterasys 9034385 - page 91
Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5 -27 Figure 5-7 Service for the Assessing Role Note that it is not mandatory to assign the Assessment Pol i cy to a connecting end ‐ system while it is being assessed. NAC can be configured ...
-
Enterasys 9034385 - page 92
Inline NAC Design Procedures 5-28 Design Procedures Figure 5-8 Service for the Quarantine Role Furthermore, the Quarantine Po l i c y and other network infrastructure devices must be configured to implement HTTP traffic redirection for quaranti ned end ‐ systems to ? ...
-
Enterasys 9034385 - page 93
Inline NAC Design Procedures Enterasys NAC Design Guide 5 -29 Howeve r , the closer the NAC Controller is placed to the edge of the network, the more NAC Controllers are required on the netw ork, increasing NAC deployment cost and complex ...
-
Enterasys 9034385 - page 94
Inline NAC Design Procedures 5-30 Design Procedures 2. Determine the Numb er of NAC Controllers The number of NAC Controllers to be deploy ed on the network is a function of the following parameters: •T h e network topology . Because the NAC Controller is ...
-
Enterasys 9034385 - page 95
Inline NAC Design Procedures Enterasys NAC Design Guide 5 -31 Figure 5-9 Layer 2 NAC Controller Redundancy For a Layer 3 NAC Controller , redundancy is achieved by implementing redundant Layer 3 NAC Controllers on adjacent, but separate networks as shown in ...
-
Enterasys 9034385 - page 96
Inline NAC Design Procedures 5-32 Design Procedures 3. Identify Backend RADIUS Server Interaction Layer 2 NAC Controllers detect downs tream end ‐ systems via authentication: MAC, web ‐ based, or 802.1X. If we b ‐ based or 802.1X authenti cation is implemented, th ...
-
Enterasys 9034385 - page 97
Additional Considerations Enterasys NAC Design Guide 5 -33 assessment server s to reach the end ‐ system while it is being assessed, regardless of whether the Assessing policy , Enterprise User policy , or any other policy ro le is utilized ...
-
Enterasys 9034385 - page 98
Additional Considerations 5-34 Design Procedures ...
Do you have a question concerning Enterasys 9034385?
Use the form below
If you did not solve your problem by using a manual Enterasys 9034385, ask a question using the form below. If a user had a similar problem with Enterasys 9034385 it is likely that he will want to share the way to solve it.