Enterasys® Network Access Control Design Guide, P/N 9034385
Notice
Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made. The hardware, firmware, or software described in this document is subject to change without notice.
Contents
About This Guide
Intended Audience vii
Related Documents vii
Getting Help
Chapter 3: Use Scenarios
Scenario 1: Intelligent Wired Access Edge 3-1
Policy-Enabled Edge 3-2
RFC 3580 Capable Edge 3-3
Scenario 1 Implementation
Unregistered Policy 5-28
Inline NAC Design Procedures 5-28
1. Determine NAC Controller Location 5-28
2. Determine the Number of NAC Controllers
About This Guide
The NAC Design Guide describes the technical considerations for the planning and design of the Enterasys Network Access Control (NAC) solution. The guide includes the following information:
For information about... / Refer to...
An overview of the Enterasys NAC Solution and a comparison between the inline NAC Controller and the out-of-band NAC Gateway appliances. / Chapter 1, Overview
The four different NAC deployment models and their requirements.
Getting Help
• Enterasys NAC Manager Online Help. Explains how to use NAC Manager to configure your NAC appliances, and to put in place authentication and assessment requirements for the end-systems accessing your network.
• Installing the Assessment Agent on the Lockdown Enforcer Appliance. Provides instructions for installing the Enterasys Networks Assessment Agent on the Lockdown Enforcer appliance (or another Linux system).
1 Overview
This chapter provides an overview of the Enterasys Network Access Control (NAC) solution, including a description of key NAC functions and deployment models. It also introduces the required and optional components of the Enterasys NAC solution, and presents a comparison between the inline NAC Controller for implementation of inline network access control and the out-of-band NAC Gateway for implementation of out-of-band network access control.
For information about... Refer to page...
NAC Solution Overview
Assessment - Determine if the device complies with corporate security and configuration requirements, such as operating system patch revision levels and antivirus signature definitions. Other security compliance requirements might include the physical location of the device and the time of day the connection attempt is made.
Model 1: End-system Detection and Tracking
This NAC deployment model implements the detection piece of NAC functionality. It supports the ability to track users and end-systems over time by identifying where they are currently connected to the network and where they have connected to the network at any given time in the past.
NAC Solution Components
This section discusses the required and optional components of the Enterasys NAC solution, beginning with the following table that summarizes the component requirements for each of the four deployment models. Table 1-1.
Enterasys offers two types of NAC appliances: the NAC Gateway appliance implements out-of-band network access control, and the NAC Controller appliance implements inline network access control. The following section describes how each NAC appliance implements network access control for connecting end-systems.
NAC Gateway Appliance
The NAC Gateway is utilized to implement out-of-band network access control for connecting end-systems.
of supporting authentication and/or authorization. The NAC Controller is also required in IPSec and SSL VPN deployments. The NAC Controller provides integrated vulnerability assessment server functionality and supports both agent-less (network-based) and agent-based assessment. (A separate license is required for integrated assessment.) It also supports the ability to connect to multiple external assessment servers including Nessus and Lockdown Enforcer.
Appliance Comparison
The following table compares how the two NAC appliance types implement the five NAC functions.
Table 1-2 Comparison of Appliance Functionality
NAC Function / NAC Gateway / NAC Controller
Detection / RADIUS authentication request is received from access edge switches. / Traffic sourced from a new end-system traverses the inline appliance.
Table 1-3 outlines the advantages and disadvantages of the two appliance types as they pertain to network security, scalability, and configuration/implementation.
Table 1-3 Comparison of Appliance Advantages and Disadvantages
Features / NAC Gateway / NAC Controller
Supported Connection Types / Disadvantage: Restricted to wired and wireless access edge with authentication and authorization functionality.
Table 1-3 Comparison of Appliance Advantages and Disadvantages (continued)
Features / NAC Gateway / NAC Controller
NAC Granularity / Advantage: The NAC Gateway is always aware of the MAC address of the device connecting to the network, and its associated IP address, username, and location (switch IP address and port). Therefore, NAC can be configured to uniquely authenticate, assess, and authorize specific end-systems and users in particular locations in the network.
NetSight Console
NetSight Console is used to monitor the health and status of infrastructure devices in the network, including switches, routers, Enterasys NAC appliances (NAC Gateways and NAC Controllers) as well as other security appliances. NetSight NAC Manager is a plugin to NetSight Console, and NetSight Console must be installed on a server with NAC Manager for the Enterasys NAC solution.
Summary
• Model 3: End-System Authorization with Assessment - Implements detection, authentication, assessment, and authorization to provide network access control based on the security posture of a connecting end-system, as well as user and device identity and location. This model requires the use of either integrated assessment server functionality or the ability to connect to external assessment services, in order to perform the end-system assessment.
2 NAC Deployment Models
This chapter describes the four NAC deployment models and how they build on each other to provide a complete NAC solution. The first model implements a subset of the five key NAC functions (as described in Chapter 1), and each subsequent model provides additional functionality without the need to replace existing pieces of the NAC solution.
RADIUS Access-Accept or Access-Reject message received from the upstream RADIUS server, is returned without modification to the access edge switch, to permit end-system access to the network. For MAC authentication, a RADIUS Access-Accept message is returned to the access edge switch without modification, based on a RADIUS Access-Accept message received from the upstream RADIUS server or local authorization of MAC authentication requests.
and information on the network. Enterasys NAC can be leveraged to provide information to SIM solutions, by mapping an IP address to an identity, such as a MAC address or username and location, for a more complete representation of the attack source or target on the network. In this way, the Enterasys NAC solution further enhances the operation of existing security technologies deployed on the network.
Model 2: End-System Authorization
device identity, user identity, and/or location information is used to authorize the connecting end-system with a certain level of network access. It is important to note that in this model, network access is not being controlled based on end-system assessment results. Assessment will be introduced in the next NAC deployment model.
The NAC Controller may either deny the end-system access to the network or assign the end-system to a particular set of network resources by specifying a particular policy.
is only provisioned by the Enterasys NAC solution when the devices connect to switches in the Network Operations Center (NOC). This level of granularity in provisioning access to connecting devices protects against possible MAC spoofing attacks.
a password in the registration web page. This sponsor username and password can be validated against an existing database on the network to authenticate the sponsor's identity. Sponsors may be allowed to securely access an administrative web page where they can delete, add, and modify registered end-systems on the network that they have sponsored.
Model 3: End-System Authorization with Assessment
A RADIUS server is only required if out-of-band network access control using the NAC Gateway, or inline network access control using the Layer 2 NAC Controller, is implemented with web-based and/or 802.1X authentication. NetSight Policy Manager is required for all inline NAC deployments, and recommended for out-of-band NAC deployments that utilize Enterasys policy-capable switches.
server is running or if the HTTP server is out-of-date) and client-side checks (running applications, software configurations, installed operating system patches) provided end-system administrative credentials are available for remote login to connecting devices.
Features and Value
In addition to the features and values found in Model 1 and Model 2, the following are key pieces of functionality and value propositions supported by Model 3, End-System Authorization with Assessment:
Extensive Security Posture Compliance Verification
The following describes a few examples of tests that can be executed for connecting end-systems and the relevance of these tests from a compliance and security standpoint:
• Antivirus so
• Application configuration. The NAC solution can determine which services and applications are installed and enabled on the end-system. Certain applications should be removed from the device prior to establishing connectivity because they may have a negative impact on the operation of the end-system, distract the end user from business functions, or be used to launch attacks on the network.
Required and Optional Components
This section summarizes the required and optional components for Model 3.
Model 4: End-System Authorization with Assessment and Remediation
Assisted remediation informs end users when their end-systems have been quarantined due to network security policy non-compliance, and allows end users to safely remediate their non-compliant end-systems without assistance from IT operations. The process takes place when an end-system connects to the network and assessment is performed.
Inline NAC
For inline Enterasys NAC deployments utilizing the Layer 2 or Layer 3 NAC Controller, the NAC functions are implemented in the following way:
Detection - As described in Model 2.
Authentication - As described in Model 2.
Assessment - As described in Model 3.
Authorization - As described in Model 3.
traffic with specific source and destination characteristics as well as specific application identifiers (UDP/TCP ports). In addition, the Enterasys NAC solution will support an unlimited number of different quarantine policy roles, which means that the solution can support varying degrees of network usage restrictions depending upon the severity of the non-compliance or security breach.
Summary
Enterasys supports all of the five key NAC functions: detection, authentication, assessment, authorization, and remediation. However, not all five functions need to be implemented concurrently in a NAC deployment to derive value from the solution. The four NAC deployment models each yield unique value propositions to the IT personnel managing the network, and provide a logical progression to deploying the full Enterasys NAC solution.
3 Use Scenarios
This chapter describes four NAC use scenarios that illustrate how the type of NAC deployment is directly dependent on the infrastructure devices deployed in the network. For some network topologies, inline network access control utilizing the NAC Controller may be required while for other network configurations, the NAC Gateway implementing out-of-band NAC may be used.
Scenario 1: Intelligent Wired Access Edge
within the same Quarantine VLAN because the authorization point is usually implemented at the exit point of the VLAN via Access Control Lists (ACLs).
Policy-Enabled Edge
The following figure illustrates how the NAC Gateway and the other Enterasys NAC components work together in a network with policy-enabled edge switches to provide a comprehensive NAC solution.
RFC 3580 Capable Edge
In this figure the NAC Gateway and the other Enterasys NAC components provide network access control for a network with third-party switches that support RFC 3580.
Scenario 1 Implementation
In the intelligent wired edge use scenario, the five NAC functions are implemented in the following manner:
1. Detection - The user's end-system connects to the network. The edge switch sends a RADIUS authentication request (802.1X, web-based, or MAC authentication) with the associated credentials to the NAC Gateway.
2. Authentication - If the end-system is authenticating to the network using 802.
intelligent edge on the network. The Matrix N-series switch is capable of authenticating and authorizing multiple devices connected to a single port for a variety of network topologies, ranging from an IP phone cascaded with a PC on a single Matrix N-series port, to a stack of non-intelligent edge switches uplinked to a single Matrix N-series port where over 1000 end-systems connect.
Scenario 2: Intelligent Wireless Access Edge
Figure 3-3 Intelligent Wireless Access Edge - Thin APs with Wireless Switch (figure; labels: User Laptop, Wireless Access Point, Intelligent Wireless Controller (RFC 3580-compliant), NAC Gateway (out-of-band appliance), Assessment Server (optionally integrated in NAC Gateway), Remediation Web Page, Enterasys NAC Manager, VLAN=Quarantine, VLAN=Production; NAC functions 1 Detect, 2 Authenticate, 3 Assess, 4 Authorize, 5 Remediate)
Thick Wireless Edge
In a thick wireless deployment, access points forward wireless end-system traffic directly onto the wired infrastructure without the use of a wireless switch. Thick wireless deployments may or may not be categorized under the intelligent wireless access edge use scenario depending on the functionality supported by the APs.
Scenario 2 Implementation
In the intelligent wireless access edge use scenario, the five NAC functions are implemented in the following manner:
1. Detection - The user's end-system connects to the network. The wireless switch or thick AP sends a RADIUS authentication request (802.1X, web-based, or MAC authentication) with the associated credentials to the NAC Gateway.
2. Authentication - If the end-system is authenticating to the network using 802.
Scenario 3: Non-intelligent Access Edge (Wired and Wireless)
It is important to note that if the wireless edge of the network is non-intelligent and not capable of authenticating and authorizing wireless end-systems, it is possible to augment the network topology to implement out-of-band NAC with the NAC Gateway. This can be accomplished without replacing the physical edge of the network, by adding an intelligent edge switch that possesses specialized authentication and authorization features.
Figure 3-5 Non-intelligent Access Edge (Wired and Wireless) (figure; labels: Layer 3 Wired LAN, Layer 2 Wired LAN, Layer 2 Wireless LAN, NAC Controller (inline appliance), Enterasys NAC Manager (optional MAC registration), Assessment Server, Remediation Web Page, Role=Quarantine; NAC functions 1 Detect, 2 Authenticate, 3 Assess, 4 Authorize, 5 Remediate)
Scenario 3 Implementation
In the non-intelligent access edge use scenario, the five NAC functions are implemented in the following manner:
1. Detection - The user's end-system connects to the network and transmits data traffic onto the network that traverses the NAC Controller. This traffic is sourced from a MAC address or IP address not previously seen by the controller.
2.
Scenario 4: VPN Remote Access
Figure 3-6 VPN Remote Access (figure; labels: VPN Concentrator, NAC Controller (inline appliance), Assessment Server, Remediation Web Page, Enterasys NAC Manager, Role=Quarantine; NAC functions 1 Detect, 2 Authenticate, 3 Assess, 4 Authorize, 5 Remediate)
Scenario 4 Implementation
In the VPN remote access use scenario, the five NAC functions are implemented in the following manner with the deployment of the NAC Controller for inline network access control.
1.
5. Remediation - When the quarantined end user opens a web browser to any web site, its traffic is dynamically redirected to a Remediation web page that describes the compliance violations and provides remediation steps for the user to execute in order to achieve compliance. After taking the appropriate remediation steps, the end user clicks on a button on the web page to reattempt network access, forcing the re-assessment of the end-system.
Summary
Table 3-1 Use Scenario Summaries (continued)
Use Scenario / Summary and Appliance Requirements
Scenario 4: VPN remote access / Summary: VPN concentrators act as a termination point for remote access VPN tunnels into the enterprise network. Appliance Requirement: NAC Controller. Inline network access control is implemented by deploying the NAC Controller appliance to locally authorize connecting end-systems.
4 Design Planning
This chapter describes the steps you should take as you begin planning your NAC deployment. The first step is to identify the deployment model that best meets your business objectives. Then, the current network infrastructure must be evaluated in order to determine NAC component requirements. Based on this evaluation, you will be able to decide whether to deploy inline or out-of-band network access control.
For information about... Refer to page...
access to a web browser to safely remediate their quarantined end-system without impacting IT operations. Once a deployment model is selected, the current network infrastructure must be examined to identify the technical dependencies and requirements imposed by the NAC solution.
Survey the Network
The steps in this section will help you identify and evaluate the current network infrastructure so that you can make design decisions regarding NAC component requirements.
1.
The network shown in Figure 4-1 below illustrates the following three examples of how the intelligent edge can be implemented in a network.
• Policy-enabled Enterasys devices at the physical edge of the network. The SecureStack B2/B3, SecureStack C2/C3, and Matrix N-series switches are the intelligent edge of the network as well as the physical edge of the network.
For the inline implementation of the Enterasys NAC solution, the NAC Controller authenticates and authorizes end-systems locally on the appliance, and does not rely on the capabilities of downstream infrastructure devices. Because of this, the NAC Controller can be utilized in networks where non-intelligent and/or intelligent infrastructure devices exist at the edge of the network.
to locally authorize all MAC authentication requests for connecting end-systems, thereby not requiring a list of known MAC addresses. In fact, Enterasys NAC can be configured in a "learning mode" to dynamically learn the MAC addresses of all devices connecting to the network, permitting network access to all of these end-systems for a period of time.
Similar to 802.1X, web-based authentication requires the input of credentials and is normally used on user-centric end-systems that have a concept of an associated user, such as a PC. Therefore, this authentication method is inappropriate for machine-centric devices such as printers and IP cameras. Note that web-based authentication is a user-initiated authentication method where the user must manually begin the network login process by opening a web browser and entering credentials.
system at a time, then it is suggested that MAC locking (also known as Port Security) be enabled on the edge switches to restrict the number of connecting devices. If multiple end-system connection is supported, then the intelligent edge switch must support the authentication and authorization of multiple devices (possibly using multiple authentication methods) concurrently on the network.
authenticated to the network and interact with Enterasys NAC for authentication, assessment, authorization, and remediation. Note however, that this configuration may not be possible if trusted users are also being MAC authenticated to the network in the same Security Domain. In this case, MAC or user overrides would need to be configured for the trusted users, and the default NAC configuration of the Security Domain would specify the NAC implementation for guest users.
If the network infrastructure does not contain intelligent devices at the edge or distribution layer, then inline NAC using the NAC Controller as the authorization point for connecting end-systems must be implemented. This is not as secure as out-of-band NAC because the authorization point for end-systems is located deeper into the network at the NAC Controller.
this case, the thick AP deployment falls into the category of non-intelligent edge devices with the same NAC implementations as a non-intelligent wired edge. These non-intelligent APs must be configured with inline NAC, positioning the NAC Controller at a strategic point in the network upstream from the non-intelligent APs where it will implement the authentication and authorization of connecting end-systems.
Identify Inline or Out-of-band NAC Deployment
Remote Access VPN
In many enterprise environments, a VPN concentrator located at the main site connects to the Internet to provide VPN access to remote users. In this scenario, there is no concept of intelligent and non-intelligent edge switches because the entry point to the main site is the VPN concentrator.
Summary
server. In addition, NAC can also be configured to locally authorize MAC authentication requests.
3. Identify the strategic point in the network where end-system authorization should be implemented. The most secure place for implementing authorization is directly at the point of connection at the edge of the network, as supported by Enterasys policy-capable switches.
5 Design Procedures This chapter describes the design procedures for Enterasys NAC deployment on an enterprise network. The first section discusses procedures for both out‐of‐band and inline NAC deployments. The second section discusses procedures for deployments implementing assessment. Subsequent sections present design steps relating specifically to out‐of band deployments using the NAC Gateway and inline deployments using the NAC Controller. For information about... Refer to page...
Procedures for Out-of-Band and Inline NAC Policy Manager is not required for out‐of‐band NAC that utilizes RFC 3580‐compliant switches (Enterasys and third‐party switches). In this case, a VLAN is specified in NAC Manager to authorize connecting end‐systems with a particular level of network access, using dynamic VLAN assignment. Refer to the Enterasys Networks web site http://www.enterasys.com/products/management/ downloads/NetSight.html for NetSight software licensing and download information. 2.
Procedures for Out-of-Band and Inline NAC Figure 5-1 Security Domain NAC Configurations Each Security Domain has a default “NAC configuration” that defines the authentication, assessment, and authorization parameters for all end‐systems connecting in that domain. A Security Domain can also include MAC or user override rules that are used to override the NAC configuration parameters with a special NAC configuration to be used for specific end‐systems or end users.
Procedures for Out-of-Band and Inline NAC Figure 5-2 NAC Configuration Authentication The Authentication settings define how RADIUS requests are handled for authenticating end‐ systems (this does not apply to Layer 3 NAC Controllers.) This includes identifying whether MAC authentication requests are proxied upstream or locally authorized, and whether Filter‐ID and Tunnel RADIUS attributes are added to RADIUS messages during the authentication process.
Procedures for Out-of-Band and Inline NAC • How health results are processed. When an assessment is performed on an end‐system, a “health result” is generated. For each health result, there may be several “health result details.” A health result detail is a result for an individual test performed during the assessment. Each health result detail is given a score ranging from 1 to 10, and based on this score, the health result is assigned a risk level.
Procedures for Out-of-Band and Inline NAC The following figure shows the NAC Manager window used to create or edit a NAC Configuration and define its authentication, assessment, and authorization attributes.
Procedures for Out-of-Band and Inline NAC The following table provides examples of various network scenarios that should be considered when identifying the number and configuration of Security Domains in your NAC deployment. Table 5-1 Security Domain Configuration Guidelines Network Scenario Examples Area of the network that is configured to authenticate endsystems with a secure authentication method, such as 802.1X or web-based authentication.
Procedures for Out-of-Band and Inline NAC Table 5-1 Security Domain Configuration Guidelines (continued) Network Scenario Area of the network that provides access to a group of users or devices that pose a potentially high risk to the security or stability of the network. Examples Security Domain Configuration • Switches that provide access to guest users or contractors on a corporate network.
Procedures for Out-of-Band and Inline NAC Table 5-1 Security Domain Configuration Guidelines (continued) Network Scenario Examples Security Domain Configuration Area of the network that is configured to allow access only to specific end-systems or users. • Switches that provide access to only pre-configured end-systems and users in highly controlled environments, such as industrial automation networks. For the NAC Gateway, reject all RADIUS authentication attempts.
Procedures for Out-of-Band and Inline NAC The following table provides network scenarios from an assessment standpoint that should be taken into account when identifying the number and configuration of Security Domains.
Procedures for Out-of-Band and Inline NAC Table 5-2 Security Domain Configuration Guidelines for Assessment (continued) Network Scenario Area of the network, or a group of end-systems or users, that require assessment with immediate network access. Examples • Switches that provide network access to mission critical servers, mandating uninterrupted network connectivity while still implementing assessment.
Procedures for Out-of-Band and Inline NAC 3. Identify Required MAC and User Overrides MAC and user overrides are used to handle end‐systems that require a different set of authentication, assessment, and authorization parameters from the rest of the end‐systems in a Security Domain. A MAC or user override can be defined within the scope of a specific Security Domain or all Security Domains.
Procedures for Out-of-Band and Inline NAC The following figure displays the windows used for MAC and user override configuration in NAC Manager. Notice that either an existing NAC Configuration can be used or a custom configuration can be specified for the override.
Procedures for Out-of-Band and Inline NAC The following table describes scenarios where a MAC override may be configured for a particular end‐system. Table 5-3 MAC Override Configuration Guidelines Network Scenario Examples Security Domain Configuration A device, or class of devices, that utilize a distinct set of parameters for authentication, assessment, and authorization. Allocating VoIP services to IP phones on the network.
Procedures for Out-of-Band and Inline NAC Table 5-3 MAC Override Configuration Guidelines (continued) Network Scenario Examples Security Domain Configuration A device or class of devices needs to be restricted network access (“blacklisted”) in a particular Security Domain or in all Security Domains. Denying access or quarantining the MAC addresses of laptops used by guests or contractors in those areas of the network designated to provide access only to trusted employees.
Procedures for Out-of-Band and Inline NAC Table 5-3 MAC Override Configuration Guidelines (continued) Network Scenario A device, or class of devices, needs to be permitted a special level of network access (“whitelisted”) in a particular Security Domain or in all Security Domains. Examples Permitting an unrestricted level of access for end-systems that belong to IT operations.
Assessment Design Procedures Manager will not match this end‐system and the end‐system is assigned the Security Domain’s default NAC configuration. In addition, the Layer 3 NAC Controller is not able to determine the username associated to the downstream end‐system for matching against user overrides, and the end‐system is assigned the Security Domain’s default NAC configuration.
Assessment Design Procedures 2. Determine Assessment Server Location When determining the location of the assessment servers on the network, the following factors should be considered: • The type of assessment: agent‐less or agent‐based. Agent‐less assessment consumes more bandwidth than agent‐based assessment during the scan of an end‐system.
Out-of-Band NAC Design Procedures configuration if the security vulnerability is considered a risk for the organization. For more information on Nessus, refer to http://nessus.org/. Out-of-Band NAC Design Procedures The following section continues the Enterasys NAC design procedure with steps specifically relating to the implementation of out‐of‐band NAC with the NAC Gateway. 1.
2. Determine the Number of NAC Gateways

The number of NAC Gateways to be deployed on the network is a function of the following parameters:
• The number of Security Domains configured on the network. Each NAC Gateway appliance may be associated with only one Security Domain. Therefore, the number of NAC Gateways deployed on the network will be greater than or equal to the number of Security Domains configured in NAC Manager.
Figure 5-5 NAC Gateway Redundancy

It is important that the secondary NAC Gateway does not exceed maximum capacity if the primary NAC Gateway fails on the network. For example, let’s say that two NAC Gateways, both running at maximum load on the network, are being used by six switches. NAC Gateway #1 is the primary gateway for switch A, switch B, and switch C, and NAC Gateway #2 is the primary gateway for switch D, switch E, and switch F.
primary NAC Gateway, the transition to the secondary NAC Gateway will not exceed maximum capacity. To support redundancy within a Security Domain for either approach, one additional NAC Gateway (of the same model or with increased capacity) must be deployed per Security Domain in addition to the NAC Gateways deployed to handle the maximum number of concurrent end-systems connecting to the network.
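The sizing rules above (one Security Domain per gateway, and no secondary exceeding capacity when a primary fails) can be checked mechanically before deployment. The following is an added example, not code from the guide or from Enterasys; the gateway and switch names, capacities and end-system counts are constructed sample values, and the two design functions model the guide's two-gateway example and the N+1 alternative.

```python
# Added example (not from the Enterasys guide); names, capacities and loads are constructed.
from dataclasses import dataclass

@dataclass
class Gateway:
    name: str
    capacity: int   # maximum concurrent end-systems the appliance supports
    domain: str     # the one Security Domain this gateway is associated with

@dataclass
class Switch:
    name: str
    end_systems: int   # concurrent end-systems connecting through this switch
    primary: str       # primary NAC Gateway
    secondary: str     # secondary NAC Gateway

def load_by_gateway(switches, failed=None):
    """Concurrent end-systems each gateway carries when `failed` is down."""
    load = {}
    for sw in switches:
        gw = sw.secondary if sw.primary == failed else sw.primary
        load[gw] = load.get(gw, 0) + sw.end_systems
    return load

def check_redundancy(gateways, switches):
    """Return design problems; an empty list means any single gateway can fail."""
    caps = {g.name: g.capacity for g in gateways}
    domains = {g.name: g.domain for g in gateways}
    problems = []
    for sw in switches:   # a switch must fail over within its own Security Domain
        if domains[sw.primary] != domains[sw.secondary]:
            problems.append(f"{sw.name}: primary and secondary in different domains")
    for g in gateways:    # simulate each single gateway failure
        for name, load in load_by_gateway(switches, failed=g.name).items():
            if load > caps[name]:
                problems.append(f"{g.name} down: {name} at {load}/{caps[name]}")
    return problems

def two_gateway_design():
    """The guide's example: two fully loaded gateways backing each other up."""
    gws = [Gateway("GW1", 3000, "Campus"), Gateway("GW2", 3000, "Campus")]
    sws = [Switch(n, 1000, "GW1", "GW2") for n in "ABC"]
    sws += [Switch(n, 1000, "GW2", "GW1") for n in "DEF"]
    return gws, sws

def n_plus_one_design():
    # Same switches plus a dedicated spare gateway as every switch's secondary
    gws, sws = two_gateway_design()
    gws.append(Gateway("GW3", 3000, "Campus"))
    return gws, [Switch(s.name, s.end_systems, s.primary, "GW3") for s in sws]
```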
It is important to note that only the NAC Gateways that are configured with remediation and registration functionality need to be positioned in such a manner. All other NAC Gateways may be positioned at any location on the network, with the only requirement being that access layer switches are able to communicate to the gateways.
6. VLAN Configuration

This step is for NAC deployments that use RFC 3580-compliant switches in the intelligent edge of the network to implement dynamic VLAN assignment of connecting devices. NAC leverages VLAN Tunnel RADIUS attribute modification in RADIUS authentication messages for network resource allocation to end-systems connected to these RFC 3580-compliant switches.
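The VLAN an RFC 3580 switch assigns is carried as the tagged Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes (RFC 2868 encoding) in the RADIUS Access-Accept. As an added example, not code from the guide or from Enterasys, the following builds that attribute triple and parses it back the way a switch must, including the case where one attribute of the triple is missing; the attribute numbers and values are those of RFC 2868 and RFC 3580, while the helper names and sample VLAN IDs are assumptions.

```python
# Added example (not from the Enterasys guide): encoding and decoding the RFC 3580
# VLAN assignment attributes (RFC 2868 tagged form) carried in a RADIUS Access-Accept.
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value "VLAN" (RFC 3580)
TUNNEL_MEDIUM_802 = 6          # Tunnel-Medium-Type value "IEEE 802"

def _tagged_int(attr, tag, value):
    # Tagged integer: Type, Length, Tag, 3-byte value (RFC 2868 section 3.1)
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")

def vlan_attributes(vlan_id, tag=0):
    """Build the three attributes that tell an RFC 3580 switch which VLAN to assign."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    group = str(vlan_id).encode("ascii")
    return (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag) + group)

def parse_attributes(data):
    """Walk a RADIUS attribute blob and return {type: [(tag, value), ...]}."""
    attrs, pos = {}, 0
    while pos < len(data):
        atype, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        body = data[pos + 2:pos + length]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, value = body[0], int.from_bytes(body[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte > 0x1F is data, not a tag (RFC 2868 section 3.6)
            tag, value = (body[0], body[1:]) if body[0] <= 0x1F else (0, body)
        else:
            tag, value = None, body
        attrs.setdefault(atype, []).append((tag, value))
        pos += length
    return attrs

def assigned_vlan(data):
    """Return the VLAN ID a switch would assign, or None if the triple is incomplete."""
    attrs = parse_attributes(data)
    tags = {tag for tag, v in attrs.get(TUNNEL_TYPE, []) if v == TUNNEL_TYPE_VLAN}
    tags &= {tag for tag, v in attrs.get(TUNNEL_MEDIUM_TYPE, []) if v == TUNNEL_MEDIUM_802}
    for tag, group in attrs.get(TUNNEL_PRIVATE_GROUP_ID, []):
        if tag in tags and group.isdigit():
            return int(group)
    return None
```

A mismatched or missing member of the triple yields None, which is exactly the case where a switch falls back to its default VLAN instead of the one NAC intended.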
previously specified in the NAC configuration must be defined in NetSight Policy Manager to ensure the consistent allocation of network resources to connecting end-systems.

Failsafe Policy and Accept Policy Configuration

The Failsafe Policy is assigned to end-systems when an error occurs in the NAC process.
Figure 5-6 Policy Role Configuration in NetSight Policy Manager

Assessment Policy

The Assessment Policy may be used to temporarily allocate a set of network resources to end-systems while they are being assessed.
Figure 5-7 Service for the Assessing Role

Note that it is not mandatory to assign the Assessment Policy to a connecting end-system while it is being assessed. NAC can be configured to assign the policy role received from the RADIUS server or the Accept Policy to the end-system while it is being assessed.
Inline NAC Design Procedures

Figure 5-8 Service for the Quarantine Role

Furthermore, the Quarantine Policy and other network infrastructure devices must be configured to implement HTTP traffic redirection for quarantined end-systems to return web notification of the quarantined state of an end-system.

Unregistered Policy

If MAC (network) registration is configured in the NAC deployment, an “Unregistered” policy can be assigned to connecting end-systems while they are unregistered on the network.
However, the closer the NAC Controller is placed to the edge of the network, the more NAC Controllers are required on the network, increasing NAC deployment cost and complexity. Conversely, when moving the NAC Controller towards the core of the network, fewer NAC Controllers are required, decreasing NAC deployment cost and complexity, but also decreasing the level of security.
2. Determine the Number of NAC Controllers

The number of NAC Controllers to be deployed on the network is a function of the following parameters:
• The network topology. Because the NAC Controller is placed inline with traffic sourced from connecting end-systems, the number of NAC Controllers required is directly dependent on the network topology.
Figure 5-9 Layer 2 NAC Controller Redundancy

For a Layer 3 NAC Controller, redundancy is achieved by implementing redundant Layer 3 NAC Controllers on adjacent, but separate networks as shown in Figure 5-10. The NAC Controllers must be in different networks, and a dynamic routing protocol such as OSPF or RIP must be configured between the upstream and downstream routers that are positioned on either side of the NAC Controllers.
3. Identify Backend RADIUS Server Interaction

Layer 2 NAC Controllers detect downstream end-systems via authentication: MAC, web-based, or 802.1X. If web-based or 802.1X authentication is implemented, then a backend RADIUS server must be configured to validate end user credentials in the authentication process. For each Layer 2 NAC Controller, primary and secondary RADIUS servers may be specified for the validation of user/device network login credentials on the network.

4.
Additional Considerations

assessment servers to reach the end-system while it is being assessed, regardless of whether the Assessing policy, Enterprise User policy, or any other policy role is utilized for assessment. The Quarantine Policy is used to restrict network access to end-systems that have failed assessment. The Quarantine policy role is configured by default on the NAC Controller to be used as the Quarantine Policy in NAC Manager.