Specifications
Model 2: End-System Authorization
2-4 NAC Deployment Models
device identity, user identity, and/or location information is used to authorize the connecting end-system with a certain level of network access. It is important to note that in this model, network access is not being controlled based on end-system assessment results. Assessment will be introduced in the next NAC deployment model.
Implementation
In Model 2, end-systems can be detected, authenticated, and authorized in different ways depending on whether inline or out-of-band network access control is implemented.
Out-of-Band NAC
For out-of-band NAC utilizing the NAC Gateway, NAC functions are implemented in the following way:

Detection - End-systems are detected via the receipt of RADIUS packets from an access edge switch attempting to authenticate an end-system.
Authentication - If the end-system is 802.1X or web authenticating to the network, the NAC Gateway proxies the RADIUS authentication request to a backend authentication (RADIUS) server to validate the identity of the user/device connecting to the network. For end-systems that are MAC authenticating to the network, the NAC Gateway can be configured to either proxy the MAC authentication requests to a RADIUS server or locally authorize MAC authentication requests at the NAC Gateway. If only MAC authentication is deployed on the network and the NAC Gateway is configured to locally authorize MAC authentication requests, then a backend RADIUS server is not required for the Enterasys NAC solution.
Authorization - The NAC Gateway allocates the appropriate network resources to the end-system based on device identity, user identity, and location. For Enterasys policy-enabled edge switches, the NAC Gateway formats information in the RADIUS authentication messages that directs the edge switch to dynamically assign a particular policy to the connecting end-system. For RFC 3580-capable edge switches, the NAC Gateway formats information in the RADIUS authentication messages (in the form of RFC 3580 VLAN Tunnel attributes) that directs the edge switch to dynamically assign a particular VLAN to the connecting end-system. The NAC Gateway may deny the end-system access to the network by sending a RADIUS Access-Reject message to the edge switch, or assign the end-system a set of network resources by specifying a particular policy or VLAN to assign to the authenticated end-system on the edge switch.
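An added worked example (not from the Enterasys documentation) of the RFC 3580 VLAN assignment the NAC Gateway performs for RFC 3580-capable edge switches: a Python model of the Access-Accept carrying the Tunnel attributes, and of the edge switch verifying the reply's Response Authenticator before applying the VLAN. The shared secret, RADIUS identifier, request authenticator and VLAN 120 are constructed values.

```python
import hashlib
import struct

# RADIUS codes (RFC 2865) and the tunnel attributes RFC 3580 uses for VLAN assignment (RFC 2868).
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN3 = (13).to_bytes(3, "big")       # Tunnel-Type = VLAN
IEEE802_3 = (6).to_bytes(3, "big")    # Tunnel-Medium-Type = IEEE 802

def _attr(attr_type, value):
    """One RADIUS attribute TLV: type (1 byte), total length (1 byte), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def vlan_attributes(vlan_id, tag=0):
    """The three tagged attributes an RFC 3580 edge switch reads as "assign VLAN vlan_id":
    1-byte tag + 3-byte value for Tunnel-Type/Tunnel-Medium-Type, tag + string for Group-ID."""
    t = bytes([tag])
    return (_attr(TUNNEL_TYPE, t + VLAN3) + _attr(TUNNEL_MEDIUM_TYPE, t + IEEE802_3)
            + _attr(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode()))

def radius_response(code, identifier, request_authenticator, secret, attributes=b""):
    """Access-Accept (with attributes) or Access-Reject. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + auth + attributes

def switch_receives(packet, request_authenticator, secret):
    """Edge-switch side: check the Response Authenticator against the request it sent and the
    shared secret, then honour the decision. Returns the VLAN string, or None for a reject,
    a forged/tampered reply, or attributes that do not form a valid VLAN assignment."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if packet[4:20] != expected or code != ACCESS_ACCEPT:
        return None
    found, pos = {}, 0
    while pos + 2 <= len(attrs):
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2:          # malformed length: refuse rather than loop forever
            return None
        found[attr_type] = attrs[pos + 2:pos + attr_len]
        pos += attr_len
    group = found.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if (found.get(TUNNEL_TYPE, b"")[1:] != VLAN3
            or found.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != IEEE802_3 or len(group) < 2):
        return None
    # RFC 2868: a first byte above 0x1F is part of the string, not a tag.
    return group[1:].decode() if group[0] <= 0x1F else group.decode()
```

The authenticator check is why a policy or VLAN assignment is only as trustworthy as the RADIUS shared secret between the gateway and each edge switch.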
Inline NAC
For inline NAC utilizing the Layer 2 or Layer 3 NAC Controller, NAC functions are implemented in the following way:

Detection - End-systems are detected via the receipt of RADIUS packets from an access edge switch attempting to authenticate an end-system.
Authentication - One of two authentication configurations can be implemented on the NAC Controller. Authentication can be disabled altogether, trusting that the downstream infrastructure devices authenticated the end-system and permitted network access. Alternately, MAC registration can be implemented for new devices connecting to the network, where a username and password and/or a sponsor username and password must be validated against a backend LDAP-compliant database before network access is permitted.
Authorization - The NAC Controller allocates the appropriate network resources to the end-system by assigning a policy locally on the controller to the traffic sourced from the end-system.