Specifications
Model 3: End-System Authorization with Assessment
Enterasys NAC Design Guide 2-9
server is running or if the HTTP server is out-of-date) and client-side checks (running applications, software configurations, installed operating system patches) provided end-system administrative credentials are available for remote login to connecting devices. Additionally, the NAC Gateway's local assessment services also include agent-based assessment using a Java Web Start-based client application that allows execution of server-side and client-side checks without requiring administrative credentials or special host firewall configurations.
The NAC Gateway's remote assessment services include agent-less and agent-based assessment on other NAC Gateways deployed on the network and/or third-party vulnerability scanners such as Nessus and Lockdown Enforcer. As end-systems connect to the network, assessments can be load-balanced among all of the configured assessment services or a defined pool. This provides maximum scalability and flexibility, and minimizes the amount of time necessary to complete an end-system assessment.
Authorization - The NAC Gateway allocates the appropriate network resources to the end-system based on authentication, location, and/or assessment results. For Enterasys policy-enabled edge switches, the NAC Gateway formats information in the RADIUS authentication messages that directs the edge switch to dynamically assign a particular policy to the connecting end-system. For RFC 3580-capable edge switches, the NAC Gateway formats information in the RADIUS authentication messages in the form of RFC 3580 VLAN Tunnel attributes that directs the edge switch to dynamically assign a particular VLAN to the connecting end-system. If authentication fails and/or the assessment results indicate a noncompliant end-system, the NAC Gateway can either deny the end-system access to the network by sending a RADIUS access reject message to the edge switch or quarantine the end-system with a highly restrictive set of network resources (or possibly permit network access) by specifying a particular policy or VLAN to assign to the authenticated end-system on the edge switch.
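The authorization step above, worked through as an added example that is not part of the design guide: the decision logic maps the authentication and assessment outcome to an Access-Reject (deny), a production VLAN (compliant) or a restrictive quarantine VLAN (noncompliant), and the VLAN is carried to an RFC 3580-capable edge switch as the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes. The VLAN numbers 100 and 900 are constructed for the example; the guide does not specify them.

```python
import struct
from typing import Optional, Tuple

# RFC 2868 attribute numbers and the values RFC 3580 (section 3.31) assigns for VLAN placement
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
ACCEPT, REJECT = "Access-Accept", "Access-Reject"

# Constructed VLAN plan for this example; the design guide does not specify VLAN numbers
PRODUCTION_VLAN = 100
QUARANTINE_VLAN = 900


def authorize(authenticated: bool, compliant: bool,
              quarantine_noncompliant: bool = True) -> Tuple[str, Optional[int]]:
    """Map authentication and assessment outcome to (RADIUS code, VLAN to assign or None)."""
    if not authenticated:
        return REJECT, None                        # Access-Reject: no network access
    if compliant:
        return ACCEPT, PRODUCTION_VLAN
    if quarantine_noncompliant:
        return ACCEPT, QUARANTINE_VLAN             # restrictive VLAN for remediation
    return REJECT, None                            # policy chooses to deny noncompliant hosts


def _tlv(attr_type: int, payload: bytes) -> bytes:
    # RADIUS attribute layout: Type (1 byte), Length (1 byte, includes header), Value
    return struct.pack("!BB", attr_type, len(payload) + 2) + payload


def rfc3580_vlan_attributes(vlan: int, tag: int = 0) -> bytes:
    """Encode the three tunnel attributes that direct an edge switch to assign `vlan`."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00-0x1F (RFC 2868)")
    tag_byte = bytes([tag])
    # Tunnel-Type and Tunnel-Medium-Type carry a 1-byte tag followed by a 3-byte integer
    tunnel_type = _tlv(TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    medium = _tlv(TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
    # Tunnel-Private-Group-ID carries the tag followed by the VLAN ID as an ASCII string
    group = _tlv(TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan).encode("ascii"))
    return tunnel_type + medium + group


def build_response(authenticated: bool, compliant: bool) -> Tuple[str, bytes]:
    """RADIUS code plus the attribute bytes the gateway would send to the edge switch."""
    code, vlan = authorize(authenticated, compliant)
    return code, (rfc3580_vlan_attributes(vlan) if vlan is not None else b"")
```

A switch that ignores the tunnel attributes silently leaves the port in its default VLAN, so the quarantine path should be verified on each edge switch model before it is relied on.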
Inline NAC
For inline Enterasys NAC deployments utilizing the Layer 2 or Layer 3 NAC Controller, the NAC functions are implemented in the following way:
Detection - As described in Model 2.
Authentication - As described in Model 2.
Assessment - The NAC Controller can leverage either local assessment services and/or remote assessment services deployed on the network, as previously described for the NAC Gateway. The NAC Controller's local assessment services include agent-less assessment which can execute various server-side checks and client-side checks. Local assessment services also include agent-based assessment using a Java Web Start-based client application that allows execution of server-side and client-side checks. The NAC Controller's remote assessment services include agent-less and agent-based assessment with NAC Gateways and/or third-party vulnerability scanners such as Nessus and Lockdown Enforcer. As end-systems connect to the network, assessment can be load-balanced among all of the configured assessment services to provide maximum scalability and flexibility while minimizing assessment times.
Authorization - The NAC Controller allocates the appropriate network resources to the end-system based on authentication and/or assessment results. This is implemented by assigning a policy to traffic sourced from the end-system locally on the controller. If authentication fails and/or the assessment results indicate a noncompliant end-system, the NAC Controller can either deny the end-system access to the network, quarantine the end-system with a highly restrictive set of network resources, or permit network access by specifying a particular policy.