Specifications

Scenario 3: Non-intelligent Access Edge (Wired and Wireless)

Enterasys NAC Design Guide 3-9

Itisimportanttonotethatifthewirelessedgeofthenetworkisnon‐intelligentandnotcapableof

authenticatingandauthorizingwirelessend‐systems,itispossibletoaugmentthenetwork

topologytoimplementout‐of‐bandNACwiththeNACGateway.Thiscanbeaccomplished

withoutreplacingthe

physicaledgeofthenetwork,byaddinganintelligentedgeswitchthat

possessesspecializedauthenti cationandauthorizationfeat ures.

TheEnterasysMatrixN‐seriesswitchiscapableofauthenticatingandauthorizingnumerousend‐

systemsconnectedonasingleportthroughMulti‐UserAuthentication (MUA),andmaybe

positionedupstreamfromnon‐

intelligentthird‐partywirelessAPstoactastheintelligentedgeon

thenetwork.TheEnterasysMatrixN‐seriesswitchiscapableofauthenticatingandauthorizing

over1000end‐systemsuplinkedtoasingleMatrixN‐seriesportfromanAP,asetofAPs,or

wirelessswitches.Inthisconfiguration,

theMatrixN‐seriesactsastheintelligentedgeswitchon

thenetwork,althoughnotphysicallylocatedontheaccessedge.Byprovisioningaccessto

networkresourcesontheMatrixN‐seriesviaMUA,end‐systemtrafficdestinedtoadjacent

switchesonthenetworkcanbesecurelycontainedatthe

MatrixN‐seriesport.

Scenario 3: Non-intelligent Access Edge (Wired and Wireless)

Inthenon‐intelligentaccessedgeusescenario,theedgeswitchesandaccesspointsthatcompose

thenetworkaccesslayerarenotcapableofauthenticatingandauthorizingtheconnectingend‐

systemsonthenetwork.

Inthisscenario,inlineNACisimplementedbypositioningtheNACControlleratastrategicpoint

in

thenetworktopology,astheauthorizationpointforend‐systemtrafficenforcement.

TheNACControllermaybepositioneddirectlywithintheVLANwhereend‐systemsare

connectedoracrossoneormoreroutedboundaries.WhentheNACControllerispositioned

withintheVLANwhereend‐systemsareconnected,eachdeviceis

uniquelyidentifiedbyits

associatedMACaddress.WhentheNACControllerispositionedacrossaroutedboundary(for

example,behindaWANrouterlocatedinanenterpriseʹscentralsite),eachend‐systemis

identifiedbyitsassociatedIPaddress.

ThefollowingfigureillustrateshowtheNACControllerandtheother

EnterasysNAC

componentsworktogetherinthenon‐intelligentedgetoprovidenetworkaccesscontrol.