Specifications

ManualsBrandsEnterasys ManualsComputer equipment9034385

Identify Inline or Out-of-band NAC Deployment

Enterasys NAC Design Guide 4-11

Remote Access VPN

Inmanyenterpriseenvironments,aVPNconcentratorlocatedatthemainsiteconnectstothe

InternettoprovideVPNaccesstoremoteusers.Inthisscenario,thereisnoconceptofintelligent

andnon‐intelligentedgeswitchesbecausetheentrypointtothemainsiteistheVPNconcentrator.

Inthis

scenario,theNACControllermustbeusedtoimplementNACforremoteaccessVPNend‐

systems,anditshouldbepositionedbehindtheVPNconcentratorthatprovidesremoteaccess

VPN.Again,reverseproxyVPNormany‐to‐oneNATimplementedonadownstreamdevicefrom

theNACControllerisnot

supportedintheEnterasysNACsolution.

Identify Inline or Out-of-band NAC Deployment

BasedontheNACdeploymentmodelyouselected,andtheresultsofyournetworkinfrastructure

evaluation,youmustidentifywhetherout‐of‐bandNACorinlineNACwillbedeployedinthe

differentareasofyournetwork.Withthedecisiontoimplementout‐of‐bandNACwiththeNAC

Gateway,and/or

inlineNACwiththeNACController,thenextdesignstepistodetermineyour

specificenterpriserequirementsfortheselectedNACsolution,andidentifythenumberofNAC

appliances,andtheirlocationandconfigurationonthenetwork.

Summary

ThefirststepwhenplanningyourNACdeployment,istoidentifytheNACdeploymentmodel,

oraphasedimplementationofmultipledeploymentmodels,thatmeetsyourNACbusiness

objectives.Onceyouhaveselectedadeploymentmodel,youcanusethefourfollowingstepsto

evaluateyourcurrentnetworkinfrastructureanddetermine

yourNACcomponentrequirements.

1. Identifythe“intelligentedge”inyournetwork,ifitexists.Thisinformationwillbeusedto

helpyouselectwhichNACappliance,theNACGatewayorNACController,bestsuitsyour

networkinfrastructure.

AnintelligentedgeisrequiredwhentheNACGatewayisutilizedforimplementingout‐

of‐

bandNAC.TheNACGatewayapplianceleveragestheintelligentedgeofthenetworkto

implementtheauthenticationandauthorizationofconnectingend‐systems.

Innetworkswithnon‐intelligentdevicesattheaccessedge,itisnotnecessarytoreplacethese

non‐intelligentdevicestobeabletoimplementout‐of

‐bandNACwiththeNACGateway.

Instead,theEnterasysMatrixN‐seriesswitchcanbepositionedupstreamfromnon‐intelligent

devices(suchasinthedistributionlayer)toimplementtheauthenticationandauthorization

functionsfordownstreamconnecteddevices.

Ifthenetworkdoesnothaveanintelligentedge,thentheNACController

mustbedeployed

inordertoprovidetheauthenticationandauthorizationcapabilitiesrequiredfor

implementingnetworkaccesscontrol.

2. Evaluatethenetworkauthenticationmethodcurrentlybeingused,andhowthedeployment

ofEnterasysNACwillaffectit.(Thisstepisnotrequiredifyouhavedeterminedthatthe

networkdoesnothave

anintelligentedgeandtheinlineNACControllerwillbe deployed.)

Ifauthenticationisnotconfiguredonthenetwork,out‐of‐bandNACcanbedeployedwith

minimalconfigurationbyimplementingMACauthenticationontheintelligentedgeofthe

network(iftheedgeswitchessupportMACauthentication).

Ifauthenticationiscurrently

deployedonthenetworkwith802.1X,web‐based,and/orMAC

authentication,out‐of‐bandNACisconfiguredtoproxyRADIUSauthenticationrequests

receivedfromtheswitchesattheintelligentedgeofthenetworktothebackendRADIUS