Specifications

ManualsBrandsEnterasys ManualsComputer equipment9034385

Out-of-Band NAC Design Procedures

5-24 Design Procedures

6. VLAN Configuration

ThisstepisforNACdeploymentsthatuseRFC‐3580‐compliantswitchesintheintelligentedgeof

thenetworktoimplementdynamicVLANassignmentofconnectingdevices.

NACleveragesVLANTunnelRADIUSattributemodificationinRADIUSauthentication

messagesfornetworkresourceallocationtoend‐systemsconnectedtotheseRFC3580‐compliant

switches.ThisrequiresthatbeforeNACisdeployedonthenetwork,eachRFC3580‐compliant

switchintheintelligentedgeofthenetworkisconfiguredwiththeappropriateVLANsthatmay

bereturnedfromtheNACGateways.AlistofVLANsthatmaybeassignedtoconnectingend‐

systemsforeach

SecurityDomainmustbegeneratedbyanalyzingtheAcceptPolicy,Assessment

Policy,FailsafePolicy,andQuarant inePolicyofthefollowing NACconfigurations:

•TheSecurityDomains’defaultNACconfigurations

•MACoverridesfortheSecurityDomains

•UseroverridesfortheSecurityDomains

•GlobalMACanduseroverrides

7. Policy Role Configuration

ThisstepisforNACdeploymentsthatuseEnterasyspolicy‐enabledswitchesintheintelligent

edgeofthenetworktoimplementdynamicpolicyassignmentofconnectingdevices.

NACleveragesFilter‐IDRADIUSattributemodificationinRADIUSauthenticationmessagesfor

networkresourceallocationtoend‐systemsconnectedtotheseEnterasysswitches.Therefore,



beforeNACisdeployedonthenetwork,eachEnterasysswitchintheintelligentedgeofthe

networkmustbeconfiguredwiththeappropriatepolicyrolesthatmaybereturnedfromtheNAC

Gateways.Alistofpolicyrolesthatmaybeassignedtoconnectingend‐systemsforeachSecurity

Domain

canbegeneratedbyanalyzingtheAcceptPolicy,AssessmentPolicy,FailsafePolicy,and

QuarantinePolicyofthefollowingNACconfigurations:

•TheSecurityDomains’defaultNACconfiguration

•MACoverridesfortheSecurityDomains

•UseroverridesfortheSecurityDomains

•GlobalMACanduseroverrides

8. Define NAC Access Policies

AccesspoliciesdefinetheauthorizationlevelthatNACassignstoaconnectingend‐systembased

ontheend‐systemʹsauthenticationand/orassessmentresults.Therearefouraccesspoliciesused

inNACManager:FailsafePolicy,AcceptPolicy,QuarantinePolicy,andAssessmentPolicy.Inyour

securitydomainandoverrideconfigurations,theseaccess

policiesdefineasetofnetworkaccess

servicesthatdetermineexactlyhowanend‐systemʹstrafficisauthorizedonthenetwork.

WhenEnterasyspolicy‐enabledswitchesaredeployedintheintelligentedgeofthenetworkto

authenticateandauthorizeconnectingend‐systems,theseswitchesmustbeconfiguredwith

access

policiesbeforeNACisdeployed.NetSightPolicyManagerenablestheenterprise‐wide

deploymentofpolicyrolestoEnterasyspolicy‐enabledswitches,withasingleclick.

Inadditiontotheenterpriseʹsbusinessspecificroles,suchas“Faculty”or“Sales,”NACpolicy

rolesmustbedefined,configured,andenforcedtothenetwork

forNAC.Allpolicyroles