Enterasys-networks 9034385 Uživatelský manuál stáhnout pdf (Strana 87)

Out-of-Band NAC Design Procedures

Enterasys NAC Design Guide 5-23

Itisimportanttonotethatonly theNACGatewaysthatareconfiguredwithremediationand

registrationfunctionalityneedtobepositionedinsuchamanner.AllotherNACGatewaysmay

bepositionedatanylocationonthenetwork,withtheonlyrequirementbeingthataccesslayer

switchesareableto

communicatetothegateways.Typically ,theNACGatewaywithremediation

andregistrationfunctionalityispositionedonanetworksegmentdirectlyconnectedtothe

distributionlayerroutersontheenterprisenetwork,sothatanyHTTPtrafficsourcedfrom

quarantinedend‐systemsthatareconnectedtothenetworkʹsaccesslayercan

beredirectedtothat

NACGateway.Asanalternative,theNACGatewaymaybepositionedonanetworksegment

directlyconnectedtotherouterprovidingconnectivitytotheInternetorinternalwebserverfarm.

Inthisscenario,theHTTPtrafficsourcedfromquarantinedend‐systemswouldberedirectedto

theNAC

GatewaybeforereachingtheInternetorinternalwebservers.

4. Identify Backend RADIUS Server Interaction

IfaNACGatewayisreceiving802.1Xand/orweb‐basedauthenticationrequestsforconnecting

end‐systems,thenabackendRADIUSservermustbeconfiguredtovalidateendusercredentials

intheauthenticationprocess.ForeachNACGateway,aprimaryandsecondaryRADIUSserver

canbespecifiedforthevalidationofuser/device

networklogincredentialsonthenetwork.

If802.1X,web‐based,orRADIUSauthenticationforswitchmanagementloginsisimplemented,a

RADIUSserverwithbackenddirectoryservicesmustbedeployedonthenetwork.ARADIUS

serverisnotnecessaryifonlyMACauthenticationisdeployedonthenetwork.

AllRADIUSserverssupporting

RFC2865andsubsequentRADIUSstandardsaresupportedby

EnterasysNACapplianceswhenproxyingRADIUSauthenticationrequests.Testshavebeen

conductedonthefollowingRADIUSservers:

• FreeRADIUS

•MicrosoftIAS

•FunkSteelbeltedRADIUS

•CiscoACS

5. Determine End-System Mobility Restrictions

WhileSecurityDomain‐specificMACanduseroverridescanbeconfiguredtocontrolend‐system

andendusermobilityacrossthenetworkandbetweenSecurityDomains,the“LockMAC”

featureallowsthenetworkadministratortorestrictnetworkaccessforspecificend‐systemtoa

switchportorswitch.Theend‐system

canbedeniednetworkaccesswithaRADIUSAccess‐Reject

messagereturnedtotheswitch,orassignedaspecificpolicyorVLANwhenconnectingtothe

networkinarestrictedarea.HerearesomeexamplesofhowtheLockMACfeaturecanbeused:

•Aprinter,server,orotherend‐system

couldbeallowednetworkaccessonlywhenitis

connectedtoaports p ecifiedbyIToperations.Thispreventssecurityissuesthatcouldresultif

thedevicewasmovedtoadifferentareaofthenetwork.

•AnIPphonewithaMACoverridecouldbelockedtoaspecificporton

aswitch.Thiswould

allowexactidentificationofthephoneʹslocationincaseanemergency(911)callwasplaced

fromthephone.

1 2 ... 82 83 84 85 86 87 88 89 90 91 92 ... 97 98

Komentáře k této Příručce

Žádné komentáře

Enterasys-networks 9034385 Uživatelský manuál Strana 87

Komentáře k této Příručce

Související produkty a manuály pro Nástroje Enterasys-networks 9034385