Enterasys-networks 9034385 Uživatelský manuál stáhnout pdf (Strana 96)

Inline NAC Design Procedures

5-32 Design Procedures

3. Identify Backend RADIUS Server Interaction

Layer2NACControllersdetectdownstreamend‐systemsviaauthentication:MAC,web‐based,or

802.1X.Ifweb‐basedor802.1X authenticationisimplemented,thenabackendRADIUSserver

mustbeconfiguredtovalidateendusercredentialsintheauthenticationprocess.Foreach Layer2

NACController,primaryandsecondaryRADIUSservers

maybespecifiedforthevalidationof

user/devicenetworklogincredentialsonthenetwork.

4. Define Policy Configuration

Policiesareassignedtodownstreamend‐systemsontheNACControllertoauthorizeconnecting

deviceswithalevelofnetworkaccess.Adefaultsetofpoliciesareautomaticallyconfiguredon

eachNACControllerafterinstallationandinitializationoftheappliance.Thissetofpolicies

includesallpoliciesdefinedbydefaultin

NACManager,suchasEnterpriseUser,Quarantine,

Assessing,Unregistered,andFailsafe.Itisstronglyrecommendedthatthepolicyconfigurations

ofallNACControllersareimportedintoNetSightPolicyManager,reviewed,andappropriately

modified,priortothefullrolloutofinlineNAC.

Failsafe Policy and Accept Policy Configuration

TheFailsafePolicyisassignedtoend‐systemswhenanerroroccursintheNACprocess.The

FailsafepolicyroleisconfiguredbydefaultontheNACControllertobeusedastheFailsafe

PolicyinNACManager.Thispolicyisrestrictive,allowingDNSandDHCP,andredirectingweb

trafficto

servebackawebpagestatinganerrorhasoccurredonthenetwork,whilediscardingall

othertypesoftraffic.

Ifitisdesiredtoopennetworkaccesswhenanerrorisencountered,theEnterpriseUserpolicy

rolecanbeselectedastheFailsafePolicyintheNACConfiguration.The

EnterpriseUserpolicy

roleisfairlyopen,permittingmosttypesofcommunicationontothenetwork.Forsecurity

purposestheEnterpriseUserpolicyroledoesdenycommunicationtotheNACControllerover

TCPandUDPports(utilizedforadministrativepurposes,suchasRADIUSandSSH).Inaddition,

theEnterpriseUserpolicydiscards

allcommunicationtoNACManagerʹsIPaddressforfurther

securityhardening.Thispolicyrolecanbealteredtofurthercontrolwhichservicesacompliant

end‐systemisallowedtoutilize.

TheAcceptPolicyisassignedtoend‐systemswhentheyaredeemedcompliant.TheEnterprise

Userpolicyroleisconfigured

bydefaultontheNACControllertobeusedastheAcceptPolicyin

NACManager.

Assessment Policy and Quarantine Policy Configuration

TheAssessmentPolicyandQuarantinePolicyareusedwhenend‐systemassessmentis

implementedintheNACdeployment.TheAssessmentPolicymaybeusedtotemporarilyallocate 

asetofnetworkresourcestoend‐systemswhiletheyarebeingassessed.TheAssessingpolicyrole

isconfiguredbydefaultonNACControllers

tobeusedastheAssessmentPolicyinNAC

Manager.ThispolicyallowsDNSand DHCP,and anytrafficdestinedtotheIPaddressofthe

assessmentserversdeployedonthenetwork.Thepolicyalsoredirectswebtraffictoservebacka

webpagestatingthattheend‐systemhas

beenrestrictedaccesswhileitssecuritypostureisbeing

determined.Allothertypesoftrafficarediscarded.

Ifitisdesiredtoopennetworkaccesswhileanend‐systemisbeingassessed,theuseofthe

AssessmentPolicycanbedisabledintheNACconfiguration,ortheEnterpriseUserpolicyrole



canbeselectedastheAssessmentPolicyinstead.ItisimportanttonotethatwheneveraNAC

configurationisenforcedtotheNACController,theAssessmentPolicyisconfiguredtoallow

1 2 ... 91 92 93 94 95 96 97 98

Komentáře k této Příručce

Žádné komentáře

Enterasys-networks 9034385 Uživatelský manuál Strana 96

Komentáře k této Příručce

Související produkty a manuály pro Nástroje Enterasys-networks 9034385