Appliance Comparison – Enterasys Networks 9034385 User Manual


NAC Solution Components

Enterasys NAC Design Guide 1-7

Appliance Comparison

The following table compares how the two NAC appliance types implement the five NAC 
functions.

Table 1-2 Comparison of Appliance Functionality

NAC Function: Detection
  NAC Gateway: RADIUS authentication request is received from access edge switches.
  NAC Controller: Traffic sourced from a new end-system traverses the inline appliance.

NAC Function: Authentication
  NAC Gateway: For user authentication, RADIUS authentication requests are proxied to an upstream RADIUS server which contains a database of valid user credentials. For device authentication, the NAC Gateway can locally validate whether the connecting MAC address is permitted network access.
  NAC Controller: It is possible to disable authentication on the NAC Controller and rely instead on the authentication of the end-system by downstream infrastructure devices, such as authenticating to a wireless LAN or VPN concentrator. Alternatively, the NAC Controller supports MAC registration where the end user must provide a valid username and password, verified via LDAP, before being allowed to register to the network.

NAC Function: Assessment
  NAC Gateway: Assessment can be implemented using localized, integrated agent-based and/or agent-less assessment [1] or external agent-based and/or agent-less assessment using a bank of external assessment servers (Nessus and Lockdown Enforcer) for maximum assessment scalability. The SNS-TAG-ITA Gateway appliance provides integrated assessment servers.
  NAC Controller: Assessment can be implemented using localized, integrated agent-based and/or agent-less assessment [1] or external agent-based and/or agent-less assessment using a bank of external assessment servers (Nessus and Lockdown Enforcer) for maximum assessment scalability.

NAC Function: Authorization
  NAC Gateway: For Enterasys access edge switches, the end-system is assigned a policy (a set of granular traffic forwarding rules) and/or VLAN based on the authentication and assessment results. For third-party edge switches, the end-system is assigned a VLAN via RFC 3580 Tunnel attributes based on the authentication and assessment results.
  NAC Controller: The end-system's traffic is assigned a policy (a set of granular traffic forwarding rules) at the NAC Controller, based on authentication and assessment results.

NAC Function: Remediation
  NAC Gateway: Captive web portal is served by the NAC Gateway.
  NAC Controller: Captive web portal is served by the NAC Controller.

1. A separate license for integrated assessment functionality is required.
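The Authorization row above describes the NAC Gateway turning authentication and assessment results into a policy (Enterasys edge) or a VLAN carried in RFC 3580 Tunnel attributes (third-party edge), with non-compliant end-systems sent to the captive portal for remediation. The following Python is an added example of that decision and of the RFC 2868/3580 attribute encoding; it is not Enterasys code or the appliance's actual logic. The attribute numbers and enumerations (Tunnel-Type 64 = VLAN 13, Tunnel-Medium-Type 65 = IEEE-802 6, Tunnel-Private-Group-ID 81) are the standard RADIUS values; the VLAN numbers, policy names and the fail-closed handling of an unassessed end-system are constructed assumptions.

```python
"""Authorization step of a NAC gateway: map authentication and assessment
results to an access decision and to RFC 3580 VLAN tunnel attributes.
Added example, not Enterasys code.  VLAN IDs and policy names are
constructed placeholders."""
from enum import Enum
from typing import List, Optional, Tuple

# RADIUS tunnel attribute numbers and enumerated values (RFC 2868 / RFC 3580).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value for IEEE-802


class Assessment(Enum):
    COMPLIANT = "compliant"
    NONCOMPLIANT = "noncompliant"   # scan found a problem -> remediation
    NOT_ASSESSED = "not_assessed"   # scan pending or assessment not licensed


# Constructed mapping from decision to policy name / VLAN (assumption: a real
# deployment takes these from the NAC configuration, not from code).
DECISIONS = {
    "accept":    {"policy": "Enterprise User", "vlan": 100},
    "remediate": {"policy": "Quarantine",      "vlan": 200},
}


def decide(authenticated: bool, assessment: Assessment) -> Optional[str]:
    """Return the decision key, or None meaning Access-Reject."""
    if not authenticated:
        return None
    if assessment is Assessment.COMPLIANT:
        return "accept"
    # Assumption: unknown posture is treated like a failed scan (fail closed),
    # so the end-system lands on the remediation VLAN where the captive
    # portal is served.
    return "remediate"


def rfc3580_attributes(vlan_id: int) -> List[Tuple[int, bytes]]:
    """Tunnel attributes instructing a third-party switch to assign vlan_id."""
    tag = b"\x00"  # RFC 2868 Tag byte; 0 means the attribute is untagged
    return [
        (TUNNEL_TYPE, tag + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, tag + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, tag + str(vlan_id).encode("ascii")),
    ]


def encode_attributes(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Serialize attributes as RADIUS TLVs: Type(1) Length(1) Value(n)."""
    out = bytearray()
    for attr_type, value in attrs:
        length = 2 + len(value)
        if length > 255:
            raise ValueError("RADIUS attribute value too long")
        out += bytes([attr_type, length]) + value
    return bytes(out)


def authorize(authenticated: bool, assessment: Assessment,
              enterasys_edge: bool) -> Optional[dict]:
    """Build the Access-Accept content for the edge switch, or None to reject.

    Enterasys edges receive a policy name (and may also receive the VLAN);
    third-party edges receive only the RFC 3580 tunnel attributes.
    """
    key = decide(authenticated, assessment)
    if key is None:
        return None
    entry = DECISIONS[key]
    result = {"decision": key,
              "attributes": rfc3580_attributes(entry["vlan"])}
    if enterasys_edge:
        result["policy"] = entry["policy"]
    return result


if __name__ == "__main__":
    for auth, posture in [(True, Assessment.COMPLIANT),
                          (True, Assessment.NONCOMPLIANT),
                          (False, Assessment.COMPLIANT)]:
        r = authorize(auth, posture, enterasys_edge=False)
        wire = encode_attributes(r["attributes"]).hex() if r else "reject"
        print(auth, posture.value, "->", r["decision"] if r else None, wire)
```

The three tunnel attributes are emitted together because RFC 3580 requires all of them for a switch to honour the VLAN assignment; a gateway that sends only Tunnel-Private-Group-ID will typically see the switch ignore it and leave the port on its default VLAN.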
