Security domain configuration guidelines -7 – Enterasys Networks 9034385 User Manual
Page 71

Procedures for Out-of-Band and Inline NAC
Enterasys NAC Design Guide 5-7
The following table provides examples of various network scenarios that should be considered
when identifying the number and configuration of Security Domains in your NAC deployment.
Table 5-1 Security Domain Configuration Guidelines

Network Scenario: Area of the network that is configured to authenticate end-systems with a secure authentication method, such as 802.1X or web-based authentication.

Examples:
• Switches that provide access for trusted users authenticating to the network using 802.1X or web-based authentication, such as LAN segments and wireless networks designated for trusted user access.
• VPN concentrator providing connectivity to users implementing remote access VPN to connect into the corporate LAN.

Security Domain Configuration: Proxy 802.1X and web-based authentication requests to a backend RADIUS server. This allows for the proper validation of end-system login credentials for 802.1X and web-based authentication methods.

In NAC Manager, create a Security Domain with the following configuration attributes:
• Select the “Proxy RADIUS Request to a RADIUS Server” radio button to allow the forwarding of RADIUS authentication requests to a RADIUS server.
• If the RADIUS server returns a policy or VLAN based on user or end-system identity, uncheck “Replace RADIUS Attributes with Accept Policy.” Otherwise, user overrides can be configured to return a policy or VLAN based on the user or end-system.
• Configure the Accept Policy with a policy or VLAN that allows less restrictive network access for trusted users.

Network Scenario: Area of the network that is configured to MAC authenticate end-systems solely for the purpose of end-system detection.

Examples:
• Switches that provide access to machine-centric end-systems, such as printers, IP phones, and IP cameras.
• Switches that provide access to human-centric end-systems that are not authenticated in traditional network environments, such as untrusted users like guests and contractors.

Security Domain Configuration: Locally authorize MAC authentication attempts. This enables the detection and authorization of human-centric and machine-centric end-systems.

In NAC Manager, create a Security Domain with the following configuration attributes:
• With the “Proxy RADIUS Request to a RADIUS Server” radio button selected, check the “Authorize MAC Authentication Requests Locally” option and specify a policy or VLAN in the Accept Policy field.
• Configure the Accept Policy field with a policy or VLAN that provides more restrictive network access for end-systems authenticating with a less secure authentication method.
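The following is an added example, not part of the Enterasys guide or NAC Manager itself: a small Python model of how the two Security Domain configurations in Table 5-1 decide what a switch gets back, so the effect of the proxy, local MAC authorization, and “Replace RADIUS Attributes with Accept Policy” options can be checked side by side. The backend RADIUS directory, domain names, and policy/VLAN values are constructed, and the option semantics are an assumed reading of the table.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class SecurityDomain:
    """Hypothetical model of the Security Domain options named in Table 5-1."""
    name: str
    proxy_to_radius: bool                    # "Proxy RADIUS Request to a RADIUS Server"
    authorize_mac_locally: bool              # "Authorize MAC Authentication Requests Locally"
    replace_attrs_with_accept_policy: bool   # "Replace RADIUS Attributes with Accept Policy"
    accept_policy: str                       # policy or VLAN in the Accept Policy field
    user_overrides: Dict[str, str] = field(default_factory=dict)  # identity -> policy/VLAN

@dataclass
class AuthRequest:
    method: str     # "802.1x", "web", or "mac"
    identity: str   # username for 802.1X/web, MAC address for MAC authentication

# Constructed stand-in for the backend RADIUS server's user store:
# identity -> policy/VLAN attribute the server returns (None = accept without one).
BACKEND_DIRECTORY: Dict[str, Optional[str]] = {"alice": "Enterprise User", "bob": None}

def backend_radius(req: AuthRequest) -> Tuple[bool, Optional[str]]:
    """Assumed backend: accept known identities, returning their policy attribute if any."""
    if req.identity not in BACKEND_DIRECTORY:
        return False, None
    return True, BACKEND_DIRECTORY[req.identity]

def authorize(domain: SecurityDomain, req: AuthRequest) -> Tuple[str, Optional[str]]:
    """Return (decision, policy-or-VLAN) the domain would hand back to the switch."""
    # MAC authentication carries no user credential; the guide has it authorized
    # locally in the detection-only domain, so the backend is never consulted there.
    if req.method == "mac" and domain.authorize_mac_locally:
        return "accept", domain.accept_policy
    if not domain.proxy_to_radius:
        return "reject", None   # assumption: no backend means credentials cannot be validated
    ok, backend_policy = backend_radius(req)
    if not ok:
        return "reject", None
    # Backend identity-based attributes are kept only when the replace option is unchecked.
    if backend_policy is not None and not domain.replace_attrs_with_accept_policy:
        return "accept", backend_policy
    # Otherwise a per-user override, then the domain's Accept Policy, decides the access level.
    return "accept", domain.user_overrides.get(req.identity, domain.accept_policy)

# The two domains from Table 5-1 (names and policy values are constructed).
TRUSTED = SecurityDomain("Trusted Access", True, False, False, "Enterprise User",
                         user_overrides={"bob": "Finance VLAN"})
DETECTION = SecurityDomain("Guest and Device Detection", True, True, True, "Guest Access")
```

Note that a MAC authentication request arriving in the trusted domain is proxied rather than authorized locally, so it is only accepted if the backend RADIUS server knows that MAC address.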