Enterasys Networks 9034385 User Manual

Page 73


Procedures for Out-of-Band and Inline NAC

Enterasys NAC Design Guide 5-9

Table 5-1 Security Domain Configuration Guidelines (continued)

Network Scenario: Area of the network that is configured to allow access only to specific end-systems or users.

Examples:
• Switches that provide access to only pre-configured end-systems and users in highly controlled environments, such as industrial automation networks.

Security Domain Configuration: For the NAC Gateway, reject all RADIUS authentication attempts. For the NAC Controller, set the Accept Policy to a highly restrictive policy or VLAN such as “Deny All.” This allows the administrator to locally authorize specific MAC addresses or users by using MAC and user overrides, and to reject all other connection attempts to the network.

Network Scenario: Area of the network that provides access to a group of users or devices that pose a guaranteed low risk to the security and stability of the network.

Examples:
• Switches that provide network access to servers that are highly protected from attack through the implementation of firewalls as well as network-based and host-based IDS.
• Switches that provide network access to end-systems that are highly managed and restricted from risky network behaviors, such as end-systems that are restricted from Internet access and always kept up-to-date with the latest anti-virus and anti-malware definitions. This may include devices restricted to communication on the private LAN, and data center or network IT operations devices.

Security Domain Configuration: Authorize connecting end-systems with a less restrictive set of network resources, and either don’t implement assessment, or implement assessment less frequently and with fewer parameters.
In NAC Manager, create a Security Domain with the following configuration attributes:
• With the “Proxy RADIUS Request to a RADIUS Server” radio button selected, check the “Replace RADIUS Attributes with Accept Policy” option and specify a non-restrictive policy or VLAN in the Accept Policy field.
This allows the administrator to locally authorize MAC authentication requests and overwrite the policy information returned from the RADIUS server with a less restrictive policy or VLAN.
It should be noted that this configuration may open the network to security threats, and should be reviewed carefully before being implemented.

Network Scenario: Area of the network that provides access to a group of users or devices that will be allocated a different set of network resources based on their location on the network.

Examples:
• Switches that provide access to both trusted and untrusted users on the network, such as conference rooms and cafeterias. These areas can be configured to restrict trusted user access to servers containing sensitive information. This protects against the possibility that an untrusted user obtains access to a trusted user's computer that is logged into the network, or that an untrusted user eavesdrops on sensitive material being viewed by adjacent trusted users.

Security Domain Configuration: Impose the level of authorization based on requirements of IT operations.
In NAC Manager, create a Security Domain with the following configuration attributes:
• With the “Proxy RADIUS Request to a RADIUS Server” radio button selected, check the “Replace RADIUS Attributes with Accept Policy” option and specify a policy or VLAN in the Accept Policy field.
This allows the administrator to locally authorize MAC authentication requests and overwrite the policy information returned from the RADIUS server with a different policy based on the network location of an end-system.
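As an added illustration (not Enterasys code and not the product's actual decision logic), the following hypothetical Python model shows how the three Security Domain settings in the table decide what a connecting end-system receives: local overrides, reject-all, proxying to RADIUS, and the “Replace RADIUS Attributes with Accept Policy” option. The RADIUS server stub, MAC addresses, policy names and the rule that a MAC override is consulted before RADIUS are constructed assumptions.

```python
# Added example: hypothetical model of Table 5-1's Security Domain behaviour.
# Not Enterasys code; the RADIUS stub, MAC addresses and policy names are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class SecurityDomain:
    name: str
    reject_all: bool = False          # NAC Gateway rejects every RADIUS authentication
    replace_attributes: bool = False  # "Replace RADIUS Attributes with Accept Policy"
    accept_policy: str = "Deny All"   # policy or VLAN in the Accept Policy field
    mac_overrides: Dict[str, str] = field(default_factory=dict)  # MAC -> local policy

def radius_server(mac: str) -> Optional[str]:
    """Constructed stand-in for the upstream RADIUS server: the policy attribute
    it would return, or None for Access-Reject."""
    directory = {"00:11:22:33:44:55": "Quarantine",      # RADIUS wants this host contained
                 "00:11:22:33:44:66": "Enterprise User"}
    return directory.get(mac)

def authorize(domain: SecurityDomain, mac: str) -> Optional[str]:
    """Policy assigned to an end-system in this domain, or None if it is rejected.
    Assumption: a MAC override is a local decision consulted before RADIUS."""
    if mac in domain.mac_overrides:
        return domain.mac_overrides[mac]
    if domain.reject_all:             # restricted-access row: nothing else gets in
        return None
    upstream = radius_server(mac)     # proxy the request to the RADIUS server
    if upstream is None:              # an upstream reject is still a reject
        return None
    # Low-risk and location-based rows: the domain's Accept Policy replaces whatever
    # RADIUS returned, even a more restrictive one. This is the guide's caveat.
    return domain.accept_policy if domain.replace_attributes else upstream

# One domain per row of the table; the location-based row keys domains by location.
DOMAINS = {
    "plant_floor": SecurityDomain("industrial", reject_all=True,
                                  mac_overrides={"00:aa:bb:cc:dd:01": "PLC Access"}),
    "data_center": SecurityDomain("low-risk", replace_attributes=True,
                                  accept_policy="Server Access"),
    "conference_room": SecurityDomain("shared", replace_attributes=True,
                                      accept_policy="Guest Access"),
}

def resolve_by_location(location: str, mac: str) -> Optional[str]:
    """The switch's location selects the Security Domain, and so the policy."""
    return authorize(DOMAINS[location], mac)
```

Running `authorize(DOMAINS["data_center"], "00:11:22:33:44:55")` returns "Server Access" even though the RADIUS stub asked for "Quarantine", which is exactly the exposure the table's note about reviewing this configuration carefully refers to.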
