Enterasys Networks 9034385 User Manual

Page 75


Procedures for Out-of-Band and Inline NAC

Enterasys NAC Design Guide 5-11

Table 5-2 Security Domain Configuration Guidelines for Assessment (continued)

Network Scenario:
Area of the network, or a group of end-systems or users, that require assessment with immediate network access.

Examples:
• Switches that provide network access to mission critical servers, mandating uninterrupted network connectivity while still implementing assessment.
• Switches that provide network access to end-systems used by IT operations, requiring that network connectivity for debugging and troubleshooting is maintained during assessment.
• Switches that provide network access to important end users such as executives, so that network connectivity is maintained during assessment.
• A group of devices, identified by MAC address, that are a specific OS or device type, such as printers or IP phones, and that require immediate network access upon connection.
• Users, identified by user name, who are important personnel on the network and require immediate network access upon connection.

Security Domain Configuration:
Do not use an Assessment Policy while end-systems are being assessed. This guarantees that mission critical devices with time-sensitive network access maintain network availability during assessment.
In NAC Manager, create a Security Domain with the following attribute:
• The “Use Assessment Policy While Assessing” checkbox is not selected. In this case, NAC Manager assigns the policy or VLAN returned from the RADIUS server, or the locally defined Accept Policy, while the end-system is being assessed.

Network Scenario:
Area of the network, or a group of end-systems or users, that require assessment before network access is allowed.

Examples:
• Switches that provide access to untrusted users, such as guests or other high risk end-systems, may be configured to apply a highly restrictive Assessment Policy during end-system assessment, permitting end-system communication only to the assessment servers and to basic IP services such as ARP, DNS, and DHCP. Security threats created by these high-risk end-systems are mitigated by waiting until assessment is completed before authorizing a significant level of network access.
• A group of devices, identified by MAC address, that are a specific OS or device type and pose a high risk to network security.
• Users, identified by user name, who are considered high risk personnel on the network.

Security Domain Configuration:
Use an Assessment Policy during end-system assessment.
In NAC Manager, create a Security Domain with the following attribute:
• Select the “Use Assessment Policy While Assessing” checkbox and specify an Assessment Policy to assign.
