User Overrides – Enterasys Networks 9034385 User Manual

Procedures for Out-of-Band and Inline NAC
5-16 Design Procedures
User Overrides
A user override lets you create a configuration for a specific end user, based on the user name. For
example, you could create a user override that gives a trusted end user immediate network access
without performing an assessment.
User overrides can be used in network scenarios similar to those described for MAC overrides:
• A specific user requires a distinct set of parameters for authentication, assessment, and
authorization. For example, a user override can be configured for executives of a corporation
to permit immediate network access without assigning the Assessment Policy during
end-system assessment.
• A specific user's network access can be restricted (“blacklisted”) for a particular Security
Domain or all Security Domains, by associating the username with the Accept Policy of
“Quarantine” or by sending a RADIUS Access-Reject for this user. For example, an employee's
access to a certain area of the network can be restricted, or students can be denied network
access during an exam.
• A specific user can be permitted a special level of network access (“whitelisted”) by
associating the username with the Accept Policy of “Administrator” to allow unlimited
network access.
It is important to note that the Layer 3 NAC Controller may not determine the true MAC address
of the downstream connected end‐system. In this case, a MAC override configured in NAC
Table 5-3 MAC Override Configuration Guidelines (continued)

Network Scenario:
A device, or class of devices, needs to be permitted a special level of network access
(“whitelisted”) in a particular Security Domain or in all Security Domains.

Examples:
Permitting an unrestricted level of access for end-systems that belong to IT operations.

Security Domain Configuration:
In NAC Manager, create a MAC override with the following attributes:
• Specify either full MAC address or MAC address OUI.
• Select the Security Domain or all Security Domains for the MAC override scope.
For the assessment, authentication, and authorization configuration, choose a NAC
Configuration or specify a custom configuration with the following parameters:
• Select the “Proxy RADIUS request to a RADIUS Server” radio button.
• Check “Authorize MAC Authentication Requests Locally” so MAC authentication
attempts by these devices are assigned the Accept Policy.
• Check “Replace RADIUS Attributes with Accept Policy” so the policy information
returned from the RADIUS server will be overwritten by the Accept Policy.
• Specify “Administrator” as the Accept Policy to allow unlimited access for these devices.
• Uncheck the “Enable Assessment” checkbox so these devices are not assessed for
security posture compliance.
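
The following Python script is an added example, not taken from the Enterasys manual or from NAC Manager. It reviews a list of user and MAC override records and flags the combinations described above: OUI-wide matches, the “Administrator” Accept Policy, all-Security-Domain scope, and disabled assessment. The record layout, the sample names and addresses, and the policy names other than “Administrator” and “Quarantine” are assumptions made for illustration.

```python
import re

# Hypothetical record layout: this is not a NAC Manager export format.
MAC_RE = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$")
OUI_RE = re.compile(r"^([0-9A-F]{2}:){2}[0-9A-F]{2}$")

def mac_scope(value):
    """Classify a MAC override key as 'full', 'oui', or 'invalid'."""
    v = value.strip().upper().replace("-", ":")
    if MAC_RE.match(v):
        return "full"
    if OUI_RE.match(v):
        return "oui"
    return "invalid"

def audit(overrides):
    """Return (name, findings) for every override that has a finding."""
    report = []
    for o in overrides:
        findings = []
        if o["kind"] == "mac":
            scope = mac_scope(o["match"])
            if scope == "invalid":
                findings.append("match is neither a full MAC nor an OUI")
            elif scope == "oui":
                findings.append("OUI match covers a whole class of devices")
        if o["accept_policy"] == "Administrator":
            findings.append("grants unlimited access")
            if o["domain"] == "*":  # "*" stands for all Security Domains
                findings.append("applies in all Security Domains")
        # A quarantined user is already restricted; skipping assessment
        # only matters when the override grants access.
        if not o["assessment"] and o["accept_policy"] != "Quarantine":
            findings.append("skips assessment")
        if findings:
            report.append((o["name"], findings))
    return report

# Constructed sample records (all values invented for this example).
SAMPLE = [
    {"name": "it-ops", "kind": "mac", "match": "AA-BB-CC", "domain": "*", "accept_policy": "Administrator", "assessment": False},
    {"name": "exec-jsmith", "kind": "user", "match": "jsmith", "domain": "HQ", "accept_policy": "Enterprise User", "assessment": False},
    {"name": "exam-block", "kind": "user", "match": "student01", "domain": "*", "accept_policy": "Quarantine", "assessment": False},
    {"name": "printer", "kind": "mac", "match": "00:11:22:33:44:55", "domain": "Floor2", "accept_policy": "Printer", "assessment": True},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE):
        print(name, "->", "; ".join(findings))
```

Overrides that collect several findings at once, such as an OUI match with “Administrator” in all Security Domains and no assessment, are the ones to review first and to scope as narrowly as the scenario allows.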