Out-of-Band NAC Design Procedures: Identify Network Authentication Configuration – Enterasys Networks 9034385 User Manual

Out-of-Band NAC Design Procedures
Enterasys NAC Design Guide 5-19
http://nessus.org/.
Out-of-Band NAC Design Procedures
The following section continues the Enterasys NAC design procedure with steps specifically
relating to the implementation of out‐of‐band NAC with the NAC Gateway.
1. Identify Network Authentication Configuration
Since NAC Gateways utilize authentication for the detection of connecting end‐systems, it is
necessary to identify which authentication methods are to be configured in the intelligent edge of
the network. For more information on evaluating authentication on the network, see
The following considerations should be taken into account when deploying authentication on the
network:
• The capabilities of end‐systems connecting to the network.
Human‐centric devices may support user‐based authentication methods such as 802.1X or
web‐based authentication only if an 802.1X supplicant or a web browser is supported on the
end‐system. Machine‐centric devices most likely only support device‐based authentication
methods like MAC authentication.
• The types of users connecting to the network.
It is necessary to understand how authentication affects the different types of users connecting
to the network and what implications this has on the NAC solution. For example, while
trusted users authenticate using a set of valid credentials held in a directory on the network,
untrusted or guest users may fail authentication upon connection.
• The complexity involved in deploying authentication on the network, if it is not yet deployed.
Rolling out 802.1X authentication on the network requires extensive planning and mandates
configuration and possible upgrade of infrastructure devices and end‐systems, and the
dissemination of credentials to connecting users and devices. Since this is a significant
undertaking, it may be desirable to utilize MAC‐based authentication for the initial rollout of
NAC and migrate over to 802.1X over a period of time. This way, most benefits of NAC can be
obtained in the short term while the infrastructure is readied for a full 802.1X authentication
rollout.
• The authentication method supported by the intelligent edge of the network.
Edge infrastructure devices may need to support multiple authentication methods
concurrently to account for different devices connecting to the network. Furthermore, the
authentication and authorization of multiple devices on a single port may also need to be
supported.