Isolation mode – H3C Technologies H3C Intelligent Management Center User Manual

EAD supports the following security modes in descending order of severity:

• Kick Out—The EAD server works with the UAM server to log off non-compliant users and generates security logs for violations.
• Isolate—The EAD server isolates non-compliant users in a restricted area, informs the users of the security vulnerability and remediation methods, and generates security logs for violations.
• Inform—The EAD server informs non-compliant users of the security vulnerability and remediation methods on user endpoints, and generates security logs for violations.
• Monitor—The EAD server monitors non-compliant users and generates security logs for violations.

When the detected security violations of a single user require actions of different severities, the most severe action is taken.

The Action After parameter can be configured as a tolerance interval during which network access is permitted before a non-compliant user is isolated or logged off. In this time interval, the user can fix any detected security vulnerabilities and trigger a new security check.

Isolation mode

PC user isolation is implemented based on ACLs or VLANs, which are deployed to the access device or iNode client.

ACLs and VLANs can be defined for network security or for isolation.

• Security ACLs and VLANs define the accessible areas for users who pass the security check.
• Isolation ACLs and VLANs define the quarantine areas for users who fail the security check to fix security vulnerabilities.

EAD provides several isolation modes for PCs, as shown in Table 7.

Table 7 PC isolation modes

| Isolation mode | Description | Remarks |
|---|---|---|
| Deploy ACLs to access device | The EAD server deploys security and isolation ACLs to the access device for users' access control. The mechanism for processing ACLs depends on the device vendor and model. | The access device must support the ACL deployment feature. |
| Deploy ACLs to iNode client | The EAD server deploys security and isolation ACLs to the iNode client for users' access control. The mechanism for processing ACLs is not affected by the device vendor or model. | The iNode client must support the client ACL feature. |
| Deploy VLANs to access device | The EAD server deploys security and isolation VLANs to the access device for users' access control. The mechanism for processing VLANs depends on the device vendor and model. | The access device must support the VLAN deployment feature. |
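
The following Python sketch is an added example, not H3C code. It models how the rules above combine for one user: the most severe security mode wins, Action After delays only isolation and log-off, and the result selects the security or isolation area. The names Mode, Decision and decide are hypothetical. It assumes that Monitor and Inform leave the user in the security area and that the interval counts as elapsed once the time since the check equals Action After.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class Mode(IntEnum):
    # A larger value is a more severe action, matching the order in the manual.
    MONITOR = 1
    INFORM = 2
    ISOLATE = 3
    KICK_OUT = 4

@dataclass(frozen=True)
class Decision:
    mode: Optional[Mode]  # most severe mode among the violations, None if compliant
    enforced_now: bool    # False while the Action After interval is still running
    area: str             # "security", "isolation", or "none" (user logged off)
    notify_user: bool     # Inform and Isolate tell the user how to remediate
    log_violation: bool   # every mode generates a security log

def decide(violation_modes, action_after_min=0, minutes_since_check=0):
    """Resolve one user's security-check result into a single decision."""
    if not violation_modes:
        # Passed the check: the security ACL/VLAN applies and nothing is logged.
        return Decision(None, False, "security", False, False)
    mode = max(violation_modes)  # the most severe action is taken
    blocking = mode in (Mode.ISOLATE, Mode.KICK_OUT)
    # Access stays permitted until the tolerance interval has elapsed
    # (assumption: the boundary minute counts as elapsed).
    enforced = blocking and minutes_since_check >= action_after_min
    if not enforced:
        area = "security"    # assumption: Monitor/Inform do not restrict access
    elif mode is Mode.ISOLATE:
        area = "isolation"   # isolation ACL or VLAN becomes effective
    else:
        area = "none"        # Kick Out: the user is logged off
    notify = mode in (Mode.INFORM, Mode.ISOLATE)
    return Decision(mode, enforced, area, notify, True)

if __name__ == "__main__":
    # Constructed sample: two violations, 10-minute tolerance, 3 minutes elapsed.
    print(decide([Mode.ISOLATE, Mode.KICK_OUT], action_after_min=10, minutes_since_check=3))
```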