
Model 2: End-System Authorization
2-6 NAC Deployment Models
is only provisioned by the Enterasys NAC solution when the devices connect to switches in the Network Operations Center (NOC). This level of granularity in provisioning access to connecting devices protects against possible MAC spoofing attacks. In addition to authorizing a particular device with a set of network resources, groups of devices such as IP phones, printers, and workstations can be provisioned a specific set of network resources using a MAC address OUI prefix or a custom MAC address mask. For example, IP phones may be identified by the Polycom MAC address OUI prefix 00:04:F2:XX:XX:XX and assigned the Voice VLAN and a high QoS.

In summary, device-based authorization supports the provisioning of network resources to a connecting end-system based on the device's identity as well as its location. This provides the ability to restrict end-systems that pose a threat to the network, provide special access to particular devices, and provision end-systems or sets of end-systems with access to required sets of network resources to ensure business continuity.
User-Based Authorization

With this NAC deployment model, end-systems can be authorized with access to a specific set of network resources based on the user logged into the end-system and their organizational role within the enterprise. For example, a user who is an engineer may be allocated prioritized access to the engineering servers deployed on the network while being denied access to servers utilized by the HR or legal departments. Furthermore, a user who is known to be launching malicious attacks against critical resources on the network, or who was terminated from a position within the company, may be authorized a restrictive set of network resources or outright denied network access, regardless of where and when this user connects to the network. In contrast, a user in the IT operations group, or a technician sent to repair a device on the network, may be permitted unrestricted access to network resources for troubleshooting and maintenance purposes, either regardless of where and when the user connects to the network or only from inside the NOC.

In summary, user-based authorization supports the provisioning of network resources to connecting users based on the user's identity and successful authentication, as well as their location on the network, affording such capabilities as denying users that pose a threat to the network, providing particular employees with special access, and provisioning users in general with appropriate access to the required sets of network resources, to ensure business continuity.
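The two models above share one evaluation pattern: a rule matches on identity (a MAC under an OUI or custom mask, or a user's role), optionally on the switch the end-system connects through, and yields a set of network resources (VLAN and QoS). The following is an added illustration of that pattern, not Enterasys code; the Policy and rule classes, the switch names, the 02:00:5e:1x prefix, the roles and the usernames are constructed for this example, and only the Polycom OUI 00:04:F2 comes from the text.

```python
"""Policy evaluation for device- and user-based NAC authorization.

Added illustration, not Enterasys code: the Policy/rule classes, the switch
names, the 02:00:5e:1x prefix, the roles and the usernames are constructed
for this example. Only the Polycom OUI 00:04:F2 comes from the text.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

OUI_MASK = 0xFFFFFF000000  # ff:ff:ff:00:00:00 selects the vendor (OUI) bytes


def parse_mac(mac: str) -> int:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., aabb.ccdd.eeff or aabbccddeeff; return a 48-bit int."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class Policy:
    name: str
    vlan: str
    qos: str
    allow: bool = True


@dataclass(frozen=True)
class DeviceRule:
    """Match (mac & mask) == (pattern & mask). An OUI rule uses OUI_MASK; a custom
    mask can be any bit pattern. `locations` restricts the rule to named switches."""
    pattern: int
    mask: int
    policy: Policy
    locations: Optional[FrozenSet[str]] = None   # None: any switch

    def matches(self, mac: int, switch: str) -> bool:
        if (mac & self.mask) != (self.pattern & self.mask):
            return False
        return self.locations is None or switch in self.locations


@dataclass(frozen=True)
class UserRule:
    role: str
    policy: Policy
    locations: Optional[FrozenSet[str]] = None

    def matches(self, role: str, switch: str) -> bool:
        return role == self.role and (self.locations is None or switch in self.locations)


DEFAULT = Policy("default", "vlan-default", "default")          # least-privilege fallback
DENY = Policy("deny", "vlan-quarantine", "low", allow=False)    # user denied everywhere


class Authorizer:
    def __init__(self, device_rules: Iterable[DeviceRule], user_rules: Iterable[UserRule],
                 denied_users: Iterable[str]) -> None:
        self.device_rules: List[DeviceRule] = list(device_rules)
        self.user_rules: List[UserRule] = list(user_rules)
        self.denied_users = frozenset(denied_users)

    def authorize_device(self, mac_text: str, switch: str) -> Policy:
        """First matching rule wins, so list specific (custom-mask, location-bound) rules first."""
        mac = parse_mac(mac_text)
        for rule in self.device_rules:
            if rule.matches(mac, switch):
                return rule.policy
        return DEFAULT   # a known MAC seen at the wrong switch also lands here

    def authorize_user(self, username: str, role: str, switch: str) -> Policy:
        if username in self.denied_users:   # known-hostile or terminated: denied regardless of location
            return DENY
        for rule in self.user_rules:
            if rule.matches(role, switch):
                return rule.policy
        return DEFAULT


NOC = frozenset({"noc-sw1", "noc-sw2"})   # constructed switch names for the Network Operations Center
DEVICE_RULES = [
    # constructed: custom 28-bit mask ff:ff:ff:f0:00:00 for NOC-managed gear, honoured only on NOC switches
    DeviceRule(parse_mac("02:00:5e:10:00:00"), 0xFFFFFFF00000,
               Policy("noc-admin", "vlan-mgmt", "high"), NOC),
    # from the text: Polycom OUI 00:04:F2 -> Voice VLAN, high QoS, at any switch
    DeviceRule(parse_mac("00:04:F2:00:00:00"), OUI_MASK, Policy("voice", "vlan-voice", "high")),
]
USER_RULES = [
    UserRule("engineer", Policy("engineering", "vlan-eng", "high")),
    UserRule("it-ops", Policy("unrestricted", "vlan-any", "high"), NOC),   # constructed: NOC only
]
AUTHZ = Authorizer(DEVICE_RULES, USER_RULES, denied_users={"mallory"})

if __name__ == "__main__":
    for mac, sw in [("00-04-f2-aa-bb-cc", "closet-sw7"), ("02:00:5e:1a:12:34", "noc-sw1"),
                    ("02:00:5e:1a:12:34", "closet-sw7")]:
        print(mac, sw, "->", AUTHZ.authorize_device(mac, sw).name)
    for user, role, sw in [("alice", "engineer", "closet-sw7"), ("mallory", "engineer", "noc-sw1"),
                           ("bob", "it-ops", "noc-sw1"), ("bob", "it-ops", "closet-sw7")]:
        print(user, role, sw, "->", AUTHZ.authorize_user(user, role, sw).name)
```

The location check is what gives the MAC-spoofing protection the text describes: a cloned 02:00:5e:1x address presented at a wiring-closet switch falls through to the least-privilege default instead of receiving the management policy, and a denied user is refused before any role rule is consulted, so neither location nor role can lift the restriction.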
MAC Registration

Enterasys NAC provides support for MAC Registration, also known as Network or Guest Registration. This solution forces any new end-system connected on the network to provide the user's identity in a web page form before being allowed access to the network, without requiring the intervention of IT operations. This means that end users are automatically provisioned network access on demand without time-consuming and costly help desk requests or network infrastructure reconfigurations. In addition, IT operations has visibility into the end-systems and their registered users on the network (for example, guests, students, contractors, and employees) without requiring the deployment of backend authentication and directory services to manage these users. This binding between user identity and machine is useful for auditing, compliance, accounting, and forensics purposes on the network.

Furthermore, MAC Registration supports a functionality referred to as "sponsored registration", which requires that end users are only allowed to register to the network when accompanied by a trusted sponsor, that is, an internal user of the organization with valid credentials. When an end user is registering to the network, a sponsor must enter a username and possibly
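As an added illustration of the registration flow above, not Enterasys code, the following keeps the MAC-to-user binding the text says auditing and forensics rely on, and enforces sponsored registration when enabled. The sponsor table, the registration store, the audit line format and the sample addresses are constructed for this example; the product's own web form and database are not described on the page.

```python
"""MAC (guest) registration binding a user identity to a MAC, with optional sponsorship.

Added illustration, not Enterasys code: the sponsor table, the registration
store, the audit log format and the sample addresses are constructed for this
example; the product's own web form and database are not described on the page.
"""
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# constructed stand-in for "an internal user with valid credentials"; a deployment
# would check the sponsor against the organisation's directory instead
SPONSORS: Dict[str, str] = {"jdoe": "correct horse battery staple"}


def normalize_mac(mac: str) -> str:
    """Canonical aa:bb:cc:dd:ee:ff form so the same hardware is keyed once."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def sponsor_is_valid(sponsor: Optional[str], password: Optional[str]) -> bool:
    if sponsor is None or password is None or sponsor not in SPONSORS:
        return False
    return hmac.compare_digest(SPONSORS[sponsor].encode(), password.encode())


@dataclass(frozen=True)
class Registration:
    mac: str
    user: str
    category: str            # guest, student, contractor, employee
    sponsor: Optional[str]
    registered_at: datetime


class Registry:
    """Holds the MAC -> user binding that auditing, accounting and forensics rely on."""

    def __init__(self, require_sponsor: bool) -> None:
        self.require_sponsor = require_sponsor
        self._by_mac: Dict[str, Registration] = {}
        self.audit: List[str] = []

    def register(self, mac: str, user: str, category: str,
                 sponsor: Optional[str] = None, sponsor_password: Optional[str] = None
                 ) -> Optional[Registration]:
        mac = normalize_mac(mac)
        if self.require_sponsor and not sponsor_is_valid(sponsor, sponsor_password):
            self.audit.append(f"REJECT mac={mac} user={user} reason=no-valid-sponsor")
            return None
        previous = self._by_mac.get(mac)
        if previous is not None and previous.user != user:
            # the same hardware re-registered under another name is worth a second look
            self.audit.append(f"REBIND mac={mac} from={previous.user} to={user}")
        reg = Registration(mac, user, category, sponsor, datetime.now(timezone.utc))
        self._by_mac[mac] = reg
        self.audit.append(f"REGISTER mac={mac} user={user} category={category} sponsor={sponsor}")
        return reg

    def is_registered(self, mac: str) -> bool:
        return normalize_mac(mac) in self._by_mac

    def user_for(self, mac: str) -> Optional[str]:
        """Forensics lookup: who registered this MAC?"""
        reg = self._by_mac.get(normalize_mac(mac))
        return reg.user if reg else None


if __name__ == "__main__":
    sponsored = Registry(require_sponsor=True)
    print(sponsored.register("00:11:22:33:44:55", "visitor1", "guest"))  # None: no sponsor
    print(sponsored.register("00:11:22:33:44:55", "visitor1", "guest",
                             sponsor="jdoe", sponsor_password="correct horse battery staple"))
    print(sponsored.user_for("00-11-22-33-44-55"))
    for line in sponsored.audit:
        print(line)
```

The audit list is the part worth keeping in a real deployment: rejected registrations and re-bindings of one MAC to a second user are exactly the records an investigator wants when a registered address later shows up somewhere it should not.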
Enterasys Network Access Control Design Guide, P/N 9034385