
Survey the Network
Enterasys NAC Design Guide 4-7
system at a time, then it is suggested that MAC locking (also known as Port Security) be enabled on the edge switches to restrict the number of connecting devices. If multiple end-system connections are supported, then the intelligent edge switch must support the authentication and authorization of multiple devices (possibly using multiple authentication methods) concurrently on the network. If this is not supported, a security hole exists: a noncompliant end-system can “piggyback” on the open network connection of a compliant end-system. For example, NAC is often deployed on a converged IP telephony network where IP phone handsets are cascaded with PCs connected to a single intelligent edge infrastructure port. If the intelligent edge infrastructure devices do not support the authentication and authorization of both the PC and the IP phone connected to the same port, then a noncompliant PC may be allowed network access when the security posture of an IP phone that connected to the network first is deemed compliant. Furthermore, if the authentication and authorization of multiple devices connecting to a single port is not supported, certain devices may lose connectivity when NAC is deployed. For example, an IP phone's network connection may be lost when a PC on the same port is quarantined.
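The two failure modes above (a noncompliant PC riding on the phone's open port, and the phone losing connectivity when the PC is quarantined) are easiest to see as a small model of how the authorization state is kept on the port. The following is an added example written for this page; it is not code from the design guide and not Enterasys configuration syntax. The port modes ("single" and "multi"), the posture strings, the access states, the MAC locking limit and the MAC addresses (taken from the RFC 7042 documentation range) are assumptions made for the illustration.

```python
"""Per-port versus per-end-system authorization on an edge switch.

Added illustration, not code from the Enterasys NAC Design Guide and not
Enterasys configuration syntax.  The port modes, posture strings, access
states and MAC addresses are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict

COMPLIANT = "compliant"
NONCOMPLIANT = "noncompliant"

PHONE = "00:00:5e:00:53:01"   # constructed IP phone MAC (RFC 7042 range)
PC = "00:00:5e:00:53:02"      # constructed PC MAC, cascaded behind the phone


@dataclass
class EdgePort:
    # "single": the port is authorized as a unit; the first end-system that
    # authenticates opens it (the case the guide warns about).
    # "multi": each end-system gets its own session and its own
    # authorization (what Multi-User Authentication provides).
    mode: str = "single"
    # MAC locking / port security: how many MACs the port admits at all.
    max_macs: int = 2
    sessions: Dict[str, str] = field(default_factory=dict)  # mac -> access
    port_open: bool = False

    def connect(self, mac: str, posture: str) -> str:
        """Access the end-system ends up with after NAC assesses it:
        'allowed', 'quarantine', or 'blocked' (MAC locking limit reached)."""
        if mac not in self.sessions and len(self.sessions) >= self.max_macs:
            return "blocked"
        assessed = "allowed" if posture == COMPLIANT else "quarantine"
        if self.mode == "multi":
            self.sessions[mac] = assessed
            return assessed
        if not self.port_open:
            # single-user port: the first end-system's posture decides
            self.port_open = assessed == "allowed"
            self.sessions[mac] = assessed
            return assessed
        # port already open: the new MAC is never assessed, it piggybacks
        self.sessions[mac] = "allowed"
        return "allowed"

    def quarantine(self, mac: str) -> Dict[str, str]:
        """NAC re-evaluates `mac` as noncompliant; return access per MAC."""
        if self.mode == "multi":
            self.sessions[mac] = "quarantine"
        else:
            # the port is authorized as a unit, so every MAC on it is moved
            self.port_open = False
            for m in self.sessions:
                self.sessions[m] = "quarantine"
        return dict(self.sessions)


def piggyback_scenario(mode: str) -> str:
    """Compliant phone authenticates first; a noncompliant PC follows."""
    port = EdgePort(mode=mode)
    port.connect(PHONE, COMPLIANT)
    return port.connect(PC, NONCOMPLIANT)


def quarantine_scenario(mode: str) -> str:
    """Both compliant at first; the PC is later quarantined. Phone's access?"""
    port = EdgePort(mode=mode)
    port.connect(PHONE, COMPLIANT)
    port.connect(PC, COMPLIANT)
    return port.quarantine(PC)[PHONE]


def mac_locking_scenario(limit: int) -> str:
    """With MAC locking set to `limit`, what does a second MAC get?"""
    port = EdgePort(mode="single", max_macs=limit)
    port.connect(PHONE, COMPLIANT)
    return port.connect(PC, COMPLIANT)


if __name__ == "__main__":
    for mode in ("single", "multi"):
        print(mode, "piggyback ->", piggyback_scenario(mode),
              "| phone after PC quarantine ->", quarantine_scenario(mode))
    print("MAC locking limit 1 ->", mac_locking_scenario(1))
```

Running the script shows the trade-off the text describes: in "single" mode the noncompliant PC is allowed and the phone is dragged into quarantine with the PC, while in "multi" mode each MAC is judged on its own. MAC locking with a limit of one closes the piggyback hole only by refusing the second device altogether, which is why it is the recommendation for ports that carry a single end-system and not a substitute for multi-user authentication on phone-plus-PC ports.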
Authentication Support on Enterasys Devices
Following is information on the authentication support provided by Enterasys devices:
• The Matrix N-series Multi-User Authentication (MUA) feature allows the enabling of any combination of authentication methods (802.1X, web-based, and/or MAC) both globally and per port. While the Matrix N-series Gold supports the authentication and authorization of two users/devices per port, the Matrix N-series Platinum supports the authentication and authorization of over 2000 users and devices per port, providing the highest degree of authentication method configuration flexibility.
• The SecureStack C2/C3 and B2/B3 User + IP Phone authentication allows the configuration of multiple authentication methods globally and per port (802.1X, web-based, and/or MAC), with the limitation of one PC and one IP phone authenticating on a single port.
• The Matrix E1's Hybrid authentication allows the enabling of both 802.1X and MAC authentication on the same port, and supports the authentication of a single end-system using only one of these authentication methods at a time.
• If web-based authentication is globally enabled on the Matrix E1 and the Matrix E-series Generation 2/3 platforms, each port on the switch can only be configured to implement web-based authentication.
Authentication Considerations
If authentication is currently deployed on the network, here are considerations that should be reviewed as you plan your NAC deployment:
• Enterasys NAC will seamlessly integrate with deployments where the authentication and authorization of trusted users is already implemented. Enterasys NAC can be configured to forward the RADIUS Filter-ID and/or VLAN Tunnel attributes returned from the RADIUS server to the access layer switch during the authentication process.
• If guest access is implemented on the network by assigning a default policy or VLAN on certain ports (assuming guest users will fail authentication on the network), the infrastructure will need to be reconfigured to implement NAC for guest users. Enterasys NAC will not assess or authorize end-systems that only fail authentication against a backend RADIUS server. To enable Enterasys NAC to interact with guest users on the network, MAC authentication must be enabled on ports where guest users connect to the network, and Enterasys NAC must be configured to locally authorize MAC authentication requests and assign the appropriate guest authorization level. Then, guest users will be successfully MAC
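The two considerations above both come down to what the NAC gateway returns to the edge switch in the RADIUS Access-Accept: either the backend server's own Filter-ID / VLAN tunnel attributes passed through unchanged, or a locally assigned guest authorization for a MAC authentication request the backend would otherwise reject. The following added example (written for this page; not code from the design guide or from the Enterasys NAC product) encodes and decodes those attributes as defined in RFC 2865 and RFC 2868 and models that decision. The policy names, VLAN numbers, the `backend` callback and the sample user database are assumptions made for the illustration.

```python
"""RADIUS authorization attributes a NAC gateway hands to the edge switch.

Added example, not code from the Enterasys NAC Design Guide or from the
Enterasys NAC product.  Policy names, VLAN numbers, the backend callback and
the sample user database are assumptions.
"""
import struct
from typing import Callable, Dict, Optional

FILTER_ID = 11                 # RFC 2865 Filter-Id
TUNNEL_TYPE = 64               # RFC 2868 Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65        # RFC 2868 Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868 Tunnel-Private-Group-ID
TUNNEL_TYPE_VLAN = 13          # RFC 3580 value for VLAN
TUNNEL_MEDIUM_802 = 6          # RFC 2868 value for IEEE 802
GUEST_POLICY, GUEST_VLAN = "Guest Access", 900   # assumed guest authorization


def _avp(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type, Length (header included), Value (RFC 2865 section 5)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_authorization(policy: Optional[str] = None,
                         vlan: Optional[int] = None, tag: int = 0) -> bytes:
    """Attribute list for an Access-Accept carrying a policy and/or a VLAN."""
    out = b""
    if policy is not None:
        out += _avp(FILTER_ID, policy.encode())
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID out of range")
        # Tunnel-Type / Tunnel-Medium-Type: 1-byte tag + 3-byte integer
        out += _avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        out += _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
        # Tunnel-Private-Group-ID: tag byte (only meaningful if <= 0x1F) + string
        out += _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode())
    return out


def decode_authorization(payload: bytes) -> dict:
    """Parse an attribute list back into {'policy': ..., 'vlan': ...}.

    A VLAN is reported only when all three tunnel attributes are present and
    consistent; a lone Tunnel-Private-Group-ID is ignored rather than trusted.
    """
    result: dict = {"policy": None, "vlan": None}
    tunnel: Dict[int, object] = {}
    i = 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated attribute header")
        t, ln = payload[i], payload[i + 1]
        if ln < 3 or i + ln > len(payload):
            raise ValueError("bad attribute length")
        v = payload[i + 2:i + ln]
        i += ln
        if t == FILTER_ID:
            result["policy"] = v.decode()
        elif t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tunnel[t] = int.from_bytes(v[1:], "big")   # skip the tag byte
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            s = v[1:] if v[0] <= 0x1F else v           # tag present only if <= 0x1F
            tunnel[t] = s.decode()
    group = tunnel.get(TUNNEL_PRIVATE_GROUP_ID)
    if (tunnel.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and tunnel.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
            and isinstance(group, str) and group.isdigit()):
        result["vlan"] = int(group)
    return result


def nac_decision(username: str, mac_auth: bool,
                 backend: Callable[[str], Optional[bytes]]) -> Optional[bytes]:
    """Attributes the NAC gateway returns to the switch, or None for a reject.

    `backend(username)` stands in for the enterprise RADIUS server: it returns
    the attribute bytes of its Access-Accept, or None on Access-Reject.  A MAC
    authentication request the backend does not know is authorized locally at
    the guest level so the end-system reaches NAC instead of being rejected;
    failed 802.1X or web-based authentication stays a reject.
    """
    accepted = backend(username)
    if accepted is not None:
        return accepted            # forward Filter-Id / VLAN tunnel attributes as-is
    if mac_auth:
        return encode_authorization(policy=GUEST_POLICY, vlan=GUEST_VLAN)
    return None


# Constructed backend user database: username -> Access-Accept attributes
USERS = {"jdoe": encode_authorization(policy="Enterprise User", vlan=10)}


def sample_backend(username: str) -> Optional[bytes]:
    return USERS.get(username)


if __name__ == "__main__":
    print("jdoe  ->", decode_authorization(nac_decision("jdoe", False, sample_backend)))
    print("guest ->", decode_authorization(nac_decision("00005e005302", True, sample_backend)))
    print("bad 802.1X ->", nac_decision("mallory", False, sample_backend))
```

The decoder deliberately refuses to derive a VLAN from a Tunnel-Private-Group-ID that is not accompanied by matching Tunnel-Type and Tunnel-Medium-Type values; when checking an existing deployment, compare what the backend server actually returns against what the switch applies, since a switch that ignores incomplete tunnel attributes will silently leave the user on the port's default VLAN.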