Model 1: End-System Detection and Tracking
2-2 NAC Deployment Models
RADIUS Access-Accept or Access-Reject message received from the upstream RADIUS server is returned without modification to the access edge switch, which then permits or denies end-system access to the network accordingly. For MAC authentication, a RADIUS Access-Accept message is returned to the access edge switch without modification, based either on a RADIUS Access-Accept message received from the upstream RADIUS server or on local authorization of the MAC authentication request. The authenticating end-system is then granted network access according to the configuration of the access edge switch.
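The pass-through behaviour described above, as an added example written for this page (it is not code from the Enterasys guide or from the NAC Gateway): a minimal RADIUS relay in the Model 1 role that forwards a MAC-authentication Access-Request to an upstream server and returns the upstream Access-Accept or Access-Reject to the edge switch with its code and attributes untouched. It also shows the two fields a relay cannot leave untouched even in pass-through mode: the User-Password attribute, which is hidden under the shared secret and Request Authenticator of each hop, and the Response Authenticator, which must be verified against the upstream secret and recomputed for the edge switch. The upstream server, the allow-list, the secrets, the MAC addresses and every function name here (model1_proxy, edge_mac_auth_request, and so on) are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID, CALLING_STATION_ID = 1, 2, 11, 31

def encode_attrs(attrs):
    """Serialize [(type, value), ...] as RADIUS Type-Length-Value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def pack(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def password_xor(secret, req_auth, data, hiding):
    """RFC 2865 section 5.2: MD5(secret + previous block) keystream, chained on the *hidden* block."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(x ^ k for x, k in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if hiding else data[i:i + 16]
    return out

def hide_password(secret, req_auth, password):
    return password_xor(secret, req_auth, password + b"\x00" * (-len(password) % 16), True)

def reveal_password(secret, req_auth, hidden):
    return password_xor(secret, req_auth, hidden, False).rstrip(b"\x00")

def response_authenticator(code, ident, attrs, req_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def build_response(code, ident, attrs, req_auth, secret):
    return pack(code, ident, response_authenticator(code, ident, attrs, req_auth, secret), attrs)

def verify_response(pkt, req_auth, secret):
    code, ident, auth, attrs = unpack(pkt)
    return hmac.compare_digest(auth, response_authenticator(code, ident, attrs, req_auth, secret))

def edge_mac_auth_request(mac, secret, ident=7):
    """What an access edge switch sends for MAC authentication: the MAC is both username and password."""
    req_auth = os.urandom(16)
    return pack(ACCESS_REQUEST, ident, req_auth, [
        (USER_NAME, mac.encode()),
        (USER_PASSWORD, hide_password(secret, req_auth, mac.encode())),
        (CALLING_STATION_ID, mac.encode())])

def upstream_server(pkt, secret, allowed_macs):
    """Constructed upstream RADIUS server: accepts known MACs and hands back a Filter-Id."""
    _, ident, req_auth, attrs = unpack(pkt)
    a = dict(attrs)
    mac = a[USER_NAME].decode()
    if mac in allowed_macs and reveal_password(secret, req_auth, a[USER_PASSWORD]) == mac.encode():
        return build_response(ACCESS_ACCEPT, ident, [(FILTER_ID, b"Enterprise User")], req_auth, secret)
    return build_response(ACCESS_REJECT, ident, [], req_auth, secret)

def model1_proxy(edge_pkt, edge_secret, upstream, upstream_secret):
    """Model 1 gateway role (constructed): relay the request, hand back the upstream verdict unchanged."""
    _, ident, edge_auth, attrs = unpack(edge_pkt)
    up_auth = os.urandom(16)
    # User-Password is bound to each hop's secret and Request Authenticator, so it is the one
    # attribute that has to be re-hidden; everything else is forwarded exactly as received.
    forwarded = [(t, hide_password(upstream_secret, up_auth, reveal_password(edge_secret, edge_auth, v))
                  if t == USER_PASSWORD else v) for t, v in attrs]
    up_resp = upstream(pack(ACCESS_REQUEST, ident, up_auth, forwarded))
    if not verify_response(up_resp, up_auth, upstream_secret):
        raise ValueError("upstream Response Authenticator invalid: drop, never relay")
    code, _, _, resp_attrs = unpack(up_resp)
    # Code and attributes pass through untouched; only the Response Authenticator is recomputed,
    # because it covers the edge switch's own Request Authenticator and shared secret.
    return build_response(code, ident, resp_attrs, edge_auth, edge_secret)

def demo(mac="00-11-22-33-44-55", edge_secret=b"edge-secret", up_secret=b"upstream-secret"):
    """Constructed allow-list and secrets; returns (code, attributes) as the edge switch would see them."""
    allowed = {"00-11-22-33-44-55"}
    req = edge_mac_auth_request(mac, edge_secret)
    resp = model1_proxy(req, edge_secret, lambda p: upstream_server(p, up_secret, allowed), up_secret)
    _, _, edge_auth, _ = unpack(req)
    if not verify_response(resp, edge_auth, edge_secret):
        raise ValueError("relayed response fails the edge switch's check")
    code, _, _, attrs = unpack(resp)
    return code, attrs
```

`demo()` returns Access-Accept with the upstream Filter-Id intact; `demo("00-aa-bb-cc-dd-ee")` returns Access-Reject with no attributes. The relay drops, rather than forwards, a response whose upstream Response Authenticator does not verify: without that check any host able to reach the relay could answer in the upstream server's place. A production relay also adds a Proxy-State attribute and tracks identifiers per upstream request, which this example omits.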
Inline NAC (Layer 2)
For inline NAC utilizing the Layer 2 NAC Controller, an end-system can be detected in more than one way. It can be detected simply by transmitting data traffic not previously seen by the NAC Controller; in this case the traffic is forwarded through the NAC Controller to its destination, with no impact on the connectivity of the end-system. Alternatively, end-systems are detected when downstream end-systems authenticate via 802.1X, web-based, and/or MAC authentication on the NAC Controller. Depending on the NAC configuration, these authentication requests may or may not be proxied upstream.
Inline NAC (Layer 3)
For inline NAC utilizing the Layer 3 NAC Controller, an end-system is detected simply by transmitting data traffic sourced from an IP address not previously seen by the NAC Controller. The traffic is forwarded through the NAC Controller to its destination, with no impact on the connectivity of the end-system.
Features and Value
Model 1 supports two key pieces of functionality, each with its own value proposition:
End-System and User Tracking
Model 1 supports the ability to track end-systems by MAC address as a device moves from switch port to switch port, and to map the device identity to its IP address every time it connects. Furthermore, the associated user can also be mapped to the device and IP address, as long as a username-based authentication method (802.1X or web-based authentication) or MAC Registration is implemented with the NAC Gateway, or if end users are configured to log in to a Microsoft Windows domain and the NAC Controller's Kerberos snooping functionality is used. Using these methods, the Enterasys NAC solution can identify who, what, when, and where devices and users connect to the network.

This information is maintained centrally in the NetSight NAC Manager database, providing historical data that can be used for auditing or troubleshooting. It can also be searched to identify which port a particular user is currently connected to, or which device is currently allocated a particular IP address. This binding (IP address, MAC address, username, location), which is maintained over time for each end-system, is useful for compliance and auditing purposes, and for planning the subsequent rollout of the next NAC deployment model.
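The detection and tracking logic from the Layer 2 and Layer 3 inline sections and from this section, assembled as one added example (it is not code from the Enterasys guide or the NAC Manager product): a first-seen detector for MAC addresses (Layer 2 controller) and source IP addresses (Layer 3 controller) feeding a binding store that keeps each (IP address, MAC address, username, location) tuple as a time interval, so that it answers both "which port is this user on now" and "which device held this IP address at a given time". The latter is the IP-to-ID lookup a SIM needs to turn the IP address in an event into a user. The class and method names, the switch/port location strings and the event timeline in `demo()` are all constructed for illustration; for the Layer 3 case the MAC is assumed to be learned alongside the IP from ARP or DHCP.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Sighting:
    """One interval during which a (MAC, IP, user, location) binding held; end=None means still current."""
    start: int
    end: Optional[int]
    ip: Optional[str]
    user: Optional[str]
    location: Optional[str]

class EndSystemTracker:
    """Constructed stand-in for the central database of bindings described on this page."""

    def __init__(self):
        self.current = {}    # mac -> open Sighting
        self.history = {}    # mac -> closed Sightings, oldest first
        self.seen_ips = set()

    def _update(self, at, mac, **changed):
        """Open a new interval for `mac` if any binding field changed; returns True when it did."""
        cur = self.current.get(mac)
        fields = {"ip": None, "user": None, "location": None}
        if cur:
            fields.update(ip=cur.ip, user=cur.user, location=cur.location)
        fields.update({k: v for k, v in changed.items() if v is not None})
        if cur and (cur.ip, cur.user, cur.location) == tuple(fields.values()):
            return False
        if cur:
            cur.end = at
            self.history.setdefault(mac, []).append(cur)
        self.current[mac] = Sighting(at, None, **fields)
        return True

    def observe_frame(self, at, mac, location):
        """Layer 2 detection: a MAC never seen, or a known MAC on a new switch port, starts a sighting."""
        return self._update(at, mac, location=location)

    def observe_ip(self, at, mac, ip):
        """Layer 3 detection: True when the source IP has not been seen by the controller before.
        The MAC is assumed (for this example) to come from ARP/DHCP observation on the same segment."""
        first_seen = ip not in self.seen_ips
        self.seen_ips.add(ip)
        self._update(at, mac, ip=ip)
        return first_seen

    def observe_auth(self, at, mac, user):
        """802.1X, web-based auth, MAC Registration or Kerberos snooping: binds a username to the device."""
        return self._update(at, mac, user=user)

    def ports_of_user(self, user):
        """Where is this user connected right now? (mac, location) for every current binding."""
        return [(mac, s.location) for mac, s in self.current.items() if s.user == user]

    def device_with_ip(self, ip):
        """Which device currently holds this IP address?"""
        return next((mac for mac, s in self.current.items() if s.ip == ip), None)

    def identity_for_ip(self, ip, at):
        """Time-aware IP-to-ID lookup: who held this address at time `at`? (mac, user, location) or None."""
        for mac, s in self.current.items():
            if s.ip == ip and s.start <= at:
                return mac, s.user, s.location
        for mac, sightings in self.history.items():
            for s in sightings:
                if s.ip == ip and s.start <= at < s.end:
                    return mac, s.user, s.location
        return None

def demo():
    """Constructed timeline: a laptop authenticates, gets an IP, moves to another switch, gets a new IP."""
    t = EndSystemTracker()
    mac = "00:11:22:33:44:55"
    t.observe_frame(100, mac, "switch-a:ge.1.5")   # first frame seen: end-system detected
    t.observe_auth(101, mac, "jdoe")                # 802.1X success binds the user
    t.observe_ip(105, mac, "10.1.1.20")             # first IP traffic from this device
    t.observe_frame(400, mac, "switch-b:ge.2.7")    # device moves to another switch port
    t.observe_ip(402, mac, "10.1.2.33")             # new subnet, new address
    return t
```

Because every change of port, address or user closes one interval and opens another, a query such as `identity_for_ip("10.1.1.20", 200)` attributes the address to the laptop on switch-a at that time even though the same address may later be reused by another device; that is the property a SIM integration depends on when it enriches an event recorded minutes or days earlier.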
IP-to-ID functionality for Security Information Management (SIM)
This NAC deployment model enables SIM systems, such as the Enterasys Dragon Security Command Console (DSCC), to display user-focused information about assets on the network. Traditionally, SIM systems yield device-focused information (such as an IP address) about detected network threats, through the correlation, normalization, and prioritization of events
Page 1: ...Enterasys Network Access Control Design Guide P N 9034385...