Identify Inline or Out-of-band NAC Deployment
Enterasys NAC Design Guide 4-11
Remote Access VPN

In many enterprise environments, a VPN concentrator located at the main site connects to the Internet to provide VPN access to remote users. In this scenario there is no concept of intelligent and non-intelligent edge switches, because the entry point to the main site is the VPN concentrator. The NAC Controller must therefore be used to implement NAC for remote access VPN end-systems, and it should be positioned behind the VPN concentrator that provides remote access VPN. Again, reverse proxy VPN or many-to-one NAT implemented on a device downstream from the NAC Controller is not supported in the Enterasys NAC solution.
Identify Inline or Out-of-band NAC Deployment

Based on the NAC deployment model you selected, and the results of your network infrastructure evaluation, you must identify whether out-of-band NAC or inline NAC will be deployed in the different areas of your network. Once you have decided on out-of-band NAC with the NAC Gateway and/or inline NAC with the NAC Controller, the next design step is to determine your specific enterprise requirements for the selected NAC solution, and to identify the number of NAC appliances and their location and configuration on the network.
Summary

The first step when planning your NAC deployment is to identify the NAC deployment model, or a phased implementation of multiple deployment models, that meets your NAC business objectives. Once you have selected a deployment model, you can use the following four steps to evaluate your current network infrastructure and determine your NAC component requirements.
1. Identify the “intelligent edge” in your network, if it exists. This information will be used to help you select which NAC appliance, the NAC Gateway or NAC Controller, best suits your network infrastructure. An intelligent edge is required when the NAC Gateway is utilized for implementing out-of-band NAC. The NAC Gateway appliance leverages the intelligent edge of the network to implement the authentication and authorization of connecting end-systems. In networks with non-intelligent devices at the access edge, it is not necessary to replace these non-intelligent devices to be able to implement out-of-band NAC with the NAC Gateway. Instead, the Enterasys Matrix N-series switch can be positioned upstream from non-intelligent devices (such as in the distribution layer) to implement the authentication and authorization functions for downstream connected devices. If the network does not have an intelligent edge, then the NAC Controller must be deployed in order to provide the authentication and authorization capabilities required for implementing network access control.
2. Evaluate the network authentication method currently being used, and how the deployment of Enterasys NAC will affect it. (This step is not required if you have determined that the network does not have an intelligent edge and the inline NAC Controller will be deployed.) If authentication is not configured on the network, out-of-band NAC can be deployed with minimal configuration by implementing MAC authentication on the intelligent edge of the network (if the edge switches support MAC authentication). If authentication is currently deployed on the network with 802.1X, web-based, and/or MAC authentication, out-of-band NAC is configured to proxy RADIUS authentication requests received from the switches at the intelligent edge of the network to the backend RADIUS
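Both cases in step 2 (MAC authentication on the intelligent edge, and the out-of-band appliance proxying the switches' RADIUS requests to a backend server) can be seen end to end in the following simulation. It is an added example, not Enterasys code and not how the NAC Gateway is implemented: the three roles run in one process and exchange RFC 2865 packets, the edge switch sends the MAC address as both user name and password, and the proxy carries the authorization decision back to the switch as Tunnel-Private-Group-ID VLAN attributes. The shared secrets, the known-MAC list and the VLAN numbers are constructed for the demo; MD5 is used because RFC 2865 specifies it.

```python
"""Simulated RADIUS proxy flow for out-of-band NAC (added example, not Enterasys code).
Roles, all in-process: an edge switch doing MAC authentication, a NAC gateway that
proxies to a backend RADIUS server under a second shared secret and adds the VLAN
its policy chooses to the Access-Accept, and the backend. All values are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
SWITCH_SECRET = b"switch-to-gateway-secret"    # constructed
BACKEND_SECRET = b"gateway-to-backend-secret"  # constructed
KNOWN_MACS = {"00-11-22-33-44-55"}             # constructed backend user database

def pack_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = pack_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], parse_attrs(pkt[20:])

def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    body = pack_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(head + request_auth + body + secret).digest()

def crypt_password(data, secret, request_auth, decrypt=False):
    # RFC 2865 s.5.2: 16-byte blocks, each XORed with MD5(secret + previous cipher block)
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        prev = data[i:i + 16] if decrypt else block
        out += block
    return out.rstrip(b"\x00") if decrypt else out

def switch_access_request(mac, ident=7):
    # MAC authentication: the switch presents the MAC address as both user name and password
    ra = os.urandom(16)
    attrs = [(USER_NAME, mac.encode()), (CALLING_STATION_ID, mac.encode()),
             (USER_PASSWORD, crypt_password(mac.encode(), SWITCH_SECRET, ra))]
    return build_packet(ACCESS_REQUEST, ident, ra, attrs)

def backend_server(pkt):
    _, ident, ra, attrs = parse_packet(pkt)
    a = dict(attrs)
    pw = crypt_password(a[USER_PASSWORD], BACKEND_SECRET, ra, decrypt=True)
    ok = a[USER_NAME].decode() in KNOWN_MACS and pw == a[USER_NAME]
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(code, ident, response_authenticator(code, ident, [], ra, BACKEND_SECRET), [])

def nac_gateway(pkt, quarantined=frozenset()):
    code, ident, ra, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("gateway only proxies Access-Request")
    a = dict(attrs)
    # Re-encrypt User-Password under the backend's secret; the request authenticator is kept.
    pw = crypt_password(a[USER_PASSWORD], SWITCH_SECRET, ra, decrypt=True)
    fwd = [(t, crypt_password(pw, BACKEND_SECRET, ra) if t == USER_PASSWORD else v)
           for t, v in attrs]
    rcode, rident, rauth, rattrs = parse_packet(backend_server(build_packet(code, ident, ra, fwd)))
    # Never act on a reply whose Response Authenticator does not verify against our request.
    if rident != ident or rauth != response_authenticator(rcode, rident, rattrs, ra, BACKEND_SECRET):
        raise ValueError("backend reply failed authenticator check")
    if rcode == ACCESS_ACCEPT:
        # Authorization is the gateway's decision: quarantine VLAN 40 or production VLAN 10 (constructed)
        vlan = b"40" if a[CALLING_STATION_ID].decode() in quarantined else b"10"
        rattrs += [(TUNNEL_TYPE, b"\x00\x00\x00\x0d"),        # tag 0, VLAN (13)
                   (TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),  # tag 0, IEEE 802 (6)
                   (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + vlan)]  # tag 0, VLAN id
    return build_packet(rcode, ident, response_authenticator(rcode, ident, rattrs, ra, SWITCH_SECRET), rattrs)

def authorize(mac, quarantined=frozenset()):
    """Run one end-system through the exchange; returns (decision, vlan) as the switch sees it."""
    req = switch_access_request(mac)
    _, ident, ra, _ = parse_packet(req)
    rcode, rident, rauth, rattrs = parse_packet(nac_gateway(req, quarantined))
    if rident != ident or rauth != response_authenticator(rcode, rident, rattrs, ra, SWITCH_SECRET):
        raise ValueError("gateway reply failed authenticator check")
    if rcode != ACCESS_ACCEPT:
        return "reject", None
    return "accept", dict(rattrs)[TUNNEL_PRIVATE_GROUP_ID][1:].decode()
```

Calling authorize("00-11-22-33-44-55") returns ("accept", "10"); the same MAC passed in the quarantined set lands in VLAN 40, and an unknown MAC is rejected. Two design points carry over to a real deployment: each hop has its own shared secret, so the proxy decrypts and re-encrypts User-Password and re-signs the reply rather than relaying bytes, and it checks the backend's Response Authenticator before acting on the answer, so a forged or mismatched reply is dropped instead of turning into a network authorization.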