Procedures for Out-of-Band and Inline NAC
Enterasys NAC Design Guide 5-11
Table 5-2 Security Domain Configuration Guidelines for Assessment (continued)

Columns: Network Scenario | Examples | Security Domain Configuration

Network Scenario: Area of the network, or a group of end-systems or users, that require assessment with immediate network access.

Examples:
• Switches that provide network access to mission-critical servers, mandating uninterrupted network connectivity while still implementing assessment.
• Switches that provide network access to end-systems used by IT operations, requiring that network connectivity for debugging and troubleshooting is maintained during assessment.
• Switches that provide network access to important end users such as executives, so that network connectivity is maintained during assessment.
• A group of devices, identified by MAC address, that are a specific OS or device type, such as printers or IP phones, that require immediate network access upon connection.
• Users, identified by user name, that are identified as important personnel on the network and require immediate network access upon connection.

Security Domain Configuration: Do not use an Assessment Policy while end-systems are being assessed. This guarantees that mission-critical devices with time-sensitive network access maintain network availability during assessment.
In NAC Manager, create a Security Domain with the following attribute:
• The “Use Assessment Policy While Assessing” checkbox is not selected. In this case, NAC Manager assigns the policy or VLAN returned from the RADIUS server, or the locally defined Accept Policy, while the end-system is being assessed.

Network Scenario: Area of the network, or a group of end-systems or users, that require assessment before network access is allowed.

Examples:
• Switches that provide access to untrusted users, such as guests or other high-risk end-systems, may be configured to apply a highly restrictive Assessment Policy during end-system assessment, permitting end-system communication only to the assessment servers and to basic IP services such as ARP, DNS, and DHCP. Security threats created by these high-risk end-systems are mitigated by waiting until assessment is completed before authorizing a significant level of network access.
• A group of devices, identified by MAC address, that are a specific OS or device type and pose a high risk to network security.
• Users, identified by user name, that are identified as high-risk personnel on the network.

Security Domain Configuration: Use an Assessment Policy during end-system assessment.
In NAC Manager, create a Security Domain with the following attribute:
• Select the “Use Assessment Policy While Assessing” checkbox and specify an Assessment Policy to assign.