
Out-of-Band NAC Design Procedures
5-22 Design Procedures
primary NAC Gateway, the transition to the secondary NAC Gateway will not exceed maximum capacity. To support redundancy within a Security Domain for either approach, one additional NAC Gateway (of the same model or with increased capacity) must be deployed per Security Domain in addition to the NAC Gateways deployed to handle the maximum number of concurrent end-systems connecting to the network.

It is important to note that each NAC Gateway can be configured to proxy RADIUS authentication requests to a particular RADIUS server. Therefore, if two switches in the network provide access to 802.1X or web-based authenticating users, and the credentials for the users connected to each switch are located on different RADIUS servers deployed on the network, then each switch must be configured to use its own NAC Gateway. Each NAC Gateway is then configured to use its respective RADIUS server. For example, an enterprise network that utilizes a particular RADIUS server for the 802.1X authentication of wireless users would use a different RADIUS server for authenticating wired users. In this case, the same NAC Gateway could not be used for the switch providing wireless access and the switch providing wired access.
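The two sizing rules above (one RADIUS server per NAC Gateway, and N+1 gateway capacity per Security Domain) can be checked against a deployment plan before hardware is ordered. The script below is an added example, not code from the Enterasys guide; the switch, gateway and domain names and the per-gateway capacities are constructed sample values.

```python
from collections import defaultdict

# Constructed sample plan: each switch names the NAC Gateway it sends RADIUS
# requests to and the RADIUS server that holds its users' credentials.
SWITCHES = [
    {"name": "wired-sw1",  "gateway": "nac-gw1", "radius": "radius-wired"},
    {"name": "wired-sw2",  "gateway": "nac-gw1", "radius": "radius-wired"},
    {"name": "wlan-ctrl1", "gateway": "nac-gw1", "radius": "radius-wlan"},  # conflict
]
# Hypothetical gateways (capacity in concurrent end-systems) per Security Domain.
GATEWAYS = {
    "nac-gw1": {"domain": "campus", "capacity": 3000},
    "nac-gw2": {"domain": "campus", "capacity": 3000},
}
# Maximum number of concurrent end-systems expected in each Security Domain.
DOMAINS = {"campus": {"max_concurrent": 4000}}


def check_radius_proxy(switches):
    """A NAC Gateway proxies to one RADIUS server, so every switch that shares
    a gateway must authenticate against the same server. Returns the gateways
    that would need more than one server."""
    servers = defaultdict(set)
    for sw in switches:
        servers[sw["gateway"]].add(sw["radius"])
    return {gw: sorted(s) for gw, s in servers.items() if len(s) > 1}


def check_redundancy(gateways, domains):
    """Per Security Domain, the remaining gateways must still carry the maximum
    concurrent end-systems after any single gateway fails (N+1). The worst case
    is losing the largest gateway, which also covers the 'same model or larger'
    rule for the spare. Returns the domains that fall short."""
    by_domain = defaultdict(list)
    for gw in gateways.values():
        by_domain[gw["domain"]].append(gw["capacity"])
    problems = {}
    for dom, spec in domains.items():
        caps = by_domain.get(dom, [])
        surviving = sum(caps) - (max(caps) if caps else 0)
        if len(caps) < 2 or surviving < spec["max_concurrent"]:
            problems[dom] = {"gateways": len(caps),
                             "surviving_capacity": surviving,
                             "required": spec["max_concurrent"]}
    return problems


if __name__ == "__main__":
    print("RADIUS proxy conflicts:", check_radius_proxy(SWITCHES))
    print("Redundancy shortfalls:", check_redundancy(GATEWAYS, DOMAINS))
```

In the sample plan the wireless controller would need its own NAC Gateway, and the campus domain needs a third gateway before a single failure can be absorbed.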
3. Determine NAC Gateway Location
After determining the number of NAC Gateways required for the NAC deployment, the next step is to determine NAC Gateway location on the network. This is dependent on the NAC deployment model that is implemented on the network.

If the NAC deployment does not implement remediation of quarantined end-systems or MAC (network) registration of new devices on the network, then the NAC Gateways are located in the authentication path of connecting end-systems as a proxy RADIUS server. This means that the RADIUS client on the access layer switches communicates directly with the NAC Gateway over UDP/IP, and the NAC Gateway in turn communicates with a backend RADIUS server. Therefore, the only requirement for NAC Gateway placement is that a routable IP forwarding path exists between each NAC Gateway and its associated access layer switches. One option is to place all NAC Gateways in the data center, possibly adjacent to the RADIUS servers deployed on the network. Because the end-system assessment is not directly executed from the NAC Gateways, the choice of the location for the NAC Gateway does not impact the NAC operation, assuming IP connectivity between the access layer switches and the NAC Gateways is maintained.

For a branch office deployment of NAC, a NAC Gateway may be installed at the branch office or at the main site. The advantage of the NAC Gateway being installed at the branch office is that authentication traffic generated from end-systems at the branch office will not utilize the bandwidth of the WAN connection, unless authentication requests are proxied to a RADIUS server deployed at the main site. If the NAC Gateway is installed at the branch office location, NAC Manager requires communication to the NAC Gateway only during configuration, minimizing the bandwidth consumption over the WAN link. The NAC Gateway need not communicate with NAC Manager for the authentication, assessment, and authorization of connecting end-systems.

If either remediation or MAC registration is implemented, the NAC Gateways that are performing remediation and registration server functionality via web redirection must be strategically positioned on the network for end user notification. The NAC Gateway must be installed on a network segment directly connected to the router or routers that exist in the forwarding path for HTTP traffic from end-systems that may be quarantined or unregistered. This is because policy-based routing will be configured on the router or routers to redirect the web traffic sourced from quarantined and unregistered end-systems to the NAC Gateway to serve the remediation and registration web page.
Enterasys Network Access Control Design Guide, P/N 9034385