Enterasys-networks 9034385 Bedienungsanleitung PDF herunterladen (Seite 46)

Scenario 2: Intelligent Wireless Access Edge

3-8 Use Scenarios

Scenario 2 Implementation

Intheintelligentwirelessaccessedgeusescenario,thefiveNACfunctionsareimplementedinthe

followingmanner:

1.Detection‐Theuserʹsend‐systemconnectstothenetwork.ThewirelessswitchorthickAP

sendsaRADIUSauthenticationrequest(802.1X,web‐based,orMACauthentication)withthe

associatedcredentialsto

theNACGateway.

2.Authentication‐Iftheend‐systemisauthenticatingtothe networkusing802.1Xorweb‐based

authentication,theNACGatewayproxiestheRADIUSa uthenti cationrequesttoabackend

authentication(RADIU S)servertovalidatetheidentityoftheenduser/device.Forend‐systems

thatareMACauthenticatingtothe

network,theNACGatewaymaybeconfiguredtoeitherproxy

theMACauthenticationrequeststotheRADIUSserver,orlocallyauthorizeMACauthentication

requests.IfonlyMACauthenticationisdeployedonthenetworkandtheNACGatewayis

configuredtolocallyauthorizeMACauthenticationrequests,abackendRADIUSserverisnot



requiredwiththeEnterasysNACsolution.

3.Assessment‐Aftertheidentityoftheend‐systemorenduserisvalidatedviaauthentication,

theNACGatewayrequestsanassessmentoftheend‐systemaccordingtopredefinedsecurity

policyparameters.Theassessmentcanbeagent‐basedoragent‐less,andisexecutedlocally

bythe

NACGatewayʹsassessmentfunctionalityand/orremotelybyapoolofassessmentservers.

4.Authorization‐Onceauthenticationandassessmentarecomplete,theNACGatewayallocates

theappropriatenetworkresourcestotheend‐systembasedonauthenticationand/orassessment

results.ForEnterasyspolicy‐enabledwirelessswitchesandaccesspoints,the

NACGateway

formatsinformationintheRADIUSauthenticationmessagesthatdirectstheedgeswitchto

dynamicallyassignaparticularpolicytothewirelessend‐systemonthewirelessswitchorAP,

dependingonthetypeofwirelessimplementation.ForRFC3580‐capablewirelessswitchesand

APs,theNACGatewayformats

informationintheRADIUSauthenticationmessages(intheform

ofRFC3580VLANTunnelattributes)thatdirectstheedgeswitchtodynamicallyassigna

particularVLANtothewirelessend‐system.Ifauthenticationfailsand/ortheassessmentresults

indicateanoncompliantend‐system,theNACGatewaycaneitherdenytheend

‐systemaccessto

thenetworkbysendingaRADIUSaccessrejectmessage,orquarantinetheend‐systemby

assigningaQuarantinepolicyorVLANtothewirelessend‐system.

5.Remediation‐Whenthequarantinedenduseropensawebbrowsertoanywebsite,itstrafficis

dynamicallyredirectedtoa

Remediationwebpagethatdescribesthecomplianceviolationsand

providesremediationsstepsfortheusertoexecuteinordertoachievecompliance.Aftertaking

theappropriateremediationsteps,theenduserclicksonabuttononthewebpagetoreattempt

networkaccess,forcingthere‐assessmentoftheend‐

system.Atthispoint,theEnterasysNAC

solutiontransitionstheend‐systemthroughtheentireNACcycleofdetection,authentication,

assessment,andauthorization,re‐assessingthesecuritypostureoftheend‐systemtodetermineif

theremediationtechniquesweresuccessfullyfollowed.Iftheend‐systemisnowcompliantwith

networksecurity

policy,theNACGatewayauthorizestheend‐systemwiththeappropriateaccess

policy.Iftheend‐systemisnotcompliant,theend‐systemisrestrictedaccesstothenetworkand

theprocessstartsagain.

1 2 ... 41 42 43 44 45 46 47 48 49 50 51 ... 97 98

Kommentare zu diesen Handbüchern

Keine Kommentare

Enterasys-networks 9034385 Bedienungsanleitung Seite 46

Kommentare zu diesen Handbüchern

Verwandte Produkte und Handbücher für Werkzeug Enterasys-networks 9034385