Enterasys-networks 9034385 User Manual, Page 28

Model 2: End-System Authorization
2-6 NAC Deployment Models
is only provisioned by the Enterasys NAC solution when the devices connect to switches in the Network Operations Center (NOC). This level of granularity in provisioning access to connecting devices protects against possible MAC spoofing attacks.
In addition to authorizing a particular device with a set of network resources, groups of devices such as IP phones, printers, and workstations can be provisioned a specific set of network resources using MAC address OUI prefix or custom MAC address mask. For example, IP phones may be identified by the Polycom MAC address OUI prefix 00:04:F2:XX:XX:XX and assigned the Voice VLAN and a high QoS.
In summary, device-based authorization supports the provisioning of network resources to a connecting end-system based on the device's identity as well as location. This provides the ability to restrict end-systems that pose a threat to the network, provide special access to particular devices, and provision end-systems or sets of end-systems with access to required sets of network resources to ensure business continuity.
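As an added illustration (not code from the Enterasys manual or product), the sketch below evaluates device-based rules of the kind described above: an OUI-prefix rule for the Polycom example, and a full-MAC rule that applies only on NOC switches, so the same MAC seen elsewhere falls through to a restricted default. The rule names, profile labels, switch names, the sample workstation MAC and the restricted default are assumptions.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

OUI_MASK = 0xFFFFFF000000   # compare only the first three octets (vendor prefix)
FULL_MASK = 0xFFFFFFFFFFFF  # compare the whole address (one specific device)

def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff, aa-bb-..., or aabb.ccdd.eeff into 48 bits."""
    digits = re.sub(r"[:.\-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)

@dataclass(frozen=True)
class Rule:
    name: str
    value: int                                  # MAC bits to compare against
    mask: int                                   # OUI prefix or custom mask
    profile: str                                # resources assigned on match
    locations: Optional[FrozenSet[str]] = None  # None = any switch

    def matches(self, mac: int, switch: str) -> bool:
        if (mac & self.mask) != (self.value & self.mask):
            return False
        return self.locations is None or switch in self.locations

# Constructed sample policy; the first matching rule wins.
RULES = [
    Rule("noc-workstation", mac_to_int("00:11:22:33:44:55"), FULL_MASK,
         "noc-full-access", frozenset({"noc-sw1", "noc-sw2"})),
    Rule("polycom-phones", mac_to_int("00:04:F2:00:00:00"), OUI_MASK,
         "voice-vlan-high-qos"),
]
DEFAULT_PROFILE = "restricted"  # assumption: unmatched devices get minimal access

def authorize(mac: str, switch: str) -> str:
    """Return the profile for a device seen with this MAC on this switch."""
    mac_bits = mac_to_int(mac)
    for rule in RULES:
        if rule.matches(mac_bits, switch):
            return rule.profile
    return DEFAULT_PROFILE

if __name__ == "__main__":
    for mac, sw in [("00:04:f2:1a:2b:3c", "access-sw7"),
                    ("00:11:22:33:44:55", "noc-sw1"),
                    ("00:11:22:33:44:55", "access-sw7")]:
        print(f"{mac} on {sw}: {authorize(mac, sw)}")
```

The third sample line is the spoofing case: a copied NOC workstation MAC presented on an access switch does not inherit the NOC profile, because the rule is bound to location as well as identity.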
User-Based Authorization
With this NAC deployment model, end-systems can be authorized with access to a specific set of network resources based on the user logged into the end-system and their organizational role within the enterprise. For example, a user who is an engineer may be allocated prioritized access to the engineering servers deployed on the network while being denied access to servers utilized by the HR or legal departments. Furthermore, a user who is known to be launching malicious attacks against critical resources on the network or was terminated from a position within the company may be authorized a restrictive set of network resources or outright denied network access, regardless of where and when this user connects to the network. In contrast, a user in the IT operations group or a technician sent to repair a device on the network may be permitted unrestricted access to network resources for troubleshooting and maintenance purposes, regardless of where and when the user connects to the network, or only from inside the NOC.
In summary, user-based authorization supports the provisioning of network resources to connecting users based on the user's identity and successful authentication, as well as their location on the network, affording such capabilities as denying users that pose a threat to the network, providing particular employees with special access, and provisioning users in general with appropriate access to the required sets of network resources, to ensure business continuity.
MAC Registration
Enterasys NAC provides support for MAC Registration, also known as Network or Guest Registration. This solution forces any new end-system connected on the network to provide the user's identity in a web page form before being allowed access to the network, without requiring the intervention of IT operations. This means that end users are automatically provisioned network access on demand without time-consuming and costly help desk requests or network infrastructure reconfigurations.
In addition, IT operations has visibility into the end-systems and their registered users on the network (for example, guests, students, contractors, and employees) without requiring the deployment of backend authentication and directory services to manage these users. This binding between user identity and machine is useful for auditing, compliance, accounting, and forensics purposes on the network.
Furthermore, MAC Registration supports a functionality referred to as “sponsored registration” requiring that end users are only allowed to register to the network when accompanied by a trusted sponsor; an internal user to the organization with valid credentials. When an end user is registering to the network, a sponsor must enter a username and possibly