Enterasys-networks 9034385 Manuel d'utilisateur télécharger pdf (Page 31)

Model 3: End-System Authorization with Assessment

Enterasys NAC Design Guide 2-9

serverisrunningoriftheHTTPserverisout‐of‐date)and client‐sidechecks(running

applications,softwareconfigurations,installedoperatingsystempatches)providedend‐system

administrativecredentialsareavailableforremotelogintoconnectingdevices.Additionally,the

NACGatewayʹslocalassessmentservicesalsoincludeagent‐basedassessmentusing

aJavaWeb

Start‐basedclientapplicationthatallowsexecutionofserver‐sideandclient‐sidecheckswithout

requiringadministrativecredentialsorspecialhostfirewallconfigurations.

TheNACGatewayʹsremoteassessmentservicesincludeagent‐lessandagent‐basedassessment

onotherNACGatewaysdeployedonthenetworkand/orthird‐

partyvulnerabilityscannerssuch

asNessusandLockdownEnforcer.As end‐systemsconnecttothenetwork,assessmentscanbe

load‐balancedamongalloftheconfiguredassessmentservicesoradefinedpool.Thisprovides

maximumscalabilityandflexibility,and minimizestheamountoftimenecessarytocompletean

end‐systemassessment.

Authorization‐TheNACGatewayallocatestheappropriatenetworkresourcestotheend‐system

basedonauthentication,location,and/orassessmentresults.For Enterasyspolicy‐enablededge

switches,theNACGatewayformatsinformationintheRADIUSauthenticationmessagesthat

directstheedgeswitchtodynamicallyassignaparticularpolicytotheconnectingend

‐system.For

RFC3580‐capableedgeswitches,theNACGatewayformatsinformationintheRADIUS

authenticationmessagesintheformofRFC3580VLANTunnelattributesthatdirectstheedge

switchtodynam icallyassignaparticularVLANtotheconnectingend‐system.Ifauthentication

failsand/ortheassessmentresultsindicate

anoncompliantend‐system,theNACGatewaycan

eitherdenytheend‐systemaccesstothenetworkbysendingaRADIUSaccessrejectmessageto

theedgeswitchorquarantinetheend‐systemwithahighlyrestrictivesetofnetworkresources(or

possiblypermitnetworkaccess)byspecifyingaparticularpolicy

orVLANtoassigntothe

authenticatedend‐systemontheedgeswitch.

Inline NAC

ForinlineEnterasysNACdeploymentsutilizingtheLayer2orLayer3NACController,theNAC

functionsareimplementedinthefollowingway:

Detection‐AsdescribedinModel2.

Authentication‐AsdescribedinModel2.

Assessment‐TheNACControllercanleverageeitherlocalassessmentservicesand/orremote

assessmentservicesdeployedonthe

network,aspreviouslydescribedfortheNACGateway.The

NACControllerʹslocalassessmentservicesincludeagent‐lessassessmentwhichcanexecute

variousserver‐sidechecksandclient‐sidechecks.Localassessmentservicesalsoincludeagent‐

basedassessmentusingaJavaWebStart‐basedclientapplicationthatallowsexecutionofserver

‐

sideandclient‐sidechecks.TheNACControllerʹsremoteassessmentservicesincludeagent‐less

andagent‐basedassessmentwithNACGatewaysand/orthird‐partyvulnerabilityscannerssuch

asNessusandLockdownEnforcer.As end‐systemsconnecttothenetwork,assessmentcanbe

load‐balancedamongalloftheconfigured

assessmentservicestoprovidemaximumscalability

andflexibilitywhileminimizingassessmenttimes.

Authorization‐TheNACControllerallocatestheappropriatenetworkresourcestotheend‐

systembasedonauthenticationand/orassessmentresults.Thisisimplementedbyassigninga

policytotrafficsourcedfromtheend‐systemlocallyonthecontroller.Ifauthentication

failsand/

ortheassessmentresultsindicateanoncompliantend‐system,theNACControllercaneither

denytheend‐systemaccesstothenetwork,quarantinethe end‐systemwithahighlyrestrictiveset

ofnetworkresources,orpermitnetworkaccessbyspecifyingaparticularpolicy.

1 2 ... 26 27 28 29 30 31 32 33 34 35 36 ... 97 98

Commentaires sur ces manuels

Pas de commentaire

Enterasys-networks 9034385 Manuel d'utilisateur Page 31

Commentaires sur ces manuels

Produits connexes et manuels pour Outils Enterasys-networks 9034385