Enterasys-networks 9034385 Instrukcja Użytkownika Pobierz pdf (Strona 24)

Model 1: End-System Detection and Tracking

2-2 NAC Deployment Models

RADIUSAccess‐AcceptorAccess‐RejectmessagereceivedfromtheupstreamRADIUSserver,is

returnedwithoutmodificationtotheaccessedgeswitch,topermitend‐systemaccesstothe

network.ForMACauthentication,aRADIUSAccess‐Acceptmessageisreturnedtotheaccess

edgeswitchwithoutmodification,basedonaRADIUS

Access‐Acceptmessagereceivedfromthe

upstreamRADIUSserverorlocalauthorizationofMACauthenticationrequests.The

authenticatingend‐systemisprovidedaccesstothenetworkbasedontheconfigurationofthe

accessedgeswitch.

Inline NAC (Layer 2)

ForinlineNACutilizingtheLayer2NACController,anend‐systemcanbedetectedinmultiple

ways.Anend‐systemcanbedetectedsimplybytransmittingdatatra ff icnotpreviouslyseenby

theNACcontroller.Inthiscase,thetraffic isforwardedthroughtheNACControllertothetraffic

destination,

andhasnoimpactontheconnectivityoftheend‐system.Inanothermethod,end‐

systemsaredetectedwiththeauthenticationofdownstreamend‐systemsvia802.1X,web‐based,

and/orMACauthenticationontheNACController.Theseauthenticationrequestsmayormaynot

beproxiedupstreamdependingontheNAC

configuration.

Inline NAC (Layer 3)

ForinlineNACutilizingtheLayer3NACController,anend‐systemisdetectedsimplyby

transmittingdatatrafficsourcedfromanIPaddressnotpreviouslyseenbytheNACcontroller.

ThetrafficisforwardedthroughtheNACcontrollertothetrafficdestination,andhasnoimpact

ontheconnectivityof

theend‐system.

Features and Value

TherearetwokeypiecesoffunctionalityandvaluepropositionssupportedbyModel1:

End-System and User Tracking

Model1supportstheabilitytotrackend‐sys temsbyMACaddress,asthedevicemovesfrom

switchporttoswitchport,andmapthedeviceidentitytoitsIP addresseverytimeitconnects.

Furthermore,theassociatedusercanalsobemappedtothedeviceandIPaddress,aslong

asa

username‐basedauthenticationmethod(802.1Xorweb‐basedauthenticati on)orMAC

RegistrationisimplementedwiththeNACGateway,orifendusersareconfiguredtologinto

aMicrosoftWindowsdomainwiththeNACControllerusingKerberossnooping

functionality.

Usingthesemethods,theEnterasysNACsolutioncanidentify

who,what,when,andwhere

devicesandusersconnecttothenetwork.Thisinformationismaintainedcentrallyinthe 

NetSightNACManagerdatabase,providingimportanthistoricaldatathatcanbeusedfor

auditingortroubleshootingpurposes.Inaddition,thisinformationcanbeeasilysearchedto

identifywhichportaparticularuser

iscurrentlyconnectedtoonthenetwork,orwhichdevice

iscurrentlyallocatedaparticularIPaddress.Thisbinding(IPaddress,MACaddress,

username,location),whichismaintainedovertimeforeachend‐system,isusefulfor

complianceandauditingpurposes,andforplanningthesubsequentrolloutofthenext

NAC

deploymentmodel.

IP-to-ID functionality for Security Information Management (SIM)

ThisNACdeploymentmodelenablesSIMsystemssuchastheEnterasysDragonSecurity

CommandConsole(DSCC),todisplayuser‐focusedinformationaboutassetsonthenetwork.

Traditionally,SIMsystemsyielddevice‐focusedinformation(suchasIPaddress)about

detectednetworkthreats,throughthecorrelation,normalization,andprioritizationofevents

1 2 ... 19 20 21 22 23 24 25 26 27 28 29 ... 97 98

Komentarze do niniejszej Instrukcji

Brak uwag

Enterasys-networks 9034385 Instrukcja Użytkownika Strona 24

Komentarze do niniejszej Instrukcji

Powiązane produkty i podręczniki dla Narzędzia Enterasys-networks 9034385