NAC Manager Concepts

---

This Help topic explains some of the concepts you'll need to understand in order to make the most effective use of NAC Manager.

Information on:

• Overview of NAC Manager
• Extreme Access Control Engines
  • Use Scenario
  • NAC VPN Deployment
• NAC Manager Structure
  • NAC Configuration
    • Rule Components
    • NAC Profiles
    • AAA Configurations
    • Portal Configurations
• Access Policies
• Registration
• Assessment
  • Assessment Remediation
• End-System Zones
• Enforcing
• MAC Locking
• Notifications
• Automated Security Manager Blacklist
• Mobile IAM

Overview of NAC Manager

Extreme Networks NAC is a centralized network access control solution that combines authentication, vulnerability assessment, and location services to authorize network access and determine the appropriate level of service for an end-system. The NAC solution ensures that only valid users and devices with appropriate security postures at the proper location are granted access to your network. For end-systems which are not compliant with defined security guidelines, the NAC solution provides assisted remediation, allowing end users to perform self-service repair steps specific to the detected compliance violation.

NAC Manager is the management component in the Extreme Networks NAC solution. NAC Manager and NAC engines work in conjunction to implement network access control. NAC Manager provides one centralized interface for configuring the authentication, authorization, assessment, and remediation parameters for your Access Control engines. After these configurations are enforced, the Access Control engines can detect, authenticate, assess, authorize, and remediate end-systems connecting to the network according to those configuration specifications.

NAC Engines

The Access Control engine is required for all Extreme Networks NAC deployments. It provides the ability to detect, authenticate, and effect the authorization of end devices attempting to connect to the network. It also integrates with, or connects to, vulnerability assessment services to determine the security posture of end-systems connecting to the network. Once authentication and assessment are complete, the Access Control engine effects the authorization of devices on the network by allocating the appropriate network resources to the end-system based on authentication and/or assessment results.

If authentication fails and/or the assessment results indicate a non-compliant end-system, the Access Control engine can either totally deny the end-system access to the network or quarantine the end-system with a highly restrictive set of network resources, depending on its configuration. The Access Control engine also provides the remediation functionality of the NAC solution by means of the remediation web server that runs on the engine. Remediation informs end users when their end-systems have been quarantined due to network security policy non-compliance, and allows end users to safely remediate their non-compliant end-systems without assistance from IT operations.

Use Scenario

The Access Control Gateway engine provides out-of-band network access control for networks where intelligent wired or wireless edge infrastructure devices are deployed as the authorization point for connecting end-systems. End-systems are detected on the network through their RADIUS authentication interchange. Based on the assessment and authentication results for a connecting device, RADIUS attributes are added/modified during the authentication process to authorize the end-system on the authenticating edge switch. Therefore, the NAC Gateway may be positioned anywhere in the network topology with the only requirement being that IP connectivity between the authenticating edge switches and the NAC Gateways is operational.

It is important to note that if the wired edge of the network is non-intelligent (unmanaged switches and hubs) and is not capable of authenticating and authorizing locally connected end-systems, it is possible to augment the network topology to allow implementation of inline NAC with the NAC Gateway. This can be accomplished by adding an intelligent edge switch that possesses specialized authentication and authorization features. The Extreme Networks K-, S-, or N-Series switch is capable of authenticating and authorizing numerous end-systems connected on a single port through its Multi-User Authentication (MUA) functionality, and may be positioned upstream from non-intelligent edge devices to act as the intelligent edge on the network. In this configuration, the K-, S-, or N-Series switch acts as the intelligent edge switch on the network, although not physically located at the access edge.

For end-systems connected to EOS policy-enabled switches, a policy role is specified in NAC Manager (policy roles are defined and distributed to those switches on the Control > Policy tab) to authorize connecting end-systems with a particular level of network access. For end-systems connected to RFC 3580-compliant switches (Enterasys and third-party), a VLAN is specified in NAC Manager to authorize connecting end-systems with a particular level of network access, facilitated using dynamic VLAN assignment via Tunnel RADIUS attributes.

When a user or device attempts to connect to the network, the end-system is authenticated and assessed according to configurations defined in NAC Manager. NAC Manager uses the results of the authentication and assessment to determine if that device meets the requirements for a compliant end-system. If the results of the authentication and security assessment are positive, NAC Manager authorizes the end-system with network access by assigning a designated policy role or VLAN on the switch port to which the end-system is connected. If the result of the security assessment is negative, NAC will restrict network access by assigning the user or device to a Quarantine policy role or VLAN on the switch port until the end-system is remediated and brought into a compliant state. If the result of the authentication is negative, NAC can deny all network access for the endpoint as an invalid device or user on the network, setting the switch port to the unauthenticated state.

Depending on the engine model, the Access Control Gateway provides either on-board (integrated) vulnerability assessment server functionality and/or the ability to connect to external assessment services, to determine the security posture of end-systems connecting to the network. (On-board assessment requires a separate license.)

The number of NAC Gateways you deploy on the network depends on the number of end-systems on the network. The following table displays the number of end-systems supported per NAC Gateway model. Use this table to help determine the number of gateways to deploy.

Model	Number of End‑Systems Supported	Notes
IA‑A‑20	6000	Configured NAC Features: Authentication and OS/Device Fingerprinting, but no Registration or Assessment.
	4500	Configured NAC Features: All features excluding Assessment.
	3000	Configured NAC Features: All features including Assessment.
IA‑A‑300	12000	Configured NAC Features: Authentication and OS/Device Fingerprinting, but no Registration or Assessment.
	9000	Configured NAC Features: All features excluding Assessment.
	6000	Configured NAC Features: All features including Assessment.
IA‑V	See Notes	The IA-V is included with the Extreme Management Center Advanced (NMS-ADV) license and is used in conjunction with a NAC Enterprise license (IA-ES-12K). For more information, see NAC Enterprise Licensing.
NAC‑V‑20	3000	The NAC-V-20 is a virtual engine and requires a NAC VM license in the Management Center Server. For more information, see the Suite-Wide Tools Server Information Window Help topic section on NAC VM license.
NAC‑A‑20	3000
SNS‑TAG‑ITA	3000
SNS‑TAG‑HPA	3000
SNS‑TAG‑LPA	2000

It is important to configure NAC Gateway redundancy for each switch. This is achieved by configuring two different Access Control Gateway engines as a primary and secondary gateway for each switch. When connection to the primary gateway engine is lost, the secondary gateway is used. Note that this configuration supports redundancy but not load-sharing, as the secondary gateway engine is only used in the event that the primary gateway becomes unreachable. To achieve redundancy with load-sharing for two NAC Gateways, it is suggested that one half of the switches connecting to the gateways are configured with "NAC Gateway A" as the primary and "NAC Gateway B" as the secondary, and the second half are configured with "NAC Gateway B" as the primary and "NAC Gateway A" as the secondary. In this way, NAC Gateways are configured in redundant active-active operation on the network.

NAC VPN Deployment

Extreme Networks NAC provides out-of-band support for VPN remote access with specific VPN concentrators (see the Release Notes for a list of supported VPN concentrators). Out-of-band VPN support provides visibility into who and what is accessing the network over VPN. If RADIUS accounting is used, you will have the additional ability to determine who was on the network at any given time. In the VPN remote access use scenario, the VPN concentrator acts as a termination point for remote access VPN tunnels into the enterprise network. In addition, the Extreme Networks Access Control Gateway engine is deployed to authenticate and authorize connecting end-systems on the network and implement network access control.

The process begins when the user's end-system successfully establishes a VPN tunnel with the VPN concentrator, and the VPN concentrator sends a RADIUS authentication request with the associated credentials to the Access Control Gateway. The Access Control Gateway proxies the authentication request to a backend authentication server (RADIUS or LDAP) to validate the identity of the end user/device or can authenticate with a local password repository within NAC. If authentication fails, the NAC Gateway can deny the end-system access to the network by sending a RADIUS access reject message to the VPN concentrator.

After the end-system is authenticated, the NAC Gateway requests an assessment of the end-system, if assessment is configured. Once authentication and assessment are complete, the NAC Gateway allocates the appropriate access control to the end-system based on authentication and/or assessment results. Access control can be implemented using one of two methods. With the first method, access control is applied directly at the VPN concentrator via RADIUS response attributes, if the VPN concentrator supports this. For example, with a Cisco ASA security engine, this can be accomplished by using the filter-ID response attribute to specify the name of a valid ACL.

With the second method, an Extreme Networks K-Series, S-Series, or N-Series device is added between the VPN's internal port and the internal network as a Policy Enforcement Point (PEP). This allows the NAC Gateway to provide a more granular access control mechanism using IP to Policy Mappings. This method must be used if you are implementing remediation on your network. If the end-system fails assessment, the NAC Gateway can apply a Quarantine policy on the PEP to quarantine the end-system. When the quarantined end user opens a web browser to any web site, its traffic is dynamically redirected to a Remediation web page that provides steps for the user to execute in order to achieve compliance. After executing the steps, the end user can reattempt network access and start the process again.

NAC Manager Structure

The following diagram shows the structure of NAC Manager components. At the top is the Engine Group, which is a "virtual container" that includes the Access Control engines, the switches in the network, and the NAC configuration that will be utilized. Most NAC deployments will have only one engine group configured for the network. And in that case, the "engine group" is the All Access Control Engines folder in the left-panel tree. However, an example of a network that may require separate engine groups would be a network in which there are remote offices that wish to have completely different NAC functionality than the main branch. These remote offices would need to have their own Access Control engines in a separate group. In this case, the separate engine groups are listed in the left-panel tree.

NAC Configuration

The NAC Configuration lets you manage the end user connection experience and control network access based on a variety of criteria. NAC Manager comes with a default NAC Configuration which is automatically assigned to your Access Controlengines. You can use this default configuration as is, or make changes to the default configuration, if desired.

The NAC Configuration determines what NAC Profile will be assigned to an end-system connecting to the network. It contains an ordered list of rules that are used by the configuration to assign a NAC Profile to a connecting end-system based on rule criteria. It also specifies the Default Profile which serves as a "catch-all" profile for any end-system that doesn't match one of the rules. By default, all end-systems will match the Default Profile.

When an end-system connects to the network, the rules are evaluated in a top-down fashion, similar to the way an ACL would be evaluated. End-systems that do not match any of the rules are assigned the Default Profile.

Rule Components

The rules defined in a NAC Configuration provide very granular control over how end-systems are treated as they come onto the network. The following criteria can be used to define the rules used in your NAC Configuration:

• Authentication Type - for example, 802.1X or MAC authentication.
• End-System Groups - allow you to group together devices that have similar network access requirements or restrictions. For example, a list of MAC addresses, IP addresses, or hostnames.
• Device Type - allow you to group together end-systems based on their device type. The device type can be an operating system family, an operating system, or a hardware type, such as Windows, Windows 7, Debian 3.0, and HP Printers.
• Locations - allow you to specify network access requirements or restrictions based on the network location where the end user is connecting. For example, a list of switches, wireless devices, switch ports, or SSIDs.
• Time of Day - allow you to specify network access requirements or restrictions based on the day and time when the end user is accessing the network. For example, traditional work hours or weekend work hours.
• User Groups - allow you to group together end users having similar network access requirements or restrictions. For example, a list of usernames, an LDAP users group, or a RADIUS user group.

For more information, see the Manage Rule Groups window.

NAC Profiles

NAC Profiles specify the authorization and assessment requirements for the end-systems connecting to the network. Profiles also specify the security policies that will be applied to end-systems for network authorization, depending on authentication and assessment results.

NAC Manager comes with ten system-defined NAC Profiles:

• Administrator
• Allow
• Default
• Guest Access
• Notification
• Pass Through
• Quarantine
• Registration Denied Access
• Secure Guest Access
• Unregistered

If desired, you can edit these profiles or you can define your own profiles to use for your NAC Configurations. For more information, see the Manage NAC Profiles window.

AAA Configurations

The AAA Configuration defines the RADIUS servers, LDAP configurations, and Local Password Repository that provide the authentication and authorization services for all end-systems connecting to your Access Control engines. NAC Manager comes with a default Basic AAA Configuration that ships with each Access Control engine. You can use this default configuration as is, or make changes to the default configuration, if desired. For more information, see the Edit Basic AAA Configurations window.

Portal Configurations

If your network is implementing Registration or Assisted Remediation, the Portal Configuration defines the branding and behavior of the website used by the end user during the registration or remediation process. Access Control engines are shipped with a default Portal Configuration. You can use this default configuration as is, or make changes to the default configuration, if desired. For more information, see the Portal Configuration Help topic.

Access Policies

Access policies define the authorization level that the NAC assigns to a connecting end-system based on the end-system's authentication and/or assessment results. There are four access policies used in NAC Manager: Accept policy, Quarantine policy, Failsafe policy, and Assessment policy. In your NAC Profiles, these access policies define a set of network access services that determine exactly how an end-system's traffic is authorized on the network. How access policies are implemented depends on whether your network utilizes Access Control Controller engines and/or Access Control Gateway engines.

For end-systems connected to EOS policy-enabled switches, Access Control Gateway engines inform the switch to assign a policy role to a connecting end-system, as specified by the access policy. These policy roles must be defined on the Control > Policy tab and enforced to the EOS policy-enabled switches in your network.

For end-systems connected to RFC 3580-enabled switches, policy roles are associated to a VLAN ID. This allows your NAC Gateways to send a VLAN ID instead of a policy role to those switches using Tunnel RADIUS attributes.

For Access Control Controller engines, authorization of the end-system is implemented locally on the Access Control Controller engine by assigning a policy role to the end-system, as specified by the access policy. In this scenario, all policy roles must be defined in the Access Control Controller policy configuration.

Here is a description of each NAC Manager access policy, and some guidelines for creating corresponding policy roles in Policy Manager.

Accept Policy: The Accept access policy is applied to an end-system when it has been authorized locally by the NAC Gateway and when an end-system has passed an assessment (if an assessment was required), or if the Accept policy has been configured to replace the Filter-ID information returned in the RADIUS authentication messages. For EOS policy-enabled switches, a corresponding policy role (created in Policy Manager) would allocate the appropriate set of network resources for the end-system depending on their role in the enterprise. For example, you might associate the Accept policy in NAC Manager to the "Enterprise User" role that is defined in the on the Control > Policy tab demo.pmd file. For RFC 3580-compliant switches, the Accept access policy may be mapped to the Production VLAN. Access Control Controllers are shipped with a default policy configuration that includes an Enterprise User policy role.

Quarantine Policy: The Quarantine access policy is used to restrict network access to end-systems that have failed assessment. For EOS policy-enabled switches, a corresponding Quarantine policy role (created in Policy Manager) should deny all traffic by default while permitting access to only required network resources such as basic network services (e.g. ARP, DHCP, and DNS) and HTTP to redirect web traffic for Assisted Remediation. For RFC 3580-compliant switches, the Quarantine access policy may be mapped to the Quarantine VLAN. Access Control Controllers are shipped with a default policy configuration that includes a Quarantine policy role.

Failsafe Policy: The Failsafe access policy is applied to an end-system when it is in an Error connection state. An Error state results if the end-system's IP address could not be determined from its MAC address, or if there was an assessment error and an assessment of the end-system could not take place. For EOS policy-enabled switches, a corresponding policy role (created in Policy Manager) should allocate a nonrestrictive set of network resources to the connecting end-system so it can continue its connectivity on the network, even though an error occurred in the NAC Solution operation. For RFC 3580-compliant switches, the Failsafe access policy may be mapped to the Production VLAN. Access Control Controllers are shipped with a default policy configuration that includes a Failsafe policy role.

Assessment Policy: The Assessment access policy may be used to temporarily allocate a set of network resources to end-systems while they are being assessed. For EOS policy-enabled switches, a corresponding policy role (created in Policy Manager) should allocate the appropriate set of network resources needed by the Assessment server to successfully complete its end-system assessment, while restricting the end-system's access to the network.

Typically, the Assessment access policy allows access to basic network services (e.g. ARP, DHCP, and DNS), permits all IP communication to the Assessment servers so the assessment can be successfully completed (using destination IP address "Permit" classification rule), and HTTP to redirect web traffic for Assisted Remediation. For RFC 3580-compliant switches, the Assessment access policy may be mapped to the Quarantine VLAN. Access Control Controllers are shipped with a default policy configuration that includes an Assessing policy role.

It is not mandatory to assign the Assessment policy to a connecting end-system while it is being assessed. The policy role received from the RADIUS server or the Accept policy can be applied to the end-system, allowing the end-system immediate network access while the end-system assessment is occurring in the background. In this case, the policy role or Accept policy (or the associated VLAN for RFC 3580-compliant switches) must be configured to allow access to the appropriate network resources for communication with the Assessment servers.

	NOTE:	The Assessment server sends an ICMP Echo Request (a "ping") to the end-system before the server begins to test IP connectivity to the end-system. Therefore, the Assessment policy role, the router ACLs, and the end-system's personal firewall must allow this type of communication between end-systems and Assessment servers in order for the assessment to take place. If the Assessment server cannot verify IP connectivity, the Failsafe policy will be assigned to the end-system.

For more information, refer to the How to Set Up Access Policies Help topic.

Registration

The Extreme Networks NAC Solution provides support for Registration, a solution that forces any new end-system connected on the network to provide the user's identity in a web page form before being allowed access to the network, without requiring the intervention of network operations. This means that end users are automatically provisioned network access on demand without time-consuming and costly network infrastructure reconfigurations. In addition, IT operations has visibility into the end-systems and their associated users (e.g. guests, students, contractors, and employees) on the network without requiring the deployment of backend authentication and directory services to manage these users. This binding between user identity and machine is useful for auditing, compliance, accounting, and forensics purposes on the network.

End-system or user groups may be configured to exempt certain devices and users from having to register to the network, based on authentication type, MAC address, or user name. For example, a end-system group for the MAC OUI of the printer vendor for the network can be configured to exempt printers from having to register for network access.

The Registration solution has minimal impact on the end user's experience by initially redirecting guests, contractors, partners, students, or other pre-defined end users to a web page for registering their end-system when it is first connected to the network. After successful registration, the end-system is permitted access, and possibly assessed for security posture compliance checking, until the registration is administratively revoked.

Registration is supported on Access Control Gateway engines and/or Layer 2 Access Control Controller engines. (Registration is not supported on the Layer 3 Access Control Controller engines.) Registration provides flexibility in implementation by offering the following capabilities:

• Determine "valid" end users by prompting each end user for a username with additional information such as full name and e-mail address, or a username and password (e.g. e-mail address and student ID number) which can be validated against an existing database on the network.
• Allow end users to register to the network when approved by a "sponsor" who is an internal trusted user to the organization. This is referred to as "Sponsored Registration." With sponsored registration, end users are only allowed to register to the network when approved by a sponsor. Sponsorship can provide the end user with a higher level of access than just guest or web access and allows the sponsor to fine-tune the level of access for individual end users.
• Configure the introductory message for the Registration web page (displayed to end-systems before registering to the network) to state that the end user is agreeing to the Acceptable Use Policy for the network upon registering their device. 
• Specify the maximum number of registered MAC addresses per user.
• Control areas on the network where Registration is enabled.
• Provide a web-based administrative interface served over HTTPS where registrations may be viewed, manually added, deleted, and modified by administrators and sponsors without requiring access to NAC Manager.

The Extreme Networks NAC Solution utilizes a Registration Web Server installed on the Access Control engine to provide this registration functionality to end-systems. Note that an Access Control engine may implement both assisted remediation and registration concurrently.

There are specific network configuration steps that must be performed when using Registration in your NAC Solution. In addition, you must configure Registration in NAC Manager. For more information, see How to Set up Registration.

How Registration Works

Here is a description of how Registration works in the Extreme Networks NAC Solution:

• An unregistered end-system attempts to connect to the network and is assigned the unregistered access profile without being assessed by the Access Control engine. For example, if connected to a Layer 2 Access Control Controller, the end-system may be assigned to the "Unregistered" policy as defined in the Access Control Controller's default policy configuration. If connected to an EOS policy-enabled switch, the end-system may be assigned to the "Unregistered" policy as defined in on the Control > Policy tab and enforced to the policy-enabled switches. Or, if connected to an RFC 3580-compliant switch, the end-system may be assigned to the "Unregistered" VLAN.
• The user on the unregistered end-system opens up a web browser to any URL and is redirected to the Registration Web Page served by the Access Control engine.
• The end user registers its end-system on the network by entering information such as username, full name, e-mail, and possibly a password or sponsor's email address into the Registration Web Page, and clicking the "Complete Registration" button.
• The Registration Web Server assigns the end user to an end-system group based on the Registration Behavior configured in the NAC Configuration. 
• The end-system is then automatically re-authenticated to the network by the Access Controlengine. Upon re-authentication, the end-system is authenticated, assessed, and authorized as defined by the profile specified in the NAC Configuration for the newly registered system. If the profile specifies to assess the end-system, an assessment of the end-system will take place at this time.

Assessment

The Extreme Networks NAC Solution integrates with assessment services to determine the security posture of end-systems connecting to the network. It uses assessment servers to assess and audit connecting end-systems and provide details about an end-system's patch levels, running processes, anti-virus definitions, device type, operating system, and other information critical in determining an end-system's security compliance. End-systems that fail assessment can be dynamically quarantined with restrictive network access to prevent security threats from entering the network.

When an assessment is performed on an end-system, a Health Result is generated. For each health result, there may be several Health Result Details. A health result detail is a result for an individual test performed during the assessment. Each health result detail is given a score ranging from 1 to 10, and based on this score, the health result is assigned a risk level. NAC Manager uses this risk level to determine whether or not the end-system will be quarantined.

In addition, assessment tests are assigned a scoring mode which determines whether the resulting health result detail is applied towards the quarantine decision, or is used only for informational or warning purposes. Informational health result details can be used to gather information about the security risks on your network, while warning health result details allow you to notify end users when they have security risks that should be remediated. Informational or warning health result details have scores, however these health result details do not impact the end-system's overall risk level.

NAC Manager lets you create multiple assessment configurations that can define different assessment requirements for end-systems. Assessment configurations define the following information:

• What assessment tests to run (determined by the selected test sets).
• What resources to use to run the tests (determined by the selected Assessment Resources).
• How to score assessment results (determined by the selected Risk Level and Scoring Override configurations).

Test sets let you define what type of assessment to execute, what parameters to pass to the assessment server, and which assessment server resources to use. NAC Manager provides three default test sets; one for each type of assessment agent that is either supplied or supported by NAC Manager. You can use these default test sets "as is" or edit them, if desired.

When you define your assessment server resources for a test set, you can specify to balance the assessment load between your all your assessment servers, or, you can specify an assessment server pool. For example, if you have four Nessus assessment servers, you can put server A and server B in server pool 1, and server C and server D in server pool 2. Then, in your test set configuration you can specify which server pool that test set should use.

You can use risk level and scoring override configurations to define how each assessment configuration will interpret an end-system's health results. The risk level configuration determines what risk level will be assigned to an end-system (high, medium, or low) based on the end-system's health result details score. The scoring override configuration lets you override the default score and scoring mode assigned to a particular assessment test ID.

Once you have defined your assessment configurations, they are available for selection when creating your NAC Profiles. In addition, NAC Manager provides a default assessment configuration that is already set up with default assessment parameters and is ready to use in your NAC Profiles.

Before beginning to configure assessment on your network, you should read through the following information presented in the NAC Manager online Help.

• How to Set up Assessment - Provides information on the steps that must be performed in NAC Manager prior to deploying assessment on your network, including managing your assessment servers and adding external assessment servers. It also includes basic information on how to use the default assessment configurations provided by NAC Manager, and enable assessment for your NAC Configuration.
• NAC Assessment Phased Deployment Guide - This guide describes the phased approach to introducing assessment into your NAC deployment using Informational, Warning, and Quarantine assessment. The guide also provides information on NAC Manager tools that can be used to monitor and evaluate assessment results, and diagnose and troubleshoot problems.
• How to Configure Assessment - Provides step-by-step instructions for configuring assessment using the phased approach described in the NAC Assessment Phased Deployment Guide. Instructions are provided for configuring phased assessment using agent-less or agent-based assessment, or a combination of both.
• How to Deploy Agent-Based Assessment - If you are deploying agent-based assessment, this Help topic provides the configuration steps specific to deploying agent-based assessment in a Windows and Mac network environment. It includes instructions for configuring agent deployment and provides information about the agent icon and notification messages that appear on the end-user's system. It also includes instructions on performing a managed deployment or installation of the agent.
• How to Set Up Assessment Remediation - Because Warning and Quarantine assessment provides end-system remediation, you must enable remediation for your NAC Configuration. This Help topic provides the specific steps that must be performed when setting up assisted remediation in your network.

Assessment Remediation

Remediation is a process that informs end users when their end-systems have been quarantined due to network security policy non-compliance, and allows end users to safely remediate their non-compliant end-systems without assistance from IT operations. The process takes place when an end-system connects to the network and assessment is performed. End users whose systems fail assessment are notified that their systems have been quarantined, and are instructed in how to perform self-service remediation specific to the detected compliance violation. Once the remediation steps have been successfully performed and the end-system is compliant with network security policy, the appropriate network resources are allocated to the end-system, again without the intervention of IT operations.

The Extreme Networks NAC Solution implements local Remediation Web Server functionality to provide web notification to end users indicating when their end-systems are quarantined and what remediation steps the end user must take. The Remediation Web Server is installed on the Access Controlengine.

There are specific network configuration steps that must be performed when using assisted remediation in your NAC Solution. In addition, you must configure assisted remediation in NAC Manager. For more information, see How to Set up Assessment Remediation and Portal Configuration Help topics.

How Remediation Works

Here is a description of how assisted remediation works in the Extreme Networks NAC Solution:

• An end-system connects to the network (where assessment has been configured) and is authorized with the level of network access defined by the Assessment access policy configuration.
• The end-system is assessed by the assessment server for security threats and vulnerabilities.
• When the end-system opens a web browser to any web site, the HTTP traffic is redirected to the Access Control engine and a web page indicating that the end-system is currently being assessed is displayed.
• When the assessment is complete, the assessment server sends the results to the Access Control engine. If the end-system failed assessment, the end-system is authorized with the level of network access defined by the Quarantine access policy configuration.
• When the quarantined end user opens a web browser to any web site, its traffic is dynamically redirected to the Access Controlengine.
• The Access Control engine returns a web page formatted with self-service remediation information for the quarantined end-system. This web page indicates the reasons the end-system was quarantined and the remediation steps the end user must take.
• After taking the appropriate remediation steps, the end-user clicks a button on the web page and attempts to reconnect to the network. A re-assessment of the end-system is initiated. If the end-system is now compliant with network security policy, the Access Control engine authorizes the end-system with the appropriate access policy. If the end-system is not compliant, the Quarantine access policy is again utilized to restrict the authorization level of the end-system and the process starts again.
• After a specified number of attempts and/or maximum time to remediate have expired, the end user may be redirected to a web page requiring them to contact the helpdesk for further assistance, and a notification is sent to the helpdesk system with information regarding the non-compliant end-system.

End-System Zones

NAC Manager end-system zones allow you to group end-systems into zones, and then limit a user’s access to Management Center end-system information and configuration based on those zones.

End-system zones are configured and managed in NAC Manager, and are enforced for Management Center end-system information and configuration.

When an end-system authenticates to the network, NAC rules are used to assign a NAC profile and an end-system zone to the end-system. This allows you to use a variety of rule components (such as End-System Groups, Location Groups, and User Groups) to determine which zone an end-system should be assigned to.

You can create any number of end-system zones in your network. An end-system can only be assigned to one zone (but does not have to be assigned to a zone). You can view which zone an end-system is currently assigned to in the end-systems table in NAC Manager and Management Center.

A user's authorized zones are determined by their Management Center user group membership. User groups are created and configured in the Authorization/Device Access Tool (accessed from the Tool menu), and authorized zones are assigned to each user group in NAC Manager. For instructions, see How to Configure End-System Zones.

In addition to using end-system zones, you can also limit a user’s access to Management Center operations by assigning authorized rule groups. Whenever a user initiates a change to a rule group, such as adding or removing an end-system to or from a group, a check is performed to verify that the user is authorized to change that rule group. Similar to end-system zones, a user's authorized rule groups are determined by their Management Center user group membership.

A third component that should be taken into consideration is the ability to limit user access to Management Center using authorization group capabilities. For example, you can assign a user group the OneView (Management Center) End-Systems Read Access capability to allow read-only access to Management Center end-system information, and use end-system zones to limit which end-systems can be viewed. You can assign a user group the OneView (Management Center) End-Systems Read/Write Access capability to allow the ability to modify rule groups, and use rule group authorization to limit which rule groups the user can perform these operations on.

Capabilities are assigned to user groups using the Authorization/Device Access Tool. The Management Center Administrator group is always assigned all capabilities.

For more information, see How to Configure User Access to Extreme Management Center Applications and Authorization Group Capabilities in the Suite-Wide Tools Help.

End-System Zone Use Cases

Here are several network scenarios where using end-system zones could be beneficial.

• A Service Provider with multiple tenants. If a service provider serves multiple tenants and each tenant has a clearly delineated set of switches, user access can be configured to allow each tenant's IT staff to only view the end-systems connecting to their own switches.
• A large enterprise with network administrator groups. In a large enterprise where specific groups of network administrators are responsible for specific groups of switches on shared engines, user access can be configured so that each administrator can view reports and other information only for their switches and end-systems.
• A large business segmented by business function. In a large enterprise where division of control is not closely tied to switches or engines, user access can be configured so that administrators only have the ability to view and manage the appropriate end user groups.

In each of these scenarios, a restricted set of authorization group capabilities must be used to prevent users from viewing and accessing information that may not pertain to their area.

Enforcing

In NAC Manager, enforcing means writing NAC configuration information to one or more Access Control engines. Any time you add or make a change to the NAC Configuration, the engines need to be informed of the change through an enforce, otherwise the changes will not take effect. When an engine needs to be enforced, the Enforce icon   appears on that engine in the left-panel tree.

To enforce, use the Enforce All button in the toolbar   or the Tools >  Enforce All menu option, both of which write the information to all the Access Controlengines. You can enforce to an individual engine or engine group by right-clicking the engine or group in the left panel and choosing Enforce or Enforce Group from the menu.

TIP:

For a preview of what will be enforced/updated on an individual engine, right-click the engine and choose Enforce Preview from the menu.

The enforce operation is performed in two stages: first an engine configuration audit is performed and then the actual enforce to engines is performed.

The configuration audit takes place automatically after you start the enforce operation. It looks for a wide-range of engine configuration problems including a review of the NAC Configuration, NAC Profile, rule configuration, AAA configuration, and portal configuration. The audit results are displayed in the Enforce window, allowing you to view any warning and error information. To see warning or error details, use the + icon in the left column to expand the Details information (as shown below) or click Show Details to open the information in a new window.

If you choose to correct any problems at this point, you must close the Audit Results window. When you have made your changes, click the Enforce All button to start the enforce operation and perform a new audit.

From the Enforce window, you can click the Enforce All button to enforce all engines, or use the checkboxes in the Select column to select some of the engines to enforce and click the Enforce button. In order for the enforce operation to be carried out, none of the selected engines can have an error associated with it. Even if one of the selected engine has passed the audit, it will not be enforced if other selected engines have errors.

If none of the selected engines have errors, but a selected engine has a warning associated with it, you will be given the option to acknowledge the warning and proceed with the enforce anyway. Once you acknowledge the warning and click OK, the enforce will be performed.

TIP:

If there are warning messages that are regularly displayed during Enforce engine audits, you can use the Enforce Warning Settings (Tools > Options) to specify that these messages should be ignored and not be displayed.

The Enforce window will display the enforce operation status, as shown below.

Advanced Enforce Options

In the Enforce window, there are two Advanced enforce options available. The two options can be used for the following situations:

• Force Reconfiguration for All Switches - This option can be used if the switch RADIUS settings were manually changed via CLI or Policy Manager. Since NAC does not reconfigure the switches every time there is an enforce, selecting this option forces reconfiguration of  RADIUS settings on all switches to ensure they are configured correctly.
• Force Reconfiguration for Captive Portal - During an enforce, captive portal settings are not enforced unless they have changed. You can use this option to force reconfiguration of the portal to ensure the state of the captive portal processes.

MAC Locking

MAC Locking lets you lock a MAC address to a specific switch or port on a switch so that the end-system can only access the network from that port or switch. If the end-system tries to authenticate on a different port or switch, it will be rejected or assigned a specific policy based on an action that you specify when you create the MAC Lock. You can view all your locked MAC addresses in the MAC Locking pane of the Advance Configuration tool, and access the Add MAC Lock window to set up your MAC Locks.

	NOTE:	MAC Locking to a specific port on a switch is based on the port interface name (e.g. fe.5.1). If a switch board is moved to a different slot in a chassis, or if a stack reorders itself, this name will change and break the MAC Locking settings.

Here are some examples of ways to use MAC Locking:

• A university might lock end-users on a specific floor in a dormitory to a switch that services that floor.
• A printer, server, or other end-system could be allowed network access only when it is connected to a port specified by IT operations. This prevents security issues that could result if the device was moved to a different area of the network.
• A company could lock an IP phone to a specific port on a switch. This would allow exact identification of the phone's location in case an emergency (911) call was placed from the phone.

	NOTE:	For Access Control Controller Engines. -- On Layer 3 Access Control Controllers, you should not use MAC Locking to lock a MAC address to the Access Control Controller PEP IP address and a port on the PEP. You can however, lock a MAC address to the PEP IP and not the port, which would restrict movement of the MAC address away from the Layer 3 Access Control Controller. -- On Layer 2 Access Control Controllers, a MAC address can be locked to the Access Control Controller PEP IP address and port, or just the PEP IP address, but this will only control the movement of the end-system between the downstream ports on the PEP (IP address and port) and not the actual edge of the network. -- On Layer 3 Access Control Controllers, there may be cases where NAC Manager cannot determine the MAC address of the connecting end-system (for example, DHCP is disabled and a firewall is enabled on the end-system, or the end-system is connecting through a VPN), and the MAC address for the end-system is displayed as "Unknown." In these cases, the MAC Locking feature is not supported.

Notifications

Notifications provide the ability for NAC Manager to notify administrators or helpdesk personnel of important information through email, Trap, or Syslog messages. These notifications help administrators understand what is going on in their NAC system on a real-time basis. For example, NAC Manager could be configured to send a notification when a new end-system is learned on the network, when a MAC lock is violated, or when a new MAC address is registered on the network. For more information, see the Manage Notifications window.

Automated Security Manager Blacklist

Extreme Management Center Automated Security Manager (ASM) can be configured to notify NAC Manager in response to a real-time security threat from an end-system on the network. NAC Manager automatically adds the end-system's MAC address to the Blacklist end-system group, effectively putting the end-system in quarantine and preventing the end-system from accessing the network from any location. If ASM notifies NAC Manager that the security threat is no longer present, then NAC Manager removes the end-system from the Blacklist group and the end-system is dynamically re-authenticated to the network. Use ASM's Create/Edit Rule window (accessed from the Rule Definition view of the Automated Security Manager Configuration window) to configure the "Notify NAC" action.

You can view ASM blacklists under the End-System Group folder in the Advanced Configuration view, by selecting Tools > Management and Configuration > Advanced Configurations from the menu bar. In the left-panel tree, expand the Rule Components folder and the End-System Group folder, and click on Blacklist. An ASM blacklist entry will have a description of "ASM." In addition, NAC Manager generates a health result for the end-system when it is blacklisted by ASM. In the Health Result Summaries table, the health result reason states "ASM Denied" and lists the Sender ID, Signature, and Sender Name. In the Health Result Details table, one health result detail is generated with a Test Case ID of 200001, and a risk level of HIGH with a score of 10. All ASM Blacklist health result details will use the same Test Case ID of 200001.

Mobile IAM

Extreme Networks Mobile IAM (Identity and Access Management) is a comprehensive BYOD solution that provides total security, full IT control, and predictable network experience for all users. Mobile IAM provides the controls required to grant network access to BYOD devices, with the same fine-grained security controls that are applied to wired and wireless IT managed devices.

The Mobile IAM solution provides complete software for:

• identification all of the devices connected to their network
• access and inventory management
• context-based policy enforcement
• end-to-end management from a single, easy-to-use management application
• auditing and reporting

The Mobile IAM solution is delivered through an Access Control gateway engine and NetSight version 4.3, and configured in NAC Manager. The engine is available as a physical or virtual engine to best meet your deployment needs. The solution can also include installation and integration services that are sold separately.

Contact your Extreme Networks sales representative for more information about Mobile IAM.