Service for the assessing role -27 – Enterasys Networks 9034385 User Manual

Out-of-Band NAC Design Procedures
Enterasys NAC Design Guide 5-27
Figure 5-7 Service for the Assessing Role
Note that it is not mandatory to assign the Assessment Policy to a connecting end-system while it is being assessed. NAC can be configured to assign the policy role received from the RADIUS server or the Accept Policy to the end-system while it is being assessed. In this way, the end-system can be granted immediate network access without mandating that the end user wait for assessment to be complete before full network resource allocation is granted. If NAC is configured to return the policy role received from the RADIUS server, it is necessary that the enterprise's business-specific policy roles are configured to allow access to the appropriate network resources for communication with the assessment servers during assessment. This can be implemented by associating the Assessing service shown in Figure 5-7 to all business-specific policy roles in the NetSight Policy Manager configuration.
Quarantine Policy
The Quarantine Policy is used to restrict network access to end-systems that have failed assessment. For Enterasys policy-enabled switches, a corresponding Quarantine policy role (created in Policy Manager) should deny all traffic by default while permitting access to only required network resources such as basic network services (ARP, DHCP, and DNS).

If the NAC deployment implements remediation, the services associated to the Quarantine Policy must be configured to allow all HTTP traffic onto the network, in addition to other basic IP services such as ARP, DNS, and DHCP as shown in
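A minimal first-match model of the two roles described above (the business-specific roles carrying the Assessing service, and the Quarantine role with and without remediation), added here as an illustration; it is not Enterasys or NetSight Policy Manager code, and the assessment-server addresses and the port 443 used for the reachability check are assumed placeholders.

```python
# Added illustration, not Enterasys or NetSight Policy Manager code: a first-match
# model of a policy role. A flow is (proto, dst_port, dst_ip); a rule is
# (action, proto, dst_port, dst_ip), where None in a rule field means "any".

def rule_matches(rule, flow):
    _, proto, port, ip = rule
    return (proto == flow[0]
            and (port is None or port == flow[1])
            and (ip is None or ip == flow[2]))

def evaluate(role, flow):
    """Return 'permit' or 'deny': first matching rule wins, else the role default."""
    for rule in role["rules"]:
        if rule_matches(rule, flow):
            return rule[0]
    return role["default"]

# Basic services the page keeps open in every role: ARP, DHCP (UDP 67/68) and DNS (53).
BASIC_SERVICES = [
    ("permit", "arp", None, None),
    ("permit", "udp", 67, None), ("permit", "udp", 68, None),
    ("permit", "udp", 53, None), ("permit", "tcp", 53, None),
]

def quarantine_role(remediation):
    """Quarantine role: deny by default, basic services only; HTTP only when remediation is used."""
    rules = list(BASIC_SERVICES)
    if remediation:
        rules.append(("permit", "tcp", 80, None))
    return {"name": "Quarantine", "rules": rules, "default": "deny"}

def assessing_service(assessment_servers):
    """The Assessing service: permit TCP and UDP to each assessment server (addresses are assumed)."""
    return [("permit", p, None, ip) for ip in assessment_servers for p in ("tcp", "udp")]

def business_role(name, assessment_servers):
    """A business-specific role with the Assessing service attached (other business rules omitted)."""
    return {"name": name, "rules": BASIC_SERVICES + assessing_service(assessment_servers),
            "default": "deny"}

def roles_missing_assessment_access(roles, assessment_servers, port=443):
    """Names of roles that would block an end-system from reaching an assessment server
    while it is being assessed (port 443 is an assumed placeholder)."""
    return [r["name"] for r in roles
            if any(evaluate(r, ("tcp", port, ip)) != "permit" for ip in assessment_servers)]
```

Running `roles_missing_assessment_access` over every role that NAC may return during assessment is the configuration check the paragraph on the Assessing service calls for.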