Enterprise architecture: example
Introduction
The following is an example of integrating 'FreeNAC enterprise' into a live environment.

NAC Modules
This section defines what modules are planned for this installation. Note that modules can always be enabled at a future date; there is no additional license fee.
Enterprise modules planned for this installation (example):
1. MAC Address authentication
2. Windows GUI
3. Web Interface
4. Active Directory querying of user details, to be able to associate users with end devices.
5. Automatic detection and inventory of end-devices not actively managed by NAC, to ensure a complete inventory of End-Devices on the network
6. Scanning of open ports and identification of the Operating System on End Devices
7. Emergency ‘stop’ tool which can disable NAC and quickly configure static Vlans on switch ports (for disaster recovery in extreme situations)
Enterprise modules not planned for this installation:
8. 802.1x User Authentication
9. McAfee Epo Anti-Virus server queries
10. Microsoft SMS (Software package/system management) server queries
11. Microsoft WSUS (Windows Update) server queries.
Custom Modules
Are any custom modules planned? NAC is designed to allow open interfaces; however, such interfaces need to be specified in detail and are subject to an additional development/installation charge.
Example: a "static inventory program" called XXXX already exists at the customer. A read-only interface is to be created between NAC and this system that allows:
- NAC to query device ownership and display it in the GUI
- The static inventory system to query device location, IP address and operating system by hostname or MAC address. An SQL view with the appropriate fields, accessible with a dedicated user/password, is to be created on the NAC side.
Concept
Describe the aim of the installation, e.g.
1. Recognise all end devices that connect to the network and identify them by their MAC address. The switch access ports will be configured as dynamic (VMPS) ports, and the NAC system will:
o Listen to incoming requests from the switches
o Send email alerts if new end devices are detected
o Dynamically assign a Virtual LAN (VLAN) to the access ports of the following switches, based on the MAC address of the end device: (list the switch names)
2. VLAN assignment will be based on the MAC address. The assigned VLANs will be as follows (define the key VLAN names and assignments; example):
o Normal access VLAN for corporate end-user PCs
o Guest VLAN for visitors. This VLAN will have limited network access. Or are all 'unknowns' to be denied instead?
o Ad-hoc VLANs for specific devices (printers, ...)
3. Is 802.1x authentication of users required?
If so, in which domain, for which switches and ports, and what is the expected use case?
e.g. 802.1x is expected to be used with Windows XP clients logging on to the domain, with VLAN assignment still based on the MAC address of the end device.
4. End devices will be documented in the NAC database:
o Through an initial import?
o Through dynamic discovery when new devices connect?
o Through regular SNMP scans of the switches and routers to discover devices not managed by NAC?
o Information to be automatically documented per device (example): MAC address, IP address, hostname, operating system, open ports, anti-virus status, Windows patch status.
o Information to be documented per device from Active Directory (example): assigned username.
Requirements
This section outlines the information, connectivity and hardware that are to be provided by the customer.
Network Information
Network data that is required for NAC:
1. Switches, including their IP addresses and SNMP read-only and read-write communities. Treat the communities as credentials: hand them over securely, and restrict them on the switches to the NAC servers' addresses.
2. A list of the switch ports to be configured to use NAC.
3. Core routers, including their IP addresses and SNMP read-only community.
4. VLANs, including their ID and Name as reported by the switches "show vlan" command
5. A network diagram showing vlans, switches, routers.
6. DNS server names, IP addresses and the domain name.
7. The proposed IP configuration of the NAC servers: IP address, net mask, default gateway, DNS name.
8. Email server name/IP, for the delivery of email alerts.
9. Which email address, per switch, are alerts to be sent to?
10. Which Active Directory user groups (exact names please) are to be allowed GUI access, per role:
• Read-only
• Super-user
• Administrator.
Optional network data that would be useful: Cabling documentation: which switch/port leads to which office/user/PC.
Server Hardware / OS
1. How many servers are to be installed, and where?
2. Is the PC server hardware to be supplied by the customer or by Swisscom?
3. What is the hardware specification of the servers?
4. Is the operating system to be installed SUSE Linux 10 (Enterprise or openSUSE), or something else?
5. Who installs the OS?
o Swisscom?
o The customer? Note that Swisscom does not normally install the operating system, but maintains the NAC system and the associated Linux services (Apache, MySQL, ...) on these servers.
Network Connectivity
For the deployment of NAC, the following connectivity is required:
1. Switches:
o Switches must be able to send VMPS requests to, and receive answers from, the NAC master and slave servers (UDP port 1589).
o The management interface must be reachable from the NAC master via SNMP (UDP port 161) and, for the disaster recovery scripts, optionally via Telnet (TCP port 23) or SSH (TCP port 22). SSH is preferred: Telnet sends the switch login credentials in clear text.
2. Depending on the NAC modules requested by the customer (see "NAC Modules" above), specific backend systems must allow access from NAC, for example:
o The McAfee ePO database (name, IP address, username and password) must answer read-only MS-SQL queries from NAC.
o The WSUS database (name, IP address, username and password) must answer read-only MS-SQL queries from NAC.
o The MS-SMS database (name, IP address, username and password) must answer read-only MS-SQL queries from NAC.
o Static inventory modules, if requested, require a dedicated interface.
o MS Active Directory (needed for 802.1x and for syncing user details from Active Directory) requires the domain name and the domain controller names. For syncing user details, a username and password with sufficient AD rights and one or more DNs (Distinguished Names) of the containers to synchronise are needed.
o The Windows GUI must be able to connect to port 3306 (MySQL) on the NAC master server. Restrict this port to the administrator workstations that run the GUI; it should not be reachable from the whole network.
o To access the Web GUI, access is required to ports 80 and 443 on the NAC master server.
3. Routers: the management interface must be reachable via SNMP from the NAC master.
4. General
o DNS servers must answer DNS requests (UDP port 53) from the NAC servers.
o Email servers must accept emails from the NAC servers (TCP port 25).
5. Remote access for Swisscom (Gold) support:
o During installation, and for updates later, the NAC servers need HTTP/FTP access to the Internet (direct or via a proxy).
o SSH, IPsec or SSL VPN access from Swisscom Innovations to the server(s) for maintenance and support.
Initial Data import
During an 'initialisation period', NAC can be configured to automatically allow all devices into a default VLAN and to automatically document the MAC address, IP address and DNS name of the devices found (and the switch/port they are connected to).
If the customer has an exact inventory of machines, it can be imported into NAC. The data provided to Swisscom to initiate the setup must include:
• MAC Address: format is 0010.C61F.8DBF or 00:10:C6:1F:8D:BF (case insensitive)
• Hostname
• VLAN: this can be any descriptor (Lab XXX, company name, network acronym, ...)
It may also, ideally, contain:
• Username
• Operating system, incl. patch level
• Classification (e.g. Server, Workstation, Printer)
• A static Inventory number
• A comment
The format is a comma-separated value (CSV) text file.
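As an added example (not FreeNAC's own import code), the following Python script validates such a CSV file before it is handed over for import: it accepts exactly the two documented MAC formats (dotted and colon-separated, case-insensitive) and normalises them to one canonical form, checks that the three mandatory fields are present, and rejects rows whose MAC is a multicast/broadcast address or a duplicate of an earlier row. The column names in the header, the sample rows and the assumption that rejected rows are reported rather than silently dropped are this example's own.

```python
import csv
import io
import re

# Columns of the import CSV. The page lists the fields; the exact column
# names used here are an assumption for this example.
REQUIRED = ("mac", "hostname", "vlan")
OPTIONAL = ("username", "os", "classification", "inventory", "comment")

_DOTTED = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")
_COLONS = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalise_mac(raw):
    """Accept the two documented formats, 0010.C61F.8DBF or
    00:10:C6:1F:8D:BF (any case), and return 00:10:c6:1f:8d:bf.
    Anything else (e.g. 00-10-C6-1F-8D-BF) is rejected rather than guessed."""
    s = raw.strip().lower()
    if _DOTTED.match(s):
        digits = s.replace(".", "")
    elif _COLONS.match(s):
        digits = s.replace(":", "")
    else:
        raise ValueError("unrecognised MAC format: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_unicast(mac):
    """Bit 0 of the first octet set marks a group (multicast/broadcast)
    address; such a MAC can never identify an end device."""
    return int(mac[:2], 16) & 0x01 == 0


def parse_inventory(text):
    """Return (devices, errors). devices: list of dicts with the canonical
    MAC and the remaining columns; errors: one line per rejected row, so the
    customer can fix the file before it is imported."""
    reader = csv.DictReader(io.StringIO(text))
    devices, errors, seen = [], [], {}
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        cells = {k.strip().lower(): (v or "").strip()
                 for k, v in row.items() if k}
        try:
            mac = normalise_mac(cells.get("mac", ""))
        except ValueError as exc:
            errors.append("line %d: %s" % (lineno, exc))
            continue
        if not is_unicast(mac):
            errors.append("line %d: %s is a multicast/broadcast address"
                          % (lineno, mac))
            continue
        if mac in seen:
            errors.append("line %d: duplicate MAC %s (first seen on line %d)"
                          % (lineno, mac, seen[mac]))
            continue
        missing = [f for f in REQUIRED if not cells.get(f)]
        if missing:
            errors.append("line %d: missing %s" % (lineno, ", ".join(missing)))
            continue
        seen[mac] = lineno
        device = {"mac": mac}
        for f in REQUIRED[1:] + OPTIONAL:
            device[f] = cells.get(f, "")
        devices.append(device)
    return devices, errors


# Constructed sample file for this example, not customer data. Rows 4 to 7
# each exercise one rejection: wrong MAC format, duplicate, multicast, and
# a missing mandatory hostname.
SAMPLE_CSV = """mac,hostname,vlan,username,os,classification,inventory,comment
0010.C61F.8DBF,pc-0123,Corporate,jsmith,Windows XP SP2,Workstation,INV-4711,
00:0c:29:AB:cd:EF,printer-lab2,Printers,,Embedded,Printer,INV-0042,2nd floor
00-1A-2B-3C-4D-5E,pc-0124,Corporate,,,,,
00:10:C6:1F:8D:BF,pc-0123-dup,Corporate,,,,,
01:00:5E:00:00:FB,bogus,Guest,,,,,
00:50:56:12:34:56,,Corporate,,,,,
"""

if __name__ == "__main__":
    devs, errs = parse_inventory(SAMPLE_CSV)
    for d in devs:
        print("OK   ", d["mac"], d["hostname"], d["vlan"])
    for e in errs:
        print("ERROR", e)
```

Run on the constructed sample, two rows are accepted and four are reported; normalising to one MAC form before import is what makes the duplicate on line 5 detectable, since the same address was written in both documented formats.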
Hubs and unmanaged switches
If more LAN access cables are needed in specific rooms, two alternatives to hubs exist:
• Pull more cables between the room and the existing switch
• Add a small managed switch in the room: the Cisco 2940-8TT is recommended as it is a smaller, fanless (noiseless) version of the Cisco 2950 switch.
However, NAC also offers optional support for hubs and unmanaged switches.
Are hubs or unmanaged switches to be used? If yes, please indicate where, and be aware of the limitations noted below:
1. If multiple systems belonging to VLANs with the same security level use the same hub, they will be allowed access.
2. If the systems belong to VLANs with different security levels, access will be blocked for the most recent or least numerous group.
Typically, the hub will be connected to an internal VLAN if all connected systems belong to the customer, or to a guest VLAN if all connected computers are visitors'. If there is a mix of customer and visitor devices, there will be no access at all.
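As an added illustration of the VLAN assignment rules described in the Concept section and the hub limitations above (example code, not FreeNAC's own VMPS logic), the following Python model answers "which VLAN does this port get?" for a single device and for a port behind a hub. The MAC-to-VLAN table, the numeric security levels per VLAN and the two selectable behaviours for mixed security levels (block the whole port, as in the last paragraph, or keep the majority group, as in point 2) are this example's own assumptions.

```python
from collections import Counter, namedtuple

# Constructed MAC -> VLAN table (canonical lower-case MACs), not a real site.
MAC_VLAN = {
    "00:10:c6:1f:8d:bf": "Corporate",
    "00:50:56:12:34:56": "Corporate",
    "00:0c:29:ab:cd:ef": "Printers",
    "00:1a:2b:3c:4d:5e": "Guest",
}

# Assumed security level per VLAN: Corporate and Printers are both internal
# (same level), Guest is lower. The levels are this example's convention.
VLAN_LEVEL = {"Corporate": 2, "Printers": 2, "Guest": 1}

DENY = "DENY"
Decision = namedtuple("Decision", "vlan reason")


def vlan_for_mac(mac, table=MAC_VLAN, unknown_vlan="Guest"):
    """Single device on a dynamic port: its VLAN from the table; an unknown
    device is parked in unknown_vlan, or denied when unknown_vlan is None
    (the 'deny all unknowns' option from the Concept section)."""
    vlan = table.get(mac.strip().lower())
    if vlan is not None:
        return Decision(vlan, "known device")
    if unknown_vlan is None:
        return Decision(DENY, "unknown device, unknowns are denied")
    return Decision(unknown_vlan, "unknown device, parked in %s" % unknown_vlan)


def vlan_for_port(macs, table=MAC_VLAN, unknown_vlan="Guest", mixed="deny_all"):
    """Port behind a hub or unmanaged switch: every MAC seen on the port
    shares the one VLAN the port is put in, so the decision is made for the
    group as a whole:
      - all devices map to the same VLAN: that VLAN
      - different VLANs with the same security level: the majority VLAN
      - different security levels: mixed="deny_all" blocks the whole port,
        mixed="majority" keeps the largest group and blocks the rest
    """
    if not macs:
        return Decision(DENY, "no MAC seen on port")
    decisions = [vlan_for_mac(m, table, unknown_vlan) for m in macs]
    if any(d.vlan == DENY for d in decisions):
        return Decision(DENY, "at least one device on the port is denied")
    counts = Counter(d.vlan for d in decisions)
    if len(counts) == 1:
        return Decision(next(iter(counts)), "all devices in one VLAN")
    majority = counts.most_common(1)[0][0]
    levels = {VLAN_LEVEL.get(v, 0) for v in counts}  # unlisted VLAN = lowest
    if len(levels) == 1:
        return Decision(majority, "same security level, majority VLAN")
    if mixed == "majority":
        return Decision(majority, "mixed security levels, minority group blocked")
    return Decision(DENY, "mixed security levels, whole port blocked")


if __name__ == "__main__":
    corp, printer, guest = "00:10:c6:1f:8d:bf", "00:0c:29:ab:cd:ef", "00:1a:2b:3c:4d:5e"
    for port in ([corp], [corp, printer], [corp, guest], ["00:de:ad:be:ef:00"]):
        print(port, "->", vlan_for_port(port))
```

With the default settings a hub carrying one corporate PC and one visitor's laptop gets no access at all, and because an unknown device lands in the guest VLAN, plugging an undocumented device into a hub of corporate PCs has the same effect; that is the practical consequence of the limitations above and the reason a small managed switch is the recommended alternative.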