NAC Zones - design question

Userlevel 2

I want to set up NAC Zones, with locations/switches being the selector. I have about 20 locations to reflect in Zones, and about 20 different end-system classifications across all locations. Because the Zones are applied by NAC rules only, this would result in a very questionable number of NAC rules. Is there any other way to use zones just by switch location?

13 replies

Userlevel 4
Hi,

I hope the steps below help you to configure zones.

Userlevel 2
This article is about wireless zones. I'm referring to end-system zones in NAC, for standard wired devices. My problem is just the number of NAC rules needed.
The goal is to use these zones to make only specific end-systems visible to the administrator of a location.
Userlevel 2
This should not be a big problem. I currently have about 900 rule matrix entries in my customer's NAC. We also use zones there for the same reason. But zones do NOT expand your rule matrix; you have to add the zone to the users and groups AND to the rule matrix entries. Users are only viewable there (in OneView) AFTER they are authenticated through a rule matrix entry with a zone fitted. No panic about a bigger count of rules in the rule matrix 🙂
Userlevel 2
First you have to enable the "zone" row in the rule matrix to make it viewable and accessible...

Userlevel 2
And then "simply" add the ID of your Zone, in this example "4"; this makes the client authenticated through this rule matrix line viewable in OneView...

Userlevel 2
Thanks for the reply - this is how we do it now. But it's a lot of work to create so many rules. And for any new end-system classification request, I need to adjust rules for every department...
Userlevel 2
I don't know what you really need. In my customer's case there are departments all over their biggest location and there is no limit to which switch they connect to; it depends on their end-system group. So a client of end-system group "A" will always be authenticated to the same VLAN regardless of which switch they are connected to, except when the switch is in a different location (where we have a different VLAN infrastructure).

I would recommend creating an Excel sheet where you define which user groups (end-system groups) are allowed to move between locations and to which VLAN they should be authenticated.

Per VLAN you need one rule matrix entry; that does not depend on zone management. Zones can be added additionally to each rule matrix entry. You only have to create and define the zones and the users/groups that should be able to manage them, and add this to the rule matrix entry where they are authenticated.

Do you have different "managers" for clients within the same VLAN? Then I would understand what you mean, but if different "managers" have to administer different VLANs, this is really easy.

If you need more details please contact me directly. 🙂
Userlevel 2
The only criterion for which end-system belongs to which manager is the switch/port location, not the VLAN or end-system group. So this is why it looks tricky to me to achieve this...
Userlevel 2
I see...

Could you please describe how your rule matrix works? In my opinion it doesn't matter if you only authenticate based on the switch location; you do it, so the clients are authenticated through a rule matrix rule, right?

Define a number of Zones that matches your network managers, add the corresponding zone to each rule matrix entry, and advise your managers to use OneView to manage or view the clients.
Userlevel 2
I am sorry, I deleted my last answer to you; I was wrong.

Do you have roaming users who on some days are connected to switch A and on other days to switch B, or are the users static to their switches?
Userlevel 2
The point is that Zones only work with end-system groups. So therefore you have to create end-system groups based on your switch locations. You can easily get these MAC addresses from NAC Manager by using a filter on the switch IP, then export them and import the MAC addresses into each end-system group.

Best if you choose names that match your switches.

Create your zone managers in Zone Management, and then you have to edit your current rule matrix entries and add the correct zone for each "manager" (= user).

The "managers" should now be able to add a user to their end-system group if a client connects to their switch, based on the entry in the rule matrix line for this.
Userlevel 2
But what do these managers have to do? Allow "unknown" MAC addresses? What is the reason for you to involve them in this job? For me there is something missing for a full understanding.
Userlevel 2
The only purpose for this is to make local end-systems visible to local admins (admins of the end-systems, not networking) via OneView. All real network administration tasks are done by central IT department admins.