Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Question on Remediation VLAN

SOLVED
Go to solution
Stanislas P_
Contributor
‎11-21-2011 03:14:AM
‎11-21-2011 03:14:AM

Re: Question on Remediation VLAN

Hi,

You can't use 802.1x Vlan assignment with clientless configuration.

clientless need Infranet Enforcer (ScreenOS or Junos Firewall) as Layer 3 enforcer.

802.1x need either OAC or JunOS Pulse. with one of these clients, the host is checked before the first VLAN assignment. there is no temporary vlan assignement as some other unsecured NAC competitors.

Regards,

Stanislas

0 Kudos
james.akpan_
New Contributor
‎11-22-2011 11:19:AM
‎11-22-2011 11:19:AM

Re: Question on Remediation VLAN

Thanks a million Stanislas.

I thought i could make this work with the agentless mode, just using the native windows supplicant. I shall implement using OAC and let us know how it goes. Here are a few questions needing prompt response regaring this deployment:

1. I get this debug message from my Cisco switch on the port connecting to my PC. Any idea what this is sbout?

04:35:30: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/2.

2. I have an AD server connected to the MAG for user authentication. However, each time i try to authenticate a user via the AD, i get the following error message:

2011-11-22 18:58:29 - ic - [0.0.0.0] ZENITHLAB\testuser2(TestRealm)[] - Radius authentication rejected for ZENITHLAB\testuser2 (realm 'TestRealm') from location-group 'Firstfloor' and attributes are: NAS-IP-Address = 10.0.1.99,NAS-Port = 50002,NAS-Port-Type = 15

2011-11-22 18:58:29 - ic - [0.0.0.0] ZENITHLAB\testuser2(TestRealm)[] - Login failed using auth server ZenithAD (Samba). Reason: Failed

2011-11-22 18:58:29 - ic - [0.0.0.0] ZENITHLAB\testuser2(TestRealm)[] - Primary authentication failed for ZENITHLAB\testuser2/ZenithAD from 00-21-86-F2-F5-16

Please could be wrong with my setup?

Thanks._

0 Kudos
vclement_
Occasional Contributor
‎12-21-2011 02:49:AM
‎12-21-2011 02:49:AM

Re: Question on Remediation VLAN

Hi,

I'm not sure about your setup, but:

- If you make the HC evaluation at the realm level, you can then make a role mapping rule based on the status of the Host Checker (if HC=OK -> role employee, else -> role quarantine).

- You can make vlan assignment without agent, but it is needed if you want host checker.

I'm pretty sure you can allow agent AND agentless client to a same realm, by selecting the rights protocols in protocol set, then make distinction with role mapping rules.

With an AD configuration, make sure the NTP is configured on IC/MAG and its the same than AD server, cause this type of authentication requires time sync to work (linked to kerberos tickets I think), and it can generate authentication failed log you linked. Please make sur that the username is in the right format by the policy tracing option, you may need to remove/add the realm suffix to the username value.

Hope it will help.

Regards,

0 Kudos
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.