We're trying to implement a topology using a third party switch (802.1x enabled).
We need to use a certificate to authenticate the user and workstation on an external RADIUS server. We should be able to modify the RADIUS Return attribute according to the Host Checker, in order to modify the user's VLAN (to a quarantine VLAN).
At this time we are able to authenticate using PEAP-TLS, but after the 802.1x authentication succeeds, the OAC agent tries to establish an L3 authentication to the IC (EAP over HTTP). The realm is configured only to accept 802.1x (Layer 2), and the log shows the following message:
"Requested realm Authentication_Realm is a RADIUS proxy realm and not available for L3 authentications"
Can someone tell me what we should do to use an external RADIUS proxy and be able to establish communication between the IC and the OAC agent?
If it is not possible, what topology should we implement to have 802.1x, dynamic VLAN (according to Host Checker) and an external RADIUS server?
1 - If you need to use Host Checker, you must authenticate with EAP-TTLS or EAP-PEAP with EAP-JUAC inner authentication.
2 - Why authenticate on an external RADIUS server for certificate authentication? The IC is able to authenticate users and workstations by certificates. Read the following extract of the Administration Guide:
Note: When RADIUS proxy is used, realm or role restrictions cannot be enforced. Host Checker policies, Source IP restrictions, and any other assigned limits are bypassed. Use RADIUS proxy only if no restrictions have been applied. The exception is that session limitations can be enforced for inner proxy. With outer proxy, no session is established.
3 - When defining the 802.1X authentication protocol set, the realm is not "configured only to accept 802.1x". It is configured with the defined 802.1X protocols during 802.1X authentication.
Thanks for your reply. Last weekend we worked hard and now the status is the following:
After some reading, we decided to use RADIUS with the option "do not proxy", and this option gave us a lot of options (restrictions, RADIUS Return attribute), but we are still using "Windows password" (EAP-JUAC) to authenticate. Can I use a certificate with JUAC using RADIUS?
Some of the customer's requisites are:
Machine and user authentication using a certificate
Machine and user authentication without a certificate (this will be another scenario)
Use an existing Microsoft user and computer database (we can use RADIUS (preferable), LDAP or AD)
802.1x with dynamic VLAN
Change the user to a quarantine VLAN according to the assessment
Now we are able to change the VLAN according to the assessment using L2 (during authentication), but if the user is already authenticated and changes his state to "not compliant" with the security policy, the IC is not sending the Return attribute (VLAN) to the NAD. In other words, using L3 to communicate between the IC and OAC, the IC is not sending the VLAN.
Maybe the logs (attached - IC logs EXPLAINED.docx) can explain better what is happening.
The question is: what should we do to be able to change this VLAN if the user is already authenticated? What authentication method can we use to meet these requisites with machine and user authentication using a certificate?
If you have any suggestion about the design, please let me know.
Suggestion number 2, about using the IC's server "Certificate", will help me a lot.
Thank you so much.
Another update about this case.
Now we are able to change the VLAN from the quarantine VLAN to the user VLAN, but from the user VLAN to quarantine it is not working.
Following is the log showing the user being "forced off" after a role change (from Role-Quarantine to Role-Users) and the VLAN changing to 1.
2011-08-02 10:55:19 - ic - [0.0.0.0] Anderson R. Gomes(Realm-Users)[Role-Users, Role-Quarantine] - User assigned to vlan (VLAN='1')
2011-08-02 10:55:19 - ic - [0.0.0.0] Anderson R. Gomes(Realm-Users)[Role-Users, Role-Quarantine] - Agent login succeeded for Anderson R. Gomes/Realm-Users from 00-0F-B0-FE-E5-B0.
2011-08-02 10:55:19 - ic - [0.0.0.0] UAC\agomes(Realm-Users) - Host Checker policy 'Pol-Host_Checker-User' passed on host '802.1x client' address '00-0F-B0-FE-E5-B0' for user 'UAC\agomes'.
2011-08-02 10:55:19 - ic - [0.0.0.0] Anderson R. Gomes(Realm-Users) - Primary authentication successful for Anderson R. Gomes/CA from 00-0F-B0-FE-E5-B0
2011-08-02 10:55:16 - ic - [192.168.100.11] Anderson R. Gomes(Realm-Users)[Role-Users, Role-Quarantine] - Received a RADIUS Accounting Stop request. Terminated session
2011-08-02 10:55:16 - ic - [192.168.100.11] Anderson R. Gomes(Realm-Users)[Role-Users, Role-Quarantine] - Closed connection to 192.168.100.11-0:agentman port 0 after 120 seconds, with 35879 bytes read (in 23 chunks) and 3221 bytes written (in 8 chunks)
2011-08-02 10:55:16 - ic - [192.168.100.11] Anderson R. Gomes(Realm-Users)[Role-Users, Role-Quarantine] - Forcing off user (Anderson R. Gomes) because of change in VLAN/RADIUS Attributes policy
2011-08-02 10:55:16 - ic - [192.168.100.11] Anderson R. Gomes(Realm-Users)[Role-Quarantine] - Host Checker policy 'Pol-Host_Checker-User' passed on host '192.168.100.11' address '00-0F-B0-FE-E5-B0' for user 'Anderson R. Gomes'.
2011-08-02 10:55:16 - ic - [192.168.100.11] Anderson R. Gomes(Realm-Users)[Role-Quarantine] - Roles for user Anderson R. Gomes on host 192.168.100.11 changed from <Role-Quarantine> to <Role-Users,Role-Quarantine> during policy reevaluation.
We notice that when the user is on the user VLAN (1) the OAC is not showing the connection to the IC, as you can see in the attachment (UserVlan.JPG). We think that is the reason why the user is not being "forced off".
When the user is on the quarantine VLAN the OAC is showing the information about the IC. We think this is the reason why it is working (QuarantineVlan.JPG).
What should we do to have this connection on the user VLAN the same way as on the quarantine VLAN?
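The log excerpt above is printed newest-first and mixes the role reevaluation, the force-off, the RADIUS Accounting Stop and the re-authentication within the same few seconds, which makes it hard to see whether the sequence completed. The following script is an added example, not code from this thread or from Juniper: it parses IC user-access log lines in the format visible above (the field names and the regular expressions are my assumptions about that format), re-orders them chronologically, and for each role change reports whether a force-off, a re-authentication and a new VLAN assignment followed. The first sample is the log pasted above; the second is a constructed excerpt of the failing direction (Role-Users to Role-Quarantine) with no force-off, which is what a missing EAPoHTTP connection from the agent to the IC looks like in the log.

```python
"""Reconstruct the force-off / re-auth / VLAN timeline from IC user-access log lines.

Added example; line format and event wording are assumed from the thread's excerpt.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Sample 1: the log lines pasted in the thread, in the order shown (newest first).
SAMPLE_LOG = r"""
2011-08-02 10:55:19 - ic - [0.0.0.0] Anderson R. Gomes(Realm-Users)[Role-Users, Role-Quarantine] - User assigned to vlan (VLAN='1')
2011-08-02 10:55:19 - ic - [0.0.0.0] Anderson R. Gomes(Realm-Users)[Role-Users, Role-Quarantine] - Agent login succeeded for Anderson R. Gomes/Realm-Users from 00-0F-B0-FE-E5-B0.
2011-08-02 10:55:19 - ic - [0.0.0.0] UAC\agomes(Realm-Users) - Host Checker policy 'Pol-Host_Checker-User' passed on host '802.1x client' address '00-0F-B0-FE-E5-B0' for user 'UAC\agomes'.
2011-08-02 10:55:19 - ic - [0.0.0.0] Anderson R. Gomes(Realm-Users) - Primary authentication successful for Anderson R. Gomes/CA from 00-0F-B0-FE-E5-B0
2011-08-02 10:55:16 - ic - [192.168.100.11] Anderson R. Gomes(Realm-Users)[Role-Users, Role-Quarantine] - Received a RADIUS Accounting Stop request. Terminated session
2011-08-02 10:55:16 - ic - [192.168.100.11] Anderson R. Gomes(Realm-Users)[Role-Users, Role-Quarantine] - Closed connection to 192.168.100.11-0:agentman port 0 after 120 seconds, with 35879 bytes read (in 23 chunks) and 3221 bytes written (in 8 chunks)
2011-08-02 10:55:16 - ic - [192.168.100.11] Anderson R. Gomes(Realm-Users)[Role-Users, Role-Quarantine] - Forcing off user (Anderson R. Gomes) because of change in VLAN/RADIUS Attributes policy
2011-08-02 10:55:16 - ic - [192.168.100.11] Anderson R. Gomes(Realm-Users)[Role-Quarantine] - Host Checker policy 'Pol-Host_Checker-User' passed on host '192.168.100.11' address '00-0F-B0-FE-E5-B0' for user 'Anderson R. Gomes'.
2011-08-02 10:55:16 - ic - [192.168.100.11] Anderson R. Gomes(Realm-Users)[Role-Quarantine] - Roles for user Anderson R. Gomes on host 192.168.100.11 changed from <Role-Quarantine> to <Role-Users,Role-Quarantine> during policy reevaluation.
"""

# Sample 2 (constructed, not from the thread): a reevaluation that moves the user to
# quarantine but is followed by no force-off and no VLAN assignment.
STALLED_LOG = r"""
2011-08-02 11:10:02 - ic - [192.168.1.50] Anderson R. Gomes(Realm-Users)[Role-Users] - Roles for user Anderson R. Gomes on host 192.168.1.50 changed from <Role-Users> to <Role-Quarantine> during policy reevaluation.
2011-08-02 11:10:02 - ic - [192.168.1.50] Anderson R. Gomes(Realm-Users)[Role-Users] - Host Checker policy 'Pol-Host_Checker-User' failed on host '192.168.1.50' address '00-0F-B0-FE-E5-B0' for user 'Anderson R. Gomes'.
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - ic - "
                     r"\[(?P<ip>[^\]]*)\] (?P<subject>.*?) - (?P<msg>.*)$")
SUBJECT_RE = re.compile(r"^(?P<user>.+?)\((?P<realm>[^)]+)\)(?:\[(?P<roles>[^\]]*)\])?$")
ROLE_CHANGE_RE = re.compile(r"changed from <(?P<old>[^>]*)> to <(?P<new>[^>]*)> during policy reevaluation")
VLAN_RE = re.compile(r"User assigned to vlan \(VLAN='(?P<vlan>[^']*)'\)")


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    realm: str
    roles: List[str]
    kind: str          # one of the classify() kinds below
    detail: Optional[str]  # role transition or VLAN id, when applicable


def classify(msg: str):
    """Map a message to an event kind; 'other' for lines not relevant to the timeline."""
    m = ROLE_CHANGE_RE.search(msg)
    if m:
        return "role_change", f"{m['old']} -> {m['new']}"
    m = VLAN_RE.search(msg)
    if m:
        return "vlan_assign", m["vlan"]
    if msg.startswith("Forcing off user"):
        return "force_off", None
    if "RADIUS Accounting Stop" in msg:
        return "acct_stop", None
    if msg.startswith("Primary authentication successful"):
        return "auth_ok", None
    if "Host Checker policy" in msg:
        return ("hc_pass" if "passed" in msg else "hc_fail"), None
    if msg.startswith("Agent login succeeded"):
        return "agent_login", None
    return "other", None


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = SUBJECT_RE.match(m["subject"])
        user, realm, roles = (s["user"], s["realm"], s["roles"]) if s else (m["subject"], "", None)
        kind, detail = classify(m["msg"])
        events.append(Event(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], user, realm,
                            [r.strip() for r in roles.split(",")] if roles else [], kind, detail))
    # The IC lists newest entries first; reverse, then stable-sort by timestamp so that
    # entries sharing a second keep their original relative order.
    events.reverse()
    events.sort(key=lambda e: e.ts)
    return events


def check_reassignment(events: List[Event], window_seconds: int = 30):
    """For each role reevaluation, report whether a force-off, a re-authentication and a
    new VLAN assignment followed within the window. A role change without a force-off is
    the symptom from the thread: the IC had no agent connection to act on."""
    findings = []
    for i, e in enumerate(events):
        if e.kind != "role_change":
            continue
        later = [x for x in events[i + 1:] if (x.ts - e.ts).total_seconds() <= window_seconds]
        kinds = {x.kind for x in later}
        findings.append({
            "at": e.ts.isoformat(sep=" "), "user": e.user, "change": e.detail,
            "forced_off": "force_off" in kinds, "reauthenticated": "auth_ok" in kinds,
            "new_vlan": next((x.detail for x in later if x.kind == "vlan_assign"), None),
        })
    return findings


if __name__ == "__main__":
    for name, text in (("thread log", SAMPLE_LOG), ("constructed stalled log", STALLED_LOG)):
        for f in check_reassignment(parse_log(text)):
            print(name, f)
```

Run against the thread's log, the script reports the one role change as forced off, re-authenticated and assigned VLAN 1; against the constructed stalled excerpt it reports the role change with no force-off and no new VLAN, which is the condition to look for when the user VLAN is the one where the OAC shows no connection to the IC.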
The "force off" is initiated by the IC through the EAPoHTTP connection (connection to IC). This connection is configured in the network access policy applied to the role -> Interface.
If this parameter is set to "Automatic (use configured VLANs)", the OAC will access the IP in the same network as the PC, or the IC internal port address if the IC does not have an IP address in the same network.
Did you configure a default gateway in the DHCP server for the UserVLAN network to connect to the IC address (defined in your screenshot in the quarantine VLAN)?
One other thing to remember is that in order for OAC to be able to communicate with the IC, nothing can be blocking the HTTPS port on the IC. In other words, you have to allow HTTPS to the IC from wherever the PC is. Secondly, is the IP address of the PC changing when you are placing it onto the quarantine VLAN? OAC is not responsible for getting the DHCP address; it is up to the host OS to do this. It's possible that you are in fact changing VLANs but not getting an IP on that VLAN, and this is what is causing the connection to the IC to fail.
Hope that helps