Re: UAC Topology using 802.1x, Dynamic VLan, OAC, ...

hugo.santos_ · ‎07-29-2011

Hi everybody,

WeÍre trying to implement a topology using a third party switch (802.1x enabled).

We need to use Certificate to authenticate user and workstation, in a external RADIUS Server. We should be able to modify the Radius Return attribute, according the hostcheker, in order to modify the userÍs vlan (to a quarantine vlan).

At this time, we are able to authenticate using PEAP-TLS, but after success the 802.1x authentication, the OAC agent try to establish a L3 authentication to IC (EAP over HTTP), but the realm is configured only to accept 802.1x (Layer 2) and the log is showing the following message:

ñRequested realm Authentication_Realm is a RADIUS proxy realm and not available for L3 authenticationsî

Can someone tell me, what should we do to use external RADIUS proxy and be able to establish a communication between IC and OAC agent?

If it is not possible, what topology should we implement to have 802.1x, Dynamic vlan (according host checker) and External RADIUS server?__

Thanks

Stanislas P_ · ‎08-01-2011

Hi,

1 - If you need to use Host checker, you must authenticate with EAP-TTLS or EAP-PEAP with EAP-JUAC inner authentication.

2 - Why authenticate on an external RADIUS server for Certificate authentication? IC is able to authenticate users and workstations by certificates. read the following extract of Administration Guide:

Note: When RADIUS proxy is used, realm or role restrictions cannot be enforced. Host Checker policies, Source IP restrictions, and any other assigned limits are bypassed. Use RADIUS proxy only if no restrictions have been applied. The exception is that session limitations can be enforced for inner proxy. With outer proxy, no session is established._

3 - when defining 802.1X Authentication protocol set, the realm is not "configured only to accept 802.1x_". it is configured with defined 802.1X protocols during 802.1X authentication.

Stanislas

hugo.santos_ · ‎08-01-2011

Hi Stanislas_,

Thanks for your reply. Last weekend we work hard and now the status is following:

After some reading, we decided to use RADIUS with option ñdo not proxyî and this option gave a lot of options (restriction, Radius Return attributeƒ), but we are still using ñwindows passwordî (EAP-JUAC) to authenticate. Can I use Certificate with JUAC using Radius?

Some costumerÍs requisites are:

‡ Machine and user authentication using a certificate

‡ Machine and user authentication without certificate (this will be another scenario )

‡ Use an existing MicrosoftÍs user and computer database (we can use Radius _ preferable, LDAP or AD)

‡ 802.1x with dynamic Vlan

‡ Change the user to a quarantine vlan according the assessment

Now we are able to change the vlan according the assessment using L2 (during authentication ), but if the user is already authenticated and change his state to ñnot complianceî with security police, the IC is not sending the Return attribute (Vlan) to NAD. In other words, using L3 to communicate IC and OAC, the IC is not sending the vlan.

Maybe the logs (attached - IC logs EXPLAINED.docx) can explain better what is happening.

The question is: What should we do to be able change this vlan if the user is already authenticated? What authentication method we can use to have this requisites with Machine and user authentication using certificate?

If you have any suggestion about the design, please let me know.

Thanks

Hugo Santos

hugo.santos_ · ‎08-01-2011

Stansislas,

The suggestion number 2, about use the IC's server "Certificate" will help me a lot.

Thank you so much.

hugo.santos_ · ‎08-02-2011

Another update about this case.

Now we are able to change the vlan from the quarantine Vlan to User vlan, but from User vlan to Quarantine it is not working.

Following is the log showing the user being ñforced offî after a role change (from Role-Quarantine to Role-Users) and changing the Vlan to 1.

Info	EAM24459	2011-08-02 10:55:19 - ic - [0.0.0.0] Anderson R. Gomes(Realm-Users)[Role-Users, Role-Quarantine] - User assigned to vlan (VLAN='1')
Info	AUT24414	2011-08-02 10:55:19 - ic - [0.0.0.0] Anderson R. Gomes(Realm-Users)[Role-Users, Role-Quarantine] - Agent login succeeded for Anderson R. Gomes/Realm-Users from 00-0F-B0-FE-E5-B0.
Info	AUT24803	2011-08-02 10:55:19 - ic - [0.0.0.0] UAC\agomes(Realm-Users)[] - Host Checker policy 'Pol-Host_Checker-User' passed on host '802.1x client' address '00-0F-B0-FE-E5-B0' for user 'UAC\agomes'.
Info	AUT24326	2011-08-02 10:55:19 - ic - [0.0.0.0] Anderson R. Gomes(Realm-Users)[] - Primary authentication successful for Anderson R. Gomes/CA from 00-0F-B0-FE-E5-B0
Info	EAM24460	2011-08-02 10:55:16 - ic - [192.168.100.11] Anderson R. Gomes(Realm-Users)[Role-Users, Role-Quarantine] - Received a RADIUS Accounting Stop request. Terminated session
Info	JAV20023	2011-08-02 10:55:16 - ic - [192.168.100.11] Anderson R. Gomes(Realm-Users)[Role-Users, Role-Quarantine] - Closed connection to 192.168.100.11-0:agentman port 0 after 120 seconds, with 35879 bytes read (in 23 chunks) and 3221 bytes written (in 8 chunks)
Info	EAM30444	2011-08-02 10:55:16 - ic - [192.168.100.11] Anderson R. Gomes(Realm-Users)[Role-Users, Role-Quarantine] - Forcing off user (Anderson R. Gomes) because of change in VLAN/RADIUS Attributes policy
Info	AUT24803	2011-08-02 10:55:16 - ic - [192.168.100.11] Anderson R. Gomes(Realm-Users)[Role-Quarantine] - Host Checker policy 'Pol-Host_Checker-User' passed on host '192.168.100.11' address '00-0F-B0-FE-E5-B0' for user 'Anderson R. Gomes'.
Info	AUT23524	2011-08-02 10:55:16 - ic - [192.168.100.11] Anderson R. Gomes(Realm-Users)[Role-Quarantine] - Roles for user Anderson R. Gomes on host 192.168.100.11 changed from <Role-Quarantine> to <Role-Users,Role-Quarantine> during policy reevaluation.

We notice that when the user is on User vlan (1) the OAC is not showing the connection to IC, as you can see attached (UserVlan.JPG_). We think that it is the reason why the user is not being ñforced offî.

When the user is on quarantine vlan the OAC is showing the informantion about the IC. We think this is the reason why it is working (QuarantineVlan.JPG_).

What should we do to have this connection at User vlan the same way as Quarantine vlan?

Best Regards

Stanislas P_ · ‎08-11-2011

Hi,

the "force off" is initiated by the IC through the EAPoHTTP connection (connection to IC). this connection is configured in the Network access policy applied to the role -> Interface

If this parameter is set to "Automatic (use configured VLANs)_", the OAC will access to the IP in the same network as the PC, or IC Internal port address if the IC do not have IP address in the same network.

Did you configure a default gateway in the DHCP server for UserVLAN Network to connect to IC Address (defined in you screenshot in the quarantine VLAN)?

Regards,

Stanislas

CraigB_ · ‎08-29-2011

One other thing to remember is thatin order for OAC to be able to communicate to the IC, nothing can be blocking the HTTPS port on the IC. In other words, you have to allow HTTPS to the IC from wherever the PC is. Secondly, is the IP address of the PC changing when you are placing him onto the quarantine VLAN? OAC is not responsible for getting the DHCP address, it is up to the host OS to do this. It's possible that you are in fact changing VLANs, but not getting an IP on that VLAN this is what is causing the connection to the IC to fail.

Hope that helps

Craig

UAC Topology using 802.1x, Dynamic VLan, OAC, External Radius and host checker

UAC Topology using 802.1x, Dynamic VLan, OAC, External Radius and host checker

Re: UAC Topology using 802.1x, Dynamic VLan, OAC, External Radius and host checker

Re: UAC Topology using 802.1x, Dynamic VLan, OAC, External Radius and host checker

Re: UAC Topology using 802.1x, Dynamic VLan, OAC, External Radius and host checker

Re: UAC Topology using 802.1x, Dynamic VLan, OAC, External Radius and host checker

Re: UAC Topology using 802.1x, Dynamic VLan, OAC, External Radius and host checker

Re: UAC Topology using 802.1x, Dynamic VLan, OAC, External Radius and host checker