- Pulse Secure Community
- :
- About hugo.santos_
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
since
10-29-2017
10-29-2017
hugo.santos_
New Contributor
4
Posts
0
Kudos
0
Solutions
08-02-2011
08:44:AM
Another update about this case. Now we are able to change the vlan from the quarantine Vlan to User vlan, but from User vlan to Quarantine it is not working. Following is the log showing the user being ñforced offî after a role change (from Role-Quarantine to Role-Users) and changing the Vlan to 1. Info EAM24459 2011-08-02 10:55:19 - ic - [0.0.0.0] Anderson R. Gomes(Realm-Users)[Role-Users, Role-Quarantine] - User assigned to vlan (VLAN='1') Info AUT24414 2011-08-02 10:55:19 - ic - [0.0.0.0] Anderson R. Gomes(Realm-Users)[Role-Users, Role-Quarantine] - Agent login succeeded for Anderson R. Gomes/Realm-Users from 00-0F-B0-FE-E5-B0. Info AUT24803 2011-08-02 10:55:19 - ic - [0.0.0.0] UAC\agomes(Realm-Users)[] - Host Checker policy 'Pol-Host_Checker-User' passed on host '802.1x client' address '00-0F-B0-FE-E5-B0' for user 'UAC\agomes'. Info AUT24326 2011-08-02 10:55:19 - ic - [0.0.0.0] Anderson R. Gomes(Realm-Users)[] - Primary authentication successful for Anderson R. Gomes/CA from 00-0F-B0-FE-E5-B0 Info EAM24460 2011-08-02 10:55:16 - ic - [192.168.100.11] Anderson R. Gomes(Realm-Users)[Role-Users, Role-Quarantine] - Received a RADIUS Accounting Stop request. Terminated session Info JAV20023 2011-08-02 10:55:16 - ic - [192.168.100.11] Anderson R. Gomes(Realm-Users)[Role-Users, Role-Quarantine] - Closed connection to 192.168.100.11-0:agentman port 0 after 120 seconds, with 35879 bytes read (in 23 chunks) and 3221 bytes written (in 8 chunks) Info EAM30444 2011-08-02 10:55:16 - ic - [192.168.100.11] Anderson R. Gomes(Realm-Users)[Role-Users, Role-Quarantine] - Forcing off user (Anderson R. Gomes) because of change in VLAN/RADIUS Attributes policy Info AUT24803 2011-08-02 10:55:16 - ic - [192.168.100.11] Anderson R. Gomes(Realm-Users)[Role-Quarantine] - Host Checker policy 'Pol-Host_Checker-User' passed on host '192.168.100.11' address '00-0F-B0-FE-E5-B0' for user 'Anderson R. Gomes'. Info AUT23524 2011-08-02 10:55:16 - ic - [192.168.100.11] Anderson R. Gomes(Realm-Users)[Role-Quarantine] - Roles for user Anderson R. Gomes on host 192.168.100.11 changed from <Role-Quarantine> to <Role-Users,Role-Quarantine> during policy reevaluation. We notice that when the user is on User vlan (1) the OAC is not showing the connection to IC, as you can see attached (UserVlan.JPG_). We think that it is the reason why the user is not being ñforced offî. When the user is on quarantine vlan the OAC is showing the informantion about the IC. We think this is the reason why it is working (QuarantineVlan.JPG_). What should we do to have this connection at User vlan the same way as Quarantine vlan? Best Regards
... View more
08-01-2011
01:55:PM
Stansislas, The suggestion number 2, about use the IC's server "Certificate" will help me a lot. Thank you so much.
... View more
08-01-2011
01:44:PM
Hi Stanislas_, Thanks for your reply. Last weekend we work hard and now the status is following: After some reading, we decided to use RADIUS with option ñdo not proxyî and this option gave a lot of options (restriction, Radius Return attributeƒ), but we are still using ñwindows passwordî (EAP-JUAC) to authenticate. Can I use Certificate with JUAC using Radius? Some costumerÍs requisites are: ‡ Machine and user authentication using a certificate ‡ Machine and user authentication without certificate (this will be another scenario ) ‡ Use an existing MicrosoftÍs user and computer database (we can use Radius _ preferable, LDAP or AD) ‡ 802.1x with dynamic Vlan ‡ Change the user to a quarantine vlan according the assessment Now we are able to change the vlan according the assessment using L2 (during authentication ), but if the user is already authenticated and change his state to ñnot complianceî with security police, the IC is not sending the Return attribute (Vlan) to NAD. In other words, using L3 to communicate IC and OAC, the IC is not sending the vlan. Maybe the logs (attached - IC logs EXPLAINED.docx) can explain better what is happening. The question is: What should we do to be able change this vlan if the user is already authenticated? What authentication method we can use to have this requisites with Machine and user authentication using certificate? If you have any suggestion about the design, please let me know. Thanks Hugo Santos
... View more
07-29-2011
01:36:PM
Hi everybody, WeÍre trying to implement a topology using a third party switch (802.1x enabled). We need to use Certificate to authenticate user and workstation, in a external RADIUS Server. We should be able to modify the Radius Return attribute, according the hostcheker, in order to modify the userÍs vlan (to a quarantine vlan). At this time, we are able to authenticate using PEAP-TLS, but after success the 802.1x authentication, the OAC agent try to establish a L3 authentication to IC (EAP over HTTP), but the realm is configured only to accept 802.1x (Layer 2) and the log is showing the following message: ñRequested realm Authentication_Realm is a RADIUS proxy realm and not available for L3 authenticationsî Can someone tell me, what should we do to use external RADIUS proxy and be able to establish a communication between IC and OAC agent? If it is not possible, what topology should we implement to have 802.1x, Dynamic vlan (according host checker) and External RADIUS server?__ Thanks
... View more
Latest Tags
No tags yet
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy.
Pulse Secure has updated its Privacy Policy effective June 28, 2017.
