Extreme Networks Application Note: Network Access Control/Protection with ExtremeXOS and Microsoft NAP

This document discusses the features and configuration tools provided by ExtremeXOS NetLogin and how they can be used in conjunction with Network Access Protection (NAP) technologies in Microsoft Windows 2008 Server to control user and device access depending on the results of health check policies. Authentication and authorization for users and devices are provided by the Network Policy Server (NPS) application, which replaces Internet Authentication Service (IAS) in earlier Microsoft Server versions such as Microsoft Windows 2003 Server.
Introduction
Network Access Control and Protection is rapidly becoming an integral building block of network infrastructure and security. Typical NAP solutions provide the platform and framework for administrators to:

1. Define network access policies based on the client's identity
2. Determine the degree of client compliance with requirements configured in policy servers
3. Take actions (such as invoking remediation procedures that bring the client computer into compliance) and provide authorized access for client computers

NAP allows administrators to create and enforce health policies for computers that connect to the enterprise network. The policies govern both the installed software components and the system configuration. Computers that connect to the network, such as laptops, workstations and similar devices, are evaluated against the configured health requirements. Health requirements include:

1. A firewall is enabled
2. An antivirus program is installed
3. The antivirus program is up to date
4. Automatic Windows Update is enabled

Client computers that connect to the network are evaluated against these health requirements and classified as NAP-compliant, NAP-noncompliant or NAP-ineligible. Policies can also contain the actions to be taken and the authorizations to be granted to computers in each category. Actions could include auto-remediation of client computers (for example, enabling Windows Automatic Updates or Windows Firewall).

ExtremeXOS NetLogin can be integrated with Microsoft NAP to authorize access to network resources for client computers. Authorizations could include:

1. Complete network access to clients deemed NAP-compliant
2. Restricted network access to clients deemed NAP-noncompliant
3. Custom network access to clients deemed NAP-ineligible

Microsoft NAP is available in the following variants of the Microsoft Windows operating system:

Servers: Windows Server 2008, Windows Server 2008 R2
Clients: Windows XP Professional (with Service Pack 3), Windows Vista, Windows 7

Microsoft NAP can enforce health policies for different network access and communication technologies, including IPsec, 802.1X-based wired and wireless network access control, and others. This document addresses NAP enforcement for wired clients using IEEE 802.1X authentication. NAP can be deployed using the typical AAA framework without additional networking equipment and without software upgrades on ExtremeXOS-based switches; ExtremeXOS NetLogin was designed to integrate with the Microsoft NAP solution from the ground up.

An overview of the NAP architecture and the components involved is presented in Section 3, whose subsections detail the role played by each element in the NAP framework. Readers familiar with the general concepts of the Microsoft NAP architecture and framework can skip that section. Readers are encouraged to review the Microsoft NAP concepts provided on the Microsoft Technical Resources website.
Section 4 provides an overview of the NetLogin feature in ExtremeXOS and the authentication methods that work with NPS, and discusses the schemes that can be used to enforce policies (configured in the NAP server) at the network access/edge layer. A case study of a NAP and NetLogin deployment is presented in Section 5. It walks the user through a sample edge switch configuration, with detailed steps on creating groups and users in Microsoft Active Directory and creating NAP policies in the health policy server. Detailed instructions and screen shots are provided for configuring Microsoft Windows 2008 Server as the NAP health policy server, the edge switch as the authenticator, and the different types of clients. The contents of that section are aligned with the steps presented in the Microsoft document Step-by-Step Guide: Demonstrate 802.1X NAP enforcement in a Test Lab.
References
1. Using ExtremeXOS NetLogin with Microsoft IAS, http://www.extremenetworks.com/doc.aspx?id=957
2. Using ExtremeXOS NetLogin with Microsoft NPS
3. Step-by-Step Guide: Demonstrate 802.1X NAP enforcement in a Test Lab, http://www.microsoft.com/downloads/details.aspx?FamilyID=8a0925ee-ee06-4dfb-bba207605eff0608&displaylang=en
4. Network Access Protection concepts, http://technet.microsoft.com/en-us/library/cc730902%28WS.10%29.aspx
5. Network Access Protection Design Guide, http://technet.microsoft.com/en-us/library/dd125338.aspx
6. Network Access Protection Deployment Guide, http://technet.microsoft.com/en-us/library/dd314175.aspx
7. Network Access Protection Troubleshooting Guide, http://technet.microsoft.com/en-us/library/dd348515.aspx
NAP Architecture Overview

The components shown are similar to those in a typical AAA framework, with additional functionality in the clients and the backend servers so that they can participate in a NAP framework.

NAP Client Computers: The clients or supplicants not only implement the IEEE 802.1X authentication methods but also contain newer Windows components such as the System Health Agent (SHA), the NAP Agent and the enforcement clients. NAP-capable clients provide system health information in addition to security credentials when requesting network access from an IEEE 802.1X-compliant network access device.

NAP Enforcement Point: As shown below, ExtremeXOS-based switches act as the enforcement points. Enforcement can be one of the following actions: providing complete network access to NAP-compliant computers; isolating noncompliant computers in specific broadcast domains or VLANs that provide connectivity to remediation servers; or restricting access (using access control lists) to specific resources. The actions performed by the switches are based on the authorizations received from the backend NAP health policy servers. These authorizations are delivered to the switch via RADIUS by the Network Policy Server component running on Microsoft Windows-based servers.

NAP Health Policy Server: In addition to the Network Policy Server, which provides authentication and authorization services, Microsoft Windows Server 2008 and Windows Server 2008 R2 contain newer components such as the System Health Validator (SHV), NAP administration and others. SHVs are used by NPS to analyze the health of client computers. The results of the client health check are used by network policies to deliver the appropriate authorizations.
Figure 1: NAP components: clients or supplicants, the authenticator (Summit X450e-24p) and the authentication server, attached to the enterprise network
ExtremeXOS NetLogin
The NetLogin feature in ExtremeXOS provides the following capabilities, which can be used in NAP deployments:

1. IEEE 802.1X-based authentication
2. Authorizations in the form of a destination VLAN ID or name
3. In addition to VLAN information, network access can be limited to a set of hosts. These hosts could be remediation or quarantine servers that deliver the software configurations, software updates and system configuration needed to bring an unhealthy supplicant into compliance with the enterprise health policies.
VLAN Authorizations
The following Vendor-Specific Attributes (VSAs) can be used to deliver the VLAN IDs or names to which the authenticated user is added. In typical NAP deployments these VSAs are used to deliver a designated quarantine VLAN.

Extreme-Netlogin-VLAN-Name (VSA 203): Specifies a VLAN name that the RADIUS server sends to the switch after successful authentication. When the switch receives the VSA, it adds the authenticated user to the VLAN. The VLAN must already exist on the switch.

Extreme-Netlogin-VLAN-ID (VSA 209): Specifies a VLAN ID (tag) that the RADIUS server sends to the switch after successful authentication. When the switch receives the VSA, it adds the authenticated user to the VLAN. The VLAN must already exist on the switch.

Extreme-Netlogin-Extended-Vlan (VSA 211): Specifies one or more VLANs that the RADIUS server sends to the switch after successful authentication. VLANs can be specified by name or ID (tag). The VLANs may already exist on the switch or, if dynamic VLANs are enabled and a nonexistent VLAN tag is given, the VLAN is created.

Once authenticated, the client/port is moved to the VLAN whose ID or name is sent in the Access-Accept message. This VLAN can be the designated quarantine VLAN. The administrator must ensure that the quarantine VLAN really does have limited access to the rest of the network; typically this is done by disabling IP forwarding on that VLAN so that no routed traffic can leave it. The quarantine VLAN can also be created dynamically in the switch by NetLogin. This case study uses Extreme-Netlogin-VLAN-ID (VSA 209) to demonstrate the NAP concepts.
Quarantine State and Remediation Server Authorizations

These VSAs control the access that unhealthy supplicants have to network resources. The MS-IPv4-Remediation-Servers VSA contains a list of IP addresses that an unhealthy, and therefore quarantined, supplicant may reach in order to correct the unhealthy attribute(s). In practice, remediation servers are reached via the uplink port and are not necessarily in the same VLAN. Regardless of whether the quarantine VLAN is preconfigured or dynamically created, unhealthy clients must have access to the remediation servers.

NetLogin supports the MS-Quarantine-State attribute (present in the Access-Accept message), whose values (referred to as extremeSessionStatus) convey the status of the client: Quarantined or On Probation. In either case a dynamic ACL that denies all traffic is applied to the VLAN. If such an ACL is already present on that VLAN, no new ACL is applied. The ACL is removed automatically when the last authenticated client has been removed from the quarantine VLAN. Additionally, if the MS-IPv4-Remediation-Servers VSA is present in the Access-Accept message, then for each IP address in the VSA a dynamic ACL permitting all traffic to and from that address is applied on the quarantine VLAN. This allows traffic to and from the remediation servers to pass unhindered into the quarantine VLAN while all other traffic is dropped.
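The following Python script is an added example, not code from Extreme Networks or Microsoft. It shows what the VLAN and quarantine authorizations described in this section and in VLAN Authorizations look like on the wire (RFC 2865 Vendor-Specific attributes) and how a switch would map them to the actions above: a move to the VLAN carried in Extreme-Netlogin-VLAN-ID or -VLAN-Name, and, when MS-Quarantine-State is Quarantine or On Probation, a deny-all ACL preceded by a permit for each remediation server. The Extreme vendor ID (1916) and attribute numbers 203/209 are from this note; the Microsoft vendor ID (311), the vendor-type numbers 45 and 52 for MS-Quarantine-State and MS-IPv4-Remediation-Servers, and the one-octet group-id prefix assumed for the remediation-server list are taken from public RADIUS dictionaries and should be checked against the NPS dictionary in use. The sample Access-Accept is constructed.

```python
"""Encode and decode the RADIUS Vendor-Specific Attributes (VSAs) in an
Access-Accept and derive the NetLogin enforcement actions described above
(destination VLAN, quarantine state, deny-all ACL plus one permit per
remediation server)."""
import ipaddress
import struct

VENDOR_EXTREME = 1916                 # Extreme Networks vendor ID (from the note)
VENDOR_MICROSOFT = 311                # Microsoft vendor ID
EXTREME_NETLOGIN_VLAN_NAME = 203      # from the note
EXTREME_NETLOGIN_VLAN_ID = 209        # from the note
MS_QUARANTINE_STATE = 45              # assumed vendor-type; check your RADIUS dictionary
MS_IPV4_REMEDIATION_SERVERS = 52      # assumed vendor-type; check your RADIUS dictionary
QUARANTINE_STATES = {0: "Full Access", 1: "Quarantine", 2: "On Probation"}


def encode_vsa(vendor_id, vendor_type, value):
    """RFC 2865 Vendor-Specific (type 26): Type, Length, Vendor-Id,
    then Vendor-Type, Vendor-Length and the value octets."""
    if len(value) > 255 - 8:
        raise ValueError("VSA value too long for one attribute")
    vendor_data = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", 26, 6 + len(vendor_data), vendor_id) + vendor_data


def extreme_vlan_id(tag):
    return encode_vsa(VENDOR_EXTREME, EXTREME_NETLOGIN_VLAN_ID, struct.pack("!I", tag))


def extreme_vlan_name(name):
    return encode_vsa(VENDOR_EXTREME, EXTREME_NETLOGIN_VLAN_NAME, name.encode())


def ms_quarantine_state(state):
    return encode_vsa(VENDOR_MICROSOFT, MS_QUARANTINE_STATE, struct.pack("!I", state))


def ms_ipv4_remediation_servers(addrs, group_id=0):
    # Assumed layout: one group-id octet followed by 4-octet IPv4 addresses.
    data = bytes([group_id]) + b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    return encode_vsa(VENDOR_MICROSOFT, MS_IPV4_REMEDIATION_SERVERS, data)


def parse_vsas(attrs):
    """Walk a RADIUS attribute blob and return (vendor_id, vendor_type, value)
    for every VSA. Bad lengths raise rather than being skipped: a truncated
    VSA must never be turned into a wrong VLAN or a missing deny rule."""
    out, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != 26 or len(body) < 6:
            continue                      # not a VSA (or too short to hold one)
        vendor_id = struct.unpack("!I", body[:4])[0]
        vpos = 4
        while vpos < len(body):
            if vpos + 2 > len(body):
                raise ValueError("truncated vendor header")
            vtype, vlen = body[vpos], body[vpos + 1]
            if vlen < 2 or vpos + vlen > len(body):
                raise ValueError("bad vendor length")
            out.append((vendor_id, vtype, body[vpos + 2:vpos + vlen]))
            vpos += vlen
    return out


def enforcement_for_accept(attrs):
    """Map the VSAs of an Access-Accept to the switch-side actions: the VLAN
    the port is moved to, the quarantine state, and the dynamic ACL list
    (permits for remediation servers, then deny-all) when quarantined."""
    result = {"vlan": None, "state": "Full Access", "acl": []}
    remediation = []
    for vendor, vtype, value in parse_vsas(attrs):
        if vendor == VENDOR_EXTREME and vtype == EXTREME_NETLOGIN_VLAN_ID and len(value) == 4:
            result["vlan"] = struct.unpack("!I", value)[0]
        elif vendor == VENDOR_EXTREME and vtype == EXTREME_NETLOGIN_VLAN_NAME:
            result["vlan"] = value.decode(errors="replace")
        elif vendor == VENDOR_MICROSOFT and vtype == MS_QUARANTINE_STATE and len(value) == 4:
            result["state"] = QUARANTINE_STATES.get(struct.unpack("!I", value)[0], "Unknown")
        elif vendor == VENDOR_MICROSOFT and vtype == MS_IPV4_REMEDIATION_SERVERS:
            body = value[1:] if len(value) % 4 == 1 else value   # strip group-id octet
            remediation += [str(ipaddress.IPv4Address(body[i:i + 4]))
                            for i in range(0, len(body) - 3, 4)]
    if result["state"] in ("Quarantine", "On Probation"):
        result["acl"] = [f"permit host {ip}" for ip in remediation] + ["deny any"]
    return result


# Constructed sample Access-Accept: quarantine VLAN 3, state Quarantine,
# two remediation servers (addresses chosen for this example).
SAMPLE_ACCEPT = (extreme_vlan_id(3) + ms_quarantine_state(1)
                 + ms_ipv4_remediation_servers(["192.168.3.10", "192.168.3.11"]))

if __name__ == "__main__":
    print(enforcement_for_accept(SAMPLE_ACCEPT))
```

Run against bytes captured from a real Access-Accept (for example, the attribute section of a packet captured between PRIMECORP-NAP-1 and the edge switch) to confirm that NPS is sending VLAN 3 with a quarantine state for noncompliant clients and VLAN 2 with no quarantine state for compliant ones. The parser deliberately rejects malformed lengths instead of skipping them, because a VSA that is silently dropped turns a quarantine decision into full access.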
The diagram below shows the various systems, and devices used by Prime Corp, along with users attached to the edge switches.
Figure 2: Systems and devices used by Prime Corp and users attached to the edge switches (PRIMECORP-PDC-1, PRIMECORP-NAP-1, a Summit X450a-24t aggregation stack, the Summit X250e-24p edge switch and JS-Workstation)
The table below summarizes the roles and functions performed by the devices in the network:

Table 1: Devices and roles in the Prime Corp network

Summit X250e-24p (edge switch)
  Performs authentication of attached users and devices such as phones using NetLogin.
  Provides network access to users.
  Multiple VLANs in the switch isolate users and devices in different broadcast domains based on the authentication and NAP policies.
  Layer 2 switch in this scenario.

Summit X450a-24t (aggregation/distribution switch)
  Provides connectivity to the rest of the campus network, including authentication servers, application servers, domain controllers and the Internet gateway.
  Layer 3 switch providing routing.

PRIMECORP-PDC-1 (Microsoft Windows 2008 Server; domain controller and root CA)
  Configured as the domain controller for primecorp.com.
  Contains Microsoft Active Directory (AD).
  Enterprise Root CA for primecorp.com.

PRIMECORP-NAP-1 (Microsoft Windows 2008 Server, member of domain primecorp.com; authentication server and NAP policy server)
  Acts as the authentication server for all users in the domain.
  Configured with NAP policies, which are enforced using features provided by ExtremeXOS NetLogin in the edge switches.

JS-WORKSTATION, BS-WORKSTATION (Microsoft Windows 7 Professional and Microsoft Windows Vista Business Edition workstations)

LAPTOP1 (Microsoft Windows XP laptop computer used by John Smith)
  Contains Service Pack 3 updates.
  Also contains all updates required for Group Policy client-side configuration.
Employee: uses a Microsoft Windows Vista Business Edition workstation (connected to port 2 of the edge switch)
In addition to configuring the NetLogin module, the VLAN and AAA modules must also be configured. The VLAN configuration provides reachability to the backend authentication servers and creates the various user VLANs in the switch. The AAA configuration gives the switch one or more RADIUS servers to contact for authentication.
VLAN Configuration
configure vlan default delete ports 1-26
create vlan authvlan
configure vlan authvlan tag 7
create vlan corp
configure vlan corp tag 2
create vlan corpvoice
configure vlan corpvoice tag 4
create vlan crmapps
configure vlan crmapps tag 6
create vlan quarantine
configure vlan quarantine tag 3
create vlan salesapps
configure vlan salesapps tag 5
configure vlan corp add ports 25 tagged
configure vlan corpvoice add ports 25 tagged
configure vlan crmapps add ports 25 tagged
configure vlan quarantine add ports 25 tagged
configure vlan salesapps add ports 25 tagged
configure vlan Mgmt ipaddress 10.127.2.18 255.255.255.0
configure vlan corp ipaddress 192.168.2.1 255.255.255.0
configure vlan authvlan ipaddress 192.168.100.1 255.255.255.0

NOTE None of the user VLANs contains user ports at this point; NetLogin adds ports to VLANs dynamically after authentication. Port 25 is the uplink port of the edge switch and is added as a tagged port to all user VLANs.
NetLogin Configuration
configure netlogin vlan authvlan
enable netlogin dot1x mac web-based
enable netlogin ports 1-8 dot1x
enable netlogin ports 9-16 mac
enable netlogin ports 17-24 web-based
configure netlogin ports 1 mode port-based-vlans
configure netlogin ports 1 no-restart
configure netlogin ports 2 mode port-based-vlans
configure netlogin ports 2 no-restart
configure netlogin ports 3 mode port-based-vlans
configure netlogin ports 3 no-restart
configure netlogin ports 4 mode port-based-vlans
configure netlogin ports 4 no-restart
configure netlogin ports 5 mode port-based-vlans
configure netlogin ports 5 no-restart
configure netlogin ports 6 mode port-based-vlans
configure netlogin ports 6 no-restart
configure netlogin ports 7 mode port-based-vlans
configure netlogin ports 7 no-restart
configure netlogin ports 8 mode port-based-vlans
configure netlogin ports 8 no-restart
configure netlogin ports 9 mode port-based-vlans
configure netlogin ports 9 no-restart
configure netlogin ports 10 mode port-based-vlans
configure netlogin ports 10 no-restart
configure netlogin ports 11 mode port-based-vlans
configure netlogin ports 11 no-restart
configure netlogin ports 12 mode port-based-vlans
configure netlogin ports 12 no-restart
configure netlogin ports 13 mode port-based-vlans
configure netlogin ports 13 no-restart
configure netlogin ports 14 mode port-based-vlans
configure netlogin ports 14 no-restart
configure netlogin ports 15 mode port-based-vlans
configure netlogin ports 15 no-restart
configure netlogin ports 16 mode port-based-vlans
configure netlogin ports 16 no-restart
configure netlogin ports 17 mode port-based-vlans
configure netlogin ports 17 no-restart
configure netlogin ports 18 mode port-based-vlans
configure netlogin ports 18 no-restart
configure netlogin ports 19 mode port-based-vlans
configure netlogin ports 19 no-restart
configure netlogin ports 20 mode port-based-vlans
configure netlogin ports 20 no-restart
configure netlogin ports 21 mode port-based-vlans
configure netlogin ports 21 no-restart
configure netlogin ports 22 mode port-based-vlans
configure netlogin ports 22 no-restart
configure netlogin ports 23 mode port-based-vlans
configure netlogin ports 23 no-restart
configure netlogin ports 24 mode port-based-vlans
configure netlogin ports 24 no-restart
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 ports 9-16

NOTE NetLogin uses the authvlan VLAN. Local database authentication is NOT used in this case study.
The screen shot below shows all the roles installed on this server.
We will now create a group called PRIMECORP_COMPUTERS and add the clients JS-WORKSTATION, BS-WORKSTATION and LAPTOP1 to it.

Steps:
1. Right click on Users.
2. Click New.
Steps:
1. Enter the group name PRIMECORP_COMPUTERS; ensure that the group type is Security and the group scope is Global.
2. Click OK.
Steps:
1. Enter the computer names as shown and click Check Names to ensure that all the computer names are recognized.
2. Click OK.
Steps:
1. Enter the details for the user as shown above.
2. Click Next.
We will now proceed to make the user John Smith a member of the SALES group.
Steps:
1. In the Dial-in tab, select Allow access.
2. Click on the Member Of tab.
Steps:
1. Click Add.
2. In the Select Groups dialog box, enter SALES in the object names field.
3. Click Check Names, ensure that the group name is resolved, and click OK.
4. Click OK again to close the properties dialog.
Steps:
1. Click Start.
2. Click Administrative Tools.
3. Click Network Policy Server.
Steps:
1. Expand RADIUS Clients and Servers in the left pane.
2. Right click RADIUS Clients.
3. Click New RADIUS Client.
Steps:
1. Select IEEE 802.1X (Wired) from the Network connection methods.
2. Enter the policy name (this case study uses Authenticate Corp Users NAP 802.1X (Wired)).
3. Click Next.
Steps:
1. Confirm that the switch configured earlier as a RADIUS client is selected.
2. Click Next.
Steps:
1. In the Select Group dialog box, enter the group name SALES.
2. Click Check Names.
3. Click OK.
In addition to the SALES group, this NAP policy will also be used to authenticate and authorize users in the ENGINEERING group.

Steps:
1. Click Add User.
Steps:
1. In the Select Group dialog box, enter the group name ENGINEERING.
2. Click Check Names to verify that the group name is resolved.
3. Click OK.
Steps:
1. Select the EAP type Secure Password (PEAP-MS-CHAP-v2).
2. Click Next.

The two screen shots below are optional steps for users who want to view the server certificate used by this authentication method. In this case study the server certificate was requested by PRIMECORP-NAP-1 and issued by PRIMECORP-PDC-1 (configured as the Enterprise Root CA for the domain primecorp.com). Because PEAP-MS-CHAP-v2 protects the inner MS-CHAP-v2 exchange only with the outer TLS tunnel, the clients should be configured to validate this server certificate against the PRIMECORP-PDC-1 CA and to accept only the expected server name; a supplicant that skips server validation will hand its credentials to any rogue 802.1X authenticator.
When NAP policies are created using the wizard, users can specify both the organizational network VLAN (used by supplicants that pass authentication and the health policies) and a restricted VLAN (used to isolate unhealthy supplicants, i.e. those that do not pass the health policy checks). In this case study we have chosen to configure these VLANs, and possibly other authorizations, separately after the NAP policies have been created by the wizard.
The Define NAP Health Policy step of the wizard lets administrators configure the health validator to use, auto-remediation (if desired) and the restrictions placed on computers that are not NAP-capable.

Steps:
1. Ensure that the default health validator, Windows Security Health Validator, is selected.
2. Unselect Enable auto-remediation of client computers.
3. Select Allow full network access to NAP-ineligible computers.
4. Click Next.

Note that granting full access to NAP-ineligible computers means any client that does not present a statement of health (for example a device without a NAP agent) bypasses the health check entirely; this is convenient for a test lab, but in production the NAP-ineligible case should be given its own restricted authorization.
The screen shot below shows the list of Network Policies which were created by the NAP conguration wizard.
The screen shot below shows the list of Health Policies which were created by the NAP conguration wizard.
Steps:
1. Under RADIUS Attributes in the left pane, click Standard.
2. Remove both attributes that appear by default, Framed-Protocol and Service-Type.
Steps:
1. Click OK.
2. Click Vendor Specific in the left pane.
3. Click Add in the right pane.
Steps:
1. Scroll down the list of attributes and select Vendor-Specific.
2. Click Add.
Steps:
1. Select the Enter Vendor Code option.
2. Enter 1916, the Extreme Networks vendor ID.
3. Select Yes, it conforms.
4. Click Configure Attribute.
Steps:
1. Enter 209 as the vendor-assigned attribute number; this denotes the Extreme-Netlogin-VLAN-ID VSA.
2. Select Decimal as the attribute format.
3. Enter 2 (the VLAN ID of the corp VLAN) as the attribute value.
4. Click OK twice to return to the list of vendor-specific attributes.
Steps:
1. Click on the Settings tab.
2. Under RADIUS Attributes in the left pane, select Standard.
3. Remove both attributes, Framed-Protocol and Service-Type.
Steps:
1. Under RADIUS Attributes in the left pane, click Vendor Specific.
2. Click Add in the right pane.
Steps:
1. Scroll to the end of the list of attributes and select Vendor-Specific.
2. Click Add.
Steps:
1. Select the Enter Vendor Code option.
2. Enter 1916.
3. Select Yes, it conforms.
4. Click Configure Attribute.
Steps:
1. Enter 209 as the attribute number.
2. Select Decimal as the attribute format.
3. Enter 3 (the VLAN ID of the quarantine VLAN) as the attribute value.
4. Click OK twice to return to the vendor-specific attributes.
Steps:
1. Under Policies in the left pane, click Health Policies.
2. Double click the policy Authenticate Corp Users NAP 802.1X (Wired) Compliant.
Steps:
1. Under SHVs used in this health policy, ensure that Windows Security Health Validator is selected.
2. Click OK.
Steps:
1. Under Network Access Protection in the left pane, click System Health Validators.
2. Double click Windows Security Health Validator in the right pane.
Steps:
1. Click on the Windows Vista tab and select only the following options:
   a. Under Firewall, select A firewall is enabled for all network connections.
   b. Under Automatic Updating, select Automatic updating is enabled.
2. Click on the Windows XP tab.

NOTE The settings on the Windows Vista tab also apply to Windows 7 clients.
Steps:
1. Ensure that the firewall and automatic update settings match those in the previous screenshot.
2. Click OK.
Steps:
1. Click Start.
2. Enter gpme.msc and press Enter to run the program.
Steps:
1. Enter a name for the new GPO (this case study uses NAP Client Settings GPO).
2. Click OK to start the Group Policy Management Editor.
Steps:
1. In the left pane, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\System Services.
2. In the right pane, double click Network Access Protection Agent.
Steps:
1. Select Define this policy setting.
2. Select Automatic.
3. Click OK.
Steps:
1. Select Define this policy setting.
2. Select Automatic.
3. Click OK.
Steps:
1. In the left pane, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Enforcement Clients.
2. In the right pane, right click EAP Quarantine Enforcement Client.
3. Click Enable.
Steps:
1. In the left pane, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection.
2. Right click NAP Client Configuration.
3. Click Apply.
Steps:
1. In the left pane, navigate to Computer Configuration\Policies\Administrative Templates: Policy definitions\Windows Components\Security Center.
2. In the right pane, double click Turn on Security Center (Domain PCs only).
Steps:
1. Under the Setting tab, select Enabled.
2. Click OK.
3. Optionally close the Group Policy Management Editor.
Steps:
1. In the left pane, navigate to Group Policy Management\Forest: primecorp.com\Domains\primecorp.com\Group Policy Objects\NAP Client Settings GPO.
2. In the right pane, under Security Filtering, select Authenticated Users.
3. Click Remove.
Steps:
1. Type the object name PRIMECORP_COMPUTERS.
2. Click Check Names to ensure that the object is resolved.
3. Click OK.
NOTE It is important that the group policy configuration is updated on all the clients before proceeding with the rest of the case study (running gpupdate /force on a client forces an immediate refresh). Users should verify, and if necessary troubleshoot, the group policy update on each client. In the following sections we mainly use the netsh command, and also check the startup settings of the relevant services, to confirm that the group policy update has been applied.
Steps:
1. Open a command prompt and enter the command netsh nap client show state.
2. Ensure that the EAP Quarantine Enforcement Client is initialized (Initialized = Yes).
Steps:
1. Open Control Panel.
2. Click on System and Security.
3. Click on Administrative Tools.
4. On the right pane, double click on Services.
Steps: Ensure that the service Network Access Protection Agent is set to start automatically.
Steps: Ensure that the service Wired AutoConfig is set to start automatically.
Steps:
1. Open a command prompt and enter the command netsh nap client show state.
2. Ensure that the EAP Quarantine Enforcement Client is initialized (Initialized = Yes).
Steps:
1. Open Control Panel.
2. Click on System and Maintenance.
3. Click on Administrative Tools.
4. In the right pane, double click on Services.
Steps: Ensure that the service Network Access Protection Agent is set to start automatically.
Steps: Ensure that the service Wired AutoConfig is set to start automatically.
Steps:
1. Open a command prompt and enter the command netsh nap client show state.
2. Ensure that the EAP Quarantine Enforcement Client is initialized (Initialized = Yes).
Steps:
1. Open Control Panel.
2. Double click on Administrative Tools.
3. Double click on Services.
Steps: Ensure that the Network Access Protection Agent is set to start automatically.
Steps: Ensure that the service Wired AutoConfig is set to start automatically.
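The client-side verification the steps above ask for (netsh nap client show state, then the start type of the Network Access Protection Agent and Wired AutoConfig services) as an added Python script; it is not part of the application note. The pure functions parse command output and run offline on the constructed, abbreviated samples embedded in the block, while check_live() runs the real netsh and sc qc commands on a Windows client. The service names napagent and dot3svc are the Windows service names behind the two display names; the exact layout of the sample output is an approximation of what the real commands print and is an assumption.

```python
import re
import subprocess

EAP_QEC = "EAP Quarantine Enforcement Client"
# Windows service names behind the display names used in the steps above:
# "Network Access Protection Agent" -> napagent, "Wired AutoConfig" -> dot3svc
REQUIRED_SERVICES = ("napagent", "dot3svc")
SC_AUTO_START = 2   # START_TYPE value that "sc qc" prints for AUTO_START


def parse_enforcement_clients(netsh_output):
    """Map each enforcement client listed by 'netsh nap client show state'
    to whether its 'Initialized' line says Yes."""
    clients, name = {}, None
    for line in netsh_output.splitlines():
        m = re.match(r"\s*Name\s*=\s*(.+?)\s*$", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s*Initialized\s*=\s*(Yes|No)\s*$", line)
        if m and name:
            clients[name] = m.group(1) == "Yes"
            name = None
    return clients


def parse_sc_start_type(sc_output):
    """Extract the numeric START_TYPE from 'sc qc <service>' output (None if absent)."""
    m = re.search(r"START_TYPE\s*:\s*(\d+)", sc_output)
    return int(m.group(1)) if m else None


def assess(netsh_output, sc_outputs):
    """Return (ready, problems) from raw command output; pure, so it runs offline."""
    problems = []
    if not parse_enforcement_clients(netsh_output).get(EAP_QEC, False):
        problems.append(f"{EAP_QEC} is not initialized")
    for svc in REQUIRED_SERVICES:
        if parse_sc_start_type(sc_outputs.get(svc, "")) != SC_AUTO_START:
            problems.append(f"service {svc} is not set to start automatically")
    return (not problems, problems)


def _run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def check_live():
    """Run the real commands on a Windows client and assess the result."""
    netsh = _run(["netsh", "nap", "client", "show", "state"])
    sc = {svc: _run(["sc", "qc", svc]) for svc in REQUIRED_SERVICES}
    return assess(netsh, sc)


# Constructed, abbreviated samples of the two commands' output (layout assumed).
SAMPLE_NETSH = """\
Client state:
----------------------------------------------------
Name                   = Network Access Protection Client
Status                 = Enabled
Restriction state      = Not restricted

Enforcement client state:
----------------------------------------------------
Name                   = DHCP Quarantine Enforcement Client
Initialized            = No

Name                   = EAP Quarantine Enforcement Client
Initialized            = Yes
"""
SAMPLE_SC = {
    "napagent": """\
SERVICE_NAME: napagent
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        DISPLAY_NAME       : Network Access Protection Agent
""",
    "dot3svc": """\
SERVICE_NAME: dot3svc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        DISPLAY_NAME       : Wired AutoConfig
""",
}

if __name__ == "__main__":
    ready, problems = assess(SAMPLE_NETSH, SAMPLE_SC)
    print("client ready" if ready else "client not ready", problems)
```

Run check_live() on a client after gpupdate to get the same (ready, problems) pair from the live machine; a client whose Wired AutoConfig service is still on demand start shows up in the problems list rather than silently failing 802.1X later.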
Steps:
1. Select Enable IEEE 802.1X authentication.
2. Select the method Microsoft Protected EAP (PEAP).
3. Click on Settings.
Steps:
1. Select Validate server certificate.
2. Under Select Authentication Method, select Secured password (EAP-MSCHAP-V2).
3. Click on Configure.
Steps: It is recommended that the option Automatically use my Windows logon name and password be selected. If this option is not selected, the user will have to enter credentials every time the client authenticates.
Steps:
1. Click on the Authentication tab.
2. Select the option Enable IEEE 802.1X authentication.
3. Under Choose a network authentication method, select Microsoft Protected EAP (PEAP).
4. Click Settings.
Steps:
1. Select Validate server certificate.
2. Under Select Authentication Method, select the Secured password (EAP-MSCHAP-V2) option.
3. Select Enable Quarantine checks.
4. Click on Configure.
Steps: It is recommended that the option Automatically use my Windows logon name and password is selected.
Steps:
1. Under the Authentication tab, select Enable IEEE 802.1X authentication.
2. Select Protected EAP in Choose a network authentication method.
3. Click on Settings.
Steps:
1. Select Validate server certificate.
2. Under Select Authentication Method, select Secured password (EAP-MSCHAP-V2).
3. Select Enable Quarantine checks.
4. Click Configure.
Steps: It is recommended that the option Automatically use my Windows logon name and password is selected.
The screen shot below shows the events available on the Event Viewer program on the NAP server (PRIMECORP-NAP-1). The event selected and shown below is generated by NPS, and shows that the client (Username: john_smith) has met all the health policy requirements.
The screen shot below shows the events available on the Event Viewer program on the NAP server (PRIMECORP-NAP-1). The event selected and shown below is generated by NPS, and shows that the client (Username: bob_stone) has met all the health policy requirements.
The screen shot below shows the events available on the Event Viewer program on the NAP server (PRIMECORP-NAP-1). The event selected and shown below is generated by NPS, and shows that the client (Username: john_smith logging in from host LAPTOP1) has met all the health policy requirements.
The following snippet shows that the ports from which the clients have logged on to the network have been added to the corp VLAN.
X250e-24p.5 # show corp
VLAN Interface with name corp created by user
    Admin State:         Enabled     Tagging:   802.1Q Tag 2
    Virtual router:      VR-Default
    Primary IP :         192.168.2.1/24
    IPv6:                None
    STPD:                None
    Protocol:            Match all unfiltered protocols
    Loopback:            Disabled
    NetLogin:            Disabled
    QosProfile:          None configured
    Egress Rate Limit Designated Port: None configured
    Flood Rate Limit QosProfile:       None configured
    Ports:   4.   (Number of active ports=4)
       Untag:  *1a,  *2a,  *3a
       Tag:    *25
    Flags:  (*) Active, (!) Disabled, (g) Load Sharing port
            (b) Port blocked on the vlan, (m) Mac-Based port
            (a) Egress traffic allowed for NetLogin
            (u) Egress traffic unallowed for NetLogin
            (t) Translate VLAN tag for Private-VLAN
            (s) Private-VLAN System Port, (L) Loopback port
            (e) Private-VLAN End Point Port
            (x) VMAN Tag Translated port
The snippet below shows the state recorded by the ExtremeXOS NetLogin module for each of the clients.
X250e-24p.5 # show netlogin port 1-3
Port : 1                  Port Restart : Disabled        Allow Egress : None
Vlan : corp               Authentication : 802.1x        Port State : Enabled
Guest Vlan : Disabled     Auth Failure Vlan : Disabled   Auth Service-Unavailable Vlan : Disabled

  MAC                IP address      Authenticated   Type     ReAuth-Timer  User
  00:11:11:cd:74:6b  192.168.2.102   Yes, Radius     802.1x   2995          PRIMECORP\john_smith
----------------------------------------------
(B) - Client entry Blackholed in FDB

Port : 2                  Port Restart : Disabled        Allow Egress : None
Vlan : corp               Authentication : 802.1x        Port State : Enabled
Guest Vlan : Disabled     Auth Failure Vlan : Disabled   Auth Service-Unavailable Vlan : Disabled

  MAC                IP address      Authenticated   Type     ReAuth-Timer  User
  00:11:43:4c:90:6f  192.168.2.101   Yes, Radius     802.1x   3577          PRIMECORP\bob_stone
----------------------------------------------
(B) - Client entry Blackholed in FDB

Port : 3                  Port Restart : Disabled        Allow Egress : None
Vlan : corp               Authentication : 802.1x        Port State : Enabled
Guest Vlan : Disabled     Auth Failure Vlan : Disabled   Auth Service-Unavailable Vlan : Disabled

  MAC                IP address      Authenticated   Type     ReAuth-Timer  User
  00:11:43:51:b9:63  192.168.2.103   Yes, Radius     802.1x   2995          PRIMECORP\john_smith
----------------------------------------------
(B) - Client entry Blackholed in FDB
The screen shot below shows that the server (PRIMECORP-NAP-1) attempted to quarantine the unhealthy supplicant.
The screen shot below is an event generated by the NPS program and indicates that the client has not met the health policy requirements.
The screen shot below (scroll down for the event details) shows the reason the client was deemed noncompliant.
Steps: Observe that the Network Access Protection agent displays an error message to indicate that the computer is not compliant with the health policy requirements. A recommendation for remediation is also shown in the same window.
Steps: Observe that the Network Access Protection agent displays an error message to indicate that the computer is not compliant with the health policy requirements. A recommendation for remediation is also shown in the same window.
  MAC                IP address      Authenticated   Type     ReAuth-Timer  User
  00:11:11:cd:74:6b  0.0.0.0         Yes, Radius     802.1x   3509          PRIMECORP\john_smith
----------------------------------------------
(B) - Client entry Blackholed in FDB

Port : 2                  Port Restart : Disabled        Allow Egress : None
Vlan : quarantine         Authentication : 802.1x        Port State : Enabled
Guest Vlan : Disabled     Auth Failure Vlan : Disabled   Auth Service-Unavailable Vlan : Disabled

  MAC                IP address      Authenticated   Type     ReAuth-Timer  User
  00:11:43:4c:90:6f  0.0.0.0         Yes, Radius     802.1x   3507          PRIMECORP\bob_stone
----------------------------------------------
(B) - Client entry Blackholed in FDB

Port : 3                  Port Restart : Disabled        Allow Egress : None
Vlan : quarantine         Authentication : 802.1x        Port State : Enabled
Guest Vlan : Disabled     Auth Failure Vlan : Disabled   Auth Service-Unavailable Vlan : Disabled

  MAC                IP address      Authenticated   Type     ReAuth-Timer  User
  00:11:43:51:b9:63  0.0.0.0         Yes, Radius     802.1x   3508          PRIMECORP\john_smith
----------------------------------------------
(B) - Client entry Blackholed in FDB
Steps:
1. Select the option Enter Vendor Code.
2. Enter the vendor code 1916.
3. Select Yes, it conforms.
4. Click Configure Attribute.
Steps:
1. Enter 209 as the Vendor assigned attribute number.
2. Select Decimal as the format.
3. Enter the value 2 as the attribute value.
4. Click OK.
5. Click Add again to add a new VSA.
NOTE We are now placing the unhealthy supplicants in the corp VLAN (VID = 2), but we will restrict access to a limited set of hosts.
Steps:
1. Enter the value 1916 as the vendor code.
2. Select Yes, it conforms.
3. Click Configure Attribute.
Steps:
1. Enter the value 45 as the attribute number.
2. Select Decimal as the format.
3. Enter the value 1 as the attribute value.
4. Click OK twice.
NOTE This is the MS-Quarantine-State attribute described in Section 4.1.3, Restricted network access using Access Control Lists.
Steps:
1. Select Microsoft as the vendor code.
2. Select Yes, it conforms.
3. Click Configure Attribute.
Steps:
1. Enter the value 52 as the attribute number.
2. Select Hexadecimal as the attribute format.
3. Enter 0xC0A8020B as the value (equivalent to the IP address 192.168.2.11 of the edge switch).
4. Click OK three times.
NOTE This is the MS-IPv4-Remediation-Server attribute described in Section 4.1.3, Restricted network access using Access Control Lists.
Steps: Observe that all the three VSAs are now included in the policy.
Steps:
1. On the left pane, right click on Network Policies.
2. Click Refresh.
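The three VSAs configured in the steps above, as an added Python example that is not part of the application note: it encodes them into the RADIUS Vendor-Specific attribute format of RFC 2865 (the form in which NPS carries them in its Access-Accept to the switch) and decodes them back with length checks. The Microsoft vendor id 311, the dictionary name Extreme-Netlogin-Vlan-Tag for Extreme attribute 209, the plural name MS-IPv4-Remediation-Servers and the MS-Quarantine-State value meanings come from the vendor RADIUS dictionaries rather than from the page; treating the NPS Decimal format as a 4-byte integer and the Hexadecimal value as raw octets is an assumption.

```python
import ipaddress
import struct

# RFC 2865 section 5.26: Type 26, Length, Vendor-Id (4 bytes), then
# Vendor-Type, Vendor-Length and Value of the vendor attribute itself.
VENDOR_SPECIFIC = 26
VENDOR_EXTREME = 1916      # vendor code entered in the first NPS dialog above
VENDOR_MICROSOFT = 311     # IANA enterprise number NPS uses for "Microsoft"

# Attribute names from the Extreme and Microsoft RADIUS dictionaries (not on the page).
ATTR_NAMES = {
    (VENDOR_EXTREME, 209): "Extreme-Netlogin-Vlan-Tag",
    (VENDOR_MICROSOFT, 45): "MS-Quarantine-State",
    (VENDOR_MICROSOFT, 52): "MS-IPv4-Remediation-Servers",
}
QUARANTINE_STATES = {0: "Full Access", 1: "Quarantine", 2: "Probation"}


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute carrying a single vendor sub-attribute."""
    if isinstance(value, int):
        data = struct.pack("!I", value)      # NPS "Decimal" format -> 4-byte integer (assumed)
    elif isinstance(value, ipaddress.IPv4Address):
        data = value.packed                  # 192.168.2.11 -> C0 A8 02 0B, the hex typed above
    else:
        data = bytes(value)
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsas(attrs):
    """Walk a RADIUS attribute list and return [(vendor_id, vendor_type, raw bytes)].
    Every length field is validated so a truncated packet raises instead of being misread."""
    found, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        if atype == VENDOR_SPECIFIC:
            body = attrs[i + 2:i + alen]
            if len(body) < 6:
                raise ValueError("vendor-specific attribute too short")
            vendor_id, j = struct.unpack("!I", body[:4])[0], 4
            while j < len(body):
                if j + 2 > len(body):
                    raise ValueError("truncated vendor attribute header")
                vtype, vlen = body[j], body[j + 1]
                if vlen < 2 or j + vlen > len(body):
                    raise ValueError("bad vendor attribute length")
                found.append((vendor_id, vtype, bytes(body[j + 2:j + vlen])))
                j += vlen
        i += alen
    return found


def interpret(vendor_id, vendor_type, raw):
    """Turn one decoded vendor attribute into (name, value) using the tables above."""
    name = ATTR_NAMES.get((vendor_id, vendor_type), f"Vendor-{vendor_id}-Attr-{vendor_type}")
    if name == "MS-IPv4-Remediation-Servers":
        # the value is one or more 4-byte IPv4 addresses back to back
        return name, [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]
    if name == "MS-Quarantine-State":
        state = struct.unpack("!I", raw)[0]
        return name, QUARANTINE_STATES.get(state, state)
    if len(raw) == 4:
        return name, struct.unpack("!I", raw)[0]
    return name, raw


def quarantine_access_accept():
    """The three VSAs the noncompliant policy above adds to its Access-Accept."""
    return b"".join([
        encode_vsa(VENDOR_EXTREME, 209, 2),                                       # corp VLAN, VID 2
        encode_vsa(VENDOR_MICROSOFT, 45, 1),                                      # MS-Quarantine-State = 1
        encode_vsa(VENDOR_MICROSOFT, 52, ipaddress.IPv4Address("192.168.2.11")),  # remediation server
    ])


def describe(attrs):
    """Decode a blob of RADIUS attributes into {attribute name: value}."""
    return dict(interpret(*item) for item in decode_vsas(attrs))


if __name__ == "__main__":
    packet = quarantine_access_accept()
    print(packet.hex())
    print(describe(packet))
```

describe() can be pointed at the attribute section of a captured Access-Accept to confirm what NPS actually sent the switch, which is the quickest way to tell an NPS policy problem from a NetLogin one when a client lands in the wrong VLAN.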
* X250e-24p.76 # show netlogin port 1
Port : 1                  Port Restart : Disabled        Allow Egress : None
Vlan : corp               Authentication : 802.1x        Port State : Enabled
Guest Vlan : Disabled     Auth Failure Vlan : Disabled   Auth Service-Unavailable Vlan : Disabled

  MAC                IP address      Authenticated   Type     ReAuth-Timer  User
  00:11:11:cd:74:6b  192.168.2.102   Yes, Radius     802.1x   3544          PRIMECORP\john_smith
----------------------------------------------
(B) - Client entry Blackholed in FDB
Details of the ACLs applied can be seen using the show access-list command.
* X250e-24p.77 # show access-list dynamic
Dynamic Rules: ((*)- Rule is non-permanent )
  (*)hclag_arp_0_4_96_28_b_c1     Bound to 0 interfaces for application HealthCheckLAG
  (*)nl001111cd746b_2_10001       Bound to 1 interfaces for application NetLogin
  (*)nl001111cd746b_3_10001       Bound to 1 interfaces for application NetLogin
  (*)nl001111cd746b_4_10001       Bound to 1 interfaces for application NetLogin
  (*)nl_0_1_10001                 Bound to 1 interfaces for application NetLogin
* X250e-24p.78 # show access-list dynamic rule nl001111cd746b_2_10001
entry nl001111cd746b_2_10001 {
    if match all {
        ethernet-source-address 00:11:11:cd:74:6b ;
        ethernet-destination-address ff:ff:ff:ff:ff:ff ;
    } then {
        permit ;
    }
}

* X250e-24p.79 # show access-list dynamic rule nl001111cd746b_3_10001
entry nl001111cd746b_3_10001 {
    if match all {
        ethernet-type 34958 ;
        ethernet-source-address 00:11:11:cd:74:6b ;
    } then {
        permit ;
    }
}
* X250e-24p.80 # show access-list dynamic rule nl001111cd746b_4_10001
entry nl001111cd746b_4_10001 {
    if match all {
        ethernet-source-address 00:11:11:cd:74:6b ;
    } then {
        deny ;
    }
}

* X250e-24p.81 # show access-list dynamic rule nl_0_1_10001
entry nl_0_1_10001 {
    if match all {
        destination-address 192.168.2.11/255.255.255.255 ;
    } then {
        permit ;
    }
}
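What the four dynamic ACL entries above let the quarantined client do, as an added Python example that is not part of the application note: it parses the entries in the switch's policy syntax (copied into a constant so the script runs offline) and evaluates constructed frames against them first-match. ethernet-type 34958 is 0x888E, the IEEE 802.1X EAPOL ethertype, so the second and third entries keep broadcast (ARP, DHCP discovery) and re-authentication working while the fourth drops everything else from that MAC. Two points are assumptions rather than page facts: the evaluation order used here (the remediation-server permit and the two per-MAC permits are checked before the per-MAC deny, which is the only order that matches the intent stated in the NOTE above), and the default of forwarding a frame that no entry matches.

```python
import ipaddress
import re

EAPOL_ETHERTYPE = 0x888E   # 34958 decimal, as shown in entry nl001111cd746b_3_10001

# The page's four entries, in the assumed evaluation order (permits before the deny).
ACL_TEXT = """
entry nl_0_1_10001 { if match all { destination-address 192.168.2.11/255.255.255.255 ; } then { permit ; } }
entry nl001111cd746b_2_10001 { if match all { ethernet-source-address 00:11:11:cd:74:6b ; ethernet-destination-address ff:ff:ff:ff:ff:ff ; } then { permit ; } }
entry nl001111cd746b_3_10001 { if match all { ethernet-type 34958 ; ethernet-source-address 00:11:11:cd:74:6b ; } then { permit ; } }
entry nl001111cd746b_4_10001 { if match all { ethernet-source-address 00:11:11:cd:74:6b ; } then { deny ; } }
"""

ENTRY_RE = re.compile(
    r"entry\s+(?P<name>\S+)\s*\{\s*if\s+match\s+all\s*\{(?P<conds>.*?)\}"
    r"\s*then\s*\{\s*(?P<action>permit|deny)\s*;\s*\}\s*\}",
    re.DOTALL,
)


def parse_acl(text):
    """Return [(name, {match-key: value}, action)] in the order the entries appear."""
    rules = []
    for m in ENTRY_RE.finditer(text):
        conds = {}
        for cond in m.group("conds").split(";"):
            parts = cond.split()
            if parts:
                conds[parts[0]] = parts[1]
        rules.append((m.group("name"), conds, m.group("action")))
    return rules


def _matches(conds, frame):
    """True when every condition of a 'match all' entry holds for the frame."""
    for key, want in conds.items():
        if key == "ethernet-source-address":
            if frame.get("src_mac", "").lower() != want.lower():
                return False
        elif key == "ethernet-destination-address":
            if frame.get("dst_mac", "").lower() != want.lower():
                return False
        elif key == "ethernet-type":
            if frame.get("ethertype") != int(want, 0):
                return False
        elif key == "destination-address":
            addr, mask = want.split("/")
            net = ipaddress.IPv4Network((addr, mask), strict=False)
            if "dst_ip" not in frame or ipaddress.IPv4Address(frame["dst_ip"]) not in net:
                return False
        else:
            raise ValueError(f"unsupported match condition: {key}")
    return True


def evaluate(rules, frame):
    """First matching entry decides; a frame no entry matches is forwarded (assumed default)."""
    for name, conds, action in rules:
        if _matches(conds, frame):
            return action, name
    return "permit", None


# Constructed sample frames. The quarantined MAC is the one in the entries above;
# the other MACs and the 192.168.2.50 server address are invented for the example.
QUARANTINED_MAC = "00:11:11:cd:74:6b"
GATEWAY_MAC = "00:00:5e:00:53:01"
SAMPLE_FRAMES = {
    "arp broadcast": {"src_mac": QUARANTINED_MAC, "dst_mac": "ff:ff:ff:ff:ff:ff", "ethertype": 0x0806},
    "eapol to authenticator": {"src_mac": QUARANTINED_MAC, "dst_mac": "01:80:c2:00:00:03",
                               "ethertype": EAPOL_ETHERTYPE},
    "ip to remediation server": {"src_mac": QUARANTINED_MAC, "dst_mac": GATEWAY_MAC,
                                 "ethertype": 0x0800, "dst_ip": "192.168.2.11"},
    "ip to file server": {"src_mac": QUARANTINED_MAC, "dst_mac": GATEWAY_MAC,
                          "ethertype": 0x0800, "dst_ip": "192.168.2.50"},
    "other client to file server": {"src_mac": "00:00:5e:00:53:02", "dst_mac": GATEWAY_MAC,
                                    "ethertype": 0x0800, "dst_ip": "192.168.2.50"},
}


def evaluate_samples():
    """Action taken for each sample frame under the page's four entries."""
    rules = parse_acl(ACL_TEXT)
    return {label: evaluate(rules, frame)[0] for label, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for label, action in evaluate_samples().items():
        print(f"{label:30s} -> {action}")
```

The "other client" case is the one to watch when reviewing this design: the deny is per source MAC, so a host with no NetLogin rules of its own (a compliant client, or one that authenticated on a port where the rules were not installed) is unrestricted, and the quarantine only holds as long as the per-MAC entries are bound.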
Corporate and North America Extreme Networks, Inc. 3585 Monroe Street Santa Clara, CA 95051 USA Phone +1 408 579 2800
Europe, Middle East, Africa and South America Phone +31 30 800 5100
www.extremenetworks.com
2011 Extreme Networks, Inc. All rights reserved. Extreme Networks, the Extreme Networks Logo, ExtremeXOS and Summit are either registered trademarks or trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other trademarks are the trademarks of their respective owners. Specifications are subject to change without notice. 1709_01 11/11