Adding an 802.1x switch policy for a LAN Enforcer appliance with a wizard
Article: HOWTO81749 | Created: 2012-10-25 | Updated: 2012-10-25 | Article URL: http://www.symantec.com/docs/HOWTO81749
You can add multiple 802.1x-aware switches for use with a LAN Enforcer appliance as part of a switch policy. You must enter the information that is needed to configure the LAN Enforcer appliance interaction with the switch.
To add an 802.1x switch policy for a LAN Enforcer appliance with a wizard
In Symantec Endpoint Protection Manager, click Admin.
Click Servers.
Select the Enforcer group.
Under Tasks, click Edit Group Properties.
In the LAN Enforcer Settings dialog box, on the Switch tab, click Add.
In the Welcome to the Switch Policy Configuration Wizard panel of the Switch Policy Configuration Wizard, click Next.
In the Basic Information panel of the Switch Policy Configuration Wizard, complete the following tasks:
In the Basic Information panel of the Switch Policy Configuration Wizard, click Next.
In the Switch List panel of the Switch Policy Configuration Wizard, click Add.
Complete the following tasks:
Name
In the Add Single Internal IP Address dialog box, type a friendly name for the switch policy that identifies the 802.1x-aware switch in the Name field.
Single IP Address
In the Add Single Internal IP Address dialog box, click Single IP address. Then type the IP address of the 802.1x-aware switch in the IP Address field.
IP Address Range
In the Add Internal IP Address Range dialog box, click IP Address Range. Type the beginning IP address for the 802.1x-aware switch in the Starting IP Address field. Type the ending IP address of the IP address range for the 802.1x-aware switch in the End IP field.
Subnet
In the Add Internal IP Address Subnet dialog box, click Subnet. Type the IP address for the subnet in the IP address field and the subnet in the Subnet Mask field.
When you specify a switch policy for a LAN Enforcer appliance, you can associate the switch policy with one or more 802.1x-aware switches.
In the Add Internal IP address dialog box, click OK.
In the Switch List panel of the Switch Policy Configuration Wizard, click Next.
In the Switch VLAN Configuration panel of the Switch Policy Configuration Wizard, click Add.
In the Add VLAN dialog box, complete the following tasks:
VLAN ID
Type an integer that can range from 1 to 4094 in the VLAN ID field.
The VLAN ID must be the same as the one that is configured on the 802.1x-aware switch except for the Aruba switch.
If you plan to add VLAN information about an Aruba switch, you may want to configure VLAN and role information differently than you have for other 802.1x switches.
See Configuring VLAN and role information on the 802.1x-aware Aruba switch.
VLAN Name
Type a name of the VLAN.
The name for the VLAN can be up to 64 characters. It is case sensitive.
The VLAN name must be the same as the one that is configured on the 802.1x-aware switch except for the Aruba switch.
If you plan to add VLAN information about an Aruba switch, you may want to configure VLAN and role information that is different from other 802.1x switches.
See Configuring VLAN and role information on the 802.1x-aware Aruba switch.
Send customized RADIUS attributes to switch
Check Send customized RADIUS attributes to switch if you want the LAN Enforcer to send a customized RADIUS attribute to the 802.1x-aware switch. An attribute can be an access control list (ACL).
Customized attributes in hex format
Type the RADIUS attribute in hex format.
The length must be even.
When you specify a switch policy for a LAN Enforcer, you use the VLAN tab to add the VLAN information for each VLAN that is configured on the switch. You want the switch policy to be available for use by the LAN Enforcer as an action. The best practice is to specify at least one remediation VLAN.
Click OK.
In the Switch VLAN Configuration panel of the Switch Policy Configuration Wizard, click Next.
In the Switch Action Configuration panel of the Switch Policy Configuration Wizard, click Add.
In the Add Switch Action dialog box, complete the following tasks:
Host Authentication
Click any of the following conditions:
Passed
Failed
Unavailable
Ignore Result
A typical situation in which a Host Integrity check becomes unavailable would be the result of a client not running. If you set Host Authentication to Unavailable, you must also set Policy Check to Unavailable.
User Authentication
Click any of the following conditions:
Passed
The client has passed user authentication.
Failed
The client has not passed user authentication.
Unavailable
The user authentication result is always unavailable if user authentication is not performed in transparent mode. If you use the LAN Enforcer in transparent mode, you must create an action for the Unavailable condition.
If you use the basic configuration, you may also want to configure an action for the user authentication as an error condition. For example, an 802.1x supplicant uses an incorrect user authentication method or the RADIUS server fails in the middle of the authentication transaction.
The user authentication's Unavailable condition may also occur on some RADIUS servers if the user name does not exist in the RADIUS database. For example, this problem may occur with Microsoft IAS. Therefore you may want to test the condition of a missing user name with your RADIUS server. You may want to see whether it matches the Failed or Unavailable user authentication conditions.
Ignore Result
A typical situation in which a Host Integrity check becomes unavailable would be the result of a client not running. If you set Policy Check to Unavailable, you must also set Host Authentication to Unavailable.
Policy Check
Click any of the following conditions:
Passed
The client has passed the Policy Check.
Failed
The client has not passed the Policy Check.
Unavailable
The Unavailable result for the policy may occur under the following conditions:
If the client has an invalid identifier, then the LAN Enforcer cannot obtain any policy information from the management server. This problem can occur if the management server that deployed the client policy is no longer available.
If the client is first exported and installed before it connects to the management server and receives its policy.
Ignore Result
Action
You can select the following actions that the 802.1x-aware switch performs when the conditions are met:
Open Port
The 802.1x-aware switch allows network access on the default VLAN to which the port is normally assigned. It also allows network access on the VLAN that is specified in an attribute that is sent from the RADIUS server. Therefore the support of users having VLAN access is based on user ID and user role.
The default action is Open Port.
Switch to VLAN-test
Allows access to the specified VLAN. The VLANs that are available to select are the ones that you configured previously.
Close Port
Deny network access on the default or RADIUS-specified VLAN. On some switch models, depending on the switch configuration, the port is assigned to a guest VLAN.
For the Aruba switch, you can restrict access according to a specified role as well as a specified VLAN. The restrictions depend on how you configured the VLAN information for the switch policy.
In the Add Switch Action dialog box, click OK.
In the Switch Action Configuration panel of the Switch Policy Configuration Wizard, in the Switch Action table, click the switch action policy whose priority you want to change.
The LAN Enforcer checks the authentication results against the entries in the switch action table in the order from top to bottom of the table. After it finds a matching set of conditions, it instructs the 802.1x-aware switch to apply that action. You can change the sequence in which actions are applied by changing the order in which they are listed in the table.
Click Move Up or Move Down.
Click Next.
In the Complete the Switch Policy Configuration panel of the Switch Policy Configuration Wizard, click Finish.
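The following is an added example, not code from the article or from the LAN Enforcer product: a small Python model of the switch action table described above, showing top-to-bottom first-match evaluation with Ignore Result as a wildcard, the rule that Host Authentication and Policy Check must both be Unavailable together, and the even-length check on a customized RADIUS attribute. The class and function names and the sample table are assumptions constructed for illustration.

```python
"""Model of how a LAN Enforcer switch-action table is evaluated (added example, not Symantec code)."""
from typing import List, NamedTuple, Optional

RESULTS = ("Passed", "Failed", "Unavailable")
ANY = "Ignore Result"  # wildcard condition that matches every result

class SwitchAction(NamedTuple):
    host_auth: str     # Host Authentication condition
    user_auth: str     # User Authentication condition
    policy_check: str  # Policy Check condition
    action: str        # "Open Port", "Switch to VLAN:<name>" or "Close Port"

def radius_attribute_bytes(hex_attr: str) -> Optional[bytes]:
    """Customized RADIUS attribute typed in hex; the article requires an even length."""
    if not hex_attr or len(hex_attr) % 2:
        return None
    try:
        return bytes.fromhex(hex_attr)
    except ValueError:
        return None

def action_errors(a: SwitchAction) -> List[str]:
    """Return the configuration problems in one row (empty list when the row is valid)."""
    errs = [f"unknown condition {c!r}" for c in (a.host_auth, a.user_auth, a.policy_check)
            if c not in RESULTS and c != ANY]
    # Article rule: Unavailable Host Authentication requires Unavailable Policy Check, and vice versa.
    if (a.host_auth == "Unavailable") != (a.policy_check == "Unavailable"):
        errs.append("Host Authentication and Policy Check must both be Unavailable")
    return errs

def evaluate(table: List[SwitchAction], host: str, user: str, policy: str) -> Optional[str]:
    """First row, top to bottom, whose three conditions all match wins; None if no row matches."""
    for row in table:
        if all(c == ANY or c == r for c, r in
               ((row.host_auth, host), (row.user_auth, user), (row.policy_check, policy))):
            return row.action
    return None

# Constructed table: remediation rows come first so a later Open Port row cannot shadow them.
TABLE = [
    SwitchAction("Failed", ANY, ANY, "Switch to VLAN:Remediation"),
    SwitchAction("Unavailable", ANY, "Unavailable", "Switch to VLAN:Remediation"),
    SwitchAction(ANY, "Failed", ANY, "Close Port"),
    SwitchAction("Passed", "Passed", "Passed", "Open Port"),
]
```

Reordering the rows (for example moving the Open Port row to the top with Ignore Result conditions) changes which action a failed client receives, which is why the Move Up and Move Down order matters.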
Legacy ID
v7549106_v81664632