Symantec Network Access Control 11.0 LAN Enforcement Overview
Article: TECH102536 | Created: 2007-01-26 | Updated: 2008-01-20 | Article URL: http://www.symantec.com/docs/TECH102536
Problem
You would like an overview of how LAN Enforcement works.
Solution
Symantec Network Access Control - LAN Enforcement
Overview
LAN Enforcer can be seen as an authentication framework that verifies a user and/or computer with a central authority before granting access to the network.
- LAN Enforcer leverages a technology that was initially designed for wireless LANs. More specifically, it relies on the 802.1x protocol, which Cisco calls "dot1x".
- 802.1x is an IEEE standard that enhances the security of wired and wireless LANs. Comprehensive information about 802.1x is available on Wikipedia.
- Requires 802.1x-compliant switches (older switches may not support it)
- Works with multiple authentication protocols such as Extensible Authentication Protocol (EAP)
- Can optionally be used in conjunction with RADIUS (Remote Authentication Dial In User Service), also known as AAA or "triple A" (Authentication, Authorization, Accounting)
- If a client is non-compliant, the LAN Enforcer can assign the client to a Quarantine VLAN
- LAN Enforcer can be used in two modes: Full 802.1x (or basic) mode and Transparent mode
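The Quarantine VLAN step above rests on standard RADIUS behaviour: the RADIUS side (here the LAN Enforcer) returns the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes (RFC 2868, used for VLAN assignment per RFC 3580) in its Access-Accept, and the switch checks the Response Authenticator before moving the port. The following Python is an added example, not Symantec's or Cisco's code; the shared secret, identifier, Request Authenticator and VLAN 30 are constructed values, and the attribute mechanism is the generic 802.1x one rather than anything the article itself specifies.

```python
import hashlib

# Constructed sample values, not taken from the article: shared secret,
# the switch's Request Authenticator (random in a real exchange) and VLAN ID.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
QUARANTINE_VLAN = 30

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def _avp(attr_type, value):
    """Encode one RADIUS attribute as type (1 byte), length (1 byte), value."""
    return bytes([attr_type, 2 + len(value)]) + value


def build_access_accept(identifier, request_auth, vlan_id, secret=SHARED_SECRET):
    """Build the Access-Accept that tells the switch to put the port in vlan_id."""
    # Each tunnel attribute starts with tag byte 0x00 (not part of a tagged group).
    attrs = (
        _avp(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _avp(TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + _avp(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan_id).encode())
    )
    header = bytes([ACCESS_ACCEPT, identifier]) + (20 + len(attrs)).to_bytes(2, "big")
    # Response Authenticator (RFC 2865): MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def switch_accepts(packet, request_auth, secret=SHARED_SECRET):
    """The check the switch makes before honouring the reply: code and authenticator."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return packet[0] == ACCESS_ACCEPT and resp_auth == expected


def assigned_vlan(packet):
    """Return the VLAN from Tunnel-Private-Group-ID if Type/Medium say 802 VLAN."""
    pos, seen, vlan = 20, set(), None
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return None  # malformed attribute: refuse rather than guess
        value = packet[pos + 2:pos + attr_len]
        if attr_type == TUNNEL_TYPE and int.from_bytes(value[1:], "big") == TUNNEL_TYPE_VLAN:
            seen.add("type")
        elif attr_type == TUNNEL_MEDIUM_TYPE and int.from_bytes(value[1:], "big") == TUNNEL_MEDIUM_IEEE_802:
            seen.add("medium")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:  # tag byte is optional (<= 0x1F)
            vlan = int((value[1:] if value[0] <= 0x1F else value).decode())
        pos += attr_len
    return vlan if seen == {"type", "medium"} else None
```

A reply whose authenticator does not match the shared secret is dropped by the switch, which is why the secret configured on the switch and on the RADIUS host in the steps below must agree.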
Full 802.1x Mode - With RADIUS authentication
In this mode, the Enforcer also takes the user's RADIUS authentication into consideration, as opposed to Transparent mode, where RADIUS authentication is not used.
Prerequisites:
- 802.1x capable switches
- 802.1x deployments need to be well planned
- backend (RADIUS) infrastructure
- SEP/SNAC client needs to be configured as an 802.1x supplicant
How it works

Transparent Mode
In this mode, RADIUS authentication is ignored.
Prerequisites:
- 802.1x capable switches
- 802.1x deployments need to be well planned
- SEP/SNAC client needs to be configured as an 802.1x supplicant
- Symantec Transparent Mode has to be selected
How it works

The authentication process in more detail
Note: SMS = SEPM / SSA = SEP

Cisco switch configuration file example

Setting up an 802.1x Environment
Sygate Technologies, Inc. – TechNote
Document: 061507TS-02
Applies to: 802.1x authentication
Configuring 802.1x Authentication
Internet Authentication Service (IAS)
- Start > Run > Administrative Tools > Internet Authentication Service
- Right click 'Internet Authentication Service (Local)' > Register service in Active Directory
- Right click Clients > New RADIUS Client
- Enter a name for the switch
- Enter the IP address of the switch
- Click Next
- Confirm the Client-Vendor is RADIUS Standard
- Enter the Shared Secret > Finish
- Follow the same steps and enter the information for the RADIUS and LAN Enforcer servers
- Click on Remote Access Policies
- Right click Connections to other access servers and choose Properties
- Click the Edit Profile button
- Switch to the Authentication tab
- Click the EAP Methods button
- Click the Add… button
- Highlight MD5-Challenge and click OK
- Click OK to save the EAP Provider
- Uncheck the following check boxes:
  - Microsoft Encrypted Authentication version 2 (MS-CHAP v2)
  - Microsoft Encrypted Authentication (MS-CHAP)
- Click OK to save the changes
- Switch the radio button to Grant remote access permission
- Click Apply to save the changes
Domain Controller Configuration
- Start > Programs > Administrative Tools > Active Directory Users and Computers
- Create a new Organizational Unit
- Create a new user called
- Store password using reversible encryption
- Change the user password
- Allow the user to have dial-in access
Client Machine(s)
- Open 'Local Area Connection' properties > Authentication
**If the Authentication tab is missing**
- Start > Programs > Administrative Tools > Services
- Set "Wireless Configuration" to start automatically
- Start the service
- Check 'Enable Network Access Control Using IEEE 802.1x'
- Select MD5-Challenge as the EAP type
- Check 'Authenticate as Computer When Information is Available'
Switch Configuration
- Follow the vendor's steps to enable 802.1x on the switch
- Configure the RADIUS host as the LAN Enforcer IP address
Legacy ID
2007092617572148