Symantec Network Access Control 11.0 LAN Enforcement Overview

Article:TECH102536  |  Created: 2007-01-26  |  Updated: 2008-01-20  |  Article URL http://www.symantec.com/docs/TECH102536
Article Type: Technical Solution

Issue

You would like an overview of how LAN Enforcement works.


Solution

Symantec Network Access Control - LAN Enforcement

Overview

LAN Enforcer can be seen as an authentication framework that verifies a user and/or computer against a central authority before granting access to the network.
    • LAN Enforcer leverages a technology that was initially designed for wireless LANs. More specifically, it relies on the 802.1x protocol, which Cisco calls "dot1x".
    • 802.1x is an IEEE standard for enhancing the security of wired and wireless LANs. Comprehensive information about 802.1x is available on Wikipedia.
    • It requires 802.1x-compliant switches (older switches may not support it).
    • It works with multiple authentication protocols, such as the Extensible Authentication Protocol (EAP).
    • It can optionally be used in conjunction with RADIUS (Remote Authentication Dial In User Service), also known as AAA or "triple A" (Authentication, Authorization, Accounting).
    • If a client is non-compliant, the LAN Enforcer can assign the client to a quarantine VLAN.
    • LAN Enforcer can be used in two modes: Full 802.1x (or basic) mode, or Transparent mode.
Of the three Enforcer types, the LAN Enforcer is the most complicated (it has the most moving parts), predominantly because of the 802.1x implementation.

Full 802.1x Mode - With RADIUS authentication

In this mode, the Enforcer also takes the user's RADIUS authentication into consideration, as opposed to Transparent mode, where RADIUS authentication is not used.

Prerequisites:

    • 802.1x capable switches
    • 802.1x deployments need to be well planned
    • Backend (RADIUS) infrastructure
    • SEP/SNAC client needs to be configured as 802.1x supplicant:

[Image: SNAC_LAN_dot1x_enable.jpg]


How it works

[Image: SNAC_LAN_Basic.JPG]

Transparent Mode

In this mode, RADIUS Authentication will be ignored.

Prerequisites:

    • 802.1x capable switches
    • 802.1x deployments need to be well planned
    • SEP/SNAC client needs to be configured as 802.1x supplicant
    • Symantec Transparent Mode has to be selected:

[Image: SNAC_LAN_dot1x_enable_Transparent.jpg]

How it works

[Image: SNAC_LAN_Transparent.JPG]

The authentication process in more detail

Note: in the diagram, SMS (Sygate Management Server) corresponds to the SEPM and SSA (Sygate Security Agent) corresponds to the SEP client.

[Image: SNAC_LAN_Auth.jpg]

Cisco switch configuration file example

[Image: SNAC_CISCO_Config_example.jpg]

Setting up an 802.1x Environment

Sygate Technologies, Inc. – TechNote
Document: 061507TS-02
Applies to: 802.1x authentication

Configuring 802.1x Authentication

Internet Authentication Service (IAS)
-Start > Run > Administrative Tools > Internet Authentication Service
-Right click ‘Internet Authentication Service (Local)’ > Register service in Active Directory
-Right click Clients > New RADIUS Client
-Enter a name for the switch
-Enter IP of the switch
-Click Next
-Confirm the Client-Vendor is RADIUS Standard
-Enter Shared Secret > Finish
-Follow same steps and enter information for the RADIUS and LAN enforcer servers.

-Click on Remote Access Policies
-Right click Connections to other access servers, choose properties
-Click the Edit Profile button
-Switch to the Authentication tab
-Click the EAP Methods button
-Click the Add… button
-Highlight MD5-Challenge and click OK
-Click OK to save the EAP Provider
-Uncheck the following check boxes:
    -Microsoft Encrypted Authentication version 2 (MS-CHAP v2)
    -Microsoft Encrypted Authentication (MS-CHAP)
-Click OK to save the changes
-Switch the Radio button to Grant remote access permission
-Click Apply to save the changes

Domain Controller Configuration
-Start > Programs > Administrative Tools > Active Directory Users and Computers
-Create a new Organizational Unit
-Create a new user called
-Store password using reversible encryption (required by MD5-Challenge, because the authentication server must recompute the hash from the cleartext password)
-Change the user password
-Allow the user dial-in access

Client Machine(s)
-Open ‘Local Area Connection’ properties > Authentication
**If the Authentication tab is missing**
-Start > Programs > Administrative Tools > Services
-Set “Wireless Configuration” to start automatically
-Start the service
-Check ‘Enable Network Access Control Using IEEE 802.1x’
-Select MD5-Challenge as the EAP type
-Check ‘Authenticate as Computer When Information is Available’

Switch Configuration
-Follow the vendor’s steps to enable 802.1x on the switch
-Configure the RADIUS host as the LAN Enforcer IP address
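As an added illustration (not part of this TechNote or of the SNAC product code), the following Python models the EAP-Request/MD5-Challenge and EAP-Response exchange that the MD5-Challenge settings above select, and shows why the domain user's password must be stored with reversible encryption: the authentication server has to recompute MD5(Identifier || password || challenge) from the cleartext password. The challenge, user name and password are constructed sample values, and looking the user up by the Response's Name field is a simplification.

```python
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2   # EAP Code values (RFC 3748)
EAP_TYPE_MD5 = 4                   # EAP Type: MD5-Challenge

def build_md5_request(identifier, challenge, name=b"IAS"):
    """Authentication server -> supplicant: EAP-Request/MD5-Challenge."""
    body = bytes([EAP_TYPE_MD5, len(challenge)]) + challenge + name
    return struct.pack("!BBH", EAP_REQUEST, identifier, 4 + len(body)) + body

def md5_response_value(identifier, password, challenge):
    """Value = MD5(Identifier || password || challenge), as in CHAP (RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def build_md5_response(identifier, password, challenge, name):
    """Supplicant (SEP/SNAC client) -> server: EAP-Response/MD5-Challenge."""
    value = md5_response_value(identifier, password, challenge)
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(body)) + body

def parse_md5_packet(pkt):
    """Return (code, identifier, value, name) from an EAP MD5-Challenge packet."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 6 or pkt[4] != EAP_TYPE_MD5:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    size = pkt[5]
    return code, identifier, pkt[6:6 + size], pkt[6 + size:length]

def verify_md5_response(request, response, password_db):
    """Server side: recomputes the hash from the cleartext password (hence the
    reversible-encryption requirement in AD). Simplification: the user is looked
    up by the Response Name field; IAS uses the earlier EAP-Response/Identity."""
    _, req_id, challenge, _ = parse_md5_packet(request)
    code, resp_id, value, name = parse_md5_packet(response)
    if code != EAP_RESPONSE or resp_id != req_id:   # must answer the outstanding request
        return False
    password = password_db.get(name.decode("utf-8", "replace"))
    if password is None:
        return False
    expected = md5_response_value(req_id, password.encode(), challenge)
    return hmac.compare_digest(expected, value)

if __name__ == "__main__":
    # Constructed sample values: one test user and a fixed 16-byte challenge.
    users = {"user1": "Passw0rd!"}
    challenge = bytes(range(16))
    req = build_md5_request(7, challenge)
    resp = build_md5_response(7, b"Passw0rd!", challenge, b"user1")
    print("Access-Accept" if verify_md5_response(req, resp, users) else "Access-Reject")
```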





Legacy ID: 2007092617572148

