LAN Enforcer Blocks PEAP+TLS Authentication

Article:TECH139791  |  Created: 2010-09-14  |  Updated: 2010-10-07  |  Article URL http://www.symantec.com/docs/TECH139791
Article Type
Technical Solution


Issue



Several WYSE thin clients are authenticated by the local Cisco ACS RADIUS server. The thin clients are not running a Windows OS and do not have the SEP 11 + SNAC agent installed. With the LAN Enforcer 6100 appliance placed inline on the network, the WYSE thin clients are no longer able to authenticate with the RADIUS server.


Error



The Enforcer kernel.log file reports a PEAP timeout, and the client is not authenticated by the RADIUS server, so it is not allowed onto the network.


Environment



The network environment includes a RADIUS server, a LAN 6100 Enforcer appliance, a SEP 11 manager, and a WYSE thin client or other device that uses PEAP+TLS authentication. The LAN Enforcer software version was 11.0.5 or below.


Cause



The current Enforcer 11.0.5 software prevents PEAP+TLS authentication from being forwarded to the RADIUS server, causing a timeout. The issue is caused by the software's inability to handle TLS authentication traffic. If the LAN Enforcer is removed from the environment, authentication between the thin client and the RADIUS server occurs as expected.


Solution



Update the LAN Enforcer software to the latest 11.0.6 RU6 MP1 release. The updated Enforcer software release is available on the Symantec FileConnect and Platinum web sites.

Ignore Check Commands for TLS (RU6 MP1 or Later)

1. The Enforcer CLI command "ignore-check" is added under the command group "/configure/advanced".
 
2. To ignore the Symantec client check for certain EAP methods, for example:
   ignore-check eap "peap,tls"
   The EAP methods MD5, PEAP, TLS and TTLS are supported.
 
3. To clear the ignored EAP methods:
   ignore-check eap clear
   Since "clear" is the value of an argument, there is no auto-complete for it; for instance, the command "ignore-check eap cle" is not accepted.
 
4. To ignore the Symantec client check for certain devices (MAC addresses), for example:
   ignore-check mac "00:11:22:33:44, 00:22:33:44:55:66-00:33:44:55:66:77, 00:44:55:00:00:00/ff:ff:ff:00:00:00"
   A single MAC address, a MAC address range and a MAC address with mask are supported.
 
5. To clear the ignored MAC addresses:
   ignore-check mac clear
   Here, "clear" has the same behavior as in step 3.
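The exemption lists above decide which supplicants bypass the Symantec client check, so it is worth being precise about what a given "ignore-check mac" argument actually covers. The following Python model is an added example written for this article, not Symantec code: it parses the three MAC forms the CLI accepts (single address, inclusive range, address/mask) and the EAP method list, rejects malformed entries instead of guessing, and reports whether a constructed client would be exempted. The MAC values and client list are constructed for the example, and the rule that the EAP and MAC lists act as independent exemptions is an assumption, since the article does not say how the two combine.

```python
"""Model of the LAN Enforcer 'ignore-check' exemption syntax.

Added illustration for this article, not Symantec code: parses the MAC
forms (single, range, address/mask) and the EAP method list described in
the article and evaluates which constructed clients would skip the
Symantec client check. All MAC values and clients below are constructed.
"""
import re

# EAP methods the article lists as supported by "ignore-check eap".
SUPPORTED_EAP = {"md5", "peap", "tls", "ttls"}

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def mac_to_int(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to an int. Anything that is not six
    colon-separated octets is rejected, so a typo cannot widen a rule."""
    s = text.strip().lower()
    if not _MAC_RE.match(s):
        raise ValueError(f"malformed MAC address: {text!r}")
    return int(s.replace(":", ""), 16)


def parse_mac_spec(spec):
    """Parse the comma-separated argument of 'ignore-check mac' into rules:
    ('single', addr, None), ('range', lo, hi) or ('mask', base, mask)."""
    rules = []
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "-" in entry:                        # first-last, inclusive
            lo, hi = (mac_to_int(p) for p in entry.split("-", 1))
            if lo > hi:
                raise ValueError(f"inverted range: {entry!r}")
            rules.append(("range", lo, hi))
        elif "/" in entry:                      # address/mask
            base, mask = (mac_to_int(p) for p in entry.split("/", 1))
            rules.append(("mask", base & mask, mask))
        else:
            rules.append(("single", mac_to_int(entry), None))
    return rules


def parse_eap_spec(spec):
    """Parse the argument of 'ignore-check eap', e.g. "peap,tls"."""
    methods = {m.strip().lower() for m in spec.split(",") if m.strip()}
    unknown = methods - SUPPORTED_EAP
    if unknown:
        raise ValueError(f"unsupported EAP method(s): {sorted(unknown)}")
    return methods


def mac_matches(rules, mac):
    """True if the MAC falls under any parsed rule."""
    m = mac_to_int(mac)
    for kind, a, b in rules:
        if kind == "single" and m == a:
            return True
        if kind == "range" and a <= m <= b:
            return True
        if kind == "mask" and (m & b) == a:
            return True
    return False


def check_ignored(eap_methods, mac_rules, mac, eap_method):
    """Would this client skip the Symantec client check?

    Assumption (not stated in the article): the EAP and MAC lists are
    independent exemptions, so matching either one is enough.
    """
    return eap_method.lower() in eap_methods or mac_matches(mac_rules, mac)


if __name__ == "__main__":
    # Constructed policy mirroring the article's syntax with valid addresses.
    eap = parse_eap_spec("peap,tls")
    macs = parse_mac_spec(
        "00:11:22:33:44:55, "
        "00:22:33:44:55:66-00:33:44:55:66:77, "
        "00:44:55:00:00:00/ff:ff:ff:00:00:00"
    )
    # Constructed clients: (description, MAC, EAP method seen in the exchange)
    clients = [
        ("thin client, PEAP+TLS", "00:aa:bb:cc:dd:ee", "peap"),
        ("device in masked OUI", "00:44:55:12:34:56", "md5"),
        ("device just past range", "00:33:44:55:66:78", "md5"),
    ]
    for desc, mac, method in clients:
        verdict = "ignored" if check_ignored(eap, macs, mac, method) else "checked"
        print(f"{desc:24s} {mac}  {method:5s} -> {verdict}")
```

Running the block with the constructed policy shows the first two clients bypassing the check (one by EAP method, one by the masked OUI) and the third, one address past the end of the range, still being checked. Feeding it the exact string from step 4 raises an error on the five-octet first entry, which is the behaviour you want from anything that decides who skips a posture check.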