Handling a Radius server non-response in a LAN Enforcer environment; the no-radius-rsp option

Article:TECH153860  |  Created: 2011-02-21  |  Updated: 2011-11-07  |  Article URL http://www.symantec.com/docs/TECH153860
Article Type
Technical Solution


Issue



You are using Symantec Network Access Control (SNAC) in a LAN Enforcer environment, in a basic mode configuration where user authentication is verified against a Radius server.

You are looking for a way to treat a Radius server non-response differently from a Reject response.

 


Solution



The 11.0 RU6MP2 release of Symantec Network Access Control Enforcer software adds the no-radius-rsp command to the Enforcer configuration.
 

In the Enforcer command line interface (CLI), enter the following commands in order:

  • configure
  • advanced
  • no-radius-rsp followed by one of the following options:
    • eap-failed (default) - set the EAP result to FAILED when the Radius server does not reply.
    • eap-unavailable - set the EAP result to UNAVAILABLE when the Radius server does not reply.
    • no-action - the Enforcer does not send a response back to the switch when the Radius server does not reply to the Enforcer.

 

 

After setting the configuration option (for example, to eap-unavailable), you can use the Enforcer Group switch configuration in the Symantec Endpoint Protection Manager (SEPM) console to configure an action to take when the Radius server becomes unavailable.

In the SEPM console:

  • Go to the Admin tab and select Servers
  • Select the LAN Enforcer Group and click Edit Group Properties
  • Go to the Switch tab, select the switch configuration and click Edit
  • On the Action tab, you can now use the User Authentication: Unavailable setting to assign clients to a particular VLAN if the Radius server cannot be contacted.

 



