Configuring the Symantec On-Demand Client for Basic mode with a LAN Enforcer

Article:TECH159800  |  Created: 2011-05-11  |  Updated: 2012-05-24  |  Article URL
Article Type
Technical Solution



This document gives a step-by-step guide for configuring the Symantec Network Access Control (SNAC) 11.0 or 12.1 On-Demand Client (ODC) to authenticate using dot1x through a switch and a Symantec LAN Enforcer, using Basic mode where user authentication as well as Host Integrity status is verified before network access is allowed.



This setup requires :

  • one Gateway Enforcer appliance (with a single NIC connected) to deliver the ODC client from
  • one LAN Enforcer appliance to authenticate clients
  • an 802.1x compatible switch
  • a radius server for user-level authentication (IAS or similar)
  • a Symantec Endpoint Protection Manager (SEPM) server


This document does not cover basic installation of each component, and assumes an already functioning LAN Enforcer environment for non-ODC clients.

Please refer to the Enforcer Implementation Guide PDF document for basic setup instructions.

The document does not specifically cover the switch configuration, and assumes that the two Enforcer appliances and the SEPM server are reachable from both the production VLAN and guest VLAN.



General configuration to enable the use of the On-Demand client with a LAN Enforcer


On the SEPM, create a new group for the On-Demand clients:

  • On the Clients tab, click Add Group and create a new group ("On-Demand")
  • Under the new group, select the Policies tab, untick "inherit policies from the parent group", and select the General Settings link
  • In General Settings, select the Security Settings tab and select the following options:
    • Enable 802.1x authentication
    • Use the client as an 802.1x supplicant
    • Allow the user to select the authentication protocol
  • Press OK
  • Add to the group the Host Integrity policy that you would like for On-Demand clients to use.


First connect the Gateway Enforcer appliance to the network using only the eth0 interface. The Gateway Enforcer will in this configuration not be used as a gateway for traffic to pass through, but as a web server to deliver the On-Demand Client from.

Configure the Gateway Enforcer with an ip address and a network mask using the configuration wizard, and use the following command to connect the appliance to the SEPM

  • configure spm ip [sepm-address] http 8014 group GW_ENF key My$ecr4t   (using your SEPM address and port, a new Enforcer group name, and the SEPM shared secret)


On the Gateway Enforcer, type the following commands in the CLI to enable the On-Demand Client:

  • on-demand
  • spm-domain name Default   (use your SEPM domain in place of Default if needed)
  • client-group "My Company/On-Demand"   (use the name of the group created on the SEPM in the previous steps)
  • enable


Visiting the http://gw-enforcer-address/ website in a browser on a client machine should now give you the option to install the On-Demand client.

By configuring the LAN Enforcer group switch actions in the SEPM it should now be possible to allow this client access to the network only on passing the configured Host Integrity checks.


Additional configuration to enable Basic mode configuration


In Basic mode Active Directory user authentication will be verified, in addition to the Host Integrity result.


The steps below are configured in the Gateway Enforcer CLI, and will use the snac.local domain as an example.


Configure PEAP supplicant settings for the On-Demand client:

  • on-demand dot1x
  • protocol peap
  • peap
  • fast-reconn enable
  • exit
  • show protocol   (to verify that PEAP is the active protocol)
  • show peap   (to verify the peap configuration)


The remaining configuration can be done either using pure Radius, or using Active Directory:


Option #1 - Using Active Directory authentication:


If not already configured, add a DNS server to the Gateway Enforcer configuration

  • configure dns add   (use the address of your network's DNS server)


If not already configured, add an NTP server to the Gateway Enforcer configuration

  • configure ntp
  • server pdc.snac.local
  • enable

(this is required before enabling AD authentication)


Configure authentication for the On-Demand Client:

  • on-demand authentication
  • ad domain snac.local name snac.local
  • ad enable
  • enable
  • show status   (verify that Authentication is ENABLED and Active Directory is ENABLED - Local Database, Anonymity and RADIUS can all remain DISABLED)


Option #2 - Using RADIUS authentication:


On the radius server, add the Gateway Enforcer as a new trusted client (the LAN Enforcer should already exist as a trusted client in the radius server configuration)

Using IAS as the radius server the steps are:

  • Open the Internet Authentication Service MMC snapin
  • Navigate to RADIUS Clients
  • Select New RADIUS Client, type in the IP address of the Gateway Enforcer, and press Next
  • Select RADIUS Standard and type in the shared secret, then press Finish


On the Gateway Enforcer command line, configure authentication for the On-Demand Client:

  • on-demand authentication
  • radius add name [myradius] server [radius-address]:1812 secret My$ecr4t ms-CHAP-V2   (using your custom name, the radius server address, and the shared secret)
  • radius enable
  • enable
  • show status   (verify that Authentication is ENABLED and RADIUS is ENABLED - Local Database, Anonymity and Active Directory can all remain DISABLED)
  • show radius   (verify the configuration entered above)


Visiting the http://gw-enforcer-address/ website in a browser on a client machine should now present a login page, entering valid credentials will allow the installation of the On-Demand Client.


The ODC client will forward the Host Integrity status (to be forwarded by the switch to the LAN Enforcer for verification) as well as the user credentials that was used to download the ODC client (to be forwarded by the LAN Enforcer to the Radius server for verification).



To verify that the configuration is working you can view the kernel debug on the LAN Enforcer using this command

  • debug show kernel live

The user request should come in with both EAP:PASS and HI:PASS provided the above configuration was implemented correctly (and the client passes Host Integrity).


Capturing the network traffic on the radius server there should be incoming Access-Requests from the LAN Enforcer when using the Active Directory configuration, and from the Gateway Enforcer followed a while later by the LAN Enforcer when using the RADIUS configuration.


Article URL

Terms of use for this information are found in Legal Notices