How a LAN Enforcer appliance works

Article:TECH91219  |  Created: 2008-01-03  |  Updated: 2008-01-03  |  Article URL http://www.symantec.com/docs/TECH91219
Article Type
Technical Solution

Issue

How a LAN Enforcer appliance works

Solution

The LAN Enforcer appliance acts as a Remote Authentication Dial-In User Service (RADIUS) proxy.

You can use the LAN Enforcer appliance with a RADIUS server to do the following actions:
  • Perform traditional 802.1x/EAP user authentication.
  • Verify that client computers comply with the security policies set on the management server (host authentication).

In networks that do not use a RADIUS server, the LAN Enforcer appliance performs host authentication only.

When you install the LAN Enforcer appliance with a RADIUS server, you provide the following benefits to your security network:
  • You deny network access to rogue computers. Any users that try to connect to the network must authenticate through RADIUS first.
  • You can enforce security policies, such as ensuring that the computer has the correct antivirus software, patches, or other software. You can validate that the client computer is running the Symantec client and that it passed the Host Integrity check.

A LAN Enforcer appliance communicates with a switch or wireless access point that supports EAP/802.1x authentication. The switch or wireless access point is often configured into two or more virtual local area networks (VLANs). Symantec clients on client computers pass the EAP information or Host Integrity information to the switch using the EAPOL (EAP over LANs) protocol. The switch forwards the information to the LAN Enforcer appliance for authentication.

You can configure the LAN Enforcer appliance with a set of possible responses to an authentication failure. The responses depend on the type of authentication failure: host authentication or EAP user authentication.

If you use a switch or wireless access point, you can set up the LAN Enforcer appliance to direct an authenticated client to different VLANs. The switch or wireless access point must provide dynamic VLAN capability. The VLANs might include a remediation VLAN.

If you use the LAN Enforcer with a RADIUS server, you can configure multiple RADIUS server connections for the Enforcer. If a RADIUS server connection is down, the LAN Enforcer appliance can switch to a different one. In addition, multiple LAN Enforcer appliances can be set up to connect to the switch. If one LAN Enforcer appliance fails to respond, a different LAN Enforcer appliance can handle the authentication.

How LAN Enforcer basic configuration works

If you are familiar with 802.1x authentication, you can view details about the clients that try to access the network by using the basic configuration. This information may prove useful for troubleshooting network connections.

Basic configuration of 802.1x LAN Enforcement works as follows:
  • A supplicant (for example, a client computer) tries to access the network through an authenticator (for example, an 802.1x switch).
  • The switch sees the computer and requests identification.
  • The 802.1x supplicant on the computer prompts the user for a user name and password, and responds with its identification.
  • The switch forwards this information to the LAN Enforcer, which then forwards it to the RADIUS server.
  • The RADIUS server generates an EAP challenge by selecting an EAP type that is based on its configuration.
  • The LAN Enforcer receives this challenge, adds a Host Integrity challenge, and forwards it to the switch.
  • The switch forwards the EAP and Host Integrity challenges to the client.
  • The client receives the challenges and sends a response.
  • The switch receives the response and forwards it to the LAN Enforcer.
  • The LAN Enforcer examines the Host Integrity check result and client status information and forwards it to the RADIUS server.
  • The RADIUS Server performs EAP authentication and sends the result back to the LAN Enforcer.
  • The LAN Enforcer receives the authentication results and forwards the result, together with the action to take, to the switch.
  • Depending on the results, the switch takes the appropriate action: it allows normal network access, blocks access, or permits access to an alternate VLAN.
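The RADIUS-proxy behaviour described in the two passages above (responses to a failed host or user authentication, failover between RADIUS servers, and the VLAN assignment returned to the switch after the basic-configuration sequence) as an added Python example. This is not Symantec's code: RADIUS framing and the Response Authenticator follow RFC 2865 and the VLAN assignment uses the RFC 3580 tunnel attributes, but the article does not say which attributes or policy table the appliance uses, so the policy table, VLAN numbers, server names, shared secrets and the experimental attribute 200 carrying the Host Integrity verdict are all constructed for this example.

```python
"""Simulated LAN Enforcer-style RADIUS proxy (added example; not Symantec's code).
RADIUS framing per RFC 2865, VLAN attributes per RFC 3580; the policy table, names,
VLAN ids and attribute 200 (RFC 2865 experimental range) are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 1, 64, 65, 81
HOST_INTEGRITY = 200  # constructed attribute carrying b"PASS" or b"FAIL"


def pack_attrs(attrs):
    """Attributes are TLVs: Type (1), Length including header (1), Value."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def encode_request(ident, attrs, authenticator=None):
    """Access-Request: the Request Authenticator is 16 random bytes."""
    auth = authenticator or os.urandom(16)
    body = pack_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body


def encode_reply(code, ident, request_auth, attrs, secret):
    """Accept/Reject: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    body = pack_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def decode(pkt):
    """Parse header and attribute TLVs, rejecting truncated or inconsistent lengths."""
    if len(pkt) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("RADIUS Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute length")
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs


def reply_is_authentic(reply, request_auth, secret):
    """Recompute the Response Authenticator; a forged or corrupted reply fails this check."""
    code, ident, resp_auth, attrs = decode(reply)
    return hmac.compare_digest(resp_auth, encode_reply(code, ident, request_auth, attrs, secret)[4:20])


def vlan_attrs(vlan_id, tag=1):
    """RFC 3580 dynamic VLAN: Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6), group id."""
    return [(TUNNEL_TYPE, bytes([tag]) + (13).to_bytes(3, "big")),
            (TUNNEL_MEDIUM_TYPE, bytes([tag]) + (6).to_bytes(3, "big")),
            (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode())]


# Constructed policy: (user authenticated, Host Integrity passed) -> (action, VLAN)
POLICY = {
    (True, True): ("allow", 10),       # production VLAN
    (True, False): ("remediate", 99),  # remediation VLAN until the client is fixed
    (False, True): ("block", None),    # unknown users never reach a VLAN
    (False, False): ("block", None),
}


def make_radius_server(known_users, secret, up=True):
    """In-memory stand-in for a RADIUS server that performs user authentication only."""
    def server(request):
        if not up:
            return None  # a server that never answers
        code, ident, req_auth, attrs = decode(request)
        user = next((v for t, v in attrs if t == USER_NAME), b"")
        verdict = ACCESS_ACCEPT if user in known_users else ACCESS_REJECT
        return encode_reply(verdict, ident, req_auth, [], secret)
    return server


class LanEnforcerProxy:
    def __init__(self, servers, switch_secret, policy=POLICY):
        self.servers = servers              # ordered list of (name, shared secret, callable)
        self.switch_secret = switch_secret  # secret shared with the authenticator (switch)
        self.policy = policy

    def forward(self, request, request_auth):
        """Try servers in order; skip any that stay silent or return an inauthentic reply."""
        for name, secret, server in self.servers:
            reply = server(request)
            if reply is not None and reply_is_authentic(reply, request_auth, secret):
                return name, decode(reply)[0]
        raise RuntimeError("no RADIUS server gave an authentic reply")

    def handle(self, request_from_switch):
        code, ident, req_auth, attrs = decode(request_from_switch)
        hi_ok = any(t == HOST_INTEGRITY and v == b"PASS" for t, v in attrs)
        # The upstream server only does user authentication: strip the Host Integrity verdict
        upstream = encode_request(ident, [a for a in attrs if a[0] != HOST_INTEGRITY], req_auth)
        used, verdict = self.forward(upstream, req_auth)
        action, vlan = self.policy[(verdict == ACCESS_ACCEPT, hi_ok)]
        reply_code = ACCESS_REJECT if action == "block" else ACCESS_ACCEPT
        reply_attrs = [] if action == "block" else vlan_attrs(vlan)
        return used, action, encode_reply(reply_code, ident, req_auth, reply_attrs, self.switch_secret)


def demo():
    """Primary server down, secondary up; three constructed clients with different outcomes."""
    servers = [("radius-1", b"secret-1", make_radius_server({b"alice"}, b"secret-1", up=False)),
               ("radius-2", b"secret-2", make_radius_server({b"alice"}, b"secret-2"))]
    proxy = LanEnforcerProxy(servers, switch_secret=b"switch-secret")
    results = {}
    for user, hi in ((b"alice", b"PASS"), (b"alice", b"FAIL"), (b"unknown-host", b"PASS")):
        used, action, reply = proxy.handle(encode_request(7, [(USER_NAME, user), (HOST_INTEGRITY, hi)]))
        rcode, _, _, rattrs = decode(reply)
        vlan = next((v[1:].decode() for t, v in rattrs if t == TUNNEL_PRIVATE_GROUP_ID), None)
        results[(user, hi)] = (used, action, rcode, vlan)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Two checks in the block are the ones that matter operationally for a proxy in this position: `decode` refuses packets whose Length field or attribute lengths disagree with the bytes received, and `forward` treats a reply whose Response Authenticator does not verify under that server's shared secret exactly like a server that is down, so a spoofed Access-Accept injected on the path to the RADIUS server cannot steer a failed client onto the production VLAN.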

How LAN Enforcer transparent mode works

LAN Enforcer transparent mode works in the following ways:
  • A supplicant (for example, a client computer) tries to access the network through an authenticator (for example, an 802.1x switch).
  • The authenticator sees the computer and sends an EAP authentication packet (only EAP traffic is allowed at this point).
  • The client that acts as an EAP supplicant sees the authentication packet and responds with Host Integrity authentication.
  • The switch sends Host Integrity authentication results to the LAN Enforcer appliance that runs as a RADIUS Proxy server.
  • The LAN Enforcer appliance replies to the switch with the VLAN assignment that is based on the authentication results.

About 802.1x authentication

IEEE 802.1X-2001 is a standard that defines access control for wireless and wired LANs. The standard provides a framework for authenticating and controlling user traffic on a protected network. The standard specifies the use of the Extensible Authentication Protocol (EAP), which uses a centralized authentication server, such as Remote Authentication Dial-In User Service (RADIUS).

The server authenticates each user that tries to access the network. The 802.1x standard includes the specifications for EAP-over-LAN (EAPOL). EAPOL is used for encapsulating EAP messages in link layer frames (for example, Ethernet) and also provides control functions.

The 802.1x architecture includes the following key components:
  • Authenticator: The entity that brokers the authentication, such as an 802.1x-compliant LAN switch or wireless access point.
  • Authentication Server: The entity that provides the actual authentication by validating the credentials that are supplied in response to the challenge, such as a RADIUS server.
  • Supplicant: The entity that seeks network access and tries to successfully authenticate, such as a computer.

When a supplicant device is connected to a network switch authenticator with 802.1x enabled, the following process occurs:
  • The switch issues an EAP Identity Request.
  • The EAP supplicant software responds with an EAP Identity Response, which is forwarded to the authentication server (for example, RADIUS) by the switch.
  • The authentication server issues an EAP Challenge, which is forwarded to the supplicant by the switch.
  • The user enters authentication credentials (user name and password, token, and so forth).
  • The supplicant sends an EAP Challenge Response, including the user-supplied credentials, to the switch, which forwards it to the authentication server.
  • The authentication server validates the credentials and replies with an EAP or User Authentication result, which indicates the success or failure of the authentication.
  • If authentication succeeds, the switch permits access for normal traffic. If authentication fails, client device access is blocked. The supplicant is notified of the result in either case.

Only EAP traffic is permitted during the authentication process.
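The Identity Request, Identity Response, Challenge, Challenge Response and Success/Failure sequence just listed, encoded at the EAPOL and EAP frame level, as an added Python example (not text from the standard and not Symantec's software). It assumes EAP-MD5 (EAP type 4, RFC 3748) as the challenge method only because it is short enough to show end to end; the user name, password and 16-byte challenge are constructed, and the `port_permits` helper stands in for the switch's uncontrolled port, which passes only EAPOL frames until authentication succeeds.

```python
"""EAPOL/EAP framing for an 802.1x exchange (added example; not from the standard or Symantec).
EAPOL header per IEEE 802.1X (version, packet type, body length); EAP per RFC 3748.
The EAP-MD5 response is MD5(identifier || password || challenge). Credentials are constructed."""
import hashlib
import hmac
import os
import struct

EAPOL_ETHERTYPE = 0x888E
EAPOL_VERSION, EAPOL_EAP_PACKET = 1, 0
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


def port_permits(ethertype, port_authorized):
    """Uncontrolled port: until authentication succeeds, only EAPOL frames pass."""
    return port_authorized or ethertype == EAPOL_ETHERTYPE


def eap_packet(code, ident, eap_type=None, data=b""):
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data]; Success/Failure carry no Type."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet")
    msg = {"code": code, "id": ident, "type": None, "data": b""}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        msg["type"], msg["data"] = pkt[4], pkt[5:length]
    return msg


def eapol_frame(eap):
    """EAPOL: Version(1) Packet Type(1) Body Length(2) Body."""
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_EAP_PACKET, len(eap)) + eap


def parse_eapol(frame):
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET or 4 + length > len(frame):
        raise ValueError("not a well-formed EAPOL EAP-Packet")
    return frame[4:4 + length]


def md5_challenge_response(ident, password, challenge):
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class Supplicant:
    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def handle(self, frame):
        req = parse_eap(parse_eapol(frame))
        if req["type"] == EAP_TYPE_IDENTITY:
            return eapol_frame(eap_packet(EAP_RESPONSE, req["id"], EAP_TYPE_IDENTITY, self.identity))
        if req["type"] == EAP_TYPE_MD5:
            size = req["data"][0]  # Value-Size, then the challenge value, then an optional name
            digest = md5_challenge_response(req["id"], self.password, req["data"][1:1 + size])
            return eapol_frame(eap_packet(EAP_RESPONSE, req["id"], EAP_TYPE_MD5,
                                          bytes([16]) + digest + self.identity))
        raise ValueError("unsupported EAP request type")


class AuthenticationServer:
    """Stands in for the RADIUS server; keeps the pending identity and challenge."""
    def __init__(self, users):
        self.users, self.identity, self.challenge = users, None, None

    def handle(self, eap):
        msg = parse_eap(eap)
        if msg["type"] == EAP_TYPE_IDENTITY:
            self.identity, self.challenge = msg["data"], os.urandom(16)
            return eap_packet(EAP_REQUEST, (msg["id"] + 1) & 0xFF, EAP_TYPE_MD5, bytes([16]) + self.challenge)
        password = self.users.get(self.identity)
        expected = md5_challenge_response(msg["id"], password, self.challenge) if password else b""
        ok = bool(password) and hmac.compare_digest(expected, msg["data"][1:17])
        return eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, (msg["id"] + 1) & 0xFF)


def run_exchange(supplicant, server):
    """The authenticator (switch) relays EAP between both sides and authorizes the port on Success."""
    transcript = []
    eap = eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)  # the switch opens with an Identity Request
    while True:
        msg = parse_eap(eap)
        transcript.append(("to_supplicant", msg["code"], msg["type"]))
        if msg["code"] in (EAP_SUCCESS, EAP_FAILURE):
            return msg["code"] == EAP_SUCCESS, transcript  # port authorized only on Success
        response = parse_eapol(supplicant.handle(eapol_frame(eap)))
        resp = parse_eap(response)
        transcript.append(("to_server", resp["code"], resp["type"]))
        eap = server.handle(response)


if __name__ == "__main__":
    ok, log = run_exchange(Supplicant(b"alice", b"correct-horse"), AuthenticationServer({b"alice": b"correct-horse"}))
    print("port authorized:", ok)
    for entry in log:
        print(entry)
```

EAP-MD5 is used here only for brevity: it authenticates the supplicant to the server but not the server to the supplicant, and it derives no keying material, which is why it is unsuitable on wireless links where the 802.1x result must also key the air interface; the framing and the relay logic are the same for the TLS-based EAP methods a deployment would actually choose.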

For details on EAP, refer to the IETF’s RFC 2284 at the following URL:
http://www.ietf.org/rfc/rfc2284.txt

For additional details on IEEE Standard 802.1x, refer to the text of the standard at the following URL:
http://standards.ieee.org/getieee802/download/802.1x-2001.pdf


Support for third-party vendor enforcement products

Symantec provides support in several ways for enforcement solutions developed by other vendors:
  • Universal Enforcement API: Symantec has developed the Universal Enforcement API to allow other vendors with related technology to integrate their solutions with the Symantec software.
  • Cisco Network Admissions Control: Symantec clients can support the Cisco Network Admissions Control enforcement solution.


Legacy ID

2008120314023148