Network Access Control

  • 1.  802.1x, SNAC and SEP

    Posted Feb 25, 2009 08:22 PM

    Hello again all....

    I am trying to implement 802.1x authentication on my SEP/SNAC implementation. I've configured my Cisco switches as suggested in the example configs posted by LAWMAN and I've enabled the 802.1x options under Clients - Policies - General Settings - Security Settings - Enable 802.1x Authentication. I've also checked "Use the client as an 802.1x supplicant" and I've checked the radio button for "Use Symantec Transparent Mode".

    When I attempt 802.1x authentication with my test client, the process fails. Wireshark captures on the client show that the first EAP request and response between switch and client are OK, but then I see a Request, Identity packet from the switch which has an unknown type (88), and the Response, Identity reply from the client also reports an unknown type (88), and then I receive a Failure response from the switch.

    On the switch, using debug dot1x all, I see that there is a failure at the AAA point. I am not sure what I am missing, but can someone help me understand the way in which Symantec does dot1x?

    I am happy to provide the .cap file for the capture on the client as well as the switch config if needed.

    I am also somewhat confused on how you build the different types of enforcer for 802.1x. The doco speaks about either the basic mode or transparent mode, but I couldn't find any specifics around the actual process to build each one, e.g. the actual options/commands you enter.

    Any help with this would be very much appreciated, as this is for a customer and this is my first time using the Symantec product.

    Thanks.

    Steve



  • 2.  RE: 802.1x, SNAC and SEP

    Posted Feb 26, 2009 01:18 PM

    Hi Steve,

    Symantec Transparent mode is an EAP type Symantec created (88) for host authentication. This means that there is no user authentication; only the host integrity check result and profile policy information are used for authentication. It does not require a RADIUS server. The LAN enforcer serves as the RADIUS server.

    Basic mode is where you allow the user to choose which EAP type to use for authentication. The types we support are PEAP, TLS, and transparent mode. The user can choose the EAP type on the connection properties of the network card.

    To use SNAC LAN enforcement, you will need to set the switch's RADIUS server IP to point to the LAN enforcer.

    If you are using transparent mode, in the LAN enforcer action table on the SEPM you need to set user authentication to unavailable.

    Regards,

    Mandy
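As an added illustration (not code from any poster, from Symantec, or from the SNAC product), here is a small EAPOL/EAP decoder that labels EAP method type 88 the way Mandy's reply above describes it, run over a constructed five-frame sequence matching the failing exchange Steve saw in Wireshark. The type-88 payload bytes and the host name are made up, since the thread does not document that format; only the EAPOL/EAP header layout (RFC 3748) is real.

```python
import struct
from typing import Dict, List

# EAP codes and common method types come from RFC 3748 and the IANA registry.
# Type 88 is not IANA-assigned, which is why Wireshark reports it as unknown;
# this thread states it is Symantec's EAP type for SNAC transparent mode.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP", 88: "Symantec transparent mode (SNAC)"}

def parse_eapol(frame: bytes) -> Dict:
    """Decode one EAPOL frame (Ethernet header already stripped)."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != 0:  # 0 = EAP-Packet; 1 = EAPOL-Start, 2 = EAPOL-Logoff
        return {"eapol_type": ptype, "code": None, "id": None, "type": None, "data": b""}
    eap = frame[4:4 + length]
    if len(eap) < 4:
        raise ValueError("EAP header truncated")
    code, ident, eap_len = struct.unpack("!BBH", eap[:4])
    if eap_len > len(eap):
        raise ValueError("EAP length field exceeds the EAPOL payload")
    pkt = {"eapol_type": 0, "code": EAP_CODES.get(code, f"unknown({code})"),
           "id": ident, "type": None, "data": b""}
    if code in (1, 2) and eap_len >= 5:  # only Request/Response carry a Type byte
        pkt["type"] = EAP_TYPES.get(eap[4], f"unknown({eap[4]})")
        pkt["data"] = eap[5:eap_len]
    return pkt

def summarize(frames: List[bytes]) -> List[str]:
    """One line per frame, the way a reader of the capture wants to see it."""
    return [f"{p['code']}" + (f"/{p['type']}" if p["type"] else "") + f" id={p['id']}"
            for p in map(parse_eapol, frames)]

def build_eapol(code: int, ident: int, eap_type=None, data: bytes = b"") -> bytes:
    """Assemble a constructed EAPOL/EAP frame (used only for the sample below)."""
    body = bytes([eap_type]) + data if eap_type is not None else b""
    eap = struct.pack("!BBH", code, ident, 4 + len(body)) + body
    return struct.pack("!BBH", 1, 0, len(eap)) + eap

# Constructed sample reproducing the failing sequence from the question above.
SAMPLE = [
    build_eapol(1, 1, 1),               # switch: Request/Identity
    build_eapol(2, 1, 1, b"lab-host"),  # client: Response/Identity (name made up)
    build_eapol(1, 2, 88, b"\x01"),     # switch: Request, type 88 (payload made up)
    build_eapol(2, 2, 88, b"\x01\x00"), # client: Response, type 88 (payload made up)
    build_eapol(4, 2),                  # switch: Failure after AAA rejects the attempt
]
```

Seeing type 88 in a capture is therefore expected with transparent mode; the Failure that follows points at the RADIUS/LAN enforcer side of the exchange, consistent with the AAA failure in the switch debug output.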



  • 3.  RE: 802.1x, SNAC and SEP

    Posted May 22, 2009 10:43 AM

    Dears,

    I'm facing some problems in this scenario.

    I did all the configuration on the switch, Enforcer and Policy Manager (SEPM), but it seems that the Enforcer is not respecting the rules configured in the "Action Table" in Policy Manager.

    I have one workstation that passes the Host Integrity check. When I connect to the switch, the SEP Client shows the Authentication Success pop-up and the switch changes the VLAN to default, but after a few seconds the switch changes the interface to the guest VLAN, as if Host Integrity had failed.

    To test, I configured the same action (change to VLAN default) in both situations, passed and failed, but the result was the same. I don't know if there are wrong configurations on the switch, the Enforcer or both.

    Has anyone faced a problem like this?

    Regards and thanks in advance,



  • 4.  RE: 802.1x, SNAC and SEP

    Posted Jul 21, 2009 12:39 AM
    Hi Marcelo,
    Can you show me the action table in SEPM? And when does the SEP Client check for host integrity, always or when it connects to SEPM?

    Regards,