Network Access Control

  • 1.  Missed HI policy ...

    Posted Dec 01, 2008 03:07 AM
    If a machine doesn't have the HI policy, and tries to connect to a switch port which has 802.1x authentication enabled, it will stay disconnected and the status of NAC is "Allowed" on the SEP interface. Is this happening by design, or due to a wrong SNAC Action? Can you please advise here? Because we have to disable port security temporarily to let the machine connect and communicate with SEPM to download the HI, then enable port security back, then everything will go fine… connect, authenticate, and get approved by SNAC. I think the Symantec consultant who installed SNAC forgot to address this issue.


  • 2.  RE: Missed HI policy ...

    Posted Dec 05, 2008 02:28 AM

    Hi,


    "Allowed" means that you have a SNAC license, but the agent is not communicating with an enforcer. For your case, it looks like the supplicant is not turned on on the client machine. The best way is to configure your switch to put the client into a quarantine vlan (where it can contact the SEPM server to download the latest policy) when there is no supplicant on the client or EAP authentication failed. Different switches have different commands; here is an example for a cisco switch:

    dot1x guest-vlan <vlan id>  <== this command sets the switch to put the client into the specified vlan when the client does not respond to EAP requests

    dot1x auth-fail vlan <vlan id>  <== this command sets the switch to put the client into the specified vlan when EAP authentication failed.


    Hope this helps.

    Regards,

    Mandy
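    The two fallback commands above, placed in the context of a complete access-port stanza, as an added example that is not from this thread or from Symantec. The interface name, the quarantine VLAN id (999) and the SEPM address (192.0.2.10) are placeholders; the data VLAN 209 and voice VLAN 202 are taken from the configuration quoted later in the thread. Also assumed: the Catalyst IOS in use supports `dot1x auth-fail max-attempts`.

```cisco
! Added example (not from the thread): Cisco IOS access port with 802.1X
! plus a quarantine VLAN for hosts that lack a supplicant or fail EAP.
!
! Assumption: VLAN 999 is the quarantine VLAN; it is routed only to SEPM.
vlan 999
 name QUARANTINE-SNAC
!
! Assumption: interface name is a placeholder.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 209
 switchport voice vlan 202
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x violation-mode protect
 dot1x timeout tx-period 5
 dot1x timeout reauth-period 60
 dot1x reauthentication
 ! No supplicant answers EAP-Request/Identity: put the host in VLAN 999
 ! so it can still reach SEPM and download the HI policy.
 dot1x guest-vlan 999
 ! Supplicant present but EAP keeps failing: after max-attempts failures,
 ! also drop the host into VLAN 999 instead of leaving the port blocked.
 dot1x auth-fail max-attempts 3
 dot1x auth-fail vlan 999
 spanning-tree portfast
!
! Limit what a quarantined host can reach: DHCP, DNS and the SEPM server.
! Assumption: 192.0.2.10 is a placeholder for the SEPM address.
ip access-list extended QUARANTINE-IN
 permit udp any any eq bootps
 permit udp any any eq domain
 permit ip any host 192.0.2.10
 deny   ip any any log
!
interface Vlan999
 description Quarantine for hosts without supplicant / failed EAP
 ip access-group QUARANTINE-IN in
```

    With `tx-period 5` and the default `max-reauth-req` of 2, the switch stops waiting for a supplicant after roughly 15 seconds and moves the port to the guest VLAN; the default 30-second tx-period would take about 90 seconds. `show dot1x interface GigabitEthernet0/1 details` shows whether a port landed in the guest or auth-fail VLAN, which is the quickest way to confirm the fallback fired rather than the port simply staying blocked.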



  • 3.  RE: Missed HI policy ...

    Posted Dec 05, 2008 05:38 AM

    Will enabling the guest-vlan make any conflict with the following switch configuration:


    aaa authentication dot1x default group radius
    aaa authorization network default group radius

    dot1x system-auth-control

     switchport access vlan 209
     switchport mode access
     switchport voice vlan 202
     dot1x pae authenticator
     dot1x host-mode multi-domain
     dot1x violation-mode protect
     dot1x timeout reauth-period 60
     dot1x timeout tx-period 5
     dot1x reauthentication
     spanning-tree portfast

    dot1x port-control auto


    radius-server host 10.9.1.11 auth-port 1812 acct-port 1646 key
    radius-server host 10.9.1.13 auth-port 1812 acct-port 1646 key



    Please advise because I need to solve this issue and move on. Thanks



  • 4.  RE: Missed HI policy ...

    Posted Dec 05, 2008 12:26 PM
    No, there should not be any conflicts.


  • 5.  RE: Missed HI policy ...

    Posted Aug 25, 2009 10:29 AM
    Ok. So if 'Allowed' means you have a valid SNAC license, then it will read 'Approved' when you have successfully passed HI.  Correct?