Network Access Control

  • 1.  NAC questions - LAN enforcer

    Posted Oct 13, 2011 02:57 AM

    Hi all,

    I am in the middle of a lab and doing some testing and I have a couple of doubts about the LAN Enforcer setup:

    How does the Enforcer differentiate between an external laptop connecting to the network with no 802.1x client enabled and a printer for example?? - from the testing I have done I have seen that with the SNAC agent installed the MAC address of the client is passed to the switch and then this info is passed to the Enforcer, with no SNAC agent this info is not passed on - is this expected behaviour?

    I want to use the MAB option to list all my printers (I understand this option is like a whitelist for MACs) - I have tried to add a MAC address to the local database (a laptop for testing) but it is still put into quarantine, ie all the checks are done...so it isn't working - why not??

    What is the difference between the MAB option and the Ignore-Check option?

    Is there any way to view the MAC list on the Enforcer or does it have to be exported and viewed externally? From what I have seen it is not a very user friendly setup!?

    As always, any info is much appreciated.

    Thanks!



  • 2.  RE: NAC questions - LAN enforcer

    Posted Oct 14, 2011 01:38 PM

    Hi, here are some responses to your questions:


    How does the Enforcer differentiate between an external laptop connecting to the network with no 802.1x client enabled and a printer for example

    Your 802.1x switch should challenge any connecting device. Because printers will not respond to the 802.1x challenge, the LAN enforcer will direct the switch to assign that device to the VLAN of your choice. This will likely be the quarantine VLAN. If that device is whitelisted (configure this on the enforcer by using the SEPM console), the LAN enforcer will also direct the switch to assign it to the VLAN of your choice (usually the production network).

    If a laptop connects, it will also be challenged. With no response to the 802.1x challenge from the switch, it will be assigned the quarantine VLAN.

    The LAN Enforcer pulls together information from the 802.1x authentication process, SNAC agent, RADIUS server (if installed), and Active Directory (if configured). On the SEPM console, the LAN Enforcer's action table allows you to define which criteria will determine which action. Example:

    No 802.1x at all, send to quarantine VLAN (or block port)
    802.1x only (no SNAC agent), assign to a VLAN if authenticated by RADIUS server
    SNAC agent and passes Host Integrity, assign to VLAN


    I want to use the MAB option to list all my printers (I understand this option is like a whitelist for MACs) - I have tried to add a MAC address to the local database (a laptop for testing) but it is still put into quarantine, ie all the checks are done...so it isn't working - why not??

    Need more info on this to help you.   Either post a separate forum thread or call support and they will be able to figure out where the hangup is.


    What is the difference between the MAB option and the Ignore-Check option?

    MAB is for systems with no ability to respond to 802.1x challenges. The ignore check option is for systems with the SNAC agent installed. It is directing your enforcer to ignore the Host Integrity status reported by that agent. This setting is often used for troubleshooting and initial deployments.


    Is there any way to view the MAC list on the Enforcer or does it have to be exported and viewed externally? From what I have seen it is not a very user friendly setup!?

    Exporting it is the most efficient way, IMO. The Enforcer shell has severely reduced command support in order to be locked down and function as a security appliance.


    Let me know if this helps or if you need more info



  • 3.  RE: NAC questions - LAN enforcer

    Posted Oct 19, 2011 11:10 AM

    Many thanks for your info...I have already managed to get things working but it took me a long time!

    Basically what was happening (or wasn't happening) was due to (lack of) switch configuration. If the switch is only configured with 802.1x authentication and a device without 802.1x is connected, after failing the authentication process nothing is sent to the LAN Enforcer. The switch may put the device in the Guest VLAN but the LAN Enforcer doesn't get involved. If, however, MAB is configured on the switch, after the 802.1x process fails, MAB initiates, asks the device for its MAC and this is sent to the LAN Enforcer; allocation of the VLAN is then dependent on whether the MAC is in the local database or not. My problem was that I didn't have MAB configured in my switch.

    To continue with the MAB theme, is there a limit to the number of MACs that can be uploaded to the local database? Does Symantec have a recommended maximum?

    Thanks again for your help
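    As an added illustration of the switch-side fix described in the previous post (not configuration from the thread or from Symantec), the two port configurations below contrast an 802.1x-only port, where a supplicant-less device is handled by the switch alone, with a port that falls back to MAB so the MAC address is sent on to the LAN Enforcer. Cisco IOS syntax is assumed since the posts do not name the switch vendor, and the RADIUS address, shared secret and VLAN IDs are placeholders.

```cisco
! Added example, not from the thread. Cisco IOS syntax assumed; the RADIUS
! address, shared secret and VLAN numbers below are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! Assumed: the switch's RADIUS target is the LAN Enforcer, which sits in the
! RADIUS path and returns the VLAN chosen by the action table / MAC whitelist.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER-SHARED-SECRET
dot1x system-auth-control
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 20
 ! 802.1x-only port (the original lab setup): a printer never answers the
 ! EAP challenge, so after the timeout the switch itself parks it in the
 ! guest VLAN and the LAN Enforcer is never consulted.
 dot1x pae authenticator
 authentication port-control auto
 authentication event no-response action authorize vlan 99
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 20
 ! Corrected port: try 802.1x first, then fall back to MAB. The switch sends
 ! the MAC to the Enforcer, and the local database decides production vs.
 ! quarantine VLAN.
 dot1x pae authenticator
 mab
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication port-control auto
 ! Shorter 802.1x wait so supplicant-less devices reach MAB sooner.
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
```

On the corrected port, a laptop without the SNAC agent and not in the whitelist still reaches the Enforcer via MAB and lands in the quarantine VLAN, which is the behaviour the first post observed once MAB was in place.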