
SNAC-LAN Enforcer Transparent mode

Created: 01 Jun 2012 • Updated: 24 Jul 2012 | 14 comments
awmhove:
This issue has been solved. See solution.

Greetings,

I have set up SNAC for host integrity checking as a LAN Enforcer in transparent mode. I have set up VLANs on the switch and set up interfaces on the router with routing. Pinging from a client PC when connected to the guest VLAN is successful. When I connect a PC to the switch it fails to authenticate and is moved to the guest VLAN; that is when the Wired AutoConfig service is not running. If I start the Wired AutoConfig service it tries to authenticate but fails and does not move the PC to the guest VLAN or quarantine VLAN. On the Symantec Endpoint Manager, in the SNAC settings, I have set it to ignore the result of the host integrity check and the action is to open the port. I enabled debug on the switch, and when the switch is trying to authenticate it shows a message that the SNAC Enforcer is not responding.

The SNAC kernel log shows "[  radproxy.c][ 2846]: Invalid signature from switch 192.168.1.2", but the key password matches. Please assist; I don't know where I'm going wrong. Below is the Cisco 2960 switch config:

int vlan 1
ip address 192.168.1.2 255.255.255.0
no shut
 
int g0/1
switchport mode trunk
switchport trunk native vlan 1
 
vlan 10
name quarantine
 
vlan 20
name guest
 
int range g0/2 - 15
switchport mode access
switchport access vlan 1
dot1x port-control auto
dot1x reauthentication
dot1x timeout reauth-period 30
dot1x guest-vlan 20
 
int range g0/16 - 20
switchport mode access
switchport access vlan 10
 
int range g0/21 - 24
switchport mode access
switchport access vlan 20
 
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
 
radius-server host 10.2.0.78 auth-port 1812 acct-port 1813 key Password1
radius-server retransmit 3


cemilebaşak:

Hi;

On the SEPM side you must select "use SNAC client as a supplicant" for transparent mode. If you don't select this you will face this kind of problem. And you must also add the IP address of the switch in the LAN Enforcer configuration.

And can you please send the configuration screens on SEPM for further assistance.

Regards.

Cemile

Regards;

Cemile Denerel BAŞAK

Note: Please mark as solution if its help you.

awmhove:

Hi,

Thanks for the help. Please find attached the config screens on the SEPM.

Is there a way to tell if port 1812 is open? I tried to telnet to the SNAC IP address on port 1812 and it's refusing. I also did a debug on the switch; below is a sample:

*Mar  1 01:36:33.961: RADIUS/ENCODE(0000000C):Orig. component type = DOT1X
*Mar  1 01:36:33.961: RADIUS:  AAA Unsupported Attr: audit-session-id  [599] 24
*Mar  1 01:36:33.961: RADIUS:   43 30 41 38 30 31 30 32 30 30 30 30 30 30 30 42  [C0A801020000000B]
*Mar  1 01:36:33.961: RADIUS:   30 30 34 36 41 41            [ 0046AA]
*Mar  1 01:36:33.961: RADIUS:  AAA Unsupported Attr: interface         [170] 19
*Mar  1 01:36:33.961: RADIUS:   47 69 67 61 62 69 74 45 74 68 65 72 6E 65 74 30  [GigabitEthernet0]
*Mar  1 01:36:33.961: RADIUS:   2F                 [ /]
*Mar  1 01:36:33.961: RADIUS(0000000C): Config NAS IP: 0.0.0.0
*Mar  1 01:36:33.961: RADIUS/ENCODE(0000000C): acct_session_id: 12
*Mar  1 01:36:33.961: RADIUS(0000000C): sending
*Mar  1 01:36:33.961: RADIUS/ENCODE: Best Local IP-Address 192.168.1.2 for Radius-Server 10.2.0.78
*Mar  1 01:36:33.961: RADIUS(0000000C): Send Access-Request to 10.2.0.78:1812 id 1645/3, len 192
*Mar  1 01:36:33.961: RADIUS:  authenticator 74 DC 9B 55 92 D5 68 78 - 8D 8C C9 5F 94 97 BE 1D
*Mar  1 01:36:33.961: RADIUS:  User-Name           [1]   30  "zzzzzz\Administrator"
*Mar  1 01:36:33.961: RADIUS:  Service-Type        [6]   6   Framed                    [2]
*Mar  1 01:36:33.961: RADIUS:  Framed-MTU          [12]  6   1500
*Mar  1 01:36:33.969: RADIUS:  Called-Station-Id   [30]  19  "04-FE-7F-62-44-8A"
*Mar  1 01:36:33.969: RADIUS:  Calling-Station-Id  [31]  19  "00-19-DB-55-96-AF"
*Mar  1 01:36:33.969: RADIUS:  EAP-Message         [79]  35
*Mar  1 01:36:33.969: RADIUS:   02 02 00 21 01 44 49 54 49 2D 4A 53 48 45 4E 4A 45 52 45 5C  [!zzzzzz\]
*Mar  1 01:36:33.969: RADIUS:   41 64 6D 69 6E 69 73 74 72 61 74 6F 72     [ Administrator]
*Mar  1 01:36:33.969: RADIUS:  Message-Authenticato[80]  18
*Mar  1 01:36:33.969: RADIUS:   AC C7 2C CC B8 67 6A A4 0F 37 41 1C 99 69 98 49           [ ,gj7AiI]
*Mar  1 01:36:33.969: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
*Mar  1 01:36:33.969: RADIUS:  NAS-Port            [5]   6   50010
*Mar  1 01:36:33.969: RADIUS:  NAS-Port-Id         [87]  21  "GigabitEthernet0/10"
*Mar  1 01:36:33.969: RADIUS:  NAS-IP-Address      [4]   6   192.168.1.2
*Mar  1 01:36:38.918: RADIUS: Retransmit to (10.2.0.78:1812,1813) for id 1645/3
*Mar  1 01:36:43.784: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.2.0.78:1812,1813 is not responding.
*Mar  1 01:36:43.784: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.2.0.78:1812,1813 has returned.
*Mar  1 01:36:43.784: RADIUS: Retransmit to (10.2.0.78:1812,1813) for id 1645/3
*Mar  1 01:36:48.347: RADIUS: Retransmit to (10.2.0.78:1812,1813) for id 1645/3
Attachment: nac config images.rar (74.53 KB)
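The debug above shows the switch sending an Access-Request with a Message-Authenticator attribute ([80], 18 bytes) and then retransmitting until it declares the server dead, while the LAN Enforcer side logged "Invalid signature from switch". The following is an added example, not code from this thread or from Symantec: it builds an Access-Request with the same attribute types the 2960 sends, computes the Message-Authenticator the way RFC 3579 specifies (HMAC-MD5 over the packet with the attribute zeroed, keyed by the shared secret), and verifies it against a correct and a wrong secret. It also includes a UDP probe of port 1812 using a Status-Server packet (RFC 5997); whether a given LAN Enforcer build answers Status-Server is an assumption, and the function names, the hypothetical user name and the secret Password1 are constructed values, not taken from the attached screenshots.

```python
"""Added example (not from the thread): build and verify a RADIUS
Access-Request with a Message-Authenticator, and probe a RADIUS port over UDP."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
STATUS_SERVER = 12
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def _attr(atype, value):
    """Encode one Type-Length-Value attribute (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def find_message_authenticator(packet):
    """Return the offset of the Message-Authenticator attribute, or None."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return None  # malformed attribute list
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            return pos
        pos += alen
    return None


def _sign(packet, secret):
    """Fill the zeroed Message-Authenticator with HMAC-MD5 over the packet."""
    pos = find_message_authenticator(packet)
    zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return packet[:pos + 2] + mac + packet[pos + 18:]


def build_access_request(identifier, secret, username, nas_ip, nas_port):
    """Access-Request as a dot1x switch sends it: User-Name, NAS-IP-Address,
    NAS-Port and a Message-Authenticator keyed with the shared secret."""
    authenticator = os.urandom(16)  # Request Authenticator: random per request
    attrs = (
        _attr(ATTR_USER_NAME, username.encode())
        + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
        + _attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
        + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return _sign(header + authenticator + attrs, secret)


def verify_message_authenticator(packet, secret):
    """What the server side does before answering: recompute the HMAC with
    its own copy of the secret and compare in constant time."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = find_message_authenticator(packet)
    if pos is None:
        return False
    received = packet[pos + 2:pos + 18]
    zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def probe_radius_port(host, secret, port=1812, timeout=3.0):
    """Send a Status-Server datagram (RFC 5997) over UDP and report whether
    anything comes back. RADIUS is UDP, so a TCP telnet to 1812 is always
    refused; and a request whose Message-Authenticator does not verify is
    silently discarded (RFC 3579), so a wrong secret looks exactly like a
    dead server. Returns True on any reply, False on timeout."""
    attrs = _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", STATUS_SERVER, 1, HEADER_LEN + len(attrs))
    packet = _sign(header + os.urandom(16) + attrs, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return len(reply) >= HEADER_LEN


if __name__ == "__main__":
    # Constructed values echoing the thread: switch 192.168.1.2, secret Password1
    req = build_access_request(3, b"Password1", "zzzzzz\\Administrator", "192.168.1.2", 50010)
    print("correct secret verifies:", verify_message_authenticator(req, b"Password1"))
    print("wrong secret verifies:  ", verify_message_authenticator(req, b"Password2"))
```

The point for anyone chasing a "not responding" plus "invalid signature" pair: the switch's RADIUS_DEAD message and the Enforcer's signature error are two views of the same event, because a secret mismatch produces no reply at all rather than a reject. Compare the secret configured on the switch with the one in the switch profile on the Enforcer (trailing spaces and case included) before looking at the network path.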
cemilebaşak:

Can you please send the data which is included in the RADIUS Group.

You must add a dummy RADIUS server with the IP address 0.0.0.0.

Regards;

Cemile Denerel BAŞAK


cemilebaşak:

The RADIUS Group must be like this.

And the actions must be like this.

Regards;

Cemile Denerel BAŞAK


SOLUTION
awmhove:

What's in the screenshots above is how I configured my SEPM. It looks like the LAN Enforcer is not responding to requests. Below is a log; what could it mean?

Jun/08/2012 12:52:43  [  radproxy.c][ 4494]: PEAP, start packet eap id is 3, current eap packet id 3
Jun/08/2012 12:52:43  [  radproxy.c][ 4508]: Payload=83, EAP Length=87, eaphdr=4, Reply=52
Jun/08/2012 12:52:43  [  radproxy.c][ 4660]: No LAN Enforcer reply header for user zzzzz\Administrator
Jun/08/2012 12:52:43  [  radproxy.c][ 4734]: Forward packet from user zzzzz\Administrator via switch 192.168.1.2 to RADIUS server 0.0.0.0
Jun/08/2012 12:52:43  [  radproxy.c][ 2753]: Failed to find switch profile with IP 127.0.0.1!
Jun/08/2012 12:52:46  [  radproxy.c][ 9082]: Current RADIUS Server for user(is ACCT=0) zzzzz\Administrator[00-19-DB-55-96-AF], on Switch 10 is switched from 0.0.0.0 to 0.0.0.0.
Jun/08/2012 12:52:46  [  radproxy.c][ 1008]: Challenge response already sent to RADIUS server. No response, directly send response to switch!
Jun/08/2012 12:52:46  [  radproxy.c][ 8014]: Action table rule order 2 matched! vlan_index=0, vlan_id=0
Jun/08/2012 12:52:46  [  radproxy.c][ 8195]: Client[0000000d] zzzzz\Administrator, Status Recevied(HI:UNAVAILABLE, EAP:FAILED, PRO:UNKNOWN), UID is UNKNOWN, HI will be set to N/A, Enforcer matches(HI:ANY, EAP:ANY, PRO:ANY), CLOSE_PORT on switch 192.168.1.2.
Jun/08/2012 12:52:48  [  radproxy.c][ 4494]: PEAP, start packet eap id is 3, current eap packet id 3
Jun/08/2012 12:52:48  [  radproxy.c][ 4508]: Payload=83, EAP Length=87, eaphdr=4, Reply=52
Jun/08/2012 12:52:48  [  radproxy.c][ 4660]: No LAN Enforcer reply header for user zzzzz\Administrator
Jun/08/2012 12:52:48  [  radproxy.c][ 4734]: Forward packet from user zzzzz\Administrator via switch 192.168.1.2 to RADIUS server 0.0.0.0
Jun/08/2012 12:52:48  [  radproxy.c][ 2753]: Failed to find switch profile with IP 127.0.0.1!
Jun/08/2012 12:52:51  [  radproxy.c][ 9082]: Current RADIUS Server for user(is ACCT=0) zzzzz\Administrator[00-19-DB-55-96-AF], on Switch 10 is switched from 0.0.0.0 to 0.0.0.0.
Jun/08/2012 12:52:51  [  radproxy.c][ 1008]: Challenge response already sent to RADIUS server. No response, directly send response to switch!
Jun/08/2012 12:52:51  [  radproxy.c][ 8014]: Action table rule order 2 matched! vlan_index=0, vlan_id=0
Jun/08/2012 12:52:51  [  radproxy.c][ 8195]: Client[0000000d] zzzzz\Administrator, Status Recevied(HI:UNAVAILABLE, EAP:FAILED, PRO:UNKNOWN), UID is UNKNOWN, HI will be set to N/A, Enforcer matches(HI:ANY, EAP:ANY, PRO:ANY), CLOSE_PORT on switch 192.168.1.2.
--- Press CTRL+C to quit ---
Jun/08/2012 12:52:53  [  radproxy.c][ 4494]: PEAP, start packet eap id is 3, current eap packet id 3
Jun/08/2012 12:52:53  [  radproxy.c][ 4508]: Payload=83, EAP Length=87, eaphdr=4, Reply=52
Jun/08/2012 12:52:53  [  radproxy.c][ 4660]: No LAN Enforcer reply header for user zzzzz\Administrator
Jun/08/2012 12:52:53  [  radproxy.c][ 4734]: Forward packet from user zzzzz\Administrator via switch 192.168.1.2 to RADIUS server 0.0.0.0
Jun/08/2012 12:52:53  [  radproxy.c][ 2753]: Failed to find switch profile with IP 127.0.0.1!
Jun/08/2012 12:52:55  [  radproxy.c][ 9082]: Current RADIUS Server for user(is ACCT=0) zzzzz\Administrator[00-19-DB-55-96-AF], on Switch 10 is switched from 0.0.0.0 to 0.0.0.0.
Jun/08/2012 12:52:55  [  radproxy.c][ 1008]: Challenge response already sent to RADIUS server. No response, directly send response to switch!
Jun/08/2012 12:52:55  [  radproxy.c][ 8014]: Action table rule order 2 matched! vlan_index=0, vlan_id=0
Jun/08/2012 12:52:55  [  radproxy.c][ 8195]: Client[0000000d] zzzzz\Administrator, Status Recevied(HI:UNAVAILABLE, EAP:FAILED, PRO:UNKNOWN), UID is UNKNOWN, HI will be set to N/A, Enforcer matches(HI:ANY, EAP:ANY, PRO:ANY), CLOSE_PORT on switch 192.168.1.2.
Jun/08/2012 12:53:55  [  radproxy.c][  605]: Remove zzzzz\Administrator since it's timeout!
 
cemilebaşak:

Hi;

Can you please upgrade your LAN Enforcer to the latest version, and also SNAC to 12.1 RU1 MP1.

In one of my cases the problems were solved after the upgrade.

Regards;

Cemile Denerel BAŞAK


awmhove:

OK, thanks, I will upgrade.

Just something that has come to my mind: do I have to enable authentication on client PCs when I'm using transparent mode? What it does is host integrity. Also, if so, which authentication protocol do I use, e.g. PEAP, MD5-Challenge, etc.?

cemilebaşak:

Hi;

If you want to use authentication you must use full mode, not transparent mode.

And you must also use RADIUS (for example IAS or NPS) for user authentication. In that case you can use EAP or PEAP, depending on your RADIUS.

Regards;

Cemile Denerel BAŞAK


awmhove:

Thanks a lot for the assistance. The Symantec LAN Enforcer is working well when I'm using the protocol "Symantec NAC transparent mode". I noticed the actions tab states that we ignore the result of "policy check". Can I check for policies like whether the antivirus is updated, etc.?

cemilebaşak:

Yes.

With a Host Integrity policy you can check antivirus updates or anything you want. Host Authentication means Host Integrity.

Regards;

Cemile Denerel BAŞAK


awmhove:

Hi,

Is there a way of starting the Wired AutoConfig service on computers remotely, like via Group Policy, and selecting "Symantec NAC transparent mode" as the authentication method?

awmhove:

I have configured my VLANs as:

vlan 1 default

vlan 10 quarantine

My switch interfaces are VLAN 1 - 192.168.1.2

VLAN 10 - 192.168.10.2

I get the error "Jul/11/2012 16:54:23  [  radproxy.c][ 2753]: Failed to find switch profile with IP 192.168.10.2!". What does it mean and how can I resolve this?

Also, authentication fails.

awmhove:

Hey,

I noticed it was authenticating, but it's working perfectly now.

Is there a way to grant access to a computer so that it can bypass the NAC authentication and access network resources without being moved to the guest or quarantine VLAN?