Network Access Control

  • 1.  Unmanaged endpoint to distinct VLANs

    Posted Jul 08, 2008 01:13 PM

    Hi,

    When using LAN Enforcer with unmanaged endpoints, does it have any criteria to put this machine on distinct VLANs?

    Example: There is a contractor that needs to have access to the Oracle Database Server. Another contractor needs to access the ERP Application Server. Each of these servers is in a different VLAN. By using some criteria, such as MAC address, for example, can we direct each contractor to the different VLANs?

    Thanks!

    Marcelo Brunner

    EZ-Security



  • 2.  RE: Unmanaged endpoint to distinct VLANs

    Posted Jul 10, 2008 02:22 PM

    Hi Marcelo,

    RADIUS allows you to specify a VLAN for each user. In your example, you will need to create a user account for each contractor, specify the VLAN for the contractor, and have them connect to your network through 802.1x authentication. You can then set a rule in LAN Enforcer with HI and Profile "Unavailable" and EAP "Pass", and then set it to "Open Port". When the contractor passes the user authentication, RADIUS will instruct the LAN Enforcer which VLAN the user should be put into, and the LAN Enforcer will then forward the information to the switch.

    With this implementation, your network is still at risk, since you don't know if the unmanaged endpoints meet your minimum security policy. In the August/September time frame, we are going to release a guest solution for this situation. The guest solution contains a dissolvable agent, so unmanaged endpoints can download the dissolvable agent and have an HI policy check on the endpoint to make sure the endpoint is compliant before allowing it onto your network.

    Mandy Pang

    Product Manager, SNAC

    Symantec Corporation
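An added example (not from this thread and not Symantec's own code) of the mechanism Mandy describes: the RADIUS server answers a successful 802.1x authentication with an Access-Accept carrying the RFC 3580 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes, and the authenticator (LAN Enforcer / switch) reads the per-user VLAN from them. It assumes standard RFC 3580 attributes are used; the contractor account names and VLAN numbers are constructed for illustration.

```python
import struct

# RADIUS attribute types and enumerated values from RFC 2868 / RFC 3580
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed per-contractor VLAN map: one RADIUS account per contractor, as the reply suggests
CONTRACTOR_VLANS = {"contractor-oracle": 110, "contractor-erp": 120}


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length (including header), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """Build the attribute triple an Access-Accept carries to assign a VLAN (RFC 3580 s.3.31)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("invalid VLAN id")
    # Integer tunnel attributes are a 1-byte tag followed by a 3-byte integer
    vlan_type = bytes([tag]) + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]
    medium = bytes([tag]) + struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:]
    group_id = bytes([tag]) + str(vlan_id).encode("ascii")
    return _attr(TUNNEL_TYPE, vlan_type) + _attr(TUNNEL_MEDIUM_TYPE, medium) + _attr(TUNNEL_PRIVATE_GROUP_ID, group_id)


def access_accept_attrs_for(user: str) -> bytes:
    """What the RADIUS server would attach to the Access-Accept for a known contractor account."""
    return vlan_attributes(CONTRACTOR_VLANS[user])


def parse_attributes(data: bytes) -> list:
    """Split a RADIUS attribute list into (type, value) pairs, rejecting truncated or bad lengths."""
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def assigned_vlan(attrs: bytes):
    """Authenticator side: return the VLAN id to apply, or None if no complete VLAN triple is present."""
    by_tag = {}  # attributes are grouped by their tag byte, so a tag 1 triple must be complete
    for atype, value in parse_attributes(attrs):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("bad tunnel integer attribute")
            by_tag.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # The tag is only present when the first octet is <= 0x1F (RFC 2868 s.3.6)
            tag, group = (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)
            by_tag.setdefault(tag, {})[atype] = group.decode("ascii", "strict")
    for fields in by_tag.values():
        if (fields.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and fields.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and fields.get(TUNNEL_PRIVATE_GROUP_ID, "").isdigit() and 1 <= int(fields[TUNNEL_PRIVATE_GROUP_ID]) <= 4094):
            return int(fields[TUNNEL_PRIVATE_GROUP_ID])
    return None
```

A switch receiving an Access-Accept without a complete, consistent triple falls back to its default VLAN, which is why the decoder returns None rather than guessing.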