Network Access Control


SNAC-LAN Enforcer Transparent mode

  • 1.  SNAC-LAN Enforcer Transparent mode

    Posted Jun 01, 2012 09:45 AM

    Greetings,

    I have set up SNAC for host integrity checking as a LAN Enforcer in transparent mode. I have set up VLANs on the switch and interfaces on the router with routing. Pinging from the client PC when it is connected to the guest VLAN is successful. When I connect a PC to the switch it fails to authenticate and is moved to the guest VLAN; that is when the Wired AutoConfig service is not running. If I start the Wired AutoConfig service it tries to authenticate but fails, and does not move the PC to the guest VLAN or the quarantine VLAN. On the Symantec Endpoint Manager, in the SNAC settings, I have set it to ignore the result of the host integrity check and the action is to open the port. I enabled debug on the switch, and when the switch is trying to authenticate it shows a message that the SNAC Enforcer is not responding.

    The SNAC kernel log shows "[  radproxy.c][ 2846]: Invalid signature from switch 192.168.1.2", but the key password matches. Please assist, I don't know where I'm going wrong. Below is the Cisco 2960 switch config:

     

    int vlan 1
    ip address 192.168.1.2 255.255.255.0
    no shut
     
    int g0/1
    switchport mode trunk
    switchport trunk native vlan 1
     
    vlan 10
    name quarantine
     
    vlan 20
    name guest
     
    int range g0/2 - 15
    switchport mode access
    switchport access vlan 1
    dot1x port-control auto
    dot1x reauthentication
    dot1x timeout reauth-period 30
    dot1x guest-vlan 20
     
    int range g0/16 - 20
    switchport mode access
    switchport access vlan 10
     
    int range g0/21 - 24
    switchport mode access
    switchport access vlan 20
     
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    dot1x system-auth-control
     
    radius-server host 10.2.0.78 auth-port 1812 acct-port 1813 key Password1
    radius-server retransmit 3

     



  • 2.  RE: SNAC-LAN Enforcer Transparent mode

    Posted Jun 05, 2012 06:11 AM

    Hi,

    On the SEPM side you must select "use SNAC client as a supplicant" for transparent mode. If you don't select this you will face this kind of problem. And you must also add the IP address of the switch in the LAN Enforcer configuration.

    And can you please send the configuration screens on SEPM for further assistance.

    Regards.

    Cemile



  • 3.  RE: SNAC-LAN Enforcer Transparent mode

    Posted Jun 05, 2012 12:56 PM

    Hi,

    Thanks for the help. Please find attached the config screens on the SEPM.

    Is there a way to tell if port 1812 is open? I tried to telnet to the SNAC IP address on port 1812 and it is refusing. I also did a debug on the switch; below is a sample:

     

    *Mar  1 01:36:33.961: RADIUS/ENCODE(0000000C):Orig. component type = DOT1X
    *Mar  1 01:36:33.961: RADIUS:  AAA Unsupported Attr: audit-session-id  [599] 24
    *Mar  1 01:36:33.961: RADIUS:   43 30 41 38 30 31 30 32 30 30 30 30 30 30 30 42  [C0A801020000000B]
    *Mar  1 01:36:33.961: RADIUS:   30 30 34 36 41 41            [ 0046AA]
    *Mar  1 01:36:33.961: RADIUS:  AAA Unsupported Attr: interface         [170] 19
    *Mar  1 01:36:33.961: RADIUS:   47 69 67 61 62 69 74 45 74 68 65 72 6E 65 74 30  [GigabitEthernet0]
    *Mar  1 01:36:33.961: RADIUS:   2F                 [ /]
    *Mar  1 01:36:33.961: RADIUS(0000000C): Config NAS IP: 0.0.0.0
    *Mar  1 01:36:33.961: RADIUS/ENCODE(0000000C): acct_session_id: 12
    *Mar  1 01:36:33.961: RADIUS(0000000C): sending
    *Mar  1 01:36:33.961: RADIUS/ENCODE: Best Local IP-Address 192.168.1.2 for Radius-Server 10.2.0.78
    *Mar  1 01:36:33.961: RADIUS(0000000C): Send Access-Request to 10.2.0.78:1812 id 1645/3, len 192
    *Mar  1 01:36:33.961: RADIUS:  authenticator 74 DC 9B 55 92 D5 68 78 - 8D 8C C9 5F 94 97 BE 1D
    *Mar  1 01:36:33.961: RADIUS:  User-Name           [1]   30  "zzzzzz\Administrator"
    *Mar  1 01:36:33.961: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Mar  1 01:36:33.961: RADIUS:  Framed-MTU          [12]  6   1500
    *Mar  1 01:36:33.969: RADIUS:  Called-Station-Id   [30]  19  "04-FE-7F-62-44-8A"
    *Mar  1 01:36:33.969: RADIUS:  Calling-Station-Id  [31]  19  "00-19-DB-55-96-AF"
    *Mar  1 01:36:33.969: RADIUS:  EAP-Message         [79]  35
    *Mar  1 01:36:33.969: RADIUS:   02 02 00 21 01 44 49 54 49 2D 4A 53 48 45 4E 4A 45 52 45 5C  [!zzzzzz\]
    *Mar  1 01:36:33.969: RADIUS:   41 64 6D 69 6E 69 73 74 72 61 74 6F 72     [ Administrator]
    *Mar  1 01:36:33.969: RADIUS:  Message-Authenticato[80]  18
    *Mar  1 01:36:33.969: RADIUS:   AC C7 2C CC B8 67 6A A4 0F 37 41 1C 99 69 98 49           [ ,gj7AiI]
    *Mar  1 01:36:33.969: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    *Mar  1 01:36:33.969: RADIUS:  NAS-Port            [5]   6   50010
    *Mar  1 01:36:33.969: RADIUS:  NAS-Port-Id         [87]  21  "GigabitEthernet0/10"
    *Mar  1 01:36:33.969: RADIUS:  NAS-IP-Address      [4]   6   192.168.1.2
    *Mar  1 01:36:38.918: RADIUS: Retransmit to (10.2.0.78:1812,1813) for id 1645/3
    *Mar  1 01:36:43.784: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.2.0.78:1812,1813 is not responding.
    *Mar  1 01:36:43.784: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.2.0.78:1812,1813 has returned.
    *Mar  1 01:36:43.784: RADIUS: Retransmit to (10.2.0.78:1812,1813) for id 1645/3
    *Mar  1 01:36:48.347: RADIUS: Retransmit to (10.2.0.78:1812,1813) for id 1645/3

    Attachment(s): nac config images.rar (74 KB)
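Two points from the posts above can be checked offline: how a RADIUS peer validates the Message-Authenticator ([80] in the switch debug) that the switch signs with the shared secret, and why a refused telnet to port 1812 proves nothing, since RADIUS runs over UDP. The following is an added example, not Symantec or Cisco code; it assumes the enforcer's "Invalid signature" check is the RFC 2869 Message-Authenticator HMAC (an assumption) and reuses the secret Password1 and switch address 192.168.1.2 from the posted config.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
STATUS_SERVER = 12          # RFC 5997 liveness probe; answered only when the secret matches
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 attribute type, shown as [80] in the switch debug


def _attr(attr_type, value):
    """Encode one RADIUS attribute as type / length / value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(code, ident, secret, attrs, authenticator=None):
    """Build a RADIUS packet and sign it: Message-Authenticator is HMAC-MD5 over the
    whole packet (with the attribute's own 16 bytes zeroed), keyed by the shared secret."""
    authenticator = authenticator or os.urandom(16)
    body = b"".join(_attr(t, v) for t, v in attrs) + _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # the zeroed MAC is the last 16 bytes of the packet


def verify_message_authenticator(pkt, secret):
    """Return True if the packet's Message-Authenticator validates under `secret`.
    A mismatch is what a RADIUS peer reports as a bad signature from the switch (NAS)."""
    if len(pkt) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return False
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False  # malformed attribute list
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += attr_len
    return False  # no Message-Authenticator present


def status_server_probe(ident, secret):
    """Status-Server packet for testing reachability of UDP/1812 over the real transport;
    telnet speaks TCP, so a refused telnet says nothing about a UDP RADIUS listener."""
    nas_ip = bytes([192, 168, 1, 2])  # switch address from the thread's config
    return build_request(STATUS_SERVER, ident, secret, [(4, nas_ip)])
```

Sending the probe with a UDP socket to 10.2.0.78:1812 and waiting for a reply tells you whether the enforcer is listening and whether the two secrets agree; a packet that fails verify_message_authenticator with the configured secret is exactly the condition behind an "Invalid signature" log line.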


  • 4.  RE: SNAC-LAN Enforcer Transparent mode

    Posted Jun 06, 2012 04:43 AM

    Can you please send the data which is included in the RADIUS group.

    You must add a dummy RADIUS with the IP address 0.0.0.0.



  • 5.  RE: SNAC-LAN Enforcer Transparent mode
    Best Answer

    Posted Jun 06, 2012 05:18 AM

    The RADIUS group must be like this.

    And the actions must be like this.

     



  • 6.  RE: SNAC-LAN Enforcer Transparent mode

    Posted Jun 08, 2012 07:49 AM

    What is in the screenshots above is how I configured my SEPM. It looks like the LAN Enforcer is not responding to requests. Below is a log; what could it mean?


    Jun/08/2012 12:52:43  [  radproxy.c][ 4494]: PEAP, start packet eap id is 3, current eap packet id 3
    Jun/08/2012 12:52:43  [  radproxy.c][ 4508]: Payload=83, EAP Length=87, eaphdr=4, Reply=52
    Jun/08/2012 12:52:43  [  radproxy.c][ 4660]: No LAN Enforcer reply header for user zzzzz\Administrator
    Jun/08/2012 12:52:43  [  radproxy.c][ 4734]: Forward packet from user zzzzz\Administrator via switch 192.168.1.2 to RADIUS server 0.0.0.0
    Jun/08/2012 12:52:43  [  radproxy.c][ 2753]: Failed to find switch profile with IP 127.0.0.1!
    Jun/08/2012 12:52:46  [  radproxy.c][ 9082]: Current RADIUS Server for user(is ACCT=0) zzzzz\Administrator[00-19-DB-55-96-AF], on Switch 10 is switched from 0.0.0.0 to 0.0.0.0.
    Jun/08/2012 12:52:46  [  radproxy.c][ 1008]: Challenge response already sent to RADIUS server. No response, directly send response to switch!
    Jun/08/2012 12:52:46  [  radproxy.c][ 8014]: Action table rule order 2 matched! vlan_index=0, vlan_id=0
    Jun/08/2012 12:52:46  [  radproxy.c][ 8195]: Client[0000000d] zzzzz\Administrator, Status Recevied(HI:UNAVAILABLE, EAP:FAILED, PRO:UNKNOWN), UID is UNKNOWN, HI will be set to N/A, Enforcer matches(HI:ANY, EAP:ANY, PRO:ANY), CLOSE_PORT on switch 192.168.1.2.
    Jun/08/2012 12:52:48  [  radproxy.c][ 4494]: PEAP, start packet eap id is 3, current eap packet id 3
    Jun/08/2012 12:52:48  [  radproxy.c][ 4508]: Payload=83, EAP Length=87, eaphdr=4, Reply=52
    Jun/08/2012 12:52:48  [  radproxy.c][ 4660]: No LAN Enforcer reply header for user zzzzz\Administrator
    Jun/08/2012 12:52:48  [  radproxy.c][ 4734]: Forward packet from user zzzzz\Administrator via switch 192.168.1.2 to RADIUS server 0.0.0.0
    Jun/08/2012 12:52:48  [  radproxy.c][ 2753]: Failed to find switch profile with IP 127.0.0.1!
    Jun/08/2012 12:52:51  [  radproxy.c][ 9082]: Current RADIUS Server for user(is ACCT=0) zzzzz\Administrator[00-19-DB-55-96-AF], on Switch 10 is switched from 0.0.0.0 to 0.0.0.0.
    Jun/08/2012 12:52:51  [  radproxy.c][ 1008]: Challenge response already sent to RADIUS server. No response, directly send response to switch!
    Jun/08/2012 12:52:51  [  radproxy.c][ 8014]: Action table rule order 2 matched! vlan_index=0, vlan_id=0
    Jun/08/2012 12:52:51  [  radproxy.c][ 8195]: Client[0000000d] zzzzz\Administrator, Status Recevied(HI:UNAVAILABLE, EAP:FAILED, PRO:UNKNOWN), UID is UNKNOWN, HI will be set to N/A, Enforcer matches(HI:ANY, EAP:ANY, PRO:ANY), CLOSE_PORT on switch 192.168.1.2.
    --- Press CTRL+C to quit ---
    Jun/08/2012 12:52:53  [  radproxy.c][ 4494]: PEAP, start packet eap id is 3, current eap packet id 3
    Jun/08/2012 12:52:53  [  radproxy.c][ 4508]: Payload=83, EAP Length=87, eaphdr=4, Reply=52
    Jun/08/2012 12:52:53  [  radproxy.c][ 4660]: No LAN Enforcer reply header for user zzzzz\Administrator
    Jun/08/2012 12:52:53  [  radproxy.c][ 4734]: Forward packet from user zzzzz\Administrator via switch 192.168.1.2 to RADIUS server 0.0.0.0
    Jun/08/2012 12:52:53  [  radproxy.c][ 2753]: Failed to find switch profile with IP 127.0.0.1!
    Jun/08/2012 12:52:55  [  radproxy.c][ 9082]: Current RADIUS Server for user(is ACCT=0) zzzzz\Administrator[00-19-DB-55-96-AF], on Switch 10 is switched from 0.0.0.0 to 0.0.0.0.
    Jun/08/2012 12:52:55  [  radproxy.c][ 1008]: Challenge response already sent to RADIUS server. No response, directly send response to switch!
    Jun/08/2012 12:52:55  [  radproxy.c][ 8014]: Action table rule order 2 matched! vlan_index=0, vlan_id=0
    Jun/08/2012 12:52:55  [  radproxy.c][ 8195]: Client[0000000d] zzzzz\Administrator, Status Recevied(HI:UNAVAILABLE, EAP:FAILED, PRO:UNKNOWN), UID is UNKNOWN, HI will be set to N/A, Enforcer matches(HI:ANY, EAP:ANY, PRO:ANY), CLOSE_PORT on switch 192.168.1.2.
    Jun/08/2012 12:53:55  [  radproxy.c][  605]: Remove zzzzz\Administrator since it's timeout!
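The enforcer log above repeats a few line shapes that carry the whole diagnosis: the RADIUS target each request was forwarded to, the switch IP that has no profile, the action-table rule that matched, and the per-client status triple behind the CLOSE_PORT decision. The following added example (not Symantec code) pulls those out of a constructed sample in the same format, combining lines from this post with the profile error reported later in the thread for 192.168.10.2.

```python
import re

# Constructed sample in the format of the SNAC LAN Enforcer radproxy log above; the
# last line mirrors the later post about switch 192.168.10.2. Not a capture from the poster.
SAMPLE_LOG = r"""
Jun/08/2012 12:52:43  [  radproxy.c][ 4734]: Forward packet from user zzzzz\Administrator via switch 192.168.1.2 to RADIUS server 0.0.0.0
Jun/08/2012 12:52:43  [  radproxy.c][ 2753]: Failed to find switch profile with IP 127.0.0.1!
Jun/08/2012 12:52:46  [  radproxy.c][ 8014]: Action table rule order 2 matched! vlan_index=0, vlan_id=0
Jun/08/2012 12:52:46  [  radproxy.c][ 8195]: Client[0000000d] zzzzz\Administrator, Status Recevied(HI:UNAVAILABLE, EAP:FAILED, PRO:UNKNOWN), UID is UNKNOWN, HI will be set to N/A, Enforcer matches(HI:ANY, EAP:ANY, PRO:ANY), CLOSE_PORT on switch 192.168.1.2.
Jul/11/2012 16:54:23  [  radproxy.c][ 2753]: Failed to find switch profile with IP 192.168.10.2!
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"  # exactly four octets, so a trailing sentence period is not captured
DECISION_RE = re.compile(r"Client\[(\w+)\] (\S+), Status Recevied\(HI:(\w+), EAP:(\w+), PRO:(\w+)\).*?(\w+_PORT) on switch " + IP)
RULE_RE = re.compile(r"Action table rule order (\d+) matched! vlan_index=(\d+), vlan_id=(\d+)")
PROFILE_RE = re.compile(r"Failed to find switch profile with IP " + IP)
FORWARD_RE = re.compile(r"via switch " + IP + r" to RADIUS server " + IP)


def summarize(log_text):
    """Walk the enforcer log and collect what a troubleshooter wants: each port decision with
    the status triple behind it, matched rules, switch IPs without a profile, forward targets."""
    summary = {"decisions": [], "rules": [], "unprofiled_switches": set(), "forwards": set()}
    for line in log_text.splitlines():
        if m := DECISION_RE.search(line):
            client_id, user, hi, eap, pro, action, switch = m.groups()
            summary["decisions"].append({"client": client_id, "user": user, "hi": hi, "eap": eap,
                                         "pro": pro, "action": action, "switch": switch})
        elif m := RULE_RE.search(line):
            summary["rules"].append(tuple(int(x) for x in m.groups()))  # (order, vlan_index, vlan_id)
        elif m := PROFILE_RE.search(line):
            summary["unprofiled_switches"].add(m.group(1))
        elif m := FORWARD_RE.search(line):
            summary["forwards"].add((m.group(1), m.group(2)))
    return summary


def findings(summary):
    """Turn the summary into plain-language problems; each maps to a fix suggested in the thread."""
    out = []
    if summary["unprofiled_switches"]:
        out.append("switch IPs without an enforcer profile: " + ", ".join(sorted(summary["unprofiled_switches"])))
    if any(target == "0.0.0.0" for _, target in summary["forwards"]):
        out.append("requests forwarded to RADIUS 0.0.0.0 (the dummy server used in transparent mode)")
    for d in summary["decisions"]:
        if d["action"] == "CLOSE_PORT":
            out.append(f"port closed for {d['user']} on {d['switch']} (HI={d['hi']}, EAP={d['eap']})")
    return out
```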
     


  • 7.  RE: SNAC-LAN Enforcer Transparent mode

    Posted Jun 09, 2012 06:14 AM

    Hi,

    Can you please upgrade your LAN Enforcer to the latest version, and also SNAC to 12.1 RU1 MP1.

    In one of my cases the problem was solved after the upgrade.



  • 8.  RE: SNAC-LAN Enforcer Transparent mode

    Posted Jun 11, 2012 03:05 AM

    OK, thanks, I will upgrade.

    Just something that has come to mind: do I have to enable authentication on the client PCs when I'm using transparent mode, since what it does is host integrity? Also, if so, which authentication protocol do I use, e.g. PEAP, MD5-Challenge, etc.?



  • 9.  RE: SNAC-LAN Enforcer Transparent mode

    Posted Jun 11, 2012 03:23 AM

    Hi,

    If you want to use authentication you must use full mode, not transparent mode.

    And you must also use RADIUS (for example IAS or NPS) for user authentication. In that case you can use EAP or PEAP, depending on your RADIUS.



  • 10.  RE: SNAC-LAN Enforcer Transparent mode

    Posted Jun 14, 2012 11:26 AM

    Thanks a lot for the assistance; the Symantec LAN Enforcer is working well when I'm using the protocol "Symantec NAC transparent mode". I noticed on the actions tab it states that we ignore the result of "policy check". Can I check for policies such as whether the antivirus is updated, etc.?



  • 11.  RE: SNAC-LAN Enforcer Transparent mode

    Posted Jun 15, 2012 03:17 AM

    Yes.

    With a Host Integrity policy you can check antivirus updates or anything you want. Host Authentication means Host Integrity.



  • 12.  RE: SNAC-LAN Enforcer Transparent mode

    Posted Jun 19, 2012 04:21 PM

    Hi,

    Is there a way of starting the Wired AutoConfig service on computers remotely, e.g. via group policy, and selecting "Symantec NAC transparent mode" as the authentication method?



  • 13.  RE: SNAC-LAN Enforcer Transparent mode

    Posted Jul 11, 2012 11:18 AM

    I have configured my VLANs as:

    vlan 1 default

    vlan 10 quarantine

    My switch interfaces are vlan 1 - 192.168.1.2

    vlan 10 - 192.168.10.2

    I get the error "Jul/11/2012 16:54:23  [  radproxy.c][ 2753]: Failed to find switch profile with IP 192.168.10.2!". What does it mean and how can I resolve this?

    Also, authentication fails.



  • 14.  RE: SNAC-LAN Enforcer Transparent mode

    Posted Jul 12, 2012 11:23 AM

    Hey,

    I noticed it was authenticating, but it's working perfectly now.

    Is there a way to grant access to a computer so that it can bypass the NAC authentication and access network resources without being moved to the guest or quarantine VLAN?



  • 15.  RE: SNAC-LAN Enforcer Transparent mode