Extreme Management Center
Cisco Switch Integration Guide

Abstract: This document describes how to use a Cisco switch as an edge enforcement point in Extreme Management Center (formerly NetSight). The intended audience for this document is an Extreme Networks employee or partner with an Extreme Management Center certification.

Published: August 2017

Extreme Networks, Inc
Via Del Oro
San Jose, California
Phone / Toll-free /

Extreme Networks, Inc. All rights reserved. Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names are the property of their respective owners. All other registered trademarks, trademarks, and service marks are property of their respective owners. For additional information on Extreme Networks trademarks, see
Contents

Overview
Test Environment
Part 1: Configure the Cisco Switch
  Step 1: Configure SNMP
  Step 2: Configure RADIUS
  Step 3: Configure the VLANs and/or ACLs for Enforcement
  Step 4: Configure the Interfaces for Authentication
Part 2: Configure EAC for the Cisco Switch
  Step 1: Add the Cisco Switch to EAC
  Step 2: Configure the EAC Policy Mappings
  Step 3: Configure Router Lookups for IP Resolution
Appendix A: Example ACLs for the Cisco Switch
Appendix B: Considerations for VoIP Connections
Appendix C: IP Resolution Options
Appendix D: Troubleshooting
Revision History
Terms and Conditions for Use
Overview

There are five phases to integrating Cisco switches into Extreme Management Center (EMC, formerly NetSight):

1. All clients must authenticate to the Extreme Access Control (EAC, formerly NAC) engine using RADIUS. This can be either 802.1X or MAC authentication; in a Cisco network, MAC authentication is called MAC Authentication Bypass (MAB). This is the bare minimum needed for the end system to be visible within EAC.

2. Enforcement must be applied via RADIUS attributes. The standard method is to assign VLANs using the RFC-standard RADIUS VLAN attributes. However, this can leave users with stale IP addresses after they are moved between VLANs. The other method, which is also used for the Cisco wireless LAN controller (WLC), is to pass back dynamic Access Control Lists (ACLs) and Vendor Specific Attributes (VSAs), both of which can be used to provision user access dynamically.

3. A way is needed to re-authenticate devices on demand. The standards-based method is RFC 3576 (also known as RFC 5176), which dynamically sends a re-authentication request via RADIUS. This is also known as a CoA (Change of Authorization) or POD (Packet of Disconnect). EAC also has native support for Cisco's Reauthentication MIB, which can be used in place of the RFC-based method.

4. A way is needed to redirect users' web traffic for registration or remediation. Typically, policy-based routing is used if specific attributes can be set to single out the web traffic of an unregistered or quarantined user. However, it has not yet been discovered how to do this on Cisco. Instead, the DNS proxy redirection solution is used: it spoofs DNS responses to the client when the user needs to be redirected. Note that this functionality also requires a change to the DHCP scope to assign the EAC Gateway as a secondary DNS server.

5. Router SNMP queries need to be configured in order to verify the IP address of a connecting device. The IP address is discovered via DHCP snooping; however, it sometimes needs to be verified by querying the ARP cache of the router.

Note: If VLAN-based enforcement is to be used, policy-based routing should be used. It is still the best method for redirection.

Test Environment

- Extreme Management Center (NetSight) and Extreme Access Control (EAC) version
- Cisco 2960 version 12.2(58)SE2
- Cisco 3750 version 12.2(55)SE2
- Cisco 3750G version 15.0(2)SE2
- Cisco 3750X version 12.2(58)SE2
Part 1: Configure the Cisco Switch

This section covers configuring the Cisco switch to be monitored by Extreme Management Center (EMC, formerly NetSight) and configuring the switch to use EAC as its RADIUS server. All configuration is done from the command line; it is assumed that you have console access to the switch.

Step 1: Configure SNMP

For EMC to manage the switch, SNMP read/write access must be configured on it. We highly recommend that, if possible, the Cisco switch be configured to use SNMPv3. SNMPv3 has many advantages over v1 and v2, including secure communication and better performance. To configure SNMPv3 on a Cisco switch, enter the following commands:

    snmp-server group V3Group v3 auth read V3Read write V3Write
    snmp-server user snmpuser V3Group v3 auth md5 snmpauthcred priv des snmpprivcred
    snmp-server view V3Read iso included
    snmp-server view V3Write iso included

Where the switch image supports them, SHA authentication and AES privacy (auth sha, priv aes 128) are stronger than the MD5 and DES shown above.

Step 2: Configure RADIUS

So that the Cisco switch can authenticate against EAC, the EAC engine must be configured as a RADIUS server on the switch. This requires a few sets of commands. The first set creates aaa rules. Evaluate these carefully before applying them, because it is quite easy to lock out existing Telnet, SSH, or console access to the switch. Check whether any of these commands are already present and adjust accordingly. If no aaa commands are present, add the following:

    aaa new-model
    aaa authentication login default local
    aaa authentication enable default enable none
    ! add a username to log into the switch locally
    username admin privilege 15 password 0 MyPassword123

Note that password 0 stores the password unencrypted in the running configuration; username admin privilege 15 secret <password> stores a hash instead.

Use the following commands to add the EAC engine as a RADIUS server. The RADIUS shared secret is always ETS_TAG_SHARED_SECRET. The test username is used to verify that an EAC engine is still alive after a default period of 60 minutes. This account does not need to exist; the switch only looks for a response from the server.

    ! add a test account for RADIUS connectivity checks
    username test-radius privilege 0 password 0 BadPass123
    ! Repeat this command for all EAC engines the switch will authenticate against.
    radius-server host auth-port 1812 acct-port 1813 test username test-radius key ETS_TAG_SHARED_SECRET

After defining the EAC engines, add them to a group that can be used in the aaa configuration:

    aaa group server radius EAC
     ! Add any other EAC engines here
     server auth-port 1812 acct-port 1813

Define a few more RADIUS options for the switch so that the EAC process operates smoothly:

    ! set the source interface for the RADIUS traffic to be the management interface
    ip radius source-interface vlan 20
    radius-server attribute nas-port format c
    radius-server vsa send authentication
    radius-server vsa send accounting
    radius-server dead-criteria time 30 tries 3

Add the aaa rules for the switch to authenticate users against the EAC engines:

    aaa authentication dot1x default group EAC
    aaa authorization network default group EAC
    aaa accounting dot1x default start-stop group EAC
    aaa accounting update periodic 5

Add the following commands to enable RFC 3576 support. This is not required for EAC, but it can be useful if problems arise with re-authentication:

    ! time needs to be accurate for RFC 3576 to function properly.
    ntp server
    aaa server radius dynamic-author
     ! add any other EAC engines here
     server server-key ETS_TAG_SHARED_SECRET
     auth-type any

Add the following global commands to make the authentication process run more smoothly:

    ! time to wait in ms after the EAC comes back online
    authentication critical recovery delay 1000
    ! Allows a device to move between ports on a switch and still be authenticated
    authentication mac-move permit
    ! allows devices to connect to the network even if EAC is down
    dot1x critical eapol
    ! enables internal tracking of IPs on the switch
    ip device tracking
    ! turns on logging for internal policy functions
    epm logging

Step 3: Configure the VLANs and/or ACLs for Enforcement

There are two enforcement methods for devices attaching to a Cisco switch: passing back dynamic VLANs or passing back dynamic ACLs. Both the VLANs and the ACLs must exist on the switch before they can be dynamically assigned. To preconfigure VLANs, enter the following commands for each applicable VLAN. Defining both the VLAN ID and the name gives the option to use either one within EAC.

    vlan 98
     name Quarantine

To preconfigure the ACLs, enter the following commands for each applicable ACL. Note that ACL names cannot contain spaces.

    ip access-list extended Unregistered
     permit ip any host
     deny udp any any eq domain
     permit ip any any

Appendix A: Example ACLs for the Cisco Switch contains a list of example default ACLs that can be used as a starting point.

Note: According to Cisco's documentation, "For any ACL configured for multiple-host mode, the source portion of the statement must be any" (for example, permit icmp any host). This is believed to be true for multi-auth mode as well. If this rule is not followed, authorization will fail.

Step 4: Configure the Interfaces for Authentication

Each interface that will be connected to an end system should have authentication enabled in order to be visible in EAC. The commands below assume that both 802.1X and MAC authentication will be used on the wire; if 802.1X will not be used, its commands can be removed from the list. These commands will most likely need to be merged with existing commands on each interface. The interface range command can be used to modify multiple interfaces at once.

    interface GigabitEthernet 1/0/10
     switchport mode access
     switchport access vlan 3
     ! Allows traffic before authentication is completed.
     authentication open
     ! printers seem to have issues without this command turned on.
     authentication control-direction in
     ! allow multiple devices to authenticate to a single port.
     authentication host-mode multi-auth
     ! re-authenticate periodically
     authentication periodic
     ! listen to session-timeout information from EAC.
     authentication timer reauthenticate server
     ! if 802.1X fails, use MAC authentication
     authentication event fail action next-method
     ! if EAC fails, open access to the access VLAN listed above
     authentication event server dead action authorize vlan 3
     ! When EAC comes back online, re-authenticate.
     authentication event server alive action reinitialize
     ! use 802.1X first if available, then MAC authentication bypass.
     authentication order dot1x mab
     authentication priority dot1x mab
     ! if a device moves from one port to another, replace the existing session.
     authentication violation replace
     ! enable MAC authentication bypass and 802.1X.
     mab
     dot1x pae authenticator
     ! set 802.1X timeout to 10 seconds. This can be adjusted if the 802.1X timeout is taking
     ! too long. If 802.1X is used in the network, though, be careful of making it too low.
     dot1x timeout tx-period 10
     ! Set port as an edge port for Spanning Tree.
     spanning-tree portfast
     ! enable authentication on this port.
     authentication port-control auto

Note that authentication open together with authentication event server dead action authorize vlan 3 is a deliberate fail-open design: while EAC is unreachable, any device on the port is placed in the access VLAN, so plan that VLAN's reachability with this in mind.

After entering all of these commands, the interface should look similar to this:

    interface GigabitEthernet1/0/10
     switchport access vlan 3
     switchport mode access
     authentication control-direction in
     authentication event fail action next-method
     authentication event server dead action authorize vlan 3
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    end

If 802.1X will be used, enter one last command to globally enable 802.1X on the switch:

    dot1x system-auth-control
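A configuration audit for the Step 4 interface template, added here as an example and not part of the Extreme guide or product. It parses a running-config excerpt, reports which of the guide's required commands are missing from each interface, and checks that the server-dead fallback VLAN matches the port's access VLAN. The required-command list is transcribed from the guide; the sample configuration, including the deliberately mistyped second interface, is constructed for this example.

```python
"""Audit Cisco IOS interface blocks for the Step 4 edge-port authentication commands.
Added example (not from the Extreme guide): catches a mistyped or omitted
command before the port goes into service. REQUIRED mirrors the guide's list;
SAMPLE_CONFIG is constructed for this example."""
import re

# Every command the guide expects on an authenticated edge port. VLAN IDs
# and the tx-period are patterns because they vary per site.
REQUIRED = [
    r"switchport mode access",
    r"switchport access vlan \d+",
    r"authentication open",
    r"authentication control-direction in",
    r"authentication host-mode multi-auth",
    r"authentication periodic",
    r"authentication timer reauthenticate server",
    r"authentication event fail action next-method",
    r"authentication event server dead action authorize vlan \d+",
    r"authentication event server alive action reinitialize",
    r"authentication order dot1x mab",
    r"authentication priority dot1x mab",
    r"authentication violation replace",
    r"mab",
    r"dot1x pae authenticator",
    r"dot1x timeout tx-period \d+",
    r"spanning-tree portfast",
    r"authentication port-control auto",
]

def parse_interfaces(running_config):
    """Return {interface name: [commands]} from a running-config excerpt."""
    interfaces, current = {}, None
    for raw in running_config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "end" or another top-level command closes the block
    return interfaces

def missing_commands(commands):
    """Required commands (as patterns) that do not appear in the interface block."""
    return [p for p in REQUIRED if not any(re.fullmatch(p, c) for c in commands)]

def dead_vlan_matches_access_vlan(commands):
    """The server-dead fallback VLAN should equal the access VLAN (guide, Step 4)."""
    def find(pattern):
        return next((m.group(1) for c in commands if (m := re.fullmatch(pattern, c))), None)
    access = find(r"switchport access vlan (\d+)")
    return access is not None and access == find(
        r"authentication event server dead action authorize vlan (\d+)")

# Constructed sample: Gi1/0/10 follows the guide; Gi1/0/11 has a typo in
# control-direction, lacks several commands, and falls back to the wrong VLAN.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/10
 switchport access vlan 3
 switchport mode access
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 3
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
interface GigabitEthernet1/0/11
 switchport access vlan 3
 switchport mode access
 authentication contro-direction in
 authentication event server dead action authorize vlan 20
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
 spanning-tree portfast
end
"""
```

Paste the output of show running-config (or of show running-config interface for a range) in place of SAMPLE_CONFIG; an empty list from missing_commands and True from dead_vlan_matches_access_vlan means the port matches the template.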
Part 2: Configure EAC for the Cisco Switch

This section describes how to configure Extreme Management Center (EMC, formerly NetSight) and Extreme Access Control (EAC, formerly NAC) to monitor the Cisco switch and use it as an edge enforcement point for EAC.

Step 1: Add the Cisco Switch to EAC

The first step in integrating the Cisco switch with EAC is to add it to the Extreme Management Center's EAC configuration, together with the RADIUS attributes that should be returned to it for enforcement.

1. Open Management Center and navigate to the Control > Access Control tab.
2. Expand the Engines section in the left panel.
3. Select the engine you are using to monitor the Cisco switch in the Engines section. The Engine panel displays in the right panel.
4. Click the Switches tab in the right panel.
5. Click Add Switches. The Add Switches to Access Control Engine Group window displays.
6. If the switch is not yet in the Management Center database, add it: click Add Device in the left panel. The Add Device window displays. Enter the IP Address of the switch and select the Profile with the appropriate SNMP credentials. Enter a Nickname for the device, if necessary. Click OK.
   Note: A new set of SNMP credentials is configured on the Administration > Profiles tab.
   Note: If no Nickname is entered, the device IP address is used as its name in Management Center.
7. Select the device in the left panel of the Add Switches to Access Control Engine Group window. Some settings populate automatically in the right panel based on the type of device selected.
8. Ensure the following fields are configured properly:
   Switch Type: Layer 2 Out-of-Band
   Primary Engine: The EAC engine used to monitor the switch
   Secondary Engine: Secondary EAC engine, if one is to be used
   Auth. Access Type: Manual RADIUS Configuration
   RADIUS Accounting: Enabled
9. Click Advanced. The Advanced Switch Settings window displays.
10. Ensure IP Subnet for IP Resolution is None and click OK.
11. Select the appropriate RADIUS Attributes to Send for your network. Select RFC 3580 VLAN ID if using dynamic VLANs. Select Cisco Wired Dynamic ACL if using dynamic ACLs. If this option is not available, configure the RADIUS attributes via the legacy NAC Manager Java application:
   i. Click the Menu icon in the Management Center top menu and select Legacy. The NetSight Suite Home page displays.
   ii. Click NAC Manager to download the Java application.
   iii. Navigate to the download path and open NAC Manager.
   iv. Select the engine you are using to monitor the switch in the left panel and click the NAC Configurations button. The NAC Configurations window displays.
   v. Select AAA: <NAC Configuration> in the left panel.
   vi. Select the appropriate authentication mapping in the table and click the Edit selected mapping button. The Edit User to Authentication Mapping window displays.
   vii. Expand the Inject Authentication Attrs drop-down menu and select Edit RADIUS Attribute Settings. The RADIUS Attribute Settings window displays.
   viii. There are multiple ways to define the format of the RADIUS attributes sent back to the switch. One way is to use the custom field; with this method, the full RADIUS attribute and value is placed in the custom field. Another option is to create a new set of RADIUS attributes: click Add and enter the correct RADIUS attributes in the new window. The following example applies a dynamic ACL from the Custom 4 field. A further option is to assign both a VLAN and a dynamic ACL. The RADIUS attribute that assigns the ACL on the Cisco switch is called Filter-Id. Create the following entries in the settings window. Note that the Filter-Id needs to end with ".in" for the Cisco switch to know to assign this ACL as an inbound ACL.

   Attribute Definition:
       Filter-Id=%CUSTOM4%.in
       %CUSTOM2%
       %CUSTOM3%

12. Restart Management Center after creating the new attribute.
13. Select the new attribute in the drop-down list for RADIUS Attributes to Send when adding the switch. Click OK to finish adding the switch to EAC.

Step 2: Configure the EAC Policy Mappings

The next step in integrating with the Cisco switch is to configure Extreme Access Control (EAC, formerly NAC) to send back different dynamic ACLs or VLANs based on the determined state and policy of the end system.
1. Navigate to the Policy Mapping Configuration panel via Configuration > Profiles > Policy Mappings in the Access Control tab. By default, the Policy Mappings Configuration screen shows the Basic view, which shows only the configurations being used by the switches added to EAC Manager. If both VLANs and dynamic ACLs are used, there is an additional column for VLAN. In this example, because Custom2, Custom3, and Custom4 were used, they are the only additional fields shown for each dynamic ACL. To modify an existing mapping, either click the Edit button or double-click an existing entry.
2. Enter the appropriate dynamic ACL name in the Custom4 field. Since the custom attribute created for the switch was Filter-Id=%CUSTOM4%.in, the attribute passed back in this example is Filter-Id=GuestAccess.in. Leave the Custom2 and Custom3 fields empty.
Step 3: Configure Router Lookups for IP Resolution

The last step in integrating the Cisco switch with Extreme Access Control (EAC) is ensuring that IP resolution works properly. For this, we highly recommend configuring SNMPv3 read-only credentials on the router through which users will connect. With these credentials configured, EAC can be set to do an SNMP lookup of the router's ARP cache to determine whether the client has an entry there.

To configure router lookups for IP resolution, open the Advanced EAC Configuration screen and navigate to Appliance Configuration as shown previously. On the IP Resolution screen, select the appropriate SNMP profile for the router. If one does not exist yet, create a set of SNMP credentials in Extreme Management Center (NetSight) that can be used with the router. If the switch and router(s) share the same SNMP credentials, you can skip this step, because the default is to use the same SNMP credentials as the switch.

Note: We highly recommend that SNMPv3 be used instead of SNMPv1 or v2. SNMPv3 provides a much higher level of security and efficiency.
Appendix A: Example ACLs for the Cisco Switch

This section contains example definitions for the ACLs that must be configured on the Cisco switch. The ACLs are written in a format that can be used in the Extreme Management Center (NetSight) Console's Command Script Utility. However, they could also be copied and pasted into a console session with the switch. If you use copy/paste, be sure to change the %EACIP% variable to the real IP address of the EAC engine. Each extended ACL ends with Cisco's implicit deny, so the restrictive ACLs below (Assessing, DenyAccess, Notification, Quarantine, Unregistered) allow only traffic to the EAC engine and DHCP.

    terminal length 0
    enable
    %ENABLEPSWD%
    conf t
    ip access-list extended Administrator
     permit ip any any
    ip access-list extended Assessing
     permit ip any host %EACIP%
     permit udp any any eq bootps
    ip access-list extended DenyAccess
     permit ip any host %EACIP%
     permit udp any any eq bootps
    ip access-list extended EnterpriseUser
     permit ip any any
    ip access-list extended Failsafe
     permit ip any any
    ip access-list extended GuestAccess
     permit ip any any
    ip access-list extended Notification
     permit ip any host %EACIP%
     permit udp any any eq bootps
    ip access-list extended Quarantine
     permit ip any host %EACIP%
     permit udp any any eq bootps
    ip access-list extended Unregistered
     permit ip any host %EACIP%
     permit udp any any eq bootps
     deny icmp any any
    end
Appendix B: Considerations for VoIP Connections

When an IP phone is connected to a Cisco switch port that has Extreme Access Control (EAC) enabled, the following considerations apply.

- Define the IP phone in an End Systems group within EAC, and assign an EAC profile and policy specifically to the IP phone.
- Create a dynamic ACL for the IP phone.
- In the switch configuration, each interface that a phone could be on should have the following command, with the Voice VLAN being used substituted appropriately:

    switchport voice vlan 40

With that command on the interface, configure EAC to send back the following value in either the Custom2 or Custom3 RADIUS attribute column:

    cisco-avpair=device-traffic-class=voice

The policy mapping for the phone then looks like the other mappings, with the phone's ACL name in Custom4 and the cisco-avpair value in Custom2 or Custom3.
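The attribute definition from Part 2, Step 1 (Filter-Id=%CUSTOM4%.in, %CUSTOM2%, %CUSTOM3%) and the Custom fields of a policy mapping from Step 2 together determine what the switch receives, and Appendix B adds the voice cisco-avpair through Custom2 or Custom3. The following Python, added here as an example and not EAC's own code, renders that combination the way the guide describes it and sanity-checks a mapping against the ACL names of Appendix A before it is saved. The validation rules (no spaces in ACL names, the ACL must be preconfigured on the switch, Custom2/Custom3 must be attribute=value pairs) are this example's assumptions about what the switch will accept, not documented EAC behaviour; the mappings at the bottom are constructed.

```python
"""Render and sanity-check the RADIUS attributes derived from an EAC policy mapping.
Added example, not from the Extreme guide or product. The attribute definition
and the ACL names come from the guide; the validation rules and the sample
mappings are this example's assumptions."""
import re

# Attribute definition entered in the RADIUS Attribute Settings window (guide, Part 2).
ATTRIBUTE_DEFINITION = ["Filter-Id=%CUSTOM4%.in", "%CUSTOM2%", "%CUSTOM3%"]

# ACL names preconfigured on the switch, taken from Appendix A.
SWITCH_ACLS = {"Administrator", "Assessing", "DenyAccess", "EnterpriseUser", "Failsafe",
               "GuestAccess", "Notification", "Quarantine", "Unregistered"}

PLACEHOLDER = re.compile(r"%CUSTOM(\d)%")


def render_attributes(mapping, definition=ATTRIBUTE_DEFINITION):
    """Substitute %CUSTOMn% with mapping['Customn']; drop lines whose fields are all empty."""
    rendered = []
    for line in definition:
        values = [mapping.get(f"Custom{n}", "") for n in PLACEHOLDER.findall(line)]
        if values and not any(values):
            continue  # e.g. an unused %CUSTOM2% line sends nothing
        rendered.append(PLACEHOLDER.sub(lambda m: mapping.get(f"Custom{m.group(1)}", ""), line))
    return rendered


def validate_mapping(mapping, switch_acls=SWITCH_ACLS):
    """Return human-readable problems; an empty list means the mapping looks sane.
    These checks are assumptions of this example, not EAC's own validation."""
    problems = []
    acl = mapping.get("Custom4", "")
    if not acl:
        problems.append("Custom4 is empty, so no Filter-Id (dynamic ACL) will be sent")
    elif " " in acl:
        problems.append(f"ACL name {acl!r} contains a space, which Cisco ACL names cannot")
    elif acl not in switch_acls:
        problems.append(f"ACL {acl!r} is not preconfigured on the switch")
    for field in ("Custom2", "Custom3"):
        value = mapping.get(field, "")
        if value and "=" not in value:
            problems.append(f"{field} value {value!r} is not an attribute=value pair")
    return problems


# Constructed mappings: the guide's GuestAccess example and an Appendix B style
# phone mapping (the phone's ACL name is assumed here).
GUEST_MAPPING = {"Custom4": "GuestAccess"}
PHONE_MAPPING = {"Custom4": "EnterpriseUser",
                 "Custom2": "cisco-avpair=device-traffic-class=voice"}
```

render_attributes(GUEST_MAPPING) yields the single attribute Filter-Id=GuestAccess.in that Step 2 describes; the phone mapping yields the Filter-Id plus the cisco-avpair line, and validate_mapping returns an empty list for both.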
Appendix C: IP Resolution Options

IP resolution for Cisco switches is typically done when a DHCP message is discovered via DHCP relay snooping. Sometimes, however, this can be expedited by configuring DHCP snooping on the Cisco switch. There have been problems in the past with DHCP snooping not working properly, so if an end system is not getting an IP address even though it should be, the first thing to remove is DHCP snooping.

To enable DHCP snooping, first enable it on all VLANs that will be snooped, then enable it globally:

    ip dhcp snooping vlan 3-4,40,52,98
    ip dhcp snooping

After DHCP snooping is enabled globally, add the following command on the uplink port from which the DHCP server messages will arrive:

    ip dhcp snooping trust

Use this command to show the DHCP snooping configuration:

    show ip dhcp snooping

Use this command to show the DHCP snooping binding table:

    show ip dhcp snooping binding
Appendix D: Troubleshooting

When troubleshooting a Cisco switch, a few commands can be used to verify what is happening on it. The following command shows the authenticated session. Note that the domain will be either VOICE or DATA depending on whether the cisco-avpair attribute was passed back. Also note the Filter-Id that is assigned.

    Cisco2960#show authentication sessions interface fa 0/4
                Interface:  FastEthernet0/4
              MAC Address:  aa.1d5f
               IP Address:
                User-Name:  aa1d5f
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  in
            Authorized By:  Authentication Server
               Vlan Group:  N/A
                Filter-Id:  GuestAccess
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  C0A F1DDCA
          Acct Session ID:  0x
                   Handle:  0xDA

    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success

You can use the following commands to enable debug logging on the switch. Debug output can be heavy on a busy switch; turn it off with undebug all when you are done.

    debug radius authentication
    debug dot1x all
    debug dot1x events
    debug dot1x errors
    debug epm all
    debug authentication all

You can use the following command to verify the port VLAN, both statically and dynamically assigned:

    show interfaces GigabitEthernet1/0/10 switchport
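A small parser for the show authentication sessions output above, added here as an example and not part of the Extreme guide. Besides turning the key/value block and the "Runnable methods list" table into a dict, it lists the conditions a NAC operator should review: a session authorized locally rather than by the authentication server (the fail-open case from Part 1), a missing Filter-Id (no dynamic ACL enforcing the session), 802.1X having failed over to MAB, and an unresolved IP address. The sample output is constructed; the MAC address, user name and session IDs are placeholders, not values from the guide.

```python
"""Parse 'show authentication sessions interface ...' output and flag what a
NAC operator should look at. Added example, not from the Extreme guide;
SAMPLE_OUTPUT is constructed with placeholder MAC, user name and IDs."""

SAMPLE_OUTPUT = """\
Cisco2960#show authentication sessions interface fa 0/4
            Interface:  FastEthernet0/4
          MAC Address:  0011.2233.aa1d
           IP Address:  Unknown
            User-Name:  00112233aa1d
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  in
        Authorized By:  Authentication Server
           Vlan Group:  N/A
            Filter-Id:  GuestAccess
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  EXAMPLE-COMMON-SESSION-ID
      Acct Session ID:  0x00000001
               Handle:  0xDA

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
"""


def parse_session(text):
    """Return the session fields as a dict plus a 'methods' dict of method -> state."""
    session = {"methods": {}}
    in_methods = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "#show" in line:  # blank line or the CLI prompt
            continue
        if line.startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            if line.startswith("Method"):
                continue  # table header
            method, _, state = line.partition(" ")
            session["methods"][method] = state.strip()
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            session[key.strip()] = value.strip()
    return session


def session_findings(session):
    """Conditions worth a second look; an empty list means the session looks healthy."""
    findings = []
    if session.get("Status") != "Authz Success":
        findings.append(f"status is {session.get('Status')!r} rather than Authz Success")
    if session.get("Authorized By") != "Authentication Server":
        findings.append("authorized locally, not by EAC (server-dead fail-open or critical VLAN)")
    if session.get("Filter-Id", "N/A") == "N/A":
        findings.append("no Filter-Id: no dynamic ACL is enforcing this session")
    if session["methods"].get("dot1x") == "Failed over":
        findings.append("802.1X failed over to MAB; device is MAC-authenticated only")
    if session.get("IP Address", "Unknown") == "Unknown":
        findings.append("IP address not resolved; check ip device tracking, DHCP snooping or router ARP lookup")
    return findings
```

Run over captured output from several ports, session_findings gives a quick list of ports where enforcement is weaker than intended (no ACL, local authorization) or where IP resolution has not completed.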
Revision History

Version  Date               Author                                                 Changes
0.1      April 15, 2012     Massimiliano Macri, Enterasys Networks                 Original draft.
0.2      February 27, 2013  Tyler Marcotte, Enterasys Networks                     Changed format. Added more details around functionality and integration to EAC.
0.3      March 7, 2013      Tyler Marcotte, Enterasys Networks                     Added note about restrictions of ACLs that are defined.
0.4      August 10, 2017    Susan Verona, Larry Kunz, John Moore, Extreme Networks Revised to update product brand names (NAC to EAC) and update procedures and screen shots to reflect product changes.
Terms and Conditions for Use

Extreme Networks reserves all rights to its materials and the content of the materials. No material provided by Extreme Networks to a Partner (or Customer, etc.) may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or by any information storage or retrieval system, or incorporated into any other published work, except for internal use by the Partner and except as may be expressly permitted in writing by Extreme Networks.

This document and the information contained herein are intended solely for informational use. Extreme Networks makes no representation or warranties of any kind, whether expressed or implied, with respect to this information and assumes no responsibility for its accuracy or completeness. Extreme Networks hereby disclaims all liability and warranty for any information contained herein, and all the material and information herein exists to be used only on an as-is basis. More specific information may be available on request. By your review and/or use of the information contained herein, you expressly release Extreme Networks from any and all liability related in any way to this information. A copy of the text of this section is an uncontrolled copy, and may lack important information or contain factual errors. All information herein is Copyright Extreme Networks, Inc. All rights reserved. All information contained in this document is subject to change without notice. For additional information refer to

END OF DOCUMENT
More informationFortiNAC. Cisco Airespace Wireless Controller Integration. Version: 8.x. Date: 8/28/2018. Rev: B
FortiNAC Cisco Airespace Wireless Controller Integration Version: 8.x Date: 8/28/2018 Rev: B FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET KNOWLEDGE
More informationFirewall Authentication Proxy for FTP and Telnet Sessions
Firewall Authentication Proxy for FTP and Telnet Sessions Last Updated: January 18, 2012 Before the introduction of the Firewall Authentication Proxy for FTP and Telnet Sessions feature, users could enable
More informationForeScout CounterACT. Configuration Guide. Version 4.3
ForeScout CounterACT Authentication Module: RADIUS Plugin Version 4.3 Table of Contents Overview... 4 Understanding the 802.1X Protocol... 4 About the CounterACT RADIUS Plugin... 6 IPv6 Support... 7 About
More informationUniversal Switch Configuration for Cisco Identity Services Engine. Secure Access How-To Guide Series
Universal Switch Configuration for Cisco Identity Services Engine Secure Access How-To Guide Series Author: Hosuk Won Date: January 2017 Table of Contents Introduction 3 What is Cisco Identity Services
More informationSecurity Commands. Consolidated Platform Command Reference, Cisco IOS XE 3.3SE (Catalyst 3850 Switches) OL
Security Commands aaa accounting dot1x, page 4 aaa accounting identity, page 6 aaa authentication dot1x, page 8 aaa authorization, page 9 aaa new-model, page 14 access-session mac-move deny, page 16 action,
More informationConfigure to Secure a Flexconnect AP Switchport with Dot1x
Configure to Secure a Flexconnect AP Switchport with Dot1x Contents Introduction Prerequisites Requirements Components Used Configure Network Diagram Verify Troubleshoot Introduction This document describes
More informationNetwork Admission Control
Network Admission Control Last Updated: October 24, 2011 The Network Admission Control feature addresses the increased threat and impact of worms and viruses have on business networks. This feature is
More informationFortiNAC. Aerohive Wireless Access Point Integration. Version 8.x 8/28/2018. Rev: E
FortiNAC Aerohive Wireless Access Point Integration Version 8.x 8/28/2018 Rev: E FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET KNOWLEDGE BASE
More informationIdentity-Based Networking Services Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
Identity-Based Networking Services Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) First Published: January 29, 2013 Last Modified: January 29, 2013 Americas Headquarters Cisco Systems,
More informationFortiNAC. HiPath. Enterasys. Siemens. Extreme. Wireless Integration. Version: 8.x. Date: 8/28/2018. Rev: B
FortiNAC HiPath Enterasys Siemens Extreme Wireless Integration Version: 8.x Date: 8/28/2018 Rev: B FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET
More informationISE Express Installation Guide. Secure Access How -To Guides Series
ISE Express Installation Guide Secure Access How -To Guides Series Author: Jason Kunst Date: September 10, 2015 Table of Contents About this Guide... 4 How do I get support?... 4 Using this guide... 4
More informationLab 8.5.2: Troubleshooting Enterprise Networks 2
Lab 8.5.2: Troubleshooting Enterprise Networks 2 Topology Diagram Addressing Table Device Interface IP Address Subnet Mask Default Gateway Fa0/0 192.168.10.1 255.255.255.0 N/A R1 Fa0/1 192.168.11.1 255.255.255.0
More informationConfiguring Network Admission Control
45 CHAPTER This chapter describes how to configure Network Admission Control (NAC) on Catalyst 6500 series switches. With a PFC3, Release 12.2(18)SXF2 and later releases support NAC. Note For complete
More informationCisco TrustSec How-To Guide: Monitor Mode
Cisco TrustSec How-To Guide: Monitor Mode For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents... 2 Introduction...
More information802.1x EAP TLS with Binary Certificate Comparison from AD and NAM Profiles Configuration Example
802.1x EAP TLS with Binary Certificate Comparison from AD and NAM Profiles Configuration Example Document ID: 116018 Contributed by Michal Garcarz, Cisco TAC Engineer. Apr 09, 2013 Contents Introduction
More informationConfiguring Security for the ML-Series Card
19 CHAPTER Configuring Security for the ML-Series Card This chapter describes the security features of the ML-Series card. This chapter includes the following major sections: Understanding Security, page
More informationBEST PRACTICE - NAC AUF ARUBA SWITCHES. Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features
BEST PRACTICE - NAC AUF ARUBA SWITCHES Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features Agenda 1 Overview 2 802.1X Authentication 3 MAC Authentication
More informationRADIUS Change of Authorization
The (CoA) feature provides a mechanism to change the attributes of an authentication, authorization, and accounting (AAA) session after it is authenticated. When a policy changes for a user or user group
More informationContents. Introduction
Contents Introduction Prerequisites Requirements Components Used Configure Network Diagram ISE - Configuration Steps 1. SGT for Finance and Marketing 2. Security group ACL for traffic Marketing ->Finance
More informationUniversal Wireless Controller Configuration for Cisco Identity Services Engine. Secure Access How-To Guide Series
Universal Wireless Controller Configuration for Cisco Identity Services Engine Secure Access How-To Guide Series Author: Hosuk Won Date: November 2015 Table of Contents Introduction... 3 What Is Cisco
More informationNetwork security session 9-2 Router Security. Network II
Network security session 9-2 Router Security Network II Router security First line of defense of the network Compromise of a router can lead to many issues: Denial of network services Degrading of network
More informationMonitor Mode Deployment with Cisco Identity Services Engine. Secure Access How -To Guides Series
Monitor Mode Deployment with Cisco Identity Services Engine Secure Access How -To Guides Series Author: Adrianne Wang Date: December 2012 Table of Contents Monitor Mode... 3 Overview of Monitor Mode...
More informationPer-User ACL Support for 802.1X/MAB/Webauth Users
Per-User ACL Support for 802.1X/MAB/Webauth Users This feature allows per-user ACLs to be downloaded from the Cisco Access Control Server (ACS) as policy enforcement after authentication using IEEE 802.1X,
More informationIEEE 802.1X VLAN Assignment
The feature is automatically enabled when IEEE 802.1X authentication is configured for an access port, which allows the RADIUS server to send a VLAN assignment to the device port. This assignment configures
More informationVendor: Cisco. Exam Code: Exam Name: Implementing Advanced Cisco Unified Wireless Security (IAUWS) v2.0. Version: Demo
Vendor: Cisco Exam Code: 642-737 Exam Name: Implementing Advanced Cisco Unified Wireless Security (IAUWS) v2.0 Version: Demo QUESTION 1 Which statement describes the major difference between PEAP and EAP-FAST
More informationCentral Web Authentication on the WLC and ISE Configuration Example
Central Web Authentication on the WLC and ISE Configuration Example Contents Introduction Prerequisites Requirements Components Used Configure WLC Configuration ISE Configuration Create the Authorization
More informationChapter 10 Lab 10-2, Securing VLANs INSTRUCTOR VERSION
CCNPv7.1 SWITCH Chapter 10 Lab 10-2, Securing VLANs INSTRUCTOR VERSION Topology Objectives Background Secure the server farm using private VLANs. Secure the staff VLAN from the student VLAN. Secure the
More informationConfiguring RADIUS Servers
CHAPTER 7 This chapter describes how to enable and configure the Remote Authentication Dial-In User Service (RADIUS), that provides detailed accounting information and flexible administrative control over
More informationMS Switch Access Policies (802.1X) Host Modes
MS Switch Access Policies (802.1X) Cisco Meraki MS switches offer the ability to configure access policies, which require connecting devices to authenticate against a RADIUS server before they are granted
More informationAuthentication, Authorization, and Accounting Configuration Guide, Cisco IOS Release 15M&T
Authentication, Authorization, and Accounting Configuration Guide, Cisco IOS Release 15M&T Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com
More informationDeployment Guide for Cisco Guest Access Using the Cisco Wireless LAN Controller, Release 4.1
Deployment Guide for Cisco Guest Access Using the Cisco Wireless LAN Controller, Release 4.1 Last revised: February 1, 2008 Contents Overview section on page 1 Configuring Guest Access on the Cisco Wireless
More informationIntegrating Meraki Networks with
Integrating Meraki Networks with Cisco Identity Services Engine Secure Access How-To guide series Authors: Tim Abbott, Colin Lowenberg Date: April 2016 Table of Contents Introduction Compatibility Matrix
More informationConfiguring ISG Policies for Automatic Subscriber Logon
Configuring ISG Policies for Automatic Subscriber Logon Intelligent Services Gateway (ISG) is a software feature set that provides a structured framework in which edge devices can deliver flexible and
More informationConfiguring IEEE 802.1x Port-Based Authentication
CHAPTER 8 Configuring IEEE 802.1x Port-Based Authentication This chapter describes how to configure IEEE 802.1x port-based authentication on the Cisco ME 3400 Ethernet Access switch. As LANs extend to
More informationCCNP Switch Questions/Answers Securing Campus Infrastructure
What statement is true about a local SPAN configuration? A. A port can act as the destination port for all SPAN sessions configured on the switch. B. A port can be configured to act as a source and destination
More informationConfiguring 802.1X Port-Based Authentication
CHAPTER 37 This chapter describes how to configure IEEE 802.1X port-based authentication to prevent unauthorized client devices from gaining access to the network. This chapter includes the following major
More informationConfiguring Network Admission Control
CHAPTER 59 This chapter describes how to configure Network Admission Control (NAC) in Cisco IOS Release 12.2SX. Note For complete syntax and usage information for the commands used in this chapter, see
More informationCatalyst 3850 Series Switch Session Aware Networking with a Service Template on the ISE Configuration Example
Catalyst 3850 Series Switch Session Aware Networking with a Service Template on the ISE Configuration Example Document ID: 116838 Contributed by Michal Garcarz, Cisco TAC Engineer. Nov 26, 2013 Contents
More information2012 Cisco and/or its affiliates. All rights reserved. 1
2012 Cisco and/or its affiliates. All rights reserved. 1 Policy Access Control: Challenges and Architecture UA with Cisco ISE Onboarding demo (BYOD) Cisco Access Devices and Identity Security Group Access
More information!! Configuration of RFS4000 version R!! version 2.3!! ip access-list BROADCAST-MULTICAST-CONTROL permit tcp any any rule-precedence 10
Configuration of RFS4000 version 5.5.1.0-017R version 2.3 ip access-list BROADCAST-MULTICAST-CONTROL permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic" permit udp any eq 67
More informationApplication Notes for Enterasys Secure Networks Dynamic Intrusion Response Solution in an Avaya IP Telephony Infrastructure - Issue 1.
Avaya Solution & Interoperability Test Lab Application Notes for Enterasys Secure Networks Dynamic Intrusion Response Solution in an Avaya IP Telephony Infrastructure - Issue 1.0 Abstract These Application
More informationBrocade FastIron Flexible Authentication
18 December 2015 Brocade FastIron Flexible Authentication Deployment Guide Supporting FastIron 08.0.40 2015, Brocade Communications Systems, Inc. All Rights Reserved. ADX, Brocade, Brocade Assurance, the
More informationEnterasys. Design Guide. Network Access Control P/N
Enterasys Network Access Control Design Guide P/N 9034385 Notice Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site
More informationRADIUS Packet of Disconnect
First Published: March 19, 2001 Last Updated: October 2, 2009 The feature is used to terminate a connected voice call. Finding Feature Information Your software release may not support all the features
More informationTECHNICAL NOTE UWW & CLEARPASS HOW-TO: CONFIGURE UNIFIED WIRELESS WITH CLEARPASS. Version 2
HOW-TO: CONFIGURE UNIFIED WIRELESS WITH CLEARPASS Version 2 CONTENTS Introduction... 7 Background information... 7 Requirements... 7 Network diagram... 7 VLANs... 8 Switch configuration... 8 Initial setup...
More informationCCBOOTCAMP Webinar 3/15/2011 CCIE Security / RS x. Tim Rowley CCIE#25960, CCSI#33858, CISSP
CCBOOTCAMP Webinar 3/15/2011 CCIE Security / RS - 802.1x Tim Rowley CCIE#25960, CCSI#33858, CISSP What is it? Components Basic Operation Basic Configuration Advanced Features and Configuration Verification
More informationCisco Virtual Office: Easy VPN Deployment Guide
Cisco Virtual Office: Easy VPN Deployment Guide This guide provides detailed design and implementation information for deployment of Easy VPN in client mode with the Cisco Virtual Office. Please refer
More informationConfiguring 802.1X Port-Based Authentication
CHAPTER 39 This chapter describes how to configure IEEE 802.1X port-based authentication to prevent unauthorized client devices from gaining access to the network. This chapter includes the following major
More informationIdentity Services Engine Guest Portal Local Web Authentication Configuration Example
Identity Services Engine Guest Portal Local Web Authentication Configuration Example Document ID: 116217 Contributed by Marcin Latosiewicz, Cisco TAC Engineer. Jun 21, 2013 Contents Introduction Prerequisites
More informationConfiguring Hybrid REAP
13 CHAPTER This chapter describes hybrid REAP and explains how to configure this feature on controllers and access points. It contains the following sections: Information About Hybrid REAP, page 13-1,
More informationRADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values
RADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values First Published: September 23, 2005 Last Updated: August 18, 2010 The Internet Engineering Task Force (IETF) draft standard
More informationCatalyst 4500 Series IOS Commands
CHAPTER Catalyst 4500 Series IOS Commands New Commands dot1x guest-vlan supplicant ip dhcp snooping information option allow-untrusted port-security mac-address port-security mac-address sticky port-security
More informationVendor: Cisco. Exam Code: Exam Name: Implementing Cisco Secure Access Solutions. Version: Demo
Vendor: Cisco Exam Code: 300-208 Exam Name: Implementing Cisco Secure Access Solutions Version: Demo QUESTION 1 By default, how many days does Cisco ISE wait before it purges the expired guest accounts?
More informationCounterACT Wireless Plugin
CounterACT Wireless Plugin Version 1.7.0 Table of Contents About the Wireless Plugin... 4 Wireless Network Access Device Terminology... 5 How It Works... 6 About WLAN Controller/Lightweight Access Points...
More informationaaa max-sessions maximum-number-of-sessions The default value for aaa max-sessions command is platform dependent. Release 15.0(1)M.
aaa max-sessions aaa max-sessions To set the maximum number of simultaneous authentication, authorization, and accounting (AAA) connections permitted for a user, use the aaa max-sessions command in global
More informationDumpsFree. DumpsFree provide high-quality Dumps VCE & dumps demo free download
DumpsFree http://www.dumpsfree.com DumpsFree provide high-quality Dumps VCE & dumps demo free download Exam : 300-208 Title : Implementing Cisco Secure Access Solutions Vendor : Cisco Version : DEMO Get
More informationConfiguring 802.1X Port-Based Authentication
CHAPTER 10 This chapter describes how to configure IEEE 802.1X port-based authentication on the Catalyst 3750 switch. As LANs extend to hotels, airports, and corporate lobbies, creating insecure environments,
More informationForescout. Configuration Guide. Version 4.2
Forescout Version 4.2 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191
More informationConfiguring IEEE 802.1X Port-Based Authentication
CHAPTER 44 This chapter describes how to configure IEEE 802.1X port-based authentication to prevent unauthorized devices (clients) from gaining access to the network. Note For complete syntax and usage
More informationWireless Integration Overview
Version: 4.1.1 Date: 12/28/2010 Copyright Notice Copyright 2010 by Bradford Networks, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the
More informationNAC: LDAP Integration with ACS Configuration Example
NAC: LDAP Integration with ACS Configuration Example Document ID: 107285 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information Configuration Flow Chart Diagram
More informationDeploying Cisco ISE for Guest Network Access
Deploying Cisco ISE for Guest Network Access Jason Kunst September 2018 Table of Contents Introduction... 4 About Cisco Identity Services Engine (ISE)... 4 About This Guide... 4 Define... 6 What is Guest
More informationCounterACT 802.1X Plugin
CounterACT 802.1X Plugin Version 4.2.0 Table of Contents Overview... 4 Understanding the 802.1X Protocol... 4 About the CounterACT 802.1X Plugin... 6 About This Document... 7 802.1X Plugin Components...
More informationForeScout CounterACT. Configuration Guide. Version 1.8
ForeScout CounterACT Network Module: Wireless Plugin Version 1.8 Table of Contents About the Wireless Plugin... 4 Wireless Network Access Device Terminology... 6 How It Works... 6 About WLAN Controller/Lightweight
More informationChapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM
Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces. 2015 Cisco and/or its affiliates. All rights
More informationConverged Access Wireless Controller (5760/3850/3650) BYOD client Onboarding with FQDN ACLs
Converged Access Wireless Controller (5760/3850/3650) BYOD client Onboarding with FQDN ACLs Contents Introduction Prerequisites Requirements Components Used DNS Based ACL Process Flow Configure WLC Configuration
More informationCatalyst 4500 Series IOS Commands
CHAPTER Catalyst 4500 Series IOS Commands New Commands call-home (global configuration) call-home request call-home send call-home send alert-group call-home test clear energywise neighbors clear errdisable
More informationIdentity Based Network Access
Identity Based Network Access Identity Based Network Access - Agenda What are my issues Cisco ISE Power training What have I achieved What do I want to do What are the issues? Guest Student Staff Contractor
More informationNortel Ethernet Routing Switch 5000 Series Configuration Security. Release: 6.1 Document Revision:
Release: 6.1 Document Revision: 05.01 www.nortel.com NN47200-501. . Release: 6.1 Publication: NN47200-501 Document release date: 20 May 2009 While the information in this document is believed to be accurate
More information