Wireless Integration Overview

Transcription

1 Version: Date: 12/28/2010

2 Copyright Notice Copyright 2010 by Bradford Networks, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the restrictions set forth in DFARS (c)(1)(ii) and FAR Liability Disclaimer Bradford Networks, Inc. reserves the right to make changes in specifications and other information contained in this document without prior notice. In all cases, the reader should contact Bradford Networks to inquire if any changes have been made. The hardware, firmware, or software described in this manual is subject to change without notice. IN NO EVENT SHALL BRADFORD NETWORKS, ITS EMPLOYEES, OFFICERS, DIRECTORS, AGENTS, OR AFFILIATES BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUD- ING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS MANUAL OR THE INFORMATION CONTAINED IN IT, EVEN IF BRAD- FORD HAS BEEN ADVISED OF, HAS KNOWN, OR SHOULD HAVE KNOWN, THE POSSIBILITY OF SUCH DAMAGES. Trademark, Service Mark, and Logo Information Bradford Networks, the Bradford Networks logo, and Bradford Network Sentry are copyrighted by Bradford Networks, Inc. All other trademarks and registered trademarks are the property of their respective owners. Contact Information Bradford Networks, Inc., 162 Pembroke Road, Concord, NH USA Phone: Fax: Web site: Information: Sales: Support: Document Notes This document is an excerpt from the larger Administration And Operation document. Links containing page numbers indicate that additional information is provided within this document. For example, see Modify Groups on page 10 for additional information. Links with no page numbers indicate that additional information can be found in the main Administration And Operation document. For example, see Modify Groups for additional information. Network Sentry Wireless Integration

3 Contents Wireless Integration Overview 1 Wireless Authentication 2 RADIUS MAC x 4 Wireless Integration Requirements 6 Client Connection With Wireless Access 8 WLAN Management 10 Users With Both Wired And Wireless Connections 11 Network Sentry Wireless Integration i

4 Table Of Contents ii Network Sentry Wireless Integration

5 Important: Refer to the vendor documentation for your Wireless Device for detailed set up and configuration information. Refer to the Bradford Networks Resource Center for information on specific devices. Network Sentry integrates with both intelligent access points (IAPs) and centralized controller-based wireless solutions. Intelligent access points manage both the access point and its connecting clients. Controller-based solutions manage multiple access points and their connecting clients. To manage wireless clients with Network Sentry you must configure Network Sentry as the RADIUS server to authenticate clients for IAPs and controllers. Network Sentry responds to the RADIUS authentication requests with an accept or reject message. When accepting users, Network Sentry can include information that identifies the network the connecting client can access. Network access is based upon the client's current Network Sentry state and role. Configuration of client network access varies depending on the device and can include: VLAN IDs and names, role names, or proprietary network identifiers. Network Sentry Wireless Integration 1

6 Wireless Authentication Intelligent Access Points (IAPs) and controllers support two methods of RADIUS based authentication: RADIUS MAC authentication and 802.1x authentication. Network Sentry only supports Password Authentication Protocol (PAP) for RADIUS authentication. RADIUS MAC With RADIUS MAC authentication connecting clients are validated based on their physical addresses. Network Sentry acts as the terminating RADIUS server. When Network Sentry receives an authentication request it tries to locate the client's MAC Address in its own database. If it finds the MAC Address in the database, it checks the client's state and sends an accept response along with information about which the network the client can access. If the client has been administratively disabled, Network Sentry sends a reject response. If the client's MAC Address is not found in the database, Network Sentry returns an accept response along with information that places the wireless client in the Registration subnet so that the user can access the Registration portal. 2 Network Sentry Wireless Integration

7 Network Sentry Wireless Integration 3

8 802.1x 802.1x defines the authentication of connecting clients based on their user credentials or certificates. Network Sentry acts as a proxy RADIUS server and forwards requests to an independent production RADIUS server. The independent RADIUS server responds to Network Sentry with the accept or reject message. Network Sentry passes the message to the wireless controller or IAP. As the proxy authentication server, Network Sentry passes EAP messages between the IAPs or controllers and the production authentication server. The production authentication server is the EAP termination point. When the authentication process completes, Network Sentry inserts network access information into the authentication response if configured to do so. If Network Sentry Authentication is enabled in an 802.1x environment, when users log in they can automatically be authenticated to bypass the authentication captive portal. However, this depends on the configuration of the client supplicant. You can configure supplicants to either expose or encrypt the user IDs within the RADIUS request packet. If the user ID is encrypted, Network Sentry cannot identify it in the RADIUS request, and therefore cannot bypass its own authentication process. Client supplicants should be configured to authenticate using user credentials, not host information, such as host name. This will give Network Sentry the user information to associate with the host/device and avoid authentication delays. EAP The EAP type must be configured on the supplicant and the Authentication server. Supported EAP types include: EAP-PEAP EAP-TTLS EAP-TLS The following EAP types have not yet been tested with Network Sentry: EAP-MD-5 EAP-Fast Cisco LEAP 4 Network Sentry Wireless Integration

9 Network Sentry Wireless Integration 5

10 Wireless Integration Requirements 1. Configure your device to use Network Sentry as the RADIUS Server. If you are setting up Network Sentry as the RADIUS server for a device in a Bradford High Availability environment, you must use the actual IP address of the primary control server, not the Shared IP address. Set up the secondary control server as a secondary RADIUS server using its actual IP address. Regardless of the environment, you may also want to set up your actual RADIUS server to be used in the event that none of your Network Sentry appliances can be reached. This would allow users to access the network, but they would not be controlled by Network Sentry. 2. Do not use asynchronous routing between your device and the Network Sentry server. RADIUS requests and responses between the Network Sentry server and the wireless device must travel through the same interface on the Network Sentry server. 3. PAP encryption must be set up on the RADIUS server for encryption/decryption of user names and passwords that are sent to and from Network Sentry. 4. Configure network access control features on your device. Contact Customer Support or go to the Resource Center for device specific configuration information. 5. Add your device in Network Sentry. See Network Devices. 6. Model your wireless device in Network Sentry. See Model Configuration. 7. In the Model Configuration Network Sentry must be configured as the RADIUS server for wireless devices. Note: When Network Sentry acts as a RADIUS Server in a busy environment, it could become a bottleneck for authentications, resulting in RADIUS processing delays. Devices that use RADIUS authentication need to be configured with RADIUS timeouts that are large enough to allow some transaction delays. Many devices use default timeout values under 10 seconds. It is recommended that you use larger values for busy environments, though you may have to experiment to find the optimal value. 8. The RADIUS Secret must be the same in the following locations: - RADIUS Server settings in Network Sentry. See RADIUS And 802.1x Environments and Configure RADIUS Server Profiles. - Model configuration for the wireless device when it is modeled in Network Sentry. See Model Configuration. - Configuration of the device itself. 9. In order to detect which clients have disconnected from the wireless device, you must set up a frequent polling interval for your wireless devices. Set the polling frequency to less than 10 minutes if the clients are using the persistent agent. The recommended poll frequency is approximately 5 minutes. 6 Network Sentry Wireless Integration

11 See L3 Polling (IP --> MAC). It is not necessary to set Network Sentry as the trap receiver on any wireless devices. 10. Remove the switch ports from the Forced Registration Group. This ensures that Network Sentry will not switch these ports into the registration VLAN once the APs are connected. The APs appear as rogue clients in Network Sentry until they are identified by the controller as managed devices. If those ports are left in forced registration, the APs will end up in the registration VLAN and may not be able to connect to their managing controller.network Devices See Modify A Group. 11. If you want to use Forced Authentication for users connecting on your wireless device, set the Enable Authentication option on the Authentication plugin. See Configure Authentication Plug-In Properties. Add the interfaces or ports for each wireless device that participates in authentication to the Forced Authentication group. See Modify A Group. 12. If you are working in a Hot Standby environment using RADIUS authentication you must configure your managed wireless devices to point to the NAC Server or NAC Control Server eth0 address - NOT the virtual address. Configure a secondary RADIUS server for the device to be the failover eth0 address. This ensures that if the primary NAC Server or NAC Control Server appliance goes down, the backup will take over and will be able to respond and take over RADIUS responsibility. An IAP/controller will switch over to the backup NAC Server or NAC Control Server appliance if it fails to get responses from the primary. Network Sentry Wireless Integration 7

12 Client Connection With Wireless Access Network Sentry performs RADIUS MAC Authentication and VLAN, network, and role association based on the settings of the IAP/controller to which a client connects. Configure each IAP/controller separately with VLAN, network and role settings. When a client connects to a wireless device, Network Sentry uses the MAC address to determine the state of the client. The first row in the table below that matches the client's state and device's configuration determines the RADIUS response from Network Sentry. For example, a client connecting to the network has a state set to Disabled. There is no value set in the Device Model for the Deadend/Penalty VLAN/network or role. The client is rejected and denied any access to the network. However, if the Device Model contains the value of 10 for the Deadend/Penalty VLAN/network/role, the client is given VLAN 10 and its associated access to the network. This scenario is the same for clients with a state of At Risk and Unregistered. There is no state setting for Non-Authenticated clients. Those clients are associated to the Authentication VLAN set in the Device Model if authentication is being forced on the device. 8 Network Sentry Wireless Integration

13 Table 1: Client State and VLAN/Network/Role Association State of Client Applicable VLAN / Network / Role Name Is Value Set In Model Config Client Treatment Disabled Deadend / Penalty No Disabled Deadend / Penalty Yes At Risk Quarantine No At Risk Quarantine Yes Unregistered Registration No Unregistered Registration Yes Not Authenticated Authentication No Client Rejected - No Access Client sent to VLAN/network/role value Client Rejected - No Access Client sent to VLAN/network/role value Client Rejected - No Access Client sent to VLAN/network/role = value Client to Default/Production Not Authenticated Authentication Yes Client to Authentication Client has Network Sentry Role defined If a user has authenticated and belongs to a role, the role takes precedence over the default value. If the user has a role defined in LDAP, it takes precedence over the client role. Name or Number defined in the Network Sentry Role Device Mapping Yes None of the above Default/Production Yes Client sent to VLAN/network/role defined in the Network Sentry Role Device Mapping Client to Default/Production Note: If no role mapping exists and no default value exists, no VLAN/network/role is provided by Network Sentry. The device itself is responsible for determining the appropriate VLAN/network/role for the client. Network Sentry Wireless Integration 9

14 WLAN Management Most Intelligent Access Points (IAPs) and controllers allow you to create multiple, independent Wireless LANs (WLANs) that can be accessed through separate SSIDs. The configuration of each WLAN on these devices usually includes support for separate authentication parameters for each WLAN. For example, a wireless network could contain two separate WLANs, one for employees or residents and one for guests. The employee/resident WLAN might authenticate connecting users to a central directory prior to granting access to network resources. A guest WLAN might avoid authentication and provide connecting users with limited access only to the external Internet. In such an environment, you can have Network Sentry secure only a subset of the available WLANs. To do this, you only need to configure the secured WLANs on the wireless devices to use Network Sentry as their authentication server (RADIUS). WLANs that use no authentication or that use a different authentication server bypass Network Sentry s control. Network Sentry still monitors clients connecting to the IAP/controller devices, but does not control their access to the network. The means to configure this behavior differs, based on the specific IAP/controller vendor model. Refer to the vendor's documentation for configuration details. Note: If your device supports independent authentication for individual SSIDs, Network Sentry can secure a subset of available WLANs. If your device does not support this option, Network Sentry secures all WLANs on the device. When configuring a wireless device with multiple SSIDs that will be managed by Network Sentry, Network Sentry only allows a single VLAN mapping for each isolation state per device. For example, if the Remediation VLAN is VLAN 10 on one SSID it has to be VLAN 10 on all SSIDs, and if Dead End is VLAN 25 it has to be VLAN 25 for all SSIDs. 10 Network Sentry Wireless Integration

15 Users With Both Wired And Wireless Connections When you use a wired connection in a wireless hot spot, wireless interfaces that are enabled often attempt to connect to a local AP. It is recommended that you instruct users to disable their wireless interfaces on their laptops when they use wired ports for the following reasons: 1. The wireless connection attempt may or may not succeed. RADIUS traffic is created to authenticate the client even though it is already connected to the network through its wired connection. If the client is authenticated on the wireless device (either through RADIUS or the local AP), the client is connected and no additional traffic is generated. However, if the client is rejected for any reason, the client will often retry continuously. For some APs, this generates a steady stream of RADIUS requests and creates an unnecessary load on the Network Sentry appliance and the supporting network. 2. If a wireless interface connects simultaneously with a wired interface, each interface could be placed on a different VLAN or network. In cases where the network administrator is enforcing authentication or where separate networks have been defined for their wired and wireless users, this will always occur. When this happens, depending on the network access given to the different network connections, the client may experience abnormal network behavior as the client chooses different interfaces for network access. There are steps users can take to configure a client running Windows OS to favor their wired over their wireless (see but the best course of action is to simply disable the wireless when not in use. Network Sentry Wireless Integration 11

16 12 Network Sentry Wireless Integration