
Extreme Networks Application Note

Network Access Control/Protection with ExtremeXOS and Microsoft NAP

This document discusses the features and configuration tools provided by ExtremeXOS NetLogin, and how they can be used in conjunction with Network Access Protection (NAP) technologies in Microsoft Windows 2008 Server to control user and device access depending on the results of health check policies. Authentication and authorization for users and devices are provided by the Network Policy Server application, which is essentially a replacement for Internet Authentication Service (IAS) in earlier Microsoft Server versions such as Microsoft Windows 2003 Server.

2011 Extreme Networks, Inc. All rights reserved. Do not reproduce.

Extreme Networks Application Note: Network Access Control/Protection with ExtremeXOS and Microsoft NAP

Introduction
Network Access Control and Protection is rapidly becoming an integral block of the network infrastructure and security. Typical NAP solutions provide the platform and framework for administrators to:
- Define network access policies based on the client's identity
- Determine the degree of client compliance with requirements configured in policy servers
- Take actions (such as invoking remediation procedures which provide mechanisms to bring the client computer into compliance) and also provide authorized access for client computers

This document discusses the features and configuration tools provided by ExtremeXOS NetLogin, and how they can be used in conjunction with Network Access Protection (NAP) technologies in Microsoft Windows 2008 Server to control user and device access depending on the results of health check policies. Authentication and authorization for users and devices are provided by the Network Policy Server application, which is essentially a replacement for Internet Authentication Service (IAS) in earlier Microsoft Server versions such as Microsoft Windows 2003 Server.

NAP allows administrators to create and enforce health policies for computers that connect to the enterprise network. The policies govern both the installed software components and the system configuration. Computers which connect to the network, such as laptops, workstations, and other such devices, are evaluated against the configured health requirements. Health requirements include:
- A firewall is enabled
- An antivirus program is installed
- The antivirus program is up to date
- Automatic Windows Update is enabled, etc.

Client computers that connect to the network are evaluated against these health requirements, and are classified as NAP Compliant, NAP Noncompliant, or NAP Ineligible. Further, policies can also contain the actions to be taken, and any authorizations to be provided to computers placed into these categories. Actions could include auto-remediation of client computers (for example enabling Windows Automatic Updates or Windows Firewall).

ExtremeXOS NetLogin can be integrated with Microsoft NAP to provide authorizations to network resources for client computers. Authorizations could include:
- Complete network access to clients that are deemed NAP Compliant
- Restricted network access to clients that are deemed NAP Noncompliant
- Custom network access to clients that are deemed NAP Ineligible

Microsoft NAP technology is available in the following variants of the Microsoft Windows Operating System:
- Servers: Windows Server 2008, Windows Server 2008 R2
- Clients: Windows XP Professional (with Service Pack 3), Windows Vista, Windows 7

Microsoft NAP can be used to enforce health policies for different network access and communication technologies, including IPsec, 802.1X based wired and wireless network access control, and others. This document addresses NAP enforcement for wired clients using IEEE 802.1X authentication. NAP can be deployed using the typical AAA framework without the need for any additional networking equipment, and without the need for any software upgrades on ExtremeXOS based switches. ExtremeXOS NetLogin has been designed to integrate with the Microsoft NAP solution from the ground up.

An overview of the NAP architecture and the components involved is presented in Section 3, and the subsections in that chapter provide details about the role played by each element in the NAP framework. Readers who are familiar with the general concepts of the Microsoft NAP architecture and framework can skip this section. Readers are encouraged to review the Microsoft NAP concepts provided on the Microsoft Technical Resources website (see references 4 to 7).


Section 4 provides an overview of the NetLogin feature in ExtremeXOS and the authentication methods that work with NPS, and includes a discussion of the schemes that can be used to enforce policies (configured in the NAP server) at the network access/edge layer. A case study of a NAP and NetLogin deployment is discussed in Section 5. That section walks the user through a sample edge switch configuration, with detailed steps on how to create groups and users in Microsoft Active Directory and how to create NAP policies in the health policy server. Detailed instructions and screen shots are provided on configuring the Microsoft Windows 2008 Server to act as the NAP health policy server, the edge switch as the authenticator, and the different types of clients. The contents of that chapter are aligned with the steps presented in the Microsoft document "Step-by-Step Guide: Demonstrate 802.1X NAP enforcement in a Test Lab" (reference 3).

Overview of NAP Architecture


As mentioned earlier, Microsoft NAP allows administrators to create and enforce health policies for the software and system configuration of client computers that connect to the network. In particular, we explore the methods by which ExtremeXOS can be integrated into the Microsoft NAP architecture to deliver flexible and comprehensive health policy enforcement for client computers that connect to the enterprise network using IEEE 802.1X based authentication. NAP is deployed using multiple elements in the network, with each element providing a specific set of functions. The diagram below illustrates the different components in a NAP deployment.

References
1. Using ExtremeXOS NetLogin with Microsoft IAS. http://www.extremenetworks.com/doc.aspx?id=957
2. Using ExtremeXOS NetLogin with Microsoft NPS.
3. Step-by-Step Guide: Demonstrate 802.1X NAP enforcement in a Test Lab. http://www.microsoft.com/downloads/details.aspx?FamilyID=8a0925ee-ee06-4dfb-bba207605eff0608&displaylang=en
4. Network Access Protection concepts. http://technet.microsoft.com/en-us/library/cc730902%28WS.10%29.aspx
5. Network Access Protection Design Guide. http://technet.microsoft.com/en-us/library/dd125338.aspx
6. Network Access Protection Deployment Guide. http://technet.microsoft.com/en-us/library/dd314175.aspx
7. Network Access Protection Troubleshooting Guide. http://technet.microsoft.com/en-us/library/dd348515.aspx


The components shown are similar to those in a typical AAA framework, with additional functionality in the clients and the backend servers so that they can participate in a NAP framework.

NAP Client Computers: The clients or supplicants not only contain the IEEE 802.1X authentication methods, but also newer Windows components such as the System Health Agent (SHA), the NAP agent, and the enforcement clients. NAP-capable clients provide system health information in addition to security credentials when requesting network access from an IEEE 802.1X compliant network access device.

NAP Enforcement Point: As shown below, ExtremeXOS based switches act as the enforcement points. Enforcement could be one of the following actions: providing complete network access to NAP compliant computers; isolating noncompliant computers in specific broadcast domains or VLANs which provide connectivity to remediation servers; or restricting access (using access control lists) to specific resources. The actions performed by the switches are based on the authorizations received from the backend NAP health policy servers. These authorizations are delivered to the switch via RADIUS by the Network Policy Server component running on Microsoft Windows based servers.

NAP Health Policy Server: In addition to the Network Policy Server, which provides authentication and authorization services, Microsoft Windows Server 2008 and Windows Server 2008 R2 contain newer components such as the System Health Validator (SHV), NAP administration, and others. SHVs are used by NPS to analyze the health of client computers. The results of the client health check are used by network policies to deliver the appropriate authorizations.

[Figure 1 shows, left to right: NAP Client Computers (clients or supplicants); a Summit X450e-24p switch acting as authenticator and NAP enforcement point; the enterprise network; and the NAP Health Policy Servers (authentication server).]

Figure 1: Components in NAP deployment


ExtremeXOS NetLogin
The NetLogin feature in ExtremeXOS provides the following capabilities which can be used in NAP deployments:
1. IEEE 802.1X based authentication
2. Authorizations in the form of a destination VLAN ID or name
3. In addition to VLAN information, network access can also be limited to a set of hosts. These hosts could be remediation or quarantine servers which deliver the software, software updates, and system configuration needed to bring an unhealthy supplicant into compliance with the enterprise health policies.

VLAN Authorizations
The following Vendor-Specific Attributes (VSAs) can be used to deliver the VLAN ID or name to which the authenticated user is added. In typical NAP deployments these VSAs are used to deliver a designated quarantine VLAN.

Extreme-Netlogin-VLAN-Name (VSA 203): This attribute specifies a VLAN name that the RADIUS server sends to the switch after successful authentication. When the switch receives the VSA, it adds the authenticated user to the VLAN. The VLAN must already exist on the switch.

Extreme-Netlogin-VLAN-ID (VSA 209): This attribute specifies a VLAN ID (or VLAN tag) that the RADIUS server sends to the switch after successful authentication. When the switch receives the VSA, it adds the authenticated user to the VLAN. The VLAN must already exist on the switch.

Extreme-Netlogin-Extended-Vlan (VSA 211): This attribute specifies one or more VLANs that the RADIUS server sends to the switch after successful authentication. You can specify VLANs by VLAN name or ID (tag). The VLANs may either already exist on the switch or, if you have enabled dynamic VLANs and a nonexistent VLAN tag is given, the VLAN is created.

Once authenticated, the client/port is moved to the VLAN whose ID or name is sent in the Access-Accept message. This VLAN can be the designated quarantine VLAN. The administrator needs to ensure that the quarantine VLAN indeed has limited access to the rest of the network. Typically, this is done by disabling IP forwarding on that VLAN so that no routed traffic can leave it. Disabling IP forwarding only stops routed traffic; clients inside the quarantine VLAN can still reach each other at Layer 2 unless the dynamic deny-all ACL described under Restricted Network Access Using Access Control Lists is in place. The quarantine VLAN can also be created dynamically in the switch using NetLogin. This case study uses Extreme-Netlogin-VLAN-ID (VSA 209) to demonstrate the NAP concepts.

802.1X Based Authentication


This method involves the use of the standardized IEEE 802.1X protocol between the supplicant and the authenticator. The protocol is based on the Extensible Authentication Protocol (EAP). In this method, the authenticator is a facilitator that carries information received from the supplicant in EAPOL (EAP over LAN) frames to the authentication server. The authenticator still communicates with the authentication server using RADIUS; however, the RADIUS packets carry the EAP information provided by the supplicant. Various EAP types have been defined to support different supplicant and authenticator configurations. Some of them are EAP-MD5, Lightweight EAP (LEAP), Protected EAP (PEAP), EAP-TLS, and EAP-TTLS. Of these, EAP-MD5 and LEAP do not authenticate the server to the supplicant and should not be used for new deployments; PEAP, EAP-TLS and EAP-TTLS establish a TLS tunnel in which the client validates the server certificate before any credentials are sent. Microsoft Windows Server 2008 and Windows Server 2008 R2 support the following EAP types:
- PEAP with MS-CHAP-V2
- EAP-TLS

Microsoft NAP can be deployed using any one of the EAP methods supported by the servers. The authentication and authorization are done by the Network Policy Server, which incorporates the RADIUS server functionality. In this document we demonstrate NAP with the clients as well as the backend servers using PEAP with MS-CHAP-V2.

Restricted Network Access Using Access Control Lists


In addition to the VLAN VSAs, ExtremeXOS NetLogin supports the following Microsoft VSAs:
- MS-Quarantine-State
- MS-IPv4-Remediation-Servers


These VSAs control access to network resources by unhealthy supplicants. The MS-IPv4-Remediation-Servers VSA contains a list of IP addresses that an unhealthy, and therefore quarantined, supplicant is allowed to reach so that it can correct the unhealthy attribute(s). In practice, the remediation server(s) are reachable via the uplink port and are not necessarily in the same VLAN. Regardless of whether the quarantine VLAN is preconfigured or dynamically created, unhealthy clients must have access to the remediation servers.

NetLogin supports the MS-Quarantine-State attribute (present in the Access-Accept message), whose values (referred to as extremeSessionStatus) convey the status of the client: Quarantined or On Probation. In either case a dynamic ACL which denies all traffic is applied on the quarantine VLAN. If such an ACL is already present on that VLAN, no new ACL is applied. The ACL is removed automatically when the last authenticated client has been removed from the quarantine VLAN. Additionally, if the MS-IPv4-Remediation-Servers VSA is present in the Access-Accept message, then for each IP address in the VSA a dynamic ACL permitting all traffic to and from that address is applied on the quarantine VLAN. This allows traffic to and from the remediation servers to pass unhindered into the quarantine VLAN while all other traffic is dropped. After a quarantined client authenticates, confirm on the switch with show netlogin that the client landed in the quarantine VLAN, and that a client whose health state is anything other than Quarantined or On Probation does not trigger the deny-all ACL, before relying on this for isolation.
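To make the attribute handling described above and under VLAN Authorizations concrete, here is an added example (editor's code, not Extreme Networks' or Microsoft's) that encodes and decodes RFC 2865 Vendor-Specific attributes and derives the switch-side actions the note describes from an Access-Accept: which VLAN the port is moved to, and the permit/deny ACL entries for the quarantine VLAN. The sub-attribute numbers 203, 209 and 211 are from the note; the vendor IDs (1916 for Extreme Networks, 311 for Microsoft), the Microsoft sub-attribute numbers (55 and 57), the quarantine-state values and the encoding of the remediation server list as concatenated IPv4 addresses are assumptions that must be checked against the RADIUS server's dictionary. The sample Access-Accept is constructed for the example; 192.168.2.10 (the case study's DNS server) stands in for a remediation server, which the note does not name.

```python
"""RADIUS Vendor-Specific Attribute (RFC 2865 type 26) handling for the NetLogin
authorizations described in this note.  Added example code, not Extreme
Networks' or Microsoft's.  Sub-attribute numbers 203/209/211 are from the note;
vendor IDs, Microsoft sub-attribute numbers, quarantine-state values and the
remediation-server encoding are the editor's assumptions."""
import ipaddress
import struct

RADIUS_TYPE_VSA = 26
VENDOR_EXTREME = 1916                 # assumption: Extreme Networks enterprise number
VENDOR_MICROSOFT = 311                # assumption: Microsoft enterprise number

EXTREME_NETLOGIN_VLAN_NAME = 203      # from the note
EXTREME_NETLOGIN_VLAN_ID = 209        # from the note
EXTREME_NETLOGIN_EXTENDED_VLAN = 211  # from the note
MS_QUARANTINE_STATE = 55              # assumption
MS_IPV4_REMEDIATION_SERVERS = 57      # assumption
# assumption: 0 = Full-Access, 1 = Quarantine, 2 = Probation
QUARANTINE_STATES = {0: "Full-Access", 1: "Quarantine", 2: "Probation"}


def encode_vsa(vendor_id, vendor_type, value):
    """Return one type-26 attribute carrying a single vendor sub-attribute.
    int -> big-endian 32-bit, str -> UTF-8, bytes unchanged."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode()
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("VSA does not fit in one RADIUS attribute")
    return struct.pack("!BB", RADIUS_TYPE_VSA, 2 + len(body)) + body


def decode_vsas(attrs):
    """Walk a RADIUS attribute list; return [(vendor_id, vendor_type, value)].
    Every length field is bounds-checked so a truncated or hostile packet
    raises ValueError instead of being silently mis-parsed."""
    found, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[i + 2:i + alen]
        i += alen
        if atype != RADIUS_TYPE_VSA:
            continue
        if len(value) < 6:
            raise ValueError("VSA shorter than vendor id plus sub-attribute header")
        vendor, j = struct.unpack("!I", value[:4])[0], 4
        while j < len(value):
            if j + 2 > len(value):
                raise ValueError("truncated vendor sub-attribute header")
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("bad vendor sub-attribute length")
            found.append((vendor, vtype, value[j + 2:j + vlen]))
            j += vlen
    return found


def authorize(access_accept_attrs):
    """Turn the VSAs in an Access-Accept into the switch-side actions the note
    describes: the VLAN the port is moved to, and the dynamic ACL entries for
    the quarantine VLAN (permit each remediation server, then deny all)."""
    result = {"vlan": None, "quarantined": False, "remediation_servers": [], "acl": []}
    for vendor, vtype, raw in decode_vsas(access_accept_attrs):
        if vendor == VENDOR_EXTREME and vtype == EXTREME_NETLOGIN_VLAN_ID:
            result["vlan"] = struct.unpack("!I", raw)[0]
        elif vendor == VENDOR_EXTREME and vtype in (EXTREME_NETLOGIN_VLAN_NAME,
                                                   EXTREME_NETLOGIN_EXTENDED_VLAN):
            result["vlan"] = raw.decode()
        elif vendor == VENDOR_MICROSOFT and vtype == MS_QUARANTINE_STATE:
            state = QUARANTINE_STATES.get(struct.unpack("!I", raw)[0], "unknown")
            result["quarantined"] = state in ("Quarantine", "Probation")
        elif vendor == VENDOR_MICROSOFT and vtype == MS_IPV4_REMEDIATION_SERVERS:
            if len(raw) % 4:  # assumption: concatenated 4-byte IPv4 addresses
                raise ValueError("remediation server list is not whole IPv4 addresses")
            result["remediation_servers"] = [
                str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]
    if result["quarantined"]:
        result["acl"] = [f"permit host {ip}" for ip in result["remediation_servers"]]
        result["acl"].append("deny any")
    return result


# Constructed Access-Accept for an unhealthy client: quarantine VLAN tag 3 from the
# case study, state Quarantine, and 192.168.2.10 (the case-study DNS server)
# standing in for a remediation server, which the note does not name.
SAMPLE_ACCEPT = (
    encode_vsa(VENDOR_EXTREME, EXTREME_NETLOGIN_VLAN_ID, 3)
    + encode_vsa(VENDOR_MICROSOFT, MS_QUARANTINE_STATE, 1)
    + encode_vsa(VENDOR_MICROSOFT, MS_IPV4_REMEDIATION_SERVERS,
                 ipaddress.IPv4Address("192.168.2.10").packed)
)

if __name__ == "__main__":
    print(authorize(SAMPLE_ACCEPT))
```

The decoder refuses any attribute whose length field runs past the buffer, which is the check a RADIUS client needs because attribute lengths arrive from the network, and the unknown-state branch deliberately does not install the deny-all ACL, matching the note's statement that the ACL is tied to the Quarantined and On Probation values.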

NAP Case Study


We will build a NAP framework using the components shown on page 8, and see how it helps the company Prime Corporation (the example used in this case study) to enforce Microsoft NAP policies using ExtremeXOS based switches.
NOTE: A discussion about enterprise or campus network design is beyond the scope of this application note. The network design illustrated below is simplified to show the various features and benefits of using NetLogin.

The diagram below shows the various systems, and devices used by Prime Corp, along with users attached to the edge switches.

[Figure 2 shows the campus core/aggregation with the Domain Controller PRIMECORP-PDC-1 (Microsoft Windows 2008) and the Network Policy Server PRIMECORP-NAP-1 (Microsoft Windows 2008); a Summit X450a-24t at the aggregation layer; an edge stack of Summit X250e-24p switches (Stack 1, 2); and the users attached to the edge: John Smith with Laptop1 and JS-Workstation, and Bob Stone with BS-Workstation.]

Figure 2: Systems and devices used by Prime Corp and users attached to the edge switches


The table below summarizes the various roles and functions performed by the devices in the network:

Device: Summit X250e-24P
Role: Edge Switch
Notes: Performs authentication of attached users and devices such as phones using NetLogin. Provides network access to users. Multiple VLANs in the switch help isolate users and devices in different broadcast domains based on the authentication and NAP policies. Layer 2 switch in this scenario.

Device: Summit X450a-24t
Role: Aggregation/Distribution Switch
Notes: Provides connectivity to the rest of the campus network including authentication servers, application servers, domain controllers, and the Internet gateway. Layer 3 switch; provides routing functionality.

Device: PRIMECORP-PDC-1 (Microsoft Windows 2008 Server)
Role: Domain Controller and Root CA
Notes: Configured as the domain controller for primecorp.com. Contains the Microsoft Active Directory (AD). Enterprise Root CA for primecorp.com.

Device: PRIMECORP-NAP-1 (Microsoft Windows 2008 Server)
Role: Authentication Server, NAP Policy Server
Notes: Member of the domain primecorp.com. Acts as the authentication server for all users in the domain. Configured with NAP policies which are enforced using features provided by ExtremeXOS NetLogin in the edge switches.

Device: JS-WORKSTATION (Microsoft Windows 7 Professional)
Role: Workstation used by John Smith

Device: BS-WORKSTATION (Microsoft Windows Vista Business Edition)
Role: Workstation used by Bob Stone

Device: LAPTOP1 (Microsoft Windows XP)
Role: Laptop computer used by John Smith
Notes: Contains Service Pack 3 updates. Also contains all updates required for Group Policy client-side configuration.

Table 1


A summary of users and devices connecting to the edge of the network:

Network User: John Smith
Role: Employee
Notes: Works in the Sales organization in Prime Corp. Uses a Microsoft Windows 7 Professional based PC (connected to port 1 of the edge switch). Uses a Microsoft Windows XP SP3 based laptop computer (connected to port 3 of the edge switch). Requires full access to the network and resources such as file servers, printers, application servers, the Internet, and so on.

Network User: Bob Stone
Role: Employee
Notes: Works in the Engineering organization in Prime Corp. Uses a Microsoft Windows Vista Business Edition based workstation (connected to port 2 of the edge switch).

Table 2

Edge Switch Configuration

We will proceed to configure the Summit X250e-24P switch first. Readers will notice that changes to the network policies configured in the authentication server (PRIMECORP-NAP-1) do not require changes to the edge switch configuration. This allows for flexible NAP policies and changes without disturbing the configuration of a potentially large number of edge switches in the network. It is recommended that the reader keeps the following information handy in order to complete the switch configuration.

Authentication Server: IP 192.168.2.11/24
VLAN corp: tag 2, switch IP 192.168.2.1/24
VLAN authvlan: tag 7, VLAN used by NetLogin

In addition to configuring the NetLogin module, the VLAN and AAA modules also need to be configured. Configuration of the VLAN module provides reachability to the backend authentication servers, and also creates the various user VLANs in the switch. Configuration of the AAA module gives the switch one or more RADIUS server(s) to contact for authentication.


VLAN Configuration
configure vlan default delete ports 1-26
create vlan authvlan
configure vlan authvlan tag 7
create vlan corp
configure vlan corp tag 2
create vlan corpvoice
configure vlan corpvoice tag 4
create vlan crmapps
configure vlan crmapps tag 6
create vlan quarantine
configure vlan quarantine tag 3
create vlan salesapps
configure vlan salesapps tag 5
configure vlan corp add ports 25 tagged
configure vlan corpvoice add ports 25 tagged
configure vlan crmapps add ports 25 tagged
configure vlan quarantine add ports 25 tagged
configure vlan salesapps add ports 25 tagged
configure vlan Mgmt ipaddress 10.127.2.18 255.255.255.0
configure vlan corp ipaddress 192.168.2.1 255.255.255.0
configure vlan authvlan ipaddress 192.168.100.1 255.255.255.0

NOTE: None of the VLANs contain user ports; NetLogin adds user ports to VLANs as clients are authenticated. Port 25 is the uplink port of the edge switch and is added as a tagged port to each of the user VLANs. The quarantine VLAN has no IP address on this Layer 2 switch, so nothing is routed out of it locally; what quarantined clients can reach is decided by the dynamic ACLs described earlier and by the upstream Layer 3 switch.

AAA Module Configuration

configure radius netlogin primary server 192.168.2.11 1812 client-ip 192.168.2.1 vr VR-Default
configure radius netlogin primary shared-secret encrypted r~`gobmvr
enable radius netlogin

The shared secret is shown in the encrypted form the switch stores in its configuration; the plaintext entered on the switch must match the secret entered for this RADIUS client on PRIMECORP-NAP-1, and the client-ip (192.168.2.1) must match the address registered there for the switch.

NetLogin Configuration
configure netlogin vlan authvlan
enable netlogin dot1x mac web-based
enable netlogin ports 1-8 dot1x
enable netlogin ports 9-16 mac
enable netlogin ports 17-24 web-based
configure netlogin ports 1 mode port-based-vlans
configure netlogin ports 1 no-restart
configure netlogin ports 2 mode port-based-vlans
configure netlogin ports 2 no-restart
configure netlogin ports 3 mode port-based-vlans
configure netlogin ports 3 no-restart
configure netlogin ports 4 mode port-based-vlans
configure netlogin ports 4 no-restart
configure netlogin ports 5 mode port-based-vlans
configure netlogin ports 5 no-restart
configure netlogin ports 6 mode port-based-vlans
configure netlogin ports 6 no-restart
configure netlogin ports 7 mode port-based-vlans
configure netlogin ports 7 no-restart
configure netlogin ports 8 mode port-based-vlans
configure netlogin ports 8 no-restart
configure netlogin ports 9 mode port-based-vlans
configure netlogin ports 9 no-restart
configure netlogin ports 10 mode port-based-vlans
configure netlogin ports 10 no-restart
configure netlogin ports 11 mode port-based-vlans
configure netlogin ports 11 no-restart
configure netlogin ports 12 mode port-based-vlans
configure netlogin ports 12 no-restart
configure netlogin ports 13 mode port-based-vlans
configure netlogin ports 13 no-restart
configure netlogin ports 14 mode port-based-vlans
configure netlogin ports 14 no-restart
configure netlogin ports 15 mode port-based-vlans
configure netlogin ports 15 no-restart
configure netlogin ports 16 mode port-based-vlans
configure netlogin ports 16 no-restart
configure netlogin ports 17 mode port-based-vlans
configure netlogin ports 17 no-restart
configure netlogin ports 18 mode port-based-vlans
configure netlogin ports 18 no-restart
configure netlogin ports 19 mode port-based-vlans
configure netlogin ports 19 no-restart
configure netlogin ports 20 mode port-based-vlans
configure netlogin ports 20 no-restart
configure netlogin ports 21 mode port-based-vlans
configure netlogin ports 21 no-restart
configure netlogin ports 22 mode port-based-vlans
configure netlogin ports 22 no-restart
configure netlogin ports 23 mode port-based-vlans
configure netlogin ports 23 no-restart
configure netlogin ports 24 mode port-based-vlans
configure netlogin ports 24 no-restart
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 ports 9-16

NOTE: NetLogin uses the authvlan VLAN. Local database authentication is NOT used in this case study.


Prerequisites for Servers and Clients


This section lists the requirements in terms of applications, roles, features, and other software updates required in both the servers and clients in order to carry out the tests described in this case study.

Domain Controller (PRIMECORP-PDC-1)


The following components are installed and the appropriate services are started:
- Microsoft Windows Active Directory
- Certification Authority, installed as an Enterprise Root CA; a default certificate for the server primecorp-pdc-1.primecorp.com is generated
- DHCP Server with a scope to serve clients which are authenticated and authorized to be part of the corporate network. The DHCP scope used in this case study contains the following: IP address range 192.168.2.101 to 192.168.2.150; primary DNS server 192.168.2.10; WINS server 192.168.2.10

The screen shot below shows the list of programs and applications installed for this case study.


The screen shot below shows all the roles installed on this server.

Microsoft NPS/NAP Server (PRIMECORP-NAP-1)


The following components are installed and the appropriate services are started:
- Network Policy Server (available via the role Network Policy and Access Services)
- Group Policy Management (for management of client policies)
- A computer certificate obtained from primecorp-pdc-1 for use with IEEE 802.1X authentication (Protected EAP with MS-CHAP-V2)

Microsoft Windows 7 Professional Based Clients


All software updates available via Microsoft Windows Update services are installed. This computer (JS-WORKSTATION) has been joined to the primecorp.com domain.

Microsoft Windows Vista Business Edition Clients


All software updates available via Microsoft Windows Update services are installed. This computer (BS-WORKSTATION) has been joined to the primecorp.com domain.

Microsoft Windows XP Professional Clients


All software updates available via Microsoft Windows Update services are installed. In particular, Microsoft Windows XP Service Pack 3 update has been installed. This computer (LAPTOP1) has been joined to the primecorp.com domain.


Domain Controller (PRIMECORP-PDC-1) Configuration

This section describes the steps required to:
a. Create users and groups in Microsoft Active Directory
b. Perform any additional configuration required on the Microsoft Windows 2008 Server

Create Group: PRIMECORP_COMPUTERS


The list of computers that are administered in this domain can be viewed in the Active Directory Users and Computers. Steps: Click Start Click Administrative Tools Click Active Directory Users and Computers.


We will now proceed to create a group called PRIMECORP_COMPUTERS, and add the clients JS-WORKSTATION, BS-WORKSTATION, and LAPTOP1 into this group. Steps: Right Click on Users Click New.

Steps: Click Group.


Steps: Enter the group name as PRIMECORP_COMPUTERS, ensure that the group is of type Security, and the scope is Global. Click OK.


Steps: Access the group properties by right clicking on PRIMECORP_COMPUTERS.

Steps: Click Properties.


Steps: Click Members Tab Click Add Click Object Types.


Steps: Select Computers Click OK.


Steps: Enter the computer names as shown, and Click Check Names to ensure all the computer names have been recognized. Click OK.


Steps: Click OK to confirm the members of the group.

Create Group: SALES


The group SALES is intended to contain users such as John Smith, and other personnel in the sales organization. The group SALES can be created using the steps described in Section 5.3.1 Create Group: PRIMECORP_COMPUTERS.

Create Group: ENGINEERING


The group ENGINEERING is intended to contain users such as Bob Stone, and other personnel in the engineering organization. The group ENGINEERING can be created using the steps described in Section 5.3.1 Create Group: PRIMECORP_COMPUTERS.

Create User: John Smith


Steps: Open the program Active Directory Users and Computers.


Steps: Right click on Users. Click New. Click User.


Steps: Enter the details for the user as shown above Click Next.


Steps: Choose a password for the user Click OK.


Steps: Click Finish.

We will now proceed to make the user John Smith a member of the SALES group.


Steps: Right Click on user John Smith Click Properties.


Steps: In the Dial-In Tab Select option Allow Access Click on Members Of Tab.


Steps: Click Add In the Select Groups dialog box enter SALES in object names Click Check Names Ensure that the group name is recognized/resolved and click OK Click OK again to close the properties.

Create User: Bob Stone


The user Bob Stone with account name bob_stone can be created using the procedure described in the previous section. Further, Bob Stone should be configured as a member of the group ENGINEERING (instead of SALES, as for John Smith).
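The same group and user objects that the dialog-driven steps above create, as an added PowerShell example (editor's code, not part of the application note). It assumes the ActiveDirectory module is available (Windows Server 2008 R2 or later; the plain Windows Server 2008 used in the case study does not ship it), that the three computer accounts already exist because the clients were domain-joined under Prerequisites, and that John Smith's account name is john_smith (the note gives only bob_stone). Passwords are prompted for rather than written into the script.

```powershell
# Added example, not from the application note: creates the AD groups and users
# of the case study with the ActiveDirectory module.  Assumptions: module present
# (Windows Server 2008 R2 or later), computer accounts already exist, and
# john_smith as John Smith's account name (only bob_stone is given in the note).
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$usersOU = "CN=Users,$($domain.DistinguishedName)"   # the dialogs create objects under Users

# Global security groups, as selected in the New Object - Group dialog
foreach ($name in 'PRIMECORP_COMPUTERS', 'SALES', 'ENGINEERING') {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $usersOU
    }
}

# Computer accounts evaluated by NAP go into PRIMECORP_COMPUTERS
$computers = foreach ($c in 'JS-WORKSTATION', 'BS-WORKSTATION', 'LAPTOP1') {
    Get-ADComputer -Identity $c
}
Add-ADGroupMember -Identity 'PRIMECORP_COMPUTERS' -Members $computers

$users = @(
    @{ Sam = 'john_smith'; Given = 'John'; Surname = 'Smith'; Group = 'SALES' }        # account name assumed
    @{ Sam = 'bob_stone';  Given = 'Bob';  Surname = 'Stone'; Group = 'ENGINEERING' }
)
foreach ($u in $users) {
    # Password is prompted for rather than embedded in the script
    $pw = Read-Host -AsSecureString -Prompt "Initial password for $($u.Sam)"
    New-ADUser -Name "$($u.Given) $($u.Surname)" -SamAccountName $u.Sam `
        -GivenName $u.Given -Surname $u.Surname `
        -UserPrincipalName "$($u.Sam)@$($domain.DNSRoot)" -Path $usersOU `
        -AccountPassword $pw -Enabled $true
    # Dial-in tab, "Allow access": stored in the msNPAllowDialin attribute
    Set-ADUser -Identity $u.Sam -Replace @{ msNPAllowDialin = $true }
    Add-ADGroupMember -Identity $u.Group -Members $u.Sam
}

# Check: dial-in permission set and group membership resolved, per user
foreach ($u in $users) {
    $o = Get-ADUser -Identity $u.Sam -Properties msNPAllowDialin, MemberOf
    $groups = ($o.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
    '{0}: dialin={1} groups={2}' -f $u.Sam, $o.msNPAllowDialin, $groups
}
```

The final loop is the equivalent of the Check Names and Properties dialogs: it fails loudly if a user was not created, and prints the dial-in flag and group names so a mismatch with the NPS policy conditions (SALES, ENGINEERING) is visible before the first 802.1X test.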

NAP Policy Configuration (PRIMECORP-NAP-1)

RADIUS Client Configuration

In this section, we describe the steps required to define a network access policy. We first add a RADIUS client (the edge switch) from which the server will receive authentication requests on behalf of the clients, and then define authentication methods and authorization policies based on the statements of health supplied by the System Health Agents in the clients.


Steps: Click Start Click Administrative Tools Click Network Policy Server.

Steps: Expand RADIUS Clients and Servers in the left pane Right Click RADIUS Clients Click New RADIUS Client.


Steps: Enter the details as shown below and click OK. The address must be the switch's RADIUS client IP (192.168.2.1, the client-ip set in the AAA module configuration), and the shared secret must be the same plaintext that was configured on the switch with configure radius netlogin primary shared-secret.

Create and Configure NAP Policies

In this section, we walk through the steps required to create and configure a NAP policy.
Steps: Click on NPS (Local) in the left pane.


Steps: Click on Configure NAP in the right pane.

Steps: Select IEEE 802.1X (Wired) from the options presented for Network connection methods. Enter the name of the policy (in this case study we have used the name "Authenticate Corp Users NAP 802.1X (Wired)"). Click Next.


Steps: Confirm that the switch we configured as a RADIUS client is selected > Click Next.

Steps: Click Add User.


Steps: In the Select Group dialog box, enter the group name SALES > Click Check Names > Click OK.

In addition to the group SALES, we will use this NAP policy to authenticate and authorize users who are members of the ENGINEERING group. Steps: Click Add User.


Steps: In the Select Group dialog box that appears, enter the group name ENGINEERING > Click Check Names to verify that the group name is recognized/resolved > Click OK.

Steps: Click Next.


Steps: Select the EAP type Secure Password (PEAP-MS-CHAP v2) > Click Next. The two screen shots shown below are optional steps for users who want to view the server certificate used for this authentication method. The server certificate used in this case study was requested by the server PRIMECORP-NAP-1 and issued by PRIMECORP-PDC-1 (configured as the Enterprise Root CA for the domain primecorp.com). The clients must trust this CA: the protection PEAP gives the inner MS-CHAP v2 exchange depends on the supplicant validating the server certificate before it sends credentials.


When NAP policies are created using the wizard, users can specify both the organizational network VLAN (used by supplicants that pass authentication and the health policies) and a restricted VLAN (used to isolate unhealthy supplicants, i.e. those that do not pass the health policy checks). In this case study, we have chosen to configure these VLANs, and possibly other authorizations, separately after the wizard has created the NAP policies.


Steps: Click Next.


The Define NAP Health Policy step of the wizard allows administrators to configure the Health Validator to be used, auto-remediation (if desired), and the restrictions to be placed on computers that are not NAP-capable. Steps: Ensure that the default health validator Windows Security Health Validator is selected > Deselect Enable auto-remediation of client computers > Select Allow full network access to NAP-ineligible computers > Click Next. Note that the last option means any NAP-ineligible computer that authenticates successfully receives full access without a health check; choose the option that denies full network access (restricted network only) if such devices should be confined instead.


Steps: Click Finish.


Verify Processing Order of NAP Policies


The screen shots in this section show all three types of policies created by the wizard. It is recommended that users verify the processing order of the policies and that it matches, or is close to, what is shown in the screen shots. The screen shot below shows the list of Connection Request Policies. Note that the first policy, Authenticate Corp Users NAP 802.1X (Wired), is the result of the wizard we used in the previous section.


The screen shot below shows the list of Network Policies created by the NAP configuration wizard.

The screen shot below shows the list of Health Policies created by the NAP configuration wizard.


Modify NAP Policies


In this section, we walk through the steps required to define authorizations based on the health checks performed by the System Health Validator.

Authorizations for NAP Compliant or Healthy Supplicants


This section shows the steps required to provide the right authorization for clients deemed healthy and compliant with the health policy defined in NAP. Steps: In the left pane, under Policies, click Network Policies > Double-click the policy Authenticate Corp Users NAP 802.1X (Wired) Compliant.


Steps: Click the Settings tab.

Steps: Under RADIUS Attributes in the left pane, click Standard > Remove both attributes that appear by default, Framed-Protocol and Service-Type.


Steps: Click OK > Click Vendor Specific in the left pane > Click Add in the right pane.

Steps: Scroll down the list of attributes and select Vendor-Specific > Click Add.


Steps: In the Attribute Information dialog box, click Add.

Steps: Select the Enter Vendor Code option > Enter 1916, the Extreme Networks vendor ID (IANA enterprise number) > Select Yes. It conforms > Click Configure Attribute.


Steps: Enter 209 as the Vendor-assigned attribute number, which denotes the Extreme-Netlogin-VLAN-ID VSA > Select Decimal as the attribute format > Enter 2 (the VLAN ID of the corp VLAN) as the attribute value > Click OK twice to return to the list of vendor-specific attributes.


Steps: Click OK to return to the network policies.


Authorizations for NAP Noncompliant or Unhealthy Supplicants


This section shows the steps required to provide the right authorization for clients deemed unhealthy and noncompliant with the health policy defined in NAP. Steps: Double-click the Authenticate Corp Users NAP 802.1X (Wired) Noncompliant policy.


Steps: Click the Settings tab > Under RADIUS Attributes in the left pane, select Standard > Remove both attributes, Framed-Protocol and Service-Type.

Steps: Under RADIUS Attributes in the left pane, click Vendor Specific > Click Add in the right pane.


Steps: Scroll to the end of the list of attributes and select Vendor-Specific > Click Add.

Steps: Click Add to add a new VSA.


Steps: Select the Enter Vendor Code option > Enter 1916 > Select Yes. It conforms > Click Configure Attribute.

Steps: Enter 209 as the attribute number > Select Decimal as the attribute format > Enter 3 (the VLAN ID of the quarantine VLAN) as the attribute value > Click OK twice to return to the Vendor Specific attributes.


Steps: Click OK.
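To make the two vendor-specific attributes concrete (VLAN ID 2 returned by the Compliant policy, VLAN ID 3 by the Noncompliant policy), the following is an added example, not code from the application note and not Extreme Networks or Microsoft code. It builds the attribute exactly as NPS encodes it (RFC 2865 Vendor-Specific format: type 26, vendor ID 1916, vendor type 209, 4-byte integer for the Decimal format) and decodes it the way the switch must before it can move the port into the VLAN. The Session-Timeout attribute and its 3600-second value are constructed here only as a neighbouring attribute in the same Access-Accept; the constant names and function names are this example's own.

```python
"""RADIUS Vendor-Specific attribute for Extreme-Netlogin-VLAN-ID (added example)."""
import struct

RADIUS_VENDOR_SPECIFIC = 26     # RFC 2865 attribute type Vendor-Specific
RADIUS_SESSION_TIMEOUT = 27     # standard attribute, used here only as a neighbour
EXTREME_VENDOR_ID = 1916        # Extreme Networks IANA enterprise number (entered in NPS)
EXTREME_NETLOGIN_VLAN_ID = 209  # vendor-assigned attribute number entered in NPS


def encode_extreme_vlan_vsa(vlan_id: int) -> bytes:
    """Return the Vendor-Specific attribute NPS emits for Extreme-Netlogin-VLAN-ID = vlan_id.

    Layout: Type(26) Length Vendor-Id(4 bytes) Vendor-Type(209) Vendor-Length Value(4 bytes).
    The "Decimal" attribute format in NPS is a 32-bit big-endian integer.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    value = struct.pack("!I", vlan_id)
    vendor_part = struct.pack("!BB", EXTREME_NETLOGIN_VLAN_ID, 2 + len(value)) + value
    body = struct.pack("!I", EXTREME_VENDOR_ID) + vendor_part
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def encode_session_timeout(seconds: int) -> bytes:
    """Standard Session-Timeout attribute (type 27, 4-byte integer)."""
    return struct.pack("!BBI", RADIUS_SESSION_TIMEOUT, 6, seconds)


def iter_attributes(attrs: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list, rejecting bad lengths."""
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("bad attribute length")
        yield attr_type, attrs[i + 2:i + length]
        i += length


def decode_vsas(attrs: bytes) -> dict:
    """Return {(vendor_id, vendor_type): raw_value} for every VSA in the attribute list."""
    out = {}
    for attr_type, value in iter_attributes(attrs):
        if attr_type != RADIUS_VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise ValueError("VSA shorter than Vendor-Id")
        vendor_id = struct.unpack("!I", value[:4])[0]
        j = 4
        while j < len(value):
            if j + 2 > len(value):
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("bad vendor sub-attribute length")
            out[(vendor_id, vtype)] = value[j + 2:j + vlen]
            j += vlen
    return out


def netlogin_vlan_from_accept(attrs: bytes):
    """What the edge switch derives from the Access-Accept: the VLAN ID to authorise, or None."""
    raw = decode_vsas(attrs).get((EXTREME_VENDOR_ID, EXTREME_NETLOGIN_VLAN_ID))
    if raw is None:
        return None
    if len(raw) != 4:
        raise ValueError("Extreme-Netlogin-VLAN-ID must be a 4-byte integer (NPS format Decimal)")
    return struct.unpack("!I", raw)[0]


# Constructed attribute lists mirroring the two NPS network policies above.
COMPLIANT_ACCEPT = encode_session_timeout(3600) + encode_extreme_vlan_vsa(2)     # corp
NONCOMPLIANT_ACCEPT = encode_session_timeout(3600) + encode_extreme_vlan_vsa(3)  # quarantine

if __name__ == "__main__":
    for name, accept in (("compliant", COMPLIANT_ACCEPT), ("noncompliant", NONCOMPLIANT_ACCEPT)):
        print(f"{name:13s} {accept.hex()}  -> VLAN {netlogin_vlan_from_accept(accept)}")
```

If a packet capture between the switch and PRIMECORP-NAP-1 does not show the bytes 1a 0c 00 00 07 7c d1 06 followed by the VLAN ID in the Access-Accept, the policy's Vendor Specific attribute was not saved or the wrong policy matched; the NetLogin log line at the switch will then show the port's default VLAN rather than corp or quarantine.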

Authorizations for NAP Ineligible Supplicants


The authorizations for NAP-ineligible supplicants in this case study are the same as those for NAP-compliant supplicants, and can be configured using exactly the steps described in Section 5.4.4.1 Authorizations for NAP Compliant or Healthy Supplicants.

Configure System Health Validator


This section describes the configuration and settings of the Windows Security Health Validator (the default SHV). The SHV will be configured to check the following: a. Firewall: a firewall application is present and enabled. In this case study we use the Windows Firewall on the clients. b. Windows Automatic Updates: the automatic updates option is enabled on the client computers.


Steps: Under Policies in the left pane, click Health Policies > Double-click the policy Authenticate Corp Users NAP 802.1X (Wired) Compliant.

Steps: Under SHVs used in this health policy, ensure that Windows Security Health Validator is selected > Click OK.


Steps: Under Network Access Protection in the left pane, click System Health Validators > Double-click Windows Security Health Validator in the right pane.

Steps: Click Configure.


Steps: Click the Windows Vista tab and select only the following options: a. Under Firewall, select A firewall is enabled for all network connections. b. Under Automatic Updating, select Automatic updating is enabled. c. Click the Windows XP tab.

NOTE The settings on the Windows Vista tab also apply to Windows 7 clients.


Steps: Ensure that the firewall and automatic update settings match those described for the earlier screen shot > Click OK.

Group Policy Configuration


In this section, we walk through the steps required to create common group policies for clients running Microsoft Windows Vista, Microsoft Windows 7, and Microsoft Windows XP. Group policies can be applied both to individual computers and to a security group that contains one or more clients. Recall from section 5.3.1 Create Group: PRIMECORP_COMPUTERS that we created a security group containing all the domain-joined clients used in this case study. This group will be used to deploy the common group policies described in this section.

Server Side Configuration (PRIMECORP-NAP-1)


This section describes the steps to create a Group Policy Object called NAP Client Settings GPO.


Steps: Click Start > Enter gpme.msc and press Enter to run the Group Policy Management Editor.

Steps: Click Create New Group Policy Object.


Steps: Enter a name for the new GPO (the name used here is NAP Client Settings GPO) > Click OK to start the Group Policy Management Editor.

Steps: In the left pane, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\System Services > In the right pane, double-click Network Access Protection Agent.


Steps: Select Define this policy setting > Select Automatic > Click OK.

Steps: In the right pane, double-click Wired AutoConfig.


Steps: Select Define this policy setting > Select Automatic > Click OK.

Steps: In the left pane, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Enforcement Clients > In the right pane, right-click EAP Quarantine Enforcement Client > Click Enable.


Steps: In the left pane, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection > Right-click NAP Client Configuration > Click Apply.

Steps: In the left pane, navigate to Computer Configuration\Policies\Administrative Templates: Policy definitions\Windows Components\Security Center > In the right pane, double-click Turn on Security Center (Domain PCs only).


Steps: On the Setting tab, select Enabled > Click OK [optionally close the Group Policy Management Editor].


Steps: Click Start > Enter gpmc.msc and press Enter.


Steps: In the left pane, navigate to Group Policy Management\Forest: primecorp.com\Domains\primecorp.com\Group Policy Objects\NAP Client Settings GPO > In the right pane, under Security Filtering, select Authenticated Users > Click Remove.

Steps: In the right pane, under Security Filtering, click Add.


Steps: Type the object name PRIMECORP_COMPUTERS > Click Check Names to ensure that the object is resolved > Click OK. Also confirm that the GPO is linked to the domain or to an OU that contains the client computers; security filtering only narrows which objects an already-linked GPO applies to.

Client Side Verification


In this section, we describe the steps to verify that the group policy configuration done on the NAP server PRIMECORP-NAP-1 has taken effect on the clients. It may be necessary to reboot the clients for the group policy configuration to be updated.

NOTE It is important that the group policy configuration is updated on all clients before proceeding with the rest of the case study. It is strongly recommended that users verify this and, if required, troubleshoot any problems with the group policy update on the clients (running gpupdate /force on a client forces an immediate refresh). We will mainly use the netsh command, and also look at the service settings that result from the group policy update from the NAP server PRIMECORP-NAP-1.


Microsoft Windows 7 Professional (JS-WORKSTATION)


Steps: Open a command prompt and enter the command netsh nap client show grouppolicy > Ensure that the EAP Quarantine Enforcement Client has an admin state of Enabled.


Steps: Open a command prompt and enter the command netsh nap client show state > Ensure that the EAP Quarantine Enforcement Client is initialized (Initialized = Yes).


Steps: Open Control Panel > Click System and Security > Click Administrative Tools > In the right pane, double-click Services.

Steps: Ensure that the service Network Access Protection Agent is set to start automatically.


Steps: Ensure that the service Wired AutoConfig is set to start automatically.


Microsoft Windows Vista Business Edition (BS-WORKSTATION)


Steps: Open a command prompt and enter the command netsh nap client show grouppolicy > Ensure that the EAP Quarantine Enforcement Client has an admin state of Enabled.

Steps: Open a command prompt and enter the command netsh nap client show state > Ensure that the EAP Quarantine Enforcement Client is initialized (Initialized = Yes).


Steps: Open Control Panel > Click System and Maintenance > Click Administrative Tools > In the right pane, double-click Services.

Steps: Ensure that the service Network Access Protection Agent is set to start automatically.


Steps: Ensure that the service Wired AutoConfig is set to start automatically.


Microsoft Windows XP Service Pack 3 (LAPTOP1)


Steps: Open a command prompt and enter the command netsh nap client show grouppolicy > Ensure that the EAP Quarantine Enforcement Client has an admin state of Enabled.


Steps: Open a command prompt and enter the command netsh nap client show state > Ensure that the EAP Quarantine Enforcement Client is initialized (Initialized = Yes).


Steps: Open Control Panel > Double-click Administrative Tools > Double-click Services.

Steps: Ensure that the Network Access Protection Agent is set to start automatically.


Steps: Ensure that the service Wired AutoConfig is set to start automatically.

Client Side Configuration for IEEE 802.1X (PEAP-MS-CHAP v2) Authentication


This section describes the configuration required on the client side to perform IEEE 802.1X authentication with PEAP and Secured password (EAP-MSCHAP v2).


Microsoft Windows 7 Professional (JS-WORKSTATION)


Steps: Right-click the Network Connection icon in the system tray > Click Open Network and Sharing Center.


Steps: Click Local Area Connection.

Steps: Click Properties.


Steps: Select Enable IEEE 802.1X authentication > Select the method Microsoft: Protected EAP (PEAP) > Click Settings.


Steps: Select Validate server certificate > Under Select Authentication Method, select Secured password (EAP-MSCHAP v2) > Click Configure. For the certificate check to mean anything, also tick the CA that issued the NPS server certificate (here the PRIMECORP-PDC-1 enterprise root) under Trusted Root Certification Authorities; otherwise the supplicant accepts a certificate from any root in the machine store, and a rogue RADIUS server presenting such a certificate can capture the MS-CHAP v2 exchange.


Steps: It is recommended that the option Automatically use my Windows logon name and password is selected. If it is not, the user has to enter credentials every time the client authenticates.


Microsoft Windows Vista Business Edition (BS-WORKSTATION)


Steps: Open Control Panel > Click Network and Internet > Click Network and Sharing Center.

Steps: Right-click Local Area Connection > Click Properties.


Steps: Click the Authentication tab > Select Enable IEEE 802.1X authentication > Under Choose a network authentication method, select Microsoft: Protected EAP (PEAP) > Click Settings.

Steps: Select Validate server certificate (and tick the trusted root CA that issued the NPS server certificate, so that only that CA is accepted) > Under Select Authentication Method, select Secured password (EAP-MSCHAP v2) > Select Enable Quarantine checks > Click Configure.


Steps: It is recommended that the option Automatically use my Windows logon name and password is selected.

Microsoft Windows XP Service Pack 3 (LAPTOP1)


Steps: Open Control Panel > Double-click Network Connections > Right-click Local Area Connection > Click Properties.


Steps: On the Authentication tab, select Enable IEEE 802.1X authentication > Select Protected EAP under Choose a network authentication method > Click Settings.

Steps: Select Validate server certificate (and tick the trusted root CA that issued the NPS server certificate, so that only that CA is accepted) > Under Select Authentication Method, select Secured password (EAP-MSCHAP v2) > Select Enable Quarantine checks > Click Configure.


Steps: It is recommended that the option Automatically use my Windows logon name and password is selected.

Healthy Supplicants Scenario


In this section, we go through the information available at the server and the switch when supplicants meet all the health policies defined by the administrator on the NAP server (PRIMECORP-NAP-1). This means that all clients have Windows Firewall and Windows Automatic Updates enabled. The first step is to log in to the respective clients and let them authenticate with the edge switch.


John Smith (JS-WORKSTATION)


The screen shot below shows the events available on the Event Viewer program on the NAP server (PRIMECORP-NAP-1). The event selected and shown below is generated by NPS, and shows that the client has been granted access to the network.


The screen shot below shows the events available on the Event Viewer program on the NAP server (PRIMECORP-NAP-1). The event selected and shown below is generated by NPS, and shows that the client (Username: john_smith) has met all the health policy requirements.


Bob Stone (Logging in Using BS-WORKSTATION)


The screen shot below shows the events available on the Event Viewer program on the NAP server (PRIMECORP-NAP-1). The event selected and shown below is generated by NPS, and shows that the client (Username: bob_stone) has authenticated successfully and has been granted access to the network.


The screen shot below shows the events available on the Event Viewer program on the NAP server (PRIMECORP-NAP-1). The event selected and shown below is generated by NPS, and shows that the client (Username: bob_stone) has met all the health policy requirements.


John Smith (LAPTOP1)


The screen shot below shows the events available on the Event Viewer program on the NAP server (PRIMECORP-NAP-1). The event selected and shown below is generated by NPS, and shows that the client (Username: john_smith logging in from host LAPTOP1) has authenticated successfully and has been granted network access.


The screen shot below shows the events available on the Event Viewer program on the NAP server (PRIMECORP-NAP-1). The event selected and shown below is generated by NPS, and shows that the client (Username: john_smith logging in from host LAPTOP1) has met all the health policy requirements.


Information Available at the Edge Switch


Output of command: show log chronological

06/24/2010 19:11:29.45 <Info:nl.ClientAuthenticated> Network Login 802.1x user PRIMECORP\john_smith logged in MAC 00:11:11:CD:74:6B port 1 VLAN(s) corp, authentication Radius
06/24/2010 19:11:30.14 <Info:nl.ClientAuthenticated> Network Login 802.1x user PRIMECORP\bob_stone logged in MAC 00:11:43:4C:90:6F port 2 VLAN(s) corp, authentication Radius
06/24/2010 19:11:30.71 <Info:nl.ClientAuthenticated> Network Login 802.1x user PRIMECORP\john_smith logged in MAC 00:11:43:51:B9:63 port 3 VLAN(s) corp, authentication Radius

The following snippet shows that the ports, from which the clients have logged on to the network, have been added to the corp VLAN.
X250e-24p.5 # show corp
VLAN Interface with name corp created by user
  Admin State:         Enabled     Tagging: 802.1Q Tag 2
  Virtual router:      VR-Default
  Primary IP:          192.168.2.1/24
  IPv6:                None
  STPD:                None
  Protocol:            Match all unfiltered protocols
  Loopback:            Disabled
  NetLogin:            Disabled
  QosProfile:          None configured
  Egress Rate Limit Designated Port: None configured
  Flood Rate Limit QosProfile:       None configured
  Ports:   4.   (Number of active ports=4)
     Untag:   *1a,   *2a,   *3a
     Tag:     *25
  Flags: (*) Active, (!) Disabled, (g) Load Sharing port
         (b) Port blocked on the vlan, (m) Mac-Based port
         (a) Egress traffic allowed for NetLogin
         (u) Egress traffic unallowed for NetLogin
         (t) Translate VLAN tag for Private-VLAN
         (s) Private-VLAN System Port, (L) Loopback port
         (e) Private-VLAN End Point Port
         (x) VMAN Tag Translated port


The snippet below shows the state recorded by the ExtremeXOS NetLogin module for each of the clients.
X250e-24p.5 # show netlogin port 1-3
Port                          : 1
Port Restart                  : Disabled
Allow Egress                  : None
Vlan                          : corp
Authentication                : 802.1x
Port State                    : Enabled
Guest Vlan                    : Disabled
Auth Failure Vlan             : Disabled
Auth Service-Unavailable Vlan : Disabled

MAC                IP address      Authenticated   Type     ReAuth-Timer  User
00:11:11:cd:74:6b  192.168.2.102   Yes, Radius     802.1x   2995          PRIMECORP\john_smith
-----------------------------------------------
(B) - Client entry Blackholed in FDB

Port                          : 2
Port Restart                  : Disabled
Allow Egress                  : None
Vlan                          : corp
Authentication                : 802.1x
Port State                    : Enabled
Guest Vlan                    : Disabled
Auth Failure Vlan             : Disabled
Auth Service-Unavailable Vlan : Disabled

MAC                IP address      Authenticated   Type     ReAuth-Timer  User
00:11:43:4c:90:6f  192.168.2.101   Yes, Radius     802.1x   3577          PRIMECORP\bob_stone
-----------------------------------------------
(B) - Client entry Blackholed in FDB

Port                          : 3
Port Restart                  : Disabled
Allow Egress                  : None
Vlan                          : corp
Authentication                : 802.1x
Port State                    : Enabled
Guest Vlan                    : Disabled
Auth Failure Vlan             : Disabled
Auth Service-Unavailable Vlan : Disabled

MAC                IP address      Authenticated   Type     ReAuth-Timer  User
00:11:43:51:b9:63  192.168.2.103   Yes, Radius     802.1x   2995          PRIMECORP\john_smith
-----------------------------------------------
(B) - Client entry Blackholed in FDB


Restricted Network Access for Unhealthy Supplicants


In this section, we go through the information available at the server, the switch, and the clients when supplicants do not meet all the health policies defined by the administrator on the NAP server (PRIMECORP-NAP-1). We disable the Windows Automatic Updates feature on all the clients and let them authenticate to the network. The NAP server will categorize all the clients as Noncompliant and deliver authorizations accordingly.

Network Access Restriction Using VLANs


This section describes the use of VLANs to isolate unhealthy supplicants into a network segment that can be used to quarantine them. We place the unhealthy supplicants into the VLAN quarantine; its VLAN ID is delivered by NPS via the Extreme VSA configured earlier. The rest of the section applies after all the clients have been allowed to authenticate to the network.

John Smith (JS-WORKSTATION) Information Available on the Client


Steps: 1. Open Control Panel > Click System and Security > Click Windows Update > Click Change settings > Select Never check for updates (not recommended) > Click Apply. 2. [Optional step] The user can speed up the re-authentication process by disabling and re-enabling the local area connection interface. 3. Observe that the Network Access Protection agent displays an error message indicating that a system health component is not enabled on the host.


Information Available on the NAP Server PRIMECORP-NAP-1


The screen shot below shows that NPS has authenticated the client successfully and returned an Access-Accept. This event does not mean the client received full access: the restricted VLAN is carried in that accept. We look at the actual network authorizations at the switch later in the section.

The screen shot below shows that the server (PRIMECORP-NAP-1) attempted to quarantine the unhealthy supplicant.


The screen shot below is an event generated by NPS and indicates that the client has not met the health policy requirements.

The screen shot below (scroll down in the event details) shows the reason for the client being deemed noncompliant.


Bob Stone (BS-WORKSTATION) Information Available on the Client


Steps:
1. Open Control Panel > Windows Security Center > Change Settings, turn off Automatic Updates, and click Apply.
2. [Optional] Speed up re-authentication by disabling and re-enabling the Local Area Connection interface.
3. Observe that the Network Access Protection agent displays an error message indicating that the computer is not compliant with the health policy requirements. A remediation recommendation is shown in the same window.

John Smith (LAPTOP1) Information on the Client


Steps:
1. Open Control Panel > Windows Security Center > Change Settings, turn off Automatic Updates, and click Apply.
2. [Optional] Speed up re-authentication by disabling and re-enabling the Local Area Connection interface.
3. Observe that the Network Access Protection agent displays an error message indicating that the computer is not compliant with the health policy requirements. A remediation recommendation is shown in the same window.

Information Available at the Edge Switch


The switch log shows the authorization applied to each client. Notice that all three clients have been placed into the quarantine VLAN:

06/24/2010 22:16:12.49 <Info:nl.ClientAuthenticated> Network Login 802.1x user PRIMECORP\john_smith logged in MAC 00:11:11:CD:74:6B port 1 VLAN(s) quarantine, authentication Radius
06/24/2010 22:16:12.64 <Info:nl.ClientAuthenticated> Network Login 802.1x user PRIMECORP\bob_stone logged in MAC 00:11:43:4C:90:6F port 2 VLAN(s) quarantine, authentication Radius
06/24/2010 22:16:13.65 <Info:nl.ClientAuthenticated> Network Login 802.1x user PRIMECORP\john_smith logged in MAC 00:11:43:51:B9:63 port 3 VLAN(s) quarantine, authentication Radius

* X250e-24p.28 # show quarantine
VLAN Interface with name quarantine created by user
    Admin State:         Enabled     Tagging:   802.1Q Tag 3
    Virtual router:      VR-Default
    IPv6:                None
    STPD:                None
    Protocol:            Match all unfiltered protocols
    Loopback:            Disabled
    NetLogin:            Disabled
    QosProfile:          None configured
    Egress Rate Limit Designated Port: None configured
    Flood Rate Limit QosProfile:       None configured
    Ports:   4.          (Number of active ports=4)
       Untag:    *1a, *2a, *3a
       Tag:      *25
     Flags:  (*) Active, (!) Disabled, (g) Load Sharing port
             (b) Port blocked on the vlan, (m) Mac-Based port
             (a) Egress traffic allowed for NetLogin
             (u) Egress traffic unallowed for NetLogin
             (t) Translate VLAN tag for Private-VLAN
             (s) Private-VLAN System Port, (L) Loopback port
             (e) Private-VLAN End Point Port
             (x) VMAN Tag Translated port

* X250e-24p.29 # show netlogin port 1-3
Port : 1                        Port Restart : Disabled
Allow Egress : None
Vlan : quarantine               Authentication : 802.1x
Port State : Enabled            Guest Vlan : Disabled
Auth Failure Vlan : Disabled    Auth Service-Unavailable Vlan : Disabled

MAC                IP address   Authenticated  Type    ReAuth-Timer  User
00:11:11:cd:74:6b  0.0.0.0      Yes, Radius    802.1x  3509          PRIMECORP\john_smith
----------------------------------------------
(B) - Client entry Blackholed in FDB

Port : 2                        Port Restart : Disabled
Allow Egress : None
Vlan : quarantine               Authentication : 802.1x
Port State : Enabled            Guest Vlan : Disabled
Auth Failure Vlan : Disabled    Auth Service-Unavailable Vlan : Disabled

MAC                IP address   Authenticated  Type    ReAuth-Timer  User
00:11:43:4c:90:6f  0.0.0.0      Yes, Radius    802.1x  3507          PRIMECORP\bob_stone
----------------------------------------------
(B) - Client entry Blackholed in FDB

Port : 3                        Port Restart : Disabled
Allow Egress : None
Vlan : quarantine               Authentication : 802.1x
Port State : Enabled            Guest Vlan : Disabled
Auth Failure Vlan : Disabled    Auth Service-Unavailable Vlan : Disabled

MAC                IP address   Authenticated  Type    ReAuth-Timer  User
00:11:43:51:b9:63  0.0.0.0      Yes, Radius    802.1x  3508          PRIMECORP\john_smith
----------------------------------------------
(B) - Client entry Blackholed in FDB

Note that the clients show an IP address of 0.0.0.0: the quarantine VLAN as displayed has no IP interface configured, so a client isolated this way will not obtain an address or reach a remediation server unless DHCP and a remediation path are provided for that VLAN.

Network Access Restriction Using VLAN and Access Control Lists


This section describes the use of VLANs to isolate unhealthy supplicants into a network segment that can be used to quarantine these clients. In addition to using a designated VLAN for quarantine, we will also use access control lists to limit the connectivity of these clients to specific hosts (which could be used as remediation servers). The rest of the section applies after all clients have been allowed to authenticate to the network.

Server Side Configuration (PRIMECORP-NAP-1)


Steps: Open the Network Policy Server program. In the left pane, navigate to NPS (Local)\Policies\Network Policies. In the right pane, double-click Authenticate Corp Users NAP 802.1X (Wired) Noncompliant.

Steps: In the left pane, click Vendor Specific, then click Add.

Steps: Click Add to add a new VSA.

Steps: Select Enter Vendor Code, enter the vendor code 1916 (the IANA enterprise number of Extreme Networks), select Yes. It conforms, and click Configure Attribute.

Steps: Enter 209 as the vendor-assigned attribute number, select Decimal as the attribute format, enter 2 as the attribute value, and click OK. Click Add again to add a new VSA.

NOTE We are now placing the unhealthy supplicants in the corp VLAN (VID = 2) instead of the quarantine VLAN, but we will restrict their access to a limited set of hosts.

Steps: Enter 1916 as the vendor code, select Yes. It conforms, and click Configure Attribute.

Steps: Click Add to add the new attribute.

Steps: Select Microsoft as the vendor and click Configure Attribute.

Steps: Enter 45 as the attribute number, select Decimal as the format, enter 1 as the value, and click OK twice.

NOTE This is the MS-Quarantine-State attribute described in Section 4.1.3 Restricted network access using Access Control Lists; the value 1 means Quarantine.

Steps: Click Add to add a new VSA.

Steps: Select Microsoft as the vendor, select Yes. It conforms, and click Configure Attribute.

Steps: Enter 52 as the attribute number, select Hexadecimal as the attribute format, enter 0xC0A8020B as the value (the IP address 192.168.2.11, the host that quarantined clients will be permitted to reach, encoded as four bytes), and click OK three times.

NOTE This is the MS-IPv4-Remediation-Servers attribute described in Section 4.1.3 Restricted network access using Access Control Lists.

Steps: Observe that all three VSAs are now included in the policy.

Steps: In the left pane, right-click Network Policies and click Refresh.
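The three attributes configured above travel in the Access-Accept as RADIUS Vendor-Specific attributes (attribute type 26). The following is an added example, not code from this application note or from Extreme Networks or Microsoft: it encodes the Noncompliant policy's three VSAs in wire format and decodes them the way a NAS has to, with the length fields checked. The attribute names in the comments come from common RADIUS dictionaries (the NPS dialog only shows the numbers), and the remediation-server value is encoded exactly as the dialog on this page enters it, as the raw 4-byte IPv4 address 0xC0A8020B.

```python
import ipaddress
import struct

RADIUS_VENDOR_SPECIFIC = 26       # RFC 2865 attribute type 26
VENDOR_EXTREME = 1916             # IANA enterprise number entered as "vendor code"
VENDOR_MICROSOFT = 311
EXTREME_NETLOGIN_VLAN_TAG = 209   # integer VLAN ID handed to NetLogin (page: attribute 209)
MS_QUARANTINE_STATE = 45          # 1 = Quarantine (0 = Full Access, 2 = Probation)
MS_IPV4_REMEDIATION_SERVERS = 52  # page: attribute 52, value 0xC0A8020B


def encode_vsa(vendor_id, vendor_type, value):
    """Wrap one vendor sub-attribute in a RADIUS attribute 26 (RFC 2865 section 5.26)."""
    if len(value) > 253 - 6:
        raise ValueError("VSA value too long for a single attribute")
    vendor_part = struct.pack("!IBB", vendor_id, vendor_type, 2 + len(value)) + value
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(vendor_part)) + vendor_part


def noncompliant_policy_vsas(vlan_id=2, remediation_server="192.168.2.11"):
    """The VSAs the Noncompliant policy on this page returns: VLAN 2 (corp),
    quarantine state 1, and the single remediation host."""
    return (
        encode_vsa(VENDOR_EXTREME, EXTREME_NETLOGIN_VLAN_TAG, struct.pack("!I", vlan_id))
        + encode_vsa(VENDOR_MICROSOFT, MS_QUARANTINE_STATE, struct.pack("!I", 1))
        + encode_vsa(VENDOR_MICROSOFT, MS_IPV4_REMEDIATION_SERVERS,
                     ipaddress.IPv4Address(remediation_server).packed)
    )


def decode_vsas(attrs):
    """Walk a RADIUS attribute list and return (vendor_id, vendor_type, value)
    for every vendor sub-attribute. Every length field is validated before it
    is used as an offset; a NAS that trusts them blindly reads out of bounds."""
    found = []
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        body = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != RADIUS_VENDOR_SPECIFIC:
            continue                       # not a VSA; skip it
        if len(body) < 6:
            raise ValueError("VSA shorter than vendor header")
        vendor_id = struct.unpack("!I", body[:4])[0]
        vpos = 4
        while vpos < len(body):
            if vpos + 2 > len(body):
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = body[vpos], body[vpos + 1]
            if vlen < 2 or vpos + vlen > len(body):
                raise ValueError("bad vendor length %d" % vlen)
            found.append((vendor_id, vtype, body[vpos + 2:vpos + vlen]))
            vpos += vlen
    return found


def _u32(value):
    if len(value) != 4:
        raise ValueError("integer VSA must be 4 bytes, got %d" % len(value))
    return struct.unpack("!I", value)[0]


def describe(vsa):
    """Render one decoded VSA the way the switch and NAP interpret it."""
    vendor_id, vtype, value = vsa
    if (vendor_id, vtype) == (VENDOR_EXTREME, EXTREME_NETLOGIN_VLAN_TAG):
        return "Extreme-Netlogin-Vlan-Tag = %d" % _u32(value)
    if (vendor_id, vtype) == (VENDOR_MICROSOFT, MS_QUARANTINE_STATE):
        state = _u32(value)
        names = {0: "Full Access", 1: "Quarantine", 2: "Probation"}
        return "MS-Quarantine-State = %d (%s)" % (state, names.get(state, "unknown"))
    if (vendor_id, vtype) == (VENDOR_MICROSOFT, MS_IPV4_REMEDIATION_SERVERS):
        # One 4-byte IPv4 address per server, as entered in hexadecimal in NPS.
        addrs = [str(ipaddress.IPv4Address(value[i:i + 4]))
                 for i in range(0, len(value) - len(value) % 4, 4)]
        return "MS-IPv4-Remediation-Servers = %s" % ", ".join(addrs)
    return "vendor %d type %d = %s" % (vendor_id, vtype, value.hex())


if __name__ == "__main__":
    for vsa in decode_vsas(noncompliant_policy_vsas()):
        print(describe(vsa))
```

Running the block prints the three attributes as the switch sees them, including 0xC0A8020B rendered back to 192.168.2.11; feeding decode_vsas a truncated buffer raises ValueError instead of reading past the end.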

Verifying Network Access Restrictions

Information Available at the Edge Switch


The log below shows that the client (in this case john_smith) has been authenticated and placed into the VLAN corp. In addition, four dynamic ACLs have been created and bound to the port: the three named after the client's MAC address (nl001111cd746b_*) apply to that client only, and nl_0_1_10001 permits traffic to the host delivered in the MS-IPv4-Remediation-Servers VSA.

06/24/2010 23:17:33.60 <Info:nl.ClientAuthenticated> Network Login 802.1x user PRIMECORP\john_smith logged in MAC 00:11:11:CD:74:6B port 1 VLAN(s) corp, authentication Radius
06/24/2010 23:17:33.61 <Info:ACL.Policy.AddDynAcl> Configure dynamic Acl nl001111cd746b_4_10001 rule index 4294967246 above rule index 4294967295 for applicaition NetLogin.
06/24/2010 23:17:33.61 <Info:ACL.Policy.AddDynAcl> Configure dynamic Acl nl001111cd746b_2_10001 rule index 4294967245 above rule index 4294967246 for applicaition NetLogin.
06/24/2010 23:17:33.72 <Info:ACL.Policy.AddDynAcl> Configure dynamic Acl nl001111cd746b_3_10001 rule index 4294967244 above rule index 4294967245 for applicaition NetLogin.
06/24/2010 23:17:33.72 <Info:ACL.Policy.AddDynAcl> Configure dynamic Acl nl_0_1_10001 rule index 4294967243 above rule index 4294967245 for applicaition NetLogin.

* X250e-24p.75 # show corp
VLAN Interface with name corp created by user
    Admin State:         Enabled     Tagging:   802.1Q Tag 2
    Virtual router:      VR-Default
    Primary IP :         192.168.2.1/24
    IPv6:                None
    STPD:                None
    Protocol:            Match all unfiltered protocols
    Loopback:            Disabled
    NetLogin:            Disabled
    QosProfile:          None configured
    Egress Rate Limit Designated Port: None configured
    Flood Rate Limit QosProfile:       None configured
    Ports:   4.          (Number of active ports=4)
       Untag:    *1a, *2a, *3a
       Tag:      *25
     Flags:  (*) Active, (!) Disabled, (g) Load Sharing port
             (b) Port blocked on the vlan, (m) Mac-Based port
             (a) Egress traffic allowed for NetLogin
             (u) Egress traffic unallowed for NetLogin
             (t) Translate VLAN tag for Private-VLAN
             (s) Private-VLAN System Port, (L) Loopback port
             (e) Private-VLAN End Point Port
             (x) VMAN Tag Translated port

* X250e-24p.76 # show netlogin port 1
Port : 1                        Port Restart : Disabled
Allow Egress : None
Vlan : corp                     Authentication : 802.1x
Port State : Enabled            Guest Vlan : Disabled
Auth Failure Vlan : Disabled    Auth Service-Unavailable Vlan : Disabled

MAC                IP address     Authenticated  Type    ReAuth-Timer  User
00:11:11:cd:74:6b  192.168.2.102  Yes, Radius    802.1x  3544          PRIMECORP\john_smith
----------------------------------------------
(B) - Client entry Blackholed in FDB

Details of the ACLs applied can be seen with the show access-list commands. A lower rule index takes precedence, so the three permit rules are evaluated before the final deny on the client's source MAC: traffic to the remediation host 192.168.2.11, EAPOL frames (ethernet-type 34958 is 0x888E, so 802.1X re-authentication keeps working while the client is restricted), and broadcast frames such as ARP requests from the client. Note that the deny rule nl001111cd746b_4_10001 matches only frames sourced from the authenticated client's MAC address, and that the remediation-host permit nl_0_1_10001 is keyed only on the destination IP address.

* X250e-24p.77 # show access-list dynamic
Dynamic Rules: ((*)- Rule is non-permanent )
(*)hclag_arp_0_4_96_28_b_c1      Bound to 0 interfaces for application HealthCheckLAG
(*)nl001111cd746b_2_10001        Bound to 1 interfaces for application NetLogin
(*)nl001111cd746b_3_10001        Bound to 1 interfaces for application NetLogin
(*)nl001111cd746b_4_10001        Bound to 1 interfaces for application NetLogin
(*)nl_0_1_10001                  Bound to 1 interfaces for application NetLogin

* X250e-24p.78 # show access-list dynamic rule nl001111cd746b_2_10001
entry nl001111cd746b_2_10001 {
    if match all {
        ethernet-source-address 00:11:11:cd:74:6b ;
        ethernet-destination-address ff:ff:ff:ff:ff:ff ;
    } then {
        permit ;
    }
}
* X250e-24p.79 # show access-list dynamic rule nl001111cd746b_3_10001
entry nl001111cd746b_3_10001 {
    if match all {
        ethernet-type 34958 ;
        ethernet-source-address 00:11:11:cd:74:6b ;
    } then {
        permit ;
    }
}
* X250e-24p.80 # show access-list dynamic rule nl001111cd746b_4_10001
entry nl001111cd746b_4_10001 {
    if match all {
        ethernet-source-address 00:11:11:cd:74:6b ;
    } then {
        deny ;
    }
}
* X250e-24p.81 # show access-list dynamic rule nl_0_1_10001
entry nl_0_1_10001 {
    if match all {
        destination-address 192.168.2.11/255.255.255.255 ;
    } then {
        permit ;
    }
}

Client Side Verication


The screen shot below shows a command prompt window with the results of two ping requests from the client. Notice that the client can now reach only the host with IP address 192.168.2.11; everything else sourced from the client's MAC address, including the switch's own corp VLAN address 192.168.2.1, is dropped by the final deny rule.
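To make the first-match behaviour of the four dynamic rules concrete, the following added example (not code from this application note or from Extreme Networks) transcribes the rules and their indexes from the switch output above into a small evaluator and runs it over constructed frames, including the two pings from the client-side check. The peer MAC addresses and the assumption that a frame matching no dynamic rule is forwarded are this example's own; the rule names, indexes and match fields are those shown on the page.

```python
import ipaddress

EAPOL_ETHERTYPE = 0x888E            # shown as decimal 34958 in the rule display
ARP_ETHERTYPE = 0x0806
IPV4_ETHERTYPE = 0x0800
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
CLIENT_MAC = "00:11:11:cd:74:6b"    # john_smith, from the switch log
REMEDIATION_HOST = "192.168.2.11"   # from the MS-IPv4-Remediation-Servers VSA


def dynamic_acl_name(mac, rule_no, seq=10001):
    """Reproduce the per-client ACL names seen on the switch: nl<mac>_<n>_<seq>."""
    return "nl%s_%d_%d" % (mac.replace(":", ""), rule_no, seq)


# (rule index, name, match conditions, action), transcribed from the
# 'show access-list dynamic rule' output and the ACL.Policy.AddDynAcl log
# lines. A lower rule index is evaluated first.
DYNAMIC_RULES = [
    (4294967243, "nl_0_1_10001",
     {"destination-address": REMEDIATION_HOST + "/32"}, "permit"),
    (4294967244, dynamic_acl_name(CLIENT_MAC, 3),
     {"ethernet-type": EAPOL_ETHERTYPE, "ethernet-source-address": CLIENT_MAC}, "permit"),
    (4294967245, dynamic_acl_name(CLIENT_MAC, 2),
     {"ethernet-source-address": CLIENT_MAC, "ethernet-destination-address": BROADCAST_MAC}, "permit"),
    (4294967246, dynamic_acl_name(CLIENT_MAC, 4),
     {"ethernet-source-address": CLIENT_MAC}, "deny"),
]


def _matches(conditions, frame):
    """'if match all' semantics: every condition must hold, and a frame that
    lacks the field (an ARP frame has no IP destination) cannot match."""
    for field, wanted in conditions.items():
        actual = frame.get(field)
        if actual is None:
            return False
        if field == "destination-address":
            if ipaddress.ip_address(actual) not in ipaddress.ip_network(wanted):
                return False
        elif field == "ethernet-type":
            if int(actual) != int(wanted):
                return False
        elif str(actual).lower() != str(wanted).lower():
            return False
    return True


def evaluate(frame, rules=DYNAMIC_RULES):
    """Return (action, rule name) of the first matching rule in index order.
    Assumption for this example: with no matching dynamic rule the frame is forwarded."""
    for _index, name, conditions, action in sorted(rules, key=lambda r: r[0]):
        if _matches(conditions, frame):
            return action, name
    return "permit", None


# Constructed frames; the non-client MAC addresses are invented for this example.
SAMPLE_FRAMES = {
    "ping remediation host": {"ethernet-source-address": CLIENT_MAC,
                              "ethernet-destination-address": "00:04:96:00:00:01",
                              "ethernet-type": IPV4_ETHERTYPE,
                              "destination-address": REMEDIATION_HOST},
    "ping corp gateway": {"ethernet-source-address": CLIENT_MAC,
                          "ethernet-destination-address": "00:04:96:00:00:01",
                          "ethernet-type": IPV4_ETHERTYPE,
                          "destination-address": "192.168.2.1"},
    "arp who-has": {"ethernet-source-address": CLIENT_MAC,
                    "ethernet-destination-address": BROADCAST_MAC,
                    "ethernet-type": ARP_ETHERTYPE},
    "eapol start": {"ethernet-source-address": CLIENT_MAC,
                    "ethernet-destination-address": "01:80:c2:00:00:03",
                    "ethernet-type": EAPOL_ETHERTYPE},
    # A different source MAC is untouched by the client-specific deny; on the
    # real port NetLogin itself blocks MACs that have not authenticated.
    "other mac to gateway": {"ethernet-source-address": "00:04:96:00:00:02",
                             "ethernet-destination-address": "00:04:96:00:00:01",
                             "ethernet-type": IPV4_ETHERTYPE,
                             "destination-address": "192.168.2.1"},
}


def run_samples(frames=SAMPLE_FRAMES):
    """Evaluate every sample frame; returns {name: (action, rule name)}."""
    return {name: evaluate(frame) for name, frame in frames.items()}


if __name__ == "__main__":
    for name, (action, rule) in run_samples().items():
        print("%-24s %-6s %s" % (name, action, rule or "(no dynamic rule matched)"))
```

The result matches the client-side check: the ping to 192.168.2.11 is permitted by nl_0_1_10001, the ping to 192.168.2.1 falls through to the MAC-keyed deny, and ARP and EAPOL from the client stay open so the client can still resolve the remediation host and re-authenticate once it is healthy.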

Corporate and North America Extreme Networks, Inc. 3585 Monroe Street Santa Clara, CA 95051 USA Phone +1 408 579 2800

Europe, Middle East, Africa and South America Phone +31 30 800 5100

Asia Pacic Phone +65 6836 5437

Japan Phone +81 3 5842 4011

www.extremenetworks.com

2011 Extreme Networks, Inc. All rights reserved. Extreme Networks, the Extreme Networks Logo, ExtremeXOS and Summit are either registered trademarks or trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other trademarks are the trademarks of their respective owners. Specications are subject to change without notice. 1709_01 11/11
