Quarantine VLAN or Policy based on Assessment?

  • Question
  • Updated 2 years ago
  • Answered
Hello,

I'm currently in the middle of integrating an Extreme solution in our test environment before we bring it over to production. To keep it simple, my main question is that I have a NAC policy that will authenticate a user and do assessment. If assessment fails, then I want to apply a Quarantine rule. I'm unsure if I am supposed to create a separate Quarantine VLAN or apply policies to have these users in a limited role. I have asked Extreme consultants and some have advised going the policy route, giving end users limited access. Therefore this is the route that I am trying to pursue.

Here's a rundown of what we have done:
  • Integrated Active Directory, and MDM JAMF's Casper Suite for Assessment.
  • Have 2 NACs and 2 Extreme Wireless Controllers working.
  • Have Dynamic VLAN working utilizing one SSID, "ASD_EXT". Based on LDAP:
    • If you are a High School Student, get placed into VLAN 72
    • If you are a Middle School Student, get placed into VLAN 64
    • If you are Staff, get placed into VLAN 100
  • Now with the Casper Suite integration I can create dynamic groups and link them from Casper Suite. Casper Suite is a solution we use to manage all of our Apple Macs. With this, I set up an assessment rule basically saying that if a machine hasn't reported in to Casper after "x" amount of days, then we will put a quarantine rule. If it has "reported in" in the required timeline, then they get placed into their correct VLAN: 72 (High School), 64 (Middle School), or 100 (Staff).
    • So I sort of have this working: my Quarantine policy works, where I have denied internet and allowed access to the Casper Server to remediate.
    • However, the authenticated VLAN, whether 72 (High School), 64 (Middle School), or 100 (Staff), doesn't get honoured, and the client receives an IP that is in the VLAN of the Wireless APs when in quarantine.
    • On the switch port I have the Access Point untagged with the Wireless Management VLAN 102, and have VLANs 72, 64, 100 tagged.
Should I continue on this path or would it be best practice to place failed assessment users into a Quarantine VLAN?

Thanks in advance!
Peter
Peter Chang

Posted 2 years ago

James A, Embassador
Hi Peter,

I have a feeling you might need three quarantine rules in NAC, one for each group, so that the user gets placed into the correct VLAN, if you want to go down that path with a combined SSID. You will then need to have the NAC policy mapping of your quarantine policy role to three policies with the VLAN for each group. Finally, change the VNS Global/Authentication/RFC 3850 options to be Both RADIUS Filter-ID and Tunnel-Private-Group-ID attributes. NB: This is theoretical, although I do have the RFC 3850 option set to both in my environment.

Having said that, we also have Casper integrated via OFConnect for our iPads (we were the first customer actually), and I would be rather wary of having a single SSID if you're going to use AirPlay or other Bonjour services, as multicast traffic will be seen by clients in all VLANs which caused some problems. One possible solution could be to use the feature that lets you bridge Bonjour to a separate VLAN and use the same one for all, but we separated our SSIDs back into staff and students. This had further benefits in restricting students to only joining devices in Casper to our wifi which would have been more complicated with a single SSID. Obviously there is a performance degradation in having more SSIDs, so you should test it and see.

I believe the downside of a quarantine VLAN is the client not changing their IP if you have a long DHCP lease time, but that's less of an issue for Casper assessment since it'll happen immediately on join, rather than when the NAC agent relays the assessment result to the NAC assessment server. Also IIRC the client will be fully deauthed rather than have a RADIUS CoA request sent to the EWC's DAS port, as I don't think that feature request has been implemented yet. So it's not an issue at all really. Except that iPads will stop joining the wifi if you send too many deauths in a short period of time, which is one reason why, despite having asked for that assessment feature, we actually manage it by having a group in Casper and just chasing up the students directly when they haven't checked in recently.

I'm happy to discuss any further Casper/NAC/EWC questions you have here or offline too.

James A
(Edited)
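The following is an added illustration of the two posts above, not code from either author or from Extreme: it models the NAC decision (LDAP group plus Casper check-in age) and shows why a single quarantine role loses the VLAN while one quarantine policy mapping per group, sending both the Filter-Id and the Tunnel-Private-Group-ID attributes, keeps the client in 72/64/100. The group names, the 7-day threshold (the question only says "x" days), the MAC addresses and check-in timestamps are all constructed, and the Enterasys-style Filter-Id string is an assumption about how the controller is configured.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Constructed from the thread: LDAP group -> production VLAN on the ASD_EXT SSID.
GROUP_VLAN: Dict[str, int] = {"high_school": 72, "middle_school": 64, "staff": 100}
# Switch-port facts from the question: tagged user VLANs and the AP's untagged management VLAN.
TAGGED_VLANS = {72, 64, 100}
AP_UNTAGGED_VLAN = 102
# Assumed threshold for "hasn't reported in after x days"; the post leaves x unspecified.
MAX_CHECKIN_AGE = timedelta(days=7)
# RFC-standard RADIUS tunnel attribute values for VLAN assignment.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


@dataclass
class Client:
    mac: str                          # constructed sample value
    group: str                        # LDAP group resolved at authentication
    last_checkin: Optional[datetime]  # last Casper inventory report; None if never


def needs_quarantine(client: Client, now: datetime) -> bool:
    """Assessment: fail if the device has never reported or is older than the threshold."""
    if client.last_checkin is None:
        return True
    return now - client.last_checkin > MAX_CHECKIN_AGE


def role_name(client: Client, quarantined: bool) -> str:
    """One quarantine role per group (the answer's suggestion) so the VLAN can be kept."""
    return f"Quarantine_{client.group}" if quarantined else client.group


def policy_mapping(client: Client, quarantined: bool, send_vlan: bool = True) -> Dict[str, object]:
    """Build the RADIUS Access-Accept attributes for the chosen role.

    send_vlan=False models a quarantine mapping that carries only the policy role
    (Filter-Id) and no Tunnel-Private-Group-ID, which is the symptom in the question.
    """
    attrs: Dict[str, object] = {
        # Assumed Enterasys/Extreme policy Filter-Id format; adjust to the controller's expectation.
        "Filter-Id": f"Enterasys:version=1:policy={role_name(client, quarantined)}",
    }
    if send_vlan:
        attrs["Tunnel-Type"] = TUNNEL_TYPE_VLAN
        attrs["Tunnel-Medium-Type"] = TUNNEL_MEDIUM_IEEE_802
        attrs["Tunnel-Private-Group-ID"] = str(GROUP_VLAN[client.group])
    return attrs


def effective_vlan(attrs: Dict[str, object]) -> int:
    """VLAN the client lands in: the tagged VLAN named in the reply, else the AP's untagged VLAN."""
    vlan = attrs.get("Tunnel-Private-Group-ID")
    if vlan is None or int(vlan) not in TAGGED_VLANS:
        return AP_UNTAGGED_VLAN
    return int(vlan)


def authorize(client: Client, now: datetime, send_vlan: bool = True) -> Dict[str, object]:
    """Full decision for one client: assessment, role, RADIUS attributes and resulting VLAN."""
    quarantined = needs_quarantine(client, now)
    attrs = policy_mapping(client, quarantined, send_vlan)
    return {
        "mac": client.mac,
        "role": role_name(client, quarantined),
        "quarantined": quarantined,
        "attributes": attrs,
        "vlan": effective_vlan(attrs),
    }


# Constructed sample clients: one fresh check-in, one stale, one that never reported.
NOW = datetime(2024, 1, 15, 8, 0, tzinfo=timezone.utc)
SAMPLE_CLIENTS = [
    Client("aa:bb:cc:00:00:01", "high_school", NOW - timedelta(days=2)),
    Client("aa:bb:cc:00:00:02", "staff", NOW - timedelta(days=30)),
    Client("aa:bb:cc:00:00:03", "middle_school", None),
]

if __name__ == "__main__":
    for send_vlan in (False, True):
        print(f"--- quarantine mapping sends VLAN attribute: {send_vlan} ---")
        for c in SAMPLE_CLIENTS:
            r = authorize(c, NOW, send_vlan)
            print(f"{r['mac']}  role={r['role']:<24} quarantined={r['quarantined']!s:<5} vlan={r['vlan']}")
```

Running it shows the stale and never-reported devices landing in VLAN 102 when the quarantine mapping omits the VLAN attribute, and staying in their group's VLAN once each per-group quarantine mapping carries Tunnel-Private-Group-ID alongside the Filter-Id.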