topic Re: ExtremeControl Profiling in ExtremeControl

ExtremeControl Profiling

Edsond — Tue, 23 Jul 2024 13:11:12 GMT

Hi everyone,

In addition to dhcp pofiling, what are the other methods supported by ExtremeControl to identify the end-system Operating System?

When the switch port/or wifi is 802.1x enabled, only EAP traffic is allowed. So, no matter how much the end-system is sending DHCP Request, this traffic will not be allowed to pass through the port. Therefore, the DHPC Relay configuration pointing to ExtremeControl will have no effect. Am I right or wrong?

I created a rule in the NAC to authenticate via 8021.x only end-system running Windows 10 and 11 and when the end-system is first seen, the NAC didn't know who it was.

The switch is sending the DHCP request to the network, the NAC is receiving these DHCP Requests, however, this is only sent when the challenge imposed by the EAP is processed. Before this, only EAP traffic passes through the port or wireless network.

If the first packet that arrives at the NAC is from RADIUS, how will the NAC know which operating system is in use by the end-system?

I would appreciate it if we could talk more about this.

Thank you very much,

Edson Moura

Re: ExtremeControl Profiling

Robert_Haynes — Wed, 24 Jul 2024 14:05:58 GMT

You can see the various means of OS 'Device Type Detection' under Control -> Engines -> Engine Settings -> Device Type Detection. Agent-based assessment removed (defunct feature) Control will rely on DHCP Fingerprinting or Captive Portal interaction for this.

OS detection is performed after authentication of the device. If DHCP Fingerprinting is to be successful the DHCP flow should be relayed to Control (or mirrored) in addition to actual relay configuration to real DHCP servers. This way Control gets a glimpse of the DHCP exchange.

'You would never know the operating system of a device simply via EAP/RADIUS exchange. EAP/RADIUS is vendor/device agnostic.

Re: ExtremeControl Profiling

Configterminal — Wed, 24 Jul 2024 19:15:48 GMT

You are definitely not wrong with your points and I'd be curious how others have handled this with XMC-Control.

My immediate thoughts are the following although I've never attempted this on Control but you can do something like this in ClearPass - You can create a rule that sends back an ACL plus the proper VLAN for the device. The ACL will limit what the device can talk to, e.g.: DHCP Server, XMC NAC Engines, etc. This will allow the Client to perform the DHCP process and receive an IP but not much else - it will of also sent the DHCP Info to the NAC Engines so they can profile accordingly. Once this process is done, ClearPass (or XMC-Control in this case I hope) can issue a CoA and the device should now hit the proper rule giving it the proper access as long as the fingerprinting was done correctly.

I am curious as to how others have handled this as I was thinking of implementing Device Types in my rule set as well but unsure as to how to perform a CoA after fingerprinting is successful

Re: ExtremeControl Profiling

Bartek — Mon, 29 Jul 2024 09:49:41 GMT

From XIQ-SE help topic "How to Use Device Type Profiling":

Here are some examples of how device type profiling can be used to determine network access:

When an end user with valid credentials logs in to the network on a registered iPad versus a registered Windows 10 machine, they receive a lower level of network access.
When an end user registers a Windows machine using its MAC address, another user cannot spoof that MAC address using a Linux system. (Device profiling does not resolve this issue in environments with dual boot machines.)
If an end user exports a certificate from a corporate PC to an iPad and successfully authenticates with 802.1x, the iPad is not allowed full network access.

I believe the simplest way is to create two rules: upper one 802.1x to permit specific access for Windows 10/11 machines and second below to authorize all device types with lower network access to just allow them to obtain IP address. I will check this in my lab but I believe this is the recommended way to do this according to description above.

Re: ExtremeControl Profiling

Configterminal — Mon, 29 Jul 2024 12:09:06 GMT

Yes but how do you issue a CoA automatically after it gets profiled correctly?

Re: ExtremeControl Profiling

Edsond — Tue, 30 Jul 2024 17:46:40 GMT

Hello folks,

The image below show us that before the authentication only EAP/RADIUS pass througt to port/switch.

So, the NAC doesn't receive the DHCP Request from end-system. So, the EAC (or other NAC) doesn't who is the operational system.

As Configterminal said, maybe create a ACL e applied in all ports to permit DHCP. When the NAC receives the dhcp request, it will able to knows the end-system and to apply the correct rule.

"My immediate thoughts are the following although I've never attempted this on Control but you can do something like this in ClearPass - You can create a rule that sends back an ACL plus the proper VLAN for the device. The ACL will limit what the device can talk to, e.g.: DHCP Server, XMC NAC Engines, etc. "

Thanks,

Edson Moura

Re: ExtremeControl Profiling

Bartek — Wed, 31 Jul 2024 09:33:49 GMT

Hi,

I've found solution which works for EXOS switches. Keep in mind that in EXOS you can enable both MAC-based and 802.1x authentication which works concurrently which allows then the NAC to do something like this:

So just create a rule for MAC-based authentication which gives a limited access to for Base Services (ARP + DHCP) and 802.1x rule with device profiling and it works

Re: ExtremeControl Profiling

Edsond — Wed, 31 Jul 2024 15:44:10 GMT

Hi Bartek,

This could work with a wired network. But, how does it work on a wireless network with WAP2/3 Enterprise?

Thanks,

Edson Moura

Re: ExtremeControl Profiling

Bartek — Mon, 05 Aug 2024 09:24:22 GMT

Hi,

I've made a screenshot of working example in my lab so I ensure it works. In "accepted solution" you mentioned only about the wired network so I didn't try any wireless as irrelevant for you.
In wireless I would try to use PPSK with MAC-based authentication enabled to let NAC appliance do the magic. I can check this in my lab when I come back from my holiday. I believe it would be a KISS solution but I am interested of your solution using only 802.1x (I suppose that CoA would be required). What kind of wireless solution are you using now?

Re: ExtremeControl Profiling

Edsond — Mon, 05 Aug 2024 12:13:20 GMT

Hi Bartek,

I'm using Extreme Cloud IQ with 802.1x.

Thanks,

Edson Moura