07-23-2024 06:09 AM - edited 07-23-2024 06:11 AM
Hi everyone,
In addition to DHCP profiling, what other methods does ExtremeControl support to identify the end-system operating system?
When the switch port or Wi-Fi is 802.1X enabled, only EAP traffic is allowed. So no matter how many DHCP Requests the end-system sends, this traffic will not be allowed to pass through the port. Therefore, the DHCP relay configuration pointing to ExtremeControl will have no effect. Am I right or wrong?
I created a rule in the NAC to authenticate via 802.1X only end-systems running Windows 10 and 11, and when the end-system was first seen, the NAC didn't know who it was.
The switch is sending the DHCP Request to the network and the NAC is receiving these DHCP Requests, however this only happens once the challenge imposed by EAP has been processed. Before this, only EAP traffic passes through the port or wireless network.
If the first packet that arrives at the NAC is from RADIUS, how will the NAC know which operating system is in use by the end-system?
I would appreciate it if we could talk more about this.
Thank you very much,
Edson Moura
07-30-2024 10:46 AM
Hello folks,
As Configterminal said, maybe create an ACL and apply it on all ports to permit DHCP. When the NAC receives the DHCP request, it will be able to identify the end-system and apply the correct rule.
"My immediate thoughts are the following although I've never attempted this on Control but you can do something like this in ClearPass - You can create a rule that sends back an ACL plus the proper VLAN for the device. The ACL will limit what the device can talk to, e.g.: DHCP Server, XMC NAC Engines, etc. "
Thanks,
Edson Moura
07-29-2024 02:49 AM
From XIQ-SE help topic "How to Use Device Type Profiling":
Here are some examples of how device type profiling can be used to determine network access:
I believe the simplest way is to create two rules: an upper 802.1X rule that permits specific access for Windows 10/11 machines, and a second rule below it that authorizes all device types with lower network access, just enough to let them obtain an IP address. I will check this in my lab, but I believe this is the recommended way to do it according to the description above.
07-29-2024 05:09 AM
Yes but how do you issue a CoA automatically after it gets profiled correctly?
07-31-2024 02:33 AM
Hi,
I've found a solution which works for EXOS switches. Keep in mind that in EXOS you can enable both MAC-based and 802.1X authentication so that they work concurrently, which then allows the NAC to do something like this:
So just create a rule for MAC-based authentication which gives limited access for Base Services (ARP + DHCP) and an 802.1X rule with device profiling, and it works.