This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Wireless
- ExtremeWireless (General)
- Quarantine VLAN or Policy based on Assessment?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Quarantine VLAN or Policy based on Assessment?
Quarantine VLAN or Policy based on Assessment?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
05-30-2016 09:04 AM
Hello,
I'm currently in the middle of integrating an Extreme solution in our test environment before we bring it over to production. To keep it simple, my main question is that I have a NAC policy that will authenticate a user, and do assessment. If assessment fails, then I want to apply a Quarantine rule. I'm unsure if I am supposed to create a separate Quarantine VLAN or apply policies to have these users in a limited role. I have asked Extreme consultants and some have advised going the policy route giving end users limited access. Therfore this is the route that I am trying to pursue
Here's a rundown of what we have done:
Thanks in advance!
Peter
I'm currently in the middle of integrating an Extreme solution in our test environment before we bring it over to production. To keep it simple, my main question is that I have a NAC policy that will authenticate a user, and do assessment. If assessment fails, then I want to apply a Quarantine rule. I'm unsure if I am supposed to create a separate Quarantine VLAN or apply policies to have these users in a limited role. I have asked Extreme consultants and some have advised going the policy route giving end users limited access. Therfore this is the route that I am trying to pursue
Here's a rundown of what we have done:
- Integrated Active Directory, and MDM JAMF's Casper Suite for Assessment.
- Have 2 NAC's and 2 Extreme Wireless Controllers working.
- Have Dynamic VLAN working utilizing one SSID, "ASD_EXT". Based on LDAP:
- If you are a High School Student, get placed into VLAN 72
- If you are a Middle School Student, get placed into VLAN 64
- If you are Staff, get placed into VLAN 100
- So I sort of have this working, My Quarantine policy works where I have denied internet, allowed access to the Casper Server to remediate
- however, the authenticated VLAN, whether 72 (High School), 64 (Middle School), or 100 (Staff), doesn't get honoured, and the client receives an IP that is in the VLAN of the Wireless AP's when in quarantine
- On the switch port I have the Access Point untagged with the Wireless Management VLAN 102, and have VLAN's 72, 64,100 tagged.
Thanks in advance!
Peter
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-01-2016 11:24 AM
Hi Peter,
I have a feeling you might need three quarantine rules in NAC, one for each group, so that the user gets placed into the correct VLAN, if you want to go down that path with a combined SSID. You will then need to have the NAC policy mapping of your quarantine policy role to three policies with the VLAN for each group. Finally, change the VNS Global/Authentication/RFC 3850 options to be Both RADIUS Filter-ID and Tunnel-Private-Group-ID attributes. NB: This is theoretical, although I do have the RFC 3850 option set to both in my environment.
Having said that, we also have Casper integrated via OFConnect for our iPads (we were the first customer actually), and I would be rather wary of having a single SSID if you're going to use AirPlay or other Bonjour services, as multicast traffic will be seen by clients in all VLANs which caused some problems. One possible solution could be to use the feature that lets you bridge Bonjour to a separate VLAN and use the same one for all, but we separated our SSIDs back into staff and students. This had further benefits in restricting students to only joining devices in Casper to our wifi which would have been more complicated with a single SSID. Obviously there is a performance degradation in having more SSIDs, so you should test it and see.
I believe the downside of a quarantine VLAN is the client not changing their IP if you have a long DHCP lease time, but that's less of an issue for Casper assessment since it'll happen immediately on join, rather than when the NAC agent relays the assessment result to the NAC assessment server. Also IIRC the client will be fully deauthed rather than have a RADIUS CoA request sent to the EWC's DAS port, as I don't think that feature request has been implemented yet. So it's not an issue at all really. Except that iPads will stop joining the wifi if you send too many deauths in a short period of time, which is one reason why, despite having asked for that assessment feature, we actually manage it by having a group in Casper and just chasing up the students directly when they haven't checked in recently.
I'm happy to discuss any further Casper/NAC/EWC questions you have here or offline too.
James A
I have a feeling you might need three quarantine rules in NAC, one for each group, so that the user gets placed into the correct VLAN, if you want to go down that path with a combined SSID. You will then need to have the NAC policy mapping of your quarantine policy role to three policies with the VLAN for each group. Finally, change the VNS Global/Authentication/RFC 3850 options to be Both RADIUS Filter-ID and Tunnel-Private-Group-ID attributes. NB: This is theoretical, although I do have the RFC 3850 option set to both in my environment.
Having said that, we also have Casper integrated via OFConnect for our iPads (we were the first customer actually), and I would be rather wary of having a single SSID if you're going to use AirPlay or other Bonjour services, as multicast traffic will be seen by clients in all VLANs which caused some problems. One possible solution could be to use the feature that lets you bridge Bonjour to a separate VLAN and use the same one for all, but we separated our SSIDs back into staff and students. This had further benefits in restricting students to only joining devices in Casper to our wifi which would have been more complicated with a single SSID. Obviously there is a performance degradation in having more SSIDs, so you should test it and see.
I believe the downside of a quarantine VLAN is the client not changing their IP if you have a long DHCP lease time, but that's less of an issue for Casper assessment since it'll happen immediately on join, rather than when the NAC agent relays the assessment result to the NAC assessment server. Also IIRC the client will be fully deauthed rather than have a RADIUS CoA request sent to the EWC's DAS port, as I don't think that feature request has been implemented yet. So it's not an issue at all really. Except that iPads will stop joining the wifi if you send too many deauths in a short period of time, which is one reason why, despite having asked for that assessment feature, we actually manage it by having a group in Casper and just chasing up the students directly when they haven't checked in recently.
I'm happy to discuss any further Casper/NAC/EWC questions you have here or offline too.
James A
