NAC Immersion Center Blog

July 06, 2007
Making a Test Bed
By Mike Fratto

In setting up the test bed for a series of NAC reviews, I ran into some interesting issues, some of which I want to lay out here and some of which I will explore in more depth later (at some point, I have to get some testing done). So in preparation for the upcoming tests, I created my test bed.

My goal is always to make sure that the test bed works fully and then stabilize it. From that point, I should be able to insert different products with minimal change to the infrastructure other than cabling and integration. This lets me swap products in and out of the test bed quickly. I use a mix of products to help out, like Ghost to make images, VMware ESX Server, and big honking hard drives to store this stuff.

So, here is what I am building (see NAC Test Bed, right). Currently, access control is based on physical location and separated by VLANs. VLANs are a fine engineering tool, and while I don't advocate VLANs as a security technology, if your switches are current and you have complete control of your infrastructure, then properly deployed VLANs are acceptable layer 2 segmentation. Each location is on a separate VLAN, and traffic moves from one subnet to another through a router. In the real world, I might replace that router with a firewall or some other in-line device; for my NAC test bed, it doesn't matter.

The details of this test bed are:

  • I am using Microsoft Windows 2003 Server SP2, fully patched, as an Active Directory domain controller in Windows 2003 native mode. Installed are IAS, Certificate Services, DHCP, DNS, and IIS. Normally, I would move some of these services off the AD machine and set up some redundancy.

  • I am using Symantec AntiVirus Enterprise as the AV package since it is widely deployed. Frankly, any AV package that is widely supported should be acceptable in a test bed.

  • The Internal Network access switch is a Cisco 3750.

  • The router is a Cisco 2800 running IOS 12.4.

  • The Distribution Switch is a Cisco 3750G running IOS 12.2(25).

  • The Conference Room access switch is an HP ProCurve 2650-PWR running H.10.38.

  • Client hosts are a mix of Windows XP, Mac OS X, and Linux computers.

The port and VLAN configuration is static at the moment. If you connect to a port on the conference switch, you are in VLAN 204. If I want to move a port to a different VLAN, I have to reconfigure the switch. If a host doesn't authenticate via 802.1X, it is put into the guest VLAN; otherwise, it is moved to the access VLAN defined for the switch port. 802.1X is configured with EAP-MD5 as well as EAP-TLS. (EAP-MD5 is fine for exercising a test bed, but it authenticates only the client, not the server, and derives no keying material, so it is not a choice for a production deployment.)

I want something more dynamic. I know that for the conference room I can't expect users to have an 802.1X supplicant configured to my parameters, so I have configured the switch to put an unauthenticated user on a "guest VLAN" with a separate subnet. I want any port in the network to be available to any VLAN based on a user's condition.

Part of what I want to test in the NAC products is the various enforcement options like VLAN steering, DHCP control, ARP management (aka ARP poisoning), in-line blocking, etc. The reasons are twofold. First, I want to see what the integration requires, and second, there may be cases where you need to use multiple enforcement methods. A switch may not support 802.1X, or perhaps you can't enforce client configuration, so 802.1X is not an option. The switch configurations for the Cisco and HP switches are at the end of this blog.

Stumbles
The basic configuration is pretty simple. Only three things tripped me up. In Windows 2003, there is an option on the Dial-In tab, "Control access through Remote Access Policy", that is grayed out when Active Directory is installed in Windows 2000 Mixed Mode, the default. In order to get a RADIUS accept response, the user has to have remote access permission. By default, new users in Mixed mode don't have remote access permission, so that needs to be changed. Using a remote access policy for 802.1X, I could grant remote access permission, but that option is grayed out while in Mixed mode. I had to update my Windows 2003 AD to Native mode. Once I did that, any new users had the remote access policy option checked.

Now in IAS, I defined the policy so that only a specific group was granted access and, by default, all others were denied access. That's much easier to manage than granting individual users remote access settings (you can still do so to override the remote access policy setting per user).

The other thing that snagged me, and this happens more than I care to admit: when I configured 802.1X on the Cisco switches, I cut myself off from the telnet console. I really need a serial console. Anyway, I had to add a user name to my IOS config so that I could log in via telnet.

Finally, I tested my configuration using a single port while telnetting to the switch from my AD server. Once I got the configuration set, all I had to do was apply the "switchport mode access" and "dot1x port-control auto" commands to each interface. So I went into configure terminal, entered a range ("interface range g1/0/10 - 32"), applied those two commands, and was instantly cut off. Duh. The AD server is connected to g1/0/10 and, of course, it's not set up for 802.1X. So I connected to the console and removed the "switchport mode access" line, which in turn appears to remove the dot1x commands on that interface. Don't be fooled! Doing that only hides the dot1x commands; they are still active. I had to re-enable the switchport line, manually remove the dot1x commands, then remove the switchport line. Just a little bit of IOS weirdness.

Now I just have to define the policies I want to enforce and I am off to the races. Until next time.

Config lines
These are just the configuration lines relevant to 802.1X and RADIUS. Microsoft's 802.1X guide for Windows XP is a helpful resource for the client and server side configurations.

The IOS commands below follow the documentation for IOS 12.2(25); versions earlier than 12.1 use different commands.

First we define a new AAA model and enable 802.1X globally. (The "dot1x system-auth-control" line is added here: on 12.2 the per-port dot1x commands do nothing until 802.1X is enabled globally.)
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control

Then we point to our RADIUS server. The key is the shared secret that IAS must be given for this RADIUS client; 1645/1646 are the legacy RADIUS ports, which IAS listens on by default alongside 1812/1813.
radius-server host 192.168.201.5 auth-port 1645 acct-port 1646 key 123456789
radius-server source-ports 1645-1646

Then we configure the interface.
interface GigabitEthernet1/0/33
 switchport access vlan 202
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 spanning-tree portfast

The HP ProCurve switch commands are based on the ProCurve manual.
First we configure the port authentication system
aaa authentication port-access eap-radius

Then we define the RADIUS server
radius-server host 192.168.201.5 key 123456789

Then we apply 802.1X authentication to the ports and activate.
aaa port-access authenticator 2-50
aaa port-access authenticator active
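To make the RADIUS side of the config lines above concrete, and to show the dynamic VLAN steering the post is after, here is an added example that is not from the original post or from Cisco, HP or Microsoft. It models the exchange between the switch (NAS) and IAS: an Access-Request carrying the supplicant's EAP-Response/Identity with the RFC 3579 Message-Authenticator that 802.1X requires, and an Access-Accept carrying the RFC 2868 Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID attributes that put the port in a VLAN. Both sides check the other's MD5 authenticator with the shared secret, so a reply from a box that does not hold the key (or a tampered reply) never moves the port. The shared secret and VLAN 202 come from the config lines; the user name, port number and packet identifier are constructed.

```python
"""RADIUS Access-Request / Access-Accept for 802.1X VLAN assignment (RFC 2865, 2868, 3579).

Stand-alone model, not the blog's code. SHARED_SECRET mirrors the blog's
"key 123456789"; user name, NAS port and identifier are constructed here.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_PORT, NAS_PORT_TYPE = 1, 5, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802, NAS_PORT_TYPE_ETHERNET = 13, 6, 15

SHARED_SECRET = b"123456789"  # lab secret from the blog's radius-server line; not for production


def _avp(typ, value):
    """Type-Length-Value attribute; length covers the two header bytes."""
    assert len(value) <= 253
    return struct.pack("!BB", typ, len(value) + 2) + value


def _tagged(typ, value, tag=1):
    """RFC 2868 tagged attribute: one tag byte precedes the value."""
    return _avp(typ, bytes([tag]) + value)


def _packet(code, identifier, authenticator, attrs):
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(packet):
    """Return [(type, value)], rejecting truncated or overlong attributes."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    _, _, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("bad RADIUS length")
    out, pos = [], 20
    while pos < length:
        typ, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        out.append((typ, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def build_access_request(identifier, username, nas_port, secret=SHARED_SECRET):
    """What the switch sends to IAS after the supplicant's EAP-Response/Identity."""
    request_authenticator = os.urandom(16)
    # EAP-Response/Identity: code 2, id, length, type 1 (Identity), identity string
    eap = struct.pack("!BBHB", 2, identifier, 5 + len(username), 1) + username
    attrs = (_avp(USER_NAME, username)
             + _avp(NAS_PORT, struct.pack("!I", nas_port))
             + _avp(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + _avp(EAP_MESSAGE, eap))
    # RFC 3579: Message-Authenticator = HMAC-MD5(secret, packet with this field zeroed);
    # mandatory whenever EAP-Message is present
    zeroed = _packet(ACCESS_REQUEST, identifier, request_authenticator,
                     attrs + _avp(MESSAGE_AUTHENTICATOR, bytes(16)))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return _packet(ACCESS_REQUEST, identifier, request_authenticator,
                   attrs + _avp(MESSAGE_AUTHENTICATOR, mac))


def verify_message_authenticator(packet, secret=SHARED_SECRET):
    """Server-side check: an EAP request without a valid HMAC must be silently dropped."""
    attrs = parse_attrs(packet)
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    rebuilt = b"".join(_avp(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    expected = hmac.new(secret, packet[:20] + rebuilt, hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])


def build_access_accept(request, vlan_id, secret=SHARED_SECRET):
    """IAS's answer when the user matches the 802.1X policy: steer the port into vlan_id."""
    identifier, request_authenticator = request[1], request[4:20]
    attrs = (_tagged(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
             + _tagged(TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_802)[1:])
             + _tagged(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # RFC 2865 Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    response_authenticator = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_authenticator + attrs


def verify_response(response, request, secret=SHARED_SECRET):
    """Switch-side check that the reply answers this request and was built with the secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def vlan_from_accept(response):
    """VLAN the switch should apply, or None if the three tunnel attributes are not all present."""
    found = {}
    for typ, value in parse_attrs(response):
        if typ in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[typ] = int.from_bytes(value[1:], "big")  # drop the tag byte
        elif typ == TUNNEL_PRIVATE_GROUP_ID:
            # a leading byte <= 0x1F is a tag; anything else is part of the string (RFC 2868)
            found[typ] = (value[1:] if value[0] <= 0x1F else value).decode()
    if found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802:
        return None
    return found.get(TUNNEL_PRIVATE_GROUP_ID)


def exchange(username, nas_port, vlan_id, secret=SHARED_SECRET):
    """Full round trip; the port only moves if every check passes."""
    req = build_access_request(7, username, nas_port, secret)
    if not verify_message_authenticator(req, secret):
        return None
    acc = build_access_accept(req, vlan_id, secret)
    if not verify_response(acc, req, secret):
        return None
    return vlan_from_accept(acc)


if __name__ == "__main__":
    print(exchange(b"labuser", 33, 202))  # constructed user on g1/0/33 -> "202"
```

The same three tunnel attributes are what you configure in the IAS remote access policy's Advanced tab to get the "any port, any VLAN" behaviour the post asks for; the switch ignores them unless Tunnel-Type is VLAN and Tunnel-Medium-Type is 802, which is why the parser checks both before returning a VLAN.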

-- Posted at 01:25 PM in NAC Immersion Center