Network Sentry Wireless Integration Overview

Wireless Integration Overview
Version: 4.1.1
Date: 12/28/2010
Copyright Notice
Copyright © 2010 by Bradford Networks, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the restrictions set
forth in DFARS 252.227-7013(c)(1)(ii) and FAR 52.227-19.
Liability Disclaimer
Bradford Networks, Inc. reserves the right to make changes in specifications and other
information contained in this document without prior notice. In all cases, the reader
should contact Bradford Networks to inquire if any changes have been made.
The hardware, firmware, or software described in this manual is subject to change
without notice.
IN NO EVENT SHALL BRADFORD NETWORKS, ITS EMPLOYEES, OFFICERS,
DIRECTORS, AGENTS, OR AFFILIATES BE LIABLE FOR ANY INCIDENTAL,
INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO
THIS MANUAL OR THE INFORMATION CONTAINED IN IT, EVEN IF BRADFORD HAS BEEN ADVISED OF, HAS KNOWN, OR SHOULD HAVE KNOWN, THE
POSSIBILITY OF SUCH DAMAGES.
Trademark, Service Mark, and Logo Information
Bradford Networks, the Bradford Networks logo, and Bradford Network Sentry are
copyrighted by Bradford Networks, Inc. All other trademarks and registered trademarks are the property of their respective owners.
Contact Information
Bradford Networks, Inc., 162 Pembroke Road, Concord, NH 03301 USA
Phone: 603.228.5300
Fax: 603.228.6420
Web site: http://www.bradfordnetworks.com
Information: cm_questions@bradfordnetworks.com
Sales: sales@bradfordnetworks.com
Support: support@bradfordnetworks.com
Document Notes
This document is an excerpt from the larger Administration And Operation document.
Links containing page numbers indicate that additional information is provided within
this document. For example, see Modify Groups on page 10 for additional information.
Links with no page numbers indicate that additional information can be found in the
main Administration And Operation document. For example, see Modify Groups for additional information.
Network Sentry Wireless Integration
Contents
Wireless Integration Overview .......... 1
Wireless Authentication .......... 2
RADIUS MAC .......... 2
802.1x .......... 4
Wireless Integration Requirements .......... 6
Client Connection With Wireless Access .......... 8
WLAN Management .......... 10
Users With Both Wired And Wireless Connections .......... 11
Wireless Integration Overview
Important: Refer to the vendor documentation for your Wireless Device for detailed set up and
configuration information. Refer to the Bradford Networks Resource Center for information on
specific devices.
Network Sentry integrates with both intelligent access points (IAPs) and centralized
controller-based wireless solutions.
• Intelligent access points manage both the access point and its connecting clients.
• Controller-based solutions manage multiple access points and their connecting clients.
To manage wireless clients with Network Sentry you must configure Network Sentry
as the RADIUS server that authenticates clients for IAPs and controllers. Network Sentry responds to the RADIUS authentication requests with an accept or reject message.
When accepting users, Network Sentry can include information that identifies the network the connecting client can access. Network access is based upon the client's current Network Sentry state and role. Configuration of client network access varies
depending on the device and can include: VLAN IDs and names, role names, or proprietary network identifiers.
Wireless Authentication
Intelligent Access Points (IAPs) and controllers support two methods of RADIUS based
authentication: RADIUS MAC authentication and 802.1x authentication. Network Sentry only supports Password Authentication Protocol (PAP) for RADIUS authentication.
RADIUS MAC
With RADIUS MAC authentication, connecting clients are validated based on their
physical (MAC) addresses. Network Sentry acts as the terminating RADIUS server. When
Network Sentry receives an authentication request it tries to locate the client's MAC
Address in its own database. If it finds the MAC Address in the database, it checks
the client's state and sends an accept response along with information about which
network the client can access.
If the client has been administratively disabled, Network Sentry sends a reject
response. If the client's MAC Address is not found in the database, Network Sentry
returns an accept response along with information that places the wireless client in
the Registration subnet so that the user can access the Registration portal.
802.1x
802.1x defines the authentication of connecting clients based on their user credentials
or certificates. Network Sentry acts as a proxy RADIUS server and forwards requests
to an independent production RADIUS server. The independent RADIUS server
responds to Network Sentry with the accept or reject message. Network Sentry passes
the message to the wireless controller or IAP.
As the proxy authentication server, Network Sentry passes EAP messages between the
IAPs or controllers and the production authentication server. The production authentication server is the EAP termination point. When the authentication process completes, Network Sentry inserts network access information into the authentication
response if configured to do so.
If Network Sentry Authentication is enabled in an 802.1x environment, when users log
in they can automatically be authenticated to bypass the authentication captive portal.
However, this depends on the configuration of the client supplicant. You can configure
supplicants to either expose or encrypt the user IDs within the RADIUS request
packet. If the user ID is encrypted, Network Sentry cannot identify it in the RADIUS
request, and therefore cannot bypass its own authentication process.
Client supplicants should be configured to authenticate using user credentials, not
host information, such as host name. This will give Network Sentry the user information to associate with the host/device and avoid authentication delays.
EAP
The EAP type must be configured on the supplicant and the Authentication server.
Supported EAP types include:
• EAP-PEAP
• EAP-TTLS
• EAP-TLS
The following EAP types have not yet been tested with Network Sentry:
• EAP-MD5
• EAP-FAST
• Cisco LEAP
Wireless Integration Requirements
1. Configure your device to use Network Sentry as the RADIUS Server. If you
are setting up Network Sentry as the RADIUS server for a device in a Bradford High Availability environment, you must use the actual IP address of the
primary control server, not the Shared IP address. Set up the secondary control server as a secondary RADIUS server using its actual IP address. Regardless of the environment, you may also want to set up your actual RADIUS
server to be used in the event that none of your Network Sentry appliances
can be reached. This would allow users to access the network, but they would
not be controlled by Network Sentry.
2. Do not use asynchronous routing between your device and the Network Sentry
server. RADIUS requests and responses between the Network Sentry server
and the wireless device must travel through the same interface on the Network Sentry server.
3. PAP encryption must be set up on the RADIUS server for encryption/decryption of user names and passwords that are sent to and from Network Sentry.
4. Configure network access control features on your device. Contact Customer
Support or go to the Resource Center for device specific configuration information.
5. Add your device in Network Sentry. See Network Devices.
6. Model your wireless device in Network Sentry. See Model Configuration.
7. In the Model Configuration, Network Sentry must be configured as the
RADIUS server for wireless devices.
Note: When Network Sentry acts as a RADIUS Server in a busy environment, it could
become a bottleneck for authentications, resulting in RADIUS processing delays.
Devices that use RADIUS authentication need to be configured with RADIUS timeouts
that are large enough to allow some transaction delays. Many devices use default timeout values under 10 seconds. It is recommended that you use larger values for busy
environments, though you may have to experiment to find the optimal value.
8. The RADIUS Secret must be the same in the following locations:
- RADIUS Server settings in Network Sentry. See RADIUS And 802.1x
Environments and Configure RADIUS Server Profiles.
- Model configuration for the wireless device when it is modeled in Network
Sentry. See Model Configuration.
- Configuration of the device itself.
9. In order to detect which clients have disconnected from the wireless device,
you must set up a frequent polling interval for your wireless devices. Set the
polling frequency to less than 10 minutes if the clients are using the persistent agent. The recommended poll frequency is approximately 5 minutes.
See L3 Polling (IP --> MAC). It is not necessary to set Network Sentry as the
trap receiver on any wireless devices.
10. Remove the switch ports from the Forced Registration Group. This ensures
that Network Sentry will not switch these ports into the registration VLAN
once the APs are connected. The APs appear as rogue clients in Network Sentry until they are identified by the controller as managed devices. If those
ports are left in forced registration, the APs will end up in the registration
VLAN and may not be able to connect to their managing controller. See Network
Devices and Modify A Group.
11. If you want to use Forced Authentication for users connecting on your wireless device, set the Enable Authentication option on the Authentication plugin. See Configure Authentication Plug-In Properties. Add the interfaces or
ports for each wireless device that participates in authentication to the Forced
Authentication group. See Modify A Group.
12. If you are working in a Hot Standby environment using RADIUS authentication you must configure your managed wireless devices to point to the
NAC Server or NAC Control Server eth0 address - NOT the virtual address.
Configure a secondary RADIUS server for the device to be the failover eth0
address. This ensures that if the primary NAC Server or NAC Control Server
appliance goes down, the backup will take over and will be able to respond and
take over RADIUS responsibility. An IAP/controller will switch over to the
backup NAC Server or NAC Control Server appliance if it fails to get
responses from the primary.
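Steps 3 and 8 above depend on the same mechanism: a PAP User-Password is hidden with MD5 of the shared RADIUS Secret and the Request Authenticator (RFC 2865 section 5.2), so the terminating server can only recover it if its secret matches the one configured on the device. The following Python is an added illustration of that hiding and recovery, not Bradford's code; the password, secret and authenticator values are constructed.

```python
import hashlib
import os

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP User-Password the way a RADIUS client (IAP/controller) does.
    The password is NUL-padded to a multiple of 16 bytes; each 16-byte chunk is
    XORed with MD5(secret + previous chunk), where the first "previous chunk" is
    the 16-byte Request Authenticator. This is obfuscation keyed by the shared
    secret, not strong encryption, so the RADIUS path itself should be trusted."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = _xor(padded[i:i + 16], key)
        out += chunk
        prev = chunk  # next key is derived from the ciphertext just produced
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the password as the terminating RADIUS server (Network Sentry) does.
    Only the secret and the authenticator carried in the request are needed."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += _xor(hidden[i:i + 16], key)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def secrets_match(password: bytes, device_secret: bytes, server_secret: bytes,
                  authenticator: bytes) -> bool:
    """True when the server recovers the password. A secret that differs in any of
    the three places listed in step 8 yields garbage and the user is rejected."""
    hidden = pap_hide(password, device_secret, authenticator)
    return pap_reveal(hidden, server_secret, authenticator) == password

if __name__ == "__main__":
    # Constructed demonstration values; a real client picks a fresh random authenticator.
    auth = os.urandom(16)
    print("same secret:", secrets_match(b"s3cret-pw", b"shared", b"shared", auth))
    print("wrong secret:", secrets_match(b"s3cret-pw", b"shared", b"Shared", auth))
```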
Client Connection With Wireless Access
Network Sentry performs RADIUS MAC Authentication and VLAN, network, and role
association based on the settings of the IAP/controller to which a client connects. Configure each IAP/controller separately with VLAN, network and role settings.
When a client connects to a wireless device, Network Sentry uses the MAC address to
determine the state of the client.
The first row in the table below that matches the client's state and device's configuration determines the RADIUS response from Network Sentry. For example, a
client connecting to the network has a state set to Disabled. There is no value set in
the Device Model for the Deadend/Penalty VLAN/network or role. The client is rejected
and denied any access to the network. However, if the Device Model contains the value
of 10 for the Deadend/Penalty VLAN/network/role, the client is given VLAN 10 and its
associated access to the network.
This scenario is the same for clients with a state of At Risk and Unregistered. There
is no state setting for Non-Authenticated clients. Those clients are associated to the
Authentication VLAN set in the Device Model if authentication is being forced on the
device.
Table 1: Client State and VLAN/Network/Role Association

State of Client | Applicable VLAN / Network / Role Name | Is Value Set In Model Config | Client Treatment
Disabled | Deadend / Penalty | No | Client Rejected - No Access
Disabled | Deadend / Penalty | Yes | Client sent to VLAN/network/role value
At Risk | Quarantine | No | Client Rejected - No Access
At Risk | Quarantine | Yes | Client sent to VLAN/network/role value
Unregistered | Registration | No | Client Rejected - No Access
Unregistered | Registration | Yes | Client sent to VLAN/network/role value
Not Authenticated | Authentication | No | Client to Default/Production
Not Authenticated | Authentication | Yes | Client to Authentication
Client has Network Sentry Role defined | Name or Number defined in the Network Sentry Role Device Mapping | Yes | Client sent to VLAN/network/role defined in the Network Sentry Role Device Mapping. If a user has authenticated and belongs to a role, the role takes precedence over the default value. If the user has a role defined in LDAP, it takes precedence over the client role.
None of the above | Default/Production | Yes | Client to Default/Production
Note: If no role mapping exists and no default value exists, no VLAN/network/role is provided by
Network Sentry. The device itself is responsible for determining the appropriate VLAN/network/role for the client.
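The first-matching-row rule of Table 1 (and the unknown-MAC case from the RADIUS MAC section, which Network Sentry treats like an Unregistered client) as an added Python example; this is not Bradford's code, and DeviceModel and Client are constructed stand-ins for the Device Model values and the client record.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class DeviceModel:
    """Constructed stand-in for the per-device Model Configuration values Table 1
    consults. None means "no value set in model config" for that entry."""
    deadend: Optional[str] = None         # Deadend / Penalty
    quarantine: Optional[str] = None      # Quarantine
    registration: Optional[str] = None    # Registration
    authentication: Optional[str] = None  # Authentication (when authentication is forced)
    default: Optional[str] = None         # Default / Production
    role_mapping: Dict[str, str] = field(default_factory=dict)  # Role Device Mapping

@dataclass
class Client:
    """Constructed stand-in for what Network Sentry knows about the connecting MAC."""
    state: str                       # Disabled, At Risk, Unregistered, Not Authenticated, or Normal
    role: Optional[str] = None       # Network Sentry role assigned to the host, if any
    ldap_role: Optional[str] = None  # role defined in LDAP; takes precedence over the client role

# Isolation rows of Table 1, checked top-down; the first matching row wins.
ISOLATION_ROWS = (("Disabled", "deadend"), ("At Risk", "quarantine"),
                  ("Unregistered", "registration"))

def radius_decision(client: Client, model: DeviceModel) -> Tuple[str, Optional[str]]:
    """Return ("reject", None) or ("accept", value). An accept with value None means
    Network Sentry supplies no VLAN/network/role and the device decides (Note above)."""
    for state, attr in ISOLATION_ROWS:
        if client.state == state:
            value = getattr(model, attr)
            return ("reject", None) if value is None else ("accept", value)
    if client.state == "Not Authenticated":
        # No Authentication value set: the client goes to Default/Production instead.
        target = model.authentication if model.authentication is not None else model.default
        return ("accept", target)
    role = client.ldap_role or client.role
    if role is not None and role in model.role_mapping:
        return ("accept", model.role_mapping[role])  # a mapped role beats the default
    return ("accept", model.default)                 # none of the above

if __name__ == "__main__":
    # Constructed device model: no Deadend value, so a Disabled client is rejected outright.
    office = DeviceModel(quarantine="20", registration="30", default="100",
                         role_mapping={"Staff": "200", "Guest": "300"})
    for c in (Client("Disabled"), Client("Unregistered"), Client("Normal", role="Staff")):
        print(c.state, c.role, "->", radius_decision(c, office))
```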
WLAN Management
Most Intelligent Access Points (IAPs) and controllers allow you to create multiple,
independent Wireless LANs (WLANs) that can be accessed through separate SSIDs.
The configuration of each WLAN on these devices usually includes support for separate authentication parameters for each WLAN. For example, a wireless network
could contain two separate WLANs, one for employees or residents and one for guests.
The employee/resident WLAN might authenticate connecting users to a central directory prior to granting access to network resources. A guest WLAN might avoid authentication and provide connecting users with limited access only to the external Internet.
In such an environment, you can have Network Sentry secure only a subset of the
available WLANs. To do this, you only need to configure the secured WLANs on the
wireless devices to use Network Sentry as their authentication server (RADIUS).
WLANs that use no authentication or that use a different authentication server
bypass Network Sentry’s control. Network Sentry still monitors clients connecting to
the IAP/controller devices, but does not control their access to the network. The means
to configure this behavior differs, based on the specific IAP/controller vendor model.
Refer to the vendor's documentation for configuration details.
Note: If your device supports independent authentication for individual SSIDs, Network Sentry
can secure a subset of available WLANs. If your device does not support this option, Network
Sentry secures all WLANs on the device.
When configuring a wireless device with multiple SSIDs that will be managed by Network Sentry, Network Sentry only allows a single VLAN mapping for each isolation
state per device. For example, if the Remediation VLAN is VLAN 10 on one SSID it
has to be VLAN 10 on all SSIDs, and if Dead End is VLAN 25 it has to be VLAN 25
for all SSIDs.
Users With Both Wired And Wireless Connections
When you use a wired connection in a wireless hot spot, wireless interfaces that are
enabled often attempt to connect to a local AP. It is recommended that you instruct
users to disable their wireless interfaces on their laptops when they use wired ports
for the following reasons:
1. The wireless connection attempt may or may not succeed. RADIUS traffic is
created to authenticate the client even though it is already connected to the
network through its wired connection. If the client is authenticated on the
wireless device (either through RADIUS or the local AP), the client is connected and no additional traffic is generated. However, if the client is rejected
for any reason, the client will often retry continuously. For some APs, this generates a steady stream of RADIUS requests and creates an unnecessary load
on the Network Sentry appliance and the supporting network.
2. If a wireless interface connects simultaneously with a wired interface, each
interface could be placed on a different VLAN or network. In cases where the
network administrator is enforcing authentication or where separate networks
have been defined for their wired and wireless users, this will always occur.
When this happens, depending on the network access given to the different network connections, the client may experience abnormal network behavior as the
client chooses different interfaces for network access.
There are steps users can take to configure a client running Windows OS to favor
their wired over their wireless (see http://support.microsoft.com/?kbid=894564), but the
best course of action is to simply disable the wireless when not in use.