You are configuring a Symantec Network Access Control (SNAC) environment with a Symantec LAN Enforcer appliance, and have problems with newly installed Symantec Endpoint Protection (SEP) clients that have not yet connected to the policy manager server (SEPM).
How are these machines meant to gain access to the network? How can they download the policy from SEPM, and how can the LAN Enforcer verify the machines before they are known to the SEPM server?
The switch is closing the port for these machines, instead of assigning the port to the quarantine VLAN as intended.
Configuring a default LAN Enforcer action
In the SEPM a list of actions is configured for the LAN Enforcer, typically to open the port (or assign the default VLAN) when Host Integrity passes and to assign the quarantine VLAN when Host Integrity fails. The LAN Enforcer switch configuration in SEPM is located under Admin - Servers, in the properties of the Enforcer group.
A typical example configuration:
Action #1: Host Authentication = Passed | User Authentication = Ignore Result | Policy Check = Ignore Result | Action = Open Port
Action #2: Host Authentication = Failed | User Authentication = Ignore Result | Policy Check = Ignore Result | Action = Assign to Quarantine VLAN
In this example the port is closed whenever the Host Integrity status is neither "Passed" nor "Failed", because no action matches. A newly installed client that has not yet downloaded a Host Integrity policy reports the status "Unavailable", so its port is closed. To handle this and any other case not covered by Action #1 and #2, a default action must be configured in SEPM.
Add the following action to the very bottom of the list:
Action #3: Host Authentication = Ignore Result | User Authentication = Ignore Result | Policy Check = Ignore Result | Action = Assign to Quarantine VLAN
This assigns every case that does not pass Host Integrity to the quarantine VLAN, including the "Unavailable" status of a newly installed client. Provided the SEPM server is reachable from both the quarantine VLAN and the default VLAN, the new client can register with SEPM from the quarantine VLAN and download its policies; at the next Host Integrity check it is then evaluated against Action #1 and #2 like any other client. Keep in mind that the action list is evaluated in order: Action #3 must be the last entry, because placed higher it would match every client and quarantine them all.
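To make the ordering and the "Unavailable" case concrete, the following Python model walks an action list the way the text describes and reports what happens to each client. This is an added example, not Symantec code; it assumes (the article does not state this explicitly) that actions are evaluated top to bottom, that the first action whose three conditions all match wins, and that a result matching no action closes the port. The status strings, client names and the transparent-mode results for user authentication and policy check are constructed for the example.

```python
# Added example (not Symantec's code): a model of how the LAN Enforcer action
# list configured in SEPM decides what happens to a switch port. It shows why a
# newly installed client whose Host Integrity status is "Unavailable" gets a
# closed port unless a catch-all action sits at the bottom of the list.
#
# Assumptions (not stated in the article): actions are evaluated top to bottom,
# the first action whose three conditions all match wins, and a result that
# matches no action closes the port. The client results below are constructed.
from dataclasses import dataclass

IGNORE = "Ignore Result"
CLOSE = "Close Port"
OPEN = "Open Port"
QUARANTINE = "Assign to Quarantine VLAN"


@dataclass(frozen=True)
class Action:
    """One row of the LAN Enforcer action list."""
    host_auth: str      # "Passed", "Failed" or IGNORE
    user_auth: str      # "Passed", "Failed" or IGNORE
    policy_check: str   # "Passed", "Failed" or IGNORE
    result: str         # OPEN, QUARANTINE or CLOSE

    def matches(self, host_auth, user_auth, policy_check):
        """True when every condition is either ignored or equal to the result."""
        pairs = ((self.host_auth, host_auth),
                 (self.user_auth, user_auth),
                 (self.policy_check, policy_check))
        return all(want == IGNORE or want == got for want, got in pairs)


def decide(actions, host_auth, user_auth, policy_check):
    """Return the port action for one client result; the first matching row wins."""
    for action in actions:
        if action.matches(host_auth, user_auth, policy_check):
            return action.result
    return CLOSE  # assumed: nothing matched, so the switch closes the port


def has_catch_all_last(actions):
    """Sanity check: does the list end with an action that ignores every result?"""
    if not actions:
        return False
    last = actions[-1]
    return (last.host_auth, last.user_auth, last.policy_check) == (IGNORE, IGNORE, IGNORE)


# Action #1 and #2 from the article, with no default action.
ACTIONS_NO_DEFAULT = [
    Action("Passed", IGNORE, IGNORE, OPEN),
    Action("Failed", IGNORE, IGNORE, QUARANTINE),
]

# The same list with Action #3 appended at the very bottom.
ACTIONS_WITH_DEFAULT = ACTIONS_NO_DEFAULT + [Action(IGNORE, IGNORE, IGNORE, QUARANTINE)]

# Constructed client results (host auth, user auth, policy check). In
# transparent mode there is no RADIUS user authentication, so user auth is
# taken as "Unavailable"; a freshly installed client has no Host Integrity
# policy yet, so its host result is "Unavailable" as well.
CLIENTS = {
    "compliant": ("Passed", "Unavailable", "Unavailable"),
    "failed_hi": ("Failed", "Unavailable", "Unavailable"),
    "new_client": ("Unavailable", "Unavailable", "Unavailable"),
}


def evaluate(actions):
    """Map each constructed client to the port action the list yields for it."""
    return {name: decide(actions, *result) for name, result in CLIENTS.items()}


if __name__ == "__main__":
    for label, actions in (("without default", ACTIONS_NO_DEFAULT),
                           ("with default", ACTIONS_WITH_DEFAULT)):
        print(f"{label}: catch-all last = {has_catch_all_last(actions)}")
        for name, outcome in evaluate(actions).items():
            print(f"  {name:<11} -> {outcome}")
```

Running the script shows the new client's port closed under the two-action list and quarantined once Action #3 is appended, while compliant clients still get an open port. `has_catch_all_last` is the check worth keeping: if the default action is moved up the list, it matches every client and even compliant machines land in the quarantine VLAN.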
Configuring Inter-VLAN routing
Routing must be configured between the quarantine VLAN and the default VLAN so that traffic to the SEPM server IP address is also allowed from the quarantine VLAN. On newer switch models this can usually be configured on the switch itself. On older switches you may need a separate dual-homed machine (two network cards) acting as a router, connected to both VLANs. In either case, limit what the quarantine VLAN can reach to the SEPM server address and the port the clients use to communicate with it; a quarantine VLAN that can reach everything the default VLAN can reach gives an unverified host the access the LAN Enforcer was meant to withhold.
Verify 802.1x supplicant settings on the client
Verify that the install package used for the new clients is configured to enable 802.1x authentication. In the SEPM manager GUI this setting is under Client - Policies, then General Settings - Security Settings. The option "Enable 802.1x authentication" must be checked for the group before the package is exported. If using Transparent mode (no RADIUS user-level authentication), also check the option "Use the client as an 802.1x supplicant"; if using Basic mode (a RADIUS server performs user authentication), leave that option unchecked but keep the main "Enable 802.1x authentication" option checked.
This is machine translated content