When using the Symantec LAN Enforcer in the Symantec Network Access Control (SNAC) solution; what is the difference between Basic and Transparent mode?
The Symantec LAN Enforcer works with 802.1x compatible switches and wireless access points to enforce endpoint compliance on a network. This means it only allows full network access to machines that match a set of criteria (a Host Integrity policy) fully configurable from the Symantec Endpoint Protection Manager (SEPM).
The LAN Enforcer has two modes of operation, Transparent and Basic, depending on if you are also using RADIUS user-level authentication on the network.
In both modes, the switch is configured to use the IP address of the LAN Enforcer as its RADIUS server IP address.
The LAN Enforcer can instruct the switch to open and close ports, as well as dynamically assign ports to a specific VLAN. Which action to make can be configured in the management server based on three criteria:
- Host Authentication Passed/Failed based on if the machine passed Host Integrity, Unavailable if there is no Host Integrity settings configured.
- User Authentication: RADIUS user level authentication - Passed/Failed based on reply from RADIUS server, Unavailable if no RADIUS server is used.
- Policy Serial Number Check: Does the client have the latest policy configuration from the SEPM manager?
- Transparent Mode
Use Transparent mode if there is no RADIUS server on the network, and user-level authentication is not necessary in the current switch configuration.
In Transparent mode the LAN Enforcer acts as a pseudo-RADIUS server. The client will act as the 802.1x supplicant and reply to the EAP packet from the switch with the Host Integrity result. The switch then forwards this information to the LAN Enforcer, which after verifying it instructs the switch to open/close the port or assign a specific VLAN as appropriate.
User Authentication will always be "Unavailable" in Transparent mode.
Client configuration: Check the "Use the client as an 802.1x supplicant" option in the management console.
- Basic Mode
Use Basic mode if there is a RADIUS server on the network that provides user-level authentication.
In Basic mode the LAN Enforcer will act as a RADIUS proxy. The switch will still be configured with the LAN Enforcer IP address as its RADIUS server, and the LAN Enforcer in turn will forward requests to the RADIUS server for user authentication. In Basic mode, the client can be used as the 802.1x supplicant, the Windows supplicant can be used or a 3rd party supplicant can be used.
Basic mode is the only possible option when configuring the LAN Enforcer to work with a wireless access point.
Client configuration: Leave the "Use the client as an 802.1x supplicant" option unchecked in the management console.
Where to change the client supplicant settings:
In the SEPM manager GUI this setting is located under Client - Policies, then General Settings - Security Settings. The option "Enable 802.1x authentication" should be checked for the group.