The Symantec LAN Enforcer appliance is part of the Symantec Network Access Control (SNAC) suite. The device can be used with 802.1x enabled switches and access points to open, close, or redirect ports to a particular vlan based on Host Integrity checks performed on the endpoint.
This article provides the Cisco IOS commands necessary for configuring a (newly-reset/plain-configuration) Cisco Catalyst switch for use with the Symantec LAN Enforcer. The commands are applicable for models including the 2950, 2960 and 3750.
Show the current (running) configuration: (from the plain ">" prompt, first use the "enable" command to switch to a "#" prompt) >en #show run
Start up vlan 1 on a newly reset switch and assign an IP address: #conf t #interface vlan1 # no shutdown # ip address 172.16.200.212 255.255.255.0 #exit
Configure the switch for 802.1x: #conf t #aaa new-model #aaa authentication dot1x default group radius #aaa authorization network default group radius #dot1x system-auth-control #exit
Configure the Symantec LAN Enforcer as the Radius server for the switch: (the IP address of the LAN Enforcer in the example is 172.16.200.213, the shared secret entered in the SEPM Enforcer configuration is MySharedSecret$1) #conf t #radius-server host 172.16.200.213 auth-port 1812 acct-port 1813 key MySharedSecret$1 #radius-server retransmit 3 #exit
Configure a port on the switch for dot1x authentication (to be controlled by the LAN Enforcer): (the port configured here is port #6 on the switch - repeat the steps for all ports that should be authenticated with the Enforcer) #conf t #interface fa0/6 # switchport mode access # dot1x port-control auto # dot1x reauthentication # dot1x timeout reauth-period 30 #exit #exit
The above configuration will work with the Lan Enforcer in both Basic and Transparent mode (with/without optional RADIUS user authentication). Changing from a Transparent to a Basic setup does not require re-configuration on the switch side.
The below commands are optional, for configuring a quarantine vlan.
Set up a new vlan for the SNAC quarantine: (the id "7" and name "quarantine" should be entered identically in the SEPM Enforcer configuration switch profile, to allow the Enforcer to dynamically assign vlans) #conf t #vlan 7 # name quarantine #exit
Hard-code a separate port on the switch to the quarantine vlan: (useful for a server hosting quarantine resources, or any other machine you want to make available on the quarantine vlan) #conf t #interface fa0/8 # switchport access vlan 7 #exit #exit
Optionally a guest vlan can be configured for each port, where a machine without a supplicant would be assigned.
Configure a guest vlan: #conf t #interface fa0/6 # dot1x guest-vlan 12 #exit #exit
The below is an optional command for recent switch models only, for assigning a particular vlan in case the link between the switch and LAN Enforcer is broken.
Assign a critical vlan to a port on the switch: #conf t #interface fa0/6 # dot1x critical # dot1x critical vlan 3 # dot1x critical recovery action reinitialize #exit #exit
The below commands are useful for showing information on port status and vlan assignment.
Display a list of interfaces with connection status and vlan assignment: #show interfaces status
Display a list of vlans and which ports are assigned to each: #show vlan brief
Imported Document ID: HOWTO74619
Subscribing will provide email updates when this Article is updated. Login is required.