Microsoft Network NAP
  • Extreme Networks Application Note

    2011 Extreme Networks, Inc. All rights reserved. Do not reproduce.

    This document discusses the features and configuration tools provided by ExtremeXOS NetLogin, and how they can be used in conjunction with Network Access Protection (NAP) technologies in Microsoft Windows 2008 Server to control user and device access depending on the results of health check policies. Authentication and authorizations for users and devices are provided using the Network Policy Server application, which is essentially a replacement for Internet Authentication Service (IAS) in earlier Microsoft Server versions such as Microsoft Windows 2003 Server.

    Network Access Control/Protection with ExtremeXOS and Microsoft NAP

    Introduction

    Network Access Control and Protection is rapidly becoming an integral building block of network infrastructure and security. Typical NAP solutions provide the platform and framework for administrators to:

    Define network access policies based on the client's identity

    Determine the degree of client compliance with requirements configured in policy servers

    Take actions (such as invoking remediation procedures which provide mechanisms to bring the client computer into compliance) and also provide authorized access for client computers

    This document discusses the features and configuration tools provided by ExtremeXOS NetLogin, and how they can be used in conjunction with Network Access Protection (NAP) technologies in Microsoft Windows 2008 Server to control user and device access depending on the results of health check policies. Authentication and authorization for users and devices are provided using the Network Policy Server application, which is essentially a replacement for Internet Authentication Service (IAS) in earlier Microsoft Server versions such as Microsoft Windows 2003 Server.

    NAP allows administrators to create and enforce health policies for computers that connect to the enterprise network. The policies govern both the installed software components and the system configurations. Computers which connect to the network, such as laptops, workstations, and other such devices, are evaluated against the configured health requirements. Health requirements include:

    A firewall is enabled

    An antivirus program is installed

    The antivirus program is up to date

    Automatic Windows Update is enabled, etc.

    Client computers that connect to the network are evaluated against these health requirements, and are classified as NAP-Compliant, NAP-Noncompliant, or NAP-Ineligible. Further, policies can also contain the actions to be taken, and any authorizations to be provided to computers placed into these categories. Actions could include auto-remediation of client computers (for example, enabling Windows Automatic Updates or Windows Firewall). ExtremeXOS NetLogin can be integrated with Microsoft NAP to provide authorizations to network resources for client computers. Authorizations could include:

    Complete network access to clients that are deemed as NAP Compliant.

    Restricted network access to clients that are deemed as NAP Noncompliant.

    Custom network access to clients that are deemed as NAP Ineligible.

    Microsoft NAP technology is available in the following variants of the Microsoft Windows Operating System:

    Servers: Windows Server 2008; Windows Server 2008 R2

    Clients: Windows XP Professional (with Service Pack 3 updates); Windows Vista; Windows 7

    Microsoft NAP can be used to enforce health policies for different network access and communication technologies. This includes IPSec, 802.1X based wired and wireless network access control, and others. This document addresses NAP enforcement for wired clients using IEEE 802.1X authentication.

    NAP can be deployed using the typical AAA framework without the need for any additional networking equipment, and without the need for any software upgrades on ExtremeXOS based switches. ExtremeXOS NetLogin has been designed from the ground up to integrate with the Microsoft NAP solution.

    An overview of the NAP architecture and the components involved is presented in Section 3, and subsections in that chapter provide details about the roles played by each element in the NAP framework. Readers who are familiar with the general concepts of the Microsoft NAP architecture and framework can skip this section. Readers are encouraged to review the Microsoft NAP concepts provided on the Microsoft Technical Resources website.

    Section 4 provides an overview of the NetLogin feature in ExtremeXOS, the authentication methods that work with NPS, and includes a discussion about the schemes that can be used to enforce policies (configured in the NAP server) at the network access/edge layer.

    A case study of NAP and NetLogin deployment is discussed in Section 5. This section walks the user through a sample edge switch configuration, with detailed steps on how to create groups and users in the Microsoft Active Directory, and create NAP policies in the health policy server. Detailed instructions and screen shots are provided on configuring the Microsoft Windows 2008 Server to act as the NAP health policy server, the edge switch as the authenticator, and the different types of clients. The contents of this chapter are aligned with the steps presented in the document Step-by-Step Guide: Demonstrate 802.1X NAP enforcement in a Test Lab by Microsoft Corporation.

    References

    1. Using ExtremeXOS NetLogin with Microsoft IAS http://www.extremenetworks.com/doc.aspx?id=957

    2. Using ExtremeXOS NetLogin with Microsoft NPS (where is the link for this one???)

    3. Step-by-Step Guide: Demonstrate 802.1X NAP enforcement in a Test Lab http://www.microsoft.com/downloads/details.aspx?FamilyID=8a0925ee-ee06-4dfb-bba2-07605eff0608&displaylang=en

    4. Network Access Protection concepts http://technet.microsoft.com/en-us/library/cc730902%28WS.10%29.aspx

    5. Network Access Protection Design Guide http://technet.microsoft.com/en-us/library/dd125338.aspx

    6. Network Access Protection Deployment Guide http://technet.microsoft.com/en-us/library/dd314175.aspx

    7. Network Access Protection Troubleshooting Guide http://technet.microsoft.com/en-us/library/dd348515.aspx

    Overview of NAP Architecture

    As mentioned earlier, Microsoft NAP allows administrators to create and enforce health policies for software and system configurations of client computers that connect to the network. In particular, we will explore the methods by which ExtremeXOS can be integrated into the Microsoft NAP architecture to deliver flexible and comprehensive health policy enforcement for client computers that connect to the enterprise network using the IEEE 802.1X based authentication methods.

    NAP is deployed using multiple elements in the network, with each element providing a specific set of functionalities. The diagram below illustrates the different components in a NAP deployment.

    The components shown are similar to those in a typical AAA framework, of course with additional functionality provided by the clients and the backend servers in order to participate in a NAP framework.

    NAP Client Computers: The clients or supplicants not only contain the IEEE 802.1X authentication methods, but also contain newer Windows components such as the system health agent (SHA), NAP agent, and the enforcement clients. NAP capable clients provide system health information in addition to security credentials when requesting network access from an IEEE 802.1X compliant network access device.

    NAP Enforcement Point: As shown below, ExtremeXOS based switches act as the enforcement points. Enforcement could be one of the following actions: providing complete network access to NAP compliant computers; isolation of noncompliant computers in specific broadcast domains or VLANs which provide connectivity to remediation servers; or restricted access (using access control lists) to provide connectivity to specific resources, etc. The actions performed by the switches are based on the authorizations received from the backend NAP health policy servers. These actions are delivered to the switch via RADIUS by the Network Policy Server component running on Microsoft Windows based servers.

    NAP Health Policy Server: In addition to the Network Policy Server that provides authentication and authorization services, Microsoft Windows Server 2008 and Windows Server 2008 R2 contain newer components such as the System Health Validator (SHV), NAP administration, and others. SHVs are used by NPS to analyze the health of client computers. The results of the client health status check are used by network policies to deliver appropriate authorizations.

    Figure 1: Components in NAP deployment. The figure shows the clients or supplicants (NAP client computers), a Summit X450e-24p authenticator (NAP enforcement point), the authentication server (NAP health policy servers), and the enterprise network.

    ExtremeXOS NetLogin

    The NetLogin feature in ExtremeXOS provides the following capabilities which can be used in NAP deployments:

    1. IEEE 802.1X based authentication

    2. Authorizations in the form of destination VLAN ID or Name

    3. In addition to VLAN information, network access can also be limited to a set of hosts. These hosts could be remediation or quarantine servers which can be used to deliver appropriate software configurations, software updates, and system configurations to bring an unhealthy supplicant into compliance with the enterprise health policies.

    802.1X Based Authentication

    This method involves the use of the standardized IEEE 802.1X protocol between the supplicant and the authenticator. The protocol is based on the Extensible Authentication Protocol (EAP). In this method, the authenticator is a facilitator that carries information received from the supplicant in EAPOL (EAP over LAN) frames to the authentication server. The authenticator still communicates with the authentication server using RADIUS; however, the RADIUS packets will contain the EAP information provided by the supplicant.

    Various EAP types have been defined to support different types of configuration in supplicants and authenticators. Some of them are EAP-MD5, Lightweight EAP (LEAP), Protected EAP (PEAP), EAP-TLS, and EAP-TTLS.

    Microsoft Windows Server 2008 and Windows Server 2008 R2 support the following EAP types:

    PEAP with MS-CHAP-V2

    EAP-TLS

    Microsoft NAP can be deployed using any one of the EAP methods supported in the servers. In fact, the authentication and authorization are done by the Network Policy Server, which incorporates the RADIUS server functionality. In this document we will demonstrate NAP with the clients as well as the backend servers using PEAP with MS-CHAP-V2.
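    The section above describes the authenticator relaying the supplicant's EAP frames to the RADIUS server. The following added example (not code from Extreme Networks or Microsoft) shows what that relay looks like on the wire: an EAP-Response/Identity is wrapped in RADIUS EAP-Message attributes and the packet is sealed with a Message-Authenticator (HMAC-MD5 keyed with the shared secret, as RFC 3579 requires for any packet carrying EAP), and the server-side check that rejects a packet whose MAC does not verify. The shared secret, Request Authenticator and user names are constructed values for the example; a real authenticator uses a random Request Authenticator per request.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT = 5
ATTR_EAP_MESSAGE = 79             # RFC 3579: carries EAP packets inside RADIUS
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 3579: HMAC-MD5 over the packet, mandatory with EAP-Message
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def attr(attr_type, value):
    """One RADIUS attribute TLV (RFC 2865): type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_identity_response(identifier, identity):
    """EAP-Response/Identity (RFC 3748) as the supplicant sends it in an EAPOL frame."""
    body = struct.pack("!B", EAP_TYPE_IDENTITY) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(body)) + body


def build_access_request(secret, request_authenticator, username, eap_payload, nas_port, identifier=1):
    """Authenticator side: relay the EAP payload in EAP-Message attributes (253-byte fragments)
    and seal the packet with Message-Authenticator = HMAC-MD5(secret, packet with the MAC zeroed)."""
    attrs = attr(ATTR_USER_NAME, username.encode()) + attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
    for off in range(0, len(eap_payload), 253):
        attrs += attr(ATTR_EAP_MESSAGE, eap_payload[off:off + 253])
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zeroed while the MAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def _attributes(packet):
    """Yield (type, value, offset) for each attribute after the 20-byte header."""
    i, length = 20, len(packet)
    while i + 2 <= length:
        t, l = packet[i], packet[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("bad attribute length")
        yield t, packet[i + 2:i + l], i
        i += l


def verify_message_authenticator(secret, packet):
    """Server side: accept only if a Message-Authenticator is present and recomputes correctly
    under the shared secret; a packet without one, or with a bad length, is rejected."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        for t, value, offset in _attributes(packet):
            if t == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
                zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
                expected = hmac.new(secret, zeroed, hashlib.md5).digest()
                return hmac.compare_digest(value, expected)
    except ValueError:
        return False
    return False


def extract_eap(packet):
    """Reassemble the EAP payload from the EAP-Message attributes, in order."""
    return b"".join(value for t, value, _ in _attributes(packet) if t == ATTR_EAP_MESSAGE)


if __name__ == "__main__":
    # Constructed values: not a real shared secret, and a fixed Request Authenticator only for the demo.
    secret, ra = b"constructed-shared-secret", bytes(range(16))
    eap = eap_identity_response(1, "primecorp\\john_smith")
    pkt = build_access_request(secret, ra, "john_smith", eap, nas_port=1)
    print("valid:", verify_message_authenticator(secret, pkt), "eap:", extract_eap(pkt).hex())
```

    The verification function returns False for a packet with no Message-Authenticator at all, which is the behaviour a RADIUS server must have for EAP traffic; otherwise an EAP-carrying Access-Request could be altered in transit without detection, since the Request Authenticator alone does not cover the attributes.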

    VLAN Authorizations

    The following Vendor-Specific Attributes (VSAs) can be used to deliver the VLAN IDs or names to which to add the authenticated user. In typical NAP deployments these VSAs could be used to deliver a designated quarantine VLAN.

    Extreme-Netlogin-VLAN-Name (VSA 203): This attribute specifies a VLAN name that the RADIUS server sends to the switch after successful authentication. When the switch receives the VSA, it adds the authenticated user to the VLAN. The VLAN must already exist on the switch.

    Extreme-Netlogin-VLAN-ID (VSA 209): This attribute specifies a VLAN ID (or VLAN tag) that the RADIUS server sends to the switch after successful authentication. When the switch receives the VSA, it adds the authenticated user to the VLAN. The VLAN must already exist on the switch.

    Extreme-Netlogin-Extended-Vlan (VSA 211): This attribute specifies one or more VLANs that the RADIUS server sends to the switch after successful authentication. You can specify VLANs by VLAN name or ID (tag). The VLANs may either already exist on the switch or, if you have enabled dynamic VLANs and a nonexistent VLAN tag is given, the VLAN is created.

    Once authenticated, the client/port is moved to the VLAN whose VLAN ID/Name is sent in the Access-Accept message. This VLAN can be the designated quarantine VLAN. The administrator needs to ensure that the quarantine VLAN indeed has limited access to the rest of the network. Typically, this can be done by disabling IP forwarding on that VLAN so no routed traffic can traverse out of that VLAN. The quarantine VLAN can also be created dynamically in the switch using NetLogin.

    This case study uses the Extreme-NetLogin-VLAN-ID (VSA 209) to demonstrate the NAP concepts.

    Restricted Network Access Using Access Control Lists

    In addition to the VLAN VSAs, ExtremeXOS NetLogin provides the following VSAs:

    MS-Quarantine-State

    MS-IPv4-Remediation-Servers

    These VSAs control access to network resources by unhealthy supplicants.

    The MS-IPv4-Remediation-Servers VSA contains a list of IP addresses that an unhealthy, and therefore quarantined, supplicant can access so that it can correct the unhealthy attribute(s). In the real world, remediation server(s) are accessible via the uplink port and are not necessarily in the same VLAN. Regardless of whether the quarantine VLAN is preconfigured or dynamically created, unhealthy clients must have access to the remediation servers.

    NetLogin supports the MS-Quarantine-State attribute (present in the Access-Accept message), whose values (referred to as extremeSessionStatus) convey the status of the client as Quarantined or On Probation. In either case a dynamic ACL which denies all traffic is applied on the VLAN. If such an ACL is already present on that VLAN, then no new ACL is applied. The ACL is removed automatically when the last authenticated client has been removed from the quarantine VLAN.

    Additionally, if the MS-IPv4-Remediation-Servers VSA is present in the Access-Accept message, then for each IP address present in the VSA a dynamic ACL permitting all traffic to/from that IP address is applied on the quarantine VLAN. This allows traffic to/from the remediation servers to pass unhindered into the quarantine VLAN while all other traffic is dropped.
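    The two sections above (VLAN Authorizations and Restricted Network Access Using Access Control Lists) describe how the switch turns attributes in the Access-Accept into a VLAN move plus dynamic ACLs. The following added example (not code from Extreme Networks or Microsoft) decodes a RADIUS Vendor-Specific attribute list and derives that enforcement plan. The vendor enterprise numbers (Extreme 1916, Microsoft 311), the Microsoft vendor types for MS-Quarantine-State and MS-IPv4-Remediation-Servers, the state values and the group-id prefix in the remediation server list are taken from public RADIUS dictionaries and the MS-RNAP description and are assumptions of the example, not values stated in this note; VSA 209 and its meaning are from the note. The sample attribute blobs are constructed.

```python
import ipaddress
import struct

VENDOR_SPECIFIC = 26              # RFC 2865 Vendor-Specific attribute type
VENDOR_EXTREME = 1916             # assumption: Extreme Networks enterprise number (public RADIUS dictionaries)
VENDOR_MICROSOFT = 311            # assumption: Microsoft enterprise number (public RADIUS dictionaries)
EXTREME_NETLOGIN_VLAN_ID = 209    # Extreme-Netlogin-VLAN-ID (VSA 209), integer VLAN tag, from the note
MS_QUARANTINE_STATE = 45          # assumption: MS-Quarantine-State vendor type (MS-RNAP)
MS_IPV4_REMEDIATION_SERVERS = 52  # assumption: MS-IPv4-Remediation-Servers vendor type (MS-RNAP)
REMEDIATION_GROUP_ID_LEN = 2      # assumption: a 2-byte group id precedes the list of IPv4 addresses
QUARANTINE_STATES = {0: "Full Access", 1: "Quarantine", 2: "Probation"}  # assumption: MS-RNAP values


def vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute: type 26 wrapping the vendor id and a vendor TLV."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def decode_attributes(data):
    """Return [(vendor_id or None, type, value)] for the attributes of an Access-Accept.
    Every length is validated so a truncated or crafted attribute raises instead of mis-parsing."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + length]
        if attr_type == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("Vendor-Specific attribute too short")
            vendor, j = struct.unpack("!I", value[:4])[0], 4
            while j < len(value):
                if j + 2 > len(value):
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("bad vendor sub-attribute length")
                out.append((vendor, vtype, value[j + 2:j + vlen]))
                j += vlen
        else:
            out.append((None, attr_type, value))
        i += length
    return out


def _u32(value):
    if len(value) != 4:
        raise ValueError("integer attribute must be 4 bytes")
    return struct.unpack("!I", value)[0]


def enforcement_plan(data):
    """Map the decoded attributes to the switch actions the note describes: move the client to
    the VSA 209 VLAN; if MS-Quarantine-State is Quarantine or Probation, deny all traffic on that
    VLAN except to/from the MS-IPv4-Remediation-Servers addresses."""
    plan = {"vlan_tag": None, "state": "Full Access", "remediation": [], "dynamic_acls": []}
    for vendor, vtype, value in decode_attributes(data):
        if vendor == VENDOR_EXTREME and vtype == EXTREME_NETLOGIN_VLAN_ID:
            plan["vlan_tag"] = _u32(value)
        elif vendor == VENDOR_MICROSOFT and vtype == MS_QUARANTINE_STATE:
            plan["state"] = QUARANTINE_STATES.get(_u32(value), "Unknown")
        elif vendor == VENDOR_MICROSOFT and vtype == MS_IPV4_REMEDIATION_SERVERS:
            ips = value[REMEDIATION_GROUP_ID_LEN:]
            if len(ips) % 4:
                raise ValueError("remediation server list is not a whole number of IPv4 addresses")
            plan["remediation"] = [str(ipaddress.IPv4Address(ips[k:k + 4])) for k in range(0, len(ips), 4)]
    if plan["state"] in ("Quarantine", "Probation"):
        # permit entries are listed ahead of the deny so they take effect when installed in order
        plan["dynamic_acls"] = [f"permit any <-> {ip}" for ip in plan["remediation"]] + ["deny all"]
    return plan


# Constructed sample Access-Accept attributes for an unhealthy client: the case study's
# quarantine VLAN (tag 3), MS-Quarantine-State = Quarantine, and one remediation server.
SAMPLE_QUARANTINED = (
    vsa(VENDOR_EXTREME, EXTREME_NETLOGIN_VLAN_ID, struct.pack("!I", 3))
    + vsa(VENDOR_MICROSOFT, MS_QUARANTINE_STATE, struct.pack("!I", 1))
    + vsa(VENDOR_MICROSOFT, MS_IPV4_REMEDIATION_SERVERS,
          struct.pack("!H", 1) + ipaddress.IPv4Address("192.168.2.10").packed)
)
# Constructed sample for a compliant client: corp VLAN (tag 2), full access, no dynamic ACLs.
SAMPLE_COMPLIANT = (
    vsa(VENDOR_EXTREME, EXTREME_NETLOGIN_VLAN_ID, struct.pack("!I", 2))
    + vsa(VENDOR_MICROSOFT, MS_QUARANTINE_STATE, struct.pack("!I", 0))
)

if __name__ == "__main__":
    for label, blob in (("quarantined", SAMPLE_QUARANTINED), ("compliant", SAMPLE_COMPLIANT)):
        print(label, enforcement_plan(blob))
```

    A quarantined client with no remediation servers in the Access-Accept ends up with only the deny-all ACL, which is the situation the note warns about: the client is isolated but has no path to become compliant, so the NPS policy should always pair the quarantine state with a remediation server list.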

    NAP Case Study

    We will build a NAP framework using the components shown in Page 8, and see how it helps the company Prime Corporation (an example used in this case study) to enforce Microsoft NAP policies using ExtremeXOS based switches.

    NOTE

    A discussion about enterprise or campus network design is beyond the scope of this application note. The network design illustrated below is simplified to show the various features and benefits of using NetLogin.

    The diagram below shows the various systems and devices used by Prime Corp, along with users attached to the edge switches.

    Figure 2: Systems and devices used by Prime Corp and users attached to the edge switches. The figure shows the campus core/aggregation layer (Summit X450a-24t) with PRIMECORP-PDC-1 (Domain Controller, Microsoft Windows 2008) and PRIMECORP-NAP-1 (Network Policy Server, Microsoft Windows 2008), and the edge (a Summit X250e-24p stack, members 1 and 2) with John Smith's Laptop1 and JS-Workstation and Bob Stone's BS-Workstation attached.

    The table below summarizes the various roles and functions performed by the devices in the network:

    Summit X250e-24P (Edge Switch)
    - Performs authentication of attached users and devices such as phones using NetLogin
    - Provides network access to users
    - Multiple VLANs in the switch help isolate users and devices in different broadcast domains based on the authentication and NAP policies
    - Layer 2 switch in this scenario

    Summit X450a-24t (Aggregation/Distribution Switch)
    - Provides connectivity to the rest of the campus network, including authentication servers, application servers, domain controllers, and the Internet gateway
    - Layer 3 switch providing routing functionality

    PRIMECORP-PDC-1 (Domain Controller and Root CA)
    - Microsoft Windows 2008 Server
    - Configured as the domain controller for primecorp.com
    - Contains the Microsoft Active Directory (AD)
    - Enterprise Root CA for primecorp.com

    PRIMECORP-NAP-1 (Authentication Server, NAP Policy Server)
    - Microsoft Windows 2008 Server
    - Member of domain primecorp.com
    - Acts as the authentication server for all users in the domain
    - Configured with NAP policies, which are enforced using features provided by ExtremeXOS NetLogin in the edge switches

    JS-WORKSTATION (Workstation used by John Smith)
    - Microsoft Windows 7 Professional

    BS-WORKSTATION (Workstation used by Bob Stone)
    - Microsoft Windows Vista Business Edition

    LAPTOP1 (Laptop computer used by John Smith)
    - Microsoft Windows XP
    - Contains Service Pack 3 updates
    - Also contains all updates required for Group Policy Client Side configurations

    Table 1

    A summary of users and devices connecting to the edge of the network:

    Network User: John Duff
    Role: Employee
    Notes:
    - Works in the Sales organization in Prime Corp
    - Uses a Microsoft Windows 7 Professional based PC (connected to Port #1 of the edge switch)
    - Uses a Microsoft Windows XP SP3 based laptop computer (connected to Port #3 of the edge switch)
    - Requires full access to the network and resources such as file servers, printers, application servers, the Internet, and so on

    Network User: Bob Stone
    Role: Employee
    Notes:
    - Works in the Engineering organization in Prime Corp
    - Uses a Microsoft Windows Vista Business Edition based workstation (connected to Port #2 of the edge switch)

    Table 2

    Edge Switch Configuration

    We will proceed to configure the Summit X250e-24P switch first. Readers will notice that changes to network policies configured in the authentication server (PRIMECORP-NAP-1) do not require changes to the edge switch configuration. This allows for flexible NAP policies and changes without disturbing the configurations of a potentially large number of edge switches in the network.

    It is recommended that the reader keeps the following information handy in order to complete the switch configuration.

    In addition to configuring the NetLogin module, the VLAN and AAA modules will also need to be configured. Configuration of the VLAN module provides reachability to the backend authentication servers, and also creates the various user VLANs in the switch. Configuration of the AAA module provides the switch with one or more RADIUS server(s) to contact for authentication.

    Authentication Server IP: 192.168.2.11/24

    VLAN Name    Tag    IP
    corp         2      192.168.2.1/24
    authvlan     7      (VLAN used by NetLogin)

    VLAN Configuration

    configure vlan default delete ports 1-26

    create vlan authvlan

    configure vlan authvlan tag 7

    create vlan corp

    configure vlan corp tag 2

    create vlan corpvoice

    configure vlan corpvoice tag 4

    create vlan crmapps

    configure vlan crmapps tag 6

    create vlan quarantine

    configure vlan quarantine tag 3

    create vlan salesapps

    configure vlan salesapps tag 5

    configure vlan corp add ports 25 tagged

    configure vlan corpvoice add ports 25 tagged

    configure vlan crmapps add ports 25 tagged

    configure vlan quarantine add ports 25 tagged

    configure vlan salesapps add ports 25 tagged

    configure vlan Mgmt ipaddress 10.127.2.18 255.255.255.0

    configure vlan corp ipaddress 192.168.2.1 255.255.255.0

    configure vlan authvlan ipaddress 192.168.100.1 255.255.255.0

    AAA Module Configuration

    configure radius netlogin primary server 192.168.2.11 1812 client-ip 192.168.2.1 vr VR-Default

    configure radius netlogin primary shared-secret encrypted r~`gobmvr

    enable radius netlogin

    NetLogin Configuration

    configure netlogin vlan authvlan

    enable netlogin dot1x mac web-based

    enable netlogin ports 1-8 dot1x

    enable netlogin ports 9-16 mac

    enable netlogin ports 17-24 web-based

    configure netlogin ports 1 mode port-based-vlans

    configure netlogin ports 1 no-restart

    configure netlogin ports 2 mode port-based-vlans

    configure netlogin ports 2 no-restart

    configure netlogin ports 3 mode port-based-vlans

    configure netlogin ports 3 no-restart

    configure netlogin ports 4 mode port-based-vlans

    configure netlogin ports 4 no-restart

    configure netlogin ports 5 mode port-based-vlans

    configure netlogin ports 5 no-restart

    NOTE

    None of the VLANs actually contain user ports

    Port 25 is the uplink port in the edge switch and is added as a tagged port for all VLANs

    configure netlogin ports 6 mode port-based-vlans

    configure netlogin ports 6 no-restart

    configure netlogin ports 7 mode port-based-vlans

    configure netlogin ports 7 no-restart

    configure netlogin ports 8 mode port-based-vlans

    configure netlogin ports 8 no-restart

    configure netlogin ports 9 mode port-based-vlans

    configure netlogin ports 9 no-restart

    configure netlogin ports 10 mode port-based-vlans

    configure netlogin ports 10 no-restart

    configure netlogin ports 11 mode port-based-vlans

    configure netlogin ports 11 no-restart

    configure netlogin ports 12 mode port-based-vlans

    configure netlogin ports 12 no-restart

    configure netlogin ports 13 mode port-based-vlans

    configure netlogin ports 13 no-restart

    configure netlogin ports 14 mode port-based-vlans

    configure netlogin ports 14 no-restart

    configure netlogin ports 15 mode port-based-vlans

    configure netlogin ports 15 no-restart

    configure netlogin ports 16 mode port-based-vlans

    configure netlogin ports 16 no-restart

    configure netlogin ports 17 mode port-based-vlans

    configure netlogin ports 17 no-restart

    configure netlogin ports 18 mode port-based-vlans

    configure netlogin ports 18 no-restart

    configure netlogin ports 19 mode port-based-vlans

    configure netlogin ports 19 no-restart

    configure netlogin ports 20 mode port-based-vlans

    configure netlogin ports 20 no-restart

    configure netlogin ports 21 mode port-based-vlans

    configure netlogin ports 21 no-restart

    configure netlogin ports 22 mode port-based-vlans

    configure netlogin ports 22 no-restart

    configure netlogin ports 23 mode port-based-vlans

    configure netlogin ports 23 no-restart

    configure netlogin ports 24 mode port-based-vlans

    configure netlogin ports 24 no-restart

    configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 ports 9-16

    NOTE

    NetLogin uses the authvlan VLAN

    Local database authentication is NOT used in this case study
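    The edge switch configuration above and its two NOTE blocks state several invariants: NetLogin uses the authvlan VLAN, no VLAN contains user ports, port 25 is the uplink and is tagged in every VLAN, a RADIUS server is configured for NetLogin, and (from the VLAN Authorizations section) the quarantine VLAN must exist and should not forward IP traffic. The following added example, not code from Extreme Networks, is a small audit that parses ExtremeXOS configuration lines of the forms used above and reports any of those invariants that do not hold. The sample configuration is constructed from the lines on this page; the "weak" variant adds two lines (a static user port in the quarantine VLAN and `enable ipforwarding vlan quarantine`) to show what the audit flags. Which statements the parser recognises is an assumption of the example.

```python
import re


def expand_ports(spec):
    """Expand an ExtremeXOS port list such as '1-8,25' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_config(text):
    """Collect the VLAN, NetLogin and RADIUS facts the audit needs; unrecognised lines are ignored."""
    cfg = {"vlans": {}, "ipforwarding": set(), "netlogin_vlan": None,
           "netlogin_ports": set(), "radius_server": None, "radius_enabled": False}

    def vlan(name):
        return cfg["vlans"].setdefault(name, {"tag": None, "tagged": set(), "untagged": set()})

    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"create vlan (\S+)", line):
            vlan(m[1])
        elif m := re.fullmatch(r"configure vlan (\S+) tag (\d+)", line):
            vlan(m[1])["tag"] = int(m[2])
        elif m := re.fullmatch(r"configure vlan (\S+) add ports (\S+) (tagged|untagged)", line):
            vlan(m[1])[m[3]] |= expand_ports(m[2])
        elif m := re.fullmatch(r"enable ipforwarding vlan (\S+)", line):
            cfg["ipforwarding"].add(m[1])
        elif m := re.fullmatch(r"configure netlogin vlan (\S+)", line):
            cfg["netlogin_vlan"] = m[1]
        elif m := re.fullmatch(r"enable netlogin ports (\S+) (dot1x|mac|web-based)", line):
            cfg["netlogin_ports"] |= expand_ports(m[1])
        elif m := re.fullmatch(r"configure radius netlogin primary server (\S+) (\d+) .*", line):
            cfg["radius_server"] = (m[1], int(m[2]))
        elif line == "enable radius netlogin":
            cfg["radius_enabled"] = True
    return cfg


def audit(text, uplink=25, quarantine_vlan="quarantine"):
    """Return a list of findings; an empty list means every invariant checked here holds."""
    cfg = parse_config(text)
    findings = []
    nl = cfg["netlogin_vlan"]
    if nl is None or nl not in cfg["vlans"]:
        findings.append("NetLogin VLAN is not configured or has not been created")
    if cfg["radius_server"] is None or not cfg["radius_enabled"]:
        findings.append("no enabled RADIUS server is configured for NetLogin")
    for name, v in cfg["vlans"].items():
        if name != nl and uplink not in v["tagged"]:
            findings.append(f"VLAN {name}: uplink port {uplink} is not a tagged member")
        static = (v["tagged"] | v["untagged"]) & cfg["netlogin_ports"]
        if static:
            findings.append(f"VLAN {name}: NetLogin ports {sorted(static)} are static members "
                            "(the note expects no user ports in any VLAN)")
    if quarantine_vlan not in cfg["vlans"]:
        findings.append(f"quarantine VLAN '{quarantine_vlan}' does not exist; VSA 203/209 require it to")
    elif quarantine_vlan in cfg["ipforwarding"]:
        findings.append(f"VLAN {quarantine_vlan}: IP forwarding is enabled, so quarantined "
                        "clients could be routed to the rest of the network")
    return findings


# Constructed sample: the relevant lines from the edge switch configuration on this page.
SAMPLE_CONFIG = """
configure vlan default delete ports 1-26
create vlan authvlan
configure vlan authvlan tag 7
create vlan corp
configure vlan corp tag 2
create vlan quarantine
configure vlan quarantine tag 3
create vlan salesapps
configure vlan salesapps tag 5
configure vlan corp add ports 25 tagged
configure vlan quarantine add ports 25 tagged
configure vlan salesapps add ports 25 tagged
configure vlan corp ipaddress 192.168.2.1 255.255.255.0
configure vlan authvlan ipaddress 192.168.100.1 255.255.255.0
configure radius netlogin primary server 192.168.2.11 1812 client-ip 192.168.2.1 vr VR-Default
enable radius netlogin
configure netlogin vlan authvlan
enable netlogin dot1x mac web-based
enable netlogin ports 1-8 dot1x
"""
# Constructed weak variant: a user port statically in the quarantine VLAN and routing enabled on it.
WEAK_CONFIG = SAMPLE_CONFIG + "configure vlan quarantine add ports 3 untagged\nenable ipforwarding vlan quarantine\n"

if __name__ == "__main__":
    print("sample:", audit(SAMPLE_CONFIG) or "no findings")
    print("weak:", *audit(WEAK_CONFIG), sep="\n  ")
```

    Running the audit against a saved `show configuration` output before and after a policy change is a cheap way to confirm that the switch side still matches what the NPS policies assume, since the note's design keeps those policies on the server and the VLAN and ACL plumbing on the switch.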

    Prerequisites for Servers and Clients

    This section lists the requirements in terms of applications, roles, features, and other software updates required in both the servers and clients in order to carry out the tests described in this case study.

    Domain Controller (PRIMECORP-PDC-1)

    The following components are installed and the appropriate services are started:

    Microsoft Windows Active Directory Certification Authority is installed as an Enterprise Root CA and a default certificate for the server primecorp-pdc-1.primecorp.com is generated

    DHCP Server with a scope to serve clients which are authenticated and authorized to be part of the corporate network. The DHCP scope used in this case study contains the following:

    IP Address Range: 192.168.2.101 to 192.168.2.150

    Primary DNS Server: 192.168.2.10

    WINS Server: 192.168.2.10

    The screen shot below shows the list of programs and applications installed for this case study.

    The screen shot below shows all the roles installed on this server.

    Microsoft NPS/NAP Server (PRIMECORP-NAP-1)

    The following components are installed and the appropriate services are started:

    Network Policy Server (available via the role Network Policy and Access Services)

    Group Policy Management (for management of client policies)

    A computer certificate has been obtained from primecorp-pdc-1 for use with IEEE 802.1X authentication (Protected EAP with MS-CHAP-V2)

    Microsoft Windows 7 Professional Based Clients

    All software updates available via Microsoft Windows Update services are installed. This computer (JS-WORKSTATION) has been joined to the primecorp.com domain.

    Microsoft Windows Vista Business Edition Clients

    All software updates available via Microsoft Windows Update services are installed. This computer (BS-WORKSTATION) has been joined to the primecorp.com domain.

    Microsoft Windows XP Professional Clients

    All software updates available via Microsoft Windows Update services are installed. In particular, Microsoft Windows XP Service Pack 3 update has been installed.

    This computer (LAPTOP1) has been joined to the primecorp.com domain.

    Domain Controller (PRIMECORP-PDC-1) Configuration

    This section describes the steps required to:

    a. Create users and groups in the Microsoft Active Directory

    b. Perform any additional configurations required on the Microsoft Windows 2008 Server

    Create Group: PRIMECORP_COMPUTERS

    The list of computers that are administered in this domain can be viewed in Active Directory Users and Computers.

    Steps: Click Start > Administrative Tools > Active Directory Users and Computers.

    Steps: Click Group.

    We will now proceed to create a group called PRIMECORP_COMPUTERS, and add the clients JS-WORKSTATION, BS-WORKSTATION, and LAPTOP1 into this group.

    Steps: Right click on Users > New.

    Steps: Enter the group name as PRIMECORP_COMPUTERS, ensure that the group is of type Security, and the scope is Global. Click OK.

    Steps: Access the group properties by right clicking on PRIMECORP_COMPUTERS.

    Steps: Click Properties.

    Steps: Click the Members tab > Add > Object Types.

    Steps: Select Computers > Click OK.

    Steps: Enter the computer names as shown, and Click Check Names to ensure all the computer names have been recognized. Click OK.

    Steps: Click OK to confirm the members of the group.

    Create Group: SALES

    The group SALES is intended to contain users such as John Smith, and other personnel in the sales organization. The group SALES can be created using the steps described in Section 5.3.1 Create Group: PRIMECORP_COMPUTERS.

    Create Group: ENGINEERING

    The group ENGINEERING is intended to contain users such as Bob Stone, and other personnel in the engineering organization. The group ENGINEERING can be created using the steps described in Section 5.3.1 Create Group: PRIMECORP_COMPUTERS.

    Create User: John Smith

    Steps: Open the program Active Directory Users and Computers.

    Steps: Right click on Users > New > User.

    Steps: Enter the details for the user as shown above > Click Next.

    Steps: Choose a password for the user > Click OK.

    Steps: Click Finish.

    We will now proceed to make the user John Smith a member of the SALES group.

    Steps: Right click on the user John Smith > Properties.

    Steps: In the Dial-In tab, select the option Allow Access > Click on the Member Of tab.

    Steps: Click Add → In the Select Groups dialog box, enter SALES in object names → Click Check Names → Ensure that the group name is recognized/resolved and click OK → Click OK again to close the properties.

    Create User: Bob Stone

    The user Bob Stone with account name bob_stone can be created using the procedures described in the earlier section. Further, Bob Stone should be configured as a member of the group ENGINEERING (instead of SALES, as for John Smith).

    NAP Policies Configurations (PRIMECORP-NAP-1)

    RADIUS Client Configuration

    In this section, we will describe the steps required to define a network access policy. We will first add a RADIUS client (the Edge Switch) from which the server will receive authentication requests on behalf of the clients, and then define authentication methods and authorization policies based on the statements of health supplied by the System Health Agents in the clients.

    Steps: Click Start → Click Administrative Tools → Click Network Policy Server.

    Steps: Expand RADIUS Clients and Servers in the left pane → Right Click RADIUS Clients → Click New RADIUS Client.

    Steps: Enter the details as shown below and Click OK.

    Create and Configure NAP Policies

    In this section, we will walk through the steps required to create and configure NAP policies.

    Steps: Click on NPS (Local) in the left pane.

    Steps: Click on Configure NAP on the right pane.

    Steps: Select IEEE 802.1X (Wired) from the options presented for Network connection methods → Enter the name of the policy (in this case study we have used the name Authenticate Corp Users NAP 802.1X (Wired)) → Click Next.

    Steps: Confirm that the switch which we configured as a RADIUS client is selected → Click Next.

    Steps: Click Add User.

    Steps: In the Select Group dialog box, enter the group name SALES → Click Check Names → Click OK.

    In addition to the group SALES we will use this NAP policy to authenticate and authorize users who are part of the ENGINEERING group.

    Steps: Click Add User.

    Steps: In the Select Group dialog box that appears, enter the group name ENGINEERING → Click Check Names to verify that the group name is recognized/resolved → Click OK.

    Steps: Click Next.

    Steps: Select the EAP Type Secure Password (PEAP-MS-CHAP-v2) → Click Next.

    The two screen shots shown below are optional steps for users who want to view the server certificate being used for this authentication method. The server certificate being used here, in this case study, was requested by the server PRIMECORP-NAP-1 and was issued by PRIMECORP-PDC-1 (which is configured as the Enterprise Root CA for the domain primecorp.com).

    When NAP policies are created using the wizard, users can specify both the organizational network VLAN (a VLAN that can be used by supplicants who pass the authentication and the health policies) and a restricted VLAN (which can be used to isolate unhealthy supplicants, i.e. those users who do not pass the health policy checks). In this case study, we have chosen to configure these VLANs and possibly other authorizations separately after the NAP policies are created by the wizard.

    Steps: Click Next.

    The Define NAP Health Policy step when using the wizard allows administrators to configure the Health Validator to be used, auto-remediation (if desired), and the restrictions that are to be placed on computers which are non-NAP capable.

    Steps: Ensure that the default health validator Windows Security Health Validator is selected → Unselect Enable auto-remediation of client computers → Select Allow full network access to NAP-ineligible computers → Click Next.

    Steps: Click Finish.

    Verify Processing Order of NAP Policies

    The screen shots in this section show all three types of policies created by the wizard. It is recommended that users verify that the processing order of the policies matches, or is close to, what is shown in the screen shots.

    The screen shot below shows the list of Connection Request Policies. Note that the first policy Authenticate Corp Users NAP 802.1X (Wired) is a result of the wizard we used in the previous section.

    The screen shot below shows the list of Network Policies which were created by the NAP configuration wizard.

    The screen shot below shows the list of Health Policies which were created by the NAP configuration wizard.

    Modify NAP Policies

    In this section, we will walk through the steps required to define authorizations based on the health checks performed by the System Health Validator.

    Authorizations for NAP Compliant or Healthy Supplicants

    This section shows the steps required to provide the right authorization for clients that are deemed as healthy and compliant to the health policy defined in NAP.

    Steps: In the left pane, under Policies, click Network Policies → Double Click on the policy Authenticate Corp Users NAP 802.1X (Wired) Compliant.

    Steps: Click on the Settings tab.

    Steps: Under RADIUS Attributes in the left pane, click on Standard → Remove both the attributes which appear by default, Framed-Protocol and Service-Type.

    Steps: Click OK → Click on Vendor Specific in the left pane → Click on Add in the right pane.

    Steps: Scroll down the list of attributes and select Vendor-Specific → Click Add.

    Steps: In the Attribute Information dialog box, click on Add.

    Steps: Select the Enter Vendor Code option → Enter 1916, which is the Extreme Networks Vendor ID → Select Yes, it conforms → Click Configure Attribute.

    Steps: Enter 209 in Vendor-assigned attribute number, which denotes the Extreme-Netlogin-VLAN-ID VSA → Select Decimal as the Attribute format → Enter 2 (the VLAN ID of the corp VLAN) in the Attribute value → Click OK twice to return to the list of vendor specific attributes.

    Steps: Click OK to return to the network policies.

    Authorizations for NAP Noncompliant or Unhealthy Supplicants

    This section shows the steps required to provide the right authorization for clients that are deemed as unhealthy and noncompliant to the health policy defined in NAP.

    Steps: Double click on the Authenticate Corp Users NAP 802.1X (Wired) Noncompliant policy.

    Steps: Click on the Settings tab → Under RADIUS Attributes in the left pane, select Standard → Remove both the attributes Framed-Protocol and Service-Type.

    Steps: Under RADIUS Attributes in the left pane, click on Vendor Specific → Click Add in the right pane.

    Steps: Scroll down to the end of the list of attributes and select Vendor Specific → Click Add.

    Steps: Click Add to add a new VSA.

    Steps: Select the Enter Vendor Code option → Enter 1916 → Select Yes, it conforms → Click Configure Attribute.

    Steps: Enter the value 209 for the attribute number → Select the attribute format as Decimal → Enter the value 3 in the attribute value → Click OK twice to return to the Vendor Specific attributes.
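    The Compliant and Noncompliant network policies above differ only in the value carried by the Extreme-Netlogin-VLAN-ID VSA (2 for compliant, 3 for noncompliant). The following Python is an added example, not code from the application note or from Extreme Networks or Microsoft: it builds and parses the RADIUS Vendor-Specific attribute (vendor ID 1916, vendor-assigned attribute 209, Decimal format) in the form NPS places it in the Access-Accept, so you can check what the edge switch should receive for each NAP outcome. The attribute layout follows RFC 2865; the outcome-to-VLAN table is this case study's, and treating NAP-ineligible clients like compliant ones follows the section below on NAP ineligible supplicants.

```python
"""Encode/decode the Extreme-Netlogin-VLAN-ID RADIUS VSA returned by NPS (added example)."""
import struct

RADIUS_ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type "Vendor-Specific"
EXTREME_VENDOR_ID = 1916           # Extreme Networks vendor ID (value entered in NPS above)
EXTREME_NETLOGIN_VLAN_ID = 209     # Extreme-Netlogin-VLAN-ID vendor-assigned attribute number

# VLAN delivered for each NAP outcome in this case study: VLAN 2 = corp, VLAN 3 = restricted.
# NAP-ineligible clients receive the same authorization as compliant ones.
VLAN_BY_NAP_RESULT = {"compliant": 2, "ineligible": 2, "noncompliant": 3}


def encode_netlogin_vlan_vsa(vlan_id: int) -> bytes:
    """Build the on-the-wire Vendor-Specific attribute carrying one VLAN ID.

    Layout: Type(26) Length Vendor-Id(4 bytes) | Vendor-Type(1) Vendor-Length(1) Value.
    NPS's "Decimal" attribute format is a 32-bit big-endian integer, so Value is 4 bytes.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"invalid 802.1Q VLAN ID: {vlan_id}")
    value = struct.pack("!I", vlan_id)
    vendor_part = struct.pack("!BB", EXTREME_NETLOGIN_VLAN_ID, 2 + len(value)) + value
    header = struct.pack("!BBI", RADIUS_ATTR_VENDOR_SPECIFIC,
                         2 + 4 + len(vendor_part), EXTREME_VENDOR_ID)
    return header + vendor_part


def decode_netlogin_vlan_vsa(attr: bytes) -> int:
    """Parse one Vendor-Specific attribute and return the VLAN ID it carries.

    Every length and identifier is checked so a caller never acts on a truncated
    attribute or on a VSA from a different vendor or of a different vendor type.
    """
    if len(attr) < 12:
        raise ValueError("attribute too short for an Extreme-Netlogin-VLAN-ID VSA")
    attr_type, length, vendor_id = struct.unpack("!BBI", attr[:6])
    if attr_type != RADIUS_ATTR_VENDOR_SPECIFIC or length != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    if vendor_id != EXTREME_VENDOR_ID:
        raise ValueError(f"unexpected vendor ID {vendor_id}, expected {EXTREME_VENDOR_ID}")
    vendor_type, vendor_len = struct.unpack("!BB", attr[6:8])
    if vendor_type != EXTREME_NETLOGIN_VLAN_ID or vendor_len != 6 or length != 12:
        raise ValueError("not an Extreme-Netlogin-VLAN-ID attribute with a 4-byte value")
    return struct.unpack("!I", attr[8:12])[0]


def vsa_for_nap_result(result: str) -> bytes:
    """Return the VSA the corresponding network policy places in the Access-Accept."""
    return encode_netlogin_vlan_vsa(VLAN_BY_NAP_RESULT[result])


if __name__ == "__main__":
    for result in VLAN_BY_NAP_RESULT:
        raw = vsa_for_nap_result(result)
        print(f"{result:13s} -> VLAN {decode_netlogin_vlan_vsa(raw)}  bytes={raw.hex()}")
```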

    Steps: Click OK.

    Authorizations for NAP Ineligible Supplicants

    The authorizations for NAP ineligible supplicants for this case study will be the same as those for NAP compliant supplicants. The authorizations can be configured using exactly the same steps shown and described in Section 5.4.4.1 Authorizations for NAP compliant or Healthy Supplicants.

    Configure System Health Validator

    This section describes the configuration and settings for the Windows System Health Validator (the default SHV). The SHV will be configured to check the following:

    a. Firewall: A firewall application is available, and is enabled. In the case study we have used the Windows Firewall application in the clients.

    b. Windows Automatic Updates: The automatic updates option is enabled in the client computers.

    Steps: Under Health Policies in the left pane, click on Health Policies → Double click on the policy Authenticate Corp Users NAP 802.1X (Wired) Compliant.

    Steps: In SHVs used in the health policy, ensure that the Windows Security Health Validator is selected → Click OK.

    Steps: Under Network Access Protection in the left pane, click on System Health Validators → Double click on Windows Security Health Validator in the right pane.

    Steps: Click on Configure.

    Steps: Click on the Windows Vista tab, and select only the following options:

    a. Under Firewall, select A firewall is enabled for all network connections.

    b. Under Automatic Updating, select Automatic updating is enabled.

    c. Click on the Windows XP tab.

    NOTE

    The settings for Windows Vista are also applicable to Windows 7 clients.

    Steps: Ensure that the firewall and automatic update settings are configured as described for the earlier screen shot → Click OK.

    Group Policy Configurations

    In this section, we will walk through the steps required to create common group policies for clients using the following operating systems: Microsoft Windows Vista, Microsoft Windows 7, and Microsoft Windows XP. Group policies can be applied both to individual computers and to a security group which contains one or more clients. Recall that in Section 5.3.1 Create Group: PRIMECORP_COMPUTERS we created a security group which contains all of the clients (joined to the domain) used in this case study. This group definition will be used to deploy the common group policies described in this section.

    Server Side Configuration (PRIMECORP-NAP-1)

    This section describes the steps to be followed to create a Group Policy Object called NAP Clients GPO.

    Steps: Click Start → Enter gpme.msc and press Enter to run the program.

    Steps: Click on Create New Group Policy Object.

    Steps: Enter a name for the new GPO (the name selected here is NAP Client Settings GPO) → Click OK to start the Group Policy Management Editor.

    Steps: In the left pane, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\System Services → In the right pane, double click on Network Access Protection Agent.

    Steps: Select Define this policy setting → Select Automatic → Click OK.

    Steps: In the right pane, double click Wired AutoConfig.

    Steps: Select Define this policy setting → Select Automatic → Click OK.

    Steps: In the left pane, navigate to Computer Configuration\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Enforcement Clients → In the right pane, right click on EAP Quarantine Enforcement Client → Click Enable.

    Steps: In the left pane, navigate to Computer Configuration\Windows Settings\Security Settings\Network Access Protection → Right click on NAP Client Configuration → Click Apply.

    Steps: In the left pane, navigate to Computer Configuration\Policies\Administrative Templates: Policy definitions\Windows Components\Security Center → In the right pane, double click on Turn on Security Center (Domain PCs only).

    Steps: Under the Setting tab, check the option Enabled → Click OK (optionally close the Group Policy Management Editor).

    Steps: Click on Start → Enter gpmc.msc and press Enter.

    Steps: In the left pane, navigate to Group Policy Management\Forest primecorp.com\Domains\primecorp.com\Group Policy Objects\NAP Client Settings GPO → In the right pane, under Security Filtering, select Authenticated Users → Click Remove.

    Steps: In the right pane, under Security Filtering, click Add.

    Steps: Type the object name PRIMECORP_COMPUTERS → Click Check Names to ensure that the object has been resolved → Click OK.

    Client Side Verification

    In this section, we will describe the steps to verify that the group policy configuration done on the NAP server PRIMECORP-NAP-1 has taken effect on the clients. It might be necessary to reboot the clients for the group policy configuration to be updated.

    NOTE

    It is important that the group policy configuration is updated on all the clients before proceeding with the rest of the case study. It is strongly recommended that users verify this and, if required, troubleshoot any problems encountered in the group policy update for clients.

    We will mainly use the netsh command, and also look at the settings of the services affected by the group policy update from the NAP server PRIMECORP-NAP-1.

    Microsoft Windows 7 Professional (JS-WORKSTATION)

    Steps: Open a command prompt and enter the command netsh nap client show grouppolicy → Ensure that the EAP Quarantine Enforcement Client has the admin state Enabled.

    Steps: Open a command prompt and enter the command netsh nap client show state → Ensure that the EAP Quarantine Enforcement Client is initialized (Initialized = Yes).

    Steps: Open Control Panel → Click on System and Security → Click on Administrative Tools → In the right pane, double click on Services.

    Steps: Ensure that the service Network Access Protection Agent is set to start automatically.

    Steps: Ensure that the service Wired AutoConfig is set to start automatically.

    Microsoft Windows Vista Business Edition (BS-WORKSTATION)

    Steps: Open a command prompt and enter the command netsh nap client show grouppolicy → Ensure that the EAP Quarantine Enforcement Client has the admin state Enabled.

    Steps: Open a command prompt and enter the command netsh nap client show state → Ensure that the EAP Quarantine Enforcement Client is initialized (Initialized = Yes).

    Steps: Open Control Panel → Click on System and Maintenance → Click on Administrative Tools → In the right pane, double click on Services.

    Steps: Ensure that the service Network Access Protection Agent is set to start automatically.

    Steps: Ensure that the service Wired AutoConfig is set to start automatically.

    Microsoft Windows XP Service Pack 3 (LAPTOP1)

    Steps: Open a command prompt and enter the command netsh nap client show grouppolicy → Ensure that the EAP Quarantine Enforcement Client has the admin state Enabled.

    Steps: Open a command prompt and enter the command netsh nap client show state → Ensure that the EAP Quarantine Enforcement Client is initialized (Initialized = Yes).

    Steps: Open Control Panel → Double click on Administrative Tools → Double click on Services.

    Steps: Ensure that the Network Access Protection Agent is set to start automatically.

    Steps: Ensure that the service Wired AutoConfig is set to start automatically.

    Client Side Configuration for IEEE 802.1X (PEAP-MS-CHAP-v2) Authentication

    This section describes the configuration required on the client side to perform IEEE 802.1X based authentication with PEAP and secured MS-CHAP-V2.

    Microsoft Windows 7 Professional (JS-WORKSTATION)

    Steps: Right click on the Network Connection icon in the System Tray → Click on Open Network and Sharing Center.

    Steps: Click on Local Area Connection.

    Steps: Click on Properties.

    Steps: Select Enable IEEE 802.1X authentication → Select the method Microsoft Protected EAP (PEAP) → Click on Settings.

    Steps: Select Validate server certificate → Under Select Authentication Method, select Secured password (EAP-MSCHAP-V2) → Click on Configure.

    Steps: It is recommended that the option Automatically use my Windows logon name and password is used. If this option is not selected, then the user will have to enter the credentials every time the client performs authentication.

    Microsoft Windows Vista Business Edition (BS-WORKSTATION)

    Steps: Open Control Panel → Click on Network and Internet → Click on Network and Sharing Center.

    Steps: Right click on Local Area Connection → Click on Properties.

    Steps: Click on the Authentication tab → Select the option Enable IEEE 802.1X authentication → Under Choose a network authentication method, select Microsoft Protected EAP (PEAP) → Click Settings.

    Steps: Select Validate server certificate → Under Select Authentication Method, select the Secured password (EAP-MSCHAP-V2) option → Select Enable Quarantine checks → Click on Configure.

    Steps: It is recommended that the option Automatically use my Windows logon name and password is selected.

    Microsoft Windows XP Service Pack 3 (LAPTOP1)

    Steps: Open Control Panel → Double Click on Network Connections → Right click on Local Area Connection → Click on Properties.

    Steps: Under the Authentication tab, select Enable IEEE 802.1X authentication → Select Protected EAP in Choose a network authentication method → Click on Settings.

    Steps: Select Validate server certificate → Under Select Authentication Method, select Secured password (EAP-MSCHAP-V2) → Select Enable Quarantine checks → Click Configure.

    Steps: It is recommended that the option Automatically use my Windows logon name and password is selected.

    Healthy Supplicants Scenario

    In this section, we will go through the information available at the server and the switch when supplicants meet all the health policies defined by the administrator in the NAP server (PRIMECORP-NAP-1). This means that all the clients have the Windows Firewall and the Windows Automatic Update features enabled. The first step is to log in to the respective clients and let the clients authenticate with the edge switch.

    John Smith (JS-WORKSTATION)

    The screen shot below shows the events available in the Event Viewer program on the NAP server (PRIMECORP-NAP-1). The event selected and shown below is generated by NPS, and shows that the client has been granted access to the network.

    The screen shot below shows the events available on the Event Viewer program on the NAP server (PRIMECORP-NAP-1). The event selected and shown below is generated by NPS, and shows that the client (Username: john_smith) has met all the health policy requirements.

    Bob Stone (Logging in Using BS-WORKSTATION)

    The screen shot below shows the events available in the Event Viewer program on the NAP server (PRIMECORP-NAP-1). The event selected and shown below is generated by NPS, and shows that the client (Username: bob_stone) has authenticated successfully and has been granted access to the network.

    The screen shot below shows the events available on the Event Viewer program on the NAP server (PRIMECORP-NAP-1). The event selected and shown below is generated by NPS, and shows that the client (Username: bob_stone) has met all the health policy requirements.

    John Smith (LAPTOP1)

    The screen shot below shows the events available in the Event Viewer program on the NAP server (PRIMECORP-NAP-1). The event selected and shown below is generated by NPS, and shows that the client (Username: john_smith, logging in from host LAPTOP1) has authenticated successfully and has been granted network access.

    The screen shot below shows the events available on the Event Viewer program on the NAP server (PRIMECORP-NAP-1). The event selected and shown below is generated by NPS, and shows that the client (Username: john_smith logging in from host LAPTOP1) has met all the health policy requirements.

    Information Available at the Edge Switch

    Output of command: show log chronological

    06/24/2010 19:11:29.45 Network Login 802.1x user PRIMECORP\john_smith logged in MAC 00:11:11:CD:74:6B port 1 VLAN(s) corp, authentication Radius
    06/24/2010 19:11:30.14 Network Login 802.1x user PRIMECORP\bob_stone logged in MAC 00:11:43:4C:90:6F port 2 VLAN(s) corp, authentication Radius
    06/24/2010 19:11:30.71 Network Login 802.1x user PRIMECORP\john_smith logged in MAC 00:11:43:51:B9:63 port 3 VLAN(s) corp, authentication Radius
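    Reading these NetLogin log lines by eye works for three ports, but after every policy change the check to run is whether each user landed in the VLAN the NAP outcome should have produced. The following Python is an added example, not code from the application note or from Extreme Networks: it parses NetLogin log lines of the form shown above and reports any login whose assigned VLAN is not the one expected for that user. The sample log is constructed here from the three lines above plus one made-up line (port 4, a VLAN named restricted) that exercises the mismatch path; the expected-VLAN table and the restricted VLAN name are assumptions.

```python
"""Parse ExtremeXOS NetLogin 802.1x login events and verify VLAN placement (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the three lines from the case study's 'show log chronological'
# output plus one made-up entry (port 4, VLAN 'restricted') to exercise the mismatch path.
SAMPLE_LOG = """\
06/24/2010 19:11:29.45 Network Login 802.1x user PRIMECORP\\john_smith logged in MAC 00:11:11:CD:74:6B port 1 VLAN(s) corp, authentication Radius
06/24/2010 19:11:30.14 Network Login 802.1x user PRIMECORP\\bob_stone logged in MAC 00:11:43:4C:90:6F port 2 VLAN(s) corp, authentication Radius
06/24/2010 19:11:30.71 Network Login 802.1x user PRIMECORP\\john_smith logged in MAC 00:11:43:51:B9:63 port 3 VLAN(s) corp, authentication Radius
06/24/2010 19:12:02.10 Network Login 802.1x user PRIMECORP\\bob_stone logged in MAC 00:11:43:4C:90:6F port 4 VLAN(s) restricted, authentication Radius
"""

# Field layout of a NetLogin "logged in" event as printed by the switch above.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+) "
    r"Network Login (?P<method>\S+) user (?P<user>\S+) logged in "
    r"MAC (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) port (?P<port>\d+) "
    r"VLAN\(s\) (?P<vlans>[^,]+), authentication (?P<auth>\S+)$"
)


@dataclass
class NetLoginEvent:
    timestamp: str
    method: str          # e.g. "802.1x"
    user: str            # e.g. "PRIMECORP\\john_smith"
    mac: str             # normalised to lower case, as 'show netlogin' prints it
    port: int
    vlans: Tuple[str, ...]
    auth: str            # e.g. "Radius"


def parse_netlogin_log(text: str) -> List[NetLoginEvent]:
    """Return one NetLoginEvent per 'logged in' line; unrelated log lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue
        events.append(NetLoginEvent(
            timestamp=m["ts"], method=m["method"], user=m["user"],
            mac=m["mac"].lower(), port=int(m["port"]),
            vlans=tuple(m["vlans"].split()), auth=m["auth"]))
    return events


def find_vlan_mismatches(events: List[NetLoginEvent],
                         expected_vlan_by_user: Dict[str, str]
                         ) -> List[Tuple[NetLoginEvent, Optional[str]]]:
    """Return (event, expected_vlan) for every login that did not land where expected.

    A user missing from the table is reported too (expected_vlan is None): an
    unknown account authenticating through NetLogin deserves a look as well.
    """
    mismatches = []
    for ev in events:
        expected = expected_vlan_by_user.get(ev.user)
        if expected is None or expected not in ev.vlans:
            mismatches.append((ev, expected))
    return mismatches


if __name__ == "__main__":
    # Assumed expectation: both users are healthy, so both belong in 'corp'.
    expected = {"PRIMECORP\\john_smith": "corp", "PRIMECORP\\bob_stone": "corp"}
    for ev, want in find_vlan_mismatches(parse_netlogin_log(SAMPLE_LOG), expected):
        print(f"{ev.timestamp} port {ev.port}: {ev.user} in {ev.vlans}, expected {want}")
```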

    The following snippet shows that the ports, from which the clients have logged on to the network, have been added to the corp VLAN.

    X250e-24p.5 # show corp
    VLAN Interface with name corp created by user
    Admin State: Enabled Tagging: 802.1Q Tag 2
    Virtual router: VR-Default
    Primary IP : 192.168.2.1/24
    IPv6: None
    STPD: None
    Protocol: Match all unfiltered protocols
    Loopback: Disabled
    NetLogin: Disabled
    QosProfile: None configured
    Egress Rate Limit Designated Port: None configured
    Flood Rate Limit QosProfile: None configured
    Ports: 4. (Number of active ports=4)
    Untag: *1a, *2a, *3a
    Tag: *25
    Flags: (*) Active, (!) Disabled, (g) Load Sharing port
    (b) Port blocked on the vlan, (m) Mac-Based port
    (a) Egress traffic allowed for NetLogin
    (u) Egress traffic unallowed for NetLogin
    (t) Translate VLAN tag for Private-VLAN
    (s) Private-VLAN System Port, (L) Loopback port
    (e) Private-VLAN End Point Port
    (x) VMAN Tag Translated port

    The snippet below shows the state recorded by the ExtremeXOS NetLogin module for each of the clients.

    X250e-24p.5 # show netlogin port 1-3
    Port : 1
    Port Restart : Disabled
    Allow Egress : None
    Vlan : corp
    Authentication : 802.1x
    Port State : Enabled
    Guest Vlan : Disabled
    Auth Failure Vlan : Disabled
    Auth Service-Unavailable Vlan : Disabled
    MAC                IP address      Authenticated   Type     ReAuth-Timer   User
    00:11:11:cd:74:6b  192.168.2.102   Yes, Radius     802.1x   3577           PRIMECORP\john_smith
    -----------------------------------------------
    (B) - Client entry Blackholed in FDB

    Port : 2
    Port Restart : Disabled
    Allow Egress : None
    Vlan : corp
    Authentication : 802.1x
    Port State : Enabled
    Guest Vlan : Disabled
    Auth Failure Vlan : Disabled
    Auth Service-Unavailable Vlan : Disabled
    MAC                IP address      Authenticated   Type     ReAuth-Timer   User
    00:11:43:4c:90:6f  192.168.2.101   Yes, Radius     802.1x   2995           PRIMECORP\bob_stone
    -----------------------------------------------
    (B) - Client entry Blackholed in FDB

    Port : 3
    Port Restart : Disabled
    Allow Egress : None
    Vlan : corp
    Authentication : 802.1x
    Port State : Enabled
    Guest Vlan : Disabled
    Auth Failure Vlan : Disabled
    Auth Service-Unavailable Vlan : Disabled
    MAC                IP address      Authenticated   Type     ReAuth-Timer   User
    00:11:43:51:b9:63  192.168.2.103   Yes, Radius     802.1x   2995           PRIMECORP\john_smith
    -----------------------------------------------
    (B) - Client entry Blackholed in FDB


    Restricted Network Access for Unhealthy Supplicants

    In this section we will go through the information available at the server, the switch and the clients when supplicants (clients) do not meet all the health policies the administrator has defined on the NAP server (PRIMECORP-NAP-1). We will disable the Windows Automatic Updates feature on all the clients and let them authenticate to the network. The NAP server will categorize each client as Noncompliant and deliver authorizations accordingly.

    Network Access Restriction Using VLANs

    This section describes the use of VLANs to isolate unhealthy supplicants into a network segment that can be used to quarantine them. We will place the unhealthy supplicants into the VLAN named quarantine; the VLAN ID is delivered by NPS via a vendor-specific attribute (VSA).

    The rest of the section is applicable after all the clients are allowed to authenticate to the network.

    John Smith (JS-WORKSTATION)

    Information Available on the Client

    Steps:

    1. Open Control Panel > Click System and Security > Click Windows Update > Click Change settings > Select Never check for updates (not recommended) > Click Apply.

    2. [Optional Step] The user can speed up re-authentication by disabling and re-enabling the local area connection interface.

    3. Observe that the Network Access Protection agent displays an error message indicating that a system health component is not enabled on the host.


    Information Available on the NAP Server PRIMECORP-NAP-1

    The screen shot below shows that NPS has authenticated the client successfully and has granted access to the network. We will look at the actual network authorizations at the switch later in the section.

    The screen shot below shows that the server (PRIMECORP-NAP-1) attempted to quarantine the unhealthy supplicant.


    The screen shot below is an event generated by NPS indicating that the client has not met the health policy requirements.

    The screen shot below (the event details are further down in the same screen shot) shows the reason the client was deemed noncompliant.


    Bob Stone (BS-WORKSTATION)

    Information Available on the Client

    Steps:

    1. Open Control Panel > Click Windows Security Center > Click Change Settings > Turn off Automatic Updates > Click Apply.

    2. [Optional Step] The user can speed up re-authentication by disabling and re-enabling the local area connection interface.

    3. Observe that the Network Access Protection agent displays an error message indicating that the computer is not compliant with the health policy requirements. A recommendation for remediation is shown in the same window.


    John Smith (LAPTOP1)

    Information Available on the Client

    Steps:

    1. Open Control Panel > Click Windows Security Center > Click Change Settings > Turn off Automatic Updates > Click Apply.

    2. [Optional Step] The user can speed up re-authentication by disabling and re-enabling the local area connection interface.

    3. Observe that the Network Access Protection agent displays an error message indicating that the computer is not compliant with the health policy requirements. A recommendation for remediation is shown in the same window.


    Information Available at the Edge Switch

    The switch log records the authorization delivered for each client. Notice that all three clients have now been placed into the quarantine VLAN. Two details in the output that follows deserve attention in a real deployment: unlike corp, the quarantine VLAN has no IP interface configured on the switch, and the show netlogin output lists 0.0.0.0 as the IP address of every quarantined client. Whatever the clients need in order to remediate (DHCP, remediation servers) must therefore be reachable inside that VLAN, for example via its tagged member port 25.

    06/24/2010 22:16:12.49 Network Login 802.1x user PRIMECORP\john_smith logged in MAC 00:11:11:CD:74:6B port 1 VLAN(s) quarantine, authentication Radius
    06/24/2010 22:16:12.64 Network Login 802.1x user PRIMECORP\bob_stone logged in MAC 00:11:43:4C:90:6F port 2 VLAN(s) quarantine, authentication Radius
    06/24/2010 22:16:13.65 Network Login 802.1x user PRIMECORP\john_smith logged in MAC 00:11:43:51:B9:63 port 3 VLAN(s) quarantine, authentication Radius

    * X250e-24p.28 # show quarantine
    VLAN Interface with name quarantine created by user
    Admin State: Enabled Tagging: 802.1Q Tag 3
    Virtual router: VR-Default
    IPv6: None
    STPD: None
    Protocol: Match all unfiltered protocols
    Loopback: Disabled
    NetLogin: Disabled
    QosProfile: None configured
    Egress Rate Limit Designated Port: None configured
    Flood Rate Limit QosProfile: None configured
    Ports: 4. (Number of active ports=4)
    Untag: *1a, *2a, *3a
    Tag: *25
    Flags: (*) Active, (!) Disabled, (g) Load Sharing port
    (b) Port blocked on the vlan, (m) Mac-Based port
    (a) Egress traffic allowed for NetLogin
    (u) Egress traffic unallowed for NetLogin
    (t) Translate VLAN tag for Private-VLAN
    (s) Private-VLAN System Port, (L) Loopback port
    (e) Private-VLAN End Point Port
    (x) VMAN Tag Translated port

    * X250e-24p.29 # show netlogin port 1-3
    Port : 1
    Port Restart : Disabled
    Allow Egress : None
    Vlan : quarantine
    Authentication : 802.1x
    Port State : Enabled
    Guest Vlan : Disabled
    Auth Failure Vlan : Disabled
    Auth Service-Unavailable Vlan : Disabled
    MAC IP address Authenticated Type ReAuth-Timer User
    00:11:11:cd:74:6b 0.0.0.0 Yes, Radius 802.1x 3509 PRIMECORP\john_smith
    -----------------------------------------------
    (B) - Client entry Blackholed in FDB

    Port : 2
    Port Restart : Disabled
    Allow Egress : None
    Vlan : quarantine
    Authentication : 802.1x
    Port State : Enabled
    Guest Vlan : Disabled
    Auth Failure Vlan : Disabled
    Auth Service-Unavailable Vlan : Disabled
    MAC IP address Authenticated Type ReAuth-Timer User
    00:11:43:4c:90:6f 0.0.0.0 Yes, Radius 802.1x 3507 PRIMECORP\bob_stone
    -----------------------------------------------
    (B) - Client entry Blackholed in FDB

    Port : 3
    Port Restart : Disabled
    Allow Egress : None
    Vlan : quarantine
    Authentication : 802.1x
    Port State : Enabled
    Guest Vlan : Disabled
    Auth Failure Vlan : Disabled
    Auth Service-Unavailable Vlan : Disabled
    MAC IP address Authenticated Type ReAuth-Timer User
    00:11:43:51:b9:63 0.0.0.0 Yes, Radius 802.1x 3508 PRIMECORP\john_smith
    -----------------------------------------------
    (B) - Client entry Blackholed in FDB
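The NetLogin login events shown here and in the healthy case earlier contain everything needed to verify the authorization a client actually received. The following is an added example and not part of the Extreme Networks application note: it parses lines in the format of the show log chronological output (the sample lines are copied from the switch log on this page, three from the healthy run and three from the quarantine run), checks each client's delivered VLAN against the VLAN an operator expects for it, and lists users seen on more than one MAC (john_smith appears on two devices here). The expected-VLAN mapping is a constructed input for the example.

```python
import re
from collections import defaultdict

# ExtremeXOS "Network Login ... logged in" event, one per line, as it appears in
# "show log chronological" on this page. The user may carry a DOMAIN\ prefix.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2}) Network Login "
    r"(?P<method>\S+) user (?P<user>\S+) logged in MAC (?P<mac>[0-9A-Fa-f:]{17}) "
    r"port (?P<port>\S+) VLAN\(s\) (?P<vlans>.+?), authentication (?P<auth>\S+)$"
)

# Sample input: the six login events copied from the switch log on this page.
SAMPLE_LOG = r"""
06/24/2010 19:11:29.45 Network Login 802.1x user PRIMECORP\john_smith logged in MAC 00:11:11:CD:74:6B port 1 VLAN(s) corp, authentication Radius
06/24/2010 19:11:30.14 Network Login 802.1x user PRIMECORP\bob_stone logged in MAC 00:11:43:4C:90:6F port 2 VLAN(s) corp, authentication Radius
06/24/2010 19:11:30.71 Network Login 802.1x user PRIMECORP\john_smith logged in MAC 00:11:43:51:B9:63 port 3 VLAN(s) corp, authentication Radius
06/24/2010 22:16:12.49 Network Login 802.1x user PRIMECORP\john_smith logged in MAC 00:11:11:CD:74:6B port 1 VLAN(s) quarantine, authentication Radius
06/24/2010 22:16:12.64 Network Login 802.1x user PRIMECORP\bob_stone logged in MAC 00:11:43:4C:90:6F port 2 VLAN(s) quarantine, authentication Radius
06/24/2010 22:16:13.65 Network Login 802.1x user PRIMECORP\john_smith logged in MAC 00:11:43:51:B9:63 port 3 VLAN(s) quarantine, authentication Radius
"""


def parse_netlogin_events(text):
    """Parse login events in log order; lines that are not login events are ignored."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["mac"] = ev["mac"].lower()                          # normalise for lookups
            ev["vlans"] = [v.strip() for v in ev["vlans"].split(",")]
            events.append(ev)
    return events


def latest_per_mac(events):
    """Most recent login event per MAC; the last authorization is the one in force."""
    latest = {}
    for ev in events:
        latest[ev["mac"]] = ev
    return latest


def vlan_mismatches(events, expected_vlan):
    """Compare each client's delivered VLAN with expected_vlan[mac].

    Returns (mac, user, port, delivered_vlans, expected) for every event whose
    client is unknown (expected is None) or landed somewhere other than expected.
    This is the check that catches a health policy quietly handing out the
    wrong authorization.
    """
    out = []
    for ev in events:
        want = expected_vlan.get(ev["mac"])
        if want is None or want not in ev["vlans"]:
            out.append((ev["mac"], ev["user"], ev["port"], ev["vlans"], want))
    return out


def users_with_multiple_macs(events):
    """Map user -> sorted MACs for users that logged in from more than one device."""
    macs = defaultdict(set)
    for ev in events:
        macs[ev["user"]].add(ev["mac"])
    return {u: sorted(m) for u, m in macs.items() if len(m) > 1}


if __name__ == "__main__":
    # Constructed expectation: all three lab clients belong in corp when healthy.
    expected = {
        "00:11:11:cd:74:6b": "corp",
        "00:11:43:4c:90:6f": "corp",
        "00:11:43:51:b9:63": "corp",
    }
    events = parse_netlogin_events(SAMPLE_LOG)
    for mac, user, port, vlans, want in vlan_mismatches(latest_per_mac(events).values(), expected):
        print("%s (%s, port %s) is in %s, expected %s" % (mac, user, port, ",".join(vlans), want))
    for user, macs in users_with_multiple_macs(events).items():
        print("%s seen on %d devices: %s" % (user, len(macs), ", ".join(macs)))
```

Run against the full sample, the latest event per MAC shows all three clients in quarantine rather than corp, which is exactly the state the switch output above records after the health check failed.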


    Network Access Restriction Using VLAN and Access Control Lists

    The previous section isolated unhealthy supplicants by moving them to a dedicated VLAN. In this section the unhealthy supplicants are instead returned to the corp VLAN (VID 2), and access control lists delivered together with the VLAN assignment limit their connectivity to specific hosts (which could be used as remediation servers).

    The rest of the section is applicable after all clients are allowed to authenticate to the network.

    Server Side Configuration (PRIMECORP-NAP-1)

    Steps: Open the Network Policy Server console > In the left pane, navigate to NPS (Local)\Policies\Network Policies > In the right pane, double-click Authenticate Corp Users NAP 802.1X (Wired) Noncompliant.


    Steps: In the left pane, click Vendor Specific > Click Add.

    Steps: Click Add to add a new VSA.


    Steps: Select the option Enter Vendor Code > Enter the vendor code 1916 > Select Yes, it conforms > Click Configure Attribute.


    Steps: Enter 209 as the vendor-assigned attribute number > Select Decimal as the attribute format > Enter 2 as the attribute value > Click OK > Click Add again to add a new VSA.

    NOTE

    We are now placing the unhealthy supplicants in the corp VLAN (VID = 2), but we will restrict their access to a limited set of hosts.


    Steps: Enter 1916 as the vendor code > Select Yes, it conforms > Click Configure Attribute.

    Steps: Click Add to add the new attribute.


    Steps: Select Microsoft as the vendor > Click Configure Attribute.


    Steps: Enter 45 as the attribute number > Select Decimal as the format > Enter 1 as the value > Click OK twice.

    NOTE

    This is the MS-Quarantine-State attribute described in Section 4.1.3 Restricted network access using Access Control Lists. The value 1 means Quarantine (0 is Full Access and 2 is Probation).


    Steps: Click Add to add a new VSA.

    Steps: Select Microsoft as the vendor > Select Yes, it conforms > Click Configure Attribute.


    Steps: Enter 52 as the attribute number > Select Hexadecimal as the attribute format > Enter 0xC0A8020B as the value (the IP address 192.168.2.11 of the edge switch written as four hexadecimal octets: C0 = 192, A8 = 168, 02 = 2, 0B = 11) > Click OK three times.

    NOTE

    This is the MS-IPv4-Remediation-Servers attribute described in Section 4.1.3 Restricted network access using Access Control Lists.


    Steps: Observe that all three VSAs are now included in the policy.

    Steps: In the left pane, right-click Network Policies > Click Refresh.
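What the NPS dialogs above build, one field at a time, is three RADIUS Vendor-Specific attributes (type 26, RFC 2865) carried in the Access-Accept for noncompliant clients. The following is an added example, not code from the application note, from Extreme Networks or from Microsoft: it encodes the three attributes with the values configured above and decodes them again, so the on-the-wire layout can be compared against a packet capture taken between the switch and PRIMECORP-NAP-1. Vendor code 1916 and attribute numbers 209, 45 and 52 come from the steps above; 311 is Microsoft's IANA enterprise number. Two details are assumptions about how NPS serializes the dialog formats: a Decimal value is sent as a 4-octet big-endian integer, and the Hexadecimal entry C0A8020B is sent as those four raw octets (which is the address 192.168.2.11).

```python
import ipaddress
import struct

VENDOR_SPECIFIC = 26            # RADIUS attribute type for a VSA (RFC 2865, section 5.26)
VENDOR_EXTREME = 1916           # vendor code entered in the NPS dialog above
VENDOR_MICROSOFT = 311          # Microsoft's IANA enterprise number

# Vendor attribute numbers configured in the Noncompliant policy above.
EXTREME_VLAN_TAG = 209              # Extreme VLAN tag attribute (VLAN ID for the client)
MS_QUARANTINE_STATE = 45            # MS-Quarantine-State
MS_IPV4_REMEDIATION_SERVERS = 52    # MS-IPv4-Remediation-Servers
QUARANTINE = 1                      # MS-Quarantine-State value meaning Quarantine


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute.

    Wire layout: Type=26 | Length | Vendor-Id (4 octets, high octet 0) |
                 Vendor-Type | Vendor-Length | Value
    Vendor-Length counts the vendor type and length octets plus the value.
    """
    if not 0 <= vendor_id < 2 ** 24:
        raise ValueError("vendor id must fit in 24 bits")
    if len(value) > 255 - 8:
        raise ValueError("value too long for a single VSA")
    vendor_part = struct.pack("!IBB", vendor_id, vendor_type, 2 + len(value)) + value
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(vendor_part)) + vendor_part


def decode_vsas(attrs):
    """Walk a sequence of RADIUS attributes; return [(vendor_id, vendor_type, value), ...].

    Non-VSA attributes are skipped. Every length is checked before slicing, so a
    truncated or malformed attribute list raises instead of yielding garbage.
    """
    found = []
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        if atype == VENDOR_SPECIFIC:
            if alen < 8:
                raise ValueError("VSA too short")
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            j = i + 6
            while j < i + alen:            # one VSA may carry several vendor sub-attributes
                vtype, vlen = attrs[j], attrs[j + 1]
                if vlen < 2 or j + vlen > i + alen:
                    raise ValueError("bad vendor sub-attribute length")
                found.append((vendor_id, vtype, bytes(attrs[j + 2:j + vlen])))
                j += vlen
        i += alen
    return found


def ipv4_to_hex(address):
    """'192.168.2.11' -> '0xC0A8020B', the form typed into the NPS hexadecimal field."""
    return "0x%08X" % int(ipaddress.IPv4Address(address))


def noncompliant_authorization(vlan_tag, remediation_server):
    """The three VSAs the Noncompliant policy returns, as one attribute blob."""
    return b"".join([
        encode_vsa(VENDOR_EXTREME, EXTREME_VLAN_TAG, struct.pack("!I", vlan_tag)),
        encode_vsa(VENDOR_MICROSOFT, MS_QUARANTINE_STATE, struct.pack("!I", QUARANTINE)),
        encode_vsa(VENDOR_MICROSOFT, MS_IPV4_REMEDIATION_SERVERS,
                   ipaddress.IPv4Address(remediation_server).packed),
    ])


def describe(attrs):
    """Readable view of the decoded VSAs, e.g. for checking a capture of the Access-Accept."""
    names = {
        (VENDOR_EXTREME, EXTREME_VLAN_TAG): "Extreme VLAN tag",
        (VENDOR_MICROSOFT, MS_QUARANTINE_STATE): "MS-Quarantine-State",
        (VENDOR_MICROSOFT, MS_IPV4_REMEDIATION_SERVERS): "MS-IPv4-Remediation-Servers",
    }
    lines = []
    for vid, vtype, value in decode_vsas(attrs):
        name = names.get((vid, vtype), "vendor %d attr %d" % (vid, vtype))
        if (vid, vtype) == (VENDOR_MICROSOFT, MS_IPV4_REMEDIATION_SERVERS) and len(value) % 4 == 0:
            shown = ", ".join(str(ipaddress.IPv4Address(value[k:k + 4]))
                              for k in range(0, len(value), 4))
        elif len(value) == 4:
            shown = str(struct.unpack("!I", value)[0])
        else:
            shown = value.hex()
        lines.append("%s = %s" % (name, shown))
    return lines


if __name__ == "__main__":
    blob = noncompliant_authorization(2, "192.168.2.11")
    print(blob.hex())
    for line in describe(blob):
        print(line)
```

The decoder is deliberately strict about lengths: a RADIUS client that trusts the length octets of an attribute it did not validate is a classic parsing weakness, and the same code path is what an edge switch runs on every Access-Accept it receives.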


    Verifying Network Access Restrictions

    Information Available at the Edge Switch

    The log below shows that the client (in this case john_smith on port 1) has been authenticated and placed into VLAN corp. In addition, NetLogin has created and applied ACLs dynamically that restrict the client's access to the set of servers delivered in the MS-IPv4-Remediation-Servers VSA.

    06/24/2010 23:17:33.60 Network Login 802.1x user PRIMECORP\john_smith logged in MAC 00:11:11:CD:74:6B port 1 VLAN(s) corp, authentication Radius
    06/24/2010 23:17:33.61 Configure dynamic Acl nl001111cd746b_4_10001 rule index 4294967246 above rule index 4294967295 for applicaition NetLogin.
    06/24/2010 23:17:33.61 Configure dynamic Acl nl001111cd746b_2_10001 rule index 4294967245 above rule index 4294967246 for applicaition NetLogin.
    06/24/2010 23:17:33.72 Configure dynamic Acl nl001111cd746b_3_10001 rule index 4294967244 above rule index 4294967245 for applicaition NetLogin.
    06/24/2010 23:17:33.72 Configure dynamic Acl nl_0_1_10001 rule index 4294967243 above rule index 4294967245 for applicaition NetLogin.

    * X250e-24p.75 # show corp
    VLAN Interface with name corp created by user
    Admin State: Enabled Tagging: 802.1Q Tag 2
    Virtual router: VR-Default
    Primary IP : 192.168.2.1/24
    IPv6: None
    STPD: None
    Protocol: Match all unfiltered protocols
    Loopback: Disabled
    NetLogin: Disabled
    QosProfile: None configured
    Egress Rate Limit Designated Port: None configured
    Flood Rate Limit QosProfile: None configured
    Ports: 4. (Number of active ports=4)
    Untag: *1a, *2a, *3a
    Tag: *25
    Flags: (*) Active, (!) Disabled, (g) Load Sharing port
    (b) Port blocked on the vlan, (m) Mac-Based port
    (a) Egress traffic allowed for NetLogin
    (u) Egress traffic unallowed for NetLogin
    (t) Translate VLAN tag for Private-VLAN
    (s) Private-VLAN System Port, (L) Loopback port
    (e) Private-VLAN End Point Port
    (x) VMAN Tag Translated port


    * X250e-24p.76 # show netlogin port 1
    Port : 1
    Port Restart : Disabled
    Allow Egress : None
    Vlan : corp
    Authentication : 802.1x
    Port State : Enabled
    Guest Vlan : Disabled
    Auth Failure Vlan : Disabled
    Auth Service-Unavailable Vlan : Disabled
    MAC IP address Authenticated Type ReAuth-Timer User
    00:11:11:cd:74:6b 192.168.2.102 Yes, Radius 802.1x 3544 PRIMECORP\john_smith
    -----------------------------------------------
    (B) - Client entry Blackholed in FDB

    Details of the ACLs applied can be seen with the show access-list dynamic commands below. The log entries above install each rule above the one before it, so the effective evaluation order is nl_0_1_10001 first, then the client's _3, _2 and _4 rules: permit anything destined to 192.168.2.11; permit EtherType 34958 (0x888E, EAPOL) from the client MAC so that re-authentication still works; permit broadcast frames from the client MAC (needed for ARP and DHCP); and finally deny everything else from the client MAC. Note that nl_0_1_10001 carries no MAC address, so it applies to every client on the port rather than only to john_smith's machine.

    * X250e-24p.77 # show access-list dynamic
    Dynamic Rules: ((*)- Rule is non-permanent )
    (*)hclag_arp_0_4_96_28_b_c1 Bound to 0 interfaces for application HealthCheckLAG
    (*)nl001111cd746b_2_10001 Bound to 1 interfaces for application NetLogin
    (*)nl001111cd746b_3_10001 Bound to 1 interfaces for application NetLogin
    (*)nl001111cd746b_4_10001 Bound to 1 interfaces for application NetLogin
    (*)nl_0_1_10001 Bound to 1 interfaces for application NetLogin

    * X250e-24p.78 # show access-list dynamic rule nl001111cd746b_2_10001
    entry nl001111cd746b_2_10001 {
        if match all {
            ethernet-source-address 00:11:11:cd:74:6b ;
            ethernet-destination-address ff:ff:ff:ff:ff:ff ;
        } then {
            permit ;
        }
    }

    * X250e-24p.79 # show access-list dynamic rule nl001111cd746b_3_10001
    entry nl001111cd746b_3_10001 {
        if match all {
            ethernet-type 34958 ;
            ethernet-source-address 00:11:11:cd:74:6b ;
        } then {
            permit ;
        }
    }


    * X250e-24p.80 # show access-list dynamic rule nl001111cd746b_4_10001
    entry nl001111cd746b_4_10001 {
        if match all {
            ethernet-source-address 00:11:11:cd:74:6b ;
        } then {
            deny ;
        }
    }

    * X250e-24p.81 # show access-list dynamic rule nl_0_1_10001
    entry nl_0_1_10001 {
        if match all {
            destination-address 192.168.2.11/255.255.255.255 ;
        } then {
            permit ;
        }
    }
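The four dynamic rules above only make sense when read in the precedence the switch log gave them (each was installed above the one before it). The following is an added example, not code from the application note or from ExtremeXOS: it models that rule set with first-match evaluation and shows which frames from the quarantined client on port 1 get through (traffic to the remediation server, EAPOL so re-authentication still works, and broadcast frames for ARP and DHCP) while everything else from the client's MAC is dropped. The sample frames and MAC addresses other than the client's are constructed, and a frame that matches no rule is assumed to be forwarded, since the page shows no catch-all rule; that assumption is what makes the last sample (a second MAC on the same port) informative.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_EAPOL = 0x888E              # 34958 decimal, as printed in the rule above
BROADCAST = "ff:ff:ff:ff:ff:ff"
CLIENT_MAC = "00:11:11:cd:74:6b"      # john_smith's workstation on port 1
REMEDIATION_SERVER = "192.168.2.11"   # delivered in MS-IPv4-Remediation-Servers


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: int
    dst_ip: Optional[str] = None      # only meaningful for IPv4 frames


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "permit" or "deny"
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    ethertype: Optional[int] = None
    dst_ip: Optional[str] = None       # host (/32) match, as nl_0_1_10001 uses

    def matches(self, f: Frame) -> bool:
        """'if match all': every field the rule sets must equal the frame's field."""
        return all(want is None or want == have for want, have in (
            (self.src_mac, f.src_mac), (self.dst_mac, f.dst_mac),
            (self.ethertype, f.ethertype), (self.dst_ip, f.dst_ip)))


# The four dynamic rules from the show access-list output, in the order the
# switch log placed them (each installed "above" the previous one).
PORT1_RULES = (
    Rule("nl_0_1_10001", "permit", dst_ip=REMEDIATION_SERVER),
    Rule("nl001111cd746b_3_10001", "permit", src_mac=CLIENT_MAC, ethertype=ETHERTYPE_EAPOL),
    Rule("nl001111cd746b_2_10001", "permit", src_mac=CLIENT_MAC, dst_mac=BROADCAST),
    Rule("nl001111cd746b_4_10001", "deny", src_mac=CLIENT_MAC),
)


def evaluate(rules, frame: Frame, default: str = "permit") -> Tuple[str, Optional[str]]:
    """First-match evaluation. A frame matching no rule gets `default`, assumed
    here to be forwarding because the page shows no catch-all entry."""
    for rule in rules:
        if rule.matches(frame):
            return rule.action, rule.name
    return default, None


def decide(src_mac, dst_mac, ethertype, dst_ip=None):
    """Outcome for one frame arriving on port 1: (action, matching rule or None)."""
    return evaluate(PORT1_RULES, Frame(src_mac, dst_mac, ethertype, dst_ip))


if __name__ == "__main__":
    GW_MAC = "00:00:5e:00:01:01"        # constructed MAC for the corp gateway 192.168.2.1
    SERVER_MAC = "00:11:22:33:44:66"    # constructed MAC for the remediation server
    samples = {
        "ping remediation server": (CLIENT_MAC, SERVER_MAC, ETHERTYPE_IPV4, REMEDIATION_SERVER),
        "ping gateway": (CLIENT_MAC, GW_MAC, ETHERTYPE_IPV4, "192.168.2.1"),
        "ARP request": (CLIENT_MAC, BROADCAST, ETHERTYPE_ARP),
        "DHCP discover": (CLIENT_MAC, BROADCAST, ETHERTYPE_IPV4, "255.255.255.255"),
        "EAPOL start": (CLIENT_MAC, "01:80:c2:00:00:03", ETHERTYPE_EAPOL),
        "other MAC on same port": ("00:11:22:33:44:55", GW_MAC, ETHERTYPE_IPV4, "192.168.2.1"),
    }
    for label, args in samples.items():
        print("%-24s -> %s" % (label, decide(*args)))
```

The first two samples reproduce the client-side ping test below: the remediation server answers, the gateway does not. The last sample is the caveat: the deny rule is keyed on the authenticated client's MAC, so a second device sharing the port (behind a hub or a spoofed MAC) is not covered by it and falls through to the port's default behaviour.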

    Client Side Verification

    The screen shot below shows a command prompt window with the results of two ping requests initiated by the client. Notice that the client can now reach only the server/host with IP address 192.168.2.11.

    2011 Extreme Networks, Inc. All rights reserved. Extreme Networks, the Extreme Networks Logo, ExtremeXOS and Summit are either registered trademarks or trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other trademarks are the trademarks of their respective owners. Specifications are subject to change without notice. 1709_01 11/11

    www.extremenetworks.com

    Corporate and North America: Extreme Networks, Inc., 3585 Monroe Street, Santa Clara, CA 95051 USA, Phone +1 408 579 2800
    Europe, Middle East, Africa and South America: Phone +31 30 800 5100
    Asia Pacific: Phone +65 6836 5437
    Japan: Phone +81 3 5842 4011