Reset_ asked:

NAP

I have set up NAP on a Windows Server 2008 in a lab environment. The goal is to implement this in a production environment.

The goal is to handle 6 types of computers:

1. Domain joined, compliant
2. Domain joined, not compliant
3. Domain joined, not NAP capable
4. Not domain joined, compliant
5. Not domain joined, not compliant
6. Not domain joined, not NAP capable

When a machine connects to a switch in the network with cable it will be put in a vlan based on the category it falls into above.

I have solved the first 3 scenarios in my lab, but I had no luck with the last 3.

I got everything working with the first three scenarios on a Win7 machine that was joined to the domain. I then set up an XP machine with SP3 to see if it worked with this OS also.

When I connected the XP machine to the switch it didn't get an IP address. My hope was that it would be recognized as a 4/5/6 machine (see categories above) and put in the VLAN specified for that policy (i.e. VLAN DMZ). But nothing happened. Then I configured the NAP client via netsh etc. Nothing happens. After trying this and that I patched the XP box to a port in the switch with a static configuration so it got an IP in the corp network. I joined the computer to the domain and booted the computer. After I had done that I patched the XP box back to the port I used in the start and everything worked fine. If I disable the firewall the box is put in the DMZ VLAN, if I enable it the box gets back in the corp VLAN. All good! When I removed the computer from the domain again (after I had concluded that all parts were working) and rebooted, the computer fails to get an IP address.

I am thinking 1 of 2:
1. It is not possible to handle computers unless they are members of the domain
2. My configuration on the NAP server needs to be adjusted.

My guess is 2, but I can't get it to work.

It is nice to see that I can gain control of my domain joined computers, but I need a solution that can handle a guest machine that is not part of the domain, and put it in a DMZ VLAN as I want them to gain internet access, but not be able to access the servers.

I have fiddled around with the NAP configuration, authentication/authentication methods etc., but I had no luck.
ASKER CERTIFIED SOLUTION
dossaviation

(solution text not available)

Reset_ (ASKER)

Dossaviation, thank you for a really good answer! You have confirmed my suspicions and I don't think I will go for Microsoft NAP in our environment.

In my opinion NAP works great if you are dealing with domain computers but that is not the case for many of our customers. I need a lot more flexibility in the solution I pick and I am not going to use more time trying to get this NAP shoe to fit.

This has to be a common problem when implementing NAC in a network, and I really hope Microsoft would address these issues. Maybe it is just me, but being able to define a policy where you are able to put non-Windows and non-NAP-capable clients in an "if-everything-fails" VLAN is a must have.

I am currently looking into the IDM product from HP, and so far it looks like it will fit my needs perfectly.

From the IDM manual:
"If a user is authenticated in RADIUS, but is unknown to IDM, IDM will not
override RADIUS authentication and default switch settings, unless you
configure it to do so. You can create a "guest" profile in IDM to provide
limited access for unknown users."

According to my estimate a solution based on PCM+ and IDM will cost around $7000 to implement (includes 1 yr of maintenance, upgrades etc.) and then $300 a yr to get all the program updates etc. At this point it looks like the best way to go.

Again, thank you for your time, and a very good answer.

I will close the case and award you the points.

/K
dossaviation

Reset,

Wholeheartedly agree with every point you make. We too were trying to "fit the NAP shoe", so to speak... you can't argue with the cost (free) so we had hoped that the product would allow for some dynamic configurations and quick interaction with our Cisco environment.

Alas, that is not the case. After decommissioning the Cisco Clean Access product (way too complicated for my staff) the search began.

We still seek out a simple, easy to manage, role-based NAC solution. I will check out IDM... hadn't heard about that one. The cost seems pretty good as well.

I was happy to help out. No sense re-doing work that has already been done. Please PM me and keep me posted on your IDM experiences. It might work in our environment as well.

Take care!
Reset_ (ASKER)

Will do!

Thanks again, Dossaviation.

Reset_ (ASKER)

Working with the security setup wizard in HP's IDM I found a setting under "Advanced settings for Wired 802.1x" named unauth-vid (Unauthorized VLAN id).

I set this to my guest VLAN, and the laptop I have been using for this lab automatically got put in the guest VLAN without any configuration on the laptop.

After checking the config on the switch it looks like it adds the following configuration on the ports:

gvrp
aaa authentication port-access eap-radius
aaa accounting network start-stop radius
radius-server timeout 1
radius-server host 10.11.181.21
aaa port-access gvrp-vlans
aaa port-access authenticator 17-24
aaa port-access authenticator 17 unauth-vid 50
aaa port-access authenticator 17 client-limit 1
aaa port-access authenticator 18 unauth-vid 50
aaa port-access authenticator 18 client-limit 1
aaa port-access authenticator 19 unauth-vid 50
aaa port-access authenticator 19 client-limit 1
aaa port-access authenticator 20 unauth-vid 50
aaa port-access authenticator 20 client-limit 1
aaa port-access authenticator 21 unauth-vid 50
aaa port-access authenticator 21 client-limit 1
aaa port-access authenticator 22 unauth-vid 50
aaa port-access authenticator 22 client-limit 1
aaa port-access authenticator 23 unauth-vid 50
aaa port-access authenticator 23 client-limit 1
aaa port-access authenticator 24 unauth-vid 50
aaa port-access authenticator 24 client-limit 1
aaa port-access authenticator active

Now I am thinking it might be possible to configure the switch this way in the NAP case I had going earlier, and be able to put clients that are not NAP capable etc. into a guest VLAN. I haven't tried a Linux box or anything like that yet, but my guess is that everything that doesn't authenticate with the RADIUS server will be put in this VLAN. If this is true things will be better, not perfect but a lot better.

"aaa port-access authenticator 24 unauth-vid 50"

I just wanted to give you a quick update on this, I will continue the IDM lab now and do some research on this later.

/K
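The last post relies on every 802.1X-enabled port carrying an `unauth-vid`; a port in the authenticator range without one reproduces the original symptom (a non-NAP-capable or non-domain client that never authenticates gets no VLAN and no IP address). The following is an added configuration audit, written for this page and not code from the thread, from HP or from Microsoft. It parses the ProCurve-style `aaa port-access authenticator` lines as posted above (the copy embedded below is constructed from them and drops the gvrp/accounting/radius-server lines, which the audit does not use), expands the port range, and reports any authenticator port whose `unauth-vid` is missing or differs from the expected guest VLAN, any port without a `client-limit`, a missing `authenticator active` line, and, if the caller says how many ports the switch has, ports that have no port-access at all. It assumes plain numeric port names as in the posted config (modular switches use names like `A1`, which this parser does not handle), and the interpretation of `client-limit` in the finding text follows the ProCurve documentation as the author of this example understands it.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed from the switch configuration posted in the thread above.
SAMPLE_CONFIG = """\
aaa authentication port-access eap-radius
aaa port-access gvrp-vlans
aaa port-access authenticator 17-24
aaa port-access authenticator 17 unauth-vid 50
aaa port-access authenticator 17 client-limit 1
aaa port-access authenticator 18 unauth-vid 50
aaa port-access authenticator 18 client-limit 1
aaa port-access authenticator 19 unauth-vid 50
aaa port-access authenticator 19 client-limit 1
aaa port-access authenticator 20 unauth-vid 50
aaa port-access authenticator 20 client-limit 1
aaa port-access authenticator 21 unauth-vid 50
aaa port-access authenticator 21 client-limit 1
aaa port-access authenticator 22 unauth-vid 50
aaa port-access authenticator 22 client-limit 1
aaa port-access authenticator 23 unauth-vid 50
aaa port-access authenticator 23 client-limit 1
aaa port-access authenticator 24 unauth-vid 50
aaa port-access authenticator 24 client-limit 1
aaa port-access authenticator active
"""

# A bare port list: "aaa port-access authenticator 17-24" or "1,3,5-8".
PORT_LIST = re.compile(r"^aaa port-access authenticator ([\d,\-]+)$")
# A per-port setting: "aaa port-access authenticator 17 unauth-vid 50".
PORT_SETTING = re.compile(
    r"^aaa port-access authenticator (\d+) (unauth-vid|auth-vid|client-limit) (\d+)$"
)
ACTIVE_LINE = "aaa port-access authenticator active"


def expand_ports(spec: str) -> List[int]:
    """Expand a ProCurve numeric port list such as '1,3,5-8' into [1, 3, 5, 6, 7, 8]."""
    ports: List[int] = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.extend(range(int(lo), int(hi) + 1))
        else:
            ports.append(int(part))
    return ports


def parse_port_access(config: str) -> Dict:
    """Collect authenticator ports, their per-port settings and the active flag."""
    state: Dict = {"authenticator_ports": set(), "settings": {}, "active": False}
    for raw in config.splitlines():
        line = raw.strip()
        if line == ACTIVE_LINE:
            state["active"] = True
            continue
        m = PORT_SETTING.match(line)
        if m:
            port, key, value = int(m.group(1)), m.group(2), int(m.group(3))
            state["settings"].setdefault(port, {})[key] = value
            continue
        m = PORT_LIST.match(line)
        if m:
            state["authenticator_ports"].update(expand_ports(m.group(1)))
    return state


def audit(config: str, guest_vlan: int,
          switch_ports: Optional[Iterable[int]] = None) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    state = parse_port_access(config)
    findings: List[str] = []
    if not state["active"]:
        findings.append("authenticator not active: no port enforces 802.1X")
    for port in sorted(state["authenticator_ports"]):
        s = state["settings"].get(port, {})
        if "unauth-vid" not in s:
            # This is the failure the thread started with: a client that never
            # authenticates stays in no VLAN and never gets an address.
            findings.append(f"port {port}: no unauth-vid, unauthenticated clients get no VLAN")
        elif s["unauth-vid"] != guest_vlan:
            findings.append(f"port {port}: unauth-vid {s['unauth-vid']} is not guest VLAN {guest_vlan}")
        if "client-limit" not in s:
            # Without client-limit the port runs port-based 802.1X: one
            # successful client opens the port for every MAC behind it.
            findings.append(f"port {port}: no client-limit, port-based mode")
    if switch_ports is not None:
        unprotected = sorted(set(switch_ports) - state["authenticator_ports"])
        if unprotected:
            findings.append(f"ports without any port-access: {unprotected}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, guest_vlan=50, switch_ports=range(1, 25)) or ["ok"]:
        print(finding)
```

Run against the posted configuration with the guest VLAN set to 50, the audit is clean for ports 17 to 24; passing the switch's full port range additionally flags ports 1 to 16, which the posted snippet leaves without any port-access, so a guest plugged into one of them is neither authenticated nor moved to the guest VLAN.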