The following is an example of the wired topology using PowerSwitch N-series switches:
The following example details a typical scenario involving a user requiring wired access to a corporate or guest network. Posture compliance with OnGuard is the key feature demonstrated.
In this scenario, a user requires network access with a device not supplied by a corporate IT department and is connecting to a network using a wired Ethernet connection.
i. If healthy, W-ClearPass places the user in the appropriate VLAN.
ii. If not healthy, W-ClearPass places the user in a quarantine VLAN. Once the issue is resolved, the user is automatically reauthenticated and placed into the appropriate VLAN. In some cases, Autoremediation can make the required changes without user action.
The above scenario can be used for any type of guest or employee network. The example in this paper uses a single employee VLAN and a quarantine VLAN. Administrators can set up W-ClearPass to assign users to different VLANs to support guest networks, contractor networks, or multiple employee group VLANs.
This example uses username and password credentials that are stored in a Windows Server Active Directory. Any type of authentication, including certificates, can be used with OnGuard posture policies. This guide does not go into detail on configuring authentication types. For further information about BYOD topics through Onboard and Guest access, see the W-ClearPass User Guide or other available deployment guides at https://www.dell.com/support/.
The configuration examples in the Dell W-series controller configuration – wireless and Dell W-ClearPass configuration – wireless sections detail a basic solution that uses W-ClearPass OnGuard and a PowerSwitch N-series switch. The scenarios presented contain a policy decision and enforcement based on posture information from OnGuard.
The configuration for the PowerSwitch N-series switch remains the same regardless of the type of OnGuard client or operating system you use. The configuration for W-ClearPass differentiates between the following combinations of OnGuard client types and operating systems:
The solution uses a W-ClearPass website for access to both OnGuard application types for employees, and guest scenarios. In scenario step 4c, the website URL is manually provided to the user. See the Create an OnGuard landing webpage section for information.
Note: The following configuration commands do not constitute the full configuration needed for a fully functional access switch. The commands contain the key configurations needed to enable the features described in this document. See the attached configuration file (N-Series Configuration example.txt) for the running-config.
| N3048P configuration commands | Description of commands |
|---|---|
| `configure` `vlan 6,8` `exit` `ip routing` | Create two VLANs, one for employees (VLAN 6) and one for quarantine (VLAN 8). |
| `interface vlan 1` `ip address 172.25.172.47 255.255.0.0` `exit` | Configure the IP address. VLAN 1 is used for corporate resource traffic. |
| `interface vlan 6` `ip address 10.1.6.2 255.255.255.0` `ip dhcp relay information option-insert` `exit` | Configure the IP address. VLAN 6 is used for employee traffic. Configure DHCP relay to insert the circuit ID option (option 82). |
| `interface vlan 8` `ip address 10.1.8.2 255.255.255.0` `ip dhcp relay information option-insert` `exit` | Configure the IP address. VLAN 8 is used for quarantined employee traffic. Configure DHCP relay to insert the circuit ID option (option 82). |
| `ip dhcp relay information option` | Enable the circuit ID option (option 82) for DHCP relay globally. |
| `ip helper-address 172.25.172.189 dhcp` | Relay DHCP UDP packets globally to the corporate DHCP server address. |
| `dot1x system-auth-control` `aaa authentication dot1x default radius` `aaa authorization network default radius` | Enable 802.1X authentication globally, specify the authentication method, and specify the authorization method. |
| `aaa server radius dynamic-author` `client 172.25.172.188 server-key "radius_key"` `auth-type any` `exit` | Start listening for RADIUS CoA requests, configure the shared secret key used for RADIUS CoA requests, and configure the accepted authorization types. |
| `radius-server host auth 172.25.172.188` `name "Default-RADIUS-Server"` `source-ip 172.25.172.47` `usage 802.1x` `key "radius_key"` `exit` | Specify a RADIUS server with its descriptive name (default), the source IP address used with the RADIUS server, the usage type, and the shared secret used for the RADIUS server. |
Note: This example uses a single switch for Layer 2 and Layer 3 traffic. Some of the commands shown above, particularly those for the DHCP relay feature, may not be required on the access switch being used. Commands unique to the interface ports are not shown. For more detail, see the attached configuration file.
W-ClearPass is configured using the ClearPass UI through a standard browser. This guide presents the key steps necessary to configure the example scenario. To improve readability, the included screenshots do not show the entire browser. Usually, the navigation window on the left side of the screen is not shown. To ensure readers understand the configuration location shown, the navigation path is provided in the configuration steps. In the screenshots, the current tab is highlighted with a dark blue color.
W-ClearPass allows administrators to configure policies and profiles directly from the main service configuration screen. When using this method of configuration, the necessary windows are opened automatically, which can streamline the amount of time it takes an experienced user to configure a fully functional service. In this guide, each profile and policy is built before the creation of the service to aid in the description of navigating the configuration provided in this document.
Note: This guide does not detail the initial setup of the W-ClearPass server. For more information about VM installation, initial server configuration, and licensing, see the W-ClearPass User Guides at https://www.dell.com/support.
As shown in the previous figure, the W-ClearPass Welcome screen is the main screen used to go to each W-ClearPass application. The W-ClearPass Policy Manager is at the core of the solution and is the focus of most of this document.
Note: For more information about each of the W-ClearPass applications, see the W-ClearPass User Guide at https://www.dell.com/support.
Before W-ClearPass recognizes authentication requests, the switch originating the request must be added to the list of network devices in W-ClearPass. The IP Address and RADIUS shared secret (step 4) must match the configuration used on the switch.
The following figure shows a partial configuration of the Active Directory Authentication Source. This example uses Windows Server with Active Directory installed as the source for the username and password credential store. W‑ClearPass supports many different authentication sources.
Note: For additional details on configuring Active Directory and other authentication source types, see the W-ClearPass User Guide at https://www.dell.com/support.
W-ClearPass includes templates for many common services. These templates allow administrators to easily build the services and their associated policies. This section details the use of the 802.1X Wired template in the Start Here section within the Configuration section as shown in the figure below.
The General tab of the 802.1X Wired Service Template opens.
Note: 802.1X Wired is appended to the Name Prefix.
Note: More authentication sources can be added later.
Note: This message is displayed anytime OnGuard detects a posture compliance issue.
Note: At least one rule and the three VLAN/Role fields at the bottom of the list are required. These settings can be changed and added later.
Note: The numbering may vary between deployments.
The services can be viewed by selecting Configuration > Services. The two services shown in Figure 14 will be modified after the Posture, Role Mapping and Enforcement Policies are configured.
The 802.1x Wired template creates three Posture Policies, as shown in the figure below, with the prefix name used in the template. To view the Posture Policies, go to Configuration > Posture > Posture Policies.
The following figure shows the default policy the Service Template creates. In this example, the only posture check will be to enable checks for a firewall.
The ClearPass Windows Universal System Health Validator window opens. This window allows you to customize each posture category for each type of Windows operating system. In this example, only checks for firewall applications on the Microsoft Windows 7 operating system are enabled.
These options check Windows 7 devices for any active firewall. If no firewall application is active (on), OnGuard reports the device as unhealthy.
Note: By default, the AntiVirus check is enabled. If you do not want OnGuard to quarantine your test device due to the absence of an antivirus client, clear the appropriate box now to disable it.
The Rules tab, shown in the figure below, allows the administrator to define the conditions that determine the type of posture token assigned, based on the outcome of the health scan.
In this example, the default settings are used. Any single failure of the health scan produces a Quarantine token. This token is later used to determine the enforcement policies during authentication, or during a reauthentication that OnGuard enforces.
Role mappings are used to apply conditions to each user to classify them into roles. The roles are then used to identify users and can be used to enforce policies within the service. There are numerous conditions and rules that can be used to form a Role Mapping. For more information about roles and Role Mapping, see the W-ClearPass Policy Manager User Guide at https://www.dell.com/support.
In this guide, this example uses default roles that are built into the W-ClearPass Policy Manager. The two roles used are [Employee] and [Guest].
Note: Brackets surrounding the name identify the default configurations in W-ClearPass.
Administrators can build sophisticated condition lists and any number of specific rules to identify multiple user types. This simple example assigns the [Employee] role to any user whose Active Directory department field is set to Employee. Any user whose Active Directory department field is not populated with Employee is assigned the default [Guest] role.
Note: The Role Mapping created is used in the 802.1X RADIUS Service. Role Mapping is not used for the Health Check Service. A more detailed explanation of the two services is discussed later in this section.
Enforcement Policies are a group of rules with conditions that direct enforcement actions that ultimately are sent to the Network Access Device. In this example, the N-series switch is the Network Access Device. Enforcement profiles are a collection of attributes that define those enforcement actions.
The 802.1x Wired template with posture checks produced two services:
Both services need Enforcement Policies and their associated Enforcement Profiles. The Health Check Service produces a posture token by performing an action, while the RADIUS Service uses that token within its conditions to determine a VLAN assignment action.
Enforcement Profiles are used within the Enforcement Policies, so the profiles are configured first.
The Health Check Service requires a profile to terminate the session so that the RADIUS 802.1X authentication Service can use the posture token in a new authentication routine. The terminate session profile will use the Change of Authorization feature to force a reauthentication.
This example uses Dell Terminate Session as the profile name.
The following details an example of configuring the Enforcement Policy for the Health Check Service. The prepopulated policy from the template is sufficient for this example and most of the default settings are kept.
Note: In this example, the name is Posture Scenario 802.1X Wired OnGuard Agent Enforcement Policy, and its type is WEBAUTH. The template automatically generates this policy based on the prefix name.
Note: For the example in this guide, the prepopulated conditions work well. No changes are made to the default conditions.
Note: The first part of the rule states that any posture token value that is not equal to HEALTHY(0) triggers the rule to be enforced.
The Enforcement Profiles under the condition are the actions that are applied if the conditions in this rule are met. The first profile in the list is named [Agent] Posture Scenario 802.1X Wired Quarantined Agent Enforcement. This profile displays a quarantine message to the client.
To access the profile from the Enforcement Profiles list, click Configuration > Enforcement > Profiles.
The profile was created from the Service template during the Service creation process. The settings for this profile are kept as default and are not shown in this guide.
The next section details the configuration of the policy and profiles that are used in the RADIUS 802.1X service.
The RADIUS 802.1X Service requires an Enforcement profile to enable the assignment of VLANs. In this example, a client device that fails a health check is assigned to a Quarantine VLAN. A client device that passes a health check is assigned an Employee VLAN.
To create a profile to enforce an Employee VLAN assignment, perform the following steps:
Note: This example uses N-Series VLAN Employee as the profile name.
Note: In this example, Employees are assigned to VLAN 6.
The Summary tab should look similar to what is in the following image.
To create a profile to enforce a Quarantine VLAN assignment, perform the following steps:
Note: This example uses N-Series VLAN Quarantine as the profile name.
Note: In this example, Quarantined users are assigned to VLAN 8.
The following steps configure the Enforcement Policy for the RADIUS 802.1X Service. The prepopulated policy from the template is sufficient for this example, and many settings will be kept as default. The next steps will describe the contents of the Enforcement Policy.
Note: In this example, the name is Posture Scenario 802.1X Wired Enforcement Policy, and its type is RADIUS. The template has automatically generated this policy based on the prefix name.
Note: This example uses the quarantine profile to place users that fail authentication checks into quarantine. If the administrator chooses, a profile to deny access or place users into a different VLAN is possible here.
In this example, this authentication policy has only two outcomes given the correct credentials.
The first outcome places the user in the Employee VLAN (6). The second outcome places the user into the Quarantine VLAN (8).
If the administrator has other user classifications and conditions, they can be added now. Extra profiles or user roles may be required.
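The two RADIUS exchanges this configuration depends on, modelled offline in Python as an added example (not Dell or ClearPass code): the CoA Disconnect-Request behind the Dell Terminate Session profile, which the switch accepts only if it verifies against the `server-key` from the switch table, and the tunnel attributes that carry the VLAN 6 or VLAN 8 assignment chosen by the Enforcement Policy above. The user name, calling station ID and the non-HEALTHY token value used for the quarantine case are constructed sample values.

```python
"""Added example: RADIUS CoA Disconnect-Request (RFC 5176) and VLAN tunnel attributes (RFC 2868)
as used by the ClearPass/N-series posture scenario. Nothing is sent on the network."""
import hashlib
import hmac
import struct

SHARED_SECRET = b"radius_key"          # "server-key" / "key" in the switch configuration table
CODE_DISCONNECT_REQUEST, CODE_DISCONNECT_ACK = 40, 41   # RFC 5176 packet codes
HEALTHY = 0                            # ClearPass posture token HEALTHY(0); the rule fires on != HEALTHY
EMPLOYEE_VLAN, QUARANTINE_VLAN = 6, 8  # N-Series VLAN Employee / N-Series VLAN Quarantine profiles

def avp(attr_type, value, tag=None):
    """Encode one RADIUS attribute (type, length, value); tag byte prepended for tunnel attributes."""
    body = (bytes([tag]) if tag is not None else b"") + value
    return struct.pack("!BB", attr_type, 2 + len(body)) + body

def vlan_attributes(posture_token):
    """Enforcement outcome: HEALTHY -> Employee VLAN, any other token -> Quarantine VLAN.
    Tunnel-Type(64)=VLAN(13), Tunnel-Medium-Type(65)=IEEE-802(6), Tunnel-Private-Group-ID(81)=VLAN."""
    vlan = EMPLOYEE_VLAN if posture_token == HEALTHY else QUARANTINE_VLAN
    return (avp(64, struct.pack("!I", 13)[1:], tag=1)    # tagged integer: tag + 3-byte value
            + avp(65, struct.pack("!I", 6)[1:], tag=1)
            + avp(81, str(vlan).encode(), tag=1))

def assigned_vlan(attrs):
    """Read Tunnel-Private-Group-ID back out of an attribute list (skips the tag byte)."""
    pos = 0
    while pos + 2 <= len(attrs):
        attr_type, length = attrs[pos], attrs[pos + 1]
        if attr_type == 81:
            return int(attrs[pos + 3:pos + length])
        pos += length
    return None

def build_packet(code, identifier, authenticator, attrs):
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs

def coa_disconnect_request(identifier, user_name, calling_station):
    """Disconnect-Request as the Terminate Session profile would send it: session identifiers,
    then Request Authenticator = MD5(header + 16 zero bytes + attributes + secret)."""
    attrs = avp(1, user_name.encode()) + avp(31, calling_station.encode())
    unsigned = build_packet(CODE_DISCONNECT_REQUEST, identifier, bytes(16), attrs)
    return build_packet(CODE_DISCONNECT_REQUEST, identifier,
                        hashlib.md5(unsigned + SHARED_SECRET).digest(), attrs)

def nas_verify_request(packet, secret=SHARED_SECRET):
    """What 'aaa server radius dynamic-author' makes the switch do: recompute the authenticator
    with its configured server-key. A mismatch (wrong key) means the request is silently dropped."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def nas_disconnect_ack(request):
    """Disconnect-ACK: Response Authenticator = MD5(header + request authenticator + attrs + secret)."""
    unsigned = build_packet(CODE_DISCONNECT_ACK, request[1], request[4:20], b"")
    return build_packet(CODE_DISCONNECT_ACK, request[1],
                        hashlib.md5(unsigned + SHARED_SECRET).digest(), b"")

def server_verify_ack(request, response, secret=SHARED_SECRET):
    """The CoA server side: accept the ACK only if its identifier and authenticator match."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return (response[0] == CODE_DISCONNECT_ACK and response[1] == request[1]
            and hmac.compare_digest(expected, response[4:20]))
```

A key mismatch between the ClearPass network device entry and the switch shows up here as a dropped Disconnect-Request, which is why the shared secret must be identical on both sides.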
Note: The first condition must be saved before the second condition can be created.
The Rules Editor window should look like the example below.
Now that all the components of the Services are defined and configured, the Services themselves need to be configured.
The template populates the Service Rules with two rules that must all match. In this example, a simpler configuration is used: only the first condition is kept. This Service classifies all devices that connect using Ethernet. Administrators can add other rules at any time to narrow the devices to which this Service applies.
Note: The deletion of the Service-Type rule is optional. This rule can be added back into your deployed service.
Note: Configuring the Service Rules is key to mapping the authentication request to the proper service. In a complex deployment, administrators can have multiple Services with similar functions that take different actions depending on the method of network access. This allows a posture check Service for both wired and wireless access to enable different enforcement actions. For more information about Service Rules, see the Dell Networking W-Series ClearPass Policy Manager User Guide at https://www.dell.com/support.
This example uses Microsoft Active Directory with username and password requirements for the credentials. Authentication methods for this example are satisfied by using MSCHAPv2 and PEAP. Administrators can use any type of authentication method required by their network security policy.
The template populates the appropriate Enforcement Policy in the drop-down menu.
Note: For this example, keep all the default settings.
Note: In this example, no Roles are needed for this Health Check Service.
During testing, Posture Policies can be kept as default, but it is recommended that you modify each policy for a specific operating system to reflect the health posture being tested.
Note: For initial testing, Dell Technologies recommends that you validate the functionality with a single operating system and health check setting, such as Windows 7 and Firewall.
It is useful to have control over the health status of the client. Autoremediation automatically fixes many health issues on the device. If administrators want to verify assigned VLANs and other enforcement actions, Dell Technologies recommends that you clear the Remediate End-Hosts checkbox. You can reselect this option at any time after verifying that the policy actions are behaving as expected.
The template populates the appropriate Enforcement Policy in the drop-down menu.
Configuration of the W-ClearPass Services to include all supporting policies and roles is now complete.
The W-ClearPass and N-Series configuration in this guide can be tested with any client. The following section details the use of a laptop running the Windows 7 operating system.
After the user is authenticated, the user is placed into Quarantine due to the absence of a health token.
After the installation, OnGuard scans the health, initiates reauthentication, and places the user into the Employee VLAN.
There are many issues to solve in order to enable health checks on any unmanaged device through BYOD. This section discusses common issues, and how they are addressed, but does not provide a complete list of the potential issues and solutions.
In this example, a user without OnGuard is placed into a Quarantine VLAN. This VLAN can be set up to allow access to the W-ClearPass server, where the user can either download the persistent client or use the dissolvable application. The method used to inform the user or redirect the user to the W-ClearPass URL is left to the administrator. There are several options available:
Once the user has access to OnGuard and performs a health check, the user can be allowed onto the network for full access.
When using the example of placing users into a different VLAN for quarantine, the device must obtain another IP address through DHCP for the new VLAN. Client behavior associated with the release and renewal of IP addresses can depend on the operating system, network card, and network driver. Some clients may not release their IP address, even after the port on the switch transitions to a new VLAN. In these cases, the client must be forced to renew its DHCP lease.
Example solutions that force a DHCP renewal are:
In the cases above, the user requires notification that an action is required. Providing directions, through instructions either on a landing page or through client messages from the W-ClearPass OnGuard agent, is a good practice.