Netgear XCM8810 - 8800 SERIES 10-SLOT CHASSIS SWITCH User Manual

Page 412 / 968
Chapter 16.  Network Login  
NETGEAR 8800 User Manual 
ACLs for Remediation Servers
The NAP VSA MS-IPv4-Remediation-Servers contains a list of IP addresses that an 
unhealthy, and therefore quarantined, supplicant should still be allowed to reach so that it 
can remediate itself and become healthy.
A quarantine is implemented on the switch simply by moving the client/port to a 
user-designated 'quarantine' VLAN whose VLAN ID or name is sent in the Access-Accept 
message. It is up to the user to ensure that the quarantine VLAN really does have limited 
access to the rest of the network. Typically this is done by disabling IP forwarding on that 
VLAN so that no routed traffic can leave it. If dynamic VLAN creation is enabled on the 
switch, the quarantine VLAN supplied by RADIUS can also be created dynamically. Because IP 
forwarding is not enabled on the quarantine VLAN, whether it is pre-configured or 
dynamically created, the remediation server(s) would have to be reachable without routing, 
via the uplink port.
To remove this restriction, network login has been enhanced: when the MS-Quarantine-State 
attribute is present in the Access-Accept message with a state (extremeSessionStatus) of 
either 'Quarantined' or 'On Probation,' a 'deny all traffic' dynamic ACL is applied on the 
quarantine VLAN. If such an ACL is already present on that VLAN, no new ACL is applied.
When the last authenticated client has been removed from the quarantine VLAN, this 'deny all 
traffic' ACL is removed again.
Additionally, if the MS-IPv4-Remediation-Servers VSA is present in the Access-Accept 
message, then for each IP address in the VSA a 'permit all traffic to/from this IP address' 
ACL is applied on the quarantine VLAN. These permit entries take effect ahead of the 'deny 
all traffic' entry, so traffic to and from the remediation servers passes unhindered in the 
quarantine VLAN while all other traffic is dropped.
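The following model, added here as an illustration and not NETGEAR or EXOS code, walks through the quarantine ACL behaviour described in the three paragraphs above: one 'deny all traffic' entry per quarantine VLAN, one 'permit' entry per remediation server address listed in MS-IPv4-Remediation-Servers, permits evaluated ahead of the deny, and teardown when the last authenticated client leaves the VLAN. The class and method names, the 'Full Access' label for the non-quarantined state, and the assumption that the per-server permit entries are removed together with the deny-all entry are mine; the client MACs and server addresses are constructed sample input.

```python
"""Model of the quarantine-VLAN dynamic ACL handling (added illustration,
not switch firmware).  Names and the 'Full Access' state are assumptions."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address
from typing import Dict, List, Optional, Sequence, Set

# MS-Quarantine-State values as the page names them; 'Full Access' is an
# assumed label for the non-quarantined case (wire encoding not shown here).
QUARANTINED = "Quarantined"
ON_PROBATION = "On Probation"
FULL_ACCESS = "Full Access"
RESTRICTED_STATES = {QUARANTINED, ON_PROBATION}


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    host: Optional[str] = None  # None means "all traffic"

    def matches(self, src: str, dst: str) -> bool:
        # A host entry matches traffic to or from that host; deny-all matches all.
        return self.host is None or self.host in (src, dst)


DENY_ALL = AclEntry("deny")


@dataclass
class VlanState:
    clients: Set[str] = field(default_factory=set)              # MACs on the VLAN
    remediation: Set[IPv4Address] = field(default_factory=set)  # permitted servers


class QuarantineAcls:
    """Tracks the dynamic ACLs kept per quarantine VLAN."""

    def __init__(self) -> None:
        self.vlans: Dict[str, VlanState] = {}

    def on_access_accept(self, mac: str, vlan: str, quarantine_state: str,
                         remediation_servers: Sequence[str] = ()) -> List[AclEntry]:
        """Handle an Access-Accept placing `mac` on `vlan`.  Returns the ACL
        now in force on that VLAN (empty list = no dynamic ACL)."""
        if quarantine_state not in RESTRICTED_STATES:
            return []      # healthy client: normal VLAN, no quarantine ACL
        # setdefault: the deny-all entry is created once; a second client on
        # the same VLAN finds it already present and adds no new ACL.
        state = self.vlans.setdefault(vlan, VlanState())
        state.clients.add(mac)
        for raw in remediation_servers:
            addr = ip_address(raw)
            if not isinstance(addr, IPv4Address):
                raise ValueError(f"MS-IPv4-Remediation-Servers is IPv4-only: {raw}")
            state.remediation.add(addr)   # duplicate server -> no second permit
        return self.acl_for(vlan)

    def on_client_removed(self, mac: str, vlan: str) -> List[AclEntry]:
        """Remove a client; tear the ACL down when the last one leaves."""
        state = self.vlans.get(vlan)
        if state is not None:
            state.clients.discard(mac)
            if not state.clients:
                # Last authenticated client gone: deny-all is removed.
                # Assumption: the per-server permits go with it.
                del self.vlans[vlan]
        return self.acl_for(vlan)

    def acl_for(self, vlan: str) -> List[AclEntry]:
        state = self.vlans.get(vlan)
        if state is None:
            return []
        permits = [AclEntry("permit", str(a)) for a in sorted(state.remediation)]
        return permits + [DENY_ALL]    # permits must precede the deny-all entry

    def is_permitted(self, vlan: str, src: str, dst: str) -> bool:
        """First matching entry wins; a VLAN with no ACL passes everything."""
        for entry in self.acl_for(vlan):
            if entry.matches(src, dst):
                return entry.action == "permit"
        return True


if __name__ == "__main__":
    acls = QuarantineAcls()
    acls.on_access_accept("00:11:22:33:44:55", "quarantine", QUARANTINED, ["10.0.0.5"])
    print(acls.acl_for("quarantine"))
    print(acls.is_permitted("quarantine", "192.168.1.10", "10.0.0.5"))  # remediation
    print(acls.is_permitted("quarantine", "192.168.1.10", "8.8.8.8"))   # dropped
```

The point to check when verifying a real deployment is the same as in the model: a host in the quarantine VLAN must be able to reach every listed remediation address and nothing else, and once the last quarantined client leaves, the VLAN should carry no dynamic ACL at all.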
Web-Based Authentication 
This section describes web-based network login. For web-based authentication, you need to 
configure the switch DNS name, the default redirect page, session refresh, and logout privilege. 
URL redirection requires the switch to be assigned a DNS name. The default name is 
network-access.net. Any DNS query that reaches the switch from an unauthenticated client 
asking for the switch DNS name is answered by the DNS server on the switch with the IP address 
of the interface to which the network login port is connected.
This section describes the following topics: