Scenario 2--Unhealthy Supplicant
The steps to authenticate an unhealthy supplicant are:
- The 802.1X supplicant initiates a connection to the 802.1X network access server (NAS), which in this scenario is the Extreme Networks switch.
- The supplicant passes its authentication credentials to the switch using PEAP and an inner authentication method such as MS-CHAPv2.
- The RADIUS (Remote Authentication Dial In User Service) server requests a statement of health (SoH) from the supplicant. Only NAP-capable supplicants create an SoH, which contains information about whether or not the supplicant is compliant with the system health requirements defined by the network administrator.
- If the SoH indicates that the supplicant is unhealthy, the RADIUS server sends an Access-Accept message with RADIUS VSAs indicating:
  - which VLAN (Virtual LAN) the unhealthy supplicant is moved to (in this example, the Quarantine VLAN).
  - the remediation server(s) from which the supplicant can get software updates, anti-virus software and so on to remediate itself.
- When the switch receives the VLAN and remediation server information from the RADIUS server, the switch:
  - Moves the supplicant into the Quarantine VLAN.
  - Applies ACLs to ensure the supplicant in the Quarantine VLAN can access only the remediation servers.
  - Drops all other traffic, that is, traffic not originating from or destined to the remediation servers.
  - Sends a trap to Ridgeline indicating that the supplicant has been authenticated but has restricted access in the Quarantine VLAN for remediation.
- The supplicant connects to the remediation server to get software updates, anti-virus software, and so on to become healthy.
- After the supplicant is healthy, it restarts the authentication process and is moved to the Production VLAN as a healthy supplicant with full network access.
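The following is an added example, not Extreme Networks or Ridgeline code, that models the decision path above in Python: the RADIUS server's answer to a healthy or unhealthy SoH, and the switch's enforcement of the returned VLAN plus remediation-only ACL. The VLAN ids, remediation server addresses and the attribute names are constructed assumptions, not values from the product documentation.

```python
"""Simulate SoH -> RADIUS policy -> switch ACL enforcement (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed sample values (assumptions, not from the Extreme documentation).
PRODUCTION_VLAN = 10
QUARANTINE_VLAN = 100
REMEDIATION_SERVERS = ["10.0.50.10", "10.0.50.11"]


@dataclass
class AccessAccept:
    """The policy the RADIUS server returns after evaluating the SoH."""
    vlan_id: int
    remediation_servers: list = field(default_factory=list)


def policy_for_soh(healthy: bool) -> AccessAccept:
    """Healthy SoH -> Production VLAN, no restriction.
    Unhealthy SoH -> Quarantine VLAN plus the remediation server list."""
    if healthy:
        return AccessAccept(PRODUCTION_VLAN)
    return AccessAccept(QUARANTINE_VLAN, list(REMEDIATION_SERVERS))


def switch_apply(accept: AccessAccept):
    """Build what the switch enforces from the Access-Accept.
    Returns (vlan_id, permit(src, dst) -> bool, trap message or None)."""
    allowed = {ip_address(s) for s in accept.remediation_servers}
    restricted = bool(allowed)

    def permit(src: str, dst: str) -> bool:
        if not restricted:          # Production VLAN: full network access
            return True
        # Quarantine VLAN: only traffic to or from a remediation server passes;
        # everything else is dropped.
        return ip_address(src) in allowed or ip_address(dst) in allowed

    trap = None
    if restricted:
        trap = (f"supplicant authenticated but restricted to VLAN {accept.vlan_id} "
                f"for remediation via {', '.join(accept.remediation_servers)}")
    return accept.vlan_id, permit, trap


if __name__ == "__main__":
    vlan, permit, trap = switch_apply(policy_for_soh(healthy=False))
    print(vlan, permit("192.0.2.5", "10.0.50.10"), permit("192.0.2.5", "203.0.113.7"))
    print(trap)
```

After remediation the supplicant re-authenticates; calling `policy_for_soh(healthy=True)` then yields the Production VLAN with an unrestricted `permit`, which is the last step of the scenario.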