Scenario 2--Unhealthy Supplicant

The steps to authenticate an unhealthy supplicant are:
  1. The 802.1X supplicant initiates a connection to the 802.1X network access server (NAS), which in this scenario is the Extreme Networks switch.
  2. The supplicant passes its authentication credentials to the switch using PEAP and an inner authentication method such as MS-CHAPv2.
  3. The RADIUS server requests a statement of health (SoH) from the supplicant.

    Only NAP-capable supplicants create an SoH, which contains information about whether or not the supplicant is compliant with the system health requirements defined by the network administrator.

  4. If the SoH indicates that the supplicant is unhealthy, the RADIUS server sends an Access-Accept message with RADIUS VSAs indicating:
    • The VLAN the unhealthy supplicant is moved to (in this example, the Quarantine VLAN).
    • The remediation server(s) from which the supplicant can get software updates, anti-virus software, and so on to remediate itself.
  5. When the switch receives the VLAN and remediation server information from the RADIUS server, the switch:
    • Moves the supplicant into the Quarantine VLAN.
    • Applies ACLs to ensure the supplicant in the Quarantine VLAN can access only the remediation servers.
    • Drops all other traffic that is neither sent to nor received from the remediation servers.
    • Sends a trap to Ridgeline indicating that the supplicant has been authenticated but has restricted access in the Quarantine VLAN for remediation.
  6. The supplicant connects to the remediation server to get software updates, anti-virus software, and so on to get healthy.
  7. After the supplicant is healthy, it restarts the authentication process and is moved to the Production VLAN, as a healthy supplicant with full network access.
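
The quarantine filtering in step 5, modeled as an added example (not Extreme Networks code or switch configuration). The dictionary keys, IP addresses and function names are assumptions made for illustration, and the direction-aware match is one way to read "only the remediation servers": it checks the destination of traffic from the supplicant and the source of traffic to it, so a packet that merely claims a remediation server as its source is still dropped.

```python
import ipaddress

# Constructed sample: a decoded Access-Accept for an unhealthy supplicant.
# The key names are hypothetical and are not real RADIUS VSA names.
SAMPLE_ACCEPT = {
    "vlan": "Quarantine",
    "remediation_servers": ["10.20.0.10", "10.20.0.11"],
}


def build_port_policy(accept):
    """Turn the Access-Accept into the state applied to the supplicant's port."""
    servers = [ipaddress.ip_address(s) for s in accept.get("remediation_servers", [])]
    return {"vlan": accept["vlan"], "servers": frozenset(servers)}


def filter_packet(policy, direction, src, dst):
    """Return 'permit' or 'drop' for one packet on the quarantined port.

    direction is 'from_supplicant' or 'to_supplicant'. Only the far end of the
    conversation is compared with the remediation list, so a supplicant cannot
    get traffic through by spoofing a remediation server as its source.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "from_supplicant":
        peer = dst
    elif direction == "to_supplicant":
        peer = src
    else:
        raise ValueError("direction must be 'from_supplicant' or 'to_supplicant'")
    # Anything that does not match a remediation server falls to the default drop.
    return "permit" if peer in policy["servers"] else "drop"


if __name__ == "__main__":
    policy = build_port_policy(SAMPLE_ACCEPT)
    # Constructed packets: (direction, source, destination)
    packets = [
        ("from_supplicant", "10.99.0.5", "10.20.0.10"),   # update download
        ("to_supplicant", "10.20.0.11", "10.99.0.5"),     # server reply
        ("from_supplicant", "10.99.0.5", "10.1.1.5"),     # production host
        ("from_supplicant", "10.20.0.10", "10.1.1.5"),    # spoofed source
    ]
    for direction, src, dst in packets:
        print(policy["vlan"], direction, src, "->", dst, filter_packet(policy, direction, src, dst))
```

If the Access-Accept names the Quarantine VLAN but lists no remediation servers, this model drops every packet, which leaves the supplicant isolated with no path to become healthy.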