The steps to authenticate an unhealthy supplicant are:
The 802.1X supplicant initiates a connection
to the 802.1X network access server (NAS), which in this scenario
is the Extreme Networks switch.
The supplicant passes its authentication credentials
to the switch using PEAP and an inner authentication method such
as MS-CHAPv2.
The RADIUS server requests a
statement of health (SoH) from the supplicant.
Only NAP-capable supplicants create an SoH, which contains
information about whether or not the supplicant is compliant with the system health
requirements defined by the network administrator.
If the SoH indicates that the supplicant is unhealthy, the
RADIUS server sends an Access-Accept message with RADIUS VSAs indicating which:
VLAN the unhealthy supplicant is
moved to (in this example, the Quarantine VLAN).
the remediation server(s) from which the supplicant can get software updates,
anti-virus software and so on to remediate itself.
When the switch receives the VLAN and remediation server
information from the RADIUS server, the switch:
Moves the supplicant into the Quarantine VLAN.
Applies ACLs to ensure the supplicant in the Quarantine VLAN can access only the
remediation servers
Drops all other traffic not originating/destined from/to the remediation
servers
sends a trap to Ridgeline indicating that the supplicant has been authenticated but
has restricted access in the Quarantine VLAN for remediation.
The supplicant connects to the remediation server to
get software updates, anti-virus software, and so on to get healthy.
After the supplicant is healthy, it restarts the
authentication process and is moved to the Production VLAN, as a healthy supplicant with
full network access.
