Scenario 2--Unhealthy Supplicant
- The 802.1X supplicant initiates a connection to the 802.1X network access server (NAS), which in this scenario is the Extreme Networks switch.
- The supplicant passes its authentication credentials to the switch using PEAP and an inner authentication method such as MS-CHAPv2.
- The RADIUS server requests a statement of health (SoH) from the supplicant. Only NAP-capable supplicants create an SoH, which contains information about whether or not the supplicant is compliant with the system health requirements defined by the network administrator.
- If the SoH indicates that the supplicant is unhealthy, the RADIUS server sends an Access-Accept message with RADIUS VSAs indicating:
  - the VLAN the unhealthy supplicant is moved to (in this example, the Quarantine VLAN).
  - the remediation server(s) from which the supplicant can get software updates, anti-virus software and so on to remediate itself.
- When the switch receives the VLAN and remediation server information from the RADIUS server, the switch:
  - Moves the supplicant into the Quarantine VLAN.
  - Applies ACLs to ensure the supplicant in the Quarantine VLAN can access only the remediation servers.
  - Drops all other traffic, that is, anything not originating from or destined to the remediation servers.
  - Sends a trap to Ridgeline indicating that the supplicant has been authenticated but has restricted access in the Quarantine VLAN for remediation.
- The supplicant connects to the remediation server to get software updates, anti-virus software, and so on to get healthy.
- After the supplicant is healthy, it restarts the authentication process and is moved to the Production VLAN, as a healthy supplicant with full network access.
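The following Python model of the switch-side part of this flow is an added example, not code from the original document or from Extreme Networks. It models what the NAS does with the two Access-Accept outcomes above: read the VLAN from the standard RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), and, when remediation servers are present, install an ACL that permits only traffic to or from those servers and drops everything else, then generate the trap text. The attribute name "Remediation-Servers", the VLAN names, the MAC address and all IP addresses are constructed for the example; the real vendor-specific attribute names and vendor ID come from the RADIUS server's dictionary.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 3580 tunnel attribute values used for VLAN assignment in an Access-Accept.
TUNNEL_TYPE_VLAN = 13     # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6     # Tunnel-Medium-Type = IEEE 802

# Constructed Access-Accept attribute sets for the two outcomes in the scenario.
# "Remediation-Servers" is a hypothetical VSA name standing in for the
# vendor-specific attribute the text mentions; the real attribute name and
# vendor ID come from the RADIUS server's dictionary, not from this example.
ACCEPT_UNHEALTHY = {
    "Tunnel-Type": TUNNEL_TYPE_VLAN,
    "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
    "Tunnel-Private-Group-ID": "Quarantine",
    "Remediation-Servers": ["10.0.50.10", "10.0.50.11"],  # constructed addresses
}
ACCEPT_HEALTHY = {
    "Tunnel-Type": TUNNEL_TYPE_VLAN,
    "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
    "Tunnel-Private-Group-ID": "Production",
}


@dataclass
class PortPolicy:
    vlan: str
    acl: list   # ordered (action, peer_network) rules; first match wins
    trap: str   # text of the notification the switch would send to Ridgeline


def vlan_from_accept(attrs):
    """Return the VLAN named by the RFC 3580 tunnel attributes, or None."""
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802:
        return None
    return attrs.get("Tunnel-Private-Group-ID")


def apply_access_accept(attrs, supplicant_mac):
    """Model the switch's handling of an Access-Accept: VLAN, ACL and trap."""
    vlan = vlan_from_accept(attrs)
    if vlan is None:
        # A port must never be opened on an Accept that names no VLAN.
        raise ValueError("Access-Accept carries no usable VLAN assignment")
    servers = attrs.get("Remediation-Servers", [])
    if servers:
        # Quarantine: permit traffic to/from each remediation server, deny the rest.
        acl = [("permit", ip_network(s)) for s in servers] + [("deny", None)]
        trap = f"{supplicant_mac}: authenticated, restricted to VLAN {vlan} for remediation"
    else:
        # Healthy supplicant: no restriction on the production VLAN.
        acl = [("permit", None)]
        trap = f"{supplicant_mac}: authenticated, full access in VLAN {vlan}"
    return PortPolicy(vlan=vlan, acl=acl, trap=trap)


def acl_permits(acl, src_ip, dst_ip):
    """Evaluate a packet against the port ACL. A rule matches when either
    endpoint falls inside its peer network; a network of None matches anything."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for action, net in acl:
        if net is None or src in net or dst in net:
            return action == "permit"
    return False  # nothing matched: implicit deny


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed supplicant MAC
    quarantine = apply_access_accept(ACCEPT_UNHEALTHY, mac)
    print(quarantine.trap)
    print("to remediation server:", acl_permits(quarantine.acl, "10.0.70.5", "10.0.50.10"))
    print("to anything else:     ", acl_permits(quarantine.acl, "10.0.70.5", "203.0.113.9"))
    # After remediation the supplicant re-authenticates and receives the healthy result.
    production = apply_access_accept(ACCEPT_HEALTHY, mac)
    print(production.trap)
    print("to anything else:     ", acl_permits(production.acl, "10.0.60.5", "203.0.113.9"))
```

The ACL is deliberately bidirectional (a rule matches on source or destination), which mirrors the "not originating from or destined to the remediation servers" wording above; the trailing deny makes the drop explicit rather than relying on an implicit default, and the ValueError guards the case where an Access-Accept arrives without VLAN attributes, which should not silently open the port.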