locked
Non nap-capable machines not quarantined RRS feed

  • Question

  • Hello,

    I'm having some difficulties getting an 802.1X Wired NAP test enviroment up and running. Getting Windows XP SP3 and Vista machines compliant/non-compliant has been a relatively simple process, and it functions perfectly. I am mystified, however, as to why an XP SP2 laptop I'm connecting to my switch (An enterasys C3G124-24) gets full network access instead of being quarantined.

    I have a non nac-capable network policy set up... It is the first Network Policy to be processed.
    It will deny access to the user. The only constraints on it are that the computer is non-nap capable and the NAS Port Type is set to Ethernet.
    For attributes, I have:
    Framed-Protocol = PPP
    Service-Type = Framed
    Tunnel-Medium-Type = 802 (includes all 802 media plus Ethernet canonical..)
    Filter-Id = Set up so that the Windows server will pass a certain policy to the Enterasys switch.

    When I connect the laptop to the switch nothing happens. I don't even see anything show up in the event logs. However, when I hook up an SP3 laptop which is fully NAC capable, it almost immediately accepts it or quarantines it (depending on if it means the health requirements).

    The machine is not on the same domain as the Windows 2008 server. Will this pose a problem? Should I set the "authentication method" in constraints to anything specific?

    I'm sorry for the trouble and thank you in advance.

    Monday, October 27, 2008 9:39 PM

Answers

  •   Hi,

    In order to send credentials to NPS, the machine must try to authenticate - at least with machine credentials. If you don't have any authentication going on at the port, then nothing will be sent to NPS and you won't see any events. The non-NAP-capable policy is meant to use the same authentication methods as compliant and noncompliant policies, but you can probably modify this to be just a straight 802.1X wired policy.

    The laptop might be getting full network access because of the default VLAN on the port, or perhaps you have a guest or auth-fail VLAN set up.

    -Greg
    Tuesday, October 28, 2008 3:32 PM