NAP and dynamic VLAN

  • Question

  • Server 2008 Enterprise edition functioning as domain controller, DHCP, DNS, NAP

    DHCP server has 4 scopes
    1) 192.168.1.0/24
    2) 192.168.2.0/24
    3) 192.168.3.0/24
    4) 192.168.4.0/24

    Cisco Catalyst 3750 switch with the following VLANs
    VLAN1 Sales
    VLAN2 Management
    VLAN3 IT
    VLAN4 Non-compliant

    What I'm trying to implement is: when a SALES user logs in, if the PC is compliant, the DHCP server will assign an IP address from the range 192.168.1.0/24. If the PC is not compliant he will get an IP address from 192.168.4.0/24.

    When an IT user connects, if he is compliant he will get an IP address from 192.168.3.0/24.

    Is this possible? If so, how can I implement it?

    Friday, February 27, 2009 2:30 PM

Answers

  • That's somewhat similar to what we wanted to solve with our own VLAN switching solution - special case rules for certain people (or rather computers), as well as remediation zones and non-compatible zones.
    We used VLAN tagging on the NPS server, sending Radius attributes when the computers are trapped by certain rules.
    Such rules may include "computer member of group" as well as "health status compliant / non-compliant / non-compatible".

    But we're not using NAP via DHCP since it won't meet our needs for security - but you may not have such an issue.

    A short description and insight into our choices in this thread where we tried to solve certain issues:
    http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/7713b391-d413-4141-9695-4bcd2d55289b

    But in more general terms we followed the guidelines and design choices of this document:
    Step-by-Step Guide: Demonstrate NAP 802.1X Enforcement in a Test Lab
    http://www.microsoft.com/downloads/details.aspx?FamilyID=8a0925ee-ee06-4dfb-bba2-07605eff0608&displaylang=en

    And yes, we've assigned certain IT staff to their own VLAN assignment rules - and sales to others, but they all share a common Remediation Zone. Everyone else is either rejected (from WLAN) or gets a guest zone for internet access.

    Sincerely, Jon E. Carlsen
    Wednesday, March 4, 2009 11:23 PM
  • Hi,

    I've accomplished such a thing earlier with NAP 802.1x, like the post from Jon E. Carlsen, but with AD user group membership.

    The way I've done it:

    Make sure that all the VLANs are present on the switch(es). After that, make a NAP 802.1x Network Policy for each VLAN:

    NAP 802.1X Noncompliant computers, for assigning the remediation VLAN. Assign VLAN 4
    NAP 802.1x Compliant Sales. Assign VLAN 1
    NAP 802.1x Compliant Management. Assign VLAN 2
    NAP 802.1x Compliant IT. Assign VLAN 3

    If you use Active Directory, make a Global Group for each compliant VLAN:

    Vlan-Sales, Vlan-Management, Vlan-IT.

    Then make the users members of the appropriate VLAN groups.

    After that, add to each compliant NAP 802.1x Network Policy a rule that the policy must check AD User Membership:

    Vlan 1: user must be member of the Global Group Vlan-Sales.
    Vlan 2: user must be member of the Global Group Vlan-Management.
    etc.

    So when a user logs in, NAP first checks the status of the client computer, and if compliant, NAP looks at which AD VLAN group the user belongs to and places the computer in that VLAN.

    To assign an IP address throughout all the VLANs, ALSO follow the post of Greg Lindsay.

    So that's the way I found out.

    Have fun with it.
    Thursday, March 5, 2009 4:06 AM

All replies

  • Hi,

    The GIADDR (gateway interface address) is added by the switch to DHCP requests that come from a particular VLAN. The server then knows to create a DHCP lease and send it back to the right VLAN, based on the GIADDR.

    Here is an example that I think will work for the configuration you have provided. I don't have a layer 3 switch to test this, it is extrapolated from configurations I've seen. Let me know if you have problems.

    -Greg

    interface Vlan1
     ip address 192.168.1.1 255.255.255.0
     ip helper-address 192.168.0.1
    !
    interface Vlan2
     ip address 192.168.2.1 255.255.255.0
     ip helper-address 192.168.0.1
    !
    interface Vlan3
     ip address 192.168.3.1 255.255.255.0
     ip helper-address 192.168.0.1
    !
    interface Vlan4
     ip address 192.168.4.1 255.255.255.0
     ip helper-address 192.168.0.1
    !
    no ip classless
    ip route 192.168.1.0 255.255.255.0 Vlan1
    ip route 192.168.2.0 255.255.255.0 Vlan2
    ip route 192.168.3.0 255.255.255.0 Vlan3
    ip route 192.168.4.0 255.255.255.0 Vlan4
    ip http server
    !
    Wednesday, March 4, 2009 9:04 PM
  • Hello..
    The steps I have done are as follows:
    1. create vlans on switch
    2. make all the vlans a NAP 802.1x Network Policy
        Authentication Method: EAP
        Select User Group
        VLAN Attributes :
              Tunnel-Type = VLAN
              Tunnel-Medium-Type = 802...
              Tunnel-Pvt-Group-id= 3
    Vendor Specific Attribute: Cisco AV-Pair (Value 9)

    3. Now created an additional network policy that must check AD User Membership
        In Specify Conditions I selected User Group; all other settings default

    Anything additional I have to do?

    Wednesday, March 18, 2009 5:19 AM
  • If you look at the "Step by step" document it also shows that you must configure the client-side environment. (You've performed everything up to page 27?).

    (Note, I'm not sure what steps you've performed on the switch - but you need to configure it to use Radius and 802.1x of course)

    You *can* use a manually configured client, but in my previous tests I found I got more consistent results (during boot of clients) in the test by configuring the client using Group Policy Objects.

    Create a Wired Policy using "Microsoft: Protected EAP" and customize it to your needs.
    Here's one we are using;

    Security Settings
    - Enable use of IEEE 802.1X authentication for network access: Enabled
    - Enforce use of IEEE 802.1X authentication for network access: Disabled

    IEEE 802.1X Settings
    - Cache user information for subsequent connections to this network: Disabled
    - Computer Authentication: Computer only
    - EAPOL Start Message: Transmit per IEEE 802.1X
    - Maximum Authentication Failures: 2
    - Maximum EAPOL-Start Messages Sent: 3
    - Held Period (seconds): 1
    - Start Period (seconds): 5
    - Authentication Period (seconds): 18


    You need to set the correct certificate settings, which means you should select "Smart card or other certificate" as auth method within the "Protected EAP" properties.
    Enable "Fast Reconnect" and "Quarantine Checks" in the same properties as well.
    (PKI infrastructure, automatic user/computer certificate deployment is a "must", this goes without a further explanation).

    For testing purposes you can turn off "validate server certificate", but for production I recommend you keep it on.
    The same goes for the Smartcard configuration.

    Then add the required "System Services" startup mode;
    * Network Access Protection = Automatic
    * Wired Autoconfig = Automatic
    * Background Intelligent Transfer Service = Automatic
    (Not 100% sure that BITS needs to be kickstarted like this, but we had issues in our lab test without it).

    Lastly add the "Network Access Protection" configuration to the policy;
    * EAP Quarantine Enforcement Client

    After the policy is applied you might need a reboot; then, to check the client-side settings, do the following:
    netsh nap client>show grouppolicy

    A final recommendation is to enable the NPS Accounting logs, all the options - and start reading. :-)
    Sincerely, Jon E. Carlsen
    • Edited by Jon E. Carlsen Wednesday, March 18, 2009 5:53 AM Audit->Accounting
    Wednesday, March 18, 2009 5:51 AM
  • In the previous post, Jon mentioned the configuration of the NAP client. I think that you (maldiveboy) meant the further configuration of the NAP VLAN part?

    what you've done:

    1. create vlans on switch (This is OK)
    2. make all the vlans a NAP 802.1x Network Policy (This is OK)
        Authentication Method: EAP
        Select User Group
        VLAN Attributes :
              Tunnel-Type = VLAN
              Tunnel-Medium-Type = 802...
              Tunnel-Pvt-Group-id= 3
    Vendor Specific Attribute: Cisco AV-Pair (Value 9)

    3. Now created an additional network policy that must check AD User Membership
        In Specify Conditions I selected User Group; all other settings default

    The last step is not OK. The AD User Membership check must be added to each Network Policy (except the one for noncompliant computers).

    So regarding the first post you must have the following:

    1. 4 VLANs on the switch (including the noncompliant VLAN)
    2. 4 Network Policies (3 for the compliant VLANs (IT, Sales, Management) and 1 for noncompliant computers)
    3. 3 AD Global Groups created for the compliant VLANs (IT, Sales, Management), with the appropriate users added to the VLAN Global Groups.
    4. The User Group membership condition added to the 3 compliant VLAN Network Policies (IT, Sales, Management), specifying in the user check the appropriate AD Global Group of that VLAN.

    For the noncompliant vlan you don't have to add a user check, because the computer is already determined noncompliant.
    Wednesday, March 18, 2009 5:21 PM
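Putting Greg's relay configuration and the NPS policy steps from this thread together, here is an added Python model (not code from the thread, from NPS or from Cisco) of the full decision path: compliance state and AD group membership select the RADIUS tunnel attributes and therefore the VLAN, the switch SVI on that VLAN becomes the DHCP giaddr, and the DHCP server picks the scope containing it. Group names, VLAN numbers and subnets are the thread's; the Tunnel-Type and Tunnel-Medium-Type numeric values are the RFC 2868 ones, and the first-match ordering is an assumption about how the policies are arranged.

```python
import ipaddress

# RFC 2868 values carried in the Access-Accept for dynamic VLAN assignment
TUNNEL_TYPE_VLAN = 13     # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6     # Tunnel-Medium-Type = IEEE 802

# NPS network policies in the order the thread describes: the noncompliant
# policy has no group condition and is evaluated first; each compliant
# policy requires membership of one AD global group (names from the thread).
REMEDIATION_VLAN = 4
GROUP_VLANS = [("Vlan-Sales", 1), ("Vlan-Management", 2), ("Vlan-IT", 3)]

# Switch SVIs from Greg's config: one /24 per VLAN, SVI address is .1
SVI_SUBNET = {v: ipaddress.ip_network(f"192.168.{v}.0/24") for v in (1, 2, 3, 4)}
DHCP_SCOPES = list(SVI_SUBNET.values())

def evaluate_policy(compliant, groups):
    """Tunnel attributes NPS would return, or None for an Access-Reject."""
    if not compliant:
        vlan = REMEDIATION_VLAN
    else:
        matches = [vlan for group, vlan in GROUP_VLANS if group in groups]
        if not matches:
            return None        # no compliant policy matched: reject
        vlan = matches[0]      # first matching policy wins (assumed ordering)
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
            "Tunnel-Private-Group-ID": str(vlan)}

def relay_giaddr(vlan):
    """'ip helper-address' forwards the request with the SVI address as giaddr."""
    return SVI_SUBNET[vlan][1]

def select_scope(giaddr):
    """The DHCP server picks the scope whose subnet contains giaddr."""
    for scope in DHCP_SCOPES:
        if giaddr in scope:
            return scope
    return None

def lease_subnet(compliant, groups):
    """End-to-end: the scope a client leases from, or None if rejected."""
    attrs = evaluate_policy(compliant, groups)
    if attrs is None:
        return None
    vlan = int(attrs["Tunnel-Private-Group-ID"])
    return str(select_scope(relay_giaddr(vlan)))
```

A compliant user in no VLAN group is rejected here, which is the behaviour the thread describes for "everyone else" unless a separate guest policy is added.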