Integration with IP Phones



Similar documents
Configuring Steel-Belted RADIUS Proxy to Send Group Attributes

Configuring Infoblox DHCP

Sophos Endpoint Security and Control standalone startup guide

Moving SQL Servers. Document version 3.2 Published December 2010

Network Security Solutions Implementing Network Access Control (NAC)

Sophos Anti-Virus for NetApp Storage Systems startup guide

Using Microsoft Windows Authentication for Microsoft SQL Server Connections in Data Archive

Lab - Configure a Windows 7 Firewall

Sophos Anti-Virus for NetApp Storage Systems startup guide. Runs on Windows 2000 and later

Sophos Anti-Virus for NetApp Storage Systems user guide. Product version: 3.0

Sophos Computer Security Scan startup guide

Sophos Anti-Virus for Mac OS X network startup guide. For networked Macs running Mac OS X

TotalCloud Phone System

Sophos Endpoint Security and Control Windows Embedded test guide. Product version: 10

How to Create VLANs Within a Virtual Switch in VMware ESXi

Sophos Anti-Virus standalone startup guide. For Windows and Mac OS X

Lab - Configure a Windows Vista Firewall

Lab Diagramming Intranet Traffic Flows

Device Interface IP Address Subnet Mask Default Gateway

Endpoint Security Console. Version 3.0 User Guide

PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

Dynamic VLAN assignment using RADIUS. Network Diagram

Sophos Anti-Virus for Mac OS X network startup guide

Using LiveAction with Cisco Secure ACS (TACACS+ Server)

Cisco 7940 How To. (c) Bicom Systems

Sophos Mobile Control User guide for Windows Mobile

Sophos Enterprise Console server to server migration guide. Product version: 5.1 Document date: June 2012

Installing and Using Wireshark for Capturing Network Traffic

Lab Developing ACLs to Implement Firewall Rule Sets

Example: Configuring VoIP on an EX Series Switch Without Including 802.1X Authentication

DIGIPASS Authentication for Cisco ASA 5500 Series

ESET SECURE AUTHENTICATION. Check Point Software SSL VPN Integration Guide

Sophos Client Firewall version 1.5 user manual. For Windows

Configuring Devices for Use with Cisco Configuration Professional (CCP) 2.5

School of Information Technology and Engineering (SITE) CEG 4395: Computer Network Management. Lab 4: Remote Monitoring (RMON) Operations

Endpoint web control overview guide. Sophos Web Appliance Sophos Enterprise Console Sophos Endpoint Security and Control

Docufide Client Installation Guide for Windows

Session Title: Exploring Packet Tracer v5.3 IP Telephony & CME. Scenario

Enabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches

Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client

Application Note VAST Network settings

Use 802.1x EAP-TLS or PEAP-MS-CHAP v2 with Microsoft Windows Server 2003 to Make a Secure Network

Sophos SafeGuard Native Device Encryption for Mac quick startup guide. Product version: 7

ESET SECURE AUTHENTICATION. Cisco ASA SSL VPN Integration Guide

Installation & Configuration Guide Version 1.0. TekSIP Route Server Version Installation & Configuration Guide

Dolphin Ocean Server and Dolphin Mobile Client Installation Guide for Android and ios. May 2012

MS Series: VolP Deployment Guide

LiveAction Application Note

ECView Pro Network Management System. Installation Guide.

Creating a VPN Using Windows 2003 Server and XP Professional

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Configuring Cisco CallManager IP Phones to Work With IP Phone Agent

Sophos for Microsoft SharePoint startup guide

Sophos Mobile Control User guide for Windows Phone 8. Product version: 3.5

ClearPass Policy manager Cisco Switch Setup with CPPM. Technical Note

StarWind iscsi SAN Software: Installing StarWind on Windows Server 2008 R2 Server Core

Using the Aironet Client Monitor (ACM)

SafeGuard Enterprise upgrade guide. Product version: 7

MAC Address Table Attribute Configuration

Introduction. What is a Remote Console? What is the Server Service? A Remote Control Enabled (RCE) Console

StarWind iscsi SAN Software: Tape Drives Using StarWind and Symantec Backup Exec

Sophos Enterprise Console server to server migration guide. Product version: 5.2

Integrated Citrix Servers

Interoperability between Avaya IP phones and ProCurve switches

Configure VPN between ProSafe VPN Client Software and FVG318

Application Note Gigabit Ethernet Port Modes

Lab Configuring Access Policies and DMZ Settings

ESET SECURE AUTHENTICATION. Cisco ASA Internet Protocol Security (IPSec) VPN Integration Guide

How To Use Cisco Identity Based Networking Services (Ibns)

Chapter 6 Virtual Private Networking

Sophos UTM. Remote Access via IPsec Configuring Remote Client

Citrix Access Gateway Plug-in for Windows User Guide

Configuring iscsi Multipath

Flow Publisher v1.0 Getting Started Guide. Get started with WhatsUp Flow Publisher.

User Manual. 3CX VOIP client / Soft phone Version 6.0

DC Agent Troubleshooting

Identikey Server Getting Started Guide 3.1

Microsoft Windows Server System White Paper

SafeGuard Easy upgrade guide. Product version: 7

StarWind iscsi SAN Software: Challenge-Handshake Authentication Protocol (CHAP) for Authentication of Users

Sophos Mobile Control Installation guide

Troubleshooting File and Printer Sharing in Microsoft Windows XP

Configuring IBM Cognos Controller 8 to use Single Sign- On

Configure IOS Catalyst Switches to Connect Cisco IP Phones Configuration Example

How to Create a Virtual Switch in VMware ESXi

All Tech Notes and KBCD documents and software are provided "as is" without warranty of any kind. See the Terms of Use for more information.

Module 6. Configuring and Troubleshooting Routing and Remote Access. Contents:

VPNC Interoperability Profile

Sophos Endpoint Security and Control How to deploy through Citrix Receiver 2.0

VLANs. Application Note

NOVELL ZENWORKS ENDPOINT SECURITY MANAGEMENT

Emerald. Network Collector Version 4.0. Emerald Management Suite IEA Software, Inc.

SolarWinds Technical Reference

CTS2134 Introduction to Networking. Module Network Security

Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab

SafeGuard Enterprise upgrade guide. Product version: 6.1

Tested Solution: Protecting your network with Symantec Network Access Control (NAC) and Allied Telesis Switches

TALKSWITCH VOIP NETWORK TROUBLESHOOTING GUIDE

Workflow Guide. Establish Site-to-Site VPN Connection using RSA Keys. For Customers with Sophos Firewall Document Date: November 2015

Transcription:

Copyright 2010 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in retrieval system, or transmitted, in any form or by any means electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the licence terms or you otherwise have the prior permission in writing of the copyright owner. Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited. All other product and company names are trademarks or registered trademarks of their respective owners. Document version 3.2 Published December 2010 2

Table of Contents Sophos NAC Advanced Integration with IP Phones... 4 Configuring the Network to Support IP Phones and Sophos NAC Advanced... 4 Configuring Sophos NAC Advanced to Support IP Phones... 5 Operating the Endpoints and IP Phones... 6 3

Sophos NAC Advanced Integration with IP Phones This document provides information on integrating Sophos NAC Advanced with a network where endpoints are connected through switches imbedded in IP phones. The IP phone models for this test are the Cisco 7912 and 7940. The key to the integration is to set up separate VLANs and use 802.1x authentication with RADIUS to access the separate VLANs based on compliance. While Cisco equipment was used for the purposes of this testing, other equipment that support 802.1x and RADIUS authentication are also supported with Sophos NAC Advanced. The following diagram displays a simplified view of the configuration that is used: Important: This configuration ensures that the IP phones will work regardless of which VLAN the endpoint has access to or whether the endpoint is turned off. More importantly, all voice traffic is shuttled to VLAN 100, which is not used by Sophos NAC Advanced. Configuring the Network to Support IP Phones and Sophos NAC Advanced This configuration requires running Cisco Call Manager (v3.0 or above) on the 2811 router. Call Manager supports configuration and administration of the IP phones that are connected to the network. 4

Three VLANs must be created: one dedicated to voice, one for Sophos permitted access, and one for Sophos denied access. This test uses the following VLANs: VLAN Purpose VLAN 100 VLAN 102 VLAN 103 Voice Permit access Deny access The ports on the switch must be configured to carry traffic from a voice VLAN. To do this, type the following command for each port while in privileged EXEC mode: switchport voice vlan <vlan-id> The specified VLAN then supports all voice traffic from the IP phone, while data traffic is carried on one of the other two VLANs. This configuration ensures that voice traffic on the IP phone is always available, even if Sophos NAC Advanced determines that the endpoint is not compliant with the defined security policy. Configuring Sophos NAC Advanced to Support IP Phones The Sophos Compliance Application Server must have a RADIUS compliance setting to support the other two VLANs (102 and 103 in this case). For more information on configuring dynamic VLANs for 802.1x authentication, see the 802.1x Dynamic VLAN Assignment document located on the Sophos web site: http://www.sophos.com/sophos/docs/eng/manuals/nacadv8021x_32_tgeng.pdf Using the Sophos Compliance Manager, create a new RADIUS setting with the IP address pointing to the switch. For this test, the Cisco 2950 switch is used. The following Tunnel-Private-Group-ID attribute will send data traffic from the endpoint to VLAN 102 when Sophos NAC Advanced permits access. 5

Setting up the Deny Attribute involves specifying the deny VLAN in the Tunnel-Private-Group-ID deny attribute, as follows. Once the permit and deny attributes are specified, click the Save button to create and save these RADIUS settings. Operating the Endpoints and IP Phones If you experience problems getting the Compliance Agent to work behind the phone using 802.1x, do the following: 1. Plug the computer directly into the 802.1x-enabled port and confirm that it authenticates without the phone. 2. Set up the phone on the switch (make sure you have added that port to the voice VLAN) and confirm that it connects without issue. 3. Plug the computer into the switch port on the phone and try to get connected using the desired supplicant. 4. If you still aren t being authenticated, packet sniff the subnet to confirm that RADIUS protocol packets are being sent. 5. Open up the Event Viewer on the Compliance Application Server and go to the system logs. If you see Internet Authentication Service (IAS) or Network Policy Server errors (depending on operating system), then you know that the request is passing all the way to the server, at which point the server will issue a permit or deny entry in the logs. 6. If you are being granted access with RADIUS but still aren t able to log in with the Compliance Agent, go into the switch and see what error messages are generated during the authentication. If there is a problem with the RADIUS attributes or with your VLAN naming convention, you will see these errors on the switch. 7. If you still are unable to register or retrieve your policy, enable client logging (right-click the Agent system tray icon, select About Sophos Network Access Control, and then select the Enable Logging check box to enable client logging.) Once enabled, check for endpoint compliance (right-click the Agent system tray icon, and select Check Compliance). Then, open c:\program files\endforce\log\ and locate the trace log for your session to view errors. Any errors that are occurring will be listed there for further troubleshooting. The endpoints must access the appropriate VLAN, VLAN 102, or VLAN 103, depending on compliance, by initiating the Sophos Agent and an 802.1x supplicant on the endpoint. For more information on this process, see the 802.1x Dynamic VLAN Assignment document located on the Sophos web site: http://www.sophos.com/sophos/docs/eng/manuals/nacadv8021x_32_tgeng.pdf 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information