Configuring Infoblox DHCP


Copyright 2008 Sophos Group. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner. All other product and company names are trademarks or registered trademarks of their respective owners. Document version 3.0. Published February 2008.

Table of Contents

Configuring Infoblox DHCP to work with Sophos NAC
Step One: Create and Configure DHCP Ranges
Step Two: Create a Radius Client on the NAC Application Server
Step Three: Configure External RADIUS Servers
Step Four: Configuring DHCP Authentication and Captive Portal
Step Five: Customizing the DHCP Ranges for Quarantined Users
Step Six: Basic Troubleshooting

Configuring Infoblox DHCP to work with Sophos NAC

This document outlines the steps necessary to implement Sophos NAC DHCP Enforcement using the Infoblox DNS-One appliance. It assumes that NIOS v4.2 (the latest current version) is running on the Infoblox appliance and that a valid DHCP and RADIUS license is installed. More information about this appliance and its configuration is available in the Infoblox Administrator Guide, which can be found in the support section of the Infoblox website (www.infoblox.com/support).

The following steps will allow you to set up the Infoblox appliance for integration with Sophos NAC. The following is assumed about the existing DHCP environment:

- You have some existing knowledge of the Infoblox DNS-One appliance.
- Your Infoblox appliance is already set up and working with regular DHCP.
- Your Infoblox appliance has the necessary IP addresses needed for setup.
- Your Infoblox appliance has a network defined in the Networks section.
- The Grid Manager is working.
- You are running the necessary Java software to start the Grid Manager software (currently running on JRE 1.6.0.40).

Step One: Create and Configure DHCP Ranges

Go to the DHCP and IPAM section and select the Networks section. You need to have three DHCP ranges created. These ranges are associated with authorized, quarantine and guest users so that a different range can be used depending on compliance state.

Note: Make sure to add the local DHCP server as a Member in the Member Assignment tab in the properties.

1. Right-click on your Network (if you have created multiple networks, right-click on the one that you want to use for authorized users) and click Add DHCP Range. The Add DHCP Range tab opens so that you can create the IP range that will be applied to authorized users.
2. Add a comment specifying what the range will be used for and click Save.

3. Repeat steps 1-2 to create IP ranges for quarantine and guest use. Configurations will vary depending on the network structure; this document uses only one network IP block for illustrative purposes.

Step Two: Create a Radius Client on the NAC Application Server

Now that you have created the IP ranges, you need to set up the Infoblox appliance to forward requests to the NAC application server for authentication.

1. Leave the Infoblox Grid Manager open but minimized, and use Remote Desktop (or another method) to access the NAC application server.
2. Open IAS, and go into the Radius Clients section.
3. Right-click and select New Radius Client.
4. Type the name and IP address of the Infoblox appliance, and assign a shared secret for authentication.

Step Three: Configure External RADIUS Servers

Now that you have created the Radius Client in IAS, go back into the Infoblox Grid Manager and create the corresponding entry.

1. Click AAA and click the External Servers tab.
2. Right-click the RADIUS Authentication Home Server, and select Add RADIUS Authentication Home Server.
3. In the properties tab to the right, type the Name, IP Address, and Port of the Sophos NAC application server.
4. Click Add and type the shared secret. This is the same shared secret that you entered in Step Two on the NAC application server.
5. Click Select Member and highlight the Infoblox entry, and then click OK twice to close both of the windows.

6. Repeat the preceding steps using the RADIUS Accounting Home Servers section to create the second entry. You should now have two entries pointing to the NAC application server, one within the RADIUS Authentication Home Servers (on port 1812), and the other within the RADIUS Accounting Home Servers (on port 1813).

Step Four: Configuring DHCP Authentication and Captive Portal

Now that you have created the external server entries, you can configure the Infoblox appliance to send authorization requests to the NAC application server, which then sends back the MAC filter list that the user should be placed in.

1. Open the AAA Members tab and double-click your DHCP server. This opens the Properties box on the right.
2. Expand the RADIUS Authentication tab on the right and select the Listen on RADIUS authentication port check box, or verify that it is already selected. Leave the authentication port at 1812.
3. Expand the RADIUS Accounting tab on the right and select the Listen on RADIUS accounting port check box, or verify that it is already selected. Leave the accounting port at 1813.

4. Expand the DHCP Authentication tab below the RADIUS Accounting tab and select the DHCP Authentication check box.
5. Type the word prefix for the MAC Filter Name Prefix.
6. Select the Portal IP from the list box. Note: If you don't have an IP address to choose from, then you don't have a second IP address assigned to your Infoblox appliance. You need to add one. For more information, see the Infoblox Admin Guide.
7. Locate the Authentication Policy and click Add.
8. Expand the RADIUS Authentication Services section and select the NAC application server that you previously created. Verify that the Success and Failure option buttons are selected (success = success, failure = failure). Click OK.

9. After adding the NAC application server to the Authentication Policy, select the Enable RADIUS accounting check box and select the NAC application server from the list box. Also select the Log authentication success check box and the Log authentication failure check box. These selections are helpful for troubleshooting.
10. Now that logging is enabled, select the Enable guest authentication check box. Select any additional check boxes you require; which ones you select depends on what information you want guests to type before receiving a guest IP address.

11. Make the appropriate customizations for your company so that when users access the captive portal, they see a welcome message as well as a phone number for the help desk.
12. Expand the DHCP Authorization tab and click Add for the quarantine range. Note: If you do not see any entries, then your networks do not have a member assignment for grid membership.
13. Select the network that you want to use for quarantined users, and then click OK.
14. Select the Enforce quarantine lease time check box and type a lease timeout in seconds. Sophos recommends setting this low (around 30-60 seconds), since this is the time that the user's MAC address will remain in quarantine after checking compliance. Note: If this setting is too high, then it is possible for a user who was initially non-compliant and then became compliant to still be in the quarantine filter list.
15. Select the Automatically Expires option button within the guest DHCP range, and then specify an expiration time. Six hours is reasonable for guest users. However, it is really a matter of preference, since guest users will usually remain guests for the duration of their stay.
16. Click Add, and then select the IP Range that you want guest users to receive.

17. Configure the authorized DHCP range in the same fashion as the guest and quarantine ranges. Specify the expiration for the authorized range depending on how much you want to restrict access for compliant users. Traditionally, this setting is approximately six hours, so that compliant users are not continuously forced to go to the Captive Portal and log in again to get an IP address from the authorized range.
18. Once the expiration has been set, add the IP range that authorized users will be given. Traditionally this is the IP range with full network access.
19. Enable the self-service portal and configure it as needed. Click Save at the top left of the Infoblox Grid Manager to save your changes.
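The shared secret entered in Step Two (IAS) and Step Three (Infoblox) is what ties the DHCP server's authorization requests to the NAC application server's answers. The following added example, which is not part of this guide or of either product, builds a minimal RADIUS Access-Request and Access-Accept/Reject exchange in pure Python (RFC 2865) and shows the client-side check that depends on the secret: the Response Authenticator. A response computed with a different secret, or a response whose attributes were altered in transit, fails that check and is discarded, which is why a mistyped secret shows up as silence rather than as a Radius Reject in the log described in Step Six. The MAC address, NAS address and secret are constructed placeholders.

```python
# Added example, not part of the Sophos/Infoblox guide: a minimal RADIUS
# Access-Request / Access-Accept exchange in pure Python (RFC 2865), showing
# how the shared secret configured in Steps Two and Three is used.  The DHCP
# server acts as RADIUS client and sends the client's MAC as User-Name; the NAC
# server answers; the client verifies the Response Authenticator with its copy
# of the secret and silently discards anything that fails.  The MAC, NAS
# address and secret values here are constructed placeholders.
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_REPLY_MESSAGE = 18


def encode_attr(attr_type, value):
    """RADIUS attribute TLV: type (1 byte), length (1 byte, header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _packet(code, identifier, authenticator, attrs):
    """Assemble the 20-byte header (code, id, length, authenticator) plus attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def build_access_request(identifier, mac, nas_ip, request_auth=None):
    """What the DHCP server (RADIUS client) sends for a client MAC during DHCP authentication."""
    if request_auth is None:
        request_auth = os.urandom(16)  # RFC 2865: unpredictable and unique per request
    attrs = encode_attr(ATTR_USER_NAME, mac.encode()) + encode_attr(
        ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
    return _packet(ACCESS_REQUEST, identifier, request_auth, attrs)


def response_authenticator(code, identifier, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(request, code, secret, attrs=b""):
    """What the NAC server (RADIUS server) sends back, authenticated with its copy of the secret."""
    identifier = request[1]
    request_auth = request[4:20]
    auth = response_authenticator(code, identifier, request_auth, attrs, secret)
    return _packet(code, identifier, auth, attrs)


def verify_response(request, response, secret):
    """Client-side check: matching identifier, consistent length, valid Response Authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, identifier, request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


def classify(request, response, secret):
    """Outcome as the Infoblox log would name it; a secret mismatch never reaches Accept/Reject."""
    if not verify_response(request, response, secret):
        return "discard"  # wrong secret or tampered packet: dropped, looks like a timeout to the client
    return {ACCESS_ACCEPT: "Radius Accept", ACCESS_REJECT: "Radius Reject"}.get(response[0], "other")


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = build_access_request(7, "00:11:22:33:44:55", "192.0.2.2")
    ok = build_response(req, ACCESS_ACCEPT, secret, encode_attr(ATTR_REPLY_MESSAGE, b"authorized"))
    print(classify(req, ok, secret))            # Radius Accept
    print(classify(req, ok, b"wrong-secret"))   # discard
```

The `classify` function maps the three outcomes onto the vocabulary of Step Six: only a response that verifies under the client's secret is ever counted as Radius Accept or Radius Reject, so when the log shows neither for a client that is clearly sending requests, the secret on one side is the first thing to compare.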

Step Five: Customizing the DHCP Ranges for Quarantined Users

Now that you have created entries for DHCP authentication, you need to go back and configure the quarantine DHCP range to restrict network access for quarantined users. Ideally, quarantined users should also be on a separate subnet from each other and from the authorized network.

1. Go back to the Infoblox Grid Manager. In the IPAM section, expand the Networks button within the Networks tab. All three network ranges should display. This document has you set up all of the ranges in the same subnet for testing purposes only.
2. Highlight the authorized DHCP range, right-click, and select View Properties.
3. Within the Properties (on the right-hand side), expand the Lease Times tab, and then select the Override network lease time check box. Specify an appropriate lease time as needed for authorized users.
4. Expand the Filter Rules tab and confirm that the prefix-authorized filter rule is applied to this range.

5. Right-click the quarantine range, expand it, and select View Properties.
6. Select the Override network routers and Override network DNS servers check boxes. Leave the router blank and set the DNS server to the Infoblox appliance's IP address. These settings make it impossible for quarantined users to get anywhere outside of the Infoblox server.
7. Select the Override network option list and Ignore option list requested by client and return all defined options check boxes.

8. Expand the Lease Times section and select the Override network lease time check box. Set the Lease Time value to something low, such as 5 minutes or lower.
9. Expand the Custom Options to give quarantined users static routes to resources such as the NAC application server. A static route to the NAC application server ensures that if users have a NAC Agent installed, they are able to reach the NAC application server to retrieve the latest policy.
10. Select the Override network custom options check box.
11. Click Add. Once the Option window opens, click Select Option, select Option 33, and then click OK.
12. In the Value field, type the IP address of the NAC application server followed by a space, and then type the IP address of the default gateway for this IP address.
13. Add a secondary static route after the first one so the client has a route to the Captive Portal, and then click OK to close the window. Note: To add more static routes, type them in this same window in the format: Destination IP Router IP, Destination IP Router IP
14. Expand the Filter Rules tab and verify that the prefix-authorized and prefix-guest filters are both set to the permission deny lease.
15. Click Save, and then click Restart. The Restart button restarts all of the services and finalizes your changes.
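Steps 11-13 rely on DHCP option 33 (the Static Route option from RFC 2132) to give quarantined hosts exactly two reachable destinations while the router option is left blank. The following added example, which is not part of this guide or of Infoblox's software, parses the "Destination IP Router IP, Destination IP Router IP" value format the guide describes, encodes it into the on-the-wire option (code 33, length, then an 8-byte destination/router pair per route), decodes it back, and answers the question Step Six asks with route print: does the quarantined host have a route to a given address? All addresses are constructed placeholders.

```python
# Added example, not from the Sophos/Infoblox guide: encoding and decoding the
# DHCP Static Route option (option 33, RFC 2132 section 5.8) whose value
# Step Five has you type as "Destination IP Router IP, Destination IP Router IP".
# On the wire each route is an 8-byte pair (destination, router), and the
# option carries one or more pairs.  All addresses below are constructed.
import ipaddress
import struct

OPTION_STATIC_ROUTE = 33


def parse_route_text(text):
    """Parse the Grid Manager value string into (destination, router) address pairs."""
    routes = []
    for entry in text.split(","):
        parts = entry.split()
        if len(parts) != 2:
            raise ValueError(f"expected 'destination router', got {entry!r}")
        dst, router = (ipaddress.IPv4Address(p) for p in parts)
        if dst == ipaddress.IPv4Address("0.0.0.0"):
            # RFC 2132: the default route (0.0.0.0) is an illegal option 33 destination
            raise ValueError("0.0.0.0 cannot be a static route destination in option 33")
        routes.append((dst, router))
    return routes


def encode_option33(routes):
    """Serialize routes as the option TLV: code 33, length, then 8 bytes per route."""
    payload = b"".join(dst.packed + router.packed for dst, router in routes)
    if not payload:
        raise ValueError("option 33 needs at least one route")
    if len(payload) > 255:
        raise ValueError("too many routes for a single option 33 instance")
    return struct.pack("!BB", OPTION_STATIC_ROUTE, len(payload)) + payload


def decode_option33(option):
    """Parse an option 33 TLV back into (destination, router) pairs, validating lengths."""
    code, length = struct.unpack("!BB", option[:2])
    if code != OPTION_STATIC_ROUTE:
        raise ValueError("not option 33")
    payload = option[2:2 + length]
    if len(payload) != length or length == 0 or length % 8:
        raise ValueError("malformed option 33 payload")
    return [(ipaddress.IPv4Address(payload[i:i + 4]), ipaddress.IPv4Address(payload[i + 4:i + 8]))
            for i in range(0, length, 8)]


def has_route_to(routes, target):
    """Step Six check: with the router option blank, a quarantined host reaches only
    destinations that have an explicit static route (plus its own subnet)."""
    return any(dst == ipaddress.IPv4Address(target) for dst, _ in routes)


if __name__ == "__main__":
    # Constructed value in the guide's format: NAC server, then the Captive Portal
    text = "192.0.2.10 192.0.2.1, 192.0.2.20 192.0.2.1"
    option = encode_option33(parse_route_text(text))
    print(option.hex())
    for dst, router in decode_option33(option):
        print(f"route {dst} via {router}")
```

Two caveats follow from the encoding. Option 33 carries no subnet mask, so each entry is interpreted classfully by the client and cannot express a default route; if a quarantine design ever needs prefix routes or a default, that is option 121 (Classless Static Route, RFC 3442), not option 33. And because the destination list is the whole of what a quarantined host can reach, the expected result of the route print check in Step Six is exactly the destinations returned by `decode_option33`.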

Step Six: Basic Troubleshooting

Now that all of the necessary entries are configured, test to confirm that the configuration settings are correct. To do this, take a NAC computer that has a valid IP address and make it non-compliant with its policy, so that the NAC server has an entry for this user's MAC address as being non-compliant.

1. Once the NAC application server has the non-compliance record, run ipconfig /release and ipconfig /renew from the command prompt to force the computer to get another IP address. If everything is set up correctly, the non-compliant computer should receive a quarantine IP address from the DHCP server.
2. By running ipconfig /all, you can see that the computer has received an IP address from the quarantine range along with the restricted subnet, router and DNS server settings.
3. To confirm that the computer has a route to the NAC application server and the Captive Portal, run route print to show all the known routes. You should see a route for both the NAC application server and the Captive Portal.
4. Confirm that the computer can open a Web browser; no matter what the user types, he or she should reach the Captive Portal.
5. To confirm that guest access is working, complete the required information, wait a few seconds, and then run ipconfig /all again from the command line to confirm that the computer has received a guest user IP address.
6. To confirm that the authorized range is working, make the computer compliant with NAC policy. Right-click the NAC Agent in the system tray and select Check Compliance. This sends a compliant record to the NAC application server so that authorized users receive an authorized IP address, subnet, router, and DNS information.

If the computer is not able to authenticate, go to the Infoblox Grid Manager and expand the tree until you see the DHCP server in the Members section. Right-click the server and select the system log for the server. This log shows a list of all DHCP/RADIUS transactions, and should show why the authentication request was denied. If all is working properly, you should see a Radius Accept entry in the log. Similarly, if you are non-compliant and you try to authenticate using the Captive Portal, you should see a Registration Error message on the Web portal and a Radius Reject entry in the log. If you have trace logging enabled on the NAC application server, its event logs indicate why the user was given non-compliant status.