I'm working with Impulse SafeConnect and I've got Cisco Layer 2 switching (2960-X) and Cisco WLC with APs in Local Mode. I'm attempting to implement 802.1x auth on these platforms with SafeConnect as the RADIUS controller. Our previous SafeConnect deployment had Layer 3 enforcement so quarantined devices were all policy-based routed to the SafeConnect appliance which would act as a proxy for AV websites but block everything else.
The issue is trying to allow Quarantined clients to get out to the web for certain things like AV downloads and updates so that they can self remediate. Apparently, the remediation bit is the only thing that the Layer 3 deployment option really does better.
With 802.1x I'm utilizing a Redirect URL ACL on the Layer 2 switches but Cisco switches don't seem to do DNS or URL based ACLs. You can enter a DNS name and it immediately gets converted to an IP. For something in Amazon Cloud Services, this is likely to be a problem due to IP changes or a DNS name that resolves to multiple IPs.
The Cisco WLC CAN utilize some DNS names with a standard ACL, however, it seems like it can only hold about 20 entries which sounds like a lot until you realize that some AV vendors utilize multiple URLs for updates that don't always exist in their registered CIDR.
Options I'm considering:
- Limit the number of AV vendors we officially support and do our best in the ACLs to allow access to these even while in Quarantine
- Turn off the policy check for AV updates and maybe only check to make sure the user has one installed and running (I believe this already being done for Mac clients... Windows clients are the only ones checking to make sure everything is up-to-date)
- Create a Quarantine VLAN for every building and expand our SafeConnect policy to allow for this and then have the RADIUS commands tell switches to move the client to that Quarantine VLAN if they fail policy. Policy Based Routing can be applied on this VLAN to force all traffic to SafeConnect. The issue here is that, apparently, devices can get stuck because they don't realize they need to ask for a new IP when the VLAN switching occurs.
I'm looking for recommendations for what others do in a BYOD environment like public Wifi and on-campus housing networks.
Thanks!
No comments:
Post a Comment