Configuring Infoblox DHCP - Sophos


Copyright 2008 Sophos Group. All rights reserved. No part of this publication may be reproduced, stored in retrieval system, or transmitted, in any form or by any means electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner. All other product and company names are trademarks or registered trademarks of their respective owners. Document version 3.0 Published February 2008


Table of Contents

Configuring Infoblox DHCP to work with Sophos NAC ... 4
Step One: Create and Configure DHCP Ranges ... 4
Step Two: Create a Radius Client on the NAC Application Server ... 5
Step Three: Configure External RADIUS Servers ... 6
Step Four: Configuring DHCP Authentication and Captive Portal ... 7


Configuring Infoblox DHCP to work with Sophos NAC

This document outlines the steps necessary to implement Sophos NAC DHCP Enforcement using the Infoblox DNS-One appliance. It assumes that NIOS v4.2 (the latest current version) is running on the Infoblox appliance and that a valid DHCP and RADIUS license is installed. More information about this appliance and its configuration is available in the Infoblox Administrator Guide, which is in the support section of the Infoblox website (www.infoblox.com/support). The following steps allow you to set up the Infoblox appliance for integration with Sophos NAC. The following is assumed about the existing DHCP environment:

▪ You have some existing knowledge of the Infoblox DNS-One appliance
▪ Your Infoblox appliance is already set up and working with regular DHCP
▪ Your Infoblox appliance has the necessary IP addresses needed for setup
▪ Your Infoblox appliance has a network defined in the Networks section
▪ The Grid Manager is working
▪ You are running the necessary Java software to start the Grid Manager software (currently running on JRE 1.6.0.40).

Step One: Create and Configure DHCP Ranges

Go to the DHCP and IPAM section and select the Networks section. You need to have three DHCP ranges created. These ranges are associated with authorized, quarantine and guest users so that a different range can be used depending on compliance state.

Note: Make sure to add the local DHCP server as a Member in the Member Assignment tab in the properties.

1. Right-click your Network (if you have created multiple networks, right-click the one that you want to use for authorized users) and click Add DHCP Range. The Add DHCP Range tab opens so that you can create the IP range that will be applied to authorized users.

2. Add a comment specifying what the range will be used for and click Save.


3. Repeat steps 1-2 to create IP ranges for quarantine and guest use. Configurations will vary depending on the network structure. This document is only using one network IP block for illustrative purposes.

Step Two: Create a Radius Client on the NAC Application Server

Now that you have created the IP ranges, you need to set up the Infoblox appliance to forward requests to the NAC application server for authentication.

1. Minimize the open Infoblox Grid Manager and use Remote Desktop (or another method) to access the NAC application server.

2. Open IAS and go into the Radius Clients section.

3. Right-click and select New Radius Client.

4. Type the name and IP address of the Infoblox appliance, and assign a shared secret for authentication.


Step Three: Configure External RADIUS Servers

Now that you have created the Radius Client in IAS, go back into the Infoblox Grid Manager and create the corresponding entry.

1. Click AAA and click the External Servers tab.

2. Right-click the RADIUS Authentication Home Server, and select Add RADIUS Authentication Home Server.

3. In the properties tab to the right, type the Name, IP Address, and Port of the Sophos NAC application server.

4. Click Add and type the shared secret. This is the same shared secret that you entered on the NAC application server in Step Two.

5. Click Select Member, highlight the Infoblox entry, and then click OK twice to close both windows.


6. Repeat steps 1-5 in the RADIUS Accounting Home Servers section to create the second entry, for RADIUS accounting.

You should now have two entries pointing to the NAC application server, one within the RADIUS Authentication Home Servers (on port 1812), and the other within the RADIUS Accounting Home Servers (on port 1813).
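The shared secret entered in Steps Two and Three is what lets the Infoblox appliance and the NAC server validate each other's RADIUS packets. As an added example that is not from the Sophos guide or from the Infoblox or IAS products, the Python below builds a minimal Access-Request and the matching Access-Accept per RFC 2865 and checks the Response Authenticator with the correct and with a wrong secret; the User-Name and Filter-Id contents are constructed, and using Filter-Id to carry the MAC filter name is an assumption.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, FILTER_ID = 1, 11  # standard RFC 2865 attribute types

def build_attrs(attrs):
    """Encode (type, value) pairs as RADIUS Type-Length-Value attributes."""
    out = b""
    for atype, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def access_request(ident, attrs, request_auth=None):
    """Access-Request as the Infoblox appliance (RADIUS client) sends it to port 1812.
    The 16-byte Request Authenticator is random and is mixed into the reply's hash."""
    request_auth = request_auth or os.urandom(16)
    body = build_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + request_auth + body

def response(code, request_pkt, secret, attrs):
    """Access-Accept/Reject as the NAC server (IAS) answers. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), so it depends on the secret."""
    body = build_attrs(attrs)
    header = struct.pack("!BBH", code, request_pkt[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request_pkt[4:20] + body + secret).digest()
    return header + resp_auth + body

def verify_response(response_pkt, request_pkt, secret):
    """Client-side check of a reply: same ID, sane length, and the authenticator recomputed
    with the local secret. Returns the packet code, or None if the secrets do not match."""
    code, ident, length = struct.unpack("!BBH", response_pkt[:4])
    if length != len(response_pkt) or ident != request_pkt[1]:
        return None
    expected = hashlib.md5(response_pkt[:4] + request_pkt[4:20]
                           + response_pkt[20:] + secret).digest()
    return code if expected == response_pkt[4:20] else None

def demo():
    """Constructed exchange: the shared secret verifies, a wrong secret does not."""
    secret = b"constructed-shared-secret"
    mac = b"00:11:22:33:44:55"  # constructed client MAC sent as User-Name (assumption)
    req = access_request(7, [(USER_NAME, mac)])
    # Filter-Id naming the MAC filter list is an assumption; the guide only says the
    # NAC server returns which filter list the client belongs in.
    acc = response(ACCESS_ACCEPT, req, secret, [(FILTER_ID, b"prefix-quarantine")])
    return verify_response(acc, req, secret), verify_response(acc, req, b"wrong-secret")
```

A secret mismatch between the IAS client entry and the Infoblox home server entry fails at the authenticator check, which is the first thing to compare when the system log in Step Six shows no "Radius Accept".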

Step Four: Configuring DHCP Authentication and Captive Portal

Now that you have created your external server entries, you can configure the Infoblox appliance to send authorization requests to the NAC application server, which then sends back the MAC filter list that the user should be placed in.

1. Open the AAA Members tab and double-click your DHCP server. This opens the Properties box on the right.

2. Expand the RADIUS Authentication tab on the right and select the Listen on RADIUS authentication port check box, or verify that it is already selected. Leave the authentication port at 1812.

3. Expand the RADIUS Accounting tab on the right and select the Listen on RADIUS accounting port check box, or verify that it is already selected. Leave the accounting port at 1813.


4. Expand the DHCP Authentication tab below the RADIUS Accounting tab and select the DHCP Authentication check box.

5. Type the word prefix for the MAC Filter Name Prefix.

6. Select the Portal IP from the list box.

Note: If you don't have an IP address to choose from, then you don't have a 2nd IP assigned to your Infoblox appliance. You need to add one. For more information, see the Infoblox Admin Guide.

7. Locate the Authentication Policy and click Add.

8. Expand the RADIUS Authentication Services section and select the NAC application server that you previously created. Verify that the Success and Failure option buttons are selected (success = success, failure = failure). Click OK.


9. After adding the NAC application server to the Authentication Policy, select the Enable RADIUS accounting check box and select the NAC application server from the list box. Also select the Log authentication success check box and the Log authentication failure check box. These selections are helpful for troubleshooting.

10. Now that logging is enabled, select the Enable guest authentication check box. Select any additional check boxes you require. These check boxes depend on what information you want guests to have to type before receiving a guest IP address.


11. Make the appropriate customizations for your company so that when users access the captive portal, they will see a welcome message as well as a phone number for the help desk.

12. Expand the DHCP Authorization tab and click Add for the quarantine range. Note: If you do not see any entries, then your networks do not have a member assignment for grid membership.

13. Select the network that you want to use for quarantined users, and then click OK.

14. Click the Enforce quarantine lease time check box and type a lease timeout in seconds. Sophos recommends setting this low (around 30-60 seconds), since this is the time that the user's MAC address will remain in quarantine after checking compliance. Note: If this setting is too high, then it is possible for a user who was initially non-compliant and then became compliant to still be in the quarantine filter list.

15. Select the Automatically Expires option button within the guest DHCP range, and then specify an expiration time. Six hours is reasonable for guest users. However, it is really a matter of preference since guest users will usually remain guests for the duration of their stay.

16. Click Add, and then select the IP Range that you want guest users to receive.


17. Configure the authorized DHCP range in the same fashion as the guest and quarantine ranges. Specify the authorized range expiration depending on how much you want to restrict access for compliant users. Traditionally, this setting is approximately six hours so that compliant users are not continuously forced to go to the Captive Portal and log in again to get an IP from the authorized range.

18. Once the expiration has been set, add the IP range that authorized users will be given. Traditionally this range will be the IP range with full network access.

19. Enable the self-service portal and configure it as needed. Click Save at the top left of the Infoblox Grid Manager to save your changes.


Step Five: Customizing the DHCP Ranges for Quarantined Users

Now that you have created entries for DHCP authentication, you need to go back and configure the quarantine DHCP range to restrict network access for quarantined users. Ideally, quarantined users should also be on a separate subnet from each other and from the authorized network.

1. Go back to the Infoblox Grid Manager. In the IPAM section, expand the Networks button within the Networks tab. All three network ranges should display. This document has you set up all of your ranges in the same subnet for testing purposes only.

2. Highlight the authorized DHCP range, right-click, and select View Properties.

3. Within the Properties (on the right-hand side), expand the Lease Times tab, and then click the Override network lease time check box. Specify an appropriate lease time as needed for authorized users.

4. Expand the Filter Rules tab and confirm that the prefix-authorized filter rule is applied to this range.


5. Right-click and expand the quarantine range, and select View Properties.

6. Select the Override network routers and Override network DNS servers check boxes. Leave the router blank and set the DNS servers to the Infoblox appliance's IP address. These settings make it impossible for quarantined users to get anywhere outside of the Infoblox server.

7. Select the Override network option list and Ignore option list requested by client and return all defined options check boxes.


8. Expand the Lease Times section and select the Override network lease time check box. Specify the Lease Time value to something low, such as 5 minutes or lower.

9. Expand the Custom Options to give quarantined users static routes to resources such as the NAC application server. A static route to the NAC application server ensures that if users have a NAC Agent installed, then they are able to get to the NAC application server to retrieve the latest policy.

10. Select the Override network custom options check box.

11. Click Add. Once the Option window opens, click Select Option, select Option 33, and then click OK.

12. In the Value field, type the IP address of the NAC application server followed by a space, and then type the IP address of the default gateway for this IP address.

13. Add a secondary static route after the first one so the client has a route to the Captive Portal, and then click OK to close the window. Note: To add more static routes, type them in this same window in the format: Destination IP Router IP, Destination IP Router IP

14. Expand the Filter Rules tab and verify that the prefix-authorized and prefix-guest are both set to the permission of deny lease.

15. Click Save, and then click Restart. The Restart button restarts all of the services and finalizes your changes.
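The static route value format from steps 12-13 (Destination IP Router IP, Destination IP Router IP) is what the appliance packs into DHCP option 33 for the quarantine range. As an added example that is not from the Sophos guide or from Infoblox, the Python below parses that value string, encodes the option as a quarantined client receives it on the wire, decodes it back, and checks that routes to both the NAC application server and the Captive Portal are present; all addresses are constructed.

```python
import ipaddress

OPTION_STATIC_ROUTE = 33  # DHCP option 33, Static Route (RFC 2132 section 5.8)

def parse_route_list(value):
    """Parse the Infoblox value string 'Dest Router, Dest Router' into
    (destination, router) IPv4Address pairs, rejecting malformed entries."""
    routes = []
    for entry in value.split(","):
        parts = entry.split()
        if len(parts) != 2:
            raise ValueError(f"expected 'Destination IP Router IP', got {entry!r}")
        dest, router = (ipaddress.IPv4Address(p) for p in parts)
        if dest == ipaddress.IPv4Address("0.0.0.0"):
            raise ValueError("0.0.0.0 is not a legal option 33 destination")
        routes.append((dest, router))
    return routes

def encode_option33(routes):
    """Wire format: tag 33, length, then 8 bytes (destination, router) per route."""
    payload = b"".join(dest.packed + router.packed for dest, router in routes)
    if not payload or len(payload) > 255:
        raise ValueError("option 33 needs 1..31 routes")
    return bytes([OPTION_STATIC_ROUTE, len(payload)]) + payload

def decode_option33(data):
    """Decode the option a client received; a length that is not a multiple of 8 is malformed."""
    tag, length = data[0], data[1]
    if tag != OPTION_STATIC_ROUTE or length != len(data) - 2 or length % 8:
        raise ValueError("malformed option 33")
    body = data[2:]
    return [(ipaddress.IPv4Address(body[i:i + 4]), ipaddress.IPv4Address(body[i + 4:i + 8]))
            for i in range(0, length, 8)]

def quarantine_routes_ok(value, nac_server, portal_ip):
    """Steps 12-13 check: after a round trip through the wire format, the option must
    still carry a route to the NAC application server and one to the Captive Portal."""
    dests = {str(d) for d, _ in decode_option33(encode_option33(parse_route_list(value)))}
    return {nac_server, portal_ip} <= dests
```

Option 33 carries bare destination/router pairs with no netmask, so each entry in steps 12-13 is a host route to one server, which is what the route print in Step Six should show.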


Step Six: Basic Troubleshooting

Now that all of the necessary entries are configured, test to confirm that the configuration settings are correct. To do this, take a NAC computer that has a valid IP and make it non-compliant with its policy so that the NAC server has an entry for this user's MAC address as being non-compliant.

1. Once the NAC application server has the non-compliance record, run ipconfig /release and then ipconfig /renew from the command prompt to force the computer to get another IP address. If everything is set up correctly, the non-compliant computer should receive a quarantine IP address from the DHCP server.

2. By running ipconfig /all, you can see that the computer has received an IP from the quarantine range and has received bad subnet, router and DNS server information.

3. To confirm that the computer has a route to the NAC application server and the Captive Portal, you can do a route print to show all the known routes. You should see a route for both the NAC application server and the Captive Portal.

4. Confirm that the computer can open a Web browser and no matter what the user types, he or she should reach the Captive Portal.

5. To confirm that the guest access is working, complete the required information, and then wait for a few seconds and do another ipconfig /all from the command line to confirm that the computer has received a guest user IP.

6. To confirm that the authorized range is working, make the computer compliant with NAC policy. Right-click the NAC Agent in the system tray and select Check Compliance. This sends a compliant record to the NAC application server so that authorized users receive an authorized IP address, subnet, router, and DNS information.

If the computer is not able to authenticate, go to the Infoblox Grid Manager section and expand until you see the DHCP server in the Members section. Right-click the server and select the system log for the server. This log lists all DHCP/RADIUS transactions and should show why the authentication request was denied. If all is working properly, you should see an entry in the log for "Radius Accept". Similarly, if you are non-compliant and you try to authenticate using the Captive Portal, you should see a "Registration Error" message on the Web portal and a "Radius Reject" entry in the log. If you have trace logging enabled on the NAC application server, its event logs indicate why the user was given the non-compliant status.