UAC 3.0 Queries



  • Hi All

    I’m currently making some plans to segment up our network with an SSG so that everything has its own subnet as follows:

    • clients

    • servers

    • printers

    • IT admins

    • SAN

    • Data Backup

    The latter 2 will be isolated (not connected to any router etc) and will be on dedicated switches.  However, the switch will have one port on the IT admins VLAN for monitoring and management.

    We’re also looking at installing UAC for end point health checking and authentication.  But I have a few questions about how UAC can fit in with our requirements:

    1.  Obviously printers will not be subject to health check.  Is there any way that we can have the UAC device dynamically put our printers in the printer VLAN eg using MAC address or something even more elegant ?  Or will we have to have a dedicated switch for this

    2.  For our IT admins VLAN, is it possible to have the UAC box dynamically put my PC on that subnet after I authenticate (based on AD group membership ) ?

    3.  If so, how can we go about putting one port of the dedicated SAN switch on our IT admin VLAN also so that we can monitor it ?

    4.  We currently have about 8 switches at our office.  If we want the VLAN membership to be dynamic by using the UAC box, I presume the VLAN’s still have to be configured as normal on the switches ?  Or does the UAC box handle this ?  And how does the UAC box assign the client to the relevant VLAN ?  Does it pass this information to the switch ?

    Thanks in advance for any help or guidance anybody can provide



  • Your understanding is correct. I also tried to point out the issue where a printer’s MAC can be spoofed. I mean, it’s fairly simple to use a printer’s MAC. That is why you should do some additional checks and verify that the printer really is a printer.



  • Right … I’ve been doing some reading and I think I have a better grasp of what you were telling me in your last post.  So I’ll have a go at answering my own questions - if somebody could confirm if I’m right, or correct me if I’m wrong, I’d appreciate it so much

    1.  I presume you were referring to MAB here ?  So the printers (and other non 802.1x devices) would have accounts in AD matching their mac address.  And would get authenticated that way.  Then they’d just need to be put into the printers AD group to be dynamically put into that VLAN

    2.  Now I understand that if you choose to do both computer and user authentication with Odyssey, the Odyssey client will briefly disconnect after computer authentication and reconnect after user authentication.  So it would be possible for IT admins to then be put in their own VLAN

    Like I said, if somebody could confirm if my understanding is correct, that’d be great.

    Thanks again



  • Thanks for the reply oldo, sorry for my late response

    I just have 2 further questions:

    1.  Regarding the printers, you said that we should do additional checks to ensure that the printer really is a printer.  I presume that the IC box has a “place” where we can put in a list of MACs for our printers and say these MAC addresses are automatically authenticated (sorry, I’ve not got any experience with UAC yet).  So I don’t understand what you meant by “… verify that the printer actually is a printer and not a PC with a printer mac-address”.  Are you referring to somebody trying to spoof the MAC address ?

    I do agree that using certificates is the best option, but my boss doesn’t want to go for certificates unfortunately 😞

    2.  You mention that it’s possible that my IT Guys can be put on a dedicated VLAN after they authenticate (eg based on group membership).  It’s only occurred to me today though - how would the user authenticate without an IP address !  And if they did have an IP address for the authentication, wouldn’t it need to get released and renewed once they moved onto the IT Admins VLAN ?

    Thanks again for your help, much appreciated



  • 1.  Obviously printers will not be subject to health check.  Is there any way that we can have the UAC device dynamically put our printers in the printer VLAN eg using MAC address or something even more elegant ?  Or will we have to have a dedicated switch for this

    Sure, you can use a “mac-address realm” to perform mac-address authentication. It’s up to you if you wish to have your mac-addresses in a database, local store or an OU in your Active Directory. I do however suggest you do additional checks to verify that the printer actually is a printer and not a PC with a printer mac-address. If possible I’d go for using certificates when authenticating PCs and printers, phones and even users if you can/want. That way you can read a certificate attribute telling you if it is a thin client, PC, printer, etc.

    2.  For our IT admins VLAN, is it possible to have the UAC box dynamically put my PC on that subnet after I authenticate (based on AD group membership ) ?

    Yes, What you want can be done by reading AD attributes or/and group information.

    3.  If so, how can we go about putting one port of the dedicated SAN switch on our IT admin VLAN also so that we can monitor it ?

    Even though your SAN switch has nothing to do with your other switches it will somehow be able to communicate by RADIUS with the IC to authenticate users. If that is possible in your setup you should be fine.

    4.  We currently have about 8 switches at our office.  If we want the VLAN membership to be dynamic by using the UAC box, I presume the VLAN’s still have to be configured as normal on the switches ?  Or does the UAC box handle this ?  And how does the UAC box assign the client to the relevant VLAN ?  Does it pass this information to the switch ?

    As I said, the switch communicates with the switch by RADIUS. That way it receives RADIUS attributes from the IC. That way the switch can assign you to the right VLAN, or apply other policies to the switch port if you want, ie QoS policies, etc.

    Yes you are right, the switch needs to have the vlan in its VLAN table to be able to assign the user to the correct VLAN.
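    As an added illustration (not code from this thread or from Juniper), here is how the RADIUS attributes that carry a dynamic VLAN assignment (RFC 3580 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID) look when the IC builds them into an Access-Accept, and how a switch evaluates them, including the check from the last answer that the VLAN must already exist in the switch’s VLAN table. The VLAN IDs and the VLAN table are constructed sample values.

```python
import struct

# RFC 2868 / RFC 3580 attribute numbers and enumerations used for
# dynamic VLAN assignment in a RADIUS Access-Accept.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _tagged_int(attr_type, tag, value):
    # Tagged integer attribute: type, length (6), tag octet, 3 value octets.
    return struct.pack(">BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def build_vlan_attrs(vlan_id, tag=0):
    """Attributes the RADIUS server (the IC) returns to place a port in vlan_id."""
    gid = str(vlan_id).encode()
    return (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + struct.pack(">BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(gid), tag) + gid)


def parse_attrs(data):
    """Split a RADIUS attribute list into {type: value bytes}; reject bad lengths."""
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def switch_vlan_for_accept(data, vlan_table):
    """Switch-side decision: the VLAN to assign, or None to leave the port
    unauthorized. Mirrors the answer above: the VLAN must be in the VLAN table."""
    a = parse_attrs(data)
    if not all(k in a for k in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)):
        return None
    if int.from_bytes(a[TUNNEL_TYPE][1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(a[TUNNEL_MEDIUM_TYPE][1:], "big") != TUNNEL_MEDIUM_IEEE_802:
        return None
    gid = a[TUNNEL_PRIVATE_GROUP_ID]
    if gid and gid[0] <= 0x1F:       # a leading octet <= 0x1F is a tag, not part of the ID
        gid = gid[1:]
    try:
        vlan = int(gid.decode())     # this example uses numeric VLAN IDs only
    except ValueError:
        return None
    return vlan if vlan in vlan_table else None
```

A missing VLAN yields None, which is why the VLAN table on every switch must carry the printer and IT admin VLANs even though membership is decided by the IC.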

