LANDesk 802.1x Concise User Manual V88(5)

2025-09-02

LtaEap.dll: Requires Windows 2000 SP4 or a later platform. LtaEap.dll plugs into the RAS manager and is loaded at system startup, so installing or upgrading LtaEap.dll requires a system reboot. When authentication fails or the supplicant does not pass the agent/health checks, LtaEap.dll prepares the quarantine IP network configuration and suppresses the subsequent login prompts that the authenticator's EAP-Request/Identity frames would otherwise cause.

Vulscan.exe: A component of LANDesk Patch Management. It performs the health scan using the rules and definitions configured with LANDesk Patch Manager and stored on the core or remediation server. For the health scan, it must run with the /compliance2 command switch when in the corporate network, and with the /agentbehaviorfile=, /compliance and /coreserver= command switches when in the quarantine network. The scan result is stored locally for LtaEap.dll to check.

NicRestart.exe: Restarts the NIC or the Windows wireless configuration service. If the NIC is restarted, the switch port detects link down and link up and, in response, sends an EAP-Request/Identity packet. If the wireless service is restarted, the supplicant sends EAPOL/Start to the authenticator, and the authenticator replies with an EAP-Request/Identity. In both cases a new authentication process is triggered. The difference between restarting the NIC and restarting the service is that restarting the NIC also makes the system load the new IP configuration.

Client-side workflow

When authentication fails or the supplicant cannot pass the agent/health checks, LtaEap.dll saves the current IP configuration, sets up the quarantine IP configuration, blocks further EAPOL/Start and EAP-Request/Identity frames, and then lets the system reload the new IP configuration by running NicRestart.exe /q /noui.

When Vulscan.exe finishes the health compliance scan in either the corporate network or the quarantine network and has stored the scan result locally, it runs NicRestart.exe /r /vc= with the number of vulnerabilities found. NicRestart.exe reacts to this call differently depending on the vulnerability count passed in and on the supplicant's current state.

If the vulnerability count is zero and the supplicant is not in the quarantine state, or the count is non-zero and the supplicant is in the quarantine state, NicRestart.exe does not trigger an authentication process and the supplicant remains in its current state.

If the vulnerability count is zero and the supplicant is in the quarantine network, NicRestart.exe restores the saved IP configuration, re-enables EAPOL/Start and EAP-Request/Identity, and restarts the NIC so that the system loads the restored IP configuration and a new authentication process is triggered; once the proper credentials are supplied, the supplicant leaves the quarantine network and returns to the corporate network.

If the vulnerability count is greater than zero and the supplicant is in the corporate network, NicRestart.exe restarts the wireless configuration service to trigger a new authentication process, which results in the supplicant being placed in the quarantine network.


Appendix 2: Switch configuration reference

(1)

Cisco 3560 example

Building configuration...

Current configuration : 2089 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
username landesk
aaa new-model                                           <- enable 802.1x authentication globally
aaa authentication dot1x default local group radius
aaa authorization network default local group radius    <- enable dynamic VLAN assignment
!
aaa session-id common
system mtu routing 1500
ip subnet-zero
ip routing                                              <- Layer 3 switching requires IP routing
ip dhcp excluded-address 1.1.1.1                        <- reserve the IP address of the remediation server
ip dhcp excluded-address 1.1.1.254                      <- reserve the IP address of the gateway
!
ip dhcp pool remediation                                <- name and address pool of the quarantine zone
   network 1.1.1.0 255.255.255.0
   dns-server 1.1.1.1
   default-router 1.1.1.254
!
dot1x system-auth-control                               <- enable 802.1x globally
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11                              <- enter port configuration
 switchport access vlan 10                              <- healthy VLAN 10
 switchport mode access                                 <- PC connection (access) mode
 dot1x pae authenticator                                <- enable 802.1x on the port
 dot1x port-control auto
 dot1x timeout tx-period 10                             <- authentication timer; 10 is recommended, it is faster
 dot1x guest-vlan 20                                    <- specify the Guest VLAN
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
 switchport access vlan 20
!
interface FastEthernet0/20
!
interface FastEthernet0/21
 switchport access vlan 10
!
interface FastEthernet0/22
!
interface FastEthernet0/23
 switchport access vlan 10
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 10.10.10.254 255.255.255.0
 shutdown                                               <- shut down the default VLAN
!
interface Vlan10                                        <- Vlan10 is the healthy VLAN
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan20                                        <- Vlan20 is the quarantine VLAN
 ip address 1.1.1.254 255.255.255.0
!
ip classless
ip http server
ip http secure-server
!
!
radius-server host 192.168.1.2 auth-port 4001 acct-port 1813 key scab
radius-server source-ports 1645-1646
!
control-plane
!
!
line con 0
line vty 5 15
!
end

Switch#
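A configuration check that a deployer of the above would want, added here as an example and not part of the manual or of LANDesk's tooling: it parses an IOS running-config into interface blocks and lists access ports assigned to the healthy VLAN that have no dot1x port-control auto, since a host on such a port reaches the corporate VLAN without authentication or a health scan. The embedded excerpt is constructed from the sample above, in which FastEthernet0/21 and 0/23 sit on VLAN 10 without 802.1x.

```python
from typing import Dict, List

# Constructed excerpt of the manual's Cisco 3560 sample (relevant lines only).
SAMPLE_CONFIG = """
dot1x system-auth-control
interface FastEthernet0/11
 switchport access vlan 10
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout tx-period 10
 dot1x guest-vlan 20
!
interface FastEthernet0/19
 switchport access vlan 20
!
interface FastEthernet0/21
 switchport access vlan 10
!
interface FastEthernet0/23
 switchport access vlan 10
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' block to the list of its indented sub-commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command closes the block
    return blocks

def global_dot1x_enabled(config: str) -> bool:
    """True when 'dot1x system-auth-control' is present at global level."""
    return "dot1x system-auth-control" in (l.strip() for l in config.splitlines())

def unprotected_ports(config: str, healthy_vlan: str) -> List[str]:
    """Access ports on the healthy VLAN that lack 'dot1x port-control auto'."""
    return [name for name, cmds in parse_interfaces(config).items()
            if f"switchport access vlan {healthy_vlan}" in cmds
            and "dot1x port-control auto" not in cmds]
```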


Refer to the screenshot on page 9 above.

