Campus Networks

Campus Network Solution-Deployment Guide: Impulse Point SafeConnect for BYOD

Posted on 03-22-2013 12:02 PM, edited on 04-25-2014 10:44 AM by Community Manager

Synopsis: A detailed deployment guide for a BYOD solution using Impulse Point's SafeConnect NAC appliance and Brocade Campus Network products.

 

 

 

Preface

 

Overview

With the increasing demand for Bring-Your-Own-Device (BYOD) implementation across existing campus networks, it is essential to understand the changes required to deploy it across network devices including routers, switches and WLAN Access Points (WAP). The network configuration changes depend on the NAC solution used.

 

Brocade campus products suitable for BYOD solutions include Brocade FastIron, Brocade NetIron, and Brocade Mobility controllers and access points. This solution includes Brocade FastIron SX, Brocade ICX Switches and Brocade Mobility Access Point products in a common campus topology.

 

The BYOD solution discussed here is developed in partnership with Impulse Point using their SafeConnect NAC appliance. For further details on the Impulse SafeConnect NAC Enforcer, see the Related Documents section.

 

Purpose of This Document

The document provides a step-by-step procedure for network and SafeConnect NAC appliance configuration. Procedures to validate device detection, authentication and administration are provided.

 

Audience

This document is intended for solution, network and IT architects who are evaluating and deploying BYOD solutions in their existing campus networks.

 

Objectives

Examples of how to deploy the SafeConnect NAC appliance in an existing Brocade network are provided with detailed configuration procedures. A companion Impulse Point SafeConnect BYOD solution design guide is listed in the Related Documents section. Although the deployment procedures use a core/distribution/access topology, the SafeConnect NAC appliance can be used in a variety of network topologies including core/edge.

 

Related Documents

 

References

 

Key Contributors

The content in this guide was developed by the following key contributors.

  • Lead Architect: Venugopal Nalakonda, Strategic Solutions Lab
  • Technical Author: Brook Reams, Strategic Solutions Lab

 

Document History

Date                 Version        Description

2013-03-xx         1.0              Initial Release

 

About Brocade

Brocade® (NASDAQ: BRCD) networking solutions help the world’s leading organizations transition smoothly to a world where applications and information reside anywhere. This vision is designed to deliver key business benefits such as unmatched simplicity, non-stop networking, application optimization, and investment protection.

 

Innovative Ethernet and storage networking solutions for data center, campus, and service provider networks help reduce complexity and cost while enabling virtualization and cloud computing to increase business agility.

 

To help ensure a complete solution, Brocade partners with world-class IT companies and provides comprehensive education, support, and professional services offerings. (www.brocade.com)

 

About Impulse Point

Impulse Point is a privately-held company addressing the challenges of managing network access policies and endpoint security within large infrastructures. SafeConnect offers an easy to implement and support endpoint policy management system. It seamlessly connects into existing multi-vendor network infrastructures while providing the flexibility to adhere to each organization’s unique computing policy philosophies. SafeConnect’s unique architecture provides a true out-of-line NAC solution that is vendor-independent, scalable, and flexible to meet your growth needs – resulting in reduced time, expense, and risk.

 

Technical Architecture

The Impulse BYOD Solution design guide shows a traditional core/distribution/access topology and an efficient core/edge topology. Both topologies meet the needs of campus networks and are supported. Each tier in the topology provides specific services and functionality including:

Access

  • STP-free Layer 2 connectivity between devices and network
  • Provides high-bandwidth uplink 1G/10G LACP LAG connectivity to Distribution

Distribution

  • Layer 2/Layer 3 based connectivity across access/core
  • Layer 2/Layer 3 Link/Node Protection via MCT and VRRP-e
  • Provides connectivity to BYOD SafeConnect NAC appliance in addition to services infrastructure (i.e DHCP/DNS/AD)

Core

  • L3 IP services using IGP (OSPF) connectivity
  • L3 connectivity to MCT-based Distribution

Edge

  • STP-free connectivity between devices and the network
  • Terminates Layer 2 traffic within the device or the stack
  • Layer 2/Layer 3 resiliency via stacking with master/standby switches

 

Although this deployment guide is based on the traditional core/distribution/access blocks, SafeConnect can be used with the core/edge design blocks as well.

 

For additional details and configuration of the individual features referred to here, such as LACP LAG, MCT and VRRP-e, please refer to the FastIron Family Configuration Guide in the Related Documents section.

 

Other network services such as DHCP, DNS, AD and HTTP are needed for the BYOD solution. Configuration of these services is not covered in this document.

 

A key requirement for integrating the SafeConnect NAC appliance is access to one or more Layer 3 switch/router points. SafeConnect requires these devices to be configured with:

  • Traffic sample flow (sFlow) and
  • Policy-Based Routing (PBR).

 

Depending on the type of design blocks used in the existing network, chassis-based MCT and switch stacking can provide Layer 2 resiliency and availability. The following table shows how to enable sFlow and PBR for each.

 

Feature    Chassis-based                                          Stack-based

sFlow      Enable sFlow on both MCT cluster nodes via CLI/BNA     Enable only on the Master Unit via CLI/BNA

PBR        Enable PBR on both MCT cluster nodes via CLI/BNA*      Enable PBR only on the Master Switch via CLI/BNA*

* Provisioning of PBR is supported via BNA 12.0 (or later) only for NetIron products (i.e., MLX)

 

sFlow is an IETF standard (RFC 3176) for Layer 2/Layer 3 traffic analysis and monitoring. It is supported in hardware on Brocade campus switches/routers. SafeConnect requires Layer 3 based sFlow for detecting a device's connection to the network. Therefore, the device should be assigned a DHCP-based IP address prior to SafeConnect detection of the device.

 

PBR uses Layer 3 access control lists (ACL) and route maps in hardware to selectively modify packet headers and re-route them. The route map matches on the access control elements (ACE) of the ACL, and then specifies the SafeConnect IP address as the next hop for traffic.

 

For additional information about sFlow and PBR, please refer to the FastIron Family Configuration Guide in the Related Documents section.

 

The following diagram shows how SafeConnect is integrated into the network, providing NAC services for wired and wireless devices.

 

[Figure: Impulse Point SafeConnect Solution Topology]

 

References

 

Configuring the Network for SafeConnect Integration

 

The example configuration uses a four-member Brocade ICX-6610, 40GbE stack (ICX-A) to represent the access layer. Multiple stacks are commonly used in the access layer of a campus network, so the configuration procedure is applied to each of them.

 

The ICX-A stack aggregates traffic via LACP LAG for all connected devices, forwarding it on uplinks to a pair of Brocade FSX-800 chassis switches configured with Multi-Chassis Trunking (MCT) at the distribution layer. Virtual Router Redundancy Protocol-Extended (VRRP-E) is also configured on the pair of FSX-800 switches to provide a resilient virtual Layer 3 default gateway for all the devices connected to the access layer switches. In larger campus networks, multiple distribution layer switches can be deployed, so the distribution layer configuration procedure is applied to each of them.

 

The SafeConnect NAC appliance is connected to a pair of Brocade FastIron SX-800 switches at the distribution layer. Network services including DHCP, Active Directory, DNS and HTTP were installed using VMware ESXi 5.0 with NAS storage from Violin Memory. These services can be deployed on physical servers as well, but many networks use server virtualization to host network services to reduce cost.

 

Brocade Mobility WAPs are installed and connected to POE/PoE+ ports on a switch. Depending on the location of the Layer 3 router the SafeConnect appliance is attached to, sFlow and PBR are configured.

 

Typically, a SafeConnect NAC appliance is installed in an existing network. Therefore, the procedures in this guide only include the changes needed to the existing network. These include:

  • Access Layer: Deploy BR-7131 WAP for BYOD wireless device connectivity
  • Distribution Layer: Configure and validate sFlow and PBR
  • Core Layer:  No changes are required.

 

Topology

The diagram below shows the example configuration used to document the configuration and deployment procedures in this guide.

 

[Figure: Deployment Configuration]

 

The configuration is representative of a traditional core/distribution/access topology commonly found in campus networks. Although multiple access stacks and distribution switches are used depending on the scale of the network, this simple topology makes it easy to document what and where configuration changes need to be made in an existing network.

 

Pre-requisites

  1. Since SafeConnect is integrated into the existing campus network, all of the VLAN/IP addressing and device-network connectivity should be working prior to integrating SafeConnect.
  2. Multiple 10GbE uplink ports are used on each ICX stack unit. This requires installation of the POD-license prior to connecting the uplink ports.
  3. All switches and routers should be accessible via Telnet, SSH and SNMP on the management network.
  4. All network services such as DHCP, active directory, HTTP are configured and operational before SafeConnect integration.
  5. The table below shows the VLAN and IP address assignments used in the example configuration.

 

Device                                            VLAN wired/wireless   IP Network     VRRP-e GW

Device Access to Network Services (DHCP/AD/DNS)   110                   12.0.0.0/16    12.0.0.52

BR-7131 WAP                                       Default VLAN 1        12.0.0.0/16    12.0.0.52

SafeConnect NAC Appliance                         130                   13.0.0.0/16    13.0.0.52

 

Bill of Materials

The following products were used in this example configuration.

 

SafeConnect NAC Appliance

  Identifier: BYOD NAC
  Vendor:     IMPULSE
  Model:      SafeConnect Enforcer
  Components:
    • 1RU NAC Linux server appliance
    • Software License

Core Template Components

  Identifier: SX-3/SX-4
  Vendor:     BROCADE
  Model:      SX-800 Chassis
  Components:
    • SX-FI2XGMR6 2-port MP
    • SX-FI-8XG 8-port 10G Fiber
    • SX-FI62XG 2-port 10G
  Software:   FastIron 7.4 (SXR07400)

Distribution Template Components

  Identifier: SX-1/SX-2
  Vendor:     BROCADE
  Model:      SX-800 Chassis
  Components:
    • SX-FI2XGMR6 2-port MP
    • SX-FI-8XG 8-port 10G Fiber
    • SX-FI62XG 2-port 10G
  Software:   FastIron 7.4 (SXR07400)

Access Template Components

  Identifier: ICX-A
  Vendor:     BROCADE
  Model:      ICX-6610-24
  Components:
    • ICX6610-24F 24-port MP
    • ICX6610-QSFP 10-port 160G
    • ICX6610-8-port Dual Mode (SFP/SFP+)
    • ICX6610-ADV-LIC-SW
    • ICX6610-10G-LIC-POD
  Software:   FastIron 7.4 (FCXR07400)

  Identifier: ICX-A
  Vendor:     BROCADE
  Model:      ICX-6610-24P
  Components:
    • ICX6610-24P POE 24-port MP
    • ICX6610-QSFP 10-port 160G
    • ICX6610-8-port Dual Mode (SFP/SFP+)
    • ICX6610-ADV-LIC-SW
    • ICX6610-10G-LIC-POD
  Software:   FastIron 7.4 (FCXR07400)

  Identifier: ICX-A
  Vendor:     BROCADE
  Model:      ICX6610-48
  Components:
    • ICX6610-48 48-port MP
    • ICX6610-QSFP 10-port 160G
    • ICX6610-8-port Dual Mode (SFP/SFP+)
    • ICX6610-ADV-LIC-SW
    • ICX6610-10G-LIC-POD
  Software:   FastIron 7.4 (FCXR07400)

  Identifier: WAP1
  Vendor:     BROCADE
  Model:      Brocade AP-7131 WAP
  Software:   Version 5.4

 

Task 1: Access Configuration

 

Description

The following configuration steps should be performed on each of the WAPs in the access layer.

  1. Power up WAP using POE/POE+
  2. Set up WAP for wireless device connectivity

 

Assumptions

  1. The BR-7131 WAP is installed and connected to the ICX-A stack.
  2. To ensure end-to-end connectivity all access VLANs are extended/configured on every Layer 2 switch in the network.

 

Step 1: Power up WAP Using POE/POE+

Brocade BR-7131 WAPs can be powered via POE/POE+ by enabling the ICX-A switch port the WAP is connected to for PoE/PoE+ power. The following configuration is needed on the powered ICX switch ports.

----------

interface ethernet 2/1/1

port-name To-WAP1

inline power <- Base POE/POE+ CLI

inline power power-by-class <1-4> <- Additional POE/POE+ class based options

----------

 

Confirm WAP Power-Up Using PoE/PoE+

Use the following command to confirm ports are powered.

----------

ICX-A#sh inline power

Power Capacity: Total is 748000 mWatts. Current Free is 718000 mWatts.

Power Allocations: Requests Honored 57 times

 

Port   Admin Oper     ---Power(mWatts)---  PD Type PD Class  Pri  Fault/

        State   State Consumed  Allocated                          Error

--------------------------------------------------------------------------

2/1/1  On      On      12301      30000  802.3at    Class 4  3      n/a

2/1/2  On      Off         0          0   n/a      n/a       3      n/a

2/1/3  On      Off         0          0   n/a      n/a       3      n/a

2/1/4  On      Off         0          0   n/a      n/a       3      n/a

2/1/5  On      Off         0          0   n/a      n/a       3      n/a    

2/1/6  Off     Off         0          0   n/a      n/a       3      n/a

2/1/7  Off     Off         0          0   n/a      n/a       3      n/a

2/1/8  Off     Off         0          0   n/a      n/a       3      n/a

2/1/9  Off     Off         0          0   n/a      n/a       3      n/a

2/1/10 Off     Off         0          0   n/a      n/a       3      n/a

2/1/11 Off     Off         0          0   n/a      n/a       3      n/a

2/1/12 Off     Off         0          0   n/a      n/a       3      n/a       

2/1/13 Off     Off         0          0   n/a      n/a       3      n/a

2/1/14 Off     Off         0          0   n/a      n/a       3      n/a

2/1/15 Off     Off         0          0   n/a      n/a       3      n/a

2/1/16 Off     Off         0          0   n/a      n/a       3      n/a

2/1/17 Off     Off         0          0   n/a      n/a       3      n/a

2/1/18 Off     Off         0          0   n/a      n/a       3      n/a

2/1/19 Off     Off         0          0   n/a      n/a       3      n/a  

2/1/20 Off     Off         0          0   n/a      n/a       3      n/a

2/1/21 Off     Off         0          0   n/a      n/a       3      n/a

2/1/22 Off     Off         0          0   n/a      n/a       3      n/a

2/1/23 Off     Off         0          0   n/a      n/a       3      n/a

2/1/24 Off     Off         0          0   n/a      n/a       3      n/a

--------------------------------------------------------------------------

Total                  12301      30000

----------

 

References

Step 2: Setup WAP for Wireless Device Connectivity

To allow wireless devices to connect to the network, configure the WAP in a basic bridged mode and associate/map the WAP radios to broadcast an SSID. For a more advanced WAP configuration, please refer to the WAP Configuration Guide.

----------

WAP1 Base Configuration

management-policy default

no http server

https server

ssh

user admin password 1 130556ff8ffc2f8764c4d7ff7fa0737a50c64c05fbd4285ab3dcd880172ebc39 role superuser access all

user operator password 1 45546d22a81f67ed74bf4d2a45375dfa31c9579c2867f5b0bb83165266f92804 role monitor access all

no snmp-server manager v2

snmp-server community public ro

snmp-server community private rw

snmp-server user snmpoperator v3 encrypted des auth md5 0 operator

snmp-server user snmptrap v3 encrypted des auth md5 0 test123

snmp-server user snmpmanager v3 encrypted des auth md5 0 test123

banner motd Brocade Mobility Wireless AP

!

wlan-qos-policy default

qos trust dscp

qos trust wmm

!

radio-qos-policy default

wlan BYOD-1

ssid SOLC-BYOD-1 <-SSID for wireless devices

vlan 1

bridging-mode local <-Local Bridging

encryption-type ccmp

authentication-type none

wpa-wpa2 psk 0 byod

!

interface radio1 <-Map wireless radios to a wlan/SSID

  wlan BYOD-1 bss 1 primary

interface radio2

  wlan BYOD-1 bss 1 primary

interface wwan1

interface vlan1

  ip address dhcp

  ip address zeroconf secondary

  ip dhcp client request options all

----------

 

References

 

Task 2: Distribution Configuration

 

Description

The example configuration uses a core/distribution/edge topology with the distribution layer acting as the Layer 2/Layer 3 boundary. The SafeConnect appliance connects at the distribution router, as it provides Layer 3 connectivity. For a core/edge topology, the SafeConnect appliance can connect to the core router if desired.

 

Assumptions

  1. Impulse SafeConnect appliance hardware and software is installed and all network connectivity works between the SafeConnect appliance and the distribution switches.
  2. All of the configuration changes shown below are applied only on switches directly connected to a SafeConnect appliance.

 

Step 1: sFlow based Traffic Monitoring

The SafeConnect appliance uses sFlow monitoring to detect the device Layer 3 IP address. Therefore, devices must first have an IP address assigned by DHCP before their traffic is sampled by the sFlow monitor in the switch and exported to the sFlow collector embedded in the SafeConnect appliance.

----------

sflow enable <-Globally enable sFlow

sflow destination 13.0.0.6 <-Define NAC IPv4 as sFlow Collector

interface ethernet 1/1

sflow forwarding <-sFlow on Rx of primary-LAG (device facing) port

sflow sample 128 <-set sFlow sampling rate (@ 1 every 128 packets)

----------

 

Note: The sampling rate defines the ingress packet sampling ratio. It is recommended not to set the rate lower than the default value. Please refer to the product-specific configuration guide for additional information on sFlow.
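To make concrete what the sFlow collector embedded in SafeConnect receives from the switch, and why a client must already hold a DHCP lease before it can be detected, here is an added Python example; it is not code from this guide, from Brocade or from Impulse Point. It encodes a minimal sFlow v5 datagram (one flow sample carrying one raw packet header record, the record types a FastIron agent exports) and then decodes it the way a collector would to learn the sampled source IPv4 address. The agent address 5.1.1.1, the 1-in-128 rate and the client address 12.0.0.13 come from the guide; the MAC addresses, ifIndex values, sequence numbers and the ARP/DHCP-discover frames are constructed.

```python
import socket
import struct

# Values taken from the guide: the SX800 sFlow agent, the sampling rate exported
# to the SafeConnect collector, and the wired client used in the validation task.
AGENT_IP = "5.1.1.1"
SAMPLING_RATE = 128
CLIENT_IP = "12.0.0.13"


def _pad4(data):
    """XDR pads opaque byte strings to a 4-byte boundary."""
    return data + b"\x00" * (-len(data) % 4)


def ipv4_frame(src_ip, dst_ip):
    """Constructed Ethernet+IPv4 header (the first 34 bytes of a sampled frame)."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + b"\x08\x00"   # constructed MACs
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip


def arp_frame():
    """Constructed ARP frame: what a client emits before it has any IP address."""
    return bytes.fromhex("ffffffffffff" "001122334455") + b"\x08\x06" + b"\x00" * 28


def build_sflow_datagram(agent_ip, rate, frame):
    """Encode one sFlow v5 datagram: a flow sample (enterprise 0, format 1) holding
    one raw packet header record (enterprise 0, format 1). ifIndex values,
    sequence numbers and uptime are constructed placeholders."""
    # header_protocol 1 = Ethernet, frame_length, stripped bytes, header_length, header
    record_body = struct.pack("!IIII", 1, len(frame), 0, len(frame)) + _pad4(frame)
    record = struct.pack("!II", 1, len(record_body)) + record_body
    sample_body = struct.pack("!IIIIIIII",
                              1,              # sample sequence number
                              (0 << 24) | 1,  # source_id: type 0 (ifIndex), index 1
                              rate,           # sampling_rate: 1 in N packets
                              rate,           # sample_pool
                              0,              # drops
                              1, 2,           # input / output ifIndex
                              1) + record     # number of flow records
    sample = struct.pack("!II", 1, len(sample_body)) + sample_body
    # version 5, agent address type 1 = IPv4, agent IP, sub-agent id, sequence, uptime, samples
    header = struct.pack("!II4sIIII", 5, 1, socket.inet_aton(agent_ip), 0, 1, 0, 1)
    return header + sample


def learn_source_ip(frame):
    """The address a NAC collector can key on from a sampled header, or None when
    the frame is not IPv4 (ARP) or carries no lease yet (DHCP discover from 0.0.0.0)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    if (frame[14] & 0x0F) < 5:          # malformed IHL
        return None
    src = socket.inet_ntoa(frame[26:30])
    return None if src == "0.0.0.0" else src


def decode_sflow_datagram(dgram):
    """Return (agent_ip, sampling_rate, [learned source IPs]) for a v5 datagram."""
    version, addr_type = struct.unpack_from("!II", dgram, 0)
    if version != 5 or addr_type != 1:
        raise ValueError("only sFlow v5 with an IPv4 agent address is handled")
    agent_ip = socket.inet_ntoa(dgram[8:12])
    nsamples = struct.unpack_from("!I", dgram, 24)[0]
    off, rate, learned = 28, None, []
    for _ in range(nsamples):
        fmt, length = struct.unpack_from("!II", dgram, off)
        body, off = dgram[off + 8:off + 8 + length], off + 8 + length
        if fmt != 1:                     # only flow samples carry packet headers
            continue
        rate = struct.unpack_from("!I", body, 8)[0]
        nrecords = struct.unpack_from("!I", body, 28)[0]
        roff = 32
        for _ in range(nrecords):
            rfmt, rlen = struct.unpack_from("!II", body, roff)
            rec, roff = body[roff + 8:roff + 8 + rlen], roff + 8 + rlen
            if rfmt != 1:                # not a raw packet header record
                continue
            proto, _flen, _stripped, hlen = struct.unpack_from("!IIII", rec, 0)
            learned.append(learn_source_ip(rec[16:16 + hlen]) if proto == 1 else None)
    return agent_ip, rate, learned


if __name__ == "__main__":
    for name, frame in [("client with lease", ipv4_frame(CLIENT_IP, "198.31.193.211")),
                        ("ARP before lease", arp_frame()),
                        ("DHCP discover", ipv4_frame("0.0.0.0", "255.255.255.255"))]:
        print(name, decode_sflow_datagram(build_sflow_datagram(AGENT_IP, SAMPLING_RATE, frame)))
```

Only the leased client yields an address the appliance can act on; the ARP and DHCP-discover samples decode cleanly but learn nothing, which is the reason the guide requires a DHCP address before detection.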

Confirm sFlow Traffic Monitoring

The following command confirms sFlow is actively monitoring traffic.

----------

SX800-1#sh sflow

sFlow version: 5

SFlow services are enabled.

sFlow agent IP address: 5.1.1.1

Collector IP 13.0.0.6, UDP 50001 <-NAC IP acting as Collector

UDP source port: 8888 (Default)

Polling interval is 15 seconds.

Configured default sampling rate: 1 per 128 packets.

Actual default sampling rate: 1 per 128 packets. <-Actual sampling rate

The maximum sFlow sample size: 128.

SFlow exporting cpu-traffic is disabled.

491756 UDP packets exported <-sFlow data exported to NAC Collector

7746 sFlow flow samples collected.

sFlow ports: ethe 1/1 to 1/3 ethe 1/5 to 1/7 ethe 2/1 to 2/3 ethe 2/5 to 2/6 ethe 3/2

Module Sampling Rates

---------------------

Port Sampling Rates

-------------------

Port=1/1, configured rate=128, actual rate=128

Port=1/2, configured rate=128, actual rate=128

Port=1/3, configured rate=128, actual rate=128

Port=1/5, configured rate=2048, actual rate=2048

Port=1/6, configured rate=2048, actual rate=2048

Port=1/7, configured rate=128, actual rate=128

Port=2/1, configured rate=128, actual rate=128              

Port=2/2, configured rate=128, actual rate=128

Port=2/3, configured rate=128, actual rate=128

Port=2/5, configured rate=2048, actual rate=2048

Port=2/6, configured rate=128, actual rate=128

Port=3/2, configured rate=128, actual rate=128

----------

 

References

Step 2: Configure PBR using Layer 3 ACL and Route-map

As soon as the device is detected by the sFlow collector in the SafeConnect appliance, SafeConnect modifies the associated PBR ACL to route traffic from the device to the SafeConnect appliance for authentication. The following commands configure the initial PBR ACL policy.

----------

ip access-list extended impulse_block

deny udp any any eq dns

deny udp any any eq bootpc

deny tcp any any eq 3389

permit ip any host 198.31.193.211 <-Proxy IP used by NAC

!

route-map  impulse permit  10

match ip address  impulse_block

set ip next-hop 13.0.0.6 <-NAC IPv4 address of NAC

!

interface ve 110

ip policy route-map impulse <-Apply to L3 interface/VE device traffic

!

 

It is important, when designing a BYOD solution with SafeConnect, to consider the Brocade switch/router platform the SafeConnect appliance connects to and the size of the network. Each stage of the client identification/authentication process involves dynamic PBR ACL policy changes, with associated hardware TCAM updates, in the router/switch connected to the SafeConnect appliance. TCAM resources differ across platforms, and network size can vary.

 

Therefore, the number of VLANs needed for device traffic, the number of PBR policies and the amount of TCAM resource available in the router/switch determine how many devices can be secured. If your network requirements exceed any specific product limits, please consult your Brocade representative for technical advice.

 

References

 

Configuring SafeConnect

To allow for device identification, authorization and administration, the SafeConnect appliance is added to the network using the following procedure. It uses the SafeConnect dashboard (GUI) and the SafeConnect Policy Manager tool.

 

Dashboard Administration Functions

  1. Access the SafeConnect Dashboard for Device Management
  2. Configure the distribution switches, SX-1 and SX-2.
  3. Configure SafeConnect so it can access Active Directory services for authorization/authentication of the device.

 

Policy Manager Tool Functions

  1. Define a NAC policy using the ‘SafeConnect Policy Manager’ for device detection and identification.

 

Pre-requisites

  1. The Network infrastructure is pre-provisioned and connected to the NAC appliance as shown in the above physical topology
  2. The Enforcer has two tools, the SafeConnect Administrator Console for software installation and the Management Controller providing a web interface. Install a Windows host for access to the Administrator Console and set up a web browser to access the SafeConnect appliance. For example, the URL https://Enforcer-IP:8443 lets the web browser connect to the SafeConnect appliance.
  3. Network services including DHCP, DNS, AD and an HTTP server are available and operating.

 

Bill of Materials

The following products are used in this deployment.

 

Impulse SafeConnect Components

Identifier   Vendor    Model                                   Notes

1            Impulse   SafeConnect                             NAC appliance; 1RU Linux server to host the appliance

2            Impulse   SafeConnect Software 5.1 with License   Software License

 

References

 

Task 1: Dashboard Administration

 

Description

The SafeConnect dashboard provides status information using pie-charts and a list of all devices that have been identified. Typical information about the devices includes:

  • Device MAC and IP address
  • Username credentials
  • Machine name (e.g., user1-dell) and type (e.g., Windows XP)
  • Status indicating if the device is ‘In Compliance’ or ‘Quarantined’
  • NAC Policy Group name assigned to the device.

 

Assumptions

  1. All SafeConnect appliance hardware and software is installed and configured, and a management connection can be established via a web browser.

 

Step 1: Access the Dashboard

On a Windows device, point the browser to the following URL:

https://Enforcer-IP:8443/

[Figure: SafeConnect Dashboard]

 

Task 2: Topology Modeling

 

Description

An important step in configuring SafeConnect is discovery of the network switches it connects to. This is referred to as “topology modeling”. All switch connections are added to the SafeConnect configuration as shown below.

 

Assumptions

  1. Ensure connectivity between the SafeConnect appliance and the network switches exists prior to topology modeling. (e.g. issue a ping).

 

Step 1: Network Device Discovery

On a Windows device web browser connected to the SafeConnect management console, click ‘Enforcement Devices->Routers/Switches’ in the left-hand column of the Add/Edit/Remove page.

[Figure: Network Device Discovery]

 

Click ‘New Connection’ to add connections to network switches.

[Figure: New Connections Window]

 

Task 3: Configure LDAP-based Active Directory

 

Description

To authenticate devices, an Active Directory server is configured with the IP address of the SafeConnect management interface.

 

Assumptions

  1. An LDAP Active Directory service is running on a Windows server (either physical or running inside a VM) with access to the user database.
  2. Ensure network connectivity exists between the SafeConnect appliance and the AD server (e.g., issue a ping).

 

Step 1: Basic Authentication Setup

Click ‘Basic Configuration->Authentication Setup’ in the left-hand column of the page to be redirected to the ‘Individual Authentication Servers’ page as shown below. Then click ‘Create a new connection to an authentication device’.

[Figure: Create a New Connection]

 

Step 2: Define LDAP Attributes/Parameters for AD Setup

Under the ‘Define the Connection Information’ section, add the URL, ADMIN domain and password of the LDAP server. For example:

            [ldap://ip-addr/, cn=Administrator,cn=users,dc=clientvdi,dc=com and password]

[Figure: Define LDAP Attributes]

 

Under the ‘Define Searching parameters’ section, add the information shown below.

[Figure: Define Search Parameters]

 

Confirm LDAP Attributes/Parameters for AD Setup

Click the ‘Test’ section so the SafeConnect appliance can validate connectivity with the AD server.

[Figure: Test LDAP Attributes]

 

Task 4: Policy Administration

 

Description

To allow for device administration after being detected and authenticated, SafeConnect has to have a NAC policy for the device.

 

Assumptions

  1. SafeConnect Administration application is installed and launched for access to the Policy Manager tool.

 

Step 1: Define BYOD Device Policy using Policy Manager

Launch the ‘SafeConnect Policy Manager’ from the ‘SafeConnect Administrator Console’ and click ‘Create a New Group’.

[Figure: SafeConnect Policy Manager]

 

Step 2: Define Policy Group

Enter a Group Name and Description, for example: BYOD-Brocade-Impulse, and Click Next->

[Figure: Define Group Policy]

 

Step 3: Select Policy Key Device Install

Check the ‘Require the Policy Key to be installed’ and Click Next->

[Figure: Select Policy Key Installation]

 

Step 4: Define Device IP Range

Select ‘Range’ (or as applicable) and enter the IP address range devices will be assigned by the DHCP server. Click ADD and then click Next->. The device address range should match the DHCP IP address range.

[Figure: Define IP Range]

 

Step 5: Select the Authentication Scheme (LDAP AD)

Choose the Active-Directory authentication scheme, ‘AD CLIENTVDI’, from the drop down menu. This was created in Step 2: Define LDAP Attributes/Parameters for AD Setup.

[Figure: Active Directory Authentication]

 

Step 6: BYOD Policy Upload/Download

A new policy named ‘BYOD Brocade-Impulse’ is created as shown below in the highlighted section. Click ‘Upload Data’ to add this configuration to the SafeConnect appliance and then click ‘Download Data’ to update the Policy Manager with the new configuration.

[Figure: Policy Upload]

 

The SafeConnect appliance is now configured for device ‘Detection->Authorization->Management’ for any wired or wireless devices.

 

BYOD Device Validation

 

Pre-requisites

  1. The BR-7131 wireless AP is installed and powered up.
  2. AD services are up and running on an AD server.

 

Task 1: Wired Device Authentication

 

Description

It’s important to validate the end-to-end device policy with a wired device. A laptop running a Windows XP client, or similar, can be used.

 

Assumptions

  1. sFlow and PBR are enabled on VLAN/VE interfaces on both SX-1 and SX-2 distribution switches.
  2. DHCP and AD services are running.
  3. The wired device is plugged into a port of the access switch stack (ICX-A) and will be assigned IP address 12.0.0.13 by the DHCP server.

 

Step 1: SafeConnect Network Device Detection

Ensure the Windows client is identified by the SafeConnect appliance by looking at the Dashboard. Identification shows that the sFlow monitor is sending messages to the embedded SafeConnect collector. Note the device is in a ‘Quarantined’ status.

[Figure: Device Detection]

 

Next, check that the Windows client has been added to the PBR ACL on one of the distribution switches. The SafeConnect appliance automatically updates the PBR ACL, so this validates correct configuration of the appliance and of the PBR feature on the distribution switch.

----------

SX800-2#sh run | b ip access

ip access-list extended impulse_block

deny udp any any eq dns

deny udp any any eq bootpc

deny tcp any any eq 3389

permit ip any host 198.31.193.211

permit ip host 12.0.0.13 any <-Post detection,

----------

 

Note: Upon device detection by sFlow, SafeConnect enforces PBR processing of the device traffic by updating the existing PBR ACL with the device IP address (12.0.0.13). It remains in the PBR ACL until the device is ‘Authenticated’ and its status changes to ‘Compliant’, at which time SafeConnect removes the device from the PBR ACL.
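The following added Python example (not code from this guide, Brocade or Impulse Point) models the route-map evaluation configured in Task 2 Step 2 against the post-detection running-config excerpt shown just above, so the effect of the dynamic ACL update can be traced packet by packet: it parses the impulse_block ACL and the impulse route-map's next-hop, decides whether a given packet from the quarantined client is policy-routed to the appliance (13.0.0.6) or forwarded normally, and then repeats the check after the client's host entry is removed as happens on compliance. It assumes first-match evaluation in which a deny ACE means "not policy-routed" (the DNS, DHCP and RDP exceptions the ACL carries); the destination addresses other than the proxy IP from the guide are constructed.

```python
import re
from typing import List, NamedTuple, Optional

# Running-config excerpt as shown on SX800-2 after sFlow detection of 12.0.0.13
# (the 'permit ip host 12.0.0.13 any' line is the one SafeConnect inserts).
RUNNING_CONFIG = """\
ip access-list extended impulse_block
deny udp any any eq dns
deny udp any any eq bootpc
deny tcp any any eq 3389
permit ip any host 198.31.193.211
permit ip host 12.0.0.13 any
!
route-map  impulse permit  10
match ip address  impulse_block
set ip next-hop 13.0.0.6
!
"""

# Port keywords the FastIron ACL syntax uses on the page.
PORT_KEYWORDS = {"dns": 53, "bootpc": 68, "bootps": 67}


class Ace(NamedTuple):
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: Optional[str]     # host address, or None for "any"
    dst: Optional[str]
    dport: Optional[int]   # destination port from "eq", or None


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str             # "tcp" or "udp"
    dport: int


ACE_RE = re.compile(r"^(permit|deny) (ip|tcp|udp) (any|host \S+) (any|host \S+)"
                    r"(?: eq (\S+))?$")


def _addr(token):
    return None if token == "any" else token.split()[1]


def _port(token):
    if token is None:
        return None
    return PORT_KEYWORDS[token] if token in PORT_KEYWORDS else int(token)


def parse_acl(cfg: str, name: str) -> List[Ace]:
    """Return the ACEs of the named extended ACL in configured order."""
    aces, inside = [], False
    for raw in cfg.splitlines():
        line = " ".join(raw.split())          # collapse the CLI's double spaces
        if line.startswith("ip access-list extended "):
            inside = line.split()[-1] == name
            continue
        if not inside:
            continue
        if line == "!":
            inside = False
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError("unsupported ACE syntax: " + line)
        action, proto, src, dst, port = m.groups()
        aces.append(Ace(action, proto, _addr(src), _addr(dst), _port(port)))
    return aces


def parse_next_hop(cfg: str, map_name: str) -> Optional[str]:
    """Return the 'set ip next-hop' address of the named route-map."""
    inside = False
    for raw in cfg.splitlines():
        line = " ".join(raw.split())
        if line.startswith("route-map "):
            inside = line.split()[1] == map_name
        elif inside and line.startswith("set ip next-hop "):
            return line.split()[-1]
    return None


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and (ace.src is None or ace.src == pkt.src)
            and (ace.dst is None or ace.dst == pkt.dst)
            and (ace.dport is None or ace.dport == pkt.dport))


def policy_route(pkt: Packet, aces: List[Ace], next_hop: str) -> Optional[str]:
    """First matching ACE decides: permit -> policy-routed to next_hop (the NAC),
    deny or no match -> None, i.e. normal destination-based forwarding."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return next_hop if ace.action == "permit" else None
    return None


def remove_device(aces: List[Ace], ip: str) -> List[Ace]:
    """Mirror SafeConnect deleting 'permit ip host <ip> any' once the device is compliant."""
    return [a for a in aces if not (a.action == "permit" and a.src == ip and a.dst is None)]
```

Run with the guide's two states (before and after `remove_device`) to see that only web traffic from the quarantined client is steered to 13.0.0.6, while its DNS, DHCP and RDP traffic and all traffic from undetected hosts take the normal path.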

 

Step 2: Device Re-direction for LDAP AD Authentication

When the device, in quarantine status, attempts to connect to the network/internet, all requests are re-directed to the SafeConnect appliance for authentication as shown below.

[Figure: SafeConnect LDAP Authentication Screen]

 

Step 3: Device Policy-Key Installation

A real-time device security assessment is performed by prompting the user to install a policy-key on the device.

[Figure: Device Policy Key Installation Options]

[Figure: Installing Policy Key on Device]

 

Confirm Wired Device is Authenticated and Compliant

Connect to the SafeConnect Dashboard and confirm the Windows device has been assigned to the “compliant client” category. Device compliance refers to matching the requirements, such as OS/patch/application/anti-virus, set forth by the administrator in a NAC policy.

[Figure: Device Compliant Connection]

 

Next, click on the Windows client entry above to see additional details of the Device Compliant Status.

[Figure: Device Policy Status]

 

Next, confirm that the Windows client has been removed from the PBR ACL on the distribution switch by the SafeConnect appliance.

----------

SX800-2# sh run | b ip access

ip access-list extended impulse_block

deny udp any any eq dns

deny udp any any eq bootpc

deny tcp any any eq 3389

permit ip any host 198.31.193.211 <-Device IP address has been removed

!

route-map  impulse permit  10

match ip address  impulse_block

set ip next-hop 13.0.0.6

!

----------

 

Task 2: Wireless Device Authentication

 

Description

Validate end-to-end policy compliance for a wireless device connected to the Brocade 7131 WAP SSID. The device can be any wireless device, including an iPad, smartphone or tablet computer.

 

Assumptions

  1. The Brocade Mobility 7131 wireless access-point (WAP1) is installed and connected to the ICX-A stack as shown in the physical topology.
  2. WAP1 is configured to broadcast an authentication based SSID of SOLC-BYOD-1 for wireless clients to use when connecting to the network.
  3. A wireless device is connected to the SSID with a DHCP assigned IP address of 12.0.0.16.
  4. sFlow and PBR are enabled on VLAN/VE interfaces across the distribution switches SX-1 and SX-2 for client identification and authentication traffic.
  5. AD services are started and running on the AD server.

 

Step 1: Wireless Client Identification and Authentication

Repeat steps 1 through 3 of the wired client validation:

  1. NAC Enforcer and Network Client Detection
  2. Device Re-direction for LDAP AD Authentication
  3. Device Policy-Key Installation

 

Confirm Wireless Device is Authenticated and Compliant

Similar to the wired client, post authentication, the status of the wireless device, 12.0.0.16, changes from ‘Quarantine’ to ‘In Compliance’ as shown below:

 

[Figure: Confirm Wireless Device Policy Compliance]

 

Click the wireless device for additional details of the Client Compliant Status.

 

[Figure: Wireless Device Compliance Details]

 

Ensure the wireless device is removed (by the NAC Enforcer) from the PBR ACL on the switch.

----------

SX800-2# sh run | b ip access

ip access-list extended impulse_block

deny udp any any eq dns

deny udp any any eq bootpc

deny tcp any any eq 3389

permit ip any host 198.31.193.211 <-Device IP address has been removed

!

route-map  impulse permit  10 <-PBR Policy in use

match ip address  impulse_block

set ip next-hop 13.0.0.6

----------