1 / 22

UNI K-Series and NAC coreflow.org

UNI K-Series and NAC coreflow.org. Aaron Howard, Network Manager Kay Avila, Network Engineer Todd Thomas, ResNet Specialist. University of Northern Iowa. Located in Cedar Falls, IA and one of 3 state schools Undergraduates : 11,147 ; Postgraduates: 1,933


Presentation Transcript


  1. UNI K-Series and NAC
     coreflow.org
     Aaron Howard, Network Manager
     Kay Avila, Network Engineer
     Todd Thomas, ResNet Specialist

  2. University of Northern Iowa
     • Located in Cedar Falls, IA and one of 3 state schools
     • Undergraduates: 11,147; Postgraduates: 1,933
     • Primarily an undergraduate college focusing on business and teaching
     • Beat Kansas in the NCAA tournament in 2010

  3. ResNet
     • Internet access for 4,600 on-campus residents
     • Primarily traditional undergraduates, but some non-student/community college residents
     • 21 network closet locations in 11 different buildings
     • Prior to the summer of 2011:
       • Primarily 2nd generation, 10 Mb Cabletron E-series 6000s switches
       • 100 Mb multi-mode fiber uplinks

  4. Why Enterasys and K-series Won
     • Evaluated chassis and stacks from Cisco & HP
     • Power of NMS and NAC: fast config & break fix
     • Flow-based architecture features of K-series
     • Reliable, efficient expert GTAC support/Twitter
     • Enterasys is responsive and invested in UNI
     • Network visibility and debug
     • Confidence: design, leadership, financial

  5. K-series Order
     • (45) K-series chassis
     • (331) line cards
     • (179) 15A 1400W power supplies
     • Delivery before July 1st, with installation and configuration by August 10 and little downtime to existing staff
     • Challenge: delivery, unpacking/trash disposal and installation of equipment

  6. K-series Requirements and Config
     • 10G, fault tolerant & reliable
     • Secure, consistent network
     • PoE for 500 access points, QoS - rate limiting
     • NAC, fiber, power and cooling opportunity
     • 10G LRX, VRRP, OSPF, dual PDU, T H sensors
     • Dual core – dual distribution

  7. Fault Tolerant Building (diagram slide)

  8. Weak Links
     • Built-to-order chassis – OTW
     • Alerting, ops reports, delta mgmt – OneView K
     • Pro services QoS – Mitigated
     • DHCP snooping / C feature parity – OTW
     • Linecard brownout recovery – Fixed
     • Quick boot/init – Opportunity
     • Linecard fault visibility – Opportunity

  9. NAC Goals
     • Associate individuals with devices on the network.
     • Walk users through a registration system.
     • Grant Internet access to registered devices only.
     • Provide different types of registered network access.

  10. Walkthrough Steps
     • Device is connected and, via MAC auth, gets the Unregistered policy.
     • Student opens a web browser and is redirected to the registration page.
     • Student authenticates against Active Directory using RADIUS and registers his/her device.
     • Device MAC reauthentication occurs and the device gets the Registered policy.

  11. Step 1: Initial policy
     • MAC authentication to NAC controller
     • NAC controller catch-all rule assigns the Unregistered policy
     • Only allow DNS, DHCP, and web traffic
     • Tag web traffic with a DSCP

  12. Step 2: Registration redirection
     • Web traffic is tagged by policy
     • Policy-based routing redirects the traffic to the NAC controller
     (diagram label: google.com)

  13. Step 3: Authenticated registration
     • User logs into the registration portal with AD credentials via RADIUS
     • RADIUS sends back a particular filter-id based on group membership
     (diagram labels: filter-id, RADIUS (NPS), AD)

  14. Step 4: Reauthentication
     • MAC authentication to NAC controller
     • NAC controller matches the MAC in an end-system group rule
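
The four walkthrough steps above (slides 10 through 14), as an added simulation that is not code from the presentation or from Enterasys NAC: MAC auth falls through to the Unregistered catch-all, a portal login checked against a stand-in for AD returns a filter-id by group, the device MAC is placed in the matching end-system group, and the next MAC reauth matches that group. All usernames, passwords, MAC addresses, group names and filter-id values are constructed.

```python
# Added example (not from the presentation or from Enterasys NAC): a small
# simulation of the four-step registration walkthrough. All usernames,
# passwords, MAC addresses, group names and filter-id values are constructed.

# Constructed AD group -> filter-id that RADIUS (NPS) returns on login (step 3).
GROUP_TO_FILTER_ID = {
    "Students": "Registered",
    "Staff": "Staff",
}

# Constructed stand-in for Active Directory: username -> (password, AD group).
ACTIVE_DIRECTORY = {
    "student1": ("s3cret", "Students"),
    "staff1": ("hunter2", "Staff"),
}


class NacController:
    """Holds the end-system groups that the NAC rules match on (step 4)."""

    def __init__(self):
        # end-system group name -> MAC addresses placed there at registration
        self.end_system_groups = {"Registered": set(), "Staff": set()}

    def mac_auth(self, mac):
        """Steps 1 and 4: MAC authentication. An end-system group rule wins
        if the MAC is known; otherwise the catch-all rule returns Unregistered."""
        mac = mac.lower()
        for group, members in self.end_system_groups.items():
            if mac in members:
                return group
        return "Unregistered"

    def radius_login(self, username, password):
        """Step 3: portal login checked against AD via RADIUS. Returns the
        filter-id chosen from the user's group, or None on bad credentials."""
        entry = ACTIVE_DIRECTORY.get(username)
        if entry is None or entry[0] != password:
            return None
        return GROUP_TO_FILTER_ID[entry[1]]

    def register(self, username, password, mac):
        """Step 3: a successful login adds the device MAC to the end-system
        group named by the filter-id, so the next MAC reauth (step 4) matches."""
        filter_id = self.radius_login(username, password)
        if filter_id is None:
            return None
        self.end_system_groups.setdefault(filter_id, set()).add(mac.lower())
        return filter_id
```

A failed login leaves the MAC unknown, so the device keeps landing on the Unregistered policy at every reauth.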

  15. Handling Staff and Network Devices
     • Currently by assigning a MAC address to different end-system groups
     • Alternatives:
       • Different filter-id from the RADIUS server
       • Rule based on MAC OUI instead of end-system

  16. Questions Along the Way
     • How do the Policy roles actually get tied into NAC…?
       • Policy mappings under Advanced Settings
       • NAC Profile -> NAC Policy -> Policy Profile/Role
     • What if we need to tweak the way a NAC profile is enforced in certain locations?
       • One NAC policy can refer to multiple policy profiles
       • Policy mappings with Location Groups (in Advanced Settings)

  17. Questions Along the Way cont.
     • How do we allow access to some websites while redirecting everything else to the registration page?
       • NAC controller can proxy out websites for http
       • For https, change the ACL for the PBR (add denys)
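
The Unregistered policy filter and DSCP tag (slide 11), the PBR redirect (slide 12) and the allowed-websites exception just above, as an added example that is not code from the presentation or from Enterasys: a flow is first checked against the Unregistered policy, tagged if it is web, and then the PBR step sends tagged traffic to the controller unless an ACL deny entry exempts an allowed site on 443. The controller address, DSCP value and allowed network are constructed.

```python
# Added example (not from the presentation): how the Unregistered policy and
# the policy-based routing (PBR) step decide what happens to one flow, with the
# "allowed websites" exception from the Q&A slide. Addresses, DSCP value and
# the allowed network are constructed.
from ipaddress import ip_address, ip_network

NAC_CONTROLLER = "10.0.0.10"                    # constructed: PBR next hop
WEB_DSCP = 34                                   # constructed: tag set on web traffic
ALLOWED_NETS = [ip_network("203.0.113.0/24")]   # constructed: reachable before registration


def unregistered_policy(proto, dst_port):
    """Step 1: only DNS, DHCP and web are permitted; web is tagged for PBR.
    Returns ("drop", None), ("permit", None) or ("permit", dscp)."""
    if proto == "udp" and dst_port in (53, 67):
        return ("permit", None)                 # DNS, DHCP client -> server
    if proto == "tcp" and dst_port == 53:
        return ("permit", None)
    if proto == "tcp" and dst_port in (80, 443):
        return ("permit", WEB_DSCP)             # web: permit but tag
    return ("drop", None)


def pbr_next_hop(dscp, dst_ip, dst_port):
    """Step 2 and slide 17: PBR matches the DSCP tag and redirects to the
    controller. Deny entries in the PBR ACL exempt allowed sites on 443 so
    that traffic follows normal routing; http still goes to the controller,
    which proxies out the allowed sites itself."""
    if dscp != WEB_DSCP:
        return None                             # untagged: normal routing
    if dst_port == 443 and any(ip_address(dst_ip) in n for n in ALLOWED_NETS):
        return None                             # ACL deny: not redirected
    return NAC_CONTROLLER


def forward(proto, dst_ip, dst_port):
    """Chain policy then PBR; returns ("drop"|"route"|"redirect", next_hop)."""
    action, dscp = unregistered_policy(proto, dst_port)
    if action == "drop":
        return ("drop", None)
    hop = pbr_next_hop(dscp, dst_ip, dst_port)
    return ("redirect", hop) if hop else ("route", None)
```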

  18. Questions Along the Way cont.
     • How can we dynamically change someone's VLAN with NAC and Policy?
       • Have NAC send a VLAN along with Policy
         • Will toggle the link state
       • Contain to VLAN and VLAN Egress in Policy
         • Will see broadcast traffic from the original VLAN
         • Doesn't work on multiauth ports

  19. Questions Along the Way cont.
     • We have two sets of controllers. How can we make their configurations independent?
       • No technical solution (at least right now) other than standing up another NetSight server.
       • Be very careful with NAC profile and NAC policy mapping names.
       • Request filed with Enterasys to change this

  20. Other NAC challenges
     • Many NAC models rely on users providing their own data
     • The problems with this:
       • Inaccurate info
       • Prone to abuse
     • How do we tie in institutional user information (useful for problem tracking and support) with authentication (username)?

  21. Solution: NAC Request Tool
     • We export institutional info into a file that is processed regularly by the NAC Request Tool
     • Useful also for bulk data imports
     • WARNING: Not a fully-fledged API
       • A scripting tool, not a REST/SOAP interface

  22. Coreflow.org
