The Symantec LAN Enforcer appliance is part of the Symantec Network Access Control (SNAC) suite. The device can be used with 802.1x enabled switches and access points to open, close, or redirect ports to a particular vlan based on Host Integrity checks performed on the endpoint.
This article provides the Cisco IOS commands necessary for configuring a Cisco Catalyst switch with a fresh (newly reset or default) configuration for use with the Symantec LAN Enforcer. The commands are applicable for models including the 2950, 2960 and 3750. Commands are shown with the IOS prompt of the mode they belong to (Switch(config)# for global configuration, Switch(config-if)# for interface configuration, Switch# for privileged exec).
- Start up vlan 1 on a newly reset switch and assign an IP address:
(the commands apply to the management interface of vlan 1, so enter interface configuration mode for it first)
Switch(config)# interface vlan 1
Switch(config-if)# no shutdown
Switch(config-if)# ip address 172.16.200.212 255.255.255.0
- Configure the switch for 802.1x:
(aaa new-model must be enabled before the aaa authentication/authorization commands are accepted, and dot1x system-auth-control enables 802.1x globally; without it the per-port dot1x commands have no effect)
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# aaa authorization network default group radius
Switch(config)# dot1x system-auth-control
- Configure the Symantec LAN Enforcer as the RADIUS server for the switch:
(the IP address of the LAN Enforcer in the example is 172.16.200.213; the shared secret entered in the SEPM Enforcer configuration is MySharedSecret$1 and must match exactly on both sides)
Switch(config)# radius-server host 172.16.200.213 auth-port 1812 acct-port 1813 key MySharedSecret$1
Switch(config)# radius-server retransmit 3
- Configure a port on the switch for dot1x authentication (to be controlled by the LAN Enforcer):
(the port configured here is port #6 on the switch; the interface name depends on the model, for example FastEthernet0/6 on a 2950. Repeat the steps for all ports that should be authenticated with the Enforcer)
Switch(config)# interface FastEthernet0/6
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x reauthentication
Switch(config-if)# dot1x timeout reauth-period 30
The above configuration will work with the LAN Enforcer in both Basic and Transparent mode (with or without optional RADIUS user authentication). Changing from a Transparent to a Basic setup does not require re-configuration on the switch side.
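The steps above, collected into one configuration that can be pasted into the switch console, as an added example written for this article (it is not Symantec's or Cisco's own sample). It uses the addresses and shared secret from the article; the interface names FastEthernet0/6 - 7 are an assumption standing in for "port #6 and any other Enforcer-controlled ports", and the interface range command is used to show how the per-port block is applied to several ports at once.

```cisco
! Added example: base 802.1x configuration for a Catalyst switch that uses
! the Symantec LAN Enforcer as its RADIUS server. Values from the article:
! switch 172.16.200.212/24 on vlan 1, Enforcer 172.16.200.213, secret MySharedSecret$1.
! Assumed: the Enforcer-controlled ports are FastEthernet0/6 and 0/7
! (interface names differ by model, e.g. GigabitEthernet1/0/6 on a 3750).
configure terminal
 ! management address on vlan 1
 interface vlan 1
  ip address 172.16.200.212 255.255.255.0
  no shutdown
 exit
 ! AAA must be switched on before dot1x can use RADIUS
 aaa new-model
 aaa authentication dot1x default group radius
 aaa authorization network default group radius
 ! enables 802.1x globally; per-port dot1x commands do nothing without this
 dot1x system-auth-control
 ! the LAN Enforcer as RADIUS server; the key must match the SEPM Enforcer configuration
 radius-server host 172.16.200.213 auth-port 1812 acct-port 1813 key MySharedSecret$1
 radius-server retransmit 3
 ! hides the shared secret in "show running-config" output
 service password-encryption
 ! per-port settings, applied to every Enforcer-controlled port in one go
 interface range FastEthernet0/6 - 7
  switchport mode access
  dot1x port-control auto
  dot1x reauthentication
  dot1x timeout reauth-period 30
 exit
end
! save, then verify that the settings took effect
write memory
show running-config | include dot1x|radius|aaa
show dot1x interface FastEthernet0/6
```

After pasting, `show dot1x interface FastEthernet0/6` should report the port as controlled (PortControl = AUTO) with reauthentication enabled; if the global dot1x line is missing the port shows up as uncontrolled even though the interface commands are in the running configuration. The `service password-encryption` line is an addition to what the article lists; it only obscures the RADIUS key in configuration displays and backups, it does not change the protocol.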
The below commands are optional, for configuring a quarantine vlan.
- Set up a new vlan for the SNAC quarantine:
(the id "7" and name "quarantine" should be entered identically in the SEPM Enforcer configuration switch profile, to allow the Enforcer to dynamically assign vlans)
Switch(config)# vlan 7
Switch(config-vlan)# name quarantine
- Hard-code a separate port on the switch to the quarantine vlan:
(useful for a server hosting quarantine resources, or any other machine you want to make available on the quarantine vlan; the port shown here, FastEthernet0/8, is only an example)
Switch(config)# interface FastEthernet0/8
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 7
Optionally a guest vlan can be configured for each port, where a machine without a supplicant would be assigned.
- Configure a guest vlan:
(vlan 12 must already exist on the switch; the command is entered on each dot1x-controlled port)
Switch(config)# interface FastEthernet0/6
Switch(config-if)# dot1x guest-vlan 12
The below is an optional command for recent switch models only, for assigning a particular vlan in case the link between the switch and LAN Enforcer is broken (the RADIUS server is unreachable).
- Assign a critical vlan to a port on the switch:
(the first two commands are per port; the recovery action is a global setting that re-initializes ports parked in the critical vlan once the Enforcer is reachable again)
Switch(config)# interface FastEthernet0/6
Switch(config-if)# dot1x critical
Switch(config-if)# dot1x critical vlan 3
Switch(config-if)# exit
Switch(config)# dot1x critical recovery action reinitialize
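The optional vlan settings above, combined into one pasteable configuration, as an added example written for this article rather than taken from Symantec or Cisco documentation. It assumes the base 802.1x configuration from the first part of the article is already in place, that the Enforcer-controlled port is FastEthernet0/6, that the quarantine resource server sits on FastEthernet0/8, and that the guest and critical vlans are 12 and 3 as in the article; the vlan names "guest" and "critical" are assumed.

```cisco
! Added example: quarantine, guest and critical vlans for an Enforcer-controlled port.
! Assumed: base 802.1x config already applied; FastEthernet0/6 is the controlled
! port, FastEthernet0/8 hosts the quarantine resources; vlan ids from the article.
configure terminal
 ! quarantine vlan: id and name must match the SEPM switch profile exactly
 vlan 7
  name quarantine
 exit
 ! vlans referenced by guest-vlan and critical vlan must exist before use
 vlan 12
  name guest
 exit
 vlan 3
  name critical
 exit
 ! machine that must always be reachable from quarantined hosts
 interface FastEthernet0/8
  switchport mode access
  switchport access vlan 7
 exit
 ! global: when the Enforcer is reachable again, ports in the critical vlan are re-initialized
 dot1x critical recovery action reinitialize
 ! per-port fallbacks for the Enforcer-controlled port
 interface FastEthernet0/6
  ! no supplicant on the endpoint -> guest vlan
  dot1x guest-vlan 12
  ! RADIUS (the Enforcer) unreachable -> critical vlan instead of blocking the port
  dot1x critical
  dot1x critical vlan 3
 exit
end
write memory
! check that the vlans exist and that FastEthernet0/8 is a member of vlan 7
show vlan brief
show dot1x interface FastEthernet0/6
```

A design point worth checking before enabling the critical vlan: while the Enforcer is unreachable, endpoints on FastEthernet0/6 are admitted to vlan 3 without any Host Integrity check, so that vlan should carry only the access a host needs until `dot1x critical recovery action reinitialize` moves it back through authentication.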
The below commands are useful for showing information on port status and vlan assignment.
- Display a list of interfaces with connection status and vlan assignment:
Switch# show interfaces status
- Display a list of vlans and which ports are assigned to each:
Switch# show vlan brief