Deploying an Identity Aware Network

Recommendations

Info

Extreme Networks Application NoteThe table below summarizes the various roles and functions performed by the devices in the network:Table 2:Summit ® X250e-24pMicrosoft Windows2003 ServerWeb Application ServerEdge SwitchAuthentication Server andDomain ControllerSample Application Server• Performs authentication of attached users and devicessuch as phones using NetLogin• Enabled with the identity management feature to trackuser and device identities connected to the switch• Provides network access to users and phones• Multiple VLANs in the switch help in isolating users anddevices in different broadcast domains based on theauthorization process• Contains the Microsoft Active Directory (AD)• Configured as a domain controller• Includes the Microsoft Internet Authentication Service(IAS) to authenticate users and devices• IAS provides the RADIUS server functions to communicatewith clients such as the Summit X250e-24p edgeswitch and end users/systems equipped with 802.1xbased authentication• Hosts Web-based SALES applications used by partnersto order products from Prime CorporationCRM Application Server Sample Application Server • Hosts customer relationship management applicationA summary of users and devices connecting to the edge of the network in Prime Corporation is given below.Table 3:Network User Role NotesJohn SmithBob StoneAlice DuffMary Hughes00:00:00:FE:ED:0100:00:00:FE:ED:02EmployeeEmployeeTemp/ContractorTemp/ContractorMAC addresses ofSample devices• Works in the Sales organization in Prime Corporation• Uses Microsoft Windows XP based PC and VoIP Phone• Requires full access to network and resources such as file servers,printers, application servers, internet, and so on• Works in the engineering organization in Prime Corporation• Uses Microsoft Windows XP based PC• Requires full access to network and resources such as file servers,printers, application servers, internet, and so on• Helps Prime Corporation in developing a sales application• Visits Prime Corporation to troubleshoot problems in the application server• IT department provides a Microsoft Windows XP based Laptop fortemporary use (connected to the edge switch on port #17)• Requires connectivity only to the Web application server• Helps Prime Corporation in developing a CRM application• Visits Prime Corporation to troubleshoot problems in the application server• IT department provides a Microsoft Windows XP based Laptop fortemporary use• Shares the laptop with other contractors such as Alice Duff• Requires connectivity only to the CRM application server• Used to illustrate identities discovered with MAC-based authentication only© 2010 Extreme Networks, Inc. All rights reserved. Identity Aware Network—Page 8
Extreme Networks Application Note4.2. Identity Monitoring4.2.1. Configurations for Backend ServersThe following table lists the requirements and configurations to be completed in the backend servers.Table 4:3 IP Address: 192.168.0.10/24Microsoft Windows2003 ServerWeb Applications ServerCRM Applications ServerPlease refer to the steps and configurations described in the document “Application Note:Using ExtremeXOS NetLogin with Microsoft IAS” to setup the server to perform the followingfunctions:3 Remote Access Policy to authenticate John Smith (username: john_smith) and Bob Stone(username: bob_smith) using EAP-MD5-Challenge. Upon successful authentication,authorization for VLAN corp membership should be granted using Extreme-NetLogin-VLAN-IDVSA.3 Remote Access Policy to authenticate Alice Duff (username alice_duff) and authorization toVLAN webapps upon successful authentication.3 Remote Access Policy to authenticate Mary Hughes (username: mary_hughes) andauthorization to VLAN crmapps upon successful authentication.3 Remote Access Policy to authenticate the following MAC addresses – 00:00:00:FE:ED:01,00:00:00:FE:ED:02, and 00:04:96:28:01:8D using PAP. Upon successful authentication,access to VLAN corpvoice should be granted using Extreme-NetLogin-VLAN-ID VSA.3 IP Address: 192.168.1.10/243 Any operating system could be used3 IP Address: 192.168.2.10/243 Any operating system could be used4.2.2. Edge Switch ConfigurationWe will now proceed to configure the Summit X250e-24p switch. It is recommended to keep the following information handyin order to complete the edge switch configuration.Edge Switch IP 10.127.2.18Authentication Server IP 192.168.0.10VLAN Name Tag IP/Subnet/Notescorp 2 IP: 192.168.0.1/24corpvoice 3webapps 5 IP: 192.168.1.1/24authvlan 7 VLAN used by NetLogincrmapps 8 IP: 192.168.2.1/24In addition to configuring the Identity Management module, the NetLogin module, VLAN and AAA modules will also need tobe configured. Configuration of the VLAN module will provide reachability to backend authentication servers, and will alsocreate various user VLANs in the switch. Configuration of the AAA module will provide the switch with one or more RADIUSservers to contact for authentication. The NetLogin module will provide for all the authentication methods and uses the AAAinfrastructure to authenticate and authorize clients.© 2010 Extreme Networks, Inc. All rights reserved. Identity Aware Network—Page 9
Page 1 and 2: Extreme Networks Application NoteDe
Page 3 and 4: Extreme Networks Application NoteTa
Page 5 and 6: Extreme Networks Application Note3.
Page 7: Extreme Networks Application Note4.
Page 11 and 12: Extreme Networks Application Noteco
Page 13 and 14: Extreme Networks Application NoteSt
Page 31 and 32: Extreme Networks Application NoteTh
Page 35 and 36: Extreme Networks Application Note©
Page 39 and 40: Extreme Networks Application NoteDe
Page 59 and 60:
Extreme Networks Application Note<r
Page 61 and 62:
Extreme Networks Application Note<c
Page 63 and 64:
Extreme Networks Application NoteBe
Page 65 and 66:
Extreme Networks Application Note*
Page 67 and 68:
Extreme Networks Application NoteTo
show all

Deploying an Identity Aware Network

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?