220 likes | 316 Views
UNI K-Series and NAC coreflow.org. Aaron Howard, Network Manager Kay Avila, Network Engineer Todd Thomas, ResNet Specialist. University of Northern Iowa. Located in Cedar Falls, IA and one of 3 state schools Undergraduates : 11,147 ; Postgraduates: 1,933
E N D
UNI K-Series and NACcoreflow.org Aaron Howard, Network Manager Kay Avila, Network Engineer Todd Thomas, ResNetSpecialist
University of Northern Iowa • Located in Cedar Falls, IA and one of 3 state schools • Undergraduates: 11,147; Postgraduates: 1,933 • Primarily an undergraduate college focusing on business and teaching • Beat Kansas in the NCAA tournament in 2010 coreflow.org
ResNet • Internet access for 4,600 on-campus residents • Primarily traditional undergraduates, but some non-student/community college residents • 21 network closet locations in 11 different buildings • Prior to the summer of 2011: • Primarily 2nd generation, 10 Mb Cabletron E-series 6000s switches • 100 Mb Multi-mode fiber uplinks coreflow.org
Why Enterasys and K-series Won • Evaluated Chassis and Stacks from Cisco & HP • Power of NMS and NAC - Fast config & break fix • Flow based architecture features of K-series • Reliable efficient expert GTAC support/Twitter • Enterasys is Responsive and Invested in UNI • Network visibility and Debug • Confidence – Design, Leadership, Financial coreflow.org
K-series Order • (45) K-series chassis • (331) line cards • (179) 15A 1400W Power supplies • Delivery before July 1st with installation and configuration by August 10 with little downtime to existing staff • Challenge: Delivery, unpacking/trash disposal and installation of equipment coreflow.org
K-series Requirements and Config • 10G, Fault tolerant & reliable • Secure consistent network • PoE for 500 access points, QOS - rate limiting • NAC, Fiber, power and cooling opportunity • 10G LRX, VRRP, OSPF, Dual PDU, T H sensors • Dual core – Dual distribution coreflow.org
Fault Tolerant Building coreflow.org
Weak Links • Built to order chassis - OTW • Alerting, ops reports, delta mgmt – Oneview K • Pro services QOS – Mitigated • DHCP snooping / C feature parity - OTW • Linecard brownout recovery – Fixed • Quick boot/init – Opportunity • Linecard fault visibility – Opportunity coreflow.org
NAC Goals • Associate individuals with devices on the network. • Walk users through a registration system. • Grant Internet access to registered devices only. • Provide different types of registered network access. coreflow.org
Walkthrough Steps • Device is connected and, via MAC auth, and gets unregistered policy. • Student opens a web browser and is redirected to registration page. • Student authenticates against Active Directory using RADIUS and registers his/her device. • Device MAC reauthentication occurs and device gets the registered policy. coreflow.org
Step 1: Initial policy • MAC authentication to NAC controller • NAC controller catch-all rule assigns Unregistered policy • Only allow DNS, DHCP, and web traffic • Tag web traffic with a DSCP coreflow.org
Step 2: Registration redirection • Web traffic is tagged by policy • Policy-based routing redirects the traffic to the NAC controller google.com coreflow.org
Step 3: Authenticated registration • User logs into registration portal with AD credentials via RADIUS • RADIUS sends back a particular filter-id based on group membership. filter-id RADIUS (NPS) AD coreflow.org
Step 4: Reauthentication • MAC authentication to NAC controller • NAC controller matches MAC in end-system group rule coreflow.org
Handling Staff and Network Devices • Currently by assigning a MAC address to different end-system groups • Alternatives – • Different filter-id from RADIUS server • Rule based on MAC OUI instead of end-system coreflow.org
Questions Along the Way • How do the Policy roles actually get tied into NAC…? • Policy mappings under Advanced Settings • NAC Profile -> NAC Policy -> Policy Profile/Role • What if we need to tweak the way a NAC profile is enforced in certain locations? • One NAC policy can refer to multiple policy profiles • Policy mappings with Location Groups (in Advanced Settings) coreflow.org
Questions Along the Way cont. • How do we allow access to some websites while redirecting everything else to the registration page? • NAC controller can proxy out websites for http • For https, change the ACL for the PBR (add denys) coreflow.org
Questions Along the Way cont. • How can we dynamically change someone’s VLAN with NAC and Policy? • Have NAC send a VLAN along with Policy • Will toggle the link state • Contain to VLAN and VLAN Egress in Policy • Will see broadcast traffic from the original VLAN • Doesn’t work on multiauth ports coreflow.org
Questions Along the Way cont. • We have two sets of controllers. How can we make their configurations independent? • No technical solution (at least right now) other than standing up another NetSight server. • Be very careful with NAC profile and NAC policy mapping names. • Request filed with Enterasys to change this coreflow.org
Other NAC challenges • Many NAC models rely on users providing their own data • The problems with this: • Inaccurate info • Prone to abuse • How do we tie in institutional user information (useful for problem tracking and support) with authentication (username)? coreflow.org
Solution: NAC Request Tool • We export institutional info into a file that is processed regularly by the NAC Request Tool • Useful also for bulk data imports • WARNING: Not a fully-fledged API • A scripting tool, not a REST/SOAP interface coreflow.org
Coreflow.org coreflow.org