3.11 Quarantining, 802.1X

The 802.1X quarantine (enforcement) method is enabled by default.

To select the 802.1X quarantine method:

Home window>>System configuration>>Quarantining

  1. Select a cluster.

  2. In the Quarantine method area, select the 802.1X radio button.

  3. Click ok.

The following sections contain more information:

3.11.1 Entering Basic 802.1X Settings

To enter basic 802.1X settings:

Home window>>System configuration>>Quarantining>>802.1X quarantine method radio button

  1. In 802.1X enforcement mode, the Enforcement servers must be able to monitor DHCP conversations and detect endpoints by sniffing network traffic as it flows between the DHCP server and the endpoints. Select an Endpoint detection location radio button as follows:

    • Remote — In more complex deployments, it is often impossible (in the case of multiple Enforcement servers or multiple DHCP servers) or undesirable to span switch ports. In this case the DHCP traffic monitoring and endpoint detection can be run remotely by installing and configuring the endpoint activity capture software on each DHCP server involved in the 802.1X deployment. In this case, choose the remote option.

    • Local — In simple configurations, it is possible to span, or mirror, the switch port into which the DHCP server is connected. The eth1 interface of the Enforcement server is then plugged into the spanned port and endpoint traffic is monitored on the eth1 interface. In this case, choose the local option.

  2. Enter one or more non-quarantined subnets, separated by commas, in the Quarantine subnets text field. Enter all subnets in CIDR notation.

  3. Select a RADIUS server type by selecting one of the following radio buttons:

    • Local — Enables a local RADIUS server on the ES which can be configured to perform authentication itself or proxy to another server.

    • Remote IAS — Disables the local RADIUS server so that an IAS server configured with the NAC IAS plug-in to point to an ES can be used instead. When possible, a local RADIUS server that proxies to the IAS server should be the preferred configuration.

  4. Click ok.

3.11.2 Authentication Settings

The following sections contain more information:

Selecting the RADIUS Authentication method

To select the RADIUS authentication method:

Home window>>System configuration>>Quarantining>>802.1X quarantine method radio button

  1. Select the Local radio button in the Basic 802.1X settings area.

  2. Select an End-user authentication method:

  3. Click ok.

Configuring Windows Domain Settings

To configure Windows domain settings:

Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Local radio button

  1. Select Windows domain from the End-user authentication method drop-down list.

    Figure 3-21 System Configuration, Windows Domain

  2. Enter the Fully Qualified Domain Name (FQDN) of the domain to be joined in the Domain name text field.

  3. Enter the user name of an account with sufficient administrative rights to join an ES to the domain in the Administrator user name text field.

  4. Enter the password of the account entered into the Administrator user name field in the Administrator password text field.

  5. Enter the list of domain controllers, separated by commas, for this domain in the Domain controllers text field.

  6. To test the Windows domain settings:

    1. Select one of the following from the Server to test from drop-down list in the Test Windows domain settings area:

      • The ES in this cluster to test from, or

      • The MS

        NOTE: If you have a single-server installation, the Server to test from drop-down list is not available.

    2. To verify a specific set of user credentials in addition to the Windows domain settings, select the Verify credentials for an end-user check box, and specify the following:

      1. Enter the user name of the end-user in the User name text box.

      2. Enter the password of the end-user in the Password text box.

      3. Re-enter the password of the end-user in the Re-enter password text box.

    3. Click test settings.

  7. Click ok.

Configuring OpenLDAP Settings

To configure OpenLDAP settings:

Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Local radio button

  1. Select OpenLDAP from the End-user authentication method drop-down list.

    Figure 3-22 System Configuration, OpenLDAP

  2. Enter the LDAP server hostname or IP address and optional port number in the Server text field. For example: 10.0.1.2:636

  3. Enter the DN under which LDAP searches should be done in the Identity text field. For example: cn=admin,o=My Org,c=UA

  4. Enter the password that authenticates the DN entered into the Identity text field in the Password text field.

  5. Type the same password you entered into the Password field in the Re-enter password field.

  6. Enter the base DN of LDAP searches in the Base DN text field. For example: o=My Org,c=UA

  7. Enter the LDAP search filter used to locate user objects from the name supplied by the endpoint in the Filter text field. For example: (uid=%u)

  8. Enter the LDAP attribute which contains end-user passwords in the Password attribute text field. This is initially set to userPassword to use the universal password of the eDirectory user.

  9. To use a secure Transport Layer Security (TLS) connection with the LDAP server that is verified with a certificate authority:

    1. Select the Use a secure connection (TLS) check box.

    2. Enter a PEM-encoded file name that contains the CA certificate used to sign the LDAP server's TLS certificate in the New certificate text field. Click Browse to search for file names. The current certificate selected is shown by Current certificate.

  10. To test the OpenLDAP settings:

    1. Select one of the following from the Server to test from drop-down list in the Test Windows domain settings area:

      • The ES in this cluster to test from, or

      • The MS

    2. To verify a specific set of user credentials in addition to the OpenLDAP settings, select the Verify credentials for an end-user check box, and specify the following:

      1. Enter the user name of the end-user in the User name text box.

      2. Enter the password of the end-user in the Password text box.

      3. Re-enter the password of the end-user in the Re-enter password text box.

    3. Click test settings.

  11. Click ok.
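The Filter field takes a template such as (uid=%u), and the value substituted for %u is supplied by the endpoint. The following added example (not code from the product) shows how such a template is expanded safely with RFC 4515 escaping, next to a plain string substitution for comparison. The function names and sample user names are constructed for illustration.

```python
# Added example: expanding an LDAP search-filter template such as (uid=%u).
# Function names and sample inputs are constructed, not taken from the product.

# RFC 4515: inside an assertion value these characters must be written as \XX,
# otherwise they are read as filter syntax instead of as part of the name.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a user-supplied string for use as an LDAP assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template, username):
    """Replace %u in the template with the escaped user name."""
    if "%u" not in template:
        raise ValueError("filter template has no %u placeholder")
    if not username:
        raise ValueError("empty user name")
    return template.replace("%u", escape_filter_value(username))


def naive_expand(template, username):
    """Plain substitution without escaping, shown only for comparison."""
    return template.replace("%u", username)


def same_structure(template, expanded):
    """True if expansion added no filter metacharacters to the template."""
    return all(template.count(ch) == expanded.count(ch) for ch in "()*")


if __name__ == "__main__":
    template = "(uid=%u)"  # example filter from step 7
    for name in ["jdoe", "j*", "j(doe)"]:  # constructed sample user names
        safe = expand_filter(template, name)
        plain = naive_expand(template, name)
        print(f"{name!r:10} escaped={safe:20} structure kept={same_structure(template, safe)}")
        print(f"{'':10} plain  ={plain:20} structure kept={same_structure(template, plain)}")
```

With escaping, the number of parentheses and wildcards in the expanded filter always equals that of the template, so the filter keeps matching exactly one attribute value.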

3.11.3 Adding 802.1X Devices

To add an 802.1X device:

Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device

Figure 3-23 Add 802.1X Device

  1. Enter the IP address of the 802.1X device in the IP address text field.

  2. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.

    NOTE: See your system administrator to obtain the shared secret for your switch.

  3. Re-enter the shared secret in the Re-enter shared secret text field.

  4. Enter an alias for this device that appears in log files in the Short name text field.

  5. Select an 802.1X device from the Device type drop-down list.

  6. Enter the configuration settings for the specific device:

  7. Click ok.

3.11.4 Testing the Connection to a Device

The test connection area has different options based on the switch you select:

  • Cisco CATOS, Cisco IOS, Enterasys, Extreme, Foundry switches — See Figure 3-24.

  • ProCurve, Nortel, Other switches — See Figure 3-25.

To test the connection to an 802.1X device:

Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button

NOTE: You must have already added devices for them to appear in the 802.1X devices area. You can also test the device as you add it.

  1. In the 802.1X devices area, click edit next to the device you want to test. The 802.1X device window appears. The Test connection to this device area is near the bottom of the window:

    Figure 3-24 Add 802.1X Device, Test Connection Area Option 1

    Figure 3-25 Add 802.1X Device, Test Connection Area Option 2

  2. For ProCurve, Nortel, Other switches (Figure 3-24):

    1. Select the Method to execute the re-authentication command in test:

      • 802.1X

      • MAC auth

    2. Enter the port of the endpoint being tested in the Port text field.

    3. Enter the MAC address of the endpoint being tested in the MAC address text field.

  3. For Cisco CATOS, Cisco IOS, Enterasys, Extreme, Foundry switches (Figure 3-25), if you want to include the re-authentication command as part of the test, select the Re-authenticate an endpoint during test check box and:

    1. Enter the port of the endpoint being tested in the Port text field.

    2. Enter the MAC address of the endpoint being tested in the MAC address text field.

      NOTE: You must enter the port, the MAC address, or both, depending on the re-authentication OID.

  4. Click test connection to this device.

3.11.5 Cisco IOS

To add a Cisco IOS device:

Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device

Figure 3-26 Add Cisco IOS Device

  1. Enter the IP address of the Cisco IOS device in the IP address text field.

  2. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.

  3. Re-enter the shared secret in the Re-enter shared secret text field.

  4. Enter an alias for this device that appears in log files in the Short name text field.

  5. Select Cisco IOS from the Device type drop-down list.

  6. Select telnet or SSH from the Connection method drop-down list.

  7. Enter the User name with which to log into the device's console.

  8. Enter the Password with which to log into the device's console.

  9. Re-enter the console password.

  10. Enter the Cisco port mask in the text field. This specifies which characters within the endpoint identifier returned by the Cisco device contain the bank and port information of the endpoint. All offsets start at 0, so a mask of 2/34 indicates character 3 for the bank and characters 4 and 5 for the port. If the Cisco device were to return 50210 for an endpoint, a port mask of 2/34 would indicate that the endpoint is on bank 2 and port 10 (2/10), where 210 are the third, fourth and fifth bytes in the identifier.

  11. Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet/SSH console can remain idle or unused before it is reset.

  12. Select the Show scripts plus symbol to show the following scripts:

    • Initialization script — The expect script used to log into the console and enter enable mode.

    • Re-authentication script — The expect script used to perform endpoint re-authentication.

    • Exit script — The expect script used to exit the console.

  13. Click ok.

HINT: Click revert to defaults to restore the default settings.

3.11.6 Cisco CatOS

To add a Cisco CatOS device:

Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device

Figure 3-27 Add Cisco CatOS Device

  1. Enter the IP address of the Cisco CatOS device in the IP address text field.

  2. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.

  3. Re-enter the shared secret in the Re-enter shared secret text field.

  4. Enter an alias for this device that appears in log files in the Short name text field.

  5. Select Cisco CatOS from the Device type drop-down list.

  6. Select telnet or SSH from the Connection method drop-down list.

  7. Enter the User name with which to log into the device's console.

  8. Enter the Password with which to log into the device's console.

  9. Re-enter the console password.

  10. Enter the password with which to enter enable mode.

  11. Re-enter the enable mode password.

  12. Enter the networks (using CIDR notation) that this device is in direct control over in the Network list text field. This is only necessary if the device does not send its IP address with its supplicant request.

  13. Enter the Cisco port mask in the text field. This specifies which characters within the endpoint identifier returned by the Cisco device contain the bank and port information of the endpoint. All offsets start at 0, so a mask of 2/34 indicates character 3 for the bank and characters 4 and 5 for the port. If the Cisco device were to return 50210 for an endpoint, a port mask of 2/34 would indicate that the endpoint is on bank 2 and port 10 (2/10), where 210 are the third, fourth and fifth bytes in the identifier.

  14. Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet/SSH console can remain idle or unused before it is reset.

  15. Select the Show scripts plus symbol to show the following scripts:

    • Initialization script — The expect script used to log into the console and enter enable mode.

    • Re-authentication script — The expect script used to perform endpoint re-authentication.

    • Exit script — The expect script used to exit the console.

  16. Click ok.

HINT: Click revert to defaults to restore the default settings.
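The Cisco port mask described for both Cisco IOS and Cisco CatOS devices can be checked before it is saved. The following added example (not code from the product) applies a mask to endpoint identifiers and reports any that do not resolve to the expected bank/port. It assumes, as in the manual's 2/34 example, that every digit of the mask is one zero-based character offset. Only the identifier 50210 comes from the manual; the other samples are constructed.

```python
# Added example: applying a Cisco port mask such as 2/34 to an endpoint identifier.
# Assumption: each digit of the mask is a single zero-based character offset,
# as in the manual's example. Function names are constructed.


def parse_port_mask(mask):
    """Split '2/34' into bank offsets [2] and port offsets [3, 4]."""
    bank_part, sep, port_part = mask.strip().partition("/")
    for part in (bank_part, port_part):
        if not (sep and part.isascii() and part.isdigit()):
            raise ValueError(f"invalid port mask: {mask!r}")
    return [int(c) for c in bank_part], [int(c) for c in port_part]


def apply_port_mask(mask, identifier):
    """Return (bank, port) selected from the identifier by the mask."""
    bank_offsets, port_offsets = parse_port_mask(mask)
    if max(bank_offsets + port_offsets) >= len(identifier):
        raise ValueError(f"identifier {identifier!r} is too short for mask {mask!r}")
    bank = "".join(identifier[i] for i in bank_offsets)
    port = "".join(identifier[i] for i in port_offsets)
    if not ((bank + port).isascii() and (bank + port).isdigit()):
        raise ValueError(f"mask {mask!r} selects non-digits from {identifier!r}")
    return int(bank), int(port)


def check_mask(mask, samples):
    """Compare the mask's result with the known bank/port of each sample.

    samples maps identifier -> expected 'bank/port'. Returns a list of
    (identifier, expected, got) for every sample that does not match;
    got is None when the mask cannot be applied at all.
    """
    mismatches = []
    for identifier, expected in samples.items():
        try:
            bank, port = apply_port_mask(mask, identifier)
            got = f"{bank}/{port}"
        except ValueError:
            got = None
        if got != expected:
            mismatches.append((identifier, expected, got))
    return mismatches


# 50210 -> 2/10 is the manual's example; the other two entries are constructed.
SAMPLES = {"50210": "2/10", "50103": "1/3", "50424": "4/24"}

if __name__ == "__main__":
    for mask in ("2/34", "1/23"):
        problems = check_mask(mask, SAMPLES)
        print(mask, "ok" if not problems else problems)
```

A mask that puts endpoints on the wrong bank or port would direct re-authentication at a different switch port than the one the endpoint is on, so it is worth checking against a few identifiers whose location is known.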

CatOS User Name in Enable Mode

If you have your CatOS switch configured to run in enable mode with a user name, the expect script supplied with Novell ZENworks Network Access Control will not run “out of the box.”

Workaround: Do not use a user name with your switch, or modify the expect script in the console to include the user name.

To modify the expect script in the Novell ZENworks Network Access Control user interface:

Home window>>System configuration>>Quarantining menu option

  1. Click edit next to an 802.1X device. (You can also perform these steps while you are adding an 802.1X device.)

  2. Click the plus sign next to Show scripts.

  3. Add the correct expect script syntax to the text box for enable mode user name. See your switch documentation for more information on the correct syntax.

  4. Click ok.

3.11.7 Enterasys

To add an Enterasys device:

Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device

Figure 3-28 Add Enterasys Device

  1. Enter the IP address of the Enterasys device in the IP address text field.

  2. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.

  3. Re-enter the shared secret in the Re-enter shared secret text field.

  4. Enter an alias for this device that appears in log files in the Short name text field.

  5. Select Enterasys from the Device type drop-down list.

  6. Select telnet or SSH from the Connection method drop-down list.

  7. Enter the User name with which to log into the device's console.

  8. Enter the Password with which to log into the device's console.

  9. Re-enter the console password.

  10. Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet/SSH console can remain idle or unused before it is reset.

  11. Select the Show scripts plus symbol to show the following scripts:

    • Initialization script — The expect script used to log into the console and enter enable mode.

    • Re-authentication script — The expect script used to perform endpoint re-authentication.

    • Exit script — The expect script used to exit the console.

  12. Click ok.

HINT: Click revert to defaults to restore the default settings.

3.11.8 Extreme ExtremeWare

To add an ExtremeWare device:

Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device

Figure 3-29 Add ExtremeWare Device

  1. Enter the IP address of the ExtremeWare device in the IP address text field.

  2. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.

  3. Re-enter the shared secret in the Re-enter shared secret text field.

  4. Enter an alias for this device that appears in log files in the Short name text field.

  5. Select Extreme ExtremeWare from the Device type drop-down list.

  6. Select telnet or SSH from the Connection method drop-down list.

  7. Enter the User name with which to log into the device's console.

  8. Enter the Password with which to log into the device's console.

  9. Re-enter the console password.

  10. Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet/SSH console can remain idle or unused before it is reset.

  11. Select the Show scripts plus symbol to show the following scripts:

    • Initialization script — The expect script used to log into the console and enter enable mode.

    • Re-authentication script — The expect script used to perform endpoint re-authentication.

    • Exit script — The expect script used to exit the console.

  12. Click ok.

HINT: Click revert to defaults to restore the default settings.

3.11.9 Extreme XOS

To add an Extreme XOS device:

Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device

Figure 3-30 Add Extreme XOS Device

  1. Enter the IP address of the Extreme XOS device in the IP address text field.

  2. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.

  3. Re-enter the shared secret in the Re-enter shared secret text field.

  4. Enter an alias for this device that appears in log files in the Short name text field.

  5. Select Extreme XOS from the Device type drop-down list.

  6. Select telnet or SSH from the Connection method drop-down list.

  7. Enter the User name with which to log into the device's console.

  8. Enter the Password with which to log into the device's console.

  9. Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet/SSH console can remain idle or unused before it is reset.

  10. Select the Show scripts plus symbol to show the following scripts:

    • Initialization script — The expect script used to log into the console and enter enable mode.

    • Re-authentication script — The expect script used to perform endpoint re-authentication.

    • Exit script — The expect script used to exit the console.

  11. Click ok.

HINT: Click revert to defaults to restore the default settings.

3.11.10 Foundry

To add a Foundry device:

Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device

Figure 3-31 Add Foundry Device

  1. Enter the IP address of the Foundry device in the IP address text field.

  2. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.

  3. Re-enter the shared secret in the Re-enter shared secret text field.

  4. Enter an alias for this device that appears in log files in the Short name text field.

  5. Select Foundry from the Device type drop-down list.

  6. Select telnet or SSH from the Connection method drop-down list.

  7. Enter the User name with which to log into the device's console.

  8. Enter the Password with which to log into the device's console.

  9. Re-enter the console password.

  10. Enter the password with which to enter enable mode.

  11. Re-enter the enable mode password.

  12. Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet/SSH console can remain idle or unused before it is reset.

  13. Select the Show scripts plus symbol to show the following scripts:

    • Initialization script — The expect script used to log into the console and enter enable mode.

    • Re-authentication script — The expect script used to perform endpoint re-authentication.

    • Exit script — The expect script used to exit the console.

  14. Click ok.

HINT: Click revert to defaults to restore the default settings.

3.11.11 HP ProCurve Switch

To add an HP ProCurve switch:

Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device

Figure 3-32 Add HP ProCurve Device

  1. Enter the IP address of the HP ProCurve device in the IP address text field.

  2. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.

  3. Re-enter the shared secret in the Re-enter shared secret text field.

  4. Enter an alias for this device that appears in log files in the Short name text field.

  5. Select ProCurve Switch from the Device type drop-down list.

  6. Select whether to connect to this device using telnet, SSH, or SNMPv2 in the Connection method drop-down list.

  7. SSH settings:

    1. Enter the User name used to log into this device's console.

    2. Enter the Password used to log into this device's console.

    3. To help confirm accuracy, type the same password you entered into the Password field in the Re-enter Password field.

    4. Enter the Enable mode user name that is used to enter enable mode on this device.

    5. Enter the Password used to enter enable mode on this device.

    6. To help confirm accuracy, type the same password you entered into the Enable password field in the Re-enter Password field.

    7. Enter the amount of time, in milliseconds, before an idle open SSH session is reset. The default is 60000 (60 seconds) in the Reconnect idle time field.

  8. Telnet settings:

    1. Enter the User name used to log into this device's console.

    2. Enter the Password used to log into this device's console.

    3. To help confirm accuracy, type the same password you entered into the Password field in the Re-enter Password field.

    4. Enter the Enable mode user name that is used to enter enable mode on this device.

    5. Enter the Password used to enter enable mode on this device.

    6. To help confirm accuracy, type the same password you entered into the Enable password field in the Re-enter Password field.

    7. Enter the amount of time, in milliseconds, before an idle open telnet session is reset. The default is 60000 (60 seconds) in the Reconnect idle time field.

  9. SNMPv2 settings:

    1. Enter the Community string used to authorize writes to SNMP objects.

    2. Enter the OID used to re-authenticate an endpoint in the Re-authenticate OID text field. The strings "${Port}" and "${MAC}" will be substituted for the port and MAC address of the endpoint to be re-authenticated.

    3. Select the type of the re-authentication OID from the OID type drop-down list:

      • INTEGER

      • unsigned INTEGER

      • TIMETICKS

      • IPADDRESS

      • OBJID

      • STRING

      • HEX STRING

      • DECIMAL STRING

      • BITS

      • NULLOBJ

    4. Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field.

    5. Select the Use a different OID for MAC authentication check box to re-authenticate using a different OID when the supplicant request is for a MAC authenticated device.

      1. Enter the Re-authenticate OID used to re-authenticate an endpoint. The strings "${PORT}" and "${MAC_DOTTED_DECIMAL}" are substituted for the port and MAC address of the endpoint to be re-authenticated.

      2. Select the type of the re-authentication OID from the OID type drop-down list:

        • INTEGER

        • unsigned INTEGER

        • TIMETICKS

        • IPADDRESS

        • OBJID

        • STRING

        • HEX STRING

        • DECIMAL STRING

        • BITS

        • NULLOBJ

      3. Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field.

HINT: Click revert to defaults to restore the default settings.

3.11.12 HP ProCurve WESM xl or HP ProCurve WESM zl

To add an HP ProCurve WESM xl or HP ProCurve WESM zl device:

Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device

Figure 3-33 Add HP ProCurve WESM xl/zl Device

  1. Enter the IP address of the HP ProCurve WESM device in the IP address text field.

  2. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.

  3. Re-enter the shared secret in the Re-enter shared secret text field.

  4. Enter an alias for this device that appears in log files in the Short name text field.

  5. Select ProCurve WESM from the Device type drop-down list.

  6. Enter the Community string used to authorize writes to SNMP objects.

  7. Enter the OID used to re-authenticate an endpoint in the Re-authenticate OID text field. The strings "${Port}" and "${MAC_DOTTED_DECIMAL}" will be substituted for the port and MAC address of the endpoint to be re-authenticated.

    NOTE: Figure 3-33 shows an example for WESM zl.

  8. Select the type of the re-authentication OID from the OID type drop-down list:

    • INTEGER

    • unsigned INTEGER

    • TIMETICKS

    • IPADDRESS

    • OBJID

    • STRING

    • HEX STRING

    • DECIMAL STRING

    • BITS

    • NULLOBJ

  9. Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field.

  10. Select the Use a different OID for MAC authentication check box to re-authenticate using a different OID when the supplicant request is for a MAC authenticated device.

    1. Enter the Re-authenticate OID used to re-authenticate an endpoint. The strings "${Port}" and "${MAC_DOTTED_DECIMAL}" are substituted for the port and MAC address of the endpoint to be re-authenticated.

    2. Select the type of the re-authentication OID from the OID type drop-down list:

      • INTEGER

      • unsigned INTEGER

      • TIMETICKS

      • IPADDRESS

      • OBJID

      • STRING

      • HEX STRING

      • DECIMAL STRING

      • BITS

      • NULLOBJ

    3. Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field.

HINT: Click revert to defaults to restore the default settings.

3.11.13 HP ProCurve 420 AP or HP ProCurve 530 AP

To add an HP ProCurve 420 AP or HP ProCurve 530 AP device:

Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device

Figure 3-34 Add HP ProCurve 420/530 AP Device

  1. Enter the IP address of the HP ProCurve 420 AP or HP ProCurve 530 AP device in the IP address text field.

  2. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.

  3. Re-enter the shared secret in the Re-enter shared secret text field.

  4. Enter an alias for this device that appears in log files in the Short name text field.

  5. Select ProCurve 420 AP or ProCurve 530 AP from the Device type drop-down list.

  6. Enter the Community string used to authorize writes to SNMP objects.

  7. Enter the OID used to re-authenticate an endpoint in the Re-authenticate OID text field. The strings "${Port}" and "${MAC_DOTTED_DECIMAL}" will be substituted for the port and MAC address of the endpoint to be re-authenticated.

  8. Select the type of the re-authentication OID from the OID type drop-down list:

    • INTEGER

    • unsigned INTEGER

    • TIMETICKS

    • IPADDRESS

    • OBJID

    • STRING

    • HEX STRING

    • DECIMAL STRING

    • BITS

    • NULLOBJ

  9. Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field.

  10. Select the Use a different OID for MAC authentication check box to re-authenticate using a different OID when the supplicant request is for a MAC authenticated device.

    1. Enter the Re-authenticate OID used to re-authenticate an endpoint. The strings "${Port}" and "${MAC_DOTTED_DECIMAL}" are substituted for the port and MAC address of the endpoint to be re-authenticated.

    2. Select the type of the re-authentication OID from the OID type drop-down list:

      • INTEGER

      • unsigned INTEGER

      • TIMETICKS

      • IPADDRESS

      • OBJID

      • STRING

      • HEX STRING

      • DECIMAL STRING

      • BITS

      • NULLOBJ

    3. Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field.

HINT: Click revert to defaults to restore the default settings.
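The Re-authenticate OID fields for the ProCurve switch (SNMPv2), WESM and 420/530 AP device types all take a template in which the port and MAC address placeholders are substituted. The following added example (not code from the product) previews the OID a template produces and rejects input that would not yield a numeric OID. It assumes that "dotted decimal" means each MAC octet written in decimal and joined by dots, and it matches placeholder names case-insensitively because the manual spells them both ways. The template OID is a constructed placeholder, not a real device OID.

```python
# Added example: previewing a re-authentication OID built from a template.
# Assumptions: MAC_DOTTED_DECIMAL is each MAC octet in decimal joined by dots;
# placeholder names are matched case-insensitively. Names are constructed.
import re

_MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}")
_OID_RE = re.compile(r"\d+(?:\.\d+)+")
_PLACEHOLDER_RE = re.compile(r"\$\{([A-Za-z_]+)\}")


def mac_to_dotted_decimal(mac):
    """'00:1a:2b:3c:4d:5e' -> '0.26.43.60.77.94'"""
    if not _MAC_RE.fullmatch(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(str(int(octet, 16)) for octet in re.split(r"[:-]", mac))


def render_reauth_oid(template, port, mac):
    """Substitute the port and MAC placeholders and validate the result."""
    if not (port.isascii() and port.isdigit()):
        raise ValueError(f"port must be a non-negative integer: {port!r}")
    values = {"port": port, "mac_dotted_decimal": mac_to_dotted_decimal(mac)}

    def substitute(match):
        name = match.group(1).lower()
        if name not in values:
            raise ValueError(f"unknown placeholder: {match.group(0)}")
        return values[name]

    oid = _PLACEHOLDER_RE.sub(substitute, template)
    # Anything left that is not digits and dots means the template is malformed.
    if not _OID_RE.fullmatch(oid):
        raise ValueError(f"result is not a numeric OID: {oid!r}")
    return oid


# Constructed template; replace with the OID from the device documentation.
SAMPLE_TEMPLATE = "1.3.6.1.4.1.99999.1.2.${Port}.${MAC_DOTTED_DECIMAL}"

if __name__ == "__main__":
    print(render_reauth_oid(SAMPLE_TEMPLATE, "12", "00:1a:2b:3c:4d:5e"))
```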

3.11.14 Nortel

To add a Nortel device:

Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device

Figure 3-35 Add Nortel Device

  1. Enter the IP address of the Nortel device in the IP address text field.

  2. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.

  3. Re-enter the shared secret in the Re-enter shared secret text field.

  4. Enter an alias for this device that appears in log files in the Short name text field.

  5. Select Nortel from the Device type drop-down list.

  6. Select telnet or SSH from the Connection method drop-down list.

  7. Enter the User name with which to log into the device's console.

  8. Enter the Password with which to log into the device's console.

  9. Re-enter the console password.

  10. Enter the Enable mode user name.

  11. Enter the password with which to enter enable mode.

  12. Re-enter the enable mode password.

  13. Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet/SSH console can remain idle or unused before it is reset.

  14. Select the Device is stacked check box if the device is in a stacked configuration.

  15. Select the Show scripts plus symbol to show the following scripts:

    • Initialization script — The expect script used to log into the console and enter enable mode.

    • Re-authentication script — The expect script used to perform endpoint re-authentication.

    • Exit script — The expect script used to exit the console.

  16. Click ok.

HINT: Click revert to defaults to restore the default settings.

3.11.15 Other

To add a non-listed 802.1X device:

Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device

Figure 3-36 Add Other Device

  1. Enter the IP address of the new device in the IP address text field.

  2. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.

  3. Re-enter the shared secret in the Re-enter shared secret text field.

  4. Enter an alias for this device that appears in log files in the Short name text field.

  5. Select Other from the Device type drop-down list.

  6. Enter the User name with which to log into the device's console.

  7. Enter the Password with which to log into the device's console.

  8. Re-enter the console password.

  9. Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet/SSH console can remain idle or unused before it is reset.

  10. Select the Show scripts plus symbol to show the following scripts:

    NOTE: You must enter the script contents yourself for the 802.1X device you are adding.

    • Initialization script — The expect script used to log into the console and enter enable mode.

    • Re-authentication script — The expect script used to perform endpoint re-authentication.

    • Exit script — The expect script used to exit the console.

  11. Click ok.

HINT: Click revert to defaults to restore the default settings.