11.3 Setting up the 802.1X Components

In order to use Novell ZENworks Network Access Control in an 802.1X environment, Novell recommends configuring your environment first, then installing and configuring Novell ZENworks Network Access Control.

This section provides instructions for the following:

11.3.1 Setting up the RADIUS Server

Switches support 802.1X authentication by authenticating against a RADIUS server. The Novell ZENworks Network Access Control 802.1X solution must be integrated with the RADIUS authentication to “intervene” in the authentication process, test endpoints, and assign them to the appropriate VLAN. Novell ZENworks Network Access Control can be deployed and integrated with RADIUS in the following three ways:

Any of these solutions can be customized to work with your existing LDAP or Active Directory user databases. This section provides instructions of configuring these three options.

Using the Novell ZENworks Network Access Control IAS Plug-in to the Microsoft IAS RADIUS Server

This section provides instructions for how to install the Microsoft IAS to the Novell ZENworks Network Access Control IAS plug-in.

HINT:For an explanation of how the components communicate, see Section 11.2, Novell ZENworks Network Access Control and 802.1X.

Microsoft® Windows Server™ 2003 Internet Authentication Service (IAS) is Microsoft’s implementation of a Remote Authentication Dial-In User Service (RADIUS) server. This section provides instructions on configuring this server to use with Novell ZENworks Network Access Control.

For details on the Windows Server 2003 IAS, refer to the following link:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/ias.mspx

In addition to installing the Windows Server 2003 software, you also need to have a database of users for authentication purposes. The Windows IAS implementation of RADIUS can use the following:

  • Active Directory (recommended)

  • A Windows NT domain

  • The local Security Accounts Manager (SAM)

To add IAS to the Windows Server 2003 installation:

Windows desktop>>Start>>Settings>>Control Panel>>Add or remove programs

  1. In the left column, click Add/Remove Windows Components. The Windows Components Wizard window appears, as shown in the following figure.

    Figure 11-4 Windows Components Wizard

  2. Select the Networking Services check box.

  3. Click Details. The Networking Services window appears, as shown in the following figure.

    Figure 11-5 Networking Services

  4. Select the check box for Internet Authentication Service and any other Windows Internet Authentication Service (IAS) components you want to install.

  5. Click OK.

  6. Click Next.

  7. Click Finish.

  8. Install any IAS and 802.1X updates that are available.

    http://www.microsoft.com/downloads/search.aspx?displaylang=en

Configuring the Microsoft IAS RADIUS Server

For an explanation of how the components communicate, see Section 11.2, Novell ZENworks Network Access Control and 802.1X.

Now that you have the RADIUS server installed, you need to log into it and perform the configuration steps described in this section.

To configure the RADIUS server:

  1. Log into the RADIUS server.

  2. From the RADIUS server main window, select Start>>Settings>>Control Panel>>Administrative Tools>>Internet Authentication Service.

  3. Configure IAS to use Active Directory:

    1. Right-click on Internet Authentication Service (Local).

    2. Select Register Server in Active Directory (Figure 11-6).

    3. Click OK if a registration completed window appears.

  4. Configure the RADIUS server parameters:

    Figure 11-6 IAS, Register Server in Active Directory

    1. Right-click on Internet Authentication Service (local)

    2. Select Properties (Figure 11-7). The Properties window appears (Figure 11-8).

      Figure 11-7 IAS, Properties Option

      Figure 11-8 IAS, Properties

    3. General tab

      1. Enter a descriptive name in the Server Description text box. For example, IAS.

      2. Select the Rejected authentication requests check box.

      3. Select the Successful authentication requests check box.

    4. Ports tab

      1. Enter the authentication port numbers in the Authentication text box. The authentication port (1812) is used to verify the user.

      2. Enter the accounting port numbers in the Accounting text box. The accounting port (1813) is used to track the user’s network use.

    5. Click OK.

  5. Define the authenticators that use this RADIUS server for authentication.

    1. Right-click on RADIUS Clients.

    2. Select New RADIUS Client. The New RADIUS Client window appears:

      Figure 11-9 IAS, New Client, Name and Address

    3. Enter a descriptive name for the Friendly name, such as Foundry.

    4. Enter the IP address of the authenticator in the Client address text box.

      HINT:Click Verify to test the connection.

    5. Click Next.

      Figure 11-10 IAS, New Client, Additional Information

    6. Select RADIUS Standard from the Client Vendor drop-down list

    7. Enter a password in the Shared secret text box. This password also needs to be entered when you configure the authenticator.

      NOTE:See your system administrator to obtain the shared secret for your switch.

    8. Re-enter the password in the Confirm shared secret text box.

    9. Select the Request must contain the Message Authenticator attribute check box.

    10. Click Finish.

  6. Repeat Step 5 for every authenticator in your system that uses this RADIUS server.

  7. Create a Remote Access Policy:

    If you already have an 802.1X environment configured, you already have a Remote Access Policy defined; however, you can create as many as you need.

    1. Right-click on Remote Access Policy.

    2. Select New Remote Access Policies.

    3. Click Next. The New Remote Access Policy Wizard window appears:

      Figure 11-11 IAS, New Remote Access Policy

    4. Select the Use the wizard radio button.

    5. Enter a meaningful name in the Policy Name text field.

    6. Click Next.

      Figure 11-12 IAS, Remote Access Policy, Access Method

    7. Select the Ethernet radio button. (The Ethernet option will not work for authenticating wireless clients with this policy.)

    8. Click Next.

      Figure 11-13 IAS, Remote Access Policy, Group Access

    9. You can configure your Access policy by user or group. This example uses the group method. Select the Group radio button.

    10. Click Add. The Select Groups pop-up window appears:

      Figure 11-14 IAS, Remote Access Policy, Find Group

    11. Click Advanced.

      Figure 11-15 IAS, Remote Access Policy, Select Group

    12. Click Find Now to populate the Search Results area.

    13. Select Domain Guests.

    14. Click OK.

    15. Click OK.

    16. Click Next.

      Figure 11-16 IAS, Remote Access Policy, Authentication Method

      NOTE:If you choose PEAP as your authentication mechanism in Step 7.q, see Step 8 before completing Step 7.r and Step 7.s. Adding a certificate, if your server does not already have one, and configuring PEAP is explained in Step 8.

    17. Select the EAP type from the drop-down list.

      IMPORTANT:The type selected here must match the type selected for the endpoint described in Step 5, Step 7.

    18. Click Next.

    19. Click Finish.

  8. The PEAP authentication method requires that a specific type of SSL certificate is available for use during authentication. These steps assume there is a Domain Certificate Authority (CA) available to request a certificate.

    Click Configure.

    If you receive the error message shown in Figure 11-17, complete these steps to request a certificate.

    These steps assume there is a Domain Certificate Authority (CA) available to request a certificate. If there is not a CA available, the certificate needs to be imported manually.

    NOTE:To import the certificate manually:

    1. Right-click on the Personal folder>>select All Tasks>>Import.

    2. When the wizard opens, click Next.

    3. Enter the path to the Novell ZENworks Network Access Control certificate, for example:

      D:\support\ias\compliance.keystore.cer

    4. Click Next, Next, and Finish.

  9. To request a certificate from a Domain Certificate Authority:

    Figure 11-17 Error Message

    1. Open the Microsoft management console by choosing Start>>Run and entering mmc.

    2. Choose File>>Add/Remove Snap-in.

    3. Click Add.

    4. Choose the certificates snap-in and click Add.

    5. Select Computer account and click Next.

    6. Select Local Computer and click Finish.

    7. Click Close and OK to exit out of the properties.

    8. Open the Certificates folder under the Console Root.

    9. Right-click on the Personal folder and select All Tasks>>Request New Certificate.

      NOTE:To import the certificate manually:

      1. Right-click on the Personal folder>>select All Tasks>>Import.

      2. When the wizard opens, click Next.

      3. Enter the path to the Novell ZENworks Network Access Control certificate, for example:

        D:\support\ias\compliance.keystore.cer

      4. Click Next, Next, and Finish.

    10. Follow the instructions to generate a certificate request. If there are no certificate templates available you need to edit the certificate template permissions (in mmc add the certificate template snap-in, right-click on the template, select properties, and change the permissions for your user) on the certificate authority. The Computer or RAS and IAS templates both work.

    11. Once the Certificate is granted by the certificate authority, return to the IAS policy editor to continue the setup.

    12. Click Configure to configure the certificate for use with the PEAP authentication method. The Protected EAP Properties window appears (Figure 11-18).

    13. Select the certificate you created in the previous steps, select the EAP types you want to use, and click OK.

    14. Once the Certificate is granted by the certificate authority, edit the IAS policy.

    15. On the authentication tab click authentication methods.

    16. Select PEAP and click Edit.

    17. Select the new certificate and click Apply.

    18. Click Configure to configure the certificate for use with the PEAP authentication method. The Protected EAP Properties window appears, as shown in the following figure:

      Figure 11-18 Protected EAP Properties

  10. Configure the new Remote Access Policy.

    Figure 11-19 IAP, Remote Access Policy, Properties

    1. Select Remote Access Policies.

    2. In the right pane, right-click the new policy name and select Properties. The Guest Policy Properties window appears:

      Figure 11-20 IAS, Remote Access Policy, Configure

    3. Click Edit Profile. The Edit Dial-in Profile window appears.

      1. Authentication tab — Select the check boxes for the authentication methods you will allow. This example does not use additional selections.

      2. Advanced tab — Add three RADIUS attributes:

        HINT:The attributes you select might be different for different switch types. Contact Novell Support or call (800) 858-4000 if you would like assistance.

      1. Click Add.

        Figure 11-21 IAS, Remote Access Policy, Add Attribute

      2. Select Tunnel-Medium-Type. (Adding the first of the three attributes.)

      3. Click Add.

      4. Click Add again on the next window.

      5. From the Attribute value drop-down list, select 802 (includes all 802 media.

      6. Click OK.

      7. Click OK.

      8. Select Tunnel-Pvt-Group-ID.

      9. Click Add.

      10. Click Add again on the next window. (Adding the second of the three attributes.)

      11. In the Enter the attribute value area, select the String radio button and type the VLAN ID (usually a number such as 50) in the text box.

      12. Click OK.

      13. Click OK.

      14. Select Tunnel-Type. (Adding the third of the three attributes.)

      15. Click Add.

      16. Click Add again on the next window.

      17. From the Attribute value drop-down list, select Virtual LANS (VLAN).

      18. Click OK.

      19. Click OK.

      20. Click OK.

  11. Repeat step 9 for every VLAN group defined in Active Directory.

    IMPORTANT:The order of the connection attributes should be most-specific at the top, and most-general at the bottom.

  12. Turn on remote access logging

    1. Click on Remote Access Logging.

    2. In the right pane, right-click Local File.

    3. Select Properties. The Local File Properties window appears:

      Figure 11-22 IAS, Remote Access Logging Properties

    4. Settings tab — Select any of the request and status options you are interested in logging.

    5. Log file tab

      1. In the Format area, select the IAS radio button.

      2. In the Create a new log file area, select a frequency, such as Daily.

      3. Select the When disk is full, delete older log files check box.

      4. Click OK.

  13. Install the Novell ZENworks Network Access Control-to-IAS connector — The Novell ZENworks Network Access Control IAS Connector is a DLL file that is installed on your Windows Server 2003 machine where the IAS component is enabled. The connector is called by IAS after the RADIUS authentication of an endpoint and during the authorization phase. The connector contacts Novell ZENworks Network Access Control and asks for the posture of the endpoint. Depending on the posture of the endpoint, the plug-in can return RADIUS attributes to your switch instructing it into which VLAN to place an endpoint. The following figure illustrates this process:

    NOTE:If you have an existing Novell ZENworks Network Access Control v4.1 certificate (compliance.keystore.cer), you need to replace it with the v5.0 certificate.

    Figure 11-23 ZENworks Network Access Control-to-IAS Connector

    1. Copy the following Novell ZENworks Network Access Control IAS Connector files from the Novell ZENworks Network Access Control CD-ROM (/support directory) to the WINDOWS/system32 directory on your Windows Server 2003 machine. 

      support/ias/SAIASConnector.dll 
support/ias/SAIASConnector.ini

      NOTE:SAIASConnector.ini is installed within Novell ZENworks Network Access Control using standard system defaults. Utilities for this such as DebugAttributes and DebugLevel should be modified only in conjunction with technical assistance through Novell Support or call (800) 858-4000.

    2. Import the Novell ZENworks Network Access Control server’s certificate so the connector can communicate with Novell ZENworks Network Access Control over SSL:

      1. On the Windows Server 2003 machine, click Start.

      2. Select run.

      3. Enter mmc.

      4. Click OK.

        Figure 11-24 IAS, Add/Remove Snap-in

      5. Select File>>Add/Remove Snap-in.

      6. Click Add.

        Figure 11-25 IAS, Add/Remove Snap-in, Certificates

      7. Select Certificates.

      8. Click Add.

      9. Select the Computer account radio button.

      10. Click Next.

      11. Select the Local computer: (the computer this console is running on) radio button.

      12. Click Finish.

      13. Click Close.

      14. Click OK.

        Figure 11-26 IAS, Import Certificate

      15. Right-click on Console Root>>Certificates (Local Computer)>>Trusted Root Certificate Authorities.

      16. Select All tasks>>import.

      17. Click Next.

      18. Click Browse and choose the certificate. The Novell ZENworks Network Access Control server certificate is located on the CD-ROM in

        support/ias/compliance.keystore.cer

      19. Click Next.

      20. Click Next.

      21. Click Finish.

  14. Configure the Novell ZENworks Network Access Control-to-IAS connector

    1. Modify the INI file for your network environment.

      Novell ZENworks Network Access Control returns one of following postures for an endpoint attempting to authenticate. For each posture received, a different RADIUS response to the switch can be configured using RADIUS attributes. This response determines into what VLAN the endpoint is placed.

      Healthy — The endpoint passed all tests or no failed tests were configured to quarantine.

      Checkup — The endpoint failed a test and the action is configured to grant temporary access.

      Quarantined — The endpoint failed a test and the action is configured to quarantine.

      Unknown — The endpoint has not been tested.

      Infected — The endpoint failed the Worms, Virus, and Trojans test.

      To configure the response, edit the SAIASConnector.ini file. This file was copied from the CD in Step 13.a.

    2. Enable the Authorization DLL file. At startup, IAS checks the registry for a list of third-party DLL files to call.

      1. Click Start.

      2. Select Run.

      3. Enter regedit.

      4. Navigate to:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

      5. Create an AuthSrv folder if it does not already exist. (Edit>>New>>Key)

      6. Create a Parameters folder inside the AuthSrv folder if it does not already exist. (New>>Key)

      7. Right-click on the Parameters folder name.

      8. Select New>>Multi-string value.

      9. Type AuthorizationDLLs for the name and press Enter on the keyboard.

      10. Right-click AuthorizationDLLs, and select Modify.

      11. Enter the following value in the Value Data text box.

        C:\Windows\System32\SAIASConnector.dll

      12. Click OK.

    3. Restart the IAS server (Start>>Settings>>Control Panel>>Services>>Internet Authentication Services>>Restart). A log file (SAIASConnector.log) is created in the WINDOWS\system32 directory for debugging purposes.

  15. Verify that you are using Microsoft’s version of the challenge-handshake authentication protocol (CHAP) MSCHAPv2. If for some reason, you cannot upgrade to MSCHAPv2 at this time, perform the following workaround for MSCHAPv1:

    1. Configure passwords:

      1. From the Windows Server 2003 machine, select Start>>Settings>>Control Panel>>Administrative Tools>>Active Directory Users and Computers.

        Figure 11-27 Active Directory, Properties

      2. Right-click on your directory name and select Properties.

      3. Select the Group Policy tab.

      4. Click Open.

      5. Right-click Default Domain Policy and select Edit (click OK if you get a global changes pop-up message).

        Figure 11-28 Active Directory, Store Passwords

      6. Navigate to Computer Configuration>>Windows Settings>>Security Settings>>Account Policies>>Password Policy.

      7. Select Password Policy.

      8. Right-click Store passwords using reversible encryption.

      9. Select the Enabled check box.

      10. Click OK.

      11. Close the Group Policy Object Editor window.

      12. Close the Group Policy Management window.

      13. Close the <Active Directory Name> Properties window.

  16. Create active directory user accounts.

    1. From the Windows Server 2003 machine, select Start>>Settings>>Control Panel>>Administrative Tools>>Active Directory Users and Computers.

    2. Right-click on the user’s entry under the appropriate domain under Active Directory Users and Computers.

    3. Enter the user information requested.

    4. Click Next.

    5. Enter the password information.

    6. Click Next.

    7. Click Finish.

    8. Repeat from step a for all users that need to authenticate using Active Directory.

  17. Configure user accounts for Dial-in access and Password Reversible Encryption:

    1. From the Windows Server 2003 machine, select Start>>Settings>>Control Panel>>Administrative Tools>>Active Directory Users and Computers.

    2. Click the plus symbol next to the domain to expand the selection.

    3. Select the Users folder.

      Figure 11-29 Active Directory Users and Computers

    4. Right-click a user name and select Properties. The Properties windows appears:

      Figure 11-30 Active Directory User Account Properties

    5. Select the Dial-in tab.

    6. In the Remote Access Permission area, select the Allow Access radio button.

    7. Select the Account tab.

    8. Verify that you are using Microsoft’s version of the challenge-handshake authentication protocol (CHAP) MSCHAPv2. If for some reason, you cannot upgrade to MSCHAPv2 at this time, perform the following workaround for MSCHAPv1:

      In the Account options area, select the Store password using reversible encryption check box.

      NOTE:If there are existing user accounts in your Active Directory installation when you enable reversible encryption, the passwords must be reset (either by the user or by the system administrator) before reversible encryption takes effect.

    9. Click OK.

    10. Repeat from step a for each user account.

Proxying RADIUS Requests to an Existing RADIUS Server Using the Built-in Novell ZENworks Network Access Control RADIUS Server

HINT:For an explanation of how the components communicate, see Section 11.2, Novell ZENworks Network Access Control and 802.1X.

To configure Novell ZENworks Network Access Control to proxy RADIUS requests to an existing RADIUS server:

  1. To configure the RADIUS server to proxy requests to your existing RADIUS server:

    1. Log in to the ES as root via SSH.

    2. Open the following file with a text editor such as vi: 

      /etc/raddb/proxy.conf

    3. Append the following section replacing the parameters in <> with your RADIUS servers information: realm NULL { type = radius authhost = <RADIUS host or IP>:<RADIUS auth port> accthost = <RADIUS host or IP>:<RADIUS acct port> secret = <the shared secret for your RADIUS server> }

    4. Save and exit the file.

      NOTE:The realm NULL section must go after the realm LOCAL section, or you can comment out the realm LOCAL section.

  2. Configure your RADIUS server to allow the Novell ZENworks Network Access Control IP address as a client with the shared secret specified in the previous step. See your RADIUS server’s documentation for instructions on how to configure allowed clients.

  3. Configure the SAFreeRADIUSConnector.conf file with the appropriate RADIUS attributes and VLANS. See comments in the following sample file for instructions.

    #
# FreeRADIUS Connector configuration file
#

#
# TO DO - Change localhost to your server's IP if this is not the built-in FreeRADIUS server
#

ServerUrl=https://localhost/servlet/AccessControlServlet
DebugLevel=4
Debug=onUsername=nacuser
Password=nacpwd

#
# TO DO - Modify the vlan ids and names to match your switch configuration
#


#
# Use these attributes for all non-Extreme switches
#

#
# Uncomment these two sections if you want the connector to specify the normal user vlan
# rather than specifying it for each user in the users configuration file.
#

#"HealthyRadiusAttributes"
#      Tunnel-Medium-Type := 6,
#      Tunnel-Private-Group-ID := 50,
#      Tunnel-Type := VLAN,
#
#"CheckupRadiusAttributes" 
#      Tunnel-Medium-Type := 6,
#      Tunnel-Private-Group-ID := 50,
#      Tunnel-Type := VLAN,


"QuarantineRadiusAttributes"
      Tunnel-Medium-Type := 6,
      Tunnel-Private-Group-ID := 15,
      Tunnel-Type := VLAN,

"InfectedRadiusAttributes"
      Tunnel-Medium-Type := 6,
      Tunnel-Private-Group-ID := 15,
      Tunnel-Type := VLAN,


"UnknownRadiusAttributes"
      Tunnel-Medium-Type := 6,
      Tunnel-Private-Group-ID := 5,
      Tunnel-Type := VLAN,


#
# Use these attributes for Extreme switches
#

#"HealthyRadiusAttributes"
#      Extreme-Netlogin-Vlan := HealthyVlanName
#
#"CheckupRadiusAttributes"
#      Extreme-Netlogin-Vlan := HealthyVlanName
#
#"QuarantineRadiusAttributes"
#      Extreme-Netlogin-Vlan := QuarantineVlanName
#

#"InfectedRadiusAttributes"
#      Extreme-Netlogin-Vlan := QuarantineVlanName
#
#"UnknownRadiusAttributes"
#      Extreme-Netlogin-Vlan := TempOrGuestVlanName


#
# TO DO - Uncomment if you want different switches to have different attributes.
#      Posture is Healthy, Checkup, Quarantine, Infected, or Unknown.
#      This entry must come after the default set of attributes in the file.
#
#"<POSTURE>RadiusAttributes-<NAS IP ADDRESS>"
#      Tunnel-Medium-Type := 6,
#      Tunnel-Private-Group-ID := 15,
#      Tunnel-Type := VLAN,

  4. Test the RADIUS server proxy: 

    radtest <user> <passwd> <radius-server[:port]> <nas-port-number><secret>

Using the Built-in Novell ZENworks Network Access Control RADIUS Server for Authentication

If you selected the Manual End-user authentication method in the Authentication settings area of the System configuration>>Quarantining>>802.1X window, configure Novell ZENworks Network Access Control according to the instructions in this section.

To configure Novell ZENworks Network Access Control to handle RADIUS requests:

Add users to the RADIUS server by modifying the /etc/raddb/users file. Add user entries to the beginning of the file in the following format:

Clear text authentication: 

<user name> Auth-Type := Local, User-Password =="password"

EAP, PEAP, or MD5-Challenge authentication (the built-in windows 802.1X supplicant uses these methods): 

<user name> Auth-Type := EAP, User-Password =="password"

For example: 

dave Auth-Type := EAP, User-Password =="d@9ij8!e"

11.3.2 Enabling Novell ZENworks Network Access Control for 802.1X

To enable Novell ZENworks Network Access Control for use in an 802.1X network, you need to select it in the user interface, and make a few changes to the properties using JMS and an XML file.

Novell ZENworks Network Access Control User Interface Configuration

To enable 802.1X in the Novell ZENworks Network Access Control user interface:

Home window>>System configuration>>Quarantining

  1. In the Select a quarantine method area, select the 802.1X quarantine method radio button.

    Figure 11-31 Enabling 802.1X in the User Interface

  2. In 802.1X enforcement mode, the ESs must be able watch DHCP conversations and detect endpoints by sniffing network traffic as it flows between the DHCP server and the endpoints. Select one of the following radio buttons:

    • remote — In more complex deployments, it is often impossible (in the case of multiple ESs or multiple DHCP servers) or undesirable to span switch ports. In this case the DHCP traffic monitoring and endpoint detection can be run remotely by installing and configuring the endpoint activity capture software on each DHCP server involved in the 802.1X deployment. In this case, choose the remote option.

    • local — In simple configurations, it is possible to span, or mirror, the switch port into which the DHCP server is connected. The eth1 interface of the ES is then plugged into the spanned port and endpoint traffic is monitored on the eth1 interface. In this case, choose the local option.

  3. Click ok.

11.3.3 Setting up the Supplicant

Now you must enable the endpoint for 802.1X. If you do not, the endpoint can never pass the initial challenge from the switch, as the switch searches for an 802.1X-enabled endpoint. This sections describes how to set up the following endpoints for 802.1X:

  • Windows XP Professional endpoint

  • Windows XP Home endpoint

  • Windows 2000 Professional endpoint

  • Windows Vista endpoint

HINT:The exact instructions for Windows XP and Windows Vista tasks will vary slightly depending on whether you are using Classic or Category view.

To determine which view you are using in the Control Panel, select Start>>Control Panel. At the top left you will see either Switch to Classic View or Switch to Category View.

To determine which view you are using in the Start Menu, Right-click Start>>Select Properties. If the Start menu radio button is selected, you are using Category View. If the Classic Start menu radio button is selected you are using Classic View.

The instructions in this section assume you are using Classic View in both cases.

The following sections contain more information:

Windows XP Professional Setup

To enable a Windows XP Professional endpoint for 802.1X:

Windows desktop>>Start>>Settings>>Network Connections

  1. Right-click on Local Area Connection.

  2. Select Properties. The Local Area Connection windows appears:

    Figure 11-32 Windows XP Pro Local Area Connection, General Tab

  3. Select the General tab.

  4. Select the Show icon in notification area when connected check box. This enables the Windows XP balloon help utility, which can assist you when entering information and troubleshooting errors.

  5. Select the Authentication tab.

    Figure 11-33 Windows XP Pro Local Area Connection Properties, Authentication Tab

  6. Select the Enable IEE 802.1X authentication for this network check box.

  7. Select an EAP type from the drop-down list. For this example, select MD5-Challenge.

    IMPORTANT:This EAP type must match the EAP type selected in Step 7.q.

  8. Clear or select the Authenticate as computer when computer information is available check box. The choice is yours.

  9. Click OK.

  10. Select to reboot if prompted.

Windows XP Home Setup

To enable a Windows XP Home endpoint for 802.1X:

  1. Start the wireless service:

    Windows desktop>>Start>>Settings>>Control Panel>>Administrative Tools>>Services

    1. Select Wireless Zero Configuration. If the Status column does not already show Started, start the service:

      1. Right click on Wireless Zero Configuration.

      2. Select Start.

    2. Close the Services window.

  2. Configure the network connections:

    Windows desktop>>Start>>Settings>>Control Panel>>Network Connections

  3. Right-click on Local Area Connection. Select Properties. The Local Area Connection windows appears (Figure 11-32).

  4. Select the General tab.

  5. Select the Show icon in notification area when connected check box. This enables the Windows XP balloon help utility, which can assist you when entering information and troubleshooting errors.

  6. Select the Authentication tab (Figure 11-33).

    1. Select the Enable IEE 802.1X authentication for this network check box.

    2. Select an EAP type from the drop-down list. For this example, select MD5-Challenge.

      IMPORTANT:This EAP type must match the EAP type selected in Section 11.3.1, Setting up the RADIUS Server, Step 7.q.

    3. Clear or select the Authenticate as computer when computer information is available check box. The choice is yours.

  7. Click OK.

  8. Select to reboot if prompted.

Windows 2000 Professional Setup

To enable a Windows 2000 Professional endpoint for 802.1X:

  1. Start the wireless service:

    Windows desktop>>Start>>Settings>>Control Panel>>Administrative Tools>>Services

    1. Select Wireless Configuration. If the Status column does not already show Started, start the service:

      1. Right click on Wireless Configuration.

      2. Select Start.

    2. Close the Services window.

  2. Configure the network connections:

    Windows desktop>>Start>>Settings>>Control Panel>>Network and Dial-up Connections

    1. Right-click on Local Area Connection. Select Properties. The Local Area Connection windows appears.

      Figure 11-34 Windows 2000 Local Area connection Properties, General Tab

    2. Select the General tab.

    3. Select the Show icon in taskbar when connected check box.

    4. Select the Authentication tab.

      Figure 11-35 Windows 2000 Local Area Connection Properties, Authentication

    5. Select the Enable network access control using IEE 802.1X check box.

    6. Select an EAP type from the drop-down list. For this example, select MD5-Challenge.

      IMPORTANT:This EAP type must match the EAP type selected in Section 11.3.1, Setting up the RADIUS Server, Step 7.q.

    7. Clear or select the Authenticate as computer when computer information is available check box. The choice is yours.

    8. Click OK.

  3. Select to reboot if necessary.

Windows Vista Setup

NOTE:Frequently when performing actions on Windows Vista, the User Account Control window pops up and asks you to select Continue to authorize the action. The instructions in this section do not include this step.

To enable a Windows Vista endpoint for 802.1X:

Windows desktop>>Start>>Control Panel>>Administrative Tools>>Services

  1. Start the wired service:

    1. Double-click on Wired AutoConfig. The Wired AutoConfig Properties window appears.

      Figure 11-36 Wired AutoConfig Properties

    2. Select Automatic from the Startup type drop-down list.

    3. Click Start in the Service status area.

    4. Click OK.

    5. Close the Services window.

  2. Configure the network connections:

    Windows desktop>>Start>>Settings>>Network Connections

  3. Right-click on Local Area Connection.

  4. Select Properties. The Local Area Connection windows appears:

    Figure 11-37 Windows Vista Local Area Connection, Networking Tab

  5. Select the Authentication tab.

    Figure 11-38 Windows Vista Local Area Connection Properties, Authentication Tab

  6. Select the Enable IEE 802.1X authentication check box.

  7. Select an EAP type from the Choose a network authentication method drop-down list. For this example, select Protected EAP (PEAP).

    IMPORTANT:This EAP type must match the EAP type selected in Step 7.q.

  8. Clear or select the Cache user information for subsequent connections to this network check box. The choice is yours.

  9. Click OK.

  10. Select to reboot if prompted.

11.3.4 Setting up the Authenticator

This section provides sample configurations for the following switches:

The lines that apply to 802.1X are shown in italic text. Make sure that you add this information when configuring your switch.

Cisco® 2950 IOS

aaa new-model 
aaa authentication dot1x default group radius 
aaa authorization network default group radius 

dot1x system-auth-control
interface FastEthernet0/1
  switchport mode access
  dot1x port-control auto
  dot1x timeout quiet-period 30
  dot1x guest-vlan 5
  dot1x reauthentication
  spanning-tree portfast
!
interface FastEthernet0/2
  switchport mode access
  dot1x port-control auto
  dot1x timeout quiet-period 30
  dot1x guest-vlan 5
  dot1x reauthentication
  spanning-tree portfast
!
interface FastEthernet0/3
  switchport mode access
  dot1x port-control auto
  dot1x timeout quiet-period 30
  dot1x guest-vlan 5
  dot1x reauthentication
  spanning-tree portfast
!
interface FastEthernet0/4
  switchport mode access
  dot1x port-control auto
  dot1x timeout quiet-period 30
  dot1x guest-vlan 5
  dot1x reauthentication
  spanning-tree portfast

ip http server
radius-server host 10.11.100.10 auth-port 1812 acct-port 1813 key mysecretpassword
radius-server retransmit 3
!

Cisco® 4006 CatOS

set dot1x re-authperiod 100
set feature dot1x-radius-keepalive disable

#radius
set radius server 172.17.20.150 auth-port 1812 primary
set radius key mysecretpassword
!

#module 2 : 48-port 10/100BaseTx Ethernet
set port dot1x 2/15 port-control auto
set port dot1x 2/17 port-control auto
set port dot1x 2/18 port-control auto
set port dot1x 2/19 port-control auto
set port dot1x 2/15 re-authentication enable
set port dot1x 2/17 re-authentication enable
set port dot1x 2/18 re-authentication enable
set port dot1x 2/19 re-authentication enable
set port dot1x 2/15 guest-vlan 40
set port dot1x 2/17 guest-vlan 40
set port dot1x 2/18 guest-vlan 40
set port dot1x 2/19 guest-vlan 40

Enterasys® Matrix 1H582-25 

! dot1x
  set dot1x auth-config authcontrolled-portcontrol forced-auth fe.0.5-24
  set dot1x auth-config maxreq 10000 fe.0.1-4
  set dot1x auth-config keytxenabled true fe.0.1-4
  set dot1x enable
!

! radius
  set radius timeout 30
set radius server 1 10.11.100.10 1812 02108000AE5BA9C47EDC24F2CA6529EE4CCC8930B
BD70F5AAA2CF0C5DBAA5DA97FADFE95
  set radius enable
!

Extreme® Summit 48si

HINT:When authenticating via the onboard FreeRADIUS server, you need to add the administrative line in the RADIUS users file.

HINT:Change the admin password to a non-blank password.

create vlan "Operations"
create vlan "CommandControl"
create vlan "Quarantine"
create vlan "Guest"
create vlan "Temp"

# RADIUS configuration
#
enable radius
configure radius primary shared-secret encrypted "ouzoisgprdr#s{fqa"
configure radius primary server 10.10.100.10 1812 client-ip 10.10.100.1


# Network Login Configuration
configure vlan Temp dhcp-address-range 10.10.5.100 - 10.10.5.150
configure vlan Temp dhcp-options default-gateway 10.10.5.1
configure vlan Temp dhcp-options dns-server 10.10.100.11
configure vlan Temp dhcp-options wins-server 10.10.100.10
enable netlogin port 33 vlan Temp
enable netlogin port 34 vlan Temp
enable netlogin port 35 vlan Temp
enable netlogin port 36 vlan Temp
enable netlogin port 37 vlan Temp
enable netlogin port 38 vlan Temp
enable netlogin port 39 vlan Temp
enable netlogin port 40 vlan Temp
configure netlogin redirect-page "https://10.10.100.100:89"

ExtremeWare

HINT:When authenticating via the onboard FreeRADIUS server, you need to add the administrative line in the RADIUS users file.

HINT:Change the admin password to a non-blank password.

create vlan "Quarantine"
create vlan "Test"
# RADIUS configuration
#
enable radius
configure radius primary shared-secret encrypted "ouzoisgprdr#s{fqa"
configure radius primary server 10.50.32.10 1812 client-ip 10.50.32.254

# Network Login Configuration
enable netlogin port 1 vlan Default
enable netlogin port 2 vlan Default
enable netlogin port 3 vlan Default
enable netlogin port 4 vlan Default
enable netlogin port 5 vlan Default
enable netlogin port 6 vlan Default
enable netlogin port 7 vlan Default
enable netlogin port 8 vlan Default
configure netlogin mac auth-retry-count 3
configure netlogin mac reauth-period 1800

ExtremeXOS 

#
create vlan "Quarantine"
create vlan "Test"

enable radius netlogin
configure radius netlogin timeout 3

configure radius-accounting netlogin timeout 3

# Module netLogin configuration.
#
configure netlogin vlan Test
enable netlogin dot1x mac
enable netlogin ports 1-8 dot1x
configure netlogin dot1x timers server-timeout 30 quiet-period 60 reauth-period
100 supp-resp-timeout 30
configure netlogin dot1x eapol-transmit-version v1
configure netlogin dot1x guest-vlan Guest
enable netlogin logout-privilege
enable netlogin session-refresh 3
configure netlogin base-url "network-access.com"
configure netlogin redirect-page "http://www.extremenetworks.com"
configure netlogin banner ""

Foundry® FastIron® Edge 2402 

dot1x-enable
  auth-fail-action restricted-vlan
  auth-fail-vlanid 5
  mac-session-aging no-aging permitted-mac-only
  enable ethe 1 to 4 

aaa authentication dot1x default radius

radius-server host 10.11.100.10 auth-port 1812 acct-port 1813 default key 1 $6\-ndUnoS!--+sU@

interface ethernet 1
  dot1x port-control auto
  sflow-forwarding
!
interface ethernet 2
  dot1x port-control auto
  sflow-forwarding
!
interface ethernet 3
  dot1x port-control auto
  sflow-forwarding
!
interface ethernet 4
  dot1x port-control auto
  sflow-forwarding
!

HP ProCurve 420AP

This section shows how to configure the security settings on the 420AP so that user access may be controlled using Dynamic VLAN provisioning.

HP ProCurve Access Point 420#configure
HP ProCurve Access Point 420(config)#interface ethernet
Enter Ethernet configuration commands, one per line.
HP ProCurve Access Point 420(if-ethernet)#no ip dhcp
HP ProCurve Access Point 420(if-ethernet)#ip address <IP of Access Point Netmask Gateway>
HP ProCurve Access Point 420(if-ethernet)#end
HP ProCurve Access Point 420(config)#management-vlan 200 tagged
HP ProCurve Access Point 420(config)#interface wireless g
Enter Wireless configuration commands, one per line.
HP ProCurve Access Point 420(if-wireless-g)#ssid index 1
HP ProCurve Access Point 420(if-wireless-g-ssid-1)#closed-system
HP ProCurve Access Point 420(if-wireless-g-ssid-1)#radius-authentication-server address <IP of RADIUS Server>
HP ProCurve Access Point 420(if-wireless-g-ssid-1)#radius-authentication-server key <Shared RADIUS secret>
HP ProCurve Access Point 420(if-wireless-g-ssid-1)#radius-authentication-server vlan-format ascii
HP ProCurve Access Point 420(if-wireless-g-ssid-1)#ssid Enterprise420
HP ProCurve Access Point 420(if-wireless-g-ssid-1)#vlan 100 tagged
HP ProCurve Access Point 420(if-wireless-g-ssid-1)#security-suite 6 wpa-wpa2
HP ProCurve Access Point 420(if-wireless-g-ssid-1)#enable
HP ProCurve Access Point 420(if-wireless-g-ssid-1)#end
HP ProCurve Access Point 420(if-wireless-g)#end
HP ProCurve Access Point 420(config)#radius-accounting address <IP of RADIUS Server>
HP ProCurve Access Point 420(config)#radius-accounting key <Shared RADIUS secret>
HP ProCurve Access Point 420(config)#radius-accounting enable
HP ProCurve Access Point 420(config)#vlan enable dynamic
Reboot system now? <y/n>: y
Dynamic WEP

Enter the same commands as the previous configuration; however, substitute security-suite 5 instead of security-suite 6 wpa-wpa2.

HP ProCurve 530AP

This section shows how to configure the security settings on the 530AP so that user access may be controlled using Dynamic VLAN provisioning.

ProCurve Access Point 530#conf
ProCurve Access Point 530(config)#interface ethernet
ProCurve Access Point 530(ethernet)#ip address <IP of Access Point > Netmask
ProCurve Access Point 530(ethernet)#ip default-gateway <IP of Gateway>
ProCurve Access Point 530(ethernet)#management-vlan 200
ProCurve Access Point 530(ethernet)#untagged-vlan 200
ProCurve Access Point 530(radio1-wlan1)#ssid Enterprise530
ProCurve Access Point 530(radio1-wlan1)#closed
ProCurve Access Point 530(radio1-wlan1)#vlan 100
ProCurve Access Point 530(radio1-wlan1)#security wpa-8021x
ProCurve Access Point 530(radio1-wlan1)#radius primary ip <IP of RADIUS Server>
The RADIUS shared secret key must also be set to enable communication between this
device and the RADIUS server.
ProCurve Access Point 530(radio1-wlan1)#radius primary key <Shared RADIUS secret>
ProCurve Access Point 530(radio1-wlan1)#radius-accounting primary ip <IP of RADIUS Server>
ProCurve Access Point 530(radio1-wlan1)#radius-accounting primary key<Shared RADIUS secret>
ProCurve Access Point 530(radio1-wlan1)#wpa-cipher-aes
ProCurve Access Point 530(radio1-wlan1)#write mem
ProCurve Access Point 530(radio1-wlan1)#enable
ProCurve Access Point 530(radio1-wlan1)#enable
ProCurve Access Point 530(config)#radio 1
ProCurve Access Point 530(radio1)#enable
ProCurve Access Point 530(radio1)#radio 2
ProCurve Access Point 530(radio2)#enable
ProCurve Access Point 530(config)#write mem
ProCurve Access Point 530(config)#exit
Dynamic WEP
ProCurve Access Point 530#conf
ProCurve Access Point 530(config)#interface ethernet
ProCurve Access Point 530(ethernet)#ip address <IP of Access Point > Netmask
ProCurve Access Point 530(ethernet)#ip default-gateway <IP of Gateway>
ProCurve Access Point 530(ethernet)#management-vlan 200
ProCurve Access Point 530(ethernet)#untagged-vlan 200
ProCurve Access Point 530(radio1-wlan1)#ssid Enterprise530
ProCurve Access Point 530(radio1-wlan1)#closed
ProCurve Access Point 530(radio1-wlan1)#vlan 100
ProCurve Access Point 530(radio1-wlan1)#security dynamic-wep
ProCurve Access Point 530(radio1-wlan1)#radius primary ip <IP of RADIUS Server>
The RADIUS shared secret key must also be set to enable communication between this device and the RADIUS server.
ProCurve Access Point 530(radio1-wlan1)#radius primary key <Shared RADIUS secret>
ProCurve Access Point 530(radio1-wlan1)#radius-accounting primary ip <IP of RADIUS Server>
The RADIUS shared secret key must also be set to enable communication between this device and the RADIUS server.
ProCurve Access Point 530(radio1-wlan1)#radius-accounting primary key<Shared RADIUS secret>
ProCurve Access Point 530(radio1-wlan1)#wep-key-ascii ProCurve Access Point 530(radio1-wlan1)#wep-key-1 1q2w3e4r5t6y7
ProCurve Access Point 530(radio1-wlan1)#write mem
ProCurve Access Point 530(radio1-wlan1)#enable
ProCurve Access Point 530(radio2-wlan1)#enable
ProCurve Access Point 530(config)#radio 1
ProCurve Access Point 530(radio1)#enable
ProCurve Access Point 530(radio1)#radio 2
ProCurve Access Point 530(radio2)#enable
ProCurve Access Point 530(config)#write mem
ProCurve Access Point 530(config)#exit

HP ProCurve 3400/3500/5400

radius-server host 10.60.1.3 key hpsecret
aaa accounting network start-stop radius
aaa authentication port-access eap-radius
aaa port-access authenticator 1-8
aaa port-access authenticator 1-8 auth-vid 100
aaa port-access authenticator 1-8 unauth-vid 101
aaa port-access authenticator active

Nortel® 5510

NOTE:When the Nortel switch is used in unstacked mode, a range of ports is defined as 1-24.

When the Nortel switch is used in stacked mode, a range of ports is defined as 1/1-24; <unit>/<port-port>. See the Nortel switch user manuals for more information.

RADIUS Server setup:

radius-server host 10.0.0.5
radius-server secondary-host 0.0.0.0
radius-server port 1812
! radius-server key ********


Enable 802.1X:

eapol enable
interface FastEthernet ALL
eapol port 1-2 status auto traffic-control in-out re-authentication enable re-a
uthentication-period 3600 re-authenticate quiet-interval 60 transmit-interval 3
0 supplicant-timeout 30 server-timeout 30 max-request 2

Vlan Info:

vlan create 10 name "production" type port
vlan create 11 name "guest" type port
vlan create 12 name "quarantine" type port

! *** EAP ***
!
eapol enable
interface FastEthernet ALL
eapol port 1-2 status auto traffic-control in-out re-authentication enable re-authentication-period 3600 re-authenticate quiet-interval 60 transmit-interval 3 0 supplicant-timeout 30 server-timeout 30 max-request 2


! *** Port Mirroring ***
!
port-mirroring mode XrxOrXtx monitor-port 9 mirror-port-X 12
!

Creating Custom Expect Scripts

Expect is a tool that uses simple scripts to automate interactive applications.

Novell ZENworks Network Access Control utilizes expect scripts when communicating with 802.1X devices. You can add 802.1X devices in the Novell ZENworks Network Access Control user interface (Home>>System configuration>>Quarantining menu option>>Add 802.1X device). There are 11 pre-defined devices, and one generic device. You can use the default expect script values, modify them, or enter new values. The expect scripts used are as follows:

  • Initialization script — This script is used to log in to the device, enter enable mode and set up the state necessary to execute the re-authentication command. It is executed the first time a connection to the device is opened or if the connection to the device is reset.

  • Re-authentication script — This script is used to perform endpoint re-authentication. It is executed once for each endpoint re-authentication while the connection to the device remains active (until the connection goes bad or the idle time inactivity timeout is reached).

  • Exit script — This script is used to exit the console. It is executed when the idle time timeout is reached.

When testing configuration settings from the Novell ZENworks Network Access Control user interface, all three scripts are executed once in sequence and the connection is closed. If any output is returned by a command sent in the re-authentication script, it is logged and returned to the user. If an expect command times out the current expect buffer is logged and returned to the user.

As an example, the following figures show the initial scripts used for a Nortel device in the Novell ZENworks Network Access Control user interface.

Example 11-1 Nortel Initialization Script

expect Enter Ctrl-Y to begin.
send -noreturn \031
expect -ifset USERNAME Username:
send -ifset USERNAME ${USERNAME}
expect -ifset PASSWORD Password:
send -ifset PASSWORD ${PASSWORD}
expect press <Return> or <Enter> to select option.
send -noreturn c
expect >
send enable
expect -ifset ENABLE_USERNAME Username:
send -ifset ENABLE_USERNAME ${USERNAME}
expect -ifset ENABLE_PASSWORD Password:
send -ifset ENABLE_PASSWORD ${ENABLE_PASSWORD}
expect #
send configure terminal
expect (config)#

Example 11-2 Nortel Re-authentication Script

send interface FastEthernet ${PORT}
expect (config-if)#
send eapol re-authenticate
expect (config-if)#
send exit
expect (config)#

Example 11-3 Nortel Exit Script

send exit
expect #
send exit
expect press <Return> or <Enter> to select option.
send -noreturn l
Expect Script Commands
expect [OPTIONS] TEXT   | "Waits for TEXT to appear on connection input"
send [OPTIONS] TEXT     | "Writes TEXT to connection output"

The expect scripts use the following commands:

Table 11-1 Expect Script Commands and Parameters

Command

Description and parameters

 
expect [OPTIONS] TEXT

Waits for TEXT to appear on the connection input.

Where OPTION is one of three optional parameters:

  • regex

    Interprets the expect string as a (Java 1.5) regular expression.

  • ifmatched

    Skips the command if the value captured from the last regular expression doesn't match the specified expression (the expression may contain spaces if wrapped in double quotes).

  • ifset

    Skips the command if the specified variable is not set.

 
send [OPTIONS] TEXT

Writes text to the connection output followed by a carriage return.

Where OPTION is one of three optional parameters:

  • noreturn

    Omits the carriage return.

  • ifmatched

    Skips the command if the value captured from the last regular expression doesn't match the specified expression (the expression may contain spaces if wrapped in double quotes).

  • ifset

    Skips the command if the specified variable is not set.
Expect Script Variables

Variables referenced with the syntax ${VARIABLE_NAME} will be substituted with the value of the variable at execution time.

The following variables may be referenced anywhere:

  • USERNAME— The username used to log in to the device

  • PASSWORD— The password used to log in to the device

  • ENABLE_USERNAME— The username used to enter enable mode

  • ENABLE_PASSWORD— The password used to enter enable mode

  • IS_TELNET— Set to "true" for a telnet connection (otherwise unset)

  • IS_SSH— Set to "true" for an SSH connection (otherwise unset)

The following variables may be referenced from re-authentication script:

  • PORT— The endpoint's port

  • PORT_ID— The endpoint's port ID, usually the same as PORT

  • MAC— The MAC address of the endpoint in colon/hex format (hh:hh:hh:hh:hh:hh)

  • MAC_DOTTED_DECIMAL— The MAC address of the endpoint in dotted decimal format (ddd.ddd.ddd.ddd.ddd.ddd)

  • MAC_DOTTED_HEX— The MAC address of the endpoint in dotted hex format (hhhh.hhhh.hhhh)

  • IP_ADDRESS— The IP address of the endpoint in dotted decimal format

  • IS_MAC_AUTH— Set to "true" if the username from the switch is a MAC address (otherwise unset)

  • IS_DOT1X— Set to "true" if the username from the switch is not a MAC address (otherwise unset)

Escape Sequences

Special characters can be included by escaping them as "\XXX" where XXX is an octal value representing an ASCII character, or as "\uXXXX" where XXXX is a hexadecimal value representing a unicode character.

Comments

Lines that start with the # character are ignored.

Examples

Example 11-4 Initialization script:

expect Enter Ctrl-Y to begin.

send -noreturn \031
expect -ifset IS_TELNET Username:
send -ifset IS_TELNET ${USERNAME}
expect -ifset IS_TELNET Password:
send -ifset IS_TELNET ${PASSWORD}
expect press or to select option.

send -noreturn c
expect >

send enable
expect -ifset ENABLE_USERNAME Username:
send -ifset ENABLE_USERNAME ${ENABLE_USERNAME}
expect -ifset ENABLE_PASSWORD Password:
send -ifset ENABLE_PASSWORD ${ENABLE_PASSWORD}
expect #

send configure terminal
expect (config)#

Example 11-5 Reauthorization script:

send interface FastEthernet ${PORT}
expect (config-if)#

send eapol re-authenticate
expect (config-if)#

send exit
expect (config)#

Example 11-6 Exit script:

send exit
expect #

send exit
expect press or to select option.
send -noreturn l

The conditions in the above scripts are driven by the values of the variables entered by the user, but sometimes it is necessary to drive conditions from interactions with the switch. For example, if a switch can be configured with either a blank password or no password (no password prompt) then the text field for password is insufficient to specify the correct configuration. Instead the script can use a regular expression to expect either a password prompt or no prompt, and drive subsequent commands from the result.

The following script works when any combination of Username and Password prompt appear (and thus also works with both telnet and SSH without needing to check which the user selected):

Example 11-7 Initialization script:

expect -regex (Username:|Password:|>)
send -ifmatched Username: ${USERNAME}
expect -ifmatched Username: -regex (Password:|>)
send -ifmatched Password: ${PASSWORD}
expect -ifmatched Password: >

Example 11-8 Reauthorization script:

send set dot1x port ${PORT} init
expect >

Example 11-9 Exit script:

send exit