Counteract RADIUS Plugin Configuration Guide

ForeScout CounterACT® Authentication Module: RADIUS Plugin Configuration Guide

Version 4.3

Table of Contents

  • Overview
  • Understanding the 802.1X Protocol
  • About the CounterACT RADIUS Plugin
  • IPv6 Support
  • About This Document
  • RADIUS Plugin Components
  • Authentication Sources
  • Pre-Admission Authorization
  • RADIUS Settings
  • MAC Address Repository
  • Supported Authentication Protocols
  • CounterACT Requirements
  • How to Proceed
  • Environment Readiness
  • Certificate Readiness
  • Network Device Readiness
  • Endpoint Readiness
  • User Directory Readiness
  • Plugin Configuration
  • Configure Authentication Sources
  • Configure Pre-Admission Authorization
  • Configure RADIUS Settings
  • Per Appliance RADIUS Plugin Configuration
  • Configure MAC Access Bypass
  • Verify That the Plugin Is Running
  • Testing and Troubleshooting
  • Test Full Plugin Configuration
  • Troubleshooting Policy Templates
  • Technical Support
  • Plugin Properties and Custom Policies
  • Properties for Use in Policy Conditions
  • Advanced
  • Authentication Decision
  • Authentication Details
  • Authentication Events
  • Authorization
  • Client Certificate
  • MAR
  • NAS Device
  • Windows 7 Supplicant
  • Create Custom Policies
  • Actions
  • RADIUS Authorize Action
  • 802.1X Update MAR Action
  • Use Cases
  • Categorize Endpoint Authorizations
  • Monitor Successful Authentications and Apply Authorizations
  • Corporate Wired and Wireless Authentication
  • Single Domain
  • Multi-Domain
  • CounterACT RADIUS Server as a Proxy
  • Centralized Web Authentication
  • Enable MAC Address Bypass
  • Configure Pre-Admission Authorization Rule
  • Centralized Web Authentication Policy Template
  • EDU-ROAM
  • MAC Address Bypass
  • Network Device Administration
  • Advanced Topics
  • Authentication-Authorization Processing Flow
  • Re-Authentication Methods
  • Plugin Redundancy and Failover
  • Common Troubleshooting Issues
  • CounterACT Machine Fails to Join Domain
  • Appendix
  • Configure Endpoint Supplicant
  • Supplicant on Windows 7/Windows XP Endpoints
  • Supplicant on MAC Endpoints
  • Authentication Module Information
  • Additional CounterACT Documentation
  • Documentation Downloads
  • Documentation Portal
  • CounterACT Help Tools

Overview

This section provides an overview of the following topics:

  • Understanding the 802.1X Protocol
  • About the CounterACT RADIUS Plugin
  • RADIUS Plugin Components

Understanding the 802.1X Protocol

IEEE 802.1X is the industry standard for port-based network access control. It provides an authentication mechanism for endpoints attempting to connect to a network, whether wired or wireless.

The 802.1X authentication process consists of the following participating entities:

  • Client: The user or client endpoint attempting to access an organization's network. The organization's security requirements require these endpoints to undergo authentication and be evaluated as authenticated, as follows:
    − Endpoints having a supplicant, embedded software that handles the endpoint's side of the 802.1X authentication sequence, can be authenticated based on any of the following:
      > User credentials or certificate
      > Device credentials or certificate
    − Endpoints not having a supplicant, for example printers, are authenticated solely based on their MAC address, which is termed the MAC address bypass (MAB) method of authentication.
  • Authentication Server: The server that executes the authentication of endpoints, typically a RADIUS server.
  • Authenticator: The network access entity (NAS), located between the client and the authentication server, to which the client connects in its attempt to gain network access. Both wireless access points and switches are authenticator examples.

Endpoints with Supplicant: Processing Sequence

The following diagram provides a high-level view of the 802.1X processing sequence for endpoints having a supplicant:

Endpoints not having a supplicant undergo MAB authentication. Since in such a scenario there is no supplicant response, phase 1 times
