How to Set Up Assessment Remediation


Remediation utilizes Remediation Web Server functionality installed on an Extreme Access Control engine to notify end users when their systems are being assessed or have been quarantined due to network access policy non-compliance (identified during end-system security assessment). In addition, the web server notifies end users of the specific vulnerabilities identified during the end-system's assessment and the corresponding required remediation steps. Once the remediation steps have been successfully performed, reassessment of the end-system is performed and the appropriate network resources are allocated to the end-system. For more information on remediation and an overview of how it works, see the Assisted Remediation section of the Concepts help file.

This Help topic describes the specific steps that must be performed when setting up remediation in your network. The steps vary depending on whether you are using Access Control Gateway engines and/or Access Control Controller engines on your network.

For Access Control Gateway engines you must:

  • Identify the location in your network topology for the Access Control Gateway installation.
  • Redefine the Assessing and Quarantine policy roles created in Management Center Policy Manager for EOS policy-enabled switches.
  • Configure policy-based routing on your network.
  • Configure remediation values in NAC Manager.

For Access Control Controller engines you must:

  • Configure remediation values in NAC Manager.

The Remediation Web Server is pre-installed on the Access Control engine. For instructions on installing and configuring the Access Control engine, please refer to your engine Installation Guide.

  NOTE: It is important to add a DNS entry from the Fully Qualified Domain Name (FQDN) of the Access Control Gateway into the DNS servers deployed on the network so that the device running NAC Manager is able to resolve queries to these DNS servers. Otherwise, a short delay occurs in returning the Assessment/Remediation portal web page to end users on the network.

Extreme Access Control Gateway Configuration

Perform the following steps when you are deploying remediation in a network that utilizes Extreme Access Control (Access Control) Gateway engines. These steps are not necessary if you are utilizing only Access Control Controller engines on your network.

Identifying Extreme Access Control Gateway Location

Although several Access Control Gateways may be deployed on the entire network depending on the number of connecting end-systems, only one Access Control Gateway is required to serve as the Registration Web Server. The location of the Access Control Gateway that is configured with Remediation Web Server functionality is important for the implementation of web redirection for end user notification of quarantined end-systems. The Access Control Gateway must be installed on a network segment directly connected to the router or routers that exist in the forwarding path of HTTP traffic from end-systems that may be quarantined. This is because policy-based routing will be configured on this router or routers to redirect the web traffic sourced from quarantined end-systems to the Access Control Gateway. It is important to note that only the Access Control Gateway that you wish to serve as the Registration Web Server needs to be positioned in such a manner. All other Access Control Gateways may be positioned at any location on the network, with the only requirement being that access layer switches are able to communicate to the gateways.

Typically, the Access Control Gateway with Remediation Web Server functionality is positioned on a network segment directly connected to the distribution layer routers on the enterprise network, so that any HTTP traffic sourced from quarantined end-systems that are connected to the network's access layer can be redirected to that Access Control Gateway. As an alternative, the Access Control Gateway may be positioned on a network segment directly connected to the router providing connectivity to the Internet or internal web server farm. In this scenario, the HTTP traffic sourced from quarantined end-systems would be redirected to the Access Control Gateway before reaching the Internet or internal web servers.

Third-Party URL Redirection Considerations

If your environment incorporates third-party redirection (e.g., a Cisco controller), configure the device to use the following URL (or redirection ACL) to redirect HTTP traffic to the appropriate Captive Portal pages:

http://<GatewayIP>/static/index.jsp

Defining Assessment and Quarantine Policies

When you implement remediation, you must make sure the Assessment and Quarantine access policies defined in NAC Manager allow traffic to and from end-systems and the Remediation Web Server. For a network composed of EOS policy-enabled switches in the access layer, you must create the appropriate network access services and rules for the associated Assessing and Quarantine policy roles created in Policy Manager, and enforce those changes to the policy-enabled switches. For a network composed of RFC 3580-enabled switches, you must ensure appropriate network services are allowed for the VLANs associated to the Assessment and Quarantine access policies.

For EOS policy-enabled switches, there are two main changes that must be made to your Assessing and Quarantine policy roles when you deploy remediation:

  • A rule must be added that allows HTTP traffic to pass between end-systems and the Remediation Web Server.
  • The rule must specify a class of service action that rewrites the ToS value of the HTTP traffic to a value of 'y'. This value should match the decimal equivalent used in your policy-based routing that is used on the router.

For RFC 3580-compliant access layer switches, a VLAN must be identified to which end-systems will be assigned while being assessed and quarantined on the network. This may or may not be the same VLAN, and may or may not be identical to the VLAN used for unregistered end-systems. This VLAN must provision services on the network to an unregistered end-system that allows the device to open a web browser; specifically DHCP, ARP, and DNS, and allow IP connectivity to the Access Control Gateway implementing the Remediation Web Server.

  NOTE: If quarantined end-users will be required to download remediation files via FTP, you will also need to add a rule that opens up ports 49152-65535. If you are concerned with security, you can configure your FTP server to use a smaller range of ports.

Furthermore, policy-based routing (PBR) must be configured on the router or routers that exist in the forwarding path of HTTP traffic sourced from quarantined end-systems where the Access Control Gateway is connected. This allows the routers to redirect the web traffic sourced from quarantined end-systems to the Access Control Gateway with Remediation Web Server functionality. For more information on this, see Configuring Policy-Based Routing.

Once your Assessment and Quarantine access policies are defined to allow traffic between end-systems and the Remediation Web Server and your policy-based routing is implemented, the following communication can take place:

  • When the end-system opens a web browser, the HTTP traffic is redirected to the Access Control Gateway implementing the Remediation Web Server functionality.
  • The Access Control Gateway returns a web page indicating that the end-system is currently being scanned.
  • If the end-system fails the scan, it is quarantined and the Access Control Gateway returns a web page indicating the reasons the end system was quarantined and the corresponding self-service remediation techniques.
  • After taking the appropriate remediation steps, the end-user clicks a button on the web page and attempts to reconnect to the network.
  • After the specified number of remediation attempts has been used up, the end user sees a web page requiring them to contact the helpdesk for further assistance.

For EOS policy-enabled Access Layer Switches

If EOS policy-enabled switches are deployed on the network, perform the following steps in Policy Manager to configure your Assessing and Quarantine policy roles to allow remediation.

  NOTE: The Policy Manager Default Policy Domain includes a NAC Web Redirect Class of Service that can be used. Make sure that the ToS rewrite value is set to the appropriate value for your network.

  1. Use the Device Configuration Wizard to enable the Role-based Class of Service mode on your network devices.
  2. Create a new Class of Service that implements the ToS rewrite functionality:
    1. Open the Class of Service Configuration window (Edit > Class of Service Configuration).
    2. Click the Create button and open the Create Class of Service window.
    3. Enter a name for the class of service (e.g. "Web Redirection").
    4. Select the 802.1p Priority checkbox and use the drop-down list to select the 802.1p priority to associate with the class of service.
    5. Select the Enable ToS/DSCP Marking checkbox and set the ToS Rewrite value to 'y' (hex).
    6. Click OK to create the new Class of Service.
  3. Use the Classification Rule Wizard to add an "Allow HTTP" rule to a service currently included in both your Quarantine and Assessing policy roles:
    1. Select the service in the left-panel Services tab.
    2. From the menu bar, select Tools > Classification Rule Wizard.
    3. Enter a name for the rule (e.g. "Allow HTTP").
    4. Set the rule status to Enabled.
    5. Set the rule type to All Devices.
    6. Set the traffic classification layer to Layer 4.
    7. Set the traffic classification type to IP TCP Port Destination.
    8. Set the well-known values to HTTP (80).
    9. Do not enter an IP address value.
    10. Review the traffic description summary.
    11. For the Actions, select the CoS checkbox and the class of service you created in step 2 ("Web Redirection").
    12. Select Permit Traffic for the Access Control.
    13. Click Finish to complete the rule.
  4. Enforce these changes to your network devices.

For RFC 3580-compliant Access Layer Switches

For RFC 3580-compliant access layer switches, the VLANs to which end-systems being assessed and quarantined are assigned must be appropriately configured on all access layer switches where end-systems may be assessed and quarantined on the network. The same VLAN may be used for end-systems being assessed and quarantined. Access control lists may be configured on the default gateway routers' interfaces for these VLANs to restrict particular types of traffic sourced from end-systems within these VLANs to other areas of the network, consistent with the provisioning requirements for this VLAN described previously.

For Both EOS policy-enabled and RFC 3580-compliant Access Layer Switches

Now that you have defined the Assessing and Quarantine policy roles in Policy Manager for EOS policy-capable switches and/or the VLANs assigned to end-systems being assessed and quarantined for RFC-3580-compliant switches, you must associate these policy roles to the Assessment and Quarantine access policies in NAC Manager.

  1. In NAC Manager, click on the Manage NAC Profiles button in the toolbar. The Manage NAC Profiles window opens.
  2. Select the Quarantine NAC Profile entry and click the Edit button. The Edit NAC Profile window opens.
  3. Click the Manage button in the Policy Mappings section. The Edit Policy Mapping Configuration window opens.
  4. Select the Advanced Radio button.
  5. Select the Quarantine policy and click the Edit button. The Edit Policy Mapping window opens.
  6. Use the drop-down list to select "Quarantine" as the Policy Role. (The drop-down list displays all the policy roles you have created and saved in your Policy Manager database.)
  7. If only EOS policy-enabled switches are deployed in the access layer of the network, associate the Quarantine policy with the Default VLAN [1]. If RFC 3580-compliant access layer switches are deployed, associate the Quarantine policy with the Quarantine VLAN you will be using in your network, adding the VLAN using the Add VLAN button, if necessary.
  8. Click OK to close the window.
  9. In the Edit Policy Mapping Configuration window, select the row where the Assessing policy is configured and click Edit selected mapping.
  10. Use the drop-down list to select "Assessing" as the Policy Role.
  11. If only EOS policy-enabled switches are deployed in the access layer of the network, associate the Assessing policy with the Default VLAN [1]. If RFC 3580-compliant access layer switches are deployed in the network, associate the Assessing policy with the Assessing VLAN you will be using in your network, adding the VLAN using Add VLAN, if necessary. Click OK.
  12. Click OK to close all the open windows. Close the Manage NAC Profiles window.

Your NAC Manager access policies are now configured to allow communication between the end-system and the Access Control Gateway implementing the Remediation Web Server functionality.

Configuring Policy-Based Routing

As described above, the Access Control Gateway with Remediation Web Server functionality must be located on a network segment directly connected to a router or routers that exist in the transmission path of all traffic from any end-systems that may be scanned or quarantined. This is because policy-based routing (PBR) must be configured on the routers to redirect the web traffic sourced from quarantined end-systems to the Access Control Gateway with Remediation Web Server functionality.

If EOS policy-enabled switches are deployed on the network, this is done by configuring an ACL to forward all HTTP traffic with a ToS field of 'y' to the next-hop address of the Access Control Gateway implementing the Remediation Web Server functionality. If RFC 3580-enabled switches are deployed on the network, this is done by configuring an ACL to forward all HTTP traffic with the source IP address on the subnet/VLAN associated to the Quarantine and/or Assessment access policies to the next-hop address of the Access Control Gateway implementing the Remediation Web Server functionality.

In addition, if you are adding multiple Access Control Gateways for redundancy, the network needs to be configured for redundant policy-based routing as well.

For EOS policy-enabled Access Layer Switches

Let's consider an example where the Assessment and Quarantine access policies are associated to policy roles on EOS policy-enabled switches that use the "Allow HTTP" classification rule assigning HTTP traffic the "Web Redirection" class of service. This class of service rewrites the ToS field in the HTTP traffic to a value of 0x40 (or 64 base 10), equivalent to a DSCP value of 16. (The DSCP is the value defined in the six most significant bits of the 8-bit ToS field.) Furthermore, the Assessment and Quarantine access policies are associated to VLANs 10, 20, and 30 on RFC 3580-enabled switches on the network which map to subnets 10.1.10.0/24, 10.1.20.0/24, and 10.1.30.0/24, respectively. The following steps describe how to configure policy-based routing on an N-Series router or Cisco IOS-based router when remediation is deployed for EOS policy-enabled access layer switches.

  1. Configure an entry in the access-list 102 to identify HTTP traffic with a DSCP of 16.
         access-list 102 permit tcp any any eq 80 dscp 16
         access-list 102 permit tcp any any eq 8080 dscp 16
  2. Use a route-map to configure the access-list 102 ACL to redirect HTTP traffic from end-systems to the next-hop IP address of the Access Control Gateway implementing the Remediation Web Server functionality, where "xxx.xxx.xxx.xxx" is the IP address of the Access Control Gateway. Note that multiple next-hop IP addresses may be specified in the route-map if multiple Access Control Gateways are deployed with Remediation Web Server functionality.
         route-map 101
         match ip address 102
         set next-hop xxx.xxx.xxx.xxx
  3. Apply the route map for the PBR configuration to the routed interface receiving the HTTP traffic from end-systems being assessed and quarantined by entering the routed interface configuration prompt and executing the following command.
         ip policy route-map 101

For RFC 3580-compliant Access Layer Switches

Let's consider an example where the Assessment and Quarantine access policies are associated to VLANs 10, 20, and 30 on RFC 3580-enabled switches on the network which map to subnets 10.1.10.0/24, 10.1.20.0/24, and 10.1.30.0/24, respectively. The following steps describe how to configure policy-based routing on an N-Series router or Cisco IOS-based router when remediation is deployed for RFC 3580-compliant access layer switches.

  1. Configure an entry in the access-list 102 to identify HTTP traffic sourced from subnets 10.1.10.0/24, 10.1.20.0/24, and 10.1.30.0/24.
         access-list 102 permit tcp 10.1.10.0 0.0.0.255 any eq 80
         access-list 102 permit tcp 10.1.20.0 0.0.0.255 any eq 80
         access-list 102 permit tcp 10.1.30.0 0.0.0.255 any eq 80
         access-list 102 permit tcp 10.1.10.0 0.0.0.255 any eq 8080
         access-list 102 permit tcp 10.1.20.0 0.0.0.255 any eq 8080
         access-list 102 permit tcp 10.1.30.0 0.0.0.255 any eq 8080
  2. Use a route-map to configure the access-list 102 ACL to redirect HTTP traffic from end-systems to the next-hop IP address of the Access Control Gateway implementing the Remediation Web Server functionality, where "xxx.xxx.xxx.xxx" is the IP address of the Access Control Gateway. Note that multiple next-hop IP addresses may be specified in the route-map if multiple Access Control Gateways are deployed with Remediation Web Server functionality.
         route-map 101
         match ip address 102
         set next-hop xxx.xxx.xxx.xxx
  3. Apply the route map for the PBR configuration to the routed interface receiving the HTTP traffic from end-systems being assessed and quarantined by entering the routed interface configuration prompt and executing the following command.
         ip policy route-map 101

Setting up Redundancy on Access Control Gateways

When adding multiple Access Control Gateways for redundancy, the network needs to be configured for redundant policy-based routing as well. This is performed on the router in which policy-based routing is configured. Use the same commands described in the previous two sections except for the two following changes:

  • In step 2, in addition to the single IP address set as the next-hop IP address, enter a list of IP addresses of the redundant Access Control Gateways. For example:
         set next-hop xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
  • In step 3, when adding the ip policy route-map to the router interface, specify an additional command called "ip policy pinger on". This command will attempt to ping the first IP address that is specified in the next-hop to determine its availability. If it is not available, the next IP in the list of next-hops will be pinged and then used, if it is available. For example:
         ip policy route-map 101
         ip policy pinger on
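The following helper generates the access-list, route-map, and interface lines from the three preceding sections (the DSCP-based match for EOS policy-enabled switches, the source-subnet match for RFC 3580-compliant switches, and the redundant next-hop list) and checks the ToS/DSCP arithmetic the EOS example relies on. It is an added example, not part of the NAC Manager documentation or the engine software. It reuses the identifiers from this page (access-list 102, route-map 101, the 10.1.x.0/24 subnets, ports 80 and 8080); the gateway addresses passed to it are placeholders, and the `set next-hop` / `ip policy pinger on` lines are emitted exactly as the page shows them, so adjust them to your router platform's syntax if it differs.

```python
"""Generate the PBR redirection configuration described on this page.

Added example (constructed); values mirror the page's examples.
"""
import ipaddress
from typing import Iterable, List

# Ports the page redirects to the Remediation Web Server.
HTTP_PORTS = (80, 8080)


def tos_to_dscp(tos: int) -> int:
    """DSCP is the six most significant bits of the 8-bit ToS byte (0x40 -> 16)."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS must fit in one byte")
    return tos >> 2


def dscp_to_tos(dscp: int) -> int:
    """Inverse of tos_to_dscp; the two low (ECN) bits are left clear."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must fit in six bits")
    return dscp << 2


def wildcard_mask(cidr: str) -> str:
    """IOS-style ACLs take an inverse (wildcard) mask, e.g. /24 -> 0.0.0.255."""
    return str(ipaddress.IPv4Network(cidr).hostmask)


def acl_for_dscp(acl: int, dscp: int) -> List[str]:
    """EOS policy mode: match HTTP flows whose ToS was rewritten by the CoS."""
    return [f"access-list {acl} permit tcp any any eq {port} dscp {dscp}"
            for port in HTTP_PORTS]


def acl_for_subnets(acl: int, subnets: Iterable[str]) -> List[str]:
    """RFC 3580 mode: match HTTP sourced from the Assessing/Quarantine VLAN subnets.

    IPv4Network is strict, so a CIDR with host bits set (a common typo such as
    10.1.10.5/24) raises ValueError instead of silently producing a wrong ACL.
    """
    nets = [ipaddress.IPv4Network(s) for s in subnets]
    return [f"access-list {acl} permit tcp {net.network_address} "
            f"{net.hostmask} any eq {port}"
            for port in HTTP_PORTS for net in nets]


def route_map(name: int, acl: int, next_hops: Iterable[str]) -> List[str]:
    """Route-map binding the ACL to one or more gateway next hops."""
    hops = [str(ipaddress.IPv4Address(h)) for h in next_hops]  # validates each address
    if not hops:
        raise ValueError("at least one Access Control Gateway address is required")
    return [f"route-map {name}",
            f"match ip address {acl}",
            "set next-hop " + " ".join(hops)]


def interface_commands(route_map_name: int, redundant: bool) -> List[str]:
    """Lines applied on the routed interface facing the assessed/quarantined VLANs."""
    lines = [f"ip policy route-map {route_map_name}"]
    if redundant:
        lines.append("ip policy pinger on")  # poll next hops in order (page's command)
    return lines


if __name__ == "__main__":
    subnets = ["10.1.10.0/24", "10.1.20.0/24", "10.1.30.0/24"]
    gateways = ["192.0.2.10", "192.0.2.11"]  # placeholder gateway addresses
    print("! EOS policy-enabled access layer")
    print("\n".join(acl_for_dscp(102, tos_to_dscp(0x40))))
    print("! RFC 3580-compliant access layer")
    print("\n".join(acl_for_subnets(102, subnets)))
    print("\n".join(route_map(101, 102, gateways)))
    print("\n".join(interface_commands(101, redundant=len(gateways) > 1)))
```

Run it as a script to print both ACL variants followed by the route-map and interface lines; passing a single gateway address omits the pinger command, matching the non-redundant steps above.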

With policy-based routing and the Assessment and Quarantine access policies defined, remediation settings can be specified, as described in the next section.

Configuring NAC Manager (for Extreme Access Control Gateways and Extreme Access Control Controllers)

Perform the following steps when you are deploying remediation in a network that utilizes Access Control Gateway engines and/or Access Control Controllers.

Use the portal configuration section of the NAC Configuration window (in NAC Manager) to configure parameters for the Assessment/Remediation portal web pages served from the Access Control engine. All Access Control engines are initially assigned a default portal configuration. You can use this window to view and edit the default configuration or create new configurations to use. Once you have defined your portal configuration, you must enforce the NAC configuration to your engine(s).

Use the following steps to define your portal configuration and enforce it to the engine. These steps give you an overview of the required configuration. For more detailed information, see the NAC Configuration Window and Portal Configuration Help topics.

  1. Enable the Assessment/Remediation for End-Systems option in the NAC Manager Features options accessed from Tools > Options in the NAC Manager menu bar.
  2. Use the NAC Manager Edit NAC Configuration toolbar button to open the NAC Configuration window.
  3. In the left-panel tree, select the Features icon. Enable the registration, access, and assessment/remediation features you want for your network. For information on each available feature, see the Features section in the NAC Configuration Window Help topic.
  4. In the left-panel tree, select the Portal icon. If needed, use the Portal Configuration drop-down menu in the right panel to select the configuration to configure or to create a new one.
  5. Expand the Portal icon and select the portal configuration settings you want to edit:
    1. Click on Network Settings to view network web page parameters. Click on Look and Feel to view the common web page parameters. These parameters are shared by both the Assessment/Remediation and the Registration portal web pages. You can edit and change these parameters; for a description of each parameter, see the Network Settings and Look and Feel sections of the Portal Configuration Help topic. Be aware that if you deploy both the assessment/remediation and registration features, any changes will affect the web pages for both features.
    2. Click on Administration where you can configure settings for the registration administration web page and grant access to the page for administrators and sponsors. For information on this tab, see the Administration section of the Portal Configuration Help topic.
    3. Depending on the registration, access, and assessment/remediation features you have selected for your network, there are additional views you can access where you can configure the settings and parameters for each type. For a description of each setting and parameter, see the Portal Configuration Help topic.
    4. Click on Assessment/Remediation to view the parameters for the Assessment/Remediation portal web pages. You can edit and change these parameters; for a description of each parameter, see the Assessment/Remediation section of the Portal Configuration Help topic.
  6. When you have finished making your changes to the portal configuration, click Save in the NAC Configuration window and then close the window.
  7. Enforce the NAC configuration to the engine group.

Remediation is now enabled on the network. Whenever an end-system is assigned to the Assessment or Quarantine access policy, the web traffic from the end-system will be redirected to a web page stating information about the network resource provisioning restrictions.
