How to Configure Quarantine Authentication

---

Quarantine authentication allows you to assign a Quarantine role to an authenticated end user, thereby limiting or denying their ability to access the network. If an end user's traffic appears to be malicious, this enables you to quarantine the end user until further action can be taken.

Quarantine authentication works in conjunction with quarantine policy rules that assign a Quarantine role to the end user as part of their rule actions. When an end user authenticates to the network and is assigned a role, if their traffic matches a quarantine rule, they will be assigned a Quarantine role. The Quarantine role then restricts or prevents additional traffic from that user from entering the network, according to how the role is configured.

For example, let's say an authenticated end user is acting as a rogue DNS server on the network. Since a DNS server maps hostnames to IP addresses, this would allow them to direct traffic somewhere other than the legitimate destination. If the role assigned to the end user includes a quarantine rule that denies DNS traffic, the end user's traffic would be dropped and they would be assigned a Quarantine role to restrict or stop their access to the network. The end user will have to contact the administrator to regain access to the network.

There are four main steps to configuring quarantine authentication:

• Define the Quarantine role.
• Create a quarantine rule that specifies the Quarantine role.
• Enable quarantine authentication on the device and port.
• Set session properties on the device and port.

Define the Quarantine Role

With quarantine authentication, a Quarantine role is assigned to an end user to prevent or restrict their network access. You must define which of your roles will be used as the Quarantine role.

The Policy Manager default domain includes a Quarantine role that is configured to block all traffic. This default Quarantine role is used in conjunction with the Extreme Networks Intrusion Prevention System (IPS) and the NetSight Automated Security Manager to create an automatic response to threats detected on the network. In addition, the Quarantine role can be used by the NetSight NAC Manager assessment functionality. Typically, you will want to use the default Quarantine role for quarantine authentication. If you make any changes to the Quarantine role, keep in mind that the role may be used by other applications and should remain highly restrictive in nature.

You can also create additional roles to use as Quarantine roles, if desired. Each role could have different restrictive behaviors, for example, you could create a role that allows limited internet access. Once you have created these roles, you can select them as the Quarantine role in your rules, just as you would the default Quarantine role. For information on creating a new role, see How to Create a Role.

Create a Quarantine Rule

Quarantine policy rules assign a Quarantine role to the end user as part of their rule actions.

Create a Quarantine rule using the classification rule type that identifies the traffic that you want to restrict from your network. Make sure that in the rule's actions you specify the Quarantine role to assign to the end user. When you have finished the rule, assign the service that includes the rule to your network roles and enforce.

For information on creating a rule, see How to Create a Rule.

Enable Quarantine Authentication

Use the following steps to enable quarantine authentication on the device and port. These instructions use the Device Authentication tab and Port Properties window. However, if you are configuring multiple devices and ports, you can use the Device Configuration Wizard and the Port Configuration Wizard.

On the device:

1. Select the device in the left-panel Network Elements tab.
2. Select the right-panel Authentication tab.
3. In the General Settings section, under Multi-User Authentication type, select the Quarantine checkbox.
4. Set Authentication Status to Enabled.
5. Click Apply.

On the port:

1. Select the device in the left-panel Network Elements tab.
2. In the right-panel Ports tab, select a port and click the Port Properties button.
3. In the Port Properties window, select the Authentication Configuration tab (in the top row of tabs).
4. Select the General tab (in the lower row of tabs).
5. Verify that the Port Mode Authentication Behavior is set to Active.
6. Verify that the Disable Quarantine Authentication for this port checkbox is not selected.
7. If you made any changes, click Apply.

Set Session Properties

Use the following steps to configure session timeout and user count values on the device and port. These instructions use the Device Authentication tab and Port Properties window.

On the device:

1. Select the device in the left-panel Network Elements tab.
2. Select the right-panel Authentication tab.
3. Select the Global Authentication Settings subtab.
4. Set the session timeout and session idle timeout values for Quarantine authentication.
5. Click Apply.

On the port:

1. Select the device in the left-panel Network Elements tab.
2. In the right-panel Ports tab, select a port and click the Port Properties button.
3. In the Port Properties window, select the Authentication Configuration tab (in the top row of tabs).
4. Select the Login Settings tab (in the lower row of tabs).
5. Set the session timeout and session idle timeout values for Quarantine authentication.
6. Click Apply.
7. Select the Authenticated User Counts tab (in the lower row of tabs).
8. Set the user count value for Quarantine authentication.
9. Click Apply.

---

Related Information

For information on related tasks:

• How to Create a Role
• How to Create a Rule