84 CHAPTER 4: USING 3COM NETWORK ACCESS MANAGER WITHIN A NETWORK
Case Study 5 - Removing Infected Devices From The Network
Combining Auto VLAN with MAC-address based authentication enables
infected PCs to be moved to a separate network, until the network
administrator has removed any viruses or worms.
Network
Administrator Tasks
The following provides an overview of the tasks for a network
administrator responsible for the domain on the network.
1Ensure edge port security is set to MAC-address based authentication (for
example RADA-Else-Network Login) and Auto VLAN is enabled, on edge
ports in the domain.
Edge ports are called ‘access ports’ on the Switch 5500.
Using 3Com Network Access Manager:
2Select the Default Rule and set the Network Access to Allow, see
“Changing Rule Properties” in Chapter 3.
3Create VLANs and QoS profiles. Use the same VLAN IDs and QoS profile
IDs as set up in the network access device (switch or wireless access
point), otherwise the network access device may not accept the RADIUS
response.
4Decide which VLAN will be the Isolation VLAN.
5Create an Isolation rule.
aSet security permissions for the Isolation rule. Grant READ and WRITE
access to the users/groups permitted to apply the rule, grant READ
access to all Network Administrators in the domain to ensure they can
see that the rule exists even if they are not permitted to apply the rule.
bSet the Actions for the Isolation rule:
■select the rule priority, an Isolation rule should have a high priority
to ensure it takes precedence over other rules,
■set Network Access to Allow,
■select the VLAN ID of the Isolation VLAN.
6Ensure the network operators or those individuals responsible for
applying the rule have the Network Operator component of 3Com
Network Access Manager installed on their PC.