Barracuda Networks VERSION SP4 instruction

In order for the RADIUS authentication to succeed with the above mentioned switch and software, "Authentication, Authorization and Accounting" need to be disabled. This can be done by following procedure:

Command:

•configure terminal

Enter global configuration mode

•no aaa accounting dot1x default group <radius>

Disable accounting for 802.1X. The parameter <radius> sets the default group holding the attributes for RADIUS authentication. The group <radius> is configured and available by de- fault. For any specific needs create your own group.

Otherwise, the RADIUS server receives an accounting request containing an empty user name. This request is not treated as an authentication failure; therefore the switch will not disable the port, allowing all network traffic. Given these circumstances client computers can perform health evaluations, but will be assigned a VLAN, remaining in the configured guest VLAN.

Furthermore, the legacy mode must be enabled on the switch to obtain a successful authentication. This is only possible by entering following command in the switch's command interface via telnet or the web interface.

•Switch# test aaa group radius server $Server$ $User$ $Pwd$ port $Port$ legacy

Where the following must be replaced according to your configuration:

Table 14–22Command for Legacy Mode – Pptions

$Server$	IP or host name of the RADIUS server

$User$	User name

$Pwd$	Password

$Port$	Tthe RADIUS server’s listening port

204 802.1X – Technical Guideline

Image 206

Barracuda Networks VERSION SP4 manual No aaa accounting dot1x default group radius

Contents

Page Copyright Notice Barracuda NG Network Access Client VPN Configuration Update or MigrationUninstall VPN Component Configuration Warranty and Software License Agreement Pre-Connector and Remote VPNExample Configuration 802.1X Technical Guideline Introduction Endpoint Security and Network Access ControlIntroduction to Barracuda NG Network Access Client Client software consists of the following subsystems Barracuda NG Personal Firewall What can Barracuda NG Network Access Client be used for? 1Barracuda NG Network Access Client environment Barracuda NG Network Access Client Administrator’s Guide Healthy Limited Access VPN Offline What is a Policy Rule Set?Policy Matching Procedure Licensing Aspects Barracuda NG Network Access Client Administrator’s Guide Healthy Probation actions VPN context Local Machine contextCurrent User context Health Matching Matching Criteria Local Machine Current User Health State Healthy Health State UntrustedHealth State Probation Health State Unhealthy Health State Requirements Border Patrol Analyse Enforce Monitor 3Trust Relationships General Server Config Access Control ServiceAccess Control Service Settings System Health Validator ParameterDescription Remediation Service Trustzone-Border Number of used Threads AdvancedLog Level Access Control Objects General Welcome Messages Pictures 3Access Control Objects Access Control Service Bitmaps Personal Firewall Rules Import of a registry file Click clipboard, import the adequate registry fileRegistry Check Objects Access Control Service Trustzone 7Access Control Service Trustzone Configuration tree Servername Assigned Services servicename ACS 9Access Control Service Trustzone Rules Rules Client Connection External Ignore Internal Policy NameDeactivate Policy Time Restriction Policy Matching All-of-following One-of-following Net BiosUser Login Group Patterns X509 Subject X509 IssuerMicrosoft X509 Required Health State Basic Antispyware Required Scanner On Tries to execute a full system scan automatically AS Engine Required Ignore Latest default Previous Last-2Last AV Scan Action Manual Auto Remediation Last AS Scan Action Manual Auto Remediation Update automatically AV Engine/Pattern Manual Action Auto Remediation Parameter Description Server Personal Ruleset Name Firewall SettingsSoftware Yes Update No default Required Yes-Even-Major Message Use Dhcp renew Settings802.1X Use Healthy Vlan Id Bitmap Limited AccessRuleset Name Limited Access Message Passport Verification Key Health PassportVerification Key 802.1X Support Chart Double-click the appropriate VPN Firewall Rule Set Server Config Personal Firewall RulesRule Set Name Tab 1Rules Incoming Rules Incoming / Outgoing Copy New…Delete Paste Comment Select New… from the context menu to create a new ruleItem / Parameter Description Inactive Section Description Tester view allows testing rule sets for consistency Tester Following entities are available for rule testing Test Report Options Connect to the Internet Port Protocol Service Name DescriptionIcmp Parameters With Adsl Pptp Listing is divided into the following columns PreconfiguredAdapters Following objects assigned with status multi are available Following further adapter objects are available Name Specify a name for the adapter object IPs Trust TypeStatus Adapter/Ref User Objects 10User Object dialog Net Objects 11Network Objects window This object includes the Multicast network 239.255.0.0/16 Click New… to open the Net Object dialog 12Net Object dialog Service Objects 13Service Object dialog Kerberos Service Name Port Protocol Connection DescriptionApplication Objects 14Application Object dialog HKEYLOCALMACHINE\Services registry key Application Connection Description Available Columns Operating & Monitoring Barracuda NG NACBox Monitoring and Real-time Information Name of the matching policy rule Possible values are Access, Not Restricted, or ProbationFiltering Clients MAC address as reported by the NG client Context Menus Visualize this Computer… Status Tab 3Box Monitoring and Real-time Information Show time in UTC Quarantine Tab Access TabStatus VPN Tab Installation routine offers three basic ways of setup Client InstallationDouble-click setup.exe to start the installation routine See 5.4 Customer Setup, Complete InstallationSee 5.3 Unattended Setup, Parameter Default Custom InstallationUnattended Setup 802.1x Enable Dhcp Renew See description for parameter Trusted Network, See description for parameter Windows File Sharing, This parameter defines the Access Control Server to be used This option prevents deactivating the NG Personal Firewall Customer.inf Customer SetupProceed as follows to prepare a completely customized setup See 5.4.1 customer.inf, Optionally, the following file-directives may be detailed Directive Comment 0x00000010 0x000008000x00000008 0x00001000 Value-entry-name Reg-rootSubkey Flags Edit profile name Diskid Silent.cmdFilename Subdir For an overview of specific properties see -1, System Restore Refer to the OS help for details Update or Migration Uninstall Procedure Facts and Figures VPN ConfigurationOverview Function Supported Function Comment Usage Scenario Architecture All Programs Barracuda NG Network Access Client NG Firewall Barracuda NG Personal Firewall Integration within Windows 1Windows 7 Windows Firewall and Action Center screens Rule Set Selection 2Rule set selection User Interface 3Graphical Interface of the Barracuda NG Personal Firewall General Firewall Settings and Tasks Menu Bar Firewall Menu Automatic Adapter Assignment This tab allows you to configure blocking of Icmp packetsDisable Windows Firewall Block all IP Fragments View Menu Connect Close Block Security Mode Menu Load Display NG Control Center Monitoring Firewall Activities Summary Events History 11NG Control Center History window Send to Rule Tester Show DetailsResolve Source/Destination IP Add Pass Rule Filters the application which has attempted to connect Filters the connection’s Traffic PolicyFilters the source IP address of the connection Filters incoming or outgoing connections Live Activity Live Activity view details all currently active connections Disconnect Filter Conditions Current State Setting the Security Mode Configuration Show Adapters Show Source Addresses…Show Destination Addresses… Show Users ItemDescription Paste Pastes the selected rules from the clipboard Source / Destination Action Name CommentInactive checkbox Select Application optional Monitor Connections Yes 18Time restriction dialog Adapters 19Adapter objects window Network Connection name for example, Local Area Connection Control Network Connections Untrusted NetworksFollowing options are available Secured Routes are assigned to the Net-NGVPNObject Services 22Net Object dialog Example Applications 24Application Object dialog 10Applications required in Microsoft Windows domains Users 25User Object dialog Rule Tester view allows testing rule sets for consistency Rule Tester Test Reports 27Test Report window Administration Firewall Settings Wizard Following options are available for customisation Automatic Adapter Configuration However, it will not pop up if Automatic Rule Configuration 28Security Alert windows 29Security Alert Advanced Policy Restrictive rule set only VPN Component Configuration Create a New Profile Using the Profile Wizard 2VPN Profile Wizard Profile Wizard 4VPN Profile Wizard Enter personal License Configure a New Profile Manually 6VPN Profile Wizard Modify Existing Profile Using the Wizard 8NG VPN client Connect dialog Field where characters need to be inserted Shows the version information 11Editing options of the VPN client dialog Barracuda NG VPN Client’s Menu Bar 13Close NG VPN Client informational window NG VPN Client can be started in the following ways Connection DialogCloses the NG VPN Client window Click Connect to establish a connection to the VPN server Assigned DNS IP address for the VPN connection Status DialogAssigned domain Assigned Wins address VPN server to which the client currently is connected Enable or disable compressionUptime for the current connection Local time on the VPN server Message Dialog 16Message dialog window Barracuda Networks Control / Preferences Dialog VPN Profiles Configuration WindowConfigured VPN server to connect to Name of the profile Modify, copy or delete an existing profile Certification Authorities Configuration WindowStore into which the certificate was saved Use this menu item to terminate a connection Deletes the selected certificate from the certificate store Configure specific Barracuda NG VPN adapter settings hereOpens a window with detailed certificate information General VPN Settings section Direct Access Connection Entries Tab 19Connection Entries tab Barracuda Authentication Following parameters are available for X509 authentication External File Path to the external X.509 certificate Advanced Settings TabDescriptionDescription Use Access Control Service Virtual Adapter ConfigurationDefault Direct assignment Default Yes Fallback Profile Disconnecting. Recommended value NoEnable MS Logon Be established URL or IP address of the proxy server User name possibly needed for proxy authenticationIP address of the VPN server Log Window Log entry’s time stamp Module the respective log entry refers to Port Security Barracuda NG Access MonitorAccess Monitor Monitoring Health Agent Property Description Advanced Status information State Description 5Connection error using Icmp connectivity checking see Barracuda NG Network Access Client Administrator’s Guide 11.2.6 802.1X Authentication Port Security Task Description Column Description EAP Tracer Use Basic Authentication Access Control Server IPs from RegistryAccess Control Server IPs from Dhcp Use Ntml Authentication Health Agent Connectivity Item Description Key Value Health Agent Authentication 11.3.9 802.1X Settings Ieee 802.1X Authentication Capture 802.1X Traffic EAP 16 Log Files Description Log SettingsLog Files Download.xml Client.xmlConnect.xml DownloadLocal.xml Create a connector to achieve following Pre-Connector and Remote VPNVPN Connector Creating a Connector Thereafter rename the default profile Remote VPN rvpn Remote Domain Logon Pre-Logon Connection Procedure Same example with 10 retries for connecting -c Dhcp Example Configuration 1Example configuration environment Introduce Access Control Objects Personal Firewall Rule Set Introduce an Access Control Service Trustzone Next create and edit the unrestricted rule setPage Configure an Access Control Service Trustzone Policy Rule dialog is split up into these views Barracuda NG Network Access Client Administrator’s Guide Parameter Value Page Example Configuration Configure Forwarding Firewall Rule Set Example Configuration 802.1X Technical Guideline SwitchAuthentication Server Client computer Status Monitoring Access Control ServerDisabled Enabled EAP Packet Tracer Log Files on the Client Computer Using the Barracuda NG Access Monitor for AnalysisCommand Description Supplicant console interface Key Logging Switch Web InterfaceThese values are described in more details on Path See 14.3.9 Periodic client re-authentication by the switch, See 14.3.11 Authentication Message Exchange, Example enabling debug output AuthenticationSwitch Console Interface Ethernet Token Ring Operational SequenceStart up Point-to-Point Dot3svc Windows Vista Service Friendly Name Service NameWZO prior to Windows Vista Wpa-supplicant configuration You will require elevated privileges to perform this step To resolve this problem proceed following stepsRuntime Successful start of the wpa-supplicant can be verified by Verify your entries Enter global configuration modeReturn to privileged Exec mode Re-authentication started by the switch is illustrated Example See for the Eapol packet frames CommandEnter the global configuration mode Condition Description Return to the privileged Exec mode Dhcp Renew Resetting the 802.1X Authentication process 15 phions.log Output Shutdown14 phions.log Output WPA Supplicant Log File Identifiers AddendumPackets Table shows an Eapol packet frame 200 802.1X Technical Guideline Sending / receiving commands over pipe 202 802.1X Technical Guideline Engineering Environment Known Issues using Cisco Catalyst 3750-E SwitchWireshark Additionally following tools have been used for analysis No aaa accounting dot1x default group radius Customer Install Files Appendix Appendix Barracuda NG Network Access Client Administrator’s Guide Appendix VPN Profile Registry Keys VPN Profile Registry Keys 3DES AES FAQs Profile Registry Keys Appendix Configuration Parameters 214 Reconnect immidiately 10 X509 Altnames 2 X509 Issuer 2 X509 Subject 2 Introduction Server Config Access Control Service 15.6 Parameter Lists Barracuda NG Access Monitor Figures 220 802.1X Technical Guideline Barracuda Networks Limited Hardware Warranty Barracuda Networks Software License Agreement Barracuda Networks Warranty and Software License Agreement Page Barracuda Networks Software License Agreement Appendix Page Page No Warranty Terms and Conditions Page Page Page Page Limitation of Liability Page Page Page 238 Page Page Page Page Disclaimer of Warranty Miscellaneous Page Limits Terms and Conditions for USE, REPRODUCTION, and Distribution Page Page Page Page 252 Page Page Barracuda Networks Warranty and Software License Agreement Page Barracuda Networks Warranty and Software License Agreement Page Barracuda Networks Warranty and Software License Agreement Page Page Issue Date Aug 6 262 Page 264