Assessment Remediation (Legacy)


Remediation utilizes Remediation Web Server functionality installed on an ExtremeControl engine to notify end users when their systems are being assessed or have been quarantined due to network access policy non-compliance (identified during end-system security assessment). In addition, the web server notifies end users of the specific vulnerabilities identified during the end-system's assessment and the corresponding required remediation steps. When the remediation steps have been successfully performed, reassessment of the end-system is performed and the appropriate network resources are allocated to the end-system. For more information on remediation and an overview of how it works, see the Assisted Remediation section of the Concepts help file.

This Help topic describes the specific steps that must be performed when setting up remediation in your network. The steps vary depending on whether you are using ExtremeControl Gateway engines and/or ExtremeControl Controller engines on your network.

For ExtremeControl Gateway engines you must:

  • Identify the location in your network topology for the ExtremeControl Gateway installation.
  • Redefine the Assessing and Quarantine policy roles created on the Control > Policy tab for EOS policy-enabled switches.
  • Configure policy-based routing on your network.
  • Configure remediation values on the Control > Access Control tab.

For ExtremeControl Controller engines you must:

  • Configure remediation values on the Control > Access Control tab.

The Remediation Web Server is pre-installed on the ExtremeControl engine. For instructions on installing and configuring the ExtremeControl engine, refer to your engine Installation Guide.

  NOTE: It is important to add a DNS entry from the Fully Qualified Domain Name (FQDN) of the ExtremeControl Gateway into the DNS servers deployed on the network so that the device running NAC Manager is able to resolve queries to these DNS servers. Otherwise, a short delay occurs in returning the Assessment/Remediation portal web page to end users on the network.


ExtremeControl Gateway Configuration

Perform the following steps when you are deploying remediation in a network that utilizes ExtremeControl Gateway engines. These steps are not necessary if you are utilizing only ExtremeControl Controller engines on your network.

Identifying ExtremeControl Gateway Location

Although several ExtremeControl Gateways can be deployed on the entire network depending on the number of connecting end-systems, only one ExtremeControl Gateway is required to serve as the Registration Web Server. The location of the ExtremeControl Gateway that is configured with Remediation Web Server functionality is important for the implementation of web redirection for end user notification of quarantined end-systems. The ExtremeControl Gateway must be installed on a network segment directly connected to the router or routers that exist in the forwarding path of HTTP traffic from end-systems that are quarantined. This is because policy-based routing will be configured on this router or routers to redirect the web traffic sourced from quarantined end-systems to the ExtremeControl Gateway. It is important to note that only the ExtremeControl Gateway that you wish to serve as the Registration Web Server needs to be positioned in such a manner. All other ExtremeControl Gateways can be positioned at any location on the network, with the only requirement being that access layer switches are able to communicate to the gateways.

Typically, the ExtremeControl Gateway with Remediation Web Server functionality is positioned on a network segment directly connected to the distribution layer routers on the enterprise network, so that any HTTP traffic sourced from quarantined end-systems that are connected to the network's access layer can be redirected to that ExtremeControl Gateway. As an alternative, the ExtremeControl Gateway can be positioned on a network segment directly connected to the router providing connectivity to the Internet or internal web server farm. In this scenario, the HTTP traffic sourced from quarantined end-systems would be redirected to the ExtremeControl Gateway before reaching the Internet or internal web servers.

Third-Party URL Redirection Considerations

If your environment incorporates third-party redirection (for example, a Cisco controller), configure the device to use the following URL to redirect HTTP traffic to the appropriate Captive Portal pages:

http://<GatewayIP>/static/index.jsp

Defining Assessment and Quarantine Policies

When you implement remediation, ensure the Assessment and Quarantine access policies defined in NAC Manager permit traffic to and from end-systems and the Remediation Web Server. For a network composed of EOS policy-enabled switches in the access layer, you must create the appropriate network access services and rules for the associated Assessing and Quarantine policy roles created in Policy Manager, and enforce those changes to the policy-enabled switches. For a network composed of RFC 3580-enabled switches, you must ensure appropriate network services are permitted for the VLANs associated to the Assessment and Quarantine access policies.

For EOS policy-enabled switches, there are two main changes that must be made to your Assessing and Quarantine policy roles when you deploy remediation:

  • A rule must be added that permits HTTP traffic to pass between end-systems and the Remediation Web Server.
  • The rule must specify a class of service action that rewrites the ToS value of the HTTP traffic to a value of 'y'. This value should match the decimal equivalent used in your policy-based routing that is used on the router.

For RFC 3580-compliant access layer switches, a VLAN must be identified to which end-systems are assigned while being assessed and quarantined on the network. The same VLAN can serve both states, and it can also be the VLAN used for unregistered end-systems. This VLAN must provision the services an unregistered end-system needs to open a web browser, specifically DHCP, ARP, and DNS, and provide IP connectivity to the ExtremeControl Gateway implementing the Remediation Web Server.

  NOTE: If quarantined end-users will be required to download remediation files via FTP, you will also need to add a rule that opens up ports 49152-65535. If you are concerned with security, you can configure your FTP server to use a smaller range of ports.

Furthermore, policy-based routing (PBR) must be configured on the router or routers that exist in the forwarding path of HTTP traffic sourced from quarantined end-systems where the ExtremeControl Gateway is connected. This enables the routers to redirect the web traffic sourced from quarantined end-systems to the ExtremeControl Gateway with Remediation Web Server functionality. For more information on this, see Configuring Policy-Based Routing.

When your Assessment and Quarantine access policies are defined to permit traffic between end-systems and the Remediation Web Server and your policy-based routing is implemented, the following communication can take place:

  • When the end-system opens a web browser, the HTTP traffic is redirected to the ExtremeControl Gateway implementing the Remediation Web Server functionality.
  • The ExtremeControl Gateway returns a web page indicating that the end-system is currently being scanned.
  • If the end-system fails the scan, it is quarantined and the ExtremeControl Gateway returns a web page indicating the reasons the end system was quarantined and the corresponding self-service remediation techniques.
  • After taking the appropriate remediation steps, the end-user selects a button on the web page and attempts to reconnect to the network.
  • After a specified number of attempts to remediate have expired, the end user sees a web page requiring them to contact the helpdesk for further assistance.

For EOS policy-enabled Access Layer Switches

If EOS policy-enabled switches are deployed on the network, perform the following steps on the Control > Policy tab to configure your Assessing and Quarantine policy roles to enable remediation.

  NOTE: The Default Policy Domain on the Policy tab includes an Access Control Web Redirect Class of Service that can be used. Make sure that the ToS rewrite value is set to the appropriate value for your network.
  1. Access the Administration > Options > Policy tab.
  2. In the Default Class of Service drop-down list, select Class of Service Enabled.
  3. Access the Control > Policy tab.
  4. Create a new Class of Service that implements the ToS rewrite functionality:
    1. Expand Class of Service in the left panel.
    2. Right-click Class of Service in the left panel and select Create CoS.
    3. Enter a name for the class of service (for example, "Web Redirection").
    4. Select OK.
    5. Select the DSCP/ToS checkbox and select ToS Hex Value.
    6. Select OK.
    7. Use the 802.1p Priority drop-down list to select the 802.1p priority to associate with the class of service.
    8. In the Open/Manage Domain(s) drop-down list, select Save Domain to create the new Class of Service.
  5. Add an "Allow HTTP" rule to a service currently included in both your Quarantine and Assessing policy roles:
    1. In the left panel, expand Roles/Services > Service Repository > Local Services > Services.
    2. Right-click the service into which you are adding the rule and select Create Rule.
    3. Enter a Name for the rule (for example, "Allow HTTP").
    4. In the Rule Type(s) drop-down list, select All Devices.
    5. Select OK.
    6. Select the new rule in the left panel.
    7. In the right panel, select Enabled in the Rule Status drop-down list.
    8. In the Traffic Description section, select Edit. The Edit Traffic Description window displays.
    9. In the Traffic Classification Layer drop-down list, select Layer 4 - Application Transport.
    10. In the Traffic Classification Type drop-down list, select IP TCP Port Destination.
    11. In the Well-Known Value drop-down list, select HTTP (80).
    12. Do not enter an IP address value.
    13. Review the traffic description summary.
    14. Select OK.
    15. In the Actions section, select the class of service you created in step 4 ("Web Redirection") in the Class of Service drop-down list.
    16. In the Access Control drop-down list, select Permit Traffic.
    17. In the Open/Manage Domain(s) drop-down list, select Save Domain to save the new rule.
  6. Enforce these changes to your network devices.

For RFC 3580-compliant Access Layer Switches

For RFC 3580-compliant access layer switches, the VLANs to which end-systems being assessed and quarantined are assigned must be configured on every access layer switch where end-systems can be assessed and quarantined. The same VLAN can be used for end-systems being assessed and quarantined. Access control lists can be configured on the default gateway routers' interfaces for these VLANs to restrict particular types of traffic sourced from end-systems in these VLANs toward other areas of the network, subject to the provisioning requirements described previously for this VLAN (DHCP, ARP, DNS, and IP connectivity to the ExtremeControl Gateway).

For Both EOS policy-enabled and RFC 3580-compliant Access Layer Switches

Now that you have defined the Assessing and Quarantine policy roles for EOS policy-capable switches and/or the VLANs assigned to end-systems being assessed and quarantined for RFC-3580-compliant switches, you must associate these policy roles to the Assessment and Quarantine access policies.

  1. In NAC Manager, select the Manage NAC Profiles button in the toolbar. The Manage NAC Profiles window opens.
  2. Select the Quarantine NAC Profile entry and select the Edit button. The Edit NAC Profile window opens.
  3. Select the Manage button in the Policy Mappings section. The Edit Policy Mapping Configuration window opens.
  4. Select the Advanced Radio button.
  5. Select the Quarantine policy and select the Edit button. The Edit Policy Mapping window opens.
  6. Use the drop-down list to select "Quarantine" as the Policy Role. (The drop-down list displays all the policy roles you have created and saved in your Policy Manager database.)
  7. If only EOS policy-enabled switches are deployed in the access layer of the network, associate the Quarantine policy with the Default VLAN [1]. If RFC 3580-compliant access layer switches are deployed, associate the Quarantine policy with the Quarantine VLAN you will be using in your network, adding the VLAN using the Add VLAN button, if necessary.
  8. Select OK to close the window.
  9. In the Edit Policy Mapping Configuration window, select the row where the Assessing policy is configured and select Edit selected mapping.
  10. Use the drop-down list to select "Assessing" as the Policy Role.
  11. If only EOS policy-enabled switches are deployed in the access layer of the network, associate the Assessing policy with the Default VLAN [1]. If RFC 3580-compliant access layer switches are deployed in the network, associate the Assessing policy with the Assessing VLAN you will be using in your network, adding the VLAN using Add VLAN, if necessary. Select OK.
  12. Select OK to close all the open windows. Close the Manage NAC Profiles window.

Your NAC Manager access policies are now configured to permit communication between the end-system and the ExtremeControl Gateway implementing the Remediation Web Server functionality.

Configuring Policy-Based Routing

As described above, the ExtremeControl Gateway with Remediation Web Server functionality must be located on a network segment directly connected to a router or routers that exist in the transmission path of all traffic from any end-systems that can be scanned or quarantined. This is because policy-based routing (PBR) must be configured on the routers to redirect the web traffic sourced from quarantined end-systems to the ExtremeControl Gateway with Remediation Web Server functionality.

If EOS policy-enabled switches are deployed on the network, this is done by configuring an ACL to forward all HTTP traffic with a ToS field of 'y' to the next-hop address of the ExtremeControl Gateway implementing the Remediation Web Server functionality. If RFC 3580-enabled switches are deployed on the network, this is done by configuring an ACL to forward all HTTP traffic with the source IP address on the subnet/VLAN associated to the Quarantine and/or Assessment access policies to the next-hop address of the ExtremeControl Gateway implementing the Remediation Web Server functionality.

In addition, if you are adding multiple ExtremeControl Gateways for redundancy, the network needs to be configured for redundant policy-based routing as well.

For EOS policy-enabled Access Layer Switches

Let's consider an example where the Assessment and Quarantine access policies are associated to policy roles on EOS policy-enabled switches that use the "Allow HTTP" classification rule assigning HTTP traffic the "Web Redirection" class of service. This class of service rewrites the ToS field in the HTTP traffic to a value of 0x40 (or 64 base 10), equivalent to a DSCP value of 16. (The DSCP is the value defined in the six most significant bits of the 8-bit ToS field.) Furthermore, the Assessment and Quarantine access policies are associated to VLANs 10, 20, and 30 on RFC 3580-enabled switches on the network which map to subnets 10.1.10.0/24, 10.1.20.0/24, and 10.1.30.0/24, respectively. The following steps describe how to configure policy-based routing on an N-Series router or Cisco IOS-based router when remediation is deployed for EOS policy-enabled access layer switches.

  1. Configure an entry in the access-list 102 to identify HTTP traffic with a DSCP of 16.
         access-list 102 permit tcp any any eq 80 dscp 16
         access-list 102 permit tcp any any eq 8080 dscp 16
  2. Use a route-map to configure the access-list 102 ACL to redirect HTTP traffic from end-systems to the next-hop IP address of the ExtremeControl Gateway implementing the Remediation Web Server functionality, where "xxx.xxx.xxx.xxx" is the IP address of the ExtremeControl Gateway. Note that multiple next-hop IP addresses can be specified in the route-map if multiple ExtremeControl Gateways are deployed with Remediation Web Server functionality.
         route-map 101
         match ip address 102
         set next-hop xxx.xxx.xxx.xxx
  3. Apply the route map for the PBR configuration to the routed interface receiving the HTTP traffic from end-systems being assessed and quarantined by entering the routed interface configuration prompt and executing the following command.
         ip policy route-map 101

For RFC 3580-compliant Access Layer Switches

Let's consider an example where the Assessment and Quarantine access policies are associated to VLANs 10, 20, and 30 on RFC 3580-enabled switches on the network which map to subnets 10.1.10.0/24, 10.1.20.0/24, and 10.1.30.0/24, respectively. The following steps describe how to configure policy-based routing on an N-Series router or Cisco IOS-based router when remediation is deployed for RFC 3580-compliant access layer switches.

  1. Configure an entry in the access-list 102 to identify HTTP traffic sourced from subnets 10.1.10.0/24, 10.1.20.0/24, and 10.1.30.0/24.
         access-list 102 permit tcp 10.1.10.0 0.0.0.255 any eq 80
         access-list 102 permit tcp 10.1.20.0 0.0.0.255 any eq 80
         access-list 102 permit tcp 10.1.30.0 0.0.0.255 any eq 80
         access-list 102 permit tcp 10.1.10.0 0.0.0.255 any eq 8080
         access-list 102 permit tcp 10.1.20.0 0.0.0.255 any eq 8080
         access-list 102 permit tcp 10.1.30.0 0.0.0.255 any eq 8080
  2. Use a route-map to configure the access-list 102 ACL to redirect HTTP traffic from end-systems to the next-hop IP address of the ExtremeControl Gateway implementing the Remediation Web Server functionality, where "xxx.xxx.xxx.xxx" is the IP address of the ExtremeControl Gateway. Note that multiple next-hop IP addresses can be specified in the route-map if multiple ExtremeControl Gateways are deployed with Remediation Web Server functionality.
         route-map 101
         match ip address 102
         set next-hop xxx.xxx.xxx.xxx
  3. Apply the route map for the PBR configuration to the routed interface receiving the HTTP traffic from end-systems being assessed and quarantined by entering the routed interface configuration prompt and executing the following command.
         ip policy route-map 101

Setting up Redundancy on ExtremeControl Gateways

When adding multiple ExtremeControl Gateways for redundancy, the network needs to be configured for redundant policy-based routing as well. This is performed on the router in which policy-based routing is configured. Use the same commands described in the previous two sections except for the two following changes:

  • In step 2, in addition to the single IP address set as the next-hop IP address, enter a list of IP addresses of the redundant ExtremeControl Gateways. For example:
         set next-hop xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
  • In step 3, when adding the ip policy route-map to the router interface, specify an additional command called "ip policy pinger on". This command attempts to ping the first IP address specified in the next-hop list to determine its availability. If it is not available, the next IP in the list of next-hops is pinged and then used, if it is available. For example:
         ip policy route-map 101
         ip policy pinger on
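The two access-list 102 / route-map 101 variants above (DSCP-matched for EOS policy-enabled switches, source-subnet-matched for RFC 3580-compliant switches) and the first-reachable next-hop selection of "ip policy pinger on" are modelled below in Python. This is an added example for this topic, not router or ExtremeControl code; it lets you sanity-check the classification rules against sample traffic before enforcing them. The gateway addresses 192.0.2.10 and 192.0.2.11 and the sample packets are constructed stand-ins for the xxx.xxx.xxx.xxx placeholders, and the fallback to normal forwarding when no next hop answers a ping is an assumption of the model, not something this topic states.

```python
"""Model of the PBR redirect built from access-list 102 and route-map 101.

Added example, not vendor code. It reproduces the match logic of both ACL
variants on this page and the first-reachable next-hop choice of
'ip policy pinger on', so the rules can be checked against sample packets.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Packet:
    src: str       # IPv4 source address of the end-system
    dst_port: int  # TCP destination port
    tos: int       # 8-bit ToS byte as rewritten by the switch CoS (0 if untouched)


def dscp_of(tos: int) -> int:
    """DSCP is the six most significant bits of the ToS byte, so 0x40 -> 16."""
    return (tos & 0xFF) >> 2


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """ACL wildcard-mask semantics: a 0 bit must match, a 1 bit is ignored.
    '10.1.10.0 0.0.0.255' therefore matches every host in 10.1.10.0/24."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


HTTP_PORTS = (80, 8080)  # the 'eq 80' and 'eq 8080' ACL entries


def acl102_eos(pkt: Packet) -> bool:
    """access-list 102 permit tcp any any eq 80|8080 dscp 16"""
    return pkt.dst_port in HTTP_PORTS and dscp_of(pkt.tos) == 16


# Quarantine/Assessment VLAN subnets from the RFC 3580 example on this page.
QUARANTINE_SUBNETS = [
    ("10.1.10.0", "0.0.0.255"),
    ("10.1.20.0", "0.0.0.255"),
    ("10.1.30.0", "0.0.0.255"),
]


def acl102_rfc3580(pkt: Packet) -> bool:
    """access-list 102 permit tcp <subnet> <wildcard> any eq 80|8080"""
    return pkt.dst_port in HTTP_PORTS and any(
        wildcard_match(pkt.src, net, wc) for net, wc in QUARANTINE_SUBNETS)


def choose_next_hop(next_hops: Iterable[str],
                    reachable: Callable[[str], bool]) -> Optional[str]:
    """'ip policy pinger on': take the first listed next-hop that answers a ping."""
    for hop in next_hops:
        if reachable(hop):
            return hop
    return None


def route(pkt: Packet, acl: Callable[[Packet], bool], next_hops: Iterable[str],
          reachable: Callable[[str], bool]) -> str:
    """route-map 101: 'match ip address 102' then 'set next-hop ...'.
    Returns the gateway the packet is redirected to, or "normal" when the ACL
    does not match. Falling back to normal forwarding when no next-hop is
    reachable is an assumption of this model, not stated in the topic."""
    if not acl(pkt):
        return "normal"
    hop = choose_next_hop(next_hops, reachable)
    return hop if hop is not None else "normal"


# Constructed stand-ins (TEST-NET-1) for the xxx.xxx.xxx.xxx gateway placeholders.
GATEWAYS = ["192.0.2.10", "192.0.2.11"]


def demo() -> dict:
    """Run constructed packets through both ACL variants; returns the decisions."""
    all_up = lambda hop: True
    primary_down = lambda hop: hop != "192.0.2.10"
    web_eos = Packet("10.1.10.5", 80, 0x40)    # CoS rewrote ToS to 0x40 (DSCP 16)
    web_plain = Packet("10.1.10.5", 80, 0x00)  # untouched ToS: EOS rule does not match
    web_rfc = Packet("10.1.30.9", 8080, 0x00)  # source in quarantine VLAN 30
    https = Packet("10.1.30.9", 443, 0x40)     # 443 is not an HTTP port in the ACL
    outside = Packet("10.1.40.9", 80, 0x00)    # source outside the quarantine subnets
    return {
        "eos_redirect": route(web_eos, acl102_eos, GATEWAYS, all_up),
        "eos_untagged": route(web_plain, acl102_eos, GATEWAYS, all_up),
        "eos_failover": route(web_eos, acl102_eos, GATEWAYS, primary_down),
        "rfc_redirect": route(web_rfc, acl102_rfc3580, GATEWAYS, all_up),
        "rfc_https": route(https, acl102_rfc3580, GATEWAYS, all_up),
        "rfc_outside": route(outside, acl102_rfc3580, GATEWAYS, all_up),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:13s} -> {decision}")
```

The "eos_untagged" case is the one to watch during deployment: if the "Web Redirection" class of service is not applied to the Allow HTTP rule, the ToS byte stays 0 and the DSCP-based ACL never matches, so quarantined users receive no portal page even though the route-map is correct.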

With policy-based routing and the Assessment and Quarantine access policies defined, remediation settings can be specified, as described in the next section.

Configuring NAC Manager (for ExtremeControl Gateways and ExtremeControl Controllers)

Perform the following steps when you are deploying remediation in a network that utilizes ExtremeControl Gateway engines and/or ExtremeControl Controllers.

Use Portal Configuration in the Access Control tab to configure parameters for the Assessment/Remediation portal web pages served from the ExtremeControl engine. All ExtremeControl engines are initially assigned a default portal configuration. You can use this window to view and edit the default configuration or create new configurations to use. After you have defined your portal configuration, you must enforce the NAC configuration to your engine(s).

Use the following steps to define your portal configuration and enforce it to the engine. These steps give you an overview of the required configuration. For more detailed information, see the Portal Configuration Help topic.

  1. Enable the Assessment/Remediation for End-Systems option in the NAC Manager Features options accessed from Tools > Options in the NAC Manager menu bar.
  2. Use the NAC Manager toolbar button to open the NAC Configuration window.
  3. In the left-panel tree, select the Features icon. Enable the registration, access, and assessment/remediation features you want for your network.
  4. In the left-panel tree, select the Portal icon. If needed, use the Portal Configuration drop-down list in the right panel to select the configuration to configure or to create a new one.
  5. Expand the Portal icon and select the portal configuration settings you want to edit:
    1. Select Network Settings to view network web page parameters. Select Look and Feel to view the common web page parameters. These parameters are shared by both the Assessment/Remediation and the Registration portal web pages. You can edit and change these parameters; for a description of each parameter, see the Network Settings and Look and Feel sections of the Portal Configuration Help topic. Be aware that if you deploy both the assessment/remediation and registration features, any changes will affect the web pages for both features.
    2. Select Administration where you can configure settings for the registration administration web page and grant access to the page for administrators and sponsors. For information on this tab, see the Administration Portal Configuration Help topic.
    3. Depending on the registration, access, and assessment/remediation features you have selected for your network, there are additional views you can access where you can configure the settings and parameters for each type. For a description of each setting and parameter, see the Portal Configuration Help topic.
    4. Select Assessment/Remediation to view the parameters for the Assessment/Remediation portal web pages. You can edit and change these parameters; for a description of each parameter, see the Assessment/Remediation section of the Portal Configuration Help topic.
  6. When you have finished making your changes to the portal configuration, select Save in the NAC Configuration window and then close the window.
  7. Enforce the NAC configuration to the engine group.

Remediation is now enabled on the network. Whenever an end-system is assigned to the Assessment or Quarantine access policy, the web traffic from the end-system will be redirected to a web page stating information about the network resource provisioning restrictions.

