Ivanti Policy Secure Configuration

The goal is to configure the following to permit the VoIP phone to access the LAN network:

  • Create a role for hosts that don’t have a 802.1x supplicant. For example, VoIP Phones.
  • Create MAC Address Authentication Server and MAC Address Authentication Realm.
  • Create Local Profiler Authorization Server and assign it to a MAC Address Authentication Realm.
  • In the MAC Address Authentication Realm, create role mapping rules to assign roles to devices based on their device “profile”.
  • Create a location group and map the location group to MAC Address Authentication Realm.
  • Configure a RADIUS client.
  • Create RADIUS return attributes for final VLAN assignment and assign it to Roles.
  • This use case configuration applies to profiled devices using either DHCP, or SNMP/NMAP mechanisms. For more information, see Profiler Deployment Guide.

Pre-Requisite

You must ensure that the Switch port is configured to allow MAC Address Authentication. You must procure Profiler license for profiler functionality. See Ivanti Policy Secure Admin Guide for sample configurations.

Procedure

  1. Create a new user role, select Users > User Roles > New User Role. Enter a name. For example, VoIP Phones.

  2. Uncheck Install Agent for this Role. Do not configure any role restrictions.

  3. Create a new MAC address Authentication server, select Authentication > Auth.Servers > MAC Address Authentication. Click New Server. To allow all MAC addresses, configure * as a wild character and assign the device attribute of “deviceName=unknown” as shown in the below screenshot.

  4. Create a new Local Profiler authorization server.

    • Select Authentication > Auth.Servers. Select Local Profiler from the server type drop-down list and click New Server.

    • Click Browse and upload the device fingerprints package.

    • Configure SNMP Poll interval and DHCP sniffing mode interface.

    • For Profiling devices using SNMP, you can configure the switch under Endpoint Policy > Network Access > SNMP Device Configuration.

    • (Optional) Add one or more subnets that can be included or excluded for fingerprinting unmanaged devices using Nmap target scans. Note that an Nmap target scan is only performed on valid IP addresses in the subnet.

  5. Create a new MAC Address Authentication realm and assign it to MAC Address Authentication and profiler server, select Endpoint Policy > MAC Address Realms > MAC Authentication Realm.

  6. Set Role Mapping rules. Select Rule based on Device attribute and click Update. Enter the rule name and under Rule, select Category as Attribute and values as “VoIP Phone/Adapters” and then assign all devices of category to the role called “VoIP Phone” as shown in the following figure.

    • Select Stop processing rules when the rule matches and click Save Changes.

  7. Similarly Create another rule, to assign other unknown devices to “Unknown_Device” Role. Select Rule based on User attribute and click Update. Enter the rule name and under Rule, click Attributes to add the custom attribute as shown in the screenshot. Provide a custom attribute name, which matches with the attribute name configured previously in the Mac Auth Server by clicking Add Attribute and then click OK.

  8. Select Attribute as deviceName from the list and value as “Unknown” and then assign all devices of category to the role called “Unknown Device” as shown below. Select Stop processing rules when the rule matches and click Save Changes.

    Once the role mapping roles are configured the following screen is displayed.

  9. Configure the RADIUS client (Add the switch in the Ivanti Policy Secure admin UI).

    • Create a location group. Select Endpoint Policy > Network Access > Location Group (and assign the default Signing In policy and MAC Address Authentication Realm).

  10. Create new RADIUS client. Select Endpoint Policy > Network Access > RADIUS Client. Enable Support Disconnect Messages.

    RADIUS Disconnect is used for session termination.

    Change of Authorization (CoA) is used to change the ACLs and several other attributes for the endpoint instantly based on roles without the need of re-authentication through Switch/WLC.

    • Set RADIUS return attributes. Select Endpoint Policy > Network Access > RADIUS Return Attribute Policies. Click New Policy.

      For example, define a “VoIP Phones” policy for moving endpoint to the appropriate VLAN.

Conclusion

You should now be able to properly authenticate devices based on their profile even if they do not have a 802.1x supplicant. For example, in the above scenario, all VoIP phones will automatically be assigned to the appropriate VLAN when they attempt to access the network.

You can view the high-level device statistics from the Device dashboard page at System > Status > Device Profiles.

You can view the device reports at System > Reports > Device Discovery.

You can verify the active users table to view the session details of the user.

For troubleshooting you can verify the user access logs.