How to de-integrate NAC from a Layer 2 / Layer 3 network (RBE/PBR)?

To de-integrate or remove NAC from a Layer 2 or Layer 3 network, please follow the relevant instructions below.

Each set of instructions applied to a specific network management device and brand.

If you do not see your network device listed, please open a case with OPSWAT Support by following the instructions in the support box at the end of this article.

RBE (Layer 2 - RADIUS Based Enforcement)

Aruba Controllers

Aruba Open or PSK SSIDS

• Execute the following command on the master controller.

conf t

!

aaa profile "Customer's Open Profile"

   no authentication-mac

!

end

!

write mem

• To prevent devices getting stuck in a blocked state, you can have the system mark all devices in quarantined states as compliant, by executing the following command.

aaa user delete role "SC_Quarantine_Role"

• To re-integrate NAC, type the following command.

conf t

!

aaa profile "Customer's Open Profile"

   authentication-mac

!

end

!

write mem

Aruba WPA2E SSIDS

1. To remove RBE from the RADIUS path of your network, you must remove or demote the entry pertaining to the RBE server from the controller’s RADIUS configurations.

• Navigate to Configuration>Authentication>AAA Profiles, and select the 802.1X Authentication Server Group of the profile used by your SSID.
• Either delete or demote the entry for the NAC RBE Device.
• Alternatively, this can be done from the CLI by replacing devradius.pd.impulse.com with the NAC Appliance, and replacing rbetest2.pd.impulse.com with an alternate RADIUS server, as illustrated below.

conf t

!

aaa server-group "Imp_PD_Dev_srvgrp-cdp10"

  no auth-server "devradius.pd.impulse.com"

  auth-server "rbetest2.pd.impulse.com" position 1

!

end

!

write mem

2. To prevent devices getting stuck in a blocked state, you can have the system mark all devices in quarantined states as Compliant, by executing the following command.

aaa user delete role "SC_Quarantine_Role"

3. To re-integrate NAC, enter the following command.

conf t

!

aaa server-group "Imp_PD_Dev_srvgrp-cdp10"

  auth-server "devradius.pd.impulse.com" position 1

!

end

!

write mem

Cisco Controllers

Cisco Open SSIDS (AireOS versions prior to and including V 8.3.102.0)

1. To turn MAC filtering off, click on WLAN>Security>Layer 2, then uncheck MAC Filtering.
2. To set Layer 3 Security to None, click on WLAN>Security>Layer 3, then select None from the drop-down menu.
3. To uncheck AAA Override, click on WLAN>Advanced, then uncheck AAA Override, as illustrated below.

To re-integrate NAC, do the following.

4. To turn MAC filtering on, click on WLAN>Security>Layer 2, then check MAC Filtering.

5. To set Layer 3 Security to Web Policy, click on WLAN>Security>Layer 3, select Web Policy from the drop-down menu, then ensure that both On MAC Filter Failure and the sc_quarantine_acl ACL are selected.

6. To check AA Override, click on WLAN>Advanced, then check AAA Override.

Cisco Open SSIDS (AireOS versions subsequent to and including V8.3.102.0)

1. To turn MAC filtering off, click on WLAN>Security>Layer 2, then uncheck MAC Filtering.
2. To uncheck AAA Override, click on WLAN>Advanced, then uncheck AAA Override.

To re-integrate NAC, do the following.

3. To turn MAC filtering on, click on WLAN>Security>Layer 2, then check MAC Filtering.
4. To check AAA Override and set the NAC State, click on WLAN>Advanced, then check AAA Override and select Radius NAC or ISE NAC.

Cisco WPA2E SSIDS

1. To set the RADIUS authentication server to an alternate RADIUS server, navigate to WLAN>Security>AAA Servers, then set Server 1 to Alternate RADIUS Server.
2. To set Allow AAA Override to Disabled and set the NAC state to None, navigate to WLAN>Advanced, then uncheck Allow AAA Override and set NAC State to None.

To re-enable NAC, do the following.

3. To set the RADIUS authentication server to NAC RADIUS server, navigate to WLAN>Security>AAA Servers, then set Server 1 to NAC RADIUS Server.
4. To check AAA Override and set the NAC State, click on WLAN>Advanced, then check AAA Override and select Radius NAC or ISE NAC.

Aerohive Controllers

Aerohive HM6 Open, WEP, WPAPSK WLANS

1. To disable MAC authentication, navigate to Configuration>SSIDs>(Name of Open / WEP or WPAPSK SSID), then uncheck Enable MAC Authentication, click Save and push the updated policy.
2. To re-integrate NAC, navigate to Configuration>SSIDs>(Name of Open / WEP or WPAPSK SSID, then check Enable MAC Authentication, click Save and push the updated policy.

Aerohive HM6 WPA2E/802.1X WLANS

1. Navigate to Configuration>SSIDs>(Name of Secure SSID), then change SSID Access Security to Open, click Save and push the updated policy.
2. To re-integrate NAC, navigate to Configure>SSIDs>(Name of Secure SSID), then change SSID Access Security to WPA/WPA2 802.1X (Enterprise), click Save and push the updated policy.

Aerohive HMNG Open, WEP, or WPAPSK WLANs

1. To turn off MAC authentication, navigate to Configure>(Name of policy)>Wireless Settings>(Name of Secure SSID)>MAC Authentication, then disable MAC Authentication, click Save and push the updated policy.
2. To re-integrate NAC, navigate to Configure>(Name of Policy)>Wireless Settings>(Name of Secure SSID)>Mac Authentication, then enable MAC Authentication, click Save and push the updated policy.

Aerohive HMNG WPA2E/802.1X WLANs

1. Navigate to Configure>(Name of Policy)>Wireless Settings>(Name of Secure SSID), then change SSID Access Security to Open, click Save and push the updated policy.
2. To re-integrate NAC, navigate to Configure>(Name of Policy)>Wireless Settings>(Name of Secure SSID), then change SSID Access Security to Enterprise, click Save and push the updated policy.

PBR (Layer 3 - Policy Based Routing)

To clear the opswat_block ACL, enter the device-relevant commands and instructions below.

NEXUS Router

conf t

!

no ip access-list opswat_block

!

ip access-list opswat_block

permit ip any host 198.31.193.211

!

end

Cisco/Brocade ICX Router (Non NEXUS Router)

conf t

!

no ip access-list extended opswat_block

!

ip access-list extended opswat_block

 permit ip any host 198.31.193.211

!

end

Alcatel Router

no policy rule block

!

no policy condition noncompliant

!

no policy network group opswat_block

!

policy network group opswat_block 169.254.0.1

!

policy condition noncompliant source network group opswat_block vrf default

!

policy rule block precedence XXX condition noncompliant action next-hop-enforcer

!

qos apply

!

write memory

!

copy working certified

HP Router

config

!

policy pbr opswat

no class ipv4 opswat_block

exit

!

no class ipv4 opswat_block

!

class ipv4 opswat_block

match ip any 198.31.193.211/32

exit

!

policy pbr opswat

class ipv4 opswat_block

action ip next-hop x.x.x.x - Must replace with Enforcer IP

exit

!

exit

!

wr mem

Huawei Router

config

!

traffic policy opswat

 undo classifier opswat_block behavior impulse_block precedence 5

!

traffic classifier opswat_block type or

 undo if-match acl opswat_block

!

undo acl name opswat_block advance

!

acl name opswat_block advance

 rule 5 permit ip destination 198.31.193.211 0

!

traffic classifier opswat_block type or

 if-match acl opswat_block

!

traffic policy opswat

 classifier opswat_block behavior opswat_block precedence 5

!

commit

!

quit

MLX Router

conf t

!

no ip access-list extended opswat_block

!

ip access-list extended opswat_block

 permit ip any host 198.31.193.211

!

ip rebind-acl opswat_block

!

end

!

wr mem

The following script is for removing the NAC route map, where X = the Layer 3 interface that has the route map applied.

X can be determined by issuing a show ip policy command, then reviewing the results to determine which interfaces have the route map applied.

conf t

!

interface X

 no ip policy route-map opswat

!

end

Then, to restore the NAC route map, enter the following script.

conf t

!

interface X

 ip policy route-map opswat

!

end