How to de-integrate MetaAccess NAC from a Layer 2 / Layer 3 network (RBE/PBR)?

To de-integrate/remove MetaAccess NAC from a Layer 2 or Layer 3 network, follow the steps defined for the network device brand managing that respective network below. If you do not see your network device listed below, encounter any issues, or have any questions, please submit a ticket at: Case Management

These steps should only be followed as instructed by OPSWAT Support or if enforcement has already been disabled in the MetaAccess NAC UI as defined at How To Toggle Enforcement on Layer 2 or Layer 3 networks (RBE/PBR)

RBE (Layer 2 / Radius Based Enforcement)

Aruba Controllers

Aruba Open or PSK SSIDS

Execute the following on the master controller

conf t ! aaa profile "Customer's Open Profile" no authentication-mac ! end ! write mem

To have any devices in a quarantine state be marked as compliant (to ensure no devices are stuck in a block state), execute the following:

aaa user delete role "SC_Quarantine_Role"

To re-integrate MetaAccess NAC:

conf t ! aaa profile "Customer's Open Profile" authentication-mac ! end ! write mem

Aruba WPA2E SSIDS

Warning

This method cannot be used if MetaAccess NAC is the only RADIUS server, as there must be an alternate RADIUS server to point at in the below steps

To remove RBE from the RADIUS path of your network, you must remove (or demote) the entry pertaining to the RBE server from the controllers RADIUS configurations.

Through the Web UI, navigate to Configuration->Authentication->AAA Profiles and select the 802.1X Authentication Server Group of the profile used by your SSID. You can either delete or demote the entry for MetaAccess NAC RBE device.

Alternatively, this can be done from the CLI (replace devradius.pd.impulse.com with the MetaAccess NAC appliance and replace rbetest2.pd.impulse.com with an alternate RADIUS server)

conf t ! aaa server-group "Imp_PD_Dev_srvgrp-cdp10" no auth-server "devradius.pd.impulse.com" auth-server "rbetest2.pd.impulse.com" position 1 ! end ! write mem

To have any devices in a quarantine state be marked as compliant (to ensure no devices are stuck in a block state), execute the following:

aaa user delete role "SC_Quarantine_Role"

To re-integrate MetaAccess NAC:

conf t ! aaa server-group "Imp_PD_Dev_srvgrp-cdp10" auth-server "devradius.pd.impulse.com" position 1 ! end ! write mem

Cisco Controllers

Cisco Open SSIDS (AireOS versions earlier than 8.3.102.0)

  1. Turn MAC filtering off (Click on WLAN > Security > Layer 2 and uncheck Mac Filtering)

  2. Set Layer 3 Security to None (Click on WLAN > Security > Layer 3, and select None from the dropdown)

  3. Uncheck AAA Override (Click on WLAN > Advanced, and uncheck AAA Override)


To re-integrate MetaAccess NAC:

  1. Turn MAC filtering on (Click on WLAN > Security > Layer 2 and check Mac Filtering)


  1. Set Layer 3 Security to Web Policy (Click on WLAN > Security > Layer 3, and select Web Policy from the dropdown, ensure that On MAC Filter Failure is selected and the sc_quarantine_acl ACL is selected.)


  1. Check AAA Override (Click on WLAN > Advanced, and check AAA Override)


Cisco Open SSIDS (AireOS version 8.3.102.0 and later)

  1. Turn MAC filtering off (Click on WLAN > Security > Layer 2 and uncheck Mac Filtering)

  2. Uncheck AAA Override (Click on WLAN > Advanced, and uncheck AAA Override)

Warning

This method cannot be used if MetaAccess NAC is the only RADIUS server, as there must be an alternate RADIUS server to point at in the below steps

To re-integrate MetaAccess NAC :

  1. Turn MAC filtering on (Click on WLAN > Security > Layer 2 and check Mac Filtering)

  2. Check AAA Override and set NAC State (Click on WLAN > Advanced, check AAA Override and select Radius NAC or ISE NAC)

Cisco WPA2E SSIDS

  1. Set RADIUS authentication server to an alternative RADIUS server (WLAN > Security >AAA Servers > Set Server 1 to Alternate RADIUS Server)

  2. Set Allow AAA override to Disabled, and set NAC State to None (WLAN > Advanced > Uncheck "Allow AAA Override" and set NAC State to "None")

To re-enable MetaAccess NAC:

  1. Set RADIUS authentication server to MetaAccess NAC RADIUS server (WLAN > Security >AAA Servers > Set Server 1 to MetaAccess NAC RADIUS Server)

  2. Check AAA Override and set NAC State (Click on WLAN > Advanced, check AAA Override and select Radius NAC or ISE NAC)

Aerohive Controllers

Aerohive HM6 Open, WEP, WPAPSK WLANS

Navigate to Configuration > SSIDs > (Name of Open, WEP or WPAPSK SSID) and deselect Enable MAC Authentication. Click Save. Push updated policy.

To re-integrate MetaAccess NAC :

  1. Navigate to Configuration > SSIDs > (Name of Open, WEP or WPAPSK SSID) and select Enable MAC Authentication. Click Save. Push updated policy.

Aerohive HM6 WPA2E/802.1X WLANs

Navigate to Configuration > SSIDs > (Name of Secure SSID) and change SSID Access Security to Open. Click Save. Push updated policy.

To re-integrate MetaAccess NAC:

Navigate to Configuration > SSIDs > (Name of Secure SSID) and change SSID Access Security to WPA/WPA2 802.1X (Enterprise). Click Save. Push updated policy.

Aerohive HMNG Open, WEP, or WPAPSK WLANs

Navigate to Configure > (Name of policy) > Wireless Settings > (Name of secure SSID) > MAC Authentication and turn off Mac Authentication. Click Save. Push updated policy.

To re-integrate MetaAccess NAC:

Navigate to Configure > (Name of policy) > Wireless Settings > (Name of secure SSID) > MAC Authentication and turn on Mac Authentication. Click Save. Push updated policy.

Aerohive HMNG WPA2E/802.1X WLANs

Navigate to Configure > (Name of policy) > Wireless Settings > (Name of secure SSID) and change SSID Access Security to Open. Click Save. Push updated policy

To re-integrate MetaAccess NAC:

Navigate to Configure > (Name of policy) > Wireless Settings > (Name of secure SSID) and change SSID Access Security to Enterprise. Click Save. Push updated policy

PBR (Layer 3 / Policy Based Routing)

Clearing the opswat_block ACL

NEXUS Router

conf t ! no ip access-list opswat_block ! ip access-list opswat_block permit ip any host 198.31.193.211 ! end

Cisco/Brocade ICX Router (Non NEXUS Router)

conf t ! no ip access-list extended opswat_block ! ip access-list extended opswat_block permit ip any host 198.31.193.211 ! end

Alcatel Router

Info

Confirm the name of the policy network group, as the group may be called "blockedhost" rather than "opswat_block" on some legacy devices. If so, replace "opswat_block" with "blockedhost" or whatever the name of the policy network group may be, before executing the script.

no policy rule block ! no policy condition noncompliant ! no policy network group opswat_block ! policy network group opswat_block 169.254.0.1 ! policy condition noncompliant source network group opswat_block vrf default ! policy rule block precedence XXX condition noncompliant action next-hop-enforcer ! qos apply ! write memory ! copy working certified

HP Router

config ! policy pbr opswat no class ipv4 opswat_block exit ! no class ipv4 opswat_block ! class ipv4 opswat_block match ip any 198.31.193.211/32 exit ! policy pbr opswat class ipv4 opswat_block action ip next-hop x.x.x.x - Must replace with Enforcer IP exit ! exit ! wr mem

Huawei Router

config ! traffic policy opswat undo classifier opswat_block behavior impulse_block precedence 5 ! traffic classifier opswat_block type or undo if-match acl opswat_block ! undo acl name opswat_block advance ! acl name opswat_block advance rule 5 permit ip destination 198.31.193.211 0 ! traffic classifier opswat_block type or if-match acl opswat_block ! traffic policy opswat classifier opswat_block behavior opswat_block precedence 5 ! commit ! quit

MLX Router

conf t ! no ip access-list extended opswat_block ! ip access-list extended opswat_block permit ip any host 198.31.193.211 ! ip rebind-acl opswat_block ! end ! wr mem
Info

If you encounter the following error:

telnet@BG-MLX8-Core2(config)#no ip access-list extended opswat_block

Cannot delete l4 access-list opswat_block : Currently in use by PBR.

error - ACL In Use.

Execute:

acl-policy

force-delete-bound-acl

Removing the MetaAccess NAC route mapWhere "X" = Layer3 interface that has route-map applied. X can be determined be issuing "show ip policy" and reviewing the results to determine which interfaces have the route-map applied

conf t ! interface X no ip policy route-map opswat ! end

To restore the MetaAccess NAC route-map:

conf t ! interface X ip policy route-map opswat ! end