Agents

Agents can only be added when registering them using the credentials of an administrator of the account.

From the list of agents, an agent can:

  • be deactivated: ELAN center will ignore all requests from that agent but keep the information related to that agent (Connections, Events, …).
  • be deleted (once deactivated): This will erase every reference to that agent and thus delete all related information (Connections, Events, …).

Configuration

In this panel, you will configure RADIUS and SNMP settings for the agent:

RADIUS

All network equipment will share the same RADIUS secret.

To function correctly, 802.1X requires a server certificate/key. A default certificate authority and agent key are created. You can download the provided certificate authority by clicking on the button. This authority is the same for all agents in the account. If you wish to use your own authority, you can download a Certificate Signing Request (CSR) by clicking the button and then upload the certificate chain.

  • 802.1X Authentication: Authentication to be used when a RADIUS 802.1X request is received. This can be a provider or a group.
  • Default RADIUS Secret: the secret that will be used for all RADIUS requests.
  • Certificate Chain: RADIUS server certificate chain. Click on the button to upload a new certificate chain.

SNMP

Enter all SNMP credentials used by your network equipment. When polling a switch for the first time, these credentials will be tried in order, the most secure and highest protocol version first: v3AuthPriv, then v3AuthNoPriv, then v3NoAuthNoPriv, then v2c, then v1.

Note

Make sure to add the entry by pressing the button before saving.

VLAN Definitions

In this panel, you will configure all VLANs used by the agent.

VLANs are referred to from the point of view of the Agent, that is, how it “sees” them: a VLAN ID on an interface. This means the Agent can be used to monitor 2 completely separate VLANs with the same VLAN ID, as long as they are seen on different interfaces.

Each VLAN has the following settings:

Name:
a friendly name used to display the VLAN in the UI.
Interface:
the interface of the agent that will “see” the VLAN.
VLAN ID:
the VLAN ID as “seen” by the Agent.
Access Control:

Enable or disable access control on that VLAN.

If enabled, each device will be checked to see whether it is allowed on the network (see VLAN Assignment Rules) and, if so, it will only have access to the VLANs defined by the matching rule. If a device is not allowed on the VLAN, a device-not-authorized Event will be generated.

If disabled, no check will be performed and devices will have access to the VLANs with access control disabled.

Web Authentication:
If set, the captive portal shown to unauthorized devices, or to devices trying to access an unauthorized resource, will display a credential form. When the user submits the credentials, they will be looked up against that authentication.
Guest Access:
If set, the captive portal shown to unauthorized devices, or to devices trying to access an unauthorized resource, will display that guest access form.
Log Connections:

Enable or disable logging of IP connections on that VLAN.

Note

If a connection enters on one VLAN and leaves on another, with logging enabled on both, that connection will be logged only once.

IDS:
Enable or disable IDS scan on that VLAN.

Pass-through:

  • DHCP: List of VLANs to which DHCPv4, DHCPv6 and IPv6 autoconfiguration requests are allowed to pass through.

  • DNS: List of VLANs to which DNS requests are allowed to pass through.

  • ARP/NDP: List of VLANs to which IPv4 ARP and IPv6 NDP requests are allowed to pass through. This is useful when a gateway is on that VLAN: requests to that gateway can then be made even by devices that are not authorized, and in that case their HTTP requests will be caught by the captive portal.

    DHCP and DNS pass-through are always included.

VLAN Assignment Rules

In this panel, you will define the rules that your devices must obey. When a device is detected on the network, or just after it has authenticated (802.1X, captive portal or guest access), the device information is compared to the rules you defined. Processing goes from top to bottom; the first rule with a full match gives the device its authorizations. If no rule matches, an alert event will be sent and the device will be given no authorizations.

The rules are checked against authentication information and device tags:

  • Authentication Type:

    How user on device was authenticated:

    • None: No authentication was performed on the user accessing the network.
    • Guest Access: User accepted “User Policy Agreement” and (for sponsored guest access) was authorized on the network.
    • Web Authentication: User authenticated on a captive portal.
    • 802.1X: User authenticated using 802.1X protocol.

    Note

    • a device may have several authentications (for example 802.1X + Web Authentication or Guest Access), in that case any of them will match, so be careful about the rules order.
    • MAC Authentication is not considered a user authentication, so even if you have configured your switches for MAC authentication (which you should do when not doing 802.1X), the authentication type in that case will be None.
  • Authentication Provider:

    What provider authenticated the user.

    This can be a group, in that case all providers in that group will match.

    For sponsored guest access, it will be the authentication provider of the staff that authorized the device on the network.

  • Device Tags:

    The device must have all the tags declared here for the rule to match.

  • Assign VLAN:

    VLAN to assign to the device during 802.1X or RADIUS MacAuth. Only the VLAN ID part is used and sent back to the switch.

  • Allowed on VLANs:

    List of VLANs the device is allowed on. It always includes the “Assign VLAN” above.

  • Give Access To:

    List of VLANs the device will be bridged to, thus allowing it access to those networks.
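As an added illustration, not ELAN center's own code, the following Python model shows the matching described above: rules are evaluated top to bottom, any one of a device's authentications may satisfy the Authentication Type and Provider criteria, a provider group expands to its members, all Device Tags are required, the Assign VLAN is always part of Allowed on VLANs, and a device that matches nothing gets an alert event and no authorizations. The VLAN names, provider group and rules are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data, not the product's own configuration.
VLAN_IDS = {"corp": 10, "guest": 20, "quarantine": 99}        # from VLAN Definitions
PROVIDER_GROUPS = {"corp-idp": {"ldap-main", "ad-branch"}}    # provider group -> members

@dataclass
class Rule:
    name: str
    auth_type: Optional[str] = None      # "None", "Guest Access", "Web Authentication", "802.1X"
    provider: Optional[str] = None       # a provider name or a group name; None = any
    tags: frozenset = frozenset()        # device must carry ALL of these
    assign_vlan: Optional[str] = None    # VLAN name; only its ID is sent to the switch
    allowed_on: frozenset = frozenset()
    access_to: frozenset = frozenset()

@dataclass
class Device:
    mac: str
    auths: list = field(default_factory=list)   # [(type, provider), ...]; empty == "None"
    tags: frozenset = frozenset()

def rule_matches(rule: Rule, device: Device) -> bool:
    auths = device.auths or [("None", None)]    # MAC auth alone still counts as "None"
    # Any one of the device's authentications is enough to satisfy the rule.
    auth_ok = any(
        (rule.auth_type is None or a_type == rule.auth_type)
        and (rule.provider is None
             or a_prov in PROVIDER_GROUPS.get(rule.provider, {rule.provider}))
        for a_type, a_prov in auths)
    return auth_ok and rule.tags <= device.tags

def authorize(rules: list, device: Device) -> dict:
    """Top to bottom, first full match wins; no match -> alert event, no authorizations."""
    for rule in rules:
        if rule_matches(rule, device):
            allowed = set(rule.allowed_on)
            if rule.assign_vlan is not None:
                allowed.add(rule.assign_vlan)       # assigned VLAN is always allowed
            return {"rule": rule.name, "assign_vlan_id": VLAN_IDS.get(rule.assign_vlan),
                    "allowed_on": allowed, "access_to": set(rule.access_to), "event": None}
    return {"rule": None, "assign_vlan_id": None, "allowed_on": set(),
            "access_to": set(), "event": "no-rule-matched"}

RULES = [  # order matters: a staff laptop that also did guest access must hit "staff" first
    Rule("staff", "802.1X", "corp-idp", frozenset(), "corp", frozenset({"guest"}), frozenset({"corp"})),
    Rule("printers", None, None, frozenset({"printer"}), "corp", frozenset(), frozenset()),
    Rule("guests", "Guest Access", None, frozenset(), "guest", frozenset(), frozenset({"guest"})),
]
```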