Working with Compliance Module
  • 21 Feb 2024

Article Summary

After a successful 802.1X deployment it is crucial to validate the 802.1X switchport configuration on all switches, to make sure that every switch and interface has the expected configuration and that there are no unintended interfaces left without 802.1X configuration.

The Compliance module helps you validate the configurations, fix them when they do not comply with your configuration templates, and re-validate them periodically. If an interface has no 802.1X configuration for a legitimate reason, you can configure an exception on it and document both the exception and the responsible person.

Starting with compliance

Configure Compliance module

Before you start using the Compliance Module, make sure it is configured correctly. This guide shows how to evaluate a single switch and refers to the Compliance Module Configuration.

This section shows how to evaluate and analyze a single example switch and then make it compliant.

Compliance Templates

The first configuration step is the compliance templates. There are three template types:
Compliant Template - should contain the complete interface configuration that every secured access interface must have. The configuration may vary across your network by IOS version or switch model, or simply because you use different configuration templates in different parts of the network.

Apart from Compliant Templates, you can optionally configure Partially Compliant and Non Compliant templates.

Partially Compliant Template - like a Compliant Template, it contains a full interface configuration. An interface matching this template is still considered safe and secured, but it may contain some configuration exceptions.

Non Compliant Template - contains a single command or a selection of commands which must not be configured on any access interface in your network.

Make Compliant

Compliant and Partially Compliant Templates can be used by the "Make Compliant" feature (described later in this documentation) to push interface configurations to a switch.

Compliance Rules

Configure the compliance rules so that the correct Compliance Templates are matched to each switch, and so that every switch matches some rule. You can list multiple values separated by a comma in each condition; this is common especially for the IOS version, because Compliance Templates (interface configurations) usually differ between IOS versions. A switch that matches no rule is automatically considered Non Compliant.

Building compliance rules takes some tuning, especially in large enterprise deployments. It is good practice to start with a few reference switches that are the most common in your network or in a single location, and build up from there.

Running Compliance Jobs

Synchronizing Network Devices from ISE to XTENDISE

When you first open the Compliance module, make sure that all Network Access Devices (switches) are synchronized from ISE to XTENDISE. The synchronization runs every Sunday at 1 a.m., but you can also run it manually: navigate to Compliance Module -> Compliance Configuration (4th page) and click Run Device Synchronization. It takes a few minutes to finish. When the job is done, navigate to Compliance Module -> Device List to see the current list of switches. All switches should be in the Unknown state, because no switch has been evaluated yet.

Running Evaluation on a single switch

Click the Edit button on the reference switch you want to start with to open the switch details.

The details are empty because the switch has not been evaluated yet. Click the Evaluate button to start the evaluation; it takes a few seconds to complete. In this way you can run evaluations switch by switch.

When the evaluation is done, you should see the switch details including interfaces and evaluation results. Make sure that the Rule field shows the number of the rule the switch should match. You can also click the Rule button to see the rule details. If no rule is displayed, or the rule number is wrong, check your Compliance Rules configuration.

Analyzing Evaluation Results

During the evaluation, XTENDISE connects to the switch, collects the output of several show commands and analyzes it. At the end, the interface results and the switch Compliance Result are displayed.

The Switch Compliance Result is based on Interface Compliance Results and can have the following values:

  • Unknown - Evaluation has not been executed on the switch or XTENDISE was not able to connect to the switch
  • Non Compliant - At least one interface is Non Compliant
  • Partially Compliant - At least one interface is Partially Compliant and there is no Non Compliant interface
  • Compliant - All interfaces are Compliant

In our Example, the switch result is Non Compliant because there are Non Compliant interfaces.


As you can see, there are several interface states that tell us something about the interface configuration. These states are set automatically on each interface:

  • Unknown - Evaluation has not been executed on the switch or XTENDISE was not able to connect to the switch
  • Auto Bypass - Bypassed interfaces are not evaluated. These interfaces cannot have 802.1X configuration or it does not make sense to evaluate them. An interface is set to the Auto Bypass state if it meets any of the following conditions: 1) the interface is shut down, 2) the interface is in trunk mode, 3) the interface has MACsec configuration, 4) the interface is an EtherChannel or a member of an EtherChannel, 5) the VLAN number or description matches the global exceptions.
  • Non Compliant - The interface did not match any Compliant Template (certain commands are missing) or it matched a Non Compliant Template
  • Partially Compliant - The interface matched a Partially Compliant Template
  • Compliant - The interface matched a Compliant Template
Global Settings

The Auto Bypass behavior above is described for the default Compliance Module Global Settings. Note that there are global settings that can alter the Auto Bypass behavior; read the Compliance Module Global Settings for details.
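To make the classification rules above concrete, here is an added example, not XTENDISE's own code, that re-implements the per-interface and per-switch logic in Python over a constructed running-config. Everything in it is an assumption for illustration: a hypothetical Compliant Template DOT1X-USER, a Partially Compliant Template MAB-ONLY, a Non Compliant Template NO-AUTH-OPEN that forbids authentication open, one compliance rule with comma-separated model and IOS version conditions, and a hypothetical global VLAN exception. It also shows the two failure modes the page mentions: a switch that matches no rule comes back Non Compliant, and a switch that could not be reached comes back Unknown. The real product collects show command output from the switch; here the config text is embedded.

```python
# Added example, not XTENDISE code: a minimal re-implementation of the
# interface and switch classification this page describes. The running-config,
# templates, rule and switch facts below are constructed.
import re

RUNNING_CONFIG = """\
interface GigabitEthernet0/1
 description Server
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface GigabitEthernet0/3
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
!
interface GigabitEthernet0/4
 authentication port-control auto
 authentication periodic
 mab
!
interface GigabitEthernet0/5
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet0/8
 authentication port-control auto
 authentication periodic
 authentication open
 mab
 dot1x pae authenticator
!
"""
# Templates are sets of commands; description/VLAN lines vary per port, so they are left out.
COMPLIANT = {"DOT1X-USER": {"authentication port-control auto",
                            "authentication periodic", "mab", "dot1x pae authenticator"}}
PARTIAL = {"MAB-ONLY": {"authentication port-control auto",
                        "authentication periodic", "mab"}}
NON_COMPLIANT = {"NO-AUTH-OPEN": {"authentication open"}}
GLOBAL_EXCEPTION_VLANS = {"999"}  # hypothetical global VLAN exception
# Each rule condition is a comma-separated list of accepted values.
RULES = [{"id": 1, "model": "C9200,C9300", "ios": "17.6,17.9",
          "compliant": ["DOT1X-USER"], "partial": ["MAB-ONLY"]}]

def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} from running-config text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif current and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" closes the stanza
    return interfaces

def auto_bypass_reason(name, lines):
    if name.lower().startswith("port-channel"):
        return "EtherChannel"
    for line in lines:
        if line in ("shutdown", "switchport mode trunk"):
            return line
        if line.startswith(("macsec", "channel-group")):
            return line.split()[0]
        m = re.fullmatch(r"switchport access vlan (\d+)", line)
        if m and m.group(1) in GLOBAL_EXCEPTION_VLANS:
            return "global VLAN exception"
    return None

def evaluate_interface(name, lines, rule):
    reason = auto_bypass_reason(name, lines)
    if reason:
        return "Auto Bypass", reason
    cmds = set(lines)
    for tname, forbidden in NON_COMPLIANT.items():  # a forbidden command always wins
        if cmds & forbidden:
            return "Non Compliant", f"matched {tname}: {sorted(cmds & forbidden)}"
    for tname in rule["compliant"]:
        if COMPLIANT[tname] <= cmds:  # every template command is present
            return "Compliant", tname
    for tname in rule["partial"]:
        if PARTIAL[tname] <= cmds:
            return "Partially Compliant", tname
    missing = sorted(COMPLIANT[rule["compliant"][0]] - cmds)
    return "Non Compliant", f"missing {missing}"

def evaluate_switch(config, model, ios):
    """Return (switch result, {interface: (state, detail)})."""
    if config is None:  # could not connect, or never evaluated
        return "Unknown", {}
    rule = next((r for r in RULES if model in r["model"].split(",")
                 and ios in r["ios"].split(",")), None)
    if rule is None:  # no matching rule: the switch is Non Compliant
        return "Non Compliant", {}
    results = {n: evaluate_interface(n, l, rule)
               for n, l in parse_interfaces(config).items()}
    states = {state for state, _ in results.values()}
    for worst in ("Non Compliant", "Partially Compliant"):
        if worst in states:
            return worst, results
    return "Compliant", results  # bypassed interfaces do not count
```

Calling evaluate_switch(RUNNING_CONFIG, "C9300", "17.6") mirrors the example switch on this page: GigabitEthernet0/2 is Auto Bypass (trunk), 0/3 is Compliant, 0/4 is Partially Compliant, 0/1 and 0/5 are Non Compliant with their missing commands listed, 0/8 is Non Compliant because authentication open is present even though the rest of the template is, and the switch as a whole is therefore Non Compliant. Note that the subset check is deliberate: extra commands such as a description never make a port Non Compliant, only a missing or forbidden one does.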

Analyzing the example switch results

In our example there are several Non Compliant interfaces, so the whole switch is considered Non Compliant. Hover over the question mark to see the reason. On interface GigabitEthernet0/1, as shown in the previous picture, many commands are missing compared to the compliant template, which means that no 802.1X configuration is deployed there. Interface GigabitEthernet0/2 is in the Auto Bypass state because it is a trunk interface. Interfaces GigabitEthernet0/3, 0/6 and 0/7 are Compliant, and the Template Name column gives the name of the matched template. The same applies to GigabitEthernet0/4, which matched a Partially Compliant Template. GigabitEthernet0/5 is considered Non Compliant because it is missing the command authentication periodic. A missing or incorrect command may result in unexpected switch behavior.


Lastly, interface GigabitEthernet0/8 matched the Non Compliant Template. In our case the interface has the authentication open command configured, which means that the port forwards traffic regardless of the authentication result. This command is forbidden in our example company.

You can display the interface configuration by clicking the interface name to verify it.

Making the switch Compliant

At the end of the analysis we want to make the switch "green", that is, Compliant. To do that we have to deal with the "red" interfaces, which are Non Compliant for some reason: either fix the configuration on the interface or add an Exception to it.

Configuring Exceptions

An interface can be configured with an exception, which means that the interface is bypassed and not considered during evaluation. Two states can be configured on an interface manually:

  • Manual Bypass - Same as Auto Bypass but configured manually. This state should be used on interfaces which cannot be configured with 802.1X configuration.
  • Exception - Interfaces without 802.1X configuration for a legitimate reason. Unlike Manual Bypass, an Exception requires you to enter an exception reason.
Exceptions
  • In most deployments there is no need to use Manual Bypass, so we encourage you to use only Exceptions. Unlike Manual Bypass, an Exception also stores the exception reason and the person who configured it.
  • Neither Manual Bypass nor Exception makes any real configuration change on the switch interface. It only means that the interface is not considered during compliance evaluation.

In our example company, the administrator found out that a server is connected to interface GigabitEthernet0/1, so it is legitimate that there is no 802.1X configuration on it.

To configure an Exception:

  1. Click on the Settings icon on the interface row and select Exception.
  2. Fill in the Exception Reason and click Save.


Export

In a real environment it is crucial to keep an up-to-date list of interfaces that are excepted from 802.1X configuration, because every such interface is a gap in your port-level access control. XTENDISE keeps this list for you, and you can export it for auditing purposes.

Fixing interfaces configuration

Of course, the most common problems are missing or incorrect configurations on network switchports. The XTENDISE "Make Compliant" feature helps you fix the configuration easily.

Simply click the Configuration Mode button on the switch to configure its interfaces. You will be presented with a configuration interface that helps you configure interfaces based on the preconfigured Compliant Templates.

The picture below shows an example configuration we want to push to the switch in order to fix its configuration.

The switch configuration page offers the following options:

  • dot1x checkboxes - indicate the interfaces to configure. Non Compliant interfaces are selected by default, but you can select any other interface as well. Next to the checkbox is the Compliance Template that will be configured on the interface. The first Compliant Template is selected by default, or you can select any Compliant or Partially Compliant Template per interface.

  • shutdown checkboxes - let you shut down interfaces that are not used. This usually concerns interfaces without SFP modules, which are often left in the default configuration but should rather be shut down.

  • VLAN and VOICE columns - let you customize the data and voice VLAN numbers configured on the interface

  • Description column - lets you customize the interface description. The beginning of the description is taken from the selected Compliance Template.

When you are done with the switch configuration, you can deploy it to the switch. Click the Preview button to preview the configuration; the displayed configuration is exactly what will be executed on the switch, so review it before going further. Click the Deploy button to send it to the switch.
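As an added example (not XTENDISE's own code or template format), the following Python renders the kind of per-interface configuration a "Make Compliant" preview produces, from a hypothetical Compliant Template DOT1X-USER and the per-port choices listed above: template, data VLAN, voice VLAN, description and shutdown. The template lines and the selection are constructed; the two edge cases worth seeing are that a port with no voice VLAN gets no voice VLAN line at all, and a port marked shutdown receives only shutdown rather than an 802.1X configuration.

```python
# Added example, not XTENDISE code: renders the interface configuration that a
# "Make Compliant" preview would push, from a hypothetical Compliant Template,
# applying the per-port template, VLAN, voice VLAN, description and shutdown
# choices this page lists. The template and the selection are constructed.

# Hypothetical Compliant Template; {vlan}/{voice} are filled in per interface.
TEMPLATES = {
    "DOT1X-USER": [
        "description DOT1X-USER",
        "switchport mode access",
        "switchport access vlan {vlan}",
        "switchport voice vlan {voice}",
        "authentication host-mode multi-auth",
        "authentication order dot1x mab",
        "authentication priority dot1x mab",
        "authentication port-control auto",
        "authentication periodic",
        "authentication timer reauthenticate server",
        "mab",
        "dot1x pae authenticator",
        "dot1x timeout tx-period 10",
        "spanning-tree portfast",
    ],
}


def render_interface(interface, template=None, vlan=None, voice=None,
                     description=None, shutdown=False):
    """Return the config lines for one interface, as the Preview would show them."""
    lines = [f"interface {interface}"]
    if shutdown:
        # An unused port is shut down rather than given an 802.1X configuration.
        lines.append(" shutdown")
        return lines
    for tline in TEMPLATES[template]:
        if tline.startswith("description "):
            # The template supplies the prefix; the operator's text is appended.
            tline = f"{tline} {description}" if description else tline
        elif "{voice}" in tline:
            if voice is None:
                continue  # no voice VLAN on this port: drop the line entirely
            tline = tline.format(voice=voice)
        elif "{vlan}" in tline:
            if vlan is None:
                raise ValueError(f"{interface}: access VLAN is required")
            tline = tline.format(vlan=vlan)
        lines.append(f" {tline}")
    return lines


def render_preview(selection):
    """selection: one dict per checked interface (keys match render_interface)."""
    out = ["configure terminal"]
    for sel in selection:
        out.extend(render_interface(**sel))
    out.append("end")
    return "\n".join(out)


# Constructed selection: fix Gi0/5 with the user template and shut down an unused port.
SELECTION = [
    {"interface": "GigabitEthernet0/5", "template": "DOT1X-USER",
     "vlan": 10, "voice": 110, "description": "Office desk"},
    {"interface": "GigabitEthernet0/11", "shutdown": True},
]

if __name__ == "__main__":
    print(render_preview(SELECTION))
```

Running the block prints the complete command list, which is the point of a preview step: what you read is what is sent, so a wrong VLAN or a template bound to the wrong port is caught before Deploy rather than after.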

In this way, you can use the Compliance module not only to fix configurations but also to rollout 802.1X configuration to your network.

Switch and Switchport Utilization

In the Device List, at the start of each row, there's an icon indicating the switch's utilization. The color of this icon is determined by the configured thresholds. Hovering over the icon reveals the utilization percentage.

When a user navigates to the switch details, they'll find an icon at the beginning of each row corresponding to a switchport. This icon indicates whether the port is currently in use or when it was last used. Additionally, there's information provided about the last connected device to the port.

Periodic Compliance Evaluation

In the previous example we fixed the 802.1X configuration on a single switch and evaluated its configuration manually. In a real deployment it is crucial to check the configuration on all network switches periodically, to make sure that your network stays safe and secured.

You can enable the periodic evaluation by navigating to Compliance Module -> Compliance Configuration (Page 4) and clicking the Run Compliance Evaluation button. This starts an evaluation immediately and also enables the periodic evaluation, which runs every Sunday at 1 a.m.

