How to de-integrate SafeConnect from a Layer 2 / Layer 3 network (RBE/PBR)
To de-integrate (remove) SafeConnect from a Layer 2 or Layer 3 network, follow the steps below for the brand of network device managing that network. If you do not see your network device listed below, encounter any issues, or have any questions, please submit a ticket at the Impulse Support Portal.
These steps should only be followed as instructed by Impulse Support, or if enforcement has already been disabled in the SafeConnect UI as described in How To Toggle Enforcement on Layer 2 or Layer 3 networks (RBE/PBR).
Execute the following on the master controller:
conf t
!
aaa profile "Customer's Open Profile"
no authentication-mac
!
end
!
write mem
To release any devices currently held in the quarantine role (so that no device remains stuck in a blocked state), delete the user entries that carry that role; those devices re-authenticate on their next connection:
aaa user delete role "SC_Quarantine_Role"
To re-integrate SafeConnect:
conf t
!
aaa profile "Customer's Open Profile"
authentication-mac
!
end
!
write mem
This method cannot be used if SafeConnect is the only RADIUS server, as there must be an alternate RADIUS server to point at in the steps below.
To remove RBE from the RADIUS path of your network, remove (or demote) the entry for the RBE server in the controller's RADIUS configuration.
Through the Web UI, navigate to Configuration->Authentication->AAA Profiles and select the 802.1X Authentication Server Group of the profile used by your SSID. You can either delete or demote the entry for SafeConnect's RBE device.
Alternatively, this can be done from the CLI (replace devradius.pd.impulse.com with the SafeConnect appliance and rbetest2.pd.impulse.com with an alternate RADIUS server):
conf t
!
aaa server-group "Imp_PD_Dev_srvgrp-cdp10"
no auth-server "devradius.pd.impulse.com"
auth-server "rbetest2.pd.impulse.com" position 1
!
end
!
write mem
To release any devices currently held in the quarantine role (so that no device remains stuck in a blocked state), delete the user entries that carry that role; those devices re-authenticate on their next connection:
aaa user delete role "SC_Quarantine_Role"
To re-integrate SafeConnect:
conf t
!
aaa server-group "Imp_PD_Dev_srvgrp-cdp10"
auth-server "devradius.pd.impulse.com" position 1
!
end
!
write mem
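The caveat above (SafeConnect must not be the only server in the group before its entry is removed) and the earlier check that the open profile no longer carries authentication-mac are both easy to verify mechanically before and after touching an ArubaOS controller. The following is an added example, not part of the original article and not Impulse's own tooling: a Python script that reads a running-config excerpt (a constructed sample below, using the profile, server-group and server names from this page; the mac-auth profile name "sc-macauth" and the indented section layout are assumptions), refuses to generate the removal commands when no alternate auth-server would remain in the group, and reports whether the open profile still has MAC authentication enabled.

```python
import re
from typing import List

# Constructed ArubaOS running-config excerpt (not captured from a real controller).
# Layout assumed: child lines indented under each "aaa ..." section, "!" closing it.
# The mac-auth profile name "sc-macauth" is an assumed value.
SAMPLE_CONFIG = """\
aaa profile "Customer's Open Profile"
   initial-role "guest"
   authentication-mac "sc-macauth"
   mac-server-group "Imp_PD_Dev_srvgrp-cdp10"
!
aaa server-group "Imp_PD_Dev_srvgrp-cdp10"
   auth-server "devradius.pd.impulse.com" position 1
   auth-server "rbetest2.pd.impulse.com" position 2
!
aaa server-group "sc-only-group"
   auth-server "devradius.pd.impulse.com" position 1
!
"""


def section_body(config: str, header: str) -> List[str]:
    """Indented lines under the section whose header line matches exactly."""
    body: List[str] = []
    inside = False
    for line in config.splitlines():
        if line.strip() == header:
            inside = True
            continue
        if inside:
            if not line.startswith(" ") or line.strip() == "!":
                break
            body.append(line.strip())
    return body


def group_servers(config: str, group: str) -> List[str]:
    """auth-server names in a server group, in configured order."""
    servers = []
    for line in section_body(config, f'aaa server-group "{group}"'):
        m = re.match(r'auth-server "([^"]+)"', line)
        if m:
            servers.append(m.group(1))
    return servers


def profile_mac_auth_enabled(config: str, profile: str) -> bool:
    """True while the aaa profile still carries an authentication-mac line."""
    return any(l.startswith("authentication-mac")
               for l in section_body(config, f'aaa profile "{profile}"'))


def plan_radius_removal(config: str, group: str, sc_server: str) -> List[str]:
    """CLI to drop the SafeConnect auth-server and promote the first alternate.

    Refuses (ValueError) when SafeConnect is the only server in the group, since
    removing it would leave the SSID with no RADIUS server at all.
    """
    servers = group_servers(config, group)
    if sc_server not in servers:
        raise ValueError(f"{sc_server!r} is not in server-group {group!r}")
    alternates = [s for s in servers if s != sc_server]
    if not alternates:
        raise ValueError(f"{sc_server!r} is the only auth-server in {group!r}; "
                         "add an alternate RADIUS server before de-integrating")
    return [
        "conf t",
        f'aaa server-group "{group}"',
        f'no auth-server "{sc_server}"',
        f'auth-server "{alternates[0]}" position 1',
        "end",
        "write mem",
    ]


if __name__ == "__main__":
    print("\n".join(plan_radius_removal(SAMPLE_CONFIG, "Imp_PD_Dev_srvgrp-cdp10",
                                        "devradius.pd.impulse.com")))
    try:
        plan_radius_removal(SAMPLE_CONFIG, "sc-only-group", "devradius.pd.impulse.com")
    except ValueError as exc:
        print("refused:", exc)
    print("mac-auth still on open profile:",
          profile_mac_auth_enabled(SAMPLE_CONFIG, "Customer's Open Profile"))
```

Feed it the output of `show running-config` from the controller instead of the sample; run it once before the change (the planner must not refuse) and once after (profile_mac_auth_enabled should be False and the SafeConnect server absent from the group) before re-enabling any client-facing change.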
- Turn MAC filtering off (Click on WLAN > Security > Layer 2 and uncheck MAC Filtering)
- Set Layer 3 Security to None (Click on WLAN > Security > Layer 3, and select None from the dropdown)
- Uncheck AAA Override (Click on WLAN > Advanced, and uncheck AAA Override)
To re-integrate SafeConnect:
- Turn MAC filtering on (Click on WLAN > Security > Layer 2 and check MAC Filtering)
- Set Layer 3 Security to Web Policy (Click on WLAN > Security > Layer 3, select Web Policy from the dropdown, and ensure that On MAC Filter Failure is selected and the sc_quarantine_acl ACL is selected)
- Check AAA Override (Click on WLAN > Advanced, and check AAA Override)
- Turn MAC filtering off (Click on WLAN > Security > Layer 2 and uncheck MAC Filtering)
- Uncheck AAA Override (Click on WLAN > Advanced, and uncheck AAA Override)
To re-integrate SafeConnect:
- Turn MAC filtering on (Click on WLAN > Security > Layer 2 and check MAC Filtering)
- Check AAA Override and set NAC State (Click on WLAN > Advanced, check AAA Override and select Radius NAC or ISE NAC)
This method cannot be used if SafeConnect is the only RADIUS server, as there must be an alternate RADIUS server to point at in the steps below.
- Set the RADIUS authentication server to an alternate RADIUS server (WLAN > Security > AAA Servers > set Server 1 to the alternate RADIUS server)
- Set Allow AAA Override to Disabled, and set NAC State to None (WLAN > Advanced > uncheck "Allow AAA Override" and set NAC State to "None")
To re-enable SafeConnect:
- Set the RADIUS authentication server to the SafeConnect RADIUS server (WLAN > Security > AAA Servers > set Server 1 to the SafeConnect RADIUS server)
- Check AAA Override and set NAC State (Click on WLAN > Advanced, check AAA Override and select Radius NAC or ISE NAC)
Navigate to Configuration > SSIDs > (Name of Open, WEP or WPAPSK SSID) and deselect Enable MAC Authentication. Click Save. Push updated policy.
To re-integrate SafeConnect:
Navigate to Configuration > SSIDs > (Name of Open, WEP or WPAPSK SSID) and select Enable MAC Authentication. Click Save. Push updated policy.
Navigate to Configuration > SSIDs > (Name of Secure SSID) and change SSID Access Security to Open. Click Save. Push updated policy.
To re-integrate SafeConnect:
Navigate to Configuration > SSIDs > (Name of Secure SSID) and change SSID Access Security to WPA/WPA2 802.1X (Enterprise). Click Save. Push updated policy.
Navigate to Configure > (Name of policy) > Wireless Settings > (Name of secure SSID) > MAC Authentication and turn off Mac Authentication. Click Save. Push updated policy.
To re-integrate SafeConnect:
Navigate to Configure > (Name of policy) > Wireless Settings > (Name of secure SSID) > MAC Authentication and turn on Mac Authentication. Click Save. Push updated policy.
Navigate to Configure > (Name of policy) > Wireless Settings > (Name of secure SSID) and change SSID Access Security to Open. Click Save. Push updated policy.
To re-integrate SafeConnect:
Navigate to Configure > (Name of policy) > Wireless Settings > (Name of secure SSID) and change SSID Access Security to Enterprise. Click Save. Push updated policy.
Recreate the impulse_block ACL with a single host entry. The PBR policy stays bound to the ACL, but only traffic to the listed host still matches it, so client traffic is no longer redirected to the enforcer:
conf t
!
no ip access-list impulse_block
!
ip access-list impulse_block
permit ip any host 198.31.193.211
!
end
conf t
!
no ip access-list extended impulse_block
!
ip access-list extended impulse_block
permit ip any host 198.31.193.211
!
end
Confirm the name of the policy network group, as it may be called "blockedhost" rather than "impulse_block" on some legacy devices. If so, replace "impulse_block" with "blockedhost" (or whatever the policy network group is named) before executing the script. XXX in the policy rule is a placeholder; use the precedence value of your existing block rule.
no policy rule block
!
no policy condition noncompliant
!
no policy network group impulse_block
!
policy network group impulse_block 169.254.0.1
!
policy condition noncompliant source network group impulse_block vrf default
!
policy rule block precedence XXX condition noncompliant action next-hop-enforcer
!
qos apply
!
write memory
!
copy working certified
config
!
policy pbr impulse
no class ipv4 impulse_block
exit
!
no class ipv4 impulse_block
!
class ipv4 impulse_block
match ip any 198.31.193.211/32
exit
!
policy pbr impulse
class ipv4 impulse_block
action ip next-hop x.x.x.x   (replace x.x.x.x with the Enforcer IP)
exit
!
exit
!
wr mem
config
!
traffic policy impulse
undo classifier impulse_block behavior impulse_block precedence 5
!
traffic classifier impulse_block type or
undo if-match acl impulse_block
!
undo acl name impulse_block advance
!
acl name impulse_block advance
rule 5 permit ip destination 198.31.193.211 0
!
traffic classifier impulse_block type or
if-match acl impulse_block
!
traffic policy impulse
classifier impulse_block behavior impulse_block precedence 5
!
commit
!
quit
conf t
!
no ip access-list extended impulse_block
!
ip access-list extended impulse_block
permit ip any host 198.31.193.211
!
ip rebind-acl impulse_block
!
end
!
wr mem
If you encounter the following error:
telnet@BG-MLX8-Core2(config)#no ip access-list extended impulse_block
Cannot delete l4 access-list impulse_block : Currently in use by PBR.
error - ACL In Use.
execute the following, then re-run the commands above:
acl-policy
force-delete-bound-acl
Replace X with the interface to which the SafeConnect route-map is applied, and repeat for each such interface:
conf t
!
interface X
no ip policy route-map impulse
!
end
To restore the SafeConnect route-map:
conf t
!
interface X
ip policy route-map impulse
!
end
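After the ACL rewrite and route-map steps above, three things are worth confirming from the running-config rather than by eye: the recreated ACL contains only the single host entry, the route-map is no longer applied on any interface, and (for the "Currently in use by PBR" failure shown above) whether the ACL is still referenced by a route-map before you try to delete it. The following is an added example, not part of the original article and not Impulse's own tooling: a Python audit over a constructed Cisco IOS-style running-config excerpt (the ACL name, route-map name and host address are taken from this page; the next-hop 10.0.0.254 and the interface names are assumed values).

```python
from typing import Dict, List, Tuple

# Constructed Cisco IOS-style running-config excerpt (not captured from a real router).
# The ACL has already been recreated with the single host entry from the article,
# but the route-map is still applied to Vlan10 and still references the ACL.
# Next-hop 10.0.0.254 and the interface names are assumed values.
SAMPLE_CONFIG = """\
ip access-list extended impulse_block
 permit ip any host 198.31.193.211
!
route-map impulse permit 10
 match ip address impulse_block
 set ip next-hop 10.0.0.254
!
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip policy route-map impulse
!
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
!
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split a running-config into (header line, indented child lines) pairs."""
    blocks: List[Tuple[str, List[str]]] = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace():
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def acl_entries(config: str, acl: str) -> List[str]:
    """Entries of a named extended ACL, empty if the ACL does not exist."""
    for header, body in parse_blocks(config):
        if header == f"ip access-list extended {acl}":
            return body
    return []


def interfaces_with_policy(config: str, route_map: str) -> List[str]:
    """Interfaces on which the PBR route-map is still applied."""
    hits = []
    for header, body in parse_blocks(config):
        if header.startswith("interface ") and f"ip policy route-map {route_map}" in body:
            hits.append(header.split(" ", 1)[1])
    return hits


def route_maps_matching_acl(config: str, acl: str) -> List[str]:
    """Route-maps whose match clause references the ACL (the ACL is 'in use by PBR')."""
    maps = []
    for header, body in parse_blocks(config):
        if header.startswith("route-map ") and f"match ip address {acl}" in body:
            maps.append(header.split()[1])
    return maps


def audit_deintegration(config: str, acl: str, route_map: str,
                        allowed_host: str) -> Dict[str, object]:
    """Summarise the post-change state in one place.

    acl_only_allowed_host: the recreated ACL holds exactly the single host entry
    interfaces_with_policy: interfaces still policy-routing with the route-map
    acl_in_use_by_pbr: a route-map still references the ACL, so platforms that
                       refuse to delete a bound ACL will fail until it is unbound
    """
    entries = acl_entries(config, acl)
    return {
        "acl_only_allowed_host": entries == [f"permit ip any host {allowed_host}"],
        "interfaces_with_policy": interfaces_with_policy(config, route_map),
        "acl_in_use_by_pbr": bool(route_maps_matching_acl(config, acl)),
    }


if __name__ == "__main__":
    for key, value in audit_deintegration(SAMPLE_CONFIG, "impulse_block",
                                          "impulse", "198.31.193.211").items():
        print(f"{key}: {value}")
```

Against the sample the audit reports the ACL as correctly rewritten but Vlan10 still carrying the route-map and the ACL still referenced by it; on the real device, run it over `show running-config` and treat a non-empty interfaces_with_policy list as "enforcement is still partly in place".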