How to de-integrate SafeConnect from a Layer 2 / Layer 3 network (RBE/PBR)

To de-integrate/remove SafeConnect from a Layer 2 or Layer 3 network, follow the steps defined below for the network device brand managing that respective network. If you do not see your network device listed below, encounter any issues, or have any questions, please submit a ticket at The Impulse Support Portal.

These steps should only be followed as instructed by Impulse Support, or if enforcement has already been disabled in the SafeConnect UI as defined at How To Toggle Enforcement on Layer 2 or Layer 3 networks (RBE/PBR).

RBE (Layer 2 / Radius Based Enforcement)

Aruba Controllers

Aruba Open or PSK SSIDs

Execute the following on the master controller:

conf t
!
aaa profile "Customer's Open Profile"
no authentication-mac
!
end
!
write mem

To have any devices in a quarantine state be marked as compliant (to ensure no devices are stuck in a block state), execute the following:

aaa user delete role "SC_Quarantine_Role"

To re-integrate SafeConnect:

conf t
!
aaa profile "Customer's Open Profile"
authentication-mac
!
end
!
write mem

Aruba WPA2E SSIDs

This method cannot be used if SafeConnect is the only RADIUS server, as there must be an alternate RADIUS server to point at in the steps below.

To remove RBE from the RADIUS path of your network, you must remove (or demote) the entry pertaining to the RBE server from the controller's RADIUS configuration.

Through the Web UI, navigate to Configuration->Authentication->AAA Profiles and select the 802.1X Authentication Server Group of the profile used by your SSID. You can either delete or demote the entry for Safe•Connect's RBE device:


Alternatively, this can be done from the CLI (replace devradius.pd.impulse.com with the SafeConnect appliance and replace rbetest2.pd.impulse.com with an alternate RADIUS server):

conf t
!
aaa server-group "Imp_PD_Dev_srvgrp-cdp10"
no auth-server "devradius.pd.impulse.com"
auth-server "rbetest2.pd.impulse.com" position 1
!
end
!
write mem

To have any devices in a quarantine state be marked as compliant (to ensure no devices are stuck in a block state), execute the following:

aaa user delete role "SC_Quarantine_Role"

To re-integrate SafeConnect:

conf t
!
aaa server-group "Imp_PD_Dev_srvgrp-cdp10"
auth-server "devradius.pd.impulse.com" position 1
!
end
!
write mem

Cisco Controllers

Cisco Open SSIDs (AireOS versions earlier than 8.3.102.0)

  1. Turn MAC filtering off (Click on WLAN > Security > Layer 2 and uncheck Mac Filtering)
  2. Set Layer 3 Security to None (Click on WLAN > Security > Layer 3, and select None from the dropdown)
  3. Uncheck AAA Override (Click on WLAN > Advanced, and uncheck AAA Override)

To re-integrate SafeConnect:

  1. Turn MAC filtering on (Click on WLAN > Security > Layer 2 and check Mac Filtering)
  2. Set Layer 3 Security to Web Policy (Click on WLAN > Security > Layer 3, select Web Policy from the dropdown, and ensure that On MAC Filter Failure is selected and the sc_quarantine_acl ACL is selected)
  3. Check AAA Override (Click on WLAN > Advanced, and check AAA Override)

Cisco Open SSIDs (AireOS version 8.3.102.0 and later)

  1. Turn MAC filtering off (Click on WLAN > Security > Layer 2 and uncheck Mac Filtering)
  2. Uncheck AAA Override (Click on WLAN > Advanced, and uncheck AAA Override)

To re-integrate SafeConnect:

  1. Turn MAC filtering on (Click on WLAN > Security > Layer 2 and check Mac Filtering)
  2. Check AAA Override and set NAC State (Click on WLAN > Advanced, check AAA Override and select Radius NAC or ISE NAC)

Cisco WPA2E SSIDs

This method cannot be used if SafeConnect is the only RADIUS server, as there must be an alternate RADIUS server to point at in the steps below.

  1. Set RADIUS authentication server to an alternative RADIUS server (WLAN > Security > AAA Servers > Set Server 1 to Alternate RADIUS Server)
  2. Set Allow AAA Override to Disabled, and set NAC State to None (WLAN > Advanced > Uncheck "Allow AAA Override" and set NAC State to "None")

To re-enable SafeConnect:

  1. Set RADIUS authentication server to SafeConnect RADIUS server (WLAN > Security > AAA Servers > Set Server 1 to SafeConnect RADIUS Server)
  2. Check AAA Override and set NAC State (Click on WLAN > Advanced, check AAA Override and select Radius NAC or ISE NAC)

Aerohive Controllers

Aerohive HM6 Open, WEP, WPAPSK WLANS

Navigate to Configuration > SSIDs > (Name of Open, WEP or WPAPSK SSID) and deselect Enable MAC Authentication. Click Save. Push updated policy.


To re-integrate SafeConnect:

Navigate to Configuration > SSIDs > (Name of Open, WEP or WPAPSK SSID) and select Enable MAC Authentication. Click Save. Push updated policy.

Aerohive HM6 WPA2E/802.1X WLANs

Navigate to Configuration > SSIDs > (Name of Secure SSID) and change SSID Access Security to Open. Click Save. Push updated policy.


To re-integrate SafeConnect:

Navigate to Configuration > SSIDs > (Name of Secure SSID) and change SSID Access Security to WPA/WPA2 802.1X (Enterprise). Click Save. Push updated policy.

Aerohive HMNG Open, WEP, or WPAPSK WLANs

Navigate to Configure > (Name of policy) > Wireless Settings > (Name of secure SSID) > MAC Authentication and turn off Mac Authentication. Click Save. Push updated policy.


To re-integrate SafeConnect:

Navigate to Configure > (Name of policy) > Wireless Settings > (Name of secure SSID) > MAC Authentication and turn on Mac Authentication. Click Save. Push updated policy.

Aerohive HMNG WPA2E/802.1X WLANs

Navigate to Configure > (Name of policy) > Wireless Settings > (Name of secure SSID) and change SSID Access Security to Open. Click Save. Push updated policy.


To re-integrate SafeConnect:

Navigate to Configure > (Name of policy) > Wireless Settings > (Name of secure SSID) and change SSID Access Security to Enterprise. Click Save. Push updated policy.

PBR (Layer 3 / Policy Based Routing)

Clearing the impulse_block ACL

NEXUS Router

conf t
!
no ip access-list impulse_block
!
ip access-list impulse_block
permit ip any host 198.31.193.211
!
end

Cisco/Brocade ICX Router (Non NEXUS Router)

conf t
!
no ip access-list extended impulse_block
!
ip access-list extended impulse_block
permit ip any host 198.31.193.211
!
end

Alcatel Router

Confirm the name of the policy network group, as the group may be called "blockedhost" rather than "impulse_block" on some legacy devices. If so, replace "impulse_block" with "blockedhost" or whatever the name of the policy network group may be, before executing the script.

no policy rule block
!
no policy condition noncompliant
!
no policy network group impulse_block
!
policy network group impulse_block 169.254.0.1
!
policy condition noncompliant source network group impulse_block vrf default
!
policy rule block precedence XXX condition noncompliant action next-hop-enforcer
!
qos apply
!
write memory
!
copy working certified

HP Router

Replace x.x.x.x in the "action ip next-hop" line with the Enforcer IP before executing.

config
!
policy pbr impulse
no class ipv4 impulse_block
exit
!
no class ipv4 impulse_block
!
class ipv4 impulse_block
match ip any 198.31.193.211/32
exit
!
policy pbr impulse
class ipv4 impulse_block
action ip next-hop x.x.x.x
exit
!
exit
!
wr mem

Huawei Router

config
!
traffic policy impulse
undo classifier impulse_block behavior impulse_block precedence 5
!
traffic classifier impulse_block type or
undo if-match acl impulse_block
!
undo acl name impulse_block advance
!
acl name impulse_block advance
rule 5 permit ip destination 198.31.193.211 0
!
traffic classifier impulse_block type or
if-match acl impulse_block
!
traffic policy impulse
classifier impulse_block behavior impulse_block precedence 5
!
commit
!
quit

MLX Router

conf t
!
no ip access-list extended impulse_block
!
ip access-list extended impulse_block
permit ip any host 198.31.193.211
!
ip rebind-acl impulse_block
!
end
!
wr mem

If you encounter the following error:

telnet@BG-MLX8-Core2(config)#no ip access-list extended impulse_block
Cannot delete l4 access-list impulse_block : Currently in use by PBR.
error - ACL In Use.

Execute:

acl-policy
force-delete-bound-acl

Removing the SafeConnect route-map

Where "X" = the Layer 3 interface that has the route-map applied. X can be determined by issuing "show ip policy" and reviewing the results to determine which interfaces have the route-map applied.

conf t
!
interface X
no ip policy route-map impulse
!
end

To restore the SafeConnect route-map:

conf t
!
interface X
ip policy route-map impulse
!
end
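As an added example covering both the "Clearing the impulse_block ACL" section and the route-map removal above (this is not part of the original article and not Impulse's own tooling), the Python helper below parses Cisco IOS-style "show ip policy" output to find every interface carrying the route-map, expands the "interface X" block once per interface instead of leaving X as a placeholder, and checks whether an impulse_block ACL listing is in the cleared state, i.e. only the permit to the enforcer host remains. The sample "show" outputs and the 10.20.30.x host addresses are constructed; real output formatting differs between platforms (MLX, NEXUS, ICX), so the IOS-style parsing is an assumption to adapt to your device.

```python
from typing import List, Optional, Tuple

# Constructed sample output of "show ip policy" in Cisco IOS style
# (assumption: real output varies by platform, e.g. on a Brocade MLX).
SHOW_IP_POLICY = """\
Interface      Route map
Vlan10         impulse
Vlan20         impulse
GigabitEthernet0/1  guest_pbr
"""

# Constructed sample listings of the impulse_block ACL before and after the
# clearing procedure (IOS-style sequence numbers; the 10.20.30.x hosts are
# made up to illustrate entries that are still steering traffic to the enforcer).
ACL_BEFORE = """\
Extended IP access list impulse_block
    10 permit ip host 10.20.30.40 any
    20 permit ip host 10.20.30.41 any
    30 permit ip any host 198.31.193.211
"""
ACL_AFTER = """\
Extended IP access list impulse_block
    10 permit ip any host 198.31.193.211
"""

SAFECONNECT_IP = "198.31.193.211"  # enforcer address used in the page's ACLs


def interfaces_with_route_map(show_output: str, route_map: str) -> List[str]:
    """Return the interfaces on which route_map is applied, per 'show ip policy'."""
    found = []
    for line in show_output.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0].lower() == "interface":
            continue  # header, blank or unrecognised line
        interface, applied = parts
        if applied == route_map:
            found.append(interface)
    return found


def route_map_commands(interfaces: List[str], route_map: str, restore: bool = False) -> List[str]:
    """Expand the page's 'interface X' block once per affected interface."""
    verb = "" if restore else "no "
    lines = ["conf t"]
    for iface in interfaces:
        lines += [f"interface {iface}", f"{verb}ip policy route-map {route_map}"]
    lines.append("end")
    return lines


def _parse_ace(line: str) -> Optional[Tuple[str, str, str]]:
    """Parse one IOS-style ACE into (action, src, dst); None if the line is not an ACE."""
    tokens = line.split()
    if tokens and tokens[0].isdigit():
        tokens = tokens[1:]  # strip the sequence number
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        return None
    specs, i = [], 2
    for _ in range(2):  # source spec, then destination spec
        if i >= len(tokens):
            return None
        if tokens[i] == "any":
            specs.append("any")
            i += 1
        elif tokens[i] == "host" and i + 1 < len(tokens):
            specs.append(tokens[i + 1] + "/32")
            i += 2
        elif i + 1 < len(tokens):
            specs.append(tokens[i] + " " + tokens[i + 1])  # address + wildcard mask
            i += 2
        else:
            return None
    return tokens[0], specs[0], specs[1]


def leftover_entries(acl_output: str, enforcer_ip: str) -> List[str]:
    """Return ACEs other than 'permit ip any host <enforcer_ip>'.

    After clearing, the ACL should hold only that entry; anything else listed
    here is still subject to policy-based routing towards the enforcer.
    """
    expected = ("permit", "any", enforcer_ip + "/32")
    return [line.strip() for line in acl_output.splitlines()
            if _parse_ace(line) not in (None, expected)]


def acl_is_cleared(acl_output: str, enforcer_ip: str) -> bool:
    """True when the ACL contains at least one ACE and all of them are the expected permit."""
    aces = [a for a in map(_parse_ace, acl_output.splitlines()) if a]
    return bool(aces) and not leftover_entries(acl_output, enforcer_ip)


if __name__ == "__main__":
    ifaces = interfaces_with_route_map(SHOW_IP_POLICY, "impulse")
    print("\n".join(route_map_commands(ifaces, "impulse")))
    print("before cleared:", acl_is_cleared(ACL_BEFORE, SAFECONNECT_IP),
          "leftovers:", leftover_entries(ACL_BEFORE, SAFECONNECT_IP))
    print("after cleared:", acl_is_cleared(ACL_AFTER, SAFECONNECT_IP))
```

Run it against pasted output from your own device after the clearing step: a non-empty leftover list means the ACL still contains entries beyond the single permit to the enforcer, so the de-integration is incomplete on that router.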