
implementing-network-access-control


Implements 802.1X port-based network access control using RADIUS authentication, PacketFence NAC, and switch configurations to enforce identity-based access policies, posture assessment, and automatic VLAN assignment for authorized devices.

Tags: General, network-security, nac, 802.1x, radius, packetfence, scripts


# Implementing Network Access Control

## When to Use

- Enforcing identity-based network access where only authenticated and compliant devices connect to the network
- Implementing zero-trust networking at the access layer with dynamic VLAN assignment based on user role
- Quarantining non-compliant devices that fail endpoint posture checks (missing patches, disabled AV)
- Meeting compliance requirements (PCI-DSS, HIPAA, SOC 2) for network access controls
- Onboarding BYOD devices with automated provisioning and limited network access

**Do not use** as a standalone security solution without complementary controls; on ports carrying devices that cannot run an 802.1X supplicant unless a fallback such as MAB (Step 3) is in place, remembering that MAB only proves a MAC address; or on critical infrastructure without a tested fail-safe for RADIUS outages, since a badly chosen critical VLAN either locks everyone out or lets everyone in.

## Prerequisites

- RADIUS server (FreeRADIUS, Microsoft NPS, or Cisco ISE) configured with user/device authentication
- Managed switches supporting 802.1X port-based authentication
- Certificate Authority that issues the RADIUS server certificate (required for PEAP as well as EAP-TLS) and, for EAP-TLS, the client certificates (EAP-TLS is optional but recommended)
- PacketFence or similar NAC platform for posture assessment and remediation
- Active Directory or LDAP directory for centralized user authentication
- DHCP server integration for dynamic IP assignment per VLAN

## Workflow

### Step 1: Install and Configure FreeRADIUS

```bash
# Install FreeRADIUS (Debian/Ubuntu packages; configuration lives under /etc/freeradius/3.0)
sudo apt install -y freeradius freeradius-utils freeradius-ldap

# Configure RADIUS clients (the switches that send Access-Requests).
# This overwrites the packaged clients.conf, so the localhost client that
# radtest uses later is declared again. The shared secret is the only thing
# that authenticates a NAS: generate a long random secret per switch rather
# than reusing one value everywhere, and require Message-Authenticator on every
# request so non-EAP traffic (MAB, PAP) is not protected by MD5 alone.
sudo tee /etc/freeradius/3.0/clients.conf << 'EOF'
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    shortname = localhost
}

client switch-core-01 {
    ipaddr = 10.10.100.1
    secret = R4d1u5_S3cr3t_K3y!
    shortname = core-switch
    nastype = cisco
    require_message_authenticator = yes
}

client switch-access-01 {
    ipaddr = 10.10.100.10
    secret = R4d1u5_S3cr3t_K3y!
    shortname = access-switch-01
    nastype = cisco
    require_message_authenticator = yes
}

client switch-access-02 {
    ipaddr = 10.10.100.11
    secret = R4d1u5_S3cr3t_K3y!
    shortname = access-switch-02
    nastype = cisco
    require_message_authenticator = yes
}
EOF

# Configure the LDAP module for Active Directory. Use LDAPS (or start_tls) and
# verify the DC certificate: over plain ldap:// the bind password and every
# attribute looked up cross the network in clear text. This overwrites the
# packaged module file, which documents many more options (pools, caching).
sudo tee /etc/freeradius/3.0/mods-available/ldap << 'EOF'
ldap {
    server = 'ldaps://dc01.corp.example.com'
    # Read-only service account; keep the password out of version control
    identity = 'CN=radius-svc,OU=Service Accounts,DC=corp,DC=example,DC=com'
    password = 'ServiceAccountPassword123!'
    base_dn = 'DC=corp,DC=example,DC=com'

    tls {
        # CA that issued the domain controller's certificate (path is an example)
        ca_file = /etc/freeradius/3.0/certs/ad-ca.pem
        require_cert = 'demand'
    }

    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn = "${..base_dn}"
        filter = "(objectClass=group)"
        membership_attribute = 'memberOf'
    }
}
EOF

sudo ln -s /etc/freeradius/3.0/mods-available/ldap /etc/freeradius/3.0/mods-enabled/ldap

# Caveat: an LDAP bind can verify only clear-text (PAP) passwords. PEAP with an
# inner MSCHAPv2 method needs the user's NT hash, which AD does not expose over
# LDAP. For MSCHAPv2 against AD, join the RADIUS host to the domain (Samba
# winbind) and point the mschap module at ntlm_auth; or use EAP-TLS with
# certificates and keep LDAP for the group lookup only.
```

### Step 2: Configure VLAN Assignment Policies

```bash
# Configure authorization policies for dynamic VLAN assignment.
# Comparing &LDAP-Group runs a group lookup through the ldap module; the value
# is the group's full DN, matched against the user's memberOf attribute.
sudo tee /etc/freeradius/3.0/policy.d/vlan-assignment << 'EOF'
# VLAN assignment based on group membership (first match wins). The "=" operator
# only adds an attribute that is not already in the reply, so a VLAN decided in
# the inner tunnel survives a second pass through this policy in the outer server.
vlan_assignment {
    if (&LDAP-Group == "CN=IT-Staff,OU=Groups,DC=corp,DC=example,DC=com") {
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-ID = "10"
        }
    }
    elsif (&LDAP-Group == "CN=Developers,OU=Groups,DC=corp,DC=example,DC=com") {
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-ID = "15"
        }
    }
    elsif (&LDAP-Group == "CN=Finance,OU=Groups,DC=corp,DC=example,DC=com") {
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-ID = "20"
        }
    }
    else {
        # Default: an authenticated user in no mapped group lands in the Guest
        # VLAN. Replace this block with "reject" to fail closed instead.
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-ID = "40"
        }
    }
}
EOF

# Where to call vlan_assignment: with PEAP the real identity is only visible
# inside the TLS tunnel, so call it from the post-auth section of
# /etc/freeradius/3.0/sites-enabled/inner-tunnel (after the ldap lookup there)
# and copy the inner reply to the switch with "use_tunneled_reply = yes" below.
# For EAP-TLS clients and for the PAP test at the end of this step, also call it
# from the post-auth section of sites-enabled/default.

# Configure EAP for 802.1X authentication
sudo tee /etc/freeradius/3.0/mods-available/eap << 'EAPEOF'
eap {
    default_eap_type = peap
    timer_expire = 60
    max_sessions = 4096

    tls-config tls-common {
        private_key_file = /etc/freeradius/3.0/certs/server.key
        certificate_file = /etc/freeradius/3.0/certs/server.pem
        ca_file = /etc/freeradius/3.0/certs/ca.pem
        dh_file = /etc/freeradius/3.0/certs/dh
        cipher_list = "HIGH:!aNULL:!MD5"
        tls_min_version = "1.2"
        # EAP-TLS: the certificate CN must match the identity the client claimed
        check_cert_cn = %{User-Name}
    }

    # PEAP: the server certificate authenticates the server, MSCHAPv2 inside the
    # tunnel authenticates the user. Supplicants must validate that certificate
    # (CA and name), or a rogue switch or AP can harvest the MSCHAPv2 exchange
    # and crack it offline.
    peap {
        tls = tls-common
        default_eap_type = mschapv2
        virtual_server = inner-tunnel
        use_tunneled_reply = yes
    }

    # Inner method used by PEAP; the sub-module must be defined here
    mschapv2 {
    }

    tls {
        tls = tls-common
    }
}
EAPEOF

# Stop the service first so the debug instance can bind UDP 1812/1813
sudo systemctl stop freeradius
sudo freeradius -X

# Test a plain PAP request through the localhost client. This exercises the
# LDAP lookup and the VLAN policy but not EAP; for a real PEAP round trip use
# eapol_test from the wpa_supplicant project.
radtest testuser TestPassword123 localhost 0 testing123
```
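What the policy above produces on the wire, as an added example that is not part of the original page and not FreeRADIUS code: a NAS builds a PAP Access-Request carrying a Message-Authenticator, a minimal server verifies the HMAC, checks the credentials against a constructed stand-in for the directory and answers with the tagged Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes, and the NAS validates the Response Authenticator before trusting the VLAN. PAP is what radtest and MAB send; a real 802.1X session carries EAP inside the same packet format. The DIRECTORY entries, the user names and the 0x2A packet identifier are constructed assumptions; the group-to-VLAN mapping and the shared secret are the page's own.

```python
import hashlib, hmac, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6
# Constructed stand-in for the AD lookup: user -> (password, group DNs).
DIRECTORY = {
    "alice": ("alice-pw", ["CN=IT-Staff,OU=Groups,DC=corp,DC=example,DC=com"]),
    "bob": ("bob-pw", ["CN=Finance,OU=Groups,DC=corp,DC=example,DC=com"]),
    "carol": ("carol-pw", []),
}
# Same group -> VLAN mapping as the vlan_assignment policy; 40 is the guest fallback.
GROUP_VLANS = {"CN=IT-Staff,OU=Groups,DC=corp,DC=example,DC=com": 10,
               "CN=Developers,OU=Groups,DC=corp,DC=example,DC=com": 15,
               "CN=Finance,OU=Groups,DC=corp,DC=example,DC=com": 20}
GUEST_VLAN = 40

def pap_password(data, secret, authenticator, decrypt=False):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous ciphertext block)."""
    data = data if decrypt else data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block if decrypt else out[-16:]
    return out.rstrip(b"\x00") if decrypt else out

def encode_avps(avps):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)

def decode_avps(body):
    avps, i = [], 0
    while i < len(body):
        l = body[i + 1] if i + 1 < len(body) else 0
        if l < 2 or i + l > len(body):
            raise ValueError("malformed attribute")
        avps.append((body[i], body[i + 2:i + l]))
        i += l
    return avps

def build_access_request(ident, secret, username, password, nas_ip):
    """NAS side. Message-Authenticator (RFC 2869) = HMAC-MD5 over the packet with its own value zeroed."""
    req_auth = os.urandom(16)
    body = encode_avps([(USER_NAME, username.encode()),
                        (USER_PASSWORD, pap_password(password.encode(), secret, req_auth)),
                        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
                        (MESSAGE_AUTHENTICATOR, b"\x00" * 16)])  # last attribute: tail is patched in
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest(), req_auth

def message_authenticator_ok(pkt, secret):
    """Server side: recompute the HMAC with the attribute zeroed; absent means fail."""
    off = 20
    for t, v in decode_avps(pkt[20:]):
        if t == MESSAGE_AUTHENTICATOR and len(v) == 16:
            zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), v)
        off += 2 + len(v)
    return False

def _untag(raw):
    return raw[1:] if raw and raw[0] <= 0x1F else raw  # RFC 2868: tag byte is 0x00..0x1f

def build_response(code, ident, secret, req_auth, avps):
    body = encode_avps(avps)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def handle_request(pkt, secret):
    """Server side: verify HMAC and PAP credentials, answer with tagged Tunnel-* attributes."""
    code, ident, req_auth = pkt[0], pkt[1], pkt[4:20]
    attrs = dict(decode_avps(pkt[20:]))
    reject = build_response(ACCESS_REJECT, ident, secret, req_auth, [])
    if code != ACCESS_REQUEST or not message_authenticator_ok(pkt, secret):
        return reject
    entry = DIRECTORY.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    pw = pap_password(attrs.get(USER_PASSWORD, b""), secret, req_auth, decrypt=True)
    if entry is None or not hmac.compare_digest(pw, entry[0].encode()):
        return reject
    vlan = next((GROUP_VLANS[g] for g in entry[1] if g in GROUP_VLANS), GUEST_VLAN)
    return build_response(ACCESS_ACCEPT, ident, secret, req_auth, [
        (TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, b"\x01" + MEDIUM_IEEE_802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + str(vlan).encode())])

def parse_response(pkt, secret, req_auth, ident):
    """NAS side: trust a reply only if it verifies under the secret and answers our request."""
    code, pid, length = struct.unpack("!BBH", pkt[:4])
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    if pid != ident or length != len(pkt) or not hmac.compare_digest(expected, pkt[4:20]):
        return None
    attrs = dict(decode_avps(pkt[20:]))
    if (code != ACCESS_ACCEPT or TUNNEL_PRIVATE_GROUP_ID not in attrs
            or int.from_bytes(_untag(attrs.get(TUNNEL_TYPE, b"")), "big") != TUNNEL_TYPE_VLAN
            or int.from_bytes(_untag(attrs.get(TUNNEL_MEDIUM_TYPE, b"")), "big") != MEDIUM_IEEE_802):
        return code, None  # no usable Tunnel-* set: the switch keeps the port's static VLAN
    return code, int(_untag(attrs[TUNNEL_PRIVATE_GROUP_ID]))

def authenticate(username, password, secret=b"R4d1u5_S3cr3t_K3y!", nas_ip="10.10.100.10"):
    """Whole exchange in-process: NAS request, server answer, NAS verification."""
    req, req_auth = build_access_request(0x2A, secret, username, password, nas_ip)
    return parse_response(handle_request(req, secret), secret, req_auth, 0x2A)
```

`authenticate("alice", "alice-pw")` returns `(2, 10)`, `("carol", "carol-pw")` falls through to `(2, 40)`, and a bad password or unknown user yields `(3, None)`. Two details matter when a switch ignores the VLAN you sent: the Tunnel-* values carry a leading tag byte that `_untag` strips, and Tunnel-Type = VLAN (13) and Tunnel-Medium-Type = IEEE-802 (6) must both be present. The shared secret is the only thing that authenticates either side, which is why it should be unique per NAS and why Message-Authenticator should be required for non-EAP requests.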

### Step 3: Configure 802.1X on Cisco Switches

```
! Enable AAA on the switch
enable
configure terminal

aaa new-model
aaa authentication dot1x default group radius
! Without network authorization the switch ignores the VLAN RADIUS returns
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius

! Configure RADIUS server (the key is this switch's entry in clients.conf)
radius server FREERADIUS
  address ipv4 10.10.100.200 auth-port 1812 acct-port 1813
  key R4d1u5_S3cr3t_K3y!
  exit

! Dead-server detection: the "server dead" / "server alive" events below depend
! on it. Mark the server dead after 3 unanswered tries inside 5 seconds and
! retry it after 10 minutes.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10

! Enable 802.1X globally (per-port settings are inert without this)
dot1x system-auth-control

! Access ports: 802.1X first, MAB as fallback. VLAN 999 is a dead-end VLAN with
! no gateway, used as the pre-authentication VLAN and as the quarantine VLAN.
interface range GigabitEthernet1/0/1-24
  switchport mode access
  switchport access vlan 999
  authentication port-control auto
  authentication order dot1x mab
  authentication priority dot1x mab
  dot1x pae authenticator
  dot1x timeout tx-period 10
  mab
  ! Bad credentials: quarantine. No supplicant and no MAB match: guest VLAN.
  authentication event fail action authorize vlan 999
  authentication event no-response action authorize vlan 40
  ! multi-auth authenticates every MAC on the port separately. Check the
  ! release notes for your platform: on many IOS releases guest and auth-fail
  ! VLANs are supported only in single-host or multi-domain (phone + PC) mode.
  authentication host-mode multi-auth
  ! Re-authenticate on the Session-Timeout RADIUS returns instead of trusting
  ! a one-time result for the life of the link
  authentication periodic
  authentication timer reauthenticate server
  spanning-tree portfast
  exit

! MAB-only ports for devices that cannot run a supplicant (printers, IP phones).
! MAB trusts a MAC address, which anything plugged into the port can spoof: keep
! these devices in a restricted VLAN and pair MAB with port security/profiling.
interface range GigabitEthernet1/0/25-36
  switchport mode access
  switchport access vlan 999
  authentication port-control auto
  authentication order mab
  mab
  authentication event fail action authorize vlan 999
  authentication host-mode single-host
  spanning-tree portfast
  exit

! Critical VLAN used while no RADIUS server answers. Never fall open into a
! privileged VLAN: VLAN 10 is the IT-Staff VLAN from the RADIUS policy. VLAN 50
! is assumed here as a dedicated critical VLAN that carries only what users need
! to keep working. "reinitialize" re-authenticates those sessions once a server
! is back.
interface range GigabitEthernet1/0/1-36
  authentication event server dead action authorize vlan 50
  authentication event server alive action reinitialize
  exit
```
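A check that reads a switch configuration like the one above and reports the fail-open settings a reviewer looks for; this is an added example, not part of the original page and not a Cisco tool. It parses both the CLI style used here (indented sub-commands closed by `exit`) and `show running-config` output, keys on the interface line verbatim (overlapping `interface range` statements are not merged), and treats the VLANs the RADIUS policy hands to authenticated users (10, 15, 20, an assumption taken from Step 2) as privileged. `SAMPLE_CONFIG` is a constructed configuration in the page's style with deliberate weaknesses, including a critical VLAN that falls open into the staff VLAN and a printer port whose authentication was removed.

```python
import re

# Assumption taken from the page's RADIUS policy: VLANs that only authenticated,
# authorized users should reach. Any fallback into one of these is fail-open.
PRIVILEGED_VLANS = {10, 15, 20}

# Constructed sample in the page's style, with deliberate weaknesses to catch.
SAMPLE_CONFIG = """
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
interface range GigabitEthernet1/0/1-24
 switchport mode access
 switchport access vlan 999
 authentication port-control auto
 authentication order dot1x mab
 mab
 authentication event fail action authorize vlan 999
 authentication event no-response action authorize vlan 40
 authentication event server dead action authorize vlan 10
!
interface range GigabitEthernet1/0/25-36
 switchport mode access
 switchport access vlan 999
 authentication port-control auto
 authentication order mab
 mab
!
interface GigabitEthernet1/0/47
 description printer port
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/48
 switchport mode trunk
"""

def parse_ios(config):
    """Split IOS-style text into global commands and per-interface command lists.
    Indented lines belong to the open interface (running-config style); an
    indented 'exit' or any top-level line closes it (the page's CLI style)."""
    global_cmds, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line[len("interface "):].strip()
            interfaces.setdefault(current, [])
        elif raw[:1].isspace() and current is not None:
            if line == "exit":
                current = None
            else:
                interfaces[current].append(line)
        else:
            current = None
            if line != "exit":
                global_cmds.append(line)
    return global_cmds, interfaces

def _vlan(cmds, prefix):
    """VLAN number of the first command '<prefix> <n>', else None."""
    for c in cmds:
        m = re.fullmatch(re.escape(prefix) + r"\s+(\d+)", c)
        if m:
            return int(m.group(1))
    return None

def audit(config):
    """Return (scope, code, detail) findings for settings that fail open."""
    findings = []
    global_cmds, interfaces = parse_ios(config)
    if "dot1x system-auth-control" not in global_cmds:
        findings.append(("global", "dot1x-disabled", "per-port 802.1X settings are inert"))
    if not any(c.startswith("aaa authorization network") for c in global_cmds):
        findings.append(("global", "no-network-authorization", "RADIUS VLAN attributes are ignored"))
    for name, cmds in interfaces.items():
        if "switchport mode access" not in cmds:
            continue  # trunks and routed ports are outside port-based NAC
        if "authentication port-control auto" not in cmds:
            findings.append((name, "no-port-control", "port forwards without authentication"))
        pre = _vlan(cmds, "switchport access vlan")
        if pre in PRIVILEGED_VLANS:
            findings.append((name, "privileged-pre-auth-vlan", f"unauthenticated hosts sit in VLAN {pre}"))
        for event in ("server dead", "fail", "no-response"):
            v = _vlan(cmds, f"authentication event {event} action authorize vlan")
            if v in PRIVILEGED_VLANS:
                findings.append((name, "privileged-fallback", f"{event} -> VLAN {v}"))
        orders = [c for c in cmds if c.startswith("authentication order")]
        if orders and not any("dot1x" in c for c in orders):
            findings.append((name, "mab-only", "access rests on a spoofable MAC address"))
    return findings

if __name__ == "__main__":
    for scope, code, detail in audit(SAMPLE_CONFIG):
        print(f"{scope}: {code} ({detail})")
```

Run against the sample it reports the staff VLAN used as a critical VLAN on ports 1-24, the MAB-only range, and the printer port that both lacks `authentication port-control auto` and sits in VLAN 10 before any authentication; the trunk port is skipped. Feeding it `show running-config` from each switch after a change window is a cheap way to catch the "temporary" exceptions that turn a NAC deployment into a suggestion.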

### Step 4: Deploy PacketFence NAC for Posture Assessment

```bash
# Install PacketFence (Debian 12 "bookworm" repository; the vendor guide gives
# the versioned repository path for the release you deploy)
curl -fsSL https://inverse.ca/downloads/GPG_PUBLIC_KEY | sudo gpg --dearmor -o /etc/apt/keyrings/inverse.gpg
echo "deb [signed-by=/etc/apt/keyrings/inverse.gpg] https://inverse.ca/downloads/PacketFence/debian bookworm bookworm" | \
  sudo tee /etc/apt/sources.list.d/packetfence.list
sudo apt update && sudo apt install -y packetfence

# First-run setup is the web configurator at https://<packetfence-ip>:1443.
# After any later edit of the files under /usr/local/pf/conf, reload with:
sudo /usr/local/pf/bin/pfcmd configreload

# Configure PacketFence connection profiles
# Admin UI: Configuration > Policies and Access Control > Connection Profiles

# Posture: compliance checks run through a scan engine or an agent/MDM provisioner
# Admin UI: Configuration > Compliance > Scan Engines
# Add a Windows Update compliance check and send non-compliant nodes to the
# isolation VLAN: 999 (quarantine)

# RADIUS integration
# PacketFence ships its own FreeRADIUS instance: the switches point at
# PacketFence as their RADIUS server (replace 10.10.100.200 in the switch
# configuration with the PacketFence address), PacketFence authenticates users
# against the directory (Configuration > Policies and Access Control >
# Authentication Sources) and picks the VLAN from the node's registration,
# isolation and role state. The standalone server from Step 1 is therefore
# either retired or added as an authentication source.

# Add the switch; radiusSecret must match the key in the switch's "radius server" block
sudo tee -a /usr/local/pf/conf/switches.conf << 'EOF'
[10.10.100.10]
description=Access Switch 01
type=Cisco::Catalyst_2960
mode=production
radiusSecret=R4d1u5_S3cr3t_K3y!
# SNMP write access can reconfigure the switch: replace the well-known
# "public"/"private" communities with strong, unique ones, or use SNMPv3
SNMPVersion=2c
SNMPCommunityRead=public
SNMPCommunityWrite=private
VlanMap=Y
registrationVlan=40
isolationVlan=999
normalVlan=10
EOF
```

### Step 5: Configure Supplicant on Endpoints

```bash
# Windows
```
