Configuring Host Integrity Check - Alcatel-Lucent OmniSwitch 6850-48 Network Configuration Manual

Software release 6
Configuring Access Guardian

Configuring Host Integrity Check

The Access Guardian Host Integrity Check (HIC) feature provides an integrated solution for device integrity verification. This solution involves switch-based functionality that interacts with the InfoExpress HIC server (CyberGatekeeper) and host devices using InfoExpress compliance agents.

This section describes how to configure the switch-based functionality. See the InfoExpress user documentation for more information regarding the configuration of compliance agents and the CyberGatekeeper server.
The Host Integrity Check (HIC) process is triggered when a HIC-enabled User Network Profile (UNP) is applied to a client device. See "User Network Profiles (Role-Based Access)" on page 34-16 for more information. When a profile is created, HIC is disabled by default. To enable HIC for the profile, use the aaa user-network-profile command. For example:

-> aaa user-network-profile name Engineering vlan 500 hic enable

In addition to enabling HIC for a UNP, the following configuration tasks are involved in setting up the HIC feature to run on the switch:

1 Configure the identity of the HIC server. Use the aaa hic server-name command to configure the name and IP address of the InfoExpress CyberGatekeeper server, a shared secret, and the UDP port number used for HIC requests.

-> aaa hic server-name hic-srv1 ip-address 2.2.2.2 secret wwwtoe

Note that configuring the server is required before HIC can be enabled for the switch.

2 Configure the Web agent download server URL. A host can use the InfoExpress desktop compliance agent or a Web-based agent. If the desktop agent is not installed on the host, the switch redirects the host to a Web agent download server. The URL of the download server is configured for the switch using the aaa hic web-agent-url command.

-> aaa hic web-agent-url http://10.10.10.10:2146

When the HIC process is initiated for a host device, the host has limited access to the network for communicating with the HIC server and any servers included in the exception list. Make sure the Web agent download server is added to the server exception list, as described below.

3 Configure a server exception list. There are specific servers that a host device may need access to during the HIC process. For example, if the host is going to use the Web-based compliance agent, access to the Web agent download server is required. Use the aaa hic allowed-name command to add the name and IP address of up to four servers to the HIC server exception list.

-> aaa hic allowed-name websrv1 ip-address 123.10.5.1 ip-mask 255.255.255.0

4 Configure a custom proxy port number. By default, the switch uses 8080 for the host proxy port number. If a different number is used by the host device, use the aaa hic custom-proxy-port command to configure the switch to use the host value.

-> aaa hic custom-proxy-port 8878

5 Enable the HIC feature for the switch. By default, the HIC feature is disabled for the switch. This means that all HIC functionality is disabled. For example, if the HIC attribute of a UNP is enabled, the HIC process is not invoked when the profile is applied if the HIC feature is not enabled for the switch. Use the aaa hic command to enable or disable the HIC feature for the switch.

-> aaa hic enable

OmniSwitch AOS Release 6 Network Configuration Guide    September 2009    page 34-39
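The five steps above carry ordering and dependency rules that are easy to get wrong in a pasted configuration: the HIC server must be configured before HIC is enabled on the switch, the Web agent download server must appear in the exception list, the exception list holds at most four entries, and a UNP with HIC enabled does nothing unless HIC is enabled for the switch. The following checker is an added example, not code from the Alcatel-Lucent guide or from AOS; it parses the command forms shown in this section (and only those) from a constructed configuration dump and reports which of these rules are violated. The finding codes and the sample configuration lines are constructed for illustration.

```python
"""Offline sanity checker for an OmniSwitch AOS 6 HIC configuration block.

Added example (not from the Alcatel-Lucent guide). It recognises the
'aaa hic ...' and 'aaa user-network-profile ... hic enable' forms shown in
this section and reports:
  * 'aaa hic enable' issued before any 'aaa hic server-name'
  * a Web agent download server not covered by the exception list
  * more than four 'aaa hic allowed-name' entries
  * a UNP with 'hic enable' while switch-level HIC is never enabled
Other commands are ignored. Finding codes are constructed names.
"""
import ipaddress
import shlex
from urllib.parse import urlparse

MAX_ALLOWED_NAMES = 4  # limit stated in step 3 of the guide


def _kv(tokens):
    """Turn 'ip-address 1.2.3.4 ip-mask 255.255.255.0' into a dict."""
    return {tokens[i]: tokens[i + 1] for i in range(0, len(tokens) - 1, 2)}


def check_hic_config(lines):
    """Return a list of (code, message) findings for the given CLI lines."""
    findings = []
    server_seen = False
    hic_enabled = False
    allowed = []            # (name, IPv4Network) from 'aaa hic allowed-name'
    web_agent_host = None   # hostname or address from 'aaa hic web-agent-url'
    unp_with_hic = []       # UNP names that carry 'hic enable'

    for raw in lines:
        line = raw.strip().lstrip("->").strip()   # drop the '->' prompt
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[:2] == ["aaa", "hic"]:
            if tok[2:3] == ["server-name"]:
                server_seen = True
            elif tok[2:] == ["enable"]:
                if not server_seen:
                    findings.append(("HIC_ENABLE_BEFORE_SERVER",
                                     "'aaa hic enable' precedes 'aaa hic server-name'"))
                hic_enabled = True
            elif tok[2:3] == ["web-agent-url"]:
                web_agent_host = urlparse(tok[3]).hostname
            elif tok[2:3] == ["allowed-name"]:
                kv = _kv(tok[4:])
                # ip_network accepts dotted netmasks; strict=False tolerates host bits
                net = ipaddress.ip_network(
                    f"{kv['ip-address']}/{kv['ip-mask']}", strict=False)
                allowed.append((tok[3], net))
        elif tok[:2] == ["aaa", "user-network-profile"] and tok[-2:] == ["hic", "enable"]:
            unp_with_hic.append(_kv(tok[2:-2]).get("name", "?"))

    if len(allowed) > MAX_ALLOWED_NAMES:
        findings.append(("TOO_MANY_ALLOWED_NAMES",
                         f"{len(allowed)} exception entries; at most {MAX_ALLOWED_NAMES} allowed"))
    if web_agent_host is not None:
        try:
            addr = ipaddress.ip_address(web_agent_host)
        except ValueError:
            addr = None   # URL uses a hostname; cannot match against address entries
        if addr is None:
            findings.append(("WEB_AGENT_HOST_UNVERIFIED",
                             f"web-agent-url host '{web_agent_host}' is not an IP address; "
                             "confirm it is covered by an allowed-name entry"))
        elif not any(addr in net for _, net in allowed):
            findings.append(("WEB_AGENT_NOT_IN_EXCEPTION_LIST",
                             f"{web_agent_host} is not covered by any 'aaa hic allowed-name' entry"))
    if unp_with_hic and not hic_enabled:
        findings.append(("UNP_HIC_WITHOUT_SWITCH_HIC",
                         f"UNP(s) {unp_with_hic} enable HIC but 'aaa hic enable' is absent"))
    return findings


# Constructed sample: the guide's commands, but with HIC enabled before the
# server is defined and without the Web agent server in the exception list.
SAMPLE_CONFIG = [
    "-> aaa user-network-profile name Engineering vlan 500 hic enable",
    "-> aaa hic enable",
    "-> aaa hic server-name hic-srv1 ip-address 2.2.2.2 secret wwwtoe",
    "-> aaa hic web-agent-url http://10.10.10.10:2146",
    "-> aaa hic allowed-name websrv1 ip-address 123.10.5.1 ip-mask 255.255.255.0",
    "-> aaa hic custom-proxy-port 8878",
]

# Constructed corrected sample: server first, agent server in the list, enable last.
FIXED_CONFIG = [
    "-> aaa hic server-name hic-srv1 ip-address 2.2.2.2 secret wwwtoe",
    "-> aaa hic web-agent-url http://10.10.10.10:2146",
    "-> aaa hic allowed-name websrv1 ip-address 123.10.5.1 ip-mask 255.255.255.0",
    "-> aaa hic allowed-name agentsrv ip-address 10.10.10.10 ip-mask 255.255.255.255",
    "-> aaa hic custom-proxy-port 8878",
    "-> aaa hic enable",
    "-> aaa user-network-profile name Engineering vlan 500 hic enable",
]

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_hic_config(cfg) or "no findings")
```

The checker reads the configuration as the guide presents it (one command per line with the `->` prompt) and keeps only the facts needed for the four rules, so it can be run against a saved CLI transcript without any access to the switch.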