Novell ZENWORKS NETWORK ACCESS CONTROL 5.0 - 09-22-2008 User Manual


AUTHORIZED DOCUMENTATION
Users Guide
Novell® ZENworks® Network Access Control 5.0
September 22, 2008
www.novell.com
Novell ZENworks Network Access Control Users Guide


Summary of Contents for Novell ZENWORKS NETWORK ACCESS CONTROL 5.0 - 09-22-2008

  • Page 1 AUTHORIZED DOCUMENTATION Users Guide Novell® ZENworks Network Access Control® September 22, 2008 www.novell.com Novell ZENworks Network Access Control Users Guide...
  • Page 2 Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
  • Page 3 All third-party trademarks are the property of their respective owners. This Novell software product includes open-source software components. Novell conforms to the terms and conditions that govern the use of the open source components included in this product. Users of this product have the right to access the open source code and view all applicable terms and conditions governing open source component usage.
  • Page 5: Table Of Contents

    1 Introduction Novell ZENworks Network Access Control Home Window ......15 System Monitor ............16 Novell ZENworks Network Access Control v5.0 for v4.x Users .
  • Page 6 Modifying the MS root Account Password ....... . . 55 3.5.10 Checking for Novell ZENworks Network Access Control Upgrades ... . . 56 3.5.11 Changing the Novell ZENworks Network Access Control Upgrade Timeout.
  • Page 7 First Time Selection ..........109 3.14.3 Setting Novell ZENworks Network Access Control Properties ....110 3.14.4 Configuring a Post-connect System .
  • Page 8 Selecting Action Taken ..........211 About Novell ZENworks Network Access Control Tests ......212 6.4.1...
  • Page 9 About 802.1X ............. 235 11.2 Novell ZENworks Network Access Control and 802.1X ......236 11.3 Setting up the 802.1X Components .
  • Page 10 16 System Administration 16.1 Launching Novell ZENworks Network Access Control......329 16.1.1 Launching and Logging into Novell ZENworks Network Access Control.
  • Page 11 Novell ZENworks Network Access Control Setup ....... . . 382...
  • Page 12 Location and Connections ........... 438
  • Page 13 Novell End-user License Agreement ........
  • Page 14 Glossary
  • Page 15: Introduction

    Section 1.1, “Novell ZENworks Network Access Control Home Window,” on page 15 Section 1.2, “System Monitor,” on page 16 Section 1.3, “Novell ZENworks Network Access Control v5.0 for v4.x Users,” on page 17 Section 1.4, “Overview,” on page 20 Section 1.5, “Technical Support,” on page 25 Section 1.6, “Additional Documentation,”...
  • Page 16: System Monitor

    6. Endpoint test status area — The Endpoint tests area displays the total number of endpoints that Novell ZENworks Network Access Control has attempted to test, and what the test status is for each endpoint. Click the number of endpoints to view details.
  • Page 17: Novell Zenworks Network Access Control V5.0 For V4.X Users

    1.3 Novell ZENworks Network Access Control v5.0 for v4.x Users The user interface has been completely redesigned in this release of Novell ZENworks Network Access Control. The following table provides a quick-reference for users familiar with Novell ZENworks Network Access Control v4.x. The first column shows the v4.x task with the corresponding v5.0 user interface location in the second column.
  • Page 18 Table columns: Novell ZENworks Network Access Control 4.x | Novell ZENworks Network Access Control 5.0 | Notes. General tab, License key — System configuration>>License. Notes: The General tab tasks are now on two different windows: System configuration and NAC policies. Name of network — System...
  • Page 19 Table columns: Novell ZENworks Network Access Control 4.x | Novell ZENworks Network Access Control 5.0 | Notes. End-user access tab, End-user testing methods — System configuration>>Testing methods. Notes: End-user tab tasks are on the System configuration window. They are set as cluster defaults, but can be overridden when... End-user testing options — System configuration>>Testing methods...
  • Page 20: Overview

    TIP: Agentless testing uses an existing Windows service (RPC). ActiveX testing uses an ActiveX control. Novell agent testing installs an agent (NAC Agent) and runs as a new Windows service.
  • Page 21 Enforcement options — Novell ZENworks Network Access Control provides multiple enforcement options for quarantining endpoints that do not comply with your security policy (Inline, DHCP, and 802.1X). This enables Novell ZENworks Network Access Control to enforce compliance across complex, heterogeneous networks.
  • Page 22: The Novell Zenworks Network Access Control Process

    NAC policy tests (or is otherwise granted access), the endpoint is allowed access to the network. If you have external Intrusion Detection System/Intrusion Prevention System (IDS/IPS) systems that monitor your network for attacks, you can configure these external systems in Novell ZENworks Network Access Control so they can request that Novell ZENworks Network Access Control quarantine an endpoint after it has been connected (post-connect).
  • Page 23 TIP: Novell ZENworks Network Access Control passes approximately 9 to 16 kilobytes of total data between a single endpoint and a single Novell ZENworks Network Access Control server for a single testing session with the High Security NAC policy (approximately 20 tests). It typically takes between 5 and 10 seconds to run all tests in a policy on a 100Mb LAN.
  • Page 24 Compliance Enforcement Based on endpoint test results, Novell ZENworks Network Access Control takes the appropriate action. Endpoints that test compliant with the applied policy are permitted access. Non-compliant endpoints are either quarantined, or are given access for a temporary period. Implement the necessary fixes during this period.
  • Page 25: Technical Support

    IMPORTANT: Installing third-party software on the Novell ZENworks Network Access Control server is not supported. If you install additional software on the Novell ZENworks Network Access Control server, you need to remove it in order to troubleshoot any Novell ZENworks Network...
  • Page 26: Conventions Used In This Document

    1.8.4 Important Paragraph Important paragraphs notify you of conditions that can cause errors or unexpected results. Example: IMPORTANT: Do not rename the files or they will not be seen by Novell ZENworks Network Access Control. 1.8.5 Warning Paragraph Warnings notify you of conditions that can lock your system or cause damage to your data.
  • Page 27: Italic Text

    The SMS server contains a database of logical groups with common attributes called collections. SMS operates only on clients (endpoints) that are members of a collection. Indicating document titles — Novell ZENworks Network Access Control Installation Guide Indicating a variable entry in a command — https://<IP_address>...
  • Page 28: Square Brackets

    Secure Shell (SSH) protocol. The exact syntax of the copy command will vary based on the utility you use. Example: 1 Copy the /usr/local/nac/properties/NACAVPs.txt file from the Novell ZENworks Network Access Control server to the ACS server using PSCP (or other secure copy utility).
  • Page 29: Users' Guide Online Help

    PSCP.EXE file before entering the pscp command. 1.10 Users’ guide online help In Novell ZENworks Network Access Control, the help links in the product open an HTML version of the Novell ZENworks Network Access Control documents. The PDF version is still available in the /docs directory on the CD, and by clicking the Open Users’...
  • Page 30 When you click a help link from within Novell ZENworks Network Access Control, the help topic opens in a new window, as shown in the following figure: Online Help Figure 1-4 The following options are available: Previous — Click the upward pointing icon to go to the previous page.
  • Page 31 To view the index: Online help document>>Show navigation icon>>Index tab Index Tab Figure 1-5 1 Click on a letter link at the top of the index column to see the index entries. 2 Click on an index entry to see the location in the text. 3 Click on cross reference items in highlighted text to see more information on these items.
  • Page 32 NOTE: Red arrows that point to the right denote collapsed sections. The default is for these sections to show as closed. Clicking on these red arrows turns them downward to open their content.
  • Page 33: Clusters And Servers

    Clusters and Servers Novell ZENworks Network Access Control introduces clusters and servers. A cluster is a logical grouping of one or more ESs that are managed by one MS. A single-server installation is one where the MS and ES are on one server. The ES is assigned to a Default cluster.
  • Page 34: Single-Server Installation

    High availability is where ESs take over for any other ES or servers that become unavailable. Load balancing is where the testing of endpoints is spread evenly over all of the ESs. A three-server installation is shown in the following figure:
  • Page 35 Multiple-server Installation Figure 2-2 When your network is more complex, you can continue to add clusters as shown in the following figure: Multiple-server, Multiple-cluster Installation Figure 2-3 The system configuration area allows you to select default settings for all clusters, as well as override the default settings on a per-cluster basis.
  • Page 36 NOTE: The minimum and recommended hardware requirements are listed in Section 16.8, “System Requirements,” on page 341; however, Novell has tested and certified Novell ZENworks Network Access Control on the following systems: Dell Xeon 5130, 2 GB RAM, 73 GB Hard drive, 15 k SAS, 3 NICs...
  • Page 37: System Configuration

    System Configuration The System configuration window allows the system administrator to set the operating parameters for Novell ZENworks Network Access Control. The following sections contain more information: Section 3.1, “Introduction,” on page 38 Section 3.2, “Enforcement Clusters and Servers,” on page 39 Section 3.3, “Enforcement Clusters,”...
  • Page 38: Introduction

    3.1 Introduction User logins and associated user roles determine the access permissions for specific functionality within Novell ZENworks Network Access Control. The following table shows the default home window menu options that are available by user role: Default Menu Options...
  • Page 39: Enforcement Clusters And Servers

    Notifications — Section 3.17.5, “Notifications,” on page 123 End-user screens — Section 3.17.6, “End-user Screens,” on page 125 Agentless credentials — Section 3.17.7, “Agentless Credentials,” on page 127 Logging — Section 3.18, “Logging,” on page 131 Advanced — Section 3.19, “Advanced Settings,” on page 133 NOTE: You can override any of the cluster default settings on a per-cluster basis.
  • Page 40: Adding An Enforcement Cluster

    System Configuration, Enforcement Clusters & Servers Figure 3-1 1 Click Add an Enforcement cluster in the Enforcement clusters & servers area. The Add Enforcement cluster window appears. The General area is displayed by default.
  • Page 41 1a Enter a name for the Enforcement cluster in the Cluster name field. 1b Select a NAC policy group from the NAC policy group drop-down list (see Chapter 6, “NAC Policies,” on page 201). 2 Click Quarantining in the Add Enforcement cluster window. Complete the steps described in Section 3.10, “Quarantining, General,”...
  • Page 42: Editing Enforcement Clusters

    Section 3.3.1, “Adding an Enforcement Cluster,” on page 4 Click ok. 3.3.3 Viewing Enforcement Cluster Status There are two ways Novell ZENworks Network Access Control provides Enforcement cluster status: The icons next to the cluster name (see Figure 3-3 on page...
  • Page 43: Deleting Enforcement Clusters

    3.3.4 Deleting Enforcement Clusters NOTE: Enforcement clusters need to be empty before the delete option appears next to the name in the Novell ZENworks Network Access Control user interface. To delete Enforcement clusters: Home window>>System configuration>>Enforcement clusters & servers 1 Click delete next to the cluster you want to remove.
  • Page 44: Adding An Es

    Home window>>System configuration>>Enforcement clusters & servers System Configuration, Enforcement Clusters & Servers Figure 3-3 1 Click Add an Enforcement server in the Enforcement clusters & servers area. The Add Enforcement server window appears. Add Enforcement Server Figure 3-4
  • Page 45: Cluster And Server Icons

    2 Select a cluster from the Cluster drop-down list. 3 Enter the IP address for this ES in the IP address text box. 4 Enter the fully qualified hostname to set on this server in the Host name text box. 5 Enter one or more DNS resolver IP addresses, separated by commas, semicolons, or spaces, in the DNS IP addresses text box.
  • Page 46: Changing The Es Network Settings

    ES error condition and cause authentication problems. See Section 3.15, “Maintenance,” on page 114 for instructions on backing up and restoring your system. To change the ES network settings: Home window>>System configuration>>Enforcement clusters & servers>>Select an ES>>Configuration
  • Page 47: Changing The Es Date And Time

    Enter one or more DNS resolver IP addresses, separated by commas, semicolons, or spaces, in the DNS IP addresses text box. For example: 10.0.16.100,10.0.1.1 NOTE: The Novell ZENworks Network Access Control ES's host name must be a fully qualified domain name (FQDN). For example, the FQDN should include the host and the domain name—...
  • Page 48: Modifying The Es Root Account Password

    2 Re-enter the password in the Re-enter root password text box. 3 Click ok. 3.4.8 Viewing ES Status There are two ways Novell ZENworks Network Access Control provides ES status: The icons next to the server name (see Figure 3-5 on page The Status window (see the following steps).
  • Page 49: Deleting Ess

    2 Click ok or cancel. 3.4.9 Deleting ESs NOTE: Servers need to be powered down for the delete option to appear next to the name in the Novell ZENworks Network Access Control user interface. To delete ESs: Home window>>System configuration>>Enforcement clusters & servers 1 Click delete next to the server you want to remove from the cluster.
  • Page 50: Management Server

    Section 3.5.8, “Enabling SNMP,” on page 55 Section 3.5.9, “Modifying the MS root Account Password,” on page 55 Section 3.5.10, “Checking for Novell ZENworks Network Access Control Upgrades,” on page 56 Section 3.5.11, “Changing the Novell ZENworks Network Access Control Upgrade Timeout,”...
  • Page 51: Viewing Network Settings

    3.5.1 Viewing Network Settings To view MS status: Home window>>System configuration>>Management server System Configuration, Management Server Figure 3-8
  • Page 52: Modifying Ms Network Settings

    Enter a new gateway in the Gateway IP address text field. For example: 192.168.153.2 Enter one or more DNS resolver IP addresses, separated by commas, semicolons, or spaces, in the DNS IP addresses text box. For example: 10.0.16.100,10.0.1.1 3 Click ok.
  • Page 53: Selecting A Proxy Server

    3.5.3 Selecting a Proxy Server Connecting to the Internet is necessary for updating tests, validating license keys, and sending support packages. To select a proxy server: Home window>>System configuration>>Management server 1 Select Use a proxy server for Internet connections. 2 Enter the IP address or hostname of the server that will act as the proxy for Internet connections in the Proxy server IP address text field.
  • Page 54: Automatically Setting The Time

    Home window>>System configuration>>Management server 1 Select Automatically receive NTP updates from and enter one or more Network Time Protocol (NTP) servers, separated by commas. The NTP protocol allows Novell ZENworks Network Access Control to synchronize its date and time with other endpoints on your network.
  • Page 55: Selecting The Time Zone

    3 Enter a comma-separated list of IP addresses or hostnames that can receive the SNMP notifications. 4 Enter the community string used to authorize SNMP notifications from Novell ZENworks Network Access Control. 5 Select one or both of the following: 5a Select the Resend notifications check box and enter the resend interval, for example 60.
  • Page 56: Checking For Novell Zenworks Network Access Control Upgrades

    To change the inactivity timeout value for upgrades: Command window 1 Log in to the Novell ZENworks Network Access Control server as root, either using SSH or directly with a keyboard. 2 Enter the following at the command line: setProperty.py -m Compliance.UpgradeManager.UpgradeTimeout=<minutes>...
  • Page 57: User Accounts

    3.6 User Accounts Novell ZENworks Network Access Control allows you to create multiple user accounts. User accounts provide and limit access to Novell ZENworks Network Access Control functions based on permissions (user roles) and clusters assigned. See Section 3.7, “User Roles,” on page 63 for more information on setting permissions for the user roles.
  • Page 58: Adding A User Account

    3.6.1 Adding a User Account To add a user account: Home window>>System configuration>>User accounts System Configuration, User Accounts Figure 3-11 1 Click Add a user account. The Add user account window appears:
  • Page 59 2 Enter the following information: User ID — The user ID used to log into Novell ZENworks Network Access Control Password — The password used to log into Novell ZENworks Network Access Control Full name — The name associated with the user account Email address —...
  • Page 60: Searching For A User Account

    Click the column heading for user id, full name, email address, user roles, or clusters. The user accounts reorder according to the column heading selected. Click the column heading again to change from ascending to descending.
  • Page 61: Copying A User Account

    3.6.4 Copying a User Account To copy a user account: Home window>>System configuration>>User accounts 1 Click copy next to the user account you want to duplicate. The Copy user account window appears. The account information is duplicated from the original account. Copy User Account Figure 3-12 2 Enter the User ID of the new account.
  • Page 62: Editing A User Account

    IMPORTANT: Do not delete or edit the account with which you are currently accessing the interface. Doing so can produce an error and lock you out of the interface until your session has timed out.
  • Page 63: User Roles

    To delete a user account: Home window>>System configuration>>User accounts 1 Click delete next to the user account you want to remove. The Delete user account confirmation window appears. 2 Click yes. 3.7 User Roles The User roles menu option allows you to configure the following: View current user roles and details associated with those roles Add a new user role Name the new user role...
  • Page 64: Adding A User Role

    3.7.1 Adding a User Role To add a user role: Home window>>System configuration>>User roles System Configuration, User Roles Figure 3-14 1 Click add a user role in the User roles area. The Add user role window appears.
  • Page 65 2 Enter a descriptive name in the Role name field. 3 Enter a description of the role in the Description field. 4 Select the permissions for the user role. For more information about permissions, see the following table: User Role Permissions Table 3-3 Permission Description...
  • Page 66: Editing User Roles

    NOTE: You cannot delete the System Administrator role. To delete user roles: Home window>>System configuration>>User roles 1 Click delete next to the user role you want to remove. The Delete user role confirmation window appears. 2 Click yes.
  • Page 67: Sorting The User Roles Area

    3.7.4 Sorting the User Roles Area To sort the user roles area: Home window>>System configuration>>User roles 1 Click the user role name or description column heading. The selected category sorts in ascending or descending order. 2 Click ok. 3.8 License The License menu option allows you to configure the following: Enter and submit a new license key View license start and end dates View number of days remaining on license, and associated renewal date...
  • Page 68: Updating Your License Key

    Installation Guide). If you need to update your license key, in the New license key field, enter your Novell ZENworks Network Access Control license key, which Novell sends to you by email. Copy and paste the license key directly from the text file.
  • Page 69: Manually Checking For Test Updates

    System Configuration, Test Updates Figure 3-17 1 In the Last successful test update area, click check for test updates. 2 Click ok. NOTE: It is important to check for test updates during the initial configuration of Novell ZENworks Network Access Control.
  • Page 70: Selecting Test Update Times

    To select test update times: Home window>>System configuration>>Test updates 1 Using the hour check boxes, select the time periods in which you would like Novell ZENworks Network Access Control to check for available test updates. By default, Novell ZENworks Network Access Control checks once every hour using the Novell Secure Rule Distribution Center.
  • Page 71: Selecting The Quarantine Method

    Authentication settings Add, edit, delete 802.1X devices The following sections contain more information: Section 3.10.1, “Selecting the Quarantine Method,” on page 71 Section 3.10.2, “Selecting the Access Mode,” on page 72 3.10.1 Selecting the Quarantine Method To select the quarantine method: Home window>>System configuration>>Quarantining System Configuration, Quarantining Figure 3-20...
  • Page 72: Selecting The Access Mode

    Inline — When using the inline quarantine method, Novell ZENworks Network Access Control must be placed on the network where all traffic to be quarantined passes through Novell ZENworks Network Access Control. It must be inline with an endpoint like a VPN.
  • Page 73: Entering Basic 802.1X Settings

    Section 3.11.2, “Authentication Settings,” on page 74 Section 3.11.3, “Adding 802.1X Devices,” on page 79 Section 3.11.4, “Testing the Connection to a Device,” on page 80 Section 3.11.5, “Cisco IOS,” on page 82 Section 3.11.6, “Cisco CatOS,” on page 84 Section 3.11.7, “Enterasys,”...
  • Page 74: Authentication Settings

    2 Select an End-user authentication method: Manual — RADIUS server authentication settings are configured manually from the command line. See Section 11.3.2, “Enabling Novell ZENworks Network Access Control for 802.1X,” on page 264 for configuration information. Windows domain — Authentication requests are handled by a Windows domain through NTLM protocol.
  • Page 75 Configuring Windows Domain Settings To configure Windows domain settings: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Local radio button 1 Select Windows domain from the End-user authentication method drop-down list. System Configuration, Windows Domain Figure 3-21
  • Page 76 1. Enter the user name of the end-user in the User name text box. 2. Enter the password of the end-user in the Password text box. 3. Re-enter the password of the end-user in the Re-enter password text box. 6c Click test settings. 7 Click ok.
  • Page 77 Configuring OpenLDAP Settings To configure OpenLDAP settings: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Local radio button 1 Select OpenLDAP from the End-user authentication method drop-down list. System Configuration, OpenLDAP Figure 3-22
  • Page 78 1. Enter the user name of the end-user in the User name text box. 2. Enter the password of the end-user in the Password text box. 3. Re-enter the password of the end-user in the Re-enter password text box. 10c Click test settings. 11 Click ok.
  • Page 79: Adding 802.1X Devices

    3.11.3 Adding 802.1X Devices To add an 802.1X device: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device Add 802.1X Device Figure 3-23 1 Enter the IP address of the 802.1X device in the IP address text field. 2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
  • Page 80: Testing The Connection To A Device

    802.1X MAC auth 2b Enter the port of the endpoint being tested in the Port text field. 2c Enter the MAC address of the endpoint being tested in the MAC address text field.
  • Page 81 3 For Cisco CATOS, Cisco IOS, Enterasys, Extreme, Foundry switches (Figure 3-25 on page 80) if you want to include the re-authentication command as part of the test, select the Re-authenticate an endpoint during test check box and: 3a Enter the port of the endpoint being tested in the Port text field. 3b Enter the MAC address of the endpoint being tested in the MAC address text field.
  • Page 82: Cisco Ios

    5 Select Cisco IOS from the Device type drop-down list. 6 Select telnet or SSH from the Connection method drop-down list. 7 Enter the User name with which to log into the device's console.
  • Page 83 8 Enter the Password with which to log into the device's console. 9 Re-enter the console password. 10 Enter the Cisco port mask in the text field. This specifies which characters within the endpoint identifier returned by the Cisco device contain the bank and port information of the endpoint.
  • Page 84: Cisco Catos

    5 Select Cisco CatOS from the Device type drop-down list. 6 Select telnet or SSH from the Connection method drop-down list. 7 Enter the User name with which to log into the device's console.
  • Page 85 If you have your CatOS switch configured to run in enable mode with a user name, the expect script supplied with Novell ZENworks Network Access Control will not run “out of the box.” Workaround: Do not use a user name with your switch, or modify the expect script in the console to include the user name.
  • Page 86: Enterasys

    6 Select telnet or SSH from the Connection method drop-down list. 7 Enter the User name with which to log into the device's console. 8 Enter the Password with which to log into the device's console. 9 Re-enter the console password.
  • Page 87 10 Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet / SSH console can remain idle or unused before it is reset. 11 Select the Show scripts plus symbol to show the following scripts: Initialization script —...
  • Page 88: Extreme Extremeware

    6 Select telnet or SSH from the Connection method drop-down list. 7 Enter the User name with which to log into the device's console. 8 Enter the Password with which to log into the device's console. 9 Re-enter the console password.
  • Page 89 10 Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet / SSH console can remain idle or unused before it is reset. 11 Select the Show scripts plus symbol to show the following scripts: Initialization script —...
  • Page 90: Extreme Xos

    8 Enter the Password with which to log into the device's console. 9 Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet / SSH console can remain idle or unused before it is reset.
  • Page 91 10 Select the Show scripts plus symbol to show the following scripts: Initialization script — The expect script used to log into the console and enter enable mode. Re-authentication script — The expect script used to perform endpoint re-authentication. Exit script —...
  • Page 92: Foundry

    6 Select telnet or SSH from the Connection method drop-down list. 7 Enter the User name with which to log into the device's console. 8 Enter the Password with which to log into the device's console.
  • Page 93 9 Re-enter the console password. 10 Enter the password with which to enter enable mode. 11 Re-enter the enable mode password. 12 Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet / SSH console can remain idle or unused before it is reset. 13 Select the Show scripts plus symbol to show the following scripts: Initialization script —...
  • Page 94: Hp Procurve Switch

    4 Enter an alias for this device that appears in log files in the Short name text field. 5 Select ProCurve Switch from the Device type drop-down list. 6 Select whether to connect to this device using telnet, SSH, or SNMPv2 in the Connection method drop-down list.
  • Page 95 7 SSH settings: 7a Enter the User name used to log into this device's console. 7b Enter the Password used to log into this device's console. 7c To help confirm accuracy, type the same password you entered into the Password field in the Re-enter Password field.
  • Page 96 HEX STRING DECIMAL STRING BITS NULLOBJ 3. Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field. TIP: Click revert to defaults to restore the default settings.
  • Page 97: Hp Procurve Wesm Xl Or Hp Procurve Wesm Zl

    3.11.12 HP ProCurve WESM xl or HP ProCurve WESM zl To add an HP ProCurve WESM xl or HP ProCurve WESM zl device: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device Add HP ProCurve WESM xl/zl Device Figure 3-33 1 Enter the IP address of the HP ProCurve WESM device in the IP address text field.
  • Page 98 HEX STRING DECIMAL STRING BITS NULLOBJ 10c Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field. TIP: Click revert to defaults to restore the default settings.
  • Page 99: Hp Procurve 420 Ap Or Hp Procurve 530 Ap

    3.11.13 HP ProCurve 420 AP or HP ProCurve 530 AP To add an HP ProCurve 420 AP or HP ProCurve 530 AP device: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device Add HP ProCurve 420/530 AP Device Figure 3-34 1 Enter the IP address of the HP ProCurve AP or HP ProCurve 530 AP device in the IP address text field.
  • Page 100 HEX STRING DECIMAL STRING BITS NULLOBJ 10c Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field. TIP: Click revert to defaults to restore the default settings.
  • Page 101: Nortel

    3.11.14 Nortel To add a Nortel device: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device Add Nortel Device Figure 3-35 1 Enter the IP address of the Nortel device in the IP address text field. 2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
  • Page 102 Re-authentication script — The expect script used to perform endpoint re-authentication. Exit script — The expect script used to exit the console. 16 Click ok. TIP: Click revert to defaults to restore the default settings.
  • Page 103: Other

    3.11.15 Other To add a non-listed 802.1X device: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device Add Other Device Figure 3-36 1 Enter the IP address of the new device in the IP address text field. 2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
  • Page 104: Quarantining, Dhcp

    Chapter 15, “DHCP Plug-in,” on page 317. 3.12.2 Setting DHCP Enforcement NOTE: See Section 10.1.3, “Configuring Windows Update Service for XP SP2,” on page 233 for information on using Windows Update Service for devices in quarantine.
  • Page 105 To set DHCP enforcement: Home window>>System configuration>>Quarantining>>DHCP quarantine method radio button System Configuration, Quarantining, DHCP Enforcement Figure 3-37 1 Inline DHCP server is selected by default. If you wish to use multiple DHCP servers, see the instructions in Chapter 15, “DHCP Plug-in,” on page 317.
  • Page 106: Adding A Dhcp Quarantine Area

    NOTE: The quarantine area subnets and non-quarantined subnets should be entered using Classless Inter-domain Routing address (CIDR) notation (see Section 16.6, “Entering Networks Using CIDR Format,” on page 338).
  • Page 107: Sorting The Dhcp Quarantine Area

    Static routes assigned on the endpoint — This option restricts the network access of non-compliant endpoints by vending DHCP settings with no gateway and a netmask of 255.255.255.255. Static routes and a Web proxy server built into Novell ZENworks Network Access Control allow the endpoint access to specific networks, IP addresses, and Web sites.
  • Page 108: Editing A Dhcp Quarantine Area

    1 Click delete next to the quarantine area you want to remove. The Delete quarantine area confirmation window appears. 2 Click yes. 3.13 Quarantining, Inline To select the Inline quarantine method: Home window>>System configuration>>Quarantining 1 Select a cluster.
  • Page 109: Post-Connect

    To open the firewall for your post-connect service: Command line window 1 Log in to the Novell ZENworks Network Access Control MS as root using SSH or directly with a keyboard. 2 Enter the following command at the command prompt: iptables -I INPUT -s<host>...
  • Page 110: Setting Novell Zenworks Network Access Control Properties

    “Launching Post-connect Systems,” on page 112. 3.14.3 Setting Novell ZENworks Network Access Control Properties Most Novell ZENworks Network Access Control properties are set by default. To change or set properties, you must change the properties as described in Section 16.5.10, “Changing Properties,” on page 337.
  • Page 111: Configuring A Post-Connect System

    3 Select the Automatically log into service check box to log into the post-connect service automatically when it is launched by clicking the post-connect service name on the Novell ZENworks Network Access Control Post-connect window (Home>>Post-connect). 3a Enter the user name of the account to be used for logging into the post-connect service in the User name text field.
  • Page 112: Launching Post-Connect Systems

    3.14.6 Post-connect in the Endpoint Activity Window When an external service requests that an endpoint be quarantined, it sends the request to Novell ZENworks Network Access Control, which quarantines the endpoint based on the hierarchy rules described in Section 7.1, “Endpoint Quarantine Precedence,”...
  • Page 113: Adding Post-Connect System Logos And Icons

    Section 1.9, “Copying Files,” on page 28): /usr/local/nac/webapps/ROOT/images 3 Log in to the Novell ZENworks Network Access Control MS as root using SSH or directly with a keyboard. 4 Modify the following properties in the nac-ms.properties file (see Section 16.5.10, “Changing Properties,”...
  • Page 114: Maintenance

    The following files are backed up: Database /usr/local/nac/properties directory /usr/local/nac/keystore directory /usr/local/nac/subscription directory The following sections contain more information: Section 3.15.1, “Initiating a New Backup,” on page 115 Section 3.15.2, “Restoring From a Backup,” on page 116
  • Page 115: Initiating A New Backup

    3.15.1 Initiating a New Backup To initiate a new backup: Home window>>System configuration>>Maintenance System Configuration, Maintenance Figure 3-44 1 Click begin backup now in the Backup area. The Operation in progress confirmation window appears. 2 Depending on your browser settings, a pop-up window may appear asking if you want to save or open the file.
  • Page 116: Restoring From A Backup

    TIP: If you are using Backup and Restore to move configuration files from one physical server to another, you must have the same version of Novell ZENworks Network Access Control installed on both servers. 3.16 Downloading Support Packages...
  • Page 117: Testing Methods

    3.17.1 Testing Methods The Testing methods menu option allows you to configure the following: Select testing methods Define the order in which the test method screens appear to the end-user Select end-user options Selecting Test Methods To select test methods: Home window>>System configuration>>Testing methods System Configuration, Testing Methods Figure 3-46 1 Select one or more of the following...
  • Page 118 1 Novell ZENworks Network Access Control tries to test with the agent-based test method. 2 If no agent is available, Novell ZENworks Network Access Control tries to test with the ActiveX test method. 3 If ActiveX is not available and if credentials for the endpoint or domain exist, Novell ZENworks Network Access Control tries to test with the agentless test method.
  • Page 119: Selecting End-User Options

    Windows endpoints on your Windows domain are tested automatically when you specify the domain admin credentials in the System configuration>>Agentless credentials>>Add administrator credentials window. The agent-based test method is recommended for any environment where enforcement is enabled on Windows Vista endpoints. 3.17.2 Selecting End-user Options To select end-user options: Home window>>System configuration>>Testing methods...
  • Page 120 Windows domain controller. Examples: Web sites — www.mycompany.com Host names — bagle.com IP addresses — 10.0.16.100 Ports — 10.0.16.100:53 Networks — 10.0.16.1/24 Range of IP addresses — 10.0.16.1/30
  • Page 121: Exceptions

    You do not need to enter the IP address of the Novell ZENworks Network Access Control server here. If you do, it can cause redirection problems when end-users try to connect. You do need to add any update server names, such as the ones that provide anti-virus and software updates.
  • Page 122 2 To exempt end-user domains from testing, in the Whitelist area, enter the domain names. 3 Click ok. IMPORTANT: If you enter the same endpoint in both the Whitelist and the Blacklist areas in the Exceptions window, the Whitelist option is used.
  • Page 123: Notifications

    2 To always quarantine domains when testing, in the Blacklist area, enter the domains. TIP: In DHCP mode, the Novell ZENworks Network Access Control firewall quarantines based on MAC address (everything entered must be translated to the corresponding endpoint's MAC address).
  • Page 124 1c In the Via SMTP server IP address text box, enter the IP address of the SMTP email server from which Novell ZENworks Network Access Control sends email notifications. This must be a valid IP address that is reachable from where the Novell ZENworks Network Access Control machine is located on your network.
  • Page 125: End-User Screens

    To disable email notifications: Home window>>System configuration 1 Select a cluster. The Enforcement cluster window appears. 2 Select the Notifications menu item. 3 Select the For this cluster, override the default settings check box. 4 Select Do not send email notifications. 5 Click ok.
  • Page 126 Organization logo image — Enter a path to your organization’s logo, or click Browse to select a file on your network. Novell recommends you place your logo here to help end-users feel secure about having their computers tested. The logo should be no larger than 450x50 pixels.
  • Page 127: Agentless Credentials

    1c Footer (most screens) — Enter the text for the footer that appears on most of the end-user windows. Novell recommends that this text includes a way to contact you if they need further assistance. You can format the text in this field with HTML characters.
  • Page 128 “Adding Windows Credentials” on page 129 “Testing Windows Credentials” on page 130 “Editing Windows Credentials” on page 131 “Deleting Windows Credentials” on page 131 “Sorting the Windows Credentials Area” on page 131
  • Page 129 Adding Windows Credentials To add Windows credentials: Home window>>System configuration>>Agentless credentials System Configuration, Agentless Credentials Figure 3-51 1 Click Add administrator credentials. The Add Windows administrator credentials window appears: System Configuration 129...
  • Page 130 2 Click test. The operation in progress window appears. Testing the credentials might take a few minutes to complete. 3 When the credentials testing is complete, the test status is displayed at the top of the credentials window.
  • Page 131: Logging

    NOTE: Novell ZENworks Network Access Control saves authentication information encrypted on the Novell ZENworks Network Access Control server. When a user connects with the same browser, Novell ZENworks Network Access Control looks up this information and uses it for testing.
  • Page 132: Setting Es Logging Levels

    — Log info-level and above messages only debug — Log debug-level and above messages only trace — Log everything IMPORTANT: Setting the log level to trace may adversely affect performance. 2 Click ok.
  • Page 133: Setting 802.1X Devices Logging Levels

    3.18.2 Setting 802.1X Devices Logging Levels You can configure the amount of diagnostic information written to log files related to 802.1X re-authentication, ranging from error (error-level messages only) to trace (everything). To set 802.1X logging levels: Home window>>System configuration>>Logging 1 To configure the amount of diagnostic information written to log files related to 802.1X re-authentication, select a logging level from the 802.1X devices drop-down list: error —...
  • Page 134: Setting The Agent Read Timeout

    2 Enter a number of seconds in the Agent read timeout period text field. The agent read timeout is the time in seconds that Novell ZENworks Network Access Control waits on an agent read. Use a larger number for systems with network latency issues.
  • Page 135: Setting The Rpc Command Timeout

    1 Enter a number of seconds in the RPC command timeout period text field. The RPC command timeout is the time in seconds that Novell ZENworks Network Access Control waits on an rpcclient command to finish. Use a larger number for systems with network latency issues.
  • Page 137: Endpoint Activity

    Endpoint Activity Use the Endpoint activity window to monitor end-user connection activity. Home window>>Endpoint activity The Endpoint activity window has the following sections: Endpoint selection area — The left column of the window provides links that allow you to quickly filter the results area by Access control status or Endpoint test status.
  • Page 138: Filtering The Endpoint Activity Window

    Section 4.1.2, “Filtering by Time,” on page 139 Section 4.1.3, “Limiting Number of Endpoints Displayed,” on page 140 Section 4.1.4, “Searching,” on page 141 4.1.1 Filtering by Access Control or Test Status Home window>>Endpoint activity window
  • Page 139: Filtering By Time

    Select a method for filtering the results window; by a specific access control status or endpoint status as shown in the following figure: Endpoint, Activity, Menu Options Figure 4-2 NOTE: This part of the window reflects the total number of endpoints in the network at the current time.
  • Page 140: Limiting Number Of Endpoints Displayed

    Home window>>Endpoint Activity Display Endpoints Drop-down Figure 4-4 Select a number from the drop-down list. The results area updates to show only the number of endpoints selected with page navigation breadcrumbs.
  • Page 141: Searching

    TIP: The search box is not case-sensitive. Searching matches entire words. You must enter wildcard characters (*) to match substrings. For example, 192.168.*. 4.2 Access Control States Novell ZENworks Network Access Control provides on-going feedback on the access status of endpoints in the Endpoint activity window as follows: Endpoint Activity 141...
  • Page 142: Endpoint Test Status

    Section 4.5, “Viewing Endpoint Access Status,” on page 147. Failed — Novell ZENworks Network Access Control shows this status after the endpoint has failed testing. Click on the plus (+) symbol to show the test failed categories. Passed — Novell ZENworks Network Access Control shows this status after the endpoint has passed the test and is connected to the network.
  • Page 143 Failed — Novell ZENworks Network Access Control shows this status after the endpoint has failed testing. Could not be tested — Novell ZENworks Network Access Control shows this status after the endpoint could not be tested. License limit exceeded — Novell ZENworks Network Access Control shows this status when the number of endpoints allowed on your license has been exceeded.
  • Page 144 Connection failed - endpoint busy or file and print sharing disabled — During the connection to the endpoint, the endpoint is not able to complete the testing requested by Novell ZENworks Network Access Control. This condition can occur when the endpoint is busy...
  • Page 145 Novell ZENworks Network Access Control. If the endpoint is still on the network, retest it with Novell ZENworks Network Access Control.
  • Page 146: Enforcement Cluster Access Mode

    Failed Endpoint Allow All Mode Mouse Over Figure 4-10
  • Page 147: Viewing Endpoint Access Status

    4.5 Viewing Endpoint Access Status To view access status for an endpoint: Home window>>Endpoint activity window 1 Locate the endpoint you are interested in. 2 The first column is the selection column, the second column is the Endpoint test status column, and the third column is the Access control status column. The icons shown in the following figure provide status: Access Control and Endpoint Test Status Figure 4-11...
  • Page 148: Acting On Selected Endpoints

    4.7.3 Immediately Quarantine an Endpoint To immediately quarantine an endpoint: Home window>>Endpoint activity 1 Select a box or boxes to select the endpoints of interest. 2 Click change access.
  • Page 149: Clearing Temporary Endpoint States

    3 Select the Temporarily Quarantine for radio button. 4 Select minutes, hours, or days from the drop-down list. 5 Enter the number of minutes, hours, or days that the endpoint will be temporarily quarantined. 6 Click ok. TIP: To quarantine again, select the endpoint, click change access, select Clear temporary access control status, and click ok.
  • Page 150 Endpoint, General Option Figure 4-12 2 Click Test results to view the details of the test: Endpoint Activity, Endpoint Test Results Option Figure 4-13
  • Page 151: Troubleshooting Quarantined Endpoints

    TIP: Click on any underlined link (for example, change access) to make changes such as changing access or test credentials. 4.9 Troubleshooting Quarantined Endpoints The following table describes the various components that affect an endpoint attempting to access the network: Endpoint Activity 151...
  • Page 152 AND IP addresses to Accessible services, or Manually setting Novell ZENworks Network Access Control as the proxy (this would require reversing this setting once a system was out of quarantine).
  • Page 153 Table columns: Enforcement Mode | How endpoints are quarantined and redirected to Novell ZENworks Network Access Control | How quarantined endpoints reach accessible devices. DHCP mode: Network enforcement — DHCP server (Novell ZENworks Network Access Control) gives the ... | Novell ZENworks Network Access Control (fake root) DNS — As in...
  • Page 154 VPN users by iptables acting as a firewall. VPN users can only get through iptables by becoming compliant with a Novell ZENworks Network Access Control policy, after which a hole is opened for their VPN IP address.
  • Page 155 Control:443 --> Novell ZENworks Network Access Control:89 Traffic coming from non-quarantine ranges will not be rewritten, so that users can get to the Novell ZENworks Network Access Control user interface on port 443. NOTES: (*) The gateway does not have to be in the broadcast domain (which is good, since the netmask gives the endpoint no real broadcast domain), as long as it is in the same (Layer 2) subnet—the...
  • Page 157: End-User Access

    Section 5.6, “Mac OS X Endpoint Settings,” on page 170 Section 5.7, “End-user Access Windows,” on page 174 Section 5.8, “Customizing Error Messages,” on page 194 5.1 Test Methods Used Novell ZENworks Network Access Control tests endpoints using one of the following methods: Agent-based Agentless ActiveX Section 3.17.1, “Testing Methods,”...
  • Page 158: Endpoints Supported

    Enforcement Server (ES) — The server that communicates with the agent to initiate tests, and quarantines or allows network access based on the test results. Endpoint — The computer being tested by Novell ZENworks Network Access Control. SRV record — A DNS record that contains information regarding a specific service on a network.
  • Page 159: Browser Version

    Agent-based test methods — Windows or Linux — IE, Firefox, or Mozilla Mac OS X — Firefox or Safari. 5.4 Firewall Settings Novell ZENworks Network Access Control can perform tests through firewalls on both managed and unmanaged endpoints. End-user Access 159...
  • Page 160: Managed Endpoints

    Typically, a managed endpoint’s firewall is controlled with the Domain Group Policy for Windows, or a central policy manager for other firewalls. In this case, the network administrator opens up the agent port or agentless ports only to the Novell ZENworks Network Access Control server using the centralized policy.
  • Page 161: Agent-Based Test Method

    The end-user could add the IP address of the Novell ZENworks Network Access Control server to the Trusted sites zone, and then set the Trusted sites zone to Medium. The end-user could customize the High setting to allow the options necessary for Novell ZENworks Network Access Control to test successfully.
  • Page 162 To enable file and printer sharing on Windows XP Professional: Windows endpoint>>Start>>Settings>>Control Panel 1 Double-click Network connections. 2 Right-click Local area connection. 3 Select Properties. The Local area connection properties window appears:
  • Page 163 Local Area Connection Properties Figure 5-2 4 On the General tab, in the This connection uses the following area, verify that File and Printer sharing is listed and that the check box is selected. 5 Click OK. For more information on file and printer sharing, refer to the following: To configure File and Printer Sharing for Microsoft Networks —...
  • Page 164 2 Click Start>>Welcome Center. The Welcome Center window appears: Windows Vista, Welcome Center Figure 5-3
  • Page 165 3 Double-click View computer details. The Control Panel>System and Maintenance>System window appears. Windows Vista, System Figure 5-4 4 Click Change settings. End-user Access 165...
  • Page 166 7 Click Change. The Computer Name/Domain Changes window appears. Windows Vista, Computer Name/Domain Changes Figure 5-6 8 Select the Member of Domain radio button. 9 Enter the domain name in the text box.
  • Page 167 NOTE: Windows Vista endpoints are not tested until they are logged in to the domain. Ports Used for Testing You might need to configure some firewalls and routers to allow Novell ZENworks Network Access Control to access the following ports for agentless testing: TIP: See Appendix E, “Ports used in Novell ZENworks Network Access Control,”...
  • Page 168 1 Click Add. 2 In the Service Settings window, enter the following information: Description : Novell ZENworks Network Access Control Server 137 IP : <IP of the Novell ZENworks Network Access Control Server> External port number : 137 Select UDP.
  • Page 169 3 Verify that the check boxes for all four ports are selected. 4 Select TCP 139. 5 Click Change Scope. 6 Select Custom List. 7 Enter the Novell ZENworks Network Access Control Server IP address and the 255.255.255.0 mask. 8 Click OK. 9 Select UDP 137.
  • Page 170: Activex Test Method

    “Ports Used for Testing” on page 170 “Windows Vista Settings” on page 170 Ports Used for Testing You might need to configure some firewalls and routers to allow Novell ZENworks Network Access Control to access port 1500 for ActiveX testing. TIP: See Appendix E, “Ports used in Novell ZENworks Network Access Control,”...
  • Page 171: Allowing Novell Zenworks Network Access Control Through The Os X Firewall

    5.6.2 Allowing Novell ZENworks Network Access Control through the OS X Firewall To verify that Novell ZENworks Network Access Control can test the end-user through the end-user’s firewall: Mac endpoint>>Apple Menu>>System Preferences End-user Access 171...
  • Page 172 Mac System Preferences Figure 5-8 1 Select the Sharing icon. The Sharing window opens.
  • Page 173 2 Select the Firewall tab. 3 The firewall settings must be one of the following: On with the following: OS X NAC Agent check box selected Port 1500 open To change the port: Mac endpoint>>Apple Menu>>System Preferences>>Sharing icon>>Firewall tab 1 Select OS X NAC Agent. End-user Access 173...
  • Page 174: End-User Access Windows

    NOTE: Upgrading the Novell ZENworks Network Access Control software does not overwrite your template changes. Your updated templates are preserved. IMPORTANT: Do not rename the files or they will not be seen by Novell ZENworks Network Access Control. End-users begin the login process by opening their browser. If their home page is defined on the Accessible services window, they are allowed to access that page.
  • Page 175: Opening Window

    The following sections contain more information: Section 5.7.1, “Opening Window,” on page 175 Section 5.7.2, “Windows NAC Agent Test Windows,” on page 176 Section 5.7.3, “Mac OS Agent Test Windows,” on page 181 Section 5.7.4, “ActiveX Test Windows,” on page 188 Section 5.7.5, “Agentless Test Windows,”...
  • Page 176: Windows Nac Agent Test Windows

    End-user Installing Window Figure 5-11 TIP: The end-user can also manually install the agent as described in “Manually Installing the Windows Agent” on page 179.
  • Page 177 If Active Content is disabled in the browser, the following error window appears: End-user Agent Installation Failed Figure 5-12 TIP: To enable active content, see the instructions in the Installation Guide, in the “Important Browser settings, Active Content” section. If this is the first time the end-user has selected NAC Agent test, a security acceptance window appears.
  • Page 178 Next to start the agent installation: End-user Agent Installation Window (Start) Figure 5-13 The user must click Finish to complete the agent installation and begin testing: End-user Agent Installation Window (Finish) Figure 5-14
  • Page 179 As soon as the installation is complete, the endpoint is tested. See Section 5.7.6, “Testing Window,” on page 191. Removing the Agent To remove the agent: Windows endpoint>>Start button>>Settings>>Control panel>>Add/remove programs Add/Remove Programs Figure 5-15 1 Find the ZENworks Network Access Control Agent in the list of installed programs.
  • Page 180 To see what version of the agent the endpoint is running: Windows endpoint>>Command line window 1 Change the working directory to the following: C:\Program Files\StillSecure\NAC Agent 2 Enter the following command: SAService version The version number is returned. For example: 4,0,0,567
  • Page 181: Mac Os Agent Test Windows

    When the test method selected is agent-based, the first time the end-user logs in to their Macintosh computer and opens a browser window, Novell ZENworks Network Access Control attempts to test the endpoint. If the agent is required, they receive the Installation Failed window shown in “End-...
  • Page 182 Mac OS Installer 1 of 5 Figure 5-19 5 Click Continue. The Select a Destination window appears: Mac OS Installer 2 of 5 Figure 5-20 6 Click Continue. The Easy Install window appears:
  • Page 183 Mac OS Installer 3 of 5 Figure 5-21 7 Click Install. The Authenticate window appears: Mac OS Installer 4 of 5 Figure 5-22 8 Enter your password. Click OK. The agent is installed and the confirmation window appears: End-user Access 183...
  • Page 184 Mac OS Installer 5 of 5 Figure 5-23 9 Click Close. Verifying the Mac OS Agent To verify that the Mac OS agent is running properly: Mac endpoint>>Double-click Desktop icon>>Application folder>>Utilities folder
  • Page 185 Applications, Utilities Folder Figure 5-24 1 Double-click Activity Monitor. The Activity Monitor window appears: End-user Access 185...
  • Page 186 3a Select Applications window>>Utilities>>Mac OS X Terminal. A terminal window opens: Mac Terminal Figure 5-26 3b Enter the following at the command line: OSXNACAgent -v The build and version number are returned.
  • Page 187 3c If an error message is returned indicating that the agent could not be found, the agent was not installed properly. Re-install the agent as described in “Installing the MAC OS Agent” on page 181. 3d If the agent is installed but not running, enter the following at the command line: sudo OSXNACAgentDaemon restart 3e Check the Activity Monitor window again to see if the osxnactunnel process is running.
  • Page 188: Activex Test Windows

    127) Require the user to log in. End-users must set up their local endpoints to have a Windows administrator account with a password in order to be tested by Novell ZENworks Network Access Control.
  • Page 189 NOTE: Novell ZENworks Network Access Control uses the Windows Messenger Service when using agentless testing. If you have disabled this service (http://www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx), agentless testing will not work. TIP: If the end-user has not defined a login/password combination, the default login is usually administrator with a blank password.
  • Page 190 End-user Login Failed Figure 5-29 TIP: You can customize the logo and contact paragraph that appear on this window. See Section 5.8, “Customizing Error Messages,” on page 194 for more details.
  • Page 191: Testing Window

    5.7.6 Testing Window The following figure shows the window that appears during the testing process: End-user Testing Figure 5-30 The possible outcomes from the test are as follows: Test successful window (see Section 5.7.7, “Test Successful Window,” on page 191) Testing cancelled window (see Section 5.7.8, “Testing Cancelled Window,”...
  • Page 192: Testing Cancelled Window

    When the end-user’s endpoints fail to meet the test criteria defined in the NAC policy, the end-users are not allowed access to the network (are quarantined) and the following testing failed window appears.
  • Page 193 For each NAC policy, you can specify a temporary access period should the end-users fail the tests. See Section 6.3.14, “Selecting Action Taken,” on page 211 for more information. End-user Testing Failed Example 1 Figure 5-33 TIP: You can elect to allow access to specific services and endpoints by including them in the Accessible services and endpoints area of the System configuration>>Accessible services window (see Section 3.17.3, “Accessible Services,”...
  • Page 194: Error Windows

    You can create custom error message strings that appear in the test result reports, and on the test results access window that the end-user views by editing or creating the following file: /usr/local/nac/scripts/Custom/BaseClasses/CustomStrings.py
  • Page 195 2 Once your custom strings script is complete, and you are ready to push it out to all of the ESs: 2a Verify that the scripts and base classes are under the Custom directory tree as specified above. 2b Enter the following on the command line of the Novell ZENworks Network Access Control MS: installCustomTests This command compiles the Python source files, builds an RPM, updates the policy groups, and sends these changes to all ESs.
  • Page 196 The missing hotfixes are: %s. You may need to run Windows Update multiple times to install all the hotfixes. Some of the hotfixes listed may be contained in a cumulative patch.,
  • Page 197 Test name Description checkHotFixes.String.5 All required %s are installed., checkHotFixes.String.6 There are no %s installed. Run Windows Update to install the most recent service packs and hotfixes. You may need to run Windows Update multiple times to install all the hotfixes., checkIESecurityZoneSettings.String.1 There was no security zone specified., checkIESecurityZoneSettings.String.2...
  • Page 198 %s, # placeholder for link location for each service. checkSoftwareNotAllowed.String.1 Could not import the re module required by this test., checkSoftwareNotAllowed.String.2 All software found is allowed.,
  • Page 199 Test name Description checkSoftwareNotAllowed.String.3 Do not specify the HKEY_LOCAL_MACHINE\SOFTWARE registry key., checkSoftwareNotAllowed.String.4 The following software is not allowed: %s. Uninstall the software listed. Also, remove any file types listed by double-clicking My Computer>>select Tools>>Folder Options>>File Types and remove the file type mentioned., checkSoftwareNotAllowed.String.5 %s, # placeholder for link location for each software package.
  • Page 200 There were no unauthorized network connections found., checkBadIP.String.2 An unsupported operating system was encountered., checkBadIP.String.3 The IP addresses %s are on unauthorized networks., checkBadIP.String.4 The IP address %s is on an unauthorized network.,
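Because installCustomTests compiles the custom strings and pushes them to every ES in one step, a mistake in CustomStrings.py (an override for a key no test uses, or a string that drops or duplicates a %s placeholder) is only discovered when a test formats its result on an endpoint. The following is an added example, not code from the Novell guide or the product: it takes a handful of the default strings from the table above and validates a proposed override table before it is installed. The DEFAULT_STRINGS dict, the override dicts and the render helper are this example's assumptions; the real CustomStrings.py layout is not shown on the page.

```python
"""Validate a CustomStrings-style override table before pushing it to the ESs.

Added example, not part of the Novell guide. Keys and placeholders come from the
guide's string table; the dict layout and the validator are assumptions.
"""

# Subset of default strings from the guide's table; "%s" is filled in per test run.
DEFAULT_STRINGS = {
    "checkHotFixes.String.5": "All required %s are installed.",
    "checkHotFixes.String.6": ("There are no %s installed. Run Windows Update to "
                               "install the most recent service packs and hotfixes."),
    "checkBadIP.String.3": "The IP addresses %s are on unauthorized networks.",
    "checkBadIP.String.4": "The IP address %s is on an unauthorized network.",
}


def placeholder_count(text):
    """Count %s placeholders, ignoring escaped %% sequences."""
    return text.replace("%%", "").count("%s")


def validate_overrides(overrides, defaults=DEFAULT_STRINGS):
    """Return a list of problems; an empty list means the overrides are safe to install.

    Two failure modes matter in practice: an override for a key no test uses is
    silently ignored (the operator believes the message changed, it did not), and
    a placeholder-count mismatch makes the test's %-formatting raise at run time,
    on every ES, after installCustomTests has already distributed the RPM.
    """
    problems = []
    for key, text in overrides.items():
        if key not in defaults:
            problems.append("%s: unknown test string key" % key)
            continue
        want, got = placeholder_count(defaults[key]), placeholder_count(text)
        if want != got:
            problems.append("%s: expected %d '%%s' placeholder(s), found %d"
                            % (key, want, got))
    return problems


def render(key, values, overrides=None, defaults=DEFAULT_STRINGS):
    """Format the message the end-user would see, preferring an override if present."""
    table = dict(defaults)
    table.update(overrides or {})
    # checkBadIP uses String.3 for several addresses and String.4 for one, but both
    # take a single %s, so a list of addresses is joined before formatting.
    if isinstance(values, (list, tuple)):
        values = ", ".join(values)
    return table[key] % values


# Constructed override sets for demonstration (not from the guide).
GOOD_OVERRIDES = {
    "checkBadIP.String.4": "Address %s is not on an approved corporate network; contact the helpdesk.",
}
BAD_OVERRIDES = {
    "checkBadIP.String.4": "This address is not on an approved network.",  # lost the %s
    "checkHotFixes.String.9": "No such key",                                # unknown key
}

if __name__ == "__main__":
    print(validate_overrides(GOOD_OVERRIDES))
    print(validate_overrides(BAD_OVERRIDES))
    print(render("checkBadIP.String.3", ["10.9.8.7", "192.0.2.10"]))
```

Run the validator against the override module on the MS before invoking installCustomTests; a non-empty result is a reason not to push.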
  • Page 201: Nac Policies

    NAC Policies NAC policies are collections of tests that evaluate remote endpoints attempting to connect to your network. You can use the standard tests installed with Novell ZENworks Network Access Control, or you can create your own custom tests. NOTE: The default NAC policy is indicated by the check mark on the icon to the left of the NAC policy name.
  • Page 202: Standard Nac Policies

    The following figure shows the legend explaining the NAC policies icons: NAC Policies Window Legend Figure 6-2 6.1 Standard NAC Policies Novell ZENworks Network Access Control ships with three standard NAC policies: High security Low security Medium security NAC policies are organized in groups. Groups include the clusters defined for your system, a Default group, and any other groups you create.
  • Page 203: Add A Nac Policy Group

    6.2.1 Add a NAC Policy Group To add a NAC policy group: Home window>>NAC policies 1 Click Add a NAC policy group. The Add NAC policy group window opens: Add NAC Policy Group Figure 6-3 2 Type a name for the group in the Name of NAC policy group text box. 3 Optional : Select the check box next to any NAC policy to move to this group.
  • Page 204: Editing A Nac Policy Group

    NAC policies associated with the group. 3 Select delete next to the NAC policy group you want to delete. A confirmation window appears. 4 Click yes on the Delete NAC policy group confirmation window.
  • Page 205: Nac Policy Tasks

    6.3 NAC Policy Tasks The following sections contain more information: Section 6.3.1, “Enabling or Disabling a NAC Policy,” on page 205 Section 6.3.2, “Selecting the Default NAC Policy,” on page 205 Section 6.3.3, “Creating a New NAC Policy,” on page 206 Section 6.3.4, “Editing a NAC Policy,”...
  • Page 206: Creating A New Nac Policy

    5 Select either the enabled radio button or the disabled radio button. 6 Select the operating systems that will not be tested but are allowed network access: Windows ME, Windows 98, Windows 95, Windows NT; UNIX; all other unsupported OSs.
  • Page 207 7 In the Retest frequency area, enter how frequently Novell ZENworks Network Access Control should retest a connected machine. TIP: A lower number ensures higher security, but puts more load on the Novell ZENworks Network Access Control server. 8 In the Inactive endpoints area, enter how long an end-user can be inactive before they are quarantined.
  • Page 208 16 Select the test properties for this test. For more information about the specific tests, see Appendix B, “Tests Help,” on page 393. 17 Select an action to take when an endpoint fails this test (see Section 6.3.14, “Selecting Action Taken,” on page 211). 18 Click ok.
  • Page 209: Editing A Nac Policy

    TIP: Selecting the Send an email notification option sends an email to the address you identified in Novell ZENworks Network Access Control Home window>>System Configuration>>Notifications area. This option is defined per cluster. 6.3.4 Editing a NAC Policy To edit an existing NAC policy: Home window>>NAC policies...
  • Page 210: Assigning Endpoints And Domains To A Policy

    To set the time to wait before retesting a connected endpoint: Home window>>NAC policies>>Select a NAC Policy>>Basic settings menu option 1 In the Retest frequency area, enter how frequently in minutes, hours, or days Novell ZENworks Network Access Control should retest a connected endpoint.
  • Page 211: Defining Non-Supported Os Access Settings

    To set the time an end-user can be inactive: Home window>>NAC policies>>Select a NAC Policy>>Basic settings menu option 1 In the Inactive endpoints area, enter how long an end-user can be inactive before they are quarantined. TIP: A lower number ensures higher security. 2 Click ok.
  • Page 212: About Novell Zenworks Network Access Control Tests

    6.4 About Novell ZENworks Network Access Control Tests Novell ZENworks Network Access Control tests are assigned to NAC policies. NAC policies are used to test endpoints attempting to connect to your network. Novell ZENworks Network Access Control tests might be updated as often as hourly; however, at the time of this release, the tests shown in Appendix B, “Tests Help,”...
  • Page 213: Viewing Information About Tests

    <vendor>\<software package>\<version> For example, Mozilla\Mozilla Firefox 1.5.0.6 You can enter any combination of these keys in the Novell ZENworks Network Access Control text entry fields to detect a vendor, software package and version on an endpoint (for example, you can also enter Mozilla\Firefox or simply Mozilla) and Novell ZENworks Network Access Control searches for them in the HKEY_LOCAL_MACHINE\Software registry key sub-tree.
  • Page 214 Service names must be entered exactly as they appear in the Control panel>>Administrative tools>>Services application. TIP: Enter the names of software and services in the Novell ZENworks Network Access Control text entry field separated by a carriage return. The following are examples of services:...
  • Page 215: Test Icons

    6.4.3 Test Icons The NAC policy tests show icons that represent the test failure action selected as shown in the following figure: NAC Policy Test Icons Figure 6-9
  • Page 217: Quarantined Networks

    NOTE: In DHCP mode, if an endpoint with an unsupported OS already has a DHCP-assigned IP address, Novell ZENworks Network Access Control cannot affect this endpoint in any way until the lease on the existing IP address for that endpoint expires. If an endpoint with an unsupported OS has a static IP address, Novell ZENworks Network Access Control cannot affect this endpoint in any way.
  • Page 218: Using Ports In Accessible Services And Endpoints

    7.2 Using Ports in Accessible Services and Endpoints To use a port number when specifying accessible services and endpoints (cluster default): Home window>>System configuration>>Accessible services
  • Page 219 The following figure shows the Accessible services window: System Configuration, Accessible Services Figure 7-1 In order to grant access for quarantined endpoints to needed services, add entries to the Accessible services list. For inline enforcement mode, enter the IP addresses of the servers that provide the services.
  • Page 220: Always Granting Access To An Endpoint

    1b In the Windows domains area, enter one or more domain names separated by carriage returns. 2 Click ok. IMPORTANT: If you enter the same endpoint for both options in the Endpoint testing exceptions area, the Allow access without testing option is used.
  • Page 221: Always Quarantining An Endpoint

    If the endpoint is not authenticated, it is quarantined (allowed access to a limited VLAN). If the endpoint is authenticated, it is tested by Novell ZENworks Network Access Control. If the endpoint fails the Novell ZENworks Network Access Control testing, it is quarantined (allowed access to a limited VLAN).
  • Page 222: Untestable Endpoints And Dhcp Mode

    The IP address granted by your DHCP server has a lease expiration period that cannot be affected by the Novell ZENworks Network Access Control server. Once an untested endpoint has been allowed access and assigned a non-quarantined IP address by your DHCP server, that endpoint has continual access through that IP address until the IP address lease expires.
  • Page 223 5 Ensure that the following ports on the domain controller/active directory (DC/AD) servers are available from quarantine: 135-139 and 1025. Novell ZENworks Network Access Control then looks up the Kerberos and LDAP services and resolves them within its own DNS server used for quarantined devices. For example: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 88 dc01.lvh.com...
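The SRV records the quarantine DNS server hands out name the domain controllers and ports a quarantined endpoint needs, so the accessible-services list must cover every target those records can resolve to, not only the preferred one. The following is an added example, not part of the Novell guide or product: it parses zone-file SRV lines in the form shown above and derives the host/port pairs that must be reachable from quarantine, including every priority level so that the client's fallback path works when the primary DC is down. SRV_RECORDS is constructed for this example (lvh.com and dc01 come from the page; dc02 and the LDAP records are added), and AD_FIXED_PORTS restates the ports listed in step 5.

```python
"""Derive quarantine allow-list entries from the SRV records the page describes.

Added example, not the product's own logic. SRV_RECORDS is constructed: the first
line is the page's example, the other three are added to exercise priority and
weight handling.
"""
import re
from collections import defaultdict

SRV_RECORDS = """\
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 88 dc01.lvh.com
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 10 100 88 dc02.lvh.com.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 50 389 dc01.lvh.com.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 50 389 dc02.lvh.com.
"""

# Ports the page's step 5 requires on every DC/AD server from quarantine.
AD_FIXED_PORTS = list(range(135, 140)) + [1025]

SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv(text):
    """Parse zone-file SRV lines into dicts; lines that do not parse are skipped."""
    records = []
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for field in ("ttl", "prio", "weight", "port"):
            rec[field] = int(rec[field])
        rec["target"] = rec["target"].rstrip(".")          # trailing dot is optional
        rec["service"] = rec["name"].split(".")[0].lstrip("_")  # _kerberos -> kerberos
        records.append(rec)
    return records


def quarantine_endpoints(records):
    """Sorted (host, port, service) triples a quarantined endpoint must reach.

    RFC 2782 clients try the lowest priority first and fall back to higher
    priorities only on failure. An allow-list containing just the priority-0
    server works until that DC is down, at which point every quarantined machine
    loses domain logon. Every priority level is therefore included.
    """
    by_service = defaultdict(list)
    for rec in records:
        by_service[rec["service"]].append(rec)
    allow = set()
    for service, recs in by_service.items():
        for rec in sorted(recs, key=lambda r: (r["prio"], -r["weight"])):
            allow.add((rec["target"], rec["port"], service))
    return sorted(allow)


def accessible_services(records, fixed_ports=AD_FIXED_PORTS):
    """Accessible-services style table: DC host -> sorted list of ports.

    Each DC named in an SRV record gets its SRV port (88 Kerberos, 389 LDAP)
    plus the fixed DC/AD ports from the page.
    """
    table = defaultdict(set)
    for host, port, _service in quarantine_endpoints(records):
        table[host].add(port)
        table[host].update(fixed_ports)
    return {host: sorted(ports) for host, ports in table.items()}


if __name__ == "__main__":
    for host, ports in sorted(accessible_services(parse_srv(SRV_RECORDS)).items()):
        print(host, ports)
```

Feed the output into the Accessible services list (Section 7.2) rather than opening the whole DC subnet; the per-host, per-port form keeps the quarantine network from reaching anything the logon path does not need.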
  • Page 225: High Availability And Load Balancing

    Home window. For example, if an ES is unavailable, the notification indicates that at the top of the Home window. When Novell ZENworks Network Access Control is installed inline in a multiple-server configuration (Figure 8-1 on page 226), the multiple ESs form a network loop (an undesired condition).
  • Page 226 Inline Installations Figure 8-1
  • Page 227 DHCP Installation Figure 8-2
  • Page 228: Load Balancing

    Load balancing distributes the testing of endpoints across all Novell ZENworks Network Access Control ESs in a cluster. Novell ZENworks Network Access Control uses a hashing algorithm based on MAC or IP addresses to divide the endpoints between the ESs.
  • Page 229: Inline Quarantine Method

    This is an undesirable situation. To prevent this, you may have to configure the switch that connects the Novell ZENworks Network Access Control ESs to use Spanning Tree Protocol (STP), if STP is not already configured. The STP automatically detects the loop, and closes one of the offending ports on the switch based on the switch configuration.
  • Page 230 Inline Installations Figure 9-1 TIP: You can install Novell ZENworks Network Access Control at any “choke point” in your network; a VPN is not required.
  • Page 231: Dhcp Quarantine Method

    Quarantine areas are defined on a per-cluster basis and pushed down to all ESs joined to that cluster. See the Novell ZENworks Network Access Control Installation Guide for more information on installing Novell ZENworks Network Access Control in DHCP mode.
  • Page 232: Configuring Novell Zenworks Network Access Control For Dhcp

    10.1 Configuring Novell ZENworks Network Access Control for DHCP The primary configuration required for using Novell ZENworks Network Access Control and DHCP is setting up the quarantine area (see Section 10.1.1, “Setting up a Quarantine Area,” on page 232). You should also review the following topics related to quarantining endpoints: Endpoint quarantine precedence (see Section 7.1, “Endpoint Quarantine Precedence,”...
  • Page 233: Configuring Windows Update Service For Xp Sp2

    In order to sufficiently restrict access to and from the quarantine area, you must configure your router Access Control Lists (ACLs) as follows: Allow traffic to and from the Novell ZENworks Network Access Control server and the quarantined network. If you want to allow access to other endpoints outside of the quarantine area (for example a Software Update Service (SUS) server), allow access to the server and port to and from the quarantined network.
  • Page 235: 802.1X Quarantine Method

    802.1X Quarantine Method The following sections contain more information: Section 11.1, “About 802.1X,” on page 235 Section 11.2, “Novell ZENworks Network Access Control and 802.1X,” on page 236 Section 11.3, “Setting up the 802.1X Components,” on page 239 11.1 About 802.1X 802.1X is a port-based authentication protocol that can dynamically vary encryption keys, and has...
  • Page 236: Novell Zenworks Network Access Control And 802.1X

    If successful, IAS then calls the Novell ZENworks Network Access Control plug-in, which asks Novell ZENworks Network Access Control for the health status of the endpoint. You can configure up to six Novell ZENworks Network Access Control server URLs. The plug-in reads the list of servers over and over (iterates) attempting to connect to one of them.
  • Page 237 Novell ZENworks Network Access Control overrides the RADIUS attributes which specify to the switch which VLAN to place the endpoint in if necessary. Novell ZENworks Network Access Control then returns the authentication results to the switch. Using the built-in Novell ZENworks Network Access Control RADIUS server With this method, all authentication takes place on the Novell ZENworks Network Access Control server.
  • Page 238 When Novell ZENworks Network Access Control is used in an 802.1X network, the configuration is as shown in Figure 11-2 on page 238, and the communication flow is shown in Figure 11-3 on page 239. ZENworks Network Access Control 802.1X Enforcement...
  • Page 239: Setting Up The 802.1X Components

    802.1X Communications Figure 11-3 11.3 Setting up the 802.1X Components In order to use Novell ZENworks Network Access Control in an 802.1X environment, Novell recommends configuring your environment first, then installing and configuring Novell ZENworks Network Access Control. This section provides instructions for the following: Section 11.3.1, “Setting up the RADIUS Server,”...
  • Page 240: Setting Up The Radius Server

    Using the Novell ZENworks Network Access Control IAS Plug-in with the Microsoft IAS RADIUS Server This section provides instructions for installing the Novell ZENworks Network Access Control IAS plug-in into the Microsoft IAS RADIUS server. TIP: For an explanation of how the components communicate, see Section 11.2, “Novell...
  • Page 241 To add IAS to the Windows Server 2003 installation: Windows desktop>>Start>>Settings>>Control Panel>>Add or remove programs 1 In the left column, click Add/Remove Windows Components. The Windows Components Wizard window appears, as shown in the following figure. Windows Components Wizard Figure 11-4 2 Select the Networking Services check box.
  • Page 242 IAS, Register Server in Active Directory Figure 11-6 4a Right-click on Internet Authentication Service (local) 4b Select Properties (Figure 11-7 on page 242). The Properties window appears (Figure 11-8 on page 243). IAS, Properties Option Figure 11-7
  • Page 243 IAS, Properties Figure 11-8 4c General tab — 1. Enter a descriptive name in the Server Description text box. For example, IAS. 2. Select the Rejected authentication requests check box. 3. Select the Successful authentication requests check box. 4d Ports tab — 1.
  • Page 244 5g Enter a password in the Shared secret text box. This password also needs to be entered when you configure the authenticator. NOTE: See your system administrator to obtain the shared secret for your switch. 5h Re-enter the password in the Confirm shared secret text box.
  • Page 245 5i Select the Request must contain the Message Authenticator attribute check box. 5j Click Finish. 6 Repeat Step 5 on page 243 for every authenticator in your system that uses this RADIUS server. 7 Create a Remote Access Policy: If you already have an 802.1X environment configured, you already have a Remote Access Policy defined;...
  • Page 246 7h Click Next. IAS, Remote Access Policy, Group Access Figure 11-13 7i You can configure your Access policy by user or group. This example uses the group method. Select the Group radio button.
  • Page 247 7j Click Add. The Select Groups pop-up window appears: IAS, Remote Access Policy, Find Group Figure 11-14 7k Click Advanced. IAS, Remote Access Policy, Select Group Figure 11-15 7l Click Find Now to populate the Search Results area. 7m Select Domain Guests. 7n Click OK.
  • Page 248 NOTE: To import the certificate manually: 1. Right-click on the Personal folder>>select All Tasks>>Import. 2. When the wizard opens, click Next. 3. Enter the path to the Novell ZENworks Network Access Control certificate, for example: D:\support\ias\compliance.keystore.cer 4. Click Next, Next, and Finish.
  • Page 249 Certificate. NOTE: To import the certificate manually: 1. Right-click on the Personal folder>>select All Tasks>>Import. 2. When the wizard opens, click Next. 3. Enter the path to the Novell ZENworks Network Access Control certificate, for example: D:\support\ias\compliance.keystore.cer 4. Click Next, Next, and Finish. 9j Follow the instructions to generate a certificate request. If there are no certificate...
  • Page 250 The Protected EAP Properties window appears, as shown in the following figure: Protected EAP Properties Figure 11-18 10 Configure the new Remote Access Policy. IAS, Remote Access Policy, Properties Figure 11-19 10a Select Remote Access Policies.
  • Page 251 10b In the right pane, right-click the new policy name and select Properties. The Guest Policy Properties window appears: IAS, Remote Access Policy, Configure Figure 11-20 10c Click Edit Profile. The Edit Dial-in Profile window appears. 1. Authentication tab — Select the check boxes for the authentication methods you will allow.
  • Page 252 14. Select Tunnel-Type. (Adding the third of the three attributes.) 15. Click Add. 16. Click Add again on the next window. 17. From the Attribute value drop-down list, select Virtual LANS (VLAN). 18. Click OK.
  • Page 253 19. Click OK. 20. Click OK. 11 Repeat step 9 for every VLAN group defined in Active Directory. IMPORTANT: The order of the connection attributes should be most-specific at the top, and most-general at the bottom. 12 Turn on remote access logging 12a Click on Remote Access Logging.
  • Page 254 IAS after the RADIUS authentication of an endpoint and during the authorization phase. The connector contacts Novell ZENworks Network Access Control and asks for the posture of the endpoint. Depending on the posture of the endpoint, the plug-in can return RADIUS attributes to your switch instructing it into which VLAN to place an endpoint.
  • Page 255 4. Click OK. IAS, Add/Remove Snap-in Figure 11-24 5. Select File>>Add/Remove Snap-in. 6. Click Add. IAS, Add/Remove Snap-in, Certificates Figure 11-25 7. Select Certificates. 8. Click Add. 9. Select the Computer account radio button. 10. Click Next. 11. Select the Local computer: (the computer this console is running on) radio button.
  • Page 256 15. Right-click on Console Root>>Certificates (Local Computer)>>Trusted Root Certificate Authorities. 16. Select All tasks>>import. 17. Click Next. 18. Click Browse and choose the certificate. The Novell ZENworks Network Access Control server certificate is located on the CD-ROM in support/ias/compliance.keystore.cer 19. Click Next.
  • Page 257 14b Enable the Authorization DLL file. At startup, IAS checks the registry for a list of third- party DLL files to call. 1. Click Start. 2. Select Run. 3. Enter regedit. 4. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services 5. Create an AuthSrv folder if it does not already exist. (Edit>>New>>Key) 6.
  • Page 258 5. Right-click Default Domain Policy and select Edit (click OK if you get a global changes pop-up message). Active Directory, Store Passwords Figure 11-28 6. Navigate to Computer Configuration>>Windows Settings>>Security Settings>>Account Policies>>Password Policy. 7. Select Password Policy. 8. Right-click Store passwords using reversible encryption. IMPORTANT: This setting is needed only because the MD5-Challenge EAP type used in this example requires the domain controller to hold a recoverable copy of each user's password. Enabled in the Default Domain Policy it weakens password storage for every account in the domain; if you must use MD5-Challenge, prefer the per-account Store password using reversible encryption option on the specific 802.1X accounts, or use Protected EAP (see the Protected EAP Properties step), which does not need reversible storage at all.
  • Page 259 9. Select the Enabled check box. 10. Click OK. 11. Close the Group Policy Object Editor window. 12. Close the Group Policy Management window. 13. Close the <Active Directory Name> Properties window. 16 Create active directory user accounts. 16a From the Windows Server 2003 machine, select Start>>Settings>>Control Panel>>Administrative Tools>>Active Directory Users and Computers.
  • Page 260 17c Select the Users folder. Active Directory Users and Computers Figure 11-29 17d Right-click a user name and select Properties. The Properties window appears: Active Directory User Account Properties Figure 11-30
  • Page 261 17i Click OK. 17j Repeat from step a for each user account. Proxying RADIUS Requests to an Existing RADIUS Server Using the Built-in Novell ZENworks Network Access Control RADIUS Server TIP: For an explanation of how the components communicate, see Section 11.2, “Novell...
  • Page 262 NOTE: The realm NULL section must go after the realm LOCAL section, or you can comment out the realm LOCAL section. 2 Configure your RADIUS server to allow the Novell ZENworks Network Access Control IP address as a client with the shared secret specified in the previous step. See your RADIUS server’s documentation for instructions on how to configure allowed clients.
  • Page 263 Tunnel-Type := VLAN, "QuarantineRadiusAttributes" Tunnel-Medium-Type := 6, Tunnel-Private-Group-ID := 15, Tunnel-Type := VLAN, "InfectedRadiusAttributes" Tunnel-Medium-Type := 6, Tunnel-Private-Group-ID := 15, Tunnel-Type := VLAN, "UnknownRadiusAttributes" Tunnel-Medium-Type := 6, Tunnel-Private-Group-ID := 5, Tunnel-Type := VLAN, # Use these attributes for Extreme switches #"HealthyRadiusAttributes"...
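The users-file excerpt above maps each posture outcome to the three RFC 3580 tunnel attributes a switch needs to assign a VLAN. What the excerpt does not show is what happens to a posture token the file does not know, or an empty one returned when the ES is unreachable; in a RADIUS setup that is where endpoints silently end up in production. The following is an added example, not the product's RADIUS configuration or code: it builds the attribute set for a posture token with a fail-closed default and renders it in the users-file layout shown above. VLAN 15 for quarantine/infected and VLAN 5 for unknown follow the excerpt; VLAN 1 for healthy and the reading of "checkup" as "tested, failing, but inside a temporary access period" (taken from the page's DeviceTestedEvent sample, which pairs postureToken checkup with lastTestStatusId FAILED and accessStatusId ALLOWED_BY_POLICY) are this example's assumptions.

```python
"""Posture token -> RADIUS VLAN attributes, with a fail-closed default.

Added example, not the product's RADIUS configuration. VLAN 15 (quarantine,
infected) and 5 (unknown) follow the page's users-file excerpt; VLAN 1 for
healthy/checkup is an assumption.
"""

VLAN_BY_POSTURE = {
    "healthy": 1,
    "checkup": 1,        # assumed: failing test(s) but inside a temporary access period
    "quarantine": 15,
    "infected": 15,
    "unknown": 5,        # the page's sample puts untested endpoints in VLAN 5 (guest VLAN)
}
QUARANTINE_VLAN = 15


def vlan_for(posture, fail_closed=True):
    """Pick the VLAN for a posture token.

    With fail_closed=True any token the table does not know (a new token in a
    later ES release, an empty posture because the ES could not be reached) goes
    to the quarantine VLAN instead of raising or defaulting to production.
    """
    token = (posture or "").strip().lower()
    if token in VLAN_BY_POSTURE:
        return VLAN_BY_POSTURE[token]
    if fail_closed:
        return QUARANTINE_VLAN
    raise ValueError("unmapped posture token: %r" % posture)


def radius_vlan_attributes(posture):
    """The three tunnel attributes (RFC 3580) a switch uses for dynamic VLAN assignment."""
    return {
        "Tunnel-Type": "VLAN",            # value 13 on the wire
        "Tunnel-Medium-Type": 6,          # IEEE-802
        "Tunnel-Private-Group-ID": str(vlan_for(posture)),
    }


def users_file_block(name, posture):
    """Render one named block in the users-file layout the page shows."""
    items = list(radius_vlan_attributes(posture).items())
    lines = ['"%s"' % name]
    for i, (key, value) in enumerate(items):
        lines.append("    %s := %s%s" % (key, value, "," if i < len(items) - 1 else ""))
    return "\n".join(lines)


def unhealthy_outside_quarantine(table=VLAN_BY_POSTURE, quarantine_vlan=QUARANTINE_VLAN):
    """Tokens other than healthy/checkup that do not land in the quarantine VLAN.

    Run this against the mapping before deploying: with the page's numbers it
    reports 'unknown', i.e. an endpoint whose posture is not yet known gets the
    guest VLAN rather than quarantine. That may be intended, but decide it
    deliberately.
    """
    return sorted(t for t, v in table.items()
                  if t not in ("healthy", "checkup") and v != quarantine_vlan)


if __name__ == "__main__":
    for name, posture in (("HealthyRadiusAttributes", "healthy"),
                          ("QuarantineRadiusAttributes", "quarantine"),
                          ("UnknownRadiusAttributes", "unknown")):
        print(users_file_block(name, posture))
    print("outside quarantine while not healthy:", unhealthy_outside_quarantine())
```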
  • Page 264: Enabling Novell Zenworks Network Access Control For 802.1X

    11.3.2 Enabling Novell ZENworks Network Access Control for 802.1X To enable Novell ZENworks Network Access Control for use in an 802.1X network, you need to select it in the user interface, and make a few changes to the properties using JMS and an XML file.
  • Page 265: Setting Up The Supplicant

    2 In 802.1X enforcement mode, the ESs must be able to watch DHCP conversations and detect endpoints by sniffing network traffic as it flows between the DHCP server and the endpoints. Select one of the following radio buttons: remote — In more complex deployments, it is often impossible (in the case of multiple ESs or multiple DHCP servers) or undesirable to span switch ports.
  • Page 266 3 Select the General tab. 4 Select the Show icon in notification area when connected check box. This enables the Windows XP balloon help utility, which can assist you when entering information and troubleshooting errors.
  • Page 267 5 Select the Authentication tab. Windows XP Pro Local Area Connection Properties, Authentication Tab Figure 11-33 6 Select the Enable IEEE 802.1X authentication for this network check box. 7 Select an EAP type from the drop-down list. For this example, select MD5-Challenge. IMPORTANT: This EAP type must match the EAP type selected in Step 7q on page 248.
  • Page 268 Windows desktop>>Start>>Settings>>Control Panel>>Administrative Tools>>Services 1a Select Wireless Configuration. If the Status column does not already show Started, start the service: 1. Right click on Wireless Configuration. 2. Select Start. 1b Close the Services window.
  • Page 269 2 Configure the network connections: Windows desktop>>Start>>Settings>>Control Panel>>Network and Dial-up Connections 2a Right-click on Local Area Connection. Select Properties. The Local Area Connection window appears. Windows 2000 Local Area Connection Properties, General Tab Figure 11-34 2b Select the General tab. 2c Select the Show icon in taskbar when connected check box.
  • Page 270 Figure 11-36 1b Select Automatic from the Startup type drop-down list. 1c Click Start in the Service status area. 1d Click OK. 1e Close the Services window. 2 Configure the network connections:
  • Page 271 Windows desktop>>Start>>Settings>>Network Connections 3 Right-click on Local Area Connection. 4 Select Properties. The Local Area Connection window appears: Windows Vista Local Area Connection, Networking Tab Figure 11-37 5 Select the Authentication tab. Windows Vista Local Area Connection Properties, Authentication Tab Figure 11-38 6 Select the Enable IEEE 802.1X authentication check box.
  • Page 272: Setting Up The Authenticator

    30 dot1x guest-vlan 5 dot1x reauthentication spanning-tree portfast interface FastEthernet0/2 switchport mode access dot1x port-control auto dot1x timeout quiet-period 30 dot1x guest-vlan 5 dot1x reauthentication spanning-tree portfast interface FastEthernet0/3
  • Page 273 switchport mode access dot1x port-control auto dot1x timeout quiet-period 30 dot1x guest-vlan 5 dot1x reauthentication spanning-tree portfast interface FastEthernet0/4 switchport mode access dot1x port-control auto dot1x timeout quiet-period 30 dot1x guest-vlan 5 dot1x reauthentication spanning-tree portfast ip http server radius-server host 10.11.100.10 auth-port 1812 acct-port 1813 key mysecretpassword radius-server retransmit 3...
  • Page 274 RADIUS users file. TIP: Change the admin password to a non-blank password. create vlan "Quarantine" create vlan "Test" # RADIUS configuration enable radius configure radius primary shared-secret encrypted "ouzoisgprdr#s{fqa"
  • Page 275 configure radius primary server 10.50.32.10 1812 client-ip 10.50.32.254 # Network Login Configuration enable netlogin port 1 vlan Default enable netlogin port 2 vlan Default enable netlogin port 3 vlan Default enable netlogin port 4 vlan Default enable netlogin port 5 vlan Default enable netlogin port 6 vlan Default enable netlogin port 7 vlan Default enable netlogin port 8 vlan Default...
  • Page 276 5 instead of security-suite 6 wpa-wpa2. HP ProCurve 530AP This section shows how to configure the security settings on the 530AP so that user access may be controlled using Dynamic VLAN provisioning. 276 Novell ZENworks Network Access Control Users Guide...
  • Page 277 ProCurve Access Point 530#conf ProCurve Access Point 530(config)#interface ethernet ProCurve Access Point 530(ethernet)#ip address <IP of Access Point > Netmask ProCurve Access Point 530(ethernet)#ip default-gateway <IP of Gateway> ProCurve Access Point 530(ethernet)#management-vlan 200 ProCurve Access Point 530(ethernet)#untagged-vlan 200 ProCurve Access Point 530(radio1-wlan1)#ssid Enterprise530 ProCurve Access Point 530(radio1-wlan1)#closed ProCurve Access Point 530(radio1-wlan1)#vlan 100 ProCurve Access Point 530(radio1-wlan1)#security wpa-8021x...
  • Page 278 ! *** EAP *** eapol enable interface FastEthernet ALL eapol port 1-2 status auto traffic-control in-out re-authentication enable re-authentication-period 3600 re-authenticate quiet-interval 60 transmit-interval 30 supplicant-timeout 30 server-timeout 30 max-request 2
  • Page 279 As an example, the following figures show the initial scripts used for a Nortel device in the Novell ZENworks Network Access Control user interface.
  • Page 280 Skips the command if the value captured from the last regular expression doesn't match the specified expression (the expression may contain spaces if wrapped in double quotes). ifset Skips the command if the specified variable is not set.
  • Page 281 Expect Script Variables Variables referenced with the syntax ${VARIABLE_NAME} will be substituted with the value of the variable at execution time. The following variables may be referenced anywhere: USERNAME — The username used to log in to the device PASSWORD — The password used to log in to the device ENABLE_USERNAME —...
  • Page 282 -regex (Username:|Password:|>) send -ifmatched Username: ${USERNAME} expect -ifmatched Username: -regex (Password:|>) send -ifmatched Password: ${PASSWORD} expect -ifmatched Password: > Reauthorization script: send set dot1x port ${PORT} init expect > Exit script: send exit
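The login script above only works because of the skip semantics: on a device that drops straight to the ">" prompt, the -ifmatched guards skip the username and password lines, while on one that prompts for credentials the same script walks through both. The following is an added example, not the product's script engine: a small interpreter for the send/expect dialect described on the preceding pages (-regex, -ifmatched, -ifset and ${VAR} substitution, implemented from the page's descriptions), run against a constructed FakeSwitch that stands in for a device CLI. The three scripts are the page's own login, reauthorization and exit scripts; the password masking in the log and the behaviour on an unset variable are this example's choices.

```python
"""Interpreter for the send/expect script dialect described on the page.

Added example, not the product's engine. FakeSwitch is a constructed stand-in
for a device CLI; the skip and substitution rules follow the page's text.
"""
import re
import shlex

LOGIN_SCRIPT = """
expect -regex (Username:|Password:|>)
send -ifmatched Username: ${USERNAME}
expect -ifmatched Username: -regex (Password:|>)
send -ifmatched Password: ${PASSWORD}
expect -ifmatched Password: >
"""
REAUTH_SCRIPT = "send set dot1x port ${PORT} init\nexpect >"
EXIT_SCRIPT = "send exit"


class FakeSwitch:
    """Constructed device: optional Username:/Password: prompts, then an exec prompt."""

    def __init__(self, username=None, password=None):
        self.username, self.password = username, password
        self.state = "login" if username else "exec"
        self.commands = []            # commands accepted at the exec prompt

    def read(self):
        return {"login": "Username:", "password": "Password:", "exec": "switch>"}[self.state]

    def write(self, line):
        if self.state == "login":
            self.state = "password" if line == self.username else "login"
        elif self.state == "password":
            self.state = "exec" if line == self.password else "login"   # bad password
        else:
            self.commands.append(line)


def substitute(text, variables):
    """Expand ${NAME}; an unset name raises rather than sending a half-built command."""
    def repl(m):
        if m.group(1) not in variables:
            raise KeyError("unset script variable %s" % m.group(1))
        return str(variables[m.group(1)])
    return re.sub(r"\$\{(\w+)\}", repl, text)


def run_script(script, variables, device, log):
    """Execute one script against device, appending to log; raises on a failed expect."""
    secrets = {v for k, v in variables.items() if "PASSWORD" in k and v}
    last = None                       # value captured by the most recent expect
    for raw in script.strip().splitlines():
        tokens = shlex.split(raw)     # honours the double-quoted expressions the page allows
        if not tokens:
            continue
        cmd, args, rest = tokens[0], tokens[1:], []
        use_regex, if_matched, if_set = False, None, None
        i = 0
        while i < len(args):
            if args[i] == "-regex":
                use_regex = True
            elif args[i] == "-ifmatched":
                if_matched, i = args[i + 1], i + 1
            elif args[i] == "-ifset":
                if_set, i = args[i + 1], i + 1
            else:
                rest.append(args[i])
            i += 1
        # Conditions are checked before substitution, so a skipped line may name
        # variables that are not set (no USERNAME on a device with an open CLI).
        if if_matched is not None and not re.fullmatch(if_matched, last or ""):
            log.append("skip: " + raw)
            continue
        if if_set is not None and not variables.get(if_set):
            log.append("skip: " + raw)
            continue
        text = substitute(" ".join(rest), variables)
        if cmd == "send":
            device.write(text)
            log.append("send: " + ("****" if text in secrets else text))
        elif cmd == "expect":
            out = device.read()
            m = re.search(text, out) if use_regex else (text if text in out else None)
            if m is None:
                raise RuntimeError("expected %r, device said %r" % (text, out))
            last = m.group(0) if use_regex else text
            log.append("expect: " + last)
        else:
            raise ValueError("unknown command %r" % cmd)


def reauthorize(device, variables):
    """Log in, bounce the port's 802.1X session, log out. Returns (commands sent, log)."""
    log = []
    for script in (LOGIN_SCRIPT, REAUTH_SCRIPT, EXIT_SCRIPT):
        run_script(script, variables, device, log)
    return device.commands, log


if __name__ == "__main__":
    cmds, log = reauthorize(FakeSwitch("admin", "s3cret"),
                            {"USERNAME": "admin", "PASSWORD": "s3cret", "PORT": "3"})
    print(cmds)
    print("\n".join(log))
```

Two details worth carrying into a real deployment: a wrong password surfaces as a failed expect rather than a silently skipped reauthorization, and the session log never contains the device credentials, which matters because these logs tend to end up in support bundles.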
  • Page 283: Api

    Section 12.5, “Novell ZENworks Network Access Control Requests Supported,” on page 289 12.1 Overview The Novell ZENworks Network Access Control Application Programming Interface (API) is based on the Java Message Service (JMS). Novell ZENworks Network Access Control ships with version 3.1 of the ActiveMQ JMS provider (http://activemq.apache.org/), an open source implementation of...
  • Page 284: Setting Novell Zenworks Network Access Control Properties

    DeviceChangeEvent to that topic. 12.2 Setting Novell ZENworks Network Access Control Properties Most Novell ZENworks Network Access Control properties are set by default. To change or set properties, you must change the properties as described in Section 16.5.10, “Changing Properties,”...
  • Page 285: Setting Firewall Rules

    12.4 Novell ZENworks Network Access Control Events Generated The following Novell ZENworks Network Access Control events can be generated: DeviceTestedEvent — Identifies the endpoint that was tested and the results of the tests DeviceChangeEvent — Identifies the endpoint and its current state The following sections contain more information: Section 12.4.1, “Examples of Events Generated,”...
  • Page 286: Examples Of Events Generated

    <postureToken>healthy</postureToken> <nodeId>b198ada2-06ce-4e30-bbb9-bcc11ffa777b</nodeId> <clusterId>5b227ee9-5085-4bbc-9c6f-dd57900eaa1f</clusterId> <accessStatusId>QUARANTINED_BY_POLICY</accessStatusId> <nextTestTime>1157049566000</nextTestTime> <nadPort></nadPort> <nadIP></nadIP> <sessionAccess>-1</sessionAccess> <sessionAccessEnd>0</sessionAccessEnd> <otherDeviceProperties> <entry> <string>OS</string> <string>Windows</string> </entry> </otherDeviceProperties> <lastUpdateTime>1157045949373</lastUpdateTime> <testingMethod>NONE</testingMethod> </device> <ip>10.1.70.101</ip> <id>b198ada2-06ce-4e30-bbb9-bcc11ffa777b</id> <originalTimeStamp>1157045949373</originalTimeStamp> </MNMDeviceChangeEvent> <MNMDeviceTestedEvent> <device> <uniqueId>58511c4a0895a1c33792de48264262f4</uniqueId> <ip>10.1.1.13</ip> <mac>00:11:25:AB:92:7A</mac> <netbiosName>UNITY</netbiosName> <domainName>MyCompany</domainName> <userName>administrator</userName> <password>changeme</password> <loggedOnUser>administrator</loggedOnUser>
  • Page 287 <os>Windows</os> <osDetails>2000 SP4</osDetails> <policyId>LowSecurity</policyId> <lastTestTime>1157046206801</lastTestTime> <lastTestStatusId>FAILED</lastTestStatusId> <gracePeriod>604800</gracePeriod> <gracePeriodStart>1157042301000</gracePeriodStart> <createTime>1157042283000</createTime> <lastActivityTime>1157046201262</lastActivityTime> <lastConnectTime>1157040486000</lastConnectTime> <lastDisconnectTime>0</lastDisconnectTime> <postureToken>checkup</postureToken> <nodeId>b198ada2-06ce-4e30-bbb9-bcc11ffa777b</nodeId> <clusterId>5b227ee9-5085-4bbc-9c6f-dd57900eaa1f</clusterId> <accessStatusId>ALLOWED_BY_POLICY</accessStatusId> <nextTestTime>1157053406845</nextTestTime> <nadPort></nadPort> <nadIP></nadIP> <sessionAccess>-1</sessionAccess> <sessionAccessEnd>0</sessionAccessEnd> <otherDeviceProperties> <entry> <string>OS</string> <string>Windows</string> </entry> </otherDeviceProperties> <lastUpdateTime>1157046206846</lastUpdateTime> <testingMethod>AGENTLESS</testingMethod> </device> <testResults> <TestResultInfo> <timestamp>1157046206801</timestamp> <gracePeriod>604800</gracePeriod> <testName>Windows 2000 hotfixes</testName> <testClass>Check2000HotFixes</testClass> <testModule>check2000HotFixes</testModule> <testGroup>OperatingSystem</testGroup> <actionsTaken>access allowed, temporary access period continuing from 8/31/06 10:38 AM, email not sent</actionsTaken>...
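Two things stand out in the DeviceTestedEvent sample above: the event carries the credentials the ES used to test the endpoint (the userName and password elements) in the clear on the JMS topic, and it describes an endpoint that FAILED its test yet has accessStatusId ALLOWED_BY_POLICY because a temporary access period is running. The following is an added example, not part of the product's API or sample code: a consumer that extracts the fields a SOC would track from such an event, computes when the temporary access period ends from gracePeriodStart (epoch milliseconds) and gracePeriod (seconds), and redacts the credential elements before the event is forwarded anywhere. SAMPLE_EVENT is a condensed version of the page's event, constructed for this example.

```python
"""Consumer-side handling of the JMS events the page shows.

Added example, not the product's code. SAMPLE_EVENT is constructed from the
fields of the page's MNMDeviceTestedEvent sample.
"""
import xml.etree.ElementTree as ET

SAMPLE_EVENT = """<MNMDeviceTestedEvent>
  <device>
    <uniqueId>58511c4a0895a1c33792de48264262f4</uniqueId>
    <ip>10.1.1.13</ip>
    <mac>00:11:25:AB:92:7A</mac>
    <netbiosName>UNITY</netbiosName>
    <domainName>MyCompany</domainName>
    <userName>administrator</userName>
    <password>changeme</password>
    <loggedOnUser>administrator</loggedOnUser>
    <os>Windows</os>
    <osDetails>2000 SP4</osDetails>
    <policyId>LowSecurity</policyId>
    <lastTestTime>1157046206801</lastTestTime>
    <lastTestStatusId>FAILED</lastTestStatusId>
    <gracePeriod>604800</gracePeriod>
    <gracePeriodStart>1157042301000</gracePeriodStart>
    <postureToken>checkup</postureToken>
    <accessStatusId>ALLOWED_BY_POLICY</accessStatusId>
    <testingMethod>AGENTLESS</testingMethod>
  </device>
  <testResults>
    <TestResultInfo>
      <timestamp>1157046206801</timestamp>
      <gracePeriod>604800</gracePeriod>
      <testName>Windows 2000 hotfixes</testName>
      <testClass>Check2000HotFixes</testClass>
      <actionsTaken>access allowed, temporary access period continuing from 8/31/06 10:38 AM, email not sent</actionsTaken>
    </TestResultInfo>
  </testResults>
</MNMDeviceTestedEvent>"""


def _text(el, tag, default=""):
    node = el.find(tag)
    return node.text.strip() if node is not None and node.text else default


def parse_event(xml_text):
    """Pull the fields a SOC tracks out of a DeviceTested or DeviceChange event."""
    root = ET.fromstring(xml_text)      # the broker is one you run; for XML from an
    dev = root.find("device")           # untrusted source parse with defusedxml instead
    if dev is None:
        raise ValueError("no <device> element in %s" % root.tag)
    grace = int(_text(dev, "gracePeriod", "0"))              # seconds
    grace_start = int(_text(dev, "gracePeriodStart", "0"))   # epoch milliseconds
    info = {
        "event": root.tag,
        "ip": _text(dev, "ip"),
        "mac": _text(dev, "mac"),
        "posture": _text(dev, "postureToken"),
        "access": _text(dev, "accessStatusId"),
        "last_test_status": _text(dev, "lastTestStatusId"),
        # epoch ms at which the temporary access period runs out, if one is running
        "grace_end_ms": grace_start + grace * 1000 if grace and grace_start else None,
        # the ES's test credentials travel inside the event in the clear
        "has_credentials": dev.find("password") is not None,
        "tests": [(_text(t, "testName"), _text(t, "actionsTaken"))
                  for t in root.findall("./testResults/TestResultInfo")],
    }
    # Failing the policy while still ALLOWED_* is the grace-period case: the
    # endpoint is on the production network although it did not pass.
    info["allowed_despite_failure"] = (info["last_test_status"] == "FAILED"
                                       and info["access"].startswith("ALLOWED"))
    return info


def redact(xml_text, tags=("password",)):
    """Blank secret-bearing elements before forwarding. Returns (xml, count redacted)."""
    root = ET.fromstring(xml_text)
    count = 0
    for el in root.iter():
        if el.tag in tags and el.text:
            el.text = "[REDACTED]"
            count += 1
    return ET.tostring(root, encoding="unicode"), count


if __name__ == "__main__":
    summary = parse_event(SAMPLE_EVENT)
    print(summary)
    print(redact(SAMPLE_EVENT)[0])
```

Because anyone who can subscribe to the topic sees these events, restrict the broker to the listener's host (see Section 12.3, Setting Firewall Rules) and require the login that eventListener.sh's -l/-p options supply; redact before the event leaves that boundary.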
  • Page 288: Java Program And Command For Events

    -------------------------------------------------------------------------
    12.4.2 Java Program and Command for Events
    Novell ZENworks Network Access Control ships with a sample shell script that invokes Java code that can be used to listen for JMS events. Invoke the program by entering the following command:
    eventListener.sh [-u broker URL] [-t topicName] [-l login -p password]...
  • Page 289: Novell Zenworks Network Access Control Requests Supported

    12.5 Novell ZENworks Network Access Control Requests Supported
    The following Novell ZENworks Network Access Control requests are supported:
    TemporarilyAllowAccess — Specifies to temporarily allow access to the specified endpoint or endpoints.
    TemporarilyDenyAccess — Specifies to temporarily deny access to the specified endpoint or endpoints.
  • Page 290

    <otherDeviceProperties>
      <entry>
        <string>key1</string>
        <string>value1</string>
      </entry>
      <entry>
        <string>key2</string>
        <string>value2</string>
      </entry>
    </otherDeviceProperties>
    </DeviceType>
    </list>
    </entry>
    </requestParameters>
    </PutDeviceInfoRequest>
    -------------------------------------------------------------
    The DeviceInfoRequest command replies with output that includes a special NacResponse XML file as shown below:
  • Page 291

    -------------------------------------------------------------
    <NacResponse>
      <resultStatus>true</resultStatus>
      <response class="DeviceList">
        <devices>
          <DeviceInfo>
            <uniqueId>00:0C:29:5D:30:B5</uniqueId>
            <ip>192.168.1.128</ip>
            <mac>00:0C:29:5D:30:B5</mac>
            <netbiosName>WINXPPROVM</netbiosName>
            <domainFromNMB>WORKGROUP</domainFromNMB>
            <credentialsEnabled>false</credentialsEnabled>
            <os>Windows</os>
            <osDetails>XP SP1+, 2000 SP3</osDetails>
            <policyId>LowSecurity</policyId>
            <lastTestTime>0</lastTestTime>
            <lastTestStatusId>AWAITING_TEST_INITIATION</lastTestStatusId>
            <gracePeriod>0</gracePeriod>
            <gracePeriodStart>0</gracePeriodStart>
            <createTime>1186594414243</createTime>
            <lastActivityTime>1186603364486</lastActivityTime>
            <lastConnectTime>1186594301738</lastConnectTime>
            <lastDisconnectTime>0</lastDisconnectTime>
            <postureToken>unknown</postureToken>
            <nodeId>158251f6-2ce8-4d34-b9e8-d724c175d34a</nodeId>
            <clusterId>4e193379-a492-4fd8-a31c-37e722b14449</clusterId>
            <accessStatusId>QUARANTINED_BY_POLICY</accessStatusId>
            <nextTestTime>1186597121116</nextTestTime>
            <nadPort/>
            <nadPortId/>
            <nadIP/>
            <nadUser/>
            <sessionAccess>-1</sessionAccess>
            <sessionAccessEnd>0</sessionAccessEnd>
            <otherDeviceProperties>
              <entry>
                <string>key1</string>
                ...
  • Page 292: Post-Connect Request Example

    </TemporarilyDenyAccessRequest>
    ------------------------------------------------------------------------
    NOTE: The EXTERNAL_QUARANTINE_PRODUCT_ID entry in the previous post-connect example is configured in the connector.properties file. See Section 3.14.7, “Adding Post-connect System Logos and Icons,” on page 113 for more information.
  • Page 293: Java Program And Command For Requests

    12.5.3 Java Program and Command for Requests
    Novell ZENworks Network Access Control ships with a sample shell script that invokes Java code that can be used to send JMS requests. Invoke the program by entering the following command:
    sendRequest.sh [-u broker URL] [-t topicName] [-l login -p password] -f <request.xml>...
  • Page 295: Remote Device Activity Capture

    Novell ZENworks Network Access Control also relies on auto-discovery functionality to track DHCP IP address transitions so that it can continue to communicate seamlessly with endpoints after an IP change.
  • Page 296: Downloading The Exe File

    Installs DAC as a Windows service
    NOTE: If you have already installed DAC, you must uninstall it before attempting to install a newer version. See Section 13.1.8, “Removing the Software,” on page 306 for instructions.
  • Page 297 NOTE: If you have made configuration changes to the wrapper.conf file in a previous version of DAC, when you remove and re-install DAC, your changes are not saved. You will need to re-enter any changes, such as adding additional interfaces or ESs to the wrapper.conf file after installing DAC.
  • Page 298

    6 In most cases, you should accept the default location. (Click Change to select a different location.) Click Next. The Confirm New Folder window appears:
    Figure 13-4 RDAC Installer, Confirm New Folder
  • Page 299

    7 Click Yes. If you selected Custom in Step 4 on page 298, the Select Features window appears; otherwise the NIC Selection window appears (Figure 13-6 on page 299):
    Figure 13-5 RDAC Installer, Select Features
    8 Select the features to install. Click Next. The NIC Selection window appears:
    Figure 13-6 RDAC Installer, NIC Selection
  • Page 300

    Figure 13-7 RDAC Installer, TCP Port Filter Specification
    10 In most cases you should accept the default entry. Click Next. The Enforcement Server Specification window appears:
    Figure 13-8 RDAC Installer, Enforcement Server Specification
  • Page 301

    11 Enter the IP address of the Enforcement Server (ES) to use. Click Next. The Ready to Install the Program window appears:
    Figure 13-9 RDAC Installer, Ready to Install the Program
    12 Click Install.
    13 If you selected Complete in Step 4 on page 298, the InstallShield Wizard launches the Java installer first and then the WinPcap installer.
  • Page 302: Adding Additional Interfaces

    Windows server
    1 Open the DAC/conf/wrapper.conf file with a text editor.
    1a Locate the Application Parameters section in the wrapper.conf file. You will see a list of entries like the following:
    wrapper.app.parameter.X
  • Page 303: Configuring The Ms And Es For Dac

    13.1.4 Configuring the MS and ES for DAC
    1 Create a keystore file containing a unique key, a signed certificate, and a CA certificate, which are required for SSL communication.
    1a On the Novell ZENworks Network Access Control MS, enter the following command at the command line:
    /usr/local/nac/bin/SSL-createRemoteDACCertificate...
  • Page 304: Adding Additional Ess

    Where X is the numerical value representing the order in which the parameter will be added to the command.
    1b Add additional ESs:
    1. Locate the line that represents the initial ES, for example:
    wrapper.app.parameter.8=172.17.100.100
  • Page 305: Starting The Windows Service

    2. Add another line just below the initial ES with the new IP address or addresses:
    wrapper.app.parameter.9=172.17.100.150
    wrapper.app.parameter.10=172.50.50.7
    3. Increment the rest of the wrapper.app.parameter numbers by the number of ESs added. For this example of adding two ESs, increment by two; change 10 to 12, 11 to 13, and so on:
    wrapper.app.parameter.11=-i
    wrapper.app.parameter.12="\Device\NPF_{54052575-E4CC-46A5-B626-...
  • Page 306: Removing The Software

    4 Click Yes when asked if you want to completely remove the application and features. When the uninstallation is complete, the Uninstall Complete window appears:
    5 Select one of the options and click Finish.
  • Page 307: Novell Zenworks Network Access Control To Infoblox Connector

    Section 13.2.2, “Configuring Novell ZENworks Network Access Control,” on page 308
    13.2.1 Configuring the Infoblox Server
    You must configure syslog on the Infoblox server to send debug-level DHCP logs to the Novell ZENworks Network Access Control ES IPs on TCP port 514, using the local3 facility. The actual steps to set this up may vary by NIOS.
  • Page 308: Configuring Novell Zenworks Network Access Control

    3 Click ok.
    Command line window
    NOTE: Perform the following steps on each ES in your system.
    4 Log in as root to the Novell ZENworks Network Access Control ES using SSH or directly with a keyboard.
    5 Enter the following command:
    egrep DeviceActivityCapture /usr/local/nac/properties/nac-es.properties...
  • Page 309

    /etc/sysconfig/iptables
    7c Add the following line before the # REJECT lines in the RH-Lokkit-0-50-INPUT section, and after the RELATED,ESTABLISHED line:
    7d -A RH-Lokkit-0-50-INPUT -s <INFOBLOX_IP> -p tcp -m tcp --dport 514 -m state --state NEW -j ACCEPT
    Where: <INFOBLOX_IP> is the IP address of the Infoblox server.
    7e Restart iptables by entering the following at the command line:
    fw_control start
    service nac-es start...
  • Page 311: Reports

    Reports
    Novell ZENworks Network Access Control generates the following types of reports:
    Table 14-1 Report Types and Fields
    Report              Description                                    Report columns
    NAC policy results  Lists each NAC policy and the last pass/fail   policy name
                        policy results                                 test status
                                                                       # of times...
  • Page 312

    Section 14.2, “Viewing Report Details,” on page 314
    Section 14.3, “Printing Reports,” on page 315
    Section 14.4, “Saving Reports to a File,” on page 315
    Section 14.5, “Converting an HTML Report to a Word Document,” on page 316
  • Page 313: Generating Reports

    14.1 Generating Reports
    To generate a report:
    Home window>>Reports
    The following figure shows the Reports window.
    Figure 14-1 Reports
    1 In the Report drop-down list, select the report to run.
    2 Select the Report period.
    3 Select the Rows per page.
    4 In the Endpoint search criteria area, select any of the following options to use for filtering the report:
    4a Cluster...
  • Page 314: Viewing Report Details

    See “Important browser settings” in the Installation Guide for more information.
    14.2 Viewing Report Details
    To view report details:
    Home window>>Reports
    1 Select the options for the report you want to run.
  • Page 315: Printing Reports

    2 Click Generate report.
    3 Click the details link. The Test details window appears:
    Figure 14-3 Test Details Report
    14.3 Printing Reports
    To print a report:
    Home window>>Reports
    1 Select the options for the report you want to run.
    2 Click Generate report.
    3 Select Print.
  • Page 316: Converting An Html Report To A Word Document

    This creates a standalone file that retains all of its graphics and formatting.
    7 To print, you might need to reduce the border sizes in the File>>Page Setup dialog box for the report to print correctly.
  • Page 317: Dhcp Plug-In

    The Dynamic Host Configuration Protocol (DHCP) plug-in is an optional feature that allows you to use one or more DHCP servers (without an installation of Novell ZENworks Network Access Control in front of each DHCP server) as shown in the following figure:...
  • Page 318: Installation Overview

    When Novell ZENworks Network Access Control does not sit inline with the DHCP server, you need to set up a remote host for Device Activity Capture (DAC) to allow Novell ZENworks Network Access Control to listen on the network. This is done by installing a small program on the DHCP server or other remote (non-Novell ZENworks Network Access Control) host, which then sends relevant endpoint device information back to Novell ZENworks Network Access Control.
  • Page 319

    Specifies the port on which the Dynamic Link Library (DLL) file should listen for Novell ZENworks Network Access Control connections.
    looprate
    The rate in seconds at which the DHCP server will check for a broken connection.
  • Page 320: Dhcp Plug-In And The Novell Zenworks Network Access Control User Interface

    Section 15.2.7, “Enabling a DHCP Server Plug-in Configuration,” on page 327
    15.2.1 Installing the Plug-in
    To install the DHCP plug-in:
    Home window>>System configuration>>Quarantining
    1 Select the DHCP radio button in the Quarantine area.
  • Page 321

    2 Select the DHCP servers using the DHCP plug-in radio button.
    Figure 15-2 System Configuration, Quarantining, DHCP
    3 Click download the DHCP plug-in. A Windows save window appears.
    4 Browse to a location on the DHCP server you will remember and save the file.
    5 On the DHCP server, navigate to the location of the saved file and double-click it.
  • Page 322

    6 Double-click the *.exe installer file. The InstallShield Wizard starts.
    Figure 15-3 DHCP Plug-in InstallShield Wizard window
    7 Click Next. The Customer Information window appears.
    Figure 15-4 DHCP Plug-in Customer Information window
    8 Enter your User Name and Company Name.
  • Page 323: Enabling The Plug-In And Adding Servers

    9 Click Next. The Ready to Install the Program window appears.
    Figure 15-5 DHCP Plug-in Ready to Install the Program window
    10 Click Install. The progress is displayed on a Status window. When installation is complete, the InstallShield Wizard Complete window appears.
    Figure 15-6 DHCP Plug-in Installation Wizard Complete window
    11 Click Finish.
  • Page 324

    IMPORTANT: Setting the log level to debug may adversely affect performance.
    8 Click ok. The added DHCP server appears as shown in the following figure:
    Figure 15-8 DHCP Plug-in Server Added Example
  • Page 325: Viewing Dhcp Server Plug-In Status

    Figure 15-9 DHCP Plug-in Legend
    NOTE: Novell ZENworks Network Access Control automatically attempts to connect to the DHCP server. The possible DHCP server status states are shown in Figure 15-9 on page 325.
  • Page 326: Editing Dhcp Server Plug-In Configurations

    1 Click remove next to the DHCP server plug-in configuration you wish to delete.
    2 Click yes at the Remove DHCP plug-in configuration prompt.
    3 Click ok to save the changes and return to the Home window.
  • Page 327: Disabling A Dhcp Server Plug-In Configuration

    15.2.6 Disabling a DHCP Server Plug-in Configuration
    Disable a DHCP server plug-in configuration when you do not wish to use it, but wish to save the configuration and certificates.
    To disable a DHCP Server Plug-in Configuration:
    Home window>>System configuration>>Quarantining>>DHCP Quarantine method radio button>>DHCP servers using the DHCP plug-in radio button
    1 Click disable next to the DHCP server plug-in configuration you wish to disable.
  • Page 329: System Administration

    The following sections contain more information:
    Section 16.1.1, “Launching and Logging into Novell ZENworks Network Access Control,” on page 330
    Section 16.1.2, “Logging out of Novell ZENworks Network Access Control,” on page 330
    Section 16.1.3, “Important Browser Settings,” on page 330
  • Page 330: Launching And Logging Into Novell Zenworks Network Access Control

    To log out of Novell ZENworks Network Access Control:
    Any Novell ZENworks Network Access Control window
    Click Logout in the upper right corner of the Novell ZENworks Network Access Control home window. When the logout procedure completes, the Novell login window appears.
  • Page 331: Managing Your Novell Zenworks Network Access Control License

    (if notifications are enabled).
    16.3.1 Entering a New License Key
    Novell distributes license keys as text files. Due to the license key’s length, copy and paste the license key directly out of the text file.
    To enter a new license key:
    Home window>>System Configuration>>License...
  • Page 332: Downloading New Tests

    TIP: If the license key information (such as an expired notice) does not update, clear the browser cache and refresh the page.
    16.4 Downloading New Tests
    To download the latest tests from the Novell server:
    Home window>>System configuration>>Test updates>>Check for test updates button
    TIP: If you are not receiving test updates, try the following checks:...
  • Page 333: Dns/Windows Domain Authentication And Quarantined Endpoints

    5 Ensure that the following ports on the domain controller/active directory (DC/AD) servers are available from quarantine:
    135-139
    1025
    Novell ZENworks Network Access Control will then look up the Kerberos and LDAP services, and resolve those services within its own DNS server used for quarantined devices. For example:
    _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 88 dc01.lvh.com...
  • Page 334: Matching Windows Domain Policies To Nac Policies

    IE security settings. The Novell ZENworks Network Access Control administrator needs to make sure the global policy on their network matches the NAC policy defined, or skip the test.
  • Page 335: Naming Your Enforcement Cluster

    16.5.4 Naming Your Enforcement Cluster
    To name your Enforcement cluster:
    Home window>>System configuration>>Enforcement clusters & servers>>Select an Enforcement cluster
    1 In the Cluster name text field, enter a name. Choose a name that describes the cluster, such as a geographic location (like a street or city name), a building, or your company name.
    2 Click ok.
  • Page 336: Resetting Your Test Data

    To reset your system to the as-shipped state:
    Command line window
    1 Log in as root to the Novell ZENworks Network Access Control MS or ES, either using SSH or directly with a keyboard.
    2 Enter the following command at the command line:
    resetSystem.py [both | ms | es]...
  • Page 337: Changing Properties

    2b Stop the nac-ms service on the MS:
    1. Log in as root to the Novell ZENworks Network Access Control MS, either using SSH or directly with a keyboard.
    2. Enter the following at the command line:...
  • Page 338: Specifying An Email Server For Sending Notifications

    Novell ZENworks Network Access Control Enforcement clusters send alerts and notifications when certain events occur. You must specify an SMTP email server for sending these notifications. The server must allow SMTP messages from the Novell ZENworks Network Access Control ES. To specify an email server for sending notifications: Section 3.17.5, “Notifications,”...
  • Page 339: Database

    2a The Novell ZENworks Network Access Control version must be the same as the previously installed Novell ZENworks Network Access Control version.
    2b The Novell ZENworks Network Access Control server IP address must be the same as the previously installed Novell ZENworks Network Access Control server IP address.
  • Page 340

    339), you will not be able to validate the license key at this step.
    2e After the installation is complete, log in to the Novell ZENworks Network Access Control user interface and check for rule updates (System configuration>>Test updates>>Check for test updates).
  • Page 341: Restoring The Original Database

    To reset a Novell ZENworks Network Access Control database to its pristine state:
    Command window
    1 Log in as root to the Novell ZENworks Network Access Control MS using SSH.
    2 Enter the following commands:
    resetSystem.py
    This script shuts down all of the services, cleans the database, iptables, and DHCP server, and restarts everything.
  • Page 342

    Linux — Mozilla version 1.7
    License — A subscription license key
    Product updates — The latest Novell ZENworks Network Access Control product updates
    TIP: It is strongly recommended that you use the server-class Intel NIC cards. If you use a different NIC card, you might be unable to connect, or experience unpredictable results and availability.
  • Page 343: Supported Vpns

    All tests are implemented in the object-oriented programming language Python. Python is a well-respected, clean, and efficient scripting language. Because the language is object-oriented and the Novell ZENworks Network Access Control test platform is extensible, new tests can be developed easily.
  • Page 344: Changing The Error Messages In A Test Script

    Python language reference: http://www.python.org/doc/2.4.1/
    Sample test scripts are on the Novell ZENworks Network Access Control CD in the /sampleScripts folder.
    16.10.3 Changing the Error Messages in a Test Script
    Using Python, try changing the error messages in an existing test script. This task can help you to familiarize yourself with the Novell ZENworks Network Access Control scripting API.
  • Page 345

    6 Once you have completed your edits and saved the myCheckSoftwareNotAllowed.py file, copy it to the following directory on the Novell ZENworks Network Access Control MS:
    /usr/local/nac/scripts/Custom/Tests
    7 If you have created new base classes, copy them to the following directory on the Novell ZENworks Network Access Control MS:
    /usr/local/nac/scripts/Custom/BaseClasses
    IMPORTANT: When updating or modifying files, use the Custom directory tree (Custom/BaseClasses, Custom/Tests).
  • Page 346

    = 'null' , consumerNos = null, transactionId = 'null' , xaTransacted = false, consumerIdentifer = 'null' , messageConsumed = false, transientConsumed = false, sequenceNumber = 0, deliveryCount = 1, dispatchedFromDLQ = false, messageAcknowledge = null, jmsMessageIdentity = null, producerKey = ID:perf-
  • Page 347: Creating A Custom Test Class Script From Scratch

    ms1-40612-1162365754580-7: }, text = <UpdateRequest> _____________________________________________________________________________ <requestParameters> <entry> <string>UPDATE_DATA</string> <string>/tmp/customUpdatePkg.29285.tar.gz</string> </entry> </requestParameters> </UpdateRequest> _____________________________________________________________________________ 00:22:34 DEBUG Waiting for a response on :TemporaryQueue-{TD{ID:perf-ms1- 40612-1162365754580-1:0}TD}ID:perf-ms1-40612-1162365754580-6:0 _____________________________________________________________________________ 00:22:36 DEBUG Message received: ACTIVEMQ_TEXT_MESSAGE: id = 0 ActiveMQMessage{ , jmsMessageID = ID:perf-ms1-51331-1162363440379-15:3, bodyAsBytes = org.activemq.io.util.ByteArray@1362012, readOnlyMessage = true, jmsClientID = '93baaf5a-b0ed-4fc2-a3ae-ec6460caedc0' , jmsCorrelationID = 'null' , jmsDestination = TemporaryQueue-{TD{ID:perf-ms1-40612-1162365754580- 1:0}TD}ID:perf-ms1-40612-1162365754580-6:0, jmsReplyTo = null, jmsDeliveryMode...
  • Page 348

    # in the policy editor.
    testConfig = \
    """
    <HTML>Test Config HTML</HTML>
    """
    # These are any default values you want to assign to the input parameters
    # in the testConfig HTML.
    defaultConfigValues = {}
    _____________________________________________________________________________
  • Page 349

    # A short summary for the test. This will show up in the description field
    # when editing NAC policies in the management UI.
    testSummary = \
    """
    My short description
    """
    _____________________________________________________________________________
    # This field is unused at the moment.
    # field in the policy editor.
  • Page 350

    BasicTests API. This example does not use this API. “checkOpenPorts.py script” on page 351 shows the code for the new checkOpenPorts.py test. The file is included on the Novell ZENworks Network Access Control CD as /sampleScripts/checkOpenPorts.py. Review the code. The comments explain each section of the code.
  • Page 351

    # This is the HTML that will be displayed in the test properties page
    # in the policy editor. All this HTML isn't REALLY necessary, but we
    # to keep the Novell ZENworks Network Access Control Web UI pretty.
    _____________________________________________________________________________
    testConfig = \
    """...
  • Page 352

    _____________________________________________________________________________
    # These are the arguments to run the test. This is displayed in the command
    # line help.
    testArguments = \
  • Page 353

    """
    --host=<hostname, IP, or NETBIOS> --input ports_not_allowed=<comma delimited list of ports>
    _____________________________________________________________________________
    Example: <this script> --host=somehost --input "ports_not_allowed=23,80"
    """
    # All tests must define the runTest method with the self and the debug
    # parameters.
    def runTest(self,debug=0):
        # All tests must call the initialize routine
        self.initTest()
        if debug:
            print "Starting checkOpenPorts(host="+self.session.host()+",...
  • Page 354

    # Try to open the port. Throws an exception if connection
    # is refused or times out (set timeout to 5 seconds).
    # Note that Novell ZENworks Network Access Control uses a restricted Python socket
    # library that doesn't allow connections to arbitrary
    # hosts.
  • Page 355

    # Always use the doReturn function. This will record test timings as well as
    # encode the result_message into a format compatible with Novell ZENworks Network Access Control
    return(self.doReturn(returnHash))
    3 Once you have completed your test script modifications, save the script as described in...
  • Page 356: Basictests Api

    16.10.5 BasicTests API
    Every Novell ZENworks Network Access Control test has a base functionality described as follows:
    …
    try:
        self.bt.getregKeyExists("HKEY_LOCAL_MACHINE\\Software\\America Online\\AIM")
    except:
        import sys
        returnHash["status_code"] = 0
        returnHash["result_code"] = "unknown_error"
        returnHash["result_message"] = sys.exc_type, sys.exc_value
    …
    The following table describes the BasicTests API.
  • Page 357

    The BasicTests API accesses these functions with the SABase self.bt member. All methods throw an exception that should be caught if an unexpected error occurs.
    Return Value   Public Method
    Boolean        getCapicomExists()
                   Checks for Capicom on the machine. Returns the following:
                   True, if installed
                   None, if not installed
    String         ...
  • Page 358

                   Returns the version of Microsoft Data Access Component (MDAC) installed on the endpoint.
    String         getMsnVersion()
                   Returns the MSN version.
    Boolean        getMVMInstalled()
                   Checks whether MVM is installed or not. Returns the following:
                   True, if MVM is installed
                   None, if MVM is not installed.
  • Page 359

    The BasicTests API accesses these functions with the SABase self.bt member. All methods throw an exception that should be caught if an unexpected error occurs.
    Return Value   Public Method
    Boolean        getOfficeInstalled()
                   Checks whether Microsoft Office is installed or not. Returns the following:
                   True, if Microsoft Office is installed
                   None, if Microsoft Office is not installed.
  • Page 360

                   Returns the updates installed for Microsoft Exchange.
    List           listHotfixesRegKeys()
                   Returns all the hotfixes installed on the endpoint.
    List           listMediaPlayerRegKeys()
                   Returns updates installed for MediaPlayer.
    List           listVisualStudioDotNetRegKeys()
                   Returns the update installed for Visual Studio Dot Net 2003.
  • Page 361: End-User Access Windows

    16.11 End-user Access Windows
    The end-user access windows are completely customizable. You can enter general text through the Novell ZENworks Network Access Control interface and edit the file that contains the messages that are returned to the end-user.
    TIP: If you need more end-user access window customization than is described in this Users’...
  • Page 362: How Novell Zenworks Network Access Control Handles Static Ip Addresses

    To view the end-user access windows:
    IE browser window
    Point the IE browser to port 88 of your Novell ZENworks Network Access Control ES. For example, if the IP address of your Novell ZENworks Network Access Control ES is 10.0.16.18, point an IE browser window to:
    http://10.0.16.18:88...
  • Page 363: Managing Passwords

    ZENworks Network Access Control Enforcement server IP address>:88. This includes endpoints with static IP addresses.
    16.13 Managing Passwords
    The passwords associated with your Novell ZENworks Network Access Control installation are listed in the following table:
    Table 16-5 ZENworks Network Access Control Passwords...
  • Page 364: Resetting The Novell Zenworks Network Access Control Server Password

    If you can remember the Novell ZENworks Network Access Control user interface password, but cannot remember the root login password for the Novell ZENworks Network Access Control MS or ES, log in to the Novell ZENworks Network Access Control user interface and navigate to one of the following windows:
    To reset the MS Password:
    Home>>System configuration>>Management server...
  • Page 365: Resetting The Novell Zenworks Network Access Control Database Password

    If you cannot remember either password, this process allows you to enter a new one:
    To reset the Novell ZENworks Network Access Control server root password:
    1 At the Novell ZENworks Network Access Control MS or ES server (not through the Web or SSH), reboot the MS or ES server by pressing:
    [CTRL]+[ALT]+[DELETE]
    2 As the machine boots, you are presented with a list of kernels.
  • Page 366: Ntlm 2 Authentication

    Compliance.UI.FirstTimeConfigCompleted=true
    Enter the password as the characters following the equal sign (for example, CwR0(tW)).
    2 Save the file and copy it to the Novell ZENworks Network Access Control server (either MS or ES).
    3 Log into the Novell ZENworks Network Access Control server as root.
  • Page 367: Working With Ranges

    This is because Extreme switches forward the packets from the IP address closest to Novell ZENworks Network Access Control and not the IP address of the interface closest to the endpoint, so all the DHCPRelay packets will appear to come from a production network IP address.
  • Page 368: Creating And Replacing Ssl Certificates

    To generate a private keystore containing a new private key/public certificate pair:
    Command line window
    1 Log in as root to the Novell ZENworks Network Access Control server via SSH or directly using a keyboard.
    2 Remove the existing keystore by entering the following at the command line:
    rm -f /usr/local/nac/keystore/compliance.keystore...
  • Page 369: Using An Ssl Certificate From A Known Certificate Authority (Ca)

    Authority (CA), first create a new self-signed certificate following the instructions in the previous section, then continue as follows:
    1 Log in as root to the Novell ZENworks Network Access Control server via SSH or directly using a keyboard.
    2 Enter the following at the command line:
    keytool -certreq -alias <key_alias>...
  • Page 370: Moving An Es From One Ms To Another

    Section 1.9, “Copying Files,” on page 28), replacing the previously self-signed public certificate for your key by entering the following command on the command line of the Novell ZENworks Network Access Control server:
    keytool -import -alias <key_alias> -trustcacerts -file <signed_cert_file> -keystore /usr/local/nac/keystore/compliance.keystore...
  • Page 371: Recovering Quickly From A Network Failure

    In some cases, such as when the DHCP server is in a separate VLAN from the span/mirror port, the mirrored port traffic is 802.1q tagged. In this case, in order for Novell ZENworks Network Access Control to recognize the traffic, the following workaround must be performed.
  • Page 372

    3a Log in to each ES using SSH or directly with a keyboard.
    3b Enter the following command at the command line:
    ifconfig
    3c Verify that the virtual interface you created is listed.
    3d Open the following file:
  • Page 373: Iptables Wrapper Script

    /var/log/nac/nac-es.log
    3e Verify that the EDAC is using the virtual interface you created. The log should contain a line similar to the following:
    [070509-MDT 10:53:11.366 DeviceActivityCapture-INFO ] Listening on: eth1:1
    16.20 iptables Wrapper Script
    To avoid creating conflicts between iptables and the nac-es service, do not run the following commands manually:
    /etc/init.d/iptables
    service iptables start...
  • Page 374: Enabling ICMP Echo Requests

    Enable Temporary Ping To temporarily (until reboot) enable ICMP echo requests: Command line 1 Log in to the Novell ZENworks Network Access Control server as root using SSH or directly with a keyboard. 2 Enter the following command at the command line: echo 0 >...
  • Page 375: Changing The Community Name For SNMPD

    > /etc/sysconfig/iptables.save 16.21.2 Changing the Community Name for SNMPD Novell ZENworks Network Access Control includes snmpd and it is started by default. You need to change the notpublicsnmp community name to something specific for your community. To change the community name: Command line window 1 Log in as root to the Novell ZENworks Network Access Control MS using SSH.
  • Page 376: SNMP MIBs

    Network Management Protocol (SNMP) is a protocol used for communication between devices that uses MIBs to obtain SNMP message formats. Novell ZENworks Network Access Control supports SNMP v2c for both incoming and outgoing SNMP notifications. The following MIBs (located in /usr/share/snmp/mibs/ ) define the...
  • Page 377 TCP-MIB UCD-DLMOD-MIB UCD-SNMP-MIB UDP-MIB Enter the following MIB to define outgoing SNMP notifications: /usr/share/snmp/mibs/NAC-MIB.txt See the following links for more information on SNMP and MIBs: http://en.wikipedia.org/wiki/Management_information_base http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
  • Page 379: Patch Management

    Novell ZENworks Network Access Control can integrate with patch management software. When an endpoint fails due to a missing patch, Novell ZENworks Network Access Control wakes the patch manager client, checks for the completion of the patch, and then retests upon completion.
  • Page 380: Flagging A Test To Launch A Patch Manager

    Home window>>NAC Policies>>Select or create an access policy>>Tests menu option 1 Select the check box for a test in the left column. 2 Click on the test name in the left column. 3 Select the Initiate patch manager check box.
  • Page 381: Specifying The Number Of Retests

    4 Select a patch manager from the Select a patch manager drop-down list. 5 Click OK. 17.3 Specifying the Number of Retests To select the maximum number of retest attempts: Home window>>NAC Policies>>Select or create an access policy>>Tests menu option 1 Select the check box for a test in the left column.
  • Page 382: Novell ZENworks Network Access Control/SMS/Novell ZENworks Network Access Control

    NOTE: SMS server has a setting that allows users to interact with and cancel patch installation. Novell recommends that you do not allow users to cancel patch installation. Once a patch installation has been canceled, the patch does not automatically attempt to install later and the endpoint will never pass the NAC policy test without manual intervention by the SMS administrator.
  • Page 383 http://www.microsoft.com/smserver/evaluation/default.asp Available SMS documentation http://www.microsoft.com/smserver/techinfo/productdoc/default.asp Pre-requisites to using SMS http://www.microsoft.com/technet/itsolutions/techguide/msm/swdist/pmsms/2003/pmsms031.mspx#XSLTsection126121120120 Concepts, planning, and deployment guide http://www.microsoft.com/resources/documentation/sms/2003/all/cpdg/en-us/default.mspx
  • Page 385: A Configuring The Post-Connect Server

    A.1 Overview This section describes how to configure the remote server for use with the Novell ZENworks Network Access Control post-connect feature. The post-connect server can be a Windows server or a Linux server. This section details the following: Section A.2, “Extracting the ZIP File,”...
  • Page 386: Windows

    A.2.2 Linux To download and extract the ZIP file to a Linux machine: 1 Create a directory for the contents of the ZIP file on the Linux machine. Novell recommends /usr/local. These instructions assume that you used the /usr/local directory.
  • Page 387: Setting Up A Post-Connect Host

    activemq-core-4.1.1.jar backport-util-concurrent-2.1.jar commons-logging-1.0.3.jar concurrent-1.3.4.jar connector.jar connector.properties geronimo-spec-j2ee-management-1.0-rc4.jar jms.jar JMSConnection.properties log4j-1.2.13.jar log4j.properties wrapper.dll wrapper.jar A.4 Setting up a Post-connect Host The following sections contain more information: Section A.4.1, “Windows,” on page 387 Section A.4.2, “Linux,” on page 388 A.4.1 Windows Your post-connect host can be a Linux or Windows server. This section provides instructions on setting up a Windows host.
  • Page 388: Linux

    2. Download and install the Python for Windows version. 4 Copy the cacerts file to the Windows server: 4a Log in to the Novell ZENworks Network Access Control MS as root using SSH or directly with a keyboard. 4b Copy the /usr/local/nac/keystore/cacerts file from the MS into the \lib folder on the post-connect server where you extracted the ZIP file.
  • Page 389 2. Download and install the Python for UNIX version. 3 Copy the cacerts file to the Linux server: 3a Log in to the Novell ZENworks Network Access Control MS as root using SSH or directly with a keyboard. 3b Copy the /usr/local/nac/keystore/cacerts file from the MS into the /usr/local/postconnect/lib folder on the post-connect server where you extracted the ZIP file.
  • Page 390: Viewing Logs

    /usr/local/postconnect/bin/Connector_ActionScript.py <endpoint ip> "Reason 1" "Reason 2" Where: <endpoint IP> is the IP address of an endpoint known to Novell ZENworks Network Access Control. For example, 192.168.40.40 “Reason 1” and “Reason 2” are text strings that describe the reasons to quarantine the specified endpoint.
  • Page 391: Configuring Your Sensor

    A.8 Allowing Novell ZENworks Network Access Control Through the Firewall Novell ZENworks Network Access Control needs to communicate with the post-connect server through port 61616. See “Allowing the Windows RPC Service through the Firewall” on page 167 for instructions on how to open a port on a Windows machine.
  • Page 393: B Tests Help

    Tests Help The tests performed on endpoints attempting to connect to the network are listed on the Novell ZENworks Network Access Control Home window>>NAC policies>>Select a NAC policy>>Tests. These tests are updated when you download the latest versions by selecting Novell ZENworks Network Access Control Home window>>System Configuration>>Test Updates>>Check for Test Updates.
  • Page 394 "controls" that enable developers to make Web pages "active". ActiveX is Microsoft's brand for active scripting. The following links provide more detailed information about ActiveX: http://www.active-x.com/articles/whatis.htm http://www.active-x.com/ http://www.newportinc.com/software/activex/whatisAX.htm
  • Page 395: Browser Version

    Item Description Java Java is a programming language and a collection of platforms that are targeted toward a specific hardware platform. Java programs are not limited by the operating system (OS) as they are interpreted (run) by another program called the Java Virtual Machine (JVM).
  • Page 396: Internet Explorer (IE) Internet Security Zone

    The Internet security zone defines a security level for all external Web sites that you visit (unless you have specified exceptions in the trusted and restricted site configurations). The default setting is Medium. The following link provides details about the specific security options: http://www.microsoft.com/technet/prodtechnol/ie/ieak/techinfo/deploy/60/en/security.mspx?mfr=true
  • Page 397: Internet Explorer (IE) Local Intranet Security Zone

    What Do I Need to Do? Perform the following steps: 1 Select Tools>>Internet Options>>Security>>Internet 2 Select Default Level to return to the default settings. 3 Select Custom Level to specify High, Medium, Medium-low, or Low or to create custom settings. B.1.3 Internet Explorer (IE) Local Intranet Security Zone The following sections contain more information: “Description”...
  • Page 398: Internet Explorer (IE) Restricted Site Security Zone

    The default setting is High. You also define the specific sites by name and IP address that are restricted. For example, you could specify www.unsafesite.com as a restricted site. The following link provides details about the specific security options: http://www.microsoft.com/technet/prodtechnol/ie/ieak/techinfo/deploy/60/en/security.mspx?mfr=true
  • Page 399: Internet Explorer (IE) Trusted Sites Security Zone

    What Do I Need to Do? Perform the following steps: 1 Select Tools>>Internet Options>>Security>>Restricted sites 2 Select one of the following: Default Level to return to the default settings. Select Custom Level to specify High, Medium, Medium-low, or Low or to create custom settings.
  • Page 400: Operating System - Windows

    Section B.2.12, “Windows Media Player Hotfixes,” on page 409 Section B.2.13, “Windows VistaTM SP0 Hotfixes,” on page 409 Section B.2.14, “Windows XP SP1 Hotfixes,” on page 410 Section B.2.15, “Windows XP SP2 Hotfixes,” on page 411
  • Page 401: IIS Hotfixes

    B.2.1 IIS Hotfixes The following sections contain more information: “Description” on page 401 “Test Properties” on page 401 “How Does this Affect Me?” on page 401 “What Do I Need to Do?” on page 401 Description Checks for updates to Microsoft Internet Information Services (IIS). Test Properties Select the check box for each IIS update to verify.
  • Page 402: Microsoft Office Hotfixes

    Hotfixes are programs that update the software and may include performance enhancements, bug fixes, security enhancements, and so on. There is usually only one fix in a hotfix, whereas a patch includes multiple hotfixes.
  • Page 403: Microsoft Applications Hotfixes

    What Do I Need to Do? Manually initiate an update check at http://www.update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx?returnurl=http://www.update.microsoft.com/microsoftupdate&ln=en-us or by clicking on one of the update numbers underlined at the right side of the window as shown in Figure B-1. Figure B-1 Microsoft Office Hotfixes Critical Updates B.2.4 Microsoft Applications Hotfixes The following sections contain more information:...
  • Page 404: Microsoft Servers Hotfixes

    Select the hotfixes required on your network. If needed select Deep Check to permit endpoint tests to run at the file level. Selecting the All critical updates option requires all the critical patches that have been released or will be released by Microsoft.
  • Page 405: Service Packs

    How Does this Affect Me? Hotfixes are programs that update the software and may include performance enhancements, bug fixes, security enhancements, and so on. There is usually only one fix in a hotfix, whereas a patch includes multiple hotfixes. What Do I Need to Do? Manually initiate an update check at http://www.update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx?returnurl=http://www.update.microsoft.com/microsoftupdate&ln=en-us...
  • Page 406: Windows 2003 SP1 Hotfixes

    The most secure option is to select the All critical updates option, as this requires all the critical patches that have been released or that will be released by Microsoft. You don't have to keep checking by patch number.
  • Page 407: Windows 2003 SP2 Hotfixes

    How Does this Affect Me? Hotfixes are programs that update the software and may include performance enhancements, bug fixes, security enhancements, and so on. There is usually only one fix in a hotfix, whereas a patch includes multiple hotfixes. What Do I Need to Do? Manually initiate an update check at http://www.update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx?returnurl=http://www.update.microsoft.com/microsoftupdate&ln=en-us...
  • Page 408: Windows Automatic Updates

    1 Select Start>>Settings>>Control Panel>>Automatic Updates 2 Select Keep my computer up to date. 3 Select Download the updates automatically and notify me when they are ready to be installed. 4 Click OK.
  • Page 409: Windows Media Player Hotfixes

    B.2.12 Windows Media Player Hotfixes The following sections contain more information: “Description” on page 409 “Test Properties” on page 409 “How Does this Affect Me?” on page 409 “What Do I Need to Do?” on page 409 Description Checks for Windows Media Player hotfixes. Test Properties Select the hotfixes required on your network.
  • Page 410: Windows XP SP1 Hotfixes

    Hotfixes are programs that update the software and may include performance enhancements, bug fixes, security enhancements, and so on. There is usually only one fix in a hotfix, whereas a service pack includes multiple hotfixes.
  • Page 411: Windows XP SP2 Hotfixes

    What Do I Need to Do? Manually initiate an update check at http://www.update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx?returnurl=http://www.update.microsoft.com/microsoftupdate&ln=en-us or by clicking on one of the update numbers underlined at the right side of the window as shown in Figure B-1 on page 403.
  • Page 412: Mac AirPort WEP Enabled

    The following sections contain more information: “Description” on page 413 “Test Properties” on page 413 “How Does this Affect Me?” on page 413 “What Do I Need to Do?” on page 413
  • Page 413: Mac AirPort User Prompt

    Description This test verifies that the Mac AirPort® joins only preferred networks. Test Properties There are no properties to set for this test. How Does this Affect Me? If you move between different locations, and you use an AirPort network in each one, you can choose your preferred AirPort network for each network location you create.
  • Page 414: Mac Anti-Virus

    The following sections contain more information: “Description” on page 415 “Test Properties” on page 415 “How Does this Affect Me?” on page 415 “What Do I Need to Do?” on page 415
  • Page 415: Mac Firewall

    Description This test verifies that Bluetooth is either completely disabled or if enabled is not discoverable. Test Properties There are no properties to set for this test. How Does this Affect Me? Bluetooth is a wireless technology that allows computers and other endpoints (such as mobile phones and personal digital assistants (PDAs)) to communicate.
  • Page 416: Mac Internet Sharing

    “Test Properties” on page 417 “How Does this Affect Me?” on page 417 “What Do I Need to Do?” on page 417 Description This test verifies that the QuickTime updates have been applied on this endpoint.
  • Page 417: Mac Security Updates

    Select the Quarantine access check box and enter a temporary access period. This is the amount of time the endpoint will have access starting from when the endpoint was detected by Novell ZENworks Network Access Control. Enter an Allowed grace period in the Test properties area. This is the amount of time that has elapsed since the security update was issued.
  • Page 418: Mac Services

    The following sections contain more information: “Description” on page 419 “Test Properties” on page 419 “How Does this Affect Me?” on page 419 “What Do I Need to Do?” on page 419
  • Page 419: Microsoft Excel Macros

    Description Checks for the presence of an unauthorized connection on an endpoint. These might include connections to a rogue wireless access point, VPN, or other remote network. Test Properties Enter a list of IP ranges that are legitimate for your network. Add the ranges separating the start and end IP with a "-".
  • Page 420: Microsoft Outlook Macros

    Low (not recommended). You are not protected from potentially unsafe macros. Use this setting only if you have virus scanning software installed, or you have checked the safety of all documents you open.
  • Page 421: Microsoft Word Macros

    How Does this Affect Me? Macros are simple programs that are used to repeat commands and keystrokes within another program. A macro can be invoked (run) with a simple command that you assign, such as [ctrl]+[shift]+[r]. Some viruses are macro viruses and are hidden within a document. When you open an infected document, the macro virus runs.
  • Page 422: Services Not Allowed

    Panel>>Administrative Tools>>services application. For example: Telnet Messenger Remote Desktop Help Session Manager How Does this Affect Me? Services are Windows operating system applications that run automatically, without manual intervention. Services explained: http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch07n.mspx
  • Page 423: Services Required

    How to identify the services running in a process: http://www.microsoft.com/resources/documentation/windows/2000/server/scriptguide/en-us/sas_ser_arwi.mspx Tips on Windows XP services: http://www.theeldergeek.com/services_guide.htm What Do I Need to Do? For services you never use, disable the service. For services you may use occasionally, change the startup type from automatic to manual.
  • Page 424: Windows Bridge Network Connection

    An example use of this type of connection would be to bridge a high-speed cellular network connection in and out of the local network. A bridged network connection poses a significant security risk.
  • Page 425: Windows Wireless Network SSID Connections

    Test Properties Any endpoint which has a Windows bridge Network Connection will fail this test. How Does this Affect Me? Using network bridges can be useful in some environments; however, they also create a security risk. What Do I Need to Do? Do not use network bridges.
  • Page 426: Windows Security Policy

    http://technet2.microsoft.com/windowsserver/en/library/66a6776a-b1ef-43dd-8f18-d694fd07494b1033.mspx?mfr=true Disable "Network access: Let Everyone permissions apply to anonymous users" http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/loc_sec_set.mspx?mfr=true Enable "Accounts: Limit local account use of blank passwords to console logon only"
  • Page 427: Windows Startup Registry Entries Allowed

    http://www.microsoft.com/resources/documentation/IIS/6/all/proddocs/en-us/Default.asp?url=/resources/documentation/IIS/6/all/proddocs/en-us/636.asp What Do I Need to Do? To select the security policies: 1 Select Start>>Settings>>Control Panel>>Administrative Tools. 2 Double-click Local Security Policy. 3 Double-click Local Policies. 4 Double-click Security Options. 5 Double-click a security policy. 6 Select Enabled or Disabled. 7 Click OK.
  • Page 428: Wireless Network Connections

    The following sections contain more information: “Description” on page 429 “Test Properties” on page 429 “How Does this Affect Me?” on page 429 “What Do I Need to Do?” on page 429
  • Page 429: Software - Windows

    Description Checks for the presence of an unauthorized connection on an endpoint. This might include connections to a rogue wireless access point, VPN, or other remote network. Test Properties Select one of the items listed to specify wireless and wired connections. The following wireless adapters are supported: NetGear, LinkSYS, D-Link.
  • Page 430: Anti-Virus

    It searches for known files and automatically removes them. A virus is a program that infects other programs and files and can spread when a user opens a program or file containing the virus. A virus needs a host (the program or file) to spread.
  • Page 431: High-Risk Software

    A worm is a program that can also perform malicious acts (such as delete files and send email); however, it replicates itself and does not need a host (program or file) to spread. Frequently, worms are used to install a backdoor (a way for an attacker to gain access without having to log in). A trojan horse is a stand-alone program that is not what it seems.
  • Page 432: P2P

    P2P software allows users to connect directly to other users and is used for file sharing. Many P2P software packages are considered spyware and their use is generally discouraged.
  • Page 433: Personal Firewalls

    What Do I Need to Do? Remove or disable any disallowed P2P software. B.5.6 Personal Firewalls The following sections contain more information: “Description” on page 433 “Test Properties” on page 433 “How Does this Affect Me?” on page 433 “What Do I Need to Do?” on page 433 Description This test verifies that the endpoint attempting to connect to your system has the latest personal firewall software installed and running.
  • Page 434: Software Required

    Enter a list of applications that are required on all connecting endpoints, separated with a carriage return. The format for an application is vendor\software package[\version]. Using this format stores the value in the HKEY_LOCAL_MACHINE\Software key. For example: Adobe\Acrobat Reader, Adobe\Acrobat Reader\6.0
  • Page 435: Worms, Viruses, And Trojans

    You can also specify which key to use for the specific value by entering the key at the beginning of the value. For example: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Messenger How Does this Affect Me? Connecting to a network may be impossible if the correct software is not installed and operational. What Do I Need to Do? Contact the vendor and install the missing software.
  • Page 437: C HA Bypass Card

    Section C.6, “Operating the Bypass Card,” on page 441 C.1 Overview The bypass card functions as a normally open switch. In the event of a problem with Novell ZENworks Network Access Control, the card bypasses Novell ZENworks Network Access Control...
  • Page 438: Location And Connections

    HA Bypass Card Location Figure C-2 The bypass card is normally provided as an optional internal component for the Novell ZENworks Network Access Control server. C.3 HA Bypass Supported The following Interface Masters models are supported: Niagara 2261 (Two Gigabit Ethernet Copper Ports, 1000 Base —...
  • Page 439: Configuring The Bypass Card

    To configure the Novell ZENworks Network Access Control server for the bypass card: 1 Log into the Novell ZENworks Network Access Control Enforcement server via SSH or directly. 2 Open the following file with a text editor such as vi: /etc/modprobe.conf...
  • Page 440 STATE Indicates the state the card is in. A variety of states are possible as shown in Table C-3 on page 441.
  • Page 441: Operating The Bypass Card

    IMPORTANT: If you are connected using SSH and use the following instructions to force a bypass card into bypass mode, you will lose connectivity. To force the system into bypass mode: 1 Log into the Novell ZENworks Network Access Control server via SSH or directly. 2 Enter the following command: service bypass bypass To force the system into a closed or normal mode, so traffic flows through it: 1 Log into the Novell ZENworks Network Access Control server via SSH or directly.
  • Page 443: D Database Design (Data Dictionary)

    Database Design (Data Dictionary) This section provides information on the following tables for the Novell ZENworks Network Access Control database: Section D.1, “test_result table,” on page 443 Section D.2, “Device table,” on page 444 Section D.3, “sa_cluster,” on page 447 Section D.4, “sa_node,”...
  • Page 444: Device Table

    VARCHAR(50) DEFAULT NULL The domain name of the endpoint. username VARCHAR(50) DEFAULT NULL The user name used during the test. VARCHAR(100) DEFAULT NULL The operating system of the endpoint (eg, 'Windows', 'Linux')
  • Page 445 os_details VARCHAR(100) The specific version of the operating system of the endpoint. password VARCHAR(50) DEFAULT NULL The password used during the test. logged_on_user VARCHAR(100) The user logged onto endpoint last time it was tested. policy_id VARCHAR(50) DEFAULT NULL The identification number of the last policy used.
  • Page 446 VARCHAR(32) The identifier of the product that externally quarantined this device. ext_quarantine_instance_name VARCHAR(32) The instance name of the system that externally quarantined this device.
  • Page 447: Sa_Cluster

    D.3 sa_cluster sa_cluster Table D-3 This table contains information about all known clusters. cluster_id VARCHAR(64) PRIMARY KEY cluster_name VARCHAR(30) The name of the cluster. policy_set_id INT4 The unique ID of the policy set used by the cluster. devices TEXT Not used. current_licenses INT4 The number of endpoint licenses allocated to the...
  • Page 448: Cluster_To_User

    D.9 group_to_permission group_to_permission Table D-9 This table contains information about the user role and its associated permissions. group_id INT4 The unique id of the user role in the many-to-many relationship
  • Page 449 permission_enum VARCHAR(64) One of: CONFIG_CLUSTER, CONFIG_SERVER, CONFIG_SYSTEM, VIEW_ALERTS, REPORTS, POLICY, DEVICE, MONITOR, ENDPOINT_ACCESS, RETEST
  • Page 451: E Ports Used In Novell ZENworks Network Access Control

    Ports used in Novell ZENworks Network Access Control The following table provides information about Ports used in Novell ZENworks Network Access Control: Ports in Novell ZENworks Network Access Control Table E-1 Port Parties Description Comments Ports used for testing endpoints:...
  • Page 452 Internet through the MS. 443 (TCP) MS to Internet For license validation and test updates: http://nacupdate.novell.com Configure on the firewall/router between MS and Internet port NOTE: The ES communicates to the Internet through the MS.
  • Page 453 the proxy server. Configure in the Novell ZENworks Network Access Control user interface: System configuration>>Management server option>>Proxy server area>>Proxy server port text field Example: 8080 Ports used for LDAP:
  • Page 454 >>Select the SSH Connection method 1812 (TCP) Switch to ES Used to relay credentials to RADIUS when you are using the local RADIUS server. Not configurable Ports used for DHCP and domain controllers:
  • Page 455 3268 (TCP) to your domain controller on ports 88, 135-159, 389, 1025, 1026, and 3268. Ports used for accessible services and endpoints:
  • Page 456 or ES Used for SNMP monitoring of the server. Not Configurable NOTE: See Section 3.5.8, “Enabling SNMP,” on page 55 for instructions on enabling SNMP. 162 (UDP/TCP) MS to SNMP Traps for SNMP Not configurable
  • Page 457: F MS Disaster Recovery

    Section F.4, “Failover process,” on page 458 F.1 Installation Requirements The following items are required as part of the installation of Novell ZENworks Network Access Control and are essential elements for recovery of an MS. Primary and Standby Management Servers must each have their own unique license keys, with...
  • Page 458: Ongoing Maintenance

    Rule updates must be applied to both the primary and standby MS (so they have the same version) Novell ZENworks Network Access Control upgrades must be applied to both the primary and standby MS Regular backups need to be taken of the primary MS, and stored in a safe location F.4 Failover process...
  • Page 459 10 Log in to the UI of the standby MS again (at this point, all UI users from the primary should be able to log in). 11 Navigate to System configuration>>Management server>>edit network settings 12 Change the IP address to be that of the old or primary MS. See Section 3.5.2, “Modifying MS Network Settings,”...
  • Page 461: G Licenses

    Subscription License Grant. Subject to the payment of the applicable license fees, taxes, and subject to the terms and conditions of this Agreement, Novell hereby grants to you a non-exclusive, non-transferable right to use for internal purposes only one copy of the specified version of the Software and the accompanying documentation (the "Documentation") for the time period specified...
  • Page 462 Perpetual License Grant. Subject to the payment of the applicable license fees, taxes, and subject to the terms and conditions of this Agreement, Novell hereby grants to you a perpetual, revocable, non-exclusive, non-transferable right to use for internal purposes only one copy of the specified version of the Software and the accompanying Documentation (the "Documentation").
  • Page 463 Renewal Periods. For Subscription Licenses, the license subscription will renew automatically unless written notification of intent to cancel is received by Novell no later than 30 days before the expiration date of the then current term, and a renewal invoice will be generated that will reflect the greater of the license subscription renewal price in effect at that time and the previous year’s...
  • Page 464 4a. Ownership Rights. United States copyright laws and international treaty provisions protect the Software. Novell and its suppliers own and retain all right, title and interest in and to the Software, including all copyrights, patents, trade secret rights, trademarks and other intellectual property rights therein.
  • Page 465 Software via a timesharing, service bureau or other arrangement, except to the extent such use is otherwise agreed to by Novell in writing. You may not use the Software for any benchmarking or other testing services. You may not transfer any of the rights granted to you under this Agreement.
  • Page 466 Any replacement media will be warranted for the remainder of the original warranty period. Outside the United States, this remedy is not available to the extent Novell is subject to restrictions under United States export control laws and regulations.
  • Page 467 This Agreement sets forth all rights for your use of the Software and is the entire agreement between the parties. Novell reserves the right to periodically audit you to ensure that you are not using any Software in violation of this Agreement. During your standard business hours and upon prior written notice, Novell may visit you and you will make available to Novell or its representatives any records pertaining to the Software to Novell.
  • Page 468: Other Licenses

    Below are copies of the licenses and the applicable acknowledgements and attribution notices in connection with the third party software used in Novell ZENworks Network Access Control v5.0. The source code for this third party software is located at http://www.novell.com/products/...
  • Page 469 "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).
  • Page 470 Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.
  • Page 471: Asm 2.2.3

    END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format.
  • Page 472: OpenSSH 4.5p1

    - GMP is no longer used, and instead we call BN code from OpenSSL - Zlib is now external, in a library - The make-ssh-known-hosts script is no longer included - TSS has been removed
  • Page 473 - MD5 is now external, in the OpenSSL library - RC4 support has been replaced with ARC4 support from OpenSSL - Blowfish is now external, in the OpenSSL library [The licence continues] Note that any information and cryptographic algorithms used in this software are publicly available on the Internet and at any major bookstore, scientific library, and patent office worldwide.
  • Page 474 3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
  • Page 475 THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;...
  • Page 476: PostgreSQL 8.1.8

    LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT...
  • Page 477: XStream 1.2.1

    LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  • Page 478 The reason behind this being stated in this direct manner is past experience in code simply being copied and the attribution removed from it and then being distributed as part of other packages. This implementation was a non-trivial and unpaid effort.
  • Page 479: Junit 4.4 Common Public License - V 1.0

    G.2.8 Junit 4.4 Common Public License - v 1.0 THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS COMMON PUBLIC LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT. 1. DEFINITIONS "Contribution" means: a) in the case of the initial Contributor, the initial code and documentation distributed under this Agreement, and b) in the case of each subsequent Contributor:...
  • Page 480 Program in a commercial product offering. The obligations in this section do not apply to any claims or Losses relating to any actual or alleged intellectual property infringement. In order to qualify, an Indemnified Contributor must: a) promptly notify the Commercial Contributor in...
  • Page 481 writing of such claim, and b) allow the Commercial Contributor to control, and cooperate with the Commercial Contributor in, the defense and any related settlement negotiations. The Indemnified Contributor may participate in any such claim at its own expense. For example, a Contributor might include the Program in a commercial product offering, Product X. That Contributor is then a Commercial Contributor.
  • Page 482: OpenSSL 1.1.2

    2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  • Page 483 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission.
  • Page 484 The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]
  • Page 485: The Following License Applies To Sapq 2.0, Samba-Tng 0.4 And Bridgeutil 1.1

    G.2.10 The following license applies to SAPQ 2.0, samba-tng 0.4 and bridgeutil 1.1 The GNU General Public License (GPL) Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
  • Page 486 In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
  • Page 487 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software...
  • Page 488 PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
  • Page 489 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A...
  • Page 490: Pullparser 2.1.10

    WARRANTIES AS TO CAPABILITIES OR ACCURACY ARE MADE. INDIANA UNIVERSITY GIVES NO WARRANTIES AND MAKES NO REPRESENTATION THAT SOFTWARE IS FREE OF INFRINGEMENT OF THIRD PARTY PATENT, COPYRIGHT, OR OTHER PROPRIETARY RIGHTS. INDIANA UNIVERSITY MAKES NO WARRANTIES THAT...
  • Page 491: Xpp3 1.1.3.4d

    SOFTWARE IS FREE FROM "BUGS", "VIRUSES", "TROJAN HORSES", "TRAP DOORS", "WORMS", OR OTHER HARMFUL CODE. LICENSEE ASSUMES THE ENTIRE RISK AS TO THE PERFORMANCE OF SOFTWARE AND/OR ASSOCIATED MATERIALS, AND TO THE PERFORMANCE AND VALIDITY OF INFORMATION GENERATED USING SOFTWARE. G.2.12 Xpp3 1.1.3.4d Indiana University Extreme! Lab Software License Version 1.1.1...
  • Page 492: jCIFS 1.2.15, mm.mysql 2.0.14, p0f 2.06, jarapac, ncacn_np, ntlm-security, jpcap

    Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license.
  • Page 493 Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.
  • Page 494 Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library.
  • Page 495 In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3.
  • Page 496 Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.
  • Page 497 8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
  • Page 498 "copyright" line and a pointer to where the full notice is found. <one line to give the library's name and an idea of what it does.> Copyright (C) <year> <name of author>
  • Page 499: Ojdbc 14.10G

    This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;...
  • Page 500 Oracle reseller, to obtain the appropriate license. We may audit your use of the programs. Program documentation is either shipped with the programs, or documentation may be accessed online at http://otn.oracle.com/docs. Ownership and Restrictions
  • Page 501 We retain all ownership and intellectual property rights in the programs. You may make a sufficient number of copies of the programs for the licensed use and one copy of the programs for backup purposes. You may not: - use the programs for any purpose other than as provided above; - distribute the programs unless accompanied with your applications;...
  • Page 502 If you use Open Source software in conjunction with the programs, you must ensure that your use does not: (i) create, or purport to create, obligations of us with respect
  • Page 503: JavaMail 1.3.1 Sun Microsystems, Inc.

    to the Oracle programs; or (ii) grant, or purport to grant, to any third party any rights to or immunities under our intellectual property or proprietary rights in the Oracle programs. For example, you may not develop a software program using an Oracle program and an Open Source program where such use results in a program file(s) that contains code from both the Oracle program and the Open Source program (including without limitation libraries) if the Open Source program is licensed under a license that requires any "modifications"...
  • Page 504 11. Integration. This Agreement is the entire agreement between you and Sun relating to its subject matter. It supersedes all prior or contemporaneous oral or written communications, proposals, representations and warranties and prevails over any conflicting or additional terms of any quote,
  • Page 505 order, acknowledgment, or other communication between the parties relating to its subject matter during the term of this Agreement. No modification of this Agreement will be binding, unless in writing and signed by an authorized representative of each party. JAVAMAIL(TM), VERSION 1.3.1 SUPPLEMENTAL LICENSE TERMS These supplemental license terms ("Supplemental Terms") add to or modify the terms of the Binary Code License Agreement (collectively, the "Agreement").
  • Page 506: jCharts

    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL jCharts OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF...
  • Page 507: PyXML 0.8.4 Python License (CNRI Python License)

    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. G.2.17 PyXML 0.8.4 Python License (CNRI Python License) CNRI OPEN SOURCE LICENSE AGREEMENT...
  • Page 508: Io-Stty .02 And Io-Tty1.02

    3. You may otherwise modify your copy of this Package in any way, provided that you insert a prominent notice in each changed file stating how and when you changed that file, and provided that you do at least ONE of the following:
  • Page 509: Concurrent 1.3.4

    a) place your modifications in the Public Domain or otherwise make them Freely Available, such as by posting said modifications to Usenet or an equivalent medium, or placing the modifications on a major archive site such as ftp.uu.net, or by allowing the Copyright Holder to include your modifications in the Standard Version of the Package.
  • Page 510: Crypto++ 5.2.1

    Compilation Copyright (c) 1995-2003 by Wei Dai. All rights reserved. This copyright applies only to this software distribution package as a compilation, and does not imply a copyright on any particular file in the package.
  • Page 511 The following files are copyrighted by their respective original authors, and their use is subject to additional licenses included in these files. mars.cpp - Copyright 1998 Brian Gladman. All other files in this compilation are placed in the public domain by Wei Dai and other contributors. I would like to thank the following authors for placing their works into the public domain: Joan Daemen - 3way.cpp Leonard Janke - cast.cpp, seal.cpp...
  • Page 512: WinPcap 4.0.1a

    Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Page 513 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes software developed by the University of California, Berkeley and its contributors."...
  • Page 514 ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  • Page 515 LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. Portions Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.
  • Page 516: Activation 1.0.2 Package

    Software for archival purposes. Unless enforcement is prohibited by applicable law, you may not modify, decompile, or reverse engineer Software. You acknowledge that Software is not designed, licensed or intended for use in the design, construction, operation or maintenance of any nuclear
  • Page 517 facility. Sun disclaims any express or implied warranty of fitness for such uses. No right, title or interest in or to any trademark, service mark, logo or trade name of Sun or its licensors is granted under this Agreement. 3. LIMITED WARRANTY. Sun warrants to you that for a period of ninety (90) days from the date of purchase, as evidenced by a copy of the receipt, the media on which Software is furnished (if any) will be free of defects in materials and workmanship under normal use.
  • Page 518: Java Optional Package

    5. Trademarks and Logos. You acknowledge and agree as between you and Sun that Sun owns the SUN, SOLARIS, JAVA, JINI, FORTE, and iPLANET trademarks and all SUN, SOLARIS, JAVA, JINI, FORTE, and iPLANET-related trademarks, service marks, logos and other brand designations
  • Page 519: Jsp-Api Package

    ("Sun Marks"), and you agree to comply with the Sun Trademark and Logo Usage Requirements currently located at http://www.sun.com/policies/trademarks. Any use you make of the Sun Marks inures to Sun's benefit. 6. Source Code. Software may contain source code that is provided solely for reference purposes pursuant to the terms of this Agreement.
  • Page 520 Government's rights in Software and accompanying documentation will be only as set forth in this Agreement; this is in accordance with 48 CFR 227.7201 through 227.7202-4 (for Department of Defense (DOD) acquisitions) and with 48 CFR 2.101 and 12.212 (for non-DOD acquisitions).
  • Page 521 9. Governing Law. Any action related to this Agreement will be governed by California law and controlling U.S. federal law. No choice of law rules of any jurisdiction will apply. 10. Severability. If any provision of this Agreement is held to be unenforceable, this Agreement will remain in effect with the provision omitted, unless omission would frustrate the intent of the parties, in which case this Agreement will immediately terminate.
  • Page 522 4. Java Technology Restrictions. You may not create or modify, or authorize your licensees to create or modify, additional classes, interfaces, or sub-packages that are in any way identified as "java", "javax", "sun" or similar convention as specified by Sun in any naming convention designation.
  • Page 523 5. Trademarks and Logos. You acknowledge and agree as between you and Sun that Sun owns the SUN, SOLARIS, JAVA, JINI, JDK, FORTE, STAROFFICE, STARPORTAL and iPLANET trademarks and all SUN, SOLARIS, JAVA, JINI, FORTE, STAROFFICE, STARPORTAL and iPLANET-related trademarks, service marks, logos and other brand designations ("Sun Marks"), and you agree to comply with the Sun Trademark and Logo Usage Requirements currently located at http://www.sun.com/policies/trademarks.
  • Page 525 If your network uses a Windows domain controller and the connecting endpoint is a member of a configured domain, Novell ZENworks Network Access Control uses the information supplied to access and test the endpoint.
  • Page 526 A list of devices or endpoints that are denied access to a system or are denied privileges. In Novell ZENworks Network Access Control, endpoints and domains that are always quarantined. CA/PKI...
  • Page 527 Cisco Trust Agent. Device Activity Capture — A utility that listens on (sniffs) the network for DHCP traffic and can be configured to discover other types of IP traffic if needed (such as from static IP addresses). Domain controller — A server that manages and controls the activities (such as user access) in the domain.
  • Page 528 In Novell ZENworks Network Access Control, the process of upholding the access rules set in the NAC policies. Enforcement server. FQDN — Fully Qualified Domain Name — A domain name that uniquely identifies a host computer. It includes the host name and the domain name. For example, myhost.mycompany.com.
  • Page 529 An installation of Novell ZENworks Network Access Control where it is placed on the network and all traffic to be quarantined passes through Novell ZENworks Network Access Control. Internet protocol — A protocol by which data is sent from one computer to another on the Internet.
  • Page 530 Management server (MS) — When using Novell ZENworks Network Access Control in a multiple-server installation, the server that is used for managing ESs. Management Information Base — A database used to manage components in a network. MultiMediaCard — A portable storage device.
  • Page 531 Packet InterNet Groper — A utility used to test the connection to a host. post-connect — Post-connect in Novell ZENworks Network Access Control provides an interface where you can configure external systems, such as IDS/IPS, that request quarantining of an endpoint based on activity that occurs after the endpoint has connected to the network (post-connect).
  • Page 532 A component of 802.1X that is the client; the endpoint that wants to access the network. Software Update Service. Tape ARchive — A type of file that contains multiple files and directory structures. Transfer Control Protocol...
  • Page 533 In Novell ZENworks Network Access Control, a temporary period of time during which an end-user is allowed access. Transport Layer Security. User Access Control. User Datagram Protocol. VLAN — Virtual Local Area Network. Virtual private network — A secure method of using the Internet to gain access to an organization's network.
