Extreme Networks AG200 User Manual

Version 5.0

Sentriant AG Users' Guide, Version 5.0
Extreme Networks, Inc.
3585 Monroe Street
Santa Clara, California 95051
(888) 257-3000
(408) 579-2800
http://www.extremenetworks.com
Published: June 2007
Part number: 120395-00 Rev 06

Summary of Contents for Extreme Networks AG200

  • Page 1 Sentriant AG Users’ Guide, Version 5.0 Extreme Networks, Inc. 3585 Monroe Street Santa Clara, California 95051 (888) 257-3000 (408) 579-2800 http://www.extremenetworks.com Published: June 2007 Part number: 120395-00 Rev 06...
  • Page 2 48i, SummitRPS, SummitGbX, Triumph, vMAN, the Extreme Networks logo, the Alpine logo, the BlackDiamond logo, the Summit logos, the Extreme Turbodrive logo, and the Color Purple, among others, are trademarks or registered trademarks of Extreme Networks, Inc. or its subsidiaries in the United States and other countries. Other names and marks may be the property of their respective owners.
  • Page 3: Table Of Contents

    Table of Contents ..........................3 List of Figures ..........................15 List of Tables ..........................19 Chapter 1: Introduction........................21 Sentriant AG Home Window .......................21 System Monitor.........................22 Sentriant AG v5.0 for v4.x Users ....................24 Overview ..........................27 The Sentriant AG Process.....................29 About Sentriant AG ......................29 NAC Policy Definition ....................29 Endpoint Testing ......................29...
  • Page 4 Table of Contents Enforcement Clusters ........................45 Adding an Enforcement Cluster ....................45 Editing Enforcement Clusters ....................47 Viewing Enforcement Cluster Status..................48 Deleting Enforcement Clusters....................49 Enforcement Servers .........................50 Adding an ES........................50 Cluster and Server Icons ......................51 Editing ESs ........................52 Changing the ES Network Settings ..................54 Changing the ES Date and Time ...................54 Modifying the ES root Account Password ................55 Viewing ES Status .......................55...
  • Page 5 Testing the Connection to a Device ..................84 Cisco IOS ...........................85 Cisco CatOS ........................87 Enterasys ...........................89 Extreme ExtremeWare......................90 Extreme XOS ........................92 Foundry..........................93 HP ProCurve Switch ......................95 HP ProCurve WESM ......................98 HP ProCurve 420 AP or HP ProCurve 530 AP ..............100 Nortel ..........................102 Other ..........................104...
  • Page 6 Table of Contents Filtering the Endpoint Activity Window ..................134 Filtering by Access Control or Test Status ................135 Filtering by Time .......................136 Limiting Number of Endpoints Displayed................136 Searching .........................137 Access Control States ......................138 Test Status States ........................139 Viewing Endpoint Access Status ....................141 Selecting Endpoints to Act on ....................142 Acting on Selected Endpoints....................142 Manually Retest an Endpoint....................142...
  • Page 7 Table of Contents Standard NAC Policies......................186 NAC Policy Group Tasks ......................186 Add a NAC Policy Group ....................186 Editing a NAC Policy Group....................187 Deleting a NAC Policy Group ....................188 NAC Policy Tasks ........................188 Enabling or Disabling an NAC Policy ...................188 Selecting the Default NAC Policy ..................188 Creating a New NAC Policy ....................189 Editing a NAC Policy ......................193 Copying a NAC Policy ......................193...
  • Page 8 Setting up the Supplicant ....................262 Setting up the Authenticator ....................265 Cisco® 2950 IOS......................266 Cisco® 4006 CatOS ....................267 Enterasys® Matrix 1H582-25 ..................267 Extreme® Summit 48si ....................267 ExtremeWare ......................268 ExtremeXOS........................269 Foundry® FastIron® Edge 2402...................269 HP ProCurve® 420AP ....................270 HP ProCurve® 530AP ....................271 HP ProCurve®...
  • Page 9 Table of Contents Managing your Sentriant AG License ..................293 Entering a New License Key ....................294 Downloading New Tests ......................294 System Settings ........................295 Matching Windows Domain Policies to NAC Policies .............295 Setting the Access Mode....................296 Naming your Enforcement Cluster..................296 Changing the MS Host Name....................296 Changing the ES Host Name ....................296 Resetting your System .......................297 Changing Properties ......................298...
  • Page 10 Table of Contents Internet Explorer (IE) Internet Security Zone ................339 Description .........................339 Test Properties......................339 How Does this Affect Me? ....................340 What Do I Need to Do? ....................340 Internet Explorer (IE) Local Intranet Security Zone ...............340 Description .........................340 Test Properties......................340 How Does this Affect me? ....................341 What Do I Need to Do? ....................341 Internet Explorer (IE) Restricted Site Security Zone ..............341 Description .........................341...
  • Page 11 Table of Contents What Do I Need to Do? ....................346 Windows Server 2003 SP2 Hotfixes ..................347 Description .........................347 Test Properties......................347 How Does this Affect Me? ....................347 What Do I Need to Do? ....................347 Windows Server 2003 Hotfixes ...................347 Description .........................347 Test Properties......................347 How Does this Affect Me? ....................347 What Do I Need to Do? ....................348...
  • Page 12 Table of Contents Description .........................352 Test Properties......................352 How Does this Affect Me? ....................353 What Do I Need to Do? ....................353 Mac Services ........................353 Description .........................353 Test Properties......................353 How Does this Affect Me? ....................353 What Do I Need to Do? ....................353 Security Settings—Windows.....................354 Allowed Networks ......................354 Description .........................354...
  • Page 13 Table of Contents How Does this Affect Me? ....................361 What Do I Need to Do? ....................361 Software—Windows.........................362 Anti-spyware ........................362 Description .........................362 Test Properties......................362 How Does this Affect Me? ....................362 What Do I Need to Do? ....................363 Anti-virus .........................363 Description .........................363 Test Properties......................363 How Does this Affect Me? ....................363 What Do I Need to Do? ....................363...
  • Page 14 ..........................374 cluster_to_user ........................374 user_group ..........................374 user_to_groups ........................375 group_to_permission .......................375 Appendix D: Licenses ........................377 Extreme Networks, Inc. End-User License Agreement ..............377 Other Licenses........................379 Apache License Version 2.0, January 2004 .................380 ASM 2.2.3 ........................381 Open SSH 3.8p1 ......................382 Postgresql 8.1.8 .......................384 Postgresql jdbc 8.1-408 ....................385...
  • Page 15: List Of Figures

    Figure 34: Add Cisco CatOS Device Window ................87 Figure 35: Add Enterasys Device Window ..................89 Figure 36: Add ExtremeWare Device Window ................90 Figure 37: Add Extreme XOS Device Window ................92 Figure 38: Add Foundry Device Window..................93 Figure 39: Add HP ProCurve Device Window ................95 Figure 40: Add HP ProCurve WESM Device Window ..............98...
  • Page 16 List of Figures Figure 42: Add Nortel Device Window ..................102 Figure 43: Add Other Device Window ..................104 Figure 44: DHCP Enforcement Window ...................106 Figure 45: Add a Quarantine Area Window................107 Figure 46: Quarantine Area ....................109 Figure 47: System Configuration Window, Maintenance ............111 Figure 48: Backup Successful Message ...................112 Figure 49: System Configuration Window, Testing Methods ............113 Figure 50: System Configuration Window, Accessible Services...........115...
  • Page 17 List of Figures Figure 88: End-user ActiveX Plug-in Failed Window ..............170 Figure 89: End-user Login Credentials Window.................171 Figure 90: End-user Login Failed ....................172 Figure 91: End-user Testing Window ..................173 Figure 92: End-user Testing Successful Window...............173 Figure 93: Temporary Quarantine Window................174 Figure 94: End-user Testing Cancelled Window ................175 Figure 95: End-user Testing Failed Window Example 1 .............175 Figure 96: End-user Testing Failed, Printable Results Window...........176...
  • Page 18 List of Figures Figure 134:IAP, Remote Access Policy, Properties ..............243 Figure 135:IAS, Remote Access Policy, Configure ..............244 Figure 136:IAS, Remote Access Policy, Add Attribute ...............245 Figure 137:IAS, Remote Access Logging Properties..............246 Figure 138:Sentriant AG-to-IAS Connector ................247 Figure 139:IAS, Add/Remove Snap-in ..................248 Figure 140:IAS, Add/Remove Snap-in, Certificates..............248 Figure 141:IAS, Import Certificate...................249 Figure 142:Active Directory, properties ..................255...
  • Page 19: List Of Tables

    List of Tables Table 1: Sentriant AG v5.0 for v4.x Users................24 Table 2: Test Methods ......................27 Table 3: Sentriant AG Technical Support................31 Table 4: Default Menu Options ....................43 Table 5: Default User Roles ....................65 Table 6: User Role Permissions .....................70 Table 7: Accessible Services and Endpoints Tips..............116 Table 8:...
  • Page 20 List of Tables Sentriant AG Users’ Guide, Version 5.0...
  • Page 21: Chapter 1: Introduction

    Introduction This chapter provides the following: ● A description of the Home window (“Sentriant AG Home Window” on page …) ● A description of the System monitor window (“Sentriant AG Home Window” on page …) ● A quick-reference for v4.1 users (“Sentriant AG v5.0 for v4.x Users” on page …) ● An overview of Sentriant AG and the key features...
  • Page 22: System Monitor

    Introduction 7 Access control status area—The Access control area displays the total number of endpoints that have attempted to connect to your network, and what the access state is as a percentage and as a number. Click on the number of endpoints to view details. 8 Enforcement server (ES) status area—The Enforcement server status area provides status on your ESs.
  • Page 23: Figure 2: System Monitor Window

    Introduction ● Cluster access mode—The cluster access mode is either normal, allow all, or quarantine all. See “Enforcement Clusters and Servers” on page 44 for instructions on making the access mode selection. ● Health status—Health status shows ok for servers with no problems, and either warning or error for...
  • Page 24: Sentriant Ag V5.0 For V4.X Users

    Introduction The following figure shows the legend for the System monitor window icons: Figure 3: System Monitor Window Legend Sentriant AG v5.0 for v4.x Users The console has been completely redesigned in this release of Sentriant AG. The following table provides a quick-reference for users familiar with Sentriant AG v4.x.
  • Page 25 Introduction Table 1: Sentriant AG v5.0 for v4.x Users (continued) Sentriant AG 4.x Sentriant AG 5.0 Notes System tab • Interface and DNS configuration— System tab tasks are on the System configuration window. System configuration>>Select a server>>Configuration • Date & time settings—System configuration>>Management server Quarantine tab •...
  • Page 26 Introduction Table 1: Sentriant AG v5.0 for v4.x Users (continued) Sentriant AG 4.x Sentriant AG 5.0 Notes Credentials tab System configuration>>Agentless Windows domain credentials are on credentials the System configuration window (Agentless credentials). They are set as cluster defaults, but can be overridden when creating or editing a cluster.
  • Page 27: Overview

    NOTE Agentless testing uses an existing Windows service (RPC). ActiveX testing uses an ActiveX control. Extreme Networks, Inc. agent testing installs an agent (Sentriant AG Agent) and runs as a new Windows service.
  • Page 28 Introduction Table 2: Test Methods (continued) Trade-offs Test method Pros Cons ActiveX plug-in • No installation or upgrade to • No retesting of endpoint once maintain. browser is closed. • Supports all Windows operating • Not supported by non-Windows systems. operating systems.
  • Page 29: The Sentriant Ag Process

    Introduction ● Self-remediation—Reduces IT administration by empowering users to bring their machines into compliance. ● Subscription-based licensing—Includes all test updates and software upgrades. The Sentriant AG Process Sentriant AG administrators create NAC policies that define which applications and services are permitted, and specify the actions to be taken when endpoints do not comply.
  • Page 30: Compliance Enforcement

    Introduction NOTE Sentriant AG passes approximately 9 to 16 kilobytes of total data between a single endpoint and a single Sentriant AG server for a single testing session with the High Security NAC policy (approximately 20 tests). It typically takes between 5 and 10 seconds to run all tests in a policy on a 100Mb LAN. If your endpoints are taking longer to test, there might be a configuration problem with DNS on the Sentriant AG server.
  • Page 31: Targeted Reporting

    Introduction Targeted Reporting Sentriant AG reports provide concise security status information on endpoint compliance and access activity. Specific reports are available for auditors, managers, and IT staff members. For more information, see “Reports” on page 285. Technical Support Table 3 lists the available technical support options.
  • Page 32: Installing And Upgrading

    Sentriant AG release upgrades or patch installs, compromising the third-party software functionality. Additionally, installing third-party software and/or modifying the Sentriant AG software can violate your license agreement. Please refer to the Extreme Networks, Inc. EULA: “Extreme Networks, Inc. End-User License Agreement”...
  • Page 33: Caution Paragraph

    Introduction Caution Paragraph Cautions notify you of conditions that can cause errors or unexpected results. Example: CAUTION Do not rename the files or they will not be seen by Sentriant AG. Warning Paragraph Warnings notify you of conditions that can lock your system or cause damage to your data. Example: WARNING! Do not log in using SSH—this kills your session and causes your session to hang.
  • Page 34: Courier Font

    Introduction ● Indicating document titles— Sentriant AG Installation Guide ● Indicating a variable entry in a command— https://<IP_address>/index.html In this case, you must replace <IP_address> with the actual IP address, such as 10.0.16.99. Do not type the angled brackets. Courier Font Courier font is used in the following cases: Indicating path names—...
  • Page 35: Terms

    Introduction ● Indicating a variable section in a *.INI file— [Global] NASList=192.168.200.135 ● Indicating a list in a properties file— Compliance.ObjectManager.DHCPConnectorServers=[192.168.51.130, 192.168.99.1] Terms Terms are defined in the “Glossary” on page 407. Example: Media Access Control—The unique number that identifies a physical...
  • Page 36: Pscp

    Introduction PSCP is a program used to copy files between Windows and Linux/UNIX machines. To use pscp, you must first save it from the following location to the Windows machine: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html Next, open a DOS (command) window on the Windows machine, and enter the commands as follows: To copy a file from a Linux machine to a Windows machine, enter the following: <pscp directory>...
  • Page 37: Chapter 2: Clusters And Servers

    Clusters and Servers This version of Sentriant AG introduces clusters and servers. A cluster is a logical grouping of one or more ESs that are managed by one MS. A single-server installation is one where the MS and ES are on one server. The ES is assigned to a Default cluster.
  • Page 38: Single-Server Installation

    Clusters and Servers Single-server Installation The simplest installation is where the MS and ES are installed on the same physical server as shown in the following figure: Figure 4: Single-server Installation Sentriant AG Users’ Guide, Version 5.0...
  • Page 39: Multiple-Server Installations

    Clusters and Servers Multiple-server Installations By using at least three servers, one for the MS and two for ESs, you gain the advantage of high availability and load balancing. High availability is where ESs take over for any other ES or servers that become unavailable. Load balancing is where the testing of endpoints is spread evenly over all of the ESs.
  • Page 40: Figure 6: Multiple-Server, Multiple-Cluster Installation

    Clusters and Servers When your network is more complex, you can continue to add clusters as shown in the following figure: Figure 6: Multiple-server, Multiple-cluster Installation The system configuration area allows you to select default settings for all clusters, as well as override the default settings on a per-cluster basis.
  • Page 41 “System Requirements” on page 302; however, Extreme Networks, Inc. has tested and certified Sentriant AG on the following systems: Dell Xeon 5130, 2 GB RAM, 73 GB Hard drive, 15 k SAS, 3 NICs Dell Xeon E5335, 4 GB RAM, 146 GB Hard drive, 15 k SAS, 3 NICs...
  • Page 42 Clusters and Servers Sentriant AG Users’ Guide, Version 5.0...
  • Page 43: Chapter 3: System Configuration

    System Configuration The System configuration window allows the system administrator to set the operating parameters for Sentriant AG. Introduction User logins and associated user roles determine the access permissions for specific functionality within Sentriant AG. The following table shows the default home window menu options that are available by user role: Table 4: Default Menu Options User role...
  • Page 44: Enforcement Clusters And Servers

    System Configuration Sentriant AG configuration includes the following: ● Enforcement clusters & servers—“Enforcement Clusters and Servers” on page 44 ● MS—“Management Server” on page 57 ● User accounts—“User Accounts” on page 63 ● User roles—“User Roles” on page 68 ● License—“License”...
  • Page 45: Enforcement Clusters

    System Configuration ■ Add, edit, or delete ESs ■ Set ES network settings, date and time, SNMP settings, and password ■ View available ESs ■ View status, memory usage, and disk space usage of ESs Enforcement Clusters Adding an Enforcement Cluster To add an Enforcement cluster: Sentriant AG Home window>>System configuration>>Enforcement clusters &...
  • Page 46: Figure 8: Add Enforcement Cluster Window

    System Configuration 1 Click Add an Enforcement cluster in the Enforcement clusters & servers area. The Add Enforcement cluster window appears. The General area is displayed by default. Figure 8: Add Enforcement Cluster Window a Enter a name for the Enforcement cluster in the Cluster name field. b Select one of the following access modes: ● normal—Either allows or quarantines endpoints depending on the setup of the enforcement...
  • Page 47: Editing Enforcement Clusters

    System Configuration 3 The following cluster settings take on default values set from the System configuration window. To set up operating parameters that differ from those default settings, select the menu item of the settings you want to change, then select the For this cluster, override the default settings check box, and make the desired changes.
  • Page 48: Viewing Enforcement Cluster Status

    System Configuration Viewing Enforcement Cluster Status There are two ways Sentriant AG provides Enforcement cluster status: ● The icons next to the cluster name (see Figure 10 on page …) ● The Enforcement cluster window (see the following steps) To view Enforcement cluster statistics: Sentriant AG Home window>>System configuration>>Enforcement clusters &...
  • Page 49: Deleting Enforcement Clusters

    System Configuration Deleting Enforcement Clusters NOTE Enforcement clusters need to be empty before the delete option appears next to the name in the Sentriant AG console. To delete Enforcement clusters: Sentriant AG Home window>>System configuration>>Enforcement clusters & servers 1 Click delete next to the cluster you want to remove. The Delete Enforcement cluster confirmation window appears.
  • Page 50: Enforcement Servers

    System Configuration Enforcement Servers Adding an ES To add an ES: Sentriant AG home window>>System configuration>>Enforcement clusters & servers Figure 10: System Configuration Window, Enforcement Clusters & Servers Area Sentriant AG Users’ Guide, Version 5.0...
  • Page 51: Cluster And Server Icons

    System Configuration 1 Click Add an Enforcement server in the Enforcement clusters & servers area. The Add Enforcement server window appears. Figure 11: Add Enforcement Server Window 2 Select a cluster from the Cluster drop-down list. 3 Enter the IP address for this ES in the IP address text box. 4 Enter the fully qualified hostname to set on this server in the Host name text box.
  • Page 52: Editing Ess

    System Configuration 2 Move the mouse away from the legend icon to hide the pop-up window. Figure 12: Enforcement Cluster Legend Editing ESs To edit ES settings: Sentriant AG Home window>>System configuration>>Enforcement clusters & servers 1 Click the ES you want to edit. The Enforcement server window appears, as shown in Figure 13 on page Sentriant AG Users’...
  • Page 53: Figure 13: Enforcement Server Configuration Window

    System Configuration 2 Click the Configuration menu option to access the Enforcement Server’s settings. The Configuration area is displayed: Figure 13: Enforcement Server Configuration Window 3 Edit the following setting(s): ■ ES network settings—“Changing the ES Network Settings” on page 54...
  • Page 54: Changing The Es Network Settings

    System Configuration Changing the ES Network Settings CAUTION Back up your system immediately after changing the MS or ES IP address. If you do not back up with the new IP address, and later restore your system, it will restore the previous IP address which can show an ES error condition and cause authentication problems.
  • Page 55: Modifying The Es Root Account Password

    System Configuration NOTE See “Selecting the Time Zone” on page 61 for information on changing the time zone settings for the MS. WARNING! Manually changing the date/time by a large amount (other than a time zone change) will require a restart of all servers.
  • Page 56: Deleting Ess

    System Configuration To view ES status: Sentriant AG Home window>>System configuration>>Enforcement clusters & servers 1 Click the server for which you want to view the status. The Enforcement server window appears: Figure 14: Enforcement Server Window, Status Option 2 Click ok or cancel. Deleting ESs NOTE Servers need to be powered down for the delete option to appear next to the name in the Sentriant AG console.
  • Page 57: Es Recovery

    System Configuration ES Recovery If an existing ES goes down and comes back up, it can participate in its assigned cluster, even if the MS is not available. When a new ES is created, the MS must be available before the ES can participate in a cluster. Management Server Viewing Network Settings To view MS status:...
  • Page 58: Modifying Ms Network Settings

    System Configuration Modifying MS Network Settings CAUTION Back up your system immediately after changing the MS or ES IP address. If you do not back up with the new IP address, and later restore your system, it will restore the previous IP address which can show an ES error condition and cause authentication problems.
  • Page 59: Setting The Date And Time

    System Configuration 2 Enter the IP address of the server that will act as the proxy for Internet connections in the Proxy server IP address text field. 3 Enter the port used for connecting to the proxy server in the Proxy server port text field. 4 If your proxy server requires authentication, select the Proxy server is authenticated check box.
  • Page 60: Automatically Setting The Time

    System Configuration Automatically Setting the Time To automatically set the time: Sentriant AG Home window>>System configuration>>Management server 1 Select Automatically receive NTP updates from and enter one or more Network Time Protocol (NTP) servers, separated by commas. The NTP protocol allows Sentriant AG to synchronize its date and time with other endpoints on your network.
  • Page 61: Selecting The Time Zone

    System Configuration Selecting the Time Zone To set the time zone: Sentriant AG Home window>>System configuration>>Management server 1 Select the following: a Select a region from the Region drop-down list in the Date and time area. b Select a time zone from the Time zone drop-down list. 2 Click ok.
  • Page 62: Checking For Sentriant Ag Upgrades

    Sentriant AG will automatically shut down and restart after the software downloads. NOTE Since upgrading can take longer than the default timeout setting of the Sentriant AG Console, Extreme Networks, Inc. recommends that you increase the timeout value when you have limited bandwidth by performing the steps described in “Changing the Sentriant AG Console...
  • Page 63: User Accounts

    System Configuration User Accounts Sentriant AG allows you to create multiple user accounts. User accounts provide and limit access to Sentriant AG functions based on permissions (user roles) and clusters assigned. See “User Roles” on page 68 for more information on setting permissions for the user roles. The User accounts menu option allows you to do the following: ● View user accounts...
  • Page 64: Figure 18: Add User Account

    System Configuration 1 Click Add a user account. The Add user account window appears: Figure 18: Add User Account 2 Enter the following information: ■ User ID—The user ID used to log into Sentriant AG ■ Password—The password used to log into Sentriant AG...
  • Page 65: Searching For A User Account

    System Configuration 5 In the Clusters area, select a cluster or clusters. NOTE Users must be assigned at least one Enforcement cluster. Table 5: Default User Roles User Role Name Description Cluster Administrator For their clusters, users having this role can configure their assigned clusters, view endpoint activity, change endpoint access control, retest endpoints, and generate reports.
  • Page 66: Sorting The User Account Area

    System Configuration Sorting the User Account Area To sort the user account area: Sentriant AG Home window>>System configuration>>User accounts Click the column heading for user id, full name, email address, user roles, or clusters. The user accounts reorder according to the column heading selected. Click the column heading again to change from ascending to descending.
  • Page 67: Editing A User Account

    System Configuration 7 Select the Cluster(s) that the user account can access. 8 Click ok. Editing a User Account To edit a user account: Sentriant AG Home window>>System configuration>>User accounts 1 Click the name of the user account that you want to edit. The User account window appears: Figure 20: User Account 2 Change or enter information in the fields you want to change.
  • Page 68: Deleting A User Account

    System Configuration Deleting a User Account You must always have at least one account with System Administrator permissions. CAUTION Do not delete or edit the account with which you are currently accessing the interface. Doing so can produce an error and lock you out of the interface until your session has timed out. To delete a user account: Sentriant AG Home window>>System configuration>>User accounts 1 Click delete next to the user account you want to remove.
  • Page 69: Adding A User Role

    System Configuration Adding a User Role To add a user role: Sentriant AG Home window>>System configuration>>User roles Figure 21: System Configuration Window, User Roles Sentriant AG Users’ Guide, Version 5.0...
  • Page 70: Figure 22: Add User Role Window

    System Configuration 1 Click add a user role in the User roles area. The Add user role window appears. Figure 22: Add User Role Window 2 Enter a descriptive name in the Role name field. 3 Enter a description of the role in the Description field. 4 Select the permissions for the user role.
  • Page 71: Editing User Roles

    System Configuration Editing User Roles NOTE You cannot edit the System Administrator user role. To edit user roles: Sentriant AG Home window>>System configuration>>User roles 1 Click the role you want to edit. The user role window appears: Figure 23: User Role Window 2 Enter the information in the fields you want to change.
  • Page 72: Deleting User Roles

    System Configuration Deleting User Roles NOTE You cannot delete the System Administrator role. To delete user roles: Sentriant AG Home window>>System configuration>>User roles 1 Click delete next to the user role you want to remove. The Delete user role confirmation window appears.
  • Page 73: Updating Your License Key

    Guide). If you need to update your license key, in the New license key field, enter your Sentriant AG license key, which Extreme Networks, Inc. sends to you by email. Copy and paste the license key directly from the text file.
  • Page 74: Test Updates

    System Configuration Test Updates The Test updates menu option allows you to configure the following: ● View last successful test update date/time ● Check for test updates (forces an immediate check for test updates) ● Set time or times for downloading test updates...
  • Page 75: Selecting Test Update Times

    1 Using the hour check boxes, select the time periods in which you would like Sentriant AG to check for available test updates. By default, Sentriant AG checks once every hour using the Extreme Networks, Inc. Secure Rule Distribution Center. All times listed are dependent upon the clock setting and time zone of the hardware on which Sentriant AG is running.
  • Page 76: Quarantining

    System Configuration Quarantining The Quarantining menu option allows you to configure the following by cluster: ● Select the quarantine method ● Basic 802.1X settings ● Set up authentication method ● Add, edit, delete 802.1X devices Selecting the Quarantine Method To select the quarantine method: Sentriant AG Home window>>System configuration>>Quarantining Figure 28: System Configuration Window, Quarantining Sentriant AG Users’...
  • Page 77: Entering Basic 802.1X Settings

    System Configuration 1 Select a cluster. 2 In the Quarantine method area, select one of the following quarantine methods: ■ 802.1X—When using the 802.1X quarantine method, Sentriant AG must sit in a place on the network where it can communicate with your RADIUS server, which communicates with your switch or router, which performs the quarantining.
  • Page 78: Selecting The Radius Authentication Method

    System Configuration 3 Select a RADIUS server type by selecting one of the following radio buttons: ■ Local—Enables a local RADIUS server on the ES, which can be configured to perform authentication itself or proxy to another server. ■ Remote IAS—Disables the local RADIUS server so that an IAS server configured with the NAC...
  • Page 79: Configuring Windows Domain Settings

    System Configuration Configuring Windows Domain Settings To configure Windows domain settings: Sentriant AG home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Local radio button 1 Select Windows domain from the End-user authentication method drop-down list. Figure 29: System Configuration, Windows Domain Window 2 Enter the Fully Qualified Domain Name (FQDN) of the domain to be joined in the Domain name text field.
  • Page 80 System Configuration 4 Enter the password of the account entered into the Administrator user name field in the Administrator password text field. 5 Enter the list of domain controllers, separated by commas, for this domain in the Domain controllers text field. 6 To test the Windows domain settings: a Select one of the following from the Server to test from drop-down list in the Test Windows domain settings area:...
  • Page 81: Configuring Openldap Settings

    System Configuration Configuring OpenLDAP Settings To configure OpenLDAP settings: Sentriant AG home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Local radio button 1 Select OpenLDAP from the End-user authentication method drop-down list. Figure 30: System Configuration Window, OpenLDAP 2 Enter the LDAP server hostname or IP address and optional port number in the Server text field. For example: 10.0.1.2:636...
  • Page 82 System Configuration 3 Enter the DN under which LDAP searches should be done in the Identity text field. For example: cn=admin,o=My Org,c=UA 4 Enter the password that authenticates the DN entered into the Identity text field in the Password text field. 5 Type the same password you entered into the Password field in the Re-enter password field.
  • Page 83: Adding 802.1X Devices

    “Cisco IOS” on page ■ Cisco CatOS—See “Cisco CatOS” on page ■ Enterasys—See “Enterasys” on page ■ Extreme ExtremeWare—See “Extreme ExtremeWare” on page ■ Extreme XOS—See “Extreme XOS” on page ■ Foundry—See “Foundry” on page ■ HP ProCurve switch—See “HP ProCurve Switch” on page...
  • Page 84: Testing The Connection To A Device

    System Configuration 7 Click ok. Testing the Connection to a Device To test the connection to an 802.1X device: Sentriant AG home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button NOTE You must have already added devices for them to appear in the 802.1X devices area. You can also test the device as you add it.
  • Page 85: Cisco Ios

    System Configuration Cisco IOS To add a Cisco IOS device: Sentriant AG home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device Figure 33: Add Cisco IOS Device Window 1 Enter the IP address of the Cisco IOS device in the IP address text field. 2 Enter a shared secret in the Shared secret text field.
  • Page 86 System Configuration port. If the Cisco device were to return 50210 for an endpoint, a port mask of 2/34 would indicate that the endpoint is on bank 2 and port 10 (2/10), where 210 are the third, fourth and fifth bytes in the identifier.
  • Page 87: Cisco Catos

    System Configuration Cisco CatOS To add a Cisco CatOS device: Sentriant AG home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device Figure 34: Add Cisco CatOS Device Window 1 Enter the IP address of the Cisco CatOS device in the IP address text field. 2 Enter a shared secret in the Shared secret text field.
  • Page 88 System Configuration 8 Enter the Password with which to log into the device's console. 9 Re-enter the console password. 10 Enter the password with which to enter enable mode. 11 Re-enter the enable mode password. 12 Enter the networks (using CIDR notation) that this device is in direct control over in the Network list text field.
  • Page 89: Enterasys

    System Configuration Enterasys To add an Enterasys device: Sentriant AG home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device Figure 35: Add Enterasys Device Window 1 Enter the IP address of the Enterasys device in the IP address text field. 2 Enter a shared secret in the Shared secret text field.
  • Page 90: Extreme Extremeware

    ■ Exit script—The expect script used to exit the console. 12 Click ok. NOTE Click revert to defaults to restore the default settings. Extreme ExtremeWare To add an ExtremeWare device: Sentriant AG home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device Figure 36: Add ExtremeWare Device Window 1 Enter the IP address of the ExtremeWare device in the IP address text field.
  • Page 91 3 Re-enter the shared secret in the Re-enter shared secret text field. 4 Enter an alias for this device that appears in log files in the Short name text field. 5 Select Extreme ExtremeWare from the Device type drop-down list. 6 Select telnet or SSH from the Connection method drop-down list.
  • Page 92: Extreme Xos

    Figure 37: Add Extreme XOS Device Window 1 Enter the IP address of the Extreme XOS device in the IP address text field. 2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
  • Page 93: Foundry

    System Configuration 9 Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet/SSH console can remain idle or unused before it is reset. 10 Select the Show scripts plus symbol to show the following scripts: Initialization script—The expect script used to log into the console and enter enable mode.
  • Page 94 System Configuration 2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. 3 Re-enter the shared secret in the Re-enter shared secret text field. 4 Enter an alias for this device that appears in log files in the Short name text field.
  • Page 95: Hp Procurve Switch

    System Configuration HP ProCurve Switch To add an HP ProCurve switch: Sentriant AG home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device Figure 39: Add HP ProCurve Device Window 1 Enter the IP address of the HP ProCurve device in the IP address text field. 2 Enter a shared secret in the Shared secret text field.
  • Page 96 System Configuration 7 SSH settings: a Enter the User name used to log into this device's console. b Enter the Password used to log into this device's console. c To help confirm accuracy, type the same password you entered into the Password field in the Re-enter Password field.
  • Page 97 System Configuration 9 SNMPv2 settings: a Enter the Community string used to authorize writes to SNMP objects. b Enter the OID used to re-authenticate an endpoint in the Re-authenticate OID text field. The strings "${Port}" and "${MAC}" will be substituted for the port and MAC address of the endpoint to be re-authenticated.
  • Page 98: Hp Procurve Wesm

    System Configuration NOTE Click revert to defaults to restore the default settings. HP ProCurve WESM To add an HP ProCurve WESM device: Sentriant AG home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device Figure 40: Add HP ProCurve WESM Device Window 1 Enter the IP address of the HP ProCurve WESM device in the IP address text field.
  • Page 99 System Configuration 8 Select the type of the re-authentication OID from the OID type drop-down list: ■ INTEGER ■ unsigned INTEGER ■ TIMETICKS ■ IPADDRESS ■ OBJID ■ STRING ■ HEX STRING ■ DECIMAL STRING ■ BITS ■ NULLOBJ 9 Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field.
  • Page 100: Hp Procurve 420 Ap Or Hp Procurve 530 Ap

    System Configuration HP ProCurve 420 AP or HP ProCurve 530 AP To add an HP ProCurve 420 AP or HP ProCurve 530 AP device: Sentriant AG home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device Figure 41: Add HP ProCurve 420/530 AP Device Window 1 Enter the IP address of the HP ProCurve AP or HP ProCurve 530 AP device in the IP address text field.
  • Page 101 System Configuration 8 Select the type of the re-authentication OID from the OID type drop-down list: ■ INTEGER ■ unsigned INTEGER ■ TIMETICKS ■ IPADDRESS ■ OBJID ■ STRING ■ HEX STRING ■ DECIMAL STRING ■ BITS ■ NULLOBJ 9 Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field.
  • Page 102: Nortel

    System Configuration Nortel To add a Nortel device: Sentriant AG home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device Figure 42: Add Nortel Device Window 1 Enter the IP address of the Nortel device in the IP address text field. 2 Enter a shared secret in the Shared secret text field.
  • Page 103 System Configuration 10 Enter the Enable mode user name. 11 Enter the password with which to enter enable mode. 12 Re-enter the enable mode password. 13 Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet/SSH console can remain idle or unused before it is reset.
  • Page 104: Other

    System Configuration Other To add a non-listed 802.1X device: Sentriant AG home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device Figure 43: Add Other Device Window 1 Enter the IP address of the new device in the IP address text field. 2 Enter a shared secret in the Shared secret text field.
  • Page 105 System Configuration 9 Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet/SSH console can remain idle or unused before it is reset. 10 Select the Show scripts plus symbol to show the following scripts: NOTE You must enter the script contents yourself for the 802.1X device you are adding.
  • Page 106: Setting Dhcp Enforcement

    System Configuration Setting DHCP Enforcement NOTE See “Configuring Windows Update Service for XP SP2” on page 225 for information on using Windows Update Service for devices in quarantine. To set DHCP enforcement: Sentriant AG Home window>>System configuration>>Quarantining>>DHCP quarantine method radio button Figure 44: DHCP Enforcement Window 1 Select one of the following radio buttons:...
  • Page 107: Adding A Dhcp Quarantine Area

    Construction of the DHCP relay packet's source IP address is vendor-dependent. Some implementations (for example, Extreme) use the IP address of the interface closest to the DHCP server as the source IP for DHCP forwarding, which means the resultant packet may not have a source IP that corresponds to those used on the endpoint's physical subnet.
  • Page 108 System Configuration NOTE The quarantine area subnet(s) and non-quarantined subnet(s) should be entered using Classless Inter-Domain Routing (CIDR) notation (see “Entering Networks Using CIDR Format” on page 299). 2 Choose a DHCP quarantine option: ■ Static routes assigned on the endpoint—This option restricts the network access of non-...
  • Page 109: Sorting The Dhcp Quarantine Area

    System Configuration Sorting the DHCP Quarantine Area To sort the quarantine area: Sentriant AG Home window>>System configuration>>Quarantining>>DHCP radio button 1 Click one of the following column headings to sort the quarantine area by category: ■ subnet ■ dhcp ip range...
  • Page 110: Deleting A Dhcp Quarantine Area

    System Configuration Deleting a DHCP Quarantine Area To delete a DHCP quarantine area: Sentriant AG Home window>>System configuration>>Quarantining 1 Click delete next to the quarantine area you want to remove. The Delete quarantine area confirmation window appears. 2 Click yes. Maintenance The Maintenance window allows you to back up the MS database, properties files, keystore files, and subscription files in a file with the following name:...
  • Page 111: Initiating A New Backup

    System Configuration The following files are backed up: ● Database ● /usr/local/nac/properties directory ● /usr/local/nac/keystore directory ● /usr/local/nac/subscription directory Initiating a New Backup To initiate a new backup: Sentriant AG Home window>>System configuration>>Maintenance Figure 47: System Configuration Window, Maintenance 1 Click begin backup now in the Backup area. The Operation in progress confirmation window appears.
  • Page 112: Restoring From A Backup

    System Configuration 3 The System backup completed successfully message appears at the top of the System configuration window: Figure 48: Backup Successful Message Restoring From a Backup See “Restoring from Backup” on page 300 for information about restoring from a backup file. Downloading Support Packages Support packages are useful when debugging your system with the Technical Assistance Center (TAC).
  • Page 113: Testing Methods

    System Configuration Testing Methods The Testing methods menu option allows you to configure the following: ● Select testing methods ● Define the order in which the test method screens appear to the end-user ● Select end-user options Selecting Test Methods To select test methods: Sentriant AG Home window>>System configuration>>Testing methods Figure 49: System Configuration Window, Testing Methods 1 Select one or more of the following...
  • Page 114: Ordering Test Methods

    System Configuration Ordering Test Methods The Sentriant AG backend attempts to test an endpoint transparently in the following order: 1 Sentriant AG tries to test with the agent-based test method. 2 If no agent is available, Sentriant AG tries to test with the ActiveX test method. 3 If ActiveX is not available and if credentials for the endpoint or domain exist, Sentriant AG tries to test with the agentless test method.
  • Page 115: Selecting End-User Options

    System Configuration Selecting End-user Options To select end-user options: Sentriant AG Home window>>System configuration>>Testing methods 1 Select one or more of the following options: ■ Allow end-users to have their administrator login information saved for future access (Agentless testing method only)—This option allows the end-users to elect to save their login credentials so they do not have to enter them each time they connect.
  • Page 116: Table 7: Accessible Services And Endpoints Tips

    System Configuration 1 Enter one or more Web sites, host names, IP addresses, ports, endpoints, or networks that are accessible to connecting endpoints when they fail their compliance tests. You can enter these endpoints and services in the following formats, separated by a carriage return. Enter a range of IPs with a dash (-) between the IPs, or use CIDR addresses.
  • Page 117 System Configuration Table 7: Accessible Services and Endpoints Tips. Topic: DHCP server and Domain controller. Tip: In DHCP mode, when your DHCP server and Domain Controller are behind Sentriant AG, you must specify ports 88, 135 to 159, 389, 1025, 1026, and 3268 as part of the address.
  • Page 118: Exceptions

    System Configuration Exceptions The Exceptions menu option allows you to define the following: ● The endpoints and domains that are always allowed access ● The endpoints and domains that are always quarantined Always Granting Access to Endpoints and Domains To always grant access to endpoints and domains: Sentriant AG Home window>>System configuration>>Exceptions Figure 51: System Configuration, Exceptions 1 To exempt endpoints from testing, in the Always grant access and never test area, enter the...
  • Page 119: Always Quarantine Endpoints And Domains

    System Configuration Always Quarantine Endpoints and Domains To always quarantine endpoints and domains: Sentriant AG Home window>>System configuration>>Exceptions 1 To always quarantine endpoint(s) when testing, in the Always quarantine and never test area, enter the endpoint(s) by MAC or IP address, or NetBIOS name. 2 To always quarantine domain(s) when testing, in the Always quarantine and never test area, enter the domain(s).
  • Page 120: Enabling Notifications

    System Configuration Enabling Notifications To enable email notifications: Sentriant AG Home window>>System configuration>>Notifications Figure 52: System Configuration, Notifications 1 To send email notifications, you must provide Sentriant AG with the IP address of a Simple Mail Transfer Protocol (SMTP) email server. This SMTP email server must allow SMTP messages from the Sentriant AG machine.
  • Page 121: End-User Screens

    System Configuration To disable email notifications: Sentriant AG Home window>>System configuration 1 Select a cluster. The Enforcement cluster window appears. 2 Select the Notifications menu item. 3 Select the For this cluster, override the default settings check box. 4 Select Do not send email notifications. 5 Click ok.
  • Page 122: Specifying An End-User Screen Logo

    Organization logo image—Enter a path to your organization’s logo, or click Browse to select a file on your network. Extreme Networks, Inc. recommends you place your logo here to help end-users feel secure about having their computers tested. The logo should be no larger than 450x50 pixels.
  • Page 123: Specifying The End-User Screen Text

    Footer (most screens)—Enter the text for the footer that appears on most of the end-user windows. Extreme Networks, Inc. recommends that this text include a way for end-users to contact you if they need further assistance. You can format the text in this field with HTML characters.
  • Page 124: Agentless Credentials

    System Configuration NOTE You can verify your changes to the end-user access screens immediately by pointing a browser window to port 88 of your Sentriant AG installation. For example, if the IP address of your Sentriant AG installation is 10.0.16.18, point the browser window to: http://10.0.16.18:88 3 Click ok.
  • Page 125: Adding Windows Credentials

    System Configuration Adding Windows Credentials To add Windows credentials: Sentriant AG Home window>>System configuration>>Agentless credentials Figure 54: System Configuration Window, Agentless Credentials...
  • Page 126: Testing Windows Credentials

    System Configuration 1 Click Add administrator credentials. The Add Windows administrator credentials window appears: Figure 55: Agentless Credentials, Add Windows Administrator Credentials Window 2 In the Add Windows administrator credentials window, enter the following: Windows domain name—Enter the domain name of the Windows machine, for example: ■...
  • Page 127: Editing Windows Credentials

    System Configuration NOTE Sentriant AG saves authentication information encrypted on the Sentriant AG server. When a user connects with the same browser, Sentriant AG looks up this information and uses it for testing. NOTE When using the Windows administrator account connection method, Sentriant AG performs some user-based tests with the administrator account's user registry settings, rather than those of the actual user logged into the endpoint.
  • Page 128: Logging

    System Configuration Logging Setting ES Logging Levels You can configure the amount of diagnostic information written to log files, ranging from error (error-level messages only) to trace (everything). To set ES logging levels: Sentriant AG home window>>System configuration>>Logging Figure 56: System Configuration Window, Logging Option...
  • Page 129: Setting 802.1X Devices Logging Levels

    System Configuration 1 To configure the amount of diagnostic information written to log files, select a logging level from the Enforcement servers drop-down list: ■ error—log error-level messages only ■ warn—log warning-level and above messages only ■ info—log info-level messages and above only...
  • Page 130: Advanced Settings

    System Configuration Advanced Settings This section describes setting the timeout periods. Endpoint detection is described in “Working with Ranges” on page 328. Setting the Agent Read Timeout To set the Agent read timeout period: Sentriant AG home window>>System configuration>>Advanced Figure 57: System Configuration Window, Advanced Option 1 Enter a number of seconds in the Agent read timeout period text field.
  • Page 131: Setting The Rpc Connection Timeout

    System Configuration Setting the RPC Connection Timeout To set the RPC connection timeout period: Sentriant AG home window>>System configuration>>Advanced 1 Enter a number of seconds in the RPC connection timeout period text field. The RPC connection timeout is the time in seconds that Sentriant AG waits on a connection to the RPC port. Use a larger number for systems with network latency issues.
  • Page 133: Chapter 4: Endpoint Activity

    Endpoint Activity Use the Endpoint activity window to monitor end-user connection activity. Sentriant AG Home window>>Endpoint activity The Endpoint activity window has the following sections: ● Endpoint selection area—The left column of the window provides links that allow you to quickly...
  • Page 134: Filtering The Endpoint Activity Window

    Endpoint Activity Filtering the Endpoint Activity Window You can modify the results shown in the Endpoint activity window to include activity for the following: ● Access control status ● Endpoint test status ● Configurable time frame ● Cluster ● NetBIOS name...
  • Page 135: Filtering By Access Control Or Test Status

    Endpoint Activity Filtering by Access Control or Test Status Sentriant AG Home window>>Endpoint activity window Select a method for filtering the results window, either by a specific access control status or by endpoint test status, as shown in the following figure: Figure 59: Endpoint Activity, Menu Options...
  • Page 136: Filtering By Time

    Endpoint Activity Filtering by Time To filter the information displayed: Sentriant AG Home window>>Endpoint Activity Figure 60: View Activity for the Last Drop-down List The View activity for the last drop-down list is a high-level filter that drives all the information displayed.
  • Page 137: Searching

    Endpoint Activity Searching To search the Endpoint activity window: Sentriant AG Home window>>Endpoint activity>>Search criteria area Figure 63: Search Criteria Window 1 Select a Cluster or NAC policy from the drop-down lists and enter any text string you want to search for in one of the text boxes (you can leave these blank).
  • Page 138: Access Control States

    ● Error—This is most likely a problem that cannot be resolved without contacting Extreme Networks, Inc. Try to force a retest from the Sentriant AG console. If that does not work, call Extreme Networks, Inc. Technical Assistance Center (TAC) and be prepared to generate a support package (see “Generating a Support Package”...
  • Page 139: Test Status States

    “Viewing Endpoint Access Status” on page 141. ● Unknown error—This is most likely a problem that cannot be resolved without contacting Extreme Networks, Inc. Try to force a retest from the Sentriant AG console. If that does not work, call Extreme Networks, Inc.
  • Page 140 Endpoint Activity ● Installing test service—Sentriant AG shows this status briefly while the agent is being installed. ● Install canceled—Sentriant AG shows this status when the end-user has cancelled the installation of the agent. ● Testing (installed test)—Sentriant AG shows this status briefly while the endpoint is being tested by...
  • Page 141: Viewing Endpoint Access Status

    Endpoint Activity ● Test failed - insufficient test privileges—The credentials Sentriant AG used to test the endpoint do not have sufficient privileges to read the registry or enumerate the services. An easy way to debug this is to run regedit and connect to the remote endpoint using the same admin credentials supplied to Sentriant AG.
  • Page 142: Selecting Endpoints To Act On

    Endpoint Activity NOTE If an endpoint is seen by two different clusters, the endpoint state can get lost. This could happen, for example, if you had a Training cluster and an Engineering cluster and a laptop that was connected in the Engineering cluster attempted to connect by way of the Training cluster.
  • Page 143: Immediately Grant Access To An Endpoint

    Endpoint Activity Immediately Grant Access to an Endpoint To immediately grant access to an endpoint: Sentriant AG Home window>>Endpoint activity 1 Select a box or boxes to select the endpoints of interest. 2 Click change access. 3 Select the Temporarily grant access for radio button. 4 Select minutes, hours, or days from the drop-down list.
  • Page 144: Clearing Temporary Endpoint States

    Endpoint Activity Clearing Temporary Endpoint States Endpoints can have a temporary state designated through the Quarantine for or Allow access for radio buttons. This state is indicated with the words “by admin” in parentheses in the access states column. To clear a temporary state set by the admin: Sentriant AG Home window>>Endpoint activity 1 Select a box or boxes to select the endpoints of interest.
  • Page 145: Figure 66: Endpoint Activity, Endpoint Test Results Option

    Endpoint Activity 2 Click Test results to view the details of the test: Figure 66: Endpoint Activity, Endpoint Test Results Option NOTE Click on any underlined link (for example, change access) to make changes such as changing access or test credentials.
  • Page 147: Chapter 5: End-User Access

    End-user Access End-users can connect to your network from a number of different types of computers (see “Endpoints Supported” on page 147), be tested for compliance based on your definitions in the standard (high, medium, or low security) or custom NAC policies (see “NAC Policies” on page 185), and are allowed or denied access based on test results and your quarantine settings (see “Quarantining”...
  • Page 148: Browser Settings

    End-user Access Browser Settings If the end-user has their IE Internet security zone set to High, the endpoint is not testable. Using one of the following options will allow the endpoint to be tested: ● The end-user could change the Internet security to Medium (Tools>>Internet...
  • Page 149: Ports Used For Testing

    End-user Access 3 Select Properties. The Local area connection properties window appears: Figure 67: Local Area Connection Properties Window 4 On the General tab, in the This connection uses the following area, verify that File and Printer sharing is listed and that the check box is selected. 5 Click OK.
  • Page 150: Managed Endpoints

    End-user Access Managed Endpoints Typically, a managed endpoint’s firewall is controlled with the Domain Group Policy for Windows, or a central policy manager for other firewalls. In this case, the network administrator opens up the agent port or agentless ports only to the Sentriant AG server using the centralized policy. If the Domain Group Policy is not used for Windows endpoints, the appropriate ports are opened during the agent installation process by the Sentriant AG installer.
  • Page 151 End-user Access 5 In the Service Settings window, enter the following information: Description: Sentriant AG Server 138 IP: <IP of the Sentriant AG Server> External port number: 138 Select UDP. 6 Click OK. 7 Click Add. 8 In the Service Settings window, enter the following information: Description: Sentriant AG Server 139 IP: <IP of the Sentriant AG Server>...
  • Page 152 End-user Access The following method is an alternate method: To configure the Windows XP Professional firewall to allow the RPC service to connect: Windows>>Start>>Settings>>Control Panel>>Windows Firewall>>Exceptions tab 1 Select File and Print Sharing. (Verify that the check box is also selected.) 2 Click Edit.
  • Page 153: Allowing Sentriant Ag Through The Os X Firewall

    End-user Access NOTE You can add more security by specifying the endpoints allowed for File and Print Sharing as follows: Select File and Print Sharing, Click Edit, Select Change Scope, and select either My Network or Custom List (and then specify the endpoints). Allowing Sentriant AG through the OS X Firewall To verify that Sentriant AG can test the end-user through the end-user’s firewall: Apple Menu>>System Preferences...
  • Page 154: Figure 69: Mac Sharing Window

    End-user Access 1 Select the Sharing icon. The Sharing window opens. Figure 69: Mac Sharing Window 2 Select the Firewall tab. 3 The firewall settings must be one of the following: ■ On with the following: ■ OS X NAC Agent check box selected ●...
  • Page 155: End-User Access Windows

    /usr/local/nac/webapps/HoldingArea There are two ways you can edit the Sentriant AG end-user access templates outside of the Extreme Networks, Inc. console configuration window: ● UNIX command line and vi text editor—Connect to the Sentriant AG server using SSH, then edit...
  • Page 156: Opening Window

    End-user Access NOTE Upgrading the Sentriant AG software does not overwrite your template changes. Your updated templates are preserved. CAUTION Do not rename the files or they will not be seen by Sentriant AG. End-users begin the login process by opening their browser. If their home page is defined on the Accessible services window, they are allowed to access that page.
  • Page 157: Windows Nac Agent Test Windows

    End-user Access Windows NAC Agent Test Windows Automatically Installing the Windows Agent When the test method used is NAC Agent test, the first time the user attempts to connect, the agent installation process should begin automatically, and the installing window appears: Figure 72: End-user Installing Window NOTE The end-user can also manually install the agent as described in “Manually Installing the Windows Agent”...
  • Page 158: Figure 73: End-User Agent Installation Failed

    End-user Access If Active Content is disabled in the browser, the following error window appears: Figure 73: End-user Agent Installation Failed NOTE To enable active content, see the instructions in the Installation Guide, in the “Important Browser settings, Active Content” section. If this is the first time the end-user has selected NAC Agent test, a security acceptance window appears.
  • Page 159: Figure 74: End-User Agent Installation Window (Start)

    End-user Access Once the user has accepted the digital signature, the agent installation begins. The user must click Next to start the agent installation: Figure 74: End-user Agent Installation Window (Start) The user must click Finish to complete the agent installation and begin testing: Figure 75: End-user Agent Installation Window (Finish) As soon as the installation is complete, the endpoint is tested.
  • Page 160: Removing The Agent

    End-user Access Removing the Agent To remove the agent: Start button>>Settings>>Control panel>>Add/remove programs Figure 76: Add/Remove Programs 1 Find the Sentriant AG Agent in the list of installed programs. 2 Click Remove. NOTE The Sentriant AG Agent also appears in the services list: Start button>>Settings>>Control panel>>Administrative tools>>Services Manually Installing the Windows Agent To manually install the agent (using Internet Explorer):...
  • Page 161: How To View The Windows Agent Version Installed

    How to View the Windows Agent Version Installed To see what version of the agent the endpoint is running: Command line window on the endpoint 1 Change the working directory to the following: C:\Program Files\Extreme\Sentriant AG Agent Sentriant AG Users’ Guide, Version 5.0...
  • Page 162: Mac Os Agent Test Windows

    End-user Access 2 Enter the following command: SAService version The version number is returned. For example: 4,0,0,567 Mac OS Agent Test Windows When the test method selected is agent-based, the first time the end-user logs in to their Macintosh computer and opens a browser window, Sentriant AG attempts to test the endpoint. If the agent is required, they receive the Installation Failed window shown in Figure Installing the Mac OS Agent...
  • Page 163: Figure 80: Mac Os Installer Window 1 Of 5

    End-user Access 4 Click Continue. The installer appears: Figure 80: Mac OS Installer Window 1 of 5 5 Click Continue. The Select a Destination window appears: Figure 81: Mac OS Installer Window 2 of 5 Sentriant AG Users’ Guide, Version 5.0...
  • Page 164: Figure 82: Mac Os Installer Window 3 Of 5

    End-user Access 6 Click Continue. The Easy Install window appears: Figure 82: Mac OS Installer Window 3 of 5 7 Click Install. The Authenticate window appears: Figure 83: Mac OS Installer Window 4 of 5 Sentriant AG Users’ Guide, Version 5.0...
  • Page 165: Figure 84: Mac Os Installer Window 5 Of 5

    End-user Access 8 Enter your password. Click OK. The agent is installed and the confirmation window appears: Figure 84: Mac OS Installer Window 5 of 5 9 Click Close. Sentriant AG Users’ Guide, Version 5.0...
  • Page 166: Verifying The Mac Os Agent

    End-user Access Verifying the Mac OS Agent To verify that the Mac OS agent is running properly: Double-click Desktop icon>>Applications folder>>Utilities folder Figure 85: Applications Window, Utilities Folder Sentriant AG Users’ Guide, Version 5.0...
  • Page 167: Figure 86: Activity Monitor Window

    End-user Access 1 Double-click Activity Monitor. The Activity Monitor window appears: Figure 86: Activity Monitor Window 2 Verify that the osxnactunnel process is running. Sentriant AG Users’ Guide, Version 5.0...
  • Page 168: Figure 87: Mac Terminal Window

    End-user Access 3 If the osxnactunnel process is not running, start it by performing the following steps: a Select Applications window>>Utilities>>Mac OS X Terminal. A terminal window opens: Figure 87: Mac Terminal Window b Enter the following at the command line: OSXNACAgent -v The build and version number are returned.
  • Page 169: Removing The Mac Os Agent

    End-user Access Removing the Mac OS Agent To remove the Mac OS agent: Double-click Desktop icon>>Applications folder>>Utilities folder 1 Select Mac OS X Terminal. A terminal window opens (Figure 87). 2 Enter the following at the command line: remove_osxnacagent 3 Remove the firewall entry: a Select Apple Menu>>System Preferences>>Sharing>>Firewall tab.
  • Page 170: Activex Test Windows

    End-user Access ActiveX Test Windows For the ActiveX test, the Testing window appears (see “Testing Window” on page 173) and an ActiveX component is downloaded. If there is an error running the ActiveX component, an error window appears: Figure 88: End-user ActiveX Plug-in Failed Window NOTE To enable active content, see the instructions in the Installation Guide, in the “Important Browser settings, Active Content”...
  • Page 171: Figure 89: End-User Login Credentials Window

    End-user Access NOTE Sentriant AG uses the Windows Messenger Service when using agentless testing. If you have disabled this service (http://www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx), agentless testing will not work. NOTE If the end-user has not defined a login/password combination, the default login is usually administrator with a blank password.
  • Page 172: Figure 90: End-User Login Failed

    End-user Access If the end-users do not enter the correct information in the login window fields, a login failure window appears: Figure 90: End-user Login Failed NOTE You can customize the logo and contact paragraph that appear on this window. See “Customizing Error Messages” on page 177 for more details.
  • Page 173: Testing Window

    End-user Access Testing Window The following figure shows the window that appears during the testing process: Figure 91: End-user Testing Window The possible outcomes from the test are as follows: Test successful window (see “Test Successful Window” on page 173) ●...
  • Page 174: Temporary Quarantine Window

    End-user Access Temporary Quarantine Window When the end-users meet the test criteria defined in the NAC policy, but the Sentriant AG Quarantine all setting is enabled, the quarantine window appears: Figure 93: Temporary Quarantine Window NOTE You can customize the logo and contact paragraph that appear on this window. See “Customizing Error Messages” on page 177 for more details.
  • Page 175: Testing Cancelled Window

    End-user Access Testing Cancelled Window If the Allow end users to cancel testing option on the System configuration>>Testing methods window is selected, the end-user has the option of clicking Cancel testing. If the end-users click Cancel testing, a window appears indicating that testing is cancelled: Figure 94: End-user Testing Cancelled Window Testing Failed Window When the end-user’s endpoints fail to meet the test criteria defined in the NAC policy, the end-users are...
  • Page 176: Setting The Temporary Access Period

    End-user Access NOTE You can elect to allow access to specific services and endpoints by including them in the Accessible services and endpoints area of the System configuration>>Accessible services window (see “Accessible Services” on page 115). NOTE You can customize the logo and contact paragraph that appear on this window. See “Customizing Error Messages” on page 177 for more details.
  • Page 177: Error Windows

    End-user Access 2 Click OK. Error Windows End-users might see any of the following error windows: Unsupported endpoint ● Unknown error ● The following figure shows an example of an error window: Figure 97: End-user Error Window Customizing Error Messages The default error message strings (remediation messages) are defined in the following file: /usr/local/nac/scripts/BaseClasses/Strings.py You can create custom error message strings that appear in the test result reports, and on the test results...
  • Page 178 End-user Access To customize the error messages: 1 Create a file using a text editor, and name it as follows: /usr/local/nac/scripts/BaseClasses/CustomStrings.py using the following format:

        class CustomStrings:
            stringTable = {
                "name1" : "message1",
                "name2" : "message2",
            }

    Where: The name value matches the name of the test (see Table 8 on page 179).
  • Page 179: Table 8: Default Test Names And Descriptions

    End-user Access Table 8: Default Test Names and Descriptions (Test name: Description)
    checkAntiVirusUpdates.String.1: The required anti-virus software was not found. Install anti-virus software and keep the virus definitions up-to-date. Supported Anti Virus software: %s
    checkAntiVirusUpdates.String.2: %s is installed but the service is not running and the virus signatures are not up-to-date (installed: %s required: %s).
    checkAntiVirusUpdates.String.3...
  • Page 180 End-user Access Table 8: Default Test Names and Descriptions (continued) Test name Description checkHotFixes.String.4 The %s installed are not current. Run Windows Update to install the most recent service packs and hotfixes. The missing hotfixes are: %s. You may need to run Windows Update multiple times to install all the hotfixes.
  • Page 181 End-user Access Table 8: Default Test Names and Descriptions (continued) Test name Description checkMicrosoftOfficeMacroSecurityLevel.String.6 The Microsoft %s macro security level setting must be set to %s or above. To change the security level, open %s and do the following: Select \'Options...\' under the \'Tools\' menu.
  • Page 182 End-user Access Table 8: Default Test Names and Descriptions (continued) Test name Description checkServicesRequired.String.2 The following required services were not found: %s. Start the service by selecting Control Panel>>Administrative Tools>>Services application>>right-click on the service and select properties. Change the startup type to automatic and click start.
  • Page 183 End-user Access Table 8: Default Test Names and Descriptions (continued) (Test name: Description)
    checkWindowsStartupRegistryEntriesAllowed.String: All Windows startup registry entries are acceptable.
    checkWindowsStartupRegistryEntriesAllowed.String: The following Windows startup registry entries are not allowed in the HKEY_LOCAL_MACHINE>>Software>>Microsoft>> Windows Run and RunOnce registry keys: %s. Contact your network administrator for removal of these items from the registry.
    checkWormsVirusesAndTrojans.String.1...
  • Page 185: Chapter 6: Nac Policies

    NAC Policies NAC policies are collections of tests that evaluate remote endpoints attempting to connect to your network. You can use the standard tests installed with Sentriant AG, or you can create your own custom tests. NOTE The default NAC policy is indicated by the check mark on the icon to the left of the NAC policy name. See “Selecting the Default NAC Policy”...
  • Page 186: Standard Nac Policies

    NAC Policies The following figure shows the legend explaining the NAC policies icons: Figure 99: NAC Policies Window Legend Standard NAC Policies Sentriant AG ships with three standard NAC policies: High security ● Low security ● Medium security ● NAC policies are organized in groups, which include the clusters defined for your system, a Default group, and any other groups you create.
  • Page 187: Editing A Nac Policy Group

    NAC Policies 1 Click Add an NAC policy group. The Add NAC policy group window opens: Figure 100: Add NAC Policy Group Window 2 Type a name for the group in the Name of NAC policy group text box. 3 Optional: Select the check box next to any NAC policy to move to this group. 4 Optional: Select the check box next to any cluster to move to this group.
  • Page 188: Deleting A Nac Policy Group

    NAC Policies 2 Make any changes required. See “Add a NAC Policy Group” on page 186 for details on NAC policy group options. 3 Click OK to save or Cancel to return without saving. Deleting a NAC Policy Group To delete a NAC policy group: Sentriant AG home window>>NAC policies NOTE You cannot delete a NAC policy group if any clusters are using it;...
  • Page 189: Creating A New Nac Policy

    NAC Policies Click on the up or down arrow to move the NAC policy. The default NAC policy is the one toward the bottom of the list with the highest selection number as shown in the following figure: Figure 102: Default NAC Policy Creating a New NAC Policy Create custom policies that are based on existing policies, or create new policies from scratch.
  • Page 190 NAC Policies 2 Enter a policy name. 3 Enter a description in the Description text box. 4 Select a NAC policy group. 5 Select either the enabled radio button or the disabled radio button. 6 Select the Operating systems that will not be tested but are allowed network access. Windows Vista Windows ME or Windows 95 ■...
  • Page 191: Figure 104:Add An Nac Policy, Domains And Endpoints Window

    NAC Policies 9 Click the Domains and endpoints menu option to open the Domains and endpoints window, shown in the following figure: Figure 104: Add an NAC Policy, Domains and Endpoints Window 10 Click on a cluster name. 11 Enter the names of Windows domains to be tested by this cluster for this NAC policy, separated by a carriage return.
  • Page 192: Figure 105:Add Nac Policy, Tests Area

    NAC Policies 13 Click the Tests menu option to open the Tests window: Figure 105: Add NAC Policy, Tests Area NOTE The icons to the right of the tests indicate the test failure actions. See “Test Icons” on page 200. 14 Select a test to include in the NAC policy by clicking on the check box next to the test name.
  • Page 193: Editing A Nac Policy

    NAC Policies 15 Select a test by clicking on the test name to view the properties. For more information about test properties, see “Selecting Test Properties” on page 198. 16 Select the test properties for this test. For more information about the specific tests, see “Tests Help” on page 337.
  • Page 194: Deleting A Nac Policy

    NAC Policies Deleting a NAC Policy To delete an existing NAC policy: Sentriant AG Home window>>NAC policies 1 Click the delete link to the right of the NAC policy you want to delete. A confirmation window appears. 2 Click yes. Moving a NAC Policy Between NAC Policy Groups To move a NAC policy between NAC policy groups: Sentriant AG Home window>>NAC policies...
  • Page 195: Nac Policy Hierarchy

    NAC Policies NAC Policy Hierarchy If an endpoint is listed in more than one NAC policy, the order of use is alphabetical by name of NAC policy (not including the default NAC policy). Setting Retest Time Retest endpoints connected to your network frequently to guard against potential changes in the remote endpoint configurations.
  • Page 196: Defining Non-Supported Os Access Settings

    NAC Policies Defining Non-supported OS Access Settings To define what actions to take for endpoints with non-supported operating systems: Main Sentriant AG window>>NAC policies>>Select a NAC Policy>>Basic settings area 1 In the Operating systems area, select the check box beside any operating system that you will allow network access without testing.
  • Page 197: Selecting Action Taken

    NAC Policies Selecting Action Taken Actions can be passive (send an email), active (quarantine) or a combination of both. To select the action to take: Sentriant AG Home window>>NAC policies>>Select a NAC Policy>>Tests menu option 1 Click on the name of test to display the test’s options. NOTE Click a test name to display the options;...
  • Page 198: Viewing Information About Tests

    NAC Policies Viewing Information About Tests To view the most current list of tests and descriptions: Sentriant AG Home window>>NAC policies>>Select a NAC Policy>>Tests menu option Click on a test name. The test description and selectable properties are shown for the selected test. If the icons (Figure 106 on page 200) are red, the test is enabled and the actions selected will take effect...
  • Page 199: Entering Service Names Required/Not Allowed

    NAC Policies 5 Expand the Software key. 6 View the sub-trees for the various vendors' software and versions. NOTE If you’re looking for a registry key, you enter a trailing slash. If you’re looking for a registry value, you do not enter a trailing slash.
  • Page 200: Test Icons

    NAC Policies 3 For Internet Explorer on Windows 2000: a Clear the Check For Internet Explorer for Windows 2000 [6.0.2800.1106] check box. b Type a version number in the text entry field. Test Icons The NAC policy tests show icons that represent the test failure action selected as shown in the following figure: Figure 106: NAC Policy Test Icons Sentriant AG Users’...
  • Page 201: Chapter 7: Quarantined Networks

    Quarantined Networks This chapter describes the following general Sentriant AG quarantine information: “Endpoint Quarantine Precedence” on page 201 ● “Using Ports in Accessible Services and Endpoints” on page 203 ● “Determining Accessible Services Example” on page 204 ● “Always Granting Access to an Endpoint” on page 210 ●...
  • Page 202 Quarantined Networks The following describes the process in more detail: Access mode (1) overrides the items below it in the previous list (2, 3, and 4). Use the Access mode ● radio buttons (System monitor>>select a cluster) to act globally on all endpoints in an Enforcement cluster.
  • Page 203: Using Ports In Accessible Services And Endpoints

    Quarantined Networks Using Ports in Accessible Services and Endpoints To use a port number when specifying accessible services and endpoints (cluster default): Sentriant AG Home window>>System configuration>>Accessible services The following figure shows the Accessible services window: Figure 107: Accessible Services Window In order to grant access for quarantined endpoints to needed services, add entries to the Accessible services list.
  • Page 204: Determining Accessible Services Example

    Quarantined Networks NOTE Enter a range of ports as follows: 10.0.16.100:53:65 Determining Accessible Services Example Determining which services to add in the Accessible services area can be tricky. This section details the steps used to determine all of the accessible services required to allow a quarantined endpoint to access the Windows Update service and retrieve the required service packs and/or hotfixes.
  • Page 205: Figure 108:Clear Temporary Files Window

    Quarantined Networks 6 Navigate to the Accessible services window (System configuration>>Accessible services). 7 Add microsoft.com to the accessible services and endpoints list. 8 Click OK. 9 On the endpoint, clear the temporary files. For Internet Explorer, select Tools>>Internet Options>>Delete Files as shown in the following figure. Figure 108: Clear Temporary Files Window 10 Repeat step 3...
  • Page 206: Figure 109:Final List Of Accessible Services Example

    Quarantined Networks The final list of accessible services for this example is shown in the following figure. Figure 109: Final List of Accessible Services Example The complete results for this example are shown below: tcpdump tcpdump -i eth0 -s0 -w /tmp/dns.pcap port 53 and host 172.21.20.20 waldo:~ # tcpdump -i eth0 -s0 port 53 and host 172.21.20.20 tcpdump: WARNING: eth0: no IPv4 address assigned...
  • Page 207 Quarantined Networks 16:23:56.245644 IP SA00.domain > 172.21.20.20.2586: 55115 2/7/7 CNAME windowsupdate.microsoft.nsatc.net., A 207.46.225.221 (353) 16:23:56.981306 IP 172.21.20.20.2586 > SA00.domain: 34378+ A? update.microsoft.com. (38) 16:23:56.981667 IP SA00.domain > 172.21.20.20.2586: 34378 NXDomain* 0/1/0 (89) 16:25:03.645582 IP 172.21.20.20.2586 > SA00.domain: 12872+ A? windowsupdate.microsoft.com. (45) 16:25:03.646869 IP SA00.domain >...
  • Page 208 Quarantined Networks 16:27:09.137238 IP SA00.domain > 172.21.20.20.2586: 5201* 1/1/1 A SA00 (100) 16:27:09.172260 IP 172.21.20.20.2586 > SA00.domain: 27984+ A? download.microsoft.com. (40) 16:27:09.172793 IP SA00.domain > 172.21.20.20.2586: 27984 2/1/1 CNAME main.dl.ms.akadns.net., A SA00 (131) 16:27:09.991527 IP 172.21.20.20.2586 > SA00.domain: 5968+ A? c.microsoft.com. (33) 16:27:09.992035 IP SA00.domain >...
  • Page 209 Quarantined Networks 16:29:56.590312 IP 172.21.20.20.2586 > SA00.domain: 3934+ A? download.microsoft.com. (40) 16:29:56.715218 IP SA00.domain > 172.21.20.20.2586: 3934 4/1/1 CNAME main.dl.ms.akadns.net., CNAME dom.dl.ms.akadns.net., CNAME dl.ms.d4p.net., A SA00 (173) 16:29:57.402083 IP 172.21.20.20.2586 > SA00.domain: 25181+ A? c.microsoft.com. (33) 16:29:57.403740 IP SA00.domain > 172.21.20.20.2586: 25181 2/1/1 CNAME c.microsoft.akadns.net., A 64.4.52.124 (129) 16:29:57.594467 IP 172.21.20.20.2586 >...
  • Page 210: Always Granting Access To An Endpoint

    Quarantined Networks 16:37:40.332613 IP SA00.domain > 172.21.20.20.1045: 28344 6/1/1 CNAME main.dl.wu.akadns.net., CNAME dom.dl.wu.akadns.net., CNAME dl.wu.ms.edgesuite.net., CNAME a258.g.akamai.net., A 89.149.169.57, A 89.149.169.66 (234) 16:37:40.332723 IP SA00.domain > 172.21.20.20.1045: 28344 6/1/1 CNAME main.dl.wu.akadns.net., CNAME dom.dl.wu.akadns.net., CNAME dl.wu.ms.edgesuite.net., CNAME a258.g.akamai.net., A 89.149.169.57, A 89.149.169.66 (234) 16:37:40.332837 IP SA00.domain >...
  • Page 211: Always Quarantining An Endpoint

    Quarantined Networks 1 In the Always grant access and never test area: a In the Endpoints area, enter one or more MAC addresses, IP addresses, or NetBIOS names separated by carriage returns. b In the Windows domains area, enter one or more domain names separated by carriage returns. 2 Click OK.
  • Page 212: New Users

    Quarantined Networks New Users The process Sentriant AG follows for allowing end-users to connect is: Inline mode—An IP address is assigned to the endpoint outside of Sentriant AG. When the end-user ● attempts to connect to the network, Sentriant AG either blocks access or allows access by adding the endpoint IP address to the internal firewall.
  • Page 213: Dns/Windows Domain Authentication And Quarantined Endpoints

    Quarantined Networks NOTE It is strongly recommended that if you are going to allow untested endpoints on your network, you set extremely short lease times (use hours rather than days) on your DHCP server. This process results in the following condition for an untested endpoint: When new end-users log in for the first time, are tested, and are allowed access, there is up to a three-minute delay between the time the Sentriant AG server determines that they are allowed access and the point at which they are actually allowed access, potentially causing concern to the end-user.
  • Page 214 Quarantined Networks 5 Ensure that the following ports on the domain controller/active directory (DC/AD) servers are available from quarantine: ■ ■ 135-139 ■ 1025 ■ Sentriant AG will then look up the Kerberos and LDAP services, and resolve those services within its own DNS server used for quarantined devices.
  • Page 215: Chapter 8: High Availability And Load Balancing

    High Availability and Load Balancing High Availability High availability occurs when one or more ESs take over for an ES that has become unavailable in a multiple-server installation. Once an ES becomes unavailable, the other ESs take over enforcement from the ES that is now unavailable.
  • Page 216: Figure 111:Inline Installations

    High Availability and Load Balancing unavailable, the switch reconnects so that there is always a path from the VPN to an ES. All of the ES firewalls continuously stay in sync with each other. Figure 111: Inline Installations Sentriant AG Users’ Guide, Version 5.0...
  • Page 217: Figure 112:Dhcp Installation

    High Availability and Load Balancing Figure 112: DHCP Installation Sentriant AG Users’ Guide, Version 5.0...
  • Page 218: Figure 113:802.1X Installation

    High Availability and Load Balancing Figure 113: 802.1X Installation Sentriant AG Users’ Guide, Version 5.0...
  • Page 219: Load Balancing

    High Availability and Load Balancing Load Balancing Load balancing distributes the testing of endpoints across all Sentriant AG ESs in a cluster. Sentriant AG uses a hashing algorithm based on MAC or IP addresses to divide the endpoints between the ESs. If the MAC address is unavailable (untestable endpoint) the IP address is used to determine which ES should test an endpoint.
  • Page 221: Chapter 9: Inline Quarantine Method

    Inline Quarantine Method Inline is the most basic Sentriant AG installation. When deploying Sentriant AG inline, Sentriant AG monitors and enforces all endpoint traffic. When Sentriant AG is installed in a single-server installation, Sentriant AG becomes a Layer 2 bridge that requires no changes to the network configuration settings.
  • Page 222: Figure 114:Inline Installations

    Inline Quarantine Method Figure 114: Inline Installations NOTE You can install Sentriant AG at any “choke point” in your network; a VPN is not required. Sentriant AG Users’ Guide, Version 5.0...
  • Page 223: Chapter 10: Dhcp Quarantine Method

    DHCP Quarantine Method When configured with a Dynamic Host Configuration Protocol (DHCP) quarantine area, all endpoints requesting a DHCP IP address are issued a temporary address on a quarantine subnetwork. Once the endpoint is allowed access, the IP address is renewed and the main DHCP server assigns an address to the main LAN.
  • Page 224: Configuring Sentriant Ag For Dhcp

    DHCP Quarantine Method Configuring Sentriant AG for DHCP The primary configuration required for using Sentriant AG and DHCP is setting up the quarantine area (see “Setting up a Quarantine Area” on page 224). You should also review the following topics related to quarantining endpoints: Endpoint quarantine precedence (see “Endpoint Quarantine Precedence”...
  • Page 225: Configuring Windows Update Service For Xp Sp2

    DHCP Quarantine Method NOTE Restrict access to and from the quarantined network at the switch level as well. Configuring Windows Update Service for XP SP2 If you plan to use Endpoint Routing Enforcement, note that most endpoints running Windows XP Service Pack 2 cannot run Windows Update successfully from within quarantine, because of a WinHTTP bug that as of this writing has not been fixed (see http://support.microsoft.com/kb/919477/...
  • Page 227: Chapter 11: 802.1X Quarantine Method

    802.1X Quarantine Method About 802.1X 802.1X is a port-based authentication protocol that can dynamically vary encryption keys, and has three components as follows: Supplicant—The client; the endpoint that wants to access the network. ● Authenticator– The access point, such as a switch, that prevents access when authentication fails. ●...
  • Page 228: Sentriant Ag And 802.1X

    802.1X Quarantine Method 7 The AP (authenticator) allows or blocks the client’s (supplicant’s) access to the network by controlling which ports are open or closed. Figure 116: 802.1X Components Sentriant AG and 802.1X When configured as 802.1X-enabled, Sentriant AG can be installed with three different configurations depending on your network environment: Microsoft IAS and Sentriant AG IAS Plug-in ●...
  • Page 229 802.1X Quarantine Method Proxying RADIUS requests to an existing RADIUS server ● With this method, the switch is configured with the Sentriant AG IP address as the RADIUS server host. When the switch performs the RADIUS authentication against the Sentriant AG server, Sentriant AG proxies the request to another RADIUS server.
  • Page 230: Figure 117:Sentriant Ag 802.1X Enforcement

    802.1X Quarantine Method Figure 117: Sentriant AG 802.1X Enforcement Sentriant AG Users’ Guide, Version 5.0...
  • Page 231: Figure 118:802.1X Communications

    802.1X Quarantine Method Figure 118: 802.1X Communications Sentriant AG Users’ Guide, Version 5.0...
  • Page 232: Setting Up The 802.1X Components

    802.1X Quarantine Method Setting up the 802.1X Components In order to use Sentriant AG in an 802.1X environment, Extreme Networks, Inc. recommends configuring your environment first, then installing and configuring Sentriant AG. This section provides instructions for the following: “Setting up the RADIUS Server” on page 232 ●...
  • Page 233: Figure 119:Windows Components Wizard Window

    802.1X Quarantine Method In addition to installing the Windows Server 2003 software, you also need to have a database of users for authentication purposes. The Windows IAS implementation of RADIUS can use the following: Active Directory (recommended) ● A Windows NT domain ●...
  • Page 234: Configuring The Microsoft Ias Radius Server

    802.1X Quarantine Method 4 Click Details. The Networking Services window appears, as shown in the following figure. Figure 120: Networking Services Window 5 Select the check box for Internet Authentication Service and any other Windows Internet Authentication Service (IAS) components you want to install. 6 Click OK.
  • Page 235: Figure 121:Ias, Register Server In Active Directory Window

    802.1X Quarantine Method 3 Configure IAS to use Active Directory: a Right-click on Internet Authentication Service (Local). b Select Register Server in Active Directory (Figure 121). c Click OK if a registration completed window appears. 4 Configure the RADIUS server parameters: Figure 121: IAS, Register Server in Active Directory Window a Right-click on Internet Authentication Service (local) b Select Properties...
  • Page 236: Figure 123:Ias, Properties Window

    802.1X Quarantine Method Figure 123: IAS, Properties Window c General tab— 1) Enter a descriptive name in the Server Description text box. For example, 2) Select the Rejected authentication requests check box. 3) Select the Successful authentication requests check box. d Ports tab—...
  • Page 237: Figure 124:Ias, New Client, Name And Address Window

    802.1X Quarantine Method 5 Define the authenticators that use this RADIUS server for authentication. a Right-click on RADIUS Clients. b Select New RADIUS Client. The New RADIUS Client window appears: Figure 124: IAS, New Client, Name and Address Window c Enter a descriptive name for the Friendly name, such as Foundry d Enter the IP address of the authenticator in the Client address text box.
  • Page 238: Figure 126:Ias, New Remote Access Policy

    802.1X Quarantine Method Select RADIUS Standard from the Client Vendor drop-down list g Enter a password in the Shared secret text box. This password also needs to be entered when you configure the authenticator. NOTE See your system administrator to obtain the shared secret for your switch. h Re-enter the password in the Confirm shared secret text box.
  • Page 239: Figure 127:Ias, Remote Access Policy, Access Method

    802.1X Quarantine Method d Select the Use the wizard radio button. e Enter a meaningful name in the Policy Name text field. Click Next. Figure 127: IAS, Remote Access Policy, Access Method g Select the Ethernet radio button. (The Ethernet option will not work for authenticating wireless clients with this policy.) h Click Next.
  • Page 240: Figure 129:Ias, Remote Access Policy, Find Group

    802.1X Quarantine Method You can configure your Access policy by user or group. This example uses the group method. Select the Group radio button. Click Add. The Select Groups pop-up window appears: Figure 129: IAS, Remote Access Policy, Find Group k Click Advanced.
  • Page 241: Figure 131:Ias, Remote Access Policy, Authentication Method

    802.1X Quarantine Method Click Find Now to populate the Search Results area. m Select Domain Guests. n Click OK. o Click OK. p Click Next. Figure 131: IAS, Remote Access Policy, Authentication Method NOTE If you choose PEAP as your authentication mechanism in step q, see step 8...
  • Page 242: Figure 132:Error Message

    802.1X Quarantine Method These steps assume there is a Domain Certificate Authority (CA) available to request a certificate. If there is not a CA available, the certificate needs to be imported manually. To request a certificate from a Domain Certificate Authority: Figure 132: Error Message a Open the Microsoft management console by choosing Start>>Run and entering b Choose File>>Add/Remove Snap-in.
  • Page 243: Figure 133:Protected Eap Properties

    802.1X Quarantine Method m Select the certificate you created in the previous steps, select the EAP types you want to use, and click OK. n Once the Certificate is granted by the certificate authority, edit the IAS policy. o On the authentication tab click authentication methods. p Select PEAP and click Edit.
  • Page 244: Figure 135:Ias, Remote Access Policy, Configure

    2) Advanced tab—Add three RADIUS attributes: NOTE The attributes you select might be different for different switch types. Contact Extreme Networks, Inc. Technical Assistance Center (TAC) at (800) 998-2408 or support@extremenetworks.com if you would like assistance. Sentriant AG Users’ Guide, Version 5.0...
  • Page 245: Figure 136:Ias, Remote Access Policy, Add Attribute

    802.1X Quarantine Method 1) Click Add. Figure 136: IAS, Remote Access Policy, Add Attribute 2) Select Tunnel-Medium-Type. (Adding the first of the three attributes.) 3) Click Add. 4) Click Add again on the next window. 5) From the Attribute value drop-down list, select 802 (includes all 802 media). 6) Click OK.
  • Page 246: Figure 137: IAS, Remote Access Logging Properties

    802.1X Quarantine Method 11 Turn on remote access logging a Click on Remote Access Logging. b In the right pane, right-click Local File. c Select Properties. The Local File Properties window appears: Figure 137: IAS, Remote Access Logging Properties d Settings tab—Select any of the request and status options you are interested in logging. e Log file tab—...
  • Page 247: Figure 138: Sentriant AG-to-IAS Connector

    802.1X Quarantine Method The connector contacts Sentriant AG and asks for the posture of the endpoint. Depending on the posture of the endpoint, the plug-in can return RADIUS attributes to your switch instructing it into which VLAN to place an endpoint. The following figure illustrates this process: NOTE If you have an existing Sentriant AG v4.1 certificate (compliance.keystore.cer), you need to replace it with the v5.0 certificate.
  • Page 248: Figure 139: IAS, Add/Remove Snap-In

    802.1X Quarantine Method a Copy the following Sentriant AG IAS Connector files from the Sentriant AG CD-ROM (/support directory) to the WINDOWS/system32 directory on your Windows Server 2003 machine: support/ias/SAIASConnector.dll support/ias/SAIASConnector.ini b Import the Sentriant AG server’s certificate so the connector can communicate with Sentriant AG over SSL: 1) On the Windows Server 2003 machine, click Start.
  • Page 249: Figure 141: IAS, Import Certificate

    802.1X Quarantine Method 7) Select Certificates. 8) Click Add. 9) Select the Computer account radio button. 10) Click Next. 11) Select the Local computer: (the computer this console is running on) radio button. 12) Click Finish. 13) Click Close. 14) Click OK. Figure 141: IAS, Import Certificate 15) Right-click on Console Root>>Certificates (Local Computer)>>Trusted Root Certificate Authorities.
  • Page 250 802.1X Quarantine Method 21) Click Finish. 13 Configure the Sentriant AG-to-IAS connector— a Modify the INI file for your network environment. Sentriant AG returns one of five postures for an endpoint attempting to authenticate. For each posture received, a different RADIUS response to the switch can be configured using RADIUS attributes.
  • Page 251 ; These timeouts should be coordinated with the RADIUS server and switch timeouts for authentication. ;ResolveTimeout=0 ;ConnectTimeout=60000 ;SendTimeout=30000 ;ReceiveTimeout=30000 ; Use these settings for non-Extreme switches ; Uncomment if you want to assign a VLAN for endpoints with a healthy or checkup posture ; HealthyRadiusAttributes=Tunnel-Medium-Type,Healthy-Tunnel-Pvt-GroupId,Tunnel-Type ; CheckupRadiusAttributes=Tunnel-Medium-Type,Healthy-Tunnel-Pvt-GroupId,Tunnel-Type QuarantineRadiusAttributes=Tunnel-Medium-Type,Quarantine-Tunnel-Pvt-GroupId,Tunnel-...
  • Page 252 ; The following sections are the RADIUS attributes that will be returned to the switch as configured ; in the <Posture>RadiusAttribute settings above. ; TO DO - Use these settings for Extreme switches. Change the Value setting to match the VLAN names on your switch. [Healthy]...
  • Page 253 802.1X Quarantine Method ; TO DO - Use the following settings for all non-Extreme switches. Change the Tunnel-Pvt-GroupId settings to match the VLAN ids on your switch [Healthy-Tunnel-Pvt-GroupId] Type=81 DataType=1 Value=50 [Healthy-Session-Timeout] Type=27 DataType=3 Value=3600 [Healthy-Termination-Action] Type=29 DataType=3 Value=1...
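The posture-to-attribute mapping that the connector INI pages above describe (five postures, each naming the RADIUS attribute sections to return to the switch) is easy to get subtly wrong: a misspelled section name silently produces an Access-Accept with no VLAN assignment, and a posture value the plug-in has never seen must not fall through to the healthy response. The following Python 3 program is an added example, not the connector's own code and not the product's INI parser. It loads a constructed INI in the same style (the [Connector] section name and the sample VLAN values are assumptions), validates every referenced attribute section up front, and resolves a posture to a list of (Type, DataType, Value) RADIUS attributes, failing closed to the Unknown response for any posture it does not recognise.

```python
import configparser

# Constructed sample in the style of the connector INI shown on the page.
# The [Connector] section name and the VLAN values (50 = healthy, 15 = quarantine)
# are assumptions for this example; attribute Type numbers are the standard
# RFC 2868 tunnel attributes (64 Tunnel-Type, 65 Tunnel-Medium-Type,
# 81 Tunnel-Private-Group-ID).
SAMPLE_INI = """
[Connector]
; each posture names the attribute sections returned to the switch
HealthyRadiusAttributes=Tunnel-Medium-Type,Healthy-Tunnel-Pvt-GroupId,Tunnel-Type
CheckupRadiusAttributes=Tunnel-Medium-Type,Healthy-Tunnel-Pvt-GroupId,Tunnel-Type
QuarantineRadiusAttributes=Tunnel-Medium-Type,Quarantine-Tunnel-Pvt-GroupId,Tunnel-Type
InfectedRadiusAttributes=Tunnel-Medium-Type,Quarantine-Tunnel-Pvt-GroupId,Tunnel-Type
UnknownRadiusAttributes=Tunnel-Medium-Type,Quarantine-Tunnel-Pvt-GroupId,Tunnel-Type

[Tunnel-Medium-Type]
Type=65
DataType=3
Value=6

[Tunnel-Type]
Type=64
DataType=3
Value=13

[Healthy-Tunnel-Pvt-GroupId]
Type=81
DataType=1
Value=50

[Quarantine-Tunnel-Pvt-GroupId]
Type=81
DataType=1
Value=15
"""

# The five postures the page says Sentriant AG returns for an endpoint.
POSTURES = ("Healthy", "Checkup", "Quarantine", "Infected", "Unknown")


def load_posture_map(ini_text):
    """Parse the INI and return {posture: [(Type, DataType, Value), ...]}.

    Raises ValueError if a posture references an attribute section that does
    not exist, so a typo is caught at load time instead of producing an
    Access-Accept with no VLAN at authentication time.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep attribute and key names case-sensitive
    cp.read_string(ini_text)
    posture_map = {}
    for posture in POSTURES:
        key = posture + "RadiusAttributes"
        names = [n.strip() for n in cp.get("Connector", key).split(",") if n.strip()]
        attrs = []
        for name in names:
            if not cp.has_section(name):
                raise ValueError("attribute section %r referenced by %s is missing" % (name, key))
            sec = cp[name]
            attrs.append((int(sec["Type"]), int(sec["DataType"]), sec["Value"]))
        posture_map[posture] = attrs
    return posture_map


def attributes_for_posture(posture_map, posture):
    """Return the RADIUS attributes for a posture string, failing closed.

    Any posture that is not one of the five configured ones gets the Unknown
    response, which in the sample above is the quarantine VLAN.
    """
    name = posture.strip().capitalize()
    if name not in posture_map:
        name = "Unknown"
    return list(posture_map[name])


if __name__ == "__main__":
    pm = load_posture_map(SAMPLE_INI)
    for posture in ("healthy", "checkup", "infected", "not-a-posture"):
        print(posture, "->", attributes_for_posture(pm, posture))
```

The returned tuples are exactly what a RADIUS reply builder needs for each attribute; the page's own INI also carries Session-Timeout and Termination-Action sections, which the same loader would pick up unchanged if they were listed in a posture's attribute list.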
  • Page 254 802.1X Quarantine Method b Enable the Authorization DLL file. At startup, IAS checks the registry for a list of third-party DLL files to call. 1) Click Start. 2) Select Run. 3) Enter regedit 4) Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services 5) Create an folder if it does not already exist.
  • Page 255: Figure 142: Active Directory, Properties

    802.1X Quarantine Method 1) From the Windows Server 2003 machine, select Start>>Settings>>Control Panel>>Administrative Tools>>Active Directory Users and Computers. Figure 142: Active Directory, properties 2) Right-click on your directory name and select Properties. 3) Select the Group Policy tab. 4) Click Open. 5) Right-click Default Domain Policy and select Edit (click OK if you get a global changes pop-up message).
  • Page 256 802.1X Quarantine Method 10) Click OK. 11) Close the Group Policy Object Editor window. 12) Close the Group Policy Management window. 13) Close the <Active Directory Name> Properties window. 15 Create active directory user accounts. a From the Windows Server 2003 machine, select Start>>Settings>>Control Panel>>Administrative Tools>>Active Directory Users and Computers.
  • Page 257: Figure 144: Active Directory Users and Computers Window

    802.1X Quarantine Method c Select the Users folder. Figure 144: Active Directory Users and Computers Window d Right-click a user name and select Properties. The Properties window appears: Figure 145: Active Directory, User Account Properties e Select the Dial-in tab.
  • Page 258: Proxying RADIUS Requests to an Existing RADIUS Server Using the Built-in Sentriant AG RADIUS Server

    802.1X Quarantine Method In the Remote Access Permission area, select the Allow Access radio button. g Select the Account tab. h Verify that you are using Microsoft’s version of the challenge-handshake authentication protocol (CHAP), MSCHAPv2. If, for some reason, you cannot upgrade to MSCHAPv2 at this time, perform the following workaround for MSCHAPv1: In the Account options area, select the Store password using reversible encryption check box.
  • Page 259 Password=nacpwd # TO DO - Modify the vlan ids and names to match your switch configuration # Use these attributes for all non-Extreme switches # Uncomment these two sections if you want the connector to specify the normal user vlan # rather than specifying it for each user in the users configuration file.
  • Page 260 "InfectedRadiusAttributes" Tunnel-Medium-Type := 6, Tunnel-Private-Group-ID := 15, Tunnel-Type := VLAN, "UnknownRadiusAttributes" Tunnel-Medium-Type := 6, Tunnel-Private-Group-ID := 5, Tunnel-Type := VLAN, # Use these attributes for Extreme switches #"HealthyRadiusAttributes" Extreme-Netlogin-Vlan := HealthyVlanName #"CheckupRadiusAttributes" Extreme-Netlogin-Vlan := HealthyVlanName #"QuarantineRadiusAttributes" Extreme-Netlogin-Vlan := QuarantineVlanName #"InfectedRadiusAttributes"...
  • Page 261: Using the Built-in Sentriant AG RADIUS Server for Authentication

    802.1X Quarantine Method 4 Test the RADIUS server proxy: radtest <user> <passwd> <radius-server[:port]> <nas-port-number> <secret> Using the Built-in Sentriant AG RADIUS Server for Authentication If you selected the Manual End-user authentication method in the Authentication settings area of the System configuration>>Quarantining>>802.1X window, configure Sentriant AG according to the instructions in this section.
  • Page 262: Setting Up the Supplicant

    802.1X Quarantine Method 1 In the Select a quarantine method area, select the 802.1X quarantine method radio button. Figure 146: Enabling 802.1X in the Console 2 In 802.1X enforcement mode, the ESs must be able to watch DHCP conversations and detect endpoints by sniffing network traffic as it flows between the DHCP server and the endpoints.
  • Page 263: Figure 147: IAS, Windows Client Authentication

    802.1X Quarantine Method 2 Select Properties. Figure 147: IAS, Windows Client Authentication 3 General tab – a Select the Show icon in notification area when connected check box. This enables the Windows XP balloon help utility, which can assist you when entering information and troubleshooting errors.
  • Page 264 802.1X Quarantine Method 4 Authentication tab— a Select the Enable IEEE 802.1X authentication for this network check box. b Select an EAP type from the drop-down list. For this example, select MD5-Challenge. Important: This EAP type must match the EAP type selected in step q on page 241.
  • Page 265: Setting Up the Authenticator

    “Cisco® 2950 IOS” on page 266 ● “Cisco® 4006 CatOS” on page 267 ● “Enterasys® Matrix 1H582-25” on page 267 ● “Extreme® Summit 48si” on page 267 ● “ExtremeWare” on page 268 ● “ExtremeXOS” on page 269 ● “Foundry® FastIron® Edge 2402” on page 269 ●...
  • Page 266: Cisco® 2950 IOS

    802.1X Quarantine Method The lines that apply to 802.1X are shown in green italic text. Make sure that you add this information when configuring your switch. Cisco® 2950 IOS aaa new-model aaa authentication dot1x default group radius aaa authorization network default group radius dot1x system-auth-control interface FastEthernet0/1 switchport mode access...
  • Page 267: Cisco® 4006 CatOS

    ! radius set radius timeout 30 set radius server 1 10.11.100.10 1812 02108000AE5BA9C47EDC24F2CA6529EE4CCC8930BBD70F5AAA2CF0C5DBAA5DA97FADFE95 set radius enable Extreme® Summit 48si NOTE When authenticating via the onboard FreeRadius server, you need to add the administrative line in the RADIUS users file. NOTE Change the admin password to a non-blank password.
  • Page 268: ExtremeWare

    802.1X Quarantine Method create vlan "Operations" create vlan "CommandControl" create vlan "Quarantine" create vlan "Guest" create vlan "Temp" # Radius configuration enable radius configure radius primary shared-secret encrypted "ouzoisgprdr#s{fqa" configure radius primary server 10.10.100.10 1645 client-ip 10.10.100.1 # Network Login Configuration configure vlan Temp dhcp-address-range 10.10.5.100 - 10.10.5.150 configure vlan Temp dhcp-options default-gateway 10.10.5.1 configure vlan Temp dhcp-options dns-server 10.10.100.11...
  • Page 269: ExtremeXOS

    802.1X Quarantine Method enable netlogin port 6 vlan Default enable netlogin port 7 vlan Default enable netlogin port 8 vlan Default configure netlogin mac auth-retry-count 3 configure netlogin mac reauth-period 1800 ExtremeXOS create vlan "Quarantine" create vlan "Test" enable radius netlogin configure radius netlogin timeout 3 configure radius-accounting netlogin timeout 3 # Module netLogin configuration.
  • Page 270: HP ProCurve® 420AP

    802.1X Quarantine Method interface ethernet 3 dot1x port-control auto sflow-forwarding interface ethernet 4 dot1x port-control auto sflow-forwarding HP ProCurve® 420AP This section shows how to configure the security settings on the 420AP so that user access may be controlled using Dynamic VLAN provisioning. HP ProCurve Access Point 420#configure HP ProCurve Access Point 420(config)#interface ethernet Enter Ethernet configuration commands, one per line.
  • Page 271: HP ProCurve® 530AP

    802.1X Quarantine Method HP ProCurve® 530AP This section shows how to configure the security settings on the 530AP so that user access may be controlled using Dynamic VLAN provisioning. ProCurve Access Point 530#conf ProCurve Access Point 530(config)#interface ethernet ProCurve Access Point 530(ethernet)#ip address <IP of Access Point > Netmask ProCurve Access Point 530(ethernet)#ip default-gateway <IP of Gateway>...
  • Page 272: HP ProCurve® 3400/3500/5400

    802.1X Quarantine Method ProCurve Access Point 530(radio1-wlan1)#wep-key-ascii ProCurve Access Point 530(radio1-wlan1)#wep-key-1 1q2w3e4r5t6y7 ProCurve Access Point 530(radio1-wlan1)#write mem ProCurve Access Point 530(radio1-wlan1)#enable ProCurve Access Point 530(radio2-wlan1)#enable ProCurve Access Point 530(config)#radio 1 ProCurve Access Point 530(radio1)#enable ProCurve Access Point 530(radio1)#radio 2 ProCurve Access Point 530(radio2)#enable ProCurve Access Point 530(config)#write mem ProCurve Access Point 530(config)#exit HP ProCurve®...
  • Page 273 802.1X Quarantine Method eapol enable interface FastEthernet ALL eapol port 1-2 status auto traffic-control in-out re-authentication enable re-authentication-period 3600 re-authenticate quiet-interval 60 transmit-interval 30 supplicant-timeout 30 server-timeout 30 max-request 2 ! *** Port Mirroring *** port-mirroring mode XrxOrXtx monitor-port 9 mirror-port-X 12
  • Page 275: Chapter 12: API

    The Sentriant AG Application Programming Interface (API) is based on the Java Message Service (JMS). Sentriant AG ships with version 3.1 of the ActiveMQ JMS provider (http://activemq.codehaus.org/), an open source implementation of JMS. Sentriant AG API communication is illustrated in Figure 148, where: JMS Message Bus—Sentriant AG ships with the ActiveMQ Java Messaging Service (JMS).
  • Page 276: Setting Sentriant AG Properties

    The JMS bus is used to send requests (such as test endpoints, change access status, and set configuration properties that cannot be set via the Sentriant AG console), and to publish events (such as test results and endpoint status change) to external third parties. Figure 148: Sentriant AG API Communication Sentriant AG is continually testing endpoints that attempt to connect to your network and publishes information about those endpoints as Events to Topics.
  • Page 277: Setting Firewall Rules

    You can set the following properties: ● Compliance.JMSProvider.ForwardJMSEvents ● Compliance.System.JMSProvider.UserName ● Compliance.System.JMSProvider.Password Test results are published when they happen. To change or set API properties: Sentriant AG MS command line window 1 Create the XML file in the following directory with a text editor such as /usr/local/nac/bin 2 Edit any properties.
  • Page 278: Examples Of Events Generated

    Examples of Events Generated The following shows examples of information returned for generated events: ------------------------------------------------------------------------- <MNMDeviceChangeEvent> <device> <uniqueId>5928e8f98d4ce49c6c03529ca4325b5e</uniqueId> <ip>10.1.13.29</ip> <mac>00:11:43:4F:15:D6</mac> <netbiosName>SSLSHAUSAFUS</netbiosName> <domainName>MyCompany</domainName> <userName>administrator</userName> <loggedOnUser>administrator</loggedOnUser> <os>Windows</os> <osDetails>XP SP2</osDetails> <policyId>LowSecurity</policyId> <lastTestTime>1157042366000</lastTestTime> <lastTestStatusId>PASSED</lastTestStatusId> <gracePeriod>-1</gracePeriod> <gracePeriodStart>0</gracePeriodStart> <createTime>1156536669000</createTime> <lastActivityTime>1157045939456</lastActivityTime> <lastConnectTime>1157044195000</lastConnectTime> <lastDisconnectTime>0</lastDisconnectTime> <postureToken>healthy</postureToken> <nodeId>b198ada2-06ce-4e30-bbb9-bcc11ffa777b</nodeId> <clusterId>5b227ee9-5085-4bbc-9c6f-dd57900eaa1f</clusterId> <accessStatusId>QUARANTINED_BY_POLICY</accessStatusId> <nextTestTime>1157049566000</nextTestTime>...
  • Page 279 <gracePeriodStart>1157042301000</gracePeriodStart> <createTime>1157042283000</createTime> <lastActivityTime>1157046201262</lastActivityTime> <lastConnectTime>1157040486000</lastConnectTime> <lastDisconnectTime>0</lastDisconnectTime> <postureToken>checkup</postureToken> <nodeId>b198ada2-06ce-4e30-bbb9-bcc11ffa777b</nodeId> <clusterId>5b227ee9-5085-4bbc-9c6f-dd57900eaa1f</clusterId> <accessStatusId>ALLOWED_BY_POLICY</accessStatusId> <nextTestTime>1157053406845</nextTestTime> <nadPort></nadPort> <nadIP></nadIP> <sessionAccess>-1</sessionAccess> <sessionAccessEnd>0</sessionAccessEnd> <otherDeviceProperties> <entry> <string>OS</string> <string>Windows</string> </entry> </otherDeviceProperties> <lastUpdateTime>1157046206846</lastUpdateTime> <testingMethod>AGENTLESS</testingMethod> </device> <testResults> <TestResultInfo> <timestamp>1157046206801</timestamp> <gracePeriod>604800</gracePeriod> <testName>Windows 2000 hotfixes</testName> <testClass>Check2000HotFixes</testClass> <testModule>check2000HotFixes</testModule> <testGroup>OperatingSystem</testGroup> <actionsTaken>access allowed, temporary access period continuing from 8/31/06 10:38 AM, email not sent</actionsTaken>...
  • Page 280: Java Program And Command For Events

    <previousResultCode>pass</previousResultCode> </TestResultInfo> <TestResultInfo> <timestamp>1157046206801</timestamp> <gracePeriod>0</gracePeriod> <testName>Worms, viruses, and trojans</testName> <testClass>CheckWormsVirusesAndTrojans</testClass> <testModule>checkWormsVirusesAndTrojans</testModule> <testGroup>Software</testGroup> <actionsTaken>none</actionsTaken> <debugInfo>None</debugInfo> <severity>1</severity> <statusCode>1</statusCode> <resultCode>pass</resultCode> <resultMessage>No worms, viruses or trojans were found.</resultMessage> <policyId>LowSecurity</policyId> <mostSeriousInRun>false</mostSeriousInRun> <previousResultCode>pass</previousResultCode> </TestResultInfo> </testResults> <ip>10.1.70.101</ip> <id>b198ada2-06ce-4e30-bbb9-bcc11ffa777b</id> <originalTimeStamp>1157046206882</originalTimeStamp> </MNMDeviceTestedEvent> ------------------------------------------------------------------------- Java Program and Command for Events Sentriant AG ships with a sample shell script that invokes Java code that can be used to listen for JMS events.
  • Page 281: Sentriant AG Requests Supported

    Sentriant AG Requests Supported The following Sentriant AG requests are supported: ● GetDeviceInfo—Requests the endpoint identification ● StartTests—Requests that the endpoint be tested ● PutDeviceInfo—Sets endpoint properties ● TemporarilyDenyAccess—Specifies to temporarily deny access to the specified endpoint or endpoints. ● TemporarilyAllowAccess—Specifies to temporarily allow access to the specified endpoint or...
  • Page 282 <device> <mac>00:0c:29:12:4b:4a</mac> <deviceProps> <entry> <string>keya</string> <string>valuea</string> </entry> <entry> <string>keyb</string> <string>valueb</string> </entry> </deviceProps> </device> </devices> </NACRequest> <NACRequest> <operation>TemporarilyDenyAccess</operation> <duration>24</duration> <devices> <device> <ip>172.17.5.2</ip> </device> </devices> </NACRequest> <NACRequest> <operation>TemporarilyAllowAccess</operation> <duration>24</duration> <devices> <device> <ip>172.17.5.2</ip> </device> </devices> </NACRequest> <NACRequest> <operation>ClearTemporaryAccess</operation> <devices> <device> <ip>172.17.5.2</ip> </device> </devices> </NACRequest>...
  • Page 283: Java Program And Command For Requests

    Java Program and Command for Requests Sentriant AG ships with a sample shell script that invokes Java code that can be used to send JMS requests. Invoke the program by entering the following command: sendRequest.sh [-u broker URL] [-t topicName] [-l login -p password] -f <request.xml> Where: —The URL of the JMS message bus.
  • Page 285: Chapter 13: Reports

    Reports Sentriant AG generates the following types of reports: Table 9: Report Types and Fields (columns: Report, Description, Report columns). NAC policy results: Lists each NAC policy and the last pass/fail policy results. Report columns: policy name, test status, # of times, ...
  • Page 286 Reports Table 9: Report Types and Fields (continued). Test results by IP address: Lists the number of tests that passed or failed for each IP address. Report columns: ip address, cluster, netbios, user, test status, ...
  • Page 287: Generating Reports

    Reports Generating Reports To generate a report: Sentriant AG Home window>>Reports The following figure shows the Reports window. Figure 149: Reports Window 1 In the Report drop-down list, select the report to run. 2 Select the Report period. 3 Select the Rows per page. 4 In the Endpoint search criteria area, select any of the following options to use for filtering the report: a Cluster...
  • Page 288: Viewing Report Details

    Reports 1) All of the selected criteria 2) Any of the selected criteria 5 Select Generate report. After a short period of time the compiled report is displayed in a separate browser window. The following figure shows an example report. Figure 150: NAC Policy Results Report CAUTION The reports capability uses pop-up windows;...
  • Page 289: Figure 151: Report, Test Details Window

    Reports Figure 151: Report, Test Details Window
  • Page 290: Printing Reports

    Reports Printing Reports To print a report: Sentriant AG Home window>>Reports 1 Select the options for the report you want to run. 2 Click Generate report. 3 Select Print. 4 Select the printer options and properties. 5 Select Print. Saving Reports to a File To save a report: Sentriant AG Home window>>Reports 1 Select the options for the report you want to run.
  • Page 291 Reports 6 Click Save. This creates a standalone file that retains all of its graphics and formatting. 7 To print, you might need to reduce the border sizes in the File>>Page Setup dialog box for the report to print correctly.
  • Page 293: Chapter 14: System Administration

    Any Sentriant AG window Click Logout in the upper right corner of the Sentriant AG home window. When the logout procedure completes, the Extreme Networks, Inc. login window appears. Important Browser Settings There are several browser configuration settings to make, depending on which browser you are using.
  • Page 294: Entering A New License Key

    System Administration Entering a New License Key Extreme Networks, Inc. distributes license keys as text files. Due to the license key’s length, copy and paste the license key directly out of the text file. To enter a new license key: Sentriant AG Home window>>System Configuration>>License...
  • Page 295: System Settings

    System Administration NOTE Your outbound SSL connection needs to access: For license validation and test updates: http://update.sentriantag.extremenetworks.com port 443 For software and operating system updates http://download.sentriantag.extremenetworks.com (216.183.121.206) port 80 System Settings Matching Windows Domain Policies to NAC Policies Using a Windows domain might affect the end-user’s ability to change their system configuration to pass the tests.
  • Page 296: Setting The Access Mode

    System Administration Setting the Access Mode The access mode selection is a quick way to shut down all traffic into an Enforcement cluster, or open it up for trial-use purposes. To change the access mode: Sentriant AG Home window>>System monitor>>Select an Enforcement cluster 1 Select one of the following from the Access mode area: normal—Access is regulated by the NAC policies ■...
  • Page 297: Resetting Your System

    System Administration Resetting your System To reset your system to the as-shipped state: Command line window 1 Log in as root to the Sentriant AG MS, either using SSH or directly with a keyboard. 2 Enter the following command at the command line: resetSystem.py [both | ms | es] Where: No arguments—The system is reset to the same type (either a single-server installation with the MS...
  • Page 298: Changing Properties

    System Administration Changing Properties To change the property values in the properties files: Command line window 1 Log in as root to the Sentriant AG MS using SSH. 2 Enter the following at the command line: setProperty.py <DESTINATION> <TYPE> <VALUES> Where: <DESTINATION>...
  • Page 299: Windows 2003 Server Settings

    System Administration Windows 2003 Server Settings Windows 2003 Server has the Enhanced Security Configuration option Enabled by default. This option must be disabled for the following reasons: ● A Windows 2003 Server host cannot be tested. ● The Windows 2003 Server endpoint cannot download the agent. ●...
  • Page 300: Database

    System Administration Table 10: CIDR Naming Conventions (continued) (columns: Block, Netmask, Networks, Hosts). Netmask 255.255.192.0: 64 Class C networks, 16,384 hosts. Netmask 255.255.128.0: 128 Class C networks, 32,768 hosts. Netmask 255.255.0.0: 1 Class B network, 65,536 hosts. Netmask 255.254.0.0: 2 Class B networks, 131,072 hosts. Netmask 255.252.0.0: 3 Class B networks, 262,144 hosts. Netmask 255.248.0.0: 8 Class B networks...
  • Page 301: Restoring The Original Database

    System Administration 3 Click ok. A status window appears. 4 The system data is restored and the login window appears: Figure 153: Login Window Restoring the Original Database CAUTION Running this script resets your entire system, not just the database. See “Resetting your System”...
  • Page 302: System Requirements

    System Administration System Requirements The following hardware and software is required to install and operate Sentriant AG. Table 11: Sentriant AG System Requirements Item Required — Server A dedicated server or servers for product installation with the following minimum system requirements: Processor Intel Dual Core (Core 2 Duo/Xeon...
  • Page 303: Supported VPNs

    It is strongly recommended that you use the server-class Intel NIC cards. If you use a different NIC card, you might be unable to connect, or experience unpredictable results and availability. NOTE Your license key is emailed to you. If you did not receive one, contact Extreme Networks, Inc. Technical Assistance Center (TAC) (support@extremenetworks.com or (800) 998-2408). Supported VPNs Sentriant AG works with any VPN endpoint, since Sentriant AG does not directly interface or interoperate with VPN endpoints.
  • Page 304: References

    System Administration You need some programming experience to extend and add tests. If you have previously used Perl to complete these tasks, you might find that Python is a better choice as a programming language for the tasks described in the following sections. CAUTION You should familiarize yourself with Python and with the rest of the Sentriant AG product before attempting to create custom test scripts.
  • Page 305: Figure 154: Test Script Code

    System Administration 3 Examine the code. The comments explain each section of code. The following example shows the contents of the file. Figure 154: Test Script Code
    #!/usr/bin/python
    from checkSoftwareNotAllowed import CheckSoftwareNotAllowed
    # This allows a script to be tested from the command line.
    if __name__ == '__main__':
        import myCheckSoftwareNotAllowed
        t = myCheckSoftwareNotAllowed.MyCheckSoftwareNotAllowed()
  • Page 306 System Administration Figure 154: Test Script Code (continued)
        # All test classes must define the runTest method with the self and debug
        # parameters
        def runTest(self,debug=0):
            # Get the result hash from the CheckSoftwareNotAllowed test
            # and modify the result message based on the result code.
            result = CheckSoftwareNotAllowed.runTest(self,debug)
            if result["result_code"] == "fail":
                result["result_message"] = "The MyCheckSoftwareNotAllowed test...
  • Page 307: Figure 155: Example InstallCustomTests Output

    System Administration 6 Once you have completed your edits and saved the file, copy myCheckSoftwareNotAllowed.py to the following directory on the Sentriant AG MS: /usr/local/nac/scripts/Custom/Tests 7 If you have created new base classes, copy them to the following directory on the Sentriant AG MS: /usr/local/nac/scripts/Custom/BaseClasses CAUTION When updating or modifying files, use the Custom directory tree (Custom/BaseClasses, Custom/Tests).
  • Page 308 System Administration Figure 155: Example InstallCustomTests Output (continued) --> Press Enter to proceed or Ctrl-C to abort <-- + Generating RPM spec file + Creating RPM file 'NAC-custom-testscripts-5.0-51.i386.rpm' + Creating update package file (/tmp/customUpdatePkg.29285.tar.gz) + Creating XML file to send custom scripts to the MS (/tmp/installCustomTest.29285.xml) + Sending XML message to MS to install and distribute custom scripts 00:22:34 INFO...
  • Page 309: Creating A Custom Test Class Script From Scratch

    System Administration Figure 155: Example InstallCustomTests Output (continued) 00:22:36 DEBUG Message received: ACTIVEMQ_TEXT_MESSAGE: id = 0 ActiveMQMessage{ , jmsMessageID = ID:perf-ms1-51331-1162363440379-15:3, bodyAsBytes = org.activemq.io.util.ByteArray@1362012, readOnlyMessage = true, jmsClientID = '93baaf5a-b0ed-4fc2-a3ae-ec6460caedc0' , jmsCorrelationID = 'null' , jmsDestination = TemporaryQueue-{TD{ID:perf-ms1-40612-1162365754580-1:0}TD}ID:perf-ms1-40612-1162365754580-6:0, jmsReplyTo = null, jmsDeliveryMode = 2, jmsRedelivered = false, jmsType = 'null' , jmsExpiration = 1162365766750, jmsPriority = 4, jmsTimestamp = 1162365756750, properties = null, readOnlyProperties = true, entryBrokerName = '172.30.1.50' , entryClusterName...
  • Page 310: Figure 156: testTemplate.py

    System Administration Figure 156: testTemplate.py
    #!/usr/bin/python
    from BaseClasses.SABase import SABase as SABase
    # This allows a script to be tested from the command line.
    if __name__ == '__main__':
        import testTemplate
        t = testTemplate.TestTemplate()
        t.processCommandLine()
    # The class definition. All classes must be derived from the SABase class.
    class TestTemplate(SABase):
        # Make up a test id.
  • Page 311 System Administration Figure 156: testTemplate.py (continued)
        # Assign the test to an existing group or create a new group.
        # Groups are configured and created in the policies.xml file <group>
        # section (See the Adding new groups section).
        testGroupId = "TestGroup"
        # This is the HTML that will be displayed in the test properties page
        # in the policy editor.
  • Page 312 System Administration Figure 156: testTemplate.py (continued)
        # All tests must define the runTest method with the self and the debug
        # parameters.
        def runTest(self,debug=0):
            # All tests must call the initialize routine
            self.initTest()
            # Create a hash to store the return results.
            # All tests must return a hash with the following keys:
            #   status_code - 0 if an unexpected error occurred, 1 if...
  • Page 313 System Administration Figure 156: testTemplate.py (continued)
            # Always use the doReturn function; this allows the superclass to add or modify
            # any items in the returnHash as necessary.
            return(self.doReturn(returnHash))
    1 Use the template, as shown in Figure 156, to create a new test script. As an example, the new test script is called checkOpenPorts.py, and it fails if any of the specified ports are open on the target...
  • Page 314: Figure 157: checkOpenPorts.py Script

    System Administration Figure 157 shows the code for the new test. The checkOpenPorts.py file is included on the Sentriant AG CD as /sampleTests/checkOpenPorts.py. Review the code. The comments explain each section of the code. Figure 157: checkOpenPorts.py script
    #!/usr/bin/python
    from BaseClasses.SABase import SABase as SABase
    # This allows a script to be tested from the command line.
  • Page 315 System Administration Figure 157: checkOpenPorts.py script (continued)
        testConfig = \
        """
        <div id="test_parameters">
        <table height="100%" width="100%" border="0" cellspacing="0" cellpadding="0">
        <tbody>
        <tr>
        <td colspan="2" style="padding: 5px 3px 5px 3px;">
        Enter a list of ports that are not allowed to be open on the endpoint.
  • Page 316 System Administration Figure 157: checkOpenPorts.py script (continued)
        # Make up a summary for the test. This will show up in the description
        # field in the policy editor.
        testSummary = "This test takes a list of ports that should NOT be found open on the remote host.
  • Page 317 System Administration Figure 157: checkOpenPorts.py script (continued)
            try:
                ports = []
                if self.inputParams.has_key("ports_not_allowed"):
                    ports = self.inputParams["ports_not_allowed"].split(",")
                else:
                    # No ports not allowed, pass
                    return(self.doReturn(returnHash))
                if debug:
                    print "Checking ports " + str(ports) + " on host " + self.session.host()
                # Do your test here. Modify the returnHash accordingly.
                portsOpen = ""
  • Page 318 System Administration Figure 157: checkOpenPorts.py script (continued)
                        s.close()
                        if debug:
                            print "Connected to "+hp+". Port open!"
                        # Add the port to our list of open ports for use later
                        portsOpen += str(p) + ","
                    except:
                        if s is not None:
                            try:
                                s.close()
                            except:
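As an added example of the open-port test that the checkOpenPorts.py pages above describe (the manual's script is Python 2 and derives from the product's SABase; this stand-alone Python 3 class is hypothetical and not the product's code), the class below keeps the same contract: a comma-separated ports_not_allowed parameter, a result hash with status_code, result_code and result_message, status_code 0 reserved for errors in the test itself, and a pass when no ports are configured. Each connection attempt uses a short timeout so a filtered port cannot stall the whole policy run, and the two helper functions construct a loopback listener and a closed port so the example runs offline.

```python
import socket


class CheckOpenPorts:
    """Stand-in for a Sentriant AG test class (hypothetical; not built on the
    product's SABase). Fails if any of the listed TCP ports accept a connection."""

    testId = "checkOpenPorts"
    testName = "Open ports not allowed"

    def __init__(self, host, ports_not_allowed, timeout=1.0):
        self.host = host
        # Same input format as the page's "ports_not_allowed" parameter: a
        # comma-separated list of port numbers; blank entries are ignored.
        self.ports = [int(p) for p in ports_not_allowed.split(",") if p.strip()]
        self.timeout = timeout

    def run_test(self, debug=0):
        # Same keys the template on the page describes: status_code is 0 only when
        # the test itself failed unexpectedly; result_code is the endpoint verdict.
        return_hash = {
            "status_code": 1,
            "result_code": "pass",
            "result_message": "None of the disallowed ports are open.",
        }
        if not self.ports:
            return return_hash  # nothing configured to check, so the endpoint passes
        try:
            open_ports = [p for p in self.ports if self._is_open(p)]
        except socket.gaierror as exc:
            # Name resolution failed: that is a test error, not an endpoint verdict.
            return_hash["status_code"] = 0
            return_hash["result_message"] = "Could not resolve %s: %s" % (self.host, exc)
            return return_hash
        if open_ports:
            return_hash["result_code"] = "fail"
            return_hash["result_message"] = "Disallowed ports open on %s: %s" % (
                self.host, ",".join(str(p) for p in open_ports))
        if debug:
            print(return_hash)
        return return_hash

    def _is_open(self, port):
        """True if a TCP connect to (host, port) succeeds within the timeout."""
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(self.timeout)
        try:
            s.connect((self.host, port))
            return True
        except socket.gaierror:
            raise  # let run_test report it as a test error
        except OSError:
            return False  # refused, timed out or unreachable: treat as closed
        finally:
            s.close()


def start_listener():
    """Open a loopback TCP listener on a free port (constructed test fixture)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_closed_port():
    """Pick a loopback port that is currently closed (constructed test fixture)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, open_port = start_listener()
    try:
        test = CheckOpenPorts("127.0.0.1", "%d,%d" % (open_port, free_closed_port()))
        print(test.run_test(debug=1))
    finally:
        srv.close()
```

Run from the command line the block opens one listening port on loopback, checks it together with a closed one, and reports a fail naming only the open port; the separation of status_code from result_code is what lets a policy treat a broken test differently from a non-compliant endpoint.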
  • Page 319: BasicTests API

    System Administration 3 Once you have completed your test script modifications, save the script as described in step 6 on page 307. 4 Save any new classes as described in step 7 on page 307. 5 Push the new test out to all ESs as described in step 8 on page 307.
  • Page 320 System Administration Table 12: BasicTests API (continued) The BasicTests API accesses these functions with the SABase self.bt member. All methods throw an exception that should be caught if an unexpected error occurs. Return Value Public Method String getOs(debug=0) Retrieves the operating system of the targetHost. Returns one of the following strings: •...
  • Page 321 System Administration Table 12: BasicTests API (continued) The BasicTests API accesses these functions with the SABase self.bt member. All methods throw an exception that should be caught if an unexpected error occurs. Return Value Public Method String getServiceStatus(list serviceNames, debug=0) Gets the status for a list of services.
  • Page 322 System Administration Table 12: BasicTests API (continued) The BasicTests API accesses these functions with the SABase self.bt member. All methods throw an exception that should be caught if an unexpected error occurs. Return Value Public Method Boolean getRegKeyExists(string key, debug=0) Check to see if a single key exists in the registry.
  • Page 323: End-User Access Windows

    NOTE If you need more end-user access window customization than is described in this Users’ Guide, please contact Extreme Networks, Inc. Technical Assistance Center (TAC) at support@extremenetworks.com. Editing the end-user access window logo and general text: See “End-user Screens” on page 121.
  • Page 324 Sentriant AG ES is 10.0.16.18, point an IE browser window to: http://10.0.16.18:88 NOTE If you would like to use a port other than 88, contact Extreme Networks, Inc. Technical Assistance Center (TAC) at support@extremenetworks.com for assistance in making the necessary changes. Sentriant AG Users’ Guide, Version 5.0...
  • Page 325: How Sentriant AG Handles Static IP Addresses

    System Administration How Sentriant AG Handles Static IP Addresses The following list details how Sentriant AG handles static IP addresses: ● Inline Mode—Sentriant AG can detect, test, and quarantine static IP addresses. The end-user cannot circumvent a quarantine. ● DHCP mode...
  • Page 326: Resetting the Sentriant AG Server Password

    System Administration Table 13: Sentriant AG passwords (columns: Sentriant AG password | Set during | Recovery process) Sentriant AG administrator accounts | Initial install process * | • For known passwords — console, Sentriant AG Home window >> System configuration >> User accounts • For unknown passwords —...
  • Page 327: Resetting the Sentriant AG Database Password

    System Administration 2 As the machine boots, you are presented with a list of kernels. Interrupt the boot process by pressing key. 3 Press to edit the line. 4 Enter a space and type: single 5 Press . You are now in Single User Mode. 6 Enter the following command: passwd 7 Enter a new password at the New Password prompt.
  • Page 328: NTLM 2 Authentication

    System Administration 2 Save the file and copy it to the Sentriant AG server (either MS or ES). 3 Log into the Sentriant AG server as root. 4 Enter the following command: setProperty.py -f <filename> 5 From a workstation, open a browser window and point to the Sentriant AG MS. 6 Enter a new User Name and Password when prompted.
  • Page 329 NOTE When using Extreme switches, DHCP relay IP addresses to enforce will NOT work when the quarantine subnet is a subset of the production network. This is because Extreme switches forward the packets from the IP address closest to Sentriant AG and not the IP address of the interface closest to the endpoint, so all the DHCPRelay packets will appear to come from a production network IP address.
  • Page 330: Creating and Replacing SSL Certificates

    System Administration Creating and Replacing SSL Certificates The Secure Sockets Layer (SSL) protocol uses encryption by way of certificates to provide security for data or information sent over HTTP. Certificates are digitally signed statements that verify the authenticity of a server for security purposes. They use two keys;...
  • Page 331: Using an SSL Certificate from a Known Certificate Authority (CA)

    System Administration 5 Review the information you've entered so far, enter if it is correct. 6 The keytool utility prompts you for the following information: Key password for key_alias—Do not enter a password; press [Return] to use the same password that was given for the keystore password.
  • Page 332: Moving an ES from One MS to Another

    System Administration 8 Once you get your signed certificate back from the CA, import it into your keystore (see “Copying Files” on page 35), replacing the previously self-signed public certificate for your key by entering the following command on the command line of the Sentriant AG server: <key_alias>...
  • Page 333: Recovering Quickly From A Network Failure

    System Administration Recovering Quickly from a Network Failure If you have a network with a very large number of endpoints (around 3000 endpoints per ES), and your network goes down, perform the following steps to make sure that your endpoints can reconnect as quickly as possible: 1 Place all of the clusters that have a large number of endpoints in allow all mode: a Select System configuration.
  • Page 335: Appendix A: Requirements

    Not all anti-virus and anti-spyware tests check for signature file updates. Some anti-virus and anti-spyware products do not lend themselves to be tested for signature file updates. NOTE Sentriant AG has the capability to have custom tests created in Python; however, Extreme Networks, Inc. takes no responsibility for custom scripts. Self Remediation: Messenger service needs to be running on the end-user endpoint.
  • Page 336 Requirements Sentriant AG administrator qualifications necessary: ● Networking abilities: ■ Switch / router configuration ■ ACLs, VLANs, routing ■ DHCP ■ Radius ■ 802.1x ● Must have privileges / access to the network to make configuration changes.
  • Page 337: Appendix B: Tests Help

    Tests Help The tests performed on endpoints attempting to connect to the network are listed on the Sentriant AG Home window>>NAC policies>>Select a NAC policy>>Tests. These tests are updated when you download the latest versions by selecting Sentriant AG Home window>>System Configuration>>Test Updates>>Check for Test Updates.
  • Page 338 Tests Help Table 14: Browser Vulnerabilities Item Description Cache Cache is a user-specifiable amount of disk space where temporary files are stored. These files contain graphics and Web pages you visit. The primary purposes for storing Web page information are to save time reloading pages and graphics, and to reduce network traffic by not having to repeatedly send the information over the network.
  • Page 339: Browser Version

    Tests Help Browser Version Description This test verifies that the endpoint attempting to connect to your system has the latest browser version installed. Test Properties Select the check box for the required browser software. Enter a version in the text box. If no version is specified in the text box, the default version shown in the square brackets is required.
  • Page 340: How Does This Affect Me

    Tests Help How Does this Affect Me? The Internet security zone defines a security level for all external Web sites that you visit (unless you have specified exceptions in the trusted and restricted site configurations). The default setting is Medium. The following link provides details about the specific security options in the Custom Level window: http://www.microsoft.com/windows/ie/using/howto/security/setup.asp The following link provides details on how to find and change the settings in IE:...
  • Page 341: Internet Explorer (Ie) Restricted Site Security Zone

    Tests Help How Does this Affect Me? The intranet security zone defines a security level for all internal Web sites that you visit (unless you have specified exceptions in the trusted and restricted site configurations). The default setting is Medium-low. The following link provides details about the specific security options in the Custom Level window: http://www.microsoft.com/windows/ie/using/howto/security/setup.asp The following link provides details on how to find and change the settings in IE:...
  • Page 342: Internet Explorer (Ie) Trusted Sites Security Zone

    Tests Help How Does this Affect Me? The restricted sites security zone defines a security level for all restricted Web sites that you visit. The default setting is High. You also define the specific sites by name and IP address that are restricted. For example, you could specify www.unsafesite.com as a restricted site.
  • Page 343: IIS Hotfixes

    Tests Help ● Medium-low. A mix of enabled, disabled and prompt for ActiveX controls, enables downloads, a mix of enabled, disabled and prompt for Miscellaneous options, enables Scripting, enables automatic login for intranet ● Low. A mix of enabled and prompt ActiveX controls, enables downloads, a mix of enabled and...
  • Page 344: Test Properties

    Tests Help Test Properties Select the hotfixes required on your network. Selecting the All critical updates option requires all the critical patches that have been released or will be released by Microsoft. How Does this Affect Me? Hotfixes are programs that update the software and may include performance enhancements, bug fixes, security enhancements, and so on.
  • Page 345: Windows 2000 Hotfixes

    Tests Help Test Properties The service packs are listed here by operating system. How Does this Affect Me? Service packs are programs that update the software and may include performance enhancements, bug fixes, security enhancements, and so on. There is usually more than one fix in a service pack, whereas a hotfix is usually one fix.
  • Page 346: Windows Server 2003 SP1 Hotfixes

    Tests Help Test Properties Select the hotfixes required on your network. Selecting All critical updates requires all the critical patches that have been released or will be released by Microsoft. How Does this Affect Me? Hotfixes are programs that update the software and may include performance enhancements, bug fixes, security enhancements, and so on.
  • Page 347: Windows Server 2003 SP2 Hotfixes

    Tests Help Windows Server 2003 SP2 Hotfixes Description This test verifies that the endpoint attempting to connect to your system has the latest Windows Server 2003 SP2 hotfixes installed. Test Properties Select the hotfixes from the list presented that are required on your network. This list will occasionally change as tests are updated.
  • Page 348: Windows XP SP2 Hotfixes

    Tests Help What Do I Need to Do? Manually initiate an update check (http://v4.windowsupdate.microsoft.com/en/default.asp) if automatic update is not enabled, or is not working. Windows XP SP2 Hotfixes Description This test verifies that the endpoint attempting to connect to your system has the latest Windows XP SP2 hotfixes installed.
  • Page 349: Windows Automatic Updates

    Tests Help How Does this Affect Me? Hotfixes are programs that update the software and may include performance enhancements, bug fixes, security enhancements, and so on. There is usually only one fix in a hotfix, whereas a service pack includes multiple hotfixes. What Do I Need to Do? Manually initiate an update check (http://v4.windowsupdate.microsoft.com/en/default.asp) if automatic update is not enabled, or is not working.
  • Page 350: Mac AirPort Preference

    Tests Help 3 Select Download the updates automatically and notify me when they are ready to be installed. 4 Click OK. Security Settings—OS X Mac AirPort Preference Description This test verifies that the Mac AirPort® joins only preferred networks. Test Properties There are no properties to set for this test.
  • Page 351: Mac AirPort WEP Enabled

    Tests Help What Do I Need to Do? Configure the Mac endpoint to prompt before joining open networks. Select Mac Help, or refer to the following link for assistance on configuring AirPort: http://www.apple.com/support/airport/ Mac AirPort WEP Enabled Description This test verifies that WEP encryption is enabled for Airport. Test Properties There are no properties to set for this test.
  • Page 352: Mac Firewall

    Tests Help What Do I Need to Do? Disable Bluetooth, or configure Bluetooth so that it is not discoverable on the endpoint. Select Mac Help, or refer to the following for assistance on configuring Bluetooth: http://www.apple.com/bluetooth/ http://www.bluetooth.com/bluetooth/ Mac Firewall Description This test verifies that the firewall is enabled.
  • Page 353: How Does This Affect Me

    Tests Help How Does this Affect Me? Mac internet sharing allows one computer to share its internet connection with other computers. This can present security risks by allowing other users to access the network. What Do I Need to Do? Disable internet sharing on the endpoint.
  • Page 354: Security Settings-Windows

    Tests Help Security Settings—Windows The Security settings tests verify that any endpoint attempting to connect to your system meets your specified security settings requirements. Allowed Networks Description Checks for the presence of an unauthorized connection on an endpoint. These might include connections to a rogue wireless access point, VPN, or other remote network.
  • Page 355: How Does This Affect Me

    Tests Help How Does this Affect Me? Macros are simple programs that are used to repeat commands and keystrokes within another program. A macro can be invoked (run) with a simple command that you assign, such as [ctrl]+[shift]+[r]. Some viruses are macro viruses and are hidden within a document. When you open an infected document, the macro virus runs.
  • Page 356: What Do I Need To Do

    Tests Help What Do I Need to Do? Set the Microsoft Outlook macro security level as follows: 1 Open Outlook. 2 Select Tools>>Macro>>Security>>Security Level tab. 3 Select High, Medium, or Low. 4 Click OK. MS Word Macros Description This test verifies that the endpoint attempting to connect to your system has the Microsoft Word macro security level specified by your security standards.
  • Page 357: Services Not Allowed

    Tests Help Services Not Allowed Description This test verifies that the endpoint attempting to connect to your system is running only compliant services. Test Properties Enter a list of services that are not allowed on connecting endpoints. Separate additional services with a carriage return.
  • Page 358: Services Required

    Tests Help Services Required Description This test verifies that the endpoint attempting to connect to your system is running the services specified by your security standards. Test Properties Enter a list of services that are required for connecting endpoints. Separate additional services with a carriage return.
  • Page 359: Windows Bridge Network Connection

    Tests Help Windows Bridge Network Connection Description This test verifies that the endpoint attempting to connect to the network does not have a bridged network connection present. A bridged network connection allows the connecting endpoint to transparently send traffic to and from another network. An example use of this type of connection would be to bridge a high-speed cellular network connection in and out of the local network.
  • Page 360: How Does This Affect Me

    Tests Help How Does this Affect Me? Certain configurations, such as the ones listed above, create potential holes that can leak sensitive information if your system is compromised. Selecting the above policy options creates a more secure network environment. The following links provide detailed information on these security settings: ● Enable "Network access: Do not allow storage of credentials or .NET Passports for network...
  • Page 361: Test Properties

    Tests Help Test Properties Enter a list of registry keys and values that are allowed in the run and runOnce Windows registry keys. If the endpoint has any other values in those keys, the test will fail. Separate entries by semicolons in the format <key>...
  • Page 362: Software-Windows

    Tests Help 4 Select Edit>>Find. Search for the run and runOnce keys: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup 5 If the keys have any other value than the one specified, delete the unauthorized value by double-clicking the item, deleting the data, and clicking OK.
  • Page 363: What Do I Need To Do

    Tests Help What Do I Need to Do? Make sure you have an anti-spyware program installed, that the spyware definitions are kept up-to-date, and that your system is scanned often. Anti-virus Description This test verifies that the endpoint attempting to connect to your system has the latest anti-virus software installed, that it is running, and that the virus definitions are up-to-date.
  • Page 364: Test Properties

    Tests Help Test Properties Select the high-risk software not allowed on your network. Any endpoint that has at least one of the high-risk software packages selected fails this test. How Does this Affect Me? Some software provides security risks, such as allowing data to be stored on external servers, or not encrypting sensitive data.
  • Page 365: Test Properties

    Tests Help Test Properties Select the P2P software allowed on your network. If none of the P2P packages are selected, this means that you do not allow P2P software and any endpoint with P2P software enabled will fail this test. How Does this Affect Me? A Peer-to-peer (P2P) network is one that is composed of peer nodes (computers) rather than clients and servers.
  • Page 366: Software Not Allowed

    Tests Help Software Not Allowed Description: This test verifies that the endpoint attempting to connect to your system does not have the software packages listed installed. Test Properties Enter a list of applications that are not allowed on connecting endpoints, separated with a carriage return.
  • Page 367: How Does This Affect Me

    Tests Help You can also specify which key to use for the specific value by entering the key at the beginning of the value. For example: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Messenger How Does this Affect Me? Connecting to a network may be impossible if the correct software is not installed and operational. What Do I Need to Do? Contact the vendor and install the missing software.
  • Page 369 Database Design (Data Dictionary) This section provides information on the following tables for the Sentriant AG database: ● “test_result table” on page 370 ● “Device table” on page 371 ● “sa_cluster” on page 373 ● “sa_node” on page 373 ● “sa_user” on page 374 ●...
  • Page 370: test_result Table

    Database Design (Data Dictionary) test_result table test_result This table is a history of test results for all endpoints test_result_id INT4 DEFAULT nextval('test_result_test_result_id_seq') PRIMARY KEY run_id INT4 NOT NULL An ID used for associating test results to a particular test run. timestamp INT4 NOT NULL The time the test was run.
  • Page 371: Device Table

    Database Design (Data Dictionary) Device table Device This table contains information about known endpoints unique_id VARCHAR(100) NOT NULL PRIMARY KEY ip_address_str VARCHAR(30) NOT NULL The IP address (string in dotted quad notation) of the endpoint. mac_address VARCHAR(30) DEFAULT NULL The MAC address of the endpoint. netbiosname VARCHAR(50) DEFAULT NULL The NetBIOS name of the endpoint.
  • Page 372 Database Design (Data Dictionary) Device (continued) last_connect_dt INT4 NOT NULL The date the endpoint was first seen if it has never been disconnected, or the last time the endpoint reconnected. last_disconnect_dt INT4 NOT NULL The date the endpoint was disconnected for inactivity.
  • Page 373: sa_cluster

    Database Design (Data Dictionary) sa_cluster sa_cluster This table contains information about all known clusters. cluster_id VARCHAR(64) PRIMARY KEY cluster_name VARCHAR(30) The name of the cluster. policy_set_id INT4 The unique ID of the policy set used by the cluster. devices TEXT Not used. current_licenses INT4...
  • Page 374: sa_user

    Database Design (Data Dictionary) sa_user sa_user This table contains information about users. user_id INT4 PRIMARY KEY username VARCHAR(64) The login of the user. passwd VARCHAR(64) MD5 hash of the user's password. full_name VARCHAR(64) The full name of the user. email VARCHAR(256) The email address of the user.
  • Page 375: user_to_groups

    Database Design (Data Dictionary) user_to_groups user_to_groups This table contains information about a user and their assigned role. group_id INT4 The unique ID of the user role in the many-to- many relationship. user_id INT4 The unique ID of the user in the many-to-many relationship.
  • Page 377: Appendix D: Licenses

    The Software is protected by United States’ and other copyright laws, international treaty provisions and other applicable laws in the country in which it is being used. Extreme Networks and its suppliers own and retain all right, title and interest in and to the Software, including all copyrights, patents, trade secret rights, trademarks and other intellectual property rights therein.
  • Page 378: Limitation Of Liability

    Networks’ and its suppliers' entire liability and your exclusive remedy for any breach of the foregoing warranty shall be, at Extreme Networks’ option, either (i) return of the purchase price paid for the license, if any, or (ii) replacement of the defective media in which the Software is contained.
  • Page 379: Other Licenses

    Extreme Networks, unless such audit discloses an underpayment or amount due to Extreme Networks in excess of five percent (5%) of the initial license fee for the Software or you are using the Software in an unauthorized manner, in which case you shall pay the cost of the audit, in addition to any other amounts owed.
  • Page 380: Apache License Version 2.0, January 2004

    Licenses Below are copies of the licenses and the applicable acknowledgements and attribution notices in connection with the third party software used in Sentriant AG v5.0. The source code for this third party software is located at http:// www.extremenetworks.com/GLOBAL_DOCS/termsof use.asp. Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ The Apache Software License Version 2.0 applies to the following software packages: activemq...
  • Page 381: ASM 2.2.3

    Licenses of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.
  • Page 382: OpenSSH 3.8p1

    Licenses THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;...
  • Page 383 Licenses IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH...
  • Page 384: PostgreSQL 8.1.8

    Licenses 3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  • Page 385: PostgreSQL JDBC 8.1-408

    Licenses Postgresql jdbc 8.1-408 Copyright (c) 1997-2005, PostgreSQL Global Development Group All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
  • Page 386: JUnit 4.1 Common Public License - v 1.0

    Licenses Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.
  • Page 387 Licenses hereunder, each Recipient hereby assumes sole responsibility to secure any other intellectual property rights needed, if any. For example, if a third party patent license is required to allow Recipient to distribute the Program, it is Recipient's responsibility to acquire that license before distributing the Program. d) Each Contributor represents that to its knowledge it has sufficient copyright rights in its Contribution, if any, to grant the copyright license set forth in this Agreement.
  • Page 388: OpenSSL 0.9.7d

    Licenses Everyone is permitted to copy and distribute copies of this Agreement, but in order to avoid inconsistency the Agreement is copyrighted and may only be modified in the following manner. The Agreement Steward reserves the right to publish new versions (including revisions) of this Agreement from time to time.
  • Page 389: The GNU General Public License (GPL) Version 2, June 1991

    Licenses This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code.
  • Page 390 Licenses Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program).
  • Page 391 Licenses It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices.
  • Page 392: PullParser 2.1.10

    Alternatively, this acknowledgment may appear in the software itself, and wherever such third-party acknowledgments normally appear. 4) The name "Indiana Univeristy" and "Indiana Univeristy Extreme! Lab" shall not be used to endorse or promote products derived from this software without prior written permission from Indiana University. For written permission, please contact http://www.extreme.indiana.edu/...
  • Page 393: jCIFS 1.1.6, mm.mysql 2.0.14 and p0f 2.05

    Licenses THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS, COPYRIGHT HOLDERS OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;...
  • Page 394 Licenses 0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License").
  • Page 395 Licenses Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.
  • Page 396: Jpcap 0.5.1

    Licenses 13. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
  • Page 397 Licenses 1.4. ''Electronic Distribution Mechanism'' means a mechanism generally accepted in the software development community for the electronic transfer of data. 1.5. ''Executable'' means Covered Code in any form other than Source Code. 1.6. ''Initial Developer'' means the individual or entity identified as the Initial Developer in the Source Code notice required by Exhibit A.
  • Page 398 Licenses such recipients. You are responsible for ensuring that the Source Code version remains available even if the Electronic Distribution Mechanism is maintained by a third party. 3.3. Description of Modifications. You must cause all Covered Code to which You contribute to contain a file documenting the changes You made to create that Covered Code and the date of any change.
  • Page 399 Licenses ANY RESPECT, YOU (NOT THE INITIAL DEVELOPER OR ANY OTHER CONTRIBUTOR) ASSUME THE COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS LICENSE. NO USE OF ANY COVERED CODE IS AUTHORIZED HEREUNDER EXCEPT UNDER THIS DISCLAIMER. 8.
  • Page 400: ojdbc14 10g

    Licenses Contributor(s): ______________________________________. Alternatively, the contents of this file may be used under the terms of the _____ license (the [___] License), in which case the provisions of [______] License are applicable instead of those above. If you wish to allow use of your version of this file only under the terms of the [____] License and not to allow others to use your version of this file under the MPL, indicate your decision by deleting the provisions above and replace them with the notice and other provisions required by the [___] License.
  • Page 401 Licenses We are willing to license the programs to you only upon the condition that you accept all of the terms contained in this agreement. Read the terms carefully and select the "Accept" button at the bottom of the page to confirm your acceptance. If you are not willing to be bound by these terms, select the "Do Not Accept"...
  • Page 402: JavaMail 1.3.1 Sun Microsystems, Inc.

    Licenses right to independently develop or distribute software that is functionally similar to the other party's products, so long as proprietary information of the other party is not included in such software. Open Source "Open Source" software - software available without charge for use, modification and distribution - is often licensed under terms that require the user to make the user's modifications to the Open Source software or any software that the user 'combines' with the Open Source software freely available in source code form.
  • Page 403: Jcharts

    Licenses 10. Severability. If any provision of this Agreement is held to be unenforceable, this Agreement will remain in effect with the provision omitted, unless omission would frustrate the intent of the parties, in which case this Agreement will immediately terminate. 11.
  • Page 404: Pyxml 0.8.3 And Xmlproc 0.70 Python License (Cnri Python License)

    Licenses MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL jCharts OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE...
  • Page 405: Concurrent 1.3.4

    Licenses "Freely Available" means that no fee is charged for the item itself, though there may be fees involved in handling the item. It also means that recipients of the item may redistribute it under the same conditions they received it. 1.
  • Page 406: Crypto ++ 5.2.1

    Licenses MICROSYSTEMS, INC. OR ITS LICENSORS BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN MICROSYSTEMS, INC.
  • Page 407: Appendix E: Glossary

    Glossary 802.1X — A port-based authentication protocol that can dynamically vary encryption keys, and has three components: a supplicant, an authenticator, and an authentication server. NAC policies — In Sentriant AG, NAC policies consist of individual tests that evaluate endpoints attempting to access the network. These tests assess operating systems, verify that key hotfixes and patches have been installed, ensure anti-virus and other security applications are present and up-to-date, detect the presence of worms,...
  • Page 408 Glossary cache — A location where information is stored that can be accessed quickly. This location can be in memory or in a file. Compact disc. CIDR — Classless InterDomain Routing: a method of specifying networks and sub networks (subnets) that allows grouping and results in less router overhead.
  • Page 409 Glossary High Availability — A multiple-server Sentriant AG deployment is mutually supporting. Should one server fail, other nodes within a cluster will automatically provide coverage for the affected network segment. HTML — Hypertext Markup Language: a language that tells a web browser...
  • Page 410 Glossary MAC — Media Access Control: the unique number that identifies a physical endpoint. Generally referred to as the MAC address. Management server — When using Sentriant AG in a multiple-server installation, the server that is used for managing ESs. multinet — A physical network of two or more logical networks.
  • Page 411 Glossary Random access memory. Remote access server. RDBMS — Relational Database Management System (RDBMS) used to store information in related tables. Remote procedure call — A procedure where arguments or parameters are sent to a program on a remote system. The remote program executes and returns the results.
  • Page 412 Glossary Virtual private network — A secure method of using the Internet to gain access to an organization's network.
  • Page 413: Index

    Index Numerics ActiveMQ 275 ActiveX 27 3rd-party software, installing 32 testing method 113 802.1X 227 communication flow 229 custom tests 303 configuring the RADIUS server 234 Enforcement cluster 45 connections 227 Enforcement server 50 enable 77 NAC policy group 186 enable XP endpoint 262 quarantine area 107 installing the RADIUS server 233...
  • Page 414 Index Authenticator 227 connections, 802.1X 227 authenticators, define 237 connector, IAS 246 authorization DLL file 254 console timeout, changing 62 converting reports to MS Word doc 290 copy existing NAC policy 193 backup 111 user account 66 system and data 300 create BaseTests API 319 custom test script 309...
  • Page 415 Index details, view report 288 enable device database table 371 802.1X 77 device_unique_id 370 a NAC policy 188 DeviceAccessChangeEvent 277 dll file 254 devices 373 file and printer sharing 148 DeviceTestedEvent 277 the Authorization DLL file 254 DHCP Windows XP Professional endpoint for 802.1X configuration 224 ports to specify 117 enabled 374...
  • Page 416 Index specify test failed pop-up 123 XP configuration 150 specify text 123 firewall & end-user 150 end-user template directory 155 full_name 374 Enforcement cluster add 45 delete 49 generate edit 47 a CSR 331 view statistics 48 report 287 Enforcement server GetDeviceInfo 281 add 50 grace_period 371...
  • Page 417 Index import license certificate 248 agreement, violation of 32 the server’s certificate 248 concurrent IPs 293 inactive, set time 195 entering new 294 INI file, connector 250 key 73 inline 221 key errors 73 install key, entering 294 agent 157 keys 294 agent manually 160 open-source 379...
  • Page 418 Index NAC policy to new set 194 NTLM v2, enabling 328 MS, view status 57 one-time passwords 227 NAC policies 185 online help 31 window, view 185 open NAC policy -source license 379 add group 186 opening screen 156 assign domains to 194 operating systems assign endpoint to 194 non-supported 196...
  • Page 419 Index posture token 372 remote access logging 246 PPTP 303 Remote Access Policy, configure 243 prev_run_id 371 remove print a report 290 Mac OS agent 169 process flow 29 the agent 160 properties re-naming installation 296 changing 298 report set test 196 convert HTML to Word 290 test 198 convert to DOC 290...
  • Page 420 Agent read timeout period 130 Cisco 2950 266 connection time 195 Enterasys Matrix 1H582-25 267 DHCP Extreme Summit 48si 267 setting enforcement Foundry Fast Ironedge 2402 269 ES logging levels 128 restrict access at 225 RADIUS authentication method 78...
  • Page 421 Index temporarily quarantined 138 three-minute delay 213 TemporarilyAllowAccess 281 time TemporarilyDenyAccess 281 between tests 190 temporary set automatically 60 access period 176 set connection 195 state, clearing 144 set manually 60 test set retest 195 add custom 303 zone set 61 base functionality 319 timeout 32 connection to 802.1X device 84...
  • Page 422 Index table 375 user roles database table 374 user_group database table 374 user_id 374 user_to_groups database table 375 user-based tests 127 username 371 users assigned to clusters database table 374 users database table 374 vi 155 view access status 141 cluster and server icons 51 current list of tests 198 endpoint information 144...
