Extreme Networks Sentriant AG Software User's Manual


Sentriant AG® Software Users Guide, Version 5.3
Extreme Networks, Inc.
3585 Monroe Street
Santa Clara, California 95051
(888) 257-3000
(408) 579-2800
http://www.extremenetworks.com
Published: July 2009
Part number: 120513 Rev 01


Summary of Contents for Extreme Networks Sentriant AG

  • Page 2 ServiceWatch, Summit, SummitStack, Triumph, Unified Access Architecture, Unified Access RF Manager, UniStack, the Extreme Networks logo, the Alpine logo, the BlackDiamond logo, the Extreme Turbodrive logo, the Summit logos, and the Powered by ExtremeXOS logo are trademarks or registered trademarks of Extreme Networks, Inc.
  • Page 3: Table Of Contents

    Table of Contents: List of Figures (p. 15); List of Tables (p. 21); Chapter 1: Introduction (p. 23); Sentriant AG Home Window (p. 23); System Monitor (p. 24); Overview (p. 26); The Sentriant AG Process (p. 28); About Sentriant AG (p. 28); NAC Policy Definition (p. 28); Endpoint Testing (p. 29); Compliance Enforcement (p. 29); Automated and Manual Repair (p. 30); Targeted Reporting (p. 30)...
  • Page 4 Editing Enforcement Clusters (p. 47); Viewing Enforcement Cluster Status (p. 47); Deleting Enforcement Clusters (p. 48); Enforcement Servers (p. 49); Adding an ES (p. 49); Cluster and Server Icons (p. 50); Editing ESs (p. 51); Changing the ES Network Settings (p. 52); Changing the ES Date and Time (p. 53); Modifying the ES SNMP Settings (p. 53); Modifying the ES root Account Password (p. 54); Viewing ES Status (p. 54); Deleting ESs (p. 55)...
  • Page 5 Configuring Windows Domain Settings (p. 80); Configuring OpenLDAP Settings (p. 82); Adding 802.1X Devices (p. 85); Testing the Connection to a Device (p. 86); Cisco IOS (p. 87); Cisco CatOS (p. 89); CatOS User Name in Enable Mode (p. 91); Enterasys (p. 91); ExtremeWare (p. 93); ExtremeXOS (p. 94); Foundry (p. 96); HP ProCurve Switch (p. 97); HP ProCurve WESM xl or HP ProCurve WESM zl (p. 100); HP ProCurve 420 AP or HP ProCurve 530 AP (p. 102); Nortel (p. 104)...
  • Page 6 Editing Windows Credentials (p. 133); Deleting Windows Credentials (p. 134); Sorting the Windows Credentials Area (p. 134); Logging (p. 134); Setting ES Logging Levels (p. 134); Setting 802.1X Devices Logging Levels (p. 135); Advanced Settings (p. 136); Setting Timeout Periods (p. 136); Chapter 4: Endpoint Activity (p. 139); Finding Endpoints (p. 140); Primary Endpoint Filtering (p. 140); Secondary Endpoint Filtering (p. 141); Limiting the Number of Endpoints Displayed at One Time (p. 143)...
  • Page 7 Allowing Sentriant AG through the OS X Firewall (p. 170); End-user Access Windows (p. 173); Opening Window (p. 174); Windows NAC Agent Test Windows (p. 175); Automatically Installing the Windows Agent (p. 175); Removing the Agent (p. 177); Manually Installing the Windows Agent (p. 178); How to View the Windows Agent Version Installed (p. 179); Mac OS Agent Test Windows (p. 180); Installing the MAC OS Agent (p. 180); Verifying the Mac OS Agent (p. 183)...
  • Page 8 Windows Vista Setup (p. 246); Setting up the Authenticator (p. 248); Cisco® 2950 IOS (p. 248); Cisco® 4006 CatOS (p. 249); Enterasys® Matrix 1H582-25 (p. 249); Extreme Networks® Summit 48si (p. 250); ExtremeWare (p. 251); ExtremeXOS (p. 251); Foundry® FastIron® Edge 2402 (p. 252); HP ProCurve 420AP (p. 252); HP ProCurve 530AP (p. 253); HP ProCurve 3400/3500/5400 (p. 254)...
  • Page 9 Configuring the MS and ES for DAC (p. 280); Adding Additional ESs (p. 280); Starting the Windows Service (p. 281); Viewing Version Information (p. 282); Removing the Software (p. 282); Sentriant AG to Infoblox Connector (p. 284); Configuring the Infoblox Server (p. 284); Configuring Sentriant AG (p. 284); Chapter 14: Reports (p. 287); Generating Reports (p. 288); Viewing Report Details (p. 290); Printing Reports (p. 292)...
  • Page 10 Creating a Backup File (p. 317); Changing the Backup Timeouts (p. 317); Restoring from Backup (p. 318); Restoring to a new Server (p. 318); Restoring to the Same Server (p. 318); Restoring the Original Database (p. 319); Generating a Support Package (p. 320); System Requirements (p. 320); Supported VPNs (p. 321); Adding Custom Tests (p. 322); Introduction (p. 322); References (p. 322); Changing the Error Messages in a Test Script (p. 322)...
  • Page 11 SMS Concepts (p. 365); Sentriant AG/SMS/Sentriant AG Process (p. 365); Sentriant AG Setup (p. 366); Learning More About SMS (p. 366); Appendix C: Access Control Precedence (p. 367); Appendix D: Endpoint Testing Conditions (p. 369); Appendix E: Troubleshooting Quarantined Endpoints (p. 373); Appendix F: Enforcement Server Processes and Threads (p. 377); Appendix G: Configuring the Post-connect Server
  • Page 12 Windows XP SP2 Hotfixes (p. 400); Security Settings—OS X (p. 401); Mac AirPort WEP Enabled (p. 401); Mac AirPort Preference (p. 401); Mac AirPort User Prompt (p. 401); Mac Anti-virus (p. 402); Mac Bluetooth (p. 402); Mac Firewall (p. 402); Mac Internet Sharing (p. 403); Mac QuickTime® Updates (p. 403); Mac Security Updates (p. 404); Mac Services (p. 404); Security Settings—Windows (p. 404)...
  • Page 13 Installing the Standby MS (p. 431); Ongoing Maintenance (p. 432); Failover process (p. 432); Appendix L: Licenses (p. 435); Extreme Networks End-User License Agreement (p. 435); Other Licenses (p. 437); Apache License Version 2.0, January 2004 (p. 438); ASM (p. 439); Open SSH (p. 440); Postgresql (p. 442); Postgresql jdbc (p. 443); xstream (p. 443); Libeay (Open SSL) (p. 443)...
  • Page 15: List Of Figures

    List of Figures: Figure 1: Sentriant AG Home Window (p. 24); Figure 2: System Monitor Window (p. 25); Figure 3: System Monitor Window Legend (p. 26); Figure 4: Online help (p. 36); Figure 5: Index tab (p. 37); Figure 6: Search tab (p. 38); Figure 7: Single-server Installation (p. 40); Figure 8: Multiple-server Installation (p. 41); Figure 9:...
  • Page 16 List of Figures: Figure 42: Add ExtremeXOS Device (p. 95); Figure 43: Add Foundry Device (p. 96); Figure 44: Add HP ProCurve Device (p. 98); Figure 45: Add HP ProCurve WESM xl/zl Device (p. 101); Figure 46: Add HP ProCurve 420/530 AP Device (p. 103); Figure 47: Add Nortel Device (p. 105); Figure 48: Add Other Device (p. 107); Figure 49: System Configuration, Quarantining, DHCP Enforcement (p. 109); Figure 50: Add a Quarantine Area (p. 110)...
  • Page 17 List of Figures: Figure 88: Double Arrow Icon (p. 168); Figure 89: Mac System Preferences (p. 171); Figure 90: Mac Sharing (p. 172); Figure 91: Mac Ports (p. 173); Figure 92: End-user Opening Window (p. 174); Figure 93: End-user Installing Window (p. 175); Figure 94: End-user Agent Installation Failed (p. 176); Figure 95: End-user Agent Installation Window (Start) (p. 177); Figure 96: End-user Agent Installation Window (Finish) (p. 177); Figure 97: Add/Remove Programs (p. 178)...
  • Page 18 List of Figures: Figure 134: 802.1X Components (p. 234); Figure 135: Sentriant AG 802.1X Enforcement (p. 235); Figure 136: 802.1X Communications (p. 236); Figure 137: Enabling 802.1X in the User Interface (p. 241); Figure 138: Windows XP Pro Local Area Connection, General Tab (p. 242); Figure 139: Windows XP Pro Local Area Connection Properties, Authentication Tab (p. 243); Figure 140: Windows 2000 Local Area Connection Properties, General Tab (p. 245); Figure 141: Windows 2000 Local Area Connection Properties, Authentication Tab (p. 245); Figure 142: Wired AutoConfig Properties (p. 246)...
  • Page 19 List of Figures: Figure 180: checkOpenPorts.py script (p. 330); Figure 181: snmpd.conf Example File (p. 358); Figure 182: Initiate a Patch Manager Check Box (p. 363); Figure 183: Microsoft Office Hotfixes Critical Updates (p. 395)
  • Page 21: List Of Tables

    List of Tables: Table 1: Test Methods (p. 27); Table 2: Sentriant AG Technical Support (p. 30); Table 3: Default Menu Options (p. 43); Table 4: Default User Roles (p. 66); Table 5: User Role Permissions (p. 71); Table 6: Resource Tips (p. 125); Table 7: Default Test Names and Descriptions (p. 195); Table 8: Expect Script Commands and Parameters (p. 257); Table 9:...
  • Page 23: Chapter 1: Introduction

    Introduction This chapter provides the following: ● A description of the Home window (“Sentriant AG Home Window” on page ) ● A description of the System monitor window (“System Monitor” on page ) ● An overview of the Sentriant AG® software and the key features...
  • Page 24: System Monitor

    7 Access control status area—The Access control area displays the total number of endpoints that have attempted to connect to your network, and the access state as a percentage and as a number. Click on the number of endpoints to view details. 8 Enforcement server (ES) status area—The Enforcement server status area provides status on your ESs.
  • Page 25: Figure 2: System Monitor Window

    ● Server name by cluster—The servers for each cluster are listed by name in the order they were created. Click on a server name to view server details. You must have cluster-editing permissions to view and edit server details. ● Cluster access mode—The cluster access mode is either normal or allow all.
  • Page 26: Overview

    NOTE Agentless testing uses an existing Windows service (RPC). ActiveX testing uses an ActiveX control. Extreme Networks® agent testing installs an agent (Sentriant AG Agent) and runs as a new Windows service.
  • Page 27: Table 1: Test Methods

    The trade-offs in the test methods are described in the following table: Table 1: Test Methods Trade-offs. Test method: Agentless. Pros: • Truly agentless, no install or download. Cons: • Requires the RPC Service to be available to the Sentriant AG server (ports 139 or 445).
  • Page 28: The Sentriant AG Process

    ● High availability and load balancing—A multi-server Sentriant AG deployment is mutually supporting. Should one server fail, other nodes within a cluster will automatically provide coverage for the affected network segment. Load balancing is achieved by an algorithm that spreads the endpoint testing load across all ESs in a cluster.
  • Page 29: Endpoint Testing

    Key features include: ● Out-of-the-box NAC policies—High, medium, and low security are ready to use with no additional configuration required. ● Standard and custom tests—Sentriant AG comes with a broad range of tests. You can also create custom tests through the Sentriant AG application programming interface (API). ● Automatic test updates—Sentriant AG is automatically updated with tests that cover newly released...
  • Page 30: Automated And Manual Repair

    Key features include: ● Flexible enforcement options—Grant-or-quarantine access criteria are designated by the administrator and driven by the criticality of selected tests and corporate security standards. ● Manual overrides—Administrators can retest, quarantine, or grant access to endpoints on demand...
  • Page 31: Additional Documentation

    Sentriant AG release upgrades or patch installs, compromising the third-party software functionality. Additionally, installing third-party software and/or modifying the Sentriant AG software can violate your license agreement. Please refer to the Extreme Networks, Inc. EULA: “Extreme Networks End-User License Agreement”...
  • Page 32: Note Paragraph

    Note Paragraph Notes notify you of important information. Example: NOTE If there is no activity for 30 minutes, the configuration window times out and you must log in again. Caution Paragraph Cautions notify you of conditions that can cause errors or unexpected results. Example: CAUTION Do not rename the files or they will not be seen by Sentriant AG.
  • Page 33: Italic Text

    Example: To enter LDAP information: Italic Text Italic text is used in the following cases: ● Showing emphasis—Low – You are not protected from potentially unsafe macros. (Not recommended). ● Introducing new terms—The SMS server contains a database of logical groups with common attributes called collections. SMS operates only on clients (endpoints) that are members of a collection.
  • Page 34: Square Brackets

    Example: https://<IP_address>/index.html In this case, you must replace <IP_address> with the actual IP address, such as 10.0.16.99. Do not type the angled brackets. Square Brackets Square brackets are used in the following cases: ● Indicating keys to press on the keyboard—...
  • Page 35: scp

    scp is a Linux/UNIX command used to copy files between Linux/UNIX machines. It has the following syntax: scp user@source:/directory/file user@destination:/directory/file. scp is included with Linux/UNIX. PSCP is a program used to copy files between Windows and Linux/UNIX machines. To use pscp, you must first save it from the following location to the Windows machine: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html...
  • Page 36: Figure 4: Online Help

    Figure 4: Online help The following options are available: ● Previous – Click the upward pointing icon to go to the previous page. ● Next – Click the downward pointing icon to go to the next page. ● Print topic – Click the printer icon to print the current topic...
  • Page 37: Figure 5: Index Tab

    Figure 5: Index tab 1 Click on a letter link at the top of the index column to see the index entries. 2 Click on an index entry to see the location in the text. 3 Click on cross reference items in highlighted text to see more information on these items. To search for a term: Online help document>>Shown navigation icon>>Search tab
  • Page 38: Figure 6: Search Tab

    Figure 6: Search tab 1 Enter a term in the search box. 2 Click Go. 3 Click on one of the results returned to display it in the right-side pane. 4 Click on the red arrow to see the contents of the collapsed section of the document. NOTE Red arrows that point to the right denote collapsed sections.
  • Page 39: Chapter 2: Clusters And Servers

    Clusters and Servers Sentriant AG introduces clusters and servers. A cluster is a logical grouping of one or more ESs that are managed by one MS. A single-server installation is one where the MS and ES are on one server. The ES is assigned to a Default cluster.
  • Page 40: Single-Server Installation

    Single-server Installation The simplest installation is where the MS and ES are installed on the same physical server, as shown in the following figure: Figure 7: Single-server Installation Multiple-server Installations By using at least three servers, one for the MS and two for ESs, you gain the advantage of high availability and load balancing.
  • Page 41: Figure 8: Multiple-Server Installation

    High availability is where ESs take over for any other ES or servers that become unavailable. Load balancing is where the testing of endpoints is spread evenly over all of the ESs. A three-server installation is shown in the following figure: Figure 8: Multiple-server Installation
  • Page 42: Figure 9: Multiple-Server, Multiple-Cluster Installation

    When your network is more complex, you can continue to add clusters, as shown in the following figure: Figure 9: Multiple-server, Multiple-cluster Installation The system configuration area allows you to select default settings for all clusters, as well as override the default settings on a per-cluster basis.
  • Page 43: Chapter 3: System Configuration

    System Configuration The System configuration window allows the system administrator to set the operating parameters for Sentriant AG. Introduction User logins and associated user roles determine the access permissions for specific functionality within Sentriant AG. The following table shows the default home window menu options that are available by user role: Table 3: Default Menu Options User role...
  • Page 44: Enforcement Clusters And Servers

    ● User roles—“User Roles” on page 69 ● License—“License” on page 73 ● Test updates—“Test Updates” on page 74 ● Quarantining—“Quarantining, General” on page 77 ● Maintenance—“Maintenance” on page 118 ● Cluster setting defaults ■ Testing Methods—“Testing Methods” on page 121...
  • Page 45: Enforcement Clusters

    Enforcement Clusters Adding an Enforcement Cluster To add an Enforcement cluster: Home window>>System configuration>>Enforcement clusters & servers Figure 10: System Configuration, Enforcement Clusters & Servers
  • Page 46: Figure 11: Add Enforcement Cluster

    1 Click Add an Enforcement cluster in the Enforcement clusters & servers area. The Add Enforcement cluster window appears. The General area is displayed by default. Figure 11: Add Enforcement Cluster a Enter a name for the Enforcement cluster in the Cluster name field. b Select a NAC policy group from the NAC policy group drop-down list (see “NAC Policies”...
  • Page 47: Editing Enforcement Clusters

    ■ Testing methods—See “Testing Methods” on page 121 ■ Quarantine/guest resources—See “Quarantine/guest resources” on page 123 ■ Notifications—See “Notifications” on page 126 ■ End-user screens—See “End-user Screens” on page 128 ■ Agentless credentials—See “Agentless Credentials” on page 131 ■ “Logging”...
  • Page 48: Deleting Enforcement Clusters

    Click a cluster name, for example Austin. The Enforcement cluster window appears: Figure 12: Enforcement Cluster, General The statistics shown in this window are per cluster, whereas the statistics shown in the Home window are system-wide. See “System Monitor” on page 24 for column descriptions.
  • Page 49: Enforcement Servers

    Enforcement Servers Adding an ES To add an ES: Home window>>System configuration>>Enforcement clusters & servers Figure 13: System Configuration, Enforcement Clusters & Servers
  • Page 50: Cluster And Server Icons

    1 Click Add an Enforcement server in the Enforcement clusters & servers area. The Add Enforcement server window appears. Figure 14: Add Enforcement Server 2 Select a cluster from the Cluster drop-down list. 3 Enter the IP address for this ES in the IP address text box. 4 Enter the fully qualified hostname to set on this server in the Host name text box.
  • Page 51: Editing ESs

    2 Move the mouse away from the legend icon to hide the pop-up window. Figure 15: Enforcement Cluster Legend Editing ESs To edit ES settings: Home window>>System configuration>>Enforcement clusters & servers 1 Click the ES you want to edit. The Enforcement server window appears, as shown in Figure 16 on page
  • Page 52: Changing The ES Network Settings

    2 Click the Configuration menu option to access the Enforcement Server’s settings. The Configuration area is displayed: Figure 16: Enforcement Server 3 Edit the following settings: ■ ES Network settings—“Changing the ES Network Settings” on page 52 ■ ES Date and time—“Changing the ES Date and Time”...
  • Page 53: Changing The ES Date And Time

    ● Enter a new ES host name in the Host name text field. For example, garp.mycompany.com ● Enter a new ES address in the IP address text field. For example, 192.168.153.35 ● Enter a new netmask in the Network mask text field. For example,...
  • Page 54: Modifying The ES Root Account Password

    1 Select the Enable SNMP check box. 2 Enter a Read community string, such as Public2. 3 Enter the Allowed source network. This value must be either default or a network specified in CIDR notation. Modifying the ES root Account Password To change the ES root account password: Home window>>System configuration>>Enforcement clusters &...
  • Page 55: Deleting ESs

    1 Click the server for which you want to view the status. The Enforcement server window appears: Figure 17: Enforcement Server, Status Click ok or cancel. Deleting ESs NOTE Servers need to be powered down for the delete option to appear next to the name in the Sentriant AG user interface.
  • Page 56: ES Recovery

    ES Recovery If an existing ES goes down and comes back up, it can participate in its assigned cluster, even if the MS is not available. When a new ES is created, the MS must be available before the ES can participate in a cluster. Management Server Viewing Network Settings To view MS status:...
  • Page 57: Figure 18: System Configuration, Management Server

    Figure 18: System Configuration, Management Server 1 Server status is shown in the Network settings area. 2 Click ok or cancel.
  • Page 58: Modifying MS Network Settings

    Modifying MS Network Settings CAUTION Back up your system immediately after changing the MS or ES IP address. If you do not back up with the new IP address and later restore your system, the restore will reinstate the previous IP address, which can show an ES error condition and cause authentication problems.
  • Page 59: Selecting A Proxy Server

    ■ Enter one or more DNS resolver IP addresses, separated by commas, semicolons, or spaces, in the DNS IP addresses text box. For example: 10.0.16.100,10.0.1.1 3 Click ok. Selecting a Proxy Server Connecting to the Internet is necessary for updating tests, validating license keys, and sending support packages.
  • Page 60: Automatically Setting The Time

    ■ Set date ■ Set time NOTE Date and time settings are applied to the MS; however, you can set the time zone for each ES. Automatically Setting the Time To automatically set the time: Home window>>System configuration>>Management server 1 Select Automatically receive NTP updates from and enter one or more Network Time Protocol (NTP) servers, separated by commas.
  • Page 61: Selecting The Time Zone

    5 Click ok. CAUTION Manually changing the date/time by a large amount (other than a time zone change) will require a restart of all servers. Rolling back the clock will have adverse effects on the system. Selecting the Time Zone To set the time zone: Home window>>System configuration>>Management server 1 Select the following:...
  • Page 62: Modifying The MS Root Account Password

    b Select the Do not send notifications when an endpoint has been granted temporary network access check box to disable these notifications. Modifying the MS root Account Password To change the MS root account password: Home window>>System configuration>>Management server 1 Enter the new password in the Root password text box in the Other settings area.
  • Page 63: Changing The Sentriant AG Upgrade Timeout

    Changing the Sentriant AG Upgrade Timeout Since upgrading can take longer than the default Sentriant AG Update timeout setting (45 minutes), Extreme Networks, Inc. recommends that you increase the timeout value when you have limited bandwidth by performing these steps.
  • Page 64: Figure 21: System Configuration, User Accounts

    Figure 21: System Configuration, User Accounts
  • Page 65: Figure 22: Add User Account

    1 Click Add a user account. The Add user account window appears: Figure 22: Add User Account 2 Enter the following information: ■ User ID—The user ID used to log into Sentriant AG ■ Password—The password used to log into Sentriant AG...
  • Page 66: Searching For A User Account

    5 In the Clusters area, select a cluster or clusters. NOTE Users must be assigned at least one Enforcement cluster. 6 Click ok. Table 4: Default User Roles User Role Name Description Cluster Administrator For their clusters, users having this role can configure their assigned clusters, view endpoint activity, change endpoint access control, retest endpoints, and generate reports.
  • Page 67: Sorting The User Account Area

    Sorting the User Account Area To sort the user account area: Home window>>System configuration>>User accounts Click the column heading for user id, full name, email address, user roles, or clusters. The user accounts reorder according to the column heading selected. Click the column heading again to change from ascending to descending.
  • Page 68: Editing A User Account

    7 Select the Clusters that the user account can access. 8 Click ok. Editing a User Account To edit a user account: Home window>>System configuration>>User accounts 1 Click the name of the user account that you want to edit. The User account window appears: Figure 24: User Account 2 Change or enter information in the fields you want to change.
  • Page 69: Deleting A User Account

    Deleting a User Account You must always have at least one account with System Administrator permissions. CAUTION Do not delete or edit the account with which you are currently accessing the interface. Doing so can produce an error and lock you out of the interface until your session has timed out. To delete a user account: Home window>>System configuration>>User accounts 1 Click delete next to the user account you want to remove.
  • Page 70: Figure 25: System Configuration, User Roles

    Figure 25: System Configuration, User Roles 1 Click add a user role in the User roles area. The Add user role window appears. Figure 26: Add User Role
  • Page 71: Editing User Roles

    2 Enter a descriptive name in the Role name field. 3 Enter a description of the role in the Description field. 4 Select the permissions for the user role. For more information about permissions, see the following table: Table 5: User Role Permissions Permission Description Configure clusters...
  • Page 72: Deleting User Roles

    1 Click the role you want to edit. The user role window appears: Figure 27: User Role 2 Enter the information in the fields you want to change. See “Adding a User Role” on page 69 for information on user role settings. 3 Click ok.
  • Page 73: License

    1 Click the user role name or description column heading. The selected category sorts in ascending or descending order. 2 Click ok. License The License menu option allows you to configure the following: ● Enter and submit a new license key...
  • Page 74: Test Updates

    Guide). If you need to update your license key, in the New license key field, enter your Sentriant AG license key, which Extreme Networks, Inc. sends to you by email. Copy and paste the license key directly from the text file.
  • Page 75: Selecting Test Update Times

    Figure 29: System Configuration, Test Updates 1 In the Last successful test update area, click check for test updates. 2 Click ok. NOTE It is important to check for test updates during the initial configuration of Sentriant AG. NOTE “Updating Rules without an Internet Connection”...
  • Page 76: Viewing Test Update Logs

    1 Using the hour check boxes, select the time periods in which you would like Sentriant AG to check for available test updates. By default, Sentriant AG checks once every hour using the Extreme Networks, Inc. Secure Rule Distribution Center. All times listed are dependent upon the clock setting and time zone of the hardware on which Sentriant AG is running.
  • Page 77: Quarantining, General

    Quarantining, General The Quarantining menu option allows you to configure the following by cluster: ● Select the quarantine method ● Select the access mode ● Basic 802.1X settings ● Authentication settings ● Add, edit, delete 802.1X devices Selecting the Quarantine Method To select the quarantine method: Home window>>System configuration>>Quarantining
  • Page 78: Figure 32: System Configuration, Quarantining

    Figure 32: System Configuration, Quarantining 1 Select a cluster. 2 In the Quarantine method area, select one of the following quarantine methods: ■ 802.1X—When using the 802.1X quarantine method, Sentriant AG must sit in a place on the network where it can communicate with your RADIUS server, which communicates with your switch or router, which performs the quarantining.
  • Page 79: Selecting The Access Mode

    Inline—When using the inline quarantine method, Sentriant AG must be placed on the network ■ where all traffic to be quarantined passes through Sentriant AG, that is, inline behind an ingress point such as a VPN concentrator so that every endpoint's traffic traverses it. 3 Click ok. Selecting the Access Mode To select the access mode: Home window>>System configuration>>Quarantining...
  • Page 80: Authentication Settings

    Remote—In more complex deployments, it is often impossible (in the case of multiple ■ Enforcement servers or multiple DHCP servers) or undesirable to span switch ports. In this case the DHCP traffic monitoring and endpoint detection can be run remotely by installing and configuring the endpoint activity capture software on each DHCP server involved in the 802.1X deployment.
  • Page 81: Figure 33: System Configuration, Windows Domain

    1 Select Windows domain from the End-user authentication method drop-down list. Figure 33: System Configuration, Windows Domain 2 Enter the Fully Qualified Domain Name (FQDN) of the domain to be joined in the Domain name text field. 3 Enter the user name of an account with sufficient administrative rights to join an ES to the domain in the Administrator user name text field. Prefer a dedicated account delegated only the right to join computers to the domain over a Domain Admin account, since the credential is stored on the appliance.
  • Page 82: Configuring Openldap Settings

    4 Enter the password of the account entered into the Administrator user name field in the Administrator password text field. 5 Enter the list of domain controllers, separated by commas, for this domain in the Domain controllers text field. 6 To test the Windows domain settings: a Select one of the following from the Server to test from drop-down list in the Test Windows domain settings area:...
  • Page 83: Figure 34: System Configuration, Openldap

    1 Select OpenLDAP from the End-user authentication method drop-down list. Figure 34: System Configuration, OpenLDAP
  • Page 84 2 Enter the LDAP server hostname or IP address and optional port number in the Server text field. For example: 10.0.1.2:636 3 Enter the DN under which LDAP searches should be done in the Identity text field. For example: cn=admin,o=My Org,c=UA 4 Enter the password that authenticates the DN entered into the Identity text field in the Password text field. Use the LDAPS port (636, as in the example) rather than plain LDAP on 389 wherever the directory supports it: with a simple bind over plain LDAP, the Identity password crosses the network in clear text. The Identity DN should be a read-only service account, not a directory administrator.
  • Page 85: Adding 802.1X Devices

    Adding 802.1X Devices To add an 802.1X device: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device Figure 35: Add 802.1X Device 1 Enter the IP address of the 802.1X device in the IP address text field. 2 Enter a shared secret in the Shared secret text field.
  • Page 86: Testing The Connection To A Device

    HP ProCurve 420/530 AP—See “HP ProCurve 420 AP or HP ProCurve 530 AP” on page 102. ■ Nortel—See “Nortel” on page 104. ■ Other—See “Other” on page 106. ■ 7 Click ok. Testing the Connection to a Device The test connection area has different options based on the switch you select: Cisco CATOS, Cisco IOS, Enterasys, Extreme, Foundry switches—See Figure...
  • Page 87: Cisco Ios

    a Select the Method to execute the re-authentication command in test: 802.1X ● MAC auth ● b Enter the port of the endpoint being tested in the Port text field. c Enter the MAC address of the endpoint being tested in the MAC address text field. 3 For Cisco CATOS, Cisco IOS, Enterasys, Extreme, Foundry switches (Figure 37) if you want to...
  • Page 88: Figure 38: Add Cisco Ios Device

    Figure 38: Add Cisco IOS Device 1 Enter the IP address of the Cisco IOS device in the IP address text field. 2 Enter a shared secret in the Shared secret text field. The shared secret is used to authenticate (sign) the RADIUS packets exchanged between the device and the RADIUS server and to obfuscate password attributes; it does not encrypt the RADIUS traffic itself, and it must match the secret configured on the device.
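What the shared secret actually does is easier to see in code than in the one-line field description. The following Python is an added example written for this guide, not Extreme Networks or Sentriant AG code: it implements the RFC 2865 User-Password hiding and the Response Authenticator that a RADIUS client (the switch, here) uses to check a server reply, using a constructed secret, identifier and Reply-Message text. The secret value and message are assumptions for the demo only.

```python
"""RADIUS shared-secret operations from RFC 2865, as an added example.
Stdlib only. The secret, identifier and attribute text below are constructed
sample values, not data from any real deployment."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_REPLY_MESSAGE = 18


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 octets, then XOR
    each block with MD5(secret + previous block), seeded with the Request
    Authenticator. This is obfuscation keyed by the secret, not encryption of
    the packet."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; the server needs the same secret to recover it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def build_response(code: int, ident: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Server side. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client (NAS) side: recompute the Response Authenticator with our copy of
    the secret. A mismatch means a wrong secret on either side, a reply that
    does not belong to our request, or a tampered/forged packet."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def demo() -> dict:
    """Round-trip a hidden password, then check a reply with the right secret,
    with a mistyped secret, and with a tampered attribute."""
    secret = b"constructed-shared-secret"          # assumed value for the demo
    request_auth = os.urandom(16)                  # fresh per Access-Request
    hidden = hide_password(b"endpoint-pass", secret, request_auth)
    msg = b"quarantine VLAN assigned"              # constructed Reply-Message
    attrs = bytes([ATTR_REPLY_MESSAGE, 2 + len(msg)]) + msg
    reply = build_response(ACCESS_ACCEPT, 7, attrs, request_auth, secret)
    tampered = reply[:-1] + bytes([reply[-1] ^ 0x01])
    return {
        "round_trip": reveal_password(hidden, secret, request_auth) == b"endpoint-pass",
        "genuine": verify_response(reply, request_auth, secret),
        "wrong_secret": verify_response(reply, request_auth, b"constructed-shared-secre"),
        "tampered": verify_response(tampered, request_auth, secret),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints {'round_trip': True, 'genuine': True, 'wrong_secret': False, 'tampered': False}. Two practical consequences for the Shared secret field: a secret mistyped on either side does not produce an error message, it silently fails every re-authentication; and because the construction is MD5 keyed by the secret, anyone who captures one RADIUS exchange can brute-force a short or guessable secret offline, so use a long random secret per device.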
  • Page 89: Cisco Catos

    11 Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet/SSH console can remain idle or unused before it is reset. 12 Select the Show scripts plus symbol to show the following scripts: Initialization script—The expect script used to log into the console and enter enable mode.
  • Page 90 1 Enter the IP address of the Cisco CatOS device in the IP address text field. 2 Enter a shared secret in the Shared secret text field. The shared secret is used to authenticate (sign) the RADIUS packets exchanged between the device and the RADIUS server and to obfuscate password attributes; it must match the secret configured on the device. 3 Re-enter the shared secret in the Re-enter shared secret text field.
  • Page 91: Catos User Name In Enable Mode

    CatOS User Name in Enable Mode If you have your CatOS switch configured to run in enable mode with a user name, the expect script supplied with Sentriant AG will not run “out of the box.” Workaround: Do not use a user name with your switch, or modify the expect script in the console to include the user name.
  • Page 92: Figure 40: Add Enterasys Device

    Figure 40: Add Enterasys Device 1 Enter the IP address of the Enterasys device in the IP address text field. 2 Enter a shared secret in the Shared secret text field. The shared secret is used to authenticate (sign) the RADIUS packets exchanged between the device and the RADIUS server and to obfuscate password attributes; it must match the secret configured on the device.
  • Page 93: Extremeware

    Exit script—The expect script used to exit the console. ■ 12 Click ok. NOTE Click revert to defaults to restore the default settings. ExtremeWare ® To add an ExtremeWare device: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device Figure 41: Add ExtremeWare Device 1 Enter the IP address of the ExtremeWare device in the IP address text field.
  • Page 94: Extremexos

    6 Select telnet or SSH from the Connection method drop-down list. Prefer SSH: with telnet, the console user name, password and enable password are sent in clear text on every re-authentication. 7 Enter the User name with which to log into the device's console. 8 Enter the Password with which to log into the device's console. 9 Re-enter the console password. 10 Enter the Reconnect idle time.
  • Page 95: Figure 42: Add Extremexos Device

    Figure 42: Add ExtremeXOS Device 1 Enter the IP address of the ExtremeXOS device in the IP address text field. 2 Enter a shared secret in the Shared secret text field. The shared secret is used to authenticate (sign) the RADIUS packets exchanged between the device and the RADIUS server and to obfuscate password attributes; it must match the secret configured on the device.
  • Page 96: Foundry

    NOTE Click revert to defaults to restore the default settings. Foundry To add a Foundry device: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device Figure 43: Add Foundry Device 1 Enter the IP address of the Foundry device in the IP address text field. 2 Enter a shared secret in the Shared secret text field.
  • Page 97: Hp Procurve Switch

    7 Enter the User name with which to log into the device's console. 8 Enter the Password with which to log into the device's console. 9 Re-enter the console password. 10 Enter the password with which to enter enable mode. 11 Re-enter the enable mode password.
  • Page 98: Figure 44: Add Hp Procurve Device

    Figure 44: Add HP ProCurve Device 1 Enter the IP address of the HP ProCurve device in the IP address text field. 2 Enter a shared secret in the Shared secret text field. The shared secret is used to authenticate (sign) the RADIUS packets exchanged between the device and the RADIUS server and to obfuscate password attributes; it must match the secret configured on the device.
  • Page 99 e Enter the Password used to enter enable mode on this device. To help confirm accuracy, type the same password you entered into the Enable password field in the Re-enter Password field. g Enter the amount of time, in milliseconds, before an idle open SSH session is reset. The default is 60000 (60 seconds) in the Reconnect idle time field.
  • Page 100: Hp Procurve Wesm Xl Or Hp Procurve Wesm Zl

    e Select the Use a different OID for MAC authentication check box to re-authenticate using a different OID when the supplicant request is for a MAC authenticated device. 1) Enter the Re-authenticate OID used to re-authenticate an endpoint. The strings "${PORT}" and "${MAC_DOTTED_DECIMAL}"...
  • Page 101: Figure 45: Add Hp Procurve Wesm Xl/Zl Device

    Figure 45: Add HP ProCurve WESM xl/zl Device 1 Enter the IP address of the HP ProCurve WESM device in the IP address text field. 2 Enter a shared secret in the Shared secret text field. The shared secret is used to authenticate (sign) the RADIUS packets exchanged between the device and the RADIUS server and to obfuscate password attributes; it must match the secret configured on the device.
  • Page 102: Hp Procurve 420 Ap Or Hp Procurve 530 Ap

    TIMETICKS ■ IPADDRESS ■ OBJID ■ STRING ■ HEX STRING ■ DECIMAL STRING ■ BITS ■ NULLOBJ ■ 9 Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field. 10 Select the Use a different OID for MAC authentication check box to re-authenticate using a different OID when the supplicant request is for a MAC authenticated device.
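The placeholder substitution in the re-authentication OID (the "${PORT}" and "${MAC_DOTTED_DECIMAL}" strings) and the OID value types listed above are easy to get wrong when a MAC arrives in a different notation. The following Python is an added example, not Sentriant AG code: it expands the two placeholders in an OID template, normalizes colon, dash and Cisco dotted MAC notations, renders a MAC for the HEX STRING, STRING and DECIMAL STRING value types in net-snmp's textual forms, and rejects any result that is not a dotted-numeric OID. The enterprise arc 1.3.6.1.4.1.99999 in the usage line is a made-up placeholder, not a vendor MIB value.

```python
"""Expand a re-authentication OID template for an SNMP set, as an added example.
Stdlib only. Placeholder names follow the ${PORT} / ${MAC_DOTTED_DECIMAL}
convention described in the guide; the OID prefixes used below are made up."""
import re
import string

_SEPARATORS = re.compile(r"[:\-.]")
_DOTTED_OID = re.compile(r"\d+(\.\d+)+")


def mac_octets(mac: str) -> bytes:
    """Accept 00:13:ab:cd:ef:01, 00-13-AB-CD-EF-01 or 0013.abcd.ef01 forms."""
    hexdigits = _SEPARATORS.sub("", mac.strip())
    if len(hexdigits) != 12 or not all(c in string.hexdigits for c in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def mac_to_dotted_decimal(mac: str) -> str:
    """The form used as an OID index: 00:13:ab:cd:ef:01 -> 0.19.171.205.239.1"""
    return ".".join(str(b) for b in mac_octets(mac))


def mac_as_value(mac: str, value_type: str) -> str:
    """Render the MAC for the OID value types a MAC sensibly maps to, using the
    net-snmp textual forms (HEX STRING: hex octets, DECIMAL STRING: decimal
    octets, STRING: colon notation). Other types raise."""
    octets = mac_octets(mac)
    if value_type == "HEX STRING":
        return " ".join(f"{b:02X}" for b in octets)
    if value_type == "DECIMAL STRING":
        return " ".join(str(b) for b in octets)
    if value_type == "STRING":
        return ":".join(f"{b:02x}" for b in octets)
    raise ValueError(f"value type {value_type!r} is not a string form of a MAC")


def expand_oid_template(template: str, port: int, mac: str) -> str:
    """Substitute ${PORT} and ${MAC_DOTTED_DECIMAL}. An unknown placeholder is an
    error rather than being silently left in place, and the result must be a
    dotted-numeric OID, so a malformed MAC or port can never inject extra
    text into the SNMP set."""
    if not isinstance(port, int) or port < 1:
        raise ValueError("port index must be a positive integer")
    values = {"PORT": str(port), "MAC_DOTTED_DECIMAL": mac_to_dotted_decimal(mac)}
    try:
        oid = string.Template(template).substitute(values)
    except (KeyError, ValueError) as exc:
        raise ValueError(f"bad template {template!r}: {exc}") from None
    if not _DOTTED_OID.fullmatch(oid):
        raise ValueError(f"expanded OID is not dotted-numeric: {oid!r}")
    return oid


if __name__ == "__main__":
    # 1.3.6.1.4.1.99999 is a placeholder enterprise arc, not a real vendor MIB.
    tmpl = "1.3.6.1.4.1.99999.2.1.${PORT}.${MAC_DOTTED_DECIMAL}"
    print(expand_oid_template(tmpl, 12, "00-13-AB-CD-EF-01"))
    print(mac_as_value("0013.abcd.ef01", "HEX STRING"))
```

The check at the end of expand_oid_template is the part worth keeping: the port and MAC come from the switch's RADIUS request, so treating them as untrusted input and validating the final OID keeps a malformed value from turning into an unexpected SNMP write.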
  • Page 103: Figure 46: Add Hp Procurve 420/530 Ap Device

    Figure 46: Add HP ProCurve 420/530 AP Device 1 Enter the IP address of the HP ProCurve 420 AP or HP ProCurve 530 AP device in the IP address text field. 2 Enter a shared secret in the Shared secret text field. The shared secret is used to authenticate (sign) the RADIUS packets exchanged between the device and the RADIUS server and to obfuscate password attributes; it must match the secret configured on the device.
  • Page 104: Nortel

    OBJID ■ STRING ■ HEX STRING ■ DECIMAL STRING ■ BITS ■ NULLOBJ ■ 9 Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field. 10 Select the Use a different OID for MAC authentication check box to re-authenticate using a different OID when the supplicant request is for a MAC authenticated device.
  • Page 105: Figure 47: Add Nortel Device

    Figure 47: Add Nortel Device 1 Enter the IP address of the Nortel device in the IP address text field. 2 Enter a shared secret in the Shared secret text field. The shared secret is used to authenticate (sign) the RADIUS packets exchanged between the device and the RADIUS server and to obfuscate password attributes; it must match the secret configured on the device.
  • Page 106: Other

    13 Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet/SSH console can remain idle or unused before it is reset. 14 Select the Device is stacked check box if the device is in a stacked configuration. 15 Select the Show scripts plus symbol to show the following scripts: Initialization script—The expect script used to log into the console and enter enable mode.
  • Page 107: Figure 48: Add Other Device

    Figure 48: Add Other Device 1 Enter the IP address of the new device in the IP address text field. 2 Enter a shared secret in the Shared secret text field. The shared secret is used to authenticate (sign) the RADIUS packets exchanged between the device and the RADIUS server and to obfuscate password attributes; it must match the secret configured on the device.
  • Page 108: Quarantining, Dhcp

    NOTE You must enter the script contents yourself for the 802.1X device you are adding. Initialization script—The expect script used to log into the console and enter enable mode. ■ Re-authentication script—The expect script used to perform endpoint re-authentication. ■...
  • Page 109: Adding A Dhcp Quarantine Area

    Figure 49: System Configuration, Quarantining, DHCP Enforcement 1 Inline DHCP server is selected by default. If you wish to use multiple DHCP servers, see the instructions in “DHCP Plug-in” on page 295. 2 Click ok. Adding a DHCP Quarantine Area To add a quarantine area: Home window>>System configuration>>Quarantining>>DHCP quarantine method radio button>>DHCP quarantine areas area...
  • Page 110: Figure 50: Add A Quarantine Area

    1 Click add a quarantine area. The Add quarantine area window appears. Figure 50: Add a Quarantine Area 2 In the Add quarantine area window, enter the following information: Quarantined subnet—The CIDR network that represents the IP space and netmask. ■...
  • Page 111: Sorting The Dhcp Quarantine Area

    sites are configured in the quarantine/guest resource list (System configuration>>Quarantine/ guest resources). The quarantine areas can either be a subset of your existing DHCP scopes or a separate network multinetted on your router. For endpoints to see the outside Web sites listed in Quarantine/guest resources, the browser being used on the endpoint must have the Auto-proxy setting turned on.
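Whether each quarantine area is a carve-out of an existing DHCP scope or a separately multinetted network, and whether the areas overlap anything they should not, is worth checking before DHCP enforcement is switched on. The following Python is an added example, not part of the product: it classifies a list of quarantine areas against the DHCP scopes, rejects a CIDR with host bits set (the 10.0.1.5/24 typo), flags a quarantine area that partially overlaps or swallows a scope, and flags quarantine areas that overlap each other. The scopes and areas are constructed sample data.

```python
"""Classify DHCP quarantine areas against the DHCP scopes they must coexist
with, as an added example (stdlib only, IPv4). Scopes and areas below are
constructed sample data."""
import ipaddress
from typing import Dict, List, Tuple


def parse_net(cidr: str) -> ipaddress.IPv4Network:
    """strict=True rejects a host address written with a prefix (10.0.1.5/24),
    a common typo that would otherwise quarantine a different range than
    the one the administrator had in mind."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"{cidr}: only IPv4 quarantine areas are handled here")
    return net


def classify_quarantine_areas(scopes: List[str], areas: List[str]
                              ) -> Tuple[Dict[str, str], List[str]]:
    """Return (classification per area, problems). Each area must be either a
    subset of one DHCP scope or a separate multinetted network; a partial
    overlap with a scope (or an area larger than a scope), and any overlap
    between two areas, is reported as a problem."""
    scope_nets = [parse_net(s) for s in scopes]
    area_nets, problems, result = [], [], {}
    for a in areas:
        try:
            area_nets.append(parse_net(a))
        except ValueError as exc:
            problems.append(f"{a}: {exc}")
    for i, q in enumerate(area_nets):
        for other in area_nets[i + 1:]:
            if q.overlaps(other):
                problems.append(f"quarantine areas {q} and {other} overlap")
        containing = [s for s in scope_nets if q.subnet_of(s)]
        partial = [s for s in scope_nets if q.overlaps(s) and not q.subnet_of(s)]
        if partial:
            problems.append(f"{q} partially overlaps DHCP scope(s) "
                            + ", ".join(map(str, partial)))
            result[str(q)] = "invalid"
        elif containing:
            result[str(q)] = f"subset of {containing[0]}"
        else:
            result[str(q)] = "multinetted (separate network)"
    return result, problems


if __name__ == "__main__":
    verdicts, issues = classify_quarantine_areas(
        ["10.0.1.0/24", "10.0.2.0/24"],
        ["10.0.1.128/25", "192.168.50.0/24", "10.0.2.0/23", "10.0.1.5/24"])
    for area, verdict in verdicts.items():
        print(f"{area:18} {verdict}")
    for problem in issues:
        print("PROBLEM:", problem)
```

An area classified as multinetted still needs the corresponding secondary address on the router interface; the check here only confirms the address plan is consistent with the two deployment models described above.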
  • Page 112: Deleting A Dhcp Quarantine Area

    1 Click edit next to the quarantine area you want to edit. The Quarantine area window appears: Figure 51: Quarantine Area 2 Edit the information in the fields you want to change. See “Adding a DHCP Quarantine Area” on page 109 for information on Quarantine area options.
  • Page 113: Post-Connect

    Post-connect Post-connect in Sentriant AG provides an interface where you can configure external systems, such as IDS/IPS, that request quarantining of an endpoint based on activity that occurs after the endpoint has connected to the network (post-connect). Allowing the Post-connect Service Through the Firewall The firewall must be opened for each post-connect service that communicates with Sentriant AG.
  • Page 114: Setting Sentriant Ag Properties

    Setting Sentriant AG Properties Most Sentriant AG properties are set by default. To change or set properties, you must change the properties as described in “Changing Properties” on page 315. You must set the following properties for Sentriant AG to communicate with your external post-connect server (see “Configuring the Post-connect Server”...
  • Page 115: Figure 53: System Configuration, Post-Connect

    Figure 53: System Configuration, Post-connect 1 Enter the name of your post-connect service in the Service name text field. This is the name used in the Post-connect and Endpoint activity windows. 2 Enter the URL of the post-connect service in the Service URL text field. When the post-connect configuration is complete, you will be able to launch this URL from the Sentriant AG Post-connect window.
  • Page 116: Launching Post-Connect Systems

    Notifications will be sent by email from the enforcement cluster quarantining the endpoint in accordance with its notifications settings. 5 Click ok to save your changes and return to the Home window. Launching Post-connect Systems After you have configured a post-connect system, you must launch it before Sentriant AG can communicate with it.
  • Page 117: Adding Post-Connect System Logos And Icons

    The icons on the Endpoint activity window show that the endpoint is quarantined by an external service. When you hover the cursor over the icon, the quarantine details are presented in a pop-up window: Figure 55: Post-connect Quarantine Details (callouts: Post-connect service name, Post-connect service logo) Adding Post-connect System Logos and Icons...
  • Page 118: Maintenance

    4 Modify the following properties in the file nac-ms.properties (see “Changing Properties” on page 315): Compliance.PostConnect.Agents.<PRODUCTID>.Logo=<Logo filename> Compliance.PostConnect.Agents.<PRODUCTID>.Icon=<Icon filename> Compliance.PostConnect.Agents.<PRODUCTID>.Name=<Friendly Product Name> Where: <PRODUCTID> is the identifier for the post-connect service. For example, PostConnectServiceName <Logo filename>...
  • Page 119: Initiating A New Backup

    The backup includes the database, the /usr/local/nac/properties directory, the /usr/local/nac/keystore directory and the /usr/local/nac/subscription directory. Because the keystore holds the system's key material, store the backup file with at least the same protection you give the server itself. Initiating a New Backup To initiate a new backup: Home window>>System configuration>>Maintenance Figure 56: System Configuration, Maintenance 1 Click begin backup now in the Backup area. The Operation in progress confirmation window appears.
  • Page 120: Restoring From A Backup

    NOTE A system backup does not work using Internet Explorer 7 as a browser window. Use Internet Explorer 6, Mozilla or Firefox for system backup if you encounter a problem. 3 The System backup completed successfully message appears at the top of the System configuration window: Figure 57: Backup Successful Message Restoring From a Backup...
  • Page 121: Cluster Setting Defaults

    Cluster Setting Defaults The following sections describe how to globally set the default settings for all clusters. For information on overriding the default settings for a specific cluster, see “Enforcement Clusters and Servers” on page Testing Methods The Testing methods menu option allows you to configure the following: Select testing methods ●...
  • Page 122: Ordering Test Methods

    1 Select one or more of the following a Sentriant AG Agent—This test method installs a service (Sentriant AG Agent) the first time the user connects. b ActiveX plug-in—This test method downloads an ActiveX control each time the user connects to the network.
  • Page 123: Selecting End-User Options

    If the end-user is not on a Windows domain they have to change the “Network access... Classic ● mode” setting The user they log in as has to have certain permissions to resources on the system which they may ●...
  • Page 124: Figure 59: System Configuration, Quarantine/Guest Resources Area

    Figure 59: System Configuration, Quarantine/Guest Resources Area 1 Select the Default resource accessibility for quarantined endpoints. accessible - By default, all resources are accessible to quarantined endpoints. ■ inaccessible - By default, no resources may be accessed by quarantined endpoints. ■ The inaccessible default with an explicit list of remediation resources is the safer posture: anything you forget to list stays blocked rather than exposed to an untested endpoint.
  • Page 125: Table 6: Resource Tips

    FQDN - Enter the fully qualified domain name (FQDN) of the resource. This resource can be an ● Internet domain or the hostname of a network-attached device such as a file server or DNS server. The accessibility of a more specific FQDN takes precedence over that of a less specific domain name.
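The precedence rule above (a more specific FQDN beats a less specific domain name) amounts to a longest-suffix match over the resource list, with the cluster's default accessibility as the fallback. The following Python is an added example, not Sentriant AG code: it resolves a host name against a constructed rule set in that order, normalizing case and trailing dots, and also reports entries that have no effect because a less specific entry or the default already yields the same result. The rule set and host names are made up for the demo.

```python
"""Resolve quarantine/guest resource accessibility for a host name, as an
added example (stdlib only). Rules and hosts below are constructed."""
from typing import Dict, List, Tuple


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


def is_accessible(host: str, rules: Dict[str, bool], default: bool) -> Tuple[bool, str]:
    """rules maps an FQDN or domain to True (accessible) / False (inaccessible).
    The most specific matching entry wins: try the whole name, then each parent
    domain in turn, then fall back to the cluster default. Returns the decision
    and the entry that produced it."""
    labels = normalize(host).split(".")
    index = {normalize(k): v for k, v in rules.items()}
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in index:
            return index[candidate], candidate
    return default, "default"


def redundant_rules(rules: Dict[str, bool], default: bool) -> List[str]:
    """Entries that change nothing: removing the entry leaves the decision for
    that exact name unchanged because a less specific entry (or the default)
    already yields the same value. Useful for keeping the resource list honest."""
    redundant = []
    for name, value in rules.items():
        without = {k: v for k, v in rules.items() if k != name}
        if is_accessible(name, without, default)[0] == value:
            redundant.append(name)
    return redundant


if __name__ == "__main__":
    # Constructed resource list: default deny, but allow the update hosts.
    RULES = {
        "example.com": False,
        "updates.example.com": True,
        "files.example.com": False,
        "windowsupdate.com": True,
    }
    for host in ("DL.updates.example.com.", "intranet.example.com",
                 "download.windowsupdate.com", "evil.net"):
        print(host, "->", is_accessible(host, RULES, default=False))
    print("redundant:", redundant_rules(RULES, default=False))
```

Note the consequence of the rule for allow-lists: a single accessible entry for a whole domain (windowsupdate.com above) opens every host under it to quarantined endpoints, so list the specific update or remediation hosts where you can.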
  • Page 126: Notifications

    Table 6: Resource Tips. DHCP server IP address: In inline mode, you might need to specify the DHCP server IP address in this field. Domain controller name: Regardless of where the Domain Controller (DC) is installed, you must specify the DC name on the Quarantine tab in the Quarantine area domain suffix field for each quarantine area defined.
  • Page 127: Figure 60: System Configuration, Notifications

    Figure 60: System Configuration, Notifications 1 To send email notifications, you must provide Sentriant AG with the IP address of a Simple Mail Transfer Protocol (SMTP) email server. This SMTP email server must allow SMTP messages from the Sentriant AG machine; grant relay permission to that address specifically rather than opening the server as an unauthenticated relay.
  • Page 128: End-User Screens

    2 Select the Notifications menu item. 3 Select the For this cluster, override the default settings check box. 4 Select Do not send email notifications. 5 Click ok. End-user Screens The End-user screens menu option allows you to configure the end-user screens with the following: Define logo image to be displayed ●...
  • Page 129: Specifying The End-User Screen Text

    Organization logo image—Enter a path to your organization’s logo, or click Browse to select a file on your network. Extreme Networks, Inc. recommends you place your logo here to help end-users feel secure about having their computers tested. The logo should be no larger than 450x50 pixels.
  • Page 130: Specifying The End-User Test Failed Pop-Up Window

    Footer (most screens) —Enter the text for the footer that appears on most of the end-user windows. Extreme Networks, Inc. recommends that this text includes a way to contact you if they need further assistance. You can format the text in this field with HTML characters.
  • Page 131: Agentless Credentials

    Agentless Credentials When Sentriant AG accesses and tests endpoints, it needs to know the administrator credentials for that endpoint. If your network uses a Windows domain controller and the connecting endpoint is a member of a configured domain, Sentriant AG uses the information supplied to access and test the endpoint. Because these credentials grant administrative access to every tested endpoint, use a dedicated account created for this purpose and treat the server that stores them as a high-value host. NOTE Setting windows credentials here sets them as default settings for all clusters.
  • Page 132: Figure 63: Agentless Credentials, Add Windows Administrator Credentials

    1 Click Add administrator credentials. The Add Windows administrator credentials window appears: Figure 63: Agentless Credentials, Add Windows Administrator Credentials 2 In the Add Windows administrator credentials window, enter the following: Administrator user ID—Enter the domain administrator or local administrator login name of the ■...
  • Page 133: Testing Windows Credentials

    Testing Windows Credentials To test Windows credentials: Home window>>System configuration>>Agentless credentials 1 If you want to test these credentials, select the ES in this cluster or the MS from the Server to test from drop-down list. 2 In the Test these credentials area, enter the IP address of the endpoint. NOTE When using a multi-server installation, the credentials are stored on the ES, but the test is initiated from the MS.
  • Page 134: Deleting Windows Credentials

    Deleting Windows Credentials To delete Windows credentials: Home window>>System configuration>>Agentless credentials 1 Click delete next to the name of the Windows administrator credentials you want to remove. The Delete Windows administrative credentials confirmation window appears. 2 Click yes. Sorting the Windows Credentials Area To sort the Windows credentials area: Home window>>System configuration>>Agentless credentials...
  • Page 135: Setting 802.1X Devices Logging Levels

    Figure 64: System Configuration, Logging Option 1 To configure the amount of diagnostic information written to log files, select a logging level from the Enforcement servers drop-down list: error—Log error-level messages only ■ warn—Log warning-level and above messages only ■...
  • Page 136: Advanced Settings

    To set 802.1X logging levels: Home window>>System configuration>>Logging 1 To configure the amount of diagnostic information written to log files related to 802.1X re- authentication, select a logging level from the 802.1X devices drop-down list: error—Log error-level messages only ■...
  • Page 137: Figure 65: System Configuration, Advanced Option

    Figure 65: System Configuration, Advanced Option 1 Enter a number of seconds in the Agent connection timeout period text field. The agent connection timeout period is the time in seconds that Sentriant AG waits on a connection to the agent. Use a larger number for systems with network latency issues.
  • Page 139: Chapter 4: Endpoint Activity

    Endpoint Activity Use the Endpoint activity window to monitor and control endpoint network activity. Home window>>Endpoint activity The Endpoint activity window has the following sections: Primary filtering area—The left column of the window provides links that allow you to quickly ●...
  • Page 140: Finding Endpoints

    Finding Endpoints You can manage the list of endpoints using a variety of options. The primary filtering area allows you to select a broad category of endpoints. Within these selected endpoints, you can use secondary filtering to narrow the endpoint list even more. Finally, you can limit the number of endpoints that are displayed at one time.
  • Page 141: Secondary Endpoint Filtering

    Grace period provided - All endpoints that Failed testing and were given a grace period to ● address failed compliance tests after their most recent testing. No quarantine action - All endpoints that Failed testing and were assigned to a NAC policy ●...
  • Page 142 MAC address - Use this search criterion to filter the endpoint list by MAC address. Wildcards (*) are ● allowed (for example, 00:13:*). Operating system - Use this search criterion to filter the endpoint list by operating system. ●...
  • Page 143: Limiting The Number Of Endpoints Displayed At One Time

    all—Endpoints listed in the results will match all of the specified search criteria. ■ any—Endpoints listed in the results match at least one of the specified search criteria. ■ 3 Click search. The endpoint list area updates to match the primary and secondary filtering specified. In addition, the backgrounds of the search criteria affecting the results are highlighted as shown in the following figure: Figure 69: Search Criterion Affecting Endpoint Activity Results...
  • Page 144: Quickly Viewing Endpoint Access Control Status

    Quickly Viewing Endpoint Access Control Status The following list describes most common reasons why an endpoint could have been given the access control status quarantined or granted access: Quarantined—The endpoint has been assigned a quarantined IP address. ● Administratively quarantined—In the Change endpoint access status window, the administrator ■...
  • Page 145: Figure 71: Access Control Status Rollover

    NOTE If an endpoint is seen by two different clusters simultaneously, the endpoint access control status can get lost. This situation could occur, for example, if you had a Training cluster and an Engineering cluster and an endpoint that was connected in the Engineering cluster also attempted to connect by way of the Training cluster.
  • Page 146: Quickly Viewing Endpoint Test Status

    For a description of all of these icons, hover the mouse pointer over the legend icon in the upper right- hand corner of the screen as shown in this figure. Figure 72: Endpoint Activity Icon Legend Quickly Viewing Endpoint Test Status The following list describes the high-level endpoint test statuses: Failed—Sentriant AG shows this status after the endpoint has failed testing.
  • Page 147: Viewing Detailed Endpoint Information

    If you hover the mouse cursor over the icon in the endpoint test status (et) column, you will get additional information about the test status of the endpoint. Figure 73: Endpoint Test Status Rollover Viewing Detailed Endpoint Information To view information about an endpoint: Home window>>Endpoint activity>>Endpoint
  • Page 148: Figure 74: Endpoint, General Information

    1 Click on an endpoint NetBIOS name to view the Endpoint window: Figure 74: Endpoint, General Information NOTE For Windows Vista Home Edition endpoints, the Windows domain will always be blank, since these endpoints cannot join Windows domains.
  • Page 149: Temporarily Granting Access To Endpoints

    2 Click Test results to view the details of the test: Figure 75: Endpoint, Test Results Temporarily Granting Access to Endpoints To temporarily grant access to an endpoint or endpoints: Home window>>Endpoint activity>>Endpoint list area 1 In the first column of the endpoint list, select the checkbox of one or more endpoints. NOTE Select the checkbox at the top of the first column to select all of the endpoints on that page.
  • Page 150: Temporarily Quarantining Endpoints

    5 Enter the number of minutes, hours, or days that the endpoints are to be granted network access. 6 Click ok. NOTE To quarantine the endpoints again, select the endpoint’s checkboxes, click change access, select Clear temporary access control status, and click ok. NOTE If an endpoint that has been granted or denied access temporarily by the administrator disconnects, the next time the endpoint attempts to connect it will be retested;...
  • Page 151: Having Endpoints Retested

    To clear a temporary access control status set by an administrator: Home window>>Endpoint activity>>Endpoint list area 1 Select one or more endpoints by using their corresponding checkboxes. 2 Click change access. 3 Select the Clear temporary access control status radio button. 4 Click ok.
  • Page 153: Chapter 5: End-User Access

    End-user Access End-users can connect to your network from a number of different types of computers (see “Endpoints Supported” on page 154), be tested for compliance based on your definitions in the standard (high, medium, or low security) or custom NAC policies (see “NAC Policies”...
  • Page 154: Endpoints Supported

    _nac ● _sentriantag ● _extreme ● _nac1 ● _nac2 ● If no contact can be made, try the following A names: NOTE The endpoint's DNS suffix must be correctly configured for your domain for the Agent Callback feature to work correctly.
  • Page 155: Browser Version

    Vista Ultimate ■ Vista Business ■ Vista Enterprise ■ ActiveX testing ● Windows 2000 ■ Windows Server (2000, 2003) ■ Windows XP Professional ■ Windows XP Home ■ Vista Ultimate ■ Vista Home Basic ■ Vista Home Premium ■...
  • Page 156: Firewall Settings

    Firewall Settings Sentriant AG can perform tests through firewalls on both managed and unmanaged endpoints. Managed Endpoints Typically, a managed endpoint’s firewall is controlled with the Domain Group Policy for Windows, or a central policy manager for other firewalls. In this case, the network administrator opens up the agent port or agentless ports only to the Sentriant AG server using the centralized policy.
  • Page 157: Agent-Based Test Method

    Agent-based Test Method Ports Used for Testing You might need to configure some firewalls and routers to allow Sentriant AG to access port 1500 for agent-based testing. NOTE See “Ports used in Sentriant AG” on page 425 for a complete description of the ports used in Sentriant AG. Windows Vista Settings On Windows Vista endpoints, the agent installs successfully only when the installation runs with administrator permissions.
  • Page 158: Configuring Windows Xp Professional For Agentless Testing

    3 Select Properties. The Local area connection properties window appears: Figure 76: Local Area Connection Properties 4 On the General tab, in the Components checked are used by this connection area, verify that File and Printer sharing is listed and that the check box is selected. 5 Click OK.
  • Page 159: Configuring Windows Vista For Agentless Testing

    3 Select Properties. The Local area connection properties window appears: Figure 77: Local Area Connection Properties 4 On the General tab, in the This connection uses the following area, verify that File and Printer sharing is listed and that the check box is selected. 5 Click OK.
  • Page 160: Defining The Agentless Group Policy Object

    Details on setting up the Group Policy Management Console (GPMC) can be found at: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/ stepbystep/gpmcinad.mspx#EFE Group policies may be applied at many different levels (for example, domain, subnet, OU, security group, and so on). A discussion of selecting the appropriate level is beyond the scope of this document. This section describes the Group Policy Object applied only at the domain level (affecting all members of the domain).
  • Page 161: Figure 79: New Gpo Window

    3 Right-click on the domain you wish to use for the Vista endpoints and select Create and Link a GPO Here. The New GPO window appears: Figure 79: New GPO Window 4 Enter Agentless Testing in the Name text field. 5 Click OK.
  • Page 162: Figure 81: Network Access Window

    1) In the right pane, scroll down and right-click on Network access: sharing and security model for local accounts policy, select Properties. The Network Access window appears: Figure 81: Network Access Window 2) Select the Define this policy setting check box. 3) Select Classic—local users authenticate as themselves from the drop-down list.
  • Page 163: Figure 82: Network Security Window

    5) In the right pane, scroll down and right-click on Network Security: LAN Manager authentication level and select Properties. The following window appears: Figure 82: Network Security Window 6) Select the Define this policy setting check box. 7) Select Send LM & NTLM responses from the drop-down list. 8) Click OK.
  • Page 164: Figure 83: Network Connection Properties Window

    1) In the right pane, right-click Network Connections and select Properties. The following window appears: Figure 83: Network Connection Properties Window 2) Select the Define this policy setting check box. 3) Select the Automatic radio button. 4) Click OK. 5) In the right pane, right-click Remote Procedure Call (RPC) and select Properties.
  • Page 165: Figure 85: Remote Registry Properties Window

    7) Select the Automatic radio button. 8) Click OK. 9) In the right pane, right-click Remote Registry and select Properties. The following window appears: Figure 85: Remote Registry Properties Window 10) Select the Define this policy setting check box. 11) Select the Automatic radio button.
  • Page 166: Figure 86: Windows Firewall Window

    1) In the right pane, right-click Windows Firewall: Allow file and printer sharing exception and select Properties. The following window appears: Figure 86: Windows Firewall Window 2) Select the Enabled radio button. 3) Click OK. g In the left pane, click the plus symbols to expand Administrative Templates>>Network. h In the left pane, select Microsoft Peer-to-Peer Networking Services.
  • Page 167: Figure 87: Microsoft Peer-To-Peer Window

    1) In the right pane, right-click on Turn off Microsoft Peer-to-Peer Networking Services and select Properties. The following window appears: Figure 87: Microsoft Peer-to-Peer Window 2) Select the Disabled radio button. 3) Click OK. Close the Group Policy Object Editor window. 7 Move the Agentless Testing policy to the top of the list to process it first and take precedence over any local configuration: a In the Group Policy Management window, select the Linked Group Policy Objects tab in the...
  • Page 168: Ports Used For Testing

    c Click the double arrow icon to the left of the policies to move it to the top. The following window shows the double arrow icon: Figure 88: Double Arrow Icon 8 Close the Group Policy Management window. This Agentless Group Policy Object is applicable to all Windows endpoints used in the domain.
  • Page 169

    1 Select File and Print Sharing. (Verify that the check box is also selected.) 2 Click Edit. 3 Verify that the check boxes for all four ports are selected. 4 Select TCP 139. 5 Click Change Scope. 6 Select Custom List. 7 Enter the Sentriant AG Server IP address and the mask.
  • Page 170: Activex Test Method

    ActiveX Test Method
    Ports Used for Testing
    You might need to configure some firewalls and routers to allow Sentriant AG to access port 1500 for ActiveX testing. NOTE See “Ports used in Sentriant AG” on page 425 for a complete description of the ports used in Sentriant AG.
    Windows Vista Settings
    All Windows Vista endpoints must have administrator permissions in order for the ActiveX component to install successfully.
  • Page 171: Figure 89: Mac System Preferences

    Figure 89: Mac System Preferences Sentriant AG Software Users Guide, Version 5.3...
  • Page 172: Figure 90: Mac Sharing

    1 Select the Sharing icon. The Sharing window opens. Figure 90: Mac Sharing
    2 Select the Firewall tab.
    3 The firewall settings must be one of the following:
    ■ On with the following:
    ■ OS X NAC Agent check box selected
    ●...
  • Page 173: End-User Access Windows

    2 Click Edit. The port configuration window appears: Figure 91: Mac Ports 3 Enter 1500 in the Port Number, Range or Series text field. 4 Click OK.
    End-user Access Windows
    Several end-user access templates come with Sentriant AG. The End-user window provides a way to customize these templates from within the user interface (see “End-user Screens”...
  • Page 174: Opening Window

    NOTE Upgrading the Sentriant AG software does not overwrite your template changes. Your updated templates are preserved. CAUTION Do not rename the files or they will not be seen by Sentriant AG. End-users begin the login process by opening their browser. If their home page is defined on the Quarantine/guest resources window, they are allowed to access that page.
  • Page 175: Windows Nac Agent Test Windows

    Windows NAC Agent Test Windows
    Automatically Installing the Windows Agent
    When the test method used is NAC Agent test, the first time the user attempts to connect, the agent installation process should begin automatically, and the installing window appears: Figure 93: End-user Installing Window NOTE The end-user can also manually install the agent as described in...
  • Page 176: Figure 94: End-User Agent Installation Failed

    If Active Content is disabled in the browser, the following error window appears: Figure 94: End-user Agent Installation Failed NOTE To enable active content, see the instructions in the Installation Guide, in the “Important Browser settings, Active Content” section. If this is the first time the end-user has selected NAC Agent test, a security acceptance window appears.
  • Page 177: Removing The Agent

    Once the user has accepted the digital signature, the agent installation begins. The user must click Next to start the agent installation: Figure 95: End-user Agent Installation Window (Start) The user must click Finish to complete the agent installation and begin testing: Figure 96: End-user Agent Installation Window (Finish) As soon as the installation is complete, the endpoint is tested.
  • Page 178: Manually Installing The Windows Agent

    Figure 97: Add/Remove Programs 1 Find the Sentriant AG Agent in the list of installed programs. 2 Click Remove. NOTE The Sentriant AG Agent also appears in the services list: Start button>>Settings>>Control panel>>Administrative tools>>Services
    Manually Installing the Windows Agent
    To manually install the agent (using Internet Explorer): Windows endpoint>>IE browser window 1 Point the browser to the following URL:...
  • Page 179: How To View The Windows Agent Version Installed

    The security certificate window appears: Figure 98: Security Certificate 2 Click Yes to accept the security certificate. You are prompted to select Save to disk or Run the file: Figure 99: Run or Save to Disk 3 Click Run to begin the install process. 4 The Agent Installation Wizard starts (Figure 95 on page 177).
  • Page 180: Mac Os Agent Test Windows

    3 Hover your mouse or other pointing device over the SAService.exe file as shown in the following figure. Figure 100: Agent Version The version number is shown. In this example, the version is 5.0.0.16.
    Mac OS Agent Test Windows
    When the test method selected is agent-based, the first time the end-user logs in to their Macintosh computer and opens a browser window, Sentriant AG attempts to test the endpoint.
  • Page 181: Figure 102: Mac Os Installer 1 Of 5

    4 Click Continue. The installer appears: Figure 102: Mac OS Installer 1 of 5 5 Click Continue. The Select a Destination window appears: Figure 103: Mac OS Installer 2 of 5
  • Page 182: Figure 104: Mac Os Installer 3 Of 5

    6 Click Continue. The Easy Install window appears: Figure 104: Mac OS Installer 3 of 5 7 Click Install. The Authenticate window appears: Figure 105: Mac OS Installer 4 of 5
  • Page 183: Verifying The Mac Os Agent

    8 Enter your password. Click OK. The agent is installed and the confirmation window appears: Figure 106: Mac OS Installer 5 of 5 9 Click Close.
    Verifying the Mac OS Agent
    To verify that the Mac OS agent is running properly: Mac endpoint>>Double-click Desktop icon>>Applications folder>>Utilities folder
  • Page 184: Figure 107: Applications, Utilities Folder

    Figure 107: Applications, Utilities Folder
  • Page 185: Figure 108: Activity Monitor

    1 Double-click Activity Monitor. The Activity Monitor window appears: Figure 108: Activity Monitor 2 Verify that the osxnactunnel process is running. 3 If the osxnactunnel process is not running, start it by performing the following steps:
  • Page 186: Removing The Mac Os Agent

    a Select Applications window>>Utilities>>Mac OS X Terminal. A terminal window opens: Figure 109: Mac Terminal b Enter the following at the command line: OSXNACAgent -v The build and version number are returned. c If an error message is returned indicating that the agent could not be found, the agent was not installed properly.
  • Page 187: Activex Test Windows

    2 Enter the following at the command line: remove_osxnacagent 3 Remove the firewall entry: a Select Apple Menu>>System Preferences>>Sharing>>Firewall tab. b Select OS X NAC Agent. c Click Delete.
    ActiveX Test Windows
    For the ActiveX test, the Testing window appears (see “Testing Window”...
  • Page 188: Agentless Test Windows

    NOTE Install any needed patches before installing the Agent.
    Agentless Test Windows
    If the end-users select Agentless test, Sentriant AG needs login credentials in order to test the endpoint. Credentials can be obtained from the following: Automatically connect the user through domain authentication (“Agentless Credentials”...
  • Page 189: Figure 112: End-User Login Failed

    If the login credentials are correct, the Testing window is displayed (see “Testing Window” on page 190). If the end-users do not enter the correct information in the login window fields, a login failure window appears: Figure 112: End-user Login Failed NOTE You can customize the logo and contact paragraph that appear on this window.
  • Page 190: Testing Window

    Testing Window
    The following figure shows the window that appears during the testing process: Figure 113: End-user Testing
    The possible outcomes from the test are as follows:
    ● Test successful window (see “Test Successful Window” on page 190)
    ● Testing cancelled window (see “Testing Cancelled Window”...
  • Page 191: Testing Cancelled Window

    Testing Cancelled Window
    If the Allow end users to cancel testing option on the System configuration>>Testing methods window is selected, the end-user has the option of clicking Cancel testing. If the end-users click Cancel testing, a window appears indicating that testing is cancelled: Figure 115: End-user Testing Cancelled
    Testing Failed Window
    When the end-user’s endpoints fail to meet the test criteria defined in the NAC policy, the end-users are...
  • Page 192: Figure 116: End-User Testing Failed Example 1

    For each NAC policy, you can specify a temporary access period should the end-users fail the tests. See “NAC Policy Tasks” on page 205 for more information. Figure 116: End-user Testing Failed Example 1 NOTE You can elect to allow access to specific services and endpoints by including them in the Quarantine/guest resources area of the System configuration>>Quarantine/guest resources window (see “Quarantine/guest resources”...
  • Page 193: Error Windows

    End-users can click Printable version to view the testing results in a printable format, as shown in the following figure: Figure 117: End-user Testing Failed, Printable Results
    Error Windows
    End-users might see any of the following error windows:
    ● Unsupported endpoint
    ●...
  • Page 194

    You can create custom error message strings that appear in the test result reports, and on the test results access window that the end-user views by editing or creating the following file: /usr/local/nac/scripts/Custom/BaseClasses/CustomStrings.py To customize the error messages: 1 Create a file using a text editor, and name it as follows: /usr/local/nac/scripts/Custom/BaseClasses/CustomStrings.py using the following format:...
  • Page 195: Table 7: Default Test Names And Descriptions

    NOTE While editing the description avoid the use of double quotes “”. Use single quotes instead. Double quotes will get interpreted by the software and can cut the string short or cause the replacement to fail. 2 Once your custom strings script is complete, and you are ready to push it out to all of the ESs: a Verify that the scripts and base classes are under the Custom directory tree as specified above.
  • Page 196

    Table 7: Default Test Names and Descriptions (continued)
    Test name: Description
    checkAutoUpdateStatus.String.5: Automatic Updates must be configured to %s. For Windows 2000, install Service Pack 4, then enable Automatic Updates by selecting: Control Panel>>Automatic Updates. For Windows XP: select Control Panel>>System>>Automatic Updates tab.
    checkAutoUpdateStatus.String.6...
  • Page 197

    Table 7: Default Test Names and Descriptions (continued)
    Test name: Description
    checkIEVersion.String.2: Internet Explorer version %s is acceptable.
    checkIEVersion.String.3: The required Internet Explorer browser was not found or is not current. Install the latest version.
    checkMicrosoftOfficeMacroSecurityLevel.String.1: The office_program and the security_level_required parameters are required.
    checkMicrosoftOfficeMacroSecurityLevel.String.2: The specified office_program or...
  • Page 198

    Table 7: Default Test Names and Descriptions (continued)
    Test name: Description
    checkServicesNotAllowed.String.2: The following services are not allowed: %s. Stop the service by selecting Control Panel>>Administrative Tools (located in the Performance and Maintenance category folder)>>Services application>>right-click on the service and select properties.
  • Page 199

    Table 7: Default Test Names and Descriptions (continued)
    Test name: Description
    checkWindowsSecurityPolicy.String.2: An unsupported operating system was encountered.
    checkWindowsSecurityPolicy.String.3: The OS is not relevant to this test.
    checkWindowsSecurityPolicy.String.4: The security setting required parameter '%s' is invalid
    checkWindowsSecurityPolicy.String.5: The following Windows security policies are configured incorrectly: %s.
  • Page 200
  • Page 201: Chapter 6: Nac Policies

    NAC Policies NAC policies determine the network access control status for endpoints. When an endpoint attempts a network connection, its attributes such as IP address, MAC address, or NetBIOS name are compared against the endpoints specified in each NAC policy until it matches a policy. The matching NAC policy determines whether the endpoint should be granted network access or quarantined.
  • Page 202: Standard Nac Policies

    The following figure shows the legend explaining the NAC policy icons: Figure 120: NAC Policies Window Legend
    Standard NAC Policies
    Sentriant AG ships with three standard NAC policies:
    ● High security
    ● Low security
    ● Medium security
    NAC policies are organized in groups. Groups include the clusters defined for your system, a Default group, and any other groups you create.
  • Page 203: Adding A Nac Policy Group

    Adding a NAC Policy Group
    To add a NAC policy group: Home window>>NAC policies 1 Click Add a NAC policy group. The Add NAC policy group window opens: Figure 121: Add NAC Policy Group 2 Type a name for the group in the Name of NAC policy group text box. 3 Optional: Select the check box next to any NAC policy to move to this group.
  • Page 204: Deleting A Nac Policy Group

    1 Click on an existing NAC policy group name (for example, Default). The NAC policy group window opens. Figure 122: Edit NAC Policy Group 2 Make any changes required. See “Adding a NAC Policy Group” on page 203 for details on NAC policy group options.
  • Page 205: Nac Policy Tasks

    NAC Policy Tasks
    This section describes the following NAC policy tasks:
    ● “Enabling or Disabling a NAC Policy” on page 205
    ● “Changing the NAC Policy Selection Order” on page 205
    ● “Selecting the Default NAC Policy” on page 206
    ●...
  • Page 206: Selecting The Default Nac Policy

    determine the access control status of the endpoint. If the endpoint does not match any NAC policy, the default, or last, policy in the group is assigned to the endpoint. Changing the selection order is useful for a variety of reasons. Consider the following scenarios:
    ● You might want to place a NAC policy containing blacklisted endpoints first within the selection...
  • Page 207: Figure 125: Add A Nac Policy, Basic Settings Area

    To create a new NAC policy: Home window>>NAC policies 1 Click Add a NAC policy. The Add NAC policy window opens, as shown in the following figure: Figure 125: Add a NAC Policy, Basic Settings Area 2 Enter a NAC Policy name. This name will appear with endpoint information throughout the Sentriant AG management user interface, so we suggest you use a name that is meaningful and memorable.
  • Page 208

    ■ innocent until proven guilty - Endpoints assigned to the policy are granted access to the network by default, but they must comply with the policy. After being allowed on the network, all enabled Tests are performed on the endpoint. It will be quarantined only if it fails a test that stipulates a quarantine action.
  • Page 209

    endpoints, you can disable or delete the policy and re-enable the copied policy to re-establish the previous access control behavior. 9 In the Untestable endpoints area, select the Allowed unsupported OSs of endpoints assigned to the NAC policy which cannot be tested but will be granted network access.
    ■ Unsupported Windows (Windows 3.x, NT, 95, 98, ME)
    ■...
  • Page 210: Figure 126: Add A Nac Policy, Endpoints Area

    11 Click the Endpoints menu option to open the Endpoints window, shown in the following figure: Figure 126: Add a NAC Policy, Endpoints Area 12 Enter one or more sets of endpoints to be assigned to the NAC policy. a Select an ID type.
  • Page 211

    ● NetBIOS name - Select this option to enter one or more NetBIOS names of individual endpoints. Wildcards (*) may be used to specify multiple NetBIOS names.
    ● Windows domain - Select this option to enter one or more Windows domain names configured...
  • Page 212: Figure 127: Add Nac Policy, Tests Area

    NOTE Compliance tests can be configured only if the setting Compliance-test endpoints is set to yes. Figure 127: Add NAC Policy, Tests Area
  • Page 213: Figure 128: Nac Policy Test Failure Icons

    A legend for the test failure icons can be accessed in the upper right-hand corner as shown in the following figure. Figure 128: NAC Policy Test Failure Icons 14 Enable a test in the NAC policy by clicking the checkbox next to the test name. 15 Select a test by clicking the test’s name to the right of its associated checkbox.
  • Page 214: Editing A Nac Policy

    NOTE The endpoint must have the patch manager client already installed, the service must be available on the network, and the patch manager must be configured to fix this test failure. In addition, you must have purchased a patch management license.
  • Page 215: Deleting A Nac Policy

    Deleting a NAC Policy
    To delete an existing NAC policy: Home window>>NAC policies 1 Click the delete link to the right of the NAC policy you want to delete. A confirmation window appears. 2 Click yes.
    Moving a NAC Policy Between NAC Policy Groups
    To move a NAC policy between NAC policy groups: Home window>>NAC policies 1 To open the NAC policies window, click a NAC policy name.
  • Page 216
  • Page 217: Chapter 7: Quarantined Networks

    Quarantined Networks
    This chapter describes the following general Sentriant AG quarantine information:
    ● “New End-Users” on page 217
    ● “Shared Resources” on page 217
    ● “Untestable Endpoints and DHCP Mode” on page 217
    New End-Users
    The process Sentriant AG follows for allowing end-users to connect is: Inline mode—An IP address is assigned to the endpoint outside of Sentriant AG.
  • Page 218: Windows Domain Authentication And Quarantined Endpoints

    If you allow an untested endpoint to have access, there are several important items to keep in mind. The IP address granted by your DHCP server has a lease expiration period that cannot be affected by the Sentriant AG server. Once an untested endpoint has been allowed access and assigned a non-quarantined IP address by your DHCP server, that endpoint has continual access through that IP address until the IP address lease expires.
  • Page 219

    3 Ensure that each ES has a valid, fully qualified domain name (FQDN) and that the domain portion matches the domain for the registered Windows domain. 4 Ensure that each ES is configured with one or more valid DNS servers that can fully resolve (both A and PTR records) each ES.
  • Page 220
  • Page 221: Chapter 8: High Availability And Load Balancing

    High Availability and Load Balancing
    High Availability
    High availability occurs when one or more ESs take over for an ES that has become unavailable in a multiple-server installation. Once an ES becomes unavailable, the other ESs take over enforcement from the ES that is now unavailable.
  • Page 222: Figure 129: Inline Installations

    unavailable, the switch reconnects so that there is always a path from the VPN to an ES. All of the ES firewalls continuously stay in sync with each other. Figure 129: Inline Installations
  • Page 223: Figure 130: Dhcp Installation

    Figure 130: DHCP Installation
  • Page 224: Figure 131: 802.1X Installation

    Figure 131: 802.1X Installation
  • Page 225: Load Balancing

    Load Balancing
    Load balancing distributes the testing of endpoints across all Sentriant AG ESs in a cluster. Sentriant AG uses a hashing algorithm based on MAC or IP addresses to divide the endpoints between the ESs. If the MAC address is unavailable (untestable endpoint) the IP address is used to determine which ES should test an endpoint.
  • Page 226
  • Page 227: Chapter 9: Inline Quarantine Method

    Inline Quarantine Method
    Inline is the most basic Sentriant AG installation. When deploying Sentriant AG inline, Sentriant AG monitors and enforces all endpoint traffic. Sentriant AG allows endpoints to access the network or blocks endpoints from accessing the network based on their Internet Protocol (IP) address with a built-in firewall (iptables).
  • Page 228: Figure 132: Inline Installations

    Figure 132: Inline Installations NOTE You can install Sentriant AG at any “choke point” in your network; a VPN is not required.
  • Page 229: Chapter 10: Dhcp Quarantine Method

    DHCP Quarantine Method When configured with a Dynamic Host Configuration Protocol (DHCP) quarantine area, all endpoints requesting a DHCP IP address are issued a temporary address on a quarantine subnetwork. Once the endpoint is allowed access, the IP address is renewed and the main DHCP server assigns an address to the main LAN.
  • Page 230: Configuring Sentriant Ag For Dhcp

    See the Sentriant AG Installation Guide for more information on installing Sentriant AG in DHCP mode. Figure 133: DHCP Installation
    Configuring Sentriant AG for DHCP
    The primary configuration required for using Sentriant AG and DHCP is setting up the quarantine area (see “Setting up a Quarantine Area”...
  • Page 231: Setting Up A Quarantine Area

    ■ Static routes assigned to the endpoint (see “Adding a DHCP Quarantine Area” on page 109)
    ● “Deploying Sentriant AG using DHCP” in the Sentriant AG Installation Guide.
    Setting up a Quarantine Area
    Set up a restricted area of your network that users can access when you do not want to allow full access to the network.
  • Page 232

    http://www.microsoft.com/technet/windowsserver/wsus/default.mspx) and make sure that this server is listed in Quarantine/guest resources (“Quarantine/guest resources” on page 123).
  • Page 233: Chapter 11: 802.1X Quarantine Method

    802.1X Quarantine Method
    About 802.1X
    802.1X is a port-based authentication protocol that can dynamically vary encryption keys, and has three components as follows:
    ● Supplicant—The client; the endpoint that wants to access the network.
    ● Authenticator–The access point, such as a switch, that prevents access when authentication fails.
    ●...
  • Page 234: Sentriant Ag And 802.1X

    7 The AP (authenticator) allows or blocks the client’s (supplicant’s) access to the network by controlling which ports are open or closed. Figure 134: 802.1X Components
    Sentriant AG and 802.1X
    When configured as 802.1X-enabled, Sentriant AG can be installed with two different configurations depending on your network environment:
    ● Proxying RADIUS requests to an existing RADIUS server
    ●...
  • Page 235: Figure 135: Sentriant Ag 802.1X Enforcement

    Figure 135: Sentriant AG 802.1X Enforcement
  • Page 236: Figure 136: 802.1X Communications

    Figure 136: 802.1X Communications
  • Page 237: Setting Up The 802.1X Components

    Setting up the 802.1X Components
    In order to use Sentriant AG in an 802.1X environment, Extreme Networks, Inc. recommends configuring your environment first, then installing and configuring Sentriant AG. This section provides instructions for the following:
    ● “Setting up the RADIUS Server” on page 237
    ●...
  • Page 238

    type= radius
    authhost= <RADIUS host or IP>:<RADIUS auth port>
    accthost= <RADIUS host or IP>:<RADIUS acct port>
    secret= <the shared secret for your RADIUS server>
    d Save and exit the file. NOTE The realm NULL section must go after the realm LOCAL section, or you can comment out the realm LOCAL section. 2 Configure your RADIUS server to allow the Sentriant AG IP address as a client with the shared secret specified in the previous step.
  • Page 239

    #"HealthyRadiusAttributes"
        Tunnel-Medium-Type := 6,
        Tunnel-Private-Group-ID := 50,
        Tunnel-Type := VLAN,
    #"CheckupRadiusAttributes"
        Tunnel-Medium-Type := 6,
        Tunnel-Private-Group-ID := 50,
        Tunnel-Type := VLAN,
    "QuarantineRadiusAttributes"
        Tunnel-Medium-Type := 6,
        Tunnel-Private-Group-ID := 15,
        Tunnel-Type := VLAN,
    "InfectedRadiusAttributes"
        Tunnel-Medium-Type := 6,
        Tunnel-Private-Group-ID := 15,
        Tunnel-Type := VLAN,
    "UnknownRadiusAttributes"...
  • Page 240: Using The Built-In Sentriant Ag Radius Server For Authentication

    # TO DO - Uncomment if you want different switches to have different attributes. Posture is Healthy, Checkup, Quarantine, Infected, or Unknown. This entry must come after the default set of attributes in the file.
    #"<POSTURE>RadiusAttributes-<NAS IP ADDRESS>"
        Tunnel-Medium-Type := 6,
        Tunnel-Private-Group-ID := 15,
        Tunnel-Type := VLAN,...
  • Page 241: Setting Up The Supplicant

    1 In the Select a quarantine method area, select the 802.1X quarantine method radio button. Figure 137: Enabling 802.1X in the User Interface 2 In 802.1X enforcement mode, the ESs must be able to watch DHCP conversations and detect endpoints by sniffing network traffic as it flows between the DHCP server and the endpoints.
  • Page 242: Windows Xp Professional Setup

    using Classic View. The instructions in this section assume you are using Classic View in both cases.
    Windows XP Professional Setup
    To enable a Windows XP Professional endpoint for 802.1X: Windows desktop>>Start>>Settings>>Network Connections 1 Right-click on Local Area Connection. 2 Select Properties.
  • Page 243: Windows Xp Home Setup

    5 Select the Authentication tab. Figure 139: Windows XP Pro Local Area Connection Properties, Authentication Tab 6 Select the Enable IEEE 802.1X authentication for this network check box. 7 Select an EAP type from the drop-down list. For this example, select MD5-Challenge.
  • Page 244: Windows 2000 Professional Setup

    2 Configure the network connections: Windows desktop>>Start>>Settings>>Control Panel>>Network Connections 3 Right-click on Local Area Connection. Select Properties. The Local Area Connection window appears (Figure 138 on page 242). 4 Select the General tab. 5 Select the Show icon in notification area when connected check box. This enables the Windows XP balloon help utility, which can assist you when entering information and troubleshooting errors.
  • Page 245: Figure 140: Windows 2000 Local Area Connection Properties, General Tab

    a Right-click on Local Area Connection. Select Properties. The Local Area Connection window appears. Figure 140: Windows 2000 Local Area Connection Properties, General Tab b Select the General tab. c Select the Show icon in taskbar when connected check box. d Select the Authentication tab.
  • Page 246: Windows Vista Setup

    g Clear or select the Authenticate as computer when computer information is available check box. The choice is yours. h Click OK. 3 Select to reboot if necessary.
    Windows Vista Setup
    NOTE Frequently when performing actions on Windows Vista, the User Account Control window pops up and asks you to select Continue to authorize the action.
  • Page 247: Figure 143: Windows Vista Local Area Connection, Networking Tab

    2 Configure the network connections: Windows desktop>>Start>>Settings>>Network Connections 3 Right-click on Local Area Connection. 4 Select Properties. The Local Area Connection window appears: Figure 143: Windows Vista Local Area Connection, Networking Tab 5 Select the Authentication tab. Figure 144: Windows Vista Local Area Connection Properties, Authentication Tab
  • Page 248: Setting Up The Authenticator

    ● “Cisco® 2950 IOS” on page 248
    ● “Cisco® 4006 CatOS” on page 249
    ● “Enterasys® Matrix 1H582-25” on page 249
    ● “Extreme Networks® Summit 48si” on page 250
    ● “ExtremeWare” on page 251
    ● “ExtremeXOS” on page 251
    ● “Foundry® FastIron® Edge 2402” on page 252
    ●...
  • Page 249: Cisco® 4006 Catos

    802.1X Quarantine Method
      dot1x guest-vlan 5
      dot1x reauthentication
      spanning-tree portfast
    interface FastEthernet0/3
      switchport mode access
      dot1x port-control auto
      dot1x timeout quiet-period 30
      dot1x guest-vlan 5
      dot1x reauthentication
      spanning-tree portfast
    interface FastEthernet0/4
      switchport mode access
      dot1x port-control auto
      dot1x timeout quiet-period 30
      dot1x guest-vlan 5
      dot1x reauthentication
      spanning-tree portfast...
  • Page 250: Extreme Networks® Summit 48Si

    30
    set radius server 1 10.11.100.10 1812 02108000AE5BA9C47EDC24F2CA6529EE4CCC8930BBD70F5AAA2CF0C5DBAA5DA97FADFE95
    set radius enable
    Extreme Networks® Summit 48si
    NOTE When authenticating via the onboard FreeRADIUS server, you need to add the administrative line in the RADIUS users file.
    NOTE Change the admin password to a non-blank password.
  • Page 251: Extremeware

    802.1X Quarantine Method
    ExtremeWare
    NOTE When authenticating via the onboard FreeRADIUS server, you need to add the administrative line in the RADIUS users file.
    NOTE Change the admin password to a non-blank password.
    create vlan "Quarantine"
    create vlan "Test"
    # RADIUS configuration
    enable radius
    configure radius primary shared-secret encrypted "ouzoisgprdr#s{fqa"...
  • Page 252: Foundry® Fastiron® Edge 2402

    802.1X Quarantine Method
    enable netlogin session-refresh 3
    configure netlogin base-url "network-access.com"
    configure netlogin redirect-page "http://www.extremenetworks.com"
    configure netlogin banner ""
    Foundry® FastIron® Edge 2402
    dot1x-enable
     auth-fail-action restricted-vlan
     auth-fail-vlanid 5
     mac-session-aging no-aging permitted-mac-only
     enable ethe 1 to 4
    aaa authentication dot1x default radius
    radius-server host 10.11.100.10 auth-port 1812 acct-port 1813 default key 1 $6\- ndUnoS!--+sU@
    interface ethernet 1...
  • Page 253: Hp Procurve 530Ap

    802.1X Quarantine Method
    HP ProCurve Access Point 420(if-wireless-g-ssid-1)#radius-authentication-server address <IP of RADIUS Server>
    HP ProCurve Access Point 420(if-wireless-g-ssid-1)#radius-authentication-server key <Shared RADIUS secret>
    HP ProCurve Access Point 420(if-wireless-g-ssid-1)#radius-authentication-server vlan-format ascii
    HP ProCurve Access Point 420(if-wireless-g-ssid-1)#ssid Enterprise420
    HP ProCurve Access Point 420(if-wireless-g-ssid-1)#vlan 100 tagged
    HP ProCurve Access Point 420(if-wireless-g-ssid-1)#security-suite 6 wpa-wpa2
    HP ProCurve Access Point 420(if-wireless-g-ssid-1)#enable
    HP ProCurve Access Point 420(if-wireless-g-ssid-1)#end...
  • Page 254: Hp Procurve 3400/3500/5400

    802.1X Quarantine Method
    Dynamic WEP.
    ProCurve Access Point 530#conf
    ProCurve Access Point 530(config)#interface ethernet
    ProCurve Access Point 530(ethernet)#ip address <IP of Access Point> <Netmask>
    ProCurve Access Point 530(ethernet)#ip default-gateway <IP of Gateway>
    ProCurve Access Point 530(ethernet)#management-vlan 200
    ProCurve Access Point 530(ethernet)#untagged-vlan 200
    ProCurve Access Point 530(radio1-wlan1)#ssid Enterprise530
    ProCurve Access Point 530(radio1-wlan1)#closed
    ProCurve Access Point 530(radio1-wlan1)#vlan 100...
  • Page 255: Creating Custom Expect Scripts

    802.1X Quarantine Method
    radius-server host 10.0.0.5
    radius-server secondary-host 0.0.0.0
    radius-server port 1812
    ! radius-server key ********
    Enable 802.1X:
    eapol enable
    interface FastEthernet ALL
    eapol port 1-2 status auto traffic-control in-out re-authentication enable re-authentication-period 3600 re-authenticate quiet-interval 60 transmit-interval 30 supplicant-timeout 30 server-timeout 30 max-request 2
    Vlan Info:
    vlan create 10 name "production"...
  • Page 256: Figure 145: Nortel Initialization Script

    802.1X Quarantine Method authentication script, it is logged and returned to the user. If an expect command times out, the current expect buffer is logged and returned to the user. As an example, the following figures show the initial scripts used for a Nortel device in the Sentriant AG user interface.
  • Page 257: Table 8: Expect Script Commands And Parameters

    802.1X Quarantine Method The expect scripts use the following commands:
    Table 8: Expect Script Commands and Parameters
    Command: expect [OPTIONS] TEXT
    Description and parameters: Waits for TEXT to appear on the connection input, where OPTION is one of three optional parameters: •...
  • Page 258 802.1X Quarantine Method
    ● IS_SSH—Set to "true" for an SSH connection (otherwise unset)
    The following variables may be referenced from the re-authentication script:
    ● PORT—The endpoint's port
    ● PORT_ID—The endpoint's port ID, usually the same as PORT
    ● —The MAC address of the endpoint in colon/hex format (hh:hh:hh:hh:hh:hh)
    ●...
  • Page 259 802.1X Quarantine Method
      send exit
      expect (config)#
    Exit script:
      send exit
      expect #
      send exit
      expect press or to select option.
      send -noreturn l
    The conditions in the above scripts are driven by the values of the variables entered by the user, but sometimes it is necessary to drive conditions from interactions with the switch.
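    The send/expect model above, as an added illustration that is not Sentriant AG's script engine: a small Python interpreter runs a re-authentication script made of send, send -noreturn and expect lines against a constructed fake switch CLI, expands the PORT, PORT_ID and IS_SSH variables (the ${NAME} expansion syntax, the MAC variable name and the fake prompts are assumptions), and reproduces the failure mode the text describes: when an expect cannot be satisfied, the current expect buffer is logged and the script stops. The second call in the test drives that path by re-authenticating a port the switch rejects.

```python
import re
import shlex

# Prompt the constructed switch prints after every command, by CLI mode.
PROMPTS = {
    "exec": "switch#",
    "config": "switch(config)#",
    "config-if": "switch(config-if)#",
    "menu": "press l to select option.",
}


class FakeSwitch:
    """Constructed stand-in for an authenticator's CLI session (not a real device)."""

    def __init__(self, valid_ports):
        self.valid_ports = set(valid_ports)
        self.modes = ["exec"]
        self.buffer = ""  # output the script has not yet consumed with expect
        self.sent = []

    def write(self, text):
        self.sent.append(text)
        cmd, mode = text.strip(), self.modes[-1]
        if mode == "menu":
            if cmd == "l":  # menu selection arrives without a trailing newline
                self.buffer += "Logged out.\n"
                self.modes = ["exec"]
            return
        if cmd == "configure terminal" and mode == "exec":
            self.modes.append("config")
        elif cmd.startswith("interface ") and mode == "config":
            if cmd.split()[1] in self.valid_ports:
                self.modes.append("config-if")
            else:
                self.buffer += "% Invalid input detected\n"
        elif cmd == "exit":
            if len(self.modes) > 1:
                self.modes.pop()
            else:
                self.modes.append("menu")  # leaving exec drops to the login menu
        self.buffer += PROMPTS[self.modes[-1]] + "\n"

    def read(self):
        out, self.buffer = self.buffer, ""
        return out


def substitute(text, variables):
    """Expand ${NAME} references from the script variables (expansion syntax assumed)."""
    return re.sub(r"\$\{(\w+)\}", lambda m: str(variables.get(m.group(1), "")), text)


def run_script(script, switch, variables):
    """Execute send/expect lines against switch; return (ok, log).

    An expect not satisfied by the output received so far stands in for the real
    engine's timeout: the current expect buffer is logged and the script stops."""
    log, buffer = [], ""
    for lineno, raw in enumerate(script.strip().splitlines(), 1):
        parts = shlex.split(raw)
        if not parts:
            continue
        cmd, args = parts[0], parts[1:]
        if cmd == "send":
            newline = "\n"
            if args and args[0] == "-noreturn":
                newline, args = "", args[1:]
            switch.write(substitute(" ".join(args), variables) + newline)
        elif cmd == "expect":
            wanted = substitute(" ".join(args), variables)
            buffer += switch.read()
            if wanted in buffer:
                buffer = buffer[buffer.index(wanted) + len(wanted):]
                log.append(f"line {lineno}: matched {wanted!r}")
            else:
                log.append(f"line {lineno}: timeout waiting for {wanted!r}; buffer={buffer!r}")
                return False, log
        else:
            log.append(f"line {lineno}: unknown command {cmd!r}")
            return False, log
    return True, log


# Re-authentication script in the style of the Nortel example above (constructed).
REAUTH_SCRIPT = """
send configure terminal
expect (config)#
send interface ${PORT}
expect (config-if)#
send exit
expect (config)#
send exit
expect switch#
send exit
expect press l to select option.
send -noreturn l
expect Logged out.
"""


def reauthenticate(port, mac, is_ssh=True, valid_ports=("1", "2", "3", "4")):
    """Run the script for one endpoint; return (ok, log, commands sent)."""
    variables = {"PORT": port, "PORT_ID": port, "MAC": mac,
                 "IS_SSH": "true" if is_ssh else ""}
    switch = FakeSwitch(valid_ports)
    log = [f"re-authenticating {mac} on port {port} (ssh={variables['IS_SSH'] or 'unset'})"]
    ok, script_log = run_script(REAUTH_SCRIPT, switch, variables)
    return ok, log + script_log, switch.sent
```

    The buffer carried in the timeout entry is what makes a failed script diagnosable: it shows the switch's actual reply (here the "% Invalid input" line) instead of only the prompt the script was waiting for.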
  • Page 261: Chapter 12: Api

    Overview The Sentriant AG Application Programming Interface (API) is based on the Java Message Service (JMS). Sentriant AG ships with version 3.1 of the ActiveMQ JMS provider (http://activemq.apache.org/), an open source implementation of JMS. Sentriant AG API communication is illustrated in Figure 148, where: JMS Message Bus—Sentriant AG ships with the ActiveMQ Java Message Service (JMS) provider.
  • Page 262: Setting Sentriant Ag Properties

    Figure 148: Sentriant AG API Communication Sentriant AG is continually testing endpoints that attempt to connect to your network and publishes information about those endpoints as Events to Topics. For example, when an endpoint that cannot be tested attempts to connect, Sentriant AG quarantines the endpoint and publishes a DeviceChangeEvent to that topic. Setting Sentriant AG Properties Most Sentriant AG properties are set by default.
  • Page 263: Setting Firewall Rules

    ● Compliance.System.JMSProvider.UserName
    ● Compliance.System.JMSProvider.Password
    Test results are published when they happen. To change or set API properties: Sentriant AG MS command line window 1 Using a text editor, create the XML file in the following directory: /usr/local/nac/bin 2 Edit any properties. 3 Save and exit the file.
  • Page 264: Examples Of Events Generated

    Examples of Events Generated The following shows examples of information returned for generated events:
    -------------------------------------------------------------------------
    <MNMDeviceChangeEvent>
      <device>
        <uniqueId>5928e8f98d4ce49c6c03529ca4325b5e</uniqueId>
        <ip>10.1.13.29</ip>
        <mac>00:11:43:4F:15:D6</mac>
        <netbiosName>SSLJDOE</netbiosName>
        <domainName>MyCompany</domainName>
        <userName>administrator</userName>
        <loggedOnUser>administrator</loggedOnUser>
        <os>Windows</os>
        <osDetails>XP SP2</osDetails>
        <policyId>LowSecurity</policyId>
        <lastTestTime>1157042366000</lastTestTime>
        <lastTestStatusId>PASSED</lastTestStatusId>
        <gracePeriod>-1</gracePeriod>
        <gracePeriodStart>0</gracePeriodStart>
        <createTime>1156536669000</createTime>
        <lastActivityTime>1157045939456</lastActivityTime>
        <lastConnectTime>1157044195000</lastConnectTime>
        <lastDisconnectTime>0</lastDisconnectTime>
        <postureToken>healthy</postureToken>
        <nodeId>b198ada2-06ce-4e30-bbb9-bcc11ffa777b</nodeId>
        <clusterId>5b227ee9-5085-4bbc-9c6f-dd57900eaa1f</clusterId>
        <accessStatusId>QUARANTINED_BY_POLICY</accessStatusId>
        <nextTestTime>1157049566000</nextTestTime>...
  • Page 265
        <gracePeriodStart>1157042301000</gracePeriodStart>
        <createTime>1157042283000</createTime>
        <lastActivityTime>1157046201262</lastActivityTime>
        <lastConnectTime>1157040486000</lastConnectTime>
        <lastDisconnectTime>0</lastDisconnectTime>
        <postureToken>checkup</postureToken>
        <nodeId>b198ada2-06ce-4e30-bbb9-bcc11ffa777b</nodeId>
        <clusterId>5b227ee9-5085-4bbc-9c6f-dd57900eaa1f</clusterId>
        <accessStatusId>ALLOWED_BY_POLICY</accessStatusId>
        <nextTestTime>1157053406845</nextTestTime>
        <nadPort></nadPort>
        <nadIP></nadIP>
        <sessionAccess>-1</sessionAccess>
        <sessionAccessEnd>0</sessionAccessEnd>
        <otherDeviceProperties>
          <entry>
            <string>OS</string>
            <string>Windows</string>
          </entry>
        </otherDeviceProperties>
        <lastUpdateTime>1157046206846</lastUpdateTime>
        <testingMethod>AGENTLESS</testingMethod>
      </device>
      <testResults>
        <TestResultInfo>
          <timestamp>1157046206801</timestamp>
          <gracePeriod>604800</gracePeriod>
          <testName>Windows 2000 hotfixes</testName>
          <testClass>Check2000HotFixes</testClass>
          <testModule>check2000HotFixes</testModule>
          <testGroup>OperatingSystem</testGroup>
          <actionsTaken>access allowed, temporary access period continuing from 8/31/06 10:38 AM, email not sent</actionsTaken>...
  • Page 266: Java Program And Command For Events

          <previousResultCode>pass</previousResultCode>
        </TestResultInfo>
        <TestResultInfo>
          <timestamp>1157046206801</timestamp>
          <gracePeriod>0</gracePeriod>
          <testName>Worms, viruses, and trojans</testName>
          <testClass>CheckWormsVirusesAndTrojans</testClass>
          <testModule>checkWormsVirusesAndTrojans</testModule>
          <testGroup>Software</testGroup>
          <actionsTaken>none</actionsTaken>
          <debugInfo>None</debugInfo>
          <severity>1</severity>
          <statusCode>1</statusCode>
          <resultCode>pass</resultCode>
          <resultMessage>No worms, viruses or trojans were found.</resultMessage>
          <policyId>LowSecurity</policyId>
          <mostSeriousInRun>false</mostSeriousInRun>
          <previousResultCode>pass</previousResultCode>
        </TestResultInfo>
      </testResults>
      <ip>10.1.70.101</ip>
      <id>b198ada2-06ce-4e30-bbb9-bcc11ffa777b</id>
      <originalTimeStamp>1157046206882</originalTimeStamp>
    </MNMDeviceTestedEvent>
    -------------------------------------------------------------------------
    Java Program and Command for Events Sentriant AG ships with a sample shell script that invokes Java code that can be used to listen for JMS events.
  • Page 267: Examples Of Requests

    ● PutDeviceInfo—Sets endpoint properties
    Examples of Requests The following shows examples of information for requests supported:
    ------------------------------------------------------------
    <TemporarilyAllowAccessRequest>
      <requestParameters>
        <entry>
          <string>DURATION</string>
          <int>24</int>
        </entry>
        <entry>
          <string>DEVICE_LIST</string>
          <list>
            <DeviceType>
              <ip>192.168.1.128</ip>
            </DeviceType>
          </list>
        </entry>
      </requestParameters>
    </TemporarilyAllowAccessRequest>
    <TemporarilyDenyAccessRequest>
      <requestParameters>
        <entry>
          <string>DURATION</string>
          <int>24</int>
        </entry>
        <entry>...
  • Page 268
      <requestParameters>
        <entry>
          <string>DEVICE_LIST</string>
          <list>
            <DeviceType>
              <ip>192.168.1.128</ip>
            </DeviceType>
          </list>
        </entry>
      </requestParameters>
    </DeviceInfoRequest>
    <PutDeviceInfoRequest>
      <requestParameters>
        <entry>
          <string>DEVICE_LIST</string>
          <list>
            <DeviceType>
              <ip>192.168.1.128</ip>
              <otherDeviceProperties>
                <entry>
                  <string>key1</string>
                  <string>value1</string>
                </entry>
                <entry>
                  <string>key2</string>
                  <string>value2</string>
                </entry>
              </otherDeviceProperties>
            </DeviceType>
          </list>
        </entry>
      </requestParameters>
    </PutDeviceInfoRequest>
    -------------------------------------------------------------
    The DeviceInfoRequest command replies with output that includes a special XML file as NacResponse...
  • Page 269: Post-Connect Request Example

        <gracePeriod>0</gracePeriod>
        <gracePeriodStart>0</gracePeriodStart>
        <createTime>1186594414243</createTime>
        <lastActivityTime>1186603364486</lastActivityTime>
        <lastConnectTime>1186594301738</lastConnectTime>
        <lastDisconnectTime>0</lastDisconnectTime>
        <postureToken>unknown</postureToken>
        <nodeId>158251f6-2ce8-4d34-b9e8-d724c175d34a</nodeId>
        <clusterId>4e193379-a492-4fd8-a31c-37e722b14449</clusterId>
        <accessStatusId>QUARANTINED_BY_POLICY</accessStatusId>
        <nextTestTime>1186597121116</nextTestTime>
        <nadPort/>
        <nadPortId/>
        <nadIP/>
        <nadUser/>
        <sessionAccess>-1</sessionAccess>
        <sessionAccessEnd>0</sessionAccessEnd>
        <otherDeviceProperties>
          <entry>
            <string>key1</string>
            <string>value1</string>
          </entry>
          <entry>
            <string>OS</string>
            <string>Windows XP SP1+, 2000 SP3</string>
          </entry>
          <entry>
            <string>key2</string>
            <string>value2</string>
          </entry>
        </otherDeviceProperties>
        <lastUpdateTime>1186603474724</lastUpdateTime>
        <testingMethod>NONE</testingMethod>
        <expectingIpTransitionStartTime>-1</expectingIpTransitionStartTime>
        <expectingIpTransitionEndTime>-1</expectingIpTransitionEndTime>
        <expectingIpTransition>false</expectingIpTransition>
        <lastFetchUniqueIdTime>0</lastFetchUniqueIdTime>...
  • Page 270: Java Program And Command For Requests

    <TemporarilyDenyAccessRequest>
      <requestParameters>
        <entry>
          <string>DURATION</string>
          <int>10</int>
        </entry>
        <entry>
          <string>EXTERNAL_QUARANTINE_PRODUCT_ID</string>
          <string>StrataGuard</string>
        </entry>
        <entry>
          <string>EXTERNAL_QUARANTINE_INSTANCE_NAME</string>
          <string>Warehouse Monitor</string>
        </entry>
        <entry>
          <string>EXTERNAL_QUARANTINE_REASONS</string>
          <list>
            <string>WEB-CLIENT Microsoft ANI file parsing overflow</string>
            <string>DOS Ipswitch WS_FTP log server long unicode string</string>
          </list>
        </entry>
        <entry>
          <string>DEVICE_LIST</string>
          <list>
            <DeviceType>
              <ip>10.1.102.2</ip>
            </DeviceType>
          </list>...
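    The event and request formats shown in this chapter, tied together as an added example that is not Sentriant AG's own API client or sample code: the code parses an MNMDeviceTestedEvent as it would be read off the JMS bus, picks out the failing TestResultInfo entries, and serializes a TemporarilyDenyAccessRequest in the element layout above for the tested endpoint. The sample event is constructed (trimmed to the fields used, with an invented failing result); the severity threshold, the EXTERNAL_QUARANTINE_PRODUCT_ID and EXTERNAL_QUARANTINE_INSTANCE_NAME values, and the choice of a 10 hour DURATION are assumptions for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the MNMDeviceTestedEvent shown above,
# trimmed to the fields used below; the failing result is invented.
SAMPLE_TESTED_EVENT = """<MNMDeviceTestedEvent>
  <device>
    <ip>10.1.70.101</ip>
    <mac>00:11:43:4F:15:D6</mac>
    <policyId>LowSecurity</policyId>
    <accessStatusId>ALLOWED_BY_POLICY</accessStatusId>
  </device>
  <testResults>
    <TestResultInfo>
      <testName>Windows 2000 hotfixes</testName>
      <severity>1</severity>
      <resultCode>pass</resultCode>
      <resultMessage>All required hotfixes are installed.</resultMessage>
    </TestResultInfo>
    <TestResultInfo>
      <testName>Worms, viruses, and trojans</testName>
      <severity>3</severity>
      <resultCode>fail</resultCode>
      <resultMessage>A known worm process is running.</resultMessage>
    </TestResultInfo>
  </testResults>
  <id>b198ada2-06ce-4e30-bbb9-bcc11ffa777b</id>
</MNMDeviceTestedEvent>"""


def parse_tested_event(xml_text):
    """Return (device dict, list of failed TestResultInfo dicts) for one event.

    Anything else arriving on the topic is rejected by root tag rather than
    being silently treated as a test result."""
    root = ET.fromstring(xml_text)
    if root.tag != "MNMDeviceTestedEvent":
        raise ValueError("not a MNMDeviceTestedEvent: %s" % root.tag)
    device = root.find("device")
    info = {field: device.findtext(field, "")
            for field in ("ip", "mac", "policyId", "accessStatusId")}
    failures = [
        {
            "testName": tr.findtext("testName", ""),
            "severity": int(tr.findtext("severity", "0")),
            "resultMessage": tr.findtext("resultMessage", ""),
        }
        for tr in root.iter("TestResultInfo")
        if tr.findtext("resultCode") == "fail"
    ]
    return info, failures


def _entry(params, key):
    """Append an <entry> whose first child is the <string> key; return it."""
    entry = ET.SubElement(params, "entry")
    ET.SubElement(entry, "string").text = key
    return entry


def build_deny_request(ips, duration_hours, product_id, instance_name, reasons):
    """Serialize a TemporarilyDenyAccessRequest in the element layout shown above."""
    root = ET.Element("TemporarilyDenyAccessRequest")
    params = ET.SubElement(root, "requestParameters")
    ET.SubElement(_entry(params, "DURATION"), "int").text = str(duration_hours)
    ET.SubElement(_entry(params, "EXTERNAL_QUARANTINE_PRODUCT_ID"), "string").text = product_id
    ET.SubElement(_entry(params, "EXTERNAL_QUARANTINE_INSTANCE_NAME"), "string").text = instance_name
    reason_list = ET.SubElement(_entry(params, "EXTERNAL_QUARANTINE_REASONS"), "list")
    for reason in reasons:
        ET.SubElement(reason_list, "string").text = reason
    device_list = ET.SubElement(_entry(params, "DEVICE_LIST"), "list")
    for ip in ips:
        ET.SubElement(ET.SubElement(device_list, "DeviceType"), "ip").text = ip
    return ET.tostring(root, encoding="unicode")


def deny_request_for(event_xml, min_severity=2, duration_hours=10,
                     product_id="ExampleMonitor", instance_name="Event Listener"):
    """Return a deny request for the tested endpoint when a test failed at or
    above min_severity, else None. Threshold, product id and instance name are
    assumptions for this illustration, not values defined by the product."""
    info, failures = parse_tested_event(event_xml)
    serious = [f for f in failures if f["severity"] >= min_severity]
    if not serious:
        return None
    reasons = ["%s: %s" % (f["testName"], f["resultMessage"]) for f in serious]
    return build_deny_request([info["ip"]], duration_hours, product_id, instance_name, reasons)
```

    The request is built with ElementTree rather than string concatenation so that test names and messages containing &, < or quotes are escaped correctly; the reasons list is what appears in the user interface when an external product quarantines an endpoint, so it should carry the test name and message, not an internal identifier.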
  • Page 271: Chapter 13: Remote Device Activity Capture

    Remote Device Activity Capture This section describes two ways to achieve Remote Device Activity Capture (RDAC):
    ● Creating a DAC host
    ● Using the Infoblox connector
    Creating a DAC Host Sentriant AG auto-discovers endpoints on your network so that the testing and transition from quarantine to non-quarantine areas happens quickly and smoothly after an endpoint is booted up.
  • Page 272: Downloading The Exe File

    Remote Device Activity Capture First, download the executable file to your Windows server, then run the installer to install the first interface. For this release, if you want to add additional interfaces, you must install them manually. A future release will expand the options in the installer to include multiple interfaces. Add any additional interfaces and start the service.
  • Page 273: Figure 149: The Dac Installshield Wizard Welcome Window

    Remote Device Activity Capture Figure 149: The DAC InstallShield Wizard Welcome Window 3 Click Next. The Setup Type window appears: Figure 150: RDAC Installer, Setup Type 4 Select Complete to install the DAC software, the Java JRE software, and the WinPcap software. If you already have the Java JRE or WinPcap installed, select Custom.
  • Page 274: Figure 151: Rdac Installer, Choose Destination Location

    Remote Device Activity Capture 5 Click Next. The Choose Destination Location window appears: Figure 151: RDAC Installer, Choose Destination Location 6 In most cases, you should accept the default location. (Click Change to select a different location.) Click Next. The Confirm New Folder window appears: Figure 152: RDAC Installer, Confirm New Folder
  • Page 275: Figure 153: Rdac Installer, Select Features

    Remote Device Activity Capture 7 Click Yes. If you selected Custom in step 4 on page 273, the Select Features window appears; otherwise the NIC Selection window appears (Figure 154): Figure 153: RDAC Installer, Select Features 8 Select the features to install. Click Next. The NIC Selection window appears: Figure 154: RDAC Installer, NIC Selection
  • Page 276: Figure 155: Rdac Installer, Tcp Port Filter Specification

    Remote Device Activity Capture 9 All of the interfaces installed on your Windows server are listed in this window. Select the one you want to use and click Next. The TCP Port Filter Specification window appears: Figure 155: RDAC Installer, TCP Port Filter Specification 10 In most cases you should accept the default entry.
  • Page 277: Figure 157: Rdac Installer, Ready To Install The Program

    Remote Device Activity Capture 11 Enter the IP address of the Enforcement Server (ES) to use. Click Next. The Ready to Install the Program window appears: Figure 157: RDAC Installer, Ready to Install the Program 12 Click Install. 13 If you selected Complete in step 4 on page 273, the InstallShield Wizard launches the Java installer first and then the WinPcap installer.
  • Page 278: Figure 158: Rdac Installer, Installshield Wizard Complete

    Remote Device Activity Capture When the installation is complete, the InstallShield Wizard Complete window appears: Figure 158: RDAC Installer, InstallShield Wizard Complete 14 The following folders and files are created:
    ● rdac: VERSION, InstallSSDAC.bat, SSDAC.bat, UninstallSSDAC.bat, wrapper.exe
    ● conf: wrapper.conf
    ●...
  • Page 279: Adding Additional Interfaces

    Remote Device Activity Capture Adding Additional Interfaces For this release, if you want to add additional interfaces, you must install them manually. A future release will expand the options in the installer to include multiple interfaces. To add additional interfaces to the DAC host: Windows server 1 Open the file with a text editor.
  • Page 280: Configuring The Ms And Es For Dac

    Remote Device Activity Capture 2 Perform the steps detailed in “Configuring the MS and ES for DAC” on page 280. 3 Go to “Starting the Windows Service”. Configuring the MS and ES for DAC 1 Create a keystore file containing a unique key, signed certificate, and a CA certificate that is required for SSL communication.
  • Page 281: Starting The Windows Service

    Remote Device Activity Capture 1 Open the DAC/conf/wrapper.conf file with a text editor. a Locate the Application Parameters section in the wrapper.conf file. You will see a list of entries like the following: wrapper.app.parameter.X Where X is the numerical value representing the order in which the parameter will be added to the command.
  • Page 282: Viewing Version Information

    Remote Device Activity Capture 1 Select Start>>Settings>>Control Panel>>Administrative Tools>>Services. The Services window appears: Figure 160: NAC Endpoint Activity Capture Service 2 Right-click on the NAC Endpoint Activity Capture service and select Start. The service is set to automatic start at the next reboot by default. Viewing Version Information To view version information: Windows server...
  • Page 283: Figure 161: Rdac Uninstall Complete

    Remote Device Activity Capture 1 Select Start>>Settings>>Control Panel>>Add or Remove Programs. 2 Click once on the DAC listing. 3 Click Remove. 4 Click Yes when asked if you want to completely remove the application and features. When the uninstallation is complete, the Uninstall Complete window appears: Figure 161: RDAC Uninstall Complete 5 Select one of the options and click Finish.
  • Page 284: Sentriant Ag To Infoblox Connector

    Remote Device Activity Capture 1 Select Start>>Settings>>Control Panel>>Add or Remove Programs. 2 Click once on the WinPcap listing. 3 Click Remove. 4 Click Yes when asked if you want to completely remove the application and features. When the uninstallation is complete, the Uninstall Complete window appears: 5 Select one of the options and click Finish.
  • Page 285 Remote Device Activity Capture 1 In the Quarantine method area, select the 802.1X radio button. 2 In the Basic 802.1X settings area, select the remote Endpoint detection location radio button. 3 Click ok. Command line window NOTE Perform the following steps on each ES in your system. 4 Log in as to the Sentriant AG ES using SSH or directly with a keyboard.
  • Page 286 Remote Device Activity Capture e Save and exit the file. Enter the following at the command line to restart the service:
    service syslog-ng restart
    7 Add the iptables firewall rule to allow this syslog traffic: a Stop iptables by entering the following at the command line:
    service nac-es stop
    fw_control stop
    b Open the following file with a text editor such as...
  • Page 287: Chapter 14: Reports

    Reports Sentriant AG generates the following types of reports:
    Table 9: Report Types and Fields
    Report: NAC policy results. Description: Lists each NAC policy and the last pass/fail policy results. Report columns: policy name, test status, # of times, ...
  • Page 288: Generating Reports

    Reports Table 9: Report Types and Fields (continued)
    Report: Test results by IP address. Description: Lists the number of tests that passed or failed for each IP address. Report columns: ip address, cluster, netbios, user, test status, ...
  • Page 289: Figure 162: Reports

    Reports The following figure shows the Reports window. Figure 162: Reports 1 In the Report drop-down list, select the report to run. 2 Select the Report period. 3 Select the Rows per page. 4 In the Endpoint search criteria area, select any of the following options to use for filtering the report: a Cluster b Endpoint NetBIOS...
  • Page 290: Viewing Report Details

    Reports 5 Select Generate report. After a short period of time the compiled report is displayed in a separate browser window. The following figure shows an example report. Figure 163: NAC Policy Results Report CAUTION The reports capability uses pop-up windows; if you have blocked pop-up windows in your browser, you will not be able to view reports.
  • Page 291: Figure 164: Test Details Report

    Reports Figure 164: Test Details Report
  • Page 292: Printing Reports

    Reports Printing Reports To print a report: Home window>>Reports 1 Select the options for the report you want to run. 2 Click Generate report. 3 Select Print. 4 Select the printer options and properties. 5 Select Print. Saving Reports to a File To save a report: Home window>>Reports 1 Select the options for the report you want to run.
  • Page 293 Reports 6 Click Save. This creates a standalone file that retains all of its graphics and formatting. 7 To print, you might need to reduce the border sizes in the File>>Page Setup dialog box for the report to print correctly.
  • Page 295: Chapter 15: Dhcp Plug-In

    DHCP Plug-in The Dynamic Host Configuration Protocol (DHCP) plug-in is an optional feature that allows you to use one or more DHCP servers (without an installation of Sentriant AG in front of each DHCP server) as shown in the following figure: Figure 165: DHCP Plug-in The DHCP plug-in is a Microsoft DHCP plug-in that utilizes the Microsoft DHCP Server Callout Application Programming Interface (API).
  • Page 296: Preparing For Dhcp Plug-In Installation

    DHCP Plug-in ● If Sentriant AG can communicate with more than one DHCP server, all of the DHCP servers will behave normally, each vending IP addresses to endpoints as prescribed by Sentriant AG. However, a DHCP server will discontinue vending IP addresses if Sentriant AG loses communication with that server.
  • Page 297: Dhcp Plug-In And The Sentriant Ag User Interface

    DHCP Plug-in Examples:
    MakeDHCPCert "CN=es1.example.com,OU=Development,O=Example Inc.,L=Superior,ST=Colorado,C=US,E=security@example.com"
    MakeDHCPCert "CN=es1.example.com"
    MakeDHCPCert "CN=192.168.10.10"
    This command generates files named cert8.db, key3.db, and secmod.db in the current directory. These files contain a keypair and certificate chain for communication between the ES and the DHCP plug-in. b Using a file transfer program, copy the files cert8.db, key3.db, from the directory where they were created in...
  • Page 298: Figure 166: System Configuration, Quarantining, Dhcp

    DHCP Plug-in 2 Select the DHCP servers using the DHCP plug-in radio button. Figure 166: System Configuration, Quarantining, DHCP 3 Click download the DHCP plug-in installer. A save window appears. 4 Browse to a location on the DHCP server you will remember and save the file. 5 On the DHCP server, navigate to the location of the saved file and double-click it.
  • Page 299: Figure 167: Dhcp Plug-In Installshield Wizard Window

    DHCP Plug-in 6 Double-click the *.exe installer file. The InstallShield Wizard starts. Figure 167: DHCP Plug-in InstallShield Wizard window 7 Click Next. The Customer Information window appears. Figure 168: DHCP Plug-in Customer Information window 8 Enter your User Name and Company Name.
  • Page 300: Figure 169: Dhcp Plug-In Ready To Install The Program Window

    DHCP Plug-in 9 Click Next. The Ready to Install the Program window appears. Figure 169: DHCP Plug-in Ready to Install the Program window 10 Click Install. The progress is displayed on a Status window. When installation is complete, the InstallShield Wizard Complete window appears. Figure 170: DHCP Plug-in InstallShield Wizard Complete window 11 Click Finish.
  • Page 301: Enabling The Plug-In And Adding Servers

    DHCP Plug-in Table 10: DHCP Plug-in Configuration File Settings (continued)
    dbDir (String): Directory where the Netscape Security Services (NSS) database resides. Certificates and keys are stored in this secure, encrypted database. Default: C:\Windows\System32\dhcp
    failOpen (Boolean): Whether to vend IP addresses while in the failover state. Default: true. With the default, endpoints keep receiving leases without Sentriant AG's per-endpoint decision for as long as the plug-in is in the failover state; set it to false if an outage should withhold new leases instead.
  • Page 302: Figure 171: Add Dhcp Plug-In Configuration

    DHCP Plug-in NOTE Changes made while one or more DHCP servers cannot be communicated with will be sent to those DHCP servers as soon as communication is re-established. 3 Select Add a DHCP plug-in configuration. The Add DHCP plug-in configuration window appears as shown in the following figure: Figure 171: Add DHCP Plug-in Configuration 4 Enter the IP address or host name of the DHCP server where the plug-in is to be installed in the...
  • Page 303: Viewing Dhcp Server Plug-In Status

    DHCP Plug-in 8 Click ok. The added DHCP server appears as shown in the following figure: Figure 172: DHCP Plug-in Server Added Example 9 Continue to add DHCP servers until you have added all of them. The possible DHCP server plug-in status states are shown in the following figure: Figure 173: DHCP Plug-in Legend NOTE...
  • Page 304: Editing Dhcp Server Plug-In Configurations

    DHCP Plug-in ● Home window>>System configuration>>Quarantining>>DHCP Quarantine method radio button>>DHCP servers using the DHCP plug-in radio button>>Click edit next to a DHCP server configuration Editing DHCP Server Plug-in Configurations To edit DHCP Server Plug-in Configurations: Home window>>System configuration>>Quarantining>>DHCP Quarantine method radio button>>DHCP servers using the DHCP plug-in radio button 1 Click edit next to the DHCP server you wish to edit.
  • Page 305: Disabling A Dhcp Server Plug-In Configuration

    DHCP Plug-in 2 Click yes at the Remove DHCP plug-in configuration prompt. 3 Click ok to save the changes and return to the Home window. Disabling a DHCP Server Plug-in Configuration Disable a DHCP server plug-in configuration when you do not wish to use it, but wish to save the configuration and certificates.
  • Page 307: Chapter 16: System Administration

    Any Sentriant AG window Click Logout in the upper right corner of the Sentriant AG home window. When the logout procedure completes, the Extreme Networks, Inc. login window appears. Important Browser Settings There are several browser configuration settings to make, depending on which browser you are using.
  • Page 308: Managing Your Sentriant Ag License

    (if notifications are enabled). Entering a New License Key Extreme Networks, Inc. distributes license keys as text files. Due to the license key’s length, copy and paste the license key directly out of the text file.
  • Page 309: Downloading New Tests

    If the license key information (such as an expired notice) does not update, clear the browser cache and refresh the page. Downloading New Tests To download the latest tests from the Extreme Networks, Inc. server: Home window>>System configuration>>Test updates>>Check for test updates button NOTE...
  • Page 310: System Settings

    System Administration System Settings DNS/Windows Domain Authentication and Quarantined Endpoints In order to satisfy the following scenarios:
    ● A guest user gets redirected
    ● A user is redirected if their home page is the Intranet
    ● The only host that is resolved is the domain controller (DC); no other intranet hosts are resolved.
    ●...
  • Page 311: Matching Windows Domain Policies To Nac Policies

    System Administration
    -> lookup intranet.mycompany.com.quarantine.bad
    <- Sentriant AG IP address
    When the end-user logs in, they will be able to authenticate from quarantine even if credentials are not cached:
    -> service location lookup _kerberos _ldap
    <- & receive dc01.mycompany.com dc02.mycompany.com
    ->...
  • Page 312: Naming Your Enforcement Cluster

    System Administration 1 Select one of the following from the Access mode area:
    ■ normal—Access is regulated by the NAC policies
    ■ allow all—All requests for access are granted, but endpoints are still tested
    2 Click ok. Naming Your Enforcement Cluster To name your Enforcement cluster: Home window>>System configuration>>Enforcement clusters &...
  • Page 313: Resetting Your System

    System Administration <ip address> is the new IP address for the MS or ES. For example, 192.168.40.10 <netmask> is the netmask. For example, 255.255.255.0 <gateway> is the gateway. For example, 10.1.1.1 Resetting your System There are times when you may wish to revert to the as-shipped state for your system; reverting the configuration and database to that of a freshly installed system.
  • Page 314: Resetting Your Test Data

    System Administration Resetting your Test Data There are times when you may wish to revert to the as-shipped state for test data; clearing the database of all endpoints and test results, and resetting SAPQ and DHCP leases. To reset your test data to the as-shipped state: Command line window 1 For single-server installations: a Log in as root to the Sentriant AG MS, either using SSH or directly with a keyboard.
  • Page 315: Changing Properties

    System Administration resetTestData NOTE The resetTestData file is in the following directory: cd /usr/local/nac/bin Changing Properties To change the property values in the properties files: Command line window 1 Log in as root to the Sentriant AG MS using SSH. 2 Enter the following at the command line: <DESTINATION>...
  • Page 316: Specifying An Email Server For Sending Notifications

    System Administration Specifying an Email Server for Sending Notifications Sentriant AG Enforcement clusters send alerts and notifications when certain events occur. You must specify an SMTP email server for sending these notifications. The server must allow SMTP messages from the Sentriant AG ES. To specify an email server for sending notifications: “Notifications”...
  • Page 317: Database

    System Administration Table 12: CIDR Naming Conventions (continued)
    Block /14, Netmask 255.252.0.0: 4 Class B networks, 262,144 hosts
    Block /13, Netmask 255.248.0.0: 8 Class B networks, 524,288 hosts
    Database Creating a Backup File To create a backup file of system configuration and data: "Initiating a New Backup" on page 119.
  • Page 318: Restoring From Backup

    System Administration Restoring from Backup NOTE You must have backed up your system at least one time before you can restore from a backup. See “Initiating a New Backup” on page 119. You can restore backed-up data to the same physical server or to a new physical server. Restoring to a new Server To restore system configuration and data from a backup file to a new server: 1 Contact Technical Assistance Center (TAC) at support@extremenetworks.com or (800) 998-2408 and...
  • Page 319: Restoring The Original Database

    System Administration 1 Click restore system from backup file. The Restore system window appears: Figure 175: Restore System 2 Enter the backup file name or click Browse and navigate to the backup file. 3 Click ok. A status window appears. 4 The system data is restored and the login window appears: Figure 176: Login Restoring the Original Database...
  • Page 320: Generating A Support Package

    System Administration 2 Enter the following commands: resetSystem.py This script shuts down all of the services, cleans the database, iptables, and DHCP server, and restarts everything. Generating a Support Package To generate a support package: “Downloading Support Packages” on page 120.
  • Page 321: Supported Vpns

    It is strongly recommended that you use the server-class Intel NIC cards. If you use a different NIC card, you might be unable to connect, or experience unpredictable results and availability. NOTE Your license key is emailed to you. If you did not receive one, contact Extreme Networks, Inc. Technical Assistance Center (TAC) (support@extremenetworks.com or (800) 998-2408). Supported VPNs Sentriant AG works with any VPN endpoint, since Sentriant AG does not directly interface or interoperate with VPN endpoints.
  • Page 322: Adding Custom Tests

    System Administration Adding Custom Tests Introduction Sentriant AG is an efficient, flexible and extensible testing platform. All tests are implemented in the object-oriented programming language called Python. Python is a well-respected, clean, and efficient scripting language. Because the language is object-oriented and the Sentriant AG test platform is extensible, new tests can be developed easily.
  • Page 323: Figure 177: Test Script Code

    System Administration 3 Examine the code. The comments explain each section of code. The following example shows the contents of the file. Figure 177: Test Script Code
        #!/usr/bin/python
        from checkSoftwareNotAllowed import CheckSoftwareNotAllowed
        # This allows a script to be tested from the command line.
        if __name__ == '__main__':
            import myCheckSoftwareNotAllowed
            t = myCheckSoftwareNotAllowed.MyCheckSoftwareNotAllowed()
  • Page 324 System Administration 4 You can change the result["result_message"] to whatever text you want. This message is what the end-user sees in the access windows. This text also appears in the management user interface when you run reports. 5 Every test must return a hash with the following keys: status_code –...
  • Page 325: Figure 178: Example Installcustomtests Output

    System Administration Figure 178: Example InstallCustomTests Output
        # installCustomTests
        Creating custom test script RPM version 5.0-51
        Found 5 python files
        + Compiling python scripts
        + Generating test script XML files
        If you continue, this will generate an RPM file containing your custom scripts and will send the new custom script RPM to the Management Server and all Enforcement Servers.
  • Page 326: Creating A Custom Test Class Script From Scratch

    System Administration Figure 178: Example InstallCustomTests Output (continued) 00:22:34 DEBUG Waiting for a response on :TemporaryQueue-{TD{ID:perf-ms1- 40612-1162365754580-1:0}TD}ID:perf-ms1-40612-1162365754580-6:0 00:22:36 DEBUG Message received: ACTIVEMQ_TEXT_MESSAGE: id = 0 ActiveMQMessage{ , jmsMessageID = ID:perf-ms1-51331-1162363440379-15:3, bodyAsBytes = org.activemq.io.util.ByteArray@1362012, readOnlyMessage = true, jmsClientID = '93baaf5a-b0ed-4fc2-a3ae-ec6460caedc0' , jmsCorrelationID = 'null' , jmsDestination = TemporaryQueue-{TD{ID:perf- ms1-40612-1162365754580-1:0}TD}ID:perf-ms1-40612-1162365754580-6:0, jmsReplyTo = null, jmsDeliveryMode = 2, jmsRedelivered = false, jmsType =...
  • Page 327: Figure 179: Testtemplate.py

    System Administration Figure 179: testTemplate.py
        #!/usr/bin/python
        from BaseClasses.SABase import SABase as SABase
        # This allows a script to be tested from the command line.
        if __name__ == '__main__':
            import testTemplate
            t = testTemplate.TestTemplate()
            t.processCommandLine()
        # The class definition. All classes must be derived from the SABase class.
        class TestTemplate(SABase):
            # Make up a test id.
  • Page 328 System Administration Figure 179: testTemplate.py (continued)
        # A short summary for the test. This will show up in the description field
        # when editing NAC policies in the management UI.
        testSummary = \
        """ My short description """
        # This field is unused at the moment.
        # field in the policy editor.
  • Page 329 System Administration Figure 179: testTemplate.py (continued)
        try:
            # Replace 'pass' with your test here. Modify the returnHash accordingly.
            pass
        except:
            # Set the return status when an exception occurs
            import sys
            returnHash['status_code'] = 0
            returnHash['result_code'] = "unknown_error"
            returnHash['result_message'] = sys.exc_type, sys.exc_value
        return(returnHash)
        # Always use the doReturn function;...
  • Page 330: Figure 180: Checkopenports.py Script

    System Administration ■ All tests contain a reference to the BasicTests class called self.bt. The self.bt class gives you access to commonly used functions for testing endpoints including registry operations and service operations. See “BasicTests API” on page 334 for more information on the BasicTests API.
  • Page 331 System Administration Figure 180: checkOpenPorts.py script (continued)
        testConfig = \
        """
        <div id="test_parameters">
        <table height="100%" width="100%" border="0" cellspacing="0" cellpadding="0">
        <tbody>
        <tr>
        <td colspan="2" style="padding: 5px 3px 5px 3px;">
        Enter a list of ports that are not allowed to be open on the endpoint.
  • Page 332 System Administration Figure 180: checkOpenPorts.py script (continued)
        # These are the arguments to run the test. This is displayed in the command
        # line help.
        testArguments = \
        """
        --host=<hostname, IP, or NETBIOS>
        --input ports_not_allowed=<comma delimited list of ports>
        Example: <this script> --host=somehost --input "ports_not_allowed=23,80"...
  • Page 333 System Administration Figure 180: checkOpenPorts.py script (continued)
        if debug:
            print "Checking ports " + str(ports) + " on host " + self.session.host()
        # Do your test here. Modify the returnHash accordingly.
        portsOpen = ""
        # Use a Python socket to connect directly to the target host
        import socket
        for p in ports:
            hp = self.session.host()+":"+str(p)
  • Page 334: Basictests Api

    System Administration Figure 180: checkOpenPorts.py script (continued)
                import sys
                print "checkOpenPorts(host="+self.session.host()+", session="+self.session.id()+"): ", sys.exc_type, sys.exc_value
                if debug:
                    print "Could not connect to "+hp+". Port not open."
                # Good, it wasn't open
        # There are ports open, so set the returnHash values
        # to indicate that the endpoint failed the test.
  • Page 335: Table 14: Basictests Api

    System Administration
        self.bt.getregKeyExists("HKEY_LOCAL_MACHINE\\Software\\America Online\\AIM")
        except:
            import sys
            returnHash["status_code"] = 0
            returnHash["result_code"] = "unknown_error"
            returnHash["result_message"] = sys.exc_type, sys.exc_value
        …
    The following table describes the BasicTests API. Table 14: BasicTests API The BasicTests API accesses these functions with the SABase self.bt member. All methods throw an exception that should be caught if an unexpected error occurs.
  • Page 336 System Administration Table 14: BasicTests API (continued) The BasicTests API accesses these functions with the SABase self.bt member. All methods throw an exception that should be caught if an unexpected error occurs. Return Value Public Method Boolean getCapicomExists() Checks for Capicom on the machine. Returns the following •...
  • Page 337 System Administration Table 14: BasicTests API (continued) The BasicTests API accesses these functions with the SABase self.bt member. All methods throw an exception that should be caught if an unexpected error occurs. Return Value Public Method Dict getFileInfo(self, filename, debug=0) Returns Dict containing •...
  • Page 338 System Administration Table 14: BasicTests API (continued) The BasicTests API accesses these functions with the SABase self.bt member. All methods throw an exception that should be caught if an unexpected error occurs. Return Value Public Method List getMcmsHotFixList() Returns the hotfixes of Microsoft Content Management Server (MCMS).
  • Page 339 System Administration Table 14: BasicTests API (continued) The BasicTests API accesses these functions with the SABase self.bt member. All methods throw an exception that should be caught if an unexpected error occurs. Return Value Public Method String getOfficeVersion() Checks for which of the following Microsoft Office Version is installed on the end point.
  • Page 340 System Administration Table 14: BasicTests API (continued) The BasicTests API accesses these functions with the SABase self.bt member. All methods throw an exception that should be caught if an unexpected error occurs. Return Value Public Method String getUser() Returns the user name of the current user logged in. If no user has logged in, the function returns the string “No user logged in.”...
  • Page 341 System Administration Table 14: BasicTests API (continued) The BasicTests API accesses these functions with the SABase self.bt member. All methods throw an exception that should be caught if an unexpected error occurs. Return Value Public Method String getWMPVersion() Returns the Version of Windows Media Player installed on the end point.
  • Page 342: End-User Access Windows

    NOTE If you need more end-user access window customization than is described in this Users’ Guide, please contact Extreme Networks, Inc. Technical Assistance Center (TAC) at support@extremenetworks.com. To edit the end-user access window logo and general text: “End-user Screens” on page 128.
  • Page 343: How Sentriant Ag Handles Static Ip Addresses

    Sentriant AG ES is 10.0.16.18, point an IE browser window to: http://10.0.16.18:88 NOTE If you would like to use a port other than 88, contact Extreme Networks, Inc. Technical Assistance Center (TAC) at support@extremenetworks.com for assistance in making the necessary changes. How Sentriant AG Handles Static IP Addresses The following list details how Sentriant AG handles static IP addresses: Inline Mode—Sentriant AG can detect, test, and quarantine static IP addresses.
  • Page 344: Managing Passwords

    System Administration Managing Passwords The passwords associated with your Sentriant AG installation are listed in the following table: Table 15: Sentriant AG Passwords (columns: Sentriant AG password, Set during, Recovery process) Sentriant AG...: Initial install process *; “Resetting the Sentriant AG Management Server Password”...
  • Page 345: Resetting The Sentriant Ag Server Password

    System Administration Table 15: Sentriant AG Passwords (columns: Sentriant AG password, Set during, Recovery process) Novell eDirectory password: Manually entered after installation on the System configuration>>Quarantining>>802.1X Quarantine method radio button window. Novell eDirectory password recovery is beyond the scope of this document.
  • Page 346: Resetting The Sentriant Ag Database Password

    System Administration 5 Press . You are now in Single User Mode. 6 Enter the following command: passwd 7 Enter a new password at the New Password prompt. 8 Press [ENTER] 9 Retype the password at the Retype new password prompt. 10 Press .
  • Page 347: Ntlm 2 Authentication

    System Administration 4 Enter the following command: setProperty.py -f <filename> 5 From a workstation, open a browser window and point to the Sentriant AG MS. 6 Enter a new User Name and Password when prompted. NTLM 2 Authentication If your network is configured for Windows NT LAN Manager version 2 (NTLMv2) challenge/response authentication only, make the following change to the smb.conf file:...
  • Page 348 System Administration NOTE There is one caveat to note with ranges to monitor and ranges to ignore; if endpoints have IP addresses outside of the ranges to monitor and ranges to ignore, and if the ES is capable of controlling network access for those endpoints, the endpoints can still be quarantined by consequence of the NAC policy rules for Operating Systems and Inactive endpoints.
  • Page 349: Installing Ssl Certificates

    System Administration NOTE When using Extreme switches running ExtremeWare or ExtremeXOS prior to release 11.6, DHCP relay IP addresses to enforce will NOT work when the quarantine subnet is a subset of the production network. This is because Extreme switches forward the packets from the IP address closest to Sentriant AG and not the IP address of the interface closest to the endpoint, so all the DHCPRelay packets will appear to come from a production network IP address.
  • Page 350: Moving An Es From One Ms To Another

    System Administration 3 Submit the CSR (see “Copying Files” on page 34) to your chosen CA (such as Thawte or Verisign) along with anything else they might require: http://www.verisign.com/ http://www.thawte.com/ 4 If you are using a non-traditional CA (such as your own private Certificate Authority/Public Key Infrastructure (CA/PKI), or if you are using a less well-known CA, you will need to import the CA’s root certificates into the java cacerts file by entering the following command on the command line of the Sentriant AG server:...
  • Page 351: Recovering Quickly From A Network Failure

    System Administration service nac-es stop 3 Log in to the MS user interface that currently manages the ES you want to move. 4 Select System Configuration>>Enforcement clusters & servers. 5 Click delete next to the ES you want to move. 6 In the command line window of the ES, enter the following command: resetSystem.py 7 Log in to the MS user interface of the server that you want to manage the ES.
  • Page 352: Vlan Tagging

    System Administration a Select System configuration. b Click a cluster name. c Select the normal radio button. d Click ok. VLAN Tagging In some cases, such as when the DHCP server is in a different VLAN from the span/mirror port, the mirrored port traffic is 802.1q tagged.
  • Page 353: Iptables Wrapper Script

    System Administration e Modify the IPADDR line if needed. f Save and exit the file. g Restart the network interface by entering the following at the command line: service network restart 2 Change the interface the EDAC listens on: a Log in to the MS using SSH or directly with a keyboard. b For 802.1X mode, enter the following command at the command line: setProperty.py -c <cluster name>...
  • Page 354: Updating Rules Without An Internet Connection

    System Administration The nac-es service must be shut down before making changes to the iptables firewall. This script ensures that errors are not introduced by making changes when nac-es is running. Use the following commands to control iptables from the command line: To stop iptables: fw_control stop To start iptables:...
  • Page 355: Updating Rules

    System Administration a On a computer with Internet access, log in to: http://eSupport.extremenetworks.com If you do not have an eSupport account, please contact Extreme Networks Technical Assistance Center (TAC) (support@extremenetworks.com or (800) 998-2408). b Navigate to the Sentriant AG section. c Click on the link to download the latest AirgapTests RPM.
  • Page 356: Enable Temporary Ping

    System Administration Enable Temporary Ping To temporarily (until reboot) enable ICMP echo requests: Command line 1 Log in to the Sentriant AG server as root using SSH or directly with a keyboard. 2 Enter the following command at the command line: echo 0 >...
  • Page 357: Changing The Community Name For Snmpd

    System Administration To restrict ping entries to a specific interface: Command line 1 At the MS command line, enter the following iptables entries in this order:
        iptables -A RH-Lokkit-0-50-INPUT -p icmp --icmp-type echo-request -i ethx -j ACCEPT
        iptables -A RH-Lokkit-0-50-INPUT -p icmp --icmp-type echo-request -j DROP
    Where: ethx is the interface that you wish to be "pingable".
  • Page 358: Figure 181: Snmpd.conf Example File

    System Administration 2 Open the following file with a text editor: /etc/snmp/snmpd.conf Figure 181: snmpd.conf Example File
        -------------------------------------------------------------------------------------
        # Thu Jul 05 15:14:53 MDT 2007
        # This file is generated automatically. Please do not edit. Edit the snmpd.conf.template file instead.
        # This is a template for the snmpd.conf file.
  • Page 359: Snmp Mibs

    System Administration SNMP MIBs A Management Information Base (MIB) is a database that manages devices in a network. Simple Network Management Protocol (SNMP) is a protocol used for communication between devices that uses MIBs to obtain SNMP message formats. Sentriant AG supports SNMP v2c for incoming SNMP notifications. The following MIBs (located in usr/share/snmp/mibs/) define the data that Sentriant AG can read: HOST-RESOURCES-MIB...
  • Page 361: Appendix A: Requirements

    Not all anti-virus and anti-spyware tests check for signature file updates. Some anti-virus and anti-spyware products do not lend themselves to being tested for signature file updates. NOTE Sentriant AG has the capability to have custom tests created in Python; however, Extreme Networks takes no responsibility for custom scripts. Self Remediation: Messenger service needs to be running on the end-user endpoint.
  • Page 362 Requirements
      ■ RADIUS
      ■ 802.1X
    ● Must have privileges / access to the network to make configuration changes.
  • Page 363: Chapter B: Patch Management

    Patch Management Sentriant AG can integrate with patch management software. When an endpoint fails due to a missing patch, Sentriant AG wakes the patch manager client, checks for the completion of the patch, and then retests upon completion. The patch management capability uses the following test statuses: fail –...
  • Page 364: Selecting The Patch Manager

    Patch Management 2 Click on the test name in the left column. 3 Select the Initiate patch manager check box. 4 Click ok. Selecting the Patch Manager To select the patch manager: Home window>>NAC Policies>>Select or create an access policy>>Tests menu option 1 Select the check box for a test in the left column.
  • Page 365: Sms Patch Management

    SMS information. NOTE SMS server has a setting that allows users to interact with and cancel patch installation. Extreme Networks, Inc. recommends that you do not allow users to cancel patch installation. Once a patch installation has been canceled, the patch does not automatically attempt to install later and the endpoint will never pass the NAC policy test without manual intervention by the SMS administrator.
  • Page 366: Sentriant Ag Setup

    Patch Management looping until patching completes. If the test passes, Sentriant AG allows the endpoint access to the network. NOTE SMS patch management works with agent-based testing only. NOTE Endpoints must be identified in SMS and have the SMS client installed. Sentriant AG Setup To set up Sentriant AG for use with SMS: 1 Install and configure Sentriant AG (see the Sentriant AG Installation guide).
  • Page 367: Appendix C: Access Control Precedence

    Access Control Precedence The following table lists the conditions, in order of precedence, that determine an endpoint’s access control status. Table 16: Access Control Precedence NAC policy trust Resulting access Precedence Short name Description level control status Allow all access The enforcement cluster (EC) granted access mode...
  • Page 368 Access Control Precedence Table 16: Access Control Precedence (continued; columns: Precedence, Short name, Description, NAC policy trust level, Resulting access control status) Short name: Unsupported OS. Description: The operating system of the endpoint has been identified, but it is not supported. NAC policy trust level: guilty until proven innocent or innocent until... Resulting access control status: granted access or quarantined based on the All...
  • Page 369: Appendix D: Endpoint Testing Conditions

    Networks, Inc. Try to force a retest from the Sentriant AG user interface (see “Endpoints Retested” on page 151). If that does not work, call Extreme Networks, Inc. Technical Assistance Center (TAC) and be prepared to generate a support package (see “Generating a Support Package”...
  • Page 370 Endpoint Testing Conditions Table 17: Conditions Affecting Endpoint Testing (columns: Short name, Description) Testing (NAC agent): Sentriant AG shows this status briefly while the endpoint is being tested by the NAC agent. Testing (ActiveX plug-in): Sentriant AG shows this status briefly while the endpoint is being tested by the ActiveX plug-in.
  • Page 371 Endpoint Testing Conditions Table 17: Conditions Affecting Endpoint Testing (columns: Short name, Description) Failed testing - insufficient test privileges: The credentials Sentriant AG used to test the endpoint do not have sufficient privileges to read the registry or enumerate the services. An easy way to debug this is to run regedit and connect to the remote endpoint using the same admin credentials supplied to Sentriant AG.
  • Page 373: Appendix E: Troubleshooting Quarantined Endpoints

    Troubleshooting Quarantined Endpoints The following table describes the various components that affect an endpoint attempting to access the network: Table 18: Troubleshooting Quarantined Endpoints How endpoints are quarantined and How quarantined endpoints reach accessible Enforcement Mode redirected to Sentriant AG devices DHCP Endpoint...
  • Page 374 Troubleshooting Quarantined Endpoints Table 18: Troubleshooting Quarantined Endpoints (continued) How endpoints are quarantined and How quarantined endpoints reach accessible Enforcement Mode redirected to Sentriant AG devices DHCP Network DHCP server (Sentriant AG) gives the Sentriant AG (fake root) DNS—As in mode enforcement endpoint:...
  • Page 375 Troubleshooting Quarantined Endpoints Table 18: Troubleshooting Quarantined Endpoints (continued) How endpoints are quarantined and How quarantined endpoints reach accessible Enforcement Mode redirected to Sentriant AG devices Inline / VPN split Sentriant AG acts as the man-in-the- No need to allow public sites (endpoint Gateway tunnel middle, iptables rewrites packets, and...
  • Page 376 Troubleshooting Quarantined Endpoints Table 18: Troubleshooting Quarantined Endpoints (continued) How endpoints are quarantined and How quarantined endpoints reach accessible Enforcement Mode redirected to Sentriant AG devices 802.1X DHCP server (MS DHCP server, and so Sentriant AG DNS—As in endpoint on) gives the endpoint: enforcement (for access to names in Quarantine/guest resources) •...
  • Page 377: Appendix F: Enforcement Server Processes And Threads

    Enforcement Server Processes and Threads The following table describes the processes and threads on an enforcement server (ES), along with the implications of each process or thread failing: Table 19: Enforcement Server Processes and Threads (columns: Enforcement mode, Process, Description, Criticality, Failure implications) Process: client manager. Description: Reads...
  • Page 378 Enforcement Server Processes and Threads Table 19: Enforcement Server Processes and Threads Enforcement Process Description Criticality Failure implications mode input chain sapq DHCP Determines whether an High If the nac-es process is also endpoint should be down, all endpoints are granted granted access to the network access.
  • Page 379 Enforcement Server Processes and Threads Table 19: Enforcement Server Processes and Threads (columns: Enforcement mode, Process, Description, Criticality, Failure implications) Process: postgresql. Description: The database server for Sentriant AG, this process is used to store endpoint... Criticality: High. Failure implications: If this process is down, the nac-es process is likely to go down shortly thereafter.
  • Page 380 Enforcement Server Processes and Threads Table 19: Enforcement Server Processes and Threads (columns: Enforcement mode, Process, Description, Criticality, Failure implications) Process: test service. Description: Schedules and manages compliance testing of all testable endpoints. Criticality: High. Failure implications: If this process is down, the system cannot test endpoints to determine their compliance status: •...
  • Page 381: Appendix G: Configuring The Post-Connect Server

    Extracting the ZIP File Windows To download and extract the ZIP file to a Windows machine: 1 Create a directory for the contents of the ZIP file on the Windows machine. Extreme Networks, Inc. recommends . These instructions assume that you used the...
  • Page 382: Linux

    Configuring the Post-connect Server Linux To download and extract the ZIP file to a Linux machine: 1 Create a directory for the contents of the ZIP file on the Linux machine. Extreme Networks, Inc. recommends . These instructions assume that you used the directory.
  • Page 383: Setting Up A Post-Connect Host

    Configuring the Post-connect Server log4j-1.2.13.jar log4j.properties wrapper.dll wrapper.jar ■ Setting up a Post-connect Host Windows Your post-connect host can be a Linux or Windows server. This section provides instructions on setting up a Windows host. To set up a Windows post-connect host: 1 Install WinPcap on a Windows machine if it is not already installed: a Log into your Windows server.
  • Page 384: Linux

    Configuring the Post-connect Server b Copy the /usr/local/nac/keystore/cacerts file from the MS into the \lib folder on the post-connect server where you extracted the ZIP file. See “Copying Files” on page 34 for information on how to copy files securely. 5 Edit the connector.properties file:...
  • Page 385 Configuring the Post-connect Server b Install Java: 1) Navigate to http://java.sun.com/javase/downloads/index.jsp. 2) Download and install the Java 1.5 update 10 or later. 2 Install Python 2.5 or later if it is not already installed: a Log into your Linux machine. b Install Python: 1) Navigate to http://www.python.org/download/.
  • Page 386: Viewing Logs

    Configuring the Post-connect Server 4) Save and exit the file. c Edit the JMSConnection.properties file: 1) Open the /usr/local/postconnect/lib/JMSConnection.properties file with a text editor. 2) Enter the MS IP address. For example: URL=ssl://172.16.128.100:61616 3) Enter the MS username. For example: USER_NAME=root 4) Enter the MS password.
  • Page 387: Configuring Your Sensor

    Configuring the Post-connect Server Where: <endpoint IP> is the IP address of an endpoint known to Sentriant AG. For example, 192.168.40.40. “Reason 1” and “Reason 2” are text strings that describe the reasons to quarantine the specified endpoint. For example, “P2P Software Installed”, or “Latest Windows XP Service Pack not applied”. Configuring Your Sensor Configure your post-connect sensor to call with the IP address of the...
  • Page 389: Appendix H: Tests Help

    Tests Help The tests performed on endpoints attempting to connect to the network are listed on the Sentriant AG Home window>>NAC policies>>Select a NAC policy>>Tests. These tests are updated when you download the latest versions by selecting Sentriant AG Home window>>System Configuration>>Test Updates>>Check for Test Updates.
  • Page 390 Tests Help Table 20: Browser Vulnerabilities Item Description Cache Cache is a user-specifiable amount of disk space where temporary files are stored. These files contain graphics and Web pages you visit. The primary purposes for storing Web page information are to save time reloading pages and graphics, and to reduce network traffic by not having to repeatedly send the information over the network.
  • Page 391: Browser Version

    Tests Help Browser Version Description. This test verifies that the endpoint attempting to connect to your system has the latest browser version installed. Test Properties. Select the check box for the required browser software. Enter a version in the text box. If no version is specified in the text box, the default version shown in the square brackets is required.
  • Page 392: Internet Explorer (Ie) Local Intranet Security Zone

    Tests Help 3 Select Custom Level to specify High, Medium, Medium-low, or Low or to create custom settings. Internet Explorer (IE) Local Intranet Security Zone Description. This test verifies that the endpoint attempting to connect to your system is configured according to your specified local intranet security zone standards.
  • Page 393: Internet Explorer (Ie) Trusted Sites Security Zone

    Tests Help
    ● Medium. A mix of enabled, disabled and prompt for ActiveX controls, enables downloads, a mix of enabled, disabled and prompt for Miscellaneous options, enables Scripting, enables automatic login for intranet
    ● Medium-low. A mix of enabled, disabled and prompt for ActiveX controls, enables downloads, a...
  • Page 394: Operating System-Windows

    Tests Help
    ● Low. A mix of enabled and prompt ActiveX controls, enables downloads, a mix of enabled and prompt for Miscellaneous options, enables Scripting, enables automatic login
    How Does this Affect Me? The trusted sites security zone defines a security level for all trusted Web sites that you visit.
  • Page 395: Internet Explorer Hotfixes

    Tests Help http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=6C8AFC1C-5008-4AC8-84E1-1632937DBD74 Internet Explorer Hotfixes Description. Checks for hotfixes to Microsoft Internet Explorer (IE). Test Properties. Select the hotfixes required on your network. If needed, select Deep Check to permit endpoint tests to run at the file level. Selecting the All critical updates option requires all the critical patches that have been released or will be released by Microsoft.
  • Page 396: Microsoft Applications Hotfixes

    Tests Help Microsoft Applications Hotfixes Description. Checks for hotfixes to Microsoft Applications. Test Properties. Select the hotfixes required on your network. If needed, select Deep Check to permit endpoint tests to run at the file level. Selecting the All critical updates option requires all the critical patches that have been released or will be released by Microsoft.
  • Page 397: Service Packs

    Tests Help microsoftupdate&ln=en-us or by clicking on one of the update numbers underlined at the right side of the window as shown in Figure 183. Service Packs Description. This test verifies that the endpoint attempting to connect to your system has the latest operating system (OS) service packs installed.
  • Page 398: Windows 2003 Sp2 Hotfixes

    Tests Help How Does this Affect Me?. Hotfixes are programs that update the software and may include performance enhancements, bug fixes, security enhancements, and so on. There is usually only one fix in a hotfix, whereas a patch includes multiple hotfixes. What Do I Need to Do?.
  • Page 399: Windows Media Player Hotfixes

    Tests Help What Do I Need to Do?. Enable automatic updates. See the following link for instructions: http://www.microsoft.com/protect/computer/updates/mu.mspx Enable automatic updates for Windows 2000: 1 Select Start>>Settings>>Control Panel>>Automatic Updates 2 Select Keep my computer up to date. 3 Select Download the updates automatically and notify me when they are ready to be installed. 4 Click OK.
  • Page 400: Windows Xp Sp1 Hotfixes

    Tests Help What Do I Need to Do?. Manually initiate an update check at http://www.update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx?returnurl=http://www.update.microsoft.com/microsoftupdate&ln=en-us or by clicking on one of the update numbers underlined at the right side of the window as shown in Figure 183. Windows XP SP1 Hotfixes Description.
  • Page 401: Security Settings-Os X

    Tests Help Security Settings—OS X Mac AirPort WEP Enabled Description. This test verifies that WEP encryption is enabled for Airport. Test Properties. There are no properties to set for this test. How Does this Affect Me?. Wired Equivalent Privacy (WEP) is a wireless network security standard that provides the same level of security as the security in a wired network.
  • Page 402: Mac Anti-Virus

    Tests Help Mac Anti-virus Description. This test passes if at least one of the required anti-virus software programs for Mac endpoints is installed. Test Properties. Select the anti-virus software allowed on your network. Any endpoint that does not have at least one of the anti-virus software packages selected will fail this test. How Does this Affect Me?.
  • Page 403: Mac Internet Sharing

    Test Properties. There are no properties to set for this test. How Does this Affect Me?. See the description of firewalls under “How Does this Affect Me?” on page 414. What Do I Need to Do?. Enable the firewall on the endpoint. Mac endpoint>>Apple Menu>>System Preferences>>Sharing>>Firewall 1 Select the services and ports you want to allow in the Allow area.
  • Page 404: Mac Security Updates

    Mac Security Updates Description. This test verifies that the security updates have been applied on this endpoint. Test Properties. When an endpoint fails this test, it can be granted temporary access in the following ways: ● Select the Quarantine access check box and enter a temporary access period. This is the amount of...
  • Page 405: Allowed Networks

    Allowed Networks Description. Checks for the presence of an unauthorized connection on an endpoint. These might include connections to a rogue wireless access point, VPN, or other remote network. Test Properties. Enter a list of IP ranges that are legitimate for your network. Add the ranges separating the start and end IP with a "-".
  • Page 406: Microsoft Outlook Macros

    Microsoft Outlook Macros Description. This test verifies that the endpoint attempting to connect to your system has the Microsoft Outlook macro security level specified by your security standards. Test Properties. Select the minimum Microsoft Outlook macro setting that is required in order for an endpoint to connect to your network.
  • Page 407: Services Not Allowed

    How Does this Affect Me?. Macros are simple programs that are used to repeat commands and keystrokes within another program. A macro can be invoked (run) with a simple command that you assign, such as [ctrl]+[shift]+[r]. Some viruses are macro viruses and are hidden within a document. When you open an infected document, the macro virus runs.
  • Page 408: Services Required

    3 Select Manual or Disabled from the Startup type drop-down list. 4 Click OK. 5 Close the Services window. 6 Close the Administrative Tools window. Services Required Description. This test verifies that the endpoint attempting to connect to your system is running the services specified by your security standards.
  • Page 409: Windows Bridge Network Connection

    Windows Bridge Network Connection Description. This test verifies that the endpoint attempting to connect to the network does not have a bridged network connection present. A bridged network connection allows the connecting endpoint to transparently send traffic to and from another network. An example use of this type of connection would be to bridge a high-speed cellular network connection in and out of the local network.
  • Page 410: Windows Startup Registry Entries Allowed

    ● Enable "Network access: Do not allow storage of credentials or .NET Passports for network authentication" ● Disable "Network access: Let Everyone permissions apply to anonymous users" ● Enable "Accounts: Limit local account use of blank passwords to console logon only" ...
  • Page 411: Wireless Network Connections

    updater::C:\Program Files\Common files\Updater\wupdater.exe will allow Windows update to run on startup. How Does this Affect Me?. The Microsoft Windows Registry contains information that Windows uses during normal operations, including system options, property settings, applications installed, types of documents each application can create, ports used, and so on. Information is stored in keys, such as run and runOnce.
  • Page 412: Software-Windows

    Software—Windows The Software tests verify that any endpoint attempting to connect to your system meets your specified software requirements. Installing the most recent version of your software helps protect your system against exploits targeting the latest vulnerabilities. Anti-spyware Description.
  • Page 413: High-Risk Software

    What Do I Need to Do?. Make sure you have an anti-virus program installed, and that the virus definitions are kept up-to-date. The following link provides more information on anti-virus software and protecting your computer: http://www.us-cert.gov/cas/tips/ST04-005.html High-risk Software Description.
  • Page 414: Personal Firewalls

    What Do I Need to Do?. Remove or disable any disallowed P2P software. Personal Firewalls Description. This test verifies that the endpoint attempting to connect to your system has the latest personal firewall software installed and running. Test Properties. Select the personal firewalls that meet your requirements. Any endpoint that does not have at least one of the personal firewalls selected will fail this test.
  • Page 415: Software Required

    Software Required Description. This test verifies that the endpoint attempting to connect to your system has the required software packages installed. Test Properties. Enter a list of applications that are required on all connecting endpoints, separated with a carriage return. The format for an application is vendor\software package[\version]. Using this format stores the value in the HKEY_LOCAL_MACHINE\Software key.
  • Page 417: Appendix I: Database Design (Data Dictionary)

    Database Design (Data Dictionary) This section provides information on the following tables for the Sentriant AG database: ● “test_result table” on page 418 ● “Device table” on page 419 ● “sa_cluster” on page 421 ● “sa_node” on page 421 ● “sa_user” on page 422 ...
  • Page 418: Test_Result Table

    test_result table test_result This table is a history of test results for all endpoints. test_result_id INT4 DEFAULT nextval('test_result_test_result_id_seq') PRIMARY KEY run_id INT4 NOT NULL An ID used for associating test results to a particular test run. timestamp INT4 NOT NULL The time the test was run.
  • Page 419: Device Table

    Device table device This table contains information about known endpoints. unique_id VARCHAR(100) NOT NULL PRIMARY KEY ip_address_str VARCHAR(30) NOT NULL The IP address (string in dotted quad notation) of the endpoint. mac_address VARCHAR(30) DEFAULT NULL The MAC address of the endpoint. netbiosname VARCHAR(50) DEFAULT NULL The NetBIOS name of the endpoint.
  • Page 420 device (continued) last_connect_dt INT4 NOT NULL The date the endpoint was first seen if it has never been disconnected, or the last time the endpoint reconnected. last_disconnect_dt INT4 NOT NULL The date the endpoint was disconnected for inactivity.
  • Page 421: Sa_Cluster

    sa_cluster sa_cluster This table contains information about all known clusters. cluster_id VARCHAR(64) PRIMARY KEY cluster_name VARCHAR(30) The name of the cluster. policy_set_id INT4 The unique ID of the policy set used by the cluster. devices TEXT Not used.
  • Page 422: Sa_User

    sa_user sa_user This table contains information about users. user_id INT4 PRIMARY KEY username VARCHAR(64) The login of the user. passwd VARCHAR(64) MD5 hash of the user's password. full_name VARCHAR(64) The full name of the user. email VARCHAR(256) The email address of the user.
  • Page 423: User_To_Groups

    user_to_groups user_to_groups This table contains information about a user and their assigned role. group_id INT4 The unique ID of the user role in the many-to-many relationship. user_id INT4 The unique ID of the user in the many-to-many relationship.
  • Page 425: Appendix J: Ports Used In Sentriant Ag

    Ports used in Sentriant AG The following table provides information about Ports used in Sentriant AG: Table 21: Ports in Sentriant AG (Port | Parties | Description | Comments). Ports used for testing endpoints:
    88 (TCP), 89 (TCP) | Endpoint to | When using agent-based testing, the endpoint must point (using a browser... | Not configurable
  • Page 426 Table 21: Ports in Sentriant AG (continued) (Port | Parties | Description | Comments). Ports used for internal communications:
    7483 (TCP) | ES to MS, MS to ES | Message bus communications between the ES and MS occur on port 7483. | Not configurable
    22 (TCP) | MS to ES | ...
  • Page 427 Table 21: Ports in Sentriant AG (continued) (Port | Parties | Description | Comments). Ports used for NTP:
    123 (UDP) | MS to NTP server | Destination port 123 for NTP. | Not configurable
    123 (UDP) | ES to MS | NTP communication between the ES and MS occurs on destination port 123. | Not configurable
  • Page 428 Table 21: Ports in Sentriant AG (continued) (Port | Parties | Description | Comments). Ports used for DHCP and domain controllers:
    88 (TCP), 135-159 (TCP) | ES to DC/DHCP server | DHCP Server and Domain Controller behind Sentriant AG: ... | Configure in the Sentriant AG user interface: ...
  • Page 429 Table 21: Ports in Sentriant AG (continued) (Port | Parties | Description | Comments). Ports used for SNMPD:
    161 (UDP) | admin user to MS or ES | Used for SNMP monitoring of the server. NOTE: See “Enabling SNMP” on page for instructions on enabling SNMP. | Not Configurable
  • Page 431: Appendix K: Ms Disaster Recovery

    MS Disaster Recovery Overview If the Primary Management Server (primary MS) goes down due to an unrecoverable hardware failure, management server duties can be migrated to an online Standby Management Server (standby MS) using a simple backup and restore process. After failover, the standby MS is able to perform all necessary MS functions, including communicating with Enforcement Servers (ESs), reporting, and making configuration changes.
  • Page 432: Ongoing Maintenance

    Ongoing Maintenance Certain considerations must be noted regarding the ongoing maintenance of your system in the recovery process for an MS: ● As part of an ongoing maintenance plan or during backup, check the status of the NAC-testscripts ...
  • Page 433 7 Log in to the UI of the standby MS again (at this point, all UI users from the primary should be able to log in). 8 Navigate to System configuration>>Management server>>edit network settings 9 Change the IP address to be that of the old or primary MS. See “Modifying MS Network Settings”...
  • Page 435: Appendix L: Licenses

    The Software is protected by United States’ and other copyright laws, international treaty provisions and other applicable laws in the country in which it is being used. Extreme Networks and its suppliers own and retain all right, title and interest in and to the Software, including all copyrights, patents, trade secret rights, trademarks and other intellectual property rights therein.
  • Page 436: Limitation Of Liability

    Networks’ and its suppliers' entire liability and your exclusive remedy for any breach of the foregoing warranty shall be, at Extreme Networks’ option, either (i) return of the purchase price paid for the license, if any, or (ii) replacement of the defective media in which the Software is contained.
  • Page 437: Other Licenses

    Extreme Networks, unless such audit discloses an underpayment or amount due to Extreme Networks in excess of five percent (5%) of the initial license fee for the Software or you are using the Software in an unauthorized manner, in which case you shall pay the cost of the audit, in addition to any other amounts owed.
  • Page 438: Apache License Version 2.0, January 2004

    Licenses at www.extremenetworks.com/GLOBAL_DOCS/termsofsale.asp. Please see the Release Notes for this software for additional information and copies of third party licenses. Apache License Version 2.0, January 2004 w.apache.org/licenses/ The Apache Software License Version 2.0 applies to the following software packages: activemq, Commons-codec, Commons-collections, Commons-dbcp, Commons-digester, Commons-fileupload, Commons-httpclient, Commons-lang, Commons-logging, Commons-pool, Geronimo-spec-jms, Geronimo-spec-j2ee-management, Geronimo-spec-jta, Log4j, Mockfu, Tomcat, Xerces,...
  • Page 439: Asm

    You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5.
  • Page 440: Open Ssh

    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;...
  • Page 441 PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED...
  • Page 442: Postgresql

    1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3.
  • Page 443: Postgresql Jdbc

    Postgresql jdbc Copyright (c) 1997-2005, PostgreSQL Global Development Group All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
  • Page 444: Junit Common Public License - V 1.0

    Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.
  • Page 445 hereunder, each Recipient hereby assumes sole responsibility to secure any other intellectual property rights needed, if any. For example, if a third party patent license is required to allow Recipient to distribute the Program, it is Recipient's responsibility to acquire that license before distributing the Program. d) Each Contributor represents that to its knowledge it has sufficient copyright rights in its Contribution, if any, to grant the copyright license set forth in this Agreement.
  • Page 446: Open Ssl

    Everyone is permitted to copy and distribute copies of this Agreement, but in order to avoid inconsistency the Agreement is copyrighted and may only be modified in the following manner. The Agreement Steward reserves the right to publish new versions (including revisions) of this Agreement from time to time.
  • Page 447: The Gnu General Public License (Gpl) Version 2, June 1991

    * All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code;...
  • Page 448 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program"...
  • Page 449 may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
  • Page 450: Pullparser

    signature of Ty Coon, 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.
  • Page 451: The Gnu Lesser General Public License (Lgpl) Version 2.1

    1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3.
  • Page 452 We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances.
  • Page 453 If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.
  • Page 454 may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library.
  • Page 455: Ojdbc

    Ojdbc Oracle Technology Network Development and Distribution License Terms Export Controls on the Programs Selecting the "Accept License Agreement" button is a confirmation of your agreement that you comply, now and during the trial term, with each of the following statements: -You are not a citizen, national, or resident of, and are not under control of, the government of Cuba, Iran, Sudan, Libya, North Korea, Syria, nor any country to which the United States has prohibited export.
  • Page 456 shipped with the programs, or documentation may be accessed online at http://otn.oracle.com/docs Ownership and Restrictions We retain all ownership and intellectual property rights in the programs. You may make a sufficient number of copies of the programs for the licensed use and one copy of the programs for backup purposes. You may not: - use the programs for any purpose other than as provided above;...
  • Page 457: Javamail Sun Microsystems, Inc

    restrictions in FAR 52.227-19, Commercial Computer Software-Restricted Rights (June 1987). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065." End of Agreement You may terminate this agreement by destroying all copies of the programs. We have the right to terminate your right to use the programs if you fail to comply with any of the terms of this agreement, in which case you shall destroy all copies of the programs.
  • Page 458 4.DISCLAIMER OF WARRANTY. UNLESS SPECIFIED IN THIS AGREEMENT, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT ARE DISCLAIMED, EX LIMITATION OF LIABILITY. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF OR RELATED TO THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN...
  • Page 459: Jcharts

    this Agreement. Source code may not be redistributed unless expressly provided for in this Agreement. 6. Termination for Infringement. Either party may terminate this Agreement immediately should any Software become, or in either party's opinion be likely to become, the subject of a claim of infringement of any intellectual property right. For inquiries please contact: Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A (LFI#132726/Form ID#011801) jcharts...
  • Page 460: Io-Stty And Io-Tty

    4. CNRI is making Python 1.6b1 available to Licensee on an "AS IS" basis. CNRI MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, CNRI MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON 1.6b1 WILL NOT INFRINGE ANY THIRD PARTY RIGHTS.
  • Page 461: Concurrent

    6. The scripts and library files supplied as input to or produced as output from the programs of this Package do not automatically fall under the copyright of this Package, but belong to whomever generated them, and may be sold commercially, and may be aggregated with this Package.
  • Page 462: Winpcap

    Chris Morgan - rijndael.cpp Paulo Baretto - rijndael.cpp, skipjack.cpp, square.cpp Richard De Moliner - safer.cpp Matthew Skala - twofish.cpp Permission to use, copy, modify, and distribute this compilation for any purpose, including commercial applications, is hereby granted without fee, subject to the following restrictions: 1.
  • Page 463 Portions Copyright (c) 1983 Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by the University of California, Berkeley.
  • Page 464: Activation

    Portions Copyright (c) 1996 Juniper Networks, Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that: (1) source code distributions retain the above copyright notice and this paragraph in its entirety, (2) distributions including binary code include the above copyright notice and this paragraph in its entirety in the documentation or other materials provided with the distribution.
  • Page 465: Java Optional Package

    4. DISCLAIMER OF WARRANTY. UNLESS SPECIFIED IN THIS AGREEMENT, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT THESE DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.
  • Page 466: Jsp-Api Package

    3. Java Technology Restrictions. You may not modify the Java Platform Interface ("JPI", identified as classes contained within the "java" package or any subpackages of the "java" package), by creating additional classes within the JPI or otherwise causing the addition to or modification of the classes in the JPI. In the event that you create an additional class and associated API(s) which (i) extends the functionality of the Java platform, and (ii) is exposed to third party software developers for the purpose of developing additional software which invokes such additional API, you must promptly publish broadly an accurate specification for such API for free use by all developers.
  • Page 467 2. RESTRICTIONS. Software is confidential and copyrighted. Title to Software and all associated intellectual property rights is retained by Sun and/or its licensors. Except as specifically authorized in any Supplemental License Terms, you may not make copies of Software, other than a single copy of Software for archival purposes. Unless enforcement is prohibited by applicable law, you may not modify, decompile, or reverse engineer Software.
  • Page 468 B. License to Evaluate Message Queue EE. If you have not paid the applicable fees for Message Queue EE, Sun grants you a non-exclusive, non-transferable, royalty-free and limited license to use Message Queue EE internally for the sole purpose of evaluation, for a period of ninety (90) days from the date you begin using the Message Queue EE features.
  • Page 469 5. Trademarks and Logos. You acknowledge and agree as between you and Sun that Sun owns the SUN, SOLARIS, JAVA, JINI, JDK, FORTE, STAROFFICE, STARPORTAL and iPLANET trademarks and all SUN, SOLARIS, JAVA, JINI, FORTE, STAROFFICE, STARPORTAL and iPLANET-related trademarks, service marks, logos and other brand designations ("Sun Marks"), and you agree to comply with the Sun Trademark and Logo Usage Requirements currently located at http://www.sun.com/policies/trademarks.
  • Page 471: Appendix M: Glossary

    Glossary 802.1X A port-based authentication protocol that can dynamically vary encryption keys, and has three components: a supplicant, an authenticator, and an authentication server. ACL Access control list—A list or set of rules that routers (and other networking endpoints) use to control and regulate access through the endpoint and subsequently onto the network.
  • Page 472 APIC Advanced Programmable Interrupt Controller—A device that provides support for multiple processors by allowing for multiple programmable interrupts. authenticator A component of 802.1X that is the access point, such as a switch, that prevents access when authentication fails. The authenticator can be simple and dumb.
  • Page 473 CSR Certificate Signing Request—A request sent by a system when applying for a public key certificate. CTA Cisco Trust Agent. DAC Device Activity Capture—A utility that listens or sniffs the network for DHCP traffic and can be configured to discover other types of IP traffic if needed (such as from static IP addresses).
  • Page 474 ES Enforcement server. FQDN Fully Qualified Domain Name—A domain name that uniquely identifies a host computer. It includes the host name and the domain name. For example, myhost.mycompany.com. guilty until proven innocent A trust level for a NAC policy, requiring all endpoints assigned to the policy to be quarantined initially and to comply with the policy prior to being granted access to the network.
  • Page 475 IE Internet Explorer. IM Instant Messaging. inline An installation of Sentriant AG where it is placed on the network and all traffic to be quarantined passes through Sentriant AG. innocent until proven guilty A trust level for a NAC policy, initially granting network access to all endpoints assigned to the policy, but requiring them to be compliant with the policy.
  • Page 476 MAC Media Access Control—The unique number that identifies a physical endpoint. Generally referred to as the MAC address. Management server (MS) When using Sentriant AG in a multiple-server installation, the server that is used for managing ESs. MIB Management Information Base—A database used to manage components in a network.
  • Page 477 OUI Organizational unique identifier - The first 24 bits of a MAC address for a network-connected device, which indicate the specific vendor for that device. P2P Person-to-person or Peer-to-peer—A Peer-to-peer (P2P) network is one that is comprised of peer nodes (computers) rather than clients and servers.
  • Page 478 RPC Remote procedure call—A procedure where arguments or parameters are sent to a program on a remote system. The remote program executes and returns the results. RPM Redhat package manager. root An account on a UNIX or Linux system that has administrator privileges.
  • Page 479 TCP Transfer Control Protocol. temporary access period In Sentriant AG, a temporary period of time where an end-user is allowed access. TLS Transport Layer Security. UAC User Access Control. UDP User Datagram Protocol. VLAN Virtual Local Area Network. VPN Virtual private network—A secure method of using the Internet to gain access to an organization's network.
  • Page 481: Index

    Index Numerics HP ProCurve 420 AP or HP ProCurve 530 AP device 102 3rd-party software, installing 31 HP ProCurve WESM device 100 802.1X 233 NAC policy group 203 communication flow 234 non-listed 802.1X device 106 connections 233 Nortel device 104 enable 78 quarantine area 109 enable Vista endpoint 246...
  • Page 482 end-user version 130 new NAC policy 207 important settings 307 create date 419 pop-ups required for reports 290 createCSR update 309 script 349 version 155 credentials button delete Windows 134 check for test updates 309 edit Windows 133 configure system 45 for agentless test 188 copy policy 214 login 131...
  • Page 483 details, view report 290 server 316 device database table 419 set up notification 127 device_unique_id 418 specifying server 316 DeviceAccessChangeEvent 263 email notifications DeviceInfoRequest 266 disable 127 devices 421 enable 126 DeviceTestedEvent 263 enable DHCP 802.1X 78 configuration 230 a NAC policy 205 ports to specify 126 file and printer sharing 157...
  • Page 484 editing 342 Activity Monitor 185 viewing 343 Add 802.1X Device 85 end-user options, selecting 123 Add 802.1X Device, Test Connection Area Op- end-user screen tion 1 86 specify logo 128 Add 802.1X Device, Test Connection Area Op- specify test failed pop-up 130 tion 2 86 specify text 129 Add a NAC Policy, Basic Settings Area 207...
  • Page 485 Endpoint Activity Icon Legend 146 NAC Policy Results Report 290 Endpoint Activity, Connected Endpoints 139 NAC Policy Selection Order Buttons 205 Endpoint Activity, Endpoint Test Results 149 NAC Policy Test Failure Icons 213 Endpoint Activity, Primary Filtering Options NAC Policy Test Icons 213 Nortel Exit Script 256 Endpoint Activity, Secondary Filtering Options Nortel Initialization Script 256...
  • Page 486 firewall & end-user 156 System Configuration, Quarantining, DHCP full_name 422 Enforcement 109 System Configuration, Test Updates 75 System Configuration, Testing Methods 121 generate System Configuration, User Accounts 64 report 288 System Configuration, User Roles 70 generate-support-package.py System Configuration, Windows Domain 81 script 120 System Monitor Window 25 grace_period 419...
  • Page 487 IP address keys 308 change MS or ES IP 312 open-source 437 IP address, static 343 other 437 ip_address_str 418 updating 73 IPSec 321 viewing 437 license key not updating 309 limit endpoints displayed at once 143 Java Message Service 261 limit ping entries to specific interface 357 JavaJRE Linux 155...
  • Page 488 NTLM v2, enabling 347 NAC policies 201 window, view 201 NAC Policy one-time passwords 233 change to not run Windows automatic update online help 31 test 311 open NAC policy -source license 437 add group 203 opening screen 174 changing the selection order 205 operating systems copy 214...
  • Page 489 post-connect range configure 114 of IP addresses 125 set up Linux host 384 ranges set up Windows host 383 to enforce 348 test service 386 to ignore 348 view logs 386 to monitor 348 post-connect service RDAC firewall open 113 remove 282 posture token 420 reconnect...
  • Page 490 system and data 318 services, Agent 178 restrict session_access 420 ping entries, specific interface 357 session_access_end 420 result_code 418 result_message 418 802.1X logging levels 136 retest DHCP setting enforcement an endpoint 151 ES logging levels 134 router 231 RADIUS authentication method 80 RPC 26 setProperty.py service 168...
  • Page 491 Extreme Summit 48si 250 pros & cons 26 Foundry Fast Ironedge 2402 252 to display 123 restrict access at 231 test_class 418 sample configurations 248 test_module 418 switches test_name 418 add Enterasys 91 test_result database table 418 add, Cisco CatOS 89 test_result_id 418 add, Cisco IOS 87 test_update_version 421...
  • Page 492 update browser 309 credentials 131 upgrade timeout, changing 63 domain and end-user settings 311 upgrades 62 domain settings, configure 80 user account download and extract Zip file 381 add 63 download EXE file 272 copy 67 Group policy 168 delete 69 install 272 edit 68...
