Extreme Networks Sentriant AG Software User's Manual

Version 5.2

Sentriant AG Software Users Guide, Version 5.2
Extreme Networks, Inc.
3585 Monroe Street
Santa Clara, California 95051
(888) 257-3000
(408) 579-2800
http://www.extremenetworks.com
Published: January 2009
Part number: 120502-00 Rev 01


Summary of Contents for Extreme Networks Sentriant AG

  • Page 2 ServiceWatch, Summit, SummitStack, Triumph, Unified Access Architecture, Unified Access RF Manager, UniStack, the Extreme Networks logo, the Alpine logo, the BlackDiamond logo, the Extreme Turbodrive logo, the Summit logos, and the Powered by ExtremeXOS logo are trademarks or registered trademarks of Extreme Networks, Inc.
  • Page 3: Table Of Contents

    Table of Contents List of Figures ..........................15 List of Tables ..........................21 Chapter 1: Introduction........................23 Sentriant AG Home Window .......................23 System Monitor.........................24 Sentriant AG v5.2 for v4.x Users ....................26 Overview ..........................29 The Sentriant AG Process.....................31 About Sentriant AG ......................31 NAC Policy Definition ....................31 Endpoint Testing ......................31 Compliance Enforcement ....................32...
  • Page 4 Adding an Enforcement Cluster ....................49 Editing Enforcement Clusters ....................51 Viewing Enforcement Cluster Status..................51 Deleting Enforcement Clusters....................52 Enforcement Servers .........................53 Adding an ES........................53 Cluster and Server Icons ......................54 Editing ESs ........................55 Changing the ES Network Settings ..................56 Changing the ES Date and Time ...................57 Modifying the ES SNMP Settings..................58 Modifying the ES root Account Password ................58 Viewing ES Status .......................58...
  • Page 5 Selecting the RADIUS Authentication method..............85 Configuring Windows Domain Settings................86 Configuring OpenLDAP Settings..................88 Adding 802.1X Devices .......................91 Testing the Connection to a Device ..................92 Cisco IOS ...........................93 Cisco CatOS ........................95 CatOS User Name in Enable Mode ..................97 Enterasys ...........................98 Extreme ExtremeWare......................99 Extreme XOS ........................101 Foundry..........................102 HP ProCurve Switch ......................104...
  • Page 6 Specifying the End-user Test Failed Pop-up Window ............138 Agentless Credentials ......................139 Adding Windows Credentials..................139 Testing Windows Credentials ..................140 Editing Windows Credentials ..................141 Deleting Windows Credentials..................141 Sorting the Windows Credentials Area ................142 Logging ..........................142 Setting ES Logging Levels ....................142 Setting 802.1X Devices Logging Levels ................144 Advanced Settings ........................144 Setting the Agent Read Timeout ..................144 Setting the RPC Command Timeout ..................145...
  • Page 7 Configuring Windows Vista for Agentless Testing ............173 Defining the Agentless Group Policy Object..............174 Ports Used for Testing ....................182 Allowing the Windows RPC Service through the Firewall ..........182 ActiveX Test Method......................184 Ports Used for Testing ....................184 Windows Vista Settings ....................184 Mac OS X Endpoint Settings ....................184 Ports Used for Testing .......................184 Allowing Sentriant AG through the OS X Firewall ..............184 End-user Access Windows......................187...
  • Page 8 Viewing Information About Tests..................230 Selecting Test Properties ....................230 Entering Software Required/Not Allowed................230 Entering Service Names Required/Not Allowed ...............231 Entering the Browser Version Number ................231 Test Icons ........................232 Chapter 7: Quarantined Networks ....................233 Endpoint Quarantine Precedence....................233 Using Ports in Accessible Services and Endpoints ..............234 Always Granting Access to an Endpoint ..................236 Always Quarantining an Endpoint....................237 New Users..........................237...
  • Page 9 Enterasys® Matrix 1H582-25 ..................294 Extreme® Summit 48si ....................294 ExtremeWare ......................295 ExtremeXOS........................296 Foundry® FastIron® Edge 2402...................296 HP ProCurve 420AP ....................297 HP ProCurve 530AP ....................297 HP ProCurve 3400/3500/5400 ..................299 Nortel® 5510......................299 Creating Custom Expect Scripts ..................300 Chapter 12: API........................... 305 Overview ..........................305 Setting Sentriant AG Properties ....................306 Setting Firewall Rules......................307 Sentriant AG Events Generated....................307...
  • Page 10 Editing DHCP Server Plug-in Configurations.................348 Deleting a DHCP Server Plug-in Configuration..............348 Disabling a DHCP Server Plug-in Configuration ..............349 Enabling a DHCP Server Plug-in Configuration ..............349 Chapter 16: System Administration....................351 Launching Sentriant AG......................351 Launching and Logging into Sentriant AG ................351 Logging out of Sentriant AG ....................351 Important Browser Settings ....................351 Restarting Sentriant AG System Processes.................351...
  • Page 11 When the Password is Unknown..................390 NTLM 2 Authentication ......................391 Working with Ranges .......................391 Creating and Replacing SSL Certificates..................393 Creating a New Self-signed Certificate.................393 Using an SSL Certificate from a known Certificate Authority (CA)...........395 Moving an ES from One MS to Another..................396 Recovering Quickly from a Network Failure ................397 VLAN Tagging .........................398 iptables Wrapper Script ......................399...
  • Page 12 Allowing Sentriant AG Through the Firewall ................419 Appendix C: Tests Help........................ 421 Browser Security Policy—Windows....................421 Browser Version ........................423 Internet Explorer (IE) Internet Security Zone ................423 Internet Explorer (IE) Local Intranet Security Zone ...............424 Internet Explorer (IE) Restricted Site Security Zone ..............424 Internet Explorer (IE) Trusted Sites Security Zone ..............425 Operating System—Windows ....................426 IIS Hotfixes ........................426...
  • Page 13 Installation Requirements ....................463 Installing the Standby MS ....................463 Ongoing Maintenance ......................464 Failover process ........................464 Appendix G: Licenses ........................467 Extreme Networks End-User License Agreement.................467 Other Licenses........................469 Apache License Version 2.0, January 2004 .................470 ASM ..........................471 Open SSH ........................472 Postgresql ........................474 Postgresql jdbc ........................475...
  • Page 14 Activation .........................496 JAVA OPTIONAL PACKAGE ....................497 jsp-api package.........................498 Appendix H: Glossary........................503 Index ............................513 Sentriant AG Software Users Guide, Version 5.2...
  • Page 15: List Of Figures

    List of Figures Figure 1: Sentriant AG Home Window ..................24 Figure 2: System Monitor Window ...................25 Figure 3: System Monitor Window Legend ................26 Figure 4: Online help......................39 Figure 5: Index tab ........................40 Figure 6: Search tab ......................41 Figure 7: Single-server Installation ..................44 Figure 8: Multiple-server Installation ..................45 Figure 9:...
  • Page 16 List of Figures Figure 42: Add Extreme XOS Device ..................101 Figure 43: Add Foundry Device....................103 Figure 44: Add HP ProCurve Device ..................105 Figure 45: Add HP ProCurve WESM xl/zl Device ...............108 Figure 46: Add HP ProCurve 420/530 AP Device ..............110 Figure 47: Add Nortel Device ....................112 Figure 48: Add Other Device ....................114 Figure 49: System Configuration, Quarantining, DHCP Enforcement...........116...
  • Page 17 List of Figures Figure 88: Remote Procedure Call Properties Window ...............178 Figure 89: Remote Registry Properties Window ................179 Figure 90: Windows Firewall Window ..................180 Figure 91: Microsoft Peer-to-Peer Window ................181 Figure 92: Double Arrow Icon ....................182 Figure 93: Mac System Preferences ..................185 Figure 94: Mac Sharing ......................186 Figure 95: Mac Ports ......................187 Figure 96: End-user Opening Window..................188...
  • Page 18 List of Figures Figure 134: DHCP Installation....................243 Figure 135: 802.1X Installation ....................244 Figure 136: Inline Installations....................248 Figure 137: DHCP Installation....................250 Figure 138: 802.1X Components....................254 Figure 139: Sentriant AG 802.1X Enforcement ................256 Figure 140: 802.1X Communications..................257 Figure 141: Windows Components Wizard .................259 Figure 142: Networking Services ....................259 Figure 143: IAS, Register Server in Active Directory ..............260 Figure 144: IAS, Properties Option ...................261...
  • Page 19 List of Figures Figure 180: The DAC InstallShield Wizard Welcome Window ............317 Figure 181: RDAC Installer, Setup Type ..................317 Figure 182: RDAC Installer, Choose Destination Location............318 Figure 183: RDAC Installer, Confirm New Folder ................318 Figure 184: RDAC Installer, Select Features ................319 Figure 185: RDAC Installer, NIC Selection ................319 Figure 186: RDAC Installer, TCP Port Filter Specification ............320 Figure 187: RDAC Installer, Enforcement Server Specification ............320...
  • Page 20 List of Figures Sentriant AG Software Users Guide, Version 5.2...
  • Page 21: List Of Tables

    List of Tables Table 1: Sentriant AG v5.2 for v4.x Users................26 Table 2: Test Methods ......................29 Table 3: Sentriant AG Technical Support................33 Table 4: Default Menu Options ....................47 Table 5: Default User Roles ....................70 Table 6: User Role Permissions .....................76 Table 7: Accessible Services and Endpoints Tips..............132 Table 8:...
  • Page 22 List of Tables Sentriant AG Software Users Guide, Version 5.2...
  • Page 23: Chapter 1: Introduction

    Introduction This chapter provides the following:
    ● A description of the Home window (“Sentriant AG Home Window” on page
    ● A description of the System monitor window (“Sentriant AG Home Window” on page
    ● A quick-reference for v4.1 users (“Sentriant AG v5.2 for v4.x Users” on page
    ● An overview of Sentriant AG and the key features...
  • Page 24: System Monitor

    Introduction 7 Access control status area—The Access control area displays the total number of endpoints that have attempted to connect to your network, and what the access state is as a percentage and as a number. Click on the number of endpoints to view details. 8 Enforcement server (ES) status area—The Enforcement server status area provides status on your ESs.
  • Page 25: Figure 2: System Monitor Window

    Introduction
    ● Server name by cluster—The servers for each cluster are listed by name in the order they were created. Click on a server name to view server details. You must have cluster-editing permissions to view and edit server details.
    ● Cluster access mode—The cluster access mode is either normal or allow all.
  • Page 26: Sentriant Ag V5.2 For V4.X Users

    Introduction The following figure shows the legend for the System monitor window icons: Figure 3: System Monitor Window Legend Sentriant AG v5.2 for v4.x Users The user interface has been completely redesigned in this release of Sentriant AG. The following table provides a quick-reference for users familiar with Sentriant AG v4.x.
  • Page 27 Introduction Table 1: Sentriant AG v5.2 for v4.x Users (continued)
    Sentriant AG 4.x | Sentriant AG 5.0 | Notes
    System tab | • Interface and DNS configuration—System configuration>>Select a server>>Configuration • Date & time settings—System configuration>>Management server | System tab tasks are on the System configuration window.
    Quarantine tab | •...
  • Page 28 Introduction Table 1: Sentriant AG v5.2 for v4.x Users (continued)
    Sentriant AG 4.x | Sentriant AG 5.0 | Notes
    Credentials tab | System configuration>>Agentless credentials | Windows domain credentials are on the System configuration window (Agentless credentials). They are set as cluster defaults, but can be overridden when creating or editing a cluster.
  • Page 29: Overview

    Introduction Overview Sentriant AG protects the network by ensuring that endpoints are free from threats and in compliance with the organization's IT security standards. Sentriant AG systematically tests endpoints—with or without the use of a client or agent—for compliance with organizational security policies, quarantining non-compliant machines before they damage the network.
  • Page 30 Introduction Table 2: Test Methods (continued)
    Test method | Trade-offs: Pros | Trade-offs: Cons
    ActiveX plug-in | • No installation or upgrade to maintain. • Supports all Windows operating systems. | • No retesting of endpoint once browser is closed. • Not supported by non-Windows operating systems.
  • Page 31: The Sentriant Ag Process

    Introduction
    ● Self-remediation—Reduces IT administration by empowering users to bring their machines into compliance.
    ● Subscription-based licensing—Includes all test updates and software upgrades.
    The Sentriant AG Process Sentriant AG administrators create NAC policies that define which applications and services are permitted, and specify the actions to be taken when endpoints do not comply.
  • Page 32: Compliance Enforcement

    Introduction initial compliance tests, Sentriant AG periodically tests endpoints that have been granted access to ensure that real-time system changes do not violate the NAC policy. NOTE Sentriant AG passes approximately 9 to 16 kilobytes of total data between a single endpoint and a single Sentriant AG server for a single testing session with the High Security NAC policy (approximately 20 tests).
  • Page 33: Targeted Reporting

    Introduction
    ● Patch Management—Sentriant AG can integrate with patch management software, automating the process to get an endpoint updated and on the network.
    Targeted Reporting Sentriant AG reports provide concise security status information on endpoint compliance and access activity. Specific reports are available for auditors, managers, and IT staff members. For more information, see “Reports”...
  • Page 34: Installing And Upgrading

    Sentriant AG release upgrades or patch installs, compromising the third-party software functionality. Additionally, installing third-party software and/or modifying the Sentriant AG software can violate your license agreement. Please refer to the Extreme Networks, Inc. EULA: “Extreme Networks End-User License Agreement”...
  • Page 35: Warning Paragraph

    Introduction Example: CAUTION Do not rename the files or they will not be seen by Sentriant AG. Warning Paragraph Warnings notify you of conditions that can lock your system or cause damage to your data. Example: WARNING! Do not log in using SSH—this kills your session and causes your session to hang. Bold Font Bold font indicates the text that appears on a window or screen.
  • Page 36: Courier Font

    Introduction
    ● Indicating a variable entry in a command— https://<IP_address>/index.html In this case, you must replace <IP_address> with the actual IP address, such as 10.0.16.99. Do not type the angled brackets.
    Courier Font Courier font is used in the following cases: Indicating path names—...
  • Page 37: Terms

    Introduction
    ● Indicating a variable section in a *.INI file— [Global] NASList=192.168.200.135
    ● Indicating a list in a properties file— Compliance.ObjectManager.DHCPConnectorServers=[192.168.51.130, 192.168.99.1]
    Terms Terms are defined in the “Glossary” on page 503. Example: Media Access Control—The unique number that identifies a physical ...
  • Page 38: Users' Guide Online Help

    Introduction http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html Next, open a DOS (command) window on the Windows machine, and enter the commands as follows: To copy a file from a Linux machine to a Windows machine, enter the following: <pscp directory> \pscp fred@example.com:/etc/hosts c:\temp\example-hosts.txt You will be prompted to enter a password for the Linux/UNIX machine. To copy a file from a Windows machine to a Linux machine, enter the following: <pscp directory>...
  • Page 39: Figure 4: Online Help

    Introduction Figure 4: Online help The following options are available:
    ● Previous – Click the upward pointing icon to go to the previous page.
    ● Next – Click the downward pointing icon to go to the next page.
    ● Print topic – Click the printer icon to print the current topic.
    ●...
  • Page 40: Figure 5: Index Tab

    Introduction Figure 5: Index tab 1 Click on a letter link at the top of the index column to see the index entries. 2 Click on an index entry to see the location in the text. 3 Click on cross reference items in highlighted text to see more information on these items. To search for a term: Online help document>>Shown navigation icon>>Search tab Sentriant AG Software Users Guide, Version 5.2...
  • Page 41: Figure 6: Search Tab

    Introduction Figure 6: Search tab 1 Enter a term in the search box. 2 Click Go. 3 Click on one of the results returned to display it in the right-side pane. 4 Click on the red arrow to see the contents of the collapsed section of the document. NOTE Red arrows that point to the right denote collapsed sections.
  • Page 42 Introduction Sentriant AG Software Users Guide, Version 5.2...
  • Page 43: Chapter 2: Clusters And Servers

    Clusters and Servers Sentriant AG introduces clusters and servers. A cluster is a logical grouping of one or more ESs that are managed by one MS. A single-server installation is one where the MS and ES are on one server. The ES is assigned to a Default cluster.
  • Page 44: Single-Server Installation

    Clusters and Servers Single-server Installation The simplest installation is where the MS and ES are installed on the same physical server as shown in the following figure: Figure 7: Single-server Installation Multiple-server Installations By using at least three servers, one for the MS and two for ESs, you gain the advantage of high availability and load balancing.
  • Page 45: Figure 8: Multiple-Server Installation

    Clusters and Servers High availability is where ESs take over for any other ES or servers that become unavailable. Load balancing is where the testing of endpoints is spread evenly over all of the ESs. A three-server installation is shown in the following figure: Figure 8: Multiple-server Installation Sentriant AG Software Users Guide, Version 5.2...
  • Page 46: Figure 9: Multiple-Server, Multiple-Cluster Installation

    Clusters and Servers When your network is more complex, you can continue to add clusters as shown in the following figure: Figure 9: Multiple-server, Multiple-cluster Installation The system configuration area allows you to select default settings for all clusters, as well as override the default settings on a per-cluster basis.
  • Page 47: Chapter 3: System Configuration

    System Configuration The System configuration window allows the system administrator to set the operating parameters for Sentriant AG. Introduction User logins and associated user roles determine the access permissions for specific functionality within Sentriant AG. The following table shows the default home window menu options that are available by user role: Table 4: Default Menu Options User role...
  • Page 48: Enforcement Clusters And Servers

    System Configuration
    ● User roles—“User Roles” on page 74
    ● License—“License” on page 78
    ● Test updates—“Test Updates” on page 79
    ● Quarantining—“Quarantining, General” on page 82
    ● Maintenance—“Maintenance” on page 125
    ● Cluster setting defaults
    ■ Testing Methods—“Testing Methods” on page 128
    ■...
  • Page 49: Enforcement Clusters

    System Configuration Enforcement Clusters Adding an Enforcement Cluster To add an Enforcement cluster: Home window>>System configuration>>Enforcement clusters & servers Figure 10: System Configuration, Enforcement Clusters & Servers Sentriant AG Software Users Guide, Version 5.2...
  • Page 50: Figure 11: Add Enforcement Cluster

    System Configuration 1 Click Add an Enforcement cluster in the Enforcement clusters & servers area. The Add Enforcement cluster window appears. The General area is displayed by default. Figure 11: Add Enforcement Cluster a Enter a name for the Enforcement cluster in the Cluster name field. b Select a NAC policy group from the NAC policy group drop-down list (see “NAC Policies”...
  • Page 51: Editing Enforcement Clusters

    System Configuration
    ■ Testing methods—See “Testing Methods” on page 128
    ■ Accessible services—See “Accessible Services” on page 130
    ■ Exceptions—See “Exceptions” on page 132
    ■ Notifications—See “Notifications” on page 134
    ■ End-user screens—See “End-user Screens” on page 136
    ■ Agentless credentials—See “Agentless Credentials” on page 139
    ■...
  • Page 52: Deleting Enforcement Clusters

    System Configuration To view Enforcement cluster statistics: Home window>>System configuration>>Enforcement clusters & servers Click a cluster name, for example Austin. The Enforcement cluster window appears: Figure 12: Enforcement Cluster, General The statistics shown in this window are per cluster, where the statistics shown in the Home window are system-wide.
  • Page 53: Enforcement Servers

    System Configuration 2 Click yes. The System configuration window appears (Figure 10). Enforcement Servers Adding an ES To add an ES: Home window>>System configuration>>Enforcement clusters & servers Figure 13: System Configuration, Enforcement Clusters & Servers Sentriant AG Software Users Guide, Version 5.2...
  • Page 54: Cluster And Server Icons

    System Configuration 1 Click Add an Enforcement server in the Enforcement clusters & servers area. The Add Enforcement server window appears. Figure 14: Add Enforcement Server 2 Select a cluster from the Cluster drop-down list. 3 Enter the IP address for this ES in the IP address text box. 4 Enter the fully qualified hostname to set on this server in the Host name text box.
  • Page 55: Editing Ess

    System Configuration 2 Move the mouse away from the legend icon to hide pop-up window. Figure 15: Enforcement Cluster Legend Editing ESs To edit ES settings: Home window>>System configuration>>Enforcement clusters & servers 1 Click the ES you want to edit. The Enforcement server window appears, as shown in Figure 16 on page Sentriant AG Software Users Guide, Version 5.2...
  • Page 56: Changing The Es Network Settings

    System Configuration 2 Click the Configuration menu option to access the Enforcement Server’s settings. The Configuration area is displayed: Figure 16: Enforcement Server 3 Edit the following settings:
    ■ ES Network settings—“Changing the ES Network Settings” on page 56
    ■ ES Date and time—“Changing the ES Date and Time”...
  • Page 57: Changing The Es Date And Time

    System Configuration To change the ES network settings: Home window>>System configuration>>Enforcement clusters & servers>>Select an ES>>Configuration Modify any of the following Network settings you want to change:
    ● Enter a new ES host name in the Host name text field. For example, garp.mycompany.com
    ● Enter a new ES address in the IP address text field.
  • Page 58: Modifying The Es Snmp Settings

    System Configuration Modifying the ES SNMP Settings To change the ES SNMP settings: Home window>>System configuration>>Enforcement clusters & servers>>Select an ES>>Configuration 1 Select the Enable SNMP check box. 2 Enter a Read community string, such as Public2 3 Enter the Allowed source network. This value must be either default or a network specified in CIDR notation.
  • Page 59: Deleting Ess

    System Configuration 1 Click the server for which you want to view the status. The Enforcement server window appears: Figure 17: Enforcement Server, Status 2 Click ok or cancel. Deleting ESs NOTE Servers need to be powered down for the delete option to appear next to the name in the Sentriant AG user interface.
  • Page 60: Es Recovery

    System Configuration 1 Click delete next to the server you want to remove from the cluster. The Delete Enforcement server confirmation window appears. 2 Click yes. The System configuration window appears. ES Recovery If an existing ES goes down and comes back up, it can participate in its assigned cluster, even if the MS is not available.
  • Page 61: Figure 18: System Configuration, Management Server

    System Configuration Figure 18: System Configuration, Management Server 1 Server status is shown in the Network settings area. 2 Click ok or cancel. Sentriant AG Software Users Guide, Version 5.2...
  • Page 62: Modifying Ms Network Settings

    System Configuration Modifying MS Network Settings CAUTION Back up your system immediately after changing the MS or ES IP address. If you do not back up with the new IP address, and later restore your system, it will restore the previous IP address which can show an ES error condition and cause authentication problems.
  • Page 63: Selecting A Proxy Server

    System Configuration
    ■ Enter one or more DNS resolver IP addresses, separated by commas, semicolons, or spaces in the DNS IP addresses text box. For example: 10.0.16.100,10.0.1.1
    3 Click ok. Selecting a Proxy Server Connecting to the Internet is necessary for updating tests, validating license keys, and sending support packages.
  • Page 64: Automatically Setting The Time

    System Configuration
    ■ Set date
    ■ Set time
    NOTE Date and time settings are applied to the MS; however, you can set the time zone for each ES. Automatically Setting the Time To automatically set the time: Home window>>System configuration>>Management server 1 Select Automatically receive NTP updates from and enter one or more Network Time Protocol (NTP) servers, separated by commas.
  • Page 65: Selecting The Time Zone

    System Configuration 4 Click ok. 5 Click ok. CAUTION Manually changing the date/time by a large amount (other than a time zone change) requires a restart of all servers. Rolling back the clock has adverse effects on the system. Selecting the Time Zone To set the time zone: Home window>>System configuration>>Management server...
  • Page 66: Modifying The Ms Root Account Password

    System Configuration NOTE NAC policy tests can be configured such that if an endpoint fails the test, it will be granted network access temporarily. In these cases, it might be desirable not to send an SNMP notification. b Select the Do not send notifications when an endpoint has been granted temporary network access check box to disable these notifications.
  • Page 67: Changing The Sentriant Ag Upgrade Timeout

    Changing the Sentriant AG Upgrade Timeout Since upgrading can take longer than the default timeout (45 minutes) setting of the Sentriant AG Update, Extreme Networks, Inc. recommends that you increase the timeout value when you have limited bandwidth by performing these steps.
  • Page 68: Figure 21: System Configuration, User Accounts

    System Configuration Figure 21: System Configuration, User Accounts Sentriant AG Software Users Guide, Version 5.2...
  • Page 69: Figure 22: Add User Account

    System Configuration 1 Click Add a user account. The Add user account window appears: Figure 22: Add User Account 2 Enter the following information:
    ■ User ID—The user ID used to log into Sentriant AG
    ■ Password—The password used to log into Sentriant AG
    ■...
  • Page 70: Searching For A User Account

    System Configuration NOTE Users must be assigned at least one role. 5 In the Clusters area, select a cluster or clusters. NOTE Users must be assigned at least one Enforcement cluster. 6 Click ok. Table 5: Default User Roles User Role Name Description Cluster Administrator For their clusters, users having this role can configure their...
  • Page 71: Sorting The User Account Area

    System Configuration NOTE Click reset to clear the text field and to refresh the display to show all accounts after a search. Sorting the User Account Area To sort the user account area: Home window>>System configuration>>User accounts Click the column heading for user id, full name, email address, user roles, or clusters. The user accounts reorder according to the column heading selected.
  • Page 72: Editing A User Account

    System Configuration 1 Click copy next to the user account you want to duplicate. The Copy user account window appears. The account information is duplicated from the original account. Figure 23: Copy User Account 2 Enter the User ID of the new account. 3 Enter the Password.
  • Page 73: Deleting A User Account

    System Configuration 1 Click the name of the user account that you want to edit. The User account window appears: Figure 24: User Account 2 Change or enter information in the fields you want to change. See “Adding a User Account” on page 67 for information on user account settings.
  • Page 74: User Roles

    System Configuration 2 Click yes. User Roles The User roles menu option allows you to configure the following:
    ● View current user roles and details associated with those roles
    ● Add a new user role
    ■ Name the new user role
    ■...
  • Page 75: Figure 25: System Configuration, User Roles

    System Configuration Figure 25: System Configuration, User Roles Sentriant AG Software Users Guide, Version 5.2...
  • Page 76: Figure 26: Add User Role

    System Configuration 1 Click add a user role in the User roles area. The Add user role window appears. Figure 26: Add User Role 2 Enter a descriptive name in the Role name field. 3 Enter a description of the role in the Description field. 4 Select the permissions for the user role.
  • Page 77: Editing User Roles

    System Configuration Table 6: User Role Permissions (continued)
    Permission | Description
    Retest endpoints | Allows you to have endpoints in your clusters retested
    Editing User Roles NOTE You cannot edit the System Administrator user role. To edit user roles: Home window>>System configuration>>User roles 1 Click the role you want to edit.
  • Page 78: Deleting User Roles

    System Configuration Deleting User Roles NOTE You cannot delete the System Administrator role. To delete user roles: Home window>>System configuration>>User roles 1 Click delete next to the user role you want to remove. The Delete user role confirmation window appears. 2 Click yes.
  • Page 79: Test Updates

    Guide). If you need to update your license key, in the New license key field, enter your Sentriant AG license key, which Extreme Networks, Inc. sends to you by email. Copy and paste the license key directly from the text file.
  • Page 80: Manually Checking For Test Updates

    System Configuration
    ● Check for test updates (forces an immediate check for test updates)
    ● Set time or times for downloading test updates
    ● View test update logs
    Manually Checking for Test Updates To manually check for test updates: Home window>>System configuration>>Test updates Figure 29: System Configuration, Test Updates 1 In the Last successful test update area, click check for test updates.
  • Page 81: Selecting Test Update Times

    1 Using the hour check boxes, select the time periods in which you would like Sentriant AG to check for available test updates. By default, Sentriant AG checks once every hour using the Extreme Networks, Inc. Secure Rule Distribution Center. All times listed are dependent upon the clock setting and time zone of the hardware on which Sentriant AG is running.
  • Page 82: Quarantining, General

    System Configuration 1 Click the View test update log link just to the right of the Check for test updates button. The Test update log window appears: Figure 30: Test Update Log The Test update log window legend is shown in the following figure: Figure 31: Test Update Log Window Legend Quarantining, General The Quarantining menu option allows you to configure the following by cluster:...
  • Page 83: Selecting The Quarantine Method

    System Configuration Selecting the Quarantine Method To select the quarantine method: Home window>>System configuration>>Quarantining Figure 32: System Configuration, Quarantining 1 Select a cluster. 2 In the Quarantine method area, select one of the following quarantine methods:
  • Page 84: Selecting The Access Mode

    System Configuration
    ■ 802.1X—When using the 802.1X quarantine method, Sentriant AG must sit in a place on the network where it can communicate with your RADIUS server, which communicates with your switch or router, which performs the quarantining.
    ■ DHCP—When configured with a DHCP quarantine area, Sentriant AG must sit inline with your ...
  • Page 85: Entering Basic 802.1X Settings

    System Configuration Entering Basic 802.1X Settings To enter basic 802.1X settings: Home window>>System configuration>>Quarantining>>802.1X quarantine method radio button 1 In 802.1X enforcement mode, the Enforcement servers must be able to monitor DHCP conversations and detect endpoints by sniffing network traffic as it flows between the DHCP server and the endpoints.
  • Page 86: Configuring Windows Domain Settings

    System Configuration
    ■ Windows domain—Authentication requests are handled by a Windows domain through the NTLM protocol. The ES must be able to join the domain for this to work. See “Configuring Windows Domain Settings” on page 86 for more information.
    ■ OpenLDAP—User credentials are queried from an OpenLDAP directory service.
  • Page 87: Figure 33: System Configuration, Windows Domain

    System Configuration 1 Select Windows domain from the End-user authentication method drop-down list. Figure 33: System Configuration, Windows Domain 2 Enter the Fully Qualified Domain Name (FQDN) of the domain to be joined in the Domain name text field. 3 Enter the user name of an account with sufficient administrative rights to join an ES to the domain in the Administrator user name text field.
  • Page 88: Configuring Openldap Settings

    System Configuration 4 Enter the password of the account entered into the Administrator user name field in the Administrator password text field. 5 Enter the list of domain controllers, separated by commas, for this domain in the Domain controllers text field. 6 To test the Windows domain settings: a Select one of the following from the Server to test from drop-down list in the Test Windows domain settings area:...
  • Page 89: Figure 34: System Configuration, Openldap

    System Configuration 1 Select OpenLDAP from the End-user authentication method drop-down list. Figure 34: System Configuration, OpenLDAP
  • Page 90 System Configuration 2 Enter the LDAP server hostname or IP address and optional port number in the Server text field. For example: 10.0.1.2:636 3 Enter the DN under which LDAP searches should be done in the Identity text field. For example: cn=admin,o=My Org,c=UA 4 Enter the password that authenticates the DN entered into the Identity text field in the Password text field.
  • Page 91: Adding 802.1X Devices

    System Configuration Adding 802.1X Devices To add an 802.1X device: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device Figure 35: Add 802.1X Device 1 Enter the IP address of the 802.1X device in the IP address text field. 2 Enter a shared secret in the Shared secret text field.
  • Page 92: Testing The Connection To A Device

    System Configuration
    ■ HP ProCurve WESM—See “HP ProCurve WESM xl or HP ProCurve WESM zl” on page 107.
    ■ HP ProCurve 420/530 AP—See “HP ProCurve 420 AP or HP ProCurve 530 AP” on page 110.
    ■ Nortel—See “Nortel” on page 112.
    ...
  • Page 93: Cisco Ios

    System Configuration 2 For ProCurve, Nortel, and Other switches (Figure 36): a Select the Method used to execute the re-authentication command in the test: ● 802.1X ● MAC auth b Enter the port of the endpoint being tested in the Port text field. c Enter the MAC address of the endpoint being tested in the MAC address text field.
  • Page 94: Figure 38: Add Cisco Ios Device

    System Configuration Figure 38: Add Cisco IOS Device 1 Enter the IP address of the Cisco IOS device in the IP address text field. 2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
  • Page 95: Cisco Catos

    System Configuration 10 Enter the Cisco port mask in the text field. This specifies which characters within the endpoint identifier returned by the Cisco device contain the bank and port information of the endpoint. Each digit of the mask is a zero-based character offset, so a mask of 2/34 selects offset 2 (the third character) for the bank and offsets 3 and 4 (the fourth and fifth characters) for the port.
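Because an off-by-one in the mask silently re-authenticates the wrong port, it helps to see the mask applied to a concrete identifier. The following Python is an added example (not the guide's or the product's code) that parses a mask in the form described above and extracts the bank and port; the endpoint identifier it is run on is a constructed value, not one captured from a real Cisco device.

```python
"""Added example: interpreting the Cisco 'port mask' described above.

Each digit of the mask is a zero-based character offset into the endpoint
identifier the device returns; the part before '/' selects the bank (slot)
characters, the part after selects the port characters. The identifier used
in the test is constructed, not captured from a real switch.
"""


def parse_port_mask(mask: str) -> tuple:
    """'2/34' -> ([2], [3, 4]). Rejects anything that is not digits/digits."""
    if mask.count("/") != 1:
        raise ValueError(f"mask {mask!r} must contain exactly one '/'")
    bank, port = mask.split("/")
    if not (bank.isdigit() and port.isdigit()):
        raise ValueError(f"mask {mask!r} must contain only digit offsets")
    return [int(c) for c in bank], [int(c) for c in port]


def apply_port_mask(identifier: str, mask: str) -> tuple:
    """Extract (bank, port) as integers from an endpoint identifier."""
    bank_offsets, port_offsets = parse_port_mask(mask)
    highest = max(bank_offsets + port_offsets)
    if highest >= len(identifier):
        raise ValueError(
            f"identifier {identifier!r} is too short for mask {mask!r} (needs offset {highest})")
    bank = "".join(identifier[i] for i in bank_offsets)
    port = "".join(identifier[i] for i in port_offsets)
    if not (bank.isdigit() and port.isdigit()):
        raise ValueError(f"masked characters {bank!r}/{port!r} are not numeric")
    return int(bank), int(port)
```

With the constructed identifier 50312 and the guide's mask 2/34, the bank is the character at offset 2 and the port the characters at offsets 3 and 4, giving bank 3, port 12; an identifier shorter than the highest offset is rejected rather than guessed at.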
  • Page 96: Figure 39: Add Cisco Catos Device

    System Configuration Figure 39: Add Cisco CatOS Device 1 Enter the IP address of the Cisco CatOS device in the IP address text field. 2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
  • Page 97: Catos User Name In Enable Mode

    System Configuration 10 Enter the password with which to enter enable mode. 11 Re-enter the enable mode password. 12 Enter the networks (using CIDR notation) that this device is in direct control over in the Network list text field. This is only necessary if the device does not send its IP address with its supplicant request.
  • Page 98: Enterasys

    System Configuration Enterasys To add an Enterasys device: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device Figure 40: Add Enterasys Device 1 Enter the IP address of the Enterasys device in the IP address text field. 2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
  • Page 99: Extreme Extremeware

    System Configuration 9 Re-enter the console password. 10 Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet/SSH console can remain idle or unused before it is reset. 11 Select the Show scripts plus symbol to show the following scripts: ■ Initialization script—The expect script used to log into the console and enter enable mode.
  • Page 100: Figure 41: Add Extremeware Device

    System Configuration Figure 41: Add ExtremeWare Device 1 Enter the IP address of the ExtremeWare device in the IP address text field. 2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
  • Page 101: Extreme Xos

    System Configuration
    ■ Initialization script—The expect script used to log into the console and enter enable mode.
    ■ Re-authentication script—The expect script used to perform endpoint re-authentication.
    ■ Exit script—The expect script used to exit the console.
    12 Click ok. NOTE Click revert to defaults to restore the default settings.
  • Page 102: Foundry

    System Configuration 2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. 3 Re-enter the shared secret in the Re-enter shared secret text field. 4 Enter an alias for this device that appears in log files in the Short name text field.
  • Page 103: Figure 43: Add Foundry Device

    System Configuration Figure 43: Add Foundry Device 1 Enter the IP address of the Foundry device in the IP address text field. 2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
  • Page 104: Hp Procurve Switch

    System Configuration 11 Re-enter the enable mode password. 12 Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet/SSH console can remain idle or unused before it is reset. 13 Select the Show scripts plus symbol to show the following scripts: ■ Initialization script—The expect script used to log into the console and enter enable mode.
  • Page 105: Figure 44: Add Hp Procurve Device

    System Configuration Figure 44: Add HP ProCurve Device 1 Enter the IP address of the HP ProCurve device in the IP address text field. 2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
  • Page 106 System Configuration c To help confirm accuracy, type the same password you entered into the Password field in the Re- enter Password field. d Enter the Enable mode user name that is used to enter enable mode on this device. e Enter the Password used to enter enable mode on this device.
  • Page 107: Hp Procurve Wesm Xl Or Hp Procurve Wesm Zl

    System Configuration ● NULLOBJ (last entry of the OID type list) d Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field. e Select the Use a different OID for MAC authentication check box to re-authenticate using a different OID when the supplicant request is for a MAC authenticated device. 1) Enter the Re-authenticate OID used to re-authenticate an endpoint.
  • Page 108: Figure 45: Add Hp Procurve Wesm Xl/Zl Device

    System Configuration Figure 45: Add HP ProCurve WESM xl/zl Device 1 Enter the IP address of the HP ProCurve WESM device in the IP address text field. 2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
  • Page 109 System Configuration 8 Select the type of the re-authentication OID from the OID type drop-down list:
    ■ INTEGER
    ■ unsigned INTEGER
    ■ TIMETICKS
    ■ IPADDRESS
    ■ OBJID
    ■ STRING
    ■ HEX STRING
    ■ DECIMAL STRING
    ■ BITS
    ■ NULLOBJ
    9 Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field.
  • Page 110: Hp Procurve 420 Ap Or Hp Procurve 530 Ap

    System Configuration HP ProCurve 420 AP or HP ProCurve 530 AP To add an HP ProCurve 420 AP or HP ProCurve 530 AP device: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device Figure 46: Add HP ProCurve 420/530 AP Device 1 Enter the IP address of the HP ProCurve AP or HP ProCurve 530 AP device in the IP address text field.
  • Page 111 System Configuration 7 Enter the OID used to re-authenticate an endpoint in the Re-authenticate OID text field. The strings "${Port}" and "${MAC_DOTTED_DECIMAL}" will be substituted for the port and MAC address of the endpoint to be re-authenticated. 8 Select the type of the re-authentication OID from the OID type drop-down list: INTEGER ■...
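Step 7 describes a template substitution: the literal strings ${Port} and ${MAC_DOTTED_DECIMAL} are replaced with the endpoint's port and its MAC address written as six decimal numbers, the form SNMP uses for a MAC inside an OID index. The following Python is an added example, not the guide's or the product's code, showing what that substitution produces and checking that the result is a plain numeric OID before it would go into an SNMP SET. The template used in the test is constructed (the enterprise arc 99999 is a placeholder), not a re-authentication OID documented for any real access point.

```python
"""Added example: rendering a re-authentication OID template.

${Port} and ${MAC_DOTTED_DECIMAL} are replaced with the endpoint's port and
MAC address; the MAC becomes six decimal octets joined by dots. The template
in the test is constructed, not an OID documented for a real device.
"""
import re

_PLACEHOLDER = re.compile(r"\$\{([A-Za-z_]+)\}")
_NUMERIC_OID = re.compile(r"\d+(?:\.\d+)+")


def mac_to_dotted_decimal(mac: str) -> str:
    """'00:13:ab:cd:ef:01', '00-13-AB-CD-EF-01' or '0013.abcd.ef01' -> '0.19.171.205.239.1'."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"{mac!r} is not a 48-bit MAC address")
    return ".".join(str(int(hexdigits[i:i + 2], 16)) for i in range(0, 12, 2))


def render_reauth_oid(template: str, port: int, mac: str) -> str:
    """Substitute the two supported placeholders; refuse unknown placeholders and
    anything that does not come out as a numeric dotted OID."""
    if port < 0:
        raise ValueError("port must be non-negative")
    values = {"Port": str(port), "MAC_DOTTED_DECIMAL": mac_to_dotted_decimal(mac)}

    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"unsupported placeholder ${{{name}}}")
        return values[name]

    oid = _PLACEHOLDER.sub(substitute, template)
    if not _NUMERIC_OID.fullmatch(oid):
        raise ValueError(f"rendered OID {oid!r} is not in numeric dotted form")
    return oid
```

Rejecting a template that still contains an unknown placeholder, or that renders to something other than digits and dots, is the check a practitioner wants before the SET is sent: an SNMP agent will typically refuse such an OID, and the endpoint simply stays on whatever VLAN it had.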
  • Page 112: Nortel

    System Configuration Nortel To add a Nortel device: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device Figure 47: Add Nortel Device 1 Enter the IP address of the Nortel device in the IP address text field. 2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
  • Page 113: Other

    System Configuration 7 Enter the User name with which to log into the device's console. 8 Enter the Password with which to log into the device's console. 9 Re-enter the console password. 10 Enter the Enable mode user name. 11 Enter the password with which to enter enable mode. 12 Re-enter the enable mode password.
  • Page 114: Figure 48: Add Other Device

    System Configuration Figure 48: Add Other Device 1 Enter the IP address of the new device in the IP address text field. 2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
  • Page 115: Quarantining, Dhcp

    System Configuration 10 Select the Show scripts plus symbol to show the following scripts: NOTE You must enter the script contents yourself for the 802.1X device you are adding. ■ Initialization script—The expect script used to log into the console and enter enable mode. ...
  • Page 116: Figure 49: System Configuration, Quarantining, Dhcp Enforcement

    System Configuration Figure 49: System Configuration, Quarantining, DHCP Enforcement 1 Inline DHCP server is selected by default. If you wish to use multiple DHCP servers, see the instructions in “DHCP Plug-in” on page 339. 2 Select one of the following radio buttons: Enforce DHCP requests from all IP addresses—Allows DHCP requests from all IP addresses.
  • Page 117: Adding A Dhcp Quarantine Area

    System Configuration limits the enforcement scope to DHCP requests relayed via these IP addresses, allowing you to restrict enforcement to only those DHCP requests which are forwarded via particular routers or Layer 3 switches. If set, DHCP traffic coming from a source IP not listed will be passed without intervention.
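The scope choice above decides which DHCP requests Sentriant AG acts on at all. A relayed request carries the relay agent's address in the BOOTP giaddr field (RFC 2131), so that is the field the following added example keys on when a relay list is configured; the guide does not say which field the product itself inspects, and this Python is not the product's code. The DHCPDISCOVER it parses is constructed in the block, not captured from a network.

```python
"""Added example: deciding whether a DHCP request is inside the enforcement scope.

relay_agents=None mirrors 'Enforce DHCP requests from all IP addresses';
a list mirrors 'Enforce DHCP requests relayed via these IP addresses'.
Packets are constructed here, not captured.
"""
import ipaddress
import struct

BOOTREQUEST = 1
DHCP_MAGIC = b"\x63\x82\x53\x63"


def build_dhcp_request(xid: int, mac: bytes, giaddr: str = "0.0.0.0", hops: int = 0) -> bytes:
    """Minimal DHCPDISCOVER: BOOTP fixed header + magic cookie + option 53 + end."""
    if len(mac) != 6:
        raise ValueError("mac must be 6 bytes")
    zero4 = b"\x00" * 4
    return (struct.pack("!BBBBIHH", BOOTREQUEST, 1, 6, hops, xid, 0, 0x8000)  # broadcast flag
            + zero4 + zero4 + zero4                       # ciaddr, yiaddr, siaddr
            + ipaddress.IPv4Address(giaddr).packed        # giaddr = relay agent, or 0.0.0.0
            + mac + b"\x00" * 10                          # chaddr (16 bytes)
            + b"\x00" * 64 + b"\x00" * 128                # sname, file
            + DHCP_MAGIC
            + b"\x35\x01\x01\xff")                        # option 53 = DISCOVER, end


def parse_bootp(packet: bytes) -> dict:
    """Pull the fields the enforcement decision needs out of a BOOTP/DHCP packet."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    if hlen > 16:
        raise ValueError("invalid hardware address length")
    return {
        "op": op, "hops": hops, "xid": xid,
        "giaddr": str(ipaddress.IPv4Address(packet[24:28])),
        "chaddr": ":".join(f"{b:02x}" for b in packet[28:28 + hlen]),
    }


def in_enforcement_scope(packet: bytes, relay_agents=None) -> bool:
    """True if Sentriant-style enforcement should intercept this request."""
    fields = parse_bootp(packet)
    if fields["op"] != BOOTREQUEST:
        return False                      # server replies are never enforced on
    if relay_agents is None:
        return True                       # enforce requests from all addresses
    allowed = {str(ipaddress.IPv4Address(a)) for a in relay_agents}
    # giaddr 0.0.0.0 means the request arrived directly, not via a relay, so it
    # falls outside a relay-restricted scope and passes without intervention.
    return fields["giaddr"] in allowed
```

The practical consequence the example makes visible: with a relay list configured, a client on the same segment as the enforcement server (giaddr 0.0.0.0) is never intercepted, so the relay list must cover every path by which endpoints you intend to test can reach a DHCP server.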
  • Page 118 System Configuration
    ■ Gateway—The gateway temporarily assigned to endpoints.
    ■ Domain suffix—The domain name assigned to DHCP clients.
    ■ Non-quarantined subnets—All subnetworks on your LAN except those specified in the quarantined subnet field, separated by a carriage return.
    NOTE The quarantine area subnets and non-quarantined subnets should be entered using Classless Inter-Domain Routing (CIDR) notation (see “Entering Networks Using CIDR Format” ...
  • Page 119: Sorting The Dhcp Quarantine Area

    System Configuration Sorting the DHCP Quarantine Area To sort the quarantine area: Home window>>System configuration>>Quarantining>>DHCP radio button 1 Click one of the following column headings to sort the quarantine area by category: ■ subnet ■ dhcp ip range ■ gateway ...
  • Page 120: Deleting A Dhcp Quarantine Area

    System Configuration Deleting a DHCP Quarantine Area To delete a DHCP quarantine area: Home window>>System configuration>>Quarantining 1 Click delete next to the quarantine area you want to remove. The Delete quarantine area confirmation window appears 2 Click yes. Quarantining, Inline To select the Inline quarantine method: Home window>>System configuration>>Quarantining 1 Select a cluster.
  • Page 121: First Time Selection

    System Configuration First Time Selection The first time you select the Post-connect menu option, you are prompted to configure your external system: Home>>Post-connect Figure 52: Post-connect Configuration Message Configure your post-connect system as described in “Configuring a Post-connect System” on page 121.
  • Page 122: Figure 53: System Configuration, Post-Connect

    System Configuration Figure 53: System Configuration, Post-connect 1 Enter the name of your post-connect service in the Service name text field. This is the name used in the Post-connect and Endpoint activity windows. 2 Enter the URL of the post-connect service in the Service URL text field. When the post-connect configuration is complete, you will be able to launch this URL from the Sentriant AG Post-connect window.
  • Page 123: Launching Post-Connect Systems

    System Configuration Notifications will be sent by email from the enforcement cluster quarantining the endpoint in accordance with its notifications settings. 5 Click ok to save your changes and return to the Home window. Launching Post-connect Systems After you have configured a post-connect system, you must launch it before Sentriant AG can communicate with it.
  • Page 124: Adding Post-Connect System Logos And Icons

    System Configuration The icons on the Endpoint activity window show that the endpoint is quarantined by an external service. When you hover the cursor over the icon, the quarantine details are presented in a pop-up window: Figure 55: Post-connect Quarantine Details Post-connect service name Post-connect service logo Adding Post-connect System Logos and Icons...
  • Page 125: Maintenance

    System Configuration
    Compliance.PostConnect.Agents.<PRODUCTID>.Logo=<Logo filename>
    Compliance.PostConnect.Agents.<PRODUCTID>.Icon=<Icon filename>
    Compliance.PostConnect.Agents.<PRODUCTID>.Name=<Friendly Product Name>
    Where: <PRODUCTID> is the identifier for the post-connect service. For example, PostConnectServiceName <Logo filename> is the name of the logo file. For example, logo_post_connect.gif <Icon filename>...
  • Page 126: Initiating A New Backup

    System Configuration directory ● /usr/local/nac/keystore directory ● /usr/local/nac/subscription Initiating a New Backup To initiate a new backup: Home window>>System configuration>>Maintenance Figure 56: System Configuration, Maintenance 1 Click begin backup now in the Backup area. The Operation in progress confirmation window appears.
  • Page 127: Restoring From A Backup

    System Configuration 3 The System backup completed successfully message appears at the top of the System configuration window: Figure 57: Backup Successful Message Restoring From a Backup See “Restoring from Backup” on page 362 for information about restoring from a backup file. NOTE If you are using Backup and Restore to move configuration files from one physical server to another, you must have the same version of Sentriant AG installed on both servers.
  • Page 128: Testing Methods

    System Configuration Testing Methods The Testing methods menu option allows you to configure the following:
    ● Select testing methods
    ● Define the order in which the test method screens appear to the end-user
    ● Select end-user options
    Selecting Test Methods To select test methods: Home window>>System configuration>>Testing methods Figure 58: System Configuration, Testing Methods 1 Select one or more of the following...
  • Page 129: Ordering Test Methods

    System Configuration b ActiveX plug-in—This test method downloads an ActiveX control each time the user connects to the network. Testing is accomplished through the browser. If the browser window is closed, retesting is not performed. c Agentless—This test method uses an existing Windows service (RPC). 2 Click ok.
  • Page 130: Selecting End-User Options

    System Configuration
    ● A guest user may be uncomfortable supplying their Windows username and password to an unknown system
    Windows endpoints on your Windows domain are tested automatically when you specify the domain admin credentials in the System configuration>>Agentless credentials>>Add administrator credentials window.
  • Page 131: Figure 59: System Configuration, Accessible Services

    System Configuration Figure 59: System Configuration, Accessible Services 1 Enter one or more Web sites, host names, IP addresses, ports, endpoints, or networks, that are accessible to connecting endpoints when they fail their compliance tests. You can enter these endpoints and services in the following formats separated by a carriage return. Enter a range of IPs using CIDR addresses.
  • Page 132: Exceptions

    System Configuration The following table provides additional information about accessible services and endpoints. Table 7: Accessible Services and Endpoints Tips. Topic: Modes and IP addresses. When using inline mode, enter IP addresses rather than domain names. When using DHCP mode, use domain names for sites the user needs to access, such as update servers, and use IP addresses for endpoints that sit behind Sentriant AG, such as authentication servers.
  • Page 133: Figure 60: System Configuration, Exceptions

    System Configuration Figure 60: System Configuration, Exceptions 1 To exempt endpoints from testing, in the Whitelist area, enter the endpoints by MAC or IP address, or NetBIOS name. NOTE You can use a MAC prefix (one to five bytes or octets) to act on more than one endpoint at a time. For example entering 00:13 matches all MAC addresses that begin with 00:13.
  • Page 134: Always Quarantine Endpoints And Domains

    System Configuration Always Quarantine Endpoints and Domains To always quarantine endpoints and domains: Home window>>System configuration>>Exceptions 1 To always quarantine endpoints when testing, in the Blacklist area, enter the endpoints by MAC or IP address, or NetBIOS name. 2 To always quarantine domains when testing, in the Blacklist area, enter the domains. NOTE In DHCP mode, the Sentriant AG firewall quarantines based on MAC address (everything entered must be translated to the corresponding endpoint's MAC address).
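The Whitelist and Blacklist accept the same kinds of entry (a full MAC, a MAC prefix of one to five octets, an IP address, a NetBIOS name, and on the Blacklist a domain), and the note above explains why it matters which kind you used: in DHCP mode the decision is ultimately keyed on the endpoint's MAC, so anything else must first be resolved to one. The following Python is an added example, not the guide's or the product's code, that classifies free-text entries and matches an endpoint against them; the entries and endpoints in the test are constructed.

```python
"""Added example: matching endpoints against Whitelist/Blacklist entries.

Supported entry kinds follow the guide: full MAC, MAC prefix (1..5 octets),
IP address, NetBIOS name, and domain. Entries and endpoints are constructed.
"""
import ipaddress
import re

_MAC_PART = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){0,5}$")


def normalize_mac(mac: str) -> str:
    return mac.strip().lower().replace("-", ":")


def classify(entry: str) -> tuple:
    """Work out which kind of rule a free-text entry is. Note that a one- or
    two-octet hex string such as 'AB' is taken as a MAC prefix, as the guide
    says, so a NetBIOS name that looks like hex octets would be misread."""
    e = entry.strip()
    if _MAC_PART.match(e):
        octets = normalize_mac(e).split(":")
        kind = "mac" if len(octets) == 6 else "mac_prefix"
        return (kind, ":".join(octets))
    try:
        return ("ip", ipaddress.ip_address(e))
    except ValueError:
        pass
    if "." in e:
        return ("domain", e.lower().lstrip("."))
    return ("netbios", e.upper())


class ExceptionList:
    def __init__(self, entries):
        self.rules = [(entry.strip(), classify(entry)) for entry in entries if entry.strip()]

    def match(self, mac: str, ip: str, netbios: str = None, domain: str = None):
        """Return the first entry that matches this endpoint, or None."""
        mac = normalize_mac(mac)
        addr = ipaddress.ip_address(ip)
        dom = domain.lower() if domain else None
        for entry, (kind, value) in self.rules:
            if kind == "mac" and mac == value:
                return entry
            # Prefix match is octet-aligned: '00:13' must not match '00:1f:...'.
            if kind == "mac_prefix" and mac.startswith(value + ":"):
                return entry
            if kind == "ip" and addr == value:
                return entry
            if kind == "netbios" and netbios and netbios.upper() == value:
                return entry
            if kind == "domain" and dom and (dom == value or dom.endswith("." + value)):
                return entry
        return None
```

The octet-aligned prefix check is the detail to get right: a naive string prefix test on "00:1" would also match every MAC beginning 00:1a through 00:1f, silently widening a Whitelist entry to vendors you never intended to exempt.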
  • Page 135: Figure 61: System Configuration, Notifications

    System Configuration Figure 61: System Configuration, Notifications 1 To send email notifications, you must provide Sentriant AG with the IP address of a Simple Mail Transfer Protocol (SMTP) email server. This SMTP email server must allow SMTP messages from the Sentriant AG machine.
  • Page 136: End-User Screens

    System Configuration 1 Select a cluster. The Enforcement cluster window appears. 2 Select the Notifications menu item. 3 Select the For this cluster, override the default settings check box. 4 Select Do not send email notifications. 5 Click ok. End-user Screens The End-user screens menu option allows you to configure the end-user screens with the following:
    ● Define logo image to be displayed
    ...
  • Page 137: Specifying The End-User Screen Text

    Organization logo image—Enter a path to your organization’s logo, or click Browse to select a file on your network. Extreme Networks, Inc. recommends you place your logo here to help end-users feel secure about having their computers tested. The logo should be no larger than 450x50 pixels.
  • Page 138: Specifying The End-User Test Failed Pop-Up Window

    Footer (most screens) —Enter the text for the footer that appears on most of the end-user windows. Extreme Networks, Inc. recommends that this text includes a way to contact you if they need further assistance. You can format the text in this field with HTML characters.
  • Page 139: Agentless Credentials

    System Configuration Agentless Credentials When Sentriant AG accesses and tests endpoints, it needs to know the administrator credentials for that endpoint. If your network uses a Windows domain controller and the connecting endpoint is a member of a configured domain, Sentriant AG uses the information supplied to access and test the endpoint. NOTE Setting Windows credentials here sets them as the default settings for all clusters.
  • Page 140: Testing Windows Credentials

    System Configuration 1 Click Add administrator credentials. The Add Windows administrator credentials window appears: Figure 64: Agentless Credentials, Add Windows Administrator Credentials 2 In the Add Windows administrator credentials window, enter the following: Windows domain name—Enter the domain name of the Windows machine, for example: ■...
  • Page 141: Editing Windows Credentials

    System Configuration NOTE When using a multi-server installation, the credentials are stored on the ES, but the test is initiated from the MS. You will need to have a route identified between the MS and the ES in order for this test to work. 3 Click test.
  • Page 142: Sorting The Windows Credentials Area

    System Configuration Sorting the Windows Credentials Area To sort the Windows credentials area: Home window>>System configuration>>Agentless credentials 1 Sort the Windows administrator credentials by clicking on a column heading. 2 Click ok. Logging Setting ES Logging Levels You can configure the amount of diagnostic information written to log files, ranging from error (error- level messages only) to trace (everything).
  • Page 143: Figure 65: System Configuration, Logging Option

    System Configuration Figure 65: System Configuration, Logging Option 1 To configure the amount of diagnostic information written to log files, select a logging level from the Enforcement servers drop-down list:
    ■ error—Log error-level messages only
    ■ warn—Log warning-level and above messages only
    ...
  • Page 144: Setting 802.1X Devices Logging Levels

    System Configuration Setting 802.1X Devices Logging Levels You can configure the amount of diagnostic information written to log files related to 802.1X re- authentication, ranging from error (error-level messages only) to trace (everything). To set 802.1X logging levels: Home window>>System configuration>>Logging 1 To configure the amount of diagnostic information written to log files related to 802.1X re- authentication, select a logging level from the 802.1X devices drop-down list: error—Log error-level messages only...
  • Page 145: Setting The Rpc Command Timeout

    System Configuration Figure 66: System Configuration, Advanced Option 1 Enter a number of seconds in the Agent connection timeout period text field. The agent connection timeout period is the time in seconds that Sentriant AG waits on a connection to the agent. Use a larger number for systems with network latency issues.
  • Page 147: Chapter 4: Endpoint Activity

    Endpoint Activity Use the Endpoint activity window to monitor end-user connection activity. Home window>>Endpoint activity The Endpoint activity window has the following sections:
    ● Endpoint selection area—The left column of the window provides links that allow you to quickly filter the results area by Access control status or Endpoint test status.
    ● Search criteria area—The top right area of the window allows you to filter the results by cluster, ...
  • Page 148: Filtering The Endpoint Activity Window

    Endpoint Activity Filtering the Endpoint Activity Window You can modify the results shown in the Endpoint activity window to include activity for the following:
    ● Access control status
    ● Endpoint test status
    ● Cluster
    ● NetBIOS name
    ● IP address
    ● MAC address
    ...
  • Page 149: Filtering By Time

    Endpoint Activity Select a method for filtering the results window; by a specific access control status or endpoint status as shown in the following figure: Figure 68: Endpoint Activity, Menu Options NOTE This part of the window reflects the total number of endpoints in the network at the current time. The filters do not affect this area.
  • Page 150: Limiting Number Of Endpoints Displayed

    Endpoint Activity Figure 69: Timeframe Drop-down List 1 Select Disconnected in the Access control status area. 2 Select one of the options from the Timeframe drop-down list. 3 Click search. The results area updates to match the time frame selected, and the Timeframe selected is highlighted to show that this filter option has been applied.
  • Page 151: Access Control States

    Endpoint Activity Figure 71: Search Criteria 1 Select any or all of the following:
    ■ A Cluster from the drop-down list
    ■ A NAC policy from the drop-down list
    ■ Enter any text string in any of the text boxes (you can also leave these blank)
    ...
  • Page 152: Endpoint Test Status

    Endpoint Activity NOTE To view access status, see “Viewing Endpoint Access Status” on page 156.
    ● Quarantined—
      ■ By NAC Policy—The endpoint has been assigned a quarantined IP address. For example, an endpoint could have been quarantined because it failed a test or it could not be tested.
      ■ By administrator—The administrator has selected Temporarily quarantine for an assigned time ...
  • Page 153: Figure 73: Endpoint Mouseover Pop-Up Window

    ... Networks, Inc. Try to force a retest from the Sentriant AG user interface. If that does not work, call the Extreme Networks, Inc. Technical Assistance Center (TAC) and be prepared to generate a support package (see “Generating a Support Package” on page 364).
  • Page 154 Endpoint Activity
    ● Endpoint always granted access—Sentriant AG shows this status when an endpoint has been listed in the System configuration>>Exceptions window to always grant access (Whitelist). These endpoints are never tested and always allowed access.
    ● Endpoint always quarantined—Sentriant AG shows this status when an endpoint has been listed in ...
  • Page 155: Enforcement Cluster Access Mode

    Endpoint Activity Connection failed—endpoint/domain trust failure—The supplied credentials failed to authenticate ● because a previous trust relationship established between the endpoint and the Windows directory is broken in some way. Resolve this problem by adding the endpoint again as a member of the appropriate Windows domain, then retest the endpoint.
  • Page 156: Viewing Endpoint Access Status

    Endpoint Activity The admin changes the access mode from normal to allow all (System Configuration>>Quarantining>>Access mode area, allow all radio button). Figure 75 shows that the previously quarantined endpoint is now allowed access (green icon in the ac column); however, the Endpoint test status still shows Failed (red X in the et column). Figure 75: Failed Endpoint Allow All Mode Hover the mouse over the green icon in the ac column and a window pops up (Figure...
  • Page 157: Selecting Endpoints To Act On

    Endpoint Activity 2 The first column is the selection column, the second column is the Endpoint test status column, and the third column is the Access control status column. The icons shown in the following figure provide status: Figure 77: Access Control and Endpoint Test Status Default Post-connect service icon...
  • Page 158: Acting On Selected Endpoints

    Endpoint Activity NOTE Click the box at the top of the column to select all of the endpoints. Acting on Selected Endpoints Once you have filtered the Endpoint activity window and selected which endpoints to take action on, you can perform the following actions: Retest an endpoint (“Manually Retest an Endpoint”...
  • Page 159: Immediately Quarantine An Endpoint

    Endpoint Activity NOTE To quarantine again, select the endpoint, click change access, select Clear temporary access control status, and click ok. NOTE If an endpoint that has been granted or denied access temporarily by the administrator disconnects, the next time the endpoint attempts to connect it will be retested;...
  • Page 160: Viewing Endpoint Information

    Endpoint Activity 4 Click ok. Viewing Endpoint Information To view information about an endpoint: Home window>>Endpoint activity 1 Click on an endpoint name to view the Endpoint window: Figure 78: Endpoint, General Option
  • Page 161: Figure 79: Endpoint Activity, Endpoint Test Results Option

    Endpoint Activity 2 Click Test results to view the details of the test: Figure 79: Endpoint Activity, Endpoint Test Results Option NOTE Click on any underlined link (for example, change access) to make changes such as changing access or test credentials.
  • Page 162: Troubleshooting Quarantined Endpoints

    Endpoint Activity Troubleshooting Quarantined Endpoints The following table describes the various components that affect an endpoint attempting to access the network: Table 8: Troubleshooting Quarantined Endpoints How endpoints are quarantined and How quarantined endpoints reach Enforcement Mode redirected to Sentriant AG accessible devices DHCP mode Endpoint...
  • Page 163 Endpoint Activity Table 8: Troubleshooting Quarantined Endpoints (continued) How endpoints are quarantined and How quarantined endpoints reach Enforcement Mode redirected to Sentriant AG accessible devices DHCP mode Network DHCP server (Sentriant AG) gives the Sentriant AG (fake root) DNS—As enforcement endpoint: in endpoint enforcement (for access to names in Accessible services).
  • Page 164 Endpoint Activity Table 8: Troubleshooting Quarantined Endpoints (continued) How endpoints are quarantined and How quarantined endpoints reach Enforcement Mode redirected to Sentriant AG accessible devices Inline / VPN split Sentriant AG acts as the man-in-the- No need to allow public sites Gateway tunnel middle, iptables rewrites packets,...
  • Page 165 Endpoint Activity Table 8: Troubleshooting Quarantined Endpoints (continued) How endpoints are quarantined and How quarantined endpoints reach Enforcement Mode redirected to Sentriant AG accessible devices 802.1X DHCP server (MS DHCP server, and Sentriant AG DNS—As in endpoint so on) gives the endpoint: enforcement (for access to names in Accessible services) •...
  • Page 166 Endpoint Activity
  • Page 167: Chapter 5: End-User Access

    End-user Access End-users can connect to your network from a number of different types of computers (see “Endpoints Supported” on page 168), be tested for compliance based on your definitions in the standard (high, medium, or low security) or custom NAC policies (see “NAC Policies”...
  • Page 168: Endpoints Supported

    End-user Access _nac ● _sentriantag ● _extreme ● _nac1 ● _nac2 ● If no contact can be made, try the following A names: NOTE The endpoints DNS suffix must be correctly configured for your domain for the Agent Callback feature to work correctly.
  • Page 169: Browser Version

    End-user Access Vista Ultimate ■ Vista Business ■ Vista Enterprise ■ ActiveX testing ● Windows 2000 ■ Windows Server (2000, 2003) ■ Windows XP Professional ■ Windows XP Home ■ Vista Ultimate ■ Vista Home Basic ■ Vista Home Premium ■...
  • Page 170: Firewall Settings

    End-user Access Firewall Settings Sentriant AG can perform tests through firewalls on both managed and unmanaged endpoints. Managed Endpoints Typically, a managed endpoint’s firewall is controlled with the Domain Group Policy for Windows, or a central policy manager for other firewalls. In this case, the network administrator opens up the agent port or agentless ports only to the Sentriant AG server using the centralized policy.
  • Page 171: Agent-Based Test Method

    End-user Access Agent-based Test Method Ports Used for Testing You might need to configure some firewalls and routers to allow Sentriant AG to access port 1500 for agent-based testing. NOTE “Ports used in Sentriant AG” on page 457 for a complete description of the ports used in Sentriant AG. Windows Vista Settings All Windows Vista endpoints must have administrator permissions in order for the agent to install successfully.
  • Page 172: Configuring Windows Xp Professional For Agentless Testing

    End-user Access 3 Select Properties. The Local area connection properties window appears: Figure 80: Local Area Connection Properties 4 On the General tab, in the Components checked are used by this connection area, verify that File and Printer sharing is listed and that the check box is selected. 5 Click OK.
  • Page 173: Configuring Windows Vista For Agentless Testing

    End-user Access 3 Select Properties. The Local area connection properties window appears: Figure 81: Local Area Connection Properties 4 On the General tab, in the This connection uses the following area, verify that File and Printer sharing is listed and that the check box is selected. 5 Click OK.
  • Page 174: Defining The Agentless Group Policy Object

    End-user Access Group policies may be applied at many different levels (for example, domain, subnet, OU, security group, and so on). A discussion of selecting the appropriate level is beyond the scope of this document. This section describes the Group Policy Object applied only at the domain level (affecting all members of the domain).
  • Page 175: Figure 83: New Gpo Window

    End-user Access 3 Right-click on the domain you wish to use for the Vista endpoints and select Create and Link a GPO Here. The New GPO window appears: Figure 83: New GPO Window 4 Enter Agentless Testing in the Name text field. 5 Click OK.
  • Page 176: Figure 85: Network Access Window

    End-user Access 1) In the right pane, scroll down and right-click on Network access: sharing and security model for local accounts policy, select Properties. The Network Access window appears: Figure 85: Network Access Window 2) Select the Define this policy setting check box. 3) Select Classic—local users authenticate as themselves from the drop-down list.
  • Page 177: Figure 86: Network Security Window

    End-user Access 5) In the right pane, scroll down and right-click on Network Security: LAN Manager authentication level and select Properties. The following window appears: Figure 86: Network Security Window 6) Select the Define this policy setting check box. 7) Select Send LM & NTLM responses from the drop-down list. 8) Click OK.
  • Page 178: Figure 87: Network Connection Properties Window

    End-user Access 1) In the right pane, right-click Network Connections and select Properties. The following window appears: Figure 87: Network Connection Properties Window 2) Select the Define this policy setting check box. 3) Select the Automatic radio button. 4) Click OK. 5) In the right pane, right-click Remote Procedure Call (RPC) and select Properties.
  • Page 179: Figure 89: Remote Registry Properties Window

    End-user Access 7) Select the Automatic radio button. 8) Click OK. 9) In the right pane, right-click Remote Registry and select Properties. The following window appears: Figure 89: Remote Registry Properties Window 10) Select the Define this policy setting check box. 11) Select the Automatic radio button.
  • Page 180: Figure 90: Windows Firewall Window

    End-user Access 1) In the right pane, right-click Windows Firewall: Allow file and printer sharing exception and select Properties. The following window appears: Figure 90: Windows Firewall Window 2) Select the Enabled radio button. 3) Click OK. g In the left pane, click the plus symbols to expand Administrative Templates>>Network. h In the left pane, select Microsoft Peer-to-Peer Networking Services.
  • Page 181: Figure 91: Microsoft Peer-To-Peer Window

    End-user Access 1) In the right pane, right-click on Turn off Microsoft Peer-to-Peer Networking Services and select Properties. The following window appears: Figure 91: Microsoft Peer-to-Peer Window 2) Select the Disabled radio button. 3) Click OK. Close the Group Policy Object Editor window. 7 Move the Agentless Testing policy to the top of the list to process it first and take precedence over any local configuration: a In the Group Policy Management window, select the Linked Group Policy Objects tab in the...
  • Page 182: Ports Used For Testing

    End-user Access c Click the double arrow icon to the left of the policies to move it to the top. The following window shows the double arrow icon: Figure 92: Double Arrow Icon 8 Close the Group Policy Management window. This Agentless Group Policy Object is applicable to all Windows endpoints used in the domain.
  • Page 183 End-user Access 1 Select File and Print Sharing. (Verify that the check box is also selected.) 2 Click Edit. 3 Verify that the check boxes for all four ports are selected. 4 Select TCP 139. 5 Click Change Scope. 6 Select Custom List. 7 Enter the Sentriant AG Server IP address and the mask.
  • Page 184: Activex Test Method

    End-user Access ActiveX Test Method Ports Used for Testing You might need to configure some firewalls and routers to allow Sentriant AG to access port 1500 for ActiveX testing. NOTE “Ports used in Sentriant AG” on page 457 for a complete description of the ports used in Sentriant AG. Windows Vista Settings All Windows Vista endpoints must have administrator permissions in order for the ActiveX component to install successfully.
  • Page 185: Figure 93: Mac System Preferences

    End-user Access Figure 93: Mac System Preferences
  • Page 186: Figure 94: Mac Sharing

    End-user Access 1 Select the Sharing icon. The Sharing window opens. Figure 94: Mac Sharing 2 Select the Firewall tab. 3 The firewall settings must be one of the following: ■ On with the following: ■ OS X NAC Agent check box selected ●...
  • Page 187: End-User Access Windows

    End-user Access 2 Click Edit. The port configuration window appears: Figure 95: Mac Ports 3 Enter 1500 in the Port Number, Range or Series text field. 4 Click OK. End-user Access Windows Several end-user access templates come with Sentriant AG. The End-user window provides a way to customize these templates from within the user interface (see “End-user Screens”...
  • Page 188: Opening Window

    End-user Access NOTE Upgrading the Sentriant AG software does not overwrite your template changes. Your updated templates are preserved. CAUTION Do not rename the files or they will not be seen by Sentriant AG. End-users begin the login process by opening their browser. If their home page is defined on the Accessible services window, they are allowed to access that page.
  • Page 189: Windows Nac Agent Test Windows

    End-user Access Windows NAC Agent Test Windows Automatically Installing the Windows Agent When the test method used is NAC Agent test, the first time the user attempts to connect, the agent installation process should begin automatically, and the installing window appears: Figure 97: End-user Installing Window NOTE The end-user can also manually install the agent as described in...
  • Page 190: Figure 98: End-User Agent Installation Failed

    End-user Access If Active Content is disabled in the browser, the following error window appears: Figure 98: End-user Agent Installation Failed NOTE To enable active content, see the instructions in the Installation Guide, in the “Important Browser settings, Active Content” section. If this is the first time the end-user has selected NAC Agent test, a security acceptance window appears.
  • Page 191: Removing The Agent

    End-user Access Once the user has accepted the digital signature, the agent installation begins. The user must click Next to start the agent installation: Figure 99: End-user Agent Installation Window (Start) The user must click Finish to complete the agent installation and begin testing: Figure 100: End-user Agent Installation Window (Finish) As soon as the installation is complete, the endpoint is tested.
  • Page 192: Manually Installing The Windows Agent

    End-user Access Figure 101: Add/Remove Programs 1 Find the Sentriant AG Agent in the list of installed programs. 2 Click Remove. NOTE The Sentriant AG Agent also appears in the services list: Start button>>Settings>>Control panel>>Administrative tools>>Services Manually Installing the Windows Agent To manually install the agent (using Internet Explorer): Windows endpoint>>IE browser window 1 Point the browser to the following URL:...
  • Page 193: How To View The Windows Agent Version Installed

    End-user Access The security certificate window appears: Figure 102: Security Certificate 2 Click Yes to accept the security certificate. You are prompted to select Save to disk or Run the file: Figure 103: Run or Save to Disk 3 Click Run to begin the install process. 4 The Agent Installation Wizard starts (Figure 99 on page 191).
  • Page 194: Mac Os Agent Test Windows

    End-user Access The version number is returned. For example: 4,0,0,567 Mac OS Agent Test Windows When the test method selected is agent-based, the first time the end-user logs in to their Macintosh computer and opens a browser window, Sentriant AG attempts to test the endpoint. If the agent is required, they receive the Installation Failed window shown in Figure Installing the Mac OS Agent...
  • Page 195: Figure 105: Mac Os Installer 1 Of 5

    End-user Access 4 Click Continue. The installer appears: Figure 105: Mac OS Installer 1 of 5 5 Click Continue. The Select a Destination window appears: Figure 106: Mac OS Installer 2 of 5
  • Page 196: Figure 107: Mac Os Installer 3 Of 5

    End-user Access 6 Click Continue. The Easy Install window appears: Figure 107: Mac OS Installer 3 of 5 7 Click Install. The Authenticate window appears: Figure 108: Mac OS Installer 4 of 5
  • Page 197: Verifying The Mac Os Agent

    End-user Access 8 Enter your password. Click OK. The agent is installed and the confirmation window appears: Figure 109: Mac OS Installer 5 of 5 9 Click Close. Verifying the Mac OS Agent To verify that the Mac OS agent is running properly: Mac endpoint>>Double-click Desktop icon>>Application folder>>Utilities folder
  • Page 198: Figure 110: Applications, Utilities Folder

    End-user Access Figure 110: Applications, Utilities Folder
  • Page 199: Figure 111: Activity Monitor

    End-user Access 1 Double-click Activity Monitor. The Activity Monitor window appears: Figure 111: Activity Monitor 2 Verify that the osxnactunnel process is running. 3 If the osxnactunnel process is not running, start it by performing the following steps:
  • Page 200: Removing The Mac Os Agent

    End-user Access a Select Applications window>>Utilities>>Mac OS X Terminal. A terminal window opens: Figure 112: Mac Terminal b Enter the following at the command line: OSXNACAgent -v The build and version number are returned. c If an error message is returned indicating that the agent could not be found, the agent was not installed properly.
  • Page 201: Activex Test Windows

    End-user Access 2 Enter the following at the command line: remove_osxnacagent 3 Remove the firewall entry: a Select Apple Menu>>System Preferences>>Sharing>>Firewall tab. b Select OS X NAC Agent. c Click Delete. ActiveX Test Windows For the ActiveX test, the Testing window appears (see “Testing Window”...
  • Page 202: Agentless Test Windows

    End-user Access NOTE Install any needed patches before installing the Agent. Agentless Test Windows If the end-users select Agentless test, Sentriant AG needs login credentials in order to test the endpoint. Credentials can be obtained from the following: Automatically connect the user through domain authentication (“Agentless Credentials”...
  • Page 203: Figure 115: End-User Login Failed

    End-user Access If the login credentials are correct, the Testing window is displayed (see “Testing Window” on page 204). If the end-users do not enter the correct information in the login window fields, a login failure window appears: Figure 115: End-user Login Failed NOTE You can customize the logo and contact paragraph that appear on this window.
  • Page 204: Testing Window

    End-user Access Testing Window The following figure shows the window that appears during the testing process: Figure 116: End-user Testing The possible outcomes from the test are as follows: Test successful window (see “Test Successful Window” on page 204) ● Testing cancelled window (see “Testing Cancelled Window”...
  • Page 205: Testing Cancelled Window

    End-user Access Testing Cancelled Window If the Allow end users to cancel testing option on the System configuration>>Testing methods window is selected, the end-user has the option of clicking Cancel testing. If the end-users click Cancel testing, a window appears indicating that testing is cancelled: Figure 118: End-user Testing Cancelled Testing Failed Window When the end-user’s endpoints fail to meet the test criteria defined in the NAC policy, the end-users are...
  • Page 206: Figure 119: End-User Testing Failed Example 1

    End-user Access For each NAC policy, you can specify a temporary access period should the end-users fail the tests. See “Selecting Action Taken” on page 228 for more information. Figure 119: End-user Testing Failed Example 1 NOTE You can elect to allow access to specific services and endpoints by including them in the Accessible services and endpoints area of the System configuration>>Accessible services window (see “Accessible Services”...
  • Page 207: Error Windows

    End-user Access End-users can click Printable version to view the testing results in a printable format, as shown in the following figure: Figure 120: End-user Testing Failed, Printable Results Error Windows End-users might see any of the following error windows: Unsupported endpoint ●...
  • Page 208 End-user Access You can create custom error message strings that appear in the test result reports, and on the test results access window that the end-user views by editing or creating the following file: /usr/local/nac/scripts/BaseClasses/CustomStrings.py To customize the error messages: 1 Create a file using a text editor, and name it as follows: /usr/local/nac/scripts/BaseClasses/CustomStrings.py using the following format:...
  • Page 209: Table 9: Default Test Names And Descriptions

    End-user Access NOTE While editing the description avoid the use of double quotes “”. Use single quotes instead. Double quotes will get interpreted by the software and can cut the string short or cause the replacement to fail. 2 Once your custom strings script is complete, and you are ready to push it out to all of the ESs: a Verify that the scripts and base classes are under the Custom directory tree as specified above.
  • Page 210 End-user Access Table 9: Default Test Names and Descriptions (continued) Test name Description checkAutoUpdateStatus.String.5 Automatic Updates must be configured to %s. For Windows 2000, install Service Pack 4, then enable Automatic Updates by selecting: Control Panel>>Automatic Updates. For Windows XP: select Control Panel>>System>>Automatic Updates tab., checkAutoUpdateStatus.String.6...
  • Page 211 End-user Access Table 9: Default Test Names and Descriptions (continued) Test name Description checkIEVersion.String.2 Internet Explorer version %s is acceptable., checkIEVersion.String.3 The required Internet Explorer browser was not found or is not current. Install the latest version., checkMicrosoftOfficeMacroSecurityLevel.String.1 The office_program and the security_level_required parameters are required., checkMicrosoftOfficeMacroSecurityLevel.String.2 The specified office_program or...
  • Page 212 End-user Access Table 9: Default Test Names and Descriptions (continued) Test name Description checkServicesNotAllowed.String.2 The following services are not allowed: %s. Stop the service by selecting Control Panel>>Administrative Tools (located in the Performance and Maintenance category folder)>>Services application>>right-click on the service and select properties.
  • Page 213 End-user Access Table 9: Default Test Names and Descriptions (continued) Test name Description checkWindowsSecurityPolicy.String.2 An unsupported operating system was encountered., checkWindowsSecurityPolicy.String.3 The OS is not relevant to this test., checkWindowsSecurityPolicy.String.4 The security setting required parameter '%s' is invalid, checkWindowsSecurityPolicy.String.5 The following Windows security policies are configured incorrectly: %s.
  • Page 214 End-user Access
  • Page 215: Chapter 6: Nac Policies

    NAC Policies NAC policies are collections of tests that evaluate remote endpoints attempting to connect to your network. You can use the standard tests installed with Sentriant AG, or you can create your own custom tests. NOTE The default NAC policy is indicated by the check mark on the icon to the left of the NAC policy name. See “Selecting the Default NAC Policy”...
  • Page 216: Standard Nac Policies

    NAC Policies The following figure shows the legend explaining the NAC policies icons: Figure 123: NAC Policies Window Legend Standard NAC Policies Sentriant AG ships with three standard NAC policies: High security ● Low security ● Medium security ● NAC policies are organized in groups. Groups include the clusters defined for your system, a Default group, and any other groups you create.
  • Page 217: Editing A Nac Policy Group

    NAC Policies 1 Click Add an NAC policy group. The Add NAC policy group window opens: Figure 124: Add NAC Policy Group 2 Type a name for the group in the Name of NAC policy group text box. 3 Optional: Select the check box next to any NAC policy to move to this group. 4 Optional: Select the check box next to any cluster to move to this group.
  • Page 218: Deleting A Nac Policy Group

    NAC Policies 1 Click on an existing NAC policy group name (for example, Default). The NAC policy group window opens. Figure 125: Edit NAC Policy Group 2 Make any changes required. See “Add a NAC Policy Group” on page 216 for details on NAC policy group options.
  • Page 219: Nac Policy Tasks

    NAC Policies NAC Policy Tasks Enabling or Disabling an NAC Policy Select which NAC policies are enabled or disabled. To enable/disable a NAC policy: Home window>>NAC policies Click on the enable or disable link. An X indicates disabled. Selecting the Default NAC Policy To select the default NAC policy: Home window>>NAC policies Click on the up or down arrow to move the NAC policy.
  • Page 220: Figure 127: Add A Nac Policy, Basic Settings Area

    NAC Policies 1 Click Add a NAC policy. The Add NAC policy window opens as shown in the following figure: Figure 127: Add a NAC Policy, Basic Settings Area 2 Enter a policy name. 3 Enter a description in the Description text box. 4 Select a NAC policy group.
  • Page 221 NAC Policies All other unsupported OSs ■ NOTE In DHCP mode, if an endpoint with an unsupported OS already has a DHCP-assigned IP address, Sentriant AG cannot affect this endpoint in any way until the lease on the existing IP address for that endpoint expires. If an endpoint with an unsupported OS has a static IP address, Sentriant AG cannot affect this endpoint in any way.
  • Page 222: Figure 128: Add A Nac Policy, Domains And Endpoints

    NAC Policies 9 Click the Domains and endpoints menu option to open the Domains and endpoints window, shown in the following figure: Figure 128: Add a NAC Policy, Domains and Endpoints 10 Click on a cluster name. 11 Enter the names of Windows domains to be tested by this cluster for this NAC policy, separated by a carriage return.
  • Page 223 NAC Policies NOTE You can leave the Domains and Endpoints areas blank if you do not want to assign domains and endpoints to this policy. NOTE Hover the mouse cursor over the question mark (?) by the word Endpoints, then click on the CIDR notation link to see the CIDR conversion table pop-up window.
  • Page 224: Figure 129: Add Nac Policy, Tests Area

    NAC Policies 13 Click the Tests menu option to open the Tests window: Figure 129: Add NAC Policy, Tests Area
  • Page 225: Editing A Nac Policy

    NAC Policies NOTE The icons to the right of the tests indicate the test failure actions. See “Test Icons” on page 232. 14 Select a test to include in the NAC policy by clicking on the check box next to the test name. 15 Select a test by clicking on the test name to view the properties.
  • Page 226: Deleting A Nac Policy

    NAC Policies Deleting a NAC Policy To delete an existing NAC policy: Home window>>NAC policies 1 Click the delete link to the right of the NAC policy you want to delete. A confirmation window appears. 2 Click yes. Moving a NAC Policy Between NAC Policy Groups To move a NAC policy between NAC policy groups: Home window>>NAC policies 1 To open the NAC policies window, click a NAC policy name.
  • Page 227: Nac Policy Hierarchy

    NAC Policies NOTE Adding an endpoint or domain to multiple policies results in the endpoint being assigned to the first enabled NAC policy in the list. NAC Policy Hierarchy If an endpoint is listed in more than one NAC policy, the order of use is as alphabetical by name of NAC policy (not including the default NAC policy).
  • Page 228: Defining Non-Supported Os Access Settings

    NAC Policies NOTE A lower number ensures higher security. 2 Click ok. Defining Non-supported OS Access Settings To define what actions to take for endpoints with non-supported operating systems: Home window>>NAC policies>>Select a NAC Policy>>Basic settings area 1 In the Operating systems area, select the check box beside any operating system that you will allow access without being tested.
  • Page 229 NAC Policies To select the action to take: Home window>>NAC policies>>Select a NAC Policy>>Tests menu option 1 Click on the name of test to display the test’s options. NOTE Click a test name to display the options; select the test check box to enable the test for the policy you are modifying.
  • Page 230: About Sentriant Ag Tests

    NAC Policies About Sentriant AG Tests Sentriant AG tests are assigned to NAC policies. NAC policies are used to test endpoints attempting to connect to your network. Sentriant AG tests might be updated as often as hourly; however, at the time of this release, the tests shown in “Tests Help”...
  • Page 231: Entering Service Names Required/Not Allowed

    NAC Policies To find the software registry keys on the endpoint: 1 Select Start>>Run 2 Type: regedit 3 Click OK. 4 Expand the HKEY_LOCAL_MACHINE key. 5 Expand the SOFTWARE key. 6 View the sub-trees for the various vendors' software and versions. NOTE If you’re looking for a registry key, you enter a trailing slash.
  • Page 232: Test Icons

    NAC Policies 2 For Internet Explorer on Windows XP and Windows 2003: a Clear the Check For Internet Explorer for Windows XP and Windows 2003 [6.0.2900.2180] check box. b Type a version number in the text entry field. 3 For Internet Explorer on Windows 2000: a Clear the Check For Internet Explorer for Windows 2000 [6.0.2800.1106] check box.
  • Page 233: Chapter 7: Quarantined Networks

    Quarantined Networks This chapter describes the following general Sentriant AG quarantine information: “Endpoint Quarantine Precedence” on page 233 ● “Using Ports in Accessible Services and Endpoints” on page 234 ● “Always Granting Access to an Endpoint” on page 236 ● “Always Quarantining an Endpoint”...
  • Page 234: Using Ports In Accessible Services And Endpoints

    Quarantined Networks Have been designated Whitelist (System configuration>>Exceptions) ● Are defined in NAC policies and have passed tests ● Use Temporarily grant access for to allow temporary access to endpoints that: ■ Have been designated Blacklist (System configuration>>Exceptions). ● Are defined in NAC policies and have failed tests ●...
  • Page 235: Figure 131: System Configuration, Accessible Services

    Quarantined Networks The following figure shows the Accessible services window: Figure 131: System Configuration, Accessible Services In order to grant access for quarantined endpoints to needed services, add entries to the Accessible services list. For inline enforcement mode, enter the IP addresses of the servers that provide the services.
  • Page 236: Always Granting Access To An Endpoint

    Quarantined Networks NOTE Enter a range of ports as follows: 10.0.16.100:53:65 Always Granting Access to an Endpoint To always grant access to an endpoint without testing: Home window>>System configuration>>Exceptions The following figure shows the Exceptions window. Figure 132: System Configuration, Exceptions 1 In the Whitelist area: a In the Endpoints area, enter one or more MAC addresses, IP addresses, or NetBIOS names separated by carriage returns.
  • Page 237: Always Quarantining An Endpoint

    Quarantined Networks 2 Click ok. CAUTION If you enter the same endpoint for both options in the Endpoint testing exceptions area, the Allow access without testing option is used. CAUTION Please read “Untestable Endpoints and DHCP Mode” on page 238 so that you fully understand the ramifications of allowing untested endpoints on your network.
  • Page 238: Shared Resources

    Quarantined Networks 802.1X mode—An endpoint attempts to connect to the network. The end-user’s identity is verified ● via an authentication server. If the endpoint is not authenticated, it is quarantined (allowed access to a limited VLAN). If the endpoint is authenticated, it is tested by Sentriant AG. If the endpoint fails the Sentriant AG testing, it is quarantined (allowed access to a limited VLAN).
  • Page 239: Windows Domain Authentication And Quarantined Endpoints

    Quarantined Networks the initial login process. Once the lease expires (in at most three minutes), a new IP address (the non-quarantined IP address) can be assigned and access is actually granted. To define access settings for non-supported operating systems, see “Defining Non-supported OS Access Settings”...
  • Page 240 Quarantined Networks
  • Page 241: Chapter 8: High Availability And Load Balancing

    High Availability and Load Balancing High Availability High availability occurs when one or more ESs takes over for an ES that has become unavailable in a multiple-server installation. Once an ES becomes unavailable, the other ESs take over enforcement from the ES that is now unavailable.
  • Page 242: Figure 133: Inline Installations

    High Availability and Load Balancing unavailable, the switch reconnects so that there is always a path from the VPN to an ES. All of the ES firewalls continuously stay in sync with each other. Figure 133: Inline Installations
  • Page 243: Figure 134: Dhcp Installation

    High Availability and Load Balancing Figure 134: DHCP Installation
  • Page 244: Figure 135: 802.1X Installation

    High Availability and Load Balancing Figure 135: 802.1X Installation
  • Page 245: Load Balancing

    High Availability and Load Balancing Load Balancing Load balancing distributes the testing of endpoints across all Sentriant AG ESs in a cluster. Sentriant AG uses a hashing algorithm based on MAC or IP addresses to divide the endpoints between the ESs. If the MAC address is unavailable (untestable endpoint) the IP address is used to determine which ES should test an endpoint.
  • Page 246 High Availability and Load Balancing
  • Page 247: Chapter 9: Inline Quarantine Method

    Inline Quarantine Method Inline is the most basic Sentriant AG installation. When deploying Sentriant AG inline, Sentriant AG monitors and enforces all endpoint traffic. Sentriant AG allows endpoints to access the network or blocks endpoints from accessing the network based on their Internet Protocol (IP) address with a built-in firewall (iptables).
  • Page 248: Figure 136: Inline Installations

    Inline Quarantine Method Figure 136: Inline Installations NOTE You can install Sentriant AG at any “choke point” in your network; a VPN is not required.
  • Page 249: Chapter 10: Dhcp Quarantine Method

    DHCP Quarantine Method When configured with a Dynamic Host Configuration Protocol (DHCP) quarantine area, all endpoints requesting a DHCP IP address are issued a temporary address on a quarantine subnetwork. Once the endpoint is allowed access, the IP address is renewed and the main DHCP server assigns an address to the main LAN.
  • Page 250: Configuring Sentriant Ag For Dhcp

    See the Sentriant AG Installation Guide for more information on installing Sentriant AG in DHCP mode.
    Figure 137: DHCP Installation
    Configuring Sentriant AG for DHCP
    The primary configuration required for using Sentriant AG and DHCP is setting up the quarantine area (see “Setting up a Quarantine Area”...
  • Page 251: Setting Up A Quarantine Area

    ● Action to take for failed tests (see “Selecting Action Taken” on page 228)
    ● DHCP quarantine options:
      ■ Router Access Control List (ACL) settings (see “Configuring the Router ACLs” on page 251).
      ■ Static routes assigned to the endpoint (see “Adding a DHCP Quarantine Area”...
  • Page 252

    error is displayed once the user clicks on the Express or Custom download buttons that invoke the WU client software. Short of a Microsoft fix, the only way to update XP SP2 endpoints in quarantine is to deploy a local update server (such as Microsoft's free Windows Server Update Services, WSUS -- see http://www.microsoft.com/technet/windowsserver/wsus/default.mspx) and make sure that this server is listed in Accessible Services and Devices...
  • Page 253: Chapter 11: 802.1X Quarantine Method

    802.1X Quarantine Method
    About 802.1X
    802.1X is a port-based authentication protocol that can dynamically vary encryption keys, and has three components as follows:
    ● Supplicant—The client; the endpoint that wants to access the network.
    ● Authenticator—The access point, such as a switch, that prevents access when authentication fails.
    ● ...
  • Page 254: Sentriant Ag And 802.1X

    7 The AP (authenticator) allows or blocks the client’s (supplicant’s) access to the network by controlling which ports are open or closed.
    Figure 138: 802.1X Components
    Sentriant AG and 802.1X
    When configured as 802.1X-enabled, Sentriant AG can be installed with three different configurations depending on your network environment:
    ● Microsoft IAS and Sentriant AG IAS Plug-in
    ● ...
  • Page 255

    requests. On successful authentication, when the end RADIUS server returns the proxied request, Sentriant AG overrides the RADIUS attributes that tell the switch which VLAN to place the endpoint in, if necessary. Sentriant AG then returns the authentication results to the switch.
    ● Using the built-in Sentriant AG RADIUS server
    ● ...
  • Page 256: Figure 139: Sentriant Ag 802.1X Enforcement

    Figure 139: Sentriant AG 802.1X Enforcement
  • Page 257: Figure 140: 802.1X Communications

    Figure 140: 802.1X Communications
  • Page 258: Setting Up The 802.1X Components

    Setting up the 802.1X Components
    In order to use Sentriant AG in an 802.1X environment, Extreme Networks, Inc. recommends configuring your environment first, then installing and configuring Sentriant AG. This section provides instructions for the following:
    ● “Setting up the RADIUS Server” on page 258
    ● ...
  • Page 259: Figure 141: Windows Components Wizard

    ● A Windows NT domain
    ● The local Security Accounts Manager (SAM)
    To add IAS to the Windows Server 2003 installation:
    Windows desktop>>Start>>Settings>>Control Panel>>Add or remove programs
    1 In the left column, click Add/Remove Windows Components. The Windows Components Wizard window appears, as shown in the following figure.
  • Page 260: Configuring The Microsoft Ias Radius Server

    5 Click OK.
    6 Click Next.
    7 Click Finish.
    8 Install any IAS and 802.1X updates that are available.
    http://www.microsoft.com/downloads/search.aspx?displaylang=en
    Configuring the Microsoft IAS RADIUS Server
    For an explanation of how the components communicate, see “Sentriant AG and 802.1X” on page 254.
  • Page 261: Figure 144: Ias, Properties Option

    b Select Properties (Figure 144). The Properties window appears (Figure 145).
    Figure 144: IAS, Properties Option
    Figure 145: IAS, Properties
    c General tab—
      1) Enter a descriptive name in the Server Description text box. For example,
      2) Select the Rejected authentication requests check box.
      3) Select the Successful authentication requests check box.
  • Page 262: Figure 146: Ias, New Client, Name And Address

      2) Enter the accounting port numbers in the Accounting text box. The accounting port (1813) is used to track the user’s network use.
    e Click OK.
    5 Define the authenticators that use this RADIUS server for authentication.
    a Right-click on RADIUS Clients.
  • Page 263: Figure 147: Ias, New Client, Additional Information

    e Click Next.
    Figure 147: IAS, New Client, Additional Information
    f Select RADIUS Standard from the Client Vendor drop-down list.
    g Enter a password in the Shared secret text box. This password also needs to be entered when you configure the authenticator.
  • Page 264: Figure 148: Ias, New Remote Access Policy

    c Click Next. The New Remote Access Policy Wizard window appears:
    Figure 148: IAS, New Remote Access Policy
    d Select the Use the wizard radio button.
    e Enter a meaningful name in the Policy Name text field. Click Next.
  • Page 265: Figure 150: Ias, Remote Access Policy, Group Access

    h Click Next.
    Figure 150: IAS, Remote Access Policy, Group Access
    You can configure your Access policy by user or group. This example uses the group method.
    i Select the Group radio button.
    j Click Add. The Select Groups pop-up window appears:
    Figure 151: IAS, Remote Access Policy, Find Group
  • Page 266: Figure 152: Remote Access Policy, Select Group

    k Click Advanced.
    Figure 152: Remote Access Policy, Select Group
    l Click Find Now to populate the Search Results area.
    m Select Domain Guests.
    n Click OK.
    o Click OK.
    p Click Next.
    Figure 153: IAS, Remote Access Policy, Authentication Method
  • Page 267

    NOTE
    If you choose PEAP as your authentication mechanism in step q, see step 8 before completing step r. Adding a certificate, if your server does not already have one, and configuring PEAP is explained in step 8.
    q Select the EAP type from the drop-down list.
  • Page 268: Figure 154: Error Message

    9 To request a certificate from a Domain Certificate Authority:
    Figure 154: Error Message
    a Open the Microsoft management console by choosing Start>>Run and entering
    b Choose File>>Add/Remove Snap-in.
    c Click Add.
    d Choose the certificates snap-in and click Add.
    e Select Computer account and click Next.
  • Page 269: Figure 155: Protected Eap Properties

    template snap-in, right-click on the template, select properties, and change the permissions for your user) on the certificate authority. The Computer or RAS and IAS templates both work.
    k Once the certificate is granted by the certificate authority, return to the IAS policy editor to continue the setup.
  • Page 270: Figure 156: Iap, Remote Access Policy, Properties

    10 Configure the new Remote Access Policy.
    Figure 156: IAP, Remote Access Policy, Properties
    a Select Remote Access Policies.
    b In the right pane, right-click the new policy name and select Properties. The Guest Policy Properties window appears:
    Figure 157: IAS, Remote Access Policy, Configure
    c Click Edit Profile.
  • Page 271: Figure 158: Ias, Remote Access Policy, Add Attribute

    NOTE
    The attributes you select might be different for different switch types. Contact Extreme Networks, Inc. Technical Assistance Center (TAC) at (800) 998-2408 or support@extremenetworks.com if you would like assistance.
    a) Click Add.
    Figure 158: IAS, Remote Access Policy, Add Attribute
    b) Select Tunnel-Medium-Type.
  • Page 272

    n) Select Tunnel-Type. (Adding the third of the three attributes.)
    o) Click Add.
    p) Click Add again on the next window.
    q) From the Attribute value drop-down list, select Virtual LANs (VLAN).
    r) Click OK.
    s) Click OK.
    t) Click OK.
  • Page 273: Figure 159: Ias, Remote Access Logging Properties

    c Select Properties. The Local File Properties window appears:
    Figure 159: IAS, Remote Access Logging Properties
    d Settings tab—Select any of the request and status options you are interested in logging.
    e Log file tab—
      1) In the Format area, select the IAS radio button.
      2) In the Create a new log file area, select a frequency, such as Daily.
  • Page 274: Figure 160: Sentriant Ag-To-Ias Connector

    NOTE
    If you have an existing Sentriant AG v4.1 certificate (compliance.keystore.cer), you need to replace it with the v5.2 certificate.
    Figure 160: Sentriant AG-to-IAS Connector
    a Copy the following Sentriant AG IAS Connector files from the Sentriant AG CD-ROM to the directory on your Windows Server 2003 machine.
  • Page 275: Figure 161: Ias, Add/Remove Snap-In

      4) Click OK.
    Figure 161: IAS, Add/Remove Snap-in
      5) Select File>>Add/Remove Snap-in.
      6) Click Add.
    Figure 162: IAS, Add/Remove Snap-in, Certificates
      7) Select Certificates.
      8) Click Add.
      9) Select the Computer account radio button.
      10) Click Next.
      11) Select the Local computer: (the computer this console is running on) radio button.
  • Page 276: Figure 163: Ias, Import Certificate

      14) Click OK.
    Figure 163: IAS, Import Certificate
      15) Right-click on Console Root>>Certificates (Local Computer)>>Trusted Root Certificate Authorities.
      16) Select All tasks>>Import.
      17) Click Next.
      18) Click Browse and choose the certificate. The Sentriant AG server certificate (compliance.keystore.cer) is located on the CD-ROM.
      19) Click Next.
  • Page 277

    Unknown—The endpoint has not been tested.
    Infected—The endpoint failed the Worms, Virus, and Trojans test.
    To configure the response, edit the SAIASConnector.ini file. This file was copied from the CD in step a on page 274.
    b Enable the Authorization DLL file.
  • Page 278: Figure 164: Active Directory, Properties

      1) From the Windows Server 2003 machine, select Start>>Settings>>Control Panel>>Administrative Tools>>Active Directory Users and Computers.
    Figure 164: Active Directory, Properties
      2) Right-click on your directory name and select Properties.
      3) Select the Group Policy tab.
      4) Click Open.
      5) Right-click Default Domain Policy and select Edit (click OK if you get a global changes pop-up message).
  • Page 279

      10) Click OK.
      11) Close the Group Policy Object Editor window.
      12) Close the Group Policy Management window.
      13) Close the <Active Directory Name> Properties window.
    16 Create active directory user accounts.
    a From the Windows Server 2003 machine, select Start>>Settings>>Control Panel>>Administrative Tools>>Active Directory Users and Computers.
  • Page 280: Figure 166: Active Directory Users And Computers

    c Select the Users folder.
    Figure 166: Active Directory Users and Computers
    d Right-click a user name and select Properties. The Properties window appears:
    Figure 167: Active Directory, User Account Properties
    e Select the Dial-in tab.
  • Page 281: Proxying Radius Requests To An Existing Radius Server Using The Built-In Sentriant Ag Radius Server

    f In the Remote Access Permission area, select the Allow Access radio button.
    g Select the Account tab.
    h Verify that you are using Microsoft’s version of the challenge-handshake authentication protocol (CHAP), MSCHAPv2. If, for some reason, you cannot upgrade to MSCHAPv2 at this time, perform the following workaround for MSCHAPv1: In the Account options area, select the Store password using reversible encryption check box.
  • Page 282

    NOTE
    The realm NULL section must go after the realm LOCAL section, or you can comment out the realm LOCAL section.
    2 Configure your RADIUS server to allow the Sentriant AG IP address as a client with the shared secret specified in the previous step.
  • Page 283

    "QuarantineRadiusAttributes"
        Tunnel-Medium-Type := 6,
        Tunnel-Private-Group-ID := 15,
        Tunnel-Type := VLAN,
    "InfectedRadiusAttributes"
        Tunnel-Medium-Type := 6,
        Tunnel-Private-Group-ID := 15,
        Tunnel-Type := VLAN,
    "UnknownRadiusAttributes"
        Tunnel-Medium-Type := 6,
        Tunnel-Private-Group-ID := 5,
        Tunnel-Type := VLAN,
    # Use these attributes for Extreme switches
    #"HealthyRadiusAttributes"...
  • Page 284: Using The Built-In Sentriant Ag Radius Server For Authentication

    4 Test the RADIUS server proxy:
    radtest <user> <passwd> <radius-server[:port]> <nas-port-number> <secret>
    Using the Built-in Sentriant AG RADIUS Server for Authentication
    If you selected the Manual End-user authentication method in the Authentication settings area of the System configuration>>Quarantining>>802.1X window, configure Sentriant AG according to the instructions in this section.
  • Page 285: Setting Up The Supplicant

    1 In the Select a quarantine method area, select the 802.1X quarantine method radio button.
    Figure 168: Enabling 802.1X in the User Interface
    2 In 802.1X enforcement mode, the ESs must be able to watch DHCP conversations and detect endpoints by sniffing network traffic as it flows between the DHCP server and the endpoints.
  • Page 286: Windows Xp Professional Setup

    using Classic View. The instructions in this section assume you are using Classic View in both cases.
    Windows XP Professional Setup
    To enable a Windows XP Professional endpoint for 802.1X:
    Windows desktop>>Start>>Settings>>Network Connections
    1 Right-click on Local Area Connection.
    2 Select Properties.
  • Page 287: Windows Xp Home Setup

    5 Select the Authentication tab.
    Figure 170: Windows XP Pro Local Area Connection Properties, Authentication Tab
    6 Select the Enable IEEE 802.1X authentication for this network check box.
    7 Select an EAP type from the drop-down list. For this example, select MD5-Challenge.
  • Page 288: Windows 2000 Professional Setup

    b Close the Services window.
    2 Configure the network connections:
    Windows desktop>>Start>>Settings>>Control Panel>>Network Connections
    3 Right-click on Local Area Connection. Select Properties. The Local Area Connection window appears (Figure 169 on page 286).
    4 Select the General tab.
    5 Select the Show icon in notification area when connected check box.
  • Page 289: Figure 171: Windows 2000 Local Area Connection Properties, General Tab

    a Right-click on Local Area Connection. Select Properties. The Local Area Connection window appears.
    Figure 171: Windows 2000 Local Area Connection Properties, General Tab
    b Select the General tab.
    c Select the Show icon in taskbar when connected check box.
    d Select the Authentication tab.
  • Page 290: Windows Vista Setup

    IMPORTANT: This EAP type must match the EAP type selected in “Setting up the RADIUS Server”, step q on page 267.
    g Clear or select the Authenticate as computer when computer information is available check box. The choice is yours.
  • Page 291: Figure 174: Windows Vista Local Area Connection, Networking Tab

    d Click OK.
    e Close the Services window.
    2 Configure the network connections:
    Windows desktop>>Start>>Settings>>Network Connections
    3 Right-click on Local Area Connection.
    4 Select Properties. The Local Area Connection window appears:
    Figure 174: Windows Vista Local Area Connection, Networking Tab
  • Page 292: Setting Up The Authenticator

    5 Select the Authentication tab.
    Figure 175: Windows Vista Local Area Connection Properties, Authentication Tab
    6 Select the Enable IEEE 802.1X authentication check box.
    7 Select an EAP type from the Choose a network authentication method drop-down list. For this example, select Protected EAP (PEAP).
  • Page 293: Cisco® 2950 Ios

    ● “HP ProCurve 530AP” on page 297
    ● “HP ProCurve 3400/3500/5400” on page 299
    ● “Nortel® 5510” on page 299
    The lines that apply to 802.1X are shown in green italic text. Make sure that you add this information when configuring your switch.
  • Page 294: Enterasys® Matrix 1H582-25

    set feature dot1x-radius-keepalive disable
    #radius
    set radius server 172.17.20.150 auth-port 1812 primary
    set radius key mysecretpassword
    #module 2 : 48-port 10/100BaseTx Ethernet
    set port dot1x 2/15 port-control auto
    set port dot1x 2/17 port-control auto
    set port dot1x 2/18 port-control auto
    set port dot1x 2/19 port-control auto
    set port dot1x 2/15 re-authentication enable
    set port dot1x 2/17 re-authentication enable...
  • Page 295: Extremeware

    create vlan "Guest"
    create vlan "Temp"
    # RADIUS configuration
    enable radius
    configure radius primary shared-secret encrypted "ouzoisgprdr#s{fqa"
    configure radius primary server 10.10.100.10 1812 client-ip 10.10.100.1
    # Network Login Configuration
    configure vlan Temp dhcp-address-range 10.10.5.100 - 10.10.5.150
    configure vlan Temp dhcp-options default-gateway 10.10.5.1
    configure vlan Temp dhcp-options dns-server 10.10.100.11
    configure vlan Temp dhcp-options wins-server 10.10.100.10
    enable netlogin port 33 vlan Temp...
  • Page 296: Extremexos

    configure netlogin mac auth-retry-count 3
    configure netlogin mac reauth-period 1800
    ExtremeXOS
    create vlan "Quarantine"
    create vlan "Test"
    enable radius netlogin
    configure radius netlogin timeout 3
    configure radius-accounting netlogin timeout 3
    # Module netLogin configuration.
    configure netlogin vlan Test
    enable netlogin dot1x mac
    enable netlogin ports 1-8 dot1x
    configure netlogin dot1x timers server-timeout 30 quiet-period 60 reauth-period...
  • Page 297: Hp Procurve 420Ap

    sflow-forwarding
    interface ethernet 4
    dot1x port-control auto
    sflow-forwarding
    HP ProCurve 420AP
    This section shows how to configure the security settings on the 420AP so that user access may be controlled using Dynamic VLAN provisioning.
    HP ProCurve Access Point 420#configure
    HP ProCurve Access Point 420(config)#interface ethernet
    Enter Ethernet configuration commands, one per line.
  • Page 298

    ProCurve Access Point 530(ethernet)#management-vlan 200
    ProCurve Access Point 530(ethernet)#untagged-vlan 200
    ProCurve Access Point 530(radio1-wlan1)#ssid Enterprise530
    ProCurve Access Point 530(radio1-wlan1)#closed
    ProCurve Access Point 530(radio1-wlan1)#vlan 100
    ProCurve Access Point 530(radio1-wlan1)#security wpa-8021x
    ProCurve Access Point 530(radio1-wlan1)#radius primary ip <IP of RADIUS Server>
    The RADIUS shared secret key must also be set to enable communication between this device and the RADIUS server.
  • Page 299: Hp Procurve 3400/3500/5400

    ProCurve Access Point 530(config)#exit
    HP ProCurve 3400/3500/5400
    radius-server host 10.60.1.3 key hpsecret
    aaa accounting network start-stop radius
    aaa authentication port-access eap-radius
    aaa port-access authenticator 1-8
    aaa port-access authenticator 1-8 auth-vid 100
    aaa port-access authenticator 1-8 unauth-vid 101
    aaa port-access authenticator active
    Nortel®...
  • Page 300: Creating Custom Expect Scripts

    port-mirroring mode XrxOrXtx monitor-port 9 mirror-port-X 12
    Creating Custom Expect Scripts
    Expect is a tool that uses simple scripts to automate interactive applications. Sentriant AG utilizes expect scripts when communicating with 802.1X devices. You can add 802.1X devices in the Sentriant AG user interface (Home>>System configuration>>Quarantining menu option>>Add 802.1X device).
  • Page 301: Figure 177: Nortel Re-Authentication Script

    Figure 177: Nortel Re-authentication Script
    send interface FastEthernet ${PORT}
    expect (config-if)#
    send eapol re-authenticate
    expect (config-if)#
    send exit
    expect (config)#
    Figure 178: Nortel Exit Script
    send exit
    expect #
    send exit
    expect press <Return> or <Enter> to select option.
    send -noreturn l
    Expect Script Commands.
  • Page 302

    Table 10: Expect Script Commands and Parameters
    Command: send [OPTIONS] TEXT
    Description and parameters: Writes text to the connection output followed by a carriage return. OPTION is one of three optional parameters:
      • noreturn: Omits the carriage return.
      • ...
  • Page 303

    Escape Sequences. Special characters can be included by escaping them as "\XXX" where XXX is an octal value representing an ASCII character, or as "\uXXXX" where XXXX is a hexadecimal value representing a unicode character.
    Comments. Lines that start with the # character are ignored.
    Examples.
  • Page 304

    The following script works when any combination of Username and Password prompts appear (and thus also works with both telnet and SSH without needing to check which the user selected):
    Initialization script:
    expect -regex (Username:|Password:|>)
    send -ifmatched Username: ${USERNAME}
    expect -ifmatched Username: -regex (Password:|>)
    send -ifmatched Password: ${PASSWORD}
    expect -ifmatched Password: >...
  • Page 305: Chapter 12: Api

    Overview
    The Sentriant AG Application Programming Interface (API) is based on the Java Message Service (JMS). Sentriant AG ships with version 3.1 of the ActiveMQ JMS provider (http://activemq.apache.org/), an open source implementation of JMS. Sentriant AG API communication is illustrated in Figure 179, where:
    JMS Message Bus—Sentriant AG ships with the ActiveMQ Java Messaging Service (JMS).
  • Page 306: Setting Sentriant Ag Properties

    Figure 179: Sentriant AG API Communication
    Sentriant AG is continually testing endpoints that attempt to connect to your network and publishes information about those endpoints as Events to Topics. For example, an untestable endpoint attempts to connect; Sentriant AG quarantines the endpoint and publishes a DeviceChangeEvent to that topic.
    Setting Sentriant AG Properties
    Most Sentriant AG properties are set by default.
  • Page 307: Setting Firewall Rules

    ● Compliance.System.JMSProvider.UserName
    ● Compliance.System.JMSProvider.Password
    Test results are published when they happen.
    To change or set API properties:
    Sentriant AG MS command line window
    1 Create the XML file in the following directory with a text editor: /usr/local/nac/bin
    2 Edit any properties.
    3 Save and exit the file.
  • Page 308: Examples Of Events Generated

    Examples of Events Generated
    The following shows examples of information returned for generated events:
    -------------------------------------------------------------------------
    <MNMDeviceChangeEvent>
      <device>
        <uniqueId>5928e8f98d4ce49c6c03529ca4325b5e</uniqueId>
        <ip>10.1.13.29</ip>
        <mac>00:11:43:4F:15:D6</mac>
        <netbiosName>SSLJDOE</netbiosName>
        <domainName>MyCompany</domainName>
        <userName>administrator</userName>
        <loggedOnUser>administrator</loggedOnUser>
        <os>Windows</os>
        <osDetails>XP SP2</osDetails>
        <policyId>LowSecurity</policyId>
        <lastTestTime>1157042366000</lastTestTime>
        <lastTestStatusId>PASSED</lastTestStatusId>
        <gracePeriod>-1</gracePeriod>
        <gracePeriodStart>0</gracePeriodStart>
        <createTime>1156536669000</createTime>
        <lastActivityTime>1157045939456</lastActivityTime>
        <lastConnectTime>1157044195000</lastConnectTime>
        <lastDisconnectTime>0</lastDisconnectTime>
        <postureToken>healthy</postureToken>
        <nodeId>b198ada2-06ce-4e30-bbb9-bcc11ffa777b</nodeId>
        <clusterId>5b227ee9-5085-4bbc-9c6f-dd57900eaa1f</clusterId>
        <accessStatusId>QUARANTINED_BY_POLICY</accessStatusId>
        <nextTestTime>1157049566000</nextTestTime>...
  • Page 309

        <gracePeriodStart>1157042301000</gracePeriodStart>
        <createTime>1157042283000</createTime>
        <lastActivityTime>1157046201262</lastActivityTime>
        <lastConnectTime>1157040486000</lastConnectTime>
        <lastDisconnectTime>0</lastDisconnectTime>
        <postureToken>checkup</postureToken>
        <nodeId>b198ada2-06ce-4e30-bbb9-bcc11ffa777b</nodeId>
        <clusterId>5b227ee9-5085-4bbc-9c6f-dd57900eaa1f</clusterId>
        <accessStatusId>ALLOWED_BY_POLICY</accessStatusId>
        <nextTestTime>1157053406845</nextTestTime>
        <nadPort></nadPort>
        <nadIP></nadIP>
        <sessionAccess>-1</sessionAccess>
        <sessionAccessEnd>0</sessionAccessEnd>
        <otherDeviceProperties>
          <entry>
            <string>OS</string>
            <string>Windows</string>
          </entry>
        </otherDeviceProperties>
        <lastUpdateTime>1157046206846</lastUpdateTime>
        <testingMethod>AGENTLESS</testingMethod>
      </device>
      <testResults>
        <TestResultInfo>
          <timestamp>1157046206801</timestamp>
          <gracePeriod>604800</gracePeriod>
          <testName>Windows 2000 hotfixes</testName>
          <testClass>Check2000HotFixes</testClass>
          <testModule>check2000HotFixes</testModule>
          <testGroup>OperatingSystem</testGroup>
          <actionsTaken>access allowed, temporary access period continuing from 8/31/06 10:38 AM, email not sent</actionsTaken>...
  • Page 310: Java Program And Command For Events

          <previousResultCode>pass</previousResultCode>
        </TestResultInfo>
        <TestResultInfo>
          <timestamp>1157046206801</timestamp>
          <gracePeriod>0</gracePeriod>
          <testName>Worms, viruses, and trojans</testName>
          <testClass>CheckWormsVirusesAndTrojans</testClass>
          <testModule>checkWormsVirusesAndTrojans</testModule>
          <testGroup>Software</testGroup>
          <actionsTaken>none</actionsTaken>
          <debugInfo>None</debugInfo>
          <severity>1</severity>
          <statusCode>1</statusCode>
          <resultCode>pass</resultCode>
          <resultMessage>No worms, viruses or trojans were found.</resultMessage>
          <policyId>LowSecurity</policyId>
          <mostSeriousInRun>false</mostSeriousInRun>
          <previousResultCode>pass</previousResultCode>
        </TestResultInfo>
      </testResults>
      <ip>10.1.70.101</ip>
      <id>b198ada2-06ce-4e30-bbb9-bcc11ffa777b</id>
      <originalTimeStamp>1157046206882</originalTimeStamp>
    </MNMDeviceTestedEvent>
    -------------------------------------------------------------------------
    Java Program and Command for Events
    Sentriant AG ships with a sample shell script that invokes Java code that can be used to listen for JMS events.
  • Page 311: Examples Of Requests

    ● PutDeviceInfo—Sets endpoint properties
    Examples of Requests
    The following shows examples of information for requests supported:
    ------------------------------------------------------------------------
    <TemporarilyAllowAccessRequest>
      <requestParameters>
        <entry>
          <string>DURATION</string>
          <int>24</int>
        </entry>
        <entry>
          <string>DEVICE_LIST</string>
          <list>
            <DeviceType>
              <ip>192.168.1.128</ip>
            </DeviceType>
          </list>
        </entry>
      </requestParameters>
    </TemporarilyAllowAccessRequest>
    <TemporarilyDenyAccessRequest>
      <requestParameters>
        <entry>
          <string>DURATION</string>
          <int>24</int>
        </entry>
        <entry>...
  • Page 312

      <requestParameters>
        <entry>
          <string>DEVICE_LIST</string>
          <list>
            <DeviceType>
              <ip>192.168.1.128</ip>
            </DeviceType>
          </list>
        </entry>
      </requestParameters>
    </DeviceInfoRequest>
    <PutDeviceInfoRequest>
      <requestParameters>
        <entry>
          <string>DEVICE_LIST</string>
          <list>
            <DeviceType>
              <ip>192.168.1.128</ip>
              <otherDeviceProperties>
                <entry>
                  <string>key1</string>
                  <string>value1</string>
                </entry>
                <entry>
                  <string>key2</string>
                  <string>value2</string>
                </entry>
              </otherDeviceProperties>
            </DeviceType>
          </list>
        </entry>
      </requestParameters>
    </PutDeviceInfoRequest>
    -------------------------------------------------------------
    The DeviceInfoRequest command replies with output that includes a special XML file as NacResponse...
  • Page 313: Post-Connect Request Example

        <gracePeriod>0</gracePeriod>
        <gracePeriodStart>0</gracePeriodStart>
        <createTime>1186594414243</createTime>
        <lastActivityTime>1186603364486</lastActivityTime>
        <lastConnectTime>1186594301738</lastConnectTime>
        <lastDisconnectTime>0</lastDisconnectTime>
        <postureToken>unknown</postureToken>
        <nodeId>158251f6-2ce8-4d34-b9e8-d724c175d34a</nodeId>
        <clusterId>4e193379-a492-4fd8-a31c-37e722b14449</clusterId>
        <accessStatusId>QUARANTINED_BY_POLICY</accessStatusId>
        <nextTestTime>1186597121116</nextTestTime>
        <nadPort/>
        <nadPortId/>
        <nadIP/>
        <nadUser/>
        <sessionAccess>-1</sessionAccess>
        <sessionAccessEnd>0</sessionAccessEnd>
        <otherDeviceProperties>
          <entry>
            <string>key1</string>
            <string>value1</string>
          </entry>
          <entry>
            <string>OS</string>
            <string>Windows XP SP1+, 2000 SP3</string>
          </entry>
          <entry>
            <string>key2</string>
            <string>value2</string>
          </entry>
        </otherDeviceProperties>
        <lastUpdateTime>1186603474724</lastUpdateTime>
        <testingMethod>NONE</testingMethod>
        <expectingIpTransitionStartTime>-1</expectingIpTransitionStartTime>
        <expectingIpTransitionEndTime>-1</expectingIpTransitionEndTime>
        <expectingIpTransition>false</expectingIpTransition>
        <lastFetchUniqueIdTime>0</lastFetchUniqueIdTime>...
  • Page 314: Java Program And Command For Requests

    <TemporarilyDenyAccessRequest>
      <requestParameters>
        <entry>
          <string>DURATION</string>
          <int>10</int>
        </entry>
        <entry>
          <string>EXTERNAL_QUARANTINE_PRODUCT_ID</string>
          <string>StrataGuard</string>
        </entry>
        <entry>
          <string>EXTERNAL_QUARANTINE_INSTANCE_NAME</string>
          <string>Warehouse Monitor</string>
        </entry>
        <entry>
          <string>EXTERNAL_QUARANTINE_REASONS</string>
          <list>
            <string>WEB-CLIENT Microsoft ANI file parsing overflow</string>
            <string>DOS Ipswitch WS_FTP log server long unicode string</string>
          </list>
        </entry>
        <entry>
          <string>DEVICE_LIST</string>
          <list>
            <DeviceType>
              <ip>10.1.102.2</ip>
            </DeviceType>
          </list>...
  • Page 315: Chapter 13: Remote Device Activity Capture

    Remote Device Activity Capture
    This section describes two ways to achieve Remote Device Activity Capture (RDAC):
    ● Creating a DAC host
    ● Using the Infoblox connector
    Creating a DAC Host
    Sentriant AG auto-discovers endpoints on your network so that the testing and transition from quarantine to non-quarantine areas happens quickly and smoothly after an endpoint is booted up.
  • Page 316: Downloading The Exe File

    First, download the executable file to your Windows server, then run the installer to install the first interface. For this release, if you want to add additional interfaces, you must install them manually. A future release will expand the options in the installer to include multiple interfaces. Add any additional interfaces and start the service.
  • Page 317: Figure 180: The Dac Installshield Wizard Welcome Window

    Figure 180: The DAC InstallShield Wizard Welcome Window
    3 Click Next. The Setup Type window appears:
    Figure 181: RDAC Installer, Setup Type
    4 Select Complete to install the DAC software, the JavaJRE software, and the WinPcap software. If you already have JavaJRE or WinPcap installed, select Custom.
  • Page 318: Figure 182: Rdac Installer, Choose Destination Location

    5 Click Next. The Choose Destination Location window appears:
    Figure 182: RDAC Installer, Choose Destination Location
    6 In most cases, you should accept the default location. (Click Change to select a different location.) Click Next. The Confirm New Folder window appears:
    Figure 183: RDAC Installer, Confirm New Folder
  • Page 319: Figure 184: Rdac Installer, Select Features

    7 Click Yes. If you selected Custom in step 4 on page 317, the Select Features window appears; otherwise the NIC Selection window appears (Figure 185):
    Figure 184: RDAC Installer, Select Features
    8 Select the features to install. Click Next. The NIC Selection window appears:
    Figure 185: RDAC Installer, NIC Selection
  • Page 320: Figure 186: Rdac Installer, Tcp Port Filter Specification

    Remote Device Activity Capture 9 All of the interfaces installed on your Windows server are listed in this window. Select the one you want to use and click Next. The TCP Port Filter Specification window appears: Figure 186: RDAC Installer, TCP Port Filter Specification 10 In most cases you should accept the default entry.
  • Page 321: Figure 188: Rdac Installer, Ready To Install The Program

    Remote Device Activity Capture 11 Enter the IP address of the Enforcement Server (ES) to use. Click Next. The Ready to Install the Program window appears: Figure 188: RDAC Installer, Ready to Install the Program 12 Click Install. 13 If you selected Complete in step 4 on page 317, the InstallShield Wizard launches the Java installer first and then the WinPcap installer.
  • Page 322: Figure 189: Rdac Installer, Installshield Wizard Complete

    Remote Device Activity Capture When the installation is complete, the InstallShield Wizard Complete window appears: Figure 189: RDAC Installer, InstallShield Wizard Complete 14 The following folders and files are created: VERSION, InstallSSDAC.bat, rdac, SSDAC.bat, UninstallSSDAC.bat, wrapper.exe, conf, wrapper.conf, ...
  • Page 323: Adding Additional Interfaces

    Remote Device Activity Capture Adding Additional Interfaces For this release, if you want to add additional interfaces, you must install them manually. A future release will expand the options in the installer to include multiple interfaces. To add additional interfaces to the DAC host: Windows server 1 Open the file with a text editor.
  • Page 324: Configuring The Ms And Es For Dac

    Remote Device Activity Capture 2 Perform the steps detailed in “Configuring the MS and ES for DAC” on page 324. 3 Go to “Starting the Windows Service”. Configuring the MS and ES for DAC 1 Create a keystore file containing a unique key, signed certificate, and a CA certificate that is required for SSL communication.
  • Page 325: Starting The Windows Service

    Remote Device Activity Capture 1 Open the DAC/conf/wrapper.conf file with a text editor. a Locate the Application Parameters section in the wrapper.conf file. You will see a list of entries like the following: wrapper.app.parameter.X, where X is the numerical value representing the order in which the parameter will be added to the command.
  • Page 326: Viewing Version Information

    Remote Device Activity Capture 1 Select Start>>Settings>>Control Panel>>Administrative Tools>>Services. The Services window appears: Figure 191: NAC Endpoint Activity Capture Service 2 Right-click on the NAC Endpoint Activity Capture service and select Start. The service is set to automatic start at the next reboot by default. Viewing Version Information To view version information: Windows server...
  • Page 327: Figure 192: Rdac Uninstall Complete

    Remote Device Activity Capture 1 Select Start>>Settings>>Control Panel>>Add or Remove Programs. 2 Click once on the DAC listing. 3 Click Remove. 4 Click Yes when asked if you want to completely remove the application and features. When the uninstallation is complete, the Uninstall Complete window appears: Figure 192: RDAC Uninstall Complete 5 Select one of the options and click Finish.
  • Page 328: Sentriant Ag To Infoblox Connector

    Remote Device Activity Capture 1 Select Start>>Settings>>Control Panel>>Add or Remove Programs. 2 Click once on the WinPcap listing. 3 Click Remove. 4 Click Yes when asked if you want to completely remove the application and features. When the uninstallation is complete, the Uninstall Complete window appears: 5 Select one of the options and click Finish.
  • Page 329

    Remote Device Activity Capture 1 In the Quarantine method area, select the 802.1X radio button. 2 In the Basic 802.1X settings area, select the remote Endpoint detection location radio button. 3 Click ok. Command line window NOTE Perform the following steps on each ES in your system. 4 Log in as root to the Sentriant AG ES using SSH or directly with a keyboard.
  • Page 330

    Remote Device Activity Capture e Save and exit the file. Enter the following at the command line to restart the service: service syslog-ng restart 7 Add the iptables firewall rule to allow this syslog traffic: a Stop iptables by entering the following at the command line:
    service nac-es stop
    fw_control stop
    b Open the following file with a text editor such as...
  • Page 331: Chapter 14: Reports

    Reports Sentriant AG generates the following types of reports:
    Table 11: Report Types and Fields
    Report: NAC policy results. Description: Lists each NAC policy and the last pass/fail policy results. Report columns: policy name, test status, # of times, ...
  • Page 332: Generating Reports

    Reports Table 11: Report Types and Fields (continued)
    Report: Test results by IP address. Description: Lists the number of tests that passed or failed for each IP address. Report columns: ip address, cluster, netbios, user, test status, ...
  • Page 333: Figure 193: Reports

    Reports The following figure shows the Reports window. Figure 193: Reports 1 In the Report drop-down list, select the report to run. 2 Select the Report period. 3 Select the Rows per page. 4 In the Endpoint search criteria area, select any of the following options to use for filtering the report: a Cluster b Endpoint NetBIOS...
  • Page 334: Viewing Report Details

    Reports 5 Select Generate report. After a short period of time the compiled report is displayed in a separate browser window. The following figure shows an example report. Figure 194: NAC Policy Results Report CAUTION The reports capability uses pop-up windows; if you have blocked pop-up windows in your browser, you will not be able to view reports.
  • Page 335: Figure 195: Test Details Report

    Reports Figure 195: Test Details Report
  • Page 336: Printing Reports

    Reports Printing Reports To print a report: Home window>>Reports 1 Select the options for the report you want to run. 2 Click Generate report. 3 Select Print. 4 Select the printer options and properties. 5 Select Print. Saving Reports to a File To save a report: Home window>>Reports 1 Select the options for the report you want to run.
  • Page 337

    Reports 6 Click Save. This creates a standalone file that retains all of its graphics and formatting. 7 To print, you might need to reduce the border sizes in the File>>Page Setup dialog box for the report to print correctly.
  • Page 339: Chapter 15: Dhcp Plug-In

    DHCP Plug-in The Dynamic Host Configuration Protocol (DHCP) plug-in is an optional feature that allows you to use one or more DHCP servers (without an installation of Sentriant AG in front of each DHCP server) as shown in the following figure: Figure 196: DHCP Plug-in The DHCP plug-in is a Microsoft DHCP plug-in that utilizes the Microsoft DHCP Server Callout Application Programming Interface (API).
  • Page 340: Installation Overview

    DHCP Plug-in
    ● If the DHCP server cannot communicate with Sentriant AG at any time, the DHCP server goes into an allow all or deny all state, depending on the failopen parameter setting in the C:\WINDOWS\SYSTEM32\DHCP\config.xml file (true = allow all, false = deny all).
    ● Sentriant AG attempts to connect to known DHCP servers on start-up, and continuously attempts to...
  • Page 341: Table 12: Dhcp Plug-In Configuration File Values

    DHCP Plug-in 4 The DHCP Plug-in is configured using config.xml that resides on the Windows 2003 Server in C:\WINDOWS\SYSTEM32\DHCP\config.xml. Table 12 (in the Users Guide) shows options used in config.xml.
    Table 12: DHCP Plug-in Configuration File Values
    Group | Item | Description
    failopen | failopen=“true” | ...
  • Page 342: Dhcp Plug-In And The Sentriant Ag User Interface

    DHCP Plug-in
    <dhcpconnector>
      <listener failopen="true">
        <port>*:4433</port>
        <looprate>10</looprate>
      </listener>
      <certificates>
        <cadir />
        <certfile>c:\windows\system32\dhcp\server.pem</certfile>
        <clientCN enforce="false">nac</clientCN>
      </certificates>
      <logging>
        <location>c:\windows\system32\dhcp\nac_DHCP.log</location>
        <level>3</level>
        <maxsize>1024</maxsize>
      </logging>
    </dhcpconnector>
    DHCP Plug-in and the Sentriant AG User Interface In order to use the DHCP plug-in, you need to select DHCP as the quarantine (enforcement) method, select the DHCP servers using the DHCP plug-in check box, and add your DHCP servers.
  • Page 343: Figure 197: System Configuration, Quarantining, Dhcp

    DHCP Plug-in 2 Select the DHCP servers using the DHCP plug-in radio button. Figure 197: System Configuration, Quarantining, DHCP 3 Click download the DHCP plug-in. A Windows save window appears. 4 Browse to a location on the DHCP server you will remember and save the file. 5 On the DHCP server, navigate to the location of the saved file and double-click it.
  • Page 344: Figure 198: Dhcp Plug-In Installshield Wizard Window

    DHCP Plug-in 6 Double-click the *.exe installer file. The InstallShield Wizard starts. Figure 198: DHCP Plug-in InstallShield Wizard window 7 Click Next. The Customer Information window appears. Figure 199: DHCP Plug-in Customer Information window 8 Enter your User Name and Company Name.
  • Page 345: Enabling The Plug-In And Adding Servers

    DHCP Plug-in 9 Click Next. The Ready to Install the Program window appears. Figure 200: DHCP Plug-in Ready to Install the Program window 10 Click Install. The progress is displayed on a Status window. When installation is complete, the InstallShield Wizard Complete window appears. Figure 201: DHCP Plug-in InstallShield Wizard Complete window 11 Click Finish.
  • Page 346: Figure 202: Add Dhcp Plug-In Configuration

    DHCP Plug-in NOTE Changes made while one or more DHCP servers cannot be communicated with will be sent to those DHCP servers as soon as communication is re-established. 3 Select Add a DHCP plug-in configuration. The Add DHCP plug-in configuration window appears as shown in the following figure: Figure 202: Add DHCP Plug-in Configuration 4 Enter the IP address or host name of the DHCP server where the plug-in is to be installed in the...
  • Page 347: Viewing Dhcp Server Plug-In Status

    DHCP Plug-in 8 Click ok. The added DHCP server appears as shown in the following figure: Figure 203: DHCP Plug-in Server Added Example 9 Continue to add DHCP servers until you have added all of them. The possible DHCP server plug-in status states are shown in the following figure: Figure 204: DHCP Plug-in Legend NOTE...
  • Page 348: Editing Dhcp Server Plug-In Configurations

    DHCP Plug-in
    ● Home window>>System configuration>>Quarantining>>DHCP Quarantine method radio button>>DHCP servers using the DHCP plug-in radio button>>Click edit next to a DHCP server configuration
    Editing DHCP Server Plug-in Configurations To edit DHCP Server Plug-in Configurations: Home window>>System configuration>>Quarantining>>DHCP Quarantine method radio button>>DHCP servers using the DHCP plug-in radio button 1 Click edit next to the DHCP server you wish to edit.
  • Page 349: Disabling A Dhcp Server Plug-In Configuration

    DHCP Plug-in 1 Click remove next to the DHCP server plug-in configuration you wish to delete. 2 Click yes at the Remove DHCP plug-in configuration prompt. 3 Click ok to save the changes and return to the Home window. Disabling a DHCP Server Plug-in Configuration Disable a DHCP server plug-in configuration when you do not wish to use it, but wish to save the configuration and certificates.
  • Page 351: Chapter 16: System Administration

    Any Sentriant AG window Click Logout in the upper right corner of the Sentriant AG home window. When the logout procedure completes, the Extreme Networks, Inc. login window appears. Important Browser Settings There are several browser configuration settings to make, depending on which browser you are using.
  • Page 352: Managing Your Sentriant Ag License

    (if notifications are enabled). Entering a New License Key Extreme Networks, Inc. distributes license keys as text files. Due to the license key’s length, copy and paste the license key directly out of the text file.
  • Page 353: Downloading New Tests

    If the license key information (such as an expired notice) does not update, clear the browser cache and refresh the page. Downloading New Tests To download the latest tests from the Extreme Networks, Inc. server: Home window>>System configuration>>Test updates>>Check for test updates button NOTE...
  • Page 354: System Settings

    System Administration System Settings DNS/Windows Domain Authentication and Quarantined Endpoints In order to satisfy the following scenarios:
    ● A guest user gets redirected
    ● A user is redirected if their home page is the Intranet
    ● The only host that is resolved is the domain controller (DC); no other intranet hosts are resolved.
  • Page 355: Matching Windows Domain Policies To Nac Policies

    System Administration
    -> lookup intranet.mycompany.com.quarantine.bad
    <- Sentriant AG IP address
    When the end-user logs in, they will be able to authenticate from quarantine even if credentials are not cached:
    -> service location lookup _kerberos _ldap
    <- & receive dc01.mycompany.com dc02.mycompany.com
    ->...
  • Page 356: Naming Your Enforcement Cluster

    System Administration 1 Select one of the following from the Access mode area:
    ■ normal—Access is regulated by the NAC policies
    ■ allow all—All requests for access are granted, but endpoints are still tested
    2 Click ok. Naming Your Enforcement Cluster To name your Enforcement cluster: Home window>>System configuration>>Enforcement clusters &...
  • Page 357: Resetting Your System

    System Administration
    <ip address> is the new IP address for the MS or ES. For example, 192.168.40.10
    <netmask> is the netmask. For example, 255.255.255.0
    <gateway> is the gateway. For example, 10.1.1.1
    Resetting your System There are times when you may wish to revert to the as-shipped state for your system: reverting the configuration and database to that of a freshly installed system.
  • Page 358: Resetting Your Test Data

    System Administration Resetting your Test Data There are times when you may wish to revert to the as-shipped state for test data; clearing the database of all endpoints and test results, and resetting SAPQ and DHCP leases. To reset your test data to the as-shipped state: Command line window 1 For single-server installations: a Log in as root to the Sentriant AG MS, either using SSH or directly with a keyboard.
  • Page 359: Changing Properties

    System Administration resetTestData.py
    NOTE The resetTestData.py file is in the following directory: cd /usr/local/nac/bin
    Changing Properties To change the property values in the properties files: Command line window 1 Log in as root to the Sentriant AG MS using SSH. 2 Enter the following at the command line: <DESTINATION>...
  • Page 360: Specifying An Email Server For Sending Notifications

    System Administration Specifying an Email Server for Sending Notifications Sentriant AG Enforcement clusters send alerts and notifications when certain events occur. You must specify an SMTP email server for sending these notifications. The server must allow SMTP messages from the Sentriant AG ES. To specify an email server for sending notifications: “Notifications”...
  • Page 361: Database

    System Administration Table 14: CIDR Naming Conventions (continued)
    Block | Netmask | Networks | Hosts
    | 255.252.0.0 | 3 Class B networks | 262,144
    | 255.248.0.0 | 8 Class B networks | 512,000
    Database Creating a Backup File To create a backup file of system configuration and data: “Initiating a New Backup” on page 126.
  • Page 362: Restoring From Backup

    System Administration Restoring from Backup NOTE You must have backed up your system at least one time before you can restore from a backup. See “Initiating a New Backup” on page 126. You can restore backed-up data to the same physical server or to a new physical server. Restoring to a new Server To restore system configuration and data from a backup file to a new server: 1 Contact Technical Assistance Center (TAC) at support@extremenetworks.com or (800) 998-2408 and...
  • Page 363: Restoring The Original Database

    System Administration 1 Click restore system from backup file. The Restore system window appears: Figure 206: Restore System 2 Enter the backup file name or click Browse and navigate to the backup file. 3 Click ok. A status window appears. 4 The system data is restored and the login window appears: Figure 207: Login Restoring the Original Database...
  • Page 364: Generating A Support Package

    System Administration 2 Enter the following commands: resetSystem.py This script shuts down all of the services, cleans the database, iptables, and DHCP server, and restarts everything. Generating a Support Package To generate a support package: “Downloading Support Packages” on page 127.
  • Page 365: Supported Vpns

    It is strongly recommended that you use the server-class Intel NIC cards. If you use a different NIC card, you might be unable to connect, or experience unpredictable results and availability. NOTE Your license key is emailed to you. If you did not receive one, contact Extreme Networks, Inc. Technical Assistance Center (TAC) (support@extremenetworks.com or (800) 998-2408). Supported VPNs Sentriant AG works with any VPN endpoint, since Sentriant AG does not directly interface or inter-operate with VPN endpoints.
  • Page 366: Adding Custom Tests

    System Administration Adding Custom Tests Introduction Sentriant AG is an efficient, flexible and extensible testing platform. All tests are implemented in the object-oriented programming language Python. Python is a well-respected, clean, and efficient scripting language. Because the language is object-oriented and the Sentriant AG test platform is extensible, new tests can be developed easily.
  • Page 367: Figure 208: Test Script Code

    System Administration 3 Examine the code. The comments explain each section of code. The following example shows the contents of the file.
    Figure 208: Test Script Code
    #!/usr/bin/python
    from checkSoftwareNotAllowed import CheckSoftwareNotAllowed
    # This allows a script to be tested from the command line.
    if __name__ == '__main__':
        import myCheckSoftwareNotAllowed
        t = myCheckSoftwareNotAllowed.MyCheckSoftwareNotAllowed()
  • Page 368

    System Administration 4 You can change the result["result_message"] to whatever text you want. This message is what the end-user sees in the access windows. This text also appears in the management user interface when you run reports. 5 Every test must return a hash with the following keys: status_code –...
  • Page 369: Figure 209: Example Installcustomtests Output

    System Administration Figure 209: Example InstallCustomTests Output
    # installCustomTests
    Creating custom test script RPM version 5.0-51
    Found 5 python files
    + Compiling python scripts
    + Generating test script XML files
    If you continue, this will generate an RPM file containing your custom scripts and will send the new custom script RPM to the Management Server and all Enforcement Servers.
  • Page 370: Creating A Custom Test Class Script From Scratch

    System Administration Figure 209: Example InstallCustomTests Output (continued)
    00:22:34 DEBUG Waiting for a response on :TemporaryQueue-{TD{ID:perf-ms1-40612-1162365754580-1:0}TD}ID:perf-ms1-40612-1162365754580-6:0
    00:22:36 DEBUG Message received: ACTIVEMQ_TEXT_MESSAGE: id = 0 ActiveMQMessage{ , jmsMessageID = ID:perf-ms1-51331-1162363440379-15:3, bodyAsBytes = org.activemq.io.util.ByteArray@1362012, readOnlyMessage = true, jmsClientID = '93baaf5a-b0ed-4fc2-a3ae-ec6460caedc0' , jmsCorrelationID = 'null' , jmsDestination = TemporaryQueue-{TD{ID:perf-ms1-40612-1162365754580-1:0}TD}ID:perf-ms1-40612-1162365754580-6:0, jmsReplyTo = null, jmsDeliveryMode = 2, jmsRedelivered = false, jmsType =...
  • Page 371: Figure 210: Testtemplate.py

    System Administration Figure 210: testTemplate.py
    #!/usr/bin/python
    from BaseClasses.SABase import SABase as SABase
    # This allows a script to be tested from the command line.
    if __name__ == '__main__':
        import testTemplate
        t = testTemplate.TestTemplate()
        t.processCommandLine()
    # The class definition. All classes must be derived from the SABase class.
    class TestTemplate(SABase):
        # Make up a test id.
  • Page 372

    System Administration Figure 210: testTemplate.py (continued)
        # A short summary for the test. This will show up in the description field
        # when editing NAC policies in the management UI.
        testSummary = \
    """ My short description """
        # This field is unused at the moment.
        # field in the policy editor.
  • Page 373

    System Administration Figure 210: testTemplate.py (continued)
            try:
                # Replace 'pass' with your test here. Modify the returnHash accordingly.
                pass
            except:
                # Set the return status when exception occurs
                import sys
                returnHash['status_code'] = 0
                returnHash['result_code'] = "unknown_error"
                returnHash['result_message'] = sys.exc_type, sys.exc_value
                return(returnHash)
            # Always use the doReturn function;...
  • Page 374: Figure 211: Checkopenports.py Script

    System Administration
    ■ All tests contain a reference to the BasicTests class called self.bt. The self.bt class gives you access to commonly used functions for testing endpoints including registry operations and service operations. See “BasicTests API” on page 378 for more information on the BasicTests API.
  • Page 375

    System Administration Figure 211: checkOpenPorts.py script (continued)
        testConfig = \
    """
    <div id="test_parameters">
    <table height="100%" width="100%" border="0" cellspacing="0" cellpadding="0">
    <tbody>
    <tr>
    <td colspan="2" style="padding: 5px 3px 5px 3px;">
    Enter a list of ports that are not allowed to be open on the endpoint.
  • Page 376

    System Administration Figure 211: checkOpenPorts.py script (continued)
        # These are the arguments to run the test. This is displayed in the command
        # line help.
        testArguments = \
    """
    --host=<hostname, IP, or NETBIOS> --input ports_not_allowed=<comma delimited list of ports>
    Example: <this script> --host=somehost --input "ports_not_allowed=23,80"...
  • Page 377

    System Administration Figure 211: checkOpenPorts.py script (continued)
            if debug:
                print "Checking ports " + str(ports) + " on host " + self.session.host()
            # Do your test here. Modify the returnHash accordingly.
            portsOpen = ""
            # Use a Python socket to connect directly to the target host
            import socket
            for p in ports:
                hp = self.session.host()+":"+str(p)
  • Page 378: Basictests Api

    System Administration Figure 211: checkOpenPorts.py script (continued)
                    import sys
                    print "checkOpenPorts(host="+self.session.host()+", session="+self.session.id()+"): ", sys.exc_type, sys.exc_value
                    if debug:
                        print "Could not connect to "+hp+". Port not open."
                    # Good, it wasn't open
            # There are ports open, so set the returnHash values
            # to indicate that the endpoint failed the test.
  • Page 379: Table 16: Basictests Api

    System Administration
                self.bt.getregKeyExists("HKEY_LOCAL_MACHINE\\Software\\America Online\\AIM")
            except:
                import sys
                returnHash["status_code"] = 0
                returnHash["result_code"] = "unknown_error"
                returnHash["result_message"] = sys.exc_type, sys.exc_value
    …
    The following table describes the BasicTests API.
    Table 16: BasicTests API
    The BasicTests API accesses these functions with the SABase self.bt member. All methods throw an exception that should be caught if an unexpected error occurs.
  • Page 380

    System Administration Table 16: BasicTests API (continued)
    Return value: Boolean. Public method: getCapicomExists(). Checks for Capicom on the machine. Returns the following •...
  • Page 381

    System Administration Table 16: BasicTests API (continued)
    Return value: Dict. Public method: getFileInfo(self, filename, debug=0). Returns Dict containing •...
  • Page 382

    System Administration Table 16: BasicTests API (continued)
    Return value: List. Public method: getMcmsHotFixList(). Returns the hotfixes of Microsoft Content Management Server (MCMS).
  • Page 383

    System Administration Table 16: BasicTests API (continued)
    Return value: String. Public method: getOfficeVersion(). Checks which of the following Microsoft Office versions is installed on the endpoint.
  • Page 384

    System Administration Table 16: BasicTests API (continued)
    Return value: String. Public method: getUser(). Returns the user name of the current user logged in. If no user is logged in, the function returns the string “No user logged in.”...
  • Page 385

    System Administration Table 16: BasicTests API (continued)
    Return value: String. Public method: getWMPVersion(). Returns the version of Windows Media Player installed on the endpoint.
  • Page 386: End-User Access Windows

    NOTE If you need more end-user access window customization than is described in this Users’ Guide, please contact Extreme Networks, Inc. Technical Assistance Center (TAC) at support@extremenetworks.com. To edit the end-user access window logo and general text: “End-user Screens” on page 136.
  • Page 387: How Sentriant Ag Handles Static Ip Addresses

    Sentriant AG ES is 10.0.16.18, point an IE browser window to: http://10.0.16.18:88 NOTE If you would like to use a port other than 88, contact Extreme Networks, Inc. Technical Assistance Center (TAC) at support@extremenetworks.com for assistance in making the necessary changes. How Sentriant AG Handles Static IP Addresses The following list details how Sentriant AG handles static IP addresses: Inline Mode—Sentriant AG can detect, test, and quarantine static IP addresses.
  • Page 388: Managing Passwords

    System Administration Managing Passwords The passwords associated with your Sentriant AG installation are listed in the following table:
    Table 17: Sentriant AG Passwords
    Sentriant AG password | Set during | Recovery process
    Sentriant AG * | Initial install process | “Resetting the Sentriant AG Management Server Password”...
  • Page 389: Resetting The Sentriant Ag Server Password

    System Administration Table 17: Sentriant AG Passwords
    Sentriant AG password | Set during | Recovery process
    Novell eDirectory | Manually entered after installation on the System configuration>>Quarantining>>802.1X Quarantine method radio button window. | Novell eDirectory password recovery is beyond the scope of this document.
  • Page 390: Resetting The Sentriant Ag Database Password

    System Administration 5 Press . You are now in Single User Mode. 6 Enter the following command: passwd 7 Enter a new password at the New Password prompt. 8 Press [ENTER] 9 Retype the password at the Retype new password prompt. 10 Press .
  • Page 391: Ntlm 2 Authentication

    System Administration 4 Enter the following command: setProperty.py -f <filename> 5 From a workstation, open a browser window and point to the Sentriant AG MS. 6 Enter a new User Name and Password when prompted. NTLM 2 Authentication If your network is configured for Windows NT LAN Manager version 2 (NTLMv2) challenge/response authentication only, make the following change to the smb.conf file:...
  • Page 392 System Administration NOTE There is one caveat to note with ranges to monitor and ranges to ignore; if endpoints have IP addresses outside of the ranges to monitor and ranges to ignore, and if the ES is capable of controlling network access for those endpoints, the endpoints can still be quarantined by consequence of the NAC policy rules for Operating Systems and Inactive endpoints.
  • Page 393: Creating And Replacing Ssl Certificates

    System Administration NOTE When using Extreme switches running ExtremeWare or ExtremeXOS prior to release 11.6, DHCP relay IP addresses to enforce will NOT work when the quarantine subnet is a subset of the production network. This is because Extreme switches forward the packets from the IP address closest to Sentriant AG and not the IP address of the interface closest to the endpoint, so all the DHCPRelay packets will appear to come from a production network IP address.
  • Page 394

    System Administration 1 Log in as root to the Sentriant AG server via SSH or directly using a keyboard. 2 Remove the existing keystore by entering the following at the command line: rm -f /usr/local/nac/keystore/compliance.keystore 3 Enter the following at the command line: <key_alias>...
  • Page 395: Using An Ssl Certificate From A Known Certificate Authority (Ca)

    System Administration keytool -import -file /tmp/cacerts -alias <key_alias> -keystore /usr/local/nac/keystore/cacerts c keytool prompts for the password of the cacerts file, which should be the default: changeit. d If you are prompted, enter to trust the certificate. e Restart the nac-ms (or nac-es) service: service nac-ms restart service nac-es restart Using an SSL Certificate from a known Certificate Authority (CA)
  • Page 396: Moving An Es From One Ms To Another

    System Administration Where: <CA_alias> is an alias unique to your cacerts file and preferably identifies the CA to which it pertains; <ca_root_cert_file> is the file containing the CA's root certificate. keytool prompts for the password for the cacerts file, which should be the default: changeit 7 If you are prompted, enter...
  • Page 397: Recovering Quickly From A Network Failure

    System Administration 5 Click delete next to the ES you want to move. 6 In the command line window of the ES, enter the following command: resetSystem.py 7 Log in to the MS user interface of the server that you want to manage the ES. 8 Add the ES by following the directions in “Adding an ES”...
  • Page 398: Vlan Tagging

    System Administration VLAN Tagging In some cases, such as when the DHCP server is in a different VLAN from the span/mirror port, the mirrored port traffic is 802.1q tagged. In this case, in order for Sentriant AG to recognize the traffic, the following workaround must be performed.
  • Page 399: Iptables Wrapper Script

    System Administration a Log in to the MS using SSH or directly with a keyboard. b For 802.1X mode, enter the following command at the command line: setProperty.py -c <cluster name> Compliance.ObjectManager.NACModeTcpdumpInterface=eth1.1 3 Verify the change: a Log in to each ES using SSH or directly with a keyboard. b Enter the following command at the command line: ifconfig c Verify that the virtual interface you created is listed.
  • Page 400: Updating Rules Without An Internet Connection

    1 Get the latest test update RPM file: a On a computer with Internet access, log in to: http://eSupport.extremenetworks.com If you do not have an eSupport account, please contact Extreme Networks Technical Assistance Center (TAC) (support@extremenetworks.com or (800) 998-2408). b Navigate to the Sentriant AG section.
  • Page 401: Updating Rules

    System Administration 2 Copy the RPM file to a directory on the Sentriant AG server that you will remember (for multiple-server installations, copy the RPM file to the MS): a See “Copying Files” on page 37, or copy the file to a USB fob and then copy the file from the USB fob to the Sentriant AG server.
  • Page 402: Enable Persistent Ping

    System Administration Enable Persistent Ping To persistently enable ICMP echo requests: Command line 1 Log in to the Sentriant AG server as root using SSH or directly with a keyboard. 2 Open the rc.local file (for example: /etc/rc.d/rc.local) with a text editor such as 3 In the # Ignore All ICMP requests area, change the following line:...
  • Page 403: Changing The Community Name For Snmpd

    System Administration iptables-save > /etc/sysconfig/iptables.save Changing the Community Name for SNMPD Sentriant AG includes snmpd and it is started by default. You need to change the notpublic snmp community name to something specific for your community. To change the community name: Command line window 1 Log in to the Sentriant AG MS using SSH.
  • Page 404: Snmp Mibs

    System Administration For example: 10.0.16.0/24 <customer-specific community> = your customer-specific community name. For example: Public2 4 Save and exit the file. NOTE iptables already allows snmpd through UDP port 161. NOTE Be careful with this functionality, as a lot of information is exposed through SNMP. SNMP MIBs A Management Information Base (MIB) is a database that manages devices in a network.
  • Page 405 System Administration See the following links for more information on SNMP and MIBs: ● http://en.wikipedia.org/wiki/Management_information_base ● http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
  • Page 407: Chapter 17: Patch Management

    Patch Management Sentriant AG can integrate with patch management software. When an endpoint fails due to a missing patch, Sentriant AG wakes the patch manager client, checks for the completion of the patch, and then retests upon completion. The patch management capability uses the following test statuses: fail –...
  • Page 408: Selecting The Patch Manager

    Patch Management 4 Click ok. Selecting the Patch Manager To select the patch manager: Home window>>NAC Policies>>Select or create an access policy>>Tests menu option 1 Select the check box for a test in the left column. 2 Click on the test name in the left column. 3 Select the Initiate patch manager check box.
  • Page 409: Sms Patch Management

    SMS information. NOTE The SMS server has a setting that allows users to interact with and cancel patch installation. Extreme Networks, Inc. recommends that you do not allow users to cancel patch installation. Once a patch installation has been canceled, the patch does not automatically attempt to install later, and the endpoint will never pass the NAC policy test without manual intervention by the SMS administrator.
  • Page 410: Sentriant Ag Setup

    Patch Management NOTE SMS patch management works with agent-based testing only. NOTE Endpoints must be identified in SMS and have the SMS client installed. Sentriant AG Setup To set up Sentriant AG for use with SMS: 1 Install and configure Sentriant AG (see the Sentriant AG Installation guide). 2 Log into the Sentriant AG user interface.
  • Page 411: Appendix A: Requirements

    Not all anti-virus and anti-spyware tests check for signature file updates. Some anti-virus and anti-spyware products do not lend themselves to being tested for signature file updates. NOTE Sentriant AG supports custom tests written in Python; however, Extreme Networks takes no responsibility for custom scripts. Self Remediation: The Messenger service needs to be running on the end-user endpoint.
  • Page 412 Requirements ■ RADIUS ■ 802.1X ● Must have privileges / access to the network to make configuration changes.
  • Page 413: Appendix B: Configuring The Post-Connect Server

    Extracting the ZIP File Windows To download and extract the ZIP file to a Windows machine: 1 Create a directory for the contents of the ZIP file on the Windows machine. Extreme Networks, Inc. recommends . These instructions assume that you used the...
  • Page 414: Linux

    Configuring the Post-connect Server Linux To download and extract the ZIP file to a Linux machine: 1 Create a directory for the contents of the ZIP file on the Linux machine. Extreme Networks, Inc. recommends . These instructions assume that you used the directory.
  • Page 415: Setting Up A Post-Connect Host

    Configuring the Post-connect Server ■ log4j-1.2.13.jar ■ log4j.properties ■ wrapper.dll ■ wrapper.jar Setting up a Post-connect Host Windows Your post-connect host can be a Linux or Windows server. This section provides instructions on setting up a Windows host. To set up a Windows post-connect host: 1 Install WinPcap on a Windows machine if it is not already installed: a Log into your Windows server.
  • Page 416: Linux

    Configuring the Post-connect Server b Copy the /usr/local/nac/keystore/cacerts file from the MS into the \lib folder on the post-connect server where you extracted the ZIP file. See “Copying Files” on page 37 for information on how to copy files securely. 5 Edit the connector.properties file:...
  • Page 417 Configuring the Post-connect Server b Install Java: 1) Navigate to http://java.sun.com/javase/downloads/index.jsp. 2) Download and install the Java 1.5 update 10 or later. 2 Install Python 2.5 or later if it is not already installed: a Log into your Linux machine. b Install Python: 1) Navigate to http://www.python.org/download/.
  • Page 418: Viewing Logs

    Configuring the Post-connect Server 4) Save and exit the file. c Edit the JMSConnection.properties file: 1) Open the /usr/local/postconnect/lib/JMSConnection.properties file with a text editor such as 2) Enter the MS IP address. For example: URL=ssl://172.16.128.100:61616 3) Enter the MS username. For example: USER_NAME=root 4) Enter the MS password.
  • Page 419: Configuring Your Sensor

    Configuring the Post-connect Server Where: <endpoint IP> is the IP address of an endpoint known to Sentriant AG. For example, 192.168.40.40. “Reason 1” and “Reason 2” are text strings that describe the reasons to quarantine the specified endpoint. For example, “P2P Software Installed”, or “Latest Windows XP Service Pack not applied”. Configuring Your Sensor Configure your post-connect sensor to call with the IP address of the...
  • Page 421: Appendix C: Tests Help

    Tests Help The tests performed on endpoints attempting to connect to the network are listed on the Sentriant AG Home window>>NAC policies>>Select a NAC policy>>Tests. These tests are updated when you download the latest versions by selecting Sentriant AG Home window>>System Configuration>>Test Updates>>Check for Test Updates.
  • Page 422 Tests Help Table 18: Browser Vulnerabilities Item Description Cache Cache is a user-specifiable amount of disk space where temporary files are stored. These files contain graphics and Web pages you visit. The primary purposes for storing Web page information are to save time reloading pages and graphics, and to reduce network traffic by not having to repeatedly send the information over the network.
  • Page 423: Browser Version

    Tests Help Browser Version Description. This test verifies that the endpoint attempting to connect to your system has the latest browser version installed. Test Properties. Select the check box for the required browser software. Enter a version in the text box. If no version is specified in the text box, the default version shown in the square brackets is required.
  • Page 424: Internet Explorer (Ie) Local Intranet Security Zone

    Tests Help 3 Select Custom Level to specify High, Medium, Medium-low, or Low or to create custom settings. Internet Explorer (IE) Local Intranet Security Zone Description. This test verifies that the endpoint attempting to connect to your system is configured according to your specified local intranet security zone standards.
  • Page 425: Internet Explorer (Ie) Trusted Sites Security Zone

    Tests Help ● Medium. A mix of enabled, disabled and prompt for ActiveX controls, enables downloads, a mix of enabled, disabled and prompt for Miscellaneous options, enables Scripting, enables automatic login for intranet ● Medium-low. A mix of enabled, disabled and prompt for ActiveX controls, enables downloads, a...
  • Page 426: Operating System-Windows

    Tests Help ● Low. A mix of enabled and prompt ActiveX controls, enables downloads, a mix of enabled and prompt for Miscellaneous options, enables Scripting, enables automatic login How Does this Affect Me? The trusted sites security zone defines a security level for all trusted Web sites that you visit.
  • Page 427: Internet Explorer Hotfixes

    Tests Help http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=6C8AFC1C-5008-4AC8- 84E1-1632937DBD74 Internet Explorer Hotfixes Description. Checks for hotfixes to Microsoft Internet Explorer (IE). Test Properties. Select the hotfixes required on your network. If needed select Deep Check to permit endpoint tests to run at the file level. Selecting the All critical updates option requires all the critical patches that have been released or will be released by Microsoft.
  • Page 428: Microsoft Applications Hotfixes

    Tests Help Microsoft Applications Hotfixes Description. Checks for hotfixes to Microsoft Applications. Test Properties. Select the hotfixes required on your network. If needed select Deep Check to permit endpoint tests to run at the file level. Selecting the All critical updates option requires all the critical patches that have been released or will be released by Microsoft.
  • Page 429: Service Packs

    Tests Help microsoftupdate&ln=en-us or by clicking on one of the update numbers underlined at the right side of the window as shown in Figure 214. Service Packs Description. This test verifies that the endpoint attempting to connect to your system has the latest operating system (OS) service packs installed.
  • Page 430: Windows 2003 Sp2 Hotfixes

    Tests Help How Does this Affect Me?. Hotfixes are programs that update the software and may include performance enhancements, bug fixes, security enhancements, and so on. There is usually only one fix in a hotfix, whereas a patch includes multiple hotfixes. What Do I Need to Do?.
  • Page 431: Windows Media Player Hotfixes

    Tests Help What Do I Need to Do?. Enable automatic updates. See the following link for instructions: http://www.microsoft.com/protect/computer/updates/mu.mspx Enable automatic updates for Windows 2000: 1 Select Start>>Settings>>Control Panel>>Automatic Updates 2 Select Keep my computer up to date. 3 Select Download the updates automatically and notify me when they are ready to be installed. 4 Click OK.
  • Page 432: Windows Xp Sp1 Hotfixes

    Tests Help What Do I Need to Do?. Manually initiate an update check at http://www.update.microsoft.com/ microsoftupdate/v6/muoptdefault.aspx?returnurl=http://www.update.microsoft.com/ microsoftupdate&ln=en-us or by clicking on one of the update numbers underlined at the right side of the window as shown in Figure 214. Windows XP SP1 Hotfixes Description.
  • Page 433: Security Settings-Os X

    Tests Help Security Settings—OS X Mac AirPort WEP Enabled Description. This test verifies that WEP encryption is enabled for Airport. Test Properties. There are no properties to set for this test. How Does this Affect Me?. Wired Equivalent Privacy (WEP) is a wireless network security standard that provides the same level of security as the security in a wired network.
  • Page 434: Mac Anti-Virus

    Tests Help Mac Anti-virus Description. This test passes if at least one of the required anti-virus software programs for Mac endpoints is installed. Test Properties. Select the anti-virus software allowed on your network. Any endpoint that does not have at least one of the anti-virus software packages selected will fail this test. How Does this Affect Me?.
  • Page 435: Mac Internet Sharing

    Tests Help Test Properties. There are no properties to set for this test. How Does this Affect Me?. See the description of firewalls under “How Does this Affect Me?” on page 446. What Do I Need to Do? . Enable the firewall on the endpoint. Mac endpoint>>Apple Menu>>System Preferences>>Sharing>>Firewall 1 Select the services and ports you want to allow in the Allow area.
  • Page 436: Mac Security Updates

    Tests Help Mac Security Updates Description. This test verifies that the security updates have been applied on this endpoint. Test Properties. When an endpoint fails this test, it can be granted temporary access in the following ways: ● Select the Quarantine access check box and enter a temporary access period. This is the amount of...
  • Page 437: Allowed Networks

    Tests Help Allowed Networks Description. Checks for the presence of an unauthorized connection on an endpoint. These might include connections to a rogue wireless access point, VPN, or other remote network. Test Properties. Enter a list of IP ranges that are legitimate for your network. Enter each range as a start and end IP separated with a "-".
  • Page 438: Microsoft Outlook Macros

    Tests Help Microsoft Outlook Macros Description. This test verifies that the endpoint attempting to connect to your system has the Microsoft Outlook macro security level specified by your security standards. Test Properties. Select the minimum Microsoft Outlook macro setting that is required in order for an endpoint to connect to your network.
  • Page 439: Services Not Allowed

    Tests Help How Does this Affect Me?. Macros are simple programs that are used to repeat commands and keystrokes within another program. A macro can be invoked (run) with a simple command that you assign, such as [ctrl]+[shift]+[r]. Some viruses are macro viruses and are hidden within a document. When you open an infected document, the macro virus runs.
  • Page 440: Services Required

    Tests Help 3 Select Manual or Disabled from the Startup type drop-down list. 4 Click OK. 5 Close the Services window. 6 Close the Administrative Tools window. Services Required Description. This test verifies that the endpoint attempting to connect to your system is running the services specified by your security standards.
  • Page 441: Windows Bridge Network Connection

    Tests Help Windows Bridge Network Connection Description. This test verifies that the endpoint attempting to connect to the network does not have a bridged network connection present. A bridged network connection allows the connecting endpoint to transparently send traffic to and from another network. An example use of this type of connection would be to bridge a high-speed cellular network connection in and out of the local network.
  • Page 442: Windows Startup Registry Entries Allowed

    Tests Help ● Enable "Network access: Do not allow storage of credentials or .NET Passports for network authentication" ● Disable "Network access: Let Everyone permissions apply to anonymous users" ● Enable "Accounts: Limit local account use of blank passwords to console logon only"...
  • Page 443: Wireless Network Connections

    Tests Help updater::C:\Program Files\Common files\Updater\wupdater.exe will allow Windows update to run on startup. How Does this Affect Me?. The Microsoft Windows Registry contains information that Windows uses during normal operations, including system options, property settings, applications installed, types of documents each application can create, ports used, and so on. Information is stored in keys, such as run and runOnce.
  • Page 444: Software-Windows

    Tests Help Software—Windows The Software tests verify that any endpoint attempting to connect to your system meets your specified software requirements. Installing the most recent version of your software helps protect your system against exploits targeting the latest vulnerabilities. Anti-spyware Description.
  • Page 445: High-Risk Software

    Tests Help What Do I Need to Do?. Make sure you have an anti-virus program installed, and that the virus definitions are kept up-to-date. The following link provides more information on anti-virus software and protecting your computer: http://www.us-cert.gov/cas/tips/ST04-005.html High-risk Software Description.
  • Page 446: Personal Firewalls

    Tests Help What Do I Need to Do?. Remove or disable any disallowed P2P software. Personal Firewalls Description. This test verifies that the endpoint attempting to connect to your system has the latest personal firewall software installed and running. Test Properties. Select the personal firewalls that meet your requirements. Any endpoint that does not have at least one of the personal firewalls selected will fail this test.
  • Page 447: Software Required

    Tests Help Software Required Description. This test verifies that the endpoint attempting to connect to your system has the required software packages installed. Test Properties. Enter a list of applications that are required on all connecting endpoints, separated with a carriage return. The format for an application is vendor\software package[\version]. Using this format stores the value in the HKEY_LOCAL_MACHINE\Software key.
  • Page 449: Appendix D: Database Design (Data Dictionary)

    Database Design (Data Dictionary) This section provides information on the following tables for the Sentriant AG database: ● “test_result table” on page 450 ● “Device table” on page 451 ● “sa_cluster” on page 453 ● “sa_node” on page 453 ● “sa_user” on page 454...
  • Page 450: Test_Result Table

    Database Design (Data Dictionary) test_result table test_result This table is a history of test results for all endpoints test_result_id INT4 PRIMARY KEY DEFAULT nextval('test_result_test_result_id_seq') run_id INT4 NOT NULL An ID used for associating test results to a particular test run. timestamp INT4 NOT NULL The time the test was run.
  • Page 451: Device Table

    Database Design (Data Dictionary) Device table device This table contains information about known endpoints unique_id VARCHAR(100) NOT NULL PRIMARY KEY ip_address_str VARCHAR(30) NOT NULL The IP address (string in dotted quad notation) of the endpoint. mac_address VARCHAR(30) DEFAULT NULL The MAC address of the endpoint. netbiosname VARCHAR(50) DEFAULT NULL The NetBIOS name of the endpoint.
  • Page 452 Database Design (Data Dictionary) device (continued) last_connect_dt INT4 NOT NULL The date the endpoint was first seen if it has never been disconnected, or the last time the endpoint reconnected. last_disconnect_dt INT4 NOT NULL The date the endpoint was disconnected for inactivity.
  • Page 453: Sa_Cluster

    Database Design (Data Dictionary) sa_cluster sa_cluster This table contains information about all known clusters. cluster_id VARCHAR(64) PRIMARY KEY cluster_name VARCHAR(30) The name of the cluster. policy_set_id INT4 The unique ID of the policy set used by the cluster. devices TEXT Not used. current_licenses INT4...
  • Page 454: Sa_User

    Database Design (Data Dictionary) sa_user sa_user This table contains information about users. user_id INT4 PRIMARY KEY username VARCHAR(64) The login of the user. passwd VARCHAR(64) MD5 hash of the user's password. full_name VARCHAR(64) The full name of the user. email VARCHAR(256) The email address of the user.
  • Page 455: User_To_Groups

    Database Design (Data Dictionary) user_to_groups user_to_groups This table contains information about a user and their assigned role. group_id INT4 The unique ID of the user role in the many-to- many relationship. user_id INT4 The unique ID of the user in the many-to-many relationship.
  • Page 457: Appendix E: Ports Used In Sentriant Ag

    Ports used in Sentriant AG The following table provides information about Ports used in Sentriant AG: Table 19: Ports in Sentriant AG (columns: Port | Parties | Description | Comments) Ports used for testing endpoints: 88 (TCP), 89 (TCP) | Endpoint to | When using agent-based testing, the endpoint must point (using a browser... | Not configurable
  • Page 458 Ports used in Sentriant AG Table 19: Ports in Sentriant AG (continued) (columns: Port | Parties | Description | Comments) Ports used for internal communications: 7483 (TCP) | ES to MS, MS to ES | Message bus communications between the ES and MS occur on port 7483. | Not configurable 22 (TCP) | MS to ES...
  • Page 459 Ports used in Sentriant AG Table 19: Ports in Sentriant AG (continued) (columns: Port | Parties | Description | Comments) Ports used for NTP: 123 (UDP) | MS to NTP server | Destination port 123 for NTP. | Not configurable 123 (UDP) | ES to MS | NTP communication between the ES and MS occurs on destination port 123. | Not configurable
  • Page 460 Ports used in Sentriant AG Table 19: Ports in Sentriant AG (continued) (columns: Port | Parties | Description | Comments) Ports used for DHCP and domain controllers: 88 (TCP), 159 (TCP) | ES to DC/DHCP server | DHCP Server and Domain Controller behind Sentriant AG: | Configure in the Sentriant AG user interface:...
  • Page 461 Ports used in Sentriant AG Table 19: Ports in Sentriant AG (continued) (columns: Port | Parties | Description | Comments) Ports used for SNMPD: 161 (UDP) | admin user to MS or ES | Used for SNMP monitoring of the server. | Not Configurable NOTE: See “Enabling SNMP” on page for instructions on enabling SNMP.
  • Page 463: Appendix F: Ms Disaster Recovery

    MS Disaster Recovery Overview If the Primary Management Server (primary MS) goes down due to an unrecoverable hardware failure, management server duties can be migrated to an online Standby Management Server (standby MS) using a simple backup and restore process. After failover, the standby MS is able to perform all necessary MS functions, including communicating with Enforcement Servers (ESs), reporting, and making configuration changes.
  • Page 464: Ongoing Maintenance

    MS Disaster Recovery Ongoing Maintenance Certain considerations must be noted regarding the ongoing maintenance of your system in the recovery process for an MS: As part of an ongoing maintenance plan or during backup, check the status of the NAC-testscripts ●...
  • Page 465 MS Disaster Recovery 7 Log in to the UI of the standby MS again (at this point, all UI users from the primary should be able to log in). 8 Navigate to System configuration>>Management server>>edit network settings 9 Change the IP address to be that of the old or primary MS. See “Modifying MS Network Settings”...
  • Page 467: Appendix G: Licenses

    The Software is protected by United States’ and other copyright laws, international treaty provisions and other applicable laws in the country in which it is being used. Extreme Networks and its suppliers own and retain all right, title and interest in and to the Software, including all copyrights, patents, trade secret rights, trademarks and other intellectual property rights therein.
  • Page 468: Limitation Of Liability

    Networks’ and its suppliers' entire liability and your exclusive remedy for any breach of the foregoing warranty shall be, at Extreme Networks’ option, either (i) return of the purchase price paid for the license, if any, or (ii) replacement of the defective media in which the Software is contained.
  • Page 469: Other Licenses

    Extreme Networks, unless such audit discloses an underpayment or amount due to Extreme Networks in excess of five percent (5%) of the initial license fee for the Software or you are using the Software in an unauthorized manner, in which case you shall pay the cost of the audit, in addition to any other amounts owed.
  • Page 470: Apache License Version 2.0, January 2004

    Licenses at www.extremenetworks.com/GLOBAL_DOCS/termsofsale.asp. Please see the Release Notes for this software for additional information and copies of third party licenses. Apache License Version 2.0, January 2004 w.apache.org/licenses/ The Apache Software License Version 2.0 applies to the following software packages: activemq, Commons-codec, Commons-collections, Commons-dbcp, Commons-digester, Commons-fileupload, Commons-httpclient, Commons-lang, Commons-logging, Commons-pool, Geronimo-spec-jms, Geronimo-spec-j2ee-management, Geronimo-spec-jta, Log4j, Mockfu, Tomcat, Xerces,...
  • Page 471: Asm

    Licenses You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5.
  • Page 472: Open Ssh

    Licenses THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;...
  • Page 473 Licenses PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED...
  • Page 474: Postgresql

    Licenses 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3.
  • Page 475: Postgresql Jdbc

    Licenses Postgresql jdbc Copyright (c) 1997-2005, PostgreSQL Global Development Group All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
  • Page 476: Junit Common Public License - V 1.0

    Licenses Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.
  • Page 477 Licenses hereunder, each Recipient hereby assumes sole responsibility to secure any other intellectual property rights needed, if any. For example, if a third party patent license is required to allow Recipient to distribute the Program, it is Recipient's responsibility to acquire that license before distributing the Program. d) Each Contributor represents that to its knowledge it has sufficient copyright rights in its Contribution, if any, to grant the copyright license set forth in this Agreement.
  • Page 478: Open Ssl

    Licenses Everyone is permitted to copy and distribute copies of this Agreement, but in order to avoid inconsistency the Agreement is copyrighted and may only be modified in the following manner. The Agreement Steward reserves the right to publish new versions (including revisions) of this Agreement from time to time.
  • Page 479: The Gnu General Public License (Gpl) Version 2, June 1991

    Licenses * All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code;...
  • Page 480 Licenses 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program"...
  • Page 481 Licenses may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
  • Page 482: Pullparser

    Licenses signature of Ty Coon, 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.
  • Page 483: The Gnu Lesser General Public License (Lgpl) Version 2.1

    Licenses 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3.
  • Page 484 Licenses We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances.
  • Page 485 Licenses If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.
  • Page 486 Licenses may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library.
  • Page 487: Ojdbc

    Licenses Ojdbc Oracle Technology Network Development and Distribution License Terms Export Controls on the Programs Selecting the "Accept License Agreement" button is a confirmation of your agreement that you comply, now and during the trial term, with each of the following statements: -You are not a citizen, national, or resident of, and are not under control of, the government of Cuba, Iran, Sudan, Libya, North Korea, Syria, nor any country to which the United States has prohibited export.
  • Page 488 Licenses shipped with the programs, or documentation may accessed online at http://otn.oracle.com/docs Ownership and Restrictions We retain all ownership and intellectual property rights in the programs. You may make a sufficient number of copies of the programs for the licensed use and one copy of the programs for backup purposes. You may not: - use the programs for any purpose other than as provided above;...
  • Page 489: Javamail Sun Microsystems, Inc

    Licenses restrictions in FAR 52.227-19, Commercial Computer Software-Restricted Rights (June 1987). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065." End of Agreement You may terminate this agreement by destroying all copies of the programs. We have the right to terminate your right to use the programs if you fail to comply with any of the terms of this agreement, in which case you shall destroy all copies of the programs.
  • Page 490 Licenses 4.DISCLAIMER OF WARRANTY. UNLESS SPECIFIED IN THIS AGREEMENT, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT ARE DISCLAIMED, EX LIMITATION OF LIABILITY. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF OR RELATED TO THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN...
  • Page 491: Jcharts

    Licenses this Agreement. Source code may not be redistributed unless expressly provided for in this Agreement. 6. Termination for Infringement. Either party may terminate this Agreement immediately should any Software become, or in either party's opinion be likely to become, the subject of a claim of infringement of any intellectual property right. For inquiries please contact: Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A (LFI#132726/Form ID#011801) jcharts...
  • Page 492: Io-Stty And Io-Tty

    Licenses 4. CNRI is making Python 1.6b1 available to Licensee on an "AS IS" basis. CNRI MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, CNRI MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON 1.6b1WILL NOT INFRINGE ANY THIRD PARTY RIGHTS.
  • Page 493: Concurrent

    Licenses 6. The scripts and library files supplied as input to or produced as output from the programs of this Package do not automatically fall under the copyright of this Package, but belong to whomever generated them, and may be sold commercially, and may be aggregated with this Package.
  • Page 494: Winpcap

    Licenses Chris Morgan - rijndael.cpp Paulo Baretto - rijndael.cpp, skipjack.cpp, square.cpp Richard De Moliner - safer.cpp Matthew Skala - twofish.cpp Permission to use, copy, modify, and distribute this compilation for any purpose, including commercial applications, is hereby granted without fee, subject to the following restrictions: 1.
  • Page 495 Licenses Portions Copyright (c) 1983 Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by the University of California, Berkeley.
  • Page 496: Activation

    Licenses Portions Copyright (c) 1996 Juniper Networks, Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that: (1) source code distributions retain the above copyright notice and this paragraph in its entirety, (2) distributions including binary code include the above copyright notice and this paragraph in its entirety in the documentation or other materials provided with the distribution.
  • Page 497: Java Optional Package

    Licenses 4. DISCLAIMER OF WARRANTY. UNLESS SPECIFIED IN THIS AGREEMENT, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT THESE DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.
  • Page 498: Jsp-Api Package

    Licenses 3. Java Technology Restrictions. You may not modify the Java Platform Interface ("JPI", identified as classes contained within the "java" package or any subpackages of the "java" package), by creating additional classes within the JPI or otherwise causing the addition to or modification of the classes in the JPI. In the event that you create an additional class and associated API(s) which (i) extends the functionality of the Java platform, and (ii) is exposed to third party software developers for the purpose of developing additional software which invokes such additional API, you must promptly publish broadly an accurate specification for such API for free use by all developers.
  • Page 499 Licenses 2. RESTRICTIONS. Software is confidential and copyrighted. Title to Software and all associated intellectual property rights is retained by Sun and/or its licensors. Except as specifically authorized in any Supplemental License Terms, you may not make copies of Software, other than a single copy of Software for archival purposes. Unless enforcement is prohibited by applicable law, you may not modify, decompile, or reverse engineer Software.
  • Page 500 Licenses B. License to Evaluate Message Queue EE. If you have not paid the applicable fees for Message Queue EE, Sun grants you a non-exclusive, non-transferable, royalty-free and limited license to use Message Queue EE internally for the sole purpose of evaluation, for a period of ninety (90) days from the date you begin using the Message Queue EE features.
  • Page 501 Licenses 5. Trademarks and Logos. You acknowledge and agree as between you and Sun that Sun owns the SUN, SOLARIS, JAVA, JINI, JDK, FORTE, STAROFFICE, STARPORTAL and iPLANET trademarks and all SUN, SOLARIS, JAVA, JINI, FORTE, STAROFFICE, STARPORTAL and iPLANET-related trademarks, service marks, logos and other brand designations ("Sun Marks"), and you agree to comply with the Sun Trademark and Logo Usage Requirements currently located at http:// www.sun.com/policies/trademarks.
  • Page 503: Appendix H: Glossary

    Glossary 802.1X A port-based authentication protocol that can dynamically vary encryption keys, and has three components: a supplicant, an authenticator, and an authentication server. Access control list A list or set of rules that routers (and other — networking endpoints) use to control and regulate access through the endpoint and subsequently onto the network.
  • Page 504 Glossary APIC Advanced Programmable Interrupt Controller—A device that provides support for multiple processors by allowing for multiple programmable interrupts. authenticator A component of 802.1X that is the access point, such as a switch, that prevents access when authentication fails. The authenticator can be simple and dumb.
  • Page 505 Glossary Certificate Signing Request—A request sent by a system when applying for a public key certificate. Cisco Trust Agent Device Activity Capture A utility that listens on (sniffs) the network for DHCP traffic and can be configured to discover other types of IP traffic if needed (such as traffic from static IP addresses). Domain controller A server that manages and controls the activities...
  • Page 506 Glossary Enforcement server FQDN Fully Qualified Domain Name—A domain name that uniquely identifies a host computer. It includes the host name and the domain name. For example, myhost.mycompany.com. High Availability A multiple-server Sentriant AG deployment is mutually supporting. Should one server fail, other nodes within a cluster will automatically provide coverage for the affected network segment.
  • Page 507 Glossary inline An installation of Sentriant AG where it is placed on the network and all traffic to be quarantined passes through Sentriant AG. Internet protocol A protocol by which data is sent from one computer to another on the Internet. IPSec IP security A Linux package used to manage packet filtering and Network...
  • Page 508 Glossary Management Information Base—A database used to manage components in a network. MultiMediaCard—A portable storage device. Management server multinet A physical network of two or more logical networks. Network Admission Control NAC policies In Sentriant AG, collections of individual tests that evaluate endpoints attempting to access the network.
  • Page 509 Glossary Person-to-person or Peer-to-peer A Peer-to-peer (P2P) network is one that is comprised of peer nodes (computers) rather than clients and servers. These peer nodes function both as clients and servers to other nodes and can perform any client or server function. P2P software allows users to connect directly to other users and is used for file sharing.
  • Page 510 Glossary root An account on a UNIX or Linux system that has administrator privileges. Security Accounts Manager server A computer that provides services to another (client). shared secret Used for security and integrity purposes to verify RADIUS messages. Both the sender and the receiver of the messages must know the shared secret.
  • Page 511 Glossary User Access Control User Datagram Protocol VLAN Virtual Local Area Network Virtual private network A secure method of using the Internet to gain access to an organization's network. Wireless Equivalent Privacy whitelist A list of devices or endpoints that are allowed access to a system or are allowed privileges.
  • Page 513: Index

    Index Numerics add 91 Cisco CatOS device 95 3rd-party software, installing 34 Cisco IOS device 93 802.1X 253 custom tests 366 communication flow 255 Enforcement cluster 49 configuring the RADIUS server 260 Enforcement server 53 connections 253 Enterasys device 98 enable 84 Extreme XOS device 101 enable Vista endpoint 290...
  • Page 514 Index endpoints 134 check for available test updates settings 81 AP 253 CIDR 360 API 305 clear a temporary state 159 change or set properties 307 ClearTemporaryAccess 310 API communication 306 client 253 Application Programming Interface 305 cluster_id 450 assign endpoints and domains to a policy 226 cluster_name 453 authentication cluster_to_user database table 454...
  • Page 515 Index DAC host matching policies 355 add additional interfaces 324 Domain Controller data dictionary 449 IP address 132 database 449 specifying the name 132 date and time domainname 451 change ES 57 domains 453 domains, always quarantine 134 name 132 double-equal sign 79 ports to specify 132 download the latest tests 353...
  • Page 516 Index immediately grant access 158 enforcement, set DHCP 115 immediately quarantine 159 enforcing ranges 392 managed 170 enter quarantine hierarchy 233 license key 352 quarantine without testing 237 enter license key 352 retest 158 error unmanaged 170 ActiveX 201 view information 160 license key 79 endpoints per ES 46 message, customize 208...
  • Page 517 Index Add HP ProCurve 420/530 AP Device 110 End-user Testing Failed Example 1 206 Add HP ProCurve Device 105 End-user Testing Failed, Printable Results 207 Add HP ProCurve WESM Device 108 End-user Testing Successful 204 Add NAC Policy Group 217 Enforcement Cluster Legend 55 Add NAC Policy, Tests Area 224 Enforcement Cluster, General 52...
  • Page 518 Index NAC Policies 215 System Configuration, Notifications 135 NAC Policies Window Legend 216 System Configuration, OpenLDAP 89 NAC Policy Results Report 334 System Configuration, Post-connect 122 NAC Policy Test Icon 232 System Configuration, Quarantining 83 NAC Policy Test Icons 232 System Configuration, Quarantining, DHCP Networking Services 259 Nortel Exit Script 301...
  • Page 519 Index post-connect service 120 ICMP echo requests enable persistently 402 settings 170 ICMP echo requests enable temporarily 401 testing the end-user through 184 icons, viewing 54 testing through 170 ignoring ranges 392 XP configuration 182 immediately firewall & end-user 170 grant access to an endpoint 158 full_name 454 quarantine an endpoint 159...
  • Page 520 Index JMS 305 set up post-connect 416 JMS Event Receiver 305 JMS Message Bus 305 post-connect 418 JMS Requestor 305 log out 351 logged_on_user 450 login 351 credentials 139 Kerberos 253 delay 238 key features 31 domain 139 known clusters database table 453 save 130 known devices database table 451 saving 202...
  • Page 521 Index NAC Policy opening screen 188 change to not run Windows automatic update operating systems test 355 non-supported 228 NAC policy not tested 220 add group 216 supported 238 assign domains to 226 ordering test methods 129 assign endpoint to 226 os 451 assign endpoints to 226 os_details 451...
  • Page 522 Index set up Windows host 415 quarantined 152 test service 418 view logs 418 post-connect service RADIUS 253 firewall open 120 authentication method, setting 85 posture built-in 284 Checkup 276 configure 260 Healthy 276 server and SA plug-in 258 Infected 277 use existing server 281 Quarantined 276 using a proxy 258...
  • Page 523 Index required services hardware 364 find names 231 software 364 not allowed 231 requirements, software and test updates 411 required 231 reset services, Agent 192 a database 363 session_access 452 ES password 389 session_access_end 452 MS password 389 password 390 802.1X logging levels 144 system 357 action to take 228...
  • Page 524 Index generate 364 updates, checking for 80 supported test method end-user endpoints 168 ActiveX error 201 operating systems 238 agent 189 protocols 365 agent-based 189 VPNs 365 select 128 switch select order 129 Cisco 2950 293 test methods Enterasys Matrix 1H582-25 294 defined 29 Extreme Summit 48si 294 options 32...
  • Page 525 Index Topics 306 MS status 60 troubleshooting browser settings 351 NAC policies window 215 report details 334 test update logs 81 tests information 230 unique_id 451 version information 326 unmanaged endpoint 170 VPNs supported 365 untested endpoint 220 and lease expiration 238 update server names 131 window...