Extreme Networks Sentriant AG, Sentriant AG 5.3 Software User's Manual

Sentriant® AG Software Users Guide, Version 5.3
Extreme Networks, Inc. 3585 Monroe Street Santa Clara, California 95051 (888) 257-3000 (408) 579-2800
http://www.extremenetworks.com
AccessAdapt, Alpine, Altitude, BlackDiamond, EPICenter, Essentials, Ethernet Everywhere, Extreme Enabled, Extreme Ethernet Everywhere, Extreme Networks, Extreme Standby Router Protocol, Extreme Turbodrive, Extreme Velocity, ExtremeWare, ExtremeWorks, ExtremeXOS, Go Purple Extreme Solution, ScreenPlay, Sentriant, ServiceWatch, Summit, SummitStack, Triumph, Unified Access Architecture, Unified Access RF Manager, UniStack, the Extreme Networks logo, the Alpine logo, the BlackDiamond logo, the Extreme Turbodrive logo, the Summit logos, and the Powered by ExtremeXOS logo are trademarks or registered trademarks of Extreme Networks, Inc. or its subsidiaries in the United States and/or other countries.
sFlow is a registered trademark of InMon Corporation.
Specifications are subject to change without notice.
All other registered trademarks, trademarks, and service marks are property of their respective owners.
© 2009 Extreme Networks, Inc. All Rights Reserved.
Table of Contents
List of Figures
List of Tables
Chapter 1: Introduction
Sentriant AG Home Window
System Monitor
Overview
The Sentriant AG Process
About Sentriant AG
NAC Policy Definition
Endpoint Testing
Compliance Enforcement
Automated and Manual Repair
Targeted Reporting
Technical Support
Additional Documentation
Installing and Upgrading
Conventions Used in This Document
Navigation Paragraph
Note Paragraph
Caution Paragraph
Warning Paragraph
Bold Font
Task Paragraph
Italic Text
Courier Font
Angled Brackets
Square Brackets
Terms
Copying Files
SCP
PSCP
Users’ guide online help
Chapter 2: Clusters and Servers
Single-server Installation
Multiple-server Installations
Chapter 3: System Configuration
Introduction
Enforcement Clusters and Servers
Enforcement Clusters
Adding an Enforcement Cluster
Editing Enforcement Clusters
Viewing Enforcement Cluster Status
Deleting Enforcement Clusters
Enforcement Servers
Adding an ES
Cluster and Server Icons
Editing ESs
Changing the ES Network Settings
Changing the ES Date and Time
Modifying the ES SNMP Settings
Modifying the ES root Account Password
Viewing ES Status
Deleting ESs
ES Recovery
Management Server
Viewing Network Settings
Modifying MS Network Settings
Selecting a Proxy Server
Setting the Date and Time
Automatically Setting the Time
Manually Setting the Time
Selecting the Time Zone
Enabling SNMP
Modifying the MS root Account Password
Checking for Sentriant AG Upgrades
Changing the Sentriant AG Upgrade Timeout
User Accounts
Adding a User Account
Searching for a User Account
Sorting the User Account Area
Copying a User Account
Editing a User Account
Deleting a User Account
User Roles
Adding a User Role
Editing User Roles
Deleting User Roles
Sorting the User Roles Area
License
Updating Your License Key
Test Updates
Manually Checking for Test Updates
Selecting Test Update Times
Viewing Test Update Logs
Quarantining, General
Selecting the Quarantine Method
Selecting the Access Mode
Quarantining, 802.1X
Entering Basic 802.1X Settings
Authentication Settings
Selecting the RADIUS Authentication method
Configuring Windows Domain Settings
Configuring OpenLDAP Settings
Adding 802.1X Devices
Testing the Connection to a Device
Cisco IOS
Cisco CatOS
CatOS User Name in Enable Mode
Enterasys
ExtremeWare
ExtremeXOS
Foundry
HP ProCurve Switch
HP ProCurve WESM xl or HP ProCurve WESM zl
HP ProCurve 420 AP or HP ProCurve 530 AP
Nortel
Other
Quarantining, DHCP
DHCP Server Configuration
Setting DHCP Enforcement
Adding a DHCP Quarantine Area
Sorting the DHCP Quarantine Area
Editing a DHCP Quarantine Area
Deleting a DHCP Quarantine Area
Quarantining, Inline
Post-connect
Allowing the Post-connect Service Through the Firewall
First Time Selection
Setting Sentriant AG Properties
Configuring a Post-connect System
Launching Post-connect Systems
Post-connect in the Endpoint Activity Window
Adding Post-connect System Logos and Icons
Maintenance
Initiating a New Backup
Restoring From a Backup
Downloading Support Packages
Cluster Setting Defaults
Testing Methods
Selecting Test Methods
Ordering Test Methods
Recommended Test Methods
Selecting End-user Options
Quarantine/guest resources
Notifications
Enabling Notifications
End-user Screens
Specifying an End-user Screen Logo
Specifying the End-user Screen Text
Specifying the End-user Test Failed Pop-up Window
Agentless Credentials
Adding Windows Credentials
Testing Windows Credentials
Editing Windows Credentials
Deleting Windows Credentials
Sorting the Windows Credentials Area
Logging
Setting ES Logging Levels
Setting 802.1X Devices Logging Levels
Advanced Settings
Setting Timeout Periods
Chapter 4: Endpoint Activity
Finding Endpoints
Primary Endpoint Filtering
Secondary Endpoint Filtering
Limiting the Number of Endpoints Displayed at One Time
Managing Endpoints
Quickly Viewing Endpoint Access Control Status
Quickly Viewing Endpoint Test Status
Viewing Detailed Endpoint Information
Temporarily Granting Access to Endpoints
Temporarily Quarantining Endpoints
Clearing Temporary Access Control for Endpoints
Having Endpoints Retested
Additional Information
Chapter 5: End-user Access
Test Methods Used
Agent Callback
Endpoints Supported
Browser Version
Firewall Settings
Managed Endpoints
Unmanaged Endpoints
Making Changes to the Firewall
Windows Endpoint Settings
IE Internet Security Setting
Agent-based Test Method
Ports Used for Testing
Windows Vista Settings
Agentless Test Method
Configuring Windows 2000 Professional for Agentless Testing
Configuring Windows XP Professional for Agentless Testing
Configuring Windows Vista for Agentless Testing
Defining the Agentless Group Policy Object
Ports Used for Testing
Allowing the Windows RPC Service through the Firewall
ActiveX Test Method
Ports Used for Testing
Windows Vista Settings
Mac OS X Endpoint Settings
Ports Used for Testing
Allowing Sentriant AG through the OS X Firewall
End-user Access Windows
Opening Window
Windows NAC Agent Test Windows
Automatically Installing the Windows Agent
Removing the Agent
Manually Installing the Windows Agent
How to View the Windows Agent Version Installed
Mac OS Agent Test Windows
Installing the MAC OS Agent
Verifying the Mac OS Agent
Removing the Mac OS Agent
ActiveX Test Windows
Agentless Test Windows
Testing Window
Test Successful Window
Testing Cancelled Window
Testing Failed Window
Error Windows
Customizing Error Messages
Chapter 6: NAC Policies
Standard NAC Policies
NAC Policy Group Tasks
Adding a NAC Policy Group
Editing a NAC Policy Group
Deleting a NAC Policy Group
NAC Policy Tasks
Enabling or Disabling a NAC Policy
Changing the NAC Policy Selection Order
Selecting the Default NAC Policy
Creating a New NAC Policy
Editing a NAC Policy
Copying a NAC Policy
Deleting a NAC Policy
Moving a NAC Policy Between NAC Policy Groups
Chapter 7: Quarantined Networks
New End-Users
Shared Resources
Untestable Endpoints and DHCP Mode
Windows Domain Authentication and Quarantined Endpoints
Chapter 8: High Availability and Load Balancing
High Availability
Load Balancing
Chapter 9: Inline Quarantine Method
Chapter 10: DHCP Quarantine Method
Configuring Sentriant AG for DHCP
Setting up a Quarantine Area..............................................................................................231
Router Configuration .........................................................................................................231
Configuring the Router ACLs ........................................................................................231
Configuring Windows Update Service for XP SP2..................................................................231
Chapter 11: 802.1X Quarantine Method........................................................................................ 233
About 802.1X.........................................................................................................................233
Sentriant AG and 802.1X.........................................................................................................234
Setting up the 802.1X Components ..........................................................................................237
Setting up the RADIUS Server ............................................................................................237
Proxying RADIUS Requests to an Existing RADIUS Server Using the Built-in Sentriant AG RADIUS Server ...........................................................................................237
Using the Built-in Sentriant AG RADIUS Server for Authentication...................................240
Enabling Sentriant AG for 802.1X.......................................................................................240
Sentriant AG User Interface Configuration .....................................................................240
Setting up the Supplicant ..................................................................................................241
Windows XP Professional Setup ....................................................................................242
Windows XP Home Setup .............................................................................................243
Windows 2000 Professional Setup................................................................................244
Windows Vista Setup ...................................................................................................246
Setting up the Authenticator ..............................................................................................248
Cisco® 2950 IOS........................................................................................................248
Cisco® 4006 CatOS ....................................................................................................249
Enterasys® Matrix 1H582-25 ......................................................................................249
Extreme Networks® Summit 48si .................................................................................250
ExtremeWare ..............................................................................................................251
ExtremeXOS................................................................................................................251
Foundry® FastIron® Edge 2402...................................................................................252
HP ProCurve 420AP ....................................................................................................252
HP ProCurve 530AP ....................................................................................................253
HP ProCurve 3400/3500/5400 ....................................................................................254
Nortel® 5510.............................................................................................................254
Creating Custom Expect Scripts ....................................................................................255
Chapter 12: API........................................................................................................................... 261
Overview ................................................................................................................................261
Setting Sentriant AG Properties ................................................................................................262
Setting Firewall Rules..............................................................................................................263
Sentriant AG Events Generated.................................................................................................263
Examples of Events Generated............................................................................................264
Java Program and Command for Events ...............................................................................266
Sentriant AG Requests Supported.............................................................................................266
Examples of Requests........................................................................................................267
Post-connect Request Example...........................................................................................269
Java Program and Command for Requests ...........................................................................270
Chapter 13: Remote Device Activity Capture ................................................................................. 271
Creating a DAC Host................................................................................................................271
Downloading the EXE File ..................................................................................................272
Running the Windows Installer ...........................................................................................272
Adding Additional Interfaces ..............................................................................................279
Configuring the MS and ES for DAC ....................................................................................280
Adding Additional ESs .......................................................................................................280
Starting the Windows Service .............................................................................................281
Viewing Version Information ...............................................................................................282
Removing the Software ......................................................................................................282
Sentriant AG to Infoblox Connector ...........................................................................................284
Configuring the Infoblox Server...........................................................................................284
Configuring Sentriant AG ...................................................................................................284
Chapter 14: Reports .................................................................................................................... 287
Generating Reports..................................................................................................................288
Viewing Report Details.............................................................................................................290
Printing Reports......................................................................................................................292
Saving Reports to a File ...........................................................................................................292
Converting an HTML Report to a Word Document .......................................................................292
Chapter 15: DHCP Plug-in............................................................................................................ 295
Preparing for DHCP Plug-in Installation.....................................................................................296
DHCP Plug-in and the Sentriant AG User Interface.....................................................................297
Installing the Plug-in .........................................................................................................297
Enabling the Plug-in and Adding Servers .............................................................................301
Viewing DHCP Server Plug-in Status ...................................................................................303
Editing DHCP Server Plug-in Configurations.........................................................................304
Deleting a DHCP Server Plug-in Configuration......................................................................304
Disabling a DHCP Server Plug-in Configuration ....................................................................305
Enabling a DHCP Server Plug-in Configuration .....................................................................305
Chapter 16: System Administration...............................................................................................307
Launching Sentriant AG...........................................................................................................307
Launching and Logging into Sentriant AG ............................................................................307
Logging out of Sentriant AG ...............................................................................................307
Important Browser Settings ................................................................................................307
Restarting Sentriant AG System Processes.................................................................................307
Managing your Sentriant AG License.........................................................................................308
Entering a New License Key ...............................................................................................308
Downloading New Tests ...........................................................................................................309
System Settings ......................................................................................................................310
DNS/Windows Domain Authentication and Quarantined Endpoints .........................................310
Matching Windows Domain Policies to NAC Policies .............................................................311
Setting the Access Mode....................................................................................................311
Naming Your Enforcement Cluster ......................................................................................312
Changing the MS Host Name..............................................................................................312
Changing the ES Host Name ..............................................................................................312
Changing the MS or ES IP Address .....................................................................................312
Resetting your System .......................................................................................................313
Resetting your Test Data ....................................................................................................314
Changing Properties ..........................................................................................................315
Specifying an Email Server for Sending Notifications............................................................316
Entering Networks Using CIDR Format ......................................................................................316
Database................................................................................................................................317
Creating a Backup File.......................................................................................................317
Changing the Backup Timeouts ..........................................................................................317
Restoring from Backup ......................................................................................................318
Restoring to a new Server.............................................................................................318
Restoring to the Same Server .......................................................................................318
Restoring the Original Database..........................................................................................319
Generating a Support Package............................................................................................320
System Requirements..............................................................................................................320
Supported VPNs......................................................................................................................321
Adding Custom Tests...............................................................................................................322
Introduction......................................................................................................................322
References .......................................................................................................................322
Changing the Error Messages in a Test Script.......................................................................322
Creating a Custom Test Class Script from Scratch ................................................................326
BasicTests API..................................................................................................................334
End-user Access Windows........................................................................................................342
How Sentriant AG Handles Static IP Addresses ..........................................................................343
Managing Passwords ...............................................................................................................344
Resetting the Sentriant AG Server Password.........................................................................345
Resetting the Sentriant AG Database Password ....................................................................346
Changing the Sentriant AG Administrator Password ..............................................................346
When the Password is Known .......................................................................................346
When the Password is Unknown....................................................................................346
NTLM 2 Authentication ...........................................................................................................347
Working with Ranges ...............................................................................................................347
Installing SSL Certificates........................................................................................................349
Moving an ES from One MS to Another......................................................................................350
Recovering Quickly from a Network Failure ................................................................................351
VLAN Tagging.........................................................................................................................352
iptables Wrapper Script ...........................................................................................................353
Updating Rules without an Internet Connection .........................................................................354
Downloading the Files........................................................................................................354
Updating Rules .................................................................................................................355
Supporting Network Management System ..................................................................................355
Enabling ICMP Echo Requests ...........................................................................................355
Enable Temporary Ping ................................................................................................356
Enable Persistent Ping.................................................................................................356
Restricting the ICMP Request.......................................................................................356
Changing the Community Name for SNMPD.........................................................................357
SNMP MIBs......................................................................................................................359
Appendix A: Requirements ........................................................................................................... 361
Chapter B: Patch Management .....................................................................................................363
Flagging a Test to Launch a Patch Manager ...............................................................................363
Selecting the Patch Manager....................................................................................................364
Specifying the Number of Retests.............................................................................................364
Specifying the Retest Frequency...............................................................................................364
SMS Patch Management..........................................................................................................365
SMS Concepts ........................................................................................................................365
Sentriant AG/SMS/Sentriant AG Process....................................................................................365
Sentriant AG Setup .................................................................................................................366
Learning More About SMS .......................................................................................................366
Appendix C: Access Control Precedence....................................................................................... 367
Appendix D: Endpoint Testing Conditions ...................................................................................... 369
Appendix E: Troubleshooting Quarantined Endpoints...................................................................... 373
Appendix F: Enforcement Server Processes and Threads ............................................................... 377
Appendix G: Configuring the Post-connect Server.......................................................................... 381
Overview ................................................................................................................................381
Extracting the ZIP File.............................................................................................................381
Windows...........................................................................................................................381
Linux ...............................................................................................................................382
ZIP File Contents ....................................................................................................................382
Setting up a Post-connect Host ................................................................................................383
Windows...........................................................................................................................383
Linux ...............................................................................................................................384
Viewing Logs ..........................................................................................................................386
Testing the Service..................................................................................................................386
Windows...........................................................................................................................386
Linux ...............................................................................................................................386
Configuring Your Sensor...........................................................................................................387
Allowing Sentriant AG Through the Firewall ...............................................................................387
Appendix H: Tests Help................................................................................................................ 389
Browser Security Policy—Windows............................................................................................389
Browser Version ................................................................................................................391
Internet Explorer (IE) Internet Security Zone ........................................................................391
Internet Explorer (IE) Local Intranet Security Zone ...............................................................392
Internet Explorer (IE) Restricted Site Security Zone ..............................................................392
Internet Explorer (IE) Trusted Sites Security Zone ................................................................393
Operating System—Windows ....................................................................................................394
IIS Hotfixes ......................................................................................................................394
Internet Explorer Hotfixes ..................................................................................................395
Microsoft Office Hotfixes....................................................................................................395
Microsoft Applications Hotfixes ..........................................................................................396
Microsoft Servers Hotfixes..................................................................................................396
Microsoft Tools Hotfixes.....................................................................................................396
Service Packs ...................................................................................................................397
Windows 2000 SP4 Hotfixes..............................................................................................397
Windows 2003 SP1 Hotfixes..............................................................................................397
Windows 2003 SP2 Hotfixes..............................................................................................398
Windows Automatic Updates ..............................................................................................398
Windows Media Player Hotfixes ..........................................................................................399
Windows Vista™ SP0 Hotfixes ...........................................................................................399
Windows XP SP1 Hotfixes .................................................................................................400
Windows XP SP2 Hotfixes .................................................................................................400
Security Settings—OS X ..........................................................................................................401
Mac AirPort WEP Enabled..................................................................................................401
Mac AirPort Preference ......................................................................................................401
Mac AirPort User Prompt ...................................................................................................401
Mac Anti-virus ..................................................................................................................402
Mac Bluetooth ..................................................................................................................402
Mac Firewall .....................................................................................................................402
Mac Internet Sharing.........................................................................................................403
Mac QuickTime® Updates .................................................................................................403
Mac Security Updates........................................................................................................404
Mac Services ....................................................................................................................404
Security Settings—Windows.....................................................................................................404
Allowed Networks..............................................................................................................405
Microsoft Excel Macros ......................................................................................................405
Microsoft Outlook Macros...................................................................................................406
Microsoft Word Macros ......................................................................................................406
Services Not Allowed .........................................................................................................407
Services Required .............................................................................................................408
Windows Bridge Network Connection...................................................................................409
Windows Wireless Network SSID Connections ......................................................................409
Windows Security Policy ....................................................................................................409
Windows Startup Registry Entries Allowed ...........................................................................410
Wireless Network Connections ............................................................................................411
Software—Windows.................................................................................................................412
Anti-spyware.....................................................................................................................412
Anti-virus .........................................................................................................................412
High-risk Software.............................................................................................................413
Microsoft Office Version Check ...........................................................................................413
P2P .................................................................................................................................413
Personal Firewalls .............................................................................................................414
Software Not Allowed ........................................................................................................414
Software Required.............................................................................................................415
Worms, Viruses, and Trojans ..............................................................................................415
Appendix I: Database Design (Data Dictionary).............................................................................. 417
test_result table ......................................................................................................................418
Device table ...........................................................................................................................419
sa_cluster...............................................................................................................................421
sa_node .................................................................................................................................421
sa_user ..................................................................................................................................422
cluster_to_user .......................................................................................................................422
user_group .............................................................................................................................422
user_to_groups .......................................................................................................................423
group_to_permission ...............................................................................................................423
Appendix J: Ports used in Sentriant AG ......................................................................................... 425
Appendix K: MS Disaster Recovery ............................................................................................... 431
Overview ................................................................................................................................431
Installation Requirements ..................................................................................................431
Installing the Standby MS..................................................................................................431
Ongoing Maintenance ........................................................................................................432
Failover process ................................................................................................................432
Appendix L: Licenses................................................................................................................... 435
Extreme Networks End-User License Agreement.........................................................................435
Other Licenses........................................................................................................................437
Apache License Version 2.0, January 2004 .........................................................................438
ASM ................................................................................................................................439
Open SSH ........................................................................................................................440
Postgresql ........................................................................................................................442
Postgresql jdbc ................................................................................................................443
xstream ............................................................................................................................443
Libeay (Open SSL) ............................................................................................................443
Junit Common Public License - v 1.0 .................................................................................444
Open SSL.........................................................................................................................446
The GNU General Public License (GPL) Version 2, June 1991...............................................447
Pullparser ........................................................................................................................450
Xpp3................................................................................................................................450
The GNU Lesser General Public License (LGPL) Version 2.1 .................................................451
Ojdbc ..............................................................................................................................455
JavaMail Sun Microsystems, Inc. ........................................................................................457
jcharts .............................................................................................................................459
PyXML Python License (CNRI Python License).....................................................................459
IO-Stty and IO-Tty .............................................................................................................460
Concurrent .......................................................................................................................461
Crypto ++ .........................................................................................................................461
WinPcap...........................................................................................................................462
Activation.........................................................................................................................464
JAVA OPTIONAL PACKAGE ................................................................................................465
jsp-api package.................................................................................................................466
Appendix M: Glossary .................................................................................................................. 471
Index .......................................................................................................................................... 481
List of Figures
Figure 1: Sentriant AG Home Window .....................................................................................24
Figure 2: System Monitor Window...........................................................................................25
Figure 3: System Monitor Window Legend ...............................................................................26
Figure 4: Online help.............................................................................................................36
Figure 5: Index tab ................................................................................................................37
Figure 6: Search tab..............................................................................................................38
Figure 7: Single-server Installation..........................................................................................40
Figure 8: Multiple-server Installation .......................................................................................41
Figure 9: Multiple-server, Multiple-cluster Installation ..............................................................42
Figure 10: System Configuration, Enforcement Clusters & Servers................................................45
Figure 11: Add Enforcement Cluster .........................................................................................46
Figure 12: Enforcement Cluster, General ...................................................................................48
Figure 13: System Configuration, Enforcement Clusters & Servers................................................49
Figure 14: Add Enforcement Server ..........................................................................................50
Figure 15: Enforcement Cluster Legend.....................................................................................51
Figure 16: Enforcement Server .................................................................................................52
Figure 17: Enforcement Server, Status ......................................................................................55
Figure 18: System Configuration, Management Server ................................................................57
Figure 19: Management Server Network Settings........................................................................58
Figure 20: Date & Time ...........................................................................................................60
Figure 21: System Configuration, User Accounts ........................................................................64
Figure 22: Add User Account ...................................................................................................65
Figure 23: Copy User Account ..................................................................................................67
Figure 24: User Account ..........................................................................................................68
Figure 25: System Configuration, User Roles .............................................................................70
Figure 26: Add User Role.........................................................................................................70
Figure 27: User Role ...............................................................................................................72
Figure 28: System Configuration, License..................................................................................73
Figure 29: System Configuration, Test Updates ..........................................................................75
Figure 30: Test Update Log......................................................................................................76
Figure 31: Test Update Log Window Legend ..............................................................................76
Figure 32: System Configuration, Quarantining ..........................................................................78
Figure 33: System Configuration, Windows Domain ....................................................................81
Figure 34: System Configuration, OpenLDAP .............................................................................83
Figure 35: Add 802.1X Device .................................................................................................85
Figure 36: Add 802.1X Device, Test Connection Area Option 1 ...................................................86
Figure 37: Add 802.1X Device, Test Connection Area Option 2 ...................................................86
Figure 38: Add Cisco IOS Device ..............................................................................................88
Figure 39: Add Cisco CatOS Device...........................................................................................89
Figure 40: Add Enterasys Device ..............................................................................................92
Figure 41: Add ExtremeWare Device .........................................................................................93
Figure 42: Add ExtremeXOS Device ..........................................................................................95
Figure 43: Add Foundry Device.................................................................................................96
Figure 44: Add HP ProCurve Device ..........................................................................................98
Figure 45: Add HP ProCurve WESM xl/zl Device .......................................................................101
Figure 46: Add HP ProCurve 420/530 AP Device .....................................................................103
Figure 47: Add Nortel Device .................................................................................................105
Figure 48: Add Other Device ..................................................................................................107
Figure 49: System Configuration, Quarantining, DHCP Enforcement...........................................109
Figure 50: Add a Quarantine Area ...........................................................................................110
Figure 51: Quarantine Area ....................................................................................................112
Figure 52: Post-connect Configuration Message .......................................................................113
Figure 53: System Configuration, Post-connect ........................................................................115
Figure 54: Post-connect Launch Window .................................................................................116
Figure 55: Post-connect Quarantine Details .............................................................................117
Figure 56: System Configuration, Maintenance ........................................................................119
Figure 57: Backup Successful Message...................................................................................120
Figure 58: System Configuration, Testing Methods ...................................................................121
Figure 59: System Configuration, Quarantine/Guest Resources Area ...........................................124
Figure 60: System Configuration, Notifications.........................................................................127
Figure 61: System Configuration, End-user Screens..................................................................129
Figure 62: System Configuration, Agentless Credentials ............................................................131
Figure 63: Agentless Credentials, Add Windows Administrator Credentials ..................................132
Figure 64: System Configuration, Logging Option .....................................................................135
Figure 65: System Configuration, Advanced Option ..................................................................137
Figure 66: Endpoint Activity, Connected Endpoints ..................................................................139
Figure 67: Endpoint Activity, Primary Filtering Options .............................................................140
Figure 68: Endpoint Activity, Secondary Filtering Options .........................................................141
Figure 69: Search Criterion Affecting Endpoint Activity Results .................................................143
Figure 70: Display Endpoints Drop-down .................................................................................143
Figure 71: Access Control Status Rollover................................................................................145
Figure 72: Endpoint Activity Icon Legend ................................................................................146
Figure 73: Endpoint Test Status Rollover.................................................................................147
Figure 74: Endpoint, General Information................................................................................148
Figure 75: Endpoint, Test Results...........................................................................................149
Figure 76: Local Area Connection Properties............................................................................158
Figure 77: Local Area Connection Properties............................................................................159
Figure 78: Group Policy Management Window..........................................................................160
Figure 79: New GPO Window..................................................................................................161
Figure 80: Group Policy Object Editor .....................................................................................161
Figure 81: Network Access Window.........................................................................................162
Figure 82: Network Security Window.......................................................................................163
Figure 83: Network Connection Properties Window ...................................................................164
Figure 84: Remote Procedure Call Properties Window ...............................................................164
Figure 85: Remote Registry Properties Window ........................................................................165
Figure 86: Windows Firewall Window ......................................................................................166
Figure 87: Microsoft Peer-to-Peer Window ...............................................................................167
Figure 88: Double Arrow Icon .................................................................................................168
Figure 89: Mac System Preferences ........................................................................................171
Figure 90: Mac Sharing .........................................................................................................172
Figure 91: Mac Ports .............................................................................................................173
Figure 92: End-user Opening Window......................................................................................174
Figure 93: End-user Installing Window ....................................................................................175
Figure 94: End-user Agent Installation Failed...........................................................................176
Figure 95: End-user Agent Installation Window (Start) ..............................................................177
Figure 96: End-user Agent Installation Window (Finish) ............................................................177
Figure 97: Add/Remove Programs ...........................................................................................178
Figure 98: Security Certificate................................................................................................179
Figure 99: Run or Save to Disk ...............................................................................................179
Figure 100: Agent Version........................................................................................................180
Figure 101: Start Mac OS Installer ...........................................................................................180
Figure 102: Mac OS Installer 1 of 5..........................................................................................181
Figure 103: Mac OS Installer 2 of 5..........................................................................................181
Figure 104: Mac OS Installer 3 of 5..........................................................................................182
Figure 105: Mac OS Installer 4 of 5..........................................................................................182
Figure 106: Mac OS Installer 5 of 5..........................................................................................183
Figure 107: Applications, Utilities Folder ..................................................................................184
Figure 108: Activity Monitor .....................................................................................................185
Figure 109: Mac Terminal........................................................................................................186
Figure 110: End-user ActiveX Plug-in Failed ..............................................................................187
Figure 111: End-user Login Credentials.....................................................................................188
Figure 112: End-user Login Failed ............................................................................................189
Figure 113: End-user Testing ...................................................................................................190
Figure 114: End-user Testing Successful...................................................................................190
Figure 115: End-user Testing Cancelled ....................................................................................191
Figure 116: End-user Testing Failed Example 1 .........................................................................192
Figure 117: End-user Testing Failed, Printable Results ...............................................................193
Figure 118: End-user Error.......................................................................................................193
Figure 119: NAC Policies Window.............................................................................................201
Figure 120: NAC Policies Window Legend .................................................................................202
Figure 121: Add NAC Policy Group ...........................................................................................203
Figure 122: Edit NAC Policy Group ...........................................................................................204
Figure 123: NAC Policy Selection Order Buttons ........................................................................205
Figure 124: The Default NAC Policy for a NAC Policy Group, Indicated by a Blue Checkmark Icon..206
Figure 125: Add a NAC Policy, Basic Settings Area ....................................................................207
Figure 126: Add a NAC Policy, Endpoints Area ..........................................................................210
Figure 127: Add NAC Policy, Tests Area ....................................................................................212
Figure 128: NAC Policy Test Failure Icons .................................................................................213
Figure 129: Inline Installations.................................................................................................222
Figure 130: DHCP Installation..................................................................................................223
Figure 131: 802.1X Installation ...............................................................................................224
Figure 132: Inline Installations.................................................................................................228
Figure 133: DHCP Installation..................................................................................................230
Figure 134: 802.1X Components..............................................................................................234
Figure 135: Sentriant AG 802.1X Enforcement ..........................................................................235
Figure 136: 802.1X Communications........................................................................................236
Figure 137: Enabling 802.1X in the User Interface ....................................................................241
Figure 138: Windows XP Pro Local Area Connection, General Tab ................................................242
Figure 139: Windows XP Pro Local Area Connection Properties, Authentication Tab ......................243
Figure 140: Windows 2000 Local Area Connection Properties, General Tab ..................................245
Figure 141: Windows 2000 Local Area Connection Properties, Authentication Tab ........................245
Figure 142: Wired AutoConfig Properties ...................................................................................246
Figure 143: Windows Vista Local Area Connection, Networking Tab .............................................247
Figure 144: Windows Vista Local Area Connection Properties, Authentication Tab .........................247
Figure 145: Nortel Initialization Script ......................................................................................256
Figure 146: Nortel Re-authentication Script ..............................................................................256
Figure 147: Nortel Exit Script ..................................................................................................256
Figure 148: Sentriant AG API Communication ...........................................................................262
Figure 149: The DAC InstallShield Wizard Welcome Window .......................................................273
Figure 150: RDAC Installer, Setup Type ....................................................................................273
Figure 151: RDAC Installer, Choose Destination Location............................................................274
Figure 152: RDAC Installer, Confirm New Folder ........................................................................274
Figure 153: RDAC Installer, Select Features ..............................................................................275
Figure 154: RDAC Installer, NIC Selection ................................................................................275
Figure 155: RDAC Installer, TCP Port Filter Specification ...........................................................276
Figure 156: RDAC Installer, Enforcement Server Specification ....................................................276
Figure 157: RDAC Installer, Ready to Install the Program ...........................................................277
Figure 158: RDAC Installer, InstallShield Wizard Complete .........................................................278
Figure 159: Example wrapper.conf File .....................................................................................279
Figure 160: NAC Endpoint Activity Capture Service ....................................................................282
Figure 161: RDAC Uninstall Complete ......................................................................................283
Figure 162: Reports ................................................................................................................289
Figure 163: NAC Policy Results Report .....................................................................................290
Figure 164: Test Details Report ................................................................................................291
Figure 165: DHCP Plug-in .......................................................................................................295
Figure 166: System Configuration, Quarantining, DHCP ..............................................................298
Figure 167: DHCP Plug-in InstallShield Wizard window ..............................................................299
Figure 168: DHCP Plug-in Customer Information window ............................................................299
Figure 169: DHCP Plug-in Ready to Install the Program window ..................................................300
Figure 170: DHCP Plug-in InstallShield Wizard Complete window................................................300
Figure 171: Add DHCP Plug-in Configuration.............................................................................302
Figure 172: DHCP Plug-in Server Added Example ......................................................................303
Figure 173: DHCP Plug-in Legend ............................................................................................303
Figure 174: DHCP Plug-in Configuration ...................................................................................304
Figure 175: Restore System .....................................................................................................319
Figure 176: Login ...................................................................................................................319
Figure 177: Test Script Code....................................................................................................323
Figure 178: Example InstallCustomTests Output ........................................................................325
Figure 179: testTemplate.py .........................................................327
Figure 180: checkOpenPorts.py script .......................................................................................330
Figure 181: snmpd.conf Example File .......................................................................................358
Figure 182: Initiate a Patch Manager Check Box ........................................................................363
Figure 183: Microsoft Office Hotfixes Critical Updates................................................................395
List of Tables
Table 1: Test Methods ..........................................................................................................27
Table 2: Sentriant AG Technical Support................................................................................30
Table 3: Default Menu Options ..............................................................................................43
Table 4: Default User Roles ..................................................................................................66
Table 5: User Role Permissions .............................................................................................71
Table 6: Resource Tips .......................................................................................................125
Table 7: Default Test Names and Descriptions ......................................................................195
Table 8: Expect Script Commands and Parameters ................................................................257
Table 9: Report Types and Fields.........................................................................................287
Table 10: DHCP Plug-in Configuration File Settings ................................................................300
Table 11: Service Stop and Restart Commands .......................................................................308
Table 12: CIDR Naming Conventions .....................................................................................316
Table 13: Sentriant AG System Requirements.........................................................................320
Table 14: BasicTests API ......................................................................................................335
Table 15: Sentriant AG Passwords .........................................................................................344
Table 16: Access Control Precedence.....................................................................................367
Table 17: Conditions Affecting Endpoint Testing .....................................................................369
Table 18: Troubleshooting Quarantined Endpoints...................................................................373
Table 19: Enforcement Server Processes and Threads..............................................................377
Table 20: Browser Vulnerabilities...........................................................................................389
Table 21: Ports in Sentriant AG .............................................................................................425
1 Introduction
This chapter provides the following:
A description of the Home window (“Sentriant AG Home Window” on page 23)
A description of the System monitor window (“System Monitor” on page 24)
An overview of the Sentriant® AG software and the key features (“Overview” on page 26)
How to get help (“Technical Support” on page 30)
Other documents (“Additional Documentation” on page 31)
Where to get installation and upgrading information (“Installing and Upgrading” on page 31)
How to read this document (“Conventions Used in This Document” on page 31)
How to copy files between systems (“Copying Files” on page 34)
Sentriant AG Home Window
The Sentriant AG software Home window (Figure 1) is a centralized management user interface that allows you to quickly assess the status of your network. The following list and figure describe and show the key features:
1 Important status announcements—If there is anything that needs your immediate attention, a status announcement is displayed at the top of the window. Click clear to remove the announcement.
2 My account—Click this icon to open the user account editing window. See “User Accounts” on page 63 for details on creating and editing user accounts. You must have administrator privileges to create user accounts; however, any user can edit their own account.
3 Top 5 failed tests area—The Top 5 failed tests area indicates the tests that fail the most. Click on an endpoint number or the Test results report option to view details.
4 Window actions—Use these buttons to refresh the window, log out of the user interface, and access online help.
5 Navigation pane—The menu items shown in this pane vary depending on your permission level. See “User Roles” on page 69 for more information on permissions. You must have administrator privileges to create and edit user roles. Once you select a menu item from the navigation pane, use the bread crumbs at the top of the windows to navigate throughout the user interface (see Figure 2: System Monitor Window on page 25).
6 Endpoint test status area—The Endpoint tests area displays the total number of endpoints that Sentriant AG has attempted to test, and what the test status is for each endpoint. Click the number of endpoints to view details.
7 Access control status area—The Access control area displays the total number of endpoints that have attempted to connect to your network, and what the access state is as a percentage and as a number. Click on the number of endpoints to view details.
8 Enforcement server (ES) status area—The Enforcement server status area provides status on your ESs. Click the System monitor option to view details.
Figure 1: Sentriant AG Home Window (callouts: 1. Important status announcements; 2. My account; 3. Top 5 failed tests area; 4. Window actions; 5. Navigation pane; 6. Test status area; 7. Access control status area; 8. Enforcement server status area)
System Monitor
The System monitor window provides the following information:
Enforcement cluster name—The Enforcement clusters are listed by name in the order they were created. Click on a cluster name to view cluster details. You must have cluster-editing permissions to view and edit cluster details.
Server name by cluster—The servers for each cluster are listed by name in the order they were created. Click on a server name to view server details. You must have cluster-editing permissions to view and edit server details.
Cluster access mode—The cluster access mode is either normal or allow all. See “Enforcement Clusters and Servers” on page 44 for instructions on making the access mode selection.
Health status—Health status shows ok for servers with no problems, and either warning or error for servers with problems. Click the server name to view details.
Upgrade status—Upgrade status shows the status of any upgrades in process.
% memory used—The amount of memory currently used by each server is shown as a percentage of total memory available.
Endpoints tested/minute—The number of endpoints tested over the last 15 minutes or less.
Endpoints queued—The number of tests running or scheduled to run on that ES.
System load average—The number of processes waiting to run (top command). In Linux, entering top at the command line returns a real-time look at processor activity.
Figure 2: System Monitor Window (callout: Breadcrumbs for navigation)
The following figure shows the legend for the System monitor window icons:
Figure 3: System Monitor Window Legend
Overview
Sentriant AG protects the network by ensuring that endpoints are free from threats and in compliance with the organization's IT security standards. Sentriant AG systematically tests endpoints—with or without the use of a client or agent—for compliance with organizational security policies, quarantining non-compliant machines before they damage the network.
Sentriant AG ensures that the applications and services running on endpoints (such as LAN, RAS, VPN, and WiFi endpoints) are up-to-date and free of worms, viruses, trojans, P2P and other potentially damaging software. It dramatically reduces the cost and effort of securing your network's weakest links—the endpoints your IT group might not adequately control.
There are advantages and disadvantages inherent with each of the test method technologies. Having a choice of testing solutions enables you to maximize the advantages and minimize the disadvantages.
NOTE
Agentless testing uses an existing Windows service (RPC). ActiveX testing uses an ActiveX control. Extreme Networks® agent testing installs an agent (Sentriant AG Agent) and runs as a new Windows service.
The trade-offs in the test methods are described in the following table:
Table 1: Test Methods (trade-offs by test method)

Test method: Agentless
Pros:
  Truly agentless, no install or download.
  No extra memory load on the client machine.
  Can begin testing, view test results, and give network access without any end-user interaction for endpoints on your Windows domains.
  Easiest of the three test methods to deploy.
  Saves administration time and is therefore less expensive than agent-based solutions.
Cons:
  Requires RPC Service to be available to the Sentriant AG server (ports 139 or 445).
  Requires file and print sharing to be enabled.
  Not supported by legacy Windows™ operating systems and non-Windows operating systems.
  If the endpoint is not on a domain, the user must specify local credentials. A user often does not know what credentials to enter.

Test method: ActiveX plug-in
Pros:
  No installation or upgrade to maintain.
  Supports all Windows operating systems.
  Only Internet Explorer application access required through personal firewall. Must open port 1500.
Cons:
  No retesting of endpoint once browser is closed.
  Not supported by non-Windows operating systems.
  Browser security settings must allow ActiveX control operation of signed and safe controls. This is the default for the Internet zone. Raise the Internet zone setting and make Sentriant AG part of the trusted zone.
  Requires interaction from end-users—they must download the control before they can access network.

Test method: Sentriant AG Agent
Pros:
  Always available for retesting.
  The agent is automatically updated with product updates.
  Supports all Windows platforms.
Cons:
  Install and upgrade to maintain.
  Requires one-time interaction from end-users—they must download and install before they can access network.

The following list highlights key features:
Enforcement options—Sentriant AG provides multiple enforcement options for quarantining endpoints that do not comply with your security policy (Inline, DHCP, and 802.1X). This enables Sentriant AG to enforce compliance across complex, heterogeneous networks.
High availability and load balancing—A multi-server Sentriant AG deployment is mutually supporting. Should one server fail, other nodes within a cluster will automatically provide coverage for the affected network segment. Load balancing is achieved by an algorithm that spreads the endpoint testing load across all ESs in a cluster.
Multiple-user, role-based access—In enterprise deployments numerous individuals, each with varying responsibilities, typically require access to information within Sentriant AG. Role-based access enables system administrators to control who has access to the data, the functions they are allowed to perform, and the information they can view and act on. Role-based access ensures the integrity of the enterprise-wide Sentriant AG deployment and creates the separation of duties that conforms to security best practices.
Extensible—Sentriant AG’s easy-to-use open API allows administrators to create custom tests for meeting unique organizational requirements. The API is fully exposed and thoroughly documented. Custom tests are created using scripts and can be seamlessly added to existing policies.
Compatible with existing heterogeneous network infrastructure—No upgrades to your existing network infrastructure are required.
Variety of enforcement options—Permit, deny, or quarantine based on test results.
Self-remediation—Reduces IT administration by empowering users to bring their machines into compliance.
Subscription-based licensing—Includes all test updates and software upgrades.
The Sentriant AG Process
Sentriant AG administrators create NAC policies that define which applications and services are permitted, and specify the actions to be taken when endpoints do not comply. Sentriant AG automatically applies the NAC policies to endpoints as they log into the network, and periodically as the endpoints remain logged into the network. Based on results, endpoints are either permitted or quarantined to a specific part of the network, thus enforcing the organizational security standards. Sentriant AG tracks all testing and connection activity and produces a range of reports for auditors, managers, and IT staff.
Sentriant AG performs pre-connect testing; when an endpoint passes the NAC policy tests (or is otherwise granted access), the endpoint is allowed access to the network. If you have external Intrusion Detection System/Intrusion Prevention System (IDS/IPS) systems that monitor your network for attacks, you can configure these external systems in Sentriant AG so they can request that Sentriant AG quarantine an endpoint after it has been connected (post-connect).
About Sentriant AG
NAC Policy Definition
NAC policies consist of individual tests that evaluate the security status of endpoints attempting to access the network. Specific tests assess operating systems, verify that key hotfixes and patches have been installed, ensure antivirus and other security applications are present and up-to-date, detect the presence of worms, trojans, and viruses, and check for potentially dangerous applications such as file sharing, peer-to-peer (P2P), or spyware. See “Tests Help” on page 389 for more information.
Key features include:
Out-of-the-box NAC policies—High, medium, and low security are ready to use with no additional configuration required.
Standard and custom tests—Sentriant AG comes with a broad range of tests. You can also create custom tests through the Sentriant AG application programming interface (API).
Automatic test updates—Sentriant AG is automatically updated with tests that cover newly released patches, hotfixes, software updates, worms, and trojans, and recommended security settings for common applications. New tests are automatically added to the test database as frequently as hourly, ensuring immediate protection against newly discovered threats.
Organization-specific policies—Any number of NAC policies can be created and tailored to your organizational needs. Create policies for like endpoints (for example, all Windows 2000 workstations), for an IP range or specific IPs, or by geographic location.
Endpoint Testing
Sentriant AG automatically tests all endpoints attempting to access your network through a LAN, RAS, VPN, or WiFi connection. Tests are fast and you are kept informed of test progress and results. After the initial compliance tests, Sentriant AG periodically tests endpoints that have been granted access to ensure that real-time system changes do not violate the NAC policy.
NOTE
Sentriant AG passes approximately 9 to 16 kilobytes of total data between a single endpoint and a single Sentriant AG server for a single testing session with the High Security NAC policy (approximately 20 tests). It typically takes between 5 and 10 seconds to run all tests in a policy on a 100Mb LAN. If your endpoints are taking longer to test, there might be a configuration problem with DNS on the Sentriant AG server.
NOTE
If the end-user selects ActiveX test and then closes the browser, their endpoint is not retested until the end-user opens another browser session, reloading the ActiveX agent.
Key features include:
Multiple test method options—Agentless, ActiveX, or Sentriant AG Agent. Select the most appropriate method for your environment or endpoint.
Rapid testing and robust endpoint management—Thousands of endpoints can be tested and managed simultaneously.
Continual testing—Endpoints are retested on an administrator-defined interval as long as they remain connected to the network.
Compliance Enforcement
Based on endpoint test results, Sentriant AG takes the appropriate action. Endpoints that test compliant with the applied policy are permitted access. Non-compliant endpoints are either quarantined, or are given access for a temporary period. Implement the necessary fixes during this period.
Key features include:
Flexible enforcement options—Grant or quarantine access criteria are designated by the administrator and driven by the criticality of selected tests and corporate security standards.
Manual overrides—Administrators can retest, quarantine, or grant access to endpoints on demand.
User notifications—Users of non-compliant endpoints receive immediate notification about the location of the endpoint deficiencies, as well as step-by-step information about implementing the corrections to achieve compliance.
Administrator notifications—Administrators receive a variety of notifications and alerts based on testing and access activity.
Graduated enforcement—Allows controlled system rollout.
Automated and Manual Repair
Self-remediation—End-users are notified of where their endpoints are deficient and provided with remediation instructions.
Access grace period—Non-compliant endpoints are granted access for a temporary, administrator-defined period to facilitate remediation.
Patch Management—Sentriant AG can integrate with patch management software, automating the process to get an endpoint updated and on the network.
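The enforcement flow described under Compliance Enforcement and Automated and Manual Repair, modeled in Python as an added example; it is not Sentriant AG code and does not use the product's API. The names CheckResult, Endpoint, decide and demo are hypothetical, and two rules are modeling assumptions: a manual override takes precedence over test results, and periodic retests do not restart a running grace period.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Simplified model; names and precedence are assumptions, not Sentriant AG's API.
@dataclass
class CheckResult:
    name: str
    passed: bool
    grace: Optional[timedelta] = None  # None: a failure quarantines at once

@dataclass
class Endpoint:
    ip: str
    first_failed: Optional[datetime] = None  # when the grace period started
    override: Optional[str] = None           # admin's "grant" or "quarantine"

def decide(ep: Endpoint, results: List[CheckResult], now: datetime) -> str:
    """Return 'permit', 'temporary' or 'quarantine' for one test run."""
    if ep.override == "grant":
        return "permit"
    if ep.override == "quarantine":
        return "quarantine"
    failed = [r for r in results if not r.passed]
    if not failed:
        ep.first_failed = None  # compliant again, so clear the grace clock
        return "permit"
    if any(r.grace is None for r in failed):
        return "quarantine"
    if ep.first_failed is None:
        ep.first_failed = now  # the clock starts once; retests do not reset it
    deadline = ep.first_failed + min(r.grace for r in failed)
    return "temporary" if now < deadline else "quarantine"

def demo() -> List[str]:
    """Constructed sample: one endpoint retested daily, 2-day grace period."""
    t0, day = datetime(2009, 1, 5, 9, 0), timedelta(days=1)
    ep = Endpoint("192.0.2.10")
    stale_av = [CheckResult("antivirus signatures", False, grace=2 * day)]
    fixed_av = [CheckResult("antivirus signatures", True)]
    worm = [CheckResult("worm present", False)]
    return [
        decide(ep, stale_av, t0),
        decide(ep, stale_av, t0 + day),
        decide(ep, stale_av, t0 + 2 * day),
        decide(ep, fixed_av, t0 + 3 * day),
        decide(ep, worm, t0 + 4 * day),
    ]
```

Pinning the grace clock to the first failure matters because endpoints are retested on an interval: if every failed retest restarted the clock, temporary access would never expire.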
Targeted Reporting
Sentriant AG reports provide concise security status information on endpoint compliance and access activity. Specific reports are available for auditors, managers, and IT staff members.
For more information, see “Reports” on page 287.
Technical Support
Table 2 lists the available technical support options.
Table 2: Sentriant AG Technical Support
Option | Contact | Hours
Email Technical Assistance Center (TAC) | support@extremenetworks.com | Seven days a week, 24x7x365
Call Technical Assistance Center (TAC) | (800) 998-2408 | Seven days a week, 24x7x365
Web support | http://www.extremenetworks.com/services/resources/ |