Novell ZENworks Network Access Control Users Guide
Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time,
without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims
any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.,
reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to
notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the
trade laws of other countries. You agree to comply with all export control regulations and to obtain any required
licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on
the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws.
You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the
Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on
exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export
approvals.
Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this
document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S.
patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or
more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see
the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/
trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
This Novell software product includes open-source software components. Novell conforms to the terms and
conditions that govern the use of the open source components included in this product. Users of this product have
the right to access the open source code and view all applicable terms and conditions governing opens source
component usage. Visit http://www.novell.com/products/zenworks/networkaccesscontrol/opensource to access
open source code, applicable terms and conditions, and related information.
novdocx (en) 24 March 2009
1 Introduction
This section contains the following information:
Section 1.1, “Novell ZENworks Network Access Control Home Window,” on page 15
Section 1.2, “System Monitor,” on page 16
Section 1.3, “Novell ZENworks Network Access Control v5.0 for v4.x Users,” on page 17
Section 1.4, “Overview,” on page 20
Section 1.5, “Technical Support,” on page 25
Section 1.6, “Additional Documentation,” on page 25
Section 1.7, “Installing and Upgrading,” on page 25
Section 1.8, “Conventions Used in This Document,” on page 26
Section 1.9, “Copying Files,” on page 28
Section 1.10, “Users’ guide online help,” on page 29
1.1 Novell ZENworks Network Access Control Home Window
The Novell ZENworks Network Access Control Home window is a centralized management user
interface that allows you to quickly assess the status of your network. The following figure and list
describe and show the key features:
Figure 1-1 Novell ZENworks Network Access Control Home Window
1. Important status announcements — If there is anything that needs your immediate attention,
a status announcement is displayed at the top of the window. Click clear to remove the
announcement.
2. My account — Click this icon to open the user account editing window. See Section 3.6, “User
Accounts,” on page 57 for details on creating and editing user accounts. You must have
administrator privileges to create user accounts; however, any user can edit their own account.
3. Top 5 failed tests area — The Top 5 failed tests area indicates the tests that fail the
most. Click on an endpoint number or the Test results report option to view details.
4. Window actions — Use these buttons to refresh the window, log out of the user interface, and
access online help.
5. Navigation pane — The menu items shown in this pane vary depending on your permission
level. See Section 3.7, “User Roles,” on page 63 for more information on permissions. You
must have administrator privileges to create and edit user roles. Once you select a menu item
from the navigation pane, use the bread crumbs at the top of the windows to navigate
throughout the user interface (Figure 1-1 on page 15).
6. Endpoint test status area — The Endpoint tests area displays the total number of
endpoints that Novell ZENworks Network Access Control has attempted to test, and what the
test status is for each endpoint. Click the number of endpoints to view details.
7. Access control status area — The Access control area displays the total number of
endpoints that have attempted to connect to your network, and what the access state is as a
percentage and as a number. Click on the number of endpoints to view details.
8. Enforcement server (ES) status area — The Enforcement server status area
provides status on your ESs. Click the System monitor option to view details.
1.2 System Monitor
The System monitor window provides the following information:
Enforcement cluster name — The Enforcement clusters are listed by name in the order they
were created. Click on a cluster name to view cluster details. You must have cluster-editing
permissions to view and edit cluster details.
Server name by cluster — The servers for each cluster are listed by name in the order they
were created. Click on a server name to view server details. You must have cluster-editing
permissions to view and edit server details.
Cluster access mode — The cluster access mode is either normal or allow all. See
Section 3.2, “Enforcement Clusters and Servers,” on page 39 for instructions on making the
access mode selection.
Health status — Health status shows ok for servers with no problems, and either warning or
error for servers with problems. Click the server name to view details.
Upgrade status — Upgrade status shows the status of any upgrades in process.
% memory used — The amount of memory currently used by each server is shown as a
percentage of total memory available.
Endpoints tested/minute — The number of endpoints tested over the last 15 minutes or less.
Endpoints queued — The number of tests running or scheduled to run on that ES.
System load average — The number of processes waiting to run (top command). In Linux,
entering top at the command line returns a real-time look at processor activity.
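The "% memory used" and "System load average" figures above come from the same kernel counters that top reads. The following added example (not Novell's code) parses constructed copies of the Linux /proc/loadavg and /proc/meminfo files, computes both figures for one server, and classifies the server as ok, warning, or error in the manner of the Health status column. The warning and error thresholds in it are assumed values for illustration; the product's own thresholds are not documented on this page.

```python
"""Added example (not Novell's code): computes the two System monitor figures
described above, "% memory used" and "System load average", from the Linux
/proc files that the top command also reads, and classifies the result as
ok, warning or error in the manner of the Health status column. The sample
file contents and the thresholds are constructed for illustration; the
product's own thresholds are not documented on this page."""
from typing import Dict, Tuple

# Constructed sample contents of /proc/loadavg and /proc/meminfo.
SAMPLE_LOADAVG = "3.42 2.10 1.05 2/418 28311\n"
SAMPLE_MEMINFO = (
    "MemTotal:        4045788 kB\n"
    "MemFree:          312540 kB\n"
    "Buffers:          180212 kB\n"
    "Cached:          1540120 kB\n"
    "SwapTotal:       2097148 kB\n"
)


def parse_loadavg(text: str) -> Tuple[float, float, float, int, int]:
    """Return the 1-, 5- and 15-minute load averages plus the
    runnable/total process counts from a /proc/loadavg line."""
    fields = text.split()
    one, five, fifteen = (float(f) for f in fields[:3])
    runnable, total = (int(x) for x in fields[3].split("/"))
    return one, five, fifteen, runnable, total


def parse_meminfo(text: str) -> Dict[str, int]:
    """Map each /proc/meminfo key to its value in kB."""
    info = {}
    for line in text.splitlines():
        key, sep, rest = line.partition(":")
        if sep and rest.split():
            info[key.strip()] = int(rest.split()[0])
    return info


def memory_used_percent(meminfo: Dict[str, int]) -> float:
    """Memory in use, excluding reclaimable buffers and page cache, as a
    percentage of MemTotal (rounded to one decimal)."""
    total = meminfo["MemTotal"]
    used = total - meminfo["MemFree"] - meminfo.get("Buffers", 0) - meminfo.get("Cached", 0)
    return round(100.0 * used / total, 1)


def health(load1: float, cpu_count: int, mem_pct: float,
           warn=(1.0, 80.0), error=(2.0, 95.0)) -> str:
    """ok / warning / error from the per-CPU 1-minute load and memory use.
    Thresholds are constructed examples, not the product's values."""
    per_cpu = load1 / cpu_count
    if per_cpu >= error[0] or mem_pct >= error[1]:
        return "error"
    if per_cpu >= warn[0] or mem_pct >= warn[1]:
        return "warning"
    return "ok"


def monitor_row(loadavg_text: str, meminfo_text: str, cpu_count: int) -> Dict[str, object]:
    """Build one System-monitor-style row for a server."""
    load1, load5, load15, runnable, total = parse_loadavg(loadavg_text)
    mem_pct = memory_used_percent(parse_meminfo(meminfo_text))
    return {
        "load_average": (load1, load5, load15),
        "runnable_processes": runnable,
        "memory_used_percent": mem_pct,
        "health": health(load1, cpu_count, mem_pct),
    }


def monitor_live(cpu_count: int) -> Dict[str, object]:
    """Read the real files on a Linux host (only works where /proc exists)."""
    with open("/proc/loadavg") as f, open("/proc/meminfo") as g:
        return monitor_row(f.read(), g.read(), cpu_count)


if __name__ == "__main__":
    print(monitor_row(SAMPLE_LOADAVG, SAMPLE_MEMINFO, cpu_count=2))
```

Load average is compared per CPU rather than as a raw number, because a load of 3.4 is a warning sign on a two-processor ES but unremarkable on a four-processor one; memory use excludes buffers and page cache, which the kernel reclaims on demand and which would otherwise make a healthy server look full.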
Figure 1-2 System Monitor Window
The following figure shows the legend for the System monitor window icons:
Figure 1-3 System Monitor Window Legend
1.3 Novell ZENworks Network Access Control v5.0 for v4.x Users
The user interface has been completely redesigned in this release of Novell ZENworks Network
Access Control. The following table provides a quick-reference for users familiar with Novell
ZENworks Network Access Control v4.x. The first column shows the v4.x task with the
corresponding v5.0 user interface location in the second column.
Table 1-1 Novell ZENworks Network Access Control v5.0 for v4.x Users
(Columns: Novell ZENworks Network Access Control 4.x; Novell ZENworks Network Access Control 5.0; Notes)

System configuration button
5.0: System configuration menu option
Notes: The System configuration button was previously towards the top right of the main window. The System configuration menu option is now at the bottom left of the home window.

General tab
5.0: License key — System configuration>>License
     Name of network — System configuration>>Enforcement clusters & servers
     Default NAC policy — NAC policy
     Administrator login — System configuration>>User accounts
Notes: The General tab tasks are now on two different windows: System configuration and NAC policies. The Network name no longer applies; use cluster and server names instead.

System tab
5.0: Interface and DNS configuration — System configuration>>Select a server>>Configuration
     Date & time settings — System configuration>>Management server
Notes: System tab tasks are on the System configuration window.

Quarantine tab
5.0: Accessible services and endpoints — System configuration>>Accessible services OR System configuration>>Enforcement clusters & servers>>Select add an Enforcement cluster or Select an existing cluster>>Accessible services
     Quarantine method — System configuration>>Quarantining>>Select a cluster to override the default setting
     Quarantine area — System configuration>>Quarantining>>DHCP quarantine method>>Add a quarantine area
     Routing on the endpoint — System configuration>>Quarantining>>DHCP quarantine method>>Add a quarantine area
Notes: Accessible services are set as cluster defaults. These defaults can be overridden when creating or editing a cluster. The default quarantine method for all clusters is 802.1X. This default can be overridden for all clusters and per cluster. The DHCP quarantine option has two selections now: Static routes on the endpoints or Router access control lists.

… (4.x item not recoverable)
5.0: … OR System configuration>>Select an Enforcement cluster>>Notifications
Notes: Notifications are set as cluster defaults, but can be overridden when creating or editing a cluster.

Tests tab
5.0: Check for test updates — System configuration>>Test updates
     Endpoint testing exemptions — System configuration>>Exceptions
Notes: Exemptions is now called exceptions.

Thresholds tab
5.0: The thresholds and stoplight have been removed.
Notes: The home window now provides system status.

End-user access tab
5.0: End-user testing methods — System configuration>>Testing methods
     End-user testing options — System configuration>>Testing methods
     End-user testing screen customization — System configuration>>End-user screens
     Enable test failed pop-up — System configuration>>End-user screens
Notes: End-user tab tasks are on the System configuration window. They are set as cluster defaults, but can be overridden when creating or editing a cluster.

Credentials tab
5.0: System configuration>>Agentless credentials
Notes: Windows domain credentials are on the System configuration window (Agentless credentials). They are set as cluster defaults, but can be overridden when creating or editing a cluster. RDBMS and LDAP credentials have been removed.

Monitor and report zone
5.0: Home window
Notes: System status is shown on the home window and on the System monitor window.

Manage system zone>>System mode
5.0: System configuration>>Enforcement clusters & servers>>Select or add an Enforcement cluster>>General

Access policies zone
5.0: Home window>>NAC policies
Notes: Access policies are now called NAC policies.

View activity tab
5.0: Home window>>Endpoint activity
Notes: Devices are now called Endpoints.

N/A
5.0: Home window>>System monitor

Access policy editor>>Viewing last device results
5.0: Endpoint activity

Reports tab
5.0: Home window>>Reports

Proxy settings (command line)
5.0: System configuration>>Management server and via the command line for times when the license has not yet been validated.
Notes: Proxy servers can be configured for test updates and license validation only.

nac.properties file updates
5.0: Use a script to update properties files (nac-es.properties and nacms.properties).
Notes: Property file updates should no longer be made directly, but imported using the setProperty.py script.

Backing up data (command line)
5.0: System configuration>>Maintenance

Restoring data (command line)
5.0: System configuration>>Maintenance

Diagnostics link
5.0: Not currently available. May be added in a future release.

Tests tab>>View test update logs
5.0: System configuration>>Test updates>>View test update log.
1.4 Overview
Novell ZENworks Network Access Control protects the network by ensuring that endpoints are free
from threats and in compliance with the organization's IT security standards. Novell ZENworks
Network Access Control systematically tests endpoints—with or without the use of a client or
agent—for compliance with organizational security policies, quarantining non-compliant machines
before they damage the network.
Novell ZENworks Network Access Control ensures that the applications and services running on
endpoints (such as LAN, RAS, VPN, and WiFi endpoints) are up-to-date and free of worms, viruses,
trojans, P2P and other potentially damaging software. It dramatically reduces the cost and effort of
securing your network's weakest links—the endpoints your IT group might not adequately control.
There are advantages and disadvantages inherent with each of the test method technologies. Having
a choice of testing solutions enables you to maximize the advantages and minimize the
disadvantages.
TIP: Agentless testing uses an existing Windows service (RPC). ActiveX testing uses an ActiveX
control. Novell agent testing installs an agent (NAC Agent) and runs as a new Windows service.
The trade-offs in the test methods are described in the following table:
Table 1-2 Test Methods Trade-offs
(Columns: Test method; Pros; Cons)

Agentless
Pros:
  Truly agentless, no install or download.
  No extra memory load on the client machine.
  Can begin testing, view test results, and give network access without any end-user interaction for endpoints on your Windows domains.
  Easiest of the three test methods to deploy.
  Saves administration time and is therefore less expensive than agent-based solutions.
Cons:
  Requires RPC Service to be available to the Novell ZENworks Network Access Control server (ports 139 or 445).
  Requires file and print sharing to be enabled.
  Not supported by legacy Windows operating systems and non-Windows operating systems.
  If the endpoint is not on a domain, the user must specify local credentials. A user often does not know what credentials to enter.

ActiveX plug-in
Pros:
  No installation or upgrade to maintain.
  Supports all Windows operating systems.
  Only Internet Explorer application access required through personal firewall. Must open port 1500.
Cons:
  No retesting of endpoint once browser is closed.
  Not supported by non-Windows operating systems.
  Browser security settings must allow ActiveX control operation of signed and safe controls. This is the default for the Internet zone. Raise the Internet zone setting and make Novell ZENworks Network Access Control part of the trusted zone.
  Requires interaction from end-users—they must download the control before they can access network.

NAC Agent
Pros:
  Always available for retesting.
  The agent is automatically updated with product updates.
  Supports all Windows platforms.
Cons:
  Install and upgrade to maintain.
  Requires one-time interaction from end-users—they must download and install before they can access network.
enforcement options for quarantining endpoints that do not comply with your security policy
(Inline, DHCP, and 802.1X). This enables Novell ZENworks Network Access Control to
enforce compliance across complex, heterogeneous networks.
High availability and load balancing — A multi-server Novell ZENworks Network Access
Control deployment is mutually supporting. Should one server fail, other nodes within a cluster
will automatically provide coverage for the affected network segment.
Load balancing is achieved by an algorithm that spreads the endpoint testing load across all
ESs in a cluster.
Multiple-user, role-based access — In enterprise deployments numerous individuals, each
with varying responsibilities, typically require access to information within Novell ZENworks
Network Access Control. Role-based access enables system administrators to control who has
access to the data, the functions they are allowed to perform, and the information they can view
and act on. Role-based access ensures the integrity of the enterprise-wide Novell ZENworks
Network Access Control deployment and creates the separation of duties that conforms to
security best-practices.
Extensible — Novell ZENworks Network Access Control’s easy-to-use open API allows
administrators to create custom tests for meeting unique organizational requirements. The API
is fully exposed and thoroughly documented. Custom tests are created using scripts and can be
seamlessly added to existing policies.
Compatible with existing heterogeneous network infrastructure — No upgrades to your
existing network infrastructure are required.
Variety of enforcement options — Permit, deny, or quarantine based on test results.
Self-remediation — Reduces IT administration by empowering users to bring their machines
into compliance.
Subscription-based licensing — Includes all test updates and software upgrades.
1.4.1 The Novell ZENworks Network Access Control Process
Novell ZENworks Network Access Control administrators create NAC policies that define which
applications and services are permitted, and specify the actions to be taken when endpoints do not
comply. Novell ZENworks Network Access Control automatically applies the NAC policies to
endpoints as they log into the network, and periodically as the endpoints remain logged into the
network. Based on results, endpoints are either permitted or quarantined to a specific part of the
network, thus enforcing the organizational security standards. Novell ZENworks Network Access
Control tracks all testing and connection activity and produces a range of reports for auditors,
managers, and IT staff.
Novell ZENworks Network Access Control performs pre-connect testing; when an endpoint passes
the NAC policy tests (or is otherwise granted access), the endpoint is allowed access to the network.
If you have external Intrusion Detection System/Intrusion Prevention System (IDS/IPS) systems
that monitor your network for attacks, you can configure these external systems in Novell
ZENworks Network Access Control so they can request that Novell ZENworks Network Access
Control quarantine an endpoint after it has been connected (post-connect).
1.4.2 About Novell ZENworks Network Access Control
The following sections contain more information:
“NAC Policy Definition” on page 23
“Endpoint Testing” on page 23
“Compliance Enforcement” on page 24
“Automated and Manual Repair” on page 24
“Targeted Reporting” on page 24
NAC Policy Definition
NAC policies consist of individual tests that evaluate the security status of endpoints attempting to
access the network. Specific tests assess operating systems, verify that key hotfixes and patches
have been installed, ensure antivirus and other security applications are present and up-to-date,
detect the presence of worms, trojans, and viruses, and check for potentially dangerous applications
such as file sharing, peer-to-peer (P2P), or spyware. See Appendix B, “Tests Help,” on page 393 for
more information.
Key features include:
Out-of-the-box NAC policies — High, medium, and low security are ready to use with no
additional configuration required.
Standard and custom tests — Novell ZENworks Network Access Control comes with a
broad range of tests. You can also create custom tests through the Novell ZENworks Network
Access Control application programming interface (API).
Automatic test updates — Novell ZENworks Network Access Control is automatically
updated with tests that cover newly released patches, hotfixes, software updates, worms, and
trojans, and recommended security settings for common applications. New tests are
automatically added to the test database as frequently as hourly, ensuring immediate protection
against newly discovered threats.
Organization-specific policies — Any number of NAC policies can be created and tailored to
your organizational needs. Create policies for like endpoints (for example, all Windows 2000
workstations), for an IP range or specific IPs, or by geographic location.
Endpoint Testing
Novell ZENworks Network Access Control automatically tests all endpoints attempting to access
your network through a LAN, RAS, VPN, or WiFi connection. Tests are fast and you are kept
informed of test progress and results. After the initial compliance tests, Novell ZENworks Network
Access Control periodically tests endpoints that have been granted access to ensure that real-time
system changes do not violate the NAC policy.
TIP: Novell ZENworks Network Access Control passes approximately 9 to 16 kilobytes of total
data between a single endpoint and a single Novell ZENworks Network Access Control server for a
single testing session with the High Security NAC policy (approximately 20 tests). It typically takes
between 5 and 10 seconds to run all tests in a policy on a 100Mb LAN. If your endpoints are taking
longer to test, there might be a configuration problem with DNS on the Novell ZENworks Network
Access Control server.
NOTE: If the end-user selects ActiveX test and then closes the browser, their endpoint is not
retested until the end-user opens another browser session, reloading the ActiveX agent.
Key features include:
Multiple test method options — Agentless, ActiveX, or NAC Agent. Select the most
appropriate method for your environment or endpoint.
Rapid testing and robust endpoint management — Thousands of endpoints can be tested
and managed simultaneously.
Continual testing — Endpoints are retested on an administrator-defined interval as long as
they remain connected to the network.
Compliance Enforcement
Based on endpoint test results, Novell ZENworks Network Access Control takes the appropriate
action. Endpoints that test compliant with the applied policy are permitted access. Non-compliant
endpoints are either quarantined, or are given access for a temporary period. Implement the
necessary fixes during this period.
Key features include:
Flexible enforcement options — The criteria for granting or quarantining access are designated by
the administrator and driven by the criticality of selected tests and corporate security standards.
Manual overrides — Administrators can retest, quarantine, or grant access to endpoints on
demand.
User notifications — Users of non-compliant endpoints receive immediate notification about
the location of the endpoint deficiencies, as well as step-by-step information about
implementing the corrections to achieve compliance.
Administrator notifications — Administrators receive a variety of notifications and alerts
based on testing and access activity.
Graduated enforcement — Allows controlled system rollout.
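The decision this section describes (permit on a clean result, quarantine when a test the administrator marked critical fails, and a temporary access grace period for lesser failures, with retesting while the endpoint stays connected) can be written down as a small policy engine. The following is an added example, not Novell's code or the product's actual policy format: the policy, its test names, the four-hour grace period, and the thirty-minute retest interval are constructed sample values, and `evaluate`/`retest` are hypothetical names. It also shows one edge case worth being deliberate about: a test that returns no result is treated as a failure, so an endpoint that cannot be tested never slips through as compliant.

```python
"""Added example (not Novell's code): a small model of the NAC policy decision
described in this section. Each test in a policy carries an administrator-
assigned criticality; failing a critical test quarantines the endpoint,
failing only non-critical tests grants temporary access for an
administrator-defined grace period, and passing everything permits access.
The policy, test names, grace period and retest interval below are
constructed sample values, not a real Novell NAC policy."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class PolicyTest:
    name: str
    critical: bool  # failure of a critical test leads straight to quarantine


@dataclass(frozen=True)
class Policy:
    name: str
    tests: Tuple[PolicyTest, ...]
    grace_period: timedelta     # temporary access window for non-critical failures
    retest_interval: timedelta  # "continual testing" interval while connected


@dataclass(frozen=True)
class Decision:
    action: str                       # "permit", "temporary" or "quarantine"
    failed: Tuple[str, ...]           # names of the tests that failed
    access_until: Optional[datetime]  # end of the grace period, if any
    next_test: datetime               # when the endpoint is retested


# Constructed sample policy (test names are illustrative only).
SAMPLE_POLICY = Policy(
    name="High security (sample)",
    tests=(
        PolicyTest("antivirus-running", critical=True),
        PolicyTest("os-hotfixes", critical=True),
        PolicyTest("no-p2p-software", critical=True),
        PolicyTest("screen-saver-password", critical=False),
    ),
    grace_period=timedelta(hours=4),
    retest_interval=timedelta(minutes=30),
)
SAMPLE_NOW = datetime(2009, 3, 24, 9, 0)


def later(hours: float) -> datetime:
    """Helper for the worked scenario: SAMPLE_NOW plus the given hours."""
    return SAMPLE_NOW + timedelta(hours=hours)


def evaluate(policy: Policy, results: Dict[str, bool], now: datetime) -> Decision:
    """First (pre-connect) evaluation. `results` maps test name to pass/fail.
    A test with no result is treated as failed, so the decision fails closed."""
    failed = tuple(t.name for t in policy.tests if not results.get(t.name, False))
    critical_failed = any(t.critical and t.name in failed for t in policy.tests)
    next_test = now + policy.retest_interval
    if critical_failed:
        return Decision("quarantine", failed, None, next_test)
    if failed:
        return Decision("temporary", failed, now + policy.grace_period, next_test)
    return Decision("permit", failed, None, next_test)


def retest(policy: Policy, previous: Optional[Decision],
           results: Dict[str, bool], now: datetime) -> Decision:
    """Periodic re-evaluation of a connected endpoint. The grace period is
    not restarted on every retest: an endpoint still failing only
    non-critical tests once its original grace period has run out is
    quarantined rather than granted another temporary window."""
    current = evaluate(policy, results, now)
    if (current.action == "temporary" and previous is not None
            and previous.action == "temporary" and previous.access_until is not None):
        if now >= previous.access_until:
            return Decision("quarantine", current.failed, None, current.next_test)
        return Decision("temporary", current.failed, previous.access_until, current.next_test)
    return current


if __name__ == "__main__":
    results = {"antivirus-running": True, "os-hotfixes": True,
               "no-p2p-software": True, "screen-saver-password": False}
    first = evaluate(SAMPLE_POLICY, results, SAMPLE_NOW)
    print(first)                                            # temporary access until 13:00
    print(retest(SAMPLE_POLICY, first, results, later(5)))  # grace period over: quarantine
```

Carrying the original `access_until` forward through `retest` is the detail that makes the grace period an actual deadline: if each retest started a fresh window, an endpoint could stay non-compliant indefinitely while remaining on the network.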
Automated and Manual Repair
Self-remediation — End-users are notified of where their endpoints are deficient and provided
with remediation instructions.
Access grace period — Non-compliant endpoints are granted access for a temporary,
administrator-defined period to facilitate remediation.
Patch Management — Novell ZENworks Network Access Control can integrate with patch
management software, automating the process to get an endpoint updated and on the network.
Targeted Reporting
Novell ZENworks Network Access Control reports provide concise security status information on
endpoint compliance and access activity. Specific reports are available for auditors, managers, and
IT staff members.
For more information, see Chapter 14, “Reports,” on page 311.
1.5 Technical Support
Table 1-3 on page 25 lists the available technical support options.
Table 1-3 Novell ZENworks Network Access Control Technical Support
Option: Call Novell Support — Contact: (800) 858-4000 — Hours: Monday - Friday, 8:00 AM - 6:00 PM Mountain Time
Option: Web support — Contact: http://www.novell.com/support
1.6 Additional Documentation
Novell ZENworks Network Access Control documentation is available in a number of media
formats and is accessible in a variety of ways:
Quick-start card — The Quick-start card provides a high-level overview of the physical
deployment options, software installation, post-installation configuration, the Users’ Guide,
and how to get support.
Novell ZENworks Network Access Control Installation Guide — The Novell ZENworks
Network Access Control Installation Guide is designed to get Novell ZENworks Network
Access Control up and running on your network quickly. It provides instructions on installation
and on system configuration. The Installation Guide is available on the installation CD in the /docs directory.
Online help — Online help is an essential component that assists in the installation,
configuration, and ongoing management of Novell ZENworks Network Access Control. You
can access the online help by clicking the question mark displayed in the upper-right corner of
the primary interface elements. See Section 1.10, “Users’ guide online help,” on page 29 for
additional information.
1.7 Installing and Upgrading
Installation instructions are provided in the Installation Guide.
Upgrading is described in Section 3.5.10, “Checking for Novell ZENworks Network Access Control
Upgrades,” on page 56.
IMPORTANT: Installing third-party software on the Novell ZENworks Network Access Control
server is not supported. If you install additional software on the Novell ZENworks Network Access
Control server, you need to remove it in order to troubleshoot any Novell ZENworks Network
Access Control issues, and it will likely be partially or fully overwritten during Novell ZENworks
Network Access Control release upgrades or patch installs, compromising the third-party software
functionality. Additionally, installing third-party software and/or modifying the Novell ZENworks
Network Access Control software can violate your license agreement. Please refer to the Novell
EULA: “Licenses” on page 461.
1.8 Conventions Used in This Document
The conventions used in this document are described in this section:
1.8.1 Navigation Paragraph
Navigation paragraphs provide a quick visual on how to get to the screen or area discussed.
Example:
Home window>>Configure system
1.8.2 Tip Paragraph
Tips provide helpful, but not required information.
Example:
TIP: Hover the cursor over the “x dhcp servers with errors” text to get additional information in a
pop-up window.
1.8.3 Note Paragraph
Notes notify you of important information.
Example:
NOTE: If there is no activity for 30 minutes, the configuration window times out and you must log
in again.
1.8.4 Important Paragraph
Important paragraphs notify you of conditions that can cause errors or unexpected results.
Example:
IMPORTANT: Do not rename the files or they will not be seen by Novell ZENworks Network
Access Control.
1.8.5 Warning Paragraph
Warnings notify you of conditions that can lock your system or cause damage to your data.
Example:
WARNING: Do not log in using SSH—this kills your session and causes your session to hang.
1.8.6 Italic Text
Italic text is used in the following cases:
Showing emphasis —
Low — You are not protected from potentially unsafe macros. (Not recommended).
Introducing new terms —
The SMS server contains a database of logical groups with common attributes called
collections. SMS operates only on clients (endpoints) that are members of a collection.
Indicating document titles —
Novell ZENworks Network Access Control Installation Guide
Indicating a variable entry in a command —
https://<IP_address>/index.html
In this case, you must replace <IP_address> with the actual IP address, such as
10.0.16.99. Do not type the angled brackets.
1.8.7 Courier Font
Courier font is used in the following cases:
Indicating path names —
Change the working directory to the following:
C:\Program Files\<MyCompany>\
Indicating text; enter exactly as shown —
NAC Agent
Enter the following URL in the browser address field:
https://<IP_address>/index.html
In this case, you must replace <IP_address> with the actual IP address, such as
10.0.16.99. Do not type the angled brackets.
Indicating file names —
SAIASConnector.ini
1.8.8 Angled Brackets
Angled brackets enclose variable text that needs to be replaced with your specific values.
Example:
https://<IP_address>/index.html
In this case, you must replace <IP_address> with the actual IP address, such as 10.0.16.99. Do
not type the angled brackets.
MAC — Media Access Control — The unique number that identifies a physical endpoint. Generally
referred to as the MAC address.
1.9 Copying Files
Whenever you copy a file from one machine to another, copy it using a secure copy utility that uses
the Secure Shell (SSH) protocol. The exact syntax of the copy command will vary based on the
utility you use.
Example:
1 Copy the /usr/local/nac/properties/NACAVPs.txt file from the Novell
ZENworks Network Access Control server to the ACS server using PSCP (or other secure copy
utility).
1.9.1 SCP
scp is a Linux/UNIX command used to copy files between Linux/UNIX machines. It has the
following syntax:
You will be prompted to enter a password for the Linux/UNIX machine.
NOTE: You can either enter the path to the PSCP.EXE file as part of the command, or cd to the
directory where you saved the PSCP.EXE file before entering the pscp command.
1.10 Users’ guide online help
In Novell ZENworks Network Access Control, the help links in the product open an HTML version
of the Novell ZENworks Network Access Control documents. The PDF version is still available in
the /docs directory on the CD, and by clicking the Open Users’ guide or Open Installation guide PDF links in the HTML document. This section briefly describes the key
components to the HTML version. The online help contains the same content as this Users’ guide.
When you click a help link from within Novell ZENworks Network Access Control, the help topic
opens in a new window, as shown in the following figure:
Figure 1-4 Online Help
The following options are available:
Previous — Click the upward pointing icon to go to the previous page.
Next — Click the downward pointing icon to go to the next page.
Print topic — Click the printer icon to print the current topic.
Bread crumbs — Click on any of the non-gray links in the bread crumbs trail to go to that
section.
Open PDF — Click the Open PDF file link to open the PDF file.
TIP: To print the entire document, open and print the PDF file. Selecting the print icon in the HTML
version will print only the topic you are viewing.
Click anywhere in the Contents pane to navigate through the document.
To view the index:
Online help document>>Show navigation icon>>Index tab
Figure 1-5 Index Tab
1 Click on a letter link at the top of the index column to see the index entries.
2 Click on an index entry to see the location in the text.
3 Click on cross reference items in highlighted text to see more information on these items.
To search for a term:
Online help document>>Show navigation icon>>Search tab
Figure 1-6 Search tab
1 Enter a term in the search box.
2 Click Go.
3 Click on one of the results returned to display it in the right-side pane.
4 Click on the red arrow to see the contents of the collapsed section of the document.
NOTE: Red arrows that point to the right denote collapsed sections. The default is for these sections
to show as closed. Clicking on these red arrows turns them downward to open their content.
2 Clusters and Servers
Novell ZENworks Network Access Control introduces clusters and servers. A cluster is a logical
grouping of one or more Enforcement Servers (ESs) that are managed by one Management Server
(MS).
A single-server installation is one where the MS and ES are on one server. The ES is assigned to a
Default cluster. This configuration is illustrated in Figure 2-1 on page 34.
A multiple-server installation is one where the MS is on one server and there are one or more ESs on
separate servers. Each ES must be assigned to a cluster. This configuration is illustrated in Figure 2-
2 on page 35.
The responsibilities of the MS and ES are as follows:
MS
Configuration
NAC policies
Quarantining
Endpoint activity
License
Test updates
ES
Testing
Access control
The quarantine method is defined per cluster; all of the ESs in a given cluster use the same
quarantine method (Inline, DHCP, or 802.1X). When using multiple clusters, each cluster can have a
different quarantine method. Clusters cooperate to test and control access to the network, although
the ESs in each cluster are not able to communicate with any ES in any other cluster.
The following sections contain more information:
Section 2.1, “Single-server Installation,” on page 34
Section 2.2, “Multiple-server Installations,” on page 34
2.1 Single-server Installation
The simplest installation is where the MS and ES are installed on the same physical server as shown
in the following figure:
Figure 2-1 Single-server Installation
2.2 Multiple-server Installations
By using at least three servers, one for the MS and two for ESs, you gain the advantage of high
availability and load balancing.
High availability is where ESs take over for any other ES or servers that become unavailable. Load
balancing is where the testing of endpoints is spread evenly over all of the ESs. A three-server
installation is shown in the following figure:
Figure 2-2 Multiple-server Installation
When your network is more complex, you can continue to add clusters as shown in the following
figure:
The system configuration area allows you to select default settings for all clusters, as well as
override the default settings on a per-cluster basis. See Chapter 3, “System Configuration,” on
page 37 for task-based instructions.
The following recommendations should be followed when configuring your network for best
performance results:
A maximum of 300,000 endpoints per MS (4 GB RAM required)
A maximum of five ESs per cluster
A maximum of 3000 endpoints per ES
There is no inherent limitation in the number of clusters per MS
When these recommendations are followed, the following applies:
80% of the 3000 endpoints will be tested in 30 seconds or less
All endpoints are returned to the proper status within 15 minutes after a network recovery
(power failure, all endpoints attempting to reconnect, 3000 endpoints per ES)
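The limits above turn into a cluster plan as follows. This is an added example, not part of the guide or the product. Beyond the stated limits it assumes one thing: because the guide says surviving ESs take over for an ES that becomes unavailable, a cluster that is to stay within 3000 endpoints per ES during such a failure needs one spare ES of headroom. The site names and endpoint counts are constructed.

```python
import math

# Limits stated in the guide's recommendations.
MAX_ENDPOINTS_PER_ES = 3000
MAX_ES_PER_CLUSTER = 5
MAX_ENDPOINTS_PER_MS = 300_000


def es_needed(endpoints, tolerate_failures=1):
    """Number of ESs for one cluster carrying `endpoints` endpoints.

    The base count keeps every ES at or under 3000 endpoints. The extra
    `tolerate_failures` ESs are headroom (assumption made by this example):
    the guide says surviving ESs take over for an unavailable ES, so the
    survivors must still fit the per-ES limit after that many ESs drop out.
    """
    base = max(1, math.ceil(endpoints / MAX_ENDPOINTS_PER_ES))
    return base + tolerate_failures


def plan(clusters, tolerate_failures=1):
    """clusters: {cluster_name: endpoint_count}.

    Returns the ES count per cluster and a list of limit violations that
    must be resolved (another MS, or a site split into several clusters)
    before deployment. Each cluster keeps a single quarantine method, so a
    split is also the point at which methods may differ per cluster.
    """
    if tolerate_failures >= MAX_ES_PER_CLUSTER:
        raise ValueError("headroom must leave at least one working ES per cluster")
    problems = []
    total = sum(clusters.values())
    if total > MAX_ENDPOINTS_PER_MS:
        problems.append(
            f"{total} endpoints exceed the {MAX_ENDPOINTS_PER_MS} per-MS limit; "
            "a second MS is needed")
    # Endpoints one cluster can carry while keeping the failure headroom.
    usable = (MAX_ES_PER_CLUSTER - tolerate_failures) * MAX_ENDPOINTS_PER_ES
    es_per_cluster = {}
    for name, n in clusters.items():
        need = es_needed(n, tolerate_failures)
        if need > MAX_ES_PER_CLUSTER:
            splits = math.ceil(n / usable)
            problems.append(
                f"{name}: {n} endpoints need {need} ESs, over the "
                f"{MAX_ES_PER_CLUSTER}-ES cluster limit; split the site into "
                f"{splits} clusters")
        es_per_cluster[name] = need
    return {"es_per_cluster": es_per_cluster, "problems": problems}


if __name__ == "__main__":
    # Constructed site list for the example.
    sites = {"Austin": 2400, "Dallas": 15000}
    result = plan(sites)
    print(result["es_per_cluster"])
    for line in result["problems"]:
        print(line)
```

With the constructed sites, Austin needs two ESs (one plus headroom) and Dallas needs six, which breaks the five-per-cluster limit, so the report tells you to split Dallas into two clusters of at most four working ESs plus one spare each.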
NOTE: The minimum and recommended hardware requirements are listed in Section 16.8, “System
Requirements,” on page 341; however, Novell has tested and certified Novell ZENworks Network
Access Control on the following systems:
Dell Xeon 5130, 2 GB RAM, 73 GB Hard drive, 15 k SAS, 3 NICs
Dell Xeon E5335, 4 GB RAM, 146 GB Hard drive, 15 k SAS, 3 NICs
Dell Xeon E5335, 8 GB RAM, 300 GB Hard drive, 15 k SAS, 3 NICs
Dell Dual Xeon E5335, 8 GB RAM, 600 GB Hard drive, RAID 10, 3 NICs, 2 PSU
3 System Configuration
The System configuration window allows the system administrator to set the operating
parameters for Novell ZENworks Network Access Control.
The following sections contain more information:
Section 3.1, “Introduction,” on page 38
Section 3.2, “Enforcement Clusters and Servers,” on page 39
Section 3.3, “Enforcement Clusters,” on page 39
Section 3.4, “Enforcement Servers,” on page 43
Section 3.5, “Management Server,” on page 50
Section 3.6, “User Accounts,” on page 57
Section 3.7, “User Roles,” on page 63
Section 3.8, “License,” on page 67
Section 3.9, “Test Updates,” on page 68
Section 3.10, “Quarantining, General,” on page 70
Section 3.11, “Quarantining, 802.1X,” on page 72
Section 3.12, “Quarantining, DHCP,” on page 104
Section 3.13, “Quarantining, Inline,” on page 108
Section 3.14, “Post-connect,” on page 109
Section 3.15, “Maintenance,” on page 114
Section 3.16, “Downloading Support Packages,” on page 116
Section 3.17, “Cluster Setting Defaults,” on page 116
Section 3.18, “Logging,” on page 131
Section 3.19, “Advanced Settings,” on page 133
3.1 Introduction
User logins and associated user roles determine the access permissions for specific functionality
within Novell ZENworks Network Access Control. The following table shows the default home
window menu options that are available by user role:
Table 3-1 Default Menu Options
User role               Home window menu options available
System Administrator    Endpoint activity, NAC policies, System monitor, Reports, System configuration
Cluster Administrator   Endpoint activity, System monitor, Reports, Enforcement clusters & servers
Help Desk Technician    Endpoint activity, Reports
View-Only User          Endpoint activity, Reports
Only a system administrator can assign access permissions and access the System
configuration window. See Figure 1-1 on page 15 for the Novell ZENworks Network Access
Control home window of a user with system administration permissions. If you do not see the
System configuration menu option, you do not have system administrator permissions.
Novell ZENworks Network Access Control configuration includes the following:
Enforcement clusters & servers — Section 3.2, “Enforcement Clusters and Servers,” on
page 39
MS — Section 3.5, “Management Server,” on page 50
User accounts — Section 3.6, “User Accounts,” on page 57
User roles — Section 3.7, “User Roles,” on page 63
License — Section 3.8, “License,” on page 67
Test updates — Section 3.9, “Test Updates,” on page 68
Quarantining — Section 3.10, “Quarantining, General,” on page 70
Maintenance — Section 3.15, “Maintenance,” on page 114
Advanced — Section 3.19, “Advanced Settings,” on page 133
NOTE: You can override any of the cluster default settings on a per-cluster basis.
3.2 Enforcement Clusters and Servers
The Enforcement clusters & servers menu option (Figure 3-2 on page 43) is where
you configure Enforcement clusters and servers. You can perform the following tasks:
Enforcement clusters
Add, edit, or delete Enforcement clusters
Set operating parameters for specific Enforcement clusters, which differ from the default
Enforcement cluster and server settings set up on the System configuration
window
View available Enforcement clusters and associated servers
View status of Enforcement clusters and servers
Select cluster access mode (normal or allow all)
ESs
Add, edit, or delete ESs
Set ES network settings, date and time, and password
View available ESs
View status, memory usage, and disk space usage of ESs
3.3 Enforcement Clusters
The following sections contain more information:
Section 3.3.1, “Adding an Enforcement Cluster,” on page 40
Section 3.3.2, “Editing Enforcement Clusters,” on page 42
Section 3.3.3, “Viewing Enforcement Cluster Status,” on page 42
Section 3.3.4, “Deleting Enforcement Clusters,” on page 43
3.3.1 Adding an Enforcement Cluster
To add an Enforcement cluster:
Home window>>System configuration>>Enforcement clusters & servers
Figure 3-1 System Configuration, Enforcement Clusters & Servers
1 Click Add an Enforcement cluster in the Enforcement clusters &
servers area. The Add Enforcement cluster window appears. The General area is
displayed by default.
1a Enter a name for the Enforcement cluster in the Cluster name field.
1b Select a NAC policy group from the NAC policy group drop-down list (see
Chapter 6, “NAC Policies,” on page 201).
2 Click Quarantining in the Add Enforcement cluster window. Complete the steps
described in Section 3.10, “Quarantining, General,” on page 70.
TIP: You can also reach a cluster’s quarantine settings by clicking Quarantining in the
System configuration window (see Section 3.10, “Quarantining, General,” on page 70 for
more information).
3 The following cluster settings take on default values set from the System configuration
window. To set up operating parameters that differ from those default settings, select the menu
item of the settings you want to change, then select the For this cluster, override the default settings check box, and make the desired changes. Refer to the sections
listed below to set up the default values, or for more information on the specific settings.
Testing methods — See Section 3.17.1, “Testing Methods,” on page 117
Accessible services — See Section 3.17.3, “Accessible Services,” on page 119
Exceptions — See Section 3.17.4, “Exceptions,” on page 121
Notifications — See Section 3.17.5, “Notifications,” on page 123
End-user screens — See Section 3.17.6, “End-user Screens,” on page 125
Agentless credentials — See Section 3.17.7, “Agentless Credentials,” on page 127
Logging — See Section 3.18, “Logging,” on page 131
Advanced — See Section 3.19, “Advanced Settings,” on page 133
3.3.2 Editing Enforcement Clusters
To edit the Enforcement clusters settings:
Home window>>System configuration>>Enforcement clusters & servers
1 Click the cluster you want to edit. The Enforcement cluster window appears, as shown
in Figure 3-2 on page 43.
2 Click a menu option to access the cluster settings:
General
Quarantining
Testing methods
Accessible services
Exceptions
Notifications
End-user screens
Agentless credentials
Logging
Advanced
3 Enter or change information in the fields you want to modify, as described in Section 3.3.1,
“Adding an Enforcement Cluster,” on page 40.
4 Click ok.
3.3.3 Viewing Enforcement Cluster Status
There are two ways Novell ZENworks Network Access Control provides Enforcement cluster
status:
The icons next to the cluster name (see Figure 3-3 on page 44)
The Enforcement cluster window (see the following steps)
To view Enforcement cluster statistics:
Home window>>System configuration>>Enforcement clusters & servers
Click a cluster name, for example Austin. The Enforcement cluster window appears:
Figure 3-2 Enforcement Cluster, General
The statistics shown in this window are per cluster, where the statistics shown in the Home window
are system-wide. See Section 1.2, “System Monitor,” on page 16 for column descriptions.
3.3.4 Deleting Enforcement Clusters
NOTE: Enforcement clusters need to be empty before the delete option appears next to the name in
the Novell ZENworks Network Access Control user interface.
To delete Enforcement clusters:
Home window>>System configuration>>Enforcement clusters & servers
1 Click delete next to the cluster you want to remove. The Delete Enforcement
cluster confirmation window appears.
2 Click yes. The System configuration window appears (Figure 3-3 on page 44).
3.4 Enforcement Servers
The following sections contain more information:
Section 3.4.1, “Adding an ES,” on page 44
Section 3.4.2, “Cluster and Server Icons,” on page 45
Section 3.4.3, “Editing ESs,” on page 45
Section 3.4.4, “Changing the ES Network Settings,” on page 46
Section 3.4.5, “Changing the ES Date and Time,” on page 47
Section 3.4.6, “Modifying the ES SNMP Settings,” on page 47
Section 3.4.7, “Modifying the ES root Account Password,” on page 48
Section 3.4.8, “Viewing ES Status,” on page 48
Section 3.4.9, “Deleting ESs,” on page 49
Section 3.4.10, “ES Recovery,” on page 49
3.4.1 Adding an ES
To add an ES :
Home window>>System configuration>>Enforcement clusters & servers
Figure 3-3 System Configuration, Enforcement Clusters & Servers
1 Click Add an Enforcement server in the Enforcement clusters & servers
area. The Add Enforcement server window appears.
Figure 3-4 Add Enforcement Server
2 Select a cluster from the Cluster drop-down list.
3 Enter the IP address for this ES in the IP address text box.
4 Enter the fully qualified hostname to set on this server in the Host name text box.
5 Enter one or more DNS resolver IP addresses, separated by commas, semicolons, or spaces, in
the DNS IP addresses text box. For example, 10.0.16.100,10.0.1.1
6 Enter the password to set for the root user of the ES server’s operating system in the Root
password text box.
7 Re-enter the password to set for the root user of the ES server’s operating system in the Re-
enter root password text box.
8 Click ok.
3.4.2 Cluster and Server Icons
To view the cluster and server icons:
Home window>>System configuration>>Enforcement clusters & servers
1 Move the mouse over the legend icon. The legend pop-up window appears.
2 Move the mouse away from the legend icon to hide pop-up window.
Figure 3-5 Enforcement Cluster Legend
3.4.3 Editing ESs
To edit ES settings:
Home window>>System configuration>>Enforcement clusters & servers
1 Click the ES you want to edit. The Enforcement server window appears, as shown in
Figure 3-6 on page 46.
2 Click the Configuration menu option to access the Enforcement Server’s settings. The
Configuration area is displayed:
Figure 3-6 Enforcement Server
3 Edit the following settings:
ES Network settings — Section 3.4.4, “Changing the ES Network Settings,” on page 46
ES Date and time — Section 3.4.5, “Changing the ES Date and Time,” on page 47
ES SNMP settings — Section 3.4.6, “Modifying the ES SNMP Settings,” on page 47
Other settings — Section 3.4.7, “Modifying the ES root Account Password,” on page 48
4 Click ok.
3.4.4 Changing the ES Network Settings
IMPORTANT: Back up your system immediately after changing the MS or ES IP address. If you
do not back up with the new IP address, and later restore your system, it will restore the previous IP
address which can show an ES error condition and cause authentication problems. See Section 3.15,
“Maintenance,” on page 114 for instructions on backing up and restoring your system.
To change the ES network settings:
Home window>>System configuration>>Enforcement clusters & servers>>Select an
ES>>Configuration
Modify any of the following Network settings you want to change:
Enter a new ES host name in the Host name text field. For example, garp.mycompany.com
Enter a new ES address in the IP address text field. For example, 192.168.153.35
Enter a new netmask in the Network mask text field. For example, 255.255.255.0
Enter a new gateway in the Gateway IP address text field. For example
192.168.153.2
Enter one or more DNS resolver IP addresses, separated by commas, semicolons, or spaces in
the DNS IP addresses text box. For example: 10.0.16.100,10.0.1.1
NOTE: The ES host name must be a fully qualified domain name (FQDN), that is, it must include
the host, the domain name and the top-level domain, for example, waldo.mycompany.com. Choose
names that are short, easy to remember, and contain no spaces or underscores; the first and last
character cannot be a dash (-).
NOTE: You cannot change the ES IP address for a single-server installation. You can change the
MS IP address for a single-server installation.
3.4.5 Changing the ES Date and Time
To change the ES date and time:
Home window>>System configuration>>Enforcement clusters & servers>>Select an
ES>>Configuration
1 Select a Region from the Region drop-down list in the Date and time area.
2 Select a time zone from the Time zone drop-down list.
3 Click ok.
NOTE: See Section 3.5.7, “Selecting the Time Zone,” on page 55 for information on changing the
time zone settings for the MS.
WARNING: Manually changing the date/time by a large amount (other than a time zone change)
will require a restart of all servers. Rolling back the clock will have adverse effects on the system.
3.4.6 Modifying the ES SNMP Settings
To change the ES SNMP settings:
Home window>>System configuration>>Enforcement clusters & servers>>Select an
ES>>Configuration
1 Select the Enable SNMP check box.
2 Enter a Read community string, such as Public2. With community-string SNMP (v1/v2c) this
string is the only credential for reads and travels in cleartext, so choose a long, random
value rather than a default such as public, and treat it as you would a password.
3 Enter the Allowed source network. This value must be either default or a network
specified in CIDR notation; restrict it to the network your SNMP manager is on.
3.4.7 Modifying the ES root Account Password
To change the ES root account password:
Home window>>System configuration>>Enforcement clusters & servers>>Select an
ES>>Configuration
1 Enter the new password in the Root password text box in the Other settings area.
2 Re-enter the password in the Re-enter root password text box.
3 Click ok.
3.4.8 Viewing ES Status
There are two ways Novell ZENworks Network Access Control provides ES status:
The icons next to the server name (see Figure 3-5 on page 45)
The Status window (see the following steps). The Enforcement server window
allows you to view the following information:
Health status
Upgrade status
Process/thread status
System load average for the server
Current endpoints being tested/minute for the server
Percentage of memory used on the server
Disk space usage for the server
To view ES status:
Home window>>System configuration>>Enforcement clusters & servers
1 Click the server for which you want to view the status. The Enforcement server window
appears:
Figure 3-7 Enforcement Server, Status
2 Click ok or cancel.
3.4.9 Deleting ESs
NOTE: Servers need to be powered down for the delete option to appear next to the name in the
Novell ZENworks Network Access Control user interface.
To delete ESs:
Home window>>System configuration>>Enforcement clusters & servers
1 Click delete next to the server you want to remove from the cluster. The Delete
Enforcement server confirmation window appears.
2 Click yes. The System configuration window appears.
3.4.10 ES Recovery
If an existing ES goes down and comes back up, it can participate in its assigned cluster, even if the
MS is not available.
When a new ES is created, the MS must be available before the ES can participate in a cluster.
3.5 Management Server
The following sections contain more information:
Section 3.5.1, “Viewing Network Settings,” on page 51
Section 3.5.2, “Modifying MS Network Settings,” on page 52
Section 3.5.3, “Selecting a Proxy Server,” on page 53
Section 3.5.4, “Setting the Date and Time,” on page 53
Section 3.5.5, “Automatically Setting the Time,” on page 54
Section 3.5.6, “Manually Setting the Time,” on page 54
Section 3.5.7, “Selecting the Time Zone,” on page 55
Section 3.5.8, “Enabling SNMP,” on page 55
Section 3.5.9, “Modifying the MS root Account Password,” on page 55
Section 3.5.10, “Checking for Novell ZENworks Network Access Control Upgrades,” on
page 56
Section 3.5.11, “Changing the Novell ZENworks Network Access Control Upgrade Timeout,”
on page 56
3.5.1 Viewing Network Settings
To view MS status:
Home window>>System configuration>>Management server
Figure 3-8 System Configuration, Management Server
1 Server status is shown in the Network settings area.
2 Click ok or cancel.
3.5.2 Modifying MS Network Settings
IMPORTANT: Back up your system immediately after changing the MS or ES IP address. If you
do not back up with the new IP address, and later restore your system, it will restore the previous IP
address which can show an ES error condition and cause authentication problems. See Section 3.15,
“Maintenance,” on page 114 for instructions on backing up and restoring your system.
To modify MS network settings:
Home window>>System configuration>>Management server
WARNING: Changing the MS network settings will cause the network interface to restart.
1 Click edit network settings in the Network settings area.
Figure 3-9 Management Server Network Settings
2 Enter the values you want to modify:
Enter a new name in the Host name text field. For example, garp.mycompany.com
NOTE: Select names that are short, easy to remember, have no spaces or underscores, and
the first and last character cannot be a dash (-).
Enter a new address in the IP address text field. For example, 192.168.153.35
Enter a new netmask in the Network mask text field. For example, 255.255.255.0
Enter a new gateway in the Gateway IP address text field. For example
192.168.153.2
Enter one or more DNS resolver IP addresses, separated by commas, semicolons, or
spaces in the DNS IP addresses text box. For example:
10.0.16.100,10.0.1.1
3 Click ok.
3.5.3 Selecting a Proxy Server
Connecting to the Internet is necessary for updating tests, validating license keys, and sending
support packages.
To select a proxy server:
Home window>>System configuration>>Management server
1 Select Use a proxy server for Internet connections.
2 Enter the IP address or hostname of the server that will act as the proxy for Internet connections
in the Proxy server IP address text field.
3 Enter the port used for connecting to the proxy server in the Proxy server port text field.
4 If your proxy server requires authentication, select the Proxy server is
authenticated check box.
4a Authentication method — Select the scheme used to authenticate credentials on the
proxy server. The following methods are supported:
Basic (not recommended) — The original and most compatible authentication
scheme for HTTP. Also the least secure: the user ID and password are sent to the
proxy base64-encoded, not encrypted, so anyone who can observe the connection
recovers them.
Digest — Added in the HTTP 1.1 protocol, this scheme is significantly more secure
than basic authentication because the password itself never crosses the network;
the client instead sends an MD5 hash computed from the password and a "nonce" value
issued by the proxy. An observer still captures material usable for offline password
guessing, so the proxy account should carry no more privilege than Internet access
requires.
Negotiable — Using this scheme, the client and the proxy server negotiate a scheme
for authentication. Ultimately, either the basic or digest scheme will be used.
4b Enter the ID of a user account on the proxy server in the User name text box.
4c Enter the password of the user account specified in the User name text box in the
Password text box.
4d Re-enter the password.
5 Click ok.
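To see what the three choices put on the wire, the following added example (not code from the product or the guide) builds a Basic header and decodes it as an observer would, then runs both halves of a Digest exchange with the proxy storing only the per-user hash rather than the password. The realm proxy.example, the user names and the passwords are constructed; the single-use nonce handling is a simplification of RFC 2617, which permits nonce reuse with a rising nc counter.

```python
import base64
import hashlib
import re
import secrets


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


# --- Basic: the credentials themselves go on the wire, only base64-encoded ---

def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_reveal(header):
    """What anyone on the path between MS and proxy recovers from a Basic header."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# --- Digest (RFC 2617, qop=auth): a hash bound to the proxy's nonce goes on the wire ---

def parse_digest(header):
    """Parse 'Digest k="v", k2=v2' (a challenge or a credentials header) into a dict."""
    fields = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header):
        fields[key] = quoted if quoted else bare
    return fields


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    ha1 = _md5(f"{user}:{realm}:{password}")   # the only value derived from the password
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def digest_header(user, realm, password, method, uri, nonce, nc="00000001", cnonce=None):
    cnonce = cnonce or secrets.token_hex(8)
    response = digest_response(user, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


class DigestProxy:
    """Minimal proxy side: issues nonces, stores HA1 per user (never the
    password) and verifies responses. Simplification: a nonce is accepted for
    one attempt only, so a captured header cannot simply be replayed."""

    def __init__(self, realm):
        self.realm = realm
        self.ha1_by_user = {}
        self.live_nonces = set()

    def add_user(self, user, password):
        self.ha1_by_user[user] = _md5(f"{user}:{self.realm}:{password}")

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}"'

    def verify(self, header, method, uri):
        if not header.startswith("Digest "):
            return False
        f = parse_digest(header)
        if not {"username", "realm", "nonce", "uri", "nc", "cnonce", "response"}.issubset(f):
            return False
        if f["realm"] != self.realm or f["uri"] != uri:
            return False
        if f["nonce"] not in self.live_nonces:      # unknown or already used
            return False
        ha1 = self.ha1_by_user.get(f["username"])
        if ha1 is None:
            return False
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:auth:{ha2}")
        ok = secrets.compare_digest(expected, f["response"])
        self.live_nonces.discard(f["nonce"])        # one attempt per nonce
        return ok


if __name__ == "__main__":
    # Constructed credentials for the example.
    proxy = DigestProxy("proxy.example")
    proxy.add_user("nacadmin", "correct horse battery")
    print("Basic reveals:", basic_reveal(basic_header("nacadmin", "correct horse battery")))
    nonce = parse_digest(proxy.challenge())["nonce"]
    hdr = digest_header("nacadmin", "proxy.example", "correct horse battery", "GET", "/updates", nonce)
    print("Digest header contains password:", "correct horse battery" in hdr)
    print("Proxy accepts:", proxy.verify(hdr, "GET", "/updates"))
```

Two things the run makes visible: the Basic header is reversible by anyone who sees it, and the Digest header is not, but its response is an MD5 value an observer can test candidate passwords against offline, and neither scheme proves to the MS that it is talking to the real proxy. Use a dedicated proxy account with no other rights.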
3.5.4 Setting the Date and Time
The Date and time area allows you to configure the following:
Allow automatic synchronization with an NTP server
Manually set date and time for the MS
Edit date and time:
Set time zone
Set date
Set time
NOTE: Date and time settings are applied to the MS; however, you can set the time zone for each
ES.
3.5.5 Automatically Setting the Time
To automatically set the time:
Home window>>System configuration>>Management server
1 Select Automatically receive NTP updates from and enter one or more
Network Time Protocol (NTP) servers, separated by commas. NTP lets Novell ZENworks
Network Access Control synchronize its date and time with the servers you list. For example,
time.nist.gov.
2 Click ok.
TIP: Use of NTP is strongly recommended.
3.5.6 Manually Setting the Time
To manually set the time:
Home window>>System configuration>>Management server
1 Select Manually set date & time.
2 Click edit. The Date and time window appears:
Figure 3-10 Date & Time
3 Select the correct date and time.
4 Click ok.
5 Click ok.
IMPORTANT: Manually changing the date/time by a large amount (other than a time zone change)
requires a restart of all servers. Rolling back the clock will have adverse effects on the system.
3.5.7 Selecting the Time Zone
To set the time zone:
Home window>>System configuration>>Management server
1 Select the following:
1a Select a region from the Region drop-down list in the Date and time area.
1b Select a time zone from the Time zone drop-down list.
2 Click ok.
3.5.8 Enabling SNMP
To select SNMP settings:
Home window>>System configuration>>Management server>>SNMP settings
1 Select the Enable SNMP check box to select the SNMP settings.
1a Enter the SNMP read community string.
1b Enter the SNMP allowed source network. The value must be either “default” or a network
specified in CIDR notation.
2 Select the Outgoing SNMP notifications check box.
3 Enter a comma-separated list of IP addresses or hostnames that can receive the SNMP
notifications.
4 Enter the community string used to authorize SNMP notifications from Novell ZENworks
Network Access Control.
5 Select one or both of the following:
5a Select the Resend notifications check box and enter the resend interval, for
example 60.
NOTE: NAC policy tests can be configured such that if an endpoint fails the test, it will
be granted network access temporarily. In these cases, it might be desirable not to send an
SNMP notification.
5b Select the Do not send notifications when an endpoint has been
granted temporary network access check box to disable these
notifications.
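The ES fields (Section 3.4.4 network settings, Section 3.4.6 SNMP) and the matching MS fields (Sections 3.5.2 and 3.5.8) accept free text, and the guide states the rules without giving a checker. The following added example, which is not product code, validates the values before they are typed into the UI. Its own choices, beyond what the guide says, are: the dash rule is applied per DNS label, a bare address without a prefix length is rejected for Allowed source network, and community strings shorter than 16 characters or derived from public are reported as weak. The sample values are the guide's own examples.

```python
import ipaddress
import re

# One DNS label: letters, digits, dashes; no leading or trailing dash, no underscore.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
WEAK_COMMUNITIES = {"public", "private", "community", "snmp"}


def parse_dns_list(text):
    """Split the DNS IP addresses field on commas, semicolons or spaces and
    return the addresses; raises ValueError for anything that is not IPv4."""
    addrs = [a for a in re.split(r"[,;\s]+", text.strip()) if a]
    if not addrs:
        raise ValueError("at least one DNS resolver is required")
    return [str(ipaddress.IPv4Address(a)) for a in addrs]


def validate_fqdn(name):
    """Host name rules from the guide: host plus domain plus top-level domain,
    no spaces or underscores, no leading or trailing dash (checked per label,
    which is this example's stricter reading)."""
    labels = name.split(".")
    if len(labels) < 3:
        return False
    return all(_LABEL.match(label) for label in labels)


def validate_network(ip, mask, gateway):
    """Return a list of problems with an IP/netmask/gateway triple; an empty
    list means the three values are consistent with each other."""
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gateway} is not inside {net}")
    elif gw == iface.ip:
        problems.append("gateway must differ from the server address")
    return problems


def parse_snmp_source(value):
    """Allowed source network: the literal 'default' or a CIDR network.
    A bare address is rejected so a mistyped value is caught instead of
    being silently read as a single host; host bits set in the prefix are
    rejected as well (strict=True)."""
    value = value.strip()
    if value.lower() == "default":
        return "default"
    if "/" not in value:
        raise ValueError("use CIDR notation, e.g. 10.0.16.0/24, or 'default'")
    return ipaddress.IPv4Network(value, strict=True)


def community_problems(community):
    """SNMP v1/v2c community strings travel in cleartext and are the only
    read credential, so they are screened like passwords here."""
    problems = []
    low = community.lower()
    if low in WEAK_COMMUNITIES or low.startswith("public"):
        problems.append("well-known or default-derived community string")
    if len(community) < 16:
        problems.append("shorter than 16 characters")
    return problems


if __name__ == "__main__":
    # The guide's own example values, checked before entry into the UI.
    print(parse_dns_list("10.0.16.100,10.0.1.1"))
    print(validate_fqdn("garp.mycompany.com"))
    print(validate_network("192.168.153.35", "255.255.255.0", "192.168.153.2"))
    print(parse_snmp_source("default"), community_problems("Public2"))
```

Running it on the guide's sample values passes every check except the community string: Public2 is reported both as derived from the default public and as too short, which is the point of screening it before it is configured.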
3.5.9 Modifying the MS root Account Password
To change the MS root account password:
Home window>>System configuration>>Management server
1 Enter the new password in the Root password text box in the Other settings area.
2 Re-enter the password in the Re-enter root password text box.
3 Click ok.
3.5.10 Checking for Novell ZENworks Network Access Control
Upgrades
To check for system upgrades:
Home window>>System configuration>>Management server
1 Click check for upgrades in the System upgrade area. A progress window appears.
2 If your license is expired, you will get a System upgrade error window that provides
instructions on how to renew your license.
3 A status window appears indicating if upgrades are available.
3a If no upgrades are available, click ok to clear the status window.
3b Click ok to return to System configuration.
3c If an upgrade is available, click yes to upgrade your system.
IMPORTANT: Installation of an upgrade can take several hours to download all the software. You
can continue to use Novell ZENworks Network Access Control during the download process.
Novell ZENworks Network Access Control will automatically shutdown and restart after the
software downloads.
TIP: Since upgrading can take longer than the default timeout (45 minutes) setting of the Novell
ZENworks Network Access Control Update, Novell recommends that you increase the timeout
value when you have limited bandwidth by performing the steps described in Section 3.5.11,
“Changing the Novell ZENworks Network Access Control Upgrade Timeout,” on page 56.
3.5.11 Changing the Novell ZENworks Network Access Control
Upgrade Timeout
Since upgrading can take longer than the default timeout (45 minutes) setting of the Novell
ZENworks Network Access Control Update, Novell recommends that you increase the timeout
value when you have limited bandwidth by performing these steps.
To change the inactivity timeout value for upgrades:
Command window
1 Log in to the Novell ZENworks Network Access Control server as root, either using SSH or
<minutes> is the number of minutes of inactivity Novell ZENworks Network Access Control
will wait before assuming the upgrade failed. For example, 30. The default value is 45.
3.6 User Accounts
Novell ZENworks Network Access Control allows you to create multiple user accounts. User
accounts provide and limit access to Novell ZENworks Network Access Control functions based on
permissions (user roles) and clusters assigned. See Section 3.7, “User Roles,” on page 63 for more
information on setting permissions for the user roles.
The User accounts menu option allows you to do the following:
View user accounts
Search by user ID, user name, or email address
Add a user account
Edit a user account
Delete a user account
The following sections contain more information:
Section 3.6.1, “Adding a User Account,” on page 58
Section 3.6.2, “Searching for a User Account,” on page 60
Section 3.6.3, “Sorting the User Account Area,” on page 60
Section 3.6.4, “Copying a User Account,” on page 61
Section 3.6.5, “Editing a User Account,” on page 62
Section 3.6.6, “Deleting a User Account,” on page 62
3.6.1 Adding a User Account
To add a user account:
Home window>>System configuration>>User accounts
Figure 3-11 System Configuration, User Accounts
1 Click Add a user account. The Add user account window appears:
2 Enter the following information:
User ID — The user ID used to log into Novell ZENworks Network Access Control
Password — The password used to log into Novell ZENworks Network Access Control
Full name — The name associated with the user account
Email address — The email address used for notifications
3 Select an Account status:
enabled — This status allows an account to log into the user interface
disabled — This status prevents an account from logging into the user interface
4 In the User roles area, select one of the following default roles for the user account: (See
Section 3.7, “User Roles,” on page 63 for more information about user roles and permissions
associated with user roles.)
Cluster Administrator
View-Only User
System Administrator
Help Desk Technician
You can select a custom user role if you have created any.
NOTE: Users must be assigned at least one role.
5 In the Clusters area, select a cluster or clusters.
NOTE: Users must be assigned at least one Enforcement cluster.
6 Click ok.
Table 3-2 Default User Roles
User Role Name          Description
Cluster Administrator   For their clusters, users having this role can configure their assigned
View-Only User          Users having this role can view endpoint activity and generate reports
                        about their clusters.
System Administrator    Users having this role have all permissions.
Help Desk Technician    For their clusters, users having this role can view endpoint activity,
                        change endpoint access control, retest endpoints, and run reports.
User-defined role       Create your own user roles and definitions.
3.6.2 Searching for a User Account
To search for a user account:
Home window>>System configuration>>User accounts
1 Select one of the following from the Search drop-down list:
user ID
full name
email address
2 Enter the text to search for in the for field.
3 Click search.
TIP: Click reset to clear the text field and to refresh the display to show all accounts after a
search.
3.6.3 Sorting the User Account Area
To sort the user account area:
Home window>>System configuration>>User accounts
Click the column heading for user id, full name, email address, user roles, or
clusters. The user accounts reorder according to the column heading selected. Click the column
heading again to change from ascending to descending.
60Novell ZENworks Network Access Control Users Guide
3.6.4 Copying a User Account
To copy a user account:
Home window>>System configuration>>User accounts
1 Click copy next to the user account you want to duplicate. The Copy user account
window appears. The account information is duplicated from the original account.
Figure 3-12 Copy User Account
2 Enter the User ID of the new account.
3 Enter the Password.
4 Re-enter the password.
5 Select the Account status (enable or disable).
6 Select the User role for the account.
7 Select the Clusters that the user account can access.
8 Click ok.
3.6.5 Editing a User Account
To edit a user account:
Home window>>System configuration>>User accounts
1 Click the name of the user account that you want to edit. The User account window
appears:
Figure 3-13 User Account
2 Change or enter information in the fields you want to change. See Section 3.6.1, “Adding a
User Account,” on page 58 for information on user account settings.
3 Click ok.
3.6.6 Deleting a User Account
You must always have at least one account with System Administrator permissions.
IMPORTANT: Do not delete or edit the account with which you are currently accessing the
interface. Doing so can produce an error and lock you out of the interface until your session has
timed out.
To delete a user account:
Home window>>System configuration>>User accounts
1 Click delete next to the user account you want to remove. The Delete user account
confirmation window appears.
2 Click yes.
3.7 User Roles
The User roles menu option allows you to configure the following:
View current user roles and details associated with those roles
Add a new user role
Name the new user role
Provide a detail description for the new user role
Assign permissions to the new user role
Edit a user role
Edit the name of the user role
Edit the detail description of the user role
Edit the assigned permissions for the user role
Delete a user role
3.7.1 Adding a User Role
To add a user role:
Home window>>System configuration>>User roles
Figure 3-14 System Configuration, User Roles
1 Click add a user role in the User roles area. The Add user role window
appears.
2 Enter a descriptive name in the Role name field.
3 Enter a description of the role in the Description field.
4 Select the permissions for the user role. For more information about permissions, see the
following table:
Table 3-3 User Role Permissions
Permission — Description
Configure clusters — Allows you to add clusters, configure the settings of all your assigned clusters, and delete any of your clusters.
Configure servers — Allows you to configure all servers within your clusters
Configure the system — Allows you to configure all system-level settings
View system alerts — Allows you to view system alerts on your home screen
Generate reports — Allows you to generate reports about any of your assigned clusters
Manage NAC policies — Allows you to manage the NAC policies for all of your clusters
View endpoint activity — Allows you to view details about all endpoints in your clusters
Monitor system status — Allows you to monitor the system status
Control Access — Allows you to quarantine or grant network access to endpoints in your clusters
Retest endpoints — Allows you to have endpoints in your clusters retested
3.7.2 Editing User Roles
NOTE: You cannot edit the System Administrator user role.
To edit user roles:
Home window>>System configuration>>User roles
1 Click the role you want to edit. The user role window appears:
Figure 3-15 User Role
2 Enter the information in the fields you want to change. See Section 3.7.1, “Adding a User
Role,” on page 64 for information on user role settings.
3 Click ok.
3.7.3 Deleting User Roles
NOTE: You cannot delete the System Administrator role.
To delete user roles:
Home window>>System configuration>>User roles
1 Click delete next to the user role you want to remove. The Delete user role
confirmation window appears.
2 Click yes.
3.7.4 Sorting the User Roles Area
To sort the user roles area:
Home window>>System configuration>>User roles
1 Click the user role name or description column heading. The selected category sorts in
ascending or descending order.
2 Click ok.
3.8 License
The License menu option allows you to configure the following:
Enter and submit a new license key
View license start and end dates
View number of days remaining on license, and associated renewal date
View remaining endpoints and servers available under license
The following sections contain more information:
Section 3.8.1, “Updating Your License Key,” on page 68
3.8.1 Updating Your License Key
To update your license key:
Home window>>System configuration>>License
Figure 3-16 System Configuration, License
1 The license key should be pre-populated from the first-time login (as described in the
Installation Guide). If you need to update your license key, in the New license key field,
enter your Novell ZENworks Network Access Control license key, which Novell sends to you
by email. Copy and paste the license key directly from the text file.
TIP: The double-equal sign (==) is part of the license key. Include it with the rest of the
numbers.
2 Click Submit Now.
Novell ZENworks Network Access Control is enabled through the license key. The license key
is validated, and it appears in the Registered license key field.
3 Click ok on the license validated pop-up window.
3.9 Test Updates
The Test updates menu option allows you to configure the following:
View last successful test update date/time
Check for test updates (forces an immediate check for test updates)
Set time or times for downloading test updates
View test update logs
The following sections contain more information:
Section 3.9.1, “Manually Checking for Test Updates,” on page 69
Section 3.9.2, “Selecting Test Update Times,” on page 70
Section 3.9.3, “Viewing Test Update Logs,” on page 70
3.9.1 Manually Checking for Test Updates
To manually check for test updates:
Home window>>System configuration>>Test updates
Figure 3-17 System Configuration, Test Updates
1 In the Last successful test update area, click check for test updates.
2 Click ok.
NOTE: It is important to check for test updates during the initial configuration of Novell
ZENworks Network Access Control.
3.9.2 Selecting Test Update Times
To select test update times:
Home window>>System configuration>>Test updates
1 Using the hour check boxes, select the time periods in which you would like Novell ZENworks
Network Access Control to check for available test updates.
By default, Novell ZENworks Network Access Control checks once every hour using the
Novell Secure Rule Distribution Center. All times listed are dependent upon the clock setting
and time zone of the hardware on which Novell ZENworks Network Access Control is running.
2 Click ok.
3.9.3 Viewing Test Update Logs
To view test update logs:
Home window>>System configuration>>Test updates
1 Click the View test update log link just to the right of the Check for test
updates button. The Test update log window appears:
Figure 3-18 Test Update Log
The Test update log window legend is shown in the following figure:
Figure 3-19 Test Update Log Window Legend
3.10 Quarantining, General
The Quarantining menu option allows you to configure the following by cluster:
Select the quarantine method
Select the access mode
Basic 802.1X settings
Authentication settings
Add, edit, delete 802.1X devices
The following sections contain more information:
Section 3.10.1, “Selecting the Quarantine Method,” on page 71
Section 3.10.2, “Selecting the Access Mode,” on page 72
3.10.1 Selecting the Quarantine Method
To select the quarantine method:
Home window>>System configuration>>Quarantining
Figure 3-20 System Configuration, Quarantining
1 Select a cluster.
2 In the Quarantine method area, select one of the following quarantine methods:
802.1X — When using the 802.1X quarantine method, Novell ZENworks Network
Access Control must sit in a place on the network where it can communicate with your
RADIUS server, which communicates with your switch or router, which performs the
quarantining.
DHCP — When configured with a DHCP quarantine area, Novell ZENworks Network
Access Control must sit inline with your DHCP server. All endpoints requesting a DHCP
IP address are issued a temporary address on a quarantine subnetwork. Once the endpoint
is allowed access, the IP address is renewed, and the main DHCP server assigns an
address to the main LAN. With a multiple subnetwork or VLAN network, one quarantine
area must be configured for each subnetwork. See Chapter 13, “Remote Device Activity
Capture,” on page 295 for information on using multiple DHCP servers.
Inline — When using the inline quarantine method, Novell ZENworks Network Access
Control must be placed on the network where all traffic to be quarantined passes through
Novell ZENworks Network Access Control. It must be inline with an endpoint like a
VPN.
3 Click ok.
3.10.2 Selecting the Access Mode
To select the access mode:
Home window>>System configuration>>Quarantining
1 Select one of the following in the Access mode area:
normal — Either allows or quarantines endpoints depending on the setup of the
enforcement server.
allow all — Endpoints are tested; however, they are always given access to the production
network.
NOTE: If you are setting up a cluster for the first time, and you have not yet added an ES, select
allow all until you have finished configuring Novell ZENworks Network Access Control.
3.11 Quarantining, 802.1X
The 802.1X quarantine (enforcement) method is enabled by default.
To select the 802.1X quarantine method:
Home window>>System configuration>>Quarantining
1 Select a cluster.
2 In the Quarantine method area, select the 802.1X radio button.
3 Click ok.
The following sections contain more information:
Section 3.11.1, “Entering Basic 802.1X Settings,” on page 73
Section 3.11.2, “Authentication Settings,” on page 74
Section 3.11.3, “Adding 802.1X Devices,” on page 79
Section 3.11.4, “Testing the Connection to a Device,” on page 80
Section 3.11.5, “Cisco IOS,” on page 82
Section 3.11.6, “Cisco CatOS,” on page 84
Section 3.11.7, “Enterasys,” on page 86
Section 3.11.8, “Extreme ExtremeWare,” on page 88
Section 3.11.9, “Extreme XOS,” on page 90
Section 3.11.10, “Foundry,” on page 92
Section 3.11.11, “HP ProCurve Switch,” on page 94
Section 3.11.12, “HP ProCurve WESM xl or HP ProCurve WESM zl,” on page 97
Section 3.11.13, “HP ProCurve 420 AP or HP ProCurve 530 AP,” on page 99
Section 3.11.14, “Nortel,” on page 101
Section 3.11.15, “Other,” on page 103
3.11.1 Entering Basic 802.1X Settings
To enter basic 802.1X settings:
Home window>>System configuration>>Quarantining>>802.1X quarantine method radio button
1 In 802.1X enforcement mode, the Enforcement servers must be able to monitor DHCP
conversations and detect endpoints by sniffing network traffic as it flows between the DHCP
server and the endpoints. Select an Endpoint detection location radio button as
follows:
Remote — In more complex deployments, it is often impossible (in the case of multiple
Enforcement servers or multiple DHCP servers) or undesirable to span switch ports. In
this case the DHCP traffic monitoring and endpoint detection can be run remotely by
installing and configuring the endpoint activity capture software on each DHCP server
involved in the 802.1X deployment. In this case, choose the remote option.
Local — In simple configurations, it is possible to span, or mirror, the switch port into
which the DHCP server is connected. The eth1 interface of the Enforcement server is then
plugged into the spanned port and endpoint traffic is monitored on the eth1 interface. In
this case, choose the local option.
2 Enter one or more non-quarantined subnets, separated by commas in the Quarantine
subnets text field. All subnets should be entered using CIDR addresses.
3 Select a RADIUS server type by selecting one of the following radio buttons:
Local — Enables a local RADIUS server on the ES which can be configured to perform
authentication itself or proxy to another server.
Remote IAS — Disables the local RADIUS server so that an IAS server configured with
the NAC IAS plug-in to point to an ES can be used instead. When possible, a local
RADIUS server that proxies to the IAS server should be the preferred configuration.
4 Click ok.
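Step 2 above requires every entry in the Quarantine subnets field to be a CIDR address. The following validator is an added example, not code from the product or from this guide; it shows the checks an administrator would want before saving that field: each entry must carry a prefix length, must be a proper network (no host bits set, so 10.1.0.5/24 is rejected), and must not overlap an entry already in the list. The sample inputs in the test are constructed.

```python
import ipaddress


def parse_subnets(text):
    """Validate the comma-separated CIDR list typed into the Quarantine subnets field.

    Returns (networks, errors): networks as normalised strings in the order given,
    errors as human-readable messages, one per rejected entry.  Entries must be
    strict CIDR (no host bits set) and must not overlap an earlier accepted entry.
    """
    networks, errors = [], []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue                                    # tolerate a trailing comma
        if "/" not in entry:
            errors.append(f"{entry}: missing prefix length, use CIDR notation")
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)   # rejects e.g. 10.1.0.5/24
        except ValueError as exc:
            errors.append(f"{entry}: {exc}")
            continue
        clash = next((n for n in networks
                      if n.version == net.version and n.overlaps(net)), None)
        if clash is not None:
            errors.append(f"{entry}: overlaps {clash}")
            continue
        networks.append(net)
    if not networks and not errors:
        errors.append("at least one subnet is required")
    return [str(n) for n in networks], errors
```

The overlap check matters because an endpoint that falls inside two listed subnets would be classified by whichever entry the enforcement logic happens to consult first; rejecting the configuration up front is cheaper than diagnosing that later.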
3.11.2 Authentication Settings
The following sections contain more information:
“Selecting the RADIUS Authentication method” on page 74
“Configuring Windows Domain Settings” on page 75
“Configuring OpenLDAP Settings” on page 77
Selecting the RADIUS Authentication method
To select the RADIUS authentication method:
Home window>>System configuration>>Quarantining>>802.1X quarantine method radio button
1 Select the Local radio button in the Basic 802.1X settings area.
2 Select an End-user authentication method:
Manual — RADIUS server authentication settings are configured manually from the
command line. See Section 11.3.2, “Enabling Novell ZENworks Network Access Control
for 802.1X,” on page 264 for configuration information.
Windows domain — Authentication requests are handled by a Windows domain through
NTLM protocol. The ES must be able to join to the domain for this to work. See
“Configuring Windows Domain Settings” on page 75 for more information.
OpenLDAP — User credentials are queried from an OpenLDAP directory service. See
“Configuring OpenLDAP Settings” on page 77 for more information.
Proxy — Authentication requests are proxied to a remote RADIUS server configured to
allow the ES as a client NAS.
3 Click ok.
Configuring Windows Domain Settings
To configure Windows domain settings:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio
button>>Local radio button
1 Select Windows domain from the End-user authentication method drop-down
list.
Figure 3-21 System Configuration, Windows Domain
2 Enter the Fully Qualified Domain Name (FQDN) of the domain to be joined in the Domain
name text field.
3 Enter the user name of an account with sufficient administrative rights to join an ES to the
domain in the Administrator user name text field.
4 Enter the password of the account entered into the Administrator user name field in
the Administrator password text field.
5 Enter the list of domain controllers, separated by commas, for this domain in the Domain
controllers text field.
6 To test the Windows domain settings:
6a Select one of the following from the Server to test from drop-down list in the
Test Windows domain settings area:
The ES in this cluster to test from, or
The MS
NOTE: If you have a single-server installation, the Server to test from drop-down
list is not available.
6b To verify a specific set of user credentials in addition to the Windows domain settings,
select the Verify credentials for an end-user check box, and specify the
following:
1. Enter the user name of the end-user in the User name text box.
2. Enter the password of the end-user in the Password text box.
3. Re-enter the password of the end-user in the Re-enter password text box.
6c Click test settings.
7 Click ok.
Configuring OpenLDAP Settings
To configure OpenLDAP settings:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio
button>>Local radio button
1 Select OpenLDAP from the End-user authentication method drop-down list.
Figure 3-22 System Configuration, OpenLDAP
2 Enter the LDAP server hostname or IP address and optional port number in the Server text
field. For example: 10.0.1.2:636
3 Enter the DN under which LDAP searches should be done in the Identity text field. For
example: cn=admin,o=My Org,c=UA
4 Enter the password that authenticates the DN entered into the Identity text field in the
Password text field.
5 Type the same password you entered into the Password field in the Re-enter password
field.
6 Enter the base DN of LDAP searches in the Base DN text field. For example: o=My
Org,c=UA
7 Enter the LDAP search filter used to locate user objects from the name supplied by the endpoint
in the Filter text field. For example: (uid=%u)
8 Enter the LDAP attribute which contains end-user passwords in the Password attribute
text field. This is initially set to userPassword to use the universal password of the
eDirectory user.
9 To use a secure Transport Layer Security (TLS) connection with the LDAP server that is
verified with a certificate authority:
9a Select the Use a secure connection (TLS) check box.
9b Enter a PEM-encoded file name that contains the CA certificate used to sign the LDAP
server's TLS certificate in the New certificate text field. Click Browse to search
for file names. The current certificate selected is shown by Current certificate.
10 To test the OpenLDAP settings:
10a Select one of the following from the Server to test from drop-down list in the
Test Windows domain settings area:
The ES in this cluster to test from, or
The MS
10b To verify a specific set of user credentials in addition to the OpenLDAP settings, select the
Verify credentials for an end-user check box, and specify the following:
1. Enter the user name of the end-user in the User name text box.
2. Enter the password of the end-user in the Password text box.
3. Re-enter the password of the end-user in the Re-enter password text box.
10c Click test settings.
11 Click ok.
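Steps 2 and 7 above take a server address such as 10.0.1.2:636 and a filter template such as (uid=%u) in which %u stands for the name the endpoint supplied. The following is an added example, not code from the product or from this guide; how the product itself expands the template is not described here. It shows what a correct expansion looks like: the user name is inserted with the RFC 4515 escaping that makes characters such as *, ( and ) match literally, so a supplied name can only ever select the one entry it spells, and it checks the template before it is saved. The function and variable names are the example's own, and the sample values in the test are constructed.

```python
# RFC 4515 section 3: characters that carry meaning inside a filter assertion value
# and therefore must be written as backslash + two hex digits to be matched literally.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape an end-user supplied string for literal use inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template, username):
    """Replace every %u in the Filter-field template with the escaped user name.

    str.replace does not rescan the inserted text, so a user name that itself
    contains '%u' is inserted once, verbatim (after escaping).
    """
    return template.replace("%u", escape_filter_value(username))


def template_problems(template):
    """Sanity checks on the Filter field before it is saved.

    Returns a list of problems (empty when the template is acceptable): the
    template must reference %u, otherwise every end-user would be looked up with
    the same fixed filter, and its parentheses must balance.
    """
    problems = []
    if "%u" not in template:
        problems.append("filter template does not reference %u")
    depth = 0
    for ch in template:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            problems.append("unbalanced ')' in filter template")
            break
    if depth > 0:
        problems.append("unbalanced '(' in filter template")
    return problems


def split_server(server):
    """Split the Server field ('host' or 'host:port') into (host, port).

    port is None when omitted; the LDAP server's default applies in that case.
    Hostnames and IPv4 literals only (an IPv6 literal would need brackets).
    """
    text = server.strip()
    if ":" not in text:
        return text, None
    host, port = text.rsplit(":", 1)
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad host:port value {server!r}")
    return host, int(port)
```

The second assertion in the test shows why the escaping step is the security-relevant one: without it, a supplied name of `*)(uid=*` would turn `(uid=%u)` into a filter that matches every user object rather than one.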
3.11.3 Adding 802.1X Devices
To add an 802.1X device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio
button>>Add an 802.1X device
Figure 3-23 Add 802.1X Device
1 Enter the IP address of the 802.1X device in the IP address text field.
2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt
and sign packets between the device and RADIUS server.
NOTE: See your system administrator to obtain the shared secret for your switch.
3 Re-enter the shared secret in the Re-enter shared secret text field.
4 Enter an alias for this device that appears in log files in the Short name text field.
5 Select an 802.1X device from the Device type drop-down list.
6 Enter the configuration settings for the specific device:
Cisco IOS — See Section 3.11.5, “Cisco IOS,” on page 82.
Cisco CatOS — See Section 3.11.6, “Cisco CatOS,” on page 84.
Enterasys — See Section 3.11.7, “Enterasys,” on page 86.
Extreme ExtremeWare — See Section 3.11.8, “Extreme ExtremeWare,” on page 88.
Extreme XOS — See Section 3.11.9, “Extreme XOS,” on page 90.
Foundry — See Section 3.11.10, “Foundry,” on page 92.
HP ProCurve switch — See Section 3.11.11, “HP ProCurve Switch,” on page 94.
HP ProCurve WESM — See Section 3.11.12, “HP ProCurve WESM xl or HP ProCurve
WESM zl,” on page 97.
HP ProCurve 420/530 AP — See Section 3.11.13, “HP ProCurve 420 AP or HP
ProCurve 530 AP,” on page 99.
Nortel — See Section 3.11.14, “Nortel,” on page 101.
Other — See Section 3.11.15, “Other,” on page 103.
7 Click ok.
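Step 2 above says the shared secret is used to encrypt and sign packets between the 802.1X device and the RADIUS server. The following is an added example, not code from the product or from this guide, and is written from RFC 2865 rather than from anything the page states about the product's RADIUS implementation. It shows the two places the secret is used: the Response Authenticator that lets the device check a reply really came from the server holding the secret and was not altered in transit (for example, the VLAN assignment in Tunnel-Private-Group-ID), and the User-Password hiding applied when the device forwards a password. All values in it are constructed.

```python
import hashlib
import hmac
import struct

# Constructed sample values; a real device and RADIUS server share the secret out of band.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))          # the 16 random bytes the device put in its request

ACCESS_ACCEPT = 2                         # RADIUS packet code, RFC 2865
REPLY_MESSAGE = 18                        # attribute type, RFC 2865
TUNNEL_PRIVATE_GROUP_ID = 81              # attribute type, RFC 2868 (VLAN name or number)


def radius_attribute(atype, value):
    """Encode one Type-Length-Value attribute; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def response_authenticator(code, ident, request_auth, attributes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Only a party holding the secret can produce this value."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code, ident, request_auth, attributes, secret):
    """Build a complete reply packet as the RADIUS server would send it."""
    auth = response_authenticator(code, ident, request_auth, attributes, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + auth + attributes


def verify_response(packet, request_auth, secret):
    """Device-side check: accept the reply only if its authenticator matches the one
    recomputed from our own request authenticator and the shared secret.  A reply
    from a party without the secret, or one whose attributes were changed in
    transit, fails here.  Comparison is constant-time."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def hide_user_password(password, secret, request_auth):
    """RFC 2865 section 5.2: the device hides User-Password by XORing each 16-byte
    chunk with MD5(secret + previous block); the first block is keyed by the
    Request Authenticator.  The result is always a non-empty multiple of 16 bytes."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_user_password(hidden, secret, request_auth):
    """Server-side inverse of hide_user_password; requires the same secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def demo():
    """Round trip: the server signs an Access-Accept carrying a VLAN, the device verifies it."""
    attrs = (radius_attribute(REPLY_MESSAGE, b"ok")
             + radius_attribute(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"quarantine"))  # tag byte 0 = untagged
    packet = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, attrs, SECRET)
    return verify_response(packet, REQUEST_AUTH, SECRET)
```

The checks in verify_response are the reason the secret, and the re-entry of it in step 3, matter: a device configured with the wrong secret rejects every reply, which is what a failing "test connection" in Section 3.11.4 typically surfaces. The 802.1X (EAP) exchanges this guide configures additionally carry the Message-Authenticator attribute of RFC 3579, an HMAC-MD5 over the whole packet keyed with the same secret; it is not shown here.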
3.11.4 Testing the Connection to a Device
The test connection area has different options based on the switch you select:
Cisco CATOS, Cisco IOS, Enterasys, Extreme, Foundry switches — See Figure 3-24 on
page 80.
ProCurve, Nortel, Other switches — See Figure 3-25 on page 80.
To test the connection to an 802.1X device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button
NOTE: You must have already added devices for them to appear in the 802.1X devices area. You
can also test the device as you add it.
1 In the 802.1X devices area, click edit next to the device you want to test. The 802.1X
device window appears. The Test connection to this device area is near the
bottom of the window:
Figure 3-24 Add 802.1X Device, Test Connection Area Option 1
Figure 3-25 Add 802.1X Device, Test Connection Area Option 2
2 For ProCurve, Nortel, Other switches (Figure 3-24 on page 80):
2a Select the Method to execute the re-authentication command in test:
802.1X
MAC auth
2b Enter the port of the endpoint being tested in the Port text field.
2c Enter the MAC address of the endpoint being tested in the MAC address text field.
3 For Cisco CATOS, Cisco IOS, Enterasys, Extreme, Foundry switches (Figure 3-25 on
page 80), if you want to include the re-authentication command as part of the test, select the
Re-authenticate an endpoint during test check box and:
3a Enter the port of the endpoint being tested in the Port text field.
3b Enter the MAC address of the endpoint being tested in the MAC address text field.
NOTE: You must enter the port, the MAC address, or both, depending on the reauthentication OID.
4 Click test connection to this device.
3.11.5 Cisco IOS
To add a Cisco IOS device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio
button>>Add an 802.1X device
Figure 3-26 Add Cisco IOS Device
1 Enter the IP address of the Cisco IOS device in the IP address text field.
2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt
and sign packets between the device and RADIUS server.
3 Re-enter the shared secret in the Re-enter shared secret text field.
4 Enter an alias for this device that appears in log files in the Short name text field.
5 Select Cisco IOS from the Device type drop-down list.
6 Select telnet or SSH from the Connection method drop-down list.
7 Enter the User name with which to log into the device's console.
8 Enter the Password with which to log into the device's console.
9 Re-enter the console password.
10 Enter the Cisco port mask in the text field. This specifies which characters within the
endpoint identifier returned by the Cisco device contain the bank and port information of the
endpoint. All offsets start at 0, so a mask of 2/34 indicates character 3 for the bank and
characters 4 and 5 for the port. If the Cisco device were to return 50210 for an endpoint, a port
mask of 2/34 would indicate that the endpoint is on bank 2 and port 10 (2/10), where 210 are
the third, fourth and fifth bytes in the identifier.
11 Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet /
SSH console can remain idle or unused before it is reset.
12 Select the Show scripts plus symbol to show the following scripts:
Initialization script — The expect script used to log into the console and enter enable
mode.
Re-authentication script — The expect script used to perform endpoint re-
authentication.
Exit script — The expect script used to exit the console.
13 Click ok.
TIP: Click revert to defaults to restore the default settings.
3.11.6 Cisco CatOS
To add a Cisco CatOS device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio
button>>Add an 802.1X device
Figure 3-27 Add Cisco CatOS Device
1 Enter the IP address of the Cisco CatOS device in the IP address text field.
2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt
and sign packets between the device and RADIUS server.
3 Re-enter the shared secret in the Re-enter shared secret text field.
4 Enter an alias for this device that appears in log files in the Short name text field.
5 Select Cisco CatOS from the Device type drop-down list.
6 Select telnet or SSH from the Connection method drop-down list.
7 Enter the User name with which to log into the device's console.
8 Enter the Password with which to log into the device's console.
9 Re-enter the console password.
10 Enter the password with which to enter enable mode.
11 Re-enter the enable mode password.
12 Enter the networks (using CIDR notation) that this device is in direct control over in the
Network list text field. This is only necessary if the device does not send its IP address
with its supplicant request.
13 Enter the Cisco port mask in the text field. This specifies which characters within the
endpoint identifier returned by the Cisco device contain the bank and port information of the
endpoint. All offsets start at 0, so a mask of 2/34 indicates character 3 for the bank and
characters 4 and 5 for the port. If the Cisco device were to return 50210 for an endpoint, a port
mask of 2/34 would indicate that the endpoint is on bank 2 and port 10 (2/10), where 210 are
the third, fourth and fifth bytes in the identifier.
14 Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet /
SSH console can remain idle or unused before it is reset.
15 Select the Show scripts plus symbol to show the following scripts:
Initialization script — The expect script used to log into the console and enter enable
mode.
Re-authentication script — The expect script used to perform endpoint re-
authentication.
Exit script — The expect script used to exit the console.
16 Click ok.
TIP: Click revert to defaults to restore the default settings.
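The Cisco port mask described in step 10 of the Cisco IOS procedure (Section 3.11.5) and step 13 of the Cisco CatOS procedure above is a small extraction rule: each side of the slash lists zero-based character offsets into the identifier the device returns. The following is an added example, not code from the product or from this guide; it implements that rule as the guide states it, so that a mask can be checked against a sample identifier before it is saved, and it reports the two mistakes that otherwise surface only as wrong port numbers in the logs: an identifier shorter than the mask needs, and a mask that selects non-numeric characters. The function names are the example's own.

```python
def parse_port_mask(mask):
    """Parse a Cisco port mask of the form '<bank offsets>/<port offsets>', e.g. '2/34'.

    Each side is a string of single-digit, zero-based character offsets into the
    endpoint identifier returned by the device: '2/34' means offset 2 is the bank
    and offsets 3 and 4 (in that order) are the port.
    """
    if mask.count("/") != 1:
        raise ValueError(f"port mask {mask!r} must contain exactly one '/'")
    bank_part, port_part = mask.split("/")
    if not (bank_part.isdigit() and port_part.isdigit()):
        raise ValueError(f"port mask {mask!r} must have digits on both sides of '/'")
    return [int(c) for c in bank_part], [int(c) for c in port_part]


def apply_port_mask(identifier, mask):
    """Return (bank, port) extracted from the identifier using the mask.

    With identifier '50210' and mask '2/34': offset 2 -> '2' (bank), offsets 3 and
    4 -> '10' (port), giving (2, 10), which the switch would show as port 2/10.
    """
    bank_offsets, port_offsets = parse_port_mask(mask)
    highest = max(bank_offsets + port_offsets)
    if len(identifier) <= highest:
        raise ValueError(f"identifier {identifier!r} is shorter than the mask requires "
                         f"(needs at least {highest + 1} characters)")
    bank = "".join(identifier[i] for i in bank_offsets)
    port = "".join(identifier[i] for i in port_offsets)
    if not (bank.isdigit() and port.isdigit()):
        raise ValueError(f"mask {mask!r} selects non-numeric characters from {identifier!r}")
    return int(bank), int(port)


def format_port(identifier, mask):
    """Render the extracted location in the usual Cisco 'bank/port' form."""
    bank, port = apply_port_mask(identifier, mask)
    return f"{bank}/{port}"


def mask_problem(identifier, mask):
    """Return an error message for a mask/identifier pair, or None when it is fine."""
    try:
        apply_port_mask(identifier, mask)
    except ValueError as exc:
        return str(exc)
    return None
```

Because the offsets are single digits, a mask can only address the first ten characters of an identifier; that limit is inherent in the notation the guide describes, not something this example adds.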
CatOS User Name in Enable Mode
If you have your CatOS switch configured to run in enable mode with a user name, the expect script
supplied with Novell ZENworks Network Access Control will not run “out of the box.”
Workaround: Do not use a user name with your switch, or modify the expect script in the console to
include the user name.
To modify the expect script in the Novell ZENworks Network Access Control user
interface:
Home window>>System configuration>>Quarantining menu option
1 Click edit next to an 802.1X device. (You can also perform these steps while you are adding an
802.1X device.)
2 Click the plus sign next to Show scripts.
3 Add the correct expect script syntax to the text box for enable mode user name. See your switch
documentation for more information on the correct syntax.
4 Click ok.
3.11.7 Enterasys
To add an Enterasys device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio
button>>Add an 802.1X device
Figure 3-28 Add Enterasys Device
1 Enter the IP address of the Enterasys device in the IP address text field.
2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt
and sign packets between the device and RADIUS server.
3 Re-enter the shared secret in the Re-enter shared secret text field.
4 Enter an alias for this device that appears in log files in the Short name text field.
5 Select Enterasys from the Device type drop-down list.
6 Select telnet or SSH from the Connection method drop-down list.
7 Enter the User name with which to log into the device's console.
8 Enter the Password with which to log into the device's console.
9 Re-enter the console password.
10 Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet /
SSH console can remain idle or unused before it is reset.
11 Select the Show scripts plus symbol to show the following scripts:
Initialization script — The expect script used to log into the console and enter enable
mode.
Re-authentication script — The expect script used to perform endpoint re-
authentication.
Exit script — The expect script used to exit the console.
12 Click ok.
TIP: Click revert to defaults to restore the default settings.
3.11.8 Extreme ExtremeWare
To add an ExtremeWare device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio
button>>Add an 802.1X device
Figure 3-29 Add ExtremeWare Device
1 Enter the IP address of the ExtremeWare device in the IP address text field.
2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt
and sign packets between the device and RADIUS server.
3 Re-enter the shared secret in the Re-enter shared secret text field.
4 Enter an alias for this device that appears in log files in the Short name text field.
5 Select Extreme ExtremeWare from the Device type drop-down list.
6 Select telnet or SSH from the Connection method drop-down list.
7 Enter the User name with which to log into the device's console.
8 Enter the Password with which to log into the device's console.
9 Re-enter the console password.
10 Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet /
SSH console can remain idle or unused before it is reset.
11 Select the Show scripts plus symbol to show the following scripts:
Initialization script — The expect script used to log into the console and enter enable
mode.
Re-authentication script — The expect script used to perform endpoint re-
authentication.
Exit script — The expect script used to exit the console.
12 Click ok.
TIP: Click revert to defaults to restore the default settings.
3.11.9 Extreme XOS
To add an Extreme XOS device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio
button>>Add an 802.1X device
Figure 3-30 Add Extreme XOS Device
1 Enter the IP address of the Extreme XOS device in the IP address text field.
2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt
and sign packets between the device and RADIUS server.
3 Re-enter the shared secret in the Re-enter shared secret text field.
4 Enter an alias for this device that appears in log files in the Short name text field.
5 Select Extreme XOS from the Device type drop-down list.
6 Select telnet or SSH from the Connection method drop-down list.
7 Enter the User name with which to log into the device's console.
8 Enter the Password with which to log into the device's console.
9 Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet /
SSH console can remain idle or unused before it is reset.
10 Select the Show scripts plus symbol to show the following scripts:
Initialization script — The expect script used to log into the console and enter enable
mode.
Re-authentication script — The expect script used to perform endpoint re-
authentication.
Exit script — The expect script used to exit the console.
11 Click ok.
TIP: Click revert to defaults to restore the default settings.
3.11.10 Foundry
To add a Foundry device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 3-31 Add Foundry Device
1 Enter the IP address of the Foundry device in the IP address text field.
2 Enter a shared secret in the Shared secret text field. The shared secret must be the same one configured on the device. It is used to authenticate the RADIUS packets exchanged between the device and the RADIUS server and to hide the User-Password attribute; it does not encrypt the packets as a whole.
3 Re-enter the shared secret in the Re-enter shared secret text field.
4 Enter an alias for this device that appears in log files in the Short name text field.
5 Select Foundry from the Device type drop-down list.
6 Select telnet or SSH from the Connection method drop-down list. Prefer SSH: telnet sends the console and enable passwords in clear text.
7 Enter the User name with which to log into the device's console.
8 Enter the Password with which to log into the device's console.
9 Re-enter the console password.
10 Enter the password with which to enter enable mode.
11 Re-enter the enable mode password.
12 Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet /
SSH console can remain idle or unused before it is reset.
13 Select the Show scripts plus symbol to show the following scripts:
Initialization script — The expect script used to log into the console and enter enable mode.
Re-authentication script — The expect script used to perform endpoint re-authentication.
Exit script — The expect script used to exit the console.
14 Click ok.
TIP: Click revert to defaults to restore the default settings.
3.11.11 HP ProCurve Switch
To add an HP ProCurve switch:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 3-32 Add HP ProCurve Device
1 Enter the IP address of the HP ProCurve device in the IP address text field.
2 Enter a shared secret in the Shared secret text field. The shared secret must be the same one configured on the device. It is used to authenticate the RADIUS packets exchanged between the device and the RADIUS server and to hide the User-Password attribute; it does not encrypt the packets as a whole.
3 Re-enter the shared secret in the Re-enter shared secret text field.
4 Enter an alias for this device that appears in log files in the Short name text field.
5 Select ProCurve Switch from the Device type drop-down list.
6 Select whether to connect to this device using telnet, SSH, or SNMPv2 in the Connection method drop-down list. Prefer SSH: telnet sends the console and enable passwords in clear text, and SNMPv2c sends the write community string in clear text.
7 SSH settings:
7a Enter the User name used to log into this device's console.
7b Enter the Password used to log into this device's console.
7c To help confirm accuracy, type the same password you entered into the Password field
in the Re-enter Password field.
7d Enter the Enable mode user name that is used to enter enable mode on this device.
7e Enter the Password used to enter enable mode on this device.
7f To help confirm accuracy, type the same password you entered into the Enable password
field in the Re-enter Password field.
7g In the Reconnect idle time field, enter the amount of time, in milliseconds, before an idle open SSH session is reset. The default is 60000 (60 seconds).
8 Telnet settings:
8a Enter the User name used to log into this device's console.
8b Enter the Password used to log into this device's console.
8c To help confirm accuracy, type the same password you entered into the Password field
in the Re-enter Password field.
8d Enter the Enable mode user name that is used to enter enable mode on this device.
8e Enter the Password used to enter enable mode on this device.
8f To help confirm accuracy, type the same password you entered into the Enable password
field in the Re-enter Password field.
8g In the Reconnect idle time field, enter the amount of time, in milliseconds, before an idle open telnet session is reset. The default is 60000 (60 seconds).
9 SNMPv2 settings:
9a Enter the Community string used to authorize writes to SNMP objects. With SNMPv2c this string is the only credential protecting write access and it is sent in clear text, so use a dedicated write community rather than a default such as "private" and, where the switch supports it, restrict that community to the NAC server's address.
9b Enter the OID used to re-authenticate an endpoint in the Re-authenticate OID text
field. The strings "${Port}" and "${MAC}" will be substituted for the port and MAC
address of the endpoint to be re-authenticated.
9c Select the type of the re-authentication OID from the OID type drop-down list:
INTEGER
unsigned INTEGER
TIMETICKS
IPADDRESS
OBJID
STRING
HEX STRING
DECIMAL STRING
BITS
NULLOBJ
9d Enter the OID re-authentication value used to re-authenticate an endpoint in the OID
value text field.
9e Select the Use a different OID for MAC authentication check box to re-
authenticate using a different OID when the supplicant request is for a MAC authenticated
device.
1. Enter the Re-authenticate OID used to re-authenticate an endpoint. The
strings "${PORT}" and "${MAC_DOTTED_DECIMAL}" are substituted for the
port and MAC address of the endpoint to be re-authenticated.
2. Select the type of the re-authentication OID from the OID type drop-down list:
INTEGER
unsigned INTEGER
TIMETICKS
IPADDRESS
OBJID
STRING
HEX STRING
DECIMAL STRING
BITS
NULLOBJ
3. Enter the OID re-authentication value used to re-authenticate an endpoint in the OID
value text field.
TIP: Click revert to defaults to restore the default settings.
3.11.12 HP ProCurve WESM xl or HP ProCurve WESM zl
To add an HP ProCurve WESM xl or HP ProCurve WESM zl device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 3-33 Add HP ProCurve WESM xl/zl Device
1 Enter the IP address of the HP ProCurve WESM device in the IP address text field.
2 Enter a shared secret in the Shared secret text field. The shared secret must be the same one configured on the device. It is used to authenticate the RADIUS packets exchanged between the device and the RADIUS server and to hide the User-Password attribute; it does not encrypt the packets as a whole.
3 Re-enter the shared secret in the Re-enter shared secret text field.
4 Enter an alias for this device that appears in log files in the Short name text field.
5 Select ProCurve WESM from the Device type drop-down list.
6 Enter the Community string used to authorize writes to SNMP objects.
7 Enter the OID used to re-authenticate an endpoint in the Re-authenticate OID text field.
The strings "${Port}" and "${MAC_DOTTED_DECIMAL}" will be substituted for the port
and MAC address of the endpoint to be re-authenticated.
NOTE: Figure 3-33 on page 97 shows an example for WESM zl.
8 Select the type of the re-authentication OID from the OID type drop-down list:
INTEGER
unsigned INTEGER
TIMETICKS
IPADDRESS
OBJID
STRING
HEX STRING
DECIMAL STRING
BITS
NULLOBJ
9 Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value
text field.
10 Select the Use a different OID for MAC authentication check box to re-
authenticate using a different OID when the supplicant request is for a MAC authenticated
device.
10a Enter the Re-authenticate OID used to re-authenticate an endpoint. The strings
"${Port}" and "${MAC_DOTTED_DECIMAL}" are substituted for the port and MAC
address of the endpoint to be re-authenticated.
10b Select the type of the re-authentication OID from the OID type drop-down list:
INTEGER
unsigned INTEGER
TIMETICKS
IPADDRESS
OBJID
STRING
HEX STRING
DECIMAL STRING
BITS
NULLOBJ
10c Enter the OID re-authentication value used to re-authenticate an endpoint in the OID
value text field.
TIP: Click revert to defaults to restore the default settings.
3.11.13 HP ProCurve 420 AP or HP ProCurve 530 AP
To add an HP ProCurve 420 AP or HP ProCurve 530 AP device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 3-34 Add HP ProCurve 420/530 AP Device
1 Enter the IP address of the HP ProCurve 420 AP or HP ProCurve 530 AP device in the IP address text field.
2 Enter a shared secret in the Shared secret text field. The shared secret must be the same one configured on the device. It is used to authenticate the RADIUS packets exchanged between the device and the RADIUS server and to hide the User-Password attribute; it does not encrypt the packets as a whole.
3 Re-enter the shared secret in the Re-enter shared secret text field.
4 Enter an alias for this device that appears in log files in the Short name text field.
5 Select ProCurve 420 AP or ProCurve 530 AP from the Device type drop-down list.
6 Enter the Community string used to authorize writes to SNMP objects.
7 Enter the OID used to re-authenticate an endpoint in the Re-authenticate OID text field.
The strings "${Port}" and "${MAC_DOTTED_DECIMAL}" will be substituted for the port
and MAC address of the endpoint to be re-authenticated.
8 Select the type of the re-authentication OID from the OID type drop-down list:
INTEGER
unsigned INTEGER
TIMETICKS
IPADDRESS
OBJID
STRING
HEX STRING
DECIMAL STRING
BITS
NULLOBJ
9 Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value
text field.
10 Select the Use a different OID for MAC authentication check box to re-
authenticate using a different OID when the supplicant request is for a MAC authenticated
device.
10a Enter the Re-authenticate OID used to re-authenticate an endpoint. The strings
"${Port}" and "${MAC_DOTTED_DECIMAL}" are substituted for the port and MAC
address of the endpoint to be re-authenticated.
10b Select the type of the re-authentication OID from the OID type drop-down list:
INTEGER
unsigned INTEGER
TIMETICKS
IPADDRESS
OBJID
STRING
HEX STRING
DECIMAL STRING
BITS
NULLOBJ
10c Enter the OID re-authentication value used to re-authenticate an endpoint in the OID
value text field.
TIP: Click revert to defaults to restore the default settings.
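The SNMPv2 settings in 3.11.11, 3.11.12 and 3.11.13 all describe the same operation: an SNMP SET on the re-authentication OID, with the port and MAC placeholders filled in and the value encoded as the selected OID type. The following is an added example by the editor, not code from the guide or from the product, that renders the OID template and builds the equivalent Net-SNMP snmpset command line, rejecting bad input before anything reaches the switch. Assumptions: ${MAC_DOTTED_DECIMAL} expands to the MAC's six octets as decimal sub-identifiers (the form a MAC takes as an SNMP table index) and ${MAC} is treated the same way; the OID template, host, community string and MAC in the demo are constructed placeholders, not real MIB objects or devices; the one-letter type codes are those of the snmpset command, whose value-type list the guide's OID type drop-down mirrors.

```python
import ipaddress
import re
from string import Template

# The guide's OID type drop-down lists, in order, the value types of the
# Net-SNMP snmpset command; these are that command's one-letter type codes.
OID_TYPE_CODES = {
    "INTEGER": "i", "unsigned INTEGER": "u", "TIMETICKS": "t",
    "IPADDRESS": "a", "OBJID": "o", "STRING": "s", "HEX STRING": "x",
    "DECIMAL STRING": "d", "BITS": "b", "NULLOBJ": "n",
}

NUMERIC_OID = re.compile(r"\.?\d+(\.\d+)*")


def mac_dotted_decimal(mac: str) -> str:
    """00:1a:2b:3c:4d:5e -> 0.26.43.60.77.94: each octet as a decimal
    sub-identifier, the form a MAC takes as an SNMP table index. Assumption:
    this is what the guide's ${MAC_DOTTED_DECIMAL} expands to."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(str(int(p, 16)) for p in parts)


def render_oid(template: str, port: int, mac: str) -> str:
    """Fill in the placeholders the guide documents. Both spellings that
    appear in it (${Port}/${PORT}, ${MAC}/${MAC_DOTTED_DECIMAL}) are accepted;
    treating ${MAC} as dotted decimal is an assumption. An unknown placeholder
    raises KeyError instead of being sent to the switch as literal text."""
    if port < 1:
        raise ValueError("port index must be a positive integer")
    dotted = mac_dotted_decimal(mac)
    oid = Template(template).substitute(Port=port, PORT=port, MAC=dotted, MAC_DOTTED_DECIMAL=dotted)
    if not NUMERIC_OID.fullmatch(oid):
        raise ValueError(f"rendered OID is not numeric: {oid!r}")
    return oid


def check_value(oid_type: str, value: str) -> str:
    """Reject a value that cannot be encoded as the selected OID type before
    any SET is attempted; a type/value mismatch otherwise surfaces only as a
    failed re-authentication on the device."""
    if oid_type not in OID_TYPE_CODES:
        raise ValueError(f"unknown OID type {oid_type!r}")
    if oid_type in ("INTEGER", "unsigned INTEGER", "TIMETICKS"):
        n = int(value)                         # raises ValueError on non-integer
        if n < 0 and oid_type != "INTEGER":
            raise ValueError(f"{oid_type} cannot be negative: {value}")
    elif oid_type == "IPADDRESS":
        ipaddress.IPv4Address(value)           # raises ValueError on bad input
    elif oid_type == "OBJID":
        if not NUMERIC_OID.fullmatch(value):
            raise ValueError(f"not an OID: {value!r}")
    elif oid_type == "HEX STRING":
        bytes.fromhex(value.replace(" ", ""))  # raises ValueError on bad input
    return value


def snmpset_argv(host: str, community: str, template: str, oid_type: str,
                 value: str, port: int, mac: str) -> list:
    """argv of the equivalent command, snmpset -v2c -c <community> <host> <oid> <type> <value>,
    returned as a list so it can be handed to subprocess without shell quoting."""
    oid = render_oid(template, port, mac)
    return ["snmpset", "-v2c", "-c", community, host, oid,
            OID_TYPE_CODES[oid_type], check_value(oid_type, value)]


def redacted(argv: list) -> list:
    """Log-safe copy: SNMPv2c already sends the community string in clear
    text on the wire; do not also write it to logs or shell history."""
    out = list(argv)
    out[out.index("-c") + 1] = "<redacted>"
    return out


if __name__ == "__main__":
    # Constructed inputs; the OID template is a placeholder, not a real MIB object.
    argv = snmpset_argv("192.0.2.10", "write-community-example",
                        "1.3.6.1.4.1.9999.1.2.${Port}.${MAC_DOTTED_DECIMAL}",
                        "INTEGER", "1", 7, "00:1a:2b:3c:4d:5e")
    print(" ".join(redacted(argv)))
```

The validation in render_oid and check_value is the practitioner's check for this form: a misspelled placeholder or a value of the wrong type is caught at configuration time rather than showing up later as endpoints that never get re-authenticated.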