Configuring NAC Profiler for the Target Environment
This chapter includes the following topics:
• Accessing the NAC Profiler User Interface
• Adding Additional Networks to the Configuration
• Editing Networks Previously Configured
Overview
The first task to complete in the configuration of Cisco NAC Profiler is the installation of the license files necessary to enable the operation of the system components. Upon successful installation of the license files, the system is configured with the information it needs to define the bounds of the address space for which it will provide Endpoint Profiling and Behavior Monitoring.
Follow the instructions outlined in this chapter to install the license and describe the specifics of the target environment for Cisco NAC Profiler.
Accessing the NAC Profiler User Interface
Prior to beginning this procedure, all NAC Profiler appliance(s) in the system should have been installed and started up according to the instructions in Chapter 4, "Installation and Initial Configuration". Perform the initial installation steps before continuing with the following instructions.
To begin configuring the NAC Profiler system, open the NAC Profiler user interface. Open a web browser and, in the URL field, enter the IP address of the management interface of the appliance running the NAC Profiler Server for the system to be managed, in the following format:
https://[configured IP address]/
Prior to opening the interface, a valid user name and password for the system must be provided. The web UI password for the administrator user ('admin') is set by the appliance start-up scripts on NAC Profiler Server appliances. Providing the admin user name and the password set during start-up for web user authentication results in the display of the NAC Profiler user interface home page in the browser, shown in Figure 5-1.
Figure 5-1 NAC Profiler Web-Based UI Home Page
The NAC Profiler user interface is designed to provide multiple methods of navigation to support the varied preferences of administrators and operators. The tabs along the top of the page are organized to provide quick access to the interfaces for the primary areas of functionality of Cisco NAC Profiler: Configuration, Endpoint Console, and Utilities. Selecting one of these tabs at any time redirects the interface to the main page for that primary area of functionality. Each of the main pages has a left navigation bar and a table that provides links to the applicable sub-interfaces for that area of functionality.
The Home tab is the main page for the NAC Profiler application user interface, as well as the landing page. The left navigation bar on the Home tab provides general links to the NAC Profiler product: Getting Started, Support, and Upload Licenses.
Installing License Keys
Prior to beginning configuration of Cisco NAC Profiler, it is necessary to install the license keys to enable all features. The license keys for the NAC Profiler Server and the Collector(s) for a given system are managed through the NAC Profiler UI served by the NAC Profiler Server and accessed via a web browser as outlined immediately above.
Prior to beginning the procedure that follows, ensure the license files required to enable the NAC Profiler system are available either on the system being used to access the UI or on a network resource accessible from that machine. The license files have a .lic extension, and the license for each component of the system is tied to the physical address of the hardware for that component. Ensure that the license key is correct for the specific hardware of the system being configured.
A valid license file is required for the NAC Profiler Server, or NAC Profiler Server pair in the case of HA implementations. In addition, each NAC Profiler Collector (or collector pair) requires a license file as well.
As shown in Figure 5-1, the home page menu includes an option entitled 'Upload Licenses'. Select this option to bring up the Import FlexLM License form. See Figure 5-2.
Figure 5-2 Import FlexLM License Form
Use the Browse button to locate each of the license files required for the system being configured, and then select the Import License button to import the file and enable full functionality of the system. Remember, each component of the system (e.g., Server or Server pair and Collector or Collector pair) requires a valid license in order to run.
To verify that the Server license has been installed correctly, navigate to the Configuration tab and select Profiler Modules -> List Profiler Modules. In the Table of Modules that is displayed, if the Server is reporting the 'Running' status (see Figure 5-3), the license for the NAC Profiler Server has been successfully installed.
Figure 5-3 NAC Profiler Server Indicating Running Status
In order to verify that the Collector license(s) have been properly installed, follow the procedure outlined in Chapter 7, "Configuring Cisco NAC Collector Modules," to add the Collector(s) to the system configuration. If Collectors are added to the system configuration without valid license keys installed as outlined above, the status for the Collector in the Table of Modules will indicate 'Licensing issue'. A valid license key file must be installed in order to enable the Collector for configuration and normal operation.
Configuration Tab
The Configuration tab is used to perform a variety of NAC Profiler system configuration management tasks such as defining the bounds of the network (e.g., My Network configuration), adding and configuring the NAC Profiler Server system and the NAC Profiler Collector modules, specifying the network devices that Cisco NAC Profiler will interact with, creating and managing Endpoint Profiles, creating and managing Endpoint events, and adding and managing user accounts. Essentially all configurable parameters of Cisco NAC Profiler are accessible from this tab through the left-hand navigation pane or the links in the main pane. See Figure 5-4.
Figure 5-4 NAC Profiler Configuration Tab
My Network
The My Network configuration specifies the address space or spaces for which Cisco NAC Profiler performs its Endpoint Profiling and Behavior Monitoring functions. The NAC Profiler NetWatch module or modules deployed for use by Cisco NAC Profiler monitor all network traffic forwarded to the defined monitoring interface(s), which may extend across multiple NAC Profiler Collectors. Depending on the placement of the interface(s), this traffic may include packets not originating from the internal network. The My Network configuration ensures that NAC Profiler only performs its functions on traffic for the desired network addresses and only profiles endpoints within the specified address range.
To access the My Network configurations, please select the Configuration tab and then select the My Network option in the left side navigation menu. Figure 5-5 shows a Network Description form. Complete this form to provide the My Network configuration for Cisco NAC Profiler.
Figure 5-5 Network Description Form
In addition to the required fields of Organization Name and Internal Address Blocks, the Network Description dialog contains optional fields for entering host IP addresses of servers and gateways pertinent to Endpoint Profiling and Behavior Monitoring. These addresses can be utilized by NAC Profiler to perform Inference Based Profiling. Inference Based Profiling is an optional profiling feature in NAC Profiler that combines a specified IP address with the equivalent well-known communication port to infer that any end node communicating with it is of a particular type. For example, in the case of a print server, the communication port would be 9100, and any end nodes communicating with the server on that port would be considered printers.
The following sections provide an overview of each of the fields on the Network Description form, and instructions for entering the data to define My Network parameters for the target environment.
Organization Name
Enter a name which will indicate what this address space is representing. This value is for the user's reference only and can be any value that is useful in understanding what segment of the network this group of addresses represents.
Internal Address Blocks
Specify the IP address space in the Internal Address Blocks field. The format is X.X.X.X/CIDR; for example, 10.10.0.0/16 means any IP address whose first two octets are 10.10.
Print Servers
Optionally enter the IP address of each print server, one per line. This is used for inverse rule creation, in which devices that the print server communicates with using the specified protocols (hard coded in this case) are profiled as printers.
Voice Gateways
Optionally enter the IP address of each voice gateway, one per line. This is used for inverse rule creation, in which endpoints that the voice gateway communicates with via SIP are profiled as phones.
Save the configuration by selecting the Save Settings button. As the My Network data is saved, the system prompts the user to proceed to the NAC Profiler Modules configuration page. To proceed with module configuration, click on the link provided and proceed to the next chapter for instructions on NAC Profiler Module Configuration.
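The following Python model, added here as an illustration and not Cisco's code, shows what the Network Description fields above do once saved: the Internal Address Blocks (X.X.X.X/CIDR) bound which addresses count as endpoints at all, and the Print Servers and Voice Gateways lists drive inverse rules that profile the peers of those servers. The flow records, addresses, class and function names are constructed for the example; port 9100 comes from the guide, while using UDP/TCP 5060 to stand for "via SIP" and accepting the rule in either direction of the conversation are assumptions.

```python
"""Scope and inference model of a NAC Profiler "My Network" description.

Added illustration, not Cisco's code: it mimics how the Internal Address
Blocks bound profiling to the internal address space and how the inverse
rules for Print Servers (TCP 9100) and Voice Gateways (SIP) profile the
endpoints those servers talk to. Flow records and addresses are constructed.
"""
import ipaddress
from collections import namedtuple

# One observed conversation on the monitoring interface (constructed shape).
Flow = namedtuple("Flow", "src dst dport")

# Well-known ports paired with each server class. 9100 is from the guide;
# 5060 is an assumption standing in for "via SIP".
PRINT_SERVER_PORT = 9100
SIP_PORT = 5060


def _lines(text):
    """Split a 'one per line' form field into non-empty, stripped entries."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


class MyNetwork:
    """One Network Description form as entered in the UI (hypothetical class)."""

    def __init__(self, organization, internal_blocks, print_servers=(), voice_gateways=()):
        self.organization = organization
        # X.X.X.X/CIDR entries; a malformed entry raises ValueError, which is
        # the failure you want at configuration time rather than silently
        # profiling nothing. strict=False accepts 10.10.1.0/16 as 10.10.0.0/16.
        self.blocks = [ipaddress.ip_network(b, strict=False) for b in internal_blocks]
        self.print_servers = {ipaddress.ip_address(a) for a in print_servers}
        self.voice_gateways = {ipaddress.ip_address(a) for a in voice_gateways}

    @classmethod
    def from_form(cls, organization, blocks_text, print_servers_text="", voice_gateways_text=""):
        """Build from the raw multi-line text of the form's fields."""
        return cls(organization, _lines(blocks_text),
                   _lines(print_servers_text), _lines(voice_gateways_text))

    def is_internal(self, addr):
        """True when addr falls inside any Internal Address Block."""
        ip = ipaddress.ip_address(addr)
        return any(ip in block for block in self.blocks)

    def infer(self, flow):
        """Inverse rule: the peer of a listed server, on that server's
        well-known port, takes the server's endpoint type. Either direction
        counts (assumption). Returns (endpoint_ip, profile) or None."""
        src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
        rules = ((self.print_servers, PRINT_SERVER_PORT, "Printer"),
                 (self.voice_gateways, SIP_PORT, "Phone"))
        for servers, port, profile in rules:
            if flow.dport != port:
                continue
            if src in servers:
                return flow.dst, profile
            if dst in servers:
                return flow.src, profile
        return None


def profile_endpoints(network, flows):
    """Return {endpoint_ip: profile} for in-scope endpoints only.

    Addresses outside the Internal Address Blocks never appear in the result,
    even when they match an inference rule: that is the bound the My Network
    configuration enforces when the monitoring interface also sees external
    packets."""
    profiles = {}
    for f in flows:
        for addr in (f.src, f.dst):
            if network.is_internal(addr):
                profiles.setdefault(addr, "Unknown")
        hit = network.infer(f)
        if hit and network.is_internal(hit[0]):
            profiles[hit[0]] = hit[1]
    return profiles


# Constructed sample: one print server, one voice gateway, a workstation,
# an external SIP talker and a printer outside the configured block.
SAMPLE_NETWORK = MyNetwork.from_form(
    "Example Corp HQ",
    "10.10.0.0/16\n",
    print_servers_text="10.10.1.5\n",
    voice_gateways_text="10.10.1.6\n",
)
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.10.20.7", 9100),   # print server -> printer
    Flow("10.10.30.9", "10.10.1.6", 5060),   # phone -> voice gateway (SIP)
    Flow("10.10.40.11", "10.10.1.5", 445),   # workstation -> print server: no rule
    Flow("203.0.113.8", "10.10.1.6", 5060),  # external host talking SIP: out of scope
    Flow("10.10.1.5", "192.168.5.5", 9100),  # printer outside the block: out of scope
]


def demo():
    """Profile the constructed flows against the constructed network."""
    return profile_endpoints(SAMPLE_NETWORK, SAMPLE_FLOWS)


if __name__ == "__main__":
    for ip, profile in sorted(demo().items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        print(f"{ip:16} {profile}")
```

Run as a script, the sample yields the printer and the phone as profiled endpoints, the workstation as Unknown, and neither the external SIP talker nor the printer on 192.168.5.5 at all, which is the practical effect of leaving an address block out of My Network: traffic involving it is seen by NetWatch but never profiled.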
Adding Additional Networks to the Configuration
To add additional Networks to the system configuration, select My Network from the left navigation menu on the Configuration Tab. This will result in the Choose Network form being displayed in the main pane (see Figure 5-6). This form allows the selection from among existing networks for editing, or enables the addition of new networks to the configuration.
Figure 5-6 Network Name Form
When adding additional Networks to the Cisco NAC Profiler configuration, type a name for the new Network in the New Organization/Division Name field and select the Continue button. The Network Description form described earlier in this section will be displayed to gather the details on the new network being added to the configuration.
Editing Networks Previously Configured
To edit previously saved Networks, select My Network from the left navigation bar to display the Choose Network form illustrated above. Use the drop-down list to select the desired network for editing and select the Continue button. The previously described Network Description form is displayed with the fields populated with the last saved data. To make changes, edit the necessary fields and select the Save Settings button to save the changes to the configuration.
Saving Configuration Changes
Cisco NAC Profiler configuration is stored in the database maintained by the NAC Profiler Server. Changes are made to the system configuration through the web-based User Interface, using the forms illustrated in this chapter and the remainder of the Configuration Guide. Most of the forms include a control that allows saving or updating the data captured in the form. However, the majority of configuration changes, particularly those made to the configuration of the modules, are not committed to the running configuration until the administrator performs an update of the modules. To update the configuration of NAC Profiler modules, and ensure any configuration changes are made to the running configuration, follow the procedure below:
Select the Configuration tab, and select Apply Changes from the left-hand navigation pane or the Apply Changes link in the Configuring NAC Profiler table in the main pane. Figure 5-7 shows the Update Profiler Modules page.
Figure 5-7 Update Profiler Modules Page
Select the Update Modules button to update the configuration of all modules and to commit configuration changes to the running configuration. Upon selection of the Update Modules button, Cisco NAC Profiler performs a system restart of all components of the system.