NACCompanion User Guide

From NACCompanionWiki

Introduction:

NACCompanion is a product suite containing multiple modules that extend the functionality of the Cisco Network Admission Control (NAC) solution. NACCompanion is a software application delivered as a virtual appliance.

Cisco’s Network Admission Control is an industry leading solution that forces host authentication prior to allowing the host to gain access to network resources (optional host scanning and remediation for compliance is an additional subset of Cisco’s NAC.)

NACCompanion, through application-specific modules, extends visibility and control of your network beyond what Cisco NAC offers as a standalone product today. NACCompanion gives CxOs visibility into user utilization and scanning/remediation reporting and trending, while giving network and security administrators a supplemental tool-box for managing their Cisco NAC product set.

NACCompanion has been designed with simplicity and stability in mind with setup usually taking no longer than 10 minutes.

Refer to the “Options” section of this document for specifics on modules and their associated functionality.

Contacts:

For sales or technical assistance, please call or email one of the following:

  • Sales: Phone 866-561-3722 or Email at sales@naccompanion.com
  • 8x5x5 Technical support: Phone 866-561-3722 or Email at support@naccompanion.com
  • Web site for additional information specific to NACCompanion – http://www.naccompanion.com
  • Web site for additional information specific to Cisco NAC – http://www.cisco.com/go/cca

Options (Licensable Modules):

Product Features: Note that each module listed below is licensed for functionality.

  • NACDashboard module – A standalone, self-updating browser window that provides real-time statistics on the utilization of NAC “roles”, a breakdown of NAC users by host operating system, NAC server health and licensing utilization, the health of both “authentication servers” and NAC “out-of-band” switches, and key (triggered) NAC system events. The window is meant to be left open and watched by security, network, and help-desk administrators as a snapshot tool giving visibility into key network events. Thresholds can be set within NACCompanion to trigger SMTP notifications that assist with network awareness.
  • NACReports module – Via the NACCompanion administration console, administrators have a set of both static and user-definable report options. The report module lets report generators extract specific NAC information and format it into clear, concise executive-level reports for viewing, archiving, or printing via an integrated PDF generator. All reports are available as PDF and/or CSV output.

Examples (many other reports are available):

  • User specific – a subset of reports that allow trending specific to a given user.
  • Date (range) specific – a subset of reports that gather information over a specific date range.
  • Scan/requirement specific – a comprehensive list of requirements and their associated scan triggers.
  • Role specific – a list of each NAC role and the associated scans/requirements that must be met by users in that role in order to meet policy.
  • Executive-level summary – a single-page report outlining NAC licensing utilization per NAC manager/server, per-role compliance statistics (what percentage of users were eventually able to meet policy, what percentage were unable to gain access to the network at all), and peak user counts, all over 24-hour and 7-day periods.

  • NACUpgrade module – The upgrade module will allow NAC administrators to do a full batch upgrade of all Cisco NAC managers and servers simultaneously, to include high-availability deployments. A complete NAC manager backup will be completed prior to batch upgrade. All NAC managers and servers will be monitored for batch execution and completion with NACDashboard providing real-time capable health monitoring. NACUpgrade will greatly reduce network downtime and administration associated with upgrading your Cisco NAC solution. NACUpgrade will also allow administrators to take better advantage of upcoming releases specific to Cisco’s NAC solution by allowing them to do upgrades more frequently. NACUpgrade takes the hassle out of doing Cisco NAC code upgrades.
  • NACBackup module – Administrators can schedule one or many fully automatic Cisco NAC backups to be archived on the NACCompanion server. The archived backups can later be used as restore points for Cisco NAC. Scheduled backups automatically archive administrative changes and user information without manual intervention. Because the backups are stored on the NACCompanion server, they provide an “off-site” capable solution for Cisco NAC backups.

NACCompanion as a virtual (VMware) appliance: To take advantage of an existing VMware server farm, NACCompanion is offered as a fully self contained virtual machine solution. VMware is the only virtual machine offering to date. Please refer to the “Requirements” section of this document for hardware/network specific requirements.

Support: NACCompanion requires a technical support contract to be purchased at time of initial product purchase. This contract provides 8x5x5 phone and/or email technical support specific to the configuration or operation of NACCompanion. This contract will also entitle you to free software upgrades. An FTP user account will be assigned to you upon purchase. Additional support may be available specific to Cisco NAC and/or network configurations upon request. For contact information, please visit the “Contacts” section of this document.

Requirements:

NACCompanion:

  • Virtual Machine option – The NACCompanion VM is only available using the VMware virtual machine format. In addition, the NACCompanion VM must have a static IP address assigned at time of install.

The NACCompanion VM is configured with the following VM options. Note that these parameters should not be changed.

  • 40 GB SCSI hard-drive space (thin provisioned: not fully allocated, but can grow to 40 GB)
  • 1 CPU
  • 1 GB RAM
  • No floppy
  • No CD-ROM
  • Bridged Ethernet

In addition, NACCompanion requires “root” access (the “root” password) to the Cisco NAC Manager and each Cisco NAC Server.

Network: – Full Ethernet connectivity between the NACCompanion solution and all Cisco NAC managers, Cisco NAC servers, Authentication Servers, and out of band NAC managed switches. Full IP connectivity is mandatory if full monitoring and reporting is desired on each individual component listed. This Ethernet connectivity may extend over an L3 boundary if desired.

Cisco NAC: – A fully functional Cisco NAC solution to include a Cisco NAC manager (or HA pair) and a Cisco NAC server (or HA pair.)

Technical Specifications:

Impact

  • NACCompanion is generally considered a “non-mission critical application.” The loss of the NACCompanion server or the NACCompanion VM will not affect the normal operations of the Cisco NAC solution in any way. All operations, with the exception of NACUpgrade, are read only.

“Estimated” Ethernet and CPU/Memory utilizations of the NACCompanion application:

  • Estimated Ethernet utilization under normal operation
NACDashboard module – 758 Kbpm
NACReports – 1.2 Mb per each report generated
NACUpgrade – the size in MB for the Cisco NACUpgrade file + the size in MB to backup the Cisco NAC Manager file + 768 Kb to execute and manage the upgrade process
NACBackup – the size in MB to backup the Cisco NAC Manager file + 256 Kb to execute and manage the backup process
  • Estimated impact to Cisco NAC Manager
CPU utilization increase – 1.2 %  per in-use NACCompanion module (an active query against the Cisco NAC Manager database.)
Memory usage increase – 2 MB per in-use NACCompanion module (an active query against the Cisco NAC Manager database.)
  • Estimated impact to Cisco NAC Server – no real impact because NACCompanion does not contact the NAS’s directly with 2 exceptions
NACUpgrade – cost of doing the upgrade
NACDashboard memory/CPU utilization – cost of executing a small script every 120 seconds and viewing the collective output of the script.  The overhead for this process is virtually undetectable from a CPU/memory perspective.
  • Estimated impact to VM Server
CPU utilization increase – 2.5% per in-use NACCompanion module (a module processing a Cisco NAC or local function.)
Memory usage increase – 1 GB for base system

Installation:

The NACCompanion VM comes preinstalled with everything you need for a functional system. When you receive your system, unzip it and load it on your VMware server. All management can be done through the web interface.

  • When your NACCompanion VM is fully online you should be able to browse directly to the management console at the address http://192.168.200.200
Note: If you need to change the IP address manually within the OS of the VM:
1 - login locally on the NACCompanion VM (user: naccompanion; password: naccompanion)
2 - issue the command 'sudo nano /etc/network/interfaces'
3 - within this window, edit the IP information for your NACCompanion VM (only change the IP information for the eth0 interface)
4 - save the file by hitting CTRL-X, then y
5 - issue the command 'sudo /etc/init.d/networking restart'
  • The default web admin user ID and password are admin/admin respectively.
  • Once you successfully log in, you will automatically be taken to the Configuration page, where you must fill out some basic information about your Cisco NAC Appliance manager. Note: for proper NACCompanion functionality, ensure that the ‘root’ user password is set on all Cisco NAC appliances (both NAM and NAS.)
    • You must also add your licenses at this point or you will be unable to access any of the module pages.
    • You may also want to change the IP address at this time.
    • It is recommended to change the user ID and password of the admin web user immediately – the default is admin/admin.
    • You should also change the password of the command-line (SSH) user, which has sudo (root-level) access – the default un/psw is naccompanion/naccompanion.
      • To change this password, SSH into your NACCompanion server using the default credentials and issue the command sudo passwd naccompanion. Enter your new password when prompted, then type “exit” to leave the SSH session. After changing the naccompanion SSH password, set the new password in NACCompanion on the Configuration | Configure NACCompanion System Wide Details page; NACBackup will not work without the correct SSH user password.
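The manual IP change above edits the eth0 stanza of /etc/network/interfaces by hand, and a typo there (gateway outside the subnet, broadcast address as the host address) leaves the appliance unreachable after ‘networking restart’ with no console but the VMware one. The following is an added example, not NACCompanion code: it renders the static eth0 stanza in the ifupdown format the guide refers to, validates the values first, and swaps only the eth0 stanza inside an existing file so the lo stanza and any other interface are left untouched. The default address and /24 mask come from the FAQ; the gateway and DNS values are assumed sample values, and SAMPLE_INTERFACES is constructed.

```python
"""Build and sanity-check a static eth0 stanza for /etc/network/interfaces.

Added example, not NACCompanion code. Assumes the Debian/Ubuntu ifupdown
format the guide's steps imply (eth0, 'inet static'). The default address
and /24 mask are from the FAQ; the gateway and DNS values are assumed.
"""
import ipaddress

DEFAULT_ADDRESS = "192.168.200.200"      # from the FAQ
DEFAULT_NETMASK = "255.255.255.0"        # the /24 from the FAQ
ASSUMED_GATEWAY = "192.168.200.1"        # assumption, not from the guide


def validate_static_config(address, netmask, gateway, dns_servers):
    """Return the interface's network; raise ValueError on a mistake that
    would make the appliance unreachable after 'networking restart'."""
    iface = ipaddress.ip_interface(f"{address}/{netmask}")
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{address} is the network or broadcast address of {net}")
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gateway} is not inside {net}")
    if gw == iface.ip:
        raise ValueError("gateway must differ from the interface address")
    for server in dns_servers:
        ipaddress.ip_address(server)      # raises on a typo such as 8.8.8.8.8
    return net


def render_eth0_stanza(address, netmask, gateway, dns_servers):
    """Return the 'iface eth0 inet static' block as text (ifupdown syntax).
    Only eth0 is produced: the guide says to change nothing else."""
    validate_static_config(address, netmask, gateway, dns_servers)
    lines = [
        "auto eth0",
        "iface eth0 inet static",
        f"    address {address}",
        f"    netmask {netmask}",
        f"    gateway {gateway}",
        f"    dns-nameservers {' '.join(dns_servers)}",
    ]
    return "\n".join(lines) + "\n"


def replace_eth0_stanza(existing, new_stanza):
    """Replace the eth0 stanza in an existing interfaces file, keeping every
    other stanza (lo, other NICs) exactly as it was. If no eth0 stanza is
    present the new one is appended."""
    out, skipping, inserted = [], False, False
    for line in existing.splitlines():
        stripped = line.strip()
        if stripped.startswith(("auto eth0", "allow-hotplug eth0", "iface eth0 ")):
            if not inserted:
                out.append(new_stanza.rstrip("\n"))
                inserted = True
            skipping = True
            continue
        if skipping and line[:1] in (" ", "\t"):
            continue                      # option lines of the old eth0 stanza
        skipping = False
        out.append(line)
    if not inserted:
        out.append(new_stanza.rstrip("\n"))
    return "\n".join(out) + "\n"


# Constructed sample of the file as shipped (lo plus the default eth0).
SAMPLE_INTERFACES = """\
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.200.200
    netmask 255.255.255.0
    gateway 192.168.200.1
"""

if __name__ == "__main__":
    stanza = render_eth0_stanza(DEFAULT_ADDRESS, DEFAULT_NETMASK,
                                ASSUMED_GATEWAY, [ASSUMED_GATEWAY])
    print(replace_eth0_stanza(SAMPLE_INTERFACES, stanza))
```

Run it with the real values before touching the appliance; if validation raises, the file would have been wrong. Writing the result back to /etc/network/interfaces still requires sudo on the VM, as in the steps above.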

At this point your NACCompanion server should be ready for use and in communication with the Cisco NAC Appliance manager.

  • Note: a system reboot should not be necessary at any point.

How to use NACCompanion:

Additional configuration options:

NACDashboard: This module is ready to use immediately with no configuration necessary. However, fine tuning can and should be done so that its reporting is completely accurate.

  • Tuning (completed on the Companion Configuration page)
    • NAM/NAS licensing – by default NACCompanion assumes you are using a NAM (NAC Appliance manager) 20 and a NAS (NAC Appliance server) 1500. Change these numbers according to your actual Cisco license agreement. If your NAS devices do not share the same root password as your NAM, you can also set them individually here. Your changes take effect on the NACDashboard within 2 minutes.
  • Key system events – by default the red alerts being reported by the NAM are reported to this section of the NACDashboard. Additional alerts can be added to this section of NACDashboard by setting key query values on the Companion Configuration page. Your changes take effect immediately on the NACDashboard.
  • The key system events shown on NACDashboard will cover a period of 24 hours in which the oldest events will be over-written.
  • SMTP messaging of these events can be enabled on the Companion Configuration page. If enabled, all events on the NACDashboard will be SMTP relayed as a red alert.
    • SMTP settings can be set on the Companion Configuration page by clicking on the ‘Email Notification Setup’ link

Examples of email setup:

SMTP Server: smtp.comcast.net
Port: 587
Encryption: None
Uses Authentication: Yes
Use Comcast un/psw

SMTP Server: smtp.mail.yahoo.com
Port: 587
Encryption: SSL
Uses Authentication: Yes
Use Yahoo email un/psw

SMTP Server: smtp.gmail.com
Port: 465
Encryption: SSL
Uses Authentication: Yes
Use Gmail un/psw
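The first setup above (port 587, Encryption: None, authentication on) sends the relay account password across the network in cleartext; the relay password is a credential an attacker on the management network can read and reuse. The following is an added example, not NACCompanion code: it maps the form fields of this page to a connection mode, refuses an authenticated cleartext session unless explicitly allowed, upgrades a “None” session with STARTTLS whenever the relay offers it, and verifies the relay’s certificate. Real delivery uses smtplib; FakeSMTP and SAMPLE_SETTINGS are constructed so the logic can be exercised offline.

```python
"""Alert-relay client that refuses to send the relay password in cleartext.

Added example, not NACCompanion code. It treats the form fields of the guide
(SMTP Server / Port / Encryption / Uses Authentication) the way a hardened
client should: SSL on port 465 is implicit TLS, SSL on any other port means
STARTTLS after EHLO, and "None" plus authentication is rejected because
LOGIN/PLAIN would cross the wire unencrypted. FakeSMTP and SAMPLE_SETTINGS
are constructed so the code runs offline.
"""
import smtplib
import ssl
from email.message import EmailMessage


class InsecureRelayError(Exception):
    """The settings would expose the relay account password."""


def plan_connection(port, encryption, uses_auth, allow_cleartext_auth=False):
    """Map the form fields to 'implicit_tls', 'starttls' or 'plain'."""
    enc = encryption.strip().lower()
    if enc == "ssl":
        return "implicit_tls" if port == 465 else "starttls"
    if enc != "none":
        raise ValueError(f"unknown encryption setting {encryption!r}")
    if uses_auth and not allow_cleartext_auth:
        raise InsecureRelayError(
            f"port {port}, Encryption=None with authentication sends the relay "
            "password in cleartext; use SSL (465) or STARTTLS (587)")
    return "plain"


def build_alert(sender, recipients, severity, text):
    """One dashboard event as an e-mail; the severity goes in the subject so
    a mail filter can route 'red' differently from informational mail."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = f"[NACCompanion {severity.upper()}] {text[:60]}"
    msg.set_content(text)
    return msg


def send_alert(settings, message, smtp_factory=None):
    """Deliver one alert. Even in 'plain' mode the session is upgraded with
    STARTTLS when the relay offers it. Returns (mode, session_was_encrypted)."""
    mode = plan_connection(settings["port"], settings["encryption"],
                           settings["auth"], settings.get("allow_cleartext_auth", False))
    ctx = ssl.create_default_context()          # verifies the relay's certificate
    if smtp_factory is None:
        if mode == "implicit_tls":
            smtp_factory = lambda h, p: smtplib.SMTP_SSL(h, p, context=ctx, timeout=15)
        else:
            smtp_factory = lambda h, p: smtplib.SMTP(h, p, timeout=15)
    conn = smtp_factory(settings["server"], settings["port"])
    try:
        conn.ehlo()
        encrypted = mode == "implicit_tls"
        if mode == "starttls" or (mode == "plain" and conn.has_extn("starttls")):
            conn.starttls(context=ctx)           # fails loudly on a bad certificate
            conn.ehlo()                          # re-EHLO: extensions change after TLS
            encrypted = True
        if settings["auth"]:
            if not encrypted and not settings.get("allow_cleartext_auth"):
                raise InsecureRelayError("refusing to LOGIN over a cleartext session")
            conn.login(settings["user"], settings["password"])
        conn.send_message(message)
        return mode, encrypted
    finally:
        conn.quit()


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP that records the call sequence."""
    def __init__(self, host, port, offers_starttls=True):
        self.host, self.port = host, port
        self.offers_starttls, self.calls = offers_starttls, []
    def ehlo(self): self.calls.append("ehlo")
    def has_extn(self, name): return self.offers_starttls and name.lower() == "starttls"
    def starttls(self, context=None): self.calls.append("starttls")
    def login(self, user, password): self.calls.append("login")
    def send_message(self, msg): self.calls.append("send")
    def quit(self): self.calls.append("quit")


# Constructed settings mirroring the three examples in the guide (placeholder credentials).
SAMPLE_SETTINGS = {
    "comcast": dict(server="smtp.comcast.net", port=587, encryption="None", auth=True,
                    user="user", password="secret"),
    "yahoo": dict(server="smtp.mail.yahoo.com", port=587, encryption="SSL", auth=True,
                  user="user", password="secret"),
    "gmail": dict(server="smtp.gmail.com", port=465, encryption="SSL", auth=True,
                  user="user", password="secret"),
}
```

If the only relay available is an internal one that does not support TLS, the safe configuration is an unauthenticated relay restricted by source IP rather than a cleartext login; allow_cleartext_auth exists only to make that trade-off an explicit decision.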
  • NAM/NAS CPU/MEM usage is based on a snapshot done by NACDashboard every 2 minutes.

NACReports: NACReports has 2 individual components.

1. Email notification – select the mail icon next to the report name in order to automatically email reports to the selected individuals. Filters selected on the report page will be applied to the emailed reports, and the reports may be sent in either PDF or CSV format. These filters may be changed on the report email page that comes up. The report, with filters, can be sent to an arbitrary list of recipients and may be configured to send the emails daily, on week days, or once a week at the specified time. Each report may be scheduled to be sent to different groups of recipients at different times with different filters.

2. Report generation – on-demand reports can be viewed in PDF or CSV format.

  • PDF – if your system is capable of viewing PDF files, simply input the query parameters and click on the PDF icon next to the report you wish to run. The result should be the entire output viewed in PDF format. Save this PDF file to your local PC for further use. If your PC does not have a PDF viewer, you can find one by visiting Adobe Reader online.
  • CSV – simply input the query parameters and click on the CSV icon next to the report you wish to run. The result should be viewed in your CSV editor (e.g. Microsoft Excel or OpenOffice Calc.) This CSV file enables you to save the results of a query to your local system for further modification, charting, etc.

Additional notes on reporting:

  • Next to each query parameter there is a sort arrow. Choose the sorting characteristic desired prior to running your report.
  • Most query input fields allow for multiple values separated by commas.

NACUpgrade:

NACUpgrade has many fail-safe features built in. NACCompanion is constantly monitoring the upgrade processes of each NAC Manager and NAC Server for completeness. If at any point something goes wrong, NACCompanion terminates the upgrade process.

The first step in the upgrade process is to make sure all servers are online and responsive. NACCompanion verifies the status of each NAM and NAS server in the system and displays the status of each system. If any system is not ready for the upgrade process, the upgrade will not be allowed to continue.

The second step in the upgrade process is to make a backup of the Cisco NAC system.

Once the backup completes, you will be prompted to upload the Cisco NAC upgrade file. Once the upgrade file has been successfully uploaded to NACCompanion, the upgrade process begins.

From this point in the upgrade process, an on-screen display shows the status of each server as the upgrade proceeds. First the upgrade file is simultaneously copied to each NAM and NAS server in the Cisco NAC system. The simultaneous copy of the upgrade file to each server is designed to get the file to every server as quickly as possible.

  • With this in mind, it makes sense to ensure that NACCompanion has a high speed network connection.

If the copy fails on any of the systems the upgrade process is aborted.

If the copy to each system succeeds, a command is simultaneously issued to each system to untar the upgrade file. Once again, progress is displayed on the on-screen display. If any system fails to untar the upgrade file, the upgrade process is aborted.

At this point, if all systems have successfully untarred the upgrade file, each system is simultaneously issued a command to run the upgrade. This is the point of no return. Once the upgrade files are executed, NACCompanion will wait for all systems to complete the upgrade and then issue a reboot command to each server to complete the upgrade process.

  • The details of the upgrade script are similar to a standard Cisco NAC upgrade and can be found in the latest Cisco NAC documentation.

The user may abort the upgrade process at any time up to the point where the upgrade scripts are actually executed on each machine.

Additional considerations:

  • Once the upgrade begins, the NAM and NAS processes will stop, rendering all affected networks unusable. Not until they have been rebooted and have completely come back online will they start passing traffic again (estimated time of < 5 minutes for the total upgrade.)
  • A loss of power or inadvertent reboot of the NAM/NAS or NACCompanion server during an upgrade may leave your system in an undesirable state.
  • All active and passive NAM’s and NAS’s will be upgraded simultaneously. Differences in hardware speed, thus affecting the upgrade speed, may make a new NAM/NAS primary upon system activation.
  • Prior to the upgrade, NACCompanion will ensure that all IP addresses recorded in the NAM database as being either a NAM or a NAS are responsive. If any is not, NACCompanion aborts the upgrade and will not proceed until those addresses are brought back online or removed from the NAM database. A message in the Companion Logs will report the failing IP information. This information will also show up on the NACDashboard as a red button.
  • The upgrade file will be copied to each system and monitored for completion. If the file does not make it to all intended destinations, the upgrade will terminate. The process must be started again as there is no resume capability.
  • Not until all NAM and NAS systems have a complete copy of the upgrade file, will the actual upgrade begin. The batch copy of this file to all systems is monitored to ensure a successful completion. At this point, the actual upgrade script is run and network outage will ensue.

Benefits:

  • This makes upgrades to remote systems with varying link speeds possible and stable.
  • This ensures that the Cisco NAC system is only “out of service” for the exact time necessary to execute the upgrade script (~5 minutes.)

NACBackup: Doing a backup of the Cisco NAC Manager is automated using this module. Simply select the “day” and “hour” you want to do a backup, assign this task a name and click save. You should now have a scheduled backup. You can have multiple scheduled backups.

When a scheduled backup runs, NACCompanion contacts the Cisco NAC manager via SSH and executes a backup script. This script archives all configuration information resident on the NAC Manager in much the same way as the Cisco NAC GUI backup does. Once the backup has run, the script copies the backup file to NACCompanion via FTP, where it is immediately available for download or deletion. Note that FTP transfers the archive in cleartext, so the path between the NAC Manager and NACCompanion should be a trusted management network. NACCompanion can host as many backups as the hard drive permits. The backup files are named according to the time and date at which they were run. Restoring Cisco NAC from one of these backup files is as simple as going into the NAC GUI and uploading the backup file.

Companion Configuration: This screen is the heart and soul of the NACCompanion setup. Everything necessary to configure NACCompanion is available on this page within the highlighted sections. The highlighted sections at the top of the page must have valid input in order to get basic functionality working properly.

There are 3 grey sections that require input:

  • NAM information – input the IP address of the NAM ‘Service IP’. This is the address by which you manage your Cisco NAC manager. Additionally, input the password of the ‘root’ account on your Cisco NAC manager. All NACCompanion communications between your Cisco NAC managers and servers will use the user ID of root and the password input into this field. Do not confuse this with the Web administration password. Lastly, if your Cisco NAC Server uses a different password than the NAM, you need to individually input the proper password for each on the ‘Setup NAC Licensing and Passwords’ page. This will also ensure that the proper CPU/MEM usage is shown.

Note that this section and a proper license are the minimum setup requirements for NACCompanion. All other fields are optional.

  • License Keys – each module within NACCompanion is licensed. If your NACCompanion system has not been licensed, as soon as you log into the web administration console, you will be taken directly to the Companion Configuration page where a license must be input. Once a license has been input, you will have immediate access to that specific module. All NACCompanion licenses are specific to that NACCompanion server. These licenses will not work on any other server (to include trial licenses.)
  • User Administration – by default your NACCompanion server uses the user ID admin with the password admin. It is recommended to change this admin password immediately upon setup. To change the admin password, simply click on the user admin and enter the new password in the password input fields. The new password takes effect the next time the admin user logs onto the NACCompanion system.

In addition to these sections, additional Configuration options are available.

  • Update NAC manager and server license #'s – by default, NACDashboard uses the NAM 20 and the NAS 1500 as display values. To change these default values, click on this URL and input the proper NAM/NAS license values. NACDashboard will then display customer-specific licensing values.
  • SMTP gateway setup for reporting of alerts – NACCompanion has the ability to email reports to individuals that have been selected for notification. Visit this link and input either a specific address or group address for email notification. Note that only 1 email notification will be sent for a given alarm.
    • Red – A general notification when a red status occurs on NACDashboard. Red indicates that NACCompanion has been unsuccessful in determining the up/down status of a given device (obtained from the Cisco NAC manager.)
  • Configure (Key System Events) that will be reported to NACDashboard – these system events are ‘interesting’ events that happen within the logs of the Cisco NAC system. If an event is queried for on this page, it will show up on NACDashboard as a (Key System Event) and will be emailed to a configured SMTP recipient as a ‘red’ event. Note that for email notification, you must select ‘Enable (Key System Events) email notification’ on the ‘Companion Configuration’ page otherwise only key events will be displayed on NACDashboard with no email notification.
  • Enable (Key System Events) email notification – by selecting these checkboxes, all events that are found ‘interesting’ within the query results of ‘Configure (Key System Events) that will be reported to NACDashboard’ will be immediately delivered via email to all users who are configured to receive such notifications.
  • NACCompanion Backup – clicking on this URL takes an immediate snapshot of the NACCompanion system and saves it as a backup file for offline archiving on a local administrative PC. All information unique to the NACCompanion system is stored in this file, so it contains the system-wide settings and should be stored with the same protection as the Cisco NAC root password.
    • NACCompanion restore – using a previously created NACCompanion backup file, a system administrator can restore a NACCompanion server to its original settings (all system-wide settings.)
  • Change IP address – this URL allows administrators to change the current IP address, subnet mask, default gateway, and DNS server information specific to the given NACCompanion system.

Companion Logs: The logs shown on this page are specific to NACCompanion. When an interesting event happens within the NACCompanion console, it should get reported to this log. Within these logs you can:

  • Set the filter type
  • Filter for a specific user
  • Filter for specific text
  • Set the maximum number of records shown within the log.

To limit the number of NACCompanion log entries stored within the database, go to the ‘Configure NACCompanion Details’ page found on the Companion Configuration page. Select the number of days to be stored and click the submit button.

These same Companion logs are saved in the Companion database and also written to /usr/local/tomcat/webapps/naccompanion/logs. This gives an administrator log access without having to open a browser and log in.

Troubleshooting:

FAQs:

  • “What is the default user ID and password for the NACCompanion server (web interface?)”
    • admin/admin
  • “What is the default user ID and Password of the NACCompanion command-line system?”
    • naccompanion/naccompanion
  • “What do I have to do in order to get NACCompanion configured for my environment?”
    • When you log into NACCompanion, if the basic configuration has not been completed, you will be sent directly to the Companion Configuration page, where you will need to install any available licenses, input the IP address of the Cisco NAC manager, and provide the ‘root’ password of your Cisco NAC manager. This is all that is required in order to communicate properly with Cisco NAC.
  • “What is the default IP address of the NACCompanion server?”
    • 192.168.200.200/24
  • “Can I have NACCompanion notify me in the event there is a critical event with my Cisco NAC solution?”
    • Yes. NACCompanion will send an SMTP message (if configured) if any “red” event happens.
  • “Should my NAM and NAS passwords all be the same in order to have NACCompanion function properly?”
    • No. By default NACCompanion uses the root password entered with the NAC Manager IP for the NAC Servers as well; a different password for each NAC Server can be set on the Companion Configuration page.
  • “NACDashboard does not show any data. What’s wrong?”
    • Check that you have provided the proper IP address and ‘root’ password of the Cisco NAC manager on the Companion Configuration page. Also ensure that SSH access between the NAM and NACCompanion is not blocked.
  • “NACDashboard has valid information on it, but some of my auth servers and OOB switches show up red when they are in fact functioning just fine. What’s wrong?”
    • Ensure that NACCompanion has unimpeded access to these devices. NACCompanion checks the status of each device by attempting to open a specific socket to these devices. If the connection setup is unsuccessful, NACCompanion will report that specific device as unavailable (red.)
  • “What impact will NACCompanion have on my Cisco NAC system from a resource perspective? What impact will it have on the network?”
    • Refer to the “Technical Specification” section of this guide for a detailed breakdown.
  • “What happens to my Cisco NAC system if NACCompanion becomes unavailable?”
    • NACCompanion is simply a supplementary product that is not considered mission critical. If the NACCompanion system is shut off, Cisco NAC will function in its entirety, completely unaffected.
  • “Why does NACDashboard take so long to show the proper red/green status results?”
    • NACDashboard checks all devices for connectivity every 2 minutes. Upon startup of NACCompanion, or after a NACCompanion upgrade, a delay of up to 2 minutes is normal before it can show the proper red/green status and send SMTP alerts. Once NACCompanion has been running for at least 2 minutes, NACDashboard should always have the latest information from the last refresh.
  • "Why isn't the IP address of the NAS showing on reports generated by NACReports?"
    • The NAS/CAS IP address is missing because the "Cisco NAC Server" did not record the scan transaction into the database with its own source IP as the scanning device.
    • If the user is "known" to Cisco NAC (exists on the Certified Devices List) and gets scanned, the IP of the NAS that did the scanning is recorded in the Cisco NAC database and therefore appears on the NACReports.
    • If the user is "unknown" to Cisco NAC (no previous entry in the NAC database and/or aged out of the NAC database), AND the user fails a "Mandatory" scan and is therefore not allowed on the network, the NAS that did the scanning does not report its IP address. The NAS field is empty.
    • NACReports, when it detects an empty field, reports an "Unavailable" in the report entry and puts a comment at the top of the report explaining why.
  • “Why am I receiving Red Alert Notifications?”
    • There are two kinds of Red Alert Notifications.
    • 1. A Red Alert is sent when NACCompanion can no longer communicate with a device.
    • 2. A Red Alert is sent when a key system event is found in the NAM log file.
  • “How do I configure Red Alert Notifications?”
    • Go to the Configuration tab and select "Email Notification Setup"
  • “Does NACCompanion alter anything on my NAM or NAS servers?”
    • No. NACCompanion does NOTHING to alter data or settings on any NAM or NAS server EXCEPT when upgrading the Cisco NAC system. NACCompanion reads data from the NAM database and it attempts communication with NAS servers, Authentication servers and Switches in order to determine if they are reachable and responsive. No additional communication takes place between NACCompanion and NAS servers, Authentication servers or switches.
  • “How does NACDashboard check to see if systems are responsive?”
    • NACDashboard attempts to open ports 21 (FTP), 22 (SSH) and 80 (HTTP) on each system to see if it is responsive. If NACCompanion cannot open any of those ports on the system, the system is considered to be unresponsive. NACCompanion makes no attempt to communicate with the system other than seeing if it can successfully open any of those ports.
  • “Why is my NAM or NAS system shown as red when I know it is working?”
    • There are a number of reasons that may be the case. At least one of the following ports must be open: 21 (FTP), 22 (SSH) or 80 (HTTP). The IP address must be reachable from NACCompanion and a firewall must not be blocking those ports.
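The three FAQ entries above describe the whole red/green check: a TCP connect to port 21, 22 or 80, green on the first accept, red when none answers. The following is an added example, not NACCompanion code, that reproduces that logic and adds the two things a practitioner usually wants on top of it: the probes run in parallel so a sweep of many devices fits inside the 2-minute cycle, and a transition function so that only green-to-red and red-to-green changes raise an alert instead of every cycle re-alerting a device that stays red. The device list and fake_connect are constructed so it runs offline; the real probe is tcp_connect.

```python
"""Reachability probe in the style of NACDashboard's red/green check.

Added example, not NACCompanion code. It reproduces the FAQ description
(try TCP 21, 22 and 80; green if any port accepts, red otherwise). The
device list and fake_connect are constructed so the code runs offline;
tcp_connect is the real probe.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

PROBE_PORTS = (21, 22, 80)      # the ports the FAQ says NACDashboard tries
TIMEOUT_S = 3.0


def tcp_connect(host, port, timeout=TIMEOUT_S):
    """Real probe: full TCP handshake, then immediate close. True on accept."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def device_status(host, ports=PROBE_PORTS, connect=tcp_connect):
    """Return ('green', port_that_answered) or ('red', None).
    Stops at the first accepting port, as the dashboard check does."""
    for port in ports:
        if connect(host, port):
            return "green", port
    return "red", None


def sweep(devices, connect=tcp_connect, workers=8):
    """Probe every (name, host) pair in parallel; returns {name: (status, port)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda d: (d[0], device_status(d[1], connect=connect)), devices)
    return dict(results)


def transitions(previous, current):
    """Changes worth an alert: {name: (old_status, new_status)} for devices whose
    status differs from the last cycle. A device that stays red does not re-alert;
    a device never seen before is reported as 'unknown' -> status."""
    changed = {}
    for name, (status, _port) in current.items():
        old = previous.get(name, ("unknown", None))[0]
        if old != status:
            changed[name] = (old, status)
    return changed


# Constructed offline stand-in for the network: which ports each host accepts.
FAKE_OPEN_PORTS = {
    "10.0.0.10": {22, 80},   # NAM: ssh and web
    "10.0.0.11": {22},       # NAS: ssh only
    "10.0.0.20": set(),      # OOB switch behind a firewall: nothing reachable
    "10.0.0.30": {21},       # auth server: only FTP answers (green, but worth a look)
}


def fake_connect(host, port):
    """Constructed replacement for tcp_connect used when running offline."""
    return port in FAKE_OPEN_PORTS.get(host, set())


if __name__ == "__main__":
    sample = [("nam", "10.0.0.10"), ("nas1", "10.0.0.11"),
              ("sw1", "10.0.0.20"), ("auth1", "10.0.0.30")]
    for name, (status, port) in sweep(sample, connect=fake_connect).items():
        print(f"{name:6} {status:5} {'' if port is None else f'(port {port})'}")
```

Two caveats the FAQ implies but does not spell out: a completed handshake only proves that something is listening, not that the NAC service on the device is healthy, and any firewall between NACCompanion and the device that allows none of 21, 22 or 80 will show the device red even while it works. Also note that a device answering only on port 21 is green here, which is a good moment to ask why FTP is exposed on it.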

File Structure:

  • All NACCompanion files start in the folder /usr/local/tomcat/webapps/naccompanion within the OS. Sub folders host specific features of NACCompanion.
  • Logging events specific to the NACCompanion process are available via the GUI or can be found at /usr/local/tomcat/webapps/naccompanion/logs.
  • NACCompanion runs on a hardened Ubuntu Linux OS (a Debian-derived distribution).