Published On: August 6ᵗʰ, 2019 02:08

Cisco NAC Profiler Installation and Configuration Guide, Release 2.1.8

This chapter includes the following topics:

Overview

Adding Device Groups

Importing Network Devices

Adding Network Devices to the Configuration Individually

Network Devices

Overview

After the necessary Profiler Server and Collector configurations are in place, the next step is to add the network infrastructure devices (switches and routers) that provide connectivity to the network attached endpoints.

For efficiency in SNMP polling, network devices are associated with the appropriate Collector so that the Collectors themselves perform the SNMP queries from the distributed points in the network where the CAS appliances are deployed. This keeps the SNMP traffic local and avoids consuming core network processing resources. Each Collector periodically polls the network devices that have been associated with it to gather information about attached endpoints and their status. The NetMap module on each Collector communicates with the network devices at the intervals specified in the Profiler Server configuration. Communication between NetMap and network devices uses the SNMP protocol. To ensure changes in the endpoint topology are learned in real time, the network devices can optionally be configured to send SNMP Traps to the Collector running the NetTrap module assigned to poll them. Doing so gives the system near real-time indications when endpoints join or leave the network, so that Cisco NAC Profiler can maintain an accurate model of the endpoint topology.

Since Cisco NAC Profiler's primary functionality is Endpoint Profiling and Behavior Monitoring, the network devices added to the system configuration should be those that comprise the network access layer, or "edge", of the network the system is deployed on; that is, the devices (typically Layer 2 switches) that end users, printers, copiers, fax machines, IP telephony devices and other network endpoints use to connect to the network infrastructure. Layer 3 devices (routers) should also be included so that their Address Resolution Protocol (ARP) tables can be accessed, but these can be limited to the routers that serve as the distribution layer for some number of L2 edge devices, or left out of the device list entirely if the edge switches can provide ARP table level visibility. Cisco NAC Profiler uses information from Layer 3 devices to create a mapping between endpoint IP addresses and MAC (hardware) addresses. Layer 2 Source Address Table (SAT) information from switches and switch/routers is used by the system to locate endpoints.

Network devices added to the NAC Profiler System configuration are added to a Table of Network Devices commonly referred to as the Device List. To perform network device management tasks such as adding the network devices to the system configuration, select the Configuration tab. In the left hand navigation pane, select Network Devices to display the Configure Network Devices page in the main pane as shown in Figure 8-1.

Figure 8-1 Configure Network Devices Page

The Configure Network Devices table lists a number of administrative task options for managing the network devices in the system configuration; the task names are links that navigate the interface to the page(s) associated with the task. The configure network device tasks are:

Add Device—Enables adding a single network device to the system configuration.

Add Group—Network devices with similar attributes may be grouped logically for easier administration. This option allows for the creation of network device groups.

List Network Devices—Displays the Table of Network Devices which lists all of the network devices currently in the system configuration and their status.

Find Device—Search tool for finding a network device or devices by specifying device criteria such as device name and/or IP address.

Import Devices—Utility to import a list of network devices into Cisco NAC Profiler using a .csv file.

To initiate any of the network device list management functions, select the link in the leftmost column of the Configure Network Devices table. The remainder of this chapter provides instructions for using these functions to manage the network device list in the system configuration.

Adding Device Groups


Note The use of Network Device Groups is optional and may not be usable in some environments where network devices do not share common configuration parameters such as community strings and VLAN IDs. If SNMPv3 is in use, this functionality is still available, as long as all the devices belonging to the group use exactly the same SNMPv3 parameters. If the grouping functionality is not going to be used, proceed to the sections on Adding and/or Importing Network Devices later in this chapter.


In many network environments, it may be desirable to define groups of devices to give a clearer picture of the network topology and to make the Cisco NAC Profiler network device configuration task easier. As mentioned, each group of devices is associated with a specified Collector, so administration of the system is easier if the device groups are aligned with the network devices associated with each Collector; it is additionally recommended that the naming conventions for the Collectors and the device groups be similar, if not identical. When the network devices in an environment use similar configuration parameters such as community strings, VLAN IDs, etc., the use of groups can streamline the management of devices. If a network device is designated a member of a device group, that device inherits the General Settings, Access Method, VLAN Settings, and Endpoint Roles (if applicable) of the device group, and these parameters do not need to be specified individually for the devices belonging to the group. Network devices added to the system configuration individually or imported can be designated as members of a group and inherit the group configuration parameters.

To add a network device group to Cisco NAC Profiler configuration, select Add Group from the Configure Network Device table. This will open the Add Group form in the main pane as shown in Figure 8-2.

Figure 8-2 Add Network Device Group Form

Enter the following information for the network device group to be added:

Group Name

Enter a unique name to identify this group of network devices. Once a group is created and stored, the Select Group drop-down list in the Add Network Device and Edit Network Device forms will be populated with all groups saved to the system configuration.

General Settings

Select Type

Select the device type (Layer 2, Layer 3, or Device) for the devices in the group being added from the drop-down list. The Device option is for managed devices that may hold information useful to the Collector but are neither Layer 2 nor Layer 3 network devices. An example would be managed Novell servers that contain MAC/IP binding information and will provide that information if queried via SNMP.

Select mapping module

This entry specifies the Collector that will be assigned to poll the devices in this network device group, chosen from the configured Collectors listed in the pull-down. The default option should not be selected.

The pull-down menu shows an entry for each Collector currently in the Cisco NAC Profiler configuration. Note that each Collector name has "-nm" appended. This designates that the mapping module for device polling via SNMP is the NetMap component on the Collector.

Save Configuration

If the network devices in this group have a mechanism for making configuration changes made via SNMP persistent, selecting the 'save configuration' checkbox will configure Cisco NAC Profiler to save all configuration changes it makes to any devices in the group to the saved configuration file on the affected network device(s). This is applicable when using Cisco NAC Profiler in the Port Provisioning mode to change port settings as described earlier in this document.

Access

Method

This parameter determines which version of SNMP will be used for communication with network devices in the group. Select the radio button of the SNMP version that devices in this group are running. By default Cisco NAC Profiler will use SNMP version 1 for communication with network devices. SNMP version 2c or version 3 may be selected as options for groups of devices using one of these versions of SNMP.

Read-Only Community String

Enter the read-only community string that has been configured on all devices in the group for read-only SNMP access.

The web interface will obscure the text being entered in the community string fields to protect it. In order to ensure that the community string is entered correctly, it may be desirable to cut-and-paste the community string in clear text (from Notepad, for example) to ensure that it is entered into the Cisco NAC Profiler interface correctly. If the community string is not entered correctly, Cisco NAC Profiler will not communicate with the device.

Read-Write Community String (optional)

Providing the Read-Write Community string for the group is only applicable when using Cisco NAC Profiler in the Port Provisioning mode to change port settings as described earlier in this document. If Cisco NAC Profiler will not be used in the Port Provisioning mode, do not specify the Read-Write Community String.

Enter the read-write community string that has been configured on all devices in the group for read-write SNMP access.

The remainder of the parameters in this portion of the form applies only to groups of devices using SNMPv3. The following parameters are only displayed if the radio button for SNMPv3 is selected for the method type. If the version of SNMP in use on the network devices in the group being added is SNMPv3, complete these parameters:

Figure 8-3 Access Parameters for SNMPv3

SNMPv3 Username

Provide the SNMPv3 Username to use when authenticating a SNMPv3 session with devices in the group.

SNMPv3 Authentication Password

Provide the SNMPv3 authentication passphrase to use with the Hash Type that was selected.

SNMPv3 Privacy Password

Provide the privacy passphrase required for the privacy (encryption algorithm type) service that was selected.

SNMPv3 Security Level

Select the radio button of the SNMPv3 security level in use for SNMPv3 sessions with the devices in the group.

NoAuthNoPriv - No authentication, no privacy (least secure)

AuthNoPriv - Authentication, no privacy (more secure)

AuthPriv - Authentication, Privacy (most secure)

SNMPv3 Hash Type

Select the radio button of the SNMPv3 hash type in use for SNMPv3 sessions with the devices in the group: select either the MD5 or SHA1 protocol.

Both protocols are hashing algorithms, which given a message concatenated with a user's key, generate a fingerprint for the string. After the hash is performed, the fingerprint is added to the message (without the key). If any of the data in the packet is modified in-flight, it will be detected when the hash is performed on the received message (minus the fingerprint, plus the user's key), and then the result is compared to the fingerprint that was received.

The two protocols are similar, although MD5 is somewhat faster and SHA is somewhat stronger.

SNMPv3 Encryption Type

Select the radio button of the SNMPv3 encryption type to use for SNMPv3 sessions with the devices in the group; select either DES or AES encryption.

Virtual LAN Settings (Optional)

Providing the Virtual LAN Settings for a device group is applicable only when using Cisco NAC Profiler in the Port Provisioning mode to change port settings as described earlier in this document. If the Cisco NAC Profiler system will not be employed in the Port Provisioning mode, do not enter these parameters for the device group.

Default VLAN ID

Enter the VLAN ID that has been configured as the Default VLAN on devices in this group. The VLAN name, "Default", will be used in the Cisco NAC Profiler user interface when managing port parameters on devices in the group. Although the value presented to the user will be the VLAN name 'Default', the setting of the VLAN ID on each interface of the device or devices in the group will be based on the configuration in this section. This allows Cisco NAC Profiler to be easily deployed and used in the Port Provisioning mode in environments where disparate VID values are used for the same VLAN in different parts of the enterprise network.

An example of this is the Printer VLAN, which can vary by floor, building, or campus in some environments. When the VLAN name Printer is selected for application to a particular port, the specific VID appropriate for each port on each device will be applied according to the network device configuration by Cisco NAC Profiler.

Authorized VLAN ID

Enter the VLAN ID that has been configured as the Authorized VLAN on the devices in this group. The VLAN name, "Authorized", and not the VID value will be used in the administrative screens for managing ports and endpoints when the user is configuring network access for groups of endpoints. Although the value presented to the user will be the VLAN name 'Authorized', the setting of the VLAN ID parameter on each interface will be based on the configuration in this section for the specific device being configured. This allows Cisco NAC Profiler to be easily deployed in environments where multiple VID values are used throughout the enterprise for similar endpoint types.

Other VLANs

Define other VLANs which have been configured on the network devices in this group as applicable by specifying one per line in the format VLANname:vid. Like the Default and Authorized VLAN, VLANs specified as available on the device will be presented by VLAN name as pull-down options in the Port Control views enabling the setting of the VLAN parameter on network device ports. The VLAN name provides a level of abstraction in the user interface to allow for disparate VLAN IDs used for the same named VLAN in different areas of the network. Cisco NAC Profiler will track what VID is being used for each VLAN name on a per-switch basis, allowing assignment by VLAN name rather than VID.

Once Device Groups are added to the system configuration, they are accessible in the Add Network Device and Edit Network Device forms. Defining device groups prior to adding network devices, either individually or through the Import function, can save significant time by entering the device configuration parameters common to the group once instead of for each device individually.

Importing Network Devices

The most efficient way to add network devices to the Cisco NAC Profiler configuration is through the Import Device feature. Cisco NAC Profiler can import a device list from an external CSV file accessible from the computer used to access the Cisco NAC Profiler web user interface. Many network management systems can export the list of devices they are monitoring into a CSV file that can be edited using spreadsheet software such as Microsoft Excel. Alternatively, a list of the network devices to be added to the system configuration can be created manually.

The procedure for importing network devices into the Cisco NAC Profiler system configuration is dependent on the version of SNMP the devices are running. For network devices running v1 and v2c of the SNMP protocol, the input file and import process are identical. For devices running SNMPv3, a different input file and import process are required to handle the additional parameters required in that version of the SNMP protocol.

The next two subsections outline the processes for importing network devices for the different SNMP versions.

Importing Network Devices running SNMPv1 and v2c

The Import Device utility for v1 and v2c devices requires that the input list of devices have the format illustrated in Figure 8-4, saved in comma separated format. The format is a table with four columns and no column headings, with one row per device to be imported containing the device name, IP address, read-only community name and read-write community name (if Port Provisioning mode is to be used). If Port Provisioning mode will not be used, leave the fourth column blank.


Note Providing the read-write community strings for network devices is an optional parameter for network device configuration. It is required only when the Cisco NAC Profiler will be used in Port Provisioning mode to make configuration changes to network device configuration parameters as outlined in Chapter 13, "Using the Endpoint Console." If Cisco NAC Profiler will not be used in Port Provisioning mode, simply leave the fourth column of the spreadsheet empty.


Figure 8-4 Example Device List in Spreadsheet Application: SNMPv1 & v2c devices

Once the list of network devices has been edited to this format, save the file as a CSV file (in Microsoft Excel, select Save As and choose the Save as type CSV (comma delimited)), noting the location and filename. Ensure the computer being used to manage Cisco NAC Profiler via the web interface can access the CSV file.

Select Import Devices from the Configure Network Devices table or from the menu at the top of any network device management page (Figure 8-5).

Figure 8-5 Import Devices

The Import Network Device form will display in the main pane (Figure 8-6).

Figure 8-6 Import Network Device Form

Click the Choose... button to select the device list CSV file created previously.

After the file is selected, its name is entered into the 'CSV File Name' field in Cisco NAC Profiler. Click the Import File button. The list of devices in the CSV file that were successfully imported will display in the Import Device Information form shown in Figure 8-7. This form enables editing of fields or manual population of any empty fields with the appropriate information.

Figure 8-7 Import Device Information Form


Note The "Pass #1" and "Pass #2" columns in the Import Device Information dialog represent the read-only and read-write (if desired) community names (if provided in the CSV file) of the network devices, masked with asterisks. Entering the community names into the CSV file to be imported is optional; however, if the community names are not imported it will be necessary to edit each device and enter the correct community names.


If the devices being imported will be assigned to a Group, all devices will inherit the group community names regardless of whether community names were imported or not. Group parameters always take precedence over individual device configuration for any device in a group.

Once any corrections or additions are made to the individual device entries, the form allows assigning all the devices being imported to a Device Group. Assigning the devices to a device group results in all the devices being imported inheriting the parameters specified for the group (including the designated Collector to be associated with these devices), as described in the previous section. If the imported devices are being assigned to a Device Group, select the group from the drop-down list.

If the devices are not going to be assigned to a Device Group, leave 'None' in the Select Group drop-down and specify the following parameters for the devices being imported:

Access Method

This parameter determines which version of SNMP will be used for communication with network devices being imported from this file. Note that all devices imported in a given import operation must be of the same SNMP type. Select the SNMP version (v1 or v2c) that the network devices being imported are running from the drop-down list. By default Cisco NAC Profiler will use SNMP version 1 for communication with network devices. SNMP version 2c may be selected as an option for importing devices using SNMP v2c.

Device Type

Select either Layer 2 or Layer 3 to designate the type of devices being imported (switch or router). Note that all devices being imported in a given operation will be given the same device type upon import.

Click the Import Devices button at the bottom of the window. A message stating "Imported device information saved" will be presented. The list of imported devices will now be accessible in tabular format by selecting List Network Devices from the Configure Network Devices table.

Import Network Devices running SNMPv3

The Import Device utility for SNMPv3 requires that the list of devices have the format illustrated in Figure 8-8. The format is a table with eight columns and no column headings, with one row per device to be imported containing the Device Name, IP Address, SNMPv3 User, SNMPv3 Authentication Password, SNMPv3 Privacy Password, SNMPv3 Security Level, SNMPv3 Hash Type, and SNMPv3 Encryption Algorithm Type.
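A pre-import check for both CSV layouts described in this chapter (the four-column SNMPv1/v2c file and the eight-column SNMPv3 file), written here as an added example; it is not part of this guide or of the product. The column names, the treatment of the fourth v1/v2c column as optional, and the rule that a security level must be backed by the passwords and algorithms it needs are this example's assumptions; the sample rows are constructed.

```python
"""Pre-import checks for NAC Profiler device-list CSV files (added example,
not from the guide). Layouts follow the chapter: four headerless columns for
SNMPv1/v2c, eight for SNMPv3; column names and level rules are assumptions."""
import csv
import io
import ipaddress

V12C_COLUMNS = ("name", "ip", "ro_community", "rw_community")
V3_COLUMNS = ("name", "ip", "user", "auth_password", "priv_password",
              "security_level", "hash_type", "encryption_type")
SECURITY_LEVELS = ("NoAuthNoPriv", "AuthNoPriv", "AuthPriv")
HASH_TYPES = ("MD5", "SHA1")
ENCRYPTION_TYPES = ("DES", "AES")

# Constructed sample files. v1/v2c line 3 reuses a name and has a bad address;
# v3 line 4 asks for AuthPriv without a privacy password.
SAMPLE_V12C = """\
Bldg10-floor8,10.20.30.1,ro-secret,
Bldg10-floor9,10.20.30.2,ro-secret,rw-secret
Bldg10-floor8,10.20.30.300,,
"""
SAMPLE_V3 = """\
Core-Rtr1,10.20.0.1,profiler,authpass1,privpass1,AuthPriv,SHA1,AES
Core-Rtr2,10.20.0.2,profiler,authpass2,,AuthNoPriv,MD5,
Lab-Sw1,10.20.0.3,profiler,,,NoAuthNoPriv,,
Lab-Sw2,10.20.0.4,profiler,authpass4,,AuthPriv,SHA1,AES
"""


def parse_rows(text, columns, min_columns=None):
    """Headerless CSV -> (rows as dicts keyed by column name, problems).
    A wrong field count is reported, not guessed at: a shifted column would put
    a community string in the IP field. Missing trailing optional columns
    (down to min_columns) are padded with ""."""
    min_columns = len(columns) if min_columns is None else min_columns
    rows, problems = [], []
    for lineno, fields in enumerate(csv.reader(io.StringIO(text)), start=1):
        if all(not f.strip() for f in fields):
            continue  # blank line
        if not min_columns <= len(fields) <= len(columns):
            problems.append(f"line {lineno}: expected {len(columns)} columns, got {len(fields)}")
            continue
        fields = [f.strip() for f in fields] + [""] * (len(columns) - len(fields))
        row = dict(zip(columns, fields))
        row["line"] = lineno
        rows.append(row)
    return rows, problems


def common_checks(rows):
    """Names must be unique (the form requires it) and addresses must parse."""
    problems, seen = [], {}
    for row in rows:
        at, name = f"line {row['line']}", row["name"]
        if not name or name in seen:
            problems.append(f"{at}: device name {name!r} is empty or a duplicate")
        seen[name] = row["line"]
        try:
            ipaddress.ip_address(row["ip"])
        except ValueError:
            problems.append(f"{at}: invalid IP address {row['ip']!r}")
    return problems


def validate_v1_v2c(text, port_provisioning=False):
    """name, IP, read-only community, read-write community (blank unless
    Port Provisioning mode is in use)."""
    rows, problems = parse_rows(text, V12C_COLUMNS, min_columns=3)
    problems += common_checks(rows)
    for row in rows:
        at = f"line {row['line']}"
        if not row["ro_community"]:
            problems.append(f"{at}: read-only community blank; fill it in the form or assign a group")
        if row["rw_community"] and not port_provisioning:
            problems.append(f"{at}: read-write community given but Port Provisioning not in use; leave column 4 blank")
    return rows, problems


def validate_v3(text):
    """name, IP, user, auth password, priv password, security level, hash type,
    encryption type; each security level must be backed by what it needs."""
    rows, problems = parse_rows(text, V3_COLUMNS)
    problems += common_checks(rows)
    for row in rows:
        at, level = f"line {row['line']}", row["security_level"]
        if level not in SECURITY_LEVELS:
            problems.append(f"{at}: unknown security level {level!r}")
            continue
        if level == "NoAuthNoPriv":
            problems.append(f"{at}: NoAuthNoPriv gives neither authentication nor privacy; confirm this is intended")
            continue
        # AuthNoPriv and AuthPriv both authenticate: passphrase and hash needed.
        if not row["auth_password"]:
            problems.append(f"{at}: {level} requires an authentication password")
        if row["hash_type"] not in HASH_TYPES:
            problems.append(f"{at}: {level} requires hash type MD5 or SHA1, got {row['hash_type']!r}")
        if level == "AuthPriv":
            if not row["priv_password"]:
                problems.append(f"{at}: AuthPriv requires a privacy password")
            if row["encryption_type"] not in ENCRYPTION_TYPES:
                problems.append(f"{at}: AuthPriv requires encryption DES or AES, got {row['encryption_type']!r}")
    return rows, problems
```

Run `validate_v1_v2c(SAMPLE_V12C)` and `validate_v3(SAMPLE_V3)` and review the returned problem list before uploading the file; blank fields the form lets you fill in afterwards are reported alongside genuine errors.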

Figure 8-8 Example of a SNMPv3 network device list in a spreadsheet application

Select Import Device List from the Configure Network Devices table or from the menu at the top of any network device management page (Figure 8-9).

Figure 8-9 Import Devices

The Import Network Device form will display in the main pane (Figure 8-10).

Figure 8-10 Import Network Device form

Click the Browse... button to select the device list CSV file created previously. After the file is selected, its name is entered into the 'CSV File Name' field in Cisco NAC Profiler. Click the Import File button. The list of devices in the CSV file that were successfully imported will display in the Import Device Information form shown in Figure 8-11. This form enables editing of fields or manual population of any empty fields with the appropriate information.

If the devices being imported will be assigned to a Group, all devices will inherit the group community names regardless of whether community names were imported or not. Group parameters always take precedence over individual device configuration for any device in a group.

Figure 8-11 Import SNMPv3 Information Form

When importing SNMPv3 devices, the SNMPv3 parameters for each device will be imported as shown in Figure 8-11. If a parameter for a device is left blank, the appropriate entry can be made in the form prior to selecting Import Devices.

The SNMPv3 parameters for each device are as follows:

User

Provide the SNMPv3 Username to use when authenticating a SNMPv3 session with the devices being imported.

Authentication Password

Provide the SNMPv3 authentication password to use with the Hash Type that was selected.

Privacy Password

Provide the password required for the privacy (encryption algorithm type) service that was selected.

Security Level

Select the SNMPv3 security level in use for SNMPv3 sessions with the devices being imported.

NoAuthNoPriv - No authentication, no privacy (least secure)

AuthNoPriv - Authentication, no privacy (more secure)

AuthPriv - Authentication, Privacy (most secure)

Hash Type

Select the radio button of the SNMPv3 hash type in use for SNMPv3 sessions with the devices being imported; select either the MD5 or SHA1 protocol.

Both protocols are hashing algorithms, which given a message concatenated with a user's key, generate a fingerprint for the string. After the hash is performed, the fingerprint is added to the message (without the key). If any of the data in the packet is modified in-flight, it will be detected when the hash is performed on the received message (minus the fingerprint, plus the user's key), and then the result is compared to the fingerprint that was received.

The two protocols are similar, although MD5 is somewhat faster and SHA is somewhat stronger.

Encryption Algorithm Type

Select the radio button of the SNMPv3 encryption type to use for SNMPv3 sessions with the devices being imported; select either DES or AES encryption.

Click the Import Devices button at the bottom of the window. A message stating "Imported device information saved" will be presented. The list of imported devices will now be accessible in tabular format by selecting List Network Devices from the Configure Network Devices table.

Adding Network Devices to the Configuration Individually

To enter network devices one at a time, select the Add Device option from the Configure Network Device table. This opens the Add Network Device form in the main pane (Figure 8-12).

Figure 8-12 Add Network Device Form

This form allows the entry of all required information about a network device as it is added to the system configuration. To add a network device, complete the fields of the form with the device specifics as outlined below.

Name and Identifying Information

Device Name

Enter a unique name to identify this device. Cisco NAC Profiler will show the location of endpoints by switch and port, so choosing a descriptive name for switches (e.g., Bldg10-floor8) makes it easier to differentiate between multiple switches in a large enterprise network.

IP Address

Enter the IP Address of the network device.

Alternate Addresses

(Optional) Allows the specification of other interface addresses that may be used by the network device (Layer 3 devices typically).

General Information

Select Type

Select the device type (Layer 2, Layer 3, or Device) from the drop-down list. The Device option is for managed devices that may hold information useful to the Collector but are neither Layer 2 nor Layer 3 network devices. An example would be managed Novell servers that contain MAC/IP binding information and will provide that information if queried via SNMP.

Select mapping module

This entry specifies the Collector that should poll this device, chosen from the configured Collectors listed in the pull-down. The default option should not be used; the pull-down is populated with the Collectors associated with the Profiler Server, and one of them should be selected.

Select Group

If network device groups have been defined, as described in the previous section, Adding Device Groups, select the group that this device should belong to from the drop-down list, if applicable for the device being added.


Note Designating a device to be a member of a group results in the override of settings made at the individual device level. For example, if the SNMP community strings set at the device level are different than those specified for the group, the community strings set for the group level are the strings that Cisco NAC Profiler will use to attempt SNMP communications with the device.


Trunk Ports (Optional)

(Optional) Allows designation of known trunk ports on the network device. Trunk ports are ports providing connectivity to other infrastructure devices, not endpoints.

Save Configuration (Optional)

If this network device provides a mechanism for making configuration changes effected via SNMP persistent to the device configuration, selecting the `save configuration' checkbox will configure Cisco NAC Profiler to save all configuration changes it makes to the device to the saved configuration file. This is applicable when using Cisco NAC Profiler in the Port Provisioning mode to change port settings as described earlier in this document.

Access

Method

This parameter determines which version of SNMP will be used for communication with this network device. Select the radio button of the SNMP access method for which this device is configured. By default Cisco NAC Profiler will use SNMP version 1.

Read-Only Community String

Enter the read-only community string that has been configured on the device for read-only SNMP access.

Read-Write Community String (Optional)

Providing the Read-Write Community string for a network device is only applicable when using Cisco NAC Profiler in the Port Provisioning mode to change port settings as described earlier in this document. If Cisco NAC Profiler will not be used in the Port Provisioning mode, do not specify the Read-Write Community String.

Enter the read-write community string that has been configured on the device for read-write SNMP access.


Note Providing the read-write community strings for network devices is an optional parameter for network device configuration. It is required only when the Cisco NAC Profiler will be used in Port Provisioning mode to make configuration changes to network device configuration parameters as outlined in Chapter 13, "Using the Endpoint Console."


The remainder of the parameters in this portion of the form is applicable only to devices using SNMPv3. If the version of SNMP in use on the network device is SNMPv3, complete these parameters. The following parameters are only displayed if the radio button for SNMPv3 was selected for the method type:

Figure 8-13 SNMPv3 Access Parameters

SNMPv3 User

Provide the SNMPv3 Username to use when authenticating a SNMPv3 session with this network device.

SNMPv3 Authentication Password

Provide the SNMPv3 authentication password to use with the Hash Type that was selected.

SNMPv3 Privacy Password

Provide the password required for the privacy (encryption algorithm type) service that was selected.

SNMPv3 Security Level

Select the SNMPv3 security level in use for SNMPv3 sessions with this network device.

NoAuthNoPriv - No authentication, no privacy (least secure)

AuthNoPriv - Authentication, no privacy (more secure)

AuthPriv - Authentication, Privacy (most secure)

SNMPv3 Hash Type

Select the radio button of the SNMPv3 hash type in use for SNMPv3 sessions with this network device; select either MD5 or SHA1 protocol.

Both protocols are hashing algorithms, which given a message concatenated with a user's key, generate a fingerprint for the string. After the hash is performed, the fingerprint is added to the message (without the key). If any of the data in the packet is modified in-flight, it will be detected when the hash is performed on the received message (minus the fingerprint, plus the user's key), and then the result is compared to the fingerprint that was received.

The two protocols are similar, although MD5 is somewhat faster and SHA is somewhat stronger.
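The authentication mechanism the three SNMPv3 Hash Type paragraphs above describe, worked through in code as an added example (not from this guide or the product): the authentication passphrase is turned into a per-agent key following RFC 3414 key localization, then HMAC-MD5-96 or HMAC-SHA-96 over the message produces the 12-byte fingerprint that travels with the message while the key stays on both hosts. The engine IDs, passphrase and message are constructed sample values; a real USM message carries the fingerprint inside the msgAuthenticationParameters field rather than appended, which this example simplifies.

```python
"""SNMPv3 USM authentication as the chapter describes it (added example,
not from the guide): RFC 3414 key localization and HMAC-96 fingerprints.
Engine IDs, passphrases and the message below are constructed values."""
import hashlib
import hmac

HASHES = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}
FINGERPRINT_LEN = 12  # HMAC-96: only the first 96 bits of the HMAC are sent


def password_to_key(passphrase: str, engine_id: bytes, hash_type: str) -> bytes:
    """RFC 3414 A.2: stretch the passphrase to 1 MiB and hash it (Ku), then
    localize it to the agent: Kul = H(Ku || engineID || Ku). The same
    passphrase therefore yields a different key on every network device."""
    h = HASHES[hash_type]
    pw = passphrase.encode()
    stretched = (pw * (1048576 // len(pw) + 1))[:1048576]
    ku = h(stretched).digest()
    return h(ku + engine_id + ku).digest()


def authenticate(message: bytes, key: bytes, hash_type: str) -> bytes:
    """Append the 12-byte fingerprint of (key, message); the key itself is
    never transmitted. Real USM zeroes the authParameters field while the
    HMAC is computed; appending keeps the chapter's simpler framing."""
    tag = hmac.new(key, message, HASHES[hash_type]).digest()[:FINGERPRINT_LEN]
    return message + tag


def verify(received: bytes, key: bytes, hash_type: str):
    """Split off the fingerprint, recompute over the rest with the local key
    and compare in constant time. Returns (ok, message_body)."""
    if len(received) < FINGERPRINT_LEN:
        return False, b""
    body, tag = received[:-FINGERPRINT_LEN], received[-FINGERPRINT_LEN:]
    expected = hmac.new(key, body, HASHES[hash_type]).digest()[:FINGERPRINT_LEN]
    return hmac.compare_digest(tag, expected), body


def demo(hash_type: str = "SHA1") -> dict:
    """Authenticate a constructed request, then show that in-flight
    modification, a key localized to another engine, and a mismatched hash
    type are all rejected by the receiver."""
    engine_a = bytes.fromhex("80001f8880a1b2c3d4e5f60001")  # constructed
    engine_b = bytes.fromhex("80001f8880a1b2c3d4e5f60002")  # constructed
    key_a = password_to_key("profiler-auth-pass", engine_a, hash_type)
    key_b = password_to_key("profiler-auth-pass", engine_b, hash_type)
    request = b"GET sysDescr.0 sysLocation.0"  # constructed stand-in for a PDU
    wire = authenticate(request, key_a, hash_type)
    tampered = wire[:4] + bytes([wire[4] ^ 0x01]) + wire[5:]  # flip one bit
    other = "MD5" if hash_type == "SHA1" else "SHA1"
    return {
        "fingerprint_len": len(wire) - len(request),
        "accepted": verify(wire, key_a, hash_type)[0],
        "tampered_rejected": not verify(tampered, key_a, hash_type)[0],
        "other_engine_rejected": not verify(wire, key_b, hash_type)[0],
        "wrong_hash_rejected": not verify(wire, key_a, other)[0],
    }
```

`password_to_key` reproduces the RFC 3414 appendix A.3 test vectors ("maplesyrup" with engine ID 0x000000000000000000000002), which is a quick way to confirm the derivation before relying on it.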

SNMPv3 Encryption Algorithm Type

Select the radio button of the SNMPv3 encryption type to use for SNMPv3 sessions with this device; select either DES or AES encryption.

Virtual LAN Settings (Optional)

Providing the Virtual LAN information is applicable only when using Cisco NAC Profiler in the Port Provisioning mode to change port settings as described earlier in this document. If Cisco NAC Profiler will not be used in the Port Provisioning mode, do not enter these parameters.

Default VLAN ID

Enter the VLAN ID that has been configured as the Default VLAN on this device. The VLAN name, "Default", will be used in the Cisco NAC Profiler user interface when managing device port parameters. Although the value presented to the user will be the VLAN name: `Default', the setting of the VLAN ID on each interface of the device will be based on the configuration in this section, specific to the device being configured. This allows Cisco NAC Profiler to be easily deployed in environments where disparate VID values are used for the same VLAN in different parts of the enterprise network.

An example of this is the Printer VLAN, which can vary by floor, building, or campus in some environments. When the VLAN name Printer is selected for applications to a particular port, the specific VID appropriate for each port on each device will be applied to the device configuration by Cisco NAC Profiler.

Authorized VLAN ID

Enter the VLAN ID that has been configured as the Authorized VLAN on this device. The VLAN name, "Authorized", and not the VID value will be used in the administrative screens for managing ports and endpoints when the user is configuring network access for groups of endpoints. Although the value presented to the user will be the VLAN name `Authorized,' the setting of the VLAN ID parameter on each interface will be based on the configuration in this section for the specific device being configured. This allows Cisco NAC Profiler to be easily deployed in environments where multiple VID values are used throughout the enterprise for similar endpoint types.

Other VLANs

Define other VLANs which have been configured on the network device as applicable by specifying one per line in the format VLANname:VID. Like the Default and Authorized VLAN, VLANs specified as available on the device will be presented by VLAN name as pull-down options in the Port Control views enabling the setting of the VLAN parameter on network device ports. The VLAN name provides a level of abstraction in the user interface to allow for inconsistent VLAN IDs used in different areas of the network. Cisco NAC Profiler will track what VID is being used for each VLAN name on a per-switch basis, allowing assignment by name rather than VID.
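The following is an added illustration (not Cisco NAC Profiler code) of the per-device VLAN name abstraction described in the Default VLAN, Authorized VLAN and Other VLANs sections: it parses the one-per-line VLANname:VID format into a name-to-VID map for each device, so that a name chosen in Port Control resolves to whatever VID that particular switch uses. The VLANname:VID format is from the guide; the validation rules (VID in 1-4094, unique names, Default and Authorized reserved to their own fields) and the device and VLAN names are assumptions made for this example.

```python
# Per-device VLAN name -> VID map, mirroring the Default VLAN, Authorized VLAN
# and Other VLANs fields. Added illustration, not Cisco NAC Profiler code.
# The Other VLANs format (one VLANname:VID per line) is from the guide; the
# validation rules below are assumptions made for this example.
RESERVED_NAMES = ("Default", "Authorized")

def parse_other_vlans(text):
    """Parse the Other VLANs field: one 'VLANname:VID' entry per line."""
    vlans = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines are ignored
        name, sep, vid_text = line.partition(":")
        name, vid_text = name.strip(), vid_text.strip()
        if not sep or not name or not vid_text.isdigit():
            raise ValueError(f"line {lineno}: expected VLANname:VID, got {raw!r}")
        vid = int(vid_text)
        if not 1 <= vid <= 4094:
            raise ValueError(f"line {lineno}: VID {vid} is outside 1-4094")
        if name in RESERVED_NAMES:
            raise ValueError(f"line {lineno}: {name} is set in its own field")
        if name in vlans:
            raise ValueError(f"line {lineno}: duplicate VLAN name {name}")
        vlans[name] = vid
    return vlans

def build_device_vlans(default_vid, authorized_vid, other_vlans_text):
    """Combine the three VLAN fields into one name -> VID map for a device."""
    vlans = {"Default": default_vid, "Authorized": authorized_vid}
    vlans.update(parse_other_vlans(other_vlans_text))
    return vlans

def resolve_vid(device_vlans, device_name, vlan_name):
    """Translate the VLAN name chosen in Port Control into the VID that
    this particular device uses for it (assumed lookup, for illustration)."""
    try:
        return device_vlans[device_name][vlan_name]
    except KeyError:
        raise KeyError(f"VLAN {vlan_name!r} is not defined on {device_name}") from None

# Constructed sample: the Printer VLAN has a different VID in each building,
# but Port Control only ever shows the name "Printer".
DEVICE_VLANS = {
    "bldgA-edge-1": build_device_vlans(1, 100, "Printer:110\nVoice:120\n"),
    "bldgB-edge-1": build_device_vlans(10, 200, "Printer:210\nVoice:220\n"),
}
```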

Network Devices

List Network Devices

At any time it is possible to get a list of all network devices currently in the system configuration, and determine the last time the Cisco NAC Profiler system has successfully polled the device.

From the Configuration Tab, select Network Devices from the left hand navigation pane to display the Configure Network Devices table. Selecting the List Network Devices link in the leftmost column of the table will provide a list of all the network devices currently in the system configuration.

The Table of Network Devices has eight columns providing the following information for each device in the configuration:

Name - name assigned to the device when it was added to the configuration

IP Address - address of the primary interface of the device. The IP address of each device is a link to the Edit Network Device form for the device. See Editing a Network Device later in this section.

System Description - Provides the current value of the SysDescr OID on the device which should contain a textual description of the entity. This value should include the full name and version identification of the system's hardware type, software operating-system, and networking software.

Location - Provides the current value (if set) of the SysLocation OID which can be used to describe the physical location of a device.

Contact - Provides the current value (if set) of the SysContact OID which can be used to describe the contact person for this device, together with information on how to contact the person.

Type - device type, either Switch (layer 2) or Router (layer 3).

Group - if the device is assigned to a group the group name is provided.

Last Scan - timestamp of last successful SNMP communication with the device.


Note The Last Scan field can be used to determine whether Cisco NAC Profiler has been unable to initiate, or has lost, SNMP contact with a device (e.g., the time since the last scan exceeds 60 minutes for a Layer 2 device or 10 minutes for a Layer 3 device when the default polling intervals are in use). Some examples of why this can happen include incorrect community strings, changes to firewalls or ACLs, or problems with the SNMP agent on the device, which can usually be cleared by resetting the device. If this field displays 'No Contact', Cisco NAC Profiler has never been able to communicate with the device via SNMP.


Figure 8-14 Table of Network Devices
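As an added example (not Cisco NAC Profiler code), the check below applies the Last Scan thresholds from the Note above to rows read off the Table of Network Devices: a Switch is flagged after 60 minutes, a Router after 10 minutes, and a device showing 'No Contact' is flagged as never polled. The row tuples, device names and timestamps are constructed for the example; the thresholds assume the default polling intervals are in use.

```python
# Stale-device check using the Last Scan thresholds from the Note: a device is
# flagged when its Last Scan is older than 60 minutes (Switch, Layer 2) or
# 10 minutes (Router, Layer 3) with default polling intervals, or when it
# reads 'No Contact'. Added example, not Cisco NAC Profiler code; the rows are
# constructed from the Name, Type and Last Scan columns of the table.
from datetime import datetime, timedelta

STALE_AFTER = {"Switch": timedelta(minutes=60), "Router": timedelta(minutes=10)}

def check_last_scan(rows, now):
    """rows: iterable of (name, type, last_scan) tuples, last_scan being an
    ISO-8601 timestamp string or the literal 'No Contact'.
    Returns a list of (name, reason) for devices that need attention."""
    findings = []
    for name, dev_type, last_scan in rows:
        if dev_type not in STALE_AFTER:
            raise ValueError(f"{name}: unknown device type {dev_type!r}")
        if last_scan == "No Contact":
            # Never polled: wrong community string, ACL or firewall is likely.
            findings.append((name, "never polled via SNMP"))
            continue
        age = now - datetime.fromisoformat(last_scan)
        limit = STALE_AFTER[dev_type]
        if age > limit:
            minutes = int(age.total_seconds() // 60)
            findings.append((name, f"last scan {minutes} min ago exceeds {limit.seconds // 60} min"))
    return findings

# Constructed sample rows as they might be read off the Table of Network Devices.
NOW = datetime(2019, 8, 6, 12, 0, 0)
SAMPLE_ROWS = [
    ("edge-sw-1", "Switch", "2019-08-06 11:30:00"),   # 30 min old, within 60
    ("edge-sw-2", "Switch", "2019-08-06 09:45:00"),   # 135 min old, stale
    ("dist-rtr-1", "Router", "2019-08-06 11:55:00"),  # 5 min old, within 10
    ("dist-rtr-2", "Router", "2019-08-06 11:40:00"),  # 20 min old, stale
    ("lab-sw-9", "Switch", "No Contact"),             # never polled
]

if __name__ == "__main__":
    for name, reason in check_last_scan(SAMPLE_ROWS, NOW):
        print(f"{name}: {reason}")
```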

Device Tree

Cisco NAC Profiler helps organize your devices and device groups by maintaining a Network Devices 'tree view' in the left side bar panel. This expandable view shows all the devices that have been configured in Cisco NAC Profiler and which group(s), if any, they belong to.

Expanding the Network Devices tree view will display grouped and ungrouped devices. Figure 8-15 illustrates an expanded Network Device Tree view.

Figure 8-15 Network Device Tree View

Editing a Network Device

It may be necessary from time to time to edit devices added to the system configuration. An example of when this might be necessary is enabling Profiler Events as described in Chapter 11, "Integration with Cisco NAC Appliance." Profiler Events cannot be enabled on the ports of a network device until the device has been successfully polled by Cisco NAC Profiler; enabling them is done using the Edit procedure outlined in this section. In addition, if community strings or other parameters of the network device change, those changes must be entered in the network device's entry in the Cisco NAC Profiler configuration.

To edit a device already added to the system configuration, navigate to the Table of Network Devices to list all the network devices in the system configuration and their status.

The IP address of each network device (second column of the Table of Network Devices) is a link that opens the Edit Network Device form for the selected device. Figure 8-16 illustrates an example Edit Network Device form. Current values for all network device parameters are shown in the form, and can be edited as necessary.

If Profiler Events have been configured as described in Chapter 10, "Configuring Cisco NAC Profiler Events," a section appears on the Edit Device form that is not present when the device is first added. These controls appear only after Profiler Events that are enabled per device, such as MAC Change or Profile Change events, have been added to the system configuration and the device has been polled by NetMap.

This section of the form allows the configured Profiler Events to be enabled on a per device basis, on selected ports. See Figure 8-16.

Figure 8-16 Edit Network Device Form

For each Event in the system configuration, a check box appears by the event name which is used to enable the event in the configuration of the network device being edited. This checkbox must be checked in order for the selected event to be triggered on this device.

At the bottom of the Edit Device form there are four buttons: Update Device, Remove Device, Clear Device Ports and Query Now, as illustrated above. The function of each of these buttons is as follows:

Update Device is used to save any changes to the network device configuration to the Profiler Server Database.

Remove Device is used to delete the network device from the Profiler Server database.

Clear Device Ports is used when the physical configuration of a network device has been changed. If ports or blades are added to a network device, for example, Clear Device Ports can be used to synchronize the current configuration of the device with the Profiler Server Database.

Query Now will result in the Cisco NAC Profiler signaling the NetMap module on the Collector assigned to poll the network device to begin a poll immediately.


Note If changes have been made to a network device configuration, selecting Query Now before updating the device will result in device configuration changes being lost. Whenever Query Now is selected a dialog box will appear reminding the user that configuration changes will be lost. Select yes to proceed with the device poll, or no to return to the form.


If Query Now is selected, the interface displays the message in Figure 8-17:

Figure 8-17 Query Now Message

Find Network Device

Cisco NAC Profiler's Find Device option enables searching for a particular device by its IP address and/or device name, as well as by the contents of the System Description. To use the Find Network Device tool, navigate to the Configuration Tab, select Network Devices, and then select Find Device from the table on the Configure Network Devices page. (The Find Network Device tool can also be launched from any of the Network Device Configuration pages using the link at the top of the main pane.) Either method brings up the Find Network Device form illustrated in Figure 8-18.

Figure 8-18 Find Network Device Form

The fields of the form are utilized to enter search criteria about the device(s) to be searched for:

Device Name

If the exact name of the device is unknown, enter a portion of the name. Cisco NAC Profiler will search based on the input character string and return all matches of that string. For example, if searching for a Cisco Catalyst 3750 for which the device name is unknown, simply enter '3750' in the 'Device name' field. Cisco NAC Profiler will return every record in the database containing '3750'.

IP Address

Enter the complete host IP address of the network device for which to search the database.


Note Cisco NAC Profiler will 'OR' the information entered into both fields and present a table of matches. Additionally, the string entered in the Device Name field is matched against the contents of the SysDescription OID in the device MIB as well as against the name assigned to the device in the Profiler Server Database.


The results of a Find Network Device search are returned as a subset of the Table of Devices based on the search criteria entered in the Find Network Device form. An example of a network device search in which the Device Name field of the Find Device form was specified as 'Archimedes' is shown in Figure 8-19.

Figure 8-19 Find Network Device Results

The Table of Network devices returned from a find device operation operates identically to the Table of Network devices as described earlier. Clicking on the device IP address opens the Edit Network Device form, and all options described in editing a network device above are available.