Published On: August 6ᵗʰ, 2019 02:08

Cisco NAC Profiler Installation and Configuration Guide, Release 2.1.8

This chapter includes the following topics:

Overview

Accessing the Cisco NAC Profiler User Interface

Installing Licenses

Adding Additional Networks to the Configuration

Editing Networks Previously Configured

Saving Configuration Changes

Overview

The first task to complete in the configuration of Cisco NAC Profiler is the installation of the license files necessary to enable the operation of the system components. Upon successful installation of the license files, the system is configured with the information it needs to define the bounds of the address space for which it will provide Endpoint Profiling and Behavior Monitoring.

Follow the instructions outlined in this chapter to install the license and describe the specifics of the target environment for Cisco NAC Profiler.

Accessing the Cisco NAC Profiler User Interface

Prior to beginning this procedure, all Cisco NAC Profiler Server appliance(s) in the system should have been installed and started up according to the instructions in Chapter 4, "Installation and Initial Configuration". Perform the initial installation steps before continuing with the following instructions.

To begin configuring your Cisco NAC Profiler system, open the Cisco NAC Profiler user interface. Open a web browser and enter the IP address of the management interface of the appliance running the Profiler Server for the system to be managed in the URL field in the following format:

https://[configured IP address]/

For HA pairs, the system is managed via the GUI using the VIP for the HA pair.

Prior to opening the interface, a valid user name and password for the system must be provided. The web UI password for the administrator user ('admin') is set during the appliance start up scripts for Profiler Server appliances. Providing the admin user name and the password set during startup for web user authentication results in the display of the Cisco NAC Profiler user interface home page in the browser, shown in Figure 5-1.

Figure 5-1 Cisco NAC Profiler Web-Based UI Home Page

The Cisco NAC Profiler user interface is designed to provide multiple methods of navigation to support the varied preferences of administrators and operators. The tabs along the top of the page are organized to provide quick access to the interfaces for the primary areas of functionality of Cisco NAC Profiler: Configuration, Endpoint Console, and Utilities. Selecting one of these tabs at any time redirects the interface to the main page for that primary area of functionality. Each of the main pages has a left navigation bar and a table that provides links to the applicable sub-interfaces for that primary area of functionality.

The Home tab is the main page for the Cisco NAC Profiler application user interface, as well as the landing page. The left navigation bar on the Home tab provides general links to the Cisco NAC Profiler product: Getting Started, Support, and Upload Licenses.

Installing Licenses

Prior to beginning configuration of standalone or HA-pair Profiler Servers, it is necessary to install licenses to enable all features. The licenses for the Profiler Server(s) and the Collector(s) for a given system are managed through the Cisco NAC Profiler web interface served by the Profiler Server(s) and accessed via a web browser.

Prior to beginning the procedure that follows, ensure the license files required to enable your Cisco NAC Profiler system are available either on the system being used to access the web interface or on a network resource accessible from that machine. The license files have a ".lic" extension, and the license for each component of the system is tied to the physical address of the hardware for that component. Ensure that the license file is correct for the specific hardware of the system being configured.

A valid license file is required for the Profiler Server, or Profiler Server pair in the case of HA implementations. A valid license file is also required for each Collector (or HA-Collector pair).

As shown in Figure 5-1, the home page menu includes an option entitled 'Upload Licenses'. Select this option to bring up the Import FlexLM License form. See Figure 5-2.

Figure 5-2 Import FlexLM License Form

Use the Browse button to locate each of the license files required for the system being configured, and then select the Import License button to import the file and enable full functionality of the system. Remember, each component of the system (e.g., Server or Server pair and Collector or Collector pair) requires a valid license in order to run.

To verify that the Server license has been installed correctly, navigate to the Configuration Tab and select Profiler Modules -> List Profiler Modules. In the Table of Modules that is displayed, if the Server is reporting the 'Running' status (see Figure 5-3), the license for the Profiler Server has been successfully installed.

Figure 5-3 Profiler Server Indicating Running Status

In order to verify that the Collector license(s) have been properly installed, follow the procedure outlined in Chapter 7, "Configuring Collector Modules," to add the Collector(s) to the system configuration. If Collectors are added to the system configuration without valid license keys installed as outlined above, the status for the Collector in the Table of Modules will indicate 'Licensing issue'. A valid license key file must be installed in order to enable the Collector for configuration and normal operation.

Configuration Tab

The Configuration tab is used to perform a variety of Cisco NAC Profiler system configuration management tasks such as defining the bounds of the network (e.g., My Network configuration), adding and configuring the Profiler Server system and the Collector modules, specifying the network devices that Cisco NAC Profiler will interact with, creating and managing Endpoint Profiles, creating and managing Endpoint events, and adding and managing user accounts. Essentially all configurable parameters of Cisco NAC Profiler are accessible from this tab through the left-hand navigation pane or the links in the main pane. See Figure 5-4.

Figure 5-4 Cisco NAC Profiler Configuration Tab

My Network

The My Network configuration enables the specification of the address space or spaces for which Cisco NAC Profiler will perform its Endpoint Profiling and Behavior Monitoring functions. The NetWatch module or modules deployed for use by Cisco NAC Profiler monitors all network traffic forwarded to the defined monitoring interface(s) which may extend across multiple Collectors. Depending on the placement of the interface(s), this traffic may include packets not originating from the internal network. The My Network configuration assures that Cisco NAC Profiler is only performing its functions on traffic for the desired network addresses and only profiling endpoints in the specified range of devices.

To access the My Network configurations, select the Configuration tab and then select the My Network option in the left side navigation menu. Figure 5-5 shows a Network Description form. Complete this form to provide the My Network configuration for Cisco NAC Profiler.

This form is intended to gather general information about the overall characteristics of the network. The only required fields are the Organization Name and Internal Address Blocks.

Figure 5-5 Network Description Form

In addition to the required fields of Organization Name and Internal Address Blocks, the Network Description dialog contains optional fields for entering host IP addresses of print servers and voice gateways pertinent to Endpoint Profiling and Behavior Monitoring. These addresses can be utilized by Cisco NAC Profiler to perform Inference Based Profiling. Inference Based Profiling is an optional profiling feature in Cisco NAC Profiler that combines specified IP addresses with the equivalent well known communication port to infer that any end node communicating with it is of a particular type. For example in the case of a print server, the communication port would be 9100 and any end nodes communicating with the server would be considered printers.

The following sections provide an overview of each of the fields on the Network Description form, and instructions for entering the data to define My Network parameters for the target environment.

Organization Name

Enter a name which will indicate what this address space is representing. This value is for the user's reference only and can be any value that is useful in understanding what segment of the network this group of addresses represents.

The organizational name will be used when adding interfaces to the NetWatch module(s) in the Cisco NAC Profiler system to determine the traffic of interest for each monitoring interface.

Internal Address Blocks

Specify the IP address space in the Internal Address Blocks field. The format is X.X.X.X/CIDR; for example, 10.10.0.0/16 means any IP address in which the first two octets are 10.10.

Print Servers

Optionally enter the IP address of each print server, one per line. This is used for inverse rule creation, in which devices that are communicated with by the print server using the specified protocols (hard coded in this case) are profiled as printers.

Voice Gateways

Optionally enter the IP address of each voice gateway, one per line. This is used for inverse rule creation, in which endpoints that are communicated with by the voice gateway via SIP are profiled as phones.
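The two My Network mechanisms described above (the Internal Address Blocks scope filter and the print-server/voice-gateway inverse rules) can be illustrated with a small model. The following is an added example, not code from the guide or from Cisco NAC Profiler itself; the address blocks, server addresses and flow records are constructed, port 9100 is the printer port the guide names, and port 5060 is assumed as the standard SIP port for the voice-gateway rule.

```python
import ipaddress
from collections import namedtuple

# Constructed "My Network" configuration (sample values, not from the guide).
INTERNAL_BLOCKS = ["10.10.0.0/16", "192.168.50.0/24"]
PRINT_SERVERS = {"10.10.5.10"}
VOICE_GATEWAYS = {"10.10.7.1"}
PRINTER_PORT = 9100  # port the guide names for print-server inference
SIP_PORT = 5060      # assumed: standard SIP signalling port for the voice-gateway rule

# One observed flow: initiator, responder, destination port, transport.
Flow = namedtuple("Flow", "src dst dport proto")

def parse_blocks(blocks):
    """Parse X.X.X.X/CIDR strings; strict=False also accepts 10.10.1.1/16."""
    return [ipaddress.ip_network(b, strict=False) for b in blocks]

def is_internal(ip, networks):
    """True when ip falls inside any configured Internal Address Block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def infer_profiles(flows, networks):
    """Inverse rules: an endpoint the print server talks to on 9100 is a printer;
    one the voice gateway talks to over SIP is a phone. Out-of-scope endpoints are skipped."""
    profiles = {}
    for f in flows:
        if not is_internal(f.dst, networks):
            continue  # outside My Network: never profiled
        if f.src in PRINT_SERVERS and f.dport == PRINTER_PORT and f.proto == "tcp":
            profiles[f.dst] = "printer"
        elif f.src in VOICE_GATEWAYS and f.dport == SIP_PORT and f.proto in ("udp", "tcp"):
            profiles[f.dst] = "phone"
    return profiles

# Constructed flows: two printers, one phone, one external host, one non-matching port.
SAMPLE_FLOWS = [
    Flow("10.10.5.10", "10.10.20.5", 9100, "tcp"),
    Flow("10.10.5.10", "192.168.50.9", 9100, "tcp"),
    Flow("10.10.7.1", "10.10.30.7", 5060, "udp"),
    Flow("10.10.5.10", "203.0.113.4", 9100, "tcp"),  # outside Internal Address Blocks
    Flow("10.10.5.10", "10.10.40.2", 443, "tcp"),    # not the hard-coded printer port
]

def run_example():
    return infer_profiles(SAMPLE_FLOWS, parse_blocks(INTERNAL_BLOCKS))

if __name__ == "__main__":
    for ip, profile in sorted(run_example().items()):
        print(f"{ip:15} -> {profile}")
```

The external host is dropped by the scope check before any rule runs, which is the behaviour the My Network configuration exists to guarantee.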

Save the My Network configuration by selecting the Save Settings button.

When the My Network data is saved to the system configuration for the first time, the system prompts the user to proceed to the NAC Profiler Modules configuration page. To proceed with module configuration, click on the link provided and proceed to the next chapter for instructions on NAC Profiler Module Configuration.

Adding Additional Networks to the Configuration

To add additional Networks to the system configuration at any time after initial system configuration, select My Network from the left navigation menu on the Configuration Tab. This will result in the Choose Network form being displayed in the main pane (see Figure 5-6). This form allows the selection of any of the previously configured Networks for editing, or enables the addition of new networks to the configuration by entering a new Organization/Division name.

Figure 5-6 Network Name Form

When adding additional Networks to Cisco NAC Profiler configuration, type a name for the new Network in the New Organization/Division Name field and select the Continue button. The Network Description form described earlier in this section will be displayed to gather the details on the new network being added to the configuration.

Editing Networks Previously Configured

To edit previously saved Networks, select My Network from the left navigation bar to display the Choose Network form illustrated above. Use the drop-down list to select the desired network for editing and select the Continue button. The previously described Network Description form is displayed with the fields populated with the last saved data. To make changes, edit the necessary fields and select the Save Settings button to save changes to the configuration.

Saving Configuration Changes

Cisco NAC Profiler configuration is stored in the database maintained by the Profiler Server. Changes are made to the system configuration through the web-based User Interface via the forms illustrated in this chapter and the remainder of the Configuration Guide. Most of the forms include a control that allows saving or updating the data captured in the form. However, the majority of configuration changes, particularly those made to the configuration of the modules, are not committed to the running configuration until the administrator performs an update of the modules. To update the configuration of Cisco NAC Profiler modules, and ensure any configuration changes are made to the running configuration, follow this procedure:

Select the Configuration tab, and select Apply Changes from the left-hand navigation pane, or the Apply Changes link in the Configuring NAC Profiler table in the main pane. Figure 5-7 shows an Update Profiler Modules page.

Figure 5-7 Update Profiler Modules Page

Update Modules

Select Update Modules to update the configuration of all modules and to commit configuration changes to the running configuration. Upon the selection of the Update Modules button, the Cisco NAC Profiler system will update the configuration of all system and Collector component modules, then perform a system restart with the new configuration. Using Update Modules ensures that all configuration changes made and saved using the UI will be committed to the running configuration of the Cisco NAC Profiler system.

The Apply Changes page contains two other options in addition to Update Modules: Re-Map and Re-Model.

Re-Map

Used to direct all NetMap modules to initiate a poll of the network devices they have been designated to monitor to update the map of the network topology maintained in the Cisco NAC Profiler database.

Re-Model

Used to direct the Modeler component of the Server module to re-model all endpoints in the database against the most current information without forcing a restart of the entire Cisco NAC Profiler system. Re-Model is used when new Profiles are added to the configuration, and it is desirable to re-evaluate all endpoints against the new Profiles and the rules bound to them.
