Installation

Please see the Windows GUI Installation chapter of the FreeNAC Installation Guide (http://FreeNAC.net/en/installguide).

Starting the GUI: Overview & Edit Tabs

After starting the Windows GUI (vmps.exe) and pressing on 'connect', the user's name and permissions are shown in the title bar.

The initial tab show is either the Overview or Welcome tab, depend on the version. 

 

In the title bar one sees the name of the use logged on, the organisation short name (INO above) and the rights that user has (read-only, edit, or administtrator)

Overview Tab

The overview tab contains a list of end-devices on the network.

Key fields are noted in blue.

• The ‘today’ and ‘unknowns’ toggle buttons are in the “down” state when you start the GUI, meaning that only unknown systems seen in the last 24 hours are displayed.
• Press each button again to put them in the “up” status, or press the “all” button to see every systems in the overview.
• There are also several drop-down lists for showing the systems per user, per switch, per group of switches, per vlan, and vlan group.
• Each of these filters inserts an appropriate text into the filter row in the grid. In fact you can add your own manual filters there too!

Edit Tab

In blue below is the crucial information: mac address, the status (which must be active if a device is allowed access) and the vlan assigned.
The red box is information about when the end-device was last seen, and where.

All other fields are informational, and thus an option. You need to decide what is best for your environment. We come back to the Edit Tab in more detail later
There are several optional modules (nmap, static inventory, patch cables, McAfee Anti-virus), if these are not enabled in your environment, they will be disabled or invisible.

Device expiry: With v2.2, one can set an expiry date for devices in NAC. This may be useful in limiting how long external visitors have access.
When an expired device is detected, its is set to the "killed" state, and an email alert is sent. In the killed state the device is blocked, but no alerts are sent.

Status: Is this system enabled, not yet authorised, not actively managed by NAC, or to be explicitly denied?

DNS forward/reverse lookups are used to verify naming consistency. The 'copy' button write the DNS name as the system name.

 

Edit Tab: nmap and Anti-Virus

The Nmap scanning module can detection operating system version and open ports. It can scan one device immediately (on demand), or automatically scan (via cron) the list of IP addresses in the NAC database on a scheduled basis.

If the McAfee EPO module is enabled, the operating system of end devices, as reported by McAfee, and the current Anti-Virus status, can be displayed.

Beside the Anti-Virus tab, we also see an “inventory” tab above. This provides access to static inventory data, if an interface to your In-House inventory management has been created.

GUI Change Log: who is logged on, what have they done?

A trace of key changes made within the GUI is available, allowing historical changes to be attributed.

 

Patch Cables

The Cabling screen is design to allow complete documentation of cabling rooms, not just LAN cables, but telephone, point to point etc.

In the blue box is a switch a port referenced by a specific cable. The other fields are:

• Rack: consists of floor number, room number, and rack number
• Rack socket: which unit number, counted from the ground up, and which socket, counted from the left
• Office socket: the name written on the final Socket (at the user’s desk)
• Office: the location of the final socket.
• Users in that office: this information is automatically looked up from a central user directory
• Cable type: dynamic (i.e. computer LAN with NAC), static (static LAN port), telco, phone, point-to-point, adsl
• Switch port: a reference to an existing switches / ports documented in NAC
• Destination: floor number - room number, rack number (1 digit), switch port (e.g. 6/36)

Report generation

The reporting tab allows some standard reports to be generated, and these can optionally be exported to excel. The reporting interface is very flexible with sorting & filtering allowing custom reports to be generated.

In the above example, the “Unused Systems” report was run.
Note that if you let the mouse hover over the button of each report it tells you what the report does, e.g. “Devices not seen in over 30 days”.

All reports are presented in a generic grid

• Column header features: for sorting click one on the header.
• Select the header drop-down selection list, to filter specific elements
• Click and hold between columns to resize
• Click a column header and drag to reorder columns.
• The 2nd row is a generic filter field: e.g. enter ‘HR*’ in the Department column to get all HR systems.
• For the group by function: drag column headers to the top part
• To select what fields are visible, click the botton to the left of 'name' above and tick the fields needed.

 

Server Log: what is the server doing?

Server-side vents are viewed in the 'server log' tab

 

Switches

Switches

When adding a new switch, the key fields to complete are the name and IP address.

Control of switch activity is set in the scan and 'vlan for switch' fields. The first enables or disables passive SNMP scanning, the second sets a Vlan to be assigned to all Known End-Devices that connect to that switch (if this feature is enabled in the policy).

Some fields are automatically queried by FreeNAC and cannot be changed manually, such as the last monitored time, up/down status and hardware/software version.

The following fields are for documenting & alerting purposes:

• location
• group field, used in the overview tab for grouping
• comment
• Emails list for notifications of new unknown devices

Ports

Each Switches has ports. On a port basis, the basic fields are:

• switch name, port name
• Documentation fields: Location/office, comment, patch cable details (if the PatchCable option is enabled, and the table filled)
• Fields automatically filed by FreeNAC: last vlan used on that port, and when that port was last used (read-only fields)

Certain values can also be programmed onto switches:

• Default vlan, for that port (i.e. override the global default)
• static or dynamic assignement
• port shutdown
• Restart

Configuration / Advanced administration

Introduction to Initial Configuration

Advanced administration is group together in several sub-tabs within the "Administration" tab (version 2.2 RC2 and later). This tab is only visible to Administration (users with nac_rights=99), and not read-only or write users.

There are several tabs:

• config
• NmapSubnets
• Locations
• DeviceTypes
• OperatingSystem
• Vlans
• Users

To get running initially,

• an administrator needs to be configured in the Users tab, with nac_rights=99.
• the vlan names and numbers need to be defined in the 'vlan' tab.
• appropriate modules and configuration options need to be enabled in the 'config tab'

Optionally, for better documentation and device tracking, the Location, DeviceTabs and OperatingSystems tabs should be examines.

'Config' tab

The config table contains a list of settings on the server, that can be changed via this GUI. Do not make changes here, unless you understand the consequences.

Each entry has a type, name, value, comment (explaining what the variable is) and a date indicating when it was last changed.

Some key entries are listed below:

• DemoMode: Allows the GUI to be used by anyone without rights checking (value='1'), for initial testing. This should be set to '0' in production.
• Disable or enable server side modules.
  e.g. AntiVirusEnabled, check_for_expire, detect_hubs, lastseen_sms, NmapEnabled, PatchCableEnabled, StaticInvEnabled.
  ==> It is recommended to disable all of these after an initial install, to keep the system as simple as possible. Then enable each option one by one and test.
• GUI user authentication: guidomain
• default_vlan: what is the DB index of the global default valn to be used for unknown end-devices?
• set_vlan_for_unknowns: When unknowns are added to the DB automatically, what vlan index should they be assigned? This is typically the same as default_vlan.
• router_*:  Router relevant configuration.

To do: references to documentation where all of these options are described!

Configuration: Users

Users can be created locally with NAC, but are usually synchronised via an external Enterprise data source such as Active Directory.

The Key fields are the

• Username
• NAC GUI rights: Administrator, Edit mode, Readonly (Otherwise, no access)
  See also the WinGUI installation.

A new field 'Gui Vlan Rights' was introduced in v3. This restricts the Vlans which the GUI users can select from in the Edit tab. This improves ease of use (a specific user can be shown only the vlans relevant to him/her) and security (if there are sensitive vlans that should not be visible to all). The field contains a comma separated list of vlan indices (not vlan numbers).
This field can only be changed if you have Administrator rights.

The Comment field is not synchronised with Directories, so its information stored locally only on the user stored in NAC.

The Manual Directory Sync is used for forcing a single user synchronisation, for advanced administration only.

The queries on the right provide a list of NAC configured administrators, those who can make changes, and the list of users with read-only access.

Configuration: Vlans

The VLAN table must contain the exact VLAN name as configured on the switch, this table needs to be filled out when FreeNAC is initially installed.

Fields:

• The Group is used is collect VLANs of the same security level and physical location: if hub detection is enabled, NAC will switch a users VLAN within a VLAN group, to avoid conflicts on hubs.
• The ‘Gui Description’ is the name shown in the Edit tab, and should be easy to understand for first level support staff.
• The Number corresponds to the VLAN number on the switch. This number is only used for documentation.
• The Name must correspond exactly to the VLAN name on the switch.

The “VLAN exception” table is a feature allowing location dependant VLANs i.e. when VLAN naming is not consistent across switches, or not all VLANs are available on all switches. The also the Technical Guide chapter .

• The Switch and DefaultVLAN fields are the standard values, lookups (i.e. indices) into the switch and vlan tables.
• The ‘VLAN on this switch’ is a text field containing the name of the VLAN to be assigned to end-devices that connect to this switch.
• So lets say there is an OfficeLAN and PrinterLAN in the main vlan table, but on switch 'sw101', there is only one LAN called 'LAN1'.
  Then two entries need to be created in the VLAN exception table:
  

  sw101 OfficeLAN LAN1
  sw101 PrinterLAN LAN1
  

Configuration: locations, device types

The documentation of where Users and Devices depending on buildings being defined, and then a list of locations or offices defined within that building. When locations have been defined, they are available in drop down lists on the Edit, Switch, Users and PatchCable tabs.

On some sites the Buildings and Locations are automatically synchronised from Enterprise sources.

The device type tables are just categories that you would find useful in for organisation for the end devices. They are used in the Edit Tab.

Configuration: Operating System

Four lookup tables are used to define the list of operating system options presented in the ‘Edit Tab’. These lookup are visible under the 'administration' tab.

These values are purely documentary in nature and are not automatically detected.

tail -f /var/log/messages | egrep "MACNOTRECONFIRMED|000000000000" 

egrep "MACNOTRECONFIRMED|000000000000"  /var/log/messages   

tail -f /var/log/messages | egrep "DENY|ALLOW"

tail -f /var/log/messages | egrep "Note"

tail -f /var/log/messages | egrep "vmpsd_external|postconnect"

tail -f /var/log/messages | grep vmpsd

egrep -v `uname -n` /var/log/messages |awk '{print $4}'| sort| uniq -c |sort   

tail -1000 /var/log/messages | egrep "DENY|ALLOW"  | awk '{print $6, $7, $9}'| sort -u

 pgrep -l mysqld

  pgrep -l vmpsd

  pgrep -l vmps_lastseen

reboot 

/etc/init.d/mysql restart
/etc/init.d/vmps restart
/etc/init.d/vmps_lastseen restart

/etc/init.d/vmps start

 /opt/nac/bin/vmpsd -e /opt/nac/bin/vmpsd_external.php  -l 0x0204

 /opt/nac/bin/vmpsd -e /opt/nac/bin/vmpsd_external.php  -l 0x0204 -a 10.10.10.10

/opt/nac/bin/vmpsd -e /opt/nac/bin/vmpsd_external.php

 echo test | /opt/nac/bin/vmpsd_external.php

  tcpdump -n port 1589                   [sniff vmps requests]

  tcpdump -i eth1 host MYSWITCH and not port telnet

  snoop –d qfe0 port 1589

vqpcli.pl -v domain1 -s 192.168.245.19 -w 10.0.0.1 -i 2/4 -m 0010.0000.0000

./vqpcli.pl -s 192.168.245.40 -v VTP_DOM -w 193.5.222.1 -i 'Fa0/17' -m '0800.20b0.cb95' -c VLAN1

./vqpcli.pl -s 127.0.0.1  -v VTP_DOM -w 193.5.222.1 -i 'Fa0/17' -m '0800.20b0.cb95' -c VLAN1

tail -500 /usr/local/var/log/radius/radius.log|egrep "User-Name|Exec-Program output|NAS-|Calling-Station-Id|check_mac" 

tail /usr/local/var/log/radius/radius.log

tail -1000 /usr/local/var/log/radius/radius.log 

tcpdump -i eth0 -n host 10.0.0.1    (IP=Access Point)

tail /opt/samba/var/log.nmbd
tail /opt/samba/var/log.smbd
tail /opt/samba/var/log.winbindd
tail /opt/samba/var/log.wb-DOMAINANME 

NAC server: command line tips

The following are some example for advanced troubleshooting on the server command line.