3.1 Installing Novell ZENworks Network Access Control for the First Time

For first-time installations, use the install CD. Create an install CD from an International Organization for Standardization (ISO) image downloaded from the Novell Web site, or request one from Novell. The installation process loads both the Novell ZENworks Network Access Control application and the custom, hardened operating system (OS) on which Novell ZENworks Network Access Control runs.

HINT:If you already have a CD, skip to Section 3.1.2, Creating the Installation CD from the Novell ZENworks Network Access Control Download.

This section covers the following tasks:

3.1.1 Downloading the New Install ISO Image

After you download the ISO image, create a CD (see Section 3.1.2, Creating the Installation CD from the Novell ZENworks Network Access Control Download), and then perform the installation from the CD (see Section 3.1.3, Installing Novell ZENworks Network Access Control).

To download the new install ISO using Internet Explorer:

Internet Explorer (IE) or other browser

  1. Locate a computer that has a browser installed and is connected to the Internet.

  2. Open a browser window and open the Novell Downloads page.

    The approximate file size is 450 MB.

  3. A pop-up window appears with instructions about saving the file. Click Save.

  4. A pop-up window appears instructing you to select a directory in which to save the file. Navigate to a location that you will remember when it is time to create the install CD. Click Save.

  5. The download window appears, showing the status of the download process. This download can take a lot of time, depending on your connection speed.

  6. After you download the file (ISO image), you need to create a CD (see Section 3.1.2, Creating the Installation CD from the Novell ZENworks Network Access Control Download), and then you can use that CD to install the Novell ZENworks Network Access Control software (see Section 3.1.3, Installing Novell ZENworks Network Access Control).

NOTE:Downloading an ISO image file and creating an installation CD is not the same process as just copying a file to a CD.

3.1.2 Creating the Installation CD from the Novell ZENworks Network Access Control Download

HINT:If you already have a Novell ZENworks Network Access Control installation CD, go to Section 3.1.3, Installing Novell ZENworks Network Access Control.

You must have a CD to install Novell ZENworks Network Access Control. This section describes how to create one from the downloaded ISO image.

To create the Novell ZENworks Network Access Control installation CD:

  1. For Windows:

    1. Most current CD-burning software supports creating CDs from ISO images. Open the ISO file with your CD-burning software. If it recognizes the ISO file, proceed with the CD-burning process.

      or

    2. Right-click on the ISO file and choose Open with>>Choose program and select your CD-burning software. After your CD program launches, create the CD using the typical procedures.

      HINT:A free CD-burning application you can try is CDBurnerXP Pro.

  2. For Linux:

    Most Linux systems include the cdrecord command; however, cdrecord syntax varies depending on the specific distribution. Consult your documentation for the correct syntax for your version.

    For example:

    cdrecord -v speed=8 dev=0,0,0 /tmp/imagefile.iso
    

    Where 8 is the speed of your burner, and /tmp/imagefile.iso is the path and file name of the ISO file you wish to copy.
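
As an added example (not part of the Novell documentation), the following shell functions confirm that the downloaded file is an ISO 9660 image and that the burned disc reads back identical to it. The device path in the usage comment is an assumption, and because this page does not publish a checksum for the image, none is compared.

```sh
#!/bin/sh
# Added example: check the downloaded image and the burned disc.

# True when the file carries the ISO 9660 signature "CD001", which sits
# at byte offset 32769 (sector 16, one byte into the volume descriptor).
# A saved HTML error page or a truncated download fails this test.
is_iso9660() {
    magic=$(dd if="$1" bs=1 skip=32769 count=5 2>/dev/null | tr -d '\000')
    [ "$magic" = "CD001" ]
}

# Print the SHA-256 of the first $2 bytes of file or device $1.
hash_prefix() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# verify_burn ISO DEVICE
# Returns 0 when DEVICE begins with a byte-for-byte copy of ISO, 1 when it
# differs, 2 when the inputs are unusable. Only the ISO's own length is
# compared, because a drive may return padding sectors after the image.
verify_burn() {
    iso=$1; dev=$2
    [ -r "$iso" ] || { echo "cannot read $iso" >&2; return 2; }
    [ -r "$dev" ] || { echo "cannot read $dev" >&2; return 2; }
    is_iso9660 "$iso" || { echo "$iso is not an ISO 9660 image" >&2; return 2; }
    size=$(wc -c < "$iso" | tr -d ' ')
    want=$(hash_prefix "$iso" "$size")
    got=$(hash_prefix "$dev" "$size")
    if [ "$want" = "$got" ]; then
        echo "OK: $dev matches $iso ($size bytes, sha256 $want)"
        return 0
    fi
    echo "MISMATCH: $dev differs from $iso; burn the CD again" >&2
    return 1
}

# Usage (device path is an assumption; use your own drive):
#   sh verify_burn.sh /tmp/imagefile.iso /dev/cdrom
if [ $# -eq 2 ]; then
    verify_burn "$1" "$2"
fi
```

Run the check before booting the target server from the CD, since the installer reformats the hard drive as soon as installation is confirmed.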

3.1.3 Installing Novell ZENworks Network Access Control

When you install the Novell ZENworks Network Access Control software for the first time, you need to put the Novell ZENworks Network Access Control CD directly into the computer that will be the Novell ZENworks Network Access Control server (MS or ES). You cannot install any other software on this computer. Installing the Novell ZENworks Network Access Control software also installs the operating system (OS) that Novell ZENworks Network Access Control uses. This OS is hardened, making it very secure.

IMPORTANT:Installing third-party software on the Novell ZENworks Network Access Control server is not supported. If you install additional software on the Novell ZENworks Network Access Control server, you will have to remove it in order to troubleshoot any Novell ZENworks Network Access Control issues, and it will likely be partially or fully overwritten during Novell ZENworks Network Access Control release upgrades or patch installs, compromising the third-party software functionality. Additionally, installing third-party software and/or modifying the Novell ZENworks Network Access Control software may violate your license agreement. Please refer to the Novell EULA, which can be found in the Novell ZENworks Network Access Control Users Guide.

There are two scenarios for Novell ZENworks Network Access Control installation:

  • Single-server installation — Install Novell ZENworks Network Access Control as a single-server installation, where the MS and the ES are both on the same server. The ES is automatically joined to an Enforcement cluster. The high availability (HA) and load balancing (LB) functions are not available with this installation option.

  • Multiple-server installation — Install Novell ZENworks Network Access Control as a multiple-server installation where the MS and the ES or ESs are on different servers. One or more ESs are joined to a specified Enforcement cluster in the user interface. You must have two or more ESs joined to an Enforcement cluster for HA or LB functionality.

After you install Novell ZENworks Network Access Control, you need to use a computer (other than the MS or ES) with a browser for configuration and daily operation tasks.

See the Novell ZENworks Network Access Control Users Guide for more information on HA and LB.

To install Novell ZENworks Network Access Control:

  1. Locate and verify the server hardware (see Locating and Verifying Server Hardware).

  2. Locate the information required during the install process (see Information Required During Installation).

  3. Install the software:

    1. Install single-server MS/ES software (see Creating a Single-server Installation), or

    2. Install multiple-server MS software and ES software (see Creating a Multiple-server Installation)

  4. Log in to the Novell ZENworks Network Access Control MS.

  5. For multiple-server installations:

    1. Create clusters (see Creating an Enforcement Cluster).

    2. Add enforcement servers to defined clusters (see Adding an ES to a Cluster).

  6. Configure Novell ZENworks Network Access Control (see the Novell ZENworks Network Access Control v5.0 Users Guide).

Locating and Verifying Server Hardware

To verify the server requirements:

  1. Locate the computer you will be using for the Novell ZENworks Network Access Control server.

  2. Verify that this computer has the following:

    1. Processor — Pentium 4

      • Linux — To list CPU-related information to the screen on a Linux computer, enter the following at the command line:

        cat /proc/cpuinfo | more
        

        Press the space bar to page down through the listed information.

      • Windows — From the desktop, right click on My Computer and select Properties. Select the General tab.

    2. Processor speed — 2 GHz (or greater).

      • Linux — To list CPU-related information to the screen on a Linux computer, enter the following at the command line:

        cat /proc/cpuinfo | more
        

        Press the space bar to page down through the listed information.

      • Windows — From the desktop, right click on My Computer and select Properties. Select the General tab.

    3. Memory — 1 GB RAM

      • Linux — To list memory-related information to the screen on a Linux computer, enter the following at the command line:

        dmesg | grep Memory
        

        The number returned to the right of the / is the total memory.

      • Windows — From the desktop, right click on My Computer and select Properties. Select the General tab.

    4. Disk space — 36 GB (or greater)

      • Linux — To list disk-related information to the screen on a Linux computer, enter the following at the command line:

        For IDE drives:

        fdisk -l /dev/hda | more
        

        For SCSI drives:

        fdisk -l /dev/sda | more
        

        Press the space bar to page down through the listed information. If you don’t know the drive type, just pick one of the above commands and enter it. If you don’t have that type of drive, nothing will be returned.

      • Windows — From the desktop, double-click on My Computer.

    5. Ethernet cards — You must know the quarantine (deployment) method you are going to use when setting up your network, as each method has the following specific Ethernet card requirements:

      Single-server installation — When the MS and ES are installed on the same server, you need two Ethernet cards.

      Multiple-server installation — When the MS and ES are installed on multiple servers, you need one Ethernet card on the MS, and the following number of Ethernet cards for each ES:

      Inline — You need two Ethernet cards on each ES

      DHCP — You need two Ethernet cards on each ES

      802.1x — You need one Ethernet card on each ES

      • Linux – To list Ethernet card information to the screen on a Linux computer, enter the following at the command line:

        ifconfig
        
      • Windows – To list Ethernet card information to a DOS (cmd) window on a Windows computer, enter the following at the command line:

        ipconfig
        
    6. CDROM drive — This drive can be a read-only drive and is used for first-time installation.

NOTE:For more information about deployment options, see Section 1.0, Deployment Flexibility.

IMPORTANT:Make sure that your Ethernet cards are 10/100/1000 (Intel) server-class NICs. Inferior class network cards do not work at all, or work intermittently. You can get the best results from the Intel PRO-series NICs.

Information Required During Installation

You will be asked for the following information during the installation process (use the Section A.0, Installation and Configuration Check List for easy reference):

  • Static IP address — The IP address for each server you will use (both MS and ESs). For example: 10.0.16.180. Each server must have a static IP address (always the same), not a dynamic one (which can be different every time).

  • Netmask (Network mask) — A number that tells how much of the IP address is reserved for the network (255) and how much is reserved for the host (0). This must be defined when servers create subnetworks as part of the installation process. For example: 255.255.0.0.

  • Default gateway IP address — The IP address of your Internet connection—the IP address of the network endpoint that knows how to route packets outside of your local network. For example 10.0.16.1.

    To find the current Default Gateway:

    Linux — Enter route -n at the command line

    Windows — Enter ipconfig at the command line

    NOTE:Your system may require a different gateway. Check with your network administrator if you have problems or are unsure of which gateway IP address to use.

  • Primary nameserver IP address (DNS server) — The IP address of the server that you use to convert hostnames to IP addresses. For example: 204.74.112.1.

    To find the current DNS server:

    Linux — Look in the /etc/resolv.conf file for the nameserver entry.

    Windows — Enter ipconfig /all at the command line

    If you use secondary and tertiary nameservers, you will be asked for those IP addresses as well.

  • Novell ZENworks Network Access Control hostname — The names you give your Novell ZENworks Network Access Control servers (MS and ESs). Select names that are short, easy to remember, contain no spaces or underscores, and do not begin or end with a dash (-).

    NOTE:The Novell ZENworks Network Access Control hostnames must be the fully qualified domain names (FQDN). The FQDN includes the host and the domain name—including the top-level domain. For example, waldo.mycompany.com.

  • Time zone — The time zones where your Novell ZENworks Network Access Control servers are located. The time zones must be specified for each MS and each ES.

  • Novell ZENworks Network Access Control server root password — The passwords you give to your Novell ZENworks Network Access Control servers (MS and ESs) when logging in as the root user. Note: This is not the Novell ZENworks Network Access Control user interface administrator password.

  • Installation type — The type is either MS or ES for multiple-server installations, or Both for single-server installations.

  • NTP server IP — The IP address you use for your Network Time Protocol (NTP) server
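
The following pre-check, an added example that is not part of the Novell documentation, validates the values listed above before you type them into the installer. It uses the example values from this section as constructed input; treating an FQDN as at least three dot-separated labels and requiring the gateway to sit on the server's subnet are assumptions of the example, not installer rules stated on this page.

```sh
#!/bin/sh
# Added example: pre-check the network values the installer asks for.

# Print a dotted-quad IPv4 address as an integer; fail on malformed input.
ip_to_int() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ????*|0?*) return 1 ;; # too long, or leading zero
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# A netmask is valid when its 1 bits are contiguous from the left.
valid_netmask() {
    nm=$(ip_to_int "$1") || return 1
    [ "$nm" -ne 0 ] || return 1
    inv=$(( nm ^ 4294967295 ))
    [ $(( inv & (inv + 1) )) -eq 0 ]
}

# True when both addresses fall in the same network under the given mask.
same_subnet() {
    a=$(ip_to_int "$1") || return 1
    valid_netmask "$2" || return 1
    mask=$(ip_to_int "$2")
    b=$(ip_to_int "$3") || return 1
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# Hostname rules from this section: FQDN, no spaces or underscores,
# first and last character not a dash. Three labels is an assumption.
valid_nac_hostname() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;  # spaces, underscores, other characters
        -*|*-)               return 1 ;;  # leading or trailing dash
        .*|*.|*..*)          return 1 ;;  # empty label
        *.*.*)               return 0 ;;  # host.domain.tld
        *)                   return 1 ;;  # bare host name, not an FQDN
    esac
}

# check_install_params IP NETMASK GATEWAY DNS HOSTNAME
# Prints one line per problem; returns 0 only when every value passes.
check_install_params() {
    bad=0
    ip_to_int "$1" >/dev/null || { echo "static IP '$1' is not a valid IPv4 address"; bad=1; }
    valid_netmask "$2"        || { echo "netmask '$2' is not contiguous"; bad=1; }
    ip_to_int "$3" >/dev/null || { echo "gateway '$3' is not a valid IPv4 address"; bad=1; }
    ip_to_int "$4" >/dev/null || { echo "nameserver '$4' is not a valid IPv4 address"; bad=1; }
    if [ "$bad" -eq 0 ] && ! same_subnet "$1" "$2" "$3"; then
        echo "gateway $3 is not on the same subnet as $1/$2"; bad=1
    fi
    valid_nac_hostname "$5"   || { echo "hostname '$5' breaks the naming rules"; bad=1; }
    return "$bad"
}

# Constructed input: the example values used in this section.
if check_install_params 10.0.16.180 255.255.0.0 10.0.16.1 204.74.112.1 waldo.mycompany.com; then
    echo "all installer values pass"
fi
```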

Creating a Single-server Installation

To install the MS and ES on a single server:

  1. Locate the server you are using for the Novell ZENworks Network Access Control installation.

  2. Insert the Novell ZENworks Network Access Control CD into the dedicated server and reboot (for example by pressing [Ctrl]+[Alt]+[Delete] or an appropriate method of reboot). Once the server reboots, the boot prompt screen appears (Figure 3-1).

    WARNING:The Novell ZENworks Network Access Control installation CD automatically reformats the hard drive on the host machine, erasing all existing data. Do not continue if you need any information that is stored on the hard drive! To abort the installation, press [Ctrl]+[Alt]+[Delete].

    HINT:If the dedicated server is not configured to boot from the CD drive, edit the basic input/output system (BIOS) options as described in your server’s documentation.

    Figure 3-1 Install Screen, Boot Prompt

  3. At the boot prompt, type one of the following:

    • install — This is the default option that works on most systems.

    • noacpi — If your system hangs shortly after install is entered, use this option, which disables the Advanced Configuration and Power Interface (ACPI), allowing the Novell ZENworks Network Access Control system to use the chroot command.

    • nodma — If your system (such as some Compaq/HP systems) has problems using Direct Memory Access (DMA) to chip memory, this option disables DMA for the IDE subsystem.

    • noapic — If your system BIOS has an upgrade to fix the Advanced Programmable Interrupt Controller (APIC) and the system continues to hang shortly after install is entered, use this option, which disables the APIC. This tells the kernel to not make use of any IOAPICs that may be present in the system.

    • withoptions — If your system has problems not listed above, use this option to specify that no additional kernel parameters are passed to the kernel to allow greater flexibility.

  4. Press [Enter]. The Installation Confirmation screen appears:

    Figure 3-2 Install Screen, Installation Confirmation

  5. On the Installation Confirmation screen, type install and select OK. The Network Configuration for eth0 screen appears.

    HINT:Use the [Tab], [spacebar], and [Enter] keys to navigate between fields and make selections on the install screens.

  6. On the Network Configuration for eth0 screen, enter the IP address of the Novell ZENworks Network Access Control MS/ES installation, as shown in Figure 3-3. The Netmask value is prepopulated; edit the Netmask value if necessary.

    HINT:You must use static IP addresses for Novell ZENworks Network Access Control servers. Novell ZENworks Network Access Control servers cannot receive DHCP IP addresses.

    Figure 3-3 Install Screen, Network Configuration for eth0

  7. Select OK. The Miscellaneous Network Settings screen appears:

    Figure 3-4 Install Screen, Miscellaneous Network Settings

  8. On the Miscellaneous Network Settings screen, enter the Gateway and Primary DNS (and Secondary DNS and Tertiary DNS if you use them). Select OK. The Hostname Configuration screen appears:

    Figure 3-5 Install Screen, Hostname Configuration

  9. On the Hostname Configuration screen, enter the hostname. This name must be the fully qualified domain name (FQDN). Select OK. The Time Zone Selection screen appears:

    HINT:Select simple names that are short, easy to remember, contain no spaces or underscores, and do not begin or end with a dash (-).

    Figure 3-6 Install Screen, Time Zone Selection

  10. On the Time Zone Selection screen, select the time zone. Select OK. The Root Password screen appears:

    HINT:Make sure that you select a root password that is easy for you to remember but difficult for others to guess.

    Figure 3-7 Install Screen, Root Password

  11. On the Root Password screen, enter a root password for the Novell ZENworks Network Access Control server. Enter a secure password that you can remember, and retype the password to confirm it. Select OK. The Novell ZENworks Network Access Control installation type screen appears:

    Figure 3-8 Install Screen, Installation Type

  12. On the Novell ZENworks Network Access Control installation type screen, select Both.

  13. Select OK. The Installation progress screen appears (Figure 3-9).

    Figure 3-9 Install Screen, Installation Progress

  14. Wait. Installation can take a few minutes.

  15. When installation is complete, remove the CD.

    HINT:If the server reboots before you remove the CD, the boot prompt appears again. Remove the CD and reboot the server to start Novell ZENworks Network Access Control.

  16. The server reboots and starts Novell ZENworks Network Access Control.

  17. Log in to the Novell ZENworks Network Access Control server and perform the initial configuration as described in Initial Configuration.

Creating a Multiple-server Installation

To install the MS and ES on different servers:

  1. Install the MS software:

    1. Perform the steps described in Creating a Single-server Installation: Step 1 through Step 11. The Novell ZENworks Network Access Control installation type screen appears (Figure 3-8).

    2. Select Management server.

    3. Select ok. The Installation progress screen appears (Figure 3-9).

    4. Wait. Installation can take a few minutes.

    5. When installation is complete, remove the CD.

      HINT:If the server reboots before you remove the CD, the boot prompt appears again. Remove the CD and reboot the server to start Novell ZENworks Network Access Control.

    6. The server reboots and starts Novell ZENworks Network Access Control.

  2. Install the ES software:

    1. Perform the steps described in Creating a Single-server Installation: Step 1 through Step 11. The Novell ZENworks Network Access Control installation type screen appears (Figure 3-8).

    2. Select Enforcement server.

    3. Select ok. The Installation progress screen appears (Figure 3-9).

    4. Wait. Installation can take a few minutes.

    5. When installation is complete, remove the CD.

      HINT:If the server reboots before you remove the CD, the boot prompt appears again. Remove the CD and reboot the server to start Novell ZENworks Network Access Control.

    6. The server reboots and starts Novell ZENworks Network Access Control.

  3. Add as many ESs as your system requires.

  4. Go to Initial Configuration.

Initial Configuration

NOTE:If you already have endpoints attached to a switch when you install Novell ZENworks Network Access Control, you must log in to each switch and send the NAC revalidate command before the endpoint can be tested and routed properly.

To configure the Novell ZENworks Network Access Control MS/ES:

  1. Log into a different computer with browser software installed. The following browsers are supported for this release:

    • Windows: IE 6.0 or later, Mozilla Firefox v1.5 or later, Mozilla v1.7

    • Linux: Mozilla Firefox v1.5 or later, Mozilla v1.7

    • Mac OS X: Mozilla Firefox v1.5 or later

  2. Using https://, point your browser to the IP address or host name of the Novell ZENworks Network Access Control server (for example, https://10.0.64.25).

  3. You might be prompted with a security alert because Novell ZENworks Network Access Control uses a secure communication connection (SSL) (Figure 3-10). Click Yes. The Accept license agreement window appears (Figure 3-10).

    Figure 3-10 Security Alert Window

    Figure 3-11 Accept License Agreement Window

  4. Accept the license agreement:

    1. If you do not wish to accept the license agreement, click I do not accept this license agreement, or

    2. Read the Novell ZENworks Network Access Control End-User License Agreement (EULA) and select I Accept this license agreement.

    3. Click Next. The Enter management server settings window appears.

      Figure 3-12 Enter Management Server Settings Window

  5. The Date and time area is prepopulated with values entered during the initial installation process. Change any of the following if necessary:

    • Region — Select a region from the drop-down list.

    • Time zone — Select a time zone from the drop-down list.

    • NTP servers — Enter one or more Network Time Protocol (NTP) servers, separated by commas. The NTP protocol allows Novell ZENworks Network Access Control to synchronize its date and time with other endpoints on your network. For example, time.nist.gov.

  6. The Network settings area is prepopulated with values entered during the initial installation process. Change any of the following if necessary:

    • Host name — Enter a Fully Qualified Domain Name (FQDN). For example, crocus.mycompany.com.

    • DNS IP address — Enter one or more DNS resolver IP addresses, separated by commas, semicolons, or spaces. For example, 10.0.16.100,10.0.1.1.

  7. If you use a proxy server, configure it as follows:

    1. Select the Use a proxy server for Internet connections check box. Connecting to the Internet is necessary for updating tests, validating license keys, and sending support packages.

    2. Enter the IP address of the server that will act as the proxy for Internet connections in the Proxy server IP address text box.

    3. Enter the port used for connecting to the proxy server in the Proxy server port text box. For example, 8080.

    4. If your proxy server is authenticated, select the Proxy server is authenticated check box and enter the following:

      1. Select the scheme used to authenticate credentials on the proxy server from the Authentication method drop-down list. The following methods are supported:

        Basic — The original and most compatible authentication scheme for HTTP. It is also the least secure because it sends the user ID and password to the server unencrypted.

        Digest — Added in the HTTP 1.1 protocol, this scheme is significantly more secure than basic authentication because it never transfers the actual password across the network, but instead uses it to encrypt a nonce value sent from the server.

        Negotiable — Using this scheme, the client and the proxy server negotiate a scheme for authentication. Ultimately, either the basic or digest scheme will be used.

      2. Enter the ID of a user account on the proxy server in the User name text box.

      3. Enter the password of the user account having the ID specified in User ID in the Password text box.

      4. To help confirm accuracy, type the same password you entered into the Password text box in the Re-enter password text box.

  8. Click Next. The Enter license key window appears.

    Figure 3-13 Enter License Key Window

  9. On the Enter license key window, in the License key field, copy and paste your Novell ZENworks Network Access Control license key, which was emailed to you as a text file. Click Next. The Create administrator account window appears.

    NOTE:An internet connection is required to register/activate the license. The license key is registered to the server once the activation is complete and cannot be moved to another machine without first contacting Novell Support.

    HINT:The double-equal sign (==) is part of the license key. Include it with the rest of the key.

    IMPORTANT:If you use a proxy server, your license key will not validate from this window unless you have performed Step 7.

    Figure 3-14 Create Administrator Account Window

  10. On the Create administrator account window, create the initial Novell ZENworks Network Access Control administrator account. (This is not the same as the server’s root account that you created during installation.)

    1. Enter a User ID and Password. We suggest the password be at least eight characters with a mix of numbers and letters.

    2. Click Finish.

    3. The final step of creating the single-server installation is to configure the default Enforcement cluster. See the Novell ZENworks Network Access Control Users Guide for instructions on editing Enforcement clusters.

      HINT:In the case of a single-server installation, the MS and ES are on the same server and the ES is automatically joined to a default Enforcement cluster. You can change the name of the Enforcement cluster from the user interface. See the Novell ZENworks Network Access Control Users Guide for instructions on editing Enforcement clusters.
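
The difference between the Basic and Digest proxy authentication methods in Step 7, as an added example that is not part of the Novell documentation: it computes what each scheme sends in the Proxy-Authorization header and shows that the Basic value decodes straight back to the user ID and password. The credentials and challenge values are the published RFC 2617 samples, used here as constructed input.

```sh
#!/bin/sh
# Added example: what each proxy authentication scheme puts on the wire.
# Credentials and challenge values are the RFC 2617 samples (constructed input).

md5_hex() { printf '%s' "$1" | md5sum | cut -d' ' -f1; }

# Basic: the header carries base64("user:password"). Base64 is an encoding,
# not encryption, so the value is readable by anything on the path.
basic_credentials() { printf '%s:%s' "$1" "$2" | base64; }

# What a capture of that header yields: the original user:password pair.
basic_decode() { printf '%s' "$1" | base64 -d; }

# Digest (RFC 2617, qop=auth): the client sends an MD5 response computed
# from the password and the server's nonce, never the password itself.
# digest_response USER REALM PASSWORD METHOD URI NONCE NC CNONCE
digest_response() {
    ha1=$(md5_hex "$1:$2:$3")        # user:realm:password
    ha2=$(md5_hex "$4:$5")           # method:uri
    md5_hex "$ha1:$6:$7:$8:auth:$ha2"
}

demo() {
    token=$(basic_credentials 'Aladdin' 'open sesame')
    echo "Basic header value : $token"
    echo "Basic decodes to   : $(basic_decode "$token")"

    r1=$(digest_response Mufasa testrealm@host.com 'Circle Of Life' \
        GET /dir/index.html dcd98b7102dd2f0e8b11d0f600bfb0c093 00000001 0a4f113b)
    echo "Digest response    : $r1"

    # A fresh server nonce changes the response, so a captured value
    # does not answer a later challenge.
    r2=$(digest_response Mufasa testrealm@host.com 'Circle Of Life' \
        GET /dir/index.html 00000000000000000000000000000000 00000001 0a4f113b)
    echo "Digest, new nonce  : $r2"
}

demo
```

If the proxy offers only Basic, treat the proxy account as readable by anyone who can capture traffic between the server and the proxy, and give that account no other privileges.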

Creating an Enforcement Cluster

When creating a multiple-server installation (the MS and ES are installed on different servers), you must create the clusters before you join the ESs to the cluster.

To create (name) the Enforcement cluster:

  1. Using https://, point your browser to the IP address or host name of the Novell ZENworks Network Access Control server (for example, https://10.0.64.25).

  2. Using the administrator User ID and Password you created in Step 10, log in to the Novell ZENworks Network Access Control user interface. The Novell ZENworks Network Access Control Home window appears:

    Figure 3-15 Novell ZENworks Network Access Control Home Window

    NOTE:The Novell ZENworks Network Access Control home window displays the System configuration menu option only for users with administrator permissions. You will see different menu options based on your permissions, which are defined as user roles.

  3. Select System Configuration. The System configuration, Enforcement clusters & servers window appears:

    Figure 3-16 Enforcement Clusters & Servers

  4. Click Add an Enforcement cluster. The Add an Enforcement cluster window appears, with the General menu option selected by default.

    Figure 3-17 Add Enforcement Cluster Window

  5. In the Add Enforcement cluster window, General area, enter a name for the cluster in the Cluster name field.

  6. On the NAC policy set drop-down list, select Default.

  7. Before Novell ZENworks Network Access Control is fully functional, you must select the operating parameters for each cluster; however, you do not have to do this now. When you are ready to configure the clusters, refer to the “Adding a cluster” section in the Novell ZENworks Network Access Control Users Guide.

  8. Click ok to save the cluster and return to the System configuration window.

Adding an ES to a Cluster

To add an ES to a cluster:

Home window>>System configuration

  1. Click add an enforcement server. The Add enforcement server window appears:

    Figure 3-18 Add Enforcement Server Window

  2. Select the cluster name for this enforcement server from the Cluster drop-down list.

  3. Enter the IP address of this enforcement server in the IP address text box.

  4. The SSH user name must be for an account with sufficient privileges to install certificates. Enter the user name in the SSH User name text box.

  5. Enter the SSH password for the SSH username account on this enforcement server in the SSH Password text box.

  6. Re-enter the SSH password for the SSH username account on this enforcement server in the Re-enter SSH Password text box.

  7. Click ok to add the server. A progress window appears. It can take a minute or so to add the server. The System configuration window appears showing the server joined to the cluster:

    Figure 3-19 System configuration, Enforcement Clusters & Servers Window

  8. Click ok to return to the Home window.

IMPORTANT:The MS must have the same version of software installed as the ES you are adding or you will get an exception error. If you are upgrading an existing system, upgrade the MS, then add new ESs. The upgrade process will automatically upgrade any existing ESs.