13.2 Novell ZENworks Network Access Control to Infoblox Connector

Infoblox™ is a DHCP server appliance that writes to syslog when it vends IP addresses. These syslog messages (DHCPACK syslog lines) are translated and forwarded to the Novell ZENworks Network Access Control Device Activity Capturer (DAC) by way of the connector (syslog-to-dac.py).
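
The following is an added example of the translation step the connector performs; it is not the shipped syslog-to-dac.py. It assumes that NIOS logs leases in the ISC dhcpd format (`DHCPACK on <ip> to <mac> (<hostname>) via <relay>`), that syslog-ng's program() destination hands each message to the script on stdin as `$DATE $HOST $MSGHDR$MSG`, and that the hostnames and addresses in the sample lines are constructed. It extracts lease events from DHCPACK lines, ignores the other DHCP verbs and malformed lines, and optionally drops messages whose self-reported syslog host is not a known DHCP node.

```python
import re
import sys
from typing import Iterable, Iterator, NamedTuple, Optional


class LeaseEvent(NamedTuple):
    ip: str
    mac: str
    hostname: Optional[str]
    server: str  # the syslog $HOST field, i.e. which DHCP node logged the ACK


# ISC dhcpd (the DHCP engine behind NIOS) logs a confirmed lease as
#   DHCPACK on <ip> to <mac> [(<hostname>)] via <interface-or-relay>
# Assumption: the NIOS message text follows this ISC format. The other
# DHCP* verbs (DISCOVER, OFFER, REQUEST, NAK) do not confirm a lease, so
# they are deliberately not matched.
DHCPACK_RE = re.compile(
    r"\bDHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
    r" via \S+"
)

# syslog-ng's program() destination hands the connector one line per message,
# formatted as "$DATE $HOST $MSGHDR$MSG" (assumed default template), e.g.
#   Jun  3 10:15:02 ib-node1 dhcpd: DHCPACK on ...
SYSLOG_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$"
)


def parse_line(line: str) -> Optional[LeaseEvent]:
    """Return a LeaseEvent for a DHCPACK line, None for anything else."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    ack = DHCPACK_RE.search(m.group("rest"))
    if not ack:
        return None
    # \d{1,3} admits octets such as 999; reject those rather than forward them.
    if any(int(octet) > 255 for octet in ack.group("ip").split(".")):
        return None
    return LeaseEvent(
        ip=ack.group("ip"),
        mac=ack.group("mac").lower(),  # normalise so MAC lookups are case-insensitive
        hostname=ack.group("host"),
        server=m.group("host"),
    )


def lease_events(lines: Iterable[str],
                 trusted_servers: Optional[set] = None) -> Iterator[LeaseEvent]:
    """Yield lease events, optionally only from known DHCP node hostnames.

    $HOST is self-reported by the sender, so this is a sanity filter only;
    the iptables source-IP rule in 13.2.2 step 7 is the real access control.
    """
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if trusted_servers is not None and ev.server not in trusted_servers:
            continue
        yield ev


# Constructed sample input (not captured from a real appliance).
SAMPLE_LINES = """\
Jun  3 10:15:01 ib-node1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via 10.20.0.1
Jun  3 10:15:01 ib-node1 dhcpd: DHCPOFFER on 10.20.0.57 to 00:11:22:33:44:55 (laptop-42) via 10.20.0.1
Jun  3 10:15:02 ib-node1 dhcpd: DHCPREQUEST for 10.20.0.57 (10.20.0.5) from 00:11:22:33:44:55 (laptop-42) via 10.20.0.1
Jun  3 10:15:02 ib-node1 dhcpd: DHCPACK on 10.20.0.57 to 00:11:22:33:44:55 (laptop-42) via 10.20.0.1
Jun  3 10:15:09 ib-node2 dhcpd: DHCPACK on 10.20.0.58 to AA:BB:CC:DD:EE:FF via eth1
Jun  3 10:15:10 ib-node2 dhcpd: DHCPNAK on 10.20.0.99 to 00:de:ad:be:ef:00 via eth1
Jun  3 10:15:11 rogue-box dhcpd: DHCPACK on 10.20.0.59 to 00:00:5e:00:53:01 via eth0
this line is not syslog at all
""".splitlines()


def parse_sample(trusted_servers=None):
    return list(lease_events(SAMPLE_LINES, trusted_servers))


if __name__ == "__main__":
    # Behave like a syslog-ng program() destination target: messages arrive on stdin.
    for event in lease_events(sys.stdin):
        print(event)
```

Run with the sample lines to see that only the two DHCPACK lines from the cluster nodes survive when the trusted set is `{"ib-node1", "ib-node2"}`; the DHCPOFFER and DHCPREQUEST lines for the same client are not treated as leases, and the DHCPNAK line is skipped.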

NOTE: Verify that your Infoblox software is current (NIOS™ 4.1r5-0 or later).

HINT: After an upgrade or a new installation, the connector file (syslog-to-dac.py) is in the following directory:

/usr/local/nac/bin

The following sections contain more information:

13.2.1 Configuring the Infoblox Server

Configure syslog on the Infoblox server to send debug-level DHCP logs to the IP address of each Novell ZENworks Network Access Control ES on TCP port 514, using the local3 facility. The exact steps vary by NIOS version; contact Infoblox support (http://www.infoblox.com/support/) for assistance.

If the Infoblox DHCP is clustered, there is a floating/management IP and one LAN IP for each node in the DHCP cluster. In this configuration:

  • The switches must forward DHCP requests (for example, with an IP helper address) to the floating/management IP, not to the individual LAN IPs.

  • The iptables firewall on each ES must allow syslog traffic from each node's LAN IP (one rule per Infoblox DHCP node), because the syslog messages originate from the individual nodes rather than from the floating/management IP.

13.2.2 Configuring Novell ZENworks Network Access Control

To configure Novell ZENworks Network Access Control:

Home window>>System configuration>>Select an enforcement cluster>>Quarantining

  1. In the Quarantine method area, select the 802.1X radio button.

  2. In the Basic 802.1X settings area, select the remote Endpoint detection location radio button.

  3. Click OK.

    Command line window

    NOTE: Perform the following steps on each ES in your system.

  4. Log in as root to the Novell ZENworks Network Access Control ES, using SSH or directly at the console.

  5. Enter the following command:

    egrep DeviceActivityCapture /usr/local/nac/properties/nac-es.properties
    

    The expected result is:

    Compliance.DeviceActivityCapture.RunningRemotely=true

    If your result is different, contact Novell Support.

    NOTE: It can take a minute or two after changing the property in the user interface for the change to propagate to all ESs, so re-run the command before concluding that the property is not set.

  6. Edit the configuration file:

    1. Open the following file with a text editor such as vi:

      /etc/syslog-ng/syslog-ng.conf 
      
    2. In the ### SOURCE ENTRIES HERE ### area, add the following line. With no ip() or port() argument, tcp() listens on all interfaces on TCP port 514, so the iptables rule added in step 7 is what restricts which hosts can reach this listener:

      source rdac     { tcp(); };

    3. In the ### DESTINATION ENTRIES HERE ### area, add the following line. syslog-ng starts the connector and writes each matching message to its standard input:

      destination d_dac { program("/usr/local/nac/bin/syslog-to-dac.py"); };
      
    4. In the ### LOG ENTRIES HERE ### area, add the following line:

      log { source(rdac); filter(f_mesg); destination(d_dac); };
      
    5. Save and exit the file.

    6. Enter the following at the command line to restart the service:

      service syslog-ng restart
      
  7. Add the iptables firewall rule to allow this syslog traffic:

    1. Stop the ES service and then the firewall by entering the following at the command line:

      service nac-es stop
      fw_control stop
      
    2. Open the following file with a text editor such as vi:

      /etc/sysconfig/iptables
      
    3. Add the following line after the RELATED,ESTABLISHED line and before the # REJECT lines in the RH-Lokkit-0-50-INPUT section:

      -A RH-Lokkit-0-50-INPUT -s <INFOBLOX_IP> -p tcp -m tcp --dport 514 -m state --state NEW -j ACCEPT

      Where:

      <INFOBLOX_IP> is the IP address of the Infoblox server. If the Infoblox DHCP is clustered, add one such line for each node's LAN IP (see Section 13.2.1), not for the floating/management IP, because the syslog messages come from the individual nodes.

    4. Restart the firewall and then the ES service by entering the following at the command line:

      fw_control start
      service nac-es start
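
The following is an added example, not part of the Novell or Infoblox documentation, of how to apply step 7 for a clustered Infoblox deployment, where Section 13.2.1 requires one firewall rule per DHCP node. It builds the rule from step 7 for each node LAN IP, validates that each value is a single IPv4 host before interpolating it, and splices the rules into the RH-Lokkit-0-50-INPUT chain after the RELATED,ESTABLISHED rule and before the REJECT rules, skipping rules that are already present so the script can be re-run safely. The iptables file contents and the node addresses 10.20.0.5 and 10.20.0.6 are constructed for the example.

```python
import ipaddress
from typing import Iterable

CHAIN = "RH-Lokkit-0-50-INPUT"


def syslog_rule(node_ip: str) -> str:
    """The step-7 rule for one Infoblox node; rejects anything that is not a single IPv4 host."""
    ip = ipaddress.IPv4Address(node_ip)  # raises ValueError on "10.0.0.0/24", "foo", ...
    return (f"-A {CHAIN} -s {ip} -p tcp -m tcp --dport 514 "
            f"-m state --state NEW -j ACCEPT")


def add_infoblox_rules(iptables_text: str, node_ips: Iterable[str]) -> str:
    """Return iptables_text with one ACCEPT rule per node inserted after the
    chain's RELATED,ESTABLISHED rule and therefore before its REJECT rules."""
    lines = iptables_text.splitlines()
    wanted = [syslog_rule(ip) for ip in node_ips]
    new = [r for r in wanted if r not in lines]  # idempotent on re-run
    if not new:
        return iptables_text

    anchor = reject = None
    for i, line in enumerate(lines):
        if not line.startswith(f"-A {CHAIN} "):
            continue
        if anchor is None and "--state RELATED,ESTABLISHED" in line:
            anchor = i
        elif reject is None and " -j REJECT" in line:
            reject = i
    if anchor is None:
        raise ValueError(f"no RELATED,ESTABLISHED rule found in chain {CHAIN}")
    if reject is not None and reject < anchor:
        raise ValueError("a REJECT rule precedes the RELATED,ESTABLISHED rule; refusing to guess")

    out = lines[: anchor + 1] + new + lines[anchor + 1 :]
    return "\n".join(out) + "\n"


# Constructed sample in the layout of a lokkit-generated /etc/sysconfig/iptables.
SAMPLE_IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# REJECT everything else
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT
"""


def rule_positions(text: str, node_ips: Iterable[str]) -> dict:
    """Line index of each node's rule, of the RELATED,ESTABLISHED rule and of the first REJECT."""
    lines = text.splitlines()
    pos = {ip: lines.index(syslog_rule(ip)) for ip in node_ips}
    pos["established"] = next(i for i, l in enumerate(lines) if "RELATED,ESTABLISHED" in l)
    pos["reject"] = next(i for i, l in enumerate(lines) if " -j REJECT" in l)
    return pos


if __name__ == "__main__":
    # Two-node cluster: 10.20.0.5 and 10.20.0.6 are the nodes' LAN IPs (assumed);
    # the floating/management IP is deliberately not listed.
    print(add_infoblox_rules(SAMPLE_IPTABLES, ["10.20.0.5", "10.20.0.6"]))
```

Feed it the real /etc/sysconfig/iptables contents and the list of node LAN IPs between the `fw_control stop` and `fw_control start` steps; because it refuses to run when it cannot find the RELATED,ESTABLISHED anchor or when a REJECT rule already precedes it, an unexpected chain layout fails loudly instead of producing a rule that is silently shadowed by the REJECT.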