16.5 System Settings

The following sections contain more information:

16.5.1 DNS/Windows Domain Authentication and Quarantined Endpoints

In order to satisfy the following scenarios:

  • A guest user gets redirected

  • A user is redirected if their home page is the Intranet

  • Only the domain controllers (DCs) are resolved from quarantine; no other intranet hosts are resolved.

  • Windows domain authentication can take place from quarantine with minimal configuration

Perform the following steps:

  1. Configure the domain suffixes in the quarantine areas to a placeholder that does not exist in real DNS, such as the following:

    quarantine.bad

  2. Enter the full domain controller hostnames in the System configuration>>Accessible services area (for example, dc01.mycompany.com, dc02.mycompany.com).

  3. Ensure that each ES has a valid fully qualified domain name (FQDN) and that its domain portion matches the registered Windows domain.

  4. Ensure that each ES is configured with one or more valid DNS servers that can fully resolve (both A and PTR records) each ES.

  5. Ensure that the following ports on the domain controller/active directory (DC/AD) servers are available from quarantine:

    • 88

    • 389

    • 135-139

    • 1025
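The following script, added here as an example and not part of the product, performs the checks behind steps 3 to 5 from a host in the quarantine network: it expands the port list above, attempts a TCP connection to each port on each DC, and verifies that an ES name is an FQDN in the Windows domain with matching A and PTR records. The hostnames, addresses and function names are assumptions. Kerberos (88) and the CLDAP ping (389) also use UDP, which a TCP connect cannot verify, so treat the port check as a firewall sanity check rather than a complete test.

```python
"""Pre-flight checks for quarantine domain authentication.
Added example, not product code; hosts and addresses are constructed."""
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Ports the procedure requires from quarantine to the DC/AD servers (step 5).
DC_PORT_SPEC = "88,389,135-139,1025"


def expand_port_spec(spec: str) -> List[int]:
    """Turn '88,389,135-139,1025' into [88, 389, 135, 136, 137, 138, 139, 1025]."""
    ports: List[int] = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.extend(range(lo, hi + 1))
        elif part:
            ports.append(int(part))
    return ports


def check_tcp_ports(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, bool]:
    """TCP connect to each port; True means the handshake completed.
    UDP services on 88/389/137/138 are not covered by this check."""
    results: Dict[int, bool] = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:  # refused, timed out, or name did not resolve
            results[port] = False
    return results


def check_es_fqdn(
    fqdn: str,
    windows_domain: str,
    forward: Callable[[str], str] = socket.gethostbyname,
    reverse: Callable[[str], Tuple[str, List[str], List[str]]] = socket.gethostbyaddr,
) -> Dict[str, bool]:
    """Steps 3 and 4: the ES name must be an FQDN inside the Windows domain and
    the DNS servers the ES uses must resolve both its A and PTR records.
    `forward` and `reverse` are injectable so the logic can run offline."""
    fqdn = fqdn.rstrip(".").lower()
    domain = windows_domain.rstrip(".").lower()
    report = {
        "is_fqdn": "." in fqdn,
        "domain_matches": fqdn.endswith("." + domain),
        "a_record": False,
        "ptr_matches": False,
    }
    try:
        ip = forward(fqdn)
        report["a_record"] = True
    except OSError:
        return report
    try:
        ptr_name = reverse(ip)[0].rstrip(".").lower()
        report["ptr_matches"] = ptr_name == fqdn   # PTR must point back at the same FQDN
    except OSError:
        pass
    return report


def all_ok(report: Dict[str, bool]) -> bool:
    return all(report.values())


if __name__ == "__main__":
    # Constructed names; replace with your ES and DC hostnames.
    print(check_es_fqdn("es01.mycompany.com", "mycompany.com"))
    for dc in ("dc01.mycompany.com", "dc02.mycompany.com"):
        print(dc, check_tcp_ports(dc, expand_port_spec(DC_PORT_SPEC)))
```

Run it from a quarantined endpoint or a test host placed in the quarantine VLAN; a False for any port means the DC is unreachable on that port from quarantine and domain logon will fail or fall back to cached credentials.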

Novell ZENworks Network Access Control then looks up the Kerberos and LDAP SRV records for the domain and serves them from its own DNS server for quarantined devices.

For example:

_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 88 dc01.lvh.com
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 389 dc01.lvh.com 

When a browser is configured with an Intranet site as its home page, it is redirected as the following exchange shows (-> is the endpoint's DNS query, <- the answer from the quarantine DNS server):

-> lookup intranet.mycompany.com

<- get NXDOMAIN (only the hostnames in the Accessible services list, such as dc01.mycompany.com, are forwarded to the real DNS server; every other mycompany.com hostname is answered with NXDOMAIN by the Novell ZENworks Network Access Control named)

-> lookup intranet.mycompany.com.quarantine.bad

<- get Novell ZENworks Network Access Control IP address

When the end user logs in, authentication succeeds from quarantine even if the credentials are not cached:

-> lookup the _kerberos and _ldap SRV records

<- receive dc01.mycompany.com and dc02.mycompany.com

-> lookup the dc01.mycompany.com IP address

<- receive the DC IP address, forwarded by the Novell ZENworks Network Access Control named to the real DNS server (because dc01.mycompany.com is in the Accessible services list)

-> authenticate
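The resolver behaviour described in the two walkthroughs above, modelled in Python as an added example. The product itself uses named; this is not its code, and the quarantine address 10.99.0.1, the corporate DNS stand-in CORP_DNS and the function names are constructed. The suffix, site name, DC names and SRV record shape follow the page. The model goes slightly beyond the page by synthesising SRV answers for every DC in the Accessible services list rather than only dc01.

```python
"""Model of what a quarantined endpoint sees from the NAC DNS server.
Added example; mimics the observable behaviour of the product's named
with constructed data, it is not the product's configuration."""
from typing import Dict, List, Optional, Set, Tuple

QUARANTINE_SUFFIX = "quarantine.bad"     # step 1 placeholder, as on the page
NAC_IP = "10.99.0.1"                     # assumed address the quarantine DNS hands out
WINDOWS_DOMAIN = "mycompany.com"
SITE = "Default-First-Site-Name"
ACCESSIBLE_SERVICES: Set[str] = {"dc01.mycompany.com", "dc02.mycompany.com"}  # step 2

# Constructed stand-in for the real corporate DNS that named forwards to.
CORP_DNS: Dict[str, str] = {
    "dc01.mycompany.com": "10.1.1.10",
    "dc02.mycompany.com": "10.1.1.11",
    "intranet.mycompany.com": "10.1.1.50",   # exists for real, but never forwarded
}


class NXDomain(Exception):
    """The quarantine DNS answered NXDOMAIN."""


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def resolve_a(name: str) -> str:
    """A-record lookup as the quarantine named answers it."""
    name = _norm(name)
    if name.endswith("." + QUARANTINE_SUFFIX):
        return NAC_IP                       # anything under the placeholder suffix -> NAC
    if name in ACCESSIBLE_SERVICES:
        return CORP_DNS[name]               # only accessible services are forwarded
    raise NXDomain(name)                    # every other corporate name


def resolve_srv(name: str) -> List[Tuple[int, int, int, str]]:
    """SRV lookup for _kerberos/_ldap, synthesised from the accessible DCs.
    Returns (priority, weight, port, target) tuples like the records above."""
    name = _norm(name)
    ports = {"_kerberos._tcp": 88, "_ldap._tcp": 389}
    for prefix, port in ports.items():
        for suffix in (f".{SITE}._sites.dc._msdcs.{WINDOWS_DOMAIN}",
                       f".dc._msdcs.{WINDOWS_DOMAIN}"):
            if name == (prefix + suffix).lower():
                return [(0, 100, port, dc) for dc in sorted(ACCESSIBLE_SERVICES)]
    raise NXDomain(name)


def resolve_with_search_list(name: str,
                             search: Optional[List[str]] = None) -> Tuple[str, List[str]]:
    """Stub-resolver behaviour: try the name as given, then name + each
    search suffix. Returns the answer and the names tried (the '->' trace)."""
    search = [QUARANTINE_SUFFIX] if search is None else search
    tried: List[str] = []
    for candidate in [name] + [f"{name}.{s}" for s in search]:
        tried.append(candidate)
        try:
            return resolve_a(candidate), tried
        except NXDomain:
            continue
    raise NXDomain(name)


def domain_logon_targets(domain: str = WINDOWS_DOMAIN) -> Dict[str, str]:
    """The logon path: SRV for Kerberos, then an A lookup for each DC target."""
    srv = resolve_srv(f"_kerberos._tcp.{SITE}._sites.dc._msdcs.{domain}")
    return {target: resolve_a(target) for _, _, _, target in srv}


if __name__ == "__main__":
    print(resolve_with_search_list("intranet.mycompany.com"))  # lands on NAC_IP via the suffix
    print(domain_logon_targets())                               # real DC addresses
```

The redirect works only because the endpoint's search list appends the placeholder suffix after the bare name fails; if the suffix were a domain that really exists, the second lookup could leak to, or be answered by, a server you do not control, which is why the page uses a non-existent placeholder.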

16.5.2 Matching Windows Domain Policies to NAC Policies

Using a Windows domain might affect the end user's ability to change their system configuration to pass the tests. For example, in a corporate environment each machine receives its settings from the domain's group policy, and the user is not allowed to change the related settings, such as Windows automatic updates and Internet Explorer security settings.

The Novell ZENworks Network Access Control administrator must make sure the domain policy matches the NAC policy being applied, or not run the conflicting test.

For example, if the domain policy does not allow Windows automatic updates, every endpoint tested against the High security NAC policy fails the Windows automatic updates test, and its user cannot change the endpoint settings to pass it.

To change the NAC policy so that it does not run the Windows automatic update test:

Home window>>NAC policies

  1. Select the NAC policy that tests the domain's endpoints.

  2. Select the Tests menu option.

  3. Clear the Windows automatic updates check box.

  4. Click ok.

16.5.3 Setting the Access Mode

The access mode selection is a quick way to select enforcement (normal mode) for all traffic into an Enforcement cluster, or open it up for trial-use purposes (allow all).

To change the access mode:

Home window>>System monitor>>Select an Enforcement cluster

  1. Select one of the following from the Access mode area:

    • normal— Access is regulated by the NAC policies

    • allow all— All requests for access are granted, but endpoints are still tested and the results are still recorded. Use this only for trial or rollout; no enforcement takes place until you return the cluster to normal.

  2. Click ok.

16.5.4 Naming Your Enforcement Cluster

To name your Enforcement cluster:

Home window>>System configuration>>Enforcement clusters & servers>>Select an Enforcement cluster

  1. In the Cluster name text field, enter a name. Choose a name that describes the cluster, such as a geographic location (like a street or city name), a building, or your company name.

  2. Click ok.

16.5.5 Changing the MS Host Name

To change the MS host name:

See Section 3.5.2, Modifying MS Network Settings.

16.5.6 Changing the ES Host Name

To change the ES host name:

See Section 3.4.4, Changing the ES Network Settings.

16.5.7 Changing the MS or ES IP Address

To change the MS or ES IP address:

The preferred method is to use the user interface (see Section 3.5.2, Modifying MS Network Settings, and Section 3.4.4, Changing the ES Network Settings). If you cannot access the user interface, use the following instructions:

  1. Log in to the MS or ES as root, using SSH or directly with a keyboard. If you use SSH, the session is dropped when the address changes; reconnect to the new address afterwards (a console login avoids this).

  2. Enter the following command at the command line:

    network-settings.py <ip address> <netmask> <gateway>
    

    Where:

    <ip address> is the new IP address for the MS or ES. For example, 192.168.40.10

    <netmask> is the netmask. For example, 255.255.255.0

    <gateway> is the default gateway, which must be on the same subnet as the new IP address. For example, 192.168.40.1
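Because a mistyped netmask or a gateway outside the new subnet leaves the server unreachable until someone gets to the console, it is worth checking the three arguments before running network-settings.py. The following added example (not product code) does that with the standard ipaddress module and then builds the command line; the function names are assumptions, and the script name is the one above.

```python
"""Validate <ip> <netmask> <gateway> before handing them to network-settings.py.
Added example, not product code."""
import ipaddress
from typing import List

NETWORK_SETTINGS = "network-settings.py"   # the product script described above


def validate_network_args(ip: str, netmask: str, gateway: str) -> List[str]:
    """Return a list of problems; an empty list means the triple is usable."""
    problems: List[str] = []
    try:
        addr = ipaddress.IPv4Address(ip)
        gw = ipaddress.IPv4Address(gateway)
        # strict=False: accept a host address plus mask and derive its network.
        # A non-contiguous mask such as 255.255.0.255 raises ValueError here.
        net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    except ValueError as exc:
        return [f"unparseable input: {exc}"]
    if addr in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gateway} is not inside {net}; "
                        "the server would have no route out")
    if gw == addr:
        problems.append("gateway must not be the server's own address")
    return problems


def build_command(ip: str, netmask: str, gateway: str) -> List[str]:
    """argv for network-settings.py, or ValueError listing every problem found."""
    problems = validate_network_args(ip, netmask, gateway)
    if problems:
        raise ValueError("; ".join(problems))
    return [NETWORK_SETTINGS, ip, netmask, gateway]


if __name__ == "__main__":
    import subprocess
    import sys

    args = [a for a in sys.argv[1:] if a != "--apply"]
    if len(args) != 3:
        sys.exit(f"usage: {sys.argv[0]} <ip> <netmask> <gateway> [--apply]")
    cmd = build_command(*args)           # raises with the list of problems
    print(" ".join(cmd))
    if "--apply" in sys.argv:
        # If you are connected over SSH, expect the session to drop here:
        # the address you connected to is about to disappear.
        subprocess.run(cmd, check=True)
```

Without --apply the script only prints the command it would run, so it can be used as a dry run from any host; run it with --apply on the MS or ES itself, from the directory that holds network-settings.py.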

16.5.8 Resetting your System

There are times when you may wish to revert your system to the as-shipped state, restoring the configuration and database to those of a freshly installed system. The reset clears the database and restores the property files to their defaults; there is no undo, so take whatever backup you need before running it.

HINT: You must reset the system before you can change the personality of the server; that is, before you can change an MS to an ES or an ES to an MS.

To reset your system to the as-shipped state:

Command line window

  1. Log in as root to the Novell ZENworks Network Access Control MS or ES, either using SSH or directly with a keyboard.

  2. Enter the following command at the command line:

    resetSystem.py [both | ms | es]
    

    Where:

    No arguments — The system is reset to the same type (either a single-server installation with the MS and ES on the same server, an MS, or an ES), the database is cleared, and the property files are restored to their defaults

    both — The system is reset to be a single-server installation (MS and ES on one server), the database is cleared, and the property files are restored to their defaults

    ms — The system is reset to be an MS, the database is cleared, and the property files are restored to their defaults

    es — The system is reset to be an ES, the database is cleared, and the property files are restored to their defaults.

NOTE: The resetSystem.py file is in /usr/local/nac/bin; change to that directory before running it:

    cd /usr/local/nac/bin

16.5.9 Resetting your Test Data

There are times when you may wish to revert the test data to the as-shipped state: clearing the database of all endpoints and test results, and resetting SAPQ and DHCP leases. Configuration and property files are not affected; for that, use resetSystem.py instead.

To reset your test data to the as-shipped state:

Command line window

  1. For single-server installations:

    1. Log in as root to the Novell ZENworks Network Access Control MS, either using SSH or directly with a keyboard.

    2. Run the script by entering the following at the command line:

      resetTestData.py
      
  2. For multiple-server installations:

    1. Stop the nac-es service on all ESs:

      1. Log in as root to each Novell ZENworks Network Access Control ES, either using SSH or directly with a keyboard.

      2. Enter the following at the command line:

        service nac-es stop
        
    2. Stop the nac-ms service on the MS:

      1. Log in as root to the Novell ZENworks Network Access Control MS, either using SSH or directly with a keyboard.

      2. Enter the following at the command line:

        service nac-ms stop
        
    3. Run the script on each ES:

      1. Log in as root to each Novell ZENworks Network Access Control ES, either using SSH or directly with a keyboard.

      2. Enter the following at the command line:

        resetTestData.py
        
    4. Run the script on the MS:

      1. Log in as root to the Novell ZENworks Network Access Control MS, either using SSH or directly with a keyboard.

      2. Enter the following at the command line:

        resetTestData.py
        

NOTE: The resetTestData.py file is in /usr/local/nac/bin; change to that directory before running it:

    cd /usr/local/nac/bin
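The multiple-server procedure above, automated as an added example (not product code). plan() encodes the required order (stop every ES, stop the MS, reset every ES, reset the MS) and execute() stops at the first non-zero exit so resetTestData.py never runs on a host whose service was not confirmed stopped. It assumes root SSH key access to each host and that resetTestData.py is executable in /usr/local/nac/bin; the function names and the hostnames in the usage are assumptions. Like the page's procedure, it ends after the resets and does not restart the services.

```python
"""Order-preserving runner for the multi-server resetTestData.py procedure.
Added example, not product code. Hostnames are constructed."""
import subprocess
from typing import Callable, List, Sequence, Tuple

SCRIPT_DIR = "/usr/local/nac/bin"          # location given in the NOTE above
RESET_CMD = f"cd {SCRIPT_DIR} && ./resetTestData.py"
Step = Tuple[str, str]                      # (host, command)


def plan(ms: str, ess: Sequence[str]) -> List[Step]:
    """Exact order from the page: stop all ESs, stop the MS, reset all ESs, reset the MS.
    The ordering guards against resetting a database a running service still writes to."""
    steps: List[Step] = [(es, "service nac-es stop") for es in ess]
    steps.append((ms, "service nac-ms stop"))
    steps += [(es, RESET_CMD) for es in ess]
    steps.append((ms, RESET_CMD))
    return steps


def ssh_run(host: str, command: str) -> int:
    """Real runner: execute `command` as root over SSH and return its exit status.
    Assumes key-based root login is already configured for each host."""
    return subprocess.run(["ssh", f"root@{host}", command]).returncode


def execute(steps: Sequence[Step],
            run: Callable[[str, str], int] = ssh_run) -> List[Step]:
    """Run the steps in order and abort on the first failure.
    Returns the steps that were actually executed (the failing one last)."""
    done: List[Step] = []
    for host, command in steps:
        rc = run(host, command)
        done.append((host, command))
        if rc != 0:
            raise RuntimeError(
                f"{command!r} on {host} exited {rc}; aborting before any later step")
    return done


if __name__ == "__main__":
    # Constructed hostnames; replace with your MS and ES FQDNs.
    for host, command in execute(plan("ms.mycompany.com",
                                      ["es01.mycompany.com", "es02.mycompany.com"])):
        print(f"{host}: {command}")
```

Because execute() raises as soon as a stop command fails, a partially applied run leaves some services stopped; check the service state on every host before rerunning rather than rerunning blindly.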

16.5.10 Changing Properties

To change the property values in the properties files:

Command line window

  1. Log in as root to the Novell ZENworks Network Access Control MS using SSH.

  2. Enter the following at the command line:

    setProperty.py <DESTINATION> <TYPE> <VALUES>

    Where:

    • <DESTINATION> is one or more of:

      -c <cluster name> Set properties on all Enforcement Servers in cluster

      -e <ES hostname> Set properties on Enforcement Server

      -a Set properties on all Enforcement Servers

      -m Set properties on Management Server

    • <TYPE> is one of:

      (no option) Properties are ordinary, non-log4j properties

      -l Properties are log4j properties

    • <VALUES> is one of:

      -f <filename> Filename of lines containing key=value

      - Standard input containing key=value

      <key>=<value> One or more key=value settings

      Note: a <value> of '-' will delete the property

For example, to change the upgrade timeout to 30 minutes, enter the following command:

setProperty.py -m Compliance.UpgradeManager.UpgradeTimeout=30

16.5.11 Specifying an Email Server for Sending Notifications

Novell ZENworks Network Access Control Enforcement clusters send alerts and notifications when certain events occur. You must specify an SMTP email server for sending these notifications. The server must allow SMTP messages from the Novell ZENworks Network Access Control ES.

To specify an email server for sending notifications:

See Section 3.17.5, Notifications.