Monitor Extreme Access Control Health
The following sections provide detailed information on how to use specific Extreme Management Center reports and NAC Manager features to monitor Extreme Access Control health. These reports provide you with the information you need to monitor, analyze, and troubleshoot Access Control problems.
- Monitor Extreme Access Control Engine Performance
- Monitor Extreme Access Control Engine Memory Use
- View Extreme Access Control Engine Historical Data
- Monitor Extreme Access Control Critical Events
- Monitor Extreme Access Control Engine Load
- Monitor Extreme Access Control End-System Health
- Create Alerts with Extreme Access Control Notifications
- Verify Extreme Access Control RADIUS Configuration
- Extreme Management Center Custom Reports
Monitor Extreme Access Control Engine Performance
The Access Control engine Device Availability report provides a historical overview of the engine status. The report shows at a glance when an engine is offline, or whether an engine is repeatedly going online and offline over time. It lets you quickly determine the specific date when an engine was unavailable without having to review log data.
For a backup engine, the report can provide a good indication of possible engine or network issues that may go otherwise undetected until the moment when the engine is needed.
If the report indicates a problem, review the Access Control engine logs for the dates in question (see Access Control Engine Log Locations), to gain additional insight into the possible root cause of the problem.
Access the Device Availability report from the Network tab. Right-click on an Access Control engine and select View Device Details > System > Device Availability, as shown here.
Accessing the Device Availability Report
The Access Control engine Device Availability report is displayed in a new tab, as shown below.
Device Availability Report
Monitor Extreme Access Control Engine Memory Use
The Extreme Management Center Host Resources report lets you monitor physical, virtual, and swap memory usage on an Access Control engine.
As you monitor an engine's physical and virtual memory, keep in mind that it is common for Linux-based systems (such as the Access Control engine) to show high memory utilization. Once a process consumes memory, the memory remains allocated to the process under the assumption it may be required in the future. If a different process calls for that memory, and it is not in use, it is made available.
It is also important to monitor swap memory statistics for your Access Control engines. When an engine starts using swap memory, it indicates a potential issue, and more active monitoring of the engine may be required. Running commands such as the "top" command (see Linux "top" Command section under NAC Troubleshooting) provides more accurate and up-to-date information on whether swap memory is actively being used, and which processes are consuming the highest memory and CPU.
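The distinction described above, between high memory utilization that is normal on Linux and swap use that calls for closer monitoring, can be checked directly from /proc/meminfo. The following is an added example, not part of the Extreme documentation: the function name, the sample values, and the 90% threshold are assumptions made for illustration.

```shell
# Added example. Sample values are constructed; the 90% threshold is an assumption.
# mem_report [FILE]: read /proc/meminfo-style text (FILE or stdin) and print
# raw vs. cache-adjusted memory use, swap in use, and a status.
mem_report() {
    awk '
        $1 == "MemTotal:"     { total = $2 }
        $1 == "MemFree:"      { free = $2 }
        $1 == "MemAvailable:" { avail = $2; have_avail = 1 }
        $1 == "Buffers:"      { buffers = $2 }
        $1 == "Cached:"       { cached = $2 }
        $1 == "SwapTotal:"    { swap_total = $2 }
        $1 == "SwapFree:"     { swap_free = $2 }
        END {
            if (total <= 0) { print "error=no_MemTotal"; exit 1 }
            # Kernels without MemAvailable: approximate it from reclaimable memory.
            if (!have_avail) avail = free + buffers + cached
            raw = int((total - free) * 100 / total)    # counts cache as "used"
            adj = int((total - avail) * 100 / total)   # memory that cannot be reclaimed
            swap_used = swap_total - swap_free
            status = "ok"                               # high raw use alone is normal
            if (swap_used > 0) status = "watch"         # swap in use: monitor more closely
            if (swap_used > 0 && adj >= 90) status = "investigate"
            printf "raw_used_pct=%d adjusted_used_pct=%d swap_used_kb=%d status=%s\n", raw, adj, swap_used, status
        }
    ' "$@"
}

# Constructed sample: cache-heavy host without MemAvailable, swap untouched.
sample_cache_heavy() {
    cat <<'EOF'
MemTotal:       16384000 kB
MemFree:          409600 kB
Buffers:          204800 kB
Cached:          9216000 kB
SwapTotal:       4194304 kB
SwapFree:        4194304 kB
EOF
}

# Constructed sample: little reclaimable memory and swap in use.
sample_swapping() {
    cat <<'EOF'
MemTotal:       16384000 kB
MemFree:          163840 kB
MemAvailable:     819200 kB
SwapTotal:       4194304 kB
SwapFree:        3145728 kB
EOF
}
```

On a Linux host, run `mem_report /proc/meminfo`; the first sample reports 97% raw use but only 40% after reclaimable cache is discounted, which is the normal case the paragraph above describes.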
Use the Network tab to access the Host Resources report for an Access Control engine. Right-click on an Access Control engine and select View Device Details > System > Host Resources, as shown here.
Accessing the Host Resources Report
A Host Resources report for the Access Control engine is displayed in a new tab, as shown below.
Host Resources Report
View Extreme Access Control Engine Historical Data
The NAC History report provides a detailed view of the overall Access Control engine load based on critical Access Control functions including authentication requests, captive portal statistics, and connected agents. The report displays the latest load data as well as minimum, maximum, and average statistics for an overview of activity by function. This provides a historical view for each individual engine and is similar to the Access Control Engine Load report, which presents current load data for all engines.
In Extreme Management Center, select the Network tab. Right-click on an Access Control engine and select View Device Details > NAC > NAC History, as shown here.
Accessing the NAC History Report
The NAC History report is displayed in a new tab, as shown below. Look at the NAC Appliance Summary report for engine load data.
NAC History Report
Monitor Extreme Access Control Critical Events
The Extreme Access Control report on Most Severe Access Control Events displays the 10 most severe Access Control events. If the most recent events indicate a current issue, further in-depth review of the events may be required. A good place to start is the server.log on the Extreme Management Center server (see Accessing the Server Log File in the Management Center Troubleshooting section of the Management Center Technical Reference) and the tag.log on the Access Control engine (see Access Control Engine Log Locations). Depending on the error, additional debug options may be required to obtain more in-depth log data. For more information, see Access Control Troubleshooting.
In Management Center, select the Reports tab. Expand the Identity and Access - Health folder and select the report.
Most Severe NAC Events Report
Monitor Extreme Access Control Appliance Load
The Extreme Access Control Appliance Load report provides a summary of end-system usage for each Access Control engine on the network, including the number of active end-systems on the engine, and the number of authentication and captive portal requests per minute.
This report is useful for determining whether action may be required in order to more evenly distribute the client load among available Access Control engines. The report shows which engine may have too many end-systems authenticating against it and which engine may be underutilized and available to handle additional end-system requests. The report also provides helpful information for capacity planning and determining future needs for additional Access Control hardware.
In Extreme Management Center, select the Control tab. Click on System to view the Appliance Load report.
Appliance Load Report
Monitor Extreme Access Control End-System Health
The Extreme Access Control Health reports provide information on overall end-system health.
The Risk Level report helps you quickly determine the overall status of threats and vulnerabilities to the entire Access Control environment. Select a specific section of the chart to launch a report of all end-systems that meet those criteria. For example, select the "High" portion of the chart to display a report of all end-systems that have a high-risk vulnerability.
The Most Frequent Vulnerabilities report lists the top vulnerabilities detected and the number of end-systems reporting that vulnerability. This report is useful in identifying specific areas of the user environment that may need immediate attention, or in determining the scale of a specific vulnerability.
In Extreme Management Center, select the Control tab. Click on Health to view the end-system reports.
Identity and Access Health Reports
Create Alerts with Extreme Access Control Notifications
Extreme Access Control Notifications let you create alerts for when specific events or triggers take place in Access Control. Each notification can be defined for a specific type and trigger. The notification type defines the source of the event that activates the notification, such as end-system, end-system group, user group, or health result. The trigger determines when a notification action is performed, based on filtering for a specific event. For example, if you select end-system group as your type, the trigger may be when entries in the group are added or removed.
Notifications can be further defined by specific conditions that, in addition to the trigger, determine when actions are performed. For example, you can configure a condition that filters notifications based on selected engines, user groups, and device groups, as well as Access Control profile, time, and location.
Notifications can have a variety of actions configured such as sending an email, generating a syslog message, sending an SNMP trap, or launching a custom program or script. Email notifications can be customized so that only certain groups are notified for specific events based on the selected mailing list.
In NAC Manager, click on the Notifications toolbar icon and use the Manage Notifications window to create your notifications.
Manage Notifications Window
Here are some examples of how notifications can be used to alert you of changes or events in NAC:
- Send an email to the Help desk when an end-system changes location, for example if it moves from a wired connection in a building to a wireless connection outside.
- Send a trap if an end-system fails registration.
- Send a syslog message if an end-system reports a high-risk assessment result.
- Send an email if an end-system that is reported as a stolen laptop authenticates on the network.
- Send an email if someone logs into the network after normal work hours.
- Send an email when an end-system is added or removed from an end-system group, such as the Blacklist end-system group or another defined end-system group.
- Send an email when a user is added or removed from a user group, such as an Administrator or Help Desk user group.
For more information, see the Manage Notifications window and Edit Notification Action window Help topics in the NAC Manager User Guide.
Verify Extreme Access Control RADIUS Configuration
Use the NAC Manager Verify RADIUS Configuration tool to ensure that the RADIUS configurations on your switches are consistent with your Access Control configuration. The verify operation alerts you to any RADIUS configurations that are out of sync and could cause RADIUS authentication problems on the network.
Switch RADIUS configurations can be modified independently of Access Control; for example, they can be manually edited through the CLI, through Policy Manager, or by applying an archived switch configuration that was archived prior to the device being added to NAC Manager. This can cause an authentication failure or a loss of visibility to the devices on the network. The Verify RADIUS Configuration tool can help you troubleshoot this problem.
For more information, see How to Verify RADIUS Configuration in the NAC Manager User Guide.
In NAC Manager, right-click on an engine and select Verify RADIUS Configuration as shown here.
Accessing Verify RADIUS Configuration
Verification results are displayed in the Verify RADIUS Configuration window.
Verify RADIUS Configuration Window
Extreme Management Center Custom Reports
Extreme Management Center Custom Reports let you create specialized reports for monitoring Access Control engine performance. Create reports on a variety of Access Control engine statistics including CPU load, disk usage, memory usage, and device availability. Individual reports of interest can be bookmarked for ease of use in accessing the desired information.
On the Reports tab, expand the Custom folder and select Custom Report. Use the Options panel to configure your custom report by selecting a report target (such as Access Control), the statistic to monitor (such as CPU utilization), and the time period and date range to display. Click the Submit button to generate the report. An example report on Access Control engine CPU utilization is shown below.
TIP: CPU usage can be monitored more closely in real-time using diagnostic tools such as the Linux "top" command.
Management Center Custom Report
06/2017
7.1 Revision -00
Contents Subject to Change Without Notice