NAC Manager Options Window
These options apply only to your Extreme Access Control (Access Control) deployment and the settings in the NAC Manager application. In the Options window (Tools > Options), the right-panel view changes depending on what you select in the left-panel tree. Expand the NAC Manager folder to view all the different options you can set.
Information on the following NAC Manager options:
- Advanced Settings
- Assessment Server
- Data Persistence
- Display
- End-System Event Cache
- Enforce Warning Settings
- Features
- Notification Engine
- Policy Defaults
- Port Wizard Defaults
- Status Polling and Timeout
Advanced Settings
This Options view lets you configure advanced settings for NAC Manager. These settings apply to all users on all clients.
- Capacity
- The Capacity option lets you configure the Extreme Management Center (Management Center) resources allocated to end-system and configuration processing services. The greater the number of end-systems and engines in your Access Control deployment, the more resources it requires.
- Low - For low performance shared systems.
- Low-Medium - For medium performance shared systems, or low performance dedicated systems.
- Medium - For medium performance shared systems, or medium performance dedicated systems.
- Medium-High - For high performance shared systems, or medium performance dedicated systems.
- High - For high performance dedicated systems.
- Maximum - For extremely high performance dedicated systems.
- Hybrid Mode
- A Layer 2 Access Control Controller engine can be configured for Hybrid Mode, which allows it to act as a RADIUS proxy for switches, like an Access Control Gateway engine. Select this option to enable Hybrid Mode for your Layer 2 Controllers at a global level. When the option is selected, the Configuration tab for a Layer 2 Controller displays an option to enable Hybrid Mode for that specific controller. For more information, see the Configuration tab Help topic. Disabling Hybrid Mode at the global level when a controller acts as a reference to switches is similar to deleting a gateway: the controller is removed as a reference from the switches.
- End-System Mobility
- The Enable distributed end-system cache option is intended for large enterprise environments as a way to improve response times when handling end-system mobility. Enabling this option improves NAC Manager performance when discovering new end-systems as they connect, or when end-systems move from one place to another in the network.
To use the end-system cache feature, it must be enabled on both the Management Center Server (using this option) and on the Access Control engines using the cache (using the Access Control Appliance Advanced Configuration window).
When this feature is enabled, the Management Center Server and the Access Control engine exchange additional data each time end-system data is updated. This feature is not recommended unless there is sufficient network bandwidth for the additional data, a fast connection between the Management Center Server and the Access Control engine, and end-systems are adding or moving frequently.
When you enable or disable this option, you must click the Reload button to reload the cache configuration on the Management Center server.
The Reload button is also used if you configure communication channels for the engine groups on your network. Reload when you first configure your channels and also any time you change your channel configuration. Reload redistributes the end-system information to the new channels.
CAUTION: The Reload operation may take some time and network communication may be temporarily disrupted.
- IPv6 End-System Support
- The Enable IPv6 Addresses for end-systems option allows NAC Manager to collect, report, and display IPv6 addresses for end-systems in the end-systems table. When this option is changed, you must enforce your engines before the new settings take effect. In addition, end-systems need to rediscover their IP addresses in order to reflect the change in the end-system table. This can be done by either deleting the end-system or performing a Force Reauth on the end-system.
Only end-systems with a valid IPv4 address as well as one or more IPv6 addresses are supported. End-systems with only IPv6 addresses are not supported. End-system functionality support varies for IPv6 end-systems. For complete information, see NAC Manager IPv6 Support in the Management Center Configuration Considerations Help topic.
- Appliance Group Communication Channel Support
- The Enable Communication Channels for Appliance Groups option allows you to create logical groupings of your Access Control engine groups in order to segment data and limit network traffic between geographical or customer sensitive locations. This is an advanced NAC Manager feature and is only appropriate in certain network scenarios. For more information and complete configuration instructions, see How to Configure Communication Channels.
Assessment Server
These options let you schedule updates to NAC Manager assessment server software and provide assessment agent adapter credentials. The options apply to all users on all clients.
The Schedule Updates option pertains only to on-board agent-less assessment servers and allows you to schedule routine checks for assessment server software updates using the web update operation. The web update feature automatically recognizes when an updated version of NAC Manager assessment server software is available and allows you to download the newer version to keep your software current. The update operation uses the Suite Web Update server and proxy settings, which are configured in the Suite Options Web Update view. If your network is behind a firewall, you must specify the HTTP Proxy server being used.
NOTE: The web update feature downloads any updated assessment server software but does not perform the actual upgrade to the assessment server. The actual upgrade must be performed using the Upgrade button in the Manage Assessment Settings window with the Assessment Servers tab selected. Perform the Check for Assessment Updates and the Upgrade operation at least every two weeks to ensure that the assessment servers are running the latest scanner software that includes the most up-to-date virus definitions. Because the on-board agent-less assessment license is subscription-based, the Upgrade operation must be performed at least once a month in order to upgrade the license. If the engine is unable to contact the upgrade server, contact Extreme Networks Support so they can provide a special license.
- Schedule Updates
- This section displays the last time a check occurred and lets you define the specific time to check for updates. Use the drop-down menu to set the frequency (Daily, Weekly, Disabled) for checking for updates. If you specified a Weekly check, use the drop-down menu to select the day of the week you wish the check to be performed, and set the desired time. If you specified a Daily update, set the desired time.
- Assessment Agent Adapter Credentials
- The password the Access Control engine uses when attempting to connect to network assessment servers, including Extreme Networks Agent-less, Nessus, or a third-party assessment server (an assessment server that is not supplied or supported by NAC Manager). The password is used by the assessment agent adapter (installed on the assessment server) to authenticate assessment server requests. NAC Manager provides a default password that can be changed, if desired. However, if you change the password here, you need to change the password on the assessment agent adapter as well, or connection between the engine and assessment agent adapter is lost and assessments are not performed. For instructions, see How to Change the Assessment Agent Adapter Password.
Data Persistence
This Options view lets you customize how NAC Manager ages-out or deletes end-systems, end-system events, and end-system health results (assessment results) from the tables and charts in the End-Systems tab and the Statistics tab. These settings apply to all users on all clients.
- Age End-Systems
- Each day, when the Data Persistence check runs, it searches the database for end-systems NAC Manager did not receive an event for in the number of days specified (90 days by default). It removes those end-systems from the End-System table in the End-Systems tab.
If you select the Remove Associated MAC Locks and Occurrences in Groups checkbox, the aging check also removes any MAC locks or group memberships associated with the end-systems being removed.
The Remove Associated Registration Data checkbox is selected by default, so that the aging check also removes any registration data associated with the end-systems being removed.
- End-System Event Persistence
- Select the checkbox if you want NAC Manager to store non-critical end-system events, which are events caused by an end-system reauthenticating. End-system events are stored in the database. Each day, when the Data Persistence check runs, it removes all end-system events which are older than the number of days specified (90 days by default).
- End-System Information Events
- Select the checkbox if you want NAC Manager to generate an event when end-system information is modified.
- Transient End-Systems
- This option lets you configure the number of days to keep transient end-systems in the database before they are deleted as part of the nightly database cleanup task. The default value is 1 day. A value of 0 disables the deletion of transient end-systems. Transient end-systems are Unregistered end-systems not seen for the specified number of days. End-systems are not deleted if they are part of an End-System group or there are MAC locks associated with them.
Select the Delete Rejected End-Systems checkbox if you want end-systems in the Rejected state to be deleted as part of the cleanup.
You can also delete transient end-systems using the Tools > End-System Operations > Data Persistence option.
- Health Result Persistence
- This section lets you specify how many health result (assessment results) summaries and details are saved and displayed in the End-Systems tab for each end-system.
By default, the Data Persistence check saves the last 30 health result summaries for each end-system along with detailed information for the last five health results per end-system. You can change these values if desired.
There are two additional options:
- You can specify to only save the health result details for quarantined end-systems (with the exception of agent-based health result details, which are always saved for all end-systems).
- You can specify to save duplicate health result summaries and detail. By default, duplicate health results obtained during a single scan interval are not saved. For example, if the assessment interval is one week, and an end-system is scanned five times during the week with identical assessment results each time, the duplicate health results are not saved (with the exception of administrative scan requests such as Force Reauth and Scan, which are always saved). This reduces the number of health results saved to the database. If you select this option, all duplicate results are saved.
- Wireless End-System Events
- Select the checkbox if you want NAC Manager to generate an event when wireless end-system information is modified. This option is disabled by default.
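The Age End-Systems and transient end-system clean-up rules above, modelled as an added Python example (not NAC Manager's own implementation); the end-system records, dates and field names are constructed from the descriptions in this section, and the treatment of Rejected end-systems is an assumption noted in the code:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class EndSystem:
    mac: str
    last_event: datetime          # when NAC Manager last received an event for it
    state: str                    # e.g. "Accept", "Unregistered", "Rejected"
    in_group: bool = False        # member of an End-System group
    mac_locked: bool = False      # has a MAC lock associated with it
    registered: bool = False      # has registration data


@dataclass
class PersistenceOptions:
    age_days: int = 90                     # Age End-Systems threshold (90 by default)
    remove_locks_and_groups: bool = False  # Remove Associated MAC Locks and Occurrences in Groups
    remove_registration: bool = True       # Remove Associated Registration Data (on by default)
    transient_days: int = 1                # Transient end-systems threshold; 0 disables deletion
    delete_rejected: bool = False          # Delete Rejected End-Systems


def idle_days(es, now):
    return (now - es.last_event).days


def aged_out(es, opts, now):
    """Age End-Systems check: no event received in more than age_days."""
    return idle_days(es, now) > opts.age_days


def transient(es, opts, now):
    """Nightly transient clean-up: Unregistered (or, if enabled, Rejected) end-systems
    not seen for transient_days, unless protected by a group membership or MAC lock."""
    if opts.transient_days == 0:          # 0 disables transient deletion entirely
        return False
    if es.in_group or es.mac_locked:      # protected end-systems are never deleted
        return False
    if idle_days(es, now) < opts.transient_days:
        return False
    if es.state == "Unregistered":
        return True
    # Assumption: Rejected end-systems follow the same idle-time and protection rules.
    return es.state == "Rejected" and opts.delete_rejected


def nightly_cleanup(end_systems, opts, now):
    """Return {mac: reason} for every end-system the nightly check would delete,
    listing the associated data the Age check would remove with it."""
    actions = {}
    for es in end_systems:
        if aged_out(es, opts, now):
            removed = ["end-system"]
            if opts.remove_locks_and_groups and (es.mac_locked or es.in_group):
                removed.append("locks/groups")
            if opts.remove_registration and es.registered:
                removed.append("registration")
            actions[es.mac] = "aged:" + "+".join(removed)
        elif transient(es, opts, now):
            actions[es.mac] = "transient"
    return actions


# Constructed sample data: the moment the nightly check runs and six end-systems.
NOW = datetime(2024, 6, 1)
SAMPLE_END_SYSTEMS = [
    EndSystem("00:00:00:00:00:01", NOW - timedelta(days=120), "Accept", in_group=True, registered=True),
    EndSystem("00:00:00:00:00:02", NOW - timedelta(days=10), "Accept"),
    EndSystem("00:00:00:00:00:03", NOW - timedelta(days=2), "Unregistered"),
    EndSystem("00:00:00:00:00:04", NOW - timedelta(days=2), "Unregistered", mac_locked=True),
    EndSystem("00:00:00:00:00:05", NOW - timedelta(hours=6), "Unregistered"),
    EndSystem("00:00:00:00:00:06", NOW - timedelta(days=3), "Rejected"),
]

if __name__ == "__main__":
    for mac, reason in nightly_cleanup(SAMPLE_END_SYSTEMS, PersistenceOptions(), NOW).items():
        print(mac, reason)
```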
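The Health Result Persistence rules above (last 30 summaries, last five details, details only for quarantined end-systems, and duplicate suppression within a scan interval), as an added Python example that is not NAC Manager's own code; the store, the scan dates and the one-week assessment interval are constructed, and comparing each new result against every stored result within the interval is an assumption:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class HealthResult:
    mac: str
    scanned_at: datetime
    summary: str                   # e.g. "pass" or "fail:3 high"
    details: str                   # per-test output for this scan
    admin_requested: bool = False  # Force Reauth and Scan: always saved
    agent_based: bool = False      # agent-based details are always saved
    quarantined: bool = False


@dataclass
class HealthOptions:
    summaries_to_keep: int = 30
    details_to_keep: int = 5
    details_only_for_quarantined: bool = False
    save_duplicates: bool = False
    assessment_interval: timedelta = timedelta(days=7)


class HealthResultStore:
    def __init__(self, opts):
        self.opts = opts
        self.summaries = {}   # mac -> list of HealthResult, oldest first
        self.details = {}     # mac -> list of detail strings, oldest first

    def is_duplicate(self, r):
        """Identical summary already stored within one assessment interval."""
        if self.opts.save_duplicates or r.admin_requested:
            return False
        for prev in self.summaries.get(r.mac, []):
            if prev.summary == r.summary and r.scanned_at - prev.scanned_at < self.opts.assessment_interval:
                return True
        return False

    def record(self, r):
        """Store a health result; return False if it was dropped as a duplicate."""
        if self.is_duplicate(r):
            return False
        kept = self.summaries.setdefault(r.mac, [])
        kept.append(r)
        del kept[:-self.opts.summaries_to_keep]          # keep only the newest N summaries
        if r.agent_based or r.quarantined or not self.opts.details_only_for_quarantined:
            d = self.details.setdefault(r.mac, [])
            d.append(r.details)
            del d[:-self.opts.details_to_keep]           # keep only the newest N details
        return True


# Constructed helper: build a scan result N days into a one-week assessment interval.
BASE = datetime(2024, 6, 1)


def sample_scan(mac, day_offset, summary="pass", **kw):
    return HealthResult(mac, BASE + timedelta(days=day_offset), summary, "details of " + summary, **kw)


def weekly_scan_demo(opts):
    """Five identical scans in one week, then one admin-requested scan; returns which were saved."""
    store = HealthResultStore(opts)
    mac = "00:00:00:00:00:0a"
    saved = [store.record(sample_scan(mac, d)) for d in (0, 1, 2, 3, 4)]
    saved.append(store.record(sample_scan(mac, 5, admin_requested=True)))
    return saved
```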
Display
This Options view lets you select how you want to display Extreme Access Control (Access Control) engine names in the left-panel tree, how to display end-system MAC addresses in right-panel tables, and whether to limit table rows in the End-Systems Activity tab and NAC (Access Control) Appliances Activity tab in the Event View. These settings apply only to the current user.
- Display NAC (Access Control) Appliance Names by
- Specify how you want to display Access Control engines in the left-panel tree. You can display the engine's IP address, the name assigned when creating the engine, or a combination of the name and IP address.
- Display MAC Addresses by
- Specify how you want to display end-system MAC addresses in right-panel tables. You can display them as a full MAC address or with a MAC OUI (Organizational Unique Identifier) prefix. This allows you to display the associated vendor the MAC address belongs to, if an OUI mapping exists. You can also limit the vendor name to a certain number of characters, if desired.
When the Display Unknown MACs as Unknown checkbox is selected, the MAC address for unknown users is displayed as "Unknown" in the End-Systems view. If the checkbox is not selected, the pseudo MAC address assigned to each device is displayed instead of "Unknown" for end-systems learned on an L3 controller.
- Limit Table Rows
- These options allow you to limit the number of table rows displayed in the End-Systems Activity tab and NAC (Access Control) Appliances Events tab in the Event View.
- Ignored Dialog Boxes
- Click the Re-Show All button to turn on the display of messages that are turned off in individual message dialog box(es).
- Dialog Settings
- Click the Reset All button to reset all NAC Manager secondary windows to their default size and screen placement.
- Welcome Panel
- This option lets you hide and show the Welcome Panel that is displayed when you first open NAC Manager and the All NAC (Access Control) Appliances folder is selected in the left-panel tree.
- Custom End-System Information Labels
- This option lets you specify new text for the Custom column headings in the End-System table on the End-Systems tab.
- End-System Table Performance
- Use this option to display group membership data in the End-Systems tab. Deselecting this option removes the Groups column from the End-Systems table and allows the table data to display faster. The option takes effect when the table is loaded (e.g. when you click on the End-Systems tab and the table is displayed).
- Display Counts
- This option allows you to configure up to four redundant Access Control Gateways per switch in the Add or Edit Switches in NAC (Access Control) Appliance Group windows. By default, these windows allow you to configure two Access Control Gateways per switch for redundancy. You can use this option to increase the number up to three or four gateways per switch.
End-System Event Cache
End-system events are stored in the database. In addition, the end-system event cache stores in memory the most recent end-system events and displays them in the End-System Events tab. This cache allows NAC Manager to quickly retrieve and display end-system events without having to search through the database.
These options let you configure the amount of resources used by the end-system event cache. These settings apply to all users on all clients.
- Number of events to cache
- Specify the number of events to cache. Keep in mind that the more events you cache, the faster data is returned, but that caching uses more memory.
- Number of MACs in secondary cache
- The End-System Event Cache also keeps a secondary cache of events by MAC address. This means that a particular end-system's events can be more quickly accessed in subsequent requests. Use this field to specify the number of MAC addresses kept in the secondary cache. Keep in mind that the more MAC addresses you cache, the more memory is used. Also, note that the secondary cache may include events that are not in the main cache, but were retrieved by scanning the database outside the cache boundary.
- Maximum time to spend searching for events (in seconds)
- This option specifies the time Extreme Management Center spends when searching for older events outside of the cache. (The search is initiated by using the Search for Older Events button in the End-System Events tab.) The search is ended when the number of seconds entered is reached.
Enforce Warning Settings
When an engine configuration audit is performed during an Enforce operation, warning messages may be displayed in the audit results listed in the Enforce window. If a warning occurs for an engine, you must acknowledge the warning before you can proceed with the enforce.
These settings allow you to select specific warning messages you do not want displayed in the audit results, so that you can proceed with the Enforce without having to acknowledge them. For example, a NAC configuration may always result in one of these warning messages; by selecting that warning here, it is ignored in future audit results and you no longer need to acknowledge it before proceeding with the Enforce.
Select the checkbox in the Ignore column next to the warning message that you don't want displayed and click OK.
Features
This Options view lets you enable registration and web access configuration support, as well as assessment/remediation for end-system access support. If you are not using these features, you can disable them to remove sections that pertain only to those features from certain NAC Manager windows.
Notification Engine
Selecting Notification Engine in the left panel of the Options window provides the following view where you can define the default content contained in NAC Manager notification action messages. For example, with an email notification action, you can define the information contained in the email subject line and body. With a syslog or trap notification action, you can specify certain information that you want contained in the syslog or trap message. These settings apply to all users.
There are certain "keywords" that you can use in your email, syslog, and trap messages to provide specific information. Following is a list of the most common keywords used. For a complete list of available keywords for NAC Manager notifications, see the Edit Action Overrides window Help topic.
- $type - the notification type.
- $trigger - the notification trigger.
- $conditions - a list of the conditions specified in the notification action.
- $ipaddress - the IP address of the end-system that is the source of the event.
- $macaddress - the MAC address of the end-system that is the source of the event.
- $switchIP - the IP address of the switch where the end-system connected.
- $switchPort - the port number on the switch where the end-system connected.
- $username - the username provided by the end user upon connection to the network.
- Custom Arguments
- If the notification action specifies a custom program or script to be run on the Management Center Server, then you can use this field to enter the "all" option. Using the "all" option returns values for all the NAC Manager Notification keywords applicable to the notification type. The "all" option is the only valid option for this field. For a complete list of available keywords for NAC Manager notifications, see the Edit Action Overrides window Help topic.
- Advanced Settings
- Click the Advanced Settings button to open the Notification Advanced Settings window where you can set parameters for the Action and Event queues processed by the Notification engine.
Policy Defaults
This Options view lets you specify a default policy role for each of the four access policies. These default policy roles display as the first selection in the drop-down menus when you create a NAC profile. For example, if you specify an Assessment policy called "New Assessment" as the Policy Default, then "New Assessment" automatically displays as the first selection in the Assessment Policy drop-down menu in the New NAC Profile window.
NAC Manager supplies seven policy role names from which to select. You can add more policies in the Edit Policy Mapping window, where you can also define policy to VLAN associations for RFC 3580-enabled switches. Once you add a policy, it becomes available for selection in this view.
- Assessment Policy
- Select the default Assessment policy. The Assessment policy is applied to an end-system while it is being assessed (scanned).
- Accept Policy
- Select the default Accept policy. The Accept policy is applied to an end-system when the end-system is authorized locally by the Access Control Gateway and passed an assessment (if an assessment is required), or the "Replace RADIUS Attributes with Accept Policy" option is used when the end-system authenticated.
- Quarantine Policy
- Select the default Quarantine policy. The Quarantine policy is applied to an end-system if the end-system fails an assessment.
- Failsafe Policy
- Select the default Failsafe policy. The Failsafe policy is applied to an end-system if the end-system's IP address cannot be determined from its MAC address, or if a scanning error occurs and an assessment of the end-system did not take place.
Port Wizard Defaults
These options let you define the default behavior for the MAC, 802.1X, or MAC + 802.1X authentication port configuration wizards. The wizards can be accessed by right-clicking one or more switches in the Switches tab and selecting Policy Manager Port Configuration Wizard. The options you define here are used as the wizard defaults. These settings apply to all users on the client.
- Port Mode - Unauthenticated Behavior
- Defines how the traffic of unauthenticated end users is handled on the port.
- Default Role - If the end user is unauthenticated, the port implements its default role. You can select to use the current default role on the device or set a default role. If there is no default role specified, there is no role on the port.
- Discard - If the end user is unauthenticated, no traffic is allowed on the port.
- Set Automatic Re-authentication
- Automatic Re-Authentication lets you set up the periodic automatic re-authentication of logged-in users on the port. Without disrupting the user's session, the device repeats the authentication process using the most recently obtained user login information, to see if the same user is still logged in. Authenticated logged-in users are not required to log in again for re-authentication, as this occurs "behind the scenes." Select the Active radio button to enable Automatic Re-Authentication. Specify the Re-Authentication Frequency, which determines how often (in seconds) the device checks the port to re-authenticate the logged in user.
- Set Hold Time
- The amount of time (in seconds) authentication remains timed out after exceeding the allowed number of authentication attempts.
Status Polling and Timeout
This Options view lets you specify the enforce timeout and status polling options for Access Control engines. These settings apply to all users on all clients.
- NAC (Access Control) Appliance Enforce Timeout
- When enforcing to Access Control engines, this value specifies the amount of time NAC Manager waits for an enforce response from the engine before determining that the Access Control engine is not responding. During an enforce, an Access Control engine responds every second to report that the enforce operation is either in-progress or complete. Do not increase this timeout value unless you are experiencing network delays that require a longer timeout value.
- Status Polling
- Polling Interval (in seconds) - Specifies the frequency that NAC Manager polls the Access Control engines to determine engine status.
- Length of Timeout (in seconds) - When communicating with Access Control engines for status polling, this value specifies the amount of time NAC Manager waits before determining that contact failed. If NAC Manager does not receive a response from an engine in the defined amount of time, NAC Manager considers the engine to be "down" and the engine icon changes from a green up-arrow to a red down-arrow in the left-panel tree. The engine status refers to Messaging connectivity, not SNMP connectivity. This means that if the engine is "down," NAC Manager is not able to enforce a new configuration to it.
- NAC Inactivity Check
- Enable a check to verify end-system NAC activity is taking place on the network. If no end-system activity is detected, a NAC Inactivity event is sent to the NAC Manager Events view. You can use the Console Alarms Manager (in Console, Tools > Alarm/Event > Alarms Manager) to configure custom alarm criteria based on the NAC Inactivity event to create an alarm, if desired.