How to Set NAC Manager Options


Use the Options window (Tools > Options) to set options for the NAC Manager application. In the Options window, the right-panel view changes depending on what you have selected in the left-panel tree. Expand the NAC Manager folder in the tree to view all the different options you can set.

Instructions on setting the following NAC Manager options:

Advanced Settings

Use the Advanced Settings view to configure advanced settings for NAC Manager. These settings apply to all users on all clients.

  1. Select Tools > Options in the menu bar. The Options window opens.
  2. In the left-panel tree, expand the NAC Manager folder and select Advanced Settings.
  3. Use the Capacity option to configure the NetSight resources allocated to end-system and configuration processing services. The greater the number of end-systems and appliances in your NAC deployment, the more resources it will require.
    • Low - For low performance shared systems.
    • Low-Medium - For medium performance shared systems, or low performance dedicated systems.
    • Medium - For medium performance shared systems, or medium performance dedicated systems.
    • Medium-High - For high performance shared systems, or medium performance dedicated systems.
    • High - For high performance dedicated systems.
    • Maximum - For extremely high performance dedicated systems.
  4. Use the Hybrid Mode option to enable Hybrid Mode for Layer 2 Controllers. Hybrid Mode allows a Layer 2 NAC Controller appliance to act as a RADIUS proxy for switches, like a NAC Gateway appliance. Select this option to enable Hybrid Mode for your Layer 2 Controllers at a global level. When the option is selected, the Configuration tab for a Layer 2 Controller will display an option to enable Hybrid Mode for that specific controller. For more information, see the Configuration tab Help topic. Disabling Hybrid Mode at the global level when a controller has switches will have a similar effect to deleting a gateway: the switches will have the controller removed as a reference.
  5. The Enable distributed end-system cache option is intended for large enterprise environments as a way to improve response times when handling end-system mobility. Enabling this option will improve NAC performance when discovering new end-systems as they connect, or when end-systems move from one place to another in the network.

    To use the end-system cache feature, it must be enabled on both the NetSight Server (using this option) and on the NAC appliances that will be using the cache (using the NAC Appliance Advanced Configuration window).

    When this feature is enabled, the NetSight Server and the NAC appliance exchange additional data each time end-system data is updated. This feature is not recommended unless there is sufficient network bandwidth for the additional data, a fast connection between the NetSight Server and the NAC appliance, and end-systems are adding or moving frequently.

    When you enable or disable this option, you must click the Reload button to reload the cache configuration on the NetSight server.

    The Reload button is also used if you have configured communication channels for the appliance groups on your network. You must reload when you first configure your channels and also any time you change your channel configuration. Reload will redistribute the end-system information to the new channels.
    CAUTION: The Reload operation may take some time and network communication may be temporarily disrupted.
  6. The Enable IPv6 Addresses for end-systems option allows NAC to collect, report, and display IPv6 addresses for end-systems in the end-systems table. When this option is changed, you must enforce your appliances before the new settings will take effect. In addition, end-systems will need to rediscover their IP addresses in order to reflect the change in the end-system table. This can be done by either deleting the end-system or performing a Force Reauth on the end-system. Only end-systems that have a valid IPv4 address as well as one or more IPv6 addresses are supported. End-systems that have only IPv6 addresses are not supported. End-system functionality support varies for IPv6 end-systems. For complete information, see NAC Manager IPv6 Support in the NetSight Configuration Considerations Help topic.
  7. The Enable Communication Channels for Appliance Groups option allows you to create logical groupings of your NAC appliance groups in order to segment data and limit network traffic between geographical or customer sensitive locations. This is an advanced NAC Manager feature and is only appropriate in certain network scenarios. For more information and complete configuration instructions, see How to Configure Communication Channels.
  8. Click OK.

Assessment Server

Use the Assessment Server view to schedule updates to NAC assessment server software and provide assessment agent adapter credentials. The options apply to all users on all clients.

The Schedule Updates option pertains only to on-board agent-less assessment servers and allows you to schedule routine checks for assessment server software updates using the web update operation. The web update feature automatically recognizes when an updated version of NAC assessment server software is available and allows you to download the newer version to keep your software current. The update operation uses the Suite Web Update server and proxy settings, which are configured in the Suite Options Web Update view. If your network is behind a firewall, you must specify the HTTP Proxy server being used.

  NOTE: The web update feature will download any updated assessment server software but will not perform the actual upgrade to the assessment server. The actual upgrade must be performed using the Upgrade button in the Manage Assessment Settings window with the Assessment Servers tab selected.

You should perform the Check for Assessment Updates and the Upgrade operation at least every two weeks to ensure that the assessment servers are running the latest scanner software that includes the most up-to-date virus definitions.

Because the on-board agent-less assessment license is subscription-based, the Upgrade operation must be performed at least once a month in order to upgrade the license. If the appliance is unable to contact the upgrade server, you should contact Extreme Networks Support so that a special license can be provided.

The assessment agent adapter credentials are used by the NAC appliance when attempting to connect to network assessment servers, including Extreme Networks Agent-less, Nessus, or a third-party assessment server (an assessment server that is not supplied or supported by NAC Manager). The password is used by the assessment agent adapter (installed on the assessment server) to authenticate assessment server requests. NAC Manager provides a default password that can be changed, if desired. However, if you change the password here, you will need to change the password on the assessment agent adapter as well, or connection between the appliance and assessment agent adapter will be lost and assessments will not be performed. For instructions, see How to Change the Assessment Agent Adapter Password.

  1. Select Tools > Options in the menu bar. The Options window opens.
  2. In the left-panel tree, expand the NAC Manager folder and select Assessment Server Web Update.
  3. To schedule updates to NAC assessment server software:
    1. Use the drop-down list to select the desired frequency (Daily, Weekly, Disabled) for checking for updates. If you specify a Weekly check, use the drop-down list to select the day of the week you wish the check to be performed, and set the desired time. If you specify a Daily update, set the desired time.
    2. Verify the web update server and proxy server settings in the Suite Options Web Update view.
  4. Specify the assessment agent adapter credentials.
  5. Click OK.

Data Persistence

Use the Data Persistence view to customize how NAC Manager will age-out or delete end-systems, end-system events, and end-system health results (assessment results) from the tables and charts in the End-Systems tab and the Statistics tab. These settings apply to all users on all clients.

  1. Select Tools > Options in the menu bar. The Options window opens.
  2. In the left-panel tree, expand the NAC Manager folder and select Data Persistence.
  3. Set the time that you would like the Data Persistence Check to be performed each day.
  4. In the Age End-Systems section, enter the number of days the Data Persistence Check will use as criteria for aging end-systems. Each day, when the Data Persistence check runs, it searches the database for end-systems that NAC Manager has not received an event for in the number of days specified (90 days by default). It will remove those end-systems from the tables in the End-Systems tab.
  5. If you select the Remove Associated MAC Locks and Occurrences in Groups checkbox, the aging check will also remove any MAC locks or group memberships associated with the end-systems being removed. The Remove Associated Registration Data checkbox is selected by default, so that the aging check also removes any registration data associated with the end-systems being removed.
  6. In the End-System Event Persistence section, select the checkbox if you want NAC Manager to store non-critical end-system events, which are events caused by an end-system reauthenticating. End-system events are stored in the database. Each day, when the Data Persistence check runs, it removes end-system events which are older than the number of days specified (90 days by default).
  7. In the End-System Information Events section, select the checkbox if you want NAC Manager to generate an event when end-system information is modified.
  8. In the Transient End-Systems section, configure the number of days to keep transient end-systems in the database before they will be deleted as part of the nightly database cleanup task. The default value is 1 day. A value of 0 will disable the deletion of transient end-systems. Transient end-systems are end-systems that are Unregistered and have not been seen for the specified number of days. End-systems will not be deleted if they are part of an End-System group or there are MAC locks associated with them. Select the Delete Rejected End-Systems checkbox if you want end-systems in the Rejected state to be deleted as part of the cleanup. You can also delete transient end-systems using the Tools > End-System Operations > Data Persistence option.
  9. In the Health Result Persistence section, specify how many health result (assessment results) summaries and details will be saved and displayed in the End-Systems tab for each end-system. By default, the Data Persistence check will save the last 30 health result summaries for each end-system along with detailed information for the last five health result summaries per end-system.
    There are two additional options:
    • You can specify to only save the health result details for quarantined end-systems (with the exception of agent-based health result details, which are always saved for all end-systems).
    • You can specify to save duplicate health result summaries and detail. By default, duplicate health results obtained during a single scan interval are not saved. For example, if the assessment interval is one week, and an end-system is scanned five times during the week with identical assessment results each time, the duplicate health results are not saved (with the exception of administrative scan requests such as Force Reauth and Scan, which are always saved). This reduces the number of health results saved to the database. If you select this option, all duplicate results will be saved.
  10. Click OK.
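The aging, transient-cleanup and health-result retention rules described in the steps above, modelled as an added example (this is constructed illustration code, not NAC Manager's own implementation). The end-system records, the check time NOW and the sample health results are constructed; treating Rejected end-systems with the same group/MAC-lock protection as transient ones is an assumption the page does not state.

```python
"""Illustrative model of the daily NAC Manager Data Persistence check.
Constructed example; not NAC Manager's own code."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class EndSystem:
    mac: str
    last_event: datetime        # most recent event NAC Manager received for it
    registered: bool = True     # False = Unregistered (transient candidate)
    state: str = "Accept"       # connection state, e.g. Accept, Quarantine, Rejected
    in_group: bool = False      # member of an End-System group
    mac_locked: bool = False    # has a MAC lock


@dataclass
class PersistenceSettings:
    age_days: int = 90                     # Age End-Systems threshold (days)
    remove_locks_and_groups: bool = False  # Remove Associated MAC Locks and Occurrences in Groups
    transient_days: int = 1                # Transient End-Systems; 0 disables deletion
    delete_rejected: bool = False          # Delete Rejected End-Systems
    health_summaries: int = 30             # health result summaries kept per end-system
    health_details: int = 5                # of those, how many keep full details


def data_persistence_check(end_systems, settings, now):
    """Classify end-systems the way the nightly check would act on them.
    Returns a dict of MAC lists: aged, transient, rejected and cleanup
    (aged end-systems whose MAC locks / group entries are also dropped)."""
    result = {"aged": [], "transient": [], "rejected": [], "cleanup": []}
    age_cutoff = now - timedelta(days=settings.age_days)
    transient_cutoff = now - timedelta(days=settings.transient_days)
    for es in end_systems:
        # Aging: no event in age_days -> removed from the End-Systems tables.
        if es.last_event <= age_cutoff:
            result["aged"].append(es.mac)
            if settings.remove_locks_and_groups and (es.in_group or es.mac_locked):
                result["cleanup"].append(es.mac)
            continue
        # Group membership or a MAC lock protects against the nightly cleanup.
        if es.in_group or es.mac_locked:
            continue
        if (settings.transient_days > 0 and not es.registered
                and es.last_event <= transient_cutoff):
            result["transient"].append(es.mac)
        # Assumption: Rejected end-systems get the same group/lock protection.
        elif settings.delete_rejected and es.state == "Rejected":
            result["rejected"].append(es.mac)
    return result


def trim_health_results(results, settings):
    """results: list of (timestamp, summary) in any order. Keep the newest
    health_summaries entries; only the newest health_details keep detail."""
    kept = sorted(results, key=lambda r: r[0])[-settings.health_summaries:]
    detail_from = max(len(kept) - settings.health_details, 0)
    return [(ts, summary, i >= detail_from) for i, (ts, summary) in enumerate(kept)]


# Constructed sample data: the check runs at 02:00 on 10 June 2024.
NOW = datetime(2024, 6, 10, 2, 0)


def sample_end_systems():
    def ago(days, hours=0):
        return NOW - timedelta(days=days, hours=hours)
    return [
        EndSystem("00:00:00:00:00:0a", ago(100), in_group=True),                  # aged
        EndSystem("00:00:00:00:00:0b", ago(2), registered=False),                 # transient
        EndSystem("00:00:00:00:00:0c", ago(2), registered=False, in_group=True),  # protected
        EndSystem("00:00:00:00:00:0d", ago(0, 1), registered=False),              # seen recently
        EndSystem("00:00:00:00:00:0e", ago(5), state="Rejected"),                 # rejected
    ]


def sample_health_results(n=40):
    """Constructed scan history, one summary per day, oldest first."""
    return [(NOW - timedelta(days=n - i), f"summary-{i}") for i in range(n)]
```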

Display

Use the Display view to select different display options in NAC Manager. These settings apply only to the current user.

  1. Select Tools > Options in the menu bar. The Options window opens.
  2. In the left-panel tree, expand the NAC Manager folder and select Display.
  3. Configure the following display options:
    • Specify how you want to display NAC appliance names in the left-panel tree. You can display the appliance's IP address, the name that was assigned when the appliance was created, or a combination of the name and IP address.
    • Limit the number of table rows displayed in the End-Systems Activity tab and NAC Appliances Events tab in the Event View.
    • Click the Re-Show All button to turn on the display of messages that have been turned off in individual message dialog box(es).
    • Click the Reset All button to reset all NAC Manager secondary windows to their default size and screen placement.
    • Show or hide the Welcome Panel that is displayed when you first open NAC Manager and the All NAC Appliances folder is selected in the left-panel tree.
    • Use the Custom End-System Information Labels section to specify new text for the Custom column headings in the End-System table on the End-Systems tab.
    • Use the End-System Table Performance option to display group membership data in the End-Systems tab. Deselecting this option removes the Groups column from the End-Systems table and allows the table data to display faster. The option will take effect when the table is loaded (e.g. when you click on the End-Systems tab and the table is displayed).
    • Increase the number of redundant NAC Gateways per switch in the Add or Edit Switches in NAC Appliance Group windows. By default, these windows allow you to configure two NAC Gateways per switch for redundancy. You can use this option to increase the number up to three or four gateways per switch.
  4. Click OK.

End-System Event Cache

End-system events are stored daily in the database. In addition, the end-system event cache stores in memory the most recent end-system events and displays them in the End-System Events tab. This cache allows NAC Manager to quickly retrieve and display end-system events without having to search through the database. Use the End-System Event Cache view to configure the amount of resources used by the end-system event cache. This setting applies to all users on all clients.

  1. Select Tools > Options in the menu bar. The Options window opens.
  2. In the left-panel tree, expand the NAC Manager folder and select End-System Event Cache.
  3. Specify the number of events to cache. Keep in mind that the more events you cache, the faster data is returned, but that caching uses more memory.
  4. The End-System Event Cache also keeps a secondary cache of events by MAC address. This means that a particular end-system's events can be more quickly accessed in subsequent requests. Specify the number of MAC addresses kept in the secondary cache. Keep in mind that the more MAC addresses you cache, the more memory used. Also, note that the secondary cache may include events that are not in the main cache, but were retrieved by scanning the database outside the cache boundary.
  5. Specify the time Extreme Management Center spends when searching for older events outside of the cache. (The search is initiated by using the Search for Older Events button in the End-System Events tab.) The search is ended when the number of seconds entered is reached.
  6. Click OK.
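A model of the two-level cache described in steps 3 to 5, as an added example that is not NAC Manager's own code: a bounded main cache of the newest events, a secondary per-MAC cache with a cap on the number of MAC addresses, and a time-bounded search of older events outside the cache. The event log, the MAC addresses and the TickClock helper are constructed for illustration.

```python
"""Illustrative model of the NAC Manager end-system event cache: a bounded
main cache of the newest events plus a secondary LRU cache keyed by MAC.
Constructed example; not NAC Manager's own code."""
from collections import OrderedDict, deque
import time

MAC_A = "00:00:00:00:00:0a"   # constructed sample end-systems
MAC_B = "00:00:00:00:00:0b"


class EndSystemEventCache:
    def __init__(self, max_events, max_macs, search_seconds):
        self.main = deque(maxlen=max_events)  # newest max_events events, oldest first
        self.by_mac = OrderedDict()           # LRU: mac -> events (newest first)
        self.max_macs = max_macs
        self.search_seconds = search_seconds  # bound for "Search for Older Events"

    def add_event(self, event):
        """A new end-system event arrives; the oldest main-cache entry falls off."""
        self.main.append(event)
        if event["mac"] in self.by_mac:       # keep an already cached end-system current
            self.by_mac[event["mac"]].insert(0, event)
            self.by_mac.move_to_end(event["mac"])

    def recent(self):
        """Contents of the main cache, what the End-System Events tab shows."""
        return list(self.main)

    def events_for(self, mac, db, clock=time.monotonic):
        """Secondary-cache lookup for one end-system. On a miss the database is
        scanned, so the result may hold events older than the main cache boundary."""
        if mac in self.by_mac:
            self.by_mac.move_to_end(mac)
            return list(self.by_mac[mac])
        events = self.search_older(db, lambda e: e["mac"] == mac, clock)
        self.by_mac[mac] = events
        while len(self.by_mac) > self.max_macs:   # evict the least recently used MAC
            self.by_mac.popitem(last=False)
        return list(events)

    def search_older(self, db, predicate, clock=time.monotonic):
        """Scan the database newest-first, stopping once search_seconds elapse."""
        deadline = clock() + self.search_seconds
        found = []
        for event in reversed(db):
            if clock() >= deadline:
                break
            if predicate(event):
                found.append(event)
        return found


class TickClock:
    """Deterministic stand-in for time.monotonic: each call advances one second."""
    def __init__(self):
        self.t = -1

    def __call__(self):
        self.t += 1
        return self.t


def make_sample_db(n):
    """Constructed event log, oldest first: even seq numbers belong to MAC_A, odd to MAC_B."""
    return [{"seq": i, "mac": MAC_A if i % 2 == 0 else MAC_B, "text": f"reauth #{i}"}
            for i in range(n)]
```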

Enforce Warning Settings

Use the Enforce Warning Settings view to specify warning messages that you don't want displayed during the Enforce appliance audit.

When an appliance configuration audit is performed during an Enforce operation, warning messages may be displayed in the audit results listed in the Enforce window. If an appliance has a warning associated with it, you are given the option to acknowledge the warning and proceed with the enforce anyway.

These settings allow you to select specific warning messages that you do not want to have displayed in the audit results. This allows you to proceed with the Enforce without having to acknowledge the warning message. For example, you may have a NAC configuration that always results in one of these warning messages. By selecting that warning here, it will be ignored in future audit results and you will no longer have to acknowledge it before proceeding with the Enforce.

  1. Select Tools > Options in the menu bar. The Options window opens.
  2. In the left-panel tree, expand the Suite folder and select Enforce Warning Settings. The Enforce Warning Settings view opens.
  3. Select the checkbox in the Ignore column next to the warning messages that you don't want displayed.
  4. Click OK.

Setting Features Options

Use the Features view to enable registration and web access configuration support, as well as assessment/remediation for end-system access support. If you are not using these features, you can disable them to remove sections that pertain only to those features from certain NAC Manager windows.

Setting Notification Engine Options

Use the Notification Engine view to define the default content contained in NAC Manager notification action messages. For example, with an email notification action, you can define the information contained in the email subject line and body. With a syslog or trap notification action, you can specify certain information that you want contained in the syslog or trap message. These settings apply to all users.

There are certain "keywords" that you can use in your email, syslog, and trap messages to provide specific information. Following is a list of the most common keywords used. For a complete list of available keywords for NAC Manager notifications, see the Edit Action Overrides window Help topic.

  • $type - the notification type.
  • $trigger - the notification trigger.
  • $conditions - a list of the conditions specified in the notification action.
  • $ipaddress - the IP address of the end-system that is the source of the event.
  • $macaddress - the MAC address of the end-system that is the source of the event.
  • $switchIP - the IP address of the switch where the end-system connected.
  • $switchPort - the port number on the switch where the end-system connected.
  • $username - the username provided by the end user upon connection to the network.

  1. Select Tools > Options in the menu bar. The Options window opens.
  2. In the left-panel tree, expand the Suite folder and select Notification Engine. The Notification Engine view opens.
  3. Use the fields to define the default content contained in notification action messages. For a definition of each field, see the Notification Engine view Help topic.
  4. Click the Advanced Settings button to open the Notification Advanced Settings window where you can set parameters for the Action and Event queues processed by the Notification engine.
  5. Click OK.

Policy Defaults

Use the Policy Defaults view to specify a default policy role for each of the four access policies. These default policy roles will be displayed as the first selection in the drop-down lists when you create a NAC profile. For example, if you specify an Assessment policy called "New Assessment" as the Policy Default, then "New Assessment" will be automatically displayed as the first selection in the Assessment Policy drop-down list in the New NAC Profile window.

NAC Manager supplies seven policy role names to select from. You can add more policies in the Edit Policy Mapping window, where you can also define policy to VLAN associations for RFC 3580-enabled switches. Once a policy has been added, it becomes available for selection in this view.

  1. Select Tools > Options in the menu bar. The Options window opens.
  2. In the left-panel tree, expand the NAC Manager folder and select Policy Defaults.
  3. Select the desired policies.
    • The Assessment policy is applied to an end-system while it is being assessed (scanned).
    • The Accept policy is applied to an end-system when an end-system has been authorized locally by the NAC Gateway and has passed an assessment (if an assessment was required), or the "Replace RADIUS Attributes with Accept Policy" option was used when the end-system authenticated.
    • The Quarantine policy is applied to an end-system if the end-system fails an assessment.
    • The Failsafe policy is applied to an end-system when it is in an Error connection state. An Error state results if the end-system's IP address could not be determined from its MAC address, or if there was a scanning error and an assessment of the end-system could not take place.
  4. Click OK.

Port Wizard Defaults

Use the Port Wizard Defaults view to define the default behavior for the MAC, 802.1X, or MAC + 802.1X authentication port configuration wizards. The wizards can be accessed by right-clicking one or more switches in the Switches tab and selecting Policy Manager Port Configuration Wizard. The options you define here will be used as the wizard defaults. These settings apply to all users on the client.

  1. Select Tools > Options in the menu bar. The Options window opens.
  2. In the left-panel tree, expand the NAC Manager folder and select Port Wizard Defaults.
  3. Select the Port Mode - Unauthenticated Behavior, which defines how the traffic of unauthenticated end users will be handled on the port.
    • Default Role - If the end user is unauthenticated, the port will implement its default role. You can select to use the current default role on the device or set a default role. If there is no default role specified, there will be no role on the port.
    • Discard - If the end user is unauthenticated, no traffic is allowed on the port.
  4. Enable Automatic Re-Authentication if you want to set up the periodic automatic re-authentication of logged-in users on the port. Without disrupting the user's session, the device repeats the authentication process using the most recently obtained user login information, to see if the same user is still logged in. Authenticated logged-in users are not required to log in again for re-authentication, as this occurs "behind the scenes." Select the Active radio button to enable Automatic Re-Authentication. Specify the Re-Authentication Frequency, which determines how often (in seconds) the device checks the port to re-authenticate the logged in user.
  5. Set the Hold Time, which is the amount of time (in seconds) authentication will remain timed out after the allowed number of authentication attempts has been exceeded.
  6. Click OK.

Status Polling and Timeout

Use the Status Polling and Timeout view to specify polling and timeout options for NAC Appliances. These settings apply to all users on all clients.

  1. Select Tools > Options in the menu bar. The Options window opens.
  2. In the left-panel tree, expand the NAC Manager folder and select Status Polling and Timeout.
  3. In the NAC Appliance Enforce Timeout section, specify the amount of time that NAC Manager waits for an enforce response from the appliance before determining that the NAC appliance is not responding. During an enforce, a NAC appliance responds every second to report that the enforce operation is either in-progress or complete. Typically, you should not need to increase this timeout value, unless you are experiencing network delays that require a longer timeout value.
  4. In the Status Polling section, specify the Polling Interval, which is the frequency that NAC Manager will poll the NAC Appliances to determine appliance status.
  5. When communicating with NAC appliances for status polling, the Length of Timeout specifies the amount of time NAC Manager waits before determining that contact has failed. If NAC Manager does not receive a response from an appliance in the defined amount of time, NAC Manager will consider the appliance to be "down" and the appliance icon will change from a green up-arrow to a red down-arrow in the left-panel tree. The appliance status refers to Messaging connectivity, not SNMP connectivity. This means that if the appliance is "down," NAC Manager will not be able to enforce a new configuration to it.
  6. In the NAC Inactivity Check section, you can enable a check to verify end-system NAC activity is taking place on the network. If no end-system activity is detected, a NAC Inactivity event is sent to the NAC Manager Events view. You can use the Console Alarms Manager (in Console, Tools > Alarm/Event > Alarms Manager) to configure custom alarm criteria based on the NAC Inactivity event to create an alarm, if desired.
  7. Click OK.
