LevelBlue Knowledge Base » Knowledgebase » Legacy Products » NAC

What does a NAC TS-25 appliance look like?

Brian Abildgaard — Thu, 22 Feb 2018 08:11:31 GMT

This article applies to:

NAC TS-25

Question:

What does an NAC TS-25 appliance look like?

Reply:

Please find below photos of the NAC TS-25 appliance:

Front:

Back:

Gathering logs requested by Trustwave NAC TAC (NAC 5.X)

Brian Abildgaard — Thu, 22 Feb 2018 08:04:27 GMT

This article applies to:

NAC 4.x
NAC 5.x

Question:

Gathering logs requested by Trustwave NAC TAC

Procedure:

If Trustwave Technical Support needs your logs for troubleshooting, you can follow the procedures below.

All current versions of NAC allow you to gather logs using the command line interface (CLI). Version 5.1.2 and above allows you to gather logs from the Web interface.

Gathering logs from the CLI:

Use this procedure to gather logs from the command line interface:

For the commands below replace Case.CaseNumber with the full case number
The commands attempt to automatically insert the server name and date. However, if you have any issues you can try to replace the following by hand:
- $(uname -n) with the server name
- $(date '+%F') with the date in this format: YYYY-MM-DD
Example command with all information manually entered:
snapshot.sh -a -d /root/1234567_2015-09-20_myserver_TSLogs.tgz

SSH to the server as user root
On a Server, Server/Sensor or Standalone system type:
- snapshot.sh -a -d /root/Case.CaseNumber_$(date '+%F')_$(uname -n)_TSLogs.tgz
On a Sensor type:
- snapshot.sh -a -d /root/Case.CaseNumber_$(date '+%F')_$(uname -n)_TSLogs.tgz
- scp the file to the server
  - scp *_TSLogs.tgz root@server:
- remove it once it is copied to the server
  - rm -i *_TSLogs.tgz
Using a SCP client from your desktop, connect to the server via WinSCP and collect the file above.
Upload that file to your case in the portal. If the file is over 600Mb please contact support before uploading.

If you have any issues please contact Support.

Gathering logs from the Web Interface:

With version 5.1.2 and above, it is possible to gather the logs from the Web UI.

For the Sensor:

Open the web interface of the NAC and navigate to the Maintenance tab
Select the Sensor
Click the link "load fresh technical support logs"
The system reports the progress of log gathering:

Then:
When log gathering is complete a new line provides a link to download the logs
Click the link "Download data retrieved xxxx-yy-zz xx:yy:zz +xxxx" link to open a save file dialog. The file is already in archived format, ready to be uploaded to the ticket.

For the Central Manager:

The procedure for the CM is quite similar.

Open the web interface of the NAC and navigate to the Maintenance tab
Select the Central Manager
Click the link "Download technical support logs"
Save the file and attach to the ticket

Notes:

If you do not have a SCP client, one free option is available at www.winscp.net
The option "Download technical support overview" does not provide access to Logs. This option provides a plain text file with a general overview of the NAC configuration.

Dist service not starting after upgrade to NAC 5.1.2

Piotr Dłubisz — Fri, 30 Jun 2017 04:16:55 GMT

This article applies to:

NAC 5.1.2

Symptoms:

Upgraded to version 5.1.2
Dist service is stopped
The following errors are logged in /var/log/messages:

Jun 19 14:49:55 test-sensor Container: Starting containerJun 19 14:49:55 test-sensor Container: Invalid maximum heap size: -Xmx0mJun 19 14:49:55 test-sensor Container: Error: Could not create the Java Virtual Machine.Jun 19 14:49:55 test-sensor Container: Error: A fatal exception has occurred. Program will exit.

Causes:

This issue is caused by a problem with an upgrade script. The issue is fixed in the next release.

Resolution:

rm /usr/dist/config/appliance.conf ; configure-appliance; service dist start

Notes:

If you are still experiencing issues with dist startup after running the above command please contact support.

Enabling imaging of NAC 5.0 on a NAC SiS server

Piotr Dłubisz — Fri, 12 May 2017 07:39:51 GMT

This article applies to:

NAC 5.0 and above

Question:

How can I enable imaging of NAC 5.0 on a NAC SiS server?

Procedure:

Follow the normal procedure to add a NAC 5.0 image to the InstallationImages directory
Start the SiS server
Log in as root
At the configuration wizard window, press ctrl+c. This should give you a login prompt.
- If after pressing ctrl+c you do not see a login prompt, or nothing is showing on the screen when you type, do the following: press Enter, type reset and press Enter
Change directory:
```
# cd /mnt/hgfs/InstallationImages/
```

You can list directories using ls

[root@localhost InstallationImages]# lsHDIMAGE.template               install-1307161306-25227-v140  install-1504040804-25245-v140.tar.gz  install-5.0.0-94  system.cnf.tmplate  vmlinuz-2.6.13.41install-1108041430-25156-v140  install-1504040804-25245-v140  install-4200000-25227-v111            system.cnf        systems

Change to the directory containing your image:
```
# cd install-5.0.0-94 
```

Copy two files to the right directory:

# cp initramfs-3.18.17-nac02.tos2_4.nac.img /tftpboot/pxelinux.cfg/# cp vmlinuz-3.18.17-nac02.tos2_4.nac /tftpboot/pxelinux.cfg/

Restart the server
```
 # reboot
```

This will allow you to use 5.0 images during your SiS process. (Use the NACSIS-4.1.2 SIS image for Newer)

Configuring SNMP for Alerts

Piotr Dłubisz — Fri, 05 May 2017 05:12:26 GMT

This article applies to:

NAC 5.x

Question:

How do I configure SNMP alerts on NAC?

Procedure:

To alert to SNMP, set up the SNMP information as an Alert destination on NAC.

Navigate to the following location: Configuration > Organization > Alert Destination > SNMP
Complete these fields:
◾Name - Meaningful Name
◾Protocol - SNMP
◾IP - IP of SNMP Destination
◾Port - Default (162)
◾Protocol Data - Community String where applicable.

Configure Policy Alerts or Appliance Alerts and then manually trigger one of these events by matching on a condition.

Verifying Configuration:

You can test that NAC sent an event to the SNMP destination by running a packet capture with tcpdump.

To capture SNMP traffic to the default port, you can use the following tcpdump command. If you are not using the default SNMP port, adjust the command as needed.

tcpdump -vvi mgmt1 port 162

To trigger an event, a device must move from one zone to another.

Changing BIOS settings on NAC hardware devices to PXE boot

Andrew Davies — Thu, 20 Apr 2017 12:21:12 GMT

This article applies to:

NAC X model
NAC M model

Question:

How can I change BIOS settings on NAC to PXE boot?

Procedure:

With factory settings, pressing F12 during boot should boot from the network. If this doesn't happen changes must be made in the BIOS.

To alter BIOS settings, press the Delete key during boot.
In BIOS make sure that BIOS settings allow booting from the network: Advanced -> PCI Configuration -> Onboard G-LANX OPROM Configure is ENABLED
Change boot order (in Boot tab) so "PCI BEV: IBA GE" is at the top (use instructions provided on the screen). You can also one time boot from the network by pressing F12 during the boot process.
After the changes you should see the following screen (and then information about requesting IP from DHCP server) when the device starts booting from the network:

Notes:

The information above should be used only to start the reimaging process (SiS)

How to check that you are getting SSO logins

Andrew Davies — Wed, 12 Apr 2017 13:04:15 GMT

This article applies to:

NAC 5.x

Question:

How to check that you are getting SSO login information
How to check that "successful logins" is enabled in the audit logs

Information:

You can use this command to check that you are seeing logins from the AD systems. The command does not show the complete output, but will help you see if you are getting any logins at all.

This will be done on the sensor or sensor/server.

When entering the command below, change the following to the correct values:
$HOST
$USERNAME
$PASSWORD - If you do not want to put in the password in the command remove the %$PASSWORD and the system will prompt you for the login.

# /usr/dist/sso/rpcclient -I $HOST -U $USERNAME%$PASSWORD -c "eventlog_poll -m STDOUT -i -q security" \\\\$HOST

Notes:

Command text may wrap to a new line, but the command is a single entry.

The \ characters before "$Host" must be escaped and a total of four \ is correct.

If this command fails, ensure that the password is not using any special characters like # $ ! ^ @

This command cannot be used with a password that contains special characters, so you must change the password to not use these characters in order for the command to work.

To exit the program press CTRL+C

You can use the Administrator account or a Domain Administrator to test whether the connection is working only.

For security reasons DO NOT USE AN ACCOUNT WITH DOMAIN ADMINISTRATOR PRIVILEGES.

Examples:

The result of the command should be similar to the following:

# /usr/dist/sso/rpcclient -I 10.6.1.230 -U administrator%N0tYourPa$$word -c "eventlog_poll -m STDOUT -i -q security" \\\\10.6.1.230
Login N: 2133128 T: 540 User: SUP-DC$ Host: (null) IP: 127.0.0.1
Login N: 2133131 T: 528 User: adavies Host: SUP-DC IP: 10.244.1.186

User: SUP-DC$ Host: (null) - is a Computer login
User: adavies Host: SUP-DC - is a user login in to SUP-DC$

The following error results from an incorrect password:

# /usr/dist/sso/rpcclient -I 10.6.1.230 -U administrator -c "eventlog_poll -m STDOUT -i -q security" \\\\10.6.1.230
Password:
failed session setup with NT_STATUS_LOGON_FAILURE Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE

The following error results if the user does not have access to read the security logs (The password is correct).

# /usr/dist/sso/rpcclient -I 10.6.1.230 -U luser -c "eventlog_poll -m STDOUT -i -q security" \\\\10.6.1.230
Password:
result was NT_STATUS_ACCESS_DENIED

End-of-Sale for NAC Appliances

Andrew Davies — Tue, 11 Apr 2017 15:49:47 GMT

This article applies to:

NAC All versions

Information:

Trustwave is announcing the End-of-Sale (EOS) for the NAC appliances listed below. Maintenance contracts for these specific appliances will be available for a period of three years following the EOS date, provided the maintenance contract does not lapse during that period. The End-of-Life(EOL) dates for these appliances are also shown below.

NAC Appliance Model	EOS Date	EOL Date	Replacement Suggested
NAC-X20	May 31, 2015	May 31, 2018	TS-25
NAC-X50	May 31, 2015	May 31, 2018	TS-25
NAC-X100	May 31, 2015	May 31, 2018	TS-151
NAC-X500	May 31, 2015	May 31, 2018	TS-151
NAC-X500R	January 1, 2016	January 1, 2019	TS-500R
NAC-X1000	May 31, 2015	May 31, 2018	TS-151
NAC M1	Feb 1, 2016	Feb 1, 2019	TS-500
NAC-M10	Feb 1, 2016	Feb 1, 2019	TS-500
NAC X2500	Feb 1, 2016	Feb 1, 2019	TS-500
NAC X2500 F	Feb 1, 2016	Feb 1, 2019	TS-500 F

Notes:

Please contact your Trustwave sales representative if you have further questions.

Glossary:

End-of-Life (EOL): The last day that Trustwave will support a specified Hardware series.
End-of-Sale (EOS): The last day the specified Product will be available for sale.

Identifying the serial number for NAC TS-25

Andrew Davies — Wed, 11 Jan 2017 12:30:03 GMT

This article applies to:

NAC TS-25

Question:

How can I identify the serial number on a NAC TS-25 appliance that will not start?

Reply:

Trustwave devices may have multiple serial number labels as a result of the appliance production process.

The only labels that are significant are in the locations described below.

The serial number that should be used in all cases is the one with the earliest date stamp (that is, the oldest).

In the image below, that is the S/N xxxxxxx with a date of 07/15 (July, 2015).

In the case of dates in the same month, the lower (numerically) of the two numbers is the number to use.

The labels are located under the appliance.

Network Access Control (NAC) Appliance EOS Announcement

Andrew Davies — Tue, 01 Nov 2016 18:56:06 GMT

This article applies to:

NAC All Versions

Information:

Trustwave is announcing the End-of-Sale (EOS) of selected NetworkAccess Control (NAC) appliances (listed below) effective Feb 1, 2016, aswell as the availability of the new line of NAC appliances. Maintenancecontracts for the older appliances will be available for a period ofthree (3) years following the EOS date, provided the maintenancecontract does not lapse during that period and any maintenance contractpurchased does not extend past February 1, 2019. The End-of-Life (EOL)dates for all of the old appliances are shown in the table immediatelybelow.

End-of-Sale NAC Appliances and Key Dates

The following NAC appliance models are affected by this EOS announcement:

EOS NAC Appliance Model	EOS Date	EOL Date
NAC M1	Feb 1, 2016	Feb 1, 2019
NAC M10	Feb 1, 2016	Feb 1, 2019
NAC X 500 R	Feb 1, 2016	Feb 1, 2019
NAC X2500	Feb 1, 2016	Feb 1, 2019
NAC X2500 F	Feb 1, 2016	Feb 1, 2019

New NAC Appliances

The following new NAC appliances will be orderable in February 2016 and are expected to ship in March/April 2016.

NAC Appliance Model	Orderable	Shipping
TS-500 NAC	Feb 2016	March 2016
TS-500 F NAC	Feb 2016	March 2016

Notes:

New NAC appliances will use NAC 5.0 and are backward compatible with (can be used in the same installation as) existing appliances running NAC 4.3.4.
Please contact your Trustwave sales representative if you have further questions.

Glossary:

End-of-Life (EOL): The last day that Trustwave will support a specified Hardware series.
End-of-Sale (EOS): The last day the specified Product will be available for sale.

Verifying LDAP port connectivity

Andrew Davies — Fri, 21 Oct 2016 14:39:09 GMT

This article applies to:

SNAC (All Versions)

Question:

How can I confirm if a LDAP server is accessible on NAC?

Procedure:

LDAP authentication will only work if the LDAP server connection is configured properly and the server is available.

Here is a basic test that can be performed to diagnose LDAP authentication issues.

Navigate to: Configuration > Authorization > LDAP
The entries required to confirm port connectivity are in the first 2 fields.
- LDAP Server: The FQDN of your LDAP server
- LDAP Port: The port you are using to connect to LDAP. This is usually 389 (for the standard LDAP protocol) or 636 (for LDAP secure which also requires a certificate)
Use netcat to test connectivity:

These examples attempt a connection, with verbose output and a timeout. You should get a response quickly. If the command exits with no response then the connection did not succeed.

For more detailed information about netcat, see the man page.

Testing port 636 (LDAPS) with a timeout of 60 seconds.

nc <ldapserverip> 636 -v -w 60

Testing port 389 (LDAP) with a timeout of 60 seconds.
nc <ldapserverip> 389 -v -w 60
On older NAC appliances you can use telnet to test connectivity to this server and port. The syntax to test is:

telnet <ldap-server-fqdn> <ldap-port>

Example:

telnet mynameisldap.server.com 389

The example is a test to the server mynameisldap.server.com over port 389 which is the default LDAP port.

A successful connection will show you a blank screen which indicates that you have communicated successfully over that port.

If the output stalls on connecting To <ldap-server-fqdn> 389 then there is a networking, firewall, or configuration issue that must be addressed before the NAC can connect.

What versions of Java are supported in NAC 5.0.4

Piotr Dłubisz — Mon, 19 Sep 2016 10:47:41 GMT

This article applies to:

NAC 5.0.4

Question:

What versions of Java are supported in NAC 5.0.4?
What version of Java is required to run DSM scan in NAC 5.0.4

Reply:

Compliance scan client (DSM client) in NAC 5.0.4 requires Java version 8 (32 bit or 64 bit) to run.

Latest java client can be downloaded from here.

Software End of Life Announcement for Trustwave Network Access Control (NAC) 4.0.x and Earlier Versions

Andrew Davies — Tue, 26 Apr 2016 15:08:51 GMT

This article applies to:

NAC 4.x
NAC 3.x
NAC 2.x

Information:

Trustwave is announcing the End-of-Life (EOL) for NAC 4.0.x and prior software versions effective July 1, 2016. After July 1, 2016, no further software maintenance releases (including security patches and bug fixes) will be provided for these EOL software versions. Technical Assistance Center (TAC) support for these EOL versions will also end on July 1, 2016.

To help you in making the transition to a later, supported software version, Trustwave will be providing assistance with the upgrade process through July 1, 2016. Please contact customer support if you would like assistance and information on the upgrade process.

The latest NAC software version and documentation can be found on the Trustwave Customer Portal.

Notes:

Please contact your Trustwave sales representative if you have further questions.

Glossary

End-of-Life (EOL): The last day that Trustwave will support a specified software version.
End-of-Sale (EOS): The last day the specified Product will be available for sale.

Command Line administration tools in NAC 5.0

Charles — Wed, 13 Apr 2016 20:10:01 GMT

This article applies to:

NAC 5.0

Question:

What command line tools are available for server administration in NAC 5.0?
How do I reset a NAC server to factory default?
How do I join or rejoin a Sensor to a CM in NAC 5.0?

Information:

Command line tools available in NAC 5.0 include the following.

Note: Consult Trustwave TAC before using these tools. Incorrect usage can cause the NAC installation to be unusable and can permanently lose configuration data.

setup

This tool performs initial setup for a NAC appliance. Basic usage of this tool is fully covered in the Getting Started Guide.

You can re-run Setup to view and change network settings only. See article Q20587.

rejoin_to_cm

Usage: rejoin_to_cm -c [CM IP address] -p [password]

This command rejoins a Sensor to a CM. Use the -c flag to specify the IP of the CM. Use the -p flag to set the password. If an option is not passed it will be requested interactively.

This command cannot be run on a CM.

save-recovery-image

save-recovery-image does not take any options.

This command saves the current Trustwave NAC Configuration and OS Version to a separate partition that is recoverable with the system_reset command. One way to use this feature is to run this command before upgrading a Trustwave NAC Sensor in a lab environment. You can test the upgrade, then restore the setup from the time when this command was run using the -k option.

This command is not run during setup. To take advantage of this feature, you must run this command once (from the command line, or from the CM web interface).

system_reset

This tool allows you to reset or roll back configuration on a NAC device.

Usage: system_reset [-y] [-n] [-d|-k|-r] [-h]

You must provide one of -d, -r, or -k.

The recovery image mentioned can be saved using save-recovery-image (see above), or from the NAC CM web application.

-y   --yes    Yes: Default answers to yes
-n   --quiet Quiet: Quiet output
-d   --default Default: Reset to factory default configuration, keeping current software version.
-r   --reset Reset: Reset to factory default configuration, using software version saved in recovery image.
-k   --keep   Keep: Roll back to configuration in recovery image, using software version saved in recovery image.
-h   --help   Help: Print command usage then exit

remote

This tool allows you to connect to the CM and run specified commands on a sensor.

Commands:

remote cmd [command] [ARGUMENT...]: Runs command on sensor
remote copy [file]: Copies file to same path from CM to sensor
remote help [command]: Describe available commands or one specific command
remote ls: List connected sensors

Options for all commands:

-s, [--sensor=SENSOR]: Run on specified sensor name, or if omitted, run on all sensors
-l, [--limit=N]: Run on at most LIMIT sensors at once.
-o, [--output=OUTPUT]: Output sensor specific status to OUTPUT.SENSOR instead of standard output

Notes:

These commands replace some commands found in earlier versions of NAC.

Best Practice for deploying NAC configuration

Andrew Davies — Wed, 13 Apr 2016 16:04:39 GMT

This article applies to:

NAC 5.x

Question:

What are the best practices for deploying the NAC configuration?

Procedure:

Deploying a NAC configuration is not an instant change. The deployment involves writing to a database that takes time to perform MySQL transactions.

To ensure optimal performance and avoid issues, please follow our best practices.

Put the Sensor in test mode to avoid service interruption
Deploy the configuration to the Sensor
Wait a few minutes (This will vary depending on how busy your Sensor is).
Disable Test Mode
Confirm that NAC is behaving as expected

Notes:

If you still run into errors after disabling test mode, you may need to wait longer, or this could be an indicator of another issue. If you are not sure, please contact support and we can investigate.

Problem with joining 4.3.x sensors to 5.0.x CM

Andrew Davies — Wed, 13 Apr 2016 15:58:44 GMT

This article applies to:

NAC Sensor 4.3.x
NAC CM 5.0.x

Symptoms:

None of the 4.3.x sensors is connecting to 5.0.x CM
The rejoin_to_cm script is giving an error regarding wrong password
It is possible to connect from the sensor to the CM with join user via ssh using the password

Causes:

Problem with one of the libraries on NAC

Resolution:

The patch NAC-3635 patch needs to be installed. To obtain this patch, contact Trustwave Technical Assistance Center (TAC).

Installation procedure:

Transfer the file to the sensor using scp client to /root/ directory
Log in to the sensor via ssh as root
Unpack:

cd /root/
tar -zxvf NAC-3636.tgz
Install:

cd /root/NAC-3636
./install.sh

Running Setup for network settings only on NAC 5.0 and above

Andrew Davies — Wed, 13 Apr 2016 14:40:49 GMT

This article applies to:

NAC 5.x

Question:

How can I run through network setup only?

Procedure:

Log in to the NAC system as root
Run the command:

setup -n

This will take you through network setup only.

Example:

    Trustwave NAC setup    Gathering management interface IP configuration.    hostname        : nac.warsaw.local    mgmt ip         : 10.12.208.150    mgmt subnet mask: 255.255.255.128    mgmt gateway    : 10.12.208.129    Network Configuration:    hostname               IP address     netmask          gateway        mgmt interface    example.warsaw.local  10.12.208.150  255.255.255.128  10.12.208.129  mgmt1    Are these network settings correct? y

Creating a profile to detect communication on a specific port in NAC

Andrew Davies — Thu, 25 Feb 2016 10:54:59 GMT

This article applies to:

NAC 4.X and above
NAC 5.X

Question:

How can I create a profile in NAC that will detect communication on a specific port?

Procedure:

If you are planning to detect communication to (or from) a specific IP address or host on a specific port, start by creating a profile that defines the host.

In the example screenshot, the profile is named "pacific" and it contains the IP address 10.92.208.159

Next, create a behavioral profile that will detect the communication.

In the example below, the goal is to detect communication on port 62000:

In the example:

The communication is FROM the server only ("Transmit"). You can also choose to monitor "received" traffic or both directions.
The trigger threshold is one event during 60 seconds and the timeout is set to 120 seconds. If you want the profile to be assigned to a device permanently then set the timeout to 0.

The profile is now ready to use in a zone configuration.

NAC 5.0 DSM EOL FAQ

Charles — Tue, 23 Feb 2016 12:40:32 GMT

This article applies to:

NAC 3.X
NAC 4.X
SNAC 4.X

Overview

The DSM (Deep Scan Module) is a feature that allows the NAC device to perform system scans on endpoint devices that are attempting to access a NAC-protected environment. The scan can return different types of information about the end-client such as the type of anti-malware and firewall installed, system patches installed (Windows only), update settings, and more. NAC can then use the returned data to perform a number of different actions on the end device.

If the NAC settings have the Scan Pending zone enabled and restriction setup on that zone, a valid portal configured and compliance settings set, DSM is being used in that NAC environment.

The current certificate for the Java files used by the scanning function expires on April 2, 2016. End Users will receive a security warning and will need to allow the JAR to run without signing, and will have to accept it and continue anyway.

The New NAC 5.0 release contains the latest signed Java files, and also implements an updated version for the DSM module. As a result, we highly recommend you upgrade to NAC 5.0 to resolve this issue.

What is new in the latest version of DSM?

Anti-virus and Anti-spyware compliance sections have been combined into a single Anti-malware section.
Product matching for these features is no longer based on a list of supported versions, but instead uses a string matching function which allows users to enter the name and version for any product name and version that they wish to match.

What else is new in NAC 5.0?

Notable features:

NAC on TrustOS: Secure, customized Linux distribution
Fixed previous reported stability issues
Interoperability with 4.3.X versions
Enhanced maintenance features
Extended support for SSO
Improved NTP configurations

For more information, please refer to NAC 5.0 Release Notes and NAC 5.0 User Guide".

How can I get the upgrade/is there documentation about how to do the upgrade?

Upgrade packages and documentation are available on the Trustwave support portal. For further information on DSM, please refer to NAC 5.0 User Guide.

Who can I call for assistance?

If the account is under active maintenance, you can contact our TAC team and they will provide the information necessary for the upgrade. Maintenance does not include upgrade services. If you need on-site assistance, please contact Trustwave sales for further information.

Restrict-On-Demand and Full Restriction

Charles — Wed, 17 Feb 2016 17:29:49 GMT

This article applies to:

NAC 2.x and above

Question:

What is the difference between Restrict-On-Demand and Full Restriction?

Information:

To enable Restriction, Restricted Access must be checked in each access zone (and for earlier versions, also at the domain level). So what does the Restrict-on-Demand checkbox in each Managed Segment do?

Restrict on Demand does not turn Restrict on and off. The checkbox that does that is the Restrict Access checkbox in the Access Zones.

Restrict on Demand is a configurable parameter within the Managed Segment that only restricts hosts that are being targeted by a perceived threat. This assumes that Restriction has been turned on, both in an access zone and at the domain level.

Examples:

For example, suppose Host A did something forbidden by policy. Without Restrict on Demand, we would manipulate the ARP cache on every host on the LAN ARP cache so that each host could not talk to that bad actor. This is called Restrict All. With Restrict on Demand, we only manipulate the host itself and any hosts it is actively trying to communicate with.

Restrict on Demand:

Hosts A, B, C, D on the LAN.
Host A becomes a security threat by TCP scanning Host B.
Host A’s ARP cache is manipulated so that all of its traffic goes to the NAC appliance.
Host B’s ARP cache is updated for Host A so that if Host B tries to talk with Host A, that traffic goes to the NAC appliance.
Host B can freely go anywhere else.
Host C and D’s ARP cache (and thus all of their traffic) is unaffected.
If Host A then tries to contact Host C, Host C’s ARP cache is updated so that all of its traffic going to A is sent through the NAC appliance. Host D is still unaffected. Host C can still go anywhere freely except to Host A.

Restrict All:

Hosts A, B, C, D on the LAN
Host A becomes a potential threat by TCP scanning Host B.
Host A’s entire ARP cache is manipulated so that all traffic going to any host on the LAN (including default gateway) goes through the NAC appliance.
Host B, C, and D’s ARP caches are manipulated so that if any of them try to contact Host A, that traffic will go through the NAC appliance. They may go freely between each other or anywhere else.

More explanations of this concept:

The following describes how "Restrict All" works:

The NAC appliance immediately poisons all managed hosts for a new attacker, even though that attacker may never communicate with those devices. The NAC appliance continues to issue ARP poison frames to keep the device poisoned until a zone/response change indicates that poisoning is no longer necessary. The advantage of this approach is that an attacker is restricted for all devices almost immediately. This way a threat has less of a chance to propagate. The disadvantage is that the NAC appliance ARP poisons more clients than may be necessary.

With "Restrict on Demand" the NAC appliance only poisons hosts that are actively trying to contact a host that has been deemed a threat. Keep in mind, though, that once a host is determined to be a threat, that particular host is poisoned immediately regardless whether Restrict on Demand or Restrict All is used.

"Restrict All" and "Restrict On Demand" are only applicable on an Access Zone where Restrict Access has been checked.

In Restriction mode, the network interface configured as the writer port on the sensor will continuously ARP a MAC of restricted host(s) to every other host on the segment, telling them the restricted host(s) has a MAC address of 00:9c::::, referred to as a"zero-nine-charlie". The sensor will also send the restricted host a false MAC address of the segment default gateway and every other device on the network so that all traffic to and from the restricted host flows through the NAC sensor depending on the rules in the access zone. 00:9c:::: is a hex representation of the restricted host 192.168.0.1 = 00:9c:c0:a8:00:01

Notes:

Restrict On-Demand is for networks larger than a /24 subnet mask. One difference between Restriction and Restrict on Demand is that Restriction will flood the network with continuous ARP requests, and Restrict-On-Demand will only ARP the default gateway and the device in question. If the sensor sees a host attempting to access a restricted host, that traffic will be sent to the NAC sensor and processed, rather than going directly to the restricted host. Restrict On Demand also allows the administrator to configure ARP poisoning based on traffic rather than automatically poisoning all managed hosts towards a threat.
For NAC versions below 4.3.x, Restrict on Demand is not supported in Broadcast-only Environments. Broadcast-only deployments do not use a mirror port to send traffic to the NAC appliance. In versions below 4.3, with a broadcast-only environment, do not enable the checkbox for Restrict On Demand in the Managed Segment configuration. Restrict All is the default (where Restrict On Demand is not checked), so unless this default is changed, restriction will work as designed.

What ports should I open to allow access to Active Directory in a Restricted zone?

Piotr Dłubisz — Wed, 10 Feb 2016 06:26:32 GMT

This article applies to:

NAC (All Versions)

Question:

What ports should I open to allow access to Active Directory in a restricted zone?

Reply:

The following list of ports was taken from this Microsoft Knowledge Base article

UDP 88,123,389,464,636,3268,3269TCP 88,135,389,445,464,636,3268,3269

Dynamic (high) ports may also be required - see the Microsoft article.

These ports should be added to the allowed services part of your zone configuration.

SmartScreen Filter Compatibilty

Andrew Davies — Tue, 19 Jan 2016 14:25:02 GMT

This article applies to:

NAC (All Versions)

Question:

Why does NAC Endpoint Compliance Scanner not work with Internet Explorer SmartScreen Filter?

Reply:

NAC Endpoint Compliance Scanning is not compatible with SmartScreen Filter. SmartScreen Filter must be disabled for endpoints to be redirected to the NAC portal.

This is not a NAC issue. Internet Explorer's SmartScreen Filter is a conflicting security feature.

Procedure:

To disable SmartScreen in Internet Explorer:

Open Internet Explorer.
Select Tools > Internet Options > Advanced
Make sure that Enable SmartScreen Filter is not selected (unchecked).

Notes:

For more information regarding SmartScreen Filter, see this Microsoft article.

Upgrading NAC to 5.0 from 4.3.2 takes a long time

Andrew Davies — Wed, 30 Dec 2015 16:48:44 GMT

This article applies to:

NAC 4.3.2 and above
Upgrade to NAC 5.0

Question:

Why is my upgrade taking so long?

Information:

Upgrade to NAC 5.0 is supported from NAC 4.3.2 and above.

The amount of time required is platform dependent. The estimated upgrade time is between 30 minutes and one hour.

The NAC upgrade installs many components. It is important to make sure that power IS NOT interrupted during the upgrade process. This could prevent the system from starting.

Because the upgrade from 4.3.x to 5.0 is a major upgrade including kernel update and file system updates, please be aware that the first restart after the upgrade will take a long time.

Notes:

If you have any questions or concerns please contact Trustwave support for additional assistance.

Creating a group with the "Copy parent" option is not copying "target filters" in behavioral profiles

Andrew Davies — Wed, 09 Dec 2015 15:07:45 GMT

This article applies to:

NAC 4.3.4

Problem:

Creating a group with the "Copy parent" option is not copying "target filters" in behavioral profiles

Procedure:

To correct the behavior, you can change a configuration file.

Log in to the CM as root via ssh.
Create a backup directory, and take a backup of a file that requires a change:

# mkdir /root/esc-1871
# cp -p /usr/dist/snapple/app/models/target_filter.rb /root/esc-1871/
Run the following command to make changes in the file.
Note this is a single command line (wrapped in this article for readability):

# sed -i '41s/:sport\ =>\ self.sport,/:sport =>\ self.sport, :protocol\ =>\ self.protocol,/' /usr/dist/snapple/app/models/target_filter.rb
Verify that the changes were applied correctly by searching for the text in the file:

#grep ":sport => self.sport" /usr/dist/snapple/app/models/target_filter.rb

Sample output:

# grep ":sport => self.sport" /usr/dist/snapple/app/models/target_filter.rb
:sport => self.sport, :protocol => self.protocol,
If the ouput is correct then restart the services:

# service snac restart; service httpd restart;

Rollback procedure:

To roll back the change above, copy the backup file to the default location, and then restart services:

# cp -p /root/esc-1871/target_filter.rb /usr/dist/snapple/app/models/target_filter.rb
# service snac restart; service httpd restart;

Disabling automatic configuration push

Piotr Dłubisz — Thu, 03 Dec 2015 03:31:26 GMT

This article applies to:

NAC 4.x

Question:

Can I disable automatic configuration push when I am adding IP or MAC addresses to a profile?

Procedure:

To disable the automatic configuration push you can perform the following procedure.

Remember to reverse the change after you have completed the additions of addresses.

Log in to the CM as root via ssh.
Make a backup directory and back up the configuration file:

# mkdir /root/autopush_backup
# cp -p /usr/dist/snapple/config/config.yml /root/autopush_backup
Edit the configuration file

# vi /usr/dist/snapple/config/config.yml
Find the following line:

disable_list_policy_condition_autopush: false

Edit this line to appear as follows

disable_list_policy_condition_autopush: true

The same line in wider context:

production:
# Set to true to disable automatic pushes
disable_list_policy_condition_autopush: true
Save the file.
Restart CM services from the GUI.

Notes:

If you are comfortable using sed you can change the file using the following command (AFTER backing it up).
(Note that this is a single command line although the text below is wrapped.)

# sed -i.backup 's/disable_list_policy_condition_autopush.*/disable_list_policy_condition_autopush\:\ true/g' /usr/dist/snapple/config/config.yml

You can check that the changes were applied correctly:

# grep autopush /usr/dist/snapple/config/config.yml

Sample output:

# grep autopush /usr/dist/snapple/config/config.yml

disable_list_policy_condition_autopush: true