Cisco NAC Profiler Installation and Configuration Guide, Release 3.1.1
Endpoint Profile Configuration: Part 2

Table Of Contents

Endpoint Profile Configuration: Part 2

Overview

Configuration of TCP Open Port Profile Rules

Configuration of Profile Rules in the Application Rule Family

Adding an Application Rule to an Endpoint Profile

Configuration of Web Server Type Application Rules

Configuration of Web User Agent Application Rules

Configuration of Web URL Application Rules

Configuration of SMTP Server Banner Application Rules

Configuration of DHCP Client Vendor Application Rules

Configuration of DHCP Host Name Application Rules

Configuration of DNS Name Application Rules

Configuration of SNMP System Description Application Rules

Configuration of RADIUS Username Rules

Configuration of CDP Platform Rules

Configuration of Active Directory Data Rules

Profile Rules, NetInquiry and Active Profile Data Collection



Overview

Chapter nine provided the basics for the administration of endpoint profiles on the Cisco NAC Profiler system, as well as detailed instructions for the configuration and use of three of the available endpoint profile rule types: MAC Address, IP Address and Traffic Rules.

In this chapter, the remaining endpoint profile rule types that are accessible without using Advanced XML Rules are covered in detail, specifically the TCP Open Port, Application Rule family, RADIUS, CDP and Active Directory Data profile rule types.

The TCP Open Port and three members of the Application Rule family support the Active Profiling option in conjunction with the NetInquiry Collector component. Active Profiling is covered in detail in a later section of this chapter.

The interface and procedures for adding, editing and removing endpoint profiles and profile rules, along with the profile certainty concepts introduced in Chapter 9, apply equally to the rule types covered in this chapter. The emphasis of this chapter is therefore on the specifics of each rule type and its configuration options, and it assumes the reader is familiar with endpoint profile administration as outlined in Chapter 9, "Endpoint Profile Configuration: Part 1".

Configuration of TCP Open Port Profile Rules

A TCP Open Port rule enables endpoint profiling decisions based on Cisco NAC Profiler observing an endpoint accepting TCP connections from other endpoints on the TCP port specified in the rule. This requires a NAC Profiler Collector to observe traffic to the endpoint that indicates a TCP connection was successfully established (the three-way handshake completed), so passive collection of the data needed for TCP Open Port rule matches can be performed only by the NetWatch module(s) employed by the system. Alternatively, a TCP Open Port rule can be used in Active mode: the NetInquiry module(s) generate the necessary traffic by attempting to open a TCP connection on the port specified in each "active" TCP Open Port rule to the endpoints in their Network Blocks configuration, and the endpoint database is updated for each endpoint that accepts the connection.

This rule can be useful when endpoints accepting TCP communications on a known port is indicative of endpoint type. For example, Compaq Insight Manager is known to use TCP port 2301 to communicate with servers running the Compaq Insight Manager Agent. When traffic is observed by Cisco NAC Profiler that indicates a particular endpoint has established a TCP connection on port 2301, it is a highly reliable indicator that the device that accepted the connection is running the Agent and is likely a server being managed by Insight Manager.


Note The mechanism used for determination that an endpoint has an open port is valid only for TCP, and not applicable for UDP.


While adding/editing an endpoint profile via the Save Profile form, follow the procedure below to add a TCP Open Port rule to the Profile:


Step 1 Select TCP Open Port from the Add Rule drop-down menu of the Save Profile form, then select the Add Rule button. The Add Port rule form will display, as illustrated in Figure 10-1.

Figure 10-1 Add TCP Open Port Rule Form


Tip Like the Add MAC Address rule form, the Add Port Rule form includes the Show Data button. Clicking the Show Data button on systems that have observed endpoints accepting TCP connections passively via NetWatch (or actively via NetInquiry as described later in the chapter), will display a table of all such endpoint data collected by the system. An example of the Table of TCP Open Ports from an operational NAC Profiler system is shown in Figure 10-2:


Figure 10-2 Sample Table of Open TCP Ports

The endpoint data specific to the environment presented in this table can be used in researching techniques for profiling endpoints of a particular type.

Step 2 Specify the matching TCP Open Port for this rule.

Enter the TCP Port number to specify the matching TCP connection of interest for this rule.


Tip The current version of Cisco NAC Profiler supports only discrete TCP port numbers (for example, 9100, 31417, etc.) as the matching data of a TCP Open Port Rule. Port ranges are not currently supported.


Step 3 Specify Certainty for this rule

Enter a 'Certainty' value to apply to this rule as it is being used in this endpoint profile.

Step 4 Set the Active (optional) control for this Open Port rule as desired

Checking this option enables this TCP Open Port rule for active endpoint data collection by the NAC Profiler system. When this option is selected for a given TCP Open Port rule, and a NetInquiry module is configured and running on one or more of the NAC Profiler Collectors in the system (see Chapter 7, "Configuring Collector Modules"), each NetInquiry module will attempt to open a TCP session on the port specified in the rule with each endpoint in its own Network Blocks configuration. Because these connection attempts go to the addresses in the Network Blocks, they generate traffic on the network and may be logged by the endpoints contacted, so scope the Network Blocks configuration accordingly.

The system will perform the active endpoint data collection specified by the rule and the NetInquiry module(s) configured on the system at the frequency specified by the Active Profiling Configuration...Frequency parameter of the Server module configuration (See Chapter 6, "Configuring the Cisco NAC Profiler Server" for Server module configuration).

More information on Active Profiling using TCP Open Port rules is provided later in the "Profile Rules, NetInquiry and Active Profile Data Collection" section.

Step 5 Select the Add Port Rule button at the bottom of the Add Port Rule form to save the changes, adding the Port Rule to the Profile.


Upon successfully saving the Rule to the Profile, the Save Profile page for the Profile being configured will display in the browser as illustrated in Figure 10-3.

Figure 10-3 Save Profile Form showing TCP Open Port Rule

Note that the TCP Open Port Rule added in the previous steps will now be displayed in the Save Profile form with all other Profile attributes. At this point further edits/adds may be made to the Endpoint Profile, or the Profile changes may be saved.

The parameters of an existing TCP Open Port rule can be edited at any time by navigating to the endpoint profile containing the rule, displaying the Save Profile form, and then selecting the Edit check box for the TCP Open Port rule to be opened for editing. Change the parameters as desired and save the rule and profile changes as described previously, remembering that an Apply Changes -> Re-model is necessary to make the changes to the Profile effective on the system.

A TCP Open Port rule may be removed from a Profile by opening the Save Profile form for the Profile, selecting the Remove check box for the rule, and then selecting the Remove button.
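As an added example (not code from the Cisco guide or from NAC Profiler), the following Python script emulates the two halves of an active TCP Open Port rule: what a NetInquiry module does when it attempts a TCP connection to every address in its Network Blocks on the ports named in active rules, and how the modeler then applies the rules to the endpoints that completed the handshake. The network-block and port values are assumptions, and the scoring (a profile matches when the summed certainty of its matched rules reaches a minimum) is modeled on the certainty concept from Chapter 9 rather than taken from NAC Profiler's implementation.

```python
import ipaddress
import socket
from collections import defaultdict

# Added example, not Cisco NAC Profiler code. Models the active side of a
# TCP Open Port rule: NetInquiry tries to complete a TCP handshake with every
# endpoint in its Network Blocks on the port named in each "active" rule.


def tcp_open(host, port, timeout=1.0):
    """Return True only if a full TCP three-way handshake completes.

    A SYN that is dropped (filtered) or answered with RST (closed) returns
    False. The check says nothing about UDP services (see the Note above).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def expand_network_blocks(blocks):
    """Yield every address in the configured CIDR blocks (assumed format)."""
    for block in blocks:
        for addr in ipaddress.ip_network(block, strict=False):
            yield str(addr)


def active_open_port_collection(network_blocks, active_ports, timeout=1.0):
    """Emulate one NetInquiry pass: map endpoint -> set of accepting ports."""
    observed = defaultdict(set)
    for host in expand_network_blocks(network_blocks):
        for port in active_ports:
            if tcp_open(host, port, timeout):
                observed[host].add(port)
    return dict(observed)


def match_open_port_rules(observed, profiles):
    """Apply TCP Open Port rules to the collected data.

    profiles: {name: {"min_certainty": int, "rules": [(port, certainty), ...]}}
    Returns {endpoint: {name: total_certainty}} for every profile whose matched
    rules sum to at least its minimum certainty (assumed scoring semantics).
    """
    results = {}
    for endpoint, ports in observed.items():
        hits = {}
        for name, profile in profiles.items():
            total = sum(c for port, c in profile["rules"] if port in ports)
            if total > 0 and total >= profile["min_certainty"]:
                hits[name] = total
        results[endpoint] = hits
    return results


def start_local_listener():
    """Open a listening socket on an ephemeral loopback port (demo target)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def reserve_closed_port():
    """Return a loopback port number that nothing is listening on."""
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, demo_port = start_local_listener()
    profiles = {
        "Insight Managed Server": {"min_certainty": 10, "rules": [(2301, 20)]},
        "Demo Listener": {"min_certainty": 10, "rules": [(demo_port, 15)]},
    }
    observed = active_open_port_collection(["127.0.0.1/32"], [2301, demo_port], 0.5)
    print(match_open_port_rules(observed, profiles))
    srv.close()
```

Running the script connects only to the local host. Pointing expand_network_blocks at real Network Blocks attempts a connection to every address in them on every active port, which shows up in host firewall and application logs on the endpoints touched, so size the blocks and the Active Profiling frequency with that in mind.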

Configuration of Profile Rules in the Application Rule Family

Application rules enable Endpoint Profiling decisions based upon Cisco NAC Profiler observing network traffic containing application data that can be indicative of device type. Application rules are in fact a family of rules that use observable attributes of several different types of endpoint traffic at the application layer to make inferences about the endpoint using its network traffic. In addition, the DNS Name type of application rules can make use of data held in the name service on the network in order to determine information about endpoints.


Tip Collection of the endpoint data used for matching most rules in the Application Rule family is performed in passive mode by the NetWatch module(s) employed by the NAC Profiler system. The exceptions, rule types that can optionally or must use NetInquiry or NetMap, are described below and called out in Table 10-1.


For Application Rules to be effective in passive mode, endpoint traffic containing the data the various rule types match on (DHCP transactions, HTTP requests carrying a User-Agent, endpoint web traffic destined to specified URLs, and so on) must be redirected to a NetWatch monitor interface on the system.

In the case of Web URL rules specifically, NetWatch collects only the web URL data for URLs specified in Web URL rules present in enabled endpoint profiles. This is the same "Specific Collection" technique, described in Chapter 18, "Using the Cisco NAC Profiler Server Command Line", by which NetWatch collects only traffic that matches enabled Traffic Rules.

Two of the rule types in the family can be used in conjunction with NetInquiry to collect the endpoint data actively. Web Server Type and SMTP Server Banner rules can optionally be made Active, which results in the enabled NetInquiry module(s) in the system querying the endpoints in their respective Network Blocks configuration to determine whether a web or mail server is running, capturing the banner, and saving that data to the database, where the modeler uses it to find matches to these rules in enabled profiles.

A third member of the Application Rule family, the DNS Name rule can only be used in the active mode: it is dependent on one or more NetInquiry modules on the system being configured correctly to collect endpoint DNS name information from the DNS Service on the network. NetInquiry collects the DNS information that is used by the modeler to find matches to DNS Name rules enabled on the system.

The SNMP System Description rule type is different again: it is matched against the sysDescr information collected for each device in the Network Devices configuration of the system. For every network device polled by NetMap, the contents of the System Description (if populated) is collected and stored in the endpoint database for the endpoint (MAC) that responded to the SNMP query from a NAC Profiler NetMap module. This data can be used for profiling devices that respond to SNMP queries.

Table 10-1 summarizes the individual rule types within the Application Rule family. The rule types that can be made active (or used only in Active Mode) are called-out in the table, along with a description of the operation of each rule type.

Table 10-1 Application Rule Types

Rule Type: Web Server Type
Active-mode Capable: Yes
Description: Matches endpoint data collected when web servers on the network respond to client requests, identifying the responding endpoint as a web server along with its type (for example, Apache or Microsoft IIS) when a server banner is present in the traffic.

When used optionally as an Active rule, Cisco NAC Profiler attempts to initiate an HTTP session with the device(s) specified in the configurations of the NetInquiry module(s) running throughout the system. Responses to the request are analyzed to determine the web server banner the responding system presents, which is indicative of web server type.

A text string is specified in a Web Server Type rule to match the contents of the server banners presented by systems running web server variants.

Rule Type: Web User Agent
Active-mode Capable: No
Description: Matches data gathered by NetWatch from endpoint web traffic, specifically the User-Agent string in client requests to a web server, which identifies the version and capabilities of the agent running on the endpoint. In many cases the User-Agent string can be used to determine attributes of the endpoint that sent the traffic (for example, that the machine is running Microsoft Internet Explorer on Windows) and so make the profiling decision.

A text string is specified in a Web User Agent rule to match the contents of the agent string presented by systems running a web client such as a browser.

Rule Type: Web URL
Active-mode Capable: No
Description: Matches data gathered by examining HTTP traffic from endpoints for specific URLs (request URIs).

An example would be examining HTTP traffic to identify which endpoints are communicating with an anti-virus vendor's automatic update site, to identify devices likely to be Windows PCs.

Rule Type: SMTP Server Banner
Active-mode Capable: Yes
Description: Matches protocol header information in endpoint traffic to identify e-mail traffic, and gleans the mail server(s) address and type(s) passively from that traffic.

When used optionally as an Active rule, SMTP Server Banner rules cause Cisco NAC Profiler to communicate with hosts in the address ranges specified in the configuration of the NetInquiry modules. Communication with SMTP servers in those ranges generates the traffic necessary to identify those servers and delivers it to the interface of the Collector, where it can be analyzed.

Rule Type: DHCP Host Name
Active-mode Capable: No
Description: Matches the host name carried in the payload of DHCP requests against specified text strings.

This rule is helpful if the host name is indicative of the end node type. For example, if a host name beginning with the prefix 'BSTXP' is known to be a Windows XP machine while a host name prefix of 'BSTPS' is known to be a printer, DHCP Host Name rules could be used to profile Windows machines and printers in this environment using data gleaned from DHCP traffic.

Rule Type: DHCP Client Vendor
Active-mode Capable: No
Description: Matches the Vendor Class Identifier collected from endpoint DHCP packets. Many vendors include information in this portion of the DHCP request that is indicative of the type of device making the request, so this rule can be used to identify endpoint type from DHCP traffic.

For example, Cisco 7960G IP Phones include the string 'Cisco Systems, Inc. IP Phone CP-7960G' in the DHCP Client Vendor portion of the DHCP requests they send. Finding this string in a DHCP request from an endpoint is a high-probability indicator that the device sending the request is a Cisco IP Phone.

Rule Type: DNS Name
Active-mode Capable: Active only
Description: Matches endpoint DNS information actively collected by NetInquiry (through enablement of the DNS Collection option) for the purpose of discovering an endpoint's DNS name, making it possible to match endpoints whose DNS names contain specified strings.

Similar to DHCP Host Name rules, DNS Name rules can be used to identify endpoints based on their names as registered in the DNS.

Rule Type: SNMP System Description
Active-mode Capable: N/A (data is collected by NetMap via SNMP)
Description: Cisco NAC Profiler captures the sysDescr contents for network devices polled by NetMap via SNMP.

This rule type allows endpoints to be profiled by specifying matches to sysDescr contents.


Adding an Application Rule to an Endpoint Profile

To add a rule from the Application Rule family to an endpoint profile:


Step 1 Select Application from the Add Rule section of the Save Profile form. The Add Application Rule form illustrated in Figure 10-4 is presented in the interface.

Figure 10-4 Add Application Rule Form

Step 2 Select the type of Application Rule to be added from the drop-down menu in the Application Type field, which offers each of the Application rule types listed in Table 10-1.


The remainder of this section will describe the configuration of each of the rule types in the Application Rule family in detail.

Configuration of Web Server Type Application Rules

The Web Server Type rule allows the profiling of endpoints based on the fact that the endpoint displays a web server banner when HTTP sessions are initiated with it. The crucial element of the Web Server Type rule is the specification of the search data, which is typically a text string that is included in the web server banner, and captured in the endpoint database for each endpoint that Cisco NAC Profiler ascertains is running a web server via the passive or active techniques outlined previously.

When adding/editing a Web Server Type rule, the Add Application Rule form will appear as illustrated in the next figure:

Figure 10-5 Adding/Editing a Web Server Type Rule


Tip The Show Data button is available for this rule type to assist in the setting of the rule parameters. If the Cisco NAC Profiler system has collected Web Server Type data from endpoints on the network via NetWatch or NetInquiry, clicking the Show Data button when configuring a Web Server Type rule will display the Table of Web Servers like the one from an example system shown in Figure 10-6.


Figure 10-6 Sample Table of Web Servers

The web server type data stored in the database is the text string in the Web Servers column of the table.

Follow the steps below to configure a Web Server rule:


Step 1 Specify the Search Data for the Web Server rule.

The Search Data can be a simple string or a Regular Expression designed to match multiple strings, so that a single rule matches multiple types of web server.

For example, to profile all endpoints running a version of the Apache web server, entering 'Apache' in the Search Data field would match all the variations (versions) of web server banner that include the word Apache.

To specify a rule that matched Apache or Microsoft IIS, the Regular Expression:

/Apache|IIS/

would be specified so that endpoints displaying a web server banner containing either the string Apache or IIS would match the rule.

Step 2 Select the "Active" option as desired for this Web Server Rule

The Active check box controls whether or not the NAC Profiler system will use the active endpoint data collection technique described earlier. If one or more Web Server Type rules with this option selected is present in an enabled endpoint profile, and one or more NetInquiry modules are configured, the NAC Profiler system will attempt a TCP port 80 connection to the endpoints specified in the Network Blocks configuration of the enabled NetInquiry module(s) employed in the NAC Profiler system.

More detail on active profiling is provided in "Profile Rules, NetInquiry and Active Profile Data Collection" section.

Step 3 Specify Certainty for this rule

Enter a 'Certainty' value to apply to this rule as it is being used in this endpoint profile.

Step 4 Select Add Application Rule button to save the rule to the endpoint profile.


Figure 10-7 is an example of a typical Web Server Type rule added to an endpoint Profile. The edit and remove buttons are provided to edit/remove Web Server Type rules previously added to a Profile.

Figure 10-7 Sample Web Server Rule Added to a Profile

Configuration of Web User Agent Application Rules

Web User Agent rules are another member of the Application Rule family that are used to match endpoints observed running a specific web user agent as an indicator of endpoint identity.

When endpoints employ HTTP to access web sites using a web browser or a variety of other client/agent technologies, a text string is generally sent to identify the user agent to the server when connecting. The HTTP request may include information such as the application name (for example, Internet Explorer, Mozilla Firefox, Windows Update, etc.), host operating system, and language.

All of these attributes can provide information about the endpoint initiating the request and can be very valuable for endpoint profiling and identity monitoring. Whenever network traffic from endpoints using HTTP to connect to network services is delivered to NetWatch monitor ports, HTTP requests including an agent are recorded into the database and associated with the known endpoints displaying the agent.

When adding/editing a Web User Agent rule, the Add Application Rule form will appear as illustrated in Figure 10-8:

Figure 10-8 Add Application Rule Form


Tip The Show Data button is available for this rule type to assist in the setting of the rule parameters, the Search Data specifically. If the NAC Profiler system has collected Web User Agent data from endpoints on the network via NetWatch, clicking the Show Data button when configuring a Web User Agent rule will display the Table of User Agents like the one from an example system in Figure 10-9.


Figure 10-9 Sample Table of User Agents

The user agent data stored in the database is the text string in the User Agents column of the table.

Follow the steps below to create a Web User Agent rule and add it to a profile:


Step 1 Enter the Search Data for the Web User Agent rule.

This can be a simple string or a Regular Expression designed to match multiple strings, so that a single rule matches several user agent strings with similar contents.

For example, to profile all endpoints displaying a user agent containing the string 'Windows', entering 'Windows' in the Search Data field would match all the variations (versions) of user agents that include the word Windows. Regular Expressions enable a single rule to match multiple terms; for example, to match the various user agents displayed by Apple systems, the Regular Expression:

/Apple|Mac|CFNet/

might be used in a Web User Agent rule to identify Apple endpoints based on strings that appear in a number of different user agents specific to endpoints running Apple operating systems. This rule is used in the Apple User factory Profile included with Cisco NAC Profiler. Because the match is on the contents of the user agent string, a short term such as 'Mac' also matches any unrelated user agent that happens to contain those characters, so check candidate expressions against the Table of User Agents before relying on them.

Step 2 Specify Certainty for this rule

Enter a 'Certainty' value to apply to this rule as it is being used in this endpoint profile.

Step 3 Select Add Application Rule button to save the rule to the endpoint profile.



Tip There is no "Active" option for Web User Agent rules; they can only be used against endpoint data collected passively by the NetWatch module(s) in the system, from monitoring interfaces receiving endpoint traffic destined for services using HTTP such as web browsing and OS and anti-virus updates, to name some common examples.


Figure 10-10 is an example of a typical Web User Agent rule added to a Profile. The edit and remove buttons are provided to edit/remove Web User Agent rules previously added to a Profile.

Figure 10-10 Sample Web User Agent Rule Added to a Profile

Configuration of Web URL Application Rules

Web URL rules are used to profile endpoints based on the observation that they are communicating via HTTP to specific URLs. Similar to user agents, the web URL rule is used to match attributes in the outbound HTTP request packets from endpoints. Most specifically, the Search Data for web URL rules is a Request URI. The Request URI identifies a page or a set of pages on a selected website by the path and/or query parameters in the HTTP request from the endpoint.

The use of Web URL rules typically requires a bit more research, using tools outside of Cisco NAC Profiler, to determine whether there are endpoints using HTTP to specific URLs that could serve as a unique attribute of identity. Unlike some of the other endpoint data types discussed previously, Cisco NAC Profiler does not capture every web URL it observes endpoints requesting and store it in the database. As with Traffic Rules, the presence of Web URL rules in enabled profiles determines what web URL data will be collected by the NetWatch modules across the system. Network traffic containing outbound HTTP requests from the endpoints must be analyzed by a NetWatch monitor interface for this data to be collected so that endpoint matches can be found by the Modeler.

Cisco NAC Profiler does not collect the URLs in endpoint HTTP requests promiscuously, for an obvious reason: in a large network with many active web users the list of URLs would grow essentially without bound. So, like the Traffic Rules discussed in Chapter 18, "Using the Cisco NAC Profiler Server Command Line", using this rule type requires that the NetWatch module be configured for specific collection by adding a Web URL rule to an enabled Profile and performing an Apply Changes -> Update Modules, which re-generates the XML configuration for the NetWatch modules in the system. This instructs the system to collect observed HTTP requests that contain the URL specified in the Web URL rule or rules present in enabled profiles. In this way Cisco NAC Profiler can collect the URL data specified as being of interest for endpoint profiling without the database growing too large.

As this suggests, however, the Cisco NAC Profiler administrator must know the Request URIs that endpoints of interest are requesting. HTTP is used in enterprise environments for much more than web site browsing: some IP Phones, for example, use HTTP to fetch their firmware image from a server, and enterprise anti-virus solutions often use HTTP to update signature files. Observing traffic outbound from an endpoint type known or suspected to use HTTP in this way, using a traffic analyzer filtered on destination port 80, may reveal how endpoints use agents and HTTP for a number of purposes, some without any direct user intervention, that can in turn be used as indicators of endpoint identity and captured in a Web URL rule.

When adding/editing a Web URL rule, the Add Application Rule form will appear as illustrated in the next figure:

Figure 10-11 Adding/Editing a Web URL Rule

Note the absence of the Show Data and Active buttons, neither of which are applicable to Web URL rules.

To configure a Web URL rule, complete the following steps:


Step 1 Enter the Search Data for the Web URL rule.

The Web URL rule uses a Regular Expression to specify the matching text in the Request-URI portion of an outbound endpoint request, so creating these rules is a matter of identifying the portion of the Request-URI that is common to requests from endpoints of this type.

Step 2 Specify Certainty for this rule

Enter a 'Certainty' value to apply to this rule as it is being used in this endpoint profile.

Step 3 Select Add Application Rule button to save the rule to the endpoint profile.


Figure 10-12 is an example of a typical Web URL rule added to a Profile. The edit and remove buttons are provided to edit/remove Web URL rules previously added to a Profile.

Figure 10-12 Web URL Rule Added to a Profile

Configuration of SMTP Server Banner Application Rules

The SMTP Server Banner rule allows the profiling of endpoints based on the fact that the endpoint displays a mail server banner when SMTP sessions are initiated with it. This is a similar functionality to that described for the Web Server rule type.

The crucial element of the SMTP Server Banner rule is the specification of the search data, which is typically a text string that is included in the SMTP server banner, and captured in the endpoint database for each endpoint that Cisco NAC Profiler ascertains is running an SMTP mail server via the passive or active techniques outlined previously.

When adding/editing an SMTP Server Banner rule, the Add Application Rule form will appear as illustrated in Figure 10-13:

Figure 10-13 Adding/Editing an SMTP Server Banner Rule


Tip The Show Data button is available for this rule type to assist in the setting of the rule parameters. If the Cisco NAC Profiler system has collected SMTP Server Banner data from endpoints on the network via NetWatch or NetInquiry, clicking the Show Data button when configuring an SMTP Server Banner rule will display the Table of SMTP Servers. The SMTP server banner data stored in the database is the text string in the SMTP Servers column of the table.


To add an SMTP Server Banner rule to an Endpoint Profile, complete the following steps:


Step 1 Specify the Search Data for the SMTP Server Banner rule.

The Search Data entered for the rule can be a simple string or a Regular Expression designed to match multiple strings, so that a single rule matches multiple types of SMTP mail server.

For example, entering 'ESMTP' in the Search Data field would match every mail server whose banner includes the word ESMTP, which is most modern servers regardless of product. To profile only endpoints running Postfix, a more specific string such as 'Postfix' (as in the default Postfix banner '220 mail.example.com ESMTP Postfix') is the better choice.

Step 2 Select the "Active" option as desired for this SMTP Server Banner rule.

The Active check box controls whether or not the NAC Profiler system will use the active endpoint data collection technique described earlier. If one or more SMTP Server Banner rules with this option selected is present in an enabled endpoint profile, and one or more NetInquiry modules are configured, the NAC Profiler system will attempt a TCP port 25 connection to the endpoints specified in the Network Blocks configuration of the enabled NetInquiry module(s) employed in the system.

Step 3 Specify Certainty for this rule.

Enter a 'Certainty' value to apply to this rule as it is being used in this endpoint profile.

Step 4 Select Add Application Rule button to save the rule to the endpoint profile.


Figure 10-14 is an example of a typical SMTP Server Banner rule added to a Profile. The edit and remove buttons are provided to edit/remove SMTP Banner rules previously added to a Profile.

Figure 10-14 Example SMTP Server Banner Rule Added to a Profile
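The following Python is an added example, not part of the Cisco guide or of NAC Profiler: it shows what a collector has to extract from an observed HTTP request, an HTTP response and an SMTP greeting to feed the Web User Agent, Web URL, Web Server Type and SMTP Server Banner rules described in the preceding four sections, and how Search Data written either as a plain string or in the /…/ form shown above is applied to that data. The sample messages, endpoint addresses and field names are constructed for the example, and treating Search Data as a case-sensitive, unanchored Perl-style expression (with plain strings matched literally) and summing certainty per profile are this example's assumptions.

```python
import re

# Added example, not Cisco NAC Profiler code. The messages below are constructed
# stand-ins for traffic a NetWatch monitor interface (or a NetInquiry probe, for
# the server banners) would see; the field names are this example's own.


def _headers(lines):
    """Fold 'Name: value' lines into a dict keyed by lower-cased header name."""
    out = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            out[name.strip().lower()] = value.strip()
    return out


def parse_http_request(raw):
    """Return (request_uri, user_agent): the Web URL and Web User Agent data."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    _method, uri, _version = lines[0].split(" ", 2)
    return uri, _headers(lines[1:]).get("user-agent")


def parse_http_response(raw):
    """Return the Server header, the banner a Web Server Type rule matches."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return _headers(head.split("\r\n")[1:]).get("server")


def parse_smtp_banner(raw):
    """Return the text after the 220 greeting code, or None if no greeting."""
    line = raw.decode("latin-1").split("\r\n", 1)[0]
    return line[4:] if line.startswith("220") else None  # covers "220 " and "220-"


def compile_search_data(search_data):
    """Plain substring, or /regex/ for a Perl-style expression (assumed syntax)."""
    if len(search_data) > 2 and search_data[0] == "/" and search_data[-1] == "/":
        return re.compile(search_data[1:-1])
    return re.compile(re.escape(search_data))


def apply_rules(collected, rules):
    """collected: {endpoint: {field: value}}; rules: [(field, search_data, profile, certainty)].
    Returns {endpoint: {profile: summed certainty of matching rules}} (assumed scoring)."""
    matches = {}
    for endpoint, data in collected.items():
        totals = {}
        for field, search_data, profile, certainty in rules:
            value = data.get(field)
            if value is not None and compile_search_data(search_data).search(value):
                totals[profile] = totals.get(profile, 0) + certainty
        matches[endpoint] = totals
    return matches


# Constructed samples, not captured traffic.
SAMPLE_REQUEST = (b"GET /update/signatures.dat HTTP/1.1\r\nHost: av.example.com\r\n"
                  b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AV-Updater/3.2\r\n\r\n")
SAMPLE_RESPONSE = b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Length: 0\r\n\r\n"
SAMPLE_SMTP = b"220 mail.example.com ESMTP Postfix\r\n"

RULES = [
    ("user_agent", "Windows", "Windows PC", 10),             # Web User Agent rule
    ("uri", "/update/signatures", "Windows PC", 10),         # Web URL rule (Request-URI)
    ("server", "/Apache|IIS/", "Web Server", 20),            # Web Server Type rule, regex form
    ("smtp", "Postfix", "Mail Server", 20),                  # SMTP Server Banner rule
    ("smtp", "ESMTP", "Mail Server", 5),                     # too generic to carry much certainty
    ("user_agent", "/Apple|Mac|CFNet/", "Apple User", 10),   # the factory Apple User expression
]


def collect_samples():
    """What the collectors would have stored for two constructed endpoints."""
    uri, agent = parse_http_request(SAMPLE_REQUEST)
    return {
        "10.0.0.5": {"user_agent": agent, "uri": uri},
        "10.0.0.9": {"server": parse_http_response(SAMPLE_RESPONSE),
                     "smtp": parse_smtp_banner(SAMPLE_SMTP)},
    }


if __name__ == "__main__":
    print(apply_rules(collect_samples(), RULES))
```

Two points the run makes visible. A Request-URI such as /update/signatures starts with a slash but does not end with one, so it is treated as a literal; a Search Data value that both starts and ends with a slash would be read as an expression, which is worth checking when writing Web URL rules. Matches are unanchored substring matches, so short terms such as IIS or ESMTP match far more than their intended product; give such rules low certainty or pair them with a more specific one.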

Configuration of DHCP Client Vendor Application Rules

The DHCP Vendor Class Identifier is an extremely useful attribute for profiling endpoints addressed via DHCP. The Vendor Class Identifier is an optional DHCP option, but for endpoints that do use it, it is typically very descriptive.

For DHCP clients that do not use the option, its value will be recorded as either 'null' or 'No DHCP Vendor Class' by Cisco NAC Profiler (as can be seen in the figure later in this section, which shows a summary table from an operational system, a large number of DHCP stacks do not use this option). The standard DHCP options are defined in RFC 2132, where the Vendor Class Identifier (option 60) is defined as follows:

"This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. The information is a string of n octets, interpreted by servers. Vendors may choose to define specific vendor class identifiers to convey particular configuration or other identification information about a client. For example, the identifier may encode the client's hardware configuration."

Many devices will include this value in their DHCP packets and they are often highly descriptive as to the identity of the endpoint sending the packet.


Note In order for Cisco NAC Profiler to collect endpoint data from endpoint DHCP packets (for example, Discover, Request, Inform), endpoints have to initiate the DHCP process, and a NetWatch module must observe the DHCP client-side packets from the endpoint.

When an endpoint is connected to a network port (link up), is rebooted, or reaches the renewal time (T1) of the lease it last accepted, by default half the lease duration, the endpoint will source a DHCP packet that contains all or part of the information collected by NetWatch. It is important to understand the lease renewal interval in order to form an expectation of how long the system will need to be in operation before it has collected DHCP information for all endpoints using DHCP. In no case will it be instantaneous for all endpoints. Note also that a renewal Request at T1 is unicast directly to the DHCP server rather than broadcast, so the NetWatch monitor interface must see traffic on the path to the DHCP server, not only broadcast traffic on the access segment.


When adding/editing a DHCP Client Vendor rule, the Add Application Rule form will appear as illustrated in the next figure:

Figure 10-15 Adding/Editing a DHCP Client Vendor Rule

The Show Data button is available for this rule type to assist in setting the rule parameters, the Search Data specifically. If the NAC Profiler system has collected DHCP Client Vendor data from endpoints on the network via NetWatch analysis of DHCP traffic, clicking the Show Data button when configuring a DHCP Client Vendor rule displays the Table of DHCP Vendor Class/Table of DHCP Data (options/requested options by vendor class), like the one from an example system shown in Figure 10-16.

Figure 10-16 Example Table of DHCP Vendor Class data

The DHCP Client Vendor data stored in the database for an endpoint is the text string in the DHCP Vendor Class column of the table.

To configure a DHCP Client Vendor rule in an endpoint profile, follow the steps below:


Step 1 Specify the Search Data for the DHCP Client Vendor rule.

The Search Data for the DHCP Vendor Class rule specifies a string to match in the Vendor Class Identifier.

One of the most illustrative examples of profiling using this rule type is Cisco IP telephones. Cisco IP telephones include in their DHCP requests a Vendor Class Identifier that indicates not only that the endpoint is a Cisco IP Phone, but the model of the IP telephone instrument as well. The CP-7940G, 7960G and 7970G use the following Vendor Class Identifiers respectively:

Cisco Systems, Inc. IP Phone CP-7940G

Cisco Systems, Inc. IP Phone CP-7960G

Cisco Systems, Inc. IP Phone CP-7970G

When DHCP Discover/Request/Inform packets from endpoints addressed via DHCP are delivered to a NetWatch Monitor interface on a Collector in the system, NetWatch would have visibility into the DHCP Vendor Class Identifier from each phone as it sent a DHCP request upon being rebooted or upon its regular renewal of its address lease. This provides another example of how the Regular Expression functionality supported in profile rules could be used to match a string that occurs in several different forms.

A single regular expression could be created and used in a DHCP Vendor Class Application Rule that matched a common portion in all of the strings used by the models of Cisco IP phones (used in the Cisco IP Phone factory profile that ships with Cisco NAC Profiler):

/Cisco IP Phone/i

Alternatively, if it was desirable to break the different Cisco IP phone models out into separate profiles, a DHCP Vendor Class Identifier rule specific to each model could be added to the respective profiles:

/Cisco Systems, Inc. IP Phone CP-7940G/

This rule would match the CP-7940G specifically and could be configured either alone or in combination with a MAC Vendor rule to contain all CP-7940G endpoints.


Tip The Cisco NAC Profiler factory profiles contain a number of profiles that utilize DHCP Vendor Class rules standalone or in conjunction with other rule types. Reviewing these profiles and the DHCP rules provides examples or templates for this rule type that can be re-used, especially the RegEx.


Step 2 Specify Certainty for this rule.

Enter a 'Certainty' value to apply to this rule as it is being used in this endpoint profile.

Step 3 Select Add Application Rule button to save the rule to the endpoint profile.



Note There is no Active option for this rule type. The only way that the NAC Profiler system can collect this data is via NetWatch analysis of endpoint DHCP packets delivered to a monitor interface using techniques such as traffic redirection or IP Helper.


Figure 10-17 following is an example of a typical DHCP Client Vendor rule added to a Profile. The edit and remove buttons are provided to edit/remove DHCP Client Vendor rules previously added to a Profile.

Figure 10-17 Example DHCP Client Vendor Rule Added to a Profile

Configuration of DHCP Host Name Application Rules

The DHCP request from endpoints can also optionally contain the host name of the endpoint requesting DHCP service. Like the Vendor Class Identifier, this is an option (option 12): for DHCP client configurations that utilize it, the DHCP request packet will also include the host name of the endpoint. When DHCP packets from endpoints are observed by Cisco NAC Profiler via NetWatch, the system also records the host name in the endpoint database for the MAC of the endpoint, and it can be used in profile rules for identifying specific endpoints.

When adding/editing a DHCP Host Name rule, the Add Application Rule form will appear as illustrated in Figure 10-18:

Figure 10-18 Add DHCP Host Name Application Rule

Note the absence of the Show Data and Active buttons, neither of which is applicable to DHCP Host Name rules.

Complete the following steps to add a DHCP Host Name rule to an endpoint profile:


Step 1 Specify the Search Data for the DHCP Host Name rule.

The DHCP Host Name rule uses Regular Expressions to specify the matching host name recorded by Cisco NAC Profiler for endpoints in order to profile them into the endpoint profile containing the DHCP Host Name application rule.

As an example of how this rule type might be used in practice in Cisco NAC Profiler deployments, assume all the Windows endpoints owned by an organization were known to be configured with host names that were a string beginning with the letter "L" followed by exactly 7 digits, for example, L0123456. A rule could be created to look for endpoints in the database that were observed sending a DHCP request containing a host name that was a string beginning with upper-case L followed by exactly seven digits to place them in a profile that contained Windows endpoints believed to be company-owned laptops or desktops. A regular expression could be defined for the Search Data of a DHCP host name rule as follows:

/^L[0-9]{7}/

This rule would match any endpoint sending a DHCP request with the host name option enabled and a host name that was a string that started with the character "L" followed by exactly seven digits. Again, this rule might be combined with other rules such as a DHCP Vendor Class Identifier rule using the MSFT 5.0 value so that endpoints with both attributes would be profiled as Windows endpoints that used a host name according to internal host name convention for enterprise-owned Windows PCs. It is important to recall that Cisco NAC Profiler could profile in this manner using only the DHCP request data, and that data is considered MAC-learned for the endpoint and therefore persistent through changes in IP.

Step 2 Specify Certainty for this rule.

Enter a 'Certainty' value to apply to this rule as it is being used in this endpoint profile.

Step 3 Select Add Application Rule button to save the rule to the endpoint profile.
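The two DHCP rule types above both depend on NetWatch extracting option 60 (Vendor Class Identifier) and option 12 (Host Name) from client packets and then applying the Search Data to the recorded string. The following is an added example, not Cisco NAC Profiler code: it parses the options field of constructed DHCP Discover packets, records the 'No DHCP Vendor Class' value when option 60 is absent, and applies the Search Data strings quoted in this section (the /Cisco Systems, Inc\. IP Phone CP-/i pattern, the profile names, the MAC addresses and the all-rules-must-match profile logic are constructed for the example). rule_matches() also lets you test a candidate Search Data string against a value copied from the Show Data table before committing it to a profile.

```python
"""Parse DHCP options 12 and 60 from client packets and apply Search Data rules.
Added example, not Cisco NAC Profiler code. Packets and profiles below are constructed."""
import re
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"   # precedes the options field (RFC 2132)
OPT_PAD, OPT_HOST_NAME, OPT_MESSAGE_TYPE, OPT_VENDOR_CLASS, OPT_END = 0, 12, 53, 60, 255
NO_VENDOR_CLASS = "No DHCP Vendor Class"  # value the guide says is recorded when option 60 is absent


def build_dhcp_discover(mac, options):
    """Return a minimal DHCPDISCOVER (BOOTREQUEST over Ethernet) carrying (code, bytes) options.
    Constructed sample data, not a capture from a real client."""
    # op, htype, hlen, hops, xid, secs, flags (broadcast), ciaddr, yiaddr, siaddr, giaddr
    header = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         bytes(4), bytes(4), bytes(4), bytes(4))
    chaddr = mac.ljust(16, b"\0")            # client hardware address, padded to 16 bytes
    sname_file = bytes(64 + 128)             # unused server-name and boot-file fields
    tlvs = bytes([OPT_MESSAGE_TYPE, 1, 1])   # DHCP Message Type = DHCPDISCOVER
    for code, value in options:
        tlvs += bytes([code, len(value)]) + value
    return header + chaddr + sname_file + DHCP_MAGIC_COOKIE + tlvs + bytes([OPT_END])


def parse_dhcp_options(packet):
    """Return {code: value_bytes}; stops cleanly at END or at an option truncated by the packet."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            break                                # code present but no length byte
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) < length:
            break                                # option claims more bytes than the packet holds
        options[code] = value                    # last occurrence wins (RFC 3396 splitting not modelled)
        i += 2 + length
    return options


def endpoint_attributes(packet):
    """Extract the MAC-keyed DHCP attributes the guide says NetWatch records for an endpoint."""
    opts = parse_dhcp_options(packet)
    vendor, host = opts.get(OPT_VENDOR_CLASS), opts.get(OPT_HOST_NAME)
    return {
        "mac": ":".join(f"{b:02x}" for b in packet[28:34]),
        # option values are "a string of n octets": decode permissively rather than assume UTF-8
        "vendor_class": vendor.decode("latin-1") if vendor else NO_VENDOR_CLASS,
        "host_name": host.decode("latin-1") if host else None,
    }


def rule_matches(search_data, value):
    """Apply one rule's Search Data, written /pattern/ or /pattern/i as in the guide, to a value.
    Assumption: Search Data without the slashes is a plain case-sensitive substring."""
    if value is None:
        return False
    m = re.fullmatch(r"/(.*)/(i?)", search_data, re.DOTALL)
    if m is None:
        return search_data in value
    return re.search(m.group(1), value, re.IGNORECASE if m.group(2) else 0) is not None


# Constructed profiles. The first uses a regex written for this example; the other two use the
# Search Data strings from the text. Assumption: a profile is satisfied only when every listed
# rule matches (the product weighs rules by Certainty, which is not modelled here).
PROFILES = {
    "Cisco IP Phone (any model)": [("vendor_class", r"/Cisco Systems, Inc\. IP Phone CP-/i")],
    "Cisco IP Phone CP-7940G": [("vendor_class", "/Cisco Systems, Inc. IP Phone CP-7940G/")],
    "Company-owned Windows PC": [("host_name", "/^L[0-9]{7}/"), ("vendor_class", "MSFT 5.0")],
}


def matching_profiles(packet, profiles=PROFILES):
    """Return the sorted names of profiles whose DHCP rules all match the packet's attributes."""
    attrs = endpoint_attributes(packet)
    return sorted(name for name, rules in profiles.items()
                  if all(rule_matches(sd, attrs[field]) for field, sd in rules))


# Three constructed client packets mirroring the text's illustrations
PHONE = build_dhcp_discover(bytes.fromhex("001b54aabbcc"),
                            [(OPT_VENDOR_CLASS, b"Cisco Systems, Inc. IP Phone CP-7940G")])
LAPTOP = build_dhcp_discover(bytes.fromhex("0050561a2b3c"),
                             [(OPT_HOST_NAME, b"L0123456"), (OPT_VENDOR_CLASS, b"MSFT 5.0")])
PRINTER = build_dhcp_discover(bytes.fromhex("00a0c9112233"),
                              [(OPT_HOST_NAME, b"printer-3f")])   # DHCP stack that omits option 60
```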


Figure 10-19 is an example of a typical DHCP Host Name rule added to a Profile. The edit and remove buttons are provided to edit/remove DHCP Host Name rules previously added to a Profile.

Figure 10-19 Example DHCP Host Name Rule Added to a Profile

Configuration of DNS Name Application Rules

The name for an endpoint registered in the Domain Name System (DNS) is another attribute that may be used for profiling, via the DNS Name rule. The DNS Name rule matches endpoint data collected actively via NetInquiry, which can optionally be configured to query the name server(s) on a network to get name-to-IP mappings for each endpoint in DNS. A string (or strings) expected in the domain name of endpoints is specified as the Search Data for a DNS Name rule, and the modeler finds matches based on the data collected by NetInquiry.

This is similar in principle to the DHCP Host Name rule, but the endpoint data is gathered by a different means, and the underlying attributes are very different. In environments that use a DNS naming convention in which endpoints of the same type are assigned a DNS name including a common string (for example, hp501.printers.greatbaysoftware.com), this may be an effective approach to profiling devices.

The proper operation of DNS Name rules in a network is dependent on the proper configuration of NetInquiry so that DNS Name data for endpoints is collected in the most efficient manner from the DNS Service. Refer to Chapter 7, "Configuring a NetInquiry Collector Module" section on page 7-21 for instructions on NetInquiry module configuration and the enablement of the DNS Collection options.

When adding/editing a DNS Name rule, the Add Application Rule form will appear as illustrated in the next figure:

Figure 10-20 Add DNS Name Rule

The Show Data button is available for this rule type to assist in the setting of the rule parameters, the Search Data specifically. If the NAC Profiler system has collected the DNS Name data for endpoints on the network in DNS via NetInquiry, clicking the Show Data button when configuring a DNS Name rule will display the Table of DNS Names like the one from an example system shown in Figure 10-21. Note that in the example, the IP address column for each system in DNS was removed in the figure.


Note If this table is empty it is indicative of the NAC Profiler system being unable to collect DNS name information via the NetInquiry modules. This condition must be corrected in order for DNS Name rules to function as designed.


Note that there is no "Active" control for this rule type, although by definition DNS Name rules operate exclusively in active mode. DNS Name collection, however, is enabled in the NetInquiry module and will be performed if selected, regardless of whether DNS Name rules are present in one or more enabled profiles. This is unique to DNS Name rules in the current implementation.

Figure 10-21 Table Of DNS Names on System Collecting DNS Information

The DNS Name data stored in the database for each endpoint is the text string in the DNS Name column of the table.

To create DNS Name rules, follow the steps outlined below:


Step 1 Specify the Search Data for the DNS Name rule.

The Search Data entered for the rule can be a simple string or a Regular Expression designed to match multiple strings, so that a single rule matches multiple endpoints that have the string in their assigned DNS name.

Again, when it is determined that endpoints of a particular type utilize a consistent DNS naming convention, this approach to profiling endpoints may be particularly useful.

Step 2 Specify Certainty for this rule

Enter a 'Certainty' value to apply to this rule as it is being used in this endpoint profile.

Step 3 Select Add Application Rule button to save the rule to the endpoint profile.


Figure 10-22 is an example of a typical DNS Name rule added to a Profile. The edit and remove buttons are provided to edit/remove DNS Name rules previously added to a Profile.

Figure 10-22 Example DNS Name Rule Added to a Profile

Configuration of SNMP System Description Application Rules

SNMP System Description rules are seldom used, but can be an effective way to profile endpoints that run an SNMP agent and respond to a NetMap query for System Description with a unique string.

This rule type is unique in that the collection of this attribute requires that endpoints be polled using SNMP via NetMap, which requires that the endpoint be entered into the Network Device list configuration for the NAC Profiler system as outlined in Chapter 8, "Managing Network Devices".

Further, the endpoint must respond to an SNMP query for System Description information from the device's MIB. This would include the switches and routers added to the system configuration for the purposes of creating the model of the network, but the addition of other devices that support SNMP but are not part of the network infrastructure is also supported. This is the purpose of the "Device" device type that can be selected for the Type attribute when adding a device/group.

When adding/editing a SNMP System Description rule, the Add Application Rule form will appear as illustrated in the next figure:

Figure 10-23 Add SNMP System Description Rule

The Show Data button is available for this rule type to assist in the setting of the rule parameters, the Search Data specifically. If the NAC Profiler system has collected SNMP System Description data for endpoints via at least one successful NetMap poll, clicking the Show Data button when configuring a SNMP System Description rule will display the Table of SNMP data (Figure 10-24).

Figure 10-24 Table of SNMP Data

When an endpoint in the network device list responds to an SNMP poll for System Description contents by NetMap, the returned sysDescr string is stored in the database. The string returned by each endpoint is the text string in the SNMP Data column of the table.

Complete the following steps to configure an SNMP Description rule in an endpoint profile:


Step 1 Specify the Search Data for the SNMP System Description rule.

The Search Data entered for the rule can be a simple string or a Regular Expression designed to match multiple strings, so that a single rule matches multiple endpoints that have the string in their system description.

Step 2 Specify Certainty for this rule.

Enter a 'Certainty' value to apply to this rule as it is being used in this endpoint profile.

Step 3 Select Add Application Rule button to save the rule to the endpoint profile.


Figure 10-25 following is an example of a typical SNMP System Description rule added to a Profile. The edit and remove buttons are provided to edit/remove SNMP System Description rules previously added to a Profile.

Figure 10-25 Example SNMP Description Rule Added to a Profile

Configuration of RADIUS Username Rules

As described earlier in the Configuration Guide, the Profiler system can be configured to collect RADIUS accounting information from the NASs (typically access switches configured as RADIUS clients for MAC and/or 802.1X authentication) across the network.

The RADIUS Username attribute (see section 5.1 of RFC 2865 for a discussion of this attribute) can be collected for endpoints for which RADIUS accounting has logged that a user attempted or completed authentication via RADIUS from the endpoint's MAC through that RADIUS client.

RADIUS endpoint profiling rules can be created that match endpoints by the data collected via RADIUS accounting, the username specifically.


Note Endpoint data collected via RADIUS accounting must be viewed on a per-endpoint basis via the Endpoint Summary form.


Follow the steps below to configure a RADIUS Username rule in an endpoint profile:


Step 1 From the Save Profile form, ensure RADIUS is shown in the Add Rule drop-down then click the Add Rule button on the form. The Add RADIUS Rule form shown in Figure 10-26 will display on the page for entry of the rule parameters.

Figure 10-26 Add RADIUS Rule Form

Step 2 Specify the Search Data for the RADIUS User Name rule.

The Search Data entered for the rule can be a simple string or a Regular Expression that is designed to match multiple usernames.

Step 3 Specify Certainty for this rule.

Enter a 'Certainty' value to apply to this rule as it is being used in this endpoint profile.

Step 4 Select Add RADIUS Rule button to save the rule to the endpoint profile.


Figure 10-27 is illustrative of a typical RADIUS Username rule added to an endpoint profile. The edit and remove buttons are provided to edit/remove RADIUS Username rules previously added to a Profile.

Figure 10-27 RADIUS Username Rule added to a Profile

Configuration of CDP Platform Rules

Some endpoints utilize CDP (Cisco Discovery Protocol) to inform the switch connecting them to the network of their platform type and capabilities. Endpoints such as IP Phones, cameras and others utilize the protocol, and this information is captured on the access switch and stored in the CDP MIB. NetMap, when querying a switch as part of the regular polling process, collects all CDP neighbor information from the MIB and stores it in the database for the purposes of modeling the topology and enabling the CDP Platform rule type. Endpoints sending CDP identify themselves by MAC, so Profiler is able to attribute the CDP Platform name directly to known endpoint MACs.


Tip The information that is collected for endpoints via this process is commonly referred to as the Platform Name. The specific OID is named cdpCachePlatform (1.3.6.1.4.1.9.9.23.1.2.1.1.8).


This endpoint data can be very effective in the profiling of endpoint types that utilize CDP, using matches to the CDP Platform Name as an attribute of endpoint identity. Complete the following steps to configure a CDP rule in an endpoint profile:


Step 1 From the Save Profile form, ensure CDP is shown in the Add Rule drop-down then click the Add Rule button on the form. The Add CDP Rule form shown in Figure 10-28 will display on the page for entry of the rule parameters.

Figure 10-28 Add CDP Rule Form

The Show Data button is available for this rule type to assist in the setting of the rule parameters, the Search Data specifically. If the NAC Profiler system has collected CDP Platform data for endpoints via NetMap, clicking the Show Data button when configuring a CDP rule will display the Table of CDP Data like that shown in Figure 10-29.

Figure 10-29 Example Table of CDP Data

Step 2 Specify the Search Data for the CDP rule.

The Search Data entered for the rule can be a simple string or a Regular Expression designed to match multiple strings, so that a single rule matches the CDP Platform data of multiple endpoints.

Step 3 Specify Certainty for this rule.

Enter a 'Certainty' value to apply to this rule as it is being used in this endpoint profile.

Step 4 Select Add CDP Rule button to save the rule to the endpoint profile.


Figure 10-30 illustrates a typical CDP rule added to an endpoint profile. The edit and remove buttons are provided to edit/remove CDP rules previously added to a Profile.

Figure 10-30 CDP Rule added to a Profile

Configuration of Active Directory Data Rules

NetMap can be configured to collect endpoint data from the Microsoft Active Directory infrastructure in enterprise environments. This collection yields the following information for endpoints from their Active Directory entries:

1. Is/Is not a member of the Domain

2. Computer (Common) Name

3. Operating System Name

4. Operating System Version

5. Operating System Service Pack Number

6. Domain Name - Version 3.1.1 includes a new Endpoint Profile Rule type that allows endpoints that have a Computer Object entry in an AD server being polled by NetMap to be profiled using their Active Directory Domain Name. This enables further granularity to Profiling based on AD information, allowing endpoints that are domain members to be profiled based on their domain or sub-domain.

In order for a system to collect Active Directory information, the AD Servers must be entered into the system configuration as described in Chapter 8, "Managing Network Devices". In addition, understanding that the primary identifier of endpoints in Active Directory is the Common Name and not MAC or IP, the Profiler must have data available to make the mapping between an endpoint (MAC) and its Active Directory entry. In order to make the mapping, the Profiler must meet the following condition before attributing AD data to an endpoint in the Profiler database:

DHCP host name and/or DNS name must have been collected and matched to a Common Name found in the Active Directory data.

As these conditions are met for a given endpoint, collected AD attributes for the endpoint are stored for the endpoint MAC. If AD rules are present in enabled Endpoint Profiles, matches can occur and the endpoint profiled accordingly.

Like Application Rules, AD Rules are better described as a family of rules as four discrete variants can be defined and used in Profiler deployments:

1. Membership Only - Tests true for endpoints

2. Common Name Rule - Used to match endpoints that are in Active Directory with a common name containing the Search String.

3. AD Information Rule - Used to identify endpoints that are found in Active Directory and have the specified OS Name, version, and/or Service Pack.

4. AD Domain Name - Used to identify endpoints that are found in Active Directory and have the specified Domain Name attributes.

Follow the steps below to configure an Active Directory rule of any of these sub-types in an endpoint profile:


Step 1 From the Save Profile form, ensure Active Directory is shown in the Add Rule drop-down then click the Add Rule button on the form. The Add Active Directory Rule form shown in Figure 10-31 will display on the page for entry of the rule parameters.

Figure 10-31 Add Active Directory Rule

The Select Type control on the Add Active Directory Rule form is a drop-down menu that enables selection of the desired Active Directory rule sub-type.

Step 2 Select the desired Active Directory rule sub-type from the drop-down menu. Follow the steps below depending on the sub-type selected.

Membership Only

Upon the selection of this sub-type, the Add Active Directory Rule form changes as shown in Figure 10-32

Figure 10-32 Add Active Directory Rule: Membership Only sub-type

a. Set the "Computer is Member" parameter as desired via the drop-down: 'Yes' designates that the endpoint MAC has been mapped to a Computer Name that is known to be a member of the Domain. 'No' designates that the endpoint has not yet been mapped to a Computer Name that is a known member of the Domain.

b. Set the desired Certainty Factor.

c. Select the Add Active Directory Rule button to save the rule.

Active Directory Computer Name Rule

Upon selection of this sub-type the Add Active Directory Rule form changes as shown in Figure 10-33.

Figure 10-33 Add Active Directory Rule: Computer Name Sub-Type

a. Set the "Computer Name" search string. The Search Data entered for the rule can be a simple string or a Regular Expression designed to match multiple strings, so that a single rule matches multiple endpoints whose computer names in Active Directory match the expression.

b. Set the desired Certainty Factor.

c. Select the Add Active Directory Rule button to save the rule.

Active Directory Information Rule


Tip The AD Information Rule allows one or multiple parameters (OS name, version, service pack) to be specified as search criteria in a single rule. The underlying logical operator for the rule however is AND, meaning that endpoints that match ALL of the specified search parameters will satisfy the AD information rule. If nothing is specified for a parameter, that is interpreted as "any" value for that parameter.


Upon the selection of this sub-type, the Add Active Directory Rule form changes as shown in Figure 10-34.

Figure 10-34 Add Active Directory Rule: Information Sub-Type

a. Set one or more of the parameters for OS Name, OS Version and Service Pack.

The Search Data entered for each parameter can be a simple string or a Regular Expression designed to match multiple strings, so that a single rule matches multiple endpoints whose OS information from Active Directory matches the expression.

If a parameter is left blank, that is interpreted as matching any value.

For example, an AD Information Rule that had the Computer OS parameter set to Windows, with no Computer OS Version or Computer OS Service Pack, would match all endpoints whose AD information indicates an OS containing the string 'Windows', at any version and service pack level.

b. Set the desired Certainty Factor.

c. Select the Add Active Directory Rule button to save the rule.

Active Directory Domain Name

Upon selection of this sub-type the Add Active Directory Rule form changes as shown in Figure 10-35.

Figure 10-35 Active Directory Domain Name Rule

a. Set the "Domain Name" search string. The UI post-processes the entry in this field so that standard dotted domain notation is accepted (for example: ad.mysubdomain.mydomain.com), which would match all AD domain member computers that are members of the mysubdomain sub-domain of mydomain.com.

The string specified in this field should be the exact text that the end of the domain name must match. So, if it is desired to match all subdomains of mydomain.com, entering 'mydomain.com' in this field specifies matching for all AD domain names ending with mydomain.com.

b. Set the desired Certainty Factor.

c. Select the Add Active Directory Rule button to save the rule.
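The four sub-types above differ mainly in their matching semantics: Membership Only tests whether a MAC was mapped to a Computer Object at all, the AD Information rule ANDs its parameters with a blank meaning "any", and the Domain Name rule matches the end of the domain name. The following is an added example, not Cisco NAC Profiler code, that evaluates each sub-type over a constructed endpoint database; the MAC addresses, computer records and the label-boundary interpretation of "ending with" in the domain rule are assumptions, and Search Data is written as ordinary Python regular expressions.

```python
"""Evaluate the four Active Directory rule sub-types against constructed AD computer-object data.
Added example, not Cisco NAC Profiler code. Search Data is given as Python regular expressions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ADComputer:
    """Attributes the guide says NetMap collects for a domain-joined computer object."""
    common_name: str
    os_name: str
    os_version: str
    service_pack: str
    domain: str


# Constructed endpoint database keyed by MAC. None means the MAC has not been mapped (via
# DHCP host name or DNS name) to any Computer Object, i.e. it is not a known domain member.
ENDPOINTS = {
    "00:50:56:1a:2b:3c": ADComputer("L0123456", "Windows XP Professional", "5.1 (2600)",
                                    "Service Pack 3", "ad.mysubdomain.mydomain.com"),
    "00:50:56:4d:5e:6f": ADComputer("L7654321", "Windows 7 Enterprise", "6.1 (7601)",
                                    "Service Pack 1", "mydomain.com"),
    "00:0c:29:77:88:99": ADComputer("build-srv-01", "Ubuntu Linux", "10.04", "",
                                    "corp.notmydomain.com"),
    "00:1b:54:aa:bb:cc": None,   # IP phone: no AD computer object
}


def membership_rule(record, computer_is_member):
    """Membership Only: 'Yes' tests true when a Computer Object was mapped, 'No' when none was."""
    return (record is not None) == computer_is_member


def common_name_rule(record, search_data):
    """Computer Name: regex search over the AD common name of a mapped endpoint."""
    return record is not None and re.search(search_data, record.common_name) is not None


def ad_information_rule(record, os_name="", os_version="", service_pack=""):
    """AD Information: AND of the parameters given; a blank parameter means 'any value'."""
    if record is None:
        return False
    criteria = ((os_name, record.os_name), (os_version, record.os_version),
                (service_pack, record.service_pack))
    return all(not pattern or re.search(pattern, value) is not None
               for pattern, value in criteria)


def normalize_domain(name):
    """Stand-in for the UI post-processing (assumption: trim whitespace and outer dots,
    compare case-insensitively; the guide does not describe the actual normalization)."""
    return name.strip().strip(".").lower()


def domain_name_rule(record, domain_suffix):
    """AD Domain Name: the entry must exactly match the end of the endpoint's domain name.
    Assumption: the match respects label boundaries, so 'mydomain.com' matches 'mydomain.com'
    and 'ad.mysubdomain.mydomain.com' but not 'corp.notmydomain.com'."""
    if record is None:
        return False
    domain, suffix = normalize_domain(record.domain), normalize_domain(domain_suffix)
    return domain == suffix or domain.endswith("." + suffix)


def endpoints_matching(rule, endpoints=ENDPOINTS, **params):
    """Return the sorted MACs for which the given rule function tests true."""
    return sorted(mac for mac, rec in endpoints.items() if rule(rec, **params))
```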

Figure 10-36 illustrates a typical Active Directory rule (membership only) added to an endpoint profile. The edit and remove buttons are provided to edit/remove an Active Directory rule previously added to a Profile.

Figure 10-36 Active Directory Rule Added to a Profile

Profile Rules, NetInquiry and Active Profile Data Collection

The NetInquiry module and its configuration were introduced in Chapter 7, "Configuring Collector Modules". NetInquiry is the Cisco NAC Profiler module that provides a means within the NAC Profiler system to actively probe selected endpoints or selected network services (DNS in the current version) in order to generate a response from endpoints or gather data that is useful for Endpoint Profiling.

In the Active mode of endpoint profile data collection, the NAC Profiler system (specifically, Collectors with an enabled NetInquiry module) communicates with the endpoints directly in order to generate traffic at the management interface of the Collector so that it can be analyzed by NetInquiry.

The active method does not require redirection of native endpoint traffic to the monitoring interface of the Collector. Essentially, in active mode the Collector is inducing the endpoints in the specified range to send directed traffic of interest to the management interface of the Collector where it can be analyzed by NetInquiry to determine if the traffic contains data useful for endpoint profiling (for example, does it indicate that an endpoint has a specified TCP port open, is it displaying a web/SMTP banner, or does it contain DNS name information for endpoints of interest).

NetInquiry can be used to initiate communications from a specified set of endpoints in a way that is not harmful to endpoints or the network while aiding in the Cisco NAC Profiler endpoint profiling function.

A given NetInquiry module relies upon both its own configuration and the configuration of Profile rules in enabled Profiles to define how (and whether) it will operate in a given environment. The Cisco NAC Profiler rule types that are pertinent to NetInquiry are as follows, and were described in detail earlier in this chapter:

TCP Open Port rules

and the following Application rule types:

Web Server Type

SMTP Server Banner

DNS Name rules, which are a special case in that they only operate in "Active" mode. That is, in order for the data to be collected that enable matches to be made based on DNS name, at least one NetInquiry module must be configured to collect DNS name information.

In the cases of TCP Open Port, Web Server Type and SMTP Server Banner rule types, whether or not the optional Active Profiling provided by the NetInquiry functionality is used by the NAC Profiler system is controlled via a configuration option in each rule of the types that may be made active. (This assumes that a NetInquiry module has been added to the configuration as described in Chapter 7, "Configuring Collector Modules" of this document, and is running on the system.)

Recall that the NetInquiry modules in the NAC Profiler system run on the NAC Profiler Collector(s) deployed in the system. If one or more Collectors have had their NetInquiry module(s) configured as described in Chapter 7, "Configuring Collector Modules", and Profiles containing active rules of the aforementioned types are enabled, the NAC Profiler system will utilize Active Profiling techniques in addition to the passive techniques outlined throughout this and the following chapter.

DNS Collection is an exception to this. NetInquiry modules that have the "Enable DNS Name Collection" option checked will attempt to collect DNS information with their designated name server, whether or not a DNS Name rule is present in an enabled profile.

The decision to employ passive versus active techniques is dependent on the specifics of each network environment. There are trade-offs associated with both methods, and full consideration should be given to devising a Profiling strategy that best meets the objectives of each implementation.