Cisco NAC Profiler Installation and Configuration Guide, Release 3.1.1
Overview: Cisco NAC Profiler Architecture

Topics in this chapter include:

Overview

Cisco NAC Profiler System Deployment Model

Cisco NAC Profiler Usage: Port Provisioning and Endpoint Directory

Profiler Server High Availability Option (HA)

Profiler Collector High Availability

Version 3.1.1 User Interface Overview

Overview

Cisco NAC Profiler is a modular, network appliance-based system that provides two critical functions in enterprise networks: Endpoint Profiling and Identity Monitoring. Cisco NAC Profiler performs these functions using a unique approach and technologies that are highly reliable and have negligible impact on the endpoints and the network. It performs Endpoint Profiling and Identity Monitoring by communicating with network devices and services, passively analyzing network traffic, and using several other methods described in Chapter 1, "Introduction to the Cisco NAC Profiler" to classify endpoints using the network into an appropriate Profile.

Cisco NAC Profiler is a rules-based system. The endpoint profiling decision is made on a "best match" basis according to pre-determined criteria or rules that guide the classification of all endpoints into the most appropriate Profile, based on the most current data for each endpoint. In addition, the system reports changes in endpoint connection status and stores the data for future retrieval. It also allows the user to change selected port parameters of edge network infrastructure devices, parameters pertinent to the implementation and ongoing management of authentication and NAC solutions. All of these functions are controlled by the administrator using the web-based graphical user interface (GUI) accessible through a standard web browser.

The Cisco NAC Profiler solution is provided as two software components that reside on two or more network appliances:

A Cisco NAC Profiler Server appliance that can be implemented as a standalone appliance, or as a High Availability (HA) pair.

One or more Cisco NAC Profiler Collectors, which run as an additional software service on the Cisco NAC Server. NAC Profiler Collectors can, as an option, be configured to run on NAC Server HA pairs.

The Cisco NAC Profiler Server houses the Profiler database that contains all of the endpoint information, gathered from the associated Collectors, including endpoint type, location, and the identity attributes exhibited by the endpoint. In addition the Profiler Server serves the web-based interface and includes an integration layer implementation that communicates with the Cisco NAC Manager to keep the Device Filter list current and relevant.

Endpoints that are in profiles used to containerize endpoints known to require special handling by the NAC or port-based authentication system are added to the Device Filter list via this integration layer, and are maintained there unless Cisco NAC Profiler gets data from the Collectors indicating an identity change. In addition to the integration with Cisco NAC Appliance, Cisco NAC Profiler can be queried by other systems such as Cisco ACS.

The NAC Profiler Server maintains an LDAP directory that is synchronized with the Cisco NAC Profiler endpoint database. The NAC Profiler Server services LDAP queries by endpoint MAC address; for endpoints that it has discovered and profiled into designated profiles, it responds that the endpoint is known to be of a designated type. This functionality is used to support MAC Authentication of non-802.1X-capable endpoints, commonly referred to as MAC Authentication Bypass.

The Cisco NAC Profiler Collectors may reside on the same appliances with the Cisco NAC Servers in an integrated Cisco NAC Profiler/Cisco NAC Appliance system or on standalone NAC Profiler Collector appliances. The NAC Profiler Collector consists of a number of software modules (referred to as Collector Component Modules) that discover/collect information about the network attached endpoints including a network mapping module (NetMap), an SNMP trap receiver/analyzer (NetTrap), a passive network analysis module (NetWatch), an active inquiry module (NetInquiry), and a module that collects information from existing data sources such as NetFlow and RADIUS Accounting (NetRelay).

The Forwarder module on each NAC Profiler Collector establishes and maintains communication with the NAC Profiler Server module in the system. The major functions of the Collector are to gather all of the salient identity attributes about the endpoints using the passive and active techniques utilized by each of the component modules, and to minimize and aggregate the information that is sent over the network to the Profiler Server. Table 2-1 and Table 2-2 summarize the functions of the NAC Profiler Server and the Collector.

Table 2-1 Cisco NAC Profiler Server Module

Profiler Server Module: Server
Purpose: Cisco NAC Profiler system management, modeling engine, web UI and database server for the Cisco NAC Profiler system. Collects, classifies and logs incoming data. Serves the web-based User Interface. Manages the Device Filters list in the NAC Manager for Cisco NAC Profiler systems integrated with Cisco NAC Appliances. Maintains the LDAP directory and responds to LDAP queries initiated by Cisco Secure ACS.


Table 2-2 Cisco NAC Profiler Collector Component Modules

Collector Module: NetMap
Purpose: Collector Module that queries network devices via SNMP for system information, interface information, bridge information, 802.1X information and routing/IP information. Builds and maintains a model of the network topology and discovers endpoints connected to the network. Utilizes LDAP to query designated Active Directory servers to gather information about computer objects.
Data Collection Methodology: SNMP (v1, v2c and v3 supported) communication with network devices (switches and routers); LDAP query of Active Directory servers.

Collector Module: NetTrap
Purpose: Receives selected traps from network devices to assist NetMap in maintaining the model of the network topology. Used to detect endpoints joining or leaving the network; triggers a NetMap poll of the device port sending the trap.
Data Collection Methodology: SNMP traps (v1 and v2c) from edge switches.

Collector Module: NetWatch
Purpose: Passive network analyzer collector module. Collects information about endpoints from network traffic.
Data Collection Methodology: Traffic analysis via redirection (SPAN, mirror port) to Collector monitor port(s).

Collector Module: NetInquiry
Purpose: Used optionally on some Collectors configured for Active profiling. Collects information about endpoints using active techniques: TCP open ports, web and SMTP banners, and DNS name information.
Data Collection Methodology: Network communication initiated/analyzed by the Collector.

Collector Module: NetRelay
Purpose: Receives exported data from other systems such as NetFlow and RADIUS clients and prepares it for processing for Endpoint Profiling and Identity Monitoring. In the case of NetFlow, NetRelay processes NetFlow XDRs for matches to Traffic Rules. RADIUS Accounting is used to transfer RADIUS information from RADIUS clients (switches) to NetRelay.
Data Collection Methodology: Analysis of NetFlow XDRs forwarded by NetFlow collectors/aggregators (for example, routers); RADIUS Accounting.

Collector Module: Forwarder
Purpose: Facilitates communication and acts as middleware between Cisco NAC Profiler Collectors and the Cisco NAC Profiler Server in the Cisco NAC Profiler system.
Data Collection Methodology: Not applicable.


Cisco NAC Profiler System Deployment Model

Cisco NAC Profiler is designed and implemented as a modular system which employs one or more remote Collectors to distribute the data gathering and provide distributed points of visibility while centralizing the Endpoint Profiling and Identity Monitoring functions onto a centralized Profiler Server. The remote Collectors run one or more instances of the desired Collector modules plus the Forwarder system module. The Forwarder module on each NAC Profiler Collector forwards collected endpoint data to the designated Profiler Server. The Profiler Server aggregates the data received from all the Collectors in the system and provides centralized management of the distributed Cisco NAC Profiler system.


Note Cisco NAC Profiler Collectors must be combined with a Cisco NAC Profiler Server in order to be managed, so that Endpoint Profiling and Identity Monitoring data is aggregated, analyzed, and presented. The NAC Profiler Server provides the user interface, maintains the database, and provides the integration point for external systems such as Cisco NAC Appliance and Cisco Secure ACS.


Figure 2-1 shows the Cisco NAC Profiler system, where one or more Collectors are deployed in conjunction with a central Profiler Server. The Collectors send their Endpoint Profiling and Identity Monitoring data to the central appliance via the onboard Forwarder module, and are managed by the central appliance. Communications between the appliances is accomplished over the local or wide area network via an encrypted TCP session using the Management interfaces on the Cisco NAC Profiler appliances. The central appliance maintains the endpoint database and provides centralized management for the entire Cisco NAC Profiler system via the web based UI served by that appliance. In deployments where the Cisco NAC Profiler is integrated with Cisco NAC appliance, Profiler provisions the NAC Manager with information to enable authentication/admission of non-responsive hosts via the NAC API.

The NAC Profiler Server supports LDAP as well so that the Endpoint Profiling and Identity Monitoring functionality provided by the system can be leveraged by authentication servers such as Cisco Secure ACS. In this model, Cisco NAC Profiler can maintain an external database of non-authentication hosts that can be queried as needed for the purposes of MAC Authentication/MAC Authentication Bypass.


Note The Cisco NAC Profiler Server can be implemented as a standalone (single) appliance, or optionally as a High Availability pair (HA). See Profiler Server High Availability Option (HA). NAC Profiler Collectors can, as an option, be deployed on NAC Server HA pairs to provide redundancy to the Collectors. Standalone NAC Profiler Collectors (for example, running on NAC Servers not deployed as HA pairs) do not have an HA-pair option in the current version.


Figure 2-1 Distributed Cisco NAC Profiler System

Cisco NAC Profiler Usage: Port Provisioning and Endpoint Directory

The two available operating modes of Cisco NAC Profiler are termed Port Provisioning and Endpoint Directory. In the Port Provisioning mode, the port provisioning functions of the Cisco NAC Profiler are used as an augmentation to the network management platform, providing purpose-built configuration management tools designed to assist with deployment and ongoing management of NAC and other authentication solutions such as 802.1X in enterprise networks.

Port Provisioning provides the network administrator with a UI for interacting with the edge network infrastructure devices (for example, switches), and allows the manipulation of port parameters on those network edge devices providing access to a selected endpoint or group of endpoints for the purpose of provisioning authentication and or NAC-specific parameters.

Cisco NAC Profiler utilizes SNMP communications to make persistent configuration changes on selected ports of selected edge devices enabling network managers to have fine-grained control of the infrastructure providing endpoint connectivity. In order for the Port Provisioning mode to be employed, the Cisco NAC Profiler must have read-write SNMP access to network devices in order to make configuration changes.

In the Endpoint Directory mode, which is by far the more common usage mode, the Cisco NAC Profiler provides an endpoint directory service for other systems such as the Cisco NAC Appliance NAC Manager or Cisco Secure ACS. When Cisco NAC Profiler is integrated with Cisco NAC Appliance, endpoint information from Cisco NAC Profiler is provisioned to the NAC Manager, most frequently to manage the list of those endpoints that are unable to interact with the NAC system directly. In this usage mode, the Cisco NAC Profiler is integrated with the NAC Manager using the methods described in Chapter 13, "Integrating with the Cisco NAC Appliance", providing valuable and up-to-date information about non-user devices so that they can be provided reliable and secure access in an automated and dynamic fashion, regardless of their physical location.

Similarly, Cisco NAC Profiler can also serve as a proxy-authenticator for non-authenticating endpoints in 802.1X environments utilizing MAC Authentication Bypass (MAB) for handling endpoints that cannot authenticate via 802.1X. Cisco Secure ACS can query the Cisco NAC Profiler System when these endpoints attempt to authenticate to determine if the endpoint is known by the Cisco NAC Profiler system, along with its current profile. In this usage mode, the Cisco NAC Profiler is configured for LDAP as described in Chapter 17, "Enabling LDAP Integration" of this Configuration Guide.

Via the enablement of the LDAP integration feature, the Cisco NAC Profiler Endpoint Directory is made extensible for the purposes of authentication of non-authenticating endpoints, via MAC Authentication.

The Endpoint Directory mode of operation is by far the most common in Cisco NAC Profiler deployments. The current best practice for Cisco NAC Profiler/Cisco NAC Appliance interaction, as well as the LDAP integration mode used when Cisco NAC Profiler is deployed with Cisco Secure ACS relies on this operating mode of the Cisco NAC Profiler. The Endpoint Directory maintained by Cisco NAC Profiler is a list of all profiled and un-profiled endpoints that are known to the Cisco NAC Profiler based on most current information provided by the Cisco NAC Profiler Collectors.

From this list, the selected endpoint types (profiles) can be provisioned to the NAC Manager Device Filter list or will be successfully authenticated by MAC upon a query by ACS. As new devices are discovered they can be added to the list. Endpoints that have been retired, or are found to be behaving in ways not appropriate for their known device type can be removed from the Device Filter list or have MAC authentication privileges revoked.

Profiler Server High Availability Option (HA)

Cisco NAC Profiler (release 2.1.8 and later) provides a high-availability option in the Profiler Server software. The HA option allows Cisco NAC Profiler Server appliances to be deployed as a pair of physical appliances that operate as a single entity, with a single, shared database manageable via single Virtual IP (VIP). This option is provided to protect against either appliance hardware or software failure, or the loss of network connectivity to a single appliance so that the Cisco NAC Profiler system remains available.

The following key points provide a high-level summary of High Availability operation for Cisco NAC Profiler Server appliances:

The Profiler Server appliance high-availability mode is an Active/Passive two-appliance configuration in which a Secondary appliance acts as a backup to an active Primary appliance. The pair is managed via a single IP address (VIP), which is bound to the management interface of whichever appliance is Primary at any given time, alongside that appliance's assigned host IP.

The Primary appliance performs all tasks for the system. The standby monitors the active appliance and keeps its database synchronized with the active appliance's database.

Both Profiler Server appliances share a virtual Service IP for the eth0 (management) interface. In the event of a failover, the system continues to operate normally with no manual intervention.

The Primary and Secondary nodes in an operational HA pair exchange UDP heartbeat packets every 2 seconds. If the heartbeat timer expires, stateful failover occurs.

The eth1 interfaces on both the active and standby appliances are directly connected for the reliable exchange of heartbeat packets and Profiler database synchronization.

In 3.1 and later versions, heartbeat is also maintained on the eth0 interfaces of the appliances in the pair, providing further assurance that the appliances in the pair can rapidly detect a failure of their peer.

While the active Profiler Server appliance carries most of the workload under normal conditions, the standby continually monitors the active and keeps the database synchronized with the active appliance's data. The data store includes system configuration information as well as the endpoint database.

If a failover event occurs, such as the active appliance being inadvertently shut down or if it stops responding to the peer's "heartbeat" signal for any other reason, the standby assumes the role of the active Profiler Server appliance.

The HA option also includes an additional feature to guard against the failure of a network interface. A designated "external ping host" is specified for the nodes in the HA pair and is monitored independently by each member of the pair. If an appliance determines that the external ping host has failed (due to the failure of a network interface, or other condition preventing network communication with the ping host via the primary network connection), the appliance will contact the other appliance in the pair to determine if it has better connectivity.

In the case of the Primary Profiler Server node sensing loss of network connectivity, if the Secondary node does have better connectivity, failover is initiated to the Secondary. This additional protective measure enables the appliances to monitor the state of their network connectivity to guard against failures of their network interface hardware or other disruptions of network connectivity only. When a loss of network connectivity occurs, failover will be initiated although the appliance hardware and software is still operating normally otherwise.
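The two failover triggers described above (heartbeat timer expiry, and loss of the external ping host on the Primary while the Secondary still reaches it) as an added, illustrative model; this is not Cisco's implementation, and the Node class, the three-missed-beats timeout and decide_failover() are assumptions chosen to mirror the text.

```python
"""Model of the Profiler Server HA failover rules described in this section.

Added example, not Cisco's implementation: the Node class, the timeout
constant and decide_failover() are assumptions that mirror the text
(2-second UDP heartbeat, heartbeat on eth1 and eth0, external ping host).
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

HEARTBEAT_INTERVAL_S = 2.0                      # page: heartbeat every 2 seconds
HEARTBEAT_TIMEOUT_S = 3 * HEARTBEAT_INTERVAL_S  # assumption: three missed beats expire the timer


@dataclass
class Node:
    name: str
    # interface -> timestamp (seconds) of the last heartbeat received from the peer on it
    peer_beats: Dict[str, float] = field(default_factory=dict)
    ping_host_reachable: bool = True            # result of this node's own external ping host check


def record_heartbeat(node: Node, iface: str, now: float) -> None:
    """Note a heartbeat from the peer on eth1 (direct cross-connect) or eth0 (management)."""
    node.peer_beats[iface] = now


def heartbeat_expired(node: Node, now: float) -> bool:
    """The timer expires only when no monitored interface has carried a recent beat,
    so losing the eth1 cross-connect alone does not trigger failover (3.1 and later)."""
    if not node.peer_beats:
        return True
    return all(now - ts > HEARTBEAT_TIMEOUT_S for ts in node.peer_beats.values())


def decide_failover(primary: Node, secondary: Node, now: float) -> Tuple[str, str]:
    """Return (name of the node that should hold the VIP, reason).

    Trigger 1: the Secondary's heartbeat timer for the Primary expires -> stateful failover.
    Trigger 2: the Primary cannot reach the external ping host and the Secondary can.
    Both nodes losing the ping host is not a reason to move the VIP.
    """
    if heartbeat_expired(secondary, now):
        return secondary.name, "heartbeat timer expired"
    if not primary.ping_host_reachable and secondary.ping_host_reachable:
        return secondary.name, "primary lost external ping host; secondary has better connectivity"
    return primary.name, "no failover"


if __name__ == "__main__":
    now = 100.0
    primary, secondary = Node("profiler-a"), Node("profiler-b")
    record_heartbeat(secondary, "eth1", now - 1.0)
    record_heartbeat(secondary, "eth0", now - 1.0)
    print(decide_failover(primary, secondary, now))
    primary.ping_host_reachable = False            # NIC or uplink fault on the Primary
    print(decide_failover(primary, secondary, now))
```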

Typically, the HA option is configured at the initial startup when the Cisco NAC Profiler system is initially deployed. When both appliances to be utilized in a HA pair are new (created during a fresh Profiler Server software ISO installation), the proper procedure for the configuration of the NAC Profiler Server HA pair is contained in Chapter 4, "Installing and Performing an Initial Configuration"of this document. A second appliance can also be added to an existing operating NAC Profiler Server standalone system. Instructions for this procedure are included in Chapter 18, "Using the Cisco NAC Profiler Server Command Line".

Profiler Collector High Availability

In the current release, the HA option is only available for NAC Profiler Collectors deployed on NAC Server HA-pairs utilizing the HA service provided by the NAC Server HA service. The Collector service relies on the HA protocol provided by and configured via the NAC Server software. The Collector service itself does not include a built-in HA capability.


Note Proper operation of the Collector service on NAC Server HA-pairs requires a specific configuration of both the NAC Profiler Server and the Profiler Collector service on both members of the NAC Server pair. See Chapter 4, "Installing and Performing an Initial Configuration".


Version 3.1.1 User Interface Overview

The Cisco NAC Profiler system is managed via a web-based UI which runs alongside the Server module on the NAC Profiler Server. The UI for the system is accessed via the DNS name/IP of the NAC Profiler Server appliance for standalone systems, or via the VIP for a NAC Profiler Server HA pair. The UI is secured using HTTPS and supports the use of digital certificates so that the authenticity of the embedded web server can be verified by the browser as it connects to the NAC Profiler user interface. Accessing the NAC Profiler UI with a browser is accomplished by pointing to the URL for the Server appliance or VIP DNS name or IP address, for example:

https://nacprofiler.lab.cisco.com/

The Cisco NAC Profiler UI is user-based. Access to the UI requires authentication that can be performed locally by the embedded web server, or via an external RADIUS server such as Cisco Secure ACS. There are three user types/privilege levels within the UI: Admin (super user), Operator, and Analyst. Each Cisco NAC Profiler system will have one Admin user account which has the highest level of UI privilege and is able to view all system data and make system configuration changes, including the management of other UI users.

During the initial startup of NAC Profiler Server appliances, the Admin user account is established and the password set, allowing initial access to the UI. The Operator account type allows viewing of all Cisco NAC Profiler data and includes privileges to change the system configuration, except User Management. Multiple Operator accounts can be added to a Cisco NAC Profiler system. The Analyst user type is the least privileged. Analyst users can view most Cisco NAC Profiler data screens but are unable to view or edit any system configuration parameters. Like the Operator account type, multiple Analyst user accounts can be configured on a Cisco NAC Profiler system.


Note After initial NAC Profiler system configuration, the admin UI account use should be limited to the management of user accounts. Operator and Analyst accounts should be created and utilized for day-to-day operation and configuration of the Cisco NAC Profiler system.


Beginning in version 3.1 of the Cisco NAC Profiler, the UI includes an automated idle timeout feature for the Admin and Operator users. After 30 minutes of idle time, a user logged in as Admin will be forced to re-authenticate. The idle timer for the Admin user cannot be disabled, nor can the timeout be adjusted. For Operator users there is also an idle timer; the idle time can be configured to 5, 15, or 30 minutes, but the timer cannot be disabled. There is no idle timer/re-authentication for Analyst users.

User Interface Organization and Navigation

The top-level organization of the Cisco NAC Profiler UI is tab-based, with each tab corresponding to related workflows: Home, Configuration, Endpoint Console, and Utilities. The organization of the Cisco NAC Profiler UI in 3.1 and later versions is similar to previous versions, but users familiar with earlier versions of Cisco NAC Profiler (prior to 3.1) will find significant changes to the individual pages and their content in the UI as well as navigation in version 3.1.1.

A brief overview of each of the main tabs is provided below:

Home Tab

The Home tab is the landing page for new sessions to the Cisco NAC Profiler UI. The home tab includes the Cisco NAC Profiler System Dashboard, and contains three distinct areas of the UI accessible by the links in the secondary menu: Getting Started, Documentation, and Upload Licenses (license management). Further discussion of the dashboard is provided in the next section.

Configuration Tab

The Configuration Tab as the name suggests provides access to the pages used for creating, viewing and editing all Cisco NAC Profiler system configuration parameters, including integration with other systems.

Endpoint Console Tab

The Endpoint Console tab provides access to the primary endpoint data views such as viewing the Endpoint Directory, viewing endpoints by profile and device port, as well as the Cisco NAC Profiler event viewer.

Utilities Tab

The Utilities tab provides access to a number of system utilities, including the Advanced Search feature, and tools for managing the Cisco NAC Profiler system and viewing collected endpoint data.

Cisco NAC Profiler System Dashboard

Starting with version 3.1, the Home tab was completely redesigned in the Cisco NAC Profiler so as to provide a dashboard for the entire system. The redesigned page provides "at-a-glance" status of the system, while at the same time providing access to the most commonly used areas of the user interface in 2 clicks or less. Figure 2-2 illustrates an example of the home tab for an operational Cisco NAC Profiler system (HA pair). The same page banner is found on every page of the UI, and this figure shows the main pane of the dashboard page with its four distinct functional sections.

Figure 2-2 Cisco NAC Profiler System Dashboard

The following subsections outline what is displayed in each major section in the figure above, along with the navigation options provided from each object on the dashboard.

Re-Designed Page Banner with Quick Search

Beginning in version 3.1, the page banner for each UI page contains the main tabs and secondary menus for the current tab, and includes the Quick Search tool. Quick search enables the entry of a single endpoint attribute type and value for a search of the endpoint database from anywhere in the Cisco NAC Profiler UI. Figure 2-3 illustrates the Quick Search control, which consists of a drop-down menu used to select the search attribute and a free-form field for entering the search data.

Figure 2-3 Quick Search Control

Note the Advanced Search link immediately below the Quick Search controls. Clicking this link takes the user directly to the Query form for the Advanced Endpoint Search described in Chapter 16, "Using the Cisco NAC Profiler Utilities Tab". The endpoint attribute types that can be specified for a Quick Search are as follows:

MAC Vendor

Enter a string (matches any case) found in the MAC Vendor(s) to search the database for. All endpoints with MAC vendors matching the search string will be returned by the search.

MAC Address

Enter a full MAC address in hexadecimal format with a ':' or '-' separator between octets (for example, 00:12:f0:dd:c7:0c)

IP/CIDR block

Enter either a host IP address or a subnet (in CIDR format for example, 10.1.174.0/24) to search for one or more endpoints based on their host address or subnet

Profile Name

Enter a string (matches any case) found in the Profile name(s) to search the database. All endpoints in the matching Profile(s) will be returned by the search.

Authenticated User

Specific to 802.1X enabled networks. Allows searching for endpoints based on the current username authenticated via that endpoint. Requires the use of EAP types that support user name (for example, PEAP) and that the authenticating switch supports the 802.1X PAE MIB.

Profile Data

Allows searching the database based on Profiling data such as DNS Name, DHCP Host Name, CDP Platform, and other parameters using text string values.

DNS Name

Allows searching the database to find endpoints with a DNS name containing the specified string. DNS name information collection must be configured for the system so that DNS name information is collected for endpoints.

DHCP Host Name

Allows searching the database to find endpoints with a DHCP host name containing the specified string. DHCP packet analysis by NetWatch must be configured for the system so that DHCP host name information is collected for endpoints.

Any one of these options is selected from the drop-down, and the appropriate search criteria (or criterion) specified. The Search results, consisting of one or more endpoints that have matching attributes are displayed in a pop-up table as illustrated in Figure 2-4.

Figure 2-4 Results of an Example Quick Search

When the results of a Quick Search return more than 5 matching endpoints, the paging controls in the upper left corner of the pop-up can be used to advance/return in order to see all the endpoints matching the search criteria specified. Note that the MAC and IP address of each endpoint in the quick search results table is a link. Clicking on the MAC or IP address will take the user to the Summary Information screen for the MAC or IP of the endpoint.
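The Quick Search attribute types and the 5-per-page result paging described above, worked as an added example over a constructed endpoint directory; this is not Cisco code, and the endpoint records, quick_search() and results_page() are assumptions.

```python
"""Quick Search over a constructed endpoint directory.

Added example, not Cisco code: the endpoint records, quick_search() and
results_page() are assumptions that follow the attribute types and the
5-per-page result paging described on this page.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample endpoint records (not real devices or addresses).
ENDPOINTS: List[Dict] = [
    {"mac": "00:12:f0:dd:c7:0c", "mac_vendor": "Example Vendor A", "ip": "10.1.174.20",
     "profile": "Windows Workstation", "auth_user": "jdoe",
     "profile_data": {"DNS Name": "ws20.lab.example", "DHCP Host Name": "WS20", "CDP Platform": ""}},
    {"mac": "00:1b:63:aa:bb:cc", "mac_vendor": "Example Vendor B", "ip": "10.1.174.77",
     "profile": "Apple Device", "auth_user": None,
     "profile_data": {"DNS Name": "mbp77.lab.example", "DHCP Host Name": "MBP-77", "CDP Platform": ""}},
    {"mac": "00:0c:29:11:22:33", "mac_vendor": "Example Vendor C", "ip": "10.2.5.9",
     "profile": "Printer", "auth_user": None,
     "profile_data": {"DNS Name": "", "DHCP Host Name": "", "CDP Platform": "cisco IP Phone"}},
]

# Full MAC address: six hex octets with ':' or '-' separators, used consistently
# (page example: 00:12:f0:dd:c7:0c). Partial or dotted forms are rejected.
MAC_RE = re.compile(r"^[0-9a-f]{2}(?P<sep>[:-])(?:[0-9a-f]{2}(?P=sep)){4}[0-9a-f]{2}$", re.I)

SEARCH_ATTRIBUTES = ("MAC Vendor", "MAC Address", "IP/CIDR block", "Profile Name",
                     "Authenticated User", "Profile Data", "DNS Name", "DHCP Host Name")
TOP_LEVEL_TEXT = {"MAC Vendor": "mac_vendor", "Profile Name": "profile",
                  "Authenticated User": "auth_user"}
PROFILE_DATA_TEXT = ("DNS Name", "DHCP Host Name")


def normalize_mac(text: str) -> str:
    """Validate the MAC input and return it in lower-case, colon-separated form."""
    text = text.strip()
    if not MAC_RE.match(text):
        raise ValueError(f"not a full MAC address with ':' or '-' separators: {text!r}")
    return text.lower().replace("-", ":")


def _text_values(ep: Dict, attribute: str) -> List[str]:
    """Strings that a text-based attribute search is matched against (any case)."""
    if attribute in TOP_LEVEL_TEXT:
        return [ep.get(TOP_LEVEL_TEXT[attribute]) or ""]
    if attribute in PROFILE_DATA_TEXT:
        return [ep["profile_data"].get(attribute, "")]
    # "Profile Data": any collected profiling parameter (DNS Name, DHCP Host Name, CDP Platform, ...)
    return [str(v) for v in ep["profile_data"].values()]


def quick_search(attribute: str, value: str, endpoints: List[Dict] = ENDPOINTS) -> List[Dict]:
    """Return the endpoints matching one attribute/value pair, as the Quick Search control does."""
    if attribute not in SEARCH_ATTRIBUTES:
        raise ValueError(f"unknown Quick Search attribute: {attribute}")
    value = value.strip()
    if not value:
        raise ValueError("a search value is required")
    if attribute == "MAC Address":
        wanted = normalize_mac(value)
        return [ep for ep in endpoints if ep["mac"].lower() == wanted]
    if attribute == "IP/CIDR block":
        # A bare host address becomes a /32 network, so one call covers both input forms;
        # malformed input raises ValueError from the ipaddress module.
        net = ipaddress.ip_network(value, strict=False)
        return [ep for ep in endpoints if ipaddress.ip_address(ep["ip"]) in net]
    needle = value.lower()
    return [ep for ep in endpoints
            if any(needle in s.lower() for s in _text_values(ep, attribute))]


def results_page(results: List[Dict], page_no: int, per_page: int = 5) -> List[Dict]:
    """Page through results as the pop-up does when more than 5 endpoints match."""
    if page_no < 1:
        raise ValueError("page numbers start at 1")
    start = (page_no - 1) * per_page
    return results[start:start + per_page]


if __name__ == "__main__":
    for ep in quick_search("IP/CIDR block", "10.1.174.0/24"):
        print(ep["mac"], ep["ip"], ep["profile"])
```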

Endpoint Directory Pie Chart

The Home tab, as well as all other tabs in the Cisco NAC Profiler UI, contains a pie chart that provides both a graphical representation of key NAC Profiler data and an alternative navigation path to the more common Endpoint Console & Configuration tab pages. The pie chart on the Home tab is a graphical representation of the current Endpoint Directory, with each slice of the pie depicting an enabled profile that contained at least one endpoint when the page was drawn.

The animated, interactive, data-driven Flash charts on the main tab landing pages enable several analysis and reporting options new in the Cisco NAC Profiler UI. The information below about the home tab pie chart is illustrative for all the pie charts found on each tab of the Cisco NAC Profiler user interface.

The pie charts are interactive, providing additional information and navigation options directly from the chart. Highlights of the possible user interactions with the UI charts include:

On mouse-over of each slice, the profile name is presented, along with the percentage of the total endpoint inventory represented by the endpoints currently in that profile.

Clicking on any of the pie chart slices results in the display of the Endpoint Directory table view of all endpoints currently in the profile, including the new CSV and XML data export buttons which enable instantaneous export of Cisco NAC Profiler data from the system for reporting or offline analysis.

Right-clicking on the pie charts brings-up the context-specific menus for the pie chart, with the following options made available for manipulating the chart:

1. Print Chart - sends the pie chart to the printer for printing.

2. Enable Rotation - when selected, enables click & drag for rotating the chart either clockwise or counterclockwise to reposition the slices.

3. Enable Slicing Movement - allows the selection of individual slices (mouse click) to move in or out of the chart, see Figure 2-5 below for an example.

4. View 2D - Changes the chart from 3D to 2D and vice versa. Default is 3D.

Figure 2-5 Pie Chart with Slicing Movement Enabled

Events Viewer and List

The events viewer is a self-updating line graph of Cisco NAC Profiler events of interest. The X-axis is system time with a 5 minute interval between points on the axis. The Y-axis is a count of the event(s) occurring at each interval, and the scale is re-drawn automatically on each refresh dependent on the volume of events to be displayed. Each event type in the Events Viewer is represented by a different color line.

Event types that can be tracked by the Events Viewer of the home tab in the 3.1 and later versions are:

New Endpoints (All)- The only event type in the Event Viewer that is enabled by default. Indicates when a new endpoint MAC has been discovered by the Cisco NAC Profiler, along with the Profile name (or Not Profiled) that the endpoint has been added to upon discovery.

Newly Profiled (when configured) - enabled when one or more Newly Profiled events are configured on the system. (See for instructions on Cisco NAC Profiler Event configuration)

Profile Change (when configured) - enabled when one or more Profile Change events are configured on the system.

Alarm Events (when configured)

Profile Consistency Events (when configured)


Note In some cases the individual event line graphs in the Events Viewer will overlap. For example, if 5 new endpoints were discovered by Cisco NAC Profiler and immediately profiled into a profile matching a Newly Profiled event, the event lines for new endpoints and newly profiled events would overlap on the graph. Mouse-over the points on the event lines for further description.


The Events List is a tabular representation of the last twenty events and updates on each page refresh. The home tab automatically refreshes every five minutes while the browser is pointed at the dashboard. The events shown in the Events List are the same as those shown graphically in the Events Viewer. Note that the MAC addresses of endpoints in the Events List entries are links. Selecting the MAC of an endpoint in an Events List entry will open the Endpoint Summary for that endpoint from the endpoint console, providing the ability to quickly drill down into individual endpoint data (current and historical) when the endpoint is involved in the aforementioned events.

System Status Summary and High Availability State

The System Status table is present on the dashboard for all Cisco NAC Profiler systems and provides a top-level view of the Server and Collectors in the system. The top row provides the current state of the NAC Profiler Server: running or stopped, and shows the current version of Cisco NAC Profiler software running on the NAC Profiler Server. Clicking on the Server link in the system status table takes the user directly to the Configure Server form to review/edit current Server module configuration parameters.

The remaining rows of the table indicate the summary status (or statuses) of the NAC Profiler Collectors currently in the system configuration. Clicking on any of the Collector summary links will take the user to the Table of Cisco NAC Profiler system, which lists the individual Collectors currently in the Cisco NAC Profiler system configuration by name, along with the current status of each Collector. Clicking on a Collector Name link displays the Edit Collector form for that Collector. Via this form the state of each of the component modules on the Collector can be determined, and changes can be made to the Collector configuration.

All Collectors currently in the normal state of 'All Running' are consolidated in one row of the system status table on the dashboard. A system with all modules in a running state with no errors would have a system status similar to that illustrated in Figure 2-6.

Figure 2-6 System Status: All Collectors in "All Running" status

Other than 'All Running,' one or more collectors may be reported in the following states in a separate row of the System Status summary table at any given time:

Not Contacted - One or more Collectors has been added to the configuration but has yet to establish communications with the Server

Stopped - One or more Collectors has component modules reporting stopped. This may be a transitory state while Collectors are restarting after an Apply Changes -> Update Modules.

Stalled - One or more Collectors has component modules in the Stalled state. This indicates that a component module (or modules) established communications with the NAC Profiler Server and communications with that module were subsequently lost. This is generally indicative of a problem with the Forwarder component module configuration.

Error - One or more Collectors has component modules reporting an error. This is typically caused by the NetWatch interface not having monitor interfaces configured for it.

Restarting - One or more Collectors is in the transitory state of restarting. This is a very brief, transitory state when the page is drawn just as the Collector was restarted.

License Issue - One or more Collectors could not be started because the number of Collectors added to the configuration exceeds the number of Collector licenses currently uploaded to the NAC Profiler Server.
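The following is an added illustration, not Cisco code, of how per-module Collector states could be rolled up into the System Status summary rows described above: every 'All Running' Collector consolidated into one row, one row per other state. The module record layout, the status values, the precedence among states and the rule that Collectors beyond the license count are the ones flagged are all assumptions of this example.

```python
from dataclasses import dataclass

# Module record layout and status values are constructed for this illustration.
@dataclass
class Module:
    name: str             # component module, e.g. "NetWatch" or "Forwarder"
    status: str           # assumed values: "running", "stopped", "error", "restarting"
    ever_contacted: bool  # module has reported to the NAC Profiler Server at least once
    in_contact: bool      # Server is currently receiving from the module

@dataclass
class Collector:
    name: str
    modules: list

def collector_state(c: Collector, licensed: bool) -> str:
    """Map one Collector's module states to a System Status summary state.
    The precedence (most to least severe) is an assumption of this example."""
    if not licensed:
        return "License Issue"
    if not any(m.ever_contacted for m in c.modules):
        return "Not Contacted"                      # never reached the Server
    if any(m.status == "error" for m in c.modules):
        return "Error"
    if any(m.ever_contacted and not m.in_contact for m in c.modules):
        return "Stalled"                            # contact established, then lost
    if any(m.status == "stopped" for m in c.modules):
        return "Stopped"
    if any(m.status == "restarting" for m in c.modules):
        return "Restarting"
    return "All Running"

def system_status_rows(collectors, collector_licenses: int) -> dict:
    """Group Collectors by summary state as the dashboard does: all 'All Running'
    Collectors share one row, every other state gets its own row. Collectors
    past the license count are assumed to be the ones that could not start."""
    rows = {}
    for idx, c in enumerate(collectors):
        state = collector_state(c, licensed=idx < collector_licenses)
        rows.setdefault(state, []).append(c.name)
    return rows

# Constructed sample inventory (not taken from a real system).
SAMPLE = [
    Collector("coll-1", [Module("NetWatch", "running", True, True), Module("Forwarder", "running", True, True)]),
    Collector("coll-2", [Module("NetWatch", "running", True, True), Module("Forwarder", "running", True, True)]),
    Collector("coll-3", [Module("NetWatch", "running", True, False), Module("Forwarder", "running", True, True)]),
    Collector("coll-4", [Module("NetWatch", "error", True, True), Module("Forwarder", "running", True, True)]),
    Collector("coll-5", [Module("NetWatch", "stopped", False, False), Module("Forwarder", "stopped", False, False)]),
    Collector("coll-6", [Module("NetWatch", "running", True, True), Module("Forwarder", "running", True, True)]),
]

if __name__ == "__main__":
    for state, names in system_status_rows(SAMPLE, collector_licenses=5).items():
        print(f"{state:14} {len(names)} Collector(s): {', '.join(names)}")
```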

The High Availability table, found directly under the System Status summary table on HA systems only, provides an at-a-glance status of the HA-pair state. The table shows which appliance in the NAC Profiler Server HA-pair is currently the Primary node (by host name), and shows the current state of the Secondary node (online or offline). Figure 2-7 shows an example of the HA status indicator for an HA-pair that is in normal, steady state operation (with automatic failover enabled).

Figure 2-7 HA Status Indicator: Normal Operation

The High Availability table provides the Cisco NAC Profiler system administrator with a quick indication of the state of the HA without resorting to the command line tools.