Table Of Contents
The Cisco NAC Profiler Utilities Tab
Authenticated User Search
Query MAC History
Query IP History
Find Network Device
Network Readiness for 802.1X Enablement
Network Device Change Logs
The Cisco NAC Profiler Utilities Tab
Topics in this chapter include:
•Network Readiness for 802.1X Enablement
•Network Device Change Logs
The Utilities tab of the Cisco NAC Profiler UI provides access to a number of utilities that provide additional functionality, management and troubleshooting tools for the NAC Profiler system.
Like all the tabs in the user interface beginning in Version 3.1, the Utilities tab of an operational system will display a pie chart when navigating to the tab, with the options available from the tab displayed as links at the top of the window. The pie chart displayed on the Utilities tab is not user-selectable and is dependent on the state of the system:
•On systems that have yet to discover any endpoint information, there will be no pie chart on the Utilities tab.
•If the system has observed DHCP Vendor Class Identifiers via NetWatch analysis of endpoint DHCP packets, the DHCP Vendors pie chart will be displayed.
•If no DHCP information has been collected but the system has successfully learned endpoint MAC addresses via the mechanisms other than DHCP, the MAC Vendor pie chart will be displayed on the Utilities tab.
Like the other pie charts in the interface, these pie charts are interactive allowing 1-click access to the underlying data. Right-clicking on the pie chart will display the context-sensitive menu enabling the chart-specific options described in section providing an overview of the Cisco NAC Profiler Version 3.1 User Interface found in Chapter 2, "Cisco NAC Profiler Architecture Overview".
Figure 16-1 The Cisco NAC Profiler Utilities Tab
As shown in Figure 16-1, the Utilities tab will also provide some top-level statistics for the NAC Profiler Server hardware and the endpoint database:
Note For HA NAC Profiler Server pairs, the system statistics shown in this view are for the Primary node only.
•Current disk usage of the NAC Profiler Server system (free/total)
•Average processor utilization
•The number of endpoints (MAC Addresses) discovered by the system
•The number of IP-only endpoints discovered by the system
The Utilities tab provides access to several functionalities via the secondary menu links which are as follows:
The remaining sections of this chapter review the functionality and usage of each of the main functional areas of the Utilities tab accessed by clicking the associated link on the secondary menu.
The Cisco NAC Profiler advanced search console, accessed by selection of the Search link from the secondary menu of the Utilities tab, provides several options for searching the NAC Profiler database for information about endpoints, endpoint profiling data and network devices known by the NAC Profiler system and or added to the database via configuration. When the Search option is chosen from the Utilities tab, the Search Console menu table providing access to the different search functions is displayed as illustrated in Figure 16-2
Figure 16-2 Search Console Main Menu
The features and functionality of each option of the Search Console menu are outlined in the following sections.
The Endpoint Search is a comprehensive search and reporting tool that complements the ''Quick Search'' function outlined earlier in the guide. The Advanced Endpoint Search provides a comprehensive endpoint search capability combined with a search results data export function. Both simple and complex searches of the endpoint database can be executed from the Advanced Search console, and the search results quickly and easily exported to CSV and XML formats for offline analysis and reporting.
When 'Endpoint Search' is selected from the main Search Console menu, the Advanced Endpoint Search Query form illustrated in Figure 16-3 is presented in the UI:
Figure 16-3 Endpoint Search Query
The Advanced Endpoint Search Query form allows the user to specify one or more search criteria by which to query the NAC Profiler database for endpoints matching the search criteria.
Note The Advanced Search will only return endpoints that are in a non-retired state and have a MAC Model in the database. The Advanced Search will not return endpoints that are currently in an IP-only status, or are currently in the Retired status (e.g., subjected to timeout).
Simple searches can be performed using this query by specifying a single endpoint search attribute. In this mode, the advanced endpoint search works exactly like the quick search. Note however the CSV and XML export buttons that appear in the upper right hand corner of search results returned by the advanced endpoint search. Whenever search results are displayed in the UI, the results table can be immediately exported to CSV or XML format and saved off-appliance by selecting the respective button in the NAC Profiler UI and standard web browser controls.
Multiple endpoint search attributes (e.g., MAC Vendor and Profile Name, for example) can be specified in a single search query. For example, if the database was to be searched for endpoints with both a MAC Vendor that contained 'intel' and were also currently in the Windows OS profile, the string 'intel' would be entered in the MAC Vendor field of the query form, and 'Windows OS' in the Profile Name field. The search results would contain all the endpoints that have a MAC Vendor containing Intel and are currently in the Windows OS profile. Any combination of valid search attributes can be used in this way: it could also be specified that these endpoints contained a specified string in their DHCP host name for example by specifying that attribute along with the MAC Vendor and Profile.
Note When multiple endpoint search attributes are specified in an endpoint search query, the logical operation is always AND. That is, the search will return only endpoints that satisfy ALL the criteria specified.
Search attributes can also be designated as exclude by prefixing the attribute with a '-'.
For example, to find the endpoints in the database that had a MAC Vendor containing Intel, but were currently profiled, the query would have the MAC Vendor field set to 'intel', and the Profile Name set to '-Not Profiled'. This search would return all the endpoints with an Intel MAC Vendor that were currently in an any enabled Profile (e.g., not in the Not Profiled state) on the system.
In Figure 16-4 below, note the Refine Search link adjacent to the Search Results title on the table returned by the search, and the CSV and XML buttons in the upper right hand corner of the page.
Figure 16-4 Advanced Endpoint Search Results
Clicking on the CSV or XML button when Search Results are displayed will result in the browser giving the user the option to open the results in a selected application (e.g., Microsoft Excel for CSV) or saving the export file on a location of her/his choice.
When viewing the results of a search, clicking on the Refine Search link will return the user interface back to the Query form with the search attributes last used populated in the search query form. The search criterion can be revised further, and the query re-run with new search criteria to allow the search to refined iteratively.
For example, a search could be started to find all the endpoints with a MAC Address from a particular vendor. The search results from that query could then be scanned so that the profiles containing endpoints with this MAC vendor were enumerated. The search could then be refined by specifying the profiles to include (or exclude) from the results in an iterative fashion to arrive at a results table that included endpoints with MAC from a specific vendor in specified profiles.
All advanced endpoint search attributes and options within those attributes are outlined below.
Requires the entry of a single MAC address in hexadecimal format with either '-'or ':' separator between octets (e.g. 00-0d-60-2f-8a-8a, or 00:0d:60:2f:8a:8a). Only a single MAC address can be specified, no exclusions or logical OR allowed for this attribute.
One or more text strings matching MAC Vendor(s) of the endpoints being searched for can be entered. Exclude and logical or is supported. For example, to exclude a particular MAC Vendor, prefix the string in the MAC vendor name with a '-'. If it is desired to include endpoints with multiple MAC vendors, wrap the multiple strings in parenthesis and use the '|' between the strings, for example:
entered in the MAC vendor field (and no other search criterion specified) would return all endpoints in the database that had MAC addresses with OUIs registered to Intel, IBM and Dell (in any form). Note that MAC vendor strings are not case sensitive and partial matches will be returned, e.g., searching on 'intel' will return endpoints with OUIs registered to Intel Corporation, Intel Corporate, etc.
For MAC Vendor and other attributes that accept multiple parameters, it is possible to specify AND between those parameters as well. For example, Intel has OUIs that are registered as ''Intel Corporation'' and ''Intel Corporate.'' The AND could be used to exclude endpoints with OUI registered as Intel Corporate by changing the search criteria above to:
Accepts either a host IP address, or a subnet (CIDR format, e.g., 10.1.174.0/24) to match all endpoints known by the system to have host addresses on the specified subnet.
One or more text strings matching the Profile name(s) of the endpoints being searched for can be entered. Exclude and compound entries using logical OR and AND are supported when searching on Profile name. For example, if it was desirable to exclude all currently un-profiled endpoints in the results of an endpoint search, -Not Profiled could be entered as the Profile Name criteria. Strings entered are not case sensitive—they will match strings in profile names regardless of case, and partial matches will be included.
The Profile Name attribute can be used in conjunction with the Time attribute when the `By Profile' radio button at the bottom of the Query form is selected. This allows the search criterion to be expanded to only return endpoints that have been profiled into the selected profile(s) within the specified number of days.
Available only in 802.1X-enabled networks where the switches support the population of the 802.1X PAE MIB with the username of the user that successfully completed user authentication on that port1 . NAC Profiler will associate the authenticated user to the MAC of the endpoint they authenticated on as reported by the switch via SNMP poll of the switch MIBs. This data can be searched on like other parameters to search the database for endpoints that a user authenticated via 802.1X from (typically a PC or other computer asset).
Available only when Profiler has NetInquiry properly enabled for DNS name collection and DNS Name data has been collected by the system. One or more text strings matching the DNS name(s) of the endpoints being searched for can be entered. Exclude and compound entries using logical OR are supported when searching on DNS name.
DHCP Host Name
If one or more NetWatch modules are processing DHCP packets sent by endpoints configured for DHCP, the DHCP host name attribute is collected. One or more text strings matching the DHCP host name(s) of the endpoints being searched for can be entered. Exclude and compound entries using logical OR are supported when searching on DHCP Host Name
Searches endpoints based on their known location by switch name. This attribute matches the network device name assigned to the access device in the Profiler configuration. When used as a search criteria, returns only endpoints with a current location on the specified access device—endpoints with no location, or with a location not matching the specified access device will be excluded from the results. For example, a search could be constructed so that only Printers on a specified switch were returned.
The access device attribute can be used in conjunction with the Time attribute when the 'By Location' radio button is selected. This allows the search criterion to be expanded to only return endpoints that have been located on the specified access device(s) within the specified number of days.
If endpoints using CDP are connected to switches polled by NetMap, this search attribute allows for matches based on CDP information collected from the CDP message stored in the MIB of the connecting switch. Many devices such as IP Phones, Video Cameras and other endpoints utilize CDP to announce their presence to their upstream neighbor.
When Active Directory data collection is enabled, endpoints that are members of the Domain will have Operating System, Operating System Version and Service Pack information collected. This search attribute looks for this information either alone or in combination with other search parameters.
If RADIUS accounting data is being collected for endpoints, endpoints with matching collected RADIUS accounting information can be searched using this attribute.
This parameter is used in conjunction with the Profile Name and Access Device searches as described above.
Authenticated User Search
In 802.1X environments Cisco NAC Profiler allows for the search of endpoints based on the authenticated user (by user name) that has completed 802.1X user authentication via the endpoint. This is essentially the same as an advanced endpoint search using just the Authenticated User search attribute, with the same caveats outlined in the last section.
The Cisco NAC Profiler system compiles historical data for the active endpoints in the database so that the system administrator can view information about endpoints in their environment over the length of the Historical Timer as set in the Server module configuration.
For the purposes of endpoint historical data compilation, Cisco NAC Profiler collects historical data for each MAC address and each host IP address it learns about in the network environment. When the NAC Profiler system is able to make an IP-to-MAC mapping for a given endpoint the IP and MAC histories intersect, but it is important to understand that the MAC and IP historical views are not the same. Particularly in the case of the IP history for host addresses assigned to a DHCP scope, it is possible that a single host address may be used at different times by a number of endpoints, and that information is captured in the IP history. MAC history should be conceptualized as the history of a given physical device: where it has been connected to the network, if it has used multiple IP addresses, and how the endpoint has been Profiled as over the selected historical timer. The IP history provides a similar report of how the logical endpoint address has been used by endpoints over time.
It is important to note that endpoints that are cleared from the database via the 'Clear Endpoint' function or that are retired will have their historical data maintained in the database subject to the historical timer. If endpoints that are cleared or are moved automatically to a retired status by the endpoint timeout function return to the network while historical information is still being retained in the database, the old historical information will be brought forward and will be shown when viewing the MAC history for cleared/retired endpoints that rejoin the network.
The Endpoint History has another option that is specific to environments where IEEE 802.1X port-based authentication is in use. When Cisco NAC Profiler finds the PAE MIB active on a switch indicating that 802.1X is configured on one or more ports, it will walk the PAE MIB. For 802.1X-enabled ports connecting an endpoint from which a user has successfully completed user-authentication (as opposed to machine-authentication), the PAE MIB will contain the user name of the authenticated user. In 802.1X environments, Cisco NAC Profiler will track the history of each authenticated user: what switch and port they authenticated on and the last time a NAC Profiler poll indicated the user was in the authenticated state at that location.
Query MAC History
Selecting Utilities -> Search -> Endpoint History provides access to the three available Historical queries: MAC, IP and User. Selecting Query MAC History displays the MAC Query form shown in Figure 16-5.
Figure 16-5 Query MAC History
The form allows the entry of a single MAC address to query the database for the available MAC History for a given MAC address. The MAC History for an endpoint consists of three tables of information for each endpoint in the database:
1. Table of MAC History by Port. Provides a list of the switch/port location(s) that the endpoint has been determined by the NAC Profiler system to have connected to the network through over the course of the historical period, with the current location shown in the top row of the table. An example is shown in Figure 16-6.
Figure 16-6 MAC History by Port
2. Table of MAC History by IP (Figure 16-7). Shows the IP address(es) the endpoint has utilized over the historical period. Note that in order for an entry to be shown in this table, the endpoint has to have had a change in IP-to-MAC mapping observed by the system.
Figure 16-7 MAC History by IP
3. Table of MAC History by Profile (Figure 16-8). Shows the profile(s) that the endpoint has been a member of during the historical period. The current profile is shown in the first row of the table. The 'Last Modified' column indicates the date and time that the endpoint was added to the profile.
Figure 16-8 MAC History by Profile
Query IP History
Selecting Utilities -> Search -> Endpoint History provides access to the three available Historical queries: MAC, IP and User. Selecting Query IP History displays the IP Query form Figure 16-9.
Figure 16-9 Query IP History
The form allows the entry of a single IP address to query the database for the available history for a given IP address. The IP address history for a host address consists of two tables of information regarding the use of that IP address on the network:
1. Table of IP History by MAC (Figure 16-10). This shows which endpoint(s) (unique MAC address(es)) have used the IP host address entered in the query.
Figure 16-10 IP History by MAC
2. Table of IP History by Profile (Figure 16-11). Shows the profile(s) the endpoint(s) using this host address have been profiled to currently and during the historical period.
Figure 16-11 IP History by Profile
Query User History
Selecting Utilities -> Search -> Endpoint History provides access to the three available Historical queries: MAC, IP and User. Selecting Query User History displays the User Query form shown in Figure 16-12.
Figure 16-12 Query User History
The form allows the entry of a string to query the database for the available history for authenticated usernames in an 802.1X-enabled network. Enter the search information that matches one or more usernames of users that have completed authentication on switches that the NAC Profiler system is polling via NetMap. The username history consists of a single table that provides information about the 802.1X-enabled switch port(s) the username(s) that match the user-entered search data NAC Profiler has determined successfully authenticated on via an SNMP poll of the PAE MIB.
Find Network Device
The Find Network Device search is designed to allow the user to search the network devices in the NAC Profiler system configuration from the search console using a variety of attributes of the device. To search for a device based on its IP address, enter the host address of the device in the IP address field of the Find Network Device form.
When specifying a name to search with, the system will search the network device names as well as the SNMP description strings for the devices successfully polled by NAC Profiler for the entered string, matching either attribute. For example, entering the string 'Cisco' will match devices that have Cisco in their assigned name in the NAC Profiler database, or if their System Description string includes the word Cisco. See the example output for a network device search in Figure 16-13.
Figure 16-13 Network Device Search Results
The results of Find Network device are presented as a table, the Table of Network Devices. For each row in the table, the network device name and IP address are links. Clicking on the device name will take the NAC Profiler Admin and Operator users to the Edit Network Device form for the network device which allows viewing/editing the device configuration. Remember that if the device is currently in a device group, the group parameters override the individual device configuration parameters.
Clicking on the IP Address of the network device will open the Display Endpoints by Device Port view for that network device.
The Data Search allows the endpoint database to be searched for an entered string. For this search, only a subset of collected endpoint is searched. MAC address, MAC Vendor and DNS name data is not searched in a data search, therefore entering an endpoint MAC address or MAC Vendor string will not return any results unless that string also appears in other elements of endpoint data such as DHCP host name or DHCP VCI, user agent, etc. The main purpose of this search is to find endpoints that have had endpoint data collected for them in the categories not called out in the other searches. Endpoint data such as web user agents, URL rules, banners, etc. can be searched for matches quickly using the Data Search.
Enter a string that you would like to search on, for example entering 'iTunes' would search the database for endpoints that have exhibited a user agent associated with the iTunes application.
Figure 16-14 the results of a data search on an operational system. The search term for the example was the word 'skype'.
Figure 16-14 Endpoint Data Search Results
The search results table shows all endpoints that had data matching the entered search criterion. In this example, these are all endpoints that exhibited a web user agent that included the string Skype—the matching variations are shown in the Data column.
The MAC Address and IP Address columns of the results table are active links that when clicked on, bring up the MAC or IP Summary pages (described in Chapter 15, "Using the Cisco NAC Profiler Endpoint Console") for the endpoint respectively. Note that for IP-only endpoints (endpoints for which NAC Profiler has no IP-to-MAC binding for currently), 'no MAC' is displayed and the MAC Summary page is not accessible.
Network Readiness for 802.1X Enablement
The Network Readiness feature of the Utilities tab does an assessment of the network devices in the NAC Profiler configuration. As described earlier in this chapter, NetMap will determine if the standard MIB for 802.1X devices is present on devices it polls and if it is, if the 802.1X authentication functionality is currently enabled on the device (as of the last successful poll). Selecting Network Readiness from the Utilities tab will return a table that reports on this discovery by NetMap on each network device by device name/IP address in the NAC Profiler configuration as shown in Figure 16-15.
Figure 16-15 Network Device Readiness Results Table
This feature can provide an automated analysis of the current infrastructure in terms of firmware support for the 802.1X protocol.
This functionality of the Utilities tab is invaluable to the development and tuning of Profile rules on a given network. It provides a window into the Profiler database allowing users to see the endpoint data being collected by the system, organized by data type.
The profile data reports available under Profile Data are made available in two forms: Endpoint Data Summary and Unprofiled Endpoint Data.
The Endpoint Data Summary is an all-inclusive report, by endpoint data type, of the endpoint profiling data the system has collected and stored in the database for all endpoints.
Unprofiled Endpoint Data as the name suggests, is the data observed for endpoints that are currently in the Not Profiled state. This means of course that a rule matching this data either has yet to be added to an enabled profile, or is present in a disabled profile.
For both of these views of Profile Data, the observations for many of the endpoint data types utilized for endpoint profiling can be viewed, and this information used in the design or tuning of profile rules.
Note The profile rule creation forms that include the 'Show data' button pull their data from the endpoint data summary reports.
Figure 16-16 shows the page that is presented when choosing either of the Profile Data Reports, used to select the given endpoint data attribute to view.
Figure 16-16 Select Endpoint Data Report
For example, the endpoint data report for MAC Vendors on an example system is shown in Figure 16-17.
Figure 16-17 MAC Vendor Data Report
This table lists all the MAC vendors of the endpoints learned by the Profiler on the network. The table can be sorted by MAC Vendor or Count, in ascending or descending order by clicking the column heading.
Note Note that MAC addresses with OUIs not in the NAC Profiler database will show in the table with a MAC Vendor of 'Unregistered MAC.'
For a given MAC Vendor there may be two rows in the table. The reason for this is as follows: MAC Vendor and DHCP VCI/Options are MAC-learned and therefore always tagged with a MAC address. Note that all rows in the table have a link at the end of the MAC Vendor name, Show MACs, which pops-up a table of the MAC addresses in the database that are registered to that vendor, but don't have a current IP-to-MAC mapping. If there are endpoints with MACs registered to the MAC Vendor that NAC Profiler currently has an IP-to-MAC mapping for, there will also be a row with the link Show MAC/IP which will pop-up a table with the MACs and IPs of the endpoints.
Note that for the IP-learned parameters: User Agents, Banners, Open Ports, DNS Names, and SNMP data, the link will always be Show IPs because this data is attributed to IP addresses only for the purposes of these data views.
The System Summary page provides top-level statistics about the Profiler system and contains the controls for accessing the troubleshooting tools available from the UI.
From the Utilities Tab, clicking on System Summary will display the following page in the UI (Figure 16-18).
Figure 16-18 Cisco NAC Profiler System Summary
The Profiler System Summary is divided into four major sections:
The endpoints section of the System Summary provides at-a-glance statistics about the system: Total number of MAC addresses (endpoints) discovered, including those that have been retired/removed (if applicable). Total Number of IP-only endpoints shows the number of IP-only endpoints known by the system currently.
The infrastructure section of the System Summary shows the number of L2 Network Devices (switches) and L3 devices (routers) in the Profiler configuration that are being polled according to the Server module settings.
The Server Statistics section of the System Summary provides some basic health indicators for the appliance hosting the Server module for the system. Note that these statistics are specific to the Server appliance. In NAC Profiler systems, only the health of the Profiler Server system can be monitored through the system summary.
•Disk usage [free / total]:
This indicator shows the amount of free and total disk space in the Beacon partition on the NAC Profiler Server, and provides a snap-shot of the state of the health of the NAC Profiler file system. Cisco NAC Profiler provides several mechanisms such as log file rotation and the Server module timeouts described in Chapter 5, "Configuring the Cisco NAC Profiler for the Target Environment" to self-manage its use of the disk partition. If the file system shows greater than 90% of the partition in use and continuing to grow, this should be investigated further to determine the size of the database and or other files in the Beacon partition that may be growing unusually large. Contact Cisco TAC for specific instructions if the Beacon partition of the NAC Profiler Server has grown large.
This indicator shows the days, hours, minutes since last reboot of the appliance hosting the Server module. Note that this is indicative of an appliance re-boot, not the NAC Profiler application uptime.
•Memory Usage [free / total] in kB
Reflects the amount of physical memory (RAM) for the entire NAC Profiler Server appliance and how much of the physical memory is currently in use by all components running on the appliance, those associated with the Cisco NAC Profiler software and other components. Consistently low free memory on the system can be an indication of potential problems with a Cisco NAC Profiler or other system component.
•Swap Usage [free / total] in kB
Reflects the amount of space allocated on the hard drive that is used for swapping RAM when an appliance's physical memory begins to be depleted by the processes running on the appliance: those associated with Cisco NAC Profiler and others. The amount of swap allocated to the NAC Profiler system is calculated and allocated automatically by the system and equal to 2x the amount of physical memory on the appliance. Moderate to high swap usage on the NAC Profiler server can be a concern when accompanied by other performance-related discrepancies.
•Average Processor Utilization (% Idle)
Provides an indication of how much of the CPU has been used across all CPUs installed in the system which is dependent on appliance model. The average processor utilization is an average of the loads placed on user, nice, system and idle since the system was last booted.
•Access to UI-based system maintenance/troubleshooting tools via buttons across the bottom of the form.
Access to three tools used for troubleshooting/routine maintenance of the NAC Profiler system is provided by 4 buttons at the bottom of the System Summary page, labeled as follows and clearly visible on figure above:
1. Display Server Log
This button results in the display of the last 500 entries in the NAC Profiler server log (Server.out) within the UI as shown in Figure 16-19. Note that the last entry in the log is shown at the top, just below the time. Each time the page is refreshed, the UI will fetch the last 500 entries in the log and update the time.
Figure 16-19 View NAC Profiler Server Log
In the normal operating mode of the system, the Server log will contain regular time-stamped messages that allow real-time monitoring of the NAC Profiler system operation. The Server logging can be placed into a verbose or debug mode from the command line as directed by Great Bay Software technical support in the process of troubleshooting.
2. Backup Database
This button provides the ability to take a snapshot of the NAC Profiler database including all configuration and endpoint data directly from the UI, and uses the browser functionality to save the database backup to the PC or any reachable file share. Taking a database snapshot does not interrupt the normal operation of the system.
When Backup Database is selected, the browser will open the save file dialog that will allow the naming and saving of the database backup as desired by the operator. Note that the resulting file type (extension) is GZIP which should be maintained as this is the file format expected by the database restore scripts. The filename itself can be changed to a name that helps identify this particular backup, or the default of `beacondb.gz) may be maintained.
Note that the Server will perform an automated backup of the database every 24 hours, placing that backup in the /backup directory on the Server appliance (primary of HA pair). Daily system backups are maintained on a 30-day rotation so that the backups for the last 30 days are available on the Server appliance. The latest server backup is always via a symbolic link in the /backup directory named: 'dailyDB-latest.gz'. To determine the date of each backup file, simply do an ls -la on the /backup directory to see the save date of each file.
3. Collect Technical Logs
In the course of troubleshooting, it may be necessary to collect the logs and other files on the Server appliance for analysis by Cisco TAC. Selection of this button on the System Summary pages results in the system collecting all logs and other files of interest for troubleshooting into a single GZIP bundle which can be saved on the PC or any available file share so that it can be forwarded to TAC as necessary in the course of troubleshooting.
4. Cleanup Database
By default, Collectors running NetWatch will collect TCP Open Port and Web User Agent data on configured monitor ports for endpoints with source addresses within the MyNetwork range from traffic received on the monitor port. Depending on the volume of network traffic received on monitor ports, the collected data for these attributes of endpoint identity can grow quite large over time.
Selecting this button from the System Summary results in the NAC Profiler Server evaluating enabled endpoint profiles on the system to determine which Web User Agent(s) and TCP Open Port rules are being used (if any). All Web User Agent and TCP Open Port data that is not being used by the system (e.g., not specified in a rule in an enabled endpoint profile) will then be permanently deleted from the NAC Profiler database in order to reclaim space and improve efficiency of the Modeler.
As outlined in the "Profile Data" section, Web User Agent and TCP Open Port data collected by the system can be viewed at any time. If these tables are growing large and contain data not currently used in endpoint profiling, it is recommended to use the Cleanup Database button to clear this data regularly.
Network Device Change Logs
The Change Log available from the Utilities tab is specific to the use of Cisco NAC Profiler in the port provisioning mode, and when the Active Response feature for NAC Profiler Events is in use. Port provisioning mode was outlined in Chapter 2, "Cisco NAC Profiler Architecture Overview" and the Active Response option is outlined in detail in Chapter 12, "Configure Cisco NAC Profiler Events".
When the NAC Profiler system is provided with the read-write community strings for edge switches in the environment, the NAC Profiler system itself can be used to make authentication and policy parameter configuration changes on edge infrastructure devices via the port provisioning mode and or Active Response Events. The Change Logs provide records of changes that Cisco NAC Profiler has made to switches on the network via SNMP.
Figure 16-20 shows an example Change Log with entries made for device port configuration changes by Cisco NAC Profiler.
Figure 16-20 Network Device Change Logs
In order to review a detailed report of the change made by each entry in the change logs, the XML report of the change must be viewed by clicking the View link in the View XML column of the table. This will display a complete report of the change made via SNMP as shown in Figure 16-21).
Figure 16-21 XML Record of Network Device Change