Preparing for Deployment
Topics in this chapter include:
•Determination of Required Endpoint Profiles
•Considerations for NetMap in Cisco NAC Profiler System Deployments
•Cisco NAC Profiler System Configuration Workflow
Before deploying and configuring Cisco NAC Profiler, there are a number of planning tasks to complete, based on how Cisco NAC Profiler will interact with the existing infrastructure.
As outlined in Chapter 2, "Cisco NAC Profiler Architecture Overview", the Cisco NAC Profiler system consists of a Cisco NAC Profiler Server component which runs on a dedicated standalone Profiler appliance or optionally as an HA pair of Profiler appliances. The NAC Profiler system will also include one or more Cisco NAC Profiler Collectors. The Collector service can run on the NAC Server appliances (NAC-3310 only, or NAC-3350) deployed as part of the Cisco NAC Appliance system. Alternatively, the NAC Profiler Collector may be deployed on appliances running only the Profiler Collector service on NAC Servers (e.g., without the NAC Server services enabled). The NAC Profiler Server manages and receives collected endpoint data from the NAC Profiler Collectors deployed in the system over an encrypted TCP connection.
Chapter 1, "Introduction to Cisco NAC Profiler" provided an overview of Endpoint Profiling and Identity Monitoring emphasizing the flexible nature of Cisco NAC Profiler and approaches that may be employed in engineering a system that meets the needs of each environment. The various data collection techniques outlined can be selected and combined to create a system that utilizes the sources of endpoint data that can be provided to it in each environment.
The following steps guide the collection of data and considerations to be taken into account prior to implementing Cisco NAC Profiler in a given enterprise network. Note that this list is not exhaustive. There are other options such as the use of external data sources such as NetFlow and RADIUS accounting, and the options to use the NetInquiry module for Active Profiling of endpoints. These topics are covered in later chapters of this guide. The following steps are designed to assist with the initial configuration of Cisco NAC Profiler systems that can be built upon via tuning of the system and employment of optional capabilities as the endpoint profiling strategy is developed and implemented for a given enterprise network environment.
Step 1 Determine Cisco NAC Profiler System IP Configurations
Step 2 Determine Digital Certificate Parameters for Cisco NAC Profiler Server
Step 3 Determine Cisco NAC Profiler System License Requirements
Step 4 Internal Network Address Blocks
Step 5 Network Device List
Step 6 DHCP Traffic Analysis
Step 7 Monitoring Interface Requirements
Step 8 SNMP Trap Configuration
Determine Cisco NAC Profiler System IP Configurations
Cisco NAC Profiler is managed via secure HTTP as described in Chapter 2, "Cisco NAC Profiler Architecture Overview". The Cisco NAC Profiler Server provides system management for all components of the NAC Profiler system and those components communicate with one another and with network devices and services via TCP/IP. The NAC Profiler server utilizes the eth0 interface of the appliance it is running on for communication with the other system components by default. The NAC Profiler Server startup scripts allow for the configuration of this interface with basic IP parameters to enable it for network communications.
The Cisco NAC Profiler Collectors use the eth0 interface of the NAC Server for communication with the NAC Profiler Server. When the Collector service is running on the NAC Server, the same network interface on the appliance used for management of the NAC Server is used for management of the Collector service as well. When the Collector service is running on the NAC Server, it utilizes the IP configuration of the eth0 interface completed during startup configuration of the NAC Server services.
Note When the Collector service is deployed on a NAC Server that does not have the NAC Server services running, the startup of the NAC Server appliance in accordance with the NAC Appliance configuration is required so that the OS and network services required by the Profiler Collector are configured.
Determine the following operating environment-specific parameters for the Management Interface of Profiler Server appliance:
•IP host address and netmask
•IP address for the default gateway to be used by the system
•IP address of the Name Server
•DNS Name or IP Address of NTP server(s) to configure the NAC Profiler Server for NTP.
Note If the NAC Profiler Server is to be implemented as an HA-pair, the above parameters for both appliances in the pair must be determined. In addition, there are several other parameters specific to the HA pair configuration such as the VIP for the pair.
Note For NAC Profiler Server HA-pairs, configuration of NTP on both members of the HA pair is mandatory, and highly recommended for standalone systems. As part of pre-deployment of the NAC Profiler system, internal NTP servers that will be used by the NAC Profiler Servers should be identified.
The IP configuration of the NAC Profiler Server (or HA pair VIP) is required when performing the initial configuration of the NAC Profiler Collectors. It needs to be determined prior to initial Collector startup as described in Chapter 4, "Installation and Initial Configuration".
In addition, the IP addresses of each of the Collectors that are to be deployed in the NAC Profiler system should be determined and noted. As mentioned previously, the NAC Profiler Collectors run on Cisco NAC Appliance NAC Servers and rely on the underlying OS and IP configuration of the NAC Server. Having the IP addresses of the NAC Profiler Collectors deployed on the NAC Servers in the system will facilitate the configuration of the Profiler Server as described in Chapter 6, "Cisco NAC Profiler Server Configuration".
Consider any ACLs or other potential issues with network communication between the Collectors and the NAC Profiler Server, and between the Collectors and the network devices (e.g., switches, routers and Active Directory Servers), and the computer that will be used to manage Cisco NAC Profiler via HTTPS.
Note SSH is utilized for command line access to Cisco NAC Profiler components over the network. Enabling SSH access from the management computer to the Profiler Server and Collectors should also be considered.
Determine Digital Certificate Parameters for Cisco NAC Profiler Server
The Cisco NAC Profiler user interface is secured using HTTPS and supports the use of Digital Certificates so that the authenticity of the embedded web server can be verified by the browser as it connects for access to the Cisco NAC Profiler user interface.
During the startup of the NAC Profiler Server, a self-signed digital certificate and CSR are created which will require the entry of organization-specific information. The following information is entered to create the self-signed certificate and CSR:
1. FQDN of the NAC Profiler system. (Note: for HA systems, this should be for the VIP/Service Address of the NAC Profiler Server HA-pair.)
2. Organization Unit Name
3. Organization Name
4. City Name
5. State or Province Name
6. 2-letter Country code
Note The Certificate Signing Request (CSR) created during startup can be submitted to a CA for digital signature, and the self-signed certificate created during Profiler Server startup replaced with the CA-signed certificate. Having the desired digital certificate parameters established before the startup of the NAC Profiler Server allows the CSR to be created and downloaded once at system startup, facilitating installation of the signed certificate as outlined in Chapter 5, "Configuring the Cisco NAC Profiler for the Target Environment".
Determine Cisco NAC Profiler System License Requirements
The licensing for the Cisco NAC Profiler system is managed by the Cisco NAC Profiler Server. Whenever the NAC Profiler Server starts, and periodically while it is running, the license subsystem checks for the presence of the required license key files. There are two types of license key files for NAC Profiler: Profiler (Server) and Collector licenses. Both Profiler and Collector license key files are generated using the eth0 MAC Address of the Profiler Server appliance. The Profiler and Collector license key files are specific to a NAC Profiler Server appliance or pair of appliances in the case of HA pair. They will only be validated if the eth0 MAC of the appliance(s) matches the MAC(s) encoded in the license file.
When licensing NAC Profiler Server HA-pairs, the license file generation site allows the creation of what is termed a "Failover Bundle" license key, which encodes the eth0 MAC address of both Cisco NAC Profiler Appliances in a single license key file. This allows a single license key file to be loaded on both members of a NAC Profiler Server HA pair; it will be validated by whichever NAC Profiler Server is the Primary node of the pair and running the Server for the system.
Both Profiler (Server) and Collector licenses can be generated. The use of the Failover Bundle license option for Cisco NAC Profiler Systems running in HA mode is highly recommended.
The following figure provides a flow chart that guides the determination of the licensing requirements for standalone NAC Profiler servers, and NAC Profiler Server HA pairs:
Figure 3-1 Cisco NAC Profiler Licensing Flow Chart
Note The online license key generator will generate a file with the .lic extension for each Profiler and Collector license key file successfully generated. There is no designation within the filename that allows determination that a key file is a Profiler versus Collector license, or the MAC address that is encoded in the file. When creating Cisco NAC Profiler license keys it is a good practice to create separate directories for Profiler and Collector licenses and save the files to the proper directory as the key files are generated.
Once a license key file is successfully uploaded to a NAC Profiler Server, the Type (e.g., Server or Collector) is displayed in the Cisco NAC Profiler UI along with an easy to interpret indicator that the license file does or does not contain the MAC (or MACs in the case of HA pairs/failover bundle licenses) of the eth0 MAC address(es) of the Profiler Server appliance(s). See Chapter 5, "Configuring the Cisco NAC Profiler for the Target Environment".
Internal Network Address Blocks
The Cisco NAC Profiler configuration specifies the range of host addresses of the devices that should be Profiled by the system. These address blocks typically consist of one or more IP subnets or networks that are used for assigning host IP addresses to the endpoints on the physical networks for which Cisco NAC Profiler will provide Endpoint Profiling and Behavior Monitoring. This prevents the system from maintaining profile information on endpoints with source addresses outside the address space controlled by the organization.
Collect the address block(s) (CIDR format: x.x.x.x/mask bits) that specify the host addresses of all the endpoints to be profiled in the network(s) targeted for the Cisco NAC Profiler deployment.
In version 3.1, the ability to specify "exclude" network blocks was added so that one or more address ranges can be designated as exclusion ranges; the NAC Profiler Collectors will not collect IP-learned endpoint data for host addresses on the excluded nets/subnets. For example, if the 10.0.1.0/24 through 10.0.10.0/24 networks were used within an organization, but it is not desirable to include hosts on the 10.0.5 and 10.0.6 subnets, these subnets could be excluded from endpoint data collection by specifying them in the "exclude" blocks for the Organization Name within the My Network configuration.
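The include/exclude logic described above, worked through in Python as an added example (not code from the guide or the product): the constructed blocks mirror the 10.0.1.0/24 through 10.0.10.0/24 scenario with 10.0.5.0/24 and 10.0.6.0/24 excluded, and the second helper generalizes to an exclude block that only partially covers an include block.

```python
import ipaddress

# Constructed blocks mirroring the chapter's scenario: the organization uses
# 10.0.1.0/24 through 10.0.10.0/24, but hosts on 10.0.5.0/24 and 10.0.6.0/24
# must not be profiled.
INCLUDE_BLOCKS = [f"10.0.{n}.0/24" for n in range(1, 11)]
EXCLUDE_BLOCKS = ["10.0.5.0/24", "10.0.6.0/24"]


def parse_blocks(blocks):
    """Parse CIDR strings (x.x.x.x/mask bits) into network objects.

    strict=False tolerates a host address written with a mask
    (e.g. 10.0.1.7/24) by normalising it to its network address."""
    return [ipaddress.ip_network(b, strict=False) for b in blocks]


def should_profile(addr, include, exclude):
    """True when addr lies inside some include block and outside every
    exclude block. Addresses outside the organization's space are
    ignored entirely, as the chapter describes."""
    ip = ipaddress.ip_address(addr)
    inside = any(ip in net for net in include)
    excluded = any(ip in net for net in exclude)
    return inside and not excluded


def effective_ranges(include, exclude):
    """Express include-minus-exclude as a sorted list of CIDR strings.

    Useful as a pre-deployment sanity check of what the Collectors will
    actually learn. CIDR blocks either nest or are disjoint, so each
    exclude block is either ignored, swallows the include block whole,
    or is carved out of it with address_exclude()."""
    result = []
    for net in include:
        remaining = [net]
        for ex in exclude:
            nxt = []
            for r in remaining:
                if r.subnet_of(ex):
                    continue                      # fully covered by the exclude
                if ex.subnet_of(r):
                    nxt.extend(r.address_exclude(ex))  # carve the exclude out
                else:
                    nxt.append(r)                 # disjoint, keep as is
            remaining = nxt
        result.extend(remaining)
    return sorted(str(n) for n in result)
```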
Network Device List
Cisco NAC Profiler maintains a model of the network infrastructure and communicates with the network infrastructure devices (switches and routers) via SNMP to gather information about the network topology when available. In order to utilize this functionality, Cisco NAC Profiler must be provided a list of the IP addresses of the network devices, and SNMP Read Only community strings in order to enable this communication. If SNMP is not enabled on the edge devices, it is highly recommended that SNMP be enabled in order to allow polling by Cisco NAC Profiler in order for the system to maintain a model of the network topology.
Note Version 3.1 of Cisco NAC Profiler includes an Active Response option for NAC Profiler Events. Active Response to selected events can include bouncing or forcing re-authentication of an endpoint, or can be used to administratively down a port when specified events occur. Use of this feature requires that the Cisco NAC Profiler also have the read-write community string of devices in order to perform the active response function via SNMP.
A list of network devices (switches and routers) that provide connectivity to the endpoints to be profiled should be compiled including IP address, device name, and read-only community string, preferably in a spreadsheet in CSV format to facilitate the data entry task.
Chapter 8, "Network Devices" describes the addition of network devices to Cisco NAC Profiler configuration in detail.
Many Network Management software solutions provide the capability to export device lists in CSV format with the information required by Cisco NAC Profiler. Cisco NAC Profiler provides the capability to import network device information provided in CSV format.
For basic read-only SNMP access to network devices, compile a list of network devices in a CSV file formatted as follows:
If Cisco NAC Profiler will be used to provision infrastructure devices to facilitate network management tasks associated with the deployment and management of NAC as described in Chapter 2, "Cisco NAC Profiler Architecture Overview" or with Active Response Events, the Read-write community string must also be provided so that Cisco NAC Profiler can perform SNMP sets to network devices.
In order to use Cisco NAC Profiler in the port provisioning mode, create a list of network devices in a CSV file formatted as follows:
DHCP Traffic Analysis
Cisco NAC Profiler can utilize DHCP requests from endpoints as sources of data for Endpoint Profiling. If some or all of the hosts to be Profiled are using DHCP for their addressing, consideration should be given to making DHCP requests from endpoints visible to Cisco NAC Profiler. If Cisco NAC Profiler is not able to collect the DHCP requests directly (e.g., not on the same LAN as the hosts using DHCP) a way to accomplish this is the use of the IP Helper Address used to redirect broadcast DHCP request packets from the router interfaces connecting the LANs to the rest of the network or by simply using SPAN or RSPAN to send the traffic from Ethernet ports to which the DHCP servers connect.
In the case of redirection, an IP-Helper address can be added to the configuration file of the router(s) specifying the appliance interface IP address of the desired Collector that should process DHCP information (more specifically the NetWatch module on that Collector). With this configuration, the router(s) forwards DHCP broadcasts not only to the DHCP server(s), but also to Cisco NAC Profiler for analysis for Endpoint Profiling and Identity Monitoring purposes.
Cisco NAC Profiler does not get involved in the DHCP process regardless of how it receives DHCP requests. It simply passively collects the request packets and uses the data for the purposes of endpoint profiling and or behavior monitoring, and therefore has no effect on the DHCP service for the network.
Note NetWatch performs the DHCP analysis function. NetWatch cannot be run on the trusted interface (eth0) of the Profiler Collector running on the NAC Server. To use IP Helper redirection with NetWatch, an unused interface must be numbered (given an address) and the IP Helper configuration set to forward the DHCP packets to that interface.
Monitoring Interface Requirements
A Cisco NAC Profiler Collector service can utilize unused network interfaces on the NAC Server appliance to collect and analyze packets useful for Endpoint Profiling and Identity Monitoring. These passive analyzer interfaces are used to gather network traffic for analysis by the NetWatch collector component module running on the Collector. For standalone (non-HA) NAC Servers, the eth2 and or eth3 interfaces can be used as NetWatch monitor interfaces. If the NAC Server is deployed as an HA-pair, only the eth3 interface can be used to receive traffic of interest redirected via SPAN or RSPAN.
One of the most useful sources of endpoint profiling information for Cisco NAC Profiler is DHCP. If DHCP is in use in the environment, placing a NetWatch monitoring interface on the link that services the DHCP server or servers can provide highly useful data to Cisco NAC Profiler. As an alternative, routers servicing the LAN segments can be configured with an IP helper-address as described in DHCP Traffic Analysis.
Note The use of IP Helper for the redirection of DHCP requests to the NAC Profiler system requires that the NetWatch monitoring interface be configured with an IP configuration so that the packets forwarded by the routers via IP helper can be delivered to the NAC Server interface. The procedure for the configuration of these interfaces is provided in Chapter 4, "Configuration of Profiler Collectors for Use with DHCP Analysis via IP Helper" section on page 4-54.
Consideration should be given to using the eth3 interface for receiving re-directed traffic (through the use of SPAN, RSPAN) of endpoint traffic traversing from the edge of the network to server farms and the Internet link which yield traffic useful for endpoint profiling and behavior monitoring.
Refer to Chapter 7, "Configuring Collector Modules" for additional information.
SNMP Trap Configuration
The NetTrap module running on one or more NAC Profiler Collectors in the Cisco NAC Profiler system can utilize traps from edge devices in performing the Endpoint Profiling and Identity Monitoring functions. Network devices providing connectivity to endpoints are configured to send SNMP Traps for Link State changes and MAC-address-change notification traps (the latter being available only on Cisco switches) to a Collector for processing by NetTrap. Ensure that infrastructure devices providing endpoint connectivity are configured to send Link State and New MAC Notification traps (when available) to the IP address of the management interface of the Collector designated to receive traps for the NAC Profiler system. Refer to the device manufacturer's documentation for detailed instructions on the configuration of SNMP traps.
An illustrative SNMP trap configuration for Cisco IOS-based switches is provided below:
The following notes provide instructions for configuring access switches to send the desired traps to a Cisco NAC Profiler Collector. The configuration commands shown are applicable to most Cisco IOS-based switches running recent firmware releases. Some switches may not support all trap types; check the documentation and release notes to determine the SNMP trap capability of the switch types deployed in the network where the NAC Profiler System is being deployed.
The following IOS commands will enable the sending of desired SNMP traps to a Cisco NAC Profiler Collector:
(config)# snmp-server enable traps mac-notification
(config)# snmp-server enable traps snmp linkup linkdown
(config)# snmp-server host <Collector eth0-IP-address> traps version 1 <community-string>
This will enable link-status traps for all interfaces and configure the switch to potentially send MAC-address-change notification traps. For MAC-address-change notifications to actually occur, the following command must be utilized for each interface of interest:
(config)# interface GigabitEthernet 2/29
(config-iface)# snmp trap mac-notification change added
MAC-address-change notification should be enabled on access switch ports where endpoints connect. Of particular interest are ports connecting wireless controllers (such as the Cisco WLC). MAC-address-change notification should never be enabled on inter-switch links (e.g., trunk) ports.
The network devices should be configured such that the Collector receives only Link State and MAC-address-change notification traps. Forwarding all network device traps to a Profiler Collector is undesirable in that it provides no additional useful information to the NAC Profiler system and can potentially negatively impact system performance.
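As an added example (not from the guide), the following Python audit checks a switch running-config excerpt against the guidance above: the two global trap enables and the host entry for the Collector are present, no additional trap types are enabled, MAC-address-change notification is on access ports, and it is absent on trunk ports. The config text, Collector address and community string are constructed placeholders.

```python
import re

# Constructed running-config excerpt (not from any real switch). The Collector
# address 192.0.2.10 and COMMUNITY-PLACEHOLDER are placeholders.
SAMPLE_CONFIG = """\
snmp-server enable traps mac-notification
snmp-server enable traps snmp linkup linkdown
snmp-server enable traps config
snmp-server host 192.0.2.10 traps version 1 COMMUNITY-PLACEHOLDER
!
interface GigabitEthernet2/29
 description user port, compliant
 switchport mode access
 snmp trap mac-notification change added
!
interface GigabitEthernet2/30
 description user port, mac-notification missing
 switchport mode access
!
interface GigabitEthernet1/1
 description uplink to core, mac-notification must not be here
 switchport mode trunk
 snmp trap mac-notification change added
!
"""

COLLECTOR_IP = "192.0.2.10"  # placeholder for the Collector eth0 address

REQUIRED_GLOBAL = (
    "snmp-server enable traps mac-notification",
    "snmp-server enable traps snmp linkup linkdown",
)
MACN_CMD = "snmp trap mac-notification change added"


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for each stanza."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None          # "!" or another global line ends the stanza
    return interfaces


def audit_trap_config(config, collector_ip):
    """Return a list of finding strings; an empty list means the excerpt
    follows the chapter's trap guidance."""
    findings = []
    global_lines = [l.strip() for l in config.splitlines() if not l.startswith(" ")]

    for cmd in REQUIRED_GLOBAL:
        if cmd not in global_lines:
            findings.append(f"missing global command: {cmd}")

    host_re = re.compile(r"^snmp-server host (\S+) traps\b")
    trap_hosts = [m.group(1) for l in global_lines for m in [host_re.match(l)] if m]
    if collector_ip not in trap_hosts:
        findings.append(f"no snmp-server host entry sends traps to {collector_ip}")

    # Only link-state and mac-notification traps are useful to the Collector;
    # anything else is noise that can affect Profiler performance.
    for l in global_lines:
        if l.startswith("snmp-server enable traps ") and l not in REQUIRED_GLOBAL:
            findings.append(f"additional trap type enabled: {l}")

    for name, lines in parse_interfaces(config).items():
        is_trunk = "switchport mode trunk" in lines
        is_access = "switchport mode access" in lines
        has_macn = MACN_CMD in lines
        if is_trunk and has_macn:
            findings.append(f"{name}: mac-notification enabled on a trunk port")
        elif is_access and not has_macn:
            findings.append(f"{name}: access port lacks '{MACN_CMD}'")
    return findings
```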
Determination of Required Endpoint Profiles
As outlined in detail in Chapter 1, "Introduction to Cisco NAC Profiler", profiles are logical containers used to discover, locate and classify devices into device-types or classes that have similar operating characteristics, capabilities and limitations. Cisco NAC Profiler is a rule-based system. It collects endpoint data and evaluates that data against the rules in the enabled profiles to find a "best match." Refer to Table 1-1 on page 1-4, which outlines the endpoint identity attributes available to the system and how they are collected (e.g., by which Collector component module).
Understanding that the overarching goal in most Cisco NAC Profiler deployments is to discover all endpoints and accurately profile each discovered endpoint, the determination of the required profiles and how they will be configured in terms of rules is the "heavy lifting" of both the initial implementation and the ongoing tuning the system will require in production. Endpoints remaining in the Not Profiled state are anathema to the Cisco NAC Profiler administrator. That being said, it eventually boils down to answering the following questions about each of the major endpoint types using the network and needing to be profiled:
1. What attributes of endpoint identity available to the Cisco NAC Profiler System could be used to uniquely identify an endpoint of the given type?
2. How and where can the data by which the identity attribute is exhibited by endpoints of this type be collected by the available NAC Profiler Collectors?
The answers to these questions have implications for the configuration of Profiles and profile rules, as well as for Collector placement, the data feeds required by those Collectors, and component module configuration. That is why this discussion is included in the system planning chapter.
In order to provide the Cisco NAC Profiler administrator with a head start on this process, Cisco NAC Profiler ships with a number of Endpoint Profiles pre-configured based on deployment experience to date. Many of these profiles utilize tried and true approaches for profiling endpoints that are universally applicable (e.g., they don't depend on environment-specific attributes). That is, they rely on endpoint identity attributes such as MAC Vendor and DHCP Vendor Class Identifiers that are consistent across all network environments; provided that the Collectors receive the data feeds necessary to collect this data, these profiles will begin profiling endpoints out of the box.
Tip Using the Cisco NAC Profiler factory profiles that are enabled by default, the quickest path to the Profiling of endpoints requires that at least one Collector be enabled for NetWatch processing of DHCP traffic using one of the techniques outlined earlier in the chapter, along with initiating polling of network devices by NetMap.
Several of the existing profiles that ship pre-configured on the system may be applicable in the environment. The following are examples of pre-configured profiles that ship with the Cisco NAC Profiler product and are enabled by default:
•Cisco WLAN Access Point
•HP Jet Direct Printer
As part of the preparation for the deployment of the product, the types of endpoint devices known to be connected to the network, the need for a contextual inventory, and the plans for authentication and/or NAC deployment should be discussed, and a preliminary list of the required profiles developed, so that as the system is initially configured, measurable progress toward profiling discovered endpoints can be made early on.
Also of note is the fact that when one or more NetWatch modules have network traffic delivered to their monitor interface(s), the Cisco NAC Profiler system will begin collecting endpoint identity attributes observed for endpoints on the network with no specific configuration. NetWatch will collect all identity attributes available from DHCP, TCP Open Ports, Web User Agents, Web and SMTP Server banners, and Network Stack Information in the traffic received on the monitor interface. The Cisco NAC Profiler administrator can view this data to find identity attributes exhibited by endpoints of a particular type and collected by the Cisco NAC Profiler system, in order to configure new profiles or add rules to existing ones. Endpoint Profiling on large enterprise networks with a large and diverse endpoint population is inherently an iterative process.
Considerations for NetMap in Cisco NAC Profiler System Deployments
SNMP polling of network devices is done at specified intervals by the Cisco NAC Profiler system according to system-level parameters. When link up/MAC notification traps and link down traps signalling an endpoint joining or leaving the network are received by a NetTrap module, the Server module will direct a designated NetMap module to poll for the port-specific parameters it needs to gather on an endpoint join or leave.
Each network device in the Cisco NAC Profiler configuration is assigned a NetMap module that will be responsible for the SNMP polling (regular and trap-based) of the device.
When planning the implementation of a Cisco NAC Profiler system with two or more Collectors it is good practice to distribute SNMP polling responsibility amongst the NetMap modules on the two or more Collectors so that the workload associated with endpoint data gathering by SNMP is split between the Collectors.
Tip The NetMap module polling assignment can be done per network device group rather than at the individual device level. All devices in a group will be assigned to an available NetMap module in accordance with the group configuration. The network device list referred to earlier in the chapter can be broken into multiple CSV files (e.g., one CSV file per group/NetMap module) and imported into the Cisco NAC Profiler system configuration per group.
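An added Python example (not from the guide or the product) that ties together the network device list from earlier in the chapter and the per-group NetMap assignment above: it validates a device list (invalid or duplicate IPs, empty or vendor-default community strings), distributes the valid devices round-robin across the NetMap modules, and renders one CSV per group for import. The column layout ip,name,ro_community is an assumption for this example, not the product's import format, and all addresses, names and community strings are constructed placeholders.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed device list. The ip,name,ro_community layout is assumed for
# this example only; community strings are placeholders.
DEVICE_CSV = """\
ip,name,ro_community
10.0.1.2,sw-bldgA-1,RO-PLACEHOLDER
10.0.1.3,sw-bldgA-2,RO-PLACEHOLDER
10.0.2.2,sw-bldgB-1,public
10.0.2.3,sw-bldgB-2,RO-PLACEHOLDER
10.0.1.2,sw-dup,RO-PLACEHOLDER
10.0.300.1,sw-bad,RO-PLACEHOLDER
"""

FIELDS = ["ip", "name", "ro_community"]
DEFAULT_COMMUNITIES = {"public", "private"}   # well-known defaults worth flagging


def load_devices(csv_text):
    """Parse and validate the device list.

    Returns (devices, problems). Rows with an invalid or duplicate IP or an
    empty community string are dropped; a vendor-default community string is
    reported but the row is kept, since it still imports correctly."""
    devices, problems, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = row["ip"].strip()
        name = row["name"].strip()
        comm = row["ro_community"].strip()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"{name}: invalid IP address {ip!r}")
            continue
        if ip in seen:
            problems.append(f"{name}: duplicate IP {ip}")
            continue
        if not comm:
            problems.append(f"{name}: empty read-only community string")
            continue
        if comm.lower() in DEFAULT_COMMUNITIES:
            problems.append(f"{name}: vendor-default community string in use")
        seen.add(ip)
        devices.append({"ip": ip, "name": name, "ro_community": comm})
    return devices, problems


def assign_netmap(devices, netmap_modules):
    """Round-robin devices across the NetMap modules (one per Collector) so
    the SNMP polling workload is split. Returns {module name: [devices]}.
    A site-based split (e.g. by name prefix) is an equally valid grouping."""
    if not netmap_modules:
        raise ValueError("at least one NetMap module is required")
    groups = defaultdict(list)
    for i, dev in enumerate(devices):
        groups[netmap_modules[i % len(netmap_modules)]].append(dev)
    return dict(groups)


def group_to_csv(devices):
    """Render one group as CSV text, ready to be saved as that group's file."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(devices)
    return buf.getvalue()


def split_device_list(csv_text, netmap_modules):
    """End-to-end: validate, assign, and return ({module: csv_text}, problems)."""
    devices, problems = load_devices(csv_text)
    files = {mod: group_to_csv(devs)
             for mod, devs in assign_netmap(devices, netmap_modules).items()}
    return files, problems
```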
SNMP trap processing by NetTrap and SNMP polling of network devices by NetMap are decoupled. Any NAC Profiler Collector receiving a Link State/MAC Notification trap will inform the Profiler Server, and the Server will in turn create a task for the responsible NetMap module to poll the network device to determine what changed on the port. It is not necessary for traps to be sent to the same Collector that the NetMap module is running on that is responsible for polling a given network device.
Tip In version 3.1, the option to trust Cisco MAC notifications was added to the Profiler Server SNMP trap handling capability. When this option is selected in the Profiler Server configuration, the information in the MAC Notification trap is processed directly by the Profiler Server when forwarded by the receiving NetMap. A single poll from NetMap follows the MAC notification to collect only PAE MIB information from the trapping device.
Cisco NAC Profiler System Configuration Workflow
System configuration of Cisco NAC Profiler is a multi-step process. Prior to beginning implementation of the system, it is highly recommended that a system-level plan be developed. Of primary importance is understanding Cisco NAC Profiler components: how they will be addressed, where they will be placed in the network, and how polling of network devices will be distributed amongst the NetMap modules in the system running on the Collectors.
This information should be well established prior to the startup of the Profiler Server and the Profiler Collector(s) that will comprise the Cisco NAC Profiler system. The startup procedure requires the input of these parameters as the system is set up, so they should be readily available to the personnel performing the initialization as outlined in Chapter 4, "Installation and Initial Configuration".
Table 3-1 represents the workflow for configuration of Cisco NAC Profiler. The remaining chapters in this guide provide instructions for completion of the configuration tasks described in Table 3-1. The workflow begins with completion of the appliance startup procedures for the Profiler Server and the Collectors running on the NAC Servers to be deployed in the system. Appliance start-up procedures are completed on each appliance using keyboard and monitor, or a terminal session. Detailed instructions for initial startup of Profiler Server appliance and NAC Profiler Collectors are provided in Chapter 4, "Installation and Initial Configuration". Once the Server and Collector(s) have been initially configured, all further system configuration is completed via the web interface.
Table 3-1 Task Flowchart
1. Appliance Start-Up
Complete appliance start-up procedure for the Profiler Server and Collector(s) by following procedures outlined in Chapter 4, "Installation and Initial Configuration". These steps initialize and address all components as well as enable network communications for all components. Establish web session with the Profiler Server to complete system configuration.
2. My Networks Configuration
Chapter 5, "Configuring the Cisco NAC Profiler for the Target Environment" outlines procedures for licensing the NAC Profiler system and for configuring Cisco NAC Profiler for the target environment. In addition it outlines the procedures for saving system configuration changes that are used for all future system configuration accomplished via the Cisco NAC Profiler User Interface.
3. Configure Profiler Server
Chapter 6, "Cisco NAC Profiler Server Configuration" outlines the configuration procedure for the NAC Profiler Server component via the User Interface. Completion of the configuration of the Profiler Server, specifically the configuration of required Network Connections should be completed prior to adding the Profiler Collector(s) to the system configuration.
4. Add Collectors
Chapter 7, "Configuring Collector Modules" outlines the procedure for adding each of the Collectors to the system, and the configuration of each of the component modules (such as the Forwarder, NetMap, NetWatch, NetInquiry, and NetTrap) that run on each Collector as required for each Collector.
It is emphasized throughout the chapter that enablement of the Collector component modules is done selectively on a per-Collector basis: only the components necessary for the collection techniques planned for a given Collector should be configured/enabled.
5. Configure Network Devices
Chapter 8, "Network Devices" outlines the procedures for adding the network devices to the system configuration. Polling of network devices is distributed amongst the NetMap modules running on the Collectors in the system. Network devices and the necessary SNMP information are added or imported to the system configuration, and a NetMap module is designated to poll each network device.
In version 3.1 of Cisco NAC Profiler, NetMap collection of endpoint data from Active Directory Servers was added. If this optional collection technique will be used, it is configured at this juncture as well.
6. Configure Endpoint Profiles
Chapter 9, "Endpoint Profile Configuration: Part 1", Chapter 10, "Endpoint Profile Configuration: Part II", and Chapter 11, "Configuration of Advanced XML Rules" outline the procedures for enabling the endpoint Profiles included with the Cisco NAC Profiler, and for creating new Endpoint Profiles using the available endpoint attribute types. The use of the rule types used in Profile creation for both passive and active endpoint profiling is outlined in these chapters to provide guidance with the configuration of a workable Profile Hierarchy and the Endpoint Profiles that enable that design for Endpoint Profiling and Identity Monitoring in the target environment.
Endpoint Profile Tuning is an ongoing, iterative process in the operation of the Cisco NAC Profiler system, but from the outset, a basic profiling strategy is put into place using the guidance provided in these chapters.
7. Configure Cisco NAC Appliance Integration (Optional)
Chapter 13, "Integration with Cisco NAC Appliance" outlines instructions for enabling the integration between a Cisco NAC Profiler system and a Cisco NAC Appliance system.
If the NAC Profiler System will be employed alongside NAC Appliance, providing discovery and provisioning of non-responsive hosts, the integration between the systems is configured in accordance with the guidelines provided in this chapter.
8. Configure LDAP Integration (Optional - for integration with Cisco Secure ACS)
Chapter 17, "Enabling LDAP Integration" outlines procedures for adding, editing, and deleting NAC Profiler user accounts.
The remaining chapters of the Cisco NAC Profiler Installation and Configuration Guide provide guidance for the configuration of optional features and functionalities provided by the system, for example NAC Profiler Events, which can be used both to inform and to act dynamically on events such as the discovery of a new endpoint of a specific type or a change in the Endpoint Profile of an endpoint.
The operation of the system, use of the Endpoint Console and Utilities tab for viewing and reporting on endpoint and system data, as well as a command line reference for the NAC Profiler Server is also provided in the guide.
At this time, if the Profiler Server and Collectors have yet to be initialized, collect the necessary information outlined in this chapter and proceed with initialization of the Server and each Collector as outlined in the next chapter.