Alcatel-Lucent 6850-48 Network Guide

Configuring Access Guardian
Configuring Host Integrity Check
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
page 34-39
The Access Guardian Host Integrity Check (HIC) feature provides an integrated solution for device integrity verification. This solution involves switch-based functionality that interacts with the InfoExpress HIC server (CyberGatekeeper) and host devices using InfoExpress compliance agents.
This section describes how to configure the switch-based functionality. See the InfoExpress user documentation for more information regarding the configuration of compliance agents and the CyberGatekeeper server.
The Host Integrity Check (HIC) process is triggered when a HIC-enabled User Network Profile (UNP) is applied to a client device. See for more information. When a profile is created, HIC is disabled by default. To enable HIC for the profile, use the command. For example:
-> aaa user-network-profile name Engineering vlan 500 hic enable
In addition to enabling HIC for a UNP, the following configuration tasks are involved in setting up the HIC feature to run on the switch:
1 Configure the identity of the HIC server. Use the command to configure the name and IP address of the InfoExpress CyberGatekeeper server, a shared secret, and the UDP port number used for HIC requests.
-> aaa hic server-name hic-srv1 ip-address 2.2.2.2 secret wwwtoe
Note that configuring the server is required before HIC can be enabled for the switch.
2 Configure the Web agent download server URL. A host can use the InfoExpress desktop compliance agent or a Web-based agent. If the desktop agent is not installed on the host, the switch redirects the host to a Web agent download server. The URL of the download server is configured for the switch using the command.
-> aaa hic web-agent-url http://10.10.10.10:2146
When the HIC process is initiated for a host device, the host has limited access to the network for communicating with the HIC server and any servers included in the exception list. Make sure the Web agent download server is added to the server exception list, as described below.
3 Configure a server exception list. There are specific servers that a host device may need access to during the HIC process. For example, if the host is going to use the Web-based compliance agent, access to the Web agent download server is required. Use the command to add the name and IP address of up to four servers to the HIC server exception list.
-> aaa hic allowed-name websrv1 ip-address 123.10.5.1 ip-mask 255.255.255.0
4 Configure a custom proxy port number. By default, the switch uses 8080 for the host proxy port number. If a different number is used by the host device, use the command to configure the switch to use the host value.
-> aaa hic custom-proxy-port 8878
5 Enable the HIC feature for the switch. By default, the HIC feature is disabled for the switch. This means that all HIC functionality is disabled. For example, if the HIC attribute of a UNP is enabled, the HIC process is not invoked when the profile is applied if the HIC feature is not enabled for the switch. Use the command to enable or disable the HIC feature for the switch.
-> aaa hic enable
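As an added example (not part of the guide or of AOS itself), the following Python check parses `aaa hic` lines from a saved switch configuration and verifies the dependencies this section states: a HIC server must exist before HIC is enabled, the exception list holds at most four servers, and the Web agent download server must be covered by the exception list. The sample configurations are constructed; the check only understands the command forms shown on this page.

```python
import ipaddress
import re
from urllib.parse import urlparse

MAX_EXCEPTIONS = 4  # the guide allows up to four servers in the HIC exception list

def parse_hic_config(text):
    """Collect HIC settings from 'aaa hic' CLI lines; a leading '->' prompt is tolerated."""
    cfg = {"server": None, "web_agent_url": None, "allowed": [], "enabled": False}
    for raw in text.splitlines():
        line = raw.strip().lstrip("->").strip()
        if m := re.match(r"aaa hic server-name (\S+) ip-address (\S+)", line):
            cfg["server"] = (m.group(1), m.group(2))
        elif m := re.match(r"aaa hic web-agent-url (\S+)", line):
            cfg["web_agent_url"] = m.group(1)
        elif m := re.match(r"aaa hic allowed-name (\S+) ip-address (\S+) ip-mask (\S+)", line):
            cfg["allowed"].append((m.group(1), m.group(2), m.group(3)))
        elif line == "aaa hic enable":
            cfg["enabled"] = True
    return cfg

def check_hic_config(text):
    """Return a list of findings; an empty list means the section's prerequisites hold."""
    cfg = parse_hic_config(text)
    findings = []
    if cfg["enabled"] and cfg["server"] is None:
        findings.append("HIC enabled but no HIC server configured (server must come first)")
    if len(cfg["allowed"]) > MAX_EXCEPTIONS:
        findings.append(f"exception list has {len(cfg['allowed'])} entries, limit is {MAX_EXCEPTIONS}")
    if cfg["web_agent_url"] is not None:
        host = urlparse(cfg["web_agent_url"]).hostname
        try:
            covered = any(ipaddress.ip_address(host) in ipaddress.ip_network(f"{ip}/{mask}", strict=False)
                          for _, ip, mask in cfg["allowed"])
        except ValueError:  # hostname URL or malformed entry: cannot be matched against IP entries
            covered = False
        if not covered:
            findings.append("Web agent download server is not covered by the exception list")
    return findings

# Constructed sample configurations (not taken from the guide): one compliant, one flawed.
GOOD_CONFIG = """
aaa hic server-name hic-srv1 ip-address 2.2.2.2 secret wwwtoe
aaa hic web-agent-url http://10.10.10.10:2146
aaa hic allowed-name webagent ip-address 10.10.10.10 ip-mask 255.255.255.255
aaa hic enable
"""
BAD_CONFIG = """-> aaa hic web-agent-url http://10.10.10.10:2146
-> aaa hic allowed-name websrv1 ip-address 123.10.5.1 ip-mask 255.255.255.0
-> aaa hic enable"""
```

Running `check_hic_config(BAD_CONFIG)` reports both a missing HIC server and a download server outside the exception list, which is the failure mode step 2 warns about.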