This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Wireless
- ExtremeWireless (General)
- NAC exclusions for Qualys scans
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
NAC exclusions for Qualys scans
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-05-2019 02:05 PM
Hello everybody,
I can use your advice or help.
When we run a Qualys scan, it produces random MAC addresses and tries "logging" into some of the appliances for vulnerability testing.
This starts chewing up a chunk of our NAC licenses.
Is there a way to exclude the Qualys scanner IPs or MAC from the NAC so as to not occupy NAC licenses and keep things clean in general?
Any advice or assistance is greatly appreciated!
Thank you,
Billy
I can use your advice or help.
When we run a Qualys scan, it produces random MAC addresses and tries "logging" into some of the appliances for vulnerability testing.
This starts chewing up a chunk of our NAC licenses.
Is there a way to exclude the Qualys scanner IPs or MAC from the NAC so as to not occupy NAC licenses and keep things clean in general?
Any advice or assistance is greatly appreciated!
Thank you,
Billy
Solved! Go to Solution.
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-05-2019 10:54 PM
Hi Billy,
If we are talking about EXOS switches (are we?) the authentication is enabled globally and then you select ports in which you want to authenticate connected devices.
I don't see right now a way to use authentication with Extreme Access Control and not have an end-system in the cache that is used to calculate license usage. You can just 'exclude' ports on which the appliance is connected, by disabling authentication on these ports (or doing 'auth-override' to have just one MAC address authenticated, in the end-system table and consuming end-system license).
Hope that helps,
Tomasz
If we are talking about EXOS switches (are we?) the authentication is enabled globally and then you select ports in which you want to authenticate connected devices.
I don't see right now a way to use authentication with Extreme Access Control and not have an end-system in the cache that is used to calculate license usage. You can just 'exclude' ports on which the appliance is connected, by disabling authentication on these ports (or doing 'auth-override' to have just one MAC address authenticated, in the end-system table and consuming end-system license).
Hope that helps,
Tomasz
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-06-2019 01:59 PM
Hi Tomasz,
Thank you for your latest response.
I understand you and Ron have said the same thing a couple times but the way you phrased the answer helped me understand the context better.
Thank you!
Billy
Thank you for your latest response.
I understand you and Ron have said the same thing a couple times but the way you phrased the answer helped me understand the context better.
Thank you!
Billy
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-05-2019 10:54 PM
Hi Billy,
If we are talking about EXOS switches (are we?) the authentication is enabled globally and then you select ports in which you want to authenticate connected devices.
I don't see right now a way to use authentication with Extreme Access Control and not have an end-system in the cache that is used to calculate license usage. You can just 'exclude' ports on which the appliance is connected, by disabling authentication on these ports (or doing 'auth-override' to have just one MAC address authenticated, in the end-system table and consuming end-system license).
Hope that helps,
Tomasz
If we are talking about EXOS switches (are we?) the authentication is enabled globally and then you select ports in which you want to authenticate connected devices.
I don't see right now a way to use authentication with Extreme Access Control and not have an end-system in the cache that is used to calculate license usage. You can just 'exclude' ports on which the appliance is connected, by disabling authentication on these ports (or doing 'auth-override' to have just one MAC address authenticated, in the end-system table and consuming end-system license).
Hope that helps,
Tomasz
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-05-2019 07:54 PM
Hi Tomasz,
I appreciate the detail you put in your post!
Would you elaborate on this sentence some more?
Disabling authentication on a port (not globally for the entire device!)
Does that mean there is a way to globally exclude the Qualys scanner appliances?
Thank you,
Billy
I appreciate the detail you put in your post!
Would you elaborate on this sentence some more?
Disabling authentication on a port (not globally for the entire device!)
Does that mean there is a way to globally exclude the Qualys scanner appliances?
Thank you,
Billy
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-05-2019 06:16 PM
Hi Billy,
Disabling authentication on a port (not globally for the entire device!) means the MAC address will be passed through according to static port configuration (PVID, Policy, ACLs etc.). This is the way for exclusion as even if you planned to assign 'Full Access' policy to the device, any authentication request will always end up in NAC end-system table. When Extreme Access Control is an AAA server from the switch perspective, it receives all the authentication requests and that's how it learns of the connected end-system, and that's how your licenses can get saturated. So as Ron said, disabling authentication on the port to Qualys scanner might be helpful.
You can disable authentication and if you wish to run scans from particular user role perspective, you can assign policy/VLAN statically to a port for scanning time.
On EXOS switches you can also assign a policy role with 'HTTP Aware' (aka 'auth-override') flag, so only the first MAC seen on a port will be authenticated, and all the rest on that port will be treated according to the same policy.
Hope that helps,
Tomasz
Disabling authentication on a port (not globally for the entire device!) means the MAC address will be passed through according to static port configuration (PVID, Policy, ACLs etc.). This is the way for exclusion as even if you planned to assign 'Full Access' policy to the device, any authentication request will always end up in NAC end-system table. When Extreme Access Control is an AAA server from the switch perspective, it receives all the authentication requests and that's how it learns of the connected end-system, and that's how your licenses can get saturated. So as Ron said, disabling authentication on the port to Qualys scanner might be helpful.
You can disable authentication and if you wish to run scans from particular user role perspective, you can assign policy/VLAN statically to a port for scanning time.
On EXOS switches you can also assign a policy role with 'HTTP Aware' (aka 'auth-override') flag, so only the first MAC seen on a port will be authenticated, and all the rest on that port will be treated according to the same policy.
Hope that helps,
Tomasz
