http://www.greatbaysoftware.com/forum/recent.aspx - Recent Posts en-us http://blogs.law.harvard.edu/tech/rss Jitbit AspNetForum Tue, 31 Aug 2010 05:20:05 GMT Tue, 31 Aug 2010 05:20:05 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=21
Here's a list of profile identifying each type of Virtual Machine.

Note that these profiles are only using MAC Vendor rules with a certainty of 30% so any other OS/User profile with a higher certainty would override this one in case of OS/User profile rule matching: for example the Windows profile would override the VMware Virtual Machine profile if the endpoint happen to match profiling rules in the Windows profile.

Also note that these profiles can be customized in Beacon if needed (name, description, certainty, additional profiling rules, etc).


Profile Name: Microsoft Hyper-V Virtual Machine
Profile Description: Based on MAC Vendor
Profile Group: Virtual Machine
Maximum Certainty: 30.00%

Rule 1 Type: MAC Vendor
Rule 1 Value: /^00:15:5d/i
Rule 1 Certainty: 30%
--------------------------------------------------------------------------------------------------
Profile Name: Microsoft Virtual PC or Server Virtual Machine
Profile Description: Based on MAC Vendor
Profile Group: Virtual Machine
Maximum Certainty: 30.00%

Rule 1 Type: MAC Vendor
Rule 1 Value: /^00:03:ff/i
Rule 1 Certainty: 30%
--------------------------------------------------------------------------------------------------
Profile Name: Parallels Virtual Machine
Profile Description: Based on MAC Vendor
Profile Group: Virtual Machine
Maximum Certainty: 30.00%

Rule 1 Type: MAC Vendor
Rule 1 Value: /^Parallels, Inc\./
Rule 1 Certainty: 30%
--------------------------------------------------------------------------------------------------
Profile Name: Virtual Iron Virtual Machine
Profile Description: Based on MAC Vendor
Profile Group: Virtual Machine
Maximum Certainty: 30.00%

Rule 1 Type: MAC Vendor
Rule 1 Value: /^Virtual Iron Software, Inc\./
Rule 1 Certainty: 30%
--------------------------------------------------------------------------------------------------
Profile Name: VirtualBox Virtual Machine
Profile Description: Based on MAC Vendor
Profile Group: Virtual Machine
Maximum Certainty: 30.00%

Rule 1 Type: MAC Vendor
Rule 1 Value: /^08:00:27/i
Rule 1 Certainty: 30%
--------------------------------------------------------------------------------------------------
Profile Name: VMware Virtual Machine
Profile Description: Based on MAC Vendor
Profile Group: Virtual Machine
Maximum Certainty: 30.00%

Rule 1 Type: MAC Vendor
Rule 1 Value: /^VMware, Inc\./
Rule 1 Certainty: 30%
--------------------------------------------------------------------------------------------------
Profile Name: Xen Virtual Machine
Profile Description: Based on MAC Vendor
Profile Group: Virtual Machine
Maximum Certainty: 30.00%

Rule 1 Type: MAC Vendor
Rule 1 Value: /^Xensource, Inc\./
Rule 1 Certainty: 30%


Now here's a generic profile for Virtual Machines encompassing all implementations:

Profile Name: Virtual Machines
Profile Description: Based on MAC Vendor
Profile Group: Virtual Machine
Maximum Certainty: 29.00%

Rule 1 Type: MAC Vendor
Rule 1 Value: /^VMware, Inc\.|^Xensource, Inc\.|^Parallels, Inc\.|^Virtual Iron Software, Inc\.|^00:15:5d|^00:03:ff|^08:00:27/i
Rule 1 Certainty: 29%

Note that the certainty is a bit lower so if the specific profiles and the generic one were both enabled, the specific one would override the generic one.]]> Tue, 31 Aug 2010 05:20:05 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=12 Tue, 31 Aug 2010 04:13:16 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=9 Mon, 04 Jan 2010 14:27:22 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=9 Thu, 12 Nov 2009 23:15:41 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=20
Ty Powers
Blue Spruce Technologies]]> Fri, 18 Sep 2009 11:23:30 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=20
This test client is a free, graphically interactive (via web based GUI) that acts as a test client for RADIUS systems and has the ability to send RADIUS Authentication and Accounting messages at a high rate of speed through iterations of up to 1,000,000 requests per run.

http://www.iea-software.com/products/radlogin4.cfm]]> Thu, 17 Sep 2009 10:20:22 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=20
As a start, from http://freeradius.org/features/fast.html (the horse's mouth, so to speak):

"The best way to determine the performance of a server is via testing. FreeRADIUS comes with a tool called radclient, which can be used for basic peformance testing. A third party tool called RadPerf is also available. It uses the FreeRADIUS libraries to implement the RADIUS portion, and then builds more complex functionality on top of that. It can be used to simulate user logins, and can auto-generate accounting packets for user sessions. "

The referenced tool is at http://networkradius.com/radperf.html]]> Thu, 17 Sep 2009 09:27:45 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=20 Thu, 17 Sep 2009 08:44:09 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=19 Cisco web authentication is possible to integrate with Great Bay’s Sponsored Guest Access (SGA). For example a Cisco 3750 allowing an alternative “HTTP” redirected authentication to Great Bay’s SGA LDAP data store. Specifically we configured for 802.1x and MAC Auth Bypass with fallback to HTTP via redirect. Although this is not a requirement, you may also configure web authentication only.

If a user fails 802.1x and MAC Auth Bypass, they would receive an authentication page (hosted on the switch) after attempting to access a web based resource. Login credentials are passed to RADIUS for LDAP lookup against Great Bay’s SGA.

There are a few working parts for this solution, here is a short list
- Cisco Firmware 12.2(50)SE2
- Earlier versions were having issues sending RADIUS Authentication requests when using HTTP authentication
- Configured AAA Authentication and Authorization for RADIUS
- Enabled IP device tracking
- Set authentication proxy banners
- Configured fallback profile not necessary if you want only WEB authentication)
- Created web authentication acl to apply to associated ports
- Configured RADIUS
- “radius-server vsa send authentication” command required
- Configured individual interfaces
- Applied ip admission
- Applied access control list
- Configure your RADIUS server to perform LDAP lookups against Great Bay SGA
- Microsoft IAS does not support external LDAP]]> Fri, 22 May 2009 11:12:22 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=10
Ty Powers
Blue Spruce Technologies]]> Thu, 21 May 2009 13:24:43 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=19 Thu, 21 May 2009 10:48:07 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=18
https://www.greatbayswsupport.com/documentation.php

Note that the StartUp Guides are now incorporated in the Configuration Guide (Chapter 4)--they are not separate docs as they were for version 2.1.8.

Enjoy!]]> Wed, 06 May 2009 11:25:38 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=18 Wed, 06 May 2009 11:21:38 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=17 Wed, 29 Apr 2009 09:59:43 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=3
Hey, I've encountered an interesting scenario recently where one company didn't want corporate users to EVER land in the guest VLAN (thus circumventing the corporate network for potentially unscrupulous purposes). Beacon to the rescue! Let me know if you're interested in discussing that matter on a separate thread. ]]> Tue, 21 Apr 2009 13:10:58 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=3 Wed, 01 Apr 2009 11:01:10 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=16
--Thanks]]> Wed, 01 Apr 2009 10:55:58 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=15 I did narrow the range, and deslected the ping option, and the profile works.
I should know better, and should have checked the release notes!
Cheers,
Greg]]> Thu, 26 Mar 2009 08:36:56 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=15
I think upgrading to -38 will resolve your issue.

One other important point to consider with such a large range of host addresses for active data collection: This will result in the Collector with NetInquiry configured communicating with the hosts in that range (all 65K plus of them if my math is correct) at the frequency you have set in the Server module config.

You may want to consider scoping the active profiling a bit, and tightening your Network Blocks in the NetInquiry module config.]]> Wed, 25 Mar 2009 17:48:46 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=15
I'm trying to do an active tcp open port query using the netinquiry module to test for hp printers on port 9100. I have a MAC rule looking for Hewlett which works fine (50%), but the active TCP Port rule isn't. I am certain that there are printers on the /16 network I've defined, and I test connected to a printer on port 9100.

I've attached a word doc with screen captures of my configuration.

Any suggestions are greatly appreciated!
edited by gregschmitt31 on 3/25/2009]]> Wed, 25 Mar 2009 14:05:04 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=14
Ty Powers

Blue Spruce Technologies, Inc.]]> Tue, 24 Mar 2009 11:51:10 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=14
Unless I misunderstand, your post seems to imply that this method will work regardless of the phone (Cisco, Nortel, Avaya, etc.), correct? Also, you mean RADIUS attributes need to be defined on the ACS server right?]]> Mon, 23 Mar 2009 19:37:27 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=14
The answers to your questions will vary greatly based on variables such as switch manufacturer, phone manufacturer, and authentication server.

I've recently set up this scenario utilizing Polycom phones, Cisco 3750s, and Cisco ACS. This is possible thanks to the addition of multi-domain authentication in Cisco IOS. I believe that it was introduced back in version 12.2(35)xx. The Polycom phones have been profiled by Great Bay Software's Beacon and are authenticating via MAC Auth Bypass, while the client stations attached directly to the VoIP phones are utilizing PEAP for authentication. The switch configuration is pretty straight forward but Radius attributes should be defined to ensure that the switch knows that the phone is a voice device and that re-authentication won't stomp on the connection in the middle of a call.

Ty Powers
Blue Spruce Technologies, Inc.]]> Mon, 23 Mar 2009 15:03:22 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=14 Mon, 23 Mar 2009 14:04:12 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=13 Wed, 11 Mar 2009 15:04:57 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=13
vi /etc/rc.conf

Add the following lines to the conf file:

static_routes="native"
route_native="-net 192.168.1.0/24 192.168.1.1"
defaultrouter="172.168.1.1"

The first line sets labels to the the routes which are referenced below.
The second line tells the route command what route to add. This example 192.168.1.0/24 network has a default gateway of 192.168.1.1. This way when the request to poll the devices on the native network the beacon system will route to the correct network.
The last line is your route of last resort or default route. This is for the web interface of the beacon system.

All of this is documented at : http://www.freebsd.org/doc/en/books/handbook/network-routing.html
Look under section 31.2.5.2.]]> Wed, 11 Mar 2009 14:47:13 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=11
Ty Powers

Blue Spruce Technologies, Inc.]]> Tue, 03 Mar 2009 22:50:07 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=12 Wed, 25 Feb 2009 20:09:12 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=9
interface GigabitEthernet1/0/19
switchport mode access
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x timeout quiet-period 10
dot1x timeout reauth-period 60
dot1x timeout tx-period 10
dot1x timeout supp-timeout 10
dot1x max-req 1
dot1x reauthentication
dot1x auth-fail max-attempts 1
spanning-tree portfast
!]]> Wed, 25 Feb 2009 19:04:06 GMT http://www.greatbaysoftware.com/forum/messages.aspx?TopicID=12 are talking CDP to the switch. Beacon will mark ports
with CDP information as trunks. Currently the only
exception is for Cisco IP Phones.

Could you check the CDP information on that the port?]]> Wed, 25 Feb 2009 18:56:15 GMT