Extreme Networks Sentriant AG200 User manual

Extreme Networks, Inc.
3585 Monroe Street
Santa Clara, California 95051
(888) 257-3000
(408) 579-2800
http://www.extremenetworks.com
Sentriant AG Installation Guide, Version 5.0
Published: June 2007
Part number: 100277-00 Rev 07

Alpine, Alpine 3804, Alpine 3802, Altitude, BlackDiamond, BlackDiamond 6808, BlackDiamond 6816, EPICenter, Ethernet
Everywhere, Extreme Ethernet Everywhere, Extreme Networks, Extreme Turbodrive, Extreme Velocity, ExtremeWare,
ExtremeWorks, ExtremeXOS, GlobalPx Content Director, the Go Purple Extreme Solution Partners Logo, Sentriant,
ServiceWatch, Summit, Summit24, Summit48, Summit1i, Summit4, Summit5i, Summit7i, Summit 48i, SummitRPS,
SummitGbX, Triumph, vMAN, the Extreme Networks logo, the Alpine logo, the BlackDiamond logo, the Summit logos, the
Extreme Turbodrive logo, and the Color Purple, among others, are trademarks or registered trademarks of Extreme Networks,
Inc. or its subsidiaries in the United States and other countries. Other names and marks may be the property of their respective
owners.
© 2007 Extreme Networks, Inc. All Rights Reserved.
Specifications are subject to change without notice.
Merit is a registered trademark of Merit Network, Inc. Solaris and Java are trademarks of Sun Microsystems, Inc. in the
U.S. and other countries. Avaya is a trademark of Avaya, Inc.
All other registered trademarks, trademarks and service marks are property of their respective owners.

Table of contents
Table of contents
List of figures
List of tables
Chapter 1: What You Need to Get Started
Chapter 2: Deployment Flexibility
  Deploying Sentriant AG Inline
  Deploying Sentriant AG Using DHCP
  Deploying Sentriant AG Using 802.1x
  Installing the Network Interface Cards
    Inline
    DHCP
    802.1x
    Determining eth0 and eth1
  Deploying Sentriant AG in VPN Mode on a Different Network
Chapter 3: System Requirements
  General System Requirements
  Specific System Requirements
  Operating Systems Supported
  Enforcement Methods Requirements
Chapter 4: Important Browser Settings
  Pop-up Windows
  Active Content
  Minimum Font Size
  Page Caching
  Temporary Files
Chapter 5: Installing Sentriant AG
  Installing Sentriant AG for the First Time
    Downloading the New Install ISO Image
    Creating the Installation CD from the Sentriant AG Download
    Installing Sentriant AG
      Locating and Verifying Server Hardware
      Information Required During Installation
      Creating a Single-server Installation
      Creating a Multiple-Server Installation
      Initial Configuration
  Upgrading Sentriant AG to a Newer Version
    Upgrading from the Sentriant AG Console
    Downloading the Upgrade ISO Image
    Creating an upgrade CD from the download
    Upgrading from a CD
Chapter 6: Configuring Sentriant AG
Appendix A: Installation and Configuration Check List
  Minimum System Requirements
  Installation Location
  Installation Media
  IP Addresses, Hostname, Logins, and Passwords
    Single-server Installation
    Multiple-server Installations
      Management Server
      Enforcement Server 1
      Enforcement Server 2
      Enforcement Server 3
    Proxy Server
  Agentless Credentials
  Quarantine
    802.1x
    802.1x Devices
    DHCP
    Accessible services
  Notifications
  Test Exemptions
Index

List of figures
Figure 1: Single-server Installation, Quarantine Method, Inline
Figure 2: Multiple-server Installation, Quarantine Method, Inline
Figure 3: Single-server Installation, Quarantine Method, DHCP, Flat Network
Figure 4: Multiple-server Installation, Quarantine Method, DHCP
Figure 5: Single-server Installation, DHCP Mode, Simple Example
Figure 6: Single-server Installation, DHCP Mode, Complex Example
Figure 7: Single-server Installation, Endpoint Static Route Enforcement
Figure 8: 802.1x Enforcement
Figure 9: Single-server Installation, Ethernet Card Installation, Inline
Figure 10: Single-server Installation, Ethernet Card Installation, DHCP
Figure 11: Single-server Installation, Ethernet Card Installation, 802.1x
Figure 12: Internet Explorer Security Warning Message
Figure 13: IE Security Message Options
Figure 14: IE Security Warning Pop-up Window
Figure 15: IE Internet Options, Advanced Tab
Figure 16: Install Screen, Boot Prompt
Figure 17: Install Screen, Installation Confirmation
Figure 18: Install Screen, Network Configuration for eth0
Figure 19: Install Screen, Miscellaneous Network Settings
Figure 20: Install Screen, Hostname Configuration
Figure 21: Install Screen, Time Zone Selection
Figure 22: Install Screen, Root Password
Figure 23: Install Screen, Database Password
Figure 24: Install Screen, Installation Type
Figure 25: Install Screen, NTP Server Settings
Figure 26: Install Screen, Installation Progress
Figure 27: Install Screen, Installation Type Screen
Figure 28: Install Screen, Installation Type
Figure 29: Install Screen, Node Installation Settings
Figure 30: Security Alert Window
Figure 31: Accept License Agreement Window
Figure 32: Enter Management Server Settings Window
Figure 33: Enter License Key Window
Figure 34: Create Administrator Account Window
Figure 35: Sentriant AG Home Window
Figure 36: Enforcement Clusters & Servers
Figure 37: Add Enforcement Cluster Window
Figure 38: Add Enforcement Server Window
Figure 39: System Configuration, Enforcement Clusters & Servers Window
Figure 40: System Configuration Window, Management Server Option

List of tables
Table 1: Sentriant AG System Requirements

Chapter 1: What You Need to Get Started
You need the following prior to installing and running Sentriant AG:
● Minimum system (hardware and software) requirements—see “System Requirements” on page 25
● IP addresses you will enter during the setup process—see “Installation and Configuration Check List” on
page 69
● Install CD—see “Installing Sentriant AG” on page 39
This Installation Guide helps you install and set up Sentriant AG. The Sentriant AG Users Guide (available on the
CD in the /docs directory and through the online help links in Sentriant AG) provides Sentriant AG configuration
information and task-based instructions.

Chapter 2: Deployment Flexibility
Sentriant AG Version 5.0 allows you to deploy multiple Enforcement servers (ESs) across a network and manage
them from one central Management server (MS). You create logical groups of ESs by joining them to an
Enforcement cluster.
The Sentriant AG MS specifies many aspects of the Enforcement clusters; for example, the MS specifies the
enforcement method (inline, DHCP, or 802.1x), how often the endpoints are retested, the tests run on the
endpoints, and how to control the endpoints’ access.
The Sentriant AG ESs detect and test endpoints on the network for compliance.
You can deploy each Sentriant AG cluster in one of the following configurations:
● Inline—When deploying Sentriant AG inline, Sentriant AG monitors and enforces all endpoint traffic. When
Sentriant AG is deployed as a single-server installation, Sentriant AG becomes a Layer 2 bridge that requires
no changes to the network configuration settings. When Sentriant AG is installed in a multiple-server
installation, you might have to configure the switch that connects the Sentriant AG Enforcement servers to use
Spanning Tree Protocol (STP) if STP is not already configured. Sentriant AG allows endpoints to access the
network or blocks endpoints from accessing the network based on their Internet Protocol (IP) address with a
built-in firewall (iptables).
● DHCP—When deploying Sentriant AG inline with a Dynamic Host Configuration Protocol (DHCP) server, all
DHCP requests pass through the Sentriant AG server Layer 2 bridge. For a quarantined endpoint, Sentriant AG
distributes the quarantined IP address for the endpoint. If Sentriant AG allows the endpoint to have access,
Sentriant AG allows your real DHCP server to distribute a non-quarantined IP address. Sentriant AG assigns a
DHCP IP address based on the quarantine area parameters you define during configuration. You can place
restrictions on network access either at the gateway for the endpoint using Access Control Lists (ACLs), or on
the endpoint by removing the endpoint’s gateway and adding static routes for accessible networks.
● 802.1x—When deploying Sentriant AG in an 802.1x environment, you must install it where it can
communicate with the Remote Authentication Dial-In User Service (RADIUS) server (alternatively, you can use
the RADIUS server built into Sentriant AG). The RADIUS server communicates with the switch, which performs
the quarantining by moving ports or MAC addresses in and out of virtual local area networks (VLANs).
The following figures illustrate various deployment methods.
Figure 1: Single-server Installation, Quarantine Method, Inline
Figure 2: Multiple-server Installation, Quarantine Method, Inline
Figure 3: Single-server Installation, Quarantine Method, DHCP, Flat Network

Deploying Sentriant AG Inline
The ES sits between the endpoints and the rest of the network, acting as a gateway and allowing access to
network resources only to endpoints that have met the necessary security requirements.
Sentriant AG uses two network interfaces to bridge traffic between endpoints and the rest of the network.
Sentriant AG uses a high-speed, Layer 2 bridge; network IP address changes are not required. Since Sentriant AG
itself denies endpoints access to the network, policy enforcement using internal routers, switches, or other
endpoints is not required.
Sentriant AG utilizes a pass-through authentication feature that allows it to work with any virtual private network
(VPN), remote access server (RAS), and network authentication protocol or directory.
By default, an onboard firewall blocks all traffic from endpoints. Sentriant AG allows network access to only
successfully tested endpoints (or when there is a grace period for failed tests). When a test or tests pass,
Sentriant AG inserts rules into the onboard firewall to allow all traffic from the endpoint. Sentriant AG uses a
proprietary method to uniquely identify each endpoint as it connects to the network, and does not install cookies
or software on the end-user’s endpoint.
NOTE
When the MS and ES are installed on the same server (single-server Installation), that server’s position in the
network must be between the endpoints and the rest of the network.
Figure 4: Multiple-server Installation, Quarantine Method, DHCP

Deploying Sentriant AG Using DHCP
When you configure Sentriant AG with a DHCP quarantine area, the Sentriant AG ES must sit inline with your
DHCP server. With a quarantined endpoint, the ES responds to the DHCP request and blocks the request from
getting to the main DHCP server. When the endpoint is allowed access, Sentriant AG does not respond to the
DHCP request and lets the request through to the main DHCP server which responds with normal DHCP settings.
The Sentriant AG DHCP server can respond to quarantined endpoints with one of these two types of DHCP
settings:
● DHCP settings for a separate quarantine subnetwork—In this case, network access is restricted by adding
ACLs to your router between the quarantine subnetwork and all other networks. You must also add to the router
an IP helper address for the Sentriant AG ES and a secondary IP address for the quarantined subnetwork's
gateway.
● DHCP settings using static routes—In this case, network access is restricted by giving the endpoint a normal
IP address but not assigning a gateway. The advantage of this method is that it requires only one router change
to add an IP helper address for the Sentriant AG ES. Also, some routers do not like multi-netting, which is
required by the first method and not by this method of DHCP enforcement. The Sentriant AG ES uses the
following DHCP settings:
  ■ Gateway—None
  ■ Netmask—255.255.255.255
  ■ DNS—Sentriant AG ES IP address
  ■ Static routes—Configurable list of accessible IP addresses and networks
These DHCP settings effectively restrict all network access except to the IP addresses and networks specified as
static routes in the accessible endpoints and services area. A list of Web sites can also be configured as accessible.
You can access these Web sites through a proxy server, which is built into the Sentriant AG ES. The Sentriant AG
ES responds to DHCP INFO requests to automatically configure the proxy server in the browser.
Once the endpoint is allowed access, the IP address is automatically renewed and the main DHCP server assigns
an IP address in the main LAN.
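The following added example (not part of the Extreme Networks guide and not Sentriant AG code) models the routing decision of an endpoint that received the static-route quarantine settings listed above, and audits a lease for values that would undo the quarantine. The addresses, the function names, and the /16 breadth threshold are assumptions made for illustration.

```python
import ipaddress

# Constructed sample lease for a quarantined endpoint (addresses are illustrative).
ES_IP = "10.1.1.5"  # hypothetical Enforcement server address
QUARANTINE_LEASE = {
    "address": "10.1.1.77",
    "netmask": "255.255.255.255",   # guide: Netmask 255.255.255.255
    "gateway": None,                # guide: Gateway None
    "dns": ES_IP,                   # guide: DNS is the Sentriant AG ES IP address
    "static_routes": ["10.1.1.5/32", "10.1.20.10/32", "192.168.50.0/24"],
}


def routing_table(lease):
    """Return the networks an endpoint can send to, given its DHCP lease."""
    iface = ipaddress.ip_interface(f"{lease['address']}/{lease['netmask']}")
    table = [iface.network]  # on-link network implied by address and netmask
    table += [ipaddress.ip_network(r, strict=False) for r in lease["static_routes"]]
    if lease["gateway"] is not None:
        table.append(ipaddress.ip_network("0.0.0.0/0"))  # default route
    return table


def can_reach(lease, destination):
    """True if some route in the endpoint's table covers the destination."""
    dest = ipaddress.ip_address(destination)
    return any(dest in net for net in routing_table(lease))


def audit_lease(lease, min_prefix=16):
    """List settings that weaken the quarantine (min_prefix is an assumed threshold)."""
    findings = []
    if lease["gateway"] is not None:
        findings.append("gateway set: endpoint gets a default route")
    if lease["netmask"] != "255.255.255.255":
        findings.append("netmask is not 255.255.255.255: neighbours are on-link")
    for route in lease["static_routes"]:
        net = ipaddress.ip_network(route, strict=False)
        if net.prefixlen < min_prefix:
            findings.append(f"route {net} is broader than /{min_prefix}")
    if not can_reach(lease, lease["dns"]):
        findings.append("DNS server is not covered by any route")
    return findings


if __name__ == "__main__":
    for dst in ("10.1.1.5", "192.168.50.9", "10.1.1.78", "8.8.8.8"):
        print(dst, "reachable" if can_reach(QUARANTINE_LEASE, dst) else "blocked")
    print("findings:", audit_lease(QUARANTINE_LEASE))
```

With the host netmask and no gateway, even a neighbour on the same physical segment (10.1.1.78 in the sample) has no route, which is what confines the endpoint to the accessible list.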
NOTE
When the MS and ES are installed on the same server (single-server Installation), that server’s position in the
network must be inline with your DHCP server. It is the ES that responds to the DHCP request and blocks the
request from getting to the main DHCP server.
NOTE
When using DHCP mode and connecting directly to the DHCP server's network interface, be sure to use a
crossover cable.

The following figure shows an example installation scenario for a simple (one LAN) setup with enforcement using
ACLs on a router.
Figure 5: Single-server Installation, DHCP Mode, Simple Example

The following figure shows an example installation scenario for a complex (multiple LAN) setup with
enforcement using ACLs on a router.
Figure 6: Single-server Installation, DHCP Mode, Complex Example

The following figure shows an example installation scenario for a setup with enforcement with static routes on the
endpoint.
Figure 7: Single-server Installation, Endpoint Static Route Enforcement

Deploying Sentriant AG Using 802.1x
To configure Sentriant AG as 802.1x-enabled, install it with one of three different configurations, depending on
your network environment:
● Use the built-in Sentriant AG RADIUS server and user accounts. In this configuration, the switch performs the
802.1x authentication against the Sentriant AG RADIUS server. The Sentriant AG ES instructs the switch in
which VLAN to place the endpoint, based on its test status.
● Use the built-in Sentriant AG RADIUS server to proxy to any other RADIUS server. In this configuration, the
switch performs the 802.1x authentication against the Sentriant AG RADIUS server, which proxies the request
to another RADIUS server. During the return proxy of the authentication request, the Sentriant AG ES instructs
the switch in which VLAN to place the endpoint, based on its test status.
● Use the IAS plug-in to integrate with your existing RADIUS server. In this configuration, the switch performs the
802.1x authentication against the Microsoft Internet Authentication Service (IAS) RADIUS server. A
Sentriant AG plug-in to the IAS RADIUS server is available that instructs the switch in which VLAN to place
the endpoint, based on its test status.

NOTE
With a single-server Installation, the ES instructs the switch in which VLAN to place the endpoint.
A sample deployment is shown in the following figure:
Figure 8: 802.1x Enforcement

Installing the Network Interface Cards
The number of network interface cards (NICs) required depends on the installation method selected as described
in this section.
Inline
The inline installation of Sentriant AG, where the MS and ES are installed on a single server, requires two
NICs installed for Sentriant AG to operate properly.
The inline installation of Sentriant AG where the MS and ES are installed on different servers requires at least
three NICs: one for the MS and two for each ES.
The inline installation interfaces form a bridge from one part of your network to another as shown in the following
figure. The Linux® operating system assigns each interface a name (for example, eth0, eth1, and so on). It is
very important that you connect the eth0 interface to your local area network (LAN) side, and eth1 to the Virtual
Private Network (VPN) side in inline mode, or to the main DHCP server in DHCP mode.
Figure 9: Single-server Installation, Ethernet Card Installation, Inline
DHCP
A DHCP installation requires two NICs where the MS and ES are installed on the same server (see Figure 10),
and at least three NICs where the MS and ES are installed on different servers: one for the MS and two for each
ES.
Figure 10: Single-server Installation, Ethernet Card Installation, DHCP
802.1x
802.1x-enabled Sentriant AG installations require one NIC where the MS and ES are installed on the same server
(see Figure 11), and two NICs where the MS and ES are installed on different servers. In 802.1x mode, eth1 on
Sentriant AG is used to discover endpoints on the network. To discover endpoints on the local network, eth1 can
simply be plugged into a port on that subnet because it receives broadcast traffic. To discover endpoints on other
networks, eth1 must be connected to a mirrored port or a port that is part of a tagged VLAN trunk to detect
traffic from endpoints on these other networks. Usually, mirroring the ports to which the DNS and DHCP servers
are connected is sufficient to detect new endpoints.
Figure 11: Single-server Installation, Ethernet Card Installation, 802.1x
NOTE
It is strongly recommended that you use Intel NICs. If you use a different NIC, you might be unable to
connect, or experience unpredictable results and availability.
Determining eth0 and eth1
To determine which interface is eth0 and which is eth1 using ethtool:
1. After installing Sentriant AG, plug an Ethernet cable into only one of the interfaces.
2. Log in to the Sentriant AG MS as root and enter the following command:
    ethtool eth0
3. The return values are similar to the following, which also indicates that the connected interface is eth0:
    # ethtool eth0
    Settings for eth0:
            Supported ports: [ MII ]
            Supported link modes:   10baseT/Half 10baseT/Full
                                    100baseT/Half 100baseT/Full
                                    1000baseT/Half 1000baseT/Full
            Supports auto-negotiation: Yes
            Advertised link modes:  10baseT/Half 10baseT/Full