NAC Appliance and Novell

Unanswered Question
May 9th, 2007

Hello,

We have a Novell environment and want to use NAC Appliance.

I've set up a lab to simulate NAC Appliance in our environment.

When we log in, the login script that is configured in the Novell directory server is run to map drives.

Problem here is that, because of the limited access for the unauthenticated role, these mappings fail.

We have tried to make the CCA agent popup prior to the mappings, but this doesn't work because the process is as follows:

- login to the domain with the Novell client.

- Login script is executed

- Windows environment is loaded (desktop, menu bar, etc...)

- agent pops up

- network access is permitted if authenticated.

So the problem is that we cannot run the CCA Agent because it needs the Windows environment to be able to run. But here the problem is that the login script has to be terminated, but this will fail because of limited network access.

In an AD environment, you can put the login script on hold until full network access is granted. But this seems impossible with the Novell login script.

I know we can grant access in the unauthenticated role for the drive mappings. This can't be done in my case for security purposes.

Has any of you faced this problem, or do you have a clue how this can be solved?

If you have further questions, please ask and I will answer ASAP.

Thanks in advance!

cygateandper Sun, 05/13/2007 - 23:03

I have a similar problem.

Because of the limited network access my Novell clients can't log in to the Novell domain/tree at all. When starting their computers they get no tree to log in to and instead they have to log in locally. When the NAC agent pops up and the login is successful they gain access to the network but don't have any mappings and so on.

Sorry but I have no ideas of how to solve this. I will be just as happy as you will if someone got any idea.

dario.didio Sun, 05/13/2007 - 23:26

Hello,

Concerning the login to the Novell tree, I've made this traffic pass in the "unauthenticated role". This is not ideal, and could also solve our problem with the mappings, but I assume there should be a better way to do this.

cygateandper Sun, 05/13/2007 - 23:39

Hi,

"I've made this traffic pass in the 'unauthenticated role'"

How have you done that? By accepting all the traffic at some specific ports in the unauthenticated role? Which ports do I need to allow?

I have just talked with a Cisco SE in Sweden about our problems and he promised to get back to me asap with some ideas. As soon as I hear anything from him, I will post it here.

cygateandper Sun, 05/13/2007 - 23:29

From a Novell point of view, is there any way to trigger the login script to run at a specific time?

Since there is a possibility in NAC to execute code after the NAC agent login is complete, I'm thinking that there might be some Novell command that could be executed to trigger and/or terminate the login script.

dario.didio Mon, 05/14/2007 - 00:05

Hi,

I'm not at all a Novell specialist so I don't have a clue concerning the triggering the login script.

Concerning the ports, let me check and I will post them ASAP. I don't know them by heart so I need to check.

regards

dario.didio Mon, 05/14/2007 - 00:11

Hello,

If I'm not mistaken it should be 524 (TCP) and 427 (UDP).

I will verify it, but you can also find them by sniffing a login session.

Kr

charles.demers-... Mon, 05/14/2007 - 10:02

As far as I know, Cisco NAC support for Novell is very limited and I don't think it will be better soon as Cisco is, I think, putting all effort on Cisco NAC vs MS Longhorn coexistence.

From my research, if any Novell product (network client, ZENworks...) exists in the path of Cisco NAC, something will go wrong or with limited functionality.

oabduo983 Mon, 05/14/2007 - 10:57

Hi Guys...

Looks you are so much confused on this issue...

I have already solved it...

Novell has the global standard of authentication. The well known LDAP authentication which uses port TCP 389 in addition to the other two ports mentioned previously...

These ports to the Novell server HAVE TO BE OPENED in the UNAUTHENTICATED ROLE and there is no other way to pass authentication traffic through otherwise... This is not a security risk as you are opening only these ports to verify the username and password sitting on the other side of the CAS... BTW, DNS is already allowed by default in the unauthenticated role, so don't be surprised that you need to open more of the required ports...

The way the Novell client works with AD is that the user authenticates to Novell and then to Active Directory... therefore you also need to make sure that the right ports are opened to the AD in the unauthenticated role. Port TCP 389 is also used in the AD case...

Note: if you use Real-ip gw mode, make sure you have a static route to reach the untrusted network on the CAS...

Please rate if this is helpful!

dario.didio Mon, 05/14/2007 - 23:07

Hello,

I don't know for the other person, but my issue is the login script with drive mappings.

The Novell login to the domain/tree is working fine (except SSO but that's normal). I just need to find a valid method to execute a login script.

I see two possibilities:

- We let the traffic pass in the unauthenticated role

- We make the login script run after the CCA agent has logged in.

I'm not a Novell expert, so I don't have a clue how this can be done.

tnx in advance.

Anonymous (not verified) Tue, 05/22/2007 - 13:10

I have this with a customer who is running a Novell environment without a Microsoft Domain/AD.

Configure the Novell client not to run the login script at the initial login.

Punch holes in the CCA Unauthenticated role to allow workstation access to the relevant Novell authentication servers running the following:

Service Location Protocol Directory Agents (SLP DAs) (UDP Port 427)

eDirectory (aka NDS) (TCP 524)

LDAP (TCP 389/636) (Optional - used by contextless login)

Once CCA Agent has run and logged the user in successfully, you can run a command, loginw32 /na /cont, to execute the Novell Login script after a person has logged in.

We do this in a more complex manner and include Single SignOn by using a solution from a company called Imprivata.

Cheers

Phil
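The port list in oabduo983's post and the "punch holes" list in Phil's post describe the same least-privilege exception in the unauthenticated role. As an added example that is not from the thread or from Cisco, this Python script audits a constructed rule list (the rule format is assumed, not the Clean Access Manager's own) against those ports and flags any rule wider than a Novell login needs, plus any required port that is missing:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Ports the thread names for a Novell login from the unauthenticated role.
# DNS is not listed because the thread says it is allowed by default.
NOVELL_LOGIN_PORTS = {("udp", 427), ("tcp", 524), ("tcp", 389), ("tcp", 636)}

@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None means every port
    dest: ipaddress.IPv4Network

def parse_rule(line: str) -> Rule:
    """Parse 'allow <proto> <port|any> <cidr>' (assumed format, not a CAM export)."""
    _, proto, port, cidr = line.split()
    return Rule(proto.lower(), None if port == "any" else int(port),
                ipaddress.ip_network(cidr, strict=False))

def audit(lines, novell_servers):
    """Return findings: rules wider than a Novell login needs and required ports not opened."""
    servers = [ipaddress.ip_network(s) for s in novell_servers]
    rules = [parse_rule(l) for l in lines if l.strip() and not l.strip().startswith("#")]
    findings, covered = [], set()
    for r in rules:
        if r.proto == "any" or r.port is None:
            findings.append(f"allow-all rule: {r}")      # defeats the point of the role
            continue
        if not any(r.dest.subnet_of(s) for s in servers):
            findings.append(f"destination wider than the Novell servers: {r}")
        if (r.proto, r.port) not in NOVELL_LOGIN_PORTS:
            findings.append(f"port not needed for Novell login: {r}")
        else:
            covered.add((r.proto, r.port))
    for proto, port in sorted(NOVELL_LOGIN_PORTS - covered):
        findings.append(f"required port not opened: {proto}/{port}")
    return findings

# Constructed sample policy and server list (not a real deployment).
SAMPLE_POLICY = """\
# unauthenticated role, constructed sample
allow udp 427 10.1.1.10/32
allow tcp 524 10.1.1.10/32
allow tcp 389 10.1.1.0/24
allow tcp 445 10.1.1.10/32
allow any any 0.0.0.0/0
"""
NOVELL_SERVERS = ["10.1.1.10/32"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY.splitlines(), NOVELL_SERVERS):
        print(finding)
```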

dario.didio Wed, 05/23/2007 - 04:10

Hello,

Could you please explain a bit more the command

loginw32 /na /cont

because I can't find much info on the net concerning the parameters.

Tnx.

tsteger1 Wed, 05/23/2007 - 14:27

Something else you might want to test is changing the registry key "GinaDLL"="NWgina" to "GinaDLL"="MSgina" under:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

This sets it to authenticate to Windows first, then Novell.

If the username and context is already correctly set in the Novell client location profile (and it should be) the machines will use the same credentials to authenticate to Novell and they have to log in only once.

If it isn't, they'll get prompted a second time for their Novell credentials.

It will then log in and process the login script.

I don't know if it would work in your environment but it might be worth a shot.

Tom

dario.didio Fri, 05/25/2007 - 00:10

Hello Tom,

How will the Novell login then proceed?

I mean, what will the process flow be?

How much time will there be in between the Windows login and the Novell login?

Is this configurable? Can this be done by clicking an icon? Is it processed as SSO? Does the client have to do some interaction (click a button, activate the login screen...)?

The problem I'm facing is:

We need to be able to log in to the CCA Agent prior to the Novell login.

So when you look at the flow, it should be something like this:

- login to the machine (windows)

- start up the Windows Environment (desktop, taskbar...)

- After a couple of seconds, the CCA Agent pops up.

- Log in to the CCA Agent

- Maybe you have to remediate, install patches, update AV...

- You get the screen: Successfully logged in

- IP is being refreshed and port is moved to the VLAN of a user

- After all this, the user has his/her rights, and should be able to login to Novell.

Could this be achieved by changing the initial login from Novell to Windows?

Thanks in advance.

Dario

tsteger1 Fri, 05/25/2007 - 14:24

I believe it can. By changing to the MSGINA, the user is prompted first with a Windows logon. After they log in, it passes the same credentials to the Novell authenticator. If they match, it processes the login and runs whatever the client is set to do (including login scripts).

It takes about the same time as when a user logs on to Novell first, maybe less.

Give it a try and post back what you find out.

Tom

julfp Wed, 06/27/2007 - 05:07

I'm working on a project with the same problem. My client wants SSO with the Novell Client and I don't find any solution; besides the Novell Client, the client still runs ZENworks after the logon. Can anyone help me with the SSO???... Does the solution exist??

Thanks.

dario.didio Wed, 06/27/2007 - 05:10

Hi,

it is not natively supported by Cisco nor Novell. You could use a third party application, which is called Imprivata (www.imprivata.com).

I haven't used it, but normally it should work.

Have you faced a problem with the CCA Agent and the login script of Novell?

Thanks for a response!

Kr,

Dario

julfp Wed, 06/27/2007 - 05:18

Hi Dario,

Unfortunately NOT, because I am still doing the project for my client; next week I will work in the lab environment and I hope to help with your question.

In my company I have a Novell specialist and I'll use the knowledge of this guy.

Next week I will tell my experience in the lab.

tsteger1 Wed, 06/27/2007 - 07:26

Hi Dario, did you try switching the GINAs?

I'm doing it for different reasons and it seems to work OK. The only thing I ran in to is when I take my laptop home, it still tries to connect to Novell and fails after 30 seconds. I removed NDS authentication from my home location profile and it works OK now.

Tom

julfp Mon, 07/16/2007 - 16:32

Hi Dario and Tom,

I'm now trying to do the authentication in a lab deployment and I have the same problem as Dario: if I open the ports of Novell authentication, I run the login script before the user is checked against CCA. I'll try the MSGINA solution tomorrow; has anyone tried this test?

I have another question about mapping the user to a VLAN: which LDAP attributes will I use to make this mapping?... My client creates a lot of VLANs and he wants to map users or groups to these VLANs. I don't know how to make these assignments; can anyone help me?

Thanks.

tsteger1 Tue, 07/31/2007 - 09:53

Hi Juliano, I am not using the NAC appliance but we did find a way to make ACS work by changing the GINA from NWGINA to MSGINA. This allows Windows to log in first and then authenticate to Novell and run the login script. This may work with the NAC appliance too.

Change

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"GinaDLL"="NWGina.DLL"

to

"GinaDLL"="MSGina.DLL"

Tom

Tiago Andrade d... Thu, 01/06/2011 - 11:50

Hi everyone

Enjoying the title (problems with Novell), I'd like to post here my problem with workstations that have Novell software.

So, I have a customer who has NAC in his network.

The NAC appliance works in Out-of-Band mode, Virtual IP Gateway.

So NAC works in almost 99% of the total network. And it works very very well.

We have problems in some workstations with Novell software... (about 6 machines). Until now I tested 2 workstations with two end-users (employees).

So the first workstation, from the first moment (Windows logon (Novell logon), Windows initiation, desktop appears, initialization of the software in general, the Cisco Agent software appears doing the SSO (authentication, checks antivirus in AUDIT mode only))... worked very very well.

The second workstation, with another end-user: when the user restarts the PC (simulating turning on the PC), NAC puts the user in the authenticated VLAN (untrusted VLAN), so when the Windows logon (Novell logon) appears, the user enters the credentials.

After that, Windows starts initiating but the Desktop DOESN'T appear (blue screen). If the end-user types Ctrl+Alt+Del and starts a new task, Explorer.exe, the Desktop appears, and we can see all software start initiating, including the Cisco Agent software doing SSO and putting the user in the Access VLAN normally.

So, remember... my network works very fine with Cisco NAC. I have 1 machine with Novell software that works fine without any additional configuration in NAC Manager.

But the rest of these workstations (same as the second machine) have the same problem (blue screen without initiating the desktop).

IF I take out the port profile in the user interface, the workstation works fine when initiated.

Does anyone have any idea about this problem???????

Ps: sorry about any incorrect word, or expression.
