NAC Appliance and Novell

dario.didio
Level 4

Hello,

We have a Novell environment and want to use NAC Appliance.

I've set up a lab to simulate NAC Appliance in our environment.

When we log in, the login script that is configured in the Novell directory server is run to map drives.

Problem here is that, because of the limited access for the unauthenticated role, these mappings fail.

We have tried to make the CCA Agent pop up prior to the mappings, but this doesn't work because the process is as follows:

- Login to the domain with the Novell client.

- Login script is executed

- Windows environment is loaded (desktop, menu bar, etc...)

- agent pops up

- network access is permitted if authenticated.

So the problem is that we cannot run the CCA Agent earlier, because it needs the Windows environment to be able to run. But the login script has to be finished before that, and this fails because of the limited network access.

In an AD environment, you can put the login script on hold until full network access is granted. But this seems impossible with the Novell login script.

I know we can grant access in the unauthenticated role for the drive mappings. This can't be done in my case for security purposes.

Has any of you faced this problem, or do you have a clue how this can be solved?

If you have further questions, please ask and I will answer ASAP.

Thanks in advance!

23 Replies

cygateandper
Level 1

I have a similar problem.

Because of the limited network access my Novell clients can't log in to the Novell domain/tree at all. When starting their computers they get no tree to log in to and instead they have to log in locally. When the NAC agent pops up and the login is successful they gain access to the network, but they don't have any mappings and so on.

Sorry, but I have no idea how to solve this. I will be just as happy as you if someone has any idea.

Hello,

Concerning the login to the Novell tree, I've made this traffic pass in the "unauthenticated role". This is not ideal, and it could also solve our problem with the mappings, but I assume there should be a better way to do this.

Hi,

"I've made this traffic pass in the 'unauthenticated role'"

How have you done that? By accepting all the traffic at some specific ports in the unauthenticated role? Which ports do I need to allow?

I have just talked with a Cisco SE in Sweden about our problems and he promised to get back to me asap with some ideas. As soon as I hear anything from him, I will post it here.

cygateandper
Level 1

From a Novell point of view, is there any way to trigger the login script to run at a specific time?

Since there is a possibility in NAC to execute code after the NAC agent login is complete, I'm thinking that there might be some Novell command that could be executed to trigger and/or terminate the login script.

Hi,

I'm not at all a Novell specialist, so I don't have a clue about triggering the login script.

Concerning the ports, let me check and I will post them ASAP. I don't know them by heart so I need to check.

Regards

Hello,

If I'm not mistaken it should be 524 (TCP) and 427 (UDP).

I will verify it, but you can also find them by sniffing a login session.

Kr

As far as I know, Cisco NAC support for Novell is very limited, and I don't think it will get better soon, as Cisco is, I think, putting all its effort into Cisco NAC vs. MS Longhorn coexistence.

From my research, if any Novell product (network client, ZENworks...) exists in the path of Cisco NAC, something will go wrong or work with limited functionality.

Hi Guys...

It looks like you are quite confused about this issue...

I have already solved it...

Novell uses the global standard for authentication, the well-known LDAP authentication, which uses TCP port 389 in addition to the other two ports mentioned previously...

These ports to the Novell server HAVE TO BE OPENED in the UNAUTHENTICATED ROLE; there is no other way to pass authentication traffic through otherwise... This is not a security risk, as you are opening only these ports to verify the username and password sitting on the other side of the CAS... BTW, DNS is already allowed by default in the unauthenticated role, so don't be surprised that you need to open more of the required ports...

The way the Novell client works with AD is that the user authenticates to Novell first and then to Active Directory... therefore you also need to make sure that the right ports are opened to AD in the unauthenticated role. TCP port 389 is also used in the AD case...

Note: if you use Real-IP gateway mode, make sure you have a static route to reach the untrusted network on the CAS...

Please rate if this is helpful!
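As an added illustration (not part of the thread and not Cisco NAC configuration syntax), the following models the unauthenticated-role policy the reply above describes as a list of host-scoped allow rules with a deny-all at the end, and checks that the tree login still works while the drive mappings do not. The addresses, the AUTH_SERVER/FILE_SERVER split and the rule format are constructed for the example. The reason the rules are pinned to the authentication server's address rather than opened port-wide is that TCP 524 carries all of NCP, file service included, so an "allow TCP 524 to any" rule would also let the mappings to every file server through in the unauthenticated role.

```python
"""Unauthenticated-role policy as host-scoped allow rules (constructed example)."""
from collections import namedtuple

Flow = namedtuple("Flow", "proto dst_ip dst_port")
Rule = namedtuple("Rule", "action proto dst_ip dst_port")  # fields may be "any"

# Constructed addresses; not from the thread.
AUTH_SERVER = "10.0.1.10"   # eDirectory/LDAP server the client logs in against
FILE_SERVER = "10.0.1.20"   # NCP server holding the mapped volumes
DNS_SERVER = "10.0.1.53"

# Ports named in the thread, each allowed only towards the authentication server.
UNAUTHENTICATED_ROLE = [
    Rule("allow", "udp", DNS_SERVER, 53),    # DNS (allowed by default per the reply)
    Rule("allow", "udp", AUTH_SERVER, 427),  # SLP, to find the tree
    Rule("allow", "tcp", AUTH_SERVER, 524),  # NCP / eDirectory login
    Rule("allow", "tcp", AUTH_SERVER, 389),  # LDAP
    Rule("allow", "tcp", AUTH_SERVER, 636),  # LDAPS
    Rule("deny", "any", "any", "any"),       # explicit default deny
]

# Over-broad variant: the same ports opened to any host.
PORT_WIDE_ROLE = [
    Rule("allow", "udp", "any", 53),
    Rule("allow", "udp", "any", 427),
    Rule("allow", "tcp", "any", 524),
    Rule("allow", "tcp", "any", 389),
    Rule("deny", "any", "any", "any"),
]


def matches(rule, flow):
    """A rule field of "any" matches every value; otherwise exact match."""
    return (rule.proto in ("any", flow.proto)
            and rule.dst_ip in ("any", flow.dst_ip)
            and rule.dst_port in ("any", flow.dst_port))


def evaluate(policy, flow):
    """First-match evaluation, implicit deny if nothing matches."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action
    return "deny"


def login_sequence_allowed(policy):
    """The three flows a tree login needs: DNS, SLP lookup, NCP login."""
    steps = [Flow("udp", DNS_SERVER, 53),
             Flow("udp", AUTH_SERVER, 427),
             Flow("tcp", AUTH_SERVER, 524)]
    return all(evaluate(policy, f) == "allow" for f in steps)


def drive_mapping_allowed(policy):
    """Drive mappings are NCP (TCP 524) to the file server, not the auth server."""
    return evaluate(policy, Flow("tcp", FILE_SERVER, 524)) == "allow"


def over_broad(policy):
    """Allow rules not pinned to one destination host."""
    return [r for r in policy if r.action == "allow" and r.dst_ip == "any"]


if __name__ == "__main__":
    for name, pol in (("host-scoped", UNAUTHENTICATED_ROLE), ("port-wide", PORT_WIDE_ROLE)):
        print(name, "login:", login_sequence_allowed(pol),
              "mappings:", drive_mapping_allowed(pol),
              "over-broad rules:", len(over_broad(pol)))
```

Running the block shows the host-scoped policy allowing the login and refusing the mapping, and the port-wide policy allowing both, which is exactly the exposure the original poster wants to avoid.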

Hello,

I don't know for the other person, but my issue is the login script with drive mappings.

The Novell login to the domain/tree is working fine (except SSO but that's normal). I just need to find a valid method to execute a login script.

I see two possibilities:

- We let the traffic pass in the unauthenticated role

- We make the login script run after the CCA agent has logged in.

I'm not a Novell expert, so I don't have a clue how this can be done.

Thanks in advance.


I have this with a customer who is running a Novell environment without a Microsoft Domain/AD.

Configure the Novell client not to run the login script at the initial login.

Punch holes in the CCA Unauthenticated role to allow workstation access to the relevant Novell authentication servers running the following:

Service Location Protocol Directory Agents (SLP DAs) (UDP Port 427)

eDirectory (aka NDS) (TCP 524)

LDAP (TCP 389/636) (Optional - used by contextless login)

Once the CCA Agent has run and logged the user in successfully, you can run a command, loginw32 /na /cont, to execute the Novell login script after a person has logged in.

We do this in a more complex manner and include Single Sign-On by using a solution from a company called Imprivata.

Cheers

Phil
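The procedure above leaves one gap a practitioner would want closed: the command fired after the agent login may run before the IP refresh and the VLAN move described earlier in the thread have finished, in which case the login script still runs with unauthenticated-role access and the mappings fail again. The script below is an added example (not from the thread, not Novell's or Cisco's code) of a post-login hook that waits until a file server answers on TCP 524 before running loginw32 with the flags Phil posted. It assumes the CCA Agent is configured to launch it after a successful login, and the server name and loginw32 path are placeholders. The check is against a file server rather than the authentication server on purpose: the authentication server is reachable on 524 in the unauthenticated role as well, so only a server that the unauthenticated role blocks proves the role switch happened.

```python
"""Post-login hook: run the Novell login script once the NAC role switch is done.

Added example. FILE_SERVER and LOGINW32 are placeholder values, not taken
from the thread.
"""
import socket
import subprocess
import sys
import time

NCP_PORT = 524                                   # NCP / eDirectory over IP
FILE_SERVER = "fs1.example.internal"             # placeholder: a server with mapped volumes
LOGINW32 = r"C:\Program Files\Novell\Client\loginw32.exe"  # placeholder path
LOGIN_ARGS = ["/na", "/cont"]                    # flags as posted in the thread


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def wait_for_access(host, port, deadline_s=60, poll_s=3,
                    reachable=tcp_reachable, sleep=time.sleep):
    """Poll host:port until it answers or the deadline passes.

    Returns the number of seconds waited, or None on timeout. `reachable` and
    `sleep` are injectable so the loop can be exercised without a network.
    """
    waited = 0
    while waited <= deadline_s:
        if reachable(host, port):
            return waited
        sleep(poll_s)
        waited += poll_s
    return None


def build_command(exe=LOGINW32, args=LOGIN_ARGS):
    """Argument vector for the login script run; kept separate so it can be checked."""
    return [exe] + list(args)


def main():
    waited = wait_for_access(FILE_SERVER, NCP_PORT)
    if waited is None:
        # Still in the unauthenticated role: do not run the script, it would fail
        # on every MAP and leave the user without drives and without a clear error.
        print("file server not reachable on TCP %d; NAC role switch did not complete"
              % NCP_PORT, file=sys.stderr)
        return 2
    print("file server reachable after %d s, running login script" % waited)
    return subprocess.call(build_command())


if __name__ == "__main__":
    sys.exit(main())
```

Run it from the agent's post-login hook instead of calling loginw32 directly; if the deadline is hit, the non-zero exit code makes the failure visible instead of a silent batch of failed MAP lines.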

Thanks a lot!

Will try this for sure.

Hello,

Could you please explain a bit more the command

loginw32 /na /cont

because I can't find much info on the net concerning the parameters.

Tnx.

Something else you might want to test is changing the registry value "GinaDLL"="NWgina" to "GinaDLL"="MSgina" under:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

This sets it to authenticate to Windows first, then Novell.

If the username and context are already correctly set in the Novell client location profile (and they should be), the machines will use the same credentials to authenticate to Novell, and users have to log in only once.

If they aren't, users will get prompted a second time for their Novell credentials.

It will then log in and process the login script.

I don't know if it would work in your environment but it might be worth a shot.

Tom

Hello Tom,

How will the Novell login then proceed?

I mean, what will the process flow be?

How much time will there be between the Windows login and the Novell login?

Is this configurable? Can this be done by clicking an icon? Is it processed as SSO? Does the client have to do some interaction (click a button, activate the login screen...)?

The problem I'm facing is:

We need to be able to log in to the CCA Agent prior to the Novell login.

So when you look at the flow, it should be something like this:

- Login to the machine (Windows)

- start up the Windows Environment (desktop, taskbar...)

- After a couple of seconds, the CCA Agent pops up.

- Log in to the CCA Agent

- Maybe you have to remediate, install patches, update AV...

- You get the screen: Successfully logged in

- IP is refreshed and the port is moved to the user's VLAN

- After all this, the user has his/her rights and should be able to log in to Novell.

Could this be achieved by changing the initial login from Novell to Windows?

Thanks in advance.

Dario
