Mojo Networks SS300ATC60 SpectraGuard Access Point / Sensor User Manual 5

AirTight Networks, Inc. SpectraGuard Access Point / Sensor Users Manual 5

Users Manual-5

Administration Tab SpectraGuard® Enterprise User Guide 221 View Logs Recommendation: In order to properly view the multilingual characters, download the log file in .TSV format and view it in Excel. In the log file, different log records are listed in different rows. For each row, following columns are provided:  Date (UTC): Specifies the date and the time of the record in UTC format  Module: Specifies if the user action was performed from the Console (GUI), API, or the Config Shell (CLI)  Host Address: Specifies the IP Address/Client Name/API Client Identifier/Hostname from where the system was accessed by the user  Role: Specifies the role of the user  Login Name: Specifies the login name of the user whose action has triggered the specific log record  Type: This column indicates the type of record. Type is one of: Access, Devices, Events, Reports, Location Tree, Local Settings, Global Settings, Start/Stop Functions, System, Others.  Status: This column indicates if the record pertains to success or failure of the action.  Message: Describes the record in detail. Upgrade Upgrade the Server The system enables you to upgrade the existing version of the server to a newer version, if available. This section describes the steps to upgrade the server working in Standalone mode. For steps to upgrade the server working in High availability (HA) mode, refer to the High Availability Configuration Guide.
Administration Tab SpectraGuard® Enterprise User Guide 222 Select the check box, Check for availability of Server upgrade at each login, to enable the system automatically check if an upgrade is available when you log into the console. Upgrade If you have modified the Upgrade Link, to save it click <Apply> on the Upgrade screen. To check if an upgrade is available for the server, click <Check for Upgrade Now>. If an upgrade is available, an Upgrade Available dialog appears. Upgrade Available Dialog Click the hyperlink, support center, to go to the AirTight® Networks Support Portal, from where you can download the server upgrade bundle.
Administration Tab SpectraGuard® Enterprise User Guide 223 Click OK or close the dialog to close the Upgrade Available dialog. Alternatively, click Ignore Upgrade Notification to ignore the upgrade notification until you log out of the Console. If an upgrade is not available, an Upgrade Not Available dialog appears. Click <OK> to close the dialog. Upgrade Not Available Dialog Upgrade SpectraGuard Enterprise Now Prerequisites: 1 Sun Java Runtime Environment (JRE) version 1.6 update 22 or above must be installed on the computer from where you access the Console. 2 Popup blockers on the computer from which the Console is accessed must allow popup windows from the server. 3 If there is a firewall between the computer from which the Console is accessed and the server, TCP port 8080 of the server must be accessible from that computer. 4 Users with the ‘Superuser’ user role only can initiate server upgrade using this method. Recommended: To upgrade the server to a higher version, ensure that you access the Console using a computer whose IP address is not behind Network Address Translation (NAT). If you access the Console, using a NATed IP, upgrade will continue in the background but you cannot view the upgrade progress messages. Steps for Server Upgrade 1 Click Browse to select the Upgrade Bundle. 2 Click Upgrade Now to transfer the Upgrade Bundle to the server. 3 On the Confirm Upgrade dialog, click Yes to proceed with the upgrade. Confirm Upgrade Dialog 4 The Uploading Upgrade Bundle message with the progress bar appears.
Administration Tab SpectraGuard® Enterprise User Guide 224 Uploading Upgrade Bundle Progress Bar 5 You can cancel the upgrade by clicking Cancel anytime while the Upgrade Bundle upload is in progress. 6 After the Server Upgrade Bundle upload is complete, Server Upgrade starts automatically. 7 Close the current browser window. A new window, Server Upgrade Progress, is launched which displays the status of the Server Upgrade process. Follow the instructions displayed on the Server Upgrade Progress window.
Administration Tab SpectraGuard® Enterprise User Guide 225 Server Upgrade Progress Window Note: You cannot abort or cancel the Server Upgrade process once the Server Upgrade Progress window is launched. Additionally, the Server Upgrade process continues even if the Server Upgrade Progress window is closed. 8 After the server upgrade is successful, the server reboots automatically. 9 After you have read all instructions on the Server Upgrade Progress window, close all the Web browser windows including the Server Upgrade Progress window. 10 Wait for five minutes for the server to reboot. After this, you can access the server again. High Availability High Availability (HA) mode allows two servers to be connected in a redundant configuration to form an HA cluster. One server acts as the Active server, while the other as a Standby server. If the Active server fails, the Standby server takes over. This screen shows the status of the servers in HA cluster.
Administration Tab SpectraGuard® Enterprise User Guide 226 HA Status HA Status: This is a read-only section and displays the following information:  HA Status: Displays the status of the HA Cluster.  Standalone: This state indicates that the server is in Standalone mode.  Up: This state indicates that the HA Cluster is up and running.  Other Server Not Reachable: This state indicates that the Standby server is not reachable over the HA interface link. Check whether the HA interfaces of both the servers are securely connected using a crossover Ethernet cable.  Temporarily In Transition: This is an intermediate state. You need to wait for up to 30 minutes and then check the HA Status again. If this state persists, contact Technical Support.  HA Setup In Progress: This state indicates that an HA setup is in progress using Config Shell or an earlier HA setup session was abnormally terminated. If you are sure HA setup is not in progress, reboot both the servers. After reboot, both the servers come up in the 'Standalone' mode. You need to wait for five minutes after the reboot and then login to these servers.  Server Upgrade In Progress: This state indicates that server Upgrade is in progress or an earlier server Upgrade session was abnormally terminated. If you are sure server Upgrade is not in progress, reboot the server. After reboot, the server will come up in the 'Standalone' mode. You need to wait for five minutes after the reboot and then login to the server.  Database Operation In Progress: This state indicates that some database operation is in progress. If you are sure no database operation is in progress, please contact Technical Support.  Internal System Recovery In Progress: This state indicates that internal system recovery is in progress. If the same state persists for more than 30 minutes, please ensure that both the HA servers are up and the HA interfaces of these servers are securely connected using a crossover Ethernet cable. If the same state persists even after the above checks, please contact Technical Support.
Administration Tab SpectraGuard® Enterprise User Guide 227  Error: This state indicates an error in HA state. Contact Technical Support.  Cluster IP Address: This IP Address can be used by the Console and Sensors to connect to the HA cluster. This is a virtual IP Address used to connect to the HA cluster. Cluster IP address is optional. It can not be used in Layer3 HA configuration.  Data Sync State: Displays the state of data synchronization from Active Server to Standby Server after enabling HA Service or after database operation such as database restore.  Data Sync Link: Data sync link is the link which carries data from the Active Server to Standby. HA interface or Network Interface can be used as ‘Data Sync Link’ between the servers. During HA setup, user can skip use of HA interface. This field indicates whether two servers are reachable over ‘Data Sync Link’ interface.  HA Failover Mode: Indicates HA failover mode – Automatic/Manual. Active Server: This section displays IP addresses of the Active server.  Network IP Address: This is the IP Address of the network interface of the Active server.  HA IP Address: This is the IP Address of the HA interface of the Active server. Standby Server: This section displays IP Addresses of the Standby Server.  Network IP Address: This is the IP Address of the network interface of the Standby server.  HA IP Address: This is the IP Address of the HA interface of the Standby server. Login Configuration The system enables you to configure a login message through the Login Configuration screen. Superuser of the system has the right to enter the login message that will be flashed in the Login screen.
Administration Tab SpectraGuard® Enterprise User Guide 228 Login Configuration Under Configure Login Message:  Select the checkbox, View Login Message to show the login message on the Console login page.  Console Login Message: Specifies the login message to display on the Console and on the banner message of SGE CLI screen. The Login screen with the specified Console Login Message appears as follows.
Administration Tab SpectraGuard® Enterprise User Guide 229 Login Screen with the Console Login Message Under Concurrent Console Login Settings:  Concurrent Sessions per User: Configures the maximum number of concurrent console login sessions per user. (Minimum: 1, Maximum: 5, Default: 5) Wizard The system’s Setup Wizard systematically takes you through a recommended sequence of configuration screens that enable you to set up your system completely. This wizard does not remember or apply any configuration changes. It is simply a tour guide. You must explicitly apply changes on the individual configuration screens for them to take effect. You can exit the wizard or skip a step at any time.
Administration Tab SpectraGuard® Enterprise User Guide 230 Wizards Click Start Setup Wizard to open a Confirm message dialog that confirms your navigation through the wizard. SpectraGuard Manager Configuration SpectraGuard Manager establishes a communication channel with SpectraGuard Enterprise through a digital certificate. Version 6.6 onwards, digital certificate-based authentication replaces the username-password authentication required to log in to the SpectraGuard Enterprise Console through the SpectraGuard Manager Console. To use certificate-based authentication, you need to have version 6.6 or above, of both SpectraGuard Manager and SpectraGuard Enterprise. The certificate needs to be downloaded first from the SpectraGuard Manager and then added to the SpectraGuard Enterprise server. Both SpectraGuard Manager and SpectraGuard Enterprise need to have the same certificate to communicate with each other. The SpectraGuard Manager Configuration option allows you to add, view or delete the certificate that serves as the link between SpectraGuard Enterprise server and SpectraGuard Manager. This is a license-based feature. You will be able to see this option under Administration->Global->System Settings only if you have the appropriate license. The following figure displays the SpectraGuard Manager Configuration screen.
Administration Tab SpectraGuard® Enterprise User Guide 231 SpectraGuard Manager Configuration Adding the digital certificate to SpectraGuard Enterprise Server Before adding the certificate to the SpectraGuard Enterprise server, it must be downloaded from the SpectraGuard Manager console, and saved to the desired location. To add the certificate to the SpectraGuard Enterprise server, click Add on the SpectraGuard Manager Configuration screen. Select the certificate from the folder where you have saved it and add it to the SpectraGuard Enterprise server. Viewing the digital certificate Before adding the certificate to the SpectraGuard Enterprise server, it must be downloaded from the SpectraGuard Manager Console, and saved to the desired location. To view the certificate on the SpectraGuard Enterprise Console, click the View on the SpectraGuard Manager Configuration screen. Disassociating the SpectraGuard Enterprise Server from SpectraGuard Manager To end the association with SpectraGuard Manager, click Disassociate. On clicking Disassociate, the digital certificate used to communicate with SpectraGuard Manager is deleted from the SpectraGuard Enterprise server. After the disassociation, the SpectraGuard Enterprise server is no longer able to communicate with the SpectraGuard Manager. WLAN Integration The WLAN Integration dialog enables the system to be integrated with various WLAN Management tools. Aruba Mobility Controllers
Administration Tab SpectraGuard® Enterprise User Guide 232 The system integrates with Aruba Mobility Controllers. It fetches wireless device details and RSSI information from the Aruba Mobility Controllers and thus helps to manage the WLAN infrastructure. The Aruba WLAN architecture consists of Aruba Mobility Controllers and APs. At any time, the Aruba Mobility Controller has all the information about the APs and devices seen/associated with these APs. Integration with Aruba allows the system to fetch this information from Aruba Mobility Controller. Using this information the system can automatically classify devices managed by Aruba Mobility Controllers, and do location tracking of devices seen by Aruba APs in sensor-less or sensor and AP mixed environment. Aruba Integration  Aruba Integration Status: If Aruba integration is enabled, the system obtains data from the configured mobility controllers, which are individually enabled.  Aruba Integration Enabled: When you select the Aruba Integration Enabled check box, you can configure Automatic Synchronization Settings. The system disables a mobility controller, by default. However, automatically enables Aruba integration when you add a new Aruba Mobility Controller.  Current Status: Displays the Current Status of the Aruba mo: Running, In Process or Stopped. An Error status is shown in one of the following cases:  One of the configured and enabled Aruba Mobility Controllers has a hostname, which cannot be resolved  One of the configured and enabled Aruba Mobility Controllers is not reachable  System server is stopped  Internal error, in which case you need to contact Technical Support  Imported APs: This percentage indicates total number of APs imported from enabled Aruba mobility controllers as a fraction of maximum allowed. The maximum allowed depends on type of appliance. The status displayed is as of the last synchronization event. It is recommended that the utilization remains below
Administration Tab SpectraGuard® Enterprise User Guide 233 80%. If the utilization exceeds 80%,the system performance may degrade and result in side effects such as sluggish UI and sensor disconnections.  Under Automatic Synchronization Settings, select the System-Aruba Mobility Controller synchronization interval.  Synchronization Interval (Minutes): Specifies the interval for which the server synchronizes with the enabled Aruba mobility controllers (Minimum: 15 minutes; Maximum: 60 minutes; Default: 30 minutes) Click Apply to save the changes made to the Aruba Integration dialog. Click Cancel to cancel the changes made to the Aruba Integration dialog. Click Restore Defaults to restore the default values for the fields on the Aruba Integration dialog. Adding an Aruba Mobility Controller Under Aruba Mobility Controllers, click Add to open Aruba Mobility Controller dialog where you can add Aruba Mobility Controller details. Aruba Mobility Controller Dialog Aruba Mobility Controller contains the following fields:  Controller (IP Address/Hostname): Specifies the IP address or the hostname of the Aruba Mobility Controller with which the system should communicate.
Administration Tab SpectraGuard® Enterprise User Guide 234 Note: Configured Aruba Mobility Controllers will use the DNS names and DNS suffixes configured by the user in the Server Initialization and Setup Wizard on the Config Shell.  Community String: Specifies the user defined community string using which the system communicates with the Aruba Mobility Controller. (Default: public)  Port Number: Specifies the port number of the Aruba Mobility Controller from which data is imported. (Default: 161)  Data Import Enabled?: Indicates if the Aruba Mobility Controller is enabled to communicate with the system, for data import by the system. (Default: Selected)  Import Managed APs?: Indicates if the AP’s managed by the Aruba Mobility Controller, are to be imported into the system. (Default: Selected)  Import Managed Clients?: Indicates if clients associated with APs managed by the Aruba Mobility Controller are to be imported into the system. (Default: Selected)  Import Managed Clients Associations?: Indicates if information related to AP-client association, for AP’s managed by the Aruba Mobility Controller, is to be imported into the system. This check box is disabled, if Import Managed Clients check box is deselected.  Import Unmanaged APs?: Indicates if APs not managed by the Aruba Mobility Controller are to be imported into the system. (Default: Selected)  Import Unmanaged Clients?: Indicates if Clients associated with APs not managed by the Aruba Mobility Controller, are to be imported into the system. (Default: Deselected)  Import Unmanaged Clients Associations?: Indicates if information related to AP-client association, for AP’s managed by the Aruba Mobility Controller, is to be imported into the system. This check box is enabled, only if Import Unmanaged Clients check box is selected.  Import Signal Strength Information?: Indicates if the signal strength of the managed devices is to be imported into the system. (Default: Enabled) Note: Location Tracking results may vary depending on the Aruba AP models used in the network. Click Add to add the details for the new Aruba Mobility Controller. Click Test to confirm the validity of IP Address/Hostname. Editing Aruba Mobility Controller settings Double-click a row to open the Aruba Mobility Controller Dialog similar to the one shown above, to update the Aruba Mobility Controller details. Alternatively, select a row and click Edit to open the Aruba Mobility Controller Dialog. Edit the required fields. Click Save to save the changes. Deleting an Aruba Mobility Controller Select a row and click Delete to discard the details of an existing Aruba Mobility Controller. You can delete multiple Aruba Mobility Controller details using click-and-drag or using the <Shift> + <Down Arrow> keys and then clicking Delete. Cisco WLC The Wireless LAN Controller (WLC) governs a collection of thin AP. LWAPP defines the network protocol between the APs and WLC. The advantages of this solution are:
Administration Tab SpectraGuard® Enterprise User Guide 235  Increased scalability  Simplified, centralized management  Zero-touch AP deployment and configuration  Network-wide monitoring Cisco WLC The Cisco Unified WLAN architecture consists of Wireless LAN Controllers (WLC) and APs. The APs are managed using Light Weight Access Point Protocol (LWAPP). At any time, the WLC has all the information about the APs and devices seen/associated with these APs. Integration with Cisco WLC allows the system to fetch this information from WLC. Using this information the system can automatically classify devices managed by WLC and do location tracking of devices seen by LWAPP APs in sensor-less or sensor and AP mixed environment. Important: Currently, the system supports the following managed APs: Cisco Aironet 1000 Series, Cisco Aironet 1100 Series, Cisco Aironet 1130 Series, Cisco Aironet 1140 Series, Cisco Aironet 1200 Series, Cisco Aironet 1230 AG Series, Cisco Aironet 1240 AG Series, Cisco Aironet 1250 Series, and Cisco Aironet 1300 Series. The system supports WLC version 4.2 to 6.0.182.0.  WLC Integration Status: If WLC integration is enabled, the system obtains data from the configured WLCs, which are individually enabled.  If you select WLC Integration Enabled, you can configure Automatic Synchronization Settings. The system disables WLC by default. However, automatically enables WLC Integration when you add a new WLC.  Current Status: Displays the Current Status of the WLC: Running or Stopped. An Error status is shown in one of the following cases:  One of the configured and enabled WLCs has a hostname, which cannot be resolved  One of the configured and enabled WLCs is not reachable
Administration Tab SpectraGuard® Enterprise User Guide 236  System server is stopped  Internal error, in which case you need to contact Technical Support  Imported APs: This percentage indicates total number of APs imported from WLC(s) as a fraction of maximum allowed. The maximum allowed depends on type of appliance. The status displayed is as of the last synchronization event. It is recommended that the utilization remains below 80%. If the utilization exceeds 80%,the system performance may degrade and result in side effects such as sluggish UI and sensor disconnections.  Under Automatic Synchronization Settings, select the System-WLC synchronization interval.  Synchronization Interval (Minutes): Specifies the interval for which the server synchronizes with the WLC (Minimum: 15 minutes; Maximum: 60 minutes; Default: 30 minutes)  If the customer has some Lightweight Access Points (LAPs) whose type (like ap1030, ap1130) is not supported by SGE, then these LAPs can be supported by importing the WLC configuration bundle received from the AirTight Support on request. After the bundle is received, click <Advanced Configuration> The Import Custom WLC Configuration File dialog appears. The custom WLC configuration file from this bundle is used for all future WLC synchronization. The bundle is imported as .tgz. Import Custom WLC Configuration File Dialog Click Browse to specify the appropriate location of the WLC Configuration bundle and click <Import>, a progress bar appears. After the file is imported, the date and time when file was imported is displayed as in the screen. Import Custom WLC Configuration File Dialog showing date and time of the file imported If the file is not imported for some reason or if the file is corrupted, an error message is displayed. Note: Only the Super User is allowed to import WLC configuration file. All other users, including the administrator has only the viewing rights. Adding a WLAN Controller Under Wireless LAN Controllers, click <Add> to open WLAN Controller dialog where you can add WLC details.
Administration Tab SpectraGuard® Enterprise User Guide 237 WLAN Controller Dialog WLAN Controller contains the following fields:  Controller (IP Address/Hostname): Specifies the IP address or the hostname of the WLC with which the system communicates. Note: Configured WLCs will use the DNS names and DNS suffixes configured by the user in the Server Initialization and Setup Wizard on the Config Shell.  Community String: Specifies the user defined community string using which the system communicates with the WLC. (Default: public)  Port Number: Specifies the port number of the WLC from which data is imported. (Default: 161)  Enabled?: Indicates if the WLC is enabled to communicate with the system. (Default: Enabled)  Import Managed APs?: Indicates if WLC managed APs managed are to be imported into the system. (Default: Enabled)  Import Clients Associated to Managed APs?: Indicates if Clients associated to APs managed by a WLC are to be imported into the system. (Default: Enabled)  Import Unmanaged APs?: Indicates if APs not managed by a WLC are to be imported into the system. (Default: Enabled)  Import Unmanaged Clients?: Indicates if Clients associated with APs not managed by a WLC are to be imported into the system.
Administration Tab SpectraGuard® Enterprise User Guide 238 (Default: Disabled)  Import Signal Strength Information?: Indicates if the signal strength of the managed devices is to be imported into the system. (Default: Enabled) Note: Location Tracking results may vary depending on the Channel scan settings set on the WLC. Click <Add> to add the details for a new WLC. Click <Test> to confirm the validity of IP Address/Hostname, SNMP settings, and version compatibility of the newly added Lwapp Controller. Editing a WLAN Controller Double-click a row or click Edit to open an LWAPP Configuration dialog similar to the one shown above, to update the WLC details. Click <Save> to save all settings. Deleting a WLAN Controller Select a row and click Delete to discard the details of an existing WLC. You can delete multiple WLC details using click-and-drag or using the <Shift> + <Down Arrow> keys and then clicking Delete. Note: From 6.2 release onwards, WLC will support the H-REAP mode along with the Local mode. Integration with Cisco WLSE Wireless LAN Solution Engine (WLSE) is a centralized, systems-level application that manages and controls an entire Cisco AirTight WLAN infrastructure. WLSE eases Cisco’s WLAN deployments, enhances network security, maximizes network availability, and reduces operating expenses. Integration with Cisco WLSE allows the system to automatically classify WLSE managed APs and enables manual switch port blocking to contain Rogue APs.
Administration Tab SpectraGuard® Enterprise User Guide 239 Cisco WLSE  WLSE Integration Status: If WLSE integration is enabled, the system interacts with the configured WLSE server. Else, WLSE integration services are shut off.  If you select WLSE Integration Enabled, you can configure the following WLSE Server Settings. The system disables WLSE by default.  Current Status: Displays the Current Status of the WLSE server: Running or Stopped.  WLSE Server Settings: If a valid WLSE server is not specified, the system does not interface with the WLSE Server.  WLSE Server IP Address/Hostname: Port: Specifies the IP address or the name and the port number of the WLSE server  Username: Specifies the username for the WLSE server  Password: Specifies the password for the WLSE server To test the WLSE server settings, click <Test WLSE Server Settings>. The settings used for this test are those that you have specified. A dialog appears on completion of the test. Note: The user created for the system should have XML API privileges on the WLSE server. You should add the IP address of the server to the Access Control List of the WLSE server.  WLSE Operating Policies: Specifies policies to integrate the system with the WLSE server.  If you select Enable AP Classification integrated with WLSE, you can integrate the system’s AP Classification and Intrusion Prevention policies with the WLSE sever such that:  WLSE-managed APs that are Potentially Authorized automatically move to the Authorized AP folder  All WLSE-managed APs automatically move to the Authorized AP folder
Administration Tab SpectraGuard® Enterprise User Guide 240 Note: When you select the option All WLSE-managed APs automatically move to the Authorized AP folder and connect a Rogue AP to the network, the port to which the AP is connected is not blocked. This is a limitation of the WLSE API. In other words, the WLSE API provides only tracing functionality and not shutdown functionality.  Automatic Synchronization Settings: Specifies the interval at which the server should automatically synchronize with the WLSE server.  Synchronization Interval (Days): Specifies the number of days: that is, the interval for which the server synchronizes with the WLSE server. (Minimum: 1 day; Maximum: 30 days; Default: 7 Days)  Synchronization Start Date and Time: Specifies the start date and time for the synchronization interval. (Default: Current Date and Time)  Manual Synchronization: Click <Synchronize> to manually synchronize the server with the WLSE server. HiveManager HiveManagers can synchronize devices and associations with the system. It reports both managed Hive APs with their associations and devices visible in background scans. HiveManager WLAN Integrations displays the status of the HiveManager:  Client ID: Displays the Unique Integration Identifier of the HiveManager  Total APs: Displays the total number of import AP calls made by the HiveManager  Total Clients: Displays the total number of import Client calls made by the HiveManager  Total Associations: Displays the total number of AP-Client Association import calls made by the HiveManager  Last Sync Time: Displays the date and time of the last call made by the HiveManager Note: Total gives the total number of HiveManagers.
Administration Tab SpectraGuard® Enterprise User Guide 241 HP MSM Controller The HP MSM Controller manages a collection of thin APs. The HP MSM architecture consists of MSM Controllers and the APs that are managed by these controllers. Integration with HP MSM Controller allows the system to fetch information about Synchronized APs. Using this information, the system automatically classifies these devices. HP MSM Controller Integration Important: The system supports HP MSM Controller version 5.4.2 or higher. Integration Status: Enabling the MSM Controller integration allows the system to obtain data from the configured controllers. Enabling / Disabling individual controllers is also possible.  Selecting Integration Enabled enables integration for all configured controllers.  Current Status: Displays Running if Integration is enabled. Displays Stopped if controller integration is switched off. The Status field for each individual controller displays Error if  One of the configured and enabled MSM Controllers has a hostname which cannot be resolved  One of the configured and enabled MSM Controllers is not reachable  System server is stopped  Internal error (Contact Technical Support) Under Automatic Synchronization Settings, select the System synchronization interval.  Synchronization Interval (Minutes): Specifies the interval after which the server synchronizes with the MSM Controller. (Minimum: 15 minutes; Maximum: 60 minutes; Default: 15 minutes) Client Certificate Management: When the MSM Controller is configured to communicate with Client programs using Secure HTTP and Client Authentication, a Client Certificate is uploaded into the MSM Controller’s Trusted CA
Administration Tab SpectraGuard® Enterprise User Guide 242 Certificate Store. Click Download to download a pre-generated Client Certificate for the system. Following figure displays the dialog box that appears on clicking the Download button. Client Certificate Download Dialog Click Save to download and save the Client Certificate to the appropriate directory. Upload this Client Certificate into the MSM Controller’s Trusted CA Certificate Store using its management tool. The system is now setup and ready to communicate with the MSM Controller. Note: To customize the Client Certificate refer to the CLI commands: get msmcontroller cert, get msmcontroller certreq, and set msmcontroller cert as described in Config Shell Commands in the Installation guide. Adding an HP MSM Controller Under MSM Controllers, click Add to configure an MSM Controller for integration. The following figure displays the Add HP MSM Controller dialog.
Administration Tab SpectraGuard® Enterprise User Guide 243 Add HP MSM Controller Dialog HP MSM Controller contains the following fields:  Controller Name or IP Address: Specifies the Controller Name or IP address of the HP MSM Controller with which the system communicates.  Port Number: Specifies the port number of the HP MSM Controller from which data is imported. (Default: 448) Authentication:  Secure Http (SSL/TLS): Select this option if the MSM Controller is configured to use HTTPS for authentication. In addition, if the MSM Controller is setup to use Client Authentication, ensure that the System’s Client Certificate is uploaded into the MSM Controller’s Trusted CA Certificate Store.  Http Authentication: If enabled, specifies whether the HP MSM Controller requires Http authentication  Username: Specifies the user name for HP MSM Controller authentication  Password: Specifies the password for HP MSM Controller authentication Click the Add button to save the details for a new HP MSM Controller. Editing an HP MSM Controller Double-click a row or click Edit to open an HP MSM Controller dialog similar to the one shown above, to update the HP MSM Controller details. Click Save to save all settings. Deleting an HP MSM Controller Select a row and click Delete to discard the details of an existing HP MSM Controller. You can delete multiple HP MSM Controller details using click-and-drag or using the <Shift> + <Down Arrow> keys and then clicking Delete. Enabling an HP MSM Controller Select a row and click Enable to enable the selected HP MSM Controller. You can enable multiple HP MSM Controller details using click-and-drag or using the <Shift> + <Down Arrow> keys and then clicking Enable. Disabling an HP MSM Controller
Administration Tab SpectraGuard® Enterprise User Guide 244 Select a row and click Disable to disable the selected HP MSM Controller. You can disable multiple HP MSM Controller details using click-and-drag or using the <Shift> + <Down Arrow> keys and then clicking Disable. Checking configuration status of an HP MSM Controller Select a MSM Controller row under MSM Controllers and click the Test button. The System will return Pass status if the HP MSM Controller has been correctly configured. The System will return Fail status if the HP MSM Controller has been not been correctly configured. The following figure displays the message box displayed on evaluation of the HP MSM Controller setup. MSM Controller Integration Test Result Meru Meru Integration enables the system to use Virtual Cell and Virtual Port Architecture for reporting accurate AP inventory. System also detects the physical APs to which the Clients are associated. This helps the user for accurate location tracking and to protect against advanced threats.
Administration Tab SpectraGuard® Enterprise User Guide 245 Meru Select Enable Virtual Cell and Virtual Port Support check box to activate support for Meru Virtual Cell and Virtual Port architecture. Click <Apply> a dialog appears to restart the server to activate the changes. Server restart dialog Click Yes. A confirmation dialog appears that the configuration settings have been saved successfully. Confirmation dialog ESM Integration ArcSight ESM Server
Administration Tab SpectraGuard® Enterprise User Guide 246 The Enterprise Security Management (ESM) Integration screen allows configuration of various ESM integrations that collect, analyze, and display events. The system integrates with ArcSight’s Enterprise Security Management (ESM) infrastructure by sending events to the designated ArcSight server. The ArcSight server is configured to accept syslog messages having detailed event information in ArcSight’s Common Event Format (CEF). The system needs the IP Address or the hostname and the port on which the ArcSight server receives events. ArcSight ESM Server  ArcSight Integration Status: If ArcSight integration is enabled, the system sends messages to the configured ArcSight servers. Otherwise, ArcSight integration services are shut off.  If you select ArcSight Integration Enabled, you can manage ArcSight servers. The system enables ArcSight Integration by default.  Current Status: Displays the Current Status of the ArcSight Integration: Running or Stopped. An Error status is shown in one of the following cases:  One of the configured and enabled ArcSight servers has a hostname, which cannot be resolved  System server is stopped  Internal error, in which case you need to contact Technical Support Adding an ArcSight Server  Under ArcSight Servers, click <Add>to open to ArcSight Configuration dialog where you can add ArcSight server details.
Administration Tab SpectraGuard® Enterprise User Guide 247 ArcSight Configuration Dialog ArcSight Configuration dialog contains the following fields:  ArcSight Server (IP Address/Hostname): Specifies the IP Address or the hostname of the destination ArcSight server to which the CEF formatted messages are sent. Note: Configured ArcSight servers will use the DNS names and DNS suffixes configured by the user in the Server Initialization and Setup Wizard on the Config Shell.  Port Number: Specifies the port number of the ArcSight server to which the system should send CEF messages.  Enabled?: If the checkbox is selected, the system sends CEF messages to the configured and enabled ArcSight servers. The delivery of the CEF messages cannot be guaranteed due to use of UDP/unreliable transport. (Default: Enabled) Click Add to add the details for a new ArcSight server. Editing an ArcSight Server Double-click a row or click Edit to open ArcSight Configuration dialog similar to the one shown above. Click Save to save all settings. Deleting an ArcSight Server Select a row and click Delete to discard the configuration of the selected ArcSight server. You can delete multiple ArcSight server details using click-and-drag or using the <Shift> + <Down Arrow> keys and then clicking Delete. Note: Total gives the total number of ArcSight servers configured to receive events from the system. SNMP The SNMP dialog enables the system to send events as SNMP traps to designated SNMP trap receivers. It also allows SNMP managers to query server operating parameters using IF-MIB, MIB-II, and Host Resources MIB.
Administration Tab SpectraGuard® Enterprise User Guide 248 SNMP  SNMP Integration Status: If SNMP integration is enabled, the system sends SNMP traps to the configured SNMP servers. Other systems can do an SNMP Get to this server. Otherwise, SNMP integration services are shut off.  If you select SNMP Integration Enabled, you can edit and manage SNMP server details. The system enables SNMP by default.  Current Status: Displays the Current Status of the SNMP server: Running or Stopped. An Error status is shown in one of the following cases:  System server is stopped  Internal error, in which case you need to contact Technical Support  Under SNMP Settings, configure SNMP Gets or Traps.  SNMP Gets Enabled: Allows SNMP managers to query server-operating parameters enlisted in IF-MIB, MIB-II, and Host Resources MIB. You can block queries related to all of the above listed MIBs by de-selecting the checkbox.  SNMP Traps Enabled: Allows SNMP traps to be sent to configured SNMP servers. Additionally, select the SNMP versions to be enabled and configure the relevant settings. The SNMP agent residing on the server uses the SNMP version parameters to deliver traps to the SNMP Trap receivers.  SNMP v1, v2: If selected, traps are sent to all Trap receivers accepting traps using SNMP v1, v2 protocol. You can change the Community String for the SNMP agent. All SNMP v1, v2 Trap receivers configured, should use this community string to receive traps. (Default: public)  SNMP v3: If selected, traps are sent to all Trap receivers accepting traps using SNMP v3 protocol. You can change the Username and Password for the SNMP agent. All SNMP v3 Trap receivers configured, should use these parameters to receive traps. The Engine ID field is un-editable. (Default Username: admin; Default Password: password)  Under SNMP MIBs, you can choose to query by enabling or disabling the following SNMP MIBs individually.
Administration Tab SpectraGuard® Enterprise User Guide 249  IF MIB  Host Resources MIB  AirTight-MIB: If selected, the system enables the external SNMP Trap receivers to receive traps  MIB-II: If selected, configure the System Contact, System Name, and System Location. (Default System Name: Wi-Fi Security Sever) Note: IF MIB, Host Resources MIB, an MIB II are standard MIBs that you can download from the Internet. For AirTight-MIB, contact AirTight Technical Support. Adding a SNMP Trap Destination Server  Under SNMP Trap Destination Servers, click Add to open SNMP Configuration dialog where you can add SNMP server details. Add SNMP Configuration Dialog Trap Destination Details contains the following fields:  Destination Server (IP Address/Hostname): Specifies the IP address or the hostname of the SNMP server to which events should be sent. Note: Configured SNMP servers will use the DNS names and DNS suffixes configured by the user in the Server Initialization and Setup Wizard on the Config Shell.  SNMP Protocol Version: Specifies the SNMP protocol version for the SNMP agent. (Default: SNMP v1, v2)  Port Number: Specifies the port number on the receiving system to which the SNMP trap is sent. (Default: 162)  Enabled?: Specifies if the SNMP server is enabled to receive SNMP traps. (Default: Enabled) Note: You must specify a different port number if another application uses the default port. Click Add to add the details for a new SNMP server.
Administration Tab SpectraGuard® Enterprise User Guide 250 Editing a SNMP Trap Destination Server Double-click a row or click Edit to open SNMP Configuration dialog similar to the one shown above to update the SNMP server details. Click Save to save all settings. Deleting an SNMP Trap Destination Server Select a row and click Delete to discard the details of an existing SNMP server. Syslog Integrating with Syslog servers The Syslog screen allows the server to send events to designated Syslog receivers. Syslog  Syslog Integration Status: If Syslog integration is enabled, the system sends messages to the configured Syslog servers. Otherwise, Syslog integration services are shut off.  If you select Syslog Integration Enabled, you can manage Syslog servers. The system enables Syslog by default.  Current Status: Displays the Current Status of the Syslog server: Running or Stopped. An Error status is shown in one of the following cases:  One of the configured and enabled Syslog servers has a hostname, which cannot be resolved  System server is stopped  Internal error, in which case you need to contact Technical Support Adding a Syslog Server
Administration Tab SpectraGuard® Enterprise User Guide 251  Under Manage Syslog Severs, click <Add> to open Syslog Configuration dialog where you can add Syslog server details. Syslog Configuration Dialog Syslog Configuration contains the following fields:  Syslog Server (IP Address/Hostname): Specifies the IP address or the hostname of the Syslog server to which events should be sent. Note: Configured Syslog servers will use the DNS names and DNS suffixes configured by the user in the Server Initialization and Setup Wizard on the Config Shell.  Port Number: Specifies the port number of the Syslog server to which the system sends events. (Default: 514)  Message Format: Specifies the format in which the event is sent, which is Intrusion Detection Message Exchange Format (IDMEF) or Plain text. (Default: Plain text) Note: If you upgrade a server pre-6.2 to 6.6, all previously configured Syslog servers would send events in Plain text Message Format by default. You can select the IDMEF format by editing the Syslog server settings.  Enabled?: Specifies if the events are to be sent to this Syslog server. (Default: Enabled) Click Add to add the details for a new Syslog server. Editing a Syslog Server Double-click a row or select a row and click Edit to open Syslog Configuration dialog similar to the one shown above. Click Save to save all settings. Deleting a Syslog Server Select a row and click Delete to discard the details of an existing Syslog server.
Administration Tab SpectraGuard® Enterprise User Guide 252 OPSEC Operations Security (OPSEC) is an analytic process used to deny an adversary information – generally unclassified – concerning our intentions and capabilities by identifying, controlling, and protecting indicators associated with our planning processes or operations. OPSEC does not replace other security disciplines – it supplements them. OPSEC Integration with OPSEC enables the system to send events to the specified OPSEC server.  OPSEC Integration Status: If OPSEC integration is enabled, the system sends events to the configured OPSEC servers. Otherwise, OPSEC integration services are shut off.  If you select OPSEC Integration Enabled, you can configure OPSEC server settings. The system disables OPSEC by default.  Current Status: Displays the Current Status of the OPSEC server: Running or Stopped. An Error status is shown in one of the following cases:  System server is stopped  OPSEC configuration is either incomplete or incorrect or if the OPSEC server is stopped  Internal error, in which case you need to contact Technical Support  Under OPSEC Server Settings specify the OPSEC server details.  Server Name: Specifies the name of the OPSEC server  Server IP: Specifies the IP Address of the OPSEC server  Authentication Port: Specifies the OPSEC server authentication port used for communication with the system  Specify the authentication type you can select one of the following types of authentication:  Clear
Administration Tab SpectraGuard® Enterprise User Guide 253  SSL  SSL OPSEC  SSL Clear  SSL Clear OPSEC  FWN  Auth OPSEC  SSL CA  SSL CA Comp  SSL CA RC4  SSL CA RC4 Comp  Asymmetric SSL CA  Asymmetric SSL CA Comp  Asymmetric SSL CA RC4  Asymmetric SSL CA RC4 Comp  SSLA Clear  Under SIC Settings, you need to specify the following settings for the Simple Instructional Computer (SIC) for all the authentication types except ‘Clear’:  Server SIC Name: Specifies the server name of the SIC  Client SIC Name: Specifies the Client name of the SIC  Under CA Settings, if you have selected an authentication type that has a CA in it, select Create new digital certificate, then, you need to configure the following parameters for the Certifying Authority (CA).  IP/Hostname: Specifies the IP address or the hostname of the CA  Object Name: Specifies the object name of the CA  Password: Specifies the one time password needed to acquire the certificate  Under Symmetric Key Based Settings, if you have selected an authentication type that does not have a CA in it, select Create New Secret Key, then, you need to create a new secret key. SpectraGuard SAFE The SpectraGuard SAFE screen enables you to setup and manage groups for wireless Clients running SAFE. Group Management Group Management allows the user to manage SAFE policy groups. SAFE groups can be created manually. The system can also be configured to create SAFE groups automatically from the users’ domain and logged in group as reported by SAFE. Each group can have a SAFE policy attached to it. The SAFE policies are created using a SAFE Client. The policy configuration is then imported in the system. The system gives the administrators the option to categorize the SpectraGuard SAFE Clients into groups automatically. Automatic movement of SpectraGuard SAFE Client is based on the SAFE user’s domain and group name information. Manual assignment of SAFE Clients to a group overrides any automatic assignment. You cannot edit the default group.
Administration Tab SpectraGuard® Enterprise User Guide 254 SAFE Group Management Note: For Automatically created groups, “SAFE Reported Group” column displays information about the domain name and group name (OU Hierarchy) reported by SAFE Client as “<Domain Name>/<Group Name (OU Hierarchy)>”. For Manually created groups, it displays “ - -“. Adding a SAFE Group Manually Click Add Group to open Add SpectraGuard SAFE Group dialog where you can add the details for various SAFE groups.
Administration Tab SpectraGuard® Enterprise User Guide 255 Add SAFE Group Dialog Under Group Details, specify the following:  Name: Specify a group name for the newly created group.  Description: Specify a brief description for the group.  Is Policy Attached?: Indicates if a policy is attached to the newly defined group. Click Attach Policy to navigate to the path where the SAFE Configuration file is saved. Attach the policy. Configuration File: Displays the entire path or location of the SAFE Configuration file. Click Save to save the details for the new group. Note: Duplicate group names are allowed for manually defined groups. The group name of a SAFE reported group and manually created group can be the same. Attaching SAFE Policy to existing SAFE Group Use the following steps to attach a policy to an existing SAFE group: 1 On the SpectraGuard SAFE Group Management screen, select the SAFE group to which you want to attach a policy. 2 On the Edit SpectraGuard SAFE Group dialog that appears, click Attach Policy. 3 On the Confirm dialog that appears, click Yes. 4 On the Select SAFE Configuration File dialog, specify the path of the SAFE configuration file (.XML format) and click Open. 5 Click Save to attach the policy to the SAFE group. Note: It is not mandatory to export the IP Address and Shared Key information from the SAFE Client as it already has this information when it connects to the server. Editing a SAFE Group
Administration Tab SpectraGuard® Enterprise User Guide 256 Select a group from the List of Groups and click Edit Group to open Edit SpectraGuard SAFE Group dialog where you can edit the details of an existing SAFE Group. Additionally, in this dialog you can do the following:  Click the hyperlink View Policy to view the attached policy.  Click Overwrite Policy to overwrite the existing policy attached to the SAFE group with the policy contained in a SAFE Configuration file.  Click Detach Policy to detach the existing policy attached to the SAFE group. If no policy is attached to a group, the server does not push any policy to the Clients in that group. The Clients retain their previous policy. When you do not attach a policy or you detach a policy from a SAFE group, the system does not send the Activity Parameter information such as Keep-alive Interval, Keep-alive Timeout, and Synchronization Interval to the Clients belonging to that SAFE group. Edit a SAFE Group Viewing a SAFE Group Policy On the SpectraGuard SAFE Group Management screen, for the selected SAFE group, click the hyperlink View Policy. Alternatively, on the Edit SpectraGuard SAFE Group dialog, click the hyperlink View Policy. A report showing the details of the policy group attached to the selected SAFE group appears.
Administration Tab SpectraGuard® Enterprise User Guide 257 View a SAFE Group Policy
Administration Tab SpectraGuard® Enterprise User Guide 258 Deleting a SAFE Group Select a group from the List of Groups and click Delete Group. The Delete Group message appears. Click Yes to confirm deletion. After deleting the group all the Clients in that group are assigned to 'Default' group. Delete a SAFE Group Settings A shared key is used for authentication of Clients running SAFE. SAFE cannot connect to the server for synchronization without a shared key. This shared key should be distributed to all the users of wireless Clients running SAFE. SAFE Settings Under Shared Key Authentication, do one of the following:  Select Change Shared Key to change the existing shared key. Note: You need to be very careful about changing the Shared Key if it has already been circulated to existing SAFE Clients. This is because, if you change the Shared Key, existing SAFE users will not be able to connect to the server unless they re-activate their SAFE Clients using the new Shared Key.
Administration Tab SpectraGuard® Enterprise User Guide 259  Click Generate Key Automatically to enable the system to automatically generate a shared key of up to 10 alphanumeric characters using which SAFE Clients can connect with the system. Under Activity Parameters, specify the following:  Keep-alive Interval: Defines the duration at which SAFE sends a heartbeat to the server indicating that it is active. (Minimum: 1 minute; Maximum: 30 minutes; Default: 2 minutes)  Keep-alive Timeout: Indicates the number of consecutive heartbeat packets missed by the server before it declares that SAFE instance as inactive. (Minimum: 2 heartbeats; Maximum: 10 heartbeats; Default: 5 heartbeats)  Synchronization Interval: Defines the minimum period at which SAFE synchronizes with the server. (Minimum: 30 minutes; Maximum: 300 minutes; Default: 60 minutes) Manage Clients This screen displays details of the SAFE Clients registered with the server. Manage SAFE Clients This screen shows the following information about SAFE Clients:  SAFE Status Icon: Identifies the SAFE status – Active or Not Active.  SAFE Risk Level Icon: Identifies the SAFE risk level – High, Medium, or Low.  Report Availability for SAFE Client: Indicates one of the following Report available, Report not available, or Report Scheduled.  Name: Specifies the First name and Last name or hostname of the Client.  Wireless MAC: Specifies the first detected wireless MAC address of the Client in case of multiple wireless interfaces.  Wired MAC: Specifies the first detected wired MAC address of the Client in case of multiple wired interfaces.
Administration Tab SpectraGuard® Enterprise User Guide 260  Version: Specifies the build and version number of the software loaded in the Client.  Group: Specifies the group name as defined through Group Management. The asterisk before a group name indicates that the group has been manually changed for the client, from a SAFE reported group to manually created group.  SAFE Reported Group: Specifies the SAFE reported group to which the Client belongs. , “SAFE Reported Group” column displays information about the domain name and group name (OU Hierarchy) reported by SAFE Client as “<Domain Name>/<Group Name (OU Hierarchy)>”.  Last Synch: Specifies the time when the SAFE Client last synchronized with the system.  Activation: Specifies the date and time when the SAFE Client was activated.  Last Available Report: Specifies the time when a report was last generated for the selected SAFE Client.  Configure Display Columns: Clicking on the Column Visibility icon opens a window showing the columns available for display and their current selection and display order. You can check/uncheck the checkbox before the column name to select/deselect it from SAFE Client List display. You can change the display order of a column by selecting the column name and moving it up/down with Up/Down buttons. Save the display settings by clicking <Save> button.  Max Allowed: Specifies the maximum number of SAFE Clients that can be connected to the system. This number depends on the number of users permitted by your SGE license. SAFE Client List – Display Columns Screen Note: The Console displays either a SAFE Client that has only a wired interface or a SAFE Client not yet categorized on a white row on the Manage SAFE Clients screen. Double-clicking a SAFE Client row displays the SAFE Details dialog.
Administration Tab SpectraGuard® Enterprise User Guide 261 SAFE Client Details Dialog Note: The servers with version 5.7, 5.9, 6.0, 6.1, and 6.2 are compatible with SAFE versions 2.5 and 2.7. Right-clicking a SAFE Client row displays the context sensitive menu. SAFE Client Context Sensitive Menu Items in the SAFE Client Context Sensitive Menu The SAFE Client context-sensitive menu includes the following items.  SAFE Details: Enables you to view details of the SAFE Client as shown in the Client Details dialog.  Delete: Allows you to delete a SAFE Client. It displays a Confirm dialog that enables you to delete a selected SAFE Client. Click <Yes> to delete the SAFE Client.  Fetch Report: Available for a SAFE Client which is Active, this option if selected, displays a progress bar and then fetches a fresh report from the SAFE Client.  Schedule Report: Available for a SAFE Client which is Inactive, this option enables you to schedule a report for the selected SAFE Client. A fresh report is generated for the Client when it becomes Active.  View available report: Available for a SAFE Client for which a report is fetched earlier, this option displays a progress bar and then a report that enables you to view various reports generated earlier for the selected SAFE Client. Each time the system generates a SAFE report, it updates the Last Available Report column on the Manage SAFE Clients screen.
Administration Tab SpectraGuard® Enterprise User Guide 262 SAFE Client Report Change SAFE Group: Enables you to change the group of the selected Client to any group except the group currently associated with the selected Client. After the Clients group changes, the new policy is applied to the SAFE Client. Filtering in SAFE To focus your attention to a subset of SAFE Client List based on a filtering criteria (such as SAFE Status, SAFE Risk Status, and so on) system provides you with the capability to filter SAFE Client List. Use the following steps to filter SAFE Client List: 1 Click the Filter icon to open the SAFE Listing Filter dialog.
Administration Tab SpectraGuard® Enterprise User Guide 263 SAFE Listing Filter 2 Under Text Filter, select one or more of the following check boxes and enter the appropriate values manually for searching data related to it:  Name  Wired/Wireless MAC  Group  SAFE Reported Group 3 Select the SAFE Status check box, select one or more of the following check boxes:  Active  Inactive 4 Select the SAFE Risk Status check box, select one or more of the following check boxes:  High  Medium  Low 5 Select the Activation check box, click the icon to specify the date and time of the activation of the SAFE Client and then click OK. The search displays the SAFE Client list, which were first detected by the system after the date as specified above 6 Select the Group check box, select the Group Name from the drop down box for searching data related to it. 7 To save and apply the SAFE Client List filtering criteria, click OK. When the filter is applied it is denoted by Filter On on the Console, if no filter is applied it is denoted by Filter Off on the Console. Local Policies Local Policies About Local Policies Local Policies are those that you can customize for a particular location. When you create a new location, by default, all the policies for this new location are always the same as its parent location. In other words, this newly created location inherits policies from its parent. You can change these inherited policies. Specifically a user with administrative rights can configure these policies for a location. Click the Local tab in the Administration screen to view the policies groups under this tab. The Local tab consists of two trees:  Location tree on the top  Administration tree at the bottom
Administration Tab SpectraGuard® Enterprise User Guide 264 Recommended: Do not use distinct policies for two locations that represent geographically close-by areas. This is because if two locations are very close, it is possible that sensors from both these locations see a device, thereby affecting the accuracy of location tagging for the device. Policy and Policy Groups The system clubs policies in Local Policies with related functionality into groups called Policy Groups. Examples of policy groups and policies within them are as shown below. Example 1 Operating Policies (Policy Group)  AP Auto-classification(Policy1)  Client Auto-classification (Policy 2)  Intrusion Prevention (Policy 3) Example 2 Event Settings (Policy Group)  Configuration (Policy 1)  Email Notification (Policy 2) Customizing v/s Inheriting Policies By default, a location inherits policies from its parent location. You can break the inheritance and customize the policies at a location. You can customize or inherit policies only at the policy group level. Customize or inherit of individual policies is not allowed at the individual policy level within the policy group. By customizing or inheriting a policy in a policy group, the policy group gets customized or inherited. Policy Inheritance v/s Customization Customizing Policies Use the following steps to customize policies in a policy group for a location that inherits policies from its parent:
Administration Tab SpectraGuard® Enterprise User Guide 265 1. Select the Local tab. 2. Select a location in the Location tree for which you want to customize the policies. 3. Select a policy group from the Administration tree. 4. Right-click either the selected location or the selected policy group. A context sensitive menu appears. Click Customize Policy Group – ‘<Policy Group Name>’. Customizing a Policy Group 5. Alternatively, click on the right side of the policy group pane. 6. Alternatively click the hyperlink Customize in the sentence ‘Click Customize to re-define this policy at this location.’ on the individual policy page. By customizing the individual policy, the entire policy group is customized. You can now custom define the individual policies within the policy node. Inheriting Policies: (Re)establishing Inheritance Use the following steps to inherit policies in a policy group for a location which has customized policies: 1. Select the Local tab. 2. Select a location in the Location tree for which you want to inherit policies from its parent. 3. Select a policy group from the Administration tree. 4. Right-click either the selected location or the selected policy group. A context sensitive menu appears. Click Inherit Policy Group – ‘<Policy Group Name>’.
Administration Tab SpectraGuard® Enterprise User Guide 266 Inheriting Policies for a Policy Group 5. Alternatively, click on the right side of the policy group pane. 6. Alternatively click the hyperlink Inherit in the sentence ‘Click Inherit to inherit this policy from its parent location.’ on the individual policy page. By inheriting the individual policy, the entire policy group is inherited from its parent location. This re-establishes the inheritance link for the selected policy group. The policy group loses any existing customization for the selected location and starts using the parent policies instead. Once policies are inherited, action items like checkboxes, buttons, and so on are de-activated in the policy pane. You will see the policies in a Read-only mode. Template Based Policies In the system, some policies are made up of one or more templates. In a large setup with several locations, the administrator would like to create templates on a single location and reuse these templates, if other locations in the sub-tree need to have similar templates to define their policies. Applying a Template A user can create templates at locations to which access has been granted. You can then select one or more such templates to be applied at a particular location. Thus, when you apply one or more templates to a location, you define the policy for that location. Template Availability at Sub-locations
Administration Tab SpectraGuard® Enterprise User Guide 267 When you create a new template at a location, it is available for viewing and applying to all the locations in its sub-tree. Templates can only be modified and deleted at the location at which they are created. Copying and Pasting of Local Policies In a large setup with several locations, the administrator would like to custom define policies for just one location. If other locations need to have policies similar to the ones already defined, you can Copy the policies from the first location and Paste them to the other locations. Copy allows you to copy one or all policy groups customized for a particular location to another location. If all the policy groups for a location are inherited from its parent, you cannot copy policies from that location. Paste allows you to paste the policies to a policy group on any location. By pasting a policy group on a location inheriting that policy group, the inheritance is broken. Copying and Pasting all Local Policies Use the following steps to copy and paste all Local policies: 1. Right-click a location from the Location tree which you choose to copy (source location). 2. From the resultant context-sensitive menu, select Copy Local Policies for ‘<Location Name>’. 3. Select All Local Policy Groups or Policy Group-‘<Policy Group Name>’. The Policy Group-‘<Policy Group Name>’ option is available only if a policy group node is selected in the Administration tree. Copying all Local Policies 4. Right-click a location to which you want to paste the copied policies.
Administration Tab SpectraGuard® Enterprise User Guide 268 5. From the resultant context-sensitive menu, select Paste All Policies from ‘<Location Name>’ or Paste ‘<Policy Group Name>’ from ‘<Location Name>’. The Paste All Policies from ‘<Location Name>’ is displayed if all the policies were copied during the copy operation. The Paste ‘<Policy Group Name>’ from ‘<Location Name>’ option is displayed if only a policy group is copied during the copy operation. Pasting all Local Policies Copying and Pasting a Local Policy Group Use the following steps to copy and paste a Local policy group: 1. Right-click a location from the Location tree. 2. Right-click a policy group from the Administration tree which you choose to copy. 3. From the resultant context-sensitive menu, select Copy Policy Group-‘<Policy Group Name>’.
Administration Tab SpectraGuard® Enterprise User Guide 269 Copying a Local Policy Group 4. Right-click a location to which you want to paste the copied policies. 5. From the resultant context-sensitive menu, select Paste ‘<Policy Group>’ from ‘<Location Name>’. Note: The copy operation is not allowed if no local policy group is custom defined or customized on that location. Wireless Policies-Authorized WLAN Setup Select the Wireless Policies screen to specify the Authorized Wi-Fi policies for a particular location. Authorized WLAN Setup The system uses the details of the Authorized Wi-Fi setup at a particular location to detect the presence of Mis-configured or Rogue APs in your network. You can specify the details of authorized SSIDs and a list of networks to which Authorized APs can connect.
Administration Tab SpectraGuard® Enterprise User Guide 270 Authorized WLAN Setup Select one of the following to characterize a particular location:  This is a No Wi-Fi location: If no Authorized Wi-Fi APs are installed at this location. If you configure a location as a no Wi-Fi location, the Specify Authorized SSID section is grayed out.  Wi-Fi is allowed at this location: To specify the details of the Authorized Wi-Fi APs in this location. Specify Authorized SSIDs Under this tab, specify the Authorized SSIDs at this location. For each SSID, you can specify the detailed configuration. This per SSID configuration is called an SSID template. Creating a Configuration Template for an Authorized 802.11 SSID Add Authorized SSIDs allows you to create an SSID template in one of the following ways:  Add Visible SSID: To create an SSID template from a list of visible SSIDs. The visible SSID list is built using the data received from sensors.  Add Custom SSID: To create a template using a user-defined SSID. Click Add SSID template to create a new SSID template. The Template for an Authorized 802.11 SSID dialog appears where you can select multiple items in some fields.

Navigation menu