Configuring Access Guardian Using Quarantine Manager and Remediation
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 28-93
Using Quarantine Manager and Remediation
A client MAC address is determined to be in a quarantined state when one of the following occurs:
• The OmniVista Quarantine Manager (OVQM) application receives a TRAP indicating that the MAC
address has to be quarantined. The TRAP may come from a network anomaly detection application or
from an IDS running in the same subnet as the client.
• A list containing the quarantined MAC address is manually configured on OVQM.
• A list containing the quarantined MAC address is manually configured on every switch in the network.
After the list of quarantined MAC addresses is known, OVQM can add these addresses to the Quarantine
MAC group and push the configuration to the switches in a logical group or to all switches.
The Access Guardian Quarantine Manager and Remediation (QMR) feature moves the users associated
with the quarantined MAC addresses to a QMR restricted role. A built-in policy list is associated with the
QMR role that restricts quarantined users to communicating with a designated remediation server until
their quarantined status is corrected.
The following QMR components are configured through Access Guardian CLI commands:
• Quarantined MAC address group. Access Guardian configures the name of the Quarantine MAC
group on the OmniSwitch. This MAC address group contains the MAC addresses of users that are
quarantined and are candidates for remediation.
The default name of the MAC group is "Quarantined", but the name can be changed using the qos
quarantine mac-group command. For example:
-> qos quarantine mac-group badMacs
• Remediation server and exception subnets. When a client is quarantined, all traffic from the
client is blocked by default. However, the administrator can configure a small set of exception
subnets that the quarantined client is still allowed to reach, such as the subnet of a remediation
server from which the client can obtain updates and correct its quarantined state.
The qmr quarantine allowed-name command is used to designate IP addresses that a quarantined
client can access. For example:
-> qmr quarantine allowed-name it-helpdesk 10.1.1.0 ip-mask 255.255.255.0
A maximum of three IP subnets can be configured. Make sure the IP address of the remediation
server falls within one of the allowed subnets; otherwise quarantined clients cannot reach it.
• Remediation server URL. The Access Guardian qmr quarantine path command is used to specify a
URL to which users are redirected for remediation. For example:
-> qmr quarantine path www.qmr.ale.com
• Quarantine Page. When a client is quarantined and a remediation server URL is not configured,
QMR can send a Quarantine Page to notify the client of its quarantined state. To enable or disable the
sending of the Quarantine Page, use the qmr quarantine page command. For example:
-> qmr quarantine page enable
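The four QMR settings above form one configuration plan, and the guide's two constraints on it (at most three exception subnets, and the remediation server must lie inside one of them) are easy to get wrong when the subnets and the server address are chosen by different people. The following Python script is an added example, not part of the OmniSwitch guide or of any Alcatel-Lucent Enterprise tool: it validates such a plan offline and renders the CLI lines in the syntax shown on this page. The allowed-name entries and the MAC group name come from the page; the remediation server address 10.1.1.20 is a constructed sample, and the plan is assumed to supply that address directly (resolving the qmr quarantine path URL to an IP is done out of band). The `disable` keyword is assumed from the guide's wording that the page can be enabled or disabled.

```python
import ipaddress
from typing import List, Optional, Tuple

# Limit stated in the guide: at most three exception subnets.
MAX_ALLOWED_SUBNETS = 3

# (allowed-name, network address, ip-mask), as passed to
# 'qmr quarantine allowed-name <name> <ip> ip-mask <mask>'.
AllowedEntry = Tuple[str, str, str]


def check_qmr_plan(allowed: List[AllowedEntry], remediation_server_ip: str) -> List[str]:
    """Return a list of problems with the plan; an empty list means it is consistent.

    remediation_server_ip is the address the 'qmr quarantine path' URL resolves to.
    It is an input here (constructed sample in the usage below), not looked up.
    """
    problems: List[str] = []

    if len(allowed) > MAX_ALLOWED_SUBNETS:
        problems.append(
            f"{len(allowed)} exception subnets configured; "
            f"the switch accepts at most {MAX_ALLOWED_SUBNETS}"
        )

    networks = []
    for name, addr, mask in allowed:
        try:
            # strict=True rejects a network address with host bits set,
            # e.g. 10.1.1.5 with mask 255.255.255.0.
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=True)
        except ValueError as exc:
            problems.append(f"allowed-name {name}: invalid subnet {addr}/{mask} ({exc})")
            continue
        networks.append(net)

    server = ipaddress.IPv4Address(remediation_server_ip)
    if not any(server in net for net in networks):
        problems.append(
            f"remediation server {server} is not inside any allowed subnet; "
            "quarantined clients will be unable to reach it"
        )
    return problems


def render_qmr_cli(mac_group: str, allowed: List[AllowedEntry],
                   path: Optional[str], page_enabled: bool) -> List[str]:
    """Render the plan as OmniSwitch CLI lines in the syntax shown in the guide."""
    lines = [f"qos quarantine mac-group {mac_group}"]
    for name, addr, mask in allowed:
        lines.append(f"qmr quarantine allowed-name {name} {addr} ip-mask {mask}")
    if path:
        lines.append(f"qmr quarantine path {path}")
    # 'disable' is assumed from the guide's "enable or disable" wording.
    lines.append(f"qmr quarantine page {'enable' if page_enabled else 'disable'}")
    return lines


# Constructed sample plan: subnet and URL from the guide, server address invented.
SAMPLE_ALLOWED: List[AllowedEntry] = [("it-helpdesk", "10.1.1.0", "255.255.255.0")]
SAMPLE_SERVER_IP = "10.1.1.20"

if __name__ == "__main__":
    issues = check_qmr_plan(SAMPLE_ALLOWED, SAMPLE_SERVER_IP)
    if issues:
        for issue in issues:
            print("PROBLEM:", issue)
    else:
        for line in render_qmr_cli("badMacs", SAMPLE_ALLOWED, "www.qmr.ale.com", False):
            print("->", line)
```

Run the checker before pushing the configuration: a plan that passes with an empty problem list is one where a quarantined client can actually reach the remediation server, which is the whole point of the exception subnets.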