
NightWatchman Enterprise 7.3

Configuring network access control security

Port-based Network Access Control (NAC) uses the 802.1x standard. It increases network security by requiring computers to authenticate before they are allowed onto the network. Typically, this relies on dividing the network into two sets of VLANs:

  • authenticated VLANs (also known as the main, live or corporate network).

  • corresponding unauthenticated VLANs, which act as a holding ground for computers that have not yet authenticated (also known as the guest network).

In this model, the division into authenticated and unauthenticated VLANs is handled by the network switches. Unauthenticated network ports are in a blocking state and do not allow traffic to or from a computer unless that traffic is part of the authentication process. In practice, this means that computers move off the authenticated network and onto the unauthenticated network as soon as they are turned off. Depending on the authentication mechanism, this move can also occur when the computer goes to sleep. When off or asleep, the computer does not respond to ARP queries and will respond only to broadcasts.

WakeUp does not know whether a powered-down computer is on an authenticated or an unauthenticated network, so the normal methods used by WakeUp will not work. Normally, to wake a computer from off or from sleep, the WakeUp system only needs to send a Wake-On-LAN (WOL) magic packet as a directed broadcast to the last-known subnet of the target computer, which is the authenticated subnet. When NAC is implemented, WakeUp must send an additional broadcast to the unauthenticated subnet. When the computer wakes, it uses its normal authentication method to get back onto the authenticated network.

The problem of sending wakeups to unauthenticated subnets has two parts:

  • WakeUp configuration - determines how WakeUp identifies the corresponding unauthenticated subnet to which the computer has moved

  • Network configuration - determines how the network allows a subnet-directed broadcast to reach the computer on the unauthenticated subnet

Configuring SubnetOverride on a WakeUp Agent

This registry value should be populated in the WakeUp Agent registry with a comma-separated list of values, each of which defines a subnet. Duplicate subnets are ignored. The subnet on which the Agent resides is also ignored, because it has already been sent a broadcast: the WakeUp Server first instructs the relevant WakeUp Agent to broadcast to the authenticated subnet on which it resides, and only then processes the SubnetOverride list.

With the Server method, configure this value in the WakeUp Agent registry on the WakeUp Server(s). With the Agent method, configure it in the WakeUp Agent registry on the 1E Agents.

HKLM\Software\1E\WakeUpAgt\SubnetOverride (REG_SZ)

The format for each value can be one of the following:

Notation                               Format                      Example
Classless Inter-Domain Routing (CIDR)  Base address/bit length     192.168.13.0/24
Subnet mask                            Base address/subnet mask    192.168.13.0/255.255.255.0
Subnet broadcast address               Broadcast address           192.168.13.255

You can mix different formats in the same string, as long as each value matches one of the formats above. For example:

192.168.13.0/24,192.168.34.0/255.255.255.0,192.168.10.255

Configuring AdditionalSubnets on a WakeUp Agent

This registry value is not always necessary, but may be required when using the Agent method in Multi-agent or Dedicated agent scenarios. If the WakeUp Agent starts before the computer has authenticated, it attempts to report the unauthenticated subnet as its last known subnet. That report is not delivered until the computer switches to the authenticated network, but it means the WakeUp Server will attempt to use its normal discovery process on both subnets at the next wakeup attempt. Discovery fails for the unauthenticated subnet and delays the wakeup.

If this problem occurs, this registry value allows the WakeUp Agent to inform the WakeUp Server that it will also act as the Agent for the additional subnets. It should be populated with the same list of subnets as specified in the SubnetOverride list.

HKLM\Software\1E\WakeUpAgt\AdditionalSubnets (REG_SZ)

Each subnet must be in the following format (which is different from the formats available for SubnetOverride).

Notation       Format                     Example
Subnet mask    Base address,subnet mask   192.168.13.0,255.255.255.0

Multiple subnets are listed one after another as base,mask pairs. For example:

192.168.13.0,255.255.255.0,192.168.34.0,255.255.255.0,192.168.10.0,255.255.255.0
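
As an added example, not 1E's own code, the Python below sketches what an agent has to do with the two list formats on this page and with the directed broadcast described earlier: it parses a SubnetOverride string in any of the three accepted notations, drops duplicates and the agent's own subnet (which has already been sent a broadcast), parses the stricter AdditionalSubnets base,mask pair format, and builds the Wake-On-LAN magic packet to send to each directed broadcast address. The magic-packet layout (6 bytes of 0xFF followed by the target MAC repeated 16 times) is the standard WOL format; UDP port 9, the function names and the sample values are assumptions of this example, not something the page specifies.

```python
"""Added example (not 1E's code): parse WakeUp-style subnet lists and build the
directed-broadcast Wake-On-LAN packets an agent would send for each of them."""
import ipaddress
import socket


def broadcast_targets(subnet_override, agent_subnet=None):
    """Turn a SubnetOverride string into an ordered list of directed broadcast
    addresses. Accepts the three documented forms (CIDR, base/mask, bare
    broadcast address), drops duplicates, and skips the agent's own subnet,
    which the page says has already received a broadcast."""
    own = ipaddress.IPv4Network(agent_subnet, strict=False) if agent_subnet else None
    targets = []
    for item in subnet_override.split(","):
        item = item.strip()
        if not item:
            continue
        if "/" in item:
            # ipaddress accepts both "base/24" and "base/255.255.255.0"
            bcast = ipaddress.IPv4Network(item, strict=False).broadcast_address
        else:
            # a bare value is already the subnet broadcast address
            bcast = ipaddress.IPv4Address(item)
        if own is not None and bcast in own:
            continue
        if bcast not in targets:
            targets.append(bcast)
    return [str(t) for t in targets]


def additional_subnets(value):
    """Parse the AdditionalSubnets 'base,mask,base,mask,...' format into CIDR
    strings. Every subnet is a base/mask pair here, so an odd number of fields
    means the value is malformed."""
    fields = [f.strip() for f in value.split(",") if f.strip()]
    if len(fields) % 2:
        raise ValueError("AdditionalSubnets needs base,mask pairs: %r" % value)
    return [
        str(ipaddress.IPv4Network("%s/%s" % (base, mask), strict=False))
        for base, mask in zip(fields[::2], fields[1::2])
    ]


def magic_packet(mac):
    """Build a WOL magic packet: 6 bytes of 0xFF followed by the MAC 16 times."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes: %r" % mac)
    return b"\xff" * 6 + raw * 16


def send_wol(mac, subnet_override, agent_subnet=None, port=9, sock=None):
    """Send the magic packet as a subnet-directed broadcast to each target.
    Port 9 is an assumption of this example. A socket-like object with a
    sendto() method can be injected so the logic can be exercised offline.
    Returns the list of targets that were used."""
    pkt = magic_packet(mac)
    targets = broadcast_targets(subnet_override, agent_subnet)
    own_sock = sock is None
    if own_sock:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    try:
        for target in targets:
            sock.sendto(pkt, (target, port))
    finally:
        if own_sock:
            sock.close()
    return targets


if __name__ == "__main__":
    # Constructed sample values matching the page's examples; nothing is sent.
    override = "192.168.13.0/24,192.168.34.0/255.255.255.0,192.168.10.255"
    print("SubnetOverride targets:", broadcast_targets(override, "192.168.13.0/24"))
    extra = "192.168.13.0,255.255.255.0,192.168.34.0,255.255.255.0"
    print("AdditionalSubnets:", additional_subnets(extra))
```

Running the module directly only prints the computed targets; calling send_wol without a sock argument opens a real UDP socket and transmits. Whatever sends the packets, the routers between the agent and the unauthenticated subnet must forward subnet-directed broadcasts, which is the network-configuration half of the problem this page describes.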

Configuring AlwaysQueueToLocalAgent on a WakeUp Server

This registry value must be set to ON when using WakeUp Server in Multi-agent and Dedicated agent scenarios, so that the WakeUp Server instructs its local WakeUp Agent to send the additional WOL broadcasts.

This registry value is either not used, or set to OFF, when using WakeUp Server in the Standalone Server scenario, because there the WakeUp Server always uses its local WakeUp Agent to send WOL broadcasts, and setting this value to ON would cause those broadcasts to be duplicated.

HKLM\Software\1E\WakeUpSrv\AlwaysQueueToLocalAgent (REG_SZ)