Port-based Network Access Control (NAC) uses the 802.1X standard. It provides increased network security by requiring computers to authenticate before they are given access to the network. Typically, this relies on dividing the network into two sets of VLANs:

  • authenticated VLANs (also known as the main, live or corporate network).
  • corresponding unauthenticated VLANs, that act as a holding ground for computers that have not yet been authenticated (also known as guest network).

In this model, the division into authenticated and unauthenticated VLANs is handled by the network switches. The unauthenticated network ports are in a blocking state and do not allow traffic to or from a computer unless that traffic is part of the authentication process. In practice, this means that computers move off the authenticated network and onto the unauthenticated network as soon as they are turned off. Depending on the authentication mechanism, this move can also occur when the computer goes to sleep. When off or asleep, the computer does not respond to ARP queries and will respond only to broadcasts.

WakeUp does not know if a powered down computer is on an authenticated or unauthenticated network, and the normal methods used by WakeUp will not work.  Normally, to wake a computer from off or from sleep, the WakeUp system only needs to send a Wake-On-LAN (WOL) magic packet as a directed broadcast to the last-known subnet of the target computer, which is the authenticated subnet.  When NAC is implemented, WakeUp must send an additional broadcast to the unauthenticated subnet.  When the computer wakes, it uses its normal authentication method to get back onto the authenticated network.

The problem of sending wakeups to unauthenticated subnets has two parts:

  • WakeUp configuration - determines how WakeUp identifies the corresponding unauthenticated subnet where the computer has moved
  • Network configuration - determines how the network allows a subnet directed broadcast to reach the computer on the unauthenticated subnet

Solutions

The WakeUp system identifies unauthenticated subnets using one of the two methods described below, each of which is subject to the considerations listed. Both methods use a list of unauthenticated subnets specified in a WakeUp Agent registry value called SubnetOverride.

Considerations for each method

Overview

  • WakeUp Agent method - A WakeUp Agent on each authenticated subnet uses a list of unauthenticated subnet(s) to send WOL packets via subnet directed broadcast. The list contains all the unauthenticated subnet(s) that correspond to the authenticated subnet on which the Agent resides. All configuration is done on WakeUp Agents and network switches.
  • WakeUp Server method - Each WakeUp Server uses a list of unauthenticated subnet(s) to send WOL packets via subnet directed broadcast. The list contains all the unauthenticated subnets that correspond to the authenticated subnets for which the WakeUp Server is responsible. All configuration is done on the WakeUp Agent running on the WakeUp Server(s) and network switches.

Supported WakeUp scenarios

  • WakeUp Agent method - This method is supported by a WakeUp Server in Multi-agent or Dedicated agent scenarios. This method is not supported by the Standalone Server scenario.
  • WakeUp Server method - This method is supported by a WakeUp Server in Multi-agent, Dedicated agent or Standalone Server scenarios. This is the only method supported if the WakeUp Server is operating in the Standalone Server scenario.

WakeUp configuration (for details see Configuring SubnetOverride on a WakeUp Agent)

  • WakeUp Agent method - The SubnetOverride registry value is configured on each WakeUp Agent, to contain the list of unauthenticated subnet(s) that correspond to the authenticated subnet on which the Agent resides. In Multi-agent mode, all Agents on a subnet are configured identically. In Dedicated agent mode, only the dedicated Agent needs to be configured. In some instances, the AdditionalSubnets registry value also needs to be configured the same as SubnetOverride. The Agent method does not use the AlwaysQueueToLocalAgent registry value.
  • WakeUp Server method - The SubnetOverride registry value is configured on the WakeUp Agent of each WakeUp Server, to contain the list of all unauthenticated subnets that correspond to the authenticated subnets for which the WakeUp Server is responsible. The AlwaysQueueToLocalAgent registry value is configured on each WakeUp Server. In Multi-agent and Dedicated agent modes, this registry value should be set to ON. In Standalone Server mode, this registry value should be set to OFF, or not used.

Network configuration

  • WakeUp Agent method - Network switches are configured to allow directed broadcast in one direction only. The network is configured to permit forwarding of UDP packets on the WakeUp port 1776 (the default, but configurable). The network is optionally configured with an Access Control List (ACL) that specifies the WakeUp UDP port 1776 and the IP address of the host computer(s) that send the WOL packets. In the Dedicated agent scenario, the ACL should specify the IP address of the Dedicated agent on the corresponding authenticated subnet. In the Multi-agent scenario, any Agent can broadcast, therefore the ACL should specify an IP wildcard for Agents on the corresponding authenticated subnet.
  • WakeUp Server method - Network switches are configured to allow directed broadcast in one direction only. The network is configured to permit forwarding of UDP packets on the WakeUp port 1776 (the default, but configurable). The network is optionally configured with an Access Control List (ACL) that specifies the WakeUp UDP port 1776 and the IP address of each WakeUp Server.

Best practice

  • WakeUp Agent method - The Multi-agent scenario is recommended. The SubnetOverride list on each Agent need only contain the unauthenticated subnet corresponding to the authenticated subnet on which the Agent resides.
  • WakeUp Server method - The SubnetOverride list should be limited to a maximum of 10 subnets. This best practice should prevent overloading network components with excessive wakeup broadcasts, which would cause unacceptable network performance for all uses of the network.

WakeUp is designed to handle wakeups of large numbers of clients across multiple subnets. Each attempt by the WakeUp Server to wake a single client causes a broadcast to the client's last known subnet. With SubnetOverride in use, however, the WakeUp Server then also has to send a broadcast to each of the subnets listed in the SubnetOverride list, before repeating the process for the next client in the wake list.

For example, waking 1,000 clients with a list of 10 unauthenticated subnets causes 11,000 broadcasts (1,000 clients x (1 authenticated subnet + 10 unauthenticated subnets)). The WakeUp Server in the 1E lab took approx. 4 minutes to process this many broadcasts, before it could process any other requests.

If a subnet is unreachable, the process is slowed down by approx. 3 seconds per client due to multiple ARP queries. The Using the WakeUp console page describes the Maximum Burst Size (100) and Burst Delay (5 seconds) settings. These WakeUp Server settings can be used to avoid overloading the server's WakeUp Agent, but will not remove any backlog.

Configuring SubnetOverride on a WakeUp Agent

This registry value should be populated in the WakeUp Agent registry with a comma-separated list of values, each of which defines a subnet. Duplicate subnets are ignored. The subnet on which the Agent resides is also ignored, because it has already been sent a broadcast: the WakeUp Server first instructs the relevant WakeUp Agent to broadcast to the authenticated subnet on which it resides, before processing the SubnetOverride list.

The Server method requires the registry for the WakeUp Agent on the WakeUp Server(s) to be configured.  The Agent method requires the registry for the WakeUp Agent on the 1E Agents to be configured.

HKLM\Software\1E\WakeUpAgt\SubnetOverride (REG_SZ)

The format for each value can be one of the following:

  • Classless Inter-Domain Routing (CIDR) - format: base address/bit length - example: 192.168.13.0/24
  • Subnet mask - format: base address/subnet mask - example: 192.168.13.0/255.255.255.0
  • Subnet broadcast address - format: broadcast address - example: 192.168.13.255

You can mix different format values in the same string as long as each value is consistent with one of the above formats. For example:

192.168.13.0/24,192.168.34.0/255.255.255.0,192.168.10.255

Configuring AdditionalSubnets on a WakeUp Agent

This registry value is not always necessary, but may be required when using the Agent method in Multi-agent or Dedicated agent scenarios.  If the WakeUp Agent starts up before the computer has authenticated, it will attempt to report the unauthenticated subnet as the last known subnet.  The information is not reported back until the computer switches to the authenticated network, but it means the WakeUp Server will attempt to use its normal process to discover an Agent on both subnets on the next wakeup attempt.  The discovery process will fail for the unauthenticated subnet and delay the wakeup. 

If this problem should occur, this registry value allows the WakeUp Agent to inform the WakeUp Server that it will also act as the Agent for the additional subnets, and should be populated with the same list of subnets as specified in the SubnetOverride list.

HKLM\Software\1E\WakeUpAgt\AdditionalSubnets  (REG_SZ)

Each subnet must be in the following format (which differs from the formats available for SubnetOverride).

  • Subnet mask - format: base address,subnet mask - example: 192.168.13.0,255.255.255.0

Multiple subnets would be represented as follows, for example:

192.168.13.0,255.255.255.0,192.168.34.0,255.255.255.0,192.168.10.0,255.255.255.0 
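The following Python script is an added example, not part of the 1E documentation or the WakeUp Agent's own code. It shows how the SubnetOverride and AdditionalSubnets values described above can be validated before they are written to the registry: it parses all three SubnetOverride notations into the directed-broadcast addresses an Agent would target (dropping duplicates and the Agent's own subnet, as the text says the Agent does), derives the matching AdditionalSubnets string, and estimates the broadcast count from the 1,000-client example. Function names are hypothetical, the sample SubnetOverride string is the page's own example, and the assumption that the Agent resides on 192.168.10.0/24 is constructed for the demonstration.

```python
import ipaddress

# The page's own example string; local subnet below is a constructed assumption.
SAMPLE_SUBNET_OVERRIDE = "192.168.13.0/24,192.168.34.0/255.255.255.0,192.168.10.255"
ASSUMED_LOCAL_SUBNET = "192.168.10.0/24"


def _entries(value):
    """Split a comma-separated REG_SZ value, ignoring blanks and surrounding spaces."""
    return [e.strip() for e in value.split(",") if e.strip()]


def broadcast_for_entry(entry):
    """Return the directed-broadcast address for one SubnetOverride entry.

    Accepts the three notations the page lists:
      CIDR            192.168.13.0/24
      subnet mask     192.168.13.0/255.255.255.0
      broadcast only  192.168.13.255
    ipaddress.IPv4Network understands both '/24' and '/255.255.255.0';
    strict=True rejects entries with host bits set (e.g. 192.168.13.5/24),
    which would otherwise silently target the wrong subnet.
    """
    if "/" in entry:
        return ipaddress.IPv4Network(entry, strict=True).broadcast_address
    return ipaddress.IPv4Address(entry)


def resolve_subnet_override(value, local_subnet=None):
    """Turn a SubnetOverride value into the ordered list of broadcast targets.

    Duplicates are dropped (two notations for the same subnet yield the same
    broadcast address) and the Agent's own subnet is skipped, because the
    Server has already had that subnet broadcast to, as the page states.
    """
    local_bcast = None
    if local_subnet:
        local_bcast = ipaddress.IPv4Network(local_subnet, strict=False).broadcast_address
    targets = []
    for entry in _entries(value):
        bcast = broadcast_for_entry(entry)
        if bcast == local_bcast or bcast in targets:
            continue
        targets.append(bcast)
    return [str(b) for b in targets]


def to_additional_subnets(value):
    """Derive an AdditionalSubnets value ("base,mask,base,mask,...") from a
    SubnetOverride value, since the page says both should hold the same list.

    A broadcast-only entry carries no mask, so it cannot be converted
    unambiguously (192.168.13.255 is the broadcast of /24, /23, /22, ...);
    such entries are rejected so the administrator rewrites them explicitly.
    """
    parts = []
    for entry in _entries(value):
        if "/" not in entry:
            raise ValueError(
                f"{entry}: broadcast-only entry has no mask; rewrite it in CIDR "
                "or base/mask form before copying it to AdditionalSubnets")
        net = ipaddress.IPv4Network(entry, strict=True)
        parts.append(f"{net.network_address},{net.netmask}")
    return ",".join(parts)


def estimate_broadcasts(clients, override_count):
    """Broadcasts the Server must send for a wake list: one to each client's
    last-known subnet plus one per SubnetOverride entry (the page's example:
    1,000 clients x (1 + 10) = 11,000)."""
    return clients * (1 + override_count)


if __name__ == "__main__":
    targets = resolve_subnet_override(SAMPLE_SUBNET_OVERRIDE, ASSUMED_LOCAL_SUBNET)
    print("broadcast targets:", targets)
    print("AdditionalSubnets:", to_additional_subnets("192.168.13.0/24,192.168.34.0/255.255.255.0"))
    print("broadcasts for 1,000 clients, 10 subnets:", estimate_broadcasts(1000, 10))
```

Running the script with the page's example value lists the two broadcast targets that remain once the assumed local subnet is excluded, and the rejection of the bare 192.168.10.255 entry when converting to AdditionalSubnets is deliberate: copying it across unchanged would produce a malformed base,mask pair.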

Configuring AlwaysQueueToLocalAgent on a WakeUp Server

This registry value must be set to ON when using WakeUp Server in Multi-agent and Dedicated agent scenarios, so that the WakeUp Server will instruct its local WakeUp Agent to send the additional WOL broadcasts. 

This registry value is either not used, or set to OFF, when using WakeUp Server in Standalone Server scenario, because the WakeUp Server will always use its local WakeUp Agent to send WOL broadcasts, and setting this value to ON would cause these broadcasts to be duplicated.

HKLM\Software\1E\WakeUpSrv\AlwaysQueueToLocalAgent (REG_SZ)