ExtremeConnect Assessment Configuration

The ExtremeConnect Assessment Configuration includes Assessment Map Entries and the Assessment Adapter, which provide you with health tests and results for your Connect modules.

This Help topic provides information on the following:

Assessment MAP Entries

Assessment Adapter

Assessment MAP Entries

All modules except McAfee EMM currently use the assessment adapter to report health results to ExtremeCloud IQ Site Engine. The assessment adapter creates 30 new assessment tests, or pluginIDs, for use by NAC. Each test is reported to NAC by a pluginID created as follows:

  • base value = 100.000
  • plugin id = base value + ENUM ID (for example, OWNERSHIP -> 100.000 + 22 = 100.022)

The following is the complete list of tests and IDs:

  • EXISTS(1)
  • COMPLIANT(2)
  • JAILBROKEN(3)
  • AUTHORIZED(4)
  • WIPED(5)
  • UNINSTALLED(6)
  • COMPROMISED(7)
  • OSOUTOFDATE(8)
  • POLICYOUTOFDATE(9)
  • DEVICEOUTOFDATE(10)
  • BLOCKED(11)
  • INFECTED(12)
  • LOST(13)
  • RETIRED(14)
  • UDID(15)
  • SERIALNUMBER(16)
  • IMEI(17)
  • ASSETNUMBER(18)
  • NAME(19)
  • LOCATION(20)
  • USER(21)
  • OWNERSHIP(22)
  • PLATFORM(23)
  • MODEL(24)
  • OSVERSION(25)
  • PHONENUMBER(26)
  • LASTSEEN(27)
  • PASSCODEPRESENT(28)
  • PASSCODECOMPLIANT(29)
  • DATAENCRYPTION(30)

You can map each test to different variables in each MDM connector.

In the JAMF Casper module’s default configuration, the test EXISTS (pluginID 100001) is mapped to the value of the variable ‘managed’ in JAMF Casper’s database.

NAC Manager can assign risk values and scores to each test using its pluginID. This is needed in order to quarantine devices based on their risk level.

Assessment Adapter

The assessment adapter infrastructure reports health results from ExtremeConnect modules to the NAC, if available. To make the assessment adapter available, it needs to be extracted. To extract the assessment adapter:

  NOTE: This procedure expects the application to be installed in the default directory /usr/local/Extreme_Networks/NetSight/. If the application is not installed in this directory, please adjust the path in the procedure below.
  1. Run the connectAssessmentAdapter.sh extraction script to extract the adapter on the XIQ-SE server.

    /usr/local/Extreme_Networks/NetSight/scripts/connectAssessmentAdapter.sh

     NOTE: The version of the Connect Assessment Adapter must match the version of the ExtremeCloud IQ Site Engine. Please extract the new version of the Connect Assessment Adapter after upgrading ExtremeCloud IQ Site Engine.
  2. Launch the extracted assessment adapter using the following command.

    cd /usr/local/Extreme_Networks/NetSight/wildfly/standalone/deployments/Connect.ear/assessment/
    ./launchAS.sh &

     NOTE: McAfee Enterprise Mobility Management (EMM) uses a separate assessment plugin to gather data from the server and report it as health results to the ExtremeCloud IQ Site Engine server. The MDMAssessment.jar must be in the following directory:

    /usr/local/Extreme_Networks/NetSight/wildfly/standalone/deployments/Connect.ear/assessment/lib

  3. Configure the OS to start the assessment adapter after a restart.

    echo -e '#! /bin/sh\n cd /usr/local/Extreme_Networks/NetSight/wildfly/standalone/deployments/Connect.ear/assessment/\n ./launchAS.sh &\n' >> /etc/rc.local

  4. Before the assessment adapter can be used in ExtremeCloud IQ Site Engine, it has to be created as a valid assessment server.

    1. To add an Assessment Server:
      1. Select Control > Access Control > Configuration > Profiles > Assessment > Default or an assessment configuration
      2. Select Manage > Assessment Servers
      3. Select Add to add a new assessment server
      4. Select Close
    2. In the new server dialog, provide the required data:
      • Assessment Server IP
        The IP Address of the ExtremeCloud IQ Site Engine server.
      • Assessment Server Name
        This can be any name to easily identify the server.
      • Assessment Server Port
        If launched with the launchAS commands, the agent runs on port 8448.
      • Assessment Server Type
        Select FusionAssessmentAgent. FusionAssessmentAgent converts health/compliance information from various ExtremeConnect modules and transforms the data to the health results in the end-system details.
      • Max Concurrent Scans
        Leave this empty. This can be used to increase the capacity of the server. By default, the server allows 10 concurrent scans. In order to use this server for assessment purposes, the server must be in an assessment pool and the assessment pool must be used by an assessment configuration.
    3. Create a scoring override for one or more of these test cases to quarantine end-systems in case they match a certain result string within their description field.

    4. If you want to quarantine all iPads with an iOS version of 5.x, make sure you have enabled Use Quarantine Policy in the corresponding NAC profile and that the corresponding policy on the WLAN controller has a redirect configured within that policy that points to the NAC captive portal.

    5. Enable Assisted Remediation within the NAC configuration in order for NAC to display the remediation/self-help page.

    6. Customize your remediation portal if needed. For example, you can add a remediation link that allows users to register their devices on the MDM portal.

    7. Another customization that is recommended is to define the Custom Remediation Actions to improve the user experience with the help texts on the remediation page.
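
Steps 1 to 3 of the extraction procedure above, written as a re-runnable shell script. This is an added example, not Extreme Networks' code: the function names are hypothetical, the paths and port 8448 are the defaults stated on this page, and it assumes `ss` is installed and that any `exit 0` in rc.local is its last line.

```shell
#!/bin/sh
# Added example, not vendor code. Paths and port are the defaults named on this page.
NETSIGHT=/usr/local/Extreme_Networks/NetSight
ADAPTER_DIR=$NETSIGHT/wildfly/standalone/deployments/Connect.ear/assessment
ADAPTER_PORT=8448

# adapter_ready DIR: true once extraction has produced an executable launchAS.sh.
adapter_ready() {
    [ -d "$1" ] && [ -x "$1/launchAS.sh" ]
}

# port_listening PORT [SS_OUTPUT]: true if a TCP listener is bound to PORT.
# SS_OUTPUT defaults to live `ss -ltn` output; pass captured text to check offline.
port_listening() {
    out=${2-$(ss -ltn 2>/dev/null || true)}
    printf '%s\n' "$out" | awk -v p="$1" \
        '$1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) f = 1 } END { exit !f }'
}

# ensure_boot_entry RC_FILE DIR: register the launch exactly once.
# Re-running is a no-op, and a trailing "exit 0" is kept last so the
# launch line stays reachable.
ensure_boot_entry() {
    rc=$1 dir=$2 tail_exit=
    [ -f "$rc" ] || printf '#!/bin/sh\n' > "$rc"
    if grep -qF "$dir" "$rc"; then return 0; fi
    tmp=$(mktemp) || return 1
    if [ "$(tail -n 1 "$rc")" = "exit 0" ]; then
        sed '$d' "$rc" > "$tmp"; tail_exit=1
    else
        cat "$rc" > "$tmp"
    fi
    printf '(cd "%s" && ./launchAS.sh) &\n' "$dir" >> "$tmp"
    [ -z "$tail_exit" ] || printf 'exit 0\n' >> "$tmp"
    cat "$tmp" > "$rc" && rm -f "$tmp"
    chmod +x "$rc"    # rc.local must be executable to run at boot
}

# Only act when called with --apply, so loading the functions has no side effects.
if [ "${1:-}" = "--apply" ]; then
    adapter_ready "$ADAPTER_DIR" || "$NETSIGHT/scripts/connectAssessmentAdapter.sh"
    if ! port_listening "$ADAPTER_PORT"; then
        (cd "$ADAPTER_DIR" && ./launchAS.sh) &
    fi
    ensure_boot_entry /etc/rc.local "$ADAPTER_DIR"
fi
```

Run it as root with `--apply`; after an ExtremeCloud IQ Site Engine upgrade, run the extraction script again first so the adapter version matches, as the note in step 1 requires.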