The URT logon VLAN is assigned to users during the initial stages of logon, before URT can determine the correct VLAN. If you do not associate a user to a specific VLAN, the user remains in the URT logon VLAN.
Also, when a user logs off, they are switched to the logon VLAN.
This logon VLAN is used for the entire VTP domain.
Procedure
Step 1 Select the VTP domain in the VTP Domains folder. The logon VLAN is set for the VTP domain.
Step 2 Select Edit>Assign Logon VLAN.
Step 3 In the VTP Domain Configuration Dialog window, select the appropriate settings, as described in Table 4-1.
Table 4-1 VTP Domain Configuration Dialog
Field
Description
VTP Domain
Shows the selected VTP domain. The VLAN you select will be for this domain only.
Logon VLAN
Select the VLAN that should be used as the default logon VLAN.
Subnet/Mask
Displays the subnet and mask pairs (for example, 10.10.10.0/255.255.255.240) that are used on the VLAN. URT uses all of these pairs: it does not matter which pair is displayed in the field.
Adding, Changing, or Deleting Subnet/Mask Pairs for a VLAN
It is important that all of the subnet and mask pairs used on the VLAN are shown in this field. If a pair is missing, click Add. In the resulting VLAN Configuration Dialog window, enter the IP addresses for the subnet and mask that are missing, and repeat until all pairs are reflected in the VTP Domain Configuration Dialog window.
If an existing pair is incorrect, select it in the Subnet/Mask field and click Edit. Change the subnet or mask as required.
If there is an extra pair (one that is not used on the VLAN), select it in the Subnet/Mask field and click Remove.
Step 4 Click OK.
Tips
Do not use the management VLAN as the URT logon VLAN. The management VLAN includes the IP addresses of the switches, and is usually VLAN 1.
Be sure you select a VLAN that has a subnet with sufficient IP addresses for all the users in the VTP domain. Otherwise, users might have problems logging into and out of the network, because they might not be able to obtain an IP address.
Your changes do not take effect until you save them to the URT database.
The Cisco discovery protocol (CDP) must be running on the routers in the network in order for URT to automatically pick up the subnet and mask information for a VLAN. If you are not running CDP, you must directly enter the subnet and mask information into URT.
You can determine the logon VLAN for a VTP domain by selecting the VTP domain's folder in URT. The Logon VLAN list in the right-hand pane shows the details.
Adding a VLAN
Use the CWSI Campus VlanDirector application to add VLANs to a VTP domain.
After you have added the VLANs, you can associate users, groups, and organizational units to the new VLANs. If URT is already running, select the Vlan folder and select View>Refresh to refresh this list of VLANs for the VTP domain. (If you created VLANs in several VTP domains, select the VTP Domain folder and refresh it.)
Although you cannot delete a VLAN using URT, you should first reassociate users in URT before deleting a VLAN.
Caution
If the deleted VLAN is defined as a logon VLAN for a VTP domain, Windows users will get a network error when logging into the network in that VTP domain. Also, users associated with a non-existent VLAN get a network error when logging in.
Procedure
Step 1 Select the VLAN in the Vlan folder for the VTP domain in URT.
All users associated to the VLAN are shown in the Assigned Users list in the right-hand pane. The names are in the NT_domain\username or NDS_Directory\username.context format. Groups and organizational units are not shown in this list.
Step 2 Select each user, group, or organizational unit in the URT folders for the NT/NDS domains. Click the Associate VLAN with Users/Groups button, or select Edit>Associate VLAN, and associate them with a different VLAN.
Step 3 Make sure the VLAN is not being used as a logon VLAN. Select the VTP domain's folder, and look at the Logon VLAN list in the right-hand pane, to determine if the VLAN is named there. If it is, change the logon VLAN by selecting Edit>Assign Logon VLAN.
Tips
If you delete a VLAN without reassociating users, groups, and organizational units, users still associated to the deleted VLAN are placed in the logon VLAN.
Users, groups, or organizational units associated with a non-existent VLAN are shown with a blue X in their icon.
If your NT user account does not have Administrator authority in an NT domain that contains users whose VLAN assignments you are changing, you are prompted for a user name and password that does have Administrator authority. Enter the user name in the NT_domain\username format.
If you are not logged into the NDS directory that contains users whose VLAN assignments you are changing, you are prompted to log in with a user account that has browse and read privileges. If you are logged into NDS with a user account does not have browse and read privileges to the directory, you must exit URT and log into the NetWare network with an appropriate account.
Determining Which Users Are Associated with a VLAN
When you click on a VLAN in the URT folder pane (left-hand pane), the Assigned Users list in the right-hand pane shows the users that are associated with the VLAN. This list shows the mappings defined in URT. The Logged In Users list in the bottom half of the right-hand pane shows the users currently logged into the network on that VLAN.
User names are displayed in these formats:
NT-DOMAIN\username
NDS-Directory\username.context
For example, the Microsoft Networking user user0304 in the NT domain ENG_MAIN would appear as ENG_MAIN\user0304, whereas the NetWare user user0304 in the HQ Directory might appear as HQ\user0304.org.company.us.
Groups and organizational units associated with the VLAN are not shown in these lists.
Managing Users in the Network
This section describes the broader tasks of managing users within your network. Some of these tasks require the use of several software products, not only URT. This section is meant to help you understand how URT fits into your normal network administration procedures relating to user management.
You must add the NT domains and NDS directories you want URT to manage to the NT/NDS Domains folder in URT.
Procedure
Step 1 Click the Add Domain button, or select Edit>Add Domain.
Step 2 In the Domain Name window, select the name of the NT domain or NDS directory you want to add. If the domain or directory is not in the drop-down list, enter it into the field.
Step 3 Click OK.
URT creates a folder for the domain or directory, and all users defined on the NT domain controller or NetWare directory are listed in the new folder.
Tips
If there are a large number of users, groups, or organizational units in the domain or directory, it can take several minutes for URT to download the list from the domain controller or NetWare server.
Users, groups, and organizational units that are not assigned to a VLAN are shown with grayed icons.
Users, groups, and organizational units assigned to a VLAN are shown with blue icons.
If you add an NT domain or NDS directory to your network, remember to add the domain or directory to the URT database.
If your NT user account does not have Administrator authority in an NT domain that you are adding, you are prompted for a user name and password that does have Administrator authority. Enter the user name in the NT_domain\username format.
If you are not logged into the NDS directory that you are adding, you are prompted to log in with a user account that has browse and read privileges. If you are logged into NDS with a user account does not have browse and read privileges to the directory, you must exit URT and log into the NetWare network with an appropriate account.
Deleting NT or NDS Domains from the URT Domain List
If you no longer want to manage the users in a particular NT domain for NDS directory, you can remove the domain or directory from the NT/NDS Domain list in URT. If you delete a domain or directory, you lose all user associations to VLANs for that domain or directory.
Procedure
Step 1 Select the NT domain or NDS directory in the NT/NDS Domain folder.
Step 2 Click the Delete Domain button, or select Edit>Delete Domain.
You are asked for confirmation.
Tips
Your changes do not take effect until you save them to the URT database.
If your NT user account does not have Administrator authority for the NT domain that you are deleting, you are prompted for a user name and password that does have Administrator authority. Enter the user name in the NT_domain\username format.
If you are not logged into the NDS directory that you are deleting, you are prompted to log in with a user account that has browse and read privileges. If you are logged into NDS with a user account does not have browse and read privileges to the directory, you must exit URT and log into the NetWare network with an appropriate account.
Adding Users to the Network
When adding users to the network, consider the types of systems the user requires access to. Although a user might normally work on a UNIX or Macintosh workstation, they might also require a Microsoft Networking or NetWare account for occasional access from a Windows 95, Windows 98, or Windows NT machine.
If the user requires a Microsoft Networking or NetWare user account, follow this general procedure for adding the user to the network.
Procedure
Step 1 Add the user to the appropriate NT domain controller or NDS directory.
Step 2 If URT is already running, select the folder for the NT domain or NDS directory and select View>Refresh.
The newly added user appears in the folder for the domain or directory.
Step 3 Add the user to the URT database, following the procedure described in "Associating a User, Group, or Organizational Unit to a VLAN." If you assign the user to an existing NT group or NDS organizational unit, and the group or unit has an appropriate VLAN association, you do not need to create a VLAN association for the user.
If the user has a Windows 95 or Windows 98 machine, the URT client service is automatically installed on the machine the first time the user logs into the NT domain or NDS directory.
For machines that are not Windows 95, Windows 98, or Windows NT 4.0, use the CWSI Campus UserTracking application to assign the machines to a VLAN.
Removing Users from the Network
When you remove a user from the network, you should delete all of the user's accounts.
If the user has an NT or NDS user account, and you have associated the user to a VLAN in URT, deleting the user's NT or NDS account also deletes the mapping in URT. When you start URT (or refresh the user list for the NT domain or NDS directory), users that are no longer defined in the NT domain controller or NDS directory appear with gray icons with a red X. When you save the URT configuration (File>Save to Database), these users are removed from the URT database. (Sometimes you might have to refresh the list of users before these deleted users are removed.)
Deleting a user from the network does not remove the URT client from the user's machine.
Moving Users to Another NT or NDS Domain
URT does not maintain a user's VLAN associations if you move the user account from one NT domain or NDS directory to another.
Procedure
Step 1 Move the user's account on the NT domain controllers or NDS directories. See the Microsoft or Novell documentation for information on how to move user accounts.
Step 2 In URT, select the old user name in the old NT domain or NDS directory.
The VLAN Associations list in the right-hand pane shows the old VLAN associations for the user. If you want to keep these same associations, make a note of them.
Determining Which Users Are Logged Into the Network
URT keeps track of which Windows users are logged into the network. You can view these user lists based on:
Switches—Select a switch, and URT shows the users currently connected to the network through the switch.
VTP domains—Select a VTP domain folder, and URT shows the users currently connected to switches within the domain.
VLANs—Select a VLAN, and URT shows the users currently connected to the network in that VLAN.
NT/NDS domain—Select an NT domain or NDS directory, and URT shows the users currently connected to the network in that domain or directory.
User name—Select a user name, and URT shows all of the machines to which the user is currently logged on.
Table 4-2 describes the information shown for logged-in users.
Table 4-2 Logged on Users List (Login Information)
Column
Description
User Name
The NT or NDS user name. This column does not appear when you view this list by selecting a user name. Names are shown in one of these formats:
NT_DOMAIN\username
NDS_Directory\username.context
(Not shown for login information for a user.)
Hostname
The NT name of the machine on which the user is logged in.
IP address
The IP address of the machine.
Subnet
The subnet on which the machine is connected.
Gateway
The IP address of the router (gateway) used by the machine.
VLAN
The VLAN to which the machine is connected. (Not shown for login information for a VLAN.)
Switch
The IP address of the switch to which the machine is connected. (Not shown for login information for a switch.)
MAC Address
The media access control (MAC) address for the network interface card (NIC) in the machine.
Port
The port on the switch to which the machine is connected.
Last Seen
The date and time the user was last seen on the network, in yyyy/mm/ddHH:MM:SS format.
yyyy is the year
mm is the month
dd is the day
HH is the hour
MM is the minutes
SS is the seconds
Monitoring Users with UserTracking
Use CWSI Campus UserTracking to monitor users. With UserTracking, you can determine if a user is logged in, and to which VLAN and subnet the user is connected. You can also print reports and troubleshoot connections.
If a user is mapped to a VLAN through URT, the user name in UserTracking appears in the NT_domain\username or NDS_Directory\username.context format. For example, if the user is user0304 in the ENG_NEWBU NT domain, the user name field in UserTracking would display:
ENG_NEWBU\user0304
Do not use UserTracking to change the VLAN membership for these users; only use URT to change VLAN membership. Any mappings you make in UserTracking are overridden by any conflicting mapping made in URT.
See the online help for UserTracking for more information on UserTracking.
This section describes the tasks involved in using URT to associate users and groups to VLANs. These tasks only involve the use of the URT interface; they do not directly involve changes to the URT server or client.
Associating a User, Group, or Organizational Unit to a VLAN
By associating a user, group, or organizational unit to a VLAN, you ensure that the user connects to the network in the appropriate VLAN, even if the user logs in on different machines or through different switch ports (for example, if the user's machine is a laptop). Because the user always connects to the network in the same VLAN, you can create security policies based on VLANs and avoid MAC-address-based VLAN mappings.
If you do not create a VLAN association for a user, but you create one for a group or organizational unit to which the user belongs, the user uses the VLAN associated to the group or organizational unit.
Before You Begin
Determine how you want to map users, groups, and organizational units to VLANs. Although you can change VLAN mappings later, if you develop a plan for user-to-VLAN mappings now, you can simplify your network management tasks.
If a user is likely to connect to the network from different locations, consider creating a VLAN mapping for every VTP domain the user is likely to access. To simplify VLAN associations, you can associate groups or organizational units to VLANs instead of users.
Step 1 Double-click the user, group, or organizational unit name in the NT/NDS Domain folder, or:
Select the user, group, or organizational unit name in the list and select Edit>Associate VLAN.
Select the user, group, or organizational unit name in the list and click the Associate VLAN with Users/Groups button.
If you are adding more than one user, you must use the button or the menu command.
Step 2 In the Associate VLAN window, select the appropriate settings as described in Table 4-3.
Table 4-3 Associate VLAN Window
Field
Description
VTP Domain
Select the VTP domain that contains the VLAN to which you want to map the user, group, or organizational unit.
VLAN
Select the VLAN that you want the user, group, or organizational unit to use.
Step 3 Click OK.
Tips
You can select a range of users, groups, or organizational units by using Shift+click, or multiple individual users by using Ctrl+click. All names you select must be associated with the same VLAN.
You cannot drag and drop users or groups to the desired VLAN.
For Microsoft Networking, URT only recognizes Windows NT global groups. It does not recognize Windows NT local groups. If an NT group does not show up in URT, it is probably defined as a local group.
If a user belongs to a group or organizational unit, the user's VLAN association overrides the group or organizational unit VLAN association.
For Microsoft Networking, if there is no user VLAN association, and the user belongs to multiple groups, the VLAN association for the user's primary group takes precedence. If there is no primary group or no association for the primary group, URT selects the VLAN association for the first group in the groups list, scanning from top to bottom, to which the user belongs.
For NetWare, if there is no user VLAN association, the VLAN association for the organizational unit that directly contains the user takes precedence. If there is no association for that organizational unit, URT goes up the NDS tree until an organizational unit is encountered that has a VLAN mapping.
If a user is assigned to a VLAN, the user icon is shown in blue.
When you select a user that is assigned to a VLAN, the details of that assignment are shown in the list pane. If the user is currently logged into the network, the Login Information list shows the machines to which the user is logged on.
You can map a user to one VLAN per VTP domain. If a user connects to the network in a VTP domain for which you have not provided a VLAN mapping, the user is logged into the default logon VLAN for the local VTP domain. The user also remains in the default logon VLAN if the assigned VLAN is not defined on the switch.
Your mapping does not take effect until you save your changes to the URT database. If the user was already assigned to a different VLAN, the user is changed into the new VLAN the next time the switch polls the VMPS server.
If your NT user account does not have Administrator authority in an NT domain that contains users whose VLAN assignments you are changing, you are prompted for a user name and password that does have Administrator authority. Enter the user name in the NT_domain\username format.
If you are not logged into the NDS directory that contains users whose VLAN assignments you are changing, you are prompted to log in with a user account that has browse and read privileges. If you are logged into NDS with a user account does not have browse and read privileges to the directory, you must exit URT and log into the NetWare network with an appropriate account.
Users or groups that are not mapped to VLANs are shown with a grayed-out icon in the folder pane (left-hand pane). To find these users or groups, you must open each NT domain or NDS directory in the folder pane and look for gray icons.
Viewing the Current Information for a User
If you select a user in the URT folder pane (left-hand pane), you can view the current information for the user in the URT list pane (right-hand pane). Use this information to troubleshoot or evaluate mappings.
Table 4-4 shows the information displayed for each user. If you select a group or organizational unit, only the VLAN Associations list is shown.
Table 4-4 User Information: Right-Hand Pane (List Pane)
List
Description
Notes
VLAN Associations
VTP Domain—The VTP domain that contains the VLAN to which the user is mapped.
VLAN—The VLAN to which the user is mapped.
The top list is empty if you have not mapped the user to a VLAN.
If you mapped the user to VLANs in more than one VTP domain, each VTP domain is shown on a separate line.
The bottom list is empty if the user is not currently logged into the network. If the user is logged in on more than one machine, each machine is displayed on a separate line.
Tips
There can be a mismatch between your VLAN association and the VLAN to which the user is actually attached. This can happen for a variety of reasons:
The switch to which the user is attached is not in a VTP domain for which you have defined a mapping. In this case, the user is placed in the default VLAN for the VTP domain.
The switch port is defined as static instead of dynamic. In this case, the user is placed in the VLAN defined on the switch port instead of the VLAN to which you have mapped the user.
The user belongs to more than one group or organizational unit, and the VLAN associations are for the groups or units, not the user.
Moving a User, Group, or Organizational Unit to a Different VLAN
If you determine that a user or group needs to be associated with a different VLAN than the current association, for example, if the user has changed jobs within the company, you can move the user to the appropriate VLAN.
Procedure
Step 1 Double-click the user, group, or organizational unit name in the NT/NDS Domain folder, or:
Select the user, group, or organizational unit name in the list and select Edit>Associate VLAN.
Select the user, group, or organizational unit name in the list and click the Associate VLAN with Users/Groups button.
If you are moving more than one user, group or organizational unit, you must use the button or the menu command.
Step 2 In the Associate VLAN window, select the appropriate settings as described in Table 4-5.
Table 4-5 Associate VLAN Window
Field
Description
VTP Domain
Select the VTP domain that contains the VLAN to which you want to map the user, group, or organizational unit.
Mask
Shows the subnet mask for the VLAN.
Step 3 Click OK.
Tips
You can select a range of users, groups, or organizational units by using Shift+click, or multiple individual users, groups, or organizational units by using Ctrl+click. All names you select must be associated with the same VLAN.
You cannot drag and drop users, groups, or organizational units to the desired VLAN.
The change does not take effect until you save your changes. The user is changed into the new VLAN the next time the switch polls the VMPS server.
If a user, group, or organizational unit is assigned to a VLAN, the icon is shown in blue.
The details of the user's, group's, or organizational unit's current VLAN assignment are shown in the list window.
You can map a user, group, or organizational unit to one VLAN per VTP domain. If a user connects to the network in a VTP domain for which you have not provided a VLAN mapping, the user is logged into the default logon VLAN for the local VTP domain. The user also remains in the default logon VLAN if the assigned VLAN is not defined on the switch.
If your NT user account does not have Administrator authority in an NT domain that contains users whose VLAN assignments you are changing, you are prompted for a user name and password that does have Administrator authority. Enter the user name in the NT_domain\username format.
If you are not logged into the NDS directory that contains users whose VLAN assignments you are changing, you are prompted to log in with a user account that has browse and read privileges. If you are logged into NDS with a user account does not have browse and read privileges to the directory, you must exit URT and log into the NetWare network with an appropriate account.
Deleting Users, Groups, or Organizational Units from a VLAN
If you no longer want a user, group, or organizational unit to be associated with a particular VLAN, you can delete the VLAN association. If you do not assign the user, group, or organizational unit to another VLAN, the user, group, or organizational unit uses the logon VLAN.
Procedure
Step 1 Select the user, group, or organizational unit in the NT/NDS Domain list.
Step 2 Select Edit>Delete VLAN Association.
You are asked to confirm the deletion. The user, group, or organizational unit is not removed from the NT/NDS Domain list—only the VLAN association is removed.
Tips
Users, groups, or organizational units that are not assigned to a VLAN are shown with grayed icons.
Your change does not take effect until you save it to the URT database.
If your NT user account does not have Administrator authority in an NT domain that contains users whose VLAN assignments you are changing, you are prompted for a user name and password that does have Administrator authority. Enter the user name in the NT_domain\username format.
If you are not logged into the NDS directory that contains users whose VLAN assignments you are changing, you are prompted to log in with a user account that has browse and read privileges. If you are logged into NDS with a user account does not have browse and read privileges to the directory, you must exit URT and log into the NetWare network with an appropriate account.
Updating NT Group or NDS Organizational Unit Lists in the URT Servers
The URT servers refresh their lists of NT group and NDS organizational unit membership once a day at midnight. If you make a lot of changes to NT group or NDS organizational unit membership, those changes do not affect user logons until the URT servers refresh their lists.
Use this procedure to force URT to update the NT group and NDS organizational unit lists in the NT or NetWare servers.
Procedure
Step 1 Select the groups or organizational units whose user lists you want to update in the URT servers.
If you select a group or organizational unit name, only that name is updated.
If you select the Groups folder in an NT domain or the Organizational Units folder in an NDS directory, all names in that domain are updated.
If you select the NT/NDS Domains folder, all groups and organizational units in all listed domains are updated.
Step 2 Select Configure>Update URT Server Group Entries.
The URT servers update the group and organizational unit membership lists with the information currently in the domain controllers or NetWare servers.
Ensuring that Logged-Out Users Do Not Hold an IP Address
When a user logs out of the NT network, URT places the user's machine in the logon VLAN for that VTP domain, and gives the machine an IP address appropriate for that VLAN.
If you have a limited number of IP addresses, you can prevent the user from obtaining an IP address when logged out of the NT network. However, you cannot prevent the user from obtaining an IP address if you are using NetWare networking.
Procedure
Step 1 Select View>Options.
Step 2 In the URT Options Dialog window, check Release IP address on logout on the Install tab.
Step 3 Reinstall the URT client service on the Windows NT clients that use Microsoft Networking. See "Installing the URT Client Service on Workstations" in Chapter 6 for the procedure. Make sure that users reboot their workstations after installation is complete.
The Release IP address on logout option applies to all Microsoft Networking Windows NT users managed by URT in every VTP domain. It does not work for Windows 95 or Windows 98 users, or for NetWare users.
Users must reboot their machines whenever you change the Release IP on logout setting.
Because the Windows NT machines do not have IP addresses when no user is logged into the machine, users cannot access resources on Windows NT machines unless a user is logged in if you are using Release IP address on logout.
You cannot print a list of VLAN associations or other settings created in URT.
Coordinating User-to-VLAN and MAC-to-VLAN Mappings
You can use the CWSI Campus UserTracking application to map MAC addresses (the address on the network interface card in a machine) to VLANs. However, in general, you should not create MAC-based mappings for machines normally used by a user associated to a VLAN in URT. If a user mapped in URT logs in on a machine mapped in UserTracking, the URT VLAN association always takes precedence.
If you are combining MAC-based mappings with user-based ones, you must use URT to update the VMPS tables with the information from UserTracking. You cannot use UserTracking to update these tables for switches that are using the URT servers.
Procedure
Step 1 Do a UserTracking discovery, make all of your desired changes in UserTracking, and save your changes.
Step 2 In URT, select Configure>Update MAC to VLAN Mappings.
URT updates the URT servers with information from UserTracking.
Select each user, group, or organizational unit in the URT folders for the NT/NDS domains. Click the Associate VLAN with Users/Groups button, or select Edit>Associate VLAN, and associate them with a different VLAN.
Click the Add Domain button, or select Edit>Add Domain.
Click the Delete Domain button, or select Edit>Delete Domain.