
Table of Contents

Installing URT
Installing the URT Administrative Server and Administrative Client Interface
Installing the URT VLAN Policy Server
Removing URT
Logging On to the URT Administrative Server
Starting the URT Administrative Client Interface
Configuring URT: A Roadmap

Installing URT


Before you install URT, review the planning information in "Planning for URT." Because URT is integral to the overall functioning of your network, careful planning prior to installation is essential to successful URT deployment.


Note   This chapter describes the process of installing URT Release 2.5 for the first time. If you are upgrading your system from Release 2.0 to Release 2.5, see "Upgrading URT from Release 2.0 to Release 2.5."

This chapter contains:

Installing the URT Administrative Server and Administrative Client Interface


Note   You must log on to the system with an account that has local administrator privileges.

During the installation, you will be asked to enter:

Procedure

Step 1   Insert the product CD-ROM into the Windows system.

Step 2   Select Start>Run and enter:

d:\setup.exe

Replace d: with the drive letter for your CD-ROM.

Step 3   After the installation program unpacks the URT files and prepares the Install Shield, it displays the Welcome screen. Click Next to continue.

Step 4   In the User Information dialog box, enter the user's name and the company name.

Step 5   The installation program displays the destination location. Click Next to continue.

Step 6   In the URT VPS Port Number dialog box, click Next.


Note    Do not change the port number that the URT VLAN Policy Server uses to connect to the URT Administrative Server. The port number is preconfigured on the server.

Step 7   In the Create URT Administrative Services text box, enter the user ID and password for the system (the user ID must have administrator privileges on the system).

The installation program begins copying files to your system.

Step 8   To complete the installation, select Yes to reboot your system.

After you restart the system, the URT Administrative Server runs on the system, the URT Administrative Client Interface is installed, and URT is added to the program list on the Start>Programs menu.


Note    A single URT Administrative Server is recommended. If more than one URT Administrative Server is installed, URT will not coordinate logons among the servers.



Installing the URT VLAN Policy Server

During the installation you will be asked to enter the URT Administrative Server port number. The preconfigured port number is displayed; do not change this number.

Procedure

Step 1   Insert the product CD-ROM into the Windows system.

Step 2   Select Start>Run, then enter:

d:\setup.exe

Replace d: with the drive letter for your CD-ROM.

When the installation program starts, follow the onscreen instructions.

For detailed information on installing the URT VLAN Policy Server, see Installation and Setup Guide for the Cisco 1101 VLAN Policy Server.



Removing URT

Because of the role of URT in your network, there are several steps you must complete to remove URT from your network. For complete uninstallation instructions, see Chapter 5, "Removing URT," in User Guide for the Cisco Secure User Registration Tool.

Logging On to the URT Administrative Server

To use the URT Administrative Client Interface, you must log on to the system where the URT Administrative Server is installed. However, you do not need to be logged on as a local administrator. The only tasks that require you to be logged on to an account with particular privileges are adding domains to URT and installing the URT logon script on the domain server. However, if you are not logged on to an account with appropriate privileges, URT prompts you for the username and password of an account with appropriate privileges.

Starting the URT Administrative Client Interface

To start the User Registration Tool, select Start>Programs>URT>Start User Registration Tool.


Note   If you get the error message "Failed to establish connection to URT Administrative Server," select Control Panel>Services and scroll to URT Administrative Service. Enable automatic startup for URT Administrative Service by creating a username and password with administrator privileges.

After you have successfully installed the URT software, you must finish configuring URT for it to be active and working correctly on the network. The "Configuring URT: A Roadmap" section describes what you will need and what you must do to complete the configuration. See User Guide for the Cisco Secure User Registration Tool for complete implementation details.

Configuring URT: A Roadmap

All configuration tasks are completed from the URT Administrative Client Interface. The roadmap in this section provides a high-level overview of the configuration process. This roadmap is provided to allow you to gather any data you may need and to perform any additional tasks prior to beginning the configuration process. User Guide for the Cisco Secure User Registration Tool supplies all of the details for each of the steps in this roadmap.

This section comprises:

Supplying URT with User Registration Management Data

Network information must be loaded into URT and configured before you activate URT. The tables throughout this section are provided as sample information-gathering aids. For cases in which you plan to import information from another system or from a file, there is no need to use such aids.

Adding URT VLAN Policy Servers to URT

To add a URT VLAN Policy Server to the URT configuration, you will need to provide the server IP address. Although the installation program prompts you for a port number to use with the URT Administrative Server, port numbers are preconfigured on the server and should not be changed.

Use the following table to record the URT VLAN Policy Server IP address and port number.

URT VPS IP Address | Port Number

Adding VTP, VLAN, and Switch Data to URT

You can add VTP, VLAN, and switch data to URT in one of three ways:

If you are adding individual switches, you may want to use the following table to record the required information.

Switch IP Address | SNMP Read-Only Community String | SNMP Read-Write Community String

Configuring VLANs for URT

For each VLAN in each VTP domain, you must enter all subnet/mask pairs. For each VTP domain, you must designate one VLAN to be the URT logon VLAN.

URT logon VLANs function as the default VLANs for all users. Initially, all users log on to the URT logon VLAN for the VTP domain. When selecting the VLANs to use as URT logon VLANs, keep the following recommendations in mind:

Use the following table to record the required information.

VTP Domain | VLANs | Logon VLAN (Y/N) | Subnets | Masks

Adding NT Domains and NDS Directories to URT

You can add NT domains and NDS directories from an NT domain server or NetWare server using URT. URT can automatically add the users, groups, or organizational units from the domain or directory.

To add NT domains and NDS directories, you must have Administrator authority in every NT domain that you are adding; or, when prompted, enter a username and password for an account that does have Administrator authority. In addition, you must be logged on to the NDS directory that you are adding; or, enter a username and password for an account that has browse and read privileges.

Use the following table to record the required information.

Domain/Directory | Account with Appropriate Authority or Privileges

Associating Users, Groups, or Organizational Units to VLANs

You do not have to create any (or all) of these associations to have a valid URT configuration. Any users, groups, or organizational units not associated with a specific VLAN can use the logon VLANs.

If you want to associate users, groups, or organizational units to VLANs, you can either use the URT menus to configure the associations, or you can use the URT command-line interface to import the associations from a comma-separated values file.

Use the following table to record the required information.

User, Group, or Organizational Unit | VTP Domain | VLAN

Coordinating MAC-to-VLAN Mappings

URT does not support user-based VLAN assignments on all systems. You can include Macintosh, Linux, UNIX, and other types of hosts in your dynamic VLAN planning by assigning VLANs based on the host MAC address. However, user-based VLAN policies take precedence over MAC-based VLAN policies.

You can force URT to give precedence to MAC-based VLAN policies instead of user-based policies by setting the URT option Retain MAC to VLAN Associations.

To assign VLANs based on the host MAC address, you can either use the URT Administrative Client Interface to configure the associations, or you can use the URT command-line interface to import the associations from a comma-separated values file.

Use the following table to record the required information.

MAC Address | VTP Domain | VLAN

Activating URT

Activating URT is a two-step process:

Configuring Switches to Use the URT VLAN Policy Servers

For switches to work with URT, they must already be configured as dynamic. See the "Defining Switch Ports as Dynamic" section.

In addition, you will have to use the URT Administrative Client Interface to configure the switches to use the URT VLAN Policy Server. Configure each switch to use one URT VLAN Policy Server as primary and one (or optionally two) servers as secondary for failover capability. You must have already decided how to divide your switches into groups over the URT VLAN Policy Server. See the "Configuration" section.

At this point, all switches use the URT VLAN Policy Server to determine VLAN membership. Users are assigned to MAC-based dynamic VLANs or to the URT logon VLAN only. No user-based, group-based, or organizational unit-based VLAN assignments work until you install the URT logon script on the domain servers and install the URT Client Module on user workstations.

Use the following table to record the required information.

Switch | Primary URT VPS | Secondary URT VPS | Secondary URT VPS

Updating the Domain Servers

For user logons to be processed by URT and for your user-based, group-based, and organizational unit-based VLANs to become active, you must configure the logon script options using the URT Administrative Client Interface. Note that the options include one that enables the automatic installation of the URT Client Module on user workstations in a Microsoft Networking network. If you select this option, you do not need to install the URT Client Module manually on user workstations. This option is not supported on NetWare networks.

For NetWare, you must also have installed the ZENworks Starter Pack and created the WINNT User Package and WINNT Workstation Package policy objects. These policy objects must be associated with the organizational object that contains the users and groups on whose workstations you will install the URT Client Module.

You must install the URT logon script on the NT domain server or NetWare server in all NT domains and NDS directories you want URT to manage. To install the script, you must have Administrator authority on the NT domain, or Administrator (or Administrator-equivalent) authority on the NetWare directory. Then configure the domain server to run the URT logon script.

Configuring and Installing the URT Logon Script

URT automatically prompts you to reinstall the logon script when you make changes that require it (for example, when changing domain logon options). For more detailed information on the URT logon script, see User Guide for the Cisco Secure User Registration Tool.

If you did not install the logon script when prompted, you can do so later using the instructions in this section.

Before You Begin

You must have NT Administrator authority in the domain or NDS read and browse privileges in the directory.

Procedure

Step 1   Select an NT domain or NDS directory.

Step 2   Select Customize>Install URT Logon Script.

URT displays a list of domain servers or NDS NetWare servers found in the selected domain.

Step 3   Click Yes.

URT installs the URT logon script (urt.bat) on the domain servers and NDS NetWare servers, and displays a message box to show the status of the installation.

Step 4   If necessary, repeat Step 2 and Step 3 for every NT domain or NDS directory in your network.


Note    You must manually add any NT domains or NDS directories that are missing from the NT and NDS Domains folder. To do so, select the NT and NDS Domains folder, then click Add or select Edit>Add. Enter the name of the missing domain or directory (or select one from the list), then click OK.



Configuring Users to Run the Domain Logon Script

On your primary domain server, you must update (or create) the URT logon script (urt.bat). This is a procedure you run once to make sure that users run the logon script at logon. Running the script directs user logons to the URT VPSs.

Configuration Procedure for Microsoft Networking

If you do not already have a logon script, you must either create one or associate users directly with urt.bat as the logon script.

For NT domain servers, the urt.bat file is installed in the NETLOGON directory.

The directory is %SYSTEMROOT%\system32\repl\import\scripts, where %SYSTEMROOT% is the root directory for operating system files.

For example, if you installed Windows NT into C:\WINNT, the NETLOGON directory is C:\WINNT\system32\repl\import\scripts.


Note   If you set NT replication to include logon scripts and one of the backup NT domain servers is unavailable during Client Module installation, the logon scripts are copied to that domain server. If you are not using replication for logon scripts, you must update the logon script on all domain servers.

Before You Begin

To edit the logon script on the NT domain server, you must log onto the system from an account that has Administrator privileges, or be able to connect to the drive containing the script from another workstation where you have Administrator privileges.

Procedure

Step 1   To update a logon script, add the following instruction as the first line of the logon script on the NT primary domain server:

@call %0\..\urt.bat

Step 2   To associate users directly with urt.bat as the logon script:

    a. Start the Windows User Manager administrative tool.

    b. Double-click a username.

    c. In the User Properties window, click Profile.

    d. In the User Environment Profile, enter urt.bat in the Logon Script Name text box, then click OK.



Configuration Procedure for Novell NetWare

Caution   If you are using Novell NetWare, do not edit the urt.bat file.

For NDS, you must have read and browse privileges in the directory.

Use the Novell Application Launcher (NAL) program to add the following instruction to the logon properties for the organization object that contains the users, groups, and other organizational units you want to manage:

@\\%FILE_SERVER\sys\public\urt\urt.bat %FILE_SERVER

Installing the Traditional URT Client Module

The URT Client Module is usually installed automatically.

The following sections describe:

Installing the URT Client Module Automatically

When automatic installation is enabled, the Client Module is installed after you install the URT logon script on the domain server.

If automatic installation is enabled in a Microsoft Networking environment, and a Windows NT or Windows 2000 system logs onto the network, the following events occur:

1. The logon script tries to run a utility on the system that verifies whether the latest version of the Client Module is installed.

2. If the logon script does not find this utility on the system, the script copies the utility to the system and runs it.

3. If the Client Module is not installed, or the installed Client Module is not the latest version, the utility:

    a. Obtains the latest version of the executable files from the domain server.

    b. Tries to install or upgrade to the latest version of the Client Module.

4. If the attempt to install or upgrade fails:

    a. The utility sends a packet to the VLAN Policy Server to request installation of the Client Module on the system.

    b. The VLAN Policy Server requests the URT Administrative Server to install the Client Module on the specified system.

After installation, the client then runs normally.

Installing the URT Client Module Manually

Manual installation of the Client Module is different for Microsoft Networking and Novell NetWare clients. If a workstation runs both Microsoft Networking and NetWare, follow both of these procedures:

Installing the URT Client Module on Microsoft Networking Clients

Follow the instructions in this section to manually install the URT Client Module on a Windows NT, Windows 2000, or Windows XP (Professional) workstation running Microsoft Networking.

Before You Begin
Procedure

Note   You must follow this procedure for every NT domain in your network.


Step 1   In the URT main window, select NT Computers in the folder for an NT domain.

Alternately, if you are installing the Client Module on all Windows NT or Windows 2000 systems in a domain, you can select the domain. (You can select multiple systems by using the Shift key or the Ctrl key.)


Note    You can install the Client Module only on systems that use DHCP. If a selected system does not use DHCP, the Client Module installation fails.

A list of Windows NT and Windows 2000 clients is shown in the right-side pane. The client attributes are described in Table 4-1.

Step 2   To install the Client Module on all listed NT hosts, do not select any systems in the list. Otherwise, select the system on which you want to install the Client Module.

Step 3   Click Install Client Module or select Customize>Install Client Module.

URT installs the Client Module on the selected clients, and displays a message window so that you can monitor the status of the installation.



Table 4-1   NT Hosts: Right-Side Pane (List Pane)

Field | Description

Name | Client name.

Service Status | Status of the Client Module on the system:

  • Installed—The service is installed.
  • Installed Running—The service is installed and active.
  • Query Pending—URT is waiting for a reply from the client.
  • Service Query Error—URT could not determine the status of the service. This might indicate that:
    • The system is not running.
    • The IP address for the system has changed since the last time WINS was updated. After five to ten minutes, this problem should resolve itself.
  • Not Installed—The service is not installed on the client.
  • Host Unreachable—URT did not receive a reply from the client.

Version | Client Module version number (if installed).

Installing the URT Client Module on Novell NetWare Clients

Use the instructions in this section to manually install the Client Module on a Windows NT or Windows 2000 workstation running Novell NetWare.

Before You Begin

See the documentation at the Novell web site for more information.

Procedure

Step 1   At the command prompt on a NetWare client, enter nal to run ZENworks Novell Application Launcher (NAL).

Step 2   In NAL, double-click the NWAdmin32 application.

The NDS directory tree is displayed in the NWAdmin32 application.

If no NWAdmin32 icon displays, you must log on again to NDS as administrator.

Step 3   In the NDS directory tree, double-click the WINNT Workstation Package.

Step 4   In the WINNT Workstation Package, click Add Action.

NAL opens the Create Scheduled Action window.

Step 5   In the Create Scheduled Action window, enter a meaningful name for the action (for example, "Install URT") and click Create.

NAL creates the action and opens the Scheduled Action window.

Step 6   In the Scheduled Action window, select the newly created action and click Details.

Step 7   Select Ignore package default schedule and use the settings described here.

    a. Click Details.

NAL opens the Action Properties window.

    b. In the Action Properties window, select the General tab, and then select these characteristics (allowing the others to default):

Priority—Normal

Impersonation—System

    c. Select the Items tab, and click Add. NAL opens the Item Properties window.

    d. Enter the filename of the Client Module installation program, in the following format:

\\Novellserver\sys\public\urt\UrtClientInstall.bat

Novellserver is the name of the server where you install the URT logon script. URT installs the client module installation and uninstallation program on the server when the URT logon script is installed.

    e. In the Action Properties window, select the Schedule tab, and then select User Logon for Event.

    f. In the Action Properties window, select the Advanced tab, and then select the Disable action after completion checkbox.

The Client Module is installed the first time the user logs on to the NetWare domain.




Tip   To save time later, while you are creating the Install URT object, you might want to also create an Uninstall URT object. This object would have the same properties described above, except the file name is \\Novellserver\sys\public\urt\UrtClientUninstall.bat. Make sure that you deselect the Uninstall URT item in the Scheduled Action window, unless you are uninstalling the client. If you are uninstalling the client, make sure that you deselect the Install URT object.

For more information about uninstalling software from NetWare clients, see the Novell ZENworks documentation.

Setting Up the Web Client Interface

Web-based clients use the URT Web Client Interface to authenticate and assign VLANs to web users. Any configured LDAP or RADIUS domain can authenticate web clients.

For information on adding LDAP directories and RADIUS servers, see the "Adding LDAP Servers" section and the "Adding RADIUS Servers" section.

These topics describe administrative and client tasks for using the web interface:

Configuring DNS Servers on the DHCP Manager

In the DNS field of the DHCP server Logon VLAN scope, add the IP addresses of your VLAN Policy Servers. Doing this allows the web client to be redirected to the VLAN Policy Server for the URT web logon page. If one VLAN Policy Server is down, the secondary VLAN Policy Server is accessed to display the web logon page.

Before logon, any URL the web user enters into the browser is automatically redirected to the URT web logon page. After logon, the user can browse to any allowed URL without changing any browser settings.

The DNS server that runs on the VLAN Policy Server replies to all queries from the current system IP address.


Note   You must modify the DHCP setting for the logon VLAN to use the VLAN Policy Server as the DNS setting. When a user logs on from the web, the web page address is queried in DNS. The response to the query is the IP address of the current VLAN Policy Server, and the URT web logon page is displayed.

Customizing the Web Logon Page

The VLAN Policy Server generates a web page for web clients to enter their user ID, password, and domain name for authentication. The web logon page is the page users see when they first start their browsers.

You can add customized advertisements or announcement text to this page. When you edit the customized text, the page is regenerated.

The web logon page is also regenerated whenever you add or remove an LDAP domain or RADIUS server.

For detailed information on customizing your web logon page, see User Guide for the Cisco Secure User Registration Tool or the URT online help.

Logging On As a Web Client

To use the web client, the user must log onto the local system as an Administrator or root user.

The VLAN Policy Server generates a web page for web logon clients. Web clients see this page when they first start their browsers. The web logon page has user ID, password, and domain name fields.

Before logon, any URL the web user enters into the browser is automatically redirected to the URT web logon page. After logon, the user can browse to any allowed URL without changing any browser settings.


Note   In an environment with several web users, you should consider setting up a dedicated VLAN Policy Server for authenticating web logons. For detailed information, see User Guide for the Cisco Secure User Registration Tool or the URT online help.

Client Logon Procedure

Users can enter their logon information in the URT web logon page.

URT authenticates the user, then gathers MAC address DHCP data from the system to send to the VLAN Policy Server. If necessary, URT releases and renews the web user's IP address.


Note   All web users must have root privileges to release and renew their current IP address so that URT can perform this step, if necessary. See User Guide for the Cisco Secure User Registration Tool or the URT online help for more information.

Procedure

Step 1   In the User Name field, enter your username.

Step 2   In the Password field, enter your password.

Step 3   From the Domains list, select your domain.

Every LDAP and RADIUS domain added to URT is displayed.

Step 4   Click Logon.

The URT logoff page shows your connection time.


Note   If you selected the Log on user and remove logoff window option, the connection time is not displayed.



Adding LDAP Servers

For web logons, URT supports Active Directory (AD) and Novell Directory Services (NDS) domains that use Lightweight Directory Access Protocol (LDAP). When a web client logs on from an LDAP domain, the VLAN Policy Server searches that LDAP tree to locate the user. URT searches the LDAP tree from bottom to top until it finds a VLAN association for the user. If no VLAN associations are found, the user remains in the current (logon) VLAN.

You must add the LDAP servers you want URT to manage to the Directories folder in URT. You can add multiple LDAP directories and assign VLANs at any point in the LDAP tree to users, groups, or organizational units. The tree supports multiple tree levels.
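The bottom-to-top search described above, as an added example (not URT code): it walks a user's DN from the user entry up to the base DN and returns the nearest VLAN association, falling back to the logon VLAN. The DNs, VLAN names and function names are constructed; only entries on the user's DN path are modelled (group membership is not), and treating a user outside the base DN as "no association found" is an assumption.

```python
# Added example, not URT code. All DNs and VLAN names below are constructed.

LOGON_VLAN = "LOGON"            # constructed name for the logon VLAN
BASE_DN = "dc=example,dc=com"   # constructed base DN

# Constructed VLAN associations placed at different levels of the tree.
ASSOCIATIONS = {
    "ou=Engineering,dc=example,dc=com": "ENG",
    "ou=Lab,ou=Engineering,dc=example,dc=com": "LAB",
    "cn=Alice,ou=Lab,ou=Engineering,dc=example,dc=com": "NETOPS",
}


def split_dn(dn):
    """Split a DN into its RDNs, honouring backslash-escaped commas."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":             # unescaped comma ends the current RDN
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    if any(not p or "=" not in p for p in parts):
        raise ValueError("malformed DN: %r" % dn)
    return parts


def normalize_dn(dn):
    """Return the DN as a tuple of lower-cased 'type=value' RDNs."""
    rdns = []
    for rdn in split_dn(dn):
        attr, value = rdn.split("=", 1)
        rdns.append("%s=%s" % (attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)


def resolve_vlan(user_dn, base_dn=BASE_DN, associations=ASSOCIATIONS,
                 logon_vlan=LOGON_VLAN):
    """Return (vlan, matched_dn) for a user, searching bottom to top.

    The user entry is checked first, then each parent container up to and
    including the base DN. With no match the user stays in the logon VLAN
    and matched_dn is None.
    """
    user = normalize_dn(user_dn)
    base = normalize_dn(base_dn)
    table = {normalize_dn(dn): vlan for dn, vlan in associations.items()}

    # Assumption: a DN that is not under the base DN is never located,
    # so it gets the same result as "no association found".
    if user[-len(base):] != base:
        return logon_vlan, None

    # i = 0 is the user entry itself; each step drops the leftmost RDN,
    # moving one level up the tree, and stops after the base DN.
    for i in range(len(user) - len(base) + 1):
        candidate = user[i:]
        if candidate in table:
            return table[candidate], ",".join(candidate)
    return logon_vlan, None


if __name__ == "__main__":
    for dn in (
        "cn=Alice,ou=Lab,ou=Engineering,dc=example,dc=com",
        "CN=Bob, OU=Lab, OU=Engineering, DC=example, DC=com",
        "cn=Carol,ou=Build,ou=Engineering,dc=example,dc=com",
        "cn=Dave,ou=Sales,dc=example,dc=com",
    ):
        print(dn, "->", resolve_vlan(dn))
```

Because the nearest association wins, an association placed high in the tree applies to every user beneath it unless a lower container or the user entry overrides it.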

Before You Begin
Procedure

Step 1   Select the Directories folder.

Step 2   To add a new directory, click Add or select Edit>Add.


Figure 4-1   Adding an LDAP Server


Step 3   In the Add Directory window, click the AD (default) or NDS tab (depending on your platform).

Step 4   Enter the LDAP server host and port information for the LDAP server.

Step 5   Enter your LDAP user ID in LDAP format; for example, cn=username, cn=Users, dc=domainname, dc=company, dc=com.

Step 6   Enter your LDAP password.

Step 7   Select the interval at which the Client Module looks up the user in the LDAP tree to determine if the user's Distinguished Name (DN) has changed.

Step 8   Enter the base DN.

The base DN is the base name used to search for organizational units and users. To get the base DN on the server, click Get Initial DN.


Note    You can add the same LDAP server multiple times if the base DN is unique for each instance.

Step 9   If you are adding a directory exclusively for web logons, select the Web-only logon domain checkbox. Then do one of the following:

URT installs the logon batch script on the domain controller and supports auto-install of NT clients.

URT cannot retrieve the domain name for NDS servers. NDS does not support auto-install; the NT user ID and password are not required. (NDS has a proprietary Novell logon screen that prompts for a user ID and password during installation of the NDS logon script.)

Step 10   Click OK.

URT creates a folder for the domain or directory, and all defined users are listed in the new folder.


Note





Configuring LDAP Servers

You might need to change configuration settings after adding an LDAP server.

Before You Begin
Procedure

Step 1   In the Directories folder, click the LDAP server to be configured.

Step 2   Click Configure, or select Customize>Configure.

Step 3   Make the desired changes to the configuration setup.

Step 4   Click OK.



Adding RADIUS Servers

For web logons, URT supports the use of RADIUS server authentication from Cisco Secure ACS and other AAA servers. You can add multiple RADIUS servers to authenticate web clients. See User Guide for the Cisco Secure User Registration Tool or the URT online help for more information.

Before You Begin

To manage RADIUS servers, you must enter your RADIUS authentication and accounting keys.

Procedure

Step 1   Select the RADIUS Servers folder.

Step 2   Click Add or select Edit>Add.

The Add RADIUS Server window opens.


Figure 4-2   Adding a RADIUS Server


Step 3   Enter the RADIUS server IP address.

Step 4   Enter the RADIUS server authentication port number.

Step 5   Enter the RADIUS server accounting port number.

Step 6   Enter the RADIUS reconfirm interval (in seconds). This entry specifies the frequency for sending accounting packets for currently logged on users.

Step 7   To verify client attributes while a client is logged on, select the Verify associations while logged on checkbox.


Note    If you do not select this checkbox, the VLAN Policy Server does not verify whether client attributes have changed while a client is logged on. Attributes are checked the next time the client logs on.

Step 8   Enter the interval for verifying client attributes. A client sync message takes 5 minutes and the default interval is 12 minutes; therefore, verification occurs every 60 minutes (12 x 5).

Step 9   Enter the domain name to display during web client logon.

Step 10   From the URT VPS list, select the desired server.

Step 11   Enter the RADIUS authentication key.

Step 12   Enter the RADIUS accounting key.


Note    The authentication and accounting keys are the same for the Cisco ACS RADIUS server.

Step 13   Click Add.



Configuring RADIUS Servers

You might need to edit configuration settings after adding a RADIUS server.

Before You Begin

To manage RADIUS servers, you must enter your RADIUS authentication and accounting keys.

Procedure

Step 1   In the RADIUS Servers folder, click the RADIUS server to reconfigure.

Step 2   Click Configure or select Customize>Configure.

Step 3   Make the desired changes to the configuration setup.

Step 4   Click Add.




Posted: Wed May 21 07:07:17 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.