User Guide: AMF Security Controller version 1.8.0

Adding Devices from List



AT-SESC can learn MAC addresses of the devices that are connecting to the OpenFlow Switches and AMF Members it manages. This section covers the steps to register devices from the MAC address list which is maintained by AT-SESC.


Searching a Device by IP Address

You can see the list of devices detected by AT-SESC on the Device > Active Device List page. AT-SESC detects them by examining MAC addresses of the packets received by the OpenFlow Switches and AMF Members it manages.
However, some types of network devices (e.g. multifunction printers) may not be listed on the Device > Active Device List page because those devices are quite passive and do not transmit packets by themselves.
For those devices, you can use the Device Search feature to make AT-SESC instruct the OpenFlow Switches and AMF Members to send out Probe ARP or ARP packets.
When the OpenFlow Switches and the AMF Members receive a response from the Probe ARP or ARP packets, they ask AT-SESC to authenticate the devices.
As a result, AT-SESC lists those "silent" devices on the Device > Active Device List page by referring to the MAC addresses queried by the OpenFlow Switches and AMF Members.

  1. Open the Device > Active Device List page.


  2. Click the "Search Devices" button at the top right corner to open the Device > Search Devices dialog.


  3. Enter an IPv4 address or an IPv4 address range to search for devices.
    A range can be specified either in "xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx" (The first to the last address) or "xxx.xxx.xxx.xxx/xx" (a base address and a mask length).


  4. Click "Search" to go back to the Device > Active Device List page.

    Search packets are sent to the address or address range three times.

    Progress of the search operation is being displayed in the "Search Progress" field at the top right of the page.
    When you click the "Update" button at the top right corner of the Device > Active Device List page, the MAC addresses of the devices newly found by the search are added to the list. Devices found by the Device Search are processed by the existing security policies (actions, devices and the UnAuth Group). If they do not match any policy, they are treated as unauthenticated.
    In that case, you can still detect those devices by configuring a detect-only UnAuth Group, following the steps described in Adding Devices from List > Detecting Devices Using the UnAuth Group.
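The two target forms accepted by the Search Devices dialog ("first-last" and "base/mask length") are easy to mistype into a far larger sweep than intended. The following is an added example, not AT-SESC code: it expands a search target string into the IPv4 addresses that would be probed, and lists the probes for the three rounds the guide describes. The CIDR reading of "base/mask length" and the MAX_TARGETS cap are assumptions of this example, not documented product behaviour.

```python
"""Expand a Device Search target into the IPv4 addresses that would be probed.

Added illustration, not AT-SESC code. It mirrors the two forms the Search
Devices dialog accepts ("first-last" and "base/masklen") plus a bare address.
Assumptions of this example: "base/masklen" is read as a CIDR block, and
MAX_TARGETS is a local safety cap, not a documented product limit.
"""
import ipaddress

MAX_TARGETS = 1024  # assumption: refuse sweeps larger than this (e.g. a mistyped /8)
SEARCH_ROUNDS = 3   # the guide states that search packets are sent three times


def parse_search_target(text):
    """Return the IPv4Address list covered by one search target string.

    "192.0.2.10"              -> [192.0.2.10]
    "192.0.2.10-192.0.2.13"   -> .10, .11, .12, .13 (inclusive)
    "192.0.2.0/28"            -> .1 .. .14 (network and broadcast skipped)
    Raises ValueError on a malformed target, a reversed range, or a range
    larger than MAX_TARGETS.
    """
    text = text.strip()
    if "-" in text:
        first_s, last_s = (p.strip() for p in text.split("-", 1))
        first = ipaddress.IPv4Address(first_s)
        last = ipaddress.IPv4Address(last_s)
        if last < first:
            raise ValueError(f"range end {last} precedes start {first}")
        count = int(last) - int(first) + 1
        if count > MAX_TARGETS:
            raise ValueError(f"{count} addresses exceed the cap of {MAX_TARGETS}")
        return [first + i for i in range(count)]
    if "/" in text:
        # strict=False accepts a host address as the base, e.g. "192.0.2.5/28"
        net = ipaddress.IPv4Network(text, strict=False)
        if net.num_addresses > MAX_TARGETS:
            raise ValueError(f"{net} has {net.num_addresses} addresses, cap is {MAX_TARGETS}")
        if net.prefixlen >= 31:
            return list(net)  # /31 and /32 have no separate network/broadcast address
        # No host answers ARP for the network or broadcast address, so skip them.
        return [a for a in net if a not in (net.network_address, net.broadcast_address)]
    return [ipaddress.IPv4Address(text)]


def probe_schedule(text, rounds=SEARCH_ROUNDS):
    """Return the (round, address) pairs a search would emit: every target
    address is probed once per round, for `rounds` rounds."""
    targets = parse_search_target(text)
    return [(r, a) for r in range(1, rounds + 1) for a in targets]


if __name__ == "__main__":
    for target in ("192.0.2.10-192.0.2.13", "192.0.2.0/28", "198.51.100.7"):
        plan = probe_schedule(target)
        print(f"{target}: {len(plan) // SEARCH_ROUNDS} addresses, {len(plan)} probes")
    try:
        parse_search_target("10.0.0.0/8")
    except ValueError as exc:
        print("rejected:", exc)
```

Run it before pasting a range into the dialog to see how many hosts a search really touches; a reversed range or an over-sized block is rejected instead of silently sweeping the wrong subnet.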


Registering Device from Active Device List

The Device > Active Device List page lists the MAC addresses of the devices which are connected to the OpenFlow Switches and AMF Members managed by AT-SESC.
Unregistered MAC addresses on the Device > Active Device List page can be added either as a new device or a new interface of the existing device.


Registering MAC Address as a New Device

  1. Open the Device > Active Device List page.
    When AT-SESC learns the unregistered MAC address of a device that is connected to and transmits packets to the OpenFlow Switches or the AMF Members, the page shows its status as "Authentication Failed".


  2. Click "Register" in the "Device ID" column of the unregistered MAC address to open the Device > Add Device dialog.


  3. Select "Register this MAC Address as a new device" on the Device > Add Device dialog and click "Submit".

  4. The Device > Add Device page is displayed.
    "Interfaces" section shows the MAC address you selected on the Device > Active Device List page.
    Enter a Device ID (Mandatory), a Tag and a Note for the device.
    Here you can configure a security policy depending on your needs. You can also add more interfaces here if the device has more than one interface and you know MAC addresses of those additional interfaces.


  5. Click "Submit".

  6. The Device > Device List page is displayed.
    You can see the newly added device on the list.


Associating a MAC Address to the Existing Device

If you know that an unregistered MAC address belongs to another interface of an existing device, you can associate the address with that device's interfaces from the Device > Active Device List page.

  1. Open the Device > Active Device List page.
    When AT-SESC learns the unregistered MAC address of a device that is connected to and transmits packets to the OpenFlow Switches or the AMF Members, it shows its status as "Authentication Failed".


  2. Click "Register" in the "Device ID" column of the unregistered MAC address to open the Device > Add Device dialog.


  3. Select "Add this MAC address to an existing device" on Device > Add Device dialog.

  4. Select a device ID for the device to which you want to associate the MAC address.
    At most 100 device IDs are shown in the dropdown list. If you type text in the field, the list is filtered to the device IDs whose Device ID, Tag or Note contains that text (again at most 100 entries). Select the Device ID of the device from the dropdown list.


  5. Click "Submit".

  6. The Device > Update Device page is displayed.
    "Interfaces" section shows the MAC address you selected on the Device > Active Device List page.
    Here you can change the Device ID, Tag, Note and security policy depending on your needs. You can also add more interfaces here if the device has more than one interface and you know the MAC addresses of those additional interfaces.


  7. Click "Submit".

  8. The Device > Device List page is displayed.


Automatically Adding Device Flow Entries on OpenFlow Switch

With the "Static Register" feature, you can configure AT-SESC to automatically install a flow entry on the OpenFlow Switches for a passive device such as a multifunction printer.
This makes the device authenticated without AT-SESC receiving any packets from it, so that other hosts can communicate with the passive device.

Note
When "Static Register" is used, network broadcasts matching the flow entry are transmitted from the OpenFlow ports. Keep this security limitation in mind when using the feature.
Note
When a device for which AT-SESC is configured to automatically add a flow entry is connected to an OpenFlow Switch or port other than the one configured in its policy, normal authentication is performed and the device fails to authenticate. Because the automatically added flow entry is also deleted on an authentication failure, the device may remain unauthenticated even after it is connected to the correct OpenFlow Switch or port again. If the device becomes unable to communicate, connect it to the correct OpenFlow Switch or port, then perform a Device Search by following the steps described in Quick Tour's Adding Devices from List > Searching a Device by IP Address.

  1. Open the Device > Active Device List page.

    When AT-SESC learns the unregistered MAC address of a device that is connected to and transmits packets to the OpenFlow Switches, the page shows its status as "Authentication Failed".
    If a device is passive and does not send packets spontaneously, follow the steps in Quick Tour's Adding Devices from List > Searching a Device by IP Address to list it.
    If the OpenFlow Switch the device connects to is registered in AT-SESC, the "Static Register" button appears in the Device ID column.

  2. Click "Static Register" for the new MAC address to add.

  3. The Device > Add Device page is displayed.
    "Interfaces" section shows the MAC address you selected on the Device > Active Device List page.
    In the Policy section, the OpenFlow Switch ID and port the MAC address is connected to are already filled in, and the "Indefinite expiration date" option is enabled automatically.

    Note
    When a device is configured with all three of an OpenFlow Switch ID, an OpenFlow Switch port and the "Indefinite expiration date" option, its flow entry is automatically added to the OpenFlow Switch.
    When you manually add a device with the same set of settings on the Device > Add Device page, a flow entry for the device is automatically added as well.

    Enter a Device ID (Mandatory), a Tag and a Note for the device.
    You can also add other interfaces and security policies depending on your needs.


  4. Click "Submit".

  5. The Device > Device List page is displayed.



Detecting Devices Using the UnAuth Group

With the UnAuth Group feature, you can categorize and identify new devices by their location and schedule.
If you checked "Only detecting the device." when creating the UnAuth Group, the MAC addresses matching its policy are listed on the Device > Active Device List page with the status "Detected" and the UnAuth Group ID in the Device ID column.
In this case, devices in the UnAuth Group cannot immediately access the network.

  1. Open the Group > UnAuth Group List page.


  2. Click the "Add UnAuth Group" button at the top right corner to move to the Group > Adding UnAuth Group page.


  3. Make sure that "Enabled" is checked.

  4. Enter a Group ID and a Note for the group.
    In this example, set the Group ID to "1F Unauthenticated Devices" and set the Note to blank.

  5. Make sure that "Only detecting the device." is checked.


  6. Click the "Add" button next to "Policies" to open the Group > Edit Policy dialog.


  7. Now let's specify a priority for the security policy.
    In this example, set the priority to "10".

  8. Because this group only performs detection, leave Network blank.
    Note
    If "Only detecting the device." is not checked, leaving Network blank connects matching devices as follows: an OpenFlow Switch connects them to the untagged VLAN (the subnet without a VLAN tag), and an AMF Member connects them to the VLAN configured on the AMF Member. A device that can reach the untagged VLAN may, depending on the switch settings, also be able to reach devices on the control plane.

  9. Then specify conditions for devices to be in the UnAuth Group.
    In this example, set the location to "1F".
    With those settings, unknown devices which are connected to one of the OpenFlow Switches in the location "1F" are detected as members of the UnAuth Group "1F Unauthenticated Devices".


  10. Click "Submit" to go back to the Group > Add UnAuth Group page.


  11. Click "Submit" to go back to the Group > UnAuth Group List page.


  12. Open the Device > Active Device List page.
    The MAC addresses of devices connected to OpenFlow Switches and AMF Members managed by AT-SESC are listed.
    Now you can see that an unauthenticated MAC address connected to any of the OpenFlow Switches in the location "1F" is marked with the status "Detected".


  13. You can filter the device list to detected devices only by selecting "Detected" on the "Status" dropdown list on the Device > Active Device List page.
    Now you can see only devices in the "Detected" status, which are the devices connecting to the OpenFlow Switches in the location "1F".

  14. Now you can add those devices using the steps described in Quick Tour's Adding Devices from List > Registering Device from Active Device List.
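The Note in step 8 describes the one setting combination in an UnAuth Group that is dangerous: detect-only unchecked together with a blank Network, which puts unknown devices on the untagged VLAN or the AMF Member's VLAN. The following is an added example, not AT-SESC code or an AT-SESC API: it models an UnAuth Group and its policies as plain Python data (the field names are this example's own) and lints a set of groups for that combination, alongside the clean "1F Unauthenticated Devices" group built in the walkthrough. The sample groups are constructed for the illustration.

```python
"""Lint UnAuth Group definitions for the failure mode described in the guide:
a group that is not detect-only and whose policy leaves Network blank drops
unknown devices onto the untagged VLAN (OpenFlow Switch) or the AMF Member's
VLAN.  Added illustration with a hypothetical data model; AT-SESC exposes no
such API and the field names here belong to this example only."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class UnAuthPolicy:
    priority: int
    location: Optional[str] = None   # condition: location of the OpenFlow Switch, e.g. "1F"
    schedule: Optional[str] = None   # condition: time window (free text in this model)
    network: Optional[str] = None    # VLAN given to matching devices; None = left blank


@dataclass
class UnAuthGroup:
    group_id: str
    enabled: bool = True
    detect_only: bool = False        # the "Only detecting the device." checkbox
    policies: List[UnAuthPolicy] = field(default_factory=list)


def lint_unauth_group(group: UnAuthGroup) -> List[str]:
    """Return human-readable findings for one group; an empty list means clean."""
    findings = []
    if not group.enabled:
        findings.append(f"[{group.group_id}] group is disabled; its policies never match")
    if not group.policies:
        findings.append(f"[{group.group_id}] group has no policies; it never detects anything")
    for p in group.policies:
        tag = f"[{group.group_id} prio {p.priority}]"
        if p.network is None and not group.detect_only:
            # The case the guide's Note warns about.
            findings.append(
                f"{tag} Network is blank but detect-only is off: matching unknown "
                "devices get the untagged VLAN on OpenFlow Switches or the AMF "
                "Member's VLAN, which may reach the control plane")
        if p.location is None and p.schedule is None:
            findings.append(f"{tag} no location or schedule condition: matches every unknown device")
        if group.detect_only and p.network is not None:
            findings.append(f"{tag} Network '{p.network}' set on a detect-only group; "
                            "the walkthrough leaves it blank")
    return findings


def lint_all(groups) -> List[str]:
    """Lint every group and concatenate the findings."""
    return [f for g in groups for f in lint_unauth_group(g)]


# Constructed sample: the group from the walkthrough (clean) plus two weak variants.
SAMPLE_GROUPS = [
    UnAuthGroup("1F Unauthenticated Devices", detect_only=True,
                policies=[UnAuthPolicy(priority=10, location="1F")]),
    UnAuthGroup("2F Unknown", detect_only=False,
                policies=[UnAuthPolicy(priority=20, location="2F")]),
    UnAuthGroup("Catch-all", detect_only=False,
                policies=[UnAuthPolicy(priority=99)]),
]

if __name__ == "__main__":
    for finding in lint_all(SAMPLE_GROUPS):
        print(finding)
```

The clean group produces no findings; "2F Unknown" is flagged for the blank Network, and "Catch-all" additionally for having no location or schedule condition, so it would match every unknown device in the deployment.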


Adding Detected or Found Devices

Following the steps in Quick Tour's Adding Devices from List > Registering Device from Active Device List, you can add unregistered devices detected on the Device > Active Device List page by the UnAuth Group or Device Search.
If a large number of devices need to be added, consider exporting the devices listed on the Device > Active Device List page and importing an edited CSV file instead of registering them one by one.
Refer to Creating Authentication Data from CSV in Appendix for details.



14 Jun 2021 09:30