Patch Check for Access Users

To view this video, click the download link.

 

Software Version Used

This video was recorded based on the following versions:

- iMC: iMC PLAT 3.20-E2501, iMC UAM 3.60-E6101, iMC EAD 3.60-E6101

- iNode: iNode 3.60-E6101

Web interfaces of different versions may vary.

 

Application Scenario

Installing Windows updates promptly repairs system defects and effectively protects against various attacks. Ensuring that internal enterprise users download and install the latest updates in time is therefore a major concern for administrators.

Working with Microsoft WSUS, EAD provides an automatic patching function. EAD authentication is performed after a user passes identity authentication. The system isolates a terminal PC that lacks necessary updates, and WSUS automatically patches the PC. After the update completes, the user can successfully access the network. This function ensures that all terminal PCs install the latest updates and eliminates manual updating.

 

Recommended Configuration Flow

To implement patch checking, WSUS must be configured. For a description of how to install and configure WSUS, refer to the related documentation.

This figure describes the recommended configuration flow for patch management.

 

Step 1   Add Access Device

Add an access device that supports AAA to the iMC system, so that the access device acts as the AAA client to cooperate with the iMC system.

Step 2   Add Security Level

Configure a security level, and define the actions to be taken when patch checking fails. The actions can be monitor, inform, isolate, or kick out, among which isolate is the most commonly selected.

Step 3   Add Security Policy

This step shows how to add a security policy and configure the IP address of WSUS.

Step 4   Add Service

A service is a set of policies for user authentication and authorization.

The service configured in this step includes the security policy configured at Step 3.

Step 5   Add Account

Each user accessing the network must have an account configured in iMC. The account contains information such as the account name and password.

This step shows how to add an account and apply for the service configured at Step 4.

Step 6   Configure Policy Server Parameters

This step configures the patch checking interval. After a user passes patch checking, iMC does not repeat the check for that user until the interval has elapsed. This reduces repeated patch checking and improves the efficiency of EAD authentication.

Step 7   Configure Access Device

An access device controls user access, including restricting users that fail EAD authentication to the isolated area where the WSUS server is located.

This step illustrates how to configure a RADIUS scheme, an ISP domain, the 802.1X feature, and security/isolation ACLs on the device.

Step 8   Use iNode for Authentication, Patch Checking and Update (Verify Configuration)

This video will show how to verify the patch management function. Use iNode to initiate authentication on a PC where some critical patches are missing. The WSUS finds out what patches are missing and then automatically downloads and installs the necessary ones. At the same time, iMC takes the action configured at Step 2, isolate in this example, against the user. After updates are installed successfully, initiate authentication again. This time, the user passes the patch checking and can access the network.
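
The following Python sketch is an added example, not iMC code: a simplified model of how the failure action (Step 2), the patch checking interval (Step 6) and the isolation ACL (Step 7) interact, including the window in which a newly required patch is not yet enforced. The patch IDs, IP addresses, times, and the treatment of monitor and inform as leaving access in place are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class PatchPolicy:
    """Simplified model of the EAD patch check (not iMC's implementation)."""
    required: set        # patch IDs WSUS expects; constructed values
    fail_action: str     # Step 2: "monitor", "inform", "isolate" or "kick out"
    interval_s: int      # Step 6: patch checking interval, in seconds
    wsus_ip: str         # Step 3: WSUS server, reachable from the isolated area
    last_pass: dict = field(default_factory=dict)  # account -> time of last pass

    def check(self, account, installed, now):
        """Return (result, missing patches) for one authentication attempt."""
        passed_at = self.last_pass.get(account)
        if passed_at is not None and now - passed_at < self.interval_s:
            # Inside the interval the check is skipped, so a patch that became
            # required after the last pass goes unnoticed until it expires.
            return "skipped", set()
        missing = self.required - set(installed)
        if missing:
            return self.fail_action, missing
        self.last_pass[account] = now
        return "pass", set()

    def can_reach(self, result, dst_ip):
        """Step 7 outcome: which destinations the access device lets through."""
        if result == "isolate":
            return dst_ip == self.wsus_ip      # isolation ACL: WSUS only
        if result == "kick out":
            return False                       # user is forced offline (assumed)
        return True  # pass, skipped, monitor, inform keep access (assumed)


def demo():
    """Constructed timeline for one account; times are in seconds."""
    p = PatchPolicy({"KB-A", "KB-B"}, "isolate", 3600, "10.0.0.5")
    out = [p.check("alice", {"KB-A"}, now=0)]             # KB-B missing
    out.append(p.check("alice", {"KB-A", "KB-B"}, 600))   # after WSUS patching
    p.required.add("KB-C")                                # new critical patch
    out.append(p.check("alice", {"KB-A", "KB-B"}, 1200))  # inside interval
    out.append(p.check("alice", {"KB-A", "KB-B"}, 4300))  # interval expired
    return p, out


if __name__ == "__main__":
    policy, results = demo()
    for r in results:
        print(r, "intranet:", policy.can_reach(r[0], "10.0.0.20"))
```

A longer interval means fewer checks per authentication but a longer period in which a terminal that already passed is not re-evaluated against newly required patches.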