Resolution
How do I validate and examine the information for authenticated agents?
fact
Security Manager 5.x
fact
Security Manager 4.20
fact
Security Manager 4.50
fix
You can use the 'Agent Initialization Events' view to verify the information for an authenticated agent computer. The 'Agent Initialization Events' view provides identifying information about each agent computer with which the Consolidator has exchanged a key. For example, this view provides events containing the serial number of the system drive and the MAC address of the network adapter card for all authenticated agent computers.
You can compare the system drive serial number and MAC address detected for authenticated agent computers to the computers in your environment. A mismatch indicates a successful spoofing attempt and requires immediate attention.
Examining Agent Initialization Events
To examine initialization events, see the 'Agent Initialization Events' view located in the Security Views | Security Manager Self-monitoring | Agents folder in the Monitor console.
Examining the Agent Computer
After you have obtained the agent initialization events, compare the identification information in the event with information on the agent computer. A mismatch indicates a successful spoofing attempt and requires immediate attention. To compare the system drive serial number, log on to the computer and enter the following line at the command prompt:
dir
Consider the following example output containing the serial number:
Volume in drive C has no label.
Volume Serial Number is FGH1-B1AA
The first available MAC address is reported in the agent initialization event. To compare the MAC address, enter the following line at the command prompt:
ipconfig /all
Consider the following example output containing the MAC address:
Physical Address...00-A0-B1-C2-34-DE
You can also find the MAC address information in the System Information | Components | Network | Adapter folder in the 'System Tools snap-in' extension of the Computer Management administrative tool. Administrative Tools are located in the Control Panel.
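The comparison described above can be scripted once the output of dir and ipconfig /all has been captured from the agent computer. The following is an added example, not part of the original article or of Security Manager. The function names, the second adapter in the sample output, and the way the event values are passed in are assumptions, because the event field layout is not shown here.

```python
import re

# Constructed sample output, based on the example values shown in this article.
SAMPLE_DIR = (" Volume in drive C has no label.\n"
              " Volume Serial Number is FGH1-B1AA\n")
SAMPLE_IPCONFIG = (
    "Ethernet adapter Local Area Connection:\n"
    "   Physical Address. . . . . . . . . : 00-A0-B1-C2-34-DE\n"
    "Ethernet adapter Local Area Connection 2:\n"
    "   Physical Address. . . . . . . . . : 00-A0-B1-C2-34-DF\n")
MAC_RE = re.compile(r"Physical Address[ .]*:?\s*((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})")

def norm(value):
    """Drop separators and case so 00:a0:b1... and 00-A0-B1... compare equal."""
    return re.sub(r"[^0-9A-Za-z]", "", value).upper()

def volume_serial(dir_output):
    """Return the normalized volume serial from dir output, or None if absent."""
    m = re.search(r"Volume Serial Number is\s+(\S+)", dir_output)
    return norm(m.group(1)) if m else None

def physical_addresses(ipconfig_output):
    """Return every adapter MAC from ipconfig /all output, normalized, in order."""
    return [norm(mac) for mac in MAC_RE.findall(ipconfig_output)]

def check_agent(event_serial, event_mac, dir_output, ipconfig_output):
    """Return a list of mismatch descriptions; an empty list means the host matches."""
    problems = []
    serial = volume_serial(dir_output)
    macs = physical_addresses(ipconfig_output)
    if serial is None:
        problems.append("no volume serial number found in dir output")
    elif serial != norm(event_serial):
        problems.append(f"serial mismatch: event {event_serial}, host {serial}")
    # Assumption: the event reports the first available MAC, so a match on
    # any adapter present on the host is accepted.
    if not macs:
        problems.append("no physical address found in ipconfig output")
    elif norm(event_mac) not in macs:
        problems.append(f"MAC mismatch: event {event_mac}, host {', '.join(macs)}")
    return problems

if __name__ == "__main__":
    issues = check_agent("FGH1-B1AA", "00-A0-B1-C2-34-DE", SAMPLE_DIR, SAMPLE_IPCONFIG)
    print("match" if not issues else "\n".join(issues))
```

Any non-empty result is a mismatch of the kind the article says requires immediate attention.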
note
Please refer to the following knowledgebase articles related to the Agent Authentication process:
Overview of Agent Authentication mechanism in Security Manager.
https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB33349
How the Agent and Consolidator exchange keys using an initialize, rekey, and reinitialize process?
https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB33523
How can I troubleshoot and resolve errors with Agent Authentication failures?
https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB33348
What ports, communication and encryption methods does Security Manager use?
https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB1092