How do I validate and examine the information for authenticated agents? (NETIQKB33528)

  • 7733528
  • 02-Feb-2007
  • 18-Mar-2008

Resolution

goal
How do I validate and examine the information for authenticated agents?

fact
Security Manager 5.x

fact
Security Manager 4.20

fact
Security Manager 4.50

fix

You can use the 'Agent Initialization Events' view to verify the information for an authenticated agent computer. The 'Agent Initialization Events' view provides identifying information about each agent computer with which the Consolidator has exchanged a key. For example, this view provides events containing the serial number of the system drive and the MAC address of the network adapter card for all authenticated agent computers.

You can compare the system drive serial number and MAC address detected for authenticated agent computers to the computers in your environment. A mismatch indicates a successful spoofing attempt and requires immediate attention.

Examining Agent Initialization Events

To examine initialization events, see the 'Agent Initialization Events' view located in the Security Views | Security Manager Self-monitoring | Agents folder in the Monitor console.

Examining the Agent Computer

After you have obtained the agent initialization events, compare the identification information in the event with information on the agent computer. A mismatch indicates a successful spoofing attempt and requires immediate attention. To compare the system drive serial number, log on to the computer and enter the following line at the command prompt:

dir

Consider the following example output containing the serial number:

Volume in drive C has no label.
Volume Serial Number is FGH1-B1AA

The first available MAC address is reported in the agent initialization event. To compare the MAC address, enter the following line at the command prompt:

ipconfig /all

Consider the following example output containing the MAC address:

Physical Address...00-A0-B1-C2-34-DE

You can also find the MAC address information in the System Information | Components | Network | Adapter folder in the 'System Tools snap-in' extension of the Computer Management administrative tool. Administrative Tools are located in the Control Panel.
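
The comparison described above can be scripted when many agent computers have to be checked. The following Python sketch is an added example, not NetIQ code: it parses saved output of the dir and ipconfig /all commands (English-language Windows assumed) and compares it with the serial number and MAC address copied from an agent initialization event. The function names are hypothetical, the sample output is constructed from the values shown in this article, and treating a match against any adapter on the host as sufficient is an assumption.

```python
import re

# Serial pattern is deliberately tolerant so the article's sample value parses.
SERIAL_RE = re.compile(r"Volume Serial Number is\s+([0-9A-Za-z]{4}-[0-9A-Za-z]{4})")
# Six-byte addresses only; longer tunnel-adapter identifiers are skipped.
MAC_RE = re.compile(
    r"Physical Address[ .:]*((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})(?![-:][0-9A-Fa-f])"
)


def normalize_mac(mac):
    """Reduce a MAC address to 12 uppercase hex digits so separators do not matter."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_host(dir_output, ipconfig_output):
    """Extract the volume serial and all adapter MACs from saved command output."""
    m = SERIAL_RE.search(dir_output)
    serial = m.group(1).upper() if m else None
    macs = [normalize_mac(x) for x in MAC_RE.findall(ipconfig_output)]
    return serial, macs


def compare(event_serial, event_mac, dir_output, ipconfig_output):
    """Return a list of findings; an empty list means the event matches the host."""
    serial, macs = parse_host(dir_output, ipconfig_output)
    findings = []
    if serial is None:
        findings.append("no volume serial number found in dir output")
    elif serial != event_serial.strip().upper():
        findings.append(f"serial mismatch: event={event_serial} host={serial}")
    if not macs:
        findings.append("no physical address found in ipconfig output")
    elif normalize_mac(event_mac) not in macs:
        findings.append(f"MAC mismatch: event={event_mac} host={macs}")
    return findings


# Constructed sample output, using the values shown in this article.
DIR_OUT = " Volume in drive C has no label.\n Volume Serial Number is FGH1-B1AA\n"
IPCONFIG_OUT = (
    "Ethernet adapter Local Area Connection:\n"
    "   Physical Address. . . . . . . . . : 00-A0-B1-C2-34-DE\n"
)

if __name__ == "__main__":
    for line in compare("FGH1-B1AA", "00:a0:b1:c2:34:de", DIR_OUT, IPCONFIG_OUT) or ["match"]:
        print(line)
```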



note

Please refer to the following knowledge base articles related to the Agent Authentication process:

Overview of Agent Authentication mechanism in Security Manager.

https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB33349

How the Agent and Consolidator exchange keys using an initialize, rekey, and reinitialize process?

https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB33523

How can I troubleshoot and resolve errors with Agent Authentication failures?

https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB33348

What ports, communication and encryption methods does Security Manager use?

https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB1092



Additional Information

Formerly known as NETIQKB33528