Integration Guide for Genian NAC and Monitrolab AISWG
This guide provides information on integrating Genian NAC with Monitrolab's AISWG (Application Insight Secure Web Gateway).
Overview
This document outlines the configuration and testing procedures required to integrate Genian NAC with Monitrolab's AISWG (Application Insight Secure Web Gateway).
By leveraging Genian NAC's user authentication data and real-time agent-based device information, the integration allows the AISWG admin console to automatically update certificate installation status and user additions in real time.
AISWG will update its user and certificate status by receiving data from Genian NAC. If a certificate is missing, AISWG will block web service access and present a guidance page to install the certificate.
Recommended Versions
Product | Version | Remarks |
---|---|---|
AISWG | V3.0.2 or later | |
Genian NAC | V5.0 or later | Post-May 2020 versions |
Integration Purpose
Genian NAC and AISWG integration offers the following capabilities:
- Real-time Detection of Certificate Installation
- Genian NAC collects certificate installation status in real time via its agent and forwards this data upon related events.
- Since AISWG updates this status only once during initial setup, integration with Genian NAC allows continuous updates.
- Guidance for Users Without Certificates
- AISWG uses Genian NAC data to distinguish between users with or without certificates. Users without a certificate receive a guidance page and are blocked from web access based on AISWG policy.
- Automatic Addition of New Users
- Previously, new users had to be manually added to the AISWG Web Console. With integration, Genian NAC automatically updates the console, or updates existing users' certificate status.
Prerequisites
Networking Prerequisites
Ensure Genian NAC Policy Server can communicate with the port configured in the AISWG Web Console. See SYSLOG Configuration.
- Default port for SYSLOG between NAC and AISWG is UDP/514. (AISWG currently supports only UDP; TCP/TLS support is planned.)
- The receiving port on AISWG may vary depending on your configuration.
- NAC ports are shown under System > Service Management > Connection Ports in the UI.
AISWG Configuration for Integration
This section introduces the minimum AISWG settings required to complete integration with Genian NAC. These steps need to be done only once.
SYSLOG Configuration to Receive from NAC
In the AISWG admin console, go to Policy Settings > Basic Settings, and configure the following under NAC Integration:
Field | Value | Note |
---|---|---|
Enabled | Check 'Enabled' | Select the radio button for 'Enabled' |
Service Port | 514 | Enter the SYSLOG port number (customizable; auto-opened) |
Delimiter | Select box: `\|` / Count: 1 | Set the delimiter character (e.g. `\|`) and count used to split incoming messages into fields |
Genian NAC Configuration for Integration
This section describes the minimal Genian NAC setup required to integrate with AISWG. These steps are also one-time only.
Step 1: Create Node Actions for Certificate Status Check
Go to Policy > Node Policy > Node Actions and create the following two node actions:
- Action for Certificate Installed:
Field | Value | Note |
---|---|---|
Action Name | Certificate_Installed_Action | Enter action name |
Description | Node action for certificate installed | |
CWP Message | Certificate installed | Message shown on CWP page |
OS Type | Windows | Choose Windows or macOS |
Condition Logic | AND | AND or OR |
Condition | File / Exists / C:\Readme_check_certificate.txt | File path to check |
Plugin | Check condition only | Select plugin |
Execution Cycle | Always | Choose 'Always' |
- Action for Certificate Not Installed:
Field | Value | Note |
---|---|---|
Action Name | Certificate_Not_Installed_Action | Enter action name |
Description | Node action for certificate not installed | |
CWP Message | Certificate not installed | Message shown on CWP page |
OS Type | Windows | Choose Windows or macOS |
Condition Logic | AND | AND or OR |
Condition | File / Does Not Exist / C:\Readme_check_certificate.txt | File path to check |
Plugin | Check condition only | Select plugin |
Execution Cycle | Always | Choose 'Always' |
Note
A file named Readme_check_certificate.txt is automatically generated on `C:` to track certificate installation. Genian NAC uses the existence of this file to determine the status.
Step 2: Create Node Groups for Certificate Status
Go to Policy > Group > Node and create two groups:
- Certificate Installed Group:
Field | Value | Note |
---|---|---|
ID | Certificate_Installed_Group | Group ID |
Description | Group for installed certificates | |
CWP Message | Certificate installed | Message for CWP |
Mode | Enabled | Enable group |
Audit Log | On | Enable logging |
Condition Logic | AND | AND or OR |
Condition | Agent Action / If action matches (incl. pre-exec) / Certificate_Installed_Action | Select the action from Step 1 |
- Certificate Not Installed Group:
Field | Value | Note |
---|---|---|
ID | Certificate_Not_Installed_Group | Group ID |
Description | Group for uninstalled certificates | |
CWP Message | Certificate not installed | Message for CWP |
Mode | Enabled | Enable group |
Audit Log | On | Enable logging |
Condition Logic | AND | AND or OR |
Condition | Agent Action / If action matches (incl. pre-exec) / Certificate_Not_Installed_Action | Select the action from Step 1 |
Step 3: Create Search Filters for Event Logs
Go to Audit > Logs > Search Logs and set filters to distinguish between installed and uninstalled certificate logs.
- Filter for Certificate Installed:
Field | Value | Note |
---|---|---|
Description | RESULT=SUCCESS, ACTION=Certificate_Installed_Action | Search keywords |
Log ID | Agent Action | Select 'Agent Action' |
- Filter for Certificate Not Installed:
Field | Value | Note |
---|---|---|
Description | RESULT=SUCCESS, ACTION=Certificate_Not_Installed_Action | Search keywords |
Log ID | Agent Action | Select 'Agent Action' |
After searching the logs with the conditions above, proceed to Step 4. (If you search immediately after creating the node groups, the grouping task may still be running, so matching logs may not yet appear in the results.)
Step 4: Configure SYSLOG Transmission for Matching Logs
After creating the filters in Step 3, click Save on the top right to enter the SYSLOG transmission settings.
- For Certificate Installed:
Field | Value | Note |
---|---|---|
Name | Send_SYSLOG_Cert_Installed | Filter name |
Description | Send logs to AISWG | Description |
SYSLOG Enabled | Checked | Enable SYSLOG |
SYSLOG Field | Value | Note |
---|---|---|
Server Address | xxx.xxx.xxx.xxx | AISWG server IP |
Protocol | UDP | Only UDP supported |
Port | 514 | Configured port in AISWG |
Format | Default | Use 'Default' |
Message | `cert_success\|{_DATETIME}\|DeptName\|{_USERDEPT}\|{_USERNAME}\|{_IP}\|{_USERID}` | See SYSLOG format below |
Charset | UTF-8 | Must be UTF-8 |
- For Certificate Not Installed:
Field | Value | Note |
---|---|---|
Name | Send_SYSLOG_Cert_Not_Installed | Filter name |
Description | Send logs to AISWG | Description |
SYSLOG Enabled | Checked | Enable SYSLOG |
SYSLOG Field | Value | Note |
---|---|---|
Server Address | xxx.xxx.xxx.xxx | AISWG server IP |
Protocol | UDP | Only UDP supported |
Port | 514 | Configured port in AISWG |
Format | Default | Use 'Default' |
Message | `cert_fail\|{_DATETIME}\|DeptName\|{_USERDEPT}\|{_USERNAME}\|{_IP}\|{_USERID}` | See SYSLOG format below |
Charset | UTF-8 | Must be UTF-8 |
Once Steps 1 to 4 are complete, Genian NAC collects certificate installation status in real time and is able to send a SYSLOG message to Monitrolab AISWG whenever a matching event occurs.
Step 5: SYSLOG Format Explanation
Do not modify the SYSLOG message structure arbitrarily, as it is pre-defined for integration between Genian NAC and AISWG.
The delimiter (e.g., `|`) used in the SYSLOG message must match the NAC Integration delimiter setting in the AISWG Web Console.
Note: If Genian NAC user authentication is not active on a node, the user info will not be sent. Duplicate usernames under the same department may also prevent updates.
Format | Description |
---|---|
'cert_success' or 'cert_fail' | Identifies certificate status. Must be placed at the beginning of the SYSLOG message. |
{_DATETIME} | Time of event |
DeptName | Top-level department in AISWG hierarchy |
{_USERDEPT} | User's department from Genian NAC authentication |
{_USERNAME} | Authenticated username (added/updated in AISWG) |
{_IP} | IP address of the node |
{_USERID} | User ID used for authentication |
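The following is an added example, not code from Genian NAC or Monitrolab: it builds the message body in the documented field order, refuses fields that contain the delimiter (which would shift the parsed columns in AISWG), and parses the message the way a receiver with the matching delimiter setting would, flagging the case where user fields arrive empty because NAC user authentication is not active. It assumes the bare message body only; any syslog header that Genian NAC's 'Default' format prepends is not modeled, and the field names in the returned dict are this example's own.

```python
import socket

DELIMITER = "|"      # must match the AISWG 'NAC Integration' delimiter setting
FIELD_COUNT = 7      # status token plus the six documented fields
STATUS_TOKENS = {"cert_success": True, "cert_fail": False}
# Field names are this example's labels for the documented message layout
FIELD_NAMES = ("status", "datetime", "dept_root", "user_dept",
               "username", "ip", "userid")

def build_message(status, datetime_, user_dept, username, ip, userid,
                  dept_root="DeptName", delimiter=DELIMITER):
    """Assemble the NAC -> AISWG message in the documented field order."""
    if status not in STATUS_TOKENS:
        raise ValueError("status must be cert_success or cert_fail")
    fields = (status, datetime_, dept_root, user_dept, username, ip, userid)
    if any(delimiter in f for f in fields):
        # A delimiter inside a value would shift every following column
        raise ValueError("a field contains the delimiter; AISWG would mis-parse it")
    return delimiter.join(fields)

def parse_message(raw, delimiter=DELIMITER):
    """Split the message as a receiver with this delimiter would."""
    parts = raw.split(delimiter)
    if len(parts) != FIELD_COUNT:
        raise ValueError(f"expected {FIELD_COUNT} fields, got {len(parts)}")
    if parts[0] not in STATUS_TOKENS:
        raise ValueError("cert_success/cert_fail must be the first field")
    rec = dict(zip(FIELD_NAMES, parts))
    rec["certificate_installed"] = STATUS_TOKENS[parts[0]]
    # When NAC user authentication is inactive, user fields are not populated
    rec["user_identified"] = bool(rec["username"] and rec["userid"])
    return rec

def roundtrip_udp(message, port=0):
    """Send the message over UDP loopback (AISWG supports UDP only) and parse it."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", port))
    rx.settimeout(2)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tx.sendto(message.encode("utf-8"), rx.getsockname())  # charset UTF-8
        data, _ = rx.recvfrom(4096)
    finally:
        tx.close()
        rx.close()
    return parse_message(data.decode("utf-8"))

if __name__ == "__main__":
    # Constructed sample event, not real user data
    msg = build_message("cert_fail", "2024-05-01 09:30:00", "Sales",
                        "jdoe", "10.0.0.5", "jdoe")
    print(roundtrip_udp(msg))
```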
Verification of Integration Results
After completing the configuration steps, perform the following test for the uninstalled certificate scenario.
Step 1: Delete the certificate file from the endpoint
- To test the uninstalled certificate behavior, delete the file `Readme_check_certificate.txt` located in the `C:\` directory.
Step 2: Check event generation in the Genian NAC Web Console
- Go to Audit > Logs and confirm that the event for a missing certificate is generated.
Step 3: Verify certificate status updates in the AISWG Web Console
In the Monitrolab > Certificate Installation Status menu, search by username and verify certificate installation status:
- Before deleting the certificate, confirm its existence via the Installation Time column.
- After deletion, check that the Installation Time column has been updated.
In the Policy Settings > Policy Management > Policy > User Management menu, search by username and confirm certificate status:
- Before deletion, verify that the Certificate column shows a certificate as present.
- After deletion, confirm that the Certificate column has been updated to NO.
Note
If the certificate does not exist on the user's PC, AISWG policy will block normal web service usage, and a guidance page for certificate installation will be presented.