3.1.10.2. Plugins

In the Plugins tab, you can see all OpenNAC Enterprise plugins and configure them with their corresponding variables.

Note

When enabling or disabling a plugin, we must click on the Save button to save the changes.

Synchronous plugins

The synchronous plugins are executed during the device authentication process using poleval, allowing to change certain device parameters.

During the execution of a synchronous plugin, a poleval can trap and notify possible errors by showing a message in the poleval status message. If the plugin execution time exceeds 10 seconds, it will trigger a warning message.

After the execution of each synchronous plugin, the VLAN ID will be checked, and if the VLAN ID is set to “rejected,” the session status will be automatically updated accordingly. This ensures that the status change is enforced.

Asynchronous plugins

On the other hand, the asynchronous plugins are executed to complement the information or execute other functions when the device is already authenticated. Whenever an asynchronous plugin is executed, it is assigned a tag in the format PLE_<plugin_name>.

Asynchronous plugins are executed using workers, so the log is stored in /var/log/opennac/opennac-job.log file, and it can be viewed from OpenNAC Enterprise server command line or from OpenNAC Enterprise admin UI in Status -> File Log Viewer.

Plugin execution order ensures that during a poleval execution, the plugins are executed in the following order:

1. Synchronous plugins (based on their Execute order attribute)

2. Synchronous plugins

3. Asynchronous plugins

Note

Enabling Verbose Mode in Configuration > Configuration vars in the Logs section, could generate a huge increase in their size.

Control your free disk space in “/var/log” volume.

In the View plugin management option, we can change the plugins view for a table that shows what plugins have which policies activated.

The output options for the table are: Save as SVG , Save as PNG, View Source and Open in Vega Editor.

In ON NAC -> Policies, you can add the plugins in the policy rule postconditions. When a device passes a policy, the plugins configured on that policy will be executed.

Administrators can overwrite the plugin parameters using a single policy rule in the Custom params section in postconditions. You can modify the plugins parameters using the respective variable.

• 3.1.10.2.1. airwatch
• 3.1.10.2.2. airwatchSync
• 3.1.10.2.3. checkHostDomain
• 3.1.10.2.4. ciscoprime
• 3.1.10.2.5. cynerio
• 3.1.10.2.6. discover
• 3.1.10.2.7. fortiGateAccounting
  • 3.1.10.2.7.1. (Feature) fortiGateAccounting Firewall Autodiscover
• 3.1.10.2.8. getADGroup
• 3.1.10.2.9. getUserInfoSync
• 3.1.10.2.10. ipdiscover
  • 3.1.10.2.10.1. Requirements
• 3.1.10.2.11. ironchipSync
  • 3.1.10.2.11.1. Ironchip authorization process
• 3.1.10.2.12. maas360
• 3.1.10.2.13. maas360Sync
• 3.1.10.2.14. manageTags
• 3.1.10.2.15. maxFailedAuthentications
• 3.1.10.2.16. maxFailedAuthenticationsSync
• 3.1.10.2.17. maxMacConnected
• 3.1.10.2.18. medigate
• 3.1.10.2.19. mobileApp2FASync
• 3.1.10.2.20. mobileIron
• 3.1.10.2.21. mobileIronSync
• 3.1.10.2.22. openPorts
• 3.1.10.2.23. paloAlto
• 3.1.10.2.24. radius2FASync
• 3.1.10.2.25. sendHttpRequest
• 3.1.10.2.26. setVlanSync
• 3.1.10.2.27. snmpQuarantine
• 3.1.10.2.28. staticNetworkPortSync
• 3.1.10.2.29. tagsLogoutSync
• 3.1.10.2.30. UserDeviceProfiling
• 3.1.10.2.31. wireGuardSync