HP ProCurve NAC 800, User Manual

Page 1: ...HP ProCurve Network Access Controller 800 Users Guide ...

Page 2: ......

Page 3: ...ProCurve Network Access Controller 800 Release 1 1 Users Guide ...

Page 4: ...n Group Disclaimer The information contained in this document is subject to change without notice HEWLETT PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE Hewlett Packard shall not be liable for errors contained herein or for incidental or consequential damages in c...

Page 5: ...ir 1 12 Targeted Reporting 1 13 Technical Support 1 14 Upgrading 1 15 Conventions Used in This Document 1 16 Navigation Paragraph 1 16 Tip Paragraph 1 16 Note Paragraph 1 16 Caution Paragraph 1 16 Warning Paragraph 1 17 Bold Font 1 17 Task Paragraph 1 17 Italic Text 1 17 Courier Font 1 18 Angled Brackets 1 18 Square Brackets 1 18 Terms 1 19 Copying Files 1 20 SCP 1 20 PSCP 1 20 Users Guide Online ...

Page 6: ...ifying the ES SNMP Settings 3 18 Modifying the ES root Account Password 3 18 Viewing ES Status 3 19 Deleting ESs 3 21 ES Recovery 3 21 Management Server 3 22 Viewing Network Settings 3 22 Modifying MS Network Settings 3 24 Selecting a Proxy Server 3 25 Setting the Date and Time 3 26 Automatically Setting the Time 3 26 Manually Setting the Time 3 27 Selecting the Time Zone 3 27 Enabling SNMP 3 28 M...

Page 7: ...tion Settings 3 55 Selecting the RADIUS Authentication method 3 55 Configuring Windows Domain Settings 3 55 Configuring OpenLDAP Settings 3 57 Configuring Novell eDirectory Settings 3 60 Adding 802 1X Devices 3 63 Testing the Connection to a Device 3 64 Cisco IOS 3 66 Cisco CatOS 3 68 CatOS User Name in Enable Mode 3 70 Enterasys 3 71 Extreme ExtremeWare 3 73 Extreme XOS 3 75 Foundry 3 77 HP ProCu...

Page 8: ...ting Test Methods 3 110 Ordering Test Methods 3 111 Recommended Test Methods 3 112 Selecting End user Options 3 113 Accessible Services 3 113 Exceptions 3 116 Always Granting Access to Endpoints and Domains 3 116 Always Quarantine Endpoints and Domains 3 117 Notifications 3 117 Enabling Notifications 3 118 End user Screens 3 119 Specifying an End user Screen Logo 3 119 Specifying the End user Scre...

Page 9: ...points to Act on 4 18 Acting on Selected Endpoints 4 19 Manually Retest an Endpoint 4 19 Immediately Grant Access to an Endpoint 4 19 Immediately Quarantine an Endpoint 4 20 Clearing Temporary Endpoint States 4 20 Viewing Endpoint Information 4 21 Troubleshooting Quarantined Endpoints 4 23 5 End user Access Overview 5 2 Test Methods Used 5 3 Agent Callback 5 3 Endpoints Supported 5 5 Browser Versi...

Page 10: ...indows 5 29 Opening Window 5 30 Windows NAC Agent Test Windows 5 31 Automatically Installing the Windows Agent 5 31 Removing the Agent 5 34 Manually Installing the Windows Agent 5 34 How to View the Windows Agent Version Installed 5 36 Mac OS Agent Test Windows 5 36 Installing the MAC OS Agent 5 36 Verifying the Mac OS Agent 5 39 Removing the Mac OS Agent 5 43 ActiveX Test Windows 5 44 Agentless T...

Page 11: ...bout NAC 800 Tests 6 19 Viewing Information About Tests 6 19 Selecting Test Properties 6 19 Entering Software Required Not Allowed 6 19 Entering Service Names Required Not Allowed 6 20 Entering the Browser Version Number 6 21 Test Icons 6 21 7 Quarantined Networks Endpoint Quarantine Precedence 7 2 Using Ports in Accessible Services and Endpoints 7 4 Always Granting Access to an Endpoint 7 6 Alway...

Page 12: ...IUS Server Using the Built in NAC 800 RADIUS Server 11 33 Using the Built in NAC 800 RADIUS Server for Authentication 11 36 Configuring Non HP Switches 11 36 Enabling NAC 800 for 802 1X 11 39 NAC 800 User Interface Configuration 11 39 Setting up the Supplicant 11 40 Windows XP Professional Setup 11 40 Windows XP Home Setup 11 42 Windows 2000 Professional Setup 11 43 Windows Vista Setup 11 45 Setti...

Page 13: ...CP Plug in and the NAC 800 User Interface 13 7 Installing the Plug in 13 7 Enabling the Plug in and Adding Servers 13 11 Viewing DHCP Server Plug in Status 13 13 Editing DHCP Server Plug in Configurations 13 13 Deleting a DHCP Server Plug in Configuration 13 14 Disabling a DHCP Server Plug in Configuration 13 14 Enabling a DHCP Server Plug in Configuration 13 14 14 Reports Report Types 14 2 Genera...

Page 14: ... the Backup Timeouts 15 15 Restoring from Backup 15 16 Restoring the Original Database 15 17 Generating a Support Package 15 17 Supported VPNs 15 18 End user Access Windows 15 19 How NAC 800 Handles Static IP Addresses 15 20 Managing Passwords 15 21 Resetting the NAC 800 Server Password 15 22 Resetting the NAC 800 Database Password 15 23 Changing the NAC 800 Administrator Password 15 23 When the P...

Page 15: ...Management 16 7 SMS Concepts 16 8 NAC 800 SMS NAC 800 Process 16 9 NAC 800 Setup 16 10 Learning More About SMS 16 11 A Configuring the Post connect Server Overview A 2 Extracting the ZIP File A 3 Windows A 3 Linux A 3 ZIP File Contents A 4 Setting up a Post connect Host A 5 Windows A 5 Linux A 6 Viewing Logs A 9 Testing the Service A 10 Windows A 10 Linux A 10 Configuring Your Sensor A 11 Allowing...

Page 16: ...atic Updates B 16 Windows Media Player Hotfixes B 17 Windows Vista SP0 Hotfixes B 17 Windows XP SP1 Hotfixes B 18 Windows XP SP2 Hotfixes B 19 Security Settings OS X B 20 Mac AirPort WEP Enabled B 20 Mac AirPort Preference B 20 Mac AirPort User Prompt B 21 Mac Anti virus B 21 Mac Bluetooth B 22 Mac Firewall B 22 Mac Internet Sharing B 23 Mac QuickTime Updates B 23 Mac Security Updates B 24 Mac Ser...

Page 17: ...ndows C 2 Active Content C 4 Minimum Font Size C 6 Page Caching C 8 Temporary Files C 9 D Installation and Configuration Check List Minimum System Requirements D 2 Installation Location D 3 IP Addresses Hostname Logins and Passwords D 4 Single server Installation D 4 Multiple server Installations D 4 Management Server D 5 Enforcement Server 1 D 5 Enforcement Server 2 D 6 Enforcement Server 3 D 6 P...

Page 18: ...Contents xvi E Ports used in NAC 800 F MS Disaster Recovery Overview F 2 Installation Requirements F 2 Installing the Standby MS F 2 Ongoing Maintenance F 3 Failover process F 3 G Glossary Index ...

Page 19: ...hnical Support 1 14 Additional Documentation 1 3 Upgrading 1 15 Conventions Used in This Document 1 16 Navigation Paragraph 1 16 Tip Paragraph 1 16 Note Paragraph 1 16 Caution Paragraph 1 16 Warning Paragraph 1 17 Bold Font 1 17 Task Paragraph 1 17 Italic Text 1 17 Courier Font 1 18 Angled Brackets 1 18 Square Brackets 1 18 Terms 1 19 Copying Files 1 20 SCP 1 20 PSCP 1 20 ...

Page 20: ...indows Mozilla version 1 7 Mozilla Firefox version 1 5 or later Internet Explorer 6 0 Linux Mozilla version 1 7 Mozilla Firefox version 1 5 or later Mac OS X Mozilla Firefox version 1 5 or later A ProCurve NAC Implementation Start up Service from an autho rized ProCurve partner or ProCurve A ProCurve NAC Endpoint Integrity Agent License ProCurve NAC 800 is delivered as a hardware appliance that yo...

Page 21: ...ance and how to establish initial management access This document contains appliance specifications safety information and appliance certifications 2 ProCurve Network Access Controller 800 Configuration Guide Refer to this document second to understand the product s features capabilities and use This document explains how to configure the appliance based on the usage model you choose to deploy in ...

Page 22: ...e links to refresh the window log out of the user interface and access online help 5 Navigation pane The menu items shown in this pane vary depending on your permission level See User Roles on page 3 39 for more information on permissions You must have administrator privileges to create and edit user roles Once you select a menu item from the navigation pane use the bread crumbs at the top of the ...

Page 23: ... 1 5 Figure 1 1 NAC 800 Home Window 1 Important status announcements 2 User name 4 Window actions 5 Navigation pane 6 Test status area 7 Access control status area 3 Top 5 failed tests area status area 8 Enforcement server status area ...

Page 24: ...s either normal or allow all See Enforcement Clusters and Servers on page 3 6 for instructions on making the access mode selection Health status Health status shows ok for servers with no problems and either warning or error for servers with problems Click the server name to view details Upgrade status Upgrade status shows the status of any upgrades in process memory used The amount of memory curr...

Page 25: ...troduction System Monitor 1 7 The following figure shows the legend for the System monitor window icons Figure 1 2 System Monitor Window Breadcrumbs for navigation Figure 1 3 System Monitor Window Legend ...

Page 26: ... to maximize the advantages and minimize the disadvantages TIP Agentless testing uses an existing Windows service RPC ActiveX testing uses an ActiveX control ProCurve agent testing installs an agent ProCurve NAC EI Agent and runs as a new Windows service The trade offs in the test methods are described in the following table Test method Trade offs Pros Cons Agentless Truly agentless no install or ...

Page 27: ...rm and the information they can view and act on Role based access ensures the integrity of the enterprise wide NAC 800 deployment and creates the separation of duties that conforms to security best practices ActiveX plug in No installation or upgrade to maintain Supports all Windows operating systems Only Internet Explorer application access required through personal firewall Must open port 1500 N...

Page 28: ... log into the network and periodically as the endpoints remain logged into the network Based on results endpoints are either permitted or quaran tined to a specific part of the network thus enforcing the organizational security standards NAC 800 tracks all testing and connection activity and produces a range of reports for auditors managers and IT staff NAC 800 performs pre connect testing when an...

Page 29: ...P range or specific IPs or by geographic location Endpoint Testing NAC 800 automatically tests all endpoints attempting to access your network through a LAN RAS VPN or WiFi connection Tests are fast and you are kept informed of test progress and results After the initial compliance tests NAC 800 periodically tests endpoints that have been granted access to ensure that real time system changes do n...

Page 30: ...porate security standards Manual overrides Administrators can retest quarantine or grant access to endpoints on demand User notifications Users of non compliant endpoints receive imme diate notification about the location of the endpoint deficiencies as well as step by step information about implementing the corrections to achieve compliance Administrator notifications Administrators receive a var...

Page 31: ...ed Reporting NAC 800 reports provide concise security status information on endpoint compliance and access activity Specific reports are available for auditors managers and IT staff members For more information see Reports on page 14 1 ...

Page 32: ...Introduction Technical Support 1 14 Technical Support Technical support is available through www procurve com ...

Page 33: ...ou install additional software on the NAC 800 server you need to remove it in order to troubleshoot any NAC 800 issues and it will likely be partially or fully overwritten during NAC 800 release upgrades orpatchinstalls compromising the third party software functionality Additionally installing third party soft ware and or modifying the NAC 800 software can violate your license agree ment ...

Page 34: ...aph Tips provide helpful but not required information Example TIP Hover the cursor over the x dhcp servers with errors text to get additional information in a pop up window Note Paragraph Notes notify you of important information Example NOTE If there is no activity for 30 minutes the configuration window times out and you must log in again Caution Paragraph Cautions notify you of conditions that ...

Page 35: ...led Credentials tab enabled check box you must specify your Windows domain controller here Task Paragraph Task paragraphs summarize the instructions that follow Example To enter LDAP information Italic Text Italic text is used in the following cases Showing emphasis Low You are not protected from potentially unsafe macros Not recommended Indicating document titles NAC 800 Installation Guide Indica...

Page 36: ...tml In this case you must replace IP_address with the actual IP address such as 10 0 16 99 Do not type the angled brackets Indicating file names SAIASConnector ini Angled Brackets Angled brackets enclose variable text that needs to be replaced with your specific values Example https IP_address index html In this case you must replace IP_address with the actual IP address such as 10 0 16 99 Do not ...

Page 37: ...t 192 168 200 135 Indicating a list in a properties file Compliance ObjectManager DHCPConnec torServers 192 168 51 130 192 168 99 1 Terms Terms are defined in the Glossary on page G 1 Example MAC Media Access Control The unique number that identifies a physical endpoint Generally referred to as the MAC address ...

Page 38: ...chines It has the following syntax scp user source directory file user destination direc tory file scp is included with Linux UNIX PSCP pscp is a program used to copy files between Windows and Linux UNIX machines To use pscp you must first save it from the following location to the Windows machine http www chiark greenend org uk sgtatham putty download html Next open a DOS command window on the Wi...

Page 39: ...ing pscp directory pscp c documents foo txt fred exam ple com tmp foo You will be prompted to enter a password for the Linux UNIX machine NOTE You can either enter the path to the PSCP EXE file as part of the command or cd to the directory where you saved the PSCP EXE file before entering the pscp command ...

Page 40: ... HTML version The online help contains the same content as this Users guide When you click a help link from within NAC 800 the help topic opens in a new window as shown in the following figure Figure 1 4 Online help The following options are available Previous Click the upward pointing icon to go to the previous page Next Click the downward pointing icon to go to the next page Print topic Click th...

Page 41: ...pic you are viewing Click anywhere in the Contents pane to navigate through the document To view the index Online help document Show navigation icon Index tab Figure 1 5 Index tab 1 Click on a letter link at the top of the index column tosee the index entries 2 Click on an index entry to see the location in the text 3 Click on cross reference items in highlighted text to see more information on th...

Page 42: ... Shown navigation icon Search tab Figure 1 6 Search tab 1 Enter a term in the search box 2 Click Go 3 Click on one of the results returned to display it in the right side pane 4 Click on the orange arrow to see the contents of the collapsed section of the document ...

Page 43: ...2 1 2 Clusters and Servers Chapter Contents Overview 2 2 Installation Examples 2 3 ...

Page 44: ...te servers Each ES must be assigned to a cluster This configuration is illustrated in figure 2 2 The responsibilities of the MS and ES are as follows MS Configuration NAC policies Quarantining Endpoint activity License Test updates ES Testing Access control The quarantine method is defined per cluster all of the ESs in a given cluster use the same quarantine method Inline DHCP or 802 1X When using...

Page 45: ...st installation is where the MS and ES are installed on the same physical server as shown in the following figure Multiple server Installations By using at least three servers one for the MS and two for ESs you gain the advantage of high availability and load balancing Figure 2 1 Single server Installation ...

Page 46: ...ty is where ESs take over for any other ES or servers that become unavailable Load balancing is where the testing of endpoints is spread evenly over all of the ESs A three server installation is shown in the following figure Figure 2 2 Multiple server Installation ...

Page 47: ...basis See System Configuration on page 3 1 for task based instructions The following recommendations should be followed when configuring your network for best performance results A maximum of 30 000 endpoints per MS A maximum of five ESs per cluster A maximum of 3000 endpoints per ES A maximum of 10 ESs per MS When these recommendations are followed the following applies 80 of the 3000 endpoints w...

Page 48: ...ers and Servers Installation Examples 2 6 All endpoints are returned to the proper status within 15 minutes after a network recovery power failure all endpoints attempting to recon nect 3000 endpoints per ES ...

Page 49: ... ES Network Settings 3 17 Changing the ES Date and Time 3 17 Modifying the ES SNMP Settings 3 18 Modifying the ES root Account Password 3 18 Viewing ES Status 3 19 Deleting ESs 3 21 ES Recovery 3 21 Management Server 3 22 Viewing Network Settings 3 22 Modifying MS Network Settings 3 24 Selecting a Proxy Server 3 25 Setting the Date and Time 3 26 Automatically Setting the Time 3 26 Manually Setting...

Page 50: ... 3 48 Viewing Test Update Logs 3 49 Quarantining General 3 51 Selecting the Quarantine Method 3 51 Selecting the Access Mode 3 53 Quarantining 802 1X 3 54 Entering Basic 802 1X Settings 3 54 Authentication Settings 3 55 Adding 802 1X Devices 3 63 Testing the Connection to a Device 3 64 Cisco IOS 3 66 Cisco CatOS 3 68 Enterasys 3 71 Extreme ExtremeWare 3 73 Extreme XOS 3 75 Foundry 3 77 HP ProCurve...

Page 51: ...s 3 109 Cluster Setting Defaults 3 110 Testing Methods 3 110 Selecting End user Options 3 113 Accessible Services 3 113 Exceptions 3 116 Notifications 3 117 End user Screens 3 119 Agentless Credentials 3 122 Logging 3 127 Setting ES Logging Levels 3 127 Setting 802 1X Devices Logging Levels 3 128 Setting IDM Logging Levels 3 128 Advanced Settings 3 130 Setting the Agent Read Timeout 3 130 Setting ...

Page 52: ...menu option you do not have system administrator permissions NAC 800 configuration includes the following Enforcement clusters servers Enforcement Clusters and Servers on page 3 6 MS Management Server on page 3 22 User accounts User Accounts on page 3 31 User roles User Roles on page 3 39 License License on page 3 45 Test updates Test Updates on page 3 47 User role Home window menu options availab...

Page 53: ...10 Accessible services Accessible Services on page 3 113 Exceptions Exceptions on page 3 116 Notifications Notifications on page 3 117 End user screens End user Screens on page 3 119 Agentless credentials Agentless Credentials on page 3 122 Logging Logging on page 3 127 Advanced Advanced Settings on page 3 130 NOTE You can override any of the cluster default settings on a per cluster basis ...

Page 54: ...ent clusters Set operating parameters for specific Enforcement clusters which differ from the default Enforcement cluster and server settings set up on the System configuration window View available Enforcement clusters and associated servers View status of Enforcement clusters and servers Select cluster access mode normal or allow all ESs Add edit or delete ESs Set ES network settings date and ti...

Page 55: ...orcement Clusters 3 7 Enforcement Clusters Adding an Enforcement Cluster To add an Enforcement cluster Home window System configuration Enforcement clusters servers Figure 3 1 System Configuration Enforcement Clusters Servers ...

Page 56: ...luster name field b Select a NAC policy group from the NAC policy group drop down list see NAC Policies on page 6 1 2 Click Quarantining in the Add Enforcement cluster window Complete the steps described in Quarantining General on page 3 51 TIP You can also access the quarantine area Enforcement cluster by clicking Quarantining in the System configuration window see Quarantining Gen eral on page 3...

Page 57: ...on page 3 116 Notifications See Notifications on page 3 117 End user screens See End user Screens on page 3 119 Agentless credentials See Agentless Credentials on page 3 122 Logging See Logging on page 3 127 Advanced See Advanced Settings on page 3 130 Editing Enforcement Clusters To edit the Enforcement clusters settings Home window System configuration Enforcement clusters servers 1 Click the cl...

Page 58: ...atus The icons next to the cluster name see Figure 3 4 on page 3 12 The Enforcement cluster window see the following steps To view Enforcement cluster statistics Home window System configuration Enforcement clusters servers Click a cluster name for example Austin The Enforcement cluster window appears Figure 3 3 Enforcement Cluster General ...

Page 59: ...s Deleting Enforcement Clusters NOTE Enforcement clusters need to be empty before the delete option appears next to the name in the NAC 800 user interface To delete Enforcement clusters Home window System configuration Enforcement clusters servers 1 Clickdelete nexttothe cluster youwanttoremove The DeleteEnforcement cluster confirmation window appears 2 Click yes The System configuration window ap...

Page 60: ... Configuration Enforcement Servers 3 12 Enforcement Servers Adding an ES To add an ES Home window System configuration Enforcement clusters servers Figure 3 4 System Configuration Enforcement Clusters Servers ...

Page 61: ...ddress for this ES in the IP address text box 4 Enter the fully qualified hostname to set on this server in the Host name text box 5 Enter one or more DNS resolver IP addresses separated by a commas semicolons or spaces in the DNS IP addresses text box For example 10 0 16 100 10 0 1 1 6 Enter the password to set for the root user of the ES server s operating system in the Root password text box Fi...

Page 62: ... clusters servers 1 Move the mouse over the legend icon The legend pop up window appears 2 Move the mouse away from the legend icon to hide pop up window Moving ESs between Clusters CAUTION If you add an ES to the wrong cluster you must reset the system in order to move it to the correct cluster 9080 To move an ES to a different cluster 1 Disconnect the ES by shutting it down or removing the netwo...

Page 63: ...or this Enforcement server in the IPaddress text box 11 Enter the fully qualified hostname to set on this server in the Host name text box 12 Enter one or more DNS resolver IP addresses separated by a commas semicolons or spaces in the DNS IP addresses text box For example 10 0 16 100 10 0 1 1 13 Enter the password to set for the root user of the ES server s operating system in the Root password t...

Page 64: ...on area is displayed 3 Edit the following settings ES Network settings Changing the ES Network Settings on page 3 17 ES Date and time Changing the ES Date and Time on page 3 17 ES SNMP settings Modifying the ES SNMP Settings on page 3 18 Other settings Modifying the ES root Account Password on page 3 18 4 Click ok Figure 3 7 Enforcement Server ...

Page 65: ... ES address in the IP address text field For example 192 168 153 35 Enter a new netmask in the Network mask text field For example 255 255 255 0 Enter a new gateway in the Gateway IP address text field For example 192 168 153 2 Enter one or more DNS resolver IP addresses separated by commas semicolons or spaces in the DNS IP addresses text box For example 10 0 16 100 10 0 1 1 NOTE The NAC 800 ESs ...

Page 66: ...back the clock will have adverse effects on the system Modifying the ES SNMP Settings To change the ES SNMP settings Home window System configuration Enforcement clusters servers Select an ES Configuration 1 Select the Enable SNMP check box 2 Enter a Read community string such as Public2 3 Enter the Allowed source network This value must be either default or a network specified in CIDR notation Mo...

Page 67: ... see the following steps The Enforcement server window allows you to view the following information Health status Upgrade status Process thread status System load average for the server Current endpoints being tested minute for the server Percentage of memory used on the server Disk space usage for the server To view ES status Home window System configuration Enforcement clusters servers ...

Page 68: ...System Configuration Enforcement Servers 3 20 1 Click the server for which you want to view the status The Enforcement server window appears 2 Click ok or cancel Figure 3 8 Enforcement Server Status ...

Page 69: ...cement clusters servers 1 Click delete next to the server you want to remove from the cluster The Delete Enforcement server confirmation window appears 2 Click yes The System configuration window appears ES Recovery If an existing ES goes down and comes back up it can participate in its assigned cluster even if the MS is not available When a new ES is created the MS must be available before the ES...

Page 70: ...System Configuration Management Server 3 22 Management Server Viewing Network Settings To view MS status Home window System configuration Management server ...

Page 71: ...System Configuration Management Server 3 23 Figure 3 9 System Configuration Management Server ...

Page 72: ... which can show an ES error condition and cause authentication problems See Maintenance on page 3 106 for instructions on backing up and restoring your system To modify MS network settings Home window System configuration Management server WARNING Changing the MS network settings will cause the network interface to restart 1 Click edit network settings in the Network settings area 2 Enter the valu...

Page 73: ...iguration Management server 1 Select Use a proxy server for Internet connections 2 Enter the IP address or hostname of the server that will act as the proxy for Internet connections in the Proxy server IP address text field 3 Enter the port used for connecting to the proxy server in the Proxy server port text field 4 If your proxy server requires authentication select the Proxy server is authentic...

Page 74: ... configure the following Allow automatic synchronization with an NTP server Manually set date and time for the MS Edit date and time Set time zone Set date Set time NOTE Date and time settings are applied to the MS however you can set the time zone for each ES Automatically Setting the Time To automatically set the time Home window System configuration Management server 1 Select Automatically rece...

Page 75: ...rect date and time 4 Click ok 5 Click ok CAUTION Manually changing the date time other than a time zone change a large amount will require a restart of all servers Rolling back the clock will have adverse effects on the system Selecting the Time Zone To set the time zone Home window System configuration Management server 1 Select the following a Select a region from the Region drop down list in th...

Page 76: ...ommunity string used to authorize SNMP notifications from NAC 800 5 Select one or both of the following a SelecttheResendnotificationscheckboxandentertheresendinterval for example 60 NOTE NAC policy tests can be configured such that if an endpoint fails the test it will be granted network access temporarily In these cases it might be desirable not to send an SNMP notification b Select the Do not s...

Page 77: ...automatically shutdown and restart after the software downloads TIP Since upgrading can take longer than the default timeout 45 minutes setting of the NAC 800 Update ProCurve recommends that you increase the timeout value when you have limited bandwidth by performing the steps described in Changing the NAC 800 Upgrade Timeout Changing the NAC 800 Upgrade Timeout Since upgrading can take longer tha...

Page 78: ...System Configuration Management Server 3 30 Where minutes is the number ofminutes ofinactivityNAC800willwaitbefore assuming the upgrade failed For example 30 The default value is 45 ...

Page 79: ...oles and clusters assigned See User Roles on page 3 39 for more information on setting permissions for the user roles The User accounts menu option allows you to do the following View user accounts Search by user ID user name or email address Add a user account Edit a user account Delete a user account Adding a User Account To add a user account Home window System configuration User accounts ...

Page 80: ...System Configuration User Accounts 3 32 Figure 3 12 System Configuration User Accounts ...

Page 81: ... user account Email address The email address used for notifications 3 Select an Account status enabled This status allows an account to log into the user interface disabled This status prevents an account from logging into the user interface 4 In the User roles area select one of the following default roles for the user account See User Roles on page 3 39 for more information about user roles and...

Page 82: ...rom the Search drop down list user ID full name User Role Name Description Cluster Administrator For their clusters users having this role can configure their assigned clusters view endpoint activity change endpoint access control retest endpoints and generate reports View Only User Users having this role can view endpoint activity and generate reports about their clusters System Administrator Use...

Page 83: ...ing the User Account Area To sort the user account area Home window System configuration User accounts Click the column heading for user id full name email address user roles or clusters The user accounts reorder according to the column heading selected Click the column heading again to change from ascending to descending Copying a User Account To copy a user account Home window System configurati...

Page 84: ...ears The account information is duplicated from the original account 2 Enter the User ID of the new account 3 Enter the Password 4 Re enter the password 5 Select the Account status enable or disable 6 Select the User role for the account 7 Select the Clusters that the user account can access 8 Click ok Figure 3 14 Copy User Account ...

Page 85: ...stem configuration User accounts 1 Click the name of the user account that you want to edit The User account window appears 2 Change or enter information in the fields you want to change See Adding a User Account on page 3 31 for information on user account settings 3 Click ok Figure 3 15 User Account ...

Page 86: ...e or edit the account with which you are currently accessing the interface Doing so can produce an error and lock you out of the interface until your session has timed out To delete a user account Home window System configuration User accounts 1 Click delete next to the user account you want to remove The Delete user account confirmation window appears 2 Click yes ...

Page 87: ...s Add a new user role Name the new user role Provide a detail description for the new user role Assign permissions to the new user role Edit a user role Edit the name of the user role Edit the detail description of the user role Edit the assigned permissions for the user role Delete a user role Adding a User Role To add a user role Home window System configuration User roles ...

Page 88: ...System Configuration User Roles 3 40 Figure 3 16 System Configuration User Roles ...

Page 89: ...information about permissions the following table Figure 3 17 Add User Role Permission Description Configure clusters Allows you to add clusters configure the settings of all your assigned clusters and delete any of your clusters Configure servers Allows you to configure all servers within your clusters Configure the system Allows you to configure all system level settings View system alerts Allow...

Page 90: ...s Manage NAC policies Allows you to manage the NAC policies for all of your clusters View endpoint activity Allows you to view details about all endpoints in your clusters Monitor system status Allows you to monitor the system status Control Access Allows you to quarantine or grant network access to endpoints in your clusters Retest endpoints Allows you to have endpoints in your clusters retested ...

Page 91: ...ange See Adding a User Role on page 3 39 for information on user role settings 3 Click ok Deleting User Roles NOTE You cannot delete the System Administrator role To delete user roles Home window System configuration User roles 1 Click delete next to the user role you want to remove The Delete user role confirmation window appears Figure 3 18 User Role ...

Page 92: ... 2 Click yes Sorting the User Roles Area To sort the user roles area Home window System configuration User roles 1 Click user role name or description column heading The selected category sorts in ascending or descending order 2 Click ok ...

Page 93: ...u to configure the following View license start and end dates View number of days remaining on license and associated renewal date View remaining endpoints and servers available under license Updating Your License To update your license Home window System configuration License ...

Page 94: ...System Configuration License 3 46 1 Click submit license request 2 Click ok on the license validated pop up window Figure 3 19 System Configuration License ...

Page 95: ...the following View last successful test update date time Check for test updates forces an immediate check for test updates Set time or times for downloading test updates View test update logs Manually Checking for Test Updates To manually check for test updates Home window System configuration Test updates ...

Page 96: ...cessful test update area click check for test updates 2 Click ok NOTE It is important to check for test updates during the initial configuration of NAC 800 Selecting Test Update Times To select test update times Figure 3 20 System Configuration Test Updates ...

Page 97: ... every hour using the ProCurve Secure Rule Distribution Center All times listed are dependent upon the clock setting and time zone of the hardware on which NAC 800 is running 2 Click ok Viewing Test Update Logs To view test update logs Home window System configuration Test updates 1 Click the View test update log link just to the right of the Check for test updates button The Test update log windo...

Page 98: ...System Configuration Test Updates 3 50 The Test update log window legend is shown in the following figure Figure 3 22 Test Update Log Window Legend ...

Page 99: ...ption allows you to configure the following by cluster Select the quarantine method Select the access mode Basic 802 1X settings Authentication settings Add edit delete 802 1X devices Selecting the Quarantine Method To select the quarantine method Home window System configuration Quarantining ...

Page 100: ...System Configuration Quarantining General 3 52 1 Select a cluster Figure 3 23 System Configuration Quarantining ...

Page 101: ...le subnetwork or VLAN network one quarantine area must be configured for each subnetwork See Remote Device Activity Cap ture on page 12 1 for information on using multiple DHCP servers Inline When using the inline quarantine method NAC 800 must be placed on the network where all traffic to be quarantined passes through NAC 800 It must be inline with an endpoint like a VPN 3 Click ok Selecting the ...

Page 102: ...config ured with the NAC IAS plug in to point to an enforcement server can be used instead When possible a local RADIUS server that proxies to the IAS server should be the preferred configuration 2 Enter one or more non quarantined subnets separated by commas in the Quarantine subnets text field All subnets should be entered using CIDR addresses 3 Select a RADIUS server type by selecting one of th...

Page 103: ...indows domain through NTLM protocol The ES must be able to join to the domain for this to work See Configuring Windows Domain Settings on page 3 55 for more information OpenLDAP User credentials are queried from an OpenLDAP direc tory service See Configuring OpenLDAP Settings on page 3 57 for more information Novell eDirectory User credentials are queried from a Novell eDirec tory directory servic...

Page 104: ...System Configuration Quarantining 802 1X 3 56 1 SelectWindowsdomainfromtheEnd userauthenticationmethoddrop down list Figure 3 24 System Configuration Windows Domain ...

Page 105: ...Server to test from drop down list in the Test Windows domain settings area The ES in this cluster to test from or The MS NOTE If you have a single server installation the Server to test from drop down list is not available b To verify a specific set of user credentials in addition to the Windows domain settings select the Verifycredentialsforanend user check box and specify the following i Enter ...

Page 106: ...System Configuration Quarantining 802 1X 3 58 1 Select OpenLDAP from the End user authentication method drop down list Figure 3 25 System Configuration OpenLDAP ...

Page 107: ...iversal password of the eDirectory user 9 To use a secure Transport Layer Security TLS connection with the LDAP server that is verified with a certificate authority a Select the Use a secure connection TLS check box b Enter a PEM encoded file name that contains the CA certificate used to sign the LDAP server s TLS certificate in the New certificate text field Click Browse to search for file names ...

Page 108: ...ration Quarantining 802 1X 3 60 Configuring Novell eDirectory Settings To configuring Novell eDirectory settings Home window System configuration Quarantining 802 1X Quarantine method radio button Local radio button ...

Page 109: ...System Configuration Quarantining 802 1X 3 61 1 Select Novell eDirectory from the End user authentication type drop down list Figure 3 26 System Configuration Window RADIUS Novel eDirectory ...

Page 110: ...Password to use the universal password of the eDirectory user 9 To use a secure Transport Layer Security TLS connection with the LDAP server that is verified with a certificate authority a Select the Use a secure connection TLS check box b Enter a PEM encoded file name that contains the CA certificate used to sign the LDAP server s TLS certificate in the New certificate text field Click Browse to ...

Page 111: ...ed secret is used to encrypt and sign packets between the device and RADIUS server NOTE See your system administrator to obtain the shared secret for your switch 3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select an 802 1X device from the Device type drop down list 6 Enter the config...

Page 112: ...r HP ProCurve 530 AP on page 3 85 Nortel See Nortel on page 3 87 Other See Other on page 3 89 7 Click ok Testing the Connection to a Device The test connection area has different options based on the switch you select Cisco CATOS Cisco IOS Enterasys Extreme Foundry switches See figure 3 28 ProCurve Nortel Other switches See figure 3 29 To test the connection to an 802 1X device Home window System ...

Page 113: ...ng tested in the Port text field c Enter the MAC address of the endpoint being tested in the MAC address text field 3 For Cisco CATOS Cisco IOS Enterasys Extreme Foundry switches figure 3 29 if you want to include the re authentication command as part of the test select the Re authenticate an endpoint during test check box and a Enter the port of the endpoint being tested in the Port text field b ...

Page 114: ...t enter the port the MAC address or both depending on the re authentication OID 4 Click test connection to this device Cisco IOS To add a Cisco IOS device Home window System configuration Quarantining 802 1X Quarantine method radio button Add an 802 1X device ...

Page 115: ...n packets between the device and RADIUS server 3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select Cisco IOS from the Device type drop down list 6 Select telnet or SSH from the Connection method drop down list 7 Enter the User name with which to log into the device s console Figure 3 ...

Page 116: ...is on bank 2 and port 10 2 10 where 210 are the third fourth and fifth bytes in the identifier 11 Enter the Reconnect idle time This is the amount of time in milliseconds that a Telnet SSH console can remain idle or unused before it is reset 12 Select the Show scripts plus symbol to show the following scripts Initialization script The expect script used to log into the console and enter enable mod...

Page 117: ...ecret is used to encrypt and sign packets between the device and RADIUS server 3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select Cisco CatOS from the Device type drop down list 6 Select telnet or SSH from the Connection method drop down list Figure 3 31 Add Cisco CatOS Device ...

Page 118: ...rt mask of 2 34 would indicate that the endpoint is on bank 2 and port 10 2 10 where 210 are the third fourth and fifth bytes in the identifier 14 Enter the Reconnect idle time This is the amount of time in milliseconds that a Telnet SSH console can remain idle or unused before it is reset 15 Select the Show scripts plus symbol to show the following scripts Initialization script The expect script ...

Page 119: ...ice 2 Click the plus sign next to Show scripts 3 Add the correct expect script syntax to the text box for enable mode user name See your switch documentation for more information on the correct syntax 4 Click ok Enterasys To add an Enterasys device Home window System configuration Quarantining 802 1X Quarantine method radio button Add an 802 1X device ...

Page 120: ... RADIUS server 3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select Enterasys from the Device type drop down list 6 Select telnet or SSH from the Connection method drop down list 7 Enter the User name with which to log into the device s console 8 Enter the Password with which to log in...

Page 121: ...e following scripts Initialization script The expect script used to log into the console and enter enable mode Re authentication script The expect script used to perform endpoint re authentication Exit script The expect script used to exit the console 12 Click ok TIP Click revert to defaults to restore the default settings Extreme ExtremeWare To add an ExtremeWare device Home window System configu...

Page 122: ...S server 3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select Extreme ExtremeWare from the Device type drop down list 6 Select telnet or SSH from the Connection method drop down list 7 Enter the User name with which to log into the device s console 8 Enter the Password with which to lo...

Page 123: ... the following scripts Initialization script The expect script used to log into the console and enter enable mode Re authentication script The expect script used to perform endpoint re authentication Exit script The expect script used to exit the console 12 Click ok TIP Click revert to defaults to restore the default settings Extreme XOS To add an Extreme XOS device Home window System configuratio...

Page 124: ...ADIUS server 3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select Extreme XOS from the Device type drop down list 6 Select telnet or SSH from the Connection method drop down list 7 Enter the User name with which to log into the device s console 8 Enter the Password with which to log in...

Page 125: ...ng scripts Initialization script The expect script used to log into the console and enter enable mode Re authentication script The expect script used to perform endpoint re authentication Exit script The expect script used to exit the console 11 Click ok TIP Click revert to defaults to restore the default settings Foundry To add a Foundry device Home window System configuration Quarantining 802 1X...

Page 126: ...3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select Foundry from the Device type drop down list 6 Select telnet or SSH from the Connection method drop down list 7 Enter the User name with which to log into the device s console 8 Enter the Password with which to log into the device s c...

Page 127: ...cripts plus symbol to show the following scripts Initialization script The expect script used to log into the console and enter enable mode Re authentication script The expect script used to perform endpoint re authentication Exit script The expect script used to exit the console 14 Click ok TIP Click revert to defaults to restore the default settings HP ProCurve Switch To add an HP ProCurve switc...

Page 128: ...nd RADIUS server 3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select ProCurve Switch from the Device type drop down list 6 Select whether to connect to this device using telnet SSH or SNMPv2 in the Connection method drop down list 7 SSH settings a Enter the User name used to log into ...

Page 129: ...e c To help confirm accuracy type the same password you entered into the Password field in the Re enter Password field d Enter the Enable mode user name that is used to enter enable mode on this device e Enter the Password used to enter enable mode on this device f To help confirm accuracy type the same password you entered into the Enable password field in the Re enter Password field g Enter the ...

Page 130: ...D_DECIMAL are substituted for the port and MAC address of the endpoint to be re authenticated ii Select the type of the re authentication OID from the OID type drop down list INTEGER unsigned INTEGER TIMETICKS IPADDRESS OBJID STRING HEX STRING DECIMAL STRING BITS NULLOBJ iii Enter the OID re authentication value used to re authenticate an endpoint in the OID value text field TIP Click revert to de...

Page 131: ...is used to encrypt and sign packets between the device and RADIUS server 3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select ProCurve WESM from the Device type drop down list 6 Enter the Community string used to authorize writes to SNMP objects Figure 3 37 Add HP ProCurve WESM xl zl D...

Page 132: ... STRING HEX STRING DECIMAL STRING BITS NULLOBJ 9 Enter the OID re authentication value used to re authenticate an endpoint in the OID value text field 10 Select the Use a different OID for MAC authentication check box to re authenticate using a different OID when the supplicant request is for a MAC authenticated device a Enter the Re authenticateOID used tore authenticate an endpoint The strings P...

Page 133: ... add an HP ProCurve 420 AP or HP ProCurve 530 AP device Home window System configuration Quarantining 802 1X Quarantine method radio button Add an 802 1X device 1 Enter the IP address of the HP ProCurve AP or HP ProCurve 530 AP device in the IP address text field 2 Enter a shared secret in the Shared secret text field The shared secret is used to encrypt and sign packets between the device and RAD...

Page 134: ...Select the type of the re authentication OID from the OID type drop down list INTEGER unsigned INTEGER TIMETICKS IPADDRESS OBJID STRING HEX STRING DECIMAL STRING BITS NULLOBJ 9 Enter the OID re authentication value used to re authenticate an endpoint in the OID value text field 10 Select the Use a different OID for MAC authentication check box to re authenticate using a different OID when the supp...

Page 135: ...r the OID re authentication value used to re authenticate an endpoint in the OID value text field TIP Click revert to defaults to restore the default settings Nortel To add a Nortel device Home window System configuration Quarantining 802 1X Quarantine method radio button Add an 802 1X device ...

Page 136: ...d RADIUS server 3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select Nortel from the Device type drop down list 6 Select telnet or SSH from the Connection method drop down list 7 Enter the User name with which to log into the device s console 8 Enter the Password with which to log into...

Page 137: ...acked check box if the device is in a stacked configuration 15 Select the Show scripts plus symbol to show the following scripts Initialization script The expect script used to log into the console and enter enable mode Re authentication script The expect script used to perform endpoint re authentication Exit script The expect script used to exit the console 16 Click ok TIP Click revert to default...

Page 138: ...en the device and RADIUS server 3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select Other from the Device type drop down list 6 Enter the User name with which to log into the device s console 7 Enter the Password with which to log into the device s console 8 Re enter the console passw...

Page 139: ...ymbol to show the following scripts NOTE You must enter the script contents yourself for the 802 1X device you are adding Initialization script The expect script used to log into the console and enter enable mode Re authentication script The expect script used to perform endpoint re authentication Exit script The expect script used to exit the console 11 Click ok TIP Click revert to defaults to re...

Page 140: ...guration Inline DHCP server is selected by default If you want to use the DHCP plug in which allows you to use multiple DHCP servers see the instructions in DHCP Plug in on page 13 1 Setting DHCP Enforcement NOTE See Configuring Windows Update Service for XP SP2 on page 10 5 for information on using Windows Update Service for devices in quarantine To set DHCP enforcement Home window System configu...

Page 141: ...lt If you wish to use multiple DHCP servers see the instructions in DHCP Plug in on page 13 1 2 Select one of the following radio buttons Enforce DHCP requests from all IP addresses Allows DHCP requests from all IP addresses Figure 3 41 System Configuration Quarantining DHCP Enforcement ...

Page 142: ...r Layer 3 switches If set DHCP traffic coming from a source IP not listed will be passed without intervention NOTE Construction of the DHCP relay packet s source IP address is vendor depen dent Some implementations for example Extreme use the IP address of the interface closest to the DHCP server as the source IP for DHCP forward ing which means the resultant packet may not have a source IP that c...

Page 143: ...ified in the quarantined subnet field separated by a carriage return NOTE The quarantine area subnets and non quarantined subnets should be entered using Classless Inter domain Routing address CIDR notation see Entering Networks Using CIDR Format on page 15 14 3 Choose a DHCP quarantine option Router access control lists ACLs This option restricts the network access of non compliant endpoints by a...

Page 144: ...outer For endpoints to see the outside Web sites listed in Accessible Ser vices the browser being used on the endpoint must have the Auto proxysettingturnedon FurthermorefortheWindowsUpdateservice to work theendpointwillneed manualproxy settings pointing toTCP port 3128 on the Enforcement Server assigned to this endpoint See Configuring Windows Update Service for XP SP2 on page 10 5 for more infor...

Page 145: ...tine area Home window System configuration Quarantining DHCP radio button 1 Click edit next to the quarantine area you want to edit The Quarantine area window appears 2 Edit the information in the fields you want to change See Adding a DHCP Quarantine Area on page 3 94 for information on Quarantinearea options 3 Click ok Deleting a DHCP Quarantine Area To delete a DHCP quarantine area Home window ...

Page 146: ...System Configuration Quarantining DHCP 3 98 1 Click delete next to the quarantine area you want to remove The Delete quarantine area confirmation window appears 2 Click yes ...

Page 147: ...Quarantining Inline 3 99 Quarantining Inline To select the Inline quarantine method Home window System configuration Quarantining 1 Select a cluster 2 In the Quarantine method area select the Inline radio button 3 Click ok ...

Page 148: ...rewall The firewall must be opened for each post connect service that communicates with NAC 800 To open the firewall for your post connect service Command line window 1 Log in to the NAC 800 MS as root using SSH or directly with a keyboard 2 Enter the following command at the command prompt iptables I INPUT s host m tcp p tcp dport 61616 j ACCEPT Where host is the external server IP address First ...

Page 149: ...as described in Changing Properties on page 15 12 You must set the following properties for product name variable to com municate with your external post connect server see Configuring the Post connect Server on page A 1 Compliance ActiveMQJMSProvider url ssl 0 0 0 0 61616 Compliance JMSProvider UserName username Compliance JMSProvider Password password Where username is the user name you use to l...

Page 150: ...ws 2 Enter the URL of the post connect service in the Service URL text field When the post connect configuration is complete you will be able to launch this URL from the NAC 800 Post connect window For example https 192 168 40 15 index jsp 3 Select the Automatically log into service check box to log into the post connect service automatically when it is launched by clicking the post connect servic...

Page 151: ...inistrators to be notified when a post connect service quarantines an endpoint Notifications will be sent by email from the enforcement cluster quarantining the endpoint in accordance with its notifications settings 5 Click ok to save your changes and return to the Home window Launching Post connect Systems After you have configured a post connect system you must launch it before NAC 800 can commu...

Page 152: ...s are presented in a pop up window Adding Post connect System Logos and Icons The post connect logo that appears in the mouseover help see figure 3 47 and the icon that appears in the Endpoint activity window is the logo for your post connect system If you have more than one post connect system you will see more than one logo and more than one icon You can use your own custom logos and icons for y...

Page 153: ...ct Agents PRODUCTID Logo Logo filename Compliance PostConnect Agents PRODUCTID Icon Icon filename Compliance PostConnect Agents PRODUCTID Name Frie ndly Product Name Where PRODUCTID is the identifier for the post connect service For example PostConnectServiceName Logo filename is the name of the logo file For example logo_post_connect gif Icon filename is the name of the icon file For example icon...

Page 154: ... is the day the system was backed up 04 hh is the hour when the system was backed up 12 mm is the minutes when the system was backed up 11 ss is the seconds when the system was backed up 22 For example a file backed up on March 4 2007 at 12 11 22 has the following name backup 2007 03 04T12 11 22 tar bz2 The following file are backed up Database usr local nac properties directory usr local nac keys...

Page 155: ...ing on your browser settings a pop up window may appear asking if you want to save or open the file Select Save to disk and click OK NOTE A system backup does not work using Internet Explorer 7 as a browser window Use Internet Explorer 6 Mozilla or Firefox for system backup if you encounter a problem Figure 3 48 System Configuration Maintenance ...

Page 156: ...ion window Restoring From a Backup See Restoring from Backup on page 15 16 for information about restoring from a backup file TIP If you are using Backup and Restore to move configuration files from one physical server to another you must have the same version of NAC 800 installed on both servers Figure 3 49 Backup Successful Message ...

Page 157: ...upload the generated package a TAR file To save a support package to your local computer Home window System configuration Maintenance 1 In the Support packages area click download support packages now A progress window appears 2 Once the support package is generated you will be prompted to save the file on your computer For example select a directory and click Save TIP If you cannot access the GUI...

Page 158: ...ding the default settings for a specific cluster see Enforcement Clusters and Servers on page 3 6 Testing Methods The Testing methods menu option allows you to configure the following Select testing methods Define order of that the test method screens appear to the end user Select end user options Selecting Test Methods To select test methods Home window System configuration Testing methods ...

Page 159: ... ActiveX control each time the user connects to the network Testing is accomplished through the browser If the browser window is closed retesting is not performed c Agentless This test method uses an existing Windows service RPC 2 Click ok Ordering Test Methods The NAC 800 backend attempts to test an endpoint transparently in the following order 1 NAC 800 tries to test with the agent based test me...

Page 160: ...ented to the end user if the second method fails These system level settings may be overridden and customized for each cluster To order test methods Home window System configuration Testing methods 1 For each test method selected in step 1 Use the arrows next to the testing method name to move the testing methods up or down in the selection order The order of the testing methods determines the ord...

Page 161: ...ers to have their administrator login information saved for future access Agentless testing method only This option allows the end users to elect to save their login credentials so they do not have to enter them each time they connect Allow end users to cancel installation agent based testing method only This option allows end users to cancel the installation of the agent Allow end users to cancel...

Page 162: ...turn Enter a range of IPs using CIDR addresses You might also need to specify the DHCP server IP address in this field If the Domains connection method is enabled System Configuration Quarantining 802 1X Windows domain End user authentication method you must specify your Windows domain controller Examples Web sites www mycompany com Host names bagle com IP addresses 10 0 16 100 Ports 10 0 16 100 5...

Page 163: ... need to specify the DHCP server IP address in this field Domain controller name Regardless of where the Domain Controller DC is installed you must specify the DC name on the Quarantine tab in the Quarantine area domain suffix field for each quarantine area defined DHCP server and Domain controller In DHCP mode when your DHCP server and Domain Controller are behind NAC 800 you must specify ports 8...

Page 164: ...ccess whitelist The endpoints and domains that are always quarantined blacklist Always Granting Access to Endpoints and Domains To always grant access to endpoints and domains Home window System configuration Exceptions 1 To exempt endpoints from testing in the Whitelist area enter the endpoints by MAC or IP address or NetBIOS name Figure 3 52 System Configuration Exceptions ...

Page 165: ... IP address or NetBIOS name 2 To always quarantine domains when testing in the Blacklist area enter the domains TIP In DHCP mode the NAC 800 firewall quarantines based on MAC address everything entered must be translated to the corresponding endpoint s MAC address This translation occurs each time activity from the endpoint is detected To reduce translation time use the MAC address initially CAUTI...

Page 166: ...s of a Simple Mail Transfer Protocol SMTP email server This SMTP email server must allow SMTP messages from the NAC 800 machine Use the following steps to configure the SMTP email server function a Select the radio button next to Send email notifications b In the Send emails to text box enter the email address of the person or group alias who should receive the notifications Figure 3 53 System Con...

Page 167: ...e email notifications Home window System configuration 1 Select a cluster The Enforcement cluster window appears 2 Select the Notifications menu item 3 Select the For this cluster override the default settings check box 4 Select Do not send email notifications 5 Click ok End user Screens The End user screens menu option allows you to configure the end user screens with the following Define logo im...

Page 168: ...your network ProCurve recommends you place your logo here to help end users feel secure about having their computers tested The logo should be no larger than 450x50 pixels 2 Click ok Specifying the End user Screen Text To specify the end user screen text Home window System configuration End user screens 1 Enter the customization information Figure 3 54 System Configuration End user Screens ...

Page 169: ... the End user Test Failed Pop up Window To specify the end user test failed pop up window Home window System configuration End user screens 1 Select the Pop up an end user notification when an endpoint fails one or more tests check box to turn the pop up window on clear the check box to turn it off 2 Enter the customization information a Notification pop up URL In the Notification pop up URL text ...

Page 170: ...endpoints it needs to know the adminis trator credentials for that endpoint If your network uses a Windows domain controller and the connecting endpoint is a member of a configured domain NAC 800 uses the information supplied to access and test the endpoint TIP Setting windows credentials here sets them as default settings for all clusters You can override these settings on a per cluster basis by ...

Page 171: ...System Configuration Cluster Setting Defaults 3 123 Figure 3 55 System Configuration Agentless Credentials ...

Page 172: ... or local admin istrator login name of the Windows machine for example jsmith Administrator password Enter the password for the administrator login name used in the ID text field NOTE When using a domain account to test many domain endpoints be sure to select a domain account with domain administrator privileges A lesser domain account may be able to authenticate to the endpoints but willnot have ...

Page 173: ...on information encrypted on the NAC 800 server When a user connects with the same browser NAC 800 looks up this infor mation and uses it for testing TIP WhenusingtheWindowsadministratoraccountconnectionmethod NAC800 performssomeuser basedtestswiththeadministratoraccount suserregistry settings rather than those of the actual user logged into the endpoint This only affects Internet Explorer security...

Page 174: ...ows administrator credentials you want to remove The Delete Windows administrative credentials conformation window appears 2 Click yes Sorting the Windows Credentials Area To sort the Windows credentials area Home window System configuration Agentless credentials 1 Sort the Windows administrator credentials by clicking on a column heading 2 Click ok ...

Page 175: ...vel messages only to trace everything To set ES logging levels Home window System configuration Logging 1 To configure the amount of diagnostic information written to log files select a logging level from the Enforcement servers drop down list error Log error level messages only warn Log warning level and above messages only Figure 3 57 System Configuration Logging Option ...

Page 176: ... Logging 1 To configure the amount of diagnostic information written to log files related to 802 1X re authentication select a logging level from the 802 1X devices drop down list error Log error level messages only warn Log warning level and above messages only info Log info level and above messages only debug Log debug level and above messages only trace Log everything CAUTION Setting the log le...

Page 177: ...elated to IDM select a logging level from the IDM drop down list error log error level messages only warn log warning level messages only info log info level messages only debug log debug level messages only trace log everything CAUTION Setting the log level to trace may adversely affect performance 2 Click ok ...

Page 178: ...the Agent Read Timeout To set the Agent read timeout period Home window System configuration Advanced 1 Enter a number of seconds in the Agentconnectiontimeout period text field The agent connection timeout period is the time in seconds that NAC 800 waits on a connection to the agent Use a larger number for systems with network latency issues Figure 3 58 System Configuration Advanced Option ...

Page 179: ...umber for systems with network latency issues 3 Click ok Setting the RPC Command Timeout To set the RPC command timeout period Home window System configuration Advanced 1 Enter a number of seconds in the RPC command timeout period text field The RPC command timeout is the time in seconds that NAC 800 waits on an rpcclient command to finish Use a larger number for systems with network latency issue...

Page 180: ... This page intentionally left blank ...

Page 181: ...Endpoints Displayed 4 6 Searching 4 7 Access Control States 4 9 Endpoint Test Status 4 10 Enforcement Cluster Access Mode 4 14 Selecting Endpoints to Act on 4 18 Acting on Selected Endpoints 4 19 Manually Retest an Endpoint 4 19 Immediately Grant Access to an Endpoint 4 19 Immediately Quarantine an Endpoint 4 20 Clearing Temporary Endpoint States 4 20 Viewing Endpoint Information 4 21 ...

Page 182: ...t allow you to quickly filter the results area by Access control status or Endpoint test status Search criteria area The top right area of the window allows you to filter the results by cluster NetBIOS name IP address MAC address User ID domain NAC policy operating system and time Search results area The lower right area of the window displays the combined results of the selection made in the left...

Page 183: ...Endpoint Activity Overview 4 3 Figure 4 1 Endpoint Activity All Endpoints Area 1 Endpoint selection area 2 Search criteria area 3 Search results area ...

Page 184: ...lude activity for the following Access control status Endpoint test status Cluster NetBIOS name IP address MAC address User ID Windows domain NAC policy Operating system Timeframe Number of endpoints to display NOTE Most Vista endpoints will not provide a User ID to list in the user id column Filtering by Access Control or Test Status Home window Endpoint activity window ...

Page 185: ...s control status or endpoint status as shown in the following figure NOTE This part of the window reflects the total number of endpoints in the network at the current time The filters do not affect this area Filtering by Time Filtering by time is available only for disconnected endpoints Figure 4 2 Endpoint Activity Menu Options ...

Page 186: ...ns from the Timeframe drop down list 3 Click search The results area updates to match the time frame selected and the Timeframe selected is highlighted to show that this filter option has been applied Click reset to clear the filter Limiting Number of Endpoints Displayed To limit the number of endpoints displayed Home window Endpoint Activity Figure 4 3 Timeframe Drop down List Figure 4 4 Display ...

Page 187: ...rop down list A NAC policy from the drop down list Enter any text string in any of the text boxes you can also leave these blank 2 Select one of the following from the Endpoints must match drop down list all Endpoints that match all of the search criteria are displayed any Endpoints that match at least one of the search criteria are displayed 3 Click Search The results area updates to match the se...

Page 188: ...vity Window 4 8 4 To refresh the Endpoint activity window to show all endpoint activity click reset TIP The search box is not case sensitive Searching matches entire words You must enter wildcard characters to match substrings For example 192 168 ...

Page 189: ...ting quarantine A temporary state indicating that an endpoint is in the process of being quarantined Granted access By NAC Policy The endpoint has been assigned a non quarantined IP address For example an endpoint could have access because it passed a test or could not be tested but is allowed access Temporarily by NAC policy The endpoint has been assigned a non quarantined IP address For example ...

Page 190: ... shows this status when a device cannot be tested Connecting NAC 800 shows this status briefly after the endpoint has been tested while the endpoint is being assigned a non quarantined IP address If you hover the mouse cursor over the icons in the Endpoint activity window you will get additional information about the status of the endpoint The following lists the possible test statuses Unknownerro...

Page 191: ...r the endpoint could not be tested License limit exceeded NAC 800 shows this status when the number of endpoints allowed on your license has been exceeded The endpoint is not tested or allowed access License expired NAC 800 shows this status when your license has expired No endpoints are tested or allowed access to the network Test canceled NAC 800 shows this status when the end user cancels the t...

Page 192: ...ed NAC 800 shows this status when the agent cannot be installed This is likely due to permission problems on the endpoint Agent not active NAC 800 shows this status when an endpoint that was previously running the agent is no longer running the agent This is likely due to a firewall being turned on Awaiting ip transition NAC 800 shows this status during a transition from a quarantined IP address a...

Page 193: ...session setup NAC 800 shows this status when the RPC client had problems communicating with the endpoint Failed testing insufficient test privileges The credentials NAC 800 used to test the endpoint do not have sufficient privileges to read the registry or enumerate the services An easy way to debug this is to run regedit and connect to the remote endpoint using the same admin credentials supplied...

Page 194: ...arantined figure 4 8 shows that the Endpoint test status is Failed red X in the et column and that the endpoint is quarantined red symbol with X in the ac column The admin changes the access mode from normal to allow all System Configu ration Quarantining Access mode area allow all radio button figure 4 9 shows that the previously quarantined endpoint is now allowed access green icon in the ac col...

Page 195: ...s Mode 4 15 the endpoint is allowed access because of the change to allow all mode however when the mode is changed back to normal the endpoint will again be quarantined for the reason listed Figure 4 10 Failed Endpoint Allow All Mode Mouse Over ...

Page 196: ...on column the second column is the Endpoint test status column and the third column is the Access control status column The icons shown in the following figure provide status Figure 4 11 Access Control and Endpoint Test Status Post connect service icon Post connect service name This legend is updated dynamically with any post connect service name and icons you have installed Configurable Configura...

Page 197: ...te can get lost This could happen for example if you had a Training cluster and an Engineering cluster and an endpoint that was connected in the Engineering cluster also attempted to connect by way of the Training cluster An error would occur in this case Make efforts when you are configuring your clusters to avoid allowing this condition ...

Page 198: ...on 4 18 Selecting Endpoints to Act on To select endpoint to act on Home window Endpoint activity Click a box or boxes in the first column to select the endpoints of interest TIP Click the box at the top of the column to select all of the endpoints ...

Page 199: ...ss state Clearing Temporary Endpoint States on page 4 20 Manually Retest an Endpoint To manually retest an endpoint Home window Endpoint activity 1 Select a box or boxes to select the endpoints of interest 2 Click retest Immediately Grant Access to an Endpoint To immediately grant access to an endpoint Home window Endpoint activity 1 Select a box or boxes to select the endpoints of interest 2 Clic...

Page 200: ...uarantine for radio button 4 Select minutes hours or days from the drop down list 5 Enter the number of minutes hours or days that the endpoint will be temporarily quarantined 6 Click ok TIP To quarantine again select the endpoint click change access select Clear temporary access control status and click ok Clearing Temporary Endpoint States Endpoints can have a temporary state designated through ...

Page 201: ...iewing Endpoint Information 4 21 Viewing Endpoint Information To view information about an endpoint Home window Endpoint activity 1 Click on an endpoint name to view the Endpoint window Figure 4 12 Endpoint General Option ...

Page 202: ...mation 4 22 2 Click Test results to view the details of the test TIP Click on any underlined link for example change access to make changes such as changing access or test credentials Figure 4 13 Endpoint Activity Endpoint Test Results Option ...

Page 203: ...point Activity Troubleshooting Quarantined Endpoints 4 23 Troubleshooting Quarantined Endpoints The following table describes the various components that affect an endpoint attempting to access the network ...

Page 204: ...olve the names to get the real IP Unless there are corresponding static routes the endpoint will not be able to access them directly NAC 800 Web Proxy The NAC 800 server also advertises a Web proxy server for endpoints that autodetect Webproxies Thisproxywillredirectall Web requests through NAC 800 and traffic destined for names in Accessible services will be proxied through NAC 800 NOTE Windows u...

Page 205: ...re will be different gateway IP addresses for the production and quarantine networks NAC 800 fake root DNS As in endpoint enforcement for access to names in Accessible services The DNS server forwards requests for accessible services to a real DHCP server for resolution ACLs on the switch prevent quarantined systems from talking to production systems but allow for the following specific traffic Qu...

Page 206: ... all traffic through VPN NAC800actsastheman in the middle iptablesrewritespackets andforwards traffic to the NAC 800 system itself The production network is protected from VPN users by iptables acting as a firewall VPNuserscanonlygetthrough iptables by becoming compliant with a NAC 800 policy after which a hole is opened for their VPN IP address iptables does NOT rewrite traffic destined for IP ad...

Page 207: ...rs can get to the NAC 800 user interface on port 443 NAC 800 DNS As in endpoint enforcement for access to names in Accessible services ACLs on the switch prevent quarantined systems from talking to production systems but allow for the following specific traffic Quarantine NAC 800 OK Production Quarantine Maybe Quarantine Production NO Quarantine Internet Maybe Enforcement Mode How endpoints are qu...

Page 208: ... This page intentionally left blank ...

Page 209: ...t based Test Method 5 9 Agentless Test Method 5 10 ActiveX Test Method 5 24 Mac OS X Endpoint Settings 5 25 Ports Used for Testing 5 25 Allowing NAC 800 through the OS X Firewall 5 25 End user Access Windows 5 29 Opening Window 5 30 Windows NAC Agent Test Windows 5 31 Mac OS Agent Test Windows 5 36 ActiveX Test Windows 5 44 Agentless Test Windows 5 44 Testing Window 5 47 Test Successful Window 5 4...

Page 210: ...y or custom NAC policies see NAC Policies on page 6 1 and are allowed or denied access based on test results and your quarantine settings see Quar antining General on page 3 51 During the login process the end users are presented with the end user access windows which display the testing status and required remediation steps This section describes the end user access windows and options and detail...

Page 211: ...ainst each ES until a successful request has occurred This request causes the ES to schedule the endpoint for testing The following terms are used in association with this feature Agent The software residing on the endpoint that performs the tests Enforcement Server ES The server that communicates with the agent to initiate tests and quarantines or allows network access based on the test results E...

Page 212: ...g A names NOTE The endpoints DNS suffix must be correctly configured for your domain for the Agent Callback feature to work correctly nac naces1 naces2 See the following links for more information about DNS record types http www ietf org IESG Implementations RFC1886 Implementation DNSrecords html ...

Page 213: ...Vista Home Basic Vista Home Premium Vista Business Vista Enterprise Agentless testing Windows 2000 Windows Server 2000 2003 Windows XP Professional Vista Ultimate Vista Business Vista Enterprise ActiveX testing Windows 2000 Windows Server 2000 2003 Windows XP Professional Windows XP Home Vista Ultimate Vista Home Basic Vista Home Premium Vista Business Vista Enterprise NOTE This release supports o...

Page 214: ...example Linux will be included in future releases Windows ME and Windows 95 are not supported in this release TIP If the end user switches the Windows view while connected such as from Classic view to Guest view the change may not be immediate due to the way sessions are cached ...

Page 215: ...uld be used by the endpoint is based on the test method as follows ActiveX test method Microsoft Internet Explorer IE version 6 0 or later Agentless test methods IE Firefox or Mozilla Agent based test methods Windows or Linux IE Firefox or Mozilla Mac OS X Firefox or Safari ...

Page 216: ... not used for Windows endpoints the appropri ate ports are opened during the agent installation process by the NAC 800 installer Unmanaged Endpoints For unmanaged endpoints the NAC Agent and the ActiveX control test methods automatically open the necessary ports for testing End users connecting with Windows XP but a non SP2 firewall such as Norton must configure that firewall to allow connection t...

Page 217: ...hese options are as follows The NAC Agent test uses ActiveX The ActiveX test uses ActiveX All of the tests use JavaScript Agent based Test Method Ports Used for Testing You might need to configure some firewalls and routers to allow NAC 800 to access port 1500 for agent based testing TIP See Ports used in NAC 800 on page E 1 for a complete description of the ports used in NAC 800 Windows Vista Set...

Page 218: ... and Windows Vista when using the Agentless test method Configuring Windows 2000 Professional for Agentless Testing The agentless test method requires file and printer sharing to be enabled To enable file and printer sharing on Windows 2000 Professional Windows endpoint Start Settings Control Panel 1 Double click Network and Dial up connections 2 Right click Local area connection 3 Select Properti...

Page 219: ...o be enabled To enable file and printer sharing on Windows XP Professional Windows endpoint Start Settings Control Panel 1 Double click Network connections 2 Right click Local area connection 3 Select Properties The Local area connection properties window appears 4 On the General tab in the This connection uses the following area verify that File and Printer sharing is listed and that the check bo...

Page 220: ...roller can be found at http www microsoft com technet prodtechnol windowsserver2003 tech nologies directory activedirectory stepbystep domcntrl mspx Details on setting up the Group Policy Management Console GPMC can be found at http www microsoft com technet prodtechnol windowsserver2003 tech nologies directory activedirectory stepbystep gpmcinad mspx EFE Group policies may be applied at many diff...

Page 221: ...roup Policy Management Window appears 3 Right click on the domain you wish to use for the Vista endpoints and select Create and Link a GPO Here The New GPO window appears 4 Enter Agentless Testing in the Name text field 5 Click OK 6 Edit the newly created Agentless Testing group policy object as follows Figure 5 3 Group Policy Management Window Figure 5 4 New GPO Window ...

Page 222: ...s Testing Policy name and select Edit The Group Policy Object Editor window appears b In the left pane click the plus symbols under Computer Configuration to expand Windows Settings SecuritySettings Local Policies c Select Security Options Figure 5 5 Group Policy Object Editor ...

Page 223: ... Network access sharing and security model for local accounts policy select Properties The Network Access window appears ii Select the Define this policy setting check box iii Select Classic local users authenticate as themselves from the drop down list iv Click OK Figure 5 6 Network Access Window ...

Page 224: ...Network Security LAN Manager authentication level and select Properties The following window appears vi Select the Define this policy setting check box vii Select Send LM NTLM responses from the drop down list viii Click OK d In the left pane select System Services Figure 5 7 Network Security Window ...

Page 225: ... In the right pane right click Network Connections and select Properties The following window appears ii Select the Define this policy setting check box iii Select the Automatic radio button iv Click OK Figure 5 8 Network Connection Properties Window ...

Page 226: ...ntherightpane right clickRemoteProcedureCall RPC andselect Properties The following window appears vi Select the Define this policy setting check box vii Select the Automatic radio button viii Click OK Figure 5 9 Remote Procedure Call Properties Window ...

Page 227: ...indow appears x Select the Define this policy setting check box xi Select the Automatic radio button xii Click OK e In the left pane under Computer Configuration click the plus symbols to expand Administrative Templates Network Network Connections Windows Firewall f Select Domain Profile Figure 5 10 Remote Registry Properties Window ...

Page 228: ...rinter sharing exception and select Properties The following window appears ii Select the Enabled radio button iii Click OK g In the left pane click the plus symbols to expand Administrative Templates Network h In the left pane select Microsoft Peer to Peer Networking Services Figure 5 11 Windows Firewall Window ...

Page 229: ...t the Disabled radio button iii Click OK i Close the Group Policy Object Editor window 7 Move the Agentless Testing policy to the top of the list to process it first and take precedence over any local configuration a In the Group Policy Management window select the Linked Group Policy Objects tab in the right pane b Select the Agentless Testing policy Figure 5 12 Microsoft Peer to Peer Window ...

Page 230: ...e firewalls and routers to allow NAC 800 to access the following ports for agentless testing 137 138 139 445 TIP See Ports used in NAC 800 on page E 1 for a complete description of the ports used in NAC 800 Allowing the Windows RPC Service through the Firewall If end users enable the XP SP2 Professional firewall they need to change the configuration to allow the agentless testing TIP These firewal...

Page 231: ...s are selected 4 Select TCP 139 5 Click Change Scope 6 Select Custom List 7 Enter the NAC 800 Server IP address and the 255 255 255 0 mask 8 Click OK 9 Select UDP 137 10 Click Change Scope 11 Select Custom List 12 Enter the NAC 800 Server IP address and the 255 255 255 0 mask 13 Click OK 14 Select TCP 445 15 Click Change Scope 16 Enter the NAC 800 Server IP address and the 255 255 255 0 mask 17 Cl...

Page 232: ...or a complete description of the ports used in NAC 800 Windows Vista Settings All Windows Vista endpoints must have administrator permissions in order for the ActiveX component to install successfully If the end user is not logged in to the endpoint with administrator permissions the following occurs If User Account Control UAC is enabled Windows Vista prompts you for credentials After the credent...

Page 233: ...ing You might need to configure some firewalls and routers to allow NAC 800 to access port 1500 for agent based testing TIP See Ports used in NAC 800 on page E 1 for a complete description of the ports used in NAC 800 Allowing NAC 800 through the OS X Firewall To verify that NAC 800 can test the end user through the end user s firewall Mac endpoint Apple Menu System Preferences ...

Page 234: ...End user Access Mac OS X Endpoint Settings 5 26 Figure 5 14 Mac System Preferences ...

Page 235: ...tings 5 27 1 Select the Sharing icon The Sharing window opens 2 Select the Firewall tab 3 The firewall settings must be one of the following Off On with the following OS X NAC Agent check box selected Port 1500 open Figure 5 15 Mac Sharing ...

Page 236: ... change the port Mac endpoint Apple Menu System Preferences Sharing icon Firewall tab 1 Select OS X NAC Agent 2 Click Edit The port configuration window appears 3 Enter 1500 in the Port Number Range or Series text field 4 Click OK Figure 5 16 Mac Ports ...

Page 237: ...a There are two ways you can edit the NAC 800 end user access templates outside of the ProCurve user interface configuration window UNIX command line and vi text editor Connect to the NAC 800 server using SSH then edit the files with vi HTML editor on your local machine Connect to the NAC 800 server using SSH copy the files to your local machine edit the files with any HTML or text editor copy the...

Page 238: ...stallationwindow first time connection only see Windows NAC Agent Test Windows on page 5 31 ActiveX test Testing window see ActiveX Test Windows on page 5 44 Agentless test Testing window see Agentless Test Windows on page 5 44 If the Allow end users to cancel installation option on the System Configura tion Testing methods window is selected the end users have the option of clicking Cancel instal...

Page 239: ...test method used is NAC Agent test the first time the user attempts to connect the agent installation process should begin automatically and the installing window appears TIP The end user can also manually install the agent as described in Manually Installing the Windows Agent on page 5 34 Figure 5 18 End user Installing Window ...

Page 240: ...indow appears TIP To enable active content see Active Content on page C 4 If this is the first time the end user has selected NAC Agent test a security acceptance window appears In order to proceed with the test the user must select to Install the digital signature Figure 5 19 End user Agent Installation Failed ...

Page 241: ...er must click Next to start the agent installation The user must click Finish to complete the agent installation and begin testing As soon as the installation is complete the endpoint is tested See Testing Window on page 5 47 Figure 5 20 End user Agent Installation Window Start Figure 5 21 End user Agent Installation Window Finish ...

Page 242: ...ve programs 1 Find the ProCurve NAC EI Agent in the list of installed programs 2 Click Remove TIP The ProCurve NAC EI Agent also appears in the services list Start button Settings Control panel Administrative tools Services Manually Installing the Windows Agent To manually install the agent using Internet Explorer Figure 5 22 Add Remove Programs ...

Page 243: ...nt_server_ip 89 setup exe The security certificate window appears 2 Click Yes to accept the security certificate You are prompted to select Save to disk or Run the file 3 Click Run to begin the install process 4 The Agent Installation Wizard starts Figure 5 20 on page 5 33 Figure 5 23 Security Certificate Figure 5 24 Run or Save to Disk ...

Page 244: ...the test method selected is agent based the first time the end user logs in to their Macintosh computer and opens a browser window NAC 800 attempts to test the endpoint If the agent is required they receive the Installation Failed window shown in figure 5 19 Installing the MAC OS Agent To install the Mac OS agent The Mac OS agent must be installed manually and works with Mac OS X version 10 3 7 or...

Page 245: ... Access Windows 5 37 3 Double click the extracted file to launch the installer program A confirmation window appears 4 Click Continue The installer appears Figure 5 25 Start Mac OS Installer Figure 5 26 Mac OS Installer 1 of 5 ...

Page 246: ...ccess End user Access Windows 5 38 5 Click Continue The Select a Destination window appears 6 Click Continue The Easy Install window appears Figure 5 27 Mac OS Installer 2 of 5 Figure 5 28 Mac OS Installer 3 of 5 ...

Page 247: ...nticate window appears 8 Enter your password Click OK Theagentis installedandtheconfirmation window appears 9 Click Close Verifying the Mac OS Agent To verify that the Mac OS agent is running properly Figure 5 29 Mac OS Installer 4 of 5 Figure 5 30 Mac OS Installer 5 of 5 ...

Page 248: ...End user Access End user Access Windows 5 40 Mac endpoint Double click Desktop icon Aplication folder Utilities folder Figure 5 31 Applications Utilities Folder ...

Page 249: ... 5 41 1 Double click Activity Monitor The Activity Monitor window appears 2 Verify that the osxnactunnel process is running 3 If the osxnactunnel process is not running start it by performing the following steps Figure 5 32 Activity Monitor ...

Page 250: ... found the agent was not installed properly Re install the agent as described in Installing the MAC OS Agent on page 5 36 d If the agent is installed but not running enter the following at the command line sudo OSXNACAgentDaemon restart e Check the Activity Monitor window again to see if the osxnactunnel process is running If it is still not functioning properly after re installingtheagentandattem...

Page 251: ... Double click Desktop icon Aplication folder Utilities folder 1 Select Mac OS X Terminal A terminal window opens figure 5 33 2 Enter the following at the command line remove_osxnacagent 3 Remove the firewall entry a Select Apple Menu System Preferences Sharing Firewall tab b Select OS X NAC Agent c Click Delete ...

Page 252: ... an error running the ActiveX component an error window appears TIP To enable active content see Active Content on page C 4 TIP Install any needed patches before installing the Agent Agentless Test Windows If the end users select Agentless test NAC 800 needs login credentials in order to test the endpoint Credentials can be obtained from the following Figure 5 34 End user ActiveX Plug in Failed ...

Page 253: ... testing will not work TIP If the end user has not defined a login password combination the default login is usually administrator with a blank password If the end users are required to log in or if the automatic connection methods fail they must log in using the following window If theAllowend userstohavetheiradministratorlogininformationsavedforfutureaccess option is selected on the System Confi...

Page 254: ...not enter the correct information in the login window fields a login failure window appears TIP You can customize the logo and contact paragraph that appear on this window See Customizing Error Messages on page 5 52 for more details Figure 5 36 End user Login Failed ...

Page 255: ...g process The possible outcomes from the test are as follows Test successful window see Test Successful Window on page 5 48 Testing cancelled window see Testing Cancelled Window on page 5 49 Testing failed window see Testing Failed Window on page 5 49 Other error window see Error Windows on page 5 51 Figure 5 37 End user Testing ...

Page 256: ...ts meet the test criteria defined in the NAC policy they are allowed access to the network and a window indicating successful testing appears TIP You can customize the logo and text that appears on this window as described in End user Screens on page 3 119 Figure 5 38 End user Testing Successful ...

Page 257: ...as the option of clicking Cancel testing If the end users click Cancel testing a window appears indicating that testing is cancelled Testing Failed Window When the end user s endpoints fail to meet the test criteria defined in the NAC policy the end users are not allowed access to the network are quarantined and the following testing failed window appears Figure 5 39 End user Testing Cancelled ...

Page 258: ...You can elect to allow access to specific services and endpoints by including them in the Accessible services and endpoints area of the System configura tion Accessible services window see Accessible Services on page 3 113 TIP You can customize the logo and contact paragraph that appear on this window See Customizing Error Messages on page 5 52 for more details Figure 5 40 End user Testing Failed ...

Page 259: ...results in a printable format as shown in the following figure Error Windows End users might see any of the following error windows Unsupported endpoint Unknown error The following figure shows an example of an error window Figure 5 41 End user Testing Failed Printable Results Figure 5 42 End user Error ...

Page 260: ...ings py To customize the error messages 1 Create a file using a text editor and name it as follows usr local nac scripts BaseClasses CustomStrings py using the following format class CustomStrings stringTable name1 message1 name2 message2 Where The name value name1 matches the name of the test see Table 9 on page 179 of the Users Guide The message value message1 is the text you want to appear in t...

Page 261: ...hey should not be NOTE While editing the description avoid the use of double quotes Use single quotes instead Double quotes will get interpreted by the software and can cut the string short or cause the replacement to fail 2 Once your custom strings script is complete and you are ready to push it out to all of the ESs a Verify that the scripts and base classes are under the Custom directory tree a...

Page 262: ...s String 5 Automatic Updates must be configured to s For Windows 2000 install Service Pack 4 then enable Automatic Updates by selecting Control Panel Automatic Updates For Windows XP select Control Panel System Automatic Updates tab checkAutoUpdateStatus String 6 The Automatic Update client has been disabled Ask your local System Administrator for instructions on how to enable it checkHotFixes Str...

Page 263: ...heckIEVersion String 2 Internet Explorer version s is acceptable checkIEVersion String 3 The required Internet Explorer browser was not found or is not current Install the latest version checkMicrosoftOfficeMacroSecurityLevel String 1 The office_program and the security_level_required parameters are required checkMicrosoftOfficeMacroSecurityLevel String 2 The specified office_program or security_l...

Page 264: ... s or later checkServicesNotAllowed String 1 All services found are allowed checkServicesNotAllowed String 2 The following services are not allowed s Stop the service by selectingControl Panel Administrative Tools located in the Performance and Maintenance category folder Services application right click on the service andselectproperties Changethestartuptypetomanualand click stop Click OK to save...

Page 265: ...cy String 1 All Windows security policies are acceptable checkWindowsSecurityPolicy String 2 An unsupported operating system was encountered checkWindowsSecurityPolicy String 3 The OS is not relevant to this test checkWindowsSecurityPolicy String 4 The security setting required parameter s is invalid checkWindowsSecurityPolicy String 5 The following Windows security policies are configured incorre...

Page 266: ...ired anti spyware software was not found Supported anti spyware software s checkAntiSpyware String 4 The s software was found but a signature update has not been performed within the last s days checkAntiSpyware String 5 The s software was found but a scan has never been performed checkBadIP String 1 There were no unauthorized network connections found checkBadIP String 2 An unsupported operating ...

Page 267: ...ing a New NAC Policy 6 7 Editing a NAC Policy 6 13 Copying a NAC Policy 6 13 Deleting a NAC Policy 6 14 Moving a NAC Policy Between NAC Policy Groups 6 14 Assigning Endpoints and Domains to a Policy 6 14 NAC Policy Hierarchy 6 15 Setting Retest Time 6 15 Setting Connection Time 6 15 Defining Non supported OS Access Settings 6 16 Setting Test Properties 6 16 Selecting Action Taken 6 17 About NAC 80...

Page 268: ...he default NAC policy The NAC policies window shown in figure 6 1 is where you create NAC policies and groups disable NAC policies delete NAC policies and access specific NAC policies Once you access a specific policy you can perform the following tasks Basic settings Edit NAC policies assign NAC policies to a group enable or disable the NAC policy select which OSs are not tested but allowed acces...

Page 269: ...NAC Policies Overview 6 3 The following figure shows the legend explaining the NAC policies icons Figure 6 1 NAC Policies Figure 6 2 NAC Policies Window Legend ...

Page 270: ...d NAC policies High security Low security Medium security NAC policies are organized in groups Groups include the clusters defined for your system a Default group and any other groups you create Each standard policy has tests pre selected You can modify these policies or create custom policies ...

Page 271: ...AC policy group window opens 2 Type a name for the group in the Name of NAC policy group text box 3 Optional Select the check box next to any NAC policy to move to this group 4 Optional Select the check box next to any cluster to move to this group 5 Click ok Editing a NAC Policy Group To edit an existing NAC policy group Home window NAC policies Figure 6 3 Add NAC Policy Group ...

Page 272: ...up Home window NAC policies 1 Move any NAC policies associated with the group to a different NAC policy group a Click on a NAC policy name b Select the new group from the NAC policy group drop down list c Click ok NOTE You can either move or delete the NAC policies associated with the group 2 Repeat step 1 until there are no NAC policies associated with the group 3 Select delete next to the NAC po...

Page 273: ...e Default NAC Policy To select the default NAC policy Home window NAC policies Click on the up or down arrow to move the NAC policy The default NAC policy is the one toward the bottom of the list with the highest selection number as shown in the following figure Creating a New NAC Policy Create custom policies that are based on existing policies or create new policies from scratch To create a new ...

Page 274: ... policy window opens as shown in the following figure 2 Enter a policy name 3 Enter a description in the Description text box 4 Select a NAC policy group 5 Select either the enabled radio button or the disabled radio button Figure 6 6 Add a NAC Policy Basic Settings Area ...

Page 275: ...hows that the endpoint should be quarantined but the quarantine action was unsuccessful CAUTION Allowing untested endpoints on your network contains risks See Untestable Endpoints and DHCP Mode on page 7 11 for more information NOTE A security best practice is to not allow unsupported operating systems untested endpoints on your network It is more secure to allow untested endpoints access to your ...

Page 276: ...ws domains to be tested by this cluster for this NAC policy separated by a carriage return 12 Enter a single endpoint or list of endpoints separated by a carriage return using the endpoint IP address MAC address NetBIOS name or host name Enter a range of IPs using a dash between or by using CIDR notation see table 15 3 CIDR Naming Conventions on page 15 14 Figure 6 7 Add a NAC Policy Domains and E...

Page 277: ...he Domains and Endpoints areas blank if you do not want to assign domains and endpoints to this policy TIP Move the mouse cursor over the question mark by the word Endpoints then click on the CIDR notation link to see the CIDR conversion table pop up window ...

Page 278: ...NAC Policies NAC Policy Tasks 6 12 13 Click the Tests menu option to open the Tests window Figure 6 8 Add NAC Policy Tests Area ...

Page 279: ...elect an action to take when an endpoint fails this test see Selecting Action Taken on page 6 17 18 Click ok TIP Selecting the Send an email notification option sends an email to the address you identified in NAC 800 Home window System Configuration Notifications area This option is defined per cluster Editing a NAC Policy To edit an existing NAC policy Home window NAC policies 1 Click on a NAC po...

Page 280: ...Home window NAC policies 1 To open the NAC policies window click a NAC policy name 2 Select a new NAC policy group from the NAC policy group drop down list 3 Click ok Assigning Endpoints and Domains to a Policy Select which endpoints are associated with each policy To assign endpoints and domains to a policy Home window NAC policies Select a NAC Policy Domains and endpoints menu option 1 Enter a s...

Page 281: ...oints connected to your network frequently to guard against potential changes in the remote endpoint configurations To set the time to wait before retesting a connected endpoint Home window NAC policies Select a NAC Policy Basic settings menu option 1 In the Retest frequency area enter how frequently in minutes hours or days NAC 800 should retest a connected endpoint TIP A lower number ensures hig...

Page 282: ...cess Settings To define what actions to take for endpoints with non supported operating systems Home window NAC policies Select a NAC Policy Basic settings area 1 In the Operating systems area select the check box beside any operating system that you will allow access without being tested 2 Click ok Setting Test Properties Test properties are specific to the particular test Select the properties y...

Page 283: ... test for the policy you are modifying 2 Select one of the following when an endpoint fails this test Send an email notification Sends an email to the email address specified see Notifications on page 3 117 NOTE An email is sent for each retest Quarantine access Specify when the endpoint should be denied access immediately grant temporary access If you select a temporary access period here the end...

Page 284: ... patch manager from the Patch manager drop down list c Enter a number for the times to retest before failing in the Maximum number of retest attempts text box For example 10 d Enter a number of seconds between retests in the Retest interval text box For example 30 4 Click ok if you are done in the Tests window or continue making changes to other tests ...

Page 285: ...ure 6 9 on page 6 21 are red the test is enabled and the actions selected will take effect immediately If the icons are gray the test is not enabled and the actions will not take effect To enable the test select the check box next to the test name Selecting Test Properties Tests either have standard properties non selectable selectable properties or text entry fields Select the check box or radio ...

Page 286: ...eregistry thetest would match To find the software registry keys on the endpoint 1 Select Start Run 2 Type regedit 3 Click OK 4 Expand the HKEY_LOCAL_MACHINE key 5 Expand the SOFTWARE key 6 View the sub trees for various vendors software and versions TIP If you re looking for a registry key you enter a trailing slash If you re looking for a registry value you do not enter a trailing slash Entering...

Page 287: ...plorer on Windows XP and Windows 2003 a Clear the Check For Internet Explorer for Windows XP and Windows 2003 6 0 2900 2180 check box b Type a version number in the text entry field 3 For Internet Explorer on Windows 2000 a Clear the Check For Internet Explorer for Windows 2000 6 0 2800 1106 check box b Type a version number in the text entry field Test Icons The NAC policy tests show icons that r...

Page 288: ... This page intentionally left blank ...

Page 289: ...ce 7 2 Using Ports in Accessible Services and Endpoints 7 4 Always Granting Access to an Endpoint 7 6 Always Quarantining an Endpoint 7 8 New Users 7 9 Shared Resources 7 10 Untestable Endpoints and DHCP Mode 7 11 Windows Domain Authentication and Quarantined Endpoints 7 12 ...

Page 290: ...ints however if you hover your mouse over the post connect service icon the actual status shows that the endpoint should be quarantined but the quarantine action was unsuccess ful The following describes the process in more detail Access mode 1 overrides the items below it in the previous list 2 3 4 and 5 Use the Access mode radio buttons System monitor select a cluster Quarantining to act globall...

Page 291: ...ns System configuration Excep tions to always allow or always quarantine endpoints that are defined in NAC policies For example an NAC policy might have a range of IP addresses defined for testing but you want to exclude specific IP addresses within that range from the tests so you could specify them here as Whitelist or Blacklist Post connect overrides the item following it in the list 5 TIP The ...

Page 292: ...guration Accessible services The following figure shows the Accessible services window In order to grant access for quarantined endpoints to needed services add entries to the Accessible services list For inline enforcement mode enter the IP addresses of the servers that provide the services A port or ports can be added to limit the access to the servers from quarantined endpoints Figure 7 1 Syste...

Page 293: ...hind an ES a network firewall must be used to control access to only the desired ports 1 For inline enforcement mode in the Accessible services and endpoints area enter an endpoint followed by a colon followed by a port number as shown as follows 10 0 16 100 53 Separate multiple endpoint entries with a carriage return new line 10 0 16 100 53 10 0 16 100 80 10 0 16 100 81 10 0 16 100 82 2 Click ok ...

Page 294: ... System configuration Exceptions The following figure shows the Exceptions window 1 In the Whitelist area a In the Endpoints area enter one or more MAC addresses IP addresses or NetBIOS names separated by carriage returns b In the Windows domains area enter one or more domain names separated by carriage returns 2 Click ok Figure 7 2 System Configuration Exceptions ...

Page 295: ... the same endpoint for both options in the Endpoint testing exceptions area the Allow access without testing option is used CAUTION Please read Untestable Endpoints and DHCP Mode on page 7 11 so that you fully understand the ramifications of allowing untested endpoints on your network ...

Page 296: ...eptions 1 In the Blacklist area a In the Endpoints area enter one or more MAC addresses IP addresses or NetBIOS names separated by carriage returns b In the Windows domains area enter one or more domain names separated by carriage returns 2 Click ok CAUTION If you enter the same endpoint for both options in the Endpoint testing exceptions area the Allow access without testing option is used ...

Page 297: ...antined IP address is assigned The end users log in on the Windows login screen The end users start IE and NAC 800 attempts to test the endpoint The endpoints either retain the quarantined IP address or are assigned a non quarantined network IP address based on the testing result 802 1X mode An endpoint attempts to connect to the network The end user s identity is verified via an authentication se...

Page 298: ...twhile the endpoint has the quarantined IP address unless the services and endpoints are listed in the Accessible services and endpoints area see Accessible Services on page 3 113 Once the endpoints are assigned a non quarantined IP address the users can gain access to the shares by logging out of Windows and logging back into Windows Rebooting the endpoints also works but is not necessary ...

Page 299: ...xpiration time of three or more days NOTE The access status column on the Endpoint activity window shows unable to quarantine and the action cannot complete until the IP address lease expires TIP It is strongly recommended that if you are going to allow untested endpoints on your network you set extremely short lease times use hours rather than days on your DHCP server This process results in the ...

Page 300: ... the full domain controller hostnames in the System configuration Accessible services area for example dc01 mycompany com dc02 mycompany com 3 Ensure that each ES has a valid fully qualified domain name FQDN and that the domain portion matches the domain for the registered windows domain 4 Ensure that each ES is configured with one or more valid DNS servers that can fully resolve both A and PTR re...

Page 301: ...Quarantined Networks Windows Domain Authentication and Quarantined Endpoints 7 13 _ldap _tcp Default First Site Name _sites dc _msdcs lvh com 86400 IN SRV 0 100 389 dc01 lvh com ...

Page 302: ... This page intentionally left blank ...

Page 303: ...8 1 8 High Availability and Load Balancing Chapter Contents High Availability 8 2 Load Balancing 8 6 ...

Page 304: ...nt from the ES that is now unavailable All ESs participate in enforcement The MS provides notification in the user interface at the top of the Home window For example if an ES is unavailable the notification indicates that at the top of the Home window When NAC 800 is installed inline in a multiple server configuration figure 8 1 the multiple ESs form a network loop an undesired condition The Span...

Page 305: ... 3 ports on the switch based on the switch configuration If an ES becomes unavailable the switch reconnects so that there is always a path from the VPN to an ES All of the ES firewalls continuously stay in sync with each other Figure 8 1 Inline Installations ...

Page 306: ...High Availability and Load Balancing High Availability 8 4 Figure 8 2 DHCP Installation ...

Page 307: ...High Availability and Load Balancing High Availability 8 5 Figure 8 3 802 1X Installation ...

Page 308: ...e which ES should test an endpoint If an ES detects an endpoint for which it is not responsible it notifies the correct ES of the endpoint and that ES takes over testing If an ES fails any services that are protected by that ES may become inacces sible depending on the nature of the ES failure However the redundant services that are protected by the other ESs are still available TIP Protected serv...

Page 309: ...9 1 9 Inline Quarantine Method Chapter Contents Inline 9 2 ...

Page 310: ...he network configuration settings As shown in figure 9 1 NAC 800 is installed inline in a multiple server configuration the multiple ESs form a Layer 2 bridge that spans two switches resulting in a network loop This is an undesirable situation To prevent this you may have to configure the switch that connects the NAC 800 ESs to use Spanning Tree Protocol STP if STP is not already configured The ST...

Page 311: ...Inline Quarantine Method Inline 9 3 TIP You can install NAC 800 at any choke point in your network a VPN is not required Figure 9 1 Inline Installations ...

Page 312: ... This page intentionally left blank ...

Page 313: ... 1 10 DHCP Quarantine Method Chapter Contents Overview 10 2 Configuring NAC 800 for DHCP 10 4 Setting up a Quarantine Area 10 4 Router Configuration 10 4 Configuring Windows Update Service for XP SP2 10 5 ...

Page 314: ...sued a tempo rary address on a quarantine subnetwork Once the endpoint is allowed access the IP address is renewed and the main DHCP server assigns an address to the main LAN With a multiple subnetwork or VLAN network one quarantine area must be configured for each subnetwork Quarantine areas are defined on a per cluster basis and pushed down to all ESs joined to that cluster ...

Page 315: ...DHCP Quarantine Method Overview 10 3 Figure 10 1 DHCP Installation ...

Page 316: ...ne options Router Access Control List ACL settings see Configuring the Router ACLs on page 10 5 Static routes assigned to the endpoint see Adding a DHCP Quaran tine Area on page 3 94 Setting up a Quarantine Area Set up a restricted area of your network that users can access when you do not want to allow full access to the network See Quarantining General on page 3 51 for instructions Router Config...

Page 317: ...cement note that most endpoints running Windows XP Service Pack 2 cannot run Windows Update successfully from within quarantine because of a WinHTTP bug that as of this writing has notbeenfixed seehttp support microsoft com kb 919477 formoredetails Endpoints not in quarantine are not affected The problem occurs because the Windows Update WU client software uses WinHTTP to connect to Microsoft s do...

Page 318: ... This page intentionally left blank ...

Page 319: ...s About 802 1X 11 2 NAC 800 and 802 1X 11 4 Setting up the 802 1X Components 11 7 Setting up the RADIUS Server 11 7 Configuring Non HP Switches 11 36 Enabling NAC 800 for 802 1X 11 39 Setting up the Supplicant 11 40 Setting up the Authenticator 11 48 ...

Page 320: ...on system that uses an encrypted ticket to authenticate users One time passwords An authentication system that uses a set of rotating passwords each of which is used for only one login session Certificates A method for identifying a user that links a public key to the user s or company s identity allowing them to send digitally signed electronic messages Tokens A credit card or key fob sized authe...

Page 321: ...lient supplicant sends its identity 5 The AP authenticator passes the identity on to the authentication server 6 The authentication server performs the authentication and returns an accept or reject message to the AP authenticator 7 The AP authenticator allows or blocks the client s supplicant s access to the network by controlling which ports are open or closed Figure 11 1 802 1X Components ...

Page 322: ...requests to an existing RADIUS server With this method the switch is configured with the NAC 800 IP address as the RADIUS server host When the switch performs the RADIUS authentication against the NAC 800 server NAC 800 proxies the request to another RADIUS server As long as that server supports the appropriate authentication methods used by the client it should allow and authenticate the proxied ...

Page 323: ...802 1X Quarantine Method NAC 800 and 802 1X 11 5 Figure 11 2 NAC 800 802 1X Enforcement ...

Page 324: ...802 1X Quarantine Method NAC 800 and 802 1X 11 6 Figure 11 3 802 1X Communications ...

Page 325: ...d and integrated with RADIUS in the following three ways Install the NAC 800 Plug in to the Microsoft IAS RADIUS server see This section provides instructions for how to install the Microsoft IAS to the NAC 800 IAS plug in on page 11 7 Proxy requests from the built in NAC 800 RADIUS server to any other RADIUS server see Proxying RADIUS Requests to an Existing RADIUS Server Using the Built in NAC 8...

Page 326: ...ol windowsserver2003 tech nologies ias mspx In addition to installing the Windows Server 2003 software you also need to have a database of users for authentication purposes The Windows IAS implementation of RADIUS can use the following Active Directory recommended A Windows NT domain The local Security Accounts Manager SAM To add IAS to the Windows Server 2003 installation Windows desktop Start Se...

Page 327: ...want to install 5 Click OK 6 Click Next 7 Click Finish 8 Install any IAS and 802 1X updates that are available http www microsoft com downloads search aspx displaylang en Configuring the Microsoft IAS RADIUS Server For an explanation of how the components communicate see NAC 800 and 802 1X on page 11 4 Now that you have the RADIUS server installed you need to log into it and perform the configurat...

Page 328: ...tory a Right click on Internet Authentication Service Local b Select Register Server in Active Directory figure 11 6 c Click OK if a registration completed window appears 4 Configure the RADIUS server parameters a Right click on Internet Authentication Service local b Select Properties figure 11 7 The Properties window appears figure 11 8 Figure 11 6 IAS Register Server in Active Directory Figure ...

Page 329: ...hentication requests check box d Ports tab i Enter the authentication port numbers in the Authentication text box The authentication port 1812 is used to verify the user ii Enter the accounting port numbers in the Accounting text box The accounting port 1813 is used to track the user s network use e Click OK 5 Define the authenticators that use this RADIUS server for authentication a Right click o...

Page 330: ...Client window appears c Enter a descriptive name for the Friendly name such as Foundry d Enter the IP address of the authenticator in the Clientaddress text box TIP Click Verify to test the connection e Click Next Figure 11 9 IAS New Client Name and Address Figure 11 10 IAS New Client Additional Information ...

Page 331: ...st must contain the Message Authenticator attribute check box j Click Finish 6 Repeat step 5 for every authenticator in your system that uses this RADIUS server 7 Create a Remote Access Policy If you already have an 802 1X environment configured you already have a Remote Access Policy defined however you can create as many as you need a Right click on Remote Access Policy b Select New Remote Acces...

Page 332: ...thernet option will not work for authenticating wireless clients with this policy h Click Next i You can configure your Access policy by user or group This example uses the group method Select the Group radio button Figure 11 12 IAS Remote Access Policy Access Method Figure 11 13 IAS Remote Access Policy Group Access ...

Page 333: ...802 1X Quarantine Method Setting up the 802 1X Components 11 15 j Click Add The Select Groups pop up window appears Figure 11 14 IAS Remote Access Policy Find Group ...

Page 334: ...ntine Method Setting up the 802 1X Components 11 16 k Click Advanced l Click Find Now to populate the Search Results area m Select Domain Guests n Click OK o Click OK Figure 11 15 Remote Access Policy Select Group ...

Page 335: ...Important The type selected here must match the type selected for the endpoint described in step 5 step 7 on page 11 42 r Click Next s Click Finish 8 The PEAP authentication method requires that a specific type of SSL certificate is available for use during authentication These steps assume there is a Domain Certificate Authority CA available to request a certificate Click Configure If you receive...

Page 336: ... the wizard opens click Next 3 Enter the path to the NAC 800 certificate for example D support ias compliance keystore cer 4 Click Next Next and Finish 9 To request a certificate from a Domain Certificate Authority a Open the Microsoft management console by choosing Start Run and entering mmc b Choose File Add Remove Snap in c Click Add d Choose the certificates snap in and click Add e Select Comp...

Page 337: ...e permissions in mmc add the certificate template snap in right click on the template select properties and change the permissions for your user on the certificate authority The Computer or RAS and IAS templates both work k Once the Certificate is granted by the certificate authority return to the IAS policy editor to continue the setup l Click Configure to configure the certificate for use with t...

Page 338: ...the certificate for use with the PEAP authentication method The Protected EAP Properties window appears as shown in the following figure 10 Configure the new Remote Access Policy a Select Remote Access Policies Figure 11 18 Protected EAP Properties Figure 11 19 IAP Remote Access Policy Properties ...

Page 339: ...e Edit Dial in Profile window appears i Authentication tab Select the check boxes for the authenticationmethodsyouwillallow Thisexampledoesnotuse additional selections ii Advanced tab Add three RADIUS attributes TIP The attributesyouselect might be differentfor different switch types Contact ProCurve Networking by HP if you would like assistance Figure 11 20 IAS Remote Access Policy Configure ...

Page 340: ...nnel Pvt Group ID 9 Click Add 10 Click Add again on the next window Adding the second of the three attributes 11 In the Enter the attribute value area select the String radio button and type the VLAN ID usually a number such as 50 in the text box 12 Click OK 13 Click OK 14 Select Tunnel Type Adding the third of the three attributes 15 Click Add 16 Click Add again on the next window 17 From the Att...

Page 341: ...Active Directory IMPORTANT The order of the connection attributes should be most specific at the top and most general at the bottom 12 Turn on remote access logging a Click on Remote Access Logging b In the right pane right click Local File c Select Properties The Local File Properties window appears Figure 11 22 IAS Remote Access Logging Properties ...

Page 342: ...is installed on your Windows Server 2003 machine where the IAS component is enabled The connector is called by IAS after the RADIUS authentication of an endpoint and during the authorization phase The connector contacts NAC 800 and asks for the posture of the endpoint Depending onthe posture ofthe endpoint the plug incan return RADIUS attributes to your switch instructing it into which VLAN to pla...

Page 343: ...s for this such as DebugAttributes and DebugLevel should be modified only in conjunction with technical assistance through ProCurve ProCurve Networking by HP at or b Import the NAC 800 server s certificate so the connector can communicate with NAC 800 over SSL i On the Windows Server 2003 machine click Start ii Select run iii Enter mmc iv Click OK v Select File Add Remove Snap in Figure 11 24 IAS ...

Page 344: ...lick Add vii Select Certificates viii Click Add ix Select the Computer account radio button x Click Next xi Select the Local computer the computer this console is running on radio button xii Click Finish xiii Click Close Figure 11 25 IAS Add Remove Snap in Certificates ...

Page 345: ...xt xxi Click Finish 14 Configure the NAC 800 to IAS connector a Modify the INI file for your network environment NAC 800 returns one of postures for an endpoint attempting to authenticate Foreachposturereceived adifferentRADIUSresponse to the switch can be configured using RADIUS attributes This response determines into what VLAN the endpoint is placed Healthy The endpoint passed all tests or no f...

Page 346: ...rs folder inside the AuthSrv folder if it does not already exist New Key vii Right click on the Parameters folder name viii Select New Multi string value ix Type AuthorizationDLLs for the name and press Enter on the keyboard x Right click AuthorizationDLLs and select Modify xi Enter the following value in the Value Data text box C Windows System32 SAIASConnector dll xii Click OK c Restart the IAS ...

Page 347: ...on your directory name and select Properties iii Select the Group Policy tab iv Click Open v Right click Default Domain Policy and select Edit click OK if you get a global changes pop up message vi Navigate to Computer Configuration Windows Settings Security Settings Account Policies Password Policy vii Select Password Policy Figure 11 27 Active Directory Properties Figure 11 28 Active Directory S...

Page 348: ...nistrative Tools Active Directory Users and Computers b Right click on the user s entry under the appropriate domain under Active Directory Users and Computers c Enter the user information requested d Click Next e Enter the password information f Click Next g Click Finish h Repeat from step a for all users that need to authenticate using Active Directory 17 Configure user accounts for Dial in acce...

Page 349: ...802 1X Quarantine Method Setting up the 802 1X Components 11 31 c Select the Users folder Figure 11 29 Active Directory Users and Computers ...

Page 350: ...uthentication protocol CHAP MSCHAPv2 If for some reason you cannot upgrade to MSCHAPv2 at this time perform the following workaround for MSCHAPv1 In the Account options area select the Store password using reversible encryption check box NOTE If there are existing user accounts in your Active Directory installation when you enable reversible encryption the passwords must be reset either by the use...

Page 351: ... Open the following file with a text editor such as vi etc raddb proxy conf c Append the following section replacing the parameters in with your RADIUS servers information realm NULL type radius authhost RADIUS host or IP RADIUS auth port accthost RADIUS host or IP RADIUS acct port secret the shared secret for your RADIUS server d Save and exit the file NOTE The realm NULL section must go after th...

Page 352: ...l https localhost servlet AccessControlServlet DebugLevel 4 Debug on Username nacuser Password nacpwd TO DO Modify the vlan ids and names to match your switch configuration Use these attributes for all non Extreme switches Uncomment these two sections if you want the connector to specify the normal user vlan rather than specifying it for each user in the users configuration file HealthyRadiusAttri...

Page 353: ...reme Netlogin Vlan HealthyVlanName CheckupRadiusAttributes Extreme Netlogin Vlan HealthyVlanName QuarantineRadiusAttributes Extreme Netlogin Vlan QuarantineVlanName InfectedRadiusAttributes Extreme Netlogin Vlan QuarantineVlanName UnknownRadiusAttributes Extreme Netlogin Vlan TempOrGuestVlanName TO DO Uncomment if you want different switches to have different attributes Posture is Healthy Checkup ...

Page 354: ...ying the etc raddb users file Add user entries to the beginning of the file in the following format Clear text authentication user name Auth Type Local User Password pass word EAP PEAP or MD5 Challenge authentication the built in windows 802 1X supplicant uses these methods user name Auth Type EAP User Password password For example dave Auth Type EAP User Password d 9ij8 e Configuring Non HP Switc...

Page 355: ...9 servlet AccessControlServlet ServerUrl 2 https SERVER IP 2 89 servlet AccessControlServlet ServerUrl 3 https SERVER IP 3 89 servlet AccessControlServlet ServerUrl 4 https SERVER IP 4 89 servlet AccessControlServlet ServerUrl 5 https SERVER IP 5 89 servlet AccessControlServlet DebugLevel 4 Debug on Username nac Password changeme TO DO Modify the vlan ids and names to match your switch configurati...

Page 356: ...Group ID 5 Tunnel Type VLAN Use these attributes for Extreme switches HealthyRadiusAttributes Extreme Netlogin Vlan HealthyVlanName CheckupRadiusAttributes Extreme Netlogin Vlan HealthyVlanName QuarantineRadiusAttributes Extreme Netlogin Vlan QuarantineVlanName InfectedRadiusAttributes Extreme Netlogin Vlan QuarantineVlanName UnknownRadiusAttributes Extreme Netlogin Vlan TempOrGuestVlanName TO DO ...

Page 357: ...elect the 802 1X quarantine method radio button 2 In 802 1X enforcement mode the ESs must be able watch DHCP conversations and detect endpoints by sniffing network traffic as it flows between the DHCP server and the endpoints Select one of the following radio buttons remote In more complex deployments it is often impossible in the case of multiple ESs or multiple DHCP servers or undesirable to spa...

Page 358: ...sections describes how to set up the following endpoints for 802 1X Windows XP Professional endpoint Windows XP Home endpoint Windows 2000 Professional endpoint Windows Vista endpoint TIP The exact instructions for Windows XP and Windows Vista tasks will vary slightly depending on whether you are using Classic or Category view To determine which view you are using in the Control Panel select Start...

Page 359: ...s The Local Area Connection windows appears 3 Select the General tab 4 Select the Show icon in notification area when connected check box This enables the Windows XP balloon help utility which can assist you when entering information and troubleshooting errors Figure 11 32 Windows XP Pro Local Area Connection General Tab ...

Page 360: ... must match the EAP type selected in step 7 step q on page 11 17 8 Clear or select the Authenticate as computer when computer information is available check box The choice is yours 9 Click OK 10 Select to reboot if prompted Windows XP Home Setup To enable a Windows XP Home endpoint for 802 1X 1 Start the wireless service Windows desktop Start Settings Control Panel Administrative Tools Services Fi...

Page 361: ...tion and troubleshooting errors 6 Select the Authentication tab Figure 11 33 on page 11 42 a Select the Enable IEE 802 1X authentication for this network check box b Select an EAP type from the drop down list For this example select MD5 Challenge Important This EAP type must match the EAP type selected in Setting up the RADIUS Server step 7 step q on page 11 17 c Clear or select the Authenticate a...

Page 362: ...Windows desktop Start Settings Control Panel Network and Dial up Connections a Right click on Local Area Connection Select Properties The Local Area Connection windows appears b Select the General tab c Select the Show icon in taskbar when connected check box Figure 11 34 Windows 2000 Local Area Connection Properties General Tab ...

Page 363: ...r or select the Authenticate as computer when computer information is available check box The choice is yours h Click OK 3 Select to reboot if necessary Windows Vista Setup NOTE Frequently when performing actions on Windows Vista the User Account Control window pops up and asks you to select Continue to authorize the action The instructions in this section do not include this step To enable a Wind...

Page 364: ...utoConfig Properties window appears b Select Automatic from the Startup type drop down list c Click Start in the Service status area d Click OK e Close the Services window 2 Configure the network connections Windows desktop Start Settings Network Connections 3 Right click on Local Area Connection Figure 11 36 Wired AutoConfig Properties ...

Page 365: ...802 1X Quarantine Method Setting up the 802 1X Components 11 47 4 Select Properties The Local Area Connection windows appears Figure 11 37 Windows Vista Local Area Connection Networking Tab ...

Page 366: ... must match the EAP type selected in step 7 step q on page 11 17 8 Clear or select the Cache user information for subsequent connections to this network check box The choice is yours 9 Click OK 10 Select to reboot if prompted Setting up the Authenticator This section provides sample configurations for the following switches Cisco 2950 IOS on page 11 49 Cisco 4006 CatOS on page 11 50 Enterasys Matr...

Page 367: ...thentication dot1x default group radius aaa authorization network default group radius dot1x system auth control interface FastEthernet0 1 switchport mode access dot1x port control auto dot1x timeout quiet period 30 dot1x guest vlan 5 dot1x reauthentication spanning tree portfast interface FastEthernet0 2 switchport mode access dot1x port control auto dot1x timeout quiet period 30 dot1x guest vlan...

Page 368: ... port dot1x 2 17 port control auto set port dot1x 2 18 port control auto set port dot1x 2 19 port control auto set port dot1x 2 15 re authentication enable set port dot1x 2 17 re authentication enable set port dot1x 2 18 re authentication enable set port dot1x 2 19 re authentication enable set port dot1x 2 15 guest vlan 40 set port dot1x 2 17 guest vlan 40 set port dot1x 2 18 guest vlan 40 set por...

Page 369: ...100 10 1812 client ip 10 10 100 1 Network Login Configuration configure vlan Temp dhcp address range 10 10 5 100 10 10 5 150 configure vlan Temp dhcp options default gateway 10 10 5 1 configure vlan Temp dhcp options dns server 10 10 100 11 configure vlan Temp dhcp options wins server 10 10 100 10 enable netlogin port 33 vlan Temp enable netlogin port 34 vlan Temp enable netlogin port 35 vlan Temp...

Page 370: ...fault enable netlogin port 6 vlan Default enable netlogin port 7 vlan Default enable netlogin port 8 vlan Default configure netlogin mac auth retry count 3 configure netlogin mac reauth period 1800 ExtremeXOS create vlan Quarantine create vlan Test enable radius netlogin configure radius netlogin timeout 3 configure radius accounting netlogin timeout 3 Module netLogin configuration configure netlo...

Page 371: ...ow forwarding interface ethernet 3 dot1x port control auto sflow forwarding interface ethernet 4 dot1x port control auto sflow forwarding HP ProCurve 420AP This section shows how to configure the security settings on the 420AP so that user access may be controlled using Dynamic VLAN provisioning HP ProCurve Access Point 420 configure HP ProCurve Access Point 420 config interface ethernet Enter Eth...

Page 372: ...ver HP ProCurve Access Point 420 config radius accounting key Shared RADIUS secret HP ProCurve Access Point 420 config radius accounting enable HP ProCurve Access Point 420 config vlan enable dynamic Reboot system now y n y Dynamic WEP Enter the same commands as the previous configuration however substitute security suite 5 instead of security suite 6 wpa wpa2 HP ProCurve 530AP This section shows ...

Page 373: ... Access Point 530 conf ProCurve Access Point 530 config interface ethernet ProCurve Access Point 530 ethernet ip address IP of Access Point Netmask ProCurve Access Point 530 ethernet ip default gateway IP of Gateway ProCurve Access Point 530 ethernet management vlan 200 ProCurve Access Point 530 ethernet untagged vlan 200 ProCurve Access Point 530 radio1 wlan1 ssid Enterprise530 ProCurve Access Po...

Page 374: ...rver host 10 60 1 3 key hpsecret aaa accounting network start stop radius aaa authentication port access eap radius aaa port access authenticator 1 8 aaa port access authenticator 1 8 auth vid 100 aaa port access authenticator 1 8 unauth vid 101 aaa port access authenticator active Nortel 5510 NOTE When the Nortel switch is used in unstacked mode a range of ports is defined as 1 24 When the Nortel...

Page 375: ...es expect scripts when communicating with 802 1X devices You can add 802 1X devices in the NAC 800 user interface Home System configura tion Quarantiningmenuoption Add802 1Xdevice There are 11 pre defined devices and one generic device You can use the default expect script values modify them or enter new values The expect scripts used are as follows Initialization script This script is used to log...

Page 376: ...ter Ctrl Y to begin send noreturn 031 expect ifset USERNAME Username send ifset USERNAME USERNAME expect ifset PASSWORD Password send ifset PASSWORD PASSWORD expect press Return or Enter to select option send noreturn c expect send enable expect ifset ENABLE_USERNAME Username send ifset ENABLE_USERNAME USERNAME expect ifset ENABLE_PASSWORD Password send ifset ENABLE_PASSWORD ENABLE_PASSWORD expect...

Page 377: ...NS TEXT Waits for TEXT to appear on the connection input Where OPTION is one of three optional parameters regex Interprets the expect string as a Java 1 5 regular expression ifmatched Skips the command if the value captured from the last regular expression doesn t match the specified expression the expression may contain spaces if wrapped in double quotes ifset Skips the command if the specified v...

Page 378: ... the username from the switch is a MAC address otherwise unset IS_DOT1X Set to true if the username from the switch is not a MAC address otherwise unset Escape Sequences Special characters can be included by escaping them as XXX where XXX is an octal value representing an ASCII character or as uXXXX where XXXX is a hexadecimal value representing a unicode character Comments Lines that start with t...

Page 379: ...h either a blank password or no password no password prompt then the text field for password is insufficient to specify the correct configuration Instead the script can use a regular expression to expect either a password prompt or no prompt and drive subsequent commands from the result The following script works when any combination of Username and Password prompt appear and thus also works with ...

Page 380: ... This page intentionally left blank ...

Page 381: ... 3 Running the Windows Installer 12 3 Adding Additional Interfaces 12 13 Configuring the MS and ES for DAC 12 14 Starting the Windows Service 12 16 Viewing Version Information 12 17 Removing the Software 12 18 NAC 800 to Infoblox Connector 12 20 Configuring the Infoblox Server 12 20 Configuring NAC 800 12 20 ...

Page 382: ...ge There is no need for you to do any extra configuration of DAC in these modes 802 1X Mode Mirror Port DAC runs on the ESs The eth1 interface of the ES is connected to a mirror port on a switch that mirrors DHCP traffic The eth1 interface can also be configured to listen on a mirror port for other types of traffic to discover endpoints with static IP addresses Select the local radio button in the...

Page 383: ...rom the MS usr local nac webapps ROOT installers DACInstaller exe Running the Windows Installer The Windows installer performs the following tasks Installs the DAC software Installs the JavaJRE software if needed Installs the WinPcap software if needed Modifies the wrapper conf file Installs DAC as a Windows service NOTE If you have already installed DAC you must uninstall it before attempting to ...

Page 384: ... run the Windows installer Windows server 1 Navigate to the EXE file downloaded in Downloading the EXE File on page 12 3 2 Double click on the EXE file The DAC InstallShield Wizard Welcome window appears Figure 12 1 The DAC InstallShield Wizard Welcome Window ...

Page 385: ... Host 12 5 3 Click Next The Setup Type window appears 4 Select Complete to install the DAC software the JavaJRE software and the WinPcap software If you already have JavaJRE or WinPcap installed select Custom Figure 12 2 RDAC Installer Setup Type ...

Page 386: ...estination Location window appears 6 In most cases you should accept the default location Click Change to select a different location Click Next The Confirm New Folder window appears Figure 12 3 RDAC Installer Choose Destination Location Figure 12 4 RDAC Installer Confirm New Folder ...

Page 387: ... Capture Creating a DAC Host 12 7 7 Click Yes If you selected Custom in step 4 on page 12 5 the Select Features window appears otherwise the NIC Selection window appears figure 12 6 Figure 12 5 RDAC Installer Select Features ...

Page 388: ...Remote Device Activity Capture Creating a DAC Host 12 8 8 Select the features to install Click Next The NIC Selection window appears Figure 12 6 RDAC Installer NIC Selection ...

Page 389: ...C Host 12 9 9 All of the interfaces installed on your Windows server are listed in this window Select the one you want to use and click Next The TCP Port Filter Specification window appears Figure 12 7 RDAC Installer TCP Port Filter Specification ...

Page 390: ...ctivity Capture Creating a DAC Host 12 10 10 In most cases you should accept the default entry Click Next The Enforcement Server Specification window appears Figure 12 8 RDAC Installer Enforcement Server Specification ...

Page 391: ...e in step 4 on page 12 5 the InstallShield Wizard launches the Java installer first and then the WinPcap installer If you selected Custom in step 4 on page 12 5 the installers for only the selected feature will launch You will be notified by the Java and WinPcap installers if you already have the software installed Follow the instructions on the installer windows Figure 12 9 RDAC Installer Ready t...

Page 392: ...Complete window appears 14 The following folders and files are created DAC VERSION bin InstallSSDAC bat rdac SSDAC bat UninstallSSDAC bat wrapper exe conf wrapper conf lib DAC_keystore Jpcap dll libjpcap so SA_DeviceActivityCapturer jar wrapper dll wrapper jar Figure 12 10 RDAC Installer InstallShield Wizard Complete ...

Page 393: ...release if you want to add additional interfaces you must install them manually A future release will expand the options in the installer to include multiple interfaces To add additional interfaces to the DAC host Windows server 1 Open the DAC conf wrapper conf file with a text editor a Locate the Application Parameters section in the wrapper conf file You will see a list of entries like the follo...

Page 394: ...3 l wrapper app parameter 4 log DAC log wrapper app parameter 5 k wrapper app parameter 6 lib DAC_keystore wrapper app parameter 7 h replace wrapper app parameter 8 with the Enforcement Server IP address for multiple Enforcement Servers add more parameters and increment the ones below example wrapper app parameter 8 ip 1 wrapper app parameter 9 ip 2 wrapper app parameter 10 ip 2 wrapper app parame...

Page 395: ... in the first column of the output from the previous statement For example if the RELATED ESTABLISHED rule is rule 5 the INSERT command would look like the following iptables I RH Lokkit 0 50 INPUT 6 p tcp dport 8999 s DAC host IP m state state NEW j ACCEPT If you want this addition to survive a reboot you must use the iptables save command and dump the iptables ruleset to etc sysconfig iptables w...

Page 396: ...rameter 9 172 17 100 150 wrapper app parameter 10 172 50 50 7 iii Increment the rest of the wrapper app parameter numbers by the number of ESs added For this example of adding two ESs increment by two change 10 to 12 11 to 13 and so on wrapper app parameter 11 i wrapper app parameter 12 Device NPF_ 5405257 5 E4CC 46A5 B626 9167DD4F9BE3 wrapper app parameter 13 f wrapper app parameter 14 udp src po...

Page 397: ...o automatic start at the next reboot by default Viewing Version Information To view version information Windows server 1 Select Start Settings Control Panel Add or Remove Programs 2 Click once on the DAC listing 3 Click Click here for support information The Support Info window appears 4 The version and other support information is displayed Click Close 5 Close the Add or Remove Programs window Fi...

Page 398: ...elect Start Settings Control Panel Add or Remove Programs 2 Click once on the DAC listing 3 Click Remove 4 Click Yes when asked if you want to completely remove the application and features When the uninstallation is complete the Uninstall Complete window appears 5 Select one of the options and click Finish To remove the JavaJRE software Windows server Figure 12 13 RDAC Uninstall Complete ...

Page 399: ... the uninstallation is complete the Uninstall Complete window appears 5 Select one of the options and click Finish To remove the WinPcap software Windows server 1 Select Start Settings Control Panel Add or Remove Programs 2 Click once on the WinPcap listing 3 Click Remove 4 Click Yes when asked if you want to completely remove the application and features When the uninstallation is complete the Un...

Page 400: ...ver to send debug level DHCP logs to the NAC 800 ES IPs on TCP port 514 using the local3 facility The actual steps to set this up may vary by NIOS Contact Infoblox support for assistance http www infoblox com support If the Infoblox DHCP is clustered there is a floating management IP and multiple LAN IPs one for each of the nodes in the DHCP cluster In this configuration The switches must be confi...

Page 401: ... properties The expected results are Compliance DeviceActivityCapture RunningRemotely tru e It can take a minute or two Contact ProCurve Networking by HP if your results are different NOTE It can take a minute or two after changing the property in the user interface for the change to propagate to all ESs 6 Edit the configuration file a Open the following file with a text editor such as vi etc sysl...

Page 402: ... Stop iptables by entering the following at the command line service nac es stop fw_control stop b Open the following file with a text editor such as vi etc sysconfig iptables c Add the following line before the REJECT lines in the RH Lokkit 0 50 INPUT section and after the RELATED ESTABLISHED line d A RH Lokkit 0 50 INPUT s INFOBLOX_IP p tcp m tcp dport 514 m state state NEW j ACCEPT Where INFOBL...

Page 403: ...the NAC 800 User Interface 13 7 Installing the Plug in 13 7 Enabling the Plug in and Adding Servers 13 11 Viewing DHCP Server Plug in Status 13 13 Editing DHCP Server Plug in Configurations 13 13 Deleting a DHCP Server Plug in Configuration 13 14 Disabling a DHCP Server Plug in Configuration 13 14 ...

Page 404: ...Dynamic Host Configuration Protocol DHCP plug in is an optional feature that allows you to use one or more DHCP servers without an instal lation of NAC 800 in front of each DHCP server as shown in the following figure Figure 13 1 DHCP Plug in ...

Page 405: ...horized device allowed to the Access Control List ACL on the appropriate DHCP server The following connection and communication actions apply If the connection between the DHCP server and the NAC 800 server is lost and re established the existing ACL on the DHCP server is discarded and NAC 800 re transmits the entire ACL If the DHCP server cannot communicate with NAC 800 at any time the DHCP serve...

Page 406: ... as described in the Creating a DAC Host section of the Users Guide 2 On the NAC 800 MS enter the following commands and follow the on screen instructions a usr local nac bin MakeDHCPCert This command generates a file named server pem in the current directory This file contains a key and certificate signed by the CA The DHCP plug in responds to SSL connections from NAC 800 by providing this certif...

Page 407: ...tes certfile A Privacy Enhanced Mail PEM formatted file containing the server key and certificate along with any CA trusted entities logging location The location to save the DLL s log file The log file is an ASCII file level The level of verbosity in the log 1 Errorsonly logsunexpectedbehavior suchasunable to parse configuration file 2 Errors and warnings logs mode changes such as No Connection t...

Page 408: ...port looprate 10 looprate listener certificates cadir certfile c windows system32 dhcp server pem certfile clientCN enforce false nac clientCN certificates logging location c windows system32 dhcp nac_DHCP log location level 3 level maxsize 1024 maxsize logging dhcpconnector ...

Page 409: ...o use the DHCP plug in you need to select DHCP as the quarantine enforcement method select the DHCP servers using the DHCP plug in check box and add your DHCP servers Installing the Plug in To install the DHCP plug in Home window System configuration Quarantining 1 Select the DHCP radio button in the Quarantine area ...

Page 410: ...DHCP Plug in DHCP Plug in and the NAC 800 User Interface 13 8 2 Select the DHCP servers using the DHCP plug in radio button Figure 13 2 System Configuration Quarantining DHCP ...

Page 411: ...HCP server you will remember and save the file 5 On the DHCP server navigate to the location of the saved file and double click it 6 Double click the exe installer file The InstallShield Wizard starts 7 Click Next The Customer Information window appears Figure 13 3 DHCP Plug in InstallShield Wizard window Figure 13 4 DHCP Plug in Customer Information window ...

Page 412: ...eady to Install the Program window appears 10 Click Install The progress is displayed on a Status window When installation is complete the InstallShield Wizard Complete window appears 11 Click Finish Figure 13 5 DHCP Plug in Ready to Install the Program window Figure 13 6 DHCP Plug in InstallShield Wizard Complete window ...

Page 413: ...DHCP plug in configuration The Add DHCP plug in configuration window appears as shown in the following figure 4 Enter the IP address or host name of the DHCP server where the plug in is to be installed in the DHCP server hostname or IP address text box 5 Enter the port number on the DHCP server that listens for plug in requests in the Plug in listening port text field 6 Enter a brief description o...

Page 414: ...e following figure 9 Continue to add DHCP servers until you have added all of them The possible DHCP server plug in status states are shown in the following figure NOTE NAC 800 automatically attempts to connect to the DHCP server The possible DHCP server status states are shown in figure 13 9 10 Click ok to save the changes and return to the Home window Figure 13 8 DHCP Plug in Server Added Exampl...

Page 415: ...uarantine method radio button DHCP servers using the DHCP plug in radio button Click edit next to a DHCP server configuration Editing DHCP Server Plug in Configurations To edit DHCP Server Plug in Configurations Home window System configuration Quarantining DHCP Quarantine method radio button DHCP servers using the DHCP plug in radio button 1 Click edit next to the DHCP server you wish to edit The...

Page 416: ...er Plug in Configuration Disable a DHCP server plug in configuration when you do not wish to use it but wish to save the configuration and certificates To disable a DHCP Server Plug in Configuration Home window System configuration Quarantining DHCP Quarantine method radio button DHCP servers using the DHCP plug in radio button 1 Click disable next to the DHCP server plug in configuration you wish...

Page 417: ...he NAC 800 User Interface 13 15 1 Click enable next to the DHCP server plug in configuration you wish to enable 2 Click yes at the Enable DHCP plug in configuration prompt 3 Click ok to save the changes and return to the Home window ...

Page 418: ... This page intentionally left blank ...

Page 419: ... 1 14 Reports Chapter Contents Report Types 14 2 Generating Reports 14 4 Viewing Report Details 14 6 Printing Reports 14 8 Saving Reports to a File 14 9 Converting an HTML Report to a Word Document 14 10 ...

Page 420: ...ac address ip address cluster netbios user test status Test details Comprehensive list of all test results including remediation messages date time ip address netbios user policy test name actions test status message Test results Lists each test and the test s pass fail status test name test status of times of total details Test results by IP address Lists the number of tests that passed or failed...

Page 421: ...etBIOS name Lists the number of tests that passed or failed for each netbios name netbios cluster ip address user test status of times of total details Test results by user Lists the number of tests that passed or failed for each user user cluster ip address netbios test status of times of total details Report Description Report columns Table 14 1 Report Types and Fields cont ...

Page 422: ...Reports window 1 In the Report drop down list select the report to run 2 Select the Report period 3 Select the Rows per page 4 In the Endpoint search criteria area select any of the following options to use for filtering the report a Cluster b Endpoint NetBIOS c Endpoint IP address d Endpoint MAC address Figure 14 1 Reports ...

Page 423: ...nerate report After a short period of time the compiled report is displayed in a separate browser window The following figure shows an example report CAUTION The reports capability uses pop up windows if you have blocked pop up windows in your browser you will not be able to view reports See Pop up Windows on page C 2 for more information Figure 14 2 NAC Policy Results Report ...

Page 424: ...Report Details 14 6 Viewing Report Details To view report details Home window Reports 1 Select the options for the report you want to run 2 Click Generate report 3 Click the details link The Test details window appears ...

Page 425: ...Reports Viewing Report Details 14 7 Figure 14 3 Test Details Report ...

Page 426: ... Reports 14 8 Printing Reports To print a report Home window Reports 1 Select the options for the report you want to run 2 Click Generate report 3 Select Print 4 Select the printer options and properties 5 Select Print ...

Page 427: ...s 1 Select the options for the report you want to run 2 Click Generate report 3 Select File Save Page As from the browser menu 4 Enter a name and location where you want to save the file 5 Select Web page complete 6 Click Save The file is saved as an HTML file that can be viewed in a browser window ...

Page 428: ...ave an HTML version of it see Saving Reports to a File on page 14 9 3 Open the HTML report in Microsoft Word 4 Select File Save as 5 In the Save as type drop down list select doc 6 Click Save This creates a standalone file that retains all of its graphics and formatting 7 To print you might need to reduce the border sizes in File Page Setup dialog box for the report to print correctly ...

Page 429: ...Address 15 9 Resetting your System 15 9 Resetting your Test Data 15 11 Changing Properties 15 12 Specifying an Email Server for Sending Notifications 15 13 Entering Networks Using CIDR Format 15 14 Database 15 15 Creating a Backup File 15 15 Restoring from Backup 15 16 Restoring the Original Database 15 17 Generating a Support Package 15 17 Supported VPNs 15 18 How NAC 800 Handles Static IP Addres...

Page 430: ...n Certificate Authority CA 15 29 Moving an ES from One MS to Another 15 32 Recovering Quickly from a Network Failure 15 33 VLAN Tagging 15 34 iptables Wrapper Script 15 36 Supporting Network Management System 15 37 Enabling ICMP Echo Requests 15 37 SNMP MIBs 15 39 ...

Page 431: ... and Password that you defined the first time you logged in 3 Click log in The NAC 800 Home window appears Logging out of NAC 800 To log out of NAC 800 Any NAC 800 window Click Logout in the upper right corner of the NAC 800 home window When the logout procedure completes the ProCurve login window appears Important Browser Settings Thereareseveralbrowserconfigurationsettingstomake dependingonwhich...

Page 432: ...procurve com or Table 15 1 Service Stop and Restart Commands Command Description service watchdog stop This command stops all the NAC software processes on the server MS and or ES processes as necessary service watchdog start This command starts all the stopped NAC software processes on the server MS and or ES processes as necessary service watchdog restart This command restarts all the NAC softwa...

Page 433: ... ruleUpdate_status Attempt to connect using wget form the NAC the proxy command is optional export http_proxy your_web_proxy wget http update procurve com monitor ruleUpdate_status If the connection is successful then the ProCurve server will return a file containing a date time stamp file formatted as follows 2008 02 04 23 21 02 NOTE Your outbound SSL connection needs to access For license valida...

Page 434: ... as the following quarantine bad 2 Enter the full domain controller hostnames in the System configuration Accessible services area for example dc01 mycompany com dc02 mycompany com 3 Ensure that each ES has a valid fully qualified domain name FQDN and that the domain portion matches the domain for the registered windows domain 4 Ensure that each ES is configured with one or more valid DNS servers ...

Page 435: ... dc01 mycompany com dc02 mycompany com lookup the dc01 IP address receive the dc IP address forwarded through NAC 800 named to the real DNS server since dc01 mycompany com is in the accessible services list authenticate Matching Windows Domain Policies to NAC Policies Using a Windows domain might affect the end user s ability to change their system configuration to pass the tests For example in a ...

Page 436: ...up for trial use purposes allow all To change the access mode Home window System monitor Select an Enforcement cluster 1 Select one of the following from the Access mode area normal Access is regulated by the NAC policies allow all All requests for access are granted but endpoints are still tested 2 Click ok Naming Your Enforcement Cluster To name your Enforcement cluster Home window System config...

Page 437: ... Settings on page 3 17 However if you cannot access the user interface use the following instruc tions 1 Log in to the MS or ES as root using SSH or directly with a keyboard 2 Enter the following command at the command line network settings py ip address netmask gateway Where ip address is the new IP address for the MS or ES For example 192 168 40 10 netmask is the netmask For example 255 255 255 ...

Page 438: ...llation with the MS and ES on the same server an MS or an ES the database is cleared and the property files are restored to their defaults both The system is reset to be a single server installation MS and ES on one server the database is cleared and the property files are restored to their defaults ms The system is reset to be an MS the database is cleared and the property files are restored to t...

Page 439: ...resetTestData py 2 For multiple server installations a Stop the nac es service on all ESs i Log in as root to each NAC 800 ES either using SSH or directly with a keyboard ii Enter the following at the command line service nac es stop b Stop the nac ms service on the MS i Log in as root to the NAC 800 MS either using SSH or directly with a keyboard ii Enter the following at the command line service...

Page 440: ...800 MS using SSH 2 Enter the following at the command line setProperty py DESTINATION TYPE VALUES Where DESTINATION is one or more of c cluster name Set properties on all Enforcement Servers in cluster e ES hostname Set properties on Enforcement Server a Set properties on all Enforcement Servers m Set properties on Management Server TYPE is one of blank nothing specified l Properties are log4j pro...

Page 441: ... setProperty py m Compliance UpgradeManager UpgradeTimeout 30 Specifying an Email Server for Sending Notifications NAC 800 Enforcement clusters send alerts and notifications when certain events occur You must specify an SMTP email server for sending these notifications The server must allow SMTP messages from the NAC 800 ES To specify an email server for sending notifications See Notifications on ...

Page 442: ...55 255 248 1 32 8 28 255 255 255 240 1 16 16 27 255 255 255 224 1 8 32 26 255 255 255 192 1 4 64 25 255 255 255 128 1 2 128 24 255 255 255 0 1 Class C network 256 23 255 255 254 0 2 Class C networks 512 22 255 255 252 0 4 Class C networks 1 024 21 255 255 248 0 8 Class C networks 2 048 20 255 255 240 0 16 Class C networks 4 096 19 255 255 224 0 32 Class C networks 8 192 18 255 255 192 0 64 Class C...

Page 443: ... directly with a keyboard 2 Enter the following at the command line to increase the pg_dump timeout setProperty py m Compliance Backup PgDumpCmdTimeout milliseconds Where milliseconds is the number of milliseconds that the backup will wait on the pg_dump command before stopping and providing a process stopped message For example the default is 600000 10 minutes 3 Enter the following at the command...

Page 444: ...6 To restore system configuration and data from a backup file Home window System configuration Maintenance 1 Click restore system from backup file The Restore system window appears 2 Enter the backup file name or click Browse and navigate to the backup file 3 Click ok A status window appears 4 The system data is restored and the login window appears Figure 15 1 Restore System Figure 15 2 Login ...

Page 445: ...more information To reset a NAC 800 database to its pristine state Command window 1 Log in as root to the NAC 800 MS using SSH 2 Enter the following commands resetSystem py This script shuts down all of the services cleans the database iptables and DHCP server and restarts everything Generating a Support Package To generate a support package See Downloading Support Packages on page 3 109 ...

Page 446: ...Ns NAC 800 works with any VPN endpoint since NAC 800 does not directly interface or inter operate with VPN endpoints The following commonly deployed VPN solutions have been tested Cisco VPN Concentrators OpenSSL VPNs Protocols supported IPSec L2TP PPTP SSL ...

Page 447: ...results message text Command line window See Customizing Error Messages on page 5 52 CAUTION Make changes to the description only For example in the following text checkServicePacks String 3 There are no service packs installed Run Windows Update to install the most recent service packs Do not make changes to the text at the beginning of the line checkService Packs String 3 To view the end user ac...

Page 448: ... NAC 800 By using the Agent Callback feature see Agent Callback on page 5 3 An endpoint with a static IP address can be automatically tested only if the endpoint Has credentials stored for agentless testing Already has the agent installed If you do not use the items in the previous list you cannot capture the users attention in their browser to force them to supply credentials or install an agent ...

Page 449: ...e 15 23 endpoint domain administrator Manually entered on the endpoint by the end user If the end user has not defined a login password combination the default login is usually administrator with a blank password Known passwords are entered on the System configuration Windows Agentless credentials window to allow NAC 800 to test the endpoint Password recovery on endpoints is beyond the scope of th...

Page 450: ...2 Click ok If you cannot remember either password you can either reset the appliance mode or boot to the system partition and recover the whole application partition which resets all of the passwords losing any configuration settings in the process Instructions for booting to the system partition are beyond the scope of this document To reset the appliance mode On the appliance s LCD reset the ser...

Page 451: ...contact ProCurve Networking by HP for assistance Changing the NAC 800 Administrator Password When the Password is Known To reset the NAC 800 administrator user interface User Name and Password when known See Modifying the MS root Account Password on page 3 28 When the Password is Unknown To reset the NAC 800 administrator user interface User Name and Password when unknown Command line window 1 Cre...

Page 452: ...nistration Managing Passwords 15 24 4 Enter the following command setProperty py f filename 5 From a workstation open a browser window and point to the NAC 800 MS 6 Enter a new User Name and Password when prompted ...

Page 453: ...such that only the networks set to be enforced will ever get quarantine addresses NOTE There is one caveat to note with ranges to monitor and ranges to ignore if endpoints have IP addresses outside of the ranges to monitor and ranges to ignore and if the ES is capable of controlling network access for those endpoints the endpoints can still be quarantined by consequence of the NAC policy rules for...

Page 454: ...idual DHCP relay agent IP addresses separated by carriage returns These addresses are monitored in addition to the quarantined or non quarantined subnets NOTE When using Extreme switches running ExtremeWare or ExtremeXOS prior to release 11 6 DHCP relay IP addresses to enforce will NOT work when the quarantine subnet is a subset of the production network This is because Extreme switches forward th...

Page 455: ...o avoid SSL certificate warnings in the browser when connecting to the NAC 800 server either as a NAC 800 user interface user or from a redirected endpoint you will need to install SSL certificates that have been signed by a Certificate Authority CA recognized by the browser such as Thawte Verisign or your organization s own local SSL CA To install certifi cates follow the steps below for the MS a...

Page 456: ...rposes on a single machine this will be local host Organizational unit Enter the appropriate value Organization Enter the name of your organization City or locality Enter the city or location State or province Enter the unabbreviated state or province Two letter country code Enter a two letter country code The two letter country code for the United States is US 5 Review the information you ve ente...

Page 457: ...SSL Certificate from a known Certificate Authority CA To generate a Certificate Signing Request CSR to be submitted to a Certifi cate Authority CA first create a new self signed certificate following the instructions in the previous section then continue as follows 1 Log in as root to the NAC 800 server via SSH 2 Enter the following at the command line keytool certreq alias key_alias keyalg RSA fi...

Page 458: ...d preferably identifies the CA to which it pertains ca_root_cert_file is the file containing the CA s root certificate 6 keytool prompts for the password for the cacerts file which should be the default changeit 7 If you are prompted enter yes to trust the certificate 8 Once you get your signed certificate back from the CA import it into your keystore see Copying Files on page 1 20 replacing the p...

Page 459: ...System Administration Creating and Replacing SSL Certificates 15 31 10 Save and exit the file ...

Page 460: ...y with a keyboard 2 Enter the following command at the command line service nac es stop 3 Log in the MS user interface that currently manages the ES you want to move 4 Select System Configuration Enforcement clusters servers 5 Click delete next to the ES you want to move 6 In the command line window of the ES enter the following command resetSystem py 7 Log in to the MS user interface of the serve...

Page 461: ... b Click a cluster name c Select the allow all radio button d Click ok 2 Leave the cluster in allow all mode for a full test cycle If your test cycle is to retest endpoints every two hours leave the cluster in allow all mode for two hours To check the length of your test cycle a Select NAC policies b Click a policy name c Select the Basic settings menu option d In the Retest frequency area check t...

Page 462: ... using SSH or directly with a keyboard b Enter the following command at the command line cd etc sysconfig network scripts c For 802 1X mode i Enter the following at the command line cp ifcfg eth1 ifcfg eth1 1 ii Open the ifcfg eth1 1 file with a text editor such as vi iii Change the following line DEVICE eth1 To DEVICE eth1 VLAN ID Where VLAN ID is the VLAN where the DHCP server resides For exampl...

Page 463: ...operty py c cluster name Compliance ObjectManager NACModeTcpdumpInterface eth1 1 3 Verify the change a Log in to each ES using SSH or directly with a keyboard b Enter the following command at the command line ifconfig c Verify that the virtual interface you created is listed d Open the following file var log nac nac es log e Verify that the EDAC is using the virtual interface you created The log s...

Page 464: ...g changes to the ipta bles firewall This script ensures that errors are not introduced by making changes when nac es is running Use the following commands to control iptables from the command line To stop iptables fw_control stop To start iptables fw_control start To restart iptables fw_control restart To save iptables config fw_control save To get iptables status iptables L fw_control status NOTE...

Page 465: ...g in to the NAC 800 server as root using SSH or directly with a keyboard 2 Enter the following command at the command line echo 0 proc sys net ipv4 icmp_echo_ignore_all Pings will again be disabled after the next reboot Enable Persistent Ping To persistently enable ICMP echo requests Command line 1 Log in to the NAC 800 server as root using SSH or directly with a keyboard 2 Open the rc local file ...

Page 466: ... section to add rules to the firewall chain so that ping requests are only viable through the interface specified To restrict ping entries to a specific interface Command line 1 At the MS command line enter the following iptables entries in this order iptables A RH Lokkit 0 50 INPUT p icmp icmp type echo request i ethx j ACCEPT iptables A RH Lokkit 0 50 INPUT p icmp icmp type echo request j DROP W...

Page 467: ...The following MIBs located in usr share snmp mibs define the data that NAC 800 can read HOST RESOURCES MIB IF MIB IP MIB IPV6 MIB NET SNMP AGENT MIB NET SNMP MIB RFC1213 MIB SNMP FRAMEWORK MIB SNMP MPD MIB SNMP TARGET MIB SNMP USER BASED SM MIB SNMPv2 MIB SNMP VIEW BASED ACM MIB TCP MIB UCD DLMOD MIB UCD SNMP MIB UDP MIB Enter the following MIB to define outgoing SNMP notifications usr share snmp ...

Page 468: ... This page intentionally left blank ...

Page 469: ... a Test to Launch a Patch Manager 16 3 Selecting the Patch Manager 16 4 Specifying the Number of Retests 16 5 Specifying the Retest Frequency 16 6 SMS Patch Management 16 7 SMS Concepts 16 8 NAC 800 SMS NAC 800 Process 16 9 NAC 800 Setup 16 10 Learning More About SMS 16 11 ...

Page 470: ...nt software When an endpoint fails due to a missing patch NAC 800 wakes the patch manager client checks for the completion of the patch and then retests upon completion The patch management capability uses the following test statuses fail patching endpoint patching failed reason patching completed ...

Page 471: ...flag a test to launch a patch manager Home window NAC Policies Select or create a NAC policy Tests menu option 1 Select the check box for a test in the left column 2 Click on the test name in the left column 3 Select the Initiate patch manager check box 4 Click ok Figure 16 1 Initiate a Patch Manager Check Box ...

Page 472: ...er Home window NAC Policies Select or create an access policy Tests menu option 1 Select the check box for a test in the left column 2 Click on the test name in the left column 3 Select the Initiate patch manager check box 4 Select a patch manager from the Select a patch manager drop down list 5 Click ok ...

Page 473: ...C Policies Select or create an access policy Tests menu option 1 Select the check box for a test in the left column 2 Click on the test name in the left column 3 Select the Initiate patch manager check box 4 Enter a number in the Maximum number of retest attempts text box For example 10 the system minimum is 1 and the maximum is 2147483647 5 Click ok ...

Page 474: ... Policies Select or create an access policy Tests menu option 1 Select the check box for a test in the left column 2 Click on the test name in the left column 3 Select the Initiate patch manager check box 4 Enter a number in the retest interval text box For example 30 the system minimum is 1 and the maximum is 2147483647 5 Click ok ...

Page 475: ...Patch Management SMS Patch Management 16 7 SMS Patch Management Repair vulnerabilities using patch management with SMS NOTE Windows SMS 2003 is the only version supported ...

Page 476: ...t is a notification that says an update package is available NOTE Detailed instructions on using and configuring SMS are beyond the scope of this document See Learning More About SMS on page 16 11 for links to helpful SMS information NOTE SMS server has a setting that allows users to interact with and cancel patch installation ProCurve recommends that you do not allow users to cancel patchinstalla...

Page 477: ...point client SMS which patches the endpoint NAC 800 retests the endpoint If the test fails again NAC 800 keeps looping until patching com pletes If the test passes NAC 800 allows the endpoint access to the network NOTE SMS patch management works with agent based testing only NOTE Endpoints must be identified in SMS and have the SMS client installed ...

Page 478: ...r use with SMS 1 Install and configure NAC 800 2 Log into the NAC 800 user interface 3 Add the following IP addresses to the NAC 800 home window System configuration Accessible services area a SMS server IP address b Domain Controllers IP addresses and authentication ports ...

Page 479: ...Patch Management Learning More About SMS 16 11 Learning More About SMS The following links provide additional information about SMS Microsoft SMS home page http www microsoft com smserver ...

Page 480: ... This page intentionally left blank ...

Page 481: ...Server Chapter Contents Overview A 2 Extracting the ZIP File A 3 Windows A 3 Linux A 3 ZIP File Contents A 4 Setting up a Post connect Host A 5 Windows A 5 Linux A 6 Viewing Logs A 9 Testing the Service A 10 Configuring Your Sensor A 11 ...

Page 482: ... connect server can be a Windows server or a Linux server This section details the following Extracting the ZIP File on page A 3 Windows on page A 3 Linux on page A 3 ZIP File Contents on page A 4 Setting up a Post connect Host on page A 5 Windows on page A 5 Linux on page A 6 Viewing Logs on page A 9 Testing the Service on page A 10 Configuring Your Sensor on page A 11 ...

Page 483: ...tract the contents of the ZIP file with an extraction program such as WinZip or Windows zip utility Do not extract in a UNIX like terminal window such as cygwin as this may cause permission ownership issues Linux To download and extract the ZIP file to a Linux machine 1 Create a directory for the contents of the ZIP file on the Linux machine ProCurve recommends usr local These instructions assume ...

Page 484: ...InstallConnectorService bat postconnect UninstallConnectorService bat wrapper exe conf wrapper conf lib activemq core 4 1 1 jar backport util concurrent 2 1 jar commons logging 1 0 3 jar concurrent 1 3 4 jar connector jar connector properties geronimo spec j2ee management 1 0 rc4 jar jms jar JMSConnection properties log4j 1 2 13 jar log4j properties wrapper dll wrapper jar log ...

Page 485: ... to http java sun com javase downloads index jsp ii Download and install the Java 1 5 update 10 or greater 3 Install Python 2 5 or later if it is not already installed a Log into your Windows machine b Install Python i Navigate to http www python org download ii Download and install the Python for Windows version 4 Copy the cacerts file to the Windows server a Log in the NAC 800 MS as root using S...

Page 486: ... Start the service a On your Windows server select Start Settings Control Panel Administrative Tools Services b Right click on NAC Post Connect Service and select Start Linux Your post connect host can be a Linux or Windows server This section provides instructions on setting up a Linux host To set up a Linux post connect host 1 Install Java on a Linux machine if it is not already installed a Log ...

Page 487: ... iii Save and exit the file iv Copy the postconnect file to your etc init d folder by entering the following command at the command line cp usr local postconnect bin postconnect etc init d b Edit the connector properties file i Open the usr local postconnect lib connector properties file with a text editor such as vi ii Change the instance name to something recognizable by you For example instance...

Page 488: ...Configuring the Post connect Server Setting up a Post connect Host A 8 d Start the service by entering the following at the command line service postconnect start ...

Page 489: ...ver Viewing Logs A 9 Viewing Logs To view post connect logs The log files are as follows usr local postconnect log connector log Verify that the connector is running usr local postconnect log script log The script writes to this file ...

Page 490: ..._ActionScript py endpoint IP Reason 1 Reason 2 Linux usr local postconnect bin Connector_ActionScript py endpoint ip Reason 1 Reason 2 Where endpoint IP is the IP address of an endpoint known to NAC 800 For example 192 168 40 40 Reason 1 and Reason 2 are text strings that describe the reasons to quarantine the specified endpoint For example P2P Software Installed or Latest Windows XP Service Pack ...

Page 491: ... Post connect Server Configuring Your Sensor A 11 Configuring Your Sensor Configureyourpost connectsensortocallConnector_ActionScript py with the IP address of the endpoint to quarantine and the reasons to quaran tine ...

Page 492: ...the Firewall A 12 Allowing NAC 800 Through the Firewall NAC 800 needs to communicate with the post connect server through port 61616 See Allowing the Windows RPC Service through the Firewall on page 5 22 for instructions on how to open a port on a Windows machine ...

Page 493: ...ice Hotfixes B 12 Microsoft Applications Hotfixes B 12 Microsoft Servers Hotfixes B 13 Microsoft Tools Hotfixes B 13 Service Packs B 14 Windows 2000 SP4 Hotfixes B 14 Windows 2003 SP1 Hotfixes B 15 Windows 2003 SP2 Hotfixes B 15 Windows Automatic Updates B 16 Windows Media Player Hotfixes B 17 Windows Vista SP0 Hotfixes B 17 Windows XP SP1 Hotfixes B 18 Windows XP SP2 Hotfixes B 19 Security Settin...

Page 494: ...quired B 29 Windows Bridge Network Connection B 30 Windows Wireless Network SSID Connections B 30 Windows Security Policy B 31 Windows Startup Registry Entries Allowed B 32 Wireless Network Connections B 33 Software Windows B 35 Anti spyware B 35 Anti virus B 35 High risk Software B 36 Microsoft Office Version Check B 36 P2P B 37 Personal Firewalls B 37 Software Not Allowed B 38 Software Required ...

Page 495: ...st Updates Check for Test Updates This appendix describes tests available to NAC policies Each section covers one test and describes the following sections Description An overview of the check performed in this test Test Properties Information on configuring the criteria which an endpoint must meet to pass the test How Does this Affect Me An explanation of the risks that the test attempts to mitig...

Page 496: ... could be misused if an attacker gains access to them The following link provides detailed information about cookies http www cookiecentral com content phtml area 2 id 1 Cache Cache is a user specifiable amount of disk space where temporary files are stored These files contain graphics and Web pages you visit The primary purposes for storing Web page information is to save time reloading pages and...

Page 497: ...ends other programming languages such asJava byprovidingre usable controls thatenabledeveloperstomake Web pages active ActiveX is Microsoft s brand for active scripting The following links provide more detailed information about ActiveX http www active x com articles whatis htm http www active x com http www newportinc com software activex whatisAX htm Java Java is a programming language and a col...

Page 498: ... and prompt for ActiveX controls enables downloads a mix of enabled disabled and prompt for Miscellaneous options enables Scripting enables automatic login for intranet Low A mix of enabled and prompt for ActiveX controls enables downloads a mix of enabled and prompt for Miscellaneous options enables Scripting enables automatic login How Does this Affect Me The Internet security zone defines a sec...

Page 499: ...prompt for ActiveX controls enables downloads a mix of enabled disabled and prompt for Miscellaneous options enables Scripting enables automatic login for intranet Low A mix of enabled and prompt for ActiveX controls enables downloads a mix of enabled and prompt for Miscellaneous options enables Scripting enables automatic login How Does this Affect me Theintranetsecurityzone definesasecurity leve...

Page 500: ... a mix of enabled disabled and prompt for Miscellaneous options enables Scripting enables automatic login for intranet Low A mix of enabled and prompt for ActiveX controls enables downloads a mix of enabled and prompt for Miscellaneous options enables Scripting enables automatic login How Does this Affect Me The restricted sites security zone defines a security level for all restricted Web sites t...

Page 501: ... options enables Scripting enables automatic login for intranet Medium low A mix of enabled disabled and prompt for ActiveX controls enables downloads a mix of enabled disabled and prompt for Miscellaneous options enables Scripting enables automatic login for intranet Low A mix of enabled and prompt ActiveX controls enables down loads a mix of enabled and prompt for Miscellaneous options enables S...

Page 502: ...ect Custom Level to specify High Medium Medium low or Low or to create custom settings 3 Select Sites 4 Enter a domain name or IP address in the Add this Web site to the zone text box 5 Select the Require server verification https for all sites in this zone check box if encrypted communications are required 6 Click Add 7 Click OK ...

Page 503: ...ere is usually only one fix in a hotfix whereas a patch includes multiple hotfixes What Do I Need to Do Use the Windows 2000 IIS Hotfix Checking Tool to verify that you have the latest hotfixes http www microsoft com downloads details aspx displaylang en Fami lyID 6C8AFC1C 5008 4AC8 84E1 1632937DBD74 Internet Explorer Hotfixes Description Checks for hotfixes to Microsoft Internet Explorer IE Test ...

Page 504: ...he critical patches that have been released or will be released by Microsoft How Does this Affect Me Hotfixes are programs that update the software and may include performance enhancements bug fixes security enhancements and so on There is usually only one fix in a hotfix whereas a patch includes multiple hotfixes What Do I Need to Do Manually initiate an update check at http www update microsoft ...

Page 505: ...t side of the window as shown in figure B 1 Microsoft Servers Hotfixes Description Checks for hotfixes to Microsoft Servers Test Properties Select the hotfixes required on your network If needed select Deep Check to permit endpoint tests to run at the file level Selecting the All critical updates option requires all the critical patches that have been released or will be released by Microsoft How ...

Page 506: ...on This test verifies that the endpoint attempting to connect to your system has the latest operating system OS service packs installed Test Properties The service packs are listed here by operating system How Does this Affect Me Servicepacksareprogramsthatupdatethesoftware and may include performance enhancements bug fixes security enhance ments and so on If needed select Deep Check to permit end...

Page 507: ...ed Test Properties Select the hotfixes from the list presented that are required on your network This list will occasionally change as tests are updated If needed select Deep Check to permit endpoint tests to run at the file level The most secure option is to select the All critical updates option as this requires all the critical patches that have been released or that will be released by Microso...

Page 508: ...pdate microsoft com microsoftupdate ln en us or by clicking on one of the update numbers underlined at the right side of the window as shown in figure B 1 Windows Automatic Updates Description This test verifies that the endpoint attempting to connect to your system has Windows Automatic Updates enabled Test Properties Select the minimum setting for Windows automatic updates that is required of en...

Page 509: ...updates requires all the critical patches that have been released or will be released by Microsoft How Does this Affect Me Hotfixes are programs that update the software and may include performance enhancements bug fixes security enhancements and so on There is usually only one fix in a hotfix whereas a patch includes multiple hotfixes What Do I Need to Do Manually initiate an update check http v4...

Page 510: ...he right side of the window as shown in figure B 1 Windows XP SP1 Hotfixes Description This test verifies that the endpoint attempting to connect to your system has the latest Windows XP SP1 hotfixes installed Test Properties Select the hotfixes from the list presented that are required on your network This list will occasionally change as tests are updated If needed select Deep Check to permit en...

Page 511: ...l The most secure option is to select the All critical updates option as this requires all the critical patches that have been released or that will be released by Microsoft You don t have to keep checking by patch number How Does this Affect Me Hotfixes are programs that update the software and may include performance enhancements bug fixes security enhancements and so on There is usually only on...

Page 512: ... the Mac endpoint to use WEP encryption Select Mac Help or refer to the following link for assistance on configuring AirPort http www apple com support airport Mac AirPort Preference Description This test verifies that the Mac AirPort joins only preferred networks Test Properties There are no properties to set for this test How Does this Affect Me Ifyoumovebetweendifferentlocations andyouuse an Ai...

Page 513: ... this test How Does this Affect Me Anti virus software scans your computer email and other files for known viruses worms and trojan horses It searches for known files and automatically removes them A virus is a program that infects other programs and files and can spread when a user opens a program or file containing the virus A virus needs a host the program or file to spread A worm is a program ...

Page 514: ...hnology you should make sure that it is secure so that others cannot access your network What Do I Need to Do Disable Bluetooth or configure Bluetooth so that it is not discoverable on the endpoint Select Mac Help or refer to the following for assistance on configuring Bluetooth http www apple com bluetooth http www bluetooth com bluetooth Mac Firewall Description This test verifies that the firew...

Page 515: ...rties When an endpoint fails this test it can be granted temporary access in the following ways Select the Quarantine access check box and enter a temporary access period This is the amount of time the endpoint will have access starting from when the endpoint was detected by NAC 800 Enter an Allowed grace period in the Test properties area This is the amount of time that has elapsed since the secu...

Page 516: ...ance enhancements bug fixes security enhancements and so on What Do I Need to Do Initiate an update by clicking on one of the links shown in the Test Properties area For more information on Mac OS X software updates see the following page http docs info apple com article html art num 106704 Mac Services Description This test verifies that the services checked here are allowed on the endpoint Test ...

Page 517: ...work can allow attackers access to sensitive informationon your network or allowthem to disrupt network services What Do I Need to Do Enter the IP address ranges that are allowed for your network Microsoft Excel Macros Description This test verifies that the endpoint attempting to connect to your system has the Microsoft Excel macro security level specified by your security standards Test Properti...

Page 518: ... I Need to Do SettheMicrosoftExcelmacrosecuritylevelasfollows 1 Open Excel 2 Select Tools Macro Security Security Level tab 3 Select High Medium or Low 4 Click ok Microsoft Outlook Macros Description This test verifies that the endpoint attempting to connect to your system has the Microsoft Outlook macro security level specified by your security standards Test Properties Select the minimum Microso...

Page 519: ...s the Microsoft Word macro security level specified by your security standards Test Properties Select the minimum Microsoft Word macro setting for that is required in order for an endpoint to connect to your network Very High Only macros installed in trusted locations will be allowed to run All other signed and unsigned macros are disabled High Only signed macros from trusted sources will be allow...

Page 520: ...eparate additional services with a carriage return Use the service names found in the Start Settings Control Panel Administrative Tools ser vices application For example Telnet Messenger Remote Desktop Help Session Manager How Does this Affect Me Services are Windows operating system applica tions that run automatically without manual intervention Services explained http www microsoft com technet ...

Page 521: ...rriage return Use the service names found in the Start Settings Control Panel Administrative Tools ser vices application For example Telnet Messenger Remote Desktop Help Session Manager How Does this Affect Me Services are Windows operating system applica tions that run automatically without manual intervention Services explained http www microsoft com technet security guidance serversecurity tcg ...

Page 522: ...ion poses a significant security risk Test Properties Any endpoint which has a Windows bridge Network Connec tion will fail this test How Does this Affect Me Using network bridges can be useful in some envi ronments however they also create a security risk What Do I Need to Do Do not use network bridges The following articles describe bridge networking http technet2 microsoft com windowsserver en ...

Page 523: ...y policy options you want to require on your network Enable Network access Do not allow storage of credentials or NET Passports for network authentication Disable Network access Let Everyone permissions apply to anonymous users Enable Accounts Limit local account use of blank passwords to console logon only How Does this Affect Me Certain configurations such as the ones listed above create potenti...

Page 524: ...ies Allowed Description This test verifies that the endpoint attempting to connect to your system does not contain non compliant registry entries in the run and runOnce Windows registry keys Test Properties Enter a list of registry key and values that are allowed in the run and runOnce Windows registry keys If the endpoint has any other values in those keys the test will fail Separate entries by s...

Page 525: ...s problems that may require you to reinstall your operating system 1 Back up the registry as described at the following links XP and Windows Server 2003 http support microsoft com default aspx scid kb EN US 322756 2000 http support microsoft com default aspx scid kb EN US 322755 NT 4 0 http support microsoft com default aspx scid kb EN US 323170 2 Open the Registry editor by selecting Start Run 3 ...

Page 526: ...Tests Help Security Settings Windows B 34 http www pcworld com article id 112138 article html ...

Page 527: ...orma tion about the user computer and or network without the user s knowledge It is usually installed without the user s knowledge through seemingly harmless down loads such as freeware shareware instant messages and email attachments Spy ware is intentionally difficult to detect and remove Those who create and release spyware don t want you to know it s there or be able to easily uninstall it The...

Page 528: ...s a message such as Ha ha I deleted your files Trojan horse programs do not spread or replicate themselves What Do I Need to Do Make sure you have an anti virus program installed and that the virus definitions are kept up to date The following link provides more information on anti virus software and protecting your computer http www us cert gov cas tips ST04 005 html High risk Software Descriptio...

Page 529: ...ckages are selected this means that you do not allow P2P software and any endpoint with P2P software enabled will fail this test How Does this Affect Me A Peer to peer P2P network is one that is comprised of peer nodes computers rather than clients and servers These peer nodes function both as clients and servers to other nodes and can perform any client or server function P2P software allows user...

Page 530: ...kages listed installed Test Properties Enter a list of applications that are not allowed on connecting endpoints separated with a carriage return The format for an application is vendor software package version Using this format stores the value in the HKEY_LOCAL_MACHINE Software key For example Adobe Acrobat Reader Adobe Acrobat Reader 6 0 You can also specify which key to use for the specific va...

Page 531: ...em does not have any of the worms viruses or trojans listed Test Properties This area of the window displays the current list of worms viruses and trojans No selection actions are required How Does this Affect Me A virus is a program that infects other programs and files and can spread when a user opens a program or file containing the virus A virus needs a host the program or file to spread A wor...

Page 532: ... This page intentionally left blank ...

Page 533: ...C 1 C Important Browser Settings Chapter Contents Pop up Windows C 2 Active Content C 4 Minimum Font Size C 6 Page Caching C 8 Temporary Files C 9 ...

Page 534: ...dress of the NAC 800 MS 2 Click Add 3 Click Close To allow pop up windows in Mozilla Mozilla browser Edit Preferences Privacy Security Popup Windows 1 Select the Block unrequested popup windows check box 2 Click Allowed sites 3 Enter the IP address or partial IP address of the NAC 800 MS 4 Click Add 5 Click OK 6 Click OK To allow pop up windows in Windows or Linux Firefox Firefox browser Tools Opt...

Page 535: ...Important Browser Settings Pop up Windows C 3 1 Clear the Block Popup Windows check box 2 Close the Content window ...

Page 536: ... browser window when you access the NAC 800 help feature To view the NAC 800 online help in IE 1 Click on the message box to display the options figure C 2 2 Select Allow Blocked Content The Security Warning window appears 3 Click Yes on the Security Warning window To change the IE security settings to always allow active content Figure C 1 Internet Explorer Security Warning Message Figure C 2 Sec...

Page 537: ... browser Tools Internet Options Advanced tab 1 In the Internet Options pop up window scroll down to the security section 2 Select the Allow active content to run in files on my computer check box 3 Click OK Figure C 4 IE Internet Options Advanced Tab ...

Page 538: ...inimum font size Mozilla browser Edit Preferences Appearance Fonts 1 Select None from the Minimum font size drop down list 2 Click OK To clear the Windows or Linux Firefox minimum font size Firefox browser Tools Options Content Fonts Colors Advanced 1 Select None in the Minimum font size drop down list 2 Select the Allow pages to choose their own fonts instead of my selections above check box 3 Cl...

Page 539: ...Important Browser Settings Minimum Font Size C 7 2 Select the Allow pages to choose their own fonts instead of my selections above check box 3 Click OK 4 Close the Content window ...

Page 540: ...dio button 4 Click OK 5 In the Internet Options dialog box click the Advanced tab 6 Scroll down to the Security area Clear the Do not save encrypted pages to disk check box 7 Click OK To set the Mozilla page caching options Mozilla browser Edit Preferences 1 Click the plus symbol next to Advanced to expand the topic 2 Select Cache 3 In the Compare the page in the cache to the page on the network a...

Page 541: ...ontent check box 3 Click OK 4 Click OK To delete temporary files in Mozilla Mozilla browser Edit Preferences 1 Select the plus symbol next to Advanced to expand the topic 2 Select Cache 3 Click Clear Cache To delete temporary files in Windows or Linux Firefox Firefox browser Tools Options Privacy 1 In the Private Data area click Settings The Clear Private Data window appears 2 Select the Cache che...

Page 542: ...ings Temporary Files C 10 Firefox menu Preferences Privacy 1 In the Private Data area click Settings The Clear Private Data window appears 2 Select the Cache check box 3 Click OK 4 Click Clear Now 5 Close the Privacy window ...

Page 543: ...ion D 3 IP Addresses Hostname Logins and Passwords D 4 Single server Installation D 4 Multiple server Installations D 4 Multiple server Installations D 4 Proxy Server D 7 Agentless Credentials D 8 Quarantine D 9 802 1X D 9 802 1X Devices D 9 DHCP D 10 Accessible services D 11 Notifications D 13 Test Exceptions D 14 ...

Page 544: ..._______ Two standard 802 1X server quality NIC cards Intel Internet connection with outbound SSL communications NOTE You must have access to the following For license validation and test updates update hp com port 443 For software and operating system updates download hp com port 80 Workstation running one of the following browsers with 128 bit encryption Windows Mozilla Firefox 1 5 or later Mozil...

Page 545: ...ration Check List Installation Location D 3 Installation Location My office s Server room s Data center s Test lab s Production network s I have access to the installation site s I do not have access to the installation site s ...

Page 546: ...teway IP address ________________________________ Primary nameserver IP address DNS server ________________ Secondary nameserver IP address DNS server _______________ Tertiary nameserver IP address DNS server _________________ MS ES hostname FQDN _________________________________ TIP Select simple names that are short easy to remember have no spaces or underscores and the first and last character ...

Page 547: ...are short easy to remember have no spaces or underscores and the first and last character cannot be a dash Time zone _______________________________________________ MS server root password __________________________________ MS Database password ____________________________________ NAC 800 user interface administrator account name _________ NAC 800 user interface administrator account password ____...

Page 548: ...a red asterisk Create at least one ES Cluster name 2 ___________________________________________ ES IP address ____________________________________________ ES Netmask IP address Network mask ____________________ Default gateway IP address ________________________________ Primary nameserver IP address DNS server ________________ Secondary nameserver IP address DNS server _______________ Tertiary na...

Page 549: ...__________ Time zone _______________________________________________ ES server root password __________________________________ ES Database password ____________________________________ NAC 800 user interface administrator account name _________ NAC 800 user interface administrator account password ______ Proxy Server Required fields are indicated by a red asterisk If you use a proxy server for In...

Page 550: ... Windows domain name ____________________________ Administrator user ID ______________________________ Administrator password ____________________________ Cluster 2 Windows domain name ____________________________ Administrator user ID ______________________________ Administrator password ____________________________ Cluster 3 Windows domain name ____________________________ Administrator user ID ...

Page 551: ...me ____________________ Administrator password ____________________ Domain controllers _________________________ Additional credentials user name _____________ Additional credentials password _____________ Open LDAP Server _____________________________________ Identity ___________________________________ Password __________________________________ Base DN ___________________________________ Filter...

Page 552: ... type _______________________________________ 802 1X device 4 IP address ________________________________________ Shared secret ______________________________________ Device type _______________________________________ 802 1X device 5 IP address ________________________________________ Shared secret ______________________________________ Device type _______________________________________ DHCP Req...

Page 553: ..._______ Quarantine area 3 DHCP IP range ___________________ Quarantine area 3 quarantined area gateway ___________ Quarantine area 3 domain suffix _____________________ Quarantine area 3 corresponding non quarantined subnets Accessible services Accessible services are defined for all clusters or on a per cluster basis Accessible services and endpoints for all clusters Web sites ___________________...

Page 554: ...________________________ IP addresses ports _________________________________ Networks __________________________________________ Windows domain controller __________________________ Accessible services and endpoints for cluster 3 Web sites ___________________________________________ Hostnames _________________________________________ IP addresses ports _________________________________ Networks _...

Page 555: ...__ Cluster 1 Send information to _________________________________ SNMP server IP address _____________________________ Email information sent from __________________________ Cluster 2 Send information to _________________________________ SNMP server IP address _____________________________ Email information sent from __________________________ Cluster 3 Send information to _______________________...

Page 556: ...d or blacklisted MAC addresses _____________________________________ IP addresses ________________________________________ NetBIOS names _____________________________________ Cluster 2 endpoint testing exceptions endpoints that are whitelisted or blacklisted MAC addresses _____________________________________ IP addresses ________________________________________ NetBIOS names _____________________...

Page 557: ...estination port is 3128 squid on the ES Not configurable 137 UDP 138 UDP 139 TCP ES to endpoint These ports are opened by default whenFileandPrintSharingisenabled but are not used by NAC 800 Configure on the firewall router between ES and endpoint 445 TCP ES to endpoint This port is first used for NMB lookup identify yourself on Windows endpoints If this port is not open the endpoint cannot be tes...

Page 558: ...es use port 443 Not configurable N A MS to admin user client browser Support packages are downloaded to the admin client browser no external network interaction N A 80 TCP MS to Internet For software and operating system updates download hp com port 80 NOTE The ES communicates to the Internet through the MS Configure on the firewall router between MS and Internet 443 TCP MS to Internet For license...

Page 559: ... the ES and MS occurs on destination port 123 Not configurable Ports used for proxy servers Varies MStoproxyserver The port used for connecting to the proxy server Configure in the NAC 800 user interface System configuration Management server option Proxy server area Proxy server port text field Example 8080 Ports used for LDAP Varies ES to LDAP server When using 802 1X mode with local RADIUS conn...

Page 560: ...0 InDHCPmode whenyourDHCPserver andDomainControllerarebehindNAC 800 you must specify ports 88 135 to 159 389 1025 1026 and 3268 as part of the address If you do not specify a DHCP address users are blocked If youspecifyonlytheIPaddresswithno port endpoints are not quarantined even for failed tests Configure in the NAC 800 user interface Home window System configuration Accessible services 88 TCP 1...

Page 561: ...to only the desired ports InDHCPmode ifyourDHCPserverhas otherservicesbesidesDHCPforwhich you need to allow access be sure to NOT allow port 67 For example add the entries 192 168 1 1 1 66 and 192 168 1 1 68 65535 to open all ports besides 67 Configure in the NAC 800 user interface Home window System configuration Accessible services Example 10 0 16 100 53 Separate multiple endpoint entries with a...

Page 562: ... This page intentionally left blank ...

Page 563: ...F 1 F MS Disaster Recovery Chapter Contents Overview F 2 Installation Requirements F 2 Installing the Standby MS F 2 Ongoing Maintenance F 3 Failover process F 3 ...

Page 564: ...sential elements for recovery of an MS Primary and Standby Management Servers must each have their own unique license keys with equivalent settings number of ESs and endpoints Primary and Standby Management Servers must be assigned an Internet Protocol IP address within the same network so that when the standby MS temporarily assumes the primary MS s IP it is acces sible on the network Installing ...

Page 565: ...s you will need to make changes to the standby license as well For a license without an internetconnection you willneed to contact ProCurve Networking by HP at or for a package to update the license key In normal environments however the license key will update automatically Rule updates must be applied to both the primary and standby MS so they have the same version NAC 800 upgrades must be appli...

Page 566: ...restore to complete 6 Log in to the standby MS Enter the following at the command line service nac ms restart 7 Log in to the UI of the standby MS again at this point all UI users from the primary should be able to log in 8 Navigate to System configuration Management server edit network settings 9 Change the IP address to be that of the old or primary MS See Modifying MS Network Settings on page 3...

Page 567: ...ion that establishes standard interfaces ACS Access Control Server A server that controls access to your system A Cisco access policy control platform AD Active Directory A directory service included with Microsoft Windows Server 2003 that allows administrators to manage end user access to the network ActiveX A Microsoft technology that enables interactive Web content agent An information exchange...

Page 568: ...S server BIOS Basic Input Output System backdoor A disguised or hidden entry point in a software program or system An open backdoor can be intentional for mainte nance use or unintentional If a backdoor is discovered malicious users or software can gain entry and cause damage blacklist A list of devices or endpoints that are denied access to a system or are denied privileges In NAC 800 endpoints a...

Page 569: ...ationProtocol Amethodofassigning IP addresses to endpoints as they connect to the network and releasing them as the endpoints disconnect from the network DHCPallowsadministratorstomanageIPaddressesfromone location rather than at each endpoint DLL Dynamic Link Library A shared library file used in Microsoft systems These files have the DLL extension DMA Direct Memory Access A feature in computers w...

Page 570: ...ple myhost mycompany com HA High Availability A multiple server NAC 800 deployment is mutually supporting Should one server fail other nodes within a cluster will automatically provide coverage for the affected network segment Hotfix Hotfixes are programs that update the software and may include performance enhancements bug fixes security enhancements and so on There is usually only one fix in a h...

Page 571: ...00 where it is placed on the network and all traffic to be quarantined passes through NAC 800 IP Internet protocol A protocol by which data is sent from one computer to another on the Internet IPSec IP security iptables A Linux package used to manage packetfiltering and Network Address Translation NAT ISO image file An image of a CD saved in ISO 9660 standard format IT Information Technology Java ...

Page 572: ...g ESs MS MIB Management Information Base A database used to manage components in a network MMC MultiMediaCard A portable storage device MS Management server multinet A physical network of two or more logical networks NAC Network Admission Control NAC policies In NAC 800 collections of individual tests that evaluate end points attempting to access the network NAC policy group A logical grouping of ...

Page 573: ...for file sharing Many P2P software packages are considered spyware and their use is generally discouraged PDA Personal Digital Assistant A small portable electronic device that includes features normally found on a computer cell phone music player and other functionality ping Packet InterNet Groper A utility used to test the connection to a host post connect Post connect in NAC 800 provides an int...

Page 574: ...r Linux system that has administrator privileges SAM Security Accounts Manager server A computer that provides services to another client shared secret Used for security and integrity purposes to verify RADIUS messages Both the sender and the receiver of the messages must know the shared secret SMB Server Message Block SMS Software Systems Management Server SMTP Simple mail transfer protocol A TCP...

Page 575: ...to access the network SUS Software Update Service TAR Tape ARchive A type of file that contains multiple files and directory structures TCP Transfer Control Protocol temporary access period In NAC 800 a temporary period of time where an end user is allowed access TLS Transport Layer Security UAC User Access Control UDP User Datagram Protocol VLAN Virtual Local Area Network VPN Virtual private netw...

Page 576: ...list of devices or endpoints that are allowed access to a system or are allowed privileges In NAC 800 endpoints and domains that are always allowed access Wi Fi Wireless Fidelity WU Windows Update xml eXtensible Markup Language ...

Page 577: ...ory 11 8 and IAS 11 10 ActiveX 1 8 1 9 testing method 3 111 add 3 63 Cisco CatOS device 3 68 Cisco IOS device 3 66 Enforcement cluster 3 7 Enforcement server 3 12 Enterasys device 3 71 Extreme XOS device 3 75 ExtremeWare device 3 73 Foundry device 3 77 HP ProCurve 3 79 HP ProCurve 420 AP or HP ProCurve 530 AP de vice 3 85 HP ProCurve WESM device 3 82 NAC policy group 6 5 non listed 802 1X device 3...

Page 578: ...2 check for available test updates settings 3 49 CIDR 15 14 clear a temporary state 4 20 client 11 2 communication flow 802 1X 11 4 configuration DHCP 10 4 timeout 1 16 Windows XP Professional firewall 5 23 configure 12 20 non HP switches 11 36 post connect system 3 102 proxy RADIUS requests 11 33 11 36 Windows domain settings 3 55 configure NAC 800 12 20 configuring OpenLDAP settings 3 57 connect...

Page 579: ...Server Plug in Configurations 13 13 end user access screen 15 19 Enforcement cluster 3 9 Enforcement server 3 15 existing NAC policy 6 5 NAC policy 6 13 quarantine area 3 97 test results messages 15 19 user account 3 37 user role 3 42 email notification received by 6 13 notifications 3 118 server 15 13 set up notification 3 119 specifying server 15 13 email notifications disable 3 119 enable 3 118...

Page 580: ...le download to Windows 12 3 F Figure 802 1X Communications 11 6 802 1X Components 11 3 802 1X Enforcement 11 5 802 1X Installation 8 5 Access Control and Endpoint Test Status 4 16 Active Directory Users and Computers 11 31 Active Directory Properties 11 29 Active Directory Store Passwords 11 29 Active Directory User Account Properties 11 32 Activity Monitor 5 41 Add 802 1X Device 3 63 Add 802 1X D...

Page 581: ...nt Server Status 3 20 Error Message 11 18 Example wrapper conf File 12 14 Failed Endpoint 4 14 Failed Endpoint Allow All Mode 4 14 Failed Endpoint Allow All Mode Mouse Over 4 15 Highlighted Fields 4 7 Home Window 1 5 IAP Remote Access Policy Properties 11 20 IAS Connector 11 24 IAS Add Remove Snap in 11 25 IAS Add Remove Snap in Certificates 11 26 IAS Import Certificate 11 27 IAS New Client Additi...

Page 582: ...onfiguration Logging Option 3 127 System Configuration Maintenance 3 107 System Configuration Management Server 3 23 System Configuration Notifications 3 118 System Configuration OpenLDAP 3 58 System Configuration Post connect 3 102 System Configuration Quarantining 3 52 System Configuration Quarantining DHCP 13 8 System Configuration Quarantining DHCP En forcement 3 93 System Configuration Test U...

Page 583: ...P echo requests enable temporarily 15 37 icons viewing 3 14 IDM logging levels set 3 128 ignoring ranges 15 25 immediately grant access to an endpoint 4 19 quarantine an endpoint 4 20 import certificate 11 25 the server s certificate 11 25 inactive set time 6 16 index view pane 1 23 INI file connector 11 27 inline 9 2 install agent 5 31 agent manually 5 34 DHCP plug in 13 4 13 7 Mac OS agent 5 36 ...

Page 584: ... set 6 14 Mozilla supported version D 2 MS failover F 3 MS recover F 3 MS view status 3 22 N NAC policies 6 2 window view 6 2 NAC Policy change to not run Windows automatic update test 15 8 NAC policy add group 6 5 assign domains to 6 14 assign endpoint to 6 14 assign endpoints to 6 14 copy 6 13 create 6 7 create new 6 7 defined 1 10 delete 6 14 disable 6 7 edit 6 5 6 13 enable 6 7 enable disable ...

Page 585: ...ts 1 8 controlled by AP 11 3 to specify for DHCP and DC 3 115 post connect configure 3 102 set up Linux host A 6 set up Windows host A 5 test service A 10 view logs A 9 post connect service firewall open 3 100 posture Checkup 11 27 Healthy 11 27 Infected 11 28 Quarantined 11 28 Unknown 11 28 PPTP 15 18 print file 1 22 topic 1 22 print a report 14 8 private keystore generate new private key public ...

Page 586: ...4 3 Test results by user 14 3 view details 14 6 reports 14 2 converting to MS Word doc 14 10 enable browser pop ups 14 5 reset a database 15 17 ES password 15 22 MS password 15 22 password 15 23 system 15 10 testdata 15 11 user interface password 15 23 restore original database 15 17 system and data 15 16 restrict ping entries specific interface 15 38 retest an endpoint 4 19 set time 6 15 time 6 9...

Page 587: ... 2 static IP addresses 15 20 status access 4 9 Strings py 5 52 Supplicant 11 2 support package downloading 3 109 generate 15 17 supported end user endpoints 5 5 operating systems 7 11 protocols 15 18 VPNs 15 18 switch Cisco 2950 11 49 configure non HP 11 36 Enterasys Matrix 1H582 25 11 50 Extreme Summit 48si 11 51 Foundry Fast Ironedge 2402 11 53 restrict access at 10 5 sample configurations 11 48...

Page 588: ... 1 22 troubleshooting browser settings 15 3 U unmanaged endpoint 5 8 untested endpoint 6 9 7 11 and lease expiration 7 11 update server names 3 115 setting frequency 3 49 tests 15 5 upgrade timeout changing 3 29 upgrades 3 29 user account add 3 31 copy 3 35 delete 3 38 edit 3 37 search 3 34 sort area 3 35 user accounts create Active Directory 11 30 Dial in access Encryption 11 30 user name changin...

Page 589: ... download and extract Zip file A 3 download EXE file 12 3 Group policy 5 22 install 12 4 ME 5 6 Messenger Service 5 45 registry 6 19 Server 2000 2003 5 5 set up post connect A 5 start manually 12 16 Update server 3 115 XP Home 5 5 XP Professional 5 5 windowsupdate com 3 115 WinPcap remove 12 19 X Z XP firewall configuration 5 23 Zip file download and extract to Linux A 3 download and extract to Wi...

Page 590: ... This page intentionally left blank ...

Page 591: ...P The information contained herein is subject to change without notice The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services Nothing herein should be construed as constituting an additional warranty HP will not be liable for technical or editorial errors or omissions contained herein November 2008 Manual Part Numbe...