ProCurve 800, Configuration Manual

Page 1: ...Configuration Guide www procurve com ProCurve Network Access Controller 800 ...

Page 2: ......

Page 3: ...ProCurve Network Access Controller 800 Configuration Guide April 2008 1 0 30398 ...

Page 4: ...use of this material The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services Nothing herein should be construed as constituting an additional warranty HP shall not be liable for technical or editorial errors or omissions contained herein Hewlett Packard assumes no responsibility for the use or reliability of its soft...

Page 5: ...pes 1 8 Choosing the Server Type 1 8 Deployment of One MS and Multiple ESs 1 8 CS Deployment 1 11 Management Server MS 1 12 Enforcement Server ES 1 14 Combination Server CS 1 14 Changing the Server Type 1 15 Enforcement Clusters 1 16 Enforcement Clusters for an MS and ESs 1 16 Enforcement Clusters for a CS 1 16 Endpoint Integrity 1 17 Endpoint Integrity Capabilities of the NAC 800 1 18 NAC Tests 1...

Page 6: ...ts 1 36 How and Where to Deploy the NAC 800 1 38 802 1X Deployment Method RADIUS Server Only 1 43 How and Where to Deploy the NAC 800 1 43 DHCP Deployment Method 1 44 Types of Access Control Provided By the NAC 800 1 45 Two Options for a DHCP Deployment 1 45 How and Where to Deploy the NAC 800 for a DHCP Inline Deployment 1 45 How and Where to Deploy the NAC 800 for a DHCP Plug in Deployment 1 47 ...

Page 7: ...nterface 2 19 Turn the Locator LED On and Off 2 20 View System Information 2 21 Access the Panel LCD Menu 2 22 Navigate the Panel LCD Menu 2 23 Configure Initial Settings with the Panel LCD Menu 2 24 Set the Server Type with the Panel LCD Menu 2 24 Set the IP Address with the Panel LCD Menu 2 26 Test IP Settings Ping with the Panel LCD Menu 2 28 Complete Other Tasks Using the Panel LCD Menu 2 29 R...

Page 8: ...tings 3 3 System Settings Initial Configuration 3 4 Initial Configuration of CS or MS Settings 3 4 Initial Configuration of ES Settings 3 9 Edit System Settings 3 16 Edit System Settings on an MS or a CS 3 16 Edit System Settings on an ES 3 33 Licenses 3 41 Management and Maintenance 3 41 Upgrade the Software 3 41 Create Management Users 3 43 Create User Accounts 3 44 Configure User Roles 3 47 Dig...

Page 9: ...view 4 3 Authentication Protocols 4 4 Dynamic or User Based Settings 4 4 IDM Overview 4 5 Data Store Overview 4 6 Local Database 4 7 AD Windows Domain 4 7 LDAP Server 4 8 Proxy RADIUS Server 4 9 Configure the NAC 800 as a RADIUS Server 4 11 Specify the Quarantine Method 802 1X 4 12 Configure Authentication Settings 4 14 Configure Authentication to the NAC 800 s Local Database 4 14 Configure Authen...

Page 10: ...ng the RADIUS Server Without Identity Driven Manager Contents 5 1 Overview 5 3 RADIUS Overview 5 3 Authentication Protocols 5 4 Dynamic or User Based Settings 5 4 Data Store Overview 5 5 AD Windows Domain 5 5 LDAP Server 5 6 Proxy RADIUS Server 5 6 Configure the NAC 800 as a RADIUS Server 5 8 Specify the Quarantine Method 802 1X 5 8 Configure Authentication Settings 5 10 Configure Authentication t...

Page 11: ...igure Exceptions 6 2 Configure Exceptions for the Cluster Default Settings 6 3 Configure Exceptions for a Particular Cluster 6 5 7 Redundancy and Backup for RADIUS Services Contents 7 1 Redundancy 7 2 Planning Redundancy for RADIUS Only Deployments 7 2 Place the RADIUS Servers 7 3 Provide Duplicate Network Pathways 7 4 Configuring Network Devices for Redundant RADIUS Servers 7 4 Configure the NASs...

Page 12: ...viii A Appendix A Glossary B Appendix B Linux Commands Contents B 1 Common Linux Commands B 2 vi Editor B 4 Command Mode B 4 Insert Mode B 5 keytool B 6 openssl B 9 Service Commands B 12 ...

Page 13: ...rial Number and MAC Address 1 6 Ethernet Ports 1 7 Port 1 1 7 Port 2 1 7 Server Types 1 8 Choosing the Server Type 1 8 Deployment of One MS and Multiple ESs 1 8 CS Deployment 1 11 Management Server MS 1 12 Enforcement Server ES 1 14 Combination Server CS 1 14 Changing the Server Type 1 15 Enforcement Clusters 1 16 Enforcement Clusters for an MS and ESs 1 16 Enforcement Clusters for a CS 1 16 ...

Page 14: ...ment Method 1 34 802 1X Overview 1 34 Types of Access Control Provided by the NAC 800 1 35 802 1X Deployment Method Endpoint Integrity With or Without RADIUS 1 36 How the NAC 800 Quarantines Endpoints 1 36 How and Where to Deploy the NAC 800 1 38 802 1X Deployment Method RADIUS Server Only 1 43 How and Where to Deploy the NAC 800 1 43 DHCP Deployment Method 1 44 Types of Access Control Provided By...

Page 15: ...800 Contents Inline Deployment Method 1 56 Types of Access Control Provided by the NAC 800 1 57 How the NAC 800 Quarantines Endpoints 1 57 Configuring Accessible Services for Inline Method 1 57 How and Where to Deploy the NAC 800 1 58 ...

Page 16: ...compliant Reporting documents endpoints status and test results Authentication acts as a RADIUS server and checks users credentials Post connect NAC testing supports additional testing by other secu rity software such as an Intrusion Detection System IDS Intrusion Pre vention System IPS You will learn about all of these capabilities in this overview chapter The remainder of this management and con...

Page 17: ...ess These include LEDs Console port Panel LCD Panel buttons USB port which will be supported in future software releases Serial number and MAC address Two Ethernet ports Figure 1 1 NAC 800 Front Panel LEDs The NAC 800 has three LEDs on its left front panel Power LED glows green when the device is powered on Fault LED blinks orange to indicate a problem with the device Locator LED glows blue when y...

Page 18: ... and Buttons The NAC 800 s front panel features an LCD which initially displays this information Server type for example Combination Server IP address In addition the panel has six buttons which you use to interact with the LCD Four arrow buttons left right up and down An accept button a checkmark A cancel button an X You can press the accept button to access the panel LCD menu interface and compl...

Page 19: ...e of each port which differs according to the device s deployment method See Deployment Methods on page 1 33 Port 1 Port 1 is the port with the NAC 800 s IP address generally this port connects to the network to which the NAC 800 controls access The following communications are transmitted and received on port 1 Management traffic HTTPS traffic to the NAC 800 s Web browser interface SSH traffic RA...

Page 20: ...An enforcement cluster of multiple NAC 800s answers the needs of a network with more users A enforcement cluster consists of a single MS and multiple ESs recommended between two and five See Enforcement Clusters on page 1 16 for a more detailed definition of a cluster Neither an MS nor an ES can function on its own The MS co ordinates settings forallclustersinasystemwhiletheESstestendpointintegrit...

Page 21: ...compliant endpoints as well as where ESs are deployed Deploy ment Methods on page 1 33 discusses the quarantine methods in more detail Your network might require multiple quarantine methods and so multiple clusters because particular methods are better suited for controlling partic ular types of access In all of its clusters together the MS should support no more than 10 ESs Figure 1 3 illustrates...

Page 22: ... ES For example a network might require one NAC 800 to enforce endpoint integrity on 2000 Ethernet endpoints and one NAC 800 to enforce endpoint integrity on 700 remote endpoints It is recommended that you use one MS and two ESs for such an environment rather than two CSs for two reasons The MS helps you to co ordinate NAC policies and other settings The cluster deployment allows your NAC 800s to ...

Page 23: ...twork requires integrity testing for under 3000 endpoints Your NAC 800 functions as a RADIUS server only and does not test endpoint integrity A RADIUS only NAC 800 can support more than 3000 endpoints The precise number varies of course depending on your environment For example do all users log in at roughly the same time or do they log in at various times throughout the day How often do network i...

Page 24: ...hould also read more about enforcement clusters in Enforcement Clusters on page 1 16 Management Server MS The MS manages settings for your NAC 800s on a system wide level You choose one NAC 800 to act as the MS set all other NAC 800s to be ES and add the ESs to the MS s configuration For the best performance an MS should support no more than 10 ESs and no more than 5 ESs in a single cluster The MS...

Page 25: ...t of tests that the ESs run on endpoints as well as other properties related to those tests Post connect testing The MS stores the settings for any post connect services such as an IDS IPS that you define The MS also receives testing results and log information from the post connect services The MS stores these settings and configures them on its ESs Individual ES settings IP address Hostname Root...

Page 26: ...d settings Endpoint integrity licenses Connection to the Internet Clock The CS can use its internal clock or act as a Network Time Protocol NTP client and receive its clock from an NTP server Software upgrades The CS downloads new software and upgrade itself Test updates The CS if properly licensed automatically checks for and downloads test updates at the frequency you specify NAC policies The CS...

Page 27: ...er interface you can Track Detected endpoints Endpoint activity Endpoints access control status Endpoints test status Change endpoints access control status Generate reports Changing the Server Type You can change your device s server type at any time However changing the type causestheNAC800toresettoitsfactorydefaultsettings keepingonlyits IP address Hostname Default gateway DNS server NTP server...

Page 28: ...ncy each ES testing up to 5000 endpoints should one of its fellow ESs fail The following settings are configured per cluster Quarantine method Testing methods Accessible services for quarantined endpoints Exceptions domains and endpoints that are not tested Notifications the email address of the administrator informed when endpoints fail tests End user windows which users see as they are tested Ag...

Page 29: ...loyee returns the infected laptop to work Users intentionally or intentionally accept unsafe traffic over the Internet For example a user might choose to download a trojan which is a seemingly innocent application actually intended to cause harm Users fail to keep their stations updated with patches leaving them exposed to malware Users lower their browser s security settings so that they can visi...

Page 30: ... to reach accessible services which help in remediation The following sections describe the components of the endpoint integrity solution in more detail NAC Tests The NAC 800 supports many different tests each test checks for a particular setting or component on an endpoint For example the Windows XP hotfixes test checks the patches and updates installed on a Windows XP station And the IE Internet...

Page 31: ...l of security for various zones Internet sites local sites trusted sites and untrusted sites The NAC 800 scans Internet Explorer IE settings only NAC Test Properties All NAC tests have properties which are the criteria that an endpoint must meet to pass the test For example the required software test checks the software installed on the endpoint The required software test properties consist of a l...

Page 32: ...nes the endpoint either Immediately After a temporary access period configurable in length You choose the actions for each test For example the NAC 800 might immediately quarantine an endpoint with a virus but grant temporary access to an endpoint that needs updated patches And it might only send a notifica tion email if the endpoint has prohibited software NAC Policies On the ProCurve NAC 800 NAC...

Page 33: ... Home Windows Server 2000 or 2003 By default endpoints that cannot be tested are quarantined However you can choose to grant access to the untestable endpoints Untestable endpoints fall into these categories and you set the policy for handling the endpoints per category Windows 95 or ME Windows 98 Windows NT Unix Any other OS including Linux N ot e Consider the security implications of granting an...

Page 34: ...he security device can send a request to the NAC 800 which will then quarantine the endpoint The retest frequency determines how often the NAC 800 implements post connect integrity checks The higher the frequency the greater the secu rity although of course integrity checks add some overhead to network traffic The quarantining method about which you will learn more later affects post connect testi...

Page 35: ...of Tests In each NAC policy you choose which tests are enforced Test properties and actions are configurable per policy That is you can create one list of required software in NAC policy A but a different list in policy B And you could de activate the required software test entirely in policy C In addition the penalty for failing the test could be immediate quarantining in policy A but temporary a...

Page 36: ...t respond To converse in this way both the NAC 800 and the endpoint need compatible mechanisms in place One mechanism that allows an endpoint to respond to the NAC 800 s tests is called an agent the agent must be installed on the endpoint prior to the test Agents fall into two general categories Permanent agents once installed remain on the endpoint permanently Transient agents install on the endp...

Page 37: ...s the agent to the endpoint automatically The user sees the window in Figure 1 6 and unless he or she cancels the installation the agent is installed permanently The automatic installation uses ActiveX Figure 1 6 InstallShield Wizard for the NAC EI Agent Manually You can instruct users to access the NAC 800 and download the NAC EI agent manually The NAC 800 makes the agent available at this URL ht...

Page 38: ...000 or higher Once installed the NAC agent allows the NAC 800 to test the endpoint in the background at any time In addition the NAC agent automatically receives updates from the NAC 800 Finally the NAC 800 can test an endpoint through its firewall generally opening the necessary ports automatically However the NAC agent does require the initial setup and user interaction described above ActiveX W...

Page 39: ...dpoint If a user closes IE after his or her endpoint has gained access the NAC 800 cannot retest the endpoint The user can continue to connect to the network even if the endpoint becomes non compliant for as long as IE is closed Agentless RPC was designed to provide a flexible framework for a variety of communi cations between remote devices The NAC 800 uses RPC to run endpoint integrity checks on...

Page 40: ...addition the testing can occur from beginning to end without user interaction However you must ensure that the endpoints meet the requirements listed above and you must know the correct agentless credentials For these rea sons agentless testing works best on managed endpoints that are members of your domain Endpoint Integrity Posture As the NAC 800 tests an endpoint it assigns it an endpoint integ...

Page 41: ...e a single testing session with this policy On a typical LAN the testing process would typically take between 5 and 10 seconds Post Connect Testing Integrity checking ensures that endpoints adhere to your company s security policy before they are allowed onto the network To protect your network however security cannot stop there For example some of the users who are granted access to your network ...

Page 42: ...rvers NASs and RADIUS servers The NASs are the points of access for endpoints for example switch ports or wireless access points APs When an end user attempts to connect to a NAS the NAS sends an authentication request to its authentication RADIUS server The RADIUS server Verifies the end user s identity Decides Whether the user can connect Which rights to grant the user Communicates its decisions...

Page 43: ...HAPv2 Transport Layer Security TLS Tunneled TLS TTLS with Message Digest 5 MD5 Generic Token Card GTC Lightweight EAP LEAP Granting users rights as follows Assigning users to a VLAN based on their endpoint integrity posture Logging activity The NAC 800 logs RADIUS events to this file var log radius radius log By default the file stores a week s worth of logs Every month the NAC creates a new log f...

Page 44: ...s listed in the section above with these additions Authenticating users against an easily managed local database Granting users rights as follows Assigning dynamic settings based on identity access time access location and endpoint integrity posture Dynamic settings include VLAN assignment ACLs which control access to network resources Rate limit Logging activity to a centralized location and easi...

Page 45: ...esting to a network that already enforces authentication and access control Or the NAC 800 can test for endpoint integrity in a network with fewer capabilities and an older infrastructure You must consider all of these factors which type of access control you desire for which users in a network with which capabilities as youdetermine how and where to deploy your NAC 800s Deployment methods are als...

Page 46: ...certificate Authenticator The access point or the port to which the endpoint connects The authenticator can be a switch an AP or a Wireless Edge Services Module The port is a switch port or an 802 11 association with a wireless station The authenticator is responsible for enforcing all access decisions opening and closing the port as well as customizing the port with dynamic settings such as VLAN ...

Page 47: ...s a traditional RADIUS server Endpoint integrity only The NAC 800 integrates with a Microsoft Internet Authentication Service IAS server The IAS server provides authentication and the NAC 800 provides endpoint integrity testing N ot e IAS is the only option for a system that uses the NAC 800 for endpoint integrity only If your network already includes a non IAS RADIUS server however you can config...

Page 48: ...al Authentication After the endpoint completes the traditional first phase of 802 1X authentication it has the Unknown posture The NAC 800 places it in a guest or test VLAN which is If you are using IDM recommended the VLAN associated with the Unknown status via a access policy group rule If you are not using IDM the VLAN associated with the Unknown posture in the etc raddb SAFreeRadiusConnector c...

Page 49: ...ing IDM recommended the VLAN associated with the Fail or Infected status via a policy group rule If you are not using IDM the VLAN associated with the Quarantine or Infected posture in the etc raddb SAFreeRadiusConnector conf file SAIASConnector ini file if using the IAS plug in N ot e If you desire you can place infected endpoints in a separate VLAN from other quarantined endpoints As for the gue...

Page 50: ...eploy the NAC 800 One of the advantages of 802 1X is that although access control decisions are made at certain centralized points enforcement occurs at the edge In other words you can install the NAC 800 anywhere in your network It needs connectivity with the endpoints it must detect them but it does not need to stand between them and the production network the authenticators do that To properly ...

Page 51: ...rastructure switch If you are using a cluster deployment only one ES in the 802 1X enforcement cluster needs to receive mirrored DHCP traffic However you should mirror traffic to two ESs for the sake of redundancy Deploy a NAC 800 That Provides RADIUS and Endpoint Integrity Services Take these steps to deploy a NAC 800 that provides RADIUS services as well as endpoint integrity checking 1 Install ...

Page 52: ... of Chapter 4 Configuring the RADIUS Server Integrated with ProCurve Identity Driven Manager Proxy RADIUS server Add the NAC 800 to the proxy server s client list Set up the NAC 800 as described in Configure Authentication to a Proxy RADIUS Server on page 4 30 of Chapter 4 Configuring the RADIUS Server Integrated with ProCurve Identity Driven Manager or Configure Authentication to a Proxy RADIUS S...

Page 53: ... Fail and Infected postures to the profile with the appropriate VLAN assignment See the ProCurve Identity Driven Manager Users Guide If you are not using IDM set the VLAN IDs in the etc raddb SAFreeRadiusConnector conf file on the NAC 800 b Ifthe VLANs selected for untested or failed endpoints do not yet exist create them on network infrastructure devices such as routers and switches Apply ACLs to...

Page 54: ...Series see the Management and Configuration Guide for the ProCurve Series 3500yl 6200yl and 5400zl Switches 4 Set up the IAS server to work with the NAC 800 a Download two files from http www procurve com nactools SAIASConnector ini SAIASConnector dll b Install these files on the IAS server c Modify the SAIASConnector ini file to include the correct VLAN assignments for various endpoint integrity ...

Page 55: ...ectory Then it informs the NAS whether the endpoint can connect If you use IDM to manage the NAC 800 the NAC 800 can also factor access time and location into its decisions as well as send dynamic VLAN assign ments ACLs and rate limits How and Where to Deploy the NAC 800 For thisdeploymentmethod you place the NAC800asyou would anyRADIUS server NASs throughout the network will need to contact the N...

Page 56: ... Chapter 5 Configuring the RADIUS Server Without Identity Driven Manager Active Directory AD OpenLDAP or eDirectory In the NAC 800 s Web browser interface bind it to the directory If using IDM see Configure Authentication to a Windows Domain on page 4 16 or ConfigureAuthenticationtoanLDAPServer on page 4 20 of Chapter 4 Configuring the RADIUS Server Integrated with ProCurve Identity Driven Manager...

Page 57: ...as multiple DHCP servers but they are on the same subnet and can be connected to the same switch You can use the DHCP plug in deployment method if you have multiple Windows 2003 DHCP servers that are attached to different switches located on different subnets than the NAC 800 How and Where to Deploy the NAC 800 for a DHCP Inline Deployment For this DHCP deployment method the NAC 800 must stand bet...

Page 58: ...vers to the same switch You then connect the NAC 800 s port 2 to that switch as well Do not connect any other devices to the switch as those devices could then circumvent the NAC 800 As shown in Figure 1 12 the NAC 800 s port 1 connects to a switch that links it to the rest of the network Figure 1 12 DHCP Inline Deployment Single NAC 800 and Multiple DHCP Servers That Are Attached to the Same Swit...

Page 59: ...S shares information with the other ESs which can test the endpoints from anywhere in the network However to provide redundancy at least two ESs should be able to intercept the DHCP traffic How and Where to Deploy the NAC 800 for a DHCP Plug in Deployment Unlike a DHCP inline deployment the DHCP plug in deployment does not require the NAC 800 to be placed between the network and the Windows 2003 D...

Page 60: ...n endpoint connects to a network it typically sends a DHCP request for a valid IP address for itself the IP address of its default gateway and DNS server and all the other configurations necessary for full connectivity The way the NAC 800 detects these communications varies depending on if you are using a DHCP inline deployment or a DHCP plug in deployment DHCP Inline Deployment The NAC 800 stands...

Page 61: ...vailable for endpoints within that subnet Default router for the quarantine subnet The NAC 800 automatically specifies itself as the DNS server Because the endpoints do not have valid IP addresses in a production subnet they cannot truly connect to the production network However you must take additional steps to limit network access in the quarantine subnet as described in the following section Ac...

Page 62: ...l continue to try to contact that server at regular intervals not stopping until it either reaches the DHCP server or you remove that DHCP server s information from the NAC 800 s configuration settings If a DHCP server cannot communicate with the NAC 800 the DHCP server activates the failover parameters that you have configured It either allows all traffic or denies all traffic To enable the DHCP ...

Page 63: ...t giving the endpoint an IP address in the quarantine network If at any time the DHCP server loses its connection with the NAC 800 server the DHCP server discards the existing ACL When the connection to the NAC 800 is re established the NAC 800 resends the entire ACL to the DHCP server For informationaboutconfiguring theDHCPplug indeploymentmethod see Chapter 13 DHCP Plug in of the ProCurve Networ...

Page 64: ...ate patches and so forth Adding another service is also easy simply add it to the list in the Home System configuration Accessible services window See Chapter3 System Configuration ofthe ProCurve Network Access Controller 800 Users Guide Designing the Quarantine Subnet As you should now understand the quarantine subnet is a special subnet that is tightly controlled and separated from production su...

Page 65: ... of the router in the associated production subnet It does not matter that this IP address is outside the range of the quarantine subnet because in actual fact the network infrastructure considers the quarantine subnet to be part of the production subnet You will set the non quarantine subnet for each quarantine area as the portion of the associated production VLAN that is already in use All healt...

Page 66: ... you actually add the quarantine subnets to your network design You might choose this option when most of the IP addresses in your production subnets are already in use For example your network might include two Class C subnets each with 250 users 192 168 8 0 24 192 168 12 0 24 For each existing Class C subnet you will add new Class C subnet for the quarantine subnet On the NAC 800 you set up two ...

Page 67: ...d the DHCP server can continue to use its existing scopes As always remember to apply the appropriate ACLs to VLANs on infrastruc ture devices if you have selected the ACL option for access control Setting up Helper Addresses If your network includes multiple VLANs its infrastructure devices probably already use helper addresses to forward DHCP requests from endpoints on one VLAN to a server on an...

Page 68: ...heVPNgatewaydevice at the production network Checking the integrity of the remote endpoints is particularly important as they are otherwise beyond your control A WAN A WAN is network that connects several sites over private connections such as T1 or E1 cable or ADSL lines For example branch offices might connect to a company headquarters For whatever reason you might want to test the integrity of ...

Page 69: ...w the NAC 800 Quarantines Endpoints With inline quarantining the NAC 800 acts as a Layer 2 bridge that imposes a firewall between its two ports The NAC 800 does not forward traffic received on port 2 out port 1 unless the source endpoint has the Healthy or Check up posture Anditdoesnotforwardtraffic from port1 to quarantined or unknown endpoints In other words endpoints on the port 2 side of the N...

Page 70: ...design differs according to the way endpoints access the network VPN Endpoints Remote Users Figure 1 15 shows a typical design for deploying a NAC 800 to control remote endpoints that connect through a VPN You connect port 2 of the NAC 800 directly to the gateway device You connect the NAC 800 s port 1 to the rest of the network typically a core switch Figure 1 15 Inline Deployment VPN With a Sing...

Page 71: ...to prevent broadcast storms Figure 1 16 shows a sample design for a cluster of inline ESs Figure 1 16 Inline Deployment VPN with a Cluster of NAC 800s WAN Endpoints Users at a Remote Site This scenario is somewhat similar to that of a VPN However instead of connecting to your network over a VPN tunnel and a public network users connect over a private WAN connection You deploy the NAC 800 in a simi...

Page 72: ...ess endpoints that connect through an AP simply deploy the NAC 800 as described in the previous sections with the AP in the place of the VPN gateway or the WAN router Or connect several APs to a switch and then place the NAC 800 between that switch and the rest of the network Make sure that the APs forward all traffic into the network in the same VLAN See Figure 1 18 Figure 1 18 Inline Deployment ...

Page 73: ...he wireless network should be on the same VLAN as the wired endpoints You can test the integrity of the wired endpoints or you can except them from testing as you choose See Figure 1 19 Figure 1 19 Inline Deployment Wireless Network Wireless Edge Services Module N ot e The RPs can be installed anywhere in the network They encapsulate all wirelesstraffic and forward it to the Wireless Edge Services...

Page 74: ...1 62 Overview of the ProCurve NAC 800 Deployment Methods ...

Page 75: ... with the Menu Interface 2 12 Test IP Settings Ping 2 13 Change the Password to the Menu Interface 2 15 Complete Other Tasks in the Menu Interface 2 17 Reboot the NAC 800 in the Menu Interface 2 18 Shut Down the NAC 800 in the Menu Interface 2 19 Turn the Locator LED On and Off 2 20 View System Information 2 21 Access the Panel LCD Menu 2 22 Navigate the Panel LCD Menu 2 23 Configure Initial Setti...

Page 76: ...ace 2 37 Requirements on the NAC 800 2 37 Requirements on the Management Station 2 38 Steps for Accessing the Web Browser Interface 2 39 Navigate the Web Browser Interface 2 39 Home Window 2 39 Common Features in Web Browser Interface Windows 2 44 Following Instructions to Navigate the Web Browser Interface 2 46 ProCurve Manager PCM Plus 2 48 Enable PCM Plus to Detect the NAC 800 2 48 Capabilities...

Page 77: ...nagement options A menu interface Panel LCD and buttons Root access to the OS ProCurve Identity Driven Manager IDM when the ES acts as a Remote Authentication Dial In User Service RADIUS server in an 802 1X deploy ment You can manage an MS or a CS with any of these options A menu interface Panel LCD and buttons A Web browser interface also called a Graphical User Interface GUI Root access to the O...

Page 78: ...these chapters also explain how to complete some tasks by logging in to the OS root when necessary In addition in Chapter 4 Configuring the RADIUS Server Integrated with ProCurve Identity Driven Manager you will learn about integrating the NAC 800 s RADIUS server with IDM IDM is required to configure certain RADIUS capabilities on the NAC 800 and it simplifies the configuration of other RADIUS cap...

Page 79: ...agement options serve to Ready the NAC 800 for management through another option Shut down and reboot the NAC 800 Access the Menu Interface You can access the menu interface in two ways Console session requires physical access to the ProCurve NAC 800 Secure Shell SSH session requires a reachable IP address on the NAC 800 Console Session Follow these steps to access the menu interface through a con...

Page 80: ...600 Bits 8 Stop rate 1 Parity None Flow control None For the Windows Terminal program disable uncheck the Use Function Arrow and Ctrl Keys for Windows option For the Hilgraeve HyperTerminal program select the Terminal keys option for the Function arrow and ctrl keys act as parameter 4 When prompted for your username enter admin 5 When prompted enter your password default procurve You should now se...

Page 81: ...not initially have a default gateway Unless you can reach the default IP address you must set the NAC 800 s IP address using either a console session or the panel LCD before you can open the SSH session See Configure Initial Settings with the Menu Interface on page 2 9 or Configure Initial Settings with the Panel LCD Menu on page 2 24 2 When prompted for your username enter admin 3 When prompted e...

Page 82: ...owing instructions on the other hand indicate that you should type in the indicated string and then press Enter Enter string Instructions for using the menu interface include figures The figure caption lists the options that you must select to reach the illustrated window from the Application Main Menu For example Figure 2 5 shows the Server Type window To reach this window you must press 1 twice ...

Page 83: ... 800 through the Web browser interface you must configure some initial settings including server type and IP settings You should also immediately change the menu password to secure access to the device The menu interface is one option for configuring these settings Before completing the instructions in the sections below access the menu interface as described in Access the Menu Interface on page 2...

Page 84: ...tem DNS server Network Time Protocol NTP server and time zone N o t e An exception is when you change the server type from MS to ES in which case all settings are erased Setting the server type always resets the NAC 800 s configuration even if you set it to the device s current type In fact setting the server type is an easy way to return to factory default settings but keep your current IP settin...

Page 85: ...he server s type CS MS or ES Press 1 for Combination Server if your NAC 800 is a stand alone device This is the typical choice for a NAC 800 that functions only as a RADIUS server If your NAC 800 is part of a cluster deployment see Chapter 1 Overview of the ProCurve NAC 800 for more information choose either MS or ES On one NAC 800 press 2 for Management Server On the other NAC 800s press 3 for En...

Page 86: ... Configuration menu Main Menu 1 Configuration Figure 2 10 Application Main Menu 1 Configuration 2 Press 2 for IP Configuration Figure 2 11 Application Main Menu 1 Configuration 2 IP Configuration 3 The window displays the NAC 800 s current settings Enter the new IP address or press Enter to accept the current address For example 10 1 1 20 Figure 2 12 Application Main Menu 1 Configuration 2 IP Conf...

Page 87: ...he default Otherwise enter the correct IP address For example 10 1 1 2 6 When asked to confirm the settings check them and if they are correct press y and press Enter Test IP Settings Ping After you set the IP address you should verify connectivity by pinging The NAC 800 s default gateway Your management station The NAC 800 s DNS server Several IP addresses for Network Access Servers NASs such as ...

Page 88: ...3 Application Main Menu 2 Press 2 for Diagnostics Figure 2 14 Application Main Menu 2 Diagnostics 3 Press 1 for Ping test 4 Enter the IP address to which you want to confirm connectivity Or press Enter to ping the default gateway Figure 2 15 Application Main Menu 2 Diagnostics 3 Ping Test ...

Page 89: ...p the ping test at any time however by pressing Ctrl c 6 When you have finished looking at the results press Enter to continue configuring the device Change the Password to the Menu Interface The username with which you access the menu interface is admin and the default password is procurve To protect access to your NAC 800 s menu interface you should always change the password Follow these steps ...

Page 90: ...iguration 2 Press 3 for Change Password Figure 2 18 Main Menu 1 Configuration 3 Change Password 3 Enter y to confirm that you want to change the password 4 Enter a password 8 characters or longer The password can include alphanumeric and special characters but does not have specific complex ity requirements ...

Page 91: ...st 8 characters Mixed letters and numbers Therefore if you plan to use the same password to access the menu interface and the Web browser interface the password created in step 4 must include a mix of letters and numbers 5 When prompted re enter the same password Figure 2 19 Application Main Menu 6 Press Enter Complete Other Tasks in the Menu Interface Besides configuring initial settings as descr...

Page 92: ...u update its software N ot e You do not need to worry about saving your configurations because the NAC 800 OS automatically saves configurations to its startup config as they are made However you should periodically back up your system as explained in Chapter 7 Redundancy and Backup for RADIUS Services Follow these steps to reboot the NAC 800 1 Press 0 until you reach the Application Main Menu Fig...

Page 93: ... You can restart the NAC 800 by removing and then restoring power N ot e You do not need to worry about saving your configurations because the NAC 800 OS automatically saves configurations to its startup config as they are made However you should periodically backup your system as explained in Chapter 7 Redundancy and Backup for RADIUS Services Follow these steps to shut down the NAC 800 1 Press 0...

Page 94: ...ng many devices For example you may be configuring a NAC 800 through a remote SSH session You decide that you need to access the device physically so you turn on the locator LED to quickly find the correct device The locator LEDismostuseful ifyou generally keep itoff on alldevices which it is by default Then when you turn it on for a particular device you are sure that you are seeing the LED of th...

Page 95: ...o turn the LED off or 1 to turn it on 4 Press Enter to continue configuring the device View System Information You can view the following information about the NAC 800 in the menu interface Server type Software version Date of last update of the software Operating system version Hardware ID serial number Time zone Follow these steps 1 In the main menu press 1 for Configuration ...

Page 96: ...ss Enter when you are finished viewing the information Access the Panel LCD Menu The panel LCD is located on the front of the ProCurve NAC 800 To use the LCD menu you must of course have physical access to the device In addition to the LCD the panel includes six buttons Four arrow buttons left right up and down An accept button a checkmark A cancel button an X You use these buttons to interact wit...

Page 97: ...lowing information Server type for example Combination Server IP address Figure 2 28 Panel LCD Press the accept button to make LCD display the menu interface Navigate the Panel LCD Menu ThearchitectureofthepanelLCDmenuissimilartothatofthemenuinterface See Figure 2 29 Figure 2 29 Panel LCD Menu Interface Architecture ...

Page 98: ...tings with the Panel LCD Menu Before you can configure your NAC 800 through the Web browser interface you must configure some initial settings including server type and IP settings The panel LCD menu is one option for configuring these settings N ot e Even if you choose to configure initial settings through the panel LCD menu you should access the menu interface and change the menu password Other ...

Page 99: ...e 2 31 Panel LCD Menu Configuration 3 Select Server Type Figure 2 32 Panel LCD Menu Configuration 4 Choose the server s type CS MS or ES Select Combination Server if your NAC 800 is a stand alone device This is the typical choice for a NAC 800 that functions only as a RADIUS server If your NAC 800s are part of a cluster deployment see Chapter 1 Over view of the ProCurve NAC 800 for more informatio...

Page 100: ...ess the main menu Figure 2 33 Panel LCD Menu Configuration 2 Select IP Address Port 1 Figure 2 34 Panel LCD Menu Configuration IP Address Port 1 3 Set the NAC 800 s IP address An IP address includes of course twelve digits Use the left and right arrow buttons to move the cursor from digit to digit Then use the up and down arrow buttons to alter the selected digit Note that the NAC 800 treats each ...

Page 101: ...ask for the NAC 800 s subnet Use the arrow buttons to alter the subnet mask For a list of the masks that correspond to subnets of various lengths see Entering Networks Using CIDR Format in Chapter 15 System Administration of the Pro Curve Network Access Controller 800 Users Guide Press the accept button when you are finished You can accept the default mask by immediately pressing the accept button...

Page 102: ...x the problem N ot e IP settings can be valid while still incorrect for your environment Always check connectivity with the ping test Test IP Settings Ping with the Panel LCD Menu After you set the IP address you should verify connectivity by pinging The NAC 800 s default gateway Your management station The NAC 800 s DNS server Several IP addresses for NASs such as edge switches and wireless APs N...

Page 103: ...git Note that the NAC 800 treats each set of three digits as a single number For example if the first three digits currently display 009 and with your cursor at the third digit you press the up arrow button the digits then display 010 When you are finished press the accept button 4 The results of the ping are displayed Figure 2 40 Press the left arrow button to continue configuring the device Comp...

Page 104: ...rry about saving your configurations because the NAC 800 OS automatically saves configurations to its startup config as they are made However you should periodically backup your system as explained in Chapter 7 Redundancy and Backup for RADIUS Services Follow these steps to reboot the NAC 800 1 Access the main LCD menu Press the accept button to access the main menu initially press the cancel butt...

Page 105: ...ted N ot e You do not need to worry about saving your configurations because the NAC 800 OS automatically saves configurations to its startup config as they are made However you should periodically backup your system as explained in Chapter 7 Redundancy and Backup for RADIUS Services You can restart the NAC 800 by removing and then restoring power Follow these steps to shut down the NAC 800 1 Acce...

Page 106: ...ettings By default the NAC 800 sets the speed and duplex settings for its ports automatically based on the other end of the connection Both port 1 and port 2 support these speeds 1000 Mbps 100 Mbps 10 Mbps The ports can also act in full duplex send and receive data at the same time or in half duplex only send or receive data at any moment However if you select 1000 Mbps full duplex is the only opt...

Page 107: ...ttings manually follow these steps 1 Access the menu If the panel currently shows the NAC 800 s server type and IP address press the accept button Figure 2 47 Panel LCD Menu 2 Select Configuration Figure 2 48 Panel LCD Menu Configuration 3 Select Ports Speed Duplex Figure 2 49 Panel LCD Menu Configuration Ports Speed Duplex 4 Select Port 1 or Port 2 ...

Page 108: ...rface and Panel LCD Figure 2 50 Panel LCD Menu Configuration Ports Speed Duplex Port 1 5 The default setting is Auto All combinations of speed and duplex options are displayed below Scroll through the list and press the accept button to select the one you want ...

Page 109: ...en prompted for the password enter the root password default procurve Navigate the OS just as you would any Linux OS The NAC 800 features many common Linux applications such as VI which allows you to edit configuration files See Appendix B Appendix B Linux Commands When thisguide instructs youto enter a command from the root the command will be denoted by this text Syntax This guide uses the follo...

Page 110: ...ements Bold typeface is used for simulations of actual keys For example the Y key appears as y For example The actual command that you enter might be keytool certreq alias mykey file myrequest der keystore usr local nac compliance keystore Syntax keytool certreq alias keyname file filename keystore usr local nac compliance keystore ...

Page 111: ...ve Network Access Controller 800 Users Guide Access the Web Browser Interface The NAC 800 includes an HTTPS not HTTP server on which it can run a Web browser interface N ot e HTTPS a protocol similar to HTTP encrypts communications to increase security In addition HTTPS requires the Web server in this case the NAC 800 to authenticate itself with a digital certificate Requirements on the NAC 800 To...

Page 112: ...agement station It requires network connectivity and one of the following Web browsers On a Windows station Mozilla version 1 7 Mozilla Firefox version 1 5 or later Internet Explorer 7 0 On a Linux station Mozilla version 1 7 Mozilla Firefox version 1 5 or later The Web browser must implement the following settings Pop up windows allowed allows you to run reports N ot e Reports do not apply to RAD...

Page 113: ...rve NAC 800 4 You connect to the NAC 800 s Web browser interface The first time that you access the Web browser interface you must complete some basic setup For instructions see Initial Configuration of CS or MS Settings on page 3 4 of Chapter 3 Initial Setup of the ProCurve NAC 800 The next time that you access the Web browser interface you must log in with the Administrator username and password...

Page 114: ...ndow N ot e Subsequent figures in the management and configuration guide will not show the top area This area displays the name of the device Network Access Controller 800 To the right is the name of the user account with which you logged in The user account determines the privileges you have to the Web browser interface See Create Management Users on page 3 43 of Chapter 3 Initial Setup of the Pr...

Page 115: ...ton to delete an alert N ot e A NAC 800 that acts as a RADIUS server only does not require a license so you will often see the warnings at the top of the window telling you that the licenses have expired Simply ignore these warnings Left Navigation Bar The left navigation bar includes the following options Endpoint activity NAC policies Post connect System monitor Reports System configuration N ot...

Page 116: ...n groups Assign enforcement clusters to groups Configure NAC policies Choose which endpoint tests are enforced Configure test properties criteria for passing Set action taken against endpoints that fail Chapter 6 NAC Policies in the ProCurve Network Access Controller800Users Guide Post connect Launch the system you are using to perform additional testing on endpoint devices Establish communication...

Page 117: ...work Access Controller800Users Guide Reports Run reports on NAC policy results Connected endpoints and their test status Test results and the endpoints that passed or failed Chapter 14 Reports in the ProCurve Network Access Controller800Users Guide System configuration RADIUS only tasks Manage enforcement clusters Configure MS and ES settings Configure RADIUS settings Create exceptions for endpoin...

Page 118: ...etailed information on the NAC 800 s or ESs status Common Features in Web Browser Interface Windows Every window in the Web browser interface has certain features The top right corner features two links Support Click to access the ProCurve Networking Web site and download documentation read FAQs and submit questions to sup port Your NAC 800 must of course be able to reach the Internet Logout Click...

Page 119: ...ation windows feature two buttons at both the top and bottom ok Click to Apply the configurations in this window the settings begin to take effect Save the configurations the settings are preserved when the power is shut down Exit to the Home window cancel Click to Reject changes to configurations in this window Exit to the Home window ...

Page 120: ...lar to that field move your cursor over this button for specific information about valid values for that field Following Instructions to Navigate the Web Browser Interface The instructions in this management and configuration guide will often include steps such as these Select Home System configuration Quarantining Access the Home System configuration Enforcement clusters servers window Both steps...

Page 121: ...erface Another step if present is typically a menu option on the left side of the second level window For example Figure 2 53 shows the Home System configuration Enforcement clusters servers window System con figuration is the second level window and Enforcement clusters serv ers is the menu option in that window ...

Page 122: ... Protocol SNMP community name on the NAC 800 to match the community name on PCM Plus a Select Home System configuration Management server b In the SNMP settings area check the Enable SNMP box c In the Read community string field enter the name of your PCM server s SNMPv1 v2 read only community Valid characters for the field include letters numbers hyphens and underscores N ot e The NAC 800 does no...

Page 123: ...ition you can click the NAC Home tab and access the NAC 800 s Web browser interface The first time that you do so you must enter the username and password for a management user on the NAC 800 PCM Plus saves this information so that you do not have to enter it again N ot e You can change the username and password by following these steps 1 Select Tools Preferences 2 Select Identity Management 3 Ent...

Page 124: ...eg rity IDM can manage and configure settings on that device just as on other servers To manage a NAC 800 IDM must run version 2 2 auto update 2 Enable IDM to Detect the NAC 800 When PCM Plus detects a NAC 800 IDM automatically detects the NAC 800 as long as these additional conditions are met 1 The NAC 800 has client server permissions to the PCM Plus server Follow these steps a On the PCM Plus s...

Page 125: ... s IP address is specified in the NAC 800 s 802 1X quaran tining settings Follow these steps a Access the NAC 800 s Web browser interface b If you have a multiple NAC 800 deployment MS and multiple ESs choose the cluster that includes the RADIUS server ESs For a CS the default and only cluster Cluster 1 is automatically selected c In the Quarantine method area select 802 1X ...

Page 126: ...a cluster for RADIUS services only the access mode does not matter because the NAC 800 does not enforce quaran tining However you should disable testing as explained in Chapter 6 Disabling Endpoint Integrity Testing e In the Basic 802 1X settings area and the IDM server IP address field enter the IP address of the server that runs PCM Plus with IDM ...

Page 127: ...d times of access Valid access locations Dynamic VLAN assignments access control lists ACLs and rate limits Easily integrate the NAC 800 with Active Directory AD and other direc tories IDM can automatically synchronize with AD downloading account infor mation from the groups that you specify IDM can download lists of users from other directories Monitor users who attempt to authenticate to the NAC...

Page 128: ...abs NAC Home Access the NAC 800 s Home window NAC Monitor Access the NAC 800 s System monitor window NAC System Access the NAC 800 s System configuration window N ot e The NAC 800 that acts as a RADIUS server might be a CS or an ES IDM will detect any type of NAC 800 Although an ES does not actually run a Web browser interface you can still select the NAC Home NAC Monitor and NAC System tabs for t...

Page 129: ...censes 3 39 Management and Maintenance 3 39 Upgrade the Software 3 39 Create Management Users 3 41 Create User Accounts 3 42 Configure User Roles 3 45 Digital Certificates 3 52 Install a CA Signed Certificate for HTTPS 3 52 Generate a Key 3 53 Install the Root CA Certificate 3 55 Create a Certificate Request and Transfer It off the NAC 800 3 56 Download and Install the Signed Certificate 3 58 Rest...

Page 130: ... of the ProCurve NAC 800 Contents Install the Self signed Certificate as a Trusted Root Certificate 3 61 Restart the HTTPS Server 3 61 Install the Self signed Certificate as a Trusted Root Certificate on Endpoints 3 62 ...

Page 131: ... root account which you log in to through Secure Shell SSH grants access to the command line of the NAC 800 s Linux based operating system OS You will need such access if you want to enable the NAC 800 to act as a RADIUS server without ProCurve Identity Driven Manager IDM The username for the account is root and the default password is pro curve You can change this password If your NAC 800 is a co...

Page 132: ...l categories or levels depending on their impor tance You can choose the levels of events that the MS logs System Settings Initial Configuration You are prompted to configure most system settings for an MS or CS if your NAC 800 is a stand alone device the first time that you access the NAC 800 Web browser interface See Initial Configuration of CS or MS Settings on page 3 4 In a cluster deployment ...

Page 133: ...dress For example if the device s address is 10 1 1 100 type https 10 1 1 100 The Step 1 of 3 Accept license agreement window is displayed Figure 3 1 Step 1 of 3 Accept License Agreement 2 Read the license and select the I accept this license agreement option 3 Click the next button The Step 2 of 3 Enter management server settings window is displayed ...

Page 134: ...escribed in System Settings on page 3 3 you use the root password to log in to the NAC 800 s command line The password can include alphanumeric and special characters in fact a good password will include a mix of different types of characters However the password does not have specific complexity or length requirements Click back to see the license agreement again ...

Page 135: ...s setting narrows the selection for the next setting your time zone b Select the correct time zone from the Time zone drop down menu Time zones are listed by offset from Greenwich Mean Time GMT for example GMT 6 00 as well as by name and by select cities in that time zone If your city is not listed you can either rely entirely on the GMT offset or look for a city that you know is in your time zone...

Page 136: ...dress of at least one DNS server in the DNS IP addresses field The DNS server resolves FQDNs and other hostnames to IP addresses the MS must be able to contacta DNS server to access sites and services on the Internet You must identify the DNS server with an IP address not an FQDN Specify multiple servers to ensure high availability separate the IP addresses with commas no spaces 8 Click the next b...

Page 137: ...indow is displayed If you want to change the settings at a later point see Edit System Settings on an MS or a CS on page 3 16 If your NAC 800 is a CS typical for a device that acts as a RADIUS server only the system setup is complete Otherwise you must add ESs as described in the section below Initial Configuration of ES Settings When you add an ES the MS contacts it and configures its initial sys...

Page 138: ...rcement Clusters Servers add an Enforcement Cluster 2 Click add an enforcement cluster The Add enforcement cluster window is displayed The left navigation bar lists several menu options for now you can ignore all options except General which is selected by default Select this link to create a cluster ...

Page 139: ...nt Cluster General 3 In the Cluster name field enter a string that describes this cluster The string can include alphanumeric characters special characters and spaces 4 From the NAC policy group drop down menu select Default In the RADIUS only usage model the NAC policy has no effect However you must select a policy to create the cluster ...

Page 140: ... you are adding an ES that was previously managed by a different MS you must first reset the ES Log in to the ES as root and enter this command resetSystem py For the complete procedure of moving an ES from one MS to another see Chapter 15 System Administration of the ProCurve Network Access Con troller 800 Users Guide Follow these steps 1 You should be in the following window Home System configur...

Page 141: ...urve NAC 800 System Settings Figure 3 6 Home System Configuration Enforcement Clusters Servers add an Enforcement Server 2 Click add an enforcement server The Add enforcement server window is displayed Select this link to add an ES ...

Page 142: ... the Web Browser Interface on page 2 37 in Chapter 2 Management Options for the ProCurve NAC 800 5 Give the ES a hostname Enter the name as an FQDN For example ES NicheLab1 com The hostname can contain only these characters Alphanumeric characters Periods Hyphens The hostname can be up to 64 characters 6 In the DNS IP addresses field specify the IP address of at least one DNS server To contact dev...

Page 143: ... must contain both letters and numbers special characters are also allowed 8 Enter the same password in the Re enter root password field 9 Click the ok button You return to the Home System configuration Enforcement clusters servers window where you can see the new ES Figure 3 8 Home System Configuration Enforcement Clusters Servers 10 Return to page 3 10 and follow the steps to add another ES or c...

Page 144: ... system settings when You first access its Web browser interface an MS or a CS You add it to a cluster an ES However you can edit these settings at any time the following sections explain how Edit System Settings on an MS or a CS To edit system settings on an MS or a CS select Home System configuration Management server The window displays the previously configured settings which you can now edit ...

Page 145: ...3 17 Initial Setup of the ProCurve NAC 800 System Settings Figure 3 9 Home System Configuration Management Server ...

Page 146: ...tings causes the MS s network interface to briefly shut down and restart In addition if you make a mistake you can lock yourself out of the Web browser interface To correct the network settings open a console session with the MS or use its LCD buttons See Access the Web Browser Interface on page 2 37 in Chapter 2 Manage ment Options for the ProCurve NAC 800 To edit the network settings follow thes...

Page 147: ...ld specify the IP address of the default router in the MS s subnetwork e Specify the IP address of at least one DNS server in the DNS IP addresses field The DNS server resolves FQDNs and other hostnames to IP addresses the MS must be able to contacta DNS server to access sites and services on the Internet You must identify the DNS server with an IP address not an FQDN Specify multiple servers to e...

Page 148: ...3 20 Initial Setup of the ProCurve NAC 800 System Settings Follow these steps 1 You should be in the following window Home System configuration Management server 2 Find the Proxy server area ...

Page 149: ...3 21 Initial Setup of the ProCurve NAC 800 System Settings Figure 3 11 Home System Configuration Management Server Proxy Server Area ...

Page 150: ...rvers is significantly more secure than basic authentication Instead of submitting the password over the network the NAC 800 uses it to encrypt a random value Negotiable The NAC 800 and the proxy server agree together whether to use basic or digest authentication This option elimi nates compatibility issues but is less secure than the digest option b In the User name field enter the ID of a user a...

Page 151: ...3 23 Initial Setup of the ProCurve NAC 800 System Settings Follow these steps to edit the date and time 1 You should be in the Home System configuration Management server window ...

Page 152: ...3 24 Initial Setup of the ProCurve NAC 800 System Settings Figure 3 12 Home System Configuration Management Server Date And Time Area ...

Page 153: ... NTP server 4 Choose how the NAC 800 MS receives its clock automatically or manually Automatically receive NTP updates from Specify the NTP servers in the field on the right You can identify a server by FQDN or IP address You can specify multiple servers separate the IP addresses or FQDNs with commas no space Visit http support ntp org bin view Servers NTPPoolServers for a list of public NTP serve...

Page 154: ...ed network management you should configure the NAC 800 to integrate with the solution The NAC 800 supports SNMPv2c It provides read only access to its configu ration To gain this access an SNMP server must Have a read only community name that matches the name set on the MS Have an IP address in the allowed source network set on the MS To configure SNMP settings follow these steps 1 You should be i...

Page 155: ...3 27 Initial Setup of the ProCurve NAC 800 System Settings ...

Page 156: ...ddress in Classless Inter Domain Routing CIDR nota tion in the Allowed source network field If you do not want to restrict access to SNMP devices in a particular network enter default To configure Outgoing SNMP notifications follow these steps 1 Select the Outgoing SNMP notifications check box To disable outgoing notifications clear the check box 2 Enter a comma separated list of IP addresses or h...

Page 157: ...n If that is the case select the Do not send notifications when an endpoint has been granted temporary net work access check box 6 When you are done editing MS settings click the ok button to save the changes Edit the Root Password TherootpasswordgrantsaccesstotheNAC800 s OS via an SSH session To change the password follow these steps 1 You should be in the following window Home System configurati...

Page 158: ...3 30 Initial Setup of the ProCurve NAC 800 System Settings Figure 3 15 Home System Configuration Management Server Other Settings Area ...

Page 159: ...ing to their severity or possible negative impact on your network From most to least severe the log levels are Error Warn Info Debug Trace By default the log level is debug which means that the module will log all events that have debug level severity or higher that is all events except trace events If you find that you spend too much time searching through logs you can configure the NAC 800 to lo...

Page 160: ...3 32 Initial Setup of the ProCurve NAC 800 System Settings Figure 3 16 Home System Configuration Management Server Other Settings Area ...

Page 161: ...to save the changes N ot e To learn how to check for new software see Upgrade the Software on page 3 41 Edit System Settings on an ES You can edit the settings that were created when you added the ES You can also configure SNMP and time zone settings that are specific to this ES To do so you must access the ES s configuration as follows 1 You should be in the following window Home System configura...

Page 162: ...System Settings Figure 3 17 Home System Configuration Enforcement Clusters Servers 2 Click the name of the ES for which you want to edit the system settings The Enforcement server window is displayed at the Status menu option Click the ES s name ...

Page 163: ...3 35 Initial Setup of the ProCurve NAC 800 System Settings Figure 3 18 Home System Configuration Enforcement Clusters Servers Selected ES Status 3 Select the Configuration menu option ...

Page 164: ...twork Settings on page 3 36 Set the time zone See Set the ES Time Zone on page 3 37 Configure SNMP settings See Configure ES SNMP Settings on page 3 38 Changethe ES srootpassword See EdittheESRootPassword onpage 3 40 Edit ES Network Settings To edit the network settings of an ES follow these steps 1 You should be in the following window Home System configuration Enforcement clusters servers select...

Page 165: ...e IP address of at least one DNS server in the DNS IP addresses field The DNS server resolves FQDNs and other hostnames to IP addresses the MS must be able to contacta DNS server to access sites and services on the Internet You must identify the DNS server with an IP address not an FQDN Specify multiple servers to ensure high availability separate the IP addresses with commas no space 3 When you a...

Page 166: ... are listed by offset from Greenwich Mean Time GMT for example GMT 6 00 as well as by name and by select cities in that time zone If your city is not listed you can either rely on the GMT offset or look for a city that you know is in your time zone It is important to select the correct time zone so that the NAC 800 appropriately adjusts the time that it receives from the MS Configure ES SNMP Setti...

Page 167: ...read only community name that matches the name that is set on the ES have an IP address in the allowed source network that is set on the ES To configure SNMP settings follow these steps 1 You should be in the following window Home System configuration Enforcement clusters servers selected ES Status Figure 3 21 Home System Configuration Enforcement Clusters Servers Selected ES Configuration 2 Find ...

Page 168: ...er a network address in CIDR notation in the Allowed source network field If you do not want to restrict access to SNMP devices in a particular network enter default 6 When you are done editing ES settings click the ok button to save the changes Edit the ES Root Password The root password grants access to the NAC 800 scommand line via an SSHsession Tochangethe password follow these steps 1 You sho...

Page 169: ...age the ProCurve NAC 800s You manage clusters of NAC 800s through the MS s Web browser interface You manage each CS a stand alone NAC 800 through its own Web browser interface Upgrade the Software ProCurveNetworkingprovidesfreesoftwareupgradesaspartoftheProCurve NAC 800 s one year warranty These upgrades may add new functionality or improve performance You should always check for an upgrade as soo...

Page 170: ...3 42 Initial Setup of the ProCurve NAC 800 Management and Maintenance Figure 3 22 Home System Configuration Management Server System Upgrade Area ...

Page 171: ...n of CS or MS Settings on page 3 4 You can create other users that are allowed to access the Web browser interface and manage your system s NAC 800s A management user is identified by Username Password A user s management rights are defined by Role A role consists of a series of permissions For example the ability to run a report is a permission as is the ability to configure settings for a cluste...

Page 172: ...ate reports Manage NAC policies View endpoint activity Monitor system status Control access Retest endpoints Cluster Administrator For assigned clusters configure cluster settings view endpoint activity change endpoint access control retest endpoints and generate reports Configure cluster View system alerts Generate reports View endpoint activity Monitor system status Control access Retest endpoin...

Page 173: ...3 45 Initial Setup of the ProCurve NAC 800 Management and Maintenance Figure 3 23 Home System Configuration User Accounts 2 Click the add a user account link The Add user account window is displayed ...

Page 174: ... or special characters however it can include the at character 4 Enter the user s password in the Password field The password can include alphanumeric characters special characters and spaces It must contain a mix of letters and numbers and be at least 8 characters 5 Enter the same password in the Re enter password field 6 Enter the user s full name in the Full name field 7 Optionally specify the ...

Page 175: ...as all permissions for all clusters regardless of which clusters have been assigned to that account 11 Click the ok button Configure User Roles As explained earlier the NAC 800 OS includes several default roles suitable for many environments You can also customize these roles or create your own roles You can create entirely new roles that include the permissions that you select You can also custom...

Page 176: ...p the system and restore from the backup Configure cluster settings System configuration including all menu options View system alerts View system alerts on the Home window Home Generate reports Generate reports about assigned clusters Reports Manage NAC policies Add edit and delete NAC policies and NAC policy groups Set the NAC policy group for assigned clusters NAC policies View endpoint activit...

Page 177: ...nt and Maintenance Create a New User Role Follow these steps to create a new user role 1 Select Home System configuration User roles Figure 3 25 Home System Configuration User Roles 2 Click the add a user role link The Add user role window is displayed ...

Page 178: ...or This field can include alphanumeric characters special characters and spaces 4 Optionally describe this role at more length in the Description field Describing the role is a good idea because it helps other users know which management user accounts should receive this role User account windows display roles descriptions but not their permis sions so you should typically include information abou...

Page 179: ...View endpoint activity Control access The Configure the system permission allows users all of the access they need to configure a RADIUS only NAC 800 The View system alerts and Monitorsystemstatus permissionsaddtheabilitytomonitorthesystem You might want the View endpoint activity and Control access permis sions in order to help users in case the endpoint integrity test functions are not shut down...

Page 180: ...d Maintenance Follow these steps to edit the role 1 Select Home System configuration User roles Figure 3 27 Home System Configuration User Roles 2 Click the name of the role that you want to edit in the User role name column The User role window is displayed ...

Page 181: ...w name in the Role name field b Alter the text in the Description field You should change the description to reflect the new permissions c In the Permissions area check and clear check boxes to customize the role s permissions 4 When you are finished click the ok button N ot e The changes save immediately Any user that is assigned this role automati cally receives the new permissions ...

Page 182: ... A NAC 800 that binds to a Lightweight Directory Access Protocol LDAP server that uses TLS authentication requires the CA root certificate for the LDAP server s CA The instructions in this section apply only to the first and second purposes To learn about configuring digital certificates for the other purposes see Chapter 4 Configuring the RADIUS Server Integrated with ProCurve Iden tity Driven Ma...

Page 183: ...ry default settings the NAC 800 already includes several root CA certificates See Install the Root CA Certificate on page 3 57 for a list 3 Create a certificate request or certificate signing request CSR The format of the request is PKCS 10 4 Transfer the certificate request off the NAC 800 5 Submit the certificate request to your CA The steps for completing this task depend on your CA refer to th...

Page 184: ... compliance keystore 5 When prompted enter this password for the keystore changeit You must enter this password 6 Next you are prompted to enter information that will be included in the certificate that uses this key For the first and last name enter the NAC 800 s exact FQDN 7 The command line displays the information that you entered If it is correct type y and press Enter If you need to edit the...

Page 185: ...d below you can skip this task AddTrust Comodo Cybertrust Entrust Equifax Secure GeoTrust Go Daddy Sonera Starfield Thawte UserTrust Valicert VeriSign If you are using a different third party CA or your organization s own CA you must install the CA certificate Follow these steps 1 Obtain the CA certificate from your CA The certificate must use X 509 format 2 Download the CA certificate to the NAC ...

Page 186: ...t includes the public key and information about the NAC 800 and your organization Syntax pscp path filename root IP address path ca_cert_filename Replace path filename with the path and filename of the CA certificate that is saved on your workstation Replace IP address with the NAC 800 s IP address Alternately you can enter its hostname Replace path ca_cert_filename with the name that you choose t...

Page 187: ...t was created Enter this command ProCurve NAC 800 usr local nac keystore dir 7 Transfer the certificate request off the NAC 800 You can save the request to your management workstation If this work station has the PSCP application follow these steps a Access the command line prompt on your workstation b Move to the directory in which PSCP is stored Syntax keytool certreq alias keyname file filename...

Page 188: ...ocal nac key store mynac cer 2 When prompted enter the NAC 800 s root password 3 Log in to the NAC 800 as root 4 Move to this directory ProCurve NAC 800 cd usr local nac keystore Syntax pscp root IP address usr local nac keystore filename path file name Replace IP address with the NAC 800 s IP address Alternately you can enter its hostname Replace filename with the name given to the certificate re...

Page 189: ...wn CA On the other hand a self signed certificate is less trusted users might have to choose to trust it when they access the NAC 800 s Web browser interface You must complete these tasks to create and install a self signed certificate 1 Generate the self signed certificate and keypair in the compliance key store 2 Export the self signed certificate to a file 3 Install the self signed certificate ...

Page 190: ...y ProCurve NAC 800 cd usr local nac keystore 3 Enter this command 4 For example ProCurve NAC 800 usr local nac keystore keytool genkey alias mynac procurve com keyalg RSA keystore compliance keystore 5 When prompted enter changeit for the keystore password You must enter this password 6 Next you are prompted to enter information that will be included in the certificate that uses this key For the f...

Page 191: ...rt the self signed certificate to a file 1 Log in as root to the NAC 800 OS 2 Move to the usr local nac keystore directory ProCurve NAC 800 cd usr local nac keystore 3 Enter this command 4 When prompted for the password enter changeit Install the Self signed Certificate as a Trusted Root Certificate Follow these steps to install the new self signed certificate as a trusted CA root certificate 1 Lo...

Page 192: ...sted root CA certificate You have already exported the certificate to a file you should now transfer it off the NAC 800 Follow these steps to save the certificate off the NAC 800 to a management station that runs PSCP 1 Access the command line for the station that runs PSCP click Start Run and enter cmd and move to the directory in which PSCP is installed Syntax keytool import alias CA_name keysto...

Page 193: ...u can publish the certificate in Active Directory Check the appropriate documentation for instructions Syntax pscp root IP address usr local nac keystore self_cert_filename path filename Replace IP address with the NAC 800 s IP address Alternately you can enter its hostname Replace self_cert_filename with the name given to the self certificate file in Export the Self signed Certificate to a File o...

Page 194: ...3 66 Initial Setup of the ProCurve NAC 800 Digital Certificates ...

Page 195: ...tabase 4 7 AD Windows Domain 4 7 LDAP Server 4 8 Proxy RADIUS Server 4 9 Configure the NAC 800 as a RADIUS Server 4 11 Specify the Quarantine Method 802 1X 4 12 Configure Authentication Settings 4 14 Configure Authentication to the NAC 800 s Local Database 4 14 Configure Authentication to a Windows Domain 4 16 Configure Authentication to an LDAP Server 4 20 Configure Authentication to a Proxy RADI...

Page 196: ...rtificate on the NAC 800 4 49 Install a Server Certificate for RADIUS 4 50 Create a Self Signed Certificate 4 51 Install a CA Signed Certificate Using a Request Generated on the NAC 800 4 53 Install a CA Signed Certificate Using a Request Generated on Behalf of the NAC 800 4 58 Manage Certificates on Endpoints 4 62 Disable Server Validation on Endpoints 4 62 ...

Page 197: ...rcumstance only might you use a cluster deployment instead you are adding a RADIUS only NAC 800 to a system that already enforces endpoint integrity with a cluster configuration In this case the RADIUS only NAC 800 would be an ES in a new cluster that enforces 802 1X quarantining and no endpoint integrity You would configure most of the settings described in this chapter in the MS s Web browser in...

Page 198: ...orkstation has an 802 1X client available to all network connections and this client supports EAP TLS and PEAP with MS CHAPv2 Older workstations might require the installation of a vendor client for 802 1X authentication Table 4 1 Port Authentication Methods and Authentication Protocols Dynamic or User Based Settings Dynamic or user based settings allow you to customize users network access accord...

Page 199: ...M server and the NAC 800 See Configure MS or CS SNMP Settings on page 3 26 of Chapter 3 Initial Setup of the ProCurve NAC 800 On the IDM server add the NAC 800 s IP address to this file C Program Files Hewlett Packard PNM server config access txt On the NAC 800 specify the IP address of the server that runs PCM Plus with IDM See Specify the Quarantine Method 802 1X on page 4 12 After detecting the...

Page 200: ...nt version must match the IDM version The NAC 800 includes the IDM agent at its factory default settings you do not need to install it If the IDM agent is upgraded the release notes will instruct you how to upgrade the agent on the NAC 800 To check the current IDM agent version log in to the NAC 800 as root and enter more root version Data Store Overview The NAC 800 can search one of several locat...

Page 201: ...o authenticate users EAP TLS EAP TTLS with MS CHAPv2 or GTC PEAP with MS CHAPv2 or GTC Disadvantages of using the local database include You must have access to IDM to add entries to the database Although IDM can automatically add users you must set passwords for the user accounts before they are added to the NAC 800 s local database AD Windows Domain Many organizations manage users as a part of a...

Page 202: ...nd to an LDAP server and search a directory For example your organization might already have a directory that authenticates users and authorizes them for various types of network access The NAC 800 can bind to these LDAP servers OpenLDAP See Configure Authentication to an OpenLDAP Server on page 4 21 Novell eDirectory See Configure Authentication to a Novell eDirectory Server on page 4 26 Advantag...

Page 203: ...ver you might choose the proxy option for a RADIUS only NAC 800 in this situation you want to use IDM but your existing RADIUS server does not support the IDM agent The NAC 800 will proxy authentication requests to the existing server which checks user credentials When the NAC 800 receives an access response from the proxy server it will modify the response according to policies configured through...

Page 204: ...always transmit the username in encrypted form IDM cannot determine the correct policy to apply For example EAP TTLS might exhibit this problem An example of an EAP method that works with proxying is Microsoft s implementation of PEAP If your NAC 800 loses connectivity to the proxy server it cannot authen ticate users Specifying multiple proxy servers mitigates this disadvantage Manual configurati...

Page 205: ...l configuration of the NAC 800 See Chapter 3 Initial Setup of the ProCurve NAC 800 N ot e In particular set the NAC 800 s SNMPv2 community name to the name configured on the PCM Plus with IDM server If you are adding the RADIUS only NAC 800 to an existing system of NAC 800s create a cluster for 802 1X enforcement and add the new NAC 800 as an ES Otherwise simply set the NAC 800 as a CS 3 On the PC...

Page 206: ... RADIUS server automatically restarts See Apply Changes on page 4 44 9 Complete allother configurations including creating policiesfor dynamic settings and endpoint integrity with IDM Deploy policies to the NAC 800 See the ProCurve Identity Driven Manager Users Guide Specify the Quarantine Method 802 1X To act as a RADIUS server the ProCurve NAC 800 must implement the 802 1X quarantine method Howe...

Page 207: ...4 13 Configuring the RADIUS Server Integrated with ProCurve Identity Driven Manager Configure the NAC 800 as a RADIUS Server Figure 4 1 Home System Configuration Quarantining 4 Select the Access mode ...

Page 208: ...sions as a RADIUS server Next you must configure the RADIUS server s authentication settings Configure Authentication Settings To check 802 1X credentials the NAC 800 draws on user accounts stored in one of several locations Its own local database configured through IDM see Configure Authen tication to the NAC 800 s Local Database on page 4 14 A Windows Domain see Configure Authentication to a Win...

Page 209: ...US Server Integrated with ProCurve Identity Driven Manager Configure the NAC 800 as a RADIUS Server Figure 4 2 Home System Configuration Quarantining 802 1X Quarantine Method 2 Keep Manual for the End user authentication method ...

Page 210: ...omain The Windows Domain authentication method allows the NAC 800 to check end user credentials against credentials stored in AD The NAC 800 joins the domain Then when it receives an authentication request from an end user the NAC 800 uses NT LAN Manager NTLM to query a domain controller a server that runs AD and check the end users creden tials To set up the Windows domain authentication method s...

Page 211: ...ler s FQDN To specify the DNS server see Edit MS or CS Network Settings on page 3 18 of Chapter 3 Initial Setup of the ProCurve NAC 800 Your network s DNS servers must have forward lookup entries for the NAC 800 and for the domain controller It must also have the correct reverse lookup zones The NAC 800 s clock is synced with the domain controller s clock Default Windows server settings require th...

Page 212: ...iven Manager Configure the NAC 800 as a RADIUS Server Figure 4 3 Home System Configuration Quarantining 802 1X Quarantine Method 2 Select Windows domain for the End user authentication method The Windows domain settings and Test Windows domain settings areas are displayed ...

Page 213: ...Configuring the RADIUS Server Integrated with ProCurve Identity Driven Manager Configure the NAC 800 as a RADIUS Server Figure 4 4 Home System Configuration Quarantining windows Domain Authentication Method ...

Page 214: ...ify the FQDN of your domain controller or controllers Domain controllers are servers that run AD Separate FQDNs with a comma no space N ot e In a network with multiple domain controllers you should generally specify all of the controllers If you do not you might see an error when you test the settings because the NAC 800 bound itself to a different domain controller than the one specified 8 To ver...

Page 215: ...unt that matches the name submitted by the end user Tocheckthe end user spassword theNAC 800requeststhepassword attribute for the account By default the NAC 800 and the LDAP server communicate in plaintext messages You should configure the NAC 800 to complete TLS authentication with the LDAP server which increases security in several ways The LDAP server verifies its identity to the NAC 800 with a...

Page 216: ...entity Driven Manager Configure the NAC 800 as a RADIUS Server Figure 4 5 Home System Configuration Quarantining 802 1X Quarantine Method 2 Select OpenLDAP for the End user authentication method The OpenLDAP settings and Test OpenLDAP settings areas are displayed ...

Page 217: ...23 Configuring the RADIUS Server Integrated with ProCurve Identity Driven Manager Configure the NAC 800 as a RADIUS Server Figure 4 6 Home System Configuration Quarantining openldap Authentication Method ...

Page 218: ...e Identity field enter the DN of an object in the directory with administrative rights Enter the name in standard LDAP format For example cn Manager dc MyCompany dc com 5 In the Password field enter the password for the object specified in the previous step 6 In the Re enter password field enter this password again 7 In the Base DN field enter the DN for the object at which the NAC 800 begins sear...

Page 219: ... TLS box The NAC 800 and the OpenLDAP server perform a TLS handshake to authenticate each other as well as set up encryption keys to secure the connection ProCurve Networking recommends that you always enable this option 10 If you checked the box in the previous step verify that the NAC 800 has the proper certificate authority CA certificate The NAC 800 requires the CA certificate for the CA that ...

Page 220: ...S Server Configure Authentication to a Novell eDirectory Server If your net work stores user accounts in eDirectory follow these steps to configure the NAC 800 s authentication settings 1 Complete the steps listed in Specify the Quarantine Method 802 1X on page 4 12 You should see the window illustrated in Figure 4 7 ...

Page 221: ...er Integrated with ProCurve Identity Driven Manager Configure the NAC 800 as a RADIUS Server Figure 4 7 Home System Configuration Quarantining 802 1X Quarantine Method 2 Select Novell eDirectory for the End user authentication method ...

Page 222: ... ProCurve Identity Driven Manager Configure the NAC 800 as a RADIUS Server The Novell eDirectory settings and Test Novell eDirectory settings areas are displayed Figure 4 8 Home System Configuration Quarantining Novell eDirectory Authentication Method ...

Page 223: ...ssword for the account specified in the previous step 6 In the Re enter password field enter this password again 7 In the Base DN field enter the DN for the object at which the NAC 800 begins the search Typically you should specify the top of the directory For example dc MyCompany dc com The administrator specified in the Identity field should be under the base DN 8 You should leave the Filter and...

Page 224: ...ificate for the CA that signed the eDirectory server s certificate Save this certificate on your management station Then click the Browse button next to New certificate to upload it to the NAC 800 11 To verify that the NAC 800 can successfully bind to the eDirectory server click the test settings button See Test Authentication Settings on page 4 35 for more information on setting up the test 12 Yo...

Page 225: ...S Server Integrated with ProCurve Identity Driven Manager Configure the NAC 800 as a RADIUS Server Figure 4 9 Home System Configuration Quarantining 802 1X Quarantine Method 2 Select Proxy for the End user authentication method ...

Page 226: ...Manager Configure the NAC 800 as a RADIUS Server Figure 4 10 Home System Configuration Quarantining Proxy Authentication Method 3 Specify the IP address for the proxy server or servers To complete this task you must access the NAC 800 s OS and edit the etc raddb proxy conf file ...

Page 227: ...ve basic commands for editing the file with vi a standard Linux editor built into the NAC 800 For more information on vi see vi Editor on page B 4 of Appendix B Appendix B Linux Commands i Enter this command vi etc raddb proxy conf ii Move through the file until you find the realm company com section iii Enter insert mode by pressing i iv Delete the comment markers from the five lines in the realm...

Page 228: ...nd spaces enclose the secret within quotation marks ix The final configuration should resemble that shown in Figure 4 11 x When you are done leave insert mode by pressing Esc xi Enter this command to save the changes w xii Exit vi q N ot e More advanced users can configure the NAC 800 to proxy various requests to different RADIUS servers depending on the domain name or EAP type included in the req...

Page 229: ...y Bind to it Optionally perform a successful search You should test the settings to eliminate problems before the NAC 800 begins to authenticate end users on a live network Follow these steps 1 Complete the steps listed in Specify the Quarantine Method 802 1X on page 4 12 2 Complete the steps for your selected authentication method See Con figure Authentication Settings on page 4 14 3 You should s...

Page 230: ...4 36 Configuring the RADIUS Server Integrated with ProCurve Identity Driven Manager Configure the NAC 800 as a RADIUS Server Figure 4 12 Home System Configuration Quarantining Novell eDirectory Method ...

Page 231: ...2 for results that do indicate a problem Test the bind operation and look up an end user s credentials i Check the Verify credentials for an end user box ii Enter the username for a valid user in the User name field iii Enter the user s password in the Password field iv Re enter the password in the Re enter password field v Click the test settings button This test verifies that The NAC 800 can rea...

Page 232: ...ndow is displayed when you have edited previously configured authentication settings To test the new settings the NAC 800 must temporarily write them over the old settings which if the NAC 800 is the RADIUS server for an active network can briefly interrupt service Click the no button to cancel the test in which case you should also wait before applying your new settings Click the yes button to pr...

Page 233: ... bind to the LDAP server The bind password is incorrect Test failed could not authenticate identity The NAC 800 failed to bind to the LDAP server The bind username is incorrect The base DN is incorrect Test failed LDAP error code32 NDSerror nosuch entry 601 The NAC 800 failed to bind to the LDAP server The bind username is incorrect The base DN is incorrect Test failed LDAP error code 13 Confident...

Page 234: ...ll refer to them as 802 1X devices Follow these steps to add the 802 1X devices 1 Complete the steps listed in Specify the Quarantine Method 802 1X on page 4 12 2 Complete the steps for your selected authentication method See Con figure Authentication Settings on page 4 14 3 You should see a window similar to that illustrated in Figure 4 15 Test failed password for end user username is invalid The...

Page 235: ...grated with ProCurve Identity Driven Manager Configure the NAC 800 as a RADIUS Server Figure 4 15 Home System Configuration Quarantining 802 1X Quarantine Method 4 Click the add an 802 1X device link The Add 802 1X device window is displayed ...

Page 236: ...nformation on configuring this secret Or use PCM Plus s Secure Access Wizard described in the ProCurve Identity Driven Manager Users Guide The secret can include alphanumeric and special characters 7 Enter the same character string in the Re enter shared secret field 8 Optionally give the 802 1X device a descriptive name by entering a string in the Short name field The name is displayed in logs an...

Page 237: ...thod Add an 802 1X Device Link Connecting to the 802 1X device is necessary for implementing endpoint integrity the NAC 800 must force the 802 1X to re authenticate the end point after its endpoint integrity posture has changed so that the new VLAN assignment can take effect See How the NAC 800 Quarantines Endpoints on page 1 36 of Chapter 1 Overview of the ProCurve NAC 800 for more information ...

Page 238: ...ettings including adding an 802 1X device you must apply and save the changes When you apply the changes the CS s internal RADIUS server or the RADIUS servers on all ESs in the cluster automatically restart N ot e The RADIUS server typically takes several seconds to restart During this period the RADIUS server is unavailable for authenticating end users To avoid interrupting services configure 802...

Page 239: ...er Figure 4 18 Home System Configuration Enforcement Clusters Servers 2 Click the name of the CS or ES The Enforcement server window is displayed N ot e Figure 4 19 shows the Enforcement server window for a CS The window for an ES features two menu options General and Configuration You should select the General menu option ...

Page 240: ...r Configure the NAC 800 as a RADIUS Server Figure 4 19 Home System Configuration Enforcement Clusters Servers Selected Enforcement Server 3 The Process thread status area lists a number of services Click the restart now button for radius The Operation in progress window is displayed ...

Page 241: ...displayed The radius process was restarted N ot e Typically the RADIUS server restarts without a problem If it encounters difficulties you should restart it from the root of the OS Follow these steps 1 Log in as root to the NAC 800 OS a Open an SSH or console session with the NAC 800 b When asked for your username and password enter root and the root password default procurve 2 Enter this command ...

Page 242: ...lient example com You should load one of the following certificates on your NAC 800 A self signed certificate that specifies the NAC 800 s FQDN as its common name CN A certificate that specifies the NAC 800 s FQDN as its CN and is signed by a trusted CA In either case the certificate must allow the NAC 800 to use it for client and server authentication That is the extensions for the key usage shou...

Page 243: ...icants certificates Follow these steps to install the CA certificate on the NAC 800 1 Obtain the CA certificate from your CA Your CA should instruct you how to complete this step The certificate must be in PEM format See step 4 on page 4 50 for instructions on converting a DER or PFX certificate to PEM format 2 Transfer the CA certificate to the NAC 800 If you have installed PSCP on your managemen...

Page 244: ...NAC 800 cd etc raddb certs demoCA b Convert from DER format with this command For example enter ProCurve NAC 800 etc raddb certs demoCA openssl x509 in cac ert der inform DER out cacert pem outform PEM Convert from PFX format with this command 5 Restart the RADIUS server ProCurve NAC 800 etc raddb certs demoCA service radiusd restart Install a Server Certificate for RADIUS You have a variety of op...

Page 245: ...Configure the openssl application to issue self signed certificates with the correct extensions for a RADIUS server See Appendix B Appendix B Linux Commands for vi commands a Copy the default configuration file for openssl to a new location You will make changes to the new file ProCurve NAC 800 cp var ssl openssl cnf etc raddb certs openssl cnf b Enter this command ProCurve NAC 800 cd etc raddb ce...

Page 246: ...etc raddb certs service radiusd restart Syntax openssl req x509 config openssl cnf extensions radsrv newkey rsa dsa 512 1024 2048 4096 nodes days number keyout cert srv pem out cert srv pem The config option should specify the new configuration file that you created in step 2 Make sure that you are in the correct directory Similarly the extensions option specifies the bracketed name for the extens...

Page 247: ...ppendix B Appendix B Linux Commands for vi commands If you are using your own Windows CA you might skip this step and use a certificate template add the correct extensions a Copy the default configuration file for openssl to a new location You will make changes to the new file ProCurve NAC 800 cp var ssl openssl cnf etc raddb certs openssl cnf b Alter the new configuration file ProCurve NAC 800 et...

Page 248: ...hat you created in step 2 Make sure that you are in the correct directory Similarly the extensions option specifies bracketed name for the extensions that you added to that file The newkey option generates a private public keypair for this certificate Choose rsa or dsa for the algorithm and then choose the key length 4096 is not a valid option for dsa The private key for the certificate is saved w...

Page 249: ... and client authentication 8 After the CA returns the server certificate to you transfer it to the NAC 800 If you have installed PSCP on your management station you can follow these steps a Save the certificate to your management station b Access the command prompt on your management station and move to the directory in which PSCP is installed c Enter this command For example pscp mycertificate pe...

Page 250: ...mmands a Enter this command ProCurve NAC 800 vi etc raddb eap conf b Use the arrow keys or other vi commands to reach the tls section of the configuration file See Figure 4 21 Syntax openssl x509 in certificate_filename inform DER out certificate_ filename outform PEM For certificate_filename enter the name for the certificate that you chose in step 8 You should change the filename extension to re...

Page 251: ...ey pem f Set certificate_file to the same as the certificate filename that you specified in step 8 c on page 4 55 or step 11 on page 4 55 Keep the default path already included in the configuration file which works as long as you saved the certificate in the proper directory For example certificate_file raddbdir certs mycertificate pem g Make sure that CA_file is set to the filename including the ...

Page 252: ...i cate request and generate the certificate in X509 format Enter the NAC 800 sFQDN for itsCN Specify the NAC 800 scountry state and so forth as prompted Make sure to generate a RADIUS server certificate for the NAC Its key usage extensions should provide for both client and server authentica tion 2 Transfer the certificate and the private key to the NAC 800 If you have installed PSCP on your manag...

Page 253: ... allows the NAC 800 to use the new certificate without forcing you to alter the tls section of the etc raddb eap conf file which can lead to errors e When prompted enter the NAC 800 s root password 3 Log in to the NAC 800 as root 4 Enter this command ProCurve NAC 800 cd etc raddb certs Syntax pscp path filename root NAC 800 IP address etc raddb certs certificate_filename Replace path filename with...

Page 254: ...s named cert srv pem and if the private key is not protected with a password a Enter this command ProCurve NAC 800 vi etc raddb eap conf b Use the arrow keys or other vi commands to reach the tls section of the configuration file See Figure 4 22 N ot e The NAC 800 uses the tls configuration to authenticate itself for TLS PEAP and TTLS Syntax openssl x509 in certificate filename inform DER out cert...

Page 255: ...n step 2 c on page 4 59 or step 5 on page 4 60 Keep the default path already included in the configuration file which works as long as you saved the certificate in the proper directory For example certificate_file raddbdir certs mycertificate pem g Make sure that CA_file is set to the filename including the correct path for the CA root certificate This certificate was installed in Install the CA R...

Page 256: ...on endpoints if you have selected an EAP method that requires supplicants to authenticate with a certificate rather than a password Generally you would issue those certifi cates using your organization s CA Refer to the documentation for your CA service for instructions Disable Server Validation on Endpoints You might want to prevent endpoints from checking the NAC 800 s server certificate for sev...

Page 257: ...these steps on an endpoint to disable validation of the server on the native Windows 802 1X supplicant 1 Select Start Settings Network Connections Local Area Con nection Figure 4 23 Start Settings Network Connections Local Area Connection 2 Click the Properties button 3 Select the Authentication tab in the window that is displayed ...

Page 258: ...ed with ProCurve Identity Driven Manager Manage Digital Certificates for RADIUS Figure 4 24 Local Area Connection Properties Authentication 4 Choose your EAP type and click the Properties button 5 Clear the Validate server certificate check box ...

Page 259: ...tal Certificates for RADIUS Figure 4 25 EAP Type Properties 6 Click OK to close all open windows Follow these steps to disable validation of the server on an endpoint that uses the Microsoft Wireless Zero Configuration client 1 Select Start Settings Network Connections Wireless Network Connection ...

Page 260: ...ed with ProCurve Identity Driven Manager Manage Digital Certificates for RADIUS Figure 4 26 Start Settings Network Connections Local Area Connection 2 Click the Properties button 3 Select the Wireless Networks tab in the window that is displayed ...

Page 261: ...dentifier SSID for your wireless network in the Preferred networks area and click the Properties button If the SSID has not yet been configured on the client you must click the Add button instead Then in addition to completing the steps below you must configure settings such as the SSID the authentication method and the encryption type 5 Select the Authentication tab in the window that is displaye...

Page 262: ...er Integrated with ProCurve Identity Driven Manager Manage Digital Certificates for RADIUS Figure 4 28 SSID Properties Authentication 6 Choose the EAP type and click the Properties button 7 Uncheck the Validate server certificate box ...

Page 263: ...4 69 Configuring the RADIUS Server Integrated with ProCurve Identity Driven Manager Manage Digital Certificates for RADIUS Figure 4 29 EAP Type Properties 8 Click OK to close all open windows ...

Page 264: ...4 70 Configuring the RADIUS Server Integrated with ProCurve Identity Driven Manager Manage Digital Certificates for RADIUS ...

Page 265: ...iew 5 5 AD Windows Domain 5 5 LDAP Server 5 6 Proxy RADIUS Server 5 6 Configure the NAC 800 as a RADIUS Server 5 8 Specify the Quarantine Method 802 1X 5 8 Configure Authentication Settings 5 10 Configure Authentication to a Windows Domain 5 10 Configure Authentication to an LDAP Server 5 14 Configure Authentication to a Proxy RADIUS Server 5 23 Test Authentication Settings 5 28 Add NASs as 802 1X...

Page 266: ... on the NAC 800 5 43 Install a Server Certificate for RADIUS 5 45 Create a Self Signed Certificate 5 45 Install a CA Signed Certificate Using a Request Generated on the NAC 800 5 47 Install a CA Signed Certificate Using a Request Generated on Behalf of the NAC 800 5 52 Manage Certificates on Endpoints 5 56 Disable Server Validation on Endpoints 5 56 ...

Page 267: ...guring a stand alone NAC 800 functioning as a combination server CS the typical setting for a RADIUS only NAC 800 In one circumstance only might you use a cluster deployment you are adding a RADIUS only NAC 800 to a system that already enforces endpoint integrity with a cluster configuration In this case the RADIUS only NAC 800 would be an ES in a new cluster that enforces 802 1X quarantining but ...

Page 268: ... workstation has an 802 1X client available to all network connections and this client supports EAP TLS and PEAP with MS CHAPv2 Older workstations might require the installation of a vendor client for 802 1X authentication Table 5 1 Port Authentication Methods and Authentication Protocols Dynamic or User Based Settings Dynamic oruser based settingsallowyoutocustomizeusers networkaccess according t...

Page 269: ...t of a Windows domain and Micro soft AD already stores user entries The NAC 800 can join the domain and request information from AD when necessary to authenticate a user See Configure Authentication to a Windows Domain on page 5 10 to learn how to configure this option Advantages of using the Windows domain and AD as the data store include You do not have to replicate information already present i...

Page 270: ...vailable to all NAC 800s Disadvantages of using the LDAP servers include You must know the username and password for the administrator of the directory database in question otherwise you cannot configure the NAC 800 to bind to the directory If your NAC 800 loses connectivity to the LDAP server it cannot authen ticate users Proxy RADIUS Server The NAC 800 can proxy access requests to one or more RA...

Page 271: ...uests include You do not have to duplicate policies and accounts already stored on another RADIUS server Disadvantages of using the proxy server include The existing RADIUS server must still handle authentication requests so the NAC 800 does not relieve that burden If your NAC 800 loses connectivity to the proxy server it cannot authen ticate users Specifying multiple proxy servers mitigates this ...

Page 272: ... 800 to an existing system of NAC 800s create a cluster for 802 1X enforcement and add the new NAC 800 as an ES 3 Select 802 1X for the quarantine method See Specify the Quarantine Method 802 1X on page 5 8 4 Configure the authentication settings which determine for example where the database of usernames and passwords is stored See Configure Authentication Settings on page 5 10 5 Add your network...

Page 273: ...lect Home System configuration Quarantining 2 Ifyou have a multiple NAC 800 deployment MS and multiple ESs choose the cluster that includes the RADIUS server ESs For a CS the default and only cluster Cluster 1 is automatically selected 3 In the Quarantine method area select 802 1X Figure 5 1 Home System Configuration Quarantining ...

Page 274: ...ion settings Configure Authentication Settings To check 802 1X credentials the NAC 800 draws on user accounts stored in one of several locations A Windows domain see Configure Authentication to a Windows Domain on page 5 10 An OpenLDAP server see Configure Authentication to an OpenLDAP Server on page 5 15 A Novell eDirectory server see Configure Authentication to a Novell eDirectory Server on page...

Page 275: ...Settings on page 3 18 of Chapter 3 Initial Setup of the ProCurve NAC 800 for instructions on changing the hostname The NAC 800 requires a valid DNS server address which allows it to resolve the domain controller s FQDN To specify the DNS server see Edit MS or CS Network Settings on page 3 18 of Chapter 3 Initial Setup of the ProCurve NAC 800 Your network s DNS servers must have forward lookup entr...

Page 276: ...ager Configure the NAC 800 as a RADIUS Server Figure 5 2 Home System Configuration Quarantining 802 1X Quarantine Method 2 Select Windows domain for the End user authentication method The Windows domain settings and Test Windows domain settings areas are displayed ...

Page 277: ...5 13 Configuring the RADIUS Server Without Identity Driven Manager Configure the NAC 800 as a RADIUS Server Figure 5 3 Home System Configuration Quarantining Windows Domain Authentication Method ...

Page 278: ...FQDNofyourdomain controller or controllers Domain controllers are servers that run AD Separate FQDNs with a comma no spaces N ot e In a network with multiple domain controllers you should generally specify all of the controllers If you do not you might see an error when you test the settings because the NAC 800 bound itself to a different domain controller than the one specified 8 To verify that t...

Page 279: ...ches the name submitted by the end user Tocheckthe end user spassword theNAC 800requeststhepassword attribute for the account By default the NAC 800 and the LDAP server communicate in plaintext messages You should configure the NAC 800 to complete TLS authentication with the LDAP server which increases security in several ways The NAC 800 and the LDAP server verify their identities to each other w...

Page 280: ...riven Manager Configure the NAC 800 as a RADIUS Server Figure 5 4 Home System Configuration Quarantining 802 1X Quarantine Method 2 Select OpenLDAP for the End user authentication method The OpenLDAP settings and Test OpenLDAP settings areas are displayed ...

Page 281: ...dentity Driven Manager Configure the NAC 800 as a RADIUS Server Figure 5 5 Home System Configuration Quarantining OpenLDAP Authentication Method 3 In the Server field enter the hostname or IP address of the OpenLDAP server For example 10 1 10 10 ...

Page 282: ...ied in the previous step 6 In the Re enter password field enter this password again 7 In the Base DN field enter the DN for the object at which the NAC 800 begins searches almost always the DN of the top level of the tree For example dc MyCompany dc com The administrator specified in the Identity field should be under the base DN 8 Typically leave the Filter and Password attribute fields at their ...

Page 283: ...NAC 800 The NAC 800 requires the CA certificate for the CA that signed the OpenLDAP server s certificate Save this certificate on your management station Then click the Browse button next to New certificate to upload it to the NAC 800 11 To verify that the NAC 800 can successfully bind to the OpenLDAP server click the test settings button See Test Authentication Settings on page 5 28 for more info...

Page 284: ...Configure the NAC 800 as a RADIUS Server Figure 5 6 Home System Configuration Quarantining 802 1X Quarantine Method 2 Select Novell eDirectory for the End user authentication method The Novell eDirectory settings and Test Novell eDirectory settings areas are displayed ...

Page 285: ...DIUS Server Figure 5 7 Home System Configuration Quarantining Novell eDirectory Authentication Method 3 In the Server field enter the hostname or IP address of the eDirectory server For example 10 1 10 10 A hostname can include alphanumeric characters periods and hyphens and be up to 64 characters ...

Page 286: ... the top of the directory For example dc MyCompany dc com The administrator specified in the Identity field should be under the base DN 8 You should leave the Filter and Password attribute fields at their default settings As explained in the introduction to Configure Authentication to an LDAP Server on page 5 14 the filter and password attribute help the NAC 800 perform searches within the directo...

Page 287: ... s certificate Save this certificate on your management station Then click the Browse button next to New certificate to upload it to the NAC 800 11 To verify that the NAC 800 can successfully bind to the eDirectory server click the test settings button See Test Authentication Settings on page 5 28 for more information on setting up the test 12 You are now ready to specify your network s NASs See A...

Page 288: ...the RADIUS Server Without Identity Driven Manager Configure the NAC 800 as a RADIUS Server Figure 5 8 Home System Configuration Quarantining 802 1X Quarantine Method 2 Select Proxy for the End user authentication method ...

Page 289: ...Configure the NAC 800 as a RADIUS Server Figure 5 9 Home System Configuration Quarantining Proxy Authentication Method 3 Specify the IP address for the proxy server or servers To complete this task you must access the NAC 800 s OS and edit the etc raddb proxy conf file ...

Page 290: ... a standard Linux editor built into the NAC 800 N ot e One reason to set up proxy RADIUS on a RADIUS only NAC 800 is to authenticate users in a different domain More advanced users can configure the NAC 800 to proxy various requests to different RADIUS servers depending on the domain name or EAP type included in the request The comments in the proxy conf file give guidelines however such configura...

Page 291: ...secret for the secret value Use this syntax secret shared secret This value must match exactly the secret configured on the proxy server for the NAC 800 The NAC 800 should be added as a client to the proxy server To include special characters and spaces enclose the secret within quotation marks ix The final configuration should resemble the one shown in Figure 5 10 x When you are done leave insert...

Page 292: ...Bind to it Optionally perform a successful search You should test the settings to eliminate problems before the NAC 800 begins to authenticate end users on a live network Follow these steps 1 Complete the steps listed in Specify the Quarantine Method 802 1X on page 5 8 2 Complete the steps for your selected authentication method See Con figure Authentication Settings on page 5 10 3 You should see ...

Page 293: ...uration Quarantining 4 If you are configuring a CS you can skip this step Otherwise you must select an ES from the Server to test from drop down menu In a multiple NAC 800 deployment ESs not the MS bind to the LDAP server when they need to authenticate the end user When you test set tings you must choose for which ES you are testing them ...

Page 294: ...r name field iii Enter the user s password in the Password field iv Re enter the password in the Re enter password field v Click the test settings button This test verifies that The NAC 800 can reach the domain controller or LDAP server The administrator username and password are correct For authentication through an LDAP server the filter and pass word attribute are correct The end user credentia...

Page 295: ...er the old settings which if the NAC 800 is the RADIUS server for a live network can briefly interrupt service Click the no button to cancel the test in which case you should also wait before applying your new settings Click the yes button to proceed with the test Note that proceeding with the test only temporarily overwrites the old settings You must still click the ok button on the Home System c...

Page 296: ...error Connection refused The NAC 800 failed to bind to the LDAP server The LDAP server requires TLS but this option is not selected Test failed could not verify server s certificate signature The NAC 800 failed to bind to the LDAP server The CA certificate for TLS authentication does not match the LDAP server s CA certificate Test failed password for end user username is invalid The NAC 800 succes...

Page 297: ... is incorrect The base DN is incorrect Test failed LDAP error code 13 Confidentiality Required The NAC 800 failed to bind to the LDAP server The LDAP server requires TLS but this option is not selected Testfailed connectionerror Connection refused The NAC 800 failed to bind to the LDAP server The LDAP server requires TLS but this option is not selected Test failed could not verify server s certifi...

Page 298: ...each NAS that uses the NAC 800 as its RADIUS server to the NAC 800 s list of 802 1X devices N ot e The NASs are often called RADIUS clients The Web browser interface however as well as this guide will refer to them as 802 1X devices Follow these steps to add the 802 1X devices 1 Complete the steps listed in Specify the Quarantine Method 802 1X on page 5 8 2 Complete the steps for your selected aut...

Page 299: ...ver Without Identity Driven Manager Configure the NAC 800 as a RADIUS Server Figure 5 14 Home System Configuration Quarantining 802 1X Quarantine Method 4 Click the add an 802 1X device link The Add 802 1X device window is displayed ...

Page 300: ...ctly See your device s documentation for information on configuring this secret The secret can include alphanumeric and special characters 7 Enter the same character string in the Re enter shared secret field 8 Optionally give the 802 1X device a descriptive name by entering a string in the Short name field The name is displayed in logs and can include alphanumeric and special characters 9 From th...

Page 301: ... an 802 1X Device Link Connecting to the 802 1X device is necessary for implementing endpoint integrity the NAC 800 must force the 802 1X to re authenticate the end point after its endpoint integrity posture has changed so that the new VLAN assignment can take effect See How the NAC 800 Quarantines Endpoints on page 1 36 of Chapter 1 Overview of the ProCurve NAC 800 for more information ...

Page 302: ...ding adding an 802 1X device you must apply and save the changes When you apply the changes the CS s internal RADIUS server or the RADIUS servers on all ESs in the cluster automatically restarts N ot e The RADIUS server typically takes several seconds to restart During this period the RADIUS server is unavailable for authenticating end users To avoid interrupting services configure 802 1X quaranti...

Page 303: ... 5 17 Home System Configuration Enforcement Clusters Servers 2 Click the name of the CS or ES The Enforcement server window is dis played N ot e Figure 5 18 shows the Enforcement server window for a CS The window for an ES features two menu options General and Configuration You should select the General menu option ...

Page 304: ...5 40 Configuring the RADIUS Server Without Identity Driven Manager Configure the NAC 800 as a RADIUS Server Figure 5 18 Home System Configuration Enforcement Clusters Servers Selected Enforcement Serve ...

Page 305: ...of the Enforcement server window this message should be dis played The radius process was restarted N ot e Typically the RADIUS server restarts without a problem If it encounters difficulties you should restart it from the root of the OS Follow these steps 1 Open an SSH session with the NAC 800 1 Log in as root to the NAC 800 OS a Open an SSH or console session with the NAC 800 b When asked for yo...

Page 306: ...mple com You should load one of the following certificates on your NAC 800 A self signed certificate that specifies the NAC 800 s FQDN as its common name CN A certificate that specifies the NAC 800 s FQDN as its CN and is signed by a trusted CA In either case the certificate must allow the NAC 800 to use it for client and server authentication That is the extensions for the key usage should be TLS...

Page 307: ...ertificates Follow these steps to install the CA certificate on the NAC 800 1 Obtain the CA certificate from your CA Your CA should instruct you how to complete this step The certificate must be in PEM format See step 4 on page 5 44 for instructions on converting a DER or PFX certificate to PEM format 2 Transfer the CA certificate to the NAC 800 If you have installed PSCP on your management statio...

Page 308: ... certificate is not in PEM format follow these steps a Move to the correct directory ProCurve NAC 800 cd etc raddb certs demoCA b Convert from DER format with this command For example enter ProCurve NAC 800 etc raddb certs demoCA openssl x509 in cacert der inform DER out cacert pem outform PEM Convert from PFX format with this command 5 Restart the RADIUS server ProCurve NAC 800 etc raddb certs de...

Page 309: ...f signed certificate to be used for RADIUS authentication 1 Log into the NAC 800 as root 2 Configure the openssl application to issue self signed certificates with the correct extensions for a RADIUS server See Appendix B Appendix B Linux Commands for vi commands a Copy the default configuration file for openssl to a new location You will make changes to the new file ProCurve NAC 800 cp var ssl op...

Page 310: ...b certs service radiusd restart Syntax openssl req x509 config openssl cnf extensions radsrv newkey rsa dsa 512 1024 2048 4096 nodes days number keyout cert srv pem out cert srv pem The config option should specify the new configuration file that you created in step 2 Make sure that you are in the correct directory Similarly the extensions option specifies the bracketed name for the extensions tha...

Page 311: ... Appendix B Linux Commands for vi commands If you are using your own Windows CA you might skip this step and use a certificate template add the correct extensions a Copy the default configuration file for openssl to a new location You will make changes to the new file ProCurve NAC 800 cp var ssl openssl cnf etc raddb certs openssl cnf b Alter the new configuration file ProCurve NAC 800 etc raddb c...

Page 312: ...created in step 2 Make sure that you are in the correct directory Similarly the extensions option specifies bracketed name for the extensions that you added to that file The newkey option generates a private public keypair for this certificate Choose rsa or dsa for the algorithm and then choose the key length 4096 is not a valid option for dsa The private key for the certificate is saved with the ...

Page 313: ...both server authentication and client authentication 8 After the CA returns the server certificate to you transfer it to the NAC 800 If you have installed PSCP on your management station you can follow these steps a Save the certificate to your management station b Access the command prompt on your management station and move to the directory in which PSCP is installed c Enter this command For exa...

Page 314: ...B Linux Commands for vi commands a Enter this command ProCurve NAC 800 vi etc raddb eap conf b Use the arrow keys or other vi commands to reach the tls section of the configuration file See Figure 5 20 Syntax openssl x509 in certificate_filename inform DER out certificate_ filename outform PEM For certificate_filename enter the name for the certificate that you chose in step 8 You should change th...

Page 315: ...Set certificate_file to the same as the certificate filename that you specified in step 8 c on page 5 49 or step 11 on page 5 50 Keep the default path already included in the configuration file which works as long as you saved the certificate in the proper directory For example certificate_file raddbdir certs mycertifi cate pem g Make sure that CA_file is set to the filename including the correct ...

Page 316: ...equest and generate the certificate in X509 format Enter the NAC 800 sFQDN for itsCN Specify the NAC 800 scountry state and so forth as prompted Make sure to generate a RADIUS server certificate for the NAC Its key usage extensions should provide for both client and server authentica tion 2 Transfer the certificate and the private key to the NAC 800 If you have installed PSCP on your management st...

Page 317: ...te without forcing you to alter the tls section of the etc raddb eap conf file which can lead to errors e When prompted enter the NAC 800 s root password 3 Log in to the NAC 800 as root 4 Enter this command ProCurve NAC 800 cd etc raddb certs 5 If your certificate is not in the correct format you can convert it Syntax pscp path filename root NAC 800 IP address etc raddb certs certificate_filename ...

Page 318: ... is not protected with a password a Enter this command ProCurve NAC 800 vi etc raddb eap conf b Use the arrow keys or other vi commands to reach the tls section of the configuration file See Figure 5 21 N ot e The NAC 800 uses the tls configuration to authenticate itself for TLS PEAP and TTLS Syntax openssl x509 in certificate filename inform DER out certificate file name outform PEM For certifica...

Page 319: ...c on page 5 53 or step 5 on page 5 53 Keep the default path already included in the configuration file which works as long as you saved the certificate in the proper directory For example certificate_file raddbdir certs mycertifi cate pem g Make sure that CA_file is set to the filename including the correct path for the CA root certificate This certificate was installed in Install the CA Root Cert...

Page 320: ...nts if you have selected an EAP method that requires supplicants to authenticate with a certificate rather than a password Generally you would issue those certifi cates using your organization s CA Refer to the documentation for your CA service for instructions Disable Server Validation on Endpoints You might want to prevent endpoints from checking the NAC 800 s server certificate for several reas...

Page 321: ...eps on an endpoint to disable validation of the server on the native Windows 802 1X supplicant 1 Select Start Settings Network Connections Local Area Connection Figure 5 22 Start Settings Network Connections Local Area Connection 2 Click the Properties button 3 Select the Authentication tab in the window that is displayed ...

Page 322: ... Without Identity Driven Manager Manage Digital Certificates for RADIUS Figure 5 23 Local Area Connection Properties Authentication 4 Choose your EAP type and click the Properties button 5 Clear the Validate server certificate check box ...

Page 323: ...ficates for RADIUS Figure 5 24 EAP Type Properties 6 Click OK to close all open windows Follow these steps to disable validation of the server on an endpoint that uses the Microsoft Wireless Zero Configuration client 1 Select Start Settings Network Connections Wireless Network Connection ...

Page 324: ...Without Identity Driven Manager Manage Digital Certificates for RADIUS Figure 5 25 Start Settings Network Connections Local Area Connection 2 Click the Properties button 3 Select the Wireless Networks tab in the window that is displayed ...

Page 325: ...r SSID for your wireless network in the Preferred networks area and click the Properties button If the SSID has not yet been configured on the client you must click the Add button instead Then in addition to completing the steps below you must configure settings such as the SSID the authentication method and the encryption type 5 Select the Authentication tab in the window that is displayed ...

Page 326: ...DIUS Server Without Identity Driven Manager Manage Digital Certificates for RADIUS Figure 5 27 SSID Properties Authentication 6 Choose the EAP type and click the Properties button 7 Uncheck the Validate server certificate box ...

Page 327: ...5 63 Configuring the RADIUS Server Without Identity Driven Manager Manage Digital Certificates for RADIUS Figure 5 28 EAP Type Properties 8 Click OK to close all open windows ...

Page 328: ...5 64 Configuring the RADIUS Server Without Identity Driven Manager Manage Digital Certificates for RADIUS ...

Page 329: ...t Integrity Testing Contents 6 Disabling Endpoint Integrity Testing Contents Overview 6 2 Configure Exceptions 6 2 Configure Exceptions for the Cluster Default Settings 6 3 Configure Exceptions for a Particular Cluster 6 5 ...

Page 330: ...tions the NAC 800 discovers them but does not test them In effect you have disabled endpoint integrity testing Configure Exceptions On the NAC 800 you configure exceptions for endpoints that you do not want tested for endpointintegrity When you designate an endpoint as an exception the NAC 800 discovers but does not test that endpoint To configure exceptions you can enter an address or a Windows d...

Page 331: ... a RADIUS server only you will typically specify a range or several ranges of addresses or a domain name Configure Exceptions for the Cluster Default Settings To configure exceptions as part of the cluster default settings which are then applied to all clusters complete the following steps 1 Select Home System configuration Figure 6 1 Home System Configuration Enforcement Clusters Servers ...

Page 332: ... 3 Under Whitelist enter either the addresses of endpoints or the domain name you want to exclude from testing Under Endpoints enter an IP address a range of IP addresses in CIDR format a MAC address or a NetBIOS name Under Windows domain enter the domain name Separate addresses and names with carriage returns as shown below 10 1 1 0 24 10 1 2 13 MyLaptop 4 Click ok ...

Page 333: ...of the clusters you have configured on the Management Server MS complete the following steps 1 Select Home System configuration Figure 6 3 Home System Configuration 2 Select Enforcement clusters servers and select the link for the cluster that implements RADIUS without endpoint integrity The Enforcement cluster window is displayed 3 Select Exceptions ...

Page 334: ...ot e The settings you configure for a particular cluster override the cluster setting defaults 4 Select the For this cluster override the default settings check box Figure 6 4 Home System Configuration Enforcement Clusters Servers Cluster_Name Exceptions ...

Page 335: ...e domain name you want to exclude from testing Under Endpoints enter an IP address a range of IP addresses in CIDR format a MAC address or a NetBIOS name Under Windows domain enter the domain name Separate addresses and names with carriage returns as shown below 192 168 10 0 24 192 168 115 55 MyNetwork 6 Click ok ...

Page 336: ...6 8 Disabling Endpoint Integrity Testing Overview ...

Page 337: ... Duplicate Network Pathways 7 4 Configuring Network Devices for Redundant RADIUS Servers 7 4 Configure the NASs 7 5 Configure Multiple LDAP Servers on the NAC 800 7 6 Use IDM to Configure the Usernames and Passwords 7 11 Test Your Redundant Configurations 7 11 Back Up Your NAC 800 Configuration 7 12 Configure the Web Browser So That It Allows You to Save Files 7 14 Restore the System from the Back...

Page 338: ... limited resources in the unauthorizedvirtuallocalarea network orVLAN dependingon howyouhave configured your network Neither option is desirable This chapter describes how to plan redundancy for a network in which one or more ProCurve Network Access Controller NAC 800s provide RADIUS services Planning Redundancy for RADIUS Only Deployments Providing redundant RADIUS services requires some planning...

Page 339: ...he LDAP server N ot e In the remainder of this chapter the term RADIUS server will refer either to a NAC 800 acting as a RADIUS server or a third party RADIUS server NAC 800 local data store If you are storing credentials on the NAC 800 IDM ensures that each NAC 800 includes the same user names and passwords You enter the usernames and passwords once on the IDM server and it will configure them on...

Page 340: ...a primary path becomes unavailable RSTP unblocks the redundant path Although a detailed discussion of network design is beyond the scope of this guide Figure 7 1 illustrates one design with duplicate network pathways Configuring Network Devices for Redundant RADIUS Servers WhenyousetupredundantRADIUSservers youmustconfigureyournetwork devices so that they cantake advantage oftheseservers Specifica...

Page 341: ...pecify a RADIUS server using the following command ProCurve Switch config radius server host ip address To configure a primary and a secondary RADIUS server you simply enter the command twice the first time you enter the IP address for the primary RADIUS server the second time you enter the IP address for the secondary RADIUS server The 5400zl Switch will contact the RADIUS servers in the order in...

Page 342: ...however you must edit the etc raddb radiusd conf file to reference multiple LDAP servers hostname Core module 1 type J8702A module 2 type J8702A module 3 type J9051A ip routing snmp server community public snmp server community procurve Unrestricted snmp server host 10 1 10 10 public vlan 1 name DEFAULT_VLAN untagged A2 A4 A24 B2 B24 ip helper address 10 1 10 10 ip address 10 1 1 1 255 255 255 0 n...

Page 343: ...s Because you are using a domain controller use the drop down menu to select Windows domain Additional fields are displayed allowing you to enter Domain name Administrator user name Administrator password You can then list additional domain controllers in the Domain controllers field If you list more than one domain controller in this field separate each one with a comma This section focuses only ...

Page 344: ...re 7 3 Home System Configuration Quarantining Edit the etc raddb radiusd conf file IfyouareusingNovelleDirectoryor OpenLDAP you must log in to the NAC 800 as root through an SSH or console session You then use the VI editor to edit the etc raddb radiusd conf file ...

Page 345: ...e NAC 800 to negotiate a Transport Layer Security TLS connection with the LDAP servers Include this parameter in the module for both LDAP servers tls_mode yes Syntax ldap server_name server LDAP server s FQDN identity administrator s DN password administrator s password basedn tree s base DN filter user login filter base_filter base filter modules ldap vmsuse server vmsuse netidm net identity cn M...

Page 346: ... or Chapter 5 Configuring the RADIUS Server Without Identity Driven Man ager Then access the radiusd conf file and copy the first server s configura tion for the second server simply changing the server name and the value for the server parameter After configuring the LDAP server modules find the authorize and authen ticate sections of the radiusd conf file To each section add the redundant parame...

Page 347: ...re passwords for those users See the ProCurve Identity Driven Management Users Guide for more detailed instructions in completing these steps Test Your Redundant Configurations Toensure thatyour RADIUS servers data stores and pathways are configured correctly to provide redundancy you should test them Of course it is always best to test the configuration after work hours when few if any users are ...

Page 348: ...up file that includes not only configu rations but also other information The file includes Management Server MS database All configurations completed through the Web browser interface saves all files in the usr local nac properties directory Digital certificates installed on the MS or Configuration Server CS and Enforcement Servers ESs saves all files in the usr local nac keystore directory Licen...

Page 349: ... A Web browser dialog box is displayed allowing you to begin the process of saving the backup file If your Web browser blocks your attempt to save the file see Configure the Web Browser So That It Allows You to Save Files on page 7 14 The exact dialog box displayed varies depending on which Web browser you are using Follow the prompts to save the backup file to the desired location If the backup f...

Page 350: ...er security settings might prevent you from saving the backup file to your workstation To solve this problem on Internet Explorer 6 com plete these steps 1 Select Tools Internet Options 2 Select the Security tab 3 Choose the zone in which your management station places the NAC 800 If the NAC 800 has an IP address on the same intranet as your station this zone is probably Local intranet Otherwise t...

Page 351: ...turn your NAC 800 to the settings stored in a backup file You might want to do this if a new configuration fails or if you add a replacement NAC 800 MS to your system When you restore the system from the backup file the following changes occur The MS and ESs use the configuration in the backup file The MS and ESs use the digital certificates stored in the backup file The MS uses the license stored...

Page 352: ...tion Maintenance 2 Click the restore system from backup file link 3 Click restore system from backup file The Restore system window is dis played allowing you to browse for your backup file This window also displays a warning reminding you that all the existing configurations will be overwritten by the backup file ...

Page 353: ... continue the restore process click the Browse button and select the backup file This file must be a NAC 800 backup file saved with the following naming convention backup year month day T hour minute second tar bz2 5 After you have selected the appropriate file click ok A progress window is displayed Figure 7 11 Operation In Progress Window The restore process takes a few minutes ...

Page 354: ...7 18 Redundancy and Backup for RADIUS Services Back Up Your NAC 800 Configuration ...

Page 355: ... pdf 802 1X A port based authentication standard that is part of the 802 1 group of proto cols 802 1X forces endpoints to authenticate establishing a point to point connection if authentication succeeds or blocking the connection if authenti cation fails By basing authentication on secure EAP methods 802 1X authen tication can prevent eavesdroppers from reading intercepted messages The 802 1X stan...

Page 356: ...www ietf org rfc rfc2989 txt See also authentication authorization and accounting access control The ability to determine which endpoints can access the network and the level of access they receive Access can be controlled based on an endpoint s compliance with network standards for example or on other configurable settings access control status The label that the NAC 800 gives to an endpoint to d...

Page 357: ...more information see the Microsoft Developer Center library at http msdn2 microsoft com en us library aa751968 aspx ActiveX test method An endpoint integrity testing method that relies on the ActiveX control opera tion of signed and safe controls The NAC 800 uses ActiveX to download a temporary agent to the endpoint All versions of the Windows operating system are supported and no ports on an endp...

Page 358: ...e that permits all endpoints to access the network regardless of test results AP Access Point A network component that receives and sends wireless LAN signals to wireless network cards through its anntena s An AP is functionally equivalent to a switch asymmetric A type of encryption algorithm wherein one key is used to encrypt and a different key is used to decrypt authentication The process ofcon...

Page 359: ...ion or controls An open back door can be intentional for maintenance use or unintentional If a back door is discovered by malicious users or software they may gain entry to a system and cause damage blacklist A list of endpoints and Windows domains that are always quarantined and never allowed onto the network C CA Certificate Authority A trusted third party that verifies the identity of parties t...

Page 360: ...ble entry For more information see RFC 1518 at http tools ietf org html rfc1518 cluster See enforcement cluster combination server See CS cookie A small bit of data that acts as an identifier between a Web browser and a Web server Web servers install cookies on clients so that when the client visits the Web site again the server remembers the client credentials A username and its corresponding pas...

Page 361: ...n the network DHCP simplifies IP man agement eliminating the need to manually assign IP addresses to devices and then track those addresses For more information see RFC 2131 at http www ietf org rfc rfc2131 txt DHCP deployment method A deployment method for networks that are not 802 1X compatible In this method the NAC 800 is placed between a switch and a DHCP server and intercepts DHCP requests f...

Page 362: ...cations fips fips186 2 fips186 2 change1 pdf Dynamic Host Configuration Protocol See DHCP E EAP Extensible Authentication Protocol A protocol that allows PPP to use authen tication protocols that are not part of the PPP suite For more information see RFC 3748 at http www ietf org rfc rfc3748 txt See also CHAP and PAP EAP GTC EAP with Generic Token Card An implementation of EAP that uses a token ca...

Page 363: ...0 devices can have the NAC EI agent installed on them but only 100 of those endpoints can be connected to the network at one time endpoint integrity agent maintenance license A license to receive automatic updates to the NACEIAgent software When you initially purchase an agent license you also receive a one year maintenance license You must purchase a license each year in one of the following incr...

Page 364: ...Fully Qualified Domain Name In LDAP an unambiguous unique name for an object that shows all of the domains to which the object belongs G GTC See EAP GTC H hash A number generated by running a string of text through an algorithm The hash is substantially smaller than the text itself and is unique because algorithms transform data in such a way that it is extremely unlikely that some other text will...

Page 365: ...ntine method A quarantine method that relies on the NAC 800 s placement in the network The NAC 800 functions as a Layer 2 bridge that imposes a firewall between its Ethernet port 1 and port 2 Only traffic from endpoints whose integrity posture is Healthy or Check Up can pass through the NAC 800 integrity posture The state of an endpoint in terms of its compliance with NAC policies The integrity po...

Page 366: ...ay On the NAC 800 a display that is located on the front panel of the chassis and that shows both information about the device and error messages The LCD also displays a menu interface you can use the panel buttons to configure basic settings such as IP address and gateway for the device LDAP Lightweight Directory Access Protocol A set of protocols that allow a host to look up and access directory...

Page 367: ...ate or damage a computer system The term encompassescomputer viruses worms Trojans spyware and adware In law malware is sometimes known as a computer contaminant managed endpoint A network device that isforced tocomply with the company s security policies and is under administrative control management server See MS MD5 Message Digest algorithm 5 A hash algorithm used to create digital signa tures ...

Page 368: ...hod NAC policy A collection of tests that evaluate the security status of endpoints that attempt to access the network A policy includes a list of activated tests their proper ties and actions as well as a list of endpoints to which the policy applies In addition the policy defines how to handle endpoints that run OSs that the NAC 800 does not support retest frequency and how to handle inactive en...

Page 369: ...ontrol A security implementation that attempts to control access to a network by enforcing security policies restricting prohibited traffic types identifying and containing end users that break rules or are noncompliant with policies and stopping and mitigating security threats network access server See NAS normal An access mode that mandates that endpoints network access be subject to the results...

Page 370: ... on prior distribution of a hierarchical PKI with a single root For more information see RFCs 1421 1424 at http www ietf org rfc html permanent agent An agent that is installed on an endpoint and that is not removed The NAC EI agent is a permanent agent See also transient agent PKI Public Key Infrastructure A system of digital certificates CAs and other registration authorities that verify and aut...

Page 371: ...e each other before opening the IKE SA private key One of a pair of keys that is generated from a single large random number The privatekey iskeptsecret notdistributed andisusedtodecrypt a message that was encrypted using the public key If used to encrypt a message it signs that message as originating from the private key s owner protected services Services that run on any servers that are connect...

Page 372: ...tizes traffic or guarantees a particular level of performance to a type of data flow R RADIUS Remote Authentication Dial In User Service An AAA protocol that allows a server to store all of the security information for a network in a single central database The server stores and manages end user information so that it can authenticate the end users The server also maps end users to the servicestha...

Page 373: ... determined by the network administrator RMON Remote MONitoring A standard that allows administrators to monitor and manage network equipment from a remote location RMON enables various network monitors and console systems to exchange network monitoring data using SNMP and MIBs For more information see RFC 2819 at http tools ietf org html rfc2819 RPC Remote Procedure Call A procedure where argumen...

Page 374: ...n attack signatures stored in a signature database Signature based IDSs recognize and interpret series of packets consistent with past intrusions as new attacks SMB Server Message Block An application layer network protocol that provides shared access to files printers serial ports and miscellaneous communica tions between nodes on a network SNMP Simple Network Management Protocol An application l...

Page 375: ...to RSTP which is a faster version of STP For more information see IEEE 802 1D at http www ieee802 org 1 pages 802 1D 2003 html supplicant The component of 802 1X that requests access to a network It communicates with the RADIUS server to submit an end user s credentials and also to authen ticate the RADIUS server to the endpoint An endpoint must have an 802 1X supplicant to connect to a segment of...

Page 376: ...ayer Security The successor to SSL It prevents eavesdropping on communications between Internet clientand server For more information see RFC 2240 at http www ietf org rfc rfc2246 txt TNC Trusted Network Connect A standard developed by over 50 of the networking industry s leading companies for integrating compliance testing with access control For more information see TNC Central at http www tncce...

Page 377: ... not under the company s administrative control Examples include a guest s computer or a contractor s computer Such a device is still subject to the company s network security policies untestable endpoint A device that is running an operating system that the NAC 800 does not currently support or whose Internet Explorer security setting is High user role NAC 800 management permissions that are gran...

Page 378: ...cured wired LAN It has been superseded by WPA and IEEE 802 11i For more information see IEEE 802 11 at http standards ieee org getieee802 802 11 html whitelist A list of endpoints and Windows domains that will always be allowed onto the network and will never be tested wildcard On the NAC 800 the asterisk is the wildcard character Windows The desktop and server operating system developed by Micros...

Page 379: ... it needs to be used such as over a secured channel or non electronically the end user is told the correct key X X 509 A strong authentication standard for PKI One of its functions is to specify a standard format for public key certificates and a path for certification valida tion For more information see ITU Recommendation X 509 at http www itu int rec T REC X 509 en Z zero day attack An attack o...

Page 380: ...A 26 Appendix A Glossary ...

Page 381: ...B 1 Appendix B Linux Commands Contents B Appendix B Linux Commands Contents Common Linux Commands B 2 vi Editor B 4 Command Mode B 4 Insert Mode B 5 keytool B 6 openssl B 9 Service Commands B 12 ...

Page 382: ...ssing f moves forward one screen pressing 5 and then f moves forward five screens Table B 1 Common Linux Commands Action Command Change your directory cd new directory Move to the directory above the current cd Return to the home directory cd do not specify a directory List files Simply enter dir to view files in the current directory Include the directory option if you want to view the contents o...

Page 383: ...ame spacebar or f move forward one screen N f moveforwardN screens b move back one screen N b move back N screens View or edit files vi filename See page B 4 Delete a file rm filename Copy a file cp filename newfilename Find a file find base directory name filename Action Command ...

Page 384: ...s you do not have to press Enter for them to take effect Table B 2 vi Editor Commands Action Command Enterinsertmode whichallowsyoutoaddordeletetextinthefile Characters are entered into the file after the cursor Characters are entered into the file before the cursor a i Enter replace mode which allows you to write new text over existing text beginning at the cursor R Delete a character x Delete N ...

Page 385: ...ow keys to change the cursor s position whichever key you press In addition to inserting text you can also use the Backspace key to erase text To return to command mode press Esc Replace Mode To enter text that writes over the current text enter replace mode by pressing Shift r To return to command mode press Esc Undo last change in file enter command again to redo change u Save changes w Exit vi ...

Page 386: ... algorithm Default 1024 bits and DSA If you do not enter the dname option you will be prompted to specify the distinguished name For the first and last name make sure to enter the NAC 800 s FQDN If you do not enter a password for the keystore and key you will be prompted to do so If the keystore has already been created you must enter the previously set password If you are creating a key for HTTPS...

Page 387: ...as alias keystore keystore file filename keypass password storepass password Saves under the specified filename the certificate associ ated with the specified alias in the specified keystore If you do not enter a password for the keystore and key you will be prompted to do so Match the previously set passwords Syntax keytool delete alias alias keystore keystore keypass password storepass password ...

Page 388: ...new new password storepass password Changes the password for the key stored under the alias in the specified keystore If you do not enter a password for the keystore you will be prompted to do so Syntax keytool storepasswd keystore keystore storepass password new new password Changes the password for the specified keystore ...

Page 389: ...x509 newkey rsa dsa 512 1024 2048 4096 keyout key_filename out certificate_filename days number nodes outform DER PEM config filename extensions section name Creates a self signed certificate and associated private public keypair of the specified algorithm and length for example rsa 2048 The key and certificate are saved as key_filename and certificate_filename The days option specifies the number...

Page 390: ...e that contains the extensions for this certificate request Syntax openssl genkey algorithm rsa dsa 512 1024 2048 4096 outform DER PEM out key_filename Generates a keypair of the specified algorithm and length for example rsa 2048 and format DER or PEM and saves it to the specified key_filename Syntax openssl req x509 key key filename out certificate_filename nodes outform DER PEM config filename ...

Page 391: ...pplication the extensions section_name option specifies the name of a section in that file that contains the extensions for this certificate request Syntax openssl x509 in certificate_filename inform DER PEM out new_ certificate_filename outform DER PEM Converts the X 509 certificate in certificate_filename to a different X 509 format that is DER to PEM or vice versa The certificate with the new f...

Page 392: ... Table B 3 Service Names Syntax service service_name restart Stops and restarts the service applying changes to the configuration file Syntax service service_name status Shows the status for the service Syntax service service_name stop Stops the service Syntax service service_name start Starts the stopped service Service Service Name FreeRADIUS server radiusd HTTPS server and other MS functions na...

Page 393: ...x Commands Service Commands Accessible IP addresses for inline deployment iptables Network Time Protocol NTP server ntpd Simple Network Management Protocol SNMP agent snmpd SNMP trap receiver snmptrapd Service Service Name ...

Page 394: ...B 14 Appendix B Linux Commands Service Commands ...

Page 395: ... access txt See files accessible services 1 28 802 1X deployment method 1 37 cluster 1 29 DHCP deployment method 1 49 ACLs 1 51 static routes 1 52 inline deployment method 1 57 accounting 4 34 5 27 ACLs 1 51 ActiveX testing advantages and disadvantages 1 27 requirements 1 26 AD 4 7 5 5 advantages and disadvantages 4 7 binding to 1 40 1 44 4 16 test settings 4 35 4 39 5 28 5 32 administrator permis...

Page 396: ...7 CN 4 58 5 52 extensions 4 48 4 51 4 58 5 42 5 45 5 52 self signed HTTPS 3 61 certificate extensions 4 48 5 42 certificate request HTTPS server 3 58 RADIUS server 4 53 5 47 cert srv pem See files Check up See endpoint integrity posture clusters 1 8 accessible services 1 29 best practices 1 10 1 12 CS 1 16 DHCP 1 47 enforcement 1 9 1 16 3 9 ES 2 37 exceptions 6 3 6 5 inline 1 59 mirroring 1 39 NAC...

Page 397: ...DAP 4 21 5 15 7 9 eDirectory 4 29 5 22 OpenLDAP 4 24 5 18 DNS server changing 3 19 NAC 800 as 1 37 1 49 specifying for ES 3 14 MS or CS 3 8 domain agentless testing 1 27 configuring authentication 4 16 multiple controllers 4 20 5 14 7 7 parent 4 20 5 14 See also Windows domain dynamic settings See settings E EAP 1 31 disabling server authentication 4 62 5 56 See also protocols authentication eap c...

Page 398: ... 4 5 cacert pem 4 50 5 44 certificate_file 4 57 4 61 5 51 5 55 cert srv pem 4 52 4 59 4 60 5 46 5 53 5 54 config access txt 4 11 eap conf 4 60 5 54 CA signed certificate 4 54 4 56 5 48 5 50 self signed certificate 4 52 5 46 private_key 4 57 4 61 5 51 5 55 proxy conf 4 32 5 25 5 26 5 27 RADIUS log 1 31 1 32 radiusd conf 7 6 7 8 7 10 SAFreeRadiusConnector conf 1 36 1 37 1 41 SAIASConnector 1 36 1 37...

Page 399: ...iew 4 8 redundancy 7 3 7 6 TLS 4 21 5 15 user login filter 4 21 5 15 LEAP See protocols authentication LEDs 1 5 locator activating menu 2 20 left navigation bar 2 41 license agreement 3 5 licenses 3 41 local database See database log files See files log level 3 31 Logout link 2 41 M MAC address NAC 800 1 6 management server See MS management user creating 3 44 role 3 43 creating 3 49 default 3 44 ...

Page 400: ...r login filter 4 21 5 15 operating systems supported 1 21 unsupported 1 21 1 22 P panel LCD 1 6 2 5 access menu 2 22 navigate menu 2 23 PAP See protocols authentication password changing menu interface 2 15 console 4 47 5 41 default 2 15 NULL 4 7 PCM in 2 49 private_key 4 57 4 61 5 51 5 55 proxy server 3 22 root 2 35 CS or MS 3 31 ES 3 15 3 40 setting 3 6 rules 2 17 3 7 SSH session 4 33 4 47 5 26 ...

Page 401: ...y server authentication settings 3 22 NAC 800 for 3 19 proxy conf See files PSCP 4 54 5 48 PuTTY SCP See PSCP Q Quarantine See endpoint integrity posture quarantine method See deployment method quarantining 1 20 802 1X 1 36 5 8 RADIUS only 4 12 DHCP 1 48 endpoint integrity 4 14 enforcement 1 51 inline 1 57 settings 1 13 1 14 subnet 802 1X method 4 14 DHCP 1 52 DNS server for 1 49 multinetting 1 54...

Page 402: ...CA root certificate restart RADIUS server 4 47 5 41 username and password 2 35 RPC See agentless testing RPs 1 56 1 61 RSTP 1 59 rules admin password 2 17 domain 5 14 hostname 3 14 3 19 4 17 LDAP format 4 24 parent domain 4 20 read community string 3 40 role name 3 50 shared secret 4 42 5 27 user account password 3 46 user account roles 3 47 username 3 46 S SAFreeRadiusConnector conf See files SAI...

Page 403: ...8 read write community 2 48 settings 3 38 software upgrade 1 13 1 14 3 41 Spanning Tree Protocol See STP SSH session username and password 4 33 5 26 SSID 4 67 5 61 STP 1 59 support link 2 41 supported OSs 1 21 switches ProCurve 7 3 7 5 system information menu interface viewing in 2 21 T tar file See files testing bind operation 4 37 5 30 IP settings 2 13 list 1 23 method 1 24 ActiveX 1 26 agentles...

Page 404: ...amic settings 4 4 5 4 quarantine 1 37 1 41 VPN 1 33 1 56 placing NAC 800 1 58 W WAN 1 33 1 56 placing NAC 800 1 59 warranty 1 ii Web browser interface 2 37 accessing 2 39 with IDM 2 54 with PCM Plus 2 49 navigating 2 39 2 44 2 46 requirements management station 2 38 NAC 800 2 37 WESM 1 57 1 60 1 61 Windows domain 4 7 joining NAC 800 to 4 17 5 11 multiple controllers 4 20 5 14 requirements 4 17 5 1...

Page 405: ......

Page 406: ... Copyright 2007 2008 Hewlett Packard Development Company L P April 2008 Manual Part Number 5991 8618 ...