HP ProCurve Network Access Controller 800
Users Guide


   Summary of Contents for HP ProCurve NAC 800

  • Page 1

    HP ProCurve Network Access Controller 800 Users Guide...

  • Page 3

    ProCurve Network Access Controller 800 Release 1.1 Users Guide...

  • Page 4

    Publication Number 5990-8851, November 2008 (rev-n). ... consequential damages in connection with the furnishing, performance, or use of this material. Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard. Trademark Credits Warranty ®...

  • Page 5: Table Of Contents

    Contents Contents 1 Introduction What you Need to get Started ........1-2 Additional Documentation .

  • Page 6: Table Of Contents, System Configuration

    Contents Multiple-server Installations ........2-3 3 System Configuration Introduction .

  • Page 7: Table Of Contents

    Contents Deleting a User Account ........3-38 User Roles .

  • Page 8: Table Of Contents

    Contents Editing a DHCP Quarantine Area ....... 3-97 Deleting a DHCP Quarantine Area ......3-97 Quarantining, Inline .

  • Page 9: Table Of Contents, Endpoint Activity, End-user Access

    Contents Advanced Settings ..........3-130 Setting the Agent Read Timeout .

  • Page 10: Table Of Contents, Nac Policies

    Contents Agentless Test Method ........5-10 Configuring Windows 2000 Professional for Agentless Testing .

  • Page 11: Table Of Contents, Quarantined Networks

    Contents Enabling or Disabling an NAC Policy ......6-7 Selecting the Default NAC Policy ....... . 6-7 Creating a New NAC Policy .

  • Page 12: Table Of Contents, Dhcp Quarantine Method

    Contents 10 DHCP Quarantine Method Overview ........... . . 10-2 Configuring NAC 800 for DHCP .

  • Page 13: Table Of Contents, Remote Device Activity Capture, Dhcp Plug-in, System Administration

    Contents 12 Remote Device Activity Capture Creating a DAC Host ......... . . 12-2 Downloading the EXE File .

  • Page 14: Table Of Contents

    Contents Restarting NAC 800 System Processes ......15-4 Downloading New Tests ......... 15-5 System Settings .

  • Page 15: Table Of Contents

    Contents Enabling ICMP Echo Requests ....... . 15-37 Enable Temporary Ping ........15-37 Enable Persistent Ping .

  • Page 16: Table Of Contents

    Contents Internet Explorer (IE) Local Intranet Security Zone ....B-7 Internet Explorer (IE) Restricted Site Security Zone ....B-8 Internet Explorer (IE) Trusted Sites Security Zone .

  • Page 17: Table Of Contents

    Contents Windows Startup Registry Entries Allowed ..... . . B-32 Wireless Network Connections ....... . . B-33 Software –...

  • Page 18

    Contents E Ports used in NAC 800 F MS Disaster Recovery Overview ............F-2 Installation Requirements .

  • Page 19: Table Of Contents

    Introduction Chapter Contents What you Need to get Started ........1-2 NAC 800 Home Window .

  • Page 20: What You Need To Get Started, Inline

    ■ A ProCurve NAC Endpoint Integrity Agent License. ProCurve NAC 800 is delivered as a hardware appliance that you install in your network. After NAC 800 is installed in your network, you configure it using a workstation with browser software installed.

  • Page 21: Additional Documentation

    Introduction Additional Documentation Additional Documentation The following documents provide information on installation and configuration, and are available at http://www.hp.com/rnd/support/manual/NAC800.htm: ProCurve Network Access Controller 800 Hardware Installation Guide – Refer to this document first to see how to prepare for and perform the physical installation of the appliance and how to establish initial management access.

  • Page 22: Nac 800 Home Window

    Introduction NAC 800 Home Window NAC 800 Home Window The NAC 800 Home window (figure 1-1) is a centralized management user interface that allows you to quickly assess the status of your network. The following list and figure describe and show the key features: Important status announcements –...

  • Page 23

    Introduction NAC 800 Home Window Figure 1-1. NAC 800 Home Window, with callouts: 1. Important status announcements; 2. User name; 3. Top 5 failed tests area; 4. Window actions; 5. Navigation pane; 6. Test status area; 7. Access control status area; 8. Enforcement server status area.

  • Page 24: System Monitor

    Introduction System Monitor System Monitor The System monitor window provides the following information: ■ Enforcement cluster name – The Enforcement clusters are listed by name in the order they were created. Click on a cluster name to view cluster details. You must have cluster-editing permissions to view and edit cluster details.

  • Page 25

    Introduction System Monitor Breadcrumbs for navigation Figure 1-2. System Monitor Window The following figure shows the legend for the System monitor window icons: Figure 1-3. System Monitor Window Legend...

  • Page 26: Overview

    Introduction Overview Overview NAC 800 protects the network by ensuring that endpoints are free from threats and in compliance with the organization's IT security standards. NAC 800 systematically tests endpoints—with or without the use of a client or agent—for compliance with organizational security policies, quarantining non-compliant machines before they damage the network.

  • Page 27: High Availability

    Introduction Overview Test method trade-offs. ActiveX plug-in – Pros: • No installation or upgrade to maintain. • Supports all Windows operating systems. Cons: • No retesting of endpoint once browser is closed. • Not supported by non-Windows operating systems. • Only Internet Explorer application access...

  • Page 28: The Nac 800 Process, About Nac 800, Nac Policy Definition

    Introduction Overview ■ Extensible – NAC 800’s easy-to-use open API allows administrators to create custom tests for meeting unique organizational requirements. The API is fully exposed and thoroughly documented. Custom tests are created using scripts and can be seamlessly added to existing policies.

  • Page 29: Endpoint Testing

    Introduction Overview the presence of worms, trojans, and viruses, and check for potentially dangerous applications such as file sharing, peer-to-peer (P2P), or spyware. See “Tests Help” on page B-1 for more information. Key features include: ■ Out-of-the-box NAC policies – High, medium, and low security are ready to use with no additional configuration required.

  • Page 30: Compliance Enforcement, Automated And Manual Repair

    Introduction Overview ■ Rapid testing and robust endpoint management – Thousands of endpoints can be tested and managed simultaneously. ■ Continual testing – Endpoints are retested on an administrator-defined interval as long as they remain connected to the network. Compliance Enforcement Based on endpoint test results, NAC 800 takes the appropriate action.

  • Page 31: Targeted Reporting

    Introduction Overview Targeted Reporting NAC 800 reports provide concise security status information on endpoint compliance and access activity. Specific reports are available for auditors, managers, and IT staff members. For more information, see “Reports” on page 14-1. 1-13...

  • Page 32: Technical Support

    Introduction Technical Support Technical Support Technical support is available through www.procurve.com. 1-14...

  • Page 33: Upgrading

    Introduction Upgrading Upgrading Upgrading is described in “Checking for NAC 800 Upgrades” on page 3-29. CAUTION: Installing third-party software on the NAC 800 server is not supported. If you install additional software on the NAC 800 server, you need to remove it in order to troubleshoot any NAC 800 issues, and it will likely be partially or fully overwritten during NAC 800 release upgrades or patch installs, compromising the third-party software functionality.

  • Page 34: Conventions Used In This Document, Navigation Paragraph, Tip Paragraph, Note Paragraph, Caution Paragraph

    Introduction Conventions Used in This Document Conventions Used in This Document The conventions used in this document are described in this section: Navigation Paragraph Navigation paragraphs provide a quick visual on how to get to the screen or area discussed. Example: Home window>>Configure system Tip Paragraph...

  • Page 35: Warning Paragraph, Bold Font, Task Paragraph, Italic Text

    Introduction Conventions Used in This Document Warning Paragraph Warnings notify you of conditions that can lock your system or cause damage to your data. Example: WARNING: Do not log in using SSH—this kills your session and causes your session to hang.

  • Page 36: Courier Font, Angled Brackets, Square Brackets

    Introduction Conventions Used in This Document Courier Font Courier font is used in the following cases: ■ Indicating path names – Change the working directory to the following: C:\Program Files\<MyCompany>\ ProCurve NAC EI Agent ■ Indicating text; enter exactly as shown – Enter the following URL in the browser address field: https://<IP_address>/index.html In this case, you must replace <IP_address>...

  • Page 37: Terms

    Introduction Conventions Used in This Document ■ Indicating a variable section in a *.INI file – [Global] NASList=192.168.200.135 ■ Indicating a list in a properties file – Compliance.ObjectManager.DHCPConnectorServers=[192.168.51.130, 192.168.99.1] Terms Terms are defined in the “Glossary” on page G-1. Example: MAC Media Access Control –...

  • Page 38: Copying Files, Pscp

    Introduction Copying Files Copying Files Whenever you copy a file from one machine to another, copy it using a secure copy utility that uses the Secure Shell (SSH) protocol. The exact syntax of the copy command will vary based on the utility you use. Example: 10.

  • Page 39

    Introduction Copying Files To copy a file from a Windows machine to a Linux machine, enter the following: <pscp directory>\pscp c:\documents\foo.txt fred@example.com:/tmp/foo You will be prompted to enter a password for the Linux/UNIX machine. NOTE: You can either enter the path to the PSCP.EXE file as part of the command, or cd to the directory where you saved the PSCP.EXE file before entering the pscp command.

  • Page 40: Users' Guide Online Help

    Introduction Users’ Guide Online Help Users’ Guide Online Help In NAC 800, the help links in the product open an HTML version of the NAC 800 documents. The PDF version is still available by clicking the Open Users’ guide or Open Installation guide PDF links in the HTML document. This section briefly describes the key components to the HTML version.

  • Page 41

    Introduction Users’ Guide Online Help Open PDF – Click the Open PDF file link to open the PDF file. ■ TIP: To print the entire document, open and print the PDF file. Selecting the print icon in the HTML version will print only the topic you are viewing. Click anywhere in the Contents pane to navigate through the document.

  • Page 42

    Introduction Users’ Guide Online Help Online help document>>Shown navigation icon>>Search tab Figure 1-6. Search tab Enter a term in the search box. Click Go. Click on one of the results returned to display it in the right-side pane. Click on the orange arrow to see the contents of the collapsed section of the document.

  • Page 43

    Clusters and Servers Chapter Contents Overview ............2-2 Installation Examples .

  • Page 44: Single-server Installation, Multiple-server Installations

    Clusters and Servers Overview Overview NAC 800 uses clusters and servers. A "cluster" is a logical grouping of one or more ESs that are managed by one MS. A single-server installation is one where the MS and ES are on one server. The ES is assigned to a Default cluster.

  • Page 45: Installation Examples, Load Balancing

    Clusters and Servers Installation Examples Installation Examples Single-server Installation The simplest installation is where the MS and ES are installed on the same physical server as shown in the following figure: Figure 2-1. Single-server Installation Multiple-server Installations By using at least three servers, one for the MS and two for ESs, you gain the advantage of high availability and load balancing.

  • Page 46

    Clusters and Servers Installation Examples High availability is where ESs take over for any other ES or servers that become unavailable. Load balancing is where the testing of endpoints is spread evenly over all of the ESs. A three-server installation is shown in the following figure: Figure 2-2.

  • Page 47

    Clusters and Servers Installation Examples When your network is more complex, you can continue to add clusters as shown in the following figure: Figure 2-3. Multiple-server, Multiple-cluster Installation The system configuration area allows you to select default settings for all clusters, as well as override the default settings on a per-cluster basis.

  • Page 48

    Clusters and Servers Installation Examples ■ All endpoints are returned to the proper status within 15 minutes after a network recovery (power failure, all endpoints attempting to reconnect, 3000 endpoints per ES)

  • Page 49: Table Of Contents

    System Configuration Chapter Contents Introduction ........... . . 3-4 Enforcement Clusters and Servers .

  • Page 50

    System Configuration Adding a User Account ........3-31 Searching for a User Account .

  • Page 51

    System Configuration Editing a DHCP Quarantine Area ....... 3-97 Deleting a DHCP Quarantine Area ......3-97 Quarantining, Inline .

  • Page 52: Introduction

    System Configuration Introduction Introduction User logins and associated user roles determine the access permissions for specific functionality within NAC 800. The following table shows the default home window menu options that are available by user role: User role Home window menu options available System Administrator •...

  • Page 53

    System Configuration Introduction ■ Quarantining – “Quarantining, General” on page 3-51 ■ Maintenance – “Maintenance” on page 3-106 ■ Cluster setting defaults • Testing Methods – “Testing Methods” on page 3-110 • Accessible services – “Accessible Services” on page 3-113 •...

  • Page 54: Enforcement Clusters And Servers

    System Configuration Enforcement Clusters and Servers Enforcement Clusters and Servers The Enforcement clusters & servers menu option (Figure 3-3 on page 3-10) is where you configure Enforcement clusters and servers. You can perform the following tasks: ■ Enforcement clusters • Add, edit, or delete Enforcement clusters •...

  • Page 55: Enforcement Clusters, Adding An Enforcement Cluster

    System Configuration Enforcement Clusters Enforcement Clusters Adding an Enforcement Cluster To add an Enforcement cluster: Home window>>System configuration>>Enforcement clusters & servers Figure 3-1. System Configuration, Enforcement Clusters & Servers...

  • Page 56

    System Configuration Enforcement Clusters Click Add an Enforcement cluster in the Enforcement clusters & servers area. The Add Enforcement cluster window appears. The General area is displayed by default. Figure 3-2. Add Enforcement Cluster Enter a name for the Enforcement cluster in the Cluster name field. b.

  • Page 57: Editing Enforcement Clusters

    System Configuration Enforcement Clusters The following cluster settings take on default values set from the System configuration window. To set up operating parameters that differ from those default settings, select the menu item of the settings you want to change, then select the For this cluster, override the default settings check box, and make the desired changes.

  • Page 58: Viewing Enforcement Cluster Status

    System Configuration Enforcement Clusters Viewing Enforcement Cluster Status There are two ways NAC 800 provides Enforcement cluster status: ■ The icons next to the cluster name (see Figure 3-4 on page 3-12) ■ The Enforcement cluster window (see the following steps)...

  • Page 59: Deleting Enforcement Clusters

    System Configuration Enforcement Clusters The statistics shown in this window are per cluster, where the statistics shown in the Home window are system-wide. See “System Monitor” on page 1-6 for column descriptions. Deleting Enforcement Clusters NOTE: Enforcement clusters need to be empty before the delete option appears next to the name in the NAC 800 user interface.

  • Page 60: Enforcement Servers, Adding An Es

    System Configuration Enforcement Servers Enforcement Servers Adding an ES To add an ES: Home window>>System configuration>>Enforcement clusters & servers Figure 3-4. System Configuration, Enforcement Clusters & Servers 3-12...

  • Page 61

    System Configuration Enforcement Servers Click Add an Enforcement server in the Enforcement clusters & servers area. The Add Enforcement server window appears. Figure 3-5. Add Enforcement Server Select a cluster from the Cluster drop-down list. Enter the IP address for this ES in the IP address text box. Enter the fully qualified hostname to set on this server in the Host name text box.

  • Page 62: Cluster And Server Icons, Moving Ess Between Clusters

    System Configuration Enforcement Servers Re-enter the password to set for the root user of the ES server’s operating system in the Re-enter root password text box. Click ok. Cluster and Server Icons To view the cluster and server icons: Home window>>System configuration>>Enforcement clusters & servers Move the mouse over the legend icon.

  • Page 63: Editing Ess

    System Configuration Enforcement Servers Navigate to NAC 800 Home window>>System configuration>>Enforcement clusters & servers. Click delete next to the ES you want to remove. Start the ES and log in as root using SSH or directly with a keyboard. Enter the following command at the ES command line: resetSystem.py Return to the NAC 800 MS user interface.

  • Page 64

    System Configuration Enforcement Servers Click the Configuration menu option to access the Enforcement Server’s settings. The Configuration area is displayed: Figure 3-7. Enforcement Server Edit the following settings: • ES Network settings – “Changing the ES Network Settings” on page 3- •...

  • Page 65: Changing The Es Network Settings, Changing The Es Date And Time

    System Configuration Enforcement Servers Changing the ES Network Settings CAUTION: Back up your system immediately after changing the MS or ES IP address. If you do not back up with the new IP address, and later restore your system, it will restore the previous IP address which can show an ES error condition and cause authentication problems.

  • Page 66: Modifying The Es Snmp Settings, Modifying The Es Root Account Password

    System Configuration Enforcement Servers Home window>>System configuration>>Enforcement clusters & servers>>Select an ES>>Configuration Select a Region from the Region drop-down list in the Date and time area. Select a time zone from the Time zone drop-down list. Click ok. NOTE: See “Selecting the Time Zone” on page 3-27 for information on changing the time zone settings for the MS.

  • Page 67: Viewing Es Status

    System Configuration Enforcement Servers Viewing ES Status There are two ways NAC 800 provides ES status: ■ The icons next to the server name (see Figure 3-6 on page 3-14) ■ The Status window (see the following steps). The Enforcement server...

  • Page 68

    System Configuration Enforcement Servers Click the server for which you want to view the status. The Enforcement server window appears: Figure 3-8. Enforcement Server, Status Click ok or cancel. 3-20...

  • Page 69: Deleting Ess, Es Recovery

    System Configuration Enforcement Servers Deleting ESs NOTE: Servers need to be powered down for the delete option to appear next to the name in the NAC 800 user interface. To delete ESs: Home window>>System configuration>>Enforcement clusters & servers Click delete next to the server you want to remove from the cluster. The Delete Enforcement server confirmation window appears.

  • Page 70: Management Server, Viewing Network Settings

    System Configuration Management Server Management Server Viewing Network Settings To view MS status: Home window>>System configuration>>Management server 3-22...

  • Page 71

    System Configuration Management Server Figure 3-9. System Configuration, Management Server 3-23...

  • Page 72: Modifying Ms Network Settings

    System Configuration Management Server Server status is shown in the Network settings area. Click ok or cancel. Modifying MS Network Settings CAUTION: Back up your system immediately after changing the MS or ES IP address. If you do not back up with the new IP address, and later restore your system, it will restore the previous IP address which can show an ES error condition and cause authentication problems.

  • Page 73: Selecting A Proxy Server

    System Configuration Management Server NOTE: Select names that are short, easy to remember, have no spaces or underscores, and the first and last character cannot be a dash (-). • Enter a new address in the IP address text field. For example, 192.168.153.35 Enter a new netmask in the Network mask text field.

  • Page 74: Setting The Date And Time, Automatically Setting The Time

    System Configuration Management Server – Negotiable – Using this scheme, the client and the proxy server negotiate a scheme for authentication. Ultimately, either the basic or digest scheme will be used. b. Enter the ID of a user account on the proxy server in the User name text box.

  • Page 75: Manually Setting The Time, Selecting The Time Zone

    System Configuration Management Server Manually Setting the Time To manually set the time: Home window>>System configuration>>Management server Select Manually set date & time. Click edit. The Date and time window appears: Figure 3-11. Date & Time Select the correct date and time. Click ok.

  • Page 76: Enabling Snmp, Modifying The Ms Root Account Password

    System Configuration Management Server b. Select a time zone from the Time zone drop-down list. Click ok. Enabling SNMP To select SNMP settings: Home window>>System configuration>>Management server>>SNMP settings Select the Enable SNMP check box to select the SNMP settings. Enter the SNMP read community string. b.

  • Page 77: Checking For Nac 800 Upgrades, Changing The Nac 800 Upgrade Timeout

    System Configuration Management Server Click ok. Checking for NAC 800 Upgrades To check for system upgrades: Home window>>System configuration>>Management server Click check for upgrades in the System upgrade area. A progress window appears. A status window appears indicating if upgrades are available. If no upgrades are available, click ok to clear the status window.

  • Page 78

    System Configuration Management Server Where: <minutes> is the number of minutes of inactivity NAC 800 will wait before assuming the upgrade failed. For example, 30. The default value is 45. 3-30...

  • Page 79: User Accounts, Adding A User Account

    System Configuration User Accounts User Accounts NAC 800 allows you to create multiple user accounts. User accounts provide and limit access to NAC 800 functions based on permissions (user roles) and clusters assigned. See “User Roles” on page 3-39 for more information on setting permissions for the user roles.

  • Page 80

    System Configuration User Accounts Figure 3-12. System Configuration, User Accounts 3-32...

  • Page 81

    System Configuration User Accounts Click Add a user account. The Add user account window appears: Figure 3-13. Add User Account Enter the following information: • User ID – The user ID used to log into NAC 800 • Password – The password used to log into NAC 800 •...

  • Page 82: Searching For A User Account

    System Configuration User Accounts • Cluster Administrator • View-Only User • System Administrator • Help Desk Technician • You can select a custom user role if you have created any. NOTE: Users must be assigned at least one role. In the Clusters area, select a cluster or clusters. NOTE: Users must be assigned at least one Enforcement cluster.

  • Page 83: Sorting The User Account Area, Copying A User Account

    System Configuration User Accounts • email address Enter the text to search for in the for field. Click search. TIP: Click reset to clear the text field and to refresh the display to show all accounts after a search. Sorting the User Account Area To sort the user account area: Home window>>System configuration>>User accounts Click the column heading for user id, full name, email address, user roles, or...

  • Page 84

    System Configuration User Accounts Click copy next to the user account you want to duplicate. The Copy user account window appears. The account information is duplicated from the original account. Figure 3-14. Copy User Account Enter the User ID of the new account. Enter the Password.

  • Page 85: Editing A User Account

    System Configuration User Accounts Editing a User Account To edit a user account: Home window>>System configuration>>User accounts Click the name of the user account that you want to edit. The User account window appears: Figure 3-15. User Account Change or enter information in the fields you want to change. See “Adding a User Account”...

  • Page 86: Deleting A User Account

    System Configuration User Accounts Deleting a User Account You must always have at least one account with System Administrator permissions. CAUTION: Do not delete or edit the account with which you are currently accessing the interface. Doing so can produce an error and lock you out of the interface until your session has timed out.

  • Page 87: User Roles, Adding A User Role

    System Configuration User Roles User Roles The User roles menu option allows you to configure the following: ■ View current user roles and details associated with those roles ■ Add a new user role • Name the new user role •...

  • Page 88

    System Configuration User Roles Figure 3-16. System Configuration, User Roles 3-40...

  • Page 89

    System Configuration User Roles Click add a user role in the User roles area. The Add user role window appears. Figure 3-17. Add User Role Enter a descriptive name in the Role name field. Enter a description of the role in the Description field. Select the permissions for the user role.

  • Page 90: Editing User Roles

    System Configuration User Roles Permission – Description: • Generate reports – Allows you to generate reports about any of your assigned clusters • Manage NAC policies – Allows you to manage the NAC policies for all of your clusters • View endpoint activity – Allows you to view details about all endpoints in your clusters • Monitor system status – Allows you to monitor the system status • Control Access...

  • Page 91: Deleting User Roles

    System Configuration User Roles Click the role you want to edit. The user role window appears: Figure 3-18. User Role Enter the information in the fields you want to change. See “Adding a User Role” on page 3-39 for information on user role settings. Click ok.

  • Page 92: Sorting The User Roles Area

    System Configuration User Roles Click yes. Sorting the User Roles Area To sort the user roles area: Home window>>System configuration>>User roles Click user role name or description column heading. The selected category sorts in ascending or descending order. Click ok. 3-44...

  • Page 93: License, Updating Your License

    System Configuration License License The License menu option allows you to configure the following: ■ View license start and end dates ■ View number of days remaining on license, and associated renewal date ■ View remaining endpoints and servers available under license...

  • Page 94

    System Configuration License Figure 3-19. System Configuration, License Click submit license request. Click ok on the license validated pop-up window. 3-46...

  • Page 95: Test Updates, Manually Checking For Test Updates

    System Configuration Test Updates Test Updates The Test updates menu option allows you to configure the following: ■ View last successful test update date/time ■ Check for test updates (forces an immediate check for test updates) ■ Set time or times for downloading test updates...

  • Page 96: Selecting Test Update Times

    System Configuration Test Updates Figure 3-20. System Configuration, Test Updates In the Last successful test update area, click check for test updates. Click ok. NOTE: It is important to check for test updates during the initial configuration of NAC 800. Selecting Test Update Times To select test update times: 3-48...

  • Page 97: Viewing Test Update Logs

    System Configuration Test Updates Home window>>System configuration>>Test updates Using the hour check boxes, select the time periods in which you would like NAC 800 to check for available test updates. By default, NAC 800 checks once every hour using the ProCurve Secure Rule Distribution Center.

  • Page 98

    System Configuration Test Updates The Test update log window legend is shown in the following figure: Figure 3-22. Test Update Log Window Legend 3-50...

  • Page 99: Quarantining, General, Selecting The Quarantine Method

    System Configuration Quarantining, General Quarantining, General The Quarantining menu option allows you to configure the following by cluster: ■ Select the quarantine method ■ Select the access mode ■ Basic 802.1X settings ■ Authentication settings ■ Add, edit, delete 802.1X devices...

  • Page 100

    System Configuration Quarantining, General Figure 3-23. System Configuration, Quarantining Select a cluster. 3-52...

  • Page 101: Selecting The Access Mode

    In the Quarantine method area, select one of the following quarantine methods:
    • 802.1X – When using the 802.1X quarantine method, NAC 800 must sit in a place on the network where it can communicate with your RADIUS server, which in turn communicates with the switch or router that performs the quarantining.

  • Page 102: Quarantining, 802.1x, Entering Basic 802.1x Settings

    System Configuration, Quarantining, 802.1X. The 802.1X quarantine (enforcement) method is enabled by default. To select the 802.1X quarantine method: Home window>>System configuration>>Quarantining. Select a cluster. In the Quarantine method area, select the 802.1X radio button. Click ok. Entering Basic 802.1X Settings. To enter basic 802.1X settings: Home window>>System configuration>>Quarantining>>802.1X quarantine method radio button...

  • Page 103: Authentication Settings, Selecting The Radius Authentication Method, Configuring Windows Domain Settings

    Authentication Settings. Selecting the RADIUS Authentication Method. To select the RADIUS authentication method: Home window>>System configuration>>Quarantining>>802.1X quarantine method radio button. Select the Local radio button in the Basic 802.1X settings area. Select an End-user authentication method:
    • ...

  • Page 104

    Select Windows domain from the End-user authentication method drop-down list. Figure 3-24. System Configuration, Windows Domain

  • Page 105: Configuring Openldap Settings

    Enter the Fully Qualified Domain Name (FQDN) of the domain to be joined in the Domain name text field. In the Administrator user name text field, enter the user name of an account with sufficient rights to join an ES to the domain; because these credentials are stored on the appliance, use an account delegated only the right to join computers rather than a domain administrator. Enter that account's password in the Administrator password text field.

  • Page 106

    Select OpenLDAP from the End-user authentication method drop-down list. Figure 3-25. System Configuration, OpenLDAP

  • Page 107

    Enter the LDAP server hostname or IP address and optional port number in the Server text field. For example: 10.0.1.2:636 (port 636 is LDAP over TLS; using it rather than plain LDAP on port 389 keeps the bind password and user lookups from crossing the network in cleartext). Enter the DN under which LDAP searches should be done in the Identity text field. For example: cn=admin,o=My Org,c=UA. Enter the password that authenticates the DN entered into the Identity text field in the Password text field.

  • Page 108: Configuring Novell Edirectory Settings

    Configuring Novell eDirectory Settings. To configure Novell eDirectory settings: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Local radio button

  • Page 109

    Select Novell eDirectory from the End-user authentication method drop-down list. Figure 3-26. System Configuration Window, RADIUS, Novell eDirectory

  • Page 110

    Enter the LDAP server hostname or IP address and optional port number in the Server text field. For example: 10.0.1.2:636. Enter the Distinguished Name (DN) under which LDAP searches should be done in the Identity text field. For example: cn=admin,o=My Org,c=UA. Enter the password that authenticates the DN entered into the Identity text field in the Password text field.

  • Page 111: Adding 802.1x Devices

    11. Click ok. Adding 802.1X Devices. To add an 802.1X device: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device. Figure 3-27. Add 802.1X Device. Enter the IP address of the 802.1X device in the IP address text field. Enter a shared secret in the Shared secret text field.

  • Page 112: Testing The Connection To A Device

    • Enterasys – See “Enterasys” on page 3-71.
    • Extreme ExtremeWare – See “Extreme ExtremeWare” on page 3-73.
    • Extreme XOS – See “Extreme XOS” on page 3-75.
    • Foundry – See “Foundry” on page 3-77.
    • HP ProCurve switch – ...

  • Page 113

    In the 802.1X devices area, click edit next to the device you want to test. The 802.1X device window appears. The Test connection to this device area is near the bottom of the window: Figure 3-28. Add 802.1X Device, Test Connection Area, Option 1. Figure 3-29.

  • Page 114: Cisco Ios

    NOTE: You must enter the port, the MAC address, or both, depending on the re-authentication OID. Click test connection to this device. Cisco IOS. To add a Cisco IOS device: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device

  • Page 115

    Figure 3-30. Add Cisco IOS Device. Enter the IP address of the Cisco IOS device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is the RADIUS key that the device and the RADIUS server both use to hide the User-Password attribute and to compute the packet authenticators that let each side check the other's packets; it must match exactly on the switch and on NAC 800. Treat it like a password: choose a long random value and use a different secret for each device, because a captured RADIUS exchange can be used to guess a weak secret offline. Re-enter the shared secret in the Re-enter shared secret text field.
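    What the shared secret actually does in RADIUS (RFC 2865) is narrower than "encrypt and sign": it keys the MD5 masking of the User-Password attribute in the Access-Request and the Response Authenticator with which the switch checks that a reply came from its configured server. The following Python is an added example written for this page, not NAC 800 or switch code; the secret, identifier, Request Authenticator and attribute bytes are constructed values.

```python
import hashlib
import hmac
import os


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: hide the User-Password attribute.

    The password is NUL-padded to a multiple of 16 octets; each block is XORed
    with MD5(secret + previous block), seeded with the Request Authenticator.
    This is obfuscation keyed by the shared secret, not authenticated encryption.
    """
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password: what the RADIUS server does on receipt."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    clear = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(clear).rstrip(b"\x00")  # drop the NUL padding


def response_authenticator(code: int, ident: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attributes)
    header = bytes((code, ident)) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code: int, ident: int, attributes: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Assemble a RADIUS response packet (code 2 = Access-Accept, 3 = Access-Reject)."""
    auth = response_authenticator(code, ident, attributes, request_auth, secret)
    length = 20 + len(attributes)
    return bytes((code, ident)) + length.to_bytes(2, "big") + auth + attributes


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the switch must do: recompute the Response Authenticator with its
    own copy of the secret and compare in constant time."""
    if len(packet) < 20:
        return False
    code, ident = packet[0], packet[1]
    if int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


if __name__ == "__main__":
    secret = b"example-shared-secret"        # constructed: whatever was typed in both boxes
    request_auth = os.urandom(16)            # the switch picks this per Access-Request
    hidden = hide_user_password(b"hunter2", secret, request_auth)
    print("server recovers:", reveal_user_password(hidden, secret, request_auth))
    accept = build_response(2, 0x2A, b"", request_auth, secret)
    print("accept verifies:", verify_response(accept, request_auth, secret))
    print("with wrong secret:", verify_response(accept, request_auth, b"typo"))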

  • Page 116: Cisco Catos

    System Configuration Quarantining, 802.1X Enter the Password with which to log into the device's console. Re-enter the console password. 10. Enter the Cisco port mask in the text field. This specifies which characters within the endpoint identifier returned by the Cisco device contain the bank and port information of the endpoint.

  • Page 117

    System Configuration Quarantining, 802.1X Figure 3-31. Add Cisco CatOS Device Enter the IP address of the Cisco CatOS device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.

  • Page 118: Catos User Name In Enable Mode

    System Configuration Quarantining, 802.1X Enter the User name with which to log into the device's console. Enter the Password with which to log into the device's console. Re-enter the console password. 10. Enter the password with which to enter enable mode. 11.

  • Page 119: Enterasys

    System Configuration Quarantining, 802.1X Click edit next to an 802.1X device. (You can also perform these steps while you are adding an 802.1X device.) Click the plus sign next to Show scripts. Add the correct expect script syntax to the text box for enable mode user name.

  • Page 120

    System Configuration Quarantining, 802.1X Figure 3-32. Add Enterasys Device Enter the IP address of the Enterasys device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.

  • Page 121: Extreme Extremeware

    System Configuration Quarantining, 802.1X Re-enter the console password. 10. Enter the Reconnect idle time. This is the amount of time in milliseconds that a t Telnet/SSH console can remain idle or unused before it is reset. 11. Select the Show scripts plus symbol to show the following scripts: Initialization script –...

  • Page 122

    System Configuration Quarantining, 802.1X Figure 3-33. Add ExtremeWare Device Enter the IP address of the ExtremeWare device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.

  • Page 123: Extreme Xos

    System Configuration Quarantining, 802.1X Re-enter the console password. 10. Enter the Reconnect idle time. This is the amount of time in milliseconds that a Telnet/SSH console can remain idle or unused before it is reset. 11. Select the Show scripts plus symbol to show the following scripts: Initialization script –...

  • Page 124

    System Configuration Quarantining, 802.1X Figure 3-34. Add Extreme XOS Device Enter the IP address of the Extreme XOS device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.

  • Page 125: Foundry

    System Configuration Quarantining, 802.1X Enter the Reconnect idle time. This is the amount of time in milliseconds that a Telnet/SSH console can remain idle or unused before it is reset. 10. Select the Show scripts plus symbol to show the following scripts: •...

  • Page 126

    System Configuration Quarantining, 802.1X Figure 3-35. Add Foundry Device Enter the IP address of the Foundry device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.

  • Page 127: Hp Procurve Switch

    System Configuration Quarantining, 802.1X 10. Enter the password with which to enter enable mode. 11. Re-enter the enable mode password. 12. Enter the Reconnect idle time. This is the amount of time in milliseconds that a Telnet/SSH console can remain idle or unused before it is reset. 13.

  • Page 128

    System Configuration Quarantining, 802.1X Figure 3-36. Add HP ProCurve Device Enter the IP address of the HP ProCurve device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.

  • Page 129

    System Configuration Quarantining, 802.1X b. Enter the Password used to log into this device's console. To help confirm accuracy, type the same password you entered into the Password field in the Re-enter Password field. d. Enter the Enable mode user name that is used to enter enable mode on this device.

  • Page 130: Hp Procurve Wesm Xl Or Hp Procurve Wesm Zl

    System Configuration Quarantining, 802.1X – DECIMAL STRING – BITS – NULLOBJ d. Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field. Select the Use a different OID for MAC authentication check box to re- authenticate using a different OID when the supplicant request is for a MAC authenticated device.

  • Page 131

    System Configuration Quarantining, 802.1X Figure 3-37. Add HP ProCurve WESM xl/zl Device Enter the IP address of the HP ProCurve WESM device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.

  • Page 132

    System Configuration Quarantining, 802.1X Enter the OID used to re-authenticate an endpoint in the Re-authenticate OID text field. The strings "${Port}" and "${MAC_DOTTED_DECIMAL}" will be substituted for the port and MAC address of the endpoint to be re- authenticated. NOTE: figure 3-37.

  • Page 133: Hp Procurve 420 Ap Or Hp Procurve 530 Ap

    System Configuration Quarantining, 802.1X Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field. TIP: Click revert to defaults to restore the default settings. HP ProCurve 420 AP or HP ProCurve 530 AP To add an HP ProCurve 420 AP or HP ProCurve 530 AP device: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device Figure 3-38.

  • Page 134

    System Configuration Quarantining, 802.1X Re-enter the shared secret in the Re-enter shared secret text field. Enter an alias for this device that appears in log files in the Short name text field. Select ProCurve 420 AP or ProCurve 530 AP from the Device type drop-down list.

  • Page 135: Nortel

    System Configuration Quarantining, 802.1X – HEX STRING – DECIMAL STRING – BITS – NULLOBJ Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field. TIP: Click revert to defaults to restore the default settings. Nortel To add a Nortel device: Home window>>System configuration>>Quarantining>>802.1X Quarantine...

  • Page 136

    System Configuration Quarantining, 802.1X Figure 3-39. Add Nortel Device Enter the IP address of the Nortel device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.

  • Page 137: Other

    System Configuration Quarantining, 802.1X Re-enter the console password. 10. Enter the Enable mode user name. 11. Enter the password with which to enter enable mode. 12. Re-enter the enable mode password. 13. Enter the Reconnect idle time. This is the amount of time in milliseconds that a Telnet/SSH console can remain idle or unused before it is reset.

  • Page 138

    System Configuration Quarantining, 802.1X Figure 3-40. Add Other Device Enter the IP address of the new device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.

  • Page 139

    System Configuration Quarantining, 802.1X Enter the Reconnect idle time. This is the amount of time in milliseconds that a Telnet/SSH console can remain idle or unused before it is reset. 10. Select the Show scripts plus symbol to show the following scripts: NOTE: You must enter the script contents yourself for the 802.1X device you are adding.

  • Page 140: Quarantining, Dhcp, Dhcp Server Configuration, Setting Dhcp Enforcement

    System Configuration Quarantining, DHCP Quarantining, DHCP To select the DHCP quarantine method: Home window>>System configuration>>Quarantining Select a cluster. In the Quarantine method area, select the DHCP radio button. Click ok. DHCP Server Configuration Inline DHCP server is selected by default. If you want to use the DHCP plug-in, which allows you to use multiple DHCP servers, see the instructions in “DHCP Plug-in”...

  • Page 141

    System Configuration Quarantining, DHCP Figure 3-41. System Configuration, Quarantining, DHCP Enforcement Inline DHCP server is selected by default. If you wish to use multiple DHCP servers, see the instructions in “DHCP Plug-in” on page 13-1. Select one of the following radio buttons: Enforce DHCP requests from all IP addresses –...

  • Page 142: Adding A Dhcp Quarantine Area

    System Configuration Quarantining, DHCP • Restrict enforcement of DHCP requests to quarantine and non-quarantine subnets – Specify individual DHCP relay agent IP addresses, separated by carriage returns in the DHCP relay IP addresses to enforce text box. These addresses must be a subset of either the quarantined or non- quarantined subnets.

  • Page 143

    System Configuration Quarantining, DHCP Click add a quarantine area. The Add quarantine area window appears. Figure 3-42. Add a Quarantine Area In the Add quarantine area window, enter the following information: Quarantined subnet – The CIDR network that represents the IP space •...

  • Page 144: Sorting The Dhcp Quarantine Area

    System Configuration Quarantining, DHCP must reflect this configuration on your router. The subnets specified in each area must be unique; that is, neither the quarantined nor the non-quarantined subnets in one area can be quarantined or non- quarantined in another. Static routes assigned on the endpoint –...

  • Page 145: Editing A Dhcp Quarantine Area, Deleting A Dhcp Quarantine Area

    System Configuration Quarantining, DHCP • non-quarantine subnets • domain suffix d (indicates the quarantine option selected in step 3 on page 3-95) • The DHCP quarantine area sorts by the column name clicked. Editing a DHCP Quarantine Area To edit a DHCP quarantine area: Home window>>System configuration>>Quarantining>>DHCP radio button Click edit next to the quarantine area you want to edit.

  • Page 146

    System Configuration Quarantining, DHCP Click delete next to the quarantine area you want to remove. The Delete quarantine area confirmation window appears Click yes. 3-98...

  • Page 147: Quarantining, Inline

    System Configuration Quarantining, Inline Quarantining, Inline To select the Inline quarantine method: Home window>>System configuration>>Quarantining Select a cluster. In the Quarantine method area, select the Inline radio button. Click ok. 3-99...

  • Page 148: Post-connect, Allowing The Post-connect Service Through The Firewall, First Time Selection

    System Configuration Post-connect Post-connect Post-connect in NAC 800 provides an interface where you can configure external systems, such as IDS/IPS, that request quarantining of an endpoint based on activity that occurs after the endpoint has connected to the network (post-connect). Allowing the Post-connect Service Through the Firewall The firewall must be opened for each post-connect service that communicates...

  • Page 149: Setting Nac 800 Properties

    System Configuration Post-connect Figure 3-44. Post-connect Configuration Message Configure your post-connect system as described in “Configuring a Post- connect System” on page 3-102. Then launch your post-connect system as described in “Launching Post-connect Systems” on page 3-103. Setting NAC 800 Properties Most NAC 800 properties are set by default.

  • Page 150: Configuring A Post-connect System

    System Configuration Post-connect Configuring a Post-connect System To configure an external post-connect system: Home>>System configuration>>Post-connect Figure 3-45. System Configuration, Post-connect Enter the name of your post-connect service in the Service name text field. This is the name used in the Post-connect and Endpoint activity windows. Enter the URL of the post-connect service in the Service URL text field.

  • Page 151: Launching Post-connect Systems

    System Configuration Post-connect Enter the user name of the account to be used for logging into the post-connect service in the User name text field. b. Enter the password of the account to be used for logging into the post- connect service in the Password text field.

  • Page 152: Post-connect In The Endpoint Activity Window, Adding Post-connect System Logos And Icons

    System Configuration Post-connect Post-connect in the Endpoint Activity Window When an external service requests that an endpoint be quarantined, it sends the request to NAC 800, which quarantines the endpoint based on the hierar- chy rules described in “Endpoint Quarantine Precedence” on page 7-2. The icons on the Endpoint activity window show that the endpoint is quaran- tined by an external service.

  • Page 153

    System Configuration Post-connect Logo file – approximately 154 pixels wide x 24 pixels high Icon file – approximately 18 x 18 pixels Copy the logo and icon files to the following directory on the NAC 800 MS (see “Copying Files” on page 1-20): /usr/local/nac/webapps/ROOT/images Log in to the NAC 800 MS as root using SSH or directly with a keyboard.

  • Page 154: Maintenance, Initiating A New Backup

    System Configuration Maintenance Maintenance The Maintenance window allows you to back up the MS database, properties files, keystore files, and subscription files in a file with the following name: backup-<year-month-day>Thh-mm-ss.tar.bz2 where: year is the year the system was backed up = 2007 ■...

  • Page 155

    System Configuration Maintenance Figure 3-48. System Configuration, Maintenance Click begin backup now in the Backup area. The Operation in progress confirmation window appears. Depending on your browser settings, a pop-up window may appear asking if you want to save or open the file. Select Save to disk and click OK. NOTE: A system backup does not work using Internet Explorer 7 as a browser window.

  • Page 156: Restoring From A Backup

    System Configuration Maintenance The System backup completed successfully message appears at the top of the System configuration window: Figure 3-49. Backup Successful Message Restoring From a Backup See “Restoring from Backup” on page 15-16 for information about restoring from a backup file. TIP: If you are using Backup and Restore to move configuration files from one physical server to another, you must have the same version of NAC 800...

  • Page 157: Downloading Support Packages

    System Configuration Downloading Support Packages Downloading Support Packages Support packages are useful when debugging your system with ProCurve Networking by HP. If a support package is necessary, ProCurve Networking by HP will instruct you to generate one and will provide instructions on how to upload the generated package (a TAR file).

  • Page 158: Cluster Setting Defaults, Testing Methods, Selecting Test Methods

    System Configuration Cluster Setting Defaults Cluster Setting Defaults The following sections describe how to globally set the default settings for all clusters. For information on overriding the default settings for a specific cluster, see “Enforcement Clusters and Servers” on page 3-6. Testing Methods The Testing methods menu option allows you to configure the following: Select testing methods...

  • Page 159: Ordering Test Methods

    System Configuration Cluster Setting Defaults Figure 3-50. System Configuration, Testing Methods Select one or more of the following ProCurve NAC EI Agent – This test method installs a service (ProCurve NAC EI Agent) the first time the user connects. b. ActiveX plug-in – This test method downloads an ActiveX control each time the user connects to the network.

  • Page 160: Recommended Test Methods

    System Configuration Cluster Setting Defaults If no agent is available, NAC 800 tries to test with the ActiveX test method. If ActiveX is not available and if credentials for the endpoint or domain exist, NAC 800 tries to test with the agentless test method. If the endpoint can not be tested transparently, then NAC 800 uses the end-user access screens to set up a test method and sequence for interacting with the end-user.

  • Page 161: Selecting End-user Options, Accessible Services

    System Configuration Cluster Setting Defaults Windows endpoints on your Windows domain are tested automatically when you specify the domain admin credentials in the System configuration>>Agent- less credentials>>Add administrator credentials window. The agent-based test method is recommended for any environment where enforcement is enabled on Windows Vista endpoints.

  • Page 162

    System Configuration Cluster Setting Defaults Figure 3-51. System Configuration, Accessible Services Enter one or more Web sites, host names, IP addresses, ports, endpoints, or networks, that are accessible to connecting endpoints when they fail their compliance tests. You can enter these endpoints and services in the following formats separated by a carriage return.

  • Page 163

    System Configuration Cluster Setting Defaults You do not need to enter the IP address of the NAC 800 server here. If you do, it can cause redirection problems when end-users try to connect. You do need to add any update server names, such as the ones that provide anti-virus and software updates.

  • Page 164: Exceptions, Always Granting Access To Endpoints And Domains

    System Configuration Cluster Setting Defaults Exceptions The Exceptions menu option allows you to define the following: ■ The endpoints and domains that are always allowed access (whitelist) The endpoints and domains that are always quarantined (blacklist) ■ Always Granting Access to Endpoints and Domains To always grant access to endpoints and domains: Home window>>System configuration>>Exceptions Figure 3-52.

  • Page 165: Always Quarantine Endpoints And Domains, Notifications

    System Configuration Cluster Setting Defaults NOTE: You can use a MAC prefix (one to five bytes or octets) to act on more than one endpoint at a time. For example entering 00:13 matches all MAC addresses that begin with 00:13. To exempt end-user domains from testing, in the Whitelist area, enter the domain names.

  • Page 166: Enabling Notifications

    System Configuration Cluster Setting Defaults Enabling Notifications To enable email notifications: Home window>>System configuration>>Notifications Figure 3-53. System Configuration, Notifications To send email notifications, you must provide NAC 800 with the IP address of a Simple Mail Transfer Protocol (SMTP) email server. This SMTP email server must allow SMTP messages from the NAC 800 machine.

  • Page 167: End-user Screens, Specifying An End-user Screen Logo

    System Configuration Cluster Setting Defaults In the Via SMTP server IP address text box, enter the IP address of the SMTP email server from which NAC 800 sends email notifications. This must be a valid IP address that is reachable from where the NAC 800 machine is located on your network.

  • Page 168: Specifying The End-user Screen Text

    System Configuration Cluster Setting Defaults Figure 3-54. System Configuration, End-user Screens Enter the customization information: Organization logo image – Enter a path to your organization’s logo, or click Browse to select a file on your network. ProCurve recommends you place your logo here to help end-users feel secure about having their computers tested.

  • Page 169: Specifying The End-user Test Failed Pop-up Window

    System Configuration Cluster Setting Defaults Introduction (opening screen) – Enter the introduction text for the default window. ProCurve recommends you provide text here that sets the stage for the end-user’s experience. b. Test successful message (final screen) – Enter the text for the final, test successful window.

  • Page 170: Agentless Credentials, Adding Windows Credentials

    System Configuration Cluster Setting Defaults TIP: You can verify your changes to the end-user access screens immediately by pointing a browser window to port 88 of your NAC 800 installation. For example, if the IP address of your NAC 800 installation is 10.0.16.18, point the browser window to: http://10.0.16.18:88 Click ok.

  • Page 171

    System Configuration Cluster Setting Defaults Figure 3-55. System Configuration, Agentless Credentials 3-123...

  • Page 172: Testing Windows Credentials

    System Configuration Cluster Setting Defaults Click Add administrator credentials. The Add Windows administrator credentials window appears: Figure 3-56. Agentless Credentials, Add Windows Administrator Credentials In the Add Windows administrator credentials window, enter the following: Windows domain name – Enter the domain name of the Windows •...

  • Page 173: Editing Windows Credentials, Deleting Windows Credentials

    System Configuration Cluster Setting Defaults If you want to test these credentials, select the ES in this cluster or the MS from the Server to test from drop-down list. In the Test these credentials area, enter the IP address of the endpoint. TIP: When using a multi-server installation, the credentials are stored on the ES, but the test is initiated from the MS.

  • Page 174: Sorting The Windows Credentials Area

    System Configuration Cluster Setting Defaults Home window>>System configuration>>Agentless credentials Click delete next to the name of the Windows administrator credentials you want to remove. The Delete Windows administrative credentials conformation window appears. Click yes. Sorting the Windows Credentials Area To sort the Windows credentials area: Home window>>System configuration>>Agentless credentials Sort the Windows administrator credentials by clicking on a column heading.

  • Page 175: Logging, Setting Es Logging Levels

    System Configuration Logging Logging Setting ES Logging Levels You can configure the amount of diagnostic information written to log files, ranging from error (error-level messages only) to trace (everything). To set ES logging levels: Home window>>System configuration>>Logging Figure 3-57. System Configuration, Logging Option To configure the amount of diagnostic information written to log files, select a logging level from the Enforcement servers drop-down list: •...

  • Page 176: Setting 802.1x Devices Logging Levels, Setting Idm Logging Levels

    System Configuration Logging • info – Log info-level and above messages only • debug – Log debug-level and above messages only • trace – Log everything CAUTION: Setting the log level to trace may adversely affect performance. Click ok. Setting 802.1X Devices Logging Levels You can configure the amount of diagnostic information written to log files related to 802.1X re-authentication, ranging from error (error-level messages only) to trace (everything).

  • Page 177

    System Configuration Logging To configure the amount of diagnostic information written to log files related to IDM, select a logging level from the IDM drop-down list: • error – log error-level messages only • warn – log warning-level messages only •...

  • Page 178: Advanced Settings, Setting The Agent Read Timeout

    System Configuration Advanced Settings Advanced Settings This section describes setting the timeout periods. Endpoint detection is described in “Working with Ranges” on page 15-25. Setting the Agent Read Timeout To set the Agent read timeout period: Home window>>System configuration>>Advanced Figure 3-58. System Configuration, Advanced Option Enter a number of seconds in the Agent connection timeout period text field.

  • Page 179: Setting The Rpc Command Timeout

    System Configuration Advanced Settings Enter a number of seconds in the Agent read timeout period text field. The agent read time is the time in seconds that NAC 800 waits on an agent read. Use a larger number for systems with network latency issues. Click ok.

  • Page 180

    (This page intentionally left blank.)

  • Page 181: Table Of Contents

    Endpoint Activity Chapter Contents Overview ............4-2 Filtering the Endpoint Activity Window .

  • Page 182

    Endpoint Activity Overview Overview Use the Endpoint activity window, to monitor end-user connection activity. Home window>>Endpoint activity The Endpoint activity window has the following sections: Endpoint selection area – The left column of the window provides ■ links that allow you to quickly filter the results area by Access control status or Endpoint test status.

  • Page 183

    Endpoint Activity Overview 2. Search criteria area 3. Search results area 1. Endpoint selection area Figure 4-1. Endpoint Activity, All Endpoints Area...

  • Page 184: Filtering The Endpoint Activity Window, Filtering By Access Control Or Test Status

    Endpoint Activity Filtering the Endpoint Activity Window Filtering the Endpoint Activity Window You can modify the results shown in the Endpoint activity window to include activity for the following: ■ Access control status ■ Endpoint test status Cluster ■ ■ NetBIOS name IP address ■...

  • Page 185: Filtering By Time

    Endpoint Activity Filtering the Endpoint Activity Window Select a method for filtering the results window; by a specific access control status or endpoint status as shown in the following figure: Figure 4-2. Endpoint Activity, Menu Options NOTE: This part of the window reflects the total number of endpoints in the network at the current time.

  • Page 186: Limiting Number Of Endpoints Displayed

    Endpoint Activity Filtering the Endpoint Activity Window To filter the disconnected endpoints by time: Home window>>Endpoint Activity Figure 4-3. Timeframe Drop-down List Select Disconnected in the Access control status area. Select one of the options from the Timeframe drop-down list. Click search.

  • Page 187: Searching

    Select a number from the drop-down list. The results area updates to show only the number of endpoints selected, with page navigation breadcrumbs. Searching. To search the Endpoint activity window: Home window>>Endpoint activity>>Search criteria area. Figure 4-5.

  • Page 188

    To refresh the Endpoint activity window to show all endpoint activity, click reset. TIP: The search box is not case-sensitive. Searching matches entire words. You must enter wildcard characters (*) to match substrings. For example, 192.168.*.

  • Page 189: Access Control States

    Access Control States. NAC 800 provides on-going feedback on the access status of endpoints in the Endpoint activity window as follows: TIP: To view access status, see “Viewing Endpoint Access Status” on page 4-16. ■ Quarantined –...

  • Page 190: Endpoint Test Status

    Endpoint Test Status. NAC 800 provides on-going feedback on the test status of endpoints in the left pane of the Endpoint activity window as follows: TIP: To view access status, see “Viewing Endpoint Access Status” on page 4-16. ■...

  • Page 191

    ■ Connecting – NAC 800 shows this status briefly after the endpoint has been tested, while the endpoint is being assigned a non-quarantined IP address. ■ Awaiting credentials – NAC 800 shows this status briefly while the agentless credentials are being verified.

  • Page 192

    ■ Installing test service – NAC 800 shows this status briefly while the agent is being installed. ■ Installation canceled – NAC 800 shows this status when the end-user has cancelled the installation of the agent. ■ Testing (agent) –...

  • Page 193

    ...routing issue that is not allowing the endpoint to reach the necessary servers on the network. Also, if NAC 800 is inline with the domain controller, you might need to open up the appropriate ports (135 through 138, 445, 389, 1029) in the NAC 800 accessible endpoints configuration for your domain controller IP address.

  • Page 194: Enforcement Cluster Access Mode

    Enforcement Cluster Access Mode. The access mode of each cluster can be one of the following: ■ normal – Endpoints are tested and allowed access or quarantined based on policies, exceptions, and administrator overrides. ■...

  • Page 195

    ...the endpoint is allowed access because of the change to allow all mode; however, when the mode is changed back to normal, the endpoint will again be quarantined for the reason listed. Figure 4-10. Failed Endpoint Allow All Mode Mouse Over.

  • Page 196: Viewing Endpoint Access Status

    Viewing Endpoint Access Status. To view access status for an endpoint: Home window>>Endpoint activity window. Locate the endpoint you are interested in. The first column is the selection column, the second column is the Endpoint test status column, and the third column is the Access control status column.

  • Page 197

    NOTE: If an endpoint is seen by two different clusters simultaneously, the endpoint state can get lost. This could happen, for example, if you had a Training cluster and an Engineering cluster, and an endpoint that was connected in the Engineering cluster also attempted to connect by way of the Training cluster.

  • Page 198: Selecting Endpoints To Act On

    Selecting Endpoints to Act on. To select endpoints to act on: Home window>>Endpoint activity. Click a box or boxes in the first column to select the endpoints of interest. TIP: Click the box at the top of the column to select all of the endpoints.

  • Page 199: Acting On Selected Endpoints, Manually Retest An Endpoint, Immediately Grant Access To An Endpoint

    Acting on Selected Endpoints. Once you have filtered the Endpoint activity window and selected which endpoints to take action on, you can perform the following actions: ■ Retest an endpoint (“Manually Retest an Endpoint” on page 4-19) ■...

  • Page 200: Immediately Quarantine An Endpoint, Clearing Temporary Endpoint States

    NOTE: If an endpoint that has been granted or denied access temporarily by the administrator disconnects, the next time the endpoint attempts to connect it will be retested; the previous temporary status no longer applies. Immediately Quarantine an Endpoint. To immediately quarantine an endpoint: Home window>>Endpoint activity...

  • Page 201: Viewing Endpoint Information

    Viewing Endpoint Information. To view information about an endpoint: Home window>>Endpoint activity. Click on an endpoint name to view the Endpoint window: Figure 4-12. Endpoint, General Option.

  • Page 202

    Click Test results to view the details of the test: Figure 4-13. Endpoint Activity, Endpoint Test Results Option. TIP: Click on any underlined link (for example, change access) to make changes such as changing access or test credentials.

  • Page 203: Troubleshooting Quarantined Endpoints

    Troubleshooting Quarantined Endpoints. The following table describes the various components that affect an endpoint attempting to access the network:

  • Page 204

    Table columns: Enforcement Mode | How endpoints are quarantined and redirected to NAC 800 | How quarantined endpoints reach accessible devices. Row: DHCP mode, Endpoint enforcement | DHCP server (NAC 800) gives the endpoint: ... | DHCP server (NAC 800) also sends: • A static route to the NAC 800 server •...

  • Page 205

    Row: DHCP mode, Network enforcement | DHCP server (NAC 800) gives the endpoint: ... | NAC 800 (fake root) DNS – As in endpoint enforcement (for access to names in Accessible services).

  • Page 206

    Row: Inline / Gateway (multihomed...) | NAC 800 acts as the man-in-the-middle, iptables rewrites packets, and forwards ... | VPN split tunnel: No need to allow public sites (endpoint can get there directly, without going ...

  • Page 207

    Row: 802.1X | DHCP server (MS DHCP server, and so on) gives the endpoint: •... | NAC 800 DNS – As in endpoint enforcement (for access to names in Accessible services).

  • Page 208

    (This page intentionally left blank.)

  • Page 209: Table Of Contents

    End-user Access, Chapter Contents: Overview ... 5-2; Test Methods Used ...

  • Page 210

    Overview. End-users can connect to your network from a number of different types of computers (see “Endpoints Supported” on page 5-5), be tested for compliance based on your definitions in the standard (high, medium, or low security) or custom NAC policies (see “NAC Policies”...

  • Page 211: Test Methods Used, Agent Callback

    Test Methods Used. NAC 800 tests endpoints using one of the following methods: ■ Agent-based ■ Agentless ■ ActiveX. See “Testing Methods” on page 3-110 for a description of each of these methods. Agent Callback. The Agent Callback to NAC 800 feature allows the NAC 800 agent to inform the ES that an endpoint is now active on the network and available to be tested.

  • Page 212

    ■ _naces1 ■ _naces2. If no contact can be made, try the following A names: NOTE: The endpoint's DNS suffix must be correctly configured for your domain for the Agent Callback feature to work correctly. ■...

  • Page 213: Endpoints Supported

    Endpoints Supported. This NAC 800 release supports the following: ■ Agent-based testing • Windows 2000 • Windows Server (2000, 2003) • Windows XP Professional • Windows XP Home • Mac OS (version 10.3.7 or later) • Vista Ultimate •...

  • Page 214

    NOTE: Other operating system support (for example, Linux) will be included in future releases. Windows ME and Windows 95 are not supported in this release. TIP: If the end-user switches the Windows view while connected, such as from Classic view to Guest view, the change may not be immediate due to the way sessions are cached.

  • Page 215: Browser Version

    Browser Version. The browser that should be used by the endpoint is based on the test method as follows: ■ ActiveX test method – Microsoft Internet Explorer (IE) version 6.0 or later. ■ Agentless test methods – IE, Firefox, or Mozilla. ■...

  • Page 216: Firewall Settings, Managed Endpoints, Unmanaged Endpoints, Making Changes To The Firewall

    Firewall Settings. NAC 800 can perform tests through firewalls on both managed and unmanaged endpoints. Managed Endpoints. Typically, a managed endpoint’s firewall is controlled with the Domain Group Policy for Windows, or a central policy manager for other firewalls. In this case, the network administrator opens up the agent port or agentless ports only to the NAC 800 server using the centralized policy.

  • Page 217: Windows Endpoint Settings, Ie Internet Security Setting, Agent-based Test Method, Ports Used For Testing

    Windows Endpoint Settings. IE Internet Security Setting. If the end-user has their IE Internet security zone set to High, the endpoint is not testable. Using one of the following options will allow the endpoint to be tested: ■ The end-user could change the Internet security to Medium ■...

  • Page 218: Agentless Test Method, Configuring Windows 2000 Professional For Agentless Testing

    See the following link for details on UAC: http://technet2.microsoft.com/WindowsVista/en/library/0d75f774-8514-4c9e-ac08-4c21f5c6c2d91033.mspx?mfr=true Agentless Test Method. This section describes the settings you need to make on Windows 2000, Windows XP, and Windows Vista when using the Agentless test method. Configuring Windows 2000 Professional for Agentless Testing. The agentless test method requires file and printer sharing to be enabled.

  • Page 219: Configuring Windows Xp Professional For Agentless Testing

    On the General tab, in the Components checked are used by this connection area, verify that File and Printer sharing is listed and that the check box is selected. Click OK. Configuring Windows XP Professional for Agentless Testing. The agentless test method requires file and printer sharing to be enabled.

  • Page 220: Configuring Windows Vista For Agentless Testing, Defining The Agentless Group Policy Object

    ■ To configure File and Printer Sharing for Microsoft Networks – http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/howto_config_fileandprintsharing.mspx ■ To add a network component – http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/howto_config_fileandprintsharing.mspx Configuring Windows Vista for Agentless Testing. Agentless testing for Windows Vista endpoints requires that these endpoints be configured from a domain controller.

  • Page 221

    Open the Group Policy Management window by selecting Start>>Control Panel>>Administrator Tools>>Group Policy Management. The Group Policy Management window appears: Figure 5-3. Group Policy Management Window. Right-click on the domain you wish to use for the Vista endpoints and select Create and Link a GPO Here.

  • Page 222

    Right-click on the Agentless Testing Policy name and select Edit. The Group Policy Object Editor window appears: Figure 5-5. Group Policy Object Editor. b. In the left pane, click the plus symbols under Computer Configuration to expand Windows Settings>>Security Settings>>Local Policies.

  • Page 223

    In the right pane, scroll down and right-click on the Network access: sharing and security model for local accounts policy, and select Properties. The Network Access window appears: Figure 5-6. Network Access Window. ii. Select the Define this policy setting check box. iii.

  • Page 224

    In the right pane, scroll down and right-click on Network Security: LAN Manager authentication level and select Properties. The following window appears: Figure 5-7. Network Security Window. vi. Select the Define this policy setting check box. vii.

  • Page 225

    In the right pane, right-click Network Connections and select Properties. The following window appears: Figure 5-8. Network Connection Properties Window. ii. Select the Define this policy setting check box. iii. Select the Automatic radio button. iv. Click OK.

  • Page 226

    In the right pane, right-click Remote Procedure Call (RPC) and select Properties. The following window appears: Figure 5-9. Remote Procedure Call Properties Window. vi. Select the Define this policy setting check box. vii. Select the Automatic radio button. viii.

  • Page 227

    ix. In the right pane, right-click Remote Registry and select Properties. The following window appears: Figure 5-10. Remote Registry Properties Window. x. Select the Define this policy setting check box. xi. Select the Automatic radio button. xii.

  • Page 228

    In the right pane, right-click Windows Firewall: Allow file and printer sharing exception and select Properties. The following window appears: Figure 5-11. Windows Firewall Window. ii. Select the Enabled radio button. iii. Click OK. In the left pane, click the plus symbols to expand Administrative Templates>>Network.

  • Page 229

    In the right pane, right-click on Turn off Microsoft Peer-to-Peer Networking Services and select Properties. The following window appears: Figure 5-12. Microsoft Peer-to-Peer Window. ii. Select the Disabled radio button. iii. Click OK. Close the Group Policy Object Editor window. Move the Agentless Testing policy to the top of the list so that it is processed first and takes precedence over any local configuration: In the Group Policy Management window, select the Linked Group Policy...

  • Page 230: Ports Used For Testing, Allowing The Windows Rpc Service Through The Firewall

    Click the double arrow icon to the left of the policies to move it to the top. The following window shows the double arrow icon: Figure 5-13. Double Arrow Icon. Close the Group Policy Management window. This Agentless Group Policy Object is applicable to all Windows endpoints used in the domain.

  • Page 231

    To configure the Windows XP Professional firewall to allow the RPC service to connect: Windows endpoint>>Start>>Settings>>Control Panel>>Windows Firewall>>Exceptions tab. Select File and Print Sharing. (Verify that the check box is also selected.) Click Edit. Verify that the check boxes for all four ports are selected. Select TCP 139.

  • Page 232: Activex Test Method, Ports Used For Testing, Windows Vista Settings

    TIP: You can add more security by specifying the endpoints allowed for File and Print Sharing as follows: Select File and Print Sharing, click Edit, select Change Scope, and select either My Network or Custom List (and then specify the endpoints). ActiveX Test Method. Ports Used for Testing. You might need to configure some firewalls and routers to allow NAC 800 to...

  • Page 233: Mac Os X Endpoint Settings, Ports Used For Testing

    Mac OS X Endpoint Settings. This release of NAC 800 supports only the agent-based method of testing for Mac OS X. Ports Used for Testing. You might need to configure some firewalls and routers to allow NAC 800 to access port 1500 for agent-based testing.

  • Page 234

    Figure 5-14. Mac System Preferences.

  • Page 235

    Select the Sharing icon. The Sharing window opens: Figure 5-15. Mac Sharing. Select the Firewall tab. The firewall settings must be one of the following: • ... • On with the following: – OS X NAC Agent check box selected –...

  • Page 236

    To change the port: Mac endpoint>>Apple Menu>>System Preferences>>Sharing icon>>Firewall. Select OS X NAC Agent. Click Edit. The port configuration window appears: Figure 5-16. Mac Ports. Enter 1500 in the Port Number, Range or Series text field. Click OK.

  • Page 237: End-user Access Windows

    End-user Access Windows. Several end-user access templates come with NAC 800. The End-user window provides a way to customize these templates from within the user interface (see “End-user Screens” on page 3-119). For optimal end-user experience, brand these windows as your own and keep them friendly and helpful.

  • Page 238: Opening Window

    Opening Window. When the end-user directs their browser to go to a location that is not listed in the Accessible services and endpoints list, the testing option window appears: Figure 5-17. End-user Opening Window. The end-users select Get connected. One of the following windows appears, depending on which test method and order is specified in the System configuration>>Testing methods window: ■...

  • Page 239: Windows Nac Agent Test Windows, Automatically Installing The Windows Agent

    Windows NAC Agent Test Windows. Automatically Installing the Windows Agent. When the test method used is NAC Agent test, the first time the user attempts to connect, the agent installation process should begin automatically, and the installing window appears: Figure 5-18.

  • Page 240

    If Active Content is disabled in the browser, the following error window appears: Figure 5-19. End-user Agent Installation Failed. TIP: To enable active content, see “Active Content” on page C-4. If this is the first time the end-user has selected NAC Agent test, a security acceptance window appears.

  • Page 241

    Once the user has accepted the digital signature, the agent installation begins. The user must click Next to start the agent installation: Figure 5-20. End-user Agent Installation Window (Start). The user must click Finish to complete the agent installation and begin testing: Figure 5-21.

  • Page 242: Removing The Agent, Manually Installing The Windows Agent

    Removing the Agent. To remove the agent: Windows endpoint>>Start button>>Settings>>Control panel>>Add/remove programs. Figure 5-22. Add/Remove Programs. Find the ProCurve NAC EI Agent in the list of installed programs. Click Remove. TIP: The ProCurve NAC EI Agent also appears in the services list: Start button>>Settings>>Control panel>>Administrative tools>>Services. Manually Installing the Windows Agent. To manually install the agent (using Internet Explorer):...

  • Page 243

    Windows endpoint>>IE browser window. Point the browser to the following URL: https://<enforcement_server_ip>:89/setup.exe The security certificate window appears: Figure 5-23. Security Certificate. Click Yes to accept the security certificate. You are prompted to select Save to disk or Run the file: Figure 5-24.

  • Page 244: How To View The Windows Agent Version Installed, Mac Os Agent Test Windows

    How to View the Windows Agent Version Installed. To see what version of the agent the endpoint is running: Windows endpoint>>Command line window. Change the working directory to C:\Program Files\Hewlett-Packard\ProCurve NAC Endpoint Integrity Agent and enter the following command: SAService version. The version number is returned.

  • Page 245

    Double-click the extracted file to launch the installer program. A confirmation window appears: Figure 5-25. Start Mac OS Installer. Click Continue. The installer appears: Figure 5-26. Mac OS Installer 1 of 5.

  • Page 246

    Click Continue. The Select a Destination window appears: Figure 5-27. Mac OS Installer 2 of 5. Click Continue. The Easy Install window appears: Figure 5-28. Mac OS Installer 3 of 5.

  • Page 247: Verifying The Mac Os Agent

    Click Install. The Authenticate window appears: Figure 5-29. Mac OS Installer 4 of 5. Enter your password. Click OK. The agent is installed and the confirmation window appears: Figure 5-30. Mac OS Installer 5 of 5. Click Close.

  • Page 248

    Mac endpoint>>Double-click Desktop icon>>Application folder>>Utilities folder. Figure 5-31. Applications, Utilities Folder.

  • Page 249

    Double-click Activity Monitor. The Activity Monitor window appears: Figure 5-32. Activity Monitor. Verify that the osxnactunnel process is running. If the osxnactunnel process is not running, start it by performing the following steps:

  • Page 250

    Select Applications window>>Utilities>>Mac OS X Terminal. A terminal window opens: Figure 5-33. Mac Terminal. b. Enter the following at the command line: OSXNACAgent -v The build and version number are returned. If an error message is returned indicating that the agent could not be found, the agent was not installed properly.

  • Page 251: Removing The Mac Os Agent

    Removing the Mac OS Agent. To remove the Mac OS agent: Mac endpoint>>Double-click Desktop icon>>Application folder>>Utilities folder. Select Mac OS X Terminal. A terminal window opens (figure 5-33). Enter the following at the command line: remove_osxnacagent Remove the firewall entry: Select Apple Menu>>System Preferences>>Sharing>>Firewall tab.

  • Page 252: Activex Test Windows, Agentless Test Windows

    ActiveX Test Windows. For the ActiveX test, the Testing window appears (see “Testing Window” on page 5-47) and an ActiveX component is downloaded. If there is an error running the ActiveX component, an error window appears: Figure 5-34.

  • Page 253

    ■ Automatically connect the user through domain authentication (“Agentless Credentials” on page 3-122) ■ Require the user to log in. End-users must set up their local endpoints to have a Windows administrator account with a password in order to be tested by NAC 800.

  • Page 254

    If the end-users do not enter the correct information in the login window fields, a login failure window appears: Figure 5-36. End-user Login Failed. TIP: You can customize the logo and contact paragraph that appear on this window.

  • Page 255: Testing Window

    Testing Window. The following figure shows the window that appears during the testing process: Figure 5-37. End-user Testing. The possible outcomes from the test are as follows: ■ Test successful window (see “Test Successful Window” on page 5-48) ■...

  • Page 256: Test Successful Window

    Test Successful Window. When the end-users’ endpoints meet the test criteria defined in the NAC policy, they are allowed access to the network, and a window indicating successful testing appears: Figure 5-38. End-user Testing Successful. TIP: You can customize the logo and text that appears on this window as described in “End-user Screens”...

  • Page 257: Testing Cancelled Window, Testing Failed Window

    Testing Cancelled Window. If the Allow end users to cancel testing option on the System configuration>>Testing methods window is selected, the end-user has the option of clicking Cancel testing. If the end-users click Cancel testing, a window appears indicating that testing is cancelled: Figure 5-39.

  • Page 258

    For each NAC policy, you can specify a temporary access period should the end-users fail the tests. See “Selecting Action Taken” on page 6-17 for more information. Figure 5-40. End-user Testing Failed Example 1. TIP: You can elect to allow access to specific services and endpoints by including them in the Accessible services and endpoints area of the System configura-...

  • Page 259: Error Windows

    End-users can click Printable version to view the testing results in a printable format, as shown in the following figure: Figure 5-41. End-user Testing Failed, Printable Results. Error Windows. End-users might see any of the following error windows: ■ Unsupported endpoint ■...

  • Page 260: Customizing Error Messages

    Customizing Error Messages. The default error message strings (remediation messages) are defined in the following file: /usr/local/nac/scripts/BaseClasses/Strings.py You can create custom error message strings that appear in the test result reports, and on the test results access window that the end-user views, by editing or creating the following file: /usr/local/nac/scripts/BaseClasses/CustomStrings.py To customize the error messages:...

  • Page 261

    ...dir/application.exe'>Location Name</a>", "name2" : "message2", NOTE: A “%s” in the description text is a special variable that is interpolated into extra information (passed from NAC 800), such as lists of missing patches or missing software. CAUTION: Normally NAC 800 uses Strings.py.

  • Page 262

    Test name – Description: checkAntiVirusUpdates.String.2 – %s is installed but the service is not running and the virus signatures are not up-to-date (installed: %s required: %s). checkAntiVirusUpdates.String.3 – %s is installed but the service is not running. checkAntiVirusUpdates.String.4 – (version: %s). checkAntiVirusUpdates.String.5 – %s is installed but the virus signatures are not up-to-date...

  • Page 263

    Test name – Description: checkIESecurityZoneSettings.String.1 – There was no security zone specified. checkIESecurityZoneSettings.String.2 – Internet Explorer %s security zone settings are acceptable. checkIESecurityZoneSettings.String.3 – There was no security level specified. checkIESecurityZoneSettings.String.4 – An invalid security level '%s' was specified. checkIESecurityZoneSettings.String.5 – Could not test Internet Explorer %s security zone settings.

  • Page 264

    Test name – Description: checkPersonalFirewalls.String.1 – The required personal firewall software was not found. Install a personal firewall and keep it up-to-date. Supported firewall software: %s. checkPersonalFirewalls.String.2 – %s is installed but not running. checkPersonalFirewalls.String.3 – %s service is installed and running. checkServicePacks.String.1 – An unsupported operating system was encountered. checkServicePacks.String.2 –...

  • Page 265

    Test name – Description: checkSoftwareNotAllowed.String.3 – Do not specify the HKEY_LOCAL_MACHINE\SOFTWARE registry key. checkSoftwareNotAllowed.String.4 – The following software is not allowed: %s. Uninstall the software listed. Also, remove any file types listed by double-clicking My Computer>>select Tools>>Folder Options>>File Types and remove the file type mentioned. checkSoftwareNotAllowed.String.5 – %s, # placeholder for link location for each software...

  • Page 266

    Test name – Description: checkWormsVirusesAndTrojans.String.2 – The following worms, viruses, or trojans were found: %s. Contact your network administrator for assistance on removing them. checkAntiSpyware.String.1 – The %s software is installed and a scan was run recently on %s. checkAntiSpyware.String.2 – The %s software was found but a scan has not performed...

  • Page 267: Table Of Contents

    NAC Policies, Chapter Contents: Overview ... 6-2; Standard NAC Policies ...

  • Page 268

    Overview. "NAC policies" are collections of tests that evaluate remote endpoints attempting to connect to your network. You can use the standard tests installed with NAC 800, or you can create your own custom tests. NOTE: The default NAC policy is indicated by the check mark on the icon to the left of the NAC policy name.

  • Page 269

    Figure 6-1. NAC Policies. The following figure shows the legend explaining the NAC policies icons: Figure 6-2. NAC Policies Window Legend...

  • Page 270: Standard Nac Policies

    Standard NAC Policies. NAC 800 ships with three standard NAC policies: ■ High security ■ Medium security ■ Low security. NAC policies are organized in groups. Groups include the clusters defined for your system, a Default group, and any other groups you create. Each standard policy has tests pre-selected.

  • Page 271: Nac Policy Group Tasks, Add A Nac Policy Group, Editing A Nac Policy Group

    NAC Policy Group Tasks. Add a NAC Policy Group. To add an NAC policy group: Home window>>NAC policies. Click Add an NAC policy group. The Add NAC policy group window opens: Figure 6-3. Add NAC Policy Group. Type a name for the group in the Name of NAC policy group text box.

  • Page 272: Deleting A Nac Policy Group

    Click on an existing NAC policy group name (for example, Default). The NAC policy group window opens: Figure 6-4. Edit NAC Policy Group. Make any changes required. See “Add a NAC Policy Group” on page 6-5 for details on NAC policy group options.

  • Page 273: Nac Policy Tasks, Enabling Or Disabling An Nac Policy, Selecting The Default Nac Policy

    NAC Policy Tasks. Enabling or Disabling an NAC Policy. Select which NAC policies are enabled or disabled. To enable/disable a NAC policy: Home window>>NAC policies. Click on the enable or disable link. An X indicates disabled. Selecting the Default NAC Policy. To select the default NAC policy: Home window>>NAC policies...

  • Page 274

    Click Add a NAC policy. The Add NAC policy window opens as shown in the following figure: Figure 6-6. Add a NAC Policy, Basic Settings Area. Enter a policy name. Enter a description in the Description text box. Select a NAC policy group.

  • Page 275

    Select the operating systems that will not be tested but are allowed network access. • Windows ME, Windows 98, Windows 95, Windows NT • UNIX • All other unsupported OSs NOTE: In DHCP mode, if an endpoint with an unsupported OS already has a DHCP-assigned IP address, NAC 800 cannot affect this endpoint in any way until the lease on the existing IP address for that endpoint expires.

  • Page 276

    Click the Domains and endpoints menu option to open the Domains and endpoints window, shown in the following figure: Figure 6-7. Add a NAC Policy, Domains and Endpoints 10. Click on a cluster name. 11. Enter the names of Windows domains to be tested by this cluster for this NAC policy, separated by a carriage return.

  • Page 277

    NOTE: You can leave the Domains and Endpoints areas blank if you do not want to assign domains and endpoints to this policy. TIP: Move the mouse cursor over the question mark (?) by the word Endpoints, then click on the CIDR notation link to see the CIDR conversion table pop-up window.

  • Page 278

    13. Click the Tests menu option to open the Tests window: Figure 6-8. Add NAC Policy, Tests Area...

  • Page 279: Editing a NAC Policy, Copying a NAC Policy

    NOTE: The icons to the right of the tests indicate the test failure actions. See “Test Icons” on page 6-21. 14. Select a test to include in the NAC policy by clicking on the check box next to the test name.

  • Page 280: Deleting a NAC Policy, Moving a NAC Policy Between NAC Policy Groups

    Change any of the options desired. See “Creating a New NAC Policy” on page 6-7 for details on the options available. Click ok. Deleting a NAC Policy To delete an existing NAC policy: Home window>>NAC policies Click the delete link to the right of the NAC policy you want to delete.

  • Page 281: NAC Policy Hierarchy, Setting Retest Time, Setting Connection Time

    NOTE: You can use a MAC prefix (one to five bytes or octets) to act on more than one endpoint at a time. For example, entering 00:13 matches all MAC addresses that begin with 00:13. In the Windows domains area, enter a domain name or list of domain names separated by a carriage return.

  • Page 282: Defining Non-supported OS Access Settings, Setting Test Properties

    inactivity quarantine, the end-user may just need to log in again; however, other changes (such as a policy change or new required hotfix) may require the end-user to perform some action before being allowed on the network again.

  • Page 283: Selecting Action Taken

    Select the test failure actions to apply for this test: • Send email notification • Quarantine access Select any test properties if applicable. Click ok. Selecting Action Taken Actions can be passive (send an email), active (quarantine) or a combination of both.

  • Page 284

    select the Initiate patch manager to fix the problem and retest the endpoint when it finishes check box. b. Select a patch manager from the Patch manager drop-down list. Enter a number for the times to retest before failing in the Maximum number of retest attempts text box.

  • Page 285: About NAC 800 Tests, Viewing Information About Tests, Selecting Test Properties, Entering Software Required/Not Allowed

    About NAC 800 Tests NAC 800 tests are assigned to NAC policies. NAC policies are used to test endpoints attempting to connect to your network. NAC 800 tests might be updated as often as hourly; however, at the time of this release, the tests shown in “Tests Help”...

  • Page 286: Entering Service Names Required/Not Allowed

    You can enter any combination of these keys in the NAC 800 text entry fields to detect a vendor, software package and version on an endpoint (for example, you can also enter Mozilla\Firefox or simply Mozilla) and NAC 800 searches for them in the HKEY_LOCAL_MACHINE\Software registry key sub-tree.

  • Page 287: Entering the Browser Version Number, Test Icons

    ■ Utility Manager ■ Windows Installer Entering the Browser Version Number To specify the minimum browser version the end-user needs: For Mozilla Firefox: a. Clear the Check For Mozilla Firefox [1.5] check box. b. Type a version number in the text entry field. For Internet Explorer on Windows XP and Windows 2003: Clear the Check For Internet Explorer for Windows XP and Windows 2003 [6.0.2900.2180] check box.

  • Page 289: Table of Contents

    Quarantined Networks Chapter Contents Endpoint Quarantine Precedence ........7-2 Using Ports in Accessible Services and Endpoints .

  • Page 290: Endpoint Quarantine Precedence

    Endpoint Quarantine Precedence Endpoints are quarantined in the following hierarchical order: 1. Access mode (normal operation or allow all) 2. Temporarily quarantine for/Temporarily grant access for radio buttons 3. Endpoint testing exceptions (always grant access, always quarantine) 4. Post-connect (external quarantine request) 5. NAC policies NOTE: In DHCP mode, if an endpoint with an unsupported OS already has a DHCP-...

  • Page 291

    TIP: Use the Clear temporary access control status radio button to remove the temporary access or temporary quarantine state enabled by the Temporarily quarantine for/Temporarily grant access for radio buttons. Endpoint testing exceptions overrides items following it in the list (4, ...

  • Page 292: Using Ports in Accessible Services and Endpoints

    Using Ports in Accessible Services and Endpoints To use a port number when specifying accessible services and endpoints (cluster default): Home window>>System configuration>>Accessible services The following figure shows the Accessible services window: Figure 7-1.

  • Page 293

    For all other deployment modes, the Fully Qualified Domain Name (FQDN) of the target servers should be added to the list (for example, mycompany.com). If the specified servers are not behind an ES, a network firewall must be used to control access to only the desired ports.

  • Page 294: Always Granting Access to an Endpoint

    Always Granting Access to an Endpoint To always grant access to an endpoint without testing: Home window>>System configuration>>Exceptions The following figure shows the Exceptions window. Figure 7-2. System Configuration, Exceptions In the Whitelist area: In the Endpoints area, enter one or more MAC addresses, IP addresses, or NetBIOS names separated by carriage returns.

  • Page 295

    CAUTION: If you enter the same endpoint for both options in the Endpoint testing exceptions area, the Allow access without testing option is used. CAUTION: Please read “Untestable Endpoints and DHCP Mode” on page 7-11 so that you fully understand the ramifications of allowing untested endpoints on your network.

  • Page 296: Always Quarantining an Endpoint

    Always Quarantining an Endpoint To always quarantine an endpoint without testing (cluster default): Home window>>System configuration>>Exceptions In the Blacklist area: In the Endpoints area, enter one or more MAC addresses, IP addresses, or NetBIOS names separated by carriage returns. b.

  • Page 297: New Users

    New Users The process NAC 800 follows for allowing end-users to connect is: ■ Inline mode – An IP address is assigned to the endpoint outside of NAC 800. When the end-user attempts to connect to the network, NAC 800 either blocks access or allows access by adding the endpoint IP address to the internal firewall.

  • Page 298: Shared Resources

    Shared Resources If the end-users typically make connections to shared services and endpoints during the boot process, these shares are unable to connect while the endpoint has the quarantined IP address, unless the services and endpoints are listed in the Accessible services and endpoints area (see “Accessible Services”...

  • Page 299: Untestable Endpoints and DHCP Mode

    Untestable Endpoints and DHCP Mode If you have an endpoint that does not have a supported operating system, you can allow access or quarantine the endpoint. The currently supported operating systems are listed in “Endpoints Supported” on page 5-5. If you allow an untested endpoint to have access, there are several important items to keep in mind.

  • Page 300: Windows Domain Authentication and Quarantined Endpoints

    Windows Domain Authentication and Quarantined Endpoints In order to satisfy the following scenarios: ■ A guest user gets redirected ■ A user is redirected if their home page is the Intranet ■ The only host that is resolved is the domain controller (DC);...

  • Page 301

    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 389 dc01.lvh.com...

  • Page 303

    High Availability and Load Balancing Chapter Contents High Availability ..........8-2 Load Balancing .

  • Page 304: High Availability

    High Availability High availability occurs when one or more ESs take over for an ES that has become unavailable in a multiple-server installation. Once an ES becomes unavailable, the other ESs take over enforcement from the ES that is now unavailable.

  • Page 305

    ports on the switch based on the switch configuration. If an ES becomes unavailable, the switch reconnects so that there is always a path from the VPN to an ES. All of the ES firewalls continuously stay in sync with each other. Figure 8-1.

  • Page 306

    Figure 8-2. DHCP Installation...

  • Page 307

    Figure 8-3. 802.1X Installation...

  • Page 308: Load Balancing

    Load Balancing Load balancing distributes the testing of endpoints across all NAC 800 ESs in a cluster. NAC 800 uses a hashing algorithm based on MAC or IP addresses to divide the endpoints between the ESs. If the MAC address is unavailable (untestable endpoint), the IP address is used to determine which ES should test an endpoint.

  • Page 309

    Inline Quarantine Method Chapter Contents Inline ............9-2...

  • Page 310

    Inline Inline is the most basic NAC 800 installation. When deploying NAC 800 inline, NAC 800 monitors and enforces all endpoint traffic. NAC 800 allows endpoints to access the network or blocks endpoints from accessing the network based on their Internet Protocol (IP) address with a built-in firewall (iptables).

  • Page 311

    Figure 9-1. Inline Installations TIP: You can install NAC 800 at any “choke point” in your network; a VPN is not required.

  • Page 313: Table of Contents

    DHCP Quarantine Method Chapter Contents Overview ............10-2 Configuring NAC 800 for DHCP .

  • Page 314

    Overview When configured with a Dynamic Host Configuration Protocol (DHCP) quarantine area, all endpoints requesting a DHCP IP address are issued a temporary address on a quarantine subnetwork. Once the endpoint is allowed access, the IP address is renewed and the main DHCP server assigns an address on the main LAN.

  • Page 315

    Figure 10-1. DHCP Installation...

  • Page 316: Configuring NAC 800 for DHCP, Setting up a Quarantine Area, Router Configuration

    Configuring NAC 800 for DHCP The primary configuration required for using NAC 800 and DHCP is setting up the quarantine area (see “Setting up a Quarantine Area” on page 10-4). You should also review the following topics related to quarantining endpoints: ■...

  • Page 317: Configuring the Router ACLs, Configuring Windows Update Service for XP SP2

    Configuring the Router ACLs In order to sufficiently restrict access to and from the quarantine area, you must configure your router Access Control Lists (ACLs) as follows: ■ Allow traffic to and from the NAC 800 server and the quarantined network.

  • Page 319

    802.1X Quarantine Method Chapter Contents About 802.1X ..........11-2 NAC 800 and 802.1X .

  • Page 320: About 802.1X

    About 802.1X 802.1X is a port-based authentication protocol that can dynamically vary encryption keys, and has three components as follows: ■ Supplicant – The client; the endpoint that wants to access the network. ■ Authenticator – The access point, such as a switch, that prevents...

  • Page 321

    The AP (authenticator) opens a port for EAP messages, and blocks all others. The AP (authenticator) requests the client’s (supplicant’s) identity. The client (supplicant) sends its identity. The AP (authenticator) passes the identity on to the authentication server. The authentication server performs the authentication and returns an accept or reject message to the AP (authenticator).

  • Page 322: NAC 800 and 802.1X

    NAC 800 and 802.1X When configured as 802.1X-enabled, NAC 800 can be installed with three different configurations depending on your network environment: ■ Microsoft IAS and NAC 800 IAS Plug-in With this method, the switch is configured with the IAS server IP address as the RADIUS server host.

  • Page 323

    Figure 11-2. NAC 800 802.1X Enforcement...

  • Page 324

    Figure 11-3. 802.1X Communications...

  • Page 325: Setting up the 802.1X Components, Setting up the RADIUS Server

    Setting up the 802.1X Components In order to use NAC 800 in an 802.1X environment, ProCurve recommends configuring your environment first, then installing and configuring NAC 800. This section provides instructions for the following: “Setting up the RADIUS Server”...

  • Page 326

    Microsoft® Windows Server™ 2003 Internet Authentication Service (IAS) is Microsoft’s implementation of a Remote Authentication Dial-In User Service (RADIUS) server. This section provides instructions on configuring this server to use with NAC 800. For details on the Windows Server 2003 IAS, refer to the following link: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/ias.mspx...

  • Page 327: Configuring the Microsoft IAS RADIUS Server

    Select the Networking Services check box. Click Details. The Networking Services window appears, as shown in the following figure. Figure 11-5. Networking Services Select the check box for Internet Authentication Service and any other Windows Internet Authentication Service (IAS) components you want to install.

  • Page 328

    From the RADIUS server main window, select Start>>Settings>>Control Panel>>Administrative Tools>>Internet Authentication Service. Configure IAS to use Active Directory: a. Right-click on Internet Authentication Service (Local). b. Select Register Server in Active Directory (figure 11-6). Click OK if a registration completed window appears.

  • Page 329

    Figure 11-8. IAS, Properties General tab – i. Enter a descriptive name in the Server Description text box. For example, IAS. ii. Select the Rejected authentication requests check box. iii. Select the Successful authentication requests check box. d.

  • Page 330

    b. Select New RADIUS Client. The New RADIUS Client window appears: Figure 11-9. IAS, New Client, Name and Address c. Enter a descriptive name for the Friendly name, such as Foundry. d. Enter the IP address of the authenticator in the Client address text box. TIP: Click Verify to test the connection.

  • Page 331

    Select RADIUS Standard from the Client Vendor drop-down list. Enter a password in the Shared secret text box. This password also needs to be entered when you configure the authenticator. NOTE: See your system administrator to obtain the shared secret for your switch. h.

  • Page 332

    Click Next. Figure 11-12. IAS, Remote Access Policy, Access Method Select the Ethernet radio button. (The Ethernet option will not work for authenticating wireless clients with this policy.) h. Click Next. Figure 11-13. IAS, Remote Access Policy, Group Access You can configure your Access policy by user or group.

  • Page 333

    Click Add. The Select Groups pop-up window appears: Figure 11-14. IAS, Remote Access Policy, Find Group...

  • Page 334

    k. Click Advanced. Figure 11-15. Remote Access Policy, Select Group l. Click Find Now to populate the Search Results area. m. Select Domain Guests. n. Click OK. o. Click OK.

  • Page 335

    p. Click Next. Figure 11-16. IAS, Remote Access Policy, Authentication Method NOTE: If you choose PEAP as your authentication mechanism in step q, see step 8 before completing step r and step s. Adding a certificate, if your server does not already have one, and configuring PEAP is explained in step 8.

  • Page 336

    These steps assume there is a Domain Certificate Authority (CA) available to request a certificate. If there is not a CA available, the certificate needs to be imported manually. NOTE: To import the certificate manually: 1.

  • Page 337

    h. Open the Certificates folder under the Console Root. Right-click on the Personal folder and select All Tasks>>Request New Certificate. NOTE: To import the certificate manually: 1. Right-click on the Personal folder>>select All Tasks>>Import. 2.

  • Page 338

    Click Configure to configure the certificate for use with the PEAP authentication method. The Protected EAP Properties window appears, as shown in the following figure: Figure 11-18. Protected EAP Properties 10. Configure the new Remote Access Policy. Figure 11-19.

  • Page 339

    b. In the right pane, right-click the new policy name and select Properties. The Guest Policy Properties window appears: Figure 11-20. IAS, Remote Access Policy, Configure Click Edit Profile. The Edit Dial-in Profile window appears. Authentication tab –...

  • Page 340

    1) Click Add. Figure 11-21. IAS, Remote Access Policy, Add Attribute 2) Select Tunnel-Medium-Type. (Adding the first of the three attributes.) 3) Click Add. 4) Click Add again on the next window. 5) From the Attribute value drop-down list, select 802 (includes all 802 media).

  • Page 341

    18) Click OK. 19) Click OK. 20) Click OK. 11. Repeat step 9 for every VLAN group defined in Active Directory. IMPORTANT: The order of the connection attributes should be most-specific at the top, and most-general at the bottom. 12.

  • Page 342

    d. Settings tab – Select any of the request and status options you are interested in logging. Log file tab – i. In the Format area, select the IAS radio button. ii. In the Create a new log file area, select a frequency, such as Daily. iii.

  • Page 343

    support/ias/SAIASConnector.dll support/ias/SAIASConnector.ini NOTE: SAIASConnector.ini is installed within NAC 800 using standard system defaults. Settings in this file such as DebugAttributes and DebugLevel should be modified only in conjunction with technical assistance through ProCurve Networking by HP at or .

  • Page 344

    vi. Click Add. Figure 11-25. IAS, Add/Remove Snap-in, Certificates vii. Select Certificates. viii. Click Add. ix. Select the Computer account radio button. x. Click Next. xi. Select the Local computer: (the computer this console is running on) radio button.

  • Page 345

    xiv. Click OK. Figure 11-26. IAS, Import Certificate xv. Right-click on Console Root>>Certificates (Local Computer)>>Trusted Root Certificate Authorities. xvi. Select All tasks>>Import. xvii. Click Next. xviii. Click Browse and choose the certificate. The NAC 800 server certificate is located on http://www.procurve.com/nactools xix.

  • Page 346

    Quarantined – The endpoint failed a test and the action is configured to quarantine. Unknown – The endpoint has not been tested. Infected – The endpoint failed the Worms, Virus, and Trojans test. To configure the response, edit the SAIASConnector.ini file.

  • Page 347

    From the Windows Server 2003 machine, select Start>>Settings>>Control Panel>>Administrative Tools>>Active Directory Users and Computers. Figure 11-27. Active Directory, Properties ii. Right-click on your directory name and select Properties. iii. Select the Group Policy tab. iv.

  • Page 348

    viii. Right-click Store passwords using reversible encryption. ix. Select the Enabled check box. x. Click OK. xi. Close the Group Policy Object Editor window. xii. Close the Group Policy Management window. xiii. Close the <Active Directory Name> Properties window. 16.

  • Page 349

    Select the Users folder. Figure 11-29. Active Directory Users and Computers...

  • Page 350

    d. Right-click a user name and select Properties. The Properties window appears: Figure 11-30. Active Directory, User Account Properties Select the Dial-in tab. In the Remote Access Permission area, select the Allow Access radio button.

  • Page 351: Built-in NAC 800 RADIUS Server

    Repeat from step a for each user account. Proxying RADIUS Requests to an Existing RADIUS Server Using the Built-in NAC 800 RADIUS Server TIP: For an explanation of how the components communicate, see “NAC 800 and 802.1X”...

  • Page 352

    Configure the SAFreeRADIUSConnector.conf file with the appropriate RADIUS attributes and VLANs. See the comments in the following sample file for instructions. # FreeRADIUS Connector configuration file # TO DO - Change localhost to your server's IP if this is not the built-in FreeRADIUS server ServerUrl=https://localhost/servlet/AccessControlServlet DebugLevel=4...

  • Page 353

    "QuarantineRadiusAttributes" Tunnel-Medium-Type := 6, Tunnel-Private-Group-ID := 15, Tunnel-Type := VLAN, "InfectedRadiusAttributes" Tunnel-Medium-Type := 6, Tunnel-Private-Group-ID := 15, Tunnel-Type := VLAN, "UnknownRadiusAttributes" Tunnel-Medium-Type := 6, Tunnel-Private-Group-ID := 5, Tunnel-Type := VLAN, # Use these attributes for Extreme switches #"HealthyRadiusAttributes"...

  • Page 354: Using the Built-in NAC 800 RADIUS Server for Authentication, Configuring Non-HP Switches

    Test the RADIUS server proxy: radtest <user> <passwd> <radius-server[:port]> <nas-port-number> <secret> Using the Built-in NAC 800 RADIUS Server for Authentication If you selected the Manual End-user authentication method in the Authentication settings area of the System configuration>>Quarantining>>802.1X window, configure NAC 800 according to the instructions in this section.

  • Page 355

    NOTE: When using the Cisco® Catalyst® 6509 with the Catalyst operating system (CatOS), you need to refer to the VLAN by name, and not by number as shown in the following sample file. For example, use “Tunnel-Private-Group-ID := User_Seg_PA,”...

  • Page 356

    #"CheckupRadiusAttributes" Tunnel-Medium-Type := 6, Tunnel-Private-Group-ID := 50, Tunnel-Type := VLAN, "QuarantineRadiusAttributes" Tunnel-Medium-Type := 6, Tunnel-Private-Group-ID := 15, Tunnel-Type := VLAN, "InfectedRadiusAttributes" Tunnel-Medium-Type := 6, Tunnel-Private-Group-ID := 15, Tunnel-Type := VLAN, "UnknownRadiusAttributes" Tunnel-Medium-Type := 6, Tunnel-Private-Group-ID := 5, Tunnel-Type := VLAN, # Use these attributes for Extreme switches...

  • Page 357: Enabling NAC 800 for 802.1X, NAC 800 User Interface Configuration

    #"<POSTURE>RadiusAttributes-<NAS IP ADDRESS>" Tunnel-Medium-Type := 6, Tunnel-Private-Group-ID := 15, Tunnel-Type := VLAN, Enabling NAC 800 for 802.1X To enable NAC 800 for use in an 802.1X network, you need to select it in the user interface, and make a few changes to the properties using JMS and an XML file.

  • Page 358: Setting up the Supplicant, Windows XP Professional Setup

    detection can be run remotely by installing and configuring the endpoint activity capture software on each DHCP server involved in the 802.1X deployment. In this case, choose the remote option. • local – In simple configurations, it is possible to span, or mirror, the...

  • Page 359

    Right-click on Local Area Connection. Select Properties. The Local Area Connection window appears: Figure 11-32. Windows XP Pro Local Area Connection, General Tab Select the General tab. Select the Show icon in notification area when connected check box. This enables the Windows XP balloon help utility, which can assist you when entering information and troubleshooting errors.

  • Page 360: Windows XP Home Setup

    Select the Authentication tab. Figure 11-33. Windows XP Pro Local Area Connection Properties, Authentication Select the Enable IEEE 802.1X authentication for this network check box. Select an EAP type from the drop-down list. For this example, select MD5-Challenge.

  • Page 361: Windows 2000 Professional Setup

    Select Wireless Zero Configuration. If the Status column does not already show Started, start the service: i. Right-click on Wireless Zero Configuration. ii. Select Start. b. Close the Services window. Configure the network connections: Windows desktop>>Start>>Settings>>Control Panel>>Network Connections Right-click on Local Area Connection.

  • Page 362

    b. Close the Services window. Configure the network connections: Windows desktop>>Start>>Settings>>Control Panel>>Network and Dial-up Connections Right-click on Local Area Connection. Select Properties. The Local Area Connection window appears. Figure 11-34. Windows 2000 Local Area Connection Properties, General Tab b.

  • Page 363: Windows Vista Setup

    d. Select the Authentication tab. Figure 11-35. Windows 2000 Local Area Connection Properties, Authentication Tab Select the Enable network access control using IEEE 802.1X check box. Select an EAP type from the drop-down list. For this example, select MD5-Challenge.

  • Page 364

    Start the wired service: a. Double-click on Wired AutoConfig. The Wired AutoConfig Properties window appears. Figure 11-36. Wired AutoConfig Properties b. Select Automatic from the Startup type drop-down list. c. Click Start in the Service status area. d.

  • Page 365

    Select Properties. The Local Area Connection window appears: Figure 11-37. Windows Vista Local Area Connection, Networking Tab...

  • Page 366: Setting up the Authenticator

    Select the Authentication tab. Figure 11-38. Windows Vista Local Area Connection Properties, Authentication Tab Select the Enable IEEE 802.1X authentication check box. Select an EAP type from the Choose a network authentication method drop-down list.

  • Page 367: Cisco® 2950 IOS

    ■ “Extreme® Summit 48si” on page 11-51 ■ “ExtremeWare” on page 11-51 ■ “ExtremeXOS” on page 11-52 ■ “Foundry® FastIron® Edge 2402” on page 11-53 ■ “HP ProCurve 420AP” on page 11-53 ■ “HP ProCurve 530AP”...

  • Page 368: Cisco® 4006 CatOS, Enterasys® Matrix 1H582-25

    dot1x timeout quiet-period 30 dot1x guest-vlan 5 dot1x reauthentication spanning-tree portfast ip http server radius-server host 10.11.100.10 auth-port 1812 acct-port 1813 key mysecretpassword radius-server retransmit 3 Cisco® 4006 CatOS set dot1x re-authperiod 100 set feature dot1x-radius-keepalive disable #radius set radius server 172.17.20.150 auth-port 1812 primary...

  • Page 369: Extreme® Summit 48si, ExtremeWare

    BD70F5AAA2CF0C5DBAA5DA97FADFE95 set radius enable Extreme® Summit 48si TIP: When authenticating via the onboard FreeRADIUS server, you need to add the administrative line in the RADIUS users file. TIP: Change the admin password to a non-blank password. create vlan "Operations"...

  • Page 370: ExtremeXOS

    TIP: Change the admin password to a non-blank password. create vlan "Quarantine" create vlan "Test" # RADIUS configuration enable radius configure radius primary shared-secret encrypted "ouzoisgprdr#s{fqa" configure radius primary server 10.50.32.10 1812 client-ip 10.50.32.254 # Network Login Configuration enable netlogin port 1 vlan Default...

  • Page 371: Foundry® FastIron® Edge 2402, HP ProCurve 420AP

    configure netlogin base-url "network-access.com" configure netlogin redirect-page "http://www.extremenetworks.com" configure netlogin banner "" Foundry® FastIron® Edge 2402 dot1x-enable auth-fail-action restricted-vlan auth-fail-vlanid 5 mac-session-aging no-aging permitted-mac-only enable ethe 1 to 4 aaa authentication dot1x default radius radius-server host 10.11.100.10 auth-port 1812 acct-port 1813 default key 1 $6\-ndUnoS!--+sU@ interface ethernet 1...

  • Page 372: HP ProCurve 530AP

    HP ProCurve Access Point 420(if-wireless-g)#ssid index 1 HP ProCurve Access Point 420(if-wireless-g-ssid-1)#closed-system HP ProCurve Access Point 420(if-wireless-g-ssid-1)#radius-authentication-server address <IP of RADIUS Server> HP ProCurve Access Point 420(if-wireless-g-ssid-1)#radius-authentication-server key <Shared RADIUS secret> HP ProCurve Access Point 420(if-wireless-g-ssid-1)#radius-authentication-server vlan-format ascii HP ProCurve Access Point 420(if-wireless-g-ssid-1)#ssid...

  • Page 373

    The RADIUS shared secret key must also be set to enable communication between this device and the RADIUS server. ProCurve Access Point 530(radio1-wlan1)#radius primary key <Shared RADIUS secret> ProCurve Access Point 530(radio1-wlan1)#radius-accounting primary ip <IP of RADIUS Server>...

  • Page 374: HP ProCurve 3400/3500/5400, Nortel® 5510

    ProCurve Access Point 530(radio1-wlan1)#wep-key-ascii ProCurve Access Point 530(radio1-wlan1)#wep-key-1 1q2w3e4r5t6y7 ProCurve Access Point 530(radio1-wlan1)#write mem ProCurve Access Point 530(radio1-wlan1)#enable ProCurve Access Point 530(radio2-wlan1)#enable ProCurve Access Point 530(config)#radio 1 ProCurve Access Point 530(radio1)#enable ProCurve Access Point 530(radio1)#radio 2 ProCurve Access Point 530(radio2)#enable ProCurve Access Point 530(config)#write mem ProCurve Access Point 530(config)#exit...

  • Page 375: Creating Custom Expect Scripts

    uthentication-period 3600 re-authenticate quiet-interval 60 transmit-interval 3 0 supplicant-timeout 30 server-timeout 30 max-request 2 Vlan Info: vlan create 10 name "production" type port vlan create 11 name "guest" type port vlan create 12 name "quarantine" type port ! *** EAP *** eapol enable interface FastEthernet ALL...

  • Page 376

    When testing configuration settings from the NAC 800 user interface, all three scripts are executed once in sequence and the connection is closed. If any output is returned by a command sent in the re-authentication script, it is logged and returned to the user.

  • Page 377

    The expect scripts use the following commands (command, description and parameters): expect [OPTIONS] TEXT – Waits for TEXT to appear on the connection input; send [OPTIONS] TEXT – Writes TEXT to the connection output...

  • Page 378

    IS_TELNET – Set to "true" for a telnet connection (otherwise unset); IS_SSH – Set to "true" for an SSH connection (otherwise unset). The following variables may be referenced from the re-authentication script: PORT –...

  • Page 379

    expect (config)#
    Reauthorization script:
    send interface FastEthernet ${PORT}
    expect (config-if)#
    send eapol re-authenticate
    expect (config-if)#
    send exit
    expect (config)#
    Exit script:
    send exit
    expect #
    send exit
    expect press or to select option.
    send -noreturn l
    The conditions in the above scripts are driven by the values of the variables entered by the user, but sometimes it is necessary to drive conditions from interactions with...

  • Page 380

    (This page intentionally left blank.)

  • Page 381: Table Of Contents

    Remote Device Activity Capture Chapter Contents Creating a DAC Host ..........12-2 Downloading the EXE File .

  • Page 382: Creating a DAC Host

    Remote Device Activity Capture Creating a DAC Host Creating a DAC Host NAC 800 auto-discovers endpoints on your network so that the testing and transition from quarantine to non-quarantine areas happens quickly and smoothly after an endpoint is booted up. NAC 800 also relies on auto-discovery functionality to track DHCP IP address transitions so that it can continue to communicate seamlessly with endpoints after an IP change.

  • Page 383: Downloading the EXE File, Running the Windows Installer

    Your DAC host can be a Windows server. This section provides instructions on setting up a Windows host. First, download the executable file to your Windows server, then run the installer to install the first interface. For this release, if you want to add additional interfaces, you must install them manually.

  • Page 384

    To run the Windows installer: Windows server Navigate to the EXE file downloaded in “Downloading the EXE File” on page 12-3. Double-click on the EXE file. The DAC InstallShield Wizard Welcome window appears: Figure 12-1.

  • Page 385

    Click Next. The Setup Type window appears: Figure 12-2. RDAC Installer, Setup Type Select Complete to install the DAC software, the JavaJRE software, and the WinPcap software. If you already have JavaJRE or WinPcap installed, select Custom.

  • Page 386

    Click Next. The Choose Destination Location window appears: Figure 12-3. RDAC Installer, Choose Destination Location In most cases, you should accept the default location. (Click Change to select a different location.) Click Next. The Confirm New Folder window appears: Figure 12-4.

  • Page 387

    Click Yes. If you selected Custom in step 4 on page 12-5, the Select Features window appears; otherwise the NIC Selection window appears (figure 12- Figure 12-5. RDAC Installer, Select Features 12-7...

  • Page 388

    Select the features to install. Click Next. The NIC Selection window appears: Figure 12-6. RDAC Installer, NIC Selection 12-8...

  • Page 389

    All of the interfaces installed on your Windows server are listed in this window. Select the one you want to use and click Next. The TCP Port Filter Specification window appears: Figure 12-7. RDAC Installer, TCP Port Filter Specification 12-9...

  • Page 390

    10. In most cases you should accept the default entry. Click Next. The Enforcement Server Specification window appears: Figure 12-8. RDAC Installer, Enforcement Server Specification 12-10...

  • Page 391

    11. Enter the IP address of the Enforcement Server (ES) to use. Click Next. The Ready to Install the Program window appears: Figure 12-9. RDAC Installer, Ready to Install the Program 12. Click Install. 13.

  • Page 392

    When the installation is complete, the InstallShield Wizard Complete window appears: Figure 12-10. RDAC Installer, InstallShield Wizard Complete 14. The following folders and files are created: • VERSION – InstallSSDAC.bat rdac SSDAC.bat UninstallSSDAC.bat wrapper.exe –...

  • Page 393: Adding Additional Interfaces

    – wrapper.log 15. Perform the steps detailed in “Adding Additional Interfaces” if you have additional interfaces to add. 16. Perform the steps detailed in “Configuring the MS and ES for DAC” on page 12-14.

  • Page 394: Configuring the MS and ES for DAC

    b. Change any parameters necessary for your specific setup. The interface and IP address parameters are the only parameters that require a change; however, changing other parameters can assist you for debugging purposes. # Application parameters.

  • Page 395: Adding Additional ESs

    b. When the command completes, copy the DAC_keystore file (from /tmp or wherever you specified) to C:\Program Files\Hewlett-Packard\DAC\lib\ . After copying the DAC_keystore file from the MS, delete the file from its temporary location on the MS.

  • Page 396: Starting The Windows Service

    wrapper.app.parameter.X Where X is the numerical value representing the order in which the parameter will be added to the command. b. Add additional ESs: Locate the line that represents the initial ES, for example wrapper.app.parameter.8=172.17.100.100 ii.

  • Page 397: Viewing Version Information

    Select Start>>Settings>>Control Panel>>Administrative Tools>>Services. The Services window appears: Figure 12-12. NAC Endpoint Activity Capture Service Right-click on the NAC Endpoint Activity Capture service and select Start. The service is set to automatic start at the next reboot by default. Viewing Version Information To view version information: Windows server...

  • Page 398: Removing The Software

    Removing the Software Each of the three software packages must be removed individually. To remove the RDAC software: Windows server Select Start>>Settings>>Control Panel>>Add or Remove Programs. Click once on the DAC listing. Click Remove.

  • Page 399

    Select Start>>Settings>>Control Panel>>Add or Remove Programs. Click once on the J2SE Runtime Environment listing. Click Remove. Click Yes when asked if you want to completely remove the application and features. When the uninstallation is complete, the Uninstall Complete window appears: Select one of the options and click Finish.

  • Page 400: NAC 800 to Infoblox Connector, Configuring the Infoblox Server, Configuring NAC 800, Configuring NAC

    Remote Device Activity Capture NAC 800 to Infoblox Connector NAC 800 to Infoblox Connector Infoblox™ is a DHCP server appliance that writes to syslog when it vends IP addresses. These syslog messages (DHCPACK syslog lines) are translated and forwarded to the NAC 800 Device Activity Capturer (DAC) by way of the connector (syslog-to-dac.py).

  • Page 401

    In the Basic 802.1X settings area, select the remote Endpoint detection location radio button. Click ok. Command line window NOTE: Perform the following steps on each ES in your system. Log in as root to the NAC 800 ES using SSH or directly with a keyboard. Enter the following command: egrep DeviceActivityCapture /usr/local/nac/properties/nac-es.properties...

  • Page 402

    d. In the ### LOG ENTRIES HERE ### area, add the following line: log { source(rdac); filter(f_mesg); destination(d_dac); }; Save and exit the file. Enter the following at the command line to restart the service: service syslog-ng restart Add the iptables firewall rule to allow this syslog traffic: Stop iptables by entering the following at the command line:...

  • Page 403: Table Of Contents

    DHCP Plug-in Chapter Contents Overview ............13-2 Installation Overview .

  • Page 404

    DHCP Plug-in Overview Overview The Dynamic Host Configuration Protocol (DHCP) plug-in is an optional feature that allows you to use one or more DHCP servers (without an installation of NAC 800 in front of each DHCP server) as shown in the following figure: Figure 13-1.

  • Page 405

    The DHCP plug-in is a Microsoft DHCP plug-in that utilizes the Microsoft DHCP Server Callout Application Programming Interface (API). Installed on each DHCP server in your network, the plug-in processes or ignores DHCP packets based on the end-user device Media Access Control (MAC) address. NAC 800 tests endpoints that request access to the network and either assigns a quarantined Internet Protocol (IP) address (failed), or adds the MAC address of the end-user device as an authorized device (allowed) to the Access Control...

  • Page 406: Installation Overview

    DHCP Plug-in Installation Overview Installation Overview When NAC 800 does not sit inline with the DHCP server, you need to set up a remote host for Device Activity Capture (DAC) to allow NAC 800 to listen on the network. This is done by installing a small program on the DHCP server or other remote (non-NAC 800) host, which then sends relevant endpoint device information back to NAC 800.

  • Page 407

    The DHCP Plug-in is configured using config.xml that resides on the Windows 2003 Server in C:\WINDOWS\SYSTEM32\DHCP\config.xml. Table 12 (in the Users Guide) shows options used in config.xml (group, item, description): failopen – failopen=“true” means that if the NAC 800 DHCP listener connection goes down, the DHCP server goes into allow...

  • Page 408

    <listener failopen="true">
      <port>*:4433</port>
      <looprate>10</looprate>
    </listener>
    <certificates>
      <cadir />
      <certfile>c:\windows\system32\dhcp\server.pem</certfile>
      <clientCN enforce="false">nac</clientCN>
    </certificates>
    <logging>
      <location>c:\windows\system32\dhcp\nac_DHCP.log</location>
      <level>3</level>
      <maxsize>1024</maxsize>
    </logging>
    </dhcpconnector>
    13-6...

  • Page 409: DHCP Plug-in and the NAC 800 User Interface, Installing the Plug-in

    DHCP Plug-in DHCP Plug-in and the NAC 800 User Interface DHCP Plug-in and the NAC 800 User Interface In order to use the DHCP plug-in, you need to select DHCP as the quarantine (enforcement) method, select the DHCP servers using the DHCP plug-in check box, and add your DHCP servers.

  • Page 410

    Select the DHCP servers using the DHCP plug-in radio button. Figure 13-2. System Configuration, Quarantining, DHCP 13-8...

  • Page 411

    Click download the DHCP plug-in. A Windows save window appears. Browse to a location on the DHCP server you will remember and save the file. On the DHCP server, navigate to the location of the saved file and double-click it.

  • Page 412

    Enter your User Name and Company Name. Click Next. The Ready to Install the Program window appears. Figure 13-5. DHCP Plug-in Ready to Install the Program window 10. Click Install. The progress is displayed on a Status window. When installation is complete, the InstallShield Wizard Complete window appears.

  • Page 413: Enabling the Plug-in and Adding Servers

    Enabling the Plug-in and Adding Servers To enable the DHCP plug-in and add the DHCP servers: Home window>>System configuration>>Quarantining Select the DHCP radio button in the Quarantine area. Select the DHCP servers using the DHCP plug-in radio button (figure 13-2). NOTE: Changes made while one or more DHCP servers cannot be communicated with will be sent to those DHCP servers as soon as communication is re-...

  • Page 414

    • debug – Log everything (most amount of detail) CAUTION: Setting the log level to debug may adversely affect performance. Click ok. The added DHCP server appears as shown in the following figure: Figure 13-8.

  • Page 415: Viewing DHCP Server Plug-in Status, Editing DHCP Server Plug-in Configurations

    Viewing DHCP Server Plug-in Status DHCP server plug-in status is displayed in the following locations: ■ System configuration>>Quarantining>>DHCP window ■ System monitor>>select a cluster>>Quarantining window ■ Home window>>System configuration>>Quarantining>>DHCP Quarantine method radio button>>DHCP servers using the DHCP plug-in radio button>>Click edit next to a DHCP server configuration Editing DHCP Server Plug-in Configurations...

  • Page 416: Deleting a DHCP Server Plug-in Configuration, Disabling a DHCP Server Plug-in Configuration

    Click ok to return to the System Configuration>>Quarantining window. Click ok to save the changes and return to the Home window. Deleting a DHCP Server Plug-in Configuration To delete a DHCP Server Plug-in Configuration: Home window>>System configuration>>Quarantining>>DHCP Quarantine method radio button>>DHCP servers using the DHCP plug-in radio button Click remove next to the DHCP server plug-in configuration you wish to...

  • Page 417

    Click enable next to the DHCP server plug-in configuration you wish to enable. Click yes at the Enable DHCP plug-in configuration prompt. Click ok to save the changes and return to the Home window. 13-15...

  • Page 418

    (This page intentionally left blank.)

  • Page 419

    Reports Chapter Contents Report Types ........... 14-2 Generating Reports .

  • Page 420: Report Types

    Reports Report Types Report Types NAC 800 generates the following types of reports (report, description, report columns): NAC policy results – Lists each NAC policy and the last pass/fail policy results – columns: policy name, test status, # of times, ...

  • Page 421

    Test results by NetBIOS name – Lists the number of tests that passed or failed for each NetBIOS name – columns: netbios, cluster, ip address, user, test status, # of times, ...

  • Page 422: Generating Reports

    Reports Generating Reports Generating Reports To generate a report: Home window>>Reports The following figure shows the Reports window. Figure 14-1. Reports In the Report drop-down list, select the report to run. Select the Report period. Select the Rows per page. In the Endpoint search criteria area, select any of the following options to use for filtering the report: Cluster...

  • Page 423

    Endpoint test status Access control status Endpoints must match: i. All of the selected criteria ii. Any of the selected criteria Select Generate report. After a short period of time the compiled report is displayed in a separate browser window. The following figure shows an example report.

  • Page 424: Viewing Report Details

    Reports Viewing Report Details Viewing Report Details To view report details: Home window>>Reports Select the options for the report you want to run. Click Generate report. Click the details link. The Test details window appears: 14-6...

  • Page 425

    Figure 14-3. Test Details Report 14-7...

  • Page 426: Printing Reports

    Reports Printing Reports Printing Reports To print a report: Home window>>Reports Select the options for the report you want to run. Click Generate report. Select Print. Select the printer options and properties. Select Print. 14-8...

  • Page 427: Saving Reports To A File

    Reports Saving Reports to a File Saving Reports to a File To save a report: Home window>>Reports Select the options for the report you want to run. Click Generate report. Select File>>Save Page As from the browser menu. Enter a name and location where you want to save the file. Select Web page, complete.

  • Page 428: Converting an HTML Report to a Word Document

    Reports Converting an HTML Report to a Word Document Converting an HTML Report to a Word Document To convert an HTML report: Run the report (see “Generating Reports” on page 14-4.) Save an HTML version of it (see “Saving Reports to a File” on page 14-9). Open the HTML report in Microsoft Word.

  • Page 429: Table Of Contents

    System Administration Chapter Contents Launching NAC 800 ..........15-3 Launching and Logging into NAC 800 .

  • Page 430: Table Of Contents

    System Administration Using an SSL Certificate from a known Certificate Authority (CA) . . . 15-29 Moving an ES from One MS to Another ......15-32 Recovering Quickly from a Network Failure .

  • Page 431: Launching NAC 800, Launching and Logging into NAC 800, Logging Out of NAC 800

    System Administration Launching NAC 800 Launching NAC 800 Launching and Logging into NAC 800 To launch and log into NAC 800: Browser window on the workstation Using https://, point your browser to the NAC 800 MS IP address or host name. The login page appears. Enter the User name and Password that you defined the first time you logged in.

  • Page 432: Restarting NAC 800 System Processes

    System Administration Restarting NAC 800 System Processes Restarting NAC 800 System Processes This section lists the commands to stop and restart services associated with NAC 800 installations for MS, ES, or Single-server Installations. Restart instead of start is used for services already running in NAC 800. When running NAC 800 and monitoring systems on your network, you may encounter a warning on a server stating that a Connection cannot be established.

  • Page 433: Downloading New Tests

    System Administration Downloading New Tests Downloading New Tests To download the latest tests from the ProCurve server: Home window>>System configuration>>Test updates>>Check for test updates button TIP: If you are not receiving test updates, try the following checks: - Verify that the system time is correct - Verify that the NAC’s web proxy is correct (if one is needed) - Attempt to connect using a web browser: http://update.procurve.com/monitor/ruleUpdate_status...

  • Page 434: System Settings, DNS/Windows Domain Authentication and Quarantined Endpoints

    System Administration System Settings System Settings DNS/Windows Domain Authentication and Quarantined Endpoints In order to satisfy the following scenarios: ■ A guest user gets redirected ■ A user is redirected if their home page is the Intranet ■ The only host that is resolved is the domain controller (DC); and no other intranet hosts are resolved.

  • Page 435: Matching Windows Domain Policies to NAC Policies

    _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 88 dc01.lvh.com
    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 389 dc01.lvh.com
    When a browser is configured with an Intranet site as its home page, it will get redirected as shown in the following example process: ->...

  • Page 436: Setting the Access Mode, Naming Your Enforcement Cluster

    For example, to change the NAC policy to not run the Windows automatic update test: Home window>>NAC policies Select the NAC policy that tests the domain's endpoints. Select the Tests menu option. Clear the Windows automatic updates check box. Click ok.

  • Page 437: Changing the MS Host Name, Changing the ES Host Name

    Changing the MS Host Name To change the MS host name: See “Modifying MS Network Settings” on page 3-24. Changing the ES Host Name To change the ES host name: See “Changing the ES Network Settings” on page 3-17. Changing the MS or ES IP Address To change the MS or ES IP address: The preferred method is to use the user interface:...

  • Page 438

    TIP: You must reset the system before you can change the personality of the server; that is, before you can change an MS to an ES or an ES to an MS. To reset your system to the as-shipped state: Command line window Log in as root to the NAC 800 MS or ES, either using SSH or directly with a keyboard.

  • Page 439: Resetting Your Test Data

    Resetting your Test Data There are times when you may wish to revert to the as-shipped state for test data: clearing the database of all endpoints and test results, and resetting SAPQ and DHCP leases. To reset your test data to the as-shipped state: Command line window For single-server installations: Log in as root to the NAC 800 MS, either using SSH or directly with a...

  • Page 440: Changing Properties

    ii. Enter the following at the command line: resetTestData.py NOTE: The resetTestData.py file is in the following directory: cd /usr/local/nac/bin Changing Properties To change the property values in the properties files: Command line window Log in as root to the NAC 800 MS using SSH. Enter the following at the command line: setProperty.py <DESTINATION>...

  • Page 441: Specifying an Email Server for Sending Notifications

    <key>=<value> One or more key=value settings Note: a <value> of '-' will delete the property For example, to change the upgrade timeout to 30 minutes, enter the following command: setProperty.py -m Compliance.UpgradeManager.UpgradeTimeout= Specifying an Email Server for Sending Notifications NAC 800 Enforcement clusters send alerts and notifications when certain events occur.

  • Page 442: Entering Networks Using CIDR Format

    System Administration Entering Networks Using CIDR Format Entering Networks Using CIDR Format Networks and network endpoints can be specified in NAC 800 using Classless Inter Domain Routing (CIDR) format. CIDR is a commonly used method for specifying Internet objects. Table 15-3 presents common CIDR naming conventions.

  • Page 443: Database, Creating a Backup File, Changing the Backup Timeouts

    System Administration Database Database Creating a Backup File To create a backup file of system configuration and data: See “Initiating a New Backup” on page 3-106. Changing the Backup Timeouts If the backup process takes longer than the default timeouts (10 minutes for pg_dump and 1 minute for tar), you can increase the timeout values by performing the following steps: To change the timeout value for backups:...

  • Page 444: Restoring From Backup

    Restoring from Backup NOTE: You must have backed up your system at least one time before you can restore from a backup. See “Initiating a New Backup” on page 3-106. To restore system configuration and data from a backup file: Home window>>System configuration>>Maintenance Click restore system from backup file.

  • Page 445: Restoring the Original Database, Generating a Support Package

    Restoring the Original Database CAUTION: Running this script resets your entire system, not just the database. See “Resetting your System” on page 15-9 for more information. To reset a NAC 800 database to its pristine state: Command window Log in as root to the NAC 800 MS using SSH.

  • Page 446: Supported VPNs

    System Administration Supported VPNs Supported VPNs NAC 800 works with any VPN endpoint, since NAC 800 does not directly interface or inter-operate with VPN endpoints. The following commonly deployed VPN solutions have been tested: ■ Cisco VPN Concentrators ■ OpenSSL VPNs ...

  • Page 447

    System Administration End-user Access Windows End-user Access Windows The end-user access windows are completely customizable. You can enter general text through the NAC 800 interface and edit the file that contains the messages that are returned to the end-user. TIP: If you need more end-user access window customization than is described in this Users’...

  • Page 448: How NAC 800 Handles Static IP Addresses

    System Administration How NAC 800 Handles Static IP Addresses How NAC 800 Handles Static IP Addresses The following list details how NAC 800 handles static IP addresses: ■ Inline Mode – NAC 800 can detect, test, and quarantine static IP addresses.

  • Page 449: Managing Passwords

    System Administration Managing Passwords Managing Passwords The passwords associated with your NAC 800 installation are listed in the following table (columns: NAC 800 password, Set during, Recovery process): NAC 800 – Initial install process – * See “Resetting the NAC 800 Server Management or Password”...

  • Page 450: Resetting the NAC 800 Server Password

    Table 15-4. NAC 800 Passwords (columns: NAC 800 password, Set during, Recovery process): Novell eDirectory password – Manually entered after installation on the System configuration>>Quarantining>>802.1X Quarantine method radio button window – Novell eDirectory password recovery is beyond the scope of this document. Resetting the NAC 800 Server Password If you can remember the NAC 800 user interface password, but cannot remember the root login password for the NAC 800 MS or ES, log in to the...

  • Page 451: Resetting the NAC 800 Database Password, Changing the NAC 800 Administrator Password

    CAUTION: Changing the appliance server mode (personality) resets the passwords, but it also restores the entire system to the default state—deleting data and erasing configuration settings. Resetting the NAC 800 Database Password The NAC 800 database password is set during the install process. You cannot change your database password with NAC 800 later.

  • Page 452

    Enter the following command: setProperty.py -f<filename> From a workstation, open a browser window and point to the NAC 800 MS. Enter a new User Name and Password when prompted. 15-24...

  • Page 453: Working with Ranges

    System Administration Working with Ranges Working with Ranges In NAC 800 implementations, particularly in trial installations where you are connecting and disconnecting cables to a number of different types of endpoints, you can filter the activity by specifying the following: ■...

  • Page 454

    Home window>>System configuration>>Enforcement clusters & servers>>Select an Enforcement Cluster>>Advanced menu option In the Endpoint detection area, enter the range of addresses to ignore in the IP addresses to ignore text field. Separate ranges with a hyphen or use CIDR notation.

  • Page 455: Creating and Replacing SSL Certificates, Creating a New Self-signed Certificate

    System Administration Creating and Replacing SSL Certificates Creating and Replacing SSL Certificates The Secure Sockets Layer (SSL) protocol uses encryption by way of certificates to provide security for data or information sent over HTTP. Certificates are digitally signed statements that verify the authenticity of a server for security purposes.

  • Page 456

    Remove the existing keystore by entering the following at the command line: rm -f /usr/local/nac/keystore/compliance.keystore Enter the following at the command line: keytool -genkey -keyalg RSA -alias <key_alias> -keystore /usr/local/nac/keystore/compliance.keystore Where: <key_alias> is the name for the key within the keystore file The keytool utility prompts you for the following information: •...

  • Page 457: Using an SSL Certificate from a Known Certificate Authority (CA)

    <key_alias> -keystore /usr/local/nac/keystore/compliance.keystore b. Import the key root certificates by entering the following command on the command line of the NAC 800 server: keytool -import -file /tmp/cacerts -alias <key_alias> -keystore /usr/local/nac/keystore/cacerts keytool prompts for the password of the cacerts file, which should be the default: changeit.

  • Page 458

    Submit the CSR (see “Copying Files” on page 1-20) to your chosen CA (such as Thawte or Verisign) along with anything else they might require: http://www.verisign.com/ http://www.thawte.com/ If you are using a non-traditional CA (such as your own private Certificate Authority/Public Key Infrastructure (CA/PKI), or if you are using a less well-known CA, you will need to import the CA’s root certificates into the java cacerts file by entering the following command on the command line...

  • Page 459

    System Administration Creating and Replacing SSL Certificates 10. Save and exit the file. 15-31...

  • Page 460: Moving An Es From One Ms To Another

    System Administration Moving an ES from One MS to Another Moving an ES from One MS to Another If you have an existing ES, you can move it to a different MS by performing the steps in this section. To move an ES to a different MS: Command line window Log in to the ES as root using SSH or directly with a keyboard.

  • Page 461: Recovering Quickly From A Network Failure

    System Administration Recovering Quickly from a Network Failure Recovering Quickly from a Network Failure If you have a network with a very large number of endpoints (around 3000 endpoints per ES), and your network goes down, perform the following steps to make sure that your endpoints can reconnect as quickly as possible: Place all of the clusters that have a large number of endpoints in allow all mode:...

  • Page 462: Vlan Tagging

    System Administration VLAN Tagging VLAN Tagging In some cases, such as when the DHCP server is in a separate VLAN from the span/mirror port, the mirrored port traffic is 802.1q tagged. In this case, in order for NAC 800 to recognize the traffic, the following workaround must be performed.

  • Page 463

    System Administration VLAN Tagging Restart the network interface by entering the following at the command line: service network restart Change the interface the EDAC listens on: Log in to the MS using SSH or directly with a keyboard. b. For 802.1X mode, enter the following command at the command line: setProperty.py -c <cluster name>...

  • Page 464: Iptables Wrapper Script

    System Administration iptables Wrapper Script iptables Wrapper Script To avoid creating conflicts between iptables and the nac-es service, do not run the following commands manually: ■ /etc/init.d/iptables ■ service iptables start ■ service iptables stop ■ service iptables restart The nac-es service must be shut down before making changes to the iptables firewall.

  • Page 465: Supporting Network Management System, Enabling Icmp Echo Requests, Enable Temporary Ping, Enable Persistent Ping

    System Administration Supporting Network Management System Supporting Network Management System This section describes Network Management System (NMS) settings. Enabling ICMP Echo Requests The default configuration for NAC 800 is to not respond to ICMP Echo (ping) requests. Enable Temporary Ping To temporarily (until reboot) enable ICMP echo requests: Command line Log in to the NAC 800 server as root using SSH or directly with a keyboard.

  • Page 466: Restricting The Icmp Request

    System Administration Supporting Network Management System echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all Save and exit the file. At the command line, enter the following: /etc/rc.d/rc.local Restricting the ICMP Request If you wish to restrict the ping request to a specific interface, such as the interface facing the protected network, then after following the procedures above, follow the instructions in this section to add rules to the firewall chain so that ping requests are only viable through the interface specified.

  • Page 467: Snmp Mibs

    System Administration Supporting Network Management System SNMP MIBs A Management Information Base (MIB) is a database that manages devices in a network. Simple Network Management Protocol (SNMP) is a protocol used for communication between devices that uses MIBs to obtain SNMP message formats.

  • Page 468

    (This page intentionally left blank.)

  • Page 469

    Patch Management Chapter Contents Patch Management ..........16-2 Flagging a Test to Launch a Patch Manager .

  • Page 470: Patch Management

    Patch Management Patch Management Patch Management NAC 800 can integrate with patch management software. When an endpoint fails due to a missing patch, NAC 800 wakes the patch manager client, checks for the completion of the patch, and then retests upon completion. The patch management capability uses the following test statuses: ■...

  • Page 471: Flagging A Test To Launch A Patch Manager

    Patch Management Flagging a Test to Launch a Patch Manager Flagging a Test to Launch a Patch Manager To flag a test to launch a patch manager: Home window>>NAC Policies>>Select or create a NAC policy>>Tests menu option Figure 16-1. Initiate a Patch Manager Check Box Select the check box for a test in the left column.

  • Page 472: Selecting The Patch Manager

    Patch Management Selecting the Patch Manager Selecting the Patch Manager To select the patch manager: Home window>>NAC Policies>>Select or create an access policy>>Tests menu option Select the check box for a test in the left column. Click on the test name in the left column. Select the Initiate patch manager check box.

  • Page 473: Specifying The Number Of Retests

    Patch Management Specifying the Number of Retests Specifying the Number of Retests To select the maximum number of retest attempts: Home window>>NAC Policies>>Select or create an access policy>>Tests menu option Select the check box for a test in the left column. Click on the test name in the left column.

  • Page 474: Specifying The Retest Frequency

    Patch Management Specifying the Retest Frequency Specifying the Retest Frequency To specify the retest interval: Home window>>NAC Policies>>Select or create an access policy>>Tests menu option Select the check box for a test in the left column. Click on the test name in the left column. Select the Initiate patch manager check box.

  • Page 475: Sms Patch Management

    Patch Management SMS Patch Management SMS Patch Management Repair vulnerabilities using patch management with SMS. NOTE: Windows SMS 2003 is the only version supported. 16-7...

  • Page 476: Sms Concepts

    Patch Management SMS Concepts SMS Concepts Microsoft Systems Management Server (SMS) 2003 provides a means to manage software updates for Microsoft platform endpoints. The SMS server contains a database of logical groups with common attributes called collections. SMS operates only on clients (endpoints) that are members of a collection.

  • Page 477: Nac 800/sms/nac 800 Process

    Patch Management NAC 800/SMS/NAC 800 Process NAC 800/SMS/NAC 800 Process When an agent-based test fails on the endpoint, NAC 800 wakes up the endpoint client (SMS) which patches the endpoint. NAC 800 retests the endpoint. If the test fails again, NAC 800 keeps looping until patching completes.

  • Page 478: Nac 800 Setup

    Patch Management NAC 800 Setup NAC 800 Setup To set up NAC 800 for use with SMS: Install and configure NAC 800. Log into the NAC 800 user interface. Add the following IP addresses to the NAC 800 home window>>System configuration>>Accessible services area: SMS server IP address b.

  • Page 479: Learning More About Sms

    Patch Management Learning More About SMS Learning More About SMS The following links provide additional information about SMS: ■ Microsoft SMS home page http://www.microsoft.com/smserver/ 16-11...

  • Page 480

    (This page intentionally left blank.)

  • Page 481

    Configuring the Post-connect Server Chapter Contents Overview ............A-2 Extracting the ZIP File .

  • Page 482

    Configuring the Post-connect Server Overview Overview This section describes how to configure the remote server for use with the NAC 800 post-connect feature. The post-connect server can be a Windows server or a Linux server. This section details the following: ■...

  • Page 483: Extracting The Zip File, Windows, Linux

    Configuring the Post-connect Server Extracting the ZIP File Extracting the ZIP File Windows To download and extract the ZIP file to a Windows machine: Create a directory for the contents of the ZIP file on the Windows machine. ProCurve recommends C:\Program Files\ProCurve. These instructions assume that you used the C:\Program Files\ProCurve directory.

  • Page 484: Zip File Contents

    Configuring the Post-connect Server ZIP File Contents ZIP File Contents The following folders and files are extracted: ■ postconnect • Connector.bat Connector_ActionScript.py InstallConnectorService.bat postconnect UninstallConnectorService.bat wrapper.exe • conf wrapper.conf • activemq-core-4.1.1.jar backport-util-concurrent-2.1.jar commons-logging-1.0.3.jar concurrent-1.3.4.jar connector.jar connector.properties geronimo-spec-j2ee-management-1.0-rc4.jar jms.jar JMSConnection.properties log4j-1.2.13.jar log4j.properties wrapper.dll wrapper.jar...

  • Page 485: Setting Up A Post-connect Host, Windows

    Configuring the Post-connect Server Setting up a Post-connect Host Setting up a Post-connect Host Windows Your post-connect host can be a Linux or Windows server. This section provides instructions on setting up a Windows host. To set up a Windows post-connect host: Install WinPcap on a Windows machine if it is not already installed: Log into your Windows server.

  • Page 486: Linux

    Configuring the Post-connect Server Setting up a Post-connect Host Change the product to be the product you are running. For example: product=IDS Product Name d. Save and exit the file. Edit the JMSConnection.properties file: Open the \postconnect\lib\JMSConnection.properties file with a text editor. b.

  • Page 487

    Configuring the Post-connect Server Setting up a Post-connect Host Log in to the NAC 800 MS as root using SSH or directly with a keyboard. b. Copy the /usr/local/nac/keystore/cacerts file from the MS into the /usr/local/postconnect/lib folder on the post-connect server where you extracted the ZIP file. See “Copying Files” on page 1-20 for information on how to copy files securely.

  • Page 488

    Configuring the Post-connect Server Setting up a Post-connect Host d. Start the service by entering the following at the command line: service postconnect start...

  • Page 489: Viewing Logs

    Configuring the Post-connect Server Viewing Logs Viewing Logs To view post-connect logs: The log files are as follows: ■ /usr/local/postconnect/log/connector.log – Verify that the connector is running. ■ /usr/local/postconnect/log/script.log – The script writes to this file.

  • Page 490: Testing The Service, Windows, Linux

    Configuring the Post-connect Server Testing the Service Testing the Service To test the post-connect service: Command line Enter the following at the command line: Windows /usr/local/postconnect/bin/Connector_ActionScript.py <endpoint IP> "Reason 1" "Reason 2" Linux /usr/local/postconnect/bin/Connector_ActionScript.py <endpoint ip> "Reason 1" "Reason 2" Where: <endpoint IP>...

  • Page 491: Configuring Your Sensor

    Configuring the Post-connect Server Configuring Your Sensor Configuring Your Sensor Configure your post-connect sensor to call Connector_ActionScript.py with the IP address of the endpoint to quarantine and the reasons to quarantine. A-11...

  • Page 492: Allowing Nac 800 Through The Firewall

    Configuring the Post-connect Server Allowing NAC 800 Through the Firewall Allowing NAC 800 Through the Firewall NAC 800 needs to communicate with the post-connect server through port 61616. See “Allowing the Windows RPC Service through the Firewall” on page 5-22 for instructions on how to open a port on a Windows machine. A-12...

  • Page 493

    Tests Help Chapter Contents Overview ............B-3 Browser Security Policy –...

  • Page 494

    Tests Help Mac Security Updates ........B-24 Mac Services .

  • Page 495

    Tests Help Overview Overview The tests performed on endpoints attempting to connect to the network are listed on the NAC 800 Home window>>NAC policies>>Select a NAC policy>>Tests. These tests are updated when you download the latest versions by selecting NAC 800 Home window>>System Configuration>>Test Updates>>Check for Test Updates.

  • Page 496: Browser Security Policy – Windows

    Tests Help Browser Security Policy – Windows Browser Security Policy – Windows The Browser security policy tests verify that any endpoint attempting to connect to your system meets your specified security requirements. Browser vulnerabilities are related to cookies, caches, and scripts (JavaScript, Java, and Active scripting / ActiveX).

  • Page 497

    Tests Help Browser Security Policy – Windows Item Description Active scripting / ActiveX Active scripting / ActiveX extends other programming languages (such as Java) by providing re-usable "controls" that enable developers to make Web pages "active". ActiveX is Microsoft's brand for active scripting. The following links provide more detailed information about ActiveX: http://www.active-x.com/articles/whatis.htm •...

  • Page 498: Internet Explorer (ie) Internet Security Zone

    Tests Help Browser Security Policy – Windows Internet Explorer (IE) Internet Security Zone Description: This test verifies that the endpoint attempting to connect to your system is configured according to your specified Internet security zone standards. Test Properties: Select the Internet Explorer Internet security zone settings required on your network.

  • Page 499: Internet Explorer (ie) Local Intranet Security Zone

    Tests Help Browser Security Policy – Windows Internet Explorer (IE) Local Intranet Security Zone Description: This test verifies that the endpoint attempting to connect to your system is configured according to your specified local intranet security zone standards. Test Properties: Select the Internet Explorer local intranet security zone settings required on your network.

  • Page 500: Internet Explorer (ie) Restricted Site Security Zone

    Tests Help Browser Security Policy – Windows Internet Explorer (IE) Restricted Site Security Zone Description: This test verifies that the endpoint attempting to connect to your system is configured according to your specified restricted site security zone standards. Test Properties: Select the Internet Explorer restricted sites security zone settings required on your network.

  • Page 501: Internet Explorer (ie) Trusted Sites Security Zone

    Tests Help Browser Security Policy – Windows Enter a domain name or IP address in the Add this Web site to the zone text box. Click Add. Click OK. Internet Explorer (IE) Trusted Sites Security Zone Description: This test verifies that the endpoint attempting to connect to your system is configured according to your specified trusted sites security zone standards.

  • Page 502

    Tests Help Browser Security Policy – Windows Select one of the following: - Default Level to return to the default settings. - Select Custom Level to specify High, Medium, Medium-low, or Low or to create custom settings. Select Sites. Enter a domain name or IP address in the Add this Web site to the zone text box.

  • Page 503: Operating System – Windows, Iis Hotfixes, Internet Explorer Hotfixes

    Tests Help Operating System – Windows Operating System – Windows The Operating System (OS) tests verify that any endpoint attempting to connect to your system meets your specified OS requirements. Installing the most recent version of your OS helps protect your system against exploits targeting the latest vulnerabilities.

  • Page 504: Microsoft Office Hotfixes, Microsoft Applications Hotfixes

    Tests Help Operating System – Windows What Do I Need to Do?: Manually initiate an update check (http://v4.windowsupdate.microsoft.com/en/default.asp) if automatic update is not enabled, or is not working. Microsoft Office Hotfixes Description: This test verifies that the endpoint attempting to connect to your system has the latest Microsoft Office hotfixes installed.

  • Page 505: Microsoft Servers Hotfixes, Microsoft Tools Hotfixes

    Tests Help Operating System – Windows Test Properties: Select the hotfixes required on your network. If needed select Deep Check to permit endpoint tests to run at the file level. Selecting the All critical updates option requires all the critical patches that have been released or will be released by Microsoft.

  • Page 506: Service Packs, Windows 2000 Sp4 Hotfixes

    Tests Help Operating System – Windows Test Properties: Select the hotfixes required on your network. If needed select Deep Check to permit endpoint tests to run at the file level. Selecting the All critical updates option requires all the critical patches that have been released or will be released by Microsoft.

  • Page 507: Windows 2003 Sp1 Hotfixes, Windows 2003 Sp2 Hotfixes

    Tests Help Operating System – Windows secure option is to select the All critical updates option, as this requires all the critical patches that have been released or that will be released by Microsoft. You don't have to keep checking by patch number. How Does this Affect Me?: Hotfixes are programs that update the software and may include performance enhancements, bug fixes, security enhancements, and so on.

  • Page 508: Windows Automatic Updates

    Tests Help Operating System – Windows Test Properties: Select the hotfixes from the list presented that are required on your network. This list will occasionally change as tests are updated. If needed select Deep Check to permit endpoint tests to run at the file level. The most secure option is to select the All critical updates option, as this requires all the critical patches that have been released or that will be released by Microsoft.

  • Page 509: Windows Media Player Hotfixes, Windows Vista™ Sp0 Hotfixes

    Tests Help Operating System – Windows What Do I Need to Do?: Enable automatic updates. See the following link for instructions: http://www.microsoft.com/protect/computer/updates/mu.mspx Enable automatic updates for Windows 2000: Select Start>>Settings>>Control Panel>>Automatic Updates Select Keep my computer up to date. Select Download the updates automatically and notify me when they are ready to be installed.

  • Page 510: Windows Xp Sp1 Hotfixes

    Tests Help Operating System – Windows Vista Enterprise ■ Test Properties: Select the hotfixes from the list presented that are required on your network. This list will occasionally change as tests are updated. If needed select Deep Check to permit endpoint tests to run at the file level. The most secure option is to select the All critical updates option, as this requires all the critical patches that have been released or that will be released by Microsoft.

  • Page 511: Windows Xp Sp2 Hotfixes

    Tests Help Operating System – Windows Windows XP SP2 Hotfixes Description: This test verifies that the endpoint attempting to connect to your system has the latest Windows XP SP2 hotfixes installed. Test Properties: Select the hotfixes from the list presented that are required on your network.

  • Page 512: Security Settings – Os X, Mac Airport Wep Enabled, Mac Airport Preference

    Tests Help Security Settings – OS X Security Settings – OS X Mac AirPort WEP Enabled Description: This test verifies that WEP encryption is enabled for Airport. Test Properties: There are no properties to set for this test. How Does this Affect Me?: Wired Equivalent Privacy (WEP) is a wireless network security standard that provides the same level of security as the security in a wired network.

  • Page 513: Mac Airport User Prompt, Mac Anti-virus

    Tests Help Security Settings – OS X Mac AirPort User Prompt Description: This test verifies that the user is prompted before joining an open network. Test Properties: There are no properties to set for this test. How Does this Affect Me?: If you move between different locations, this option prompts you before automatically joining any network.

  • Page 514: Mac Bluetooth, Mac Firewall

    Tests Help Security Settings – OS X The following link provides more information on anti-virus software and protecting your computer: http://www.us-cert.gov/cas/tips/ST04-005.html Mac Bluetooth Description: This test verifies that Bluetooth is either completely disabled or if enabled is not discoverable. Test Properties: There are no properties to set for this test. How Does this Affect Me?: Bluetooth is a wireless technology that allows computers and other endpoints (such as mobile phones and personal digital assistants (PDAs)) to communicate.

  • Page 515: Mac Internet Sharing, Mac Quicktime® Updates

    Tests Help Security Settings – OS X Mac Internet Sharing Description: This test verifies that the internet sharing is disabled. Test Properties: There are no properties to set for this test. How Does this Affect Me?: Mac internet sharing allows one computer to share its internet connection with other computers.

  • Page 516: Mac Security Updates, Mac Services

    Tests Help Security Settings – OS X Mac Security Updates Description: This test verifies that the security updates have been applied on this endpoint. Test Properties: When an endpoint fails this test, it can be granted temporary access in the following ways: ■ Select the Quarantine access check box and enter a temporary access...

  • Page 517: Security Settings – Windows, Allowed Networks, Microsoft Excel Macros

    Tests Help Security Settings – Windows Security Settings – Windows The Security settings tests verify that any endpoint attempting to connect to your system meets your specified security settings requirements. Allowed Networks Description: Checks for the presence of an unauthorized connection on an endpoint.

  • Page 518: Microsoft Outlook Macros

    Tests Help Security Settings – Windows ■ Low (not recommended). You are not protected from potentially unsafe macros. Use this setting only if you have virus scanning software installed, or you have checked the safety of all documents you open. How Does this Affect Me?: Macros are simple programs that are used to repeat commands and keystrokes within another program.

  • Page 519: Microsoft Word Macros

    Tests Help Security Settings – Windows How Does this Affect Me?: Macros are simple programs that are used to repeat commands and keystrokes within another program. A macro can be invoked (run) with a simple command that you assign, such as [ctrl]+[shift]+[r]. Some viruses are macro viruses and are hidden within a document.

  • Page 520: Services Not Allowed

    Tests Help Security Settings – Windows other files (such as the Normal template) and can potentially infect all of your files. If a user on another computer opens the infected file, the virus can spread to their computer as well. What Do I Need to Do?: Set the Microsoft Word macro security level as follows: Open Word.

  • Page 521: Services Required

    Tests Help Security Settings – Windows How to change the service startup type: Select Start>>Settings>>Control Panel>>Administrative Tools>>Services. Right-click on a service and select Properties. Select Manual or Disabled from the Startup type drop-down list. Click OK. Close the Services window. Close the Administrative Tools window.

  • Page 522: Windows Bridge Network Connection, Windows Wireless Network Ssid Connections

    Tests Help Security Settings – Windows Right-click on a service and select Properties. Select Automatic from the Startup type drop-down list. Click OK. Close the Services window. Close the Administrative Tools window. Windows Bridge Network Connection Description: This test verifies that the endpoint attempting to connect to the network does not have a bridged network connection present.

  • Page 523: Windows Security Policy

    Tests Help Security Settings – Windows Test Properties: Enter a list of allowed Wireless SSIDs that are legitimate for your network. Enter the SSIDs as a comma-delimited list. For example, HomeNet, WorkNet. The following wireless adapters are supported: NetGear, LinkSYS, D-Link. How Does this Affect Me?: In order to use wireless networks, you must specify the network names to which the wireless endpoints connect.

  • Page 524: Windows Startup Registry Entries Allowed

    Tests Help Security Settings – Windows ■ Enable "Accounts: Limit local account use of blank passwords to console logon only" http://www.microsoft.com/resources/documentation/IIS/6/all/proddocs/en-us/Default.asp?url=/resources/documentation/IIS/6/all/proddocs/en-us/636.asp What Do I Need to Do?: To select the security policies: Select Start>>Settings>>Control Panel>>Administrative Tools. Double-click Local Security Policy. Double-click Local Policies.

  • Page 525: Wireless Network Connections

    Tests Help Security Settings – Windows run and runOnce keys cause programs to run automatically. Many worms and viruses are started by a call from the Windows Registry. If you limit what can start up when you log in, you can reduce the potential for worms and viruses to run on your system. The following links provide a description of the Microsoft Windows Registry and the Run keys: ■...

  • Page 526

    Tests Help Security Settings – Windows http://www.pcworld.com/article/id,112138/article.html B-34...

  • Page 527: Software – Windows, Anti-spyware, Anti-virus

    Tests Help Software – Windows Software – Windows The Software tests verify that any endpoint attempting to connect to your system meets your specified software requirements. Installing the most recent version of your software helps protect your system against exploits targeting the latest vulnerabilities.

  • Page 528: High-risk Software, Microsoft Office Version Check

    Tests Help Software – Windows How Does this Affect Me?: Anti-virus software scans your computer, email, and other files for known viruses, worms, and trojan horses. It searches for known files and automatically removes them. A virus is a program that infects other programs and files and can spread when a user opens a program or file containing the virus.

  • Page 529: Personal Firewalls

    Tests Help Software – Windows Test Properties: Select the check box for one or more Microsoft Office packages. Any software package selected that does not have the latest version installed fails the test. How Does this Affect Me?: Some companies may support only the software listed. Using the most recently updated version of software can help protect your system from known vulnerabilities.

  • Page 530: Software Not Allowed, Software Required

    Tests Help Software – Windows How Does this Affect Me?: A firewall is hardware or software that views information as it flows to and from your computer. You configure the firewall to allow or block data based on criteria such as port number, content, source IP address, and so on. The following links provide more detailed information about firewalls: ■...

  • Page 531: Worms, Viruses, And Trojans

    Tests Help Software – Windows Test Properties: Enter a list of applications that are required on all connecting endpoints, separated with a carriage return. The format for an application is vendor\software package[\version]. Using this format stores the value in the HKEY_LOCAL_MACHINE\Software key.

  • Page 532

    (This page intentionally left blank.)

  • Page 533

    Important Browser Settings Chapter Contents Pop-up Windows ..........C-2 Active Content .

  • Page 534: Pop-up Windows

    Important Browser Settings Pop-up Windows Pop-up Windows The NAC 800 reports capability uses a pop-up window. In order for you to run reports on NAC 800, you must allow pop-up windows from the NAC 800 server. To allow pop-up windows in IE 6.0 with SP2: IE browser>>Tools>>Pop-up blocker>>Pop-up blocker settings Enter the IP address or partial IP address of the NAC 800 MS.

  • Page 535

    Important Browser Settings Pop-up Windows Clear the Block Popup Windows check box. Close the Content window.

  • Page 536: Active Content

    Important Browser Settings Active Content Active Content The Windows® XP Service Pack 2 (SP2) installation changes some of the Internet Explorer (IE) browser’s security settings. This change in settings displays an active content message (figure C-1), at the top of the browser window when you access the NAC 800 help feature.

  • Page 537

    Important Browser Settings Active Content IE browser>>Tools>>Internet Options>>Advanced tab Figure C-4. IE Internet Options, Advanced Tab In the Internet Options pop-up window, scroll down to the security section. Select the Allow active content to run in files on my computer check box. Click OK.

  • Page 538: Minimum Font Size

    Important Browser Settings Minimum Font Size Minimum Font Size In order to properly display the NAC 800 user interface, do not specify the minimum font size. To clear the IE minimum font size: IE browser>>Tools>>Internet options>>General tab>>Accessibility button Make sure all of the check boxes are cleared on this window. Click OK.

  • Page 539

    Important Browser Settings Minimum Font Size Select the Allow pages to choose their own fonts, instead of my selections above check box. Click OK. Close the Content window.

  • Page 540: Page Caching

    Important Browser Settings Page Caching Page Caching To set the IE page caching options: Internet Explorer browser>>Tools>>Internet Options Select the General tab Click Settings. In the Check for new versions of stored pages area, select the Automatically radio button. Click OK. In the Internet Options dialog box, click the Advanced tab.

  • Page 541: Temporary Files

    Important Browser Settings Temporary Files Temporary Files Periodically delete temporary files from your system to improve browser performance. To delete temporary files in IE: Internet Explorer>>Tools>>Internet Options>>General tab Click Delete Files. Select the Delete all offline content check box. Click OK. Click OK.

  • Page 542

    Important Browser Settings Temporary Files Firefox menu>>Preferences>>Privacy In the Private Data area, click Settings. The Clear Private Data window appears. Select the Cache check box. Click OK. Click Clear Now. Close the Privacy window. C-10...

  • Page 543

    Installation and Configuration Check List Chapter Contents Minimum System Requirements ........D-2 Installation Location .

  • Page 544: Minimum System Requirements

    Installation and Configuration Check List Minimum System Requirements Minimum System Requirements Required fields are indicated by a red asterisk (*). Dedicated server with: Processor ( Pentium Intel Dual Core (Core 2 Duo/Xeon 5100 series) 4) *: Speed ( 1.2 GHz) *: ________________________________ 1.86 Memory (211 GB RAM) *: ____________________________ Disk space (8036 GBSATA disk drive...

  • Page 545: Installation Location

    Installation and Configuration Check List Installation Location Installation Location My office(s) Server room(s)/Data center(s) Test lab(s) Production network(s) I have access to the installation site(s) I do not have access to the installation site(s)

  • Page 546: Ip Addresses, Hostname, Logins, And Passwords, Single-server Installation, Multiple-server Installations

    Installation and Configuration Check List IP Addresses, Hostname, Logins, and Passwords IP Addresses, Hostname, Logins, and Passwords NOTE: This Installation and Configuration Checklist is a list of the items used in NAC 800 including passwords; however, ProCurve recommends as a security best practice that you never write down passwords.

  • Page 547: Enforcement Server 1, Management Server

    Installation and Configuration Check List IP Addresses, Hostname, Logins, and Passwords The MS is installed on one physical server; each ES is installed on a unique physical server. Management Server Required fields are indicated by a red asterisk (*). Create at least one MS. MS IP address: ___________________________________________ MS Netmask IP address (Network mask):...

  • Page 548: Enforcement Server 2, Enforcement Server 3

    Installation and Configuration Check List IP Addresses, Hostname, Logins, and Passwords Tertiary nameserver IP address (DNS server): _________________ ES hostname (FQDN): _____________________________________ TIP: Select simple names that are short, easy to remember, have no spaces or underscores, and the first and last character cannot be a dash (-). Time zone: _______________________________________________ ES server root password:...

  • Page 549: Proxy Server

    Installation and Configuration Check List IP Addresses, Hostname, Logins, and Passwords Cluster name 3: ___________________________________________ ES IP address: ____________________________________________ ES Netmask IP address (Network mask): ____________________ Default gateway IP address: ________________________________ Primary nameserver IP address (DNS server): ________________ Secondary nameserver IP address (DNS server): _______________ Tertiary nameserver IP address (DNS server): _________________ ES hostname (FQDN): _____________________________________...

  • Page 550

    Installation and Configuration Check List Agentless Credentials Agentless Credentials Required fields are indicated by a red asterisk (*). The administrator credentials for endpoints on a domain. Set them globally for all clusters, or override them on a per-cluster basis. All clusters: Windows domain name: ____________________________ Administrator user ID: *______________________________...

  • Page 551: Quarantine, X Devices

    Installation and Configuration Check List Quarantine Quarantine Define quarantine methods and settings for all clusters, or on a per-cluster basis. 802.1X Required fields are indicated by a red asterisk (*). Quarantine subnets: ________________________________________ RADIUS server type (local or remote IAS): ____________________ Local RADIUS server type end-user authentication method: Manual: ____________________________________________ Windows domain:...

  • Page 552: Dhcp

    Installation and Configuration Check List Quarantine 802.1X device 1 IP address: ________________________________________ Shared secret: ______________________________________ Device type: _______________________________________ 802.1X device 2 IP address: ________________________________________ Shared secret: ______________________________________ Device type: _______________________________________ 802.1X device 3 IP address: ________________________________________ Shared secret: ______________________________________ Device type: _______________________________________ 802.1X device 4 IP address:...

  • Page 553: Accessible Services

    Installation and Configuration Check List Quarantine Quarantine area 1 DHCP IP range: ___________________ Quarantine area 1 quarantined area gateway: *__________ Quarantine area 1 domain suffix: *_____________________ Quarantine area 1 corresponding non-quarantined subnets: DHCP quarantine area 2: Quarantine area 2 quarantined subnet: _________________ Quarantine area 2 DHCP IP range: ___________________ Quarantine area 2 quarantined area gateway: ___________...

  • Page 554

    Installation and Configuration Check List Quarantine Networks: __________________________________________ Windows domain controller: __________________________ Accessible services and endpoints for cluster 2: Web sites:___________________________________________ Hostnames: _________________________________________ IP addresses / ports: _________________________________ Networks: __________________________________________ Windows domain controller: __________________________ Accessible services and endpoints for cluster 3: Web sites:___________________________________________ Hostnames: _________________________________________ IP addresses / ports: _________________________________...

  • Page 555: Notifications

    Installation and Configuration Check List Notifications Notifications Notifications are defined for all clusters or on a per-cluster basis. All clusters Send information to: _________________________________ SNMP server IP address: _____________________________ Email information sent from:__________________________ Cluster 1 Send information to: _________________________________ SNMP server IP address: _____________________________ Email information sent from:__________________________ Cluster 2 Send information to: _________________________________...

  • Page 556: Test Exceptions

    Installation and Configuration Check List Test Exceptions Test Exceptions Exceptions are defined for all clusters or on a per-cluster basis. All cluster endpoint testing exceptions (endpoints that are whitelisted or blacklisted): MAC addresses: _____________________________________ IP addresses: ________________________________________ NetBIOS names: _____________________________________ Cluster 1 endpoint testing exceptions (endpoints that are whitelisted or blacklisted): MAC addresses: _____________________________________...

  • Page 557

    Ports used in NAC 800 The following table provides information about ports used in NAC 800: Port | Parties | Description | Comments. Ports used for testing endpoints: Port 88 (TCP), 89 (TCP) | Endpoint to ES | When using agent-based testing, the endpoint must point (using a browser window) to destination port 88 on the ES for testing, which is redirected to destination port 89 (end-user access... | Not configurable

  • Page 558

    Ports used in NAC 800 Port | Parties | Description | Comments. Ports used by the admin user browser: Port 443 (TCP) | Admin user browser to MS | The administration user interface (as opposed to the end user access screens) uses port 443 on the MS for communication. | Not configurable

  • Page 559

    Ports used in NAC 800 Port | Parties | Description | Comments. Port 514 (TCP) | Infoblox connector to syslog service on... | In environments with the Infoblox syslog connector, the Infoblox server sends DHCP information to NAC 800... | Configurable by making changes to both of the following: •...

  • Page 560

    Ports used in NAC 800 Port | Parties | Description | Comments. Ports used for re-authentication: Port 22 (TCP), 23 (TCP), 161 (TCP) | ES to switch | Used when you select the test connection to device button, and when an endpoint is re-authenticated by the switch. | Not configurable

  • Page 561

    Ports used in NAC 800 Port | Parties | Description | Comments. Ports used for accessible services and endpoints: Port varies | ES to endpoint | In order to grant access for quarantined endpoints to needed services, add entries to the Accessible services list. | Configure in the NAC 800 user interface: Home window>>System

  • Page 562

    (This page intentionally left blank.)

  • Page 563: Installation Requirements, Overview, Installing The Standby Ms

    MS Disaster Recovery Chapter Contents Overview ............F-2 Installation Requirements .

  • Page 564: Installation Requirements, Installing The Standby Ms

    MS Disaster Recovery Overview Overview If the Primary Management Server (primary MS) goes down due to an unrecoverable hardware failure, management server duties can be migrated to an online Standby Management Server (standby MS) using a simple backup and restore process.

  • Page 565: Ongoing Maintenance, Failover Process

    MS Disaster Recovery Overview NOTE: Only an administrative user needs to be created. Other UI users are migrated as part of the backup and restore process. Be sure to keep this UI login information safe, as it is needed to transition MS services to the standby MS. Ongoing Maintenance Certain considerations must be noted regarding the ongoing maintenance of your system in the recovery process for an MS:...

  • Page 566

    MS Disaster Recovery Overview Shut down the primary MS server by entering the following from the command line: shutdown -hy 0 Locate the most recent backup of the primary MS. See “Restoring from Backup” on page 16. This will be the backup that you were instructed during initial installation to store in a safe place.

  • Page 567

    Glossary The following terms and definitions are used in this book, and in other ProCurve Management Software documentation. 802.1X: A port-based authentication protocol that can dynamically vary encryption keys, and has three components: a supplicant, an authenticator, and an authentication server. ACL: Access control list –...

  • Page 568

    Glossary API: Application Programming Interface – The interface to an application’s source code. Other computer programs can communicate with the application through this interface. APIC: Advanced Programmable Interrupt Controller – A device that provides support for multiple processors by allowing for multiple programmable interrupts.

  • Page 569

    Glossary client: A computer that requests services from another (server). cluster: A logical grouping of ESs. compliance: Meets defined standards or conditions. CSR: Certificate Signing Request – A request sent by a system when applying for a public key certificate. CTA: Cisco Trust Agent DAC: Device Activity Capture –...

  • Page 570

    Glossary EAP: Extensible Authentication Protocol – An authentication protocol used with Point-to-Point Protocol (PPP) and wireless networks (802.1X). EAPOL: EAP over LANs EDAC: Embedded Device Activity Capture – See DAC endpoint: A computer requesting access to a network. enforcement: In NAC 800, the process of upholding the access rules set in the NAC policies.

  • Page 571

    Glossary IDE: Integrated Drive Electronics – A standard storage connection interface known as Advanced Technology Attachment (ATA). IDS/IPS: Intrusion Detection System/Intrusion Prevention System – IDS and IPS systems detect and prevent attacks on your system. In NAC 800 you can configure these external systems so that they can request that NAC 800 quarantine an endpoint after it has been connected (post-connect) when unwanted behavior is detected.

  • Page 572

    Glossary LDAP: Lightweight Directory Access Protocol (LDAP) – A protocol that is used to look up information from a database that usually contains information about authorized users and their privileges. load balancing: In NAC 800, load balancing distributes the testing of endpoints across all NAC 800 ESs in a cluster.

  • Page 573

    Glossary NMS: Network Management System – A computer or computers and software used to manage a network. non-compliance: Does not meet defined standards or conditions. NTLM: Windows NT LAN Manager NTP: Network time protocol – A protocol that ensures local timekeeping.

  • Page 574

    Glossary RADIUS: Remote Authentication Dial-In User Service RAM: Random access memory RAS: Remote access server RDAC: Remote Device Activity Capture RDBMS: Relational Database Management System (RDBMS) – Used to store information in related tables. RPC: Remote procedure call – a procedure where arguments or parameters are sent to a program on a remote system.

  • Page 575

    Glossary SSL: Secure socket layer – A commonly-used protocol that manages the security of message transmissions over the Internet. STP: Spanning tree protocol subnet: A section of a network that shares part of the IP address of that network. supplicant: A component of 802.1X that is the client;...

  • Page 576

    Glossary whitelist: A list of devices or endpoints that are allowed access to a system or are allowed privileges. In NAC 800, endpoints and domains that are always allowed access. Wi-Fi: Wireless Fidelity WU: Windows Update xml: eXtensible Markup Language G-10...

  • Page 577

    Index 3-63 Numerics 3-68 Cisco CatOS device 1-15 3rd-party software, installing 3-66 Cisco IOS device 11-2, 11-4 802.1X Enforcement cluster 11-4 communication flow 3-12 Enforcement server 11-9 configuring the RADIUS server 3-71 Enterasys device 11-2 connections 3-75 Extreme XOS device 3-53, 11-39 enable 3-73...

  • Page 578

    Index 11-4 quarantine an endpoint without testing communication flow, 802.1X always quarantine configuration 3-117 10-4 domains DHCP 3-117 1-16 endpoints timeout 11-2 5-23 Windows XP Professional firewall 6-14 assign endpoints and domains to a policy configure 12-20 authentication 3-125 11-36 information non-HP switches 11-2...

  • Page 579

    Index 7-11 15-19 login end-user access screen 7-11 three minute Enforcement cluster 3-15 delete Enforcement server 3-11 cluster existing NAC policy 13-14 6-13 DHCP Server Plug-in Configuration NAC policy 3-21 3-97 quarantine area 6-14 15-19 NAC policy test results messages 3-37 NAC policy group user account...

  • Page 580

    Index endpoints supported error screens 5-51 5-10, 5-11 file and print sharing per MS 12-3 firewall EXE file download to Windows 3-121 footer IE Internet security zone 3-121 introduction 5-30 Figure opening screen 11-6 5-22 802.1X Communications ports 11-3 5-25 802.1X Components required firewall settings 11-5...

  • Page 581

    Index 5-40 4-14 Applications, Utilities Folder Failed Endpoint 3-108 4-14 Backup Successful Message Failed Endpoint Allow All Mode 3-36 Copy User Account Failed Endpoint Allow All Mode Mouse Over 3-27 Date & Time Default NAC Policy Highlighted Fields 8-4, 10-3 DHCP Installation Home Window 13-2...

  • Page 582

    Index 6-21 3-118 NAC Policy Test Icons System Configuration, Notifications 11-9 3-58 Networking Services System Configuration, OpenLDAP 11-58 3-102 Nortel Exit Script System Configuration, Post-connect 11-58 3-52 Nortel Initialization Script System Configuration, Quarantining 11-58 Nortel Re-authentication Script System Configuration, Quarantining, DHCP 3-101 Post-connect Configuration Message 3-103...

  • Page 583

    Index 4-19 Firefox, supported version grant access to an endpoint 4-20 firewall quarantine an endpoint 5-28 changing port import 5-22 11-25 letting RPC service through certificate 3-100 11-25 post-connect service the server’s certificate 6-16 settings inactive, set time 5-25 testing the end-user through index 1-23 testing through...

  • Page 584

    Index post-connect NAC policies 15-3 log out window, view 15-3 login NAC Policy 3-122, 5-44 credentials change to not run Windows automatic update 7-11 delay 15-8 test 3-122 domain NAC policy 3-113 save add group 5-45 saving 6-14 assign domains to 6-16 timeout 6-14...

  • Page 585

    Index 3-100 not tested firewall open 7-11 supported posture 3-112 11-27 ordering test methods Checkup 11-27 Healthy 11-28 Infected 11-28 Quarantined 11-28 page caching Unknown 15-18 pane PPTP 1-23 index print 1-22 password file 3-18 1-22 change ES topic 3-28 14-8 change MS root print a report...

  • Page 586

    Index 11-9 15-22 configure ES password 11-7 15-22 server and SA plug-in MS password 11-33 15-23 use existing server password 11-7 15-10 using a proxy system 11-7 15-11 using built-in testdata 15-23 range user interface password entering ports restore 3-115 15-17 of IP addresses original database...

  • Page 587

    Index 6-17 action to take DHCP 3-130 Agent read timeout period setting enforcement 3-92 3-127 15-18 ES logging levels VPNs 3-128 IDM logging levels switch 3-55 11-49 RADIUS authentication method Cisco 2950 6-15 11-36 retest time configure non-HP 3-131 11-50 RPC command timeout period Enterasys Matrix 1H582-25 6-16...

  • Page 588

    Index 1-11 test method options 5-44 ActiveX error pros & cons 5-31 3-113 agent to display 5-31 agent-based testing 3-110 5-49 select cancel 3-112 5-49 select order failed screen test methods ports defined used 5-22 3-31 testing method 3-111 3-35 ActiveX copy 3-111...

  • Page 589

    Index 5-29 end-user access Windows 2000 change NAC Policy to not run Windows automat- 15-8 ic update test 3-122 credentials 15-7 domain and end-user settings 3-55 domain settings, configure download and extract Zip file 12-3 download EXE file 5-22 Group policy 12-4 install 5-45...

  • Page 590

    (This page intentionally left blank.)

  • Page 591

    Technology for better business outcomes To learn more, visit www.hp.com/go/procurve/ © Copyright 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services.
