This software incorporates open source components that are governed by the GNU General Public License (GPL), version 2. In accordance with this license, ProCurve Networking will make available a complete, machine-readable copy of the source code components covered by the GNU GPL upon receipt of a written request.
You will learn about all of these capabilities in this overview chapter. The remainder of this management and configuration guide will focus on the final capability: the NAC 800 as a RADIUS server, either integrated with ProCurve Identity Driven Manager (IDM) or acting on its own.
Hardware Overview
The ProCurve NAC 800 is a hardware appliance that comes in a single model (J9065A). The device is 1U and mounts on a 19” rack. You plug the power source into the back panel’s AC power connector.
For more information, see “Menu Interface and Panel LCD” on page 2-5 of Chapter 2: “Management Options for the ProCurve NAC 800.” Serial Number and MAC Address The front panel of your NAC 800 displays the device’s serial number, necessary for generating licenses, and its MAC address.
NAC 800 handles traffic differently depending on the port on which it arrives. To the right of the ports, the NAC 800’s panel features text reminding you of the purpose of each port, which differs according to the device’s deployment method.
Server Types
The ProCurve NAC 800 can function as one of three types of server:
Management server (MS)
Enforcement server (ES)
Combination server (CS)
Choosing the Server Type
A NAC 800 deployment can consist of either:...
Figure 1-2. Deployment with Multiple NAC 800s
An MS can support multiple enforcement clusters, each of which implements a different quarantine method. Quarantine methods determine how ESs control non-compliant endpoints, as well as where ESs are deployed. (“Deployment Methods”...
ES. For example, a network might require one NAC 800 to enforce endpoint integrity on 2000 Ethernet endpoints and one NAC 800 to enforce endpoint integrity on 700 remote endpoints. It is recommended that you use one MS and two ESs for such an environment, rather than two CSs, for two reasons: The MS helps you to co-ordinate NAC policies and other settings.
How often do network infrastructure devices force users to re-authenticate? As the answers to these questions vary, so varies the burden placed on the NAC 800. Under typical usage, a single NAC 800 can support authentication for 10,000 ports.
Management Server (MS)
The MS manages settings for your NAC 800s on a system-wide level. You choose one NAC 800 to act as the MS, set all other NAC 800s to be ESs, and add the ESs to the MS’s configuration.
The MS handles these system-wide settings:
Endpoint integrity licenses
Connection to the Internet
Clock—The MS can use its internal clock or act as a Network Time Protocol (NTP) client and receive its clock from an NTP server. The MS is the NTP server for all of its ESs.
Enforcement Server (ES)
While you configure access control settings on the MS, the ESs take responsibility for enforcing those controls. An ES:
Authenticates endpoints, if operating as a RADIUS server
Tests endpoints for integrity
Controls endpoints’...
Change endpoints’ access control status.
Generate reports.
Changing the Server Type
You can change your device’s server type at any time. However, changing the type causes the NAC 800 to reset to its factory default settings, keeping only its:
IP address
Hostname
Default gateway...
Enforcement Clusters
An enforcement cluster is a group of ESs (or a single CS) that tests, quarantines, and otherwise controls the same group of endpoints.
Enforcement Clusters for an MS and ESs
An MS groups ESs into enforcement clusters.
The same settings that, on an MS, are configurable per-cluster are also configured on the CS’s single cluster. However, this cluster is always selected, so you can ignore this fact.
Endpoint Integrity
Viruses and other malware continue to become ever more pervasive—tempo-...
NAC Tests The NAC 800 supports many different tests; each test checks for a particular setting or component on an endpoint. For example, the Windows XP hotfixes test checks the patches and updates installed on a Windows XP station. And the IE Internet Security Zone test checks the security level that the endpoint’s...
These tests verify that an endpoint’s Web browser enforces the proper level of security for various zones (Internet sites, local sites, trusted sites, and untrusted sites). The NAC 800 scans Internet Explorer (IE) settings only. NAC Test Properties. All NAC tests have properties, which are the criteria that an endpoint must meet to pass the test.
NAC Test Updates. As new threats emerge, ProCurve Networking updates the NAC 800’s tests. It might add an entirely new test. Or it might add a property to an existing test—for example, a new hotfix to the list of Windows XP hotfixes.
The sections below provide more information about each of these settings. For instructions on configuring them in the Web browser interface of an MS or CS, see Chapter 6: “NAC Policies” in the ProCurve Network Access Controller 800 Users’ Guide.
IDS/IPS perform additional testing and monitoring to detect attacks or other threats. If an endpoint fails this additional testing, the security device can send a request to the NAC 800, which will then quarantine the endpoint.
firewall rule that granted the endpoint access. If the NAC 800 does not detect traffic from the endpoint for a certain configurable period, it clears out the rule, denying access.
List of Endpoints to Which the Policy Applies. Because you can create multiple NAC policies on your NAC 800s, you should specify to which endpoints a particular policy applies.
The discussion of endpoint integrity tests has not yet addressed a crucial question: how does the NAC 800 actually run the test? For example, how does the NAC 800 determine whether the endpoint has a firewall? How does it know...
A user might choose this option because he or she does not want to enable ActiveX (required for automatic installation). After the agent is installed, the NAC 800 can test the endpoint as often as necessary without further end-user interaction.
ActiveX testing requires the endpoint’s Web browser to be open for every test. The Web browser must be IE version 6.0 or later. If a router lies between the NAC 800 and the endpoints, it must keep port 1500 open. In most cases, the NAC 800 can automatically open the correct ports through the endpoints’...
ActiveX content without prompting, the installation does add overhead to network traffic. IE must be open for the NAC 800 to test the endpoint. If a user closes IE after his or her endpoint has gained access, the NAC 800 cannot retest the endpoint.
Endpoint Integrity Posture
As the NAC 800 tests an endpoint, it assigns it an endpoint integrity posture based on the results of tests:
Unknown—not yet tested
Healthy—passed all tests...
The High Security NAC policy, a pre-defined policy that includes approximately 20 tests, can be taken as a general high mark. The NAC 800 passes approximately 9 to 16 kilobytes of total data between itself and an endpoint to complete a single testing session with this policy.
If the RADIUS server is also an accounting server, it can receive reports about the user’s activity from the NAS. The NAC 800 supports the RADIUS protocol and can act as your network’s RADIUS server. It supports RADIUS as a stand-alone access control solution (see “802.1X Deployment Method—RADIUS Server Only”...
RADIUS logs include:
• Failed authentication attempts
• Successful authentication attempts
• Authentication requests from unknown NASs
Accounting
The NAC 800 can also act as a RADIUS accounting server. RADIUS accounting reports are logged as files in this directory: /var/log/radius/radacct.
IDM manages RADIUS servers, including NAC 800s. When you manage a NAC 800 with IDM, the NAC 800 has all the capabilities listed in the section above with these additions:
Authenticating users against an easily managed local database
Granting users rights, as follows: •...
Deployment Methods
The NAC 800 can control network access in a variety of ways. It can make decisions based on who is connecting (authentication) as well as on what is connecting and the risks that device might pose (endpoint integrity).
(open or closed) to the end-user's authentication status. The NAC 800 adds endpoint integrity to the framework. A brief overview of 802.1X will help you understand how the NAC 800 interacts with other components of an 802.1X solution.
NAC 800 provides endpoint integrity testing.
Note: IAS is the only option for a system that uses the NAC 800 for endpoint integrity only. If your network already includes a non-IAS RADIUS server, however, you can configure the NAC 800 to act as a RADIUS server, but proxy requests to the existing server (or bind to an existing directory).
VLAN Assignment After Initial Authentication. After the endpoint completes the traditional first phase of 802.1X authentication, it has the Unknown posture. The NAC 800 places it in a “guest” or “test” VLAN, which is:
If you are using IDM (recommended), the VLAN associated with the...
The user reaches the Web page. On the other hand, if the requested hostname is not on the list, the NAC 800 sends its own IP address in the response, redirecting the user to a Web page such as the one shown in Figure 1-8.
You could also set up ACLs on network infrastructure devices that limit endpoints in the quarantine VLAN. For example, you might deny the quarantine subnet access to all private addresses except for the NAC 800’s and a DHCP server. The NAC 800 handles controlling the quarantined endpoints’ access to external sites.
Receive mirrored traffic from the DHCP server. (See Figure 1-9.) This allows the NAC 800 to discover an endpoint’s IP address after it connects and is placed in a VLAN. The NAC 800 can then test and re-test the device as necessary.
DHCP server connects. Give the NAC 800 an IP address in the appropriate VLAN. On the authenticators (switch, APs, and so forth), specify the NAC 800’s IP address as one of the RADIUS servers.
• RDAC deployment—If you will install RDAC on your DHCP servers, simply connect port 1 on the NAC 800 to any port in your production network, determining the location just as you would for any RADIUS server. You will not use the second port on the NAC 800.
Give the NAC 800 an IP address in the appropriate VLAN. Send DHCP traffic to the NAC 800. Either:
• Have RDAC on your DHCP server send DHCP traffic to the NAC 800.
• Send mirrored traffic if you did not install RDAC on your DHCP server.
RADIUS server, or a directory. Then it informs the NAS whether the endpoint can connect. If you use IDM to manage the NAC 800, the NAC 800 can also factor access time and location into its decisions, as well as send dynamic VLAN assignments, ACLs, and rate limits.
On the authenticators, specify the NAC 800’s IP address as one of the RADIUS servers. Determine the source of credentials and take any steps necessary to allow the NAC 800 to access this source: •...
3000 users. This network requires a single NAC 800, which is set to the CS type. The NAC 800’s port 1 connects to a switch in the production network, and its port 2 connects to the DHCP server. The NAC 800 and the DHCP server require IP addresses on the same subnet.
If your network uses more than one DHCP server, you can connect the servers to the same switch. You then connect the NAC 800’s port 2 to that switch as well. Do not connect any other devices to the switch as those devices could then circumvent the NAC 800.
Deployment Unlike a DHCP inline deployment, the DHCP plug-in deployment does not require the NAC 800 to be placed between the network and the Windows 2003 DHCP servers. Instead, the DHCP servers can be located on any subnet anywhere on the network, as long as they can communicate with the NAC 800.
Figure 1-13. DHCP Plug-in Deployment—Single NAC 800 and Multiple DHCP Servers
You must then configure the DHCP plug-in as described in the ProCurve Network Access Controller 800 Users’ Guide.
How the NAC 800 Quarantines Endpoints for a DHCP...
However, the NAC 800 intercepts DHCP requests from endpoints with the Unknown, Quarantine, or Infected postures and responds to these requests in lieu of the network DHCP server. To do so, the NAC 800 uses the configuration for the quarantine area, which includes:...
DHCP quarantining. This is one reason that 802.1X is the recommended option for high security. DHCP Plug-in Deployment. When the NAC 800 boots, it tries to connect to the DHCP servers you have defined for the DHCP plug-in deployment. If the NAC 800 cannot communicate with a particular DHCP server, it will continue to try to contact that server at regular intervals—not stopping until it either...
DHCP plug-in allows the DHCP server to process or ignore DHCP requests based on the ACL that the NAC 800 sends it. If an endpoint’s MAC address is on the ACL, the DHCP server will send it an IP address. If not, the DHCP server will not respond to the endpoint’s DHCP requests.
Isolated in its own subnet without a gateway, the endpoint cannot transmit traffic. As part of the DHCP configuration, the NAC 800 sends a static route to itself, which allows the endpoints to send it DNS requests. The NAC 800 also acts as a proxy Web server for quarantined endpoints, allowing them to reach accessible services when they request them.
10.1.2.25 to 10.1.2.125. This means that the second half of each subnet (10.1.X.128/25) is available for quarantined endpoints:
On the NAC 800, you must set up a separate quarantine area for each production subnet. Specify the quarantine subnets for the areas as follows:
Area 1—Quarantine subnet = 10.1.2.128/25...
192.168.12.0/24
For each existing Class C subnet, you will add a new Class C subnet for the quarantine subnet. On the NAC 800, you set up two quarantine areas and specify one quarantine subnet for each production subnet:
Area 1
Quarantine subnet = 192.168.9.0/24
Non-quarantine subnet = 192.168.8.0/24...
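The two quarantine-area addressing schemes above (splitting each production /24 into a served half and a quarantine /25, or dedicating a new /24 to quarantine) are easy to get wrong when the network DHCP server's scope grows later. As an added example that is not part of this guide, the following Python script derives the quarantine subnets for both schemes and checks that no DHCP-served range ever overlaps a quarantine range; the class and function names are this example's, and the second area in the demo is constructed.

```python
"""Plan and check NAC 800 DHCP quarantine areas (added example, not from the guide).

Scheme 1: split each production /24 in half; the network DHCP server keeps its scope
          in the first /25 and the second /25 (x.x.x.128/25) becomes the quarantine subnet.
Scheme 2: add a brand-new /24 per production /24 and dedicate it to quarantine.
The guide lists the resulting subnets; the overlap checks are this example's own.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class QuarantineArea:
    """One quarantine area as it would be entered on the NAC 800 (names are hypothetical)."""
    name: str
    production: IPv4Net      # subnet the endpoints normally live in
    non_quarantine: IPv4Net  # range the network DHCP server is allowed to serve
    quarantine: IPv4Net      # range the NAC 800 hands to Unknown/Quarantine/Infected endpoints


def split_half_area(name: str, production: str, scope_first: str, scope_last: str) -> QuarantineArea:
    """Scheme 1: carve the quarantine subnet out of the top half of the production subnet.

    Raises ValueError if the network DHCP server's scope spills into that half, because a
    healthy endpoint and a quarantined one could then be handed the same address.
    """
    net = ipaddress.ip_network(production, strict=True)
    first_half, second_half = net.subnets(prefixlen_diff=1)
    first, last = ipaddress.ip_address(scope_first), ipaddress.ip_address(scope_last)
    if first > last:
        raise ValueError(f"{name}: DHCP scope start {first} is after its end {last}")
    if first not in first_half or last not in first_half:
        raise ValueError(
            f"{name}: DHCP scope {first}-{last} is not confined to {first_half}; "
            f"it overlaps the quarantine half {second_half}")
    return QuarantineArea(name, net, first_half, second_half)


def dedicated_subnet_area(name: str, production: str, quarantine: str) -> QuarantineArea:
    """Scheme 2: a separate subnet is reserved for quarantine, so the whole production
    subnet stays available to the network DHCP server."""
    prod = ipaddress.ip_network(production, strict=True)
    quar = ipaddress.ip_network(quarantine, strict=True)
    if prod.overlaps(quar):
        raise ValueError(f"{name}: quarantine subnet {quar} overlaps production subnet {prod}")
    return QuarantineArea(name, prod, prod, quar)


def find_conflicts(areas: list[QuarantineArea]) -> list[str]:
    """Describe every overlap between a quarantine subnet and any other quarantine or
    DHCP-served subnet across all areas. An empty list means the plan is clean."""
    problems: list[str] = []
    for i, a in enumerate(areas):
        for b in areas[i + 1:]:
            if a.quarantine.overlaps(b.quarantine):
                problems.append(f"{a.name} and {b.name} share quarantine space: "
                                f"{a.quarantine} vs {b.quarantine}")
        for b in areas:
            if a is not b and a.quarantine.overlaps(b.non_quarantine):
                problems.append(f"{a.name} quarantine {a.quarantine} overlaps "
                                f"{b.name} DHCP-served range {b.non_quarantine}")
    return problems


if __name__ == "__main__":
    # Scheme 1 with the guide's 10.1.2.0/24 example (scope .25-.125); Area 2 is constructed.
    plan = [
        split_half_area("Area 1", "10.1.2.0/24", "10.1.2.25", "10.1.2.125"),
        split_half_area("Area 2", "10.1.3.0/24", "10.1.3.25", "10.1.3.125"),
    ]
    for area in plan:
        print(f"{area.name}: quarantine {area.quarantine}, DHCP-served {area.non_quarantine}")
    print("conflicts:", find_conflicts(plan) or "none")
```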
The network DHCP server’s
The NAC 800’s (the CS or the ES that is connected to the DHCP server)
Which device should act as the DHCP server changes as an endpoint’s integrity posture changes. However, the NAC 800 handles this issue: it simply drops the request if it is destined to the wrong IP address.
For example, should the switch (or other device) send a DHCP request from a healthy station to the NAC 800’s address, the NAC 800 simply ignores it. The switch, not receiving a reply, next sends the request to the DHCP server’s address;...
And it does not forward traffic from port 1 to quarantined or unknown endpoints. In other words, endpoints on the port 2 side of the NAC 800 can access any resources that are also on the port 2 side. However, they cannot access any resources on the port 1 side until they have proved compliance with the appropriate NAC policies.
NAC 800’s port 1 to the rest of the network, typically a core switch. Figure 1-15. Inline Deployment—VPN With a Single NAC 800 Then set the server type to CS or ES. Choose CS if the NAC 800 will act on its own—typically because:...
VPN tunnel and a public network, users connect over a private WAN connection. You deploy the NAC 800 in a similar position. Connect its port 2 to the WAN router and its port 1 to a core switch. Then set the type to CS or ES, basing your decision on the factors discussed in the previous section.
If you are controlling wireless endpoints that connect through an AP, simply deploy the NAC 800 as described in the previous sections, with the AP in the place of the VPN gateway or the WAN router. Or connect several APs to a switch and then place the NAC 800 between that switch and the rest of the network.
NAC 800. Instead, connect the NAC 800’s port 2 to the wireless services-enabled switch. Connect the NAC 800’s port 1 to another switch. Make sure that the wireless services-enabled switch connects only to other endpoints, not to other switches; otherwise, the wireless endpoints could access the production network without passing through the NAC 800.
Overview
This chapter introduces you to the options for managing and configuring the ProCurve NAC 800. The available options depend on your NAC 800’s server type, which can be:
Management server (MS)
Enforcement server (ES)
Combination server (CS)
See Chapter 1: “Overview of the ProCurve NAC 800” for more information on the roles played by each server type.
Note: All instructions assume that you have installed and powered on the NAC 800, as explained in the ProCurve Network Access Controller 800 Hardware Installation Guide. The remaining chapters of the management and configuration guide focus on the Web browser interface.
Console Session Follow these steps to access the menu interface through a console session: Your NAC 800 ships with a console cable. Plug the cable’s Ethernet (RJ45) connector into the Console Ethernet port, which is located on the left front panel of the NAC 800.
Figure 2-1. Accessing the Menu Interface with a Console Session
Use terminal session software such as Tera Term to open a console session with the NAC 800. Use the following settings:
• Baud rate = 9600
•...
You must specify the NAC 800’s IP address. Its default address is 192.168.0.2, and the NAC 800 does not initially have a default gateway. Unless you can reach the default IP address, you must set the NAC 800’s IP address (using either a console session or the panel LCD) before you can open the SSH session.
Navigate the Menu Interface
The top of a window in the menu interface displays the window name—for example, Application Main Menu. Below the window name are listed various options. Press a number to select the option and move to a new window.
Figure 2-6. Menu Interface Architecture Configure Initial Settings with the Menu Interface Before you can configure your NAC 800 through the Web browser interface, you must configure some initial settings, including server type and IP settings. You should also immediately change the menu password to secure access to the device.
An exception is when you change the server type from MS to ES, in which case all settings are erased. Setting the server type always resets the NAC 800’s configuration even if you set it to the device’s current type. In fact, setting the server type is an easy way to return to factory default settings (but keep your current IP settings).
Press for Combination Server if your NAC 800 is a stand-alone device. This is the typical choice for a NAC 800 that functions only as a RADIUS server. If your NAC 800 is part of a cluster deployment (see Chapter 1: “Overview of the ProCurve NAC 800”...
Set the IP Address with the Menu Interface
Follow these steps to set a NAC 800’s IP address using the menu interface:
Access the Configuration menu (Main Menu > 1. Configuration).
Figure 2-10. Application Main Menu > 1. Configuration
Press for IP Configuration.
(APs)
Note: For security reasons, the NAC 800 does not respond to pings that it does not initiate. Therefore, you must always test connectivity between the NAC 800 and another device from the NAC 800’s management interface.
Figure 2-13. Application Main Menu
Press for Diagnostics.
Figure 2-14. Application Main Menu > 2. Diagnostics
Press for Ping test. Enter the IP address to which you want to confirm connectivity.
The results of the ping, including the times for the round trip, are displayed. Figure 2-16. Application Main Menu > 2. Ping test > Results By default, the NAC 800 sends out five pings. You can stop the ping test at any time, however, by pressing [Ctrl+c]...
Figure 2-17. Main Menu > 1. Configuration
Press for Change Password.
Figure 2-18. Main Menu > 1. Configuration > 3. Change Password
Enter y to confirm that you want to change the password.
Note: When you initially access the Web browser interface, you create a username and password for an administrator with access to that interface. You can, if you so desire, set these to match the username and password for the menu interface.
Reboot the NAC 800 in the Menu Interface
When you reboot the NAC 800, the device shuts down and immediately restarts, booting from its primary software and startup-config. Generally, you must reboot the NAC 800 when you update its software.
The NAC 800 restarts as soon as you press [Enter].
Shut Down the NAC 800 in the Menu Interface
When you shut down the NAC 800, the device powers down and remains down until manually restarted. You can restart the NAC 800 by removing and then restoring power.
The locator LED helps you to pick out a device that is installed among many devices. For example, you may be configuring a NAC 800 through a remote SSH session. You decide that you need to access the device physically, so you turn on the locator LED to quickly find the correct device.
Press [Enter] to continue configuring the device.
View System Information
You can view the following information about the NAC 800 in the menu interface:
Server type
Software version
Date of last update of the software
Operating system version...
Access the Panel LCD Menu
The panel LCD is located on the front of the ProCurve NAC 800. To use the LCD menu, you must, of course, have physical access to the device. In addition to the LCD, the panel includes six buttons:...
Initially, the panel LCD lists the following information:
Server type (for example, Combination Server)
IP address
Figure 2-28. Panel LCD
Press the accept button to make the LCD display the menu interface.
Even if you choose to configure initial settings through the panel LCD menu, you should access the menu interface and change the menu password. Otherwise an unauthorized user might gain access to your NAC 800. (See “Change the Password to the Menu Interface” on page 2-15.)
Select Combination Server if your NAC 800 is a stand-alone device. This is the typical choice for a NAC 800 that functions only as a RADIUS server. If your NAC 800s are part of a cluster deployment (see Chapter 1: “Overview of the ProCurve NAC 800”...
Your selection is displayed. Push the accept button. Set the IP Address with the Panel LCD Menu Follow these steps to set a NAC 800’s IP address using the panel LCD menu: Access the Configuration menu (Panel LCD Menu > Configuration).
Figure 2-36. Panel LCD Menu > Configuration > IP Address—Port 1 (Subnet Mask) Set the mask for the NAC 800’s subnet. Use the arrow buttons to alter the subnet mask. (For a list of the masks that correspond to subnets of various lengths, see “Entering Networks Using CIDR Format”...
Several IP addresses for NASs such as edge switches and wireless APs
Note: For security reasons, the NAC 800 does not respond to pings that it does not initiate. Therefore, you must always test connectivity with the NAC 800 from a NAC 800 management interface.
Then use the up and down arrow buttons to alter the selected digit. Note that the NAC 800 treats each set of three digits as a single number. For example, if the first three digits currently display 009, and with your cursor at the third digit you press the up arrow button, the digits then display 010.
Reboot the NAC 800 Using the Panel LCD Menu
When you reboot the NAC 800, the device shuts down and immediately restarts, booting from its primary software and startup-config. Generally, you must reboot the NAC 800 when you update its software.
Reboot the NAC Press the accept button to confirm. The NAC 800 begins to reboot as soon as you press the accept button. Shut Down the NAC 800 Using the Panel LCD When you shut down the NAC 800, the device powers down and remains down until manually restarted.
The NAC 800 powers down as soon as you press the accept button.
Set the Port Speed and Duplex Settings
By default, the NAC 800 sets the speed and duplex settings for its ports automatically based on the other end of the connection.
However, if for whatever reason you must set the port speed and duplex settings manually, follow these steps: Access the menu. (If the panel currently shows the NAC 800’s server type and IP address, press the accept button.) Figure 2-47. Panel LCD Menu Select Configuration.
Figure 2-50. Panel LCD Menu > Configuration > Ports Speed/Duplex > Port 1
The default setting is Auto. All combinations of speed and duplex options are displayed below. Scroll through the list and press the accept button to select the one you want.
Root Access to the NAC 800
Certain tasks may require you to log into the NAC 800 as root and access its Linux-based OS.
Caution: Be very careful when configuring the NAC 800 as root: misconfigurations can cause the device to malfunction.
Vertical bars ( | ) separate alternative, mutually exclusive elements. Bold typeface is used for simulations of actual keys. For example, the “Y” key appears as
For example:
Syntax: keytool -certreq -alias <keyname>...
A digital certificate The NAC 800, at factory default settings, includes a self-signed certificate. Similarly, you must ready a NAC 800 to be added to an MS’s cluster as an ES. This NAC 800 requires: An IP address reachable from the MS...
LCD menu. See “Configure Initial Settings with the Menu Interface” on page 2-9 or “Configure Initial Settings with the Panel LCD Menu” on page 2-24. After initial configuration, you can install the NAC 800 in its final location. (See the ProCurve Network Access Controller 800 Hardware Installation Guide.)
The first time that you access the Web browser interface, you must complete some basic setup. For instructions, see “Initial Configuration of CS or MS Settings” on page 3-4 of Chapter 3: “Initial Setup of the ProCurve NAC 800.” The next time that you access the Web browser interface, you must log in with the Administrator username and password created during the basic setup.
Subsequent figures in the management and configuration guide will not show the top area. This area displays the name of the device: Network Access Controller 800. To the right is the name of the user account with which you logged in. The user account determines the privileges you have to the Web browser interface.
Note: A NAC 800 that acts as a RADIUS server only does not require a license, so you will often see the warnings at the top of the window, telling you that the licenses have expired.
Table 2-1. Home Left Navigation Bar Options
Left Navigation Bar Option | Tasks in Associated Windows | Documentation
Endpoint activity | • Check endpoint status | Chapter 4: “Endpoint Activity” in the ProCurve Network Access Controller 800 –...
Quarantined by the NAC 800 Once connected but are currently disconnected On a NAC 800 acting only as a RADIUS server, you should see 0 quarantined endpoints. Although the quarantine means nothing unless you have set up VLAN assignments to support it, seeing quarantined endpoints indicates that the NAC 800 is testing endpoints unnecessarily.
Support—Click to access the ProCurve Networking Web site and download documentation, read FAQs, and submit questions to support. Your NAC 800 must, of course, be able to reach the Internet.
• Logout—Click to close the HTTPS session with the NAC 800.
Figure 2-52. Common Features in the Web Browser Interface
Configuration windows feature two buttons at both the top and bottom:
• ok—Click to:
– Apply the configurations in this window (the settings begin to take effect)
–...
Status windows feature this button:
• done—Click to close the window.
Both types of window may include three additional buttons:
• refresh—Click to update the information displayed (for example, about the status of a device).
Figure 2-53. Navigating the Web Browser Interface
Another step, if present, is typically a menu option on the left side of the second-level window. For example, Figure 2-53 shows the Home > System configuration >...
See the ProCurve Manager Plus 2.2 Network Administrator’s Guide for these instructions.
Note: To manage the NAC 800, your server must have a version of PCM Plus 2.2 auto-update 2 installed.
Enable PCM Plus to Detect the NAC 800
Follow these steps to ensure that PCM Plus can detect your NAC 800:
Access the NAC 800’s Web browser interface and log in.
Controllers folders in the Interconnect Devices folder. PCM Plus then adds the NAC 800 as a node in this folder. When you select a NAC 800 node, all the tabs available for any device are displayed. In addition, you can click the NAC Home tab and access the NAC 800’s Web browser interface.
ProCurve IDM is a plug-in to PCM Plus that helps you assign users the correct rights based on their identities. When managing a NAC 800, IDM can also assign users rights based on their endpoint integrity posture.
Note: To check the NAC 800’s IDM agent version, log in as root to the NAC 800 and enter:
more /root/version
The IDM server’s IP address is specified in the NAC 800’s 802.1X quarantining settings.
Select the Access mode. If you are creating a cluster for RADIUS services only, the access mode does not matter because the NAC 800 does not enforce quarantining. However, you should disable testing as explained in Chapter 6: “Disabling Endpoint Integrity Testing.”...
RADIUS Servers folders. When you select a NAC 800, IDM displays similar windows and tabs as those for a RADIUS server. So you can complete all the same tasks for the NAC 800 that you can for a RADIUS server: Deploy a group policy to the NAC 800, which includes: •...
NAC System—Access the NAC 800’s System configuration window.
Note: The NAC 800 that acts as a RADIUS server might be a CS or an ES; IDM will detect any type of NAC 800. Although an ES does not actually run a Web browser interface, you can still select the NAC Home, NAC Monitor, and NAC System tabs for the ES;...
Contents
Install the Root CA Certificate ... 3-55
Create a Certificate Request and Transfer It off the NAC 800 ... 3-56
Download and Install the Signed Certificate ...
Install the Self-signed Certificate as a Trusted Root Certificate ... 3-61
Restart the HTTPS Server ...
The root account, which you log in to through Secure Shell (SSH), grants access to the command line of the NAC 800’s Linux-based operating system (OS). You will need such access if you want to enable the NAC 800 to act as a RADIUS server without ProCurve Identity Driven Manager (IDM).
See “Initial Configuration of ES Settings” on page 3-9. You can later edit the system settings for any type of NAC 800. See “Edit System Settings” on page 3-16. Initial Configuration of CS or MS Settings Before accessing the NAC 800 Web browser interface for the first time, you must configure the CS’s or MS’s initial IP settings as described in “Access the...
Then follow these steps: In your Web browser, open an HTTPS session to the CS's (or MS's) IP address. For example, if the device's address is 10.1.1.100, type: https://10.1.1.100 The Step 1 of 3: Accept license agreement window is displayed.
Enter a password in the Root password field. As described in “System Settings” on page 3-3, you use the root password to log in to the NAC 800’s command line. The password can include alphanumeric and special characters—in fact, a good password will include a mix of different types of characters.
Root passwords for ESs also must include mixed letters and numbers. Enter the same password in the Re-enter root password field. Configure the NAC 800 to receive its date and time from a Network Time Protocol (NTP) server: Choose your region from the Region drop-down menu.
Configure network settings. Name the NAC 800 by entering a string in the Host name field. You should enter the name as an FQDN. For example: mynac.mycompany.com The hostname can include only these characters: –
If you want to change the settings at a later point, see “Edit System Settings on an MS or a CS” on page 3-16. If your NAC 800 is a CS—typical for a device that acts as a RADIUS server only—the system setup is complete. Otherwise, you must add ESs, as described in the section below.
Figure 3-4. Home > System Configuration > Enforcement Clusters & Servers—add an Enforcement Cluster (callout: select this link to create a cluster). Click add an enforcement cluster. The Add enforcement cluster window is displayed. The left navigation bar lists several menu options;
Figure 3-5. Home > System Configuration > Enforcement Clusters & Servers > Add Enforcement Cluster > General. In the Cluster name field, enter a string that describes this cluster. The string can include alphanumeric characters, special characters, and spaces.
ES. Log in to the ES as root, and enter this command: resetSystem.py For the complete procedure of moving an ES from one MS to another, see Chapter 15: "System Administration" of the ProCurve Network Access Controller 800 Users' Guide. Follow these steps: You should be in the following window: Home >
Figure 3-6. Home > System Configuration > Enforcement Clusters & Servers—add an Enforcement Server (callout: select this link to add an ES). Click add an enforcement server. The Add enforcement server window is displayed.
Figure 3-7. Home > System Configuration > Enforcement Clusters & Servers > Add Enforcement Server. From the Cluster drop-down menu, choose the cluster that you configured for the NAC 800s that act as RADIUS servers only.
Enter a password in the Root password field. As described in “System Settings” on page 3-3, you use the root password to access the NAC 800’s OS (through an SSH session). The password must contain both letters and numbers; special characters are also allowed.
Edit System Settings As you learned in “System Settings—Initial Configuration” on page 3-4, you are prompted to configure a NAC 800’s system settings when: You first access its Web browser interface—an MS or a CS You add it to a cluster—an ES However, you can edit these settings at any time;...
Figure 3-9. Home > System Configuration > Management Server
The Home > System configuration > Management server window also allows you to configure some additional settings: Proxy server for accessing the Internet—See "Set the Proxy Server" on page 3-19. SNMP settings—See "Configure MS or CS SNMP Settings" on page 3-26.
– Hyphens The hostname can be up to 64 characters. b. Enter a new IP address for the NAC 800 in the IP address field. For example: 10.1.1.101 Enter the correct mask for the MS’s subnetwork in the Network mask field.
Follow these steps: You should be in the following window: Home > System configuration > Management server. Find the Proxy server area.
Figure 3-11. Home > System Configuration > Management Server—Proxy Server Area
Instead of submitting the password over the network, the NAC 800 uses it to hash a random value (nonce) supplied by the proxy, so only the hash crosses the wire. – Negotiable—The NAC 800 and the proxy server agree together whether to use basic or digest authentication. This option eliminates compatibility issues, but is less secure than the digest option, because a proxy (or anyone able to tamper with the exchange) can steer the negotiation to basic, which sends the password itself.
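The contrast between the three options, as an added example that is not from the NAC 800 guide: a POSIX shell script (needs only openssl and awk) that computes what a client sends for Basic and for Digest proxy authentication. The inputs are the worked example from RFC 2617 section 3.5 (user Mufasa, realm testrealm@host.com, password "Circle Of Life"), so the expected digest value is known; the proxy's nonce and the client's cnonce are the RFC's values, not anything the NAC 800 generates.

```shell
#!/bin/sh
# Added example (not from the NAC 800 guide): what a client sends for HTTP
# Basic versus Digest proxy authentication. All inputs are the RFC 2617
# section 3.5 worked example, so the expected digest is known.

# MD5 of $1 as lowercase hex. "openssl dgst" prints "(stdin)= <hex>" or
# "MD5(stdin)= <hex>" depending on the OpenSSL version; awk takes the last field.
md5hex() {
  printf '%s' "$1" | openssl dgst -md5 | awk '{print $NF}'
}

# Basic: the credential is only base64 of user:password, i.e. the password
# itself, recoverable by anyone who can read the request.
basic_credential() {
  printf '%s:%s' "$1" "$2" | openssl base64 -A
}

# Digest (qop=auth): the password enters only through HA1; the proxy's random
# nonce and the client's cnonce are mixed in, so the wire value is a one-time
# hash rather than the secret. Arguments:
#   user realm password method uri nonce nc cnonce qop
digest_response() {
  ha1=$(md5hex "$1:$2:$3")
  ha2=$(md5hex "$4:$5")
  md5hex "$ha1:$6:$7:$8:$9:$ha2"
}

# RFC 2617 worked example; the response is 6629fae49393a05397450978507c4ef1
digest_response Mufasa testrealm@host.com "Circle Of Life" GET /dir/index.html \
  dcd98b7102dd2f0e8b11d0f600bfb0c093 00000001 0a4f113b auth
```

Digest is still an unsalted MD5 construction over a short secret: an observer who records the nonce and the response can run an offline dictionary attack on the proxy password, so its gain over Basic is that the password is not readable directly, not that it is safe on an untrusted path. Negotiable lets the proxy choose Basic, which is why the guide rates it below Digest.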
Follow these steps to edit the date and time: You should be in the Home > System configuration > Management server window.
Figure 3-12. Home > System Configuration > Management Server—Date And Time Area
(If your city is not listed, you can either rely entirely on the GMT offset or look for a city that you know is in your time zone.) It is important to select the correct time zone so that the NAC 800 appropriately adjusts the time that it receives from the NTP server.
NAC 800 to integrate with the solution. The NAC 800 supports SNMPv2c. It provides read-only access to its configuration. SNMPv2c carries the community name in cleartext, so treat it as a shared secret: use a name other than the well-known defaults and allow SNMP from the management station only. To gain this access, an SNMP server must: Have a read-only community name that matches the name set on the MS...
(including PCM). You should change the name for more security. Note: The NAC 800 does not grant read-write access to SNMP servers. However, to properly discover the NAC 800, PCM requires both a read-only and a read-write community name.
When you are done editing MS settings, click the ok button to save the changes. Edit the Root Password. The root password grants access to the NAC 800’s OS (via an SSH session). To change the password, follow these steps: You should be in the following window: Home >...
Figure 3-15. Home > System Configuration > Management Server—Other Settings Area
(that is, all events except trace events). If you find that you spend too much time searching through logs, you can configure the NAC 800 to log only those events with a higher severity level. Note: Generally, you should not set the level to trace.
Figure 3-16. Home > System Configuration > Management Server—Other Settings Area
Select the severity level from the Log level drop-down menu. The NAC 800 logs events of this severity or greater. When you are done editing MS settings, click the ok button to save the changes. Note: To learn how to check for new software, see "Upgrade the Software"...
Click the ES's name. Figure 3-17. Home > System Configuration > Enforcement Clusters & Servers. Click the name of the ES for which you want to edit the system settings. The Enforcement server window is displayed at the Status menu option.
Figure 3-18. Home > System Configuration > Enforcement Clusters & Servers > Selected ES > Status. Select the Configuration menu option.
Figure 3-19. Home > System Configuration > Enforcement Clusters & Servers > Selected ES > Configuration. In this window, you can: Edit network settings—See "Edit ES Network Settings" on page 3-36.
– Hyphens The hostname can be up to 64 characters. b. Enter a new IP address for the NAC 800 in the IP address field. Enter the correct mask for the ES's subnetwork in the Network mask field. If you need help determining the mask that corresponds with a network of a specific length, see "Entering Networks in CIDR Format"...
(If your city is not listed, you can either rely on the GMT offset or look for a city that you know is in your time zone.) It is important to select the correct time zone so that the NAC 800 appropriately adjusts the time that it receives from the MS.
This task is particularly important if you are using IDM to manage NAC 800s’ RADIUS functions. The NAC 800 supports SNMPv1 and v2. It provides read-only access to its configuration. To gain this access, an SNMP server must: have a read-only community name that matches the name that is set on...
(including PCM). You should change the name for more security. Note: The NAC 800 does not grant read-write access to SNMP servers. However, to properly discover the NAC 800, PCM requires a "read-only" and a "read-write" community name. Set both names to the name configured in the Read community string field, so that no second, unused secret is stored in PCM.
NAC 800. Then check for upgrades periodically every several weeks. To check for the upgrade, the NAC 800 MS or CS requires a connection to the Internet. After an MS upgrades its own software, it automatically upgrades the software on all ESs in its clusters.
Figure 3-22. Home > System Configuration > Management Server—System Upgrade Area
Management and Maintenance In the System Upgrade area, click the check for upgrades button. If new software has been posted, the NAC 800 downloads and installs it. Create Management Users When you initially connect to the Web browser interface of an MS or a CS, you create the Administrator user, who has complete Web management access to that device.
Table 3-1. User Roles (columns: User Role, Description, Permissions)
• System Administrator: All permissions. Configure cluster; Configure servers; Configure the system; View system alerts; Generate reports; Manage NAC policies; ...
Figure 3-23. Home > System Configuration > User Accounts. Click the add a user account link. The Add user account window is displayed.
Figure 3-24. Home > System Configuration > User Accounts > Add a User Account. Enter the username in the User ID field. The username can contain alphabetic characters but not numbers or special characters;
You can also customize an existing role, removing or adding the desired permissions (sometimes a simpler option). You can edit any role on the NAC 800, including default roles. However, you cannot remove permissions from the System Administrator role. A user role consists of a name, a description, and a set of permissions.
Table 3-2. Permissions for User Roles (columns: Permission, Allows a User To, Related Web Browser Interface Window)
• Configure cluster: Add new clusters; Configure settings for assigned clusters; ... (window: Enforcement clusters & servers)
Create a New User Role. Follow these steps to create a new user role: Select Home > System configuration > User roles. Figure 3-25. Home > System Configuration > User Roles. Click the add a user role link.
Figure 3-26. Home > System Configuration > User Roles > Add User Role. In the Role name field, enter a short, meaningful description of the role. For example: Assistant Administrator This field can include alphanumeric characters, special characters, and spaces.
See Table 3-2 on page 3-48 for more information about permissions. Note: Some permissions relate only to the NAC 800's endpoint integrity functions. The primary permissions of interest for a NAC 800 that acts only as a RADIUS server are: •...
Follow these steps to edit the role: Select Home > System configuration > User roles. Figure 3-27. Home > System Configuration > User Roles. Click the name of the role that you want to edit in the User role name column.
Figure 3-28. Home > System Configuration > User Role (Selected User Role). Make any or all of these changes: a. Enter a new name in the Role name field. b. Alter the text in the Description field.
A CS or ES requires an SSL certificate to communicate with endpoints during endpoint integrity testing. A NAC 800 acting as a RADIUS server (CS or ES) requires a server certificate for: • Server authentication—The NAC 800 authenticates itself during the Extensible Authentication Protocol (EAP) process.
(changeit). Note that changeit is the well-known default password of Java keystores; it guards the keystore against accidental modification, not against an attacker, so the real protection for the private key is restricting root (SSH) access to the NAC 800. Install the root CA certificate for the signing CA. At factory default settings, the NAC 800 already includes several root CA certificates. See "Install the Root CA Certificate" on page 3-57 for a list. Create a certificate request or certificate signing request (CSR).
Digital Certificates Generate a Key Before submitting a certificate request for your NAC 800, you must generate the certificate’s public/private keypair. The NAC 800 includes the public key in the request but keeps the private key only in its own keystore, which is protected with a password.
The keypair is now saved with the specified name in compliance.keystore. Install the Root CA Certificate The NAC 800 has several root CA certificates installed on it at factory default settings. If the new certificate will be signed by one of the CAs listed below,...
Create a Certificate Request and Transfer It off the NAC 800 To obtain a certificate from a CA, you must submit a certificate request. The request includes the public key and information about the NAC 800 and your organization.
Follow these steps to create the certificate request: Log in to the NAC 800 as root. Move to the /usr/local/nac/keystore directory. ProCurve NAC 800:/# cd /usr/local/nac/keystore Enter this command: Syntax: keytool -certreq -alias <keyname> -file <filename> -keystore compliance.keystore...
Replace <IP address> with the NAC 800's IP address. (Alternately, you can enter its hostname). Replace <cert_filename> with the name that you want to give the certificate file on the NAC 800. For example: pscp C:\certificates\mynac.cer root@10.2.1.20:/usr/local/nac/keystore/mynac.cer...
When prompted, enter the password for the keystore (changeit). Restart the HTTPS Server The NAC 800 begins to use the new certificate the next time the HTTPS server starts. Enter the following command as root to restart the server:...
Restart the HTTPS server. As an optional final task, you might transfer the self-signed certificate off the NAC 800 and install it as a trusted CA root certificate on endpoints; until you do, browsers will warn about the unknown issuer on every connection and users learn to click through such warnings. To complete these tasks, you must access the root command line for the NAC 800's OS:...
Export the Self-signed Certificate to a File Follow these steps to export the self-signed certificate to a file: Log in as root to the NAC 800 OS. Move to the /usr/local/nac/keystore directory. ProCurve NAC 800:/# cd /usr/local/nac/keystore Enter this command: Syntax: keytool -export -alias <keyname>...
When prompted for the password, enter changeit. Restart the HTTPS Server The NAC 800 begins to use the new certificate the next time the HTTPS server starts. Enter the following command as root to restart the server: Syntax: service [nac-ms | nac-es] restart Restarts the nac-ms or nac-es services, including the HTTPS server.
Enter this command: Syntax: pscp root@<IP address>:/usr/local/nac/keystore/<self_cert_filename> <path\filename> Replace <IP address> with the NAC 800's IP address. (Alternately, you can enter its hostname). Replace <self_cert_filename> with the name given to the self-signed certificate file in "Export the Self-signed Certificate to a File"...
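The keystore workflow of this section (generate a key, create the request, install the root CA certificate, install the signed certificate, check the result) run end to end, as an added example that is not from the NAC 800 guide: a POSIX shell script that does every keytool step in a scratch directory, with a throwaway OpenSSL CA standing in for the real CA at the point where the guide has you pscp the request off the appliance. The keystore name and password (compliance.keystore, changeit) are the guide's; the aliases mynac and myca, the subject names, the 2048-bit key size and the one-year validity are assumptions.

```shell
#!/bin/sh
# Added example (not from the NAC 800 guide): the HTTPS-certificate keystore
# procedure of Chapter 3 run end to end in a scratch directory, with a
# throwaway OpenSSL CA in place of the real CA. Assumed names: aliases
# mynac/myca, CN mynac.mycompany.com. Requires keytool (a JDK) and openssl.
set -e

nac_keystore_demo() {
  d=$(mktemp -d)
  ks="$d/compliance.keystore"

  # 1. Generate the keypair. The private key is created inside the keystore
  #    and never leaves it; only the public key goes into the request.
  keytool -genkeypair -alias mynac -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=mynac.mycompany.com, O=MyCompany" \
    -keystore "$ks" -storepass changeit -keypass changeit >/dev/null 2>&1

  # 2. Create the certificate request (keytool -certreq, as in the guide).
  keytool -certreq -alias mynac -file "$d/mynac.csr" \
    -keystore "$ks" -storepass changeit >/dev/null 2>&1

  # 3. Stand-in CA. In production this is where the request is transferred
  #    off the NAC 800 with pscp and submitted to your CA.
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=MyCompany Root CA\n' \
    > "$d/ca.cnf"
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 365 -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$d/mynac.csr" \
    -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -out "$d/mynac.cer" 2>/dev/null

  # 4. Install the root CA certificate first, under its own alias, so that
  #    keytool can build the chain when the signed certificate is imported.
  keytool -importcert -alias myca -file "$d/ca.pem" -noprompt \
    -keystore "$ks" -storepass changeit >/dev/null 2>&1

  # 5. Install the signed certificate under the SAME alias as the keypair:
  #    this replaces the self-signed placeholder with the CA-signed chain.
  keytool -importcert -alias mynac -file "$d/mynac.cer" -noprompt \
    -keystore "$ks" -storepass changeit >/dev/null 2>&1

  # 6. Check before restarting the HTTPS server: the key entry must now carry
  #    a chain of two certificates (server certificate + root). Prints "2".
  keytool -list -v -alias mynac -keystore "$ks" -storepass changeit 2>/dev/null \
    | awk -F': ' '/Certificate chain length/ {print $2}'
  rm -rf "$d"
}

if command -v keytool >/dev/null 2>&1; then
  nac_keystore_demo
fi
```

If step 5 fails with "Failed to establish chain from reply", the signing CA's certificate (or an intermediate) is not yet in the keystore; import it as in step 4 and retry. On the appliance the same `keytool -list -v` check is the quickest way to confirm the chain before `service nac-ms restart`.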
Contents (Chapter 4, continued): Proxy RADIUS Server (4-9); Configure the NAC 800 as a RADIUS Server (4-11); Specify the Quarantine Method (802.1X).
Install a CA-Signed Certificate Using a Request Generated on the NAC 800 (4-53); Install a CA-Signed Certificate Using a Request Generated on Behalf of the NAC 800.
NAC 800 can fulfill a variety of functions, among them checking endpoint integrity and authenticating endpoints as a RADIUS server. In this chapter, you learn how to configure a NAC 800 that acts only as a RADIUS server. ProCurve Identity Driven Manager (IDM), a plug-in to ProCurve Manager (PCM) Plus, helps you to quickly and easily configure the NAC 800’s RADIUS...
An authentication server receives an endpoint's credentials via an authentication protocol. With 802.1X, the authentication protocol is always EAP, and the NAC 800 and the endpoint negotiate the method. The NAC 800 supports these EAP methods: Protected EAP (PEAP) with: •...
NAC 800 as part of a centralized management solution. Note: If you are using the NAC 800 to test endpoint integrity, you also use IDM to set up dynamic VLAN assignments according to an endpoint's integrity posture.
If the IDM agent is upgraded, the release notes will instruct you how to upgrade the agent on the NAC 800. To check the current IDM agent version, log in to the NAC 800 as root and enter:...
Overview Local Database You can store user accounts as entries in a database on the NAC 800 itself. IDM simplifies adding entries to the local database. You simply enable local authentication on the NAC 800’s IDM realm. Then, whenever you add a user to IDM, the user is automatically added to the local database of all NAC 800s in the realm.
If you need to use a different method, use the NAC 800’s local database. LDAP Server Just as the NAC 800 can join a Windows domain and access AD, it can bind to an LDAP server and search a directory. For example, your organization might already have a directory that authenticates users and authorizes them for various types of network access.
IDM. To configure proxying, you must log in as root to the NAC 800’s (CS’s or ES’s) command line and edit this file: /etc/raddb/proxy.conf. See “Configure Authentication to a Proxy RADIUS Server”...
For example, EAP-TTLS might exhibit this problem. An example of an EAP method that works with proxying is Microsoft’s implementation of PEAP. If your NAC 800 loses connectivity to the proxy server, it cannot authen- ticate users. Specifying multiple proxy servers mitigates this disadvantage.
Configure the NAC 800 as a RADIUS Server You must complete these tasks to set up the ProCurve NAC 800 as a RADIUS server in a network with IDM: Configure your network's NASs—including, as necessary, switches, wireless APs, and Wireless Edge Services Modules—to use the NAC 800 as...
See the ProCurve Identity Driven Manager Users’ Guide. Specify the Quarantine Method (802.1X) To act as a RADIUS server, the ProCurve NAC 800 must implement the 802.1X quarantine method. (However, you can disable the actual quarantining by disabling endpoint testing. See Chapter 6: “Disabling Endpoint Integrity Testing.”)
Figure 4-1. Home > System Configuration > Quarantining. Select the Access mode.
VLANs. You should have already set up the quarantine VLANs in IDM. You have now enabled the NAC 800 to make access control decisions as a RADIUS server. Next you must configure the RADIUS server’s authentication settings.
Figure 4-2. Home > System Configuration > Quarantining—802.1X Quarantine Method. Keep Manual for the End-user authentication method.
AD. The NAC 800 joins the domain. Then, when it receives an authentication request from an end-user, the NAC 800 uses NT LAN Manager (NTLM) to query a domain controller (a server that runs AD) and check the end-user's credentials.
“Initial Setup of the ProCurve NAC 800” for instructions on changing the hostname. • The NAC 800 requires a valid DNS server address (which allows it to resolve the domain controller’s FQDN). To specify the DNS server, see “Edit MS or CS Network Settings” on page 3-18 of Chapter 3: “Initial Setup of the ProCurve NAC 800.”...
Figure 4-3. Home > System Configuration > Quarantining—802.1X Quarantine Method. Select Windows domain for the End-user authentication method. The Windows domain settings and Test Windows domain settings areas are displayed.
Figure 4-4. Home > System Configuration > Quarantining—Windows Domain Authentication Method
NAC 800 bound itself to a different domain controller than the one specified. To verify that the NAC 800 can successfully join the domain, click the test settings button. See “Test Authentication Settings” on page 4-35 for more information on setting up the test.
You should configure the NAC 800 to complete TLS authentication with the LDAP server, which increases security in several ways: The LDAP server proves its identity to the NAC 800 with a digital certificate, so the NAC 800 accepts account information only from the genuine directory and does not send its bind credentials to an impostor.
Figure 4-5. Home > System Configuration > Quarantining—802.1X Quarantine Method. Select OpenLDAP for the End-user authentication method. The OpenLDAP settings and Test OpenLDAP settings areas are displayed.
Figure 4-6. Home > System Configuration > Quarantining—OpenLDAP Authentication Method
In the Re-enter password field, enter this password again. In the Base DN field, enter the DN for the object at which the NAC 800 begins searches—almost always the DN of the top level of the tree. For example:...
The default filter is shown in Figure 4-6; it tells the NAC 800 to search for an entry in which the "uid" attribute equals whatever username is submitted in an authentication request.
Configure Authentication to a Novell eDirectory Server. If your network stores user accounts in eDirectory, follow these steps to configure the NAC 800's authentication settings: Complete the steps listed in "Specify the Quarantine Method (802.1X)"...
Figure 4-7. Home > System Configuration > Quarantining—802.1X Quarantine Method. Select Novell eDirectory for the End-user authentication method.
The Novell eDirectory settings and Test Novell eDirectory settings areas are displayed. Figure 4-8. Home > System Configuration > Quarantining—Novell eDirectory Authentication Method
For example: 10.1.10.10:636 The default LDAP port is 389, and the NAC 800 uses this port if you do not explicitly specify another. Use port 636 (LDAP over TLS, often called LDAPS) when you check the Use a secure connection (TLS) box (recommended).
An eDirectory server, by default, requires secure connections. 10. If you checked the box in the previous step, verify that the NAC 800 has the proper CA certificate. The NAC 800 requires the CA certificate for the CA that signed the eDirectory server’s certificate.
Figure 4-9. Home > System Configuration > Quarantining—802.1X Quarantine Method. Select Proxy for the End-user authentication method.
Figure 4-10. Home > System Configuration > Quarantining—Proxy Authentication Method. Specify the IP address for the proxy server (or servers). To complete this task, you must access the NAC 800's OS and edit the /etc/raddb/proxy.conf file.
Note: If your NAC 800 is a CS, simply alter the proxy.conf file on that NAC 800. However, if you have a cluster of MS and ESs, you must alter the file on each ES in this cluster.
RADIUS accounting server for the "accthost" value. Use this syntax: accthost= <FQDN or IP address>:<port number> If you do not specify a port, the NAC 800 uses the default RADIUS accounting port (1813). If you do not want to implement accounting, re-insert the comment marker (#) on this line.
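What the edited realm stanza looks like, as an added example that is not from the NAC 800 guide: a POSIX shell script that writes a constructed proxy.conf fragment in the FreeRADIUS 1.x realm syntax the guide's authhost/accthost lines use (the guide does not name the RADIUS implementation; the /etc/raddb layout it references is FreeRADIUS's), with two entries for the same realm so that a second proxy is tried when the first stops answering, and a small awk check that lists the host and effective port of every active directive, applying the 1813 default the guide states (and the standard 1812 for authentication). The realm name DEFAULT, the addresses and the two-server layout are assumptions; the secret is a placeholder that must match the one configured on the proxy RADIUS server.

```shell
#!/bin/sh
# Added example (not from the NAC 800 guide): a constructed proxy.conf realm
# fragment in FreeRADIUS 1.x syntax plus a check of the targets it resolves to.
# Real file on the appliance: /etc/raddb/proxy.conf on each CS or ES.
set -e

write_sample_proxy_conf() {
  cat > "$1" <<'EOF'
# Constructed sample. Two entries with the same realm name: the second is
# used if the first stops answering (ldflag = fail_over), which covers the
# "NAC 800 loses connectivity to the proxy server" case.
realm DEFAULT {
    type      = radius
    authhost  = 10.1.1.50:1812
    accthost  = 10.1.1.50
    secret    = REPLACE-WITH-A-LONG-RANDOM-SECRET
    nostrip
    ldflag    = fail_over
}
realm DEFAULT {
    type      = radius
    authhost  = 10.1.1.51:1812
    accthost  = 10.1.1.51:1813
    secret    = REPLACE-WITH-A-LONG-RANDOM-SECRET
    nostrip
    ldflag    = fail_over
}
# To turn accounting off for a server, comment its accthost line out:
#   accthost  = 10.1.1.50:1813
EOF
}

# Print "directive host port" for every active authhost/accthost line,
# filling in the defaults when no port is given: 1812 for authentication
# (the standard port) and 1813 for accounting (the default the guide states).
proxy_targets() {
  awk '
    /^[ \t]*#/ { next }                 # commented-out directives are inactive
    $1 == "authhost" || $1 == "accthost" {
      split($NF, hp, ":")
      port = (hp[2] != "") ? hp[2] : ($1 == "authhost" ? 1812 : 1813)
      print $1, hp[1], port
    }' "$1"
}

f=$(mktemp)
write_sample_proxy_conf "$f"
proxy_targets "$f"      # prints four lines; the first accthost resolves to port 1813
rm -f "$f"
```

The secret is the only thing protecting the RADIUS exchange between the NAC 800 and the proxy (RADIUS itself only hides the User-Password attribute with an MD5 construction keyed by this secret), so use a long random value per proxy rather than a reused or well-known one, and restart the radius process on the NAC 800 after editing the file, as the guide describes for the other settings.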
Contact the directory Bind to it Optionally, perform a successful search You should test the settings to eliminate problems before the NAC 800 begins to authenticate end-users on a live network. An independent check from another host with the standard ldapsearch client (for example, ldapsearch -x -H ldaps://<server>:636 -D "<bind DN>" -W -b "<base DN>" "(uid=<username>)") tells you whether a failure lies in the directory or in the NAC 800's settings. Follow these steps: Complete the steps listed in "Specify the Quarantine Method (802.1X)" on page 4-12.
Figure 4-12. Home > System Configuration > Quarantining—Novell eDirectory Method
If you are configuring a CS, you can skip this step. Otherwise, you must select an ES from the Server to test from drop-down menu. In a multiple NAC 800 deployment, ESs (not the MS) bind to the LDAP server when they need to authenticate end-users. When you test settings, you must choose for which ES you are testing them.
This window is displayed when you have edited previously configured authentication settings. To test the new settings, the NAC 800 must temporarily write them over the old settings, which—if the NAC 800 is the RADIUS server for an active network—can briefly interrupt service.
Test results (continued; the first row is cut off in the source):
• (truncated row) ... LDAP server. / ... result. / Possible cause: You didn't ask to verify credentials.
• Test failed: [LDAP: error code 48 - Inappropriate Authentication]. / The NAC 800 failed to bind to the LDAP server. / Possible cause: the bind password is incorrect.
• Test failed: could not ... / The NAC 800 failed to bind to the LDAP server. / Possible causes: (list truncated in the source)
The NAS enforces port authentication on end-user ports, forwarding users' authentication requests to a RADIUS server. You must add each NAS that uses the NAC 800 as its RADIUS server to the NAC 800's list of 802.1X devices. Note: The NASs are often called RADIUS clients.
Figure 4-15. Home > System Configuration > Quarantining—802.1X Quarantine Method. Click the add an 802.1X device link. The Add 802.1X device window is displayed.
From the Device type drop-down menu, choose the type of 802.1X device (that is, its manufacturer and OS). The drop-down menu includes several common devices, but the NAC 800 supports any device that can act as a standard RADIUS client. If your device is not listed, select Other.
Method) > Add an 802.1X Device Link. Connecting to the 802.1X device is necessary for implementing endpoint integrity: the NAC 800 must force the 802.1X device to re-authenticate the endpoint after its endpoint integrity posture has changed, so that the new VLAN assignment can take effect.
If you are using the NAC 800 as a RADIUS server only, the connection settings do not matter. Leave the settings at the defaults, or for the ProCurve Wireless Edge Services xl Module, ProCurve 420 AP, and ProCurve 530 AP, fill in only the community name.
Figure 4-18. Home > System Configuration > Enforcement Clusters & Servers. Click the name of the CS or ES. The Enforcement server window is displayed.
Figure 4-19. Home > System Configuration > Enforcement Clusters & Servers > Selected Enforcement Server. The Process/thread status area lists a number of services. Click the restart now button for radius.
OS. Follow these steps: Log in as root to the NAC 800 OS: a. Open an SSH or console session with the NAC 800. b. When asked for your username and password, enter root and the root password (factory default, procurve). If the root password is still the factory default, change it as described in "Edit the Root Password" before the NAC 800 is reachable from anything but the management network: the default is printed in this guide and grants full control of the RADIUS server and its private keys.
A certificate that specifies the NAC 800's FQDN as its CN and is signed by a trusted CA In either case, the certificate must allow the NAC 800 to use it for client and server authentication. That is, its Extended Key Usage extension should include "TLS Web Server Authentication" (serverAuth)...
= <root password> Install the CA Root Certificate on the NAC 800 The NAC 800 must have the CA root certificate for the CA that signed its server certificate. If supplicants authenticate with certificates (the EAP method is EAP-TLS or, less commonly, PEAP or EAP-TTLS with an inner method that requires certificates), the NAC 800 also uses this CA certificate to verify the supplicants’...
“tls” section of the /etc/raddb/eap.conf file—which can lead to errors. (See step 12 on page 4-56.) d. When prompted, enter the NAC 800’s root password. Log in as root to the NAC 800 OS. If the CA certificate is not in PEM format, follow these steps:...
CA. • On the CA, request a certificate on behalf of the NAC 800. Make sure to save the associated private key so that you can load it to the NAC 800. Create a Self-Signed Certificate...
“tls” section of the /etc/raddb/eap.conf file—which can lead to errors. (See step 12 on page 4-56.) You will be prompted to enter information about the NAC 800. When prompted for the CN, enter the NAC 800’s FQDN.
Manage Digital Certificates for RADIUS Install a CA-Signed Certificate Using a Request Generated on the NAC 800 Follow these steps to create a certificate request and install a CA-signed certificate for RADIUS authentication: Log in to the NAC 800 as root.
-config openssl.cnf -extensions radsrv_req -newkey rsa:1024 -nodes -keyout mykey.pem -out myrequest.req You will be prompted to enter information about the NAC 800. When prompted for the Common Name (CN), enter the NAC 800's FQDN. Note that rsa:1024 is the key size shown in this guide; 1024-bit RSA is below current minimums and is rejected by many CAs and supplicant platforms, so request rsa:2048 or larger. Transfer the certificate request to a Secure Copy (SCP) server.
<certificate_filename>. For example: pscp mycertificate.pem root@10.1.1.20://etc/raddb/certs/mycertificate.pem d. When prompted, enter the NAC 800’s root password. Log back in to the NAC 800 as root. 10. Enter this command: ProCurve NAC 800:/# cd /etc/raddb/certs 11. If your certificate is not in the desired format, you can convert it.
Configuring the RADIUS Server—Integrated with ProCurve Identity Driven Manager Manage Digital Certificates for RADIUS Convert from DER with this command: Syntax: openssl x509 -in <certificate_filename> -inform DER -out <certificate_filename> -outform PEM For <certificate_filename>, enter the name for the certificate that you chose in step 8.
= ${raddbdir}/certs/random Figure 4-21. Example radiusd.conf File—tls Section Note: The NAC 800 uses the “tls” configuration for server certificates for TLS, PEAP, and TTLS. Press d. If you created a password for the private key, set private_key_password to the same key that you chose earlier.
It is very important that you save the private key for the certificate. You will upload this key to the NAC 800 in step 3. You might have been prompted to create a password for the key. If you do, you will need to specify that password in step 6 on page 4-60.
/etc/raddb/certs/cert-srv.pem. This allows the NAC 800 to use the new certificate without forcing you to alter the “tls” section of the /etc/raddb/eap.conf file—which can lead to errors.
Use the arrow keys or other vi commands to reach the “tls” section of the configuration file. (See Figure 4-22.) Note: The NAC 800 uses the “tls” configuration to authenticate itself for TLS, PEAP, and TTLS.
= ${raddbdir}/certs/mycertificate.pem Make sure that CA_file is set to the filename (including the correct path) for the CA root certificate. This certificate was installed in “Install the CA Root Certificate on the NAC 800” on page 4-49. h. Press [Esc]...
Disable Server Validation on Endpoints You might want to prevent endpoints from checking the NAC 800’s server certificate for several reasons: You do not want to bother installing new certificates on the NAC 800 for server authentication. Caution: Because this option could allow endpoints to connect to a rogue server, ProCurve Networking does not recommend it.
Configuring the RADIUS Server—Integrated with ProCurve Identity Driven Manager Manage Digital Certificates for RADIUS Follow these steps on an endpoint to disable validation of the server on the native Windows 802.1X supplicant: Select Start > Settings > Network Connections > Local Area Connection.
Configuring the RADIUS Server—Integrated with ProCurve Identity Driven Manager Manage Digital Certificates for RADIUS Figure 4-24. Local Area Connection Properties > Authentication Choose your EAP type and click the Properties button. Clear the Validate server certificate check box. 4-64...
Configuring the RADIUS Server—Integrated with ProCurve Identity Driven Manager Manage Digital Certificates for RADIUS Figure 4-25. <EAP Type> Properties Click OK to close all open windows. Follow these steps to disable validation of the server on an endpoint that uses the Microsoft Wireless Zero Configuration client: Select Start >...
Configuring the RADIUS Server—Integrated with ProCurve Identity Driven Manager Manage Digital Certificates for RADIUS Figure 4-26. Start > Settings > Network Connections > Local Area Connection Click the Properties button. Select the Wireless Networks tab in the window that is displayed.
Configuring the RADIUS Server—Integrated with ProCurve Identity Driven Manager Manage Digital Certificates for RADIUS Figure 4-27. Wireless Network Connection Properties Select the service set identifier (SSID) for your wireless network in the Preferred networks area and click the Properties button.
Configuring the RADIUS Server—Integrated with ProCurve Identity Driven Manager Manage Digital Certificates for RADIUS Figure 4-28. <SSID> Properties > Authentication Choose the EAP type and click the Properties button. Uncheck the Validate server certificate box. 4-68...
Configuring the RADIUS Server—Integrated with ProCurve Identity Driven Manager Manage Digital Certificates for RADIUS Figure 4-29. <EAP Type> Properties Click OK to close all open windows. 4-69...
NAC 800 can fulfill a variety of functions, among them checking endpoint integrity and authenticating endpoints as a RADIUS server. In this chapter, you learn how to configure a NAC 800 that acts only as a RADIUS server. ProCurve Identity Driven Manager (IDM), a plug-in to ProCurve Manager (PCM) Plus, helps you to quickly and easily configure the NAC 800’s RADIUS...
An authentication server receives an endpoint’s credentials via an authentication protocol. With 802.1X, the authentication protocol is always EAP, and the NAC 800 and the endpoint negotiate the method. The NAC 800 supports these EAP methods: Protected EAP (PEAP) with: •...
Chapter 4: “Configuring the RADIUS Server—Integrated with ProCurve Identity Driven Manager.” Data Store Overview The NAC 800 can search one of several locations, or data stores, for a user’s credentials: A Windows domain controller, which runs Active Directory (AD) A Lightweight Directory Access Protocol (LDAP) server: •...
Overview LDAP Server Just as the NAC 800 can join a Windows domain and access AD, it can bind to an LDAP server and search a directory. For example, your organization might already have a directory that authenticates users and authorizes them for various types of network access.
Configuring the RADIUS Server—Without Identity Driven Manager Overview To configure proxying, you must log in as root to the NAC 800’s (CS’s or ES’s) command line and edit this file: /etc/raddb/proxy.conf. See “Configure Authentication to a Proxy RADIUS Server” on page 5-23.
Configure the NAC 800 as a RADIUS Server Configure the NAC 800 as a RADIUS Server You must complete these tasks to set up the ProCurve NAC 800 as your network’s RADIUS server: Configure your network’s NASs—including, as necessary, switches and wireless APs—to use the NAC 800 as their RADIUS server.
Follow these steps: Select Home > System configuration > Quarantining. If you have a multiple NAC 800 deployment (MS and multiple ESs), choose the cluster that includes the RADIUS server ESs. For a CS, the default and only cluster (Cluster #1) is automatically selected.
AD. The NAC 800 joins the domain. Then, when it receives an authentication request from an end-user, the NAC 800 uses NT LAN Manager (NTLM) to query a domain controller (a server that runs AD) and check the end-user’s credentials.
“Initial Setup of the ProCurve NAC 800” for instructions on changing the hostname. • The NAC 800 requires a valid DNS server address (which allows it to resolve the domain controller’s FQDN). To specify the DNS server, see “Edit MS or CS Network Settings” on page 3-18 of Chapter 3: “Initial Setup of the ProCurve NAC 800.”...
Configuring the RADIUS Server—Without Identity Driven Manager Configure the NAC 800 as a RADIUS Server Figure 5-2. Home > System Configuration > Quarantining—802.1X Quarantine Method Select Windows domain for the End-user authentication method. The Windows domain settings and Test Windows domain settings areas are displayed.
Configuring the RADIUS Server—Without Identity Driven Manager Configure the NAC 800 as a RADIUS Server Figure 5-3. Home > System Configuration > Quarantining—Windows Domain Authentication Method 5-13...
NAC 800 bound itself to a different domain controller than the one specified. To verify that the NAC 800 can successfully join the domain, click the test settings button. See “Test Authentication Settings” on page 5-28 for more information on setting up the test.
You should configure the NAC 800 to complete TLS authentication with the LDAP server, which increases security in several ways: The NAC 800 and the LDAP server verify their identities to each other with secure digital certificates—which ensures that they communicate user account information to authorized devices only.
Configuring the RADIUS Server—Without Identity Driven Manager Configure the NAC 800 as a RADIUS Server Figure 5-4. Home > System Configuration > Quarantining—802.1X Quarantine Method Select OpenLDAP for the End-user authentication method. The OpenLDAP settings and Test OpenLDAP settings areas are displayed.
Configuring the RADIUS Server—Without Identity Driven Manager Configure the NAC 800 as a RADIUS Server Figure 5-5. Home > System Configuration > Quarantining—OpenLDAP Authentication Method In the Server field, enter the hostname or IP address of the OpenLDAP server. For example: 10.1.10.10...
In the Re-enter password field, enter this password again. In the Base DN field, enter the DN for the object at which the NAC 800 begins searches—almost always the DN of the top level of the tree. For...
Then click the Browse button next to New certificate to upload it to the NAC 800. 11. To verify that the NAC 800 can successfully bind to the OpenLDAP server, click the test settings button. See “Test Authentication Settings” on page 5-28 for more information on setting up the test.
Configuring the RADIUS Server—Without Identity Driven Manager Configure the NAC 800 as a RADIUS Server Figure 5-6. Home > System Configuration > Quarantining—802.1X Quarantine Method Select Novell eDirectory for the End-user authentication method. The Novell eDirectory settings and Test Novell eDirectory settings areas are displayed.
Configuring the RADIUS Server—Without Identity Driven Manager Configure the NAC 800 as a RADIUS Server Figure 5-7. Home > System Configuration > Quarantining—Novell eDirectory Authentication Method In the Server field, enter the hostname or IP address of the eDirectory server. For example: 10.1.10.10...
For example: 10.1.10.10:636 The default LDAP port is 389, and the NAC 800 uses this port if you do not explicitly specify another. Use the 636 port when you check the Use a secure connection (TLS) box (recommended).
Then click the Browse button next to New certificate to upload it to the NAC 800. 11. To verify that the NAC 800 can successfully bind to the eDirectory server, click the test settings button. See “Test Authentication Settings” on page 5-28 for more information on setting up the test.
Configuring the RADIUS Server—Without Identity Driven Manager Configure the NAC 800 as a RADIUS Server Figure 5-8. Home > System Configuration > Quarantining—802.1X Quarantine Method Select Proxy for the End-user authentication method. 5-24...
Configure the NAC 800 as a RADIUS Server Figure 5-9. Home > System Configuration > Quarantining—Proxy Authentication Method Specify the IP address for the proxy server (or servers). To complete this task, you must access the NAC 800’s OS and edit the /etc/raddb/proxy.conf file. 5-25...
Configure the NAC 800 as a RADIUS Server Note: If your NAC 800 is a CS, simply alter the proxy.conf file on that NAC 800. However, if you have a cluster of MS and ESs, you must alter the file on each ES in this cluster.
For the “authhost” value, specify the proxy RADIUS authentication server. Use this syntax: authhost= <FQDN or IP address>:<port number> If you do not specify a port, the NAC 800 uses the default RADIUS authentication port (1812). vii. If you want to implement RADIUS accounting, specify the RADIUS accounting server for the “accthost”...
Contact the directory Bind to it Optionally, perform a successful search You should test the settings to eliminate problems before the NAC 800 begins to authenticate end-users on a live network. Follow these steps: Complete the steps listed in “Specify the Quarantine Method (802.1X)” on page 5-8.
If you are configuring a CS, you can skip this step. Otherwise, you must select an ES from the Server to test from drop-down menu. In a multiple NAC 800 deployment, ESs (not the MS) bind to the LDAP server when they need to authenticate the end-user. When you test settings, you must choose for which ES you are testing them.
Test the bind operation only. Click the test settings button. This test verifies that: – The NAC 800 can reach the domain controller or LDAP server. – The administrator username and password are correct. Note: If you choose this option, you may receive a message that the test failed because the LDAP query returned no results or multiple results.
This window is displayed when you have edited previously configured authentication settings. To test the new settings, the NAC 800 must temporarily write them over the old settings, which—if the NAC 800 is the RADIUS server for a live network—can briefly interrupt service.
Message (continued): ... code 32 - NDS error: no such entry (-601)]
Possible cause: The base DN is incorrect.
Message: Test failed: [LDAP: error code 13 - Confidentiality ...]
Meaning: The NAC 800 failed to bind to the LDAP server.
Possible cause: The LDAP server requires TLS, but this option is not selected.
Meaning (continued): ... LDAP server. ... result.
Possible cause: You didn’t ask to verify credentials.
Message: Test failed: [LDAP: error code 48 - Inappropriate Authentication].
Meaning: The NAC 800 failed to bind to the LDAP server.
Possible cause: The bind password is incorrect.
Message: Test failed: could not ...
Meaning: The NAC 800 failed to bind to the LDAP ...
The NAS enforces port authentication on end-user ports, forwarding users’ authentication requests to a RADIUS server. You must add each NAS that uses the NAC 800 as its RADIUS server to the NAC 800’s list of 802.1X devices. Note: The NASs are often called RADIUS clients.
Configuring the RADIUS Server—Without Identity Driven Manager Configure the NAC 800 as a RADIUS Server Figure 5-14. Home > System Configuration > Quarantining—802.1X Quarantine Method Click the add an 802.1X device link. The Add 802.1X device window is displayed. 5-35...
From the Device type drop-down menu, choose the type of 802.1X device (that is, its manufacturer and OS). The drop-down menu includes several common devices, but the NAC 800 supports any device that can act as a standard RADIUS client. If your device is not listed, select Other.
Method) > Add an 802.1X Device Link Connecting to the 802.1X device is necessary for implementing endpoint integrity: the NAC 800 must force the 802.1X device to re-authenticate the endpoint after its endpoint integrity posture has changed, so that the new VLAN assignment can take effect.
Configuring the RADIUS Server—Without Identity Driven Manager Configure the NAC 800 as a RADIUS Server If you are using the NAC 800 as a RADIUS server only, the connection settings do not matter. Leave the settings at the defaults, or for the ProCurve Wireless Edge Services xl Module, ProCurve 420 AP, and ProCurve 530 AP, fill in only the community name.
Configuring the RADIUS Server—Without Identity Driven Manager Configure the NAC 800 as a RADIUS Server Figure 5-17. Home > System Configuration > Enforcement Clusters & Servers Click the name of the CS or ES. The Enforcement server window is displayed.
Configuring the RADIUS Server—Without Identity Driven Manager Configure the NAC 800 as a RADIUS Server Figure 5-18. Home > System Configuration > Enforcement Clusters & Servers > Selected Enforcement Server
Open an SSH session with the NAC 800. Log in as root to the NAC 800 OS: a. Open an SSH or console session with the NAC 800. b. When asked for your username and password, enter root and the root password (default, procurve).
“tls” section of the /etc/raddb/eap.conf file—which can lead to errors. (See step 12 on page 5-50.) d. When prompted, enter the NAC 800’s root password. Log in as root to the NAC 800 OS. If the CA certificate is not in PEM format, follow these steps:...
“tls” section of the /etc/raddb/eap.conf file—which can lead to errors. (See step 12 on page 5-50.) You will be prompted to enter information about the NAC 800. When prompted for the CN, enter the NAC 800’s FQDN.
NAC 800 Follow these steps to create a certificate request and install a CA-signed certificate for RADIUS authentication: Log in to the NAC 800 as root. Enter this command: ProCurve NAC 800:/# cd /etc/raddb/certs Configure the openssl application to create certificate requests that request the correct extensions for a RADIUS server.
-config openssl.cnf -extensions radsrv_req -newkey rsa:1024 -nodes -keyout mykey.pem -out myrequest.req You will be prompted to enter information about the NAC 800. When prompted for the Common Name (CN), enter the NAC 800’s FQDN. Transfer the certificate request to a Secure Copy (SCP) server.
<certificate_filename>. For example: pscp mycertificate.pem root@10.1.1.20://etc/raddb/certs/mycertificate.pem d. When prompted, enter the NAC 800’s root password. Log back in to the NAC 800 as root. 10. Enter this command: ProCurve NAC 800:/# cd /etc/raddb/certs
8. You should change the filename extension to reflect the changed format. For example, enter: ProCurve NAC 800:/etc/raddb/certs# openssl x509 -in mycertificate.der -inform DER -out mycertificate.pem -outform PEM Convert from PFX format with this command: Syntax: openssl pkcs12 -in <certificate_filename>.pfx -out...
= ${raddbdir}/certs/random Figure 5-20. Example radiusd.conf File—tls Section Note: The NAC 800 uses the “tls” configuration for server certificates for TLS, PEAP, and TTLS. Press d. If you created a password for the private key, set private_key_password to the same key that you chose earlier.
It is very important that you save the private key for the certificate. You will upload this key to the NAC 800 in step 3. You might have been prompted to create a password for the key. If you do, you will need to specify that password in step 6 on page 5-54.
Use the arrow keys or other vi commands to reach the “tls” section of the configuration file. (See Figure 5-21.) Note: The NAC 800 uses the “tls” configuration to authenticate itself for TLS, PEAP, and TTLS.
Make sure that CA_file is set to the filename (including the correct path) for the CA root certificate. This certificate was installed in “Install the CA Root Certificate on the NAC 800” on page 5-43. h. Press [Esc] Enter this command:...
Configuring the RADIUS Server—Without Identity Driven Manager Manage Digital Certificates for RADIUS Follow these steps on an endpoint to disable validation of the server on the native Windows 802.1X supplicant: Select Start > Settings > Network Connections > Local Area Connection. Figure 5-22.
Configuring the RADIUS Server—Without Identity Driven Manager Manage Digital Certificates for RADIUS Figure 5-23. Local Area Connection Properties > Authentication Choose your EAP type and click the Properties button. Clear the Validate server certificate check box. 5-58...
Configuring the RADIUS Server—Without Identity Driven Manager Manage Digital Certificates for RADIUS Figure 5-24. <EAP Type> Properties Click OK to close all open windows. Follow these steps to disable validation of the server on an endpoint that uses the Microsoft Wireless Zero Configuration client: Select Start >...
Configuring the RADIUS Server—Without Identity Driven Manager Manage Digital Certificates for RADIUS Figure 5-25. Start > Settings > Network Connections > Local Area Connection Click the Properties button. Select the Wireless Networks tab in the window that is displayed. 5-60...
Configuring the RADIUS Server—Without Identity Driven Manager Manage Digital Certificates for RADIUS Figure 5-26. Wireless Network Connection Properties Select the service set identifier (SSID) for your wireless network in the Preferred networks area and click the Properties button. If the SSID has not yet been configured on the client, you must click the Add button instead.
Configuring the RADIUS Server—Without Identity Driven Manager Manage Digital Certificates for RADIUS Figure 5-27. <SSID> Properties > Authentication Choose the EAP type and click the Properties button. Uncheck the Validate server certificate box. 5-62...
Configuring the RADIUS Server—Without Identity Driven Manager Manage Digital Certificates for RADIUS Figure 5-28. <EAP Type> Properties Click OK to close all open windows. 5-63...
In effect, you have disabled endpoint integrity testing. Configure Exceptions On the NAC 800, you configure exceptions for endpoints that you do not want tested for endpoint integrity. When you designate an endpoint as an exception, the NAC 800 discovers but does not test that endpoint.
To exclude an entire domain, enter your company’s domain name, such as: CS.NicheLab1.com Because you are setting up the NAC 800 to function as a RADIUS server only, you will typically specify a range or several ranges of addresses or a domain name.
Disabling Endpoint Integrity Testing Overview Select Cluster setting defaults > Exceptions. Figure 6-2. Home > System Configuration > Cluster Setting Defaults > Exceptions Under Whitelist, enter either the addresses of endpoints or the domain name you want to exclude from testing. •...
Disabling Endpoint Integrity Testing Overview Configure Exceptions for a Particular Cluster If you want to disable endpoint integrity for only one of the clusters you have configured on the Management Server (MS), complete the following steps: Select Home > System configuration. Figure 6-3.
Disabling Endpoint Integrity Testing Overview Note: The settings you configure for a particular cluster override the cluster setting defaults. Select the For this cluster, override the default settings check box. Figure 6-4. Home > System Configuration > Enforcement Clusters & Servers > Cluster_Name >...
Disabling Endpoint Integrity Testing Overview Under Whitelist, enter either the addresses of endpoints or the domain name you want to exclude from testing. Under Endpoints, enter an IP address, a range of IP addresses in CIDR • format, a MAC address, or a NetBIOS name. •...
NAC 800, you have three options for the data store: you can use a Lightweight Directory Access Protocol (LDAP) server or Windows domain controller, which stores user objects for your entire network; you can use the local data store on the NAC 800 itself; or you can use a proxy RADIUS server.
NAC 800, IDM ensures that each NAC 800 includes the same user- names and passwords. You enter the usernames and passwords once on the IDM server, and it will configure them on each NAC 800 for you when you deploy the policy.
Specifically, you must enter settings on the Network Access Servers (NASs). In the 802.1X environment, a NAS might be a switch, a router, an access point (AP), or a ProCurve Wireless Edge Services Module.
RADIUS servers are listed. Both of these servers are NAC 800s. When the switch receives an authentication request, it will contact the first RADIUS server listed—in this case, the NAC 800 with the IP address 10.1.1.20. If that server does not respond, the 5400zl Switch will contact the next RADIUS server listed—10.1.1.100 in the example.
If you have designed your directory services to provide redundancy, your network includes multiple LDAP servers. You must reference these LDAP servers on the NAC 800 so that it can contact another LDAP server if the first one is unavailable. To provide this redundancy for Microsoft Windows domain controllers (which use Active Directory [AD]), you can use the Web browser interface to specify multiple domain controllers.
Home > System configuration > Quarantining. As Figure 7-3 shows, you must configure an End-user authentication method, which determines what the NAC 800 uses to verify users’ credentials. Because you are using a domain controller, use the drop-down menu to select Windows domain.
Figure 7-3. Home > System Configuration > Quarantining Edit the /etc/raddb/radiusd.conf file. If you are using Novell eDirectory or OpenLDAP, you must log in to the NAC 800 as root through an SSH or console session. You then use the VI editor to edit the /etc/raddb/radiusd.conf file.
Figure 7-4. radiusd.conf File for Multiple LDAP Servers—Modules Section Note that, in order to protect users’ credentials, you should require the NAC 800 to negotiate a Transport Layer Security (TLS) connection with the LDAP servers. Include this parameter in the module for both LDAP servers:...
You must, of course, obtain the certificate and copy it to the specified location on the NAC 800 (using an application such as PSCP). It is often a good idea to set up one server through the Web browser interface, which helps you easily install the CA certificate.
ProCurve NAC devices. Add users to the realm. IDM automatically configures on the NAC 800 any user that you add to the NAC 800’s realm. You must, however, configure passwords for those users. (See the ProCurve Identity Driven Management Users’ Guide for more detailed instructions in completing these steps.)
To protect your network, you should back up your system whenever you make changes to the configuration. For maximum backup protection, you should store the NAC 800 backup file off-site with the backups from your other network devices. Of course, your off-site storage facility must be secure so that your confidential data and network configuration information is protected.
Redundancy and Backup for RADIUS Services Back Up Your NAC 800 Configuration To back up your NAC 800 configuration, complete the following steps: Select Home > System configuration > Maintenance. Figure 7-7. Home > System Configuration > Maintenance Click begin backup now. A Web browser dialog box is displayed, allowing you to begin the process of saving the backup file.
Select the Security tab. Choose the zone in which your management station places the NAC 800. If the NAC 800 has an IP address on the same intranet as your station, this zone is probably Local intranet. Otherwise, the zone is probably Internet.
Click the OK button. Restore the System from the Backup File You can return your NAC 800 to the settings stored in a backup file. You might want to do this if a new configuration fails or if you add a replacement NAC 800 MS to your system.
Redundancy and Backup for RADIUS Services Back Up Your NAC 800 Configuration Figure 7-9. Home > System Configuration > Maintenance Click the restore system from backup file link. Click restore system from backup file. The Restore system window is displayed, allowing you to browse for your backup file.
Figure 7-10. Home > System Configuration > Maintenance > Restore System From Backup File If you want to continue the restore process, click the Browse button and select the backup file. This file must be a NAC 800 backup file, saved with the following naming convention: backup-<year-month-day>T<hour-minute-second>.tar.bz2 After you have selected the appropriate file, click ok.
IEEE 802.1X at http://www.ieee802.org/1/pages/802.1x.html. 802.1X deployment method The deployment method that corresponds to the 802.1X quarantine method. In this method, the NAC 800 is connected to a switch via both its Ethernet ports. Port 1 receives authentication requests, and port 2 receives mirrored DHCP traffic.
Access can be controlled based on an endpoint’s compliance with network standards, for example, or on other configurable settings. access control status The label that the NAC 800 gives to an endpoint to define its ability to access the network.
Active Directory See AD. ActiveX A Microsoft technology that enables interactive Web content. An endpoint must accept ActiveX content from the NAC 800 to be tested via the ActiveX plug-in. For more information, see the Microsoft Developer Center library at http://msdn2.microsoft.com/en-us/library/aa751968.aspx.
agentless testing method Using the Windows RPC service, agentless testing allows the NAC 800 to begin testing, provide test results, and grant access to compliant endpoints without any interaction from the user. Of the three testing methods, agentless testing is the easiest to deploy, requiring less administrative effort and no memory on the endpoint.
Appendix A: Glossary is allowed any access at all as well as the level of access. Also called the 802.1X device (in the NAC 800 Web browser interface) and NAS (in the RADIUS protocol). See also 802.1X device and NAS.
Web site again, the server “remembers” the client. credentials A username and its corresponding password. CS Combination Server. A NAC 800 that functions as both an ES and an MS and acts as a stand-alone device. CSR Certificate Signing Request. In PKI systems, a request for a digital certificate that is sent to a CA by an applicant.
DHCP deployment method A deployment method for networks that are not 802.1X compatible. In this method, the NAC 800 is placed between a switch and a DHCP server and intercepts DHCP requests from non-tested or non-compliant endpoints. See also DHCP quarantine method.
Appendix A: Glossary DNS Domain Name Server. A server that associates Internet domain names (such as www.abccompany.com) with their corresponding IP addresses. domain In LDAP, a logical grouping of devices that allows the network administrator to manage all of the objects in a domain at the same time, e.g., to control who has access to the objects in the domain.
NAC 800 message windows that appear on the end-user’s monitor; they show information such as the endpoint’s test status and remediation steps, permitting the user to download an agent, cancel testing, and get more information about why a test failed.
Ethernet ports On the NAC 800, port 1 connects to the LAN and provides in-band management. The use of port 2 varies, depending on the deployment method. For the inline deployment method, port 2 might connect to a VPN or RAS. For the DHCP deployment method, port 2 connects to a DHCP server.
IKE Internet Key Exchange. The protocol used to negotiate and set up an SA in the IPsec protocol suite.
inline deployment method The NAC 800 is placed between a “choke point” and the rest of the network such that all traffic to be quarantined passes through the NAC 800. See also inline quarantine method.
L2TP Layer 2 Tunneling Protocol. A protocol that is used in VPNs. For more information, see RFC 2661 at http://tools.ietf.org/html/rfc2661. LCD Liquid Crystal Display. On the NAC 800, a display that is located on the front panel of the chassis and that shows both information about the device and error messages.
log level A category into which messages are recorded, depending on their severity. Log levels are, from most to least severe: error, warn, info, debug, and trace. The default level for messages logged on the NAC 800 is debug.
MAC-auth MAC Authentication. Authentication that is based on the endpoint’s MAC address rather than on the user’s credentials. Because a MAC address is easily changed on most endpoints, MAC-auth identifies a device only weakly and should not be treated as proof of identity.
NAC policy group A logical set of NAC policies that applies to one or more enforcement clusters. Each cluster uses only one NAC policy group. NAC test actions The procedures that the NAC 800 performs when an endpoint fails the test. The failure actions can be: send a notification email to the network administrator, quarantine the endpoint, or grant temporary access before quarantining.
NAC tests Used to determine if an endpoint complies with your company’s network policies. Test categories are Windows security settings, security settings on other OSs, Windows software, Windows operating system, and Windows browser security policies.
NAS Network Access Server. A device that provides endpoints with network access and enforces the decisions of AAA servers, thereby guarding access to the Internet, printers, phone networks, or other protected resources.
NAC tests that are run on endpoints after they have already connected successfully to the network. The network administrator configures the retest frequency. If a device has become infected or no longer complies with the organization’s security policies, the NAC 800 quarantines it.
posture See integrity posture.
PPP Point-to-Point Protocol. A layer-2 protocol that connects a device such as a personal computer to a server over a point-to-point link, typically a dial-up phone line. PPP runs over a serial interface and is sometimes considered part of the TCP/IP protocol suite. For more information, see RFC 1661 at http://tools.ietf.org/html/rfc1661.
quarantine The isolation of endpoints or systems to prevent potential infection of other endpoints or systems. The NAC 800 determines whether to quarantine an endpoint by applying the following policies in this order: access mode, temporarily quarantine/grant access setting, exceptions, NAC policies (the results of tests in the policy).
RC5 Rivest Cipher 5. A symmetric encryption algorithm supported by IPsec. RC5 is a block cipher with a variable key length of up to 2040 bits. For more information, see “The RC5 Encryption Algorithm” at http://people.csail.mit.edu/rivest/Rivest-rc5rev.pdf.
remediation The process by which a non-compliant endpoint is made compliant. For example, if a Windows service pack is missing on an endpoint, the end-user must install the service pack before being allowed network access.
An SNMP network consists of agents, managed devices, and network-management systems. Hierarchically organized information about network devices is stored in and accessed from a MIB. The NAC 800 supports SNMPv2, which controls access based on community name. For example, a server that knows the NAC 800’s read-only community name can read … Community names are sent in cleartext and are the only access control in community-based SNMPv2, so treat them as passwords and restrict which hosts may query the agent.
… RADIUS server to the endpoint). An endpoint must have an 802.1X supplicant to connect to a segment of the network that enforces 802.1X quarantining. Supplicants supported by the NAC 800 include the native supplicants on Windows Vista, XP SP2, and 2000 SP4 and on Mac OS X 10, as well as Juniper Odyssey 4.2 and Open1X Xsupplicant 1.2.8.
The network administrator configures the length of this period. testing methods Methods that the NAC 800 uses to perform tests. The NAC 800 supports three testing methods: agent test method, ActiveX test method, and agentless test method.
… Such a device is still subject to the company’s network security policies.
untestable endpoint A device that is running an operating system that the NAC 800 does not currently support or whose Internet Explorer security setting is “High.”...
On the NAC 800, the asterisk (*) is the wildcard character.
Windows The desktop and server operating system developed by Microsoft. The versions of Windows that are supported by the NAC 800 are Windows 98, Windows 2000, Windows XP Professional and Home, Windows 2000 Server and Windows Server 2003, and Windows NT.
… network and consume bandwidth, whereas viruses infect or corrupt files on a targeted computer. Viruses generally do not affect network performance, because their malicious activities are mostly confined within the target computer itself.
WPA Wi-Fi Protected Access. A security standard created by the Wi-Fi Alliance, based on a draft of IEEE 802.11i, to address the security weaknesses in WEP.
Appendix B: Linux Commands
Common Linux Commands
This appendix provides additional information on Linux commands used for completing tasks discussed in this management and configuration guide. You should also keep in mind these general tips for using Linux:
• Filenames are case sensitive.
Action               Command
View text files      more <filename>
                     • [spacebar] or [f]: move forward one screen
                     • N[f]: move forward N screens
                     • [b]: move back one screen
                     • N[b]: move back N screens
View or edit files   vi <filename>...
vi Editor
To edit or view files on the NAC 800, use the vi editor, a commonly used Linux text editor. The vi editor has three modes:
• Command
• Insert
• Replace
Command Mode
When you access vi and open a file, you are typically in command mode: you can enter any of the commands outlined in Table B-2.
Action                                                     Command
Undo last change in file; enter the command again to redo  u
Save changes                                               :w
Exit vi and save changes to file                           :wq
Exit vi and do not save changes to file                    :q!
Insert Mode
If you want to input text into the file, you must enter insert mode. To enter insert mode, press i.
(certificate chains). You should use keytool commands to create and manage the digital certificate for the NAC 800’s HTTPS server (which grants access to its Web browser interface). The commands below, while not comprehensive, help you complete common tasks.
Syntax: keytool -certreq -alias <alias> -file <filename> -keystore <keystore> [-keypass <password>] [-storepass <password>]
Creates a certificate signing request using the public key and the X.500 distinguished name (DN) stored under the specified <alias> in the specified <keystore>; the request is signed with the matching private key, which stays in the keystore. The request is saved under the specified <filename>. If you do not enter a password for the keystore and key, you will be prompted to do so.
Syntax: keytool -keypasswd -alias <alias> -keystore <keystore filename> -keypass <old password> -new <new password> [-storepass <password>]
Changes the password for the key stored under the <alias> in the specified <keystore>. If you do not enter a password for the keystore, you will be prompted to do so. Passwords given on the command line are visible in the process list and the shell history, so prefer omitting them and typing them at the prompt.
openssl
The NAC 800 OS offers openssl, another tool for creating and managing certificates. Chapter 4: “Configuring the RADIUS Server—Integrated with ProCurve Identity Driven Manager” and Chapter 5: “Configuring the RADIUS Server—Without Identity Driven Manager” teach you how to use openssl commands to manage certificates for the NAC 800 FreeRADIUS server.
Syntax: openssl req -new -newkey [rsa | dsa]:[512 | 1024 | 2048 | 4096] -nodes -keyout <key_filename> -out <request_filename> [-days <number>] [-outform {DER | PEM}] [-config <filename>] [-extensions <section_name>]
Creates a certificate request and an associated private/public key pair of the specified algorithm and length. Use RSA with at least 2048 bits; 512- and 1024-bit keys are too short for current use. -nodes writes the private key to <key_filename> unencrypted, which lets the server daemons start unattended, so restrict the file’s permissions. -days is honoured only when the command also generates a self-signed certificate (-x509); it has no effect on a plain request, whose validity period is set by the CA that signs it.
Syntax: openssl req -new -key <key_filename> -out <request_filename> [-days <number>] [-outform {DER | PEM}] [-config <filename>] [-extensions <section_name>]
Creates a certificate request using the existing private key in <key_filename>. The request is saved in <request_filename>.
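The following is an added example, not code from the ProCurve guide. It carries out the CSR workflow that both the keytool -certreq entry and the two openssl req entries above describe, using openssl so that it runs on any host with openssl on the PATH. The hostname nac800.example.com, the subject fields and the working directory are placeholders; on the NAC 800 itself you would use the key and request paths that Chapters 4 and 5 specify. Beyond generating the request, it checks the things a practitioner should confirm before sending a CSR to a CA: the subject is embedded, the request's self-signature verifies, the public key in the request matches the private key on disk, the key is at least 2048 bits, and the request contains no private key material.

```shell
#!/bin/sh
# Added example (not part of the NAC 800 guide): create and sanity-check a CSR
# with openssl. Assumes openssl is on PATH; nac800.example.com and the subject
# fields are placeholders. Files are written to $WORK (a fresh temp dir).

set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate an RSA key of $1 bits and a CSR for CN=$2 in one step.
# -nodes leaves the private key unencrypted so daemons can start unattended;
# compensate with a restrictive umask and file mode.
gen_csr() {
    bits="$1"; cn="$2"
    umask 077
    openssl req -new -newkey "rsa:${bits}" -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/C=US/O=Example Corp/CN=${cn}" 2>/dev/null
    chmod 600 "$WORK/server.key"
}

# Print the CN from the request's subject, showing the DN was embedded.
csr_cn() {
    openssl req -in "$WORK/server.csr" -noout -subject | sed 's/.*CN *= *//'
}

# Verify the request's self-signature (proof of possession of the private key).
csr_verify() {
    if openssl req -in "$WORK/server.csr" -noout -verify >/dev/null 2>&1; then
        echo ok
    else
        echo bad
    fi
}

# Confirm the public key inside the CSR is the one derived from server.key.
csr_matches_key() {
    a=$(openssl req -in "$WORK/server.csr" -noout -pubkey)
    b=$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null)
    if [ "$a" = "$b" ]; then echo yes; else echo no; fi
}

# Report the modulus size so 512/1024-bit keys can be rejected before use.
key_bits() {
    openssl rsa -in "$WORK/server.key" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

# A CSR must carry only the public key; any PRIVATE KEY block is a mistake.
csr_has_private_key() {
    if grep -q 'PRIVATE KEY' "$WORK/server.csr"; then echo yes; else echo no; fi
}
```

Run `gen_csr 2048 nac800.example.com` and then the check functions; `csr_cn` should print the CN you passed, `csr_verify` should print ok, `csr_matches_key` yes, `key_bits` 2048 and `csr_has_private_key` no. The same checks apply to a request produced by keytool -certreq, since the request format is the same regardless of the tool that wrote it.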
Service Commands
As you make configuration changes to the NAC 800, you might need to restart a service or check its status. For example, after you install certificates for the NAC 800’s RADIUS server, you must restart the radiusd service.
Service                                            Service Name
Accessible IP addresses (for inline deployment)    iptables
Network Time Protocol (NTP) server                 ntpd
Simple Network Management Protocol (SNMP) agent    snmpd
SNMP trap receiver                                 snmptrapd