Page 1 HP ProCurve Network Access Controller 800 Users Guide...
Page 3 ProCurve Network Access Controller 800 Release 1.1 Users Guide...
Page 4 Publication Number consequential damages in connection with the furnishing, 5990-8851 performance, or use of this material. November 2008 Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished (rev-n) by Hewlett-Packard. Trademark Credits Warranty ®...
Page 5: Table Of Contents
Contents Contents 1 Introduction What you Need to get Started ........1-2 Additional Documentation .
Page 6 Contents Multiple-server Installations ........2-3 3 System Configuration Introduction .
Page 7 Contents Deleting a User Account ........3-38 User Roles .
Page 8 Contents Editing a DHCP Quarantine Area ....... 3-97 Deleting a DHCP Quarantine Area ......3-97 Quarantining, Inline .
Page 9 Contents Advanced Settings ..........3-130 Setting the Agent Read Timeout .
Page 10 Contents Agentless Test Method ........5-10 Configuring Windows 2000 Professional for Agentless Testing .
Page 11 Contents Enabling or Disabling an NAC Policy ......6-7 Selecting the Default NAC Policy ....... . 6-7 Creating a New NAC Policy .
Page 12 Contents 10 DHCP Quarantine Method Overview ........... . . 10-2 Configuring NAC 800 for DHCP .
Page 13: Remote Device Activity Capture
Contents 12 Remote Device Activity Capture Creating a DAC Host ......... . . 12-2 Downloading the EXE File .
Page 14 Contents Restarting NAC 800 System Processes ......15-4 Downloading New Tests ......... 15-5 System Settings .
Page 15 Contents Enabling ICMP Echo Requests ....... . 15-37 Enable Temporary Ping ........15-37 Enable Persistent Ping .
Page 16 Contents Internet Explorer (IE) Local Intranet Security Zone ....B-7 Internet Explorer (IE) Restricted Site Security Zone ....B-8 Internet Explorer (IE) Trusted Sites Security Zone .
Page 17 Contents Windows Startup Registry Entries Allowed ..... . . B-32 Wireless Network Connections ....... . . B-33 Software –...
Page 18 Contents E Ports used in NAC 800 F MS Disaster Recovery Overview ............F-2 Installation Requirements .
Page 19 Introduction Chapter Contents What you Need to get Started ........1-2 NAC 800 Home Window .
Page 20: Introduction
A ProCurve NAC Endpoint Integrity Agent License ■ ProCurve NAC 800 is delivered as a hardware appliance that you install in your network. After NAC 800 is installed in your network, you configure it using a workstation with browser software installed.
Page 21: Additional Documentation
Introduction Additional Documentation Additional Documentation The following documents provide information on installation and configura- tion, and are available at http://www.hp.com/rnd/support/manual/ NAC800.htm: ProCurve Network Access Controller 800 Hardware Installation Guide – Refer to this document first to see how to prepare for and perform the physical installation of the appliance and how to establish initial management access.
Page 22: Nac 800 Home Window
Introduction NAC 800 Home Window NAC 800 Home Window The NAC 800 Home window (figure 1-1) is a centralized management user interface that allows you to quickly assess the status of your network. The following list and figure describe and show the key features: Important status announcements –...
Page 23 Introduction NAC 800 Home Window 3. Top 5 failed tests area 2. User name 1. Important status 4. Window actions announcements 8. Enforcement server status area 5. Navigation 6. Test 7. Access control pane status area status area status area Figure 1-1.
Page 24: System Monitor
Introduction System Monitor System Monitor The System monitor window provides the following information: ■ Enforcement cluster name – The Enforcement clusters are listed by name in the order they were created. Click on a cluster name to view cluster details. You must have cluster-editing permissions to view and edit cluster details.
Page 25 Introduction System Monitor Breadcrumbs for navigation Figure 1-2. System Monitor Window The following figure shows the legend for the System monitor window icons: Figure 1-3. System Monitor Window Legend...
Page 26: Overview
Introduction Overview Overview NAC 800 protects the network by ensuring that endpoints are free from threats and in compliance with the organization's IT security standards. NAC 800 systematically tests endpoints—with or without the use of a client or agent— for compliance with organizational security policies, quarantining non-com- pliant machines before they damage the network.
Page 27: High Availability
Introduction Overview Test method Trade-offs Pros Cons ActiveX plug-in • No installation or upgrade to maintain. • No retesting of endpoint once browser is closed. • Supports all Windows operating systems. • Not supported by non-Windows operating • Only Internet Explorer application access systems.
Page 28: The Nac 800 Process
Introduction Overview Extensible – NAC 800’s easy-to-use open API allows administrators ■ to create custom tests for meeting unique organizational require- ments. The API is fully exposed and thoroughly documented. Custom tests are created using scripts and can be seamlessly added to existing policies.
Page 29: Endpoint Testing
Introduction Overview the presence of worms, trojans, and viruses, and check for potentially danger- ous applications such as file sharing, peer-to-peer (P2P), or spyware. See “Tests Help” on page B-1 for more information. Key features include: ■ Out-of-the-box NAC policies – High, medium, and low security are ready to use with no additional configuration required.
Page 30: Compliance Enforcement
Introduction Overview Rapid testing and robust endpoint management – Thousands of ■ endpoints can be tested and managed simultaneously. ■ Continual testing – Endpoints are retested on an administrator- defined interval as long as they remain connected to the network. Compliance Enforcement Based on endpoint test results, NAC 800 takes the appropriate action.
Page 31: Targeted Reporting
Introduction Overview Targeted Reporting NAC 800 reports provide concise security status information on endpoint compliance and access activity. Specific reports are available for auditors, managers, and IT staff members. For more information, see “Reports” on page 14-1. 1-13...
Page 32: Technical Support
Introduction Technical Support Technical Support Technical support is available through www.procurve.com. 1-14...
Page 33: Upgrading
Introduction Upgrading Upgrading Upgrading is described in“Checking for NAC 800 Upgrades” on page 3-29. CAUTION: Installing third-party software on the NAC 800 server is not supported. If you install additional software on the NAC 800 server, you need to remove it in order to troubleshoot any NAC 800 issues, and it will likely be partially or fully overwritten during NAC 800 release upgrades or patch installs, compromising the third-party software functionality.
Page 34: Conventions Used In This Document
Introduction Conventions Used in This Document Conventions Used in This Document The conventions used in this document are described in this section: Navigation Paragraph Navigation paragraphs provide a quick visual on how to get to the screen or area discussed. Example: Home window>>Configure system Tip Paragraph...
Page 35: Warning Paragraph
Introduction Conventions Used in This Document Warning Paragraph Warnings notify you of conditions that can lock your system or cause damage to your data. Example: WARNING: Do not log in using SSH—this kills your session and causes your session to hang.
Page 36: Courier Font
Introduction Conventions Used in This Document Courier Font Courier font is used in the following cases: ■ Indicating path names – Change the working directory to the following: C:\Program Files\\ ProCurve NAC EI Agent ■ Indicating text; enter exactly as shown – Enter the following URL in the browser address field: https:///index.html In this case, you must replace ...
Page 37: Terms
Introduction Conventions Used in This Document Indicating a variable section in a *.INI file – ■ [Global] NASList=192.168.200.135 ■ Indicating a list in a properties file – Compliance.ObjectManager.DHCPConnec- torServers=[192.168.51.130, 192.168.99.1] Terms Terms are defined in the “Glossary” on page G-1. Example: MAC Media Access Control –...
Page 38: Copying Files
Introduction Copying Files Copying Files Whenever you copy a file from one machine to another, copy it using a secure copy utility that uses the Secure Shell (SSH) protocol. The exact syntax of the copy command will vary based on the utility you use. Example: 10.
Page 39 Introduction Copying Files To copy a file from a Windows machine to a Linux machine, enter the following: \pscp c:\documents\foo.txt fred@exam- ple.com:/tmp/foo You will be prompted to enter a password for the Linux/UNIX machine. NOTE: You can either enter the path to the PSCP.EXE file as part of the command, or cd to the directory where you saved the PSCP.EXE file before entering the pscp command.
Page 40: Users' Guide Online Help
Introduction Users’ Guide Online Help Users’ Guide Online Help In NAC 800, the help links in the product open an HTML version of the NAC 800 documents. The PDF version is still available by clicking the Open Users’ guide or Open Installation guide PDF links in the HTML document. This section briefly describes the key components to the HTML version.
Page 41 Introduction Users’ Guide Online Help Open PDF – Click the Open PDF file link to open the PDF file. ■ TIP: To print the entire document, open and print the PDF file. Selecting the print icon in the HTML version will print only the topic you are viewing. Click anywhere in the Contents pane to navigate through the document.
Page 42 Introduction Users’ Guide Online Help Online help document>>Shown navigation icon>>Search tab Figure 1-6. Search tab Enter a term in the search box. Click Go. Click on one of the results returned to display it in the right-side pane. Click on the orange arrow to see the contents of the collapsed section of the document.
Page 43: Clusters And Servers
Clusters and Servers Chapter Contents Overview ............2-2 Installation Examples .
Page 44: Overview
Clusters and Servers Overview Overview NAC 800 uses clusters and servers. A "cluster" is a logical grouping of one or more ESs that are managed by one MS. A single-server installation is one where the MS and ES are on one server. The ES is assigned to a Default cluster.
Page 45: Installation Examples
Clusters and Servers Installation Examples Installation Examples Single-server Installation The simplest installation is where the MS and ES are installed on the same physical server as shown in the following figure: Figure 2-1. Single-server Installation Multiple-server Installations By using at least three servers, one for the MS and two for ESs, you gain the advantage of high availability and load balancing.
Page 46 Clusters and Servers Installation Examples High availability is where ESs take over for any other ES or servers that become unavailable. Load balancing is where the testing of endpoints is spread evenly over all of the ESs. A three-server installation is shown in the following figure: Figure 2-2.
Page 47 Clusters and Servers Installation Examples When your network is more complex, you can continue to add clusters as shown in the following figure: Figure 2-3. Multiple-server, Multiple-cluster Installation The system configuration area allows you to select default settings for all clusters, as well as override the default settings on a per-cluster basis.
Page 48 Clusters and Servers Installation Examples All endpoints are returned to the proper status within 15 minutes after ■ a network recovery (power failure, all endpoints attempting to recon- nect, 3000 endpoints per ES)
Page 49: System Configuration
System Configuration Chapter Contents Introduction ........... . . 3-4 Enforcement Clusters and Servers .
Page 50 System Configuration Adding a User Account ........3-31 Searching for a User Account .
Page 51 System Configuration Editing a DHCP Quarantine Area ....... 3-97 Deleting a DHCP Quarantine Area ......3-97 Quarantining, Inline .
Page 52: Introduction
System Configuration Introduction Introduction User logins and associated user roles determine the access permissions for specific functionality within NAC 800. The following table shows the default home window menu options that are available by user role: User role Home window menu options available System Administrator •...
Page 53 System Configuration Introduction Quarantining – “Quarantining, General” on page 3-51 ■ ■ Maintenance – “Maintenance” on page 3-106 Cluster setting defaults ■ • Testing Methods – “Testing Methods” on page 3-110 • Accessible services – “Accessible Services” on page 3-113 •...
Page 54: Enforcement Clusters And Servers
System Configuration Enforcement Clusters and Servers Enforcement Clusters and Servers The Enforcement clusters & servers menu option (Figure 3-3 on page 3-10) is where you configure Enforcement clusters and servers. You can perform the following tasks: ■ Enforcement clusters • Add, edit, or delete Enforcement clusters •...
Page 55: Enforcement Clusters
System Configuration Enforcement Clusters Enforcement Clusters Adding an Enforcement Cluster To add an Enforcement cluster: Home window>>System configuration>>Enforcement clusters & servers Figure 3-1. System Configuration, Enforcement Clusters & Servers...
Page 56 System Configuration Enforcement Clusters Click Add an Enforcement cluster in the Enforcement clusters & servers area. The Add Enforcement cluster window appears. The General area is displayed by default. Figure 3-2. Add Enforcement Cluster Enter a name for the Enforcement cluster in the Cluster name field. b.
Page 57: Editing Enforcement Clusters
System Configuration Enforcement Clusters The following cluster settings take on default values set from the System configuration window. To set up operating parameters that differ from those default settings, select the menu item of the settings you want to change, then select the For this cluster, override the default settings check box, and make the desired changes.
Page 58: Viewing Enforcement Cluster Status
System Configuration Enforcement Clusters Viewing Enforcement Cluster Status There are two ways NAC 800 provides Enforcement cluster status: ■ The icons next to the cluster name (see Figure 3-4 on page 3-12) The Enforcement cluster window (see the following steps) ■...
Page 59: Deleting Enforcement Clusters
System Configuration Enforcement Clusters The statistics shown in this window are per cluster, where the statistics shown in the Home window are system-wide. See “System Monitor” on page 1-6 for column descriptions. Deleting Enforcement Clusters NOTE: Enforcement clusters need to be empty before the delete option appears next to the name in the NAC 800 user interface.
Page 60: Enforcement Servers
System Configuration Enforcement Servers Enforcement Servers Adding an ES To add an ES: Home window>>System configuration>>Enforcement clusters & servers Figure 3-4. System Configuration, Enforcement Clusters & Servers 3-12...
Page 61 System Configuration Enforcement Servers Click Add an Enforcement server in the Enforcement clusters & servers area. The Add Enforcement server window appears. Figure 3-5. Add Enforcement Server Select a cluster from the Cluster drop-down list. Enter the IP address for this ES in the IP address text box. Enter the fully qualified hostname to set on this server in the Host name text box.
Page 62: Cluster And Server Icons
System Configuration Enforcement Servers Re-enter the password to set for the root user of the ES server’s operating system in the Re-enter root password text box. Click ok. Cluster and Server Icons To view the cluster and server icons: Home window>>System configuration>>Enforcement clusters & servers Move the mouse over the legend icon.
Page 63: Editing Ess
System Configuration Enforcement Servers Navigate to NAC 800 Home window>>System configuration>>Enforcement clusters & servers. Click delete next to the ES you want to remove. Start the ES and log in as root using SSH or directly with a keyboard. Enter the following command at the ES command line: resetSystem.py Return to the NAC 800 MS user interface.
Page 64 System Configuration Enforcement Servers Click the Configuration menu option to access the Enforcement Server’s settings. The Configuration area is displayed: Figure 3-7. Enforcement Server Edit the following settings: • ES Network settings – “Changing the ES Network Settings” on page 3- •...
Page 65: Changing The Es Network Settings
System Configuration Enforcement Servers Changing the ES Network Settings CAUTION: Back up your system immediately after changing the MS or ES IP address. If you do not back up with the new IP address, and later restore your system, it will restore the previous IP address which can show an ES error condition and cause authentication problems.
Page 66: Modifying The Es Snmp Settings
System Configuration Enforcement Servers Home window>>System configuration>>Enforcement clusters & servers>>Select an ES>>Configuration Select a Region from the Region drop-down list in the Date and time area. Select a time zone from the Time zone drop-down list. Click ok. NOTE: See “Selecting the Time Zone” on page 3-27 for information on changing the time zone settings for the MS.
Page 67: Viewing Es Status
System Configuration Enforcement Servers Viewing ES Status There are two ways NAC 800 provides ES status: ■ The icons next to the server name (see Figure 3-6 on page 3-14) The Status window (see the following steps). The Enforcement server ■...
Page 68 System Configuration Enforcement Servers Click the server for which you want to view the status. The Enforcement server window appears: Figure 3-8. Enforcement Server, Status Click ok or cancel. 3-20...
Page 69: Deleting Ess
System Configuration Enforcement Servers Deleting ESs NOTE: Servers need to be powered down for the delete option to appear next to the name in the NAC 800 user interface. To delete ESs: Home window>>System configuration>>Enforcement clusters & servers Click delete next to the server you want to remove from the cluster. The Delete Enforcement server confirmation window appears.
Page 70: Management Server
System Configuration Management Server Management Server Viewing Network Settings To view MS status: Home window>>System configuration>>Management server 3-22...
Page 71 System Configuration Management Server Figure 3-9. System Configuration, Management Server 3-23...
Page 72: Modifying Ms Network Settings
System Configuration Management Server Server status is shown in the Network settings area. Click ok or cancel. Modifying MS Network Settings CAUTION: Back up your system immediately after changing the MS or ES IP address. If you do not back up with the new IP address, and later restore your system, it will restore the previous IP address which can show an ES error condition and cause authentication problems.
Page 73: Selecting A Proxy Server
System Configuration Management Server NOTE: Select names that are short, easy to remember, have no spaces or under- scores, and the first and last character cannot be a dash (-). • Enter a new address in the IP address text field. For example, 192.168.153.35 Enter a new netmask in the Network mask text field.
Page 74: Setting The Date And Time
System Configuration Management Server – Negotiable – Using this scheme, the client and the proxy server negotiate a scheme for authentication. Ultimately, either the basic or digest scheme will be used. b. Enter the ID of a user account on the proxy server in the User name text box.
Page 75: Manually Setting The Time
System Configuration Management Server Manually Setting the Time To manually set the time: Home window>>System configuration>>Management server Select Manually set date & time. Click edit. The Date and time window appears: Figure 3-11. Date & Time Select the correct date and time. Click ok.
Page 76: Enabling Snmp
System Configuration Management Server b. Select a time zone from the Time zone drop-down list. Click ok. Enabling SNMP To select SNMP settings: Home window>>System configuraton>>Management server>>SNMP settings Select the Enable SNMP check box to select the SNMP settings. Enter the SNMP read community string. b.
Page 77: Checking For Nac 800 Upgrades
System Configuration Management Server Click ok. Checking for NAC 800 Upgrades To check for system upgrades: Home window>>System configuration>>Management server Click check for upgrades in the System upgrade area. A progress window appears. A status window appears indicating if upgrades are available. If no upgrades are available, click ok to clear the status window.
Page 78 System Configuration Management Server Where: is the number of minutes of inactivity NAC 800 will wait before assuming the upgrade failed. For example, 30. The default value is 45. 3-30...
Page 79: User Accounts
System Configuration User Accounts User Accounts NAC 800 allows you to create multiple user accounts. User accounts provide and limit access to NAC 800 functions based on permissions (user roles) and clusters assigned. See “User Roles” on page 3-39 for more information on setting permissions for the user roles.
Page 80 System Configuration User Accounts Figure 3-12. System Configuration, User Accounts 3-32...
Page 81 System Configuration User Accounts Click Add a user account. The Add user account window appears: Figure 3-13. Add User Account Enter the following information: User ID – The user ID used to log into NAC 800 • Password – The password used to log into NAC 800 •...
Page 82: Searching For A User Account
System Configuration User Accounts • Cluster Administrator View-Only User • System Administrator • • Help Desk Technician • You can select a custom user role if you have created any. NOTE: Users must be assigned at least one role. In the Clusters area, select a cluster or clusters. NOTE: Users must be assigned at least one Enforcement cluster.
Page 83: Sorting The User Account Area
System Configuration User Accounts • email address Enter the text to search for in the for field. Click search. TIP: Click reset to clear the text field and to refresh the display to show all accounts after a search. Sorting the User Account Area To sort the user account area: Home window>>System configuration>>User accounts Click the column heading for user id, full name, email address, user roles, or...
Page 84 System Configuration User Accounts Click copy next to the user account you want to duplicate. The Copy user account window appears. The account information is duplicated from the original account. Figure 3-14. Copy User Account Enter the User ID of the new account. Enter the Password.
Page 85: Editing A User Account
System Configuration User Accounts Editing a User Account To edit a user account: Home window>>System configuration>>User accounts Click the name of the user account that you want to edit. The User account window appears: Figure 3-15. User Account Change or enter information in the fields you want to change. See “Adding a User Account”...
Page 86: Deleting A User Account
System Configuration User Accounts Deleting a User Account You must always have at least one account with System Administrator permis- sions. CAUTION: Do not delete or edit the account with which you are currently accessing the interface. Doing so can produce an error and lock you out of the interface until your session has timed out.
Page 87: User Roles
System Configuration User Roles User Roles The User roles menu option allows you to configure the following: ■ View current user roles and details associated with those roles ■ Add a new user role • Name the new user role •...
Page 88 System Configuration User Roles Figure 3-16. System Configuration, User Roles 3-40...
Page 89 System Configuration User Roles Click add a user role in the User roles area. The Add user role window appears. Figure 3-17. Add User Role Enter a descriptive name in the Role name field. Enter a description of the role in the Description field. Select the permissions for the user role.
Page 90: Editing User Roles
System Configuration User Roles Permission Description Generate reports Allows you to generate reports about any of your assigned clusters Manage NAC policies Allows you to manage the NAC policies for all of your clusters View endpoint activity Allows you to view details about all endpoints in your clusters Monitor system status Allows you to monitor the system status Control Access...
Page 91: Deleting User Roles
System Configuration User Roles Click the role you want to edit. The user role window appears: Figure 3-18. User Role Enter the information in the fields you want to change. See “Adding a User Role” on page 3-39 for information on user role settings. Click ok.
Page 92: Sorting The User Roles Area
System Configuration User Roles Click yes. Sorting the User Roles Area To sort the user roles area: Home window>>System configuration>>User roles Click user role name or description column heading. The selected category sorts in ascending or descending order. Click ok. 3-44...
Page 93: License
System Configuration License License The License menu option allows you to configure the following: ■ View license start and end dates ■ View number of days remaining on license, and associated renewal date View remaining endpoints and servers available under license ■...
Page 94 System Configuration License Figure 3-19. System Configuration, License Click submit license request. Click ok on the license validated pop-up window. 3-46...
Page 95: Test Updates
System Configuration Test Updates Test Updates The Test updates menu option allows you to configure the following: ■ View last successful test update date/time ■ Check for test updates (forces an immediate check for test updates) Set time or times for downloading test updates ■...
Page 96: Selecting Test Update Times
System Configuration Test Updates Figure 3-20. System Configuration, Test Updates In the Last successful test update area, click check for test updates. Click ok. NOTE: It is important to check for test updates during the initial configuration of NAC 800. Selecting Test Update Times To select test update times: 3-48...
Page 97: Viewing Test Update Logs
System Configuration Test Updates Home window>>System configuration>>Test updates Using the hour check boxes, select the time periods in which you would like NAC 800 to check for available test updates. By default, NAC 800 checks once every hour using the ProCurve Secure Rule Distribution Center.
Page 98 System Configuration Test Updates The Test update log window legend is shown in the following figure: Figure 3-22. Test Update Log Window Legend 3-50...
Page 99: Quarantining, General
System Configuration Quarantining, General Quarantining, General The Quarantining menu option allows you to configure the following by cluster: ■ Select the quarantine method ■ Select the access mode Basic 802.1X settings ■ ■ Authentication settings Add, edit, delete 802.1X devices ■...
Page 100 System Configuration Quarantining, General Figure 3-23. System Configuration, Quarantining Select a cluster. 3-52...
Page 101: Selecting The Access Mode
System Configuration Quarantining, General In the Quarantine method area, select one of the following quarantine methods: 802.1X – When using the 802.1X quarantine method, NAC 800 must sit • in a place on the network where it can communicate with your RADIUS server, which communicates with your switch or router, which performs the quarantining.
Page 102: Quarantining, 802.1X
System Configuration Quarantining, 802.1X Quarantining, 802.1X The 802.1X quarantine (enforcement) method is enabled by default. To select the 802.1X quarantine method: Home window>>System configuration>>Quarantining Select a cluster. In the Quarantine method area, select the 802.1X radio button. Click ok. Entering Basic 802.1X Settings To enter basic 802.1X settings: Home window>>System configuration>>Quarantining>>802.1X quarantine method radio button...
Page 103: Authentication Settings
System Configuration Quarantining, 802.1X Authentication Settings Selecting the RADIUS Authentication method To select the RADIUS authentication method: Home window>>System configuration>>Quarantining>>802.1X quarantine method radio button Select the Local radio button in the Basic 802.1X settings area. Select an End-user authentication method: •...
Page 104 System Configuration Quarantining, 802.1X Select Windows domain from the End-user authentication method drop-down list. Figure 3-24. System Configuration, Windows Domain 3-56...
Page 105: Configuring Openldap Settings
System Configuration Quarantining, 802.1X Enter the Fully Qualified Domain Name (FQDN) of the domain to be joined in the Domain name text field. Enter the user name of an account with sufficient administrative rights to join an ES to the domain in the Administrator user name text field. Enter the password of the account entered into the Administrator user name field in the Administrator password text field.
Page 106 System Configuration Quarantining, 802.1X Select OpenLDAP from the End-user authentication method drop-down list. Figure 3-25. System Configuration, OpenLDAP 3-58...
Page 107 System Configuration Quarantining, 802.1X Enter the LDAP server hostname or IP address and optional port number in the Server text field. For example: 10.0.1.2:636 Enter the DN under which LDAP searches should be done in the Identity text field. For example: cn=admin,o=My Org,c=UA Enter the password that authenticates the DN entered into the Identity text field in the Password text field.
Page 108: Configuring Novell Edirectory Settings
System Configuration Quarantining, 802.1X Configuring Novell eDirectory Settings To configuring Novell eDirectory settings: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Local radio button 3-60...
Page 109 System Configuration Quarantining, 802.1X Select Novell eDirectory from the End-user authentication type drop-down list. Figure 3-26. System Configuration Window, RADIUS, Novel eDirectory 3-61...
Page 110 System Configuration Quarantining, 802.1X Enter the LDAP server hostname or IP address and optional port number in the Server text field. For example: 10.0.1.2:636 Enter the Distinguished Name (DN) under which LDAP searches should be done in the Identity text field. For example: cn=admin,o=My Org,c=UA Enter the password that authenticates the DN entered into the Identity text field in the Password text field.
Page 111: Adding 802.1X Devices
System Configuration Quarantining, 802.1X 11. Click ok. Adding 802.1X Devices To add an 802.1X device: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device Figure 3-27. Add 802.1X Device Enter the IP address of the 802.1X device in the IP address text field. Enter a shared secret in the Shared secret text field.
Page 112: Testing The Connection To A Device
System Configuration Quarantining, 802.1X • Enterasys – See “Enterasys” on page 3-71. Extreme ExtremeWare – See “Extreme ExtremeWare” on page 3-73. • Extreme XOS – See “Extreme XOS” on page 3-75. • • Foundry – See “Foundry” on page 3-77. HP ProCurve switch –...
Page 113 System Configuration Quarantining, 802.1X In the 802.1X devices area, click edit next to the device you want to test. The 802.1X device window appears. The Test connection to this device area is near the bottom of the window: Figure 3-28. Add 802.1X Device, Test Connection Area Option 1 Figure 3-29.
Page 114: Cisco Ios
System Configuration Quarantining, 802.1X NOTE: You must enter the port, the MAC address, or both, depending on the re- authentication OID. Click test connection to this device. Cisco IOS To add a Cisco IOS device: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device 3-66...
Page 115 System Configuration Quarantining, 802.1X Figure 3-30. Add Cisco IOS Device Enter the IP address of the Cisco IOS device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
Page 116: Cisco Catos
System Configuration Quarantining, 802.1X Enter the Password with which to log into the device's console. Re-enter the console password. 10. Enter the Cisco port mask in the text field. This specifies which characters within the endpoint identifier returned by the Cisco device contain the bank and port information of the endpoint.
Page 117 System Configuration Quarantining, 802.1X Figure 3-31. Add Cisco CatOS Device Enter the IP address of the Cisco CatOS device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
Page 118: Catos User Name In Enable Mode
System Configuration Quarantining, 802.1X Enter the User name with which to log into the device's console. Enter the Password with which to log into the device's console. Re-enter the console password. 10. Enter the password with which to enter enable mode. 11.
Page 119: Enterasys
System Configuration Quarantining, 802.1X Click edit next to an 802.1X device. (You can also perform these steps while you are adding an 802.1X device.) Click the plus sign next to Show scripts. Add the correct expect script syntax to the text box for enable mode user name.
Page 120 System Configuration Quarantining, 802.1X Figure 3-32. Add Enterasys Device Enter the IP address of the Enterasys device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
Page 121: Extreme Extremeware
System Configuration Quarantining, 802.1X Re-enter the console password. 10. Enter the Reconnect idle time. This is the amount of time in milliseconds that a t Telnet/SSH console can remain idle or unused before it is reset. 11. Select the Show scripts plus symbol to show the following scripts: Initialization script –...
Page 122 System Configuration Quarantining, 802.1X Figure 3-33. Add ExtremeWare Device Enter the IP address of the ExtremeWare device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
Page 123: Extreme Xos
System Configuration Quarantining, 802.1X Re-enter the console password. 10. Enter the Reconnect idle time. This is the amount of time in milliseconds that a Telnet/SSH console can remain idle or unused before it is reset. 11. Select the Show scripts plus symbol to show the following scripts: Initialization script –...
Page 124 System Configuration Quarantining, 802.1X Figure 3-34. Add Extreme XOS Device Enter the IP address of the Extreme XOS device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
Page 125: Foundry
System Configuration Quarantining, 802.1X Enter the Reconnect idle time. This is the amount of time in milliseconds that a Telnet/SSH console can remain idle or unused before it is reset. 10. Select the Show scripts plus symbol to show the following scripts: •...
Page 126 System Configuration Quarantining, 802.1X Figure 3-35. Add Foundry Device Enter the IP address of the Foundry device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
Page 127: Hp Procurve Switch
System Configuration Quarantining, 802.1X 10. Enter the password with which to enter enable mode. 11. Re-enter the enable mode password. 12. Enter the Reconnect idle time. This is the amount of time in milliseconds that a Telnet/SSH console can remain idle or unused before it is reset. 13.
Page 128 System Configuration Quarantining, 802.1X Figure 3-36. Add HP ProCurve Device Enter the IP address of the HP ProCurve device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
Page 129 System Configuration Quarantining, 802.1X b. Enter the Password used to log into this device's console. To help confirm accuracy, type the same password you entered into the Password field in the Re-enter Password field. d. Enter the Enable mode user name that is used to enter enable mode on this device.
Page 130: Hp Procurve Wesm Xl Or Hp Procurve Wesm Zl
System Configuration Quarantining, 802.1X – DECIMAL STRING – BITS – NULLOBJ d. Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field. Select the Use a different OID for MAC authentication check box to re- authenticate using a different OID when the supplicant request is for a MAC authenticated device.
Page 131 System Configuration Quarantining, 802.1X Figure 3-37. Add HP ProCurve WESM xl/zl Device Enter the IP address of the HP ProCurve WESM device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
Page 132 System Configuration Quarantining, 802.1X Enter the OID used to re-authenticate an endpoint in the Re-authenticate OID text field. The strings "${Port}" and "${MAC_DOTTED_DECIMAL}" will be substituted for the port and MAC address of the endpoint to be re- authenticated. NOTE: figure 3-37.
Page 133: Hp Procurve 420 Ap Or Hp Procurve 530 Ap
System Configuration Quarantining, 802.1X Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field. TIP: Click revert to defaults to restore the default settings. HP ProCurve 420 AP or HP ProCurve 530 AP To add an HP ProCurve 420 AP or HP ProCurve 530 AP device: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device Figure 3-38.
Page 134 System Configuration Quarantining, 802.1X Re-enter the shared secret in the Re-enter shared secret text field. Enter an alias for this device that appears in log files in the Short name text field. Select ProCurve 420 AP or ProCurve 530 AP from the Device type drop-down list.
Page 135: Nortel
System Configuration Quarantining, 802.1X – HEX STRING – DECIMAL STRING – BITS – NULLOBJ Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field. TIP: Click revert to defaults to restore the default settings. Nortel To add a Nortel device: Home window>>System configuration>>Quarantining>>802.1X Quarantine...
Page 136 System Configuration Quarantining, 802.1X Figure 3-39. Add Nortel Device Enter the IP address of the Nortel device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
Page 137: Other
System Configuration Quarantining, 802.1X Re-enter the console password. 10. Enter the Enable mode user name. 11. Enter the password with which to enter enable mode. 12. Re-enter the enable mode password. 13. Enter the Reconnect idle time. This is the amount of time in milliseconds that a Telnet/SSH console can remain idle or unused before it is reset.
Page 138 System Configuration Quarantining, 802.1X Figure 3-40. Add Other Device Enter the IP address of the new device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
Page 139 System Configuration Quarantining, 802.1X Enter the Reconnect idle time. This is the amount of time in milliseconds that a Telnet/SSH console can remain idle or unused before it is reset. 10. Select the Show scripts plus symbol to show the following scripts: NOTE: You must enter the script contents yourself for the 802.1X device you are adding.
Page 140: Quarantining, Dhcp
System Configuration Quarantining, DHCP Quarantining, DHCP To select the DHCP quarantine method: Home window>>System configuration>>Quarantining Select a cluster. In the Quarantine method area, select the DHCP radio button. Click ok. DHCP Server Configuration Inline DHCP server is selected by default. If you want to use the DHCP plug-in, which allows you to use multiple DHCP servers, see the instructions in “DHCP Plug-in”...
Page 141 System Configuration Quarantining, DHCP Figure 3-41. System Configuration, Quarantining, DHCP Enforcement Inline DHCP server is selected by default. If you wish to use multiple DHCP servers, see the instructions in “DHCP Plug-in” on page 13-1. Select one of the following radio buttons: Enforce DHCP requests from all IP addresses –...
Page 142: Adding A Dhcp Quarantine Area
System Configuration Quarantining, DHCP • Restrict enforcement of DHCP requests to quarantine and non-quarantine subnets – Specify individual DHCP relay agent IP addresses, separated by carriage returns in the DHCP relay IP addresses to enforce text box. These addresses must be a subset of either the quarantined or non- quarantined subnets.
Page 143 System Configuration Quarantining, DHCP Click add a quarantine area. The Add quarantine area window appears. Figure 3-42. Add a Quarantine Area In the Add quarantine area window, enter the following information: Quarantined subnet – The CIDR network that represents the IP space •...
Page 144: Sorting The Dhcp Quarantine Area
System Configuration Quarantining, DHCP must reflect this configuration on your router. The subnets specified in each area must be unique; that is, neither the quarantined nor the non-quarantined subnets in one area can be quarantined or non- quarantined in another. Static routes assigned on the endpoint –...
Page 145: Editing A Dhcp Quarantine Area
System Configuration Quarantining, DHCP • non-quarantine subnets • domain suffix d (indicates the quarantine option selected in step 3 on page 3-95) • The DHCP quarantine area sorts by the column name clicked. Editing a DHCP Quarantine Area To edit a DHCP quarantine area: Home window>>System configuration>>Quarantining>>DHCP radio button Click edit next to the quarantine area you want to edit.
Page 146 System Configuration Quarantining, DHCP Click delete next to the quarantine area you want to remove. The Delete quarantine area confirmation window appears Click yes. 3-98...
Page 147: Quarantining, Inline
System Configuration Quarantining, Inline Quarantining, Inline To select the Inline quarantine method: Home window>>System configuration>>Quarantining Select a cluster. In the Quarantine method area, select the Inline radio button. Click ok. 3-99...
Page 148: Post-Connect
System Configuration Post-connect Post-connect Post-connect in NAC 800 provides an interface where you can configure external systems, such as IDS/IPS, that request quarantining of an endpoint based on activity that occurs after the endpoint has connected to the network (post-connect). Allowing the Post-connect Service Through the Firewall The firewall must be opened for each post-connect service that communicates...
Page 149: Setting Nac 800 Properties
System Configuration Post-connect Figure 3-44. Post-connect Configuration Message Configure your post-connect system as described in “Configuring a Post- connect System” on page 3-102. Then launch your post-connect system as described in “Launching Post-connect Systems” on page 3-103. Setting NAC 800 Properties Most NAC 800 properties are set by default.
Page 150: Configuring A Post-Connect System
System Configuration Post-connect Configuring a Post-connect System To configure an external post-connect system: Home>>System configuration>>Post-connect Figure 3-45. System Configuration, Post-connect Enter the name of your post-connect service in the Service name text field. This is the name used in the Post-connect and Endpoint activity windows. Enter the URL of the post-connect service in the Service URL text field.
Page 151: Launching Post-Connect Systems
System Configuration Post-connect Enter the user name of the account to be used for logging into the post-connect service in the User name text field. b. Enter the password of the account to be used for logging into the post- connect service in the Password text field.
Page 152: Post-Connect In The Endpoint Activity Window
System Configuration Post-connect Post-connect in the Endpoint Activity Window When an external service requests that an endpoint be quarantined, it sends the request to NAC 800, which quarantines the endpoint based on the hierar- chy rules described in “Endpoint Quarantine Precedence” on page 7-2. The icons on the Endpoint activity window show that the endpoint is quaran- tined by an external service.
Page 153 System Configuration Post-connect Logo file – approximately 154 pixels wide x 24 pixels high Icon file – approximately 18 x 18 pixels Copy the logo and icon files to the following directory on the NAC 800 MS (see “Copying Files” on page 1-20): /usr/local/nac/webapps/ROOT/images Log in to the NAC 800 MS as root using SSH or directly with a keyboard.
Page 154: Maintenance
System Configuration Maintenance Maintenance The Maintenance window allows you to back up the MS database, properties files, keystore files, and subscription files in a file with the following name: backup-Thh-mm-ss.tar.bz2 where: year is the year the system was backed up = 2007 ■...
Page 155 System Configuration Maintenance Figure 3-48. System Configuration, Maintenance Click begin backup now in the Backup area. The Operation in progress confirmation window appears. Depending on your browser settings, a pop-up window may appear asking if you want to save or open the file. Select Save to disk and click OK. NOTE: A system backup does not work using Internet Explorer 7 as a browser window.
Page 156: Restoring From A Backup
System Configuration Maintenance The System backup completed successfully message appears at the top of the System configuration window: Figure 3-49. Backup Successful Message Restoring From a Backup See “Restoring from Backup” on page 15-16 for information about restoring from a backup file. TIP: If you are using Backup and Restore to move configuration files from one physical server to another, you must have the same version of NAC 800...
Page 157: Downloading Support Packages
System Configuration Downloading Support Packages Downloading Support Packages Support packages are useful when debugging your system with ProCurve Networking by HP. If a support package is necessary, ProCurve Networking by HP will instruct you to generate one and will provide instructions on how to upload the generated package (a TAR file).
Page 158: Cluster Setting Defaults
System Configuration Cluster Setting Defaults Cluster Setting Defaults The following sections describe how to globally set the default settings for all clusters. For information on overriding the default settings for a specific cluster, see “Enforcement Clusters and Servers” on page 3-6. Testing Methods The Testing methods menu option allows you to configure the following: Select testing methods...
Page 159: Ordering Test Methods
System Configuration Cluster Setting Defaults Figure 3-50. System Configuration, Testing Methods Select one or more of the following ProCurve NAC EI Agent – This test method installs a service (ProCurve NAC EI Agent) the first time the user connects. b. ActiveX plug-in – This test method downloads an ActiveX control each time the user connects to the network.
Page 160: Recommended Test Methods
System Configuration Cluster Setting Defaults If no agent is available, NAC 800 tries to test with the ActiveX test method. If ActiveX is not available and if credentials for the endpoint or domain exist, NAC 800 tries to test with the agentless test method. If the endpoint can not be tested transparently, then NAC 800 uses the end-user access screens to set up a test method and sequence for interacting with the end-user.
Page 161: Selecting End-User Options
System Configuration Cluster Setting Defaults Windows endpoints on your Windows domain are tested automatically when you specify the domain admin credentials in the System configuration>>Agent- less credentials>>Add administrator credentials window. The agent-based test method is recommended for any environment where enforcement is enabled on Windows Vista endpoints.
Page 162 System Configuration Cluster Setting Defaults Figure 3-51. System Configuration, Accessible Services Enter one or more Web sites, host names, IP addresses, ports, endpoints, or networks, that are accessible to connecting endpoints when they fail their compliance tests. You can enter these endpoints and services in the following formats separated by a carriage return.
Page 163 System Configuration Cluster Setting Defaults You do not need to enter the IP address of the NAC 800 server here. If you do, it can cause redirection problems when end-users try to connect. You do need to add any update server names, such as the ones that provide anti-virus and software updates.
Page 164: Exceptions
System Configuration Cluster Setting Defaults Exceptions The Exceptions menu option allows you to define the following: ■ The endpoints and domains that are always allowed access (whitelist) The endpoints and domains that are always quarantined (blacklist) ■ Always Granting Access to Endpoints and Domains To always grant access to endpoints and domains: Home window>>System configuration>>Exceptions Figure 3-52.
Page 165: Always Quarantine Endpoints And Domains
System Configuration Cluster Setting Defaults NOTE: You can use a MAC prefix (one to five bytes or octets) to act on more than one endpoint at a time. For example entering 00:13 matches all MAC addresses that begin with 00:13. To exempt end-user domains from testing, in the Whitelist area, enter the domain names.
Page 166: Enabling Notifications
System Configuration Cluster Setting Defaults Enabling Notifications To enable email notifications: Home window>>System configuration>>Notifications Figure 3-53. System Configuration, Notifications To send email notifications, you must provide NAC 800 with the IP address of a Simple Mail Transfer Protocol (SMTP) email server. This SMTP email server must allow SMTP messages from the NAC 800 machine.
Page 167: End-User Screens
System Configuration Cluster Setting Defaults In the Via SMTP server IP address text box, enter the IP address of the SMTP email server from which NAC 800 sends email notifications. This must be a valid IP address that is reachable from where the NAC 800 machine is located on your network.
Page 168: Specifying The End-User Screen Text
System Configuration Cluster Setting Defaults Figure 3-54. System Configuration, End-user Screens Enter the customization information: Organization logo image – Enter a path to your organization’s logo, or click Browse to select a file on your network. ProCurve recommends you place your logo here to help end-users feel secure about having their computers tested.
Page 169: Specifying The End-User Test Failed Pop-Up Window
System Configuration Cluster Setting Defaults Introduction (opening screen) – Enter the introduction text for the default window. ProCurve recommends you provide text here that sets the stage for the end-user’s experience. b. Test successful message (final screen) – Enter the text for the final, test successful window.
Page 170: Agentless Credentials
System Configuration Cluster Setting Defaults TIP: You can verify your changes to the end-user access screens immediately by pointing a browser window to port 88 of your NAC 800 installation. For example, if the IP address of your NAC 800 installation is 10.0.16.18, point the browser window to: http://10.0.16.18:88 Click ok.
Page 171 System Configuration Cluster Setting Defaults Figure 3-55. System Configuration, Agentless Credentials 3-123...
Page 172: Testing Windows Credentials
System Configuration Cluster Setting Defaults Click Add administrator credentials. The Add Windows administrator credentials window appears: Figure 3-56. Agentless Credentials, Add Windows Administrator Credentials In the Add Windows administrator credentials window, enter the following: Windows domain name – Enter the domain name of the Windows •...
Page 173: Editing Windows Credentials
System Configuration Cluster Setting Defaults If you want to test these credentials, select the ES in this cluster or the MS from the Server to test from drop-down list. In the Test these credentials area, enter the IP address of the endpoint. TIP: When using a multi-server installation, the credentials are stored on the ES, but the test is initiated from the MS.
Page 174: Sorting The Windows Credentials Area
System Configuration Cluster Setting Defaults Home window>>System configuration>>Agentless credentials Click delete next to the name of the Windows administrator credentials you want to remove. The Delete Windows administrative credentials conformation window appears. Click yes. Sorting the Windows Credentials Area To sort the Windows credentials area: Home window>>System configuration>>Agentless credentials Sort the Windows administrator credentials by clicking on a column heading.
Page 175: Logging
System Configuration Logging Logging Setting ES Logging Levels You can configure the amount of diagnostic information written to log files, ranging from error (error-level messages only) to trace (everything). To set ES logging levels: Home window>>System configuration>>Logging Figure 3-57. System Configuration, Logging Option To configure the amount of diagnostic information written to log files, select a logging level from the Enforcement servers drop-down list: •...
Page 176: Setting 802.1X Devices Logging Levels
System Configuration Logging • info – Log info-level and above messages only • debug – Log debug-level and above messages only • trace – Log everything CAUTION: Setting the log level to trace may adversely affect performance. Click ok. Setting 802.1X Devices Logging Levels You can configure the amount of diagnostic information written to log files related to 802.1X re-authentication, ranging from error (error-level messages only) to trace (everything).
Page 177 System Configuration Logging To configure the amount of diagnostic information written to log files related to IDM, select a logging level from the IDM drop-down list: • error – log error-level messages only • warn – log warning-level messages only •...
Page 178: Advanced Settings
System Configuration Advanced Settings Advanced Settings This section describes setting the timeout periods. Endpoint detection is described in “Working with Ranges” on page 15-25. Setting the Agent Read Timeout To set the Agent read timeout period: Home window>>System configuration>>Advanced Figure 3-58. System Configuration, Advanced Option Enter a number of seconds in the Agent connection timeout period text field.
Page 179: Setting The Rpc Command Timeout
System Configuration Advanced Settings Enter a number of seconds in the Agent read timeout period text field. The agent read time is the time in seconds that NAC 800 waits on an agent read. Use a larger number for systems with network latency issues. Click ok.
Page 180 (This page intentionally left blank.)
Page 181 Endpoint Activity Chapter Contents Overview ............4-2 Filtering the Endpoint Activity Window .
Page 182: Endpoint Activity
Endpoint Activity Overview Overview Use the Endpoint activity window, to monitor end-user connection activity. Home window>>Endpoint activity The Endpoint activity window has the following sections: Endpoint selection area – The left column of the window provides ■ links that allow you to quickly filter the results area by Access control status or Endpoint test status.
Page 183 Endpoint Activity Overview 2. Search criteria area 3. Search results area 1. Endpoint selection area Figure 4-1. Endpoint Activity, All Endpoints Area...
Page 184: Filtering The Endpoint Activity Window
Endpoint Activity Filtering the Endpoint Activity Window Filtering the Endpoint Activity Window You can modify the results shown in the Endpoint activity window to include activity for the following: ■ Access control status ■ Endpoint test status Cluster ■ ■ NetBIOS name IP address ■...
Page 185: Filtering By Time
Endpoint Activity Filtering the Endpoint Activity Window Select a method for filtering the results window; by a specific access control status or endpoint status as shown in the following figure: Figure 4-2. Endpoint Activity, Menu Options NOTE: This part of the window reflects the total number of endpoints in the network at the current time.
Page 186: Limiting Number Of Endpoints Displayed
Endpoint Activity Filtering the Endpoint Activity Window To filter the disconnected endpoints by time: Home window>>Endpoint Activity Figure 4-3. Timeframe Drop-down List Select Disconnected in the Access control status area. Select one of the options from the Timeframe drop-down list. Click search.
Page 187: Searching
Endpoint Activity Filtering the Endpoint Activity Window Select a number from the drop down list. The results area updates to show only the number of endpoints selected with page navigation breadcrumbs. Searching To search the Endpoint activity window. Home window>>Endpoint activity>>Search criteria area Figure 4-5.
Page 188 Endpoint Activity Filtering the Endpoint Activity Window To refresh the Endpoint activity window to show all endpoint activity, click reset. TIP: The search box is not case-sensitive. Searching matches entire words. You must enter wildcard characters (*) to match substrings. For example, 192.168.*.
Page 189: Access Control States
Endpoint Activity Access Control States Access Control States NAC 800 provides on-going feedback on the access status of endpoints in the Endpoint activity window as follows: TIP: To view access status, see “Viewing Endpoint Access Status” on page 4-16. ■ Quarantined –...
Page 190: Endpoint Test Status
Endpoint Activity Endpoint Test Status Endpoint Test Status NAC 800 provides on-going feedback on the test status of endpoints in the left pane of the Endpoint activity window as follows: TIP: To view access status, see “Viewing Endpoint Access Status” on page 4-16. ■...
Page 191 Endpoint Activity Endpoint Test Status Connecting – NAC 800 shows this status briefly after the endpoint has ■ been tested while the endpoint is being assigned a non-quarantined IP address. ■ Awaiting credentials – NAC 800 shows this status briefly while the agentless credentials are being verified.
Page 192 Endpoint Activity Endpoint Test Status Installing test service – NAC 800 shows this status briefly while the ■ agent is being installed. ■ Installation canceled – NAC 800 shows this status when the end-user has cancelled the installation of the agent. Testing (agent) –...
Page 193 Endpoint Activity Endpoint Test Status routing issue which is not allowing the endpoint to reach the neces- sary servers on the network. Also, if NAC 800 is inline with the domain controller, you might need to open up the appropriate ports (135 through 138, 445, 389, 1029) in the NAC 800 accessible endpoints configuration for your domain controller IP address.
Page 194: Enforcement Cluster Access Mode
Endpoint Activity Enforcement Cluster Access Mode Enforcement Cluster Access Mode The access mode of each cluster can be one of the following: ■ normal – Endpoints are tested and allowed access or quarantined based on policies, exceptions, and administrator overrides. ■...
Page 195 Endpoint Activity Enforcement Cluster Access Mode the endpoint is allowed access because of the change to allow all mode; however, when the mode is changed back to normal, the endpoint will again be quarantined for the reason listed. Figure 4-10. Failed Endpoint Allow All Mode Mouse Over 4-15...
Page 196: Viewing Endpoint Access Status
Endpoint Activity Viewing Endpoint Access Status Viewing Endpoint Access Status To view access status for a endpoint: Home window>>Endpoint activity window Locate the endpoint you are interested in. The first column is the selection column, the second column is the Endpoint test status column, and the third column is the Access control status column.
Page 197 Endpoint Activity Viewing Endpoint Access Status NOTE: If an endpoint is seen by two different clusters simultaneously, the endpoint state can get lost. This could happen, for example, if you had a Training cluster and an Engineering cluster and an endpoint that was connected in the Engineering cluster also attempted to connect by way of the Training cluster.
Page 198: Selecting Endpoints To Act On
Endpoint Activity Selecting Endpoints to Act on Selecting Endpoints to Act on To select endpoint to act on: Home window>>Endpoint activity Click a box or boxes in the first column to select the endpoints of interest. TIP: Click the box at the top of the column to select all of the endpoints. 4-18...
Page 199: Acting On Selected Endpoints
Endpoint Activity Acting on Selected Endpoints Acting on Selected Endpoints Once you have filtered the Endpoint activity window and selected which endpoints to take action on, you can perform the following actions: ■ Retest an endpoint (“Manually Retest an Endpoint” on page 4-19) ■...
Page 200: Immediately Quarantine An Endpoint
Endpoint Activity Acting on Selected Endpoints NOTE: If an endpoint that has been granted or denied access temporarily by the administrator disconnects, the next time the endpoint attempts to connect it will be retested; the previous temporary status no longer applies. Immediately Quarantine an Endpoint To immediately quarantine an endpoint: Home window>>Endpoint activity...
Page 201: Viewing Endpoint Information
Endpoint Activity Viewing Endpoint Information Viewing Endpoint Information To view information about an endpoint: Home window>>Endpoint activity Click on an endpoint name to view the Endpoint window: Figure 4-12. Endpoint, General Option 4-21...
Page 202 Endpoint Activity Viewing Endpoint Information Click Test results to view the details of the test: Figure 4-13. Endpoint Activity, Endpoint Test Results Option TIP: Click on any underlined link (for example, change access) to make changes such as changing access or test credentials. 4-22...
Page 203: Troubleshooting Quarantined Endpoints
Endpoint Activity Troubleshooting Quarantined Endpoints Troubleshooting Quarantined Endpoints The following table describes the various components that affect an endpoint attempting to access the network: 4-23...
Page 204 Endpoint Activity Troubleshooting Quarantined Endpoints Enforcement Mode How endpoints are quarantined and How quarantined endpoints reach redirected to NAC 800 accessible devices DHCP mode Endpoint DHCP server (NAC 800) gives the DHCP server (NAC 800) also sends: enforcement endpoint: • A static route to the NAC 800 server •...
Page 205 Endpoint Activity Troubleshooting Quarantined Endpoints Enforcement Mode How endpoints are quarantined and How quarantined endpoints reach redirected to NAC 800 accessible devices DHCP mode Network DHCP server (NAC 800) gives the NAC 800 (fake root) DNS – As in enforcement endpoint: endpoint enforcement (for access to names in Accessible services).
Page 206 Endpoint Activity Troubleshooting Quarantined Endpoints Enforcement Mode How endpoints are quarantined and How quarantined endpoints reach redirected to NAC 800 accessible devices Inline / Gateway VPN split tunnel NAC 800 acts as the man-in-the-middle, No need to allow public sites (endpoint iptables rewrites packets, and forwards can get there directly, without going (multihomed...
Page 207 Endpoint Activity Troubleshooting Quarantined Endpoints Enforcement Mode How endpoints are quarantined and How quarantined endpoints reach redirected to NAC 800 accessible devices 802.1X DHCP server (MS DHCP server, and so NAC 800 DNS – As in endpoint on) gives the endpoint: enforcement (for access to names in Accessible services •...
Page 208 (This page intentionally left blank.)
Page 209 End-user Access Chapter Contents Overview ............5-2 Test Methods Used .
Page 210: End-User Access
End-user Access Overview Overview End-users can connect to your network from a number of different types of computers (see “Endpoints Supported” on page 5-5), be tested for compliance based on your definitions in the standard (high, medium, or low security) or custom NAC policies (see “NAC Policies”...
Page 211: Test Methods Used
End-user Access Test Methods Used Test Methods Used NAC 800 tests endpoints using one of the following methods: ■ Agent-based ■ Agentless ActiveX ■ See “Testing Methods” on page 3-110 for a description of each of these methods. Agent Callback The Agent Callback to NAC 800 feature allows the NAC 800 agent to inform the ES that an endpoint is now active on the network and available to be tested.
Page 212 End-user Access Test Methods Used _naces1 ■ ■ _naces2 If no contact can be made, try the following A names: NOTE: The endpoints DNS suffix must be correctly configured for your domain for the Agent Callback feature to work correctly. ■...
Page 213: Endpoints Supported
End-user Access Endpoints Supported Endpoints Supported This NAC 800 release supports the following: ■ Agent-based testing • Windows 2000 • Windows Server (2000, 2003) • Windows XP Professional • Windows XP Home • Mac OS (version 10.3.7 or later) • Vista Ultimate •...
Page 214 End-user Access Endpoints Supported NOTE: Other operating system support (for example Linux) will be included in future releases. Windows ME and Windows 95 are not supported in this release. TIP: If the end-user switches the Windows view while connected, such as from Classic view to Guest view, the change may not be immediate due to the way sessions are cached.
Page 215: Browser Version
End-user Access Browser Version Browser Version The browser that should be used by the endpoint is based on the test method as follows: ■ ActiveX test method – Microsoft Internet Explorer (IE) version 6.0 or later. Agentless test methods – IE, Firefox, or Mozilla. ■...
Page 216: Firewall Settings
End-user Access Firewall Settings Firewall Settings NAC 800 can perform tests through firewalls on both managed and unmanaged endpoints. Managed Endpoints Typically, a managed endpoint’s firewall is controlled with the Domain Group Policy for Windows, or a central policy manager for other firewalls. In this case, the network administrator opens up the agent port or agentless ports only to the NAC 800 server using the centralized policy.
Page 217: Windows Endpoint Settings
End-user Access Windows Endpoint Settings Windows Endpoint Settings IE Internet Security Setting If the end-user has their IE Internet security zone set to High, the endpoint is not testable. Using one of the following options will allow the endpoint to be tested: The end-user could change the Internet security to Medium ■...
Page 218: Agentless Test Method
End-user Access Windows Endpoint Settings See the following link for details on UAC: http://technet2.microsoft.com/WindowsVista/en/library/0d75f774-8514-4c9e- ac08-4c21f5c6c2d91033.mspx?mfr=true Agentless Test Method This section describes the settings you need to make on Windows 2000, Windows XP, and Windows Vista when using the Agentless test method. Configuring Windows 2000 Professional for Agentless Testing The agentless test method requires file and printer sharing to be enabled.
Page 219: Configuring Windows Xp Professional For Agentless Testing
End-user Access Windows Endpoint Settings On the General tab, in the Components checked are used by this connection area, verify that File and Printer sharing is listed and that the check box is selected. Click OK. Configuring Windows XP Professional for Agentless Testing The agentless test method requires file and printer sharing to be enabled.
Page 220: Configuring Windows Vista For Agentless Testing
End-user Access Windows Endpoint Settings To configure File and Printer Sharing for Microsoft Networks – http:/ ■ /www.microsoft.com/resources/documentation/windows/xp/all/ proddocs/en-us/howto_config_fileandprintsharing.mspx ■ To add a network component – http://www.microsoft.com/resources/ documentation/windows/xp/all/proddocs/en-us/ howto_config_fileandprintsharing.mspx Configuring Windows Vista for Agentless Testing Agentless testing for Windows Vista Endpoints requires that these endpoints be configured from a domain controller.
Page 221 End-user Access Windows Endpoint Settings Open the Group Policy Management window by selecting Start>>Control Panel>>Administrator Tools>>Group Policy Management. The Group Policy Management Window appears: Figure 5-3. Group Policy Management Window Right-click on the domain you wish to use for the Vista endpoints and select Create and Link a GPO Here.
Page 222 End-user Access Windows Endpoint Settings Right-click on the Agentless Testing Policy name and select Edit. The Group Policy Object Editor window appears: Figure 5-5. Group Policy Object Editor b. In the left pane, click the plus symbols under Computer Configuration to expand Windows Settings>>SecuritySettings>>Local Policies.
Page 223 End-user Access Windows Endpoint Settings In the right pane, scroll down and right-click on Network access: sharing and security model for local accounts policy, select Properties. The Network Access window appears: Figure 5-6. Network Access Window ii. Select the Define this policy setting check box. iii.
Page 224 End-user Access Windows Endpoint Settings In the right pane, scroll down and right-click on Network Security: LAN Manager authentication level and select Properties. The following window appears: Figure 5-7. Network Security Window vi. Select the Define this policy setting check box. vii.
Page 225 End-user Access Windows Endpoint Settings In the right pane, right-click Network Connections and select Properties.The following window appears: Figure 5-8. Network Connection Properties Window ii. Select the Define this policy setting check box. iii. Select the Automatic radio button. iv. Click OK. 5-17...
Page 226 End-user Access Windows Endpoint Settings In the right pane, right-click Remote Procedure Call (RPC) and select Properties. The following window appears. Figure 5-9. Remote Procedure Call Properties Window vi. Select the Define this policy setting check box. vii. Select the Automatic radio button. viii.
Page 227 End-user Access Windows Endpoint Settings ix. In the right pane, right-click Remote Registry and select Properties. The following window appears: Figure 5-10. Remote Registry Properties Window x. Select the Define this policy setting check box. xi. Select the Automatic radio button. xii.
Page 228 End-user Access Windows Endpoint Settings In the right pane, right-click Windows Firewall: Allow file and printer sharing exception and select Properties. The following window appears: Figure 5-11. Windows Firewall Window ii. Select the Enabled radio button. iii. Click OK. In the left pane, click the plus symbols to expand Administrative Templates>>Network.
Page 229 End-user Access Windows Endpoint Settings In the right pane, right-click on Turn off Microsoft Peer-to-Peer Networking Services and select Properties. The following window appears: Figure 5-12. Microsoft Peer-to-Peer Window ii. Select the Disabled radio button. iii. Click OK. Close the Group Policy Object Editor window. Move the Agentless Testing policy to the top of the list to process it first and take precedence over any local configuration: In the Group Policy Management window, select the Linked Group Policy...
Page 230: Ports Used For Testing
End-user Access Windows Endpoint Settings Click the double arrow icon to the left of the policies to move it to the top. The following window shows the double arrow icon: double arrow icon Figure 5-13. Double Arrow Icon Close the Group Policy Management window. This Agentless Group Policy Object is applicable to all Windows endpoints used in the domain.
Page 231 End-user Access Windows Endpoint Settings To configure the Windows XP Professional firewall to allow the RPC service to connect: Windows endpoint>>Start>>Settings>>Control Panel>>Windows Firewall>>Exceptions tab Select File and Print Sharing. (Verify that the check box is also selected.) Click Edit. Verify that the check boxes for all four ports are selected. Select TCP 139.
Page 232: Activex Test Method
End-user Access Windows Endpoint Settings TIP: You can add more security by specifying the endpoints allowed for File and Print Sharing as follows: Select File and Print Sharing, Click Edit, Select Change Scope, and select either My Network or Custom List (and then specify the endpoints). ActiveX Test Method Ports Used for Testing You might need to configure some firewalls and routers to allow NAC 800 to...
Page 233: Mac Os X Endpoint Settings
End-user Access Mac OS X Endpoint Settings Mac OS X Endpoint Settings This release of NAC 800 supports only the agent-based method of testing for Mac OS X. Ports Used for Testing You might need to configure some firewalls and routers to allow NAC 800 to access port 1500 for agent-based testing.
Page 234 End-user Access Mac OS X Endpoint Settings Figure 5-14. Mac System Preferences 5-26...
Page 235 End-user Access Mac OS X Endpoint Settings Select the Sharing icon. The Sharing window opens. Figure 5-15. Mac Sharing Select the Firewall tab. The firewall settings must be one of the following: • • On with the following: – OS X NAC Agent check box selected –...
Page 236 End-user Access Mac OS X Endpoint Settings To change the port: Mac endpoint>>Apple Menu>>System Preferences>>Sharing icon>>Firewall Select OS X NAC Agent. Click Edit. The port configuration window appears: Figure 5-16. Mac Ports Enter 1500 in the Port Number, Range or Series text field. Click OK.
Page 237: End-User Access Windows
End-user Access End-user Access Windows End-user Access Windows Several end-user access templates come with NAC 800. The End-user window provides a way to customize these templates from within the user interface (see “End-user Screens” on page 3-119). For optimal end-user experience, brand these windows as your own and keep them friendly and helpful.
Page 238: Opening Window
End-user Access End-user Access Windows Opening Window When the end-user directs their browser to go to a location that is not listed in the Accessible services and endpoints list, the testing option window appears: Figure 5-17. End-user Opening Window The end-users select Get connected. One of the following windows appears, depending on which test method and order is specified in the System configu- ration>>Testing methods window: ■...
Page 239: Windows Nac Agent Test Windows
End-user Access End-user Access Windows Windows NAC Agent Test Windows Automatically Installing the Windows Agent When the test method used is NAC Agent test, the first time the user attempts to connect, the agent installation process should begin automatically, and the installing window appears: Figure 5-18.
Page 240 End-user Access End-user Access Windows If Active Content is disabled in the browser, the following error window appears: Figure 5-19. End-user Agent Installation Failed TIP: To enable active content, see “Active Content” on page C-4. If this is the first time the end-user has selected NAC Agent test, a security acceptance window appears.
Page 241 End-user Access End-user Access Windows Once the user has accepted the digital signature, the agent installation begins. The user must click Next to start the agent installation: Figure 5-20. End-user Agent Installation Window (Start) The user must click Finish to complete the agent installation and begin testing: Figure 5-21.
Page 242: Removing The Agent
End-user Access End-user Access Windows Removing the Agent To remove the agent: Windows endpoint>>Start button>>Settings>>Control panel>>Add/remove programs Figure 5-22. Add/Remove Programs Find the ProCurve NAC EI Agent in the list of installed programs. Click Remove. TIP: The ProCurve NAC EI Agent also appears in the services list: Start button>>Settings>>Control panel>>Administrative tools>>Services Manually Installing the Windows Agent To manually install the agent (using Internet Explorer):...
Page 243 End-user Access End-user Access Windows Windows endpoint>>IE browser window Point the browser to the following URL: https://:89/setup.exe The security certificate window appears: Figure 5-23. Security Certificate Click Yes to accept the security certificate. You are prompted to select Save to disk or Run the file: Figure 5-24.
Page 244: How To View The Windows Agent Version Installed
How to View the Windows Agent Version Installed To see what version of the agent the endpoint is running: Windows endpoint>>Command line window Change the working directory to the following: C:\Program Files\Hewlett-Packard\ProCurve NAC Endpoint Integrity Agent Enter the following command: SAService version The version number is returned.
Page 245 End-user Access End-user Access Windows Double-click the extracted file to launch the installer program. A confirmation window appears: Figure 5-25. Start Mac OS Installer Click Continue. The installer appears: Figure 5-26. Mac OS Installer 1 of 5 5-37...
Page 246 End-user Access End-user Access Windows Click Continue. The Select a Destination window appears: Figure 5-27. Mac OS Installer 2 of 5 Click Continue. The Easy Install window appears: Figure 5-28. Mac OS Installer 3 of 5 5-38...
Page 247: Verifying The Mac Os Agent
End-user Access End-user Access Windows Click Install. The Authenticate window appears: Figure 5-29. Mac OS Installer 4 of 5 Enter your password. Click OK. The agent is installed and the confirmation window appears: Figure 5-30. Mac OS Installer 5 of 5 Click Close.
Page 248 End-user Access End-user Access Windows Mac endpoint>>Double-click Desktop icon>>Aplication folder>>Utilities folder Figure 5-31. Applications, Utilities Folder 5-40...
Page 249 End-user Access End-user Access Windows Double-click Activity Monitor. The Activity Monitor window appears: Figure 5-32. Activity Monitor Verify that the osxnactunnel process is running. If the osxnactunnel process is not running, start it by performing the following steps: 5-41...
Page 250 End-user Access End-user Access Windows Select Applications window>>Utilities>>Mac OS X Terminal. A terminal window opens: Figure 5-33. Mac Terminal b. Enter the following at the command line: OSXNACAgent -v The build and version number are returned. If an error message is returned indicating that the agent could not be found, the agent was not installed properly.
Page 251: Removing The Mac Os Agent
End-user Access End-user Access Windows Removing the Mac OS Agent To remove the Mac OS agent: Mac endpoint>>Double-click Desktop icon>>Aplication folder>>Utilities folder Select Mac OS X Terminal. A terminal window opens (figure 5-33). Enter the following at the command line: remove_osxnacagent Remove the firewall entry: Select Apple Menu>>System Preferences>>Sharing->Firewall tab.
Page 252: Activex Test Windows
End-user Access End-user Access Windows ActiveX Test Windows For the ActiveX test, the Testing window appears (see “Testing Window” on page 5- 47) and an ActiveX component is downloaded. If there is an error running the ActiveX component, an error window appears: Figure 5-34.
Page 253 End-user Access End-user Access Windows Automatically connect the user through domain authentication (“Agentless ■ Credentials” on page 3-122) ■ Require the user to log in. End-users must set up their local endpoints to have a Windows administrator account with a password in order to be tested by NAC 800.
Page 254 End-user Access End-user Access Windows If the end-users do not enter the correct information in the login window fields, a login failure window appears: Figure 5-36. End-user Login Failed TIP: You can customize the logo and contact paragraph that appear on this window.
Page 255: Testing Window
End-user Access End-user Access Windows Testing Window The following figure shows the window that appears during the testing process: Figure 5-37. End-user Testing The possible outcomes from the test are as follows: ■ Test successful window (see “Test Successful Window” on page 5-48) ■...
Page 256: Test Successful Window
End-user Access End-user Access Windows Test Successful Window When the end-users’ endpoints meet the test criteria defined in the NAC policy, they are allowed access to the network, and a window indicating successful testing appears: Figure 5-38. End-user Testing Successful TIP: You can customize the logo and text that appears on this window as described in “End-user Screens”...
Page 257: Testing Cancelled Window
End-user Access End-user Access Windows Testing Cancelled Window If the Allow end users to cancel testing option on the System configuration>>Testing methods window is selected, the end-user has the option of clicking Cancel testing. If the end-users click Cancel testing, a window appears indicating that testing is cancelled: Figure 5-39.
Page 258 End-user Access End-user Access Windows For each NAC policy, you can specify a temporary access period should the end- users fail the tests. See “Selecting Action Taken” on page 6-17 for more information. Figure 5-40. End-user Testing Failed Example 1 TIP: You can elect to allow access to specific services and endpoints by including them in the Accessible services and endpoints area of the System configura-...
Page 259: Error Windows
End-user Access End-user Access Windows End-users can click Printable version to view the testing results in a printable format, as shown in the following figure: Figure 5-41. End-user Testing Failed, Printable Results Error Windows End-users might see any of the following error windows: Unsupported endpoint ■...
Page 260: Customizing Error Messages
End-user Access Customizing Error Messages Customizing Error Messages The default error message strings (remediation messages) are defined in the follow- ing file: /usr/local/nac/scripts/BaseClasses/Strings.py You can create custom error message strings that appear in the test result reports, and on the test results access window that the end-user views by editing or creating the following file: /usr/local/nac/scripts/BaseClasses/CustomStrings.py To customize the error messages:...
Page 261 End-user Access Customizing Error Messages dir/application.exe'>Location Name", "name2" : "message2", NOTE: A “%s” in the description text is a special variable that is interpolated into extra information (passed from NAC 800) such as lists of missing patches, or missing software. CAUTION: Normally NAC 800 uses Strings.py.
Page 262 End-user Access Customizing Error Messages Test name Description checkAntiVirusUpdates.String.2 %s is installed but the service is not running and the virus signatures are not up-to-date (installed: %s required: %s)., checkAntiVirusUpdates.String.3 %s is installed but the service is not running., checkAntiVirusUpdates.String.4 (version: %s), checkAntiVirusUpdates.String.5 %s is installed but the virus signatures are not up-to-date...
Page 263 End-user Access Customizing Error Messages Test name Description checkIESecurityZoneSettings.String.1 There was no security zone specified., checkIESecurityZoneSettings.String.2 Internet Explorer %s security zone settings are acceptable., checkIESecurityZoneSettings.String.3 There was no security level specified., checkIESecurityZoneSettings.String.4 An invalid security level '%s' was specified., checkIESecurityZoneSettings.String.5 Could not test Internet Explorer %s security zone settings.
Page 264 End-user Access Customizing Error Messages Test name Description checkPersonalFirewalls.String.1 The required personal firewall software was not found. Install a personal firewall and keep it up-to-date. Supported firewall software: %s, checkPersonalFirewalls.String.2 %s is installed but not running., checkPersonalFirewalls.String.3 %s service is installed and running., checkServicePacks.String.1 An unsupported operating system was encountered., checkServicePacks.String.2...
Page 265 End-user Access Customizing Error Messages Test name Description checkSoftwareNotAllowed.String.3 Do not specify the HKEY_LOCAL_MACHINE\SOFTWARE registry key., checkSoftwareNotAllowed.String.4 The following software is not allowed: %s. Uninstall the software listed. Also, remove any file types listed by double- clicking My Computer>>select Tools>>Folder Options>>File Types and remove the file type mentioned., checkSoftwareNotAllowed.String.5 %s, # placeholder for link location for each software...
Page 266 End-user Access Customizing Error Messages Test name Description checkWormsVirusesAndTrojans.String.2 The following worms, viruses, or trojans were found: %s. Contact your network administrator for assistance on removing them., checkAntiSpyware.String.1 The %s software is installed and a scan was run recently on %s., checkAntiSpyware.String.2 The %s software was found but a scan has not performed...
Page 267 NAC Policies Chapter Contents Overview ............6-2 Standard NAC Policies .
Page 268: Nac Policies
NAC Policies Overview Overview "NAC policies" are collections of tests that evaluate remote endpoints attempt- ing to connect to your network. You can use the standard tests installed with NAC 800, or you can create your own custom tests. NOTE: The default NAC policy is indicated by the check mark on the icon to the left of the NAC policy name.
Page 269 NAC Policies Overview Figure 6-1. NAC Policies The following figure shows the legend explaining the NAC policies icons: Figure 6-2. NAC Policies Window Legend...
Page 270: Standard Nac Policies
NAC Policies Standard NAC Policies Standard NAC Policies NAC 800 ships with three standard NAC policies: ■ High security ■ Low security Medium security ■ NAC policies are organized in groups. Groups include the clusters defined for your system, a Default group, and any other groups you create. Each standard policy has tests pre-selected.
Page 271: Nac Policy Group Tasks
NAC Policies NAC Policy Group Tasks NAC Policy Group Tasks Add a NAC Policy Group To add an NAC policy group: Home window>>NAC policies Click Add an NAC policy group. The Add NAC policy group window opens: Figure 6-3. Add NAC Policy Group Type a name for the group in the Name of NAC policy group text box.
Page 272: Deleting A Nac Policy Group
NAC Policies NAC Policy Group Tasks Click on an existing NAC policy group name (for example, Default). The NAC policy group window opens. Figure 6-4. Edit NAC Policy Group Make any changes required. See “Add a NAC Policy Group” on page 6-5 for details on NAC policy group options.
Page 273: Nac Policy Tasks
NAC Policies NAC Policy Tasks NAC Policy Tasks Enabling or Disabling an NAC Policy Select which NAC polices are enabled or disabled. To enable/disable a NAC policy: Home window>>NAC policies Click on the enable or disable link. An X indicates disabled. Selecting the Default NAC Policy To select the default NAC policy: Home window>>NAC policies...
Page 274 NAC Policies NAC Policy Tasks Click Add a NAC policy. The Add NAC policy window opens as shown in the following figure: Figure 6-6. Add a NAC Policy, Basic Settings Area Enter a policy name. Enter a description in the Description text box. Select a NAC policy group.
Page 275 NAC Policies NAC Policy Tasks Select the Operating systems that will not be tested but are allowed network access. • Windows ME, Windows 98, Windows 95, Windows NT • UNIX • All other unsupported OSs NOTE: In DHCP mode, if an endpoint with an unsupported OS already has a DHCP- assigned IP address, NAC 800 cannot affect this endpoint in any way until the lease on the existing IP address for that endpoint expires.
Page 276 NAC Policies NAC Policy Tasks Click the Domains and endpoints menu option to open the Domains and endpoints window, shown in the following figure: Figure 6-7. Add a NAC Policy, Domains and Endpoints 10. Click on a cluster name. 11. Enter the names of Windows domains to be tested by this cluster for this NAC policy, separated by a carriage return.
Page 277 NAC Policies NAC Policy Tasks NOTE: You can leave the Domains and Endpoints areas blank if you do not want to assign domains and endpoints to this policy. TIP: Move the mouse cursor over the question mark (?) by the word Endpoints, then click on the CIDR notation link to see the CIDR conversion table pop- up window.
Page 278 NAC Policies NAC Policy Tasks 13. Click the Tests menu option to open the Tests window: Figure 6-8. Add NAC Policy, Tests Area 6-12...
Page 279: Editing A Nac Policy
NAC Policies NAC Policy Tasks NOTE: The icons to the right of the tests indicate the test failure actions. See “Test Icons” on page 6-21. 14. Select a test to include in the NAC policy by clicking on the check box next to the test name.
Page 280: Deleting A Nac Policy
NAC Policies NAC Policy Tasks Change any of the options desired. See “Creating a New NAC Policy” on page 6-7 for details on the options available. Click ok. Deleting a NAC Policy To delete an existing NAC policy: Home window>>NAC policies Click the delete link to the right of the NAC policy you want to delete.
Page 281: Nac Policy Hierarchy
NAC Policies NAC Policy Tasks NOTE: You can use a MAC prefix (one to five bytes or octets) to act on more than one endpoint at a time. For example entering 00:13 matches all MAC addresses that begin with 00:13. In the Windows domains area, enter a domain name or list of domain names separated by a carriage return.
Page 282: Defining Non-Supported Os Access Settings
NAC Policies NAC Policy Tasks inactivity quarantine, the end-user may just need to log in again; however, other changes (such as a policy change or new required hotfix) may require the end-user to perform some action before being allowed on the network again.
Page 283: Selecting Action Taken
NAC Policies NAC Policy Tasks Select the test failure actions to apply for this test: Send email notification • Quarantine access • Select any test properties if applicable. Click ok. Selecting Action Taken Actions can be passive (send an email), active (quarantine) or a combination of both.
Page 284 NAC Policies NAC Policy Tasks select the Initiate patch manager to fix the problem and retest the endpoint when it finishes check box. b. Select a patch manager from the Patch manager drop down list. Enter a number for the times to retest before failing in the Maximum number of retest attempts text box.
Page 285: About Nac 800 Tests
NAC Policies About NAC 800 Tests About NAC 800 Tests NAC 800 tests are assigned to NAC policies. NAC policies are used to test endpoints attempting to connect to your network. NAC 800 tests might be updated as often as hourly; however, at the time of this release, the tests shown in “Tests Help”...
Page 286: Entering Service Names Required/Not Allowed
NAC Policies About NAC 800 Tests You can enter any combination of these keys in the NAC 800 text entry fields to detect a vendor, software package and version on an endpoint (for example, you can also enter Mozilla\Firefox or simply Mozilla) and NAC 800 searches for them in the HKEY_LOCAL_MACHINE\Software registry key sub-tree.
Page 287: Entering The Browser Version Number
NAC Policies About NAC 800 Tests Utility Manager ■ ■ Windows Installer Entering the Browser Version Number To specify the minimum browser version the end-user needs: For Mozilla Firefox: Clear the Check For Mozilla Firefox [1.5] check box. b. Type a version number in the text entry field. For Internet Explorer on Windows XP and Windows 2003: Clear the Check For Internet Explorer for Windows XP and Windows 2003 [6.0.2900.2180] check box.
Page 288 (This page intentionally left blank.)
Page 289 Quarantined Networks Chapter Contents Endpoint Quarantine Precedence ........7-2 Using Ports in Accessible Services and Endpoints .
Page 290: Quarantined Networks
Quarantined Networks Endpoint Quarantine Precedence Endpoint Quarantine Precedence Endpoints are quarantined in the following hierarchical order: Access mode (normal operation or allow all) Temporarily quarantine for/Temporarily grant access for radio buttons Endpoint testing exceptions (always grant access, always quarantine) Post-connect (external quarantine request) NAC policies NOTE: In DHCP mode, if an endpoint with an unsupported OS already has a DHCP-...
Page 291 Quarantined Networks Endpoint Quarantine Precedence TIP: Use the Clear temporary access control status radio button to remove the temporary access or temporary quarantine state enabled by the Temporarily quarantine for/Temporarily grant access for radio buttons. Endpoint testing exceptions overrides items following it in the list (4, ■...
Page 292: Using Ports In Accessible Services And Endpoints
Quarantined Networks Using Ports in Accessible Services and Endpoints Using Ports in Accessible Services and Endpoints To use a port number when specifying accessible services and endpoints (cluster default): Home window>>System configuration>>Accessible services The following figure shows the Accessible services window: Figure 7-1.
Page 293 Quarantined Networks Using Ports in Accessible Services and Endpoints For all other deployment modes, the Fully Qualified Domain Name (FQDN) of the target servers should be added to the list (for example mycom- pany.com). If the specified servers are not behind an ES, a network firewall must be used to control access to only the desired ports.
Page 294: Always Granting Access To An Endpoint
Quarantined Networks Always Granting Access to an Endpoint Always Granting Access to an Endpoint To always grant access to a endpoint without testing: Home window>>System configuration>>Exceptions The following figure shows the Exceptions window. Figure 7-2. System Configuration, Exceptions In the Whitelist area: In the Endpoints area, enter one or more MAC addresses, IP addresses, or NetBIOS names separated by carriage returns.
Page 295 Quarantined Networks Always Granting Access to an Endpoint CAUTION: If you enter the same endpoint for both options in the Endpoint testing exceptions area, the Allow access without testing option is used. CAUTION: Please read “Untestable Endpoints and DHCP Mode” on page 7-11 so that you fully understand the ramifications of allowing untested endpoints on your network.
Page 296: Always Quarantining An Endpoint
Quarantined Networks Always Quarantining an Endpoint Always Quarantining an Endpoint To always quarantine a an endpoint without testing (cluster default): Home window>>System configuration>>Exceptions In the Blacklist area: In the Endpoints area, enter one or more MAC addresses, IP addresses, or NetBIOS names separated by carriage returns. b.
Page 297: New Users
Quarantined Networks New Users New Users The process NAC 800 follows for allowing end-users to connect is: ■ Inline mode – An IP address is assigned to the endpoint outside of NAC 800. When the end-user attempts to connect to the network, NAC 800 either blocks access or allows access by adding the endpoint IP address to the internal firewall.
Page 298: Shared Resources
Quarantined Networks Shared Resources Shared Resources If the end-users typically make connections to shared services and endpoints during the boot process, these shares are unable to connect while the endpoint has the quarantined IP address, unless the services and endpoints are listed in the Accessible services and endpoints area (see “Accessible Services”...
Page 299: Untestable Endpoints And Dhcp Mode
Quarantined Networks Untestable Endpoints and DHCP Mode Untestable Endpoints and DHCP Mode If you have an endpoint that does not have a supported operating system, you can allow access or quarantine the endpoint. The current supported operating systems are listed in “Endpoints Supported” on page 5-5. If you allow an untested endpoint to have access, there are several important items to keep in mind.
Page 300: Windows Domain Authentication And Quarantined Endpoints
Quarantined Networks Windows Domain Authentication and Quarantined Endpoints Windows Domain Authentication and Quarantined Endpoints In order to satisfy the following scenarios: A guest user gets redirected ■ ■ A user is redirected if their home page is the Intranet ■ The only host that is resolved is the domain controller (DC);...
Page 301 Quarantined Networks Windows Domain Authentication and Quarantined Endpoints _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 389 dc01.lvh.com 7-13...
Page 302 (This page intentionally left blank.)
Page 303: High Availability And Load Balancing
High Availability and Load Balancing Chapter Contents High Availability ..........8-2 Load Balancing .
Page 304: High Availability
High Availability and Load Balancing High Availability High Availability High availability occurs when one or more ESs takes over for an ES that has become unavailable in a multiple-server installation. Once an ES becomes unavailable, the other ESs take over enforcement from the ES that is now unavailable.
Page 305 High Availability and Load Balancing High Availability ports on the switch based on the switch configuration. If an ES becomes unavailable, the switch reconnects so that there is always a path from the VPN to an ES. All of the ES firewalls continuously stay in sync with each other. Figure 8-1.
Page 306 High Availability and Load Balancing High Availability Figure 8-2. DHCP Installation...
Page 307 High Availability and Load Balancing High Availability Figure 8-3. 802.1X Installation...
Page 308: Load Balancing
High Availability and Load Balancing Load Balancing Load Balancing Load balancing distributes the testing of endpoints across all NAC 800 ESs in a cluster. NAC 800 uses a hashing algorithm based on MAC or IP addresses to divide the endpoints between the ESs. If the MAC address is unavailable (untestable endpoint) the IP address is used to determine which ES should test an endpoint.
Page 309: Inline Quarantine Method
Inline Quarantine Method Chapter Contents Inline ............9-2...
Page 310: Inline
Inline Quarantine Method Inline Inline Inline is the most basic NAC 800 installation. When deploying NAC 800 inline, NAC 800 monitors and enforces all endpoint traffic. NAC 800 allows endpoints to access the network or blocks endpoints from accessing the network based on their Internet Protocol (IP) address with a built-in firewall (iptables).
Page 311 Inline Quarantine Method Inline Figure 9-1. Inline Installations TIP: You can install NAC 800 at any “choke point” in your network; a VPN is not required.
Page 312 (This page intentionally left blank.)
Page 313 DHCP Quarantine Method Chapter Contents Overview ............10-2 Configuring NAC 800 for DHCP .
Page 314: Dhcp Quarantine Method
DHCP Quarantine Method Overview Overview When configured with a Dynamic Host Configuration Protocol (DHCP) quar- antine area, all endpoints requesting a DHCP IP address are issued a tempo- rary address on a quarantine subnetwork. Once the endpoint is allowed access, the IP address is renewed and the main DHCP server assigns an address to the main LAN.
Page 315 DHCP Quarantine Method Overview Figure 10-1. DHCP Installation 10-3...
Page 316: Configuring Nac 800 For Dhcp
DHCP Quarantine Method Configuring NAC 800 for DHCP Configuring NAC 800 for DHCP The primary configuration required for using NAC 800 and DHCP is setting up the quarantine area (see “Setting up a Quarantine Area” on page 10-4). You should also review the following topics related to quarantining endpoints: ■...
Page 317: Configuring The Router Acls
DHCP Quarantine Method Configuring NAC 800 for DHCP Configuring the Router ACLs In order to sufficiently restrict access to and from the quarantine area, you must configure your router Access Control Lists (ACLs) as follows: ■ Allow traffic to and from the NAC 800 server and the quarantined network.
Page 318 (This page intentionally left blank.)
Page 319 802.1X Quarantine Method Chapter Contents About 802.1X ..........11-2 NAC 800 and 802.1X .
Page 320: About 802.1X
802.1X Quarantine Method About 802.1X About 802.1X 802.1X is a port-based authentication protocol that can dynamically vary encryption keys, and has three components as follows: ■ Supplicant – The client; the endpoint that wants to access the network. Authenticator– The access point, such as a switch, that prevents ■...
Page 321 802.1X Quarantine Method About 802.1X The AP (authenticator) opens a port for EAP messages, and blocks all others. The AP (authenticator) requests the client’s (supplicant’s) identity. The Client (supplicant) sends its identity. The AP (authenticator) passes the identity on to the authentication server. The authentication server performs the authentication and returns an accept or reject message to the AP (authenticator).
Page 322: Nac 800 And 802.1X
802.1X Quarantine Method NAC 800 and 802.1X NAC 800 and 802.1X When configured as 802.1X-enabled, NAC 800 can be installed with three different configurations depending on your network environment: ■ Microsoft IAS and NAC 800 IAS Plug-in With this method, the switch is configured with the IAS server IP address as the RADIUS server host.
Page 323 802.1X Quarantine Method NAC 800 and 802.1X Figure 11-2. NAC 800 802.1X Enforcement 11-5...
Page 324 802.1X Quarantine Method NAC 800 and 802.1X Figure 11-3. 802.1X Communications 11-6...
Page 325: Setting Up The 802.1X Components
802.1X Quarantine Method Setting up the 802.1X Components Setting up the 802.1X Components In order to use NAC 800 in an 802.1X environment, ProCurve recommends configuring your environment first, then installing and configuring NAC 800. This section provides instructions for the following: “Setting up the RADIUS Server”...
Page 326 802.1X Quarantine Method Setting up the 802.1X Components Microsoft® Windows Server™ 2003 Internet Authentication Service (IAS) is Microsoft’s implementation of a Remote Authentication Dial-In User Service (RADIUS) server. This section provides instructions on configuring this server to use with NAC 800. For details on the Windows Server 2003 IAS, refer to the following link: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/tech- nologies/ias.mspx...
Page 327: Configuring The Microsoft Ias Radius Server
802.1X Quarantine Method Setting up the 802.1X Components Select the Networking Services check box. Click Details. The Networking Services window appears, as shown in the following figure. Figure 11-5. Networking Services Select the check box for Internet Authentication Service and any other Windows Internet Authentication Service (IAS) components you want to install.
Page 328 802.1X Quarantine Method Setting up the 802.1X Components From the RADIUS server main window, select Start>>Settings>>Control Panel>>Administrative Tools>>Internet Authentication Service. Configure IAS to use Active Directory: Right-click on Internet Authentication Service (Local). b. Select Register Server in Active Directory (figure 11-6). Click OK if a registration completed window appears.
Page 329 802.1X Quarantine Method Setting up the 802.1X Components Figure 11-8. IAS, Properties General tab – Enter a descriptive name in the Server Description text box. For example, IAS. ii. Select the Rejected authentication requests check box. iii. Select the Successful authentication requests check box. d.
Page 330 802.1X Quarantine Method Setting up the 802.1X Components b. Select New RADIUS Client. The New RADIUS Client window appears: Figure 11-9. IAS, New Client, Name and Address Enter a descriptive name for the Friendly name, such as Foundry. d. Enter the IP address of the authenticator in the Client address text box. TIP: Click Verify to test the connection.
Page 331 802.1X Quarantine Method Setting up the 802.1X Components Select RADIUS Standard from the Client Vendor drop-down list Enter a password in the Shared secret text box. This password also needs to be entered when you configure the authenticator. NOTE: See your system administrator to obtain the shared secret for your switch. h.
Page 332 802.1X Quarantine Method Setting up the 802.1X Components Click Next. Figure 11-12. IAS, Remote Access Policy, Access Method Select the Ethernet radio button. (The Ethernet option will not work for authenticating wireless clients with this policy.) h. Click Next. Figure 11-13. IAS, Remote Access Policy, Group Access You can configure your Access policy by user or group.
Page 333 802.1X Quarantine Method Setting up the 802.1X Components Click Add. The Select Groups pop-up window appears: Figure 11-14. IAS, Remote Access Policy, Find Group 11-15...
Page 334 802.1X Quarantine Method Setting up the 802.1X Components k. Click Advanced. Figure 11-15. Remote Access Policy, Select Group Click Find Now to populate the Search Results area. m. Select Domain Guests. n. Click OK. o. Click OK. 11-16...
Page 335 802.1X Quarantine Method Setting up the 802.1X Components p. Click Next. Figure 11-16. IAS, Remote Access Policy, Authentication Method NOTE: If you choose PEAP as your authentication mechanism in step q, see step 8 before completing step r and step s. Adding a certificate, if your server does not already have one, and configuring PEAP is explained in step 8.
Page 336 802.1X Quarantine Method Setting up the 802.1X Components These steps assume there is a Domain Certificate Authority (CA) available to request a certificate. If there is not a CA available, the certificate needs to be imported manually. NOTE: To import the certificate manually: 1.
Page 337 802.1X Quarantine Method Setting up the 802.1X Components h. Open the Certificates folder under the Console Root. Right-click on the Personal folder and select All Tasks>>Request New Certificate. NOTE: To import the certificate manually: 1. Right-click on the Personal folder>>select All Tasks>>Import. 2.
Page 338 802.1X Quarantine Method Setting up the 802.1X Components Click Configure to configure the certificate for use with the PEAP authentication method. The Protected EAP Properties window appears, as shown in the following figure: Figure 11-18. Protected EAP Properties 10. Configure the new Remote Access Policy. Figure 11-19.
Page 339 802.1X Quarantine Method Setting up the 802.1X Components b. In the right pane, right-click the new policy name and select Properties. The Guest Policy Properties window appears: Figure 11-20. IAS, Remote Access Policy, Configure Click Edit Profile. The Edit Dial-in Profile window appears. Authentication tab –...
Page 340 802.1X Quarantine Method Setting up the 802.1X Components 1) Click Add. Figure 11-21. IAS, Remote Access Policy, Add Attribute 2) Select Tunnel-Medium-Type. (Adding the first of the three attributes.) 3) Click Add. 4) Click Add again on the next window. 5) From the Attribute value drop-down list, select 802 (includes all 802 media.
Page 341 802.1X Quarantine Method Setting up the 802.1X Components 18) Click OK. 19) Click OK. 20) Click OK. 11. Repeat step 9 for every VLAN group defined in Active Directory. IMPORTANT: The order of the connection attributes should be most- specific at the top, and most-general at the bottom. 12.
Page 342 802.1X Quarantine Method Setting up the 802.1X Components d. Settings tab – Select any of the request and status options you are interested in logging. Log file tab – In the Format area, select the IAS radio button. ii. In the Create a new log file area, select a frequency, such as Daily. iii.
Page 343 802.1X Quarantine Method Setting up the 802.1X Components support/ias/SAIASConnector.dll support/ias/SAIASConnector.ini NOTE: SAIASConnector.ini is installed within NAC 800 using standard system defaults. Utilities for this such as DebugAttributes and DebugLevel should be modified only in conjunction with technical assistance through ProCurve ProCurve Networking by HP at or .
Page 344 802.1X Quarantine Method Setting up the 802.1X Components vi. Click Add. Figure 11-25. IAS, Add/Remove Snap-in, Certificates vii. Select Certificates. viii. Click Add. ix. Select the Computer account radio button. x. Click Next. xi. Select the Local computer: (the computer this console is running on) radio button.
Page 345 802.1X Quarantine Method Setting up the 802.1X Components xiv. Click OK. Figure 11-26. IAS, Import Certificate xv. Right-click on Console Root>>Certificates (Local Computer)>>Trusted Root Certificate Authorities. xvi. Select All tasks>>import. xvii.Click Next. xviii.Click Browse and choose the certificate. The NAC 800 server certificate is located on http://www.procurve.com/nactools xix.
Page 346 802.1X Quarantine Method Setting up the 802.1X Components Quarantined – The endpoint failed a test and the action is configured to quarantine. Unknown – The endpoint has not been tested. Infected – The endpoint failed the Worms, Virus, and Trojans test. To configure the response, edit the SAIASConnector.ini file.
Page 347 802.1X Quarantine Method Setting up the 802.1X Components From the Windows Server 2003 machine, select Start>>Settings>>Control Panel>>Administrative Tools>>Active Directory Users and Computers. Figure 11-27. Active Directory, Properties ii. Right-click on your directory name and select Properties. iii. Select the Group Policy tab. iv.
Page 348 802.1X Quarantine Method Setting up the 802.1X Components viii. Right-click Store passwords using reversible encryption. ix. Select the Enabled check box. x. Click OK. xi. Close the Group Policy Object Editor window. xii. Close the Group Policy Management window. xiii. Close the Properties window. 16.
Page 349 802.1X Quarantine Method Setting up the 802.1X Components Select the Users folder. Figure 11-29. Active Directory Users and Computers 11-31...
Page 350 802.1X Quarantine Method Setting up the 802.1X Components d. Right-click a user name and select Properties. The Properties windows appears: Figure 11-30. Active Directory, User Account Properties Select the Dial-in tab. In the Remote Access Permission area, select the Allow Access radio button.
Page 351: Proxying Radius Requests To An Existing Radius Server Using The Built-In Nac 800 Radius Server
802.1X Quarantine Method Setting up the 802.1X Components Repeat from step a for each user account. Proxying RADIUS Requests to an Existing RADIUS Server Using the Built-in NAC 800 RADIUS Server TIP: For an explanation of how the components communicate, see “NAC 800 and 802.1X”...
Page 352 802.1X Quarantine Method Setting up the 802.1X Components Configure the SAFreeRADIUSConnector.conf file with the appropriate RADIUS attributes and VLANS. See comments in the following sample file for instructions. # FreeRADIUS Connector configuration file # TO DO - Change localhost to your server's IP if this is not the built-in FreeRADIUS server ServerUrl=https://localhost/servlet/AccessControlServlet DebugLevel=4...
Page 353 802.1X Quarantine Method Setting up the 802.1X Components "QuarantineRadiusAttributes" Tunnel-Medium-Type := 6, Tunnel-Private-Group-ID := 15, Tunnel-Type := VLAN, "InfectedRadiusAttributes" Tunnel-Medium-Type := 6, Tunnel-Private-Group-ID := 15, Tunnel-Type := VLAN, "UnknownRadiusAttributes" Tunnel-Medium-Type := 6, Tunnel-Private-Group-ID := 5, Tunnel-Type := VLAN, # Use these attributes for Extreme switches #"HealthyRadiusAttributes"...
Page 354: Using The Built-In Nac 800 Radius Server For Authentication
802.1X Quarantine Method Setting up the 802.1X Components Test the RADIUS server proxy: radtest Using the Built-in NAC 800 RADIUS Server for Authentication If you selected the Manual End-user authentication method in the Authentication settings area of the System configuration>>Quarantining>>802.1X window, con- figure NAC 800 according to the instructions in this section.
Page 355 802.1X Quarantine Method Setting up the 802.1X Components NOTE: When using the Cisco® Catalyst® 6509 with the Catalyst operating system (CatOS), you need to refer to the VLAN by name, and not by number as shown in the following sample file. For example, use “Tunnel-Private-Group-ID := User_Seg_PA,”...
Page 356 802.1X Quarantine Method Setting up the 802.1X Components #"CheckupRadiusAttributes" Tunnel-Medium-Type := 6, Tunnel-Private-Group-ID := 50, Tunnel-Type := VLAN, "QuarantineRadiusAttributes" Tunnel-Medium-Type := 6, Tunnel-Private-Group-ID := 15, Tunnel-Type := VLAN, "InfectedRadiusAttributes" Tunnel-Medium-Type := 6, Tunnel-Private-Group-ID := 15, Tunnel-Type := VLAN, "UnknownRadiusAttributes" Tunnel-Medium-Type := 6, Tunnel-Private-Group-ID := 5, Tunnel-Type := VLAN, # Use these attributes for Extreme switches...
Page 357: Enabling Nac 800 For 802.1X
802.1X Quarantine Method Setting up the 802.1X Components #"RadiusAttributes-" Tunnel-Medium-Type := 6, Tunnel-Private-Group-ID := 15, Tunnel-Type := VLAN, Enabling NAC 800 for 802.1X To enable NAC 800 for use in an 802.1X network, you need to select it in the user interface, and make a few changes to the properties using JMS and an XML file.
Page 358: Setting Up The Supplicant
802.1X Quarantine Method Setting up the 802.1X Components detection can be run remotely by installing and configuring the end- point activity capture software on each DHCP server involved in the 802.1X deployment. In this case, choose the remote option. local – In simple configurations, it is possible to span, or mirror, the •...
Page 359 802.1X Quarantine Method Setting up the 802.1X Components Right-click on Local Area Connection. Select Properties. The Local Area Connection windows appears: Figure 11-32. Windows XP Pro Local Area Connection, General Tab Select the General tab. Select the Show icon in notification area when connected check box. This enables the Windows XP balloon help utility, which can assist you when entering information and troubleshooting errors.
Page 360: Windows Xp Home Setup
802.1X Quarantine Method Setting up the 802.1X Components Select the Authentication tab. Figure 11-33. Windows XP Pro Local Area Connection Properties, Authentication Select the Enable IEE 802.1X authentication for this network check box. Select an EAP type from the drop-down list. For this example, select MD5-Challenge.
Page 361: Windows 2000 Professional Setup
802.1X Quarantine Method Setting up the 802.1X Components Select Wireless Zero Configuration. If the Status column does not already show Started, start the service: Right click on Wireless Zero Configuration. ii. Select Start. b. Close the Services window. Configure the network connections: Windows desktop>>Start>>Settings>>Control Panel>>Network Connections Right-click on Local Area Connection.
Page 362 802.1X Quarantine Method Setting up the 802.1X Components b. Close the Services window. Configure the network connections: Windows desktop>>Start>>Settings>>Control Panel>>Network and Dial-up Connections Right-click on Local Area Connection. Select Properties. The Local Area Connection windows appears. Figure 11-34. Windows 2000 Local Area Connection Properties, General Tab b.
Page 363: Windows Vista Setup
802.1X Quarantine Method Setting up the 802.1X Components d. Select the Authentication tab. Figure 11-35. Windows 2000 Local Area Connection Properties, Authentication Tab Select the Enable network access control using IEE 802.1X check box. Select an EAP type from the drop-down list. For this example, select MD5-Challenge.
Page 364 802.1X Quarantine Method Setting up the 802.1X Components Start the wired service: Double-click on Wired AutoConfig. The Wired AutoConfig Properties window appears. Figure 11-36. Wired AutoConfig Properties b. Select Automatic from the Startup type drop-down list. Click Start in the Service status area. d.
Page 365 802.1X Quarantine Method Setting up the 802.1X Components Select Properties. The Local Area Connection windows appears: Figure 11-37. Windows Vista Local Area Connection, Networking Tab 11-47...
Page 366: Setting Up The Authenticator
802.1X Quarantine Method Setting up the 802.1X Components Select the Authentication tab. Figure 11-38. Windows Vista Local Area Connection Properties, Authentication Tab Select the Enable IEE 802.1X authentication check box. Select an EAP type from the Choose a network authentication method drop- down list.
Page 367: Cisco® 2950 Ios
802.1X Quarantine Method Setting up the 802.1X Components “Extreme® Summit 48si” on page 11-51 ■ ■ “ExtremeWare” on page 11-51 “ExtremeXOS” on page 11-52 ■ ■ “Foundry® FastIron® Edge 2402” on page 11-53 ■ “HP ProCurve 420AP” on page 11-53 “HP ProCurve 530AP”...
Page 368: Cisco® 4006 Catos
802.1X Quarantine Method Setting up the 802.1X Components dot1x timeout quiet-period 30 dot1x guest-vlan 5 dot1x reauthentication spanning-tree portfast ip http server radius-server host 10.11.100.10 auth-port 1812 acct-port 1813 key mysecretpassword radius-server retransmit 3 Cisco® 4006 CatOS set dot1x re-authperiod 100 set feature dot1x-radius-keepalive disable #radius set radius server 172.17.20.150 auth-port 1812 primary...
Page 369: Extreme® Summit 48Si
802.1X Quarantine Method Setting up the 802.1X Components BD70F5AAA2CF0C5DBAA5DA97FADFE95 set radius enable Extreme® Summit 48si TIP: When authenticating via the onboard FreeRADIUS server, you need to add the administrative line in the RADIUS users file. TIP: Change the admin password to a non-blank password. create vlan "Operations"...
Page 370: Extremexos
802.1X Quarantine Method Setting up the 802.1X Components TIP: Change the admin password to a non-blank password. create vlan "Quarantine" create vlan "Test" # RADIUS configuration enable radius configure radius primary shared-secret encrypted "ouzoisgprdr#s{fqa" configure radius primary server 10.50.32.10 1812 client-ip 10.50.32.254 # Network Login Configuration enable netlogin port 1 vlan Default...
Page 371: Foundry® Fastiron® Edge 2402
802.1X Quarantine Method Setting up the 802.1X Components configure netlogin base-url "network-access.com" configure netlogin redirect-page "http://www.extremenetworks.com" configure netlogin banner "" Foundry® FastIron® Edge 2402 dot1x-enable auth-fail-action restricted-vlan auth-fail-vlanid 5 mac-session-aging no-aging permitted-mac-only enable ethe 1 to 4 aaa authentication dot1x default radius radius-server host 10.11.100.10 auth-port 1812 acct-port 1813 default key 1 $6\-ndUnoS!--+sU@ interface ethernet 1...
Page 372: Hp Procurve 530Ap
802.1X Quarantine Method Setting up the 802.1X Components HP ProCurve Access Point 420(if-wireless-g)#ssid index 1 HP ProCurve Access Point 420(if-wireless-g-ssid-1)#closed-system HP ProCurve Access Point 420(if-wireless-g-ssid-1)#radius- authentication-server address HP ProCurve Access Point 420(if-wireless-g-ssid-1)#radius- authentication-server key HP ProCurve Access Point 420(if-wireless-g-ssid-1)#radius- authentication-server vlan-format ascii HP ProCurve Access Point 420(if-wireless-g-ssid-1)#ssid...
Page 373 802.1X Quarantine Method Setting up the 802.1X Components The RADIUS shared secret key must also be set to enable communication between this device and the RADIUS server. ProCurve Access Point 530(radio1-wlan1)#radius primary key ProCurve Access Point 530(radio1-wlan1)#radius-accounting primary ip ...
Page 374: Hp Procurve 3400/3500/5400
802.1X Quarantine Method Setting up the 802.1X Components ProCurve Access Point 530(radio1-wlan1)#wep-key-ascii ProCurve Access Point 530(radio1-wlan1)#wep-key-1 1q2w3e4r5t6y7 ProCurve Access Point 530(radio1-wlan1)#write mem ProCurve Access Point 530(radio1-wlan1)#enable ProCurve Access Point 530(radio2-wlan1)#enable ProCurve Access Point 530(config)#radio 1 ProCurve Access Point 530(radio1)#enable ProCurve Access Point 530(radio1)#radio 2 ProCurve Access Point 530(radio2)#enable ProCurve Access Point 530(config)#write mem ProCurve Access Point 530(config)#exit...
Page 375: Creating Custom Expect Scripts
802.1X Quarantine Method Setting up the 802.1X Components uthentication-period 3600 re-authenticate quiet-interval 60 transmit-interval 3 0 supplicant-timeout 30 server-timeout 30 max-request 2 Vlan Info: vlan create 10 name "production" type port vlan create 11 name "guest" type port vlan create 12 name "quarantine" type port ! *** EAP *** eapol enable interface FastEthernet ALL...
Page 376 802.1X Quarantine Method Setting up the 802.1X Components When testing configuration settings from the NAC 800 user interface, all three scripts are executed once in sequence and the connection is closed. If any output is returned by a command sent in the re-authentication script, it is logged and returned to the user.
Page 377 802.1X Quarantine Method Setting up the 802.1X Components expect [OPTIONS] TEXT | "Waits for TEXT to appear on connection input" send [OPTIONS] TEXT | "Writes TEXT to connection output" The expect scripts use the following commands: Command Description and parameters Waits for TEXT to appear on the connection input expect [OPTIONS] TEXT...
Page 378 802.1X Quarantine Method Setting up the 802.1X Components IS_TELNET – Set to "true" for a telnet connection (otherwise unset) ■ ■ IS_SSH – Set to "true" for an SSH connection (otherwise unset) The following variables may be referenced from re-authentication script: PORT –...
Page 379 802.1X Quarantine Method Setting up the 802.1X Components expect (config)# Reauthorization script: send interface FastEthernet ${PORT} expect (config-if)# send eapol re-authenticate expect (config-if)# send exit expect (config)# Exit script: send exit expect # send exit expect press or to select option. send -noreturn l The conditions in the above scripts are driven by the values of the variables entered by the user, but sometimes it is necessary to drive conditions from interactions with...
Page 380 (This page intentionally left blank.)
Page 381 Remote Device Activity Capture Chapter Contents Creating a DAC Host ..........12-2 Downloading the EXE File .
Page 382: Creating A Dac Host
Remote Device Activity Capture Creating a DAC Host Creating a DAC Host NAC 800 auto-discovers endpoints on your network so that the testing and transition from quarantine to non-quarantine areas happens quickly and smoothly after an endpoint is booted up. NAC 800 also relies on auto-discovery functionality to track DHCP IP address transitions so that it can continue to communicate seamlessly with endpoints after an IP change.
Page 383: Downloading The Exe File
Remote Device Activity Capture Creating a DAC Host Your DAC host can be a Windows server. This section provides instructions on setting up a Windows host. First, download the executable file to your Windows server, then run the installer to install the first interface. For this release, if you want to add additional interfaces, you must install them manually.
Page 384 Remote Device Activity Capture Creating a DAC Host To run the Windows installer: Windows server Navigate to the EXE file downloaded in “Downloading the EXE File” on page 12-3. Double-click on the EXE file. The DAC InstallShield Wizard Welcome window appears: Figure 12-1.
Page 385 Remote Device Activity Capture Creating a DAC Host Click Next. The Setup Type window appears Figure 12-2. RDAC Installer, Setup Type Select Complete to install the DAC software, the JavaJRE software, and the WinPcap software. If you already have JavaJRE or WinPcap installed, select Custom.
Page 386 Remote Device Activity Capture Creating a DAC Host Click Next. The Choose Destination Location window appears: Figure 12-3. RDAC Installer, Choose Destination Location In most cases, you should accept the default location. (Click Change to select a different location.) Click Next. The Confirm New Folder window appears: Figure 12-4.
Page 387 Remote Device Activity Capture Creating a DAC Host Click Yes. If you selected Custom in step 4 on page 12-5, the Select Features window appears; otherwise the NIC Selection window appears (figure 12- Figure 12-5. RDAC Installer, Select Features 12-7...
Page 388 Remote Device Activity Capture Creating a DAC Host Select the features to install. Click Next. The NIC Selection window appears: Figure 12-6. RDAC Installer, NIC Selection 12-8...
Page 389 Remote Device Activity Capture Creating a DAC Host All of the interfaces installed on your Windows server are listed in this window. Select the one you want to use and click Next. The TCP Port Filter Specification window appears: Figure 12-7. RDAC Installer, TCP Port Filter Specification 12-9...
Page 390 Remote Device Activity Capture Creating a DAC Host 10. In most cases you should accept the default entry. Click Next. The Enforcement Server Specification window appears: Figure 12-8. RDAC Installer, Enforcement Server Specification 12-10...
Page 391 Remote Device Activity Capture Creating a DAC Host 11. Enter the IP address of the Enforcement Server (ES) to use. Click Next. The Ready to Install the Program window appears: Figure 12-9. RDAC Installer, Ready to Install the Program 12. Click Install. 13.
Page 392 Remote Device Activity Capture Creating a DAC Host When the installation is complete, the InstallShield Wizard Complete window appears: Figure 12-10. RDAC Installer, InstallShield Wizard Complete 14. The following folders and files are created: • VERSION – InstallSSDAC.bat rdac SSDAC.bat UninstallSSDAC.bat wrapper.exe –...
Page 393: Adding Additional Interfaces
Remote Device Activity Capture Creating a DAC Host – wrapper.log 15. Perform the steps detailed in “Adding Additional Interfaces” if you have additional interfaces to add. 16. Perform the steps detailed in “Configuring the MS and ES for DAC” on page 12-14.
Page 394: Configuring The Ms And Es For Dac
Remote Device Activity Capture Creating a DAC Host b. Change any parameters necessary for your specific setup. The interface and IP address parameters are the only parameters that require a change; however, changing other parameters can assist you for debugging purposes. # Application parameters.
Page 395: Adding Additional Ess
Remote Device Activity Capture Creating a DAC Host b. When the command completes, copy the DAC_keystore file (from / tmp or wherever you specified) to C:\Program Files\Hewlett- Packard\DAC\lib\ . After copying the DAC_keystore file from the MS, delete the file from its temporary location on the MS.
Page 396: Starting The Windows Service
Remote Device Activity Capture Creating a DAC Host wrapper.app.parameter.X Where X is the numerical value representing the order in which the parameter will be added to the command. b. Add additional ESs: Locate the line that represents the initial ES, for example wrapper.app.parameter.8=172.17.100.100 ii.
Page 397: Viewing Version Information
Remote Device Activity Capture Creating a DAC Host Select Start>>Settings>>Control Panel>>Administrative Tools>>Services. The Services window appears: Figure 12-12. NAC Endpoint Activity Capture Service Right-click on the NAC Endpoint Activity Capture service and select Start. The service is set to automatic start at the next reboot by default. Viewing Version Information To view version information: Windows server...
Page 398: Removing The Software
Remote Device Activity Capture Creating a DAC Host Removing the Software Each of the three software packages must be removed individually. To remove the RDAC software: Windows server Select Start>>Settings>>Control Panel>>Add or Remove Programs. Click once on the DAC listing. Click Remove.
Page 399 Remote Device Activity Capture Creating a DAC Host Select Start>>Settings>>Control Panel>>Add or Remove Programs. Click once on the J2SE Runtime Environment listing. Click Remove. Click Yes when asked if you want to completely remove the application and features. When the uninstallation is complete, the Uninstall Complete window appears: Select one of the options and click Finish.
Page 400: Nac 800 To Infoblox Connector
Remote Device Activity Capture NAC 800 to Infoblox Connector NAC 800 to Infoblox Connector Infoblox™ is a DHCP server appliance that writes to syslog when it vends IP addresses. These syslog messages (DHCPACK syslog lines) are translated and forwarded to the NAC 800 Device Activity Capturer (DAC) by way of the connector (syslog-to-dac.py).
Page 401 Remote Device Activity Capture NAC 800 to Infoblox Connector In the Basic 802.1X settings area, select the remote Endpoint detection location radio button. Click ok. Command line window NOTE: Perform the following steps on each ES in your system. Log in as root to the NAC 800 ES using SSH or directly with a keyboard. Enter the following command: egrep DeviceActivityCapture /usr/local/nac/ properties/nac-es.properties...
Page 402 Remote Device Activity Capture NAC 800 to Infoblox Connector d. In the ### LOG ENTRIES HERE ### area, add the following line: log { source(rdac); filter(f_mesg); destination(d_dac); }; Save and exit the file. Enter the following at the command line to restart the service: service syslog-ng restart Add the iptables firewall rule to allow this syslog traffic: Stop iptables by entering the following at the command line:...
Page 403: Dhcp Plug-In
DHCP Plug-in Chapter Contents Overview ............13-2 Installation Overview .
Page 404: Overview
DHCP Plug-in Overview Overview The Dynamic Host Configuration Protocol (DHCP) plug-in is an optional feature that allows you to use one or more DHCP servers (without an instal- lation of NAC 800 in front of each DHCP server) as shown in the following figure: Figure 13-1.
Page 405 DHCP Plug-in Overview The DHCP plug-in is a Microsoft DHCP plug-in that utilizes the Microsoft DHCP Server Callout Application Programming Interface (API). Installed on each DHCP server in your network, the plug-in processes or ignores DHCP packets based on the end-user device Media Access Control (MAC) address. NAC 800 tests endpoints that request access to the network and either assigns a quarantined Internet Protocol (IP) address (failed), or adds the MAC address of the end-user device as an authorized device (allowed) to the Access Control...
Page 406: Installation Overview
DHCP Plug-in Installation Overview Installation Overview When NAC 800 does not sit inline with the DHCP server, you need to set up a remote host for Device Activity Capture (DAC) to allow NAC 800 to listen on the network. This is done by installing a small program on the DHCP server or other remote (non-NAC 800) host, which then sends relevant endpoint device information back to NAC 800.
Page 407 DHCP Plug-in Installation Overview The DHCP Plug-in is configured using config.xml that resides on the Windows 2003 Server in C:\WINDOWS\SYSTEM32\DHCP\config.xml. Table 12 (in the Users Guide) shows options used in config.xml. Group Item Description failopen failopen=“true” means that if the NAC 800 DHCP listener connection goes down, the DHCP server goes in to allow...
Page 408 DHCP Plug-in Installation Overview *:4433 10 c:\windows\system32\dhcp\server.pem nac c:\windows\system32\dhcp\nac_DHCP.log 3 1024 13-6...
Page 409: Dhcp Plug-In And The Nac 800 User Interface
DHCP Plug-in DHCP Plug-in and the NAC 800 User Interface DHCP Plug-in and the NAC 800 User Interface In order to use the DHCP plug-in, you need to select DHCP as the quarantine (enforcement) method, select the DHCP servers using the DHCP plug-in check box, and add your DHCP servers.
Page 410 DHCP Plug-in DHCP Plug-in and the NAC 800 User Interface Select the DHCP servers using the DHCP plug-in radio button. Figure 13-2. System Configuration, Quarantining, DHCP 13-8...
Page 411 DHCP Plug-in DHCP Plug-in and the NAC 800 User Interface Click download the DHCP plug-in. A Windows save window appears. Browse to a location on the DHCP server you will remember and save the file. On the DHCP server, navigate to the location of the saved file and double- click it.
Page 412 DHCP Plug-in DHCP Plug-in and the NAC 800 User Interface Enter your User Name and Company Name. Click Next. The Ready to Install the Program window appears. Figure 13-5. DHCP Plug-in Ready to Install the Program window 10. Click Install. The progress is displayed on a Status window. When installation is complete, the InstallShield Wizard Complete window appears.
Page 413: Enabling The Plug-In And Adding Servers
DHCP Plug-in DHCP Plug-in and the NAC 800 User Interface Enabling the Plug-in and Adding Servers To enable the DHCP plug-in and add the DHCP servers: Home window>>System configuration>>Quarantining Select the DHCP radio button in the Quarantine area. Select the DHCP servers using the DHCP plug-in radio button (figure 13-2). NOTE: Changes made while one or more DHCP servers cannot be communicated with will be sent to those DHCP servers as soon as communication is re-...
Page 414 DHCP Plug-in DHCP Plug-in and the NAC 800 User Interface • debug – Log everything (most amount of detail) CAUTION: Setting the log level to debug may adversely affect performance. Click ok. The added DHCP server appears as shown in the following figure: Figure 13-8.
Page 415: Viewing Dhcp Server Plug-In Status
DHCP Plug-in DHCP Plug-in and the NAC 800 User Interface Viewing DHCP Server Plug-in Status DHCP server plug-in status is displayed in the following locations: System configuration>>Quarantining>>DHCP window ■ System monitor>>select a cluster>>Quarantining window ■ Home window>>System configuration>>Quarantining>>DHCP Quarantine ■ method radio button>>DHCP servers using the DHCP plug-in radio button>>Click edit next to a DHCP server configuration Editing DHCP Server Plug-in Configurations...
Page 416: Deleting A Dhcp Server Plug-In Configuration
DHCP Plug-in DHCP Plug-in and the NAC 800 User Interface Click ok to return to the System Configuration>>Quarantining window. Click ok to save the changes and return to the Home window. Deleting a DHCP Server Plug-in Configuration To delete a DHCP Server Plug-in Configuration: Home window>>System configuration>>Quarantining>>DHCP Quarantine method radio button>>DHCP servers using the DHCP plug-in radio button Click remove next to the DHCP server plug-in configuration you wish to...
Page 417 DHCP Plug-in DHCP Plug-in and the NAC 800 User Interface Click enable next to the DHCP server plug-in configuration you wish to enable. Click yes at the Enable DHCP plug-in configuration prompt. Click ok to save the changes and return to the Home window. 13-15...
Page 418 (This page intentionally left blank.)
Page 419 Reports Chapter Contents Report Types ........... 14-2 Generating Reports .
Page 420: Reports
Reports Report Types Report Types NAC 800 generates the following types of reports: Report Description Report columns NAC policy results Lists each NAC policy and the last • policy name pass/fail policy results • test status • # of times •...
Page 421 Reports Report Types Report Description Report columns Test results by NetBIOS name Lists the number of tests that • netbios passed or failed for each netbios • cluster name. • ip address • user • test status • # of times •...
Page 422: Generating Reports
Reports Generating Reports Generating Reports To generate a report: Home window>>Reports The following figure shows the Reports window. Figure 14-1. Reports In the Report drop-down list, select the report to run. Select the Report period. Select the Rows per page. In the Endpoint search criteria area, select any of the following options to use for filtering the report: Cluster...
Page 423 Reports Generating Reports Endpoint test status Access control status Endpoints must match: of the selected criteria ii. Any of the selected criteria Select Generate report. After a short period of time the compiled report is displayed in a separate browser window. The following figure shows an example report.
Page 424: Viewing Report Details
Reports Viewing Report Details Viewing Report Details To view report details: Home window>>Reports Select the options for the report you want to run. Click Generate report. Click the details link. The Test details window appears: 14-6...
Page 425 Reports Viewing Report Details Figure 14-3. Test Details Report 14-7...
Page 426: Printing Reports
Reports Printing Reports Printing Reports To print a report: Home window>>Reports Select the options for the report you want to run. Click Generate report. Select Print. Select the printer options and properties. Select Print. 14-8...
Page 427: Saving Reports To A File
Reports Saving Reports to a File Saving Reports to a File To save a report: Home window>>Reports Select the options for the report you want to run. Click Generate report. Select File>>Save Page As from the browser menu. Enter a name and location where you want to save the file. Select Web page, complete.
Page 428: Converting An Html Report To A Word Document
Reports Converting an HTML Report to a Word Document Converting an HTML Report to a Word Document To convert an HTML report: Run the report (see “Generating Reports” on page 14-4.) Save an HTML version of it (see “Saving Reports to a File” on page 14-9). Open the HTML report in Microsoft Word.
Page 429: System Administration
System Administration Chapter Contents Launching NAC 800 ..........15-3 Launching and Logging into NAC 800 .
Page 430 System Administration Using an SSL Certificate from a known Certificate Authority (CA) . . . 15-29 Moving an ES from One MS to Another ......15-32 Recovering Quickly from a Network Failure .
Page 431: Launching Nac 800
System Administration Launching NAC 800 Launching NAC 800 Launching and Logging into NAC 800 To launch and log into NAC 800: Browser window on the workstation Using https://, point your browser to the NAC 800 MS IP address or host name. The login page appears. Enter the User name and Password that you defined the first time you logged in.
Page 432: Restarting Nac 800 System Processes
System Administration Restarting NAC 800 System Processes Restarting NAC 800 System Processes This section lists the commands to stop and restart services associated with NAC 800 installations for MS, ES, or Single-server Installations. Restart instead of start is used for services already running in NAC 800.When running NAC 800 and monitoring systems on your network, you may encounter a warning on a server stating that a Connection cannot be established.
Page 433: Downloading New Tests
System Administration Downloading New Tests Downloading New Tests To download the latest tests from the ProCurve server: Home window>>System configuration>>Test updates>>Check for test updates button TIP: If you are not receiving test update, try the following checks: - Verify that the system time is correct - Verify that the NAC’s web proxy is correct (if one is needed) - Attempt to connect using a web browser: http://update.procurve.com/monitor/ruleUpdate_status...
Page 434: System Settings
System Administration System Settings System Settings DNS/Windows Domain Authentication and Quarantined Endpoints In order to satisfy the following scenarios: ■ A guest user gets redirected A user is redirected if their home page is the Intranet ■ ■ The only host that is resolved is the domain controller (DC); and no other intranet hosts are resolved.
Page 435: Matching Windows Domain Policies To Nac Policies
System Administration System Settings _kerberos._tcp.Default-First-Site- Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 88 dc01.lvh.com _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 389 dc01.lvh.com When a browser is configured with an Intranet site as its home page, it will get redirected as shown in the following example process: ->...
Page 436: Setting The Access Mode
System Administration System Settings For example, to change the NAC policy to not run the Windows automatic update test: Home window>>NAC policies Select the NAC policy that tests the domain's endpoints. Select the Tests menu option. Clear the Windows automatic updates check box. Click ok.
Page 437: Changing The Ms Host Name
System Administration System Settings Changing the MS Host Name To change the MS host name: See “Modifying MS Network Settings” on page 3-24. Changing the ES Host Name To change the ES host name: See “Changing the ES Network Settings” on page 3-17. Changing the MS or ES IP Address To change the MS or ES IP address: The preferred method is to use the user interface:...
Page 438 System Administration System Settings TIP: You must reset the system before you can change the personality of the server; that is, before you can change an MS to and ES or an ES to a MS. To reset your system to the as-shipped state: Command line window Log in as root to the NAC 800 MS or ES, either using SSH or directly with a keyboard.
Page 439: Resetting Your Test Data
System Administration System Settings Resetting your Test Data There are times when you may wish to revert to the as-shipped state for test data; clearing the database of all endpoints and test results, and resetting SAPQ and DHCP leases. To reset your test data to the as-shipped state: Command line window For single-server installations: Log in as root to the NAC 800 MS, either using SSH or directly with a...
Page 440: Changing Properties
System Administration System Settings ii. Enter the following at the command line: resetTestData.py NOTE: The resetTestData.py file is in the following directory: cd /usr/local/nac/bin Changing Properties To change the property values in the properties files: Command line window Log in as root to the NAC 800 MS using SSH. Enter the following at the command line: setProperty.py ...
Page 441: Specifying An Email Server For Sending Notifications
System Administration System Settings = One or more key=value settings Note: a of '-' will delete the property For example, to change the upgrade timeout to 30 minutes, enter the following command: setProperty.py -m Compliance.UpgradeManager.UpgradeTimeout= Specifying an Email Server for Sending Notifications NAC 800 Enforcement clusters send alerts and notifications when certain events occur.
Page 442: Entering Networks Using Cidr Format
System Administration Entering Networks Using CIDR Format Entering Networks Using CIDR Format Networks and network endpoints can be specified in NAC 800 using Classless Inter Domain Routing (CIDR) format. CIDR is a commonly used method for specifying Internet objects. table 15-3 presents common CIDR naming con- ventions.
Page 443: Database
System Administration Database Database Creating a Backup File To create a backup file of system configuration and data: See “Initiating a New Backup” on page 3-106. Changing the Backup Timeouts If the backup process takes longer than the default timeouts (10 minutes for pg_dump and 1 minute for tar), you can increase the timeout values by performing the following steps: To change the timeout value for backups:...
Page 444: Restoring From Backup
System Administration Database Restoring from Backup NOTE: You must have backed up your system at least one time before you can restore from a backup. See “Initiating a New Backup” on page 3-106. To restore system configuration and data from a backup file: Home window>>System configuration>>Maintenance Click restore system from backup file.
Page 445: Restoring The Original Database
System Administration Database Restoring the Original Database CAUTION: Running this script resets your entire system, not just the database. See “Resetting your System” on page 15-9 for more information. To reset a NAC 800 database to its pristine state: Command window Log in as root to the NAC 800 MS using SSH.
Page 446: Supported Vpns
System Administration Supported VPNs Supported VPNs NAC 800 works with any VPN endpoint, since NAC 800 does not directly interface or inter-operate with VPN endpoints. The following commonly deployed VPN solutions have been tested: ■ Cisco VPN Concentrators OpenSSL VPNs ■...
Page 447: End-User Access Windows
System Administration End-user Access Windows End-user Access Windows The end-user access windows are completely customizable. You can enter general text through the NAC 800 interface and edit the file that contains the messages that are returned to the end-user. TIP: If you need more end-user access window customization than is described in this Users’...
Page 448: How Nac 800 Handles Static Ip Addresses
System Administration How NAC 800 Handles Static IP Addresses How NAC 800 Handles Static IP Addresses The following list details how NAC 800 handles static IP addresses: Inline Mode – NAC 800 can detect, test, and quarantine static IP ■ addresses.
Page 449: Managing Passwords
System Administration Managing Passwords Managing Passwords The passwords associated with your NAC 800 installation are listed in the following table: NAC 800 Set during Recovery process password NAC 800 Initial install process * See “Resetting the NAC 800 Server Management or Password”...
Page 450: Resetting The Nac 800 Server Password
System Administration Managing Passwords NAC 800 Set during Recovery process password Novell eDirectory Manually entered after installation on the Novell eDirectory password recovery is System beyond the scope of this document. configuration>>Quarantining>>802.1X Quarantine method radio button window. Table 15-4. NAC 800 Passwords Resetting the NAC 800 Server Password If you can remember the NAC 800 user interface password, but cannot remember the root login password for the NAC 800 MS or ES, log in to the...
Page 451: Resetting The Nac 800 Database Password
System Administration Managing Passwords CAUTION: Changing the appliance server mode (personality) resets the passwords, but it also restores the entire system to the default state—deleting data and erasing configuration settings. Resetting the NAC 800 Database Password The NAC 800 database password is set during the install process. You cannot change your database password with NAC 800 later.
Page 452 System Administration Managing Passwords Enter the following command: setProperty.py -f From a workstation, open a browser window and point to the NAC 800 MS. Enter a new User Name and Password when prompted. 15-24...
Page 453: Working With Ranges
System Administration Working with Ranges Working with Ranges In NAC 800 implementations, particularly in trial installations where you are connecting and disconnecting cables to a number of different types of end- points, you can filter the activity by specifying the following: ■...
Page 454 System Administration Working with Ranges Home window>>System configuration>>Enforcement clusters & servers>>Select an Enforcement Cluster>>Advanced menu option In the Endpoint detection area, enter the range of addresses to ignore in the IP addresses to ignore text field. Separate ranges with a hyphen or use CIDR notation.
Page 455: Creating And Replacing Ssl Certificates
System Administration Creating and Replacing SSL Certificates Creating and Replacing SSL Certificates The Secure Sockets Layer (SSL) protocol uses encryption by way of certifi- cates to provide security for data or information sent over HTTP. Certificates are digitally signed statements that verify the authenticity of a server for security purposes.
Page 456 System Administration Creating and Replacing SSL Certificates Remove the existing keystore by entering the following at the command line: rm -f /usr/local/nac/keystore/compliance.keystore Enter the following at the command line: keytool -genkey -keyalg RSA -alias -keystore /usr/local/nac/keystore/compliance.keystore Where: is the name for the key within the keystore file The keytool utility prompts you for the following information: •...
Page 457: Using An Ssl Certificate From A Known Certificate Authority (Ca)
System Administration Creating and Replacing SSL Certificates -keystore /usr/local/nac/keystore/compliance.keystore b. Import the key root certificates by entering the following command on the command line of the NAC 800 server: keytool -import -file /tmp/cacerts -alias -keystore /usr/local/nac/keystore/cacerts keytool prompts for the password of the cacerts file, that should be the default: changeit.
Page 458 System Administration Creating and Replacing SSL Certificates Submit the CSR (see “Copying Files” on page 1-20) to your chosen CA (such as Thawte or Verisign) along with anything else they might require: http://www.verisign.com/ http://www.thawte.com/ If you are using a non-traditional CA (such as your own private Certificate Authority/Public Key Infrastructure (CA/PKI), or if you are using a less well-known CA, you will need to import the CA’s root certificates into the java cacerts file by entering the following command on the command line...
Page 459 System Administration Creating and Replacing SSL Certificates 10. Save and exit the file. 15-31...
Page 460: Moving An Es From One Ms To Another
System Administration Moving an ES from One MS to Another Moving an ES from One MS to Another If you have an existing ES, you can move it to a different MS by performing the steps in this section. To move an ES to a different MS: Command line window Log in to the ES as root using SSH or directly with a keyboard.
Page 461: Recovering Quickly From A Network Failure
System Administration Recovering Quickly from a Network Failure Recovering Quickly from a Network Failure If you have a network with a very large number of endpoints (around 3000 endpoints per ES), and your network goes down, perform the following steps to make sure that your endpoints can reconnect as quickly as possible: Place all of the clusters that have a large number of endpoints in allow all mode:...
Page 462: Vlan Tagging
System Administration VLAN Tagging VLAN Tagging In some cases, such as when the DHCP server is in a separate VLAN than the span/mirror port, the mirrored port traffic is 802.1q tagged. In this case, in order for NAC 800 to recognize the traffic, the following workaround must be performed.
Page 463 System Administration VLAN Tagging Restart the network interface by entering the following at the command line: service network restart Change the interface the EDAC listens on: Log in to the MS using SSH or directly with a keyboard. b. For 802.1X mode, enter the following command at the command line: setProperty.py -c ...
Page 464: Iptables Wrapper Script
System Administration iptables Wrapper Script iptables Wrapper Script To avoid creating conflicts between iptables and the nac-es service, do not run the following commands manually: ■ /etc/init.d/iptables ■ service iptables start ■ service iptables stop ■ service iptables restart The nac-es service must be shutdown before making changes to the ipta- bles firewall.
Page 465: Supporting Network Management System
System Administration Supporting Network Management System Supporting Network Management System This section describes Network Management System (NMS) settings. Enabling ICMP Echo Requests The default configuration for NAC 800 is to not respond to ICMP Echo (ping) requests. Enable Temporary Ping To temporarily (until reboot) enable ICMP echo requests: Command line Log in to the NAC 800 server as root using SSH or directly with a keyboard.
Page 466: Restricting The Icmp Request
System Administration Supporting Network Management System echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all Save and exit the file. At the command line, enter the following: /etc/rc.d/rc.local Restricting the ICMP Request If you wish to restrict the ping request to a specific interface, such as the interface facing the protected network, then after following the procedures above, follow the instructions in this section to add rules to the firewall chain so that ping requests are only viable through the interface specified.
Page 467: Snmp Mibs
System Administration Supporting Network Management System SNMP MIBs A Management Information Base (MIB) is a database that manages devices in a network. Simple Network Management Protocol (SNMP) is a protocol used for communication between devices that uses MIBs to obtain SNMP message formats.
Page 468 (This page intentionally left blank.)
Page 469 Patch Management Chapter Contents Patch Management ..........16-2 Flagging a Test to Launch a Patch Manager .
Page 470: Patch Management
Patch Management Patch Management Patch Management NAC 800 can integrate with patch management software. When an endpoint fails due to a missing patch, NAC 800 wakes the patch manager client, checks for the completion of the patch, and then retests upon completion. The patch management capability uses the following test statuses: ■...
Page 471: Flagging A Test To Launch A Patch Manager
Patch Management Flagging a Test to Launch a Patch Manager Flagging a Test to Launch a Patch Manager To flag a test to launch a patch manager: Home window>>NAC Policies>>Select or create a NAC policy>>Tests menu option Figure 16-1. Initiate a Patch Manager Check Box Select the check box for a test in the left column.
Page 472: Selecting The Patch Manager
Patch Management Selecting the Patch Manager Selecting the Patch Manager To select the patch manager: Home window>>NAC Policies>>Select or create an access policy>>Tests menu option Select the check box for a test in the left column. Click on the test name in the left column. Select the Initiate patch manager check box.
Page 473: Specifying The Number Of Retests
Patch Management Specifying the Number of Retests Specifying the Number of Retests To select the maximum number of retest attempts: Home window>>NAC Policies>>Select or create an access policy>>Tests menu option Select the check box for a test in the left column. Click on the test name in the left column.
Page 474: Specifying The Retest Frequency
Patch Management Specifying the Retest Frequency Specifying the Retest Frequency To specify the retest interval: Home window>>NAC Policies>>Select or create an access policy>>Tests menu option Select the check box for a test in the left column. Click on the test name in the left column. Select the Initiate patch manager check box.
Page 475: Sms Patch Management
Patch Management SMS Patch Management SMS Patch Management Repair vulnerabilities using patch management with SMS. NOTE: Windows SMS 2003 is the only version supported. 16-7...
Page 476: Sms Concepts
Patch Management SMS Concepts SMS Concepts Microsoft Systems Management Server (SMS) 2003 provides a means to manage software updates for Microsoft platform endpoints. The SMS server contains a database of logical groups with common attributes called collec- tions. SMS operates only on clients endpoints) that are members of a collec- tion.
Page 477: Nac 800/Sms/Nac 800 Process
Patch Management NAC 800/SMS/NAC 800 Process NAC 800/SMS/NAC 800 Process When an agent-based test fails on the endpoint, NAC 800 wakes up the endpoint client (SMS) which patches the endpoint. NAC 800 retests the endpoint. If the test fails again, NAC 800 keeps looping until patching com- pletes.
Page 478: Nac 800 Setup
Patch Management NAC 800 Setup NAC 800 Setup To set up NAC 800 for use with SMS: Install and configure NAC 800 . Log into the NAC 800 user interface. Add the following IP addresses to the NAC 800 home window>>System configuration>>Accessible services area: SMS server IP address b.
Page 479: Learning More About Sms
Patch Management Learning More About SMS Learning More About SMS The following links provide additional information about SMS: ■ Microsoft SMS home page http://www.microsoft.com/smserver/ 16-11...
Page 480 (This page intentionally left blank.)
Page 481 Configuring the Post-connect Server Chapter Contents Overview ............A-2 Extracting the ZIP File .
Page 482: Overview
Configuring the Post-connect Server Overview Overview This section describes how to configure the remote server for use with the NAC 800 post-connect feature. The post-connect server can be a Windows server or a Linux server. This section details the following: ■...
Page 483: Extracting The Zip File
Configuring the Post-connect Server Extracting the ZIP File Extracting the ZIP File Windows To download and extract the ZIP file to a Windows machine: Create a directory for the contents of the ZIP file on the Windows machine. ProCurve recommends C:\Program Files\ProCurve. These instructions assume that you used the C:\Program Files\ProCurve directory.
Page 484: Zip File Contents
Configuring the Post-connect Server ZIP File Contents ZIP File Contents The following folders and files are extracted: ■ postconnect • Connector.bat Connector_ActionScript.py InstallConnectorService.bat postconnect UninstallConnectorService.bat wrapper.exe • conf wrapper.conf • activemq-core-4.1.1.jar backport-util-concurrent-2.1.jar commons-logging-1.0.3.jar concurrent-1.3.4.jar connector.jar connector.properties geronimo-spec-j2ee-management-1.0-rc4.jar jms.jar JMSConnection.properties log4j-1.2.13.jar log4j.properties wrapper.dll wrapper.jar...
Page 485: Setting Up A Post-Connect Host
Configuring the Post-connect Server Setting up a Post-connect Host Setting up a Post-connect Host Windows Your post-connect host can be a Linux or Windows server. This section provides instructions on setting up a Windows host. To set up a Windows post-connect host: Install WinPcap on a Windows machine if it is not already installed: Log into your Windows server.
Page 486: Linux
Configuring the Post-connect Server Setting up a Post-connect Host Change the product to be the product you are running. For example: product=IDS Product Name d. Save and exit the file. Edit the JMSConnection.properties file: Open the \postconnect\lib\JMSConnection.properties file with a text editor. b.
Page 487 Configuring the Post-connect Server Setting up a Post-connect Host Log in the NAC 800 MS as root using SSH or directly with a keyboard. b. Copy the /usr/local/nac/keystore/cacerts file from the MS into the /usr/local/postconnect/lib folder on the post- connect server where you extracted the ZIP file. See “Copying Files” on page 1-20 for information on how to copy files securely.
Page 488 Configuring the Post-connect Server Setting up a Post-connect Host d. Start the service by entering the following at the command line: service postconnect start...
Page 489: Viewing Logs
Configuring the Post-connect Server Viewing Logs Viewing Logs To view post-connect logs: The log files are as follows: /usr/local/postconnect/log/connector.log – Verify that the connector ■ is running. ■ /usr/local/postconnect/log/script.log – The script writes to this file.
Page 490: Testing The Service
Configuring the Post-connect Server Testing the Service Testing the Service To test the post-connect service: Command line Enter the following at the command line: Windows /usr/local/postconnect/bin/Connector_ActionScript.py "Reason 1" "Reason 2" Linux /usr/local/postconnect/bin/Connector_ActionScript.py "Reason 1" "Reason 2" Where: ...
Page 491: Configuring Your Sensor
Configuring the Post-connect Server Configuring Your Sensor Configuring Your Sensor Configure your post-connect sensor to call Connector_ActionScript.py with the IP address of the endpoint to quarantine and the reasons to quaran- tine. A-11...
Page 492: Allowing Nac 800 Through The Firewall
Configuring the Post-connect Server Allowing NAC 800 Through the Firewall Allowing NAC 800 Through the Firewall NAC 800 needs to communicate with the post-connect server through port 61616. See “Allowing the Windows RPC Service through the Firewall” on page 5-22 for instructions on how to open a port on a Windows machine. A-12...
Page 493 Tests Help Chapter Contents Overview ............B-3 Browser Security Policy –...
Page 494 Tests Help Mac Security Updates ........B-24 Mac Services .
Page 495: Overview
Tests Help Overview Overview The tests performed on endpoints attempting to connect to the network are listed on the NAC 800 Home window>>NAC policies>>Select a NAC policy>>Tests. These tests are updated when you download the latest versions by selecting NAC 800 Home window>>System Configuration>>Test Updates>>Check for Test Updates.
Page 496: Browser Security Policy - Windows
Tests Help Browser Security Policy – Windows Browser Security Policy – Windows The Browser security policy tests verify that any endpoint attempting to connect to your system meets your specified security requirements. Browser vulnerabilities are related to cookies, caches, and scripts (JavaScript, Java, and Active scripting / ActiveX).
Page 497: Browser Version
Tests Help Browser Security Policy – Windows Item Description Active scripting / ActiveX Active scripting / ActiveX extends other programming languages (such as Java) by providing re-usable "controls" that enable developers to make Web pages "active". ActiveX is Microsoft's brand for active scripting. The following links provide more detailed information about ActiveX: http://www.active-x.com/articles/whatis.htm •...
Page 498: Internet Explorer (Ie) Internet Security Zone
Tests Help Browser Security Policy – Windows Internet Explorer (IE) Internet Security Zone Description: This test verifies that the endpoint attempting to connect to your system is configured according to your specified Internet security zone stan- dards. Test Properties: Select the Internet Explorer Internet security zone settings required on your network.
Page 499: Internet Explorer (Ie) Local Intranet Security Zone
Tests Help Browser Security Policy – Windows Internet Explorer (IE) Local Intranet Security Zone Description: This test verifies that the endpoint attempting to connect to your system is configured according to your specified local intranet security zone standards. Test Properties: Select the Internet Explorer local intranet security zone set- tings required on your network.
Page 500: Internet Explorer (Ie) Restricted Site Security Zone
Tests Help Browser Security Policy – Windows Internet Explorer (IE) Restricted Site Security Zone Description: This test verifies that the endpoint attempting to connect to your system is configured according to your specified restricted site security zone standards. Test Properties: Select the Internet Explorer restricted sites security zone set- tings required on your network.
Page 501: Internet Explorer (Ie) Trusted Sites Security Zone
Tests Help Browser Security Policy – Windows Enter a domain name or IP address in the Add this Web site to the zone text box. Click Add. Click OK. Internet Explorer (IE) Trusted Sites Security Zone Description: This test verifies that the endpoint attempting to connect to your system is configured according to your specified trusted sites security zone standards.
Page 502 Tests Help Browser Security Policy – Windows Select one of the following: -Default Level to return to the default settings. - Select Custom Level to specify High, Medium, Medium-low, or Low or to create custom settings. Select Sites. Enter a domain name or IP address in the Add this Web site to the zone text box.
Page 503: Operating System - Windows
Tests Help Operating System – Windows Operating System – Windows The Operating System (OS) tests verify that any endpoint attempting to connect to your system meets your specified OS requirements. Installing the most recent version of your OS helps protect your system against exploits targeting the latest vulnerabilities.
Page 504: Microsoft Office Hotfixes
Tests Help Operating System – Windows What Do I Need to Do? : Manually initiate an update check (http://v4.window- supdate.microsoft.com/en/default.asp) if automatic update is not enabled, or is not working. Microsoft Office Hotfixes Description: This test verifies that the endpoint attempting to connect to your system had the latest Microsoft Office hotfixes installed.
Page 505: Microsoft Servers Hotfixes
Tests Help Operating System – Windows Test Properties: Select the hotfixes required on your network. If needed select Deep Check to permit endpoint tests to run at the file level. Selecting the All critical updates option requires all the critical patches that have been released or will be released by Microsoft.
Page 506: Service Packs
Tests Help Operating System – Windows Test Properties: Select the hotfixes required on your network. If needed select Deep Check to permit endpoint tests to run at the file level. Selecting the All critical updates option requires all the critical patches that have been released or will be released by Microsoft.
Page 507: Windows 2003 Sp1 Hotfixes
Tests Help Operating System – Windows secure option is to select the All critical updates option, as this requires all the critical patches that have been released or that will be released by Microsoft. You don't have to keep checking by patch number. How Does this Affect Me?: Hotfixes are programs that update the software and may include performance enhancements, bug fixes, security enhancements, and so on.
Page 508: Windows Automatic Updates
Tests Help Operating System – Windows Test Properties: Select the hotfixes from the list presented that are required on your network. This list will occasionally change as tests are updated. If needed select Deep Check to permit endpoint tests to run at the file level. The most secure option is to select the All critical updates option, as this requires all the critical patches that have been released or that will be released by Microsoft.
Page 509: Windows Media Player Hotfixes
Tests Help Operating System – Windows What Do I Need to Do?: Enable automatic updates. See the following link for instructions: http://www.microsoft.com/protect/computer/updates/mu.mspx Enable automatic updates for Windows 2000: Select Start>>Settings>>Control Panel>>Automatic Updates Select Keep my computer up to date. Select Download the updates automatically and notify me when they are ready to be installed.
Page 510: Windows Xp Sp1 Hotfixes
Tests Help Operating System – Windows Vista Enterprise ■ Test Properties: Select the hotfixes from the list presented that are required on your network. This list will occasionally change as tests are updated. If needed select Deep Check to permit endpoint tests to run at the file level. The most secure option is to select the All critical updates option, as this requires all the critical patches that have been released or that will be released by Microsoft.
Page 511: Windows Xp Sp2 Hotfixes
Tests Help Operating System – Windows Windows XP SP2 Hotfixes Description: This test verifies that the endpoint attempting to connect to your system has the latest Windows XP SP2 hotfixes installed. Test Properties: Select the hotfixes from the list presented that are required on your network.
Page 512: Mac Airport Wep Enabled
Tests Help Security Settings – OS X Security Settings – OS X Mac AirPort WEP Enabled Description: This test verifies that WEP encryption is enabled for Airport. Test Properties: There are no properties to set for this test. How Does this Affect Me?: Wired Equivalent Privacy (WEP) is a wireless net- work security standard that provides the same level of security as the security in a wired network.
Page 513: Mac Airport User Prompt
Tests Help Security Settings – OS X Mac AirPort User Prompt Description: This test verifies that the user is prompted before joining an open network. Test Properties: There are no properties to set for this test. How Does this Affect Me?: If you move between different locations, this option prompts you before automatically joining any network.
Page 514: Mac Bluetooth
Tests Help Security Settings – OS X The following link provides more information on anti-virus software and protecting your computer: http://www.us-cert.gov/cas/tips/ST04-005.html Mac Bluetooth Description: This test verifies that Bluetooth is either completely disabled or if enabled is not discoverable. Test Properties: There are no properties to set for this test. How Does this Affect Me?: Bluetooth is a wireless technology that allows com- puters and other endpoints (such as mobile phones and personal digital assistants (PDAs)) to communicate.
Page 515: Mac Internet Sharing
Tests Help Security Settings – OS X Mac Internet Sharing Description: This test verifies that the internet sharing is disabled. Test Properties: There are no properties to set for this test. How Does this Affect Me?: Mac internet sharing allows one computer to share its internet connection with other computers.
Page 516: Mac Security Updates
Tests Help Security Settings – OS X Mac Security Updates Description: This test verifies that the security updates have been applied on this endpoint. Test Properties: .When an endpoint fails this test, it can be granted temporary access in the following ways: Select the Quarantine access check box and enter a temporary access ■...
Page 517: Security Settings - Windows
Tests Help Security Settings – Windows Security Settings – Windows The Security settings tests verify that any endpoint attempting to connect to your system meets your specified security settings requirements. Allowed Networks Description: Checks for the presence of an unauthorized connection on a endpoint.
Page 518: Microsoft Outlook Macros
Tests Help Security Settings – Windows Low. (not recommended). You are not protected from potentially ■ unsafe macros. Use this setting only if you have virus scanning software installed, or you have checked the safety of all documents you open. How Does this Affect Me?: Macros are simple programs that are used to repeat commands and keystrokes within another program.
Page 519: Microsoft Word Macros
Tests Help Security Settings – Windows How Does this Affect Me?: Macros are simple programs that are used to repeat commands and keystrokes within another program. A macro can be invoked (run) with a simple command that you assign, such as [ctrl]+[shift]+[r]. Some viruses are macro viruses and are hidden within a document.
Page 520: Services Not Allowed
Tests Help Security Settings – Windows other files (such as the Normal template) and can potentially infect all of your files. If a user on another computer opens the infected file, the virus can spread to their computer as well. What Do I Need to Do?: Set the Microsoft Word macro security level as follows: Open Word.
Page 521: Services Required
Tests Help Security Settings – Windows How to change the service startup type: Select Start>>Settings>>Control Panel>>Administrative Tools>>Services. Right-click on a service and select Properties. Select Manual or Disabled from the Startup type drop-down list. Click OK. Close the Services window. Close the Administrative Tools window.
Page 522: Windows Bridge Network Connection
Tests Help Security Settings – Windows Right-click on a service and select Properties. Select Automatic from the Startup type drop-down list. Click OK. Close the Services window. Close the Administrative Tools window. Windows Bridge Network Connection Description: This test verifies that the endpoint attempting to connect to the network does not have a bridged network connection present.
Page 523: Windows Security Policy
Tests Help Security Settings – Windows Test Properties: Enter a list of allowed Wireless SSIDs that are legitimate for your network. Enter the SSIDs as a comma-delimited list. For example, HomeNet, Work- Net. The following wireless adapters are supported: NetGear, LinkSYS, D-Link. How Does this Affect Me?: In order to use wireless networks, you must specify the network names to which the wireless endpoints connect.
Page 524: Windows Startup Registry Entries Allowed
Tests Help Security Settings – Windows Enable "Accounts: Limit local account use of blank passwords to console ■ logon only" http://www.microsoft.com/resources/documentation/IIS/6/all/proddocs/ en-us/Default.asp?url=/resources/documentation/IIS/6/all/proddocs/en-us/ 636.asp What Do I Need to Do?: To select the security policies: Select Start>>Settings>>Control Panel>>Administrative Tools. Double-click Local Security Policy. Double-click Local Policies.
Page 525: Wireless Network Connections
Tests Help Security Settings – Windows run and runOnce keys cause programs to run automatically. Many worms and viruses are started by a call from the Windows Registry. If you limit what can start up when you log in, you can reduce the potential for worms and viruses to run on your system. The following links provide a description of the Microsoft Windows Registry and the Run keys: ■...
Page 526 Tests Help Security Settings – Windows http://www.pcworld.com/article/id,112138/article.html B-34...
Page 527: Software - Windows
Tests Help Software – Windows Software – Windows The Software tests verify that any endpoint attempting to connect to your system meets your specified software requirements. Installing the most recent version of your software helps protect your system against exploits targeting the latest vulner- abilities.
Page 528: High-Risk Software
Tests Help Software – Windows How Does this Affect Me?: Anti-virus software scans your computer, email, and other files for known viruses, worms, and trojan horses. It searches for known files and automatically removes them. A virus is a program that infects other programs and files and can spread when a user opens a program or file containing the virus.
Page 529: P2P
Tests Help Software – Windows Test Properties: Select the check box for one or more Microsoft Office packages. Any software package selected that does not have the latest version installed fails the test. How Does this Affect Me?: Some companies may support only the software listed. Using the most recently updated version of software can help protect your system from known vulnerabilities.
Page 530: Software Not Allowed
Tests Help Software – Windows How Does this Affect Me?: A firewall is hardware or software that views information as it flows to and from your computer. You configure the firewall to allow or block data based on criteria such as port number, content, source IP address, and so on. The following links provide more detailed information about firewalls: ■...
Page 531: Worms, Viruses, And Trojans
Tests Help Software – Windows Test Properties: Enter a list of applications that are required on all connecting end- points, separated with a carriage return. The format for an application is vendor\soft- ware package[\version]. Using this format stores the value in the HKEY_LOCAL_MACHINE\Software key.
Page 532 (This page intentionally left blank.)
Page 533 Important Browser Settings Chapter Contents Pop-up Windows ..........C-2 Active Content .
Page 534: Pop-Up Windows
Important Browser Settings Pop-up Windows Pop-up Windows The NAC 800 reports capability uses a pop-up window. In order for you to run reports on NAC 800, you must allow pop-up windows from the NAC 800 server. To allow pop-up windows in IE 6.0 with SP2: IE browser>>Tools>>Pop-up blocker>>Pop-up blocker settings Enter the IP address or partial IP address of the NAC 800 MS.
Page 535 Important Browser Settings Pop-up Windows Clear the Block Popup Windows check box. Close the Content window.
Page 536: Active Content
Important Browser Settings Active Content Active Content The Windows® XP Service Pack 2 (SP2) installation changes some of the Internet Explorer (IE) browser’s security settings. This change in settings displays an active content message (figure C-1), at the top of the browser window when you access the NAC 800 help feature.
Page 537 Important Browser Settings Active Content IE browser>>Tools>>Internet Options>>Advanced tab Figure C-4. IE Internet Options, Advanced Tab In the Internet Options pop-up window, scroll down to the security section. Select the Allow active content to run in files on my computer check box. Click OK.
Page 538: Minimum Font Size
Important Browser Settings Minimum Font Size Minimum Font Size In order to properly display the NAC 800 user interface, do not specify the minimum font size. To clear the IE minimum font size: IE browser>>Tools>>Internet options>>General tab>>Accessibility button Make sure all of the check boxes are cleared on this window. Click OK.
Page 539 Important Browser Settings Minimum Font Size Select the Allow pages to choose their own fonts, instead of my selections above check box. Click OK. Close the Content window.
Page 540: Page Caching
Important Browser Settings Page Caching Page Caching To set the IE page caching options: Internet Explorer browser>>Tools>>Internet Options Select the General tab Click Settings. In the Check for new versions of stored pages area, select the Automatically radio button. Click OK. In the Internet Options dialog box, click the Advanced tab.
Page 541: Temporary Files
Important Browser Settings Temporary Files Temporary Files Periodically delete temporary files from your system to improve browser performance. To delete temporary files in IE: Internet Explorer>>Tools>>Internet Options>>General tab Click Delete Files. Select the Delete all offline content check box. Click OK. Click OK.
Page 542 Important Browser Settings Temporary Files Firefox menu>>Preferences>>Privacy In the Private Data area, click Settings. The Clear Private Data window appears. Select the Cache check box. Click OK. Click Clear Now. Close the Privacy window. C-10...
Page 543 Installation and Configuration Check List Chapter Contents Minimum System Requirements ........D-2 Installation Location .
Page 544: Minimum System Requirements
Installation and Configuration Check List Minimum System Requirements Minimum System Requirements Required fields are indicated by a red asterisk (*). Dedicated server with: Processor ( Pentium Intel Dual Core (Core 2 Duo/Xeon 5100 series) 4) *: Speed ( 1.2 GHz) *: ________________________________ 1.86 Memory (211 GB RAM) *: ____________________________ Disk space (8036 GBSATA disk drive...
Page 545: Installation Location
Installation and Configuration Check List Installation Location Installation Location My office(s) Server room(s)/Data center(s) Test lab(s) Production network(s) I have access to the installation site(s) I do not have access to the installation site(s)
Page 546: Ip Addresses, Hostname, Logins, And Passwords
Installation and Configuration Check List IP Addresses, Hostname, Logins, and Passwords IP Addresses, Hostname, Logins, and Passwords NOTE: This Installation and Configuration Checklist is a list of the items used in NAC 800 including passwords; however, ProCurve recommends as a security best practice that you never write down passwords.
Page 547: Management Server
Installation and Configuration Check List IP Addresses, Hostname, Logins, and Passwords The MS is installed on one physical server; each ES is installed on a unique physical server. Management Server Required fields are indicated by a red asterisk (*). Create at least one MS. MS IP address: ___________________________________________ MS Netmask IP address (Network mask):...
Page 548: Enforcement Server 2
Installation and Configuration Check List IP Addresses, Hostname, Logins, and Passwords Tertiary nameserver IP address (DNS server): _________________ ES hostname (FQDN): _____________________________________ TIP: Select simple names that are short, easy to remember, have no spaces or underscores, and the first and last character cannot be a dash (-). Time zone: _______________________________________________ ES server root password:...
Page 549: Proxy Server
Installation and Configuration Check List IP Addresses, Hostname, Logins, and Passwords Cluster name 3: ___________________________________________ ES IP address: ____________________________________________ ES Netmask IP address (Network mask): ____________________ Default gateway IP address: ________________________________ Primary nameserver IP address (DNS server): ________________ Secondary nameserver IP address (DNS server): _______________ Tertiary nameserver IP address (DNS server): _________________ ES hostname (FQDN): _____________________________________...
Page 550: Agentless Credentials
Installation and Configuration Check List Agentless Credentials Agentless Credentials Required fields are indicated by a red asterisk (*). The administrator credentials for endpoints on a domain. Set them globally for all clusters, or override them on a per-cluster basis. All clusters: Windows domain name: ____________________________ Administrator user ID: *______________________________...
Page 551: Quarantine
Installation and Configuration Check List Quarantine Quarantine Define quarantine methods and settings for all clusters, or on a per-cluster basis. 802.1X Required fields are indicated by a red asterisk (*). Quarantine subnets: ________________________________________ RADIUS server type (local or remote IAS): ____________________ Local RADIUS server type end-user authentication method: Manual: ____________________________________________ Windows domain:...
Page 552: Dhcp
Installation and Configuration Check List Quarantine 802.1X device 1 IP address: ________________________________________ Shared secret: ______________________________________ Device type: _______________________________________ 802.1X device 2 IP address: ________________________________________ Shared secret: ______________________________________ Device type: _______________________________________ 802.1X device 3 IP address: ________________________________________ Shared secret: ______________________________________ Device type: _______________________________________ 802.1X device 4 IP address:...
Page 553: Accessible Services
Installation and Configuration Check List Quarantine Quarantine area 1 DHCP IP range: ___________________ Quarantine area 1 quarantined area gateway: *__________ Quarantine area 1 domain suffix: *_____________________ Quarantine area 1 corresponding non-quarantined subnets: DHCP quarantine area 2: Quarantine area 2 quarantined subnet: _________________ Quarantine area 2 DHCP IP range: ___________________ Quarantine area 2 quarantined area gateway: ___________...
Page 554 Installation and Configuration Check List Quarantine Networks: __________________________________________ Windows domain controller: __________________________ Accessible services and endpoints for cluster 2: Web sites:___________________________________________ Hostnames: _________________________________________ IP addresses / ports: _________________________________ Networks: __________________________________________ Windows domain controller: __________________________ Accessible services and endpoints for cluster 3: Web sites:___________________________________________ Hostnames: _________________________________________ IP addresses / ports: _________________________________...
Page 555: Notifications
Installation and Configuration Check List Notifications Notifications Notifications are defined for all clusters or on a per-cluster basis. All clusters Send information to: _________________________________ SNMP server IP address: _____________________________ Email information sent from:__________________________ Cluster 1 Send information to: _________________________________ SNMP server IP address: _____________________________ Email information sent from:__________________________ Cluster 2 Send information to: _________________________________...
Page 556: Test Exceptions
Installation and Configuration Check List Test Exceptions Test Exceptions Exceptions are defined for all clusters or on a per-cluster basis. All cluster endpoint testing exceptions (endpoints that are whitelisted or blacklisted): MAC addresses: _____________________________________ IP addresses: ________________________________________ NetBIOS names: _____________________________________ Cluster 1 endpoint testing exceptions (endpoints that are whitelisted or blacklisted): MAC addresses: _____________________________________...
Page 557: E Ports Used In Nac
Ports used in NAC 800 The following table provides information about Ports used in NAC 800: Port Parties Description Comments Ports used for testing endpoints: 88 (TCP) Endpoint to ES When using agent-based testing, the Not configurable 89 (TCP) endpoint must point (using a browser window) to destination port 88 on the ES for testing, which is redirected to destination port 89 (end-user access...
Page 558 Ports used in NAC 800 Port Parties Description Comments Ports used by the admin user browser: 443 (TCP) Admin user The administration user interface (as Not configurable browser to MS opposed to the end user access screens) uses port 443 on the MS for communication.
Page 559 Ports used in NAC 800 Port Parties Description Comments 514 (TCP) Infoblox In environments with the Infoblox Configurable by making changes to connector to syslog connector, the Infoblox server both of the following: syslog service on sends DHCP information to NAC 800 •...
Page 560 Ports used in NAC 800 Port Parties Description Comments Ports used for re-authentication: test 22 (TCP) ES to switch Used when you select the Not configurable connection to device button, and 23 (TCP) when an endpoint is re-authenticated 161 (TCP) by the switch.
Page 561 Ports used in NAC 800 Port Parties Description Comments Ports used for accessible services and endpoints: Varies ES to endpoint In order to grant access for Configure in the NAC 800 user quarantined endpoints to needed interface: services, add entries to the Accessible Home window>>System services list.
Page 562 (This page intentionally left blank.)
Page 563: Installation Requirements
MS Disaster Recovery Chapter Contents Overview ............F-2 Installation Requirements .
Page 564: Overview
MS Disaster Recovery Overview Overview If the Primary Management Server (primary MS) goes down due to an unre- coverable hardware failure, management server duties can be migrated to an online Standby Management Server (standby MS) using a simple backup and restore process.
Page 565: Ongoing Maintenance
MS Disaster Recovery Overview NOTE: Only an administrative user needs to be created. Other UI users are migrated as part of the backup and restore process. Be sure to keep this UI login information safe, as it is Needed to transition MS services to the standby MS. Ongoing Maintenance Certain considerations must be noted regarding the ongoing maintenance of your system in the recovery process for an MS:...
Page 566 MS Disaster Recovery Overview Shutdown the primary MS server by entering the following from the command line: shutdown -hy 0 Locate the most recent backup of the primary MS. See “Restoring from Backup” on page 16. This will be the backup that you were instructed during initial installation to store in a safe place.
Page 567 Glossary The following terms and definitions are used in this book, and in other ProCurve Management Software documentation. 802.1X: A port-based authentication protocol that can dynamically vary encryption keys, and has three components: a supplicant, an authenticator, and an authentication server. ACL: Access control list –...
Page 568 Glossary API: Application Programming Interface – The interface to an application’s source code. Other computer programs can communicate with the application through this interface. APIC: Advanced Programmable Interrupt Controller – A device that provides support for multiple processors by allowing for mul- tiple programable interrupts.
Page 569 Glossary client: A computer that requests services from another (server). cluster: A logical grouping of ESs. compliance: Meets defined standards or conditions. CSR: Certificate Signing Request – A request sent by a system when applying for a public key certificate. CTA: Cisco Trust Agent DAC: Device Activity Capture –...
Page 570 Glossary EAP: Extensible Authentication Protocol – An authentication pro- tocol used with Point-to-Point Protocol (PPP) and wireless networks. (802.1X) EAPOL EAP over LANs EDAC: Embedded Device Activity Capture – See DAC endpoint: A computer requesting access to a network. enforcement: In NAC 800, the process of upholding the access rules set in the NAC policies.
Page 571 Glossary IDE: Integrated Drive Electronics – A standard storage connection interface known as Advanced Technology Attachment (ATA). IDS/IPS: Intrusion Detection System/Intrusion Prevention System – IDS and IPS systems detect and prevent attacks on your system. In NAC 800 you can configure these external systems so that they can request that NAC 800 quarantine an endpoint after it has been connected (post-connect) when unwanted behavior is detected.
Page 572 Glossary LDAP: Lightweight Directory Access Protocol (LDAP) – A protocol that is used to look up information from a database that usually contains information about authorized users and their privileges. load balancing: In NAC 800, Load balancing distributes the testing of end- points across all NAC 800 ESs in a cluster.
Page 573 Glossary NMS: Network Management System – A computer or computers and software used to manage a network. non-compliance: Does not meet defined standards or conditions. NTLM: Windows NT LAN Manager NTP: Network time protocol – A protocol that ensures local time- keeping.
Page 574 Glossary RADIUS: Remote Authentication Dial-In User Service RAM: Random access memory RAS: Remote access server RDAC: Remote Device Activity Capture RDBMS: Relational Database Management System (RDBMS) – Used to store information in related tables. RPC: Remote procedure call – a procedure where arguments or parameters are sent to a program on a remote system.
Page 575 Glossary SSL: Secure socket layer – A commonly-used protocol that man- ages the security of message transmissions over the Internet. STP: Spanning tree protocol subnet: A section of a network that shares part of the IP address of that network. supplicant: A component of 802.1X that is the client;...
Page 576 Glossary whitelist: A list of devices or endpoints that are allowed access to a system or are allowed privileges. In NAC 800, endpoints and domains that are always allowed access. Wi-Fi: Wireless Fidelity WU: Windows Update xml: eXtensible Markup Language G-10...
Page 577 Index 3-63 Numerics 3-68 Cisco CatOS device 1-15 3rd-party software, installing 3-66 Cisco IOS device 11-2, 11-4 802.1X Enforcement cluster 11-4 communication flow 3-12 Enforcement server 11-9 configuring the RADIUS server 3-71 Enterasys device 11-2 connections 3-75 Extreme XOS device 3-53, 11-39 enable 3-73...
Page 578 Index 11-4 quarantine an endpoint without testing communication flow, 802.1X always quarantine configuration 3-117 10-4 domains DHCP 3-117 1-16 endpoints timeout 11-2 5-23 Windows XP Professional firewall 6-14 assign endpoints and domains to a policy configure 12-20 authentication 3-125 11-36 information non-HP switches 11-2...
Page 579 Index 7-11 15-19 login end-user access screen 7-11 three minute Enforcement cluster 3-15 delete Enforcement server 3-11 cluster existing NAC policy 13-14 6-13 DHCP Server Plug-in Configuration NAC policy 3-21 3-97 quarantine area 6-14 15-19 NAC policy test results messages 3-37 NAC policy group user account...
Page 580 Index endpoints supported error screens 5-51 5-10, 5-11 file and print sharing per MS 12-3 firewall EXE file download to Windows 3-121 footer IE Internet security zone 3-121 introduction 5-30 Figure opening screen 11-6 5-22 802.1X Communications ports 11-3 5-25 802.1X Components required firewall settings 11-5...
Page 581 Index 5-40 4-14 Applications, Utilities Folder Failed Endpoint 3-108 4-14 Backup Successful Message Failed Endpoint Allow All Mode 3-36 Copy User Account Failed Endpoint Allow All Mode Mouse Over 3-27 Date & Time Default NAC Policy Highlighted Fields 8-4, 10-3 DHCP Installation Home Window 13-2...
Page 582 Index 6-21 3-118 NAC Policy Test Icons System Configuration, Notifications 11-9 3-58 Networking Services System Configuration, OpenLDAP 11-58 3-102 Nortel Exit Script System Configuration, Post-connect 11-58 3-52 Nortel Initialization Script System Configuration, Quarantining 11-58 Nortel Re-authentication Script System Configuration, Quarantining, DHCP 3-101 Post-connect Configuration Message 3-103...
Page 583 Index 4-19 Firefox, supported version grant access to an endpoint 4-20 firewall quarantine an endpoint 5-28 changing port import 5-22 11-25 letting RPC service through certificate 3-100 11-25 post-connect service the server’s certificate 6-16 settings inactive, set time 5-25 testing the end-user through index 1-23 testing through...
Page 584 Index post-connect NAC policies 15-3 log out window, view 15-3 login NAC Policy 3-122, 5-44 credentials change to not run Windows automatic update 7-11 delay 15-8 test 3-122 domain NAC policy 3-113 save add group 5-45 saving 6-14 assign domains to 6-16 timeout 6-14...
Page 585 Index 3-100 not tested firewall open 7-11 supported posture 3-112 11-27 ordering test methods Checkup 11-27 Healthy 11-28 Infected 11-28 Quarantined 11-28 page caching Unknown 15-18 pane PPTP 1-23 index print 1-22 password file 3-18 1-22 change ES topic 3-28 14-8 change MS root print a report...
Page 586 Index 11-9 15-22 configure ES password 11-7 15-22 server and SA plug-in MS password 11-33 15-23 use existing server password 11-7 15-10 using a proxy system 11-7 15-11 using built-in testdata 15-23 range user interface password entering ports restore 3-115 15-17 of IP addresses original database...
Page 587 Index 6-17 action to take DHCP 3-130 Agent read timeout period setting enforcement 3-92 3-127 15-18 ES logging levels VPNs 3-128 IDM logging levels switch 3-55 11-49 RADIUS authentication method Cisco 2950 6-15 11-36 retest time configure non-HP 3-131 11-50 RPC command timeout period Enterasys Matrix 1H582-25 6-16...
Page 588 Index 1-11 test method options 5-44 ActiveX error pros & cons 5-31 3-113 agent to display 5-31 agent-based testing 3-110 5-49 select cancel 3-112 5-49 select order failed screen test methods ports defined used 5-22 3-31 testing method 3-111 3-35 ActiveX copy 3-111...
Page 589 Index 5-29 end-user access Windows 2000 change NAC Policy to not run Windows automat- 15-8 ic update test 3-122 credentials 15-7 domain and end-user settings 3-55 domain settings, configure download and extract Zip file 12-3 download EXE file 5-22 Group policy 12-4 install 5-45...
Page 590 (This page intentionally left blank.)
Page 591 Technology for better business outcomes To learn more, visit www.hp.com/go/procurve/ © Copyright 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services.

HP ProCurve NAC 800 User Manual

1 Introduction

What You Need to Get Started

Additional Documentation

NAC 800 Home Window

System Monitor

Overview

Technical Support

Upgrading

Conventions Used in this Document

Copying Files

Users' Guide Online Help

2 Clusters and Servers

Overview

Installation Examples

3 System Configuration

Introduction

Enforcement Clusters and Servers

Enforcement Clusters

Enforcement Servers

Management Server

User Accounts

User Roles

License

Test Updates

Quarantining, General

Quarantining, 802.1X

Quarantining, DHCP

Quarantining, Inline

Post-Connect

Maintenance

Downloading Support Packages

Cluster Setting Defaults

Logging

Advanced Settings

4 Endpoint Activity

Overview

Filtering the Endpoint Activity Window

Access Control States

Endpoint Test Status

Enforcement Cluster Access Mode

Viewing Endpoint Access Status

Selecting Endpoints to Act on

Acting on Selected Endpoints

Viewing Endpoint Information

Troubleshooting Quarantined Endpoints

5 End-User Access

Overview

Test Methods Used

Endpoints Supported

Browser Version

Firewall Settings

Windows Endpoint Settings

Mac os X Endpoint Settings

End-User Access Windows

Customizing Error Messages

6 NAC Policies

Overview

Standard NAC Policies

NAC Policy Group Tasks

NAC Policy Tasks

About NAC 800 Tests

7 Quarantined Networks

Endpoint Quarantine Precedence

Using Ports in Accessible Services and Endpoints

Always Granting Access to an Endpoint

Always Quarantining an Endpoint

New Users

Shared Resources

Untestable Endpoints and DHCP Mode

Windows Domain Authentication and Quarantined Endpoints

8 High Availability and Load Balancing

High Availability

Load Balancing

9 Inline Quarantine Method

Inline

10 DHCP Quarantine Method

11 802.1X Quarantine Method

Quick Links

Related Manuals for HP ProCurve NAC 800