
Configuration Guide

ProCurve Network Access Controller 800

www.procurve.com

ProCurve Network Access Controller 800
Configuration Guide

August 2007
1.0.XX
© Copyright 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved.

This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard.

Publication Number
5991-8618
August 2007

Applicable Products
Network Access Controller 800 (J9065A)

Trademark Credits
Microsoft, Windows, Windows NT, and Windows XP are U.S. registered trademarks of Microsoft Corporation.

Disclaimer
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard.

Warranty
See the Customer Support/Warranty booklet included with the product.

A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer.

Open Source Software Acknowledgment Statement

This software incorporates open source components that are governed by the GNU General Public License (GPL), version 2. In accordance with this license, ProCurve Networking will make available a complete, machine-readable copy of the source code components covered by the GNU GPL upon receipt of a written request. Send a request to:

Hewlett-Packard Company, L.P.
Wireless Edge Services xl Module Program
GNU GPL Source Code
Attn: ProCurve Networking Support
MS: 5550
Roseville, CA 95747 USA

Hewlett-Packard Company
8000 Foothills Boulevard
Roseville, California 95747
http://www.procurve.com/
Contents

1 Overview of the ProCurve NAC 800


Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Hardware Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
Console Ethernet Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Panel LCD and Buttons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Serial Number and MAC Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Ethernet Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Port 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Port 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Server Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Choosing the Server Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Deployment of One MS and Multiple ESs . . . . . . . . . . . . . . . . . . . . 1-7
CS Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Management Server (MS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
Enforcement Server (ES) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Combination Server (CS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Changing the Server Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14
Enforcement Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15
Enforcement Clusters for an MS and ESs . . . . . . . . . . . . . . . . . . . . . . 1-15
Enforcement Clusters for a CS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15
Endpoint Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16
Endpoint Integrity Capabilities of the NAC 800 . . . . . . . . . . . . . . . . . 1-17
NAC Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17
NAC Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19
NAC Policy Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-22

i
Testing Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-22
NAC EI Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23
ActiveX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-25
Agentless . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26
Endpoint Integrity Posture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27
Accessible Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27
Performance Implications of Endpoint Integrity Checks . . . . . . . . . 1-28
RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-29
ProCurve NAC 800 RADIUS Capabilities . . . . . . . . . . . . . . . . . . . . . . . 1-30
RADIUS Capabilities of the NAC 800 Integrated with IDM . . . . . . . . 1-30
Deployment Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-32
802.1X Deployment Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-33
802.1X Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-33
Types of Access Control Provided by the NAC 800 . . . . . . . . . . . 1-34
802.1X Deployment Method—Endpoint Integrity With or Without RADIUS . . . . . . . . . . . . . . . . . 1-34
How the NAC 800 Quarantines Endpoints . . . . . . . . . . . . . . . . . . 1-35
How and Where to Deploy the NAC 800 . . . . . . . . . . . . . . . . . . . . 1-37
802.1X Deployment Method—RADIUS Server Only . . . . . . . . . . . . . . 1-42
How and Where to Deploy the NAC 800 . . . . . . . . . . . . . . . . . . . . 1-42
DHCP Deployment Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43
Types of Access Control Provided By the NAC 800 . . . . . . . . . . 1-43
How the NAC 800 Quarantines Endpoints . . . . . . . . . . . . . . . . . . 1-44
How and Where to Deploy the NAC 800 . . . . . . . . . . . . . . . . . . . . 1-46
Inline Deployment Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-51
Types of Access Control Provided by the NAC 800 . . . . . . . . . . . 1-52
How the NAC 800 Quarantines Endpoints . . . . . . . . . . . . . . . . . . 1-53
Configuring Accessible Services for Inline Method . . . . . . . . . . . 1-53
How and Where to Deploy the NAC 800 . . . . . . . . . . . . . . . . . . . . 1-53

2 Management Options for the ProCurve NAC 800
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Menu Interface and Panel LCD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Access the Menu Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Console Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
SSH Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Navigate the Menu Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
Configure Initial Settings with the Menu Interface . . . . . . . . . . . . . . . . 2-9
Set the Server Type with the Menu Interface . . . . . . . . . . . . . . . . 2-10
Set the IP Address with the Menu Interface . . . . . . . . . . . . . . . . . 2-12
Test IP Settings (Ping) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13
Change the Password to the Menu Interface . . . . . . . . . . . . . . . . . . . . 2-15
Complete Other Tasks in the Menu Interface . . . . . . . . . . . . . . . . . . . 2-17
Reboot the NAC 800 in the Menu Interface . . . . . . . . . . . . . . . . . 2-18
Shut Down the NAC 800 in the Menu Interface . . . . . . . . . . . . . . 2-19
Turn the Locator LED On and Off . . . . . . . . . . . . . . . . . . . . . . . . . 2-20
View System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21
Access the Panel LCD Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-22
Navigate the Panel LCD Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23
Configure Initial Settings with the Panel LCD Menu . . . . . . . . . . . . . 2-24
Set the Server Type with the Panel LCD Menu . . . . . . . . . . . . . . 2-24
Set the IP Address with the Panel LCD Menu . . . . . . . . . . . . . . . 2-26
Test IP Settings (Ping) with the Panel LCD Menu . . . . . . . . . . . . 2-28
Complete Other Tasks Using the Panel LCD Menu . . . . . . . . . . . . . . 2-29
Reboot the NAC 800 Using the Panel LCD Menu . . . . . . . . . . . . . 2-30
Shut Down the NAC 800 Using the Panel LCD . . . . . . . . . . . . . . . 2-31
Set the Ports Speed and Duplex Settings . . . . . . . . . . . . . . . . . . . 2-32
Root Access to the NAC 800 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-35
Web Browser Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
Access the Web Browser Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
Requirements on the NAC 800 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
Requirements on the Management Station . . . . . . . . . . . . . . . . . . 2-38
Steps for Accessing the Web Browser Interface . . . . . . . . . . . . . 2-39

Navigate the Web Browser Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 2-39
Home Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-39
Common Features in Web Browser Interface Screens . . . . . . . . 2-43
Following Instructions to Navigate the Web Browser Interface . . . . . . . . . . . . . . . . . . . . . . . 2-45
ProCurve Manager (PCM) Plus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-47
Enable PCM Plus to Detect the NAC 800 . . . . . . . . . . . . . . . . . . . . . . . 2-47
Capabilities of PCM Plus for Managing the NAC 800 . . . . . . . . . . . . . 2-48
IDM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-49
Enable IDM to Detect the NAC 800 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-49
Capabilities of IDM for Managing the NAC 800 . . . . . . . . . . . . . . . . . . 2-52

3 Initial Setup of the ProCurve NAC 800


Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
System Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
System Settings—Initial Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
Initial Configuration of CS or MS Settings . . . . . . . . . . . . . . . . . . . 3-4
Initial Configuration of ES Settings . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Edit System Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16
Edit System Settings on an MS or a CS . . . . . . . . . . . . . . . . . . . . . 3-16
Edit System Settings on an ES . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-30
Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-39
Management and Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-39
Upgrade the Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-39
Create Management Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-41
Create User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-42
Configure User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-45
Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-52
Install a CA-Signed Certificate for HTTPS . . . . . . . . . . . . . . . . . . . . . . 3-53
Generate a Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-54
Install the Root CA Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-55
Create a Certificate Request and Transfer It off the NAC 800 . . . . . . . . . . . . . . . . . . . . . . . . . 3-56
Download and Install the Signed Certificate . . . . . . . . . . . . . . . . 3-58
Restart the HTTPS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-59

Install a New Self-Signed Certificate for HTTPS . . . . . . . . . . . . . . . . . 3-59
Generate the Self-Certificate and Key . . . . . . . . . . . . . . . . . . . . . . 3-60
Export the Self-signed Certificate to a File . . . . . . . . . . . . . . . . . 3-61
Install the Self-signed Certificate as a Trusted Root Certificate . . . . . . . . . . . . . . . . . . . . . . . 3-61
Restart the HTTPS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-62
Install the Self-signed Certificate as a Trusted Root Certificate on Endpoints . . . . . . . . . . . . . 3-62

4 Configuring the RADIUS Server—Integrated with ProCurve Identity Driven Manager

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
RADIUS Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
Authentication Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4
Dynamic or User-Based Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4
IDM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
Data Store Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6
Local Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7
AD (Windows Domain) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7
LDAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
Proxy RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9
Configure the NAC 800 as a RADIUS Server . . . . . . . . . . . . . . . . . . . 4-11
Specify the Quarantine Method (802.1X) . . . . . . . . . . . . . . . . . . . . . . . 4-12
Configure Authentication Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14
Configure Authentication to the NAC 800’s Local Database . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14
Configure Authentication to a Windows Domain . . . . . . . . . . . . 4-16
Configure Authentication to an LDAP Server . . . . . . . . . . . . . . . 4-20
Configure Authentication to a Proxy RADIUS Server . . . . . . . . . 4-29
Test Authentication Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-34
Add NASs as 802.1X Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-39
Apply Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-43
Restart the RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-43

Manage Digital Certificates for RADIUS . . . . . . . . . . . . . . . . . . . . . . . 4-47
Install the CA Root Certificate on the NAC 800 . . . . . . . . . . . . . . . . . 4-48
Install a Server Certificate for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . 4-49
Create a Self-Signed Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-50
Install a CA-Signed Certificate Using a Request Generated on the NAC 800 . . . . . . . . . . . . . . . 4-52
Install a CA-Signed Certificate Using a Request Generated on Behalf of the NAC 800 . . . . . . . 4-57
Manage Certificates on Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-61
Disable Server Validation on Endpoints . . . . . . . . . . . . . . . . . . . . . . . . 4-61

5 Configuring the RADIUS Server—Without Identity Driven Manager

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
RADIUS Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
Authentication Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
Dynamic or User-Based Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
Data Store Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
AD (Windows Domain) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
LDAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6
Proxy RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6
Configure the NAC 800 as a RADIUS Server . . . . . . . . . . . . . . . . . . . . 5-8
Specify the Quarantine Method (802.1X) . . . . . . . . . . . . . . . . . . . . . . . . 5-8
Configure Authentication Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-10
Configure Authentication to a Windows Domain . . . . . . . . . . . . 5-10
Configure Authentication to an LDAP Server . . . . . . . . . . . . . . . 5-14
Configure Authentication to a Proxy RADIUS Server . . . . . . . . . 5-23
Test Authentication Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-28
Add NASs as 802.1X Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-34
Apply Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-38
Restart the RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-38
Manage Digital Certificates for RADIUS . . . . . . . . . . . . . . . . . . . . . . . 5-42
Install the CA Root Certificate on the NAC 800 . . . . . . . . . . . . . . . . . 5-43

Install a Server Certificate for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . 5-45
Create a Self-Signed Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-45
Install a CA-Signed Certificate Using a Request Generated on the NAC 800 . . . . . . . . . . . . . . . 5-47
Install a CA-Signed Certificate Using a Request Generated on Behalf of the NAC 800 . . . . . . . 5-52
Manage Certificates on Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-56
Disable Server Validation on Endpoints . . . . . . . . . . . . . . . . . . . . . . . . 5-56

6 Disabling Endpoint Integrity Testing


Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Configure Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Configure Exceptions for the Cluster Default Settings . . . . . . . . . 6-3
Configure Exceptions for a Particular Cluster . . . . . . . . . . . . . . . . 6-5

7 Redundancy and Backup for RADIUS Services


Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
Planning Redundancy for RADIUS-Only Deployments . . . . . . . . . . . . 7-2
Place the RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
Provide Duplicate Network Pathways . . . . . . . . . . . . . . . . . . . . . . 7-4
Configuring Network Devices for Redundant RADIUS Servers . . . . . 7-4
Configure the NASs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
Configure Multiple LDAP Servers on the NAC 800 . . . . . . . . . . . . 7-6
Use IDM to Configure the Usernames and Passwords . . . . . . . . 7-11
Test Your Redundant Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11
Back Up Your NAC 800 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 7-12
Configure the Web Browser So That It Allows You to Save Files . . . . . . . . . . . . . . . . . . . . . . . 7-14
Restore the System from the Backup File . . . . . . . . . . . . . . . . . . . . . . 7-15

A Appendix A: Glossary

B Appendix B: Linux Commands

Overview of the ProCurve NAC 800
Contents

Overview of the ProCurve NAC 800

Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Hardware Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
Console Ethernet Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Panel LCD and Buttons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Serial Number and MAC Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Ethernet Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Port 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Port 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Server Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Choosing the Server Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Deployment of One MS and Multiple ESs . . . . . . . . . . . . . . . . . . . . 1-7
CS Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Management Server (MS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
Enforcement Server (ES) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Combination Server (CS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Changing the Server Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14
Enforcement Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15
Enforcement Clusters for an MS and ESs . . . . . . . . . . . . . . . . . . . . . . 1-15
Enforcement Clusters for a CS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15


Endpoint Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16


Endpoint Integrity Capabilities of the NAC 800 . . . . . . . . . . . . . . . . . 1-17
NAC Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17
NAC Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19
NAC Policy Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-22
Testing Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-22
NAC EI Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23
ActiveX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-25
Agentless . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26
Endpoint Integrity Posture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27
Accessible Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27
Performance Implications of Endpoint Integrity Checks . . . . . . . . . 1-28
RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-29
ProCurve NAC 800 RADIUS Capabilities . . . . . . . . . . . . . . . . . . . . . . . 1-30
RADIUS Capabilities of the NAC 800 Integrated with IDM . . . . . . . . 1-30
Deployment Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-32
802.1X Deployment Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-33
802.1X Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-33
Types of Access Control Provided by the NAC 800 . . . . . . . . . . . 1-34
802.1X Deployment Method—Endpoint Integrity With or Without RADIUS . . . . . . . . . . . . . . . . . 1-34
How the NAC 800 Quarantines Endpoints . . . . . . . . . . . . . . . . . . 1-35
How and Where to Deploy the NAC 800 . . . . . . . . . . . . . . . . . . . . 1-37
802.1X Deployment Method—RADIUS Server Only . . . . . . . . . . . . . . 1-42
How and Where to Deploy the NAC 800 . . . . . . . . . . . . . . . . . . . . 1-42
DHCP Deployment Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43
Types of Access Control Provided By the NAC 800 . . . . . . . . . . 1-43
How the NAC 800 Quarantines Endpoints . . . . . . . . . . . . . . . . . . 1-44
How and Where to Deploy the NAC 800 . . . . . . . . . . . . . . . . . . . . 1-46
Inline Deployment Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-51
Types of Access Control Provided by the NAC 800 . . . . . . . . . . . 1-52
How the NAC 800 Quarantines Endpoints . . . . . . . . . . . . . . . . . . 1-53
Configuring Accessible Services for Inline Method . . . . . . . . . . . 1-53
How and Where to Deploy the NAC 800 . . . . . . . . . . . . . . . . . . . . 1-53


Introduction
The ProCurve Network Access Controller (NAC) 800 is a hardware appliance
that controls endpoints’ access to your network.

It provides these capabilities:


■ Endpoint integrity testing—tests endpoints for compliance with a
network’s security policies
■ Quarantining—isolates non-compliant endpoints, preventing them from
compromising the network
■ Remediation—allows quarantined endpoints access to services that help
them become compliant
■ Reporting—documents endpoints’ status and test results
■ Authentication—acts as a RADIUS server and checks users’ credentials

You will learn about all of these capabilities in this overview chapter.

The remainder of this management and configuration guide will focus on the
final capability: the NAC 800 as a RADIUS server, either integrated with
ProCurve Identity Driven Manager (IDM) or acting on its own.

To learn more about setting up other capabilities, see the ProCurve Network
Access Controller 800 Users’ Guide.


Hardware Overview
The ProCurve NAC 800 is a hardware appliance that comes in a single model
(J9065A). The device is 1U and mounts on a 19” rack.

You plug the power source into the back panel’s AC power connector.

See the ProCurve Network Access Controller 800 Hardware Installation
Guide for more information on mounting and powering the NAC 800.

All other ports, controls, and information displays are on the front panel for
easy access. These include:
■ LEDs
■ Console port
■ Panel LCD
■ Panel buttons
■ USB port, which will be supported in future software releases
■ Serial number and MAC address
■ Two Ethernet ports

Figure 1-1. NAC 800 Front Panel

LEDs
The NAC 800 has three LEDs on its left front panel:
■ Power LED—glows green when the device is powered on
■ Fault LED—blinks orange to indicate a problem with the device
■ Locator LED—glows blue when you turn the LED on through the menu
interface, identifying which device you are configuring
See “Turn the Locator LED On and Off” on page 2-20 of Chapter 2:
“Management Options for the ProCurve NAC 800.”
■ Ethernet Link and Mode LEDs—indicate an open connection, as well as
the connection speed


For more information on LEDs, see the ProCurve Network Access Controller
800 Hardware Installation Guide.

Console Ethernet Port


The console Ethernet port is located beneath the front panel LEDs and enables
out-of-band management. The port accepts an RJ45 connector; use the RJ45
Connector/Console Cable (5188-6699) that ships with your NAC 800. The other
end of this cable connects to a standard console port. Plug it in to your
workstation and open a console terminal session to access the NAC 800’s
menu interface.

Panel LCD and Buttons


The NAC 800’s front panel features an LCD, which initially displays this
information:
■ Server type (for example, Combination Server)
■ IP address

In addition, the panel has six buttons which you use to interact with the LCD:
■ Four arrow buttons (left, right, up, and down)
■ An accept button (a checkmark)
■ A cancel button (an X)

You can press the accept button to access the panel LCD menu interface and
complete tasks such as:
■ Set the server type
■ Configure IP settings
■ Reboot and shut down the device

For more information, see “Menu Interface and Panel LCD” on page 2-5 of
Chapter 2: “Management Options for the ProCurve NAC 800.”

Serial Number and MAC Address


The front panel of your NAC 800 displays the device’s serial number, necessary
for generating licenses, and its MAC address.


Ethernet Ports
The ProCurve NAC 800 contains two 10/100/1000 Base-T ports labelled:
• 1 (left port)
• 2 (right port)

Pay careful attention to which port you connect to a segment of the network:
the NAC 800 handles traffic differently depending on the port on which it
arrives.

To the right of the ports, the NAC 800’s panel features text reminding you of
the purpose of each port, which differs according to the device’s deployment
method. (See “Deployment Methods” on page 1-32.)

Port 1
Port 1 is the port with the NAC 800’s IP address; generally, this port connects
to the network to which the NAC 800 controls access.

The following communications are transmitted and received on port 1:


■ Management traffic:
• HTTPS traffic to the NAC 800’s Web browser interface
• SSH traffic
■ RADIUS authentication traffic
■ Endpoint integrity checking traffic

Port 2
Port 2’s function depends on the selected quarantine method. You will learn
more about the three methods in “Deployment Methods” on page 1-32.


Server Types
The ProCurve NAC 800 can function as one of three types of server:
■ Management server (MS)
■ Enforcement server (ES)
■ Combination server (CS)

Choosing the Server Type


A NAC 800 deployment can consist of either:
■ One MS and multiple ESs
■ One CS

Deployment of One MS and Multiple ESs


Set your NAC 800s to the MS and ES types when you require multiple NAC 800s
for your endpoint integrity solution.

To ensure adequate performance, ProCurve Networking recommends that a
single NAC 800 provide integrity testing for no more than 3000 endpoints. An
enforcement cluster of multiple NAC 800s answers the needs of a network
with more users. An enforcement cluster consists of a single MS and multiple
ESs (recommended, between two and five). (See “Enforcement Clusters” on
page 1-15 for a more precise definition of a cluster.)

Neither an MS nor an ES can function on its own. The MS co-ordinates settings
for all clusters in a system while the ESs test endpoint integrity, or authenticate
users, or both.

The ESs load balance endpoints among themselves; a cluster with five ESs
can provide timely testing for up to 15,000 endpoints (80 percent of the
endpoints in under 30 seconds). A cluster of ESs also provides high
availability; if one fails, the others continue providing services.

Figure 1-2 illustrates, at a high level, a deployment of multiple NAC 800s.


Figure 1-2. Deployment with Multiple NAC 800s

An MS can support multiple enforcement clusters, each of which implements
a different quarantine method. Quarantine methods determine how ESs
control non-compliant endpoints, as well as where ESs are deployed.
(“Deployment Methods” on page 1-32 discusses the quarantine methods in
more detail.) Your network might require multiple quarantine methods (and
so multiple clusters) because particular methods are better suited for
controlling particular types of access.

In all of its clusters together, the MS should support no more than 10 ESs.

Figure 1-3 illustrates, at a high level, a network with multiple clusters.


Figure 1-3. Deployment with Multiple Clusters

Note that it is best practice to use an MS and clusters of ESs even when the
individual clusters may require only one ES. For example, a network might
require one NAC 800 to enforce endpoint integrity on 2000 Ethernet endpoints
and one NAC 800 to enforce endpoint integrity on 700 remote endpoints. It is
recommended that you use one MS and two ESs for such an environment,
rather than two CSs, for two reasons:
■ The MS helps you to co-ordinate NAC policies and other settings.
■ The cluster deployment allows your NAC 800s to share licenses.


For more information about roles performed by MSs and ESs, see
“Management Server (MS)” on page 1-11 and “Enforcement Server (ES)” on
page 1-13. You should also read more about enforcement clusters in
“Enforcement Clusters” on page 1-15.

CS Deployment
A CS both controls and enforces settings; it functions on its own. You should
set your NAC 800 to the CS type in either of these circumstances:
■ Your network requires integrity testing for under 3000 endpoints.
■ Your NAC 800 functions as a RADIUS server only and does not test
endpoint integrity.

A RADIUS-only NAC 800 can support more than 3000 endpoints. The precise
number varies, of course, depending on your environment. For example, do
all users log in at roughly the same time or do they log in at various times
throughout the day? How often do network infrastructure devices force users
to re-authenticate? As the answers to these questions vary, so varies the
burden placed on the NAC 800. Under typical usage, a single NAC 800 can
support authentication for 10,000 ports.

Figure 1-4. CS Deployment


Note Your network might require multiple NAC 800s that function as RADIUS
servers—to provide more timely service and redundancy. (See Chapter 7:
“Redundancy and Backup for RADIUS Services.”)

However, you do not need to place the NAC 800s in a cluster; both should still
be CSs.

Figure 1-5. Two NAC 800s Acting as RADIUS Servers

For more information about roles performed by a CS, see “Combination Server
(CS)” on page 1-13. You should also read more about enforcement clusters in
“Enforcement Clusters” on page 1-15.

Management Server (MS)


The MS manages settings for your NAC 800s on a system-wide level. You
choose one NAC 800 to act as the MS, set all other NAC 800s to be ES, and add
the ESs to the MS’s configuration.

For the best performance an MS should support no more than 10 ESs and no
more than 5 ESs in a single cluster.

The MS runs the Web browser interface, which you access to manage and
configure your NAC 800s. (This management and configuration guide focuses
on completing tasks using this interface.) When you configure a setting on the
MS, the MS transmits it to its ESs, as appropriate.


The MS handles these system-wide settings:


■ Endpoint integrity licenses
■ Connection to the Internet
■ Clock—The MS can use its internal clock or act as a Network Time
Protocol (NTP) client and receive its clock from an NTP server. The MS
is the NTP server for all of its ESs.
■ Software upgrades—The MS downloads new software; it upgrades first
itself and then all ESs.
■ Test updates—The MS (if properly licensed) automatically checks for
and downloads test updates at the frequency you specify.
■ NAC policies—The MS stores the list of tests that the ESs run on
endpoints, as well as other properties related to those tests.

The MS stores these settings and configures them on its ESs:


■ Individual ES settings:
• IP address
• Hostname
• Root password (allows access to the ES’s OS)
• Time zone
■ Quarantining settings

The MS also serves as the repository for information collected about
endpoints throughout the network. In the MS Web browser interface, you can:
■ Track:
• Detected endpoints
• Endpoint activity:
– Endpoints’ access control status
– Endpoints’ test status
■ Change endpoints’ access control status
■ Generate reports


Enforcement Server (ES)


While you configure access control settings on the MS, the ESs take
responsibility for enforcing those controls.

An ES:
■ Authenticates endpoints, if operating as a RADIUS server
■ Tests endpoints for integrity
■ Controls endpoints’ access control status based on test (and, possibly,
authentication) results

Combination Server (CS)


A CS has all the capabilities of an MS and an ES.

Note A CS, of course, does not have the processing power or high availability of a
system of multiple ESs and an MS.

The CS supports these features and settings:


■ Endpoint integrity licenses
■ Connection to the Internet
■ Clock—The CS can use its internal clock or act as a Network Time
Protocol (NTP) client and receive its clock from an NTP server.
■ Software upgrades—The CS downloads new software and upgrades
itself.
■ Test updates—The CS (if properly licensed) automatically checks for
and downloads test updates at the frequency you specify.
■ NAC policies—The CS stores a list of tests to run on endpoints, as well
as other properties related to those tests.
■ Individual settings, including:
• IP address
• hostname
• root password (allows access to its OS)
• time zone
■ Quarantining settings


The CS also enforces access control settings:


■ Authenticates endpoints, if operating as a RADIUS server
■ Tests endpoints for integrity
■ Controls endpoints’ access control status based on test (and, sometimes,
authentication) results

Finally, the CS serves as the repository for information collected about
endpoints throughout the network. In the Web browser interface, you can:
■ Track:
• Detected endpoints
• Endpoint activity:
– Endpoints’ access control status
– Endpoints’ test status
■ Change endpoints’ access control status.
■ Generate reports.

Changing the Server Type


You can change your device’s server type at any time. However, changing the
type causes the NAC 800 to reset to its factory default settings, keeping only its:
■ IP address
■ Hostname
■ Default gateway
■ DNS server
■ NTP server
■ Time zone

Note Setting the server type always resets the NAC 800 to factory defaults even if
you set the device to its current type. In fact, setting the server type is a quick
way to reset the NAC 800 to factory defaults.


Enforcement Clusters
An enforcement cluster is a group of ESs (or a single CS) that tests,
quarantines, and otherwise controls the same group of endpoints.

Enforcement Clusters for an MS and ESs


An MS groups ESs into enforcement clusters. Each cluster enforces the same
access control settings using the same quarantine method. (See “Deployment
Methods” on page 1-32 for more information about quarantine methods.)

A cluster that consists of a group of ESs has these advantages over a single CS:
■ It can test more endpoints—3000 per ES (up to 15,000 total) as opposed
to 3000 total—load balancing the endpoints among themselves.
■ It provides redundancy, each ES testing up to 5000 endpoints should one
of its fellow ESs fail.

The following settings are configured per cluster:


■ Quarantine method
■ Testing methods
■ Accessible services for quarantined endpoints
■ Exceptions (domains and endpoints that are not tested)
■ Notifications (the email address of the administrator informed when
endpoints fail tests)
■ End-user screens, which users see as they are tested
■ Agentless credentials (administrator username and password for
endpoints in a domain)
■ NAC policy group (the set of policies and tests applied to users)

Enforcement Clusters for a CS


A CS has a single enforcement cluster and is itself the single ES within that
cluster. The cluster is automatically configured at factory default settings; you
cannot delete the cluster or create additional clusters.

The same settings that, on an MS, are configurable per-cluster are also config-
ured on the CS’s single cluster. However, this cluster is always selected, so you
can ignore this fact.


Endpoint Integrity
Viruses and other malware continue to become ever more pervasive—
temporarily bringing down networks, interfering with productivity, and
exposing potentially sensitive information to hackers. A traditional network
acknowledges one primary entrance for these threats—the Internet—and
guards against them with a firewall between the WAN router and the private
network.

But viruses and malware infiltrate networks from many sources. For
example:
■ An increasingly mobile workforce carries laptops in and out of your
company’s private network. A virus picked up over a home Internet
connection can infiltrate your private network when an employee returns
the infected laptop to work.
■ Users—intentionally or unintentionally—accept unsafe traffic over the
Internet. For example, a user might choose to download a trojan, which
is a seemingly innocent application actually intended to cause harm.
■ Users fail to keep their stations updated with patches, leaving them
exposed to malware.
■ Users lower their browser’s security settings so that they can visit unsafe
sites and use unsafe applications.

As you can see, end-users and endpoints play an important role in protecting
your network on all fronts. A network is only as secure as its endpoints; an
endpoint exhibits integrity when it meets criteria such as:
■ Having a firewall and other anti-virus software
■ Downloading and installing current patches
■ Enforcing proper browser security settings
■ Being clear of viruses and other malware

But endpoint integrity is a piece of the security puzzle that is particularly hard
to manage. Even if network administrators could ensure that every endpoint
had necessary security settings and solutions, they would find it hard to
prevent users from tampering with those settings.

An endpoint integrity solution automates the process of checking whether an
endpoint meets security standards, and it enforces the standards—imposing
penalties if an endpoint fails the integrity check. The ProCurve NAC 800
provides such a solution.


Endpoint Integrity Capabilities of the NAC 800


The NAC 800 supports endpoint integrity as follows:
■ When it detects a new endpoint, it subjects it to a series of tests to ensure
that the endpoint meets your organization’s security policies.
■ It handles endpoints according to the results of these tests:
• It allows “healthy” endpoints (those that pass all tests) full access.
• It takes action against endpoints that fail tests, quarantining them
immediately or granting them temporary access, as you choose.
• It allows quarantined endpoints to reach “accessible services,” which
help in remediation.

The following sections describe the components of the endpoint integrity
solution in more detail.

NAC Tests
The NAC 800 supports many different tests; each test checks for a particular
setting or component on an endpoint. For example, the Windows XP hotfixes
test checks the patches and updates installed on a Windows XP station. And
the IE Internet Security Zone test checks the security level that the endpoint’s
IE browser enforces for Internet Web sites.

Tests are organized into the following categories:


■ Security Settings—Windows
These tests examine an endpoint’s security settings, checking, among
other settings:
• Enabled services
• Networks to which the endpoint connects
• Security settings for macros
• Local security settings, which determine how users are allowed to
access the endpoint
■ Security Settings—Other OSs
These tests examine security settings for a Mac endpoint, including:
• Wireless client settings
• Enabled services
• Firewall enabled and Internet sharing disabled


■ Software—Windows
These tests check software installed on an endpoint. Some tests look for
required software, such as personal firewalls and anti-virus software.
Other tests look for prohibited software, such as file sharing software.
Another test scans for viruses and other malware.
■ Operating System—Windows
These tests examine a Windows endpoint’s OS, verifying that all required
hotfixes and patches are installed.
■ Browser Security Policy—Windows
These tests verify that an endpoint’s Web browser enforces the proper
level of security for various zones (Internet sites, local sites, trusted sites,
and untrusted sites). The NAC 800 scans Internet Explorer (IE) settings
only.

NAC Test Properties. All NAC tests have properties, which are the criteria
that an endpoint must meet to pass the test. For example, the required
software test checks the software installed on the endpoint. The required
software test properties consist of a list of software. If the endpoint does not
have this software, it fails the test.

Properties can be configurable or unconfigurable. For example, the required
software test properties are configurable: you choose which software is
required in your network. On the other hand, the Mac airport WEP enabled
test has unconfigurable properties. If an endpoint has WEP enabled, it always
passes; if WEP is disabled, the endpoint always fails.

For more information about configuring test properties, see “Appendix: Tests
Help” in the ProCurve Network Access Controller 800 Users’ Guide.

NAC Test Updates. As new threats emerge, ProCurve Networking updates
the NAC 800’s tests. It might add an entirely new test. Or it might add a property
to an existing test—for example, a new hotfix to the list of Windows XP
hotfixes. The NAC 800 automatically checks for and installs the new tests and
properties as long as it has:
■ A valid endpoint integrity license
■ A working connection to the Internet

For information about scheduling test updates, see “Chapter 3: System
Configuration” in the ProCurve Network Access Controller 800 Users’ Guide.


NAC Test Actions. When an endpoint fails a test, the NAC 800 takes one or
both of these actions:
■ Sends a notification email
■ Quarantines the endpoint, either:
• Immediately
• After a temporary access period (configurable in length)

You choose the actions for each test. For example, the NAC 800 might
immediately quarantine an endpoint with a virus, but grant temporary access
to an endpoint that needs updated patches. And it might only send a
notification email if the endpoint has prohibited software.

NAC Policies
On the ProCurve NAC 800, NAC tests are organized into NAC policies. A NAC
policy dictates how the NAC 800 checks endpoint integrity for particular
endpoints. The policy includes these settings:
■ Name and description
■ Policy for handling endpoints with OSs that the NAC 800 cannot test
■ Retest frequency
■ Policy for handling inactive endpoints
■ List of endpoints to which the policy applies
■ List of activated tests, including the properties and actions particular to
each test

Finally, a NAC policy is defined by its group. See “NAC Policy Groups” on
page 1-22.

The sections below provide more information about each of these settings.
For instructions on configuring them in the Web browser interface of an
MS or CS, see Chapter 6: NAC Policies in the ProCurve Network Access
Controller 800 Users’ Guide.

Name and Description. These settings identify the policy and are entirely
configurable.


Policy for Endpoints with Untestable OSs. The NAC 800 can test
endpoints with these OSs:
■ Windows 98
■ Windows 2000
■ Windows XP Professional
■ Windows XP Home
■ Windows NT
■ Windows Server 2000 or 2003

By default, endpoints that cannot be tested are quarantined. However, you can
choose to grant access to the untestable endpoints. Untestable endpoints fall
into these categories, and you set the policy for handling the endpoints per
category:
■ Windows 95 or ME
■ Unix
■ Any other OS (including Linux and Windows Vista)

Note Consider the security implications of granting an endpoint access without
checking its integrity—particularly older endpoints, which often have limited
security capabilities.

The access granted to untestable endpoints is permanent. Even if you later
change the policy, an already-connected endpoint will not be affected until:
■ The endpoint renews its IP address (DHCP quarantine method).
How often this occurs depends on the lease time for the endpoint’s DHCP
address, which is set on the DHCP server.
■ The endpoint is re-authenticated (802.1X quarantine method).
How often this occurs depends on the re-authentication period, typically
set on the 802.1X authenticator (an access point, such as a switch or
wireless AP).
■ The endpoint disconnects and reconnects.

Retest Frequency. The NAC 800 supports both pre-connect and
post-connect integrity checks. In other words, to connect to your network, an
endpoint must meet certain criteria, and to stay connected, it must continue
to meet the criteria.


Post-connect checking is a key component of a true endpoint integrity
solution. Without it, end-users quickly learn that they can—for example—
raise their browser security settings, connect to the network, and immediately
lower the settings again.

The retest frequency determines how often the NAC 800 implements post-
connect integrity checks. The higher the frequency, the greater the security—
although, of course, integrity checks add some overhead to network traffic.

The quarantining method (about which you will learn more later) affects post-
connect testing. For DHCP quarantining, a changed status does not take effect
until the endpoint sends a new DHCP request. So you should set the lease time
for scopes on your DHCP server quite low—hours rather than days.

For inline or 802.1X quarantining, the changed status takes immediate effect.
For example, with 802.1X quarantining, the NAC 800 commands the device to
which the endpoint connects to re-authenticate the endpoint, which then
receives the new VLAN assignment.

Policy for Inactive Endpoints. This setting applies only when you have
granted access to endpoints with unsupported OSs.

After the NAC 800 grants an unsupported endpoint network access, it cannot
track it in the same way that it does testable endpoints. Instead it listens for
traffic from the unsupported endpoint. As long as the endpoint continues to
generate traffic, the NAC 800 assumes that it is connected and keeps the
firewall rule that granted the endpoint access. If the NAC 800 does not detect
traffic from the endpoint for a certain configurable period, it clears out
the rule, denying access.

List of Endpoints to Which the Policy Applies. Because you can create
multiple NAC policies on your NAC 800s, you should specify to which
endpoints a particular policy applies.

You can apply the policy to:


■ An entire domain or domains (including every endpoint within the
domains)
■ Individual endpoints, identified by:
• IP address
• MAC address
• NetBIOS name
• Hostname


Note A policy does not affect specified endpoints until its group is assigned to a
cluster. See “NAC Policy Groups” on page 1-22.

List of Tests. In each NAC policy, you choose which tests are enforced.

Test properties and actions are configurable per policy. That is, you can create
one list of required software in NAC policy A, but a different list in policy B.
And you could de-activate the required software test entirely in policy C. In
addition, the penalty for failing the test could be immediate quarantining in
policy A, but temporary access in policy B.

NAC Policy Groups


NAC 800s organize NAC policies in NAC policy groups. Each CS or cluster of
ESs is assigned a single policy group and enforces the policies in that group.

A NAC policy group includes these settings:


■ Name
■ List of clusters
Multiple clusters can use the same NAC policy group. (A CS, of course,
has a single cluster). On the other hand, each CS cluster or cluster of ESs
is assigned a single NAC policy group. If you add a cluster to one policy
group, the cluster is removed from a previous policy group.
■ List of policies
The NAC policy group can include any number of policies. Clusters
assigned to this group determine which policy to apply to a particular
endpoint based on:
• Lists of domains and endpoints specified in the policies—The
NAC 800 matches the endpoint’s domain name, IP or MAC address,
NetBIOS name, or hostname to a policy.
• Policy priority—If the endpoint doesn’t match a policy, or matches
multiple policies, the NAC 800 enforces the policy with highest
priority.
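The matching and priority fall-back just described, as an added Python example (not code from the NAC 800 itself); the policy names, endpoint identifiers, and the convention that a lower priority number wins are constructed assumptions:

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Endpoint:
    """Identifiers the NAC 800 can match against a policy (see the list above)."""
    ip: str
    mac: str
    netbios: str = ""
    hostname: str = ""
    domain: str = ""


@dataclass
class NacPolicy:
    name: str
    priority: int                       # assumption: 1 is the highest priority
    domains: set[str] = field(default_factory=set)
    ips: set[str] = field(default_factory=set)
    macs: set[str] = field(default_factory=set)
    netbios_names: set[str] = field(default_factory=set)
    hostnames: set[str] = field(default_factory=set)

    def matches(self, ep: Endpoint) -> bool:
        """True if the endpoint's domain is listed or the endpoint is listed individually."""
        return (
            ep.domain.lower() in {d.lower() for d in self.domains}
            or ep.ip in self.ips
            or ep.mac.lower() in {m.lower() for m in self.macs}
            or ep.netbios.upper() in {n.upper() for n in self.netbios_names}
            or ep.hostname.lower() in {h.lower() for h in self.hostnames}
        )


def select_policy(group: list[NacPolicy], ep: Endpoint) -> NacPolicy:
    """Policy a cluster assigned to this group enforces for the endpoint.

    Exactly one match: that policy. No match, or several matches: the
    highest-priority policy among the candidates, as the text states.
    """
    if not group:
        raise ValueError("a NAC policy group must contain at least one policy")
    matched = [p for p in group if p.matches(ep)]
    if len(matched) == 1:
        return matched[0]
    candidates = matched or group
    return min(candidates, key=lambda p: p.priority)


# Constructed sample policy group for this example.
SAMPLE_GROUP = [
    NacPolicy("High Security", priority=1, domains={"corp.example"}),
    NacPolicy("Contractor", priority=2, macs={"00:11:22:33:44:55"}),
    NacPolicy("Kiosk", priority=3, hostnames={"kiosk-01"}),
]

if __name__ == "__main__":
    for ep in (
        Endpoint("10.0.0.5", "00:11:22:33:44:55", domain="corp.example"),  # two matches
        Endpoint("10.0.0.6", "aa:bb:cc:dd:ee:ff", hostname="KIOSK-01"),    # one match
        Endpoint("10.0.0.7", "aa:bb:cc:dd:ee:01"),                         # no match
    ):
        print(ep.ip, "->", select_policy(SAMPLE_GROUP, ep).name)
```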

Testing Methods
The discussion of endpoint integrity tests has not yet addressed a crucial
question: how does the NAC 800 actually run the test? For example, how does
the NAC 800 determine whether the endpoint has a firewall? How does it know
which software the endpoint has installed?


The NAC 800 must ask the endpoint to report information about itself, and the
endpoint must respond. To converse in this way, both the NAC 800 and the
endpoint need compatible mechanisms in place.

One mechanism that allows an endpoint to respond to the NAC 800’s tests is
called an agent; the agent must be installed on the endpoint prior to the test.
Agents fall into two general categories:
■ Permanent agents—once installed remain on the endpoint permanently
■ Transient agents—install on the endpoint temporarily each time the
endpoint is tested

As an alternative to a specific agent designed for endpoint integrity checking,
a NAC can leverage an application that already exists on endpoints.

The NAC 800 offers flexible support for endpoint integrity in a variety of
environments because it supports all three common testing methods:
■ NAC Endpoint Integrity (EI) agent (permanent agent)
■ ActiveX (transient agent)
■ Agentless (with Microsoft’s Remote Procedure Call [RPC] protocol)

While each method may require some initial setup on the endpoint
(depending on your environment), once set in place, testing can proceed
smoothly and—as long as the endpoint passes all tests—even without the
end-user’s knowledge.

NAC EI Agent
The NAC 800 stores the ProCurve NAC EI agent application. An end-user can
download and install this agent to his or her endpoint in these ways:
■ Automatically before testing—For example, you can use network
management tools to deploy the agent to many endpoints.
■ Automatically at initial testing—When a NAC 800 that uses the NAC
agent testing method detects an endpoint that does not have the agent, it
installs the agent to the endpoint automatically. The user sees the screen
in Figure 1-6 and, unless he or she cancels the installation, the agent is
installed permanently.
The automatic installation uses ActiveX.


Figure 1-6. InstallShield Wizard for the NAC EI Agent

■ Manually—You can instruct users to access the NAC 800 and download
the NAC EI agent manually. The NAC 800 makes the agent available at
this URL:
https://<CS or ES IP address>:89/setup.exe
A user might choose this option because he or she does not want to enable
ActiveX (required for automatic installation).

After the agent is installed, the NAC 800 can test the endpoint as often as
necessary without further end-user interaction.

Requirements for NAC Agent Testing. The agent must be installed on the
endpoint. For the NAC 800 to download the agent to endpoints automatically,
the endpoints must allow ActiveX content from the NAC 800.

Otherwise, either the IT staff or the user must install the NAC agent on the
endpoint before the user attempts to connect to the network.

If a router lies between the NAC 800 and the endpoints, the router must keep
port 1500 open. In most cases, the NAC 800 can automatically open the correct
ports through the endpoints’ firewall.


Note This rule has one exception. You must open port 1500 on an endpoint that
meets these three conditions:
■ Is unmanaged
■ Runs Windows XP
■ Uses a non-SP2 firewall such as Norton

Advantages and Disadvantages of NAC Agent Testing. The NAC agent
can be installed on any Windows station capable of being tested (OS version 98
or higher). Once installed, the NAC agent allows the NAC 800 to test the
endpoint in the background at any time. In addition, the NAC agent
automatically receives updates from the NAC 800. Finally, the NAC 800 can
test an endpoint through its firewall, generally opening the necessary ports
automatically.

However, the NAC agent does require the initial setup and user interaction
described above.

ActiveX
When using the ActiveX method, the NAC 800 automatically downloads and
installs the ActiveX agent on the endpoint to be tested. Unlike the NAC agent,
after the check is complete, the ActiveX agent is removed from the endpoint.

Requirements for ActiveX Testing. The ActiveX agent uses ActiveX
content and JavaScript. The endpoint’s browser security settings must allow
such content from the NAC 800.

ActiveX testing requires the endpoint’s Web browser to be open for every test.
The Web browser must be IE version 5.0 or 6.0.

If a router lies between the NAC 800 and the endpoints, it must keep port 1500
open. In most cases, the NAC 800 can automatically open the correct ports
through the endpoints’ firewall.

Note This rule has one exception. You must open port 1500 on an endpoint that
meets these three conditions:
■ Is unmanaged
■ Runs Windows XP
■ Uses a non-SP2 firewall such as Norton


Advantages and Disadvantages of ActiveX Testing. The ActiveX agent
does not remain on the endpoint and does not require maintenance or
upgrades—saving overhead. Generally, the NAC 800 can test an endpoint
through its firewall, automatically opening the necessary ports.

However, while the NAC agent requires a one-time installation and user
interaction, the ActiveX agent requires that interaction every time an endpoint
connects. Although the user may not notice the installation if the endpoint
allows ActiveX content without prompting, the installation does add overhead
to network traffic.

IE must be open for the NAC 800 to test the endpoint. If a user closes IE after
his or her endpoint has gained access, the NAC 800 cannot retest the endpoint.
The user can continue to connect to the network—even if the endpoint
becomes non-compliant—for as long as IE is closed.

Agentless
RPC was designed to provide a flexible framework for a variety of
communications between remote devices. The NAC 800 uses RPC to run
endpoint integrity checks on endpoints, which must also support RPC.

In order for an endpoint to accept the RPC messages, the NAC 800 must submit
credentials for an administrator of that endpoint. On the NAC 800, these
credentials are called agentless credentials and can be:
■ Configured in cluster settings—Enter the credentials of an adminis-
trator in the endpoint’s domain.
■ Submitted by the end-user—This option allows agentless testing of a
user who is not a member of your domain. However, because users often
do not know, or are reluctant to share, the proper credentials, this option
is not generally recommended.

Caution Never make agentless testing the only method available to test non-domain
members.

Requirements for Agentless Testing. To undergo agentless testing, the
endpoint must make its RPC service available to the NAC 800. The endpoint
must meet these requirements:
■ RPC service supported (native on all testable Windows OSs) and activated
■ File and print sharing enabled—On the firewall, ports 137, 138, 139, and
445 are open to the NAC 800


For the user to view all end-user screens, the endpoint’s browser security
settings must allow JavaScript from the NAC 800.

In addition, as discussed above, the NAC 800 requires administrator
credentials for the endpoint (typically, those of a domain administrator).

Advantages and Disadvantages of Agentless Testing. Agentless testing
does not require any installation on the endpoint, so it is easy to deploy and
maintain and involves little administrative overhead. In addition, the testing
can occur—from beginning to end—without user interaction.

However, you must ensure that the endpoints meet the requirements listed
above, and you must know the correct agentless credentials. For these
reasons, agentless testing works best on managed endpoints that are members
of your domain.

Endpoint Integrity Posture


As the NAC 800 tests an endpoint, it assigns it an endpoint integrity posture
based on the results of tests:
■ Unknown—not yet tested
■ Healthy—passed all tests
■ Check-up—failed at least one test but allowed temporary access
■ Quarantine—failed at least one test for which the penalty is quarantining
(and a temporary access period, if allowed, has expired); or was incapable
of being tested (and your network quarantines untestable endpoints)
■ Infected—infected with malware (failed the Worms, Viruses, and Trojans
test)
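The following is an added example, not code from the NAC 800: it models how the five postures listed above can be derived from one testing session. The per-test fields (quarantine_on_fail, temporary_access, first_failed), the rule that an untestable endpoint stays Unknown when the network does not quarantine untestable endpoints, and the rule that Infected outranks Quarantine are assumptions; the guide names the postures but not the internal test schema.

```python
# Added example (not the NAC 800's own code): posture assignment modelled
# on the five postures the guide lists.  The test schema below is assumed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Iterable, Optional


class Posture(Enum):
    UNKNOWN = "Unknown"        # not yet tested
    HEALTHY = "Healthy"        # passed all tests
    CHECKUP = "Check-up"       # failed, but temporary access allowed
    QUARANTINE = "Quarantine"  # failed a quarantining test, or untestable
    INFECTED = "Infected"      # failed the Worms, Viruses, and Trojans test


MALWARE_TEST = "Worms, Viruses, and Trojans"


@dataclass
class TestResult:
    name: str
    passed: bool
    quarantine_on_fail: bool = True               # assumed per-test penalty flag
    temporary_access: Optional[timedelta] = None  # assumed grace period
    first_failed: Optional[datetime] = None       # when the test first failed


def assign_posture(results: Optional[Iterable[TestResult]], *,
                   testable: bool = True,
                   quarantine_untestable: bool = True,
                   now: Optional[datetime] = None) -> Posture:
    """Derive the posture from one testing session.

    results=None means the endpoint has not been tested yet.  An untestable
    endpoint is quarantined only if the network is configured to do so;
    otherwise it is left Unknown (assumption).
    """
    now = now or datetime.now()
    if not testable:
        return Posture.QUARANTINE if quarantine_untestable else Posture.UNKNOWN
    if results is None:
        return Posture.UNKNOWN
    failed = [r for r in results if not r.passed]
    if not failed:
        return Posture.HEALTHY
    # Malware is treated as the most severe outcome (assumption: it wins
    # over an ordinary quarantine failure).
    if any(r.name == MALWARE_TEST for r in failed):
        return Posture.INFECTED
    for r in failed:
        if not r.quarantine_on_fail:
            continue                 # failure reported only, not enforced
        started = r.first_failed or now
        if r.temporary_access and now - started < r.temporary_access:
            continue                 # still inside the temporary-access window
        return Posture.QUARANTINE
    return Posture.CHECKUP
```

The temporary-access check is the part worth noticing: a failed quarantining test does not quarantine the endpoint until its grace period has elapsed, which is exactly the Check-up state the guide describes.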

Accessible Services
The NAC 800 allows quarantined endpoints to access the limited set of
resources listed on its Home > System configuration > Accessible services
screen. By default, the screen lists Web sites from which endpoints can
download service packs, patches, and so forth. You can add hostnames and
IP addresses to the list in order to provide additional services for the quaran-
tined endpoints.

Note On an MS, you can customize accessible services per cluster.


The means by which the NAC 800 restricts quarantined endpoints to the
accessible services differs based on the deployment method. In addition, you
might need to set up your network infrastructure to support the NAC 800’s
restrictions. “Deployment Methods” on page 1-32 explains in more depth.

Performance Implications of Endpoint Integrity Checks

The time and bandwidth required to complete an endpoint integrity check
depend on the NAC policy: the more tests it includes, the longer the check
takes.

The High Security NAC policy, a pre-defined policy that includes
approximately 20 tests, can be taken as a general upper bound. The NAC 800
passes approximately 9 to 16 kilobytes of total data between itself and an
endpoint to complete a single testing session with this policy. On a typical
LAN, the testing process takes between 5 and 10 seconds.


RADIUS Server
The Remote Authentication Dial-In User Service (RADIUS) protocol is an
authentication, authorization, and accounting (AAA) protocol. It allows
your network to:
■ Authenticate end-users—verify that users are who they claim to be
■ Authorize end-users—grant users rights based on their identities
■ Create accounting records—collect information about end-user activ-
ity, including when users connect, how long they connect, and which
resources they consume

RADIUS regulates communications between Network Access Servers (NASs)
and RADIUS servers.

The NASs are the points of access for endpoints—for example, switch ports
or wireless access points (APs). When an end-user attempts to connect to a
NAS, the NAS sends an authentication request to its authentication (RADIUS)
server.

The RADIUS server:
■ Verifies the end-user’s identity
■ Decides:
• Whether the user can connect
• Which rights to grant the user
■ Communicates its decisions to the NAS, which enforces them

If the RADIUS server is also an accounting server, it can receive reports about
the user’s activity from the NAS.

The NAC 800 supports the RADIUS protocol and can act as your network’s
RADIUS server. It supports RADIUS as a stand-alone access control solution
(see “802.1X Deployment Method—RADIUS Server Only” on page 1-42). Or it
can integrate its RADIUS capabilities with endpoint integrity checking (see
“802.1X Deployment Method—Endpoint Integrity With or Without RADIUS”
on page 1-34).


ProCurve NAC 800 RADIUS Capabilities

The ProCurve NAC 800 supports the following RADIUS capabilities:
■ Authenticating users against accounts stored in a variety of locations,
including:
• Windows domain controllers (Active Directory [AD])
• An OpenLDAP server
• An eDirectory server
• Another RADIUS server (proxying requests)
■ Authenticating users with a variety of protocols, including:
• Extensible Authentication Protocol (EAP):
– Protected EAP (PEAP) with Microsoft CHAP version 2
(MS-CHAPv2)
– Transport Layer Security (TLS)
– Tunneled TLS (TTLS) with Message Digest 5 (MD5)
– Generic Token Card (GTC)
– Lightweight EAP (LEAP)
■ Granting users rights, as follows:
• Assigning users to a VLAN based on their endpoint integrity posture
■ Logging activity
The NAC 800 logs RADIUS events to this file: /var/log/radius/radius.log. By
default, the file stores a week’s worth of logs. Every month, the NAC 800
creates a new log file, and it saves up to four files.
RADIUS logs include:
• Failed authentication attempts
• Successful authentication attempts
• Authentication requests from unknown NASs
■ Accounting
The NAC 800 can also act as a RADIUS accounting server. RADIUS
accounting reports are logged as files in this directory: /var/log/radius/
radacct.
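The following is an added example, not a tool shipped on the NAC 800: a triage pass over radius.log that counts successes, failures per user, and requests from unknown NASs (the three event classes listed above). The sample lines are constructed in the format FreeRADIUS 1.x writes (the NAC 800 keeps its RADIUS configuration under /etc/raddb); the user names, NAS names, and addresses are invented, and the regular expressions should be checked against your own log before you rely on them.

```python
# Added example (not NAC 800 code): parse radius.log and flag repeated
# failures and unknown NASs.  SAMPLE_LOG is constructed.
import re
from collections import Counter

SAMPLE_LOG = """\
Mon Aug  6 09:14:02 2007 : Auth: Login OK: [jsmith] (from client core-sw port 12 cli 00-11-22-33-44-55)
Mon Aug  6 09:14:30 2007 : Auth: Login incorrect: [admin] (from client core-sw port 7 cli 00-11-22-33-44-66)
Mon Aug  6 09:14:31 2007 : Auth: Login incorrect: [admin] (from client core-sw port 7 cli 00-11-22-33-44-66)
Mon Aug  6 09:14:33 2007 : Auth: Login incorrect: [admin] (from client core-sw port 7 cli 00-11-22-33-44-66)
Mon Aug  6 09:15:01 2007 : Error: Ignoring request from unknown client 10.1.1.77:1812
Mon Aug  6 09:16:10 2007 : Auth: Login OK: [mlee] (from client wlan-ap1 port 0 cli 00-aa-bb-cc-dd-ee)
"""

AUTH_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect): \[(?P<user>[^\]]*)\]"
    r" \(from client (?P<nas>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)")
UNKNOWN_RE = re.compile(
    r"^(?P<ts>.+?) : Error: Ignoring request from unknown client (?P<addr>[\d.]+):\d+")


def parse_line(line):
    """Return an event dict for a recognised line, or None."""
    m = AUTH_RE.match(line)
    if m:
        event = m.groupdict()
        event["event"] = "auth_ok" if event.pop("result") == "OK" else "auth_fail"
        return event
    m = UNKNOWN_RE.match(line)
    if m:
        return {"event": "unknown_nas", **m.groupdict()}
    return None


def summarize(log_text, fail_threshold=3):
    """Count events; users at or above fail_threshold failures are listed
    as suspicious (password guessing against the RADIUS server)."""
    summary = {"auth_ok": 0, "auth_fail": 0,
               "failures_by_user": Counter(), "unknown_nas": Counter(),
               "suspicious_users": []}
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        if event["event"] == "unknown_nas":
            # A NAS not in the client list: a misconfigured switch or a rogue one.
            summary["unknown_nas"][event["addr"]] += 1
            continue
        summary[event["event"]] += 1
        if event["event"] == "auth_fail":
            summary["failures_by_user"][event["user"]] += 1
    summary["suspicious_users"] = sorted(
        user for user, n in summary["failures_by_user"].items() if n >= fail_threshold)
    return summary
```

An unknown-client entry deserves follow-up either way: it is either an authenticator you forgot to add as a RADIUS client (and whose users are therefore being denied) or a device that should not be sending RADIUS requests at all.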

RADIUS Capabilities of the NAC 800 Integrated with IDM

ProCurve IDM is a centralized, easy-to-use solution for assigning network
rights to users based on their identity. IDM manages RADIUS servers, including
NAC 800s.


When you manage a NAC 800 with IDM, the NAC 800 has all the capabilities
listed in the section above with these additions:
■ Authenticating users against an easily managed local database
■ Granting users rights, as follows:
• Assigning dynamic settings based on identity, access time, access
location, and endpoint integrity posture
Dynamic settings include:
– VLAN assignment
– ACLs (which control access to network resources)
– Rate limit
■ Logging activity to a centralized location and easily browsed interface
Information tracked includes:
• Lists of successful and failed authentication attempts
• Lists of currently connected users


Deployment Methods
The NAC 800 can control network access in a variety of ways. It can make
decisions based on who is connecting (authentication) as well as on what is
connecting and the risks that device might pose (endpoint integrity).

In addition, the NAC 800 can control network access for endpoints connecting
from a variety of locations, including:
■ A Virtual Private Network (VPN) connection
■ A Wide Area Network (WAN) connection
■ A wireless connection
■ A LAN connection

Finally, the NAC 800 is suitable for a variety of environments featuring
different types of equipment and security capabilities. For example, the NAC
800 can add endpoint integrity testing to a network that already enforces
authentication and access control. Or the NAC 800 can test for endpoint
integrity in a network with fewer capabilities and an older infrastructure.

You must consider all of these factors—which type of access control you
desire for which users in a network with which capabilities—as you determine
how and where to deploy your NAC 800s.

Deployment methods are also called enforcement options or quarantine
methods because how the NAC 800 enforces access control determines how and
where you must deploy it.

The NAC 800 has three deployment (quarantine) methods:
■ 802.1X
■ DHCP
■ Inline

The sections below describe these methods in more detail.

Note When you purchase your NAC 800, you also purchase the ProCurve Network
Access Controller 800 Implementation Start-up Service. Your ProCurve solu-
tions provider will help you think through options and plan your deployment.


802.1X Deployment Method

802.1X is a standard method for enforcing access control in Ethernet and
wireless networks. It provides a framework for linking the status of the
endpoint’s access port (open or closed) to the end-user’s authentication status.

The NAC 800 adds endpoint integrity to the framework.

A brief overview of 802.1X will help you understand how the NAC 800 interacts
with other components of an 802.1X solution.

802.1X Overview
Traditionally, 802.1X features three components:
■ Supplicant—The endpoint attempting to connect to the network. The
supplicant must authenticate itself to the network by submitting a user-
name and either a password or a digital certificate.
■ Authenticator—The access point or the port to which the endpoint
connects. The authenticator can be a switch, an AP, or a Wireless Edge
Services Module. The port is a switch port or an 802.11 association with
a wireless station. The authenticator is responsible for enforcing all
access decisions: opening and closing the port, as well as customizing the
port with dynamic settings such as VLAN assignments.
■ Authentication server—A RADIUS server. The RADIUS server makes
all access decisions. It validates the end-user's credentials, and, if the
credentials check out, it determines whether the user is connecting in an
appropriate manner. (Depending on the RADIUS server’s capabilities, the
server may consider factors such as access time, location, and type of
access.) Finally, the RADIUS server can match particular users to
particular dynamic settings, such as VLAN assignments, which it forwards to
the authenticator.

Figure 1-7. 802.1X Components


The NAC 800 enters the 802.1X framework as either an authentication server
or a supplement to the authentication server. It adds endpoint integrity to the
process of making access decisions. In other words, the authentication
server’s decision is now based on these factors:
■ End-user identity
■ Other factors such as the time and the endpoint’s location
■ Endpoint integrity (whether the endpoint passes the tests listed in the
NAC policy)

Types of Access Control Provided by the NAC 800

The NAC 800 can provide these types of access control with the 802.1X
deployment method:
■ Authentication only—The NAC 800 acts as a traditional RADIUS server.
■ Endpoint integrity only—The NAC 800 integrates with a Microsoft
Internet Authentication Service (IAS) server. The IAS server provides
authentication, and the NAC 800 provides endpoint integrity testing.

Note IAS is the only option for a system that uses the NAC 800 for endpoint
integrity only. If your network already includes a non-IAS RADIUS server,
however, you can configure the NAC 800 to act as a RADIUS server, but
proxy requests to the existing server (or bind to an existing directory).
■ Both—The NAC 800 authenticates the endpoint like a traditional RADIUS
server. However, it also tests the endpoint's integrity and factors test
results into its access decisions.

Further discussion of the 802.1X deployment method will divide into two
categories:
■ NAC 800 provides endpoint integrity (with or without its internal RADIUS
server).
■ NAC 800 provides RADIUS services only.

802.1X Deployment Method—Endpoint Integrity With or Without RADIUS
The following sections describe how the NAC 800 uses 802.1X to quarantine
endpoints; they also explain, at a high level, how to set up your network to
support such quarantining.


How the NAC 800 Quarantines Endpoints

As discussed earlier, 802.1X helps network devices apply dynamic VLAN
assignments to endpoints. When using the 802.1X method, the NAC 800
quarantines endpoints by assigning them to the appropriate VLAN based on
their integrity posture.

Exactly how the NAC 800 assigns users to VLANs depends on several factors,
including whether it integrates with IDM. The rest of this section explains.

VLAN Assignment After Initial Authentication. After the endpoint
completes the traditional first phase of 802.1X authentication, it has the
Unknown posture. The NAC 800 places it in a “guest” or “test” VLAN, which is:
■ If you are using IDM (recommended), the VLAN associated with the
Unknown status via an access policy group rule
■ If you are not using IDM, the VLAN associated with the Unknown posture
in the:
• /etc/raddb/SAFreeRadiusConnector.conf file
• SAIASConnector.ini file (if using the IAS plug-in)

You might make this VLAN identical to the quarantine VLAN, or you might
create a different VLAN. In either case, set up the VLAN in the network
infrastructure and complete these steps:
1. Configure your DHCP server to specify the NAC 800 as the DNS server for
this VLAN.
2. Configure network infrastructure devices to restrict endpoints in this
VLAN to services necessary for testing.

VLAN Assignment After Endpoint Integrity Testing. When the testing
is complete, the endpoint has gained one of the other four postures.

If the endpoint has the Healthy or Check-up posture, the NAC 800 allows it to
receive the standard (production) VLAN assignment for that user in that
network:
■ The VLAN assigned through IDM for the Pass status if you have integrated
the NAC 800 with IDM
■ The VLAN assigned through OpenLDAP, eDirectory, or a proxy RADIUS
server if the NAC 800 is configured to authenticate users against one of
those sources
■ The VLAN assigned through IAS if your network uses the IAS plug-in


■ The VLAN configured in the /etc/raddb/SAFreeRadiusConnector.conf file if
you are authenticating to the local database or a Windows domain without
IDM
■ The static or default VLAN on the authenticator if your network does not
use dynamic settings

If, on the other hand, the endpoint has the Quarantine or Infected posture, the
NAC 800 places it in the quarantine VLAN:
■ If you are using IDM (recommended), the VLAN associated with the Fail
or Infected status via a policy group rule
■ If you are not using IDM, the VLAN associated with the Quarantine or
Infected posture in the:
• /etc/raddb/SAFreeRadiusConnector.conf file
• SAIASConnector.ini file (if using the IAS plug-in)

Note If you desire, you can place infected endpoints in a separate VLAN from other
quarantined endpoints.
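The following is an added example and not code from the NAC 800 or IDM: it renders the posture-to-VLAN mapping described above as the RADIUS tunnel attributes (RFC 2868, with the VLAN values RFC 3580 assigns) that an 802.1X authenticator reads from the Access-Accept. The VLAN IDs 900, 901 and 902 are constructed; your real values come from IDM rules or SAFreeRadiusConnector.conf. The decoder at the end is what you would use when checking, in a packet capture, that the right VLAN actually went out.

```python
# Added example (not NAC 800 or IDM code): posture -> VLAN -> RADIUS
# tunnel attributes on the wire.  VLAN numbers are constructed.
import struct

# RADIUS attribute codes (RFC 2868) and the values RFC 3580 uses for VLANs.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

# Constructed: one VLAN per non-production posture, including the optional
# separate VLAN for infected endpoints mentioned in the Note above.
POSTURE_VLANS = {"Unknown": 900, "Quarantine": 901, "Infected": 902}


def vlan_for_posture(posture, production_vlan=None):
    """Healthy and Check-up endpoints get the user's production VLAN (None
    means leave the authenticator's static VLAN in place); the other
    postures get the test or quarantine VLAN."""
    if posture in ("Healthy", "Check-up"):
        return production_vlan
    return POSTURE_VLANS[posture]


def _avp(code, value):
    """One RADIUS attribute: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", code, len(value) + 2) + value


def _tagged_int(code, value, tag):
    # Tagged integer attribute: 1-byte tag, then a 3-byte big-endian value.
    return _avp(code, bytes([tag]) + value.to_bytes(3, "big"))


def vlan_attributes(vlan_id, tag=0):
    """The three tunnel attributes the authenticator needs to put the port
    in vlan_id; empty when no dynamic VLAN is to be sent."""
    if vlan_id is None:
        return b""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return (_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802, tag)
            + _avp(TUNNEL_PRIVATE_GROUP_ID,
                   bytes([tag]) + str(vlan_id).encode("ascii")))


def accept_attributes(posture, production_vlan=None):
    """Attribute bytes to place in the Access-Accept for this posture."""
    return vlan_attributes(vlan_for_posture(posture, production_vlan))


def decode_attributes(raw):
    """Walk a buffer of attributes back into (code, value) pairs."""
    out, i = [], 0
    while i < len(raw):
        code, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed attribute")
        out.append((code, raw[i + 2:i + length]))
        i += length
    return out


def vlan_from_attributes(raw):
    """Recover the VLAN ID an authenticator would apply, or None."""
    attrs = dict(decode_attributes(raw))
    if attrs.get(TUNNEL_TYPE, b"")[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big"):
        return None
    return int(attrs[TUNNEL_PRIVATE_GROUP_ID][1:].decode("ascii"))
```

Note that a Healthy endpoint with no production VLAN known to the server gets no tunnel attributes at all; the port then stays in whatever VLAN the authenticator was statically configured with, which is the "static or default VLAN" case listed above.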

As with the guest VLAN, scopes on the network’s DHCP servers should specify
the NAC 800 as the DNS server for the quarantine VLAN.

It is by acting as the DNS server that the NAC 800 controls the quarantined
endpoints. Whenever a quarantined user attempts to navigate to a Web page,
the endpoint sends a DNS request to the NAC 800. If the requested hostname
(or the IP address to which that hostname resolves) is on the accessible
services list, the NAC 800 sends a DNS response with the correct IP address,
and the user reaches the Web page. If the requested hostname is not on the
list, the NAC 800 sends its own IP address in the response, redirecting the
user to a Web page such as the one shown in Figure 1-8.


Figure 1-8. End-User Redirect Screen

The user cannot reach non-accessible Web sites until he or she has fixed the
problem.

You should also set up ACLs on network infrastructure devices that limit
endpoints in the quarantine VLAN. For example, you might deny the
quarantine subnet access to all private addresses except for the NAC 800’s
and a DHCP server’s. The NAC 800 controls the quarantined endpoints’ access
to external sites by name; because DNS redirection affects only lookups, an
endpoint that connects to an IP address directly is not stopped by it, so the
ACLs are what actually confine the quarantine VLAN.

How and Where to Deploy the NAC 800

One of the advantages of 802.1X is that, although access control decisions are
made at certain centralized points, enforcement occurs at the edge. In other
words, you can install the NAC 800 anywhere in your network. It needs
connectivity with the endpoints (it must detect them), but it does not need to
stand between them and the production network: the authenticators do that.

However, to properly implement endpoint integrity testing, the NAC 800 must
receive mirrored traffic from the DHCP server. This allows the NAC 800 to
discover an endpoint’s IP address after it connects and is placed in a VLAN.
The NAC 800 can then test and re-test the device as necessary.


Figure 1-9. Deploying a NAC 800 in 802.1X Quarantine Mode

Note The following deployment instructions apply to CSs and ESs. An MS simply
requires connectivity to ESs. To deploy an MS, connect its port 1 to an
infrastructure switch.

If you are using a cluster deployment, only one ES in the 802.1X enforcement
cluster needs to receive mirrored DHCP traffic. However, you should mirror
traffic to two ESs for the sake of redundancy.

Deploy a NAC 800 That Provides RADIUS and Endpoint Integrity
Services. Take these steps to deploy a NAC 800 that provides RADIUS
services as well as endpoint integrity checking:
1. Install the NAC 800, connecting its ports as follows:
• Port 1—to any port in your production network, determining the
location just as you would for any RADIUS server
• Port 2—to a port that can receive mirrored DHCP traffic
Unless your network devices support remote mirroring, this port
should be on the same switch to which the DHCP server connects.
2. Give the NAC 800 an IP address in the appropriate VLAN.
3. On the authenticators (switch, APs, and so forth), specify the NAC 800’s
IP address as one of the RADIUS servers.


4. Determine the source of credentials and take any steps necessary to allow
the NAC 800 to access this source:
• NAC 800’s local database—ProCurve Networking recommends
that you always use IDM to configure the local database.
See “Configure Authentication to the NAC 800’s Local Database” on
page 4-14 of Chapter 4: “Configuring the RADIUS Server—Integrated
with ProCurve Identity Driven Manager.”
• Proxy RADIUS server—Add the NAC 800 to the proxy server’s
client list.
Set up the NAC 800 as described in “Configure Authentication to a
Proxy RADIUS Server” on page 4-29 of Chapter 4: “Configuring the
RADIUS Server—Integrated with ProCurve Identity Driven Manager”
or “Configure Authentication to a Proxy RADIUS Server” on page 5-23
of Chapter 5: “Configuring the RADIUS Server—Without Identity
Driven Manager.”
• Active Directory (AD), OpenLDAP, or eDirectory—In the
NAC 800’s Web browser interface, bind it to the directory.
If using IDM, see “Configure Authentication to a Windows Domain”
on page 4-16 or “Configure Authentication to an LDAP Server” on page
4-20 of Chapter 4: “Configuring the RADIUS Server—Integrated with
ProCurve Identity Driven Manager.”
If not using IDM, see “Configure Authentication to a Windows
Domain” on page 5-10 or “Configure Authentication to an LDAP
Server” on page 5-14 of Chapter 5: “Configuring the RADIUS Server—
Without Identity Driven Manager.”
5. Send mirrored DHCP traffic to the NAC 800. Either:
• Connect the NAC 800’s port 2 to the same switch to which the DHCP
server is connected. Make the NAC 800’s switch port the mirror port,
and the DHCP server’s port the monitored port.
• If you cannot connect the NAC 800’s port 2 to the DHCP server’s
switch, you must set up remote mirroring. For instructions on setting
up this capability on a ProCurve Switch 3500yl/5400zl/6200yl Series,
see the Management and Configuration Guide for the ProCurve
Series 3500yl, 6200yl, and 5400zl Switches.


6. Throughout the network, set up the guest VLAN (for not-yet-tested end-
points) and the quarantine VLAN:
a. Configure the appropriate VLAN ID for each integrity posture:
– If you are using IDM, create policy group rules to match the
Unknown, Fail, and Infected postures to the profile with the
appropriate VLAN assignment.
See the ProCurve Identity Driven Manager User’s Guide.
– If you are not using IDM, set the VLAN IDs in the /etc/raddb/
SAFreeRadiusConnector.conf file on the NAC 800.
b. If the VLANs selected for untested or failed endpoints do not yet exist,
create them on network infrastructure devices such as routers and
switches. Apply ACLs to restrict traffic routed in and out of the
VLANs.
c. Create DHCP scopes for the guest and quarantine VLANs. Specify the
NAC 800 as the DNS server.
7. Set up NAC policies and testing methods.
See the ProCurve Network Access Controller 800 Users’ Guide.

Deploy a NAC 800 That Provides Endpoint Integrity Only. For a NAC
800 that enforces endpoint integrity with the 802.1X quarantine method, but
relies on IAS to authenticate users, follow these steps:
1. Install the NAC 800, connecting its ports as follows:
• Port 1—to any port in your production network
• Port 2—to a port that can receive mirrored DHCP traffic
Unless your network devices support remote mirroring, this port
should be on the same switch to which the DHCP server connects.
2. Give the NAC 800 an IP address in the appropriate VLAN.
3. Send mirrored DHCP traffic to the NAC 800. Either:
• Connect the NAC 800’s port 2 to the same switch to which the DHCP
server is connected. Make the NAC 800’s switch port the mirror port,
and the DHCP server’s port the monitored port.
• If you cannot connect the NAC 800’s port 2 to the DHCP server’s
switch, you must set up remote mirroring. For instructions on setting
up this capability on a ProCurve Switch 3500yl/5400zl/6200yl Series,
see the Management and Configuration Guide for the ProCurve
Series 3500yl, 6200yl, and 5400zl Switches.


4. Set up the IAS server to work with the NAC 800:
a. Download two files from http://www.procurve.com/nactools:
– SAIASConnector.ini
– SAIASConnector.dll
b. Install these files on the IAS server.
c. Modify the SAIASConnector.ini file to include the correct VLAN assign-
ments for various endpoint integrity postures.
d. Modify the IAS server’s registry to include the SAIASConnector.dll file.
e. Load the NAC 800’s digital certificate to the IAS server’s trusted CA
certificates store.
For instructions on completing these tasks, see “Using the NAC 800 Plug-
in to the Microsoft IAS RADIUS Server” in “Chapter 11: 802.1X Deploy-
ment” of the ProCurve Network Access Controller 800 Users’ Guide.
5. Set up the network to support the VLANs configured in step 4-c:
a. If the VLANs do not yet exist, create them on network infrastructure
devices such as routers and switches. Apply ACLs to restrict traffic
routed in and out of the VLANs.
b. Create DHCP scopes for the guest and quarantine VLANs. Specify the
NAC 800 as the DNS server.
6. Set up NAC policies and testing methods.
See the ProCurve Network Access Controller 800 Users’ Guide.


802.1X Deployment Method—RADIUS Server Only

You can disable the NAC 800’s endpoint integrity capabilities and use the
device as a stand-alone RADIUS appliance.

Switches, APs, and other NASs contact the NAC 800 when an end-user
attempts to connect to the network. The NAC 800 checks the user’s credentials
against its local database, another RADIUS server, or a directory. Then it
informs the NAS whether the endpoint can connect.

If you use IDM to manage the NAC 800, the NAC 800 can also factor access
time and location into its decisions, as well as send dynamic VLAN assign-
ments, ACLs, and rate limits.

How and Where to Deploy the NAC 800

For this deployment method, you place the NAC 800 as you would any RADIUS
server. NASs throughout the network will need to contact the NAC 800, so you
should typically place it in the network core in a server VLAN.

Figure 1-10. Deploy a RADIUS-Only NAC 800

Follow these steps:
1. Connect the NAC 800’s port 1 to a port in your production network. Give
the NAC 800 an IP address in the appropriate VLAN.
You do not need to connect the NAC 800’s port 2.
2. On the authenticators, specify the NAC 800’s IP address as one of the
RADIUS servers.


3. Determine the source of credentials and take any steps necessary to allow
the NAC 800 to access this source:
• NAC 800’s local database—ProCurve Networking recommends
that you always use IDM to configure the local database.
See “Configure Authentication to the NAC 800’s Local Database” on
page 4-14 of Chapter 4: “Configuring the RADIUS Server—Integrated
with ProCurve Identity Driven Manager.”
• Proxy RADIUS server—Add the NAC 800 to the proxy server’s
client list.
Set up the NAC 800 as described in “Configure Authentication to a
Proxy RADIUS Server” on page 4-29 of Chapter 4: “Configuring the
RADIUS Server—Integrated with ProCurve Identity Driven Manager”
or “Configure Authentication to a Proxy RADIUS Server” on page 5-23
of Chapter 5: “Configuring the RADIUS Server—Without Identity
Driven Manager.”
• Active Directory (AD), OpenLDAP, or eDirectory—In the
NAC 800’s Web browser interface, bind it to the directory.
If using IDM, see “Configure Authentication to a Windows Domain”
on page 4-16 or “Configure Authentication to an LDAP Server” on page
4-20 of Chapter 4: “Configuring the RADIUS Server—Integrated with
ProCurve Identity Driven Manager.”
If not using IDM, see “Configure Authentication to a Windows
Domain” on page 5-10 or “Configure Authentication to an LDAP
Server” on page 5-14 of Chapter 5: “Configuring the RADIUS Server—
Without Identity Driven Manager.”

DHCP Deployment Method

The DHCP deployment method is designed primarily for networks with equip-
ment that is not 802.1X capable. Any endpoint is allowed to connect to the
network. However, the NAC 800 prevents non-compliant endpoints from
receiving a valid IP address in the production network. Instead, these end-
points receive an address in a quarantine subnet, in which they have access
only to resources necessary for remediation (accessible services).

Types of Access Control Provided By the NAC 800

When using the DHCP deployment method, the NAC 800 provides access
control based only on endpoint integrity.


Your network may not enforce authentication, or it may enforce it through a
directory service; in either case, authentication is entirely outside the purview
of this NAC 800 solution.

How the NAC 800 Quarantines Endpoints

As soon as an endpoint connects to a network, it typically sends a DHCP
request for a valid IP address for itself, the IP address of its default gateway
and DNS server, and all the other configurations necessary for full
connectivity.

The NAC 800 stands between endpoints and the DHCP server, intercepting
and responding to these requests based on endpoints’ integrity postures.

Note The NAC 800 forwards all non-DHCP traffic to the server without interfering
with it.

The NAC 800 forwards DHCP requests from endpoints with the Healthy or the
Check-up posture on to the DHCP server, which issues the endpoints IP
addresses and other configurations just as it would were the NAC 800 not
present.

However, the NAC 800 intercepts DHCP requests from endpoints with the
Unknown, Quarantine, or Infected postures and responds to these requests in
lieu of the network DHCP server. To do so, the NAC 800 uses the configuration
for the quarantine area, which includes:
■ The quarantine subnet address and range of IP addresses available for
endpoints within that subnet
■ Default router for the quarantine subnet

The NAC 800 automatically specifies itself as the DNS server.

Because the endpoints do not have valid IP addresses in a production subnet,
they cannot truly connect to the production network. However, you must take
additional steps to limit network access in the quarantine subnet, as described
in the following section.

Acting as the DNS server allows the NAC 800 to inform quarantined users why
they cannot reach the sites they are attempting to reach. When a quarantined
user opens a Web browser and attempts to reach a non-accessible Web site
(not on the accessible services list), the NAC 800 receives the DNS request to
resolve the hostname. It sends its own IP address to the user’s endpoint, and
the user sees a page such as the one shown in Figure 1-11, which helps him
or her begin to remediate the endpoint.
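The following is an added example, not the NAC 800’s own resolver: it implements the accessible-services decision described just above for the DHCP method and, earlier, for the 802.1X method (a listed hostname, or a hostname resolving to a listed address, gets the real answer; anything else gets the NAC 800’s own address). The service list, the NAC 800 address, and the upstream answers are constructed; the CIDR entry (10.1.10.0/24) is an extension of the hostname and IP-address entries the guide describes.

```python
# Added example (not NAC 800 code): the DNS decision the NAC 800 makes
# for quarantined endpoints.  All addresses and names are constructed.
import ipaddress

NAC_IP = "10.1.1.5"                       # constructed NAC 800 address
UPSTREAM = {                              # constructed stand-in for a real resolver
    "update.example.com": ["192.0.2.10"],
    "mirror.example.com": ["192.0.2.20", "192.0.2.21"],
    "intranet.example.com": ["10.1.10.7"],
    "news.example.net": ["198.51.100.9"],
}
ACCESSIBLE_SERVICES = ["update.example.com", "192.0.2.20", "10.1.10.0/24"]


def _canon(name):
    return name.lower().rstrip(".")


class AccessibleServices:
    """Hostname entries are matched by name; address entries (single host
    or CIDR, the latter an extension) by what the hostname resolves to."""

    def __init__(self, entries):
        self.hosts, self.nets = set(), []
        for entry in entries:
            try:
                self.nets.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:            # not an address, so a hostname
                self.hosts.add(_canon(entry))

    def allows_host(self, name):
        return _canon(name) in self.hosts

    def allows_ip(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.nets)


def resolve_for_quarantined(name, services, upstream=UPSTREAM, nac_ip=NAC_IP):
    """Return (answer_addresses, redirected).  redirected=True means the
    endpoint receives the NAC 800's own address and lands on the
    remediation page instead of the site it asked for."""
    answers = upstream.get(_canon(name), [])
    if services.allows_host(name) or any(services.allows_ip(a) for a in answers):
        return list(answers), False
    return [nac_ip], True


def handle_queries(names, entries=ACCESSIBLE_SERVICES):
    services = AccessibleServices(entries)
    return {n: resolve_for_quarantined(n, services) for n in names}
```

The mirror.example.com case is the one to think about: one listed address lets all of that name’s answers through, so a multi-homed service should be listed by hostname or with every address you intend to allow.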


Figure 1-11. End-User Redirect Screen

Note An end-user who has the technical savvy to give his or her station a valid IP
address can circumvent DHCP quarantining. This is one reason that 802.1X is
the recommended option for high security.

Enforcement Methods for DHCP Quarantining. You have two options
for limiting network access in the quarantine subnet:
■ ACLs—This option relies on the network infrastructure to impose con-
trols on the quarantine subnet.
Routers and switches apply ACLs to the quarantine subnet or associated
VLAN. Access control entries (ACEs) in these ACLs determine which
services are accessible to endpoints in the quarantine subnet.
You might select this option if your network already includes a VLAN
designed to limit access in the ways a quarantine VLAN should.
ACLs should:
• Allow traffic between the quarantine subnet and the NAC 800 CS or
ESs (in both directions)
• Allow traffic between the quarantine subnet and the IP addresses and
ports of servers in the accessible services list (in both directions)
• Deny all other traffic to and from the quarantine subnet


■ Static routes—This option relies on the NAC 800 to impose controls on
the quarantine subnet.
When you select this option, the NAC 800 omits the default gateway
address from DHCP configurations sent to quarantined endpoints; the
NAC 800 also sets the subnet mask to 255.255.255.255. (The NAC 800 does
so no matter what you specify for the gateway address and subnet mask
in the quarantine area configuration.) Isolated in its own subnet without
a gateway, the endpoint cannot transmit traffic.
As part of the DHCP configuration, the NAC 800 sends a static route to
itself, which allows the endpoints to send it DNS requests. The NAC 800
also acts as a proxy Web server for quarantined endpoints, allowing them
to reach accessible services when they request them.
The static route access control option offers easy setup: you do not have
to configure any device except for the NAC 800, and the NAC 800
automatically enables access to all services required for endpoints to update
patches and so forth. Adding another service is also easy: simply add it to
the list in the Home > System configuration > Accessible services screen.
(See Chapter 3: System Configuration of the ProCurve Network Access
Controller 800 Users’ Guide.)
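The following is an added example and not a ProCurve switch configuration: a stateless model of the three ACL rules listed under the ACLs option above (permit quarantine subnet to and from the NAC 800, permit it to and from each accessible service address and port, deny everything else), evaluated against constructed flows. It makes one practical point visible: with stateless ACLs, "in both directions" means the reply from an accessible server needs its own entry, matched on the source port. The quarantine subnet, NAC 800 address, and service addresses are constructed.

```python
# Added example (not a switch config): first-match ACL evaluation for the
# quarantine subnet rules the guide lists.  Addresses are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(text):
    return ipaddress.ip_network(text, strict=False)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int] = None      # None = any port
    dport: Optional[int] = None

    def matches(self, flow):
        return (ipaddress.ip_address(flow.src) in self.src
                and ipaddress.ip_address(flow.dst) in self.dst
                and self.sport in (None, flow.sport)
                and self.dport in (None, flow.dport))


def build_quarantine_acl(quarantine, nac_addrs, services):
    """services: (address, port) pairs taken from the accessible services
    list.  Entries are ordered so the permits precede the final denies."""
    q = _net(quarantine)
    aces = []
    for nac in nac_addrs:
        aces += [Ace("permit", q, _net(nac)), Ace("permit", _net(nac), q)]
    for addr, port in services:
        aces += [Ace("permit", q, _net(addr), dport=port),
                 Ace("permit", _net(addr), q, sport=port)]   # reply direction
    aces += [Ace("deny", q, ANY), Ace("deny", ANY, q)]
    return aces


def evaluate(aces, flow):
    """First matching entry wins; an implicit deny closes the list."""
    for ace in aces:
        if ace.matches(flow):
            return ace.action
    return "deny"
```

The model covers only flows that touch the quarantine subnet; production-to-production traffic is out of scope here and would be permitted by the rest of a real ACL.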

How and Where to Deploy the NAC 800

For the DHCP deployment method, the NAC 800 must stand between the
production network and DHCP servers.

The simplest scenario is a network with a single DHCP server and fewer than
3000 users. This network requires a single NAC 800, which is set to the CS
type. The NAC 800’s port 1 connects to a switch in the production network,
and its port 2 connects to the DHCP server. The NAC 800 and the DHCP server
require IP addresses on the same subnet.

Figure 1-12 illustrates this design.


Figure 1-12. DHCP Deployment—Single NAC 800 and Single DHCP Server

If your network uses more than one DHCP server, you should connect the
servers to the same switch. Then connect the NAC 800’s port 2 to that switch
as well. Do not connect any other devices to the switch as those devices could
then circumvent the NAC 800. As shown in Figure 1-13, the NAC 800’s port 1
connects to a switch that links it to the rest of the network.

Figure 1-13. DHCP Deployment—Single NAC 800 and Multiple DHCP Servers

You can modify the design as necessary for a larger network. For example,
you might install several NAC 800s in a cluster deployment to support a
network with a large number of users. Install the MS wherever you desire.
Then install at least one ES between the DHCP servers and the rest of the
network.


One ES standing between the network and the DHCP servers is sufficient. That
ES shares information with the other ESs, which can test the endpoints from
anywhere in the network. However, to provide redundancy, at least two ESs
should be able to intercept the DHCP traffic.

Designing the Quarantine Subnet. As you should now understand, the
quarantine subnet is a special subnet that is tightly controlled and separated
from production subnets. However, for quarantined endpoints to reach the
few resources to which they do need access, you must include the quarantine
subnet in your production network architecture.

You have two options:
■ Configuring the quarantine subnet as a part of an existing subnet
■ Configuring the quarantine subnet using multinetting

If your network’s DHCP servers must receive requests from VLANs not their
own, you must set up helper addresses.

Configuring the Quarantine Subnet as Part of an Existing Subnet.

Your network probably already includes several production (or user) VLANs,
each with its own subnet. However, users might not require every available IP
address in a subnet. A good network design often reserves certain addresses
in each subnet for future use. You can now exploit those reserved IP addresses
for a quarantine subnet.

For example, your network might include three Class C user subnets, each
with 100 users:
■ 10.1.2.0/24
■ 10.1.3.0/24
■ 10.1.4.0/24

Currently, your DHCP server assigns users addresses in the 25 to 125 range;
for example, 10.1.2.25 to 10.1.2.125. This means that the second half of each
subnet (10.1.X.128/25) is available for quarantined endpoints.

On the NAC 800, you must set up a separate quarantine area for each produc-
tion subnet. Specify the quarantine subnets for the areas as follows:
■ Area 1—Quarantine subnet = 10.1.2.128/25
■ Area 2—Quarantine subnet = 10.1.3.128/25
■ Area 3—Quarantine subnet = 10.1.4.128/25

For the quarantine subnet’s default router, specify the IP address of the router
in the associated production subnet. It does not matter that this IP address is
outside the range of the quarantine subnet because, in actual fact, the network
infrastructure considers the quarantine subnet to be part of the production
subnet.

You will set the non-quarantine subnet for each quarantine area as the portion
of the associated production VLAN that is already in use. All healthy
endpoints, all network servers, and the NAC 800 require addresses in one of
these ranges:
■ Area 1—Non-quarantine subnet = 10.1.2.0/25
■ Area 2—Non-quarantine subnet = 10.1.3.0/25
■ Area 3—Non-quarantine subnet = 10.1.4.0/25

The network DHCP server continues to assign IP addresses from the complete
Class C network. It is very important, of course, that the range exclude IP
addresses designated for quarantined endpoints.
■ Scope 1
Network = 10.1.2.0/24
Range = 10.1.2.25-10.1.2.125
■ Scope 2
Network = 10.1.3.0/24
Range = 10.1.3.25-10.1.3.125
■ Scope 3
Network = 10.1.4.0/24
Range = 10.1.4.25-10.1.4.125

You do not have to add quarantine subnets to the network infrastructure
because infrastructure devices include the “quarantine subnets” as part of
existing subnets.

Of course, if you have selected the ACL option for network access control,
you must apply ACLs to the production VLANs in order to control traffic from
IP addresses in the quarantine range.

The static route option can be attractive because you do not have to alter
configurations on existing infrastructure devices.

Configuring the Quarantine Subnet Using Multinetting. With the
multinetting option, you actually add the quarantine subnets to your network
design. You might choose this option when most of the IP addresses in your
production subnets are already in use.

For example, your network might include two Class C subnets, each with
250 users:
■ 192.168.8.0/24
■ 192.168.12.0/24

For each existing Class C subnet, you will add a new Class C subnet for the
quarantine subnet.

On the NAC 800, you set up two quarantine areas and specify one quarantine
subnet for each production subnet:
■ Area 1
Quarantine subnet = 192.168.9.0/24
Non-quarantine subnet = 192.168.8.0/24
■ Area 2
Quarantine subnet = 192.168.13.0/24
Non-quarantine subnet = 192.168.12.0/24

With this option, quarantined endpoints are placed in a truly separate subnet.
Therefore, they require a default gateway with an IP address in that subnet.
For example:
■ Area 1—Default gateway = 192.168.9.1
■ Area 2—Default gateway = 192.168.13.1

On the infrastructure devices that act as default gateways, set up multinetting
on the production VLANs. For example, a routing switch might have this
existing configuration:
■ VLAN 2—IP address = 192.168.8.1/24
■ VLAN 3—IP address = 192.168.12.1/24

You should now add the IP addresses you specified for quarantine subnets’
default gateways:

VLAN 2
IP address = 192.168.8.1/24
IP address = 192.168.9.1/24

VLAN 3
IP address = 192.168.12.1/24
IP address = 192.168.13.1/24

VLAN tagging should already be in place to support the endpoint whether it
is in the quarantine subnet or the production subnet. And the DHCP server can
continue to use its existing scopes.

As always, remember to apply the appropriate ACLs to VLANs on infrastruc-
ture devices if you have selected the ACL option for access control.
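The two quarantine subnet options above, as an added example that is not part of the ProCurve guide: it carves the upper half out of an existing subnet (and checks that the DHCP scope stays out of it) and plans a multinetted quarantine subnet with its VLAN addresses. The function names, the dictionary layout and the 10.1.X.1 router addresses are this example's own assumptions, not NAC 800 configuration syntax.

```python
"""Plan and sanity-check NAC 800 quarantine areas for the DHCP deployment.

Added example for this guide, not ProCurve code. It models both options
described above: carving the quarantine subnet out of the unused upper half
of an existing production subnet, and multinetting a separate quarantine
subnet onto the production VLAN. Function names, dictionary layout and the
sample router addresses are this example's own choices (assumptions).
"""
from ipaddress import IPv4Address, IPv4Network


def plan_split_area(production, dhcp_range, production_router):
    """Option 1: quarantine subnet = upper half of an existing production subnet.

    The lower half stays the non-quarantine subnet, and the production router
    stays the default gateway, because the infrastructure still sees a single
    subnet. The DHCP scope must stay out of the quarantine half, otherwise a
    production lease could land on an address the NAC 800 treats as quarantine.
    """
    net = IPv4Network(production)
    non_quarantine, quarantine = net.subnets(prefixlen_diff=1)
    first, last = IPv4Address(dhcp_range[0]), IPv4Address(dhcp_range[1])
    if first > last:
        raise ValueError(f"DHCP range {first}-{last} is reversed")
    # A contiguous range lies inside the lower half iff both of its ends do.
    if first not in non_quarantine or last not in non_quarantine:
        raise ValueError(
            f"DHCP range {first}-{last} overlaps quarantine subnet {quarantine}")
    router = IPv4Address(production_router)
    if router not in non_quarantine:
        raise ValueError(f"router {router} must sit in {non_quarantine}")
    return {
        "quarantine_subnet": str(quarantine),
        "non_quarantine_subnet": str(non_quarantine),
        "default_gateway": str(router),
        "dhcp_scope": {"network": str(net), "range": (str(first), str(last))},
    }


def plan_multinet_area(production, production_router, quarantine, quarantine_router):
    """Option 2: a separate quarantine subnet multinetted onto the production VLAN.

    Quarantined endpoints get a default gateway inside the quarantine subnet,
    so the routing switch needs a second IP address on the VLAN. The two
    subnets must not overlap.
    """
    prod, quar = IPv4Network(production), IPv4Network(quarantine)
    prod_gw, quar_gw = IPv4Address(production_router), IPv4Address(quarantine_router)
    if prod.overlaps(quar):
        raise ValueError(f"{quar} overlaps production subnet {prod}")
    if prod_gw not in prod or quar_gw not in quar:
        raise ValueError("each default gateway must be inside its own subnet")
    return {
        "quarantine_subnet": str(quar),
        "non_quarantine_subnet": str(prod),
        "default_gateway": str(quar_gw),
        # Addresses the production VLAN's routing interface carries after multinetting.
        "vlan_ip_addresses": [f"{prod_gw}/{prod.prefixlen}", f"{quar_gw}/{quar.prefixlen}"],
    }


# Constructed samples following the guide's two scenarios; the 10.1.X.1
# router addresses are assumed, the guide does not give them.
SPLIT_AREAS = [
    plan_split_area(f"10.1.{n}.0/24", (f"10.1.{n}.25", f"10.1.{n}.125"), f"10.1.{n}.1")
    for n in (2, 3, 4)
]
MULTINET_AREAS = [
    plan_multinet_area("192.168.8.0/24", "192.168.8.1", "192.168.9.0/24", "192.168.9.1"),
    plan_multinet_area("192.168.12.0/24", "192.168.12.1", "192.168.13.0/24", "192.168.13.1"),
]

if __name__ == "__main__":
    for i, area in enumerate(SPLIT_AREAS + MULTINET_AREAS, start=1):
        print(f"Area {i}: {area}")
```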

Setting up Helper Addresses. If your network includes multiple VLANs,
its infrastructure devices probably already use helper addresses to forward
DHCP requests from endpoints on one VLAN to a server on another VLAN.

However you establish the quarantine subnets, the infrastructure devices now
require two helper addresses:
■ The network DHCP server’s
■ The NAC 800’s (the CS or the ES that is connected to the DHCP server)

Which device should act as the DHCP server changes as an endpoint’s integrity
posture changes. However, the NAC 800 handles this issue: it simply drops the
request if it is destined to the wrong IP address. (See Table 1-1).

Table 1-1. How the NAC 800 Handles DHCP Requests

DHCP Request Destination | Endpoint Integrity Posture       | NAC 800 Action
DHCP server              | Unknown, Quarantine, or Infected | Block the request
DHCP server              | Healthy or Check-up              | Forward the request
NAC 800                  | Unknown, Quarantine, or Infected | Answer the request
NAC 800                  | Healthy or Check-up              | Ignore the request

For example, should the switch (or other device) send a DHCP request from
a healthy station to the NAC 800’s address, the NAC 800 simply ignores it. The
switch, not receiving a reply, next sends the request to the DHCP server’s
address; because the endpoint is healthy, the NAC 800 forwards the request
to the server.

Inline Deployment Method

In an inline deployment, perhaps the most straightforward of the three deploy-
ment methods, a NAC 800 physically separates endpoints from the production
network.

Clearly, you cannot deploy an individual NAC 800 between every endpoint and
its switch port. Inline quarantining is a viable option only when many end-
points connect to your network through a single point of access. Examples
include:
■ A VPN—Remote users access the production network through the Inter-
net. Each remote user sets up a secure tunnel with the VPN gateway device
at the production network. Checking the integrity of the remote endpoints
is particularly important as they are otherwise beyond your control.
■ A WAN—A WAN is a network that connects several sites over private
connections such as T1 or E1 cable or ADSL lines. For example, branch
offices might connect to a company headquarters. For whatever reason,
you might want to test the integrity of endpoints at a remote office before
they connect to the segment of the WAN under your control.
■ A wireless network—A device such as the ProCurve Wireless Edge
Services Module controls many RPs and may provide many wireless users
their access point to the production network. Especially when the wire-
less users connect with their own equipment, the network should test
their integrity. Even non-coordinated APs, which support fewer users, can
act as choke points.
Typically, however, you would not use the inline method to control a
wireless network for several reasons:
• The Wireless Edge Services Module and ProCurve APs support 802.1X
authentication, and, for a wireless network that takes advantage of
that option, you should choose the 802.1X deployment method.
• All traffic from the module or the APs must be forwarded through the
NAC 800 in the same VLAN.
However, some networks use an alternative such as WPA-PSK and place
all users in the same VLAN. In this case, inline quarantining might provide
a higher security option than DHCP.

Types of Access Control Provided by the NAC 800

When enforcing inline quarantining, the NAC 800 tests endpoints’ compliance
with NAC policies and controls network access according to the results.

The NAC 800 plays no role in authenticating endpoints; this service is
typically handled by the VPN gateway (or wireless AP or Wireless Edge
Services Module).

How the NAC 800 Quarantines Endpoints

With inline quarantining, the NAC 800 acts as a Layer 2 bridge that imposes a
firewall between its two ports. The NAC 800 does not forward traffic received
on port 2 out port 1 unless the source endpoint has the Healthy or Check-up
posture. And it does not forward traffic from port 1 to quarantined or unknown
endpoints.

In other words, endpoints on the port 2 side of the NAC 800 can access any
resources that are also on the port 2 side. However, they cannot access any
resources on the port 1 side until they have proved compliance with the
appropriate NAC policies.

Exceptions, as always, include the list of accessible services, which any
endpoint, no matter where it is installed and what its status, can reach.

Configuring Accessible Services for Inline Method

Because, by default, all traffic except for the testing services is blocked from
the port 1 side, you must add accessible services to allow infrastructure traffic
to traverse the bridge. For example, suppose the NAC 800 lies inline between
your LAN and its router/VPN gateway, and you want to manage the router from
within the LAN. You must then allow the management traffic in the accessible
services list.

For inline quarantining, you must specify IP addresses rather than host names
in the accessible services list. You can specify a port number to allow a specific
service. For example, to manage a router with IP address 10.1.44.50 using
SNMP, add this line to the accessible services list:

10.1.44.50:161

Remember to permit other necessary traffic such as routing protocols.
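The inline bridge rules and the accessible services list described above, as an added example that is not code from the ProCurve guide or the NAC 800: it parses "IP" / "IP:port" entries and decides whether a packet crosses the bridge. Two points are this example's assumptions rather than documented behaviour: a bare IP means every port on that host, and replies from an accessible service are allowed back across the bridge; the built-in testing services are not modelled.

```python
"""Model of the inline NAC 800 bridge decision described above.

Added example, not code from the ProCurve guide or the NAC 800 itself.
Bridge rules taken from the guide: port 2 -> port 1 only from Healthy or
Check-up endpoints, port 1 -> port 2 only to Healthy or Check-up endpoints,
accessible services reachable by any endpoint. Assumptions of this example:
a bare IP entry means every port, and an accessible service's replies are
allowed back through the bridge. The testing services are not modelled.
"""
from ipaddress import IPv4Address

COMPLIANT = {"Healthy", "Check-up"}  # postures the guide allows across the bridge


def parse_accessible_services(entries):
    """Return {ip: set(ports)}, with None meaning every port on that host.

    Host names are rejected, since the inline method requires IP addresses.
    """
    services = {}
    for entry in entries:
        host, _, port = entry.strip().partition(":")
        try:
            ip = str(IPv4Address(host))
        except ValueError:
            raise ValueError(f"inline method needs an IP address, not {host!r}")
        if not port:
            services[ip] = None                     # assumption: bare IP = every port
        elif services.get(ip, set()) is not None:   # keep None if already "every port"
            services.setdefault(ip, set()).add(int(port))
    return services


def is_accessible(services, ip, port):
    """True if ip:port is on the accessible-services list."""
    ports = services.get(ip, set())
    return ports is None or port in ports


def bridge_decision(postures, services, pkt):
    """Return "forward" or "drop" for a packet entering one of the two bridge ports.

    pkt has keys ingress (1 or 2), src, sport, dst, dport. postures maps an
    endpoint IP to its posture; endpoints the NAC 800 has not seen are Unknown.
    """
    if pkt["ingress"] == 2:
        # Endpoint side toward the production network.
        if postures.get(pkt["src"], "Unknown") in COMPLIANT:
            return "forward"
        if is_accessible(services, pkt["dst"], pkt["dport"]):
            return "forward"
        return "drop"
    if pkt["ingress"] == 1:
        # Production side toward the endpoints.
        if postures.get(pkt["dst"], "Unknown") in COMPLIANT:
            return "forward"
        if is_accessible(services, pkt["src"], pkt["sport"]):
            return "forward"                        # assumption: service replies return
        return "drop"
    raise ValueError("the inline bridge has only ports 1 and 2")


# Constructed sample: the guide's SNMP-managed router plus endpoint postures.
SERVICES = parse_accessible_services(["10.1.44.50:161"])
POSTURES = {"10.1.44.200": "Healthy", "10.1.44.201": "Quarantine"}


def demo():
    """Walk constructed packets through the bridge; returns the decisions in order."""
    packets = [
        dict(ingress=2, src="10.1.44.201", sport=40000, dst="10.1.44.50", dport=161),  # SNMP from quarantined host
        dict(ingress=2, src="10.1.44.201", sport=40001, dst="10.1.44.50", dport=22),   # SSH from quarantined host
        dict(ingress=2, src="10.1.44.202", sport=40002, dst="10.1.10.5", dport=80),    # never-tested (Unknown) host
        dict(ingress=2, src="10.1.44.200", sport=40003, dst="10.1.10.5", dport=80),    # healthy host
        dict(ingress=1, src="10.1.10.5", sport=80, dst="10.1.44.201", dport=40001),    # server toward quarantined host
        dict(ingress=1, src="10.1.44.50", sport=161, dst="10.1.44.201", dport=40000),  # SNMP reply
    ]
    return [bridge_decision(POSTURES, SERVICES, p) for p in packets]


if __name__ == "__main__":
    print(demo())  # ['forward', 'drop', 'drop', 'forward', 'drop', 'forward']
```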

How and Where to Deploy the NAC 800

You must install a CS or an ES (for a cluster deployment) between the
endpoints to be tested and the production network. The exact design differs
according to the way endpoints access the network.

VPN Endpoints (Remote Users). Figure 1-14 shows a typical design for
deploying a NAC 800 to control remote endpoints that connect through a VPN.

You connect port 2 of the NAC 800 directly to the gateway device. You connect
the NAC 800’s port 1 to the rest of the network, typically a core switch.

Figure 1-14. Inline Deployment—VPN With a Single NAC 800

Then set the server type to CS or ES. Choose CS if the NAC 800 will act on its
own—typically because:
■ Your network supports fewer than 3000 remote users
■ You only want to test remote endpoints

Choose ES if your network includes other NAC 800s enforcing a different
quarantine method, and you want to manage all NAC 800s centrally. This NAC
800 will be the sole ES in its cluster.

If the VPN supports more than 3000 users, you should deploy a cluster of ESs
to test the remote endpoints. Connect the ESs to switches on their port 2; then
connect the VPN gateway to all of these switches. This design, with its
redundant connections, creates a network loop. It is very important to activate
Spanning Tree Protocol (STP) or Rapid STP (RSTP) on the switches to prevent
broadcast storms.

Figure 1-15 shows a sample design for a cluster of inline ESs.

Figure 1-15. Inline Deployment—VPN With a Cluster of NAC 800s

WAN Endpoints (Users at a Remote Site). This scenario is somewhat
similar to that of a VPN. However, instead of connecting to your network over
a VPN tunnel and a public network, users connect over a private WAN
connection.

You deploy the NAC 800 in a similar position. Connect its port 2 to the WAN
router and its port 1 to a core switch. Then set the type to CS or ES, basing
your decision on the factors discussed in the previous section.

Figure 1-16 shows a typical design.

Figure 1-16. Inline Deployment—WAN

Wireless Endpoints. An AP or a Wireless Edge Services Module can act as
a “choke point” for many users.

If you are controlling wireless endpoints that connect through an AP, simply
deploy the NAC 800 as described in the previous sections, with the AP in the
place of the VPN gateway or the WAN router. Or connect several APs to a
switch and then place the NAC 800 between that switch and the rest of the
network. Make sure that the APs forward all traffic into the network in the
same VLAN.

See Figure 1-17.

Figure 1-17. Inline Deployment—Wireless Network (APs)

Because a Wireless Edge Services Module connects to the rest of the network
on an internal uplink port, you cannot connect that port directly to the NAC
800. Instead, connect the NAC 800’s port 2 to the wireless services-enabled
switch. Connect the NAC 800’s port 1 to another switch. Make sure that the
wireless services-enabled switch connects only to endpoints, not to other
switches; otherwise, the wireless endpoints could access the production
network without passing through the NAC 800. The wireless network should
be on the same VLAN as the wired endpoints. (You can test the integrity of the
wired endpoints, or you can exempt them from testing, as you choose.)

See Figure 1-18.

Figure 1-18. Inline Deployment—Wireless Network (Wireless Edge Services Module)

Note The RPs can be installed anywhere in the network. They encapsulate all
wireless traffic and forward it to the Wireless Edge Services Module. Logically,
therefore the module is the single point of access for the wireless endpoints.

You will need to set up Layer 3 adoption for the RPs so that they can become
adopted through the NAC 800. See the Wireless Edge Services xl Module
Management and Configuration Guide or the Wireless Edge Services zl
Module Management and Configuration Guide.

Management Options for the ProCurve NAC 800

Contents
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Menu Interface and Panel LCD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Access the Menu Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Console Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
SSH Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Navigate the Menu Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
Configure Initial Settings with the Menu Interface . . . . . . . . . . . . . . . . 2-9
Set the Server Type with the Menu Interface . . . . . . . . . . . . . . . . 2-10
Set the IP Address with the Menu Interface . . . . . . . . . . . . . . . . . 2-12
Test IP Settings (Ping) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13
Change the Password to the Menu Interface . . . . . . . . . . . . . . . . . . . . 2-15
Complete Other Tasks in the Menu Interface . . . . . . . . . . . . . . . . . . . 2-17
Reboot the NAC 800 in the Menu Interface . . . . . . . . . . . . . . . . . 2-18
Shut Down the NAC 800 in the Menu Interface . . . . . . . . . . . . . . 2-19
Turn the Locator LED On and Off . . . . . . . . . . . . . . . . . . . . . . . . . 2-20
View System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21
Access the Panel LCD Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-22
Navigate the Panel LCD Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23
Configure Initial Settings with the Panel LCD Menu . . . . . . . . . . . . . 2-24
Set the Server Type with the Panel LCD Menu . . . . . . . . . . . . . . 2-24
Set the IP Address with the Panel LCD Menu . . . . . . . . . . . . . . . 2-26
Test IP Settings (Ping) with the Panel LCD Menu . . . . . . . . . . . . 2-28

Complete Other Tasks Using the Panel LCD Menu . . . . . . . . . . . . . . 2-29
Reboot the NAC 800 Using the Panel LCD Menu . . . . . . . . . . . . . 2-30
Shut Down the NAC 800 Using the Panel LCD . . . . . . . . . . . . . . . 2-31
Set the Ports Speed and Duplex Settings . . . . . . . . . . . . . . . . . . . 2-32
Root Access to the NAC 800 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-35
Web Browser Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
Access the Web Browser Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
Requirements on the NAC 800 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
Requirements on the Management Station . . . . . . . . . . . . . . . . . . 2-38
Steps for Accessing the Web Browser Interface . . . . . . . . . . . . . 2-39
Navigate the Web Browser Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 2-39
Home Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-39
Common Features in Web Browser Interface Screens . . . . . . . . 2-43
Following Instructions to Navigate the Web Browser Interface . . . . . . . . . 2-45
ProCurve Manager (PCM) Plus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-47
Enable PCM Plus to Detect the NAC 800 . . . . . . . . . . . . . . . . . . . . . . . 2-47
Capabilities of PCM Plus for Managing the NAC 800 . . . . . . . . . . . . . 2-48
IDM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-49
Enable IDM to Detect the NAC 800 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-49
Capabilities of IDM for Managing the NAC 800 . . . . . . . . . . . . . . . . . . 2-52

Overview
This chapter introduces you to the options for managing and configuring the
ProCurve NAC 800.

The available options depend on your NAC 800’s server type, which can be:
■ Management server (MS)
■ Enforcement server (ES)
■ Combination server (CS)

See Chapter 1: “Overview of the ProCurve NAC 800” for more information on
the roles played by each server type.

Most configuration for an ES is handled through its MS. So an ES itself has
only these management options:
■ A menu interface
■ Panel LCD and buttons
■ Root access to the OS
■ ProCurve Identity Driven Manager (IDM) (when the ES acts as a Remote
Authentication Dial-In User Service [RADIUS] server in an 802.1X deploy-
ment)

You can manage an MS or a CS with any of these options:
■ A menu interface
■ Panel LCD and buttons
■ A Web browser interface (also called a Graphical User Interface [GUI])
■ Root access to the OS
■ ProCurve Manager (PCM) and PCM Plus
■ IDM

The following sections of this chapter guide you through the process of
accessing and navigating each management option.

Note You must use the menu interface or panel LCD menu to set up some basic
options before you can access the Web browser interface.

Note All instructions assume that you have installed and powered on the NAC 800,
as explained in the ProCurve Network Access Controller 800 Hardware
Installation Guide.

The remaining chapters of the management and configuration guide focus on
the Web browser interface. However, these chapters also explain how to
complete some tasks by logging in to the OS root, when necessary.

In addition, in Chapter 4: “Configuring the RADIUS Server—Integrated with
ProCurve Identity Driven Manager,” you will learn about integrating the NAC
800’s RADIUS server with IDM. IDM is required to configure certain RADIUS
capabilities on the NAC 800, and it simplifies the configuration of other
RADIUS capabilities. You should refer to the ProCurve Identity Driven
Manager Users’ Guide for complete instructions on using IDM to manage your
NAC 800.

Menu Interface and Panel LCD

The menu interface and panel LCD support a limited number of management
and configuration tasks, including:
■ Setting the server type
■ Configuring IP settings
■ Testing connectivity (pinging)
■ Rebooting the NAC 800
■ Shutting down the NAC 800
■ Turning the locator LED on and off (menu interface only)
■ Setting port speed and duplex settings (panel LCD only)

Primarily, these management options serve to:
■ Ready the NAC 800 for management through another option
■ Shut down and reboot the NAC 800

Access the Menu Interface

You can access the menu interface in two ways:
■ Console session—requires physical access to the ProCurve NAC 800
■ Secure Shell (SSH) session—requires a reachable IP address on the
NAC 800

Console Session
Follow these steps to access the menu interface through a console session:
1. Your NAC 800 ships with a console cable. Plug the cable’s Ethernet (RJ45)
connector into the Console Ethernet port, which is located on the left
front panel of the NAC 800.
2. Plug the cable’s DB-9 connector into a console port on your management
workstation.

Figure 2-1. Accessing the Menu Interface with a Console Session

3. Use terminal session software such as Tera Term to open a console session
with the NAC 800. Use the following settings:
• Baud rate = 9600
• Bits = 8
• Stop bits = 1
• Parity = None
• Flow control = None
• For the Windows Terminal program, disable (uncheck) the “Use
Function, Arrow, and Ctrl Keys for Windows” option.
• For the Hilgraeve HyperTerminal program, select the “Terminal keys”
option for the “Function, arrow, and ctrl keys act as” parameter.
4. When prompted for your username, enter admin.
5. When prompted, enter your password (default, procurve).

You should now see the Application Main Menu.

Figure 2-2. Application Main Menu

SSH Session
Follow these steps to access the menu interface through an SSH session:
1. Open an SSH session with the NAC 800.
Use an SSH-capable terminal session application such as Tera Term or
PuTTY.
You must specify the NAC 800’s IP address. Its default address is
192.168.0.2, and the NAC 800 does not initially have a default gateway.
Unless you can reach the default IP address, you must set the NAC 800’s
IP address (using either a console session or the panel LCD) before you
can open the SSH session. (See “Configure Initial Settings with the Menu
Interface” on page 2-9 or “Configure Initial Settings with the Panel LCD
Menu” on page 2-24.)
2. When prompted for your username, enter admin.
3. When prompted, enter your password (default, procurve).

Figure 2-3. Accessing the Menu Interface with an SSH Session

You should now see the Application Main Menu.

Figure 2-4. Application Main Menu

Navigate the Menu Interface

The top of a screen in the menu interface displays the screen name—for
example, Application Main Menu.

Below the screen name are listed various options. Press a number to select
the option and move to a new screen.

Note In this management and configuration guide, the following instructions indi-
cate that you should simply press a key on your keyboard:

Press [keyname].

The following instructions, on the other hand, indicate that you should type
in the indicated string and then press [Enter]:

Enter <string>.

Instructions for using the menu interface include figures. The figure caption
lists the options that you must select to reach the illustrated screen from the
Application Main Menu.

For example, Figure 2-5 shows the Server Type screen. To reach this screen,
you must press [1] twice from the Application Main Menu.

Figure 2-5. Application Main Menu > 1. Configuration > 1. Server Type

In any screen, you can press [0] to move back one screen. Press [0] in the
Application Main Menu to log out of the menu interface.

Figure 2-6 illustrates the architecture of the menu interface.

Figure 2-6. Menu Interface Architecture

Configure Initial Settings with the Menu Interface

Before you can configure your NAC 800 through the Web browser interface,
you must configure some initial settings, including server type and IP settings.
You should also immediately change the menu password to secure access to
the device.

The menu interface is one option for configuring these settings.

Before completing the instructions in the sections below, access the menu
interface as described in “Access the Menu Interface” on page 2-5.

Figure 2-7. Application Main Menu

Set the Server Type with the Menu Interface

When you set the server type, the NAC 800 erases:
■ All databases
■ All licenses
■ All configurations except for:
• IP address
• Hostname
• Default gateway
• Domain Name System (DNS) server
• Network Time Protocol (NTP) server and time zone

Note An exception is when you change the server type from MS to ES, in which
case all settings are erased.

Setting the server type always resets the NAC 800’s configuration even if you
set it to the device’s current type. In fact, setting the server type is an easy way
to return to factory default settings (but keep your current IP settings).

Follow these steps to set the server type from the menu interface:
1. In the main menu, press [1] for Configuration.

Figure 2-8. Main Menu > 1. Configuration

2. Press [1] for Server Type.

Figure 2-9. Application Main Menu > 1. Configuration > 1. Server Type

3. Choose the server’s type: CS, MS, or ES.
Press [1] for Combination Server if your NAC 800 is a stand-alone device.
This is the typical choice for a NAC 800 that functions only as a RADIUS
server.
If your NAC 800 is part of a cluster deployment (see Chapter 1: “Overview
of the ProCurve NAC 800” for more information), choose either MS or ES:
• On one NAC 800, press [2] for Management Server.
• On the other NAC 800s, press [3] for Enforcement Server.

Set the IP Address with the Menu Interface

Follow these steps to set a NAC 800’s IP address using the menu interface:
1. Access the Configuration menu (Main Menu > 1. Configuration).

Figure 2-10. Application Main Menu > 1. Configuration

2. Press [2] for IP Configuration.

Figure 2-11. Application Main Menu > 1. Configuration > 2. IP Configuration

3. The screen displays the NAC 800’s current settings. Enter the new IP
address (or press [Enter] to accept the current address). For example:
10.1.1.20

Figure 2-12. Application Main Menu > 1. Configuration > 2. IP Configuration

4. Enter the subnet mask for the NAC 800’s subnetwork.
For example, for a /26 network, enter:
255.255.255.192
For a list of the masks that correspond to subnets of various lengths, see
“Entering Networks Using CIDR Format” in Chapter 13: System Admin-
istration of the ProCurve Network Access Controller 800 Users’ Guide.
5. Enter the IP address of the default router on the NAC 800’s subnet.
By default, the menu interface suggests the lowest IP address in the
subnet. Press [Enter] to accept the default. Otherwise, enter the correct IP
address. For example:
10.1.1.2
6. When asked to confirm the settings, check them and (if they are correct),
press [y] and press [Enter].

Test IP Settings (Ping)

After you set the IP address, you should verify connectivity by pinging:
■ The NAC 800’s default gateway
■ Your management station
■ The NAC 800’s DNS server
■ Several IP addresses for Network Access Servers (NASs) such as edge
switches and wireless access points (APs)

Note For security reasons, the NAC 800 does not respond to pings that it does not
initiate. Therefore, you must always test connectivity between the NAC 800
and another device from the NAC 800’s management interface.

Follow these steps to conduct the ping test:
1. Press [0] until you reach the Application Main Menu.

Figure 2-13. Application Main Menu

2. Press [2] for Diagnostics.

Figure 2-14. Application Main Menu > 2. Diagnostics

3. Press [1] for Ping test.
4. Enter the IP address to which you want to confirm connectivity.
Or press [Enter] to ping the default gateway.

Figure 2-15. Application Main Menu > 2. Diagnostics > 3. Ping Test

5. The results of the ping, including the times for the round trip, are
displayed.

Figure 2-16. Application Main Menu > 2. Ping test > Results

By default, the NAC 800 sends out five pings. You can stop the ping test
at any time, however, by pressing [Ctrl+c].
6. When you have finished looking at the results, press [Enter] to continue
configuring the device.

Change the Password to the Menu Interface

The username with which you access the menu interface is admin, and the
default password is procurve. To protect access to your NAC 800’s menu
interface, you should always change the password.

Follow these steps to change the password:
1. In the main menu, press [1] for Configuration.

Figure 2-17. Main Menu > 1. Configuration

2. Press [3] for Change Password.

Figure 2-18. Main Menu > 1. Configuration > 3. Change Password

3. Enter y to confirm that you want to change the password.
4. Enter a password 8 characters or longer. The password can include
alphanumeric and special characters, but does not have specific complex-
ity requirements.

Note When you initially access the Web browser interface, you create a user-
name and password for an administrator with access to that interface. You
can, if you so desire, set these to match the username and password for
the menu interface. However, passwords for Web browser managers must
meet these requirements:
• At least 8 characters
• Mixed letters and numbers
Therefore, if you plan to use the same password to access the menu
interface and the Web browser interface, the password created in step 4
must include a mix of letters and numbers.

5. When prompted, re-enter the same password.

Figure 2-19. Application Main Menu

6. Press [Enter].

Complete Other Tasks in the Menu Interface

Besides configuring initial settings as described in the previous section, you
can complete the following management tasks from the menu interface:
■ Reboot the NAC 800
■ Shut down the NAC 800
■ Turn the locator LED on and off
■ View system information

Reboot the NAC 800 in the Menu Interface

When you reboot the NAC 800, the device shuts down and immediately
restarts, booting from its primary software and startup-config.

Generally, you must reboot the NAC 800 when you update its software.

Note You do not need to worry about saving your configurations because the NAC
800 OS automatically saves configurations to its startup-config as they are
made. However, you should periodically back up your system as explained in
Chapter 7: “Redundancy and Backup for RADIUS Services.”

Follow these steps to reboot the NAC 800:


1. Press [0] until you reach the Application Main Menu.

Figure 2-20. Application Main Menu

2. Press [3] for Reboot.

Figure 2-21. Application Main Menu > 3. Reboot


3. Enter y to confirm the reboot.


The NAC 800 restarts as soon as you press [Enter].

Shut Down the NAC 800 in the Menu Interface


When you shut down the NAC 800, the device powers down and remains down
until manually restarted. You can restart the NAC 800 by removing and then
restoring power.

Note You do not need to worry about saving your configurations because the NAC
800 OS automatically saves configurations to its startup-config as they are
made. However, you should periodically back up your system as explained in
Chapter 7: “Redundancy and Backup for RADIUS Services.”

Follow these steps to shut down the NAC 800:


1. Press [0] until you reach the Application Main Menu.

Figure 2-22. Application Main Menu

2. Press [4] for Shutdown.


Figure 2-23. Application Main Menu > 4. Shutdown

3. Enter y to confirm the shutdown.


The NAC 800 shuts down as soon as you press [Enter].
To restart the NAC 800, remove power and then return it.

Turn the Locator LED On and Off


The locator LED helps you to pick out a device that is installed among many
devices. For example, you may be configuring a NAC 800 through a remote
SSH session. You decide that you need to access the device physically, so you
turn on the locator LED to quickly find the correct device.

The locator LED is most useful if you generally keep it off on all devices (which
it is by default). Then, when you turn it on for a particular device, you are sure
that you are seeing the LED of the device in question.

Follow these steps to turn the locator LED on or off:


1. In the main menu, press [2] for Diagnostics.

Figure 2-24. Application Main Menu > 2. Diagnostics


2. Press [2] for Locator LED.

Figure 2-25. Application Main Menu > 2. Diagnostics > 3. Locator LED

3. Press [0] to turn the LED off or [1] to turn it on.


4. Press [Enter] to continue configuring the device.

View System Information


You can view the following information about the NAC 800 in the menu
interface:
■ Server type
■ Software version
■ Date of last update of the software
■ Operating system version
■ Hardware ID (serial number)
■ Time zone

Follow these steps:


1. In the main menu, press [1] for Configuration.


Figure 2-26. Main Menu > 1. Configuration

2. Press [4] for System Information.

Figure 2-27. Main Menu > 1. Configuration > 4. System Information

3. Press [Enter] when you are finished viewing the information.

Access the Panel LCD Menu


The panel LCD is located on the front of the ProCurve NAC 800. To use the
LCD menu, you must, of course, have physical access to the device.

In addition to the LCD, the panel includes six buttons:


■ Four arrow buttons (left, right, up, and down)
■ An accept button (a checkmark)
■ A cancel button (an X)

You use these buttons to interact with the panel LCD.


Initially, the panel LCD lists the following information:


■ Server type (for example, Combination Server)
■ IP address

Figure 2-28. Panel LCD

Press the accept button to make the LCD display the menu interface.

Navigate the Panel LCD Menu


The architecture of the panel LCD menu is similar to that of the menu interface.
See Figure 2-29.

Figure 2-29. Panel LCD Menu Interface Architecture


Navigating the panel LCD menu is easy: for the most part, you can follow the
instructions indicated on the panel screen.

Use the up and down arrows to scroll the cursor through options. When the
cursor reaches your option, select it by pressing the accept button. In the
following sections, “select Option” indicates that you should scroll to the
indicated option and click the accept button.

Press the cancel button to move back a screen. (Sometimes you must press
the left button instead. The screen will indicate when this is the case.)

When you are presented with a choice—for example, whether to accept a
setting—press the accept button (for yes) or the cancel button (for no).

Configure Initial Settings with the Panel LCD Menu


Before you can configure your NAC 800 through the Web browser interface,
you must configure some initial settings, including server type and IP settings.

The panel LCD menu is one option for configuring these settings.

Note Even if you choose to configure initial settings through the panel LCD menu,
you should access the menu interface and change the menu password. Otherwise
an unauthorized user might gain access to your NAC 800. (See “Change the
Password to the Menu Interface” on page 2-15.)

Set the Server Type with the Panel LCD Menu


When you set the server type, the NAC 800 erases:
■ All databases
■ All configurations except for:
• IP address
• Hostname
• Default gateway
• DNS server
• NTP server and time zone

Note Setting the server type always resets the NAC 800’s configuration even if you
set it to the device’s current type. In fact, setting the server type is an easy way
to return to factory default settings (but keep your current IP settings).


Follow these steps to set the server type from the panel LCD menu:
1. Access the menu. (If the panel currently shows the NAC 800’s server type
and IP address, press the accept button.)

Figure 2-30. Panel LCD Menu

2. Select Configuration.

Figure 2-31. Panel LCD Menu > Configuration

3. Select Server Type.

Figure 2-32. Panel LCD Menu > Configuration

4. Choose the server’s type: CS, MS, or ES.


Select Combination Server if your NAC 800 is a stand-alone device. This is
the typical choice for a NAC 800 that functions only as a RADIUS server.
If your NAC 800s are part of a cluster deployment (see Chapter 1: “Overview
of the ProCurve NAC 800” for more information), choose either MS or ES:
• On one NAC 800, select Management Server.
• On the other NAC 800s, select Enforcement Server.


5. Your selection is displayed. Push the accept button.

Set the IP Address with the Panel LCD Menu


Follow these steps to set a NAC 800’s IP address using the panel LCD menu:
1. Access the Configuration menu (Panel LCD Menu > Configuration).
If necessary, press the cancel button to move back a screen or the accept
button to access the main menu.

Figure 2-33. Panel LCD Menu > Configuration

2. Select IP Address—Port 1.

Figure 2-34. Panel LCD Menu > Configuration > IP Address—Port 1

3. Set the NAC 800’s IP address.


On the panel LCD, an IP address is displayed as twelve digits (four groups of
three). Use the left and right arrow buttons to move the cursor from digit to
digit. Then use the up and down arrow buttons to alter the selected digit.
Note that the NAC 800 treats each group of three digits as a single number.
For example, if the first three digits currently display 009, and with your
cursor at the third digit you press the up arrow button, the digits then
display 010.


Figure 2-35. Panel LCD Menu > Configuration > IP Address—Port 1 (IP Address)

When you are finished, press the accept button.

Figure 2-36. Panel LCD Menu > Configuration > IP Address—Port 1 (Subnet Mask)

4. Set the mask for the NAC 800’s subnet.


Use the arrow buttons to alter the subnet mask. (For a list of the masks
that correspond to subnets of various lengths, see “Entering Networks
Using CIDR Format” in Chapter 13: System Administration of the
ProCurve Network Access Controller 800 Users’ Guide.)
Press the accept button when you are finished.
You can accept the default mask by immediately pressing the accept
button.

Figure 2-37. Panel LCD Menu > Configuration > IP Address—Port 1 (Gateway)

5. Set the IP address of the default router for the NAC 800’s subnet.
The default IP address for the router is the lowest IP address in the NAC
800’s subnet. Again, you use the arrow buttons to change the address and
press the accept button when you are finished.


6. The NAC 800 OS checks the new IP settings.


• If the IP settings are valid, the panel LCD displays:
IP Address OK
Setting new IP...
• If you set an invalid subnet mask or a default router that is not in the
NAC 800’s subnet, the panel LCD indicates the problem. Press the
accept button and you are moved to the proper screen to fix the
problem.

Note IP settings can be valid while still incorrect for your environment. Always
check connectivity with the ping test.
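The checks in step 6 can be reproduced off the device. The following Python block is an added example, not ProCurve code: it models the two errors the LCD reports (an invalid subnet mask and a default router outside the subnet), accepts addresses in the LCD's zero-padded form ("010.001.001.150") as well as plain dotted decimal, and models the "each group of three digits is one number" behaviour of the arrow buttons. The digit weights and the wrap at 255 in lcd_step(), and reading "lowest IP address in the subnet" as the first usable host address, are assumptions of this model; the sample values are constructed.

```python
"""Check NAC 800 IP settings the way the panel LCD checks them (added example,
not ProCurve code). Standard library only."""
import ipaddress
from typing import Tuple


def normalize_dotted(addr: str) -> str:
    """Turn the LCD form '010.001.001.150' into '10.1.1.150'.
    Python's ipaddress module rejects leading zeros, so do this first."""
    parts = addr.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() and 1 <= len(p) <= 3 for p in parts):
        raise ValueError(f"not a dotted-decimal address: {addr!r}")
    return ".".join(str(int(p)) for p in parts)


def lcd_step(lcd: str, digit_index: int, delta: int) -> str:
    """Model one up (+1) or down (-1) arrow press with the cursor on digit
    digit_index (0-11) of the twelve-digit LCD address. Each 3-digit group is
    one number, so an up press on the third digit of '009' gives '010'."""
    groups = lcd.split(".")
    group, pos = divmod(digit_index, 3)
    weight = 10 ** (2 - pos)                               # 100, 10 or 1 (assumed)
    value = (int(groups[group]) + delta * weight) % 256    # wrap at 255 (assumed)
    groups[group] = f"{value:03d}"
    return ".".join(groups)


def is_valid_mask(mask: str) -> bool:
    """A subnet mask is a run of ones followed by a run of zeros. Note that
    ipaddress alone would also accept a hostmask such as 0.0.0.255, which the
    LCD would not; the bit test below rejects it."""
    try:
        m = int(ipaddress.IPv4Address(normalize_dotted(mask)))
    except ValueError:
        return False
    inv = ~m & 0xFFFFFFFF
    return inv & (inv + 1) == 0


def default_gateway(ip: str, mask: str) -> str:
    """The LCD offers the lowest address in the NAC 800's subnet as the default
    router; taken here to mean the first usable host address (assumption)."""
    net = ipaddress.IPv4Network(f"{normalize_dotted(ip)}/{normalize_dotted(mask)}",
                                strict=False)
    return str(net.network_address + 1)


def check_ip_settings(ip: str, mask: str, gateway: str) -> Tuple[bool, str]:
    """Return (ok, message) for an address, mask and default router given in
    plain or LCD (zero-padded) notation."""
    try:
        host = ipaddress.IPv4Address(normalize_dotted(ip))
    except ValueError:
        return False, f"invalid IP address {ip}"
    if not is_valid_mask(mask):
        return False, f"invalid subnet mask {mask}"
    net = ipaddress.IPv4Network(f"{host}/{normalize_dotted(mask)}", strict=False)
    try:
        router = ipaddress.IPv4Address(normalize_dotted(gateway))
    except ValueError:
        return False, f"invalid default router {gateway}"
    if router not in net:
        return False, f"default router {router} is not in subnet {net.with_prefixlen}"
    return True, "IP Address OK"   # what the LCD shows before "Setting new IP..."


if __name__ == "__main__":
    # Constructed sample values around the guide's example address 10.1.1.150.
    print(check_ip_settings("010.001.001.150", "255.255.255.000", "010.001.001.001"))
    print(check_ip_settings("10.1.1.150", "255.255.0.255", "10.1.1.1"))
    print(check_ip_settings("10.1.1.150", "255.255.255.0", "10.1.2.1"))
```

As the note says, a setting can pass these checks and still be wrong for your network, so the ping test in the next section remains necessary.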

Test IP Settings (Ping) with the Panel LCD Menu


After you set the IP address, you should verify connectivity by pinging:
■ The NAC 800’s default gateway
■ Your management station
■ The NAC 800’s DNS server
■ Several IP addresses for NASs such as edge switches and wireless APs

Note For security reasons, the NAC 800 does not respond to pings that it does not
initiate. Therefore, you must always test connectivity with the NAC 800 from
a NAC 800 management interface.

Follow these steps to conduct the ping test:


1. Access the main LCD menu.
Press the accept button to access the main menu initially; press the cancel
button to move back a screen.

Figure 2-38. Panel LCD Menu

2. Select Ping Test.


Figure 2-39. Panel LCD Menu > Ping Test

3. Set the IP address to which you want to confirm connectivity.


By default, the IP address is set to the NAC 800’s default gateway. Press
the accept button to ping the default gateway.
To ping a different IP address, use the left and right arrow buttons to move
the cursor from digit to digit. Then use the up and down arrow buttons to
alter the selected digit.
Note that the NAC 800 treats each set of three digits as a single number.
For example, if the first three digits currently display 009, and with your
cursor at the third digit you press the up arrow button, the digits then
display 010.
When you are finished, press the accept button.
4. The results of the ping are displayed.

Figure 2-40. Panel LCD Menu > Ping Test > Results

5. Press the left arrow button to continue configuring the device.

Complete Other Tasks Using the Panel LCD Menu


Besides configuring initial settings as described in the previous section, you
can complete the following management tasks with the panel LCD and
buttons:
■ Reboot the NAC 800
■ Shut down the NAC 800
■ Set the port type and speed (not typically necessary)


Reboot the NAC 800 Using the Panel LCD Menu


When you reboot the NAC 800, the device shuts down and immediately
restarts, booting from its primary software and startup-config.

Generally, you must reboot the NAC 800 when you update its software.

Note You do not need to worry about saving your configurations because the
NAC 800 OS automatically saves configurations to its startup-config as they
are made. However, you should periodically back up your system as explained
in Chapter 7: “Redundancy and Backup for RADIUS Services.”

Follow these steps to reboot the NAC 800:


1. Access the main LCD menu.
Press the accept button to access the main menu initially; press the cancel
button to move back a screen.

Figure 2-41. Panel LCD Menu

2. Select Reboot/Shutdown.

Figure 2-42. Panel LCD Menu > Reboot/Shutdown

3. Select Reboot the NAC 800.


Figure 2-43. Panel LCD Menu > Reboot/Shutdown > Reboot the NAC

4. Press the accept button to confirm.


The NAC 800 begins to reboot as soon as you press the accept button.

Shut Down the NAC 800 Using the Panel LCD


When you shut down the NAC 800, the device powers down and remains down
until manually restarted.

Note You do not need to worry about saving your configurations because the NAC
800 OS automatically saves configurations to its startup-config as they are
made. However, you should periodically back up your system as explained in
Chapter 7: “Redundancy and Backup for RADIUS Services.”

You can restart the NAC 800 by removing and then restoring power.

Follow these steps to shut down the NAC 800:


1. Access the main LCD menu.
Press the accept button to access the main menu initially; press the cancel
button to move back a screen.

Figure 2-44. Panel LCD Menu

2. Select Reboot/Shutdown.


Figure 2-45. Panel LCD Menu > Reboot/Shutdown

3. Select Shutdown the NAC.

Figure 2-46. Panel LCD Menu > Reboot/Shutdown > Shutdown the NAC

4. Press the accept button to confirm.


The NAC 800 powers down as soon as you press the accept button.

Set the Ports Speed and Duplex Settings


By default, the NAC 800 sets the speed and duplex settings for its ports
automatically based on the other end of the connection.

Both port 1 and port 2 support these speeds:


■ 1000 Mbps
■ 100 Mbps
■ 10 Mbps

The ports can also act in full duplex (send and receive data at the same time)
or in half duplex (only send or receive data at any moment). However, if you
select 1000 Mbps, full duplex is the only option.

Typically, the ports should auto-negotiate these settings, because unless they
exactly match settings on the other end, the connection fails.


However, if for whatever reason you must set the port speed and duplex
settings manually, follow these steps:
1. Access the menu. (If the panel currently shows the NAC 800’s server type
and IP address, press the accept button.)

Figure 2-47. Panel LCD Menu

2. Select Configuration.

Figure 2-48. Panel LCD Menu > Configuration

3. Select Ports Speed/Duplex.

Figure 2-49. Panel LCD Menu > Configuration > Ports Speed/Duplex

4. Select Port 1 or Port 2.


Figure 2-50. Panel LCD Menu > Configuration > Ports Speed/Duplex > Port 1

5. The default setting is Auto. All combinations of speed and duplex options
are displayed below. Scroll through the list and press the accept button
to select the one you want.


Root Access to the NAC 800


Certain tasks may require you to log into the NAC 800 as root and access its
Linux-based OS.

Caution Be very careful when configuring the NAC 800 from the root:
misconfigurations can cause the device to malfunction. You should be
experienced with Linux systems.

Follow these steps to gain root access to the NAC 800:


1. Use terminal software such as Tera Term or PuTTY to open a session
with the NAC 800. Either:
• An SSH session to the NAC 800’s IP address
• A console session (your management station is connected to the
NAC 800’s console Ethernet port)
2. When prompted for the username, enter root.
3. When prompted for the password, enter the root password (default,
procurve).

Navigate the OS just as you would any Linux OS. The NAC 800 features many
common Linux applications such as VI, which allows you to edit configuration
files. See Appendix B: “Linux Commands.”

When this guide instructs you to enter a command from the root, the command
will be denoted by this text:

Syntax:

This guide uses the following conventions for command syntax:


■ Angle brackets ( < > ) enclose variable elements. Replace the italicized
words that are enclosed in the brackets with text that you choose, such
as a filename.
■ Square brackets ( [ ] ) are used in two ways:
• They enclose a set of options. When entering the command, you select
one option from the set. For example, if the syntax indicates [rsa | dsa]
you would enter either rsa or dsa.
• They indicate an optional element. You can include the optional
element in the command, but it is not required.


■ Vertical bars ( | ) separate alternative, mutually exclusive elements.


■ Bold typeface is used for simulations of actual keys. For example, the “Y”
key appears as [y].

For example:

Syntax: keytool -certreq -alias <keyname> -file <filename> -keystore /usr/local/nac/compliance.keystore

The actual command that you enter might be:

keytool -certreq -alias mykey -file myrequest.der -keystore /usr/local/nac/compliance.keystore


Web Browser Interface


The Web browser interface of an MS or CS supports the majority of management
and configuration tasks, including (but not limited to):
■ Updating software
■ Adding management users and roles
■ Creating clusters and adding ESs to the clusters
■ Configuring most RADIUS settings
■ Configuring endpoint integrity

The remaining chapters in this management and configuration guide explain
how to perform all of these tasks except configuring endpoint integrity: if you
want to use that capability, refer to the ProCurve Network Access Controller
800 Users’ Guide.

Access the Web Browser Interface


The NAC 800 includes an HTTPS (not HTTP) server on which it can run a Web
browser interface.

Note HTTPS, a protocol similar to HTTP, encrypts communications to increase
security. In addition, HTTPS requires the Web server (in this case, the NAC
800) to authenticate itself with a digital certificate.

Requirements on the NAC 800


To access the NAC 800’s Web browser interface, you must ensure the NAC
800 has:
■ A reachable IP address
■ Its server type set to MS or CS
■ A digital certificate
The NAC 800, at factory default settings, includes a self-signed certificate.

Similarly, you must ready a NAC 800 to be added to an MS’s cluster as an ES.
This NAC 800 requires:
■ An IP address reachable from the MS
■ The server type set to ES


You can configure these initial settings either with the menu interface or the
panel LCD menu. See “Configure Initial Settings with the Menu Interface” on
page 2-9 or “Configure Initial Settings with the Panel LCD Menu” on page 2-24.

After initial configuration, you can install the NAC 800 in its final location.
(See the ProCurve Network Access Controller 800 Hardware Installation
Guide.)

Requirements on the Management Station


The workstation from which you access the NAC 800 is the management
station. It requires network connectivity and one of the following Web
browsers:
■ On a Windows station:
• Mozilla version 1.7
• Mozilla Firefox version 1.5 or later
• Internet Explorer 6.0
■ On a Linux station:
• Mozilla version 1.7
• Mozilla Firefox version 1.5 or later

The Web browser must implement the following settings:


■ Pop-up windows allowed—allows you to run reports

Note Reports do not apply to RADIUS functions.


■ ActiveX allowed—allows you to access the online help
■ Minimum font size unspecified
■ Page caching enabled

To keep the Web browser interface running smoothly, you should also
periodically delete temporary files.

For help configuring these settings, see Appendix B: Important Browser
Settings in the ProCurve Network Access Controller 800 Users’ Guide.


Steps for Accessing the Web Browser Interface


After determining that your station meets all requirements, follow these steps
to access the Web browser interface of the NAC 800 (CS or MS):
1. Open the Web browser on your management station.
2. Enter https://<NAC 800 IP address>. For example:
https://10.1.1.150
3. Since the NAC 800 is using its self-signed certificate, your browser will
probably ask you whether you want to trust this certificate. Answer yes.

Note You can upload a new certificate—for example, one signed by your own
certificate authority (CA)—to the NAC 800. See “Digital Certificates” on page
3-52 of Chapter 3: “Initial Setup of the ProCurve NAC 800.”

4. You connect to the NAC 800’s Web browser interface.


The first time that you access the Web browser interface, you must
complete some basic setup. For instructions, see “Initial Configuration of
CS or MS Settings” on page 3-4 of Chapter 3: “Initial Setup of the ProCurve
NAC 800.”
The next time that you access the Web browser interface, you must log in
with the Administrator username and password created during the basic
setup.
You can also log in as another management user, created as described in
“Create Management Users” on page 3-41 of Chapter 3: “Initial Setup of
the ProCurve NAC 800.”
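Step 3 asks you to trust the self-signed certificate without any way to tell it apart from one presented by a different host answering at that address. The following Python block is an added example, not ProCurve code: it records the SHA-256 fingerprint of the certificate the NAC 800 serves on its HTTPS port at first contact, so later connections, or the CA-signed certificate you upload as described in Chapter 3, can be compared against a known value rather than accepted blindly. It uses only the standard library; the host address and the sample bytes are constructed, and the guide does not describe a way to read the fingerprint on the device itself.

```python
"""Record and re-check the certificate the NAC 800 presents on HTTPS
(added example, not ProCurve code). Standard library only."""
import hashlib
import hmac
import ssl


def fetch_server_cert_pem(host: str, port: int = 443) -> str:
    """Retrieve the PEM certificate served at https://host:port. No CA
    validation is attempted here, because the factory self-signed certificate
    would fail it; the fingerprint comparison below is the check instead."""
    return ssl.get_server_certificate((host, port))


def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, as colon-separated uppercase hex, the
    form browsers show in their certificate viewer."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _canonical(fp: str) -> str:
    # Accept values copied from a browser: strip separators, ignore case.
    return fp.replace(":", "").replace(" ", "").upper()


def fingerprint_matches(pem: str, pinned: str) -> bool:
    """Compare the presented certificate against a fingerprint recorded
    earlier. compare_digest keeps the comparison constant-time; the values
    are not secret, but it costs nothing."""
    return hmac.compare_digest(_canonical(cert_fingerprint(pem)), _canonical(pinned))


# Constructed stand-in so the functions can be exercised offline. It is NOT an
# X.509 certificate; the fingerprint functions only need the DER bytes.
SAMPLE_DER = b"constructed sample bytes, not a real certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


if __name__ == "__main__":
    # Real use: fetch once when the appliance is set up and keep the value,
    # then compare on each later connection and after uploading a new cert:
    #   pem = fetch_server_cert_pem("10.1.1.150")   # constructed address
    #   print(fingerprint_matches(pem, RECORDED_FINGERPRINT))
    print(cert_fingerprint(SAMPLE_PEM))
```

Keep the recorded fingerprint somewhere other than the NAC 800 itself, and expect it to change exactly once when you replace the factory certificate.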

Navigate the Web Browser Interface


This section teaches you how to navigate the Web browser interface, beginning
in the Home screen. You should be comfortable navigating the interface so that
you can follow instructions in subsequent chapters.

Home Screen
Figure 2-51 shows the Home screen of the Web browser interface.


Figure 2-51. Home

Top Area. The Web browser interface features an area at the top of the
screen, which remains as you navigate from screen to screen.

Note Future figures in the management and configuration guide will not show the
top area.

This area displays the name of the device: Network Access Controller 800. To
the right is the name of the user account with which you logged in. The user
account determines the privileges you have to the Web browser interface. See
“Create Management Users” on page 3-41 of Chapter 3: “Initial Setup of the
ProCurve NAC 800.”


Below the account name are four links:


■ Refresh—Click to update the information displayed (for example, about
the status of a device).
■ Help—Click to view the online help.
■ Support—Click to access the ProCurve Networking Web site and download
documentation, read FAQs, and submit questions to support.
■ Logout—Click to close the HTTPS session with the NAC 800.

Note You should always log out of the Web browser interface (rather than simply
shut the browser) to prevent an unauthorized person from hijacking the
management session.

The top area of the Home screen also displays alerts. For example, in
Figure 2-51, you can see warnings that the NAC 800’s license has expired.

Click the clear button to delete an alert.

Note A NAC 800 that acts as a RADIUS server only does not require a license, so
you will often see the warnings displayed in Figure 2-51. Simply ignore them.

Left Navigation Bar. The left navigation bar includes five options:
■ Endpoint activity
■ NAC policies
■ System monitor
■ Reports
■ System configuration

Note If you do not see an option, you have logged in as a user that does not have
privileges for that particular option. See “Create Management Users” on page
3-41 of Chapter 3: “Initial Setup of the ProCurve NAC 800.”

Select an option to access a series of screens in which you can complete the
associated management and configuration tasks. (See Table 2-1.)

For a NAC 800 that acts as a RADIUS server only, the System configuration and
System monitor screens are most important.


Table 2-1. Home Left Navigation Bar Options

Left Navigation Bar Option: Endpoint activity
Tasks in Associated Screens:
• Check endpoint status:
– access control status
– test status
• Change endpoint access control status
Documentation: Chapter 4: Endpoint Activity in the ProCurve Network Access
Controller 800 Users’ Guide

Left Navigation Bar Option: NAC policies
Tasks in Associated Screens:
• Create NAC policy groups and place policies in groups
• Assign enforcement clusters to groups
• Configure NAC policies:
– Choose which endpoint tests are enforced
– Configure test properties (criteria for passing)
– Set action taken against endpoints that fail
Documentation: Chapter 6: NAC Policies in the ProCurve Network Access
Controller 800 Users’ Guide

Left Navigation Bar Option: System monitor
Tasks in Associated Screens:
• Check status and performance of the NAC 800
• For a cluster deployment, check status and performance of ESs
Documentation: “System Monitor” in Chapter 1: Introduction in the ProCurve
Network Access Controller 800 Users’ Guide

Left Navigation Bar Option: Reports
Tasks in Associated Screens:
• Run reports on:
– NAC policy results
– Connected endpoints and their test status
– Test results and the endpoints that passed or failed
Documentation: Chapter 12: Reports in the ProCurve Network Access
Controller 800 Users’ Guide

Left Navigation Bar Option: System configuration
Tasks in Associated Screens:
• RADIUS-only tasks:
– Manage enforcement clusters
– Configure MS and ES settings
– Configure RADIUS settings
– Create exceptions for endpoint testing
• Endpoint integrity tasks:
– Set up quarantining
– Configure other cluster settings
– Set up NAC policies
Documentation:
• RADIUS-only tasks:
– Chapter 3: “Initial Setup of the ProCurve NAC 800”
– Chapter 4: “Configuring the RADIUS Server—Integrated with ProCurve
Identity Driven Manager”
– Chapter 5: “Configuring the RADIUS Server—Without Identity Driven
Manager”
• Endpoint integrity tasks:
– Chapter 3: System Configuration in the ProCurve Network Access
Controller 800 Users’ Guide
– Chapter 6: NAC Policies in the ProCurve Network Access Controller 800
Users’ Guide


Central Area. The central area of the Home screen includes two sections.

The Access control section shows the number of endpoints that are currently:
■ Granted access by the NAC 800
■ Quarantined by the NAC 800
■ Once connected but are currently disconnected

On a NAC 800 acting only as a RADIUS server, you should see 0 quarantined
endpoints. Although the quarantine means nothing unless you have set up
VLAN assignments to support it, seeing quarantined endpoints indicates that
the NAC 800 is testing endpoints unnecessarily. See Chapter 6: “Disabling
Endpoint Integrity Testing” to correct the problem.

The Endpoint tests area reports on the number of endpoints that have:
■ Passed all endpoint integrity tests
■ Failed at least one test

You can ignore this area for a RADIUS-only NAC 800.

Right Area. The Top 5 failed tests area reports on endpoint integrity functions
and can be ignored for a RADIUS-only NAC 800.

The bottom right area of the Home screen shows Enforcement server status—
the number of ESs with ok or with error status. On a CS, the status refers to
that of the CS itself.

Click on the System monitor link to see more detailed information on the
NAC 800’s (or ESs’) status.

Common Features in Web Browser Interface Screens


Every screen in the Web browser interface has certain features:
■ The top right corner features two links:
• Support—Click to access the ProCurve Networking Web site and
download documentation, read FAQs, and submit questions to support.
Your NAC 800 must, of course, be able to reach the Internet.
• Logout—Click to close the HTTPS session with the NAC 800.

Note You should always log out of the Web browser interface (rather than
simply shut the browser) to prevent an unauthorized person from
hijacking the management session.


■ The left top area shows the navigation path for the screen.
See “Following Instructions to Navigate the Web Browser Interface” on
page 2-45 for more information on following the path.

Figure 2-52. Common Features in the Web Browser Interface


■ Configuration screens feature two buttons at both the top and bottom:
• ok—Click to:
– Apply the configurations in this screen (the settings begin to take
effect)
– Save the configurations (the settings are preserved when the
power is shut down)
– Exit to the Home screen
• cancel—Click to:
– Reject changes to configurations in this screen
– Exit to the Home screen
■ Status screens feature this button:
• done—Click to close the screen.
■ Both types of screen may include three additional buttons:
• refresh—Click to update the information displayed (for example,
about the status of a device).
• legend—Click to see the meaning of any symbol used in the screen.
• help—Click to view the online help, which explains the meaning of
fields and settings. Some fields also feature a small help button
particular to that field; move your cursor over this button for specific
information about valid values for that field.

Following Instructions to Navigate the Web Browser Interface

The instructions in this management and configuration guide will often
include steps such as these:
■ Select Home > System configuration > Quarantining.
■ Access the Home > System configuration > Enforcement clusters & servers
screen.

Both steps ask you to do the same thing: follow the path.

Steps in the path are separated by right angle brackets (>).

The first step is always the Home screen. The next step is the options that you
must select from in the left navigation bar in the Home screen. These options
lead you to second-level screens.


Figure 2-53. Navigating the Web Browser Interface

Another step, if present, is typically a menu option on the left side of the
second-level screen. For example, Figure 2-53 shows the Home > System
configuration > Enforcement clusters & servers screen. System configuration is the
second-level screen, and Enforcement clusters & servers is the menu option in
that screen.


ProCurve Manager (PCM) Plus


This section explains, at a high level, how to use PCM Plus to manage the
ProCurve NAC 800. It does not provide detailed explanations of management
and configuration tasks. See the ProCurve Manager Plus 2.2 Network
Administrator’s Guide for these instructions.

Note To manage the NAC 800, your server must have a version of PCM Plus 2.2
auto-update 2 installed.

Enable PCM Plus to Detect the NAC 800


Follow these steps to ensure that PCM Plus can detect your NAC 800:
1. Access the NAC 800’s Web browser interface and log in.
2. Set the Simple Network Management Protocol (SNMP) community name
on the NAC 800 to match the community name on PCM Plus:
a. Select Home > System configuration > Management server.
b. In the SNMP settings area, check the Enable SNMP box.
c. In the Read community string field, enter the name of your PCM server’s
SNMPv1/v2 read-only community.
Valid characters for the field include letters, numbers, hyphens, and
underscores.

Note The NAC 800 does not grant read-write access to SNMP servers. When you
use PCM Plus to discover the NAC 800, you must enter the read-only community
name for the read-write community as well.
d. In the Allowed source network field, enter, in CIDR notation, the subnet
in which your PCM server is installed. For example: 10.1.1.0/24.
Specifying the network increases security. However, you can enter
default to allow a server with any IP address to access the NAC 800.
e. Click the ok button.
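The rules stated in steps c and d can be checked before you commit them on the appliance. The following Python block is an added example, not ProCurve code: it validates the community string against the characters the guide allows, decides whether a given PCM server address falls inside the Allowed source network (treating default as "any address", as described above), and reports the default setting as the weaker choice beside a CIDR-restricted one. The argument names and sample values are constructed, not fields read from the NAC 800.

```python
"""Audit the NAC 800 SNMP settings used for PCM Plus discovery
(added example, not ProCurve code). Standard library only."""
import ipaddress
import re
from typing import List

# Characters the guide lists as valid for the Read community string field.
COMMUNITY_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def community_string_valid(name: str) -> bool:
    return bool(COMMUNITY_RE.match(name))


def snmp_source_allowed(allowed_source: str, src_ip: str) -> bool:
    """Would a manager at src_ip be accepted, given the Allowed source network
    field? 'default' admits any address; otherwise the field is a CIDR network
    such as 10.1.1.0/24."""
    if allowed_source.strip().lower() == "default":
        return True
    network = ipaddress.ip_network(allowed_source, strict=False)
    return ipaddress.ip_address(src_ip) in network


def audit_snmp_settings(enabled: bool, community: str,
                        allowed_source: str, pcm_server_ip: str) -> List[str]:
    """Return findings; an empty list means PCM Plus can discover the NAC 800
    and the settings are as tight as the options on this screen allow."""
    findings: List[str] = []
    if not enabled:
        return ["SNMP is disabled: PCM Plus cannot discover the NAC 800"]
    if not community_string_valid(community):
        findings.append("community string contains characters other than "
                        "letters, numbers, hyphens and underscores")
    elif community.lower() in ("public", "private"):
        findings.append("community string is a well-known default; choose another")
    if allowed_source.strip().lower() == "default":
        findings.append("allowed source network is 'default': any address may "
                        "query; restrict it to the PCM server's subnet")
    else:
        try:
            if not snmp_source_allowed(allowed_source, pcm_server_ip):
                findings.append(f"PCM server {pcm_server_ip} is outside the "
                                f"allowed source network {allowed_source}")
        except ValueError:
            findings.append(f"allowed source network {allowed_source!r} or "
                            f"server address {pcm_server_ip!r} is not valid")
    return findings


if __name__ == "__main__":
    # Constructed values: the weak setting beside the tightened one.
    print(audit_snmp_settings(True, "public", "default", "10.1.1.25"))
    print(audit_snmp_settings(True, "pcm-ro_1", "10.1.1.0/24", "10.1.1.25"))
```

Because the NAC 800 only ever grants read-only SNMP access, the community string and the source network are the only two levers on this screen; the source network is the one worth setting.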


Capabilities of PCM Plus for Managing the NAC 800


When it detects a NAC 800, PCM Plus creates a ProCurve Network Access
Controllers folder in the Interconnect Devices folder. PCM Plus then adds
the NAC 800 as a node in this folder.

When you select a NAC 800 node, all the tabs available for any device are
displayed. In addition, you can click the NAC Home tab and access the NAC
800’s Web browser interface. The first time that you do so, you must enter the
username and password for a management user on the NAC 800. PCM Plus
saves this information so that you do not have to enter it again.

Note You can change the username and password by following these steps:
1. Select Tools > Preferences.
2. Select Identity Management.
3. Enter the new username and password in the ProCurve NAC Web GUI
Credentials fields.

Most of the capabilities that PCM Plus adds to the NAC 800 relate to IDM,
which is described in the following section.


IDM
ProCurve IDM is a plug-in to PCM Plus that helps you assign users the correct
rights based on their identities. When managing a NAC 800, IDM can also
assign users rights based on their endpoint integrity posture.

You set up rights on IDM by configuring various settings, such as virtual local
area network (VLAN) assignments and allowed resources, in profiles. Rules
specify the correct profile for a group of users connecting at a certain time
and place—and optionally, with the NAC 800, with a certain endpoint integrity
posture.

IDM then pushes these settings to the IDM agent on RADIUS servers. When
you use the NAC 800 as a RADIUS server—with or without endpoint integ-
rity—IDM can manage and configure settings on that device just as on other
servers.

To manage a NAC 800, IDM must run version 2.2 auto update 2.

Enable IDM to Detect the NAC 800


When PCM Plus detects a NAC 800, IDM automatically detects the NAC 800
as long as these additional conditions are met:
1. The NAC 800 has client/server permissions to the PCM Plus server.
Follow these steps:
a. On the PCM Plus server, open the access.txt file, which, by default, is
stored in this directory: C:\Program Files\Hewlett-Pack-
ard\PNM\server\config.
Open the file in a text-based editor such as Notepad or Wordpad.
b. Add the NAC 800’s IP address or hostname on its own line.
c. Save and close the file.
2. The version for the NAC 800’s IDM agent matches your IDM server’s
version.
The NAC 800’s software automatically includes the IDM agent. If there is
an update to the agent, release notes will instruct you how to update the
agent on the NAC 800.


Note To check the NAC 800’s IDM agent version, log in as root to the NAC 800 and
enter:

more /root/version

3. The IDM server’s IP address is specified in the NAC 800’s 802.1X quaran-
tining settings.
Follow these steps:
a. Access the NAC 800’s Web browser interface.
b. If you have a multiple NAC 800 deployment (MS and multiple ESs),
choose the cluster that includes the RADIUS server ESs. For a CS, the
default and only cluster (Cluster #1) is automatically selected.
c. In the Quarantine method area, select 802.1X.


Figure 2-54. Home > System configuration > Quarantining

d. In the Basic 802.1X settings area and the IDM server IP address field,
enter the IP address of the server that runs PCM Plus with IDM.
e. Complete other settings as described in Chapter 4: “Configuring the
RADIUS Server—Integrated with ProCurve Identity Driven Manager”
and click the ok button.


Capabilities of IDM for Managing the NAC 800


IDM adds NAC 800s as nodes in its ProCurve Network Access Controllers
folders. These folders are located within realms and are comparable to IDM’s
RADIUS Servers folders.

When you select a NAC 800, IDM displays similar screens and tabs as those
for a RADIUS server. So you can complete all the same tasks for the NAC 800
that you can for a RADIUS server:
■ Deploy a group policy to the NAC 800, which includes:
• Valid days and times of access
• Valid access locations
• Dynamic VLAN assignments, access control lists (ACLs), and rate
limits
■ Easily integrate the NAC 800 with Active Directory (AD) and other direc-
tories
IDM can automatically synchronize with AD, downloading account infor-
mation from the groups that you specify.
IDM can download lists of users from other directories.
■ Monitor users who attempt to authenticate to the NAC 800

In addition, IDM allows you to:


■ Manage the NAC 800’s local database
■ Assign VLANs to users based on their endpoint integrity status
The endpoint integrity status can be:
• Pass—The endpoint has passed all tests (or failed a test but been
granted temporary access).
• Fail—The endpoint failed at least one test and has been quarantined.
• Infected—The endpoint is infected with a virus or other malware
(failed the Worms, Viruses, and Trojans test).
• Unknown—The endpoint has not yet been tested.

Chapter 4: “Configuring the RADIUS Server—Integrated with ProCurve Identity
Driven Manager” explains how to configure a NAC 800 that will be
managed by IDM. This chapter also includes general information about tasks
completed in IDM. However, you should see the ProCurve Identity Driven
Manager Users’ Guide for detailed instructions on performing the IDM tasks.

Table 2-2 summarizes the capabilities that IDM brings to the NAC 800.


Table 2-2. NAC 800 Capabilities With and Without IDM

Capability                                               With IDM   Without IDM
Authenticate users with its local database               Yes        No
Consider time and location in authentication decisions   Yes        No
Issue different dynamic settings according to group      Yes        No
Issue different VLAN assignments according to            Yes        Only by editing configuration
  endpoint integrity posture                                        files from the root OS
Authenticate users with accounts stored in AD            Yes        Yes

You can also access the NAC 800’s Web browser interface directly from IDM.
Click on a NAC 800 node and select one of these tabs:
■ NAC Home—Access the NAC 800’s Home screen.
■ NAC Monitor—Access the NAC 800’s System monitor screen.
■ NAC System—Access the NAC 800’s System configuration screen.

Note The NAC 800 that acts as a RADIUS server might be a CS or an ES; IDM will
detect any type of NAC 800. Although an ES does not actually run a Web
browser interface, you can still select the NAC Home, NAC Monitor, and NAC
System tabs for the ES; IDM simply launches the Web browser interface for
the ES’s MS.


Initial Setup of the ProCurve NAC 800

Contents
System Settings (page 3-3)
    System Settings—Initial Configuration (page 3-4)
        Initial Configuration of CS or MS Settings (page 3-4)
        Initial Configuration of ES Settings (page 3-9)
    Edit System Settings (page 3-16)
        Edit System Settings on an MS or a CS (page 3-16)
        Edit System Settings on an ES (page 3-30)
Licenses (page 3-39)
Management and Maintenance (page 3-39)
    Upgrade the Software (page 3-39)
    Create Management Users (page 3-41)
        Create User Accounts (page 3-42)
        Configure User Roles (page 3-45)
Digital Certificates (page 3-52)
    Install a CA-Signed Certificate for HTTPS (page 3-53)
        Generate a Key (page 3-54)
        Install the Root CA Certificate (page 3-55)
        Create a Certificate Request and Transfer It off the NAC 800 (page 3-56)
        Download and Install the Signed Certificate (page 3-58)
        Restart the HTTPS Server (page 3-59)
    Install a New Self-Signed Certificate for HTTPS (page 3-59)
        Generate the Self-Certificate and Key (page 3-60)
        Export the Self-signed Certificate to a File (page 3-61)
        Install the Self-signed Certificate as a Trusted Root Certificate (page 3-61)
        Restart the HTTPS Server (page 3-62)
        Install the Self-signed Certificate as a Trusted Root Certificate on Endpoints (page 3-62)


System Settings
System settings for your ProCurve NAC 800 include:
■ Network settings
Network settings identify your NAC 800 in the network and allow it to
communicate with other devices. These settings include:
• Hostname
• Static IP address
• Default router IP address
• Domain Name System (DNS) server IP address
■ Simple Network Management Protocol (SNMP) settings
SNMP allows you and other network administrators to control multiple
network devices through a single solution such as ProCurve Manager
(PCM). The NAC 800 supports read-only access to its configuration via
SNMPv1 or v2c. Both versions carry the community string in plaintext,
so treat it as a shared secret and restrict the allowed source network
to the subnet that holds your SNMP server.
■ Root password
The root account, which you log in to through Secure Shell (SSH), grants
access to the command line of the NAC 800’s Linux-based operating
system (OS). You will need such access if you want to enable the NAC 800
to act as a RADIUS server without ProCurve Identity Driven Manager
(IDM).
The username for the account is root and the factory default password is
procurve. You set a new root password during initial configuration and
can change it at any time afterward.

If your NAC 800 is a combination server (CS) (typically, a stand-alone device),
the settings listed above are management server (MS) settings. This is the
standard type for a RADIUS-only NAC 800.

However, your deployment might include an MS and multiple enforcement
servers (ESs). (For more information about this option, see “Enforcement
Clusters” on page 1-15 of Chapter 1: “Overview of the ProCurve NAC 800.”)
In such a system, you configure the settings described above for both the MS
and ESs.


Additional settings apply only to an MS or to a CS:


■ Proxy server for connecting to the Internet
MSs and CSs require Internet access for these purposes:
• Receiving software updates
• Validating licenses
• Submitting support packages to ProCurve Networking (for trouble-
shooting)
In some networks, the NAC 800 simply requires connectivity to the
Internet router and a DNS server address. However, if your network uses
a proxy server, you must configure the proxy settings.
■ Time and date
All network devices should have an accurate clock so that logs and
security reports are useful and accurate. ESs receive the clock from
their MS.
■ Logging settings
Events fall into several categories, or levels, depending on their impor-
tance. You can choose the levels of events that the MS logs.

System Settings—Initial Configuration


You are prompted to configure most system settings for an MS (or CS if your
NAC 800 is a stand-alone device) the first time that you access the NAC 800
Web browser interface. See “Initial Configuration of CS or MS Settings” on
page 3-4.

In a cluster deployment, you configure most system settings for ESs when
you first add them to the cluster. See “Initial Configuration of ES Settings” on
page 3-9.

You can later edit the system settings for any type of NAC 800. See “Edit System
Settings” on page 3-16.

Initial Configuration of CS or MS Settings


Before accessing the NAC 800 Web browser interface for the first time, you
must configure the CS’s or MS’s initial IP settings as described in “Access the
Web Browser Interface” on page 2-37 in Chapter 2: “Management Options for
the ProCurve NAC 800.”


Then follow these steps:


1. In your Web browser, open an HTTPS session to the CS’s (or MS’s) IP
address. For example, if the device’s address is 10.1.1.100, type:
https://10.1.1.100
The Step 1 of 3: Accept license agreement screen is displayed.

Figure 3-1. Step 1 of 3: Accept license agreement

2. Read the license and select the I accept this license agreement option.
3. Click the next button. The Step 2 of 3: Enter management server settings
screen is displayed.


Figure 3-2. Step 2 of 3: Enter management server settings (callout: click back to
see the license agreement again)

4. Enter a password in the Root password field.


As described in “System Settings” on page 3-3, you use the root password
to log in to the NAC 800’s command line. The password can include
alphanumeric and special characters—in fact, a good password will
include a mix of different types of characters. However, the password
does not have specific complexity or length requirements.


Note In the following screen, you will create a username and password for an
administrator with access to the Web browser interface. You can, if you
so desire, set the password to match the root password. However, pass-
words for Web browser managers must meet these requirements:
• At least 8 characters
• Mixed letters and numbers
Therefore, if you plan to use the same password to access the Web
browser interface and the root OS, the password created in step 4 must
include a mix of letters and numbers.
Root passwords for ESs also must include mixed letters and numbers.

5. Enter the same password in the Re-enter root password field.


6. Configure the NAC 800 to receive its date and time from a Network Time
Protocol (NTP) server:
a. Choose your region from the Region drop-down menu.
While not mandatory, this setting narrows the selection for the next
setting: your time zone.
b. Select the correct time zone from the Time zone drop-down menu.
Time zones are listed by offset from Greenwich Mean Time (GMT)—
for example, GMT –6:00—as well as by name and by select cities in
that time zone. (If your city is not listed, you can either rely entirely
on the GMT offset or look for a city that you know is in your time
zone.)
It is important to select the correct time zone so that the NAC 800
appropriately adjusts the time that it receives from the NTP server.
c. Specify the IP address or fully qualified domain name (FQDN) of at
least one NTP server.
You can specify multiple servers; separate the IP addresses or FQDNs
with commas (no space). By default, the MS is set to communicate
with three public NTP servers:
– 0.pool.ntp.org
– 1.pool.ntp.org
– 2.pool.ntp.org
You can add to or replace these servers with other NTP servers—your
company’s own server, a private server, or other public servers. Visit
http://support.ntp.org/bin/view/Servers/NTPPoolServers for a list of
public NTP servers.


7. Configure network settings.


a. Name the NAC 800 by entering a string in the Host name field. You
should enter the name as an FQDN. For example:
mynac.mycompany.com
The hostname can include only these characters:
– Alphanumeric characters
– Periods
– Hyphens
The hostname can be up to 64 characters.
b. Specify the IP address of at least one DNS server in the DNS IP
addresses field.
The DNS server resolves FQDNs and other hostnames to IP
addresses; the MS must be able to contact a DNS server to access sites
and services on the Internet.
You must identify the DNS server with an IP address (not an FQDN).
Specify multiple servers to ensure high availability; separate the IP
addresses with commas (no spaces).
8. Click the next button. The Step 3 of 3: Create administrator account screen
is displayed.

Figure 3-3. Step 3 of 3: Create administrator account (callout: click back to
change the MS system settings)


9. Create an account that grants access to the MS’s Web browser interface:
This account has the Administrator role and full rights to all management
and configuration tasks available in the Web browser interface. (See
“Configure User Roles” on page 3-45 to learn more about roles.)
a. Enter a string in the User name field.
The username can include alphabetic characters but not numbers. It
can also include the “at” character (@).
b. Enter a string in the Password field.
The password must include a mix of letters and numbers and be at
least 8 characters long. It can also include special characters and
spaces.
c. Enter the same password in the Re-enter password field.
10. Click the finish button.

You have completed the initial setup of the MS system settings, and the Home
screen is displayed. If you want to change the settings at a later point, see “Edit
System Settings on an MS or a CS” on page 3-16.

If your NAC 800 is a CS—typical for a device that acts as a RADIUS server
only—the system setup is complete. Otherwise, you must add ESs, as
described in the section below.

Initial Configuration of ES Settings


When you add an ES, the MS contacts it and configures its initial system
settings. You can then control the ES through the MS Web browser interface,
configuring most of the capabilities described in this management and config-
uration guide.

Before you can add an ES, you must access it directly and configure its IP
address and default router, as described in “Access the Web Browser Inter-
face” on page 2-37 in Chapter 2: “Management Options for the ProCurve
NAC 800.” You must also create an enforcement cluster, as described in the
section below.

Create an Enforcement Cluster. To create an enforcement cluster, follow
these steps:
1. Select Home > System configuration > Enforcement clusters & servers.


Figure 3-4. Home > System configuration > Enforcement clusters & servers—add
an enforcement cluster (callout: select this link to create a cluster)

2. Click add an enforcement cluster.


The Add enforcement cluster screen is displayed. The left navigation bar
lists several menu options; for now, you can ignore all options except
General, which is selected by default.


Figure 3-5. Home > System configuration > Enforcement clusters & servers > Add
enforcement cluster > General

3. In the Cluster name field, enter a string that describes this cluster.
The string can include alphanumeric characters, special characters, and
spaces.


4. Choose the Access mode.


If you are creating a cluster for RADIUS services only, the access mode
does not matter because the NAC 800 does not enforce quarantining.
However, you should disable testing as explained in Chapter 6: “Disabling
Endpoint Integrity Testing.”
5. From the NAC policy group drop-down menu, select Default.
In the RADIUS-only usage model, the NAC policy has no effect. However,
you must select a policy to create the cluster.
6. Click the ok button.
You return to the Home > System configuration > Enforcement clusters &
servers screen, where you can now add an ES.

Add an ES. Next you must add the ES.

Note If you are adding an ES that was previously managed by a different MS, you
must first reset the ES. Log in to the ES as root, and enter this command:

resetSystem.py

For the complete procedure of moving an ES from one MS to another, see
“Chapter 13: System Administration” of the ProCurve Network Access
Controller 800 Users’ Guide.

Follow these steps:


1. You should be in the following screen: Home > System configuration >
Enforcement clusters & servers.


Figure 3-6. Home > System configuration > Enforcement clusters & servers—add
an enforcement server (callout: select this link to add an ES)

2. Click add an enforcement server. The Add enforcement server screen is
displayed.


Figure 3-7. Home > System configuration > Enforcement clusters & servers > Add
enforcement server

3. From the Cluster drop-down menu, choose the cluster that you configured
for the NAC 800s that act as RADIUS servers only.
4. Enter the ES’s IP address in the IP address field. For example: 10.1.1.10.
You should have already set this IP address as described in “Access the
Web Browser Interface” on page 2-37 in Chapter 2: “Management Options
for the ProCurve NAC 800.”
5. Give the ES a hostname. Enter the name as an FQDN. For example:
myES.mycompany.com
The hostname can contain only these characters:
• Alphanumeric characters
• Periods
• Hyphens
The hostname can be up to 64 characters.
6. In the DNS IP addresses field, specify the IP address of at least one DNS
server.
To contact devices by hostname, the ES requires a DNS server. You must
specify one server and you can specify multiple servers (use commas to
separate their addresses). By default, this field displays the MS’s DNS
server or servers.


7. Enter a password in the Root password field.


As described in “System Settings” on page 3-3, you use the root password
to access the NAC 800’s OS (through an SSH session). The password must
contain both letters and numbers; special characters are also allowed.
8. Enter the same password in the Re-enter root password field.
9. Click the ok button.
You return to the Home > System configuration > Enforcement clusters &
servers screen, where you can see the new ES.

Figure 3-8. Home > System configuration > Enforcement clusters & servers


10. Return to page 3-10 and follow the steps to add another ES, or click the
ok button to save the changes.

These instructions have taught you how to create basic system settings for
ESs. For more information about managing enforcement clusters and servers,
see Chapter 7: “Redundancy and Backup for RADIUS Services.”
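The setup screens above (Step 2 and Step 3 of the MS/CS wizard in “Initial Configuration of CS or MS Settings”, and the Add enforcement server screen in “Add an ES”) each enforce their own field rules, and a mistake in the network fields can lock you out of the Web browser interface. The following Python script is an added pre-flight check, not part of the NAC 800 or of this guide; it encodes the rules the text states (hostname character set and 64-character limit, IP-only DNS list with no spaces, NTP entries as IP or FQDN, admin username without digits, Web passwords of 8+ characters mixing letters and digits, and the letters-and-digits rule for ES root passwords). Rejecting the factory default root password is this example's own addition, and all field names, function names and sample values are constructed.

```python
import ipaddress
import re

# Field rules as the guide states them for the MS/CS setup wizard (Step 2
# and Step 3) and the Add enforcement server screen.  Function and key
# names are this example's own, not NAC 800 identifiers.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,64}$")   # alphanumerics, periods, hyphens; max 64
ADMIN_USER_RE = re.compile(r"^[A-Za-z@]+$")          # letters and '@' only, no digits
FQDN_LABEL_RE = re.compile(r"^[A-Za-z0-9-]+$")
DEFAULT_ROOT_PASSWORD = "procurve"                   # factory default named in "System Settings"


def mixed_letters_and_digits(value):
    return any(c.isalpha() for c in value) and any(c.isdigit() for c in value)


def split_list(field, value):
    """Comma-separated list, no spaces.  Returns (clean_items, errors)."""
    if value == "":
        return [], [f"{field}: at least one entry is required"]
    raw = value.split(",")
    errors = [f"{field}: remove spaces or empty entries near '{i}'"
              for i in raw if i == "" or i != i.strip()]
    return [i for i in raw if i and i == i.strip()], errors


def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def check_hostname(name):
    if not HOSTNAME_RE.match(name):
        return ["hostname: letters, digits, periods and hyphens only, at most 64 characters"]
    if "." not in name:
        return ["hostname: enter an FQDN, for example mynac.mycompany.com"]
    return []


def check_dns(value):
    """DNS IP addresses: IPv4 addresses only (no FQDNs), comma-separated, no spaces."""
    items, errors = split_list("DNS IP addresses", value)
    errors += [f"DNS IP addresses: '{i}' is not an IPv4 address (FQDNs are not accepted)"
               for i in items if not is_ipv4(i)]
    return errors


def check_ntp(value):
    """NTP servers: IPv4 address or FQDN, comma-separated, no spaces."""
    items, errors = split_list("NTP servers", value)
    for i in items:
        if not is_ipv4(i) and not all(FQDN_LABEL_RE.match(label) for label in i.split(".")):
            errors.append(f"NTP servers: '{i}' is neither an IPv4 address nor an FQDN")
    return errors


def check_web_password(pw, field="admin password"):
    """Web browser interface accounts: at least 8 characters, letters and digits mixed."""
    errors = []
    if len(pw) < 8:
        errors.append(f"{field}: at least 8 characters")
    if not mixed_letters_and_digits(pw):
        errors.append(f"{field}: must mix letters and digits")
    return errors


def check_root_password(pw, enforcement_server=False, reuse_for_web=False):
    """MS/CS root has no enforced rule; ES root must mix letters and digits, and so
    must a root password you also intend to use for the Web interface.  Rejecting
    the factory default is this example's own check, not a NAC 800 rule."""
    errors = []
    if pw == DEFAULT_ROOT_PASSWORD:
        errors.append("root password: factory default 'procurve' must be replaced")
    if reuse_for_web:
        errors += check_web_password(pw, "root password")
    elif enforcement_server and not mixed_letters_and_digits(pw):
        errors.append("root password: must mix letters and digits")
    return errors


def validate_ms_setup(s):
    """Step 2 and Step 3 of the first-access wizard on an MS or CS."""
    errors = check_root_password(s["root_password"], reuse_for_web=s.get("reuse_root_for_web", False))
    errors += check_ntp(s["ntp_servers"])
    errors += check_hostname(s["hostname"])
    errors += check_dns(s["dns_servers"])
    if not ADMIN_USER_RE.match(s["admin_user"]):
        errors.append("admin username: letters and '@' only, no digits")
    errors += check_web_password(s["admin_password"])
    return errors


def validate_es_setup(s):
    """Add enforcement server screen: IP address, hostname, DNS list, ES root password."""
    errors = [] if is_ipv4(s["ip_address"]) else ["ES IP address: not an IPv4 address"]
    errors += check_hostname(s["hostname"])
    errors += check_dns(s["dns_servers"])
    errors += check_root_password(s["root_password"], enforcement_server=True)
    return errors


# Constructed sample input that mirrors the guide's own example values.
GOOD_MS = {
    "root_password": "r00t-Pass-2007",
    "ntp_servers": "0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org",
    "hostname": "mynac.mycompany.com",
    "dns_servers": "10.1.1.2,10.1.1.3",
    "admin_user": "admin@mycompany",
    "admin_password": "Admin2007pw",
}
GOOD_ES = {
    "ip_address": "10.1.1.10",
    "hostname": "myES.mycompany.com",
    "dns_servers": "10.1.1.2",
    "root_password": "es-r00t-2007",
}

if __name__ == "__main__":
    print("MS:", validate_ms_setup(GOOD_MS) or "OK")
    print("ES:", validate_es_setup(GOOD_ES) or "OK")
```

Run it against the values you intend to type; an empty list means every field passes the guide's stated rules. The check is deliberately stricter than the wizard in one respect (it refuses the factory default root password), because the root account is an SSH login to the appliance's OS.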

Edit System Settings


As you learned in “System Settings—Initial Configuration” on page 3-4, you
are prompted to configure a NAC 800’s system settings when:
■ You first access its Web browser interface—an MS or a CS
■ You add it to a cluster—an ES

However, you can edit these settings at any time; the following sections
explain how.

Edit System Settings on an MS or a CS


To edit system settings on an MS or a CS, select Home > System configuration
> Management server.

The screen displays the previously configured settings, which you can
now edit:
■ Network settings—See “Edit MS or CS Network Settings” on page 3-18.
■ Date and time settings—See “Edit MS or CS Date and Time Settings” on
page 3-21.
■ Root password—See “Edit the Root Password” on page 3-26.


Figure 3-9. Home > System configuration > Management server


The Home > System configuration > Management server screen also allows you
to configure some additional settings:
■ Proxy server for accessing the Internet—See “Set the Proxy Server” on
page 3-19.
■ SNMP settings—See “Configure MS or CS SNMP Settings” on page 3-24.
■ Log level settings—See “Set the Log Level” on page 3-28.

Edit MS or CS Network Settings. You can edit network settings; take
care, however, because editing network settings causes the MS’s network
interface to briefly shut down and restart. In addition, if you make a mistake,
you can lock yourself out of the Web browser interface. (To correct the
network settings, open a console session with the MS or use its LCD buttons.
See “Access the Web Browser Interface” on page 2-37 in Chapter 2: “Manage-
ment Options for the ProCurve NAC 800.”)

To edit the network settings, follow these steps:


1. You should be in the following screen: Home > System configuration >
Management server.
2. Click edit network settings. The Management server network settings screen
is displayed.

Figure 3-10. Home > System configuration > Management server > Management
server network settings


3. Change any of the settings displayed:


a. Change the NAC 800’s name by entering a string in the Host name field.
You should enter the name as an FQDN, which can contain only:
– Alphanumeric characters
– Periods
– Hyphens
The hostname can be up to 64 characters.
b. Enter a new IP address for the NAC 800 in the IP address field. For
example:
10.1.1.101
c. Enter the correct mask for the MS’s subnetwork in the Network mask
field.
If you need help determining the mask that corresponds with a
network of a specific length, see “Entering Networks Using CIDR
Format” in Chapter 13: System Administration of the ProCurve
Network Access Controller 800 Users’ Guide.
d. In the Gateway IP address field, specify the IP address of the default
router in the MS’s subnetwork.
e. Specify the IP address of at least one DNS server in the DNS IP
addresses field.
The DNS server resolves FQDNs and other hostnames to IP
addresses; the MS must be able to contact a DNS server to access sites
and services on the Internet.
You must identify the DNS server with an IP address (not an FQDN).
Specify multiple servers to ensure high availability; separate the IP
addresses with commas (no space).
4. Click the ok button.
5. When you are done editing MS settings, click the ok button in the Home >
System configuration > Management server screen to save the changes.

Set the Proxy Server. As described in the introduction to “System Settings”
on page 3-3, an MS requires Internet access to receive software updates,
among other reasons.

If a proxy server stands between your private network and the Internet, you
must configure the NAC 800 MS to communicate with the proxy server.


Follow these steps:


1. You should be in the following screen: Home > System configuration >
Management server.
2. Find the Proxy server area.

Figure 3-11. Home > System configuration > Management server—Proxy
server area


3. Check the Use a proxy server for Internet connections check box.
4. In the Proxy server IP address field, enter the address of the server that will
act as the proxy for the Internet.
5. In the Proxy server port field, enter the port for your proxy server.
The valid range is from 1 to 65535. Typically, you can accept the default
(8080).
6. If your proxy server requires authentication, select the Proxy server is
authenticated check box. Then configure the authentication settings:
a. Select an option from the Authentication method drop-down menu:
– Basic—This method (the original HTTP authentication scheme) is not
recommended because it sends the user ID and password base64-
encoded, which is plaintext to anyone who can observe the link
between the NAC 800 and the proxy. However, it is compatible with
most proxy servers.
– Digest—This method, which is supported by HTTP 1.1-compliant
servers, is significantly more secure than basic authentication. The
password never crosses the network: the NAC 800 combines it with a
random nonce issued by the proxy and sends only an MD5 hash, which
the proxy recomputes from its own copy of the password.
– Negotiable—The NAC 800 and the proxy server agree together
whether to use basic or digest authentication. This option elimi-
nates compatibility issues, but is less secure than the digest
option because the negotiation can fall back to basic.
b. In the User name field, enter the ID of a user account on the proxy
server.
c. In the Password field, enter the password of that user account.
d. Re-enter the password in the Re-enter password field.
7. When you are done editing MS settings, click the ok button to save the
changes.
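To make the difference between the Basic and Digest options concrete, here is an added Python example (not NAC 800 code, and not taken from this guide) that builds the Proxy-Authorization header each method would send and shows what the proxy, or an observer, can do with it. The proxy realm, nonce, account name and password are constructed sample values; the Digest computation follows RFC 2617 with qop=auth, which is the form HTTP 1.1 proxies use.

```python
import base64
import hashlib
import hmac
import secrets


def basic_header(user, password):
    """Basic: base64 of user:password.  Reversible by anyone on the path."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Proxy-Authorization: Basic {token}"


def basic_recover(header):
    """What a passive observer does with a Basic header."""
    token = header.split(" ", 2)[2]
    return base64.b64decode(token).decode()


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest, qop=auth.  The password only ever enters an MD5 input;
    the proxy's random nonce makes the result unusable for replay later."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header(user, realm, password, method, uri, nonce, nc="00000001", cnonce=None):
    """Client side: the header the NAC 800 would send after a 407 challenge."""
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(user, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Proxy-Authorization: Digest username="{user}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", '
            f'response="{resp}"')


def parse_digest(header):
    """Split the comma-separated k=v pairs of a Digest header into a dict."""
    body = header.split("Digest ", 1)[1]
    params = {}
    for part in body.split(", "):
        key, value = part.split("=", 1)
        params[key] = value.strip('"')
    return params


def proxy_verifies(header, method, stored_password, issued_nonce):
    """Proxy side: recompute from its own copy of the password and the nonce it
    issued for this exchange; compare in constant time."""
    p = parse_digest(header)
    if p["nonce"] != issued_nonce:
        return False
    expected = digest_response(p["username"], p["realm"], stored_password, method,
                               p["uri"], issued_nonce, p["nc"], p["cnonce"])
    return hmac.compare_digest(expected, p["response"])


# Constructed sample exchange (placeholder account, realm and nonce).
USER, PASSWORD = "nac800", "s3cretPass"
REALM = "proxy.mycompany.com"
NONCE = "5c4a3b2e1d0f9e8d7c6b5a4f"          # issued by the proxy in its 407 challenge
URI = "http://updates.example/"

if __name__ == "__main__":
    basic = basic_header(USER, PASSWORD)
    print(basic)
    print("observer recovers:", basic_recover(basic))
    digest = digest_header(USER, REALM, PASSWORD, "GET", URI, NONCE, cnonce="0a4f113b")
    print(digest)
    print("password visible in digest header:", PASSWORD in digest)
    print("proxy accepts:", proxy_verifies(digest, "GET", PASSWORD, NONCE))
```

The Negotiable option is weaker than Digest because the choice of scheme is made in cleartext: a proxy, or an on-path attacker who edits the 407 challenge, that offers only Basic will receive the reversible form above.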

Edit MS or CS Date and Time Settings. You have two options for
configuring the MS date and time. The MS can receive its clock either:
■ Automatically from an NTP server
■ From the date and time that you set manually

Receiving the clock from an NTP server is generally the more reliable option.

The date and time settings configured for the MS apply to all ESs; however,
you can set the time zone individually for each ES.


Follow these steps to edit the date and time:


1. You should be in the Home > System configuration > Management server
screen.

Figure 3-12. Home > System configuration > Management server—Date and
time area


2. Choose your region from the Region drop-down menu.


While not mandatory, this setting narrows the selection for the next
setting: your time zone.
3. Select the correct time zone from the Time zone drop-down menu.
Time zones are listed by relation to Greenwich Mean Time (GMT)—for
example, GMT –6:00—as well as by name and by select cities in that time
zone. (If your city is not listed, you can either rely entirely on the GMT
offset or look for a city that you know is in your time zone.)
It is important to select the correct time zone so that the NAC 800
appropriately adjusts the time that it receives from the NTP server.
4. Choose how the NAC 800 MS receives its clock (automatically or
manually):
• Automatically receive NTP updates from
Specify the NTP servers in the field on the right. You can identify a
server by FQDN or IP address.
You can specify multiple servers; separate the IP addresses or FQDNs
with commas (no space). Visit http://support.ntp.org/bin/view/
Servers/NTPPoolServers for a list of public NTP servers.
• Manually set date and time
i. The current time and date are displayed on the right. Click edit.

Figure 3-13. Home > System configuration > Management server > Date and time

ii. Set the date in the Date drop-down menus—select the day from
the left, the month from the center, and the year from the right
drop-down menus.
iii. Set the time in the Time fields—enter the hour and minutes in the
12-hour clock and choose AM or PM from the drop-down menu.
iv. Click the ok button.


5. When you are done editing MS settings, click the ok button in the Home >
System configuration > Management server screen to save the changes.

Configure MS or CS SNMP Settings. If your organization has an SNMP
solution for centralized network management, you should configure the
NAC 800 to integrate with the solution.

The NAC 800 supports SNMPv1 and v2. It provides read-only access to its
configuration. To gain this access, an SNMP server must:
■ Have a read-only community name that matches the name set on the MS
■ Have an IP address in the allowed source network set on the MS

To configure SNMP settings, follow these steps:


1. You should be in the Home > System configuration > Management server
screen.
2. Find the SNMP settings area.


Figure 3-14. Home > System configuration > Management server—SNMP
settings area


3. Check the Enable SNMP check box.


To disable SNMP, clear the check box.
4. Enter a read-only community name that matches your SNMP server’s in
the Read community string field.
Valid characters include letters, numbers, hyphens, and underscores. The
default name is public, which is the default for most devices and SNMP
servers (including PCM). Change it: public is the first string any
scanner tries, and SNMPv1/v2c carries the community in plaintext.

Note The NAC 800 does not grant read-write access to SNMP servers. However, to
properly discover the NAC 800, PCM requires both a read-only and a read-write
community name. Set both names to the name configured in the Read
community string field.

5. Enter a network address in Classless Inter-Domain Routing (CIDR) notation
in the Allowed source network field.
If you do not want to restrict access to SNMP devices in a particular
network, enter default.
6. When you are done editing MS settings, click the ok button to save the
changes.

Edit the Root Password. The root password grants access to the NAC 800’s
OS (via an SSH session). To change the password, follow these steps:
1. You should be in the following screen: Home > System configuration >
Management server.
2. Find the Other settings area.


Figure 3-15. Home > System configuration > Management server—Other settings area


3. Enter a password in the Root password field.
The password can include alphanumeric and special characters—a good
password will include a mix of different types of characters.
4. Enter the same password in the Re-enter root password field.
5. When you are done editing MS settings, click the ok button to save the
changes.

Set the Log Level. When certain events occur, the NAC 800 creates a log
message and adds it to the appropriate log file. Events are classified according
to their severity or possible negative impact on your network. From most to
least severe, the log levels are:
■ Error
■ Warn
■ Info
■ Debug
■ Trace

By default, the log level is debug, which means that the module will log all
events that have debug-level severity or higher (that is, all events except trace
events). If you find that you spend too much time searching through logs, you
can configure the NAC 800 to log only those events with a higher severity level.

Note Generally, you should not set the level to trace. The volume of logged events
may degrade your NAC 800s’ performance.
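The filtering rule above (an event is recorded when its severity is the configured level or higher) is easy to misread in either direction. The following is an added example written for this explanation, not software from the NAC 800: it ranks the five levels as the guide lists them and runs the rule over a few constructed log lines. The date/time/LEVEL/message layout of those lines is an assumption; the guide does not show the NAC 800's actual log format.

```python
# Severity levels from most to least severe, as listed in the guide.
LOG_LEVELS = ["error", "warn", "info", "debug", "trace"]
RANK = {name: rank for rank, name in enumerate(LOG_LEVELS)}  # lower rank = more severe


def is_logged(event_level, configured_level):
    """True when an event of event_level is recorded under the configured log level.

    The module records every event whose severity is the configured level or
    higher, so an event passes when its rank is at most the configured rank.
    """
    return RANK[event_level.lower()] <= RANK[configured_level.lower()]


# Constructed sample log lines (assumed format: date time LEVEL message);
# the real NAC 800 log layout is not shown in the guide.
SAMPLE_LOG = """\
2007-08-01 09:00:01 INFO endpoint 10.1.1.50 passed integrity test
2007-08-01 09:00:02 DEBUG RADIUS Access-Request received from 10.1.1.2
2007-08-01 09:00:03 WARN endpoint 10.1.1.51 failed integrity test
2007-08-01 09:00:04 TRACE parsing RADIUS attribute 26
2007-08-01 09:00:05 ERROR cannot reach configured NTP server
"""


def filter_log(text, configured_level):
    """Return only the sample lines that would exist at the given log level."""
    kept = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)  # date, time, LEVEL, message
        if len(parts) < 4 or parts[2].lower() not in RANK:
            continue  # skip lines that do not carry a recognised level
        if is_logged(parts[2], configured_level):
            kept.append(line)
    return kept


def count_by_level(text):
    """How many lines the sample would produce at each configurable level."""
    return {level: len(filter_log(text, level)) for level in LOG_LEVELS}


if __name__ == "__main__":
    for line in filter_log(SAMPLE_LOG, "warn"):
        print(line)
    print(count_by_level(SAMPLE_LOG))
```

At the default level (debug) every sample line except the TRACE line survives; at warn only the WARN and ERROR lines do, which is the trade-off the guide describes between log volume and visibility.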

Follow these steps to set the log level:
1. You should be in the following screen: Home > System configuration >
Management server.
2. Find the Other settings area.


Figure 3-16. Home > System configuration > Management server—Other settings area


3. Select the severity level from the Log level drop-down menu.
The NAC 800 logs events of this severity or greater.

When you are done editing MS settings, click the ok button to save the changes.

Note To learn how to check for new software, see “Upgrade the Software” on
page 3-39.

Edit System Settings on an ES

You can edit the settings that were created when you added the ES. You can
also configure SNMP and time-zone settings that are specific to this ES. To do
so, you must access the ES’s configuration as follows:
1. You should be in the following screen: Home > System configuration >
Enforcement clusters & servers.


Figure 3-17. Home > System configuration > Enforcement clusters & servers (figure callout: Click the ES’s name.)

2. Click the name of the ES for which you want to edit the system settings.
The Enforcement server screen is displayed at the Status menu option.


Figure 3-18. Home > System configuration > Enforcement clusters & servers >
selected ES > Status

3. Select the Configuration menu option.


Figure 3-19. Home > System configuration > Enforcement clusters & servers >
selected ES > Configuration

In this screen, you can:
■ Edit network settings—See “Edit ES Network Settings” on page 3-33.
■ Set the time zone—See “Set the ES Time Zone” on page 3-34.
■ Configure SNMP settings—See “Configure ES SNMP Settings” on page
3-36.
■ Change the ES’s root password—See “Edit the ES Root Password” on page
3-38.

Edit ES Network Settings. To edit the network settings of an ES, follow
these steps:
1. You should be in the following screen: Home > System configuration >
Enforcement clusters & servers > selected ES > Status.


2. Change any of the settings displayed:
a. Change the ES’s name by entering a string in the Host name field.
You should enter the name as an FQDN, which can include only these
characters:
– Alphanumeric characters
– Periods
– Hyphens
The hostname can be up to 64 characters.
b. Enter a new IP address for the NAC 800 in the IP address field. For
example:
10.1.1.101
c. Enter the correct mask for the MS’s subnetwork in the Network mask
field.
If you need help determining the mask that corresponds with a
network of a specific length, see “Entering Networks in CIDR Format”
in Chapter 13: System Administration of the ProCurve Network
Access Controller 800 Users’ Guide.
d. In the Gateway IP address field, specify the IP address of the default
router in the MS’s subnetwork.
e. Specify the IP address of at least one DNS server in the DNS IP
addresses field.
The DNS server resolves FQDNs and other hostnames to IP
addresses; the MS must be able to contact a DNS server to access sites
and services on the Internet.
You must identify the DNS server with an IP address (not an FQDN).
Specify multiple servers to ensure high availability; separate the IP
addresses with commas (no space).
3. When you are done editing ES settings, click the ok button to save the
changes.
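The field rules in step 2 can be checked before the settings are saved, which avoids an ES that comes back up with a gateway outside its own subnetwork or a DNS entry the form will reject. The following is an added example written for this guide, not NAC 800 software: the function name and argument layout are assumptions, and it uses the Python standard library's ipaddress module to derive the ES subnetwork from the address and mask so that the gateway can be checked against it.

```python
import ipaddress
import re


def validate_es_network(host_name, ip_address, network_mask, gateway, dns_ip_addresses):
    """Return a list of problems with an ES network configuration (empty when acceptable).

    The rules are the ones the guide states for these fields: the host name is an
    FQDN of letters, digits, periods and hyphens (at most 64 characters); the gateway
    is the default router of the ES's own subnetwork; DNS servers are IP addresses
    (not FQDNs), comma-separated without spaces, and at least one is required.
    """
    problems = []

    if len(host_name) > 64 or not re.fullmatch(r"[A-Za-z0-9.-]+", host_name):
        problems.append("host name: use only letters, digits, periods and hyphens (max 64 characters)")
    elif "." not in host_name:
        problems.append("host name: expected a fully qualified domain name, not a bare host name")

    # Address plus mask define the ES's subnetwork; ipaddress accepts a dotted
    # mask (255.255.255.0) or a prefix length (24) after the slash.
    try:
        interface = ipaddress.IPv4Interface(f"{ip_address}/{network_mask}")
    except ValueError:
        problems.append("IP address or network mask is not a valid IPv4 address/mask pair")
        return problems  # nothing further can be checked without a subnetwork

    try:
        gateway_address = ipaddress.IPv4Address(gateway)
    except ValueError:
        problems.append("gateway: not a valid IPv4 address")
    else:
        if gateway_address not in interface.network:
            problems.append(f"gateway {gateway_address} is outside the ES subnetwork {interface.network}")

    if not dns_ip_addresses:
        problems.append("DNS IP addresses: at least one DNS server is required")
    else:
        if " " in dns_ip_addresses:
            problems.append("DNS IP addresses: separate entries with commas only, no spaces")
        for entry in dns_ip_addresses.split(","):
            try:
                ipaddress.IPv4Address(entry.strip())
            except ValueError:
                problems.append(f"DNS IP addresses: {entry.strip()!r} is not an IP address (FQDNs are not accepted)")
    return problems


if __name__ == "__main__":
    # Constructed values in the style of the guide's own example address.
    print(validate_es_network("es1.example.com", "10.1.1.101", "255.255.255.0",
                              "10.1.1.1", "10.1.1.10,10.1.1.11"))
    print(validate_es_network("es_1", "10.1.1.101", "255.255.255.0",
                              "10.1.2.1", "10.1.1.10, ns1.example.com"))
```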

Set the ES Time Zone. You can set each ES’s time zone individually—
which is useful if you have an MS that manages multiple ES’s within a wide
area network (WAN) that spans multiple time zones.

ESs receive their clock from the MS, so you cannot configure other date and
time settings on ESs. See “Edit MS or CS Date and Time Settings” on page 3-21
to learn how to configure the MS.


Follow these steps to set an ES’s time zone:
1. You should be in the following screen: Home > System configuration >
Enforcement clusters & servers > selected ES > Status.

Figure 3-20. Home > System configuration > Enforcement clusters & servers >
selected ES > Configuration

2. Choose your region from the Region drop-down menu.
This choice narrows the selection for the next setting: your time zone.


3. Select the correct time zone from the Time zone drop-down menu.
Time zones are listed by offset from Greenwich Mean Time (GMT)—for
example, GMT –6:00—as well as by name and by select cities in that time
zone. (If your city is not listed, you can either rely on the GMT offset or
look for a city that you know is in your time zone.)
It is important to select the correct time zone so that the NAC 800
appropriately adjusts the time that it receives from the MS.

Configure ES SNMP Settings. If your organization has an SNMP solution
for centralized network management, you should configure your NAC 800 ESs
to integrate with the solution.

Note This task is particularly important if you are using IDM to manage NAC 800s’
RADIUS functions.

The NAC 800 supports SNMPv1 and v2. It provides read-only access to its
configuration. To gain this access, an SNMP server must:
■ have a read-only community name that matches the name that is set on
the ES
■ have an IP address in the allowed source network that is set on the ES

To configure SNMP settings, follow these steps:


1. You should be in the following screen: Home > System configuration >
Enforcement clusters & servers > selected ES > Status.


Figure 3-21. Home > System configuration > Enforcement clusters & servers >
selected ES > Configuration

2. Find the SNMP Settings area.
3. Check the Enable SNMP check box.
To disable SNMP, clear the check box.
4. Enter a read-only community name that matches your SNMP server’s in
the Read community string field.
Valid characters include letters, numbers, hyphens, or underscores. The
default name is public, which is the default for most devices and SNMP
servers (including PCM). You should change the name for more security.


Note The NAC 800 does not grant read-write access to SNMP servers. However, to
properly discover the NAC 800, PCM requires a “read-only” and “read-write”
community name. Set both names to the name configured in the Read
community string field.

5. Enter a network address in CIDR notation in the Allowed source network
field.
If you do not want to restrict access to SNMP devices in a particular
network, enter default.
6. When you are done editing ES settings, click the ok button to save the
changes.
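Both the MS/CS procedure (“Configure MS or CS SNMP Settings”) and the ES procedure above answer a read request only when the community name matches and the requester's address lies in the allowed source network. The following added example, written for this guide and not part of the NAC 800, models that decision and flags the two settings the text warns about (a community name still set to public, and an allowed source network of default). The settings dictionary layout and the sample values are constructed assumptions.

```python
import ipaddress
import re

# Read community names may contain letters, numbers, hyphens and underscores.
COMMUNITY_RE = re.compile(r"[A-Za-z0-9_-]+")


def valid_community_name(name):
    """True when the name uses only the characters the guide allows."""
    return bool(COMMUNITY_RE.fullmatch(name))


def parse_allowed_source(value):
    """Return None for the literal 'default' (no source restriction), else the CIDR network."""
    value = value.strip()
    if value.lower() == "default":
        return None
    return ipaddress.ip_network(value, strict=False)


def snmp_read_allowed(settings, request_community, request_ip):
    """Decide whether one SNMPv1/v2 read request would be answered.

    settings is a dict with keys enabled, community and allowed_source,
    mirroring the three fields on the MS/ES configuration screen (assumed
    structure). Both conditions from the guide must hold: a matching
    read-only community name and a source address inside the allowed network.
    """
    if not settings["enabled"]:
        return False
    if not valid_community_name(settings["community"]):
        raise ValueError("configured community name contains invalid characters")
    if request_community != settings["community"]:
        return False
    network = parse_allowed_source(settings["allowed_source"])
    if network is None:
        return True
    return ipaddress.ip_address(request_ip) in network


def audit_snmp_settings(settings):
    """Flag settings that leave the read-only view wider open than it needs to be."""
    findings = []
    if not settings["enabled"]:
        return findings
    if settings["community"] == "public":
        findings.append("read community is still the default 'public'; change it")
    if parse_allowed_source(settings["allowed_source"]) is None:
        findings.append("allowed source network is 'default'; any host that knows the community name can read")
    return findings


# Constructed settings: one device hardened as the guide recommends, one left at defaults.
HARDENED = {"enabled": True, "community": "nms-ro_2007", "allowed_source": "10.2.0.0/24"}
DEFAULTS = {"enabled": True, "community": "public", "allowed_source": "default"}

if __name__ == "__main__":
    print(snmp_read_allowed(HARDENED, "nms-ro_2007", "10.2.0.15"))  # True
    print(snmp_read_allowed(HARDENED, "nms-ro_2007", "10.3.0.15"))  # False: outside allowed network
    print(audit_snmp_settings(DEFAULTS))
```

Because the NAC 800 only offers SNMPv1 and v2, the community name travels in clear text; the allowed source network is therefore the control that actually limits who can read the configuration, and the audit function treats default as a finding for that reason.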

Edit the ES Root Password. The root password grants access to the
NAC 800’s command line (via an SSH session). To change the password, follow
these steps:
1. You should be in the following screen: Home > System configuration >
Enforcement clusters & servers > selected ES > Status.
2. Find the Other settings area.
3. Enter a password in the Root password field.
The password must contain both letters and numbers; special characters
are also allowed.
4. Enter the same password in the Re-enter root password field.
5. When you are done editing ES settings, click the ok button to save the
changes.


Licenses
Licenses on the ProCurve NAC 800 enable endpoint integrity testing. If you
plan to use the RADIUS-only usage model, your NAC 800 does not require a
license.

Note To add endpoint integrity, you must purchase licenses. See Chapter 3: System
Configuration in the ProCurve Network Access Controller 800 Users’ Guide
for more information.

Management and Maintenance

This section of the guide covers some basic management and maintenance
tasks, including:
■ Upgrading the software
■ Creating users that are allowed to access the Web browser interface and
manage the ProCurve NAC 800s

You manage clusters of NAC 800s through the MS’s Web browser interface.
You manage each CS (a stand-alone NAC 800) through its own Web browser
interface.

Upgrade the Software

ProCurve Networking provides free software upgrades as part of the ProCurve
NAC 800’s one-year warranty. These upgrades may add new functionality or
improve performance. You should always check for an upgrade as soon as you
install your new NAC 800. Then check for upgrades periodically every several
weeks.

To check for the upgrade, the NAC 800 MS or CS requires a connection to the
Internet. After an MS upgrades its own software, it automatically upgrades the
software on all ESs in its clusters.

Follow these steps to check for and install new software on an MS or CS:
1. Select Home > System configuration > Management server.


Figure 3-22. Home > System configuration > Management server—System Upgrade
area

2. In the System Upgrade area, click the check for upgrades button.


If new software has been posted, the NAC 800 downloads and installs it.

Create Management Users

When you initially connect to the Web browser interface of an MS or a CS, you
create the Administrator user, who has complete Web management access to
that device. (See “Initial Configuration of CS or MS Settings” on page 3-4.)

You can create other users that are allowed to access the Web browser
interface and manage your system’s NAC 800s.

A management user is identified by:
■ Username
■ Password

A user’s management rights are defined by:
■ Role—A role consists of a series of permissions. For example, the ability
to run a report is a permission, as is the ability to configure settings for a
cluster. The NAC 800 OS includes four default roles, described in
Table 3-1. You can also create your own roles. (See “Configure User Roles”
on page 3-45.)
■ Clusters—Users can perform permitted tasks only for their assigned
clusters.


Table 3-1. User Roles

System Administrator
Description: All permissions
Permissions:
• Configure cluster
• Configure servers
• Configure the system
• View system alerts
• Generate reports
• Manage NAC policies
• View endpoint activity
• Monitor system status
• Control access
• Retest endpoints

Cluster Administrator
Description: For assigned clusters, configure cluster settings, view endpoint
activity, change endpoint access control, retest endpoints, and generate reports
Permissions:
• Configure cluster
• View system alerts
• Generate reports
• View endpoint activity
• Monitor system status
• Control access
• Retest endpoints

View-Only User
Description: View endpoint activity and generate reports about assigned clusters
Permissions:
• Generate reports
• View endpoint activity

Help Desk Technician
Description: For assigned clusters, view endpoint activity, change endpoint
access control, retest endpoints, and generate reports
Permissions:
• Generate reports
• View endpoint activity
• Control access
• Retest endpoints

Create User Accounts

Follow these steps to create an account for a new management user:
1. Select Home > System configuration > User accounts.
Initially, the screen displays the Administrator account, which has the
System Administrator role and rights to every cluster configured on this
NAC 800.


Figure 3-23. Home > System configuration > User accounts

2. Click the add a user account link. The Add user account screen is displayed.


Figure 3-24. Home > System configuration > User accounts > add a user account

3. Enter the username in the User ID field.
The username can contain alphabetic characters but not numbers or
special characters; however, it can include the “at” character (@).
4. Enter the user’s password in the Password field.
The password can include alphanumeric characters, special characters,
and spaces. It must contain a mix of letters and numbers and be at least
8 characters.
5. Enter the same password in the Re-enter password field.
6. Enter the user’s full name in the Full name field.
7. Optionally, specify the user’s email address in the Email address field.


8. Choose the Account status:
• enabled—The new user can log in with this account.
• disabled—The account is stored, but the user cannot log in.
9. Assign the user roles by checking the corresponding boxes in the User
roles area.
The user must have at least one role and can have multiple roles. See
Table 3-1 for an explanation of roles. All default and custom roles are
displayed in the area. See “Configure User Roles” on page 3-45 for information
on configuring your own customized roles.
10. The Clusters area displays every cluster configured on this NAC 800. Check
the check box for at least one cluster.
The user can perform permitted tasks only for his or her own clusters. In
other words, a Cluster Administrator assigned to Cluster A can configure
settings on that cluster, but not on Cluster B.
However, a System Administrator has all permissions for all clusters
regardless of which clusters have been assigned to that account.
11. Click the ok button.

Configure User Roles

As explained earlier, the NAC 800 OS includes several default roles, suitable
for many environments. You can also customize these roles or create your
own roles.

You can create entirely new roles that include the permissions that you select.
You can also customize an existing role, removing or adding the desired
permissions (sometimes a simpler option).

You can edit any role on the NAC 800, including default roles. However, you
cannot remove permissions from the System Administrator role.

A user role consists of a name, a description, and a set of permissions.
Table 3-2 lists all available permissions.

Note Some aspects of a permission do not apply to a CS. For example, on an MS,
the “Configure cluster” permission allows a user to add clusters, configure
cluster settings, add ESs to clusters, and so forth. However, a CS has one
cluster only. A user with the “Configure cluster” permission to a CS can
configure cluster settings but not add new clusters or ESs.


Table 3-2. Permissions for User Roles

Configure cluster
Allows a user to:
• Add new clusters
• Configure settings for assigned clusters
• Delete assigned clusters
• Add ESs to assigned clusters
• View status for all ESs in assigned clusters
Related Web browser interface screen: Enforcement clusters & servers

Configure servers
Allows a user to: View status for all ESs in assigned clusters
Related Web browser interface screen: Enforcement clusters & servers

Configure the system
Allows a user to: All system-level settings for all clusters:
• Add, configure, and delete clusters
• Add and configure ESs
• Manage user accounts and roles
• Submit license requests
• Schedule checks for test updates
• Configure quarantine settings (including RADIUS)
• Backup the system and restore from the backup
• Configure cluster settings
Related Web browser interface screen: System configuration (including all menu
options)

View system alerts
Allows a user to: View system alerts on the Home screen
Related Web browser interface screen: Home

Generate reports
Allows a user to: Generate reports about assigned clusters
Related Web browser interface screen: Reports

Manage NAC policies
Allows a user to:
• Add, edit, and delete NAC policies and NAC policy groups
• Set the NAC policy group for assigned clusters
Related Web browser interface screen: NAC policies

View endpoint activity
Allows a user to: View activity for endpoints in assigned clusters:
• Check access control status
• Check endpoint test status
Related Web browser interface screen: Endpoint activity

Monitor system status
Allows a user to: View status for all ESs in assigned clusters
Related Web browser interface screen: System monitor

Control Access
Allows a user to: Change access control status for endpoints in assigned clusters
• Requires View endpoint activity permission
Related Web browser interface screen: change access button in Endpoint activity
screens

Retest endpoints
Allows a user to: Force a retest of endpoints in assigned clusters
• Requires View endpoint activity permission
Related Web browser interface screen: retest button in Endpoint activity screens


Create a New User Role. Follow these steps to create a new user role:
1. Select Home > System configuration > User roles.

Figure 3-25. Home > System configuration > User roles

2. Click the add a user role link. The Add user role screen is displayed.


Figure 3-26. Home > System configuration > User roles > Add user role

3. In the Role name field, enter a short, meaningful description of the role.
For example:
Assistant Administrator
This field can include alphanumeric characters, special characters, and
spaces.
4. Optionally, describe this role at more length in the Description field.
Describing the role is a good idea because it helps other users know which
management user accounts should receive this role.
User account screens display roles’ descriptions but not their permissions,
so you should typically include information about the permissions in the
Description field.


5. Check boxes in the Permissions area to specify which permissions this role
allows.
You must check at least one box and can check multiple boxes.

Note If you select Control Access or Retest endpoints, you must also select View
endpoint activity.

See Table 3-2 on page 3-46 for more information about permissions.

Note Some permissions relate only to the NAC 800’s endpoint integrity functions.
The primary permissions of interest for a NAC 800 that acts only as
a RADIUS server are:
• Configure the system
• View system alerts
• Monitor system status
• View endpoint activity
• Control access
The “Configure the system” permission allows users all of the access they
need to configure a RADIUS-only NAC 800. The “View system alerts” and
“Monitor system status” permissions add the ability to monitor the system.
You might want the “View endpoint activity” and “Control access” permissions
in order to help users in case the endpoint integrity test functions
are not shut down properly.

6. Click the ok button.

Note The new role saves immediately and will be displayed on the User Account
screen. You can now assign this role to users. (See “Create User Accounts” on
page 3-42.)
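The model behind Table 3-1, steps 9 and 10 of “Create User Accounts” (a user holds the union of the assigned roles' permissions and may exercise them only on assigned clusters, with the System Administrator exempt from the cluster restriction) and the note in step 5 above (Control access and Retest endpoints require View endpoint activity) can be expressed as a small authorization check. The following is an added example written for this guide, not NAC 800 code: the account dictionary layout, the function names and the sample accounts are assumptions; the role and permission names come from Tables 3-1 and 3-2.

```python
import re

# All permissions listed in Table 3-2.
PERMISSIONS = frozenset({
    "Configure cluster", "Configure servers", "Configure the system",
    "View system alerts", "Generate reports", "Manage NAC policies",
    "View endpoint activity", "Monitor system status", "Control access",
    "Retest endpoints",
})

# Default roles from Table 3-1.
DEFAULT_ROLES = {
    "System Administrator": set(PERMISSIONS),
    "Cluster Administrator": {
        "Configure cluster", "View system alerts", "Generate reports",
        "View endpoint activity", "Monitor system status", "Control access",
        "Retest endpoints",
    },
    "View-Only User": {"Generate reports", "View endpoint activity"},
    "Help Desk Technician": {
        "Generate reports", "View endpoint activity", "Control access",
        "Retest endpoints",
    },
}

# Permissions that only work together with another one (Table 3-2, note in step 5).
REQUIRES = {"Control access": "View endpoint activity",
            "Retest endpoints": "View endpoint activity"}


def validate_role(name, permissions):
    """Return the reasons a role definition would be rejected (empty list = acceptable)."""
    permissions = set(permissions)
    problems = []
    if not permissions:
        problems.append("a role must have at least one permission")
    for unknown in sorted(permissions - PERMISSIONS):
        problems.append(f"unknown permission {unknown!r}")
    for perm, needed in REQUIRES.items():
        if perm in permissions and needed not in permissions:
            problems.append(f"{perm!r} requires {needed!r}")
    if name == "System Administrator" and permissions != PERMISSIONS:
        problems.append("the System Administrator role keeps all permissions; only its name and description may change")
    return problems


def validate_account(user_id, password):
    """Check the User ID and Password rules from 'Create User Accounts' steps 3 and 4."""
    problems = []
    if not re.fullmatch(r"[A-Za-z@]+", user_id):
        problems.append("user ID: alphabetic characters and '@' only (no digits or other special characters)")
    if len(password) < 8 or not re.search(r"[A-Za-z]", password) or not re.search(r"[0-9]", password):
        problems.append("password: at least 8 characters with a mix of letters and numbers")
    return problems


def is_permitted(account, permission, cluster, roles=DEFAULT_ROLES):
    """Authorization decision for one action on one cluster.

    account is a dict with 'roles' and 'clusters' (assumed structure). The user
    holds the union of the permissions of all assigned roles, may use them only
    on assigned clusters, and a System Administrator is exempt from that limit.
    """
    granted = set()
    for role in account["roles"]:
        granted |= roles.get(role, set())
    if permission not in granted:
        return False
    if "System Administrator" in account["roles"]:
        return True
    return cluster in account["clusters"]


# Constructed accounts for the checks below.
CLUSTER_ADMIN_A = {"roles": ["Cluster Administrator"], "clusters": ["Cluster A"]}
SYSADMIN = {"roles": ["System Administrator"], "clusters": ["Cluster A"]}
HELP_DESK_B = {"roles": ["Help Desk Technician"], "clusters": ["Cluster B"]}

if __name__ == "__main__":
    print(validate_role("Assistant Administrator", {"Control access", "Generate reports"}))
    print(is_permitted(CLUSTER_ADMIN_A, "Configure cluster", "Cluster B"))  # False
    print(is_permitted(SYSADMIN, "Configure cluster", "Cluster B"))         # True
```

The check runs in the same order a reviewer would want: first whether any assigned role grants the permission at all, then whether the cluster is in scope. Keeping the System Administrator exemption explicit in code makes it easy to see why that role should be handed out sparingly.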

Edit an Existing User Role. You can also customize existing roles, altering
any of these settings:
■ Name
■ Description
■ Permissions

Note You can alter the name and description, but not permissions, for the System
Administrator role.


Follow these steps to edit the role:
1. Select Home > System configuration > User roles.

Figure 3-27. Home > System configuration > User roles

2. Click the name of the role that you want to edit in the User role name
column. The User role screen is displayed.


Figure 3-28. Home > System configuration > User role (selected user role)

3. Make any or all of these changes:
a. Enter a new name in the Role name field.
b. Alter the text in the Description field.
You should change the description to reflect the new permissions.
c. In the Permissions area, check and clear check boxes to customize the
role’s permissions.
4. When you are finished, click the ok button.

Note The changes save immediately. Any user that is assigned this role automatically
receives the new permissions.


Digital Certificates
Your ProCurve NAC 800 (or NAC 800s) might require a digital certificate for
several reasons:
■ On a CS or MS, an SSL certificate enables access to the Web browser
interface. (HTTPS, the only supported option, requires the server to have
a certificate).
■ A CS or ES requires an SSL certificate to communicate with endpoints
during endpoint integrity testing.
■ A NAC 800 acting as a RADIUS server (CS or ES) requires a server
certificate for:
• Server authentication—The NAC 800 authenticates itself during
the Extensible Authentication Protocol (EAP) process.
• Client authentication—The NAC 800 and the endpoint can use the
certificate to generate keys to secure the EAP process. Depending on
the EAP method, the NAC 800 also verifies end-users’ certificates.
■ A NAC 800 that binds to a Lightweight Directory Access Protocol (LDAP)
server that uses TLS authentication requires the CA root certificate for
the LDAP server’s CA.

The instructions in this section apply only to the first and second purposes.
To learn about configuring digital certificates for the other purposes, see
Chapter 4: “Configuring the RADIUS Server—Integrated with ProCurve Identity
Driven Manager” or Chapter 5: “Configuring the RADIUS Server—Without
Identity Driven Manager.”

At factory defaults, a NAC 800 uses a self-signed digital certificate for HTTPS.
In this certificate, cn=HP. You will probably want to install a new certificate
that:
■ Includes information about this specific device and your own organization
■ Is signed by your company’s CA or by a trusted CA

See “Install a CA-Signed Certificate for HTTPS” on page 3-53 to learn how to
obtain and install a signed certificate for HTTPS.

You can also create a new self-signed certificate for HTTPS. See “Install a New
Self-Signed Certificate for HTTPS” on page 3-59.


Install a CA-Signed Certificate for HTTPS

To install a new signed certificate, complete these tasks:
1. Generate a private/public keypair for the certificate.

Note A digital certificate relies on a public/private keypair unique to that
certificate. The certificate includes the public key openly; however, only
the device that owns the certificate knows the private key. This means
that the device can “sign” data with the private key and prove its identity.
The private key is protected by the compliance.keystore’s password
(changeit).

2. Install the root CA certificate for the signing CA.
At factory default settings, the NAC 800 already includes several root CA
certificates. See “Install the Root CA Certificate” on page 3-55 for a list.
3. Create a certificate request or certificate signing request (CSR).
The format of the request is PKCS #10.
4. Transfer the certificate request off the NAC 800.
5. Submit the certificate request to your CA.
The steps for completing this task depend on your CA; refer to the CA’s
instructions. Request a certificate that:
• Uses an X.509 format (either Distinguished Encoding Rules [DER] or
PEM is acceptable)
• Is suitable for a Web server
6. After your CA issues the certificate, save it to the NAC 800.
7. Install the certificate.
8. Restart the HTTPS server.

You must complete these tasks by accessing the root command line for the
NAC 800’s OS:
1. Open a console or SSH session with the NAC 800.
2. Log in:
• username = root
• password = <root password>


Generate a Key
Before submitting a certificate request for your NAC 800, you must generate
the certificate’s public/private keypair. The NAC 800 includes the public key
in the request but keeps the private key only in its own keystore, which is
protected with a password.

Follow these steps to generate the key:
1. Log in as root to the NAC 800 OS.
2. Move to the /usr/local/nac/keystore directory.
ProCurve NAC 800:# cd /usr/local/nac/keystore
3. Remove the default keystore:
ProCurve NAC 800:/usr/local/nac/keystore:# rm -f compliance.keystore
4. Enter this command:

Syntax: keytool -genkey -alias <keyname> -keyalg [rsa | dsa] -keystore compliance.keystore
Replace <keyname> with a name that you choose for the key’s
alias in the compliance.keystore file. Make a note of the name:
you will need it when you generate a certificate request or
self-signed certificate that uses this keypair.
The asymmetric algorithms supported by the NAC 800 for the
keypair include Rivest, Shamir, and Adelman (RSA) and
Digital Signature Algorithm (DSA); choose one or the other
for the -keyalg option.

For example:
ProCurve NAC 800:/usr/local/nac/keystore:# keytool -genkey -alias mynac.procurve.com -keyalg RSA -keystore compliance.keystore
5. When prompted, enter this password for the keystore: changeit. (You must
enter this password.)
6. Next you are prompted to enter information that will be included in the
certificate that uses this key. For the first and last name, enter the NAC
800’s exact FQDN.
7. The command line displays the information that you entered. If it is
correct, type [y] and press [Enter]. If you need to edit the information, press
[Enter] only.


8. The keytool utility prompts you to enter a password to protect the key.
You must press [Enter] without entering a password; the key is protected
with the keystore’s password.

The keypair is now saved with the specified name in compliance.keystore.

Install the Root CA Certificate

The NAC 800 has several root CA certificates installed on it at factory default
settings. If the new certificate will be signed by one of the CAs listed below,
you can skip this task:
■ AddTrust
■ Comodo
■ Cybertrust
■ Entrust
■ Equifax Secure
■ GeoTrust
■ Go Daddy
■ Sonera
■ Starfield
■ Thawte
■ UserTrust
■ Valicert
■ VeriSign

If you are using a different third-party CA or your organization’s own CA, you
must install the CA certificate. Follow these steps:
1. Obtain the CA certificate from your CA.
The certificate must use X.509 format.
2. Download the CA certificate to the NAC 800.
If you have installed the PuTTY Secure Copy (PSCP) application on your
workstation, follow these steps:
a. Save the CA certificate on your management workstation.
b. Access the command-line prompt on your workstation. (Select Start
> Run and enter cmd.)
c. Move to the directory in which PSCP is stored.


d. Enter this command:

Syntax: pscp <path\filename> root@<IP address>://<path/ca_cert_filename>
Replace <path\filename> with the path and filename of the CA
certificate that is saved on your workstation. Replace <IP
address> with the NAC 800’s IP address. (Alternately, you can
enter its hostname). Replace <path/ca_cert_filename> with the
name that you choose to give the CA certificate file on the NAC
800.

For example:
pscp C:\\certificates\myCA.cer root@10.2.1.20://myCA.cer
e. When prompted, enter the NAC 800’s root password.
3. Log in as root to the NAC 800.
4. Enter this command:

Syntax: keytool -import -alias <CA_name> -file <path/ca_cert_filename> -keystore /usr/local/java/jre/lib/security/cacerts
Replace <CA_name> with a name that you choose for the CA.
Replace <path/ca_cert_filename> with the filename that you
gave to the CA certificate in step 2-d.
This command adds the CA certificate, identified by the CA
name, to the cacerts keystore in the /usr/local/java/jre/lib/security
directory.

For example:
ProCurve NAC 800:# keytool -import -alias myCA -file myCA.cer -keystore /usr/local/java/jre/lib/security/cacerts
5. When prompted, enter the password for the cacerts keystore (default:
changeit).
6. When prompted to trust the certificate, enter yes.

Create a Certificate Request and Transfer It off the NAC 800


To obtain a certificate from a CA, you must submit a certificate request. The
request includes the public key and information about the NAC 800 and your
organization.


Follow these steps to create the certificate request:
1. Log in to the NAC 800 as root.
2. Move to the /usr/local/nac/keystore directory.
ProCurve NAC 800:/# cd /usr/local/nac/keystore
3. Enter this command:

Syntax: keytool -certreq -alias <keyname> -file <filename> -keystore compliance.keystore
Replace <keyname> with the name you specified in step 3 of
“Generate a Key” on page 3-52. The command creates a
request using the public key and information associated with
the specified keyname. Also specify the keystore in which the
key is saved.
Replace <filename> with the name you want to give to the
certificate request file.

For example:
ProCurve NAC 800:/usr/local/nac/keystore:# keytool -certreq -alias mynac.procurve.com -file mynac.req -keystore compliance.keystore
4. When prompted, enter the password for the keystore.
5. If prompted, enter the password for the key.
6. View files in the directory and verify that the request was created. Enter
this command:
ProCurve NAC 800:/usr/local/nac/keystore# dir
7. Transfer the certificate request off the NAC 800.
You can save the request to your management workstation. If this workstation
has the PSCP application, follow these steps:
a. Access the command-line prompt on your workstation.
b. Move to the directory in which PSCP is stored.


c. Enter this command:

Syntax: pscp root@<IP address>://usr/local/nac/keystore/<filename> <path\filename>
Replace <IP address> with the NAC 800’s IP address.
(Alternately, you can enter its hostname).
Replace <filename> with the name given to the certificate
request in step 3.
Replace <path\filename> with the path and filename where you
want to save the request on your workstation.

d. When prompted, enter the NAC 800’s root password.

Download and Install the Signed Certificate

After you submit the certificate request, the CA returns a signed certificate.
Follow these steps to install the certificate on the NAC 800:
1. Download the signed certificate to the NAC 800.
If you have installed the PSCP application on your workstation, follow
these steps:
a. Save the certificate on your management workstation.
b. Access the command-line prompt on your workstation.
c. Move to the directory in which PSCP is stored.
d. Enter this command:

Syntax: pscp <path\filename> root@<IP address>://usr/local/nac/keystore/<cert_filename>
Replace <path\filename> with the path and filename of the
signed certificate that you saved on your workstation. Replace
<IP address> with the NAC 800’s IP address. (Alternately, you
can enter its hostname). Replace <cert_filename> with the
name that you want to give the certificate file on the NAC 800.

For example:
pscp C:\\certificates\mynac.cer root@10.2.1.20://usr/local/nac/keystore/mynac.cer
2. When prompted, enter the NAC 800’s root password.
3. Log in to the NAC 800 as root.
4. Move to this directory:
ProCurve NAC 800:/# cd /usr/local/nac/keystore

3-58
Initial Setup of the ProCurve NAC 800
Digital Certificates

5. Enter this command:

Syntax: keytool -import -alias <keyname> -trustcacerts -file <cert_filename> -keystore compliance.keystore
Replace <keyname> with the name you specified in step 3 of
“Generate a Key” on page 3-52. Replace <cert_filename> with
the filename that you gave to the certificate in step 1-d.
This command adds the signed certificate to the keystore in
the /usr/local/nac/keystore directory.

For example:
ProCurve NAC 800:/usr/local/nac/keystore:# keytool
-import -alias mynac.procurve.com -trustcacerts -file
mynac.cer -keystore compliance.keystore
6. When prompted, enter the password for the keystore (changeit).

Restart the HTTPS Server


The NAC 800 begins to use the new certificate the next time the HTTPS server
starts. Enter the following command from the root command line to restart the server:

Syntax: service [nac-ms | nac-es] restart


Restarts the nac-ms or nac-es services, including the HTTPS
server. On an MS, select nac-ms. On an ES, select nac-es. On a
CS, restart both services.

Install a New Self-Signed Certificate for HTTPS


The NAC 800 can identify itself to users that access its HTTPS server with a
self-signed certificate (instead of with a CA-signed certificate). A self-signed
certificate is easier to install because it does not require you to purchase a
certificate from a third-party vendor nor have your own CA. On the other hand,
a self-signed certificate is less trusted; users might have to choose to trust it
when they access the NAC 800’s Web browser interface.

You must complete these tasks to create and install a self-signed certificate:
1. Generate the self-signed certificate and keypair in the compliance.keystore.
2. Export the self-signed certificate to a file.
3. Install the self-signed certificate as a trusted CA root certificate in the Java
cacerts keystore.
4. Restart the HTTPS server.


As an optional final task, you might transfer the self-signed certificate off the
NAC 800 and install it as a trusted CA root certificate on endpoints.

To complete these tasks, you must access the root command line
for the NAC 800’s OS:
1. Open an SSH session with the NAC 800.
2. Log in:
• username = root
• password = <root password>

Generate the Self-Certificate and Key


When keytool generates a public/private keypair, the utility automatically
creates a self-signed certificate around the public key. Follow these steps:
1. Log in to the NAC 800 as root.
2. Move to the /usr/local/nac/keystore directory.
ProCurve NAC 800:/# cd /usr/local/nac/keystore
3. Enter this command:

Syntax: keytool -genkey -alias <keyname> -keyalg [rsa | dsa] -keystore compliance.keystore
Replace <keyname> with a name that you choose for the key’s alias
in the compliance.keystore file. Make a note of the name: you will
need it when you generate a certificate request or self-signed
certificate that uses this keypair.
The asymmetric algorithms supported by the NAC 800 for the
keypair include RSA and DSA; choose one or the other for the -keyalg
option.

4. For example:
ProCurve NAC 800:/usr/local/nac/keystore:# keytool
-genkey -alias mynac.procurve.com -keyalg RSA
-keystore compliance.keystore
5. When prompted, enter changeit for the keystore password. You must enter
this password.
6. Next you are prompted to enter information that will be included in the
certificate that uses this key. For the first and last name, enter the NAC
800’s FQDN.
7. The command line displays the information you entered. If it is correct,
enter y. If you need to edit the information, press [Enter] only.


8. The keytool utility prompts you to enter a password to protect the key.
You must press [Enter] instead of entering a password; the key is protected
with the keystore’s password only.

The keypair and its associated self-signed certificate are now saved under the
specified alias in the specified keystore.

Export the Self-signed Certificate to a File


Follow these steps to export the self-signed certificate to a file:
1. Log in as root to the NAC 800 OS.
2. Move to the /usr/local/nac/keystore directory.
ProCurve NAC 800:/# cd /usr/local/nac/keystore
3. Enter this command:

Syntax: keytool -export -alias <keyname> -keystore compliance.keystore -file <filename>
Replace <keyname> with the name you specified in step 3 of
“Generate a Key” on page 3-58.
Replace <filename> with a name that you choose for the self-signed
certificate file.

4. When prompted for the password, enter changeit.

Install the Self-signed Certificate as a Trusted Root Certificate


Follow these steps to install the new self-signed certificate as a trusted CA
root certificate:
1. Log in as root to the NAC 800 OS.
2. Move to the /usr/local/nac/keystore directory.
ProCurve NAC 800:/# cd /usr/local/nac/keystore
3. Enter this command:

Syntax: keytool -import -alias <CA_name> -keystore /usr/local/java/jre/lib/security/cacerts -file <filename>
Replace <CA_name> with a name that identifies the NAC 800.
Replace <filename> with the name that you chose for the self-signed
certificate file in the previous task.

4. When prompted for the password, enter changeit.


Restart the HTTPS Server


The NAC 800 begins to use the new certificate the next time the HTTPS server
starts. Enter the following command from the root command line to restart the server:

Syntax: service [nac-ms | nac-es] restart


Restarts the nac-ms or nac-es services, including the HTTPS
server. On an MS, select nac-ms. On an ES, select nac-es. On a
CS, restart both services.

Install the Self-signed Certificate as a Trusted Root Certificate on Endpoints

The NAC 800 presents its new self-signed certificate to endpoints that access
its HTTPS server. Because the certificate is self-signed, the endpoints will not
trust the certificate until it has been installed as a trusted root CA certificate.
You have already exported the certificate to a file; you should now transfer it
off the NAC 800.

Follow these steps to save the certificate off the NAC 800 to a management
station that runs PSCP:
1. Access the command line for the station that runs PSCP (click Start > Run
and enter cmd) and move to the directory in which PSCP is installed.
2. Enter this command:

Syntax: pscp root@<IP address>://usr/local/nac/keystore/<self_cert_filename> <path\filename>
Replace <IP address> with the NAC 800’s IP address.
(Alternately, you can enter its hostname).
Replace <self_cert_filename> with the name given to the
self-certificate file in “Export the Self-signed Certificate to a File”
on page 3-61.
Replace <path\filename> with the path and filename where you
want to save the certificate on your workstation.

3. When prompted, enter the NAC 800’s root password.

You can now install the certificate as a trusted root CA certificate on
endpoints. The exact steps depend on the endpoints and your environment. For
example, in a Windows domain, you can publish the certificate in Active
Directory. Check the appropriate documentation for instructions.

3-62
Configuring the RADIUS Server—Integrated with ProCurve Identity Driven Manager
Contents

Configuring the RADIUS Server—Integrated with ProCurve Identity Driven Manager

Contents
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
RADIUS Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
Authentication Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4
Dynamic or User-Based Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4
IDM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
Data Store Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6
Local Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7
AD (Windows Domain) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7
LDAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
Proxy RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9
Configure the NAC 800 as a RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . 4-11
Specify the Quarantine Method (802.1X) . . . . . . . . . . . . . . . . . . . . . . . 4-12
Configure Authentication Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14
Configure Authentication to the NAC 800’s Local
Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14
Configure Authentication to a Windows Domain . . . . . . . . . . . . 4-16
Configure Authentication to an LDAP Server . . . . . . . . . . . . . . . 4-20
Configure Authentication to a Proxy RADIUS Server . . . . . . . . . 4-29
Test Authentication Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-34
Add NASs as 802.1X Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-39
Apply Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-43
Restart the RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-43


Manage Digital Certificates for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-47
Install the CA Root Certificate on the NAC 800 . . . . . . . . . . . . . . . . . 4-48
Install a Server Certificate for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . 4-49
Create a Self-Signed Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-50
Install a CA-Signed Certificate Using a Request
Generated on the NAC 800 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-52
Install a CA-Signed Certificate Using a Request
Generated on Behalf of the NAC 800 . . . . . . . . . . . . . . . . . . . . . . . 4-57
Manage Certificates on Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-61
Disable Server Validation on Endpoints . . . . . . . . . . . . . . . . . . . . . . . . 4-61


Overview
As explained in Chapter 1: “Overview of the ProCurve NAC 800,” a ProCurve
NAC 800 can fulfill a variety of functions, among them checking endpoint
integrity and authenticating endpoints as a RADIUS server. In this chapter,
you learn how to configure a NAC 800 that acts only as a RADIUS server.

ProCurve Identity Driven Manager (IDM), a plug-in to ProCurve Manager
(PCM) Plus, helps you to quickly and easily configure the NAC 800’s RADIUS
capabilities from a centralized location. This chapter focuses on setting up the
NAC 800 in a network that includes IDM. See Chapter 5: “Configuring the
RADIUS Server—Without Identity Driven Manager” to learn how to configure
the NAC 800 to provide RADIUS services without IDM.

This chapter focuses on configuring a stand-alone NAC 800 that is functioning
as a combination server (CS)—the typical setting for a RADIUS-only NAC 800.

In one circumstance only might you use a cluster deployment instead: you are
adding a RADIUS-only NAC 800 to a system that already enforces endpoint
integrity with a cluster configuration. In this case, the RADIUS-only NAC 800
would be an ES in a new cluster that enforces 802.1X quarantining and no
endpoint integrity. You would configure most of the settings described in this
chapter in the MS’s Web browser interface. However, you would create digital
certificates through the RADIUS-only NAC 800’s root command line.

RADIUS Overview
The RADIUS protocol regulates communications between Network Access
Servers (NASs) and authentication servers. The NASs are the points of access
for endpoints—for example, switch ports or wireless access points (APs).
They are also called the server’s clients. In your network, the NAC 800 is the
authentication server.

When an end-user attempts to connect to a NAS, the NAS sends an
authentication request to the NAC 800, its RADIUS server. The NAC 800 decides
whether the end-user can connect. The NAC 800 bases this decision on
whether the end-user submits valid credentials as well as—using IDM
policies—the time and location of the access attempt.


Authentication Protocols
An authentication server receives an endpoint’s credentials via an
authentication protocol. With 802.1X, the authentication protocol is always EAP, and the
NAC 800 and the endpoint negotiate the method. The NAC 800 supports these
EAP methods:
■ Protected EAP (PEAP) with:
• MS-CHAPv2
• Generic Token Card (GTC)
■ Transport Layer Security (TLS)
■ Tunneled TLS (TTLS) with:
• MS-CHAPv2
• Generic Token Card (GTC)
■ Lightweight EAP (LEAP)—not recommended

The NAC 800 first suggests PEAP with MS-CHAPv2.

An endpoint requires a client that supports at least one of the listed EAP
methods. For example, a Windows XP workstation has an 802.1X client
available to all network connections, and this client supports EAP-TLS and
PEAP with MS-CHAPv2. Older workstations might require the installation of
a vendor client for 802.1X authentication.

Table 4-1. Port Authentication Methods and Authentication Protocols

Port/Wireless Authentication Method    Selection Method for Authentication Protocol
802.1X                                 NAC 800 and endpoint negotiation—NAC suggests PEAP with MS-CHAPv2 first.
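The negotiation described above, as an added example that is not part of the original guide or the product’s code: a Python simulation of the EAP exchange between the NAC 800 (authenticator side) and an 802.1X supplicant, using the packet format and Nak mechanism of RFC 3748 and the IANA method type numbers. The guide states only that PEAP (with MS-CHAPv2 inner) is offered first; the order of the remaining offers and the client capability sets are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# EAP packet codes and method types (RFC 3748 and the IANA EAP registry).
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, NAK, MD5 = 1, 3, 4
TLS, LEAP, TTLS, PEAP = 13, 17, 21, 25
CODES = {REQUEST: "Request", RESPONSE: "Response", SUCCESS: "Success", FAILURE: "Failure"}
NAMES = {IDENTITY: "Identity", NAK: "Nak", MD5: "MD5-Challenge",
         TLS: "EAP-TLS", LEAP: "LEAP", TTLS: "EAP-TTLS", PEAP: "PEAP"}

# Server-side offer order. The guide states only that PEAP (MS-CHAPv2 inner)
# is suggested first; the order of the remaining methods is an assumption.
NAC800_PREFERENCE = [PEAP, TLS, TTLS, LEAP]


@dataclass
class EapPacket:
    code: int
    identifier: int
    type: Optional[int] = None   # Success/Failure packets carry no Type field
    data: bytes = b""

    def encode(self) -> bytes:
        """Wire format: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
        body = b"" if self.type is None else bytes([self.type]) + self.data
        return bytes([self.code, self.identifier]) + (4 + len(body)).to_bytes(2, "big") + body

    @classmethod
    def decode(cls, raw: bytes) -> "EapPacket":
        length = int.from_bytes(raw[2:4], "big")
        if length < 4 or length != len(raw):
            raise ValueError("malformed EAP packet length")
        if length == 4:
            return cls(raw[0], raw[1])
        return cls(raw[0], raw[1], raw[4], raw[5:])

    def describe(self) -> str:
        text = CODES[self.code]
        if self.type is not None:
            text += "/" + NAMES.get(self.type, f"type {self.type}")
        if self.type == NAK:
            listed = [NAMES.get(t, str(t)) for t in self.data if t]
            text += " (acceptable: " + (", ".join(listed) or "none") + ")"
        return text


def supplicant_reply(request: EapPacket, supported: set, identity: str) -> EapPacket:
    """Endpoint side: answer one EAP Request from the NAC 800."""
    if request.type == IDENTITY:
        return EapPacket(RESPONSE, request.identifier, IDENTITY, identity.encode())
    if request.type in supported:
        # Accept the proposal; the method-specific payload is out of scope here.
        return EapPacket(RESPONSE, request.identifier, request.type)
    # Refuse with a Nak listing the methods the client does support
    # (RFC 3748 section 5.3.1); a single zero byte means "none of yours".
    alternatives = bytes(sorted(supported)) or b"\x00"
    return EapPacket(RESPONSE, request.identifier, NAK, alternatives)


def negotiate(server_prefs, client_supported, identity="alice@corp.example"):
    """Drive the exchange; return (agreed method or None, message transcript)."""
    transcript = []

    def exchange(pkt: EapPacket, sender: str) -> EapPacket:
        raw = pkt.encode()                      # serialize ...
        transcript.append(f"{sender}: {pkt.describe()} [{len(raw)} bytes]")
        return EapPacket.decode(raw)            # ... and parse as the peer would

    ident = 0
    req = exchange(EapPacket(REQUEST, ident, IDENTITY), "NAC 800")
    exchange(supplicant_reply(req, client_supported, identity), "endpoint")
    candidates = list(server_prefs)
    while candidates:
        ident += 1
        proposal = candidates.pop(0)
        req = exchange(EapPacket(REQUEST, ident, proposal), "NAC 800")
        resp = exchange(supplicant_reply(req, client_supported, identity), "endpoint")
        if resp.type == proposal:
            return proposal, transcript
        # After a Nak, offer only what the client listed, in our preference order.
        acceptable = set(resp.data) - {0}
        candidates = [m for m in candidates if m in acceptable]
    exchange(EapPacket(FAILURE, ident + 1), "NAC 800")
    return None, transcript


if __name__ == "__main__":
    # Constructed client capability sets; the first matches the Windows XP
    # client the guide describes (EAP-TLS and PEAP with MS-CHAPv2).
    for label, methods in [("Windows XP client", {TLS, PEAP}),
                           ("TTLS-only client", {TTLS}),
                           ("MD5-only client", {MD5})]:
        chosen, log = negotiate(NAC800_PREFERENCE, methods)
        print(f"{label}: {NAMES.get(chosen, 'no common method')}")
        for line in log:
            print("   " + line)
```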

Dynamic or User-Based Settings

Dynamic or user-based settings allow you to customize users’ network access
according to identity and are an important component of the ProCurve Adaptive
Edge Architecture (AEA). The RADIUS server is responsible for matching
an authenticated user to the correct settings for that user.

Dynamic settings supported on the NAC 800 include:
■ Virtual local area network (VLAN) assignments
■ Access control lists (ACLs)
■ Rate limits


IDM is required for configuring these settings on the NAC 800.

In fact, IDM enables you to capitalize on all of the NAC 800’s RADIUS
capabilities—and to configure the NAC 800 as part of a centralized
management solution.

Note If you are using the NAC 800 to test endpoint integrity, you also use IDM to
set up dynamic VLAN assignments according to an endpoint’s integrity
posture.

IDM Overview
IDM detects and assumes management of the NAC 800 just as it does any
RADIUS server. Because the IDM agent is installed on the NAC 800 at factory
defaults, you only need to perform three tasks to integrate the NAC 800
with IDM:
■ Configure the same read-only Simple Network Management Protocol
version 2 (SNMPv2) community name on the IDM server and the NAC 800.
(See “Configure MS or CS SNMP Settings” on page 3-24 of Chapter 3:
“Initial Setup of the ProCurve NAC 800.”)
■ On the IDM server, add the NAC 800’s IP address to this file:
C:\Program Files\Hewlett-Packard\PNM\server\config\access.txt.
■ On the NAC 800, specify the IP address of the server that runs PCM Plus
with IDM. (See “Specify the Quarantine Method (802.1X)” on page 4-12.)

After detecting the NAC 800, IDM places it in its ProCurve Network Access
Controllers folder and treats the device much like any RADIUS server:
■ IDM deploys policies to the NAC 800, which include:
• Times and locations for network access
• Profiles for authenticated users, which include dynamic VLAN assignments, ACLs, and rate limits

Note When IDM deploys a policy to a NAC 800, the NAC 800 stores the
associated configuration. In other words, although IDM manages policies,
once it has deployed them the NAC 800 always enforces them whether it
can reach the IDM server or not.
■ IDM tracks end-users that send authentication requests to the NAC 800.


In addition, IDM provides these services for NAC 800s:
■ A tool for adding user accounts to the NAC 800’s local database
■ Access to the NAC 800’s Web browser interface
■ Profiles for authenticated users based on their endpoint integrity posture
(pass, fail, infected, or unknown)

For more information on IDM and how it interacts with the NAC 800, see “IDM”
on page 2-49 of Chapter 2: “Management Options for the ProCurve NAC 800.”

Note To function with the NAC 800, IDM’s version number must be 2.2 auto-update
2. The NAC 800’s IDM agent version must match the IDM version.

The NAC 800 includes the IDM agent at its factory default settings; you do not
need to install it. If the IDM agent is upgraded, the release notes will instruct
you how to upgrade the agent on the NAC 800.

To check the current IDM agent version, log in to the NAC 800 as root and
enter:

more /root/version

Data Store Overview


The NAC 800 can search one of several locations, or data stores, for a user’s
credentials:
■ A local database of users
■ A Windows domain controller, which runs Active Directory (AD)
■ A Lightweight Directory Access Protocol (LDAP) server:
• OpenLDAP
• Novell eDirectory
■ Another RADIUS server (via a proxy request)

You choose the data store when you configure the NAC 800’s (or cluster’s)
end-user authentication method. (See “Configure Authentication Settings” on
page 4-14.)


Local Database
You can store user accounts as entries in a database on the NAC 800 itself.
IDM simplifies adding entries to the local database. You simply enable local
authentication on the NAC 800’s IDM realm. Then, whenever you add a user
to IDM, the user is automatically added to the local database of all NAC 800s
in the realm.

Note You must always include a password for users that are added to the local
database through IDM. (The NAC 800 does not accept NULL passwords.)

Advantages of using the local database configured through IDM include:
■ The database is always available to the NAC 800.
■ The database is under the control of administrators with access to IDM.
■ Local databases on multiple NAC 800s are always identical because you
configure them centrally.
■ You can use any of these protocols to authenticate users:
• EAP-TLS
• EAP-TTLS with MS-CHAPv2 (or GTC)
• PEAP with MS-CHAPv2 (or GTC)

Disadvantages of using the local database include:
■ You must have access to IDM to add entries to the database.
■ Although IDM can automatically add users, you must set passwords for
the user accounts before they are added to the NAC 800’s local database.

AD (Windows Domain)
Many organizations manage users as a part of a Windows domain, and
Microsoft AD already stores user entries. Rather than duplicate these entries,
the NAC 800 can simply join the domain and request information from AD
when necessary to authenticate a user.

See “Configure Authentication to a Windows Domain” on page 4-16 to learn
how to configure this option.

Advantages of using the Windows domain and AD as the data store include:
■ IDM can synchronize with a Windows domain and automatically import
users in specific groups. When you add the NAC 800 to the domain, you
enable the NAC 800 to authenticate these users without adding passwords
to the user accounts in IDM.
■ Changes to an object in AD are automatically available to all NAC 800s.


Disadvantages of using the Windows domain include:
■ You must know an administrator username and password for the
Windows domain; otherwise, you cannot configure the NAC 800 to join the
domain.
■ If your NAC 800 loses connectivity to the domain controller (the server
running AD), it cannot authenticate users.
Having multiple domain controllers mitigates this disadvantage.
■ Your network must use one of these authentication methods:
• MS-CHAPv1 or MS-CHAPv2
• EAP-TTLS with MS-CHAPv2
• PEAP with MS-CHAPv2
If you need to use a different method, use the NAC 800’s local database.

LDAP Server
Just as the NAC 800 can join a Windows domain and access AD, it can bind to
an LDAP server and search a directory. For example, your organization might
already have a directory that authenticates users and authorizes them for
various types of network access.

The NAC 800 can bind to these LDAP servers:
■ OpenLDAP
See “Configure Authentication to an OpenLDAP Server” on page 4-21.
■ Novell eDirectory
See “Configure Authentication to a Novell eDirectory Server” on page
4-26.

Advantages of using LDAP servers as the data store include:
■ IDM can import users from an LDAP server. When you also bind the NAC
800 to the LDAP server, you enable the NAC 800 to authenticate these
users without adding passwords to the user accounts in IDM.
■ Changes to a directory object are automatically available to all NAC 800s.

Disadvantages of using the LDAP servers include:
■ You must know the username and password for the root account of the
directory database in question; otherwise, you cannot configure the NAC
800 to bind to the directory.


■ If your NAC 800 loses connectivity to the LDAP server, it cannot
authenticate users.
Specifying multiple LDAP servers mitigates this disadvantage. See
Chapter 7: “Redundancy and Backup for RADIUS Services.”

Proxy RADIUS Server


The NAC 800 can proxy access requests to one or more RADIUS servers. The
NAC 800 acts as a RADIUS client to the proxy server, and the proxy server
looks up credentials and authenticates the user.

The NAC 800 can proxy all requests, or it can only proxy requests that meet
certain criteria, such as having a particular domain suffix.

Proxying requests is primarily intended for NAC 800s that implement endpoint
integrity. The existing RADIUS server handles authentication, and the NAC
800 handles the endpoint integrity.

However, you might choose the proxy option for a RADIUS-only NAC 800 in
this situation: you want to use IDM, but your existing RADIUS server does not
support the IDM agent. The NAC 800 will proxy authentication requests to the
existing server, which checks user credentials. When the NAC 800 receives an
access response from the proxy server, it will modify the response according
to policies configured through IDM.

To configure proxying, you must log in as root to the NAC 800’s (CS’s or ES’s)
command line and edit this file: /etc/raddb/proxy.conf. See “Configure
Authentication to a Proxy RADIUS Server” on page 4-29.

Advantages of using a proxy server for at least some requests include:
■ You do not have to duplicate user accounts already stored on another
RADIUS server.
■ You can gain the advantages of IDM in a network with existing RADIUS
servers that do not support the IDM agent.

Disadvantages of using the proxy server include:
■ The existing RADIUS server must still handle authentication requests, so
the NAC 800 does not relieve that burden.


■ The EAP method must allow the username to be transmitted in plaintext.
IDM requires access to the username. If the proxy server and supplicant
always transmit the username in encrypted form, IDM cannot determine
the correct policy to apply.
For example, EAP-TTLS might exhibit this problem.
An example of an EAP method that works with proxying is Microsoft’s
implementation of PEAP.
■ If your NAC 800 loses connectivity to the proxy server, it cannot
authenticate users.
Specifying multiple proxy servers mitigates this disadvantage.
■ Manual configuration creates opportunities for errors.


Configure the NAC 800 as a RADIUS Server
You must complete these tasks to set up the ProCurve NAC 800 as a RADIUS
server in a network with IDM:
1. Configure your network’s NASs—including, as necessary, switches,
wireless APs, and Wireless Edge Services Modules—to use the NAC 800 as
their RADIUS server.
The NAC 800 can be the NASs’ primary or secondary server.
Refer to your devices’ documentation for instructions on completing
this task.
PCM Plus also offers a Secure Access Wizard for completing this step on
ProCurve devices. See the ProCurve Identity Driven Management User’s
Guide.
2. Complete initial configuration of the NAC 800.
See Chapter 3: “Initial Setup of the ProCurve NAC 800.”

Note In particular, set the NAC 800’s SNMPv2 community name to the name
configured on the PCM Plus with IDM server.

If you are adding the RADIUS-only NAC 800 to an existing system of NAC
800s, create a cluster for 802.1X enforcement and add the new NAC 800
as an ES. Otherwise, simply set the NAC 800 as a CS.
3. On the PCM Plus with IDM server (called the IDM server for the rest of
this chapter), add the NAC 800’s IP address to the list of devices allowed
to access the server.
Follow these steps:
a. On the IDM server, open C:\Program Files\Hewlett-Packard\PNM\server\config\access.txt.
Open the file in a text-based editor such as Notepad or Wordpad.
b. Add the NAC 800’s IP address or hostname on its own line.
c. Save and close the file.
4. On the NAC 800, select 802.1X for the quarantine method.
See “Specify the Quarantine Method (802.1X)” on page 4-12.


5. On the NAC 800, set the IDM server address.
See “Specify the Quarantine Method (802.1X)” on page 4-12.
6. On the NAC 800, configure the authentication settings, which determine,
for example, where the database of usernames and passwords is stored.
See “Configure Authentication Settings” on page 4-14.
7. On the NAC 800, add your network’s NASs—switches, APs, and Wireless
Edge Services Modules—as 802.1X devices.
See “Add NASs as 802.1X Devices” on page 4-39.
8. On the NAC 800, apply your configuration changes.
The RADIUS server automatically restarts. See “Apply Changes” on page
4-43.
9. Complete all other configurations, including creating policies for dynamic
settings and endpoint integrity, with IDM. Deploy policies to the NAC 800.
See the ProCurve Identity Driven Manager User’s Guide.

Specify the Quarantine Method (802.1X)


To act as a RADIUS server, the ProCurve NAC 800 must implement the 802.1X
quarantine method. (However, you can disable the actual quarantining by
disabling endpoint testing. See Chapter 6: “Disabling Endpoint Integrity
Testing.”)

Follow these steps:
1. Select Home > System configuration > Quarantining.
2. If you have a multiple NAC 800 deployment (MS and multiple ESs), choose
the cluster that includes the RADIUS server ESs. For a CS, the default and
only cluster is automatically selected.
3. In the Quarantine method area, select 802.1X.


Figure 4-1. Home > System configuration > Quarantining

4. In the Basic 802.1X settings area and the IDM server IP address field, enter
the IP address of the server that runs PCM Plus with IDM.
5. Select Local for the RADIUS server type.


Note The Quarantine subnets field only applies if the NAC 800 enforces endpoint
integrity. This setting allows the NAC 800 to respond to DNS requests from
endpoints in quarantine VLANs. You should have already set up the quarantine
VLANs in IDM.

You have now enabled the NAC 800 to make access control decisions as a
RADIUS server. Next you must configure the RADIUS server’s authentication
settings.

Configure Authentication Settings


To check 802.1X credentials, the NAC 800 draws on user accounts stored in
one of several locations:
■ Its own local database configured through IDM (see “Configure
Authentication to the NAC 800’s Local Database” on page 4-14)
■ A Windows Domain (see “Configure Authentication to a Windows
Domain” on page 4-16)
■ An OpenLDAP server (see “Configure Authentication to an OpenLDAP
Server” on page 4-21)
■ A Novell eDirectory server (see “Configure Authentication to a Novell
eDirectory Server” on page 4-26)
■ Another RADIUS server (see “Configure Authentication to a Proxy
RADIUS Server” on page 4-29)
While not typical for a RADIUS-only NAC 800, this option is supported.

Configure Authentication to the NAC 800’s Local Database


Follow these steps to enable the NAC 800 to authenticate users against its own
local database:
1. Complete the steps listed in “Specify the Quarantine Method (802.1X)” on
page 4-12. You should see the screen illustrated in Figure 4-2.


Figure 4-2. Home > System configuration > Quarantining—802.1X quarantine method

2. Keep Manual for the End-user authentication method.


3. Add user accounts to the local database through IDM.
You must complete two steps on the IDM server:
a. Modify the NAC 800’s domain and select Enable Local Authentication
for ProCurve NAC devices.
b. Add users to the realm.
IDM automatically configures on the NAC 800 any user that you add
to the NAC 800’s realm. You must, however, configure passwords for
those users.
See the ProCurve Identity Driven Management User’s Guide for more
detailed instructions on completing these steps.
4. You are now ready to specify your network’s NASs. (See “Add NASs as
802.1X Devices” on page 4-39.)

Configure Authentication to a Windows Domain


The Windows Domain authentication method allows the NAC 800 to check
end-user credentials against credentials stored in AD.

The NAC 800 joins the domain. Then, when it receives an authentication
request from an end-user, the NAC 800 uses NT LAN Manager (NTLM) to query
a domain controller (a server that runs AD) and check the end-user’s
credentials.

To set up the Windows domain authentication method successfully, you must
ensure that:
■ Endpoints and NASs meet requirements for NTLM authentication:
• End-users are members of the domain.
• For 802.1X authentication, endpoints support PEAP or TTLS with
MS-CHAPv2 as the inner method.

Note If your NASs or endpoints do not support the correct authentication
methods, the NAC 800 cannot authenticate end-users directly against AD.
You must either proxy authentication requests to another RADIUS server
or select local authentication in IDM to duplicate user accounts on the
NAC 800’s local directory.


■ The NAC 800 (the CS or ESs) can join the domain:
• You need the username and password of an account with the right to
add devices to the domain (an administrator account).
• The NAC 800’s hostname must be fully qualified with your domain’s
name—for example, nac.mydomain.com, not nac.
See “Edit MS or CS Network Settings” on page 3-18 of Chapter 3:
“Initial Setup of the ProCurve NAC 800” for instructions on changing
the hostname.
• The NAC 800 requires a valid DNS server address (which allows it to
resolve the domain controller’s FQDN).
To specify the DNS server, see “Edit MS or CS Network Settings” on
page 3-18 of Chapter 3: “Initial Setup of the ProCurve NAC 800.”
• Your network’s DNS servers must have forward lookup entries for the
NAC 800 and for the domain controller. It must also have the correct
reverse lookup zones.
• The NAC 800’s clock is synced with the domain controller’s clock.
Default Windows server settings require the NAC 800’s time to be
within five minutes of the domain controller’s time to prevent replay
attacks. Either verify that both devices receive their clock from an
NTP server, or change the settings on the domain controller.

Follow these steps to configure end-user authentication against a Windows
domain:
1. Complete the steps listed in “Specify the Quarantine Method (802.1X)” on
page 4-12. You should see the screen illustrated in Figure 4-3.


Figure 4-3. Home > System configuration > Quarantining—802.1X quarantine method

2. Select Windows domain for the End-user authentication method.


The Windows domain settings and Test Windows domain settings areas are
displayed.


Figure 4-4. Home > System configuration > Quarantining—Windows domain authentication method


3. In the Domain name field, enter the FQDN of your domain. For example:
MyCompany.com

Note In a domain with subdomains, the NAC 800 must join the parent domain
(rather than one of the subdomains). For example, you must specify
MyCompany.com, not hq.MyCompany.com.

4. In the Administrator user name field, enter the username of an account with
the right to join the NAC 800 to the domain.
5. In the Administrator password field, enter the password for the user
specified in the previous step.
6. In the Re-enter administrator password field, enter the password again.
7. In the Domain controllers field, specify the FQDN of your domain controller
(or controllers).
Domain controllers are servers that run AD. Separate FQDNs with a
comma (no space).

Note In a network with multiple domain controllers, you should generally
specify all of the controllers. If you do not, you might see an error when
you test the settings because the NAC 800 bound itself to a different
domain controller than the one specified.

8. To verify that the NAC 800 can successfully join the domain, click the test
settings button.
See “Test Authentication Settings” on page 4-34 for more information on
setting up the test.
9. You are now ready to specify your network’s NASs. (See “Add NASs as
802.1X Devices” on page 4-39.)
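Most failures to join the domain come from the prerequisites listed above rather than from the form itself. The following Python, an added example that is not ProCurve code, encodes those prerequisites (a fully qualified hostname inside the domain, a comma-separated Domain controllers field with no spaces, controllers named within the domain, and a clock within five minutes of the domain controller) as checks you can run on your intended settings before you click the test settings button. All function and parameter names are hypothetical; the clock values are Unix epoch seconds that you supply.

```python
"""Pre-flight checks for the NAC 800 Windows domain prerequisites.

Added example, not ProCurve code. The checks mirror the requirements in
the guide; they cannot tell whether a domain is the parent or a
subdomain, so that rule is still yours to confirm.
"""
from typing import List

# Default Windows tolerance cited in the guide: five minutes, in seconds.
MAX_CLOCK_SKEW_SECONDS = 5 * 60


def _norm(name: str) -> str:
    """Lower-case and drop a trailing dot so 'NAC.MyDomain.com.' equals 'nac.mydomain.com'."""
    return name.strip().lower().rstrip(".")


def hostname_is_fqdn_in_domain(hostname: str, domain: str) -> bool:
    """True for nac.mydomain.com in mydomain.com; False for the bare name nac."""
    h, d = _norm(hostname), _norm(domain)
    return bool(d) and h.endswith("." + d) and len(h) > len(d) + 1


def parse_domain_controllers(field: str) -> List[str]:
    """Split the Domain controllers field; the guide requires commas with no spaces."""
    if field != field.strip() or " " in field:
        raise ValueError("domain controllers must be separated by commas with no spaces")
    controllers = field.split(",")
    if any(not dc for dc in controllers):
        raise ValueError("the domain controller list contains an empty entry")
    return controllers


def clock_skew_ok(nac_epoch: float, dc_epoch: float) -> bool:
    """Replay protection on the domain controller rejects requests outside the window."""
    return abs(nac_epoch - dc_epoch) <= MAX_CLOCK_SKEW_SECONDS


def preflight(hostname: str, domain: str, dc_field: str,
              nac_epoch: float, dc_epoch: float) -> List[str]:
    """Return findings for the planned settings; an empty list means they look consistent."""
    findings: List[str] = []
    if not hostname_is_fqdn_in_domain(hostname, domain):
        findings.append(f"hostname {hostname!r} is not fully qualified within {domain!r}")
    try:
        for dc in parse_domain_controllers(dc_field):
            if not hostname_is_fqdn_in_domain(dc, domain):
                findings.append(f"domain controller {dc!r} is not a fully qualified name in {domain!r}")
    except ValueError as exc:
        findings.append(str(exc))
    if not clock_skew_ok(nac_epoch, dc_epoch):
        findings.append("NAC 800 clock differs from the domain controller by more than five minutes; "
                        "point both at the same NTP server")
    return findings


if __name__ == "__main__":
    # Constructed sample settings: one clean set and one that breaks three rules.
    print(preflight("nac.mydomain.com", "mydomain.com",
                    "dc1.mydomain.com,dc2.mydomain.com", 1_000_000, 1_000_120))
    print(preflight("nac", "mydomain.com",
                    "dc1.mydomain.com, dc2.mydomain.com", 1_000_000, 1_000_360))
```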

Configure Authentication to an LDAP Server


Your network might already have a directory that stores user accounts and
rights. You can configure your NAC 800 to authenticate users against these
LDAP-compliant servers:
■ OpenLDAP
■ Novell eDirectory


You must configure the NAC 800 to perform these functions:
■ Bind to the LDAP server
To complete the binding, the NAC 800 submits a distinguished name (DN)
and password to the LDAP server. You must specify the DN and password
of an object with administrative rights. In addition, you must specify the
base DN. The base DN serves as the starting point for LDAP searches and
is typically the top level of the tree. The administrator object must be
under the specified base DN.
■ Search the LDAP server’s directory to check the user’s credentials and
group memberships
• With the user login filter, the NAC 800 looks up the account that
matches the name submitted by the end-user.
• To check the end-user’s password, the NAC 800 requests the password
attribute for the account.

By default, the NAC 800 and the LDAP server communicate in plaintext
messages. You should configure the NAC 800 to complete TLS authentication
with the LDAP server, which increases security in the following ways:
■ The LDAP server proves its identity to the NAC 800 with a digital
certificate—which ensures that the NAC 800 submits credentials to, and
receives user account information from, the authorized server only.
■ TLS creates an encrypted tunnel between the NAC 800 and the LDAP
server—which protects users’ information from eavesdroppers.

Configure Authentication to an OpenLDAP Server. If your network
stores user accounts in OpenLDAP, follow these steps to configure the NAC
800’s authentication settings:
1. Complete the steps listed in “Specify the Quarantine Method (802.1X)” on
page 4-12. You should see the screen illustrated in Figure 4-5.


Figure 4-5. Home > System configuration > Quarantining—802.1X quarantine method

2. Select OpenLDAP for the End-user authentication method.


The OpenLDAP settings and Test OpenLDAP settings areas are displayed.


Figure 4-6. Home > System configuration > Quarantining—OpenLDAP authentication method

3. In the Server field, enter the hostname or IP address of the OpenLDAP
server. For example:
10.1.10.10


Optionally, append a colon and port number to the IP address to specify
the port used by your OpenLDAP server. For example:
10.1.10.10:646
If you do not specify the port, the NAC 800 behaves as follows:
• Uses port 389 if the connection is not secure
• Uses port 636 if the connection is secure
Step 9 on page 4-25 explains how to choose a secure connection.

Note If you specify a hostname, remember to check the NAC 800’s DNS server.
See “Edit MS or CS Network Settings” on page 3-18 of Chapter 3: “Initial
Setup of the ProCurve NAC 800.”

4. In the Identity field, enter the DN of an object in the directory with
administrative rights.
Enter the name in standard LDAP format. For example:
cn=Manager,dc=MyCompany,dc=com
5. In the Password field, enter the password for the object specified in the
previous step.
6. In the Re-enter password field, enter this password again.
7. In the Base DN field, enter the DN for the object at which the NAC 800
begins searches—almost always the DN of the top level of the tree.
For example:
dc=MyCompany,dc=com
The administrator specified in the Identity field should be under the base
DN.
8. Typically, leave the Filter and Password attribute fields at their default
settings.
As explained in the introduction to “Configure Authentication to an LDAP
Server” on page 4-20, the user filter and password attribute help the
NAC 800 perform searches within the directory. Your settings must match
up with attribute names used in your OpenLDAP installation, and the
syntax must follow LDAP syntax.


The default filter is shown in Figure 4-6; it tells the NAC 800 to search for
an entry in which the “uid” attribute equals whatever username is
submitted in an authentication request. (The “Stripped-User-Domain” portion
of the filter allows the NAC 800 to remove an appended domain name, which
may be necessary to match the uid as stored in the directory.)

Note Depending on how your directory is constructed, you might need to
change “uid” to “cn.”

The password attribute (default “userPassword”) must match the name
of the attribute that stores passwords in your directory. Remember the
OpenLDAP directory must allow the NAC 800 “auth” access to this
attribute.

Note Be careful when altering the default settings: if you cause searches to fail,
you effectively lock out all users.

9. Check the Use a secure connection (TLS) box.


The NAC 800 and the OpenLDAP server perform a TLS handshake to
authenticate each other, as well as set up encryption keys to secure the
connection.
ProCurve Networking recommends that you always enable this option.
10. If you checked the box in the previous step, verify that the NAC 800 has
the proper certificate authority (CA) certificate.
The NAC 800 requires the CA certificate for the CA that signed the
OpenLDAP server’s certificate. Save this certificate on your management
station. Then click the Browse button next to New certificate to upload it
to the NAC 800.
11. To verify that the NAC 800 can successfully bind to the OpenLDAP server,
click the test settings button.
See “Test Authentication Settings” on page 4-34 for more information on
setting up the test.

Note You may receive a message that the test failed because the LDAP query
returned no results. Do not worry: although the search did not return any
results, the bind completed successfully. For information about other result
messages, see Table 4-2 on page 4-38.

12. You are now ready to specify your network’s NASs. (See “Add NASs as
802.1X Devices” on page 4-39.)


Configure Authentication to a Novell eDirectory Server. If your
network stores user accounts in eDirectory, follow these steps to configure
the NAC 800’s authentication settings:
1. Complete the steps listed in “Specify the Quarantine Method (802.1X)” on
page 4-12. You should see the screen illustrated in Figure 4-7.

Figure 4-7. Home > System configuration > Quarantining—802.1X quarantine method


2. Select Novell eDirectory for the End-user authentication method.


The Novell eDirectory settings and Test Novell eDirectory settings areas are
displayed.

Figure 4-8. Home > System configuration > Quarantining—Novell eDirectory authentication method


3. In the Server field, enter the hostname or IP address of the eDirectory
server. For example:
10.1.10.10
A hostname can include alphanumeric characters, periods, and hyphens
and be up to 64 characters.
Optionally, append a colon and port number to the IP address or hostname
to specify the port used by your eDirectory server. For example:
10.1.10.10:636
The default LDAP port is 389, and the NAC 800 uses this port if you do not
explicitly specify another. Use port 636 when you check the Use a
secure connection (TLS) box (recommended). See step 9 on page 4-29.
4. In the Identity field, enter the DN of an account with administrator rights.
Enter the name in standard LDAP format. For example:
cn=Administrator,dc=MyCompany,dc=com
5. In the Password field, enter the password for the account specified in the
previous step.
6. In the Re-enter password field, enter this password again.
7. In the Base DN field, enter the DN for the object at which the NAC 800
begins the search.
Typically, you should specify the top of the directory. For example:
dc=MyCompany,dc=com
The administrator specified in the Identity field should be under the
base DN.
8. You should leave the Filter and Password attribute fields at their default
settings.
As explained in the introduction to “Configure Authentication to an LDAP
Server” on page 4-20, the filter and password attribute help the NAC 800
perform searches within the directory. The values must match exactly the
values used by eDirectory, and the syntax must follow LDAP syntax.
The default filter is shown in Figure 4-8; it tells the NAC 800 to search for
an account in which the “cn” attribute equals whatever username is
submitted in an authentication request. (The “Stripped-User-Domain”
portion of the filter allows the NAC 800 to remove an appended domain
name, which may be necessary to match the cn as stored in the directory.)


The password attribute (default “nspmPassword”) must match the
attribute used to store passwords in eDirectory accounts.

Note Be careful when altering the default settings: if you cause searches to fail,
you effectively lock out all users.

9. Check the Use a secure connection (TLS) box.


The NAC 800 and the eDirectory server perform a TLS handshake to
authenticate each other, as well as set up encryption keys to prevent
eavesdroppers from discovering credentials.
An eDirectory server, by default, requires secure connections.
10. If you checked the box in the previous step, verify that the NAC 800 has
the proper CA certificate.
The NAC 800 requires the CA certificate for the CA that signed the
eDirectory server’s certificate. Save this certificate on your management
station. Then click the Browse button next to New certificate to upload it
to the NAC 800.
11. To verify that the NAC 800 can successfully bind to the eDirectory server,
click the test settings button.
See “Test Authentication Settings” on page 4-34 for more information on
setting up the test.
12. You are now ready to specify your network’s NASs. (See “Add NASs as
802.1X Devices” on page 4-39.)
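The OpenLDAP and eDirectory procedures above share the same server, filter, and password-attribute mechanics. The following Python, an added example that is not ProCurve code, shows how the Server field’s optional :port suffix combines with the Use a secure connection (TLS) box (389 or 636 when no port is given), how the login filter strips an appended domain from the submitted username before matching it against uid (OpenLDAP) or cn (eDirectory), and why the username must be escaped before it is placed in a filter. The in-memory directory and all function names are constructed for this example; the exact filter string shown in Figures 4-6 and 4-8 is not reproduced.

```python
"""Helpers for the NAC 800 OpenLDAP / eDirectory settings.

Added example, not ProCurve code. The sample directory below is
constructed; hostnames are validated with the eDirectory field rule
from the guide (alphanumerics, periods, hyphens, up to 64 characters),
which also accepts dotted IPv4 addresses.
"""
import re
from typing import Dict, List, Tuple

DEFAULT_PORT_PLAIN = 389   # no port given and TLS box unchecked
DEFAULT_PORT_TLS = 636     # no port given and TLS box checked
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,64}$")


def parse_server_field(server: str, use_tls: bool) -> Tuple[str, int]:
    """Split '10.1.10.10:646' into host and port, applying the TLS-dependent default."""
    host, sep, port = server.rpartition(":")
    if sep and port.isdigit():
        port_num = int(port)
    else:
        host, port_num = server, (DEFAULT_PORT_TLS if use_tls else DEFAULT_PORT_PLAIN)
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"server {host!r} is not a valid hostname or IPv4 address")
    return host, port_num


def strip_user_domain(user_name: str) -> str:
    """Drop a realm sent as user@domain or DOMAIN\\user so it matches the stored uid/cn."""
    if "@" in user_name:
        return user_name.split("@", 1)[0]
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return user_name


# RFC 4515 escapes: without them a crafted username could change the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(user_name: str, attribute: str = "uid") -> str:
    """Equivalent of the default filter: (uid=<stripped name>); pass 'cn' for eDirectory."""
    return f"({attribute}={escape_filter_value(strip_user_domain(user_name))})"


# Constructed sample directory: one entry per dict, attribute -> value.
# 'bob' appears twice on purpose to show the "more than one result" outcome.
SAMPLE_DIRECTORY: List[Dict[str, str]] = [
    {"dn": "uid=alice,ou=people,dc=MyCompany,dc=com", "uid": "alice", "userPassword": "{SSHA}constructed"},
    {"dn": "uid=bob,ou=people,dc=MyCompany,dc=com", "uid": "bob", "userPassword": "{SSHA}constructed"},
    {"dn": "uid=bob,ou=contractors,dc=MyCompany,dc=com", "uid": "bob", "userPassword": "{SSHA}constructed"},
    {"dn": "uid=carol,dc=Other,dc=com", "uid": "carol", "userPassword": "{SSHA}constructed"},
]


def _under_base(dn: str, base_dn: str) -> bool:
    """Only entries below the configured base DN are visible to the search."""
    return dn.lower().endswith("," + base_dn.lower()) or dn.lower() == base_dn.lower()


def lookup_user(directory: List[Dict[str, str]], base_dn: str, user_name: str,
                attribute: str = "uid", password_attribute: str = "userPassword") -> str:
    """Mimic the credential look-up the test settings button performs.

    Returns 'ok' when exactly one entry below the base DN matches the stripped
    name and carries the password attribute; otherwise a message in the spirit
    of the results the guide lists for the test.
    """
    wanted = strip_user_domain(user_name)
    matches = [e for e in directory
               if _under_base(e["dn"], base_dn) and e.get(attribute) == wanted]
    if not matches:
        return f"end-user {wanted} not found"
    if len(matches) > 1:
        return "LDAP query returned more than one result"
    if password_attribute not in matches[0]:
        return f"Attribute {password_attribute} not found"
    return "ok"


if __name__ == "__main__":
    print(parse_server_field("10.1.10.10", True))
    print(build_login_filter("alice@MyCompany.com"))
    print(lookup_user(SAMPLE_DIRECTORY, "dc=MyCompany,dc=com", "alice@MyCompany.com"))
```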

Configure Authentication to a Proxy RADIUS Server


If your network has an existing RADIUS server, you can configure the NAC
800 to proxy end-user authentication requests to that server.

Note Check the EAP methods supported by the proxy RADIUS server. The server
must use only those methods, such as PEAP, that include the username in
plaintext.

Follow these steps:


1. Complete the steps listed in “Specify the Quarantine Method (802.1X)” on
page 4-12. You should see the screen illustrated in Figure 4-9.


Figure 4-9. Home > System configuration > Quarantining—802.1X quarantine method

2. Select Proxy for the End-user authentication method.


Figure 4-10. Home > System configuration > Quarantining—Proxy authentication method

3. Specify the IP address for the proxy server (or servers).


To complete this task, you must access the NAC 800’s OS and edit the
/etc/raddb/proxy.conf file.


Note If your NAC 800 is a CS, simply alter the proxy.conf file on that NAC 800.
However, if you have a cluster of an MS and ESs, you must alter the file on each
ES in the cluster.

Follow these steps:


a. Click the ok button to save your changes before you leave the Web
browser session.
b. Log in as root to the NAC 800:
i. Open a Secure Shell (SSH) or console session with the NAC 800.
ii. When asked for your username and password, enter root and the
root password (default: procurve).
c. Edit the /etc/raddb/proxy.conf file.
The steps below give basic commands for editing the file with vi, a
standard Linux editor built into the NAC 800. For more information
on vi, see “vi Editor” on page B-4 of Appendix B: “Linux Commands.”
i. Enter this command:
vi /etc/raddb/proxy.conf
ii. Move through the file until you find the “realm company.com”
section.
iii. Enter insert mode by pressing [i].
iv. Delete the comment markers (#) from the five lines in the “realm
company.com” section.

#
realm mycompany.com {
    type = radius
    authhost= 10.10.10.10
    accthost= 10.10.10.20
    secret = "mysecret"
}

Figure 4-11. Example proxy.conf (Relevant Section Only)

v. Change “company.com” to the name of the domain of the proxy
server.
vi. For the “authhost” value, specify the proxy RADIUS authentication
server. Use this syntax:
authhost= <FQDN or IP address>:<port number>
If you do not specify a port, the NAC 800 uses the default RADIUS
authentication port (1812).


vii. If you want to implement RADIUS accounting, specify the
RADIUS accounting server for the “accthost” value. Use this
syntax:
accthost= <FQDN or IP address>:<port number>
If you do not specify a port, the NAC 800 uses the default RADIUS
accounting port (1813).
If you do not want to implement accounting, re-insert the
comment marker (#) on this line.
viii. Specify the shared secret for the “secret” value. Use this syntax:
secret= <shared secret>
This value must match exactly the secret configured on the proxy
server for the NAC 800 (which should be added as a client to the
proxy server).
To include special characters and spaces, enclose the secret
within quotation marks (" ").
ix. The final configuration should resemble that shown in Figure 4-11.
x. When you are done, leave insert mode by pressing [Esc].
xi. Enter this command to save the changes:
:w
xii. Exit vi:
:q

Note More advanced users can configure the NAC 800 to proxy various requests to
different RADIUS servers depending on the domain name or EAP type
included in the request. The comments in the proxy.conf file give guidelines;
however, such configuration is not supported by ProCurve Networking.

4. You are now ready to specify your network’s NASs. (See “Add NASs as
802.1X Devices” on page 4-39.)

Note If you are not comfortable using vi, you can save the file to your management
station and edit it with a text editor on that device. Then copy the file back to
the NAC 800 (preserving the /etc/raddb/proxy.conf location and filename). You
can also use this option to copy the same file to multiple devices.
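The realm block from Figure 4-11 can be checked before you restart the RADIUS server or copy the file to several ESs. The following Python, an added example and not part of the guide or the NAC 800 software, parses the uncommented realm section of proxy.conf, applies the default ports 1812 and 1813 that the steps above state, treats a commented-out accthost line as accounting disabled, and flags a realm name left at the template value or a missing secret. The sample file text and all function names are constructed for this example.

```python
"""Parse and sanity-check the realm section of /etc/raddb/proxy.conf.

Added example, not ProCurve code. Only the keys the guide's steps touch
(authhost, accthost, secret) are interpreted; everything else is ignored.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_AUTH_PORT = 1812
DEFAULT_ACCT_PORT = 1813
TEMPLATE_REALM = "company.com"   # placeholder name the guide tells you to change

# Matches an *uncommented* 'realm <name> {' line; a leading '#' keeps it from matching.
_REALM_RE = re.compile(r"^[ \t]*realm[ \t]+(\S+)[ \t]*\{", re.MULTILINE)


@dataclass
class ProxyRealm:
    name: str
    authhost: Optional[Tuple[str, int]] = None
    accthost: Optional[Tuple[str, int]] = None   # None means accounting is not proxied
    secret: Optional[str] = None


def _split_host_port(value: str, default_port: int) -> Tuple[str, int]:
    """'<FQDN or IP address>:<port number>' per the guide; a missing port takes the default."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, default_port


def parse_proxy_conf(text: str) -> List[ProxyRealm]:
    """Return one ProxyRealm per uncommented realm block in the file text."""
    realms: List[ProxyRealm] = []
    for match in _REALM_RE.finditer(text):
        body_start = match.end()
        body_end = text.find("}", body_start)
        if body_end == -1:
            raise ValueError(f"realm {match.group(1)} has no closing brace")
        realm = ProxyRealm(name=match.group(1))
        for raw in text[body_start:body_end].splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue                       # commented line: that setting stays off
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip().strip('"')
            if key == "authhost":
                realm.authhost = _split_host_port(value, DEFAULT_AUTH_PORT)
            elif key == "accthost":
                realm.accthost = _split_host_port(value, DEFAULT_ACCT_PORT)
            elif key == "secret":
                realm.secret = value
        realms.append(realm)
    return realms


def check_realm(realm: ProxyRealm) -> List[str]:
    """Return findings that would keep proxying from working; empty means OK."""
    findings: List[str] = []
    if realm.name == TEMPLATE_REALM:
        findings.append("realm name is still the template value; use the proxy server's domain")
    if realm.authhost is None:
        findings.append("authhost is missing; the NAC 800 has nowhere to forward authentication")
    if not realm.secret:
        findings.append("secret is missing; it must exactly match the NAC 800's client entry on the proxy server")
    return findings


# Constructed sample: the template realm left commented out, plus one active realm
# with accounting disabled by re-inserting the comment marker on the accthost line.
SAMPLE_PROXY_CONF = """\
# realm company.com {
#   type = radius
#   authhost= 10.10.10.10
#   accthost= 10.10.10.20
#   secret = "mysecret"
# }
realm mycompany.com {
    type = radius
    authhost= radius.mycompany.com
    # accthost= 10.10.10.20
    secret = "example-only-secret"
}
"""

if __name__ == "__main__":
    for realm in parse_proxy_conf(SAMPLE_PROXY_CONF):
        print(realm, check_realm(realm))
```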


Test Authentication Settings


The following authentication methods require the NAC 800 to bind to a
directory server:
■ Windows domain (AD)
■ OpenLDAP
■ Novell eDirectory

After configuring one of these methods, you should test whether the NAC
800 can:
■ Contact the directory
■ Bind to it
■ Optionally, perform a successful search

You should test the settings to eliminate problems before the NAC 800 begins
to authenticate end-users on a live network.

Follow these steps:


1. Complete the steps listed in “Specify the Quarantine Method (802.1X)” on
page 4-12.
2. Complete the steps for your selected authentication method. (See
“Configure Authentication Settings” on page 4-14.)
3. You should see a screen similar to the one illustrated in Figure 4-12. Find
the Test <authentication method> settings area.
For example, in Figure 4-12, you can see the Test Novell eDirectory
settings area.


Figure 4-12. Home > System configuration > Quarantining

4. If you are configuring a CS, you can skip this step. Otherwise, you must
select an ES from the Server to test from drop-down menu.
In a multiple NAC 800 deployment, ESs (not the MS) bind to the LDAP
server when they need to authenticate end-users. When you test settings,
you must choose for which ES you are testing them.


5. You now have two options:


• Test the bind operation only.
Click the test settings button.
This test verifies that:
– The NAC 800 can reach the domain controller or LDAP server.
– The administrator username and password are correct.

Note If you choose this option, you may receive a message that the test
failed because the LDAP query returned no results or multiple results.
Do not worry: although the search didn’t return results, the bind
completed successfully. See Table 4-2 for results that do indicate a
problem.
• Test the bind operation and look up an end-user’s credentials:
i. Check the Verify credentials for an end-user box.
ii. Enter the username for a valid user in the User name field.
iii. Enter the user’s password in the Password field.
iv. Re-enter the password in the Re-enter password field.
v. Click the test settings button.
This test verifies that:
– The NAC 800 can reach the domain controller or LDAP server.
– The administrator username and password are correct.
– For authentication through an LDAP server, the filter and
password attribute are correct.
– The end-user credentials that you entered are correct.

Note When you first test a configuration with the Verify credentials for an end-
user option, choose an end-user username and password that you are
certain are correct (for example, the administrator password). In that way,
you verify that the configuration itself functions correctly.
Later, if a particular user has difficulty connecting, you can use the Verify
credentials for an end-user option to check the user’s credentials.

6. The Operation in progress screen is displayed.


Figure 4-13 shows the screen for testing Windows domain authentication
settings.


Figure 4-13. Home > System configuration > Quarantining > test settings button

You might see, instead, the screen shown in Figure 4-14.

Figure 4-14. Home > System configuration > Quarantining > test settings button

This screen is displayed when you have edited previously configured
authentication settings. To test the new settings, the NAC 800 must
temporarily write them over the old settings, which—if the NAC 800 is the
RADIUS server for an active network—can briefly interrupt service.
Click the no button to cancel the test (in which case you should also wait
before applying your new settings).
Click the yes button to proceed with the test.
Note that proceeding with the test only temporarily overwrites the old
settings. You must still click the ok button in the Home > System
configuration > Quarantining screen to save the new settings.
7. When the test completes, you are returned to the Home > System
configuration > Quarantining screen. The message at the top of the screen
indicates the result. Refer to Table 4-2 for help interpreting the message.


Table 4-2. Authentication Settings Test Results

Message: LDAP settings successfully validated.
Result:
• The NAC 800 successfully bound to the LDAP server.
• The NAC 800 successfully validated the test credentials.
Possible cause of failure: not applicable (the test succeeded).

Message: Test failed: LDAP query returned no results.
Result:
• The NAC 800 successfully bound to the LDAP server.
• You didn’t ask to verify credentials.
Possible cause of failure: not applicable (the bind succeeded).

Message: Test failed: LDAP query returned more than one result.
Result:
• The NAC 800 successfully bound to the LDAP server.
• You didn’t ask to verify credentials.
Possible cause of failure: not applicable (the bind succeeded).

Message: Test failed: [LDAP: error code 48 - Inappropriate Authentication].
Result: The NAC 800 failed to bind to the LDAP server.
Possible cause of failure: The bind password is incorrect.

Message: Test failed: could not authenticate identity.
Result: The NAC 800 failed to bind to the LDAP server.
Possible cause of failure:
• The bind username is incorrect.
• The base DN is incorrect.

Message: Test failed: [LDAP: error code 32 - NDS error: no such entry (-601)]
Result: The NAC 800 failed to bind to the LDAP server.
Possible cause of failure:
• The bind username is incorrect.
• The base DN is incorrect.

Message: Test failed: [LDAP: error code 13 - Confidentiality Required]
Result: The NAC 800 failed to bind to the LDAP server.
Possible cause of failure: The LDAP server requires TLS, but this option is not selected.

Message: Test failed: connection error (Connection refused).
Result: The NAC 800 failed to bind to the LDAP server.
Possible cause of failure: The LDAP server requires TLS, but this option is not selected.

Message: Test failed: could not verify server's certificate signature.
Result: The NAC 800 failed to bind to the LDAP server.
Possible cause of failure: The CA certificate for TLS authentication does not match the LDAP server’s CA certificate.

Message: Test failed: end-user <username> not found.
Result:
• The NAC 800 successfully bound to the LDAP server.
• The NAC 800 failed to validate the test credentials.
Possible cause of failure:
• The test username is incorrect.
• The base DN is incorrect.
• The filter specifies the wrong attribute name.

Message: Test failed: password for end user <username> is invalid.
Result:
• The NAC 800 successfully bound to the LDAP server.
• The NAC 800 failed to validate the test credentials.
Possible cause of failure: The test password is incorrect.

Message: Test failed: Attribute <attribute name> not found.
Result:
• The NAC 800 successfully bound to the LDAP server.
• The NAC 800 failed to validate the test credentials.
Possible cause of failure: The password attribute is incorrect.

Add NASs as 802.1X Devices


A NAS is the device to which end-users connect—typically, a switch or an AP.
The NAS enforces port authentication on end-user ports, forwarding users’
authentication requests to a RADIUS server.

You must add each NAS that uses the NAC 800 as its RADIUS server to the
NAC 800’s list of 802.1X devices.

Note The NASs are often called RADIUS clients. The Web browser interface,
however, as well as this guide, will refer to them as 802.1X devices.

Follow these steps to add the 802.1X devices:


1. Complete the steps listed in “Specify the Quarantine Method (802.1X)” on
page 4-12.
2. Complete the steps for your selected authentication method. (See
“Configure Authentication Settings” on page 4-14.)
3. You should see a screen similar to that illustrated in Figure 4-15.


Figure 4-15. Home > System configuration > Quarantining—802.1X quarantine method

4. Click the add an 802.1X device link. The Add 802.1X device screen is
displayed.


Figure 4-16. Home > System configuration > Quarantining (802.1X quarantine
method) > Add an 802.1X device

5. Enter the 802.1X device’s IP address in the IP address field.


For example, endpoints connect to an edge switch that has 10.1.1.152 for
its management IP address. Enter:
10.1.1.152
6. Enter a character string in the Shared secret field.
This string and the RADIUS server secret configured on the 802.1X device
must match exactly. (See your device’s documentation for information on
configuring this secret. Or use PCM Plus’s Secure Access Wizard,
described in the ProCurve Identity Driven Manager User’s Guide.)
The secret can include alphanumeric and special characters.
7. Enter the same character string in the Re-enter shared secret field.
8. Optionally, give the 802.1X device a descriptive name by entering a string
in the Short name field.
The name is displayed in logs and can include alphanumeric and special
characters.
9. From the Device type drop-down menu, choose the type of 802.1X device
(that is, its manufacturer and OS).
The drop-down menu includes several common devices, but the NAC 800
supports any device that can act as a standard RADIUS client. If your
device is not listed, select Other.
10. Options for connecting to the selected device are displayed.


Figure 4-17. Home > System configuration > Quarantining (802.1X quarantine
method) > add an 802.1X device link

Connecting to the 802.1X device is necessary for implementing endpoint
integrity: the NAC 800 must force the 802.1X device to re-authenticate the
endpoint after its endpoint integrity posture has changed, so that the new
VLAN assignment can take effect. See “How the NAC 800 Quarantines
Endpoints” on page 1-35 of Chapter 1: “Overview of the ProCurve NAC
800” for more information.


If you are using the NAC 800 as a RADIUS server only, the connection
settings do not matter.
Leave the settings at the defaults, or for the ProCurve Wireless Edge
Services xl Module, ProCurve 420 AP, and ProCurve 530 AP, fill in only the
community name.
11. Click the ok button.
12. To apply and save the 802.1X device configuration, you must also click
the ok button in the Home > System configuration > Quarantining screen.

Apply Changes
Whenever you alter the configuration for the 802.1X and RADIUS settings
(including adding an 802.1X device), you must apply and save the changes.
When you apply the changes, the CS’s internal RADIUS server, or the RADIUS
servers on all ESs in the cluster, automatically restart.

Note The RADIUS server typically takes several seconds to restart. During this
period, the RADIUS server is unavailable for authenticating end-users. To
avoid interrupting services, configure 802.1X quarantining settings after
hours.

Follow these steps:


1. If you have not already done so, click the ok button in the Home > System
configuration > Quarantining screen.
Clicking the ok button writes the change to both the startup-config and
running-config.

Restart the RADIUS Server


Follow these steps should you ever need to restart the RADIUS server
manually:
1. Select Home > System configuration > Enforcement clusters & servers.


Figure 4-18. Home > System configuration > Enforcement clusters & servers

2. Click the name of the CS or ES. The Enforcement server screen is displayed.

Note Figure 4-19 shows the Enforcement server screen for a CS. The screen for an
ES features two menu options: General and Configuration. You should select
the General menu option.


Figure 4-19. Home > System configuration > Enforcement clusters & servers >
selected Enforcement server

3. The Process/thread status area lists a number of services. Click the restart
now button for radius. The Operation in progress screen is displayed.


Figure 4-20. Home > System configuration > Enforcement clusters & servers >
selected Enforcement server > radius restart now button

4. Within several seconds, the Operation in progress screen should close. At
the top of the Enforcement server screen, this message should be displayed:
The radius process was restarted.

Note Typically, the RADIUS server restarts without a problem. If it encounters
difficulties, you should restart it from the root of the OS. Follow these steps:
1. Log in as root to the NAC 800 OS:
a. Open an SSH or console session with the NAC 800.
b. When asked for your username and password, enter root and the root
password (default, procurve).
2. Enter this command:
ProCurve NAC 800:# service radiusd restart
3. Read any messages that display. For example, if you have altered
configuration files, one of the files might have an error and fail to load.


Manage Digital Certificates for RADIUS


The following authentication methods require the RADIUS server (in your case,
the NAC 800 CS or ES) to prove its identity to endpoints with a digital
certificate:
■ EAP-TLS
■ EAP-TTLS
■ PEAP

In EAP-TLS the endpoint also presents a certificate of its own. In EAP-TTLS
and PEAP the endpoint sends its credentials inside the TLS tunnel that the
server certificate establishes, so an endpoint that does not check that
certificate can end up handing its credentials to a rogue server.

At its factory default settings, the NAC 800 authenticates as a RADIUS server
with a self-signed digital certificate. However, this certificate is not intended
for an enterprise environment. It identifies the NAC 800 as follows:
■ subject=/C=CA/ST=Province/L=Some City/O=Organization/OU=localhost/CN=Root certificate/emailAddress=root@example.com
■ issuer=/C=CA/ST=Province/L=Some City/O=Organization/OU=localhost/CN=Client certificate/emailAddress=client@example.com
Its CN is not the appliance's FQDN, so an endpoint that validates the server
certificate has no way to tie it to your NAC 800.

You should load one of the following certificates on your NAC 800:
■ A self-signed certificate that specifies the NAC 800's FQDN as its common
name (CN)
■ A certificate that specifies the NAC 800's FQDN as its CN and is signed by
a trusted CA

In either case, the certificate must allow the NAC 800 to use it for both client
and server authentication. That is, its extended key usage (EKU) extension
must include serverAuth ("TLS Web Server Authentication") and clientAuth
("TLS Web Client Authentication"), and its key usage extension should include
digitalSignature and keyEncipherment.

Follow these steps to set up certificates for RADIUS services:
1. If you plan to use a CA-signed certificate, install the CA root certificate on
the NAC 800.
2. Obtain a server certificate and install it on the NAC 800. You must specify
the certificate and private key locations in the /etc/raddb/eap.conf file.
As mentioned above, you can create a self-signed certificate or obtain a
certificate from a CA.

The following sections explain how to complete these tasks. The final sections
of this chapter give you some guidelines on setting up certificates on endpoints.


You must complete these tasks by accessing the root command line for the
NAC 800’s OS:
1. Open a console or SSH session with the NAC 800.
2. Log in:
• username = root
• password = <root password>

Install the CA Root Certificate on the NAC 800


The NAC 800 must have the CA root certificate for the CA that signed its server
certificate. If supplicants authenticate with certificates (the EAP method is
EAP-TLS or, less commonly, PEAP or EAP-TTLS with an inner method that
requires certificates), the NAC 800 also uses this CA certificate to verify the
supplicants’ certificates.

Follow these steps to install the CA certificate on the NAC 800:


1. Obtain the CA certificate from your CA.
Your CA should instruct you how to complete this step.
The certificate must be in PEM format. (See step 4 on page 4-49 for
instructions on converting a DER or PFX certificate to PEM format.)
2. Transfer the CA certificate to the NAC 800.
If you have installed PSCP on your management station, you can follow
these steps:
a. Save the CA certificate to your management station.
b. Access the command prompt on your management station and move
to the directory in which PSCP is installed.
c. Enter this command:

Syntax: pscp <path\filename> root@<NAC 800 IP address>:/etc/raddb/certs/demoCA/cacert.pem
Replace <path\filename> with the directory path and filename
for the CA certificate.

For example:
pscp myCA.pem root@10.1.1.20:/etc/raddb/certs/demoCA/cacert.pem
The directory name is case-sensitive: demoCA, not demoCa.


Note Be very careful to enter the output file for the certificate exactly as shown
above: /etc/raddb/certs/demoCA/cacert.pem.
Otherwise, you must alter the name specified for the private key file and
the certificate file in the “tls” section of the /etc/raddb/eap.conf file—which
can lead to errors. (See step 12 on page 4-55.)
d. When prompted, enter the NAC 800’s root password.
3. Log in as root to the NAC 800 OS.
4. If the CA certificate is not in PEM format, follow these steps:
a. Move to the correct directory:
ProCurve NAC 800:/# cd /etc/raddb/certs/demoCA
b. Convert from DER format with this command:

Syntax: openssl x509 -in <filename> -inform DER -out <filename> -outform PEM
Preferably, specify cacert.pem for the second filename.

For example, enter:
ProCurve NAC 800:/etc/raddb/certs/demoCA# openssl x509 -in cacert.der -inform DER -out cacert.pem -outform PEM

Convert from PFX format with this command:

Syntax: openssl pkcs12 -in <filename>.pfx -nokeys -out <filename>.pem
The -nokeys option writes only the certificates held in the PFX file.
The RADIUS server needs nothing but the certificate in CA_file, and a
CA's private key should never be copied to the NAC 800. You should
change the filename extension to reflect the changed format. Preferably,
specify cacert.pem for the filename.

5. Restart the RADIUS server.
ProCurve NAC 800:/etc/raddb/certs/demoCA# service radiusd restart

Install a Server Certificate for RADIUS


You have a variety of options for obtaining and installing the server certificate
for RADIUS authentication. You can:
■ Create a self-signed certificate on the NAC 800.
■ Obtain and install a CA-signed certificate in one of these ways:
• Create a private/public keypair and certificate request on the NAC 800
and submit the request to your CA. With this method the private key
never leaves the NAC 800.
• On the CA, request a certificate on behalf of the NAC 800. Make sure to
save the associated private key so that you can load it to the NAC 800.

Create a Self-Signed Certificate


Follow these steps to create a self-signed certificate to be used for RADIUS
authentication:
1. Log into the NAC 800 as root.
2. Configure the openssl application to issue self-signed certificates with the
correct extensions for a RADIUS server. (See Appendix B, “Linux Com-
mands” for vi commands.)
a. Copy the default configuration file for openssl to a new location. You
will make changes to the new file.
ProCurve NAC 800:# cp /var/ssl/openssl.cnf /etc/
raddb/certs/openssl.cnf
b. Enter this command:
ProCurve NAC 800:# cd /etc/raddb/certs
c. Alter the new configuration file:
ProCurve NAC 800:/etc/raddb/certs# vi openssl.cnf
d. Press [i] to enter Insert mode.
e. Find the “[new_oids]” section and add this new section directly below it:
[radsrv]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
f. Press [Esc] to exit Insert mode.
g. Save the changes and exit vi.
:wq


3. Enter this command to generate the self-signed certificate:

Syntax: openssl req -x509 -config openssl.cnf -extensions radsrv -newkey [rsa | dsa]:[512 | 1024 | 2048 | 4096] -nodes -days <number> -keyout cert-srv.pem -out cert-srv.pem
The -config option should specify the new configuration file
that you created in step 2. (Make sure that you are in the
correct directory.) Similarly the -extensions option specifies
the bracketed name for the extensions that you added to that
file.
The -newkey option generates a private/public keypair for this
certificate. Choose rsa or dsa for the algorithm and then choose
the key length (4096 is not a valid option for dsa). Use rsa with
a length of at least 2048; 512- and 1024-bit keys are no longer
considered adequate. Replace <number> with the number of days
that this certificate will remain valid.
Because -keyout and -out name the same file, openssl appends the
certificate after the private key. The result is the single-file
layout that the “tls” section of /etc/raddb/eap.conf expects by
default.
The -nodes option in the command above creates the private
key without password protection. For greater security, leave
out this option when you enter the command. You will then
be prompted to enter the password.
After you finish step 4, edit the /etc/raddb/eap.conf file and
change the private key password from whatever to the
password that you entered.

For example:
ProCurve NAC 800:/etc/raddb/certs# openssl req -x509 -config openssl.cnf -extensions radsrv -newkey rsa:2048 -nodes -days 365 -keyout cert-srv.pem -out cert-srv.pem

Note Be very careful to enter the output files for the key and the certificate
exactly as shown above: /etc/raddb/certs/cert-srv.pem.
Otherwise, you must alter the name specified for the private key file and
the certificate file in the “tls” section of the /etc/raddb/eap.conf file—which
can lead to errors. (See step 12 on page 4-55.)

4. You will be prompted to enter information about the NAC 800. When
prompted for the CN, enter the NAC 800's FQDN.
5. Restart the RADIUS server.
ProCurve NAC 800:/etc/raddb/certs# service radiusd restart


Install a CA-Signed Certificate Using a Request Generated on the NAC 800

Follow these steps to create a certificate request and install a CA-signed
certificate for RADIUS authentication:
1. Log in to the NAC 800 as root.
2. Enter this command:
ProCurve NAC 800:/# cd /etc/raddb/certs
3. Configure the openssl application to create certificate requests that
request the correct extensions for a RADIUS server. (See Appendix B,
“Linux Commands” for vi commands.) If you are using your own Windows
CA, you might skip this step and use a certificate template to add the correct
extensions. Either way, the CA's policy or template, not the request, decides
which extensions the issued certificate carries, so check the certificate the
CA returns.
a. Copy the default configuration file for openssl to a new location. You
will make changes to the new file.
ProCurve NAC 800:# cp /var/ssl/openssl.cnf /etc/raddb/certs/openssl.cnf
b. Alter the new configuration file:
ProCurve NAC 800:/etc/raddb/certs# vi openssl.cnf
c. Press [i] to enter Insert mode.
d. Find the “[new_oids]” section and add this new section directly below it:
[radsrv_req]
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
A request section must not contain authorityKeyIdentifier: a request has
no issuer certificate yet, so openssl cannot compute the identifier and
refuses to load the section. The CA adds the authority key identifier
when it signs.
e. Press [Esc] to exit Insert mode.
f. Save the changes and exit vi.
:wq


4. Enter this command to generate the certificate request:

Syntax: openssl req -new -config openssl.cnf -reqexts radsrv_req -newkey [rsa | dsa]:[512 | 1024 | 2048 | 4096] -nodes -keyout <key_filename> -out <request_filename> {-outform [DER | PEM]}
The -config option should specify the new configuration file
that you created in step 3. (Make sure that you are in the
correct directory.) The -reqexts option specifies the bracketed
name for the request extensions that you added to that file.
(The -extensions option applies only to a certificate produced
with -x509; older openssl releases silently ignore it for a
request, and the request then goes out without the extensions.)
The -newkey option generates a private/public keypair for this
certificate. Choose rsa or dsa for the algorithm and then choose
the key length (4096 is not a valid option for dsa). Use rsa with
a length of at least 2048; shorter keys are no longer considered
adequate.
The private key for the certificate is saved with the name you
enter for the <key_filename>. The certificate request is saved
with the name you enter for the <request_filename>. You can
choose the format (DER or PEM) for the request (default: PEM).
The -nodes option in the command above creates the private
key without password protection. For greater security, omit
this option when you enter the command. You will then be
prompted to enter the password. In step 12 on page 4-55, you
will edit the /etc/raddb/eap.conf file and specify this password.

For example:
ProCurve NAC 800:/etc/raddb/certs# openssl req -new -config openssl.cnf -reqexts radsrv_req -newkey rsa:2048 -nodes -keyout mykey.pem -out myrequest.req
5. You will be prompted to enter information about the NAC 800. When
prompted for the Common Name (CN), enter the NAC 800's FQDN.
6. Transfer the certificate request to your management station with Secure
Copy (SCP). The request contains only the public key; the private key in
<key_filename> stays on the NAC 800.
If you have installed PuTTY SCP (PSCP) on your management station, you
can follow these steps:
a. Access the command prompt on your management station and move
to the directory in which PSCP is installed.
b. Enter this command:

Syntax: pscp root@<NAC 800 IP address>:/etc/raddb/certs/<request_filename> <path\filename>
Transfers the request off the NAC 800. Replace
<request_filename> with the name you specified in step 4 on
page 4-53. The request is saved on the station with the name
that you specify for <path\filename>.

For example:
pscp root@10.1.1.20:/etc/raddb/certs/myrequest.req nacrequest.req
c. When prompted, enter the NAC 800's root password.
7. Submit the certificate request to your CA.
Contact your CA to learn how to complete this step. You should request
X.509 format (either Distinguished Encoding Rules [DER] or Privacy
Enhanced Mail [PEM]). However, if necessary you can convert a certifi-
cate that uses a different format. (See step 11.)

Note If you are using a Windows CA, have the CA issue a certificate using the
RAS and IAS Server template (or another template that has key extensions
for both server authentication and client authentication).

8. After the CA returns the server certificate to you, transfer it to the NAC
800.
If you have installed PSCP on your management station, you can follow
these steps:
a. Save the certificate to your management station.
b. Access the command prompt on your management station and move
to the directory in which PSCP is installed.
c. Enter this command:

Syntax: pscp <path\filename> root@<NAC 800 IP address>:/etc/raddb/certs/<certificate_filename>
Replace <path\filename> with the directory path and filename
for the server certificate. The certificate is saved with the
name that you specify for <certificate_filename>.

For example:
pscp mycertificate.pem root@10.1.1.20:/etc/raddb/certs/mycertificate.pem
d. When prompted, enter the NAC 800’s root password.
9. Log back in to the NAC 800 as root.
10. Enter this command:
ProCurve NAC 800:/# cd /etc/raddb/certs
11. If your certificate is not the desired format, you can convert it.

Convert from DER with this command:

Syntax: openssl x509 -in <certificate_filename> -inform DER -out <certificate_filename> -outform PEM
For <certificate_filename>, enter the name for the certificate
that you chose in step 8. You should change the filename
extension to reflect the changed format.

For example, enter:
ProCurve NAC 800:/etc/raddb/certs# openssl x509 -in mycertificate.der -inform DER -out mycertificate.pem -outform PEM

Convert from PFX format with this command:

Syntax: openssl pkcs12 -in <certificate_filename>.pfx -clcerts -nokeys -out <certificate_filename>.pem
For <certificate_filename> enter the name for the certificate
that you chose in step 8 on page 4-54. You should change the
filename extension to reflect the changed format. The private
key for this certificate is already on the NAC 800 (<key_filename>
from step 4), so -clcerts -nokeys extracts just the server
certificate and leaves out any CA certificates or keys that the
PFX file might also hold. You will be prompted for the import
password that protects the PFX file.

12. Alter the /etc/raddb/eap.conf file to specify the new private key and
certificate files. (See Appendix B, “Linux Commands” for vi commands.)
a. Enter this command:
ProCurve NAC 800:/# vi /etc/raddb/eap.conf
b. Use the arrow keys or other vi commands to reach the “tls” section
of the configuration file. (See Figure 4-21.)

tls {
    private_key_password = whatever
    private_key_file = ${raddbdir}/certs/cert-srv.pem

    # If Private key & Certificate are located in
    # the same file, then private_key_file &
    # certificate_file must contain the same file
    # name.
    certificate_file = ${raddbdir}/certs/cert-srv.pem

    # Trusted Root CA list
    CA_file = ${raddbdir}/certs/demoCA/cacert.pem

    dh_file = ${raddbdir}/certs/dh
    random_file = ${raddbdir}/certs/random

Figure 4-21. Example eap.conf File, tls Section

Note The NAC 800 uses the “tls” configuration for server certificates for TLS,
PEAP, and TTLS.
c. Press [i].
d. If you created a password for the private key, set
private_key_password to the password that you entered when you
generated the key. (If the key is not password protected, this value is
never used.) For example:
private_key_password = mypassword
e. Set private_key_file to the same as the <key filename> that you speci-
fied in step 4 on page 4-53. Keep the default path already included in
the configuration file (which works as long as you saved the key in
the proper directory). For example:
private_key_file = ${raddbdir}/certs/mykey.pem
f. Set certificate_file to the same as the <certificate filename> that you
specified in step 8-c on page 4-54 (or step 11 on page 4-54). Keep the
default path already included in the configuration file (which works
as long as you saved the certificate in the proper directory). For
example:
certificate_file = ${raddbdir}/certs/mycertifi-
cate.pem
g. Make sure that CA_file is set to the filename (including the correct
path) for the CA root certificate. This certificate was installed in
“Install the CA Root Certificate on the NAC 800” on page 4-48.


h. Press [Esc].
i. Enter this command:
:wq
13. Restart the RADIUS server.
ProCurve NAC 800:/# service radiusd restart
If the RADIUS server fails to restart, you have probably mistyped the
filenames or private key password in step 12. Carefully recheck the
configuration.
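The following shell script is an added example; it is not taken from this guide or from the appliance's own scripts. It runs both openssl procedures above (the self-signed certificate from "Create a Self-Signed Certificate" and the certificate request from this section) end-to-end on any Linux or Unix host with openssl on its PATH, and then checks the result the way a practitioner should before copying anything into /etc/raddb/certs: does the file name the intended FQDN as its CN, and does it carry both TLS Web Server Authentication and TLS Web Client Authentication? The FQDN nac800.example.com, the organisation name, the output directory and the function names are assumptions for the example. Unlike the guide, the script writes its own minimal openssl.cnf rather than copying /var/ssl/openssl.cnf, so it also supplies the [req] and distinguished-name sections that the copied file would already contain; it writes key and certificate to separate files and concatenates them into cert-srv.pem; and its request section carries only keyUsage and extendedKeyUsage, because the CA computes the key identifiers when it signs.

```shell
#!/bin/sh
# Added example, not from the NAC 800 guide: build the RADIUS server certificate
# (self-signed) or a certificate request with the extensions the guide requires,
# then verify the result before copying anything into /etc/raddb/certs.
# Assumptions: openssl on PATH; FQDN, output directory and organisation name are
# example values; function names are hypothetical.

# Minimal openssl.cnf. The guide copies /var/ssl/openssl.cnf and appends its
# bracketed sections; this standalone file also carries the [req] and DN
# sections that the copied file would already contain.
write_radius_cnf() {
    fqdn="$1"; cnf="$2"
    cat > "$cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
C  = US
O  = Example Org
CN = $fqdn

# used by: openssl req -x509 -extensions radsrv
[ radsrv ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth

# used by: openssl req -new -reqexts radsrv_req
# No key identifiers here: a request has no issuer yet, and the CA computes
# them when it signs.
[ radsrv_req ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
EOF
}

# Self-signed certificate. Key and certificate are written to separate files
# and then concatenated into cert-srv.pem, the single-file layout that the tls
# section of eap.conf points at by default. Prints the path of that file.
make_selfsigned() {
    fqdn="$1"; dir="$2"
    write_radius_cnf "$fqdn" "$dir/openssl.cnf"
    openssl req -x509 -config "$dir/openssl.cnf" -extensions radsrv \
        -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    cat "$dir/key.pem" "$dir/cert.pem" > "$dir/cert-srv.pem"
    chmod 600 "$dir/key.pem" "$dir/cert-srv.pem"   # both hold the private key
    echo "$dir/cert-srv.pem"
}

# Certificate request for a CA. -reqexts (not -extensions, which only applies
# together with -x509) puts the requested extensions into the CSR. The private
# key stays in $dir/mykey.pem and never leaves the host. Prints the CSR path.
make_csr() {
    fqdn="$1"; dir="$2"
    write_radius_cnf "$fqdn" "$dir/openssl.cnf"
    openssl req -new -config "$dir/openssl.cnf" -reqexts radsrv_req \
        -newkey rsa:2048 -nodes \
        -keyout "$dir/mykey.pem" -out "$dir/myrequest.req" 2>/dev/null || return 1
    chmod 600 "$dir/mykey.pem"
    echo "$dir/myrequest.req"
}

# Return 0 only if $1 (an X.509 certificate, or a CSR when $3 is "req") names
# $2 as its CN and carries both TLS Web Server Authentication and TLS Web
# Client Authentication in its extended key usage, as the guide requires.
check_radius_eku() {
    file="$1"; fqdn="$2"; kind="${3:-x509}"
    text=$(openssl "$kind" -in "$file" -noout -text 2>/dev/null) || return 1
    subject=$(openssl "$kind" -in "$file" -noout -subject -nameopt RFC2253 2>/dev/null) || return 1
    echo "$text" | grep -q 'TLS Web Server Authentication' || return 1
    echo "$text" | grep -q 'TLS Web Client Authentication' || return 1
    echo "$subject" | grep -qF "CN=$fqdn" || return 1
}
```

Run check_radius_eku on the certificate the CA returns as well, not only on the request: a CA template can replace the requested extensions, and the Windows supplicant requires the Server Authentication purpose on the server certificate, so a certificate that fails this check is rejected by endpoints however carefully eap.conf was edited.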

Install a CA-Signed Certificate Using a Request Generated on Behalf of the NAC 800

Follow these steps to generate a certificate for the NAC 800 on your
organization's CA and to install that certificate on the NAC 800:
1. Following the instructions in your CA documentation, create the certificate
request and generate the certificate (in X.509 format).
Enter the NAC 800's FQDN for its CN. Specify the NAC 800's country, state,
and so forth, as prompted.
Make sure to generate a RADIUS server certificate for the NAC. (Its key
usage extensions should provide for both client and server authentication.)
With this method the private key is generated outside the NAC 800 and then
copied to it, so protect the exported key file and delete the copies on the
management station once the key is installed.
2. Transfer the certificate and the private key to the NAC 800.
If you have installed PSCP on your management station, you can follow
these steps:
a. Save the certificate and private key to your management station.
It is very important that you save the private key for the certificate.
You will upload this key to the NAC 800 in step 3. You might have been
prompted to create a password for the key. If you do, you will need
to specify that password in step 6 on page 4-59.
b. Access the command prompt on your management station and move
to the directory in which PSCP is installed.


c. Enter this command:

Syntax: pscp <path\filename> root@<NAC 800 IP address>:/etc/raddb/certs/<certificate_filename>
Replace <path\filename> with the directory path and filename
for the server certificate. Replace <certificate_filename> with
the name under which the certificate will be stored on the NAC
800.

For example:
pscp mycertificate.pem root@10.1.1.20:/etc/raddb/certs/mycertificate.pem
d. Repeat the previous command to transfer the private key file, if
separate from the certificate file:

Syntax: pscp <path\filename> root@<NAC 800 IP address>:/etc/raddb/certs/<key_filename>
Replace <path\filename> with the directory path and filename
for the private key. Replace <key_filename> with the name
under which the private key will be stored on the NAC 800.

For example:
pscp mykey.pem root@10.1.1.20:/etc/raddb/certs/mykey.pem

Note The private key and server certificate might be stored in the same file. In
this case, you only need to enter the command once and you should
specify the output file: /etc/raddb/certs/cert-srv.pem.
This allows the NAC 800 to use the new certificate without forcing you to
alter the “tls” section of the /etc/raddb/eap.conf file—which can lead to
errors.
e. When prompted, enter the NAC 800’s root password.
3. Log in to the NAC 800 as root.
4. Enter this command:
ProCurve NAC 800:/# cd /etc/raddb/certs
5. If your certificate is not in the correct format, you can convert it.


Convert from DER format to PEM format with this command:

Syntax: openssl x509 -in <certificate_filename> -inform DER -out <certificate_filename> -outform PEM
For <certificate_filename>, enter the name for the certificate
that you chose in step 2-c on page 4-58. You should change the
filename extension to reflect the changed format.

For example, enter:
ProCurve NAC 800:/etc/raddb/certs# openssl x509 -in mycertificate.der -inform DER -out mycertificate.pem -outform PEM

Convert from PFX format with this command:

Syntax: openssl pkcs12 -in <certificate_filename>.pfx -out <certificate_filename>.pem
For <certificate_filename>, enter the name for the certificate
that you chose in step 2-c on page 4-58. You should change the
filename extension to reflect the changed format.
A PFX file exported from the CA normally holds the private key as well
as the certificate, and this command writes both to the one PEM file.
You are prompted first for the import password of the PFX file and then
for a PEM pass phrase; the private key is written encrypted under that
pass phrase, which you must then enter as private_key_password in step
6. Add -nodes to write the key unencrypted instead. Because key and
certificate end up in one file, name it cert-srv.pem (see the Note in
step 2) so that no edit to eap.conf is needed; if you choose another
name, set private_key_file and certificate_file to that same name.

6. Alter the /etc/raddb/eap.conf file to specify the new certificate. (See Appen-
dix B, “Linux Commands” for vi commands.)

Note You can skip this step if the new server certificate and private key are in
the same file, which is named cert-srv.pem, and if the private key is not
protected with a password.
a. Enter this command:
ProCurve NAC 800:/# vi /etc/raddb/eap.conf
b. Use the arrow keys or other vi commands to reach the “tls” section
of the configuration file. (See Figure 4-22).

Note The NAC 800 uses the “tls” configuration to authenticate itself for TLS,
PEAP, and TTLS.

tls {
    private_key_password = whatever
    private_key_file = ${raddbdir}/certs/cert-srv.pem

    # If Private key & Certificate are located in
    # the same file, then private_key_file &
    # certificate_file must contain the same file
    # name.
    certificate_file = ${raddbdir}/certs/cert-srv.pem

    # Trusted Root CA list
    CA_file = ${raddbdir}/certs/demoCA/cacert.pem

    dh_file = ${raddbdir}/certs/dh
    random_file = ${raddbdir}/certs/random

Figure 4-22. Example eap.conf File, tls Section

c. Press [i].
d. Set private_key_password to equal the password you chose to protect
your key. For example:
private_key_password = mypassword
e. Set private_key_file to equal the <key_filename> you specified in step
2-d on page 4-58. Keep the default path already included in the con-
figuration file (which works as long as you saved the key in the proper
directory). For example:
private_key_file = ${raddbdir}/certs/mykey.pem
f. Set certificate_file to equal the <certificate_filename> you specified in
step 2-c on page 4-58 (or step 5 on page 4-58). Keep the default path
already included in the configuration file (which works as long as you
saved the certificate in the proper directory). For example:
certificate_file = ${raddbdir}/certs/mycertifi-
cate.pem
g. Make sure that CA_file is set to the filename (including the correct
path) for the CA root certificate. This certificate was installed in
“Install the CA Root Certificate on the NAC 800” on page 4-48.
h. Press [Esc].
i. Enter this command:
:wq


7. Restart the RADIUS server.
ProCurve NAC 800:/# service radiusd restart
If the RADIUS server fails to restart, you have probably mistyped the
password or filenames in step 6. Carefully recheck the configuration.
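The restart check that closes this procedure, like step 13 of the preceding one, only tells you something went wrong after radiusd has already refused to start. The following shell functions are an added example, not part of this guide or of the appliance, that perform the same check ahead of the restart: they read private_key_file, certificate_file and CA_file out of the tls section of eap.conf, expand ${raddbdir} (passed as the second argument; /etc/raddb on the appliance), confirm that all three files are readable, confirm that the private key belongs to the certificate, and verify the certificate against CA_file, which is what a supplicant configured with the same root will do. Assumptions: openssl on PATH, an unencrypted private key (a pass-phrase-protected one would need -passin), and the eap.conf layout shown in Figure 4-22; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the NAC 800 guide: check the tls section of
# eap.conf before "service radiusd restart", so a mistyped filename or a key
# that belongs to a different certificate is caught here rather than by a
# failed restart. Assumptions: openssl on PATH; an unencrypted private key
# (a pass-phrase-protected one would need -passin); the eap.conf layout of
# Figure 4-22; ${raddbdir} passed as the second argument (/etc/raddb on the
# appliance). Function names are hypothetical.

# Print one setting from the tls { ... } block, expanding a leading ${raddbdir}.
tls_setting() {
    conf="$1"; name="$2"; raddbdir="$3"
    val=$(awk -v k="$name" '
        /^[ \t]*tls[ \t]*[{]/ { in_tls = 1; next }
        in_tls && /^[ \t]*[}]/ { in_tls = 0 }
        in_tls && $1 == k && $2 == "=" { print $3; exit }
    ' "$conf")
    prefix='${raddbdir}'
    case $val in
        "$prefix"*) val=$raddbdir${val#"$prefix"} ;;
    esac
    printf '%s\n' "$val"
}

# Return 0 only if key, certificate and CA file are readable, the private key
# matches the certificate, and the certificate verifies against CA_file (the
# root that supplicants will be given to validate the NAC 800).
radius_tls_preflight() {
    conf="$1"; raddbdir="$2"
    key=$(tls_setting "$conf" private_key_file "$raddbdir")
    cert=$(tls_setting "$conf" certificate_file "$raddbdir")
    ca=$(tls_setting "$conf" CA_file "$raddbdir")
    for f in "$key" "$cert" "$ca"; do
        if [ -z "$f" ] || [ ! -r "$f" ]; then
            echo "preflight: missing or unreadable file '$f'" >&2
            return 1
        fi
    done
    # The public key in the certificate must equal the one derived from the
    # private key; this works whether or not both live in the same PEM file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "preflight: private_key_file does not match certificate_file" >&2
        return 1
    fi
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "preflight: certificate_file does not verify against CA_file" >&2
        return 1
    fi
    echo "preflight: tls section OK (key=$key cert=$cert ca=$ca)"
}
```

Typical use on the appliance is radius_tls_preflight /etc/raddb/eap.conf /etc/raddb before the restart. The verify step also catches the case the guide does not spell out: a new CA-signed server certificate installed while CA_file still points at a root that did not sign it, which leaves radiusd starting happily while every endpoint that validates the server rejects it.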

Manage Certificates on Endpoints


To authenticate the NAC 800 RADIUS server, endpoints require the root
certificate for the CA that signed the NAC 800’s server certificate. The exact
steps for installing this certificate depend, of course, on the endpoint. Refer
to the appropriate documentation.

Note If you selected a well-known vendor CA to issue your NAC 800's certificate,
most endpoints already have the necessary certificate. Trusting a public root
alone is weak, though: the endpoint would accept any server certificate that
CA has ever issued. Where the supplicant allows it (the Windows supplicant's
"Connect to these servers" setting), also restrict the server names the endpoint
accepts to the NAC 800's FQDN.

You must also install user or computer certificates on endpoints—if you have
selected an EAP method that requires supplicants to authenticate with a
certificate rather than a password. Generally, you would issue those certifi-
cates using your organization’s CA. Refer to the documentation for your CA
service for instructions.

Disable Server Validation on Endpoints


You might want to prevent endpoints from checking the NAC 800’s server
certificate for several reasons:
■ You do not want to bother installing new certificates on the NAC 800 for
server authentication.

Caution Because this option could allow endpoints to connect to a rogue server,
and with PEAP or EAP-TTLS to send their password-based credentials into a
tunnel that such a server controls, ProCurve Networking does not recommend it.
■ You want to help endpoints temporarily connect to the network so that
they can obtain the CA certificate necessary for validating the NAC 800’s
certificate.
For example, a Windows station automatically receives the domain’s CA
root certificate when it joins the domain.
After an endpoint obtains the certificate, it should be configured to once
again validate the server certificate.

Follow these steps on an endpoint to disable validation of the server on the
native Windows 802.1X supplicant:
1. Select Start > Settings > Network Connections > Local Area Connection.

Figure 4-23. Start > Settings > Network Connections > Local Area Connection

2. Click the Properties button.


3. Select the Authentication tab in the window that is displayed.


Figure 4-24. Local Area Connection Properties > Authentication

4. Choose your EAP type and click the Properties button.


5. Clear the Validate server certificate check box.


Figure 4-25. <EAP type> Properties

6. Click OK to close all open windows.

Follow these steps to disable validation of the server on an endpoint that uses
the Microsoft Wireless Zero Configuration client:
1. Select Start > Settings > Network Connections > Wireless Network
Connection.

Figure 4-26. Start > Settings > Network Connections > Wireless Network Connection

2. Click the Properties button.


3. Select the Wireless Networks tab in the window that is displayed.


Figure 4-27. Wireless Network Connection Properties

4. Select the service set identifier (SSID) for your wireless network in the
Preferred networks area and click the Properties button.
If the SSID has not yet been configured on the client, you must click the
Add button instead. Then, in addition to completing the steps below, you
must configure settings such as the SSID, the authentication method, and
the encryption type.
5. Select the Authentication tab in the window that is displayed.


Figure 4-28. <SSID> Properties > Authentication

6. Choose the EAP type and click the Properties button.


7. Uncheck the Validate server certificate box.


Figure 4-29. <EAP type> Properties

8. Click OK to close all open windows.

Configuring the RADIUS Server—Without Identity Driven Manager

Contents
Overview  5-3
    RADIUS Overview  5-3
        Authentication Protocols  5-4
        Dynamic or User-Based Settings  5-4
    Data Store Overview  5-5
        AD (Windows Domain)  5-5
        LDAP Server  5-6
        Proxy RADIUS Server  5-6
Configure the NAC 800 as a RADIUS Server  5-8
    Specify the Quarantine Method (802.1X)  5-8
    Configure Authentication Settings  5-10
        Configure Authentication to a Windows Domain  5-10
        Configure Authentication to an LDAP Server  5-14
        Configure Authentication to a Proxy RADIUS Server  5-23
        Test Authentication Settings  5-28
    Add NASs as 802.1X Devices  5-34
    Apply Changes  5-38
    Restart the RADIUS Server  5-38
Manage Digital Certificates for RADIUS  5-42
    Install the CA Root Certificate on the NAC 800  5-43
    Install a Server Certificate for RADIUS  5-45
        Create a Self-Signed Certificate  5-45
        Install a CA-Signed Certificate Using a Request Generated on the NAC 800  5-47
        Install a CA-Signed Certificate Using a Request Generated on Behalf of the NAC 800  5-52
    Manage Certificates on Endpoints  5-56
    Disable Server Validation on Endpoints  5-56

Overview
As explained in Chapter 1: “Overview of the ProCurve NAC 800,” a ProCurve
NAC 800 can fulfill a variety of functions, among them checking endpoint
integrity and authenticating endpoints as a RADIUS server. In this chapter,
you learn how to configure a NAC 800 that acts only as a RADIUS server.

ProCurve Identity Driven Manager (IDM), a plug-in to ProCurve Manager


(PCM) Plus, helps you to quickly and easily configure the NAC 800’s RADIUS
capabilities from a centralized location. However, even without IDM, you can
configure several RADIUS capabilities on the NAC 800—although such con-
figuration can be more difficult.

This chapter guides you through manual configuration of the NAC 800’s
RADIUS server. See Chapter 4: “Configuring the RADIUS Server—Integrated
with ProCurve Identity Driven Manager” to learn how to configure RADIUS
settings using IDM.

This chapter focuses on configuring a stand-alone NAC 800, functioning as a
combination server (CS)—the typical setting for a RADIUS-only NAC 800.

In one circumstance only might you use a cluster deployment: you are adding
a RADIUS-only NAC 800 to a system that already enforces endpoint integrity
with a cluster configuration. In this case, the RADIUS-only NAC 800 would be
an ES in a new cluster that enforces 802.1X quarantining but not endpoint
integrity. You configure most of the settings described in this chapter in the
MS’s Web browser interface. However, you create digital certificates through
the RADIUS-only NAC 800’s root command line.

RADIUS Overview
The RADIUS protocol regulates communications between Network Access
Servers (NASs) and authentication servers. The NASs are the points of access
for endpoints—for example, switch ports or wireless access points (APs). In
your network, the NAC 800 is the authentication server.

When an end-user attempts to connect to a NAS, the NAS sends an authentication
request to the NAC 800, its RADIUS server. The NAC 800 decides
whether the end-user can connect. The NAC 800 bases this decision on
whether the end-user submits valid credentials.

Authentication Protocols
An authentication server receives an endpoint’s credentials via an authentication
protocol. With 802.1X, the authentication protocol is always EAP, and the
NAC 800 and the endpoint negotiate the method. The NAC 800 supports these
EAP methods:
■ Protected EAP (PEAP) with:
• MS-CHAPv2
• Generic Token Card (GTC)
■ Transport Layer Security (TLS)
■ Tunneled TLS (TTLS) with:
• MS-CHAPv2
• Generic Token Card (GTC)
■ Lightweight EAP (LEAP)—not recommended

The NAC 800 first suggests PEAP with MS-CHAPv2.

An endpoint requires a client that supports at least one of the listed EAP
methods. For example, a Windows XP workstation has an 802.1X client
available to all network connections, and this client supports EAP-TLS and
PEAP with MS-CHAPv2. Older workstations might require the installation of
a vendor client for 802.1X authentication.

Table 5-1. Port Authentication Methods and Authentication Protocols

Port/Wireless Authentication Method | Selection Method for Authentication Protocol
802.1X | NAC 800 and endpoint negotiation—NAC suggests PEAP with MS-CHAPv2 first.

Dynamic or User-Based Settings
Dynamic, or user-based, settings allow you to customize users’ network access
according to identity and are an important component of the ProCurve Adaptive
Edge Architecture (AEA). The RADIUS server is responsible for matching
an authenticated user to the correct settings for that user.

Dynamic settings supported on the NAC 800 include:
■ Virtual LAN (VLAN) assignments
■ Access control lists (ACLs)
■ Rate limits

However, IDM is required for configuring these settings on the NAC 800. See
Chapter 4: “Configuring the RADIUS Server—Integrated with ProCurve Identity
Driven Manager.”

Data Store Overview
The NAC 800 can search one of several locations, or data stores, for a user’s
credentials:
■ A Windows domain controller, which runs Active Directory (AD)
■ A Lightweight Directory Access Protocol (LDAP) server:
• OpenLDAP
• Novell eDirectory
■ Another RADIUS server (via a proxy request)

You choose the data store when you configure the NAC 800’s (or cluster’s)
end-user authentication method. (See “Configure Authentication Settings” on
page 5-10.)

AD (Windows Domain)
Many organizations manage users as a part of a Windows domain, and
Microsoft AD already stores user entries. The NAC 800 can join the domain
and request information from AD when necessary to authenticate a user.

See “Configure Authentication to a Windows Domain” on page 5-10 to learn
how to configure this option.

Advantages of using the Windows domain and AD as the data store include:
■ You do not have to replicate information already present in AD.
■ Changes to an object in AD are automatically available to all NAC 800s.

Disadvantages of using the Windows domain include:
■ You must know an administrator username and password for the Windows
domain; otherwise, you cannot configure the NAC 800 to join the
domain.
■ If your NAC 800 loses connectivity to the domain controller (the server
running AD), it cannot authenticate users.
Having multiple domain controllers mitigates this disadvantage.
■ Your network must use one of these authentication methods:
• EAP-TTLS with MS-CHAPv2
• PEAP with MS-CHAPv2

LDAP Server
Just as the NAC 800 can join a Windows domain and access AD, it can bind to
an LDAP server and search a directory. For example, your organization might
already have a directory that authenticates users and authorizes them for
various types of network access.

The NAC 800 can bind to these LDAP servers:
■ OpenLDAP
See “Configure Authentication to an OpenLDAP Server” on page 5-15.
■ Novell eDirectory
See “Configure Authentication to a Novell eDirectory Server” on page 5-19.

Advantages of using LDAP servers as the data store include:
■ You do not have to replicate information already present in the directory.
■ Changes to an object in the directory are automatically available to all
NAC 800s.

Disadvantages of using the LDAP servers include:
■ You must know the username and password for the administrator of the
directory database in question; otherwise, you cannot configure the
NAC 800 to bind to the directory.
■ If your NAC 800 loses connectivity to the LDAP server, it cannot
authenticate users.

Proxy RADIUS Server
The NAC 800 can proxy access requests to one or more RADIUS servers. The
NAC 800 acts as a RADIUS client to the proxy server, and the proxy server
looks up credentials and makes policy decisions.

The NAC 800 can proxy all requests, or it can proxy only requests that meet
certain criteria, such as the domain suffix.

Proxying requests is primarily intended for NAC 800s that implement endpoint
integrity. The existing RADIUS server handles authentication, and the NAC
800 handles the endpoint integrity.

However, you can, if you so choose, have the NAC 800 proxy at least some
requests to an existing RADIUS server.

To configure proxying, you must log in as root to the NAC 800’s (CS’s or ES’s)
command line and edit this file: /etc/raddb/proxy.conf. See “Configure
Authentication to a Proxy RADIUS Server” on page 5-23.

Advantages of using a proxy server for at least some requests include:
■ You do not have to duplicate policies and accounts already stored on
another RADIUS server.

Disadvantages of using the proxy server include:
■ The existing RADIUS server must still handle authentication requests, so
the NAC 800 does not relieve that burden.
■ If your NAC 800 loses connectivity to the proxy server, it cannot
authenticate users.
Specifying multiple proxy servers mitigates this disadvantage.
■ Manual configuration creates opportunities for errors, as does manual
configuration of the local database (if necessary).

Configure the NAC 800 as a RADIUS Server
You must complete these tasks to set up the ProCurve NAC 800 as your
network’s RADIUS server:
1. Configure your network’s NASs—including, as necessary, switches and
wireless APs—to use the NAC 800 as their RADIUS server.
The NAC 800 can be the NASs’ primary or secondary server.
Refer to your devices’ documentation for instructions on completing this
task.
2. Complete initial configuration of the NAC 800.
See Chapter 3: “Initial Setup of the ProCurve NAC 800.”
If you are adding the RADIUS-only NAC 800 to an existing system of NAC
800s, create a cluster for 802.1X enforcement and add the new NAC 800
as an ES.
3. Select 802.1X for the quarantine method.
See “Specify the Quarantine Method (802.1X)” on page 5-8.
4. Configure the authentication settings, which determine, for example,
where the database of usernames and passwords is stored.
See “Configure Authentication Settings” on page 5-10.
5. Add your network’s NASs—switches, APs, and Wireless Edge Services
Modules—as 802.1X devices.
See “Add NASs as 802.1X Devices” on page 5-34.
6. Apply your configuration changes.
See “Apply Changes” on page 5-38.

Specify the Quarantine Method (802.1X)
To act as a RADIUS server, the ProCurve NAC 800 must implement the 802.1X
quarantine method. (However, you can disable the quarantining by disabling
endpoint testing. See Chapter 6: “Disabling Endpoint Integrity Testing.”)

Follow these steps:
1. Select Home > System configuration > Quarantining.
2. If you have a multiple NAC 800 deployment (MS and multiple ESs), choose
the cluster that includes the RADIUS server ESs. For a CS, the default and
only cluster (Cluster #1) is automatically selected.
3. In the Quarantine method area, select 802.1X.

Figure 5-1. Home > System configuration > Quarantining

4. In the Basic 802.1X settings area, select Local for the RADIUS server type.

Note The Quarantine subnets field only applies if the NAC 800 enforces endpoint
integrity. This setting allows the NAC 800 to respond to DNS requests from
endpoints in quarantine VLANs. You should have already set up the quarantine
VLANs in IDM.

You have now enabled the NAC 800 to make access-control decisions as a
RADIUS server. Next, you must configure the RADIUS server’s authentication
settings.

Configure Authentication Settings
To check 802.1X credentials, the NAC 800 draws on user accounts stored in
one of several locations:
■ A Windows domain (see “Configure Authentication to a Windows
Domain” on page 5-10)
■ An OpenLDAP server (see “Configure Authentication to an OpenLDAP
Server” on page 5-15)
■ A Novell eDirectory server (see “Configure Authentication to a Novell
eDirectory Server” on page 5-19)
■ Another RADIUS server (see “Configure Authentication to a Proxy
RADIUS Server” on page 5-23)

Note The Manual option for end-user authentication specifies the NAC 800’s local
database as the data store. However, IDM is required for this option.

Configure Authentication to a Windows Domain
The Windows domain authentication method allows the NAC 800 to check
end-user credentials against credentials stored in AD.

The NAC 800 joins the domain. Then, when it receives an authentication
request from an end-user, the NAC 800 uses NT LAN Manager (NTLM) to query
a domain controller (a server that runs AD) and check the end-user’s
credentials.

To set up the Windows domain authentication method successfully, you must
ensure that:
■ Endpoints and NASs meet requirements for NTLM authentication:
• End-users are members of the domain.
• For 802.1X authentication, endpoints support PEAP or TTLS with
MS-CHAPv2 as the inner method.

Note If your NASs or endpoints do not support the correct authentication
methods, the NAC 800 cannot authenticate end-users directly against AD.
■ The NAC 800 (the CS or ESs) can join the domain:
• You need the username and password of an account with the right to
add devices to the domain (an administrator account).
• The NAC 800’s hostname must be fully qualified with your domain’s
name—for example, nac.mydomain.com, not nac.
See “Edit MS or CS Network Settings” on page 3-18 of Chapter 3:
“Initial Setup of the ProCurve NAC 800” for instructions on changing
the hostname.
• The NAC 800 requires a valid DNS server address (which allows it to
resolve the domain controller’s FQDN).
To specify the DNS server, see “Edit MS or CS Network Settings” on
page 3-18 of Chapter 3: “Initial Setup of the ProCurve NAC 800.”
• Your network’s DNS servers must have forward lookup entries for the
NAC 800 and for the domain controller. They must also have the correct
reverse lookup zones.
• The NAC 800’s clock is synced with the domain controller’s clock.
Default Windows server settings require the NAC 800’s time to be
within five minutes of the domain controller’s time to prevent replay
attacks. Either verify that both devices receive their clock from an
NTP server or change the setting on the domain controller.

Follow these steps to configure end-user authentication against a Windows
domain:
1. Complete the steps listed in “Specify the Quarantine Method (802.1X)” on
page 5-8. You should see the screen in Figure 5-2.

Figure 5-2. Home > System configuration > Quarantining—802.1X quarantine method

2. Select Windows domain for the End-user authentication method.
The Windows domain settings and Test Windows domain settings areas are
displayed.

Figure 5-3. Home > System configuration > Quarantining—Windows domain authentication method

3. In the Domain name field, enter the FQDN of your domain.
For example:
MyCompany.com

Note In a domain with subdomains, the NAC 800 must join the parent domain
(rather than one of the subdomains). For example, you must specify
MyCompany.com, not hq.MyCompany.com.

4. In the Administrator user name field, enter the username of an account with
the right to add the NAC 800 to the domain.
5. In the Administrator password field, enter the password for the user
specified in the previous step.
6. In the Re-enter administrator password field, enter the password again.
7. In the Domain controllers field, specify the FQDN of your domain controller
(or controllers).
Domain controllers are servers that run AD. Separate FQDNs with a
comma (no spaces).

Note In a network with multiple domain controllers, you should generally
specify all of the controllers. If you do not, you might see an error when
you test the settings because the NAC 800 bound itself to a different
domain controller than the one specified.

8. To verify that the NAC 800 can successfully join the domain, click the test
settings button.
See “Test Authentication Settings” on page 5-28 for more information on
setting up the test.
9. You are now ready to specify your network’s NASs. (See “Add NASs as
802.1X Devices” on page 5-34.)
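The requirements listed at the start of this section can be checked before you attempt the join. The following script is an added example, not ProCurve code; it assumes a settings dictionary with the keys shown and a domain-controller timestamp you obtained separately, and applies the five-minute clock tolerance stated above.

```python
"""Pre-flight check for the NAC 800 "Windows domain" authentication settings.

Added example, not ProCurve code. It turns the requirements listed in this
section into offline checks: the NAC 800 hostname must be fully qualified
with the domain name, the Domain controllers field is a comma-separated
list of FQDNs with no spaces, and the NAC 800 clock must be within five
minutes of the domain controller (the default Windows tolerance that
guards against replay attacks). The settings keys are assumptions.
"""
from datetime import datetime, timezone
import re

MAX_SKEW_SECONDS = 5 * 60   # default Windows tolerance described above
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def utc(*parts: int) -> datetime:
    """Build a timezone-aware UTC timestamp, e.g. utc(2007, 8, 1, 12, 0)."""
    return datetime(*parts, tzinfo=timezone.utc)


def is_fqdn(name: str) -> bool:
    """True if every DNS label is valid and there are at least two labels."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def check_hostname(hostname: str, domain: str) -> list[str]:
    """nac.mydomain.com passes; nac (no domain) or nac.other.com fails."""
    if not is_fqdn(hostname):
        return [f"hostname {hostname!r} is not fully qualified"]
    if not hostname.lower().endswith("." + domain.lower().rstrip(".")):
        return [f"hostname {hostname!r} is not inside domain {domain!r}"]
    return []


def parse_domain_controllers(field: str) -> tuple[list[str], list[str]]:
    """Split the Domain controllers field (FQDNs separated by commas, no
    spaces). Returns (controllers, issues)."""
    issues = []
    if " " in field:
        issues.append("Domain controllers field contains spaces")
    controllers = [c.strip() for c in field.split(",") if c.strip()]
    if not controllers:
        issues.append("no domain controller specified")
    issues += [f"domain controller {c!r} is not an FQDN"
               for c in controllers if not is_fqdn(c)]
    return controllers, issues


def check_clock_skew(nac_time: datetime, dc_time: datetime) -> list[str]:
    """Report a skew larger than the five-minute default."""
    skew = abs((nac_time - dc_time).total_seconds())
    if skew > MAX_SKEW_SECONDS:
        return [f"clock skew {skew:.0f}s exceeds {MAX_SKEW_SECONDS}s; "
                "point both devices at the same NTP server"]
    return []


def preflight(settings: dict, nac_time: datetime, dc_time: datetime) -> list[str]:
    """Run every check; an empty list means the join is worth attempting."""
    issues = check_hostname(settings["hostname"], settings["domain"])
    issues += parse_domain_controllers(settings["domain_controllers"])[1]
    issues += check_clock_skew(nac_time, dc_time)
    return issues


if __name__ == "__main__":
    # Constructed settings: the hostname is not fully qualified, the DC list
    # contains a space, and the clocks are six minutes apart.
    settings = {"hostname": "nac", "domain": "MyCompany.com",
                "domain_controllers": "dc1.MyCompany.com, dc2.MyCompany.com"}
    for issue in preflight(settings, utc(2007, 8, 1, 12, 0),
                           utc(2007, 8, 1, 12, 6)):
        print("FAIL:", issue)
```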

Configure Authentication to an LDAP Server
Your network might already have a directory that stores user accounts and
rights. You can configure your NAC 800 to authenticate users against these
LDAP-compliant servers:
■ OpenLDAP
■ Novell eDirectory

You must configure the NAC 800 to perform these functions:
■ Bind to the LDAP server
To complete the binding, the server submits a distinguished name (DN)
and password to the LDAP server. You must specify the DN and password
of an object with administrative rights. In addition, you must specify the
base DN. The base DN serves as the starting point for LDAP searches and
is typically the top level of the tree. The administrator object must be
under the specified base DN.
■ Search the LDAP server’s directory to check the user’s credentials and
group memberships.
• With the user login filter, the NAC 800 looks up the account that
matches the name submitted by the end-user.
• To check the end-user’s password, the NAC 800 requests the password
attribute for the account.

By default, the NAC 800 and the LDAP server communicate in plaintext
messages. You should configure the NAC 800 to complete TLS authentication
with the LDAP server, which increases security in several ways:
■ The NAC 800 and the LDAP server verify their identities to each other with
secure digital certificates—which ensures that they communicate user
account information to authorized devices only.
■ TLS creates an encrypted tunnel between the NAC 800 and the LDAP
server—which protects users’ information from eavesdroppers.

Configure Authentication to an OpenLDAP Server. If your network
stores user accounts in OpenLDAP, follow these steps to configure the NAC
800’s authentication settings:
1. Complete the steps listed in “Specify the Quarantine Method (802.1X)” on
page 5-8. You should see the screen in Figure 5-4.

Figure 5-4. Home > System configuration > Quarantining—802.1X quarantine method

2. Select OpenLDAP for the End-user authentication method.
The OpenLDAP settings and Test OpenLDAP settings areas are displayed.

Figure 5-5. Home > System configuration > Quarantining—OpenLDAP authentication method

3. In the Server field, enter the hostname or IP address of the OpenLDAP
server. For example:
10.1.10.10

Optionally, append a colon and port number to the IP address to specify
the port used by your OpenLDAP server. For example:
10.1.10.10:646
If you do not specify the port, the NAC 800 behaves as follows:
• Uses port 389 if the connection is not secure
• Uses port 636 if the connection is secure
Step 9 on page 5-19 explains how to choose a secure connection.

Note If you specify a hostname, remember to check the NAC 800’s DNS server.
See “Edit MS or CS Network Settings” on page 3-18 of Chapter 3: “Initial
Setup of the ProCurve NAC 800.”

4. In the Identity field, enter the DN of an object in the directory with
administrative rights.
Enter the name in standard LDAP format. For example:
cn=Manager,dc=MyCompany,dc=com
5. In the Password field, enter the password for the object specified in the
previous step.
6. In the Re-enter password field, enter this password again.
7. In the Base DN field, enter the DN for the object at which the NAC 800
begins searches—almost always the DN of the top level of the tree. For
example:
dc=MyCompany,dc=com
The administrator specified in the Identity field should be under the base
DN.
8. Typically, leave the Filter and Password attribute fields at their default
settings.
As explained in the introduction to “Configure Authentication to an LDAP
Server” on page 5-14, the user filter and password attribute help the NAC
800 perform searches within the directory. Your settings must match up
with attribute names used in your OpenLDAP installation, and the syntax
must follow LDAP syntax.
The default filter is shown in Figure 5-5; it tells the NAC 800 to search for
an entry in which the “uid” attribute equals whichever username is
submitted in an authentication request. (The “Stripped-User-Domain” portion
of the filter allows the NAC 800 to remove an appended domain name,
which may be necessary to match the uid as stored in the directory.)

Note Depending on how your directory is constructed, you might need to
change “uid” to “cn.”

The password attribute (default “userPassword”) must match the name
of the attribute that stores passwords in your directory. Remember the
OpenLDAP directory must allow the NAC 800 “auth” access to this
attribute.

Note Be careful when altering the default settings: if you cause searches to fail,
you effectively lock out all users.

9. Check the Use a secure connection (TLS) box.


The NAC 800 and the OpenLDAP server perform a TLS handshake to
authenticate each other, as well as set up encryption keys to secure the
connection.
ProCurve Networking recommends that you always use this option.
10. If you checked the box in the previous step, load the proper certificate
authority (CA) certificate on the NAC 800.
The NAC 800 requires the CA certificate for the CA that signed the
OpenLDAP server’s certificate. Save this certificate on your management
station. Then click the Browse button next to New certificate to upload it
to the NAC 800.
11. To verify that the NAC 800 can successfully bind to the OpenLDAP server,
click the test settings button.
See “Test Authentication Settings” on page 5-28 for more information on
setting up the test.

Note You may receive a message that the test failed because the LDAP query
returned no results. Do not worry: although the search did not return any
results, the bind completed successfully. For information about other result
messages, see Table 5-2 on page 5-32.

12. You are now ready to specify your network’s NASs. (See “Add NASs as
802.1X Devices” on page 5-34.)

Configure Authentication to a Novell eDirectory Server. If your network
stores user accounts in eDirectory, follow these steps to configure the
NAC 800’s authentication settings:
1. Complete the steps listed in “Specify the Quarantine Method (802.1X)” on
page 5-8. You should see the screen in Figure 5-6.

Figure 5-6. Home > System configuration > Quarantining—802.1X quarantine method

2. Select Novell eDirectory for the End-user authentication method.
The Novell eDirectory settings and Test Novell eDirectory settings areas are
displayed.

Figure 5-7. Home > System configuration > Quarantining—Novell eDirectory authentication method

3. In the Server field, enter the hostname or IP address of the eDirectory
server. For example:
10.1.10.10
A hostname can include alphanumeric characters, periods, and hyphens
and be up to 64 characters.

Optionally, append a colon and port number to the IP address or hostname
to specify the port used by your eDirectory server. For example:
10.1.10.10:636
The default LDAP port is 389, and the NAC 800 uses this port if you do not
explicitly specify another. Use the 636 port when you check the Use a
secure connection (TLS) box (recommended). See step 9.
4. In the Identity field, enter the DN of an account with administrator rights.
Enter the name in standard LDAP format. For example:
cn=Administrator,dc=MyCompany,dc=com
5. In the Password field, enter the password for the account specified in the
previous step.
6. In the Re-enter password field, enter this password again.
7. In the Base DN field, enter the DN for the object at which the NAC 800
begins the search.
Typically, you should specify the top of the directory. For example:
dc=MyCompany,dc=com
The administrator specified in the Identity field should be under the base
DN.
8. You should leave the Filter and Password attribute fields at their default
settings.
As explained in the introduction to “Configure Authentication to an LDAP
Server” on page 5-14, the filter and password attribute help the NAC 800
perform searches within the directory. The values must match exactly the
values used by eDirectory, and the syntax must follow LDAP syntax.
The default filter is shown in Figure 5-7; it tells the NAC 800 to search for
an account in which the “cn” attribute equals whatever username is
submitted in an authentication request. (The “Stripped-User-Domain”
portion of the filter allows the NAC 800 to remove an appended domain
name, which may be necessary to match the cn as stored in the directory.)
The password attribute (default “nspmPassword”) must match the
attribute used to store passwords in eDirectory accounts.

Note Be careful when altering the default settings: if you cause searches to fail,
you effectively lock out all users.

9. Check the Use a secure connection (TLS) box.
The NAC 800 and the eDirectory server perform a TLS handshake to
authenticate each other, as well as set up encryption keys to secure the
connection.
By default, eDirectory servers require secure connections, and ProCurve
Networking also recommends that you always use this option.
10. If you checked the box in the previous step, load the proper CA certificate
on the NAC 800.
The NAC 800 requires the CA certificate for the CA that signed the
eDirectory server’s certificate. Save this certificate on your management
station. Then click the Browse button next to New certificate to upload it
to the NAC 800.
11. To verify that the NAC 800 can successfully bind to the eDirectory server,
click the test settings button.
See “Test Authentication Settings” on page 5-28 for more information on
setting up the test.
12. You are now ready to specify your network’s NASs. (See “Add NASs as
802.1X Devices” on page 5-34.)
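Both the OpenLDAP procedure and the eDirectory procedure above warn that a wrong Filter or Password attribute locks out every user. The following added example (not ProCurve code) dry-runs what the filter does against a small constructed directory, using the OpenLDAP default (uid, userPassword) and the eDirectory default (cn, nspmPassword); the entries, the base DN and the function names are assumptions.

```python
"""Dry-run the NAC 800 LDAP user filter against exported directory entries.

Added example, not ProCurve code. It reproduces the filter offline: strip
an appended domain from the submitted name (the "Stripped-User-Domain"
part), escape the value as RFC 4515 requires so a submitted name cannot
alter the filter, and search a constructed directory for an entry whose
uid (OpenLDAP default) or cn (eDirectory default) equals it. Exactly one
hit is required; zero or several hits are the same outcomes the test
settings button reports. DIRECTORY and the base DN are constructed.
"""
import re

# Constructed directory export: DN -> attributes (multi-valued).
DIRECTORY = {
    "uid=jsmith,ou=people,dc=MyCompany,dc=com": {
        "uid": ["jsmith"], "cn": ["John Smith"], "userPassword": ["{SSHA}..."]},
    "uid=adoe,ou=people,dc=MyCompany,dc=com": {
        "uid": ["adoe"], "cn": ["Ann Doe"], "userPassword": ["{SSHA}..."]},
    "cn=Manager,dc=MyCompany,dc=com": {
        "cn": ["Manager"], "userPassword": ["{SSHA}..."]},
}


def strip_domain(user_name: str) -> str:
    """Remove an appended realm (user@realm) or an NT prefix (DOMAIN\\user)."""
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return user_name.split("@", 1)[0]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of the characters that have meaning in a filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def build_filter(attr: str, user_name: str) -> str:
    """The equality filter the NAC 800 sends, e.g. (uid=jsmith)."""
    return f"({attr}={escape_filter_value(strip_domain(user_name))})"


def in_base(dn: str, base_dn: str) -> bool:
    """True if the entry lies under the configured Base DN."""
    return dn.lower().endswith(base_dn.lower())


def search(base_dn: str, attr: str, user_name: str) -> list[str]:
    """DNs under base_dn whose `attr` equals the stripped user name
    (equality matching on these attributes is case-insensitive)."""
    wanted = strip_domain(user_name).lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if in_base(dn, base_dn)
            and any(v.lower() == wanted for v in attrs.get(attr, []))]


def check_user(base_dn: str, attr: str, password_attr: str,
               user_name: str) -> str:
    """Mirror the test-settings outcomes: ok, no results, multiple results,
    or an entry without the configured password attribute."""
    hits = search(base_dn, attr, user_name)
    if not hits:
        return "no results"
    if len(hits) > 1:
        return "multiple results"
    if password_attr not in DIRECTORY[hits[0]]:
        return f"entry has no {password_attr} attribute"
    return "ok"


if __name__ == "__main__":
    base = "dc=MyCompany,dc=com"
    print(build_filter("uid", "jsmith@MyCompany.com"))        # (uid=jsmith)
    print(check_user(base, "uid", "userPassword", "jsmith"))  # ok
    # The same directory queried with the eDirectory defaults: every user
    # would be locked out, because cn holds the full name here.
    print(check_user(base, "cn", "nspmPassword", "jsmith"))   # no results
```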

Configure Authentication to a Proxy RADIUS Server
If your network has an existing RADIUS server, you can configure the NAC 800
to proxy end-user authentication requests to that server. (However, this option
is not typical for a RADIUS-only NAC 800.)

Follow these steps:
1. Complete the steps listed in “Specify the Quarantine Method (802.1X)” on
page 5-8. You should see the screen in Figure 5-8.

Figure 5-8. Home > System configuration > Quarantining—802.1X quarantine method

2. Select Proxy for the End-user authentication method.

Figure 5-9. Home > System configuration > Quarantining—Proxy authentication method

3. Specify the IP address for the proxy server (or servers).
To complete this task, you must access the NAC 800’s OS and edit the
/etc/raddb/proxy.conf file.

Note If your NAC 800 is a CS, simply alter the proxy.conf file on that NAC 800.
However, if you have a cluster of MS and ESs, you must alter the file on
each ES in this cluster.

Follow these steps:
a. Click the ok button to save your changes before you leave the Web
browser session.
b. Log in as root to the NAC 800:
i. Open a Secure Shell (SSH) or console session with the NAC 800.
ii. When asked for your username and password, enter root and the
root password (default: procurve).
c. Edit the /etc/raddb/proxy.conf file.
The steps below give basic commands for editing the file with vi, a
standard Linux editor built into the NAC 800.

Note One reason to set up proxy RADIUS on a RADIUS-only NAC 800 is to
authenticate users in a different domain.
More advanced users can configure the NAC 800 to proxy various
requests to different RADIUS servers depending on the domain name
or EAP type included in the request. The comments in the proxy.conf
file give guidelines; however, such configuration is not supported by
ProCurve Networking.
The commands below are for the most basic configuration.
i. Enter this command:
vi /etc/raddb/proxy.conf
ii. Move through the file until you find the “realm mycompany.com”
section.

#
realm mycompany.com {
type = radius
authhost= 10.10.10.10
accthost= 10.10.10.20
secret = "mysecret"
}

Figure 5-10. Example proxy.conf (Relevant Section Only)

iii. Enter insert mode by pressing [i].
iv. Delete the comment markers (#) from the five lines in the “realm
company.com” section.

v. Change “company.com” to the domain name of the proxy server.
vi. For the “authhost” value, specify the proxy RADIUS authentication
server. Use this syntax:
authhost= <FQDN or IP address>:<port number>
If you do not specify a port, the NAC 800 uses the default RADIUS
authentication port (1812).
vii. If you want to implement RADIUS accounting, specify the
RADIUS accounting server for the “accthost” value. Use this
syntax:
accthost= <FQDN or IP address>:<port number>
If you do not specify a port, the NAC 800 uses the default RADIUS
accounting port (1813).
If you do not want to implement accounting, re-insert the comment
marker (#) on this line.
viii. Specify the shared secret for the “secret” value. Use this syntax:
secret= <shared secret>
This value must match exactly the secret configured on the proxy
server for the NAC 800. (The NAC 800 should be added as a client
to the proxy server.)
To include special characters and spaces, enclose the secret
within quotation marks (“ ”).
ix. The final configuration should resemble the one shown in
Figure 5-10.
x. When you are done, leave insert mode by pressing [Esc].
xi. Enter this command to save the changes:
:w
xii. Exit vi:
:q
4. You are now ready to specify your network’s NASs. (See “Add NASs as
802.1X Devices” on page 5-34.)

Note If you are not comfortable using vi, you can save the file to your management
station and edit it with a text editor on that device. Then copy the file back to
the NAC 800 (preserving the /etc/raddb/proxy.conf location and filename). For
instructions on copying files to and from the NAC 800, see Chapter 1: Introduction
of the ProCurve Network Access Controller Users’ Guide.

Test Authentication Settings
The following authentication methods require the NAC 800 to bind to a
directory server:
■ Windows domain (AD)
■ OpenLDAP
■ Novell eDirectory

After configuring one of these methods, you should test whether the
NAC 800 can:
■ Contact the directory
■ Bind to it
■ Optionally, perform a successful search

You should test the settings to eliminate problems before the NAC 800 begins
to authenticate end-users on a live network.

Follow these steps:
1. Complete the steps listed in “Specify the Quarantine Method (802.1X)” on
page 5-8.
2. Complete the steps for your selected authentication method. (See
“Configure Authentication Settings” on page 5-10.)
3. You should see a screen similar to the one in Figure 5-11. Find the Test
<authentication method> settings area.
For example, in Figure 5-11, you can see the Test Novell eDirectory
settings area.

Figure 5-11. Home > System configuration > Quarantining

4. If you are configuring a CS, you can skip this step. Otherwise, you must
select an ES from the Server to test from drop-down menu.
In a multiple NAC 800 deployment, ESs (not the MS) bind to the LDAP
server when they need to authenticate the end-user. When you test
settings, you must choose for which ES you are testing them.

5. You now have two options:
• Test the bind operation only.
Click the test settings button.
This test verifies that:
– The NAC 800 can reach the domain controller or LDAP server.
– The administrator username and password are correct.

Note If you choose this option, you may receive a message that the test
failed because the LDAP query returned no results or multiple results.
Do not worry: although the search did not return results, the bind
completed successfully. See Table 5-2 for results that do indicate a
problem.
• Test the bind operation and look up an end-user’s credentials:
i. Check the Verify credentials for an end-user box.
ii. Enter the username for a valid user in the User name field.
iii. Enter the user’s password in the Password field.
iv. Re-enter the password in the Re-enter password field.
v. Click the test settings button.
This test verifies that:
– The NAC 800 can reach the domain controller or LDAP server.
– The administrator username and password are correct.
– For authentication through an LDAP server, the filter and
password attribute are correct.
– The end-user credentials that you entered are correct.

Note When you first test a configuration with the Verify credentials for an
end-user option, choose an end-user username and password that you are
certain are correct (for example, the administrator password). In that way,
you verify that the configuration itself functions correctly.
Later, if a particular user has difficulty connecting, you can use the Verify
credentials for an end-user option to check the user’s credentials.

6. The Operation in progress screen is displayed.

Figure 5-12 shows the screen for testing Windows domain authentication
settings.


Figure 5-12. Home > System configuration > Quarantining > test settings button

You might see, instead, the screen shown in Figure 5-13.

Figure 5-13. Home > System configuration > Quarantining > test settings button

This screen is displayed when you have edited previously configured
authentication settings. To test the new settings, the NAC 800 must
temporarily write them over the old settings, which—if the NAC 800 is the
RADIUS server for a live network—can briefly interrupt service.
Click the no button to cancel the test (in which case you should also wait
before applying your new settings).
Click the yes button to proceed with the test.
Note that proceeding with the test only temporarily overwrites the old
settings. You must still click the ok button on the Home > System configuration
> Quarantining screen to save the new settings.
7. When the test completes, you are returned to the Home > System configuration
> Quarantining screen. The message at the top of the screen indicates
the result. Refer to Table 5-2 for help interpreting the message.


Table 5-2. Authentication Settings Test Results

Message | Result | Possible Cause of Failure
LDAP settings successfully validated. | • The NAC 800 successfully bound to the LDAP server. • The NAC 800 successfully validated the test credentials. |
Test failed: LDAP query returned no results. | • The NAC 800 successfully bound to the LDAP server. • You did not ask to verify credentials. |
Test failed: LDAP query returned more than one result. | • The NAC 800 successfully bound to the LDAP server. • You did not ask to verify credentials. |
Test failed: [LDAP: error code 48 - Inappropriate Authentication]. | The NAC 800 failed to bind to the LDAP server. | The bind password is incorrect.
Test failed: could not authenticate identity. | The NAC 800 failed to bind to the LDAP server. | • The bind username is incorrect. • The base DN is incorrect.
Test failed: [LDAP: error code 32 - NDS error: no such entry (-601)] | The NAC 800 failed to bind to the LDAP server. | • The bind username is incorrect. • The base DN is incorrect.
Test failed: [LDAP: error code 13 - Confidentiality Required] | The NAC 800 failed to bind to the LDAP server. | The LDAP server requires TLS, but this option is not selected.
Test failed: connection error (Connection refused). | The NAC 800 failed to bind to the LDAP server. | The LDAP server requires TLS, but this option is not selected.
Test failed: could not verify server's certificate signature. | The NAC 800 failed to bind to the LDAP server. | The CA certificate for TLS authentication does not match the LDAP server’s CA certificate.
Test failed: end-user <username> not found. | • The NAC 800 successfully bound to the LDAP server. • The NAC 800 failed to validate the test credentials. | • The test username is incorrect. • The base DN is incorrect. • The filter specifies the wrong attribute name.
Test failed: password for end user <username> is invalid. | • The NAC 800 successfully bound to the LDAP server. • The NAC 800 failed to validate the test credentials. | The test password is incorrect.
Test failed: Attribute <attribute name> not found. | • The NAC 800 successfully bound to the LDAP server. • The NAC 800 failed to validate the test credentials. | The password attribute is incorrect.


Add NASs as 802.1X Devices


A NAS is the device to which end-users connect—typically, a switch or an AP.
The NAS enforces port authentication on end-user ports, forwarding users’
authentication requests to a RADIUS server.

You must add each NAS that uses the NAC 800 as its RADIUS server to the
NAC 800’s list of 802.1X devices.

Note The NASs are often called RADIUS clients. The Web browser interface,
however, as well as this guide, will refer to them as 802.1X devices.

Follow these steps to add the 802.1X devices:


1. Complete the steps listed in “Specify the Quarantine Method (802.1X)” on
page 5-8.
2. Complete the steps for your selected authentication method. (See “Configure
Authentication Settings” on page 5-10.)
3. You should see a screen similar to that illustrated in Figure 5-14.


Figure 5-14. Home > System configuration > Quarantining—802.1X quarantine method

4. Click the add an 802.1X device link. The Add 802.1X device screen is
displayed.


Figure 5-15. Home > System configuration > Quarantining (802.1X quarantine
method) > add an 802.1X device

5. Enter the 802.1X device’s IP address in the IP address field.
For example, endpoints connect to an edge switch that has 10.1.1.152 for
its management IP address. Enter:
10.1.1.152
6. Enter a character string in the Shared secret field.
This string and the RADIUS server secret configured on the 802.1X device
must match exactly. (See your device’s documentation for information on
configuring this secret.)
The secret can include alphanumeric and special characters.
7. Enter the same character string in the Re-enter shared secret field.
8. Optionally, give the 802.1X device a descriptive name by entering a string
in the Short name field.
The name is displayed in logs and can include alphanumeric and special
characters.
9. From the Device type drop-down menu, choose the type of 802.1X device
(that is, its manufacturer and OS).
The drop-down menu includes several common devices, but the NAC 800
supports any device that can act as a standard RADIUS client. If your
device is not listed, select Other.
10. Options for connecting to the selected device are displayed.


Figure 5-16. Home > System configuration > Quarantining (802.1X quarantine
method) > add an 802.1X device link

Connecting to the 802.1X device is necessary for implementing endpoint
integrity: the NAC 800 must force the 802.1X device to re-authenticate the
endpoint after its endpoint integrity posture has changed, so that the new
VLAN assignment can take effect. See “How the NAC 800 Quarantines
Endpoints” on page 1-35 of Chapter 1: “Overview of the ProCurve NAC
800” for more information.


If you are using the NAC 800 as a RADIUS server only, the connection
settings do not matter.
Leave the settings at the defaults, or for the ProCurve Wireless Edge
Services xl Module, ProCurve 420 AP, and ProCurve 530 AP, fill in only the
community name.
11. Click the ok button.
12. To apply and save the 802.1X device configuration, you must also click
the ok button in the Home > System configuration > Quarantining screen.

Apply Changes
Whenever you alter the configuration for the 802.1X and RADIUS settings
(including adding an 802.1X device), you must apply and save the changes.
When you apply the changes, the CS’s internal RADIUS server (or the RADIUS
servers on all ESs in the cluster) automatically restarts.

Note The RADIUS server typically takes several seconds to restart. During this
period, the RADIUS server is unavailable for authenticating end-users. To
avoid interrupting services, configure 802.1X quarantining settings after
hours.

Follow these steps:


1. If you have not already done so, click the ok button in the Home > System
configuration > Quarantining screen.
Clicking the ok button writes the change to both the startup-config and
the running-config.

Restart the RADIUS Server


Follow these steps should you ever need to restart the RADIUS server manually:
1. Select Home > System configuration > Enforcement clusters & servers.


Figure 5-17. Home > System configuration > Enforcement clusters & servers

2. Click the name of the CS or ES. The Enforcement server screen is displayed.

Note Figure 5-18 shows the Enforcement server screen for a CS. The screen for an
ES features two menu options: General and Configuration. You should select
the General menu option.


Figure 5-18. Home > System configuration > Enforcement clusters & servers >
selected Enforcement server

3. The Process/thread status area lists a number of services. Click the restart
now button for radius. The Operation in progress screen is displayed.


Figure 5-19. Home > System configuration > Enforcement clusters & servers >
selected Enforcement server > radius restart now button

4. Within several seconds, the Operation in progress screen should close. At
the top of the Enforcement server screen, this message should be displayed:
The radius process was restarted.

Note Typically, the RADIUS server restarts without a problem. If it encounters
difficulties, you should restart it from the root of the OS. Follow these steps:
1. Log in as root to the NAC 800 OS:
a. Open an SSH or console session with the NAC 800.
b. When asked for your username and password, enter root and the root
password (default, procurve).
2. Enter this command:
service radiusd restart
3. Read any messages that display. For example, if you have altered configuration
files, one of the files might have an error and fail to load.


Manage Digital Certificates for RADIUS


The following authentication methods use mutual authentication, which
means that the RADIUS server (in your case, the NAC 800 CS or ES) identifies
itself to endpoints with a digital certificate:
■ EAP-TLS
■ EAP-TTLS
■ PEAP

At its factory default settings, the NAC 800 authenticates as a RADIUS server
with a self-signed digital certificate. However, this certificate is not intended
for an enterprise environment. It identifies the NAC 800 as follows:
■ subject=/C=CA/ST=Province/L=Some City/O=Organization/OU=localhost/CN=Root certificate/emailAddress=root@example.com
■ issuer=/C=CA/ST=Province/L=Some City/O=Organization/OU=localhost/CN=Client certificate/emailAddress=client@example.com

You should load one of the following certificates on your NAC 800:
■ A self-signed certificate that specifies the NAC 800’s FQDN as its common
name (CN)
■ A certificate that specifies the NAC 800’s FQDN as its CN and is signed by
a trusted CA

In either case, the certificate must allow the NAC 800 to use it for client and
server authentication. That is, the extensions for the key usage should be “TLS
Web Server Authentication” and “TLS Web Client Authentication.”

Follow these steps to set up certificates for RADIUS services:


1. If you plan to use a CA-signed certificate, install the CA root certificate on
the NAC 800.
2. Obtain a server certificate and install it on the NAC 800. You must specify
the certificate and private key locations in the /etc/raddb/eap.conf file.
As mentioned above, you can create a self-signed certificate or obtain a
certificate from a CA.

The following sections explain how to complete these tasks. The final sections
of this chapter give you some guidelines on setting up certificates on endpoints.


You must complete these tasks by accessing the root command line for the
NAC 800’s OS:
1. Open a console or SSH session with the NAC 800.
2. Log in:
• username = root
• password = <root password>

Install the CA Root Certificate on the NAC 800


The NAC 800 must have the CA root certificate for the CA that signed its server
certificate. If supplicants authenticate with certificates (the EAP method is
EAP-TLS or, less commonly, PEAP or EAP-TTLS with an inner method that
requires certificates), the NAC 800 also uses this CA certificate to verify the
supplicants’ certificates.

Follow these steps to install the CA certificate on the NAC 800:


1. Obtain the CA certificate from your CA.
Your CA should instruct you how to complete this step.
The certificate must be in PEM format. (See step 4 on page 5-44 for
instructions on converting a DER or PFX certificate to PEM format.)
2. Transfer the CA certificate to the NAC 800.
If you have installed PSCP on your management station, you can follow
these steps:
a. Save the CA certificate to your management station.
b. Access the command prompt on your management station and move
to the directory in which PSCP is installed.
c. Enter this command:

Syntax: pscp <path\filename> root@<NAC 800 IP address>://etc/raddb/certs/demoCA/cacert.pem
Replace <path\filename> with the directory path and filename
for the CA certificate.

For example:
pscp myCA.pem root@10.1.1.20://etc/raddb/certs/demoCA/cacert.pem


Note Be very careful to enter the output file for the certificate exactly as shown
above: /etc/raddb/certs/demoCA/cacert.pem.
Otherwise, you must alter the name specified for the private key file and
the certificate file in the “tls” section of the /etc/raddb/eap.conf file—which
can lead to errors. (See step 12 on page 5-50.)
d. When prompted, enter the NAC 800’s root password.
3. Log in as root to the NAC 800 OS.
4. If the CA certificate is not in PEM format, follow these steps:
a. Move to the correct directory:
ProCurve NAC 800:/# cd /etc/raddb/certs/demoCA
b. Convert from DER format with this command:

Syntax: openssl x509 -in <filename> -inform DER -out <filename> -outform PEM
Preferably, specify cacert.pem for the second filename.

For example, enter:
ProCurve NAC 800:/etc/raddb/certs/demoCA# openssl x509 -in cacert.der -inform DER -out cacert.pem -outform PEM
Convert from PFX format with this command:

Syntax: openssl pkcs12 -in <filename>.pfx -out <filename>.pem
You should change the filename extension to reflect the
changed format. Preferably, specify cacert.pem for the
filename.

5. Restart the RADIUS server.
ProCurve NAC 800:/etc/raddb/certs/demoCA# service radiusd restart


Install a Server Certificate for RADIUS


You have a variety of options for obtaining and installing the server certificate
for RADIUS authentication. You can:
■ Create a self-signed certificate on the NAC 800.
■ Obtain and install a CA-signed certificate in one of these ways:
• Create a private/public keypair and certificate request on the NAC 800
and submit the request to your CA.
• On the CA, request a certificate on behalf of the NAC 800. Make sure to
save the associated private key so that you can load it to the NAC 800.

Create a Self-Signed Certificate


Follow these steps to create a self-signed certificate to be used for RADIUS
authentication:
1. Log into the NAC 800 as root.
2. Configure the openssl application to issue self-signed certificates with the
correct extensions for a RADIUS server. (See Appendix B, “Linux Commands”
for vi commands.)
a. Copy the default configuration file for openssl to a new location. You
will make changes to the new file.
ProCurve NAC 800:# cp /var/ssl/openssl.cnf /etc/raddb/certs/openssl.cnf
b. Enter this command:
ProCurve NAC 800:# cd /etc/raddb/certs
c. Alter the new configuration file:
ProCurve NAC 800:/etc/raddb/certs# vi openssl.cnf
d. Press [i] to enter Insert mode.
e. Find the “[new_oids]” section. Add this text above:
[radsrv]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
f. Press [Esc] to exit Insert mode.
g. Save the changes and exit vi.
:wq


3. Enter this command to generate the self-signed certificate:

Syntax: openssl req -x509 -config openssl.cnf -extensions radsrv -newkey [rsa |
dsa]:[512 | 1024 | 2048 | 4096] -nodes -days <number> -keyout cert-srv.pem
-out cert-srv.pem
The -config option should specify the new configuration file
that you created in step 2. (Make sure that you are in the
correct directory.) Similarly the -extensions option specifies
the bracketed name for the extensions that you added to that
file.
The -newkey option generates a private/public keypair for this
certificate. Choose rsa or dsa for the algorithm and then choose
the key length (4096 is not a valid option for dsa). Replace
<number> with the number of days that this certificate will
remain valid.
The -nodes option in the command above creates the private
key without password protection. For greater security, leave
out this option when you enter the command. You will then
be prompted to enter the password.
After you finish step 4, edit the /etc/raddb/eap.conf file and
change the private key password from whatever to the
password that you entered.

For example:
ProCurve NAC 800:/etc/raddb/certs# openssl req -x509 -config openssl.cnf -extensions radsrv -newkey rsa:2048 -nodes -days 365 -keyout cert-srv.pem -out cert-srv.pem

Note Be very careful to enter the output files for the key and the certificate
exactly as shown above: /etc/raddb/certs/cert-srv.pem.
Otherwise, you must alter the name specified for the private key file and
the certificate file in the “tls” section of the /etc/raddb/eap.conf file—which
can lead to errors. (See step 12 on page 5-50.)

4. You will be prompted to enter information about the NAC 800. When
prompted for the CN, enter the NAC 800’s FQDN.
5. Restart the RADIUS server.
ProCurve NAC 800:/etc/raddb/certs# service radiusd restart


Install a CA-Signed Certificate Using a Request Generated on the NAC 800
Follow these steps to create a certificate request and install a CA-signed
certificate for RADIUS authentication:
1. Log in to the NAC 800 as root.
2. Enter this command:
ProCurve NAC 800:/# cd /etc/raddb/certs
3. Configure the openssl application to create certificate requests that
request the correct extensions for a RADIUS server. (See Appendix B,
“Linux Commands” for vi commands.) If you are using your own Windows
CA, you might skip this step and use a certificate template to add the correct
extensions.
a. Copy the default configuration file for openssl to a new location. You
will make changes to the new file.
ProCurve NAC 800:# cp /var/ssl/openssl.cnf /etc/raddb/certs/openssl.cnf
b. Alter the new configuration file:
ProCurve NAC 800:/etc/raddb/certs# vi openssl.cnf
c. Press [i] to enter Insert mode.
d. Find the “[new_oids]” section. Add this text:
[radsrv_req]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
e. Press [Esc] to exit Insert mode.
f. Save the changes and exit vi.
:wq


4. Enter this command to generate the certificate request:

Syntax: openssl req -new -config openssl.cnf -extensions radsrv_req -newkey [rsa | dsa]:[512 | 1024 | 2048 | 4096] -nodes -keyout <key_filename> -out <request_filename> {-outform [DER | PEM]}
The -config option should specify the new configuration file
that you created in step 2. (Make sure that you are in the
correct directory.) Similarly, the -extensions option specifies
the bracketed name for the extensions that you added to that file.
The -newkey option generates a private/public keypair for this
certificate. Choose rsa or dsa for the algorithm and then choose
the key length (4096 is not a valid option for dsa).
The private key for the certificate is saved with the name you
enter for <key_filename>. The certificate request is saved
with the name you enter for <request_filename>. You can
choose the format (DER or PEM) for the request (default: PEM).
The -nodes option in the command above creates the private
key without password protection. For greater security, omit
this option when you enter the command. You will then be
prompted to enter the password. In step 12 on page 5-50, you
will edit the /etc/raddb/eap.conf file and specify this password.

For example:
ProCurve NAC 800:/etc/raddb/certs# openssl req -new -config openssl.cnf -extensions radsrv_req -newkey rsa:1024 -nodes -keyout mykey.pem -out myrequest.req
5. You will be prompted to enter information about the NAC 800. When
prompted for the Common Name (CN), enter the NAC 800’s FQDN.
6. Transfer the certificate request to a Secure Copy (SCP) server.
If you have installed PuTTY SCP (PSCP) on your management station, you
can follow these steps:
a. Access the command prompt on your management station and move
to the directory in which PSCP is installed.
b. Enter this command:

Syntax: pscp root@<NAC 800 IP address>://etc/raddb/certs/<request_filename> <path\filename>
Transfers the request off the NAC 800. Replace
<request_filename> with the name you specified in step 4 on
page 5-48. The request is saved on the station with the name
that you specify for <path\filename>.


For example:
pscp root@10.1.1.20://etc/raddb/certs/myrequest.req nacrequest.req
c. When prompted, enter the NAC 800’s root password.
7. Submit the certificate request to your CA.
Contact your CA to learn how to complete this step. You should request
X.509 format (either Distinguished Encoding Rules [DER] or Privacy
Enhanced Mail [PEM]). However, if necessary you can convert a certificate
that uses a different format. (See step 11.)

Note If you are using a Windows CA, have the CA issue a certificate using the
RAS and IAS Server template (or another template that has key extensions
for both server authentication and client authentication).

8. After the CA returns the server certificate to you, transfer it to the NAC
800.
If you have installed PSCP on your management station, you can follow
these steps:
a. Save the certificate to your management station.
b. Access the command prompt on your management station and move
to the directory in which PSCP is installed.
c. Enter this command:

Syntax: pscp <path\filename> root@<NAC 800 IP address>://etc/raddb/certs/<certificate_filename>
Replace <path\filename> with the directory path and filename
for the server certificate. The certificate is saved with the
name that you specify for <certificate_filename>.

For example:
pscp mycertificate.pem root@10.1.1.20://etc/raddb/certs/mycertificate.pem
d. When prompted, enter the NAC 800’s root password.
9. Log back in to the NAC 800 as root.
10. Enter this command:
ProCurve NAC 800:/# cd /etc/raddb/certs


11. If your certificate is not the desired format, you can convert it.
Convert from DER with this command:

Syntax: openssl x509 -in <certificate_filename> -inform DER -out <certificate_filename> -outform PEM
For <certificate_filename>, enter the name for the certificate
that you chose in step 8. You should change the filename
extension to reflect the changed format.

For example, enter:
ProCurve NAC 800:/etc/raddb/certs# openssl x509 -in mycertificate.der -inform DER -out mycertificate.pem -outform PEM
Convert from PFX format with this command:

Syntax: openssl pkcs12 -in <certificate_filename>.pfx -out <certificate_filename>.pem
For <certificate_filename>, enter the name for the certificate
that you chose in step 8 on page 5-49. You should change the
filename extension to reflect the changed format.

12. Alter the /etc/raddb/eap.conf file to specify the new private key and certificate
files. (See Appendix B, “Linux Commands” for vi commands.)
a. Enter this command:
ProCurve NAC 800:/# vi /etc/raddb/eap.conf
b. Use the arrow keys or other vi commands to reach the “tls” section
of the configuration file. (See Figure 5-20.)


tls {
private_key_password = whatever
private_key_file = ${raddbdir}/certs/cert-srv.pem

# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
certificate_file = ${raddbdir}/certs/cert-srv.pem

# Trusted Root CA list
CA_file = ${raddbdir}/certs/demoCA/cacert.pem

dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random

Figure 5-20. Example radiusd.conf File—tls Section

Note The NAC 800 uses the “tls” configuration for server certificates for TLS,
PEAP, and TTLS.
c. Press [i].
d. If you created a password for the private key, set
private_key_password to the same password that you chose earlier. For
example:
private_key_password = mypassword
e. Set private_key_file to the same as the <key_filename> that you specified
in step 4 on page 5-48. Keep the default path already included in
the configuration file (which works as long as you saved the key in
the proper directory). For example:
private_key_file = ${raddbdir}/certs/mykey.pem
f. Set certificate_file to the same as the <certificate_filename> that you
specified in step 8-c on page 5-49 (or step 11 on page 5-50). Keep the
default path already included in the configuration file (which works
as long as you saved the certificate in the proper directory). For
example:
certificate_file = ${raddbdir}/certs/mycertificate.pem
g. Make sure that CA_file is set to the filename (including the correct
path) for the CA root certificate. This certificate was installed in
“Install the CA Root Certificate on the NAC 800” on page 5-43.


h. Press [Esc].
i. Enter this command:
:wq
13. Restart the RADIUS server.
ProCurve NAC 800:/# service radiusd restart
If the RADIUS server fails to restart, you have probably mistyped the
filenames or private key password in step 12. Carefully recheck the
configuration.
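The certificate requirements from “Create a Self-Signed Certificate” and the checks behind steps 12 and 13 above, worked through as an added shell example that is not part of this guide. It assumes the openssl command, a scratch CA that stands in for your organization’s CA, a temporary directory in place of /etc/raddb, and constructed names (nac800.example.com, Example CA, mypassword).

```shell
#!/bin/sh
# Added example, not from the ProCurve guide. Builds a RADIUS server certificate
# with the [radsrv] extensions the guide has you put in openssl.cnf, signs it
# with a scratch CA standing in for your CA, then runs the checks behind the
# step 13 advice to recheck filenames and the private key password when
# radiusd will not restart. A temp directory stands in for /etc/raddb.
set -e
RADDB=$(mktemp -d); CERTS="$RADDB/certs"; mkdir -p "$CERTS/demoCA"
FQDN="nac800.example.com"   # constructed; use the NAC 800's real FQDN

# [req]/[req_dn]/[ca_ext] are assumptions that let the run go unattended;
# [radsrv] is exactly the section the guide specifies.
cat > "$CERTS/openssl.cnf" <<EOF
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
CN = $FQDN
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash
[radsrv]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
EOF

# Scratch CA, then the guide's step 4 request (password-protected key, as the
# guide recommends) signed with the radsrv extensions your CA would apply.
make_certs() {
    openssl req -x509 -config "$CERTS/openssl.cnf" -extensions ca_ext \
        -subj "/CN=Example CA" -newkey rsa:2048 -nodes -days 365 \
        -keyout "$CERTS/demoCA/ca.key" -out "$CERTS/demoCA/cacert.pem" 2>/dev/null
    openssl req -new -config "$CERTS/openssl.cnf" -newkey rsa:2048 \
        -passout pass:mypassword -keyout "$CERTS/mykey.pem" \
        -out "$CERTS/myrequest.req" 2>/dev/null
    openssl x509 -req -in "$CERTS/myrequest.req" -CA "$CERTS/demoCA/cacert.pem" \
        -CAkey "$CERTS/demoCA/ca.key" -CAcreateserial -days 365 \
        -extfile "$CERTS/openssl.cnf" -extensions radsrv \
        -out "$CERTS/mycertificate.pem" 2>/dev/null
}

# check_cert FILE FQDN: "ok" when the certificate names FQDN as its CN and
# carries both EKUs the NAC 800 needs; otherwise the problem, status 1.
check_cert() {
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
    case "$subject" in *"CN=$2,"*|*"CN=$2") ;; *) echo "CN is not $2"; return 1 ;; esac
    text=$(openssl x509 -in "$1" -noout -text)
    echo "$text" | grep -q "TLS Web Server Authentication" || { echo "missing serverAuth"; return 1; }
    echo "$text" | grep -q "TLS Web Client Authentication" || { echo "missing clientAuth"; return 1; }
    echo ok
}

# tls_get KEY FILE: value of "KEY = value" inside tls { ... } of eap.conf,
# with ${raddbdir} expanded the way radiusd reads it.
tls_get() {
    awk -v k="$1" -v raddb="$RADDB" '
        $1 == "tls" && $NF == "{" { depth = 1; next }
        depth > 0 && $NF == "{"  { depth++; next }
        depth > 0 && $1 == "}"   { depth--; next }
        depth == 1 && $1 == k && $2 == "=" {
            v = $3; if (index(v, "${raddbdir}") == 1) v = raddb substr(v, 12)
            print v; exit
        }' "$2"
}
# preflight_tls EAPCONF FQDN: "ok", or the first problem radiusd would trip
# over when it reads the tls section (the failure step 13 describes).
preflight_tls() {
    key=$(tls_get private_key_file "$1"); cert=$(tls_get certificate_file "$1")
    ca=$(tls_get CA_file "$1"); pw=$(tls_get private_key_password "$1")
    for f in "$key" "$cert" "$ca"; do [ -f "$f" ] || { echo "missing file: $f"; return 1; }; done
    openssl rsa -in "$key" -passin "pass:$pw" -noout 2>/dev/null \
        || { echo "private key does not load with private_key_password"; return 1; }
    [ "$(openssl rsa -in "$key" -passin "pass:$pw" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$cert" -noout -pubkey)" ] \
        || { echo "private key does not match certificate"; return 1; }
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "certificate does not chain to CA_file"; return 1; }
    check_cert "$cert" "$2"
}
# Constructed eap.conf with the tls section filled in as in step 12, plus a
# copy where the default password was left in place (the step 12d mistake).
cat > "$RADDB/eap.conf" <<'EOF'
eap {
    tls {
        private_key_password = mypassword
        private_key_file = ${raddbdir}/certs/mykey.pem
        certificate_file = ${raddbdir}/certs/mycertificate.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
    }
}
EOF
sed 's/= mypassword/= whatever/' "$RADDB/eap.conf" > "$RADDB/eap-bad.conf"
make_certs
echo "eap.conf: $(preflight_tls "$RADDB/eap.conf" "$FQDN")"
echo "eap-bad.conf: $(preflight_tls "$RADDB/eap-bad.conf" "$FQDN")"
```

On a real NAC 800 you would point preflight_tls at /etc/raddb/eap.conf with RADDB=/etc/raddb and run it before service radiusd restart.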

Install a CA-Signed Certificate Using a Request Generated on Behalf of the NAC 800
Follow these steps to generate a certificate for the NAC 800 on your organization’s
CA and to install that certificate on the NAC 800:
1. Following the instructions in your CA documentation, create the certificate
request and generate the certificate (in X509 format).
Enter the NAC 800’s FQDN for its CN. Specify the NAC 800’s country, state,
and so forth, as prompted.
Make sure to generate a RADIUS server certificate for the NAC. (Its key
usage extensions should provide for both client and server authentication.)
2. Transfer the certificate and the private key to the NAC 800.
If you have installed PSCP on your management station, you can follow
these steps:
a. Save the certificate and private key to your management station.
It is very important that you save the private key for the certificate.
You will upload this key to the NAC 800 in step 3. You might have been
prompted to create a password for the key. If you do, you will need
to specify that password in step 6 on page 5-54.
b. Access the command prompt on your management station and move
to the directory in which PSCP is installed.


c. Enter this command:

Syntax: pscp <path\filename> root@<NAC 800 IP address>://etc/raddb/certs/<certificate_filename>
Replace <path\filename> with the directory path and filename
for the server certificate. Replace <certificate_filename> with
the name under which the certificate will be stored on the NAC
800.

For example:
pscp mycertificate.pem root@10.1.1.20://etc/raddb/certs/mycertificate.pem
d. Repeat the previous command to transfer the private key file, if
separate from the certificate file:

Syntax: pscp <path\filename> root@<NAC 800 IP address>://etc/raddb/certs/<key_filename>
Replace <path\filename> with the directory path and filename
for the private key. Replace <key_filename> with the name
under which the private key will be stored on the NAC 800.

For example:
pscp mykey.pem root@10.1.1.20://etc/raddb/certs/mykey.pem

Note The private key and server certificate might be stored in the same file. In
this case, you only need to enter the command once and you should
specify the output file: /etc/raddb/certs/cert-srv.pem.
This allows the NAC 800 to use the new certificate without forcing you to
alter the “tls” section of the /etc/raddb/eap.conf file—which can lead to
errors.
e. When prompted, enter the NAC 800’s root password.
3. Log in to the NAC 800 as root.
4. Enter this command:
ProCurve NAC 800:/# cd /etc/raddb/certs
5. If your certificate is not in the correct format, you can convert it.

Convert from DER format to PEM format with this command:

Syntax: openssl x509 -in <certificate_filename> -inform DER -out <certificate_filename> -outform PEM

For <certificate_filename>, enter the name for the certificate that you chose in step 2-c on page 5-53. You should change the filename extension to reflect the changed format.

For example, enter:

ProCurve NAC 800:/etc/raddb/certs# openssl x509 -in mycertificate.der -inform DER -out mycertificate.pem -outform PEM

Convert from PFX format with this command:

Syntax: openssl pkcs12 -in <certificate_filename>.pfx -out <certificate_filename>.pem

For <certificate_filename>, enter the name for the certificate that you chose in step 2-c on page 5-53. You should change the filename extension to reflect the changed format.

6. Alter the /etc/raddb/eap.conf file to specify the new certificate. (See Appendix B, “Linux Commands” for vi commands.)

Note You can skip this step if the new server certificate and private key are in
the same file, which is named cert-srv.pem, and if the private key is not
protected with a password.
a. Enter this command:
ProCurve NAC 800:/# vi /etc/raddb/eap.conf
b. Use the arrow keys or other vi commands to reach the “tls” section
of the configuration file. (See Figure 5-21).

Note The NAC 800 uses the “tls” configuration to authenticate itself for TLS,
PEAP, and TTLS.

tls {
private_key_password = whatever
private_key_file = ${raddbdir}/certs/cert-srv.pem

# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
certificate_file = ${raddbdir}/certs/cert-srv.pem

# Trusted Root CA list
CA_file = ${raddbdir}/certs/demoCA/cacert.pem

dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random

Figure 5-21. Example radiusd.conf File—tls Section

c. Press [i].
d. Set private_key_password to equal the password you chose to protect
your key. For example:
private_key_password = mypassword
e. Set private_key_file to equal the <key_filename> you specified in step 2-d on page 5-53. Keep the default path already included in the configuration file (which works as long as you saved the key in the proper directory). For example:
private_key_file = ${raddbdir}/certs/mykey.pem
f. Set certificate_file to equal the <certificate_filename> you specified in step 2-c on page 5-53 (or step 5 on page 5-53). Keep the default path already included in the configuration file (which works as long as you saved the certificate in the proper directory). For example:
certificate_file = ${raddbdir}/certs/mycertificate.pem
g. Make sure that CA_file is set to the filename (including the correct
path) for the CA root certificate. This certificate was installed in
“Install the CA Root Certificate on the NAC 800” on page 5-43.
h. Press [Esc].
i. Enter this command:
:wq

7. Restart the RADIUS server.

ProCurve NAC 800:/# service radiusd restart
If the RADIUS server fails to restart, you have probably mistyped the
password or filenames in step 6. Carefully recheck the configuration.

Manage Certificates on Endpoints

To authenticate the NAC 800 RADIUS server, endpoints require the root
certificate for the CA that signed the NAC 800’s server certificate. The exact
steps for installing this certificate depend, of course, on the endpoint. Refer
to the appropriate documentation.

Note If you selected a well-known vendor CA to issue your NAC 800’s certificate,
most endpoints already have the necessary certificate.

You must also install user or computer certificates on endpoints—if you have selected an EAP method that requires supplicants to authenticate with a certificate rather than a password. Generally, you would issue those certificates using your organization’s CA. Refer to the documentation for your CA service for instructions.

Disable Server Validation on Endpoints

You might want to prevent endpoints from checking the NAC 800’s server
certificate for several reasons:
■ You do not want to bother installing new certificates on the NAC 800 for
server authentication.

Caution Because this option could allow endpoints to connect to a rogue server,
ProCurve Networking does not recommend it.
■ You want to help endpoints temporarily connect to the network so that
they can obtain the CA certificate necessary for validating the NAC 800’s
certificate.
For example, a Windows station automatically receives the domain’s CA
root certificate when it joins the domain.
After an endpoint obtains the certificate, it should be configured to once
again validate the server certificate.

Follow these steps on an endpoint to disable validation of the server on the native Windows 802.1X supplicant:
1. Select Start > Settings > Network Connections > Local Area Connection.

Figure 5-22. Start > Settings > Network Connections > Local Area Connection

2. Click the Properties button.
3. Select the Authentication tab in the window that is displayed.

Figure 5-23. Local Area Connection Properties > Authentication

4. Choose your EAP type and click the Properties button.
5. Clear the Validate server certificate check box.

Figure 5-24. <EAP type> Properties

6. Click OK to close all open windows.

Follow these steps to disable validation of the server on an endpoint that uses
the Microsoft Wireless Zero Configuration client:
1. Select Start > Settings > Network Connections > Wireless Network Connection.

Figure 5-25. Start > Settings > Network Connections > Local Area Connection

2. Click the Properties button.
3. Select the Wireless Networks tab in the window that is displayed.

Figure 5-26. Wireless Network Connection Properties

4. Select the service set identifier (SSID) for your wireless network in the
Preferred networks area and click the Properties button.
If the SSID has not yet been configured on the client, you must click the
Add button instead. Then, in addition to completing the steps below, you
must configure settings such as the SSID, the authentication method, and
the encryption type.
5. Select the Authentication tab in the window that is displayed.

Figure 5-27. <SSID> Properties > Authentication

6. Choose the EAP type and click the Properties button.
7. Uncheck the Validate server certificate box.

Figure 5-28. <EAP type> Properties

8. Click OK to close all open windows.

Disabling Endpoint Integrity Testing

Contents
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Configure Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Configure Exceptions for the Cluster Default Settings . . . . . . . . . 6-3
Configure Exceptions for a Particular Cluster . . . . . . . . . . . . . . . . 6-5

Overview
The ProCurve Network Access Controller (NAC) 800 is designed to provide
both endpoint integrity checking and RADIUS services. If you want the NAC
800 to function only as a RADIUS server, you must disable endpoint integrity
testing on endpoints.

The recommended procedure for disabling endpoint integrity is to modify the cluster default settings, adding your company’s network devices as exceptions that are not tested. If your network supports multiple clusters and you do not want to disable endpoint integrity for all of these clusters, you can define exceptions for a particular cluster or clusters.

When you identify endpoints as exceptions, the NAC 800 discovers them but
does not test them. In effect, you have disabled endpoint integrity testing.

Configure Exceptions
On the NAC 800, you configure exceptions for endpoints that you do not want
tested for endpoint integrity. When you designate an endpoint as an exception,
the NAC 800 discovers but does not test that endpoint.

To configure exceptions, you can enter an address or a Windows domain name.

For an address, you can specify:
■ IP address—Enter individual IP addresses or a range of IP addresses using Classless Inter-Domain Routing (CIDR) format. For example, you might enter:
192.168.2.10
192.168.3.0/24
■ MAC address—Use the standard MAC address format: FF:FF:FF:FF:FF:FF. For example, you might enter:
00:11:43:66:68:CC
■ NetBIOS name—To provide backward compatibility with a legacy Windows system, enter the NetBIOS name assigned to the device. For example, you might enter:
MyLaptop

To exclude an entire domain, enter your company’s domain name, such as:

ABCCompany.com

Because you are setting up the NAC 800 to function as a RADIUS server only,
you will typically specify a range or several ranges of addresses or a domain
name.
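As an added example (not the NAC 800's own code, whose matching rules beyond the formats listed above this guide does not describe), the following Python classifies each exception entry and reports which entry, if any, exempts a given endpoint from testing; the case-insensitive name comparison and the rejection of CIDR entries with host bits set are assumptions.

```python
"""Classify NAC 800 exception entries and decide whether an endpoint is exempt (added example)."""
import ipaddress
import re
from typing import Optional, Tuple

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
# NetBIOS names are at most 15 characters and never contain a dot; dotted names are domains.
NETBIOS_RE = re.compile(r'^[^\\/:*?"<>|.\s]{1,15}$')


def classify(entry: str) -> Tuple[str, object]:
    """Return (kind, normalised value) for one line of the 'Endpoints' exception list."""
    entry = entry.strip()
    if MAC_RE.match(entry):
        return "mac", entry.upper()
    try:
        if "/" in entry:
            # strict=True rejects host bits set below the mask (assumption): a typo such as
            # 192.168.3.5/24 must not silently exempt a whole subnet from testing.
            return "cidr", ipaddress.ip_network(entry, strict=True)
        return "ip", ipaddress.ip_address(entry)
    except ValueError:
        pass
    if NETBIOS_RE.match(entry):
        return "netbios", entry.upper()
    raise ValueError(f"not a valid exception entry: {entry!r}")


def is_valid_entry(entry: str) -> bool:
    """True if the entry is one of the accepted formats (IP, CIDR range, MAC, NetBIOS name)."""
    try:
        classify(entry)
        return True
    except ValueError:
        return False


class ExceptionList:
    """The 'Always grant access and never test' settings: endpoint entries plus a Windows domain."""

    def __init__(self, endpoints: str, windows_domain: str = "") -> None:
        # One entry per line, exactly as typed into the Endpoints field.
        self.entries = [(line.strip(), *classify(line))
                        for line in endpoints.splitlines() if line.strip()]
        self.domain = windows_domain.strip().lower()

    def match(self, ip: str = "", mac: str = "", netbios: str = "", domain: str = "") -> Optional[str]:
        """Return the entry that exempts this endpoint, or None if the endpoint must be tested."""
        addr = ipaddress.ip_address(ip) if ip else None
        for text, kind, value in self.entries:
            if kind == "ip" and addr == value:
                return text
            if kind == "cidr" and addr is not None and addr in value:
                return text
            if kind == "mac" and mac.upper() == value:
                return text
            if kind == "netbios" and netbios.upper() == value:
                return text
        if self.domain and domain.lower() == self.domain:
            return self.domain
        return None
```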

Configure Exceptions for the Cluster Default Settings

To configure exceptions as part of the cluster default settings, which are then
applied to all clusters, complete the following steps:
1. Select Home > System configuration.

Figure 6-1. Home > System configuration

2. Select Cluster setting defaults > Exceptions.

Figure 6-2. Home > System configuration > Cluster setting defaults > Exceptions

3. Under Always grant access and never test, enter either the addresses of
endpoints or the domain name you want to exclude.
• Under Endpoints, enter an IP address, a range of IP addresses in CIDR
format, a MAC address, or a NetBIOS name.
• Under Windows domain, enter the domain name.
Separate addresses and names with carriage returns, as shown below:
10.1.1.0/24
10.1.2.13
MyLaptop

4. Click ok.

Configure Exceptions for a Particular Cluster

If you want to disable endpoint integrity for only one of the clusters you have
configured on the Management Server (MS), complete the following steps:
1. Select Home > System configuration.

Figure 6-3. Home > System configuration

2. Select Enforcement clusters & servers and select the link for the cluster that
implements RADIUS without endpoint integrity.
The Enforcement cluster screen is displayed.

3. Select Exceptions.

Note The settings you configure for a particular cluster override the cluster setting
defaults.

4. Select the For this cluster, override the default settings check box.

Figure 6-4. Home > System configuration > Enforcement clusters & servers >
cluster_name > Exceptions

5. Under Always grant access and never test, enter either the addresses of
endpoints or the domain name you want to exclude.
• Under Endpoints, enter an IP address, a range of IP addresses in CIDR
format, a MAC address, or a NetBIOS name.
• Under Windows domain, enter the domain name.
Separate addresses and names with carriage returns, as shown below:
192.168.10.0/24
192.168.115.55
MyNetwork
6. Click ok.

Redundancy and Backup for RADIUS Services

Contents
Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
Planning Redundancy for RADIUS-Only Deployments . . . . . . . . . . . . 7-2
Place the RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
Provide Duplicate Network Pathways . . . . . . . . . . . . . . . . . . . . . . 7-4
Configuring Network Devices for Redundant RADIUS Servers . . . . . 7-4
Configure the NASs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
Configure Multiple LDAP Servers on the NAC 800 . . . . . . . . . . . . 7-6
Use IDM to Configure the Usernames and Passwords . . . . . . . . 7-11
Test Your Redundant Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11
Back Up Your NAC 800 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-12
Configure the Web Browser So That It Allows You to Save Files . . . . . . . . . . . . . . . . . 7-14
Restore the System from the Backup File . . . . . . . . . . . . . . . . . . . . . . 7-15

Redundancy
Redundant systems have become a priority for companies simply because
most employees rely on their workstation and the company’s network to
complete their work. Consequently, downtime can be expensive.

When you design redundancy for your network systems, you must ensure that
critical network resources are always available. You must eliminate any single
point of failure, including:
■ Hardware failures
■ Software failures
■ Unavailable network pathways

Because you use a RADIUS server to control access to your company’s network resources, this server is critical to the operation of your network. If your RADIUS server becomes unavailable, users and devices will be unable to access the network or will be given access to limited resources in the unauthorized virtual local area network, or VLAN (depending on how you have configured your network). Neither option is desirable.

This chapter describes how to plan redundancy for a network in which one
or more ProCurve Network Access Controller (NAC) 800s provide RADIUS
services.

Planning Redundancy for RADIUS-Only Deployments

Providing redundant RADIUS services requires some planning. You must plan
redundancy for:
■ RADIUS servers—You need at least two RADIUS servers: either two
NAC 800s or one NAC 800 and one third-party RADIUS server.
■ Data store—You must consider the data store that the NAC 800 and the
other RADIUS server use to verify users’ login credentials. When using
the NAC 800, you have three options for the data store: you can use a
Lightweight Directory Access Protocol (LDAP) server or Windows
domain controller, which stores user objects for your entire network; you
can use the local data store on the NAC 800 itself; or you can use a proxy
RADIUS server.

If the NAC 800 contacts another device—such as an LDAP or proxy RADIUS server—to check user credentials, two additional points of failure are possible—the data store and the link to the data store. If the server goes down or the network connection fails, the NAC 800 cannot reach its data store to authenticate users.
Although storing credentials on individual NAC 800s’ local databases
eliminates the need to contact another device and eliminates this potential
failure point, it creates another issue: all NAC 800s and RADIUS servers
must have identical databases so that, if called upon, they can authenticate
any user. (ProCurve Identity Driven Manager, or IDM, simplifies this
process as explained below.)
Whichever data store you choose, consider the following issues:
• Directory service—If the data store is an LDAP-compliant directory service, you must provide redundancy for the LDAP servers themselves. (This task is outside of the scope of this management and configuration guide.) You must also plan for redundant pathways between the RADIUS servers and the data store on the LDAP server.
• NAC 800 local data store—If you are storing credentials on the NAC 800, IDM ensures that each NAC 800 includes the same usernames and passwords. You enter the usernames and passwords once on the IDM server, and it will configure them on each NAC 800 for you when you deploy the policy.
■ Network paths—You should build redundant links into your network architecture. A single failed connection should never isolate one section of the network from another.

Note In the remainder of this chapter, the term RADIUS server will refer either to a NAC 800 acting as a RADIUS server or a third-party RADIUS server.

Place the RADIUS Servers

Because you are trying to eliminate any single point of failure, you should not
connect your two redundant RADIUS servers to the same switch. Ideally, the
RADIUS servers should be connected to two different switches so that, if one
switch becomes unavailable, the other RADIUS server is not affected. (You
can also reduce the possibility of a switch failure by purchasing a switch that
is designed for high availability. For example, the ProCurve Switch 5400zl
Series has a dual-power supply, and the ProCurve Switch 8200zl Series has
dual management modules, dual fabric modules, and a dual-power supply. For
more information about these switches, visit http://www.procurve.com.)

Figure 7-1. Redundant RADIUS Servers

Provide Duplicate Network Pathways

In addition to deploying multiple RADIUS servers, you should examine pathways to ensure that neither RADIUS server will be isolated by a cable or hardware failure. Designing your network to eliminate these points of failure will undoubtedly create network loops. However, using Multiple Rapid Spanning Tree Protocol (RSTP) eliminates loops by temporarily blocking redundant paths. When a primary path becomes unavailable, RSTP unblocks the redundant path.

Although a detailed discussion of network design is beyond the scope of this guide, Figure 7-1 illustrates one design with duplicate network pathways.

Configuring Network Devices for Redundant RADIUS Servers

When you set up redundant RADIUS servers, you must configure your network devices so that they can take advantage of these servers. Specifically, you must enter settings on the Network Access Servers (NASs). In the 802.1X environment, a NAS might be a switch, a router, an access point (AP), or a ProCurve Wireless Edge Services Module.

If you are using LDAP servers for your data store, you must also configure the
NAC 800 with the settings for additional servers.

Configure the NASs

To provide redundancy for RADIUS services, you must specify at least two
RADIUS servers on each NAS. If the first RADIUS server listed is unavailable,
the NAS contacts the second RADIUS server.

Best practices dictate that you specify one RADIUS server as the primary
server for some NASs and the other RADIUS server as the primary server for
other NASs. Each RADIUS server, of course, acts as the secondary server for
the NASs for which it is not the primary server. This design eases the burden
on each RADIUS server; during normal conditions, each handles only some
of the authentication requests.

For example, when you configure port authentication on the ProCurve Switch
5400zl Series, you specify a RADIUS server using the following command:

ProCurve Switch (config)# radius-server host <ip address>

To configure a primary and a secondary RADIUS server, you simply enter the
command twice: the first time you enter the IP address for the primary
RADIUS server; the second time you enter the IP address for the secondary
RADIUS server. The 5400zl Switch will contact the RADIUS servers in the
order in which they are listed in the running-config.

Figure 7-2 shows a sample running-config for a 5400zl Switch. In this example,
two RADIUS servers are listed. Both of these servers are NAC 800s. When the
switch receives an authentication request, it will contact the first RADIUS
server listed—in this case, the NAC 800 with the IP address 10.1.1.20. If that
server does not respond, the 5400zl Switch will contact the next RADIUS
server listed—10.1.1.100 in the example.

On another switch, you might reverse the order of the commands, specifying
10.1.1.100 before 10.1.1.20.

hostname "Core"
module 1 type J8702A
module 2 type J8702A
module 3 type J9051A
ip routing
snmp-server community "public"
snmp-server community "procurve" Unrestricted
snmp-server host 10.1.10.10 "public"
vlan 1
name "DEFAULT_VLAN"
untagged A2,A4-A24,B2-B24
ip helper-address 10.1.10.10
ip address 10.1.1.1 255.255.255.0
no untagged A1,A3,B1
exit
vlan 10
name "VLAN10"
untagged A1,A3
ip address 10.1.10.1 255.255.255.0
tagged B24
exit
vlan 8
name "VLAN8"
untagged B1
ip address 10.1.8.1 255.255.255.0
tagged B24
exit
aaa authentication port-access eap-radius
radius-server host 10.1.1.20
radius-server host 10.1.1.100
aaa port-access authenticator A19,A21
aaa port-access authenticator active
aaa port-access A19,A21

Figure 7-2. Running-config for the 5400zl Switch (the two radius-server host lines specify the primary and secondary RADIUS servers)

Configure Multiple LDAP Servers on the NAC 800

If you have designed your directory services to provide redundancy, your network includes multiple LDAP servers. You must reference these LDAP servers on the NAC 800 so that it can contact another LDAP server if the first one is unavailable. To provide this redundancy for Microsoft Windows domain controllers (which use Active Directory [AD]), you can use the Web browser interface to specify multiple domain controllers. For other LDAP servers, such as Novell eDirectory and OpenLDAP, however, you must edit the /etc/raddb/radiusd.conf file to reference multiple LDAP servers.

Specifying Multiple Domain Controllers. You specify domain controllers when you are selecting a quarantine method and configuring the related settings. To access the Quarantining by cluster screen where you configure these settings, select Home > System configuration > Quarantining.

As Figure 7-3 shows, you must configure an End-user authentication method, which determines what the NAC 800 uses to verify users’ credentials. Because you are using a domain controller, use the drop-down menu to select Windows domain. Additional fields are displayed, allowing you to enter:
■ Domain name
■ Administrator user name
■ Administrator password

You can then list additional domain controllers in the Domain controllers field.
If you list more than one domain controller in this field, separate each one
with a comma. (This section focuses only on specifying multiple domain
controllers. For information about configuring other settings on this screen,
see Chapter 4: “Configuring the RADIUS Server—Integrated with ProCurve
Identity Driven Manager” or Chapter 5: “Configuring the RADIUS Server—
Without Identity Driven Manager.”)

Figure 7-3. Home > System configuration > Quarantining

Edit the /etc/raddb/radiusd.conf file. If you are using Novell eDirectory or OpenLDAP, you must log in to the NAC 800 as root through an SSH or console session. You then use the vi editor to edit the /etc/raddb/radiusd.conf file.

First move to the “modules” section and add ldap <server_name> as a module, specifying the following parameters for the server:

Syntax: ldap <server_name> {
server = "<LDAP server's FQDN>"
identity = "<administrator's DN>"
password = "<administrator's password>"
basedn = "<tree's base DN>"
filter = "<user login filter>"
base_filter = "<base filter>"
}

Add another module for the second server. See Figure 7-4.

In this example configuration, vmsuse is the name of the primary LDAP server,
and suse is the name of the secondary LDAP server. The example base
Distinguished Name (DN) is netidm.net.

modules {
ldap vmsuse {
server = "vmsuse.netidm.net"
identity = "cn=Manager,dc=netidm,dc=net"
password = secret
basedn = "dc=netidm,dc=net"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
tls_mode = "yes"
}
ldap suse {
server = "suse.netidm.net"
identity = "cn=Manager,dc=netidm,dc=net"
password = secret
basedn = "dc=netidm,dc=net"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
tls_mode = "yes"
}

Figure 7-4. radiusd.conf File for Multiple LDAP Servers—Modules Section

Note that, in order to protect users’ credentials, you should require the NAC
800 to negotiate a Transport Layer Security (TLS) connection with the LDAP
servers. Include this parameter in the module for both LDAP servers:

tls_mode = "yes"

The location of the LDAP server’s CA certificate, which is required for TLS
mode, is specified in this line:

Syntax: tls_cacertfile = “<file location>”

You must, of course, obtain the certificate and copy it to the specified location
on the NAC 800 (using an application such as PSCP).

It is often a good idea to set up one server through the Web browser interface, which helps you easily install the CA certificate. (See Chapter 4: “Configuring the RADIUS Server—Integrated with ProCurve Identity Driven Manager” or Chapter 5: “Configuring the RADIUS Server—Without Identity Driven Manager.”) Then access the radiusd.conf file and copy the first server’s configuration for the second server, simply changing the server name and the value for the server parameter.

After configuring the LDAP server modules, find the “authorize” and “authenticate” sections of the radiusd.conf file. To each section, add the redundant parameter and list below it the LDAP servers, specified by the name given in the “modules” section.

Syntax: redundant {
<ldap server 1 name>
<ldap server 2 name>
}

See Figure 7-5 and Figure 7-6.

authorize {
redundant {
vmsuse
suse
}

Figure 7-5. radiusd.conf File for Multiple LDAP Servers—Authorize Section

authenticate {
Auth-Type LDAP {
redundant {
vmsuse
suse
}
}

Figure 7-6. radiusd.conf File for Multiple LDAP Servers—Authenticate Section
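An added example, not code from the NAC 800 or from FreeRADIUS: this Python parses the brace-delimited syntax that eap.conf and radiusd.conf share and checks the two hand edits this guide describes, the “tls” section of step 6 on page 5-54 (key, certificate and CA files present, a password set whenever the key is encrypted) and the ldap modules and redundant lists above (two modules defined, tls_mode and tls_cacertfile set, every listed name defined). The sample configurations and PEM file contents are constructed; the password placeholder "whatever" is the one shown in Figure 5-21.

```python
from typing import Any, Dict, Iterator, List

def parse_conf(text: str) -> Dict[str, Any]:
    """Parse 'key = value' lines and '{ }' blocks into nested dicts keyed by block header
    ("tls", "ldap vmsuse", "Auth-Type LDAP"); bare names in a block go into its "_items"."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.endswith("{"):
            block: Dict[str, Any] = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value.strip('"')
        else:
            stack[-1].setdefault("_items", []).append(line)
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root

def lint_tls(conf: Dict[str, Any], files: Dict[str, str], raddbdir: str = "/etc/raddb") -> List[str]:
    """Check the eap.conf 'tls' section; `files` maps path -> contents (stand-in for the NAC 800 disk)."""
    tls = conf.get("tls")
    if tls is None:
        return ["no tls section found"]
    problems: List[str] = []
    paths = {k: tls.get(k, "").replace("${raddbdir}", raddbdir)
             for k in ("private_key_file", "certificate_file", "CA_file")}
    for key, path in paths.items():
        if path not in files:
            problems.append(f"{key} refers to missing file {path!r}")
    key_pem = files.get(paths["private_key_file"], "")  # may be the combined cert-srv.pem
    encrypted = "Proc-Type: 4,ENCRYPTED" in key_pem or "BEGIN ENCRYPTED PRIVATE KEY" in key_pem
    if encrypted and tls.get("private_key_password", "") in ("", "whatever"):  # "whatever" is the placeholder
        problems.append("private key is password protected but private_key_password was not set")
    if "BEGIN CERTIFICATE" not in files.get(paths["certificate_file"], ""):
        problems.append("certificate_file does not contain a PEM certificate")
    return problems

def redundant_blocks(section: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield each 'redundant { }' block in a section (authenticate nests it under Auth-Type LDAP)."""
    for name, value in section.items():
        if isinstance(value, dict):
            if name == "redundant":
                yield value
            yield from redundant_blocks(value)

def lint_ldap_redundancy(conf: Dict[str, Any]) -> List[str]:
    """Check the ldap modules and the redundant lists in authorize/authenticate that name them."""
    problems: List[str] = []
    modules = conf.get("modules", {})
    ldap = {name.split()[1]: body for name, body in modules.items() if name.startswith("ldap ")}
    if len(ldap) < 2:
        problems.append("fewer than two ldap modules defined, so no failover is possible")
    for name, body in ldap.items():
        if body.get("tls_mode") != "yes":
            problems.append(f"ldap {name}: tls_mode is not yes; bind credentials would cross the network in clear")
        if not body.get("tls_cacertfile"):
            problems.append(f"ldap {name}: tls_cacertfile not set, so the LDAP server certificate is not validated")
    for section in ("authorize", "authenticate"):
        blocks = list(redundant_blocks(conf.get(section, {})))
        if not blocks:
            problems.append(f"{section}: no redundant block")
        for block in blocks:
            for ref in block.get("_items", []):
                if ref not in ldap:
                    problems.append(f"{section}: redundant lists unknown module {ref!r}")
    return problems

# Constructed eap.conf fragment in the shape of Figure 5-21, with the filenames from step 6.
EAP_CONF = """tls {
    private_key_password = mypassword
    private_key_file = ${raddbdir}/certs/mykey.pem
    certificate_file = ${raddbdir}/certs/mycertificate.pem
    CA_file = ${raddbdir}/certs/demoCA/cacert.pem  # Trusted Root CA list
}
"""
# Constructed stand-in for the files under /etc/raddb/certs; only the PEM markers matter here.
FILES = {"/etc/raddb/certs/mykey.pem": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n(omitted)\n",
         "/etc/raddb/certs/mycertificate.pem": "-----BEGIN CERTIFICATE-----\n(omitted)\n",
         "/etc/raddb/certs/demoCA/cacert.pem": "-----BEGIN CERTIFICATE-----\n(omitted)\n"}
# Constructed radiusd.conf sections modelled on Figures 7-4 to 7-6, with tls_cacertfile added.
LDAP_MODULE = """    ldap {name} {{
        server = "{name}.netidm.net"
        tls_mode = "yes"
        tls_cacertfile = ${{raddbdir}}/certs/ldap-ca.pem
    }}
"""
RADIUSD_CONF = ("modules {\n" + LDAP_MODULE.format(name="vmsuse") + LDAP_MODULE.format(name="suse") + "}\n"
                "authorize {\n    redundant {\n        vmsuse\n        suse\n    }\n}\n"
                "authenticate {\n    Auth-Type LDAP {\n        redundant {\n            vmsuse\n"
                "            suse\n        }\n    }\n}\n")
```

Running `lint_tls(parse_conf(EAP_CONF), FILES)` and `lint_ldap_redundancy(parse_conf(RADIUSD_CONF))` on the samples returns empty lists; a default password left in place with an encrypted key, a mistyped filename, or a server name in a redundant list that has no module is reported before radiusd is restarted.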

Use IDM to Configure the Usernames and Passwords

If you are using IDM to configure the local data store on multiple NACs, you add user accounts to the local database through IDM. As described in Chapter 4: “Configuring the RADIUS Server—Integrated with ProCurve Identity Driven Manager,” you must complete two steps on the IDM server:
1. Modify the NAC 800’s domain and select Enable Local Authentication for ProCurve NAC devices.
2. Add users to the realm.

IDM automatically configures on the NAC 800 any user that you add to the
NAC 800’s realm. You must, however, configure passwords for those users.
(See the ProCurve Identity Driven Management User’s Guide for more
detailed instructions in completing these steps.)

Test Your Redundant Configurations

To ensure that your RADIUS servers, data stores, and pathways are configured
correctly to provide redundancy, you should test them. Of course, it is always
best to test the configuration after work hours when few if any users are
accessing your network.

Shut down one of the RADIUS servers and then attempt to log in to the
network from a workstation attached to a NAS that uses this server as its
primary RADIUS server.

Problems that you encounter may include:
■ Authentication times out—The NAS cannot contact the secondary RADIUS server. Or, the secondary RADIUS server cannot reach a directory server.
■ Authentication fails—The secondary RADIUS server does not have the same database of users as the primary server.

Back Up Your NAC 800 Configuration

To protect your network, you should back up your system whenever you make changes to the configuration. For maximum backup protection, you should store the NAC 800 backup file off-site with the backups from your other network devices. Of course, your off-site storage facility must be secure so that your confidential data and network configuration information is protected.

That way, if your company suffers a disaster such as a fire or hurricane, your
backups are less likely to be affected.

You can then restore your configuration whenever you need the backup file:
■ To load on replacement hardware
■ To restore a working configuration if a new configuration fails

Backing up your system creates a backup file that includes not only configurations but also other information. The file includes:
■ Management Server (MS) database
■ All configurations completed through the Web browser interface—saves all files in the /usr/local/nac/properties directory
■ Digital certificates installed on the MS (or Configuration Server [CS]) and Enforcement Servers (ESs)—saves all files in the /usr/local/nac/keystore directory
■ Licenses—saves all files in the /usr/local/nac/subscription directory

Note You always should back up the system after you install a new certificate or
license so that you do not lose them should you have to restore from the
backup.

The backup files are grouped into a tar file and saved on your management station with the following name:

backup-<year-month-day>T<hour-minute-second>.tar.bz2

The months, days, hours, minutes, and seconds are formatted as two numbers
each, and the time uses the 24-hour clock. For example, a file backed up on
June 23, 2008, at 13:07:22 has the following name:

backup-2008-06-23T13-07-22.tar.bz2
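An added example (not NAC 800 code): parsing the naming convention above in Python lets a restore procedure pick the newest valid backup file from a directory listing and reject names that only look right, such as an impossible month.

```python
"""Validate NAC 800 backup filenames and pick the newest one (added example, not NAC 800 code)."""
import re
from datetime import datetime
from typing import List, Optional

# backup-<year-month-day>T<hour-minute-second>.tar.bz2: two digits per field, 24-hour clock
BACKUP_RE = re.compile(r"^backup-(\d{4}-\d{2}-\d{2})T(\d{2}-\d{2}-\d{2})\.tar\.bz2$")


def backup_timestamp(name: str) -> Optional[datetime]:
    """Return the timestamp encoded in a backup filename, or None if the name is not a NAC 800 backup."""
    match = BACKUP_RE.match(name)
    if match is None:
        return None
    try:
        return datetime.strptime(f"{match.group(1)}T{match.group(2)}", "%Y-%m-%dT%H-%M-%S")
    except ValueError:  # right shape but impossible date or time, e.g. month 13 or hour 25
        return None


def newest_backup(names: List[str]) -> Optional[str]:
    """From a directory listing, return the most recent valid backup file to restore from."""
    candidates = []
    for name in names:
        stamp = backup_timestamp(name)
        if stamp is not None:
            candidates.append((stamp, name))
    return max(candidates)[1] if candidates else None
```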

To back up your NAC 800 configuration, complete the following steps:
1. Select Home > System configuration > Maintenance.

Figure 7-7. Home > System configuration > Maintenance

2. Click begin backup now. A Web browser dialog box is displayed, allowing
you to begin the process of saving the backup file. (If your Web browser
blocks your attempt to save the file, see “Configure the Web Browser So
That It Allows You to Save Files” on page 7-14.) The exact dialog box
displayed varies, depending on which Web browser you are using. Follow
the prompts to save the backup file to the desired location.
If the backup file is saved successfully, a message is displayed, as shown
in Figure 7-8.

Figure 7-8. Successful backup (the status of the backup process is displayed on this screen)

If the configuration was not backed up successfully, an error message is displayed instead.

Configure the Web Browser So That It Allows You to Save Files

Your Web browser security settings might prevent you from saving the backup file to your workstation. To solve this problem on Internet Explorer 6, complete these steps:
1. Select Tools > Internet Options.
2. Select the Security tab.
3. Choose the zone in which your management station places the NAC 800.
If the NAC 800 has an IP address on the same intranet as your station, this
zone is probably Local intranet. Otherwise, the zone is probably Internet.

4. Click the Custom Level button.
5. Find the Downloads section. Enable Automatic prompting for file downloads.
6. Click the OK button.
7. Click Yes to confirm the change.
8. Click the OK button.

Restore the System from the Backup File

You can return your NAC 800 to the settings stored in a backup file. You might
want to do this if a new configuration fails or if you add a replacement NAC
800 MS to your system.

When you restore the system from the backup file, the following changes
occur:
■ The MS (and ESs) use the configuration in the backup file.
■ The MS (and ESs) use the digital certificates stored in the backup file.
■ The MS uses the license stored in the backup file.
Because the backup file holds everything needed to rebuild the system,
including the certificates the MS and ESs present, protect it as carefully as
the NAC 800 itself: restrict who can read it, and confirm that a file is the
one you intend (correct name and timestamp, readable archive) before you
restore from it, since the restore overwrites all existing configuration.

Follow these steps to restore the system from backup:


1. Select Home > System configuration > Maintenance.


Figure 7-9. Home > System configuration > Maintenance

2. Click the restore system from backup file link.


3. Click restore system from backup file. The Restore system screen is displayed,
allowing you to browse for your backup file. This screen also displays a
warning, reminding you that all the existing configurations will be
overwritten by the backup file.


Figure 7-10. Home > System configuration > Maintenance > restore system from backup file

4. If you want to continue the restore process, click the Browse button and
select the backup file. This file must be a NAC 800 backup file, saved with
the following naming convention:
backup-<year-month-day>T<hour-minute-second>.tar.bz2
5. After you have selected the appropriate file, click ok. A progress screen
is displayed.

Figure 7-11. Operation in progress screen

The restore process takes a few minutes.
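The naming convention is the only check the Restore system screen describes, so it is worth validating a candidate file before uploading it. The following script is an added example, not part of this guide or of HP's software; it assumes the backup files were saved to a local directory on the management station. The directory it builds is constructed sample data (the archives contain a placeholder member, not a real NAC 800 configuration). It parses the timestamp out of each name, rejects names that look right but encode an impossible date, checks the bzip2 magic bytes and tar structure rather than trusting the extension, picks the newest file that passes, and records its SHA-256 digest so the same file can be recognized later.

```python
import hashlib
import io
import os
import re
import tarfile
import tempfile
from datetime import datetime

# Naming convention from the guide:
#   backup-<year-month-day>T<hour-minute-second>.tar.bz2
BACKUP_NAME = re.compile(
    r"^backup-(\d{4})-(\d{2})-(\d{2})T(\d{2})-(\d{2})-(\d{2})\.tar\.bz2$"
)


def parse_backup_name(name):
    """Return the timestamp encoded in a NAC 800 backup file name, or None
    if the name does not follow the convention or encodes an invalid date."""
    m = BACKUP_NAME.match(name)
    if not m:
        return None
    year, month, day, hour, minute, second = (int(g) for g in m.groups())
    try:
        return datetime(year, month, day, hour, minute, second)
    except ValueError:  # e.g. month 13: matches the pattern, is not a date
        return None


def is_bzip2_tar(path):
    """Check that the file really is a bzip2-compressed tar archive:
    bzip2 stream magic 'BZh', then a member list that tarfile can read."""
    with open(path, "rb") as f:
        if f.read(3) != b"BZh":
            return False
    try:
        with tarfile.open(path, "r:bz2") as tar:
            tar.getmembers()
        return True
    except (tarfile.TarError, OSError, EOFError):
        return False


def sha256_of(path):
    """Hex SHA-256 of the file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def newest_valid_backup(directory):
    """Pick the most recent file that is both correctly named and a real
    bzip2 tar archive. Returns (path, timestamp, sha256) or None."""
    candidates = []
    for name in os.listdir(directory):
        ts = parse_backup_name(name)
        path = os.path.join(directory, name)
        if ts is not None and os.path.isfile(path) and is_bzip2_tar(path):
            candidates.append((ts, path))
    if not candidates:
        return None
    ts, path = max(candidates)
    return path, ts, sha256_of(path)


def make_sample_dir():
    """Constructed sample data: two real archives and three decoys."""
    d = tempfile.mkdtemp()
    for name, real in [
        ("backup-2008-06-23T13-07-22.tar.bz2", True),   # older, valid
        ("backup-2008-07-01T09-00-00.tar.bz2", True),   # newest valid file
        ("backup-2008-07-02T10-00-00.tar.bz2", False),  # named right, not bz2
        ("backup-2008-13-01T00-00-00.tar.bz2", True),   # real archive, bad date
        ("notes.txt", False),
    ]:
        path = os.path.join(d, name)
        if real:
            with tarfile.open(path, "w:bz2") as tar:
                data = b"hypothetical placeholder, not a NAC 800 config\n"
                info = tarfile.TarInfo("config.txt")
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
        else:
            with open(path, "wb") as f:
                f.write(b"not an archive\n")
    return d


if __name__ == "__main__":
    chosen = newest_valid_backup(make_sample_dir())
    if chosen is None:
        print("no usable backup found")
    else:
        path, ts, digest = chosen
        print(os.path.basename(path), ts.isoformat(), digest)
```

Run it once after each backup and keep the printed digest with your change records; before a restore, recompute the digest of the file you are about to upload and compare.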

Appendix A: Glossary

Numeric
3DES A version of DES, also called “Triple DES” (TDES), in which three encryption
phases are applied. For more information, see NIST Special Publication 800-67 at
http://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdf.

802.1 The standard for managing LANs and MANs. It covers network architecture,
bridging, management, link security, and protocol layers above the MAC and
LLC layers. For more information, see IEEE 802.1 at http://www.ieee802.org/1/.

802.11 The standard for wireless LANs. For more information, see IEEE 802.11 at
http://standards.ieee.org/getieee802/802.11.html.

802.11i Enhanced security standard for 802.11, which supersedes WEP security. For
more information, see the standard at
http://standards.ieee.org/getieee802/download/802.11i-2004.pdf.

802.1X A port-based authentication standard that is part of the 802.1 group of
protocols. 802.1X forces endpoints to authenticate before the switch or AP port
passes their traffic: the port is opened if authentication succeeds and stays
blocked if it fails. When a secure EAP method is used, the credentials
exchanged cannot be read by an eavesdropper who intercepts the messages. The
802.1X framework has three components: the supplicant, which runs on the
endpoint device; the authenticator, which is typically a switch or AP; and the
authentication server, which is usually a RADIUS server. For more information,
see IEEE 802.1X at http://www.ieee802.org/1/pages/802.1x.html.

802.1X deployment method The deployment method that corresponds to the 802.1X
quarantine method. In this deployment method, the NAC 800 is connected to a
switch via both its Ethernet ports. Port 1 receives authentication requests, and
port 2 receives mirrored DHCP traffic. See also DHCP deployment method and
inline deployment method.


802.1X quarantine method One of the NAC 800’s three methods for quarantining
endpoints that fail to comply with the NAC policy. This method draws on the
authentication and authorization component of 802.1X, assigning end-users to a
VLAN based not just on identity but also on endpoint integrity posture. The
NAC 800 can enforce 802.1X quarantining by working with an existing RADIUS
server or by acting as a RADIUS server itself. See also inline quarantine
method and DHCP quarantine method.

802.1X device The authenticator in the 802.1X framework, which forwards authentication
requests from endpoints to the NAC 800 that is acting as a RADIUS server. When
enforcing endpoint integrity, the NAC 800 sends a VLAN assignment for an
endpoint to the 802.1X device based on the endpoint’s integrity posture; the
802.1X device enforces the assignment.

A
AAA Authentication, Authorization, and Accounting. Processes that are used to
control network access and enforce security policies. For more information
about AAA, see RFC 2989 at http://www.ietf.org/rfc/rfc2989.txt. See also
authentication, authorization, and accounting.

access control The ability to determine which endpoints can access the network and the level
of access they receive. Access can be controlled based on an endpoint’s
compliance with network standards, for example, or on other configurable
settings.

access control status The label that the NAC 800 gives to an endpoint to define
its ability to access the network. An access control status is further
qualified by the rule that produced it.

access grace period The period of time between an endpoint failing a test and
the endpoint being quarantined. The network administrator sets the access grace
period for a particular test when configuring the test failure actions for that
test in a NAC policy.

access method The way in which an endpoint connects to the network. Options include VPN,
dial-up, wireless, or Ethernet.


access mode An option that controls whether NAC 800s in a particular enforcement cluster
quarantine endpoints or allow them access to the network. Three settings are
possible: normal, allow all, or quarantine all. Normal grants access to all end-
points that pass the NAC tests, allow all permits access to all endpoints
regardless of test results, and quarantine all isolates all endpoints regardless
of test results.

access point See AP.

accessible services Those services that are made available to quarantined endpoints so that they
can perform remediation. Services include access to Web sites with service
patch downloads or plug-ins. The network administrator can configure which
services are available to quarantined endpoints.

accounting The process of collecting information about how resources are used. The
collected information can then be used for trend analysis, billing, auditing, or
regulatory compliance. The NAC 800 can provide RADIUS accounting services.

ACL Access Control List. A set of rules that network edge devices such as routers,
switches, and wireless APs use to control access to network resources and to
identify packets that require special handling such as QoS or NAT. An ACL can
be configured to select packets according to values in their headers, such as
IP protocol, source and destination IP address, and source and destination
TCP or UDP ports.

Active Directory See AD.

ActiveX A Microsoft technology that enables interactive Web content. An endpoint
must accept ActiveX content from the NAC 800 to be tested via the ActiveX
plug-in. For more information, see the Microsoft Developer Center library at
http://msdn2.microsoft.com/en-us/library/aa751968.aspx.

ActiveX test method An endpoint integrity-testing method that relies on the
ActiveX control operation of signed and safe controls. The NAC 800 uses ActiveX
to download a temporary agent to the endpoint. All versions of the Windows
operating system are supported, and no ports on an endpoint’s personal Windows
firewall need to be opened. As long as the firewall allows Internet Explorer
access and Internet Explorer settings allow ActiveX, the endpoint can be
tested. However, non-Internet Explorer browsers are not supported, and the
endpoints cannot be retested after end-users close their browsers.

Active Scripting The technology used to implement component-based scripting support, for-
merly known as “ActiveX Scripting.”

AD Active Directory. An LDAP-based directory service created by Microsoft that
is included with all Microsoft network servers.


AEA Adaptive EDGE Architecture™. A networking model developed by ProCurve
that pushes decision-making and intelligence to the “edge” of the network,
closer to the user, while providing control from the center. The NAC 800 and
IDM provide control from the center. For more information on AEA, see the
white paper at http://www.hp.com/rnd/pdfs/EDGEarchitecture_white_paper.pdf.

agent See NAC EI agent.

agent testing method An endpoint integrity-testing method that employs the NAC
EI agent, which is installed once onto the endpoint and periodically updated.
This method is supported by Windows OS versions 98 and later and by Mac OS X
10.3.7 and later. The agent can be used through a firewall. See also NAC EI
agent.

agentless test method A testing method that does not require that an agent be
installed on the endpoint. Using the Windows RPC service, agentless testing
allows the NAC 800 to begin testing, provide test results, and grant access to
compliant endpoints without any interaction from the user. Of the three testing
methods, agentless testing is the easiest to deploy, requiring less
administrative effort and no memory on the endpoint. However, you cannot use
this test method with legacy Windows operating systems (Windows 95, ME, and
earlier) or non-Windows endpoints. Agentless testing requires that file and
print sharing be enabled on the endpoint, that ports 137, 138, 139, and 445 be
open on the endpoint’s firewall, that the endpoint’s browser security settings
allow JavaScript, and that administrator credentials for the endpoint be known
to the NAC 800. Because those credentials grant administrative access to every
endpoint tested this way, protect them as you would any domain administrator
account.

allow all An access mode that permits all endpoints to access the network regardless of
test results.

AP Access Point. A network component that receives and sends wireless LAN
signals to wireless network cards through its antenna(s). In the 802.1X
framework an AP plays the same role as a switch: it is the authenticator.

asymmetric A type of encryption algorithm wherein one key is used to encrypt and a
different key is used to decrypt.

authentication The process of confirming an endpoint’s or an end-user’s identity
before granting a network connection. Authentication can be implemented through
the use of passwords, keys, or digital certificates. A RADIUS or TACACS+ server
can handle authentication for the entire network.

authentication protocols Protocols that allow the peers in a connection to
verify each other’s identity. In the PPP protocol suite, authentication
protocols include PAP, CHAP, and EAP.


authentication server A server whose function it is to authenticate end-users
and endpoints. In the 802.1X framework, the component that decides whether to
grant an end-user access.

authenticator The component of the 802.1X framework that enforces authentication
and authorization. When an endpoint connects to the authenticator, the
authenticator forces it to authenticate to the network. The authenticator passes
the endpoint’s supplicant messages to the authentication server and enforces the
decisions made by that server. These decisions include whether the endpoint is
allowed any access at all as well as the level of access. Also called the 802.1X
device (in the NAC 800 Web browser interface) and NAS (in the RADIUS protocol).
See also 802.1X device and NAS.

authorization The process of controlling the network resources and services that an end-
user can access, usually based on the end-user’s identity; with the NAC 800,
authorization is also based on endpoint integrity. A RADIUS or TACACS+ server
or a NAC 800 can act as an authorization server. Authorization is sometimes
called “access control” although access control is properly broader than
authorization alone.

authorization server A device that makes authorization decisions that are
enforced by other infrastructure devices.

B
back door A disguised or hidden entry point in a software program or system that allows
end-users to circumvent normal authentication or controls. An open back door
can be intentional (for maintenance use) or unintentional. If a back door is
discovered by malicious users or software, they may gain entry to a system
and cause damage.

C
CA Certificate Authority. A trusted third party that verifies the identity of
parties that want to communicate with one another. CAs are responsible for
generating, distributing, and revoking digital authentication certificates,
which uniquely identify the owner of the certificate and the owner’s data. See
also certificate.


certificate An electronic document that contains a public key and is digitally signed by a
third-party issuer such as a CA. Digital certificates are used for network
authentication. They contain the certificate holder’s name or other identifying
information, a serial number, the expiration date, and a copy of the certificate
holder’s public key, which validates data signed by the corresponding private
key.

certificate authority See CA.

Challenge Handshake Authentication Protocol See CHAP.

CHAP Challenge Handshake Authentication Protocol. An authentication protocol
that is supported by PPP and also incorporated in RADIUS. With CHAP, the
authenticator sends the client a random “challenge” value. The client creates a
hash value from its pre-shared password and the challenge and returns it. The
authenticator creates a hash value from the same password and challenge and
compares the two. If they match, authentication succeeds and the link is
established. Because the authenticator must recompute the hash, it needs the
client’s cleartext password (or an equivalent). For more information, see RFC
1994 at http://www.ietf.org/rfc/rfc1994.txt; the Microsoft variant is described
in RFC 2759.
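As an added illustration (example code written for this glossary entry, not taken from the guide or from any HP product), the following Python script walks through the CHAP exchange just described, using the response computation from RFC 1994: MD5 over the one-octet Identifier, the secret, and the challenge. Both sides are shown: the authenticator issues a challenge, the client answers, and the authenticator recomputes and compares. The user name, secret and challenge values are constructed samples. Three properties are demonstrated: a wrong secret fails, a captured response replayed against a later challenge fails, and the authenticator has to hold the cleartext secret to verify at all, which is why a CHAP data store cannot consist only of salted password hashes.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994, section 4.1: Response = MD5(Identifier || secret || Challenge).
    identifier is the one-octet CHAP Identifier; secret and challenge are bytes."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Server side. Holds the cleartext secret per user (CHAP needs it to
    recompute the hash) and one outstanding challenge per Identifier."""

    def __init__(self, secrets):
        self.secrets = secrets   # {username: secret bytes}
        self.pending = {}        # {identifier: challenge still awaiting a reply}
        self.next_id = 0

    def challenge(self, value=None):
        """Issue a Challenge packet as (identifier, challenge value). A random
        16-byte value is used unless a constructed one is supplied."""
        self.next_id = (self.next_id + 1) & 0xFF
        challenge = os.urandom(16) if value is None else value
        self.pending[self.next_id] = challenge
        return self.next_id, challenge

    def verify(self, identifier, username, response):
        """Check a Response packet. The challenge is consumed whether or not
        the check passes, so a response cannot be reused."""
        challenge = self.pending.pop(identifier, None)
        secret = self.secrets.get(username)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare


class Client:
    """Peer side: knows its own secret and answers whatever challenge arrives."""

    def __init__(self, username, secret):
        self.username = username
        self.secret = secret

    def respond(self, identifier, challenge):
        return self.username, chap_response(identifier, self.secret, challenge)


def run_exchange(server_secret, client_secret, replay=False):
    """Drive one full exchange and return the authenticator's decision.
    With replay=True the response to the first challenge is re-sent against a
    second challenge, as an attacker who captured it on the wire would try."""
    auth = Authenticator({"alice": server_secret})      # "alice" is a sample user
    client = Client("alice", client_secret)
    ident, chal = auth.challenge()
    user, resp = client.respond(ident, chal)
    if not replay:
        return auth.verify(ident, user, resp)
    auth.verify(ident, user, resp)          # first exchange completes normally
    ident2, _ = auth.challenge()            # new Identifier, new random challenge
    return auth.verify(ident2, user, resp)  # stale response: hash will not match


if __name__ == "__main__":
    secret = b"constructed-sample-secret"   # sample value, not a real credential
    print("correct secret :", run_exchange(secret, secret))        # True
    print("wrong secret   :", run_exchange(secret, b"wrong"))      # False
    print("replayed reply :", run_exchange(secret, secret, True))  # False
```

Note what the script does not protect against: anyone who captures the challenge and response can test candidate passwords offline at MD5 speed, so CHAP over an unencrypted link still depends on strong passwords. Running the exchange inside a TLS tunnel (as EAP-TTLS does) removes that exposure.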

CIDR Classless Inter-Domain Routing. A method of interpreting IP addresses that
allows for blocks of addresses to appear in a single routing table entry. For
more information, see RFC 1518 at http://tools.ietf.org/html/rfc1518.

cluster See enforcement cluster.

combination server See CS.

cookie A small bit of data that acts as an identifier between a Web browser and a Web
server. Web servers install cookies on clients so that when the client visits the
Web site again, the server “remembers” the client.

credentials A username and its corresponding password.

CS Combination Server. A NAC 800 that functions as both an ES and an MS and
acts as a stand-alone device.

CSR Certificate Signing Request. In PKI systems, a request for a digital certificate
that is sent to a CA by an applicant.


D
Data Encryption Standard See DES.

data store The location where an endpoint’s credentials are stored. Possible data stores
include a local database of users, a Windows domain controller that runs AD,
an LDAP server such as OpenLDAP or Novell eDirectory, or another RADIUS
server (accessed via proxy requests).

deployment method Sometimes called “deployment option,” the way in which the
NAC 800 is connected to the LAN relative to other components such as routers,
switches, DHCP servers, and the Internet. The deployment method is determined by
the quarantine method and the access method that the network will employ. The
NAC 800 supports three deployment methods: 802.1X deployment, inline deployment,
and DHCP deployment.

DER Distinguished Encoding Rules. A method for encoding data objects. For more
information, see ITU-T X.690 at
http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf.

DES Data Encryption Standard. A published encryption algorithm that uses a
56-bit symmetric key to encrypt data in 64-bit blocks. The 56-bit key is short
enough to be found by brute force, so single DES is no longer considered secure;
IPsec, the industry standard for VPNs, supports 3DES instead. For more
information, see FIPS PUB 46-3 at
http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf.

DHCP Dynamic Host Configuration Protocol. A protocol that allows network
administrators to set up a server to manage IP addresses, automatically
assigning IP addresses to devices on the network. DHCP simplifies IP
management, eliminating the need to manually assign IP addresses to devices and
then track those addresses. For more information, see RFC 2131 at
http://www.ietf.org/rfc/rfc2131.txt.

DHCP deployment method A deployment method for networks that are not 802.1X
compatible. In this method, the NAC 800 is placed between a switch and a DHCP
server and intercepts DHCP requests from non-tested or non-compliant endpoints.
See also DHCP quarantine method.

DHCP enforcement An option to configure when employing the DHCP quarantine
method. The NAC 800 can either examine, and possibly intercept, all DHCP
requests or only those requests forwarded by devices in subnets associated with
quarantine areas.


DHCP quarantine option An option that determines how endpoints in the
quarantine subnet are controlled when employing the DHCP quarantine method.
Options are static routes and router ACLs.

DHCP quarantine method A quarantine method that gives non-compliant endpoints
an IP address in a quarantine subnet, where they have access only to
remediation services.

digital certificate See certificate.

distinguished name See DN.

DN Distinguished Name. In LDAP, a unique identifier for each object in a domain,
such as servers, printers, and end-user accounts.

DNS Domain Name System (often expanded as Domain Name Server). The service that
associates Internet domain names (such as www.abccompany.com) with their
corresponding IP addresses.

domain In LDAP, a logical grouping of devices that allows the network administrator
to manage all of the objects in a domain at the same time, e.g., to control who
has access to the objects in the domain.

domain controller A Microsoft Windows server that controls activities such as end-user access
in a domain.

domain name server See DNS.

DSA Digital Signature Algorithm. A standard for digital signatures that is part
of the DSS. For more information, see FIPS PUB 186-2 at
http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf.

DSS Digital Signature Standard. A method for key generation, signing, and
verifying. For more information, see FIPS PUB 186-2 at
http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf.

Dynamic Host Configuration Protocol See DHCP.

E
EAP Extensible Authentication Protocol. A framework that allows PPP (and, via
802.1X, Ethernet and wireless links) to carry authentication methods that are
not part of the PPP suite. For more information, see RFC 3748 at
http://www.ietf.org/rfc/rfc3748.txt. See also CHAP and PAP.


EAP-GTC EAP with Generic Token Card. An implementation of EAP that uses a token
card for authentication. For more information, see RFC 3748 at
http://tools.ietf.org/html/rfc3748.

EAP-TLS EAP with Transport Layer Security (TLS). An implementation of EAP that
provides mutual certificate authentication between client and server. For more
information, see RFC 2716 at http://tools.ietf.org/html/rfc2716.

EAP-TTLS EAP with Tunneled TLS. An implementation of EAP in which the server
authenticates with a certificate, but the client authenticates (usually with a
password) using a different protocol sent over a secure tunnel. For more
information, see the Internet Draft at
http://www3.ietf.org/proceedings/02jul/I-D/draft-ietf-pppext-eap-ttls-01.txt.

eDirectory A hierarchical, LDAP-based system from Novell that can interoperate with
NetWare, AIX, HP-UX, Solaris, Windows, and Linux-based network servers.

EI See Endpoint Integrity.

endpoint A device that connects to a network, such as a desktop computer, a
laptop computer, or a server.

endpoint integrity The functionality that examines all endpoints that attempt to attach to the
network and prohibits unsafe or non-compliant endpoints from gaining
access. Endpoint integrity ensures that an endpoint that attaches to the edge
of the network is clean and meets configured criteria (for example, antivirus
program present and running with current signatures) before allowing it to
access network resources.

endpoint integrity agent license A license that permits the use of the NAC EI
agent on endpoints. The licenses apply to the number of endpoints, identified by
MAC address. For example, if an end-user is connected to the network with a
desktop computer via Ethernet and a laptop via the wireless LAN, two licenses
are required. Also, if a site has 100 licenses, more than 100 devices can have
the NAC EI agent installed on them, but only 100 of those endpoints can be
connected to the network at one time.

endpoint integrity agent maintenance license A license to receive automatic
updates to the NAC EI Agent software. When you initially purchase an agent
license, you also receive a one-year maintenance license. You must purchase a
license each year in one of the following increments: 100, 250, 1000, or 5000
endpoints.

endpoint integrity implementation startup service A service offered by ProCurve
Networking to help customers implement the NAC 800. You can purchase either the
inline/DHCP service or the 802.1X service.


end-user screen NAC 800 message windows that appear on the end-user’s monitor; they show
information such as the endpoint’s test status and remediation steps, permitting
the user to download an agent, cancel testing, and get more information about
why a test failed.

enforcement cluster A logical group of one or more ESs that are controlled by an
MS. Each cluster can support only one deployment method, but an MS can control
multiple ESs, each supporting a different deployment method.

enforcement server See ES.

ES Enforcement Server. In a multiple-NAC 800 installation, the ES applies the
NAC policies that are defined on the MS and enforces quarantining.

Ethernet ports On the NAC 800, port 1 connects to the LAN and provides inband
management. The use of port 2 varies, depending on the deployment method. For
the inline deployment method, port 2 might connect to a VPN or RAS. For the DHCP
deployment method, port 2 connects to a DHCP server. For the 802.1X deployment
method, port 2 connects to a port configured to mirror the DHCP server
connection.

exception A rule that exempts a particular endpoint or group of endpoints from testing.
You can specify that the excepted endpoints be either always or never granted
access.

Extensible Authentication Protocol See EAP.

F
FQDN Fully Qualified Domain Name. In LDAP, an unambiguous, unique name for
an object that shows all of the domains to which the object belongs.

G
GTC See EAP-GTC.


H
hash A fixed-length value produced by running data through a hash algorithm. The
hash is substantially smaller than the data itself and, for a sound algorithm,
effectively unique: it is computationally infeasible to find two different
inputs that produce the same hash value. A hash is also one-way: the original
data cannot be recovered from the hash, which is why hashing is not a form of
encryption.

high availability Enforcement clusters are designed to provide high availability.
The ESs in the cluster load balance the testing of endpoints among themselves.
In addition, if one or more ESs become unavailable, the remaining ESs in the
cluster take over, providing the services that the unavailable ES was providing.

I
IAS Internet Authentication Service. IAS is the Microsoft implementation of a
RADIUS server.

IDM Identity Driven Manager. This ProCurve Networking application provides
management of user-based profiles (including ACLs, QoS settings, and rate
limits). IDM assigns various profiles to end-users based on their identity
(community), access time, access location, and endpoint integrity posture.

IDS Intrusion Detection System. A device or software that is used to detect
malware or unauthorized attempts to enter the network, usually from the
Internet but also from internal devices, that most firewalls are unable to
detect.

IE Microsoft’s Internet Explorer browser.

IKE Internet Key Exchange. A protocol that is used to set up an SA in the IPsec
protocol suite.

inline deployment method The NAC 800 is placed between a “choke point” and the
rest of the network such that all traffic to be quarantined passes through the
NAC 800. See also inline quarantine method.

inline quarantine method A quarantine method that relies on the NAC 800’s
placement in the network. The NAC 800 functions as a Layer 2 bridge that imposes
a firewall between its Ethernet port 1 and port 2. Only traffic from endpoints
whose integrity posture is “Healthy” or “Check-Up” can pass through the NAC 800.


integrity posture The state of an endpoint in terms of its compliance with NAC policies. The
integrity posture is used to determine an endpoint’s access control state along
with other factors such as an exception, access grace period, and access mode.
See Appendix C, “Integrity Postures.”

IPsec Internet Protocol security. A suite of protocols that are used to
establish a VPN tunnel between devices that communicate over the Internet and
thus protect their data. For more information, see the IPsec Working Group home
page at http://www.ietf.org/html.charters/OLD/ipsec-charter.html.

J
JavaScript® A scripting language that is used mostly in client-side Web
applications. It is not related to the Java programming language. The term is a
registered trademark of Sun Microsystems. For more information, see the Mozilla
Development Center at http://developer.mozilla.org/en/docs/JavaScript.

K
key In cryptography, a unique value or string that is combined with data when
the data is run through an encryption algorithm or a keyed hash algorithm. To
decrypt the data, a device must apply the correct key to the encrypted data.
The length of a key largely determines how difficult it is to recover the data
without the key. Keys can be either symmetric or asymmetric.

keyname A user-defined name for a keypair that is generated by a CA.

keypair The set of two keys that are used in asymmetric encryption. A keypair consists
of a public key and private key. The public key decrypts data encrypted by the
private key and vice versa.

L
L2TP Layer 2 Tunneling Protocol. A protocol that is used in VPNs. For more
information, see RFC 2661 at http://tools.ietf.org/html/rfc2661.

LCD Liquid Crystal Display. On the NAC 800, a display that is located on the front
panel of the chassis and that shows both information about the device and
error messages. The LCD also displays a menu interface; you can use the panel
buttons to configure basic settings—such as IP address and gateway—for the
device.


LDAP Lightweight Directory Access Protocol. A set of protocols that allow a host to
look up and access directory services. For more information, see RFC 2251 at
http://www.ietf.org/rfc/rfc2251.txt.

LEAP Lightweight EAP. A wireless LAN authentication protocol developed by Cisco
Systems. Its challenge-response exchange is open to offline dictionary attacks
once captured, and it is not recommended for use with the NAC 800.

license See endpoint integrity agent license and endpoint integrity agent
maintenance license.

lightweight directory access protocol See LDAP.

load balancing Distribution of integrity checking among two or more devices. The NAC 800
distributes the testing of endpoints across all ESs in a cluster. The NAC 800
uses a hashing algorithm based on MAC or IP addresses to distribute the
endpoints between the ESs.

local mirroring Copying all traffic transmitted on one port (the monitored port) to another
port on the same device (the mirror port).

log level A category into which error messages are recorded, depending on their
severity. Log levels are, from most to least severe: error, warn, info, debug,
and trace. The default level for messages logged on the NAC 800 is debug.

M
MAC-auth MAC Authentication. Authentication that is based on the endpoint’s MAC
address rather than on the user’s credentials. MAC-auth does not require
endpoint configuration or end-user interaction; instead, the authenticator
handles sending the MAC address to the authentication server to be checked
against black lists and white lists.

maintenance license See endpoint integrity agent maintenance license.

malware Software designed to infiltrate or damage a computer system. The term
encompasses computer viruses, worms, Trojans, spyware, and adware. In law,
malware is sometimes known as a computer contaminant.

managed endpoint A network device that is forced to comply with the company’s security policies
and is under administrative control.


management server See MS.

MD5 Message-Digest algorithm 5. A one-way hash function that transforms and
condenses data into a fixed-length string called a message digest. A variety of
protocols use MD5 to check a message’s data integrity and, combined with a
shared secret, to authenticate the sender. Some protocols, such as CHAP and
EAP-MD5, use it so that a password is never sent in plaintext: the client sends
a hash computed over the password and a challenge instead. Practical collision
attacks against MD5 have been published, so it should not be relied on for
digital signatures or certificate signing. For more information, see RFC 1321
at http://tools.ietf.org/html/rfc1321.

MIB Management Information Base. A set of network objects that can be managed
with SNMP. For more information, see RFC 3418 at
http://www.ietf.org/rfc/rfc3418.txt.

mirroring, local See local mirroring.

mirroring, remote See remote mirroring.

MS Management Server. When using a NAC 800 in a multiple-server installation,
the server that is used for managing and controlling the ESs.

MS-CHAP Microsoft CHAP. The Microsoft implementation of CHAP. For more informa-
tion, see RFC 2759 at http://tools.ietf.org/html/rfc2759.

N
NAC Network Access Controller. The generic term for any device that controls
network access, particularly based on compliance with network policies
(endpoint integrity).

NAC EI agent A ProCurve-developed agent that is installed permanently on an
endpoint to enable testing. This agent runs as a new Windows service.

NAC agent test method Also called “agent test method,” a test method that
requires a one-time interaction from end-users and minimal memory on the
endpoint (about 0.8 MB). After end-users download and install the NAC EI agent,
the endpoint is always available for retesting, and the agent is automatically
updated when a new version of the agent is available. All versions of Windows
are supported by this testing method.


NAC policy A collection of tests that evaluate the security status of endpoints
that attempt to access the network. A policy includes a list of activated tests,
their properties, and actions, as well as a list of endpoints to which the
policy applies. In addition, the policy defines how to handle endpoints that run
OSs that the NAC 800 does not support, retest frequency, and how to handle
inactive endpoints. Three default NAC policies are provided: high, medium, and
low. You can also define your own policies.

NAC policy group A logical set of NAC policies that applies to one or more enforcement clusters.
Each cluster uses only one NAC policy group.

NAC test actions The procedures that the NAC 800 performs when an endpoint fails the test. The
failure actions can be: send a notification email to the network administrator,
quarantine the endpoint, or grant temporary access before quarantining.

NAC test properties The criteria that an endpoint must meet to pass a particular
test. For example, the NAC 800 can test for the presence of certain prohibited
applications. If the endpoint has one of the prohibited applications, the
endpoint fails the test. The NAC test properties for that test are the list of
prohibited software.

NAC tests Used to determine if an endpoint complies with your company’s network
policies. Test categories are Windows security settings, security settings on
other OSs, Windows software, Windows operating system, and Windows
browser security policies.

NAS Network Access Server. A server that provides endpoints access and that
enforces the decisions of AAA servers, thereby guarding access to the Internet,
printers, phone networks, or other protected resources. While a NAS does not
contain information about which endpoints and end-users can connect, it does
send an end-user’s credentials to the AAA server, which processes them and
directs the NAS how to proceed.

NAT Network Address Translation. A method of reusing IP addresses wherein
endpoints inside the network have IP addresses that are different from those
that are presented to the Internet. For more information, see RFC 3022 at
http://tools.ietf.org/html/rfc3022.

network access control A security implementation that attempts to control access to a network by
enforcing security policies, restricting prohibited traffic types, identifying and
containing end-users that break rules or are noncompliant with policies, and
stopping and mitigating security threats.

network access server See NAS.

normal An access mode that mandates that endpoints’ network access be subject to
the results of endpoint integrity testing. See also quarantine.

NTLM NT LAN Manager. A Microsoft authentication protocol that is used with SMB.

NTP Network Time Protocol. A protocol to synchronize a computer or server’s
internal clock with Coordinated Universal Time (UTC). For more information,
see the NTP status pages at http://tools.ietf.org/wg/ntp.

O
OAM Operations, Administration, Maintenance. A term used to describe the
activities that are involved with system operation, administration, and
maintenance.

OID Object IDentifier. Used in LDAP schemas and in X.509 certificates to name
object classes and their attributes.

OpenLDAP A free, open-source version of LDAP that is platform-independent. For more
information, see the official Web site at http://www.openldap.org.

P
P2P Peer-to-Peer. A P2P network is comprised of peer nodes rather than clients
and servers. P2P software allows end-users to connect directly to other end-
users and is used for file sharing. Many P2P software packages are considered
spyware, and their use can be discouraged or even prohibited by corporate
policies.

PAP Password Authentication Protocol. A protocol used to authenticate a client
to a remote server or an Internet service provider. PAP transmits usernames
and passwords in unencrypted plaintext, making it insecure. For more
information, see RFC 1334 at http://www.ietf.org/rfc/rfc1334.txt.

PCM ProCurve Manager. ProCurve’s SNMP solution.

PEAP Protected EAP. A transport mechanism developed to provide much of the
security of EAP-TLS without forcing endpoints to use digital certificates, thereby
drastically cutting the work to implement the protocol. PEAP requires only a
server-side PKI certificate to create a secure TLS tunnel to protect end-user
authentication.

peer-to-peer See P2P.

PEM Privacy Enhanced Mail. An IETF proposal to secure emails with public keys.
PEM depends on prior distribution of a hierarchical PKI with a single root. For
more information, see RFCs 1421–1424 at http://www.ietf.org/rfc.html.

permanent agent An agent that is installed on an endpoint and that is not removed. The NAC EI
agent is a permanent agent. See also transient agent.

PKI Public Key Infrastructure. A system of digital certificates, CAs, and other
registration authorities that verify and authenticate each party in an Internet
transaction. PKI enables devices to privately exchange data using a public
infrastructure such as the Internet by managing keys and certificates. From a
trusted CA, an end-user obtains a certificate, which includes the user’s
identification information, a public key, and the CA’s signature. The end-user also
obtains the corresponding private key. The user authenticates with the
certificate. In addition, devices can encrypt messages destined to the user with the
user’s public key, which the user’s endpoint then decrypts with the private key.
See also DSS.

post-connect testing NAC tests that are run on endpoints after they have already connected
successfully to the network. The network administrator configures the length
of the retest frequency. If a device has become infected or no longer complies
with an organization’s security policies, the NAC 800 quarantines it.

posture See integrity posture.

PPP Point-to-Point Protocol. A layer-2 protocol that connects a device such as a
personal computer to a server through a phone line. PPP uses a serial interface
and is sometimes considered part of the TCP/IP protocol suite. For more
information, see RFC 1661 at http://tools.ietf.org/html/rfc1661.

pre-connect testing Testing performed before an endpoint is granted access to the network. Only
endpoints that comply with an organization’s security policies are allowed
onto the network. Endpoints that do not comply are quarantined.

preshared key A preshared key is an alphanumeric character string agreed upon by two
parties in advance. In IKE negotiations, peers can exchange a preshared key
that is between 8 and 255 characters long to authenticate each other before
opening the IKE SA.

private key One of a pair of keys that is generated from a single, large random number.
The private key is kept secret, not distributed, and is used to decrypt a message
that was encrypted using the public key. If used to encrypt a message, it “signs”
that message as originating from the private key’s owner.

protected services Services that run on any servers that are connected to the eth1 port. Such
services could include directory services, DNS, DHCP, NTP, file servers, and
print servers.

PSCP PuTTY with SCP.

public key One of a pair of keys that is generated from a single, large random number.
The public key is distributed widely and is used to encrypt a message that can
be decrypted using only the private key. The public key also verifies data signed
by the private key.

public key infrastructure See PKI.

PuTTY A terminal emulation program that combines Telnet and SSH for Win32 and
Unix platforms. For more information, see
http://www.chiark.greenend.org.uk/~sgtatham/putty.

Q
quarantine The isolation of endpoints or systems to prevent potential infection of other
endpoints or systems. The NAC 800 determines whether to quarantine an
endpoint by applying the following policies in this order: access mode,
temporarily quarantine/grant access setting, exceptions, NAC policies (the results of
tests in the policy).

quarantine all An access mode that mandates that all endpoints be quarantined regardless of
test results.

quarantine area See quarantine subnet.

quarantine method The way in which non-compliant endpoints are quarantined. The NAC 800
supports three methods: 802.1X quarantine method, inline quarantine method,
and DHCP quarantine method. The quarantine method must be the same as the
deployment method.

quarantine subnet A tightly controlled subnet that is isolated from the rest of the network.
Quarantined endpoints are assigned to this subnet where the endpoints cannot
access network resources except those that are defined by the network
administrator.

QoS Quality of Service. A service provided by some network protocols such that
the network prioritizes traffic or guarantees a particular level of performance
to a type of data flow.

R
RADIUS Remote Authentication Dial-In User Service. An AAA protocol that allows a
server to store all of the security information for a network in a single, central
database. The server stores and manages end-user information so that it can
authenticate the end-users. The server also maps end-users to the services that
they are allowed to access. For more information, see RFC 2865 at
http://www.ietf.org/rfc/rfc2865.txt.

RADIUS server A common type of AAA server. The RADIUS server authenticates end-users,
using protocols such as PAP, CHAP, and EAP. If the end-user passes
authentication, the server authorizes access to the network based on policies such as
valid access times. The server can also authorize the end-user for a specific
level of access by sending dynamic settings for the NAS to enforce. As an
accounting server, the RADIUS server can also be notified when a session
starts and stops.

RAS Remote Access Server. A server that is dedicated to handling end-users that
are not on a LAN but need remote access to it. The RAS allows end-users to
gain access to files and print services on the LAN from a remote location.

RC5 Rivest Cipher 5. A symmetric encryption algorithm supported by IPSec. RC5
is a block cipher with variable key length up to 2040 bits. For more information,
see “The RC5 Encryption Algorithm” at
http://people.csail.mit.edu/rivest/Rivest-rc5rev.pdf.

remediation The process by which a non-compliant endpoint is made compliant. For
example, if a Windows service pack is missing on an endpoint, the end-user
must install the service pack before being allowed network access. In this
case, an end-user screen gives the end-user instructions for running Windows
Update.

remote access server See RAS.

remote mirroring Technology that enables you to send mirrored traffic from network devices to
a remote analyzer using the network infrastructure rather than a dedicated
line.

remote procedure call See RPC.

retest frequency The interval between post-connect tests, which is determined by the network
administrator.

RMON Remote MONitoring. A standard that allows administrators to monitor and
manage network equipment from a remote location. RMON enables various
network monitors and console systems to exchange network monitoring data
using SNMP and MIBs. For more information, see RFC 2819 at
http://tools.ietf.org/html/rfc2819.

RPC Remote Procedure Call. A procedure where arguments or parameters are sent
to a program on a remote system. The remote program executes and returns
the results. RPC can be used as an alternative to an agent for testing.

RSA Rivest-Shamir-Adleman. A public-key encryption technology developed by
RSA Data Security, Inc. The RSA algorithm is based on the fact that there is
no efficient way to factor very large numbers. Deducing an RSA key, therefore,
requires an extraordinary amount of computer processing power and time.
RSA supports keys between 1024 and 2048 bits long. RSA keys can be used
for signing digital certificates. For more information, see the RSA
Cryptography Standard at http://www.rsa.com/rsalabs/node.asp?id=2125.

RSTP Rapid Spanning Tree Protocol. An evolution of STP that provides for faster
spanning-tree convergence after a topology change. RSTP prevents broadcast
storms (unintentional DoS attacks) that arise from redundant network links
in an OSI Layer 2 switched network. For more information, see IEEE 802.1D-2004
at http://standards.ieee.org/getieee802/download/802.1D-2004.pdf.

S
SA Security Association. Secure communication between two network devices
that is created from shared security information. SA is used in IKE. For more
information, see RFC 4306 at http://tools.ietf.org/html/rfc4306.

SCP Secure Copy Protocol. Encrypts data packets over an SSH connection.

SFTP Secure File Transfer Protocol. Supersedes SCP in many applications. For
more information on SFTP, see the Internet Draft at
http://tools.ietf.org/html/draft-ietf-secsh-filexfer-13.

shared secret Any authentication information such as a password that is “known” by two or
more network devices. The shared secret is identical on both devices.

signature-based detection Attack detection that compares audit data with known attack signatures
stored in a signature database. Signature-based IDSs recognize and interpret
series of packets consistent with past intrusions as new attacks.

SMB Server Message Block. An application-layer network protocol that provides
shared access to files, printers, serial ports, and miscellaneous
communications between nodes on a network.

SNMP Simple Network Management Protocol. An application-layer protocol that
supports the exchange of management information between network devices.
An SNMP network consists of agents, managed devices, and
network-management systems. Hierarchically organized information about network devices is
stored in and accessed from a MIB. The NAC 800 supports SNMPv2, which
controls access based on community. For example, a server that knows the
NAC 800’s read-only community name can read the NAC 800’s management
information. For more information, see RFC 1157 at
http://www.ietf.org/rfc/rfc1157.txt.

spyware A broad category of malicious software designed to intercept or take partial
control of a computer’s operation without the informed consent of that
machine’s owner or legitimate user. While the term literally suggests software
that surreptitiously monitors the user’s actions, it has come to refer more
broadly to software that subverts the computer’s operation for the benefit of
a third party.

SSH Secure SHell. A program/network protocol that allows an end-user to log on
to another computer over a network, execute commands in the remote
machine’s OS, and move files from one machine to another. SSH provides
strong authentication. It secures communications over insecure channels and
can be used when tunneling. For more information, see the Internet Draft at
http://www.free.lp.se/fish/rfc.txt.

SSID Service Set IDentifier. A user-defined name for a wireless LAN subnet. All of
the devices on the same wireless subnet use the same SSID. When a wireless
network card searches for a wireless LAN, the SSID for each detected network
is displayed.

SSL Secure Sockets Layer. A protocol that was developed by Netscape for securing
the transmission of messages over the Internet. SSL works by using asymmetric
keys to encrypt message data. For more information, see
http://wp.netscape.com/eng/ssl3/draft302.txt.

STP Spanning Tree Protocol. A protocol that eliminates network loops by
deactivating redundant connections. It is currently being revised into RSTP,
which is a faster version of STP. For more information, see IEEE 802.1D at
http://www.ieee802.org/1/pages/802.1D-2003.html.

supplicant The component of 802.1X that requests access to a network. It communicates
with the RADIUS server to submit an end-user’s credentials (and also to
authenticate the RADIUS server to the endpoint). An endpoint must have an 802.1X
supplicant to connect to a segment of the network that enforces 802.1X
quarantining. Supplicants supported by the NAC 800 include native
supplicants on Windows Vista, XP SP2, and 2000 SP4; MAC OS 10; as well as Juniper
Odyssey 4.2 and Open1X Xsupplicant 1.2.8.

symmetric A type of algorithm wherein the same key is used both to encrypt and decrypt.

T
TACACS+ Terminal Access Controller Access Control System Plus. An authentication
protocol that uses TCP. (RADIUS uses UDP.)

Telnet TELephone NETwork. A TCP/IP protocol that provides a fairly general,
bi-directional, 8-bit, byte-oriented communications facility. It is typically used to
provide user-oriented command-line login sessions between hosts on the
Internet. The name “Telnet” came about because the protocol was designed
to emulate a single terminal attached to the other computer. For more
information, see RFC 854 at http://www.ietf.org/rfc/rfc0854.txt.

temporary access period The time during which an endpoint is allowed access to the network, overriding
the endpoint’s quarantine status. The network administrator configures the
length of this period.

testing methods Methods that the NAC 800 uses to perform tests. The NAC 800 supports three
testing methods: agent test method, ActiveX test method, and agentless test
method.

test properties See NAC test properties.

test status The status in which an endpoint is categorized during and after the testing
process.

test updates ProCurve periodically updates the NAC 800 tests to check for new hot fixes
and virus definitions. The NAC 800 automatically updates its testing software
and database by querying MyProCurve Web servers for these updates.

TFTP Trivial File Transfer Protocol. A protocol that uses UDP to transmit and
receive files and provides no security features. TFTP is often used by servers
to boot diskless workstations, X-terminals, and routers. It can also be used as
a file server. For more information, see RFC 1350 at
http://www.ietf.org/rfc/rfc1350.txt.

TLS Transport Layer Security. The successor to SSL. It prevents eavesdropping
on communications between Internet client and server. For more information,
see RFC 2246 at http://www.ietf.org/rfc/rfc2246.txt.

TNC Trusted Network Connect. A standard developed by over 50 of the networking
industry’s leading companies for integrating compliance testing with access
control. For more information, see TNC Central at http://www.tnccentral.org.

transient agent An agent that is installed on the endpoint for a short time only at the beginning
of each test. The ActiveX test method uses a transient agent.

Trojan A malicious program disguised as or embedded within legitimate software.
The term comes from the classical myth of the Trojan horse—something that
looks useful, interesting, or harmless, but is actually harmful when executed.
Trojans cannot operate autonomously, in contrast to some other types of
malware such as viruses or worms. Trojans “hitch a ride” on an executable
program that the intended victim must deliberately launch.

There are two common types of Trojan. One is found in otherwise useful
software that has been corrupted by the insertion of the Trojan, which
executes while the program is used, for example, in weather-alerting
programs, computer clock-setting software, and peer-to-peer file-sharing utilities.
The other type of Trojan is a standalone program that masquerades as
something else, such as a program that claims to rid your hard drive of viruses but in
fact inserts them.

U
UDP User Datagram Protocol. A stateless protocol that is part of the IP protocol
suite. Using UDP, programs on network computers can send datagrams to one
another. UDP does not provide the reliability and ordering guarantees that TCP
does; datagrams may arrive out of order or go missing without notice.
However, UDP is faster and more efficient for many lightweight or time-sensitive
programs. For more information, see RFC 768 at
http://www.ietf.org/rfc/rfc0768.txt.

USB Universal Serial Bus. A serial bus standard for interface devices. It was
designed for computers, but its popularity has made it commonplace on video
game consoles, PDAs, cell phones, MP3 players, portable memory devices,
and even on televisions and home stereo equipment.

unmanaged endpoint A device that is not under the company’s administrative control. Examples
include a guest’s computer or a contractor’s computer. Such a device is still
subject to the company’s network security policies.

untestable endpoint A device that is running an operating system that the NAC 800 does not
currently support or whose Internet Explorer security setting is “High.”

user role NAC 800 management permissions that are granted to end-users. Four
predefined roles are included with the NAC 800 (see Table 3-1). New user roles
can also be created.

V
VI A display-oriented interactive text editor that was created for Unix systems.
For more information, see the original document at
http://webauth.stanford.edu/protocol.html.

virus A computer program that can copy itself and damage a computer system. A
virus cannot self-propagate as a worm can but is spread via infected removable
media (floppy disks, zip drives, USB drives) or by sending it over a network.
Viruses can be programmed to do all kinds of damage, such as erasing hard
drives, deleting files, or corrupting executables, or they can be relatively
benign (showing text or a graphic), but even the benign viruses use up
computer resources such as hard drive space, memory, and processor cycles.
Like biological viruses, they can modify themselves upon replication to avoid
easy detection.

VLAN Virtual Local Area Network. A standard that enables network administrators
to group end-users by logical function rather than by physical location. VLANs
are created on switches to segment networks into smaller broadcast domains,
enhance network security, and simplify network management. For more
information, see IEEE 802.1Q at http://www.ieee802.org/1/pages/802.1Q.html.

W
Web-Auth A method for authenticating end-users that does not require a client utility on
the endpoints. The NAS redirects end-users to a Web page in which the end-
users submit their credentials. The NAS retrieves the credentials and submits
them to an authentication server.

WEP Wired Equivalent Privacy. A protocol that is part of the IEEE 802.11 suite of
protocols for wireless LANs. Its purpose is to provide security equivalent to
an unsecured wired LAN. It has been superseded by WPA and IEEE 802.11i. For
more information, see IEEE 802.11 at
http://standards.ieee.org/getieee802/802.11.html.

wildcard On the NAC 800, the asterisk (*) is the wildcard character.

Windows The desktop and server operating system developed by Microsoft. The
versions of Windows that are supported by the NAC 800 are Windows 98,
Windows 2000, Windows XP Professional and Home, Windows Server 2000
and 2003, and Windows NT.

Wireless Edge Services Module A ProCurve product that is used to manage wireless LANs. The Wireless Edge
Services Module, which is installed in a switch, controls many RPs
(coordinated APs).

worm A computer worm is a self-replicating computer program similar to a
computer virus. While a virus attaches itself to and becomes part of another
executable program, a worm is self-contained and does not need to be part of
another program to propagate. Worms often exploit file transmission
capabilities found on many computers, using networks to send copies of themselves
to other systems without any intervention. In general, worms harm the
network and consume bandwidth, whereas viruses infect or corrupt files on a
targeted computer. Viruses generally do not affect network performance,
because their malicious activities are mostly confined within the target
computer itself.

WPA Wi-Fi Protected Access. A standard created by IEEE and the Wi-Fi Alliance to
address the security weaknesses in WEP. For more information, see the Wi-Fi
Alliance white paper at
http://www.wi-fi.org/white_papers/whitepaper-042903-wpa.

WPA-PSK WPA using a Preshared Key. PSK refers to a key that is shared between two
stations before it needs to be used, such as over a secured channel or non-
electronically (the end-user is told the correct key).

X
X.509 A strong authentication standard for PKI. One of its functions is to specify a
standard format for public key certificates and a path for certification
validation. For more information, see ITU Recommendation X.509 at
http://www.itu.int/rec/T-REC-X.509/en.

Z
zero-day attack An attack of any sort that exploits a vulnerability that has not yet been
officially discovered and patched. Because systems are not protected from
zero-day attacks, these attacks can aggressively propagate throughout the
world in a matter of hours. Zero-day attacks consume incredible amounts of
network resources when propagating and can use unique code that most
antivirus software does not detect.

Appendix B: Linux Commands

Contents
Common Linux Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-2
vi Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-4
Command Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-4
Insert Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-5
keytool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-6
openssl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-9
Service Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-12

Common Linux Commands


This appendix provides additional information on Linux commands used for
completing tasks discussed in this management and configuration guide.

You should also keep in mind these general tips for using Linux:
■ Filenames are case sensitive.
■ Linux does not use file extensions in the same way that Windows uses
them. You can create any file extension.

Table B-1 lists some useful commands.

Note In the syntax, an “N” indicates that you can press a number before the
command. For example, if pressing [f] moves forward one screen, pressing [5]
and then [f] moves forward five screens.

Table B-1. Common Linux Commands

■ Change your directory: cd <new directory>
■ Move to the directory above the current: cd ..
■ Return to the home directory: cd (do not specify a directory)
■ List files: dir [<directory>]
  • Simply enter dir to view files in the current directory
  • Include the [<directory>] option if you want to view the
    contents of a particular directory
■ List files and subdirectories with ls: ls [<directory>] [-l]
  • Simply enter ls to view files in the current directory
  • Include the [<directory>] option if you want to view the
    contents of a particular directory
  • Include the -l option to view the files and directories in the long
    format
■ Repeat previous command: !!
■ Repeat specified command: !
■ View text files: more <filename>
  • [spacebar] or [f]: move forward one screen
  • N[f]: move forward N screens
  • [b]: move back one screen
  • N[b]: move back N screens
■ View or edit files: vi <filename> (see page B-4)
■ Delete a file: rm <filename>
■ Copy a file: cp <filename> <newfilename>
■ Find a file: find <base directory> -name <filename>

vi Editor
To edit or view files on the NAC 800, use the vi editor, a commonly used Linux
text editor.

The vi editor has three modes:
■ Command
■ Insert
■ Replace

Command Mode
When you access vi and open a file, you are typically in the command mode:
you can enter any of the commands outlined in Table B-2. Unless preceded by
a colon (:) these commands are keystrokes; you do not have to press [Enter]
for them to take effect.

Table B-2. vi Editor Commands

■ Enter insert mode, which allows you to add or delete text in the file:
  • Characters are entered into the file after the cursor: a
  • Characters are entered into the file before the cursor: i
■ Enter replace mode, which allows you to write new text over existing text,
  beginning at the cursor: R
■ Delete a character: x
■ Delete N characters: Nx
■ Delete a word: dw
■ Delete N words: dNw
■ Delete a line: dd
■ Delete N lines: Ndd
■ Copy current line: yy
■ Copy N lines, beginning with the current: Nyy
■ Paste copied lines back into the file: p
■ Undo last change in file; enter command again to redo change: u
■ Save changes: :w
■ Exit vi and save changes to file: :wq
■ Exit vi and do not save changes to file: :q!

Insert Mode
If you want to input text into the file, you must enter the insert mode. To enter
the insert mode, press [a] or [i]. If you press [a], you enter text after the cursor.
If you press [i], you enter text before the cursor. Whichever key you press, you
can then use the arrow keys to change the cursor’s position.

In addition to inserting text, you can also use the [Backspace] key to erase text.

To return to command mode, press [Esc].

Replace Mode
To enter text that writes over the current text, enter replace mode by pressing
[Shift]+[r]. To return to command mode, press [Esc].

keytool
The NAC 800 OS includes keytool, an application for managing keystores,
which consist of private keys and the associated public keys (certificate
chains). You should use keytool commands to create and manage the digital
certificate for the NAC 800’s HTTPS server (which grants access to its Web
browser interface).

The commands below, while not comprehensive, help you complete common
tasks. Visit http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html
for further documentation provided by the developer, Sun Microsystems.

Syntax: keytool -genkey -alias <alias> -keystore <keystore> [-keysize <size>]
[-keyalg [rsa | dsa]] [-validity <days>] [-dname <distinguished name>]
[-keypass <password>] [-storepass <password>]
Creates a new private key/public certificate which is stored
under the specified <alias> in the specified <keystore>. The key
is of the specified <size> (must be a multiple of 64) and
algorithm. (Default: 1024 bits and DSA.) If you do not enter
the -dname option, you will be prompted to specify the
distinguished name. (For the first and last name, make sure
to enter the NAC 800’s FQDN.) If you do not enter a password
for the keystore and key, you will be prompted to do so. If the
keystore has already been created, you must enter the
previously-set password.
If you are creating a key for HTTPS, you should create
compliance.keystore in the /usr/local/nac/keystore directory and
use changeit for the password.
Syntax: keytool -import -file <cert_filename> -alias <alias> -keystore <keystore>
[-keypass <password>] [-storepass <password>]
Imports the certificate in the specified <cert_filename> under
the specified <alias> into the specified <keystore>. If you have
not entered the necessary passwords, you will be prompted to
do so. And, if the certificate is a root CA certificate, you will
be prompted to trust the certificate.

You should import a certificate for the NAC 800 into the
keystore with the corresponding private key. Import CA
certificates for HTTPS into the /usr/local/java/jre/lib/security/cacerts
keystore.

Syntax: keytool -certreq -alias <alias> -file <filename> -keystore <keystore>
[-keypass <password>] [-storepass <password>]
Creates a certificate request using the public key and LDAP
DN stored under the specified <alias> in the specified
<keystore>. The request is saved under the specified <filename>. If
you do not enter a password for the keystore and key, you will
be prompted to do so. Match the previously-set passwords.
Syntax: keytool -selfcert -alias <alias> -keystore <keystore>
[-keypass <password>] [-storepass <password>]
Creates a self-signed certificate that uses the private/public
keypair using the specified <alias> in the specified <keystore>.
If you do not enter a password for the keystore and key, you
will be prompted to do so. Match the previously-set passwords.
Syntax: keytool -export -alias <alias> -keystore <keystore> -file <filename>
[-keypass <password>] [-storepass <password>]
Saves, under the specified <filename>, the certificate
associated with the specified <alias> in the specified <keystore>. If
you do not enter a password for the keystore and key, you will
be prompted to do so. Match the previously-set passwords.
Syntax: keytool -delete -alias <alias> -keystore <keystore> [-keypass
<password>] [-storepass <password>]
Removes the certificate associated with the specified <alias>
in the specified <keystore>. If you do not enter a password for
the keystore and key, you will be prompted to do so. Match the
previously-set passwords.
Syntax: keytool -printcert -file <filename>
Displays the certificate saved in the specified <filename>.
Syntax: keytool -list -alias <alias> -keystore <keystore> [-keypass <password>]
[-storepass <password>]
Displays the certificate associated with the specified <alias>
in the specified <keystore>. If you do not enter a password for
the keystore and key, you will be prompted to do so. Match the
previously-set passwords.

Syntax: keytool -keypasswd -alias <alias> -keystore <keystore filename>
-keypass <old password> -new <new password> [-storepass <password>]
Changes the password for the key stored under the <alias> in
the specified <keystore>. If you do not enter a password for the
keystore, you will be prompted to do so.
Syntax: keytool -storepasswd -keystore <keystore> -storepass <password> -new
<new password>
Changes the password for the specified <keystore>.

openssl
The NAC 800 OS offers openssl, another tool for creating and managing
certificates. Chapter 4: “Configuring the RADIUS Server—Integrated with
ProCurve Identity Driven Manager” and Chapter 5: “Configuring the RADIUS
Server—Without Identity Driven Manager” teach you how to use openssl
commands to manage certificates for the NAC 800 FreeRADIUS server.

The commands below are far from comprehensive, but they will help you complete common tasks. Visit http://www.openssl.org/docs/apps/openssl.html for complete documentation provided by the OpenSSL project.

Syntax: openssl req -x509 -newkey [rsa | dsa]:[512 | 1024 | 2048 | 4096] -keyout <key_filename> -out <certificate_filename> -days <number> [-nodes] [-outform {DER | PEM}] [-config <filename>] [-extensions <section name>]
Creates a self-signed certificate and an associated private/public keypair of the specified algorithm and length (for example, rsa:2048). The key and certificate are saved as <key_filename> and <certificate_filename>.
The -days option specifies the number of days the certificate is valid.
Include the -nodes option if you do not want to protect the key with a password.
You can choose DER or PEM for the -outform option, which specifies the certificate format (default: PEM).
The -config option specifies the configuration file for the openssl application; the -extensions option specifies the name of a section in that file that contains the extensions for this certificate.

B-9
Appendix B: Linux Commands
openssl

Syntax: openssl req -new -newkey [rsa | dsa]:[512 | 1024 | 2048 | 4096] -nodes -keyout <key_filename> -out <request_filename> [-days <number>] [-outform {DER | PEM}] [-config <filename>] [-extensions <section_name>]
Creates a certificate request and an associated private/public keypair of the specified algorithm and length. The key and certificate request are saved as <key_filename> and <request_filename>.
The -days option specifies the number of days the certificate is valid.
Include the -nodes option if you do not want to protect the key with a password.
You can choose DER or PEM for the -outform option, which specifies the certificate request format (default: PEM).
The -config <filename> option specifies the configuration file for the openssl application; the -extensions <section_name> option specifies the name of a section in that file that contains the extensions for this certificate request.
Syntax: openssl genkey -algorithm [rsa | dsa]:[512 | 1024 | 2048 | 4096] -outform [DER | PEM] -out <key_filename>
Generates a keypair of the specified algorithm and length (for example, rsa:2048) and format (DER or PEM) and saves it to the specified <key_filename>.
Syntax: openssl req -x509 -key <key_filename> -out <certificate_filename> [-days <number>] [-nodes] [-outform {DER | PEM}] [-config <filename>] [-extensions <section_name>]
Creates a self-signed certificate using the existing key in the specified <key_filename>. The certificate is saved with the specified <certificate_filename>.
The -days option specifies the number of days the certificate is valid.
Include the -nodes option if you do not want to protect the key with a password.
You can choose DER or PEM for the -outform option, which specifies the certificate format (default: PEM).
The -config <filename> option specifies the configuration file for the openssl application; the -extensions <section_name> option specifies the name of a section in that file that contains the extensions for this certificate.

B-10
Appendix B: Linux Commands
openssl

Syntax: openssl req -new -key <key_filename> -out <request_filename> [-days <number>] [-outform {DER | PEM}] [-config <filename>] [-extensions <section_name>]
Creates a certificate request using the existing key in the specified <key_filename>. The certificate request is saved with the specified <request_filename>.
The -days option specifies the number of days the certificate is valid.
Include the -nodes option if you do not want to protect the key with a password.
You can choose DER or PEM for the -outform option, which specifies the certificate request format (default: PEM).
The -config <filename> option specifies the configuration file for the openssl application; the -extensions <section_name> option specifies the name of a section in that file that contains the extensions for this certificate request.
Syntax: openssl x509 -in <certificate_filename> -inform [DER | PEM] -out <new_certificate_filename> -outform [DER | PEM]
Converts the X.509 certificate in <certificate_filename> to the other X.509 encoding (that is, DER to PEM or vice versa). The certificate in the new format is saved to <new_certificate_filename>.
Syntax: openssl pkcs12 -in <certificate_filename> -out <new_certificate_filename>
Converts the PKCS#12 (PFX) certificate in <certificate_filename> to an X.509 certificate, which is saved to <new_certificate_filename>.
Syntax: openssl x509 -in <certificate_filename> -text [-noout]
Displays the certificate saved in <certificate_filename>.
Include the -noout option if you do not want to see the encoded portion.
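The following shell script is an added example, not part of the NAC 800 guide, that runs the openssl commands listed above end to end in a throwaway directory: it creates a self-signed certificate and key, creates a certificate request for the same key, converts the certificate PEM to DER and back, and inspects the result with -text. It assumes openssl is on the path; the hostname nac800.example.com, the file names and the server_ext configuration section are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the NAC 800 guide. All names below are constructed.
set -u

# Minimal openssl configuration: "prompt = no" keeps "openssl req" from
# asking interactive questions, and the server_ext section gives the
# -extensions option a named section to point at.
write_req_config() {
    cat > "$1" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn

[ dn ]
CN = nac800.example.com

# Constructed for this example: extensions a TLS server certificate
# typically carries, selected with "-extensions server_ext".
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Runs the whole flow; prints "ok" and returns 0 only if every step and
# every consistency check passes.
openssl_cert_demo() {
    work=$(mktemp -d) || return 1
    cfg="$work/req.cnf"
    write_req_config "$cfg"

    # 1. Self-signed certificate plus an unencrypted (-nodes) RSA-2048 key,
    #    valid for 365 days, with the extensions from section server_ext.
    openssl req -x509 -newkey rsa:2048 -keyout "$work/key.pem" \
        -out "$work/cert.pem" -days 365 -nodes -outform PEM \
        -config "$cfg" -extensions server_ext 2>/dev/null || return 1

    # 2. Certificate request for the same key (what you would send to a
    #    CA), then check that the request's own signature verifies.
    openssl req -new -key "$work/key.pem" -out "$work/req.pem" \
        -config "$cfg" 2>/dev/null || return 1
    openssl req -in "$work/req.pem" -noout -verify >/dev/null 2>&1 || return 1

    # 3. PEM -> DER conversion; the SHA-256 fingerprint computed from each
    #    encoding must be identical, since only the encoding changed.
    openssl x509 -in "$work/cert.pem" -inform PEM \
        -out "$work/cert.der" -outform DER || return 1
    fp_pem=$(openssl x509 -in "$work/cert.pem" -inform PEM -noout -fingerprint -sha256)
    fp_der=$(openssl x509 -in "$work/cert.der" -inform DER -noout -fingerprint -sha256)
    [ -n "$fp_pem" ] && [ "$fp_pem" = "$fp_der" ] || return 1

    # 4. Inspect the certificate: the subject we configured and the
    #    extendedKeyUsage from server_ext must both be present.
    text=$(openssl x509 -in "$work/cert.pem" -text -noout) || return 1
    echo "$text" | grep -q "CN *= *nac800.example.com" || return 1
    echo "$text" | grep -q "TLS Web Server Authentication" || return 1

    rm -rf "$work"
    echo ok
}
```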

Service Commands
As you configure the NAC 800, you might need to restart a service or check its status. For example, after you install certificates for the NAC 800's RADIUS server, you must restart the radiusd service.

Use these commands:

Syntax: service <service_name> restart
Stops and restarts the service (applying changes to the configuration file).
Syntax: service <service_name> status
Shows the status for the service.
Syntax: service <service_name> stop
Stops the service.
Syntax: service <service_name> start
Starts the stopped service.

The names for some services of interest are displayed in Table B-3. (The list
is not comprehensive.)

Table B-3. Service Names

Service                                            Service Name
FreeRADIUS server                                  radiusd
HTTPS server and other MS functions                nac-ms
HTTPS server and other ES functions                nac-es
IDM agent                                          idmagent
Dynamic Host Configuration Protocol (DHCP) server  dhcpd
Winbind (for joining Windows domain)               winbind
Proxy Web server                                   squid
Accessible IP addresses (for inline deployment)    iptables
Network Time Protocol (NTP) server                 ntpd
Simple Network Management Protocol (SNMP) agent    snmpd
SNMP trap receiver                                 snmptrapd

Index
Numerics
802.1X authentication … 1-33
  authentication server … 1-33
  authenticator … 1-33, 4-39, 5-34
  client … 4-4, 5-4
  EAP methods … 1-30, 4-4, 5-4
  supplicant … 1-33
  VLAN assignment
    pass or healthy … 1-35
    pre-test … 1-35
    quarantine or fail … 1-36
802.1X deployment method … 1-38
  accessible services … 1-36
  apply changes … 4-43, 5-38
  IDM and … 4-5
  placing NAC 800
    endpoint integrity only … 1-40
    RADIUS and endpoint integrity … 1-38
    RADIUS only … 1-42
  quarantining … 1-35
  RADIUS services and … 4-12
  VLAN assignment
    fail … 1-40
    pass or healthy … 1-35
    pre-test … 1-35
802.1X device … 4-39, 5-34
802.1X quarantining
  See 802.1X deployment method

A
AAA
  See RADIUS server
access control
  802.1X … 1-33
  DHCP … 1-43
  inline … 1-52
access point
  See AP
access.txt
  See files
accessible services … 1-27
  802.1X deployment method … 1-36
  cluster … 1-27
  DHCP deployment method … 1-44
    ACLs … 1-45
    static routes … 1-46
  inline deployment method … 1-53
accounting … 4-33, 5-27
ACLs … 1-45
ActiveX testing
  advantages and disadvantages … 1-26
  requirements … 1-25
AD … 4-7, 5-5
  advantages and disadvantages … 4-7
  binding to … 1-39, 1-43, 4-16
  test settings … 4-34, 4-38, 5-28, 5-32
administrator
  permissions … 3-42
  set up account … 3-8
ADSL
  See protocols
AEA … 4-4, 5-4
agent
  definition … 1-23
  IDM … 2-50, 4-6
  NAC EI … 1-23
agentless testing
  advantages and disadvantages … 1-27
  non-domain members … 1-26
  requirements … 1-26
  RPC … 1-26
alerts … 2-41
AP … 1-29, 5-3
attributes
  cn … 4-28, 5-22
  password … 4-21, 5-15
    eDirectory … 4-29, 5-22
    OpenLDAP … 4-25, 5-19
  uid … 4-25, 5-18
authentication methods
  802.1X … 1-33, 4-16, 5-11
  certificates for … 4-47, 5-42
  proxy server … 4-10
  supported by AD … 4-8
authentication protocols
  See protocols, authentication

B
back up
  restore from … 7-15
  system configuration … 7-12
best practices
  clusters … 1-9, 1-11
  NAS configuration … 7-5
binding to
  AD … 1-39, 1-43, 4-16
  directory … 1-34, 4-21, 5-15
  eDirectory … 4-26, 5-19
  OpenLDAP … 4-21, 5-15
  TLS connection … 4-25, 5-19
buttons
  setting the NAC 800 IP with … 2-26
  Web browser interface … 2-45

C
CA root certificate
  default in Java store … 3-55
  HTTPS … 3-55
  RADIUS … 4-48, 5-43
certificate … 3-52, 4-47, 5-42
  CA root
    See CA root certificate
  converting format … 4-54, 5-50
  EAP-TLS … 4-47, 5-42
  EAP-TTLS … 4-47, 5-42
  eDirectory … 4-29, 5-23
  endpoint … 4-61, 5-56
  factory default
    HTTPS … 2-37, 3-52
    RADIUS server … 4-47, 5-42
  HTTPS server
    CA-signed … 3-53, 3-58
  issuing … 4-50, 5-45
  OpenLDAP … 4-25, 5-19
  PEAP … 4-47, 5-42
  RADIUS server
    CA-signed … 4-52, 5-47
    CN … 4-57, 5-52
    extensions … 4-47, 4-50, 4-57, 5-42, 5-45, 5-52
  self-signed
    HTTPS … 3-59
certificate extensions … 4-47, 5-42
certificate request
  HTTPS server … 3-56
  RADIUS server … 4-52, 5-47
cert-srv.pem
  See files
Check-up
  See endpoint integrity, posture
clusters … 1-7
  accessible services … 1-27
  best practices … 1-9, 1-11
  CS … 1-15
  DHCP … 1-47
  enforcement … 1-8, 1-15, 3-9
  ES … 2-37
  exceptions … 6-3, 6-5
  inline … 1-54
  mirroring … 1-38
  NAC 800s … 1-11, 5-9
  NAC policy group … 1-22
  performance … 1-15
  settings … 1-15, 1-26
CN … 3-52
  RADIUS server certificate … 4-57, 5-52
combination server
  See CS
command syntax … 2-35
common name
  See CN
config.access.txt
  See files
console port … 1-5
  menu interface access … 2-5
  root access to OS … 2-35
  terminal session settings … 2-6
credentials
  agentless testing … 1-26
CS … 1-13
  enforcement cluster … 1-15
  initial configuration in Web browser interface … 3-4
  management options … 2-3
  RADIUS-only … 1-10
  role in deployment … 1-10
  settings … 1-13
  SNMP settings … 3-24

D
data store … 5-5
  NAC 800 … 7-3
  redundancy … 7-2, 7-6
  supported with IDM … 4-6
database
  configuring … 1-39, 1-43
  local … 4-7
    adding user accounts … 4-16
    configuring authentication … 4-14
    password required … 4-7
date … 3-23
  changing … 3-21
  updating … 3-23
deployment method … 1-32
  802.1X
    See 802.1X deployment method
  DHCP
    See DHCP deployment method
  inline
    See inline deployment method
DER format
  converting from … 4-54, 4-59, 5-49, 5-54
DHCP deployment method … 1-43
  accessible services … 1-44
  ACLs … 1-45
  circumventing … 1-45
  enforcement methods … 1-45
  helper addresses … 1-51
  mirroring … 1-38
  placing NAC 800 … 1-46
  quarantining … 1-44
  requests … 1-51
  static routes … 1-46
  subnet design … 1-48
digital certificate
  See certificate
distinguished name
  See DN
DN
  binding to LDAP … 4-21, 5-15, 7-9
    eDirectory … 4-28, 5-22
    OpenLDAP … 4-24, 5-18
DNS server
  changing … 3-19
  NAC 800 as … 1-36, 1-44
  specifying for
    ES … 3-14
    MS or CS … 3-8
domain
  agentless testing … 1-26
  configuring authentication … 4-16
  multiple controllers … 4-20, 5-14, 7-7
  parent … 4-20, 5-14
  See also Windows domain
dynamic settings
  See settings

E
EAP … 1-30
  disabling server authentication … 4-61, 5-56
  See also protocols, authentication
eap.conf
  See files
EAP-TLS
  See also protocols, authentication
  See TLS
  server certificate
    file … 4-56, 5-51
    private key file … 4-56, 5-51
EAP-TTLS
  See TTLS
eDirectory … 1-30, 5-5
  advantages and disadvantages … 4-8, 5-6
  binding to … 1-39, 1-43, 4-21, 4-26, 5-15, 5-19
    multiple … 7-8
    settings … 4-28, 5-21
    test settings … 4-34, 4-38, 5-28, 5-32
    TLS connection … 4-29, 5-23
  configuring authentication … 4-26
  redundancy … 7-6
  user login filter … 4-21, 5-15
encryption … 4-10
  MD5 … 1-30
  WPA-PSK … 1-52
endpoint
  802.1X client … 4-4, 5-4
  accessible services … 1-27
  certificate for EAP … 4-61, 5-56
endpoint integrity … 1-16
  disabling … 6-2
  dynamic settings … 4-5
  posture … 1-27
    Check-up … 1-35
    Fail … 1-40
    Healthy … 1-35
    Infected … 1-44
    Quarantine … 1-44
    Unknown … 1-40, 1-44
  quarantining … 4-14
  with or without RADIUS … 1-34
end-user redirect screen
  See screens
enforcement cluster
  See clusters
enforcement server
  See ES
ES … 1-13
  adding to cluster … 3-12
  initial configuration … 3-9
  management options … 2-3
  moving to a new MS … 3-12
  role in deployment … 1-7
  settings … 1-12
  SNMP settings … 3-36
Ethernet ports
  See ports
exceptions
  addresses … 6-2
  cluster default settings … 6-3
  configuring … 6-2
  excluding domain names … 6-3
  particular cluster … 6-5
extensions
  RADIUS certificate request … 4-52, 5-47
  RADIUS server certificate … 4-47, 4-50, 4-57, 5-42, 5-45, 5-52

F
files
  access.txt … 2-49, 4-5
  cacert.pem … 4-49, 5-44
  certificate_file … 4-56, 4-60, 5-51, 5-55
  cert-srv.pem … 4-51, 4-58, 4-59, 5-46, 5-53, 5-54
  config.access.txt … 4-11
  eap.conf … 4-59, 5-54
    CA-signed certificate … 4-53, 4-55, 5-48, 5-50
    self-signed certificate … 4-51, 5-46
  private_key … 4-56, 4-60, 5-51, 5-55
  proxy.conf … 4-31, 5-25, 5-26, 5-27
  RADIUS.log … 1-30, 1-31
  radiusd.conf … 7-6, 7-8, 7-10
  SAFreeRadiusConnector.conf … 1-35, 1-36, 1-40
  SAIASConnector … 1-35, 1-36, 1-41
  tar … 7-12

G
GTC
  See protocols, authentication

H
hardware … 1-4
Healthy
  See endpoint integrity, posture
helper addresses
  See DHCP deployment method
Home screen
  See screens
hostname … 5-11
  changing CS or ES … 3-19
  ES … 3-14
  MS or CS … 3-8
  rules … 3-14, 3-19, 4-17
HTTPS server … 2-37

I
IAS … 1-34
  plug-in … 1-36
IDM
  agent … 4-6
  capabilities … 1-30, 2-52, 2-53
  configuring local database … 1-39, 1-43
  configuring usernames and passwords … 7-11
  data stores … 4-6
  detecting NAC 800 … 2-49
  dynamic settings … 4-5
  enable management of NAC 800 … 4-5
  management option … 2-49
  overview … 4-5
  server
    set on NAC 800 … 4-13
    specified on NAC 800 … 2-50
  version number … 2-49, 4-6
Infected
  See endpoint integrity, posture
inline deployment method … 1-51
  accessible services … 1-53
  example deployments … 1-52
  placing NAC 800
    VPN … 1-53
    WAN … 1-55
    WLAN … 1-56
  quarantining … 1-53
installing
  NAC EI agent … 1-23
integrity posture
  See endpoint integrity, posture
IP address
  gateway … 3-19
  setting
    menu interface … 2-12
    panel LCD … 2-26
    Web browser interface … 3-19

K
key
  encryption … 1-30
  generating for HTTPS certificate … 3-54, 3-60

L
LCD
  See panel LCD
LDAP format … 4-24
LDAP server
  advantages and disadvantages … 4-8, 5-6
  binding to … 4-21, 5-15
    multiple … 7-8
  configuring authentication … 4-20, 5-14
  overview … 4-8
  redundancy … 7-3, 7-6
  TLS … 4-21, 5-15
  user login filter … 4-21, 5-15
LEAP
  See protocols, authentication
LEDs … 1-4
  locator, activating (menu) … 2-20
left navigation bar … 2-41
license agreement … 3-5
licenses … 3-39
local database
  See database
log files
  See files
log level … 3-28
Logout link … 2-41

M
MAC address
  NAC 800 … 1-5
management server
  See MS
management user
  creating … 3-42
  role … 3-41
    creating … 3-47
    default … 3-42
    editing … 3-49
    permissions … 3-46
MD5 … 1-30
menu interface … 2-5
  accessing
    console session … 2-5
    SSH session … 2-7
  changing password … 2-15
  default password … 2-15
  navigating … 2-8
  server type settings … 2-10
  system information in … 2-21
  username … 2-15
mirroring … 1-38, 1-39, 1-41
MS … 1-11
  initial configuration in Web browser interface … 3-4
  management options … 2-3
  role in deployment … 1-7
  settings … 3-5
  SNMP settings … 3-24
MS-CHAP
  See protocols, authentication
multinetting … 1-49
multiple NAC 800s
  See clusters

N
NAC EI agent
  advantages and disadvantages … 1-25
  installing … 1-23
  requirements for testing … 1-24
NAC policy … 1-19
  endpoints applied to … 1-21
  inactive endpoints … 1-21
  name … 1-19
  retest frequency … 1-20
  testable OS … 1-20
  tests list … 1-22
  untestable OS … 1-20
NAC policy group … 1-22
NAC tests … 1-17
  actions … 1-19
  properties … 1-18
  settings … 1-17
  updates … 1-18
NAS
  adding as RADIUS client … 4-39, 5-34
  configure … 4-11, 5-8
  definition … 1-29, 4-3, 5-3
network settings
  See settings
NTLM
  See protocols
NTP server … 1-12
  changing … 3-23
  CS as … 1-13
  specifying … 3-7

O
OpenLDAP … 1-30, 5-5
  advantages and disadvantages … 4-8, 5-6
  binding to … 1-39, 1-43, 4-21, 5-15
    multiple … 7-8
    settings … 4-24, 5-18
    test settings … 4-34, 4-38, 5-28, 5-32
  configuring authentication … 4-21
  redundancy … 7-6
  TLS connection … 4-25, 5-19
  user login filter … 4-21, 5-15
operating systems
  supported … 1-20
  unsupported … 1-20, 1-21

P
panel LCD … 1-5, 2-5
  access menu … 2-22
  navigate menu … 2-23
PAP
  See protocols, authentication
password
  changing menu interface … 2-15
  console … 4-46, 5-41
  default … 2-15
  NULL … 4-7
  PCM, in … 2-48
  private_key … 4-56, 4-60, 5-51, 5-55
  proxy server … 3-21
  root … 2-35
    CS or MS … 3-28
    ES … 3-15, 3-38
    setting … 3-6
  rules … 2-17, 3-7
  SSH session … 4-32, 4-46, 5-26, 5-41
  terminal session … 2-6
  user account … 3-44
  using IDM to configure … 7-11
  Web browser interface … 3-9
PCM Plus … 2-48
  detecting NAC 800 … 2-47, 3-26
  version required … 2-47
PEAP … 4-4, 5-4
  mutual authentication … 4-47, 5-42
  proxy and IDM … 4-10
  Windows domain authentication … 4-16, 5-11
performance
  endpoint integrity checks … 1-28
  RADIUS server … 1-10
PFX format
  converting from … 4-55, 4-59, 5-50, 5-54
ping
  menu interface … 2-13
  panel LCD … 2-28
  responding to … 2-13
placing NAC 800
  802.1X deployment method … 1-38
  DHCP deployment method … 1-46
  inline
    VPN … 1-53
    WAN … 1-55
    WLAN … 1-56
plaintext … 4-10
ports
  console … 2-5
  console Ethernet … 1-5, 2-35
  default LDAP … 5-22
  Ethernet
    802.1X deployment … 1-38, 1-40
    802.1X deployment (RADIUS-only) … 1-42
    inline deployment … 1-53, 1-57
    mirroring to … 1-39
    overview … 1-6
    speed and duplex … 2-32
  RADIUS accounting … 4-33, 5-27
  RADIUS authentication … 4-32, 5-27
  TLS connection … 5-22
post-connect testing … 1-21
protocols
  ADSL … 1-52
  authentication … 4-7
    EAP … 4-10
      See also EAP
    GTC … 1-30, 4-4, 5-4
    LEAP … 1-30, 4-4, 5-4
    MS-CHAP … 1-30
    PAP … 1-30
    RADIUS … 4-3, 5-3
    See PEAP
    See TLS
    See TTLS
    supported … 4-4, 5-4
    TLS … 4-29
      See also EAP-TLS
  NTLM … 4-16, 5-10
  PFX … 4-55, 4-59, 5-50, 5-54
  SNMPv2 … 4-5
  STP, RSTP … 1-54
proxy RADIUS server
  advantages and disadvantages … 4-9, 5-7
  configuration file … 4-32, 5-26
  configure … 1-39, 1-43
  configuring authentication … 4-29, 5-23
  overview … 4-9, 5-6
proxy server
  authentication settings … 3-21
  NAC 800 for … 3-19
proxy.conf
  See files
PSCP … 4-53, 5-48
PuTTY SCP
  See PSCP

Q
Quarantine
  See endpoint integrity, posture
quarantine method
  See deployment method
quarantining … 1-19
  802.1X … 1-35, 5-8
    RADIUS-only … 4-12
  DHCP … 1-44
  endpoint integrity … 4-14
  enforcement … 1-45
  inline … 1-53
  settings … 1-12, 1-13
  subnet
    802.1X method … 4-14
    DHCP … 1-48
    DNS server for … 1-44
    multinetting … 1-49
    part of existing subnet … 1-48
  VLAN … 1-36, 1-40
    DNS server … 1-36

R
radio points
  See RPs
RADIUS
  See protocols, authentication
RADIUS client
  adding to NAC 800 … 4-39, 5-34
RADIUS server … 1-29
  accounting … 1-30
  apply changes … 4-43, 5-38
  CA root certificate … 4-48, 5-43
  capabilities with IDM … 1-30, 2-52
  capabilities without IDM … 1-30
  certificate … 4-47, 5-42
    CA-signed … 4-52, 5-47
    CN … 4-57, 5-52
    extensions … 4-47, 4-50, 4-57, 5-42, 5-45, 5-52
    request extensions … 4-52, 5-47
  configuration with IDM … 4-11, 5-8
  log files … 1-30
  NAC 800 as … 4-11, 5-8
  primary and secondary … 7-5
  redundancy … 7-2, 7-3
  restart
    root … 4-46, 5-41
    Web browser interface … 4-43, 5-38
RADIUS-only NAC 800 … 1-42
  capabilities … 1-10
  multiple NAC 800s … 1-11
  quarantine method … 4-12
Rapid Spanning Tree Protocol
  See RSTP
read community string … 3-37
reboot
  menu interface … 2-18
  NAC 800 … 2-19
  panel LCD … 2-30
redundancy
  configuring NASs … 7-5
  data store … 7-2, 7-6
  eDirectory … 7-6
  LDAP servers … 7-3, 7-6
  network paths … 7-4
  OpenLDAP … 7-6
  RADIUS servers … 7-2, 7-3
  testing … 7-11
remote access … 1-53
restart
  RADIUS server
    root … 4-46, 5-41
    Web browser … 4-43, 5-38
restart after shutdown … 2-20
retest frequency … 1-20
RJ45 connector … 1-5
role name rules … 3-48
roles
  management … 3-41
  user … 3-45
    editing … 3-49
root
  accessing NAC 800 OS … 2-35
  certificate
    See CA root certificate
  restart
    RADIUS server … 4-46, 5-41
  username and password … 2-35
RPC
  See agentless testing
RPs … 1-52, 1-57
RSTP … 1-54
rules
  admin password … 2-17
  domain … 5-14
  hostname … 3-14, 3-19, 4-17
  LDAP format … 4-24
  parent domain … 4-20
  read community string … 3-37
  role name … 3-48
  shared secret … 4-41, 5-27
  user account password … 3-44
  user account roles … 3-45
  username … 3-44

S
SAFreeRadiusConnector.conf
  See files
SAIASConnector files
  See files
save
  configurations … 2-45
  configuring Web browser … 7-14
SCP server … 4-53, 5-48
screens
  end-user redirect … 1-45
  Home … 2-39
    access control section … 2-43
    right area … 2-43
  IDM … 2-53
  testing Windows domain authentication … 4-37, 5-31
  Web browser interface … 2-43
search
  locking out … 4-29
serial number … 1-5
  menu interface, viewing in … 2-21
server type
  changing … 1-14
  choosing … 1-7
  setting … 2-10
    panel LCD … 2-24
settings
  802.1X quarantining … 2-50
  authentication … 4-14, 5-10
    proxy server … 3-21
  binding to
    eDirectory … 4-28, 5-21
    OpenLDAP … 4-24, 5-18
    Windows domain … 4-20, 5-14
  cluster … 1-15, 1-26
  cluster default
    exceptions … 6-3
  CS … 1-13
  dynamic … 4-4, 5-4
    VLAN … 4-4, 5-4
  ES … 1-12
  IDM … 4-5
  IP address … 2-12, 2-26, 2-28
  locking out searches … 4-29
  menu interface … 2-9
  MS … 3-5
  NAC 800 IP … 2-26
  network … 3-18
  server type … 2-24
  SNMP … 3-24, 3-36
  speed and duplex … 2-32
  subnet mask … 2-27
  system … 2-21, 3-3
  terminal session … 2-6
  test results … 4-38, 5-32
  testing … 2-28, 4-34, 5-28
  user-based … 4-4, 5-4
shared secret … 4-33, 5-27
  802.1X device for … 4-41, 5-36
  rules … 5-27
shutdown
  restarting after … 2-20
shutting down
  menu interface … 2-19
  panel LCD … 2-31
SNMP
  allowed source network … 2-47
  read-only access … 3-24, 3-26
  read-only community … 2-47
  read-write community … 2-47
  settings … 3-36
software upgrade … 1-12, 1-13, 3-39
Spanning Tree Protocol
  See STP
SSH session
  username and password … 4-32, 5-26
SSID … 4-66, 5-61
STP … 1-54
support link … 2-41
supported OSs … 1-20
switches
  ProCurve … 7-3, 7-5
system information
  menu interface, viewing in … 2-21

T
tar file
  See files
testing
  bind operation … 4-36, 5-30
  IP settings … 2-13
  list … 1-22
  method … 1-22
    ActiveX … 1-25
    agentless … 1-26
    NAC EI agent … 1-23
  post-connect … 1-21
  redundancy … 7-11
  requirements
    ActiveX … 1-25
    agentless … 1-26
    NAC EI agent … 1-24
  results … 4-38, 5-32
time … 3-23
  zone … 3-7
  CS or MS … 3-23
  ES … 3-34
TLS … 4-4, 5-4
  eDirectory bind … 4-29, 5-23
  LDAP bind … 4-21, 5-15, 7-9
  mutual authentication … 4-47, 5-42
  OpenLDAP bind … 4-25, 5-19
TTLS … 4-4, 5-4
  mutual authentication … 4-47, 5-42
  proxy and IDM … 4-10
  Windows domain authentication … 4-16, 5-11

U
unknown
  See endpoint integrity, posture
unsupported OSs … 1-20, 1-21
updates
  test … 1-12, 1-13, 1-18

user accounts
  adding to local database … 4-16
user login filter … 4-21, 5-15
user roles
  See roles
username
  account rules … 3-44
  console … 2-6, 4-46, 5-41
  menu interface … 2-15
  PCM, in … 2-48
  proxy server … 4-10
  root … 2-35
  SSH session … 4-32, 4-46, 5-26, 5-41
  using IDM to configure … 7-11

V
version
  IDM … 4-6
  IDM agent … 2-50
  menu interface, viewing software … 2-21
vi editor … 4-32, 5-26
VLAN
  assignment … 1-35
  dynamic settings … 4-4, 5-4
  quarantine … 1-36, 1-40
VPN … 1-32, 1-52
  placing NAC 800 … 1-53

W
WAN … 1-32, 1-52
  placing NAC 800 … 1-55
warranty … 1-ii
Web browser interface … 2-37
  accessing … 2-39
    with IDM … 2-53
    with PCM Plus … 2-48
  navigating … 2-39, 2-44, 2-45
  requirements
    management station … 2-38
    NAC 800 … 2-37
WESM … 1-52, 1-56, 1-57
Windows domain … 4-7
  joining NAC 800 to … 4-17, 5-11
  multiple controllers … 4-20, 5-14
  requirements … 4-17, 5-11
  settings … 4-20, 5-14
    authentication … 5-10
    test … 4-34, 4-38, 5-28, 5-32
Wireless Edge Services Module
  See WESM
wireless LAN
  See WLAN
WLAN … 1-52
  802.1X deployment … 1-52
  placing NAC 800 (inline) … 1-56