ProCurveNAC CfgGde Aug2007 59918618
ProCurve Network Access Controller 800
Configuration Guide
August 2007
1.0.XX
www.procurve.com
© Copyright 2007 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice. All Rights Reserved.
This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard.
Publication Number
5991-8618
August 2007
Applicable Products
Network Access Controller 800 (J9065A)
Trademark Credits
Microsoft, Windows, Windows NT, and Windows XP are U.S. registered trademarks of Microsoft Corporation.
Disclaimer
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard.
Warranty
See the Customer Support/Warranty booklet included with the product.
A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer.
Hewlett-Packard Company
8000 Foothills Boulevard
Roseville, California 95747
http://www.procurve.com/
Contents
Testing Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-22
NAC EI Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23
ActiveX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-25
Agentless . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26
Endpoint Integrity Posture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27
Accessible Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27
Performance Implications of Endpoint Integrity Checks . . . . . . . . . 1-28
RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-29
ProCurve NAC 800 RADIUS Capabilities . . . . . . . . . . . . . . . . . . . . . . . 1-30
RADIUS Capabilities of the NAC 800 Integrated with IDM . . . . . . . . 1-30
Deployment Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-32
802.1X Deployment Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-33
802.1X Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-33
Types of Access Control Provided by the NAC 800 . . . . . . . . . . . 1-34
802.1X Deployment Method—Endpoint Integrity With
or Without RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-34
How the NAC 800 Quarantines Endpoints . . . . . . . . . . . . . . . . . . 1-35
How and Where to Deploy the NAC 800 . . . . . . . . . . . . . . . . . . . . 1-37
802.1X Deployment Method—RADIUS Server Only . . . . . . . . . . . . . . 1-42
How and Where to Deploy the NAC 800 . . . . . . . . . . . . . . . . . . . . 1-42
DHCP Deployment Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43
Types of Access Control Provided By the NAC 800 . . . . . . . . . . 1-43
How the NAC 800 Quarantines Endpoints . . . . . . . . . . . . . . . . . . 1-44
How and Where to Deploy the NAC 800 . . . . . . . . . . . . . . . . . . . . 1-46
Inline Deployment Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-51
Types of Access Control Provided by the NAC 800 . . . . . . . . . . . 1-52
How the NAC 800 Quarantines Endpoints . . . . . . . . . . . . . . . . . . 1-53
Configuring Accessible Services for Inline Method . . . . . . . . . . . 1-53
How and Where to Deploy the NAC 800 . . . . . . . . . . . . . . . . . . . . 1-53
2 Management Options for the ProCurve NAC 800
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Menu Interface and Panel LCD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Access the Menu Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Console Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
SSH Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Navigate the Menu Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
Configure Initial Settings with the Menu Interface . . . . . . . . . . . . . . . . 2-9
Set the Server Type with the Menu Interface . . . . . . . . . . . . . . . . 2-10
Set the IP Address with the Menu Interface . . . . . . . . . . . . . . . . . 2-12
Test IP Settings (Ping) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13
Change the Password to the Menu Interface . . . . . . . . . . . . . . . . . . . . 2-15
Complete Other Tasks in the Menu Interface . . . . . . . . . . . . . . . . . . . 2-17
Reboot the NAC 800 in the Menu Interface . . . . . . . . . . . . . . . . . 2-18
Shut Down the NAC 800 in the Menu Interface . . . . . . . . . . . . . . 2-19
Turn the Locator LED On and Off . . . . . . . . . . . . . . . . . . . . . . . . . 2-20
View System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21
Access the Panel LCD Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-22
Navigate the Panel LCD Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23
Configure Initial Settings with the Panel LCD Menu . . . . . . . . . . . . . 2-24
Set the Server Type with the Panel LCD Menu . . . . . . . . . . . . . . 2-24
Set the IP Address with the Panel LCD Menu . . . . . . . . . . . . . . . 2-26
Test IP Settings (Ping) with the Panel LCD Menu . . . . . . . . . . . . 2-28
Complete Other Tasks Using the Panel LCD Menu . . . . . . . . . . . . . . 2-29
Reboot the NAC 800 Using the Panel LCD Menu . . . . . . . . . . . . . 2-30
Shut Down the NAC 800 Using the Panel LCD . . . . . . . . . . . . . . . 2-31
Set the Ports Speed and Duplex Settings . . . . . . . . . . . . . . . . . . . 2-32
Root Access to the NAC 800 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-35
Web Browser Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
Access the Web Browser Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
Requirements on the NAC 800 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
Requirements on the Management Station . . . . . . . . . . . . . . . . . . 2-38
Steps for Accessing the Web Browser Interface . . . . . . . . . . . . . 2-39
Navigate the Web Browser Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 2-39
Home Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-39
Common Features in Web Browser Interface Screens . . . . . . . . 2-43
Following Instructions to Navigate the Web Browser
Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-45
ProCurve Manager (PCM) Plus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-47
Enable PCM Plus to Detect the NAC 800 . . . . . . . . . . . . . . . . . . . . . . . 2-47
Capabilities of PCM Plus for Managing the NAC 800 . . . . . . . . . . . . . 2-48
IDM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-49
Enable IDM to Detect the NAC 800 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-49
Capabilities of IDM for Managing the NAC 800 . . . . . . . . . . . . . . . . . . 2-52
Install a New Self-Signed Certificate for HTTPS . . . . . . . . . . . . . . . . . 3-59
Generate the Self-Certificate and Key . . . . . . . . . . . . . . . . . . . . . . 3-60
Export the Self-signed Certificate to a File . . . . . . . . . . . . . . . . . 3-61
Install the Self-signed Certificate as a Trusted Root
Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-61
Restart the HTTPS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-62
Install the Self-signed Certificate as a Trusted Root
Certificate on Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-62
Manage Digital Certificates for RADIUS . . . . . . . . . . . . . . . . . . . . . . . 4-47
Install the CA Root Certificate on the NAC 800 . . . . . . . . . . . . . . . . . 4-48
Install a Server Certificate for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . 4-49
Create a Self-Signed Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-50
Install a CA-Signed Certificate Using a Request
Generated on the NAC 800 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-52
Install a CA-Signed Certificate Using a Request
Generated on Behalf of the NAC 800 . . . . . . . . . . . . . . . . . . . . . . . 4-57
Manage Certificates on Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-61
Disable Server Validation on Endpoints . . . . . . . . . . . . . . . . . . . . . . . . 4-61
Install a Server Certificate for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . 5-45
Create a Self-Signed Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-45
Install a CA-Signed Certificate Using a Request
Generated on the NAC 800 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-47
Install a CA-Signed Certificate Using a Request
Generated on Behalf of the NAC 800 . . . . . . . . . . . . . . . . . . . . . . . 5-52
Manage Certificates on Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-56
Disable Server Validation on Endpoints . . . . . . . . . . . . . . . . . . . . . . . . 5-56
A Appendix A: Glossary
Overview of the ProCurve NAC 800
Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Hardware Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
Console Ethernet Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Panel LCD and Buttons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Serial Number and MAC Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Ethernet Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Port 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Port 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Server Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Choosing the Server Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Deployment of One MS and Multiple ESs . . . . . . . . . . . . . . . . . . . . 1-7
CS Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Management Server (MS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
Enforcement Server (ES) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Combination Server (CS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Changing the Server Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14
Enforcement Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15
Enforcement Clusters for an MS and ESs . . . . . . . . . . . . . . . . . . . . . . 1-15
Enforcement Clusters for a CS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15
Introduction
The ProCurve Network Access Controller (NAC) 800 is a hardware appliance
that controls endpoints’ access to your network.
You will learn about all of these capabilities in this overview chapter.
The remainder of this management and configuration guide will focus on the
final capability: the NAC 800 as a RADIUS server, either integrated with
ProCurve Identity Driven Manager (IDM) or acting on its own.
To learn more about setting up other capabilities, see the ProCurve Network
Access Controller 800 Users’ Guide.
Hardware Overview
The ProCurve NAC 800 is a hardware appliance that comes in a single model
(J9065A). The device is 1U and mounts on a 19” rack.
You plug the power source into the back panel’s AC power connector.
All other ports, controls, and information displays are on the front panel for
easy access. These include:
■ LEDs
■ Console port
■ Panel LCD
■ Panel buttons
■ USB port, which will be supported in future software releases
■ Serial number and MAC address
■ Two Ethernet ports
LEDs
The NAC 800 has three LEDs on its left front panel:
■ Power LED—glows green when the device is powered on.
■ Fault LED—blinks orange to indicate a problem with the device.
■ Locator LED—glows blue when you turn the LED on through the menu
interface, identifying which device you are configuring
See “Turn the Locator LED On and Off” on page 2-20 of Chapter 2:
“Management Options for the ProCurve NAC 800.”
■ Ethernet Link and Mode LEDs—indicate an open connection, as well
the connection speed
For more information on LEDs, see the ProCurve Network Access Controller
800 Hardware Installation Guide.
In addition, the panel has six buttons which you use to interact with the LCD:
■ Four arrow buttons (left, right, up, and down)
■ An accept button (a checkmark)
■ A cancel button (an X)
You can press the accept button to access the panel LCD menu interface and
complete tasks such as:
■ Set the server type
■ Configure IP settings
■ Reboot and shut down the device
For more information, see “Menu Interface and Panel LCD” on page 2-5 of
Chapter 2: “Management Options for the ProCurve NAC 800.”
Ethernet Ports
The ProCurve NAC 800 contains two 10/100/1000 Base-T ports labelled:
• 1 (left port)
• 2 (right port)
Pay careful attention to which port you connect to a segment of the network:
the NAC 800 handles traffic differently depending on the port on which it
arrives.
To the right of the ports, the NAC 800’s panel features text reminding you of
the purpose of each port, which differs according to the device’s deployment
method. (See “Deployment Methods” on page 1-32.)
Port 1
Port 1 is the port with the NAC 800’s IP address; generally, this port connects
to the network to which the NAC 800 controls access.
Port 2
Port 2’s function depends on the selected quarantine method. You will learn
more about the three methods in “Deployment Methods” on page 1-32.
Server Types
The ProCurve NAC 800 can function as one of three types of server:
■ Management server (MS)
■ Enforcement server (ES)
■ Combination server (CS)
The ESs load balance endpoints among themselves; a cluster with five ESs
can provide timely testing for up to 15,000 endpoints (80 percent of the
endpoints in under 30 seconds). A cluster of ESs also provides high
availability; if one fails, the others continue providing services.
In all of its clusters together, the MS should support no more than 10 ESs.
Note that it is best practice to use an MS and clusters of ESs even when the
individual clusters may require only one ES. For example, a network might
require one NAC 800 to enforce endpoint integrity on 2000 Ethernet endpoints
and one NAC 800 to enforce endpoint integrity on 700 remote endpoints. It is
recommended that you use one MS and two ESs for such an environment,
rather than two CSs, for two reasons:
■ The MS helps you to co-ordinate NAC policies and other settings.
■ The cluster deployment allows your NAC 800s to share licenses.
For more information about roles performed by MSs and ESs, see “Management
Server (MS)” on page 1-11 and “Enforcement Server (ES)” on page 1-13.
You should also read more about enforcement clusters in “Enforcement
Clusters” on page 1-15.
CS Deployment
A CS both controls and enforces settings; it functions on its own. You should
set your NAC 800 to the CS type in either of these circumstances:
■ Your network requires integrity testing for under 3000 endpoints.
■ Your NAC 800 functions as a RADIUS server only and does not test
endpoint integrity.
A RADIUS-only NAC 800 can support more than 3000 endpoints. The precise
number varies, of course, depending on your environment. For example, do
all users log in at roughly the same time or do they log in at various times
throughout the day? How often do network infrastructure devices force users
to re-authenticate? As the answers to these questions vary, so varies the
burden placed on the NAC 800. Under typical usage, a single NAC 800 can
support authentication for 10,000 ports.
Note Your network might require multiple NAC 800s that function as RADIUS
servers—to provide more timely service and redundancy. (See Chapter 7:
“Redundancy and Backup for RADIUS Services.”)
However, you do not need to place the NAC 800s in a cluster; both should still
be CSs.
For more information about roles performed by a CS, see “Combination Server
(CS)” on page 1-13. You should also read more about enforcement clusters in
“Enforcement Clusters” on page 1-15.
For the best performance, an MS should support no more than 10 ESs and no
more than 5 ESs in a single cluster.
The MS runs the Web browser interface, which you access to manage and
configure your NAC 800s. (This management and configuration guide focuses
on completing tasks using this interface.) When you configure a setting on the
MS, the MS transmits it to its ESs, as appropriate.
The MS also serves as the repository for information collected about
endpoints throughout the network. In the MS Web browser interface, you can:
■ Track:
• Detected endpoints
• Endpoint activity:
– Endpoints’ access control status
– Endpoints’ test status
■ Change endpoints access control status
■ Generate reports
An ES:
■ Authenticates endpoints, if operating as a RADIUS server
■ Tests endpoints for integrity
■ Controls endpoints’ access control status based on test (and, possibly,
authentication) results
Note A CS, of course, does not have the processing power or high availability of a
system of multiple ESs and an MS.
Finally, the CS serves as the repository for information collected about
endpoints throughout the network. In the Web browser interface, you can:
■ Track:
• Detected endpoints
• Endpoint activity:
– Endpoints’ access control status
– Endpoints’ test status
■ Change endpoints access control status.
■ Generate reports.
Note Setting the server type always resets the NAC 800 to factory defaults even if
you set the device to its current type. In fact, setting the server type is a quick
way to reset the NAC 800 to factory defaults.
Enforcement Clusters
An enforcement cluster is a group of ESs (or a single CS) that tests,
quarantines, and otherwise controls the same group of endpoints.
A cluster that consists of a group of ESs has these advantages over a single CS:
■ It can test more endpoints—3000 per ES (up to 15,000 total) as opposed
to 3000 total—load balancing the endpoints among themselves.
■ It provides redundancy, each ES testing up to 5000 endpoints should one
of its fellow ESs fail.
The same settings that, on an MS, are configurable per-cluster are also
configured on the CS’s single cluster. However, this cluster is always
selected, so you can ignore this fact.
Endpoint Integrity
Viruses and other malware continue to become ever more pervasive—temporarily
bringing down networks, interfering with productivity, and exposing
potentially sensitive information to hackers. A traditional network
acknowledges one primary entrance for these threats—the Internet—and guards
against them with a firewall between the WAN router and the private network.
But viruses and malware infiltrate networks from many sources. For
example:
■ An increasingly mobile workforce carries laptops in and out of your
company’s private network. A virus picked up over a home Internet
connection can infiltrate your private network when an employee returns
the infected laptop to work.
■ Users—intentionally or unintentionally—accept unsafe traffic over the
Internet. For example, a user might choose to download a trojan, which
is a seemingly innocent application actually intended to cause harm.
■ Users fail to keep their stations updated with patches, leaving them
exposed to malware.
■ Users lower their browser’s security settings so that they can visit unsafe
sites and use unsafe applications.
As you can see, end-users and endpoints play an important role in protecting
your network on all fronts. A network is only as safe as its endpoints; an
endpoint exhibits integrity when it meets criteria such as:
■ Having a firewall and anti-virus software
■ Downloading and installing current patches
■ Enforcing proper browser security settings
■ Being clear of viruses and other malware
But endpoint integrity is a piece of the security puzzle that is particularly hard
to manage. Even if network administrators could ensure that every endpoint
had necessary security settings and solutions, they would find it hard to
prevent users from tampering with those settings.
NAC Tests
The NAC 800 supports many different tests; each test checks for a particular
setting or component on an endpoint. For example, the Windows XP hotfixes
test checks the patches and updates installed on a Windows XP station. And
the IE Internet Security Zone test checks the security level that the endpoint’s
IE browser enforces for Internet Web sites.
■ Software—Windows
These tests check software installed on an endpoint. Some tests look for
required software, such as personal firewalls and anti-virus software.
Other tests look for prohibited software, such as file sharing software.
Another test scans for viruses and other malware.
■ Operating System—Windows
These tests examine a Windows endpoint’s OS, verifying that all required
hotfixes and patches are installed.
■ Browser Security Policy—Windows
These tests verify that an endpoint’s Web browser enforces the proper
level of security for various zones (Internet sites, local sites, trusted sites,
and untrusted sites). The NAC 800 scans Internet Explorer (IE) settings
only.
NAC Test Properties. All NAC tests have properties, which are the criteria
that an endpoint must meet to pass the test. For example, the required
software test checks the software installed on the endpoint. The required
software test properties consist of a list of software. If the endpoint does not
have this software, it fails the test.
For more information about configuring test properties, see “Appendix: Tests
Help” in the ProCurve Network Access Controller 800 Users’ Guide.
For information about scheduling test updates, see “Chapter 3: System
Configuration” in the ProCurve Network Access Controller 800 Users’ Guide.
NAC Test Actions. When an endpoint fails a test, the NAC 800 takes one or
both of these actions:
■ Sends a notification email
■ Quarantines the endpoint, either:
• Immediately
• After a temporary access period (configurable in length)
You choose the actions for each test. For example, the NAC 800 might
immediately quarantine an endpoint with a virus, but grant temporary access
to an endpoint that needs updated patches. And it might only send a
notification email if the endpoint has prohibited software.
NAC Policies
On the ProCurve NAC 800, NAC tests are organized into NAC policies. A NAC
policy dictates how the NAC 800 checks endpoint integrity for particular
endpoints. The policy includes these settings:
■ Name and description
■ Policy for handling endpoints with OSs that the NAC 800 cannot test
■ Retest frequency
■ Policy for handling inactive endpoints
■ List of endpoints to which the policy applies
■ List of activated tests, including the properties and actions particular to
each test
Finally, a NAC policy is defined by its group. See “NAC Policy Groups” on
page 1-22.
The sections below provide more information about each of these settings.
For instructions on configuring them in the Web browser interface of an
MS or CS, see Chapter 6: NAC Policies in the ProCurve Network Access
Controller 800 Users’ Guide.
Name and Description. These settings identify the policy and are entirely
configurable.
Policy for Endpoints with Untestable OSs. The NAC 800 can test
endpoints with these OSs:
■ Windows 98
■ Windows 2000
■ Windows XP Professional
■ Windows XP Home
■ Windows NT
■ Windows Server 2000 or 2003
By default, endpoints that cannot be tested are quarantined. However, you can
choose to grant access to the untestable endpoints. Untestable endpoints fall
into these categories, and you set the policy for handling the endpoints per
category:
■ Windows 95 or ME
■ Unix
■ Any other OS (including Linux and Windows Vista)
Retest Frequency. The NAC 800 supports both pre-connect and post-connect
integrity checks. In other words, to connect to your network, an endpoint
must meet certain criteria, and to stay connected, it must continue to meet
the criteria.
The retest frequency determines how often the NAC 800 implements post-
connect integrity checks. The higher the frequency, the greater the security—
although, of course, integrity checks add some overhead to network traffic.
The quarantining method (about which you will learn more later) affects post-
connect testing. For DHCP quarantining, a changed status does not take effect
until the endpoint sends a new DHCP request. So you should set the lease time
for scopes on your DHCP server quite low—hours rather than days.
For inline or 802.1X quarantining, the changed status takes immediate effect.
For example, with 802.1X quarantining, the NAC 800 commands the device to
which the endpoint connects to re-authenticate the endpoint, which then
receives the new VLAN assignment.
Policy for Inactive Endpoints. This setting applies only when you have
granted access to endpoints with unsupported OSs.
After the NAC 800 grants an unsupported endpoint network access, it cannot
track it in the same way that it does testable endpoints. Instead it listens for
traffic from the unsupported endpoint. As long as the endpoint continues to
generate traffic, the NAC 800 assumes that it is connected and keeps the
firewall rule that granted the endpoint access. If the NAC 800 does not detect
traffic from the endpoint for a certain configurable period, it clears out
the rule, denying access.
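The inactive-endpoint mechanism above, modelled as an added Python example (not the appliance's own code): a tracker keeps the access rule for an untestable endpoint only while it keeps hearing traffic from it and clears the rule once the endpoint has been silent longer than the configured period. The sweep interval, MAC addresses and timestamps are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class InactiveEndpointTracker:
    """Constructed model: an access rule for an untestable endpoint lives
    only while the NAC 800 keeps seeing traffic from that endpoint."""
    inactivity_seconds: int                         # the configurable quiet period
    last_seen: dict = field(default_factory=dict)   # mac -> time of last packet
    log: list = field(default_factory=list)         # (time, mac, event)

    def grant(self, mac, now):
        """The policy granted an untestable endpoint access: add its rule."""
        self.last_seen[mac] = now
        self.log.append((now, mac, "rule added"))

    def saw_traffic(self, mac, now):
        """Any packet from a granted endpoint refreshes its timer.  Traffic
        from an endpoint whose rule was already cleared does not restore
        access; it has to be detected and granted again."""
        if mac in self.last_seen:
            self.last_seen[mac] = now

    def sweep(self, now):
        """Clear the rules of endpoints silent for longer than the quiet period."""
        stale = [m for m, t in self.last_seen.items()
                 if now - t > self.inactivity_seconds]
        for mac in stale:
            del self.last_seen[mac]
            self.log.append((now, mac, "rule cleared"))
        return stale

    def has_access(self, mac):
        return mac in self.last_seen


# Constructed timeline (seconds, MAC, event): endpoint A keeps talking,
# endpoint B goes quiet right after it is granted access.
EVENTS = [
    (0, "00:11:22:33:44:55", "grant"),
    (0, "66:77:88:99:aa:bb", "grant"),
    (120, "00:11:22:33:44:55", "traffic"),
    (400, "00:11:22:33:44:55", "traffic"),
    (700, "66:77:88:99:aa:bb", "traffic"),   # arrives after B's rule was cleared
]


def replay(events, inactivity_seconds=300, sweep_every=60):
    """Feed the events through a tracker, running a periodic sweep between them."""
    tracker = InactiveEndpointTracker(inactivity_seconds)
    clock = 0
    for when, mac, kind in sorted(events):
        while clock + sweep_every <= when:
            clock += sweep_every
            tracker.sweep(clock)
        if kind == "grant":
            tracker.grant(mac, when)
        else:
            tracker.saw_traffic(mac, when)
    return tracker
```

With the default 300-second period, B's rule is cleared at the 360-second sweep and its later packet at 700 seconds does not bring it back; raising the period to 900 seconds keeps B's rule alive.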
List of Endpoints to Which the Policy Applies. Because you can create
multiple NAC policies on your NAC 800s, you should specify to which
endpoints a particular policy applies.
Note A policy does not affect specified endpoints until its group is assigned to a
cluster. See “NAC Policy Groups” on page 1-22.
List of Tests. In each NAC policy, you choose which tests are enforced.
Test properties and actions are configurable per policy. That is, you can create
one list of required software in NAC policy A, but a different list in policy B.
And you could de-activate the required software test entirely in policy C. In
addition, the penalty for failing the test could be immediate quarantining in
policy A, but temporary access in policy B.
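The policy structure described in this section, as an added Python example (not code from the NAC 800 or from HP): each activated test carries its own properties and failure actions, untestable OSs are handled per category, and the harshest action among the failed tests decides the endpoint's access status. The test names, the endpoint self-report format, the members of the Unix category, and the product and hotfix names are assumptions made for the example.

```python
from dataclasses import dataclass, field

NOTIFY, QUARANTINE, TEMP_ACCESS = "notify", "quarantine", "temp_access"

# OSs the guide lists as testable; anything else is handled by category.
TESTABLE_OS = {"Windows 98", "Windows 2000", "Windows XP Professional",
               "Windows XP Home", "Windows NT", "Windows Server 2000",
               "Windows Server 2003"}
IE_LEVELS = ["Low", "Medium-low", "Medium", "High"]  # IE zone levels, weakest first


def untestable_category(os_name):
    """Map an OS the NAC 800 cannot test onto one of its three categories."""
    if os_name in ("Windows 95", "Windows ME"):
        return "Windows 95 or ME"
    if os_name in ("Unix", "Solaris", "AIX", "HP-UX"):  # assumed members of "Unix"
        return "Unix"
    return "Other"  # e.g. Linux, Windows Vista


# Test checks: (endpoint self-report, test properties) -> passed?
def required_software(report, props):
    return set(props) <= set(report["software"])

def prohibited_software(report, props):
    return not (set(props) & set(report["software"]))

def hotfixes(report, props):
    return set(props) <= set(report["hotfixes"])

def ie_internet_zone(report, props):
    return IE_LEVELS.index(report["ie_internet_zone"]) >= IE_LEVELS.index(props)


@dataclass
class NacTest:
    name: str
    check: object                 # one of the check functions above
    properties: object            # criteria the endpoint must meet
    actions: frozenset            # what happens when the endpoint fails
    temp_access_minutes: int = 0  # length of the temporary access period


@dataclass
class NacPolicy:
    name: str
    tests: list                   # the activated tests
    # category -> True grants access; a missing or False entry quarantines
    untestable_access: dict = field(default_factory=dict)


@dataclass
class Decision:
    status: str                   # "access", "temp_access" or "quarantine"
    failed: list                  # names of failed tests
    notify: list                  # failed tests that send a notification email
    temp_access_minutes: int = 0


def evaluate(policy, report):
    """Apply every activated test; the harshest failure action decides."""
    if report["os"] not in TESTABLE_OS:
        granted = policy.untestable_access.get(untestable_category(report["os"]), False)
        return Decision("access" if granted else "quarantine", [], [])
    failed = [t for t in policy.tests if not t.check(report, t.properties)]
    names = [t.name for t in failed]
    notify = [t.name for t in failed if NOTIFY in t.actions]
    if any(QUARANTINE in t.actions for t in failed):
        return Decision("quarantine", names, notify)
    grace = [t.temp_access_minutes for t in failed if TEMP_ACCESS in t.actions]
    if grace:  # the shortest grace period bounds the time left to remediate
        return Decision("temp_access", names, notify, min(grace))
    return Decision("access", names, notify)


# Constructed policy; product names and hotfix IDs are placeholders.
CORPORATE = NacPolicy("Corporate laptops", [
    NacTest("Required software", required_software,
            ["Example Firewall", "Example AntiVirus"], frozenset({QUARANTINE, NOTIFY})),
    NacTest("Windows XP hotfixes", hotfixes,
            ["KB-EXAMPLE-1", "KB-EXAMPLE-2"], frozenset({TEMP_ACCESS}), 240),
    NacTest("Prohibited software", prohibited_software,
            ["Example P2P Client"], frozenset({NOTIFY})),
    NacTest("IE Internet Security Zone", ie_internet_zone,
            "Medium", frozenset({TEMP_ACCESS}), 60),
], untestable_access={"Unix": True})

# Constructed endpoint self-reports.
CLEAN = {"os": "Windows XP Professional", "ie_internet_zone": "Medium",
         "software": ["Example Firewall", "Example AntiVirus"],
         "hotfixes": ["KB-EXAMPLE-1", "KB-EXAMPLE-2"]}
UNPATCHED = dict(CLEAN, hotfixes=["KB-EXAMPLE-1"],
                 software=CLEAN["software"] + ["Example P2P Client"])
NO_FIREWALL = dict(CLEAN, software=["Example AntiVirus"])
VISTA = dict(CLEAN, os="Windows Vista")
SOLARIS = dict(CLEAN, os="Solaris")
```

Running `evaluate(CORPORATE, ep)` over the five sample reports gives full access for the clean station, four hours of temporary access plus an email for the unpatched one, immediate quarantine for the station without a firewall, quarantine for Vista (category "Other", no grant configured) and access for Solaris (category "Unix", granted).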
Testing Methods
The discussion of endpoint integrity tests has not yet addressed a crucial
question: how does the NAC 800 actually run the test? For example, how does
the NAC 800 determine whether the endpoint has a firewall? How does it know
which software the endpoint has installed?
The NAC 800 must ask the endpoint to report information about itself, and the
endpoint must respond. To converse in this way, both the NAC 800 and the
endpoint need compatible mechanisms in place.
One mechanism that allows an endpoint to respond to the NAC 800’s tests is
called an agent; the agent must be installed on the endpoint prior to the test.
Agents fall into two general categories:
■ Permanent agents—once installed remain on the endpoint permanently
■ Transient agents—install on the endpoint temporarily each time the
endpoint is tested
The NAC 800 offers flexible support for endpoint integrity in a variety of
environments because it supports all three common testing methods:
■ NAC Endpoint Integrity (EI) agent (permanent agent)
■ ActiveX (transient agent)
■ Agentless (with Microsoft’s Remote Procedure Call [RPC] protocol)
While each method may require some initial setup on the endpoint
(depending on your environment), once set in place, testing can proceed
smoothly and—as long as the endpoint passes all tests—even without the
end-user’s knowledge.
NAC EI Agent
The NAC 800 stores the ProCurve NAC EI agent application. An end-user can
download and install this agent to his or her endpoint in these ways:
■ Automatically before testing—For example, you can use network
management tools to deploy the agent to many endpoints.
■ Automatically at initial testing—When a NAC 800 that uses the NAC
agent testing method detects an endpoint that does not have the agent, it
installs the agent to the endpoint automatically. The user sees the screen
in Figure 1-6 and, unless he or she cancels the installation, the agent is
installed permanently.
The automatic installation uses ActiveX.
■ Manually—You can instruct users to access the NAC 800 and download
the NAC EI agent manually. The NAC 800 makes the agent available at
this URL:
https://<CS or ES IP address>:89/setup.exe
A user might choose this option because he or she does not want to enable
ActiveX (required for automatic installation).
After the agent is installed, the NAC 800 can test the endpoint as often as
necessary without further end-user interaction.
Requirements for NAC Agent Testing. The agent must be installed on the
endpoint. For the NAC 800 to download the agent to endpoints automatically,
the endpoints must allow ActiveX content from the NAC 800.
Otherwise, either the IT staff or the user must install the NAC agent on the
endpoint before the user attempts to connect to the network.
If a router lies between the NAC 800 and the endpoints, the router must keep
port 1500 open. In most cases, the NAC 800 can automatically open the correct
ports through the endpoints’ firewall.
Note This rule has one exception. You must open port 1500 on an endpoint that
meets these three conditions:
■ Is unmanaged
■ Runs Windows XP
■ Uses a non-SP2 firewall such as Norton
However, the NAC agent does require the initial setup and user interaction
described above.
ActiveX
When using the ActiveX method, the NAC 800 automatically downloads and
installs the ActiveX agent on the endpoint to be tested. Unlike the NAC agent,
after the check is complete, the ActiveX agent is removed from the endpoint.
Requirements for ActiveX Testing. The ActiveX agent uses ActiveX content
and JavaScript. The endpoint’s browser security settings must allow such
content from the NAC 800.
ActiveX testing requires the endpoint’s Web browser to be open for every test.
The Web browser must be IE version 5.0 or 6.0.
If a router lies between the NAC 800 and the endpoints, it must keep port 1500
open. In most cases, the NAC 800 can automatically open the correct ports
through the endpoints’ firewall.
Note This rule has one exception. You must open port 1500 on an endpoint that
meets these three conditions:
■ Is unmanaged
■ Runs Windows XP
■ Uses a non-SP2 firewall such as Norton
However, while the NAC agent requires a one-time installation and user
interaction, the ActiveX agent requires that interaction every time an endpoint
connects. Although the user may not notice the installation if the endpoint
allows ActiveX content without prompting, the installation does add overhead
to network traffic.
IE must be open for the NAC 800 to test the endpoint. If a user closes IE after
his or her endpoint has gained access, the NAC 800 cannot retest the endpoint.
The user can continue to connect to the network—even if the endpoint
becomes non-compliant—for as long as IE is closed.
Agentless
RPC was designed to provide a flexible framework for a variety of
communications between remote devices. The NAC 800 uses RPC to run endpoint
integrity checks on endpoints, which must also support RPC.
In order for an endpoint to accept the RPC messages, the NAC 800 must submit
credentials for an administrator of that endpoint. On the NAC 800, these
credentials are called agentless credentials and can be:
■ Configured in cluster settings—Enter the credentials of an administrator
in the endpoint’s domain.
■ Submitted by the end-user—This option allows agentless testing of a
user who is not a member of your domain. However, because users often
do not know, or are reluctant to share, the proper credentials, this option
is not generally recommended.
Caution Never make agentless testing the only method available to test non-domain
members.
For the user to view all end-user screens, the endpoint’s browser security
settings must allow JavaScript from the NAC 800.
However, you must ensure that the endpoints meet the requirements listed
above, and you must know the correct agentless credentials. For these
reasons, agentless testing works best on managed endpoints that are members
of your domain.
Accessible Services
The NAC 800 allows quarantined endpoints to access the limited set of
resources listed on its Home > System configuration > Accessible services
screen. By default, the screen lists Web sites from which endpoints can
download service packs, patches, and so forth. You can add hostnames and
IP addresses to the list in order to provide additional services for the
quarantined endpoints.
The means by which the NAC 800 restricts quarantined endpoints to the
accessible services differs based on the deployment method. In addition, you
might need to set up your network infrastructure to support the NAC 800’s
restrictions. “Deployment Methods” on page 1-32 explains in more depth.
The High Security NAC policy, a pre-defined policy that includes
approximately 20 tests, can be taken as a general upper bound. The NAC 800
passes approximately 9 to 16 kilobytes of total data between itself and an
endpoint to complete a single testing session with this policy. On a typical
LAN, the testing process takes between 5 and 10 seconds.
RADIUS Server
The Remote Access Dial-In User Service (RADIUS) protocol is an
authentication, authorization, and accounting (AAA) protocol. It allows
your network to:
■ Authenticate end-users—verify that users are who they claim to be
■ Authorize end-users—grant users rights based on their identities
■ Create accounting records—collect information about end-user
activity, including when users connect, how long they connect, and which
resources they consume
The NASs are the points of access for endpoints—for example, switch ports
or wireless access points (APs). When an end-user attempts to connect to a
NAS, the NAS sends an authentication request to its authentication (RADIUS)
server.
If the RADIUS server is also an accounting server, it can receive reports about
the user’s activity from the NAS.
The NAC 800 supports the RADIUS protocol and can act as your network’s
RADIUS server. It supports RADIUS as a stand-alone access control solution
(see “802.1X Deployment Method—RADIUS Server Only” on page 1-42). Or it
can integrate its RADIUS capabilities with endpoint integrity checking (see
“802.1X Deployment Method—Endpoint Integrity With or Without RADIUS”
on page 1-34).
When you manage a NAC 800 with IDM, the NAC 800 has all the capabilities
listed in the section above with these additions:
■ Authenticating users against an easily managed local database
■ Granting users rights, as follows:
• Assigning dynamic settings based on identity, access time, access
location, and endpoint integrity posture
Dynamic settings include:
– VLAN assignment
– ACLs (which control access to network resources)
– Rate limit
■ Logging activity to a centralized location and easily-browsed interface
Information tracked includes:
• Lists of successful and failed authentication attempts
• Lists of currently connected users
Deployment Methods
The NAC 800 can control network access in variety of ways. It can make
decisions based on who is connecting (authentication) as well as on what is
connecting and the risks that device might pose (endpoint integrity).
In addition, the NAC 800 can control network access for endpoints connecting
from a variety of locations, including:
■ A Virtual Private Network (VPN) connection
■ A Wide Area Network (WAN) connection
■ A wireless connection
■ A LAN connection
You must consider all of these factors—which type of access control you
desire for which users in a network with which capabilities—as you determine
how and where to deploy your NAC 800s.
Note When you purchase your NAC 800, you also purchase the ProCurve Network
Access Controller 800 Implementation Start-up Service. Your ProCurve
solutions provider will help you think through options and plan your deployment.
A brief overview of 802.1X will help you understand how the NAC 800 interacts
with other components of an 802.1X solution.
802.1X Overview
Traditionally, 802.1X features three components:
■ Supplicant—The endpoint attempting to connect to the network. The
supplicant must authenticate itself to the network by submitting a
username and either a password or a digital certificate.
■ Authenticator—The access point or the port to which the endpoint
connects. The authenticator can be a switch, an AP, or a Wireless Edge
Services Module. The port is a switch port or an 802.11 association with
a wireless station. The authenticator is responsible for enforcing all
access decisions: opening and closing the port, as well as customizing the
port with dynamic settings such as VLAN assignments.
■ Authentication server—A RADIUS server. The RADIUS server makes
all access decisions. It validates the end-user's credentials, and, if the
credentials check out, it determines whether the user is connecting in an
appropriate manner. (Depending on the RADIUS server's capabilities, the
server may consider factors such as access time, location, and type of
access.) Finally, the RADIUS server can match particular users to
particular dynamic settings, such as VLAN assignments, which it forwards to
the authenticator.
The NAC 800 enters the 802.1X framework as either an authentication server
or a supplement to the authentication server. It adds endpoint integrity to the
process of making access decisions. In other words, the authentication
server’s decision is now based on these factors:
■ End-user identity
■ Other factors such as the time and the endpoint’s location
■ Endpoint integrity (whether the endpoint passes the tests listed in the
NAC policy)
Note IAS is the only option for a system that uses the NAC 800 for endpoint
integrity only. If your network already includes a non-IAS RADIUS server,
however, you can configure the NAC 800 to act as a RADIUS server, but
proxy requests to the existing server (or bind to an existing directory).
■ Both—The NAC 800 authenticates the endpoint like a traditional RADIUS
server. However, it also tests the endpoint's integrity and factors test
results into its access decisions.
Further discussion of the 802.1X deployment method will divide into two
categories:
■ NAC 800 provides endpoint integrity (with or without its internal RADIUS
server).
■ NAC 800 provides RADIUS services only.
Exactly how the NAC 800 assigns users to VLANs depends on several factors,
including whether it integrates with IDM. The rest of this section explains.
You might make this VLAN identical to the quarantine VLAN, or you might
create a different VLAN. In either case, set up the VLAN in the network
infrastructure and complete these steps:
1. Configure your DHCP server to specify the NAC 800 as the DNS server for
this VLAN.
2. Configure network infrastructure devices to restrict endpoints in this
VLAN to services necessary for testing.
If the endpoint has the Healthy or Check-up posture, the NAC 800 allows it to
receive the standard (production) VLAN assignment for that user in that
network:
■ The VLAN assigned through IDM for the Pass status if you have integrated
the NAC 800 with IDM
■ The VLAN assigned through OpenLDAP, eDirectory, or a proxy RADIUS
server if the NAC 800 is configured to authenticate users against one of
those sources
■ The VLAN assigned through IAS if your network uses the IAS plug-in
If, on the other hand, the endpoint has the Quarantine or Infected posture, the
NAC 800 places it in the quarantine VLAN:
■ If you are using IDM (recommended), the VLAN associated with the Fail
or Infected status via a policy group rule
■ If you are not using IDM, the VLAN associated with the Quarantine or
Infected posture in the:
• /etc/raddb/SAFreeRadiusConnector.conf file
• SAIASConnector.ini file (if using the IAS plug-in)
Note If you desire, you can place infected endpoints in a separate VLAN from other
quarantined endpoints.
As for the guest VLAN, scopes on the network’s DHCP servers should specify
the NAC 800 as DNS server for the quarantine VLAN.
It is by acting as the DNS server that the NAC 800 controls the quarantined
endpoints. Whenever a quarantined user attempts to navigate to a Web page,
its endpoint sends a DNS request to the NAC 800. If the requested hostname
(or the IP address to which that hostname resolves) is on the accessible
services list, the NAC 800 sends a DNS response with the correct IP address.
The user reaches the Web page. On the other hand, if the requested hostname
is not on the list, the NAC 800 sends its own IP address in the response,
redirecting the user to a Web page such as the one shown in Figure 1-8.
The user cannot reach non-accessible Web sites until he or she has fixed the
problem.
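The DNS decision just described, as an added illustration that is not ProCurve code: a quarantined endpoint's query is answered with the real address only when the hostname, or the address it resolves to, is on the accessible services list; otherwise the NAC 800 answers with its own address. The accessible services list, the upstream answers, and the NAC 800 address 10.1.2.5 are constructed sample values.

```python
import ipaddress
from typing import Callable, Iterable, Optional


class AccessibleServices:
    """Accessible services list: entries are hostnames or IP addresses."""

    def __init__(self, entries: Iterable[str]):
        self.hosts = set()
        self.ips = set()
        for raw in entries:
            entry = raw.strip().lower()
            if not entry or entry.startswith("#"):
                continue
            try:
                self.ips.add(ipaddress.ip_address(entry))
            except ValueError:
                self.hosts.add(entry.rstrip("."))

    def allows(self, hostname: str, resolved: Optional[str]) -> bool:
        """True if the name itself or the address it resolves to is listed."""
        if hostname.lower().rstrip(".") in self.hosts:
            return True
        if resolved is None:
            return False
        try:
            return ipaddress.ip_address(resolved) in self.ips
        except ValueError:
            return False


def quarantine_dns_answer(hostname: str, upstream: Callable[[str], Optional[str]],
                          services: AccessibleServices, nac_ip: str) -> str:
    """Address the NAC 800 returns to a quarantined endpoint for hostname.

    A listed name that resolves upstream gets its real address; anything else
    (unlisted, or listed but unresolvable) is redirected to the NAC 800 itself,
    which serves the remediation page.  The second case is an assumption."""
    real = upstream(hostname)
    if real is not None and services.allows(hostname, real):
        return real
    return nac_ip


# Constructed sample data: an upstream resolver table and a services list.
UPSTREAM = {
    "update.example.com": "203.0.113.10",
    "patches.example.com": "198.51.100.7",
    "www.example.org": "192.0.2.44",
}
SERVICES = AccessibleServices(["update.example.com", "198.51.100.7", "# comment"])
NAC_IP = "10.1.2.5"


def lookup(hostname: str) -> Optional[str]:
    return UPSTREAM.get(hostname.lower().rstrip("."))


def demo_answers() -> dict:
    """Answers a quarantined endpoint would get for four sample names."""
    names = ["update.example.com", "patches.example.com",
             "www.example.org", "nosuchhost.example.net"]
    return {n: quarantine_dns_answer(n, lookup, SERVICES, NAC_IP) for n in names}
```

patches.example.com is allowed only because its resolved address 198.51.100.7 is listed, which is the "or the IP address to which that hostname resolves" case in the text.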
You could also set up ACLs on network infrastructure devices that limit
endpoints in the quarantine VLAN. For example, you might deny the
quarantine subnet access to all private addresses except for the NAC 800’s and a
DHCP server. The NAC 800 handles controlling the quarantined endpoints’
access to external sites.
However, to properly implement endpoint integrity testing, the NAC 800 must
receive mirrored traffic from the DHCP server. This allows the NAC 800 to
discover an endpoint’s IP address after it connects and is placed in a VLAN.
The NAC 800 can then test and re-test the device as necessary.
Note The following deployment instructions apply to CSs and ESs. An MS simply
requires connectivity to ESs. To deploy an MS, connect its port 1 to an
infrastructure switch.
If you are using a cluster deployment, only one ES in the 802.1X enforcement
cluster needs to receive mirrored DHCP traffic. However, you should mirror
traffic to two ESs for the sake of redundancy.
4. Determine the source of credentials and take any steps necessary to allow
the NAC 800 to access this source:
• NAC 800’s local database—ProCurve Networking recommends
that you always use IDM to configure the local database.
See “Configure Authentication to the NAC 800’s Local Database” on
page 4-14 of Chapter 4: “Configuring the RADIUS Server—Integrated
with ProCurve Identity Driven Manager.”
• Proxy RADIUS server—Add the NAC 800 to the proxy server’s
client list.
Set up the NAC 800 as described in “Configure Authentication to a
Proxy RADIUS Server” on page 4-29 of Chapter 4: “Configuring the
RADIUS Server—Integrated with ProCurve Identity Driven Manager”
or “Configure Authentication to a Proxy RADIUS Server” on page 5-23
of Chapter 5: “Configuring the RADIUS Server—Without Identity
Driven Manager.”
• Active Directory (AD), OpenLDAP, or eDirectory—In the
NAC 800’s Web browser interface, bind it to the directory.
If using IDM, see “Configure Authentication to a Windows Domain”
on page 4-16 or “Configure Authentication to an LDAP Server” on page
4-20 of Chapter 4: “Configuring the RADIUS Server—Integrated with
ProCurve Identity Driven Manager.”
If not using IDM, see “Configure Authentication to a Windows
Domain” on page 5-10 or “Configure Authentication to an LDAP
Server” on page 5-14 of Chapter 5: “Configuring the RADIUS Server—
Without Identity Driven Manager.”
5. Send mirrored DHCP traffic to the NAC 800. Either:
• Connect the NAC 800’s port 2 to the same switch to which the DHCP
server is connected. Make the NAC 800’s switch port the mirror port,
and the DHCP server’s port the monitored port.
• If you cannot connect the NAC 800’s port 2 to the DHCP server’s
switch, you must set up remote mirroring. For instructions on setting
up this capability on a ProCurve Switch 3500yl/5400zl/6200yl Series,
see the Management and Configuration Guide for the ProCurve
Series 3500yl, 6200yl, and 5400zl Switches.
6. Throughout the network, set up the guest VLAN (for not-yet-tested
endpoints) and the quarantine VLAN:
a. Configure the appropriate VLAN ID for each integrity posture:
– If you are using IDM, create policy group rules to match the
Unknown, Fail, and Infected postures to the profile with the
appropriate VLAN assignment.
See the ProCurve Identity Driven Manager User’s Guide.
– If you are not using IDM, set the VLAN IDs in the /etc/raddb/
SAFreeRadiusConnector.conf file on the NAC 800.
b. If the VLANs selected for untested or failed endpoints do not yet exist,
create them on network infrastructure devices such as routers and
switches. Apply ACLs to restrict traffic routed in and out of the
VLANs.
c. Create DHCP scopes for the guest and quarantine VLANs. Specify the
NAC 800 as the DNS server.
7. Set up NAC policies and testing methods.
See the ProCurve Network Access Controller 800 Users’ Guide.
Deploy a NAC 800 That Provides Endpoint Integrity Only. For a NAC
800 that enforces endpoint integrity with the 802.1X quarantine method, but
relies on IAS to authenticate users, follow these steps:
1. Install the NAC 800, connecting its ports as follows:
• Port 1—to any port in your production network
• Port 2—to a port that can receive mirrored DHCP traffic
Unless your network devices support remote mirroring, this port
should be on the same switch to which the DHCP server connects.
2. Give the NAC 800 an IP address in the appropriate VLAN.
3. Send mirrored DHCP traffic to the NAC 800. Either:
• Connect the NAC 800’s port 2 to the same switch to which the DHCP
server is connected. Make the NAC 800’s switch port the mirror port,
and the DHCP server’s port the monitored port.
• If you cannot connect the NAC 800’s port 2 to the DHCP server’s
switch, you must set up remote mirroring. For instructions on setting
up this capability on a ProCurve Switch 3500yl/5400zl/6200yl Series,
see the Management and Configuration Guide for the ProCurve
Series 3500yl, 6200yl, and 5400zl Switches.
Switches, APs, and other NASs contact the NAC 800 when an end-user
attempts to connect to the network. The NAC 800 checks the user’s credentials
against its local database, another RADIUS server, or a directory. Then it
informs the NAS whether the endpoint can connect.
If you use IDM to manage the NAC 800, the NAC 800 can also factor access
time and location into its decisions, as well as send dynamic VLAN
assignments, ACLs, and rate limits.
3. Determine the source of credentials and take any steps necessary to allow
the NAC 800 to access this source:
• NAC 800’s local database—ProCurve Networking recommends
that you always use IDM to configure the local database.
See “Configure Authentication to the NAC 800’s Local Database” on
page 4-14 of Chapter 4: “Configuring the RADIUS Server—Integrated
with ProCurve Identity Driven Manager.”
• Proxy RADIUS server—Add the NAC 800 to the proxy server’s
client list.
Set up the NAC 800 as described in “Configure Authentication to a
Proxy RADIUS Server” on page 4-29 of Chapter 4: “Configuring the
RADIUS Server—Integrated with ProCurve Identity Driven Manager”
or “Configure Authentication to a Proxy RADIUS Server” on page 5-23
of Chapter 5: “Configuring the RADIUS Server—Without Identity
Driven Manager.”
• Active Directory (AD), OpenLDAP, or eDirectory—In the
NAC 800’s Web browser interface, bind it to the directory.
If using IDM, see “Configure Authentication to a Windows Domain”
on page 4-16 or “Configure Authentication to an LDAP Server” on page
4-20 of Chapter 4: “Configuring the RADIUS Server—Integrated with
ProCurve Identity Driven Manager.”
If not using IDM, see “Configure Authentication to a Windows
Domain” on page 5-10 or “Configure Authentication to an LDAP
Server” on page 5-14 of Chapter 5: “Configuring the RADIUS Server—
Without Identity Driven Manager.”
The NAC 800 stands between endpoints and the DHCP server, intercepting
and responding to these requests based on endpoints’ integrity postures.
Note The NAC 800 forwards all non-DHCP traffic to the server without interfering
with it.
The NAC 800 forwards DHCP requests from endpoints with the Healthy or the
Check-up posture on to the DHCP server, which issues the endpoints IP
addresses and other configurations just as it would were the NAC 800 not
present.
However, the NAC 800 intercepts DHCP requests from endpoints with the
Unknown, Quarantine, or Infected postures and responds to these requests in
lieu of the network DHCP server. To do so, the NAC 800 uses the configuration
for the quarantine area, which includes:
■ The quarantine subnet address and range of IP addresses available for
endpoints within that subnet
■ Default router for the quarantine subnet
Acting as the DNS server allows the NAC 800 to inform quarantined users why
they cannot reach the sites they are attempting to reach. When a quarantined
user opens a Web browser and attempts to reach a non-accessible Web site
(not on the accessible services list), the NAC 800 receives the DNS request to
resolve the hostname. It sends its own IP address to the user’s endpoint, and
the user sees the page such as the one shown in Figure 1-11, which helps him
or her begin to remediate the endpoint.
Note An end-user who has the technical savvy to give his or her station a valid IP
address can circumvent DHCP quarantining. This is one reason that 802.1X is
the recommended option for high security.
The simplest scenario is a network with a single DHCP server and fewer than
3000 users. This network requires a single NAC 800, which is set to the CS
type. The NAC 800’s port 1 connects to a switch in the production network,
and its port 2 connects to the DHCP server. The NAC 800 and the DHCP server
require IP addresses on the same subnet.
Figure 1-12. DHCP Deployment—Single NAC 800 and Single DHCP Server
If your network uses more than one DHCP server, you should connect the
servers to the same switch. Then connect the NAC 800’s port 2 to that switch
as well. Do not connect any other devices to the switch as those devices could
then circumvent the NAC 800. As shown in Figure 1-13, the NAC 800’s port 1
connects to a switch that links it to the rest of the network.
Figure 1-13. DHCP Deployment—Single NAC 800 and Multiple DHCP Servers
You can modify the design as necessary for a larger network. For example,
you might install several NAC 800s in a cluster deployment to support a
network with a large number of users. Install the MS wherever you desire.
Then install at least one ES between the DHCP servers and the rest of the
network.
One ES standing between the network and the DHCP servers is sufficient. That
ES shares information with the other ESs, which can test the endpoints from
anywhere in the network. However, to provide redundancy, at least two ESs
should be able to intercept the DHCP traffic.
If your network’s DHCP servers must receive requests from VLANs not their
own, you must set up helper addresses.
Your network probably already includes several production (or user) VLANs,
each with its own subnet. However, users might not require every available IP
address in a subnet. A good network design often reserves certain addresses
in each subnet for future use. You can now exploit those reserved IP addresses
for a quarantine subnet.
For example, your network might include three Class C user subnets, each
with 100 users:
■ 10.1.2.0/24
■ 10.1.3.0/24
■ 10.1.4.0/24
Currently, your DHCP server assigns users addresses in the 25 to 125 range
(for example, 10.1.2.25 to 10.1.2.125). This means that the second half of
each subnet (10.1.X.128/25) is available for quarantined endpoints.
On the NAC 800, you must set up a separate quarantine area for each
production subnet. Specify the quarantine subnets for the areas as follows:
■ Area 1—Quarantine subnet = 10.1.2.128/25
■ Area 2—Quarantine subnet = 10.1.3.128/25
■ Area 3—Quarantine subnet = 10.1.4.128/25
For the quarantine subnet’s default router, specify the IP address of the router
in the associated production subnet. It does not matter that this IP address is
outside the range of the quarantine subnet because, in actual fact, the network
infrastructure considers the quarantine subnet to be part of the production
subnet.
You will set the non-quarantine subnet for each quarantine area as the portion
of the associated production VLAN that is already in use. All healthy
endpoints, all network servers, and the NAC 800 require addresses in one of
these ranges:
■ Area 1—Non-quarantine subnet = 10.1.2.0/25
■ Area 2—Non-quarantine subnet = 10.1.3.0/25
■ Area 3—Non-quarantine subnet = 10.1.4.0/25
The network DHCP server continues to assign IP addresses from the complete
Class C network. It is very important, of course, that the range exclude IP
addresses designated for quarantined endpoints.
■ Scope 1
Network = 10.1.2.0/24
Range = 10.1.2.25-10.1.2.125
■ Scope 2
Network = 10.1.2.0/24
Range = 10.1.2.25-10.1.2.125
■ Scope 3
Network = 10.1.4.0/24
Range = 10.1.4.25-10.1.4.125
Of course, if you have selected the ACL option for network access control,
you must apply ACLs to the production VLANs in order to control traffic from
IP addresses in the quarantine range.
The static route option can be attractive because you do not have to alter
configurations on existing infrastructure devices.
For example, your network might include two Class C subnets, each with
250 users:
■ 192.168.8.0/24
■ 192.168.12.0/24
For each existing Class C subnet, you will add a new Class C subnet for the
quarantine subnet.
On the NAC 800, you set up two quarantine areas and specify one quarantine
subnet for each production subnet:
■ Area 1
Quarantine subnet = 192.168.9.0/24
Non-quarantine subnet = 192.168.8.0/24
■ Area 2
Quarantine subnet = 192.168.13.0/24
Non-quarantine subnet = 192.168.12.0/24
With this option, quarantined endpoints are placed in a truly separate subnet.
Therefore, they require a default gateway with an IP address in that subnet.
For example:
■ Area 1—Default gateway = 192.168.9.1
■ Area 2—Default gateway = 192.168.13.1
You should now add the IP addresses you specified for quarantine subnets’
default gateways:
VLAN 2
IP address = 192.168.8.1/24
IP address = 192.168.9.1/24
VLAN 3
IP address = 192.168.12.1/24
IP address = 192.168.13.1/24
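An added planning check, not part of the guide, that covers both quarantine layouts described above: a quarantine range carved out of the unused half of a production /24 (whose default router stays the production router), and a separate quarantine /24 reached by a static route (which needs a gateway inside it). It also verifies that the network DHCP server's scopes never hand out quarantine addresses and that every non-quarantine subnet has a scope. The subnet values are the guide's examples; the router and gateway addresses and the scope ranges for the 192.168.x.0 subnets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class QuarantineArea:
    name: str
    production: IPv4Net       # subnet configured on the VLAN's router interface
    quarantine: IPv4Net       # addresses the NAC 800 hands to quarantined endpoints
    non_quarantine: IPv4Net   # part of the production VLAN in normal use
    default_router: IPv4Addr  # default gateway given to quarantined endpoints


@dataclass(frozen=True)
class DhcpScope:
    network: IPv4Net
    first: IPv4Addr
    last: IPv4Addr


def layout(area: QuarantineArea) -> str:
    """'carved': the quarantine range is the unused half of the production
    subnet (10.1.X.128/25).  'separate': it is its own subnet (static route)."""
    return "carved" if area.quarantine.subnet_of(area.production) else "separate"


def check_area(area: QuarantineArea) -> List[str]:
    """Problems found in one quarantine area's addressing."""
    problems = []
    if not area.non_quarantine.subnet_of(area.production):
        problems.append(f"{area.name}: {area.non_quarantine} is outside {area.production}")
    if area.quarantine.overlaps(area.non_quarantine):
        problems.append(f"{area.name}: quarantine and non-quarantine subnets overlap")
    if layout(area) == "carved":
        # The infrastructure still sees one production subnet, so quarantined
        # endpoints use the production router even though it is outside their range.
        if area.default_router not in area.production or area.default_router in area.quarantine:
            problems.append(f"{area.name}: default router must be the production router")
    elif area.default_router not in area.quarantine:
        # A truly separate subnet needs a gateway address inside it.
        problems.append(f"{area.name}: default gateway must lie inside {area.quarantine}")
    return problems


def check_scopes(areas: Sequence[QuarantineArea],
                 scopes: Sequence[DhcpScope]) -> List[str]:
    """The network DHCP server must never lease a quarantine address, and each
    non-quarantine subnet needs a scope that serves it."""
    problems = []
    for s in scopes:
        if s.first > s.last or s.first not in s.network or s.last not in s.network:
            problems.append(f"scope {s.network}: range {s.first}-{s.last} is not inside it")
            continue
        for a in areas:
            q = a.quarantine
            if s.first <= q.broadcast_address and s.last >= q.network_address:
                problems.append(f"scope {s.network}: range {s.first}-{s.last} "
                                f"overlaps quarantine subnet {q} ({a.name})")
    for a in areas:
        if not any(s.first in a.non_quarantine and s.last in a.non_quarantine
                   for s in scopes):
            problems.append(f"{a.name}: no DHCP scope serves {a.non_quarantine}")
    return problems


def audit(areas: Sequence[QuarantineArea], scopes: Sequence[DhcpScope]) -> List[str]:
    """All problems across the areas and the DHCP scopes (empty list = clean)."""
    return [p for a in areas for p in check_area(a)] + check_scopes(areas, scopes)


def sample_areas() -> List[QuarantineArea]:
    """Subnets are the guide's examples; router/gateway addresses are constructed."""
    carved = [QuarantineArea(f"Area {i}", IPv4Net(f"10.1.{o}.0/24"),
                             IPv4Net(f"10.1.{o}.128/25"), IPv4Net(f"10.1.{o}.0/25"),
                             IPv4Addr(f"10.1.{o}.1"))
              for i, o in ((1, 2), (2, 3), (3, 4))]
    separate = [QuarantineArea(f"Route area {i}", IPv4Net(f"192.168.{p}.0/24"),
                               IPv4Net(f"192.168.{q}.0/24"), IPv4Net(f"192.168.{p}.0/24"),
                               IPv4Addr(f"192.168.{q}.1"))
                for i, p, q in ((1, 8, 9), (2, 12, 13))]
    return carved + separate


def sample_scopes() -> List[DhcpScope]:
    """Constructed scopes: the text's 25-125 ranges plus one per 192.168 subnet."""
    scopes = [DhcpScope(IPv4Net(f"10.1.{o}.0/24"), IPv4Addr(f"10.1.{o}.25"),
                        IPv4Addr(f"10.1.{o}.125")) for o in (2, 3, 4)]
    scopes += [DhcpScope(IPv4Net(f"192.168.{p}.0/24"), IPv4Addr(f"192.168.{p}.10"),
                         IPv4Addr(f"192.168.{p}.250")) for p in (8, 12)]
    return scopes
```

Run audit(sample_areas(), sample_scopes()) to list problems; extending a scope's range past .127 of a halved subnet, or giving a separate quarantine subnet a gateway outside it, is reported immediately.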
However you establish the quarantine subnets, the infrastructure devices now
require two helper addresses:
■ The network DHCP server’s
■ The NAC 800’s (the CS or the ES that is connected to the DHCP server)
Which device should act as the DHCP server changes as an endpoint’s integrity
posture changes. However, the NAC 800 handles this issue: it simply drops the
request if it is destined to the wrong IP address. (See Table 1-1).
For example, should the switch (or other device) send a DHCP request from
a healthy station to the NAC 800’s address, the NAC 800 simply ignores it. The
switch, not receiving a reply, next sends the request to the DHCP server’s
address; because the endpoint is healthy, the NAC 800 forwards the request
to the server.
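The helper-address behaviour above, as an added model that is not ProCurve code: requests from Healthy or Check-up endpoints are forwarded to the network DHCP server, requests from Unknown, Quarantine or Infected endpoints are answered from the matching quarantine area with the NAC 800 as DNS server, and a request aimed at the wrong address is dropped so the relay's next helper address takes over. Assumptions: the relay agent address (giaddr) picks the quarantine area, a quarantined endpoint's request aimed at the real server is the "wrong address" case, and the lease bookkeeping, addresses 10.1.2.5 and 10.1.2.10, and MAC addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IPv4Addr = ipaddress.IPv4Address
IPv4Net = ipaddress.IPv4Network

# Postures whose requests reach the network DHCP server, versus postures the
# NAC 800 answers itself from the quarantine area.
FORWARDED = {"Healthy", "Check-up"}
INTERCEPTED = {"Unknown", "Quarantine", "Infected"}


@dataclass
class QuarantineArea:
    quarantine: IPv4Net       # e.g. 10.1.2.128/25
    non_quarantine: IPv4Net   # e.g. 10.1.2.0/25
    default_router: IPv4Addr  # production router, e.g. 10.1.2.1
    leases: Dict[str, IPv4Addr] = field(default_factory=dict)  # constructed bookkeeping

    def lease_for(self, mac: str) -> IPv4Addr:
        """Give an endpoint a quarantine address, reusing one it already holds."""
        if mac not in self.leases:
            used = set(self.leases.values()) | {self.default_router}
            free = next((ip for ip in self.quarantine.hosts() if ip not in used), None)
            if free is None:
                raise RuntimeError(f"quarantine pool {self.quarantine} exhausted")
            self.leases[mac] = free
        return self.leases[mac]


@dataclass
class Nac800:
    ip: IPv4Addr
    dhcp_server: IPv4Addr
    areas: List[QuarantineArea]
    postures: Dict[str, str] = field(default_factory=dict)  # MAC -> posture

    def area_for(self, giaddr: IPv4Addr) -> Optional[QuarantineArea]:
        # Assumption: the relay agent address identifies the production subnet,
        # and therefore the quarantine area, the endpoint belongs to.
        return next((a for a in self.areas if giaddr in a.non_quarantine), None)

    def handle(self, mac: str, dst: IPv4Addr, giaddr: IPv4Addr) -> dict:
        """What the NAC 800 does with one relayed DHCP request addressed to dst.
        An endpoint it has not tested yet carries the Unknown posture."""
        posture = self.postures.get(mac, "Unknown")
        if posture in FORWARDED:
            if dst == self.dhcp_server:
                return {"action": "forward", "to": str(self.dhcp_server)}
            # The guide's example: a healthy station's request aimed at the
            # NAC 800's own address is simply ignored.
            return {"action": "drop", "reason": "healthy endpoint addressed the NAC 800"}
        if posture not in INTERCEPTED:
            return {"action": "drop", "reason": f"unknown posture {posture!r}"}
        if dst != self.ip:
            # Assumption: the wrong-address rule applied the other way round.
            return {"action": "drop", "reason": "quarantined endpoint addressed the DHCP server"}
        area = self.area_for(giaddr)
        if area is None:
            return {"action": "drop", "reason": f"no quarantine area for relay {giaddr}"}
        return {"action": "offer", "posture": posture, "ip": str(area.lease_for(mac)),
                "router": str(area.default_router),
                "dns": str(self.ip)}  # the NAC 800 is the quarantined endpoint's DNS


def relay(nac: Nac800, mac: str, giaddr: IPv4Addr, helpers: List[IPv4Addr]) -> dict:
    """The switch sends the request to each helper address in turn; the first
    answer wins, so a dropped request costs only one extra attempt."""
    for helper in helpers:
        result = nac.handle(mac, helper, giaddr)
        if result["action"] != "drop":
            return result
    return {"action": "drop", "reason": "no helper address answered"}


def build_demo() -> Nac800:
    """Constructed topology: the three halved /24s from the text, the NAC 800 at
    10.1.2.5, the network DHCP server at 10.1.2.10, two endpoints with known postures."""
    areas = [QuarantineArea(IPv4Net(f"10.1.{o}.128/25"), IPv4Net(f"10.1.{o}.0/25"),
                            IPv4Addr(f"10.1.{o}.1")) for o in (2, 3, 4)]
    return Nac800(IPv4Addr("10.1.2.5"), IPv4Addr("10.1.2.10"), areas,
                  {"00:11:22:33:44:55": "Healthy", "66:77:88:99:aa:bb": "Quarantine"})
```

With helpers [10.1.2.5, 10.1.2.10] a healthy endpoint is dropped on the first try and forwarded on the second, while a quarantined endpoint relayed from 10.1.3.1 is offered the first free address in 10.1.3.128/25.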
Clearly, you cannot deploy an individual NAC 800 between every endpoint and
its switch port. Inline quarantining is a viable option only when many end-
points connect to your network through a single point of access. Examples
include:
■ A VPN—Remote users access the production network through the
Internet. Each remote user sets up a secure tunnel with the VPN gateway device
at the production network. Checking the integrity of the remote endpoints
is particularly important as they are otherwise beyond your control.
■ A WAN—A WAN is a network that connects several sites over private
connections such as T1 or E1 cable or ADSL lines. For example, branch
offices might connect to a company headquarters. For whatever reason,
you might want to test the integrity of endpoints at a remote office before
they connect to the segment of the WAN under your control.
■ A wireless network—A device such as the ProCurve Wireless Edge
Services Module controls many RPs and may provide many wireless users
their access point to the production network. Especially when the
wireless users connect with their own equipment, the network should test
their integrity. Even non-coordinated APs, which support fewer users, can
act as choke points.
Typically, however, you would not use the inline method to control a
wireless network for several reasons:
• The Wireless Edge Services Module and ProCurve APs support 802.1X
authentication, and, for a wireless network that takes advantage of
that option, you should choose the 802.1X deployment method.
• All traffic from the module or the APs must be forwarded through the
NAC 800 in the same VLAN.
However, some networks use an alternative such as WPA-PSK and place
all users in the same VLAN. In this case, inline quarantining might provide
a higher security option than DHCP.
In other words, endpoints on the port 2 side of the NAC 800 can access any
resources that are also on the port 2 side. However, they cannot access any
resources on the port 1 side until they have proved compliance with the
appropriate NAC policies.
For inline quarantining, you must specify IP addresses rather than host names
in the accessible services list. You can specify a port number to allow a specific
service. For example, to manage a router with IP address 10.1.44.50 using
SNMP, add this line to the accessible services list:
10.1.44.50:161
VPN Endpoints (Remote Users). Figure 1-14 shows a typical design for
deploying a NAC 800 to control remote endpoints that connect through a VPN.
You connect port 2 of the NAC 800 directly to the gateway device. You connect
the NAC 800’s port 1 to the rest of the network, typically a core switch.
Then set the server type to CS or ES. Choose CS if the NAC 800 will act on its
own—typically because:
■ Your network supports fewer than 3000 remote users
■ You only want to test remote endpoints
If the VPN supports more than 3000 users, you should deploy a cluster of ESs
to test the remote endpoints. Connect the ESs to switches on their port 2; then
connect the VPN gateway to all of these switches. This design, with its
redundant connections, creates a network loop. It is very important to activate
Spanning Tree Protocol (STP) or Rapid STP (RSTP) on the switches to prevent
broadcast storms.
You deploy the NAC 800 in a similar position. Connect its port 2 to the WAN
router and its port 1 to a core switch. Then set the type to CS or ES, basing
your decision on the factors discussed in the previous section.
If you are controlling wireless endpoints that connect through an AP, simply
deploy the NAC 800 as described in the previous sections, with the AP in the
place of the VPN gateway or the WAN router. Or connect several APs to a
switch and then place the NAC 800 between that switch and the rest of the
network. Make sure that the APs forward all traffic into the network in the
same VLAN.
Because a Wireless Edge Service Module connects to the rest of the network
on an internal uplink port, you cannot connect that port directly to the NAC
800. Instead, connect the NAC 800’s port 2 to the wireless services-enabled
switch. Connect the NAC 800’s port 1 to another switch. Make sure that the
wireless services-enabled switch connects only to other endpoints, not to
other switches; otherwise, the wireless endpoints could access the production
network without passing through the NAC 800. The wireless network should
be on the same VLAN as the wired endpoints. (You can test the integrity of the
wired endpoints, or you can exempt them from testing, as you choose.)
Note The RPs can be installed anywhere in the network. They encapsulate all
wireless traffic and forward it to the Wireless Edge Services Module. Logically,
therefore, the module is the single point of access for the wireless endpoints.
You will need to set up Layer 3 adoption for the RPs so that they can become
adopted through the NAC 800. See the Wireless Edge Services xl Module
Management and Configuration Guide or the Wireless Edge Services zl
Module Management and Configuration Guide.
Management Options for the ProCurve NAC 800
Contents
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Menu Interface and Panel LCD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Access the Menu Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Console Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
SSH Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Navigate the Menu Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
Configure Initial Settings with the Menu Interface . . . . . . . . . . . . . . . . 2-9
Set the Server Type with the Menu Interface . . . . . . . . . . . . . . . . 2-10
Set the IP Address with the Menu Interface . . . . . . . . . . . . . . . . . 2-12
Test IP Settings (Ping) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13
Change the Password to the Menu Interface . . . . . . . . . . . . . . . . . . . . 2-15
Complete Other Tasks in the Menu Interface . . . . . . . . . . . . . . . . . . . 2-17
Reboot the NAC 800 in the Menu Interface . . . . . . . . . . . . . . . . . 2-18
Shut Down the NAC 800 in the Menu Interface . . . . . . . . . . . . . . 2-19
Turn the Locator LED On and Off . . . . . . . . . . . . . . . . . . . . . . . . . 2-20
View System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21
Access the Panel LCD Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-22
Navigate the Panel LCD Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23
Configure Initial Settings with the Panel LCD Menu . . . . . . . . . . . . . 2-24
Set the Server Type with the Panel LCD Menu . . . . . . . . . . . . . . 2-24
Set the IP Address with the Panel LCD Menu . . . . . . . . . . . . . . . 2-26
Test IP Settings (Ping) with the Panel LCD Menu . . . . . . . . . . . . 2-28
Overview
This chapter introduces you to the options for managing and configuring the
ProCurve NAC 800.
The available options depend on your NAC 800’s server type, which can be:
■ Management server (MS)
■ Enforcement server (ES)
■ Combination server (CS)
See Chapter 1: “Overview of the ProCurve NAC 800” for more information on
the roles played by each server type.
The following sections of this chapter guide you through the process of
accessing and navigating each management option.
Note You must use the menu interface or panel LCD menu to set up some basic
options before you can access the Web browser interface.
Note All instructions assume that you have installed and powered on the NAC 800,
as explained in the ProCurve Network Access Controller 800 Hardware
Installation Guide.
Menu Interface and Panel LCD
Console Session
Follow these steps to access the menu interface through a console session:
1. Your NAC 800 ships with a console cable. Plug the cable’s Ethernet (RJ45)
connector into the Console Ethernet port, which is located on the left
front panel of the NAC 800.
2. Plug the cable’s DB-9 connector into a console port on your management
workstation.
3. Use terminal session software such as Tera Term to open a console session
with the NAC 800. Use the following settings:
• Baud rate = 9600
• Bits = 8
• Stop bits = 1
• Parity = None
• Flow control = None
• For the Windows Terminal program, disable (uncheck) the “Use
Function, Arrow, and Ctrl Keys for Windows” option.
• For the Hilgraeve HyperTerminal program, select the “Terminal keys”
option for the “Function, arrow, and ctrl keys act as” parameter.
4. When prompted for your username, enter admin.
5. When prompted, enter your password (default, procurve).
SSH Session
Follow these steps to access the menu interface through an SSH session:
1. Open an SSH session with the NAC 800.
Use an SSH-capable terminal session application such as Tera Term or
PuTTY.
You must specify the NAC 800’s IP address. Its default address is
192.168.0.2, and the NAC 800 does not initially have a default gateway.
Unless you can reach the default IP address, you must set the NAC 800’s
IP address (using either a console session or the panel LCD) before you
can open the SSH session. (See “Configure Initial Settings with the Menu
Interface” on page 2-9 or “Configure Initial Settings with the Panel LCD
Menu” on page 2-24.)
2. When prompted for your username, enter admin.
3. When prompted, enter your password (default, procurve).
Below the screen name are listed various options. Press a number to select
the option and move to a new screen.
Note In this management and configuration guide, the following instructions
indicate that you should simply press a key on your keyboard:
Press [keyname].
The following instructions, on the other hand, indicate that you should type
in the indicated string and then press [Enter]:
Enter <string>.
Instructions for using the menu interface include figures. The figure caption
lists the options that you must select to reach the illustrated screen from the
Application Main Menu.
For example, Figure 2-5 shows the Server Type screen. To reach this screen,
you must press [1] twice from the Application Main Menu.
Figure 2-5. Application Main Menu > 1. Configuration > 1. Server Type
In any screen, you can press [0] to move back one screen. Press [0] in the
Application Main Menu to log out of the menu interface.
Before completing the instructions in the sections below, access the menu
interface as described in “Access the Menu Interface” on page 2-5.
Note An exception is when you change the server type from MS to ES, in which
case all settings are erased.
Setting the server type always resets the NAC 800’s configuration even if you
set it to the device’s current type. In fact, setting the server type is an easy way
to return to factory default settings (but keep your current IP settings).
Follow these steps to set the server type from the menu interface:
1. In the main menu, press [1] for Configuration.
Figure 2-9. Application Main Menu > 1. Configuration > 1. Server Type
3. The screen displays the NAC 800’s current settings. Enter the new IP
address (or press [Enter] to accept the current address). For example:
10.1.1.20
Note For security reasons, the NAC 800 does not respond to pings that it does not
initiate. Therefore, you must always test connectivity between the NAC 800
and another device from the NAC 800’s management interface.
Figure 2-15. Application Main Menu > 2. Diagnostics > 3. Ping Test
5. The results of the ping, including the times for the round trip, are
displayed.
Figure 2-16. Application Main Menu > 2. Ping test > Results
By default, the NAC 800 sends out five pings. You can stop the ping test
at any time, however, by pressing [Ctrl+c].
6. When you have finished looking at the results, press [Enter] to continue
configuring the device.
Note When you initially access the Web browser interface, you create a
username and password for an administrator with access to that interface. You
can, if you so desire, set these to match the username and password for
the menu interface. However, passwords for Web browser managers must
meet these requirements:
• At least 8 characters
• Mixed letters and numbers
Therefore, if you plan to use the same password to access the menu
interface and the Web browser interface, the password created in step 4
must include a mix of letters and numbers.
6. Press [Enter].
Generally, you must reboot the NAC 800 when you update its software.
Note You do not need to worry about saving your configurations because the NAC
800 OS automatically saves configurations to its startup-config as they are
made. However, you should periodically back up your system as explained in
Chapter 7: “Redundancy and Backup for RADIUS Services.”
Note You do not need to worry about saving your configurations because the NAC
800 OS automatically saves configurations to its startup-config as they are
made. However, you should periodically back up your system as explained in
Chapter 7: “Redundancy and Backup for RADIUS Services.”
The locator LED is most useful if you generally keep it off on all devices (which
it is by default). Then, when you turn it on for a particular device, you are sure
that you are seeing the LED of the device in question.
Figure 2-25. Application Main Menu > 2. Diagnostics > 3. Locator LED
Press the accept button to make the LCD display the menu interface.
Navigating the panel LCD menu is easy: for the most part, you can follow the
instructions indicated on the panel screen.
Use the up and down arrows to scroll the cursor through options. When the
cursor reaches your option, select it by pressing the accept button. In the
following sections, “select Option” indicates that you should scroll to the
indicated option and click the accept button.
Press the cancel button to move back a screen. (Sometimes you must press
the left button instead. The screen will indicate when this is the case.)
The panel LCD menu is one option for configuring these settings.
Note Even if you choose to configure initial settings through the panel LCD menu,
you should access the menu interface and change the menu password. Otherwise,
an unauthorized user might gain access to your NAC 800. (See “Change the
Password to the Menu Interface” on page 2-15.)
Note Setting the server type always resets the NAC 800’s configuration even if you
set it to the device’s current type. In fact, setting the server type is an easy way
to return to factory default settings (but keep your current IP settings).
Follow these steps to set the server type from the panel LCD menu:
1. Access the menu. (If the panel currently shows the NAC 800’s server type
and IP address, press the accept button.)
2. Select Configuration.
2. Select IP Address—Port 1.
Figure 2-35. Panel LCD Menu > Configuration > IP Address—Port 1 (IP Address)
Figure 2-36. Panel LCD Menu > Configuration > IP Address—Port 1 (Subnet Mask)
Figure 2-37. Panel LCD Menu > Configuration > IP Address—Port 1 (Gateway)
5. Set the IP address of the default router for the NAC 800’s subnet.
The default IP address for the router is the lowest IP address in the NAC
800’s subnet. Again, you use the arrow buttons to change the address and
press the accept button when you are finished.
Note IP settings can be valid while still incorrect for your environment. Always
check connectivity with the ping test.
Note For security reasons, the NAC 800 does not respond to pings that it does not
initiate. Therefore, you must always test connectivity with the NAC 800 from
a NAC 800 management interface.
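The two notes above make a point worth automating: an IP address, subnet mask and default router can each be well formed and still not fit together. The following script is an added example, not part of this guide or of the NAC 800 software. It reproduces the "lowest address in the subnet" value that the panel LCD menu proposes for the default router and then checks the three settings entered in steps 3 to 5 for internal consistency (both addresses are host addresses in the same subnet). The sample address 10.1.1.20 is the one the guide uses earlier; the mask and gateway, and all function names, are this example's own assumptions.

```python
import ipaddress
from typing import List

# Constructed sample settings for this example. 10.1.1.20 is the address the
# guide itself uses as an illustration; the mask and gateway are assumptions.
SAMPLE_IP = "10.1.1.20"
SAMPLE_MASK = "255.255.255.0"
SAMPLE_GATEWAY = "10.1.1.1"


def lowest_host_address(ip: str, mask: str) -> str:
    """Lowest host address in the subnet of ip/mask.

    The guide says the panel LCD menu proposes the lowest address in the
    NAC 800's subnet as the default router; this reproduces that value so
    it can be compared with the router actually in use on that subnet.
    """
    net = ipaddress.IPv4Interface(f"{ip}/{mask}").network
    if net.prefixlen >= 31:          # point-to-point or single-host subnet
        return str(net.network_address)
    return str(net.network_address + 1)


def check_ip_settings(ip: str, mask: str, gateway: str) -> List[str]:
    """Return the problems found in an (ip, mask, gateway) triple.

    An empty list means the settings are internally consistent: the address
    and the default router are host addresses in the same subnet. That is
    still not proof that they are right for the environment, which is why
    the guide insists on the ping test. Because the NAC 800 does not answer
    pings it did not initiate, that test must be run from the NAC 800's own
    management interface, not from a workstation.
    """
    problems: List[str] = []
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    except ValueError as exc:
        return [f"invalid IP address or subnet mask: {exc}"]
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        return [f"invalid default router address: {gateway!r}"]

    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}, not a host")
    if gw not in net:
        problems.append(f"default router {gateway} is outside the NAC 800's subnet {net}")
    elif net.prefixlen < 31 and gw in (net.network_address, net.broadcast_address):
        problems.append(f"default router {gateway} is not a host address in {net}")
    elif gw == iface.ip:
        problems.append("default router must not be the NAC 800's own address")
    return problems


if __name__ == "__main__":
    print("proposed default router:", lowest_host_address(SAMPLE_IP, SAMPLE_MASK))
    for gw in (SAMPLE_GATEWAY, "10.1.2.1", "10.1.1.20"):
        print(gw, check_ip_settings(SAMPLE_IP, SAMPLE_MASK, gw) or ["consistent"])
```

Run it with the values you intend to type into the panel LCD menu before you walk to the device; a gateway on the wrong subnet is the typical mistake that leaves the NAC 800 reachable from its own segment but unable to reach the MS or the rest of the network.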
Figure 2-40. Panel LCD Menu > Ping Test > Results
Generally, you must reboot the NAC 800 when you update its software.
Note You do not need to worry about saving your configurations because the
NAC 800 OS automatically saves configurations to its startup-config as they
are made. However, you should periodically back up your system as explained
in Chapter 7: “Redundancy and Backup for RADIUS Services.”
2. Select Reboot/Shutdown.
Figure 2-43. Panel LCD Menu > Reboot/Shutdown > Reboot the NAC
Note You do not need to worry about saving your configurations because the NAC
800 OS automatically saves configurations to its startup-config as they are
made. However, you should periodically back up your system as explained in
Chapter 7: “Redundancy and Backup for RADIUS Services.”
You can restart the NAC 800 by removing and then restoring power.
2. Select Reboot/Shutdown.
Figure 2-46. Panel LCD Menu > Reboot/Shutdown > Shutdown the NAC
The ports can also act in full duplex (send and receive data at the same time)
or in half duplex (only send or receive data at any moment). However, if you
select 1000 Mbps, full duplex is the only option.
Typically, the ports should auto-negotiate these settings, because unless they
exactly match settings on the other end, the connection fails.
However, if for whatever reason you must set the port speed and duplex
settings manually, follow these steps:
1. Access the menu. (If the panel currently shows the NAC 800’s server type
and IP address, press the accept button.)
2. Select Configuration.
Figure 2-49. Panel LCD Menu > Configuration > Ports Speed/Duplex
Figure 2-50. Panel LCD Menu > Configuration > Ports Speed/Duplex > Port 1
5. The default setting is Auto. All combinations of speed and duplex options
are displayed below. Scroll through the list and press the accept button
to select the one you want.
Root Access to the NAC 800
Caution Be very careful when configuring the NAC 800 from the root:
misconfigurations can cause the device to malfunction. You should be
experienced with Linux systems.
Navigate the OS just as you would any Linux OS. The NAC 800 features many
common Linux applications such as VI, which allows you to edit configuration
files. See Appendix B: “Linux Commands.”
When this guide instructs you to enter a command from the root, the command
will be denoted by this text:
Syntax:
For example:
Web Browser Interface
Similarly, you must ready a NAC 800 to be added to an MS’s cluster as an ES.
This NAC 800 requires:
■ An IP address reachable from the MS
■ The server type set to ES
You can configure these initial settings either with the menu interface or the
panel LCD menu. See “Configure Initial Settings with the Menu Interface” on
page 2-9 or “Configure Initial Settings with the Panel LCD Menu” on page 2-24.
After initial configuration, you can install the NAC 800 in its final location.
(See the ProCurve Network Access Controller 800 Hardware Installation
Guide.)
To keep the Web browser interface running smoothly, you should also
periodically delete temporary files.
Note You can upload a new certificate—for example, one signed by your own
certificate authority (CA)—to the NAC 800. See “Digital Certificates” on page
3-52 of Chapter 3: “Initial Setup of the ProCurve NAC 800.”
Home Screen
Figure 2-51 shows the Home screen of the Web browser interface.
Top Area. The Web browser interface features an area at the top of the
screen, which remains as you navigate from screen to screen.
Note Future figures in the management and configuration guide will not show the
top area.
This area displays the name of the device: Network Access Controller 800. To
the right is the name of the user account with which you logged in. The user
account determines the privileges you have to the Web browser interface. See
“Create Management Users” on page 3-41 of Chapter 3: “Initial Setup of the
ProCurve NAC 800.”
Note You should always log out of the Web browser interface (rather than simply
shut the browser) to prevent an unauthorized person from hijacking the
management session.
The top area of the Home screen also displays alerts. For example, in
Figure 2-51, you can see warnings that the NAC 800’s license has expired.
Note A NAC 800 that acts as a RADIUS server only does not require a license, so
you will often see the warnings displayed in Figure 2-51. Simply ignore them.
Left Navigation Bar. The left navigation bar includes five options:
■ Endpoint activity
■ NAC policies
■ System monitor
■ Reports
■ System configuration
Note If you do not see an option, you have logged in as a user that does not have
privileges for that particular option. See “Create Management Users” on page
3-41 of Chapter 3: “Initial Setup of the ProCurve NAC 800.”
Select an option to access a series of screens in which you can complete the
associated management and configuration tasks. (See Table 2-1.)
For a NAC 800 that acts as a RADIUS server only, the System configuration and
System monitor screens are most important.
Endpoint activity
• Check endpoint status:
  – access control status
  – test status
• Change endpoint access control status
(See Chapter 4: Endpoint Activity in the ProCurve Network Access Controller 800 Users’ Guide.)
NAC policies
• Create NAC policy groups and place policies in groups
• Assign enforcement clusters to groups
• Configure NAC policies:
  – Choose which endpoint tests are enforced
  – Configure test properties (criteria for passing)
  – Set action taken against endpoints that fail
(See Chapter 6: NAC Policies in the ProCurve Network Access Controller 800 Users’ Guide.)
System monitor
• Check status and performance of the NAC 800
• For a cluster deployment, check status and performance of ESs
(See “System Monitor” in Chapter 1: Introduction in the ProCurve Network Access Controller 800 Users’ Guide.)
Reports
• Run reports on:
  – NAC policy results
  – Connected endpoints and their test status
  – Test results and the endpoints that passed or failed
(See Chapter 12: Reports in the ProCurve Network Access Controller 800 Users’ Guide.)
Central Area. The central area of the Home screen includes two sections.
The Access control section shows the number of endpoints that are currently:
■ Granted access by the NAC 800
■ Quarantined by the NAC 800
■ Once connected but are currently disconnected
On a NAC 800 acting only as a RADIUS server, you should see 0 quarantined
endpoints. Although the quarantine means nothing unless you have set up
VLAN assignments to support it, seeing quarantined endpoints indicates that
the NAC 800 is testing endpoints unnecessarily. See Chapter 6: “Disabling
Endpoint Integrity Testing” to correct the problem.
The Endpoint tests area reports on the number of endpoints that have:
■ Passed all endpoint integrity tests
■ Failed at least one test
Right Area. The Top 5 failed tests area reports on endpoint integrity functions
and can be ignored for a RADIUS-only NAC 800.
The bottom right area of the Home screen shows Enforcement server status—
the number of ESs with ok or with error status. On a CS, the status refers to
that of the CS itself.
Click on the System monitor link to see more detailed information on the
NAC 800’s (or ESs’) status.
Note You should always log out of the Web browser interface (rather than
simply shut the browser) to prevent an unauthorized person from
hijacking the management session.
■ The left top area shows the navigation path for the screen.
See “Following Instructions to Navigate the Web Browser Interface” on
page 2-45 for more information on following the path.
■ Configuration screens feature two buttons at both the top and bottom:
• ok—Click to:
– Apply the configurations in this screen (the settings begin to take
effect)
– Save the configurations (the settings are preserved when the
power is shut down)
– Exit to the Home screen
• cancel—Click to:
– Reject changes to configurations in this screen
– Exit to the Home screen
■ Status screens feature this button:
• done—Click to close the screen.
■ Both types of screen may include three additional buttons:
• refresh—Click to update the information displayed (for example,
about the status of a device).
• legend—Click to see the meaning of any symbol used in the screen.
• help—Click to view the online help, which explains the meaning of
fields and settings. Some fields also feature a small help button
particular to that field; move your cursor over this button for specific
information about valid values for that field.
Both steps ask you to do the same thing: follow the path.
The first step is always the Home screen. The next step is the options that you
must select from in the left navigation bar in the Home screen. These options
lead you to second-level screens.
Another step, if present, is typically a menu option on the left side of the
second-level screen. For example, Figure 2-53 shows the Home > System
configuration > Enforcement clusters & servers screen. System configuration is the
second-level screen, and Enforcement clusters & servers is the menu option in
that screen.
ProCurve Manager (PCM) Plus
Note To manage the NAC 800, your server must have a version of PCM Plus 2.2 auto-
update 2 installed.
Note The NAC 800 does not grant read-write access to SNMP servers. When you
use PCM Plus to discover the NAC 800, you must enter the read-only
community name for the read-write community as well.
d. In the Allowed source network field, enter, in CIDR notation, the subnet
in which your PCM server is installed. For example: 10.1.1.0/24.
Specifying the network increases security. However, you can enter
default to allow a server with any IP address to access the NAC 800.
e. Click the ok button.
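The two settings just described, read-only SNMP access and an allowed source network, together decide who can read the NAC 800's configuration over SNMP. The script below is an added example and not part of this guide or of the NAC 800 or PCM Plus software: it models those two rules so you can see, for a given Allowed source network value, which requests would be answered. The subnet 10.1.1.0/24 is the one the guide uses as its illustration; the community name is a constructed placeholder, and the class and function names are this example's own assumptions, not a NAC 800 API.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed values for this example. "ro-community-EXAMPLE" is a placeholder,
# not a real community name; 10.1.1.0/24 is the subnet the guide uses to
# illustrate the Allowed source network field.
PCM_SUBNET = "10.1.1.0/24"
RO_COMMUNITY = "ro-community-EXAMPLE"


class SnmpAccessPolicy:
    """Model of the NAC 800's SNMP access rules as the guide states them:
    read-only access only (no read-write community exists) and an optional
    source-network restriction in CIDR notation, where the keyword "default"
    means any source. The class and its methods are this example's own."""

    ANY_SOURCE = "default"

    def __init__(self, read_only_community: str, allowed_source: str = ANY_SOURCE):
        self.read_only_community = read_only_community
        self.allowed_network: Optional[ipaddress.IPv4Network]
        if allowed_source == self.ANY_SOURCE:
            self.allowed_network = None
        else:
            # strict=True rejects a host address with a prefix (10.1.1.7/24),
            # which is almost always a typo for the network 10.1.1.0/24.
            self.allowed_network = ipaddress.IPv4Network(allowed_source, strict=True)

    def source_allowed(self, source_ip: str) -> bool:
        """True if a request from source_ip passes the network restriction."""
        if self.allowed_network is None:
            return True
        return ipaddress.IPv4Address(source_ip) in self.allowed_network

    def authorize(self, source_ip: str, community: str, operation: str) -> Tuple[bool, str]:
        """Decide one SNMP request; operation is "get" or "set"."""
        if operation not in ("get", "set"):
            raise ValueError(f"unknown operation {operation!r}")
        if not self.source_allowed(source_ip):
            return False, f"source {source_ip} is outside allowed network {self.allowed_network}"
        if community != self.read_only_community:
            return False, "community name not recognised"
        if operation == "set":
            return False, "the NAC 800 grants read-only access only"
        return True, "read-only access granted"


def is_valid_allowed_source(value: str) -> bool:
    """True for "default" or a well-formed network in CIDR notation."""
    if value == SnmpAccessPolicy.ANY_SOURCE:
        return True
    try:
        ipaddress.IPv4Network(value, strict=True)
        return True
    except ValueError:
        return False


def exposure_of(policy: SnmpAccessPolicy) -> str:
    """Summarise who can read the NAC 800's configuration under the policy."""
    if policy.allowed_network is None:
        return "any host that knows the read-only community name"
    return f"hosts in {policy.allowed_network} that know the read-only community name"


if __name__ == "__main__":
    restricted = SnmpAccessPolicy(RO_COMMUNITY, PCM_SUBNET)
    wide_open = SnmpAccessPolicy(RO_COMMUNITY)          # Allowed source network = default
    for policy in (restricted, wide_open):
        print("exposure:", exposure_of(policy))
        for src, op in (("10.1.1.7", "get"), ("10.1.1.7", "set"), ("203.0.113.9", "get")):
            print("  ", src, op, policy.authorize(src, RO_COMMUNITY, op))
```

The point the model makes explicit is why the guide says specifying the network increases security: SNMP versions 1 and 2 send the community name in clear text, so with the field left at default the read-only community is the only thing standing between any host on the network and the NAC 800's configuration, whereas a CIDR restriction limits that to the PCM server's subnet.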
When you select a NAC 800 node, all the tabs available for any device are
displayed. In addition, you can click the NAC Home tab and access the NAC
800’s Web browser interface. The first time that you do so, you must enter the
username and password for a management user on the NAC 800. PCM Plus
saves this information so that you do not have to enter it again.
Note You can change the username and password by following these steps:
1. Select Tools > Preferences.
2. Select Identity Management.
3. Enter the new username and password in the ProCurve NAC Web GUI
Credentials fields.
Most of the capabilities that PCM Plus adds to the NAC 800 relate to IDM,
which is described in the following section.
IDM
ProCurve IDM is a plug-in to PCM Plus that helps you assign users the correct
rights based on their identities. When managing a NAC 800, IDM can also
assign users rights based on their endpoint integrity posture.
You set up rights on IDM by configuring various settings, such as virtual local
area network (VLAN) assignments and allowed resources, in profiles. Rules
specify the correct profile for a group of users connecting at a certain time
and place—and optionally, with the NAC 800, with a certain endpoint integrity
posture.
IDM then pushes these settings to the IDM agent on RADIUS servers. When
you use the NAC 800 as a RADIUS server—with or without endpoint
integrity—IDM can manage and configure settings on that device just as on
other servers.
To manage a NAC 800, IDM must run version 2.2 auto update 2.
Note To check the NAC 800’s IDM agent version, log in as root to the NAC 800 and
enter:
more /root/version
3. The IDM server’s IP address is specified in the NAC 800’s 802.1X
quarantining settings.
Follow these steps:
a. Access the NAC 800’s Web browser interface.
b. If you have a multiple NAC 800 deployment (MS and multiple ESs),
choose the cluster that includes the RADIUS server ESs. For a CS, the
default and only cluster (Cluster #1) is automatically selected.
c. In the Quarantine method area, select 802.1X.
d. In the Basic 802.1X settings area and the IDM server IP address field,
enter the IP address of the server that runs PCM Plus with IDM.
e. Complete other settings as described in Chapter 4: “Configuring the
RADIUS Server—Integrated with ProCurve Identity Driven Manager”
and click the ok button.
When you select a NAC 800, IDM displays similar screens and tabs as those
for a RADIUS server. So you can complete all the same tasks for the NAC 800
that you can for a RADIUS server:
■ Deploy a group policy to the NAC 800, which includes:
• Valid days and times of access
• Valid access locations
• Dynamic VLAN assignments, access control lists (ACLs), and rate
limits
■ Easily integrate the NAC 800 with Active Directory (AD) and other
directories
IDM can automatically synchronize with AD, downloading account infor-
mation from the groups that you specify.
IDM can download lists of users from other directories.
■ Monitor users who attempt to authenticate to the NAC 800
Table 2-2 summarizes the capabilities that IDM brings to the NAC 800.
Issue different VLAN assignments according to endpoint integrity posture | Yes | Only by editing configuration files from the root OS
You can also access the NAC 800’s Web browser interface directly from IDM.
Click on a NAC 800 node and select one of these tabs:
■ NAC Home—Access the NAC 800’s Home screen.
■ NAC Monitor—Access the NAC 800’s System monitor screen.
■ NAC System—Access the NAC 800’s System configuration screen.
Note The NAC 800 that acts as a RADIUS server might be a CS or an ES; IDM will
detect any type of NAC 800. Although an ES does not actually run a Web
browser interface, you can still select the NAC Home, NAC Monitor, and NAC
System tabs for the ES; IDM simply launches the Web browser interface for
the ES’s MS.
Initial Setup of the ProCurve NAC 800
Contents
System Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
System Settings—Initial Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
Initial Configuration of CS or MS Settings . . . . . . . . . . . . . . . . . . . 3-4
Initial Configuration of ES Settings . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Edit System Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16
Edit System Settings on an MS or a CS . . . . . . . . . . . . . . . . . . . . . 3-16
Edit System Settings on an ES . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-30
Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-39
Management and Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-39
Upgrade the Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-39
Create Management Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-41
Create User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-42
Configure User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-45
Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-52
Install a CA-Signed Certificate for HTTPS . . . . . . . . . . . . . . . . . . . . . . 3-53
Generate a Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-54
Install the Root CA Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-55
Create a Certificate Request and Transfer It off the NAC 800 . . . . . . . . . 3-56
Download and Install the Signed Certificate . . . . . . . . . . . . . . . . 3-58
Restart the HTTPS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-59
System Settings
System settings for your ProCurve NAC 800 include:
■ Network settings
Network settings identify your NAC 800 in the network and allow it to
communicate with other devices. These settings include:
• Hostname
• Static IP address
• Default router IP address
• Domain Name System (DNS) server IP address
■ Simple Network Management Protocol (SNMP) settings
SNMP allows you and other network administrators to control multiple
network devices through a single solution such as ProCurve Manager
(PCM). The NAC 800 supports read-only access to its configuration via
SNMP versions 1 or 2.
■ Root password
The root account, which you log in to through Secure Shell (SSH), grants
access to the command line of the NAC 800’s Linux-based operating
system (OS). You will need such access if you want to enable the NAC 800
to act as a RADIUS server without ProCurve Identity Driven Manager
(IDM).
The username for the account is root and the default password is procurve.
You can change this password.
In a cluster deployment, you configure most system settings for ESs when
you first add them to the cluster. See “Initial Configuration of ES Settings” on
page 3-9.
You can later edit the system settings for any type of NAC 800. See “Edit System
Settings” on page 3-16.
2. Read the license and select the I accept this license agreement option.
3. Click the next button. The Step 2 of 3: Enter management server settings
screen is displayed.
Note In the following screen, you will create a username and password for an
administrator with access to the Web browser interface. You can, if you
so desire, set the password to match the root password. However, passwords
for Web browser managers must meet these requirements:
• At least 8 characters
• Mixed letters and numbers
Therefore, if you plan to use the same password to access the Web
browser interface and the root OS, the password created in step 4 must
include a mix of letters and numbers.
Root passwords for ESs also must include mixed letters and numbers.
9. Create an account that grants access to the MS’s Web browser interface:
This account has the Administrator role and full rights to all management
and configuration tasks available in the Web browser interface. (See
“Configure User Roles” on page 3-45 to learn more about roles.)
a. Enter a string in the User name field.
The username can include alphabetic characters but not numbers. It
can also include the “at” character (@).
b. Enter a string in the Password field.
The password must include a mix of letters and numbers and be at
least 8 characters long. It can also include special characters and
spaces.
c. Enter the same password in the Re-enter password field.
10. Click the finish button.
You have completed the initial setup of the MS system settings, and the Home
screen is displayed. If you want to change the settings at a later point, see “Edit
System Settings on an MS or a CS” on page 3-16.
If your NAC 800 is a CS—typical for a device that acts as a RADIUS server
only—the system setup is complete. Otherwise, you must add ESs, as
described in the section below.
Before you can add an ES, you must access it directly and configure its IP
address and default router, as described in “Access the Web Browser Interface”
on page 2-37 in Chapter 2: “Management Options for the ProCurve
NAC 800.” You must also create an enforcement cluster, as described in the
section below.
Figure 3-4. Home > System configuration > Enforcement clusters & servers—add
an enforcement cluster
Figure 3-5. Home > System configuration > Enforcement clusters & servers > Add
enforcement cluster > General
3. In the Cluster name field, enter a string that describes this cluster.
The string can include alphanumeric characters, special characters, and
spaces.
Note If you are adding an ES that was previously managed by a different MS, you
must first reset the ES. Log in to the ES as root, and enter this command:
resetSystem.py
Figure 3-6. Home > System configuration > Enforcement clusters & servers—add
an enforcement server
Figure 3-7. Home > System configuration > Enforcement clusters & servers > Add
enforcement server
3. From the Cluster drop-down menu, choose the cluster that you configured
for the NAC 800s that act as RADIUS servers only.
4. Enter the ES’s IP address in the IP address field. For example: 10.1.1.10.
You should have already set this IP address as described in “Access the
Web Browser Interface” on page 2-37 in Chapter 2: “Management Options
for the ProCurve NAC 800.”
5. Give the ES a hostname. Enter the name as an FQDN. For example:
myES.mycompany.com
The hostname can contain only these characters:
• Alphanumeric characters
• Periods
• Hyphens
The hostname can be up to 64 characters.
6. In the DNS IP addresses field, specify the IP address of at least one DNS
server.
To contact devices by hostname, the ES requires a DNS server. You must
specify one server and you can specify multiple servers (use commas to
separate their addresses). By default, this field displays the MS’s DNS
server or servers.
Figure 3-8. Home > System configuration > Enforcement clusters & servers
10. Return to page 3-10 and follow the steps to add another ES, or click the
ok button to save the changes.
These instructions have taught you how to create basic system settings for
ESs. For more information about managing enforcement clusters and servers,
see Chapter 7: “Redundancy and Backup for RADIUS Services.”
However, you can edit these settings at any time; the following sections
explain how.
The screen displays the previously configured settings, which you can
now edit:
■ Network settings—See “Edit MS or CS Network Settings” on page 3-18.
■ Date and time settings—See “Edit MS or CS Date and Time Settings” on
page 3-21.
■ Root password—See “Edit the Root Password” on page 3-26.
The Home > System configuration > Management server screen also allows you
to configure some additional settings:
■ Proxy server for accessing the Internet—See “Set the Proxy Server” on
page 3-19.
■ SNMP settings—See “Configure MS or CS SNMP Settings” on page 3-24.
■ Log level settings—See “Set the Log Level” on page 3-28.
Figure 3-10. Home > System configuration > Management server > Management
server network settings
If a proxy server stands between your private network and the Internet, you
must configure the NAC 800 MS to communicate with the proxy server.
3. Check the Use a proxy server for Internet connections check box.
4. In the Proxy server IP address field, enter the address of the server that will
act as the proxy for the Internet.
5. In the Proxy server port field, enter the port for your proxy server.
The valid range is from 1 to 65535. Typically, you can accept the default
(8080).
6. If your proxy server requires authentication, select the Proxy server is
authenticated check box. Then configure the authentication settings:
a. Select an option from the Authentication method drop-down menu:
– Basic—This method (the original for HTTP authentication) is not
recommended because it transmits the user ID and password in
plaintext. However, it is compatible with most proxy servers.
– Digest—This method, which is supported by HTTP 1.1-compliant
servers, is significantly more secure than basic authentication.
Instead of submitting the password over the network, the NAC
800 uses it to encrypt a random value.
– Negotiable—The NAC 800 and the proxy server agree together
whether to use basic or digest authentication. This option eliminates
compatibility issues, but is less secure than the digest option.
b. In the User name field, enter the ID of a user account on the proxy
server.
c. In the Password field, enter the password of that user account.
d. Re-enter the password in the Re-enter password field.
7. When you are done editing MS settings, click the ok button to save the
changes.
Edit MS or CS Date and Time Settings. You now have two options for
configuring the MS date and time. The MS can receive its clock either:
■ Automatically from an NTP server
■ From the date and time that you set manually
Receiving the clock from an NTP server is generally the more reliable option.
The date and time settings configured for the MS apply to all ESs; however,
you can set the time zone individually for each ES.
Figure 3-12. Home > System configuration > Management server—Date and
time area
Figure 3-13. Home > System configuration > Management server > Date and time
ii. Set the date in the Date drop-down menus—select the day from
the left, the month from the center, and the year from the right
drop-down menus.
iii. Set the time in the Time fields—enter the hour and minutes in the
12-hour clock and choose AM or PM from the drop-down menu.
iv. Click the ok button.
5. When you are done editing MS settings, click the ok button in the Home >
System configuration > Management server screen to save the changes.
The NAC 800 supports SNMPv1 and v2. It provides read-only access to its
configuration. To gain this access, an SNMP server must:
■ Have a read-only community name that matches the name set on the MS
■ Have an IP address in the allowed source network set on the MS
Note The NAC 800 does not grant read-write access to SNMP servers. However, to
properly discover the NAC 800, PCM requires both a read-only and a read-
write community name. Set both names to the name configured in the Read
community string field.
Edit the Root Password. The root password grants access to the NAC 800’s
OS (via an SSH session). To change the password, follow these steps:
1. You should be in the following screen: Home > System configuration >
Management server.
2. Find the Other settings area.
Set the Log Level. When certain events occur, the NAC 800 creates a log
message and adds it to the appropriate log file. Events are classified according
to their severity or possible negative impact on your network. From most to
least severe, the log levels are:
■ Error
■ Warn
■ Info
■ Debug
■ Trace
By default, the log level is debug, which means that the module will log all
events that have debug-level severity or higher (that is, all events except trace
events). If you find that you spend too much time searching through logs, you
can configure the NAC 800 to log only those events with a higher severity level.
Note Generally, you should not set the level to trace. The volume of logged events
may degrade your NAC 800s’ performance.
3. Select the severity level from the Log level drop-down menu.
The NAC 800 logs events of this severity or greater.
When you are done editing MS settings, click the ok button to save the changes.
Note To learn how to check for new software, see “Upgrade the Software” on
page 3-39.
Figure 3-17. Home > System configuration > Enforcement clusters & servers
2. Click the name of the ES for which you want to edit the system settings.
The Enforcement server screen is displayed at the Status menu option.
Figure 3-18. Home > System configuration > Enforcement clusters & servers >
selected ES > Status
Figure 3-19. Home > System configuration > Enforcement clusters & servers >
selected ES > Configuration
Set the ES Time Zone. You can set each ES’s time zone individually—
which is useful if you have an MS that manages multiple ESs within a wide
area network (WAN) that spans multiple time zones.
ESs receive their clock from the MS, so you cannot configure other date and
time settings on ESs. See “Edit MS or CS Date and Time Settings” on page 3-21
to learn how to configure the MS.
Figure 3-20. Home > System configuration > Enforcement clusters & servers >
selected ES > Configuration
3. Select the correct time zone from the Time zone drop-down menu.
Time zones are listed by offset from Greenwich Mean Time (GMT)—for
example, GMT –6:00—as well as by name and by select cities in that time
zone. (If your city is not listed, you can either rely on the GMT offset or
look for a city that you know is in your time zone.)
It is important to select the correct time zone so that the NAC 800
appropriately adjusts the time that it receives from the MS.
Note This task is particularly important if you are using IDM to manage NAC 800s’
RADIUS functions.
The NAC 800 supports SNMPv1 and v2. It provides read-only access to its
configuration. To gain this access, an SNMP server must:
■ have a read-only community name that matches the name that is set on
the ES
■ have an IP address in the allowed source network that is set on the ES
Figure 3-21. Home > System configuration > Enforcement clusters & servers >
selected ES > Configuration
Note The NAC 800 does not grant read-write access to SNMP servers. However, to
properly discover the NAC 800, PCM requires a “read-only” and “read-write”
community name. Set both names to the name configured in the Read
community string field.
Edit the ES Root Password. The root password grants access to the
NAC 800’s command line (via an SSH session). To change the password, follow
these steps:
1. You should be in the following screen: Home > System configuration >
Enforcement clusters & servers > selected ES > Status.
2. Find the Other settings area.
3. Enter a password in the Root password field.
The password must contain both letters and numbers; special characters
are also allowed.
4. Enter the same password in the Re-enter root password field.
5. When you are done editing ES settings, click the ok button to save the
changes.
Licenses
Licenses on the ProCurve NAC 800 enable endpoint integrity testing. If you
plan to use the RADIUS-only usage model, your NAC 800 does not require a
license.
Note To add endpoint integrity, you must purchase licenses. See Chapter 3: System
Configuration in the ProCurve Network Access Controller 800 Users’ Guide
for more information.
You manage clusters of NAC 800s through the MS’s Web browser interface.
You manage each CS (a stand-alone NAC 800) through its own Web browser
interface.
To check for the upgrade, the NAC 800 MS or CS requires a connection to the
Internet. After an MS upgrades its own software, it automatically upgrades the
software on all ESs in its clusters.
Follow these steps to check for and install new software on an MS or CS:
1. Select Home > System configuration > Management server.
Management and Maintenance
Figure 3-22. Home > System configuration > Management server—System Upgrade
area
2. In the System Upgrade area, click the check for upgrades button.
If new software has been posted, the NAC 800 downloads and installs it.
You can create other users that are allowed to access the Web browser
interface and manage your system’s NAC 800s.
Role                   Description                                        Permissions
View-Only User         View endpoint activity and generate reports        • Generate reports
                       about assigned clusters                            • View endpoint activity
Help Desk Technician   For assigned clusters, view endpoint activity,     • Generate reports
                       change endpoint access control, retest             • View endpoint activity
                       endpoints, and generate reports                    • Control access
                                                                          • Retest endpoints
2. Click the add a user account link. The Add user account screen is displayed.
Figure 3-24. Home > System configuration > User accounts > add a user account
You can create entirely new roles that include the permissions that you select.
You can also customize an existing role, removing or adding the desired
permissions (sometimes a simpler option).
You can edit any role on the NAC 800, including default roles. However, you
cannot remove permissions from the System Administrator role.
Note Some aspects of a permission do not apply to a CS. For example, on an MS,
the “Configure cluster” permission allows a user to add clusters, configure
cluster settings, add ESs to clusters, and so forth. However, a CS has one
cluster only. A user with the “Configure cluster” permission to a CS can
configure cluster settings but not add new clusters or ESs.
Permission               Description                                          Screen
Configure servers        View status for all ESs in assigned clusters         Enforcement clusters & servers
Configure the system     All system-level settings for all clusters:          System configuration (including
                         • Add, configure, and delete clusters                all menu options)
                         • Add and configure ESs
                         • Manage user accounts and roles
                         • Submit license requests
                         • Schedule checks for test updates
                         • Configure quarantine settings (including RADIUS)
                         • Back up the system and restore from the backup
                         • Configure cluster settings
View system alerts       View system alerts on the Home screen                Home
Manage NAC policies      • Add, edit, and delete NAC policies and NAC         NAC policies
                           policy groups
                         • Set the NAC policy group for assigned clusters
View endpoint activity   View activity for endpoints in assigned clusters:    Endpoint activity
                         • Check access control status
                         • Check endpoint test status
Monitor system status    View status for all ESs in assigned clusters         System monitor
Control Access           Change access control status for endpoints in        change access button in
                         assigned clusters                                    Endpoint activity screens
                         • Requires View endpoint activity permission
Retest endpoints         Force a retest of endpoints in assigned clusters     retest button in Endpoint
                         • Requires View endpoint activity permission         activity screens
Create a New User Role. Follow these steps to create a new user role:
1. Select Home > System configuration > User roles.
2. Click the add a user role link. The Add user role screen is displayed.
Figure 3-26. Home > System configuration > User roles > Add user role
3. In the Role name field, enter a short, meaningful description of the role.
For example:
Assistant Administrator
This field can include alphanumeric characters, special characters, and
spaces.
4. Optionally, describe this role at more length in the Description field.
Describing the role is a good idea because it helps other users know which
management user accounts should receive this role.
User account screens display roles’ descriptions but not their permissions,
so you should typically include information about the permissions in the
Description field.
5. Check boxes in the Permissions area to specify which permissions this role
allows.
You must check at least one box and can check multiple boxes.
Note If you select Control Access or Retest endpoints, you must also select View
endpoint activity.
See Table 3-2 on page 3-46 for more information about permissions.
Note Some permissions relate only to the NAC 800’s endpoint integrity
functions. The primary permissions of interest for a NAC 800 that acts only
as a RADIUS server are:
• Configure the system
• View system alerts
• Monitor system status
• View endpoint activity
• Control access
The “Configure the system” permission allows users all of the access they
need to configure a RADIUS-only NAC 800. The “View system alerts” and
“Monitor system status” permissions add the ability to monitor the system.
You might want the “View endpoint activity” and “Control access”
permissions in order to help users in case the endpoint integrity test
functions are not shut down properly.
Note The new role saves immediately and will be displayed on the User Account
screen. You can now assign this role to users. (See “Create User Accounts” on
page 3-42.)
Edit an Existing User Role. You can also customize existing roles, altering
any of these settings:
■ Name
■ Description
■ Permissions
Note You can alter the name and description, but not permissions, for the System
Administrator role.
2. Click the name of the role that you want to edit in the User role name
column. The User role screen is displayed.
Figure 3-28. Home > System configuration > User role (selected user role)
Note The changes save immediately. Any user that is assigned this role
automatically receives the new permissions.
Digital Certificates
Your ProCurve NAC 800 (or NAC 800s) might require a digital certificate for
several reasons:
■ On a CS or MS, an SSL certificate enables access to the Web browser
interface. (HTTPS, the only supported option, requires the server to have
a certificate).
■ A CS or ES requires an SSL certificate to communicate with endpoints
during endpoint integrity testing.
■ A NAC 800 acting as a RADIUS server (CS or ES) requires a server
certificate for:
• Server authentication—The NAC 800 authenticates itself during
the Extensible Authentication Protocol (EAP) process.
• Client authentication—The NAC 800 and the endpoint can use the
certificate to generate keys to secure the EAP process. Depending on
the EAP method, the NAC 800 also verifies end-users’ certificates.
■ A NAC 800 that binds to a Lightweight Directory Access Protocol (LDAP)
server that uses TLS authentication requires the CA root certificate for
the LDAP server’s CA.
The instructions in this section apply only to the first and second purposes.
To learn about configuring digital certificates for the other purposes, see
Chapter 4: “Configuring the RADIUS Server—Integrated with ProCurve
Identity Driven Manager” or Chapter 5: “Configuring the RADIUS Server—Without
Identity Driven Manager.”
At factory defaults, a NAC 800 uses a self-signed digital certificate for HTTPS.
In this certificate, cn=HP. You will probably want to install a new certificate
that:
■ Includes information about this specific device and your own organization
■ Is signed by your company’s CA or by a trusted CA
See “Install a CA-Signed Certificate for HTTPS” on page 3-53 to learn how to
obtain and install a signed certificate for HTTPS.
You can also create a new self-signed certificate for HTTPS. See “Install a New
Self-Signed Certificate for HTTPS” on page 3-59.
You must complete these tasks by accessing the root command line for the
NAC 800’s OS:
1. Open a console or SSH session with the NAC 800.
2. Log in:
• username = root
• password = <root password>
Generate a Key
Before submitting a certificate request for your NAC 800, you must generate
the certificate’s public/private keypair. The NAC 800 includes the public key
in the request but keeps the private key only in its own keystore, which is
protected with a password.
Syntax: keytool -genkey -alias <keyname> -keyalg [rsa | dsa] -keystore compliance.keystore
Replace <keyname> with a name that you choose for the key’s
alias in the compliance.keystore file. Make a note of the name:
you will need it when you generate a certificate request or
self-signed certificate that uses this keypair.
The asymmetric algorithms supported by the NAC 800 for the
keypair include Rivest, Shamir, and Adleman (RSA) and
Digital Signature Algorithm (DSA); choose one or the other
for the -keyalg option.
For example:
ProCurve NAC 800:/usr/local/nac/keystore:# keytool -genkey -alias mynac.procurve.com -keyalg RSA -keystore compliance.keystore
5. When prompted, enter this password for the keystore: changeit. (You must
enter this password.)
6. Next you are prompted to enter information that will be included in the
certificate that uses this key. For the first and last name, enter the NAC
800’s exact FQDN.
7. The command line displays the information that you entered. If it is
correct, type [y] and press [Enter]. If you need to edit the information, press
[Enter] only.
8. The keytool utility prompts you to enter a password to protect the key.
You must press [Enter] without entering a password; the key is protected
with the keystore’s password.
If you are using a different third-party CA or your organization’s own CA, you
must install the CA certificate. Follow these steps:
1. Obtain the CA certificate from your CA.
The certificate must use X.509 format.
2. Download the CA certificate to the NAC 800.
If you have installed the PuTTY Secure Copy (PSCP) application on your
workstation, follow these steps:
a. Save the CA certificate on your management workstation.
b. Access the command-line prompt on your workstation. (Select Start
> Run and enter cmd.)
c. Move to the directory in which PSCP is stored.
For example:
pscp C:\certificates\myCA.cer root@10.2.1.20:/myCA.cer
e. When prompted, enter the NAC 800’s root password.
3. Log in as root to the NAC 800.
4. Enter this command:
For example:
ProCurve NAC 800:# keytool -import -alias myCA -file myCA.cer -keystore /usr/local/java/jre/lib/security/cacerts
5. When prompted, enter the password for the cacerts keystore (default:
changeit).
6. When prompted to trust the certificate, enter yes.
For example:
ProCurve NAC 800:/usr/local/nac/keystore:# keytool -certreq -alias mynac.procurve.com -file mynac.req -keystore compliance.keystore
4. When prompted, enter the password for the keystore.
5. If prompted, enter the password for the key.
6. View files in the directory and verify that the request was created. Enter
this command:
ProCurve NAC 800:/usr/local/nac/keystore# dir
7. Transfer the certificate request off the NAC 800.
You can save the request to your management workstation. If this
workstation has the PSCP application, follow these steps:
a. Access the command-line prompt on your workstation.
b. Move to the directory in which PSCP is stored.
For example:
pscp C:\certificates\mynac.cer root@10.2.1.20:/usr/local/nac/keystore/mynac.cer
2. When prompted, enter the NAC 800’s root password.
3. Log in to the NAC 800 as root.
4. Move to this directory:
ProCurve NAC 800:/# cd /usr/local/nac/keystore
For example:
ProCurve NAC 800:/usr/local/nac/keystore:# keytool -import -alias mynac.procurve.com -trustcacerts -file mynac.cer -keystore compliance.keystore
6. When prompted, enter the password for the keystore (changeit).
You must complete these tasks to create and install a self-signed certificate:
1. Generate the self-signed certificate and keypair in the compliance.keystore.
2. Export the self-signed certificate to a file.
3. Install the self-signed certificate as a trusted CA root certificate in the Java
cacerts keystore.
4. Restart the HTTPS server.
As an optional final task, you might transfer the self-signed certificate off the
NAC 800 and install it as a trusted CA root certificate on endpoints.
To complete these tasks, you must access the root command line for the
NAC 800’s OS:
1. Open an SSH session with the NAC 800.
2. Log in:
• username = root
• password = <root password>
Syntax: keytool -genkey -alias <keyname> -keyalg [rsa | dsa] -keystore compliance.keystore
Replace <keyname> with a name that you choose for the key’s alias
in the compliance.keystore file. Make a note of the name: you will
need it when you generate a certificate request or self-signed
certificate that uses this keypair.
The asymmetric algorithms supported by the NAC 800 for the
keypair include RSA and DSA; choose one or the other for the -keyalg
option.
4. For example:
ProCurve NAC 800:/usr/local/nac/keystore:# keytool -genkey -alias mynac.procurve.com -keyalg RSA -keystore compliance.keystore
5. When prompted, enter changeit for the keystore password. You must enter
this password.
6. Next you are prompted to enter information that will be included in the
certificate that uses this key. For the first and last name, enter the NAC
800’s FQDN.
7. The command line displays the information you entered. If it is correct,
enter y. If you need to edit the information, press [Enter] only.
8. The keytool utility prompts you to enter a password to protect the key.
You must press [Enter] instead of entering a password; the key is protected
with the keystore’s password only.
The keypair and the associated self-signed certificate are now saved under
the specified alias in the specified keystore.
Follow these steps to save the certificate off the NAC 800 to a management
station that runs PSCP:
1. Access the command line for the station that runs PSCP (click Start > Run
and enter cmd) and move to the directory in which PSCP is installed.
2. Enter this command:
You can now install the certificate as a trusted root CA certificate on
endpoints. The exact steps depend on the endpoints and your environment. For
example, in a Windows domain, you can publish the certificate in Active
Directory. Check the appropriate documentation for instructions.
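The keytool sequence from both the CA-signed procedure (keypair, certificate request, root CA import, signed-certificate import) and the self-signed procedure above, as an added POSIX shell script that is not part of the ProCurve guide. It uses the keystore paths and the fixed keystore password the guide names; the alias mynac.example.com, the CA file names and RESTART_HTTPS_CMD (the restart command is not shown on this page) are placeholders, and the CN and CA checks before the signed-certificate import are additions the guide leaves to the operator.

```shell
#!/bin/sh
# Added example, not from the ProCurve guide: drives the keytool steps of this
# section for a CA-signed HTTPS certificate and for a self-signed one, with
# the checks an operator would otherwise perform by hand.
# Paths and the keystore password come from the guide; ALIAS and
# RESTART_HTTPS_CMD are placeholders.

KEYSTORE_DIR=/usr/local/nac/keystore
KEYSTORE="$KEYSTORE_DIR/compliance.keystore"
CACERTS=/usr/local/java/jre/lib/security/cacerts
STOREPASS=changeit                           # fixed keystore password named in the guide
ALIAS="${ALIAS:-mynac.example.com}"          # placeholder: use the NAC 800's exact FQDN
RESTART_HTTPS_CMD="${RESTART_HTTPS_CMD:-:}"  # placeholder: restart command is not on this page

# Pure text check: does the "Owner:" line of `keytool -printcert` output carry
# CN=<fqdn>? Run before importing a signed reply so that a certificate issued
# for the wrong name is rejected with a clear message instead of a chain error.
owner_cn_matches() {   # $1 = printcert output, $2 = expected FQDN
  printf '%s\n' "$1" | awk -v want="CN=$2" '
    /^Owner:/ { sub(/^Owner: */, ""); n = split($0, f, /, */)
                for (i = 1; i <= n; i++) if (tolower(f[i]) == tolower(want)) ok = 1
                exit }
    END { exit ok ? 0 : 1 }'
}

ca_present() {         # $1 = alias in the Java cacerts keystore
  keytool -list -alias "$1" -keystore "$CACERTS" -storepass "$STOREPASS" >/dev/null 2>&1
}

gen_keypair() {
  # "Generate a Key": -keypass equal to -storepass mirrors pressing Enter at the
  # key-password prompt (step 8); the CN is the FQDN (step 6). -genkey also
  # writes the self-signed certificate that the self-signed procedure uses.
  keytool -genkey -alias "$ALIAS" -keyalg RSA -keysize 2048 -dname "CN=$ALIAS" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

make_csr() {
  # "Create a Certificate Request": the .req file is what pscp carries off the
  # NAC 800 for the CA to sign.
  keytool -certreq -alias "$ALIAS" -file "$KEYSTORE_DIR/$ALIAS.req" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

import_ca() {          # $1 = alias for the CA, $2 = X.509 CA certificate file
  # "Install the Root CA Certificate": trust the CA in the Java cacerts store.
  keytool -import -noprompt -alias "$1" -file "$2" \
    -keystore "$CACERTS" -storepass "$STOREPASS"
}

import_signed() {      # $1 = signed certificate file, $2 = alias of its CA in cacerts
  # "Download and Install the Signed Certificate": keytool refuses a reply it
  # cannot chain to cacerts, so report a missing CA or a CN mismatch up front.
  ca_present "$2" || { echo "CA alias '$2' is not in $CACERTS; import it first" >&2; return 1; }
  owner_cn_matches "$(keytool -printcert -file "$1")" "$ALIAS" \
    || { echo "certificate in $1 is not issued to CN=$ALIAS" >&2; return 1; }
  keytool -import -alias "$ALIAS" -trustcacerts -file "$1" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

self_signed_install() {
  # "Install a New Self-Signed Certificate": export the certificate written by
  # -genkey and install it as a trusted root in cacerts.
  gen_keypair
  keytool -export -alias "$ALIAS" -file "$KEYSTORE_DIR/$ALIAS.cer" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
  import_ca "$ALIAS" "$KEYSTORE_DIR/$ALIAS.cer"
}

case "${1:-}" in
  "")            ;;   # no arguments: only define the functions (file can be sourced)
  keypair)       gen_keypair ;;
  csr)           make_csr ;;
  import-ca)     import_ca "$2" "$3" ;;
  import-signed) import_signed "$2" "$3" ;;
  self-signed)   self_signed_install ;;
  restart)       $RESTART_HTTPS_CMD ;;
  *) echo "usage: $0 keypair|csr|import-ca <alias> <file>|import-signed <file> <ca-alias>|self-signed|restart" >&2
     exit 1 ;;
esac
```

Run the subcommands in the guide's order (keypair, csr, transfer the request off the box, import-ca, import-signed, restart); the self-signed subcommand replaces the csr and import steps.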
Configuring the RADIUS Server—Integrated with ProCurve Identity Driven Manager
Contents
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
RADIUS Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
Authentication Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4
Dynamic or User-Based Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4
IDM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
Data Store Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6
Local Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7
AD (Windows Domain) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7
LDAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
Proxy RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9
Configure the NAC 800 as a RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . 4-11
Specify the Quarantine Method (802.1X) . . . . . . . . . . . . . . . . . . . . . . . 4-12
Configure Authentication Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14
Configure Authentication to the NAC 800’s Local
Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14
Configure Authentication to a Windows Domain . . . . . . . . . . . . 4-16
Configure Authentication to an LDAP Server . . . . . . . . . . . . . . . 4-20
Configure Authentication to a Proxy RADIUS Server . . . . . . . . . 4-29
Test Authentication Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-34
Add NASs as 802.1X Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-39
Apply Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-43
Restart the RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-43
Overview
As explained in Chapter 1: “Overview of the ProCurve NAC 800,” a ProCurve
NAC 800 can fulfill a variety of functions, among them checking endpoint
integrity and authenticating endpoints as a RADIUS server. In this chapter,
you learn how to configure a NAC 800 that acts only as a RADIUS server.
In one circumstance only might you use a cluster deployment instead: you are
adding a RADIUS-only NAC 800 to a system that already enforces endpoint
integrity with a cluster configuration. In this case, the RADIUS-only NAC 800
would be an ES in a new cluster that enforces 802.1X quarantining and no
endpoint integrity. You would configure most of the settings described in this
chapter in the MS’s Web browser interface. However, you would create digital
certificates through the RADIUS-only NAC 800’s root command line.
RADIUS Overview
The RADIUS protocol regulates communications between Network Access
Servers (NASs) and authentication servers. The NASs are the points of access
for endpoints—for example, switch ports or wireless access points (APs).
They are also called the server’s clients. In your network, the NAC 800 is the
authentication server.
Authentication Protocols
An authentication server receives an endpoint’s credentials via an authentication
protocol. With 802.1X, the authentication protocol is always EAP, and the
NAC 800 and the endpoint negotiate the method. The NAC 800 supports these
EAP methods:
■ Protected EAP (PEAP) with:
• MS-CHAPv2
• Generic Token Card (GTC)
■ Transport Layer Security (TLS)
■ Tunneled TLS (TTLS) with:
• MS-CHAPv2
• Generic Token Card (GTC)
■ Lightweight EAP (LEAP)—not recommended
An endpoint requires a client that supports at least one of the listed EAP
methods. For example, a Windows XP workstation has an 802.1X client
available to all network connections, and this client supports EAP-TLS and
PEAP with MS-CHAPv2. Older workstations might require the installation of
a vendor client for 802.1X authentication.
In fact, IDM enables you to capitalize on all of the NAC 800’s RADIUS
capabilities—and to configure the NAC 800 as part of a centralized management
solution.
Note If you are using the NAC 800 to test endpoint integrity, you also use IDM to
set up dynamic VLAN assignments according to an endpoint’s integrity
posture.
IDM Overview
IDM detects and assumes management of the NAC 800 just as it does any
RADIUS server. Because the IDM agent is installed on the NAC 800 at factory
defaults, you only need to perform three tasks to integrate the NAC 800
with IDM:
■ Configure the same read-only Simple Network Management Protocol
version 2 (SNMPv2) community name on the IDM server and the NAC 800.
(See “Configure MS or CS SNMP Settings” on page 3-24 of Chapter 3:
“Initial Setup of the ProCurve NAC 800.”)
■ On the IDM server, add the NAC 800’s IP address to this file:
C:\Program Files\Hewlett-Packard\PNM\server\config\access.txt.
■ On the NAC 800, specify the IP address of the server that runs PCM Plus
with IDM. (See “Specify the Quarantine Method (802.1X)” on page 4-12.)
After detecting the NAC 800, IDM places it in its ProCurve Network Access
Controllers folder and treats the device much like any RADIUS server:
■ IDM deploys policies to the NAC 800, which include:
• Times and locations for network access
• Profiles for authenticated users, which include dynamic VLAN assignments,
ACLs, and rate limits
Note When IDM deploys a policy to a NAC 800, the NAC 800 stores the
associated configuration. In other words, although IDM manages policies,
once it has deployed them the NAC 800 always enforces them whether it
can reach the IDM server or not.
■ IDM tracks end-users that send authentication requests to the NAC 800.
For more information on IDM and how it interacts with the NAC 800, see “IDM”
on page 2-49 of Chapter 2: “Management Options for the ProCurve NAC 800.”
Note To function with the NAC 800, IDM’s version number must be 2.2 auto-update
2. The NAC 800’s IDM agent version must match the IDM version.
The NAC 800 includes the IDM agent at its factory default settings; you do not
need to install it. If the IDM agent is upgraded, the release notes will instruct
you how to upgrade the agent on the NAC 800.
To check the current IDM agent version, log in to the NAC 800 as root and
enter:
more /root/version
You choose the data store when you configure the NAC 800’s (or cluster’s)
end-user authentication method. (See “Configure Authentication Settings” on
page 4-14.)
Local Database
You can store user accounts as entries in a database on the NAC 800 itself.
IDM simplifies adding entries to the local database. You simply enable local
authentication on the NAC 800’s IDM realm. Then, whenever you add a user
to IDM, the user is automatically added to the local database of all NAC 800s
in the realm.
Note You must always include a password for users that are added to the local
database through IDM. (The NAC 800 does not accept NULL passwords.)
AD (Windows Domain)
Many organizations manage users as a part of a Windows domain, and
Microsoft AD already stores user entries. Rather than duplicate these entries,
the NAC 800 can simply join the domain and request information from AD
when necessary to authenticate a user.
Advantages of using the Windows domain and AD as the data store include:
■ IDM can synchronize with a Windows domain and automatically import
users in specific groups. When you add the NAC 800 to the domain, you
enable the NAC 800 to authenticate these users without adding passwords
to the user accounts in IDM.
■ Changes to an object in AD are automatically available to all NAC 800s.
LDAP Server
Just as the NAC 800 can join a Windows domain and access AD, it can bind to
an LDAP server and search a directory. For example, your organization might
already have a directory that authenticates users and authorizes them for
various types of network access.
■ If your NAC 800 loses connectivity to the LDAP server, it cannot authenticate
users.
Specifying multiple LDAP servers mitigates this disadvantage. See
Chapter 7: “Redundancy and Backup for RADIUS Services.”
The NAC 800 can proxy all requests, or it can only proxy requests that meet
certain criteria, such as having a particular domain suffix.
Proxying requests is primarily intended for NAC 800s that implement endpoint
integrity. The existing RADIUS server handles authentication, and the NAC
800 handles the endpoint integrity.
However, you might choose the proxy option for a RADIUS-only NAC 800 in
this situation: you want to use IDM, but your existing RADIUS server does not
support the IDM agent. The NAC 800 will proxy authentication requests to the
existing server, which checks user credentials. When the NAC 800 receives an
access response from the proxy server, it will modify the response according
to policies configured through IDM.
To configure proxying, you must log in as root to the NAC 800’s (CS’s or ES’s)
command line and edit this file: /etc/raddb/proxy.conf. See “Configure
Authentication to a Proxy RADIUS Server” on page 4-29.
Configure the NAC 800 as a RADIUS Server
Note In particular, set the NAC 800’s SNMPv2 community name to the name
configured on the PCM Plus with IDM server.
If you are adding the RADIUS-only NAC 800 to an existing system of NAC
800s, create a cluster for 802.1X enforcement and add the new NAC 800
as an ES. Otherwise, simply set the NAC 800 as a CS.
3. On the PCM Plus with IDM server (called the IDM server for the rest of
this chapter), add the NAC 800’s IP address to the list of devices allowed
to access the server.
Follow these steps:
a. On the IDM server, open C:\Program Files\Hewlett-Packard\PNM\server\config\access.txt.
Open the file in a text-based editor such as Notepad or WordPad.
b. Add the NAC 800’s IP address or hostname on its own line.
c. Save and close the file.
4. On the NAC 800, select 802.1X for the quarantine method.
See “Specify the Quarantine Method (802.1X)” on page 4-12.
4. In the Basic 802.1X settings area and the IDM server IP address field, enter
the IP address of the server that runs PCM Plus with IDM.
5. Select Local for the RADIUS server type.
Note The Quarantine subnets field only applies if the NAC 800 enforces endpoint
integrity. This setting allows the NAC 800 to respond to DNS requests from
endpoints in quarantine VLANs. You should have already set up the quarantine
VLANs in IDM.
You have now enabled the NAC 800 to make access control decisions as a
RADIUS server. Next you must configure the RADIUS server’s authentication
settings.
The NAC 800 joins the domain. Then, when it receives an authentication
request from an end-user, the NAC 800 uses NT LAN Manager (NTLM) to query
a domain controller (a server that runs AD) and check the end-user’s
credentials.
3. In the Domain name field, enter the FQDN of your domain. For example:
MyCompany.com
Note In a domain with subdomains, the NAC 800 must join the parent domain
(rather than one of the subdomains). For example, you must specify
MyCompany.com, not hq.MyCompany.com.
4. In the Administrator user name field, enter the username of an account with
the right to join the NAC 800 to the domain.
5. In the Administrator password field, enter the password for the user
specified in the previous step.
6. In the Re-enter administrator password field, enter the password again.
7. In the Domain controllers field, specify the FQDN of your domain controller
(or controllers).
Domain controllers are servers that run AD. Separate FQDNs with a
comma (no space).
8. To verify that the NAC 800 can successfully join the domain, click the test
settings button.
See “Test Authentication Settings” on page 4-34 for more information on
setting up the test.
9. You are now ready to specify your network’s NASs. (See “Add NASs as
802.1X Devices” on page 4-39.)
By default, the NAC 800 and the LDAP server communicate in plaintext
messages. You should configure the NAC 800 to complete TLS authentication
with the LDAP server, which increases security in several ways:
■ The LDAP server verifies its identity to the NAC 800 with a secure digital
certificate—which ensures that the server releases user account information
to authorized devices only.
■ TLS creates an encrypted tunnel between the NAC 800 and the LDAP
server—which protects users’ information from eavesdroppers.
Note If you specify a hostname, remember to check the NAC 800’s DNS server.
See “Edit MS or CS Network Settings” on page 3-18 of Chapter 3: “Initial
Setup of the ProCurve NAC 800.”
The default filter is shown in Figure 4-6; it tells the NAC 800 to search for
an entry in which the “uid” attribute equals whatever username is submitted
in an authentication request. (The “Stripped-User-Domain” portion of the
filter allows the NAC 800 to remove an appended domain name, which may be
necessary to match the uid as stored in the directory.)
Note Be careful when altering the default settings: if you cause searches to fail,
you effectively lock out all users.
Note You may receive a message that the test failed because the LDAP query
returned no results. Do not worry: although the search did not return any
results, the bind completed successfully. For information about other result
messages, see Table 4-2 on page 4-38.
12. You are now ready to specify your network’s NASs. (See “Add NASs as
802.1X Devices” on page 4-39.)
Note Be careful when altering the default settings: if you cause searches to fail,
you effectively lock out all users.
Note Check the EAP methods supported by the proxy RADIUS server. The server
must use only those methods, such as PEAP, that include the username in
plaintext.
Note If your NAC 800 is a CS, simply alter the proxy.conf files on that NAC 800.
However, if you have a cluster of MS and ESs, you must alter the file on each
ES in this cluster.
#
realm mycompany.com {
    type = radius
    authhost = 10.10.10.10
    accthost = 10.10.10.20
    secret = "mysecret"
}
Note More advanced users can configure the NAC 800 to proxy various requests to
different RADIUS servers depending on the domain name or EAP type
included in the request. The comments in the proxy.conf file give guidelines;
however, such configuration is not supported by ProCurve Networking.
4. You are now ready to specify your network’s NASs. (See “Add NASs as
802.1X Devices” on page 4-39.)
Note If you are not comfortable using vi, you can save the file to your management
station and edit it with a text editor on that device. Then copy the file back to
the NAC 800 (preserving the /etc/raddb/proxy.conf location and filename). You
can also use this option to copy the same file to multiple devices.
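The two decisions this chapter describes for an incoming request, proxying by domain suffix to a realm listed in proxy.conf and, otherwise, searching the local directory with the default (uid=...) filter after the domain is stripped, as an added shell example. This is not code from the ProCurve guide or the appliance: the proxy.conf excerpt, realm names, hosts and secrets are constructed, and the function names are my own. The username is escaped per RFC 4515 before it goes into the filter, so an identity containing filter metacharacters cannot widen or rewrite the search, which is the kind of failure the note above about altering the filter warns of.

```sh
#!/bin/sh
# Added example, not part of the ProCurve guide: how a RADIUS server decides
# between proxying a request to a realm in proxy.conf and searching the local
# LDAP directory with the default (uid=...) filter. All names, hosts and
# secrets below are constructed; the helper names are my own.
set -e

# Constructed proxy.conf excerpt in the layout the guide shows.
PROXY_CONF='
realm mycompany.com {
	type = radius
	authhost= 10.10.10.10
	accthost= 10.10.10.20
	secret = "mysecret"
}
realm partner.example {
	type = radius
	authhost= 192.0.2.10
	accthost= 192.0.2.10
	secret = "othersecret"
}
'

# Realm part of a "user@realm" or "REALM\user" identity; empty if there is none.
user_realm() {
  case "$1" in
    *@*)  printf '%s\n' "${1##*@}" ;;
    *\\*) printf '%s\n' "${1%%\\*}" ;;
    *)    printf '\n' ;;
  esac
}

# Username with the realm removed (the stripped user name the guide refers to).
stripped_user_name() {
  case "$1" in
    *@*)  printf '%s\n' "${1%%@*}" ;;
    *\\*) printf '%s\n' "${1#*\\}" ;;
    *)    printf '%s\n' "$1" ;;
  esac
}

# authhost of the proxy.conf realm matching $1 (case-insensitive); prints
# nothing if the realm is not listed, i.e. the request is handled locally.
proxy_target_for_realm() {
  printf '%s\n' "$PROXY_CONF" | awk -v want="$1" '
    $1 == "realm" && tolower($2) == tolower(want) { inside = 1; next }
    inside && $1 == "}" { inside = 0 }
    inside && sub(/^[ \t]*authhost[ \t]*=[ \t]*/, "") { print; exit }
  '
}

# Escape the characters RFC 4515 reserves in filter values (\ * ( )), so a
# username such as "ev*l)(uid=*" cannot change the meaning of the search.
ldap_filter_escape() {
  printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The default search filter from the guide, with the stripped, escaped name.
build_ldap_filter() {
  printf '(uid=%s)\n' "$(ldap_filter_escape "$(stripped_user_name "$1")")"
}

# Route an Access-Request for identity $1: proxy if its realm is configured,
# otherwise search the local directory.
route_request() {
  realm=$(user_realm "$1")
  target=""
  [ -n "$realm" ] && target=$(proxy_target_for_realm "$realm")
  if [ -n "$target" ]; then
    printf 'proxy to %s\n' "$target"
  else
    printf 'local LDAP search with filter %s\n' "$(build_ldap_filter "$1")"
  fi
}

route_request 'alice@mycompany.com'
route_request 'CORP\bob'
route_request 'ev*l)(uid=*'
```

The realm lookup is deliberately case-insensitive, since end-users type their domain suffix inconsistently; the filter escaping is what keeps a locally handled username from turning into a filter of its own.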
After configuring one of these methods, you should test whether the NAC
800 can:
■ Contact the directory
■ Bind to it
■ Optionally, perform a successful search
You should test the settings to eliminate problems before the NAC 800 begins
to authenticate end-users on a live network.
4. If you are configuring a CS, you can skip this step. Otherwise, you must
select an ES from the Server to test from drop-down menu.
In a multiple NAC 800 deployment, ESs (not the MS) bind to the LDAP
server when they need to authenticate end-users. When you test settings,
you must choose for which ES you are testing them.
Note If you choose this option, you may receive a message that the test
failed because the LDAP query returned no results or multiple results.
Do not worry: although the search didn’t return results, the bind
completed successfully. See Table 4-2 for results that do indicate a
problem.
• Test the bind operation and look up an end-user’s credentials:
i. Check the Verify credentials for an end-user box.
ii. Enter the username for a valid user in the User name field.
iii. Enter the user’s password in the Password field.
iv. Re-enter the password in the Re-enter password field.
v. Click the test settings button.
This test verifies that:
– The NAC 800 can reach the domain controller or LDAP server.
– The administrator username and password are correct.
– For authentication through an LDAP server, the filter and password
attribute are correct.
– The end-user credentials that you entered are correct.
Note When you first test a configuration with the Verify credentials for an end-
user option, choose an end-user username and password that you are
certain are correct (for example, the administrator password). In that way,
you verify that the configuration itself functions correctly.
Later, if a particular user has difficulty connecting, you can use the Verify
credentials for an end-user option to check the user’s credentials.
Figure 4-13. Home > System configuration > Quarantining > test settings button
Figure 4-14. Home > System configuration > Quarantining > test settings button
Test failed: LDAP query returned no results.
  What happened:
  • The NAC 800 successfully bound to the LDAP server.
  • You didn’t ask to verify credentials.
  Possible cause: none; this result does not indicate a problem.
Test failed: LDAP query returned more than one result.
  What happened:
  • The NAC 800 successfully bound to the LDAP server.
  • You didn’t ask to verify credentials.
  Possible cause: none; this result does not indicate a problem.
Test failed: [LDAP: error code 48 - Inappropriate Authentication].
  What happened: The NAC 800 failed to bind to the LDAP server.
  Possible cause: The bind password is incorrect.
Test failed: could not authenticate identity.
  What happened: The NAC 800 failed to bind to the LDAP server.
  Possible causes:
  • The bind username is incorrect.
  • The base DN is incorrect.
Test failed: [LDAP: error code 32 - NDS error: no such entry (-601)]
  What happened: The NAC 800 failed to bind to the LDAP server.
  Possible causes:
  • The bind username is incorrect.
  • The base DN is incorrect.
Test failed: [LDAP: error code 13 - Confidentiality Required]
  What happened: The NAC 800 failed to bind to the LDAP server.
  Possible cause: The LDAP server requires TLS, but this option is not selected.
Test failed: connection error (Connection refused).
  What happened: The NAC 800 failed to bind to the LDAP server.
  Possible cause: The LDAP server requires TLS, but this option is not selected.
Test failed: could not verify server's certificate signature.
  What happened: The NAC 800 failed to bind to the LDAP server.
  Possible cause: The CA certificate for TLS authentication does not match the
  LDAP server’s CA certificate.
Test failed: end-user <username> not found.
  What happened:
  • The NAC 800 successfully bound to the LDAP server.
  • The NAC 800 failed to validate the test credentials.
  Possible causes:
  • The test username is incorrect.
  • The base DN is incorrect.
  • The filter specifies the wrong attribute name.
Test failed: password for end user <username> is invalid.
  What happened:
  • The NAC 800 successfully bound to the LDAP server.
  • The NAC 800 failed to validate the test credentials.
  Possible cause: The test password is incorrect.
Test failed: Attribute <attribute name> not found.
  What happened:
  • The NAC 800 successfully bound to the LDAP server.
  • The NAC 800 failed to validate the test credentials.
  Possible cause: The password attribute is incorrect.
You must add each NAS that uses the NAC 800 as its RADIUS server to the
NAC 800’s list of 802.1X devices.
Note The NASs are often called RADIUS clients. The Web browser interface,
however, as well as this guide, will refer to them as 802.1X devices.
4. Click the add an 802.1X device link. The Add 802.1X device screen is
displayed.
Figure 4-16. Home > System configuration > Quarantining (802.1X quarantine
method) > Add an 802.1X device
Figure 4-17. Home > System configuration > Quarantining (802.1X quarantine
method) > add an 802.1X device link
If you are using the NAC 800 as a RADIUS server only, the connection
settings do not matter.
Leave the settings at the defaults, or for the ProCurve Wireless Edge
Services xl Module, ProCurve 420 AP, and ProCurve 530 AP, fill in only the
community name.
11. Click the ok button.
12. To apply and save the 802.1X device configuration, you must also click
the ok button in the Home > System configuration > Quarantining screen.
Apply Changes
Whenever you alter the configuration for the 802.1X and RADIUS settings
(including adding an 802.1X device), you must apply and save the changes.
When you apply the changes, the CS’s internal RADIUS server, or the RADIUS
servers on all ESs in the cluster, automatically restart.
Note The RADIUS server typically takes several seconds to restart. During this
period, the RADIUS server is unavailable for authenticating end-users. To
avoid interrupting services, configure 802.1X quarantining settings after
hours.
Figure 4-18. Home > System configuration > Enforcement clusters & servers
2. Click the name of the CS or ES. The Enforcement server screen is displayed.
Note Figure 4-19 shows the Enforcement server screen for a CS. The screen for an
ES features two menu options: General and Configuration. You should select
the General menu option.
Figure 4-19. Home > System configuration > Enforcement clusters & servers >
selected Enforcement server
3. The Process/thread status area lists a number of services. Click the restart
now button for radius. The Operation in progress screen is displayed.
Figure 4-20. Home > System configuration > Enforcement clusters & servers >
selected Enforcement server > radius restart now button
Manage Digital Certificates for RADIUS
At its factory default settings, the NAC 800 authenticates as a RADIUS server
with a self-signed digital certificate. However, this certificate is not intended
for an enterprise environment. It identifies the NAC 800 as follows:
■ subject=/C=CA/ST=Province/L=Some City/O=Organization/OU=localhost/CN=Root certificate/emailAddress=root@example.com
■ issuer=/C=CA/ST=Province/L=Some City/O=Organization/OU=localhost/CN=Client certificate/emailAddress=client@example.com
You should load one of the following certificates on your NAC 800:
■ A self-signed certificate that specifies the NAC 800’s FQDN as its common
name (CN)
■ A certificate that specifies the NAC 800’s FQDN as its CN and is signed by
a trusted CA
In either case, the certificate must allow the NAC 800 to use it for both client
and server authentication. That is, its extended key usage extension should
include both “TLS Web Server Authentication” and “TLS Web Client Authentication.”
The following sections explain how to complete these tasks. The final sections
of this chapter give you some guidelines on setting up certificates on
endpoints.
You must complete these tasks by accessing the root command line for the
NAC 800’s OS:
1. Open a console or SSH session with the NAC 800.
2. Log in:
• username = root
• password = <root password>
For example:
pscp myCA.pem root@10.1.1.20://etc/raddb/certs/demoCA/cacert.pem
Note Be very careful to enter the output file for the certificate exactly as shown
above: /etc/raddb/certs/demoCA/cacert.pem.
Otherwise, you must alter the name specified for the private key file and
the certificate file in the “tls” section of the /etc/raddb/eap.conf file—which
can lead to errors. (See step 12 on page 4-55.)
d. When prompted, enter the NAC 800’s root password.
3. Log in as root to the NAC 800 OS.
4. If the CA certificate is not in PEM format, follow these steps:
a. Move to the correct directory:
ProCurve NAC 800:/# cd /etc/raddb/certs/demoCA
b. Convert from DER format with this command:
Syntax: openssl x509 -in <filename> -inform DER -out <filename> -outform PEM
Preferably, specify cacert.pem for the second filename.
Syntax: openssl req -x509 -config openssl.cnf -extensions radsrv -newkey [rsa | dsa]:[512 | 1024 | 2048 | 4096] -nodes -days <number> -keyout cert-srv.pem -out cert-srv.pem
The -config option should specify the new configuration file that you
created in step 2. (Make sure that you are in the correct directory.)
Similarly, the -extensions option specifies the bracketed name for the
extensions that you added to that file.
The -newkey option generates a private/public keypair for this certificate.
Choose rsa or dsa for the algorithm and then choose the key length (4096 is
not a valid option for dsa). Replace <number> with the number of days that
this certificate will remain valid.
The -nodes option in the command above creates the private key without
password protection. For greater security, leave out this option when you
enter the command. You will then be prompted to enter the password.
After you finish step 4, edit the /etc/raddb/eap.conf file and change the
private key password from whatever to the password that you entered.
For example:
ProCurve NAC 800:/etc/raddb/certs# openssl req -x509 -config openssl.cnf -extensions radsrv -newkey rsa:2048 -nodes -days 365 -keyout cert-srv.pem -out cert-srv.pem
Note Be very careful to enter the output files for the key and the certificate
exactly as shown above: /etc/raddb/certs/cert-srv.pem.
Otherwise, you must alter the name specified for the private key file and
the certificate file in the “tls” section of the /etc/raddb/eap.conf file—which
can lead to errors. (See step 12 on page 4-55.)
4. You will be prompted to enter information about the NAC 800. When
prompted for the CN, enter the NAC 800’s FQDN.
5. Restart the RADIUS server.
ProCurve NAC 800:/etc/raddb/certs# service radiusd restart
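The self-signed procedure above, together with the requirement stated earlier that the certificate carry both “TLS Web Server Authentication” and “TLS Web Client Authentication” and name the NAC 800’s FQDN as its CN, as an added shell example. This is not code from the ProCurve guide: the openssl.cnf it writes is a minimal stand-in for the configuration file of step 2 (its [radsrv] section carries the extensions the guide refers to), the FQDN and organization are made up, the key and certificate are written to separate files rather than both to cert-srv.pem, and the function names are my own. The check function is the part worth keeping: run it against a certificate before editing eap.conf, and it rejects the factory certificate (CN=Root certificate) as well as a CA-issued one whose template omitted client authentication.

```sh
#!/bin/sh
# Added example, not part of the ProCurve guide: create a self-signed RADIUS
# server certificate with the radsrv extensions the guide describes, then check
# that it carries both TLS Web Server Authentication and TLS Web Client
# Authentication and that its CN is the appliance FQDN. The FQDN, organization
# and working directory are made up; the function names are my own.
set -e

WORK="${TMPDIR:-/tmp}/nac800-cert-demo.$$"
mkdir -p "$WORK"
NAC_FQDN="nac800.example.com"   # hypothetical appliance FQDN

# Minimal openssl.cnf with a [radsrv] section, the name used with
# "-extensions radsrv" in the guide. "prompt = no" takes the subject from the
# file instead of asking interactively.
write_openssl_cnf() {
  cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
C  = US
O  = Example Org
CN = $NAC_FQDN
[ radsrv ]
basicConstraints   = CA:FALSE
keyUsage           = digitalSignature, keyEncipherment
extendedKeyUsage   = serverAuth, clientAuth
subjectAltName     = DNS:$NAC_FQDN
EOF
}

# Same openssl req invocation as the guide, except that key and certificate go
# to separate files (the guide writes both to cert-srv.pem).
make_self_signed_cert() {
  write_openssl_cnf
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions radsrv \
    -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Return 0 if certificate $1 has both extended key usages and subject CN = $2;
# otherwise list what is wrong and return 1.
check_radius_cert() {
  cert="$1"; fqdn="$2"; rc=0
  text=$(openssl x509 -in "$cert" -noout -text)
  subject=$(openssl x509 -in "$cert" -noout -subject)
  for eku in 'TLS Web Server Authentication' 'TLS Web Client Authentication'; do
    if ! printf '%s\n' "$text" | grep -q "$eku"; then
      echo "missing extended key usage: $eku"; rc=1
    fi
  done
  # Matches both "CN = x" (newer openssl) and "CN=x" (older) subject output.
  if ! printf '%s\n' "$subject" | grep -Eq "CN ?= ?$fqdn"; then
    echo "subject CN is not $fqdn: $subject"; rc=1
  fi
  return $rc
}

make_self_signed_cert
check_radius_cert "$WORK/cert.pem" "$NAC_FQDN" && echo "certificate OK for $NAC_FQDN"
```

The same check_radius_cert function applies unchanged to a certificate returned by a CA: copy it to the appliance as in the CA-signed procedure and run the check on the PEM file before pointing eap.conf at it.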
For example:
ProCurve NAC 800:/etc/raddb/certs# openssl req -new -config openssl.cnf -extensions radsrv_req -newkey rsa:1024 -nodes -keyout mykey.pem -out myrequest.req
5. You will be prompted to enter information about the NAC 800. When
prompted for the Common Name (CN), enter the NAC 800’s FQDN.
6. Transfer the certificate request to a Secure Copy (SCP) server.
If you have installed PuTTY SCP (PSCP) on your management station, you
can follow these steps:
a. Access the command prompt on your management station and move
to the directory in which PSCP is installed.
b. Enter this command:
For example:
pscp root@10.1.1.20://etc/raddb/certs/myrequest.req nacrequest.req
c. When prompted, enter the NAC 800’s root password.
7. Submit the certificate request to your CA.
Contact your CA to learn how to complete this step. You should request
X.509 format (either Distinguished Encoding Rules [DER] or Privacy
Enhanced Mail [PEM]). However, if necessary you can convert a certificate
that uses a different format. (See step 11.)
Note If you are using a Windows CA, have the CA issue a certificate using the
RAS and IAS Server template (or another template that has key extensions
for both server authentication and client authentication).
8. After the CA returns the server certificate to you, transfer it to the NAC
800.
If you have installed PSCP on your management station, you can follow
these steps:
a. Save the certificate to your management station.
b. Access the command prompt on your management station and move
to the directory in which PSCP is installed.
c. Enter this command:
For example:
pscp mycertificate.pem root@10.1.1.20://etc/raddb/certs/mycertificate.pem
d. When prompted, enter the NAC 800’s root password.
9. Log back in to the NAC 800 as root.
10. Enter this command:
ProCurve NAC 800:/# cd /etc/raddb/certs
11. If your certificate is not the desired format, you can convert it.
12. Alter the /etc/raddb/eap.conf file to specify the new private key and
certificate files. (See Appendix B, “Linux Commands” for vi commands.)
a. Enter this command:
ProCurve NAC 800:/# vi /etc/raddb/eap.conf
b. Use the arrow keys or other vi commands to reach the “tls” section
of the configuration file. (See Figure 4-21.)
tls {
private_key_password = whatever
private_key_file = ${raddbdir}/certs/cert-srv.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
Note The NAC 800 uses the “tls” configuration for server certificates for TLS,
PEAP, and TTLS.
c. Press [i].
d. If you created a password for the private key, set
private_key_password to the same key that you chose earlier. For
example:
private_key_password = mypassword
e. Set private_key_file to the same as the <key filename> that you
specified in step 4 on page 4-53. Keep the default path already included in
the configuration file (which works as long as you saved the key in
the proper directory). For example:
private_key_file = ${raddbdir}/certs/mykey.pem
f. Set certificate_file to the same as the <certificate filename> that you
specified in step 8-c on page 4-54 (or step 11 on page 4-54). Keep the
default path already included in the configuration file (which works
as long as you saved the certificate in the proper directory). For
example:
certificate_file = ${raddbdir}/certs/mycertificate.pem
g. Make sure that CA_file is set to the filename (including the correct
path) for the CA root certificate. This certificate was installed in
“Install the CA Root Certificate on the NAC 800” on page 4-48.
h. Press [Esc].
i. Enter this command:
:wq
13. Restart the RADIUS server.
ProCurve NAC 800:/# service radiusd restart
If the RADIUS server fails to restart, you have probably mistyped the
filenames or private key password in step 12. Carefully recheck the
configuration.
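As an added example, not from the ProCurve guide: a POSIX shell pre-flight check for the “tls” section of eap.conf, to run before step 13 so that the mistyped filenames or private key password mentioned above are caught while the old RADIUS server is still up. It assumes ${raddbdir} is the directory that holds eap.conf, runs the X.509 checks only when openssl is installed, and demonstrates on an eap.conf constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not taken from the ProCurve guide: a pre-flight check to run
# before "service radiusd restart", so that a mistyped file name or private key
# password in the "tls" section of /etc/raddb/eap.conf is caught while the old
# RADIUS server is still running. Assumptions: ${raddbdir} is the directory
# that holds eap.conf, and the first "}" after "tls {" closes the tls block.

# eap_tls_value CONF KEY -> print the value of KEY inside the tls { } block of
# CONF, with ${raddbdir} expanded and surrounding quotes stripped.
eap_tls_value() {
    raddb=$(dirname "$1")
    v=$(awk -v key="$2" '
        /^[ \t]*tls[ \t]*[{]/          { intls = 1; next }
        intls && /^[ \t]*[}]/           { intls = 0 }
        intls && $1 == key && $2 == "=" { gsub(/"/, "", $3); print $3; exit }
    ' "$1")
    prefix='${raddbdir}'
    case $v in
        "$prefix"*) v="$raddb${v#"$prefix"}" ;;
    esac
    printf '%s\n' "$v"
}

# cert_eku CERT -> print the Extended Key Usage line of the first certificate
cert_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Extended Key Usage/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# check_eap_tls CONF -> return 0 when every file named in the tls block is
# readable and, if openssl is installed, the certificate carries both
# "TLS Web Server Authentication" and "TLS Web Client Authentication" and
# its public key matches the private key (decrypted with private_key_password).
# Every problem found is printed, so the output says what to fix in step 12.
check_eap_tls() {
    conf=$1; rc=0
    keyfile=$(eap_tls_value "$conf" private_key_file)
    crtfile=$(eap_tls_value "$conf" certificate_file)
    cafile=$(eap_tls_value "$conf" CA_file)
    keypw=$(eap_tls_value "$conf" private_key_password)
    for f in "$keyfile" "$crtfile" "$cafile"; do
        if [ -z "$f" ] || [ ! -r "$f" ]; then
            echo "missing or unreadable: ${f:-<unset>}"; rc=1
        fi
    done
    [ $rc -eq 0 ] || return 1
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found: file names OK, X.509 checks skipped"; return 0
    fi
    eku=$(cert_eku "$crtfile")
    case $eku in
        *"TLS Web Server Authentication"*"TLS Web Client Authentication"*) ;;
        *"TLS Web Client Authentication"*"TLS Web Server Authentication"*) ;;
        *) echo "bad extendedKeyUsage in $crtfile: ${eku:-none}"; rc=1 ;;
    esac
    # The public key inside the certificate must equal the one derived from the
    # private key; a wrong private_key_password makes the second command fail.
    pub_crt=$(openssl x509 -in "$crtfile" -noout -pubkey 2>/dev/null || true)
    pub_key=$(openssl pkey -in "$keyfile" -passin "pass:$keypw" -pubout 2>/dev/null || true)
    if [ -z "$pub_key" ]; then
        echo "cannot read $keyfile (wrong private_key_password?)"; rc=1
    elif [ "$pub_crt" != "$pub_key" ]; then
        echo "$crtfile does not match $keyfile"; rc=1
    fi
    return $rc
}

# Demo on a constructed eap.conf in a temporary directory: the named files do
# not exist yet, so the check reports them instead of letting radiusd fail.
demo_dir=$(mktemp -d)
cat > "$demo_dir/eap.conf" <<'EOF'
eap {
    tls {
        private_key_password = mypassword
        private_key_file = ${raddbdir}/certs/mykey.pem
        certificate_file = ${raddbdir}/certs/mycertificate.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
    }
}
EOF
echo "private_key_file resolves to: $(eap_tls_value "$demo_dir/eap.conf" private_key_file)"
if check_eap_tls "$demo_dir/eap.conf"; then
    echo "tls section consistent: safe to run 'service radiusd restart'"
else
    echo "fix eap.conf before restarting radiusd"
fi
rm -r "$demo_dir"
```

On a NAC 800 you would call check_eap_tls /etc/raddb/eap.conf as root and restart radiusd only when it returns 0.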
For example:
pscp mycertificate.pem root@10.1.1.20://etc/raddb/certs/mycertificate.pem
d. Repeat the previous command to transfer the private key file, if
separate from the certificate file:
For example:
pscp mykey.pem root@10.1.1.20://etc/raddb/certs/mykey.pem
Note The private key and server certificate might be stored in the same file. In
this case, you only need to enter the command once and you should
specify the output file: /etc/raddb/certs/cert-srv.pem.
This allows the NAC 800 to use the new certificate without forcing you to
alter the “tls” section of the /etc/raddb/eap.conf file—which can lead to
errors.
e. When prompted, enter the NAC 800’s root password.
3. Log in to the NAC 800 as root.
4. Enter this command:
ProCurve NAC 800:/# cd /etc/raddb/certs
5. If your certificate is not in the correct format, you can convert it.
Syntax: openssl x509 -in <certificate filename> -inform DER -out <certificate filename> -outform PEM
For <certificate_filename>, enter the name for the certificate
that you chose in step 2-c on page 4-58. You should change the
filename extension to reflect the changed format.
6. Alter the /etc/raddb/eap.conf file to specify the new certificate. (See
Appendix B, “Linux Commands” for vi commands.)
Note You can skip this step if the new server certificate and private key are in
the same file, which is named cert-srv.pem, and if the private key is not
protected with a password.
a. Enter this command:
ProCurve NAC 800:/# vi /etc/raddb/eap.conf
b. Use the arrow keys or other vi commands to reach the “tls” section
of the configuration file. (See Figure 4-22).
Note The NAC 800 uses the “tls” configuration to authenticate itself for TLS,
PEAP, and TTLS.
tls {
private_key_password = whatever
private_key_file = ${raddbdir}/certs/cert-srv.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
c. Press [i].
d. Set private_key_password to equal the password you chose to protect
your key. For example:
private_key_password = mypassword
e. Set private_key_file to equal the <key_filename> you specified in step
2-d on page 4-58. Keep the default path already included in the
configuration file (which works as long as you saved the key in the proper
directory). For example:
private_key_file = ${raddbdir}/certs/mykey.pem
f. Set certificate_file to equal the <certificate_filename> you specified in
step 2-c on page 4-58 (or step 5 on page 4-58). Keep the default path
already included in the configuration file (which works as long as you
saved the certificate in the proper directory). For example:
certificate_file = ${raddbdir}/certs/mycertificate.pem
g. Make sure that CA_file is set to the filename (including the correct
path) for the CA root certificate. This certificate was installed in
“Install the CA Root Certificate on the NAC 800” on page 4-48.
h. Press [Esc].
i. Enter this command:
:wq
Note If you selected a well-known vendor CA to issue your NAC 800’s certificate,
most endpoints already have the necessary certificate.
You must also install user or computer certificates on endpoints—if you have
selected an EAP method that requires supplicants to authenticate with a
certificate rather than a password. Generally, you would issue those
certificates using your organization’s CA. Refer to the documentation for your CA
service for instructions.
Caution Because this option could allow endpoints to connect to a rogue server,
ProCurve Networking does not recommend it.
■ You want to help endpoints temporarily connect to the network so that
they can obtain the CA certificate necessary for validating the NAC 800’s
certificate.
For example, a Windows station automatically receives the domain’s CA
root certificate when it joins the domain.
After an endpoint obtains the certificate, it should be configured to once
again validate the server certificate.
Figure 4-23. Start > Settings > Network Connections > Local Area Connection
Follow these steps to disable validation of the server on an endpoint that uses
the Microsoft Wireless Zero Configuration client:
1. Select Start > Settings > Network Connections > Wireless Network
Connection.
Figure 4-26. Start > Settings > Network Connections > Local Area Connection
4. Select the service set identifier (SSID) for your wireless network in the
Preferred networks area and click the Properties button.
If the SSID has not yet been configured on the client, you must click the
Add button instead. Then, in addition to completing the steps below, you
must configure settings such as the SSID, the authentication method, and
the encryption type.
5. Select the Authentication tab in the window that is displayed.
Configuring the RADIUS Server—Without Identity Driven Manager
Contents
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
RADIUS Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
Authentication Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
Dynamic or User-Based Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
Data Store Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
AD (Windows Domain) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
LDAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6
Proxy RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6
Configure the NAC 800 as a RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
Specify the Quarantine Method (802.1X) . . . . . . . . . . . . . . . . . . . . . . . . 5-8
Configure Authentication Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-10
Configure Authentication to a Windows Domain . . . . . . . . . . . . 5-10
Configure Authentication to an LDAP Server . . . . . . . . . . . . . . . 5-14
Configure Authentication to a Proxy RADIUS Server . . . . . . . . . 5-23
Test Authentication Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-28
Add NASs as 802.1X Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-34
Apply Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-38
Restart the RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-38
Manage Digital Certificates for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-42
Install the CA Root Certificate on the NAC 800 . . . . . . . . . . . . . . . . . 5-43
Overview
As explained in Chapter 1: “Overview of the ProCurve NAC 800,” a ProCurve
NAC 800 can fulfill a variety of functions, among them checking endpoint
integrity and authenticating endpoints as a RADIUS server. In this chapter,
you learn how to configure a NAC 800 that acts only as a RADIUS server.
This chapter guides you through manual configuration of the NAC 800’s
RADIUS server. See Chapter 4: “Configuring the RADIUS Server—Integrated
with ProCurve Identity Driven Manager” to learn how to configure RADIUS
settings using IDM.
In one circumstance only might you use a cluster deployment: you are adding
a RADIUS-only NAC 800 to a system that already enforces endpoint integrity
with a cluster configuration. In this case, the RADIUS-only NAC 800 would be
an ES in a new cluster that enforces 802.1X quarantining but not endpoint
integrity. You configure most of the settings described in this chapter in the
MS’s Web browser interface. However, you create digital certificates through
the RADIUS-only NAC 800’s root command line.
RADIUS Overview
The RADIUS protocol regulates communications between Network Access
Servers (NASs) and authentication servers. The NASs are the points of access
for endpoints—for example, switch ports or wireless access points (APs). In
your network, the NAC 800 is the authentication server.
Authentication Protocols
An authentication server receives an endpoint’s credentials via an
authentication protocol. With 802.1X, the authentication protocol is always EAP, and the
NAC 800 and the endpoint negotiate the method. The NAC 800 supports these
EAP methods:
■ Protected EAP (PEAP) with:
• MS-CHAPv2
• Generic Token Card (GTC)
■ Transport Layer Security (TLS)
■ Tunneled TLS (TTLS) with:
• MS-CHAPv2
• Generic Token Card (GTC)
■ Lightweight EAP (LEAP)—not recommended
An endpoint requires a client that supports at least one of the listed EAP
methods. For example, a Windows XP workstation has an 802.1X client
available to all network connections, and this client supports EAP-TLS and
PEAP with MS-CHAPv2. Older workstations might require the installation of
a vendor client for 802.1X authentication.
However, IDM is required for configuring these settings on the NAC 800. See
Chapter 4: “Configuring the RADIUS Server—Integrated with ProCurve
Identity Driven Manager.”
You choose the data store when you configure the NAC 800’s (or cluster’s)
end-user authentication method. (See “Configure Authentication Settings” on
page 5-10.)
AD (Windows Domain)
Many organizations manage users as a part of a Windows domain, and
Microsoft AD already stores user entries. The NAC 800 can join the domain
and request information from AD when necessary to authenticate a user.
Advantages of using the Windows domain and AD as the data store include:
■ You do not have to replicate information already present in AD.
■ Changes to an object in AD are automatically available to all NAC 800s.
LDAP Server
Just as the NAC 800 can join a Windows domain and access AD, it can bind to
an LDAP server and search a directory. For example, your organization might
already have a directory that authenticates users and authorizes them for
various types of network access.
The NAC 800 can proxy all requests, or it can only proxy requests that meet
certain criteria such as domain suffix.
Proxying requests is primarily intended for NAC 800s that implement endpoint
integrity. The existing RADIUS server handles authentication, and the NAC
800 handles the endpoint integrity.
However, you can, if you so choose, have the NAC 800 proxy at least some
requests to an existing RADIUS server.
To configure proxying, you must log in as root to the NAC 800’s (CS’s or ES’s)
command line and edit this file: /etc/raddb/proxy.conf. See “Configure
Authentication to a Proxy RADIUS Server” on page 5-23.
Configure the NAC 800 as a RADIUS Server
4. In the Basic 802.1X settings area, select Local for the RADIUS server type.
Note The Quarantine subnets field only applies if the NAC 800 enforces endpoint
integrity. This setting allows the NAC 800 to respond to DNS requests from
endpoints in quarantine VLANs. You should have already set up the quarantine
VLANs in IDM.
You have now enabled the NAC 800 to make access-control decisions as a
RADIUS server. Next, you must configure the RADIUS server’s authentication
settings.
Note The Manual option for end-user authentication specifies the NAC 800’s local
database as the data store. However, IDM is required for this option.
The NAC 800 joins the domain. Then, when it receives an authentication
request from an end-user, the NAC 800 uses NT LAN Manager (NTLM) to query
a domain controller (a server that runs AD) and check the end-user’s
credentials.
Note In a domain with subdomains, the NAC 800 must join the parent domain
(rather than one of the subdomains). For example, you must specify
MyCompany.com, not hq.MyCompany.com.
4. In the Administrator user name field, enter the username of an account with
the right to add the NAC 800 to the domain.
5. In the Administrator password field, enter the password for the user
specified in the previous step.
6. In the Re-enter administrator password field, enter the password again.
7. In the Domain controllers field, specify the FQDN of your domain controller
(or controllers).
Domain controllers are servers that run AD. Separate FQDNs with a
comma (no spaces).
8. To verify that the NAC 800 can successfully join the domain, click the test
settings button.
See “Test Authentication Settings” on page 5-28 for more information on
setting up the test.
9. You are now ready to specify your network’s NASs. (See “Add NASs as
802.1X Devices” on page 5-34.)
By default, the NAC 800 and the LDAP server communicate in plaintext
messages. You should configure the NAC 800 to complete TLS authentication
with the LDAP server, which increases security in several ways:
■ The NAC 800 and the LDAP server verify their identities to each other with
secure digital certificates—which ensures that they communicate user
account information to authorized devices only.
■ TLS creates an encrypted tunnel between the NAC 800 and the LDAP
server—which protects users’ information from eavesdroppers.
Note If you specify a hostname, remember to check the NAC 800’s DNS server.
See “Edit MS or CS Network Settings” on page 3-18 of Chapter 3: “Initial
Setup of the ProCurve NAC 800.”
Note Be careful when altering the default settings: if you cause searches to fail,
you effectively lock out all users.
Note You may receive a message that the test failed because the LDAP query
returned no results. Do not worry: although the search did not return any
results, the bind completed successfully. For information about other result
messages, see Table 5-2 on page 5-32.
12. You are now ready to specify your network’s NASs. (See “Add NASs as
802.1X Devices” on page 5-34.)
Note Be careful when altering the default settings: if you cause searches to fail,
you effectively lock out all users.
Note If your NAC 800 is a CS, simply alter the proxy.conf files on that NAC 800.
However, if you have a cluster of MS and ESs, you must alter the file on
each ES in this cluster.
#
realm mycompany.com {
    type = radius
    authhost = 10.10.10.10
    accthost = 10.10.10.20
    secret = "mysecret"
}
Note If you are not comfortable using vi, you can save the file to your management
station and edit it with a text editor on that device. Then copy the file back to
the NAC 800 (preserving the /etc/raddb/proxy.conf location and filename). For
instructions on copying files to and from the NAC 800, see Chapter 1:
Introduction of the ProCurve Network Access Controller Users’ Guide.
After configuring one of these methods, you should test whether the
NAC 800 can:
■ Contact the directory
■ Bind to it
■ Optionally, perform a successful search
You should test the settings to eliminate problems before the NAC 800 begins
to authenticate end-users on a live network.
4. If you are configuring a CS, you can skip this step. Otherwise, you must
select an ES from the Server to test from drop-down menu.
In a multiple NAC 800 deployment, ESs (not the MS) bind to the LDAP
server when they need to authenticate the end-user. When you test
settings, you must choose for which ES you are testing them.
Note If you choose this option, you may receive a message that the test
failed because the LDAP query returned no results or multiple results.
Do not worry: although the search did not return results, the bind
completed successfully. See Table 5-2 for results that do indicate a
problem.
• Test the bind operation and look up an end-user’s credentials:
i. Check the Verify credentials for an end-user box.
ii. Enter the username for a valid user in the User name field.
iii. Enter the user’s password in the Password field.
iv. Re-enter the password in the Re-enter password field.
v. Click the test settings button.
This test verifies that:
– The NAC 800 can reach the domain controller or LDAP server.
– The administrator username and password are correct.
– For authentication through an LDAP server, the filter and
password attribute are correct.
– The end-user credentials that you entered are correct.
Note When you first test a configuration with the Verify credentials for an end-
user option, choose an end-user username and password that you are
certain are correct (for example, the administrator password). In that way,
you verify that the configuration itself functions correctly.
Later, if a particular user has difficulty connecting, you can use the Verify
credentials for an end-user option to check the user’s credentials.
Figure 5-12. Home > System configuration > Quarantining > test settings button
Figure 5-13. Home > System configuration > Quarantining > test settings button
Test failed: LDAP query returned no results.
    Meaning: • The NAC 800 successfully bound to the LDAP server. • You did not ask to verify credentials.
Test failed: [LDAP: error code 48 - Inappropriate Authentication].
    Meaning: The NAC 800 failed to bind to the LDAP server.
    Possible cause: The bind password is incorrect.
Test failed: could not authenticate identity.
    Meaning: The NAC 800 failed to bind to the LDAP server.
    Possible cause: The bind username is incorrect.
Test failed: end-user <username> not found.
    Meaning: • The NAC 800 successfully bound to the LDAP server. • The NAC 800 failed to validate the test credentials.
    Possible cause: • The test username is incorrect. • The filter specifies the wrong attribute name.
Test failed: connection error (Connection refused).
    Meaning: The NAC 800 failed to bind to the LDAP server.
    Possible cause: The LDAP server requires TLS, but this option is not selected.
Test failed: could not verify server's certificate signature.
    Meaning: The NAC 800 failed to bind to the LDAP server.
    Possible cause: The CA certificate for TLS authentication does not match the LDAP server’s CA certificate.
Test failed: password for end user <username> is invalid.
    Meaning: • The NAC 800 successfully bound to the LDAP server. • The NAC 800 failed to validate the test credentials.
    Possible cause: The test password is incorrect.
Test failed: Attribute <attribute name> not found.
    Meaning: • The NAC 800 successfully bound to the LDAP server. • The NAC 800 failed to validate the test credentials.
    Possible cause: The password attribute is incorrect.
Test failed: LDAP query returned more than one result.
    Meaning: • The NAC 800 successfully bound to the LDAP server. • You did not ask to verify credentials.
Test failed: [LDAP: error code 32 - NDS error: no such entry (-601)]
    Meaning: The NAC 800 failed to bind to the LDAP server.
    Possible cause: • The bind username is incorrect. • The base DN is incorrect.
Test failed: [LDAP: error code 13 - Confidentiality Required]
    Meaning: The NAC 800 failed to bind to the LDAP server.
    Possible cause: The LDAP server requires TLS, but this option is not selected.
Test failed: LDAP query returned no results.
    Meaning: • The NAC 800 successfully bound to the LDAP server. • You didn’t ask to verify credentials.
Test failed: LDAP query returned more than one result.
    Meaning: • The NAC 800 successfully bound to the LDAP server. • You didn’t ask to verify credentials.
Test failed: [LDAP: error code 48 - Inappropriate Authentication].
    Meaning: The NAC 800 failed to bind to the LDAP server.
    Possible cause: The bind password is incorrect.
Test failed: could not authenticate identity.
    Meaning: The NAC 800 failed to bind to the LDAP server.
    Possible cause: • The bind username is incorrect. • The base DN is incorrect.
Test failed: [LDAP: error code 32 - NDS error: no such entry (-601)]
    Meaning: The NAC 800 failed to bind to the LDAP server.
    Possible cause: • The bind username is incorrect. • The base DN is incorrect.
Test failed: [LDAP: error code 13 - Confidentiality Required]
    Meaning: The NAC 800 failed to bind to the LDAP server.
    Possible cause: The LDAP server requires TLS, but this option is not selected.
Test failed: connection error (Connection refused).
    Meaning: The NAC 800 failed to bind to the LDAP server.
    Possible cause: The LDAP server requires TLS, but this option is not selected.
Test failed: could not verify server's certificate signature.
    Meaning: The NAC 800 failed to bind to the LDAP server.
    Possible cause: The CA certificate for TLS authentication does not match the LDAP server’s CA certificate.
Test failed: end-user <username> not found.
    Meaning: • The NAC 800 successfully bound to the LDAP server. • The NAC 800 failed to validate the test credentials.
    Possible cause: • The test username is incorrect. • The base DN is incorrect. • The filter specifies the wrong attribute name.
Test failed: password for end user <username> is invalid.
    Meaning: • The NAC 800 successfully bound to the LDAP server. • The NAC 800 failed to validate the test credentials.
    Possible cause: The test password is incorrect.
Test failed: Attribute <attribute name> not found.
    Meaning: • The NAC 800 successfully bound to the LDAP server. • The NAC 800 failed to validate the test credentials.
    Possible cause: The password attribute is incorrect.
You must add each NAS that uses the NAC 800 as its RADIUS server to the
NAC 800’s list of 802.1X devices.
Note The NASs are often called RADIUS clients. The Web browser interface,
however, as well as this guide, will refer to them as 802.1X devices.
4. Click the add an 802.1X device link. The Add 802.1X device screen is
displayed.
Figure 5-15. Home > System configuration > Quarantining (802.1X quarantine method) > add an 802.1X device
Figure 5-16. Home > System configuration > Quarantining (802.1X quarantine method) > add an 802.1X device link
If you are using the NAC 800 as a RADIUS server only, the connection
settings do not matter.
Leave the settings at the defaults, or for the ProCurve Wireless Edge
Services xl Module, ProCurve 420 AP, and ProCurve 530 AP, fill in only the
community name.
11. Click the ok button.
12. To apply and save the 802.1X device configuration, you must also click
the ok button in the Home > System configuration > Quarantining screen.
Apply Changes
Whenever you alter the configuration for the 802.1X and RADIUS settings
(including adding an 802.1X device), you must apply and save the changes.
When you apply the changes, the CS’s internal RADIUS server (or the RADIUS
servers on all ESs in the cluster) automatically restarts.
Note The RADIUS server typically takes several seconds to restart. During this
period, the RADIUS server is unavailable for authenticating end-users. To
avoid interrupting services, configure 802.1X quarantining settings after
hours.
Figure 5-17. Home > System configuration > Enforcement clusters & servers
2. Click the name of the CS or ES. The Enforcement server screen is displayed.
Note Figure 5-18 shows the Enforcement server screen for a CS. The screen for an
ES features two menu options: General and Configuration. You should select
the General menu option.
Figure 5-18. Home > System configuration > Enforcement clusters & servers > selected Enforcement server
3. The Process/thread status area lists a number of services. Click the restart
now button for radius. The Operation in progress screen is displayed.
Figure 5-19. Home > System configuration > Enforcement clusters & servers > selected Enforcement server > radius restart now button
Manage Digital Certificates for RADIUS
At its factory default settings, the NAC 800 authenticates as a RADIUS server
with a self-signed digital certificate. However, this certificate is not intended
for an enterprise environment. It identifies the NAC 800 as follows:
■ subject=/C=CA/ST=Province/L=Some City/O=Organization/OU=localhost/CN=Root certificate/emailAddress=root@example.com
■ issuer=/C=CA/ST=Province/L=Some City/O=Organization/OU=localhost/CN=Client certificate/emailAddress=client@example.com
You should load one of the following certificates on your NAC 800:
■ A self-signed certificate that specifies the NAC 800’s FQDN as its common
name (CN)
■ A certificate that specifies the NAC 800’s FQDN as its CN and is signed by
a trusted CA
In either case, the certificate must allow the NAC 800 to use it for client and
server authentication. That is, the extensions for the key usage should be “TLS
Web Server Authentication” and “TLS Web Client Authentication.”
The following sections explain how to complete these tasks. The final sections
of this chapter give you some guidelines on setting up certificates on
endpoints.
You must complete these tasks by accessing the root command line for the
NAC 800’s OS:
1. Open a console or SSH session with the NAC 800.
2. Log in:
• username = root
• password = <root password>
For example:
pscp myCA.pem root@10.1.1.20://etc/raddb/certs/demoCA/cacert.pem
Note Be very careful to enter the output file for the certificate exactly as shown
above: /etc/raddb/certs/demoCA/cacert.pem.
Otherwise, you must alter the name specified for the private key file and
the certificate file in the “tls” section of the /etc/raddb/eap.conf file—which
can lead to errors. (See step 12 on page 5-50.)
d. When prompted, enter the NAC 800’s root password.
3. Log in as root to the NAC 800 OS.
4. If the CA certificate is in DER rather than PEM format, convert it:
a. Move to the correct directory:
ProCurve NAC 800:/# cd /etc/raddb/certs/demoCA
b. Convert from DER format with this command:
Syntax: openssl x509 -in <input filename> -inform DER -out <output filename> -outform PEM
Preferably, specify cacert.pem for the output filename, so that the CA_file setting in eap.conf does not need to change.
Syntax: openssl req -x509 -config openssl.cnf -extensions radsrv -newkey [rsa | dsa]:[512 | 1024 | 2048 | 4096] -nodes -days <number> -keyout cert-srv.pem -out cert-srv.pem
The -config option should specify the new configuration file that you created in step 2. (Make sure that you are in the correct directory.) Similarly, the -extensions option specifies the bracketed section name for the extensions that you added to that file. Do not omit it: without it, the certificate is generated without the server- and client-authentication EKUs and supplicants will reject it.
The -newkey option generates a private/public key pair for this certificate. Choose rsa or dsa for the algorithm and then choose the key length (4096 is not a valid option for dsa). Use rsa with a key of at least 2048 bits; 512- and 1024-bit keys are too weak to protect the TLS tunnel that carries user credentials. Replace <number> with the number of days that this certificate will remain valid.
Because -keyout and -out name the same file, the private key and the certificate are written together into cert-srv.pem, which is the file the default eap.conf expects.
The -nodes option creates the private key without password protection. For greater security, leave out this option; you will then be prompted to enter a password.
If you set a password, then after you finish step 4 edit the /etc/raddb/eap.conf file and change private_key_password from whatever to the password that you entered. (See step 12 on page 5-50.)
For example:
ProCurve NAC 800:/etc/raddb/certs# openssl req -x509 -config openssl.cnf -extensions radsrv -newkey rsa:2048 -nodes -days 365 -keyout cert-srv.pem -out cert-srv.pem
Note Enter the output file for the key and the certificate exactly as shown above: /etc/raddb/certs/cert-srv.pem.
Otherwise, you must change the private_key_file and certificate_file settings in the “tls” section of the /etc/raddb/eap.conf file to match, which can lead to errors. (See step 12 on page 5-50.)
4. You will be prompted to enter information about the NAC 800. When
prompted for the CN, enter the NAC 800’s FQDN.
5. Restart the RADIUS server.
ProCurve NAC 800:/etc/raddb/certs# service radiusd restart
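The following shell script is an added example and is not part of the ProCurve guide. It reproduces the self-signed step above in a scratch directory and then runs the checks you should apply to any server certificate, self-signed or CA-issued, before copying it to /etc/raddb/certs: that both EKUs are present, that the CN is the NAC 800’s FQDN, and that the private key belongs to the certificate. The FQDN (nac800.example.com), the scratch directory and the minimal openssl.cnf with its radsrv section are assumptions made here; the guide’s own openssl.cnf from step 2 is not reproduced. The script also generates the same certificate with -extensions left out, to show that the EKU check catches that mistake.

```shell
#!/bin/sh
# Added example, not part of the ProCurve guide: reproduces the guide's
# "openssl req -x509 ... -extensions radsrv" step in a scratch directory,
# then checks the result before it is copied to /etc/raddb/certs. Assumed:
# FQDN, WORKDIR and the minimal openssl.cnf below; openssl on PATH.
set -u

FQDN="${FQDN:-nac800.example.com}"     # assumed FQDN of the NAC 800
WORKDIR="${WORKDIR:-$(mktemp -d)}"     # stand-in for /etc/raddb/certs

# Minimal openssl.cnf with the [radsrv] section the guide refers to. The
# DN is supplied with -subj, so req_dn can stay empty.
write_openssl_cnf() {
  cat > "$WORKDIR/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ radsrv ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$FQDN
EOF
}

# Self-signed server certificate; $1 = extensions section ("" = none,
# the common mistake), $2 = base name for <base>.key and <base>.crt.
gen_cert() {
  ext_opt=""
  if [ -n "$1" ]; then ext_opt="-extensions $1"; fi
  openssl req -x509 -config "$WORKDIR/openssl.cnf" $ext_opt \
    -newkey rsa:2048 -nodes -days 365 \
    -subj "/C=CA/O=Organization/CN=$FQDN" \
    -keyout "$WORKDIR/$2.key" -out "$WORKDIR/$2.crt" 2>/dev/null
}

# Both EKUs the guide requires ("TLS Web Server/Client Authentication").
has_both_ekus() {
  txt=$(openssl x509 -in "$1" -noout -text) || return 1
  printf '%s\n' "$txt" | grep -q 'TLS Web Server Authentication' &&
    printf '%s\n' "$txt" | grep -q 'TLS Web Client Authentication'
}

# CN must be the NAC 800's FQDN, which supplicants compare against.
cn_is_fqdn() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 1
  case "$subj" in
    *"CN=$2,"*|*"CN=$2") return 0 ;;
    *) return 1 ;;
  esac
}

# Key and certificate must belong together or radiusd refuses to start.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -modulus)" = \
    "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# All three checks; only then copy the files and restart radiusd.
preflight() {   # $1 = cert, $2 = key, $3 = expected FQDN
  has_both_ekus "$1" && cn_is_fqdn "$1" "$3" && key_matches_cert "$1" "$2"
}

write_openssl_cnf
gen_cert radsrv good       # the guide's command
gen_cert ""     noext      # same command with -extensions forgotten
if preflight "$WORKDIR/good.crt" "$WORKDIR/good.key" "$FQDN"; then
  echo "good.crt: OK, safe to install as cert-srv.pem"
fi
if ! has_both_ekus "$WORKDIR/noext.crt"; then
  echo "noext.crt: no serverAuth/clientAuth EKU, PEAP/TLS clients will reject it"
fi
```

On the NAC 800 itself, run the three check functions against /etc/raddb/certs/cert-srv.pem (or against the separate key and certificate files from the CA-issued procedure) before step 5; a certificate that fails has_both_ekus is the usual reason Windows PEAP clients refuse to authenticate even though radiusd starts without complaint.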
For example:
ProCurve NAC 800:/etc/raddb/certs# openssl req -new -config openssl.cnf -reqexts radsrv_req -newkey rsa:2048 -nodes -keyout mykey.pem -out myrequest.req
Note that -reqexts (not -extensions, which applies only when openssl generates a certificate with -x509) attaches the requested extensions to a certificate request. Most CAs ignore requested extensions and apply their own template, so confirm with your CA that the issued certificate will carry both the server- and client-authentication EKUs.
5. You will be prompted to enter information about the NAC 800. When
prompted for the Common Name (CN), enter the NAC 800’s FQDN.
6. Transfer the certificate request from the NAC 800 to your management station using Secure Copy (SCP).
If you have installed PuTTY SCP (PSCP) on your management station, you can follow these steps:
a. Access the command prompt on your management station and move to the directory in which PSCP is installed.
b. Enter this command:
For example:
pscp root@10.1.1.20:/etc/raddb/certs/myrequest.req nacrequest.req
c. When prompted, enter the NAC 800’s root password.
7. Submit the certificate request to your CA.
Contact your CA to learn how to complete this step. You should request
X.509 format (either Distinguished Encoding Rules [DER] or Privacy
Enhanced Mail [PEM]). However, if necessary you can convert a certifi-
cate that uses a different format. (See step 11.)
Note If you are using a Windows CA, have the CA issue a certificate using the
RAS and IAS Server template (or another template that has key extensions
for both server authentication and client authentication).
8. After the CA returns the server certificate to you, transfer it to the NAC
800.
If you have installed PSCP on your management station, you can follow
these steps:
a. Save the certificate to your management station.
b. Access the command prompt on your management station and move
to the directory in which PSCP is installed.
c. Enter this command:
For example:
pscp mycertificate.pem root@10.1.1.20:/etc/raddb/certs/mycertificate.pem
d. When prompted, enter the NAC 800’s root password.
9. Log back in to the NAC 800 as root.
10. Enter this command:
ProCurve NAC 800:/# cd /etc/raddb/certs
11. If your certificate is not the desired format, you can convert it.
Convert from DER with this command:
12. Alter the /etc/raddb/eap.conf file to specify the new private key and certif-
icate files. (See Appendix B, “Linux Commands” for vi commands.)
a. Enter this command:
ProCurve NAC 800:/# vi /etc/raddb/eap.conf
b. Use the arrow keys or other vi commands to reach the “tls” section
of the configuration file. (See Figure 5-20.)
tls {
private_key_password = whatever
private_key_file = ${raddbdir}/certs/cert-srv.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
Note The NAC 800 uses the “tls” configuration for server certificates for TLS,
PEAP, and TTLS.
c. Press [i].
d. If you created a password for the private key, set
private_key_password to the same key that you chose earlier. For
example:
private_key_password = mypassword
e. Set private_key_file to the same as the <key filename> that you speci-
fied in step 4 on page 5-48. Keep the default path already included in
the configuration file (which works as long as you saved the key in
the proper directory). For example:
private_key_file = ${raddbdir}/certs/mykey.pem
f. Set certificate_file to the same as the <certificate filename> that you
specified in step 8-c on page 5-49 (or step 11 on page 5-50). Keep the
default path already included in the configuration file (which works
as long as you saved the certificate in the proper directory). For
example:
certificate_file = ${raddbdir}/certs/mycertificate.pem
g. Make sure that CA_file is set to the filename (including the correct
path) for the CA root certificate. This certificate was installed in
“Install the CA Root Certificate on the NAC 800” on page 5-43.
h. Press [Esc].
i. Enter this command:
:wq
13. Restart the RADIUS server.
ProCurve NAC 800:/# service radiusd restart
If the RADIUS server fails to restart, you have probably mistyped one of the filenames or the private key password in step 12. Carefully recheck the configuration: every file named in the “tls” section must exist at the given path, and private_key_password must open the key. Running radiusd -X from the root command line starts the server in debug mode and prints the name of the file it could not load.
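As an added example that is not part of the guide, the following script checks an eap.conf “tls” section the way radiusd checks it at startup: every referenced file must be readable, and the private key must open with private_key_password. It builds its own sample files under a scratch directory that stands in for /etc/raddb (the password-protected key, the self-signed certificate, the CA file, the password mypassword and the three eap.conf variants are all constructed here and are assumptions), and reports which setting would make the restart fail.

```shell
#!/bin/sh
# Added example, not part of the ProCurve guide: checks the "tls" section of
# an eap.conf the way radiusd does at startup (every referenced file must be
# readable and the private key must open with private_key_password), so the
# "fails to restart" case in step 13 is caught before the restart. Assumed:
# RADDB as a stand-in for /etc/raddb and the constructed sample files below.
set -u

RADDB="${RADDB:-$(mktemp -d)}"
mkdir -p "$RADDB/certs/demoCA"

# Read one setting from the tls { ... } block; expands ${raddbdir} and
# strips surrounding quotes. Assumes the block has no nested sections.
tls_setting() {   # $1 = eap.conf, $2 = setting name
  v=$(awk -v key="$2" '
    /^[ \t]*tls[ \t]*[{]/            { in_tls = 1; next }
    in_tls && /^[ \t]*[}]/           { in_tls = 0 }
    in_tls && $1 == key && $2 == "=" { print $3; exit }
  ' "$1")
  v=${v#\"}; v=${v%\"}
  prefix='${raddbdir}'
  case "$v" in
    "$prefix"*) v=$RADDB${v#"$prefix"} ;;
  esac
  printf '%s\n' "$v"
}

# openssl exits non-zero when the password is wrong (an unencrypted key
# opens with any password, just as it does for radiusd).
key_opens() {   # $1 = key file, $2 = password
  openssl rsa -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Print the first setting radiusd would choke on, or "ok".
check_tls_section() {   # $1 = eap.conf
  for name in private_key_file certificate_file CA_file; do
    path=$(tls_setting "$1" "$name")
    if [ -z "$path" ] || [ ! -r "$path" ]; then echo "$name"; return 1; fi
  done
  if ! key_opens "$(tls_setting "$1" private_key_file)" \
                 "$(tls_setting "$1" private_key_password)"; then
    echo private_key_password; return 1
  fi
  echo ok
}

# Constructed sample: a password-protected key (what the guide's openssl req
# command produces without -nodes), a self-signed certificate, and a CA file.
write_sample() {
  printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$RADDB/req.cnf"
  openssl genrsa -aes256 -passout pass:mypassword \
    -out "$RADDB/certs/mykey.pem" 2048 2>/dev/null
  openssl req -new -x509 -config "$RADDB/req.cnf" -days 365 \
    -key "$RADDB/certs/mykey.pem" -passin pass:mypassword \
    -subj "/CN=nac800.example.com" -out "$RADDB/certs/mycertificate.pem" 2>/dev/null
  cp "$RADDB/certs/mycertificate.pem" "$RADDB/certs/demoCA/cacert.pem"
}

# eap.conf with the tls settings from step 12; $2 = password, $3 = key file.
write_eap_conf() {   # $1 = output path
  cat > "$1" <<EOF
eap {
    default_eap_type = peap
    tls {
        private_key_password = $2
        private_key_file = \${raddbdir}/certs/$3
        certificate_file = \${raddbdir}/certs/mycertificate.pem
        CA_file = \${raddbdir}/certs/demoCA/cacert.pem
    }
}
EOF
}

write_sample
write_eap_conf "$RADDB/eap.good" mypassword mykey.pem   # step 12 done right
write_eap_conf "$RADDB/eap.pw"   whatever   mykey.pem   # password left at "whatever"
write_eap_conf "$RADDB/eap.typo" mypassword mykey.pm    # mistyped filename
for f in good pw typo; do
  echo "eap.$f: $(check_tls_section "$RADDB/eap.$f")"
done
```

To use it on the appliance, set RADDB=/etc/raddb and call check_tls_section /etc/raddb/eap.conf before step 13; the dh_file and random_file settings are left to radiusd itself. The “whatever” case is the one the notes above warn about: a key created without -nodes is password-protected, and leaving the default private_key_password in place stops radiusd from loading it.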
For example:
pscp mycertificate.pem root@10.1.1.20:/etc/raddb/certs/mycertificate.pem
d. Repeat the previous command to transfer the private key file, if it is separate from the certificate file. For example:
pscp mykey.pem root@10.1.1.20:/etc/raddb/certs/mykey.pem
Note The private key and server certificate might be stored in the same file. In
this case, you only need to enter the command once and you should
specify the output file: /etc/raddb/certs/cert-srv.pem.
This allows the NAC 800 to use the new certificate without forcing you to
alter the “tls” section of the /etc/raddb/eap.conf file—which can lead to
errors.
e. When prompted, enter the NAC 800’s root password.
3. Log in to the NAC 800 as root.
4. Enter this command:
ProCurve NAC 800:/# cd /etc/raddb/certs
5. If your certificate is not in the correct format, you can convert it.
Syntax: openssl x509 -in <certificate filename> -inform DER -out <certificate filename> -outform PEM
For <certificate filename>, enter the name for the certificate that you chose in step 2-c on page 5-53. Use a different filename extension for the output file to reflect the changed format, so that the converted file does not overwrite the original.
6. Alter the /etc/raddb/eap.conf file to specify the new certificate. (See Appen-
dix B, “Linux Commands” for vi commands.)
Note You can skip this step if the new server certificate and private key are in
the same file, which is named cert-srv.pem, and if the private key is not
protected with a password.
a. Enter this command:
ProCurve NAC 800:/# vi /etc/raddb/eap.conf
b. Use the arrow keys or other vi commands to reach the “tls” section
of the configuration file. (See Figure 5-21).
Note The NAC 800 uses the “tls” configuration to authenticate itself for TLS,
PEAP, and TTLS.
tls {
private_key_password = whatever
private_key_file = ${raddbdir}/certs/cert-srv.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
c. Press [i].
d. Set private_key_password to equal the password you chose to protect
your key. For example:
private_key_password = mypassword
e. Set private_key_file to equal the <key_filename> you specified in step
2-d on page 5-53. Keep the default path already included in the con-
figuration file (which works as long as you saved the key in the proper
directory). For example:
private_key_file = ${raddbdir}/certs/mykey.pem
f. Set certificate_file to equal the <certificate_filename> you specified in
step 2-c on page 5-53 (or step 5 on page 5-53). Keep the default path
already included in the configuration file (which works as long as you
saved the certificate in the proper directory). For example:
certificate_file = ${raddbdir}/certs/mycertificate.pem
g. Make sure that CA_file is set to the filename (including the correct
path) for the CA root certificate. This certificate was installed in
“Install the CA Root Certificate on the NAC 800” on page 5-43.
h. Press [Esc].
i. Enter this command:
:wq
Note If you selected a well-known vendor CA to issue your NAC 800’s certificate,
most endpoints already have the necessary certificate.
You must also install user or computer certificates on endpoints—if you have
selected an EAP method that requires supplicants to authenticate with a
certificate rather than a password. Generally, you would issue those certifi-
cates using your organization’s CA. Refer to the documentation for your CA
service for instructions.
Caution Disabling server certificate validation allows an endpoint to authenticate to a rogue RADIUS server (for example, one behind an attacker’s access point), which can capture the user’s password or password hash. ProCurve Networking does not recommend it.
■ You want to help endpoints temporarily connect to the network so that they can obtain the CA certificate necessary for validating the NAC 800’s certificate.
For example, a Windows station automatically receives the domain’s CA root certificate when it joins the domain.
After an endpoint obtains the certificate, reconfigure it to validate the server certificate again.
Figure 5-22. Start > Settings > Network Connections > Local Area Connection
Follow these steps to disable validation of the server on an endpoint that uses
the Microsoft Wireless Zero Configuration client:
1. Select Start > Settings > Network Connections > Wireless Network
Connection.
Figure 5-25. Start > Settings > Network Connections > Local Area Connection
4. Select the service set identifier (SSID) for your wireless network in the
Preferred networks area and click the Properties button.
If the SSID has not yet been configured on the client, you must click the
Add button instead. Then, in addition to completing the steps below, you
must configure settings such as the SSID, the authentication method, and
the encryption type.
5. Select the Authentication tab in the window that is displayed.
Disabling Endpoint Integrity Testing
Contents
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Configure Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Configure Exceptions for the Cluster Default Settings . . . . . . . . . 6-3
Configure Exceptions for a Particular Cluster . . . . . . . . . . . . . . . . 6-5
Overview
The ProCurve Network Access Controller (NAC) 800 is designed to provide
both endpoint integrity checking and RADIUS services. If you want the NAC
800 to function only as a RADIUS server, you must disable endpoint integrity
testing on endpoints.
When you identify endpoints as exceptions, the NAC 800 discovers them but
does not test them. In effect, you have disabled endpoint integrity testing.
Configure Exceptions
On the NAC 800, you configure exceptions for endpoints that you do not want
tested for endpoint integrity. When you designate an endpoint as an exception,
the NAC 800 discovers but does not test that endpoint.
To exclude an entire domain, enter your company’s domain name, such as:
ABCCompany.com
Because you are setting up the NAC 800 to function as a RADIUS server only,
you will typically specify a range or several ranges of addresses or a domain
name.
Figure 6-2. Home > System configuration > Cluster setting defaults > Exceptions
3. Under Always grant access and never test, enter either the addresses of
endpoints or the domain name you want to exclude.
• Under Endpoints, enter an IP address, a range of IP addresses in CIDR
format, a MAC address, or a NetBIOS name.
• Under Windows domain, enter the domain name.
Separate addresses and names with carriage returns, as shown below:
10.1.1.0/24
10.1.2.13
MyLaptop
4. Click ok.
2. Select Enforcement clusters & servers and select the link for the cluster that
implements RADIUS without endpoint integrity.
The Enforcement cluster screen is displayed.
3. Select Exceptions.
Note The settings you configure for a particular cluster override the cluster setting
defaults.
4. Select the For this cluster, override the default settings check box.
Figure 6-4. Home > System configuration > Enforcement clusters & servers >
cluster_name > Exceptions
5. Under Always grant access and never test, enter either the addresses of
endpoints or the domain name you want to exclude.
• Under Endpoints, enter an IP address, a range of IP addresses in CIDR
format, a MAC address, or a NetBIOS name.
• Under Windows domain, enter the domain name.
Separate addresses and names with carriage returns, as shown below:
192.168.10.0/24
192.168.115.55
MyNetwork
6. Click ok.
Redundancy and Backup for RADIUS Services
Contents
Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
Planning Redundancy for RADIUS-Only Deployments . . . . . . . . . . . . 7-2
Place the RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
Provide Duplicate Network Pathways . . . . . . . . . . . . . . . . . . . . . . 7-4
Configuring Network Devices for Redundant RADIUS Servers . . . . . 7-4
Configure the NASs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
Configure Multiple LDAP Servers on the NAC 800 . . . . . . . . . . . . 7-6
Use IDM to Configure the Usernames and Passwords . . . . . . . . 7-11
Test Your Redundant Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11
Back Up Your NAC 800 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-12
Configure the Web Browser So That It Allows You
to Save Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-14
Restore the System from the Backup File . . . . . . . . . . . . . . . . . . . . . . 7-15
Redundancy
Redundant systems have become a priority for companies simply because
most employees rely on their workstation and the company’s network to
complete their work. Consequently, downtime can be expensive.
When you design redundancy for your network systems, you must ensure that
critical network resources are always available. You must eliminate any single
point of failure, including:
■ Hardware failures
■ Software failures
■ Unavailable network pathways
This chapter describes how to plan redundancy for a network in which one
or more ProCurve Network Access Controller (NAC) 800s provide RADIUS
services.
Note In the remainder of this chapter, the term RADIUS server will refer either
to a NAC 800 acting as a RADIUS server or a third-party RADIUS server.
• NAC 800 local data store—If you are storing credentials on the
NAC 800, IDM ensures that each NAC 800 includes the same user-
names and passwords. You enter the usernames and passwords once
on the IDM server, and it will configure them on each NAC 800 for you
when you deploy the policy.
■ Network paths—You should build redundant links into your network
architecture. A single failed connection should never isolate one section
of the network from another.
If you are using LDAP servers for your data store, you must also configure the
NAC 800 with the settings for additional servers.
Best practices dictate that you specify one RADIUS server as the primary
server for some NASs and the other RADIUS server as the primary server for
other NASs. Each RADIUS server, of course, acts as the secondary server for
the NASs for which it is not the primary server. This design eases the burden
on each RADIUS server; during normal conditions, each handles only some
of the authentication requests.
For example, when you configure port authentication on the ProCurve Switch
5400zl Series, you specify a RADIUS server using the following command:
To configure a primary and a secondary RADIUS server, you simply enter the
command twice: the first time you enter the IP address for the primary
RADIUS server; the second time you enter the IP address for the secondary
RADIUS server. The 5400zl Switch will contact the RADIUS servers in the
order in which they are listed in the running-config.
Figure 7-2 shows a sample running-config for a 5400zl Switch. In this example,
two RADIUS servers are listed. Both of these servers are NAC 800s. When the
switch receives an authentication request, it will contact the first RADIUS
server listed—in this case, the NAC 800 with the IP address 10.1.1.20. If that
server does not respond, the 5400zl Switch will contact the next RADIUS
server listed—10.1.1.100 in the example.
On another switch, you might reverse the order of the commands, specifying
10.1.1.100 before 10.1.1.20.
hostname "Core"
module 1 type J8702A
module 2 type J8702A
module 3 type J9051A
ip routing
snmp-server community "public"
snmp-server community "procurve" Unrestricted
snmp-server host 10.1.10.10 "public"
vlan 1
name "DEFAULT_VLAN"
untagged A2,A4-A24,B2-B24
ip helper-address 10.1.10.10
ip address 10.1.1.1 255.255.255.0
no untagged A1,A3,B1
exit
vlan 10
name "VLAN10"
untagged A1,A3
ip address 10.1.10.1 255.255.255.0
tagged B24
exit
vlan 8
name "VLAN8"
untagged B1
ip address 10.1.8.1 255.255.255.0
tagged B24
exit
aaa authentication port-access eap-radius
radius-server host 10.1.1.20
radius-server host 10.1.1.100
aaa port-access authenticator A19,A21
aaa port-access authenticator active
aaa port-access A19,A21
The two radius-server host lines are the primary and secondary RADIUS servers. Note that this sample running-config also contains the default “public” SNMP community and a “procurve” community with Unrestricted (read-write) access; on a production switch, replace these with non-default, read-only communities or SNMPv3, because anyone who knows a read-write community string can reconfigure the switch, including its RADIUS and port-access settings.
You can then list additional domain controllers in the Domain controllers field.
If you list more than one domain controller in this field, separate each one
with a comma. (This section focuses only on specifying multiple domain
controllers. For information about configuring other settings on this screen,
see Chapter 4: “Configuring the RADIUS Server—Integrated with ProCurve
Identity Driven Manager” or Chapter 5: “Configuring the RADIUS Server—
Without Identity Driven Manager.”)
First move to the “modules” section and add ldap <server_name> as a module,
specifying the following parameters for the server:
Add another module for the second server. See Figure 7-4.
In this example configuration, vmsuse is the name of the primary LDAP server,
and suse is the name of the secondary LDAP server. The example base
Distinguished Name (DN) is netidm.net.
modules {
ldap vmsuse {
server = "vmsuse.netidm.net"
identity = "cn=Manager,dc=netidm,dc=net"
password = secret
basedn = "dc=netidm,dc=net"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
tls_mode = "yes"
}
ldap suse {
server = "suse.netidm.net"
identity = "cn=Manager,dc=netidm,dc=net"
password = secret
basedn = "dc=netidm,dc=net"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
tls_mode = "yes"
}
Note that, in order to protect users’ credentials, you should require the NAC 800 to negotiate a Transport Layer Security (TLS) connection with the LDAP servers. Include this parameter in the module for both LDAP servers:
tls_mode = "yes"
TLS only protects the connection if the NAC 800 can validate the LDAP server’s certificate, which is why the CA certificate described next is required. Also note that the bind password (the password parameter) is stored in clear text in radiusd.conf, so keep that file readable by root only.
The location of the LDAP server’s CA certificate, which is required for TLS
mode, is specified in this line:
You must, of course, obtain the certificate and copy it to the specified location
on the NAC 800 (using an application such as PSCP).
It is often a good idea to set up one server through the Web browser interface,
which helps you easily install the CA certificate. (See Chapter 4: “Configuring
the RADIUS Server—Integrated with ProCurve Identity Driven Manager” or
Chapter 5: “Configuring the RADIUS Server—Without Identity Driven Man-
ager.”) Then access the radiusd.conf file and copy the first server’s configura-
tion for the second server, simply changing the server name and the value for
the server parameter.
After configuring the LDAP server modules, find the “authorize” and “authen-
ticate” sections of the radiusd.conf file. To each section, add the redundant
parameter and list below it the LDAP servers, specified by the name given in
the “modules” section.
Syntax: redundant {
<ldap server 1 name>
<ldap server 2 name>
}
authorize {
redundant {
vmsuse
suse
}
authenticate {
Auth-Type LDAP {
redundant {
vmsuse
suse
}
}
IDM automatically configures on the NAC 800 any user that you add to the NAC 800’s realm. You must, however, configure passwords for those users. (See the ProCurve Identity Driven Management User’s Guide for more detailed instructions on completing these steps.)
Test Your Redundant Configurations
Shut down one of the RADIUS servers and then attempt to log in to the network from a workstation attached to a NAS that uses this server as its primary RADIUS server.
Back Up Your NAC 800 Configuration
That way, if your company suffers a disaster such as a fire or hurricane, your
backups are less likely to be affected.
You can then restore your configuration whenever you need the backup file:
■ To load on replacement hardware
■ To restore a working configuration if a new configuration fails
Backing up your system creates a backup file that includes not only configu-
rations but also other information. The file includes:
■ Management Server (MS) database
■ All configurations completed through the Web browser interface—
saves all files in the /usr/local/nac/properties directory
■ Digital certificates installed on the MS (or Configuration Server
[CS]) and Enforcement Servers (ESs)—saves all files in the /usr/local/
nac/keystore directory
■ Licenses—saves all files in the /usr/local/nac/subscription directory
Note You should always back up the system after you install a new certificate or license so that you do not lose them if you have to restore from the backup. Because the backup includes the keystore directory, treat the backup file as sensitive and store it where only administrators can read it.
The backup files are grouped into a tar file and saved on your management station with the following name:
backup-<year-month-day>T<hour-minute-second>.tar.bz2
The month, day, hour, minute, and second are each formatted as two digits, and the time uses the 24-hour clock. For example, a backup made on June 23, 2008, at 13:07:22 has the following name:
backup-2008-06-23T13-07-22.tar.bz2
2. Click begin backup now. A Web browser dialog box is displayed, allowing
you to begin the process of saving the backup file. (If your Web browser
blocks your attempt to save the file, see “Configure the Web Browser So
That It Allows You to Save Files” on page 7-14.) The exact dialog box
displayed varies, depending on which Web browser you are using. Follow
the prompts to save the backup file to the desired location.
If the backup file is saved successfully, a message is displayed, as shown
in Figure 7-8.
When you restore the system from the backup file, the following changes
occur:
■ The MS (and ESs) use the configuration in the backup file.
■ The MS (and ESs) use the digital certificates stored in the backup file.
■ The MS uses the license stored in the backup file.
Figure 7-10. Home > System configuration > Maintenance > restore system from
backup file
4. If you want to continue the restore process, click the Browse button and
select the backup file. This file must be a NAC 800 backup file, saved with
the following naming convention:
backup-<year-month-day>T<hour-minute-second>.tar.bz2
5. After you have selected the appropriate file, click ok. A progress screen
is displayed.
Appendix A: Glossary
Numeric
3DES A version of DES, also called “Triple DES” (TDES), in which the DES cipher is applied three times (encrypt, decrypt, encrypt) with two or three keys. For more information, see NIST Special Publication 800-67 at http://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdf.
802.1 The standard for managing LANs and MANs. It covers network architecture,
bridging, management, link security, and protocol layers above the MAC and
LLC layers. For more information, see IEEE 802.1 at http://www.ieee802.org/
1/.
802.11 The standard for wireless LANs. For more information, see IEEE 802.11 at
http://standards.ieee.org/getieee802/802.11.html.
802.11i Enhanced security standard for 802.11, which supersedes WEP security. For
more information, see the standard at http://standards.ieee.org/getieee802/
download/802.11i-2004.pdf.
802.1X A port-based network access control standard that is part of the 802.1 group of protocols. 802.1X forces endpoints to authenticate before a port carries normal traffic: the authenticator opens the port if authentication succeeds or keeps it blocked if authentication fails. 802.1X carries EAP; when an EAP method that runs inside a TLS tunnel (such as PEAP or TTLS) is used, the user’s credentials are protected from eavesdroppers. The 802.1X standard requires three components: the supplicant, which runs on the endpoint device; the authenticator, which is typically a switch or AP; and the authentication server, which is usually a RADIUS server. For more information, see IEEE 802.1X at http://www.ieee802.org/1/pages/802.1x.html.
802.1X deployment method The deployment method that corresponds to the 802.1X quarantine method. In this deployment method, the NAC 800 is connected to a switch via both its Ethernet ports. Port 1 receives authentication requests, and port 2 receives mirrored DHCP traffic. See also DHCP deployment method and inline deployment method.
802.1X quarantine method One of the NAC 800’s three methods for quarantining endpoints that fail to comply with the NAC policy. This method draws on the authentication and authorization component of 802.1X, assigning end-users to a VLAN based not just on identity but also on endpoint integrity posture. The NAC 800 can enforce 802.1X quarantining by working with an existing RADIUS server or by acting as a RADIUS server itself. See also inline quarantine method and DHCP quarantine method.
802.1X device The authenticator in the 802.1X framework, which forwards authentication
requests from endpoints to the NAC 800 that is acting as a RADIUS server. When
enforcing endpoint integrity, the NAC 800 sends a VLAN assignment for an
endpoint to the 802.1X device based on the endpoint’s integrity posture; the
802.1X device enforces the assignment.
A
AAA Authentication, Authorization, and Accounting. Processes that are used to
control network access and enforce security policies. For more information
about AAA, see RFC 2989 at http://www.ietf.org/rfc/rfc2989.txt. See also
authentication, authorization, and accounting.
access control The ability to determine which endpoints can access the network and the level
of access they receive. Access can be controlled based on an endpoint’s
compliance with network standards, for example, or on other configurable
settings.
access control status The label that the NAC 800 gives to an endpoint to define its ability to access the network. An access control status is further defined by the rule that produced it.
access grace period The period of time between an endpoint failing a test and the endpoint being quarantined. The network administrator sets the access grace period for a particular test when configuring the test failure actions for that test in a NAC policy.
access method The way in which an endpoint connects to the network. Options include VPN,
dial-up, wireless, or Ethernet.
access mode An option that controls whether NAC 800s in a particular enforcement cluster
quarantine endpoints or allow them access to the network. Three settings are
possible: normal, allow all, or quarantine all. Normal grants access to all end-
points that pass the NAC tests, allow all permits access to all endpoints
regardless of test results, and quarantine all isolates all endpoints regardless
of test results.
accessible services Those services that are made available to quarantined endpoints so that they
can perform remediation. Services include access to Web sites with service
patch downloads or plug-ins. The network administrator can configure which
services are available to quarantined endpoints.
accounting The process of collecting information about how resources are used. The
collected information can then be used for trend analysis, billing, auditing, or
regulatory compliance. The NAC 800 can provide RADIUS accounting services.
ACL Access Control List. A set of rules that network edge devices such as routers,
switches, and wireless APs use to control access to network resources and to
identify packets that require special handling such as QoS or NAT. An ACL can
be configured to select packets according to values in their headers, such as
IP protocol, source and destination IP address, and source and destination
TCP or UDP ports.
ActiveX test method An endpoint integrity-testing method that relies on the ActiveX control
operation of signed and safe controls. The NAC 800 uses ActiveX to download a temporary
agent to the endpoint. All versions of the Windows operating system are supported, and no
ports on an endpoint’s personal Windows firewall need to be opened. As long as the firewall
allows Internet Explorer access and Internet Explorer settings allow ActiveX, the endpoint
can be tested. However, non-Internet Explorer browsers are not supported, and the endpoints
cannot be retested after end-users close their browsers.
Active Scripting The technology used to implement component-based scripting support,
formerly known as “ActiveX Scripting.”
agent testing method An endpoint integrity-testing method that employs the NAC EI agent,
which is installed once onto the endpoint and periodically updated. This method is supported
by Windows OS versions 98 and later and by Mac OSX 10.3.7 and later. The agent can be used
through a firewall. See also NAC EI agent.
agentless test method A testing method that does not require that an agent be installed on
the endpoint. Using the Windows RPC service, agentless testing allows the NAC 800 to begin
testing, provide test results, and grant access to compliant endpoints without any
interaction from the user. Of the three testing methods, agentless testing is the easiest to
deploy, requiring less administrative effort and no memory on the endpoint. However, you
cannot use this test method with legacy Windows operating systems (Windows 95, ME, and
earlier) or non-Windows endpoints. Agentless testing requires that file and print sharing be
enabled on the endpoint, that ports 137, 138, 139, and 445 be open on the endpoint’s
firewall, that the endpoint’s browser security settings allow Java scripting, and that
administrator credentials be known for the endpoint.
allow all An access mode that permits all endpoints to access the network regardless of
test results.
AP Access Point. A network component that receives and sends wireless LAN signals to
wireless network cards through its antenna(s). An AP is functionally equivalent to a switch.
asymmetric A type of encryption algorithm wherein one key is used to encrypt and a
different key is used to decrypt.
authentication protocols Protocols that allow the peers in a connection to verify each
other’s identity. In the PPP protocol suite, authentication protocols include PAP, CHAP,
and EAP.
authenticator The component of the 802.1X framework that enforces authentication and
authorization. When an endpoint connects to the authenticator, the authenticator forces it
to authenticate to the network. The authenticator passes the endpoint’s supplicant messages
to the authentication server and enforces the decisions made by that server. These
decisions include whether the endpoint is allowed any access at all as well as the level of
access. Also called the 802.1X device (in the NAC 800 Web browser interface) and NAS (in
the RADIUS protocol). See also 802.1X device and NAS.
authorization The process of controlling the network resources and services that an end-
user can access, usually based on the end-user’s identity; with the NAC 800,
authorization is also based on endpoint integrity. A RADIUS or TACACS+ server
or a NAC 800 can act as an authorization server. Authorization is sometimes
called “access control” although access control is properly broader than
authorization alone.
authorization server A device that makes authorization decisions that are enforced by
other infrastructure devices.
B
back door A disguised or hidden entry point in a software program or system that allows
end-users to circumvent normal authentication or controls. An open back door
can be intentional (for maintenance use) or unintentional. If a back door is
discovered by malicious users or software, they may gain entry to a system
and cause damage.
C
CA Certificate Authority. A trusted third party that verifies the identity of parties that
want to communicate with one another. CAs are responsible for generating, distributing, and
revoking digital authentication certificates, which uniquely identify the owner of the
certificate and the owner’s data. See also certificate.
certificate An electronic document that contains a public key and is digitally signed by a
third-party issuer such as a CA. Digital certificates are used for network
authentication. They contain the certificate holder’s name or other identifying
information, a serial number, the expiration date, and a copy of the certificate
holder’s public key, which validates data signed by the corresponding private
key.
cookie A small bit of data that acts as an identifier between a Web browser and a Web
server. Web servers install cookies on clients so that when the client visits the
Web site again, the server “remembers” the client.
CSR Certificate Signing Request. In PKI systems, a request for a digital certificate
that is sent to a CA by an applicant.
D
Data Encryption Standard See DES.
data store The location where an endpoint’s credentials are stored. Possible data stores
include a local database of users, a Windows domain controller that runs AD,
an LDAP server such as OpenLDAP or Novell eDirectory, or another RADIUS
server (accessed via proxy requests).
deployment method Sometimes called “deployment option,” the way in which the NAC 800 is
connected to the LAN relative to other components such as routers, switches, DHCP servers,
and the Internet. The deployment method is determined by the quarantine method and the
access method that the network will employ. The NAC 800 supports three deployment methods:
802.1X deployment, inline deployment, and DHCP deployment.
DER Distinguished Encoding Rules. A method for encoding data objects. For more information,
see ITU-T X.690 at http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf.
DES Data Encryption Standard. A published encryption algorithm that uses a 56-bit symmetric
key to encrypt data in 64-bit blocks. IPSec, the industry standard for VPNs, supports 3DES.
For more information, see FIPS PUB 46-3 at
http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf.
DHCP deployment method A deployment method for networks that are not 802.1X compatible. In
this method, the NAC 800 is placed between a switch and a DHCP server and intercepts DHCP
requests from non-tested or non-compliant endpoints. See also DHCP quarantine method.
DHCP enforcement An option to configure when employing the DHCP quarantine method. The NAC
800 can either examine, and possibly intercept, all DHCP requests or only those requests
forwarded by devices in subnets associated with quarantine areas.
DHCP quarantine option An option that determines how endpoints in the quarantine subnet
are controlled when employing the DHCP quarantine method. Options are static routes and
router ACLs.
DNS Domain Name Server. A server that associates Internet domain names (such
as www.abccompany.com) with their corresponding IP addresses.
domain In LDAP, a logical grouping of devices that allows the network administrator
to manage all of the objects in a domain at the same time, e.g., to control who
has access to the objects in the domain.
domain controller A Microsoft Windows server that controls activities such as end-user access
in a domain.
DSA Digital Signature Algorithm. A standard for digital signatures that is part of the DSS.
For more information, see FIPS PUB 186-2 at
http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf.
DSS Digital Signature Standard. A method for key generation, signing, and verifying. For
more information, see FIPS PUB 186-2 at
http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf.
E
EAP Extensible Authentication Protocol. A protocol that allows PPP to use authentication
protocols that are not part of the PPP suite. For more information, see RFC 3748 at
http://www.ietf.org/rfc/rfc3748.txt. See also CHAP and PAP.
EAP-GTC EAP with Generic Token Card. An implementation of EAP that uses a token card for
authentication. For more information, see RFC 3748 at http://tools.ietf.org/html/rfc3748.
EAP-TLS EAP with Transport Layer Security (TLS). An implementation of EAP that
provides mutual certificate authentication between client and server. For more
information, see RFC 2716 at http://tools.ietf.org/html/rfc2716.
EAP-TTLS EAP with Tunneled TLS. An implementation of EAP in which the server
authenticates with a certificate, but the client authenticates (usually with a
password) using a different protocol sent over a secure tunnel. For more
information, see the Internet Draft at http://www3.ietf.org/proceedings/02jul/
I-D/draft-ietf-pppext-eap-ttls-01.txt.
eDirectory A hierarchical, LDAP-based system from Novell that can interoperate with
NetWare, AIX, HP-UX, Solaris, Windows, and Linux-based network servers.
endpoint integrity The functionality that examines all endpoints that attempt to attach to the
network and prohibits unsafe or non-compliant endpoints from gaining
access. Endpoint integrity ensures that an endpoint that attaches to the edge
of the network is clean and meets configured criteria (for example, antivirus
program present and running with current signatures) before allowing it to
access network resources.
endpoint integrity agent license A license that permits the use of the NAC EI agent on
endpoints. The licenses apply to the number of endpoints, identified by MAC address. For
example, if an end-user is connected to the network with a desktop computer via Ethernet
and a laptop via the wireless LAN, two licenses are required. Also, if a site has 100
licenses, more than 100 devices can have the NAC EI agent installed on them, but only 100
of those endpoints can be connected to the network at one time.
endpoint integrity agent maintenance license A license to receive automatic updates to the
NAC EI Agent software. When you initially purchase an agent license, you also receive a
one-year maintenance license. You must purchase a license each year in one of the following
increments: 100, 250, 1000, or 5000 endpoints.
endpoint integrity implementation startup service A service offered by ProCurve Networking
to help customers implement the NAC 800. You can purchase either the inline/DHCP service or
the 802.1X service.
end-user screen NAC 800 message windows that appear on the end-user’s monitor; they show
information such as the endpoint’s test status and remediation steps, permitting
the user to download an agent, cancel testing, and get more information about
why a test failed.
enforcement cluster A logical group of one or more ESs that are controlled by an MS. Each
cluster can support only one deployment method, but an MS can control multiple ESs, each
supporting a different deployment method.
Ethernet ports On the NAC 800, port 1 connects to the LAN and provides inband management.
The use of port 2 varies, depending on the deployment method. For the inline deployment
method, port 2 might connect to a VPN or RAS. For the DHCP deployment method, port 2
connects to a DHCP server. For the 802.1X deployment method, port 2 connects to a port
configured to mirror the DHCP server connection.
exception A rule that exempts a particular endpoint or group of endpoints from testing.
You can specify that the excepted endpoints be either always or never granted
access.
F
FQDN Fully Qualified Domain Name. In LDAP, an unambiguous, unique name for
an object that shows all of the domains to which the object belongs.
G
GTC See EAP-GTC.
H
hash A number generated by running a string of text through an algorithm. The hash is
substantially smaller than the text itself and is unique, because algorithms transform data
in such a way that it is extremely unlikely that some other text will produce the same hash
value. The hash is also irreversible: the computation cannot be reversed to obtain the
original text.
high availability Enforcement clusters are designed to provide high availability. The ESs in the
cluster load balance testing endpoints among themselves. In addition, if one
or more ESs become unavailable, the remaining ESs in the cluster take over,
providing the services that the unavailable ES server was providing.
I
IAS Internet Authentication Services. IAS is the Microsoft implementation of
RADIUS.
IKE Internet Key Exchange. A protocol that is used to set up an SA in the IPsec
protocol suite.
inline deployment method The NAC 800 is placed between a “choke point” and the rest of the
network such that all traffic to be quarantined passes through the NAC 800. See also inline
quarantine method.
inline quarantine method A quarantine method that relies on the NAC 800’s placement in the
network. The NAC 800 functions as a Layer 2 bridge that imposes a firewall between its
Ethernet port 1 and port 2. Only traffic from endpoints whose integrity posture is “Healthy”
or “Check-Up” can pass through the NAC 800.
integrity posture The state of an endpoint in terms of its compliance with NAC policies. The
integrity posture is used to determine an endpoint’s access control state along
with other factors such as an exception, access grace period, and access mode.
See Appendix C, “Integrity Postures.”
IPsec Internet Protocol security. A suite of protocols that are used to establish a VPN
tunnel between devices that communicate over the Internet and thus protect their data. For
more information, see the IPsec Working Group home page at
http://www.ietf.org/html.charters/OLD/ipsec-charter.html.
J
JavaScript® A scripting language that is used mostly in client-side Web applications. It is
not related to the Java programming language. The term is a registered trademark of Sun
Microsystems. For more information, see the Mozilla Development Center at
http://developer.mozilla.org/en/docs/JavaScript.
K
key In cryptography, a key is a unique value or string of text that is used to encrypt
data when that data is run through an encryption or hash algorithm. To decrypt
or dehash the data, a device must apply the correct key to the encrypted data.
The length of a key generally determines how difficult it will be to decrypt the
data. Keys can be either symmetric or asymmetric.
keypair The set of two keys that are used in asymmetric encryption. A keypair consists
of a public key and private key. The public key decrypts data encrypted by the
private key and vice versa.
L
L2TP Layer 2 Tunneling Protocol. A protocol that is used in VPNs. For more
information, see RFC 2661 at http://tools.ietf.org/html/rfc2661.
LCD Liquid Crystal Display. On the NAC 800, a display that is located on the front
panel of the chassis and that shows both information about the device and
error messages. The LCD also displays a menu interface; you can use the panel
buttons to configure basic settings—such as IP address and gateway—for the
device.
LDAP Lightweight Directory Access Protocol. A set of protocols that allow a host to
look up and access directory services. For more information, see RFC 2251 at
http://www.ietf.org/rfc/rfc2251.txt.
license See endpoint integrity agent license and endpoint integrity agent maintenance
license.
load balancing Distribution of integrity checking among two or more devices. The NAC 800
distributes the testing of endpoints across all ESs in a cluster. The NAC 800
uses a hashing algorithm based on MAC or IP addresses to distribute the
endpoints between the ESs.
local mirroring Copying all traffic transmitted on one port (the monitored port) to another
port on the same device (the mirror port).
log level A category into which error messages are recorded, depending on their
severity. Log levels are, from most to least severe: error, warn, info, debug,
and trace. The default level for messages logged on the NAC 800 is debug.
M
MAC-auth MAC Authentication. Authentication that is based on the endpoint’s MAC
address rather than on the user’s credentials. MAC-auth does not require
device configuration or end-user interaction; instead, the authenticator han-
dles sending the MAC address to the authentication server to be checked
against black lists and white lists.
managed endpoint A network device that is forced to comply with the company’s security policies
and is under administrative control.
MIB Management Information Base. A set of network objects that can be managed with SNMP.
For more information, see RFC 3418 at http://www.ietf.org/rfc/rfc3418.txt.
MS-CHAP Microsoft CHAP. The Microsoft implementation of CHAP. For more information, see
RFC 2759 at http://tools.ietf.org/html/rfc2759.
N
NAC Network Access Controller. The generic term for any device that controls
network access, particularly based on compliance with network policies
(endpoint integrity).
NAC agent test method Also called “agent test method,” a test method that requires a
one-time interaction from end-users and minimal memory on the endpoint (about .80 Mb).
After end-users download and install the NAC EI agent, the endpoint is always available for
retesting, and the agent is automatically updated when a new version of the agent is
available. All versions of Windows are supported by this testing method.
NAC policy A collection of tests that evaluate the security status of endpoints that
attempt to access the network. A policy includes a list of activated tests, their
properties, and actions, as well as a list of endpoints to which the policy applies. In
addition, the policy defines how to handle endpoints that run OSs that the NAC 800 does not
support, retest frequency, and how to handle inactive endpoints. Three default NAC policies
are provided: high, medium, and low. You can also define your own policies.
NAC policy group A logical set of NAC policies that applies to one or more enforcement clusters.
Each cluster uses only one NAC policy group.
NAC test actions The procedures that the NAC 800 performs when an endpoint fails the test. The
failure actions can be: send a notification email to the network administrator,
quarantine the endpoint, or grant temporary access before quarantining.
NAC test properties The criteria that an endpoint must meet to pass a particular test. For
example, the NAC 800 can test for the presence of certain prohibited applications. If the
endpoint has one of the prohibited applications, the endpoint fails the test. The NAC test
properties for that test are the list of prohibited software.
NAC tests Used to determine if an endpoint complies with your company’s network
policies. Test categories are Windows security settings, security settings on
other OSs, Windows software, Windows operating system, and Windows
browser security policies.
NAS Network Access Server. A server that provides endpoints access and that
enforces the decisions of AAA servers, thereby guarding access to the Internet,
printers, phone networks, or other protected resources. While a NAS does not
contain information about which endpoints and end-users can connect, it does
send an end-user’s credentials to the AAA server, which processes them and
directs the NAS how to proceed.
normal An access mode that mandates that endpoints’ network access be subject to
the results of endpoint integrity testing. See also quarantine.
NTLM NT LAN Manager. A Microsoft authentication protocol that is used with SMB.
O
OAM Operations, Administration, Maintenance. A term used to describe the activities that
are involved with system operation, administration, and maintenance.
OID Object IDentifier. Used in LDAP schemas and in X.509 certificates to name
object classes and their attributes.
P
P2P Peer-to-Peer. A P2P network is comprised of peer nodes rather than clients
and servers. P2P software allows end-users to connect directly to other end-
users and is used for file sharing. Many P2P software packages are considered
spyware, and their use can be discouraged or even prohibited by corporate
policies.
PEM Privacy Enhanced Mail. An IETF proposal to secure emails with public keys.
PEM depends on prior distribution of a hierarchical PKI with a single root. For
more information, see RFCs 1421–1424 at http://www.ietf.org/rfc.html.
permanent agent An agent that is installed on an endpoint and that is not removed. The NAC EI
agent is a permanent agent. See also transient agent.
PKI Public Key Infrastructure. A system of digital certificates, CAs, and other
registration authorities that verify and authenticate each party in an Internet
transaction. PKI enables devices to privately exchange data using a public infrastructure
such as the Internet by managing keys and certificates. From a trusted CA, an end-user
obtains a certificate, which includes the user’s identification information, a public key,
and the CA’s signature. The end-user also obtains the corresponding private key. The user
authenticates with the certificate. In addition, devices can encrypt messages destined to
the user with the user’s public key, which the user’s endpoint then decrypts with the
private key. See also DSS.
post-connect testing NAC tests that are run on endpoints after they have already connected
successfully to the network. The network administrator configures the length of the retest
frequency. If a device has become infected or no longer complies with an organization’s
security policies, the NAC 800 quarantines it.
pre-connect testing Testing performed before an endpoint is granted access to the network.
Only endpoints that comply with an organization’s security policies are allowed onto the
network. Endpoints that do not comply are quarantined.
preshared key A preshared key is an alphanumeric character string agreed upon by two
parties in advance. In IKE negotiations, peers can exchange a preshared key
that is between 8 and 255 characters long to authenticate each other before
opening the IKE SA.
private key One of a pair of keys that is generated from a single, large random number.
The private key is kept secret, not distributed, and is used to decrypt a message
that was encrypted using the public key. If used to encrypt a message, it “signs”
that message as originating from the private key’s owner.
protected services Services that run on any servers that are connected to the eth1 port. Such
services could include directory services, DNS, DHCP, NTP, file servers, and
print servers.
public key One of a pair of keys that is generated from a single, large random number.
The public key is distributed widely and is used to encrypt a message that can
be decrypted using only the private key. The public key also verifies data signed
by the private key.
PuTTY A terminal emulation program that combines Telnet and SSH for Win32 and Unix
platforms. For more information, see http://www.chiark.greenend.org.uk/~sgtatham/putty.
Q
quarantine The isolation of endpoints or systems to prevent potential infection of other
endpoints or systems. The NAC 800 determines whether to quarantine an endpoint by applying
the following policies in this order: access mode, temporarily quarantine/grant access
setting, exceptions, NAC policies (the results of tests in the policy).
quarantine all An access mode that mandates that all endpoints be quarantined regardless of
test results.
quarantine method The way in which non-compliant endpoints are quarantined. The NAC 800
supports three methods: 802.1X quarantine method, inline quarantine method, and DHCP
quarantine method. The quarantine method must be the same as the deployment method.
quarantine subnet A tightly controlled subnet that is isolated from the rest of the network.
Quarantined endpoints are assigned to this subnet where the endpoints cannot
access network resources except those that are defined by the network
administrator.
QoS Quality of Service. A service provided by some network protocols such that
the network prioritizes traffic or guarantees a particular level of performance
to a type of data flow.
R
RADIUS Remote Authentication Dial-In User Service. An AAA protocol that allows a server to
store all of the security information for a network in a single, central database. The
server stores and manages end-user information so that it can authenticate the end-users.
The server also maps end-users to the services that they are allowed to access. For more
information, see RFC 2865 at http://www.ietf.org/rfc/rfc2865.txt.
RADIUS server A common type of AAA server. The RADIUS server authenticates end-users, using
protocols such as PAP, CHAP, and EAP. If the end-user passes authentication, the server
authorizes access to the network based on policies such as valid access times. The server
can also authorize the end-user for a specific level of access by sending dynamic settings
for the NAS to enforce. As an accounting server, the RADIUS server can also be notified
when a session starts and stops.
RAS Remote Access Server. A server that is dedicated to handling end-users that
are not on a LAN but need remote access to it. The RAS allows end-users to
gain access to files and print services on the LAN from a remote location.
remote mirroring Technology that enables you to send mirrored traffic from network devices to
a remote analyzer using the network infrastructure rather than a dedicated
line.
retest frequency The interval between post-connect tests, which is determined by the network
administrator.
RPC Remote Procedure Call. A procedure where arguments or parameters are sent
to a program on a remote system. The remote program executes and returns
the results. RPC can be used as an alternative to an agent for testing.
RSTP Rapid Spanning Tree Protocol. An evolution of STP that provides for faster
spanning-tree convergence after a topology change. RSTP prevents broadcast storms
(unintentional DoS attacks) that arise from redundant network links in an OSI Layer 2
switched network. For more information, see IEEE 802.1D-2004 at
http://standards.ieee.org/getieee802/download/802.1D-2004.pdf.
S
SA Security Association. Secure communication between two network devices
that is created from shared security information. SA is used in IKE. For more
information, see RFC 4306 at http://tools.ietf.org/html/rfc4306.
SCP Secure Copy Protocol. Encrypts data packets over an SSH connection.
SFTP Secure File Transfer Protocol. Supersedes SCP in many applications. For more
information on SFTP, see the Internet Draft at
http://tools.ietf.org/html/draft-ietf-secsh-filexfer-13.
shared secret Any authentication information such as a password that is “known” by two or
more network devices. The shared secret is identical on both devices.
signature-based detection Attack detection that compares audit data with known attack
signatures stored in a signature database. Signature-based IDSs recognize and interpret
series of packets consistent with past intrusions as new attacks.
SSID Service Set IDentifier. A user-defined name for a wireless LAN subnet. All of
the devices on the same wireless subnet use the same SSID. When a wireless
network card searches for a wireless LAN, the SSID for each detected network
is displayed.
SSL Secure Sockets Layer. A protocol that was developed by Netscape for securing the
transmission of messages over the Internet. SSL works by using asymmetric keys to encrypt
message data. For more information, see http://wp.netscape.com/eng/ssl3/draft302.txt.
STP Spanning Tree Protocol. A protocol that eliminates network loops by deactivating
redundant connections. It is currently being revised into RSTP, which is a faster version
of STP. For more information, see IEEE 802.1D at
http://www.ieee802.org/1/pages/802.1D-2003.html.
symmetric A type of algorithm wherein the same key is used both to encrypt and decrypt.
T
TACACS+ Terminal Access Controller Access Control System Plus. An authentication
protocol that uses TCP. (RADIUS uses UDP.)
Telnet TELephone NETwork. A TCP/IP protocol that provides a fairly general, bi-directional,
8-bit, byte-oriented communications facility. It is typically used to provide user-oriented
command-line login sessions between hosts on the Internet. The name “Telnet” came about
because the protocol was designed to emulate a single terminal attached to the other
computer. For more information, see RFC 854 at http://www.ietf.org/rfc/rfc0854.txt.
temporary access period The time during which an endpoint is allowed access to the network,
overriding the endpoint’s quarantine status. The network administrator configures the
length of this period.
testing methods Methods that the NAC 800 uses to perform tests. The NAC 800 supports three
testing methods: agent test method, ActiveX test method, and agentless test
method.
test status The status in which an endpoint is categorized during and after the testing
process.
test updates ProCurve periodically updates the NAC 800 tests to check for new hot fixes
and virus definitions. The NAC 800 automatically updates its testing software
and database by querying MyProCurve Web servers for these updates.
TFTP Trivial File Transfer Protocol. A protocol that uses UDP to transmit and receive files
and provides no security features. TFTP is often used by servers to boot diskless
workstations, X-terminals, and routers. It can also be used as a file server. For more
information, see RFC 1350 at http://www.ietf.org/rfc/rfc1350.txt.
transient agent An agent that is installed on the endpoint for a short time only at the beginning
of each test. The ActiveX test method uses a transient agent.
Trojan There are two common types of Trojan. One is found in otherwise useful software that
has been corrupted by the insertion of the Trojan, which executes while the program is used,
for example, in weather-alerting programs, computer clock-setting software, and
peer-to-peer file-sharing utilities. The other type of Trojan is a standalone program that
masquerades as something else, such as a program that claims to rid your hard drive of
viruses but in fact inserts them.
U
UDP User Datagram Protocol. A stateless protocol that is part of the IP protocol suite.
Using UDP, programs on network computers can send datagrams to one another. UDP does not
provide the reliability and ordering guarantees that TCP does; datagrams may arrive out of
order or go missing without notice. However, UDP is faster and more efficient for many
lightweight or time-sensitive programs. For more information, see RFC 768 at
http://www.ietf.org/rfc/rfc0768.txt.
USB Universal Serial Bus. A serial bus standard for interface devices. It was designed for
computers, but its popularity has made it commonplace on video game consoles, PDAs, cell
phones, MP3 players, portable memory devices, and even on televisions and home stereo
equipment.
unmanaged endpoint A device that is not under the company’s administrative control.
Examples include a guest’s computer or a contractor’s computer. Such a device is still
subject to the company’s network security policies.
untestable endpoint A device that is running an operating system that the NAC 800 does not
currently support or whose Internet Explorer security setting is “High.”
user role NAC 800 management permissions that are granted to end-users. Four predefined
roles are included with the NAC 800 (see Table 3-1 for the predefined user roles). New user
roles can also be created.
V
VI A display-oriented interactive text editor that was created for Unix systems and is included in the NAC 800 OS. For the commands used in this guide, see Appendix B: “vi Editor.”
virus A computer program that can copy itself and damage a computer system. A
virus cannot self-propagate as a worm can but is spread via infected removable
media (floppy disks, zip drives, USB drives) or by sending it over a network.
Viruses can be programmed to do all kinds of damage, such as erasing hard
drives, deleting files, or corrupting executables, or they can be relatively
benign (showing text or a graphic), but even the benign viruses use up
computer resources such as hard drive space, memory, and processor cycles.
Like biological viruses, they can modify themselves upon replication to avoid
easy detection.
VLAN Virtual Local Area Network. A standard that enables network administrators
to group end-users by logical function rather than by physical location. VLANs
are created on switches to segment networks into smaller broadcast domains,
enhance network security, and simplify network management. For more
information, see IEEE 802.1Q at http://www.ieee802.org/1/pages/
802.1Q.html.
W
Web-Auth A method for authenticating end-users that does not require a client utility on
the endpoints. The NAS redirects end-users to a Web page in which the end-
users submit their credentials. The NAS retrieves the credentials and submits
them to an authentication server.
WEP Wired Equivalent Privacy. A protocol that is part of the IEEE 802.11 suite of protocols for wireless LANs. Its purpose was to provide security equivalent to that of an unsecured wired LAN. Its RC4-based design has well-known weaknesses that allow the key to be recovered, and it has been superseded by WPA and IEEE 802.11i. For more information, see IEEE 802.11 at http://standards.ieee.org/getieee802/802.11.html.
wildcard On the NAC 800, the asterisk (*) is the wildcard character.
Windows The desktop and server operating system developed by Microsoft. The ver-
sions of Windows that are supported by the NAC 800 are Windows 98,
Windows 2000, Windows XP Professional and Home, Windows Server 2000
and 2003, and Windows NT.
Wireless Edge Services Module A ProCurve product that is used to manage wireless LANs. The Wireless Edge Services Module, which is installed in a switch, controls many RPs (coordinated APs).
WPA Wi-Fi Protected Access. A standard created by the Wi-Fi Alliance, based on a draft of IEEE 802.11i, to address the security weaknesses in WEP. For more information, see the Wi-Fi Alliance white paper at http://www.wi-fi.org/white_papers/whitepaper-042903-wpa.
WPA-PSK WPA using a Preshared Key. PSK refers to a key that is shared between two stations before it needs to be used, for example over a secured channel or non-electronically (the end-user is told the correct key).
X
X.509 An ITU-T standard for public key infrastructure (PKI) and strong authentication. Among other things, it specifies a standard format for public key certificates and the procedure for certification path validation. For more information, see ITU Recommendation X.509 at http://www.itu.int/rec/T-REC-X.509/en.
Z
zero-day attack An attack that exploits a vulnerability for which no patch is yet available, typically because the vulnerability was not publicly known before the attack. Because systems are not protected from zero-day attacks, these attacks can propagate throughout the world in a matter of hours, consuming large amounts of network resources as they spread, and they can use code for which most antivirus software does not yet have a signature.
Appendix B: Linux Commands
Contents
Common Linux Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-2
vi Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-4
Command Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-4
Insert Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-5
keytool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-6
openssl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-9
Service Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-12
Common Linux Commands
Keep in mind these general tips for using Linux:
■ Filenames are case sensitive.
■ Linux does not treat file extensions the way Windows does: a file’s type is not determined by its extension, so you can use any extension (or none).
Note In the syntax, an “N” indicates that you can press a number before the
command. For example, if pressing [f] moves forward one screen, pressing [5]
and then [f] moves forward five screens.
Action Command
vi Editor
To edit or view files on the NAC 800, use the vi editor, a commonly used Linux
text editor.
Command Mode
When you access vi and open a file, you are typically in command mode: you can enter any of the commands outlined in Table B-2. Commands that are not preceded by a colon (:) are single keystrokes and take effect immediately; commands that begin with a colon are typed on the last line of the screen and completed by pressing [Enter].
Action                                                              Command
Enter insert mode, which allows you to add or delete text in the file:
    Characters are entered into the file after the cursor.          a
    Characters are entered into the file before the cursor.         i
Enter replace mode, which writes new text over existing text,       R
beginning at the cursor.
Delete a character                                                  x
Delete N characters                                                 Nx
Delete a word                                                       dw
Delete a line                                                       dd
Save changes                                                        :w
Save changes and quit                                               :wq
Quit without saving changes                                         :q!
Return to command mode (from insert or replace mode)                [Esc]
Insert Mode
If you want to input text into the file, you must enter insert mode. To enter insert mode, press [a] or [i]. If you press [a], you enter text after the cursor; if you press [i], you enter text before the cursor. Whichever key you pressed, you can then use the arrow keys to move the cursor.
In addition to inserting text, you can also use the [Backspace] key to erase text.
Replace Mode
To enter text that writes over the current text, enter replace mode by pressing
[Shift]+[r]. To return to command mode, press [Esc].
keytool
The NAC 800 OS includes keytool, a Java application for managing keystores. A keystore holds private keys, each together with its certificate chain, and trusted CA certificates. Use keytool commands to create and manage the digital certificate for the NAC 800’s HTTPS server (which grants access to its Web browser interface).
The commands below, while not comprehensive, help you complete common tasks. Visit http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html for further documentation provided by the developer, Sun Microsystems.
Note Import the certificate issued for the NAC 800 into the keystore entry (the same alias) that holds the corresponding private key. Import CA certificates for HTTPS into the /usr/local/java/jre/lib/security/cacerts keystore.
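The keytool workflow for the HTTPS server certificate, as an added example that is not from the guide: each step is one shell function, and the final listing is the check that the CA-signed certificate, not the self-signed placeholder, now sits in the entry the HTTPS server reads. It assumes keytool on the path. KS, ALIAS and the passwords are placeholders; the cacerts path is the one given above, and "changeit" is the JDK's default cacerts password, which is an assumption to verify on the appliance (and to change if it is still the default). Older keytool releases spell -genkeypair as -genkey and -importcert as -import.

```shell
#!/bin/sh
# Added example, not from the NAC 800 guide: keytool steps for the HTTPS server
# certificate as shell functions. KS, ALIAS and passwords are placeholders;
# CACERTS is the path the guide names; "changeit" is the JDK default cacerts
# password (an assumption to verify on the appliance).
set -eu

KS=${NAC_KEYSTORE:-/tmp/nac800-https.jks}        # placeholder keystore path
ALIAS=${NAC_ALIAS:-nac800-https}                  # placeholder entry alias
CACERTS=${NAC_CACERTS:-/usr/local/java/jre/lib/security/cacerts}
CACERTS_PW=${NAC_CACERTS_PW:-changeit}            # JDK default (assumption)

# Step 1: new 2048-bit RSA key plus a self-signed placeholder certificate,
# stored together as one key entry under $ALIAS.
kt_genkeypair() {     # kt_genkeypair <cn> <storepass>
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity 365 -dname "CN=$1" \
        -keystore "$KS" -storepass "$2" -keypass "$2"
}

# Step 2: PEM certificate request for that entry, to send to the CA.
kt_certreq() {        # kt_certreq <csr_file> <storepass>
    keytool -certreq -alias "$ALIAS" -file "$1" \
        -keystore "$KS" -storepass "$2" -keypass "$2"
}

# Step 3: trust the CA root. The guide puts CA certificates for HTTPS into the
# JRE's cacerts; the same trusted-certificate entry can also live in $KS.
kt_import_ca_root() { # kt_import_ca_root <alias> <ca_cert_file>
    keytool -importcert -trustcacerts -noprompt -alias "$1" -file "$2" \
        -keystore "$CACERTS" -storepass "$CACERTS_PW"
}

# Step 4: import the CA's reply under the SAME alias as the private key, so the
# entry becomes key + chain. keytool refuses a reply it cannot chain to a
# trusted root (in the keystore or, with -trustcacerts, in cacerts); that
# refusal is the check that the wrong certificate never lands on the server.
kt_import_signed() {  # kt_import_signed <signed_cert_file> <storepass>
    keytool -importcert -trustcacerts -noprompt -alias "$ALIAS" -file "$1" \
        -keystore "$KS" -storepass "$2" -keypass "$2"
}

# Verbose listing of one entry (owner, issuer, chain length, fingerprints), for
# confirming after step 4 that the issuer is the CA, not the placeholder itself.
kt_show() {           # kt_show <alias> <keystore> <storepass>
    keytool -list -v -alias "$1" -keystore "$2" -storepass "$3"
}
```

After step 4, restart the HTTPS service so it reloads the keystore, and keep a copy of the keystore file in the same place you keep backups of the NAC 800 configuration; the private key exists nowhere else.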
openssl
The NAC 800 OS offers openssl, another tool for creating and managing
certificates. Chapter 4: “Configuring the RADIUS Server—Integrated with
ProCurve Identity Driven Manager” and Chapter 5: “Configuring the RADIUS
Server—Without Identity Driven Manager” teach you how to use openssl
commands to manage certificates for the NAC 800 FreeRADIUS server.
The commands below are far from comprehensive, but they will help you
complete common tasks. Visit http://www.openssl.org/docs/apps/
openssl.html for complete documentation provided by the OpenSSL project.
Syntax: openssl req -x509 -newkey [rsa | dsa]:[512 | 1024 | 2048 | 4096] -keyout <key_filename> -out <certificate_filename> -days <number> [-nodes] [-outform {DER | PEM}] [-config <filename>] [-extensions <section_name>]
Creates a self-signed certificate and the associated private/public keypair of the specified algorithm and length (for example, rsa:2048). The key and certificate are saved as <key_filename> and <certificate_filename>.
Use rsa:2048 or longer. 512- and 1024-bit RSA keys and DSA keys are no longer considered secure and should not be used for a server certificate.
The -days option specifies the number of days the certificate is valid.
Include the -nodes option if you do not want to protect the key with a password. The key file is then stored unencrypted, so restrict its permissions (for example, chmod 600) as soon as it is created.
You can choose DER or PEM for the -outform option, which specifies the certificate format (default: PEM).
The -config option specifies the configuration file for the openssl application; the -extensions option specifies the name of a section in that file that contains the extensions for this certificate.
Syntax: openssl req -new -newkey [rsa | dsa]:[512 | 1024 | 2048 | 4096] [-nodes] -keyout <key_filename> -out <request_filename> [-outform {DER | PEM}] [-config <filename>] [-reqexts <section_name>]
Creates a certificate request and the associated private/public keypair of the specified algorithm and length. The key and certificate request are saved as <key_filename> and <request_filename>. As above, use rsa:2048 or longer.
A request carries no validity period: the -days option applies only to self-signed certificates (-x509). The CA sets the validity when it signs the request.
Include the -nodes option if you do not want to protect the key with a password. The key file is then stored unencrypted, so restrict its permissions as soon as it is created.
You can choose DER or PEM for the -outform option, which specifies the certificate request format (default: PEM).
The -config <filename> option specifies the configuration file for the openssl application; the -reqexts <section_name> option specifies the name of a section in that file that contains the extensions requested for this certificate (recent OpenSSL releases also accept -extensions for this purpose). The CA may or may not honor the requested extensions.
Syntax: openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:[2048 | 4096] [-outform {DER | PEM}] -out <key_filename>
Generates an RSA keypair of the specified length and format (DER or PEM) and saves it to the specified <key_filename>. There is no “openssl genkey” command; on OpenSSL releases that predate genpkey, use openssl genrsa -out <key_filename> <bits> instead (it writes PEM; convert with openssl rsa -outform DER if you need DER).
Syntax: openssl req -new -x509 -key <key_filename> -out <certificate_filename> -days <number> [-outform {DER | PEM}] [-config <filename>] [-extensions <section_name>]
Creates a self-signed certificate from the existing private key in <key_filename>. The certificate is saved with the specified <certificate_filename>.
Because no key is generated, -nodes has no effect here; if the key file is encrypted, openssl prompts for its passphrase.
The -days option specifies the number of days the certificate is valid.
You can choose DER or PEM for the -outform option, which specifies the certificate format (default: PEM).
The -config <filename> option specifies the configuration file for the openssl application; the -extensions <section_name> option specifies the name of a section in that file that contains the extensions for this certificate.
Syntax: openssl req -new -key <key_filename> -out <request_filename> [-outform {DER | PEM}] [-config <filename>] [-reqexts <section_name>]
Creates a certificate request from the existing private key in <key_filename>. The request is saved with the specified <request_filename>.
Because no key is generated, -nodes has no effect here, and -days applies only to self-signed certificates: the CA sets the validity when it signs the request.
You can choose DER or PEM for the -outform option, which specifies the certificate request format (default: PEM).
The -config <filename> option specifies the configuration file for the openssl application; the -reqexts <section_name> option specifies the name of a section in that file that contains the extensions requested for this certificate (recent OpenSSL releases also accept -extensions for this purpose).
Syntax: openssl x509 -in <certificate_filename> -inform [DER | PEM] -out <new_
certificate_filename> -outform [DER | PEM]
Converts the X.509 certificate in <certificate_filename> to a
different X.509 format—that is, DER to PEM or vice versa.
The certificate with the new format is saved to <new_
certificate_filename>.
Syntax: openssl pkcs12 -in <pkcs12_filename> -out <pem_filename> [-nokeys | -nocerts] [-nodes]
Converts the PKCS#12 (PFX) bundle in <pkcs12_filename> to PEM, which is saved to <pem_filename>. openssl prompts for the bundle’s import password. By default the output contains both the private key and the certificates; use -nokeys to write only the certificates, or -nocerts to write only the key. With -nodes the extracted key is written unencrypted, so, as with req, restrict the file’s permissions.
Syntax: openssl x509 -in <certificate_filename> -text [-noout]
Displays the decoded contents (subject, issuer, validity, public key, extensions) of the certificate saved in <certificate_filename>.
Include the -noout option to suppress the base64-encoded (PEM) block that otherwise follows the decoded text.
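Putting these commands together, as an added example that is not from the guide: a small shell library that produces what the two req forms above produce and then runs the checks worth doing before a certificate and key are copied onto the NAC 800 (the request's self-signature verifies, the key really matches the certificate, the certificate will not expire within N days, and a DER/PEM conversion changed nothing). It assumes an openssl binary on the path; the host name, file names and day counts are placeholders. Two caveats the syntax lines leave implicit: rsa:2048 is the smallest key size worth using today (512- and 1024-bit RSA and DSA keys are not considered secure), and a key written with -nodes is unencrypted on disk, so it is created under umask 077 here.

```shell
#!/bin/sh
# Added example, not from the NAC 800 guide: the openssl steps above wrapped in
# functions, each with the check a practitioner wants before installing the
# result on the appliance. Hostnames, file names and day counts are placeholders.
set -eu

# Self-signed certificate plus new RSA key. -nodes writes the key unencrypted,
# so it is created under umask 077; rsa:2048 is the floor for a server key.
gen_self_signed() {  # gen_self_signed <key_file> <cert_file> <cn> <days>
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -keyout "$1" \
          -out "$2" -days "$4" -subj "/CN=$3" 2>/dev/null )
}

# Certificate signing request plus new RSA key, for a CA-signed certificate.
gen_csr() {          # gen_csr <key_file> <csr_file> <cn>
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$1" \
          -out "$2" -subj "/CN=$3" 2>/dev/null )
}

# Check 1: the request is internally consistent (its self-signature verifies).
csr_ok() {           # csr_ok <csr_file>
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Check 2: the private key you are about to install matches the certificate.
# Compares the SPKI public key extracted from each side.
key_matches_cert() { # key_matches_cert <key_file> <cert_file>
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Check 3: the certificate will still be valid <days> from now.
cert_valid_for() {   # cert_valid_for <cert_file> <days>
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# The subject CN, with the "subject=" prefix and the spacing differences
# between OpenSSL releases stripped off.
cert_cn() {          # cert_cn <cert_file>
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

# PEM -> DER -> PEM, then prove nothing changed by comparing SHA-256
# fingerprints: the safe way to check a format conversion before installing it.
der_roundtrip_ok() { # der_roundtrip_ok <pem_in> <der_out> <pem_back>
    openssl x509 -in "$1" -inform PEM -out "$2" -outform DER
    openssl x509 -in "$2" -inform DER -out "$3" -outform PEM
    [ "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in "$3" -noout -fingerprint -sha256)" ]
}
```

Typical use: gen_self_signed nac800.key nac800.crt nac800.example.com 365 for a test certificate, or gen_csr nac800.key nac800.csr nac800.example.com followed by csr_ok nac800.csr before the request goes to the CA; once the signed certificate is back, key_matches_cert nac800.key nac800.crt and cert_valid_for nac800.crt 30 are the two checks that catch the common mistakes (wrong key file, already-expired certificate) before the service is restarted.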
Service Commands
As you configure the NAC 800, you might need to restart a service or check its status. For example, after you install certificates for the NAC 800’s RADIUS server, you must restart the radiusd service so that it loads the new certificate and key.
The names of some services of interest are listed in Table B-3. (The list is not comprehensive.)
Index
Numerics DHCP deployment method … 1-44
ACLs … 1-45
802.1X authentication … 1-33
static routes … 1-46
authentication server … 1-33
inline deployment method … 1-53
authenticator … 1-33, 4-39, 5-34
accounting … 4-33, 5-27
client … 4-4, 5-4
ACLs … 1-45
EAP methods … 1-30, 4-4, 5-4
ActiveX testing
supplicant … 1-33
advantages and disadvantages … 1-26
VLAN assignment
requirements … 1-25
pass or healthy … 1-35
AD … 4-7, 5-5
pre-test … 1-35
advantages and disadvantages … 4-7
quarantine or fail … 1-36
binding to … 1-39, 1-43, 4-16
802.1X deployment method … 1-38
test settings … 4-34, 4-38, 5-28, 5-32
accessible services … 1-36
administrator
apply changes … 4-43, 5-38
permissions … 3-42
IDM and … 4-5
set up account … 3-8
placing NAC 800
ADSL
endpoint integrity only … 1-40
See protocols
RADIUS and endpoint integrity … 1-38
AEA … 4-4, 5-4
RADIUS only … 1-42
agent
quarantining … 1-35
definition … 1-23
RADIUS services and … 4-12
IDM … 2-50, 4-6
VLAN assignment
NAC EI … 1-23
fail … 1-40
agentless testing
pass or healthy … 1-35
advantages and disadvantages … 1-27
pre-test … 1-35
non-domain members … 1-26
802.1X device … 4-39, 5-34
requirements … 1-26
802.1X quarantining
RPC … 1-26
See 802.1X deployment method
alerts … 2-41
AP … 1-29, 5-3
A attributes
cn … 4-28, 5-22
AAA
password … 4-21, 5-15
See RADIUS server
eDirectory … 4-29, 5-22
access control
OpenLDAP … 4-25, 5-19
802.1X … 1-33
uid … 4-25, 5-18
DHCP … 1-43
authentication methods
inline … 1-52
802.1X … 1-33, 4-16, 5-11
access point
certificates for … 4-47, 5-42
See AP
proxy server … 4-10
access.txt
supported by AD … 4-8
See files
authentication protocols
accessible services … 1-27
See protocols, authentication
802.1X deployment method … 1-36
cluster … 1-27
Index – 1
B certificate request
HTTPS server … 3-56
back up
RADIUS server … 4-52, 5-47
restore from … 7-15
cert-srv.pem
system configuration … 7-12
See files
best practices
Check-up
clusters … 1-9, 1-11
See endpoint integrity, posture
NAS configuration … 7-5
clusters … 1-7
binding to
accessible services … 1-27
AD … 1-39, 1-43, 4-16
best practices … 1-9, 1-11
directory … 1-34, 4-21, 5-15
CS … 1-15
eDirectory … 4-26, 5-19
DHCP … 1-47
OpenLDAP … 4-21, 5-15
enforcement … 1-8, 1-15, 3-9
TLS connection … 4-25, 5-19
ES … 2-37
buttons
exceptions … 6-3, 6-5
setting the NAC 800 IP with … 2-26
inline … 1-54
Web browser interface … 2-45
mirroring … 1-38
NAC 800s … 1-11, 5-9
C NAC policy group … 1-22
performance … 1-15
CA root certificate
settings … 1-15, 1-26
default in Java store … 3-55
CN … 3-52
HTTPS … 3-55
RADIUS server certificate … 4-57, 5-52
RADIUS … 4-48, 5-43
combination server
certificate … 3-52, 4-47, 5-42
See CS
CA root
command syntax … 2-35
See CA root certificate
common name
converting format … 4-54, 5-50
See CN
EAP-TLS … 4-47, 5-42
config.access.txt
EAP-TTLS … 4-47, 5-42
See files
eDirectory … 4-29, 5-23
console port … 1-5
endpoint … 4-61, 5-56
menu interface access … 2-5
factory default
root access to OS … 2-35
HTTPS … 2-37, 3-52
terminal session settings … 2-6
RADIUS server … 4-47, 5-42
credentials
HTTPS server
agentless testing … 1-26
CA-signed … 3-53, 3-58
CS … 1-13
issuing … 4-50, 5-45
enforcement cluster … 1-15
OpenLDAP … 4-25, 5-19
initial configuration in Web browser
PEAP … 4-47, 5-42
interface … 3-4
RADIUS server
management options … 2-3
CA-signed … 4-52, 5-47
RADIUS-only … 1-10
CN … 4-57, 5-52
role in deployment … 1-10
extensions … 4-47, 4-50, 4-57, 5-42, 5-45,
settings … 1-13
5-52
SNMP settings … 3-24
self-signed
HTTPS … 3-59
certificate extensions … 4-47, 5-42
D specifying for
ES … 3-14
data store … 5-5
MS or CS … 3-8
NAC 800 … 7-3
domain
redundancy … 7-2, 7-6
agentless testing … 1-26
supported with IDM … 4-6
configuring authentication … 4-16
database
multiple controllers … 4-20, 5-14, 7-7
configuring … 1-39, 1-43
parent … 4-20, 5-14
local … 4-7
See also Windows domain
adding user accounts … 4-16
dynamic settings
configuring authentication … 4-14
See settings
password required … 4-7
date … 3-23
changing … 3-21 E
updating … 3-23 EAP … 1-30
deployment method … 1-32 disabling server authentication … 4-61, 5-56
802.1X See also protocols, authentication
See 802.1X deployment method eap.conf
DHCP See files
See DHCP deployment method EAP-TLS
inline See also protocols, authentication
See inline deployment method See TLS
DER format server certificate
converting from … 4-54, 4-59, 5-49, 5-54 file … 4-56, 5-51
DHCP deployment method … 1-43 private key file … 4-56, 5-51
accessible services … 1-44 EAP-TTLS
ACLs … 1-45 See TTLS
circumventing … 1-45 eDirectory … 1-30, 5-5
enforcement methods … 1-45 advantages and disadvantages … 4-8, 5-6
helper addresses … 1-51 binding to … 1-39, 1-43, 4-21, 4-26, 5-15, 5-19
mirroring … 1-38 multiple … 7-8
placing NAC 800 … 1-46 settings … 4-28, 5-21
quarantining … 1-44 test settings … 4-34, 4-38, 5-28, 5-32
requests … 1-51 TLS connection … 4-29, 5-23
static routes … 1-46 configuring authentication … 4-26
subnet design … 1-48 redundancy … 7-6
digital certificate user login filter … 4-21, 5-15
See certificate encryption … 4-10
distinguished name MD5 … 1-30
See DN WPA-PSK … 1-52
DN endpoint
binding to LDAP … 4-21, 5-15, 7-9 802.1X client … 4-4, 5-4
eDirectory … 4-28, 5-22 accessible services … 1-27
OpenLDAP … 4-24, 5-18 certificate for EAP … 4-61, 5-56
DNS server endpoint integrity … 1-16
changing … 3-19 disabling … 6-2
NAC 800 as … 1-36, 1-44 dynamic settings … 4-5
posture … 1-27 proxy.conf … 4-31, 5-25, 5-26, 5-27
Check-up … 1-35 RADIUS.log … 1-30, 1-31
Fail … 1-40 radiusd.conf … 7-6, 7-8, 7-10
Healthy … 1-35 SAFreeRadiusConnector.conf … 1-35, 1-36, 1-40
Infected … 1-44 SAIASConnector … 1-35, 1-36, 1-41
Quarantine … 1-44 tar … 7-12
Unknown … 1-40, 1-44
quarantining … 4-14
with or without RADIUS … 1-34
G
end-user redirect screen GTC
See screens See protocols, authentication
enforcement cluster
See clusters
H
enforcement server
See ES hardware … 1-4
ES … 1-13 Healthy
adding to cluster … 3-12 See endpoint integrity, posture
initial configuration … 3-9 helper addresses
management options … 2-3 See DHCP deployment method
moving to a new MS … 3-12 Home screen
role in deployment … 1-7 See screens
settings … 1-12 hostname … 5-11
SNMP settings … 3-36 changing CS or ES … 3-19
Ethernet ports ES … 3-14
See ports MS or CS … 3-8
exceptions rules … 3-14, 3-19, 4-17
addresses … 6-2 HTTPS server … 2-37
cluster default settings … 6-3
configuring … 6-2 I
excluding domain names … 6-3
particular cluster … 6-5 IAS … 1-34
extensions plug-in … 1-36
RADIUS certificate request … 4-52, 5-47 IDM
RADIUS server certificate … 4-47, 4-50, 4-57, agent … 4-6
5-42, 5-45, 5-52 capabilities … 1-30, 2-52, 2-53
configuring local database … 1-39, 1-43
configuring usernames and passwords … 7-11
F data stores … 4-6
files detecting NAC 800 … 2-49
access.txt … 2-49, 4-5 dynamic settings … 4-5
cacert.pem … 4-49, 5-44 enable management of NAC 800 … 4-5
certificate_file … 4-56, 4-60, 5-51, 5-55 management option … 2-49
cert-srv.pem … 4-51, 4-58, 4-59, 5-46, 5-53, 5-54 overview … 4-5
config.access.txt … 4-11 server
eap.conf … 4-59, 5-54 set on NAC 800 … 4-13
CA-signed certificate … 4-53, 4-55, 5-48, 5-50 specified on NAC 800 … 2-50
self-signed certificate … 4-51, 5-46 version number … 2-49, 4-6
private_key … 4-56, 4-60, 5-51, 5-55
Infected local database
See endpoint integrity, posture See database
inline deployment method … 1-51 log files
accessible services … 1-53 See files
example deployments … 1-52 log level … 3-28
placing NAC 800 Logout link … 2-41
VPN … 1-53
WAN … 1-55
WLAN … 1-56
M
quarantining … 1-53 MAC address
installing NAC 800 … 1-5
NAC EI agent … 1-23 management server
integrity posture See MS
See endpoint integrity, posture management user
IP address creating … 3-42
gateway … 3-19 role … 3-41
setting creating … 3-47
menu interface … 2-12 default … 3-42
panel LCD … 2-26 editing … 3-49
Web browser interface … 3-19 permissions … 3-46
MD5 … 1-30
menu interface … 2-5
K accessing
key console session … 2-5
encryption … 1-30 SSH session … 2-7
generating for HTTPS certificate … 3-54, 3-60 changing password … 2-15
default password … 2-15
navigating … 2-8
L server type settings … 2-10
LCD system information in … 2-21
See panel LCD username … 2-15
LDAP format … 4-24 mirroring … 1-38, 1-39, 1-41
LDAP server MS … 1-11
advantages and disadvantages … 4-8, 5-6 initial configuration in Web browser
binding to … 4-21, 5-15 interface … 3-4
multiple … 7-8 management options … 2-3
configuring authentication … 4-20, 5-14 role in deployment … 1-7
overview … 4-8 settings … 3-5
redundancy … 7-3, 7-6 SNMP settings … 3-24
TLS … 4-21, 5-15 MS-CHAP
user login filter … 4-21, 5-15 See protocols, authentication
LEAP multinetting … 1-49
See protocols, authentication multiple NAC 800s
LEDs … 1-4 See clusters
locator, activating (menu) … 2-20
left navigation bar … 2-41
license agreement … 3-5
licenses … 3-39
N P
NAC EI agent panel LCD … 1-5, 2-5
advantages and disadvantages … 1-25 access menu … 2-22
installing … 1-23 navigate menu … 2-23
requirements for testing … 1-24 PAP
NAC policy … 1-19 See protocols, authentication
endpoints applied to … 1-21 password
inactive endpoints … 1-21 changing menu interface … 2-15
name … 1-19 console … 4-46, 5-41
retest frequency … 1-20 default … 2-15
testable OS … 1-20 NULL … 4-7
tests list … 1-22 PCM, in … 2-48
untestable OS … 1-20 private_key … 4-56, 4-60, 5-51, 5-55
NAC policy group … 1-22 proxy server … 3-21
NAC tests … 1-17 root … 2-35
actions … 1-19 CS or MS … 3-28
properties … 1-18 ES … 3-15, 3-38
settings … 1-17 setting … 3-6
updates … 1-18 rules … 2-17, 3-7
NAS SSH session … 4-32, 4-46, 5-26, 5-41
adding as RADIUS client … 4-39, 5-34 terminal session … 2-6
configure … 4-11, 5-8 user account … 3-44
definition … 1-29, 4-3, 5-3 using IDM to configure … 7-11
network settings Web browser interface … 3-9
See settings PCM Plus … 2-48
NTLM detecting NAC 800 … 2-47, 3-26
See protocols version required … 2-47
NTP server … 1-12 PEAP … 4-4, 5-4
changing … 3-23 mutual authentication … 4-47, 5-42
CS as … 1-13 proxy and IDM … 4-10
specifying … 3-7 Windows domain authentication … 4-16, 5-11
performance
endpoint integrity checks … 1-28
O RADIUS server … 1-10
OpenLDAP … 1-30, 5-5 PFX format
advantages and disadvantages … 4-8, 5-6 converting from … 4-55, 4-59, 5-50, 5-54
binding to … 1-39, 1-43, 4-21, 5-15 ping
multiple … 7-8 menu interface … 2-13
settings … 4-24, 5-18 panel LCD … 2-28
test settings … 4-34, 4-38, 5-28, 5-32 responding to … 2-13
configuring authentication … 4-21 placing NAC 800
redundancy … 7-6 802.1X deployment method … 1-38
TLS connection … 4-25, 5-19 DHCP deployment method … 1-46
user login filter … 4-21, 5-15 inline
operating systems VPN … 1-53
supported … 1-20 WAN … 1-55
unsupported … 1-20, 1-21 WLAN … 1-56
plaintext … 4-10
ports Q
console … 2-5
Quarantine
console Ethernet … 1-5, 2-35
See endpoint integrity, posture
default LDAP … 5-22
quarantine method
Ethernet
See deployment method
802.1X deployment … 1-38, 1-40
quarantining … 1-19
802.1X deployment (RADIUS-only) … 1-42
inline deployment … 1-53, 1-57 802.1X … 1-35, 5-8
mirroring to … 1-39 RADIUS-only … 4-12
overview … 1-6 DHCP … 1-44
speed and duplex … 2-32 endpoint integrity … 4-14
RADIUS accounting … 4-33, 5-27 enforcement … 1-45
RADIUS authentication … 4-32, 5-27 inline … 1-53
TLS connection … 5-22 settings … 1-12, 1-13
post-connect testing … 1-21 subnet
protocols 802.1X method … 4-14
ADSL … 1-52 DHCP … 1-48
authentication … 4-7 DNS server for … 1-44
EAP … 4-10 multinetting … 1-49
See also EAP part of existing subnet … 1-48
GTC … 1-30, 4-4, 5-4 VLAN … 1-36, 1-40
LEAP … 1-30, 4-4, 5-4 DNS server … 1-36
MS-CHAP … 1-30
PAP … 1-30 R
RADIUS … 4-3, 5-3
See PEAP radio points
See TLS See RPs
See TTLS RADIUS
supported … 4-4, 5-4 See protocols, authentication
TLS … 4-29 RADIUS client
See also EAP-TLS adding to NAC 800 … 4-39, 5-34
NTLM … 4-16, 5-10 RADIUS server … 1-29
PFX … 4-55, 4-59, 5-50, 5-54 accounting … 1-30
SNMPv2 … 4-5 apply changes … 4-43, 5-38
STP, RSTP … 1-54 CA root certificate … 4-48, 5-43
proxy RADIUS server capabilities with IDM … 1-30, 2-52
advantages and disadvantages … 4-9, 5-7 capabilities without IDM … 1-30
configuration file … 4-32, 5-26 certificate … 4-47, 5-42
configure … 1-39, 1-43 CA-signed … 4-52, 5-47
configuring authentication … 4-29, 5-23 CN … 4-57, 5-52
overview … 4-9, 5-6 extensions … 4-47, 4-50, 4-57, 5-42, 5-45,
proxy server 5-52
authentication settings … 3-21 request extensions … 4-52, 5-47
NAC 800 for … 3-19 configuration with IDM … 4-11, 5-8
proxy.conf log files … 1-30
See files NAC 800 as … 4-11, 5-8
PSCP … 4-53, 5-48 primary and secondary … 7-5
PuTTY SCP redundancy … 7-2, 7-3
See PSCP
restart rules
root … 4-46, 5-41 admin password … 2-17
Web browser interface … 4-43, 5-38 domain … 5-14
RADIUS-only NAC 800 … 1-42 hostname … 3-14, 3-19, 4-17
capabilities … 1-10 LDAP format … 4-24
multiple NAC 800s … 1-11 parent domain … 4-20
quarantine method … 4-12 read community string … 3-37
Rapid Spanning Tree Protocol role name … 3-48
See RSTP shared secret … 4-41, 5-27
read community string … 3-37 user account password … 3-44
reboot user account roles … 3-45
menu interface … 2-18 username … 3-44
NAC 800 … 2-19
panel LCD … 2-30
redundancy
S
configuring NASs … 7-5 SAFreeRadiusConnector.conf
data store … 7-2, 7-6 See files
eDirectory … 7-6 SAIASConnector files
LDAP servers … 7-3, 7-6 See files
network paths … 7-4 save
OpenLDAP … 7-6 configurations … 2-45
RADIUS servers … 7-2, 7-3 configuring Web browser … 7-14
testing … 7-11 SCP server … 4-53, 5-48
remote access … 1-53 screens
restart end-user redirect … 1-45
RADIUS server Home … 2-39
root … 4-46, 5-41 access control section … 2-43
Web browser … 4-43, 5-38 right area … 2-43
restart after shutdown … 2-20 IDM … 2-53
retest frequency … 1-20 testing Windows domain authentication … 4-37,
RJ45 connector … 1-5 5-31
role name rules … 3-48 Web browser interface … 2-43
roles search
management … 3-41 locking out … 4-29
user … 3-45 serial number … 1-5
editing … 3-49 menu interface, viewing in … 2-21
root server type
accessing NAC 800 OS … 2-35 changing … 1-14
certificate choosing … 1-7
See CA root certificate setting … 2-10
restart panel LCD … 2-24
RADIUS server … 4-46, 5-41 settings
username and password … 2-35 802.1X quarantining … 2-50
RPC authentication … 4-14, 5-10
See agentless testing proxy server … 3-21
RPs … 1-52, 1-57
RSTP … 1-54
binding to support link … 2-41
eDirectory … 4-28, 5-21 supported OSs … 1-20
OpenLDAP … 4-24, 5-18 switches
Windows domain … 4-20, 5-14 ProCurve … 7-3, 7-5
cluster … 1-15, 1-26 system information
cluster default menu interface, viewing in … 2-21
exceptions … 6-3
CS … 1-13
dynamic … 4-4, 5-4
T
VLAN … 4-4, 5-4 tar file
ES … 1-12 See files
IDM … 4-5 testing
IP address … 2-12, 2-26, 2-28 bind operation … 4-36, 5-30
locking out searches … 4-29 IP settings … 2-13
menu interface … 2-9 list … 1-22
MS … 3-5 method … 1-22
NAC 800 IP … 2-26 ActiveX … 1-25
network … 3-18 agentless … 1-26
server type … 2-24 NAC EI agent … 1-23
SNMP … 3-24, 3-36 post-connect … 1-21
speed and duplex … 2-32 redundancy … 7-11
subnet mask … 2-27 requirements
system … 2-21, 3-3 ActiveX … 1-25
terminal session … 2-6 agentless … 1-26
test results … 4-38, 5-32 NAC EI agent … 1-24
testing … 2-28, 4-34, 5-28 results … 4-38, 5-32
user-based … 4-4, 5-4 time … 3-23
shared secret … 4-33, 5-27 zone … 3-7
802.1X device for … 4-41, 5-36 CS or MS … 3-23
rules … 5-27 ES … 3-34
shutdown TLS … 4-4, 5-4
restarting after … 2-20 eDirectory bind … 4-29, 5-23
shutting down LDAP bind … 4-21, 5-15, 7-9
menu interface … 2-19 mutual authentication … 4-47, 5-42
panel LCD … 2-31 OpenLDAP bind … 4-25, 5-19
SNMP TTLS … 4-4, 5-4
allowed source network … 2-47 mutual authentication … 4-47, 5-42
read-only access … 3-24, 3-26 proxy and IDM … 4-10
read-only community … 2-47 Windows domain authentication … 4-16, 5-11
read-write community … 2-47
settings … 3-36
U
software upgrade … 1-12, 1-13, 3-39
Spanning Tree Protocol unknown
See STP See endpoint integrity, posture
SSH session unsupported OSs … 1-20, 1-21
username and password … 4-32, 5-26 updates
SSID … 4-66, 5-61 test … 1-12, 1-13, 1-18
STP … 1-54
user accounts Windows domain … 4-7
adding to local database … 4-16 joining NAC 800 to … 4-17, 5-11
user login filter … 4-21, 5-15 multiple controllers … 4-20, 5-14
user roles requirements … 4-17, 5-11
See roles settings … 4-20, 5-14
username authentication … 5-10
account rules … 3-44 test … 4-34, 4-38, 5-28, 5-32
console … 2-6, 4-46, 5-41 Wireless Edge Services Module
menu interface … 2-15 See WESM
PCM, in … 2-48 wireless LAN
proxy server … 4-10 See WLAN
root … 2-35 WLAN … 1-52
SSH session … 4-32, 4-46, 5-26, 5-41 802.1X deployment … 1-52
using IDM to configure … 7-11 placing NAC 800 (inline) … 1-56
V
version
IDM … 4-6
IDM agent … 2-50
menu interface, viewing software … 2-21
vi editor … 4-32, 5-26
VLAN
assignment … 1-35
dynamic settings … 4-4, 5-4
quarantine … 1-36, 1-40
VPN … 1-32, 1-52
placing NAC 800 … 1-53
W
WAN … 1-32, 1-52
placing NAC 800 … 1-55
warranty … 1-ii
Web browser interface … 2-37
accessing … 2-39
with IDM … 2-53
with PCM Plus … 2-48
navigating … 2-39, 2-44, 2-45
requirements
management station … 2-38
NAC 800 … 2-37
WESM … 1-52, 1-56, 1-57