■ A ProCurve NAC Endpoint Integrity Agent License

ProCurve NAC 800 is delivered as a hardware appliance that you install in your network. After NAC 800 is installed in your network, you configure it using a workstation with browser software installed.
What You Need to Get Started

■ ProCurve Network Access Controller 800 Users’ Guide – Refer to this document last for information on configuring, monitoring activities, creating NAC policies, and running reports.
(see figure 1-2. System Monitor Window on page 1-7).

■ Endpoint test status area – The Endpoint tests area displays the total number of endpoints that NAC 800 has attempted to test, and what the test status is for each endpoint. Click the number of endpoints to view details.
Figure 1-1. NAC 800 Home Window. Callouts: 1. Important status announcements; 2. User name; 3. Top 5 failed tests area; 4. Window actions; 5. Navigation pane; 6. Test status area; 7. Access control status area; 8. Enforcement server status area.
System Monitor

The System monitor window provides the following information:

■ Enforcement cluster name – The Enforcement clusters are listed by name in the order they were created. Click on a cluster name to view cluster details. You must have cluster-editing permissions to view and edit cluster details.
Figure 1-2. System Monitor Window (the breadcrumbs for navigation are shown at the top of the window)

The following figure shows the legend for the System monitor window icons:

Figure 1-3. System Monitor Window Legend
Overview

NAC 800 protects the network by ensuring that endpoints are free from threats and in compliance with the organization's IT security standards. NAC 800 systematically tests endpoints—with or without the use of a client or agent—for compliance with organizational security policies, quarantining non-compliant machines before they damage the network.
■ Enforcement options – NAC 800 provides multiple enforcement options for quarantining endpoints that do not comply with your security policy (Inline, DHCP, and 802.1X). This enables NAC 800 to enforce compliance across complex, heterogeneous networks.

■ High availability and load balancing – A multi-server NAC 800 deploy-...
NAC 800 administrators create "NAC policies" that define which applications and services are permitted, and specify the actions to be taken when endpoints do not comply. NAC 800 automatically applies the NAC policies to endpoints as they log into the network, and periodically as the endpoints remain logged into the network.
NAC 800 passes approximately 9 to 16 kilobytes of total data between a single endpoint and a single NAC 800 server for a single testing session with the High Security NAC policy (approximately 20 tests). It typically takes between 5 and 10 seconds to run all tests in a policy on a 100Mb LAN.
Compliance Enforcement

Based on endpoint test results, NAC 800 takes the appropriate action. Endpoints that test compliant with the applied policy are permitted access. Non-compliant endpoints are either quarantined, or are given access for a temporary period.
Additional Documentation

NAC 800 documentation is available in a number of media formats and is accessible in a variety of ways:

■ Quick-start card – The Quick-start card provides a high-level overview of the physical deployment options, software installation, post-installation configuration, the Users’...
Installing third-party software on the NAC 800 server is not supported. If you install additional software on the NAC 800 server, you need to remove it in order to troubleshoot any NAC 800 issues, and it will likely be partially or fully overwritten during NAC 800 release upgrades or patch installs, compromising the third-party software functionality.
If there is no activity for 30 minutes, the configuration window times out and you must log in again.

Caution Paragraph

Cautions notify you of conditions that can cause errors or unexpected results. Example:

CAUTION: Do not rename the files or they will not be seen by NAC 800.
Low – You are not protected from potentially unsafe macros. (Not recommended).

■ Indicating document titles – NAC 800 Installation Guide

■ Indicating a variable entry in a command – https://<IP_address>/index.html In this case, you must replace <IP_address> with the actual IP address, such as 10.0.16.99.
Courier font is used in the following cases:

■ Indicating path names – Change the working directory to the following: C:\Program Files\<MyCompany>\ProCurve NAC EI Agent

■ Indicating text; enter exactly as shown – Enter the following URL in the browser address field: https://<IP_address>/index.html In this case, you must replace <IP_address>...
Conventions Used in This Document

■ Indicating a variable section in a *.INI file – [Global] NASList=192.168.200.135

■ Indicating a list in a properties file – Compliance.ObjectManager.DHCPConnectorServers=[192.168.51.130, 192.168.99.1]

Terms

Terms are defined in the “Glossary” on page D-1. Example: MAC – Media Access Control...
Example: 10. Copy the /usr/local/nac/properties/NACAVPs.txt file from the NAC 800 server to the ACS server using PSCP (or other secure copy utility). scp is a Linux/UNIX command used to copy files between Linux/UNIX machines.
Copying Files

To copy a file from a Windows machine to a Linux machine, enter the following:

<pscp directory>\pscp c:\documents\foo.txt fred@example.com:/tmp/foo

You will be prompted to enter a password for the Linux/UNIX machine.

NOTE: You can either enter the path to the PSCP.EXE file as part of the command, or cd to the directory where you saved the PSCP.EXE file before entering the pscp command.
Clusters and Servers

Overview

NAC 800 uses clusters and servers. A "cluster" is a logical grouping of one or more Enforcement servers (ESs) that are managed by one Management server (MS). A single-server installation is one where the MS and ES are on one server. The ES is assigned to a Default cluster.
Installation Examples

Single-server Installation

The simplest installation is where the MS and ES are installed on the same physical server as shown in the following figure:

Figure 2-1. Single-server Installation

Multiple-server Installations

By using at least three servers, one for the MS and two for Enforcement servers, you gain the advantage of high availability and load balancing.
High availability is where Enforcement servers take over for any other Enforcement server or servers that become unavailable. Load balancing is where the testing of endpoints is spread evenly over all of the Enforcement servers. A three-server installation is shown in the following figure:

Figure 2-2.
When your network is more complex, you can continue to add clusters as shown in the following figure:

Figure 2-3. Multiple-server, Multiple-cluster Installation

The system configuration area allows you to select default settings for all clusters, as well as override the default settings on a per-cluster basis.
Table 3-1. Default Menu Options

Only a system administrator can assign access permissions and access the System configuration window. See Figure 1-1 on page 1-5 for the NAC 800 home window of a user with system administration permissions. If you do not see the System configuration menu option, you do not have system administrator permissions.
■ Quarantining – “Quarantining” on page 3-49
■ Maintenance – “Maintenance” on page 3-91
■ Cluster setting defaults
  • Testing Methods – “Testing Methods” on page 3-95
  • Accessible services – “Accessible Services” on page 3-98
  • Exceptions –...
Enforcement Clusters and Servers

The Enforcement clusters & servers menu option (figure 3-3) is where you configure Enforcement clusters and servers. You can perform the following tasks:

■ Enforcement clusters
  • Add, edit, or delete Enforcement clusters
  •...
Enforcement Clusters

Adding an Enforcement Cluster

To add an Enforcement cluster:

NAC 800 Home window>>System configuration>>Enforcement clusters & servers

Figure 3-1. System Configuration Window, Enforcement Clusters & Servers Area
If you are setting up a cluster for the first time, and you have not yet added an ES, select allow all until you have finished configuring NAC 800. Select a NAC policy group from the NAC policy group drop-down list (see “NAC Policies”...
Advanced – See “Advanced Settings” on page 3-114

Editing Enforcement Clusters

To edit the Enforcement clusters settings:

NAC 800 Home window>>System configuration>>Enforcement clusters & servers

Click the cluster you want to edit. The Enforcement cluster window appears, as shown in Figure 3-3 on page 3-11.
“Adding an Enforcement Cluster” on page 3-7. Click ok.

Viewing Enforcement Cluster Status

There are two ways NAC 800 provides Enforcement cluster status:

■ The icons next to the cluster name (see Figure 3-4 on page 3-13)
■ The Enforcement cluster window (see the following steps)
Home window are system-wide.

Deleting Enforcement Clusters

NOTE: Enforcement clusters need to be empty before the delete option appears next to the name in the NAC 800 console.

To delete Enforcement clusters:

NAC 800 Home window>>System configuration>>Enforcement clusters & servers
Click delete next to the cluster you want to remove. The Delete Enforcement cluster confirmation window appears. Click yes. The System configuration window appears (figure 3-1).
Enforcement Servers

Adding an Enforcement Server

To add an Enforcement server:

NAC 800 home window>>System configuration>>Enforcement clusters & servers

Figure 3-4. System Configuration Window, Enforcement Clusters & Servers Area
Click Add an Enforcement server in the Enforcement clusters & servers area. The Add Enforcement server window appears.

Figure 3-5. Add Enforcement Server Window

Select a cluster from the Cluster drop-down list. Enter the IP address for this Enforcement server in the IP address text box. Enter the fully qualified hostname to set on this server in the Host name text box.
Figure 3-6. Enforcement Cluster Legend

Editing Enforcement Servers

To edit Enforcement server settings:

NAC 800 Home window>>System configuration>>Enforcement clusters & servers

Click the Enforcement server you want to edit. The Enforcement server window appears, as shown in Figure 3-7 on page 3-16.
Click the Configuration menu option to access the Enforcement server’s settings. The Configuration area is displayed:

Figure 3-7. Enforcement Server Configuration Window

Edit the following setting(s):
• Enforcement server network settings – “Changing the Enforcement Server Network Settings” on page 3-17
•...
DNS IP addresses text box. For example: 10.0.16.100,10.0.1.1 NOTE: The NAC 800 Enforcement server’s host name must be a fully qualified domain name (FQDN). For example, the FQDN should include the host and the domain name—including the top-level domain.
Re-enter the password in the Re-enter root password text box. Click ok.

Viewing Enforcement Server Status

There are two ways NAC 800 provides ES status:

■ The icons next to the server name (see Figure 3-6 on page 3-15)
■ The Status window (see the following steps). The Enforcement server...
• Percentage of memory used on the server
• Disk space usage for the server

To view Enforcement server status:

NAC 800 Home window>>System configuration>>Enforcement clusters & servers

Click the server for which you want to view the status. The Enforcement server window appears:

Figure 3-8.
Servers need to be powered down for the delete option to appear next to the name in the NAC 800 console. To delete Enforcement servers: NAC 800 Home window>>System configuration>>Enforcement clusters & servers Click delete next to the server you want to remove from the cluster. The Delete Enforcement server confirmation window appears.
Management Server

Viewing Network Settings

To view Management server status:

NAC 800 Home window>>System configuration>>Management server
Figure 3-9. System Configuration, Management Server Window

Server status is shown in the Network settings area. Click ok or cancel.
See “Maintenance” on page 3-91 for instructions on backing up and restoring your system. To modify Management server network settings: NAC 800 Home window>>System configuration>>Management server WARNING: Changing the Management server network settings will cause the network interface to restart.
To select a proxy server:

NAC 800 Home window>>System configuration>>Management server

Select Use a proxy server for Internet connections. Enter the IP address of the server that will act as the proxy for Internet connections in the Proxy server IP address text field.
Select Automatically receive NTP updates from and enter one or more Network Time Protocol (NTP) servers, separated by commas. The NTP protocol allows NAC 800 to synchronize its date and time with other endpoints on your network. For example, time.nist.gov.
NAC 800 Home window>>System configuration>>Management server Select the Enable SNMP check box to enable SNMP. Clear the check box to disable SNMP. NAC 800 supports read-only SNMP v1 and v2. Enter the Read community string. The default setting for network equipment is often set to public.
“Changing the NAC 800 Console Timeout”.

Changing the NAC 800 Console Timeout

To change the timeout value for the console:

Command window

Log in to the NAC 800 server as root, either using SSH or directly with a keyboard.
Enter the following at the command line:

setProperty.py -m Compliance.UpgradeManager.UpgradeTimeout=<minutes>

Where: <minutes> is the number of minutes of inactivity NAC 800 will wait before requiring the user to log in to the console again. For example, 30.
User Accounts NAC 800 allows you to create multiple user accounts. User accounts provide and limit access to NAC 800 functions based on permissions (user roles) and clusters assigned. See “User Roles” on page 3-37 for more information on setting permissions for the user roles.
Figure 3-11. System Configuration, User Accounts
Figure 3-12. Add User Account

Enter the following information:
• User ID – The user ID used to log into NAC 800
• Password – The password used to log into NAC 800
• Full name – The name associated with the user account
•...
Create your own user roles and definitions.

Table 3-2. Default User Roles

Click ok.

Searching for a User Account

To search for a user account:

NAC 800 Home window>>System configuration>>User accounts

Select one of the following from the Search drop-down list:
• user ID
• full name
•...
Sorting the User Account Area To sort the user account area: NAC 800 Home window>>System configuration>>User accounts Click the column heading for user id, full name, email address, user roles, or clusters. The user accounts reorder according to the column heading selected.
Click copy next to the user account you want to duplicate. The Copy user account window appears. The account information is duplicated from the original account.

Figure 3-13. Copy User Account

Enter the User ID of the new account. Enter the Password.
NAC 800 Home window>>System configuration>>User accounts

Click the name of the user account that you want to edit. The User account window appears:

Figure 3-14. User Account

Change or enter information in the fields you want to change. See “Adding a User Account”...
To delete a user account:

NAC 800 Home window>>System configuration>>User accounts

Click delete next to the user account you want to remove. The Delete user account confirmation window appears. Click yes.
  • Edit the name of the user role
  • Edit the detail description of the user role
  • Edit the assigned permissions for the user role
■ Delete a user role

Adding a User Role

To add a user role:

NAC 800 Home window>>System configuration>>User roles
Figure 3-15. System Configuration Window, User Roles
Click add a user role in the User roles area. The Add user role window appears.

Figure 3-16. Add User Role Window

Enter a descriptive name in the Role name field. Enter a description of the role in the Description field. Select the permissions for the user role.
Allows you to quarantine or grant network access to endpoints in your clusters
Retest endpoints – Allows you to have endpoints in your clusters retested

Table 3-3. User Role Permissions (cont.)

Editing User Roles

NOTE: You cannot edit the System Administrator user role.

To edit user roles:

NAC 800 Home window>>System configuration>>User roles
Deleting User Roles NOTE: You cannot delete the System Administrator role. To delete user roles: NAC 800 Home window>>System configuration>>User roles Click delete next to the user role you want to remove. The Delete user role confirmation window appears. Click yes.
Sorting the User Roles Area

To sort the user roles area:

NAC 800 Home window>>System configuration>>User roles

Click the user role name or description column heading. The selected category sorts in ascending or descending order. Click ok.
■ View license start and end dates
■ View number of days remaining on license, and associated renewal date
■ View remaining endpoints and servers available under license

Updating Your License

To update your license:

NAC 800 Home window>>System configuration>>License
Figure 3-18. System Configuration Window, License

Click submit license request. Click ok on the license validated pop-up window.
■ Check for test updates (forces an immediate check for test updates)
■ Set time or times for downloading test updates
■ View test update logs

Manually Checking for Test Updates

To manually check for test updates:

NAC 800 Home window>>System configuration>>Test updates
In the Last successful test update area, click check for test updates. Click ok.

NOTE: It is important to check for test updates during the initial configuration of NAC 800.

Selecting Test Update Times

To select test update times:

NAC 800 Home window>>System configuration>>Test updates
By default, NAC 800 checks once every hour using the ProCurve Secure Rule Distribution Center. All times listed are dependent upon the clock setting and time zone of the hardware on which NAC 800 is running. Click ok. Viewing Test Update Logs To view test update logs: NAC 800 Home window>>System configuration>>Test updates...
Click the View test update log link just to the right of the Check for test updates button. The Test update log window appears:

Figure 3-20. Test Update Log Window

The Test update log window legend is shown in the following figure:

Figure 3-21.
The Quarantining menu option allows you to configure the following by cluster:

■ Select the quarantine method
■ Basic 802.1X settings
■ Set up authentication method
■ Add, edit, delete 802.1X devices

Selecting the Quarantine Method

To select the quarantine method:

NAC 800 Home window>>System configuration>>Quarantining
In the Quarantine method area, select one of the following quarantine methods: • 802.1X – When using the 802.1X quarantine method, NAC 800 must sit in a place on the network where it can communicate with your RADIUS server, which communicates with your switch or router, which performs the quarantining.
• Inline – When using the inline quarantine method, NAC 800 must be placed on the network where all traffic to be quarantined passes through NAC 800. It must be inline with an endpoint like a VPN.

Click ok.

Entering Basic 802.1X Settings

To enter basic 802.1X settings:...
• Proxy – Authentication requests are proxied to a remote RADIUS server configured to allow the Enforcement server as a client NAS.

Click ok.

Configuring Windows Domain Settings

To configure Windows domain settings:

NAC 800 home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Local radio button
Select Windows domain from the End-user authentication method drop-down list.

Figure 3-23. System Configuration, Windows Domain Window

Enter the Fully Qualified Domain Name (FQDN) of the domain to be joined in the Domain name text field.
Enter the password of the end-user in the Password text box.
iii. Re-enter the password of the end-user in the Re-enter password text box.

Click test settings. Click ok.

Configuring OpenLDAP Settings

To configure OpenLDAP settings:

NAC 800 home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Local radio button
Select OpenLDAP from the End-user authentication method drop-down list.

Figure 3-24. System Configuration Window, OpenLDAP
Enter the LDAP server hostname or IP address and optional port number in the Server text field. For example: 10.0.1.2:636

Enter the DN under which LDAP searches should be done in the Identity text field. For example: cn=admin,o=My Org,c=UA

Enter the password that authenticates the DN entered into the Identity text field in the Password text field.
Configuring Novell eDirectory Settings

To configure Novell eDirectory settings:

NAC 800 home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Local radio button
Select Novell eDirectory from the End-user authentication type drop-down list.

Figure 3-25. System Configuration Window, RADIUS, Novell eDirectory
Enter the LDAP server hostname or IP address and optional port number in the Server text field. For example: 10.0.1.2:636

Enter the Distinguished Name (DN) under which LDAP searches should be done in the Identity text field. For example: cn=admin,o=My Org,c=UA

Enter the password that authenticates the DN entered into the Identity text field in the Password text field.
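The Server, Identity, Host name and DNS IP addresses fields described above are free text, and a typo (a host name without its domain, a stray comma in a server list, an unbalanced DN) only surfaces later as a failed bind or an unreachable server. The following added example, which is not part of the guide or of the NAC 800 product, validates values in the formats the guide shows before they are pasted into the console: a server given as host[:port] as in 10.0.1.2:636, a bind DN as in cn=admin,o=My Org,c=UA, a comma-separated IPv4 list as in 10.0.16.100,10.0.1.1, and a fully qualified host name that includes host, domain and top-level domain. All function names are this example's own; the FQDN rule is the guide's wording (host plus domain plus top-level domain) turned into a check, and the default LDAP port of 389 is an assumption, not something the guide states.

```python
"""Validate NAC 800 console field values in the formats the guide shows.

Added example, not code from the ProCurve NAC 800 guide or product. Function
names, the 389 default port and the sample values are this example's own.
"""
import ipaddress
import re

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen (RFC 1123).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# One attribute=value pair of a DN; the value may contain backslash-escaped characters.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=(?:\\.|[^,=\\])+$")


def parse_ip_list(text):
    """Parse 'ip,ip,...' (DNS or NTP server fields) into IPv4Address objects.

    Raises ValueError on an empty entry or a malformed address.
    """
    addrs = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty entry in IP address list: %r" % text)
        addrs.append(ipaddress.IPv4Address(item))  # ValueError if not a valid IPv4
    return addrs


def is_fqdn(name):
    """True for host.domain.tld style names (at least three valid labels, non-numeric TLD)."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 3:  # the guide asks for host + domain + top-level domain
        return False
    if not all(_LABEL.match(label) for label in labels):
        return False
    return not labels[-1].isdigit()  # a top-level domain is never all digits


def parse_ldap_server(text, default_port=389):
    """Split 'host[:port]' into (host, port); host may be IPv4, [IPv6] or a host name."""
    text = text.strip()
    if text.startswith("["):  # bracketed IPv6 literal, optionally followed by :port
        host, closed, rest = text[1:].partition("]")
        if not closed:
            raise ValueError("unterminated IPv6 literal: %r" % text)
        ipaddress.IPv6Address(host)
        port_text = rest[1:] if rest.startswith(":") else ""
    elif text.count(":") == 1:  # IPv4 or host name with a port
        host, _, port_text = text.partition(":")
    elif ":" in text:  # bare IPv6 literal with no port
        ipaddress.IPv6Address(text)
        host, port_text = text, ""
    else:
        host, port_text = text, ""
    if not host:
        raise ValueError("empty host in %r" % text)
    port = int(port_text) if port_text else default_port
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    try:
        ipaddress.ip_address(host)
    except ValueError:
        if not (is_fqdn(host) or _LABEL.match(host)):
            raise ValueError("host is neither an IP address nor a valid host name: %r" % host)
    return host, port


def parse_dn(text):
    """Split a DN into (attribute, value) pairs, honouring backslash-escaped commas."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):  # keep the escape with the escaped char
            buf.append(text[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        part = part.strip()
        if not _RDN.match(part):
            raise ValueError("malformed RDN: %r" % part)
        attr, _, value = part.partition("=")
        rdns.append((attr.lower(), value))
    return rdns


if __name__ == "__main__":
    print(parse_ldap_server("10.0.1.2:636"))          # the guide's Server example
    print(parse_dn("cn=admin,o=My Org,c=UA"))          # the guide's Identity example
    print([str(a) for a in parse_ip_list("10.0.16.100,10.0.1.1")])
    print(is_fqdn("nac800.example.com"), is_fqdn("nac800"))
```

parse_dn only checks shape; whether the DN exists and whether the password binds is still decided by the directory, so the console's test settings button remains the final check.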
11. Click ok.

Adding 802.1X Devices

To add an 802.1X device:

NAC 800 home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device

Figure 3-26. Add 802.1X Device Window

Enter the IP address of the 802.1X device in the IP address text field.
• HP ProCurve switch – See “HP ProCurve Switch” on page 3-73.
• HP ProCurve WESM – See “HP ProCurve WESM” on page 3-76.
• HP ProCurve 420/530 AP – See “HP ProCurve 420 AP or HP ProCurve 530 AP” on page 3-79.
Click test connection to device.

Cisco IOS

To add a Cisco IOS device:

NAC 800 home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device

Figure 3-28. Add Cisco IOS Device Window

Enter the IP address of the Cisco IOS device in the IP address text field.
• Exit script – The expect script used to exit the console.

13. Click ok.

TIP: Click revert to defaults to restore the default settings.

Cisco CatOS

To add a Cisco CatOS device:

NAC 800 home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 3-29. Add Cisco CatOS Device Window

Enter the IP address of the Cisco CatOS device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
• Exit script – The expect script used to exit the console.

16. Click ok.

TIP: Click revert to defaults to restore the default settings.

Enterasys

To add an Enterasys device:

NAC 800 home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 3-30. Add Enterasys Device Window

Enter the IP address of the Enterasys device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
• Exit script – The expect script used to exit the console.

12. Click ok.

TIP: Click revert to defaults to restore the default settings.

Extreme ExtremeWare

To add an ExtremeWare device:

NAC 800 home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 3-31. Add ExtremeWare Device Window

Enter the IP address of the ExtremeWare device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
• Exit script – The expect script used to exit the console.

12. Click ok.

TIP: Click revert to defaults to restore the default settings.

Extreme XOS

To add an Extreme XOS device:

NAC 800 home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 3-32. Add Extreme XOS Device Window

Enter the IP address of the Extreme XOS device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
• Exit script – The expect script used to exit the console.

11. Click ok.

TIP: Click revert to defaults to restore the default settings.

Foundry

To add a Foundry device:

NAC 800 home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 3-33. Add Foundry Device Window

Enter the IP address of the Foundry device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
• Exit script – The expect script used to exit the console.

14. Click ok.

TIP: Click revert to defaults to restore the default settings.

HP ProCurve Switch

To add an HP ProCurve switch:

NAC 800 home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 3-34. Add HP ProCurve Device Window

Enter the IP address of the HP ProCurve device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
To help confirm accuracy, type the same password you entered into the Password field in the Re-enter Password field.

d. Enter the Enable mode user name that is used to enter enable mode on this device. Enter the Password used to enter enable mode on this device. To help confirm accuracy, type the same password you entered into the Enable password field in the Re-enter Password field.
OID value text field.

TIP: Click revert to defaults to restore the default settings.

HP ProCurve WESM

To add an HP ProCurve WESM device:

NAC 800 home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 3-35. Add HP ProCurve WESM Device Window

Enter the IP address of the HP ProCurve WESM device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
Enter the OID used to re-authenticate an endpoint in the Re-authenticate OID text field. The strings "${Port}" and "${MAC_DOTTED_DECIMAL}" will be substituted for the port and MAC address of the endpoint to be re-authenticated. Select the type of the re-authentication OID from the OID type drop-down list:
•...
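The substitution described above is easy to get wrong when writing the template by hand: the MAC address has to appear as six decimal sub-identifiers, not as hex, and a template that still contains an unexpanded placeholder yields an OID the device will reject. The following added example, which is not code from the guide or from the WESM, shows the expansion: it converts a MAC address to dotted decimal, fills the "${Port}" and "${MAC_DOTTED_DECIMAL}" placeholders the guide names, and checks that the result is a well-formed dotted-decimal OID. The template constant is a constructed placeholder under a made-up enterprise number, not a real MIB object, and the function names are this example's own.

```python
"""Expand a re-authentication OID template as described for the WESM device entry.

Added example, not code from the ProCurve NAC 800 guide or product. The template
below is constructed (the 99999 enterprise arc is a placeholder, not a real MIB);
only the two placeholder names come from the guide.
"""
import re
from string import Template

# Constructed placeholder template: <object arc>.<port>.<MAC as six decimal octets>
EXAMPLE_TEMPLATE = "1.3.6.1.4.1.99999.1.${Port}.${MAC_DOTTED_DECIMAL}"


def mac_to_dotted_decimal(mac):
    """Turn '00:11:22:aa:bb:cc', '00-11-22-AA-BB-CC' or '0011.22aa.bbcc' into '0.17.34.170.187.204'.

    Each octet becomes one decimal sub-identifier, the form an OID index needs.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)  # drop ':', '-', '.' separators
    if len(digits) != 12:
        raise ValueError("MAC address must contain exactly 12 hex digits: %r" % mac)
    return ".".join(str(int(digits[i:i + 2], 16)) for i in range(0, 12, 2))


def expand_reauth_oid(template, port, mac):
    """Substitute ${Port} and ${MAC_DOTTED_DECIMAL} and validate the resulting OID.

    Template.substitute raises KeyError if the template names any other placeholder,
    so a typo such as ${PORT} is caught instead of being sent to the device.
    """
    if not isinstance(port, int) or port < 0:
        raise ValueError("port must be a non-negative integer, got %r" % (port,))
    values = {"Port": str(port), "MAC_DOTTED_DECIMAL": mac_to_dotted_decimal(mac)}
    oid = Template(template).substitute(values)
    if not re.fullmatch(r"\d+(\.\d+)*", oid):
        raise ValueError("expanded value is not a dotted-decimal OID: %r" % oid)
    return oid


if __name__ == "__main__":
    # Constructed endpoint: port 7, MAC 00:11:22:aa:bb:cc
    print(expand_reauth_oid(EXAMPLE_TEMPLATE, 7, "00:11:22:aa:bb:cc"))
```

The same expansion applies to the OID value field of the 420/530 AP entry, where the guide again refers to a re-authentication OID; only the per-device template differs.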
Quarantine method radio button>>Add an 802.1X device

Figure 3-36. Add HP ProCurve 420/530 AP Device Window

Enter the IP address of the HP ProCurve AP or HP ProCurve 530 AP device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
Enter an alias for this device that appears in log files in the Short name text field. Select ProCurve 420 AP or ProCurve 530 AP from the Device type drop-down list. Enter the Community string used to authorize writes to SNMP objects.
Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field.

TIP: Click revert to defaults to restore the default settings.

Nortel

To add a Nortel device:

NAC 800 home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 3-37. Add Nortel Device Window

Enter the IP address of the Nortel device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
• Exit script – The expect script used to exit the console.

16. Click ok.

TIP: Click revert to defaults to restore the default settings.

Other

To add a non-listed 802.1X device:

NAC 800 home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 3-38. Add Other Device Window

Enter the IP address of the new device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
Setting DHCP Enforcement

NOTE: See “Configuring Windows Update Service for XP SP2” on page 10-5 for information on using Windows Update Service for devices in quarantine.

To set DHCP enforcement:

NAC 800 Home window>>System configuration>>Quarantining>>DHCP quarantine method radio button
Figure 3-39. DHCP Enforcement Window

Select one of the following radio buttons:
• Enforce DHCP requests from all IP addresses – Allows DHCP requests from all IP addresses.
• Restrict enforcement of DHCP requests to these relay agent IP addresses –...
IP information. Click ok.

Adding a DHCP Quarantine Area

To add a quarantine area:

NAC 800 Home window>>System configuration>>Quarantining>>DHCP quarantine method radio button>>add a quarantine area

Figure 3-40. Add a Quarantine Area Window
DHCP settings with no gateway and a netmask of 255.255.255.255. With a /32 mask and no gateway, the quarantined endpoint has no usable route of its own; it can reach only what NAC 800 explicitly provides. Static routes and a Web proxy server built into NAC 800 allow the endpoint access to specific networks, IP addresses, and Web sites. These networks, IP addresses, and Web sites are configured in the accessible endpoint list setting (System Configuration>>Accessible Services).
1 for each additional quarantine area. Click ok.

Sorting the DHCP Quarantine Area

To sort the quarantine area:

NAC 800 Home window>>System configuration>>Quarantining>>DHCP radio button

Click one of the following column headings to sort the quarantine area by category:

• subnet
Quarantine Area” on page 3-87 for information on Quarantine area options. Click ok.

Deleting a DHCP Quarantine Area

To delete a DHCP quarantine area:

NAC 800 Home window>>System configuration>>Quarantining

Click delete next to the quarantine area you want to remove. The Delete quarantine area confirmation window appears. Click yes.
For example, a file backed up on March 4, 2007 at 12:11:22 has the following name:

backup-2007-03-04T12-11-22.tar.bz2

The following files are backed up:

■ Database
■ /usr/local/nac/properties directory
■ /usr/local/nac/keystore directory
■ /usr/local/nac/subscription directory

Initiating a New Backup

To initiate a new backup:

NAC 800 Home window>>System configuration>>Maintenance
System Configuration – Maintenance

Figure 3-42. System Configuration Window, Maintenance

Click begin backup now in the Backup area. The Operation in progress confirmation window appears. A pop-up window appears asking you if you want to save or open the file. Select Save to disk and click OK. Depending on your browser settings, you might be prompted to select a location for the file.
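A downloaded backup is only useful if it is the one you think it is and actually contains the directories listed above. The following script is an added example, not code shipped with NAC 800: it parses the documented backup-YYYY-MM-DDTHH-MM-SS.tar.bz2 naming pattern, picks the newest well-formed archive out of a directory listing, and checks that the archive holds members under each documented directory. The archive layout (paths stored without the leading slash, as tar normally does) and the sample archives it builds in memory are assumptions made for the example; the database member's name inside the archive is not documented, so it is not checked.

```python
import io
import re
import tarfile
from datetime import datetime

# Documented name format: backup-YYYY-MM-DDTHH-MM-SS.tar.bz2
BACKUP_NAME = re.compile(r"^backup-(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2})\.tar\.bz2$")

# Directories the guide lists as part of every backup, with the leading
# slash dropped the way tar usually stores absolute paths (an assumption).
EXPECTED_DIRS = (
    "usr/local/nac/properties",
    "usr/local/nac/keystore",
    "usr/local/nac/subscription",
)


def parse_backup_name(name):
    """Return the datetime encoded in a backup file name, or None if the name
    does not follow the documented pattern (so stray files are ignored)."""
    m = BACKUP_NAME.match(name)
    if m is None:
        return None
    try:
        return datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%S")
    except ValueError:  # pattern-shaped but not a real timestamp (month 13 etc.)
        return None


def newest_backup(names):
    """Return the name of the most recent well-formed backup, or None."""
    dated = []
    for name in names:
        stamp = parse_backup_name(name)
        if stamp is not None:
            dated.append((stamp, name))
    return max(dated)[1] if dated else None


def missing_members(archive_bytes):
    """Open a .tar.bz2 held in memory and return the expected directories
    for which the archive contains no member at all."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:bz2") as tar:
        names = [m.name.lstrip("./").lstrip("/") for m in tar.getmembers()]
    missing = []
    for wanted in EXPECTED_DIRS:
        if not any(n == wanted or n.startswith(wanted + "/") for n in names):
            missing.append(wanted)
    return missing


def build_sample_archive(dirs):
    """Construct a small .tar.bz2 in memory with one placeholder file under
    each directory. Sample data for this example only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for d in dirs:
            payload = b"sample\n"
            info = tarfile.TarInfo(name=d + "/placeholder")
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def check_backup_set(archives):
    """archives maps file name -> archive bytes. Returns (newest backup name,
    expected directories missing from it)."""
    newest = newest_backup(archives)
    if newest is None:
        return None, list(EXPECTED_DIRS)
    return newest, missing_members(archives[newest])


if __name__ == "__main__":
    # Constructed set: the newest archive is deliberately incomplete.
    sample = {
        "backup-2007-03-04T12-11-22.tar.bz2": build_sample_archive(EXPECTED_DIRS),
        "backup-2007-03-05T01-00-00.tar.bz2": build_sample_archive(EXPECTED_DIRS[:2]),
        "notes.txt": b"",
    }
    print(check_backup_set(sample))
```

Run it against a directory of downloaded backups by reading each file's bytes into the dictionary; a non-empty second element of the result means the archive should not be trusted for a restore.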
Restoring From a Backup

See “Restoring from Backup” on page 13-10 for information about restoring from a backup file.
Downloading Support Packages Support packages are useful when debugging your system with ProCurve Networking by HP. If a support package is necessary, ProCurve Networking by HP will instruct you to generate one and will provide instructions on how to upload the generated package (a TAR file).
The Testing methods menu option allows you to configure the following:

■ Select testing methods
■ Define the order in which the test method screens appear to the end-user
■ Select end-user options

Selecting Test Methods

To select test methods:

NAC 800 Home window>>System configuration>>Testing methods
The NAC 800 backend attempts to test an endpoint transparently in the following order:

1. NAC 800 tries to test with the agent-based test method.
2. If no agent is available, NAC 800 tries to test with the ActiveX test method.
3. If ActiveX is not available and credentials for the endpoint or domain exist, NAC 800 tries to test with the agentless test method.

If the endpoint cannot be tested transparently, NAC 800 uses the end-user access screens to set up a test method and sequence for interacting with the end-user.
System Configuration – Cluster Setting Defaults

Selecting End-user Options

To select end-user options:

NAC 800 Home window>>System configuration>>Testing methods

Select one or more of the following options:

• Allow end-users to have their administrator login information saved for future access (Agentless testing method only) – This option allows the end-users to elect to save their login credentials so they do not have to enter them each time they connect.
■ Web sites – www.mycompany.com
■ Host names – bagle.com
■ IP addresses – 10.0.16.100
■ Ports – 10.0.16.100:53
■ Networks – 10.0.16.1/24
■ Range of IP addresses – 10.0.16.1-10.0.16.5

You do not need to enter the IP address of the NAC 800 server here. If you
In DHCP mode, when your DHCP server and Domain Controller are behind NAC 800, you must specify ports 88, 135 to 159, 389, 1025, 1026, and 3268 as part of the address. If you do not add the DHCP server address, users are blocked.
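Because a quarantined endpoint can reach only what this list allows, it pays to be able to answer "would this endpoint reach that server on that port?" before an end-user reports a broken login. The following matcher is an added example, not NAC 800's own code: it parses each of the entry formats listed above (Web site or host name, single IP, IP:port, network, IP range) into a rule and evaluates a destination and port against the set. The sample list is constructed for the example; the domain controller at 10.0.20.10 and the DNS server at 10.0.20.53 are assumptions, and the domain controller ports are the ones the guide lists for DHCP mode.

```python
import ipaddress
import re

_RANGE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")

# Ports the guide says to open to a domain controller behind NAC 800 in DHCP mode.
DOMAIN_CONTROLLER_PORTS = [88, *range(135, 160), 389, 1025, 1026, 3268]


def parse_entry(entry):
    """Parse one Accessible services entry into (kind, value, port). kind is
    'address', 'network', 'range' or 'name'; port is None when the entry
    allows every port. The documented formats are IPv4, so a trailing ':port'
    can be split off safely."""
    entry = entry.strip()
    m = _RANGE.match(entry)
    if m:
        lo, hi = (int(ipaddress.IPv4Address(x)) for x in m.groups())
        if lo > hi:
            raise ValueError("range start is above its end: " + entry)
        return ("range", (lo, hi), None)
    if "/" in entry:
        # 10.0.16.1/24 has host bits set; strict=False accepts the documented
        # form and yields the network 10.0.16.0/24.
        return ("network", ipaddress.IPv4Network(entry, strict=False), None)
    port = None
    if ":" in entry:
        entry, port_text = entry.rsplit(":", 1)
        port = int(port_text)
        if not 0 < port < 65536:
            raise ValueError("bad port in entry: " + port_text)
    try:
        return ("address", ipaddress.IPv4Address(entry), port)
    except ipaddress.AddressValueError:
        return ("name", entry.lower(), port)


def compile_entries(entries):
    """Parse a whole list, skipping blank lines."""
    return [parse_entry(e) for e in entries if e.strip()]


def allowed(rules, destination, port):
    """True if a quarantined endpoint may reach destination:port. destination
    is an IPv4 address or a host name. A rule with a port matches only that
    port; a rule without one matches every port."""
    try:
        ip = ipaddress.IPv4Address(destination)
    except ipaddress.AddressValueError:
        ip = None
    for kind, value, rule_port in rules:
        if rule_port is not None and rule_port != port:
            continue
        if kind == "address" and ip is not None and ip == value:
            return True
        if kind == "network" and ip is not None and ip in value:
            return True
        if kind == "range" and ip is not None and value[0] <= int(ip) <= value[1]:
            return True
        if kind == "name" and ip is None and destination.lower() == value:
            return True
    return False


def domain_controller_entries(dc_ip):
    """One IP:port entry per documented domain controller port."""
    return [f"{dc_ip}:{p}" for p in DOMAIN_CONTROLLER_PORTS]


# Constructed sample list: one entry per documented format plus the domain
# controller entries. 10.0.20.53 (DNS) and 10.0.20.10 (DC) are assumptions.
SAMPLE_ENTRIES = [
    "www.mycompany.com",       # Web site
    "bagle.com",               # host name
    "10.0.16.100",             # IP address, any port
    "10.0.20.53:53",           # IP address restricted to one port
    "10.0.16.1/24",            # network
    "10.0.17.1-10.0.17.5",     # range of IP addresses
] + domain_controller_entries("10.0.20.10")

SAMPLE_RULES = compile_entries(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for dest, port in [("10.0.20.10", 389), ("10.0.20.10", 445), ("10.0.20.53", 80)]:
        print(dest, port, "allowed" if allowed(SAMPLE_RULES, dest, port) else "blocked")
```

Note that the matcher works on names exactly as typed; it does not resolve a host name to an address, so a destination reached by IP is judged only by the IP, network and range entries.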
Always Granting Access to Endpoints and Domains

To always grant access to endpoints and domains:

NAC 800 Home window>>System configuration>>Exceptions

Figure 3-46. System Configuration, Exceptions

To exempt endpoints from testing, in the Always grant access and never test area, enter the endpoint(s) by MAC or IP address, or NetBIOS name.
TIP: In DHCP mode, the NAC 800 firewall quarantines based on MAC address, so every entry (IP address or NetBIOS name included) must be translated to the corresponding endpoint's MAC address. This translation occurs each time activity from the endpoint is detected.
Figure 3-47. System Configuration, Notifications

To send email notifications, you must provide NAC 800 with the IP address of a Simple Mail Transfer Protocol (SMTP) email server. This SMTP email server must allow SMTP messages from the NAC 800 machine. Use the following steps to configure the SMTP email server function:

Select the radio button next to Send email notifications.
Optionally define a pop-up window as an end-user notification when an endpoint fails one or more tests. The end-user screens are shown in “End-user Access” on page 5-1.

Specifying an End-user Screen Logo

To specify an end-user screen logo:

NAC 800 Home window>>System configuration>>End-user screens
Enter the customization information: Organization logo image – Enter a path to your organization’s logo, or click Browse to select a file on your network. ProCurve recommends you place your logo here to help end-users feel secure about having their computers tested.
This URL points to port 89 on the NAC 800 ES (the default end-user screen that shows the test failed results), and is where the user is directed to when they click the Get details button on the new pop-up window.
Click ok.

Agentless Credentials

When NAC 800 accesses and tests endpoints, it needs to know the administrator credentials for that endpoint. If your network uses a Windows domain controller and the connecting endpoint is a member of a configured domain, NAC 800 uses the information supplied to access and test the endpoint.
Figure 3-49. System Configuration Window, Agentless Credentials

Click Add administrator credentials. The Add Windows administrator credentials window appears:

Figure 3-50. Agentless Credentials, Add Windows Administrator Credentials Window

In the Add Windows administrator credentials window, enter the following:
NOTE: NAC 800 saves authentication information encrypted on the NAC 800 server. When a user connects with the same browser, NAC 800 looks up this information and uses it for testing.

TIP: When using the Windows administrator account connection method, NAC 800 performs some user-based tests with the administrator account's user registry settings, rather than those of the actual user logged into the endpoint.
Windows administrator credentials. Click ok.

Deleting Windows Credentials

To delete Windows credentials:

NAC 800 Home window>>System configuration>>Agentless credentials

Click delete next to the name of the Windows administrator credentials you want to remove. The Delete Windows administrative credentials confirmation window appears.
You can configure the amount of diagnostic information written to log files, ranging from error (error-level messages only) to trace (everything).

To set ES logging levels:

NAC 800 home window>>System configuration>>Logging

Figure 3-51. System Configuration Window, Logging Option

To configure the amount of diagnostic information written to log files, select a logging level from the Enforcement servers drop-down list:
802.1X re-authentication, ranging from error (error-level messages only) to trace (everything).

To set 802.1X logging levels:

NAC 800 home window>>System configuration>>Logging

To configure the amount of diagnostic information written to log files related to 802.1X re-authentication, select a logging level from the 802.1X devices drop-down list:
• info – log info-level messages only
• debug – log debug-level messages only
• trace – log everything

CAUTION: Setting the log level to trace may adversely affect performance.

Click ok.
Enter a number of seconds in the Agent read timeout period text field. The agent read timeout is the time in seconds that NAC 800 waits on an agent read. Use a larger number for systems with network latency issues.
NAC 800 home window>>System configuration>>Advanced

Enter a number of seconds in the RPC command timeout period text field. The RPC command timeout is the time in seconds that NAC 800 waits on an rpcclient command to finish. Use a larger number for systems with network latency issues.
Endpoint Activity

Overview

Use the Endpoint activity window to monitor end-user connection activity.

NAC 800 Home window>>Endpoint activity

The Endpoint activity window has the following sections:

■ Endpoint selection area – The left column of the window provides links that allow you to quickly filter the results area by Access control status or Endpoint test status.
Figure 4-1. Endpoint Activity, All Endpoints Area (callouts: 1. Endpoint selection area; 2. Search criteria area; 3. Search results area)
■ NetBIOS name
■ IP address
■ MAC address
■ User ID
■ Windows domain
■ NAC policy
■ Operating system
■ Number of endpoints to display

Filtering by Access Control or Test Status

NAC 800 Home window>>Endpoint activity window...
Select a method for filtering the results window, by a specific access control status or endpoint test status, as shown in the following figure:

Figure 4-2. Endpoint Activity, Menu Options

Filtering by Time

To filter the information displayed:

NAC 800 Home window>>Endpoint Activity...
Select one of the options from the drop-down list; the results area updates to match the time frame selected.

Limiting Number of Endpoints Displayed

To limit the number of endpoints displayed:

NAC 800 Home window>>Endpoint Activity

Figure 4-4. Display Endpoints Drop-down...
Figure 4-5. Endpoint Activity Page Navigation Links

Searching

To search the Endpoint activity window:

NAC 800 Home window>>Endpoint activity>>Search criteria area

Figure 4-6. Search Criteria Window

Select a Cluster or NAC policy from the drop-down lists and enter any text string you want to search for in one of the text boxes (you can leave these blank).
Filtering the Endpoint Activity Window

TIP: The search box is not case-sensitive. Searching matches entire words. You must enter wildcard characters (*) to match substrings. For example, 192.168.*.
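The whole-word rule above is the one that trips people up: a search for 168 finds nothing, while 192.168.* finds every endpoint on that /16. The following matcher is an added example, not NAC 800's search code, and reproduces exactly those documented semantics (case-insensitive, a pattern must match an entire word of the field, * is the only wildcard) over a few constructed endpoint records so you can predict what a search will return.

```python
import re

# Constructed endpoint records standing in for rows of the Endpoint activity window.
SAMPLE_ENDPOINTS = [
    {"netbios": "SALES-PC01", "ip": "192.168.4.20", "user": "jdoe", "os": "Windows XP Professional"},
    {"netbios": "LAB-MAC", "ip": "10.0.16.101", "user": "mlee", "os": "Mac OS X"},
    {"netbios": "DC01", "ip": "192.168.1.5", "user": "", "os": "Windows Server 2003"},
]


def pattern_to_regex(pattern):
    """Compile a search string: '*' becomes '.*', every other character is
    literal, and the result is anchored so it must cover a whole word."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def matches(pattern, value):
    """True if the pattern matches any whole whitespace-separated word of the
    field value. An IP address is a single word, so '192.168.*' matches
    192.168.4.20 while '168' alone does not."""
    rx = pattern_to_regex(pattern)
    return any(rx.match(word) for word in value.split())


def search(endpoints, **criteria):
    """Return the endpoints for which every non-empty criterion matches its
    field, mirroring the search form where blank boxes are ignored."""
    active = {field: pat for field, pat in criteria.items() if pat}
    return [e for e in endpoints
            if all(matches(pat, e.get(field, "")) for field, pat in active.items())]


if __name__ == "__main__":
    for e in search(SAMPLE_ENDPOINTS, ip="192.168.*", os="*server*"):
        print(e["netbios"], e["ip"])
```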
Access Control States

NAC 800 provides on-going feedback on the access status of endpoints as follows:

TIP: To view access status, see “Viewing Endpoint Access Status” on page 4-14.

■ Quarantined – The endpoint has been assigned a quarantined IP address.
Test Status States

NAC 800 provides on-going feedback on the test status of endpoints as follows:

TIP: To view test status, see “Viewing Endpoint Access Status” on page 4-14.

■ Unknown error – This is most likely a problem that cannot be resolved without contacting ProCurve.
These endpoints are never tested and always quarantined.

■ Awaiting test initiation – NAC 800 shows this status when one of the following conditions occurs:
  • NAC 800 doesn't have credentials and there is no agent
  • ...
This can be due to a routing issue which is not allowing the endpoint to reach the necessary servers on the network. Also, if NAC 800 is inline with the domain controller, you might need to open up the appropriate ports (135 through 138, 445, 389, 1029) in the NAC 800 accessible endpoints configuration for your domain controller IP address.
■ Connection failed - no route to host – The endpoint is unreachable on the network by NAC 800. This can be due to either a network routing issue or because the endpoint has powered off or is in the process of rebooting.
Viewing Endpoint Access Status

To view access status for an endpoint:

NAC 800 Home window>>Endpoint activity window

Locate the endpoint you are interested in. The first column is the selection column, the second column is the Endpoint test status column, and the third column is the Access control status column.
Selecting Endpoints to Act on

To select endpoints to act on:

NAC 800 Home window>>Endpoint activity

Click a box or boxes in the first column to select the endpoints of interest.

TIP: Click the box at the top of the column to select all of the endpoints.
Clear the temporary quarantine or access state (“Clearing Temporary Endpoint States” on page 4-17)

Manually Retest an Endpoint

To manually retest an endpoint:

NAC 800 Home window>>Endpoint activity

Select a box or boxes to select the endpoints of interest. Click retest.

Immediately Grant Access to an Endpoint

To immediately grant access to an endpoint:

NAC 800 Home window>>Endpoint activity...
Acting on Selected Endpoints

Immediately Quarantine an Endpoint

To immediately quarantine an endpoint:

NAC 800 Home window>>Endpoint activity

Select a box or boxes to select the endpoints of interest. Click change access. Select the Temporarily Quarantine for radio button.
Viewing Endpoint Information

To view information about an endpoint:

NAC 800 Home window>>Endpoint activity

Click on an endpoint name to view the Endpoint window:

Figure 4-8. Endpoint, General Option
Click Test results to view the details of the test:

Figure 4-9. Endpoint Activity, Endpoint Test Results Option

TIP: Click on any underlined link (for example, change access) to make changes such as changing access or test credentials.
End-user Access

Overview

End-users can connect to your network from a number of different types of computers (see “Endpoints Supported” on page 5-3), be tested for compliance based on your definitions in the standard (high, medium, or low security) or custom NAC policies (see “NAC Policies”...
Endpoints Supported

This NAC 800 release supports the following:

■ Windows 98
■ Windows 2000
■ Windows Server (2000, 2003)
■ Windows XP Professional
■ Windows XP Home
■ Windows NT
■ Mac OS (version 10.3.7 or later)
Browser Version

The browser that should be used is based on the test method as follows:

■ ActiveX test method – Microsoft Internet Explorer (IE) version 5.0 or 6.0.
■ Agentless and agent-based test methods – IE, Firefox, or Mozilla.
■ The end-user could change the Internet security to Medium (Tools>>Internet options>>Security>>Custom level>>Reset to Medium).
■ The end-user could add the IP address of the NAC 800 server to the Trusted sites zone, and then set the Trusted sites zone to Medium.
Agentless Settings

The agentless test method requires file and printer sharing to be enabled.

To enable file and printer sharing on Windows XP Professional:

Endpoint>>Start>>Settings>>Control Panel

Double-click Network connections. Right-click Local area connection. Select Properties. The Local area connection properties window appears:

Figure 5-1.
■ To add a network component – http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/howto_config_fileandprintsharing.mspx
Ports Used for Testing

You might need to configure some firewalls and routers to allow NAC 800 to access the following ports for testing:

■ Agentless test method – 137, 138, 139, and 445
■ ...
NAC 800 server using the centralized policy. If the Domain Group Policy is not used for Windows endpoints, the appropriate ports are opened during the agent installation process by the NAC 800 installer.

Unmanaged Endpoints

For unmanaged endpoints, the NAC Agent and the ActiveX control test methods automatically open the necessary ports for testing.
Firewall Settings

Click Add. In the Service Settings window, enter the following information:

Description: NAC 800 Server 137
IP: <IP of the NAC 800 Server>
External port number: 137
Select UDP.

Click OK.

Click Add. In the Service Settings window, enter the following information:

Description: NAC 800 Server 138
IP: <IP of the NAC 800 Server>...
Click OK.

Select UDP 137.
10. Click Change Scope.
11. Select Custom List.
12. Enter the NAC 800 Server IP address and the 255.255.255.0 mask.
13. Click OK.
14. Select TCP 445.
15. Click Change Scope.
16. Verify that the My network (subnet) only radio button is selected.
My Network or Custom List (and then specify the endpoints).

Allowing NAC 800 through the OS X Firewall

To verify that NAC 800 can test the end-user through the end-user's firewall:

Apple Menu>>System Preferences

Figure 5-2. Mac System Preferences Window...
Select the Sharing icon. The Sharing window opens.

Figure 5-3. Mac Sharing Window

Select the Firewall tab. The firewall settings must be one of the following:

•
• On with the following:
  – OS X NAC Agent check box selected
  –
To change the port:

Apple Menu>>System Preferences>>Sharing icon>>Firewall tab

Select OS X NAC Agent. Click Edit. The port configuration window appears:

Figure 5-4. Mac Ports Window

Enter 1500 in the Port Number, Range or Series text field. Click OK.
Your updated templates are preserved.

CAUTION: Do not rename the files or they will not be seen by NAC 800.

End-users begin the login process by opening their browser. If their home page is defined on the Accessible services window, they are allowed to access that page.
End-user Access Windows

Opening Window

When the end-user directs their browser to go to a location that is not listed in the Accessible services and endpoints list, the testing option window appears:

Figure 5-5. End-user Opening Window

The end-users select Get connected. One of the following windows appears, depending on which test method and order is specified in the System configuration>>Testing methods window:
Windows NAC Agent Test Windows

Automatically Installing the Windows Agent

When the test method used is NAC Agent test, the first time the user attempts to connect, the agent installation process should begin automatically, and the installing window appears:

Figure 5-6.
If Active Content is disabled in the browser, the following error window appears:

Figure 5-7. End-user Agent Installation Failed

TIP: To enable active content, see “Active Content” on page B-3.

If this is the first time the end-user has selected NAC Agent test, a security acceptance window appears.
Once the user has accepted the digital signature, the agent installation begins. The user must click Next to start the agent installation:

Figure 5-8. End-user Agent Installation Window (Start)

The user must click Finish to complete the agent installation and begin testing:

Figure 5-9.
Removing the Agent

To remove the agent:

Start button>>Settings>>Control panel>>Add/remove programs

Figure 5-10. Add/Remove Programs

Find the ProCurve NAC EI Agent in the list of installed programs. Click Remove.

TIP: The ProCurve NAC EI Agent also appears in the services list: Start button>>Settings>>Control panel>>Administrative tools>>Services...
Point the browser to the following URL:

https://<enforcement_server_ip>:89/setup.exe

The security certificate window appears:

Figure 5-11. Security Certificate Window

Click Yes to accept the security certificate. You are prompted to select Save to disk or Run the file:

Figure 5-12.
Mac OS Agent Test Windows

When the test method selected is agent-based, the first time the end-user logs in to their Macintosh computer and opens a browser window, NAC 800 attempts to test the endpoint. If the agent is required, they receive the Installation Failed window shown in figure 5-7.
Click Continue. The installer appears:

Figure 5-14. Mac OS Installer Window 1 of 5

Click Continue. The Select a Destination window appears:

Figure 5-15. Mac OS Installer Window 2 of 5
Click Continue. The Easy Install window appears:

Figure 5-16. Mac OS Installer Window 3 of 5

Click Install. The Authenticate window appears:

Figure 5-17. Mac OS Installer Window 4 of 5
Enter your password. Click OK. The agent is installed and the confirmation window appears:

Figure 5-18. Mac OS Installer Window 5 of 5

Click Close.

Verifying the Mac OS Agent

To verify that the Mac OS agent is running properly:

Double-click Desktop icon>>Applications folder>>Utilities folder
Double-click Activity Monitor. The Activity Monitor window appears:

Figure 5-20. Activity Monitor Window

Verify that the osxnactunnel process is running. If the osxnactunnel process is not running, start it by performing the following steps:
a. Select Applications window>>Utilities>>Mac OS X Terminal. A terminal window opens:

Figure 5-21. Mac Terminal Window

b. Enter the following at the command line:

OSXNACAgent -v

The build and version number are returned. If an error message is returned indicating that the agent could not be found, the agent was not installed properly.
Removing the Mac OS Agent

To remove the Mac OS agent:

Double-click Desktop icon>>Applications folder>>Utilities folder

Select Mac OS X Terminal. A terminal window opens (figure 5-21). Enter the following at the command line:

remove_osxnacagent

Remove the firewall entry: Select Apple Menu>>System Preferences>>Sharing>>Firewall tab.
TIP: To enable active content, see “Active Content” on page B-3.

Agentless Test Windows

If the end-users select Agentless test, NAC 800 needs login credentials in order to test the endpoint. Credentials can be obtained from the following:

■ Automatically connect the user through domain authentication (“Agentless Credentials”...
Windows administrator account with a password in order to be tested by NAC 800.

NOTE: NAC 800 uses the Windows Messenger Service when using agentless testing. If you have disabled this service (http://www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx), agentless testing will not work.
If the end-users do not enter the correct information in the login window fields, a login failure window appears:

Figure 5-24. End-user Login Failed

TIP: You can customize the logo and contact paragraph that appear on this window.
Testing Window

The following figure shows the window that appears during the testing process:

Figure 5-25. End-user Testing Window

The possible outcomes from the test are as follows:

■ Test successful window (see “Test Successful Window” on page 5-34)
■ ...
Test Successful Window

When the end-users' endpoints meet the test criteria defined in the NAC policy, they are allowed access to the network, and a window indicating successful testing appears:

Figure 5-26. End-user Testing Successful Window

TIP: You can customize the logo and text that appears on this window as described in “End-user Screens”...
Temporary Quarantine Window

When the end-users meet the test criteria defined in the NAC policy, but the NAC 800 Quarantine all setting is enabled, the quarantine window appears:

Figure 5-27. Temporary Quarantine Window

TIP: You can customize the logo and contact paragraph that appear on this window.
Testing Cancelled Window

If the Allow end users to cancel testing option on the System configuration>>Testing methods window is selected, the end-user has the option of clicking Cancel testing. If the end-users click Cancel testing, a window appears indicating that testing is cancelled:

Figure 5-28.
Testing Failed Window

When the end-user's endpoints fail to meet the test criteria defined in the NAC policy, the end-users are not allowed access to the network (are quarantined) and the following testing failed window appears:

Figure 5-29.
For each NAC policy, you can specify a temporary access period should the end-users fail the tests.

To set the temporary access period:

NAC 800 Home window>>NAC policies>>NAC policy of interest>>Tests menu option>>Select a test failure action

Select from the following:

•...
■ Unsupported endpoint
■ Unknown error

The following figure shows an example of an error window:

Figure 5-31. End-user Error Window
Customizing Error Messages

The default error message strings (remediation messages) are defined in the following file:

/usr/local/nac/scripts/BaseClasses/Strings.py

You can create custom error message strings that appear in the test result reports, and on the test results access window that the end-user views, by editing or creating the following file:

/usr/local/nac/scripts/BaseClasses/CustomStrings.py

To customize the error messages:

"name2" : "message2",

NOTE: A “%s” in the description text is a special variable that is interpolated into extra information (passed from NAC 800) such as lists of missing patches, or missing software.

NOTE: While editing the description avoid the use of double quotes “”. Use single quotes instead.
Test name – Description

checkAutoUpdateStatus.String.3 – Automatic Updates have not been configured. For Windows 2000, install Service Pack 4, then enable Automatic Updates by selecting: Control Panel>>Automatic Updates. For Windows XP: select Control Panel>>System>>Automatic Updates tab.
checkAutoUpdateStatus.String.4 – Automatic Updates are set to: %s
checkAutoUpdateStatus.String.5 – Automatic Updates must be configured to %s.
checkIESecurityZoneSettings.String.6 – The required security level for your Internet Explorer %s security zone is %s or greater. To change the setting, select Tools>>Internet Options>>Security>>%s>> select the setting and click OK. If you are using a custom setting, higher security settings are required for:<ul>%s</ul>* indicates an Internet Explorer 6 or later setting
checkIESecurityZoneSettings.String.7 – ...
checkServicePacks.String.3 – There are no service packs installed. Run Windows Update to install the most recent service packs.
checkServicePacks.String.4 – There are no service packs installed. Run Windows Update to install the most recent service packs.
checkServicePacks.String.5 – All required service packs are installed
checkServicePacks.String.6 – ...
checkSoftwareRequired.String.2 – All required software is installed.
checkSoftwareRequired.String.3 – The required software was not found: %s.
checkSoftwareRequired.String.4 – %s (placeholder for link location for each software package)
checkUniqueId.String.1 – An unsupported operating system was encountered.
checkUniqueId.String.2 – Could not determine unique ID
checkWindowsSecurityPolicy.String.1 – ...
checkAntiSpyware.String.5 – The %s software was found but a scan has never been performed.
checkBadIP.String.1 – There were no unauthorized network connections found.
checkBadIP.String.2 – An unsupported operating system was encountered.
checkBadIP.String.3 – The IP addresses %s are on unauthorized networks.
checkBadIP.String.4 – The IP address %s is on an unauthorized network.

Table 5-1. Default Test Names and Descriptions (cont.)
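A CustomStrings.py entry that drops a %s, adds one, or contains a double quote will either lose the list of missing software it was meant to show or break the file's syntax, and the end-user sees the result before you do. The following is an added example, not the product's own Strings.py or CustomStrings.py: it models the default strings (copied from Table 5-1) and a set of overrides, validates the overrides against the defaults, and interpolates the extra information the way the "%s" note above describes. The dictionary names, the validate function and the sample overrides are constructed for the example; the guide shows only the "name" : "message", entry format, not the surrounding variable or how the product loads the file.

```python
# Defaults as they appear in Table 5-1 (a subset).
DEFAULT_STRINGS = {
    "checkSoftwareRequired.String.2": "All required software is installed.",
    "checkSoftwareRequired.String.3": "The required software was not found: %s.",
    "checkSoftwareRequired.String.4": "%s",
    "checkAutoUpdateStatus.String.4": "Automatic Updates are set to: %s",
    "checkAutoUpdateStatus.String.5": "Automatic Updates must be configured to %s.",
    "checkBadIP.String.4": "The IP address %s is on an unauthorized network.",
}

# Constructed overrides in the documented "name" : "message", shape. Single
# quotes only inside the text, as the guide advises; a double quote would end
# the Python string literal early.
CUSTOM_STRINGS = {
    "checkSoftwareRequired.String.3":
        "The following required software was not found: %s. "
        "Install it from the 'Software Center' before reconnecting.",
    "checkBadIP.String.4":
        "The address %s belongs to a network that is not allowed from this "
        "workstation. Disconnect any extra adapters or VPN clients and retest.",
}


def validate_custom(custom, defaults):
    """Return a list of problems with an override set: unknown test strings,
    a different number of %s placeholders than the default, or a literal
    double quote in the text."""
    problems = []
    for name, text in custom.items():
        if name not in defaults:
            problems.append(f"{name}: not a known test string")
            continue
        want = defaults[name].count("%s")
        have = text.count("%s")
        if want != have:
            problems.append(f"{name}: expected {want} '%s' placeholder(s), found {have}")
        if '"' in text:
            problems.append(f"{name}: contains a double quote")
    return problems


def render(name, extra=(), custom=CUSTOM_STRINGS, defaults=DEFAULT_STRINGS):
    """Pick the custom text when one exists, otherwise the default, and
    interpolate each extra value into its %s. A list (for example of missing
    packages) is joined with commas first."""
    text = custom.get(name, defaults[name])
    values = tuple(", ".join(v) if isinstance(v, (list, tuple)) else str(v) for v in extra)
    return text % values


if __name__ == "__main__":
    print(validate_custom(CUSTOM_STRINGS, DEFAULT_STRINGS))
    print(render("checkSoftwareRequired.String.3", [["Symantec AntiVirus", "Mozilla Firefox 1.5"]]))
    print(render("checkAutoUpdateStatus.String.5", ["Automatic"]))
```

Run validate_custom over a proposed CustomStrings.py before copying it to the server; an empty list means every override keeps the placeholder count of the string it replaces.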
"NAC policies" are collections of tests that evaluate remote endpoints attempt- ing to connect to your network. You can use the standard tests installed with NAC 800, or you can create your own custom tests. NOTE: The default NAC policy is indicated by the check mark on the icon to the left of the NAC policy name.
Figure 6-1. NAC Policies Window

The following figure shows the legend explaining the NAC policies icons:

Figure 6-2. NAC Policies Window Legend
Standard NAC Policies

NAC 800 ships with three standard NAC policies:

■ High security
■ Medium security
■ Low security

NAC policies are organized in groups, which include the clusters defined for your system, a Default group, and any other groups you create. Each standard policy has tests pre-selected.
NAC Policy Group Tasks

Add a NAC Policy Group

To add a NAC policy group:

NAC 800 Home window>>NAC policies

Click Add an NAC policy group. The Add NAC policy group window opens:

Figure 6-3. Add NAC Policy Group Window

Type a name for the group in the Name of NAC policy group text box.
Click OK to save or Cancel to return without saving.

Deleting a NAC Policy Group

To delete a NAC policy group:

NAC 800 home window>>NAC policies

NOTE: You cannot delete a NAC policy group if any clusters are using it; first, you need to assign a different NAC policy group to all of the clusters from the System configuration>>Enforcement clusters &...
Enabling or Disabling a NAC Policy

Select which NAC policies are enabled or disabled.

To enable or disable a NAC policy:

NAC 800 Home window>>NAC policies

Click on the enable or disable link. An X indicates disabled.

Selecting the Default NAC Policy

To select the default NAC policy:

NAC 800 Home window>>NAC policies...
In DHCP mode, if an endpoint with an unsupported OS already has a DHCP-assigned IP address, NAC 800 cannot affect this endpoint in any way until the lease on the existing IP address for that endpoint expires. If an endpoint with...
In the Retest frequency area, enter how frequently NAC 800 should retest a connected machine.

TIP: A lower number ensures higher security, but puts more load on the NAC 800 server.

In the Inactive endpoints area, enter how long an end-user can be inactive before they have to log in again.
NAC Policy Tasks

10. Click on a cluster name.
11. Enter the names of Windows domains to be tested by this cluster for this NAC policy, separated by a carriage return.
12. Enter a single endpoint or list of endpoints separated by a carriage return using the endpoint IP address, MAC address, NetBIOS name, or host name.
13. Click the Tests menu option to open the Tests window:

Figure 6-8. Add NAC Policy, Tests Area
18. Click ok.

TIP: Selecting the Send an email notification option sends an email to the address you identified in NAC 800 Home window>>System Configuration>>Notifications area. This option is defined per cluster.

Editing a NAC Policy

To edit an existing NAC policy:

NAC 800 home window>>NAC policies...
Select which endpoints are associated with each policy.

To assign endpoints and domains to a policy:

NAC 800 Home window>>NAC policies>>Select a NAC Policy>>Domains and endpoints menu option

Enter a single endpoint or list of endpoints separated by a carriage return using the endpoint IP address, MAC address, or NetBIOS name.
In the Retest frequency area, enter how frequently in minutes, hours, or days NAC 800 should retest a connected endpoint. TIP: A lower number ensures higher security, but puts more load on the NAC 800 server. Click ok. Setting Connection Time...
Tests are explained in detail in “Tests Help” on page A-1. To set the test properties for a specific test: NAC 800 Home window>>NAC policies>>Select a NAC Policy>>Tests menu option Click on the name of test to display the test’s options.
NAC 800 Home window>>NAC policies>>Select a NAC Policy>>Tests menu option Click on the name of test to display the test’s options. NOTE: Click a test name to display the options; select the test check box to enable the test for the policy you are modifying.
About NAC 800 Tests

NAC 800 tests are assigned to NAC policies. NAC policies are used to test endpoints attempting to connect to your network. NAC 800 tests might be updated as often as hourly; however, at the time of this release, the tests shown in “Tests Help”...
You can enter any combination of these keys in the NAC 800 text entry fields to detect a vendor, software package and version on an endpoint (for example, you can also enter Mozilla\Firefox or simply Mozilla) and NAC 800 searches for them in the HKEY_LOCAL_MACHINE\Software registry key sub-tree.
■ Utility Manager
■ Windows Installer

Entering the Browser Version Number

To specify the minimum browser version the end-user needs: For Mozilla Firefox: Clear the Check For Mozilla Firefox [1.5] check box. b. Type a version number in the text entry field.
Quarantined Networks
Chapter Contents
Endpoint Quarantine Precedence 7-2
Using Ports in Accessible Services and Endpoints .
In DHCP mode, if an endpoint with an unsupported OS already has a DHCP-assigned IP address, NAC 800 cannot affect this endpoint in any way until the lease on the existing IP address for that endpoint expires. If an endpoint with an unsupported OS has a static IP address, NAC 800 cannot affect this endpoint in any way.
Quarantined Networks Endpoint Quarantine Precedence TIP: Use the Clear temporary access control status radio button to remove the temporary access or temporary quarantine state enabled by the Temporarily quarantine for/Temporarily grant access for radio buttons. Endpoint testing exceptions overrides items following it in the list (4). ■...
Endpoints To use a port number when specifying accessible services and endpoints (cluster default): NAC 800 Home window>>System configuration>>Accessible services The following figure shows the Accessible services window: Figure 7-1. Accessible Services Window In order to grant access for quarantined endpoints to needed services, add entries to the Accessible services list.
For all other deployment modes, the Fully Qualified Domain Name (FQDN) of the target servers should be added to the list (for example mycompany.com). If the specified servers are not behind an ES, a network firewall must be used to control access to only the desired ports.
Windows Update service and retrieve the required service packs and/or hotfixes. The following setup is used for this example: An endpoint that is currently quarantined, or uses the NAC 800 ES as ■ its DNS server ■...
40773+ A? windowsupdate.microsoft.com. (45)
16:20:50.531469 IP SA00.domain > 172.21.20.20.2586: 40773 NXDomain* 0/1/0 (96)

Log into the NAC 800 MS console using an administrator account. Navigate to the Accessible services window (System configuration>>Accessible services). Add microsoft.com to the accessible services and endpoints list.
Determining Accessible Services Example

The final list of accessible services for this example is shown in the following figure. Figure 7-3. Final List of Accessible Services Example

The complete tcpdump results for this example are shown below:
tcpdump -i eth0 -s0 -w /tmp/dns.pcap port 53 and host 172.21.20.20
waldo:~ # tcpdump -i eth0 -s0 port 53 and host 172.21.20.20
tcpdump: WARNING: eth0: no IPv4 address assigned...
16:23:56.240873 IP 172.21.20.20.2586 > SA00.domain: 55115+ A? windowsupdate.microsoft.com. (45)
16:23:56.245644 IP SA00.domain > 172.21.20.20.2586: 55115 2/7/7 CNAME windowsupdate.microsoft.nsatc.net., A 207.46.225.221 (353)
16:23:56.981306 IP 172.21.20.20.2586 > SA00.domain: 34378+ A? update.microsoft.com. (38)
16:23:56.981667 IP SA00.domain > 172.21.20.20.2586: 34378 NXDomain* 0/1/0 (89)
16:25:03.645582 IP 172.21.20.20.2586 >...
16:27:09.136659 IP 172.21.20.20.2586 > SA00.domain: 5201+ A? download.windowsupdate.com. (44)
16:27:09.137238 IP SA00.domain > 172.21.20.20.2586: 5201* 1/1/1 A SA00 (100)
16:27:09.172260 IP 172.21.20.20.2586 > SA00.domain: 27984+ A? download.microsoft.com. (40)
16:27:09.172793 IP SA00.domain > 172.21.20.20.2586: 27984 2/1/1 CNAME main.dl.ms.akadns.net., A SA00 (131)
16:27:09.991527 IP 172.21.20.20.2586 >...
16:29:56.590312 IP 172.21.20.20.2586 > SA00.domain: 3934+ A? download.microsoft.com. (40)
16:29:56.715218 IP SA00.domain > 172.21.20.20.2586: 3934 4/1/1 CNAME main.dl.ms.akadns.net., CNAME dom.dl.ms.akadns.net., CNAME dl.ms.d4p.net., A SA00 (173)
16:29:57.402083 IP 172.21.20.20.2586 > SA00.domain: 25181+ A? c.microsoft.com. (33)
16:29:57.403740 IP SA00.domain >...
16:37:40.332613 IP SA00.domain > 172.21.20.20.1045: 28344 6/1/1 CNAME main.dl.wu.akadns.net., CNAME dom.dl.wu.akadns.net., CNAME dl.wu.ms.edgesuite.net., CNAME a258.g.akamai.net., A 89.149.169.57, A 89.149.169.66 (234)
16:37:40.332723 IP SA00.domain > 172.21.20.20.1045: 28344 6/1/1 CNAME main.dl.wu.akadns.net., CNAME dom.dl.wu.akadns.net., CNAME dl.wu.ms.edgesuite.net., CNAME a258.g.akamai.net., A 89.149.169.57, A 89.149.169.66 (234)
16:37:40.332837 IP SA00.domain >...
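The tcpdump walkthrough above is how the manual discovers which names a quarantined endpoint needs: names the ES refuses to resolve come back NXDomain, and names on the Accessible services list resolve (to the ES itself, shown as "A SA00", or to a real address). Reading that by eye is tedious for a long capture, so here is an added example, not part of the manual or of NAC 800, that parses tcpdump's one-line DNS output, pairs each query with its reply by client socket and transaction id, and lists the unresolved names for review as Accessible services candidates. It also collects CNAME targets, since the manual says the FQDN of the real target servers is what goes on the list in non-DHCP modes. The sample lines are copied from the capture on this page; the output format assumed is tcpdump's default DNS summary as printed there.

```python
import re

# Sample input: these lines are copied from the tcpdump capture shown on this
# page (quarantined endpoint 172.21.20.20 asking the ES "SA00" for Windows
# Update names). The trailing "(NN)" is the DNS payload length.
SAMPLE_CAPTURE = """\
16:23:56.240873 IP 172.21.20.20.2586 > SA00.domain: 55115+ A? windowsupdate.microsoft.com. (45)
16:23:56.245644 IP SA00.domain > 172.21.20.20.2586: 55115 2/7/7 CNAME windowsupdate.microsoft.nsatc.net., A 207.46.225.221 (353)
16:23:56.981306 IP 172.21.20.20.2586 > SA00.domain: 34378+ A? update.microsoft.com. (38)
16:23:56.981667 IP SA00.domain > 172.21.20.20.2586: 34378 NXDomain* 0/1/0 (89)
16:27:09.136659 IP 172.21.20.20.2586 > SA00.domain: 5201+ A? download.windowsupdate.com. (44)
16:27:09.137238 IP SA00.domain > 172.21.20.20.2586: 5201* 1/1/1 A SA00 (100)
"""

# "<ts> IP <client> > <server>: <id>+ A? <name>. (<len>)"
QUERY_RE = re.compile(
    r'^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): '
    r'(?P<id>\d+)\+ (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$')
# "<ts> IP <server> > <client>: <id>[*] <body> (<len>)"; '*' = authoritative
RESP_RE = re.compile(
    r'^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): '
    r'(?P<id>\d+)\*? (?P<body>.*) \(\d+\)$')


def _parse_answer(body):
    """Split a reply body into (rcode, [(rrtype, rdata), ...])."""
    head, _, rest = body.partition(' ')
    if head.startswith('NXDomain'):
        return 'NXDomain', []
    # head is the an/ns/ar count triple, e.g. "2/7/7"; rest holds the RRs
    rrs = []
    if rest:
        for rr in rest.split(', '):
            rrtype, _, rdata = rr.partition(' ')
            rrs.append((rrtype, rdata.rstrip('.')))
    return 'NoError', rrs


def analyze_dns_capture(text):
    """Correlate queries with replies by (client socket, transaction id).

    Returns {qname: {"rcode": ..., "cnames": [...], "addresses": [...]}}.
    A query with no reply in the capture keeps rcode "unanswered"; a
    duplicated reply (tcpdump sometimes shows two) is ignored.
    """
    pending, results = {}, {}
    for line in text.splitlines():
        q = QUERY_RE.match(line)
        if q:
            qname = q['qname'].rstrip('.')
            pending[(q['src'], q['id'])] = qname
            results.setdefault(qname, {"rcode": "unanswered",
                                       "cnames": [], "addresses": []})
            continue
        r = RESP_RE.match(line)
        if not r:
            continue
        qname = pending.pop((r['dst'], r['id']), None)
        if qname is None:
            continue
        rcode, rrs = _parse_answer(r['body'])
        entry = results[qname]
        entry["rcode"] = rcode
        entry["cnames"] = [d for t, d in rrs if t == 'CNAME']
        entry["addresses"] = [d for t, d in rrs if t == 'A']
    return results


def unresolved_names(text):
    """Names the ES answered NXDomain for: candidates for the Accessible
    services list, to be reviewed by the administrator, not added blindly."""
    return sorted(n for n, e in analyze_dns_capture(text).items()
                  if e["rcode"] == 'NXDomain')


def cname_targets(text):
    """Names reached only through a CNAME chain; in non-DHCP modes the FQDN
    of the real target server is what the manual says to list."""
    targets = set()
    for e in analyze_dns_capture(text).values():
        targets.update(e["cnames"])
    return sorted(targets)


if __name__ == "__main__":
    for name, e in analyze_dns_capture(SAMPLE_CAPTURE).items():
        print(f"{name:30} {e['rcode']:10} {e['addresses']} via {e['cnames']}")
    print("unresolved:", unresolved_names(SAMPLE_CAPTURE))
```

Run it against a saved `tcpdump -n`-free capture like the one above (the parser expects the resolved "SA00.domain" style names, so leave `-n` off as the manual does); an entry that appears in `unresolved_names` while the endpoint is quarantined is exactly the kind of name the walkthrough adds before re-running the update.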
Always Granting Access to an Endpoint

To always grant access to an endpoint without testing: NAC 800 Home window>>System configuration>>Exceptions. The following figure shows the Exceptions window. Figure 7-4. Exceptions Window. In the Always grant access and never test area: In the Endpoints area, enter one or more MAC addresses, IP addresses, or NetBIOS names separated by carriage returns.
CAUTION: If you enter the same endpoint for both options in the Endpoint testing exceptions area, the Allow access without testing option is used. CAUTION: Please read “Untestable Endpoints and DHCP Mode” on page 7-18 so that you fully understand the ramifications of allowing untested endpoints on your network.
Always Quarantining an Endpoint

To always quarantine an endpoint without testing (cluster default): NAC 800 Home window>>System configuration>>Exceptions. In the Always quarantine and never test area: In the Endpoints area, enter one or more MAC addresses, IP addresses, or NetBIOS names separated by carriage returns.
■ Inline mode – An IP address is assigned to the endpoint outside of NAC 800. When the end-user attempts to connect to the network, NAC 800 either blocks access or allows access by adding the endpoint IP address to the internal firewall.
Shared Resources

If the end-users typically make connections to shared services and endpoints during the boot process, these shares are unable to connect while the endpoint has the quarantined IP address, unless the services and endpoints are listed in the Accessible services and endpoints area (see “Accessible Services”...
The IP address granted by your DHCP server has a lease expiration period that cannot be affected by the NAC 800 server. Once an untested endpoint has been allowed access and assigned a non-quarantined IP address by your DHCP server, that endpoint has continual access through that IP address until the IP address lease expires.
ES is unavailable, the notification indicates that at the top of the Home window. When NAC 800 is installed inline in a multiple-server configuration (figure 8-1), the multiple Enforcement servers (ESs) form a network loop (an undesired condition).
High Availability and Load Balancing High Availability ES becomes unavailable, the switch reconnects so that there is always a path from the VPN to an ES. All of the ES firewalls continuously stay in sync with each other. Figure 8-1. Inline Installations...
Figure 8-2. DHCP Installation...
Figure 8-3. 802.1X Installation...
Load Balancing

Load balancing distributes the testing of endpoints across all NAC 800 Enforcement servers in a cluster. NAC 800 uses a hashing algorithm based on MAC or IP addresses to divide the endpoints between the Enforcement servers.
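The manual states only that endpoints are divided among Enforcement servers by hashing their MAC or IP address; it does not say which hash. The following is an added illustration, not NAC 800's code: it shows the property that matters operationally, that a given endpoint always lands on the same ES as long as the cluster membership is unchanged, and lets you estimate how many endpoints are retested by a different ES when a server is added or lost. The SHA-256-modulo-N scheme, the server names and the sample endpoints are all assumptions made for the example.

```python
import hashlib
import ipaddress
import re

# Assumption: the manual does not specify NAC 800's hash function; SHA-256
# reduced modulo the number of servers is an illustrative stand-in.
MAC_RE = re.compile(r'^[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}$')


def normalize_endpoint(identifier):
    """Canonical form so '00-1A-2B-3C-4D-5E' and '00:1a:2b:3c:4d:5e' hash
    alike; anything that is neither a MAC nor an IP address raises ValueError."""
    s = identifier.strip().lower()
    if MAC_RE.match(s):
        return s.replace('-', ':')
    return str(ipaddress.ip_address(s))


def assign_enforcement_server(identifier, servers):
    """Return the ES responsible for testing this endpoint: deterministic for
    a given identifier and server list, spread roughly evenly across them."""
    if not servers:
        raise ValueError("cluster has no Enforcement servers")
    digest = hashlib.sha256(normalize_endpoint(identifier).encode()).digest()
    return servers[int.from_bytes(digest[:8], 'big') % len(servers)]


def distribution(identifiers, servers):
    """Count how many endpoints each ES would test."""
    counts = {s: 0 for s in servers}
    for ident in identifiers:
        counts[assign_enforcement_server(ident, servers)] += 1
    return counts


def reassigned_on_resize(identifiers, servers_before, servers_after):
    """Number of endpoints that move to a different ES when the cluster
    changes (an ES added or failed). With a plain modulo hash most endpoints
    move, which shows up as a burst of retests on the surviving servers."""
    return sum(1 for ident in identifiers
               if assign_enforcement_server(ident, servers_before)
               != assign_enforcement_server(ident, servers_after))


# Constructed sample endpoints: addresses in 172.21.20.0/24 (the range of the
# endpoint in the tcpdump example) plus locally administered MAC addresses.
SAMPLE_ENDPOINTS = [f"172.21.20.{i}" for i in range(1, 51)] + \
    [f"02:00:00:00:00:{i:02x}" for i in range(1, 51)]

if __name__ == "__main__":
    cluster = ["es1", "es2", "es3"]
    print(distribution(SAMPLE_ENDPOINTS, cluster))
    print("moved when es3 is removed:",
          reassigned_on_resize(SAMPLE_ENDPOINTS, cluster, cluster[:2]))
```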
Inline Quarantine Method
Inline

Inline is the most basic NAC 800 installation. When deploying NAC 800 inline, NAC 800 monitors and enforces all endpoint traffic. When NAC 800 is installed in a single-server installation, NAC 800 becomes a Layer 2 bridge that requires no changes to the network configuration settings.
VPN to an ES. All of the ES firewalls continuously stay in sync with each other. Figure 9-1. Inline Installations TIP: You can install NAC 800 at any “choke point” in your network; a VPN is not required.
DHCP Quarantine Method
Overview

When configured with a Dynamic Host Configuration Protocol (DHCP) quarantine area, all endpoints requesting a DHCP IP address are issued a temporary address on a quarantine subnetwork. Once the endpoint is allowed access, the IP address is renewed and the main DHCP server assigns an address to the main LAN.
Configuring NAC 800 for DHCP

The primary configuration required for using NAC 800 and DHCP is setting up the quarantine area (see “Setting Up a Quarantine Area” on page 10-4). You should also review the following topics related to quarantining endpoints: ■...
In order to sufficiently restrict access to and from the quarantine area, you must configure your router Access Control Lists (ACLs) as follows:
■ Allow traffic to and from the NAC 800 server and the quarantined network.
■ If you want to allow access to other endpoints outside of the quaran-...
Setting up the RADIUS Server 11-7
Enabling NAC 800 for 802.1X 11-43
Setting Up the Supplicant .
802.1X Quarantine Method
About 802.1X

802.1X is a port-based authentication protocol that can dynamically vary encryption keys, and has three components as follows:
■ Supplicant – The client; the endpoint that wants to access the network.
■ Authenticator – The access point, such as a switch, that prevents...
The AP (authenticator) opens a port for EAP messages, and blocks all others. The AP (authenticator) requests the client’s (supplicant’s) identity. The Client (supplicant) sends its identity. The AP (authenticator) passes the identity on to the authentication server. The authentication server performs the authentication and returns an accept or reject message to the AP (authenticator).
VLAN to place the endpoint, and returns the result to the switch. When NAC 800 is used in an 802.1X network, the configuration is as shown in figure 11-2, and the communication flow is shown in Figure 11-3 on page 11-6.
The NAC 800 802.1X solution must be integrated with the RADIUS authentication to “intervene” in the authentication process, test endpoints, and assign them to the appropriate VLAN. NAC 800 can be deployed and integrated with RADIUS in the following three ways: ■...
Microsoft® Windows Server™ 2003 Internet Authentication Service (IAS) is Microsoft’s implementation of a Remote Authentication Dial-In User Service (RADIUS) server. This section provides instructions on configuring this server to use with NAC 800. For details on the Windows Server 2003 IAS, refer to the following link: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/ias.mspx...
802.1X Quarantine Method Setting Up the 802.1X Components Figure 11-4. Windows Components Wizard Window Select the Networking Services check box. Click Details. The Networking Services window appears, as shown in the following figure. Figure 11-5. Networking Services Window
Install any IAS and 802.1X updates that are available. http://www.microsoft.com/downloads/search.aspx?displaylang=en Configuring the Microsoft IAS RADIUS server For an explanation of how the components communicate, see “NAC 800 and 802.1X” on page 11-4. Now that you have the RADIUS server installed, you need to log into it and perform the configuration steps described in this section.
Configure the RADIUS server parameters: Figure 11-6. IAS, Register Server in Active Directory Window Right-click on Internet Authentication Service (local) b. Select Properties (figure 11-7). The Properties window appears (figure 11-8). Figure 11-7. IAS, Properties Option
Figure 11-8. IAS, Properties Window General tab – Enter a descriptive name in the Server Description text box. For example, IAS. ii. Select the Rejected authentication requests check box. iii. Select the Successful authentication requests check box. d.
Figure 11-9. IAS, New Client, Name and Address Window Enter a descriptive name for the Friendly name, such as Foundry. d. Enter the IP address of the authenticator in the Client address text box. TIP: Click Verify to test the connection.
Figure 11-10. IAS, New Client, Additional Information Window Select RADIUS Standard from the Client Vendor drop-down list. Enter a password in the Shared secret text box. This password also needs to be entered when you configure the authenticator. h.
Figure 11-11. IAS, New Remote Access Policy d. Select the Use the wizard radio button. Enter a meaningful name in the Policy Name text field. Click Next. Figure 11-12. IAS, Remote Access Policy, Access Method
Select the Ethernet radio button. (The Ethernet option will not work for authenticating wireless clients with this policy.) h. Click Next. Figure 11-13. IAS, Remote Access Policy, Group Access You can configure your Access policy by user or group. This example uses the group method.
Figure 11-14. IAS, Remote Access Policy, Find Group k. Click Advanced.
Figure 11-15. Remote Access Policy, Select Group Click Find Now to populate the Search Results area. m. Select Domain Guests. n. Click OK. o. Click OK. p. Click Next.
Figure 11-16. IAS, Remote Access Policy, Authentication Method NOTE: If you choose PEAP as your authentication mechanism in step q, see step 8 before completing step r and step s. Adding a certificate, if your server does not already have one, and configuring PEAP is explained in step 8.
to request a certificate. If there is not a CA available, the certificate needs to be imported manually. To request a certificate from a Domain Certificate Authority: Figure 11-17. Error Message Open the Microsoft management console by choosing Start>>Run and entering mmc.
right-click on the template, select properties, and change the permissions for your user) on the certificate authority. The Computer or RAS and IAS templates both work. k. Once the Certificate is granted by the certificate authority, return to the IAS policy editor to continue the setup.
Configure the new Remote Access Policy. Figure 11-19. IAS, Remote Access Policy, Properties Select Remote Access Policies. b. In the right pane, right-click the new policy name and select Properties. The Guest Policy Properties window appears: Figure 11-20.
Advanced tab – Add three RADIUS attributes: TIP: The attributes you select might be different for different switch types. Contact ProCurve Networking by HP if you would like assistance. 1) Click Add. Figure 11-21. IAS, Remote Access Policy, Add Attribute 2) Select Tunnel-Medium-Type.
11) In the Enter the attribute value area, select the String radio button and type the VLAN ID (usually a number such as 50) in the text box. 12) Click OK. 13) Click OK. 14) Select Tunnel-Type.
Select the When disk is full, delete older log files check box. iv. Click OK. 12. Install the NAC 800-to-IAS connector – The NAC 800 IAS Connector is a DLL file that is installed on your Windows Server 2003 machine where the IAS component is enabled.
RADIUS attributes to your switch instructing it into which VLAN to place an endpoint. The following figure illustrates this process: Figure 11-23. NAC 800-to-IAS Connector Copy the following NAC 800 IAS Connector files from the NAC 800 CD-ROM (/support directory) to the WINDOWS/system32 directory on your Windows Server 2003 machine.
Figure 11-24. IAS, Add/Remove Snap-in Select File>>Add/Remove Snap-in. vi. Click Add. Figure 11-25. IAS, Add/Remove Snap-in, Certificates vii. Select Certificates. viii. Click Add. ix. Select the Computer account radio button. x. Click Next.
CD-ROM in support/ias/compliance.keystore.cer xix. Click Next. xx. Click Next. xxi. Click Finish. 13. Configure the NAC 800-to-IAS connector – Modify the INI file for your network environment. NAC 800 returns one of several postures for an endpoint attempting to...
ServerUrl.5=https://<SERVER IP.5>:89/servlet/AccessControlServlet
DebugLevel=4
Debug=on
Username=nacuser
Password=nacpwd
; If the NAC 800 server cannot be contacted reply to RADIUS with the following posture
; 0=healthy, 10=checkup, 20=quarantined, 30=infected, 100=unknown
DefaultPosture=0
; Use the following timeouts (in milliseconds) for contacting the NAC 800 server.
GroupId,Tunnel-Type
InfectedRadiusAttributes=Tunnel-Medium-Type,Quarantine-Tunnel-Pvt-GroupId,Tunnel-Type
UnknownRadiusAttributes=Tunnel-Medium-Type,Unknown-Tunnel-Pvt-GroupId,Tunnel-Type,Unknown-Session-Timeout,Unknown-Termination-Action
; Use these settings for Extreme switches
; Uncomment if you want NAC 800 to assign a VLAN for endpoints with a healthy or checkup posture
; HealthyRadiusAttributes=Healthy
; CheckupRadiusAttributes=Healthy
; QuarantineRadiusAttributes=Quarantine
; InfectedRadiusAttributes=Quarantine
; UnknownRadiusAttributes=Unknown
;...
; in the <Posture>RadiusAttribute settings above.
; TO DO - Use these settings for Extreme switches. Change the Value setting to match the VLAN names on your switch.
[Healthy]
Type=26
VendorId=1916
VendorType=203
DataType=1
Value=Healthy
[Quarantine]...
[Healthy-Termination-Action]
Type=29
DataType=3
Value=1
[Quarantine-Tunnel-Pvt-GroupId]
Type=81
DataType=1
Value=15
[Quarantine-Session-Timeout]
Type=27
DataType=3
Value=30
[Quarantine-Termination-Action]
Type=29
DataType=3
Value=1
[Unknown-Tunnel-Pvt-GroupId]
Type=81
DataType=1
Value=5
[Unknown-Session-Timeout]
Type=27
DataType=3
Value=30
[Unknown-Termination-Action]
Type=29
DataType=3
Value=1
--------------------------------------------------------------------------------------

b. Enable the Authorization DLL file. At startup, IAS checks the registry for a list of third-party DLL files to call.
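The INI fragments above tie the pieces of the 802.1X section together: the connector turns the posture NAC 800 returns (0, 10, 20, 30 or 100) into the list of RADIUS attributes named in the matching <Posture>RadiusAttributes line, and each named section supplies the attribute number (Type) and value the switch receives in the Access-Accept, which is the "returns an accept ... to the authenticator" step described under About 802.1X. The example below is added here and is not the connector's code: it loads a configuration in the same layout and shows which attributes and which VLAN each posture produces, including the DefaultPosture fallback used when the NAC 800 server cannot be contacted. The sample is modelled on the page's fragments; the [Tunnel-Medium-Type] and [Tunnel-Type] sections are not on the page (its copy is truncated) and are constructed from the standard RFC 2868 attribute numbers (65 and 64) and values (6 = IEEE 802, 13 = VLAN), the Healthy VLAN 100 is a constructed value, and treating DataType=3 as an integer and DataType=1 as a string is an assumption drawn from how the page uses them.

```python
import configparser

# Constructed sample modelled on the SAIASConnector INI fragments on this page.
# [Tunnel-Medium-Type], [Tunnel-Type] and the Healthy VLAN (100) are
# constructed (see lead-in); the quarantine/unknown sections copy the page.
SAMPLE_INI = """\
ServerUrl=https://<SERVER IP>:89/servlet/AccessControlServlet
DebugLevel=4
Debug=on
; If the NAC 800 server cannot be contacted reply to RADIUS with the following posture
; 0=healthy, 10=checkup, 20=quarantined, 30=infected, 100=unknown
DefaultPosture=0
HealthyRadiusAttributes=Tunnel-Medium-Type,Healthy-Tunnel-Pvt-GroupId,Tunnel-Type
CheckupRadiusAttributes=Tunnel-Medium-Type,Healthy-Tunnel-Pvt-GroupId,Tunnel-Type
QuarantineRadiusAttributes=Tunnel-Medium-Type,Quarantine-Tunnel-Pvt-GroupId,Tunnel-Type,Quarantine-Session-Timeout,Quarantine-Termination-Action
InfectedRadiusAttributes=Tunnel-Medium-Type,Quarantine-Tunnel-Pvt-GroupId,Tunnel-Type
UnknownRadiusAttributes=Tunnel-Medium-Type,Unknown-Tunnel-Pvt-GroupId,Tunnel-Type,Unknown-Session-Timeout,Unknown-Termination-Action

[Tunnel-Medium-Type]
Type=65
DataType=3
Value=6

[Tunnel-Type]
Type=64
DataType=3
Value=13

[Healthy-Tunnel-Pvt-GroupId]
Type=81
DataType=1
Value=100

[Quarantine-Tunnel-Pvt-GroupId]
Type=81
DataType=1
Value=15

[Quarantine-Session-Timeout]
Type=27
DataType=3
Value=30

[Quarantine-Termination-Action]
Type=29
DataType=3
Value=1

[Unknown-Tunnel-Pvt-GroupId]
Type=81
DataType=1
Value=5

[Unknown-Session-Timeout]
Type=27
DataType=3
Value=30

[Unknown-Termination-Action]
Type=29
DataType=3
Value=1
"""

# Posture codes from the page's comment and the key each one selects.
POSTURE_KEYS = {0: "HealthyRadiusAttributes", 10: "CheckupRadiusAttributes",
                20: "QuarantineRadiusAttributes", 30: "InfectedRadiusAttributes",
                100: "UnknownRadiusAttributes"}
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868: carries the VLAN id or name


def load_connector_config(text):
    """The file has global keys before the first [section]; configparser
    needs a header, so a synthetic [global] section is prepended."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=('=',))
    cp.optionxform = str            # keep key case (DataType, Value ...)
    cp.read_string("[global]\n" + text)
    return cp


def radius_attributes_for_posture(cp, posture):
    """Return [(section name, attribute Type, value), ...] for a posture.
    Assumption: DataType=3 is an integer, anything else is sent as a string."""
    names = [n.strip() for n in cp["global"][POSTURE_KEYS[posture]].split(",")
             if n.strip()]
    attrs = []
    for name in names:
        sec = cp[name]
        value = int(sec["Value"]) if sec["DataType"] == "3" else sec["Value"]
        attrs.append((name, int(sec["Type"]), value))
    return attrs


def radius_reply(cp, posture):
    """posture=None models 'NAC 800 server could not be contacted': the
    connector then answers with DefaultPosture."""
    if posture is None:
        posture = int(cp["global"]["DefaultPosture"])
    return radius_attributes_for_posture(cp, posture)


def vlan_for_posture(cp, posture):
    """The Tunnel-Private-Group-ID value (VLAN) the switch will apply."""
    for _, attr_type, value in radius_attributes_for_posture(cp, posture):
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            return value
    return None


def default_posture_fails_open(cp):
    """True when an unreachable NAC 800 server yields a healthy/checkup reply,
    i.e. untested endpoints get the production VLAN; worth checking in review."""
    return int(cp["global"]["DefaultPosture"]) in (0, 10)


if __name__ == "__main__":
    cfg = load_connector_config(SAMPLE_INI)
    for code in POSTURE_KEYS:
        print(code, vlan_for_posture(cfg, code), radius_attributes_for_posture(cfg, code))
    print("server unreachable ->", radius_reply(cfg, None))
    print("fails open:", default_posture_fails_open(cfg))
```

With the page's DefaultPosture=0 the unreachable-server reply is identical to the Healthy reply, so `default_posture_fails_open` reports True; setting DefaultPosture to 20 or 100 in the same file changes that answer, which is a quick way to confirm the behaviour you intend before restarting IAS.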
ix. Type AuthorizationDLLs for the name and press Enter on the keyboard. x. Right-click AuthorizationDLLs, and select Modify. xi. Enter the following value in the Value Data text box. C:\Windows\System32\SAIASConnector.dll xii. Click OK. Restart the IAS server (Start>>Settings>>Control Panel>>Services>>Internet Authentication Services>>Restart).
iv. Click Open. Right-click Default Domain Policy and select Edit (click OK if you get a global changes pop-up message). Figure 11-28. Active Directory, Store Passwords vi. Navigate to Computer Configuration>>Windows Settings>>Security Settings>>Account Policies>>Password Policy.
16. Configure user accounts for Dial-in access and Password Reversible Encryption: From the Windows Server 2003 machine, select Start>>Settings>>Control Panel>>Administrative Tools>>Active Directory Users and Computers. b. Click the plus symbol next to the domain to expand the selection. Select the Users folder.
Figure 11-30. Active Directory, User Account Properties Select the Dial-in tab. In the Remote Access Permission area, select the Allow Access radio button. Select the Account tab. h. Verify that you are using Microsoft’s version of the challenge-handshake authentication protocol (CHAP) MSCHAPv2.
The realm NULL section must go after the realm LOCAL section, or you can comment out the realm LOCAL section. Configure your RADIUS server to allow the NAC 800 IP address as a client with the shared secret specified in the previous step. See your RADIUS server’s documentation for instructions on how to configure allowed...
Configure the SAFreeRADIUSConnector.conf file with the appropriate RADIUS attributes and VLANs. See comments in the following sample file for instructions.
# Free Radius Connector configuration file
# TO DO - Change localhost to your server's IP if this is not the built-in FreeRadius server
ServerUrl=https://localhost/servlet/AccessControlServlet
DebugLevel=4...
"QuarantineRadiusAttributes"
Tunnel-Medium-Type := 6,
Tunnel-Private-Group-ID := 15,
Tunnel-Type := VLAN,
"InfectedRadiusAttributes"
Tunnel-Medium-Type := 6,
Tunnel-Private-Group-ID := 15,
Tunnel-Type := VLAN,
"UnknownRadiusAttributes"
Tunnel-Medium-Type := 6,
Tunnel-Private-Group-ID := 5,
Tunnel-Type := VLAN,
# Use these attributes for Extreme switches
#"HealthyRadiusAttributes"...
If you selected the Manual End-user authentication method in the Authentication settings area of the System configuration>>Quarantining>>802.1X window, configure NAC 800 according to the instructions in this section. To configure NAC 800 to handle RADIUS requests: Add users to the RADIUS server by modifying the /etc/raddb/users file.
(CatOS), you need to refer to the VLAN by name, and not by number as shown in the following sample file. For example, use “Tunnel-Private-Group-ID := User_Seg_PA,” instead of “Tunnel-Private-Group-ID := 50,”.
# NAC 800 Free Radius Connector configuration file
# General configuration parameters
ServerUrl=https://<SERVER IP>:89/servlet/AccessControlServlet
ServerUrl.1=https://<SERVER IP.1>:89/servlet/AccessControlServlet...
Tunnel-Type := VLAN,

Enabling NAC 800 for 802.1X

To enable NAC 800 for use in an 802.1X network, you need to select it in the console, and make a few changes to the properties using JMS and an XML file.
• local – In simple configurations, it is possible to span, or mirror, the switch port into which the DHCP server is connected. The eth1 interface of the Enforcement server is then plugged into the spanned port and endpoint traffic is monitored on the eth1 interface.
Figure 11-32. IAS, Windows Client Authentication General tab – Select the Show icon in notification area when connected check box. This enables the Windows XP balloon help utility, which can assist you when entering information and troubleshooting errors.
Windows Main Window>>Start>>Settings>>Control Panel>>Administrative Tools>>Services Wireless Zero Configuration (this service needs to be started, if not already running the user needs to right-click on the service named Wireless Zero Configuration and click 'start'). Right-click on Local Area Connection.
set port dot1x 2/15 guest-vlan 40
set port dot1x 2/17 guest-vlan 40
set port dot1x 2/18 guest-vlan 40
set port dot1x 2/19 guest-vlan 40

Enterasys® Matrix 1H582-25
! dot1x
set dot1x auth-config authcontrolled-portcontrol forced-auth fe.0.5-24
set dot1x auth-config maxreq 10000 fe.0.1-4
set dot1x auth-config keytxenabled true fe.0.1-4...
enable netlogin port 36 vlan Temp
enable netlogin port 37 vlan Temp
enable netlogin port 38 vlan Temp
enable netlogin port 39 vlan Temp
enable netlogin port 40 vlan Temp
configure netlogin redirect-page "https://10.10.100.100:89"

ExtremeWare TIP: When authenticating via the onboard FreeRadius server, you need to add the...
HP ProCurve Access Point 420(config)#interface ethernet
Enter Ethernet configuration commands, one per line.
HP ProCurve Access Point 420(if-ethernet)#no ip dhcp
HP ProCurve Access Point 420(if-ethernet)#ip address <IP of Access Point Netmask Gateway>
HP ProCurve Access Point 420(if-ethernet)#end
HP ProCurve Access Point 420(config)#management-vlan 200...
Dynamic VLAN provisioning.
ProCurve Access Point 530#conf
ProCurve Access Point 530(config)#interface ethernet
ProCurve Access Point 530(ethernet)#ip address <IP of Access Point > Netmask
ProCurve Access Point 530(ethernet)#ip default-gateway <IP of Gateway>
ProCurve Access Point 530(ethernet)#management-vlan 200...
ProCurve Access Point 530(config)#write mem
ProCurve Access Point 530(config)#exit

Dynamic WEP:
ProCurve Access Point 530#conf
ProCurve Access Point 530(config)#interface ethernet
ProCurve Access Point 530(ethernet)#ip address <IP of Access Point > Netmask
ProCurve Access Point 530(ethernet)#ip default-gateway <IP of Gateway>
ProCurve Access Point 530(ethernet)#management-vlan 200...
aaa accounting network start-stop radius
aaa authentication port-access eap-radius
aaa port-access authenticator 1-8
aaa port-access authenticator 1-8 auth-vid 100
aaa port-access authenticator 1-8 unauth-vid 101
aaa port-access authenticator active

Nortel® 5510
NOTE: When the Nortel switch is used in unstacked mode, a range of ports is defined as 1-24.
Reports
Report Types

NAC 800 generates the following types of reports:

Report: NAC policy results
Description: Lists each NAC policy and the last pass/fail policy results
Report columns: policy name; test status; # of times; ...
Report: Test results by NetBIOS name
Description: Lists the number of tests that passed or failed for each netbios name.
Report columns: netbios; cluster; ip address; user; test status; # of times; ...
Generating Reports

To generate a report: NAC 800 Home window>>Reports. The following figure shows the Reports window. Figure 12-1. Reports Window. In the Report drop-down list, select the report to run. Select the Report period. Select the Rows per page.
ii. Any of the selected criteria Select Generate report. After a short period of time the compiled report is displayed in a separate browser window. The following figure shows an example report. Figure 12-2. NAC Policy Results Report CAUTION: The reports capability uses pop-up windows;...
Viewing Report Details

To view report details: NAC 800 Home window>>Reports. Select the options for the report you want to run. Click Generate report. Click the details link. The Test details window appears: Figure 12-3. Report, Test Details Window...
Printing Reports

To print a report: NAC 800 Home window>>Reports. Select the options for the report you want to run. Click Generate report. Select Print. Select the printer options and properties. Select Print.
Saving Reports to a File

To save a report: NAC 800 Home window>>Reports. Select the options for the report you want to run. Click Generate report. Select File>>Save Page As from the browser menu.
Converting an HTML Report to a Word Document

To convert an HTML report: Run the report (see “Generating Reports” on page 12-4). Save an HTML version of it (see “Saving Reports to a File” on page 12-8). Open the HTML report in Microsoft Word.
System Administration
Resetting the NAC 800 Database Password 13-37
Changing the NAC 800 Administrator Password 13-37
Working with Ranges .
Logging out of NAC 800 To log out of NAC 800: Any NAC 800 window Click Logout in the upper right corner of the NAC 800 home window. When the logout procedure completes, the ProCurve login window appears. Important Browser Settings There are several browser configuration settings to make, depending on which browser you are using.
Downloading New Tests

To download the latest tests from the ProCurve server: NAC 800 Home window>>System configuration>>Test updates>>Check for test updates button
TIP: If you are not receiving test updates, try the following checks:
- Verify that the system time is correct...
IE security settings. The NAC 800 administrator needs to make sure the global policy on their network matches the NAC policy defined, or skip the test.
Resetting your System To reset your system to the as-shipped state: Command line window Log in as root to the NAC 800 MS, either using SSH or directly with a keyboard. Enter the following command at the command line: resetSystem.py [both | ms | es]...
/usr/local/nac/bin

Changing Properties

To change the property values in the properties files: Command line window. Log in as root to the NAC 800 MS using SSH. Enter the following at the command line:
setProperty.py <DESTINATION> <TYPE> <VALUES>
Where: •...
The Windows 2003 Server endpoint cannot download the agent. ■ To disable the Enhanced Security Configuration option: Start>>Settings>>Control panel>>Add/Remove Programs>>Add/Remove Windows Components Clear the selected Enhanced Security Configuration option. TIP: Alternatively, you could select the NAC 800 MS and ES IP addresses as trusted sites.
Entering Networks Using CIDR Format

Networks and network endpoints can be specified in NAC 800 using Classless Inter-Domain Routing (CIDR) format. CIDR is a commonly used method for specifying Internet objects. Table 13-1 presents common CIDR naming conventions.
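Table 13-1 itself is not reproduced here, so the following added example (not NAC 800 code; it uses only Python's standard ipaddress module) shows what a CIDR entry expands to and includes the check an administrator wants before pasting a list of ranges into an exceptions or accessible-services field: an entry with host bits set, such as 10.10.100.100/24, is a valid network spec but matches the whole /24 rather than the single host that was probably intended. The sample addresses are constructed.

```python
import ipaddress


def parse_network(spec):
    """Accept 'a.b.c.d/nn' or a bare address (treated as a /32 host).
    Host bits are tolerated, so '10.10.100.100/24' reads as 10.10.100.0/24."""
    return ipaddress.ip_network(spec.strip(), strict=False)


def describe(spec):
    """The network address, dotted mask, prefix length and size of an entry,
    the same information a CIDR conventions table lists per prefix."""
    net = parse_network(spec)
    return {"network": str(net.network_address), "netmask": str(net.netmask),
            "prefix": net.prefixlen, "addresses": net.num_addresses}


def endpoint_in_any(address, specs):
    """True if the endpoint address falls inside any of the listed entries
    (an IPv4 address never matches an IPv6 entry, and vice versa)."""
    ip = ipaddress.ip_address(address.strip())
    return any(ip in parse_network(s) for s in specs)


def check_entries(specs):
    """Validate a list of entries as typed into a NAC 800 text field.

    Returns (networks, warnings). Invalid entries are skipped with a warning;
    entries whose host bits are set are kept but reported, because the device
    would treat them as the whole network, not the single host."""
    networks, warnings = [], []
    for spec in specs:
        spec = spec.strip()
        if not spec:
            continue
        try:
            net = parse_network(spec)
        except ValueError as exc:
            warnings.append(f"{spec}: not a valid address or network ({exc})")
            continue
        if "/" in spec:
            addr_part = ipaddress.ip_address(spec.split("/", 1)[0])
            if addr_part != net.network_address:
                warnings.append(f"{spec}: host bits set, matches all of {net}")
        networks.append(net)
    return networks, warnings


if __name__ == "__main__":
    # Constructed sample entries, one per line as the text fields expect.
    entries = ["10.10.100.0/24", "10.10.100.100/24", "172.21.20.20", "not-a-network"]
    nets, warns = check_entries(entries)
    for n in nets:
        print(n, describe(str(n)))
    for w in warns:
        print("warning:", w)
    print(endpoint_in_any("172.21.20.20", entries[:3]))
```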
NOTE: You must have backed up your system at least one time before you can restore from a backup.
NAC 800 Home window>>System configuration>>Maintenance
Click restore system from backup file. The Restore system window appears:
Figure 13-1. Restore System Window
Enter the backup file name or click Browse and navigate to the backup file.
“Resetting your System” on page 13-6 for more information.
To reset a NAC 800 database to its pristine state:
Command window
Log in as root to the NAC 800 MS using SSH.
Enter the following commands:
resetSystem.py
This script shuts down all of the services, cleans the database, iptables, and DHCP server, and restarts everything.
Supported VPNs
NAC 800 works with any VPN endpoint, since NAC 800 does not directly interface or inter-operate with VPN endpoints. The following commonly deployed VPN solutions have been tested:
■ Cisco VPN: 30xx series
■ Microsoft 2000 and 2003 Server (VPN capability enabled)
■ ...
NAC 800 scripting API. Each NAC 800 test script defines a test class. To change an error message, create a new script that derives a new test class from an existing test class and modify the return hash of the runTest method.
Adding Custom Tests
Log in as root to the NAC 800 server using SSH.
Open the /sampleTests/myCheckSoftwareNotAllowed.py file on the NAC 800 CD in a text editor.
Examine the code. The comments explain each section of code. The following example shows the contents of the file.
Do not change the status_code or the result_code for this example.
Once you have completed your edits and saved the myCheckSoftwareNotAllowed.py file, copy it to the following directory on the NAC 800 MS:
/usr/local/nac/scripts/Custom/Tests
If you have created new base classes, copy them to the following directory...
ESs, verify that the scripts and base classes are under the Custom directory tree as specified above, and enter the following on the command line of the NAC 800 MS:
installCustomTests
This command compiles the Python source files, builds an RPM, updates the policy groups, and sends these changes to all ESs.
#!/usr/bin/python
from BaseClasses.SABase import SABase as SABase

# This allows a script to be tested from the command line.
if __name__ == '__main__':
    import testTemplate
    t = testTemplate.TestTemplate()
    t.processCommandLine()

# The class definition. All classes must be derived from the SABase class.
class TestTemplate(SABase):
    # Make up a test id.
    # Assign the test to an existing group or create a new group.
    # Groups are configured and created in the policies.xml file <group>
    # section (See the Adding new groups section).
    testGroupId = "TestGroup"

    # This is the HTML that will be displayed in the test properties page
    # in the policy editor.
    # All tests must define the runTest method with the self and the debug
    # parameters.
    def runTest(self, debug=0):
        # All tests must call the initialize routine
        self.initTest()

        # Create a hash to store the return results.
        # All tests must return a hash with the following keys:
        #   status_code - 0 if an unexpected error occurred, 1 if...
• All test scripts contain a self.session member variable that is set by NAC 800 when the test class is instantiated. It contains a reference to a Session object, which is a built-in Python class defined by NAC 800 and is used internally by the BasicTests class described later in this section.
Figure 13-6 shows the code for the new checkOpenPorts.py test. The file is included on the NAC 800 CD as /sampleTests/checkOpenPorts.py. Review the code. The comments explain each section of the code.
#!/usr/bin/python
from BaseClasses.SABase import SABase as SABase

# This allows a script to be tested from the command line.
    testConfig = \
    """
    <div id="test_parameters">
    <table height="100%" width="100%" border="0" cellspacing="0" cellpadding="0">
    <tbody>
    <tr>
    <td colspan="2" style="padding: 5px 3px 5px 3px;">
    Enter a list of ports that are not allowed to be open on the endpoint.
    # Make up a summary for the test. This will show up in the description
    # field in the policy editor.
    testSummary = "This test takes a list of ports that should NOT be found open on the remote host.
            # Try to open the port. Throws an exception if connection
            # is refused or times out (set timeout to 5 seconds).
            # Note that NAC 800 uses a restricted Python socket
            # library that doesn't allow connections to arbitrary
            # hosts.
        # Always use the doReturn function. This will record test timings as well as
        # encode the result_message into a format compatible with NAC 800
        return(self.doReturn(returnHash))
Figure 13-6. checkOpenPorts.py script (cont.)
Once you have completed your test script modifications, save the script as described in step 6 on page 13-15.
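As an added example that is not part of the NAC 800 guide or its sample scripts, the following stand-alone Python re-creates the runTest / return-hash contract of a custom test in the shape of checkOpenPorts.py, so the logic can be exercised off the appliance. SABaseStub is an assumed stand-in for NAC 800's SABase (it provides only initTest and doReturn); the result_code strings "pass" and "fail", the elapsed_seconds key, and the loopback listener used to produce a known open port are constructed for this example. The ordinary socket module is used here against 127.0.0.1; on the appliance the restricted socket library described in the script comments applies.

```python
# Added example: the runTest / return-hash contract of a NAC 800 custom test,
# re-created as stand-alone Python. SABaseStub is an assumed stand-in for
# SABase; result_code values and the loopback listener are constructed here.
import socket
import time


class SABaseStub(object):
    """Stand-in for SABase: records the test timing and returns the hash."""

    def initTest(self):
        self._started = time.time()

    def doReturn(self, returnHash):
        returnHash["elapsed_seconds"] = round(time.time() - self._started, 3)
        return returnHash


class CheckOpenPorts(SABaseStub):
    """Fail the endpoint if any of the listed ports accepts a TCP connection."""

    testId = "checkOpenPorts"          # made-up test id, as in the sample script
    testGroupId = "TestGroup"          # policy group the test would be listed under
    testSummary = "Ports that must NOT be found open on the endpoint."

    def __init__(self, targetHost, notAllowedPorts, timeout=5):
        self.targetHost = targetHost
        self.notAllowedPorts = list(notAllowedPorts)
        self.timeout = timeout         # the sample script uses a 5 second timeout

    def portIsOpen(self, port):
        # A refused or timed-out connect means the port is not open.
        try:
            conn = socket.create_connection((self.targetHost, port),
                                            timeout=self.timeout)
        except OSError:                # socket.timeout is a subclass of OSError
            return False
        conn.close()
        return True

    def runTest(self, debug=0):
        self.initTest()                # every test must call the initialize routine
        returnHash = {
            "status_code": 1,          # 1 = the test ran; 0 = an unexpected error
            "result_code": "pass",
            "result_message": "",
        }
        try:
            openPorts = [p for p in self.notAllowedPorts if self.portIsOpen(p)]
        except Exception as exc:       # anything other than a connect failure
            returnHash["status_code"] = 0
            returnHash["result_message"] = "Unexpected error: %s" % exc
            return self.doReturn(returnHash)
        if openPorts:
            returnHash["result_code"] = "fail"
            returnHash["result_message"] = "Disallowed open ports: %s" % ", ".join(
                str(p) for p in openPorts)
        else:
            returnHash["result_message"] = "None of the disallowed ports are open."
        return self.doReturn(returnHash)   # always hand the hash to doReturn


def open_listener(host="127.0.0.1"):
    """Constructed helper: a listening socket on an ephemeral loopback port, so
    the test can be run against a known open port without any remote host."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    srv = open_listener()
    port = srv.getsockname()[1]
    print(CheckOpenPorts("127.0.0.1", [port, 1]).runTest())
    srv.close()
```

The point to carry over to a real script is the separation of the two failure kinds: a port that is simply closed is a normal test outcome (status_code 1, result_code pass), while an exception the script did not anticipate is reported with status_code 0 so the appliance can distinguish "the endpoint failed policy" from "the test could not run".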
For the final test, connect to http://<NAC 800 ip>:88 and test your Windows endpoint. If you have ports open that are not allowed, this test fails.
BasicTests API
Every NAC 800 test has a base functionality described as follows:
…
try:
    self.bt.getRegKeyExists("HKEY_LOCAL_MACHINE\\Software\\America Online\\AIM")
The BasicTests API accesses these functions with the SABase self.bt member. All methods throw an exception that should be caught if an unexpected error occurs.
Return Value / Public Method
String getOs(debug=0)
Retrieves the operating system of the targetHost.
Return Value / Public Method
String getServiceStatus(list serviceNames, debug=0)
Gets the status for a list of services. Returns a hash containing the result_data key.
Return Value / Public Method
Boolean getRegKeyExists(string key, debug=0)
Check to see if a single key exists in the registry. Returns the following: •...
Return Value / Public Method
Boolean getFileIsDirectory(string file, debug=0)
Returns the following: •...
End-user Access Windows
The end-user access windows are completely customizable. You can enter general text through the NAC 800 interface and edit the file that contains the messages that are returned to the end-user.
TIP: If you need more end-user access window customization than is described in this Users’...
How NAC 800 Handles Static IP Addresses
The following list details how NAC 800 handles static IP addresses:
■ Inline Mode – NAC 800 can detect, test, and quarantine static IP addresses. The end-user cannot circumvent a quarantine.
■ ...
Managing Passwords
The passwords associated with your NAC 800 installation are listed in the following table:
NAC 800 password / Set during / Recovery process
NAC 800 ... / Initial install process / * See “Resetting the NAC 800 Server Management or Password”...
You must set the terminal emulator settings as follows: 9600/8/n/1
To reset the NAC 800 server root password:
At the NAC 800 MS or ES server (not through the web or SSH), reboot the MS or ES server by pressing:
[CTRL]+[ALT]+[DELETE]
As the machine boots, you are presented with a list of kernels.
Resetting the NAC 800 Database Password
The NAC 800 database password is set during the install process. You cannot change your database password through NAC 800 later. If your database password gets changed by some other method after NAC 800 is installed, NAC 800 will not be able to communicate with the database.
Enter characters following the equal sign that are the password (for example, CwR0(tW).
Save the file and copy it to the NAC 800 server (either MS or ES).
Log into the NAC 800 server as root.
Enter the following command:
setProperty.py -f<filename>...
Working with Ranges
In NAC 800 implementations, particularly in trial installations where you are connecting and disconnecting cables to a number of different types of endpoints, you can filter the activity by specifying the following:
■ ...
Extreme switches forward the packets from the IP address closest to NAC 800 and not the IP address of the interface closest to the endpoint, so all the DHCPRelay packets will appear to come from a production network IP address.
Creating and Replacing SSL Certificates
The Secure Sockets Layer (SSL) protocol uses encryption by way of certificates to provide security for data or information sent over HTTP. Certificates are digitally signed statements that verify the authenticity of a server for security purposes.
To generate a private keystore containing a new private key/public certificate pair:
Command line window
Log in as root to the NAC 800 server via SSH.
Remove the existing keystore by entering the following at the command line:
rm -f /usr/local/nac/keystore/compliance.keystore
Enter the following at the command line:
keytool -genkey -keyalg RSA -alias <key_alias>...
Using an SSL Certificate from a known Certificate Authority (CA)
To generate a Certificate Signing Request (CSR) to be submitted to a Certificate Authority (CA):
Log in as root to the NAC 800 server via SSH.
Enter the following at the command line:
<key_alias> <csr_filename>...
(see “Copying Files” on page 1-20), replacing the previously self-signed public certificate for your key by entering the following command on the command line of the NAC 800 server:
keytool -import -alias <key_alias> -trustcacerts -file <signed_cert_file> -keystore /usr/local/nac/keystore/compliance.keystore...
Moving an ES from One MS to Another
If you have an existing ES, you can move it to a different MS by performing the steps in this section.
To move an ES to a different MS:
Command line window
Log in to the ES as root using SSH or directly with a keyboard.
Recovering Quickly from a Network Failure
If you have a network with a very large number of endpoints (around 3000 endpoints per ES), and your network goes down, perform the following steps to make sure that your endpoints can reconnect as quickly as possible:
Place all of the clusters that have a large number of endpoints in allow all mode:...
Overview The tests performed on endpoints attempting to connect to the network are listed on the NAC 800 Home window>>NAC policies>>Select a NAC policy>>Tests. These tests are updated when you download the latest versions by selecting NAC 800 Home window>>System Configuration>>Test Updates>>Check for Test Updates.
Tests Help
Browser Security Policy – Windows
The Browser security policy tests verify that any endpoint attempting to connect to your system meets your specified security requirements. Browser vulnerabilities are related to cookies, caches, and scripts (JavaScript, Java, and Active scripting / ActiveX).
Item: JavaScript
Description: JavaScript is a scripting language used to enhance Web pages. JavaScript programs are embedded in Web pages and enable active functionality; for example, JavaScript allows you to create images that change when you move the mouse over them and clocks with moving parts.
How Does this Affect Me?
Older browsers may not have adequate security or fixes against vulnerabilities.
What Do I Need to Do?
Install a required browser or update your browser to the required version. See the following links for browser information:
http://www.mozilla.com/en-US/firefox/
http://www.microsoft.com/windows/ie/ie6/default.mspx...
How Does this Affect Me?
The Internet security zone defines a security level for all external Web sites that you visit (unless you have specified exceptions in the trusted and restricted site configurations). The default setting is Medium. The following link provides details about the specific security options in the Custom Level window:
http://www.microsoft.com/windows/ie/using/howto/...
■ Medium-low. A mix of enabled, disabled and prompt for ActiveX controls, enables downloads, a mix of enabled, disabled and prompt for Miscellaneous options, enables Scripting, enables automatic login for intranet
■ Low. A mix of enabled and prompt for ActiveX controls, enables...
■ High. Disables all ActiveX Controls and plug-ins, disables file downloads, prompts for font downloads, disables or prompts for Miscellaneous options, disables Scripting, requires login
■ Medium. A mix of enabled, disabled and prompt for ActiveX controls,...
Click Add.
Click OK.
Internet Explorer (IE) Trusted Sites Security Zone
Description
This test verifies that the endpoint attempting to connect to your system is configured according to your specified trusted sites security zone standards.
Test properties
Select the Internet Explorer trusted sites security zone settings required on your network.
Tests Help
Operating System – Windows
The Operating System (OS) tests verify that any endpoint attempting to connect to your system meets your specified OS requirements. Installing the most recent version of your OS helps protect your system against exploits targeting the latest vulnerabilities.
Test Properties
Select the hotfixes required on your network. Selecting the All critical updates option requires all the critical patches that have been released or will be released by Microsoft.
How Does this Affect Me?
Hotfixes are programs that update the software and may include performance enhancements, bug fixes, security enhancements, and so on.
Service Packs
Description
This test verifies that the endpoint attempting to connect to your system has the latest operating system (OS) service packs installed.
Test Properties
The service packs are listed here by operating system.
How Does this Affect Me?
Service packs are programs that update the software and may include performance enhancements, bug fixes, security enhancements, and so on.
What Do I Need to Do?
Manually initiate an update check (http://v4.windowsupdate.microsoft.com/en/default.asp) if automatic update is not enabled, or is not working.
Windows Media Player Hotfixes
Description
Checks for Windows Media Player hotfixes.
Test Properties
Select the hotfixes required on your network.
How Does this Affect Me?
Hotfixes are programs that update the software and may include performance enhancements, bug fixes, security enhancements, and so on. There is usually only one fix in a hotfix, whereas a patch includes multiple hotfixes.
What Do I Need to Do?
Manually initiate an update check (http://v4.windowsupdate.microsoft.com/...
Test Properties
Select the hotfixes from the list presented that are required on your network. This list will occasionally change as tests are updated. The most secure option is to select the All critical updates option, as this requires all the critical patches that have been released or that will be released by Microsoft.
Windows XP Hotfixes
Description
This test verifies that the endpoint attempting to connect to your system has the latest Windows XP hotfixes installed.
Test Properties
Select the hotfixes from the list presented that are required on your network. This list will occasionally change as tests are updated.
How Does this Affect Me?
Microsoft periodically releases software updates to "patch holes" (vulnerabilities) and incorporate other fixes and updates. Although you can manually initiate an update check (http://v4.windowsupdate.microsoft.com/en/default.asp), automatically checking for updates ensures a higher level of security.
Tests Help
Security Settings – OS X
Mac AirPort Preference
Description
This test verifies that the Mac AirPort® joins only preferred networks.
Test Properties
There are no properties to set for this test.
How Does this Affect Me?
If you move between different locations, and you use an AirPort network in each one, you can choose your preferred AirPort network for each network location you create.
What Do I Need to Do?
Configure the Mac endpoint to prompt before joining open networks. Select Mac Help, or refer to the following link for assistance on configuring AirPort:
http://www.apple.com/support/airport/
Mac AirPort WEP Enabled
Description
This test verifies that WEP encryption is enabled for AirPort.
How Does this Affect Me?
Bluetooth is a wireless technology that allows computers and other devices (such as mobile phones and personal digital assistants (PDAs)) to communicate. Whenever you use a wireless technology, you should make sure that it is secure so that others cannot access your network.
Mac Internet Sharing
Description
This test verifies that internet sharing is disabled.
Test Properties
There are no properties to set for this test.
How Does this Affect Me?
Mac internet sharing allows one computer to share its internet connection with other computers.
What Do I Need to Do?
Enable or disable services on the endpoint.
Apple Menu>>System Preferences>>Sharing
Select the Services tab.
Select a service, such as Personal File Sharing.
Click Stop to turn off sharing for that service, or Start to turn on sharing for that service.
Tests Help
Security Settings – Windows
The Security settings tests verify that any endpoint attempting to connect to your system meets your specified security settings requirements.
Allowed Networks
Description
Checks for the presence of an unauthorized connection on an endpoint. These might include connections to a rogue wireless access point, VPN, or other remote network.
■ Medium. You can choose whether or not to run potentially unsafe macros.
■ Low. You are not protected from potentially unsafe macros. (Not recommended)
How Does this Affect Me?
Macros are simple programs that are used to repeat commands and keystrokes within another program.
■ Low. You are not protected from potentially unsafe macros. (Not recommended).
How Does this Affect Me?
Macros are simple programs that are used to repeat commands and keystrokes within another program. A macro can be invoked (run) with a simple command that you assign, such as [ctrl]+[shift]+[r].
How Does this Affect Me?
Macros are simple programs that are used to repeat commands and keystrokes within another program. A macro can be invoked (run) with a simple command that you assign, such as [ctrl]+[shift]+[r]. Some viruses are macro viruses and are hidden within a document.
Services explained:
http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch07n.mspx
How to identify the services running in a process:
http://www.microsoft.com/resources/documentation/windows/2000/server/scriptguide/en-us/sas_ser_arwi.mspx
Tips on Windows XP services:
http://www.theeldergeek.com/services_guide.htm
What Do I Need to Do?
For services you never use, disable the service. For services you may use occasionally, change the startup type from automatic to manual.
How Does this Affect Me?
Services are Windows operating system applications that run automatically, without manual intervention.
Services explained:
http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch07n.mspx
How to identify the services running in a process:
http://www.microsoft.com/resources/documentation/windows/2000/server/scriptguide/en-us/sas_ser_arwi.mspx
Tips on Windows XP services:
http://www.theeldergeek.com/services_guide.htm
What Do I Need to Do?
For services you always use, change the startup type to automatic.
Test Properties
Any endpoint which has a Windows bridge Network Connection will fail this test.
How Does this Affect Me?
Using network bridges can be useful in some environments; however, they also create a security risk.
What Do I Need to Do?
Do not use network bridges.
How Does this Affect Me?
Certain configurations, such as the ones listed above, create potential holes that can leak sensitive information if your system is compromised. Selecting the above policy options creates a more secure network environment. The following links provide detailed information on these security settings:
■ ...
Windows Startup Registry Entries Allowed
Description
This test verifies that the endpoint attempting to connect to your system does not contain non-compliant registry entries in the run and runOnce Windows registry keys.
Test Properties
Enter a list of registry keys and values that are allowed in the run and runOnce Windows registry keys.
What Do I Need to Do?
Verify that the run and runOnce registry keys run only compliant programs.
CAUTION: Modifying registry entries incorrectly can cause serious problems that may require you to reinstall your operating system. Back up the registry as described at the following links:
XP and Windows Server 2003 –...
Tests Help
Software – Windows
The Software tests verify that any endpoint attempting to connect to your system meets your specified software requirements. Installing the most recent version of your software helps protect your system against exploits targeting the latest vulnerabilities.
Anti-virus
Description
This test verifies that the endpoint attempting to connect to your system has the latest anti-virus software installed, that it is running, and that the virus definitions are up-to-date.
Test Properties
Select the anti-virus software allowed on your network. Any endpoint that does not have at least one of the anti-virus software packages selected will fail this test.
High-risk Software
Description
This test verifies that the endpoint attempting to connect to your system does not have High-risk software installed.
Test Properties
Select the high-risk software not allowed on your network. Any endpoint that has at least one of the high-risk software packages selected fails this test.
http://office.microsoft.com/en-us/downloads/default.aspx
Description
This test verifies that the endpoint attempting to connect to your system has only approved peer-to-peer (P2P) software installed.
Test Properties
Select the P2P software allowed on your network. If none of the P2P packages are selected, this means that you do not allow P2P software and any endpoint with P2P software enabled will fail this test.
How Does this Affect Me?
A firewall is hardware or software that views information as it flows to and from your computer. You configure the firewall to allow or block data based on criteria such as port number, content, source IP address, and so on. The following links provide more detailed information about firewalls:
■ ...
What Do I Need to Do?
Remove the software that is not allowed.
Software Required
Description
This test verifies that the endpoint attempting to connect to your system has the required software packages installed.
Test Properties
Enter a list of applications that are required on all connecting endpoints, separated with a carriage return.
Test Properties
This area of the window displays the current list of worms, viruses, and trojans. No selection actions are required.
How Does this Affect Me?
A virus is a program that infects other programs and files and can spread when a user opens a program or file containing the virus.
Important Browser Settings
Chapter Contents
Pop-up Windows . . . B-2
Active Content . . .
Pop-up Windows
The NAC 800 reports capability uses a pop-up window. In order for you to run reports on NAC 800, you must allow pop-up windows from the NAC 800 server.
To allow pop-up windows in IE 6.0 with SP2:
IE browser>>Tools>>Pop-up blocker>>Pop-up blocker settings...
(Figure B-1), to display at the top of the browser window when you access the NAC 800 help feature.
Figure B-1. Internet Explorer Security Warning Message
To view the NAC 800 online help in IE:
Click on the message box to display the options:
Figure B-2. IE Security Message Options
Select the Allow Blocked Content option.
IE browser>>Tools>>Options>>Advanced tab
Figure B-4. IE Internet Options, Advanced Tab
Scroll down to the security section.
Select the Allow active content to run in files on my computer check box.
Click OK.
Minimum Font Size
In order to properly display the NAC 800 console, do not specify the minimum font size.
To clear the IE minimum font size:
IE browser>>Tools>>Internet options>>General tab>>Accessibility button
Make sure all of the check boxes are cleared on this window.
Page Caching
To set the IE page caching options:
Internet Explorer browser>>Tools>>Internet Options
On the General tab, click Settings.
Under Check for new versions of stored pages, select the Automatically radio button.
Click OK.
In the Internet Options dialog box, click the Advanced tab.
In the Security options, make sure that Do not save encrypted pages to disk is not checked.
Temporary Files
Periodically delete temporary files from your system to improve browser performance.
To delete temporary files in IE:
Internet Explorer>>Tools>>Internet Options>>General tab
Click Delete Files.
Select the Delete all offline content check box.
Click OK.
Click OK.
Installation and Configuration Check List
Chapter Contents
Minimum System Requirements . . . C-2
IP Addresses, Hostname, Logins, and Passwords . . .
Workstation running one of the following browsers with 128-bit encryption:
Windows: Mozilla Firefox 1.5 or later; Mozilla 1.7; Internet Explorer 6.0
Linux: Mozilla Firefox 1.5 or later; Mozilla 1.7
ProCurve NAC Endpoint Integrity Agent License
ProCurve NAC Implementation Start-up Service, from an authorized ProCurve partner or ProCurve...
_______________________________________________
MS/ES server root password: ______________________________
MS/ES Database password:* ________________________________
NAC 800 console administrator account name: _______________
NAC 800 console administrator account password: ___________
SMTP server IP address: ____________________________________
Multiple-server Installations
The MS is installed on one physical server (appliance); each ES is installed on a unique physical server (appliance).
Time zone: _______________________________________________
MS server root password: __________________________________
MS Database password:* ____________________________________
NAC 800 console administrator account name: _______________
NAC 800 console administrator account password: ___________
SMTP server IP address: ____________________________________
Enforcement Server 1
Create at least one ES.
Cluster name 1:...
NAC 800 console administrator account name: _______________
NAC 800 console administrator account password: ___________
Enforcement Server 2
Create at least one ES.
Cluster name 2: ___________________________________________
ES IP address:...
ES Database password: ____________________________________
NAC 800 console administrator account name: _______________
NAC 800 console administrator account password: ___________
Proxy Server
If you use a proxy server for Internet connections, these fields are required:...
Agentless Credentials
Required fields are indicated by a red asterisk (*).
The administrator credentials for endpoints on a domain. Set them globally for all clusters, or override them on a per-cluster basis.
All clusters:
Windows domain name: ____________________________
Administrator user ID: *______________________________...
Quarantine
Required fields are indicated by a red asterisk (*).
Define quarantine methods and settings for all clusters, or on a per-cluster basis.
802.1X
IDM Server IP address ______________________________________
Quarantine subnets: _______________________________________
RADIUS server type (local or remote IAS): ___________________
Local RADIUS server type end-user authentication method:
Manual: ____________________________________________...
Identity: ___________________________________
Password: _________________________________
Base DN: __________________________________
Filter: _____________________________________
Password attribute: _________________________
End-user credentials user name: *______________
End-user credentials Password: ______________
802.1X Devices
Define 802.1X devices globally for all clusters, or on a per-cluster basis.
802.1X device 1
IP address: ________________________________________...
DHCP
Define quarantine areas for all clusters, or on a per-cluster basis. Create as many quarantine areas as you need.
NOTE: If you select DHCP quarantine, you must create at least one area or you will get a process error.
Hostnames: _________________________________________
IP addresses / ports: _________________________________
Networks: __________________________________________
Windows domain controller: __________________________
Accessible services and endpoints for cluster 1:
Web sites:___________________________________________
Hostnames: _________________________________________
IP addresses / ports: _________________________________
Networks: __________________________________________
Windows domain controller: __________________________
Accessible services and endpoints for cluster 2:
Web sites:___________________________________________
Hostnames: _________________________________________...
Installation and Configuration Check List Notifications Notifications Required fields are indicated by a red asterisk (*). Notifications are defined for all clusters, or on a per-cluster basis. All clusters Send information to: _________________________________ SNMP server IP address: _____________________________ Email information sent from:__________________________ Cluster 1 Send information to: _________________________________ SNMP server IP address: _____________________________...
Installation and Configuration Check List Test Exemptions Test Exemptions Required fields are indicated by a red asterisk (*). Exemptions are defined for all clusters, or on a per-cluster basis. All cluster endpoint testing exemptions (endpoints that are always allowed access or always quarantined): MAC addresses: _____________________________________ IP addresses: ________________________________________ NetBIOS names: _____________________________________...
Page 456
Installation and Configuration Check List Test Exemptions (This page intentionally left blank.) C-14...
Page 457
Glossary
The following terms and definitions are used in this book, and in other ProCurve Management Software documentation.

802.1X: A port-based authentication protocol that can dynamically vary encryption keys, and has three components: a supplicant, an authenticator, and an authentication server.
Meets defined standards or conditions.
CTA: Cisco Trust Agent
Enforcement cluster: A logical grouping of Enforcement servers.
Enforcement server: When using NAC 800 in a multiple-server installation, the server that is used for enforcement.
ES: Enforcement server
DC: Domain controller – A server that manages and controls the activities (such as user access) in the domain.
HA: High Availability – A multiple-server NAC 800 deployment is mutually supporting. Should one server fail, other nodes within a cluster will automatically provide coverage for the affected network segment.
HTML: Hyper text markup language – A language that tells a web browser how to display the web page.
MAC: Media Access Control – The unique number that identifies a physical endpoint. Generally referred to as the MAC address.
Management server: When using NAC 800 in a multiple-server installation, the server that is used for managing Enforcement servers.
MS: Management server
multinet: A physical network of two or more logical networks.
A section of a network that shares part of the IP address of that network.
SUS: Software Update Service
temporary access period: In NAC 800, a temporary period of time where an end-user is allowed access.
VPN: Virtual private network – A secure method of using the Inter-...
Index
Numerics select send an email 3rd-party software, installing active content 2, 4 802.1X allowing communication flow in the browser configuring the RADIUS server Active Directory connections and IAS 50, 43 enable 8, 9 ActiveX 44, 45, 46 enable XP endpoint testing method installing the RADIUS server logging levels, set...
grant access clear a temporary state quarantine an endpoint without testing client always quarantine communication flow, 802.1X domains configuration endpoints DHCP timeout 9, 10 assign endpoints and domains to a policy Windows XP Professional firewall authentication configure information non-HP switches 37, 40 server proxy RADIUS requests...
three minute server delete set up notification cluster specifying server email notifications NAC policy disable NAC policy group enable quarantine area enable 50, 43 user account 802.1X user role a NAC policy details, view report dll file DHCP file and printer sharing configuration the Authorization DLL file ports to specify...
test successful screen find services names testing failed screen Firefox, supported version view access screens firewall end-user access screens changing port 105, 106 customize letting RPC service through editing settings viewing testing the end-user through end-user options, selecting testing through 9, 10 end-user screen XP configuration...
quarantine an endpoint in a NAC policy import in DHCP mode certificate Mac OS the server’s certificate Mac OS agent inactive, set time remove INI file, connector verify inline managed endpoint install manually test an endpoint agent manually maximum naming endpoints per ES screen...
low security changing firewall MAC address enter a range medium security number in quarantined network move to new set number, accounting NetBIOS name number, authentication select default ports name controlled by AP Enforcement server to specify for DHCP and DC MS host posture NetBIOS in a NAC policy...
built-in retest configure an endpoint server and SA plug-in set time use existing server time using a proxy router using built-in range command timeout period, set entering ports connection timeout period, set 9, 10 of IP addresses service ranges to enforce to ignore SAIASConnector.ini...
settings contacting 802.1X, entering template location change MS SNMP templates modify MS changes during upgrade required for agentless edit and customize 16, 15 Windows 2003 Server renaming shared services temporarily quarantined SMTP server IP address temporary software access period and operating system updates files installing 3rd-party...
extending existing help standard view updating access status viewing help current list of tests three-minute delay endpoint information time Enforcement cluster statistics between tests ES status set automatically MS status set connection NAC policies window set manually online help set retest report details zone set...