Microsoft Corporation. UNIX is a registered trademark of The Open Group. Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer. Hewlett-Packard Company, 8000 Foothills Boulevard, m/s 5551, Roseville, California 95747-5551, http://www.procurve.com...
■ A ProCurve NAC Endpoint Integrity Agent License
ProCurve NAC 800 is delivered as a hardware appliance that you install in your network. After NAC 800 is installed in your network, you configure it using a workstation with browser software installed.
This document contains appliance specifications, safety information, and appliance certifications. ProCurve Network Access Controller 800 Configuration Guide – Refer to this document second, to understand the product's features, capabilities, and use. This document explains how to configure the appliance based on the usage model you choose to deploy in your network.
(see figure 1-2. System Monitor Window on page 1-7). Endpoint test status area – The Endpoint tests area displays the total number of endpoints that NAC 800 has attempted to test, and what the test status is for each endpoint. Click the number of endpoints to view details.
Figure 1-1. NAC 800 Home Window. Callouts: 1. Important status announcements; 2. User name; 3. Top 5 failed tests area; 4. Window actions; 5. Navigation pane; 6. Test status area; 7. Access control status area; 8. Enforcement server status area.
System Monitor
The System monitor window provides the following information:
■ Enforcement cluster name – The Enforcement clusters are listed by name in the order they were created. Click on a cluster name to view cluster details. You must have cluster-editing permissions to view and edit cluster details.
Figure 1-2. System Monitor Window (callout: Breadcrumbs for navigation)
The following figure shows the legend for the System monitor window icons:
Figure 1-3. System Monitor Window Legend...
Overview
NAC 800 protects the network by ensuring that endpoints are free from threats and in compliance with the organization's IT security standards. NAC 800 systematically tests endpoints—with or without the use of a client or agent—for compliance with organizational security policies, quarantining non-compliant machines before they damage the network.
■ Enforcement options – NAC 800 provides multiple enforcement options for quarantining endpoints that do not comply with your security policy (Inline, DHCP, and 802.1X). This enables NAC 800 to enforce compliance across complex, heterogeneous networks.
■ High availability and load balancing – A multi-server NAC 800 deploy-...
If you have external Intrusion Detection System/Intrusion Prevention System (IDS/IPS) systems that monitor your network for attacks, you can configure these external systems in NAC 800 so they can request that NAC 800 quarantine an endpoint after it has been connected (post-connect).
NAC 800 passes approximately 9 to 16 kilobytes of total data between a single endpoint and a single NAC 800 server for a single testing session with the High Security NAC policy (approximately 20 tests). It typically takes between 5 and 10 seconds to run all tests in a policy on a 100Mb LAN.
Compliance Enforcement
Based on endpoint test results, NAC 800 takes the appropriate action. Endpoints that test compliant with the applied policy are permitted access. Non-compliant endpoints are either quarantined, or are given access for a temporary period.
For more information, see “Reports” on page 14-1.
Installing third-party software on the NAC 800 server is not supported. If you install additional software on the NAC 800 server, you need to remove it in order to troubleshoot any NAC 800 issues, and it will likely be partially or fully overwritten during NAC 800 release upgrades or patch installs, compromising the third-party software functionality.
If there is no activity for 30 minutes, the configuration window times out and you must log in again.
Caution Paragraph – Cautions notify you of conditions that can cause errors or unexpected results. Example:
CAUTION: Do not rename the files or they will not be seen by NAC 800.
Low – You are not protected from potentially unsafe macros. (Not recommended).
■ Indicating document titles – NAC 800 Installation Guide
■ Indicating a variable entry in a command – https://<IP_address>/index.html
In this case, you must replace <IP_address> with the actual IP address, such as 10.0.16.99.
Courier font is used in the following cases:
■ Indicating path names – Change the working directory to the following: C:\Program Files\<MyCompany>\ProCurve NAC EI Agent
■ Indicating text; enter exactly as shown – Enter the following URL in the browser address field: https://<IP_address>/index.html In this case, you must replace <IP_address>...
■ Indicating a variable section in a *.INI file – [Global] NASList=192.168.200.135
■ Indicating a list in a properties file – Compliance.ObjectManager.DHCPConnectorServers=[192.168.51.130, 192.168.99.1]
Terms
Terms are defined in the “Glossary” on page F-1. Example: MAC Media Access Control –...
Example: 10. Copy the /usr/local/nac/properties/NACAVPs.txt file from the NAC 800 server to the ACS server using PSCP (or other secure copy utility). scp is a Linux/UNIX command used to copy files between Linux/UNIX machines.
Copying Files
To copy a file from a Windows machine to a Linux machine, enter the following:
<pscp directory>\pscp c:\documents\foo.txt fred@example.com:/tmp/foo
You will be prompted to enter a password for the Linux/UNIX machine.
NOTE: You can either enter the path to the PSCP.EXE file as part of the command, or cd to the directory where you saved the PSCP.EXE file before entering the pscp command.
Overview
NAC 800 uses clusters and servers. A "cluster" is a logical grouping of one or more ESs that are managed by one MS. A single-server installation is one where the MS and ES are on one server. The ES is assigned to a Default cluster.
Installation Examples
Single-server Installation
The simplest installation is where the MS and ES are installed on the same physical server as shown in the following figure:
Figure 2-1. Single-server Installation
Multiple-server Installations
By using at least three servers, one for the MS and two for ESs, you gain the advantage of high availability and load balancing.
High availability is where ESs take over for any other ES or servers that become unavailable. Load balancing is where the testing of endpoints is spread evenly over all of the ESs. A three-server installation is shown in the following figure:
Figure 2-2.
When your network is more complex, you can continue to add clusters as shown in the following figure:
Figure 2-3. Multiple-server, Multiple-cluster Installation
The system configuration area allows you to select default settings for all clusters, as well as override the default settings on a per-cluster basis.
■ All endpoints are returned to the proper status within 15 minutes after a network recovery (power failure, all endpoints attempting to reconnect, 3000 endpoints per ES)
Default Menu Options Only a system administrator can assign access permissions and access the System configuration window. See Figure 1-1 on page 1-5 for the NAC 800 home window of a user with system administration permissions. If you do not see the System configuration menu option, you do not have system administrator permissions.
■ Quarantining – “Quarantining, General” on page 3-46
■ Maintenance – “Maintenance” on page 3-96
■ Cluster setting defaults
• Testing Methods – “Testing Methods” on page 3-100
• Accessible services – “Accessible Services” on page 3-103
•...
Enforcement Clusters and Servers
The Enforcement clusters & servers menu option (figure 3-3) is where you configure Enforcement clusters and servers. You can perform the following tasks:
■ Enforcement clusters
• Add, edit, or delete Enforcement clusters
•...
Enforcement Clusters
Adding an Enforcement Cluster
To add an Enforcement cluster:
Home window>>System configuration>>Enforcement clusters & servers
Figure 3-1. System Configuration, Enforcement Clusters & Servers...
Click Add an Enforcement cluster in the Enforcement clusters & servers area. The Add Enforcement cluster window appears. The General area is displayed by default.
Figure 3-2. Add Enforcement Cluster
b. Enter a name for the Enforcement cluster in the Cluster name field.
change, then select the For this cluster, override the default settings check box, and make the desired changes. Refer to the sections listed below to set up the default values, or for more information on the specific settings. Testing methods –...
Viewing Enforcement Cluster Status
There are two ways NAC 800 provides Enforcement cluster status:
■ The icons next to the cluster name (see Figure 3-4 on page 3-12)
■ The Enforcement cluster window (see the following steps)...
Deleting Enforcement Clusters NOTE: Enforcement clusters need to be empty before the delete option appears next to the name in the NAC 800 user interface. To delete Enforcement clusters: Home window>>System configuration>>Enforcement clusters & servers Click delete next to the cluster you want to remove. The Delete Enforcement cluster confirmation window appears.
Enforcement Servers
Adding an ES
To add an ES:
Home window>>System configuration>>Enforcement clusters & servers
Figure 3-4. System Configuration, Enforcement Clusters & Servers
Click Add an Enforcement server in the Enforcement clusters & servers area. The Add Enforcement server window appears.
Figure 3-5. Add Enforcement Server
Select a cluster from the Cluster drop-down list. Enter the IP address for this ES in the IP address text box. Enter the fully qualified hostname to set on this server in the Host name text box.
Move the mouse away from the legend icon to hide the pop-up window.
Figure 3-6. Enforcement Cluster Legend
Editing ESs
To edit ES settings:
Home window>>System configuration>>Enforcement clusters & servers
Click the ES you want to edit. The Enforcement server window appears, as shown in Figure 3-7 on page 3-15.
Click the Configuration menu option to access the Enforcement Server’s settings. The Configuration area is displayed:
Figure 3-7. Enforcement Server
Edit the following settings:
• ES Network settings – “Changing the ES Network Settings” on page 3-
•...
DNS IP addresses text box. For example: 10.0.16.100,10.0.1.1 NOTE: The NAC 800 ESs host name must be a fully qualified domain name (FQDN). For example, the FQDN should include the host and the domain name— including the top-level domain.
Re-enter the password in the Re-enter root password text box. Click ok.
Viewing ES Status
There are two ways NAC 800 provides ES status:
■ The icons next to the server name (see Figure 3-6 on page 3-14)
■ The Status window (see the following steps). The Enforcement server...
• Upgrade status
• Process/thread status
• System load average for the server
• Current endpoints being tested/minute for the server
• Percentage of memory used on the server
• Disk space usage for the server
To view ES status:
Home window>>System configuration>>Enforcement clusters &...
Deleting ESs NOTE: Servers need to be powered down for the delete option to appear next to the name in the NAC 800 user interface. To delete ESs: Home window>>System configuration>>Enforcement clusters & servers Click delete next to the server you want to remove from the cluster. The Delete Enforcement server confirmation window appears.
Management Server
Viewing Network Settings
To view MS status:
Home window>>System configuration>>Management server
Figure 3-9. System Configuration, Management Server
Server status is shown in the Network settings area. Click ok or cancel.
Modifying MS Network Settings
CAUTION: Back up your system immediately after changing the MS or ES IP address. If you do not back up with the new IP address, and later restore your system, it will restore the previous IP address which can show an ES error condition and cause authentication problems.
• Enter a new netmask in the Network mask text field. For example: 255.255.255.0
• Enter a new gateway in the Gateway IP address text field. For example: 192.168.153.2
• Enter one or more DNS resolver IP addresses, separated by commas, semicolons, or spaces in the DNS IP addresses text box.
Select Automatically receive NTP updates from and enter one or more Network Time Protocol (NTP) servers, separated by commas. The NTP protocol allows NAC 800 to synchronize its date and time with other endpoints on your network. For example, time.nist.gov.
Select Manually set date & time. Click edit. The Date and time window appears:
Figure 3-11. Date & Time
Select the correct date and time. Click ok. Click ok.
CAUTION: Manually changing the date/time (other than a time zone change) a large amount will require a restart of all servers.
Enter the new password in the Root password text box in the Other settings area. Re-enter the password in the Re-enter root password text box. Click ok.
Checking for NAC 800 Upgrades
To check for system upgrades:
Home window>>System configuration>>Management server
To change the inactivity timeout value for upgrades: Command window Log in to the NAC 800 server as root, either using SSH or directly with a keyboard. Enter the following at the command line: setProperty.py -m...
User Accounts NAC 800 allows you to create multiple user accounts. User accounts provide and limit access to NAC 800 functions based on permissions (user roles) and clusters assigned. See “User Roles” on page 3-36 for more information on setting permissions for the user roles.
Figure 3-12. System Configuration, User Accounts
Figure 3-13. Add User Account
Enter the following information:
• User ID – The user ID used to log into NAC 800
• Password – The password used to log into NAC 800
• Full name – The name associated with the user account
•...
• Help Desk Technician
• You can select a custom user role if you have created any.
NOTE: Users must be assigned at least one role.
In the Clusters area, select a cluster or clusters.
NOTE: Users must be assigned at least one Enforcement cluster.
TIP: Click reset to clear the text field and to refresh the display to show all accounts after a search.
Sorting the User Account Area
To sort the user account area:
Home window>>System configuration>>User accounts
Click the column heading for user id, full name, email address, user roles, or clusters.
Click copy next to the user account you want to duplicate. The Copy user account window appears. The account information is duplicated from the original account.
Figure 3-14. Copy User Account
Enter the User ID of the new account. Enter the Password.
Click the name of the user account that you want to edit. The User account window appears:
Figure 3-15. User Account
Change or enter information in the fields you want to change. See “Adding a User Account” on page 3-28 for information on user account settings. Click ok.
Click delete next to the user account you want to remove. The Delete user account confirmation window appears. Click yes.
User Roles
The User roles menu option allows you to configure the following:
■ View current user roles and details associated with those roles
■ Add a new user role
• Name the new user role
•...
Figure 3-16. System Configuration, User Roles
Click add a user role in the User roles area. The Add user role window appears.
Figure 3-17. Add User Role
Enter a descriptive name in the Role name field. Enter a description of the role in the Description field. Select the permissions for the user role.
Table 3-3. User Role Permissions
Permission              Description
Monitor system status   Allows you to monitor the system status
Control Access          Allows you to quarantine or grant network access to endpoints in your clusters
Retest endpoints        Allows you to have endpoints in your clusters retested
Click ok.
Deleting User Roles
NOTE: You cannot delete the System Administrator role.
To delete user roles:
Home window>>System configuration>>User roles
Click delete next to the user role you want to remove. The Delete user role confirmation window appears.
License
The License menu option allows you to configure the following:
■ View license start and end dates
■ View number of days remaining on license, and associated renewal date
■ View remaining endpoints and servers available under license...
Click ok on the license validated pop-up window.
Test Updates
The Test updates menu option allows you to configure the following:
■ View last successful test update date/time
■ Check for test updates (forces an immediate check for test updates)
■ Set time or times for downloading test updates...
By default, NAC 800 checks once every hour using the ProCurve Secure Rule Distribution Center. All times listed are dependent upon the clock setting and time zone of the hardware on which NAC 800 is running. Click ok. Viewing Test Update Logs To view test update logs: Home window>>System configuration>>Test updates...
Click the View test update log link just to the right of the Check for test updates button. The Test update log window appears:
Figure 3-21. Test Update Log
The Test update log window legend is shown in the following figure:
Figure 3-22.
Quarantining, General
The Quarantining menu option allows you to configure the following by cluster:
■ Select the quarantine method
■ Select the access mode
■ Basic 802.1X settings
■ Authentication settings
■ Add, edit, delete 802.1X devices...
Select a cluster. In the Quarantine method area, select one of the following quarantine methods:
• 802.1X – When using the 802.1X quarantine method, NAC 800 must sit in a place on the network where it can communicate with your RADIUS server, which communicates with your switch or router, which performs the quarantining.
• Inline – When using the inline quarantine method, NAC 800 must be placed on the network where all traffic to be quarantined passes through NAC 800. It must be inline with an endpoint like a VPN.
Click ok.
Selecting the Access Mode
To select the access mode:
Home window>>System configuration>>Quarantining...
Quarantining, 802.1X
The 802.1X quarantine (enforcement) method is enabled by default.
To select the 802.1X quarantine method:
Home window>>System configuration>>Quarantining
Select a cluster. In the Quarantine method area, select the 802.1X radio button. Click ok.
Entering Basic 802.1X Settings
To enter basic 802.1X settings:
Home window>>System configuration>>Quarantining>>802.1X quarantine method radio button...
Select an End-user authentication method:
• Manual – RADIUS server authentication settings are configured manually from the command line. See “Enabling NAC 800 for 802.1X” on page 11-38 for configuration information.
• Windows domain – Authentication requests are handled by a Windows...
Select Windows domain from the End-user authentication method drop-down list.
Figure 3-24. System Configuration, Windows Domain
Enter the Fully Qualified Domain Name (FQDN) of the domain to be joined in the Domain name text field.
Enter the user name of an account with sufficient administrative rights to join an ES to the domain in the Administrator user name text field. Enter the password of the account entered into the Administrator user name field in the Administrator password text field.
Select OpenLDAP from the End-user authentication method drop-down list.
Figure 3-25. System Configuration, OpenLDAP
Enter the LDAP server hostname or IP address and optional port number in the Server text field. For example: 10.0.1.2:636
Enter the DN under which LDAP searches should be done in the Identity text field. For example: cn=admin,o=My Org,c=UA
Enter the password that authenticates the DN entered into the Identity text field in the Password text field.
Configuring Novell eDirectory Settings
To configure Novell eDirectory settings:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Local radio button
Select Novell eDirectory from the End-user authentication type drop-down list.
Figure 3-26. System Configuration Window, RADIUS, Novell eDirectory
Enter the LDAP server hostname or IP address and optional port number in the Server text field. For example: 10.0.1.2:636
Enter the Distinguished Name (DN) under which LDAP searches should be done in the Identity text field. For example: cn=admin,o=My Org,c=UA
Enter the password that authenticates the DN entered into the Identity text field in the Password text field.
11. Click ok.
Adding 802.1X Devices
To add an 802.1X device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 3-27. Add 802.1X Device
Enter the IP address of the 802.1X device in the IP address text field. Enter a shared secret in the Shared secret text field.
• HP ProCurve WESM – See “HP ProCurve WESM” on page 3-74.
• HP ProCurve 420/530 AP – See “HP ProCurve 420 AP or HP ProCurve 530 AP” on page 3-77.
• Nortel – See “Nortel” on page 3-79.
•...
Figure 3-29. Add 802.1X Device, Test Connection Area Option 2
For ProCurve, Nortel, Other switches (figure 3-28):
Select the Method to execute the re-authentication command in test:
– 802.1X
– MAC auth
b. Enter the port of the endpoint being tested in the Port text field.
Figure 3-30. Add Cisco IOS Device
Enter the IP address of the Cisco IOS device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
10. Enter the Cisco port mask in the text field. This specifies which characters within the endpoint identifier returned by the Cisco device contain the bank and port information of the endpoint. All offsets start at 0, so a mask of 2/34 indicates character 3 for the bank and characters 4 and 5 for the port.
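The port-mask convention described in step 10, as an added Python example (not NAC 800 code): it parses a mask such as 2/34 into zero-based offsets and applies it to a constructed endpoint identifier, rejecting malformed masks and offsets that run past the identifier. The reading that every mask character is one offset comes from the guide's own example; the function names, the one-digit-per-offset limit and the sample identifier are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class PortMask:
    """Zero-based character offsets selected from an endpoint identifier."""
    bank_offsets: Tuple[int, ...]
    port_offsets: Tuple[int, ...]


def parse_port_mask(mask: str) -> PortMask:
    """Parse a Cisco port mask such as '2/34'.

    Reading taken from the guide: every character left of the '/' is one
    zero-based offset into the endpoint identifier for the bank, and every
    character right of it is one offset for the port. '2/34' therefore
    selects character 3 for the bank and characters 4 and 5 for the port
    (counting from 1). Assumption of this example: offsets are single
    digits, so an offset above 9 cannot be expressed in this form.
    """
    if mask.count("/") != 1:
        raise ValueError(f"mask needs exactly one '/': {mask!r}")
    bank, port = mask.split("/")
    if not bank or not port:
        raise ValueError(f"bank and port parts must both be non-empty: {mask!r}")
    if not (bank + port).isdigit():
        raise ValueError(f"mask offsets must be decimal digits: {mask!r}")
    return PortMask(tuple(int(c) for c in bank), tuple(int(c) for c in port))


def _select(identifier: str, offsets: Tuple[int, ...], what: str) -> str:
    """Pick the characters at the given offsets, refusing to read past the end."""
    out = []
    for off in offsets:
        if off >= len(identifier):
            raise ValueError(
                f"{what} offset {off} is beyond the end of identifier {identifier!r}")
        out.append(identifier[off])
    return "".join(out)


def apply_port_mask(identifier: str, mask: str) -> Tuple[str, str]:
    """Return the (bank, port) strings that the mask selects from identifier."""
    pm = parse_port_mask(mask)
    return (_select(identifier, pm.bank_offsets, "bank"),
            _select(identifier, pm.port_offsets, "port"))


if __name__ == "__main__":
    # Constructed identifier, not captured from a switch: with mask 2/34 the
    # character at offset 2 ('3') is the bank and offsets 3-4 ('12') the port.
    print(apply_port_mask("AB3127", "2/34"))  # ('3', '12')
```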
Figure 3-31. Add Cisco CatOS Device
Enter the IP address of the Cisco CatOS device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
If you have your CatOS switch configured to run in enable mode with a user name, the expect script supplied with NAC 800 will not run “out of the box.” Workaround: Do not use a user name with your switch, or modify the expect script in the console to include the user name.
Add the correct expect script syntax to the text box for enable mode user name. See your switch documentation for more information on the correct syntax. Click ok.
Enterasys
To add an Enterasys device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 3-32.
Enter an alias for this device that appears in log files in the Short name text field. Select Enterasys from the Device type drop-down list. Select telnet or SSH from the Connection method drop-down list. Enter the User name with which to log into the device's console. Enter the Password with which to log into the device's console.
Figure 3-33. Add ExtremeWare Device
Enter the IP address of the ExtremeWare device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
11. Select the Show scripts plus symbol to show the following scripts:
• Initialization script – The expect script used to log into the console and enter enable mode.
• Re-authentication script – The expect script used to perform endpoint re-authentication.
Figure 3-34. Add Extreme XOS Device
Enter the IP address of the Extreme XOS device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
• Initialization script – The expect script used to log into the console and enter enable mode.
• Re-authentication script – The expect script used to perform endpoint re-authentication.
• Exit script – The expect script used to exit the console.
11.
• Exit script – The expect script used to exit the console.
14. Click ok.
TIP: Click revert to defaults to restore the default settings.
HP ProCurve Switch
To add an HP ProCurve switch:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 3-36. Add HP ProCurve Device
Enter the IP address of the HP ProCurve device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
To help confirm accuracy, type the same password you entered into the Password field in the Re-enter Password field.
d. Enter the Enable mode user name that is used to enter enable mode on this device. Enter the Password used to enter enable mode on this device.
Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field.
TIP: Click revert to defaults to restore the default settings.
HP ProCurve WESM
To add an HP ProCurve WESM device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 3-37. Add HP ProCurve WESM Device
Enter the IP address of the HP ProCurve WESM device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
Select the type of the re-authentication OID from the OID type drop-down list:
• INTEGER
• unsigned INTEGER
• TIMETICKS
• IPADDRESS
• OBJID
• STRING
• HEX STRING
• DECIMAL STRING
• BITS
• NULLOBJ
Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field.
802.1X device
Figure 3-38. Add HP ProCurve 420/530 AP Device
Enter the IP address of the HP ProCurve AP or HP ProCurve 530 AP device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
Select ProCurve 420 AP or ProCurve 530 AP from the Device type drop-down list. Enter the Community string used to authorize writes to SNMP objects. Enter the OID used to re-authenticate an endpoint in the Re-authenticate OID text field.
Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field.
TIP: Click revert to defaults to restore the default settings.
Nortel
To add a Nortel device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 3-39.
Re-enter the shared secret in the Re-enter shared secret text field. Enter an alias for this device that appears in log files in the Short name text field. Select Nortel from the Device type drop-down list. Select telnet or SSH from the Connection method drop-down list.
Figure 3-40. Add Other Device
Enter the IP address of the new device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
10. Select the Show scripts plus symbol to show the following scripts:
NOTE: You must enter the script contents yourself for the 802.1X device you are adding.
• Initialization script – The expect script used to log into the console and enter enable mode.
Quarantining, DHCP
To select the DHCP quarantine method:
Home window>>System configuration>>Quarantining
Select a cluster. In the Quarantine method area, select the DHCP radio button. Click ok.
DHCP Server Configuration
Inline DHCP server is selected by default. If you want to use the DHCP plug-in, which allows you to use multiple DHCP servers, see the instructions in “DHCP Plug-in”...
Figure 3-41. System Configuration, Quarantining, DHCP Enforcement
Inline DHCP server is selected by default. If you wish to use multiple DHCP servers, see the instructions in “DHCP Plug-in” on page 13-1. Select one of the following radio buttons:
•...
These addresses must be a subset of either the quarantined or non-quarantined subnets. This limits the enforcement scope to DHCP requests relayed via these IP addresses, allowing you to restrict enforcement to only those DHCP requests which are forwarded via particular routers or Layer 3 switches.
DHCP settings with no gateway and a netmask of 255.255.255.255. Static routes and a Web proxy server built into NAC 800 allow the endpoint access to specific networks, IP addresses, and Web sites. These networks, IP addresses, and Web sites are configured in the accessible endpoint list setting (System Configuration>>Accessible Services).
System Configuration Quarantining, DHCP TIP: The quarantine areas can either be a subset of your existing DHCP scopes or a separate network multinetted on your router. If this option is not selected, enforcement must occur using ACLs on your router. TIP: To set up multiple quarantine areas, click Add a quarantine area, then enter the information detailed in step 2 for each additional quarantine area.
System Configuration Quarantining, DHCP Click edit next to the quarantine area you want to edit. The Quarantine area window appears: Figure 3-43. Quarantine Area Edit the information in the fields you want to change. See “Adding a DHCP Quarantine Area” on page 3-85 for information on Quarantine area options. Click ok.
System Configuration Quarantining, Inline Quarantining, Inline To select the Inline quarantine method: Home window>>System configuration>>Quarantining Select a cluster. In the Quarantine method area, select the Inline radio button. Click ok. 3-89...
To open the firewall for your post-connect service:
Command line window
Log in to the NAC 800 MS as root using SSH or directly with a keyboard. Enter the following command at the command prompt:
iptables -I INPUT -s <host> -m tcp -p tcp --dport 61616 -j ACCEPT
Where <host>...
“Launching Post-connect Systems” on page 3-93.
Setting NAC 800 Properties
Most NAC 800 properties are set by default. To change or set properties, you must change the properties as described in “Changing Properties” on page 15- You must set the following properties for NAC 800 to communicate with your external post-connect server (see “Configuring the Post-...
Select the Automatically log into service check box to log into the post-connect service automatically when it is launched by clicking the post-connect service name on the NAC 800 Post-connect window (Home>>Post-connect). Enter the user name of the account to be used for logging into the post-connect service in the User name text field.
Post-connect in the Endpoint Activity Window
When an external service requests that an endpoint be quarantined, it sends the request to NAC 800, which quarantines the endpoint based on the hierarchy rules described in “Endpoint Quarantine Precedence” on page 7-2.
The icons on the Endpoint activity window show that the endpoint is quarantined by an external service. When you hover the cursor over the icon, the quarantine details are presented in a pop-up window:
Post-connect service name
Post-connect service logo
Figure 3-47.
Copy the logo and icon files to the following directory on the NAC 800 MS (see “Copying Files” on page 1-20):
/usr/local/nac/webapps/ROOT/images
Log in to the NAC 800 MS as root using SSH or directly with a keyboard. Modify the following properties in the nac-ms.properties file (see “Changing Properties” on page 15-11):
Compliance.PostConnect.Agents.<PRODUCTID>.Logo=<Logo...
Maintenance
The Maintenance window allows you to back up the MS database, properties files, keystore files, and subscription files in a file with the following name:
backup-<year-month-day>Thh-mm-ss.tar.bz2
where:
year is the year the system was backed up = 2007
■...
Figure 3-48. System Configuration, Maintenance
Click begin backup now in the Backup area. The Operation in progress confirmation window appears. Depending on your browser and browser settings, a pop-up window may appear asking if you want to save or open the file. Select Save to disk and click OK.
See “Restoring from Backup” on page 15-14 for information about restoring from a backup file.
TIP: If you are using Backup and Restore to move configuration files from one physical server to another, you must have the same version of NAC 800 installed on both servers.
Downloading Support Packages
Support packages are useful when debugging your system with ProCurve Networking by HP. If a support package is necessary, ProCurve Networking by HP will instruct you to generate one and will provide instructions on how to upload the generated package (a TAR file).
Cluster Setting Defaults
The following sections describe how to globally set the default settings for all clusters. For information on overriding the default settings for a specific cluster, see “Enforcement Clusters and Servers” on page 3-6.
Testing Methods
The Testing methods menu option allows you to configure the following:
Select testing methods...
The NAC 800 backend attempts to test an endpoint transparently in the following order:
NAC 800 tries to test with the agent-based test method. If no agent is available, NAC 800 tries to test with the ActiveX test method.
If ActiveX is not available and if credentials for the endpoint or domain exist, NAC 800 tries to test with the agentless test method. If the endpoint cannot be tested transparently, then NAC 800 uses the end-user access screens to set up a test method and sequence for interacting with the end-user.
The agent-based test method is recommended for any environment where enforcement is enabled on Windows Vista endpoints.
Selecting End-user Options
To select end-user options:
Home window>>System configuration>>Testing methods
Select one or more of the following options:
• Allow end-users to have their administrator login information saved for...
Web sites – www.mycompany.com
Host names – bagle.com
IP addresses – 10.0.16.100
Ports – 10.0.16.100:53
Networks – 10.0.16.1/24
Range of IP addresses – 10.0.16.1/30
You do not need to enter the IP address of the NAC 800 server here. If you...
In DHCP mode, when your DHCP server and Domain Controller are behind NAC 800, you must specify ports 88, 135 to 159, 389, 1025, 1026, and 3268 as part of the address. If you do not specify a DHCP address, users are blocked.
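To make the entry formats above concrete, here is an added example (not NAC 800 code) that classifies Accessible services entries written in those forms, checks which destinations a given entry lets a quarantined endpoint reach, and lists the Domain Controller ports the DHCP-mode note requires. Normalising a network entry such as 10.0.16.1/24 to the block 10.0.16.0/24, the hostname syntax check, and the sample addresses are assumptions of the example.

```python
"""Added example (not NAC 800 code): parse Accessible services entries and check
which destinations they allow.

Entry forms are the ones the guide lists: Web site / host name, IP address,
IP:port, and a network or range written as CIDR. The Domain Controller ports for
DHCP mode (88, 135-159, 389, 1025, 1026, 3268) are taken from the guide."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Ports the guide says must be listed for a DC that sits behind NAC 800 in DHCP mode.
DC_PORTS = frozenset({88, 389, 1025, 1026, 3268} | set(range(135, 160)))

# Conservative DNS name syntax (assumption; the guide does not define one).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)


@dataclass(frozen=True)
class Entry:
    kind: str                    # "name", "network" or "host"
    value: str                   # normalised name, CIDR block or IP address
    port: Optional[int] = None   # only for "host" entries written as IP:port


def parse_entry(text: str) -> Entry:
    """Classify one Accessible services entry; raises ValueError for junk."""
    s = text.strip()
    if not s:
        raise ValueError("empty entry")
    if "/" in s:                          # Networks and Ranges: both are CIDR blocks
        block = ipaddress.ip_network(s, strict=False)   # host bits ignored (assumption)
        return Entry("network", str(block))
    head, sep, tail = s.rpartition(":")
    if sep and tail.isdigit():            # Ports: IP:port
        port = int(tail)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {text!r}")
        return Entry("host", str(ipaddress.ip_address(head)), port)
    try:
        return Entry("host", str(ipaddress.ip_address(s)))
    except ValueError:
        pass
    if HOSTNAME_RE.match(s):              # Web sites and Host names
        return Entry("name", s.lower())
    raise ValueError(f"unrecognised Accessible services entry: {text!r}")


def entry_allows(entry: Entry, dst_ip: str, dst_port: Optional[int] = None,
                 dst_name: Optional[str] = None) -> bool:
    """True if this entry lets a quarantined endpoint reach the destination."""
    if entry.kind == "name":
        return dst_name is not None and dst_name.lower() == entry.value
    ip = ipaddress.ip_address(dst_ip)
    if entry.kind == "network":
        return ip in ipaddress.ip_network(entry.value)
    if ip != ipaddress.ip_address(entry.value):
        return False
    return entry.port is None or entry.port == dst_port   # a bare IP allows every port


def dc_port_gaps(entries: Iterable[Entry], dc_ip: str) -> List[int]:
    """Required DC ports (DHCP mode) that no entry covers for dc_ip."""
    entries = list(entries)
    return sorted(p for p in DC_PORTS
                  if not any(entry_allows(e, dc_ip, p) for e in entries))


def dc_entries(dc_ip: str) -> List[str]:
    """The IP:port lines to add so a DC behind NAC 800 is reachable from quarantine."""
    return [f"{ipaddress.ip_address(dc_ip)}:{p}" for p in sorted(DC_PORTS)]


if __name__ == "__main__":
    # Constructed sample list using the guide's own example values.
    sample = ["www.mycompany.com", "bagle.com", "10.0.16.100", "10.0.16.100:53",
              "10.0.16.1/24", "10.0.16.1/30"]
    for line in sample:
        print(f"{line:20} -> {parse_entry(line)}")
    # Constructed DC address with only two of the required ports listed.
    partial = [parse_entry("10.0.16.5:88"), parse_entry("10.0.16.5:389")]
    print("missing DC ports:", dc_port_gaps(partial, "10.0.16.5"))
```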
■ The endpoints and domains that are always quarantined (blacklist)
Always Granting Access to Endpoints and Domains
To always grant access to endpoints and domains:
Home window>>System configuration>>Exceptions
Figure 3-52. System Configuration, Exceptions
To exempt endpoints from testing, in the Whitelist area, enter the endpoints by MAC or IP address, or NetBIOS name.
To always quarantine domains when testing, in the Blacklist area, enter the domains.
TIP: In DHCP mode, the NAC 800 firewall quarantines based on MAC address (everything entered must be translated to the corresponding endpoint's MAC address). This translation occurs each time activity from the endpoint is detected.
Figure 3-53. System Configuration, Notifications
To send email notifications, you must provide NAC 800 with the IP address of a Simple Mail Transfer Protocol (SMTP) email server. This SMTP email server must allow SMTP messages from the NAC 800 machine. Use the following steps to configure the SMTP email server function:
Select the radio button next to Send email notifications.
To disable email notifications:
Home window>>System configuration
Select a cluster. The Enforcement cluster window appears. Select the Notifications menu item. Select the For this cluster, override the default settings check box. Select Do not send email notifications. Click ok.
Enter the customization information:
Organization logo image – Enter a path to your organization’s logo, or click Browse to select a file on your network. ProCurve recommends you place your logo here to help end-users feel secure about having their computers tested.
This URL points to port 89 on the NAC 800 ES (the default end-user screen that shows the test failed results), and is where the user is directed to when they click the Get details button on the new pop-up window.
You can verify your changes to the end-user access screens immediately by pointing a browser window to port 88 of your NAC 800 installation. For example, if the IP address of your NAC 800 installation is 10.0.16.18, point the browser window to:
http://10.0.16.18:88...
Figure 3-55. System Configuration, Agentless Credentials
Click Add administrator credentials. The Add Windows administrator credentials window appears:
Figure 3-56. Agentless Credentials, Add Windows Administrator Credentials
In the Add Windows administrator credentials window, enter the following:
NOTE: NAC 800 saves authentication information encrypted on the NAC 800 server. When a user connects with the same browser, NAC 800 looks up this information and uses it for testing.
TIP: When using the Windows administrator account connection method, NAC 800 performs some user-based tests with the administrator account's user registry settings, rather than those of the actual user logged into the endpoint.
Editing Windows Credentials
To edit Windows credentials:
Home window>>System configuration>>Agentless credentials
Click edit next to the name of the Windows administrator credentials you want to edit. Enter or change information in the fields you want to change. (See “Adding Windows Credentials”...
Logging
Setting ES Logging Levels
You can configure the amount of diagnostic information written to log files, ranging from error (error-level messages only) to trace (everything).
To set ES logging levels:
Home window>>System configuration>>Logging
Figure 3-57. System Configuration, Logging Option
To configure the amount of diagnostic information written to log files, select a logging level from the Enforcement servers drop-down list:
•...
• debug – Log debug-level and above messages only
• trace – Log everything
CAUTION: Setting the log level to trace may adversely affect performance.
Click ok.
Setting 802.1X Devices Logging Levels
You can configure the amount of diagnostic information written to log files related to 802.1X re-authentication, ranging from error (error-level messages only) to trace (everything).
To configure the amount of diagnostic information written to log files related to IDM, select a logging level from the IDM drop-down list:
• error – log error-level messages only
• warn – log warning-level messages only
•...
Enter a number of seconds in the Agent read timeout period text field. The agent read timeout is the time in seconds that NAC 800 waits on an agent read. Use a larger number for systems with network latency issues.
Home window>>System configuration>>Advanced
Enter a number of seconds in the RPC command timeout period text field. The RPC command timeout is the time in seconds that NAC 800 waits on an rpcclient command to finish. Use a larger number for systems with network latency issues.
Endpoint Activity
Overview
Use the Endpoint activity window to monitor end-user connection activity.
Home window>>Endpoint activity
The Endpoint activity window has the following sections:
■ Endpoint selection area – The left column of the window provides links that allow you to quickly filter the results area by Access control status or Endpoint test status.
1. Endpoint selection area
2. Search criteria area
3. Search results area
Figure 4-1. Endpoint Activity, All Endpoints Area...
Filtering the Endpoint Activity Window
You can modify the results shown in the Endpoint activity window to include activity for the following:
■ Access control status
■ Endpoint test status
■ Cluster
■ NetBIOS name
■ IP address
■...
Select a method for filtering the results window, by a specific access control status or endpoint status, as shown in the following figure:
Figure 4-2. Endpoint Activity, Menu Options
NOTE: This part of the window reflects the total number of endpoints in the network at the current time.
Home window>>Endpoint Activity
Figure 4-3. Timeframe Drop-down List
Select Disconnected in the Access control status area. Select one of the options from the Timeframe drop-down list. Click search. The results area updates to match the time frame selected, and the Timeframe selected is highlighted to show that this filter option has been applied.
Searching
To search the Endpoint activity window:
Home window>>Endpoint activity>>Search criteria area
Figure 4-5. Search Criteria
Select any or all of the following:
• A Cluster from the drop-down list
• A NAC policy from the drop-down list
•...
TIP: The search box is not case-sensitive. Searching matches entire words. You must enter wildcard characters (*) to match substrings. For example, 192.168.*.
Access Control States
NAC 800 provides on-going feedback on the access status of endpoints in the Endpoint activity window as follows:
TIP: To view access status, see “Viewing Endpoint Access Status” on page 4-16.
■...
Endpoint Test Status
NAC 800 provides on-going feedback on the test status of endpoints in the left pane of the Endpoint activity window as follows:
TIP: To view access status, see “Viewing Endpoint Access Status” on page 4-16.
■ Testing (agentless test) – NAC 800 shows this status briefly while the agentless test is being performed.
■ Passed – NAC 800 shows this status after the endpoint has passed the test and is connected to the network.
■...
■ Installation failed – NAC 800 shows this status when the agent cannot be installed. This is likely due to permission problems on the endpoint.
■ Agent not active – NAC 800 shows this status when an endpoint that was previously running the agent is no longer running the agent. This is likely due to a firewall being turned on.
routing issue which is not allowing the endpoint to reach the necessary servers on the network. Also, if NAC 800 is inline with the domain controller, you might need to open up the appropriate ports (135 through 138, 445, 389, 1029) in the NAC 800 accessible endpoints configuration for your domain controller IP address.
Enforcement Cluster Access Mode
The access mode of each cluster can be one of the following:
■ normal – Endpoints are tested and allowed access or quarantined based on policies, exceptions, and administrator overrides.
■...
the endpoint is allowed access because of the change to allow all mode; however, when the mode is changed back to normal, the endpoint will again be quarantined for the reason listed.
Figure 4-10. Failed Endpoint Allow All Mode Mouse Over
Viewing Endpoint Access Status
To view access status for an endpoint:
Home window>>Endpoint activity window
Locate the endpoint you are interested in. The first column is the selection column, the second column is the Endpoint test status column, and the third column is the Access control status column.
NOTE: If an endpoint is seen by two different clusters simultaneously, the endpoint state can get lost. This could happen, for example, if you had a Training cluster and an Engineering cluster and an endpoint that was connected in the Engineering cluster also attempted to connect by way of the Training cluster.
Selecting Endpoints to Act on
To select endpoints to act on:
Home window>>Endpoint activity
Click a box or boxes in the first column to select the endpoints of interest.
TIP: Click the box at the top of the column to select all of the endpoints.
Acting on Selected Endpoints
Once you have filtered the Endpoint activity window and selected which endpoints to take action on, you can perform the following actions:
■ Retest an endpoint (“Manually Retest an Endpoint” on page 4-19)
■...
NOTE: If an endpoint that has been granted or denied access temporarily by the administrator disconnects, the next time the endpoint attempts to connect it will be retested; the previous temporary status no longer applies.
Immediately Quarantine an Endpoint
To immediately quarantine an endpoint:
Home window>>Endpoint activity...
Viewing Endpoint Information
To view information about an endpoint:
Home window>>Endpoint activity
Click on an endpoint name to view the Endpoint window:
Figure 4-12. Endpoint, General Option
Click Test results to view the details of the test:
Figure 4-13. Endpoint Activity, Endpoint Test Results Option
TIP: Click on any underlined link (for example, change access) to make changes such as changing access or test credentials.
Troubleshooting Quarantined Endpoints
The following table describes the various components that affect an endpoint attempting to access the network:
DHCP server (NAC 800) gives the enforcement endpoint:
• Quarantine range IP address (*)
• 255.255.255.255 netmask (effectively...
DHCP server (NAC 800) also sends:
• A static route to the NAC 800 server IP via a gateway (*)
• Static routes to any IP addresses...
NAC 800 accessible devices, DHCP mode, Network
DHCP server (NAC 800) gives the enforcement endpoint:
• Quarantine range IP address
•...
NAC 800 (fake root) DNS – As in endpoint enforcement (for access to names in Accessible services). The DNS server forwards requests for...
VPN users can only get through iptables by becoming compliant with a NAC 800 policy, after which a hole is opened for their VPN IP address.
Accessible services – The names listed in Accessible services are not used.
NOTE: In this configuration, the user has...
NAC 800:443 --> NAC 800:89
Traffic coming from non-quarantine ranges will not be rewritten, so that users can get to the NAC 800 user interface on port 443.
NOTES:
• (*) The gateway does not have to be in the broadcast domain (which is good, since the netmask gives the endpoint no real broadcast domain), as long as it is in the same (Layer 2) subnet; the router will get you there.
End-user Access
Overview
End-users can connect to your network from a number of different types of computers (see “Endpoints Supported” on page 5-5), be tested for compliance based on your definitions in the standard (high, medium, or low security) or custom NAC policies (see “NAC Policies”...
Agent Callback
The Agent Callback to NAC 800 feature allows the NAC 800 agent to inform the ES that an endpoint is now active on the network and available to be tested. This feature allows faster detection of endpoints in a network utilizing static IP addresses.
Test Methods Used
■ _naces1
■ _naces2
If no contact can be made, try the following A names:
NOTE: The endpoint's DNS suffix must be correctly configured for your domain for the Agent Callback feature to work correctly.
■...
Endpoints Supported
This NAC 800 release supports the following:
■ Agent-based testing
• Windows 2000
• Windows Server (2000, 2003)
• Windows XP Professional
• Windows XP Home
• Mac OS (version 10.3.7 or later)
•...
NOTE: Other operating system support (for example Linux) will be included in future releases. Windows ME and Windows 95 are not supported in this release.
TIP: If the end-user switches the Windows view while connected, such as from Classic view to Guest view, the change may not be immediate due to the way sessions are cached.
Browser Version
The browser that should be used by the endpoint is based on the test method as follows:
■ ActiveX test method – Microsoft Internet Explorer (IE) version 6.0 or later.
■ Agentless test methods – IE, Firefox, or Mozilla.
NAC 800 server using the centralized policy. If the Domain Group Policy is not used for Windows endpoints, the appropriate ports are opened during the agent installation process by the NAC 800 installer.
Unmanaged Endpoints
For unmanaged endpoints, the NAC Agent and the ActiveX control test methods automatically open the necessary ports for testing.
You might need to configure some firewalls and routers to allow NAC 800 to access port 1500 for agent-based testing.
TIP: See “Ports used in NAC 800” on page E-1 for a complete description of the ports used in NAC 800.
Windows Vista Settings
All Windows Vista endpoints must have administrator permissions in order for the agent to install successfully.
See the following link for details on UAC:
http://technet2.microsoft.com/WindowsVista/en/library/0d75f774-8514-4c9e-ac08-4c21f5c6c2d91033.mspx?mfr=true
Agentless Test Method
This section describes the settings you need to make on Windows 2000, Windows XP, and Windows Vista when using the Agentless test method.
Configuring Windows 2000 Professional for Agentless Testing
The agentless test method requires file and printer sharing to be enabled.
On the General tab, in the Components checked are used by this connection area, verify that File and Printer sharing is listed and that the check box is selected. Click OK.
Configuring Windows XP Professional for Agentless Testing
The agentless test method requires file and printer sharing to be enabled.
■ To configure File and Printer Sharing for Microsoft Networks – http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/howto_config_fileandprintsharing.mspx
■ To add a network component – http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/howto_config_fileandprintsharing.mspx
Configuring Windows Vista for Agentless Testing
Vista endpoints must have the following enabled to allow testing from non-local subnet systems (if the endpoint goes into a quarantine subnet, it is no longer on the local subnet):
■...
Figure 5-3. Network and Sharing Center
Enable network discovery:
Click the down arrow on the Network discovery line. The window expands to show the Network discovery options:
Figure 5-4. Network Discovery Options
b. Select the Turn on network discovery radio button.
Click Apply.
d. Click Continue on the User Account Control pop-up window.
Click Yes, turn on network discovery for all public networks.
TIP: See “Ports used in NAC 800” on page E-1 for a complete description of the ports used in NAC 800.
Allowing the Windows RPC Service through the Firewall
If end-users enable the XP SP2 Professional firewall, they need to change the configuration to allow the agentless testing.
Windows endpoint>>Start>>Settings>>Control Panel>>Windows Firewall>>Advanced tab>>Settings button
Click Add. In the Service Settings window, enter the following information:
Description: NAC 800 Server 137
IP: <IP of the NAC 800 Server>
External port number: 137
Select UDP. Click OK.
Click Add. In the Service Settings window, enter the following information:
Description: NAC 800 Server 138
IP: <IP of the NAC 800 Server>...
Click OK. Select UDP 137.
10. Click Change Scope.
11. Select Custom List.
12. Enter the NAC 800 Server IP address and the 255.255.255.0 mask.
13. Click OK.
14. Select TCP 445.
15. Click Change Scope.
16. Verify that the My network (subnet) only radio button is selected.
You might need to configure some firewalls and routers to allow NAC 800 to access port 1500 for ActiveX testing.
TIP: See “Ports used in NAC 800” on page E-1 for a complete description of the ports used in NAC 800.
Windows Vista Settings
All Windows Vista endpoints must have administrator permissions in order for the ActiveX component to install successfully.
You might need to configure some firewalls and routers to allow NAC 800 to access port 1500 for agent-based testing.
TIP: See “Ports used in NAC 800” on page E-1 for a complete description of the ports used in NAC 800.
Allowing NAC 800 through the OS X Firewall
To verify that NAC 800 can test the end-user through the end-user’s firewall:
Figure 5-6. Mac System Preferences
Select the Sharing icon. The Sharing window opens.
Figure 5-7. Mac Sharing
Select the Firewall tab. The firewall settings must be one of the following:
•
• On with the following:
– OS X NAC Agent check box selected
–...
To change the port:
Mac endpoint>>Apple Menu>>System Preferences>>Sharing icon>>Firewall
Select OS X NAC Agent. Click Edit. The port configuration window appears:
Figure 5-8. Mac Ports
Enter 1500 in the Port Number, Range or Series text field. Click OK.
Your updated templates are preserved.
CAUTION: Do not rename the files or they will not be seen by NAC 800.
End-users begin the login process by opening their browser. If their home page is defined on the Accessible services window, they are allowed to access that page.
End-user Access Windows
Opening Window
When the end-user directs their browser to go to a location that is not listed in the Accessible services and endpoints list, the testing option window appears:
Figure 5-9. End-user Opening Window
The end-users select Get connected. One of the following windows appears, depending on which test method and order is specified in the System configuration>>Testing methods window:
■...
Windows NAC Agent Test Windows
Automatically Installing the Windows Agent
When the test method used is NAC Agent test, the first time the user attempts to connect, the agent installation process should begin automatically, and the installing window appears:
Figure 5-10.
If Active Content is disabled in the browser, the following error window appears:
Figure 5-11. End-user Agent Installation Failed
TIP: To enable active content, see “Active Content” on page C-4.
If this is the first time the end-user has selected NAC Agent test, a security acceptance window appears.
Once the user has accepted the digital signature, the agent installation begins. The user must click Next to start the agent installation:
Figure 5-12. End-user Agent Installation Window (Start)
The user must click Finish to complete the agent installation and begin testing:
Figure 5-13.
To remove the agent:
Windows endpoint>>Start button>>Settings>>Control panel>>Add/remove programs
Figure 5-14. Add/Remove Programs
Find the ProCurve NAC EI Agent in the list of installed programs. Click Remove.
TIP: The ProCurve NAC EI Agent also appears in the services list:
Start button>>Settings>>Control panel>>Administrative tools>>Services...
Windows endpoint>>IE browser window
Point the browser to the following URL:
https://<enforcement_server_ip>:89/setup.exe
The security certificate window appears:
Figure 5-15. Security Certificate
Click Yes to accept the security certificate. You are prompted to select Save to disk or Run the file:
Figure 5-16.
Mac OS Agent Test Windows
When the test method selected is agent-based, the first time the end-user logs in to their Macintosh computer and opens a browser window, NAC 800 attempts to test the endpoint. If the agent is required, they receive the Installation Failed window shown in figure 5-11.
Double-click the extracted file to launch the installer program. A confirmation window appears:
Figure 5-17. Start Mac OS Installer
Click Continue. The installer appears:
Figure 5-18. Mac OS Installer 1 of 5
Click Continue. The Select a Destination window appears:
Figure 5-19. Mac OS Installer 2 of 5
Click Continue. The Easy Install window appears:
Figure 5-20. Mac OS Installer 3 of 5
Click Install. The Authenticate window appears:
Figure 5-21. Mac OS Installer 4 of 5
Enter your password. Click OK. The agent is installed and the confirmation window appears:
Figure 5-22. Mac OS Installer 5 of 5
Click Close.
Mac endpoint>>Double-click Desktop icon>>Applications folder>>Utilities folder
Figure 5-23. Applications, Utilities Folder
Double-click Activity Monitor. The Activity Monitor window appears:
Figure 5-24. Activity Monitor
Verify that the osxnactunnel process is running. If the osxnactunnel process is not running, start it by performing the following steps:
Select Applications window>>Utilities>>Mac OS X Terminal. A terminal window opens:
Figure 5-25. Mac Terminal
b. Enter the following at the command line:
OSXNACAgent -v
The build and version number are returned. If an error message is returned indicating that the agent could not be found, the agent was not installed properly.
Removing the Mac OS Agent
To remove the Mac OS agent:
Mac endpoint>>Double-click Desktop icon>>Applications folder>>Utilities folder
Select Mac OS X Terminal. A terminal window opens (figure 5-25). Enter the following at the command line:
remove_osxnacagent
Remove the firewall entry: Select Apple Menu>>System Preferences>>Sharing>>Firewall tab.
To enable active content, see “Active Content” on page C-4.
TIP: Install any needed patches before installing the Agent.
Agentless Test Windows
If the end-users select Agentless test, NAC 800 needs login credentials in order to test the endpoint. Credentials can be obtained from the following:
Page 233
Windows administrator account with a password in order to be tested by NAC 800. NOTE: NAC 800 uses the Windows Messenger Service when using agentless testing. If you have disabled this service (http://www.microsoft.com/windowsxp/ using/security/learnmore/stopspam.mspx), agentless testing will not work.
Page 234
End-user Access End-user Access Windows If the end-users do not enter the correct information in the login window fields, a login failure window appears: Figure 5-28. End-user Login Failed TIP: You can customize the logo and contact paragraph that appear on this window.
End-user Access End-user Access Windows Testing Window The following figure shows the window that appears during the testing pro- cess: Figure 5-29. End-user Testing The possible outcomes from the test are as follows: ■ Test successful window (see “Test Successful Window” on page 5-42) ■...
End-user Access End-user Access Windows Test Successful Window When the end-users’ endpoints meet the test criteria defined in the NAC policy, they are allowed access to the network, and a window indicating successful testing appears: Figure 5-30. End-user Testing Successful TIP: You can customize the logo and text that appears on this window as described in “End-user Screens”...
End-user Access End-user Access Windows Testing Cancelled Window If the Allow end users to cancel testing option on the System configuration>>Test- ing methods window is selected, the end-user has the option of clicking Cancel testing. If the end-users click Cancel testing, a window appears indicating that testing is cancelled: Figure 5-31.
For each NAC policy, you can specify a temporary access period should the end-users fail the tests. See “Selecting Action Taken” on page 6-19 for more information. Figure 5-32. End-user Testing Failed Example 1 TIP: You can elect to allow access to specific services and endpoints by including them in the Accessible services and endpoints area of the System configuration>>Accessible services window (see “Accessible Services”...
End-users can click Printable version to view the testing results in a printable format, as shown in the following figure: Figure 5-33. End-user Testing Failed, Printable Results Error Windows End-users might see any of the following error windows: ■ Unsupported endpoint...
End-user Access Customizing Error Messages Customizing Error Messages The default error message strings (remediation messages) are defined in the following file: /usr/local/nac/scripts/BaseClasses/Strings.py You can create custom error message strings that appear in the test result reports, and on the test results access window that the end-user views by editing or creating the following file: /usr/local/nac/scripts/Custom/BaseClasses/CustomStrings.py...
"name2" : "message2", NOTE: A “%s” in the description text is a special variable that is interpolated into extra information (passed from NAC 800) such as lists of missing patches, or missing software. CAUTION: Normally NAC 800 uses Strings.py. If you create a CustomStrings.py file, make sure that the number of placeholders (%s) for a given entry is equal to the placeholders for that entry in Strings.py.
Test name – Description
checkAntiVirusUpdates.String.1 – The required anti-virus software was not found. Install anti-virus software and keep the virus definitions up-to-date. Supported Anti Virus software: %s
checkAntiVirusUpdates.String.2 – %s is installed but the service is not running and the virus signatures are not up-to-date (installed: %s required: %s).
checkAntiVirusUpdates.String.3 – %s is installed but the service is not running.
...
checkHotFixes.String.4 – The %s installed are not current. Run Windows Update to install the most recent service packs and hotfixes. The missing hotfixes are: %s. You may need to run Windows Update multiple times to install all the hotfixes. Some of the hotfixes listed may be contained in a cumulative patch.
checkHotFixes.String.5 – All required %s are installed.
...
checkMicrosoftOfficeMacroSecurityLevel.String.5 – Microsoft Office %s is not installed.
checkMicrosoftOfficeMacroSecurityLevel.String.6 – The Microsoft %s macro security level setting must be set to %s or above. To change the security level, open %s and do the following: Select \'Options...\' under the \'Tools\' menu. Choose the \'Security\' tab.
checkServicesRequired.String.2 – The following required services were not found: %s. Start the service by selecting Control Panel>>Administrative Tools>>Services application>>right-click on the service and select properties. Change the startup type to automatic and click start. Click OK to save your changes. If the service does not exist contact your administrator.
checkServicesRequired.String.3 – %s  # placeholder for link location for each service.
checkWindowsStartupRegistryEntriesAllowed.String.1 – All Windows startup registry entries are acceptable.
checkWindowsStartupRegistryEntriesAllowed.String.2 – The following Windows startup registry entries are not allowed in the HKEY_LOCAL_MACHINE>>Software>>Microsoft>>Windows Run and RunOnce registry keys: %s. Contact your network administrator for removal of these items from the registry.
checkWormsVirusesAndTrojans.String.1 – No worms, viruses or trojans were found.
...
"NAC policies" are collections of tests that evaluate remote endpoints attempt- ing to connect to your network. You can use the standard tests installed with NAC 800, or you can create your own custom tests. NOTE: The default NAC policy is indicated by the check mark on the icon to the left of the NAC policy name.
NAC Policies Standard NAC Policies Standard NAC Policies NAC 800 ships with three standard NAC policies: ■ High security ■ Medium security ■ Low security NAC policies are organized in groups. Groups include the clusters defined for your system, a Default group, and any other groups you create. Each standard policy has tests pre-selected.
NAC Policies NAC Policy Group Tasks NAC Policy Group Tasks Add a NAC Policy Group To add a NAC policy group: Home window>>NAC policies Click Add a NAC policy group. The Add NAC policy group window opens: Figure 6-3. Add NAC Policy Group Type a name for the group in the Name of NAC policy group text box.
Home window>>NAC policies Click on an existing NAC policy group name (for example, Default). The NAC policy group window opens. Figure 6-4. Edit NAC Policy Group Make any changes required. See “Add a NAC Policy Group” on page 6-5 for details on NAC policy group options.
Click yes on the Delete NAC policy group confirmation window.
NAC Policies NAC Policy Tasks NAC Policy Tasks Enabling or Disabling a NAC Policy Select which NAC policies are enabled or disabled. To enable/disable a NAC policy: Home window>>NAC policies Click on the enable or disable link. An X indicates disabled. Selecting the Default NAC Policy To select the default NAC policy: Home window>>NAC policies...
Click Add a NAC policy. The Add NAC policy window opens as shown in the following figure: Figure 6-6. Add a NAC Policy, Basic Settings Area Enter a policy name. Enter a description in the Description text box. Select a NAC policy group.
In DHCP mode, if an endpoint with an unsupported OS already has a DHCP-assigned IP address, NAC 800 cannot affect this endpoint in any way until the lease on the existing IP address for that endpoint expires. If an endpoint with an unsupported OS has a static IP address, NAC 800 cannot affect this endpoint in any way.
Click the Domains and endpoints menu option to open the Domains and endpoints window, shown in the following figure: Figure 6-7. Add a NAC Policy, Domains and Endpoints 10. Click on a cluster name. 11. Enter the names of Windows domains to be tested by this cluster for this NAC policy, separated by a carriage return.
NOTE: You can leave the Domains and Endpoints areas blank if you do not want to assign domains and endpoints to this policy. TIP: Move the mouse cursor over the question mark (?) by the word Endpoints, then click on the CIDR notation link to see the CIDR conversion table pop-up window.
13. Click the Tests menu option to open the Tests window: ...
18. Click ok. TIP: Selecting the Send an email notification option sends an email to the address you identified in NAC 800 Home window>>System Configuration>>Notifications area. This option is defined per cluster. Editing a NAC Policy To edit an existing NAC policy: Home window>>NAC policies...
Change any of the options desired. See “Creating a New NAC Policy” on page 6-8 for details on the options available. Click ok. Deleting a NAC Policy To delete an existing NAC policy: Home window>>NAC policies Click the delete link to the right of the NAC policy you want to delete.
In the Retest frequency area, enter how frequently in minutes, hours, or days NAC 800 should retest a connected endpoint. TIP: A lower number ensures higher security, but puts more load on the NAC 800 server. Click ok. Setting Connection Time When an endpoint is inactive for a period of time, you can elect to automatically move the endpoint to a quarantined state.
In the Inactive endpoints area, enter how long an end-user can be inactive before they are quarantined. TIP: A lower number ensures higher security. Click ok. Defining Non-supported OS Access Settings To define what actions to take for endpoints with non-supported operating systems: Home window>>NAC policies>>Select a NAC Policy>>Basic settings area In the Operating systems area, select the check box beside any operating...
Selecting Action Taken Actions can be passive (send an email), active (quarantine) or a combination of both. To select the action to take: Home window>>NAC policies>>Select a NAC Policy>>Tests menu option Click on the name of test to display the test’s options. NOTE: Click a test name to display the options;...
Click ok if you are done in the Tests window, or continue making changes to other tests. ...
About NAC 800 Tests About NAC 800 Tests NAC 800 tests are assigned to NAC policies. NAC policies are used to test endpoints attempting to connect to your network. NAC 800 tests might be updated as often as hourly; however, at the time of this release, the tests shown in “Tests Help”...
You can enter any combination of these keys in the NAC 800 text entry fields to detect a vendor, software package and version on an endpoint (for example, you can also enter Mozilla\Firefox or simply Mozilla) and NAC 800 searches for them in the HKEY_LOCAL_MACHINE\Software registry key sub-tree.
■ Utility Manager ■ Windows Installer Entering the Browser Version Number To specify the minimum browser version the end-user needs: For Mozilla Firefox: a. Clear the Check For Mozilla Firefox [1.5] check box. b. Type a version number in the text entry field.
In DHCP mode, if an endpoint with an unsupported OS already has a DHCP-assigned IP address, NAC 800 cannot affect this endpoint in any way until the lease on the existing IP address for that endpoint expires. If an endpoint with an unsupported OS has a static IP address, NAC 800 cannot affect this endpoint in any way.
Quarantined Networks Endpoint Quarantine Precedence TIP: Use the Clear temporary access control status radio button to remove the temporary access or temporary quarantine state enabled by the Temporarily quarantine for/Temporarily grant access for radio buttons. Endpoint testing exceptions override the items following them in the list (4, ■...
Quarantined Networks Using Ports in Accessible Services and Endpoints Using Ports in Accessible Services and Endpoints To use a port number when specifying accessible services and endpoints (cluster default): Home window>>System configuration>>Accessible services The following figure shows the Accessible services window: Figure 7-1.
In order to grant access for quarantined endpoints to needed services, add entries to the Accessible services list. For inline enforcement mode, enter the IP addresses of the servers that provide the services. A port or ports can be added to limit the access to the servers from quarantined endpoints.
Quarantined Networks Always Granting Access to an Endpoint Always Granting Access to an Endpoint To always grant access to an endpoint without testing: Home window>>System configuration>>Exceptions The following figure shows the Exceptions window. Figure 7-2. System Configuration, Exceptions In the Whitelist area: In the Endpoints area, enter one or more MAC addresses, IP addresses, or NetBIOS names separated by carriage returns.
CAUTION: If you enter the same endpoint for both options in the Endpoint testing exceptions area, the Allow access without testing option is used. CAUTION: Please read “Untestable Endpoints and DHCP Mode” on page 7-11 so that you fully understand the ramifications of allowing untested endpoints on your network.
Quarantined Networks Always Quarantining an Endpoint Always Quarantining an Endpoint To always quarantine an endpoint without testing (cluster default): Home window>>System configuration>>Exceptions In the Blacklist area: In the Endpoints area, enter one or more MAC addresses, IP addresses, or NetBIOS names separated by carriage returns. b.
■ Inline mode – An IP address is assigned to the endpoint outside of NAC 800. When the end-user attempts to connect to the network, NAC 800 either blocks access or allows access by adding the endpoint IP address to the internal firewall.
Quarantined Networks Shared Resources Shared Resources If the end-users typically make connections to shared services and endpoints during the boot process, these shares are unable to connect while the endpoint has the quarantined IP address, unless the services and endpoints are listed in the Accessible services and endpoints area (see “Accessible Services”...
The IP address granted by your DHCP server has a lease expiration period that cannot be affected by the NAC 800 server. Once an untested endpoint has been allowed access and assigned a non-quarantined IP address by your DHCP server, that endpoint has continual access through that IP address until the IP address lease expires.
• 135-139 • 1025 NAC 800 will then look up the Kerberos and LDAP services, and resolve those services within its own DNS server used for quarantined devices. For example:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 88 dc01.lvh.com
Quarantined Networks Windows Domain Authentication and Quarantined Endpoints
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 389 dc01.lvh.com
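To connect the SRV answers above with the Accessible services list described earlier in this chapter, the following script is an added example (not from the guide and not NAC 800 code). It parses SRV records in the form shown, resolves each target domain controller through a constructed host-to-IP table, and emits one accessible-services entry per domain controller and port, including the 135-139 and 1025 ports the guide lists for domain authentication. The `ip:port` entry form, the second domain controller dc02, and the IP addresses are my assumptions; check the Accessible services window for the exact syntax the appliance accepts.

```python
"""Derive Accessible services entries from AD SRV records (added example)."""
import re

# Constructed sample: the two SRV answers quoted in the guide plus a second
# domain controller (dc02, constructed) so that every target host is covered.
SRV_ANSWERS = """\
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 88 dc01.lvh.com
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 389 dc01.lvh.com
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 10 100 389 dc02.lvh.com
"""

# Constructed stand-in for the resolver (host -> IP); real values come from your DNS.
HOST_IPS = {"dc01.lvh.com": "10.0.0.10", "dc02.lvh.com": "10.0.0.11"}

# Port ranges the guide lists alongside Kerberos and LDAP for domain authentication.
EXTRA_DC_PORTS = ("135-139", "1025")

SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)\s+"
    r"(?P<port>\d+)\s+(?P<target>\S+?)\.?$"
)


def parse_srv(text):
    """Parse zone-file style SRV answers into dicts; unreadable lines raise."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_RE.match(line)
        if not m:
            raise ValueError(f"unparsable SRV line: {line}")
        records.append({
            "service": m["name"].split(".")[0].lstrip("_"),  # kerberos / ldap
            "priority": int(m["prio"]),
            "weight": int(m["weight"]),
            "port": int(m["port"]),
            "target": m["target"],
        })
    return records


def preferred_target(records, service):
    """Mirror client SRV selection: lowest priority wins, higher weight breaks ties."""
    matches = [r for r in records if r["service"] == service]
    if not matches:
        raise LookupError(f"no SRV record for service {service}")
    return min(matches, key=lambda r: (r["priority"], -r["weight"]))["target"]


def accessible_service_entries(records, host_ips, extra_ports=EXTRA_DC_PORTS):
    """Build sorted 'ip:port' entries covering every SRV target plus the extra
    domain-authentication ports on each domain controller (entry form assumed)."""
    entries = set()
    for r in records:
        if r["target"] not in host_ips:
            raise KeyError(f"no address known for SRV target {r['target']}")
        ip = host_ips[r["target"]]
        entries.add(f"{ip}:{r['port']}")
        for port in extra_ports:
            entries.add(f"{ip}:{port}")
    return sorted(entries)


if __name__ == "__main__":
    recs = parse_srv(SRV_ANSWERS)
    print("preferred ldap server:", preferred_target(recs, "ldap"))
    for entry in accessible_service_entries(recs, HOST_IPS):
        print(entry)
```

Every domain controller returned in the SRV answers needs an entry, not just the preferred one: a quarantined endpoint that fails over to a secondary controller will otherwise lose domain authentication.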
ES is unavailable, the notification indicates that at the top of the Home window. When NAC 800 is installed inline in a multiple-server configuration (figure 8-1), the multiple ESs form a network loop (an undesired condition). The...
High Availability and Load Balancing High Availability ports on the switch based on the switch configuration. If an ES becomes unavailable, the switch reconnects so that there is always a path from the VPN to an ES. All of the ES firewalls continuously stay in sync with each other. Figure 8-1.
Figure 8-2. DHCP Installation...
Load Balancing Load balancing distributes the testing of endpoints across all NAC 800 ESs in a cluster. NAC 800 uses a hashing algorithm based on MAC or IP addresses to divide the endpoints between the ESs. If the MAC address is unavailable (untestable endpoint) the IP address is used to determine which ES should test an endpoint.
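The guide states that endpoints are divided between enforcement servers by hashing the MAC address, or the IP address when no MAC is available, but does not document the hash itself. The following is an added example (not NAC 800's algorithm) that shows the property such a scheme needs: every ES in the cluster, given the same member list and the same endpoint, must arrive at the same owner without talking to the others. The endpoint list and ES names are constructed.

```python
"""Deterministic endpoint-to-ES assignment by hashing MAC or IP (added example)."""
import hashlib

# Constructed sample endpoints; the third is "untestable" (no MAC learned).
SAMPLE_ENDPOINTS = [
    {"mac": "00:1A:2B:3C:4D:5E", "ip": "10.1.1.10"},
    {"mac": "00-1a-2b-3c-4d-5f", "ip": "10.1.1.11"},
    {"mac": None, "ip": "10.1.1.12"},
    {"mac": "00:1A:2B:3C:4D:60", "ip": "10.1.1.13"},
]


def endpoint_key(mac, ip):
    """Prefer the MAC; fall back to the IP for untestable endpoints.
    MACs are normalised so 00-1A-.. and 00:1a:.. hash to the same ES."""
    if mac:
        return mac.lower().replace("-", ":")
    if ip:
        return ip
    raise ValueError("endpoint has neither MAC nor IP address")


def assign_es(mac, ip, es_names):
    """Return the ES responsible for this endpoint. The member list is sorted so
    that every ES computes the same answer regardless of the order it was given."""
    if not es_names:
        raise ValueError("cluster has no enforcement servers")
    members = sorted(es_names)
    digest = hashlib.sha256(endpoint_key(mac, ip).encode()).digest()
    return members[int.from_bytes(digest[:8], "big") % len(members)]


def distribution(endpoints, es_names):
    """Count how many endpoints land on each ES (useful to eyeball balance)."""
    counts = {name: 0 for name in es_names}
    for e in endpoints:
        counts[assign_es(e["mac"], e["ip"], es_names)] += 1
    return counts


if __name__ == "__main__":
    cluster = ["es1", "es2", "es3"]
    for e in SAMPLE_ENDPOINTS:
        print(e["mac"] or e["ip"], "->", assign_es(e["mac"], e["ip"], cluster))
    print(distribution(SAMPLE_ENDPOINTS, cluster))
```

Because the owner is `hash mod N`, removing an ES from the member list reassigns a share of endpoints to other servers; that is the behaviour to expect when watching the System monitor after an ES becomes unavailable.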
This is an undesirable situation. To prevent this, you may have to configure the switch that connects the NAC 800 ESs to use Spanning Tree Protocol (STP), if STP is not already configured. The STP automatically detects the loop, and closes one of the offending ports on the switch based on the switch configuration.
Inline Quarantine Method Inline Figure 9-1. Inline Installations TIP: You can install NAC 800 at any “choke point” in your network; a VPN is not required.
DHCP Quarantine Method Overview Overview When configured with a Dynamic Host Configuration Protocol (DHCP) quarantine area, all endpoints requesting a DHCP IP address are issued a temporary address on a quarantine subnetwork. Once the endpoint is allowed access, the IP address is renewed and the main DHCP server assigns an address to the main LAN.
Configuring NAC 800 for DHCP Configuring NAC 800 for DHCP The primary configuration required for using NAC 800 and DHCP is setting up the quarantine area (see “Setting up a Quarantine Area” on page 10-4). You should also review the following topics related to quarantining endpoints: ■...
In order to sufficiently restrict access to and from the quarantine area, you must configure your router Access Control Lists (ACLs) as follows: ■ Allow traffic to and from the NAC 800 server and the quarantined network. If you want to allow access to other endpoints outside of the quaran- ■...
802.1X Quarantine Method About 802.1X About 802.1X 802.1X is a port-based authentication protocol that can dynamically vary encryption keys, and has three components as follows: ■ Supplicant – The client; the endpoint that wants to access the network. ■ Authenticator – The access point, such as a switch, that prevents...
The AP (authenticator) opens a port for EAP messages, and blocks all others. The AP (authenticator) requests the client’s (supplicant’s) identity. The Client (supplicant) sends its identity. The AP (authenticator) passes the identity on to the authentication server. The authentication server performs the authentication and returns an accept or reject message to the AP (authenticator).
VLAN to place the endpoint, and returns the result to the switch. When NAC 800 is used in an 802.1X network, the configuration is as shown in figure 11-2, and the communication flow is shown in Figure 11-3 on page 11-6.
The NAC 800 802.1X solution must be integrated with the RADIUS authentication to “intervene” in the authentication process, test endpoints, and assign them to the appropriate VLAN. NAC 800 can be deployed and integrated with RADIUS in the following three ways: ■...
Microsoft® Windows Server™ 2003 Internet Authentication Service (IAS) is Microsoft’s implementation of a Remote Authentication Dial-In User Service (RADIUS) server. This section provides instructions on configuring this server to use with NAC 800. For details on the Windows Server 2003 IAS, refer to the following link: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/ias.mspx...
Install any IAS and 802.1X updates that are available. http://www.microsoft.com/downloads/search.aspx?displaylang=en Configuring the Microsoft IAS RADIUS Server For an explanation of how the components communicate, see “NAC 800 and 802.1X” on page 11-4. Now that you have the RADIUS server installed, you need to log into it and perform the configuration steps described in this section.
802.1X Quarantine Method Setting up the 802.1X Components From the RADIUS server main window, select Start>>Settings>>Control Panel>>Administrative Tools>>Internet Authentication Service. Configure IAS to use Active Directory: Right-click on Internet Authentication Service (Local). b. Select Register Server in Active Directory (figure 11-6). Click OK if a registration completed window appears.
Figure 11-8. IAS, Properties General tab – Enter a descriptive name in the Server Description text box. For example, IAS. ii. Select the Rejected authentication requests check box. iii. Select the Successful authentication requests check box. d.
b. Select New RADIUS Client. The New RADIUS Client window appears: Figure 11-9. IAS, New Client, Name and Address Enter a descriptive name for the Friendly name, such as Foundry. d. Enter the IP address of the authenticator in the Client address text box. TIP: Click Verify to test the connection.
Select RADIUS Standard from the Client Vendor drop-down list. Enter a password in the Shared secret text box. This password also needs to be entered when you configure the authenticator. NOTE: See your system administrator to obtain the shared secret for your switch. h.
Click Next. Figure 11-12. IAS, Remote Access Policy, Access Method Select the Ethernet radio button. (The Ethernet option will not work for authenticating wireless clients with this policy.) h. Click Next. Figure 11-13. IAS, Remote Access Policy, Group Access You can configure your Access policy by user or group.
Click Add. The Select Groups pop-up window appears: Figure 11-14. IAS, Remote Access Policy, Find Group ...
k. Click Advanced. Figure 11-15. Remote Access Policy, Select Group Click Find Now to populate the Search Results area. m. Select Domain Guests. n. Click OK. o. Click OK. ...
p. Click Next. Figure 11-16. IAS, Remote Access Policy, Authentication Method NOTE: If you choose PEAP as your authentication mechanism in step q, see step 8 before completing step r and step s. Adding a certificate, if your server does not already have one, and configuring PEAP is explained in step 8.
To import the certificate manually: 1. Right-click on the Personal folder>>select All Tasks>>Import. 2. When the wizard opens, click Next. 3. Enter the path to the NAC 800 certificate, for example: D:\support\ias\compliance.keystore.cer 4. Click Next, Next, and Finish. To request a certificate from a Domain Certificate Authority: Figure 11-17.
Follow the instructions to generate a certificate request. If there are...
Click Configure to configure the certificate for use with the PEAP authentication method. The Protected EAP Properties window appears, as shown in the following figure: Figure 11-18. Protected EAP Properties 10. Configure the new Remote Access Policy. Figure 11-19.
This example does not use additional selections. ii. Advanced tab – Add three RADIUS attributes: TIP: The attributes you select might be different for different switch types. Contact ProCurve Networking by HP if you would like assistance. ...
1) Click Add. Figure 11-21. IAS, Remote Access Policy, Add Attribute 2) Select Tunnel-Medium-Type. (Adding the first of the three attributes.) 3) Click Add. 4) Click Add again on the next window. 5) From the Attribute value drop-down list, select 802 (includes all 802 media).
18) Click OK. 19) Click OK. 20) Click OK. 11. Repeat step 9 for every VLAN group defined in Active Directory. IMPORTANT: The order of the connection attributes should be most-specific at the top, and most-general at the bottom. 12.
Select the When disk is full, delete older log files check box. iv. Click OK. 13. Install the NAC 800-to-IAS connector – The NAC 800 IAS Connector is a DLL file that is installed on your Windows Server 2003 machine where the IAS component is enabled.
support/ias/SAIASConnector.dll support/ias/SAIASConnector.ini b. Import the NAC 800 server’s certificate so the connector can communicate with NAC 800 over SSL: On the Windows Server 2003 machine, click Start. ii. Select run. iii. Enter mmc.
Click Next. xxi. Click Finish. 14. Configure the NAC 800-to-IAS connector – Modify the INI file for your network environment. NAC 800 returns one of the following postures for an endpoint attempting to authenticate. For each posture received, a different RADIUS response
to the switch can be configured using RADIUS attributes. This response determines into what VLAN the endpoint is placed. Healthy – The endpoint passed all tests or no failed tests were configured to quarantine. Checkup –...
15. Verify that you are using Microsoft’s version of the challenge-handshake authentication protocol (CHAP) MSCHAPv2. If for some reason, you cannot upgrade to MSCHAPv2 at this time, perform the following workaround for MSCHAPv1: Configure passwords: From the Windows Server 2003 machine, select Start>>Settings>>Control Panel>>Administrative Tools>>Active...
Right-click Default Domain Policy and select Edit (click OK if you get a global changes pop-up message). Figure 11-28. Active Directory, Store Passwords vi. Navigate to Computer Configuration>>Windows Settings>>Security Settings>>Account Policies>>Password Policy. vii.
From the Windows Server 2003 machine, select Start>>Settings>>Control Panel>>Administrative Tools>>Active Directory Users and Computers. b. Click the plus symbol next to the domain to expand the selection. Select the Users folder. Figure 11-29. Active Directory Users and Computers ...
d. Right-click a user name and select Properties. The Properties window appears: Figure 11-30. Active Directory, User Account Properties Select the Dial-in tab. In the Remote Access Permission area, select the Allow Access radio button.
The realm NULL section must go after the realm LOCAL section, or you can comment out the realm LOCAL section. Configure your RADIUS server to allow the NAC 800 IP address as a client with the shared secret specified in the previous step. See your RADIUS server’s documentation for instructions on how to configure allowed...
Configure the SAFreeRADIUSConnector.conf file with the appropriate RADIUS attributes and VLANs. See comments in the following sample file for instructions.
# FreeRADIUS Connector configuration file
# TO DO - Change localhost to your server's IP if this is not the built-in FreeRADIUS server
ServerUrl=https://localhost/servlet/AccessControlServlet
DebugLevel=4
...
802.1X Quarantine Method Setting up the 802.1X Components "QuarantineRadiusAttributes" Tunnel-Medium-Type := 6, Tunnel-Private-Group-ID := 15, Tunnel-Type := VLAN, "InfectedRadiusAttributes" Tunnel-Medium-Type := 6, Tunnel-Private-Group-ID := 15, Tunnel-Type := VLAN, "UnknownRadiusAttributes" Tunnel-Medium-Type := 6, Tunnel-Private-Group-ID := 5, Tunnel-Type := VLAN, # Use these attributes for Extreme switches #"HealthyRadiusAttributes"...
If you selected the Manual End-user authentication method in the Authentication settings area of the System configuration>>Quarantining>>802.1X window, configure NAC 800 according to the instructions in this section. To configure NAC 800 to handle RADIUS requests: Add users to the RADIUS server by modifying the /etc/raddb/users file.
(CatOS), you need to refer to the VLAN by name, and not by number as shown in the following sample file. For example, use “Tunnel-Private-Group-ID := User_Seg_PA,” instead of “Tunnel-Private-Group-ID := 50,”.
# NAC 800 FreeRADIUS Connector configuration file
# General configuration parameters
ServerUrl=https://<SERVER IP>:89/servlet/AccessControlServlet
ServerUrl.1=https://<SERVER IP.1>:89/servlet/AccessControlServlet
...
Tunnel-Type := VLAN,
Enabling NAC 800 for 802.1X To enable NAC 800 for use in an 802.1X network, you need to select it in the user interface, and make a few changes to the properties using JMS and an XML file.
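The connector file above maps each posture NAC 800 returns to a set of RADIUS reply attributes, and the VLAN the switch honours depends on all three tunnel attributes being present and consistent. The following is an added example (not part of the guide and not the connector's own code) that parses a file in the layout shown, picks the attribute set for a posture, falls back to the Unknown set for anything unmapped, and checks that an attribute set can actually steer a VLAN. The sample file, the one-attribute-per-line layout, the "CheckupRadiusAttributes" section name and the VLAN numbers are constructed assumptions.

```python
"""Parse a FreeRADIUS-connector style attribute file and select the RADIUS
reply attributes for an endpoint posture (added example; sample constructed)."""

SAMPLE_CONF = """\
# NAC 800 FreeRADIUS Connector configuration file (constructed sample)
ServerUrl=https://localhost/servlet/AccessControlServlet
DebugLevel=4

"HealthyRadiusAttributes"
Tunnel-Medium-Type := 6,
Tunnel-Private-Group-ID := 10,
Tunnel-Type := VLAN,

"QuarantineRadiusAttributes"
Tunnel-Medium-Type := 6,
Tunnel-Private-Group-ID := 15,
Tunnel-Type := VLAN,

"InfectedRadiusAttributes"
Tunnel-Medium-Type := 6,
Tunnel-Private-Group-ID := 15,
Tunnel-Type := VLAN,

"UnknownRadiusAttributes"
Tunnel-Medium-Type := 6,
Tunnel-Private-Group-ID := 5,
Tunnel-Type := VLAN,
"""

# Posture names come from the guide; the Checkup section name is an assumption.
POSTURE_SECTIONS = {
    "Healthy": "HealthyRadiusAttributes",
    "Checkup": "CheckupRadiusAttributes",
    "Quarantine": "QuarantineRadiusAttributes",
    "Infected": "InfectedRadiusAttributes",
    "Unknown": "UnknownRadiusAttributes",
}


def parse_connector_conf(text):
    """Return (settings, sections): key=value settings and, per quoted section
    name, a dict of 'Attribute := value,' lines. Unknown lines raise."""
    settings, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith('"') and line.endswith('"'):
            current = line.strip('"')
            sections[current] = {}
        elif ":=" in line:
            if current is None:
                raise ValueError(f"attribute outside any section: {line}")
            name, value = (p.strip() for p in line.rstrip(",").split(":=", 1))
            sections[current][name] = value
        elif "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
        else:
            raise ValueError(f"unrecognised line: {line}")
    return settings, sections


def attributes_for_posture(sections, posture):
    """Pick the reply attributes for a posture. Anything unmapped or missing
    falls back to the Unknown set, i.e. the least-trusted VLAN (fail closed)."""
    name = POSTURE_SECTIONS.get(posture, "UnknownRadiusAttributes")
    return sections.get(name) or sections["UnknownRadiusAttributes"]


def check_vlan_assignment(attrs):
    """List problems that would stop a switch honouring the VLAN. Per RFC 2868,
    Tunnel-Medium-Type 6 is IEEE-802 and Tunnel-Type VLAN is value 13."""
    problems = []
    for required in ("Tunnel-Medium-Type", "Tunnel-Private-Group-ID", "Tunnel-Type"):
        if required not in attrs:
            problems.append(f"missing {required}")
    if attrs.get("Tunnel-Medium-Type") not in ("6", "IEEE-802"):
        problems.append("Tunnel-Medium-Type should be 6 (IEEE-802)")
    if attrs.get("Tunnel-Type") not in ("VLAN", "13"):
        problems.append("Tunnel-Type should be VLAN (13)")
    return problems


if __name__ == "__main__":
    settings, sections = parse_connector_conf(SAMPLE_CONF)
    for posture in ("Healthy", "Checkup", "Quarantine", "Infected", "Unknown", "bogus"):
        attrs = attributes_for_posture(sections, posture)
        print(posture, "-> VLAN", attrs["Tunnel-Private-Group-ID"], check_vlan_assignment(attrs))
```

Run the checker over every section after editing the file; a section with a missing or misspelled tunnel attribute silently lands endpoints on the port's default VLAN instead of the intended one.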
detection can be run remotely by installing and configuring the endpoint activity capture software on each DHCP server involved in the 802.1X deployment. In this case, choose the remote option. local – In simple configurations, it is possible to span, or mirror, the •...
Right-click on Local Area Connection. Select Properties. The Local Area Connection window appears: Figure 11-32. Windows XP Pro Local Area Connection, General Tab Select the General tab. Select the Show icon in notification area when connected check box. This enables the Windows XP balloon help utility, which can assist you when entering information and troubleshooting errors.
Select the Authentication tab. Figure 11-33. Windows XP Pro Local Area Connection Properties, Authentication Select the Enable IEEE 802.1X authentication for this network check box. Select an EAP type from the drop-down list. For this example, select MD5-Challenge.
Select Wireless Zero Configuration. If the Status column does not already show Started, start the service: Right click on Wireless Zero Configuration. ii. Select Start. b. Close the Services window. Configure the network connections: Windows desktop>>Start>>Settings>>Control Panel>>Network Connections Right-click on Local Area Connection.
Configure the network connections: Windows desktop>>Start>>Settings>>Control Panel>>Network and Dial-up Connections Right-click on Local Area Connection. Select Properties. The Local Area Connection window appears. Figure 11-34. Windows 2000 Local Area Connection Properties, General Tab b.
d. Select the Authentication tab. Figure 11-35. Windows 2000 Local Area Connection Properties, Authentication Tab Select the Enable network access control using IEEE 802.1X check box. Select an EAP type from the drop-down list. For this example, select MD5-Challenge.
Windows desktop>>Start>>Settings>>Control Panel>>Administrative Tools>>Services Start the wired service: Double-click on Wired AutoConfig. The Wired AutoConfig Properties window appears. Figure 11-36. Wired AutoConfig Properties b. Select Automatic from the Startup type drop-down list. Click Start in the Service status area.
Select Properties. The Local Area Connection window appears: Figure 11-37. Windows Vista Local Area Connection, Networking Tab ...
Select the Authentication tab. Figure 11-38. Windows Vista Local Area Connection Properties, Authentication Tab Select the Enable IEEE 802.1X authentication check box. Select an EAP type from the Choose a network authentication method drop-down list.
set radius server 1 10.11.100.10 1812 02108000AE5BA9C47EDC24F2CA6529EE4CCC8930BBD70F5AAA2CF0C5DBAA5DA97FADFE95
set radius enable
Extreme® Summit 48si TIP: When authenticating via the onboard FreeRADIUS server, you need to add the administrative line in the RADIUS users file. TIP: Change the admin password to a non-blank password.
ExtremeWare TIP: When authenticating via the onboard FreeRADIUS server, you need to add the administrative line in the RADIUS users file. TIP: Change the admin password to a non-blank password.
create vlan "Quarantine"
create vlan "Test"...
This section shows how to configure the security settings on the 420AP so that user access may be controlled using Dynamic VLAN provisioning.
HP ProCurve Access Point 420#configure
HP ProCurve Access Point 420(config)#interface ethernet
Enter Ethernet configuration commands, one per line.
HP ProCurve Access Point 420(if-ethernet)#no ip dhcp
...
HP ProCurve Access Point 420(if-ethernet)#ip address <IP of Access Point Netmask Gateway>
HP ProCurve Access Point 420(if-ethernet)#end
HP ProCurve Access Point 420(config)#management-vlan 200 tagged
HP ProCurve Access Point 420(config)#interface wireless g
Enter Wireless configuration commands, one per line.
ProCurve Access Point 530(config)#write mem
ProCurve Access Point 530(config)#exit
Dynamic WEP:
Dynamic WEP rotates per-session keys, but WEP itself is cryptographically broken; use this mode only where legacy clients leave no alternative and prefer the WPA/WPA2 (802.11i) configuration otherwise.
ProCurve Access Point 530#conf
ProCurve Access Point 530(config)#interface ethernet
ProCurve Access Point 530(ethernet)#ip address <IP of Access Point> <Netmask>
ProCurve Access Point 530(ethernet)#ip default-gateway <IP of Gateway>
ProCurve Access Point 530(ethernet)#management-vlan 200...
Setting up the 802.1X Components
The RADIUS shared secret key must also be set to enable communication between this device and the RADIUS server. Use a long, random secret that is unique to each device: RADIUS protects the exchange with nothing stronger than this secret, and a short or reused one lets anyone on the management path forge or decrypt RADIUS traffic.
ProCurve Access Point 530(radio1-wlan1)#radius primary key <Shared RADIUS secret>
ProCurve Access Point 530(radio1-wlan1)#radius-accounting primary ip <IP of RADIUS Server>...
Expect is a tool that uses simple scripts to automate interactive applications. NAC 800 utilizes expect scripts when communicating with 802.1X devices. You can add 802.1X devices in the NAC 800 user interface (Home>>System configuration>>Quarantining menu option>>Add 802.1X device). There are 11 pre-defined devices, and one generic device.
Exit script – This script is used to exit the console. It is executed when the idle time timeout is reached. When testing configuration settings from the NAC 800 user interface, all three scripts are executed once in sequence and the connection is closed. If any output is returned by a command sent in the re-authentication script, it is logged and returned to the user.
send exit
expect #
send exit
expect press <Return> or <Enter> to select option.
send -noreturn l
Figure 11-41. Nortel Exit Script
Expect Script Commands:
expect [OPTIONS] TEXT | "Waits for TEXT to appear on connection input"...
Expect Script Variables: Variables referenced with the syntax ${VARIABLE_NAME} will be substituted with the value of the variable at execution time. The following variables may be referenced anywhere: ■ USERNAME – The username used to log in to the device ■ PASSWORD –...
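As an added example, not code from the NAC 800 product or this guide, the following Python script interprets the script commands and variable syntax described above (expect, send, send -noreturn, ${VARIABLE_NAME}) and runs them against a constructed fake console. The exit script is the Nortel one from Figure 11-41; the login script, the console banner and prompts, and the user name and password values are assumptions made up for the demonstration. It also shows the one thing a practitioner wants from such an interpreter: the password value is masked before any console output is returned for logging.

```python
"""Interpreter for the NAC 800-style device script commands described above.
Added illustration, not the appliance's own code. Assumed semantics:
  expect TEXT / send TEXT (TEXT + return) / send -noreturn TEXT / ${NAME}
"""
import re

VAR_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def substitute(text, variables):
    """Expand ${NAME}; an undefined variable is an error, not an empty string."""
    def repl(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"undefined script variable ${{{name}}}")
        return variables[name]
    return VAR_RE.sub(repl, text)


def parse_script(text):
    """Split a script into (command, options, argument) tuples; blank lines are skipped."""
    steps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        command, _, rest = line.partition(" ")
        options = []
        while rest.startswith("-"):            # e.g. "send -noreturn l"
            option, _, rest = rest.partition(" ")
            options.append(option)
        steps.append((command, tuple(options), rest))
    return steps


class FakeConsole:
    """Constructed stand-in for a switch console: echoes input and answers each
    complete line with the next canned reply for that line."""

    def __init__(self, banner, responses):
        self.pending = banner        # output the script has not read yet
        self.responses = responses   # received line -> list of replies, used in order
        self.received = []

    def write(self, text, newline):
        self.received.append(text + ("\r" if newline else ""))
        self.pending += text         # local echo
        if not newline:              # bare keystroke: nothing executes yet
            return
        replies = self.responses.get(text)
        reply = replies.pop(0) if replies else f"% Unknown command: {text}\n"
        self.pending += "\n" + reply

    def read(self):
        out, self.pending = self.pending, ""
        return out


def run_script(script, console, variables, secret_names=("PASSWORD",), max_reads=5):
    """Run one script and return the console output consumed by each expect,
    with secret variable values masked so an echoed password is never logged."""
    secrets = {variables[n] for n in secret_names if n in variables}
    buffer, log = "", []
    for command, options, argument in parse_script(script):
        argument = substitute(argument, variables)
        if command == "send":
            console.write(argument, newline="-noreturn" not in options)
        elif command == "expect":
            for _ in range(max_reads):
                buffer += console.read()
                if argument in buffer:
                    break
            else:
                raise TimeoutError(f"expect {argument!r}: not seen in {buffer!r}")
            end = buffer.index(argument) + len(argument)
            chunk, buffer = buffer[:end], buffer[end:]
            for secret in secrets:
                chunk = chunk.replace(secret, "********")
            log.append(chunk)
        else:
            raise ValueError(f"unknown script command {command!r}")
    return log


# Assumed login script; the exit script is the Nortel one from Figure 11-41.
LOGIN_SCRIPT = "expect Login:\nsend ${USERNAME}\nexpect Password:\nsend ${PASSWORD}\nexpect #\n"
EXIT_SCRIPT = (
    "send exit\nexpect #\nsend exit\n"
    "expect press <Return> or <Enter> to select option.\nsend -noreturn l\n"
)


def demo():
    """Log in, then run the exit script, against a constructed console transcript."""
    console = FakeConsole(
        banner="Constructed switch console\nLogin: ",
        responses={
            "admin": ["Password: "],
            "s3cret": ["\nswitch(config)# "],
            "exit": ["switch# ", "Main menu\n... press <Return> or <Enter> to select option.\n"],
        },
    )
    variables = {"USERNAME": "admin", "PASSWORD": "s3cret"}
    log = run_script(LOGIN_SCRIPT, console, variables)
    log += run_script(EXIT_SCRIPT, console, variables)
    return log, console.received
```

When an expect never matches, the interpreter raises after a bounded number of reads rather than hanging; on the appliance the equivalent is the idle timeout that triggers the exit script.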
NAC 800 auto-discovers endpoints on your network so that the testing and transition from quarantine to non-quarantine areas happens quickly and smoothly after an endpoint is booted up. NAC 800 also relies on auto-discovery functionality to track DHCP IP address transitions so that it can continue to communicate seamlessly with endpoints after an IP change.
To download the EXE file to a Windows machine: Browser window Download and save the EXE file to a Windows machine. The EXE file can be downloaded directly from the MS: http://www.procurve.com/nactools/ Running the Windows Installer The Windows installer performs the following tasks: ■...
Remote Device Activity Capture Creating a DAC Host Double-click on the EXE file. The Setup Type window appears: Figure 12-1. RDAC Installer, Setup Type Select Complete to install the DAC software, the JavaJRE software, and the WinPcap software. If you already have JavaJRE or WinPcap installed, select Custom.
Click Next. The Choose Destination Location window appears: Figure 12-2. RDAC Installer, Choose Destination Location In most cases, you should accept the default location. (Click Change to select a different location.) Click Next. The Confirm New Folder window appears: Figure 12-3.
Click Yes. If you selected Custom in step 3 on page 12-4, the Select Features window appears (figure 12-4); otherwise the NIC Selection window appears (figure 12-5). Figure 12-4. RDAC Installer, Select Features
Select the features to install. Click Next. The NIC Selection window appears: Figure 12-5. RDAC Installer, NIC Selection
All of the interfaces installed on your Windows server are listed in this window. Select the one that sees the DHCP traffic you want captured (for example, the interface attached to the span/mirror port) and click Next. The TCP Port Filter Specification window appears: Figure 12-6. RDAC Installer, TCP Port Filter Specification
In most cases you should accept the default entry. Click Next. The Enforcement Server Specification window appears: Figure 12-7. RDAC Installer, Enforcement Server Specification
10. Enter the IP address of the Enforcement Server (ES) to use. Click Next. The Ready to Install the Program window appears: Figure 12-8. RDAC Installer, Ready to Install the Program 11. Click Install. 12.
When the installation is complete, the InstallShield Wizard Complete window appears: Figure 12-9. RDAC Installer, InstallShield Wizard Complete
13. The following folders and files are created:
• VERSION
• InstallSSDAC.bat
• rdac
• SSDAC.bat
• UninstallSSDAC.bat
• wrapper.exe
• wrapper.log
14. Perform the steps detailed in "Adding Additional Interfaces" if you have additional interfaces to add.
15. Perform the steps detailed in "Configuring the MS and ES for DAC" on page 12-13.
Configuring the MS and ES for DAC Create a keystore file containing a unique key, signed certificate, and a CA certificate that is required for SSL communication. For a multiple-server installation, on the NAC 800 MS, enter the following command at the command line: /usr/local/nac/bin/SSL-createRemoteDACCertificate...
b. When the command completes, copy the DAC_keystore file (from /tmp or wherever you specified) to C:\Program Files\HP\DAC\lib\. Use an encrypted, authenticated copy method (see "Copying Files"), because the keystore contains the host's private key. After copying the DAC_keystore file from the MS, delete the file from its temporary location on the MS. NOTE: This step must be repeated for each remote DAC host, as each host should have its own unique key.
Select Start>>Settings>>Control Panel>>Administrative Tools>>Services. The Services window appears: Figure 12-11. NAC Endpoint Activity Capture Service Right-click on the NAC Endpoint Activity Capture service and select Start. The service is set to automatic start at the next reboot by default. Viewing Version Information To view version information: Windows server...
Removing the Software Each of the three software packages must be removed individually. To remove the RDAC software: Windows server Select Start>>Settings>>Control Panel>>Add or Remove Programs. Click once on the DAC listing. Click Remove.
Remote Device Activity Capture Creating a DAC Host Select Start>>Settings>>Control Panel>>Add or Remove Programs. Click once on the J2SE Runtime Environment listing. Click Remove. Click Yes when asked if you want to completely remove the application and features. When the uninstallation is complete, the Uninstall Complete window appears: Select one of the options and click Finish.
You must configure syslog on the Infoblox server to send debug level DHCP logs to the NAC 800 ES IPs on TCP port 514, using the local3 facility. The actual steps to set this up may vary by NIOS version. Contact Infoblox support for assistance (http://www.infoblox.com/support/). Syslog over TCP port 514 is neither encrypted nor authenticated, so restrict the feed on each ES to the Infoblox server address; otherwise any host that can reach port 514 could inject DHCP lines and influence which endpoints NAC 800 tracks.
Click ok.
Command line window
NOTE: Perform the following steps on each ES in your system.
Log in as root to the NAC 800 ES using SSH or directly with a keyboard. Enter the following command:
egrep DeviceActivityCapture /usr/local/nac/properties/nac-es.properties
The expected results are:
Compliance.DeviceActivityCapture.RunningRemotely=tru...
Remote Device Activity Capture NAC 800 to Infoblox Connector d. In the ### LOG ENTRIES HERE ### area, add the following line: log { source(rdac); filter(f_mesg); destination(d_dac); }; Save and exit the file. Enter the following at the command line to restart the service:...
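As an added example, not part of NAC 800 or the Infoblox connector, the following Python code shows the kind of processing the DAC feed enables: it checks the syslog facility of each line, parses ISC dhcpd-style DHCPACK and DHCPRELEASE messages, and records when a MAC address moves to a new IP address, which is the transition the auto-discovery feature must follow. The log lines are constructed; the message formats are ISC dhcpd's, which NIOS is assumed to log in the same style (check against your own debug output).

```python
"""Track endpoint IP/MAC transitions from DHCP server syslog lines.
Added illustration of what the DAC feed gives NAC 800, not the appliance's own
parser. Message formats are ISC dhcpd's (assumed to match NIOS debug output);
the sample lines at the bottom are constructed."""
import re

LOCAL3 = 19  # syslog facility number; PRI = facility * 8 + severity

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d "
    r"(?P<host>\S+) (?P<tag>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
ACK_RE = re.compile(rf"^DHCPACK on (?P<ip>{IPV4}) to (?P<mac>{MAC})")
RELEASE_RE = re.compile(rf"^DHCPRELEASE of (?P<ip>{IPV4}) from (?P<mac>{MAC})")


def parse_syslog(line):
    """Return (facility, severity, host, tag, message), or None if malformed."""
    m = SYSLOG_RE.match(line)
    if not m or int(m.group("pri")) > 191:
        return None
    pri = int(m.group("pri"))
    return pri // 8, pri % 8, m.group("host"), m.group("tag"), m.group("msg")


class LeaseTracker:
    """Current IP per MAC, plus an event for every change worth acting on."""

    def __init__(self, facility=LOCAL3):
        self.facility = facility
        self.by_mac = {}
        self.events = []

    def feed(self, line):
        parsed = parse_syslog(line)
        if parsed is None:
            self.events.append(("malformed", line))
            return
        facility, _severity, _host, tag, msg = parsed
        if facility != self.facility or tag != "dhcpd":
            return                      # not the DHCP feed configured for NAC 800
        ack = ACK_RE.match(msg)
        if ack:
            mac, ip = ack.group("mac").lower(), ack.group("ip")
            previous = self.by_mac.get(mac)
            self.by_mac[mac] = ip
            if previous is None:
                self.events.append(("new", mac, ip))
            elif previous != ip:
                self.events.append(("moved", mac, previous, ip))  # auto-discovery must follow this
            else:
                self.events.append(("renew", mac, ip))
            return
        release = RELEASE_RE.match(msg)
        if release:
            mac, ip = release.group("mac").lower(), release.group("ip")
            if self.by_mac.pop(mac, None) is not None:
                self.events.append(("released", mac, ip))
        # DHCPDISCOVER/OFFER/REQUEST lines carry no lease decision and are ignored


SAMPLE_LINES = [  # constructed; <159> is local3.debug, <30> is daemon.info
    "<159>Jul 17 10:53:11 nios1 dhcpd: DHCPDISCOVER from 00:1a:2b:3c:4d:5e via eth1",
    "<159>Jul 17 10:53:11 nios1 dhcpd: DHCPACK on 10.0.16.50 to 00:1a:2b:3c:4d:5e (laptop) via eth1",
    "<159>Jul 17 11:02:40 nios1 dhcpd: DHCPACK on 10.0.16.50 to 00:1A:2B:3C:4D:5E (laptop) via eth1",
    "<159>Jul 17 11:30:05 nios1 dhcpd: DHCPACK on 10.0.32.7 to 00:1a:2b:3c:4d:5e (laptop) via eth2",
    "<30>Jul 17 11:31:00 nios1 sshd[4242]: Accepted publickey for admin from 10.0.1.9",
    "<159>Jul 17 12:00:00 nios1 dhcpd: DHCPRELEASE of 10.0.32.7 from 00:1a:2b:3c:4d:5e (laptop) via eth2",
    "not a syslog line",
]


def demo():
    """Feed the constructed lines and return the tracker for inspection."""
    tracker = LeaseTracker()
    for line in SAMPLE_LINES:
        tracker.feed(line)
    return tracker
```

The facility check is what the filter in the syslog-ng configuration above achieves on the ES; doing it again in the consumer means a line that arrives on the wrong facility, or from a process other than dhcpd, is never mistaken for a lease decision.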
Installation Overview .......... 13-4
DHCP Plug-in and the NAC 800 User Interface .......... 13-7
Installing the Plug-in ..........
The Dynamic Host Configuration Protocol (DHCP) plug-in is an optional feature that allows you to use one or more DHCP servers (without an installation of NAC 800 in front of each DHCP server) as shown in the following figure: Figure 13-1.
DHCP Plug-in Overview NAC 800 tests endpoints that request access to the network and either assigns a quarantined Internet Protocol (IP) address (failed), or adds the MAC address of the end-user device as an authorized device (allowed) to the Access Control List (ACL) on the appropriate DHCP server.
Installation Overview Installation Overview When NAC 800 does not sit inline with the DHCP server, you need to set up a remote host for Device Activity Capture (DAC) to allow NAC 800 to listen on the network. This is done by installing a small program on the DHCP server or other remote (non-NAC 800) host, which then sends relevant endpoint device information back to NAC 800.
DHCP Plug-in Installation Overview After copying the server.pem file from the NAC 800 server, delete the file from its temporary location on the NAC 800 server.
Group Item Description
failopen – failopen="true" means that if the NAC 800 DHCP listener connection goes down, the DHCP server goes into allow all mode: every endpoint, tested or not, receives a production address until the connection returns. With failopen="false" an outage of the listener does not open the network, at the cost of endpoints not being admitted until it returns; choose according to whether availability or containment matters more on that segment.
DHCP Plug-in DHCP Plug-in and the NAC 800 User Interface DHCP Plug-in and the NAC 800 User Interface In order to use the DHCP plug-in, you need to select DHCP as the quarantine (enforcement) method, select the DHCP servers using the DHCP plug-in check box, and add your DHCP servers.
Select the DHCP Servers using the DHCP Plug-in radio button. Figure 13-2. System Configuration, Quarantining, DHCP Click download the DHCP plug-in. A Windows save window appears.
Browse to a location on the DHCP server you will remember and save the file. On the DHCP server, navigate to the location of the saved file and double-click it.
Click Next. The Ready to Install the Program window appears. Figure 13-5. DHCP Plug-in Ready to Install the Program window 10. Click Install. The progress is displayed on a Status window. When installation is complete, the InstallShield Wizard Complete window appears.
Enabling the Plug-in and Adding Servers To enable the DHCP plug-in and add the DHCP servers: Home window>>System configuration>>Quarantining Select the DHCP radio button in the Quarantine area. Select the DHCP servers using the DHCP plug-in radio button (figure 13-2).
Figure 13-9. DHCP Plug-in Legend NOTE: NAC 800 automatically attempts to connect to the DHCP server. The possible DHCP server status states are shown in figure 13-9. 10. Click ok to save the changes and return to the Home window.
Viewing DHCP Server Plug-in Status DHCP server plug-in status is displayed in the following locations: ■ System configuration>>Quarantining>>DHCP window ■ System monitor>>select a cluster>>Quarantining window ■ Home window>>System configuration>>Quarantining>>DHCP Quarantine ■...
Make any necessary modifications. Click ok to return to the System Configuration>>Quarantining window. Click ok to save the changes and return to the Home window. Deleting a DHCP Server Plug-in Configuration To delete a DHCP Server Plug-in Configuration: Home window>>System configuration>>Quarantining>>DHCP Quarantine...
Click enable next to the DHCP server plug-in configuration you wish to enable. Click yes at the Enable DHCP plug-in configuration prompt. Click ok to save the changes and return to the Home window.
Reports Report Types
Report Types
NAC 800 generates the following types of reports (report, description, report columns):
NAC policy results – Lists each NAC policy and the last pass/fail policy results. Columns: policy name, test status, # of times, ...
Test results by NetBIOS name – Lists the number of tests that passed or failed for each NetBIOS name. Columns: netbios, cluster, ip address, user, test status, # of times, ...
Reports Generating Reports Generating Reports To generate a report: Home window>>Reports The following figure shows the Reports window. Figure 14-1. Reports In the Report drop-down list, select the report to run. Select the Report period. Select the Rows per page. In the Endpoint search criteria area, select any of the following options to use for filtering the report: Cluster...
Reports Generating Reports Access control status Endpoints must match: i. All of the selected criteria ii. Any of the selected criteria Select Generate report. After a short period of time the compiled report is displayed in a separate browser window. The following figure shows an example report.
Reports Viewing Report Details Viewing Report Details To view report details: Home window>>Reports Select the options for the report you want to run. Click Generate report. Click the details link. The Test details window appears:
Reports Printing Reports Printing Reports To print a report: Home window>>Reports Select the options for the report you want to run. Click Generate report. Select Print. Select the printer options and properties. Select Print.
Reports Saving Reports to a File Saving Reports to a File To save a report: Home window>>Reports Select the options for the report you want to run. Click Generate report. Select File>>Save Page As from the browser menu. Enter a name and location where you want to save the file. Select Web page, complete.
Reports Converting an HTML Report to a Word Document Converting an HTML Report to a Word Document To convert an HTML report: Run the report (see “Generating Reports” on page 14-4.) Save an HTML version of it (see “Saving Reports to a File” on page 14-9). Open the HTML report in Microsoft Word.
System Administration
Creating a New Self-signed Certificate .......... 15-25
Using an SSL Certificate from a known Certificate Authority (CA) .......... 15-27
Moving an ES from One MS to Another ..........
Logging out of NAC 800 To log out of NAC 800: Any NAC 800 window Click Logout in the upper right corner of the NAC 800 home window. When the logout procedure completes, the ProCurve login window appears. Important Browser Settings There are several browser configuration settings to make, depending on which browser you are using.
System Administration Downloading New Tests Downloading New Tests To download the latest tests from the ProCurve server: Home window>>System configuration>>Test updates>>Check for test updates button TIP: If you are not receiving test updates, try the following checks: - Verify that the system time is correct...
Ensure that the following ports on the domain controller/active directory (DC/AD) servers are available from quarantine:
• 135-139
• 1025
Limit these rules to the DC/AD addresses themselves (the accessible services list) rather than to whole subnets: RPC and NetBIOS ports opened from quarantine are reachable by endpoints that have not yet passed testing. NAC 800 will then look up the Kerberos and LDAP services, and resolve those services within its own DNS server used for quarantined devices. For example:
-> lookup the _kerberos and _ldap service location
<- receive dc01.mycompany.com & dc02.mycompany.com
-> lookup the dc01 IP address
<- receive the dc IP address, forwarded through NAC 800 named to the real DNS server (since dc01.mycompany.com is in the accessible services list)
-> authenticate
Matching Windows Domain Policies to NAC Policies
Using a Windows domain might affect the end-user's ability to change their...
System Administration System Settings For example, if the global network policy is to not allow Windows automatic updates, any user attempting to connect through the High security NAC policy fails the test, and is not able to change their endpoint settings to pass the test. In this example, change the NAC policy to not run the Windows automatic update test: Home window>>NAC policies...
System Administration System Settings Changing the MS Host Name To change the MS host name: See “Modifying MS Network Settings” on page 3-22. Changing the ES Host Name To change the ES host name: See “Changing the ES Network Settings” on page 3-15. Changing the MS or ES IP Address To change the MS or ES IP address: The preferred method is to use the user interface:...
an MS to an ES or an ES to an MS. To reset your system to the as-shipped state (this discards configuration and data, so take a backup first): Command line window Log in as root to the NAC 800 MS or ES, either using SSH or directly with a keyboard. Enter the following command at the command line: resetSystem.py [both | ms | es]...
To reset your test data to the as-shipped state: Command line window For single-server installations: Log in as root to the NAC 800 MS, either using SSH or directly with a keyboard. b. Run the script by entering the following at the command line: resetTestData.py...
/usr/local/nac/bin Changing Properties To change the property values in the properties files: Command line window Log in as root to the NAC 800 MS using SSH. Enter the following at the command line: setProperty.py <DESTINATION> <TYPE> <VALUES> Where: •...
NAC 800 Enforcement clusters send alerts and notifications when certain events occur. You must specify an SMTP email server for sending these notifications. The server must allow SMTP messages from the NAC 800 ES. To specify an email server for sending notifications: See “Notifications”...
Entering Networks Using CIDR Format Entering Networks Using CIDR Format Networks and network endpoints can be specified in NAC 800 using Classless Inter-Domain Routing (CIDR) format. CIDR is a commonly used method for specifying Internet objects. Table 15-1 presents common CIDR naming conventions.
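As an added illustration, not NAC 800 code, the following Python functions perform the CIDR arithmetic behind Table 15-1 with plain integer operations: prefix length to netmask, network and last address, membership tests, and longest-prefix matching against a list of entries. It also flags the common mistake of entering a host address with a network prefix (10.0.1.77/24), which silently widens the entry to the whole /24. It assumes that an entry without a prefix length means a single host (/32); confirm that against how NAC 800 interprets bare addresses before relying on it.

```python
"""Added example (not NAC 800 code): IPv4 CIDR arithmetic with plain integers,
so the relationship between prefix length, netmask and address range is visible.
Assumption: an entry without a prefix length denotes a single host (/32)."""

ALL_ONES = 0xFFFFFFFF


def ip_to_int(ip):
    """Dotted quad -> 32-bit integer; rejects anything that is not four octets 0-255."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {ip!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            raise ValueError(f"bad octet in {ip!r}")
        value = (value << 8) | int(part)
    return value


def int_to_ip(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix_len):
    """/24 -> 255.255.255.0 as an integer: prefix_len one-bits followed by zeros."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"prefix length out of range: {prefix_len}")
    return (ALL_ONES << (32 - prefix_len)) & ALL_ONES


def parse_cidr(entry):
    """Return (network, prefix_len, host_bits_dropped).

    host_bits_dropped is True when the address had bits set below the mask,
    e.g. 10.0.1.77/24: the entry silently becomes 10.0.1.0/24, which is
    usually a typo when a single endpoint was meant.
    """
    address, _, prefix = entry.partition("/")
    prefix_len = int(prefix) if prefix else 32     # assumption: bare address = one host
    mask = prefix_to_mask(prefix_len)
    raw = ip_to_int(address)
    return raw & mask, prefix_len, (raw & mask) != raw


def describe(entry):
    """Network, netmask, last address and size of a CIDR entry as dotted quads."""
    network, prefix_len, _ = parse_cidr(entry)
    mask = prefix_to_mask(prefix_len)
    return {
        "network": int_to_ip(network),
        "netmask": int_to_ip(mask),
        "last": int_to_ip(network | (~mask & ALL_ONES)),
        "addresses": 1 << (32 - prefix_len),
    }


def contains(entry, ip):
    """True when ip falls inside the CIDR entry."""
    network, prefix_len, _ = parse_cidr(entry)
    return ip_to_int(ip) & prefix_to_mask(prefix_len) == network


def most_specific(entries, ip):
    """Longest-prefix match: the entry whose range is tightest around ip, or None."""
    matches = [(parse_cidr(e)[1], e) for e in entries if contains(e, ip)]
    return max(matches)[1] if matches else None
```

When reviewing a list of ranges or accessible services, running each entry through parse_cidr and reporting those with host_bits_dropped set catches entries that admit far more addresses than the administrator intended.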
System Administration Database Database Creating a Backup File To create a backup file of system configuration and data: See “Initiating a New Backup” on page 3-96. Restoring from Backup NOTE: You must have backed up your system at least one time before you can restore from a backup.
“Resetting your System” on page 15-8 for more information. To reset a NAC 800 database to its pristine state: Command window Log in as root to the NAC 800 MS using SSH. Enter the following commands: resetSystem.py This script shuts down all of the services, cleans the database, iptables, and DHCP server, and restarts everything.
System Administration Supported VPNs Supported VPNs NAC 800 works with any VPN endpoint, since NAC 800 does not directly interface or inter-operate with VPN endpoints. The following commonly deployed VPN solutions have been tested: ■ Cisco VPN Concentrators OpenSSL VPNs ■...
Viewing the end-user access windows: IE browser window Point the IE browser to port 88 of your NAC 800 ES. For example, if the IP address of your NAC 800 ES is 10.0.16.18, point an IE browser window to: http://10.0.16.18:88...
How NAC 800 Handles Static IP Addresses How NAC 800 Handles Static IP Addresses The following list details how NAC 800 handles static IP addresses: Inline Mode – NAC 800 can detect, test, and quarantine static IP ■ addresses. The end-user cannot circumvent a quarantine. ■...
System Administration Managing Passwords Managing Passwords The passwords associated with your NAC 800 installation are listed in the following table (columns: NAC 800 password, Set during, Recovery process): NAC 800 Set during Recovery process password NAC 800 Initial install process * See "Resetting the NAC 800 Server Management or Password"...
If you can remember the NAC 800 user interface password, but cannot remember the root login password for the NAC 800 MS or ES, log in to the NAC 800 user interface and navigate to one of the following windows: To reset the MS Password: Home>>System configuration>>Management server...
Compliance.ObjectManager.AdminUser=
Compliance.ObjectManager.AdminPassword=
Compliance.UI.FirstTimeConfigCompleted=true
Enter the password after the equal sign (for example, CwR0(tW). Save the file and copy it to the NAC 800 server (either MS or ES). Because the file holds the administrator password in clear text, transfer it over an encrypted channel and delete it from both machines once setProperty.py has loaded it. Log into the NAC 800 server as root.
System Administration Managing Passwords Enter the following command: setProperty.py -f<filename> From a workstation, open a browser window and point to the NAC 800 MS. Enter a new User Name and Password when prompted.
System Administration Working with Ranges Working with Ranges In NAC 800 implementations, particularly in trial installations where you are connecting and disconnecting cables to a number of different types of end- points, you can filter the activity by specifying the following: ■...
This is because Extreme switches forward the packets from the IP address closest to NAC 800 and not the IP address of the interface closest to the endpoint, so all the DHCPRelay packets will appear to come from a production network IP address.
In order to avoid SSL certificate warnings in the browser when connecting to the NAC 800 server (either as a NAC 800 user interface user, or from a redirected endpoint) you will need to install SSL certificates that have been signed by a Certificate Authority (CA) recognized by the browser, such as Thawte, Verisign, or your organization's own local SSL CA.
Import the CA’s root certificates into the java cacerts file by entering the following command on the command line of the NAC 800 server: keytool -import -alias <CA_alias> -file <ca_root_cert_file>...
To generate a Certificate Signing Request (CSR) to be submitted to a Certificate Authority (CA), first create a new self-signed certificate following the instructions in the previous section, then continue as follows. Log in as root to the NAC 800 server via SSH. Enter the following at the command line: <key_alias>...
(see "Copying Files" on page 1-20), replacing the previously self-signed public certificate for your key by entering the following command on the command line of the NAC 800 server: keytool -import -alias <key_alias> -trustcacerts -file <signed_cert_file> -keystore /usr/local/nac/keystore/compliance.keystore...
System Administration Moving an ES from One MS to Another Moving an ES from One MS to Another If you have an existing ES, you can move it to a different MS by performing the steps in this section. To move an ES to a different MS: Command line window Log in to the ES as root using SSH or directly with a keyboard.
System Administration Recovering Quickly from a Network Failure Recovering Quickly from a Network Failure If you have a network with a very large number of endpoints (around 3000 endpoints per ES), and your network goes down, perform the following steps to make sure that your endpoints can reconnect as quickly as possible: Place all of the clusters that have a large number of endpoints in allow all mode:...
In some cases, such as when the DHCP server is in a separate VLAN than the span/mirror port, the mirrored port traffic is 802.1q tagged. In this case, in order for NAC 800 to recognize the traffic, the following workaround must be performed.
System Administration VLAN Tagging Append the following line to the bottom of the file: VLAN=yes Modify the IPADDR line if needed. Save and exit the file. h. Restart the network interface by entering the following at the command line: service network restart Change the interface the EDAC listens on: Log in to the MS using SSH or directly with a keyboard.
System Administration VLAN Tagging Verify that the EDAC is using the virtual interface you created. The log should contain a line similar to the following: [070509-MDT 10:53:11.366 DeviceActivityCapture- INFO ] Listening on: eth1:1
System Administration iptables Wrapper Script iptables Wrapper Script To avoid creating conflicts between iptables and the nac-es service, do not run the following commands manually: ■ /etc/init.d/iptables ■ service iptables start ■ service iptables stop ■ service iptables restart The nac-es service must be shut down before making changes to the iptables firewall.
Enable Temporary Ping To temporarily (until reboot) enable ICMP echo requests: Command line Log in to the NAC 800 server as root using SSH or directly with a keyboard. The kernel switch is the file /proc/sys/net/ipv4/icmp_echo_ignore_all, which contains only the number 1, meaning pings are disabled. Write 0 to it with echo (the command is shown in the next section) rather than with a text editor, since editors do not write reliably to files under /proc.
System Administration Supporting Network Management System echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all Save and exit the file. At the command line, enter the following: /etc/rc.d/rc.local Restricting the ICMP Request If you wish to restrict the ping request to a specific interface, such as the interface facing the protected network, then after following the procedures above, follow the instructions in this section to add rules to the firewall chain so that ping requests are only viable through the interface specified.
Simple Network Management Protocol (SNMP) is a protocol used for communication between devices that uses MIBs to define SNMP message formats. NAC 800 supports SNMP v2c for incoming SNMP notifications. SNMP v2c authenticates senders with nothing more than a community string carried in clear text, so use a non-default community string and limit which sources may send notifications to NAC 800. The following MIBs (located in /usr/share/snmp/mibs/) define the data that NAC 800 can read: ■...
Patch Management NAC 800 can integrate with patch management software. When an endpoint fails due to a missing patch, NAC 800 wakes the patch manager client, checks for the completion of the patch, and then retests upon completion. The patch management capability uses the following test statuses: ■...
Patch Management Flagging a Test to Launch a Patch Manager Flagging a Test to Launch a Patch Manager To flag a test to launch a patch manager: Home window>>NAC Policies>>Select or create a NAC policy>>Tests menu option Figure 16-1. Initiate a Patch Manager Check Box Select the check box for a test in the left column.
Patch Management Selecting the Patch Manager Selecting the Patch Manager To select the patch manager: Home window>>NAC Policies>>Select or create an access policy>>Tests menu option Select the check box for a test in the left column. Click on the test name in the left column. Select the Initiate patch manager check box.
Patch Management Specifying the Number of Retests Specifying the Number of Retests To select the maximum number of retest attempts: Home window>>NAC Policies>>Select or create an access policy>>Tests menu option Select the check box for a test in the left column. Click on the test name in the left column.
Patch Management Specifying the Retest Frequency Specifying the Retest Frequency To specify the retest interval: Home window>>NAC Policies>>Select or create an access policy>>Tests menu option Select the check box for a test in the left column. Click on the test name in the left column. Select the Initiate patch manager check box.
Patch Management SMS Patch Management SMS Patch Management Repair vulnerabilities using patch management with SMS. NOTE: Windows SMS 2003 is the only version supported. 16-7...
NOTE: SMS server has a setting that allows users to interact with and cancel patch installation. ProCurve recommends that you do not allow users to cancel patch installation. Once a patch installation has been canceled, the patch does not automatically attempt to install later and the endpoint will never pass the NAC policy test without manual intervention by the SMS administrator.
(SMS) which patches the endpoint. NAC 800 retests the endpoint. If the test fails again, NAC 800 keeps looping until patching com- pletes. If the test passes, NAC 800 allows the endpoint access to the network. NOTE: SMS patch management works with agent-based testing only.
To set up NAC 800 for use with SMS: Install and configure NAC 800 . Log into the NAC 800 user interface. Add the following IP addresses to the NAC 800 home window>>System configuration>>Accessible services area: SMS server IP address b.
Patch Management Learning More About SMS Learning More About SMS The following links provide additional information about SMS: ■ Microsoft SMS home page http://www.microsoft.com/smserver/
Overview Overview This section describes how to configure the remote server for use with the NAC 800 post-connect feature. The post-connect server can be a Windows server or a Linux server. This section details the following: ■ “Extracting the ZIP File” on page A-3 •...
Create a directory for the contents of the ZIP file on the Windows machine. ProCurve recommends C:\Program Files\ProCurve. These instructions assume that you used the C:\Program Files\ProCurve directory. Download and save the ZIP file to a Windows machine. The ZIP file can be downloaded directly from: http://www.procurve.com/nactools/...
Download and install the Python for Windows version. Copy the cacerts file to the Windows server: Log in to the NAC 800 MS as root using SSH or directly with a keyboard. b. Copy the /usr/local/nac/keystore/cacerts file from the MS into the \lib folder on the post-connect server where you extracted the ZIP file.
Configuring the Post-connect Server Setting up a Post-connect Host Change the product to be the product you are running. For example: product=IDS Product Name d. Save and exit the file. Edit the JMSConnection.properties file: Open the \postconnect\lib\JMSConnection.properties file with a text editor. b.
Configuring the Post-connect Server Setting up a Post-connect Host Log in to the NAC 800 MS as root using SSH or directly with a keyboard. b. Copy the /usr/local/nac/keystore/cacerts file from the MS into the /usr/local/postconnect/lib folder on the post-connect server where you extracted the ZIP file. See "Copying Files"...
Configuring the Post-connect Server Setting up a Post-connect Host d. Start the service by entering the following at the command line: service postconnect start...
Configuring the Post-connect Server Viewing Logs Viewing Logs To view post-connect logs: The log files are as follows: /usr/local/postconnect/log/connector.log – Verify that the connector ■ is running. ■ /usr/local/postconnect/log/script.log – The script writes to this file.
/usr/local/postconnect/bin/Connector_ActionScript.py <endpoint ip> "Reason 1" "Reason 2" Where: <endpoint IP> is the IP address of an endpoint known to NAC 800. For example, 192.168.40.40 “Reason 1” and “Reason 2” are text strings that describe the reasons to quarantine the specified endpoint. For example, “P2P Software Installed”, or “Latest Windows XP Service Pack not applied”.
Configuring the Post-connect Server Configuring your Sensor Configuring your Sensor Configure your post-connect sensor to call Connector_ActionScript.py with the IP address of the endpoint to quarantine and the reasons to quarantine.
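As an added example, not part of the post-connect package, the following Python code shows how a sensor integration should build the Connector_ActionScript.py call: the endpoint must be a real IP literal, each reason is reduced to a single printable line of bounded length, and the script is launched with an argument list rather than a shell string, so alert text from the sensor cannot be interpreted as shell syntax on the post-connect host. The script path is the one given in this appendix; the reasons and addresses are constructed, and the unsafe variant is included only to show the pattern to avoid.

```python
"""Added example (not part of the post-connect package): handing an endpoint
and its quarantine reasons to Connector_ActionScript.py safely. The script path
is the one from this appendix; reason strings below are constructed."""
import ipaddress
import subprocess

ACTION_SCRIPT = "/usr/local/postconnect/bin/Connector_ActionScript.py"
MAX_REASON_LEN = 200


def clean_reason(reason):
    """Collapse an alert string to one printable line; sensor text is untrusted input."""
    printable = "".join(ch if ch.isprintable() else " " for ch in reason)
    return " ".join(printable.split())[:MAX_REASON_LEN]


def build_command(endpoint_ip, reasons, script=ACTION_SCRIPT):
    """Return the argv list: script, validated endpoint address, cleaned reasons."""
    address = ipaddress.ip_address(endpoint_ip)    # ValueError unless a real IP literal
    cleaned = [r for r in (clean_reason(r) for r in reasons) if r]
    if not cleaned:
        raise ValueError("at least one quarantine reason is required")
    return [script, str(address), *cleaned]


def quarantine(endpoint_ip, reasons, run=subprocess.run):
    """Invoke the action script without a shell: argv reaches execve unchanged."""
    argv = build_command(endpoint_ip, reasons)
    result = run(argv, capture_output=True, text=True, timeout=30, check=False)
    return result.returncode


def shell_string_unsafe(endpoint_ip, reasons):
    """The pattern to avoid: a command line built by concatenation and handed to
    a shell (os.system, subprocess with shell=True). Never executed here; it only
    shows how alert text ends up interpreted as shell syntax."""
    return f"{ACTION_SCRIPT} {endpoint_ip} " + " ".join(f'"{r}"' for r in reasons)
```

The run parameter exists so the wrapper can be exercised without the post-connect service installed; in production it is left at subprocess.run, and the returned exit status of Connector_ActionScript.py is what the sensor should log.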
Allowing NAC 800 Through the Firewall Allowing NAC 800 Through the Firewall NAC 800 needs to communicate with the post-connect server through port 61616. Open that port only to the NAC 800 MS and ES addresses rather than to all sources. See "Allowing the Windows RPC Service through the Firewall" on page 5-15 for instructions on how to open a port on a Windows machine.
Overview The tests performed on endpoints attempting to connect to the network are listed on the NAC 800 Home window>>NAC policies>>Select a NAC policy>>Tests. These tests are updated when you download the latest versions by selecting NAC 800 Home window>>System Configuration>>Test Updates>>Check for Test Updates.
Tests Help
Browser Security Policy – Windows
The Browser security policy tests verify that any endpoint attempting to connect to your system meets your specified security requirements. Browser vulnerabilities are related to cookies, caches, and scripts (JavaScript, Java, and Active scripting / ActiveX).
Item – Description
JavaScript – JavaScript is a scripting language used to enhance Web pages. JavaScript programs are embedded in Web pages and enable active functionality; for example, JavaScript allows you to create images that change when you move the mouse over them and clocks with moving parts.
What Do I Need to Do?: Install a required browser or update your browser to the required version. See the following links for browser information:
http://www.mozilla.com/en-US/firefox/
http://www.microsoft.com/windows/ie/ie6/default.mspx
Internet Explorer (IE) Internet Security Zone
Description: This test verifies that the endpoint attempting to connect to your system is configured according to your specified Internet security zone standards.
Select Custom Level to specify High, Medium, Medium-low, or Low or to create custom settings.
Internet Explorer (IE) Local Intranet Security Zone
Description: This test verifies that the endpoint attempting to connect to your system is configured according to your specified local intranet security zone standards.
Internet Explorer (IE) Restricted Site Security Zone
Description: This test verifies that the endpoint attempting to connect to your system is configured according to your specified restricted site security zone standards.
Test Properties: Select the Internet Explorer restricted sites security zone settings required on your network.
Enter a domain name or IP address in the Add this Web site to the zone text box. Click Add. Click OK.
Internet Explorer (IE) Trusted Sites Security Zone
Description: This test verifies that the endpoint attempting to connect to your system is configured according to your specified trusted sites security zone standards.
Select one of the following:
- Default Level to return to the default settings.
- Custom Level to specify High, Medium, Medium-low, or Low or to create custom settings.
Select Sites. Enter a domain name or IP address in the Add this Web site to the zone text box.
Operating System – Windows
The Operating System (OS) tests verify that any endpoint attempting to connect to your system meets your specified OS requirements. Installing the most recent version of your OS helps protect your system against exploits targeting the latest vulnerabilities.
What Do I Need to Do?: Manually initiate an update check (http://v4.windowsupdate.microsoft.com/en/default.asp) if automatic update is not enabled, or is not working.
Microsoft Office Hotfixes
Description: This test verifies that the endpoint attempting to connect to your system has the latest Microsoft Office hotfixes installed.
Test Properties: Select the hotfixes required on your network. If needed, select Deep Check to permit endpoint tests to run at the file level. Selecting the All critical updates option requires all the critical patches that have been released or will be released by Microsoft.
The most secure option is to select the All critical updates option, as this requires all the critical patches that have been released or that will be released by Microsoft. You don't have to keep checking by patch number.
How Does this Affect Me?: Hotfixes are programs that update the software and may include performance enhancements, bug fixes, security enhancements, and so on.
Test Properties: Select the hotfixes from the list presented that are required on your network. This list will occasionally change as tests are updated. If needed, select Deep Check to permit endpoint tests to run at the file level. The most secure option is to select the All critical updates option, as this requires all the critical patches that have been released or that will be released by Microsoft.
http://www.microsoft.com/security/protect/windowsxp/updates.asp
Enable automatic updates for Windows 2000: Select Start>>Settings>>Control Panel>>Automatic Updates. Select Keep my computer up to date. Select Download the updates automatically and notify me when they are ready to be installed. Click OK.
Windows Media Player Hotfixes
Description: Checks for Windows Media Player hotfixes.
Test Properties: Select the hotfixes from the list presented that are required on your network. This list will occasionally change as tests are updated. If needed, select Deep Check to permit endpoint tests to run at the file level. The most secure option is to select the All critical updates option, as this requires all the critical patches that have been released or that will be released by Microsoft.
Windows XP SP2 Hotfixes
Description: This test verifies that the endpoint attempting to connect to your system has the latest Windows XP SP2 hotfixes installed.
Test Properties: Select the hotfixes from the list presented that are required on your network.
Security Settings – OS X
Mac AirPort WEP Enabled
Description: This test verifies that WEP encryption is enabled for AirPort.
Test Properties: There are no properties to set for this test.
How Does this Affect Me?: Wired Equivalent Privacy (WEP) is a wireless network security standard intended to provide a level of security comparable to that of a wired network. WEP has well-known cryptographic weaknesses, so treat this test as a minimum and prefer WPA or WPA2 where your access points and endpoints support it.
Mac AirPort User Prompt
Description: This test verifies that the user is prompted before joining an open network.
Test Properties: There are no properties to set for this test.
How Does this Affect Me?: If you move between different locations, this option prompts you before automatically joining any network.
The following link provides more information on anti-virus software and protecting your computer: http://www.us-cert.gov/cas/tips/ST04-005.html
Mac Bluetooth
Description: This test verifies that Bluetooth is either completely disabled or, if enabled, is not discoverable.
Test Properties: There are no properties to set for this test.
How Does this Affect Me?: Bluetooth is a wireless technology that allows computers and other endpoints (such as mobile phones and personal digital assistants (PDAs)) to communicate.
■ Select the Quarantine access check box and enter a temporary access period. This is the amount of time the endpoint will have access starting from when the endpoint was detected by NAC 800.
■ Enter an Allowed grace period in the Test properties area. This is the...
Security Settings – Windows
The Security settings tests verify that any endpoint attempting to connect to your system meets your specified security settings requirements.
Allowed Networks
Description: Checks for the presence of an unauthorized connection on an endpoint.
■ Low (not recommended). You are not protected from potentially unsafe macros. Use this setting only if you have virus scanning software installed, or you have checked the safety of all documents you open.
How Does this Affect Me?: Macros are simple programs that are used to repeat commands and keystrokes within another program. A macro can be invoked (run) with a simple command that you assign, such as [ctrl]+[shift]+[r]. Some viruses are macro viruses and are hidden within a document.
other files (such as the Normal template) and can potentially infect all of your files. If a user on another computer opens the infected file, the virus can spread to their computer as well.
What Do I Need to Do?: Set the Microsoft Word macro security level as follows: Open Word.
How to change the service startup type: Select Start>>Settings>>Control Panel>>Administrative Tools>>Services. Right-click on a service and select Properties. Select Manual or Disabled from the Startup type drop-down list. Click OK. Close the Services window. Close the Administrative Tools window.
Right-click on a service and select Properties. Select Automatic from the Startup type drop-down list. Click OK. Close the Services window. Close the Administrative Tools window.
Windows Bridge Network Connection
Description: This test verifies that the endpoint attempting to connect to the network does not have a bridged network connection present.
Test Properties: Enter a list of allowed wireless SSIDs that are legitimate for your network. Enter the SSIDs as a comma-delimited list. For example, HomeNet, WorkNet. The following wireless adapters are supported: NetGear, LinkSYS, D-Link.
How Does this Affect Me?: In order to use wireless networks, you must specify the network names to which the wireless endpoints connect.
■ Enable "Accounts: Limit local account use of blank passwords to console logon only"
http://www.microsoft.com/resources/documentation/IIS/6/all/proddocs/en-us/Default.asp?url=/resources/documentation/IIS/6/all/proddocs/en-us/636.asp
What Do I Need to Do?: To select the security policies: Select Start>>Settings>>Control Panel>>Administrative Tools. Double-click Local Security Policy. Double-click Local Policies.
Many worms and viruses are started by a call from the Windows Registry. If you limit what can start up when you log in, you can reduce the potential for worms and viruses to run on your system. The following links provide a description of the Microsoft Windows Registry and the Run keys:
■ ...
What Do I Need to Do?: The following link provides more information on wireless networking: http://www.pcworld.com/article/id,112138/article.html
Software – Windows
The Software tests verify that any endpoint attempting to connect to your system meets your specified software requirements. Installing the most recent version of your software helps protect your system against exploits targeting the latest vulnerabilities.
Test Properties: Select the anti-virus software allowed on your network. Any endpoint that does not have at least one of the anti-virus software packages selected will fail this test.
How Does this Affect Me?: Anti-virus software scans your computer, email, and other files for known viruses, worms, and trojan horses.
Microsoft Office Version Check
Description: This check fetches the version and service pack information of the Microsoft Office software installed.
Test Properties: Select the check box for one or more Microsoft Office packages. Any software package selected that does not have the latest version installed fails the test.
Test Properties: Select the personal firewalls that meet your requirements. Any endpoint that does not have at least one of the personal firewalls selected will fail this test.
How Does this Affect Me?: A firewall is hardware or software that views information as it flows to and from your computer.
Software Required
Description: This test verifies that the endpoint attempting to connect to your system has the required software packages installed.
Test Properties: Enter a list of applications that are required on all connecting endpoints, separated with a carriage return. The format for an application is vendor\software package[\version].
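As an added example, not NAC 800's own implementation, the following Python code parses a list in the vendor\software package[\version] format described above and evaluates it against a constructed endpoint inventory. The guide gives the entry format but not the matching rules, so the example assumes that vendor and package names match case-insensitively and that a version, when present, is a minimum (the installed version must be equal or newer, compared numerically field by field). The required list and the inventory are invented for the example.

```python
#!/usr/bin/env python3
"""Parse a NAC 800 "Software Required" list and check an endpoint against it.

Added example; not NAC 800 product code.  Entry format from the guide:
vendor\\software package[\\version], one entry per line (carriage-return
separated).  Assumed, not stated in the guide: names match case-insensitively
and a version is a minimum rather than an exact match.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Requirement:
    vendor: str
    package: str
    version: Optional[Tuple[int, ...]]   # None means "any version"


def parse_version(text: str) -> Tuple[int, ...]:
    """'11.0.8173' -> (11, 0, 8173); non-numeric fields are rejected."""
    fields = text.strip().split(".")
    if not all(re.fullmatch(r"\d+", f) for f in fields):
        raise ValueError(f"bad version string: {text!r}")
    return tuple(int(f) for f in fields)


def parse_required_list(text: str) -> List[Requirement]:
    """Parse the contents of the Software Required text box.
    Lines may be separated by CR, LF or CRLF; blank lines are ignored."""
    reqs: List[Requirement] = []
    for lineno, raw in enumerate(re.split(r"[\r\n]+", text), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split("\\")
        if len(parts) not in (2, 3) or not all(p.strip() for p in parts):
            raise ValueError(f"line {lineno}: expected vendor\\package[\\version], got {line!r}")
        version = parse_version(parts[2]) if len(parts) == 3 else None
        reqs.append(Requirement(parts[0].strip().lower(), parts[1].strip().lower(), version))
    return reqs


def evaluate(reqs: List[Requirement], inventory: List[Tuple[str, str, str]]) -> Dict[str, bool]:
    """Return {'vendor\\package': passed} for every requirement.
    inventory is a list of (vendor, package, installed_version) tuples."""
    installed: Dict[Tuple[str, str], Tuple[int, ...]] = {
        (v.lower(), p.lower()): parse_version(ver) for v, p, ver in inventory
    }
    results: Dict[str, bool] = {}
    for r in reqs:
        have = installed.get((r.vendor, r.package))
        # Tuple comparison handles differing lengths: (11, 0, 8173) >= (11, 0)
        ok = have is not None and (r.version is None or have >= r.version)
        results[f"{r.vendor}\\{r.package}"] = ok
    return results


# Constructed sample: a required list as typed into the test properties box,
# and a hypothetical endpoint inventory to check it against.
REQUIRED_TEXT = (
    "Symantec\\Norton AntiVirus\r\n"
    "Microsoft\\Office\\11.0\r\n"
    "\r\n"
    "Adobe\\Reader\\8.1.2"
)
INVENTORY = [
    ("Symantec", "Norton AntiVirus", "10.1"),
    ("Microsoft", "Office", "11.0.8173"),
    ("Adobe", "Reader", "7.0.9"),          # older than the required 8.1.2
]

if __name__ == "__main__":
    for name, ok in evaluate(parse_required_list(REQUIRED_TEXT), INVENTORY).items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

The parser rejects malformed lines instead of silently skipping them, so a typo in the text box shows up as an error rather than as a requirement that is never enforced.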
What Do I Need to Do?: Make sure you are running an anti-virus software program, and that it is kept up-to-date.
Important Browser Settings
Chapter Contents
Pop-up Windows
Active Content
Pop-up Windows
The NAC 800 reports capability uses a pop-up window. In order for you to run reports on NAC 800, you must allow pop-up windows from the NAC 800 server.
To allow pop-up windows in IE 6.0 with SP2: IE browser>>Tools>>Pop-up blocker>>Pop-up blocker settings...
Clear the Block Popup Windows check box. Close the Content window.
Internet Explorer (IE) browser’s security settings. This change in settings displays an active content message (figure C-1) at the top of the browser window when you access the NAC 800 help feature.
Figure C-1. Internet Explorer Security Warning Message
To view the NAC 800 online help in IE: Click on the message box to display the options (figure C-2).
IE browser>>Tools>>Internet Options>>Advanced tab
Figure C-4. IE Internet Options, Advanced Tab
In the Internet Options pop-up window, scroll down to the Security section. Select the Allow active content to run in files on my computer check box. Click OK.
This setting relaxes IE's restriction on scripts in HTML files opened from the local disk, not only the NAC 800 help files, so apply it only on the workstation you use to administer NAC 800.
Minimum Font Size
In order to properly display the NAC 800 user interface, do not specify a minimum font size.
To clear the IE minimum font size: IE browser>>Tools>>Internet options>>General tab>>Accessibility button. Make sure all of the check boxes are cleared on this window.
Select the Allow pages to choose their own fonts, instead of my selections above check box. Click OK. Close the Content window.
Page Caching
To set the IE page caching options: Internet Explorer browser>>Tools>>Internet Options. Select the General tab. Click Settings. In the Check for new versions of stored pages area, select the Automatically radio button. Click OK. In the Internet Options dialog box, click the Advanced tab.
Temporary Files
Periodically delete temporary files from your system to improve browser performance.
To delete temporary files in IE: Internet Explorer>>Tools>>Internet Options>>General tab. Click Delete Files. Select the Delete all offline content check box. Click OK. Click OK.
To delete temporary files in Firefox: Firefox menu>>Preferences>>Privacy. In the Private Data area, click Settings. The Clear Private Data window appears. Select the Cache check box. Click OK. Click Clear Now. Close the Privacy window.
Installation and Configuration Check List
Chapter Contents
Minimum System Requirements
Installation Location
Workstation running one of the following browsers with 128-bit encryption:
■ Windows: Mozilla Firefox 1.5 or later; Mozilla 1.7; Internet Explorer 6.0
■ Linux: Mozilla Firefox 1.5 or later; Mozilla 1.7
■ Mac OS X: Mozilla Firefox 1.5 or later
License key: (cut and paste from the email you receive from ProCurve)
Installation Location
My office(s) / Server room(s) / Data center(s) / Test lab(s) / Production network(s)
I have access to the installation site(s) / I do not have access to the installation site(s)
Required fields are indicated by a red asterisk (*).
One of the following:
■ Install CD (Request an install CD from ProCurve Sales if you do not have experience creating a CD from an ISO image.)
■ Upgrade link: (provided to ProCurve subscribers through email)
Passwords
NOTE: This Installation and Configuration Checklist is a list of the items used in NAC 800 including passwords; however, ProCurve recommends as a security best practice that you never write down passwords.
Single-server Installation
Required fields are indicated by a red asterisk (*).
MS server root password: ________
MS Database password:* ________
NAC 800 user interface administrator account name: ________
NAC 800 user interface administrator account password: ________
SMTP server IP address: ________
Enforcement Server 1
Required fields are indicated by a red asterisk (*).
ES server root password: ________
ES Database password:* ________
NAC 800 user interface administrator account name: ________
NAC 800 user interface administrator account password: ________
Enforcement Server 2
Required fields are indicated by a red asterisk (*). Create at least one ES.
Time zone: ________
ES server root password: ________
ES Database password: ________
NAC 800 user interface administrator account name: ________
NAC 800 user interface administrator account password: ________
Proxy Server
Required fields are indicated by a red asterisk (*). If you use a proxy server for Internet connections, these fields are required:...
Agentless Credentials
Required fields are indicated by a red asterisk (*).
The administrator credentials for endpoints on a domain. Set them globally for all clusters, or override them on a per-cluster basis.
All clusters:
Windows domain name: ________
Administrator user ID: ...
Quarantine
Define quarantine methods and settings for all clusters, or on a per-cluster basis.
802.1X
Required fields are indicated by a red asterisk (*).
Quarantine subnets: ________
RADIUS server type (local or remote IAS): ________
Local RADIUS server type end-user authentication method:
Manual: ________
Windows domain: ...
Quarantine area 1 DHCP IP range: ________
Quarantine area 1 quarantined area gateway: ________
Quarantine area 1 domain suffix: ________
Quarantine area 1 corresponding non-quarantined subnets: ________
DHCP quarantine area 2:
Quarantine area 2 quarantined subnet: ________
Quarantine area 2 DHCP IP range: ________
Quarantine area 2 quarantined area gateway: ________
...
Accessible services and endpoints for cluster 2:
Web sites: ________
Hostnames: ________
IP addresses / ports: ________
Networks: ________
Windows domain controller: ________
Accessible services and endpoints for cluster 3:
Web sites: ________
Hostnames: ________
IP addresses / ports: ________
Networks: ________
Windows domain controller: ________
Notifications
Notifications are defined for all clusters or on a per-cluster basis.
All clusters
Send information to: ________
SNMP server IP address: ________
Email information sent from: ________
Cluster 1
Send information to: ________
SNMP server IP address: ________
Email information sent from: ________
Cluster 2
...
Test Exceptions
Exceptions are defined for all clusters or on a per-cluster basis.
All cluster endpoint testing exceptions (endpoints that are whitelisted or blacklisted):
MAC addresses: ________
IP addresses: ________
NetBIOS names: ________
Cluster 1 endpoint testing exceptions (endpoints that are whitelisted or blacklisted):
MAC addresses: ________
IP addresses: ________
NetBIOS names: ________
Ports used in NAC 800
The following table provides information about ports used in NAC 800. Each row lists Port, Parties, Description, and Comments.
Ports used for testing endpoints:
Port: 88 (TCP), 89 (TCP)
Parties: Endpoint to ES
Description: When using agent-based testing, the endpoint must point (using a browser...
Comments: Not configurable
Ports used by the admin user browser:
Port: 443 (TCP)
Parties: Admin user browser to MS
Description: The administration user interface (as opposed to the end user access screens) uses port 443 on the MS for communication.
Comments: Not configurable
Port: (not on this page)
Parties: ...connector to syslog service on the ESs
Description: ...connector, the Infoblox server sends DHCP information to NAC 800 using syslog.
Comments: Configurable by making changes to both of the following:
• Infoblox server
• syslog-ng.conf file on the MS
Port: 61616 (TCP)
(remaining columns of this row are not on this page; see “Allowing NAC 800 Through the Firewall” for the post-connect server)
Port: 389 (TCP), 1025 (TCP), 1026 (TCP), 3268 (TCP)
Description: In DHCP mode, if your domain controller is not situated behind NAC 800, you must configure your router to allow routes from the quarantine area to your domain controller on ports 88, 135-159, 389, 1025, 1026, and 3268.
Ports used for accessible services and endpoints:
Port: Varies
Parties: ES to endpoint
Description: In order to grant access for quarantined endpoints to needed services, add entries to the Accessible services list.
Comments: Configure in the NAC 800 user interface: Home window>>System...
Glossary
NAC policies: In NAC 800, NAC policies consist of individual tests that evaluate endpoints attempting to access the network. These tests assess operating systems, verify that key hotfixes and...
CTA: Cisco Trust Agent
Enforcement cluster: A logical grouping of Enforcement servers.
Enforcement server: When using NAC 800 in a multiple-server installation, the server that is used for enforcement.
ES: Enforcement server
DC: Domain controller – A server that manages and controls the activities (such as user access) in the domain.
DNS: Domain name server – A computer that translates domain names (such as mycompany.com) into IP addresses (such as 216.239.41.99).
HA: High Availability – A multiple-server NAC 800 deployment is mutually supporting. Should one server fail, other nodes within a cluster will automatically provide coverage for the affected network segment.
MAC: Media Access Control – The unique number that identifies a network interface on a physical endpoint. Generally referred to as the MAC address.
Management server: When using NAC 800 in a multiple-server installation, the server that is used for managing ESs.
MS: Management server
multinet: A physical network of two or more logical networks.
subnet: A section of a network that shares part of the IP address of that network.
SUS: Software Update Service
temporary access period: In NAC 800, a temporary period of time where an end-user is allowed access.
VPN: Virtual private network – A secure method of using the Internet to gain access to an organization's network.