Microsoft Corporation. UNIX is a registered trademark of The Open Group. Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer. Hewlett-Packard Company, 8000 Foothills Boulevard, m/s 5551, Roseville, California 95747-5551, http://www.procurve.com...
Contents: Internet Explorer (IE) Local Intranet Security Zone .... B-7; Internet Explorer (IE) Restricted Site Security Zone .... B-8; Internet Explorer (IE) Trusted Sites Security Zone ....
A ProCurve NAC Endpoint Integrity Agent License
■ ProCurve NAC 800 is delivered as a hardware appliance that you install in your network. After NAC 800 is installed in your network, you configure it using a workstation with browser software installed.
This document explains how to configure the appliance based on the usage model you choose to deploy in your network. ProCurve Network Access Controller 800 Users’ Guide – Refer to this document last for information on configuring, monitoring activities, creating NAC policies, and running reports.
(see figure 1-2. System Monitor Window on page 1-7). Endpoint test status area – The Endpoint tests area displays the total number of endpoints that NAC 800 has attempted to test, and what the test status is for each endpoint. Click the number of endpoints to view details.
Figure 1-1. NAC 800 Home Window (callouts: 1. Important status announcements; 2. User name; 3. Top 5 failed tests area; 4. Window actions; 5. Navigation pane; 6. Test status area; 7. Access control status area; 8. Enforcement server status area)...
System Monitor The System monitor window provides the following information: ■ Enforcement cluster name – The Enforcement clusters are listed by name in the order they were created. Click on a cluster name to view cluster details. You must have cluster-editing permissions to view and edit cluster details.
Figure 1-2. System Monitor Window (breadcrumbs for navigation). The following figure shows the legend for the System monitor window icons: Figure 1-3. System Monitor Window Legend...
Overview NAC 800 protects the network by ensuring that endpoints are free from threats and in compliance with the organization's IT security standards. NAC 800 systematically tests endpoints, with or without the use of a client or agent, for compliance with organizational security policies, quarantining non-compliant machines before they damage the network.
Enforcement options – NAC 800 provides multiple enforcement options for quarantining endpoints that do not comply with your security policy (Inline, DHCP, and 802.1X). This enables NAC 800 to enforce compliance across complex, heterogeneous networks. High availability and load balancing – A multi-server NAC 800 deploy- ■...
If you have external Intrusion Detection System/Intrusion Prevention System (IDS/IPS) systems that monitor your network for attacks, you can configure these external systems in NAC 800 so they can request that NAC 800 quarantine an endpoint after it has been connected (post-connect).
NAC 800 passes approximately 9 to 16 kilobytes of total data between a single endpoint and a single NAC 800 server for a single testing session with the High Security NAC policy (approximately 20 tests). It typically takes between 5 and 10 seconds to run all tests in a policy on a 100Mb LAN.
Compliance Enforcement Based on endpoint test results, NAC 800 takes the appropriate action. Endpoints that test compliant with the applied policy are permitted access. Non-compliant endpoints are either quarantined, or are given access for a temporary period.
Targeted Reporting NAC 800 reports provide concise security status information on endpoint compliance and access activity. Specific reports are available for auditors, managers, and IT staff members. For more information, see “Reports” on page 14-1.
Installing third-party software on the NAC 800 server is not supported. If you install additional software on the NAC 800 server, you need to remove it in order to troubleshoot any NAC 800 issues, and it will likely be partially or fully overwritten during NAC 800 release upgrades or patch installs, compromising the third-party software functionality.
If there is no activity for 30 minutes, the configuration window times out and you must log in again.
Caution Paragraph – Cautions notify you of conditions that can cause errors or unexpected results. Example: CAUTION: Do not rename the files or they will not be seen by NAC 800.
Low – You are not protected from potentially unsafe macros. (Not recommended).
■ Indicating document titles – NAC 800 Installation Guide
■ Indicating a variable entry in a command – https://<IP_address>/index.html In this case, you must replace <IP_address> with the actual IP address, such as 10.0.16.99.
Courier font is used in the following cases:
■ Indicating path names – Change the working directory to the following: C:\Program Files\<MyCompany>\ProCurve NAC EI Agent
■ Indicating text; enter exactly as shown – Enter the following URL in the browser address field: https://<IP_address>/index.html In this case, you must replace <IP_address>...
Conventions Used in This Document
■ Indicating a variable section in a *.INI file – [Global] NASList=192.168.200.135
■ Indicating a list in a properties file – Compliance.ObjectManager.DHCPConnectorServers=[192.168.51.130, 192.168.99.1]
Terms Terms are defined in the “Glossary” on page G-1. Example: MAC – Media Access Control...
Example: 10. Copy the /usr/local/nac/properties/NACAVPs.txt file from the NAC 800 server to the ACS server using PSCP (or other secure copy utility). scp is a Linux/UNIX command used to copy files between Linux/UNIX machines.
Copying Files To copy a file from a Windows machine to a Linux machine, enter the following: <pscp directory>\pscp c:\documents\foo.txt fred@example.com:/tmp/foo You will be prompted to enter a password for the Linux/UNIX machine. NOTE: You can either enter the path to the PSCP.EXE file as part of the command, or cd to the directory where you saved the PSCP.EXE file before entering the pscp command.
HTML version. The online help contains the same content as this Users’ guide. When you click a help link from within NAC 800, the help topic opens in a new window, as shown in the following figure: Figure 1-4.
Users’ Guide Online Help ■ Open PDF – Click the Open PDF file link to open the PDF file. TIP: To print the entire document, open and print the PDF file. Selecting the print icon in the HTML version will print only the topic you are viewing. Click anywhere in the Contents pane to navigate through the document.
Introduction Users’ Guide Online Help Online help document>>Shown navigation icon>>Search tab Figure 1-6. Search tab Enter a term in the search box. Click Go. Click on one of the results returned to display it in the right-side pane. Click on the orange arrow to see the contents of the collapsed section of the document.
Overview NAC 800 uses clusters and servers. A "cluster" is a logical grouping of one or more ESs that are managed by one MS. A single-server installation is one where the MS and ES are on one server. The ES is assigned to a Default cluster.
Installation Examples Single-server Installation The simplest installation is where the MS and ES are installed on the same physical server as shown in the following figure: Figure 2-1. Single-server Installation Multiple-server Installations By using at least three servers, one for the MS and two for ESs, you gain the advantage of high availability and load balancing.
Clusters and Servers Installation Examples High availability is where ESs take over for any other ES or servers that become unavailable. Load balancing is where the testing of endpoints is spread evenly over all of the ESs. A three-server installation is shown in the following figure: Figure 2-2.
Clusters and Servers Installation Examples When your network is more complex, you can continue to add clusters as shown in the following figure: Figure 2-3. Multiple-server, Multiple-cluster Installation The system configuration area allows you to select default settings for all clusters, as well as override the default settings on a per-cluster basis.
■ All endpoints are returned to the proper status within 15 minutes after a network recovery (power failure, all endpoints attempting to reconnect, 3000 endpoints per ES)
Default Menu Options Only a system administrator can assign access permissions and access the System configuration window. See Figure 1-1 on page 1-5 for the NAC 800 home window of a user with system administration permissions. If you do not see the System configuration menu option, you do not have system administrator permissions.
System Configuration Introduction
■ Quarantining – “Quarantining, General” on page 3-50
■ Maintenance – “Maintenance” on page 3-105
■ Cluster setting defaults
• Testing Methods – “Testing Methods” on page 3-109
• Accessible services – “Accessible Services” on page 3-112
•...
System Configuration Enforcement Clusters and Servers Enforcement Clusters and Servers The Enforcement clusters & servers menu option (Figure 3-3 on page 3-10) is where you configure Enforcement clusters and servers. You can perform the following tasks: ■ Enforcement clusters • Add, edit, or delete Enforcement clusters •...
Enforcement Clusters Adding an Enforcement Cluster To add an Enforcement cluster: Home window>>System configuration>>Enforcement clusters & servers Figure 3-1. System Configuration, Enforcement Clusters & Servers...
Click Add an Enforcement cluster in the Enforcement clusters & servers area. The Add Enforcement cluster window appears. The General area is displayed by default. Figure 3-2. Add Enforcement Cluster b. Enter a name for the Enforcement cluster in the Cluster name field.
System Configuration Enforcement Clusters The following cluster settings take on default values set from the System configuration window. To set up operating parameters that differ from those default settings, select the menu item of the settings you want to change, then select the For this cluster, override the default settings check box, and make the desired changes.
Viewing Enforcement Cluster Status There are two ways NAC 800 provides Enforcement cluster status: ■ The icons next to the cluster name (see Figure 3-4 on page 3-12) ■ The Enforcement cluster window (see the following steps)...
Deleting Enforcement Clusters NOTE: Enforcement clusters need to be empty before the delete option appears next to the name in the NAC 800 user interface. To delete Enforcement clusters: Home window>>System configuration>>Enforcement clusters & servers Click delete next to the cluster you want to remove. The Delete Enforcement cluster confirmation window appears.
Enforcement Servers Adding an ES To add an ES: Home window>>System configuration>>Enforcement clusters & servers Figure 3-4. System Configuration, Enforcement Clusters & Servers...
System Configuration Enforcement Servers Click Add an Enforcement server in the Enforcement clusters & servers area. The Add Enforcement server window appears. Figure 3-5. Add Enforcement Server Select a cluster from the Cluster drop-down list. Enter the IP address for this ES in the IP address text box. Enter the fully qualified hostname to set on this server in the Host name text box.
System Configuration Enforcement Servers Re-enter the password to set for the root user of the ES server’s operating system in the Re-enter root password text box. Click ok. Cluster and Server Icons To view the cluster and server icons: Home window>>System configuration>>Enforcement clusters & servers Move the mouse over the legend icon.
Click the Configuration menu option to access the Enforcement Server’s settings. The Configuration area is displayed: Figure 3-7. Enforcement Server Edit the following settings:
• ES Network settings – “Changing the ES Network Settings” on page 3-...
•...
DNS IP addresses text box. For example: 10.0.16.100,10.0.1.1 NOTE: The NAC 800 ES's host name must be a fully qualified domain name (FQDN). For example, the FQDN should include the host and the domain name, including the top-level domain.
System Configuration Enforcement Servers Home window>>System configuration>>Enforcement clusters & servers>>Select an ES>>Configuration Select a Region from the Region drop-down list in the Date and time area. Select a time zone from the Time zone drop-down list. Click ok. NOTE: See “Selecting the Time Zone” on page 3-26 for information on changing the time zone settings for the MS.
Viewing ES Status There are two ways NAC 800 provides ES status: ■ The icons next to the server name (see Figure 3-6 on page 3-14) ■ The Status window (see the following steps). The Enforcement server...
Click the server for which you want to view the status. The Enforcement server window appears: Figure 3-8. Enforcement Server, Status Click ok or cancel.
Deleting ESs NOTE: Servers need to be powered down for the delete option to appear next to the name in the NAC 800 user interface. To delete ESs: Home window>>System configuration>>Enforcement clusters & servers Click delete next to the server you want to remove from the cluster. The Delete Enforcement server confirmation window appears.
Management Server Viewing Network Settings To view MS status: Home window>>System configuration>>Management server
Figure 3-9. System Configuration, Management Server
System Configuration Management Server Server status is shown in the Network settings area. Click ok or cancel. Modifying MS Network Settings CAUTION: Back up your system immediately after changing the MS or ES IP address. If you do not back up with the new IP address, and later restore your system, it will restore the previous IP address which can show an ES error condition and cause authentication problems.
NOTE: Select names that are short, easy to remember, have no spaces or underscores, and the first and last character cannot be a dash (-). • Enter a new address in the IP address text field. For example, 192.168.153.35 • Enter a new netmask in the Network mask text field.
Select Automatically receive NTP updates from and enter one or more Network Time Protocol (NTP) servers, separated by commas. The NTP protocol allows NAC 800 to synchronize its date and time with other endpoints on your network. For example, time.nist.gov.
System Configuration Management Server Manually Setting the Time To manually set the time: Home window>>System configuration>>Management server Select Manually set date & time. Click edit. The Date and time window appears: Figure 3-11. Date & Time Select the correct date and time. Click ok.
Enter a comma-separated list of IP addresses or hostnames that can receive the SNMP notifications. Enter the community string used to authorize SNMP notifications from NAC 800. Select one or both of the following: Select the Resend notifications check box and enter the resend interval, for example 60.
To change the inactivity timeout value for upgrades: Command window Log in to the NAC 800 server as root, either using SSH or directly with a keyboard. Enter the following at the command line: setProperty.py -m...
Where: <minutes> is the number of minutes of inactivity NAC 800 will wait before assuming the upgrade failed. For example, 30. The default value is 45.
User Accounts NAC 800 allows you to create multiple user accounts. User accounts provide and limit access to NAC 800 functions based on permissions (user roles) and clusters assigned. See “User Roles” on page 3-38 for more information on setting permissions for the user roles.
Figure 3-12. System Configuration, User Accounts
Click Add a user account. The Add user account window appears: Figure 3-13. Add User Account Enter the following information:
• User ID – The user ID used to log into NAC 800
• Password – The password used to log into NAC 800
•...
• Cluster Administrator
• View-Only User
• System Administrator
• Help Desk Technician
You can select a custom user role if you have created any. NOTE: Users must be assigned at least one role. In the Clusters area, select a cluster or clusters. NOTE: Users must be assigned at least one Enforcement cluster.
• email address
Enter the text to search for in the for field. Click search. TIP: Click reset to clear the text field and to refresh the display to show all accounts after a search. Sorting the User Account Area To sort the user account area: Home window>>System configuration>>User accounts Click the column heading for user id, full name, email address, user roles, or...
System Configuration User Accounts Click copy next to the user account you want to duplicate. The Copy user account window appears. The account information is duplicated from the original account. Figure 3-14. Copy User Account Enter the User ID of the new account. Enter the Password.
System Configuration User Accounts Editing a User Account To edit a user account: Home window>>System configuration>>User accounts Click the name of the user account that you want to edit. The User account window appears: Figure 3-15. User Account Change or enter information in the fields you want to change. See “Adding a User Account”...
Deleting a User Account You must always have at least one account with System Administrator permissions. CAUTION: Do not delete or edit the account with which you are currently accessing the interface. Doing so can produce an error and lock you out of the interface until your session has timed out.
User Roles The User roles menu option allows you to configure the following:
■ View current user roles and details associated with those roles
■ Add a new user role
• Name the new user role
•...
Figure 3-16. System Configuration, User Roles
System Configuration User Roles Click add a user role in the User roles area. The Add user role window appears. Figure 3-17. Add User Role Enter a descriptive name in the Role name field. Enter a description of the role in the Description field. Select the permissions for the user role.
Permission – Description
Generate reports – Allows you to generate reports about any of your assigned clusters
Manage NAC policies – Allows you to manage the NAC policies for all of your clusters
View endpoint activity – Allows you to view details about all endpoints in your clusters
Monitor system status – Allows you to monitor the system status
Control Access...
System Configuration User Roles Click the role you want to edit. The user role window appears: Figure 3-18. User Role Enter the information in the fields you want to change. See “Adding a User Role” on page 3-38 for information on user role settings. Click ok.
Click yes. Sorting the User Roles Area To sort the user roles area: Home window>>System configuration>>User roles Click user role name or description column heading. The selected category sorts in ascending or descending order. Click ok.
License The License menu option allows you to configure the following:
■ View license start and end dates
■ View number of days remaining on license, and associated renewal date
■ View remaining endpoints and servers available under license
■...
Figure 3-19. System Configuration, License Click submit license request. Click ok on the license validated pop-up window.
Test Updates The Test updates menu option allows you to configure the following:
■ View last successful test update date/time
■ Check for test updates (forces an immediate check for test updates)
■ Set time or times for downloading test updates
■...
In the Last successful test update area, click check for test updates. Click ok. NOTE: It is important to check for test updates during the initial configuration of NAC 800. Selecting Test Update Times To select test update times:
By default, NAC 800 checks once every hour using the ProCurve Secure Rule Distribution Center. All times listed are dependent upon the clock setting and time zone of the hardware on which NAC 800 is running. Click ok. Viewing Test Update Logs To view test update logs: Home window>>System configuration>>Test updates...
The Test update log window legend is shown in the following figure: Figure 3-22. Test Update Log Window Legend
Quarantining, General The Quarantining menu option allows you to configure the following by cluster:
■ Select the quarantine method
■ Select the access mode
■ Basic 802.1X settings
■ Authentication settings
■ Add, edit, delete 802.1X devices
■...
Figure 3-23. System Configuration, Quarantining Select a cluster.
• Inline – When using the inline quarantine method, NAC 800 must be placed on the network where all traffic to be quarantined passes through NAC 800. It must be inline with an endpoint like a VPN. Click ok. Selecting the Access Mode To select the access mode: Home window>>System configuration>>Quarantining...
System Configuration Quarantining, 802.1X Quarantining, 802.1X The 802.1X quarantine (enforcement) method is enabled by default. To select the 802.1X quarantine method: Home window>>System configuration>>Quarantining Select a cluster. In the Quarantine method area, select the 802.1X radio button. Click ok. Entering Basic 802.1X Settings To enter basic 802.1X settings: Home window>>System configuration>>Quarantining>>802.1X quarantine method radio button...
Select an End-user authentication method:
• Manual – RADIUS server authentication settings are configured manually from the command line. See “Enabling NAC 800 for 802.1X” on page 11-39 for configuration information.
• Windows domain – Authentication requests are handled by a Windows...
Select Windows domain from the End-user authentication method drop-down list. Figure 3-24. System Configuration, Windows Domain
System Configuration Quarantining, 802.1X Enter the Fully Qualified Domain Name (FQDN) of the domain to be joined in the Domain name text field. Enter the user name of an account with sufficient administrative rights to join an ES to the domain in the Administrator user name text field. Enter the password of the account entered into the Administrator user name field in the Administrator password text field.
Select OpenLDAP from the End-user authentication method drop-down list. Figure 3-25. System Configuration, OpenLDAP
System Configuration Quarantining, 802.1X Enter the LDAP server hostname or IP address and optional port number in the Server text field. For example: 10.0.1.2:636 Enter the DN under which LDAP searches should be done in the Identity text field. For example: cn=admin,o=My Org,c=UA Enter the password that authenticates the DN entered into the Identity text field in the Password text field.
Configuring Novell eDirectory Settings To configure Novell eDirectory settings: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Local radio button
Select Novell eDirectory from the End-user authentication type drop-down list. Figure 3-26. System Configuration Window, RADIUS, Novell eDirectory
System Configuration Quarantining, 802.1X Enter the LDAP server hostname or IP address and optional port number in the Server text field. For example: 10.0.1.2:636 Enter the Distinguished Name (DN) under which LDAP searches should be done in the Identity text field. For example: cn=admin,o=My Org,c=UA Enter the password that authenticates the DN entered into the Identity text field in the Password text field.
System Configuration Quarantining, 802.1X 11. Click ok. Adding 802.1X Devices To add an 802.1X device: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device Figure 3-27. Add 802.1X Device Enter the IP address of the 802.1X device in the IP address text field. Enter a shared secret in the Shared secret text field.
• HP ProCurve WESM – See “HP ProCurve WESM xl or HP ProCurve WESM zl” on page 3-81.
• HP ProCurve 420/530 AP – See “HP ProCurve 420 AP or HP ProCurve 530 AP” on page 3-84.
• Nortel – See “Nortel” on page 3-86.
•...
Figure 3-28. Add 802.1X Device, Test Connection Area Option 1 Figure 3-29. Add 802.1X Device, Test Connection Area Option 2 For ProCurve, Nortel, and Other switches (Figure 3-28): Select the Method to execute the re-authentication command in test: –...
NOTE: You must enter the port, the MAC address, or both, depending on the re-authentication OID. Click test connection to this device. Cisco IOS To add a Cisco IOS device: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
System Configuration Quarantining, 802.1X Figure 3-30. Add Cisco IOS Device Enter the IP address of the Cisco IOS device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
System Configuration Quarantining, 802.1X Enter the Password with which to log into the device's console. Re-enter the console password. 10. Enter the Cisco port mask in the text field. This specifies which characters within the endpoint identifier returned by the Cisco device contain the bank and port information of the endpoint.
System Configuration Quarantining, 802.1X Figure 3-31. Add Cisco CatOS Device Enter the IP address of the Cisco CatOS device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
If you have your CatOS switch configured to run in enable mode with a user name, the expect script supplied with NAC 800 will not run “out of the box.” Workaround: Do not use a user name with your switch, or modify the expect script in the console to include the user name.
System Configuration Quarantining, 802.1X Click edit next to an 802.1X device. (You can also perform these steps while you are adding an 802.1X device.) Click the plus sign next to Show scripts. Add the correct expect script syntax to the text box for enable mode user name.
System Configuration Quarantining, 802.1X Figure 3-32. Add Enterasys Device Enter the IP address of the Enterasys device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
Re-enter the console password. 10. Enter the Reconnect idle time. This is the amount of time in milliseconds that a Telnet/SSH console can remain idle or unused before it is reset. 11. Select the Show scripts plus symbol to show the following scripts: Initialization script –...
System Configuration Quarantining, 802.1X Figure 3-33. Add ExtremeWare Device Enter the IP address of the ExtremeWare device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
System Configuration Quarantining, 802.1X Re-enter the console password. 10. Enter the Reconnect idle time. This is the amount of time in milliseconds that a Telnet/SSH console can remain idle or unused before it is reset. 11. Select the Show scripts plus symbol to show the following scripts: Initialization script –...
System Configuration Quarantining, 802.1X Figure 3-34. Add Extreme XOS Device Enter the IP address of the Extreme XOS device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
System Configuration Quarantining, 802.1X Enter the Reconnect idle time. This is the amount of time in milliseconds that a Telnet/SSH console can remain idle or unused before it is reset. 10. Select the Show scripts plus symbol to show the following scripts: •...
System Configuration Quarantining, 802.1X Figure 3-35. Add Foundry Device Enter the IP address of the Foundry device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
Exit script – The expect script used to exit the console. 14. Click ok. TIP: Click revert to defaults to restore the default settings. HP ProCurve Switch To add an HP ProCurve switch: Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Quarantining, 802.1X Figure 3-36. Add HP ProCurve Device Enter the IP address of the HP ProCurve device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
b. Enter the Password used to log into this device's console.
c. To help confirm accuracy, type the same password you entered into the Password field in the Re-enter Password field.
d. Enter the Enable mode user name that is used to enter enable mode on this device.
Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field. TIP: Click revert to defaults to restore the default settings. HP ProCurve WESM xl or HP ProCurve WESM zl To add an HP ProCurve WESM xl or zl device: Home window>>System configuration>>Quarantining>>802.1X Quarantine...
Quarantining, 802.1X Figure 3-37. Add HP ProCurve WESM xl/zl Device Enter the IP address of the HP ProCurve WESM device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
MAC address of the endpoint to be re-authenticated. NOTE: Figure 3-37. Add HP ProCurve WESM xl/zl Device on page 82 shows an example for WESM zl. Select the type of the re-authentication OID from the OID type drop-down list: •...
802.1X device Figure 3-38. Add HP ProCurve 420/530 AP Device Enter the IP address of the HP ProCurve AP or HP ProCurve 530 AP device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
Enter an alias for this device that appears in log files in the Short name text field. Select ProCurve 420 AP or ProCurve 530 AP from the Device type drop-down list. Enter the Community string used to authorize writes to SNMP objects.
– HEX STRING
– DECIMAL STRING
– BITS
– NULLOBJ
Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field.
TIP: Click revert to defaults to restore the default settings.

Nortel
To add a Nortel device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine...

Figure 3-39. Add Nortel Device

Enter the IP address of the Nortel device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
Re-enter the console password.
10. Enter the Enable mode user name.
11. Enter the password with which to enter enable mode.
12. Re-enter the enable mode password.
13. Enter the Reconnect idle time. This is the amount of time in milliseconds that a Telnet/SSH console can remain idle or unused before it is reset.
Figure 3-40. Add Other Device

Enter the IP address of the new device in the IP address text field. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server. Re-enter the shared secret in the Re-enter shared secret text field.
Enter the Reconnect idle time. This is the amount of time in milliseconds that a Telnet/SSH console can remain idle or unused before it is reset.
10. Select the Show scripts plus symbol to show the following scripts:
NOTE: You must enter the script contents yourself for the 802.1X device you are adding.

System Configuration: Quarantining, DHCP

To select the DHCP quarantine method:
Home window>>System configuration>>Quarantining
Select a cluster. In the Quarantine method area, select the DHCP radio button. Click ok.

DHCP Server Configuration
Inline DHCP server is selected by default. If you want to use the DHCP plug-in, which allows you to use multiple DHCP servers, see the instructions in “DHCP Plug-in”...
Figure 3-41. System Configuration, Quarantining, DHCP Enforcement

Inline DHCP server is selected by default. If you wish to use multiple DHCP servers, see the instructions in “DHCP Plug-in” on page 13-1. Select one of the following radio buttons:
• Enforce DHCP requests from all IP addresses –...
• Restrict enforcement of DHCP requests to quarantine and non-quarantine subnets – Specify individual DHCP relay agent IP addresses, separated by carriage returns, in the DHCP relay IP addresses to enforce text box. These addresses must be a subset of either the quarantined or non-quarantined subnets.
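As an added illustration of the subset rule above (this is not code from the guide or from ProCurve), the following Python check parses the carriage-return separated subnet and relay entries, reports any relay address that falls outside both subnet sets, and also flags quarantined and non-quarantined subnets that overlap; every address and subnet in it is a constructed sample value.

```python
"""Check a DHCP enforcement configuration against the rule stated in the guide:
relay agent IP addresses (one per line) must be a subset of either the
quarantined or the non-quarantined subnets.

Added example, not ProCurve code. The subnets and relay addresses used in the
demonstration at the bottom are constructed sample values."""
import ipaddress


def _lines(text):
    """Split a text-box value on carriage returns and/or newlines."""
    return [ln.strip() for ln in text.replace("\r", "\n").split("\n") if ln.strip()]


def parse_subnets(text):
    """Parse CIDR entries such as '10.10.0.0/24'; strict=True rejects host bits set."""
    return [ipaddress.ip_network(ln, strict=True) for ln in _lines(text)]


def overlapping_subnets(quarantined, non_quarantined):
    """Pairs of quarantined/non-quarantined subnets that overlap. An endpoint in
    such a range could be treated as both, so the configuration should reject it."""
    return [(str(q), str(n))
            for q in parse_subnets(quarantined)
            for n in parse_subnets(non_quarantined)
            if q.overlaps(n)]


def classify_relays(relay_text, quarantined, non_quarantined):
    """Return (accepted, rejected).

    accepted: (ip, which subnet set it falls in)
    rejected: (entry, reason) for malformed entries or addresses outside both sets
    """
    q_nets = parse_subnets(quarantined)
    nq_nets = parse_subnets(non_quarantined)
    accepted, rejected = [], []
    for entry in _lines(relay_text):
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            rejected.append((entry, "not an IP address"))
            continue
        if any(ip in net for net in q_nets):
            accepted.append((str(ip), "quarantined"))
        elif any(ip in net for net in nq_nets):
            accepted.append((str(ip), "non-quarantined"))
        else:
            rejected.append((str(ip), "outside both subnet sets"))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample configuration, as it would be typed into the text boxes.
    QUARANTINED = "10.10.0.0/24\r\n10.10.1.0/24"
    NON_QUARANTINED = "192.168.40.0/24"
    RELAYS = "10.10.0.1\r\n192.168.40.15\r\n172.16.0.1\r\nnot-an-ip"
    print("overlaps:", overlapping_subnets(QUARANTINED, NON_QUARANTINED))
    ok, bad = classify_relays(RELAYS, QUARANTINED, NON_QUARANTINED)
    print("accepted:", ok)
    print("rejected:", bad)
```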
Click add a quarantine area. The Add quarantine area window appears.

Figure 3-42. Add a Quarantine Area

In the Add quarantine area window, enter the following information:
• Quarantined subnet – The CIDR network that represents the IP space...
DHCP settings with no gateway and a netmask of 255.255.255.255. Static routes and a Web proxy server built into NAC 800 allow the endpoint access to specific networks, IP addresses, and Web sites. These networks, IP addresses, and Web sites are configured in the accessible endpoint list setting (System Configuration>>Accessible Services).
• non-quarantine subnets
• domain suffix d (indicates the quarantine option selected in step 3 on page 3-94)
• The DHCP quarantine area sorts by the column name clicked.

Editing a DHCP Quarantine Area
To edit a DHCP quarantine area:
Home window>>System configuration>>Quarantining>>DHCP radio button
Click edit next to the quarantine area you want to edit.
Click delete next to the quarantine area you want to remove. The Delete quarantine area confirmation window appears. Click yes.

System Configuration: Quarantining, Inline

To select the Inline quarantine method:
Home window>>System configuration>>Quarantining
Select a cluster. In the Quarantine method area, select the Inline radio button. Click ok.

To open the firewall for your post-connect service:
Command line window
Log in to the NAC 800 MS as root using SSH or directly with a keyboard. Enter the following command at the command prompt:

    iptables -I INPUT -s <host> -m tcp -p tcp --dport 61616 -j ACCEPT

Where <host>...
“Launching Post-connect Systems” on page 3-102.

Setting NAC 800 Properties
Most NAC 800 properties are set by default. To change or set properties, you must change the properties as described in “Changing Properties” on page 15-
You must set the following properties for NAC 800 to communicate with your external post-connect server (see “Configuring the Post-...
URL from the NAC 800 Post-connect window. For example, https://192.168.40.15/index.jsp.
Select the Automatically log into service check box to log into the post-connect service automatically when it is launched by clicking the post-connect service name on the NAC 800 Post-connect window (Home>>Post-connect).
Click ok to save your changes and return to the Home window.

Launching Post-connect Systems
After you have configured a post-connect system, you must launch it before NAC 800 can communicate with it. To launch a post-connect system:
Home>>Post-connect

Figure 3-46. Post-connect Launch Window

Click on the post-connect system name.

Post-connect in the Endpoint Activity Window
When an external service requests that an endpoint be quarantined, it sends the request to NAC 800, which quarantines the endpoint based on the hierarchy rules described in “Endpoint Quarantine Precedence” on page 7-2.
Copy the logo and icon files to the following directory on the NAC 800 MS (see “Copying Files” on page 1-20):
/usr/local/nac/webapps/ROOT/images
Log in to the NAC 800 MS as root using SSH or directly with a keyboard. Modify the following properties in the nac-ms.properties file (see “Changing Properties” on page 15-12):
Compliance.PostConnect.Agents.<PRODUCTID>.Logo=<Logo...

System Configuration: Maintenance

The Maintenance window allows you to back up the MS database, properties files, keystore files, and subscription files in a file with the following name:
backup-<year-month-day>Thh-mm-ss.tar.bz2
where:
■ year is the year the system was backed up = 2007
...
Figure 3-48. System Configuration, Maintenance

Click begin backup now in the Backup area. The Operation in progress confirmation window appears. Depending on your browser settings, a pop-up window may appear asking if you want to save or open the file. Select Save to disk and click OK.
NOTE: A system backup does not work using Internet Explorer 7 as a browser window.
See “Restoring from Backup” on page 15-15 for information about restoring from a backup file.
TIP: If you are using Backup and Restore to move configuration files from one physical server to another, you must have the same version of NAC 800 installed on both servers.
Downloading Support Packages Support packages are useful when debugging your system with ProCurve Networking by HP. If a support package is necessary, ProCurve Networking by HP will instruct you to generate one and will provide instructions on how to upload the generated package (a TAR file).
System Configuration: Cluster Setting Defaults

The following sections describe how to globally set the default settings for all clusters. For information on overriding the default settings for a specific cluster, see “Enforcement Clusters and Servers” on page 3-6.

Testing Methods
The Testing methods menu option allows you to configure the following:
Select testing methods...
Agentless – This test method uses an existing Windows service (RPC).
Click ok.

Ordering Test Methods
The NAC 800 backend attempts to test an endpoint transparently in the following order:
NAC 800 tries to test with the agent-based test method.
If no agent is available, NAC 800 tries to test with the ActiveX test method.
If ActiveX is not available and if credentials for the endpoint or domain exist, NAC 800 tries to test with the agentless test method.
Windows endpoints on your Windows domain are tested automatically when you specify the domain admin credentials in the System configuration>>Agentless credentials>>Add administrator credentials window. The agent-based test method is recommended for any environment where enforcement is enabled on Windows Vista endpoints.
Figure 3-51. System Configuration, Accessible Services

Enter one or more Web sites, host names, IP addresses, ports, endpoints, or networks that are accessible to connecting endpoints when they fail their compliance tests. You can enter these endpoints and services in the following formats, separated by a carriage return.
You do not need to enter the IP address of the NAC 800 server here. If you do, it can cause redirection problems when end-users try to connect. You do need to add any update server names, such as the ones that provide anti-virus and software updates.

Exceptions
The Exceptions menu option allows you to define the following:
■ The endpoints and domains that are always allowed access (whitelist)
■ The endpoints and domains that are always quarantined (blacklist)

Always Granting Access to Endpoints and Domains
To always grant access to endpoints and domains:
Home window>>System configuration>>Exceptions

Figure 3-52.
To always quarantine domains when testing, in the Blacklist area, enter the domains. TIP: In DHCP mode, the NAC 800 firewall quarantines based on MAC address (everything entered must be translated to the corresponding endpoint's MAC address). This translation occurs each time activity from the endpoint is detected.
Figure 3-53. System Configuration, Notifications

To send email notifications, you must provide NAC 800 with the IP address of a Simple Mail Transfer Protocol (SMTP) email server. This SMTP email server must allow SMTP messages from the NAC 800 machine. Use the following steps to configure the SMTP email server function:
Select the radio button next to Send email notifications.
To disable email notifications:
Home window>>System configuration
Select a cluster. The Enforcement cluster window appears. Select the Notifications menu item. Select the For this cluster, override the default settings check box. Select Do not send email notifications. Click ok.
Enter the customization information: Organization logo image – Enter a path to your organization’s logo, or click Browse to select a file on your network. ProCurve recommends you place your logo here to help end-users feel secure about having their computers tested.
This URL points to port 89 on the NAC 800 ES (the default end-user screen that shows the test failed results), and is where the user is directed to when they click the Get details button on the new pop-up window.
You can verify your changes to the end-user access screens immediately by pointing a browser window to port 88 of your NAC 800 installation. For example, if the IP address of your NAC 800 installation is 10.0.16.18, point the browser window to: http://10.0.16.18:88...
Figure 3-55. System Configuration, Agentless Credentials

Click Add administrator credentials. The Add Windows administrator credentials window appears:

Figure 3-56. Agentless Credentials, Add Windows Administrator Credentials

In the Add Windows administrator credentials window, enter the following:
• Windows domain name – Enter the domain name of the Windows...
NOTE: NAC 800 saves authentication information encrypted on the NAC 800 server. When a user connects with the same browser, NAC 800 looks up this information and uses it for testing.
TIP: When using the Windows administrator account connection method, NAC 800 performs some user-based tests with the administrator account's user registry settings, rather than those of the actual user logged into the endpoint.
Click yes.

Sorting the Windows Credentials Area
To sort the Windows credentials area:
Home window>>System configuration>>Agentless credentials
Sort the Windows administrator credentials by clicking on a column heading. Click ok.

System Configuration: Logging

Setting ES Logging Levels
You can configure the amount of diagnostic information written to log files, ranging from error (error-level messages only) to trace (everything). To set ES logging levels:
Home window>>System configuration>>Logging

Figure 3-57. System Configuration, Logging Option

To configure the amount of diagnostic information written to log files, select a logging level from the Enforcement servers drop-down list:
•...
• info – Log info-level and above messages only
• debug – Log debug-level and above messages only
• trace – Log everything
CAUTION: Setting the log level to trace may adversely affect performance.
Click ok.

Setting 802.1X Devices Logging Levels
You can configure the amount of diagnostic information written to log files related to 802.1X re-authentication, ranging from error (error-level messages only) to trace (everything).
To configure the amount of diagnostic information written to log files related to IDM, select a logging level from the IDM drop-down list:
• error – log error-level messages only
• warn – log warning-level messages only
•...
Enter a number of seconds in the Agent connection timeout period text field. The agent connection timeout period is the time in seconds that NAC 800 waits on a connection to the agent. Use a larger number for systems with network latency issues.
Enter a number of seconds in the Agent read timeout period text field. The agent read time is the time in seconds that NAC 800 waits on an agent read. Use a larger number for systems with network latency issues.
Endpoint Activity: Overview

Use the Endpoint activity window to monitor end-user connection activity.
Home window>>Endpoint activity
The Endpoint activity window has the following sections:
■ Endpoint selection area – The left column of the window provides links that allow you to quickly filter the results area by Access control status or Endpoint test status.

Figure 4-1. Endpoint Activity, All Endpoints Area (callouts: 1. Endpoint selection area; 2. Search criteria area; 3. Search results area)

Filtering the Endpoint Activity Window
You can modify the results shown in the Endpoint activity window to include activity for the following:
■ Access control status
■ Endpoint test status
■ Cluster
■ NetBIOS name
■ IP address
■...
Select a method for filtering the results window, by a specific access control status or endpoint status, as shown in the following figure:

Figure 4-2. Endpoint Activity, Menu Options

NOTE: This part of the window reflects the total number of endpoints in the network at the current time.
To filter the disconnected endpoints by time:
Home window>>Endpoint Activity

Figure 4-3. Timeframe Drop-down List

Select Disconnected in the Access control status area. Select one of the options from the Timeframe drop-down list. Click search.
Select a number from the drop-down list. The results area updates to show only the number of endpoints selected, with page navigation breadcrumbs.

Searching
To search the Endpoint activity window:
Home window>>Endpoint activity>>Search criteria area

Figure 4-5.
To refresh the Endpoint activity window to show all endpoint activity, click reset.
TIP: The search box is not case-sensitive. Searching matches entire words. You must enter wildcard characters (*) to match substrings. For example, 192.168.*.
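The search rule in the TIP above (case-insensitive, whole words only, * as the wildcard) is easy to get wrong when filtering by IP address, so here is an added Python model of it (not NAC 800 code); the endpoint records are constructed sample data, and the "word" boundary is assumed to be whitespace between fields.

```python
"""Model of the Endpoint activity search rule described in the guide:
case-insensitive, whole-word matching, '*' as the only wildcard.

Added example, not NAC 800 code. The endpoint records below are constructed
sample data, not output from a real appliance."""
import re

# Constructed sample endpoints (NetBIOS name, IP address, cluster, test status).
RECORDS = [
    {"netbios": "LAB-PC01", "ip": "192.168.10.5", "cluster": "Engineering", "status": "Passed"},
    {"netbios": "LAB-PC02", "ip": "192.168.10.6", "cluster": "Engineering", "status": "Failed"},
    {"netbios": "TRN-LAPTOP", "ip": "10.0.16.18", "cluster": "Training", "status": "Quarantined"},
]


def compile_term(term):
    """Turn a search term into a regex: '*' matches any run of characters,
    everything else is literal, and the comparison is case-insensitive.
    Returns None for an empty term so that it matches nothing."""
    term = term.strip()
    if not term:
        return None
    pattern = ".*".join(re.escape(part) for part in term.split("*"))
    return re.compile(pattern, re.IGNORECASE)


def term_matches(term, text):
    """True if the term matches a whole word of text. Words are the
    whitespace-separated tokens (an assumption of this model), so '192.168'
    does not match '192.168.10.5' but '192.168.*' does."""
    regex = compile_term(term)
    if regex is None:
        return False
    return any(regex.fullmatch(word) for word in text.split())


def search(records, term):
    """Return the NetBIOS names of records where any field matches the term."""
    return [r["netbios"] for r in records
            if any(term_matches(term, value) for value in r.values())]


if __name__ == "__main__":
    for term in ("192.168", "192.168.*", "lab-pc01", "quarantine", "quarantine*"):
        print(f"{term!r:16} -> {search(RECORDS, term)}")
```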
Endpoint Activity: Access Control States

NAC 800 provides on-going feedback on the access status of endpoints in the Endpoint activity window as follows:
TIP: To view access status, see “Viewing Endpoint Access Status” on page 4-16.
■...

Endpoint Test Status
NAC 800 provides on-going feedback on the test status of endpoints in the left pane of the Endpoint activity window as follows:
TIP: To view access status, see “Viewing Endpoint Access Status” on page 4-16.
■ Testing (agentless test) – NAC 800 shows this status briefly while the agentless test is being performed.
■ Passed – NAC 800 shows this status after the endpoint has passed the test and is connected to the network.
■...
■ Installation failed – NAC 800 shows this status when the agent cannot be installed. This is likely due to permission problems on the endpoint.
■ Agent not active – NAC 800 shows this status when an endpoint that was previously running the agent is no longer running the agent. This is likely due to a firewall being turned on.
... routing issue which is not allowing the endpoint to reach the necessary servers on the network. Also, if NAC 800 is inline with the domain controller, you might need to open up the appropriate ports (135 through 138, 445, 389, 1029) in the NAC 800 accessible endpoints configuration for your domain controller IP address.
Endpoint Activity: Enforcement Cluster Access Mode

The access mode of each cluster can be one of the following:
■ normal – Endpoints are tested and allowed access or quarantined based on policies, exceptions, and administrator overrides.
■...
the endpoint is allowed access because of the change to allow all mode; however, when the mode is changed back to normal, the endpoint will again be quarantined for the reason listed.

Figure 4-10. Failed Endpoint Allow All Mode Mouse Over

Viewing Endpoint Access Status
To view access status for an endpoint:
Home window>>Endpoint activity window
Locate the endpoint you are interested in. The first column is the selection column, the second column is the Endpoint test status column, and the third column is the Access control status column.
NOTE: If an endpoint is seen by two different clusters simultaneously, the endpoint state can get lost. This could happen, for example, if you had a Training cluster and an Engineering cluster and an endpoint that was connected in the Engineering cluster also attempted to connect by way of the Training cluster.

Selecting Endpoints to Act on
To select endpoints to act on:
Home window>>Endpoint activity
Click a box or boxes in the first column to select the endpoints of interest.
TIP: Click the box at the top of the column to select all of the endpoints.

Acting on Selected Endpoints
Once you have filtered the Endpoint activity window and selected which endpoints to take action on, you can perform the following actions:
■ Retest an endpoint (“Manually Retest an Endpoint” on page 4-19)
■...
NOTE: If an endpoint that has been granted or denied access temporarily by the administrator disconnects, the next time the endpoint attempts to connect it will be retested; the previous temporary status no longer applies.

Immediately Quarantine an Endpoint
To immediately quarantine an endpoint:
Home window>>Endpoint activity...

Viewing Endpoint Information
To view information about an endpoint:
Home window>>Endpoint activity
Click on an endpoint name to view the Endpoint window:

Figure 4-12. Endpoint, General Option
Click Test results to view the details of the test:

Figure 4-13. Endpoint Activity, Endpoint Test Results Option

TIP: Click on any underlined link (for example, change access) to make changes such as changing access or test credentials.

Troubleshooting Quarantined Endpoints
The following table describes the various components that affect an endpoint attempting to access the network:
DHCP mode (enforcement)
DHCP server (NAC 800) gives the enforcement endpoint:
• Quarantine range IP address (*)
• 255.255.255.255 netmask (effectively ...
DHCP server (NAC 800) also sends:
• A static route to the NAC 800 server IP via a gateway (*)
• Static routes to any IP addresses ...

DHCP mode (NAC 800 accessible devices / Network)
DHCP server (NAC 800) gives the enforcement endpoint:
• Quarantine range IP address
• ...
NAC 800 (fake root) DNS – As in endpoint enforcement (for access to names in Accessible services). The DNS server forwards requests for ...

VPN users can only get through iptables by becoming compliant with a NAC 800 policy, after which a hole is opened for their VPN IP address.
Accessible services – The names listed in Accessible services are not used.
NOTE: In this configuration, the user has ...

• Appropriate default gateway
• NAC 800 server's IP as DNS server (will resolve everything except Accessible services ...
... following specific traffic:
• Quarantine --> NAC 800 (OK)
• Production -?-> Quarantine
End-user Access: Overview

End-users can connect to your network from a number of different types of computers (see “Endpoints Supported” on page 5-5), be tested for compliance based on your definitions in the standard (high, medium, or low security) or custom NAC policies (see “NAC Policies”...
Agent Callback The Agent Callback to NAC 800 feature allows the NAC 800 agent to inform the ES that an endpoint is now active on the network and available to be tested. This feature allows faster detection of endpoints in a network utilizing static IP addresses.
Test Methods Used
■ _naces1
■ _naces2
If no contact can be made, try the following A names:
NOTE: The endpoint's DNS suffix must be correctly configured for your domain for the Agent Callback feature to work correctly.
■...

Endpoints Supported
This NAC 800 release supports the following:
■ Agent-based testing
• Windows 2000
• Windows Server (2000, 2003)
• Windows XP Professional
• Windows XP Home
• Mac OS (version 10.3.7 or later)
•...
NOTE: Other operating system support (for example Linux) will be included in future releases. Windows ME and Windows 95 are not supported in this release.
TIP: If the end-user switches the Windows view while connected, such as from Classic view to Guest view, the change may not be immediate due to the way sessions are cached.

Browser Version
The browser that should be used by the endpoint is based on the test method as follows:
■ ActiveX test method – Microsoft Internet Explorer (IE) version 6.0 or later.
■ Agentless test methods – IE, Firefox, or Mozilla.
...
NAC 800 server using the centralized policy. If the Domain Group Policy is not used for Windows endpoints, the appropriate ports are opened during the agent installation process by the NAC 800 installer.

Unmanaged Endpoints
For unmanaged endpoints, the NAC Agent and the ActiveX control test methods automatically open the necessary ports for testing.
You might need to configure some firewalls and routers to allow NAC 800 to access port 1500 for agent-based testing. TIP: See “Ports used in NAC 800” on page E-1 for a complete description of the ports used in NAC 800. Windows Vista Settings All Windows Vista endpoints must have administrator permissions in order for the agent to install successfully.
See the following link for details on UAC:
http://technet2.microsoft.com/WindowsVista/en/library/0d75f774-8514-4c9e-ac08-4c21f5c6c2d91033.mspx?mfr=true

Agentless Test Method
This section describes the settings you need to make on Windows 2000, Windows XP, and Windows Vista when using the Agentless test method.

Configuring Windows 2000 Professional for Agentless Testing
The agentless test method requires file and printer sharing to be enabled.
On the General tab, in the Components checked are used by this connection area, verify that File and Printer sharing is listed and that the check box is selected. Click OK.

Configuring Windows XP Professional for Agentless Testing
The agentless test method requires file and printer sharing to be enabled.
■ To configure File and Printer Sharing for Microsoft Networks – http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/howto_config_fileandprintsharing.mspx
■ To add a network component – http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/howto_config_fileandprintsharing.mspx

Configuring Windows Vista for Agentless Testing
In order for a Windows Vista endpoint to be tested agentlessly, you must configure the following:
■...
Click Start>>Welcome Center. The Welcome Center window appears:

Figure 5-3. Windows Vista, Welcome Center
Double-click View computer details. The Control Panel>System and Maintenance>System window appears.

Figure 5-4. Windows Vista, System

Click Change settings.
Click Continue if the User Account Control window appears. The System Properties window appears.

Figure 5-5. Windows Vista, System Properties

Select the Computer Name tab.
Click Change. The Computer Name/Domain Changes window appears.

Figure 5-6. Windows Vista, Computer Name/Domain Changes

Select the Member of Domain radio button. Enter the domain name in the text box.
Windows Vista endpoints are not tested until they are logged in to the domain.

Ports Used for Testing
You might need to configure some firewalls and routers to allow NAC 800 to access the following ports for agentless testing:
■...
TIP: See “Ports used in NAC 800” on page E-1 for a complete description of the ports used in NAC 800.

Allowing the Windows RPC Service through the Firewall
If end-users enable the XP SP2 Professional firewall, they need to change the configuration to allow the agentless testing.
Enter the NAC 800 Server IP address and the 255.255.255.0 mask. Click OK.
Select UDP 137.
10. Click Change Scope.
11. Select Custom List.
12. Enter the NAC 800 Server IP address and the 255.255.255.0 mask.
13. Click OK.
You might need to configure some firewalls and routers to allow NAC 800 to access port 1500 for ActiveX testing.
TIP: See “Ports used in NAC 800” on page E-1 for a complete description of the ports used in NAC 800.

Windows Vista Settings
All Windows Vista endpoints must have administrator permissions in order for the ActiveX component to install successfully.
See the following link for details on UAC:
http://technet2.microsoft.com/WindowsVista/en/library/0d75f774-8514-4c9e-ac08-4c21f5c6c2d91033.mspx?mfr=true
You might need to configure some firewalls and routers to allow NAC 800 to access port 1500 for agent-based testing.
TIP: See “Ports used in NAC 800” on page E-1 for a complete description of the ports used in NAC 800.

Allowing NAC 800 through the OS X Firewall
To verify that NAC 800 can test the end-user through the end-user’s firewall:...
End-user Access: Mac OS X Endpoint Settings

Figure 5-8. Mac System Preferences
Select the Sharing icon. The Sharing window opens.

Figure 5-9. Mac Sharing

Select the Firewall tab. The firewall settings must be one of the following:
•...
• On with the following:
– OS X NAC Agent check box selected
–...
To change the port:
Mac endpoint>>Apple Menu>>System Preferences>>Sharing icon>>Firewall
Select OS X NAC Agent. Click Edit. The port configuration window appears:

Figure 5-10. Mac Ports

Enter 1500 in the Port Number, Range or Series text field. Click OK.
Your updated templates are preserved. CAUTION: Do not rename the files or they will not be seen by NAC 800. End-users begin the login process by opening their browser. If their home page is defined on the Accessible services window, they are allowed to access that page.
End-user Access: End-user Access Windows

Opening Window
When the end-user directs their browser to go to a location that is not listed in the Accessible services and endpoints list, the testing option window appears:

Figure 5-11. End-user Opening Window

The end-users select Get connected. One of the following windows appears, depending on which test method and order is specified in the System configuration>>Testing methods window:
■...

Windows NAC Agent Test Windows
Automatically Installing the Windows Agent
When the test method used is NAC Agent test, the first time the user attempts to connect, the agent installation process should begin automatically, and the installing window appears:

Figure 5-12.
If Active Content is disabled in the browser, the following error window appears:

Figure 5-13. End-user Agent Installation Failed

TIP: To enable active content, see “Active Content” on page C-4.
If this is the first time the end-user has selected NAC Agent test, a security acceptance window appears.
Once the user has accepted the digital signature, the agent installation begins. The user must click Next to start the agent installation:

Figure 5-14. End-user Agent Installation Window (Start)

The user must click Finish to complete the agent installation and begin testing:

Figure 5-15.
To remove the agent: Windows endpoint>>Start button>>Settings>>Control panel>>Add/remove programs Figure 5-16. Add/Remove Programs Find the ProCurve NAC EI Agent in the list of installed programs. Click Remove. TIP: The ProCurve NAC EI Agent also appears in the services list: Start button>>Settings>>Control panel>>Administrative tools>>Services...
Windows endpoint>>IE browser window
Point the browser to the following URL:
https://<enforcement_server_ip>:89/setup.exe
The security certificate window appears:

Figure 5-17. Security Certificate

Click Yes to accept the security certificate. You are prompted to select Save to disk or Run the file:

Figure 5-18.
Mac OS Agent Test Windows When the test method selected is agent-based, the first time the end-user logs in to their Macintosh computer and opens a browser window, NAC 800 attempts to test the endpoint. If the agent is required, they receive the Installation Failed window shown in figure 5-13.
Double-click the extracted file to launch the installer program. A confirmation window appears: Figure 5-19. Start Mac OS Installer
Click Continue. The installer appears: Figure 5-20. Mac OS Installer 1 of 5
Click Continue. The Select a Destination window appears: Figure 5-21. Mac OS Installer 2 of 5
Click Continue. The Easy Install window appears: Figure 5-22. Mac OS Installer 3 of 5
Click Install. The Authenticate window appears: Figure 5-23. Mac OS Installer 4 of 5
Enter your password. Click OK. The agent is installed and the confirmation window appears: Figure 5-24. Mac OS Installer 5 of 5
Click Close.
Mac endpoint>>Double-click Desktop icon>>Applications folder>>Utilities folder
Figure 5-25. Applications, Utilities Folder
Double-click Activity Monitor. The Activity Monitor window appears: Figure 5-26. Activity Monitor
Verify that the osxnactunnel process is running. If the osxnactunnel process is not running, start it by performing the following steps:
Select Applications window>>Utilities>>Mac OS X Terminal. A terminal window opens: Figure 5-27. Mac Terminal
b. Enter the following at the command line: OSXNACAgent -v
The build and version number are returned. If an error message is returned indicating that the agent could not be found, the agent was not installed properly.
Removing the Mac OS Agent
To remove the Mac OS agent: Mac endpoint>>Double-click Desktop icon>>Applications folder>>Utilities folder
Select Mac OS X Terminal. A terminal window opens (figure 5-27). Enter the following at the command line: remove_osxnacagent
Remove the firewall entry: Select Apple Menu>>System Preferences>>Sharing>>Firewall tab.
To enable active content, see “Active Content” on page C-4.
TIP: Install any needed patches before installing the Agent.
Agentless Test Windows
If the end-users select Agentless test, NAC 800 needs login credentials in order to test the endpoint. Credentials can be obtained from the following:
Windows administrator account with a password in order to be tested by NAC 800.
NOTE: NAC 800 uses the Windows Messenger Service when using agentless testing. If you have disabled this service (http://www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx), agentless testing will not work.
If the end-users do not enter the correct information in the login window fields, a login failure window appears: Figure 5-30. End-user Login Failed
TIP: You can customize the logo and contact paragraph that appear on this window.
Testing Window
The following figure shows the window that appears during the testing process: Figure 5-31. End-user Testing
The possible outcomes from the test are as follows:
■ Test successful window (see “Test Successful Window” on page 5-45)
■ ...
Test Successful Window
When the end-users’ endpoints meet the test criteria defined in the NAC policy, they are allowed access to the network, and a window indicating successful testing appears: Figure 5-32. End-user Testing Successful
TIP: You can customize the logo and text that appears on this window as described in “End-user Screens”...
Testing Cancelled Window
If the Allow end users to cancel testing option on the System configuration>>Testing methods window is selected, the end-user has the option of clicking Cancel testing. If the end-users click Cancel testing, a window appears indicating that testing is cancelled: Figure 5-33.
For each NAC policy, you can specify a temporary access period should the end-users fail the tests. See “Selecting Action Taken” on page 6-17 for more information. Figure 5-34. End-user Testing Failed Example 1
TIP: You can elect to allow access to specific services and endpoints by including them in the Accessible services and endpoints area of the System configura-...
End-users can click Printable version to view the testing results in a printable format, as shown in the following figure: Figure 5-35. End-user Testing Failed, Printable Results
Error Windows
End-users might see any of the following error windows:
■ Unsupported endpoint
■ ...
Customizing Error Messages
The default error message strings (remediation messages) are defined in the following file: /usr/local/nac/scripts/BaseClasses/Strings.py
You can create custom error message strings that appear in the test result reports, and on the test results access window that the end-user views, by editing or creating the following file: /usr/local/nac/scripts/Custom/BaseClasses/CustomStrings.py
To customize the error messages:
"name2" : "message2",
NOTE: A “%s” in the description text is a special variable that is interpolated into extra information (passed from NAC 800) such as lists of missing patches, or missing software.
CAUTION: Normally NAC 800 uses Strings.py. If you create a CustomStrings.py file, make sure that the number of placeholders (%s) for a given entry is equal to the placeholders for that entry in Strings.py.
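A check for the CAUTION above, added here as an example and not code from NAC 800: it loads a Strings.py-style table and a CustomStrings.py-style override table, flags every override whose name is missing from the base table or whose “%s” count differs from the base entry, and shows what interpolation does when the counts disagree. Both files are constructed samples in the dict-literal shape shown on this page; the exact layout of the real files and the name of the top-level variable are assumptions.

```python
"""Validate a CustomStrings.py override table against the base Strings.py table.

Added example (not NAC 800 code). The dict-literal layout of the two files is
an assumption; the "%s" placeholder rule is the one the guide states.
"""
import ast
import re
from typing import Dict, List

# Constructed sample of the base table, in the shape of Strings.py.
BASE_SOURCE = '''
strings = {
    "checkAntiVirusUpdates.String.2" : "%s is installed but the service is not running and the virus signatures are not up-to-date (installed: %s required: %s).",
    "checkAntiVirusUpdates.String.3" : "%s is installed but the service is not running.",
    "checkPersonalFirewalls.String.1" : "The required personal firewall software was not found. Install a personal firewall and keep it up-to-date. Supported firewall software: %s",
}
'''

# Constructed sample override file: one good entry, two bad ones.
CUSTOM_SOURCE = '''
strings = {
    "checkAntiVirusUpdates.String.3" : "%s is installed but its service is stopped. Start the service and retest.",
    "checkAntiVirusUpdates.String.2" : "%s signatures are out of date. Update them and retest.",
    "checkPersonalFirewall.String.1" : "Install one of the supported firewalls: %s",
}
'''

PLACEHOLDER = re.compile(r"%s")


def load_table(source: str) -> Dict[str, str]:
    """Return the first dict literal in a Strings.py-style module (assumed layout)."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Dict):
            return ast.literal_eval(node)
    raise ValueError("no dict literal found")


def placeholder_count(message: str) -> int:
    return len(PLACEHOLDER.findall(message))


def validate_overrides(base: Dict[str, str], custom: Dict[str, str]) -> List[str]:
    """List every override whose name or %s count does not match the base table."""
    problems: List[str] = []
    for name, message in custom.items():
        if name not in base:
            problems.append(f"{name}: not defined in Strings.py (typo?)")
            continue
        want, got = placeholder_count(base[name]), placeholder_count(message)
        if want != got:
            problems.append(f"{name}: expected {want} placeholder(s), found {got}")
    return problems


def render(message: str, extra: List[str]) -> str:
    """Interpolate the extra information NAC 800 passes in.

    A mismatch between placeholders and values raises TypeError, which is why
    the guide insists that the counts in CustomStrings.py match Strings.py.
    """
    return message % tuple(extra)


if __name__ == "__main__":
    base, custom = load_table(BASE_SOURCE), load_table(CUSTOM_SOURCE)
    for problem in validate_overrides(base, custom):
        print("ERROR:", problem)
    print(render(custom["checkAntiVirusUpdates.String.3"], ["McAfee VirusScan"]))
```

Run it against the real files by reading them into `load_table` instead of the embedded samples; an override that fails the count check is exactly the entry that would break the end-user’s test result report at interpolation time.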
Test name – Description
checkAntiVirusUpdates.String.2 – %s is installed but the service is not running and the virus signatures are not up-to-date (installed: %s required: %s).
checkAntiVirusUpdates.String.3 – %s is installed but the service is not running.
checkAntiVirusUpdates.String.4 – (version: %s)
checkAntiVirusUpdates.String.5 – %s is installed but the virus signatures are not up-to-date...
checkIESecurityZoneSettings.String.1 – There was no security zone specified.
checkIESecurityZoneSettings.String.2 – Internet Explorer %s security zone settings are acceptable.
checkIESecurityZoneSettings.String.3 – There was no security level specified.
checkIESecurityZoneSettings.String.4 – An invalid security level '%s' was specified.
checkIESecurityZoneSettings.String.5 – Could not test Internet Explorer %s security zone settings.
checkPersonalFirewalls.String.1 – The required personal firewall software was not found. Install a personal firewall and keep it up-to-date. Supported firewall software: %s
checkPersonalFirewalls.String.2 – %s is installed but not running.
checkPersonalFirewalls.String.3 – %s service is installed and running.
checkServicePacks.String.1 – An unsupported operating system was encountered.
checkServicePacks.String.2 – ...
checkSoftwareNotAllowed.String.3 – Do not specify the HKEY_LOCAL_MACHINE\SOFTWARE registry key.
checkSoftwareNotAllowed.String.4 – The following software is not allowed: %s. Uninstall the software listed. Also, remove any file types listed by double-clicking My Computer>>select Tools>>Folder Options>>File Types and remove the file type mentioned.
checkSoftwareNotAllowed.String.5 – %s  # placeholder for link location for each software...
checkWormsVirusesAndTrojans.String.2 – The following worms, viruses, or trojans were found: %s. Contact your network administrator for assistance on removing them.
checkAntiSpyware.String.1 – The %s software is installed and a scan was run recently on %s.
checkAntiSpyware.String.2 – The %s software was found but a scan has not performed...
"NAC policies" are collections of tests that evaluate remote endpoints attempt- ing to connect to your network. You can use the standard tests installed with NAC 800, or you can create your own custom tests. NOTE: The default NAC policy is indicated by the check mark on the icon to the left of the NAC policy name.
NAC Policies Overview Figure 6-1. NAC Policies The following figure shows the legend explaining the NAC policies icons: Figure 6-2. NAC Policies Window Legend...
Standard NAC Policies
NAC 800 ships with three standard NAC policies:
■ High security
■ Low security
■ Medium security
NAC policies are organized in groups. Groups include the clusters defined for your system, a Default group, and any other groups you create. Each standard policy has tests pre-selected.
NAC Policy Group Tasks
Add a NAC Policy Group
To add a NAC policy group: Home window>>NAC policies
Click Add a NAC policy group. The Add NAC policy group window opens: Figure 6-3. Add NAC Policy Group
Type a name for the group in the Name of NAC policy group text box.
Click on an existing NAC policy group name (for example, Default). The NAC policy group window opens. Figure 6-4. Edit NAC Policy Group
Make any changes required. See “Add a NAC Policy Group” on page 6-5 for details on NAC policy group options.
NAC Policy Tasks
Enabling or Disabling a NAC Policy
Select which NAC policies are enabled or disabled. To enable/disable a NAC policy: Home window>>NAC policies
Click on the enable or disable link. An X indicates disabled.
Selecting the Default NAC Policy
To select the default NAC policy: Home window>>NAC policies...
Click Add a NAC policy. The Add NAC policy window opens as shown in the following figure: Figure 6-6. Add a NAC Policy, Basic Settings Area
Enter a policy name. Enter a description in the Description text box. Select a NAC policy group.
In DHCP mode, if an endpoint with an unsupported OS already has a DHCP- assigned IP address, NAC 800 cannot affect this endpoint in any way until the lease on the existing IP address for that endpoint expires. If an endpoint with an unsupported OS has a static IP address, NAC 800 cannot affect this endpoint in any way.
Click the Domains and endpoints menu option to open the Domains and endpoints window, shown in the following figure: Figure 6-7. Add a NAC Policy, Domains and Endpoints
10. Click on a cluster name.
11. Enter the names of Windows domains to be tested by this cluster for this NAC policy, separated by a carriage return.
NOTE: You can leave the Domains and Endpoints areas blank if you do not want to assign domains and endpoints to this policy.
TIP: Move the mouse cursor over the question mark (?) by the word Endpoints, then click on the CIDR notation link to see the CIDR conversion table pop-up window.
13. Click the Tests menu option to open the Tests window: Figure 6-8. Add NAC Policy, Tests Area
18. Click ok. TIP: Selecting the Send an email notification option sends an email to the address you identified in NAC 800 Home window>>System Configuration>>Notifications area. This option is defined per cluster. Editing a NAC Policy To edit an existing NAC policy: Home window>>NAC policies...
Change any of the options desired. See “Creating a New NAC Policy” on page 6-7 for details on the options available. Click ok.
Deleting a NAC Policy
To delete an existing NAC policy: Home window>>NAC policies
Click the delete link to the right of the NAC policy you want to delete.
In the Retest frequency area, enter how frequently in minutes, hours, or days NAC 800 should retest a connected endpoint. TIP: A lower number ensures higher security, but puts more load on the NAC 800 server. Click ok. Setting Connection Time When an endpoint is inactive for a period of time, you can elect to automati- cally move the endpoint to a quarantined state.
In the Inactive endpoints area, enter how long an end-user can be inactive before they are quarantined.
TIP: A lower number ensures higher security. Click ok.
Defining Non-supported OS Access Settings
To define what actions to take for endpoints with non-supported operating systems: Home window>>NAC policies>>Select a NAC Policy>>Basic settings area
In the Operating systems area, select the check box beside any operating...
Selecting Action Taken
Actions can be passive (send an email), active (quarantine) or a combination of both. To select the action to take: Home window>>NAC policies>>Select a NAC Policy>>Tests menu option
Click on the name of the test to display the test’s options.
NOTE: Click a test name to display the options;...
Click ok if you are done in the Tests window, or continue making changes to other tests.
About NAC 800 Tests
NAC 800 tests are assigned to NAC policies. NAC policies are used to test endpoints attempting to connect to your network. NAC 800 tests might be updated as often as hourly; however, at the time of this release, the tests shown in “Tests Help”...
You can enter any combination of these keys in the NAC 800 text entry fields to detect a vendor, software package and version on an endpoint (for example, you can also enter Mozilla\Firefox or simply Mozilla) and NAC 800 searches for them in the HKEY_LOCAL_MACHINE\Software registry key sub-tree.
■ Utility Manager
■ Windows Installer
Entering the Browser Version Number
To specify the minimum browser version the end-user needs: For Mozilla Firefox:
a. Clear the Check For Mozilla Firefox [1.5] check box.
b. Type a version number in the text entry field.
In DHCP mode, if an endpoint with an unsupported OS already has a DHCP- assigned IP address, NAC 800 cannot affect this endpoint in any way until the lease on the existing IP address for that endpoint expires. If an endpoint with an unsupported OS has a static IP address, NAC 800 cannot affect this endpoint in any way.
Endpoint Quarantine Precedence
TIP: Use the Clear temporary access control status radio button to remove the temporary access or temporary quarantine state enabled by the Temporarily quarantine for/Temporarily grant access for radio buttons.
Endpoint testing exceptions override items following them in the list (4, ■...
Using Ports in Accessible Services and Endpoints
To use a port number when specifying accessible services and endpoints (cluster default): Home window>>System configuration>>Accessible services
The following figure shows the Accessible services window: Figure 7-1.
For all other deployment modes, the Fully Qualified Domain Name (FQDN) of the target servers should be added to the list (for example mycompany.com). If the specified servers are not behind an ES, a network firewall must be used to control access to only the desired ports.
Always Granting Access to an Endpoint
To always grant access to an endpoint without testing: Home window>>System configuration>>Exceptions
The following figure shows the Exceptions window. Figure 7-2. System Configuration, Exceptions
In the Whitelist area: In the Endpoints area, enter one or more MAC addresses, IP addresses, or NetBIOS names separated by carriage returns.
CAUTION: If you enter the same endpoint for both options in the Endpoint testing exceptions area, the Allow access without testing option is used.
CAUTION: Please read “Untestable Endpoints and DHCP Mode” on page 7-11 so that you fully understand the ramifications of allowing untested endpoints on your network.
Always Quarantining an Endpoint
To always quarantine an endpoint without testing (cluster default): Home window>>System configuration>>Exceptions
In the Blacklist area: In the Endpoints area, enter one or more MAC addresses, IP addresses, or NetBIOS names separated by carriage returns.
b.
■ Inline mode – An IP address is assigned to the endpoint outside of NAC 800. When the end-user attempts to connect to the network, NAC 800 either blocks access or allows access by adding the endpoint IP address to the internal firewall.
Shared Resources
If the end-users typically make connections to shared services and endpoints during the boot process, these shares are unable to connect while the endpoint has the quarantined IP address, unless the services and endpoints are listed in the Accessible services and endpoints area (see “Accessible Services”...
The IP address granted by your DHCP server has a lease expiration period that cannot be affected by the NAC 800 server. Once an untested endpoint has been allowed access and assigned a non-quarantined IP address by your DHCP server, that endpoint has continual access through that IP address until the IP address lease expires.
• 135-139
• 1025
NAC 800 will then look up the Kerberos and LDAP services, and resolve those services within its own DNS server used for quarantined devices. For example:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 88 dc01.lvh.com
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 389 dc01.lvh.com
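As an added example (not NAC 800 code), the two SRV answers above, embedded here as a constructed zone-file snippet, are parsed and turned into the (host, port) pairs that the quarantine-side DNS and firewall must permit for a domain logon to succeed from the quarantined address. The fixed ports are the ones listed above (135-139 and 1025); the target-selection order follows RFC 2782. The helper names and the zone-file layout are assumptions.

```python
"""Derive the quarantine-side endpoints a domain logon needs from SRV records.

Added example, not NAC 800 code. The records are the two shown in the guide,
constructed here as a zone-file snippet; the extra ports are the ones it lists.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

SRV_RECORDS = """\
; constructed sample of what NAC 800 resolves for the domain lvh.com
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 88 dc01.lvh.com
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 389 dc01.lvh.com
"""


@dataclass(frozen=True)
class SrvRecord:
    name: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str

    @property
    def service(self) -> str:
        """'_kerberos._tcp.<site>...' -> 'kerberos'."""
        return self.name.split(".")[0].lstrip("_")


def parse_srv(zone_text: str) -> List[SrvRecord]:
    """Parse 'name ttl IN SRV prio weight port target' lines; ';' starts a comment."""
    records: List[SrvRecord] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if len(f) != 8 or f[2] != "IN" or f[3] != "SRV":
            raise ValueError(f"not an SRV record: {raw!r}")
        records.append(SrvRecord(f[0].rstrip("."), int(f[1]), int(f[4]),
                                 int(f[5]), int(f[6]), f[7].rstrip(".")))
    return records


def expand_ports(spec: str) -> List[int]:
    """'135-139' -> [135, 136, 137, 138, 139]; '1025' -> [1025]."""
    lo, _, hi = spec.partition("-")
    return list(range(int(lo), int(hi or lo) + 1))


def accessible_endpoints(records: Iterable[SrvRecord],
                         extra_ports: Iterable[str]) -> List[Tuple[str, int]]:
    """(host, port) pairs to permit from the quarantine network: every SRV target
    on its service port, plus the fixed ports on every target."""
    records = list(records)
    pairs = {(r.target, r.port) for r in records}
    for host in {r.target for r in records}:
        for spec in extra_ports:
            pairs.update((host, p) for p in expand_ports(spec))
    return sorted(pairs)


def choose_target(records: Iterable[SrvRecord], service: str) -> SrvRecord:
    """RFC 2782 order: lowest priority first, then highest weight."""
    candidates = [r for r in records if r.service == service]
    if not candidates:
        raise LookupError(f"no SRV record for {service}")
    return min(candidates, key=lambda r: (r.priority, -r.weight))


if __name__ == "__main__":
    recs = parse_srv(SRV_RECORDS)
    print("kerberos ->", choose_target(recs, "kerberos").target)
    for host, port in accessible_endpoints(recs, ["135-139", "1025"]):
        print(f"allow quarantine -> {host}:{port}")
```

The output is the allow-list to compare against the Accessible services and endpoints area and against the router ACL for the quarantine subnet; any pair missing from either is a reason a quarantined endpoint cannot complete a domain logon.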
ES is unavailable, the notification indicates that at the top of the Home window. When NAC 800 is installed inline in a multiple-server configuration (figure 8- 1), the multiple ESs form a network loop (an undesired condition). The...
ports on the switch based on the switch configuration. If an ES becomes unavailable, the switch reconnects so that there is always a path from the VPN to an ES. All of the ES firewalls continuously stay in sync with each other. Figure 8-1.
Figure 8-2. DHCP Installation
Figure 8-3. 802.1X Installation
Load Balancing Load balancing distributes the testing of endpoints across all NAC 800 ESs in a cluster. NAC 800 uses a hashing algorithm based on MAC or IP addresses to divide the endpoints between the ESs. If the MAC address is unavailable (untestable endpoint) the IP address is used to determine which ES should test an endpoint.
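The division described above, as an added illustration rather than NAC 800’s own code: the guide says endpoints are divided between the ESs by a hash of the MAC address, or of the IP address when the MAC is unavailable, but not which hash. SHA-256 reduced modulo the number of ESs is assumed here; the ES names and endpoint addresses are constructed.

```python
"""Illustrative endpoint-to-ES sharding: hash the MAC, fall back to the IP.

Added example, not NAC 800 code. Which hash NAC 800 uses is not documented on
this page; SHA-256 modulo the cluster size is an assumption.
"""
import hashlib
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

_MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def endpoint_key(mac: Optional[str], ip: str) -> str:
    """Canonical hash input. The MAC wins when known; an untestable endpoint with
    no MAC is keyed by its IP address instead, as the guide describes."""
    if mac:
        digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()   # accept aa:bb, aa-bb, aabb.cc forms
        if not _MAC_HEX.match(digits):
            raise ValueError(f"bad MAC address: {mac!r}")
        return "mac:" + digits
    return "ip:" + str(ipaddress.ip_address(ip))            # canonical textual form


def assign_es(key: str, servers: List[str]) -> str:
    """Deterministically pick one ES for a key; the same key always maps to the same ES."""
    if not servers:
        raise ValueError("no enforcement servers in cluster")
    digest = hashlib.sha256(key.encode()).digest()
    return servers[int.from_bytes(digest[:8], "big") % len(servers)]


def distribute(endpoints: List[Tuple[Optional[str], str]],
               servers: List[str]) -> Dict[str, List[str]]:
    """Map every (mac, ip) endpoint to its ES; returns ES -> list of endpoint IPs."""
    buckets: Dict[str, List[str]] = {s: [] for s in servers}
    for mac, ip in endpoints:
        buckets[assign_es(endpoint_key(mac, ip), servers)].append(ip)
    return buckets


if __name__ == "__main__":
    cluster = ["es1", "es2", "es3"]
    sample = [(f"00:00:5e:00:53:{i:02x}", f"192.0.2.{i}") for i in range(1, 31)]
    sample.append((None, "192.0.2.100"))      # untestable endpoint: no MAC known
    for es, ips in distribute(sample, cluster).items():
        print(es, len(ips), "endpoints")
```

Two properties matter for operations and the test checks both: the key ignores MAC formatting (the switch and the DHCP log may render the same address differently), and every endpoint lands on exactly one ES.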
This is an undesirable situation. To prevent this, you may have to configure the switch that connects the NAC 800 ESs to use Spanning Tree Protocol (STP), if STP is not already configured. The STP automatically detects the loop, and closes one of the offending ports on the switch based on the switch configuration.
Inline Quarantine Method
Figure 9-1. Inline Installations
TIP: You can install NAC 800 at any “choke point” in your network; a VPN is not required.
DHCP Quarantine Method
Overview
When configured with a Dynamic Host Configuration Protocol (DHCP) quarantine area, all endpoints requesting a DHCP IP address are issued a temporary address on a quarantine subnetwork. Once the endpoint is allowed access, the IP address is renewed and the main DHCP server assigns an address to the main LAN.
Configuring NAC 800 for DHCP
The primary configuration required for using NAC 800 and DHCP is setting up the quarantine area (see “Setting up a Quarantine Area” on page 10-4). You should also review the following topics related to quarantining endpoints:
■ ...
In order to sufficiently restrict access to and from the quarantine area, you must configure your router Access Control Lists (ACLs) as follows:
■ Allow traffic to and from the NAC 800 server and the quarantined network.
■ If you want to allow access to other endpoints outside of the quaran-...
802.1X Quarantine Method
About 802.1X
802.1X is a port-based authentication protocol that can dynamically vary encryption keys, and has three components as follows:
■ Supplicant – The client; the endpoint that wants to access the network.
■ Authenticator – The access point, such as a switch, that prevents ...
The AP (authenticator) opens a port for EAP messages, and blocks all others. The AP (authenticator) requests the client’s (supplicant’s) identity. The Client (supplicant) sends its identity. The AP (authenticator) passes the identity on to the authentication server. The authentication server performs the authentication and returns an accept or reject message to the AP (authenticator).
VLAN to place the endpoint, and returns the result to the switch. When NAC 800 is used in an 802.1X network, the configuration is as shown in figure 11-2, and the communication flow is shown in Figure 11-3 on page 11-6.
The NAC 800 802.1X solution must be integrated with the RADIUS authentication to “intervene” in the authentication process, test endpoints, and assign them to the appropriate VLAN. NAC 800 can be deployed and integrated with RADIUS in the following three ways: ■...
Microsoft® Windows Server™ 2003 Internet Authentication Service (IAS) is Microsoft’s implementation of a Remote Authentication Dial-In User Service (RADIUS) server. This section provides instructions on configuring this server to use with NAC 800. For details on the Windows Server 2003 IAS, refer to the following link: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/ias.mspx
Install any IAS and 802.1X updates that are available. http://www.microsoft.com/downloads/search.aspx?displaylang=en Configuring the Microsoft IAS RADIUS Server For an explanation of how the components communicate, see “NAC 800 and 802.1X” on page 11-4. Now that you have the RADIUS server installed, you need to log into it and perform the configuration steps described in this section.
From the RADIUS server main window, select Start>>Settings>>Control Panel>>Administrative Tools>>Internet Authentication Service.
Configure IAS to use Active Directory:
a. Right-click on Internet Authentication Service (Local).
b. Select Register Server in Active Directory (figure 11-6). Click OK if a registration completed window appears.
Figure 11-8. IAS, Properties
General tab –
i. Enter a descriptive name in the Server Description text box. For example, IAS.
ii. Select the Rejected authentication requests check box.
iii. Select the Successful authentication requests check box.
d.
b. Select New RADIUS Client. The New RADIUS Client window appears: Figure 11-9. IAS, New Client, Name and Address
c. Enter a descriptive name for the Friendly name, such as Foundry.
d. Enter the IP address of the authenticator in the Client address text box.
TIP: Click Verify to test the connection.
Select RADIUS Standard from the Client Vendor drop-down list.
Enter a password in the Shared secret text box. This password also needs to be entered when you configure the authenticator.
NOTE: See your system administrator to obtain the shared secret for your switch.
h.
Click Next. Figure 11-12. IAS, Remote Access Policy, Access Method
Select the Ethernet radio button. (The Ethernet option will not work for authenticating wireless clients with this policy.)
h. Click Next. Figure 11-13. IAS, Remote Access Policy, Group Access
You can configure your Access policy by user or group.
Click Add. The Select Groups pop-up window appears: Figure 11-14. IAS, Remote Access Policy, Find Group
k. Click Advanced. Figure 11-15. Remote Access Policy, Select Group
l. Click Find Now to populate the Search Results area.
m. Select Domain Guests.
n. Click OK.
o. Click OK.
p. Click Next. Figure 11-16. IAS, Remote Access Policy, Authentication Method
NOTE: If you choose PEAP as your authentication mechanism in step q, see step 8 before completing step r and step s. Adding a certificate, if your server does not already have one, and configuring PEAP is explained in step 8.
To import the certificate manually:
1. Right-click on the Personal folder>>select All Tasks>>Import.
2. When the wizard opens, click Next.
3. Enter the path to the NAC 800 certificate, for example: D:\support\ias\compliance.keystore.cer
4. Click Next, Next, and Finish.
To request a certificate from a Domain Certificate Authority: Figure 11-17.
Follow the instructions to generate a certificate request. If there are...
Click Configure to configure the certificate for use with the PEAP authentication method. The Protected EAP Properties window appears, as shown in the following figure: Figure 11-18. Protected EAP Properties
10. Configure the new Remote Access Policy. Figure 11-19.
This example does not use additional selections.
ii. Advanced tab – Add three RADIUS attributes:
TIP: The attributes you select might be different for different switch types. Contact ProCurve Networking by HP if you would like assistance.
1) Click Add. Figure 11-21. IAS, Remote Access Policy, Add Attribute
2) Select Tunnel-Medium-Type. (Adding the first of the three attributes.)
3) Click Add.
4) Click Add again on the next window.
5) From the Attribute value drop-down list, select 802 (includes all 802 media).
18) Click OK.
19) Click OK.
20) Click OK.
11. Repeat step 9 for every VLAN group defined in Active Directory.
IMPORTANT: The order of the connection attributes should be most-specific at the top, and most-general at the bottom.
12.
Select the When disk is full, delete older log files check box. iv. Click OK. 13. Install the NAC 800-to-IAS connector – The NAC 800 IAS Connector is a DLL file that is installed on your Windows Server 2003 machine where the IAS component is enabled.
ProCurve Networking by HP at or .
b. Import the NAC 800 server’s certificate so the connector can communicate with NAC 800 over SSL: On the Windows Server 2003 machine, click Start.
vi. Click Add. Figure 11-25. IAS, Add/Remove Snap-in, Certificates
vii. Select Certificates.
viii. Click Add.
ix. Select the Computer account radio button.
x. Click Next.
xi. Select the Local computer: (the computer this console is running on) radio button.
14. Configure the NAC 800-to-IAS connector – Modify the INI file for your network environment. NAC 800 returns one of the following postures for an endpoint attempting to authenticate. For each posture received, a different RADIUS response to the switch can be configured using RADIUS attributes. This response determines into what VLAN the endpoint is placed.
Quarantined – The endpoint failed a test and the action is configured to quarantine.
Unknown – The endpoint has not been tested.
Infected – The endpoint failed the Worms, Virus, and Trojans test.
To configure the response, edit the SAIASConnector.ini file.
From the Windows Server 2003 machine, select Start>>Settings>>Control Panel>>Administrative Tools>>Active Directory Users and Computers. Figure 11-27. Active Directory, Properties
ii. Right-click on your directory name and select Properties.
iii. Select the Group Policy tab.
iv.
viii. Right-click Store passwords using reversible encryption.
ix. Select the Enabled check box.
NOTE: Reversible encryption is required only by EAP types, such as MD5-Challenge, that need the user’s plaintext password on the server. It weakens password storage in Active Directory, so limit it to the accounts that must use such EAP types and prefer PEAP where you can.
x. Click OK.
xi. Close the Group Policy Object Editor window.
xii. Close the Group Policy Management window.
xiii. Close the <Active Directory Name> Properties window.
16.
Select the Users folder. Figure 11-29. Active Directory Users and Computers
d. Right-click a user name and select Properties. The Properties window appears: Figure 11-30. Active Directory, User Account Properties
Select the Dial-in tab. In the Remote Access Permission area, select the Allow Access radio button.
The realm NULL section must go after the realm LOCAL section, or you can comment out the realm LOCAL section. Configure your RADIUS server to allow the NAC 800 IP address as a client with the shared secret specified in the previous step. See your RADIUS server’s documentation for instructions on how to configure allowed...
Configure the SAFreeRADIUSConnector.conf file with the appropriate RADIUS attributes and VLANs. See comments in the following sample file for instructions.
# FreeRADIUS Connector configuration file
# TO DO - Change localhost to your server's IP if this is not the built-in FreeRADIUS server
ServerUrl=https://localhost/servlet/AccessControlServlet
DebugLevel=4...
"QuarantineRadiusAttributes"
Tunnel-Medium-Type := 6,
Tunnel-Private-Group-ID := 15,
Tunnel-Type := VLAN,
"InfectedRadiusAttributes"
Tunnel-Medium-Type := 6,
Tunnel-Private-Group-ID := 15,
Tunnel-Type := VLAN,
"UnknownRadiusAttributes"
Tunnel-Medium-Type := 6,
Tunnel-Private-Group-ID := 5,
Tunnel-Type := VLAN,
# Use these attributes for Extreme switches
#"HealthyRadiusAttributes"...
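A parser for a connector file in the shape shown above, added here as an example (it is neither NAC 800 nor connector code): it reads the general ServerUrl settings and each posture’s attribute block, ignores commented-out blocks such as the Extreme alternative, and returns the RADIUS attributes the switch would receive for each of the four postures NAC 800 returns (Healthy, Quarantined, Unknown, Infected). It also reports whether Tunnel-Private-Group-ID carries a VLAN number or a name, which matters for the CatOS note later in this chapter. The sample file is constructed from the fragments on this page; its indentation, the 192.0.2.x addresses and the VLAN numbers are assumptions.

```python
"""Parse an SAFreeRADIUSConnector.conf-style file and look up the reply per posture.

Added example, not NAC 800 or connector code. The sample is constructed from the
fragments in this chapter; indentation, addresses and VLAN numbers are assumed.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_CONF = """\
# NAC 800 FreeRADIUS Connector configuration file (constructed sample)
# General configuration parameters
ServerUrl=https://192.0.2.10:89/servlet/AccessControlServlet
ServerUrl.1=https://192.0.2.11:89/servlet/AccessControlServlet
DebugLevel=4

"HealthyRadiusAttributes"
    Tunnel-Medium-Type := 6,
    Tunnel-Private-Group-ID := 10,
    Tunnel-Type := VLAN,

"QuarantineRadiusAttributes"
    Tunnel-Medium-Type := 6,
    Tunnel-Private-Group-ID := 15,
    Tunnel-Type := VLAN,

"InfectedRadiusAttributes"
    Tunnel-Medium-Type := 6,
    Tunnel-Private-Group-ID := 15,
    Tunnel-Type := VLAN,

"UnknownRadiusAttributes"
    Tunnel-Medium-Type := 6,
    Tunnel-Private-Group-ID := 5,
    Tunnel-Type := VLAN,

# Commented-out alternative block (assumed content); the parser must ignore it
#"HealthyRadiusAttributes"
#    Tunnel-Private-Group-ID := User_Seg_PA,
"""

SECTION = re.compile(r'^"(\w+)RadiusAttributes"$')
ATTR = re.compile(r'^([A-Za-z0-9-]+)\s*:=\s*(.+?),?$')

# Posture names NAC 800 returns -> section prefix in the connector file.
POSTURE_SECTION = {"Healthy": "Healthy", "Quarantined": "Quarantine",
                   "Infected": "Infected", "Unknown": "Unknown"}


def parse_connector_conf(text: str) -> Tuple[Dict[str, str], Dict[str, List[Tuple[str, str]]]]:
    settings: Dict[str, str] = {}
    postures: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments, including disabled blocks
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            postures[current] = []
            continue
        m = ATTR.match(line)
        if m and current is not None:
            postures[current].append((m.group(1), m.group(2).strip()))
            continue
        if "=" in line and ":=" not in line:   # general key=value parameter
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
            continue
        raise ValueError(f"cannot parse line: {raw!r}")
    return settings, postures


def server_urls(settings: Dict[str, str]) -> List[str]:
    """ServerUrl, ServerUrl.1, ServerUrl.2, ... in numeric order (the failover list)."""
    def index(key: str) -> int:
        return 0 if key == "ServerUrl" else int(key.split(".", 1)[1])
    keys = [k for k in settings if k == "ServerUrl" or k.startswith("ServerUrl.")]
    return [settings[k] for k in sorted(keys, key=index)]


def reply_attributes(postures: Dict[str, List[Tuple[str, str]]], posture: str) -> Dict[str, str]:
    """RADIUS attributes the connector would send to the switch for a posture."""
    section = POSTURE_SECTION[posture]
    if section not in postures:
        raise KeyError(f'no "{section}RadiusAttributes" section for posture {posture}')
    return dict(postures[section])


def vlan_reference(attrs: Dict[str, str]) -> str:
    """'number' or 'name': CatOS switches need the VLAN by name, others accept the number."""
    return "number" if attrs["Tunnel-Private-Group-ID"].isdigit() else "name"


if __name__ == "__main__":
    settings, postures = parse_connector_conf(SAMPLE_CONF)
    print("servers:", server_urls(settings))
    for posture in POSTURE_SECTION:
        attrs = reply_attributes(postures, posture)
        print(posture, attrs, "VLAN by", vlan_reference(attrs))
```

A missing posture section raises rather than silently returning nothing, since an endpoint whose posture has no attribute block would otherwise get whatever the switch does by default instead of the VLAN you intended.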
If you selected the Manual End-user authentication method in the Authentication settings area of the System configuration>>Quarantining>>802.1X window, con- figure NAC 800 according to the instructions in this section. To configure NAC 800 to handle RADIUS requests: Add users to the RADIUS server by modifying the /etc/raddb/users file.
(CatOS), you need to refer to the VLAN by name, and not by number as shown in the following sample file. For example, use “Tunnel-Private-Group-ID := User_Seg_PA,” instead of “Tunnel-Private-Group-ID := 50,”.
# NAC 800 FreeRADIUS Connector configuration file
# General configuration parameters
ServerUrl=https://<SERVER IP>:89/servlet/AccessControlServlet
ServerUrl.1=https://<SERVER IP.1>:89/servlet/AccessControlServlet...
Tunnel-Type := VLAN,
Enabling NAC 800 for 802.1X
To enable NAC 800 for use in an 802.1X network, you need to select it in the user interface, and make a few changes to the properties using JMS and an XML file.
detection can be run remotely by installing and configuring the endpoint activity capture software on each DHCP server involved in the 802.1X deployment. In this case, choose the remote option.
• local – In simple configurations, it is possible to span, or mirror, the...
Right-click on Local Area Connection. Select Properties. The Local Area Connection window appears:
Figure 11-32. Windows XP Pro Local Area Connection, General Tab
Select the General tab. Select the Show icon in notification area when connected check box. This enables the Windows XP balloon help utility, which can assist you when entering information and troubleshooting errors.
Select the Authentication tab.
Figure 11-33. Windows XP Pro Local Area Connection Properties, Authentication
Select the Enable IEEE 802.1X authentication for this network check box. Select an EAP type from the drop-down list. For this example, select MD5-Challenge.
Select Wireless Zero Configuration. If the Status column does not already show Started, start the service:
i. Right-click on Wireless Zero Configuration.
ii. Select Start.
b. Close the Services window.
Configure the network connections: Windows desktop>>Start>>Settings>>Control Panel>>Network Connections
Right-click on Local Area Connection.
b. Close the Services window.
Configure the network connections: Windows desktop>>Start>>Settings>>Control Panel>>Network and Dial-up Connections
Right-click on Local Area Connection. Select Properties. The Local Area Connection window appears.
Figure 11-34. Windows 2000 Local Area Connection Properties, General Tab
d. Select the Authentication tab.
Figure 11-35. Windows 2000 Local Area Connection Properties, Authentication Tab
Select the Enable network access control using IEEE 802.1X check box. Select an EAP type from the drop-down list. For this example, select MD5-Challenge.
Start the wired service: Double-click on Wired AutoConfig. The Wired AutoConfig Properties window appears.
Figure 11-36. Wired AutoConfig Properties
b. Select Automatic from the Startup type drop-down list. Click Start in the Service status area.
Select Properties. The Local Area Connection window appears:
Figure 11-37. Windows Vista Local Area Connection, Networking Tab
Select the Authentication tab.
Figure 11-38. Windows Vista Local Area Connection Properties, Authentication Tab
Select the Enable IEEE 802.1X authentication check box. Select an EAP type from the Choose a network authentication method drop-down list.
BD70F5AAA2CF0C5DBAA5DA97FADFE95
set radius enable

Extreme® Summit 48si

TIP: When authenticating via the onboard FreeRADIUS server, you need to add the administrative line in the RADIUS users file.
TIP: Change the admin password to a non-blank password.

create vlan "Operations"...
HP ProCurve Access Point 420(config)#interface ethernet
Enter Ethernet configuration commands, one per line.
HP ProCurve Access Point 420(if-ethernet)#no ip dhcp
HP ProCurve Access Point 420(if-ethernet)#ip address <IP of Access Point Netmask Gateway>
HP ProCurve Access Point 420(if-ethernet)#end
HP ProCurve Access Point 420(config)#management-vlan 200 tagged
HP ProCurve Access Point 420(config)#interface wireless g
Enter Wireless configuration commands, one per line.
This section shows how to configure the security settings on the 530AP so that user access may be controlled using Dynamic VLAN provisioning.

ProCurve Access Point 530#conf
ProCurve Access Point 530(config)#interface ethernet
ProCurve Access Point 530(ethernet)#ip address <IP of Access Point > Netmask
ProCurve Access Point 530(ethernet)#ip default-gateway <IP of Gateway>...
ProCurve Access Point 530(config)#write mem
ProCurve Access Point 530(config)#exit

Dynamic WEP:
ProCurve Access Point 530#conf
ProCurve Access Point 530(config)#interface ethernet
ProCurve Access Point 530(ethernet)#ip address <IP of Access Point > Netmask
ProCurve Access Point 530(ethernet)#ip default-gateway <IP of Gateway>
ProCurve Access Point 530(ethernet)#management-vlan 200...
ProCurve Access Point 530(radio1-wlan1)#wep-key-ascii
ProCurve Access Point 530(radio1-wlan1)#wep-key-1 1q2w3e4r5t6y7
ProCurve Access Point 530(radio1-wlan1)#write mem
ProCurve Access Point 530(radio1-wlan1)#enable
ProCurve Access Point 530(radio2-wlan1)#enable
ProCurve Access Point 530(config)#radio 1
ProCurve Access Point 530(radio1)#enable
ProCurve Access Point 530(radio1)#radio 2...
Creating Custom Expect Scripts
Expect is a tool that uses simple scripts to automate interactive applications. NAC 800 utilizes expect scripts when communicating with 802.1X devices. You can add 802.1X devices in the NAC 800 user interface (Home>>System configuration>>Quarantining menu option>>Add 802.1X device). There are 11 pre-defined devices, and one generic device.
When testing configuration settings from the NAC 800 user interface, all three scripts are executed once in sequence and the connection is closed. If any output is returned by a command sent in the re-authentication script, it is logged and returned to the user.
The expect scripts use the following commands:

Command                  Description and parameters
expect [OPTIONS] TEXT    Waits for TEXT to appear on the connection input
send [OPTIONS] TEXT      Writes TEXT to the connection output...
■ IS_TELNET – Set to "true" for a telnet connection (otherwise unset)
■ IS_SSH – Set to "true" for an SSH connection (otherwise unset)

The following variables may be referenced from the re-authentication script:
■ PORT –...
expect (config)#

Reauthorization script:
send interface FastEthernet ${PORT}
expect (config-if)#
send eapol re-authenticate
expect (config-if)#
send exit
expect (config)#

Exit script:
send exit
expect #
send exit
expect press or to select option.
send -noreturn l

The conditions in the above scripts are driven by the values of the variables entered by the user, but sometimes it is necessary to drive conditions from interactions with...
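A small interpreter for the expect/send script format described above, run against a constructed switch CLI so the re-authorization and exit scripts can be exercised offline. This is an added example, not ProCurve's connector code; the meaning of `-noreturn` (send without a trailing newline), the `switch#` prompts and the `FakeSwitch` state machine are assumptions.

```python
# Added example, not ProCurve's connector code. Assumes one command per line,
# ${VAR} substitution for user-entered variables such as PORT, and that
# "send -noreturn" writes TEXT without a trailing newline (the page uses the
# option without defining it). FakeSwitch is a constructed CLI stand-in.
import re
from dataclasses import dataclass, field


class ExpectFailed(Exception):
    """Expected TEXT never appeared on the connection input."""


@dataclass
class FakeSwitch:
    """Constructed switch CLI: a config-mode state machine whose prompts
    change the way the page's re-authorization script expects."""
    mode: str = "exec"                       # exec -> config -> config-if
    port: str = ""
    reauthenticated: list = field(default_factory=list)

    def prompt(self) -> str:
        return {"exec": "switch#", "config": "switch(config)#",
                "config-if": "switch(config-if)#"}[self.mode]

    def write(self, data: str) -> str:
        """Consume one input line; return what the CLI would print."""
        cmd = data.strip()
        if self.mode == "exec" and cmd == "configure terminal":
            self.mode = "config"
        elif self.mode == "config" and cmd.startswith("interface "):
            self.mode, self.port = "config-if", cmd.split(" ", 1)[1]
        elif self.mode == "config-if" and cmd == "eapol re-authenticate":
            self.reauthenticated.append(self.port)
        elif cmd == "exit":
            self.mode = {"config-if": "config"}.get(self.mode, "exec")
        elif cmd:
            return "% Invalid input\n" + self.prompt()
        return self.prompt()


def substitute(text: str, variables: dict) -> str:
    """Expand ${NAME}; an undefined variable is an error, not empty text,
    so 'interface FastEthernet ${PORT}' can never act on the wrong port."""
    def repl(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"undefined script variable ${{{name}}}")
        return str(variables[name])
    return re.sub(r"\$\{(\w+)\}", repl, text)


def run_script(script: str, variables: dict, device: FakeSwitch) -> list:
    """Run one script against device; return the strings sent.

    expect matches TEXT anywhere in output received since the last match;
    a miss raises ExpectFailed (the connector logs and reports such output).
    """
    buffer = device.prompt()                 # prompt visible on connect
    sent = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        verb, _, rest = line.partition(" ")
        opts = []
        while rest.startswith("-"):          # leading [OPTIONS]
            opt, _, rest = rest.partition(" ")
            opts.append(opt)
        text = substitute(rest, variables)
        if verb == "expect":
            if text not in buffer:
                raise ExpectFailed(f"expected {text!r}, got {buffer!r}")
            buffer = ""
        elif verb == "send":
            payload = text if "-noreturn" in opts else text + "\n"
            sent.append(payload)
            buffer += device.write(payload)
        else:
            raise ValueError(f"unknown script command {verb!r}")
    return sent


# Scripts modelled on the page's sample: enter config mode, re-authenticate
# the port's 802.1X session, then back out to the exec prompt.
ENTER_SCRIPT = "send configure terminal\nexpect (config)#\n"
REAUTH_SCRIPT = """send interface FastEthernet ${PORT}
expect (config-if)#
send eapol re-authenticate
expect (config-if)#
send exit
expect (config)#
"""
EXIT_SCRIPT = "send exit\nexpect #\n"


def reauthenticate_port(port: str, device: FakeSwitch = None) -> FakeSwitch:
    """Run the three scripts once in sequence, as the NAC 800 test action does."""
    device = device or FakeSwitch()
    for script in (ENTER_SCRIPT, REAUTH_SCRIPT, EXIT_SCRIPT):
        run_script(script, {"PORT": port}, device)
    return device
```

Calling `reauthenticate_port("0/12")` leaves the fake switch back at the exec prompt with `FastEthernet 0/12` recorded as re-authenticated; a prompt that never arrives or an undefined `${VAR}` stops the script instead of sending a half-formed command.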
NAC 800 auto-discovers endpoints on your network so that testing and the transition from quarantine to non-quarantine areas happen quickly and smoothly after an endpoint is booted up. NAC 800 also relies on auto-discovery functionality to track DHCP IP address transitions so that it can continue to communicate seamlessly with endpoints after an IP change.
Remote Device Activity Capture: Creating a DAC Host

Your DAC host can be a Windows server. This section provides instructions on setting up a Windows host. First, download the executable file to your Windows server, then run the installer to install the first interface. For this release, if you want to add additional interfaces, you must install them manually.
interfaces or ESs to the wrapper.conf file after installing DAC. You can save your previous wrapper.conf file before you uninstall DAC for reference; do not save the old wrapper.conf file and copy it over the new wrapper.conf file.

To run the Windows installer:
Windows server
Navigate to the EXE file downloaded in “Downloading the EXE File”...
Click Next. The Setup Type window appears:
Figure 12-2. RDAC Installer, Setup Type
Select Complete to install the DAC software, the JavaJRE software, and the WinPcap software. If you already have JavaJRE or WinPcap installed, select Custom.
Click Next. The Choose Destination Location window appears:
Figure 12-3. RDAC Installer, Choose Destination Location
In most cases, you should accept the default location. (Click Change to select a different location.) Click Next. The Confirm New Folder window appears:
Figure 12-4.
Click Yes. If you selected Custom in step 4 on page 12-5, the Select Features window appears; otherwise the NIC Selection window appears (figure 12-
Figure 12-5. RDAC Installer, Select Features
Select the features to install. Click Next. The NIC Selection window appears:
Figure 12-6. RDAC Installer, NIC Selection
All of the interfaces installed on your Windows server are listed in this window. Select the one you want to use and click Next. The TCP Port Filter Specification window appears:
Figure 12-7. RDAC Installer, TCP Port Filter Specification
10. In most cases you should accept the default entry. Click Next. The Enforcement Server Specification window appears:
Figure 12-8. RDAC Installer, Enforcement Server Specification
11. Enter the IP address of the Enforcement Server (ES) to use. Click Next. The Ready to Install the Program window appears:
Figure 12-9. RDAC Installer, Ready to Install the Program
12. Click Install.
When the installation is complete, the InstallShield Wizard Complete window appears:
Figure 12-10. RDAC Installer, InstallShield Wizard Complete
14. The following folders and files are created:
• VERSION
– InstallSSDAC.bat
rdac
SSDAC.bat
UninstallSSDAC.bat
wrapper.exe
–...
– wrapper.log
15. Perform the steps detailed in “Adding Additional Interfaces” if you have additional interfaces to add.
16. Perform the steps detailed in “Configuring the MS and ES for DAC” on page 12-14.
Configuring the MS and ES for DAC
Create a keystore file containing a unique key, signed certificate, and a CA certificate that is required for SSL communication. On the NAC 800 MS, enter the following command at the command line:
/usr/local/nac/bin/SSL-createRemoteDACCertificate...
b. When the command completes, copy the DAC_keystore file (from /tmp or wherever you specified) to C:\Program Files\Hewlett-Packard\DAC\lib\. After copying the DAC_keystore file from the MS, delete the file from its temporary location on the MS.
wrapper.app.parameter.X
Where X is the numerical value representing the order in which the parameter will be added to the command.
b. Add additional ESs:
Locate the line that represents the initial ES, for example
wrapper.app.parameter.8=172.17.100.100
Select Start>>Settings>>Control Panel>>Administrative Tools>>Services. The Services window appears:
Figure 12-12. NAC Endpoint Activity Capture Service
Right-click on the NAC Endpoint Activity Capture service and select Start. By default, the service is set to start automatically at the next reboot.

Viewing Version Information
To view version information:
Windows server...
Removing the Software
Each of the three software packages must be removed individually.

To remove the RDAC software:
Windows server
Select Start>>Settings>>Control Panel>>Add or Remove Programs. Click once on the DAC listing. Click Remove.
Select Start>>Settings>>Control Panel>>Add or Remove Programs. Click once on the J2SE Runtime Environment listing. Click Remove. Click Yes when asked if you want to completely remove the application and features. When the uninstallation is complete, the Uninstall Complete window appears. Select one of the options and click Finish.
You must configure syslog on the Infoblox server to send debug level DHCP logs to the NAC 800 ES IPs on TCP port 514, using the local3 facility. The actual steps to set this up may vary by NIOS. Contact Infoblox support for assistance (http://www.infoblox.com/support/).
Click ok.

Command line window
NOTE: Perform the following steps on each ES in your system.
Log in as root to the NAC 800 ES using SSH or directly with a keyboard. Enter the following command:
egrep DeviceActivityCapture /usr/local/nac/properties/nac-es.properties
The expected results are:
Compliance.DeviceActivityCapture.RunningRemotely=tru...
Remote Device Activity Capture: NAC 800 to Infoblox Connector

d. In the ### LOG ENTRIES HERE ### area, add the following line:
log { source(rdac); filter(f_mesg); destination(d_dac); };
Save and exit the file. Enter the following at the command line to restart the service:...
The Dynamic Host Configuration Protocol (DHCP) plug-in is an optional feature that allows you to use one or more DHCP servers (without an installation of NAC 800 in front of each DHCP server) as shown in the following figure:
Figure 13-1.
DHCP server in your network, the plug-in processes or ignores DHCP packets based on the end-user device Media Access Control (MAC) address. NAC 800 tests endpoints that request access to the network and either assigns a quarantined Internet Protocol (IP) address (failed), or adds the MAC address of the end-user device as an authorized device (allowed) to the Access Control List (ACL) on the appropriate DHCP server.
Installation Overview
When NAC 800 does not sit inline with the DHCP server, you need to set up a remote host for Device Activity Capture (DAC) to allow NAC 800 to listen on the network. This is done by installing a small program on the DHCP server or other remote (non-NAC 800) host, which then sends relevant endpoint device information back to NAC 800.
Table 13-1 shows options used in confg.xml:

Group / Item: failopen
Description: failopen=“true” means that if the NAC 800 DHCP listener connection goes down, the DHCP server goes into allow mode. failopen=“false” means that if the NAC 800 DHCP...
DHCP Plug-in: DHCP Plug-in and the NAC 800 User Interface

In order to use the DHCP plug-in, you need to select DHCP as the quarantine (enforcement) method, select the DHCP servers using the DHCP plug-in check box, and add your DHCP servers.
Select the DHCP servers using the DHCP plug-in radio button.
Figure 13-2. System Configuration, Quarantining, DHCP
Click download the DHCP plug-in. A Windows save window appears. Browse to a location on the DHCP server you will remember and save the file. On the DHCP server, navigate to the location of the saved file and double-click it.
Enter your User Name and Company Name. Click Next. The Ready to Install the Program window appears.
Figure 13-5. DHCP Plug-in Ready to Install the Program window
10. Click Install. The progress is displayed on a Status window. When installation is complete, the InstallShield Wizard Complete window appears.
Enabling the Plug-in and Adding Servers
To enable the DHCP plug-in and add the DHCP servers:
Home window>>System configuration>>Quarantining
Select the DHCP radio button in the Quarantine area. Select the DHCP servers using the DHCP plug-in radio button (figure 13-2).
Figure 13-9. DHCP Plug-in Legend NOTE: NAC 800 automatically attempts to connect to the DHCP server. The possible DHCP server status states are shown in figure 13-9. 10. Click ok to save the changes and return to the Home window.
Viewing DHCP Server Plug-in Status
DHCP server plug-in status is displayed in the following locations:
■ System configuration>>Quarantining>>DHCP window
■ System monitor>>select a cluster>>Quarantining window
■ Home window>>System configuration>>Quarantining>>DHCP Quarantine...
Click ok to return to the System Configuration>>Quarantining window. Click ok to save the changes and return to the Home window.

Deleting a DHCP Server Plug-in Configuration
To delete a DHCP server plug-in configuration:
Home window>>System configuration>>Quarantining>>DHCP Quarantine...
Click enable next to the DHCP server plug-in configuration you wish to enable. Click yes at the Enable DHCP plug-in configuration prompt. Click ok to save the changes and return to the Home window.
Reports: Report Types

NAC 800 generates the following types of reports:

Report              Description                          Report columns
NAC policy results  Lists each NAC policy and the last   • policy name
                    pass/fail policy results             • test status
                                                         • # of times
                                                         •...
Report                        Description                         Report columns
Test results by NetBIOS name  Lists the number of tests that      • netbios
                              passed or failed for each netbios   • cluster
                              name.                               • ip address
                                                                  • user
                                                                  • test status
                                                                  • # of times
                                                                  •...
Generating Reports
To generate a report:
Home window>>Reports
The following figure shows the Reports window.
Figure 14-1. Reports
In the Report drop-down list, select the report to run. Select the Report period. Select the Rows per page. In the Endpoint search criteria area, select any of the following options to use for filtering the report:
Cluster...
Endpoint test status
Access control status
Endpoints must match:
i. of the selected criteria
ii. Any of the selected criteria
Select Generate report. After a short period of time the compiled report is displayed in a separate browser window. The following figure shows an example report.
Viewing Report Details
To view report details:
Home window>>Reports
Select the options for the report you want to run. Click Generate report. Click the details link. The Test details window appears:
Printing Reports
To print a report:
Home window>>Reports
Select the options for the report you want to run. Click Generate report. Select Print. Select the printer options and properties. Select Print.
Saving Reports to a File
To save a report:
Home window>>Reports
Select the options for the report you want to run. Click Generate report. Select File>>Save Page As from the browser menu. Enter a name and location where you want to save the file. Select Web page, complete.
Converting an HTML Report to a Word Document
To convert an HTML report:
Run the report (see “Generating Reports” on page 14-4). Save an HTML version of it (see “Saving Reports to a File” on page 14-9). Open the HTML report in Microsoft Word.
System Administration

Using an SSL Certificate from a known Certificate Authority (CA) . . . 15-28
Moving an ES from One MS to Another . . . 15-30
Recovering Quickly from a Network Failure . . .
Logging out of NAC 800
To log out of NAC 800:
Any NAC 800 window
Click Logout in the upper right corner of the NAC 800 home window. When the logout procedure completes, the ProCurve login window appears.

Important Browser Settings
There are several browser configuration settings to make, depending on which browser you are using.
This section lists the commands to stop and restart services associated with NAC 800 installations for MS, ES, or Single-server Installations. Restart instead of start is used for services already running in NAC 800. When running NAC 800 and monitoring systems on your network, you may encounter a warning on a server stating that a Connection cannot be established.
- Attempt to connect using wget from the NAC 800 (the proxy command is optional):

export http_proxy=<your_web_proxy>
wget http://update.procurve.com/monitor/ruleUpdate_status

If the connection is successful, the ProCurve server returns a file containing a date/time stamp formatted as follows:
2008-02-04 23:21:02

NOTE: Your outbound SSL connection needs to access:
For license validation and test updates: update.procurve.com port 443...
Ensure that the following ports on the domain controller/active directory (DC/AD) servers are available from quarantine:
•
•
• 135-139
• 1025
NAC 800 will then look up the Kerberos and LDAP services, and resolve those services within its own DNS server used for quarantined devices. For example:
-> lookup the _kerberos and _ldap service location
<- receive dc01.mycompany.com & dc02.mycompany.com
-> lookup the dc01 IP address
<- receive the dc IP address forwarded through NAC 800 named to the real DNS server (since dc01.mycompany.com is in the accessible services list).
-> authenticate

Matching Windows Domain Policies to NAC Policies
Using a Windows domain might affect the end-user’s ability to change their...
System Settings
For example, to change the NAC policy to not run the Windows automatic update test:
Home window>>NAC policies
Select the NAC policy that tests the domain's endpoints. Select the Tests menu option. Clear the Windows automatic updates check box. Click ok.
Changing the MS Host Name
To change the MS host name: See “Modifying MS Network Settings” on page 3-23.

Changing the ES Host Name
To change the ES host name: See “Changing the ES Network Settings” on page 3-16.

Changing the MS or ES IP Address
To change the MS or ES IP address: The preferred method is to use the user interface:...
MS to an ES or an ES to an MS.

To reset your system to the as-shipped state:
Command line window
Log in as root to the NAC 800 MS or ES, either using SSH or directly with a keyboard. Enter the following command at the command line:
resetSystem.py [both | ms | es]...
To reset your test data to the as-shipped state:
Command line window
For single-server installations:
Log in as root to the NAC 800 MS, either using SSH or directly with a keyboard.
b. Run the script by entering the following at the command line:
resetTestData.py...
/usr/local/nac/bin

Changing Properties
To change the property values in the properties files:
Command line window
Log in as root to the NAC 800 MS using SSH. Enter the following at the command line:
setProperty.py <DESTINATION> <TYPE> <VALUES>
Where:
•...
NAC 800 Enforcement clusters send alerts and notifications when certain events occur. You must specify an SMTP email server for sending these notifications. The server must allow SMTP messages from the NAC 800 ES. To specify an email server for sending notifications: See “Notifications”...
Entering Networks Using CIDR Format
Networks and network endpoints can be specified in NAC 800 using Classless Inter-Domain Routing (CIDR) format. CIDR is a commonly used method for specifying Internet objects. Table 15-3 presents common CIDR naming conventions.
Database

Creating a Backup File
To create a backup file of system configuration and data: See “Initiating a New Backup” on page 3-105.

Restoring from Backup
NOTE: You must have backed up your system at least one time before you can restore from a backup.
“Resetting your System” on page 15-9 for more information.

To reset a NAC 800 database to its pristine state:
Command window
Log in as root to the NAC 800 MS using SSH. Enter the following commands:
resetSystem.py
This script shuts down all of the services, cleans the database, iptables, and DHCP server, and restarts everything.
Supported VPNs
NAC 800 works with any VPN endpoint, since NAC 800 does not directly interface or inter-operate with VPN endpoints. The following commonly deployed VPN solutions have been tested:
■ Cisco VPN Concentrators
■ OpenSSL VPNs
■...
To view the end-user access windows:
IE browser window
Point the IE browser to port 88 of your NAC 800 ES. For example, if the IP address of your NAC 800 ES is 10.0.16.18, point an IE browser window to:
http://10.0.16.18:88...
How NAC 800 Handles Static IP Addresses
The following list details how NAC 800 handles static IP addresses:
■ Inline Mode – NAC 800 can detect, test, and quarantine static IP addresses. The end-user cannot circumvent a quarantine.
■...
Managing Passwords
The passwords associated with your NAC 800 installation are listed in the following table:
NAC 800 Set during Recovery process password NAC 800 Initial install process * See “Resetting the NAC 800 Server Management or Password”...
If you can remember the NAC 800 user interface password, but cannot remember the root login password for the NAC 800 MS or ES, log in to the NAC 800 user interface and navigate to one of the following windows:
To reset the MS Password: Home>>System configuration>>Management server...
Compliance.ObjectManager.AdminUser=
Compliance.ObjectManager.AdminPassword=
Compliance.UI.FirstTimeConfigCompleted=true

After the equal sign, enter the characters that are the password (for example, CwR0(tW). Save the file and copy it to the NAC 800 server (either MS or ES). Log into the NAC 800 server as root.
Enter the following command:
setProperty.py -f<filename>
From a workstation, open a browser window and point to the NAC 800 MS. Enter a new User Name and Password when prompted.
Working with Ranges
In NAC 800 implementations, particularly in trial installations where you are connecting and disconnecting cables to a number of different types of endpoints, you can filter the activity by specifying the following:
■...
This is because Extreme switches forward the packets from the IP address closest to NAC 800 and not the IP address of the interface closest to the endpoint, so all the DHCPRelay packets will appear to come from a production network IP address.
In order to avoid SSL certificate warnings in the browser when connecting to the NAC 800 server (either as a NAC 800 user interface user, or from a redirected endpoint) you will need to install SSL certificates that have been signed by a Certificate Authority (CA) recognized by the browser, such as Thawte, Verisign, or your organization's own local SSL CA.
Import the CA’s root certificates into the java cacerts file by entering the following command on the command line of the NAC 800 server:
keytool -import -alias <CA_alias> -file <ca_root_cert_file>...
To generate a Certificate Signing Request (CSR) to be submitted to a Certificate Authority (CA), first create a new self-signed certificate following the instructions in the previous section, then continue as follows:
Log in as root to the NAC 800 server via SSH. Enter the following at the command line:
<key_alias>...
(see “Copying Files” on page 1-20), replacing the previously self-signed public certificate for your key by entering the following command on the command line of the NAC 800 server:
keytool -import -alias <key_alias> -trustcacerts -file <signed_cert_file> -keystore /usr/local/nac/keystore/compliance.keystore...
Moving an ES from One MS to Another
If you have an existing ES, you can move it to a different MS by performing the steps in this section.

To move an ES to a different MS:
Command line window
Log in to the ES as root using SSH or directly with a keyboard.
Recovering Quickly from a Network Failure
If you have a network with a very large number of endpoints (around 3000 endpoints per ES), and your network goes down, perform the following steps to make sure that your endpoints can reconnect as quickly as possible:
Place all of the clusters that have a large number of endpoints in allow all mode:...
In some cases, such as when the DHCP server is in a different VLAN from the span/mirror port, the mirrored port traffic is 802.1q tagged. In this case, in order for NAC 800 to recognize the traffic, the following workaround must be performed.
Append the following line to the bottom of the file:
VLAN=yes
Modify the IPADDR line if needed. Save and exit the file.
h. Restart the network interface by entering the following at the command line:
service network restart

Change the interface the EDAC listens on:
Log in to the MS using SSH or directly with a keyboard.
Verify that the EDAC is using the virtual interface you created. The log should contain a line similar to the following:
[070509-MDT 10:53:11.366 DeviceActivityCapture- INFO ] Listening on: eth1:1
iptables Wrapper Script
To avoid creating conflicts between iptables and the nac-es service, do not run the following commands manually:
■ /etc/init.d/iptables
■ service iptables start
■ service iptables stop
■ service iptables restart
The nac-es service must be shut down before making changes to the iptables firewall.
Enable Temporary Ping
To temporarily (until reboot) enable ICMP echo requests:
Command line
Log in to the NAC 800 server as root using SSH or directly with a keyboard. Enter the following command at the command line:
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
Pings will again be disabled after the next reboot.
Supporting Network Management System
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
Save and exit the file. At the command line, enter the following:
/etc/rc.d/rc.local

Restricting the ICMP Request
If you wish to restrict ping requests to a specific interface, such as the interface facing the protected network, then after following the procedures above, follow the instructions in this section to add rules to the firewall chain so that ping requests are only answered through the specified interface.
Simple Network Management Protocol (SNMP) is a protocol used for communication between devices; it uses MIBs to define the SNMP message formats. NAC 800 supports SNMP v2c for incoming SNMP notifications. The following MIBs (located in /usr/share/snmp/mibs/) define the data that NAC 800 can read:
■...
Patch Management
NAC 800 can integrate with patch management software. When an endpoint fails due to a missing patch, NAC 800 wakes the patch manager client, checks for the completion of the patch, and then retests upon completion. The patch management capability uses the following test statuses:
■...
Flagging a Test to Launch a Patch Manager
To flag a test to launch a patch manager:
Home window>>NAC Policies>>Select or create a NAC policy>>Tests menu option
Figure 16-1. Initiate a Patch Manager Check Box
Select the check box for a test in the left column.
Selecting the Patch Manager
To select the patch manager:
Home window>>NAC Policies>>Select or create an access policy>>Tests menu option
Select the check box for a test in the left column. Click on the test name in the left column. Select the Initiate patch manager check box.
Specifying the Number of Retests
To select the maximum number of retest attempts:
Home window>>NAC Policies>>Select or create an access policy>>Tests menu option
1. Select the check box for a test in the left column.
2. Click on the test name in the left column.
Specifying the Retest Frequency
To specify the retest interval:
Home window>>NAC Policies>>Select or create an access policy>>Tests menu option
1. Select the check box for a test in the left column.
2. Click on the test name in the left column.
3. Select the Initiate patch manager check box.
SMS Patch Management
Repair vulnerabilities using patch management with SMS.
NOTE: Windows SMS 2003 is the only version supported.
...
NOTE: SMS server has a setting that allows users to interact with and cancel patch installation. ProCurve recommends that you do not allow users to cancel patch installation. Once a patch installation has been canceled, the patch does not automatically attempt to install later and the endpoint will never pass the NAC policy test without manual intervention by the SMS administrator.
(SMS) which patches the endpoint. NAC 800 retests the endpoint. If the test fails again, NAC 800 keeps looping until patching completes. If the test passes, NAC 800 allows the endpoint access to the network.
NOTE: SMS patch management works with agent-based testing only.
To set up NAC 800 for use with SMS:
1. Install and configure NAC 800.
2. Log into the NAC 800 user interface.
3. Add the following IP addresses to the NAC 800 home window>>System configuration>>Accessible services area:
a. SMS server IP address
b. ...
Learning More About SMS
The following links provide additional information about SMS:
Microsoft SMS home page: http://www.microsoft.com/smserver/
...
Overview
This section describes how to configure the remote server for use with the NAC 800 post-connect feature. The post-connect server can be a Windows server or a Linux server. This section details the following:
“Extracting the ZIP File” on page A-3
...
Create a directory for the contents of the ZIP file on the Windows machine. ProCurve recommends C:\Program Files\ProCurve. These instructions assume that you used the C:\Program Files\ProCurve directory. Copy the ZIP file to a Windows machine. The ZIP file can be downloaded...
Download and install the Python for Windows version.
Copy the cacerts file to the Windows server:
a. Log in to the NAC 800 MS as root using SSH or directly with a keyboard.
b. Copy the /usr/local/nac/keystore/cacerts file from the MS into the \lib folder on the post-connect server where you extracted the ZIP file.
Configuring the Post-connect Server – Setting up a Post-connect Host
Change the product to be the product you are running. For example:
product=IDS Product Name
d. Save and exit the file.
Edit the JMSConnection.properties file:
a. Open the \postconnect\lib\JMSConnection.properties file with a text editor.
b. ...
a. Log in to the NAC 800 MS as root using SSH or directly with a keyboard.
b. Copy the /usr/local/nac/keystore/cacerts file from the MS into the /usr/local/postconnect/lib folder on the post-connect server where you extracted the ZIP file. See “Copying Files”...
d. Start the service by entering the following at the command line:
service postconnect start
...
Viewing Logs
To view post-connect logs, use the following files:
/usr/local/postconnect/log/connector.log – Verify that the connector is running.
/usr/local/postconnect/log/script.log – The script writes to this file.
/usr/local/postconnect/bin/Connector_ActionScript.py <endpoint IP> "Reason 1" "Reason 2"
Where:
<endpoint IP> is the IP address of an endpoint known to NAC 800. For example, 192.168.40.40
“Reason 1” and “Reason 2” are text strings that describe the reasons to quarantine the specified endpoint. For example, “P2P Software Installed” or “Latest Windows XP Service Pack not applied”.
Configuring Your Sensor
Configure your post-connect sensor to call Connector_ActionScript.py with the IP address of the endpoint to quarantine and the reasons to quarantine.
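As an added example (not ProCurve's code), the following Python shows how a sensor integration on a Linux post-connect host could build and run the Connector_ActionScript.py call described above while treating sensor-supplied alert text as untrusted input. The alert line format, the function names, and the injectable runner are assumptions made for illustration; the script path is the one the guide gives.

```python
"""Added example, not ProCurve's code: call the NAC 800 post-connect
action script from a sensor integration without letting alert text
reach a shell. The key=value alert format used below is constructed."""
import ipaddress
import shlex
import subprocess
from typing import Callable, List, Tuple

# Path of the action script on a Linux post-connect host (from the guide).
ACTION_SCRIPT = "/usr/local/postconnect/bin/Connector_ActionScript.py"
MAX_REASON_LEN = 200  # assumed limit: keeps reasons readable in the NAC 800 UI


def build_quarantine_argv(endpoint_ip: str, reasons: List[str],
                          script: str = ACTION_SCRIPT) -> List[str]:
    """Return the argv list [script, <endpoint IP>, "Reason 1", ...].

    The IP must parse as an address: a sensor that hands over a hostname,
    a CIDR block or garbage must not trigger a stray quarantine call.
    Each reason becomes its own argv element, so quotes, semicolons or
    backticks inside IDS alert text are passed through as plain text.
    """
    try:
        ip = ipaddress.ip_address(endpoint_ip.strip())
    except ValueError as exc:
        raise ValueError(f"not a valid endpoint IP: {endpoint_ip!r}") from exc
    cleaned: List[str] = []
    for reason in reasons:
        text = " ".join(reason.split())  # collapse newlines/tabs from alerts
        if text:
            cleaned.append(text[:MAX_REASON_LEN])
    if not cleaned:
        raise ValueError("at least one non-empty quarantine reason is required")
    return [script, str(ip), *cleaned]


def quarantine_endpoint(endpoint_ip: str, reasons: List[str],
                        runner: Callable = subprocess.run) -> int:
    """Run the action script and return its exit status.

    `runner` is injectable so the call can be exercised without a real
    NAC 800; in production the default subprocess.run is used. Passing an
    argv list with shell=False (the default) is what keeps the reason
    strings from being re-parsed by a shell.
    """
    argv = build_quarantine_argv(endpoint_ip, reasons)
    result = runner(argv, capture_output=True, text=True)
    return result.returncode


def parse_sensor_alert(line: str) -> Tuple[str, List[str]]:
    """Parse a constructed 'key=value' alert line into (ip, [reason]).

    Constructed format, not any real sensor's output, e.g.:
        src=192.168.40.40 sig="P2P Software Installed"
    """
    fields = dict(item.split("=", 1) for item in shlex.split(line) if "=" in item)
    if "src" not in fields or "sig" not in fields:
        raise ValueError(f"alert line missing src= or sig=: {line!r}")
    return fields["src"], [fields["sig"]]


def handle_alert(line: str, runner: Callable = subprocess.run) -> int:
    """Glue: one alert line in, one action-script invocation out."""
    ip, reasons = parse_sensor_alert(line)
    return quarantine_endpoint(ip, reasons, runner)


if __name__ == "__main__":
    # Dry run with a fake runner that only echoes the argv it would execute.
    class _Echo:
        returncode = 0

    def _dry_run(argv, **kwargs):
        print("would run:", argv)
        return _Echo()

    handle_alert('src=192.168.40.40 sig="P2P Software Installed"', _dry_run)
```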
Allowing NAC 800 Through the Firewall
NAC 800 needs to communicate with the post-connect server through port 61616. See “Allowing the Windows RPC Service through the Firewall” on page 5-18 for instructions on how to open a port on a Windows machine.
Overview
The tests performed on endpoints attempting to connect to the network are listed on the NAC 800 Home window>>NAC policies>>Select a NAC policy>>Tests. These tests are updated when you download the latest versions by selecting NAC 800 Home window>>System Configuration>>Test Updates>>Check for Test Updates.
Tests Help
Browser Security Policy – Windows
The Browser security policy tests verify that any endpoint attempting to connect to your system meets your specified security requirements. Browser vulnerabilities are related to cookies, caches, and scripts (JavaScript, Java, and Active scripting / ActiveX).
Item: Active scripting / ActiveX
Description: Active scripting / ActiveX extends other programming languages (such as Java) by providing re-usable "controls" that enable developers to make Web pages "active". ActiveX is Microsoft's brand for active scripting. The following links provide more detailed information about ActiveX:
http://www.active-x.com/articles/whatis.htm
...
Internet Explorer (IE) Internet Security Zone
Description: This test verifies that the endpoint attempting to connect to your system is configured according to your specified Internet security zone standards.
Test Properties: Select the Internet Explorer Internet security zone settings required on your network.
Internet Explorer (IE) Local Intranet Security Zone
Description: This test verifies that the endpoint attempting to connect to your system is configured according to your specified local intranet security zone standards.
Test Properties: Select the Internet Explorer local intranet security zone settings required on your network.
Internet Explorer (IE) Restricted Site Security Zone
Description: This test verifies that the endpoint attempting to connect to your system is configured according to your specified restricted site security zone standards.
Test Properties: Select the Internet Explorer restricted sites security zone settings required on your network.
Enter a domain name or IP address in the Add this Web site to the zone text box. Click Add. Click OK.
Internet Explorer (IE) Trusted Sites Security Zone
Description: This test verifies that the endpoint attempting to connect to your system is configured according to your specified trusted sites security zone standards.
Select one of the following:
- Default Level to return to the default settings.
- Custom Level to specify High, Medium, Medium-low, or Low, or to create custom settings.
Select Sites. Enter a domain name or IP address in the Add this Web site to the zone text box.
Operating System – Windows
The Operating System (OS) tests verify that any endpoint attempting to connect to your system meets your specified OS requirements. Installing the most recent version of your OS helps protect your system against exploits targeting the latest vulnerabilities.
What Do I Need to Do?: Manually initiate an update check (http://v4.windowsupdate.microsoft.com/en/default.asp) if automatic update is not enabled or is not working.
Microsoft Office Hotfixes
Description: This test verifies that the endpoint attempting to connect to your system has the latest Microsoft Office hotfixes installed.
Test Properties: Select the hotfixes required on your network. If needed, select Deep Check to permit endpoint tests to run at the file level. Selecting the All critical updates option requires all the critical patches that have been released or will be released by Microsoft.
secure option is to select the All critical updates option, as this requires all the critical patches that have been released or that will be released by Microsoft. You don't have to keep checking by patch number.
How Does this Affect Me?: Hotfixes are programs that update the software and may include performance enhancements, bug fixes, security enhancements, and so on.
Test Properties: Select the hotfixes from the list presented that are required on your network. This list will occasionally change as tests are updated. If needed, select Deep Check to permit endpoint tests to run at the file level. The most secure option is to select the All critical updates option, as this requires all the critical patches that have been released or that will be released by Microsoft.
What Do I Need to Do?: Enable automatic updates. See the following link for instructions: http://www.microsoft.com/protect/computer/updates/mu.mspx
Enable automatic updates for Windows 2000:
1. Select Start>>Settings>>Control Panel>>Automatic Updates
2. Select Keep my computer up to date.
3. Select Download the updates automatically and notify me when they are ready to be installed.
Vista Enterprise
Test Properties: Select the hotfixes from the list presented that are required on your network. This list will occasionally change as tests are updated. If needed, select Deep Check to permit endpoint tests to run at the file level. The most secure option is to select the All critical updates option, as this requires all the critical patches that have been released or that will be released by Microsoft.
Windows XP SP2 Hotfixes
Description: This test verifies that the endpoint attempting to connect to your system has the latest Windows XP SP2 hotfixes installed.
Test Properties: Select the hotfixes from the list presented that are required on your network.
Security Settings – OS X
Mac AirPort WEP Enabled
Description: This test verifies that WEP encryption is enabled for AirPort.
Test Properties: There are no properties to set for this test.
How Does this Affect Me?: Wired Equivalent Privacy (WEP) is a wireless network security standard that provides the same level of security as the security in a wired network.
Mac AirPort User Prompt
Description: This test verifies that the user is prompted before joining an open network.
Test Properties: There are no properties to set for this test.
How Does this Affect Me?: If you move between different locations, this option prompts you before automatically joining any network.
The following link provides more information on anti-virus software and protecting your computer: http://www.us-cert.gov/cas/tips/ST04-005.html
Mac Bluetooth
Description: This test verifies that Bluetooth is either completely disabled or, if enabled, is not discoverable.
Test Properties: There are no properties to set for this test.
How Does this Affect Me?: Bluetooth is a wireless technology that allows computers and other endpoints (such as mobile phones and personal digital assistants (PDAs)) to communicate.
Select the Quarantine access check box and enter a temporary access period. This is the amount of time the endpoint will have access, starting from when the endpoint was detected by NAC 800.
Enter an Allowed grace period in the Test properties area. This is the...
Security Settings – Windows
The Security settings tests verify that any endpoint attempting to connect to your system meets your specified security settings requirements.
Allowed Networks
Description: Checks for the presence of an unauthorized connection on an endpoint.
Low (not recommended). You are not protected from potentially unsafe macros. Use this setting only if you have virus scanning software installed, or you have checked the safety of all documents you open.
How Does this Affect Me?: Macros are simple programs that are used to repeat commands and keystrokes within another program.
How Does this Affect Me?: Macros are simple programs that are used to repeat commands and keystrokes within another program. A macro can be invoked (run) with a simple command that you assign, such as [ctrl]+[shift]+[r]. Some viruses are macro viruses and are hidden within a document.
other files (such as the Normal template) and can potentially infect all of your files. If a user on another computer opens the infected file, the virus can spread to their computer as well.
What Do I Need to Do?: Set the Microsoft Word macro security level as follows:
1. Open Word.
How to change the service startup type:
1. Select Start>>Settings>>Control Panel>>Administrative Tools>>Services.
2. Right-click on a service and select Properties.
3. Select Manual or Disabled from the Startup type drop-down list.
4. Click OK.
5. Close the Services window.
6. Close the Administrative Tools window.
Right-click on a service and select Properties. Select Automatic from the Startup type drop-down list. Click OK. Close the Services window. Close the Administrative Tools window.
Windows Bridge Network Connection
Description: This test verifies that the endpoint attempting to connect to the network does not have a bridged network connection present.
Test Properties: Enter a list of allowed wireless SSIDs that are legitimate for your network. Enter the SSIDs as a comma-delimited list. For example, HomeNet, WorkNet. The following wireless adapters are supported: NetGear, LinkSYS, D-Link.
How Does this Affect Me?: In order to use wireless networks, you must specify the network names to which the wireless endpoints connect.
Enable "Accounts: Limit local account use of blank passwords to console logon only"
http://www.microsoft.com/resources/documentation/IIS/6/all/proddocs/en-us/Default.asp?url=/resources/documentation/IIS/6/all/proddocs/en-us/636.asp
What Do I Need to Do?: To select the security policies:
1. Select Start>>Settings>>Control Panel>>Administrative Tools.
2. Double-click Local Security Policy.
3. Double-click Local Policies.
run and runOnce keys cause programs to run automatically. Many worms and viruses are started by a call from the Windows Registry. If you limit what can start up when you log in, you can reduce the potential for worms and viruses to run on your system. The following links provide a description of the Microsoft Windows Registry and the Run keys:
...
http://www.pcworld.com/article/id,112138/article.html
Software – Windows
The Software tests verify that any endpoint attempting to connect to your system meets your specified software requirements. Installing the most recent version of your software helps protect your system against exploits targeting the latest vulnerabilities.
How Does this Affect Me?: Anti-virus software scans your computer, email, and other files for known viruses, worms, and trojan horses. It searches for known files and automatically removes them. A virus is a program that infects other programs and files and can spread when a user opens a program or file containing the virus.
Test Properties: Select the check box for one or more Microsoft Office packages. Any software package selected that does not have the latest version installed fails the test.
How Does this Affect Me?: Some companies may support only the software listed. Using the most recently updated version of software can help protect your system from known vulnerabilities.
How Does this Affect Me?: A firewall is hardware or software that views information as it flows to and from your computer. You configure the firewall to allow or block data based on criteria such as port number, content, source IP address, and so on. The following links provide more detailed information about firewalls:
...
Test Properties: Enter a list of applications that are required on all connecting endpoints, separated with a carriage return. The format for an application is vendor\software package[\version]. Using this format stores the value in the HKEY_LOCAL_MACHINE\Software key.
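As an added example (not ProCurve's code), the following Python shows how the vendor\software package[\version] list above maps to keys under HKEY_LOCAL_MACHINE\Software and how an absent entry fails the check. The vendor and package names, the installed-key snapshot, and the function names are constructed for illustration.

```python
"""Added example, not ProCurve's code: parse the required-applications
list (vendor\\package[\\version], one entry per line) into registry key
paths under HKEY_LOCAL_MACHINE\\Software and report which entries an
endpoint is missing. Vendor/package names and the snapshot are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Set

SOFTWARE_ROOT = r"HKEY_LOCAL_MACHINE\Software"


@dataclass(frozen=True)
class RequiredApp:
    vendor: str
    package: str
    version: Optional[str] = None  # omitted: any installed version satisfies the test

    def registry_key(self) -> str:
        """Key the guide's format implies: Software\\vendor\\package[\\version]."""
        parts = [SOFTWARE_ROOT, self.vendor, self.package]
        if self.version:
            parts.append(self.version)
        return "\\".join(parts)


def parse_required_apps(text: str) -> List[RequiredApp]:
    """Parse the text-box contents (carriage-return separated entries).

    Malformed lines raise instead of being skipped: a silently dropped
    entry would make the policy weaker than the administrator believes.
    """
    apps: List[RequiredApp] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # tolerate blank lines and a trailing newline
        parts = [p.strip() for p in line.split("\\")]
        if len(parts) not in (2, 3) or not all(parts):
            raise ValueError(
                f"line {lineno}: expected vendor\\package[\\version], got {raw!r}")
        apps.append(RequiredApp(*parts))
    return apps


def missing_apps(required: List[RequiredApp],
                 installed_keys: Set[str]) -> List[RequiredApp]:
    """Return required entries with no matching key in the snapshot.

    Registry key names are case-insensitive, so compare lower-cased.
    A snapshot may list only leaf keys (e.g. ...\\Package\\10.1), so an
    entry without a version also matches any subkey beneath its key.
    """
    have = {k.lower() for k in installed_keys}
    missing: List[RequiredApp] = []
    for app in required:
        key = app.registry_key().lower()
        present = key in have
        if not present and app.version is None:
            present = any(k.startswith(key + "\\") for k in have)
        if not present:
            missing.append(app)
    return missing


def endpoint_passes(required_text: str, installed_keys: Set[str]) -> bool:
    """The test fails if any required application is absent."""
    return not missing_apps(parse_required_apps(required_text), installed_keys)


# Constructed sample: the administrator's list and one endpoint's key snapshot.
REQUIRED_TEXT = "ExampleVendor\\ExampleAV\r\nOtherVendor\\Backup Client\\2.0\r\n"
ENDPOINT_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\ExampleVendor\ExampleAV\10.1",
    r"HKEY_LOCAL_MACHINE\Software\OtherVendor\Backup Client\1.5",
}

if __name__ == "__main__":
    # The versioned Backup Client entry is not met by 1.5, so the test fails.
    for app in missing_apps(parse_required_apps(REQUIRED_TEXT), ENDPOINT_KEYS):
        print("missing:", app.registry_key())
```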
Pop-up Windows
The NAC 800 reports capability uses a pop-up window. In order for you to run reports on NAC 800, you must allow pop-up windows from the NAC 800 server.
To allow pop-up windows in IE 6.0 with SP2:
IE browser>>Tools>>Pop-up blocker>>Pop-up blocker settings
...
Important Browser Settings
Clear the Block Popup Windows check box. Close the Content window.
Internet Explorer (IE) browser’s security settings. This change in settings displays an active content message (figure C-1), at the top of the browser window when you access the NAC 800 help feature. Figure C-1. Internet Explorer Security Warning Message To view the NAC 800 online help in IE: Click on the message box to display the options (figure C-2).
Active Content
IE browser>>Tools>>Internet Options>>Advanced tab
(Figure C-4. IE Internet Options, Advanced Tab)
In the Internet Options pop-up window, scroll down to the Security section. Select the Allow active content to run in files on my computer check box. Click OK.
Minimum Font Size
In order to properly display the NAC 800 user interface, do not specify a minimum font size.
To clear the IE minimum font size:
IE browser>>Tools>>Internet options>>General tab>>Accessibility button
Make sure all of the check boxes are cleared on this window.
Select the Allow pages to choose their own fonts, instead of my selections above check box. Click OK. Close the Content window.
Page Caching
To set the IE page caching options:
Internet Explorer browser>>Tools>>Internet Options
1. Select the General tab.
2. Click Settings.
3. In the Check for new versions of stored pages area, select the Automatically radio button.
4. Click OK.
5. In the Internet Options dialog box, click the Advanced tab.
Temporary Files
Periodically delete temporary files from your system to improve browser performance.
To delete temporary files in IE:
Internet Explorer>>Tools>>Internet Options>>General tab
1. Click Delete Files.
2. Select the Delete all offline content check box.
3. Click OK.
4. Click OK.
Firefox menu>>Preferences>>Privacy
1. In the Private Data area, click Settings. The Clear Private Data window appears.
2. Select the Cache check box.
3. Click OK.
4. Click Clear Now.
5. Close the Privacy window.
Installation and Configuration Check List
Chapter Contents
Minimum System Requirements D-2
Installation Location
Windows: Mozilla Firefox 1.5 or later; Mozilla 1.7; Internet Explorer 6.0
Linux: Mozilla Firefox 1.5 or later; Mozilla 1.7
Mac OS X: Mozilla Firefox 1.5 or later
License key: (cut and paste from the email you receive from ProCurve)
Installation Location
My office(s)
Server room(s)/Data center(s)
Test lab(s)
Production network(s)
I have access to the installation site(s)
I do not have access to the installation site(s)
Passwords NOTE: This Installation and Configuration Checklist is a list of the items used in NAC 800 including passwords; however, ProCurve recommends as a security best practice that you never write down passwords. Single-server Installation Required fields are indicated by a red asterisk (*).
_______________________________________________
MS server root password: __________________________________
MS Database password:* ____________________________________
NAC 800 user interface administrator account name: _________
NAC 800 user interface administrator account password: ______
SMTP server IP address: ____________________________________
Enforcement Server 1
Required fields are indicated by a red asterisk (*).
_______________________________________________
ES server root password: __________________________________
ES Database password:* _____________________________________
NAC 800 user interface administrator account name: _________
NAC 800 user interface administrator account password: ______
Enforcement Server 2
Required fields are indicated by a red asterisk (*). Create at least one ES.
Time zone: _______________________________________________
ES server root password: __________________________________
ES Database password: ____________________________________
NAC 800 user interface administrator account name: _________
NAC 800 user interface administrator account password: ______
Proxy Server
Required fields are indicated by a red asterisk (*). If you use a proxy server for Internet connections, these fields are required:...
Agentless Credentials
Required fields are indicated by a red asterisk (*).
The administrator credentials for endpoints on a domain. Set them globally for all clusters, or override them on a per-cluster basis.
All clusters:
Windows domain name: ____________________________
Administrator user ID: *______________________________...
Quarantine
Define quarantine methods and settings for all clusters, or on a per-cluster basis.
802.1X
Required fields are indicated by a red asterisk (*).
Quarantine subnets: ________________________________________
RADIUS server type (local or remote IAS): ____________________
Local RADIUS server type end-user authentication method:
Manual: ____________________________________________
Windows domain:...
Quarantine area 1 DHCP IP range: ___________________
Quarantine area 1 quarantined area gateway: *__________
Quarantine area 1 domain suffix: *_____________________
Quarantine area 1 corresponding non-quarantined subnets:
DHCP quarantine area 2:
Quarantine area 2 quarantined subnet: _________________
Quarantine area 2 DHCP IP range: ___________________
Quarantine area 2 quarantined area gateway: ___________...
Networks: __________________________________________
Windows domain controller: __________________________
Accessible services and endpoints for cluster 2:
Web sites: ___________________________________________
Hostnames: _________________________________________
IP addresses / ports: _________________________________
Networks: __________________________________________
Windows domain controller: __________________________
Accessible services and endpoints for cluster 3:
Web sites: ___________________________________________
Hostnames: _________________________________________
IP addresses / ports: _________________________________...
Notifications
Notifications are defined for all clusters or on a per-cluster basis.
All clusters
Send information to: _________________________________
SNMP server IP address: _____________________________
Email information sent from: __________________________
Cluster 1
Send information to: _________________________________
SNMP server IP address: _____________________________
Email information sent from: __________________________
Cluster 2
Send information to: _________________________________...
Test Exceptions
Exceptions are defined for all clusters or on a per-cluster basis.
All cluster endpoint testing exceptions (endpoints that are whitelisted or blacklisted):
MAC addresses: _____________________________________
IP addresses: ________________________________________
NetBIOS names: _____________________________________
Cluster 1 endpoint testing exceptions (endpoints that are whitelisted or blacklisted):
MAC addresses: _____________________________________...
Ports used in NAC 800
The following table provides information about ports used in NAC 800 (columns: Port, Parties, Description, Comments):
Ports used for testing endpoints:
Port: 88 (TCP), 89 (TCP)
Parties: Endpoint to ES
Description: When using agent-based testing, the endpoint must point (using a browser...
Comments: Not configurable
Ports used by the admin user browser:
Port: 443 (TCP)
Parties: Admin user browser to MS
Description: The administration user interface (as opposed to the end user access screens) uses port 443 on the MS for communication.
Comments: Not configurable
Parties: ...connector to syslog service on the ESs
Description: ...connector, the Infoblox server sends DHCP information to NAC 800 using syslog.
Comments: Configurable by making changes to both of the following: the Infoblox server; the syslog-ng.conf file on the MS
Port: 61616 (TCP)
Port: 389 (TCP), 1025 (TCP), 1026 (TCP), 3268 (TCP)
Description: ...and Domain Controller are behind NAC 800, you must specify ports 88, 135 to 159, 389, 1025, 1026, and 3268 as part of the address. If you do not specify a DHCP address, users are blocked.
Comments: Home window>>System configuration>>Accessible services
Ports used for accessible services and endpoints:
Port: Varies
Parties: ES to endpoint
Description: In order to grant access for quarantined endpoints to needed services, add entries to the Accessible services list.
Comments: Configure in the NAC 800 user interface: Home window>>System...
Installation Requirements
The following items are required as part of the installation of NAC 800 and are essential elements for recovery of an MS.
...
Rule updates must be applied to both the primary and standby MS (so they have the same version).
NAC 800 upgrades must be applied to both the primary and standby MS.
Regular backups need to be taken of the primary MS and stored in a safe location.
...
MS Disaster Recovery
Overview
1. Locate the most recent backup of the primary MS. See “Restoring from Backup” on page 15. This is the backup that you were instructed during initial installation to store in a safe place.
2. Copy the backed-up file of the primary MS to a Personal Computer (PC) with access to the standby MS.
An information exchange process that works in conjunction with clients and servers to perform tasks.
agentless credentials: When NAC 800 accesses and tests endpoints, it needs to know the administrator credentials for that endpoint. If your network uses a Windows domain controller and the connecting endpoint is a member of a configured domain, NAC 800 uses the information supplied to access and test the endpoint.
A list of devices or endpoints that are denied access to a system or are denied privileges. In NAC 800, endpoints and domains that are always quarantined.
CA/PKI: Certificate Authority/Public Key Infrastructure
cache: A location where information is stored so that it can be accessed quickly.
Glossary
client: A computer that requests services from another (server).
cluster: A logical grouping of ESs.
compliance: Meets defined standards or conditions.
CSR: Certificate Signing Request – A request sent by a system when applying for a public key certificate.
CTA: Cisco Trust Agent
DAC: Device Activity Capture –...
EAPOL: EAP over LANs
EDAC: Embedded Device Activity Capture – See DAC
endpoint: A computer requesting access to a network.
enforcement: In NAC 800, the process of upholding the access rules set in the NAC policies.
ES: Enforcement server
FQDN: Fully Qualified Domain Name – A domain name that uniquely identifies a host computer.
IE: Internet Explorer
IM: Instant Messaging
inline: An installation of NAC 800 where it is placed on the network and all traffic to be quarantined passes through NAC 800.
IP: Internet Protocol – A protocol by which data is sent from one computer to another on the Internet.
In NAC 800, load balancing distributes the testing of endpoints across all NAC 800 ESs in a cluster.
MAC: Media Access Control – The unique number that identifies a physical endpoint.
Packet InterNet Groper – A utility used to test the connection to a host.
post-connect: Post-connect in NAC 800 provides an interface where you can configure external systems, such as IDS/IPS, that request quarantining of an endpoint based on activity that occurs after the endpoint has connected to the network (post-connect).
RADIUS: Remote Authentication Dial-In User Service
RAM: Random access memory
RAS: Remote access server
RDAC: Remote Device Activity Capture
RDBMS: Relational Database Management System – Used to store information in related tables.
RPC: Remote procedure call – A procedure where arguments or parameters are sent to a program on a remote system.
TAR: Tape ARchive – A type of file that contains multiple files and directory structures.
TCP: Transmission Control Protocol
temporary access period: In NAC 800, a temporary period of time during which an end-user is allowed access.
TLS: Transport Layer Security...
whitelist: A list of devices or endpoints that are allowed access to a system or are allowed privileges. In NAC 800, endpoints and domains that are always allowed access.
Wi-Fi: Wireless Fidelity
WU: Windows Update
XML: eXtensible Markup Language...
Page 583
Index 5-26 end-user access Windows 2000 change NAC Policy to not run Windows automat- 15-8 ic update test 3-121 credentials 15-7 domain and end-user settings 3-54 domain settings, configure download and extract Zip file 12-3 download EXE file 5-18 Group policy 12-4 install 5-42...