Management and Configuration Guide HP ProCurve Secure Access 700wl Series www.hp.
HP PROCURVE SECURE ACCESS 700WL SERIES MANAGEMENT AND CONFIGURATION GUIDE
© Copyright 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard.
CONTENTS
Preface ix
Chapter 1 Introduction 1-1
  700wl Series Overview 1-1
  700wl Series Functions 1-3
    Client Authentication 1-3
    Client Access Rights 1-4
    Wireless Data Privacy and VPN Protocols 1-4
    Roaming Support 1-4
    Network Address Translation 1-5
    VLAN Tag Support 1-6
Chapter 2 Using the 700wl Series System 2-1
  Initial Configuration of the 700wl Series System 2-1
  Managing and Administering the 700wl Series System 2-2
    Centralized Administration 2-3
  Logging on to the Administrative Console 2-4
  C
Chapter 3 System Status 3-1
  Viewing Status Information 3-1
    Viewing Equipment Status 3-3
    Viewing Access Control Server Status 3-4
    Viewing Access Controller Status 3-5
    Viewing Access Controller Status Details 3-5
    Viewing Client Status 3-7
    Filtering Client Status Information 3-9
    Viewing Client Details 3-9
    Viewing Session Status 3-12
    Filtering Session Status Information 3-14
    Viewing License Information 3-15
Chapter 4 Configuring Rights 4-1
  Access Rights in the 700wl Series System 4-1
  The R
    Modifying the Outside World Filter to Restrict Access 4-82
    Setting Up HTTP Proxy Filters 4-83
Chapter 5 Configuring Authentication 5-1
  Authentication in the 700wl Series System 5-1
  The Rights Manager 5-4
  Authentication Policies 5-4
    Creating or Editing an Authentication Policy 5-6
  Configuring Authentication Services
    Configuring an LDAP Authentication Service
    Using the Active Directory LDAP Service
    Using a Netscape or iPlanet Directory Service
    Configuring the 802.
Chapter 6
    SSL Certificate 6-28
  Configuring Network Interfaces 6-34
    Configuring the Port Speed and Duplex Settings 6-34
    Port Subnet IP Address and Subnet Netmask 6-36
  Configuring SNMP 6-38
  Setting the Date and Time 6-40
  Setting Up Administrators 6-42
    Editing an Administrator’s Settings 6-44
    Editing Your Administrator Password 6-45
Chapter 7 Setting up Wireless Data Privacy 7-1
  Overview of Wireless Data Privacy 7-1
  Wireless Data Privacy Setup
    Global Wireless Data Privacy Configu
Chapter 8
Chapter 9
Appendix A Command Line Interface A-1
  Accessing the Command Line Interface A-2
    Connecting with a Serial Console A-2
    Connecting Using SSH A-2
    Using the CLI on an Integrated Access Manager A-2
  Command Syntax A-3
    Getting CLI Command Help A-3
  Administrator Access Control Commands A-4
  System Status and Information Commands A-6
  Network Configuration Commands A-9
  Port Configuration Commands A-12
    Access Controller Port Status Commands A-13
  Access Controller Configuration Adv
Appendix B
Appendix C
    Optional Elements C-5
  Logon Page Template — A More Advanced Example C-7
    Example 2 C-7
  Changing the Logon Button Names C-10
    Example 3 C-11
  Customizing the Logon Page Messages C-12
  Guest Registration Template C-13
    Example 4 C-14
  Using a Logoff Pop-Up with a Customized Logon Page C-16
    Example 5 C-17
  Redisplaying the Logon Page in a New Window C-18
  Customizing the Stop Page C-19
Appendix D Troubleshooting D-1
Appendix E Glossary E-1
Index of Commands IOC-1
Index IX-1
PREFACE
This preface describes the audience, use, and organization of the Management and Configuration Guide. It also outlines the document conventions, safety advisories, compliance information, related documentation, support information, and revision history.
Audience
The primary audience for this document is network administrators who want to enable their network users to communicate using the HP ProCurve system.
The following notices and icons are used to alert you to important information.
Table 2. Notices
  Notice Type         Icon    Alerts you to...
  Note                none    Helpful suggestions or information of special importance in certain situations.
  Caution             none    Risk of system functionality loss or data loss.
  Warning             (icon)  Risk of personal injury, system damage, or irrecoverable data loss.
Chapter 6–Configuring the Network: This chapter describes how to configure the 700wl Series system components so that they work with your enterprise network.
Chapter 7–Setting up Wireless Data Privacy: This chapter describes how to enforce security using IPSec, L2TP, and PPTP.
Chapter 8–System Maintenance: This chapter explains how to install new software, back up your system, and shut down and reboot.
Chapter 9–Logs: This chapter explains how to configure, examine, and use the 700wl Series system log.
Index of Commands The Index of Commands is an alphabetized list of the CLI commands with references to the pages where they are documented. Related Publications There are several other publications related to the 700wl Series that may be useful: • 700wl Series Software Release Notes provides the most up-to-date information on the current software release.
INTRODUCTION 1
This chapter provides a brief introduction to the 700wl Series system™ and its primary features. The topics covered in this chapter include:
  700wl Series Overview 1-1
  700wl Series Functions
Figure 1-1 illustrates a 700wl Series system topology that is configured with redundant Access Control Servers for failover.
Figure 1-1. 700wl Series topology (diagram labels: Access Control Server, Redundant Access Control Server, Internet, Access Controller, Guest, Employees, Untrusted User)
Access Controllers sit at or near the edge of the network, and enforce authentication and access policies.
Clients that are successfully authenticated, Employees in Figure 1-1, are typically associated with Access Policies that provide access to secure network resources. Clients that are not successfully authenticated, Untrusted Users, are typically associated with an Access Policy that allows only the ability to logon.
• RADIUS servers
• Kerberos services
• XML-RPC-based services
• The Rights Manager’s built-in database. This is the default authentication service. You can populate it with user names and passwords through the Rights Manager.
User Authentication is discussed in detail in Chapter 5, Configuring Authentication.
Client Access Rights
At any given time a certain set of rights is in effect for each client attached to an Access Controller.
Because the 700wl Series system identifies clients by MAC address, it is simple to detect when a device roams. A Linger Timeout determines the length of time a client has to complete a roam, that is, to appear at a new physical location after disappearing from the old physical location.
Addressing in the 700wl Series System in Chapter 2, and Chapter 4, Configuring Rights, include more extensive discussions of addressing considerations and NAT.
VLAN Tag Support
The HP System provides support for Virtual LAN (VLAN) tagging in several ways:
• A client can be matched to a Connection Profile based on the VLAN ID (802.1Q tag) associated with the client traffic.
USING THE 700WL SERIES SYSTEM 2
This chapter provides a brief introduction to using the 700wl Series system and its Administrative Console. It also provides an overview and discussion of a number of common tasks you may need to accomplish. The topics covered in this chapter include:
  Initial Configuration of the 700wl Series System 2-1
  Managing and Administering the 700wl Series System
• Primary and secondary DNS server addresses
• Shared secret, used to enable Access Controllers or a peer Access Control Server to establish a trusted communication relationship with the Access Control Server.
The 700wl Series system provides three levels of administrator access:
• A Network Administrator can configure the network parameters that enable the 700wl Series system to function in a network, such as configuring IP addressing, interface configuration, date and time settings, SNMP access, and performing software updates and backups. The network administrator can perform these functions for all system components that make up a 700wl Series system.
• Enable or disable Wireless Data Privacy protocols, configuring the address method and range for VPN tunneling, and configuring IPSec parameters
• Update the 700wl Series system software
• Back up a 700wl Series system component’s configuration, and restore the backup if needed
• Set up Connection Profiles that identify where and when clients connect to the 700wl Series system
• Set up Authentication Policies that determine how clients authenticate themselves to the
Note: It is strongly recommended that you change the built-in administrator logon name and password as soon as possible. You should also set the date and time for each 700wl Series system component (Access Control Server, Integrated Access Manager, and Access Controllers).
Changing the Built-In Administrator Username and Password
To change the built-in administrator name and password on a 700wl Series system unit do the following:
Step 1.
— Links within the page contents
— Related Topics links: these are presented at the top of the page, or they can be accessed from a Related Topics menu displayed using the Related Topics button
— Table of Contents and Index, accessed through the navigation panel at the left of the page. You can display the Table of Contents by clicking the Contents button
— You can also print the page you are viewing by clicking the print button
Using the Administrative Console
When you first logon to the Administrative Console, your browser displays the Equipment Status tab of the Status pages (Figure 2-3).
Figure 2-3. Initial Page of the Administrative Console (callouts: Header Bar, Navigation Bar, Tabs, Page Title, Sub-Tab, Left Panel, Main Panel)
The various pages of the Administrative Console have many elements in common, as well as elements specific to certain pages.
Figure 2-4. Header and Navigation Bars for an Access Control Server
Information at the right side of the Header bar shows the username of the logged in Administrator, the IP address of the Access Control Server, and the current date and time.
• If the IP address is labeled simply Access Control Server, this Access Control Server is functioning as the only Access Control Server in the 700wl Series system.
For details, refer to Chapter 4, Configuring Rights and Chapter 5, Configuring Authentication.
Network
The Network pages enable configuration of the 700wl Series system components to work with your enterprise network. Most pages in this area are available to Super Administrators and Network Administrators only. However, both Network Administrators and Policy Administrators can change their own passwords under this function.
Left Panel
The left panel contains explanatory or descriptive text about the page and its functions. It also contains controls for the features of the page, and navigation aids. The specific controls in the left panel depend on the function of the page.
Display Filters and Auto Refresh Settings
Some data, such as the contents of the log, can be very lengthy. To control the display of such information you can use filters to selectively display subsets of the total information.
Figure 2-8. Display Filters and Auto Refresh Settings
Display Filter Options
Select the desired filter values using the drop-down lists and click Apply Filters to refresh the display with data that matches the filter criteria.
Tables
In configure tables, each row in a table typically displays the key items that define the element represented by the table row. For example, rows in the Rights Assignment table show the Identity Profile, Connection Profile, and Access Policy that defines the Rights Assignment row. Configure tables, primarily those under the Rights tabs, provide the ability to edit the row definitions, add or delete rows, and edit or configure individual items within a row.
Figure 2-10. Data Tables
• Sortable Column Headings: In some tables you can sort the items in the table based on the table columns. Column headings that allow sorting appear as a link when the cursor is rolled over the column name, as shown in Figure 2-10. In some tables, such as the Log Files display, where there are multiple headings shown in a column, you can sort on each item in the column separately. This is the case with the example in Figure 2-10.
Common Buttons
The following table lists the common buttons used in the Administrative Console and gives their meaning.
Table 2-1. Administrative Console Buttons
  Button: Folder
  Function: This represents a user-defined folder for system components. Folders can be opened, revealing their contents, by clicking on the open folder button ( ). They can be closed by clicking on the close folder button ( ). This button appears in the System Components List.
Basic System Configuration Tasks
When you have completed the installation of your 700wl Series system following the instructions in the 700wl Series system Quick Start Guide or the 700wl Series system Installation and Getting Started Guide for the components in your system, there are still some basic configuration tasks you may need to perform.
• If you have not done so already, change your administrator logon username and password.
System Features and Concepts
The following sections provide an introduction to some of the key concepts and functions that are central to the 700wl Series system. Many of these concepts are discussed in more detail in the appropriate chapters later in this Guide. However, some of the discussions below do require an understanding of other concepts such as how Access Rights are defined and administered in the 700wl Series system.
Figure 2-12. Access Controller Redirect Page
Enterprise Class Redundancy
The 700wl Series system supports Access Control Server redundancy and failover. Access Control Server failover provides high availability operation for clients in case of system outages, network failures, or other disruptions.
The communication between the two peer Access Control Servers is done via a proprietary message-based protocol over TCP/IP. Upon restart, an Access Controller attempts to communicate with the primary Access Control Server. If that fails, the Access Controller attempts to communicate with the secondary Access Control Server.
or has some other configuration information you would prefer not to lose. The act of making it a secondary Access Control Server in an active redundant peer relationship will cause its configuration to be overwritten by the Primary Access Control Server configuration. This situation can be avoided by backing up the configuration of the peer Access Control Server, and double-checking your peer configuration before enabling redundancy.
If a client is logged onto the 700wl Series system using PPTP or IPSec encryption, overhead related to packet encryption can reduce the actual throughput experienced relative to the specified throughput. If encrypted traffic is tunneled between Access Managers due to client roaming, throughput may be further affected. When a client roams between Access Managers, existing client sessions are tunneled through the new Access Manager back to the original Access Manager.
You specify the addressing mode for a client through the Access Policy. The 700wl Series system default is NAT mode. If PPTP or L2TP is enabled in the Access Policy, then the NAT setting only affects how the inner tunnel address is assigned. The outer tunnel address is always NAT’ed. See the discussion in NAT and VPN Tunneling on page 2-23 for a more detailed explanation of how this is handled.
Controller. If the client is using a real IP address, all sessions must be tunneled back through the original Access Controller.
• NAT provides some amount of protection to a client since no device other than the Access Controller can talk directly to the client. This provides rudimentary firewall protection.
• Allowing NAT can ensure that a client will be able to successfully communicate with the network.
How the 700wl Series system handles roamed sessions depends on the protocol used by the client to connect to the 700wl Series system, and whether the client’s IP address has been mapped using NAT or not.
• When a NAT’ed client roams between Access Controllers (rather than simply between ports on a single Access Controller) the Access Control Server can move the entire connection state from the original Access Controller to the “roamed-to” Access Controller.
Figure 2-13. Connection Profile for Traffic Tagged with VLAN 10
You can then define an Access Policy that should apply to these clients and create a new row in the Rights table that associates the Access Policy with the VLAN-specific Connection Profile. For the purpose of this example, assume that the client matches the “Authenticated” Identity Profile, meaning it has been successfully authenticated with no other Identity Profile information provided.
In this case, Authenticated clients with a VLAN 20 tag will match the first row in the table, and will receive access rights based on the Access Policy created for members of that VLAN. Authenticated clients in VLAN 10 will not match the first row, but will match the second row, and receive access rights accordingly. Authenticated clients that do not use either of these VLAN tags will fall through to the third row and get the default set of rights for Authenticated users.
• Create a variation of the default “Unauthenticated” Access Policy that includes the same access rights (which basically only allow a client to request authentication) but set the NAT option to When Necessary and the addressing option to Require DHCP. In the example, this is named “UnauthenticatedRealIP”.
• Make sure that the Access Policies you define for clients matching your target VLANs have the NAT option set to When Necessary and the addressing option to Require DHCP.
One way to work with this limitation is to place a switch between the Access Points and the Access Controller, with a separate connection between the switch and the Access Controller for each VLAN. The switch can use the SSID to determine the port to use to send traffic to the Access Controller, ensuring that traffic for each VLAN gets sent to the correct Access Controller port and each client receives an IP address in the correct address range.
SYSTEM STATUS 3
This chapter explains how to view the system status tables of the 700wl Series system. You can view the status of any and all system equipment (Access Controllers and Access Control Servers), clients (users, identified either by username and password or by MAC address), and sessions. You can view all the status information from one central location. The topics covered in this chapter are:
  Viewing Status Information
Figure 3-1. Getting to Status Information
There are four tabs in the status module:
• Equipment Status presents an overview of the status of the Access Control Servers and Access Controllers. From this page you can view a more detailed status for each Access Controller.
• Client Status presents a list of clients currently connected to the 700wl Series system through the connected Access Controllers.
If a display has more entries than will fit on one page (based on the Rows per Page filter setting), page navigation controls are enabled to let you navigate between the results pages. In the Client Status and Session Status views, you can sort the display by the data in any column. The headings of sortable columns are actually links, and clicking the link sorts the column. Click the heading once to sort in ascending order, then click a second time to reverse the sort order.
Viewing Access Control Server Status
The Access Control Server status table, as shown in Figure 3-3, shows the following information:
Table 3-1. Access Control Server status
  Row: (Primary/Secondary) Access Control Server
  Description: Status of the Access Control Server whose Administrative Console you are currently logged into.
Figure 3-3. Access Control Server Tab for the Primary Access Control Server in a redundant configuration
Viewing Access Controller Status
The Access Controller status table displays the following information about each Access Controller:
Table 3-2. Active Access Controllers Display
  Column: Component Name
  Description: The name assigned to the Access Controller, see “Configuring Access Controllers” on page 6-10.
Figure 3-4. Access Controller Detail Page
The Access Controller Detail page shows general status information for the Access Controller at the top of the page. Below this is a System Inventory tab that shows the status for each port on the Access Controller, grouped by slot.
Table 3-3. Access Controller Detail Page: System Inventory Display
  Column: Equipment
  Description: The name of the Access Controller. By default, the IP address appears as the name if the name has not been changed.
Table 3-3. Access Controller Detail Page: System Inventory Display
  Column: Status
  Description: This column shows:
    • The MAC address of the port
    • The speed and duplex setting for the port, with the actual speed and duplex shown in parentheses. If the port is not connected the actual setting will be “none.”
    • The status of the connection (active or no carrier).
To refresh the data on the Access Controller Detail page, click Refresh.
» To display the client status, select the Access Controller and client type filtering parameters from the left panel and click Apply Filters. The display is updated to show the clients per your filter settings.
You can view full client information only on a single Access Controller at a time. The All Access Controllers option shows a subset of the client information. See “Filtering Client Status Information” on page 3-9 for more information.
Filtering Client Status Information
To make it easier to find the information you need from a client status page, you can filter the display to show only a subset of the entries.
» To filter a display, select the filtering parameters from the filter drop down lists in the left panel of the status page and click Apply Filters. This refreshes the display with the status results based on the filtering parameters you have set.
Figure 3-6. Client Detail Page
The following information is displayed on this page:
Table 3-6. Active Client detail information
  User: The descriptive name of the user, if known.
  Username: The username (logon name) of the user or the MAC address, if the user is identified by MAC address.
  MAC Address: The MAC address (hardware ID) of the client.
  Machine Name: The name of the machine, if known.
  IP Address: The IP address assigned to the client.
Table 3-6. Active Client detail information
  Current Access Controller: Information about the Access Controller through which the user is connected:
    • Name of the Access Controller (by default the same as the IP address).
    • IP address of the Access Controller.
    • Slot and port through which the user is connected (or the port only if the unit does not provide multiple slots).
  IP Security: The type of IP Security in place.
Figure 3-7. Client Detail page showing current rights in XML
The Client Detail User Rights display shows the row in the Rights Table that this client matched, including the Identity Profile, Connection Profile and Access Policy associated with the client. The rest of the display shows the client’s rights as defined in XML.
Viewing Session Status
Viewing session status provides information on a client’s open sessions and network traffic.
The View Active Sessions page appears, as shown in Figure 3-8.
Figure 3-8. Session Status Page
» To filter the session data, select the desired filters and click Apply Filters.
» To set an auto refresh interval, select the desired interval from the drop down list and click Apply Filters.
» To set the number of rows to display per page, select the desired number from the drop down list and click Apply Filters.
Table 3-7. View Active Sessions Information
  Client Source: The IP address and port of the client system, as placed in the packet header by the client.
  Actual Source: For a client in NAT mode, the IP address and port of the Access Controller, as re-written after translation. If the address is shown in dark blue bold, the session has been tunneled from another Access Controller due to roaming.
Table 3-8. Session Status Filtering Parameters
  Access Controllers: Lets you display only sessions for a selected Access Controller. You select the Access Controller from the drop-down list. Default is the first Access Controller in the list.
  Port: Lets you display only sessions for a selected port or for all ports of the selected Access Controller. You select the port from the drop-down list. Default is All Ports.
Figure 3-9.
CONFIGURING RIGHTS 4
This chapter describes how network access rights are assigned to clients through the 700wl Series system, and explains how to configure access control policies. The topics covered in this chapter include:
  Access Rights in the 700wl Series System 4-1
  The Rights Manager
Time Window in which the connection exists, and optionally, a VLAN tag, to match the client to a Connection Profile. The combination of the Identity Profile and Connection Profile determines the Access Policy that is used to enforce access rights (the ability to pass traffic into the network) for the client. Access rights are implemented in the 700wl Series system through the Rights Assignment Table.
The network administrator configures network access control policies by defining Identity Profiles, Connection Profiles and Access Policies, or by modifying existing profiles and policies.
• An Identity Profile is associated with a set of one or more individual users and devices, and a user may belong to more than one Identity Profile.
• An Access Policy defines aspects of how a client interacts with the network. The Access Policy defines what traffic is allowed to be passed into the network, and what traffic will be redirected to alternate destinations. It can include HTTP proxy filters that specify what web sites are accessible or restricted. It also defines how IP addressing is handled, and what type of encryption should be used, if any.
the Client Status tab under the Status button, and click Refresh User Rights Now. You can also refresh rights for individual clients, if appropriate.
Configuring Access Rights–An Overview
To configure rights in the 700wl Series system, you first need to decide how you want to control access to the resources on your network.
Step 1. Create Identity Profiles to define who should have access to network resources.
Connection Profiles once the Access Controllers have been installed and the appropriate Locations have been created.
b. Create Time Windows that specify hours of the day, days of the week, and so on, to allow or restrict access during specified times.
Series system is matched to a row in the table based on its Identity Profile and Connection Profile, and receives access rights as specified by the Access Policy for that row. The 700wl Series system looks for a matching row starting at the top of the table, and stops at the first match. Thus, the order of rows in the table is important. In a newly-installed system (or after a Factory Reset) the Rights Assignment Table will have only four rows, as shown in Figure 4-1.
Figure 4-2.
the new identification information. The user will now match one of the Identity Profiles near the top of the table. For example:
• Suppose the client initially matches row 5 (Identity Profile “Any” and Connection Profile “Accounting”) and his logon information is sent to an external authentication service such as an LDAP server. That service returns the group affiliation “Accounting” as part of the successful authentication.
Note: It is important that rows with the “Access Points” Identity Profile appear in the table before rows that contain the “Any” Identity Profile. Otherwise, the MAC address would match “Any” first, and would never get to the row with the “Access Points” Identity Profile.
Modifying the Rights Assignment Table
You can add new rows to the Rights Assignment Table, delete rows from it, or modify the rows in the table.
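The first-match rule described above (the table is searched from the top and the first row whose Identity Profile and Connection Profile both match wins) is what makes row order matter, both for the VLAN rows in the Chapter 2 example and for the "Access Points" note here. The following is an added example, not code from the HP guide or the 700wl software: a small evaluator for a Rights Assignment Table, plus a check that reports rows an earlier row makes unreachable. The Row and Client models, the profile names ("VLAN 20 Clients", "Access Point Policy", and so on) and both sample tables are constructed for the example.

```python
"""Added example, not code from the HP guide: a first-match evaluator for a
Rights Assignment Table as the text describes it (top row first, stop at
the first match), plus a check for rows that can never match because an
earlier row already matches every client they would. Profile names, the
Client model and the sample tables are constructed for this example."""
from dataclasses import dataclass
from typing import List, Optional, Set

ANY = "Any"  # the built-in profile that matches every client or connection


@dataclass(frozen=True)
class Row:
    identity: str    # Identity Profile name, or ANY
    connection: str  # Connection Profile name, or ANY
    policy: str      # Access Policy applied when this row matches


@dataclass
class Client:
    identities: Set[str]       # Identity Profiles the client currently matches
    connection: Optional[str]  # Connection Profile its connection matched, if any


def row_matches(row: Row, client: Client) -> bool:
    id_ok = row.identity == ANY or row.identity in client.identities
    conn_ok = row.connection == ANY or row.connection == client.connection
    return id_ok and conn_ok


def resolve_policy(table: List[Row], client: Client) -> Optional[str]:
    """Walk the table from the top and return the first matching row's policy."""
    for row in table:
        if row_matches(row, client):
            return row.policy
    return None  # cannot happen while the table ends with an Any/Any row


def shadowed_rows(table: List[Row]) -> List[Row]:
    """Rows an earlier row makes unreachable: the earlier row's Identity
    Profile is ANY or identical, and its Connection Profile is ANY or
    identical. This is the situation the guide's note warns about when an
    "Access Points" row sits below an "Any" row."""
    found = []
    for i, later in enumerate(table):
        for earlier in table[:i]:
            id_super = earlier.identity in (ANY, later.identity)
            conn_super = earlier.connection in (ANY, later.connection)
            if id_super and conn_super:
                found.append(later)
                break
    return found


# Constructed table following the guide's VLAN example: VLAN-specific rows
# above the general "Authenticated" row, and "Access Points" above "Any".
GOOD_TABLE = [
    Row("Access Points", ANY, "Access Point Policy"),
    Row("Authenticated", "VLAN 20 Clients", "VLAN 20 Policy"),
    Row("Authenticated", "VLAN 10 Clients", "VLAN 10 Policy"),
    Row("Authenticated", ANY, "Authenticated"),
    Row(ANY, ANY, "Unauthenticated"),
]

# Constructed mis-ordered table: the "Access Points" row is never reached.
BAD_TABLE = [
    Row(ANY, ANY, "Unauthenticated"),
    Row("Access Points", ANY, "Access Point Policy"),
]

if __name__ == "__main__":
    vlan10 = Client({"Authenticated"}, "VLAN 10 Clients")
    print(resolve_policy(GOOD_TABLE, vlan10))             # VLAN 10 Policy
    ap = Client({"Access Points"}, None)
    print(resolve_policy(BAD_TABLE, ap))                  # Unauthenticated
    print([r.policy for r in shadowed_rows(BAD_TABLE)])   # ['Access Point Policy']
```

Running `shadowed_rows` over a table before saving it is a cheap way to catch the ordering mistake the note describes: an access point's MAC address matching "Any" first and never reaching its intended row.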
Figure 4-3. The New Rights Assignment Page
Each field on this page contains a drop-down list from which you can select the components of a row in the Rights Assignment table, as defined in Table 4-1:
Table 4-1. New/Edit Rights Assignment Page Field Definitions
  Field: Identity Profile
  Description: A drop-down list of all Identity Profiles currently defined in the system. Pull down the list to select a profile.
Step 2. Specify where in the table the new row should be placed. Order is important in matching a client to a row. The default position is to place the row at the top of the table.
Step 3. When you have made your selections, click Save to add this row to the table. Cancel returns you to the previous page without saving any changes.
Figure 4-4. The Identity Profiles Page
The 700wl Series system provides three predefined Identity Profiles, and a Rights Administrator can create additional ones. The predefined Identity Profiles can be considered default or implicit profiles, as users will match them automatically based on certain criteria.
Creating or Editing an Identity Profile
To create a new Identity Profile, click the New Identity Profile... button at the bottom of the Identity Profile list. The New Identity Profile page appears, as shown in Figure 4-5, with an empty Name field. To edit an Identity Profile, click the Pencil icon at the end of the row.
Figure 4-6. Creating a New Identity Profile, with User list displayed
From this page, with the Users or Network Equipment list displayed, you can also add a new user or equipment item, or edit a user or equipment item. See “Users in the Built-In Database” on page 4-16 and “Network Equipment in the Built-in Database” on page 4-20 for details on these functions.
To create a new Identity Profile:
Step 1. Enter a name for the Identity Profile in the Name field.
-
Configuring Rights Limiting the number of logons per user does not prevent a user from logging on with that username and password—rather it prevents that user from matching this Identity Profile and thus getting rights based on matching this Identity Profile in the Rights Table. It is possible that the user could still get a set of rights based on matching a different Identity Profile.
-
Users in the Built-In Database

Many organizations choose to authenticate their wireless users against a corporate database or authentication service. However, if you do not plan to use such a service, you can add users to the database built into the 700wl Series system and use that for authentication. The built-in database can have other uses as well. If you want to pre-register Guest users, you can do so by adding them to the built-in database.

Table 4-2. Users Page Field Definitions
Identity Profile Assignment: The Identity Profile to which the user has been assigned, if any. If no Identity Profile has been assigned, the user will automatically match either the "Authenticated" profile (if the user has been authenticated) or the "Any" profile (if the user has not been authenticated, having not yet completed the logon process, or having bypassed authentication as a MAC address user).

Figure 4-8. Adding a New User

The fields on this page are as follows:

Table 4-3. New User Fields
Name: A descriptive name that identifies the user in the 700wl Series system's Administrative Console. This is the name that appears in the Client Status display, among others. It can be the user's full name or any other meaningful name. This name may have up to 32 characters. Any 7-bit characters are allowed.

Table 4-3. New User Fields (Continued)
Username/MAC Address: The user's username (logon ID) or MAC address. A user may be identified by one or the other, not both. A username may have up to 50 characters. Any 7-bit characters are allowed. A MAC address can be entered with colons (:) or dashes (-) separating the tuples, or without any separation. Thus, 00:01:a2:b3:4c:d5, 00-01-a2-b3-4c-d5, and 0001a2b34cd5 are all valid formats for a MAC address.

Step 2. Select the Identity Profile to which this user should be assigned by clicking the appropriate checkbox in the Identity Profiles table. As a rule, you would assign a user to only one Identity Profile, since the search for a match always stops at the first match found.
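The first-match behaviour of the Rights Assignment Table, and the three MAC address formats accepted above, as an added illustration that is not HP's code: a small model of the built-in database and the table lookup. The Access Policy names "Network Equipment" and "Unauthenticated", the equipment entry and the clients are constructed for the example; it also reproduces the ordering mistake the earlier note warns about (an "Any" row placed above the "Access Points" row).

```python
"""Model of the 700wl Rights Assignment Table lookup (added illustration,
not HP code): the first matching row wins, so row order decides the outcome."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Predefined (implicit) Identity Profiles named in the manual.
ANY = "Any"
AUTHENTICATED = "Authenticated"


def normalize_mac(mac: str) -> str:
    """Accept the three formats the manual lists (colons, dashes, or none)."""
    digits = re.sub(r"[:-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class Client:
    mac: str
    username: Optional[str] = None   # known once the logon completed
    authenticated: bool = False


@dataclass
class BuiltInDatabase:
    """Users and Network Equipment entries, each assigned to one Identity Profile."""
    by_mac: dict = field(default_factory=dict)        # normalized MAC -> profile
    by_username: dict = field(default_factory=dict)   # username -> profile

    def add_equipment(self, mac: str, profile: str) -> None:
        self.by_mac[normalize_mac(mac)] = profile

    def add_user(self, identifier: str, profile: str) -> None:
        """A user is identified by a username or a MAC address, not both."""
        try:
            self.by_mac[normalize_mac(identifier)] = profile
        except ValueError:
            self.by_username[identifier] = profile


def identity_matches(profile: str, client: Client, db: BuiltInDatabase) -> bool:
    """Does the client match this Identity Profile? "Any" and "Authenticated"
    are implicit; every other profile needs an explicit database assignment."""
    if profile == ANY:
        return True
    if profile == AUTHENTICATED:
        return client.authenticated
    explicit = db.by_mac.get(normalize_mac(client.mac))
    if explicit is None and client.username:
        explicit = db.by_username.get(client.username)
    return explicit == profile


@dataclass
class Row:
    identity_profile: str
    connection_profile: str   # "Any" or a named Connection Profile
    access_policy: str


def assign_rights(rows, client: Client, connection_profile: str,
                  db: BuiltInDatabase) -> Optional[str]:
    """Walk the table top to bottom; the first row that matches decides."""
    for row in rows:
        if row.connection_profile not in (ANY, connection_profile):
            continue
        if identity_matches(row.identity_profile, client, db):
            return row.access_policy
    return None


def demo() -> dict:
    db = BuiltInDatabase()
    db.add_equipment("00-01-A2-B3-4C-D5", "Access Points")   # constructed entry
    ap = Client(mac="0001a2b34cd5")                            # the AP, never logs on
    alice = Client(mac="00:11:22:33:44:55", username="alice", authenticated=True)
    good = [Row("Access Points", ANY, "Network Equipment"),   # constructed policy names
            Row(AUTHENTICATED, ANY, "Authenticated"),
            Row(ANY, ANY, "Unauthenticated")]
    bad = [good[2], good[0], good[1]]   # "Any" row on top: the ordering mistake
    return {
        "ap_good_order": assign_rights(good, ap, "Any", db),   # "Network Equipment"
        "ap_bad_order": assign_rights(bad, ap, "Any", db),     # "Unauthenticated"
        "alice": assign_rights(good, alice, "Any", db),        # "Authenticated"
    }
```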
correctly in the system; however, if you want to manage these devices from within the 700wl Series system, you may want to assign them a specific set of access rights. You can add these devices to the built-in database and assign them to an Identity Profile so that they can get rights assigned through the Rights Assignment Table.

To view the list of network equipment currently defined in the built-in database, click the Network Equipment link from the main Identity Profiles page.

From the Network Equipment page you can also go directly to the Identity Profiles page or to the Users page by clicking the link near the top of the left-hand column, just below the page name.

Creating or Editing an Equipment Entry

To create a new network equipment entry, click New Network Equipment... at the bottom of the Network Equipment list. The New Network Equipment page appears, as shown in Figure 4-8, with empty fields and no Identity Profile selected.

The fields on this page are as follows:

Table 4-5. New Network Equipment Fields
Name: A descriptive name for the device. This name may be up to 32 characters in length. Any 7-bit characters are allowed.
MAC Address: The MAC address of the network device. A MAC address can be entered with colons (:) or dashes (-) separating the tuples, or without any separation. Thus, 00:01:a2:b3:4c:d5, 00-01-a2-b3-4c-d5, and 0001a2b34cd5 are all valid formats for a MAC address.

To edit a Network Equipment entry in the built-in database, do the following:
• Edit the fields to change the descriptive name or the MAC address.
• To change the Identity Profile to which the equipment is assigned, remove the check from the old Identity Profile and check the checkbox for the new Identity Profile to which this equipment should be assigned.
• When you have finished, click Save. This replaces the original equipment entry with the modified information.

an individual record for the MAC address. For example, suppose the record identified by cn=MACS contained the following values for uniqueMember:

    uniqueMember: cn=000122034a5b, o=XYZCorp, c=us
    uniqueMember: cn=01234567891a, o=XYZCorp, c=us
    uniqueMember: cn=22314a6721b7, o=XYZCorp, c=us

The value of cn will be taken as the actual MAC address, and added to the built-in database.
Note: If you have an LDAP service configured for user binding, that service does not appear in this list.
• To configure or change the settings for MAC address retrieval, click the configuration icon at the end of the row. You must configure the service for MAC address retrieval before you can enable it for retrieval.
• To select an LDAP service to use as the source of MAC address users, click the checkbox next to the service name.

Figure 4-12. Configuring MAC Address Retrieval Parameters for an LDAP Service

The fields on this page are as follows:

Table 4-6. MAC Address Retrieval Parameters
Authentication Service: The name of the LDAP service being configured.
Identity Search String: The search string that specifies the record in the database that contains the set of MAC addresses.

Identity Profile membership information can be associated with a MAC address in one of two ways:
• If each MAC address has its own record in the database, its group identity information may be kept as an attribute in the record. The Rights Manager can then search for each MAC address record using the search string returned in the initial search, and retrieve the group identity information from the appropriate attribute.

This means that the Rights Manager will use the search string found in the initial search (for example, the value returned from the uniqueMember attribute in the MACS record) to search for the individual MAC address record.
Step 2. Type mymember in the field labeled Identity Information Attribute. The Rights Manager will look for instances of the attribute mymember, and take the values as group names.
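The two-stage retrieval described above (the MACS record's uniqueMember values name one record per MAC address, whose mymember attribute carries the group names), as an added illustration that is not HP's code and does not talk to a real directory. The directory content is constructed LDIF text: the three uniqueMember values are the ones shown earlier, while the per-MAC records and their mymember values are made up; a record without the identity attribute still yields the MAC, just with no group names.

```python
"""Illustration (not HP code) of MAC address retrieval from an LDAP
directory: the Identity Search String locates a record whose member
attribute lists one DN per MAC address, the cn of each DN is the MAC, and
the Identity Information Attribute of the MAC's own record gives its groups."""
import re
from typing import Dict, List

# Constructed directory content (LDIF). The MACS members are the ones the
# manual shows; the individual MAC records and mymember values are made up.
LDIF = """\
dn: cn=MACS, o=XYZCorp, c=us
objectClass: groupOfUniqueNames
uniqueMember: cn=000122034a5b, o=XYZCorp, c=us
uniqueMember: cn=01234567891a, o=XYZCorp, c=us
uniqueMember: cn=22314a6721b7, o=XYZCorp, c=us

dn: cn=000122034a5b, o=XYZCorp, c=us
mymember: Access Points

dn: cn=01234567891a, o=XYZCorp, c=us
mymember: Access Points
mymember: Printers

dn: cn=22314a6721b7, o=XYZCorp, c=us
description: this record carries no identity attribute
"""


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    multi-valued attributes kept in order. Keys are DNs, lower-cased."""
    directory: Dict[str, Dict[str, List[str]]] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs: Dict[str, List[str]] = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        dn = attrs.pop("dn")[0]
        directory[dn.lower()] = attrs
    return directory


def mac_from_dn(dn: str) -> str:
    """The cn value of each member DN is taken as the MAC address."""
    match = re.match(r"\s*cn=([^,]+)", dn, re.IGNORECASE)
    if not match:
        raise ValueError(f"DN has no leading cn: {dn!r}")
    mac = re.sub(r"[:-]", "", match.group(1)).strip().lower()
    if not re.fullmatch(r"[0-9a-f]{12}", mac):
        raise ValueError(f"cn is not a MAC address: {match.group(1)!r}")
    return mac


def retrieve_mac_users(directory: Dict[str, Dict[str, List[str]]],
                       identity_search_dn: str,
                       member_attr: str = "uniqueMember",
                       identity_attr: str = "mymember") -> Dict[str, List[str]]:
    """Return {mac: [group names]} for every member of the MACS record.
    A MAC whose own record lacks the identity attribute, or has no record
    at all, is still returned, with an empty group list."""
    record = directory.get(identity_search_dn.lower(), {})
    result: Dict[str, List[str]] = {}
    for member_dn in record.get(member_attr.lower(), []):
        mac = mac_from_dn(member_dn)
        own_record = directory.get(member_dn.lower(), {})
        result[mac] = list(own_record.get(identity_attr.lower(), []))
    return result


def demo() -> Dict[str, List[str]]:
    return retrieve_mac_users(parse_ldif(LDIF), "cn=MACS, o=XYZCorp, c=us")
```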
The Connection Profile is used in the Rights Assignment Table, in concert with the Identity Profile, to determine a client's access rights. If the client is unknown (i.e., has not been authenticated and does not match a known MAC address in the built-in database), the Connection Profile determines how to authenticate the client. This can include specification of a custom logon page as well as defining the Authentication Policy to use for authentication.

• To edit a Connection Profile, click the Connection Profile name in the first column of the table, or click the pencil icon at the end of the row. This takes you directly to the Edit Connection Profile page (see "Creating or Editing a Connection Profile" on page 4-31).
• To delete a Connection Profile, click the trash can icon at the end of the row.
Note: You cannot delete a Connection Profile that is in use; an error message will inform you if this is the case.

Figure 4-14. Creating a New Connection Profile, the Settings Tab

To create or edit a Connection Profile, do the following:
Step 1. Type a name for a new Connection Profile. You can change the name of an existing Connection Profile by typing a new name.
Step 2. On the Settings tab, select or enter data into the fields as described in Table 4-9 below.

The fields under the Settings tab are as follows:

Table 4-9. New Connection Profile Settings Tab Contents

Table 4-9. New Connection Profile Settings Tab Contents (Continued)
VLAN Identifier: How an 802.

The Locations tab shows a list of the currently defined Locations. The columns in this list are as follows:

Table 4-10. Locations Tab Column Definitions
Name: The descriptive name for the Location.
Details: The definition of the Access Controllers and ports included in the Location.

• To select all Locations in the list, select the checkbox next to the Locations column heading.

• To select all Time Windows in the list, select the checkbox next to the Locations column heading. Clicking this checkbox a second time removes the checks from all Time Windows in the list.
• To remove a Time Window from the profile, click its checkbox to remove the check.
Step 5. Click Save to save this Connection Profile. If you are editing a Connection Profile, this replaces the original Connection Profile with the modified Connection Profile definition.

• To delete a Location, click the trash can icon at the end of the row.
• To create a new Location, click the New Location... button at the bottom of the Locations list. This takes you to the New Location page (see "Creating or Editing a Location").

From this page you can also go directly to the Connection Profiles or Time Windows pages using the links directly under the page name in the left-hand panel of the page.
Time Windows

A Time Window is a specification of a period of time, defined by specific dates or date ranges, days of the week, and hours of the day. Time Windows may be used to limit when a Connection Profile is available as a valid match for a client.

Creating or Editing a Time Window

To create a new Time Window, click New Time Window... at the bottom of the Time Window list. The New Time Window page appears, as shown in Figure 4-18, with a blank name field and default time settings. The Edit Time Window page is almost identical to the New Time Window page, except that the name and port selections are displayed for the Time Window you have selected, and a Save As Copy button is available.

Figure 4-20.

Table 4-14. New Time Window Settings
Valid Days: Specify a Time Window by days of the week:
• The default is Any day.
• To specify particular days, click the Selected days radio button, then check the individual days of the week you want to include.
Valid Times:

Figure 4-21. The Access Policies Page

The 700wl Series system provides five predefined Access Policies, and a Rights Administrator can create additional ones. The predefined Access Policies are:
• Authenticated: This defines a default set of rights for users that have been successfully authenticated.
• Guest Access: This defines a default set of rights for users that have logged on using the "Logon as a Guest" feature.

Table 4-15. Access Policies Table Contents
Allowed Traffic | Grid: A list of the Allowed Traffic Filters selected for the Access Policy. Click Grid in the column heading to display all Access Policies and Allowed Traffic Filters in a grid format. See "The Allowed Traffic Filters Grid" below for an explanation of that display format. See "Creating or Editing an Allowed Traffic Filter" on page 4-64 for information about defining Allowed Traffic Filters.

Figure 4-22. Access Policies and Allowed Traffic Filters in a Grid Format

Each row represents an Access Policy. The Allowed Traffic Filters are shown in columns. Filters that are enabled for the Access Policy are represented by checks in the appropriate column checkbox. This format makes it easy to compare which filters are enabled for different Access Policies.

• To edit an Access Policy, click the Access Policy name.

Figure 4-23. Access Policies and Redirected Traffic Filters in a Grid Format

Each row represents an Access Policy. The Redirected Traffic Filters are shown in columns. Filters that are enabled for the Access Policy are represented by checks in the appropriate column checkbox. This format makes it easy to compare which filters are enabled for different Access Policies.

Figure 4-24. Creating a New Access Policy, the Settings Tab

To create or edit an Access Policy, do the following:
Step 1. Type a name for the policy in the Name field. You can change the name of an existing Access Policy by typing a new name.
Step 2. Select settings or enter data on each of the tabs as appropriate. See the sections below for a detailed discussion of each tab.
Step 3. Click Save to save this Access Policy.

To add the modified Access Policy as a new Access Policy, leaving the original Access Policy unchanged, click Save As Copy. The Save As Copy button is available only on the Edit Access Policy page. After a Save As Copy the page remains displayed so you can make additional changes. Click Cancel to return to the previous page without making any further changes.
Note: To have your changes affect currently connected clients, you must go to the Client Status page and refresh user rights.

Table 4-16. New Access Policy Settings Tab Contents
VLAN Identifier: How a VLAN Identifier (tag) should be handled:
• Select Remove any pre-existing tag to remove the VLAN tag (if any) associated with client packets, resulting in untagged traffic being forwarded onto the network. This is the default.
• Select Use client tag to preserve the VLAN tag (if any) associated with client packets when forwarding traffic onto the network.

Table 4-16. New Access Policy Settings Tab Contents (Continued)
Key Length (PPTP only): For PPTP, the minimum MPPE (RC4) session key length:
• Select 40 bits to allow a 40-bit or 128-bit key. This is the default.
• Select 128 bits to allow a 128-bit key only.
• Select no encryption to disable MPPE encryption.
Authentication Method:

address is valid if it falls within that address range. If the address does not fall within the port's address range, NAT is used, even if the address is within the Access Controller's subnet.
- If there is no range assigned for the port, then the client's IP address is valid if it falls within the Access Controller's subnet. NAT is used only if it is not within that subnet.
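The address check just described, as an added illustration that is not HP's code: whether a client keeps its own IP address or is NATed depends on a port address range when one is assigned, and on the Access Controller's subnet only when none is. The subnet, the port range and the client addresses below are constructed values; the second case is the one that surprises people, a client inside the subnet but outside the port's range, which is still NATed.

```python
"""Added illustration (not HP code) of the NAT decision for a client address."""
import ipaddress
from typing import Dict, Optional, Tuple


def needs_nat(client_ip: str, ac_subnet: str,
              port_range: Optional[Tuple[str, str]] = None) -> bool:
    """True when the client's address is not valid on the network and NAT is
    used. port_range is the inclusive (first, last) range assigned to the
    port, or None when the port has no range assigned."""
    ip = ipaddress.ip_address(client_ip)
    if port_range is not None:
        first, last = (ipaddress.ip_address(a) for a in port_range)
        # A range assigned to the port overrides the subnet test entirely.
        return not (first <= ip <= last)
    # No range: the Access Controller's own subnet decides.
    return ip not in ipaddress.ip_network(ac_subnet, strict=False)


def demo() -> Dict[str, bool]:
    """Constructed values: AC subnet 192.168.10.0/24, port range .100 to .150."""
    subnet = "192.168.10.0/24"
    port_range = ("192.168.10.100", "192.168.10.150")
    return {
        "in_range": needs_nat("192.168.10.120", subnet, port_range),       # False
        "in_subnet_outside_range": needs_nat("192.168.10.20", subnet, port_range),  # True
        "no_range_in_subnet": needs_nat("192.168.10.20", subnet),          # False
        "no_range_outside_subnet": needs_nat("10.0.0.5", subnet),          # True
    }
```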
The Allowed Traffic Tab

Allowed Traffic filters are traffic filters that identify packets that are permitted to be forwarded by an Access Controller. If you are creating a new Access Policy, the Allowed Traffic filters are displayed in alphabetical order. If you are editing an Access Policy, the traffic filters that are included in this Access Policy are displayed at the top of the list, and the remaining filters that are not included in this Access Policy are at the bottom of the list.

Figure 4-25. Creating an Access Policy, the Allowed Filters Tab

Note that if the filter you select is one of a DNS or WINS filter pair, you must also include the corresponding Redirected Traffic member of the pair in your Access Policy, to redirect traffic to the proper DNS or WINS server.

The Allowed Traffic list shows all existing Allowed Traffic filters. These are displayed in alphabetical order if you are creating a new Access Policy. If you are editing an Access Policy, the filters included in the policy are displayed at the top of the list. The following information is provided about each filter:

Table 4-17. Allowed Traffic List Definitions
Name: The name for the Allowed Traffic Filter.
Details: The optional description of the filter.

Table 4-18. Predefined Allowed Traffic Filters
Internal rights UI: Allows access to the Rights Manager pages via the Access Controller defined in @INTERNAL@ (by default 42.0.0.

Figure 4-26. Creating an Access Policy, the Redirected Traffic Tab

The Redirected Traffic list shows the following information about each filter:

Table 4-19. Redirected Traffic List Definitions
Name: The name for the Redirected Traffic Filter.
Details: The optional description of the filter.

To select a filter to include in this Access Policy, click the appropriate checkbox.

Note: Redirected Traffic filters are evaluated in the order that they appear in the Redirected traffic list of each Access Policy. When a packet matches a Redirect filter, it is immediately redirected to the appropriate destination. Therefore, an incorrect ordering of Redirect filters could cause some filters never to be evaluated.

Table 4-20. Predefined Redirected Traffic Filters
No internal IAM UI: Redirects Integrated Access Manager UI access requests via 42.0.0.1
No internal rights UI: Redirects Rights Manager UI access requests via 42.0.0.1 to the SSL Stop page
No SSL internal UI: Redirects SSL Administrative Interface access requests via 42.0.0.

To configure automatic HTTP Proxy filtering for this Access Policy, select the HTTP Proxy tab, as shown in Figure 4-27, and select or enter data into the fields as described in Table 4-21.

Figure 4-27. Creating an Access Policy, the HTTP Proxy Tab

The fields under the HTTP Proxy tab are as follows:

Table 4-21. HTTP Proxy Tab Field Definitions
Automatic HTTP Proxy: Enables or disables automatic HTTP proxy filtering for this Access Policy.

Table 4-21. HTTP Proxy Tab Field Definitions (Continued)
• Allow FQDN: Accept HTTP traffic destined for the specified fully-qualified domain name (e.g., www.domain.com)
• Allow Host: Accept HTTP traffic destined for the specified host name (e.g., www or home)
• Allow Net: Accept HTTP traffic destined for the specified network address (IP address and subnet mask) (e.g., 192.168.0.

The Bandwidth Tab

700wl Series system version 4.0 provides the ability to limit the bandwidth available to each client to prevent network performance degradation. Using Access Policies, bandwidth can be limited on a client-by-client basis. Separate limits can be set for upstream and downstream bandwidth. On the Bandwidth tab, as shown in Figure 4-28, select or enter data into the fields as described in Table 4-22 below.

Figure 4-28.

Bandwidth Rate Limiting in the 700wl Series System

700wl Series system version 4.0 provides bandwidth rate limiting (or "policing") on a per-client basis. Each client may use bandwidth as necessary up to the upstream or downstream limit set by the Access Policy currently in force for that client. This implementation does not attempt to shape bandwidth usage; it simply enforces a per-client cap.

The Linger Timeout

The Linger timeout enables the 700wl Series system to force a logoff for clients that have disconnected from the network without logging off. If the Access Controller determines that a client has been nonresponsive for a specified period of time, the Access Controller sends a disassociate message to the Access Control Server, following which the Linger Timeout starts.
Figure 4-29. Creating an Access Policy, the Timeout Tab

The fields under the Timeout tab are as follows:

Table 4-23. Timeout Tab Field Definitions
Linger Timeout: How long a client remains known to the 700wl Series system after being disassociated from an Access Controller for failing to respond to repeated polls (ARPs).
• Enter the number of seconds the system should wait before logging off the client from the system.

Table 4-23. Timeout Tab Field Definitions (Continued)
Never force users to reauthenticate: Allows client sessions to remain connected indefinitely without requiring reauthentication.
• Check the radio button to select this option. This is the default.

Allowed Traffic Filters

Allowed Traffic filters are traffic filters that identify packets that are permitted to be forwarded by an Access Controller.

Figure 4-30. The Allowed Traffic Filters List

The Allowed Traffic list shows the Allowed Traffic filters in alphabetical order, and includes the following information about each filter:

Table 4-24. Allowed Traffic List Definitions
Name: The name for the Allowed Traffic Filter.
Details: The optional description of the filter.

• To edit a filter, click the filter name in the Name column, or click the pencil icon at the end of the row.
• To delete a filter, click the trash can icon at the end of the row.
• To create a new filter, click the New Filter... button at the bottom of the filter list. This takes you to the New Filter: Allowed Traffic page (see "Creating or Editing an Allowed Traffic Filter").

From this page you can also go directly to the Access Policies, Redirected Traffic Filters, or HTTP Proxy Filters pages using the links directly under the page name in the left-hand panel of the page.

To create or edit an Allowed Traffic filter, do the following:
Step 1. Type a name for this filter. You can change the name of an existing Allowed Traffic filter by typing a new name.
Step 2. Type a description for the filter, or modify the existing description.
Step 3. To specify the filter by selecting the protocol, and providing the port and destination IP address, select the Allow traffic via a specific protocol/port/address radio button. Then do the following:
a.

Redirected Traffic Filters

Redirected Traffic filters are traffic filters that identify packets sent from a client that should be redirected to a new destination. Some Redirected Traffic filters may simply forward the packet to an alternate destination that performs the same function as the original destination; for example, a DNS server request could be redirected to the enterprise DNS server rather than the one that was originally specified.

The Redirected Traffic list shows the Redirected Traffic filters in alphabetical order, and includes the following information about each filter:

Table 4-25. Allowed Traffic List Definitions
Name: The name for the Redirected Traffic Filter.
Details: The optional description of the filter.

• To edit a filter, click the filter name in the Name column, or click the pencil icon at the end of the row.

Figure 4-33. Creating a New Redirected Traffic Filter

You can create the filter specification in one of two ways:
• Specify the traffic protocol, and the destination IP address and port, or
• Define the filter as a regular expression in tcpdump syntax. This enables you to define complex filters.

You specify the new destination by providing a port and IP address that the traffic should be redirected to.

To create or edit a Redirected Traffic filter, do the following:
Step 1.

b. If the protocol requires a destination port, type it into the Port field. If the protocol does not support port specifications, N/A appears in the port field. You can enter a single port, or use an asterisk (*) to specify all ports. You can access a list of ports by clicking the View button at the right of the Port field. This displays, in a separate pop-up window, a list of ports for common destinations such as the Stop pages or the Logon pages.
c.

Click Cancel to return to the previous page without making any further changes.

Built-in and User-defined Address Variables

For use in both Allowed and Redirected Traffic Filters, the 700wl Series system provides a set of predefined address variables for various system components. These can be viewed (but not changed or deleted) in the Addresses tab of the pop-up window. User-defined variables can be added, edited, and deleted.

Table 4-26. Predefined Address Variables
@INTERNAL@: The address of the Access Control Server Administrative Console. By default this is 42.0.0.1, but if you have reconfigured the address range for the internal DHCP server used for providing NAT addresses, this will be the first address in that range.

Table 4-27. Edit Address Fields
Name: The name of the variable. May be up to 32 uppercase alphabetic characters (no numerals or other characters). You may include the "@" at the beginning and end, but do not need to; the system will add them if necessary.
Value: The value can be an IP address or host name, up to 255 characters in length. It can include the characters allowed for a fully-qualified host name: alphanumeric characters, period, dash, and slash.
Figure 4-36. WINS Filters List

The Filter list shows the DNS or WINS filter pairs in alphabetical order, and includes the following information about each pair:

Table 4-28. DNS or WINS Filter Pair List Definitions
Name: The name of the filter pair.
Description: The optional description of the filter pair.

• To edit a filter pair, click the filter pair name in the Name column, or click the pencil icon at the end of the row.

The Edit Filter pages are almost identical to the New Filter pages, except that the name, description, and server definitions are displayed for the filter you have selected, and a Save As Copy button is provided.

Figure 4-37. Creating a New DNS Filter

The first time you view one of these pages, the list of DNS or WINS servers will be empty. See Step 4 to manage the list of servers.

To create or edit a DNS or WINS filter pair, do the following:
Step 1.

the list, using the multi-select mechanism supported by your browser (typically Ctrl-click and Shift-click). The 700wl Series system selects a destination server at random from the servers you have selected, at the time rights are assigned to the client. That destination is used until the client reauthenticates and is given new rights, at which time a different destination server may be designated.

Figure 4-38. HTTP Proxy Filters List

The HTTP Proxy list shows the HTTP Proxy filters in alphabetical order, and includes the following information about each filter:

Table 4-29. HTTP Proxy Filter List Definitions
Name: The name for the HTTP Proxy Filter.
Filter: The type of filter.
Details: The optional description of the filter.

• To edit a filter, click the filter name in the Name column, or click the pencil icon at the end of the row.

The Edit Filter: HTTP Proxy Traffic page is almost identical to the New Filter page, except that the name, description, and the filter and destination definitions are displayed for the filter you have selected, and a Save As Copy button is provided.

Figure 4-39. Creating a New HTTP Proxy Filter

To create or edit an HTTP Proxy filter, do the following:
Step 1. Type a name for this filter in the Name field. You can change the name of an existing HTTP Proxy filter by typing a new name.

Table 4-30. HTTP Proxy Filter Types
• Allow Reg: Accepts HTTP traffic to a destination specified as a regular expression that evaluates to an address or address range. For example, "(.*).domain.com"
• Deny IP: Redirects HTTP traffic destined for a specified IP address
• Deny FQDN: Redirects HTTP traffic destined for a specified fully-qualified domain name. For example, www.domain.

Example: Modifying the "Guest Access" Access Policy

The following sections provide examples of how to modify access rights by editing the settings for an Access Policy. The Guest Access Access Policy is used as the example because you will need to modify this Access Policy (or create a copy and give it some additional rights) if you want to allow Guest users to log onto your network and have network or Internet access.

Step 2. In the Access Policy column of the table, click Guest Access to display the Edit Access Policy page for the Guest Access Access Policy.
Step 3. Click the Allowed Traffic tab to display the Allowed Traffic filters currently selected for this Access Policy, as shown in Figure 4-41. Note that the Allowed Traffic filters that are selected for this Access Policy are sorted to the top of the list.

Figure 4-41. The Allowed Traffic filters for the Guest Access Access Policy

Step 4. Find the row for the Outside World filter, as shown in Figure 4-41, and click the checkbox to select the filter.
Step 5. Click Save to have this change take effect.

Modifying the Outside World Filter to Restrict Access

If the Outside World Allowed Traffic filter is not sufficiently restrictive for your network environment, you can modify it (or create a new filter) to restrict access to multiple subnets or IP addresses.
Step 1. From the Allowed Traffic tab, click the Outside World filter. The Edit Filter page for Allowed Traffic appears, with the Outside World filter displayed.
Step 2. To rename this filter, type a new name in the Name field.

See Appendix B, "Filter Expression Syntax" for details of the tcpdump syntax.
Note: Tcpdump syntax is case sensitive. All keywords must be in lower-case to be recognized.
Step 6. If you have changed the Outside World filter, click Save to replace the current Outside World filter definition. To save this filter as a new filter, click Save as Copy.

Figure 4-43. Configuring Proxy Filters to limit access for the Guest Access Access Policy

Step 3. To create the filters you need, click New Filter.... See "HTTP Proxy Filters" on page 4-75 for details on creating HTTP proxy filters.
Step 4. Select Enabled from the drop-down field to specify that filtering should be enabled. (This takes effect when you Save the Proxy Filter definition.)
Step 5. Enter the ports you want the 700wl Series system to monitor for HTTP traffic.
Step 6.
-
CONFIGURING AUTHENTICATION 5 This chapter describes how clients are authenticated through the 700wl Series system, and explains how to configure authentication policies. The topics covered in this chapter include: Authentication in the 700wl Series System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1 The Rights Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4 Authentication Policies . . . . . . .
-
Configuring Authentication specification, determine a Connection Profile for the client. The client’s identity (who the client is) is determined through the authentication process. This is used to determine an Identity Profile for the client. The combination of the Connection Profile and Identity Profile determine the Access Policy that applies to the client. (See Chapter 4, “Configuring Rights” for a detailed discussion of Access Policies and access rights.
-
Configuring Authentication client, the username and password is sent to the next service, and so on. If all services in the list fail to authenticate the user, then the user will continue to have only unauthenticated logon rights. • Monitored Logon With monitored logon, the HP system passes the initial packets from the client through to the network, and then monitors the returning packets looking for the message indicating that authentication has been successful.
-
The Rights Manager The configuration of network Authentication Policies is done through the Rights module, accessed by clicking the Rights icon on the Navigation bar. Many of the functions within the Rights module—specifically those associated with creating or modifying access rights through the Rights Assignment table—are discussed in Chapter 4, “Configuring Rights”.
Figure 5-1. The Authentication Policies Page The Authentication Policies table shows the currently defined Authentication Policies. This table shows the following information about each Authentication Policy:
Table 5-1. Authentication Policy Table Contents
Column | Description
Authentication Policy | The name of the Authentication Policy
Authentication Services | A list of the Authentication Services selected for the Authentication Policy.
Creating or Editing an Authentication Policy To create a new Authentication Policy, click the New Authentication Policy... button at the bottom of the list on the Authentication Policy page. The New Authentication Policy page appears (see Figure 5-2) with the Authentication Services tab initially displayed.
• To edit an Authentication Service, click the name of the service you want to edit, or click the pencil icon at the end of the row. This takes you directly to the Edit Authentication Services page for the service you selected. Note: You cannot edit the built-in Authentication Service or the NT Domain Logons service. For these two services, no configuration is required. • To delete an Authentication Service, click the trash can icon at the end of the row.
Figure 5-3. The Authentication Services Page The Authentication Services table shows the currently defined Authentication Services. This table shows the following information about each Authentication Service: Table 5-2.
appears (see Figure 5-4). The page initially displays the configuration options for an LDAP Authentication Service. The Edit Authentication Service - LDAP page is almost identical to the New Authentication Service - LDAP page, except that the page and settings displayed are for the Authentication Service you have selected. Also, a Save As Copy button is provided. (Save As Copy allows you to edit an existing service and save it as a new service.) Figure 5-4.
Figure 5-4 shows the configuration page for configuring an LDAP service with non-user binding. For many of the options on the LDAP service page, the values you enter are dependent on the configuration of your LDAP service, so a thorough knowledge of your LDAP implementation is necessary.
The information required to configure an LDAP service for authentication is defined in the following tables. Table 5-3 defines the fields on the top part of the page:
Table 5-3. LDAP Authentication Configuration Options, Top Part of the Page
Field/Option | Description
Name | Your name for this authentication method. You can use any alphanumeric string as the name.
Server | The Fully Qualified Domain Name (FQDN) or IP address of the server running the LDAP service.
If you select Non-user bind, the remaining fields on the page are as follows:
Table 5-4. LDAP Authentication Configuration Options, Non-User Bind
Field/Option | Description
Use the username field as an alias to find the user’s DN and authenticate by rebinding. | Select this option if the user’s DN is not the same as the username field (the user logon).
» For detailed instructions for setting up an Active Directory server, see “Using the Active Directory LDAP Service” on page 5-13.
» For detailed instructions for setting up a Netscape or iPlanet server, see “Using a Netscape or iPlanet Directory Service” on page 5-14.
Using the Active Directory LDAP Service This section guides you through the configuration choices for authenticating using Active Directory LDAP. Step 1.
To use User binding for authentication where the user logon ID is used as the DN, do the following: a. Select User bind from the drop-down field. b. Enter the following into the User bind string field: \%s For example, for domain XYZCorp.com, this would be XYZCorp\%s. To use Non-User binding you must bind with a Rootdn and Rootpw. You cannot use anonymous binding with Active Directory. a. Select Non-User bind from the drop-down field.
Step 3. Specify some additional options for this LDAP server: a. The timeout value specifies the length of time the 700wl Series system waits for a response to an authentication request before it abandons the request. The default is 120 seconds. You can change this as appropriate for your situation. b. If your LDAP server is configured to use SSL, the 700wl Series system can use SSL to communicate with it.
Then, do the following: Step 1. Because you are sending a password in the clear, make sure that you are using SSL. Step 2. Select Non-user bind. Step 3. Click the radio button labeled Use the username field as an alias to find the user's dn and authenticate by rebinding. Step 4. If your service allows it, you can use anonymous binding.
Along with the authentication results, you can obtain the user’s group affiliation from the authentication process. The returned group information will be used to match the user to an Identity Profile in the Rights Assignment table. This assumes you have created Identity Profiles that match the groups that may be returned from the authentication process. Step 5. The information required to configure the RADIUS service for 802.
Figure 5-6. Creating a New Authentication Service - Kerberos Step 5. Enter the information required to configure a Kerberos service for use with authentication as defined in Table 5-7: Table 5-7. Kerberos Authentication Service Configuration Field/Option Description Name Your name for this authentication method. You can use any alphanumeric string as the name.
Configuring a RADIUS Authentication Service Note: The 700wl Series system Access Control Server must be configured as a RADIUS client on your RADIUS server. To configure the 700wl Series system to use a RADIUS database for user authentication: Step 1. Click the Rights button in the Navigation bar, then go to the Authentication Policies tab. Step 2. Click the Authentication Services link in the left panel to go to the Authentication Services page. Step 3.
The information required to configure the RADIUS service for authentication is defined in Table 5-8 as follows:
Table 5-8. RADIUS Authentication Service Configuration
Field/Option | Description
Name | Your name for this authentication method. You can use any alphanumeric string as the name.
Server | The Fully Qualified Domain Name (FQDN) or IP address of the server running the RADIUS service.
Port | UDP Port for RADIUS (Default is 1812).
» To use a RADIUS service for accounting, you must configure a RADIUS server as an Authentication Service, and check the Supports RADIUS Accounting (RFC-2866) on port checkbox and enter the appropriate port number to which the 700wl Series system should send the accounting data.
Field | Data
Acct-Session-ID | The unique ID for this client session
Acct-Session-Time | The seconds this client was logged on this Access Controller. Sent only with a Stop packet.
Note: When an authenticated client roams to a new Access Controller, a Stop packet is sent upon disassociation from the first Access Controller, and a Start packet is sent upon association with the new Access Controller.
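To see what the RADIUS accounting server actually receives from the Access Controller, here is an added example (not from this guide or from HP) that decodes an RFC 2866 Accounting-Request, checks its Request Authenticator against the shared secret that makes the Access Control Server a valid RADIUS client, and extracts Acct-Status-Type, Acct-Session-Id, Acct-Session-Time and NAS-Identifier. The shared secret, NAS-ID, username and session values are all constructed for the example; the builder function only exists to produce a test packet the way a NAS would.

```python
import hashlib
import hmac
import struct

# RFC 2865/2866 codes and attribute types used by accounting packets.
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_NAS_IDENTIFIER = 32      # carries the NAS-ID/Description configured on the unit
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ATTR_ACCT_SESSION_TIME = 46
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}
HEADER_LEN = 20               # code(1) + identifier(1) + length(2) + authenticator(16)


def parse_attributes(raw):
    """Walk the attribute list: type(1), length(1, includes the 2-byte header), value."""
    attrs, pos = [], 0
    while pos < len(raw):
        if pos + 2 > len(raw):
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > len(raw):
            raise ValueError("attribute length out of range")
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return attrs


def request_authenticator(header, attrs, secret):
    """RFC 2866 section 3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def decode_accounting_request(packet, secret):
    """Validate an Accounting-Request and return its accounting fields as a dict.

    Raises ValueError for malformed packets and for packets whose authenticator does
    not match `secret`, i.e. a NAS that is not configured with the same shared secret.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("Length field inconsistent with packet size")
    packet = packet[:length]              # octets beyond Length are padding (RFC 2865)
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(request_authenticator(header, body, secret), auth):
        raise ValueError("bad Request Authenticator: wrong shared secret or altered packet")

    record = {"identifier": ident}
    for atype, value in parse_attributes(body):
        if atype == ATTR_ACCT_STATUS_TYPE and len(value) == 4:
            record["status"] = STATUS_NAMES.get(struct.unpack("!I", value)[0], "Unknown")
        elif atype == ATTR_ACCT_SESSION_ID:
            record["session_id"] = value.decode("ascii", "replace")
        elif atype == ATTR_ACCT_SESSION_TIME and len(value) == 4:
            record["session_time"] = struct.unpack("!I", value)[0]
        elif atype == ATTR_NAS_IDENTIFIER:
            record["nas_id"] = value.decode("utf-8", "replace")
        elif atype == ATTR_USER_NAME:
            record["user_name"] = value.decode("utf-8", "replace")
    # The guide states Acct-Session-Time is only sent with a Stop packet; flag a Stop without it.
    if record.get("status") == "Stop" and "session_time" not in record:
        record["warning"] = "Stop record without Acct-Session-Time"
    return record


def build_accounting_request(ident, attrs, secret):
    """Construct a packet the way a NAS would (used here only to create sample input)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(body))
    return header + request_authenticator(header, body, secret) + body


# Constructed sample: a Stop record for user "ann" from an Access Controller with NAS-ID "ac-lab-01".
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_STOP = build_accounting_request(7, [
    (ATTR_USER_NAME, b"ann"),
    (ATTR_NAS_IDENTIFIER, b"ac-lab-01"),
    (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 2)),
    (ATTR_ACCT_SESSION_ID, b"0000004a"),
    (ATTR_ACCT_SESSION_TIME, struct.pack("!I", 3600)),
], SAMPLE_SECRET)

if __name__ == "__main__":
    print(decode_accounting_request(SAMPLE_STOP, SAMPLE_SECRET))
```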
• The Rights Manager uses the group information and the start and stop times from the user profile to temporarily map the user to a matching Identity Profile, during the timeframe defined by the stop and start times in the profile. At other times (outside the range defined by the start and stop times) the user will not match that Identity Profile.
The information required to configure an XML-RPC authentication service is defined in Table 5-9 as follows:
Table 5-9. XML-RPC Authentication Service Configuration
Field/Option | Description
Name | Your name for this authentication method. You can use any alphanumeric string as the name.
URL | The URL of the XML-RPC service to which authentication requests should be sent.
Timeout | Authentication request timeout (in seconds).
These parameters are shown in Table 5-10: Table 5-10.
Table 5-11. Name/value Pairs Returned by Authenticate Response
Name | Type | Value and Description
validTimes | string | An array of strings that define the times when a user is given the rights associated with the group.
Table 5-11 (continued), fragment: Monday:Wednesday:Friday; startDate 2002-04-01; stopDate 2002-05-31; hashed_string; NT Domain
enabled in any other Access Policies that may be in force when a client is required to reauthenticate. The Allowed Traffic Filter for LDAP must be created and then enabled in the appropriate Access Policies. Note: Cached Logon requests from Windows clients are not supported because the 700wl Series system cannot reliably detect a logon in a cached request. To the client, the logon will appear to succeed, but the 700wl Series system will consider the client to be unauthenticated.
• First, you must configure an LDAP Authentication Service to be used to retrieve the group identity information. You must specify Non-User binding—either rootdn/rootpw binding or anonymous binding (if the service allows anonymous bind). See “Configuring an LDAP Authentication Service” on page 5-8 for details on how to set up an LDAP service. • Second, you specify the LDAP service(s) you want to use for group identity retrieval.
Logon Page Customization The 700wl Series system Rights Manager provides default Logon, Logoff, Stop, and Guest Registration pages that are displayed when users are to be authenticated using Web-based logon. The default logon page displays the HP ProCurve logo, and appears as shown in Figure 5-10. Figure 5-10. The default Logon page Through the Rights Manager in the Administrative Console, you can customize the Logon, Logoff, Stop, and Guest Registration pages.
Through the Rights Manager, you can customize the appearance of the Logon, Logoff and Stop pages in the following ways: • You can create customized versions of the standard Logon, Logoff and Stop pages by including your own text and logos. • You can associate a different customized page for each Connection Profile you have created in the Rights Manager.
Customizing a Logon Page To create a new logon customization page, do the following: Step 1. From anywhere within the Rights Manager, click the Logon Customization tab. Step 2. Click New Logon Customization… The New Logon Customization page appears, as shown in Figure 5-12. Step 3. Enter the name you wish to give this Logon Customization page. The name may include only characters that are valid in a file name: a-z, A-Z, 0-9, . (period).
Figure 5-12. New Logon Customization Page Customizing the Logo In the Logos section of the New/Edit Logon Customization page you can customize the logo (image) that appears on the logon and logoff web pages. The filename of the current logo is displayed underneath the filename entry field for the logo, along with the date that the logo was uploaded to the Rights Manager. The HP logo is the default logo. You can use two different logos, a standard logo and a small logo.
of a small screen. You can change this logo to be a small version of your own logo for use with small browsers. To change either logo, do the following: Step 1. Go to the Logos section of the New/Edit Logon Customization page and select the logo you wish to change. Step 2. In either the Logo or the Small Logo field, type the full path and name of a file on your local system that contains the logo you want, or click Browse to locate the proper directory and file name.
Step 2. Place a check mark in the Allow users to specify authentication policies checkbox if you want users to choose a specific Authentication Policy from a group of Authentication Policies. When this option is checked, the Logon page will display a drop-down field that will allow a user to select from the Authentication Policies configured for the 700wl Series system.
If you select the Guest Registration option, the Guest Registration page appears as shown in Figure 5-14. Figure 5-14. Guest Registration page If you choose to require guests to register before logging on, the following process will occur when they log on to the system. • The Guest user fills in their first and last name and selects a username and a password.
network. However, if the user goes to the logon page again while he/she is still logged on, the logon page indicates that the user is already logged on and provides a logoff button. As an option, you can have a small logoff page open in a new window as soon as the user successfully logs on. The user can go to this page to log off. To specify that a logoff pop-up should be displayed: Step 1.
Step 2. In the textbox labeled Stop Page Text enter the text you want to display on the Stop page. This can include HTML formatting commands. Step 3. Click Save. To clear the stop page text after it has been set, click Reset to Defaults at the bottom of the page. Note: Clicking Reset to Defaults will reset all the settings for this Logon Customization and Stop page to the default settings, not just the stop page text.
Customized Page Templates If you want to create pages that are customized beyond the options provided on the Customize Web Pages by Connection Profile page, you can create your own templates for the Logon, Logoff, Stop, and Guest Registration pages. Through a template you can lay out the pages in any way you want, including changing the position and even the labels of the buttons, and using other HTML elements as you see fit.
Figure 5-17. Logon Customization: Custom Templates Step 4. In the appropriate field (Logon Page, Logoff Window, Stop Page, or Guest Registration Page), type the path and name of a .tmpl file on your local system that contains the template, or click Browse to locate the proper directory and file name. If your template uses any images, you must add them in the Images for Templates field.
The page will redisplay showing the loaded image, see Figure 5-18. Note: The template images area shows ALL images available for use in custom templates, not just those you have loaded for a specific custom template. To delete an image, click the trash can icon on the same row as the graphic you wish to delete. Figure 5-18.
Step 7. To indicate that an image is to be used with the customized logon page you are creating, check the box to the left of the image. This notifies the system that this image should be downloaded to the Access Controller with the custom template code. Note: Only those images you have checked will be sent to the Access Controller with the template code. Step 8. Click Save. The Administrative Console will return to the Logon Customization page.
Note: The User Rights Simulator does NOT show you the actual rights of a user who is currently logged on, but shows you the rights a user would have as if they were logged on at a particular time and location. To view the current rights for a logged-on user, see “Viewing Client Status” on page 3-7. » To use the Rights Simulator, click the Tools and Options tab visible at the top of any Rights module page. This displays the Simulate User Rights page, as shown in Figure 5-19.
Table 5-12. User Rights Simulator Fields
Field | Description
Access Controller and Port | The Access Controller, slot and port to be used to simulate the user’s physical connection location. This is one of the elements used to match the user to a Connection Profile.
VLAN Identifier | The 802.1q VLAN tag normally included in packets from this user, if any. This is also one of the elements that may be used to match the user to a Connection Profile.
Figure 5-20. Rights for User “ann” if Logged on at the Specified Time and Location The top portion of the Rights results shows the Identity Profile and Connection Profile that the user matched, based on the specified location, VLAN ID, and time, and the Access Policy that applies to this user as a result. It also shows when the user would be forced to reauthenticate.
• If the Identity Profile is not what you expected: — For users in the built-in database, the user may have been assigned to a different profile than you expected. — If the user should match an Identity Profile based on a group or NT Domain name returned from an external authentication service, the service may be returning a different group name than you expected, or no matching Identity Profile has been created to match the group or Domain.
Figure 5-21. The XML Representation of User Rights Tracing Authentication Service Transactions The Transaction Tracer lets you verify authentication transactions to one of the active authentication services—LDAP, RADIUS, Kerberos or XML-RPC. You can use this tool to verify that users are being authenticated correctly, and that the correct information is returned from the authentication service.
service is working correctly, the service should return a successful result, including the information associated with that user, if appropriate. If the authentication service is not set up correctly, you will receive an error and incomplete results. This tool cannot be used with the built-in database, and it cannot trace transactions based on the passive (or monitored) authentication services (802.1x and NT Domain logon). Step 1.
Figure 5-23. Results of a traced transaction The Result Parameters contain any parameters returned with the authentication, if appropriate. This will depend on the authentication service being used, and how that service has been configured (for example, whether you have it configured to return group information). The Result displays a message indicating whether the authentication was successful or not.
» To Import or Export Rights, click the Tools and Options tab visible at the top of any Rights module page, then click the Import/Export Rights link in the left-hand column of the page. This displays the Import/Export Rights page, as shown in Figure 5-24. Figure 5-24. The Import/Export Rights page Exporting Rights Exporting Rights is a two-step process — you must first create an exportable Rights image, then you can save the image to a file on an external system.
Figure 5-25. Rights Export in Progress page While the export is in progress, this page is refreshed every 15 seconds. • To stop the page refresh, click Stop Auto Refresh. • To cancel the export, click Cancel. Step 2. When the export has completed, another informational page appears, telling you the process is complete. This export image will replace the previous export image, if one existed. • Click Continue to return to the main Import/Export Rights page.
Figure 5-26. The Import/Export Rights page after a successful rights export Step 3. Under the Last Rights Export heading, click Save Export As... to save the rights export image as a file. This will start the file download process appropriate to your local system. Step 4. Specify the location where the Rights image should be stored. If you have created a backup of your 700wl Series system image, by default the Rights image will be stored in the same directory.
• To stop the page refresh, click Stop Auto Refresh. • To cancel the import, click Cancel. Step 3. When the import has completed, another informational page appears, telling you the process is complete. • Click Continue to return to the main Import/Export Rights page. When the import is done, a new field appears on the Import/Export Rights page that indicates the date and time that the import was done, as shown in Figure 5-27. Figure 5-27.
CONFIGURING THE NETWORK 6
This chapter describes how to configure the 700wl Series system components so that they work with your enterprise network. The topics covered in this chapter include:
700wl Series System Components 6-2
Configuring an Access Control Server 6-3
Configuring an Integrated Access Manager
Configuring the Network 700wl Series System Components When you first click on the Network icon the System Components page appears, as shown in Figure 6-1. Figure 6-1. System Components Page This page displays the System Components List, which lists all the 700wl Series system components known to the Access Control Server on which you are running the Administrative Console.
From this list you can click a component name or click the pencil icon at the right of the row to edit the component’s name and the folder to which it is assigned. For Access Control Servers, you can also edit settings related to its use in a failover configuration. See “Configuring an Access Control Server” on page 6-3 for more information. You can delete some components using the trash can icon to the right.
DHCP (the default) will boot up and run properly without a shared secret configured, but Access Controllers will not be able to communicate with it. In this case, you must edit the Access Control Server configuration to add a shared secret to enable the Access Control Server to manage its associated Access Controllers. See “The Access Control Server Shared Secret” on page 6-7 for more information about the shared secret.
Note: The IP address can be changed under the Network Setup tab, along with other network configuration settings. The fields and options on this page are defined in Table 6-2:
Table 6-2. Edit Access Control Server page field definitions
Field/Option | Description
Name | An alphanumeric name for this Access Control Server. The default name is the IP address of the unit. A name may be up to 50 characters in length.
IP Address | The IP address of this Access Control Server (read-only).
Table 6-2. Edit Access Control Server page field definitions (continued)
Field/Option | Description
Redundancy: Preferred Primary Access Control Server | If checked, specifies that this Access Control Server (the one on which this configuration is being done, not the peer Access Control Server) should be the primary Access Control Server upon enabling redundancy. One (and only one) peer must have this option checked.
Deleting a Peer Access Control Server You must disable redundancy by editing the Primary Access Control Server configuration before you can delete the Secondary Access Control Server (uncheck the Enable Redundancy checkbox and Save). To delete a peer Access Control Server once redundancy is disabled, click the trash can icon ( ) to the far right of the Access Control Server in the System Components List.
Editing the Integrated Access Manager Configuration The Integrated Access Manager is typically configured with its network configuration parameters and shared secret when it is initially installed on the network, per the instructions in the Quick Start Guide or Installation and Getting Started Guide shipped with the hardware.
The Edit Integrated Access Manager page appears as shown in Figure 6-4. Figure 6-4. Edit Integrated Access Manager page The fields on the Edit Integrated Access Manager page show the current setting for the Integrated Access Manager. You can modify any of these values, except the IP address and MAC Address, which are read-only fields. Note: The IP address can be changed under the Network Setup tab, along with other network configuration settings.
Table 6-3. Edit Integrated Access Manager page field definitions
Field/Option | Description
NAS-ID/Description | A description for this unit. If using RADIUS accounting, this field is used as the NAS-ID and is sent to the RADIUS server as part of the accounting information. (If you do not enter a NAS-ID, the MAC address of the Integrated Access Manager is sent instead.) See “Using RADIUS for Accounting” on page 5-20 for more details about the RADIUS accounting feature.
With the exception of the Access Control Server IP address and shared secret, Access Controllers are configured centrally from the Administrative Interface of the Access Control Server or Integrated Access Manager. From the Administrative Console you can configure and delete Access Controllers, as well as organize them into folders.
Table 6-4. Edit Access Controller page fields
Field/Checkbox | Description
Name | An alphanumeric name for the Access Controller. By default the name is the IP address of the unit.
IP Address | The IP address of this Access Controller (read-only). This can be changed under the Network Setup tab.
MAC address | The MAC address of this Access Controller (read-only). This can be changed under the Network Setup tab.
NAS-ID/Description | A description for this Access Controller.
You can modify an Access Controller’s name, administrator username and password, folder, SSH access permissions, and the Access Control Server IP address and shared secret. The IP address and MAC address are displayed read-only and cannot be modified on this page. » Click Save to save your changes, or Cancel to abandon your changes and revert to the current settings.
Figure 6-6. New Folder Page
» To change the name of a folder, click the folder name in the System Components List, or click the pencil icon ( ) to the far right of the folder. Either action displays the Edit Folder page. Enter the new folder name in the Folder Name field and click Save.
» To add an Access Controller to a folder, go to the Edit Access Controller page and select the folder by name from the drop-down Folder list, then click Save.
Configuring Failover with Redundant Access Control Servers Please read the section “Enterprise Class Redundancy” on page 2-18 in Chapter 2, “Configuring the Network”. Note: Integrated Access Managers cannot be used as a peer in a redundant configuration. The 700wl Series system supports multiple Access Control Servers for Access Control Server redundancy and failover.
Step 4. When you are ready to initiate the peer relationship and start the data synchronization process, check the Enable Redundancy checkbox on the Primary Access Control Server (and Save). You only need to configure and enable redundancy on the primary Access Control Server to make the relationship active.
• Under Network, only the System Components, Network Setup, Interfaces, and Date & Time tabs are available. • Under Maintenance and Logs, all the functions are available. Disabling Redundancy When you disable redundancy, the secondary Access Control Server is reset to Factory Defaults and restarted.
» To access the Network Setup pages, click the Network icon in the Navigation Toolbar, then select the Network Setup tab.
Network Communication–the Basic Setup Tab To configure the basic network communication settings for a 700wl Series system component, do the following: Step 1. Under the Network icon, click the Network Setup tab to display the Basic Setup tab, as shown in Figure 6-8. Figure 6-8. Network Setup: Basic Setup page for an Access Control Server Step 2. In the System Components List at the left, select the component you want to configure.
Edit the contents of the fields on this page as appropriate. The fields and their settings are defined in Table 6-5.
Table 6-5. Basic Setup tab fields
Field | Description
Configure | A drop-down list you use to specify how this component gets its IP address. • Select Using DHCP to have the unit request its IP address, subnet mask, gateway, DNS server and WINS server IP addresses from the DHCP server.
Table 6-5. Basic Setup tab fields (continued)
Field | Description
Secondary DNS | The IP address of the secondary DNS server
Primary WINS | The IP address of the primary WINS server
Secondary WINS | The IP address of the secondary WINS server
Step 3. Click Save to save your settings. To restore these fields to the original default settings, click Reset to Defaults. You must then Save to actually have the defaults take effect.
Figure 6-9.
Access Control Server Configuration Advanced Options The following settings appear on this page if you are configuring an Access Control Server or an Integrated Access Manager. They do not appear if you are configuring an Access Controller. DHCP Network for NAT Clients Note: When you change this range, it also changes the default address (http://42.0.0.1) for the Administrative Interface. The Administrative Interface URL will become the first address in the new range.
Access Controller Advanced Configuration Options The following settings appear on this page if you are configuring an Access Controller or an Integrated Access Manager. They do not appear if you are configuring an Access Control Server. Bridging A 700wl Series system provides filtering and redirection of IP packets at Layer 3. With bridging, you can specify certain Layer 2 packets to be copied across an Access Controller to the clients. Bridging is disabled by default.
The following are the specifications in tcpdump syntax for the predefined bridging options: Table 6-7.
the client’s rights. Depending on the Wireless Data Privacy mechanism and the type of addressing in force, the client’s existing sessions may be tunneled from the original Access Controller to the new Access Controller. To change the client polling settings, do the following: Step 1. To change the length of time a client must be idle to generate a client probe, change the value in the Poll clients after field. The default idle time is 30 seconds.
You can specify an external proxy server, or the 700wl Series system can act as the proxy server and handle the traffic according to the configured ports and filters defined for each Access Policy. The automatic HTTP Proxy feature is configured and enabled specifically for each Access Policy. This lets you specify the HTTP proxy feature only for selected Access Policies, if appropriate. You also can configure sets of proxy filters per Access Policy.
available, the HTTP Proxy Server on the Access Controller will cycle to the next available IP address. Step 4. In the Proxy Server Port field, type the TCP port number used for the proxy server. Step 5. Click Save to have your changes take effect. To restore these fields to the original default settings, click Reset to Defaults. You must then Save to actually have the defaults take effect. To abandon your changes and revert to the current settings, click Cancel.
Figure 6-11. Network Settings: SSL Tab (Integrated Access Manager or Access Control Server only) The information at the top of the page describes the current certificate. Initially this will be the certificate generated and signed by HP ProCurve. Note: The Save button on this page saves the changes you make to any of the sub-tabs under the Network Setup tab.
-
Requesting an SSL Certificate To generate an SSL Certificate Signing Request (CSR): Step 1. From the SSL tab, click Generate CSR.... The Generate SSL Certificate Signing Request page appears, as shown in Figure 6-12, in a separate browser window. Figure 6-12. Input Page for Generating an SSL CSR Step 2. Fill in all the entry fields: a. Type the organization name. This is the name that will be published on the certificate. b. Type the E-mail address for the certificate contact.
-
Figure 6-13. The Certificate Signing Request You can use this certificate signing request either to request a certificate from a CA, or to create your own self-signed certificate using an SSL toolkit, such as OpenSSL. Step 4. You may be able to paste this signing request directly into a form on your CA’s web site. To do so, connect to your CA’s web site and begin the certificate request process.
-
Loading the SSL Certificate When you receive your certificate from the CA, you can either copy the certificate information and paste it into the field provided, or you can place the certificate in a file and upload the file. Do not edit, add line breaks, or otherwise change any of the characters in the certificate, as this will corrupt the certificate. Step 1. Go to the Access Control Server’s Network Setup page and click on the SSL tab. Step 2. Click Load Certificates....
-
Save and Restore Private Key The CSR you generate is based on a private key. If the private key is lost or regenerated, any CSRs based on the original private key become invalid. After generating the CSR, you should save the private key on your local system. It can then be recovered after a factory reset or hardware swap. To save the current private key: Step 1. Go to the Access Control Server’s Network Setup page and click on the SSL tab. Step 2.
-
Caution: Restoring a saved private key will invalidate an SSL certificate based on the current (different) private key. Restoring the Default SSL Certificate If the private key is lost or the certificate is corrupted or invalidated, you can revert to the default SSL certificate issued by HP ProCurve itself as the Certificate Authority (CA). To restore the default SSL certificate and private key, click Reset to Default, then click Save.
-
Figure 6-16. Example of a Port Connection Type selection list To configure a port for a specific connection type, do the following: Step 1. On the Interfaces setup page select the Access Controller to configure. Step 2. Click the Speed/Duplex tab. The Speed/Duplex page for Access Controllers appears. See Figure 6-17. Figure 6-17. Interfaces: Speed/Duplex Page Step 3. Select the connection type from the drop-down list.
-
Note: If you want to set a port to half-duplex, but half-duplex is not offered as an option in the drop-down list, you will need to select a setting that does not specify an option, and allow the port to negotiate for half-duplex. For example, as shown in Figure 6-17, there is no setting for 100baseTX half-duplex. You must specify 100baseTX and allow the port to negotiate for half-duplex. Step 4. Click Save.
-
uplink port so that the default uplink (slot 0 port 2 on a 700wl Series system) is now a downlink port, then that port will appear on this page. The port being used as the uplink port will not appear. To configure subnet addresses for Access Controller ports: Step 1. On the Interfaces setup page select the Access Controller to configure. Step 2. Click the Subnet tab. The Subnet page for Access Controllers appears. See Figure 6-18. Figure 6-18.
-
configured to support routing the addresses you have configured for your ports through the Access Controller uplink port. For example, if the Access Controller’s IP address is 192.168.2.20 with subnet mask 255.255.255.0 (/24) and you configure a port to use 192.168.6.0 with mask /24, you must configure your router with a static route that routes the 192.168.6.x addresses to 192.168.2.20. You can typically do this with a command similar to: ip route 192.168.6.0 255.255.255.0 192.168.
-
Figure 6-19. SNMP Page Step 2. Select the system component for which you want to enable SNMP from the System Components List. Step 3. SNMP is disabled by default. Select Enabled from the SNMP drop-down menu to enable SNMP. This will enable SNMP for the selected component. Note: Enabling SNMP allows Read-only access to the device as indicated by the value in the SNMP Access Mode field. Step 4. Type the appropriate read Community Name.
-
Note: Include a trap IP address only if you have an SNMP trap receiver listening for this information. HP proprietary SNMP trap events include fan failure, fan operational, and out-of-range temperatures. General SNMP trap events include SNMP authentication failures, which are sent as trap information. You can download the HP ProCurve MIBs from the HP ProCurve support web site at www.hp.com/go/hpprocurve. Step 8. Type up to four Manager IP addresses in the fields provided.
-
Figure 6-20. Date & Time Page Step 2. Using the System Components List on the left select the component for which you wish to set the date and time. You can select an Access Control Server, a single Access Controller, or a folder. If you select a folder, the date and time settings you enter will be applied to all the Access Controllers in that folder. You can configure the system to get the date and time from a Network Time Protocol (NTP) server or you can set it manually.
-
The format for the date is MM/DD/YYYY. For example, June 4, 2003 would be entered as 06/04/2003. The format for the time is HH:MM, using a 24 hour clock. For example, 6:23 PM would be entered as 18:23. b. Click Set Time Now to set the date and time according to settings you entered. Note: If you have made any changes to the time zone or NTP server settings, you cannot manually change the time settings until you have saved or canceled the time zone or NTP changes.
-
Figure 6-21. Admin Setup page Step 2. Click New Admin... The New Admin page appears (see Figure 6-20). Figure 6-22. Admin Setup page Step 3. Fill in the fields as required (see Table 6-8) and select the administrator type from the drop-down menu.
-
Table 6-8. New/Edit Admin Fields
Field     Description
Name      A descriptive name that identifies the Administrator. It can be the administrator’s full name or any other meaningful name. This name may have up to 32 characters. Any 7-bit characters are allowed.
Username  The administrator’s logon ID. A username may have up to 50 characters. Any 7-bit characters are allowed.
Password  The password associated with the administrator’s logon name.
-
• To edit an administrator account, click the administrator’s Name or Username, which are links to the Edit Admin page, or click the Pencil icon at the right of the row. The Super Administrator can change any of the settings for an administrator. • By default, a newly-added administrator account is enabled, meaning that the administrator can log on to the Administrative Console with the Username and password as set by the Super Administrator.
-
-
SETTING UP WIRELESS DATA PRIVACY 7
This chapter explains how to configure the global settings for the security protocols. The topics covered in this chapter are:
Overview of Wireless Data Privacy 7-1
Wireless Data Privacy Setup 7-2
IPSec Certificate Configuration
-
The encryption policy that defines how encryption applies to a specific client is determined through the Access Policy that defines rights for that client. The Access Policy can specify that encryption is required, that it is allowed but not required, or that it is disabled. It also specifies which encryption methods can be used. These settings are specified when you create an Access Policy.
-
Figure 7-1. The Wireless Data Privacy tab Global Wireless Data Privacy Configuration Select the Wireless Data Privacy protocols you want to enable for the 700wl Series system. By default, all protocols are disabled. Enabling a security protocol makes it available for use by clients within the constraints of the security settings embodied in the Access Policies for those clients.
-
The fields and settings under the Configuration for IPSec heading of the Wireless Data Privacy tab are as follows:
Table 7-1. IPSec configuration settings
Field                      Description
IKE Authentication Method  Select the IKE Authentication Method you plan to use: • To use certificate-based authentication, click Public Key Certificate. If you elect to use this method, you will need to configure a public key certificate.
-
Table 7-1. IPSec configuration settings
Field           Description
ESP Encryption  Select the appropriate algorithms for ESP encryption, or specify None. The 700wl Series system supports the following algorithms: • DES • 3DES • AES • Blowfish • CAST • Null. The default is DES, 3DES, and AES selected.
ESP Integrity   Select the appropriate algorithms for ESP integrity, or specify None.
-
Figure 7-2. The IPSec Certificate Configuration tab By default the Current Certificate area of the page shows “No certificate configured.” This area will show information about the certificate if one is installed. Step 2. Click Generate CSR... to begin creating a Certificate Signing Request. The Generate CSR page appears, as shown in Figure 7-4. Figure 7-3.
-
Step 3. Fill in the information in this form: a. Type the name in which the certificate should be granted. This can be an individual name or a title such as “Wireless Admin.” b. Type the email address for the certificate contact. c. Type your state or province. This is typically a two-character abbreviation. d. Type your two-character ISO country code (US for the United States, UK for the United Kingdom, and so on).
-
Step 6. Copy and paste the generated PKCS#10 certificate request, including the lines -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----, into the appropriate field in the request form. Once you have copied and pasted the CSR, click Done to return to the IPSec Certificate Configuration page. Figure 7-5 shows the enrollment form of a Netscape Certificate Management System with the CSR pasted into the PKCS#10 text area. Figure 7-5.
-
You may need to enter the request ID or confirmation information you received when you submitted your certificate request. When your certificate is displayed, find the portions that you can copy and paste into the HP system. The example in Figure 7-6 shows the portion of the certificate where the information you need to copy is located. Note that the certificates are in the same format as the certificate request you generated.
-
Figure 7-7. The Load Certificates page Step 12. Copy and paste the two certificates from your CA’s web site into the two fields provided, and click Save. Be sure to include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Caution: Do not use the certificate import function, if there is one, from the CA’s web page. It will not install the certificate on the 700wl Series system.
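The warning not to alter a single character applies both to the PKCS#10 request pasted in Step 6 and to the certificates pasted here. As an added check that is not part of the HP guide, the following Python function tests a PEM block before it is loaded: matching BEGIN/END lines with the expected label, base64 lines that have not been re-wrapped, and a decoded length consistent with the outer DER SEQUENCE header. The to_pem helper and the DER bytes used with it are constructed for the demonstration, not a real certificate.

```python
import base64
import binascii
import re

# A PEM block as it appears on the Load Certificates page: one BEGIN line,
# base64 body lines, one END line with the same label.
PEM_RE = re.compile(
    r"^-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z ]+)-----\s*$",
    re.S,
)


def der_declared_length(der):
    """Return (header_len, content_len) of the outer DER SEQUENCE (tag 0x30),
    or None if the data does not start with a SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2, first
    n = first & 0x7F                       # long-form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def check_pem(text, expected_label):
    """Return (ok, reason) for a pasted PEM block.

    ok is True only when the BEGIN/END lines carry expected_label, the base64
    body uses standard 64-column lines (a re-wrapped paste fails here), the
    body decodes cleanly, and the DER length field matches the decoded size
    (a truncated or edited paste fails here).
    """
    m = PEM_RE.match(text.strip())
    if not m:
        return False, "missing or malformed BEGIN/END lines"
    begin, body, end = m.group(1), m.group(2), m.group(3)
    if begin != end:
        return False, "BEGIN and END labels differ"
    if begin != expected_label:
        return False, "expected %s, got %s" % (expected_label, begin)
    lines = body.splitlines()
    if not lines or any(len(l) != 64 for l in lines[:-1]) or len(lines[-1]) > 64:
        return False, "base64 lines re-wrapped or edited"
    try:
        der = base64.b64decode("".join(lines), validate=True)
    except binascii.Error:
        return False, "body is not valid base64"
    lengths = der_declared_length(der)
    if lengths is None:
        return False, "decoded data is not a DER SEQUENCE"
    header_len, content_len = lengths
    if header_len + content_len != len(der):
        return False, "DER length mismatch (truncated or altered)"
    return True, "ok"


def to_pem(label, der, width=64):
    """Constructed helper: wrap DER bytes in PEM armour. width other than 64
    simulates a paste that was re-wrapped in an editor."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


if __name__ == "__main__":
    # Constructed sample: a minimal DER SEQUENCE containing INTEGER 5.
    sample = to_pem("CERTIFICATE REQUEST", b"\x30\x03\x02\x01\x05")
    print(check_pem(sample, "CERTIFICATE REQUEST"))
    print(check_pem(sample.replace("\n-----END", "\n\n-----END"), "CERTIFICATE REQUEST"))
```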
-
Figure 7-8. The Certificates tab showing an installed certificate Step 13. Immediately create and save a backup of your system. This saves both the private key and the saved certificates. See “Backing Up and Restoring the System Configuration” on page 8-13 for information on backing up your system. Caution: Be sure to back up your system immediately. This is the only way to ensure that the certificates and keys can be restored if your system becomes corrupted.
-
The default is to have addresses assigned by a DHCP server. » To configure the IP Address assignment method for the tunneling protocols, click the VPN icon in the Navigation bar at the top of the Administrative Console, then click the IP Address Assignment tab. This displays the IP Address Assignment page, as shown in Figure 7-9. Figure 7-9. The IP Address Assignment tab Step 1.
-
• The first DHCP request is taken to be a request for an outer tunnel address, and NAT is ALWAYS used, even if the Access Policy specifies Never for the Network Address Translation setting. Note: A side-effect of this behavior is that if encryption is “Allowed but not required” by the Access Policy, and a client connects without using a tunneling protocol, that client will always be NAT’ed upon making a DHCP request.
-
-
SYSTEM MAINTENANCE 8
This chapter explains how to perform common administrative tasks including creating, storing, and restoring a back up file, updating system software, and shutting down a 700wl Series system component. It also describes how to reset the 700wl Series system to its factory default settings. This chapter covers the following topics:
Software Setup
-
Figure 8-1. Software Setup page Step 2. From the System Components list in the left panel, select the component (Access Control Server or Access Controller) for which you want to restart or update the software image. This page displays information about the software installed in the selected component: Table 8-1. Software Setup version status display Field Description Installed Version Current Software The version number of the software image currently running in the selected unit.
-
Access Controller and using the Wireless Data Privacy protocols will temporarily lose their connections, and any remote CLI sessions over SSH will be terminated. It is recommended that you update your flash-based Access Controllers during times when system usage is low. Upgrading the software image is a two-step process. • First, download the software to the selected component. The downloaded software becomes the Alternate Version, overwriting the previous Alternate Version.
-
Figure 8-2. The Update Software page From the Remote Update page you can initiate a software update from a remote FTP, TFTP, or HTTP server, or just check to see if any updates are available. Alternatively, you may be able to perform an update using a software distribution file placed on a local server. See “Local Update” on page 8-9 for more information on this option, found under the Local Update tab.
-
Remote Update The information that is required to update the software image from a remote site is described in Table 8-2.
Table 8-2. Update Software, field/settings descriptions
Field/Option  Description
URL           The URL from which you want to check for software upgrade availability, or download a new version. By default, this field contains the location of an HP ProCurve FTP server site where upgrade images are stored.
-
If you want to check for upgrades on an alternate download site, you must enter the appropriate URL. Step 2. Click Check for Upgrades. This function checks the software version available on the download site against the software version currently installed in the component you have selected. A Confirm Software Update page opens, showing that the current version is up to date or that there is an update available. Figure 8-3 shows an example of this page. Figure 8-3.
-
Select Continue to proceed with the upgrade, or Cancel to return to the previous page without proceeding. Note: If your currently installed software is significantly older than the new version you are downloading, it may not be possible to revert to your old (Alternate) image without doing a factory reset, which restores the unit to its default settings. If this is the case, a warning is displayed advising you to make a backup of the system before proceeding with the upgrade.
-
If you enable Auto Refresh, the status page refreshes approximately every 15 seconds, displaying updated status information. After the download and unpack operations are complete, a completion message appears: New image successfully installed. If you specified an automatic restart, the status message also displays Initiating reboot and the restart operation starts. Step 4.
-
Variable     Value
update_file  Filename (including the path) of the software image. Please contact HP ProCurve Technical Support for information on the current downloadable image. For TFTP or anonymous FTP, the path is relative to the anonymous FTP or TFTP root. If a username and password are required for FTP, then the full path to the update file must be specified. For HTTP, the path is always relative to the web server’s site root directory.
-
Step 2. In the 700wl Series system Administrative Console, under Maintenance/Software Update, select the Local Update tab to display the Local Update page, as shown in Figure 8-5. Table 8-3.
-
Figure 8-5. The Local Update Tab of the Update Software Function Step 3. In the Uploaded Software Versions table, select the row where you want the new uploaded version to be placed. If there is already a software image in that row, it will be replaced by the new image you upload. Step 4. In the lower part of the window under the Upload New Software Version heading, type the appropriate keyword. The key is a password that allows you to upload and use the 700wl Series system software.
-
Step 6. In the .vdist File field, type the full path and name of the distribution file you downloaded, or click Browse to locate the proper directory and file name. Note: You can save the vdist files under different names, if you want. They do not need to have a .vdist extension. Step 7. Click Upload Image to upload the software image to the Access Control Server or Integrated Access Manager.
-
Caution: Restarting an Access Control Server or Integrated Access Manager will log off all clients on all Access Controllers. If possible, you should restart your system during a time when few clients are actively connected to the system. » To restart your system using the Alternate software version, click Restart to Alternate under the Software Setup tab. A confirmation/warning page appears.
-
Note: You cannot restore from the internal backup image. You can only restore from an external file. Therefore, you must save the backup image to a file. » To back up a system configuration, click the Backup & Restore tab under the Maintenance button. The Backup & Restore page appears, as shown in Figure 8-7. Figure 8-7.
-
Figure 8-8. Backup Confirmation Click Continue to proceed, or Cancel to return to the Backup & Restore page without creating the backup image. While the backup is in progress, an information page, as shown in Figure 8-9, is displayed. Figure 8-9. Backup In Progress Step 2. When the backup has completed, another informational page appears, telling you the process is complete. This export image will replace the previous export image, if one existed.
-
Figure 8-10. Backup & Restore page after a successful backup » To save the backup to a file, click Save Backup As.... This initiates the File Download process on your local system. This typically involves a series of dialogs presented by your local system software, where you can select a location to store the file and enter a file name. By default, the backup image file is named “hp” concatenated with the date (-YYYY-MM-DD). You can use this default or rename it.
-
Figure 8-11. Restore In Progress Confirmation Step 3. To proceed with the restore, click Continue. As part of the restore operation, the system is restarted. You will be required to log in again as administrator.
-
Warning: DO NOT restore a backup to a duplicate Access Control Server that is connected to the same network as the original Access Control Server. Restoring a backup will restore the original Access Control Server’s IP address (if a static IP address was configured) and the shared secret. This can result in the second Access Control Server taking control of the Access Controllers on the network away from the original Access Control Server.
-
Figure 8-12. The Shutdown/Restart tab Restarting a System Component Restarting a component will briefly shut down the unit, then restart it using the Installed Version software image. This action does not power off the unit. To restart a selected system component: Step 1. Select the unit you want to restart from the System Components List. Step 2. Click Restart Now. A confirmation page appears, as shown in Figure 8-13.
-
Figure 8-13. Restart Confirmation Step 3. To proceed with the restart, click Continue. To cancel the restart, click Cancel. Shutting Down a System Component Shutting down a system component shuts down and powers off the selected unit. To shut down and power off a system component: Step 1. Select the unit you want to shut down from the System Components List. Step 2. Click Shutdown Now. A confirmation page appears, as shown in Figure 8-14. Figure 8-14.
-
Step 3. To proceed with the shutdown, click Continue. To cancel the shutdown, click Cancel. Resetting to Factory Default Settings Resetting a system to its factory defaults will clear the configuration database, reset all options to the factory default settings, and restart the unit.
-
restore your configuration, you must restore from a backup image that was created and saved to an external file before the reset. A reset erases the backup image stored on the unit.
-
LOGS 9
This chapter presents tasks you can perform with these types of logging.
Viewing 700wl Series System Logs 9-1
Configuring Session Logging 9-4
Viewing the Session Logs 9-6
The Session Log Entry Format
-
Figure 9-1. Log file display The Log File display table shows the log entries that exist at the moment you request the display. By default, the list is not refreshed unless you request a new display by clicking the Apply Filters button. You can set an automatic refresh interval using the filter settings described below. Clicking the LOGS icon or the Log Files tab again also refreshes the page, but you lose any filter settings you may have selected previously.
-
The log file display itself shows the following information:
Table 9-2. Log file display
Column   Description
(empty)  This column is used to call attention to log entries with severity levels of Critical or Major. Entries at lower severity levels are not flagged.
-
— Categories: All Categories (default), Error, Info, Debug, Function Trace, Object Trace, Session Log. This is a multiple selection box—by using CTRL-click or Shift-click you can select multiple categories to include in a single filter.
-
Figure 9-2. Setting Up Session Logging Step 2. Type the information and select options as defined in Table 9-3.
Table 9-3. Logging Setup Fields
Field/Option      Description
Session Logging:  Settings for session logging to a remote syslog server.
Enabled           Check Enabled to enable session logging. Unchecking this option disables session logging without unconfiguring the syslog settings.
Syslog Server     The IP Address of the remote Syslog Server.
-
Note: Accurate time and date reporting is necessary for accurate and useful logs. To set the time and date, use the Date & Time tab in the Network area. Viewing the Session Logs The 700wl Series system log files provide informational messages, warnings and so on about the operation of the 700wl Series system. Session logging goes further to provide information about every completed session. These logs are optional.
-
Table 9-4. Session Log information
Data Item           Definition
Actual Destination  The actual destination IP address and port, if redirected or tunnelled through another Access Controller.
Bytes Transmitted   Total number of bytes transmitted during the session.
Bytes Received      Total number of bytes received during the session.
UserID              The client’s user (login) ID.
The session log also creates log entries whenever an Access Controller sends an associate or disassociate message to the Rights Manager.
-
-
COMMAND LINE INTERFACE A
This appendix documents the commands that are available on the serial console as part of the Command Line Interface (CLI). The CLI enables initial configuration and subsequent troubleshooting of the 700wl Series system. The Command Line Interface commands are listed in the following categories:
Accessing the Command Line Interface A-2
Getting CLI Command Help
-
Accessing the Command Line Interface There are two ways to access the Command Line Interface—either by directly connecting a serial console to the serial port on an Access Controller, Access Control Server, or Integrated Access Manager, or by connecting to the system remotely using SSH. Connecting with a Serial Console The Serial Console is a terminal emulator running on another management computer.
-
Command Syntax You may see a variety of symbols shown as part of the command syntax. These symbols explain how to enter the command, and you do not type them as part of the command itself. Table A-1 summarizes command syntax symbols.
Table A-1. Command Syntax Symbols
Symbol              Description
angle brackets < >  Enclose a variable or value. You must specify the variable or value.
-
This produces the following output:

"add"
add commands:
  add bridging ...           Add bridging options
  add snmpmanager ...        Add an SNMP authorized manager
  add snmptrapreceiver ...   Add an SNMP trap receiver

To see details about one of these commands, you can again use a question mark.
-
set superadmin pass | enable | disable
    Set the password for a superadmin, or enable or disable a superadmin login.
    pass     Change the password for the specified login name. The superadmin can change any password.
    enable   Enable the specified login name. Only superadmins can enable admins.
    disable  Disable the specified login name. Only superadmins can disable admins.
    Login name of a superadmin.
delete superadmin
    Delete a superadmin with the specified login.
-
show policyadmin []
    Show a specific policyadmin by specifying a login, or list all policy admins by not specifying a login.
set remote on | off
    Enables or disables remote technical support access. The default is disabled. This should be enabled only at the direction of HP customer support personnel.
show remote
    Displays the current remote technical support access setting.
-
00:e0:18:7d:b5:3d 10.205.2.25 4 hrs, 50 mins
show id
    Displays this system’s ID, which is the MAC address of Slot 0 port 1. On a 700wl Series unit, the default uplink port is slot 0 port 2. (Slot 0 port 1 is the Reserved port.) Therefore, the MAC address of the uplink port, shown on the label on the back of the unit, will be one higher than the MAC address used as the system ID.
-
show deviceport
    Shows the port or slot and port for a device.
    The device name associated with a port, for example, dc0, dc1, sis0.
    For example, on an Integrated Access Manager 760wl the command:
    show deviceport sis0
    displays the following output:
    Slot/Port: 0/1
show product
    Displays the product name. For example, on an Integrated Access Manager 760wl, this command displays:
    Integrated Access Manager
show serial
    Displays the product serial number.
-
Network Configuration Commands
set hostname
    Note: This command is supported on the Access Control Server or Integrated Access Manager only.
    Sets the system's hostname. The system hostname is also used as the SNMP system name. If you set a hostname, it must be resolvable through DNS.
    The fully qualified host name of the system.
clear hostname
    Note: This command is supported on the Access Control Server or Integrated Access Manager only.
-
show ip
    Shows the current IP configuration. Output from this command looks similar to the following:

    Hostname:
    Domain Name:     xyzcorp.com
    IP address:      192.168.10.157/24
    DHCP enabled:    No
    Default gateway: 192.168.10.1
    DHCP server:     None configured
    DNS servers:     192.168.2.248 192.168.2.205
    WINS servers:    None configured

set gateway
    Sets the IP address of the default router.
clear gateway
    Clears the gateway IP address (resets to 0.0.0.0).
-
set dns []
    Note: This command is supported on the Access Control Server or Integrated Access Manager only. For an Access Controller, this function must be performed through the Administrative Console on the managing Access Control Server.
    Sets the IP addresses of the DNS servers.
    The IP address of the primary DNS server for the system.
-
    Sets the IP addresses of the WINS servers.
    The IP address of the primary WINS server for the system.
    The IP address of the secondary WINS server for the system (optional).
clear wins
    Note: This command is supported on the Access Control Server or Integrated Access Manager only. For an Access Controller, this function must be performed through the Administrative Console on the managing Access Control Server.
-
set portmedia {<port> | <slot>/<port>} "<media-type> [<option>]"
    Sets the port media setting for the specified port or slot and port.
    <port> | <slot>/<port>  The port, or slot and port, on which to set the media type and option.
    <media-type>            The media type, for example 100baseTX or 10baseT/UTP. Must match one of the valid media types for the port, as displayed by the show portmedia command for the port.
    <option>                A media option, for example full-duplex. This is not required.
-
show portip
    Displays the current IP address and netmask settings, if set, for all ports in the system. Output from this command is similar to the following:

    Port settings
    Slot 1 Port 1  IP: Not set
    Slot 1 Port 2  IP: 192.168.5.1
    Slot 1 Port 3  IP: 192.168.6.
    Slot 1 Port 4  IP:
    Slot 2 Port 1  IP:
    Slot 2 Port 2  IP:
    Slot 2 Port 3  IP:
    Slot 2 Port 4  IP:
    Slot 3 Port 1  IP:
    Slot 3 Port 2  IP:
    Slot 3 Port 3  IP:
    Slot 3 Port 4  IP:
-
    Note: This command is not available on an Integrated Access Manager.

Advanced Network Configuration Status

show bridging
    Shows the current bridging settings. The bridging types that may appear are:
        cdp      Cisco Discovery Protocol
        wnmp     Wireless Network Access Protocol
        atalk    AppleTalk protocol
        custom   Type was set using a custom bridging string.
    See "Bridging" on page 6-24 in Chapter 6, and Appendix B, "Filter Expression Syntax", for a detailed discussion.
show ac [mac ]
    Shows Access Controller settings for one or all Access Controllers connected to the Access Control Server or Integrated Access Manager. The default is to show all settings for all Access Controllers.
show redundancy
    Shows the current redundancy (failover) settings. For example:

        show redundancy
        ---- Redundancy configured state ----
        Redundancy is disabled.
        No peer is specified.
        Peering priority is 0.
        Retry timeout to disabled peers is 60 seconds.
        Failover timeout is 30 seconds.

    On an Access Control Server acting as the secondary Access Control Server, the show redundancy command produces output similar to:

        ---- Redundancy configured state ----
        Redundancy is enabled.
Advanced Network Configuration

set natdhcp [ [] ]
    Sets the NAT DHCP subnet and lease time.
        The DHCP subnet address for NAT. The default is 42.0.0.0.
        The subnet mask, in the form xxx.xxx.xxx.xxx (e.g. 255.255.255.0). The / form (e.g. /24) cannot be used in this command.
        The length of time a lease remains valid, in units as specified by the time-units parameter.
remote datetime
remote reboot
    Reboot the system at
remote rebootalt
    Reboot the system at to alternate software version.
remote shutdown
    Shutdown the system at
remote factoryreset
    Factory reset the system at
remote upgrade
    Upgrade the system at the specified IP address.
        The URL encoded location of the software release to install.
remote upgradereboot
    Upgrades the system at the specified IP address and reboots the system.
        The URL encoded location of the software release to install. The format of the URL is
            :///  or  ://[:]@/
        can be ftp, http, or tftp. [:] specifies a username and optional password with access to the remote site, if required.
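The release URL accepted by remote upgrade, remote upgradereboot and get upgrade has the shape scheme://host/path or scheme://user[:password]@host/path with scheme ftp, http or tftp. The following is an added example, not code from this guide or from the 700wl software, that splits such a URL into its parts and rejects forms the documented syntax does not allow; parse_release_url, ALLOWED_SCHEMES and the result keys are names chosen for this example.

```python
"""Parse and validate a software-release URL of the form
scheme://host/path or scheme://user[:password]@host/path
(scheme ftp, http or tftp), as documented for the upgrade commands.

Added example; not part of the 700wl guide or software. The function
and key names here are the author's own."""
from urllib.parse import urlsplit, unquote

ALLOWED_SCHEMES = ("ftp", "http", "tftp")


def parse_release_url(url: str) -> dict:
    """Return the components of a release URL, or raise ValueError for a
    URL that does not match the documented format."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme must be one of {ALLOWED_SCHEMES}, got {scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    if not parts.path or parts.path == "/":
        raise ValueError("URL has no path to a release image")

    result = {
        "scheme": scheme,
        "host": parts.hostname,
        # None when no :port was given; urlsplit raises ValueError on a
        # non-numeric port, which we let propagate.
        "port": parts.port,
        # Percent-encoded characters in user/password/path are decoded here,
        # matching the "URL encoded location" wording of the command help.
        "username": unquote(parts.username) if parts.username is not None else None,
        "password": unquote(parts.password) if parts.password is not None else None,
        "path": unquote(parts.path),
        "warnings": [],
    }
    # ftp, http and tftp carry credentials and the image in clear text; note
    # embedded credentials so an operator can decide whether that is acceptable.
    if result["username"] is not None:
        result["warnings"].append("credentials are embedded in the URL and sent in clear text")
    # TFTP has no authentication, so a user:password part has no effect there.
    if scheme == "tftp" and result["username"] is not None:
        result["warnings"].append("tftp ignores user:password")
    return result


if __name__ == "__main__":
    # Constructed sample URL (host, user and path are made up for the example).
    print(parse_release_url("ftp://admin:s3cret@10.0.0.5/images/release.img"))
```

The check mirrors the documented grammar only; the device's own parser may accept or reject additional forms.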
set pptp on | off
    Enables or disables PPTP.

set l2tp on | off
    Enables or disables L2TP.

set ipsecsecret [ ]
    Sets the IPSec shared secret. Prompts for the secret if not entered on the command line.

clear ipsecsecret
    Clears the IPSec shared secret.

set espencryption [des] [3des] [blowfish] [cast] [aes] [none]
    Sets the IPSec ESP encryption methods. You must specify at least one method.

set espintegrity [md5] [sha1] [none]
    Sets the IPSec ESP integrity methods.
show vpn
    Note: Even though you can only configure Wireless Data Privacy settings from the Access Control Server or Integrated Access Manager, you can use the show vpn command from an Access Controller to view these settings.
    Shows the current Wireless Data Privacy settings.
show clients [mac ] [sort {mac | ip | user | machine | port | sessions | idle} ] [reverse]
    Lists all active clients. You can optionally sort the list by a number of criteria.
        MAC (Ethernet) address to display. Specified in the format xx:xx:xx:xx:xx:xx or xxxxxxxxxxxx (colons are optional).
        ... Deny  Deny  Accept  0  False  0  False  False
        ... (client rights abbreviated to save space)

        Active Sessions
        Protocol   Source
        --------   -----------------------------
        UDP        Client: 42.23.184.102:137
        TCP        Client: 42.23.184.102:1223
        TCP        Client: 42.23.184.102:1221
                   Actual: 42.23.184.
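The show clients command accepts a MAC in either of two spellings and sorts on one of seven keys, optionally reversed. As an added example (not the 700wl software's own code) the block below applies the same selection and sort semantics to a constructed client table; the records in CLIENTS, and the names normalize_mac, SORT_KEYS and show_clients, are inventions for this example.

```python
"""Apply the options of `show clients [mac <addr>] [sort <key>] [reverse]`
to a constructed client table.

Added example, not code from the 700wl guide or software; the sample
records and helper names are the author's own."""
import ipaddress
import re

# The CLI accepts xx:xx:xx:xx:xx:xx or xxxxxxxxxxxx; case is ignored here.
_COLON_FORM = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")
_PLAIN_FORM = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(text: str) -> str:
    """Return the MAC in canonical lower-case xx:xx:xx:xx:xx:xx form."""
    s = text.strip().lower()
    if _PLAIN_FORM.match(s):
        s = ":".join(s[i:i + 2] for i in range(0, 12, 2))
    if not _COLON_FORM.match(s):
        raise ValueError(f"not a MAC address: {text!r}")
    return s


# Constructed sample client table (all values made up for this example).
CLIENTS = [
    {"mac": "00:11:22:33:44:55", "ip": "42.23.184.102", "user": "alice",
     "machine": "alice-laptop", "port": "1/2", "sessions": 3, "idle": 15},
    {"mac": "0011223344AA", "ip": "42.23.184.9", "user": "bob",
     "machine": "bob-pc", "port": "1/1", "sessions": 1, "idle": 600},
    {"mac": "00:11:22:33:44:01", "ip": "42.23.185.1", "user": "carol",
     "machine": "printer-3", "port": "2/4", "sessions": 0, "idle": 3600},
]

# One key function per documented sort criterion. IP addresses and slot/port
# pairs are compared numerically, so 42.23.184.9 sorts before 42.23.184.102
# and port 1/10 sorts after 1/2 (a plain string sort would get both wrong).
SORT_KEYS = {
    "mac": lambda c: c["mac"],
    "ip": lambda c: ipaddress.ip_address(c["ip"]),
    "user": lambda c: c["user"].lower(),
    "machine": lambda c: c["machine"].lower(),
    "port": lambda c: tuple(int(x) for x in c["port"].split("/")),
    "sessions": lambda c: c["sessions"],
    "idle": lambda c: c["idle"],
}


def show_clients(clients, mac=None, sort=None, reverse=False):
    """Filter by MAC (either input spelling), then sort by the chosen key.
    With sort=None the table order is kept."""
    if sort is not None and sort not in SORT_KEYS:
        raise ValueError(f"sort must be one of {sorted(SORT_KEYS)}")
    rows = [dict(c, mac=normalize_mac(c["mac"])) for c in clients]
    if mac is not None:
        wanted = normalize_mac(mac)
        rows = [c for c in rows if c["mac"] == wanted]
    if sort is not None:
        rows = sorted(rows, key=SORT_KEYS[sort], reverse=reverse)
    elif reverse:
        rows = rows[::-1]
    return rows


if __name__ == "__main__":
    for c in show_clients(CLIENTS, sort="idle", reverse=True):
        print(c["mac"], c["ip"], c["user"], c["port"], c["sessions"], c["idle"])
```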
    If you respond Y to continue with the backup, the following reminder appears:

        NOTE: After creating the backup image, you must transfer it from this Integrated Access Manager onto your local computer.

store backup []
    Stores the backup on another system using FTP. This command can be used only after a backup has been created.
        The URL encoded location to store the backup.
show backup
    Displays information about the list of local backups and the status of a running store backup or get backup task. Output from this command is similar to the following:

        Backup image created Nov 25 17:25:22 2002.
        No backup image 'store' or 'get' in progress.

Upgrading the System Software

get upgrade [ reboot | version | mindowngrade ]
    Downloads a software release from a specified URL via FTP, HTTP, or TFTP.
        reboot         Automatically reboot after installing the upgrade. The upgraded software is activated when the system is rebooted.
        version        Displays the version of the software available for download at the specified URL. The software is not downloaded and the system is not restarted.
        mindowngrade   For the software version at the specified URL, displays the lowest version to which you may downgrade without requiring a factory reset.
cancel upgrade
    Cancels the current get upgrade task.

set upgradeproxy [on | off] [host [ ] ] [user [ ] ]
    Configures a proxy server for retrieving software releases via FTP.
        on | off   Enables and disables the proxy server.
        Specifies the proxy server IP address.
        (Optional) TCP port for the proxy server. The default is 3128.
shutdown
    Shuts down the system. You are prompted to confirm that you want to shut down the system:

        This operation will shutdown this system and users may lose their connections.
        Are you sure you want to shutdown this system [n]?

Resetting to Factory Defaults

factoryreset
    Resets all user configurable data to the factory defaults. This includes all network configuration parameters.
        • info: show all information, notice, warning, error, and critical log entries
        The maximum number of lines to be displayed. The default is 23.
        The number of time units to be displayed, in combination with the variable. If no "for" argument is given, the default is one day.
        The time unit associated with the .
    Translates to: nslookup -timeout=10

ping { | }
    Pings an IP address or a hostname. If the hostname is not qualified, the domain name (as specified by the set domainname command) is appended.
    Translates to: ping -c 3 or ping -c 3

debug ip [ /]
    Shows IP traffic on an interface. The default (no slot/port specified) is the configured uplink.
        /    The slot and port for which IP traffic should be displayed.
traceroute { | } [ [ [ ] ] ]
    Displays the traceroute for an IP address or hostname. If the hostname is not qualified, the domain name (as specified by the set domainname command) is appended.
        The maximum number of hops to trace. The default is 5.
        The maximum number of probes per hop. The default is 3.
        The maximum number of seconds to wait for each probe. The default is 2.
clear ntpserver
    Clears the NTP servers' IP addresses or hostnames. This command also disables the NTP service if it was enabled.

set ntp on | off
    Enables and disables the NTP service.

set datetime
    Manually sets the current local date and time.
        The current date, in yyyy/mm/dd format.
        The current time, in h24:mm format.
    This command also disables the NTP service if it was enabled.
    Controller. To modify these settings on an Access Controller, you must use the Administrative Console on the managing Access Control Server.

set snmp on | off
    Turns SNMP support on or off. Turning SNMP on enables read-only access to the MIB. Turning it on when already on, or off when already off, has no effect. By default, SNMP support is off.

set snmpport
    Sets the SNMP port. By default, the SNMP port is 161.

clear snmpport
    Resets the SNMP port to the default, port 161.
set snmpcontact
    Sets the SNMP sysContact object, defined in RFC 1213 as "the textual identification of the contact person for this managed node, together with information on how to contact this person."
    Note: You cannot set this object from an external manager via SNMP.

clear snmpcontact
    Clears the SNMP sysContact object.
    Note: You cannot clear this object from an external manager via SNMP.

set snmpcommunity
    Sets the SNMP read community string.
        Trap IP Address:      None
        Authorized Managers:  None

HP ProCurve Secure Access 700wl Series Management and Configuration Guide A-37
Appendix B  FILTER EXPRESSION SYNTAX

This appendix describes the syntax used to define user access rights (allowed traffic filters and redirected traffic filters), bridged traffic, and HTTP Proxy filters. It includes the following sections:

    Introduction                    B-1
    Filter Specification Syntax
Examples are: "fddi src myHost", "ip net 122.43", and "udp port 44". fddi is an alias for ether; they are treated identically as meaning "the data link level used on the specified network interface." FDDI headers contain Ethernet-like source and destination addresses, and often contain Ethernet-like packet types, so you can filter on these FDDI fields just as with the analogous Ethernet fields. (FDDI headers also contain other fields, but you cannot name them explicitly in a filter expression.
Table B-1. Allowable Primitives (Continued)

    Primitive           Explanation
    host host           True if either the source or destination of the packet is host.
    ether dst ehost     True if the Ethernet destination address is ehost. Ehost can be either a name from /etc/ethers or a number (see ethers(3N) for numeric format).
    ether src ehost     True if the Ethernet source address is ehost.
    ether host ehost    True if either the Ethernet source or destination address is ehost.
Table B-1. Allowable Primitives (Continued)

    Primitive                 Explanation
    ip6 proto protocol        True if the packet is an IPv6 packet of protocol type protocol. This primitive does not chase the protocol header chain.
    ip6 protochain protocol   True if the packet is an IPv6 packet and contains a protocol header with type protocol in its protocol header chain. For example, ip6 protochain 6 matches any IPv6 packet with a TCP protocol header in the protocol header chain.
Table B-1. Allowable Primitives (Continued)

    Primitive              Explanation
    ether proto protocol   True if the packet is of ether type protocol. Protocol can be a number or one of the names ip, ip6, arp, rarp, atalk, aarp, decnet, sca, lat, mopdl, moprc, iso, stp, ipx, or netbeui.
                           Note: These identifiers are also keywords and must be escaped via backslash (\). [In the case of FDDI (e.g., "fddi protocol arp") and Token Ring (e.g.
Table B-1. Allowable Primitives (Continued)

    Primitive          Explanation
    expr relop expr    True if the relation holds, where
                       • relop is one of >, <, >=, <=, =, !=
                       • expr is an arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators [+, -, *, /, &, |], a length operator, and special packet data accessors. To access data inside the packet, use the syntax protocol [expr: size].
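The packet data accessor protocol[expr:size] is what makes relational filters such as "tcp[13] & 2 != 0" (TCP SYN flag set) or "ip[2:2] > 1400" (IP total length) possible: it reads size bytes (1, 2 or 4) at byte offset expr from the start of the named protocol header and treats them as a big-endian integer. The block below is an added example, not code from this guide, that implements that accessor over a constructed Ethernet/IPv4/TCP frame so the offsets can be checked by hand; build_frame, header_offset, accessor and tcp_syn_to_port are names chosen for this example, and the frame contents are made up.

```python
"""Evaluate the Table B-1 packet data accessor protocol[expr:size] on a
constructed Ethernet/IPv4/TCP frame.

Added example, not code from the 700wl guide or software; all names and
the sample frame are the author's own."""
import struct


def build_frame() -> bytes:
    """Constructed sample frame: Ethernet + IPv4 + TCP SYN to port 80 + 16 bytes of payload."""
    # Ethernet header: destination MAC, source MAC, ethertype 0x0800 (IPv4)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    payload = b"GET / HTTP/1.0\r\n"  # 16 bytes
    # TCP header (20 bytes): sport 40000, dport 80, seq, ack, data offset 5 words,
    # flags 0x02 (SYN), window, checksum (left 0), urgent pointer
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4 header (20 bytes): version 4 / IHL 5, TOS, total length, id, flags/frag,
    # TTL 64, protocol 6 (TCP), checksum (left 0), source, destination
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes([42, 23, 184, 102]), bytes([192, 168, 10, 1]))
    return eth + ip + tcp + payload


def header_offset(frame: bytes, proto: str) -> int:
    """Byte offset of the named protocol header (ether, ip, tcp, udp) within the frame.
    The IP header length is taken from the IHL field, so options are handled."""
    if proto == "ether":
        return 0
    if frame[12:14] != b"\x08\x00":
        raise ValueError("frame does not carry IPv4")
    if proto == "ip":
        return 14
    ihl_bytes = (frame[14] & 0x0F) * 4
    ip_proto = frame[14 + 9]
    if proto == "tcp" and ip_proto == 6:
        return 14 + ihl_bytes
    if proto == "udp" and ip_proto == 17:
        return 14 + ihl_bytes
    raise ValueError(f"frame carries no {proto} header")


def accessor(frame: bytes, proto: str, expr: int, size: int = 1) -> int:
    """proto[expr:size]: `size` bytes at offset `expr` from the start of the
    proto header, as a big-endian unsigned integer. size defaults to 1."""
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2 or 4")
    start = header_offset(frame, proto) + expr
    chunk = frame[start:start + size]
    if expr < 0 or len(chunk) != size:
        raise ValueError("accessor runs outside the packet")
    return int.from_bytes(chunk, "big")


def tcp_syn_to_port(frame: bytes, port: int) -> bool:
    """Equivalent of the filter `tcp[13] & 2 != 0 and tcp[2:2] = port`:
    a TCP segment with the SYN flag set and the given destination port.
    A frame with no TCP header simply does not match."""
    try:
        return (accessor(frame, "tcp", 13) & 0x02) != 0 and accessor(frame, "tcp", 2, 2) == port
    except ValueError:
        return False


if __name__ == "__main__":
    f = build_frame()
    print("ethertype      ", hex(accessor(f, "ether", 12, 2)))
    print("ip[0] & 0xf    ", accessor(f, "ip", 0) & 0x0F)        # IHL in 32-bit words
    print("ip[2:2]        ", accessor(f, "ip", 2, 2))            # total length
    print("tcp[2:2]       ", accessor(f, "tcp", 2, 2))           # destination port
    print("tcp[13] & 2    ", accessor(f, "tcp", 13) & 0x02)      # SYN flag
    print("SYN to port 80?", tcp_syn_to_port(f, 80))
```

The length operator mentioned in the table corresponds to len(frame) on this representation; the example leaves it out because it needs no helper.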
Appendix C  CREATING CUSTOMIZED TEMPLATES

This appendix explains how to develop custom templates for the Logon page, the optional Logoff popup page, and the optional Guest Registration page. It includes the following sections:

    Introduction                              C-1
    A Simple Logon Page Template Example      C-2
    Logon Template Elements
A Simple Logon Page Template Example

The 700wl Series system logon page, in its simplest form, consists of two fields where the user enters his/her user name and password, and a button to invoke the logon function. Other optional elements can include a Logoff button, a Guest logon or Guest registration button, and possibly a display of the user name of the logged-on user and the time at which his/her rights will expire.
    @satmac()
    @interface()
    @java_works()
    @secret()
    @query()