Users’ Guide ProCurve Network Access Controller 800 www.procurve.
ProCurve Network Access Controller 800 Release 1.
© Copyright 2007 Hewlett-Packard Development Company, L.P. All Rights Reserved. This document contains information which is protected by copyright. Reproduction, adaptation, or translation without prior permission is prohibited, except as allowed under the copyright laws. Publication Number 5991-8571 August 2007 (rev-h) Trademark Credits Microsoft, Windows, Windows 95, and Microsoft Windows NT are registered trademarks of Microsoft Corporation. Internet Explorer is a trademark of Microsoft Corporation.
Contents

■ 1 Introduction: What you Need to get Started 1-2; NAC 800 Home Window 1-4; System Monitor 1-6; Overview 1-8; The NAC 800 Process
■ 2 Clusters and Servers: Single-server Installation 2-3; Multiple-server Installations 2-3
■ 3 System Configuration: Introduction 3-4; Enforcement Clusters and Servers 3-6; Enforcement Clusters; User Roles 3-37 (Adding a User Role 3-37; Editing User Roles 3-40; Deleting User Roles 3-41; Sorting the User Roles Area); Cluster Setting Defaults 3-95 (Testing Methods 3-95; Selecting Test Methods 3-95; Ordering Test Methods 3-96; Recommended Test Methods)
■ Endpoint actions: Selecting Endpoints to Act on; Acting on Selected Endpoints; Manually Retest an Endpoint; Immediately Grant Access to an Endpoint; Immediately Quarantine an Endpoint
■ Customizing Error Messages 5-40
■ 6 NAC Policies: Overview 6-2; Standard NAC Policies 6-4; NAC Policy Group Tasks 6-5; Add a NAC Policy Group
■ Untestable Endpoints and DHCP Mode 7-18
■ 8 High Availability and Load Balancing: High Availability 8-2; Load Balancing 8-6
■ 9 Inline Quarantine Method: Inline
■ Setting Up the Authenticator: Cisco® 2950 IOS; Cisco® 4006 CatOS; Enterasys® Matrix 1H582-25; Extreme® Summit 48si; ExtremeWare
■ Restoring from Backup 13-10; Restoring the Original Database 13-11; Generating a Support Package 13-11; Supported VPNs 13-12; Adding Custom Tests
■ A: Internet Explorer (IE) Local Intranet Security Zone A-7 (Description A-7; Test Properties A-7; How Does this Affect me? A-8; What Do I Need to Do?); Windows Media Player Hotfixes; Mac AirPort User Prompt; Mac AirPort WEP Enabled; MS Outlook Macros; MS Word Macros; Anti-virus (each with Description, Test Properties, How Does this Affect Me?, What Do I Need to Do?)
■ B: Minimum Font Size B-5; Page Caching B-6; Temporary Files B-7
■ C Installation and Configuration Check List: Minimum System Requirements
1 Introduction

Chapter Contents: What you Need to get Started 1-2; NAC 800 Home Window 1-4; System Monitor 1-6; Overview
What you Need to get Started

The following hardware and software are required to operate NAC 800:
■ One or more ProCurve NAC 800 appliances
■ Configuration information – See “Installation and Configuration Check List” on page C-1
■ An Internet connection or a web proxy server that allows outbound HTTPS communications from the MS
■ Workstation – A workstation running one of the following browsers with 128-bit encryption:
• Windows – Mozilla version 1.
3. ProCurve Network Access Controller 800 Users’ Guide – Refer to this document last for information on configuring, monitoring activities, creating NAC policies, and running reports.
NAC 800 Home Window

The NAC 800 Home window (figure 1-1) is a centralized management console that allows you to quickly assess the status of your network. The following list and figure describe and show the key features:
1. Important status announcements – If there is anything that needs your immediate attention, a status announcement is displayed at the top of the window. Click clear to remove the announcement.
2. User name
3. Top 5 failed tests area
4. Window actions
5. Navigation pane
6. Test status area
7. Access control status area
8. Enforcement server status area

Figure 1-1. NAC 800 Home Window (callouts 1–8 as listed above)
System Monitor

The System monitor window provides the following information:
■ Enforcement cluster name – The Enforcement clusters are listed by name in the order they were created. Click on a cluster name to view cluster details. You must have cluster-editing permissions to view and edit cluster details.
■ Server name by cluster – The servers for each cluster are listed by name in the order they were created. Click on a server name to view server details.

Figure 1-2. System Monitor Window (breadcrumbs for navigation are shown at the top of the window)

The following figure shows the legend for the System monitor window icons:

Figure 1-3. System Monitor Icon Legend
Overview

NAC 800 protects the network by ensuring that endpoints are free from threats and in compliance with the organization's IT security standards. NAC 800 systematically tests endpoints—with or without the use of a client or agent—for compliance with organizational security policies, quarantining non-compliant machines before they damage the network.
Test method trade-offs

ActiveX plug-in
Pros:
• No installation or upgrade to maintain.
• Supports all Windows operating systems.
• Only Internet Explorer application access is required through the personal firewall; port 1500 must be open.
Cons:
• No retesting of the endpoint once the browser is closed.
• Not supported by non-Windows operating systems.
• Browser security settings must allow ActiveX control operation of signed and safe controls. This is the default for the Internet zone.
■ Extensible – NAC 800’s easy-to-use open API allows administrators to create custom tests for meeting unique organizational requirements. The API is fully exposed and thoroughly documented. Custom tests are created using scripts and can be seamlessly added to existing policies.
■ Compatible with existing heterogeneous network infrastructure – No upgrades to your existing network infrastructure are required.
■ Automatic test updates – NAC 800 is automatically updated with tests that cover newly released patches, hotfixes, software updates, worms, and trojans, and recommended security settings for common applications. New tests are automatically added to the test database as frequently as hourly, ensuring immediate protection against newly discovered threats.
■ Organization-specific policies – Any number of NAC policies can be created and tailored to your organizational needs.

Compliance Enforcement

Based on endpoint test results, NAC 800 takes the appropriate action. Endpoints that test compliant with the applied policy are permitted access. Noncompliant endpoints are either quarantined, or are given access for a temporary period. Implement the necessary fixes during this period.
Technical Support

Technical support is available through www.procurve.com.

Additional Documentation

NAC 800 documentation is available in a number of media formats and is accessible in a variety of ways:
■ Quick-start card – The Quick-start card provides a high-level overview of the physical deployment options, software installation, post-installation configuration, the Users’ Guide, and how to get support.
Upgrading

Upgrading is described in “Checking for NAC 800 Upgrades” on page 3-27.

CAUTION: Installing third-party software on the NAC 800 server is not supported. If you install additional software on the NAC 800 server, you need to remove it in order to troubleshoot any NAC 800 issues, and it will likely be partially or fully overwritten during NAC 800 release upgrades or patch installs, compromising the third-party software’s functionality.
Conventions Used in This Document

The conventions used in this document are described in this section:

Navigation Paragraph
Navigation paragraphs provide a quick visual on how to get to the screen or area discussed. Example:
NAC 800 main window>>Configure system

Tip Paragraph
Tips provide helpful, but not required, information. Example:
TIP: Hover the cursor over the “x dhcp servers with errors” text to get additional information in a pop-up window.

Warning Paragraph
Warnings notify you of conditions that can lock your system or cause damage to your data. Example:
WARNING: Do not log in using SSH—this kills your session and causes your session to hang.

Bold Font
Bold font indicates the text that appears on a window or screen. Example:
9. If the Domains connection method is enabled (Credentials tab, enabled check box), you must specify your Windows domain controller here.
Courier Font
Courier font is used in the following cases:
■ Indicating path names – Change the working directory to the following:
C:\Program Files\\ProCurve NAC EI Agent
■ Indicating text; enter exactly as shown – Enter the following URL in the browser address field:
https://<IP address>/index.html
In this case, you must replace <IP address> with the actual IP address, such as 10.0.16.99. Do not type the angled brackets.
■ Indicating a variable section in a *.INI file –
[Global]
NASList=192.168.200.135
■ Indicating a list in a properties file –
Compliance.ObjectManager.DHCPConnectorServers=[192.168.51.130, 192.168.99.1]

Terms
Terms are defined in the “Glossary” on page D-1. Example:
MAC Media Access Control – The unique number that identifies a physical endpoint. Generally referred to as the MAC address.
Copying Files

Whenever you copy a file from one machine to another, copy it using a secure copy utility that uses the Secure Shell (SSH) protocol. The exact syntax of the copy command will vary based on the utility you use. Example:
10. Copy the /usr/local/nac/properties/NACAVPs.txt file from the NAC 800 server to the ACS server using PSCP (or other secure copy utility).

SCP
scp is a Linux/UNIX command used to copy files between Linux/UNIX machines.
To copy a file from a Windows machine to a Linux machine, enter the following:
<path>\pscp c:\documents\foo.txt fred@example.com:/tmp/foo
You will be prompted to enter a password for the Linux/UNIX machine.
NOTE: You can either enter the path to the PSCP.EXE file as part of the command (shown as <path> above), or cd to the directory where you saved the PSCP.EXE file before entering the pscp command.
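An SSH-based copy only protects the transfer if the remote host key is trusted deliberately rather than accepted on first contact. The following Python is an added example, not part of this guide or the appliance software: it checks whether a host is already pinned in an OpenSSH known_hosts file (plain, comma-listed or hashed |1|salt|hash entries) and only then builds an scp command that fails instead of prompting on an unknown key. The host names, the key material and the known_hosts text are constructed for the example.

```python
"""Check that a host's SSH key is already pinned before running scp.

Added example, not from the NAC 800 guide or the appliance. The host names
and the known_hosts content below are constructed for the example.
"""
import base64
import hashlib
import hmac


def hash_known_host(host, salt):
    """OpenSSH hashed-hostname form: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_is_known(known_hosts, host):
    """True if `host` matches a plain, comma-listed or hashed entry in `known_hosts`.
    Wildcard patterns are not expanded; @revoked lines never count as known."""
    for raw in known_hosts.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "@revoked":
            continue
        if fields[0] == "@cert-authority":
            fields = fields[1:]
        if len(fields) < 3:
            continue  # malformed entry: ignore rather than trust
        names = fields[0]
        if names.startswith("|1|"):
            try:
                _, _, salt_b64, hash_b64 = names.split("|")
                salt, digest = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
            except ValueError:
                continue
            computed = hmac.new(salt, host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(computed, digest):
                return True
        elif host in names.split(","):
            return True
    return False


def scp_command(local_path, remote_spec, known_hosts_path):
    """Argument vector for a copy that fails instead of prompting on an unknown key."""
    return ["scp", "-o", "StrictHostKeyChecking=yes",
            "-o", "UserKnownHostsFile=%s" % known_hosts_path, local_path, remote_spec]


# Constructed known_hosts content: one plain entry, one hashed entry.
_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# keys pinned after an out-of-band fingerprint check",
    "acs.example.com,10.0.16.50 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterial",
    hash_known_host("nac800.example.com", _SALT) + " ssh-rsa AAAAB3NzaC1yc2EAAAAExampleKeyMaterial",
])


def copy_plan(local_path, user, host, remote_path, known_hosts=SAMPLE_KNOWN_HOSTS):
    """Return the scp argv if the host is pinned, else None (verify its fingerprint first)."""
    if not host_is_known(known_hosts, host):
        return None
    return scp_command(local_path, "%s@%s:%s" % (user, host, remote_path), "known_hosts")


if __name__ == "__main__":
    for h in ("acs.example.com", "nac800.example.com", "rogue.example.com"):
        plan = copy_plan("/usr/local/nac/properties/NACAVPs.txt", "fred", h, "/tmp/NACAVPs.txt")
        print(h, "->", " ".join(plan) if plan else "NOT pinned; verify fingerprint first")
```

The same rule applies to PSCP on Windows: it keeps its own host-key cache in the registry, so the first copy to a new host should be preceded by comparing the fingerprint it shows against one obtained out of band.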
2 Clusters and Servers

Chapter Contents: Overview 2-2; Installation Examples
Overview

NAC 800 uses clusters and servers. A "cluster" is a logical grouping of one or more Enforcement servers (ESs) that are managed by one Management server (MS). A single-server installation is one where the MS and ES are on one server; the ES is assigned to a Default cluster. This configuration is illustrated in figure 2-1. A multiple-server installation is one where the MS is on one server and there are one or more ESs on separate servers.
Installation Examples

Single-server Installation
The simplest installation is where the MS and ES are installed on the same physical server as shown in the following figure:

Figure 2-1. Single-server Installation

Multiple-server Installations
By using at least three servers, one for the MS and two for Enforcement servers, you gain the advantage of high availability and load balancing. High availability is where Enforcement servers take over for any other Enforcement server or servers that become unavailable. Load balancing is where the testing of endpoints is spread evenly over all of the Enforcement servers. A three-server installation is shown in the following figure:

Figure 2-2.

When your network is more complex, you can continue to add clusters as shown in the following figure:

Figure 2-3. Multiple-server, Multiple-cluster Installation

The system configuration area allows you to select default settings for all clusters, as well as override the default settings on a per-cluster basis. See “System Configuration” on page 3-1 for task-based instructions.
3 System Configuration

Chapter Contents: Introduction 3-4; Enforcement Clusters and Servers 3-6; Enforcement Clusters 3-7; Adding an Enforcement Cluster; Sorting the User Account Area 3-33; Copying a User Account 3-33; Editing a User Account 3-34; Deleting a User Account 3-35; User Roles; Maintenance 3-91; Initiating a New Backup 3-91; Restoring From a Backup 3-93; Downloading Support Packages 3-94; Cluster Setting Defaults
Introduction

User logins and associated user roles determine the access permissions for specific functionality within NAC 800.

■ Quarantining – “Quarantining” on page 3-49
■ Maintenance – “Maintenance” on page 3-91
■ Cluster setting defaults
• Testing Methods – “Testing Methods” on page 3-95
• Accessible services – “Accessible Services” on page 3-98
• Exceptions – “Exceptions” on page 3-100
• Notifications – “Notifications” on page 3-102
• End-user screens – “End-user Screens” on page 3-104
• Agentless credentials – “Agentless Credentials” on page 3-107
• Logging – “Logging”
Enforcement Clusters and Servers

The Enforcement clusters & servers menu option (figure 3-3) is where you configure Enforcement clusters and servers.
Enforcement Clusters

Adding an Enforcement Cluster
To add an Enforcement cluster:
NAC 800 Home window>>System configuration>>Enforcement clusters & servers

Figure 3-1. System Configuration Window

1. Click Add an Enforcement cluster in the Enforcement clusters & servers area. The Add Enforcement cluster window appears. The General area is displayed by default.

Figure 3-2. Add Enforcement Cluster Window

a. Enter a name for the Enforcement cluster in the Cluster name field.
TIP: You can also access the quarantine area of the Enforcement cluster by clicking Quarantining in the System configuration window (see “Quarantining” on page 3-49 for more information).
3. The following cluster settings take on default values set from the System configuration window.
• Advanced
3. Enter or change information in the fields you want to modify, as described in “Adding an Enforcement Cluster” on page 3-7.
4. Click ok.
Click a cluster name, for example Austin. The Enforcement cluster window appears:

Figure 3-3. Enforcement Cluster Window, General Option

The statistics shown in this window are per cluster, whereas the statistics shown in the Home window are system-wide.

Deleting Enforcement Clusters
NOTE: Enforcement clusters need to be empty before the delete option appears next to the name in the NAC 800 console.
1. Click delete next to the cluster you want to remove. The Delete Enforcement cluster confirmation window appears.
2. Click yes. The System configuration window appears (figure 3-1).
Enforcement Servers

Adding an Enforcement Server
To add an Enforcement server:
NAC 800 home window>>System configuration>>Enforcement clusters & servers

Figure 3-4.

1. Click Add an Enforcement server in the Enforcement clusters & servers area. The Add Enforcement server window appears.

Figure 3-5. Add Enforcement Server Window

2. Select a cluster from the Cluster drop-down list.
3. Enter the IP address for this Enforcement server in the IP address text box.
4. Enter the fully qualified hostname to set on this server in the Host name text box.
Cluster and Server Icons
The following figure shows the legend explaining the Enforcement cluster and server status icons:

Figure 3-6. Enforcement Cluster Legend

Editing Enforcement Servers
To edit Enforcement server settings:
NAC 800 Home window>>System configuration>>Enforcement clusters & servers
1. Click the Enforcement server you want to edit. The Enforcement server window appears, as shown in Figure 3-7 on page 3-16.
2. Click the Configuration menu option to access the Enforcement server’s settings. The Configuration area is displayed:

Figure 3-7. Enforcement Server Configuration Window
Changing the Enforcement Server Network Settings

CAUTION: Back up your system immediately after changing the MS or ES IP address. If you do not back up with the new IP address and later restore your system, the restore brings back the previous IP address, which can show an ES error condition and cause authentication problems. See “Maintenance” on page 3-91 for instructions on backing up and restoring your system.
NAC 800 Home window>>System configuration>>Enforcement clusters & servers>>Select an ES>>Configuration
1. Select a region from the Region drop-down list in the Date and time area.
2. Select a time zone from the Time zone drop-down list.
3. Click ok.
NOTE: See “Selecting the Time Zone” on page 3-26 for information on changing the time zone settings for the Management server.

• Percentage of memory used on the server
• Disk space usage for the server

To view Enforcement server status:
NAC 800 Home window>>System configuration>>Enforcement clusters & servers
1. Click the server for which you want to view the status. The Enforcement server window appears:

Figure 3-8. Enforcement Server Window, Status Option

2. Click ok or cancel.

Deleting Enforcement Servers
NOTE: Servers need to be powered down for the delete option to appear next to the name in the NAC 800 console.

To delete Enforcement servers:
NAC 800 Home window>>System configuration>>Enforcement clusters & servers
1. Click delete next to the server you want to remove from the cluster. The Delete Enforcement server confirmation window appears.
2. Click yes. The System configuration window appears.
Management Server

Viewing Network Settings
To view Management server status:
NAC 800 Home window>>System configuration>>Management server

Figure 3-9. System Configuration, Management Server Window

1. Server status is shown in the Network settings area.
2. Click ok or cancel.
Modifying Management Server Network Settings

CAUTION: Back up your system immediately after changing the MS or ES IP address. If you do not back up with the new IP address and later restore your system, the restore brings back the previous IP address, which can show an ES error condition and cause authentication problems. See “Maintenance” on page 3-91 for instructions on backing up and restoring your system.
To select a proxy server:
NAC 800 Home window>>System configuration>>Management server
1. Select Use a proxy server for Internet connections.
2. Enter the IP address of the server that will act as the proxy for Internet connections in the Proxy server IP address text field.
3. Enter the port used for connecting to the proxy server in the Proxy server port text field.

• Set time
NOTE: Date and time settings are applied to the MS; however, you can set the time zone for each ES.

Automatically Setting the Time
To automatically set the time:
NAC 800 Home window>>System configuration>>Management server
1. Select Automatically receive NTP updates from and enter one or more Network Time Protocol (NTP) servers, separated by commas.
3. Select the correct date and time.
4. Click ok.
5. Click ok.

CAUTION: Manually changing the date/time by a large amount (other than a time zone change) will require a restart of all servers. Rolling back the clock will have adverse effects on the system.

Selecting the Time Zone
To set the time zone:
NAC 800 Home window>>System configuration>>Management server
1. Select the following:
NAC 800 Home window>>System configuration>>Management server
1. Enter the new password in the Root password text box in the Other settings area.
2. Re-enter the password in the Re-enter root password text box.
3. Click ok.

Checking for NAC 800 Upgrades
To check for system upgrades:
NAC 800 Home window>>System configuration>>Management server
1. Click check for upgrades in the System upgrade area. A progress window appears.
2. Enter the following at the command line:
setProperty.py -m Compliance.UpgradeManager.UpgradeTimeout=<minutes>
Where <minutes> is the number of minutes of inactivity NAC 800 will wait before requiring the user to log in to the console again. For example, 30.
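The properties-file convention shown under “Conventions Used in This Document” (a scalar key=value line, or a bracketed list such as Compliance.ObjectManager.DHCPConnectorServers=[192.168.51.130, 192.168.99.1]) and the setProperty step above both come down to editing one key in that format. The Python below is an added example, not this guide's content and not the appliance's own setProperty.py: it parses that format, validates the two keys named on this page before writing them (a positive minute count, a list of well-formed IPv4 addresses) and rewrites a single key in place. The file content is constructed for the example; the validators for keys the guide does not describe are an assumption.

```python
"""Parse, validate and update NAC 800-style properties lines.

Added example, not the appliance's setProperty.py. SAMPLE is constructed.
"""
import ipaddress
import re

# key=value, with optional surrounding whitespace; values may be [a, b] lists
_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")


def parse_properties(text):
    """Return {key: str | list[str]}; bracketed values become lists of strings."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("malformed property line: %r" % raw)
        key, value = m.groups()
        if value.startswith("[") and value.endswith("]"):
            inner = value[1:-1].strip()
            props[key] = [v.strip() for v in inner.split(",")] if inner else []
        else:
            props[key] = value
    return props


def format_value(value):
    return "[" + ", ".join(value) + "]" if isinstance(value, list) else str(value)


def _positive_minutes(v):
    return isinstance(v, str) and v.isdigit() and int(v) > 0


def _ipv4_list(v):
    if not isinstance(v, list):
        return False
    try:
        for x in v:
            ipaddress.IPv4Address(x)   # raises AddressValueError on junk
    except ipaddress.AddressValueError:
        return False
    return True


# Validators for the two keys this page names (assumed semantics: minutes > 0,
# and a list of IPv4 addresses). Keys not listed here are written unchecked.
VALIDATORS = {
    "Compliance.UpgradeManager.UpgradeTimeout": _positive_minutes,
    "Compliance.ObjectManager.DHCPConnectorServers": _ipv4_list,
}


def set_property(text, key, value):
    """Return `text` with `key` set to `value` (validated), appending it if absent."""
    check = VALIDATORS.get(key)
    if check is not None and not check(value):
        raise ValueError("refusing to set %s to %r" % (key, value))
    new_line = "%s=%s" % (key, format_value(value))
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        m = _LINE.match(raw)
        if m and m.group(1) == key:
            lines[i] = new_line
            break
    else:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


def rejects(text, key, value):
    """True if set_property refuses the value (used to show the validation path)."""
    try:
        set_property(text, key, value)
    except ValueError:
        return True
    return False


SAMPLE = (
    "# constructed sample, not a real appliance file\n"
    "Compliance.ObjectManager.DHCPConnectorServers=[192.168.51.130, 192.168.99.1]\n"
    "Compliance.UpgradeManager.UpgradeTimeout=15\n"
)

if __name__ == "__main__":
    print(parse_properties(SAMPLE))
    print(set_property(SAMPLE, "Compliance.UpgradeManager.UpgradeTimeout", "30"))
```

Validating before writing matters on an appliance: a typo in a list of DHCP connector servers or a zero timeout is otherwise discovered only when the affected service next restarts.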
User Accounts

NAC 800 allows you to create multiple user accounts. User accounts provide and limit access to NAC 800 functions based on permissions (user roles) and clusters assigned. See “User Roles” on page 3-37 for more information on setting permissions for the user roles.

Figure 3-11.

1. Click Add a user account. The Add user account window appears:

Figure 3-12. Add User Account
• Cluster Administrator
• View-Only User
• System Administrator
• Help Desk Technician
• You can select a custom user role if you have created any.
NOTE: Users must be assigned at least one role.
5. In the Clusters area, select a cluster or clusters.
NOTE: Users must be assigned at least one Enforcement cluster.

2. Enter the text to search for in the for field.
3. Click search.
TIP: Click reset to clear the text field and to refresh the display to show all accounts after a search.

Sorting the User Account Area
To sort the user account area:
NAC 800 Home window>>System configuration>>User accounts
Click the column heading for user id, full name, email address, user roles, or clusters. The user accounts reorder according to the column heading selected.
1. Click copy next to the user account you want to duplicate. The Copy user account window appears. The account information is duplicated from the original account.

Figure 3-13. Copy User Account

2. Enter the User ID of the new account.
3. Enter the Password.
4. Re-enter the password.
5. Select the Account status (enable or disable).
6. Select the User role for the account.
7. Select the Cluster(s) that the user account can access.
8. Click ok.

NAC 800 Home window>>System configuration>>User accounts
1. Click the name of the user account that you want to edit. The User account window appears:

Figure 3-14. User Account

2. Change or enter information in the fields you want to change. See “Adding a User Account” on page 3-29 for information on user account settings.
3. Click ok.

Deleting a User Account
You must always have at least one account with System Administrator permissions.

To delete a user account:
NAC 800 Home window>>System configuration>>User accounts
1. Click delete next to the user account you want to remove. The Delete user account confirmation window appears.
2. Click yes.
User Roles

The User roles menu option allows you to configure the following:
■ View current user roles and details associated with those roles
■ Add a new user role
• Name the new user role
• Provide a detail description for the new user role
• Assign permissions to the new user role
■ Edit a user role
• Edit the name of the user role
• Edit the detail description of the user role
• Edit the assigned permissions for the user role
■ Delete a user role

Adding a User Role

Figure 3-15.
System Configuration User Roles 1. Click add a user role in the User roles area. The Add user role window appears. Figure 3-16. Add User Role Window 2. Enter a descriptive name in the Role name field. 3. Enter a description of the role in the Description field. 4. Select the permissions for the user role.
Table 3-3. User Role Permissions (cont.)

Permission              Description
Manage NAC policies     Allows you to manage the NAC policies for all of your clusters
View endpoint activity  Allows you to view details about all endpoints in your clusters
Monitor system status   Allows you to monitor the system status
Control Access          Allows you to quarantine or grant network access to endpoints in your clusters
Retest endpoints        Allows you to have endpoints in your clusters retested
1. Click the role you want to edit. The user role window appears:
Figure 3-17. User Role Window
2. Enter the information in the fields you want to change. See “Adding a User Role” on page 3-37 for information on user role settings.
3. Click ok.

Deleting User Roles
NOTE: You cannot delete the System Administrator role.
To delete user roles:
NAC 800 Home window>>System configuration>>User roles
1. Click delete next to the user role you want to remove.

Sorting the User Roles Area
To sort the user roles area:
NAC 800 Home window>>System configuration>>User roles
1. Click the user role name or description column heading. The selected category sorts in ascending or descending order.
2. Click ok.
License
The License menu option allows you to configure the following:
■ View license start and end dates
■ View number of days remaining on license, and associated renewal date
■ View remaining endpoints and servers available under license

Updating Your License
To update your license:
NAC 800 Home window>>System configuration>>License
Figure 3-18. System Configuration Window, License
1. Click submit license request.
2. Click ok on the license validated pop-up window.
Test Updates
The Test updates menu option allows you to configure the following:
■ View last successful test update date/time
■ Check for test updates (forces an immediate check for test updates)
■ Set time or times for downloading test updates
■ View test update logs

Manually Checking for Test Updates
To manually check for test updates:
NAC 800 Home window>>System configuration>>Test updates
Figure 3-19. System Configuration Window, Test Updates
1. In the Last successful test update area, click check for test updates.
2. Click ok.
NOTE: It is important to check for test updates during the initial configuration of NAC 800.

1. Using the hour check boxes, select the time periods in which you would like NAC 800 to check for available test updates. By default, NAC 800 checks once every hour using the ProCurve Secure Rule Distribution Center. All times listed are dependent upon the clock setting and time zone of the hardware on which NAC 800 is running.
2. Click ok.

1. Click the View test update log link just to the right of the Check for test updates button. The Test update log window appears:
Figure 3-20. Test Update Log Window
The Test update log window legend is shown in the following figure:
Figure 3-21.
Quarantining
The Quarantining menu option allows you to configure the following by cluster:
■ Select the quarantine method
■ Basic 802.1X settings
■ Set up authentication method
■ Add, edit, delete 802.

Figure 3-22. System Configuration Window, Quarantining
1. Select a cluster.
2. In the Quarantine method area, select one of the following quarantine methods:
• 802.1X – When using the 802.1X quarantine method, NAC 800 must sit in a place on the network where it can communicate with your RADIUS server, which communicates with your switch or router, which performs the quarantining.
• Inline – When using the inline quarantine method, NAC 800 must be placed on the network where all traffic to be quarantined passes through NAC 800. It must be inline with an endpoint like a VPN.
3. Click ok.

Entering Basic 802.1X Settings
To enter basic 802.1X settings:
NAC 800 home window>>System configuration>>Quarantining>>802.1X quarantine method radio button
1. Enter an IP address in the Identity Driven Manager (IDM) server IP address text field.
2.
3.
• Windows domain – Authentication requests are handled by a Windows domain through the NTLM protocol. The Enforcement server must be able to join the domain for this to work. See “Configuring Windows Domain Settings” on page 3-52 for more information.
• OpenLDAP – User credentials are queried from an OpenLDAP directory service. See “Configuring OpenLDAP Settings” on page 3-54 for more information.
1. Select Windows domain from the End-user authentication method drop-down list.
Figure 3-23. System Configuration, Windows Domain Window
2. Enter the Fully Qualified Domain Name (FQDN) of the domain to be joined in the Domain name text field.
3. Enter the user name of an account with sufficient administrative rights to join an Enforcement server to the domain in the Administrator user name text field.
4. Enter the password of the account entered into the Administrator user name field in the Administrator password text field.
5. Enter the list of domain controllers, separated by commas, for this domain in the Domain controllers text field.
6. To test the Windows domain settings:
a.
1. Select OpenLDAP from the End-user authentication method drop-down list.
Figure 3-24.
2. Enter the LDAP server hostname or IP address and optional port number in the Server text field. For example: 10.0.1.2:636
3. Enter the DN under which LDAP searches should be done in the Identity text field. For example: cn=admin,o=My Org,c=UA
4. Enter the password that authenticates the DN entered into the Identity text field in the Password text field.
5. Type the same password you entered into the Password field in the Reenter password field.
6.
Configuring Novell eDirectory Settings
To configure Novell eDirectory settings:
NAC 800 home window>>System configuration>>Quarantining>>802.
1. Select Novell eDirectory from the End-user authentication type drop-down list.
Figure 3-25.
2. Enter the LDAP server hostname or IP address and optional port number in the Server text field. For example: 10.0.1.2:636
3. Enter the Distinguished Name (DN) under which LDAP searches should be done in the Identity text field. For example: cn=admin,o=My Org,c=UA
4. Enter the password that authenticates the DN entered into the Identity text field in the Password text field.
5.
11. Click ok.

Adding 802.1X Devices
To add an 802.1X device:
NAC 800 home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 3-26. Add 802.1X Device Window
1. Enter the IP address of the 802.1X device in the IP address text field.
2. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
3.
7.
• HP ProCurve switch – See “HP ProCurve Switch” on page 3-73.
• HP ProCurve WESM – See “HP ProCurve WESM” on page 3-76.
• HP ProCurve 420/530 AP – See “HP ProCurve 420 AP or HP ProCurve 530 AP” on page 3-79.
• Nortel – See “Nortel” on page 3-81.
• Other – See “Other” on page 3-83.
Click ok.

Testing the Connection to a Device
To test the connection to an 802.1X device:
NOTE:
NAC 800 home window>>System configuration>>Quarantining>>802.
3. Click test connection to device.

Cisco IOS
To add a Cisco IOS device:
NAC 800 home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 3-28. Add Cisco IOS Device Window
1. Enter the IP address of the Cisco IOS device in the IP address text field.
2. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
4. Enter an alias for this device that appears in log files in the Short name text field.
5. Select Cisco IOS from the Device type drop-down list.
6. Select telnet or SSH from the Connection method drop-down list.
7. Enter the User name with which to log into the device's console.
8. Enter the Password with which to log into the device's console.
9. Re-enter the console password.
10. Enter the Cisco port mask in the text field.
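The shared secret entered in step 2 is what lets each side check that a RADIUS packet came from the peer holding the same secret. The Python below is an added illustration, not code from NAC 800 or from this guide: it implements the two uses of the secret that the page names, as RFC 2865 defines them, signing a reply (the Response Authenticator, an MD5 over the packet and the secret) and hiding the User-Password attribute. The secret, the Request Authenticator and the attribute bytes are constructed sample values, and all function names are the example's own.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes used here (RFC 2865).
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: a reply is signed with
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret).
    Only a party holding the shared secret can produce or check this value."""
    length = HEADER_LEN + len(attrs)
    data = struct.pack("!BBH", code, ident, length) + request_auth + attrs + secret
    return hashlib.md5(data).digest()


def sign_response(code, ident, request_auth, attrs, secret):
    """Build a complete reply packet whose authenticator field is the signature."""
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + auth + attrs


def verify_response(packet, request_auth, secret):
    """Check a reply against the Request Authenticator we sent and our copy of the
    secret. A mismatch means a wrong secret on one side, corruption, or a forged reply."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attrs = packet[HEADER_LEN:length]
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


def hide_password(password, request_auth, secret):
    """RFC 2865 section 5.2 User-Password hiding: each 16-byte block of the padded
    password is XORed with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden, request_auth, secret):
    """Inverse of hide_password; the RADIUS server does this on receipt."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed sample values: a secret, a Request Authenticator and one
    # Session-Timeout (type 27) attribute of 3600 seconds.
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))
    attrs = b"\x1b\x06\x00\x00\x0e\x10"
    reply = sign_response(ACCESS_ACCEPT, 7, req_auth, attrs, secret)
    print("reply verifies with correct secret:", verify_response(reply, req_auth, secret))
    print("reply verifies with wrong secret:  ", verify_response(reply, req_auth, b"other"))
```

If every reply from one device fails verification, the secret typed into the Add 802.1X device window differs from the one configured on the switch; the short name from step 4 is what identifies the device in the log. The password hiding is an MD5-derived XOR keystream rather than authenticated encryption, so the length and unpredictability of the shared secret are what protect the exchange.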
Figure 3-29. Add Cisco CatOS Device Window
1. Enter the IP address of the Cisco CatOS device in the IP address text field.
2. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
3. Re-enter the shared secret in the Re-enter shared secret text field.
4. Enter an alias for this device that appears in log files in the Short name text field.
5.
9. Re-enter the console password.
10. Enter the password with which to enter enable mode.
11. Re-enter the enable mode password.
12. Enter the networks (using CIDR notation) that this device is in direct control over in the Network list text field. This is only necessary if the device does not send its IP address with its supplicant request.
13. Enter the Cisco port mask in the text field.
Figure 3-30. Add Enterasys Device Window
1. Enter the IP address of the Enterasys device in the IP address text field.
2. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
3. Re-enter the shared secret in the Re-enter shared secret text field.
4. Enter an alias for this device that appears in log files in the Short name text field.
5.
10. Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet/SSH console can remain idle or unused before it is reset.
11. Select the Show scripts plus symbol to show the following scripts:
• Initialization script – The expect script used to log into the console and enter enable mode.
• Re-authentication script – The expect script used to perform endpoint re-authentication.
• Exit script – The expect script used to exit the console.
12.
Figure 3-31. Add ExtremeWare Device Window
1. Enter the IP address of the ExtremeWare device in the IP address text field.
2. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
3. Re-enter the shared secret in the Re-enter shared secret text field.
4. Enter an alias for this device that appears in log files in the Short name text field.
5.
11. Select the Show scripts plus symbol to show the following scripts:
• Initialization script – The expect script used to log into the console and enter enable mode.
• Re-authentication script – The expect script used to perform endpoint re-authentication.
• Exit script – The expect script used to exit the console.
12. Click ok.
TIP: Click revert to defaults to restore the default settings.
Figure 3-32. Add Extreme XOS Device Window
1. Enter the IP address of the Extreme XOS device in the IP address text field.
2. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
3. Re-enter the shared secret in the Re-enter shared secret text field.
4. Enter an alias for this device that appears in log files in the Short name text field.
5.
10. Select the Show scripts plus symbol to show the following scripts:
• Initialization script – The expect script used to log into the console and enter enable mode.
• Re-authentication script – The expect script used to perform endpoint re-authentication.
• Exit script – The expect script used to exit the console.
11. Click ok.
TIP: Click revert to defaults to restore the default settings.
Figure 3-33. Add Foundry Device Window
1. Enter the IP address of the Foundry device in the IP address text field.
2. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
3. Re-enter the shared secret in the Re-enter shared secret text field.
4. Enter an alias for this device that appears in log files in the Short name text field.
5.
10. Enter the password with which to enter enable mode.
11. Re-enter the enable mode password.
12. Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet/SSH console can remain idle or unused before it is reset.
13. Select the Show scripts plus symbol to show the following scripts:
• Initialization script – The expect script used to log into the console and enter enable mode.
Figure 3-34. Add HP ProCurve Device Window
1. Enter the IP address of the HP ProCurve device in the IP address text field.
2. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
3. Re-enter the shared secret in the Re-enter shared secret text field.
4. Enter an alias for this device that appears in log files in the Short name text field.
5.
8.
9.
c. To help confirm accuracy, type the same password you entered into the Password field in the Re-enter Password field.
d. Enter the Enable mode user name that is used to enter enable mode on this device.
e. Enter the Password used to enter enable mode on this device.
f. To help confirm accuracy, type the same password you entered into the Enable password field in the Re-enter Password field.
g.
– NULLOBJ
d. Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field.
e. Select the Use a different OID for MAC authentication check box to reauthenticate using a different OID when the supplicant request is for a MAC authenticated device.
  i. Enter the Re-authenticate OID used to re-authenticate an endpoint.
Figure 3-35. Add HP ProCurve WESM Device Window
1. Enter the IP address of the HP ProCurve WESM device in the IP address text field.
2. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
3. Re-enter the shared secret in the Re-enter shared secret text field.
4. Enter an alias for this device that appears in log files in the Short name text field.
5.
7. Enter the OID used to re-authenticate an endpoint in the Re-authenticate OID text field. The strings "${Port}" and "${MAC_DOTTED_DECIMAL}" will be substituted for the port and MAC address of the endpoint to be reauthenticated.
8. Select the type of the re-authentication OID from the OID type drop-down list:
9.
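The placeholders in step 7 are the only parts of the re-authenticate OID that change per endpoint, so a mistyped placeholder or an oddly formatted MAC address yields an SNMP set against an object that does not exist. The Python below is an added example, not NAC 800's own substitution code: it renders the template the way the page describes, treating "dotted decimal" as each MAC octet written in decimal and joined with dots (an assumption about the format), and rejects templates with unknown placeholders or results that are not numeric OIDs. The template used in the demo is a constructed placeholder, not a real vendor OID, and the function names are the example's own.

```python
import re
from string import Template

# The two placeholders the page says NAC 800 substitutes into the re-authenticate OID.
KNOWN_PLACEHOLDERS = {"Port", "MAC_DOTTED_DECIMAL"}
PLACEHOLDER_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
OID_RE = re.compile(r"\d+(\.\d+)+")


def mac_to_dotted_decimal(mac):
    """Assumption: 'dotted decimal' means the six octets as decimal numbers joined by dots,
    e.g. 00:11:22:aa:bb:cc -> 0.17.34.170.187.204. Accepts colon, dash or dot separators."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(str(int(digits[i:i + 2], 16)) for i in range(0, 12, 2))


def unknown_placeholders(template):
    """Placeholder names in the template that NAC 800 would not substitute (e.g. typos)."""
    return sorted(set(PLACEHOLDER_RE.findall(template)) - KNOWN_PLACEHOLDERS)


def render_reauth_oid(template, port, mac):
    """Substitute the port and MAC into the template and check the result is a numeric OID."""
    bad = unknown_placeholders(template)
    if bad:
        raise ValueError(f"unknown placeholder(s) in OID template: {bad}")
    if not isinstance(port, int) or port < 1:
        raise ValueError(f"port must be a positive integer, got {port!r}")
    oid = Template(template).substitute(
        Port=str(port), MAC_DOTTED_DECIMAL=mac_to_dotted_decimal(mac))
    if not OID_RE.fullmatch(oid):
        raise ValueError(f"rendered value is not a numeric OID: {oid!r}")
    return oid


if __name__ == "__main__":
    # Constructed placeholder template; a real device template comes from the vendor.
    template = "1.3.6.1.4.1.0.1.${Port}.${MAC_DOTTED_DECIMAL}"
    print(render_reauth_oid(template, 12, "00:11:22:aa:bb:cc"))
```

Checking the template before saving it is cheaper than diagnosing a re-authentication that silently does nothing; the same check applies to the OID on the HP ProCurve switch and 420/530 AP windows, which use the same placeholders.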
TIP: Click revert to defaults to restore the default settings.

HP ProCurve 420 AP or HP ProCurve 530 AP
To add an HP ProCurve 420 AP or HP ProCurve 530 AP device:
NAC 800 home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 3-36. Add HP ProCurve 420/530 AP Device Window
1. Enter the IP address of the HP ProCurve 420 AP or HP ProCurve 530 AP device in the IP address text field.
2.
3. Re-enter the shared secret in the Re-enter shared secret text field.
4. Enter an alias for this device that appears in log files in the Short name text field.
5. Select ProCurve 420 AP or ProCurve 530 AP from the Device type drop-down list.
6. Enter the Community string used to authorize writes to SNMP objects.
7. Enter the OID used to re-authenticate an endpoint in the Re-authenticate OID text field.
– HEX STRING
– DECIMAL STRING
– BITS
– NULLOBJ
c. Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field.
TIP: Click revert to defaults to restore the default settings.

Nortel
To add a Nortel device:
NAC 800 home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.
Figure 3-37. Add Nortel Device Window
1. Enter the IP address of the Nortel device in the IP address text field.
2. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
3. Re-enter the shared secret in the Re-enter shared secret text field.
4. Enter an alias for this device that appears in log files in the Short name text field.
5.
9. Re-enter the console password.
10. Enter the Enable mode user name.
11. Enter the password with which to enter enable mode.
12. Re-enter the enable mode password.
13. Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet/SSH console can remain idle or unused before it is reset.
14. Select the Device is stacked check box if the device is in a stacked configuration.
15.
Figure 3-38. Add Other Device Window
1. Enter the IP address of the new device in the IP address text field.
2. Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign packets between the device and RADIUS server.
3. Re-enter the shared secret in the Re-enter shared secret text field.
4. Enter an alias for this device that appears in log files in the Short name text field.
5.
9. Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet/SSH console can remain idle or unused before it is reset.
10. Select the Show scripts plus symbol to show the following scripts:
NOTE: You must enter the script contents yourself for the 802.1X device you are adding.
• Initialization script – The expect script used to log into the console and enter enable mode.
Figure 3-39. DHCP Enforcement Window
1. Select one of the following radio buttons:
• Enforce DHCP requests from all IP addresses – Allows DHCP requests from all IP addresses.
• Restrict enforcement of DHCP requests to these relay agent IP addresses – Specify individual DHCP relay agent IP addresses, separated by carriage returns, in the text box.
quarantined subnets. This limits the enforcement scope to DHCP requests relayed via these IP addresses, allowing you to restrict enforcement to only those DHCP requests which are forwarded via particular routers or layer-3 switches. If set, DHCP traffic coming from a source IP not listed will be passed without intervention.
NOTE: Construction of the DHCP relay packet's source IP address is vendor-dependent.

NOTE:
1. In the Add quarantine area window, enter the following information:
• Quarantined subnet – The CIDR network that represents the IP space and netmask.
• DHCP IP Range – The start and end DHCP IP addresses to be assigned to quarantined endpoints.
• Gateway – The gateway temporarily assigned to endpoints.
• Domain suffix – The domain name assigned to DHCP clients.
TIP: To set up multiple quarantine areas, click Add a quarantine area, then enter the information detailed in step 1 for each additional quarantine area.
3. Click ok.

Sorting the DHCP Quarantine Area
To sort the quarantine area:
1.
2.

1. Click edit next to the quarantine area you want to edit. The Quarantine area window appears:
Figure 3-41. Quarantine Area
2. Edit the information in the fields you want to change. See “Adding a DHCP Quarantine Area” on page 3-87 for information on Quarantine area options.
3. Click ok.

Deleting a DHCP Quarantine Area
To delete a DHCP quarantine area:
NAC 800 Home window>>System configuration>>Quarantining
1.
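The DHCP enforcement window makes two mistakes easy: a quarantine area whose range, gateway and subnet do not agree with each other, and a relay list that omits a router, which the page says causes requests relayed through it to pass without intervention. The Python below is an added example, not product code, that checks the fields of one quarantine area against each other and models the enforcement-scope decision from the relay list as the page describes it. All addresses, names and function names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class QuarantineArea:
    """One entry of the Add quarantine area window; field names follow the page."""
    quarantined_subnet: str   # CIDR network, e.g. 10.10.50.0/24
    dhcp_range_start: str
    dhcp_range_end: str
    gateway: str
    domain_suffix: str


def validate_area(area):
    """Return a list of problems; an empty list means the fields are mutually consistent."""
    try:
        net = ipaddress.ip_network(area.quarantined_subnet, strict=True)  # rejects host bits set
        start = ipaddress.ip_address(area.dhcp_range_start)
        end = ipaddress.ip_address(area.dhcp_range_end)
        gw = ipaddress.ip_address(area.gateway)
    except ValueError as exc:
        return [f"unparseable field: {exc}"]
    problems = []
    for label, addr in (("DHCP range start", start), ("DHCP range end", end), ("gateway", gw)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address of {net}")
    if end < start:
        problems.append("DHCP range end precedes range start")
    elif start <= gw <= end:
        problems.append(f"gateway {gw} lies inside the DHCP range and could be leased to an endpoint")
    if not area.domain_suffix.strip():
        problems.append("domain suffix is empty")
    return problems


def parse_relay_list(text):
    """Relay agent IPs are entered one per line (separated by carriage returns)."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def dhcp_request_is_enforced(relay_source_ip, restrict_to_relays=None):
    """Model of the radio-button choice: None means 'Enforce DHCP requests from all IP
    addresses'; a list means only requests whose relay source IP is listed are enforced
    and every other request passes without intervention."""
    if restrict_to_relays is None:
        return True
    allowed = {ipaddress.ip_address(r) for r in restrict_to_relays}
    return ipaddress.ip_address(relay_source_ip) in allowed


if __name__ == "__main__":
    area = QuarantineArea("10.10.50.0/24", "10.10.50.100", "10.10.50.200",
                          "10.10.50.1", "quarantine.example.test")
    print("problems:", validate_area(area) or "none")
    relays = parse_relay_list("10.0.5.1\r\n10.0.6.1\r\n")
    print("request via 10.0.7.1 enforced:", dhcp_request_is_enforced("10.0.7.1", relays))
```

Because the relay source address is vendor-dependent (the page's NOTE), the address to list is the one the DHCP server actually sees in relayed packets from each router, not necessarily the router's management address; an unlisted relay is a silent gap in enforcement rather than an error.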
Maintenance
The Maintenance window allows you to back up the MS database, properties files, keystore files, and subscription files in a file with the following name: backup-Thh-mm-ss.tar.

Figure 3-42. System Configuration Window, Maintenance
1. Click begin backup now in the Backup area. The Operation in progress confirmation window appears.
2. A pop-up window appears asking you if you want to save or open the file. Select Save to disk and click OK. Depending on your browser settings, you might be prompted to select a location for the file.
3.

Restoring From a Backup
See “Restoring from Backup” on page 13-10 for information about restoring from a backup file.

Downloading Support Packages
Support packages are useful when debugging your system with ProCurve Networking by HP. If a support package is necessary, ProCurve Networking by HP will instruct you to generate one and will provide instructions on how to upload the generated package (a TAR file).
To save a support package to your local computer:
NAC 800 Home window>>System configuration>>Maintenance
1.
Cluster Setting Defaults
The following sections describe how to globally set the default settings for all clusters. For information on overriding the default settings for a specific cluster, see “Enforcement Clusters and Servers” on page 3-6.

Figure 3-44. System Configuration Window, Testing Methods
1.
2. Select one or more of the following:
a. ProCurve NAC EI Agent – This test method installs a service (ProCurve NAC EI Agent) the first time the user connects.
b. ActiveX plug-in – This test method downloads an ActiveX control each time the user connects to the network. Testing is accomplished through the browser. If the browser window is closed, retesting is not performed.
c.
3. If ActiveX is not available and if credentials for the endpoint or domain exist, NAC 800 tries to test with the agentless test method.
4. If the endpoint cannot be tested transparently, then NAC 800 uses the end-user access screens to set up a test method and sequence for interacting with the end-user. This order of presentation is defined on the Testing methods window. At least one testing method is required.

Selecting End-user Options
To select end-user options:
NAC 800 Home window>>System configuration>>Testing methods
1.
2. Select one or more of the following options:
• Allow end-users to have their administrator login information saved for future access (Agentless testing method only) – This option allows the end-users to elect to save their login credentials so they do not have to enter them each time they connect.
Figure 3-45. System Configuration Window, Accessible Services
1. Enter one or more Web sites, host names, IP addresses, ports, endpoints, or networks that are accessible to connecting endpoints when they fail their compliance tests. You can enter these endpoints and services in the following formats, separated by a carriage return. Enter a range of IPs with a dash (-) between the IPs, or use CIDR addresses.
do, it can cause redirection problems when end-users try to connect. You do need to add any update server names, such as the ones that provide anti-virus and software updates. NAC 800 ships with many of the default server names pre-populated, such as windowsupdate.com.
2. Click ok.
The following table provides additional information about accessible services and endpoints.
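The accessible-services list is an allowlist consulted while an endpoint is quarantined, so it is worth knowing exactly what a given entry permits before saving it. The Python below is an added example, not the product's parser: it accepts the forms the page names (single IP, dashed IP range, CIDR network, host name) and answers whether a destination is reachable. Two details are assumptions, because the page does not state them: a host-name entry also matches its subdomains, and an entry can be limited to one port by appending ":port". The example handles IPv4 only; the sample list is constructed apart from windowsupdate.com, which the page mentions.

```python
import ipaddress
import re


def parse_entry(entry):
    """Parse one line of the Accessible services list (IPv4 only in this example).
    Forms from the page: single IP, dashed IP range, CIDR network, host name.
    Assumed form: a trailing ':port' restricts the entry to that port.
    Returns (kind, value, port); port is None when any port is allowed."""
    entry = entry.strip()
    port = None
    m = re.fullmatch(r"(.+):(\d{1,5})", entry)
    if m:
        entry, port = m.group(1), int(m.group(2))
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {entry!r}")
    if re.fullmatch(r"[\d.]+-[\d.]+", entry):
        lo, hi = (ipaddress.IPv4Address(p) for p in entry.split("-"))
        if hi < lo:
            raise ValueError(f"range end precedes start in {entry!r}")
        return "range", (lo, hi), port
    if "/" in entry:
        return "net", ipaddress.IPv4Network(entry, strict=False), port
    if re.fullmatch(r"[\d.]+", entry):
        return "ip", ipaddress.IPv4Address(entry), port
    if re.fullmatch(r"[A-Za-z0-9.-]+", entry):
        return "host", entry.lower().rstrip("."), port
    raise ValueError(f"unrecognised accessible-services entry: {entry!r}")


def is_accessible(dest, port, entries):
    """True if a quarantined endpoint may reach dest (IPv4 address or host name) on port."""
    dest = dest.strip()
    try:
        dest_ip, dest_host = ipaddress.IPv4Address(dest), None
    except ValueError:
        dest_ip, dest_host = None, dest.lower().rstrip(".")
    for kind, value, entry_port in (parse_entry(e) for e in entries if e.strip()):
        if entry_port is not None and entry_port != port:
            continue
        if kind == "host":
            # Assumption: windowsupdate.com also covers download.windowsupdate.com.
            if dest_host is not None and (dest_host == value or dest_host.endswith("." + value)):
                return True
        elif dest_ip is not None:
            if (kind == "ip" and dest_ip == value) or (kind == "net" and dest_ip in value) \
                    or (kind == "range" and value[0] <= dest_ip <= value[1]):
                return True
    return False


# Constructed sample list, one entry per line as the page says it is entered.
SAMPLE_ENTRIES = """10.0.1.5
10.0.1.10-10.0.1.20
10.0.2.0/24
windowsupdate.com
10.0.3.7:443""".splitlines()

if __name__ == "__main__":
    for dest, port in (("10.0.1.15", 80), ("download.windowsupdate.com", 80), ("10.0.3.7", 80)):
        print(f"{dest}:{port} reachable from quarantine:", is_accessible(dest, port, SAMPLE_ENTRIES))
```

Note that a host-name entry only helps an endpoint that can resolve the name, so the DNS servers the quarantined endpoints use must themselves be reachable; the page's own caution about entries that cause redirection problems is the other side of the same list.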
■ The endpoints and domains that are always quarantined

Always Granting Access to Endpoints and Domains
To always grant access to endpoints and domains:
NAC 800 Home window>>System configuration>>Exceptions
Figure 3-46. System Configuration, Exceptions
CAUTION:
1. To exempt endpoints from testing, in the Always grant access and never test area, enter the endpoint(s) by MAC or IP address, or NetBIOS name.
2.

Always Quarantine Endpoints and Domains
To always quarantine endpoints and domains:
NAC 800 Home window>>System configuration>>Exceptions
1. To always quarantine endpoint(s) when testing, in the Always quarantine and never test area, enter the endpoint(s) by MAC or IP address, or NetBIOS name.
2. To always quarantine domain(s) when testing, in the Always quarantine and never test area, enter the domain(s).

Figure 3-47. System Configuration, Notifications
1.
2. To send email notifications, you must provide NAC 800 with the IP address of a Simple Mail Transfer Protocol (SMTP) email server. This SMTP email server must allow SMTP messages from the NAC 800 machine. Use the following steps to configure the SMTP email server function:
a. Select the radio button next to Send email notifications.
b.

NAC 800 Home window>>System configuration
1. Select a cluster. The Enforcement cluster window appears.
2. Select the Notifications menu item.
3. Select the For this cluster, override the default settings check box.
4. Select Do not send email notifications.
5. Click ok.
Figure 3-48. System Configuration Window, End-user Screens
1. Enter the customization information:
Organization logo image – Enter a path to your organization’s logo, or click Browse to select a file on your network. ProCurve recommends you place your logo here to help end-users feel secure about having their computers tested. The logo should be no larger than 450x50 pixels.
2. Click ok.

2.
b. Test successful message (final screen) – Enter the text for the final, test successful window. ProCurve recommends that this text informs the end-user that the test was successful and provides any additional helpful information such as instructions, notices, and so on.
c. Footer (most screens) – Enter the text for the footer that appears on most of the end-user windows.
browser window to: http://10.0.16.18:88
3. Click ok.

Agentless Credentials
When NAC 800 accesses and tests endpoints, it needs to know the administrator credentials for that endpoint. If your network uses a Windows domain controller and the connecting endpoint is a member of a configured domain, NAC 800 uses the information supplied to access and test the endpoint.
TIP: Setting Windows credentials here sets them as default settings for all clusters.

Figure 3-49. System Configuration Window, Agentless Credentials
1. Click Add administrator credentials. The Add Windows administrator credentials window appears:
Figure 3-50. Agentless Credentials, Add Windows Administrator Credentials Window
2.
3.
• Windows domain name – Enter the domain name of the Windows machine, for example: mycompanyname. You can also enter a group name, for example: WORKGROUP or HOME.
• Administrator user ID – Enter the administrator login name of the Windows machine, for example: jsmith.
• Administrator password – Enter the password for the administrator login name used in the ID text field.
Click ok.

Testing Windows Credentials
To test Windows credentials:
1.

1. Click edit next to the name of the Windows administrator credentials you want to edit.
2. Enter or change information in the fields you want to change. (See “Adding Windows Credentials” on page 3-107 for more information about Windows administrator credentials.)
3. Click ok.

Deleting Windows Credentials
To delete Windows credentials:
NAC 800 Home window>>System configuration>>Agentless credentials
1.
Logging
Setting ES Logging Levels
You can configure the amount of diagnostic information written to log files, ranging from error (error-level messages only) to trace (everything).
To set ES logging levels:
NAC 800 home window>>System configuration>>Logging
Figure 3-51. System Configuration Window, Logging Option
1.
CAUTION: Setting the log level to trace may adversely affect performance.
2. Click ok.

Setting 802.1X Devices Logging Levels
You can configure the amount of diagnostic information written to log files related to 802.1X re-authentication, ranging from error (error-level messages only) to trace (everything).
To set 802.1X logging levels:
1.
• info – log info-level messages only
• debug – log debug-level messages only
• trace – log everything
CAUTION: Setting the log level to trace may adversely affect performance.
2. Click ok.
Advanced Settings
This section describes setting the timeout periods. Endpoint detection is described in “Working with Ranges” on page 13-39.

Setting the Agent Read Timeout
To set the Agent read timeout period:
NAC 800 home window>>System configuration>>Advanced
Figure 3-52. System Configuration Window, Advanced Option
1. Enter a number of seconds in the Agent read timeout period text field.

NAC 800 home window>>System configuration>>Advanced
1. Enter a number of seconds in the RPC connection timeout period text field. The RPC connection timeout is the time in seconds that NAC 800 waits on a connection to the RPC port. Use a larger number for systems with network latency issues.
2. Click ok.

Setting the RPC Command Timeout
To set the RPC command timeout period:
NAC 800 home window>>System configuration>>Advanced
1.
4 Endpoint Activity

Chapter Contents
Overview . . . 4-2
Filtering the Endpoint Activity Window . . . 4-4
Filtering by Access Control or Test Status . . . 4-4
Filtering by Time . . . 4-5
Limiting Number of Endpoints Displayed . . .
Overview
Use the Endpoint activity window to monitor end-user connection activity.
NAC 800 Home window>>Endpoint activity
The Endpoint activity window has the following sections:
■ Endpoint selection area – The left column of the window provides links that allow you to quickly filter the results area by Access control status or Endpoint test status.

1. Endpoint selection area
2. Search criteria area
3. Search results area
Figure 4-1.
Endpoint Activity Filtering the Endpoint Activity Window Filtering the Endpoint Activity Window You can modify the results shown in the Endpoint activity window to include activity for the following: ■ Access control status ■ Endpoint test status ■ Configurable time frame ■ Cluster ■ NetBIOS name ■ IP address ■ MAC address ■ User ID ■ Windows domain ■ NAC policy ■ Operating system ■ Number of endpoints to display Filtering by Access Control or Test Status 4-4 NAC 800 Home windo
Select a method for filtering the results window, by a specific access control status or endpoint status, as shown in the following figure:
Figure 4-2.
Figure 4-3. View Activity for the Last Drop-down List
The View activity for the last drop-down list is a high-level filter that drives all the information displayed. All the information in the Endpoint activity window pertains only to the selected time. Select one of the options from the drop-down list; the results area updates to match the time frame selected.
Select a number from the drop-down list. The results area updates to show only the number of endpoints selected, with page navigation links as shown in the following figure:
Figure 4-5. Endpoint Activity Page Navigation Links

Searching
To search the Endpoint activity window:
NAC 800 Home window>>Endpoint activity>>Search criteria area
Figure 4-6. Search Criteria Window
1.
TIP: The search box is not case-sensitive. Searching matches entire words; you must enter wildcard characters (*) to match substrings. For example, 192.168.*.
Access Control States
NAC 800 provides on-going feedback on the access status of endpoints as follows:
TIP: To view access status, see “Viewing Endpoint Access Status” on page 4-14.
■ Quarantined – The endpoint has been assigned a quarantined IP address. For example, an endpoint could have been quarantined because it failed a test or it could not be tested.
Test Status States
NAC 800 provides on-going feedback on the test status of endpoints as follows:
TIP: To view access status, see “Viewing Endpoint Access Status” on page 4-14.
■ Unknown error – This is most likely a problem that cannot be resolved without contacting ProCurve. Try to force a retest from the NAC 800 console.
■ Access always allowed – NAC 800 shows this status when an endpoint has been listed in the System configuration>>Exceptions window to always grant access. These endpoints are never tested and are always allowed access.
■ Access always quarantined – NAC 800 shows this status when an endpoint has been listed in the System configuration>>Exceptions window to always quarantine. These endpoints are never tested and are always quarantined.
■ Awaiting ip transition – NAC 800 shows this status during a transition from a quarantined IP address to a non-quarantined IP address, and vice versa.
■ Connection failed - endpoint busy or file and print sharing disabled – During the connection to the endpoint, the endpoint is not able to complete the testing requested by NAC 800.
■ Test failed - insufficient test privileges – The credentials NAC 800 used to test the endpoint do not have sufficient privileges to read the registry or enumerate the services. An easy way to debug this is to run regedit and connect to the remote endpoint using the same admin credentials supplied to NAC 800. You should be allowed to browse the HKLM\Software and HKLM\System keys on the endpoint.
Viewing Endpoint Access Status
To view access status for an endpoint:
NAC 800 Home window>>Endpoint activity window
1. Locate the endpoint you are interested in.
2. The first column is the selection column, the second column is the Endpoint test status column, and the third column is the Access control status column. The icons shown in the following figure provide status:
Figure 4-7.
Selecting Endpoints to Act on
To select endpoints to act on:
NAC 800 Home window>>Endpoint activity
Click a box or boxes in the first column to select the endpoints of interest.
TIP: Click the box at the top of the column to select all of the endpoints.
Acting on Selected Endpoints
Once you have filtered the Endpoint activity window and selected which endpoints to take action on, you can perform the following actions:
■ Retest an endpoint (“Manually Retest an Endpoint” on page 4-16)
■ Allow temporary access for a specific period of time (“Immediately Grant Access to an Endpoint” on page 4-16)
■ Temporarily quarantine the endpoint for a specific period of time (“Immediately Quarantine an Endpoint” on page
Immediately Quarantine an Endpoint
To immediately quarantine an endpoint:
NAC 800 Home window>>Endpoint activity
1. Select a box or boxes to select the endpoints of interest.
2. Click change access.
3. Select the Temporarily Quarantine for radio button.
4. Select minutes, hours, or days from the drop-down list.
5. Enter the number of minutes, hours, or days that the endpoint will be temporarily quarantined.
6. Click ok.
Viewing Endpoint Information
To view information about an endpoint:
NAC 800 Home window>>Endpoint activity
1. Click on an endpoint name to view the Endpoint window:
Figure 4-8.
2. Click Test results to view the details of the test:
Figure 4-9. Endpoint Activity, Endpoint Test Results Option
TIP: Click on any underlined link (for example, change access) to make changes such as changing access or test credentials.
5 End-user Access

Chapter Contents
Overview . . . . . 5-2
Endpoints Supported . . . . . 5-3
Browser Version . . . . . 5-4
Browser Settings . . . . .
Overview
End-users can connect to your network from a number of different types of computers (see “Endpoints Supported” on page 5-3), be tested for compliance based on your definitions in the standard (high, medium, or low security) or custom NAC policies (see “NAC Policies” on page 6-1), and be allowed or denied access based on test results and your quarantine settings (see “Quarantining” on page 3-49).
Endpoints Supported
This NAC 800 release supports the following:
■ Windows 98
■ Windows 2000
■ Windows Server (2000, 2003)
■ Windows XP Professional
■ Windows XP Home
■ Windows NT
■ Mac OS (version 10.3.7 or later)
NOTE: Other operating system support (for example Linux) will be included in future releases. Windows ME and Windows 95 are not supported in this release.
Browser Version
The browser that should be used is based on the test method as follows:
■ ActiveX test method – Microsoft Internet Explorer (IE) version 5.0 or 6.0.
■ Agentless and agent-based test methods – IE, Firefox, or Mozilla.
Browser Settings
If the end-user has their IE Internet security zone set to High, the endpoint is not testable. Using one of the following options will allow the endpoint to be tested:
■ The end-user could change the Internet security to Medium (Tools>>Internet options>>Security>>Custom level>>Reset to Medium).
■ The end-user could add the IP address of the NAC 800 server to the Trusted sites zone, and then set the Trusted sites zone to Medium.
Agentless Settings
The agentless test method requires file and printer sharing to be enabled. To enable file and printer sharing on Windows XP Professional:
Endpoint>>Start>>Settings>>Control Panel
1. Double-click Network connections.
2. Right-click Local area connection.
3. Select Properties. The Local area connection properties window appears:
Figure 5-1. Local Area Connection Properties Window
4.
■ To add a network component – http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/howto_config_fileandprintsharing.
Ports Used for Testing
You might need to configure some firewalls and routers to allow NAC 800 to access the following ports for testing:
■ Agentless test method – 137, 138, 139, and 445
■ ActiveX and agent-based test method – 1500
Firewall Settings
NAC 800 can perform tests through firewalls on both managed and unmanaged endpoints.

Managed Endpoints
Typically, a managed endpoint’s firewall is controlled with the Domain Group Policy for Windows, or a central policy manager for other firewalls. In this case, the network administrator opens up the agent port or agentless ports only to the NAC 800 server using the centralized policy.
1. Click Add.
2. In the Service Settings window, enter the following information:
   Description: NAC 800 Server 137
   IP:
   External port number: 137
   Select UDP.
3. Click OK.
4. Click Add.
5. In the Service Settings window, enter the following information:
   Description: NAC 800 Server 138
   IP:
   External port number: 138
   Select UDP.
6. Click OK.
7. Click Add.
8.
Windows>>Start>>Settings>>Control Panel>>Windows Firewall>>Exceptions tab
1. Select File and Print Sharing. (Verify that the check box is also selected.)
2. Click Edit.
3. Verify that the check boxes for all four ports are selected.
4. Select TCP 139.
5. Click Change Scope.
6. Select Custom List.
7. Enter the NAC 800 Server IP address and the 255.255.255.0 mask.
8. Click OK.
9. Select UDP 137.
10. Click Change Scope.
11. Select Custom List.
12.
TIP: You can add more security by specifying the endpoints allowed for File and Print Sharing as follows: select File and Print Sharing, click Edit, select Change Scope, and select either My Network or Custom List (and then specify the endpoints).

Allowing NAC 800 through the OS X Firewall
To verify that NAC 800 can test the end-user through the end-user’s firewall:
Apple Menu>>System Preferences
Figure 5-2.
1. Select the Sharing icon. The Sharing window opens.
Figure 5-3. Mac Sharing Window
2.
3. Select the Firewall tab.
To change the port:
Apple Menu>>System Preferences>>Sharing icon>>Firewall tab
1. Select OS X NAC Agent.
2. Click Edit. The port configuration window appears:
Figure 5-4. Mac Ports Window
3. Enter 1500 in the Port Number, Range or Series text field.
4. Click OK.
End-user Access Windows
Several end-user access templates come with NAC 800. The End-user window provides a way to customize these templates from within the console (see “End-user Screens” on page 3-104). For optimal end-user experience, brand these windows as your own and keep them friendly and helpful. It is important to convey to your end-users what is happening during and after the testing process.
Opening Window
When the end-user directs their browser to go to a location that is not listed in the Accessible services and endpoints list, the testing option window appears:
Figure 5-5. End-user Opening Window
The end-users select Get connected.
Windows NAC Agent Test Windows

Automatically Installing the Windows Agent
When the test method used is NAC Agent test, the first time the user attempts to connect, the agent installation process should begin automatically, and the installing window appears:
Figure 5-6. End-user Installing Window
TIP: The end-user can also manually install the agent as described in “Manually Installing the Windows Agent” on page 5-20.
If Active Content is disabled in the browser, the following error window appears:
Figure 5-7. End-user Agent Installation Failed
TIP: To enable active content, see “Active Content” on page B-3.
If this is the first time the end-user has selected NAC Agent test, a security acceptance window appears. In order to proceed with the test, the user must select to Install the digital signature.
Once the user has accepted the digital signature, the agent installation begins. The user must click Next to start the agent installation:
Figure 5-8. End-user Agent Installation Window (Start)
The user must click Finish to complete the agent installation and begin testing:
Figure 5-9. End-user Agent Installation Window (Finish)
As soon as the installation is complete, the endpoint is tested. See “Testing Window” on page 5-33.
Removing the Agent
To remove the agent:
Start button>>Settings>>Control panel>>Add/remove programs
Figure 5-10. Add/Remove Programs
1. Find the ProCurve NAC EI Agent in the list of installed programs.
2. Click Remove.
1. Point the browser to the following URL:
   https://:89/setup.exe
   The security certificate window appears:
Figure 5-11. Security Certificate Window
2. Click Yes to accept the security certificate. You are prompted to select Save to disk or Run the file:
Figure 5-12. Run or Save to Disk Window
3. Click Run to begin the install process.
4. The Agent Installation Wizard starts (Figure 5-8 on page 5-19).
Command line window on the endpoint
1. Change the working directory to the following:
   C:\Program Files\Hewlett-Packard\ProCurve NAC Endpoint Integrity Agent
2. Enter the following command:
   SAService version
   The version number is returned. For example: 4,0,0,567

Mac OS Agent Test Windows
When the test method selected is agent-based, the first time the end-user logs in to their Macintosh computer and opens a browser window, NAC 800 attempts to test the endpoint.
4. Click Continue. The installer appears:
Figure 5-14. Mac OS Installer Window 1 of 5
5. Click Continue. The Select a Destination window appears:
Figure 5-15.
6. Click Continue. The Easy Install window appears:
Figure 5-16. Mac OS Installer Window 3 of 5
7. Click Install. The Authenticate window appears:
Figure 5-17.
8. Enter your password. Click OK. The agent is installed and the confirmation window appears:
Figure 5-18. Mac OS Installer Window 5 of 5
9. Click Close.
Figure 5-19.
1. Double-click Activity Monitor. The Activity Monitor window appears:
Figure 5-20. Activity Monitor Window
2. Verify that the osxnactunnel process is running.
3.
a. Select Applications window>>Utilities>>Mac OS X Terminal. A terminal window opens:
Figure 5-21. Mac Terminal Window
b. Enter the following at the command line:
   OSXNACAgent -v
   The build and version number are returned.
c. If an error message is returned indicating that the agent could not be found, the agent was not installed properly. Re-install the agent as described in “Installing the Mac OS Agent” on page 5-22.
d.
Removing the Mac OS Agent
To remove the Mac OS agent:
Double-click Desktop icon>>Application folder>>Utilities folder
1. Select Mac OS X Terminal. A terminal window opens (figure 5-21).
2. Enter the following at the command line:
   remove_osxnacagent
3. Remove the firewall entry:
   a. Select Apple Menu>>System Preferences>>Sharing>>Firewall tab.
   b. Select OS X NAC Agent.
   c. Click Delete.
ActiveX Test Windows
For the ActiveX test, the Testing window appears (see “Testing Window” on page 5-33) and an ActiveX component is downloaded. If there is an error running the ActiveX component, an error window appears:
Figure 5-22. End-user ActiveX Plug-in Failed Window
TIP: To enable active content, see “Active Content” on page B-3.

Agentless Test Windows
If the end-users select Agentless test, NAC 800 needs login credentials in order to test the endpoint.
■ Require the user to log in.
NOTE: End-users must set up their local endpoints to have a Windows administrator account with a password in order to be tested by NAC 800. NAC 800 uses the Windows Messenger Service when using agentless testing. If you have disabled this service (http://www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx), agentless testing will not work.
If the end-users do not enter the correct information in the login window fields, a login failure window appears:
Figure 5-24. End-user Login Failed
TIP: You can customize the logo and contact paragraph that appear on this window. See “Customizing Error Messages” on page 5-40 for more details.
Testing Window
The following figure shows the window that appears during the testing process:
Figure 5-25.
Test Successful Window
When the end-users’ endpoints meet the test criteria defined in the NAC policy, they are allowed access to the network, and a window indicating successful testing appears:
Figure 5-26. End-user Testing Successful Window
TIP: You can customize the logo and text that appear on this window as described in “End-user Screens” on page 3-104.
Temporary Quarantine Window
When the end-users meet the test criteria defined in the NAC policy, but the NAC 800 Quarantine all setting is enabled, the quarantine window appears:
Figure 5-27. Temporary Quarantine Window
TIP: You can customize the logo and contact paragraph that appear on this window. See “Customizing Error Messages” on page 5-40 for more details.
Testing Cancelled Window
If the Allow end users to cancel testing option on the System configuration>>Testing methods window is selected, the end-user has the option of clicking Cancel testing. If the end-users click Cancel testing, a window appears indicating that testing is cancelled:
Figure 5-28.
Testing Failed Window
When the end-users’ endpoints fail to meet the test criteria defined in the NAC policy, the end-users are not allowed access to the network (they are quarantined) and the following testing failed window appears:
Figure 5-29.
End-users can click Printable version to view the testing results in a printable format, as shown in the following figure:
Figure 5-30. End-user Testing Failed, Printable Results Window

Setting the Temporary Access Period
For each NAC policy, you can specify a temporary access period should the end-users fail the tests. To set the temporary access period:
1.
2.
■ Unsupported endpoint
■ Unknown error
The following figure shows an example of an error window:
Figure 5-31.
Customizing Error Messages
The default error message strings (remediation messages) are defined in the following file:
/usr/local/nac/scripts/BaseClasses/Strings.py
You can create custom error message strings that appear in the test result reports, and on the test results access window that the end-user views, by editing or creating the following file:
/usr/local/nac/scripts/BaseClasses/CustomStrings.py
To customize the error messages:
1.
    the software from this location Location Name",
    "name2" : "message2",
}
NOTE: A “%s” in the description text is a special variable that is interpolated into extra information (passed from NAC 800) such as lists of missing patches or missing software.
NOTE: While editing the description, avoid the use of double quotes (“”). Use single quotes instead.
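As an added example (not code from the guide or from NAC 800's own CustomStrings.py), the following shows a custom strings table in the "name" : "message" shape described above, a renderer that fills in the “%s” extra information, and a check for the single-quote rule; the dictionary and function names are assumptions, the keys are test names from Table 5-1, and the message texts are constructed.

```python
"""Added example, not code from the NAC 800 guide or its CustomStrings.py:
a remediation-message table in the "name" : "message" shape the guide
shows, a renderer for the "%s" extra information NAC 800 passes in, and a
check for the guide's rule that descriptions use single quotes only. The
dictionary and function names are assumptions; the keys are test names
taken from Table 5-1, the message texts are constructed."""

import re

# Keyed by test name as in Table 5-1. Single quotes only inside the
# descriptions: the file is Python source whose strings are "..."-delimited.
CUSTOM_STRINGS = {
    # one %s: NAC 800 passes the list of missing software packages
    "checkSoftwareRequired.String.3":
        "The required software was not found: %s. Install it from the "
        "'Software' share, then click Retest.",
    # two %s: the zone name, then the required level
    "checkIESecurityZoneSettings.String.6":
        "The required security level for your Internet Explorer %s "
        "security zone is %s or greater.",
    # no %s: a static message
    "checkServicePacks.String.3":
        "There are no service packs installed. Run Windows Update to "
        "install the most recent service packs.",
}

PLACEHOLDER_RE = re.compile(r"%s")


def render_message(name, extra=(), strings=CUSTOM_STRINGS):
    """Return the end-user text for test `name` with each %s filled in.

    `extra` holds the extra information passed from NAC 800, one value per
    %s (order assumed); a list value, such as missing patches or software,
    is joined into a comma-separated string. A count mismatch raises
    ValueError so a broken custom string is caught rather than shown
    garbled on the test results window."""
    template = strings[name]
    values = []
    for item in extra:
        if isinstance(item, (list, tuple, set, frozenset)):
            values.append(", ".join(str(v) for v in sorted(item)))
        else:
            values.append(str(item))
    expected = len(PLACEHOLDER_RE.findall(template))
    if expected != len(values):
        raise ValueError("%s expects %d value(s) for %%s, got %d"
                         % (name, expected, len(values)))
    it = iter(values)
    # substitute via regex rather than the % operator so a literal percent
    # sign elsewhere in a description cannot break the interpolation
    return PLACEHOLDER_RE.sub(lambda m: next(it), template)


NAME_RE = re.compile(r"^[A-Za-z]\w*\.String\.\d+$")   # form seen in Table 5-1


def check_custom_strings(strings=CUSTOM_STRINGS):
    """Return a list of problems in a custom strings table; empty means OK.

    Checks the two rules on this page (keys are test names, descriptions
    must not contain double quotes) plus that every value is a string."""
    problems = []
    for name, text in strings.items():
        if not isinstance(name, str) or not NAME_RE.match(name):
            problems.append("%r: key is not a test name of the form "
                            "testName.String.N" % (name,))
        if not isinstance(text, str):
            problems.append("%r: description is not a string" % (name,))
        elif '"' in text:
            problems.append("%s: description contains a double quote; "
                            "use single quotes" % (name,))
    return problems


if __name__ == "__main__":
    print(check_custom_strings())
    print(render_message("checkSoftwareRequired.String.3",
                         [["Antivirus X", "Patch KB1"]]))
    print(render_message("checkIESecurityZoneSettings.String.6",
                         ["Internet", "Medium"]))
```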
Table 5-1. Default Test Names and Descriptions (cont.)
Test name – Description
checkAutoUpdateStatus.String.3 – Automatic Updates have not been configured. For Windows 2000, install Service Pack 4, then enable Automatic Updates by selecting: Control Panel>>Automatic Updates. For Windows XP: select Control Panel>>System>>Automatic Updates tab.
checkAutoUpdateStatus.String.4 – Automatic Updates are set to: %s
checkAutoUpdateStatus.String.5 – Automatic Updates must be configured to %s.
checkIESecurityZoneSettings.String.6 – The required security level for your Internet Explorer %s security zone is %s or greater. To change the setting, select Tools>>Internet Options>>Security>>%s>> select the setting and click OK. If you are using a custom setting, higher security settings are required for:
* indicates an Internet Explorer 6 or later setting
checkIESecurityZoneSettings.String.
checkServicePacks.String.3 – There are no service packs installed. Run Windows Update to install the most recent service packs.
checkServicePacks.String.4 – There are no service packs installed. Run Windows Update to install the most recent service packs.
checkServicePacks.String.5 – All required service packs are installed
checkServicePacks.String.6 – The service packs installed are not current.
checkSoftwareRequired.String.2 – All required software is installed.
checkSoftwareRequired.String.3 – The required software was not found: %s.
checkSoftwareRequired.String.4 – %s (# placeholder for link location for each software package.)
checkUniqueId.String.1 – An unsupported operating system was encountered.
checkUniqueId.String.2 – Could not determine unique ID
checkWindowsSecurityPolicy.String.
checkAntiSpyware.String.5 – The %s software was found but a scan has never been performed.
checkBadIP.String.1 – There were no unauthorized network connections found.
checkBadIP.String.2 – An unsupported operating system was encountered.
checkBadIP.String.3 – The IP addresses %s are on unauthorized networks.
checkBadIP.String.4 – The IP address %s is on an unauthorized network.
6 NAC Policies

Chapter Contents
Overview . . . . . 6-2
Standard NAC Policies . . . . . 6-4
NAC Policy Group Tasks . . . . . 6-5
Add a NAC Policy Group . . . . . 6-5
Editing a NAC Policy Group .
Overview
"NAC policies" are collections of tests that evaluate remote endpoints attempting to connect to your network. You can use the standard tests installed with NAC 800, or you can create your own custom tests.
NOTE: The default NAC policy is indicated by the check mark on the icon to the left of the NAC policy name. See “Selecting the Default NAC Policy” on page 6-7 for instructions on selecting and changing the default NAC policy.
Figure 6-1. NAC Policies Window
The following figure shows the legend explaining the NAC policies icons:
Figure 6-2.
Standard NAC Policies
NAC 800 ships with three standard NAC policies:
■ High security
■ Low security
■ Medium security
NAC policies are organized in groups, which include the clusters defined for your system, a Default group, and any other groups you create. Each standard policy has tests pre-selected. You can modify these policies, or create custom policies.
NAC Policy Group Tasks

Add a NAC Policy Group
To add a NAC policy group:
NAC 800 Home window>>NAC policies
1. Click Add an NAC policy group. The Add NAC policy group window opens:
Figure 6-3. Add NAC Policy Group Window
2. Type a name for the group in the Name of NAC policy group text box.
3. Optional: Select the check box next to any NAC policy to move to this group.
4. Optional: Select the check box next to any cluster to move to this group.
5. Click ok.
1. Click on an existing NAC policy group name (for example, Default). The NAC policy group window opens.
Figure 6-4. Edit NAC Policy Group Window
2. Make any changes required. See “Add a NAC Policy Group” on page 6-5 for details on NAC policy group options.
3. Click OK to save or Cancel to return without saving.
NAC Policy Tasks

Enabling or Disabling a NAC Policy
Select which NAC policies are enabled or disabled. To enable/disable a NAC policy:
NAC 800 Home window>>NAC policies
Click on the enable or disable link. An X indicates disabled.

Selecting the Default NAC Policy
To select the default NAC policy:
NAC 800 Home window>>NAC policies
Click on the up or down arrow to move the NAC policy.
1. Click Add a NAC policy. The Add a NAC policy window opens as shown in the following figure:
Figure 6-6. Add an NAC Policy, Basic Settings Area
2. Enter a policy name.
3. Enter a description in the Description text box.
4. Select a NAC policy group.
5. Select either the enabled radio button or the disabled radio button.
6. Select the Operating systems that will not be tested but are allowed network access.
endpoint in any way. In both of these cases, the System Monitor window may show the quarantined icon next to these endpoints; however, if you hover your mouse over the red circle, the actual status shows that the endpoint should be quarantined, but the quarantine action was unsuccessful.
CAUTION: Allowing untested endpoints on your network carries risks. See “Untestable Endpoints and DHCP Mode” on page 7-18 for more information.
7.
10. Click on a cluster name.
11. Enter the names of Windows domains to be tested by this cluster for this NAC policy, separated by a carriage return.
12. Enter a single endpoint or list of endpoints separated by a carriage return using the endpoint IP address, MAC address, NetBIOS name, or host name. Enter a range of IPs using a dash (-) between them or by using CIDR notation (see table 13-1, “CIDR Naming Conventions,” on page 13-9).
13. Click the Tests menu option to open the Tests window:
Figure 6-8.
14. Select a test to include in the NAC policy by clicking on the check box next to the test name.
15. Select a test by clicking on the test name to view the properties. For more information about test properties, see “Selecting Test Properties” on page 6-17.
16. Select the test properties for this test. For more information about the specific tests, see “Tests Help” on page A-1.
17.
Deleting a NAC Policy
To delete an existing NAC policy:
NAC 800 Home window>>NAC policies
1. Click the delete link to the right of the NAC policy you want to delete. A confirmation window appears.
2. Click yes.

Moving a NAC Policy Between NAC Policy Groups
To move a NAC policy between NAC policy groups:
NAC 800 Home window>>NAC policies
1. To open the NAC policies window, click a NAC policy name.
2.
NAC Policy Hierarchy
If an endpoint is listed in more than one NAC policy, the order of use is alphabetical by name of NAC policy (not including the default NAC policy).

Setting Retest Time
Retest endpoints connected to your network frequently to guard against potential changes in the remote endpoint configurations. To set the time to wait before retesting a connected endpoint:
1.
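As an added example (not NAC 800 code), the following parses the endpoint entries a NAC policy accepts in step 12 above (IP address, dash-separated IP range, CIDR notation, MAC address, NetBIOS or host name) and applies the NAC policy hierarchy just described; it assumes that the default policy applies whenever no other policy lists the endpoint, and the policy names, entries and endpoints are constructed sample data.

```python
"""Added example, not NAC 800 code: parse the endpoint entries a NAC policy
accepts (IP address, IP range written with a dash, CIDR notation, MAC
address, NetBIOS or host name) and apply the NAC policy hierarchy: when
an endpoint is listed in more than one policy, policies are tried in
alphabetical order by name and the default policy is not part of that
ordering (assumed here to apply when no other policy lists the endpoint).
Policy names, entries and endpoints below are constructed sample data."""

import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$")
HOST_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*$")


def parse_entry(entry):
    """Turn one endpoint-list line into a matcher(ip, mac, name) -> bool.

    Unrecognised or malformed entries raise ValueError so a typo in the
    policy is caught when it is saved, not silently ignored at test time."""
    text = entry.strip().lower()
    if not text:
        raise ValueError("empty endpoint entry")
    if MAC_RE.match(text):                           # MAC, ':' or '-' separated
        want = text.replace("-", ":")
        return lambda ip, mac, name: (mac or "").lower().replace("-", ":") == want
    if "/" in text:                                  # CIDR, e.g. 10.1.0.0/24
        net = ipaddress.ip_network(text, strict=False)
        return lambda ip, mac, name: ipaddress.ip_address(ip) in net
    if "-" in text and text.replace("-", "").replace(".", "").isdigit():
        lo, hi = (ipaddress.ip_address(p) for p in text.split("-", 1))  # range
        if lo > hi:
            raise ValueError("range %s is reversed" % entry)
        return lambda ip, mac, name: lo <= ipaddress.ip_address(ip) <= hi
    if text.replace(".", "").isdigit():              # single IPv4 address
        addr = ipaddress.ip_address(text)            # raises on e.g. 10.1.0.300
        return lambda ip, mac, name: ipaddress.ip_address(ip) == addr
    if HOST_RE.match(text):                          # NetBIOS or host name
        return lambda ip, mac, name: (name or "").lower() == text
    raise ValueError("unrecognised endpoint entry: %r" % entry)


def parse_endpoint_list(text):
    """The policy window takes one entry per line (carriage-return separated)."""
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def endpoint_listed(matchers, ip, mac=None, name=None):
    """True when any entry of a policy's endpoint list matches the endpoint."""
    return any(m(ip, mac, name) for m in matchers)


def select_policy(policies, default_name, ip, mac=None, name=None):
    """policies maps policy name -> endpoint-list text. Returns the policy
    that applies: non-default policies in alphabetical order, first hit
    wins; the default policy is the fallback (assumption)."""
    for pname in sorted(n for n in policies if n != default_name):
        if endpoint_listed(parse_endpoint_list(policies[pname]), ip, mac, name):
            return pname
    return default_name


# Constructed sample: three policies, "Medium security" is the default.
# 10.1.0.15 is listed explicitly in the default policy, yet "High security"
# wins for it because it comes first alphabetically and covers 10.1.0.0/24.
SAMPLE_POLICIES = {
    "High security": "10.1.0.0/24",
    "Low security": "10.1.1.5-10.1.1.9\n00:11:22:aa:bb:cc",
    "Medium security": "10.1.0.15\nfinance-pc01",
}
DEFAULT_POLICY = "Medium security"

if __name__ == "__main__":
    for ip, mac, name in [("10.1.0.15", None, None),
                          ("10.1.1.7", None, None),
                          ("192.168.5.5", "00-11-22-AA-BB-CC", None),
                          ("192.168.5.5", None, None)]:
        print(ip, mac, name, "->",
              select_policy(SAMPLE_POLICIES, DEFAULT_POLICY, ip, mac, name))
```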
Defining Non-supported OS Access Settings
To define what actions to take for endpoints with non-supported operating systems:
Main NAC 800 window>>NAC policies>>Select a NAC Policy>>Basic settings area
1. In the Operating systems area, select the check box beside any operating system that you will allow access without being tested.
2. Click ok.

Setting Test Properties
Test properties are specific to the particular test. Select the properties you want applied.
NAC 800 Home window>>NAC policies>>Select a NAC Policy>>Tests menu option
1. Click on the name of a test to display the test’s options.
NOTE: Click a test name to display the options; select the test check box to enable the test for the policy you are modifying.
2. Select an action to take when an endpoint fails this test.
   a. Send an email notification... – sends an email to the email address specified (see “Notifications” on page 3-102).
About NAC 800 Tests
NAC 800 tests are assigned to NAC policies. NAC policies are used to test endpoints attempting to connect to your network. NAC 800 tests might be updated as often as hourly; however, at the time of this release, the tests shown in “Tests Help” on page A-1 were included (see “Viewing Information About Tests” on page 6-17 for instructions on viewing the latest list of tests).
You can enter any combination of these keys in the NAC 800 text entry fields to detect a vendor, software package and version on an endpoint (for example, you can also enter Mozilla\Firefox or simply Mozilla) and NAC 800 searches for them in the HKEY_LOCAL_MACHINE\Software registry key sub-tree.
TIP: The entries are not case sensitive. This test simply checks to see if the registry key exists in HKEY_LOCAL_MACHINE\Software or HKEY_CURRENT_USER\Software.
■ Utility Manager
■ Windows Installer

Entering the Browser Version Number
To specify the minimum browser version the end-user needs:
1.
2.
3. For Mozilla Firefox:
   a. Clear the Check For Mozilla Firefox [1.5] check box.
   b. Type a version number in the text entry field.
   For Internet Explorer on Windows XP and Windows 2003:
   a. Clear the Check For Internet Explorer for Windows XP and Windows 2003 [6.0.2900.2180] check box.
   b.
7 Quarantined Networks

Chapter Contents
Endpoint Quarantine Precedence . . . . . 7-2
Using Ports in Accessible Services and Endpoints . . . . . 7-4
Determining Accessible Services Example . . . . . 7-6
Always Granting Access to an Endpoint . . . . . 7-13
Always Quarantining an Endpoint . . . . .
Endpoint Quarantine Precedence
Endpoints are quarantined in the following hierarchical order:
1. Access mode (normal operation, quarantine all, or allow all)
2. Temporarily quarantine for/Temporarily grant access for radio buttons
3. Endpoint testing exceptions (always grant access, always quarantine)
4.
TIP: Use the Clear temporary access control status radio button to remove the temporary access or temporary quarantine state enabled by the Temporarily quarantine for/Temporarily grant access for radio buttons.
■ Endpoint testing exceptions override the items following them in the list (4). Use Endpoint testing exceptions (System configuration>>Exceptions) to always allow or always quarantine endpoints that are defined in NAC policies.
Using Ports in Accessible Services and Endpoints
To use a port number when specifying accessible services and endpoints (cluster default):
NAC 800 Home window>>System configuration>>Accessible services
The following figure shows the Accessible services window:
Figure 7-1. Accessible Services Window
In order to grant access for quarantined endpoints to needed services, add entries to the Accessible services list.
Quarantined Networks Using Ports in Accessible Services and Endpoints For all other deployment modes, the Fully Qualified Domain Name (FQDN) of the target servers should be added to the list (for example mycompany.com). If the specified servers are not behind an ES, a network firewall must be used to control access to only the desired ports. 1.
Determining Accessible Services Example

Determining which services to add in the Accessible services area can be tricky. This section details the steps used to determine all of the accessible services required to allow a quarantined endpoint to access the Windows Update service and retrieve the required service packs and/or hotfixes.

16:20:50.529861 IP 172.21.20.20.2586 > SA00.domain: 40773+ A? windowsupdate.microsoft.com. (45)
16:20:50.531469 IP SA00.domain > 172.21.20.20.2586: 40773 NXDomain* 0/1/0 (96)

5. Log into the NAC 800 MS console using an administrator account.
6. Navigate to the Accessible services window (System configuration>>Accessible services).
7. Add microsoft.com to the accessible services and endpoints list.
8. Click OK.
9.

The final list of accessible services for this example is shown in the following figure.

Figure 7-3. Final List of Accessible Services Example

The complete tcpdump results for this example are shown below:

tcpdump -i eth0 -s0 -w /tmp/dns.pcap port 53 and host 172.21.20.20
waldo:~ # tcpdump -i eth0 -s0 port 53 and host 172.21.20.

16:23:56.240873 IP 172.21.20.20.2586 > SA00.domain: 55115+ A? windowsupdate.microsoft.com. (45)
16:23:56.245644 IP SA00.domain > 172.21.20.20.2586: 55115 2/7/7 CNAME windowsupdate.microsoft.nsatc.net., A 207.46.225.221 (353)
16:23:56.981306 IP 172.21.20.20.2586 > SA00.domain: 34378+ A? update.microsoft.com. (38)
16:23:56.981667 IP SA00.domain > 172.21.20.20.2586: 34378 NXDomain* 0/1/0 (89)
16:25:03.645582 IP 172.21.20.20.2586 > SA00.

16:27:09.136659 IP 172.21.20.20.2586 > SA00.domain: 5201+ A? download.windowsupdate.com. (44)
16:27:09.137238 IP SA00.domain > 172.21.20.20.2586: 5201* 1/1/1 A SA00 (100)
16:27:09.172260 IP 172.21.20.20.2586 > SA00.domain: 27984+ A? download.microsoft.com. (40)
16:27:09.172793 IP SA00.domain > 172.21.20.20.2586: 27984 2/1/1 CNAME main.dl.ms.akadns.net., A SA00 (131)
16:27:09.991527 IP 172.21.20.20.2586 > SA00.domain: 5968+ A? c.microsoft.com.

16:29:56.590312 IP 172.21.20.20.2586 > SA00.domain: 3934+ A? download.microsoft.com. (40)
16:29:56.715218 IP SA00.domain > 172.21.20.20.2586: 3934 4/1/1 CNAME main.dl.ms.akadns.net., CNAME dom.dl.ms.akadns.net., CNAME dl.ms.d4p.net., A SA00 (173)
16:29:57.402083 IP 172.21.20.20.2586 > SA00.domain: 25181+ A? c.microsoft.com. (33)
16:29:57.403740 IP SA00.domain > 172.21.20.20.2586: 25181 2/1/1 CNAME c.microsoft.akadns.net., A 64.4.52.

16:37:40.332613 IP SA00.domain > 172.21.20.20.1045: 28344 6/1/1 CNAME main.dl.wu.akadns.net., CNAME dom.dl.wu.akadns.net., CNAME dl.wu.ms.edgesuite.net., CNAME a258.g.akamai.net., A 89.149.169.57, A 89.149.169.66 (234)
16:37:40.332723 IP SA00.domain > 172.21.20.20.1045: 28344 6/1/1 CNAME main.dl.wu.akadns.net., CNAME dom.dl.wu.akadns.net., CNAME dl.wu.ms.edgesuite.net., CNAME a258.g.akamai.net., A 89.149.169.57, A 89.149.169.66 (234)
16:37:40.
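Working through a capture like the one above by hand is error-prone. The following Python script is an added example (it is not part of the NAC 800 guide or product): it parses the text form of the tcpdump output shown in this section, pairs each reply with its query by transaction ID, follows the CNAME chains, and reports the registrable domains and addresses the endpoint actually reached, together with the names that never stopped returning NXDomain, which are the ones still missing from Accessible services. The sample capture embedded in the script is constructed from the lines in this section, and the "last two labels" domain rule is a simplification (it is wrong for suffixes such as co.uk). Every domain you add this way, akamai.net for instance, opens the quarantine to every host under that domain, so review the list rather than pasting it in.

```python
"""Derive Accessible services candidates from a tcpdump DNS capture.

Added example, not part of the NAC 800 guide. Input is the text output of
    tcpdump -i eth0 -s0 port 53 and host <quarantined endpoint>
as printed in this section (names are reverse-resolved, so the resolver
shows as SA00 and an A record may read "A SA00" instead of an address).
"""
import re

# Constructed sample built from the capture in this section; 172.21.20.20 is
# the quarantined endpoint and SA00 the resolver.
SAMPLE_CAPTURE = """\
16:20:50.529861 IP 172.21.20.20.2586 > SA00.domain: 40773+ A? windowsupdate.microsoft.com. (45)
16:20:50.531469 IP SA00.domain > 172.21.20.20.2586: 40773 NXDomain* 0/1/0 (96)
16:23:56.240873 IP 172.21.20.20.2586 > SA00.domain: 55115+ A? windowsupdate.microsoft.com. (45)
16:23:56.245644 IP SA00.domain > 172.21.20.20.2586: 55115 2/7/7 CNAME windowsupdate.microsoft.nsatc.net., A 207.46.225.221 (353)
16:23:56.981306 IP 172.21.20.20.2586 > SA00.domain: 34378+ A? update.microsoft.com. (38)
16:23:56.981667 IP SA00.domain > 172.21.20.20.2586: 34378 NXDomain* 0/1/0 (89)
16:27:09.172260 IP 172.21.20.20.2586 > SA00.domain: 27984+ A? download.microsoft.com. (40)
16:27:09.172793 IP SA00.domain > 172.21.20.20.2586: 27984 2/1/1 CNAME main.dl.ms.akadns.net., A SA00 (131)
16:37:40.332613 IP SA00.domain > 172.21.20.20.1045: 28344 6/1/1 CNAME main.dl.wu.akadns.net., CNAME dom.dl.wu.akadns.net., CNAME dl.wu.ms.edgesuite.net., CNAME a258.g.akamai.net., A 89.149.169.57, A 89.149.169.66 (234)
"""

_QUERY = re.compile(r"^\S+ IP \S+ > \S+: (\d+)\+ (?:A|AAAA)\? (\S+)\. \(\d+\)$")
_REPLY = re.compile(r"^\S+ IP \S+ > \S+: (\d+)\*? (?:(NXDomain)\*? )?\d+/\d+/\d+(.*)$")
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_capture(text):
    """Return (queries, replies). queries maps transaction id -> name asked
    for; replies is a list of (transaction id, nxdomain, [(rtype, rdata)])."""
    queries, replies = {}, []
    for line in text.splitlines():
        q = _QUERY.match(line)
        if q:
            queries[int(q.group(1))] = q.group(2).lower()
            continue
        r = _REPLY.match(line)
        if not r:
            continue  # not a DNS line this parser understands
        tail = r.group(3).rsplit(" (", 1)[0]  # drop the trailing "(len)"
        rrs = []
        for item in tail.split(","):
            rtype, _, rdata = item.strip().partition(" ")
            if rtype:
                rrs.append((rtype, rdata.rstrip(".").lower()))
        replies.append((int(r.group(1)), r.group(2) == "NXDomain", rrs))
    return queries, replies


def registrable_domain(name):
    """Last two labels (simplification: wrong for suffixes such as co.uk)."""
    return ".".join(name.split(".")[-2:])


def accessible_services(text):
    """Summarise what the quarantined endpoint needed during the capture."""
    queries, replies = parse_capture(text)
    resolved, failed, addresses = set(), set(), set()
    for txn, nxdomain, rrs in replies:
        name = queries.get(txn)  # None if the query fell outside the capture
        if nxdomain:
            if name:
                failed.add(name)
            continue
        if name:
            resolved.add(name)
        for rtype, rdata in rrs:
            if rtype == "CNAME":
                resolved.add(rdata)  # chain targets must be reachable too
            elif rtype == "A" and _IPV4.match(rdata):
                addresses.add(rdata)  # "A SA00" is a reverse-resolved name, not an IP
    return {
        "domains": sorted({registrable_domain(n) for n in resolved}),
        "addresses": sorted(addresses),
        "resolved": sorted(resolved),
        "still_failing": sorted(failed - resolved),
    }


if __name__ == "__main__":
    summary = accessible_services(SAMPLE_CAPTURE)
    print("Domains the endpoint reached:", ", ".join(summary["domains"]))
    print("Addresses seen:", ", ".join(summary["addresses"]))
    print("Still NXDomain (not yet in Accessible services):", ", ".join(summary["still_failing"]))
```

Run it against a capture saved with tcpdump's text output (add -n if you want raw addresses instead of SA00-style names; the parser accepts both). A name in still_failing is one the quarantined endpoint asked for and never got an answer to after the list was changed, which is the same signal steps 5 to 9 above use.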
Always Granting Access to an Endpoint

To always grant access to an endpoint without testing:

NAC 800 Home window>>System configuration>>Exceptions

The following figure shows the Exceptions window.

Figure 7-4. Exceptions Window

1. In the Always grant access and never test area:
   a. In the Endpoints area, enter one or more MAC addresses, IP addresses, or NetBIOS names separated by carriage returns.
   b.

CAUTION: If you enter the same endpoint for both options in the Endpoint testing exceptions area, the Allow access without testing option is used.

CAUTION: Please read "Untestable Endpoints and DHCP Mode" on page 7-18 so that you fully understand the ramifications of allowing untested endpoints on your network. MAC addresses, IP addresses, and NetBIOS names are all identifiers the endpoint itself presents, so any device that claims one listed in the Always grant access area is admitted without testing; keep that list short and prefer the most specific identifier available.

Always Quarantining an Endpoint

To always quarantine an endpoint without testing (cluster default):

NAC 800 Home window>>System configuration>>Exceptions

1. In the Always quarantine and never test area:
   a. In the Endpoints area, enter one or more MAC addresses, IP addresses, or NetBIOS names separated by carriage returns.
   b. In the Windows domains area, enter one or more domain names separated by carriage returns.
2. Click OK.
New Users

The process NAC 800 follows for allowing end-users to connect is:
■ Inline mode – An IP address is assigned to the endpoint outside of NAC 800. When the end-user attempts to connect to the network, NAC 800 either blocks access or allows access by adding the endpoint IP address to the internal firewall.
■ DHCP mode – New end-users boot their computers.

Shared Resources

If end-users typically connect to shared services and endpoints during the boot process, those shares cannot be reached while the endpoint holds the quarantined IP address, unless the services and endpoints are listed in the Accessible services and endpoints area (see "Accessible Services" on page 3-98).

Untestable Endpoints and DHCP Mode

If you have an endpoint that does not have a supported operating system, you can allow access or quarantine the endpoint. The current supported operating systems are listed in "Endpoints Supported" on page 5-3. If you allow an untested endpoint to have access, there are several important items to keep in mind.
8 High Availability and Load Balancing

Chapter Contents
High Availability . . . 8-2
Load Balancing . . .

High Availability

High availability occurs when one or more Enforcement servers take over for an Enforcement server that has become unavailable in a multiple-server installation. Once an ES becomes unavailable, the other ESs take over enforcement from it. All ESs participate in enforcement. The MS provides notification in the console at the top of the Home window.

ES becomes unavailable, the switch reconnects so that there is always a path from the VPN to an ES. All of the ES firewalls continuously stay in sync with each other.

Figure 8-1.

Figure 8-2.

Figure 8-3. 802.

Load Balancing

Load balancing distributes the testing of endpoints across all NAC 800 Enforcement servers in a cluster. NAC 800 uses a hashing algorithm based on MAC or IP addresses to divide the endpoints between the Enforcement servers. If the MAC address is unavailable (untestable endpoint), the IP address is used to determine which ES should test an endpoint.
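The guide does not publish the hash NAC 800 uses, so the following Python example (added here; it is not NAC 800 code) illustrates the behaviour described above with an assumed function: the key is the MAC address when it is known and the IP address otherwise, and each endpoint goes to the Enforcement server with the highest hash score for that key (rendezvous hashing). The server names and the endpoint sample are made up. The rebalance() check shows the property a high-availability cluster wants from its hash: when one ES becomes unavailable, only the endpoints that ES was testing move, and every other endpoint keeps its server.

```python
"""Illustrative endpoint-to-ES assignment (added example, not NAC 800 code)."""
import hashlib

# Assumed Enforcement server names for the example cluster.
SERVERS = ["es1.example.net", "es2.example.net", "es3.example.net"]


def endpoint_key(mac, ip):
    """Hash key: the MAC address when it is known, the IP address otherwise
    (the fallback the guide describes for untestable endpoints)."""
    return mac.lower() if mac else ip


def _score(key, server):
    return hashlib.sha1(f"{key}|{server}".encode()).digest()


def assign_es(key, servers):
    """Rendezvous (highest-random-weight) hashing: every live server scores
    the key and the top score wins. Assumed algorithm, chosen because
    removing a server only reassigns the endpoints that server held."""
    if not servers:
        raise ValueError("no Enforcement server available")
    return max(servers, key=lambda s: _score(key, s))


def distribution(keys, servers):
    """How many endpoints each ES would test."""
    counts = {s: 0 for s in servers}
    for k in keys:
        counts[assign_es(k, servers)] += 1
    return counts


def rebalance(keys, before, after):
    """Endpoints whose ES changes when the server list goes from `before`
    to `after`, as {key: (old_es, new_es)}."""
    moved = {}
    for k in keys:
        old, new = assign_es(k, before), assign_es(k, after)
        if old != new:
            moved[k] = (old, new)
    return moved


def sample_endpoints(n=300):
    """Constructed endpoints: every fifth one has no MAC (untestable)."""
    keys = []
    for i in range(n):
        mac = None if i % 5 == 0 else f"00:1a:4b:00:{i >> 8:02x}:{i & 0xff:02x}"
        ip = f"10.20.{i >> 8}.{i & 0xff}"
        keys.append(endpoint_key(mac, ip))
    return keys


if __name__ == "__main__":
    keys = sample_endpoints()
    print("all servers up:", distribution(keys, SERVERS))
    live = [s for s in SERVERS if s != "es2.example.net"]
    moved = rebalance(keys, SERVERS, live)
    print(f"es2 down: {len(moved)} endpoints move, e.g.", list(moved.items())[:2])
    print("after failover:", distribution(keys, live))
```

A plain hash-mod-N scheme would satisfy the distribution check but not the failover one: dropping one of three servers changes the modulus and re-homes most endpoints, which in a NAC cluster means most endpoints are retested by a new ES at once.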
9 Inline Quarantine Method

Chapter Contents
Inline . . .

Inline

Inline is the most basic NAC 800 installation. When deploying NAC 800 inline, NAC 800 monitors and enforces all endpoint traffic. When NAC 800 is installed in a single-server installation, NAC 800 becomes a Layer 2 bridge that requires no changes to the network configuration settings.

ES becomes unavailable, the switch reconnects so that there is always a path from the VPN to an ES. All of the ES firewalls continuously stay in sync with each other.

Figure 9-1. Inline Installations

TIP: You can install NAC 800 at any "choke point" in your network; a VPN is not required.
10 DHCP Quarantine Method

Chapter Contents
Overview
Configuring NAC 800 for DHCP
Setting Up a Quarantine Area
Router Configuration

Overview

When configured with a Dynamic Host Configuration Protocol (DHCP) quarantine area, all endpoints requesting a DHCP IP address are issued a temporary address on a quarantine subnetwork. Once the endpoint is allowed access, the IP address is renewed and the main DHCP server assigns an address on the main LAN. With a multiple subnetwork or VLAN network, one quarantine area must be configured for each subnetwork. Because enforcement depends on the endpoint taking a DHCP lease, a host configured with a static address on the production subnetwork is never placed in the quarantine area; the router ACLs described under Router Configuration limit what a quarantined address can reach, not what an unmanaged static address can do.

Figure 10-1.

Configuring NAC 800 for DHCP

The primary configuration required for using NAC 800 and DHCP is setting up the quarantine area (see "Setting Up a Quarantine Area" on page 10-4). You should also review the following topics related to quarantining endpoints:
■ Endpoint quarantine precedence (see "Endpoint Quarantine Precedence" on page 7-2).
■ Untested endpoints (see "Untestable Endpoints and DHCP Mode" on page 7-18).

Configuring the Router ACLs

In order to sufficiently restrict access to and from the quarantine area, you must configure your router Access Control Lists (ACLs) as follows:
■ Allow traffic to and from the NAC 800 server and the quarantined network.
■ If you want to allow access to other endpoints outside of the quarantine area (for example a Software Update Service (SUS) server), allow access to the server and port to and from the quarantined network.
■ Deny all other traffic from the quarantined network, including traffic to the production LAN and to other quarantine subnetworks; the allow entries above only restrict anything when they sit in front of an explicit deny (or the router's implicit deny at the end of the ACL).
11 802.1X Quarantine Method

Chapter Contents
About 802.1X . . . 11-2
NAC 800 and 802.1X . . . 11-4
Setting Up the 802.1X Components . . . 11-7
Setting up the RADIUS Server . . . 11-7
Enabling NAC 800 for 802.1X . . .

About 802.1X

802.1X is a port-based authentication protocol; in wireless deployments it is also used to deliver dynamically changing encryption keys. It has three components:
■ Supplicant – The client; the endpoint that wants to access the network.
■ Authenticator – The access point, such as a switch, that prevents access when authentication fails. The authenticator can be simple and dumb.

2. The AP (authenticator) opens a port for EAP messages, and blocks all others.
3. The AP (authenticator) requests the client's (supplicant's) identity.
4. The Client (supplicant) sends its identity.
5. The AP (authenticator) passes the identity on to the authentication server.
6. The authentication server performs the authentication and returns an accept or reject message to the AP (authenticator).
7.
NAC 800 and 802.1X

When configured as 802.1X-enabled, NAC 800 can be installed with three different configurations depending on your network environment:
■ Microsoft IAS and NAC 800 IAS Plug-in – With this method, the switch is configured with the IAS server IP address as the RADIUS server host. When the switch performs the RADIUS authentication, IAS authenticates the user.

Figure 11-2. NAC 800 802.

Figure 11-3. 802.
Setting Up the 802.1X Components

In order to use NAC 800 in an 802.1X environment, ProCurve recommends configuring your environment first, then installing and configuring NAC 800. This section provides instructions for the following:
■ "Setting up the RADIUS Server" on page 11-7
■ "Enabling NAC 800 for 802.

Microsoft® Windows Server™ 2003 Internet Authentication Service (IAS) is Microsoft's implementation of a Remote Authentication Dial-In User Service (RADIUS) server. This section provides instructions on configuring this server to use with NAC 800. For details on the Windows Server 2003 IAS, refer to the following link:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/ias.

Figure 11-4. Windows Components Wizard Window

3. Select the Networking Services check box.
4. Click Details. The Networking Services window appears, as shown in the following figure.

Figure 11-5.

5. Select the check box for Internet Authentication Service and any other Windows Internet Authentication Service (IAS) components you want to install.
6. Click OK.
7. Click Next.
8. Click Finish.
9. Install any IAS and 802.1X updates that are available: http://www.microsoft.com/downloads/search.aspx?displaylang=en

Configuring the Microsoft IAS RADIUS server

For an explanation of how the components communicate, see "NAC 800 and 802.
4. Configure the RADIUS server parameters:

Figure 11-6. IAS, Register Server in Active Directory Window

   a. Right-click on Internet Authentication Service (local).
   b. Select Properties (figure 11-7). The Properties window appears (figure 11-8).

Figure 11-7.

Figure 11-8. IAS, Properties Window

   c. General tab –
      i. Enter a descriptive name in the Server Description text box. For example, IAS.
      ii. Select the Rejected authentication requests check box.
      iii. Select the Successful authentication requests check box.
   d. Ports tab –
      i. Enter the authentication port number(s) in the Authentication text box. The authentication port (1812) is used to verify the user.
      ii.

Figure 11-9. IAS, New Client, Name and Address Window

   c. Enter a descriptive name for the Friendly name, such as Foundry.
   d. Enter the IP address of the authenticator in the Client address text box.
   TIP: Click Verify to test the connection.
   e. Click Next.

Figure 11-10. IAS, New Client, Additional Information Window

   f. Select RADIUS Standard from the Client Vendor drop-down list.
   g. Enter a password in the Shared secret text box. This password also needs to be entered when you configure the authenticator. The shared secret is the only thing that authenticates the switch to IAS and it keys the Message-Authenticator check, so use a long random value that is unique to each authenticator.
   h. Re-enter the password in the Confirm shared secret text box.
   i. Select the Request must contain the Message Authenticator attribute check box.
   j. Click Finish.
6.
Figure 11-11. IAS, New Remote Access Policy

   d. Select the Use the wizard radio button.
   e. Enter a meaningful name in the Policy Name text field.
   f. Click Next.

Figure 11-12.

   g. Select the Ethernet radio button. (The Ethernet option will not work for authenticating wireless clients with this policy.)
   h. Click Next.

Figure 11-13. IAS, Remote Access Policy, Group Access

   i. You can configure your Access policy by user or group. This example uses the group method. Select the Group radio button.
   j. Click Add.

Figure 11-14. IAS, Remote Access Policy, Find Group

   k. Click Advanced.

Figure 11-15. Remote Access Policy, Select Group

   l. Click Find Now to populate the Search Results area.
   m. Select Domain Guests.
   n. Click OK.
   o. Click OK.
   p. Click Next.

Figure 11-16. IAS, Remote Access Policy, Authentication Method

NOTE: If you choose PEAP as your authentication mechanism in step q, see step 8 before completing step r and step s. Adding a certificate, if your server does not already have one, and configuring PEAP is explained in step 8.

   q. Select the EAP type from the drop-down list.
to request a certificate. If there is not a CA available, the certificate needs to be imported manually. To request a certificate from a Domain Certificate Authority:

Figure 11-17. Error Message

   a. Open the Microsoft management console by choosing Start>>Run and entering mmc.
   b. Choose File>>Add/Remove Snap-in.
   c. Click Add.
   d. Choose the certificates snap-in and click Add.
   e. Select Computer account and click Next.
   f.

right-click on the template, select properties, and change the permissions for your user) on the certificate authority. The Computer or RAS and IAS templates both work.
   k. Once the certificate is granted by the certificate authority, return to the IAS policy editor to continue the setup.
   l. Click Configure to configure the certificate for use with the PEAP authentication method. The Protected EAP Properties window appears (figure 11-18).
   m.

9. Configure the new Remote Access Policy.

Figure 11-19. IAS, Remote Access Policy, Properties

   a. Select Remote Access Policies.
   b. In the right pane, right-click the new policy name and select Properties. The Guest Policy Properties window appears:

Figure 11-20.

   c. Click Edit Profile. The Edit Dial-in Profile window appears.
      i. Authentication tab – Select the check boxes for the authentication methods you will allow. This example does not use additional selections.
      ii. Advanced tab – Add three RADIUS attributes:
      TIP: The attributes you select might be different for different switch types. Contact ProCurve Networking by HP if you would like assistance.
         1) Click Add.

Figure 11-21.

         11) In the Enter the attribute value area, select the String radio button and type the VLAN ID (usually a number such as 50) in the text box.
         12) Click OK.
         13) Click OK.
         14) Select Tunnel-Type. (Adding the third of the three attributes.)
         15) Click Add.
         16) Click Add again on the next window.
         17) From the Attribute value drop-down list, select Virtual LANs (VLAN).
         18) Click OK.
         19) Click OK.
         20) Click OK.
10.

Figure 11-22. IAS, Remote Access Logging Properties

   d. Settings tab – Select any of the request and status options you are interested in logging.
   e. Log file tab –
      i. In the Format area, select the IAS radio button.
      ii. In the Create a new log file area, select a frequency, such as Daily.
      iii. Select the When disk is full, delete older log files check box.
      iv. Click OK.
12.
endpoint. Depending on the posture of the endpoint, the plug-in can return RADIUS attributes to your switch instructing it into which VLAN to place an endpoint. The following figure illustrates this process:

Figure 11-23. NAC 800-to-IAS Connector

   a. Copy the following NAC 800 IAS Connector files from the NAC 800 CD-ROM (/support directory) to the WINDOWS/system32 directory on your Windows Server 2003 machine.
      support/ias/SAIASConnector.

Figure 11-24. IAS, Add/Remove Snap-in

      v. Select File>>Add/Remove Snap-in.
      vi. Click Add.

Figure 11-25. IAS, Add/Remove Snap-in, Certificates

      vii. Select Certificates.
      viii. Click Add.
      ix. Select the Computer account radio button.
      x. Click Next.
      xi. Select the Local computer: (the computer this console is running on) radio button.
      xii. Click Finish.
      xiii. Click Close.
      xiv. Click OK.

Figure 11-26. IAS, Import Certificate

      xv. Right-click on Console Root>>Certificates (Local Computer)>>Trusted Root Certificate Authorities.
      xvi. Select All tasks>>Import.
      xvii. Click Next.
      xviii. Click Browse and choose the certificate.

authenticate. For each posture received, a different RADIUS response to the switch can be configured using RADIUS attributes. This response determines into what VLAN the endpoint is placed.
Healthy – The endpoint passed all tests, or no failed tests were configured to quarantine.
Checkup – The endpoint failed a test and the action is configured to grant temporary access.

; These timeouts should be coordinated with the RADIUS server and switch timeouts for authentication.

; in the RadiusAttribute settings above.
;
;
; TO DO - Use these settings for Extreme switches. Change the Value setting to match the VLAN names on your switch.
;
[Healthy]
Type=26
VendorId=1916
VendorType=203
DataType=1
Value=Healthy

[Quarantine]
Type=26
VendorId=1916
VendorType=203
DataType=1
Value=Quarantine

[Unknown]
Type=26
VendorId=1916
VendorType=203
DataType=1
Value=Guest
;
; Use the following settings for all non-Extreme switches.
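The three attributes added in the IAS profile earlier (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), the Extreme vendor-specific attribute in the connector file above, and the Tunnel-* lines in the FreeRADIUS users file later in this section all end up as RADIUS attribute TLVs in the Access-Accept the switch receives. The following Python example (added here; it is not NAC 800, IAS or FreeRADIUS code) encodes them as they appear on the wire, following RFC 2868 and RFC 3580, and decodes them back, which is what you need when reading a RADIUS capture to confirm the switch was told the right VLAN. Assumptions: tag 0 for the tagged attributes (the usual value when no tag is configured), and that DataType=1 in the connector file means a string, which is how its Value settings read.

```python
"""Encode/decode the RADIUS attributes that carry a VLAN assignment.
Added example; not NAC 800, IAS or FreeRADIUS code."""
import struct

VENDOR_SPECIFIC = 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # RFC 3580: Tunnel-Medium-Type = IEEE-802
EXTREME_VENDOR_ID = 1916       # VendorId in the connector file
EXTREME_NETLOGIN_VLAN = 203    # VendorType in the connector file (assumed string-valued)
NAMES = {TUNNEL_TYPE: "Tunnel-Type", TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
         TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-ID"}


def _avp(atype, payload):
    """Type (1 byte) | Length (1 byte, includes this header) | Value."""
    if len(payload) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(payload) + 2]) + payload


def tunnel_integer(atype, value, tag=0):
    """Tagged integer (RFC 2868): one tag byte, then a 3-byte value."""
    return _avp(atype, bytes([tag]) + value.to_bytes(3, "big"))


def tunnel_string(atype, text, tag=0):
    """Tagged string (RFC 2868): one tag byte (0..0x1F), then the string."""
    return _avp(atype, bytes([tag]) + text.encode())


def vlan_attributes(vlan, tag=0):
    """The three attributes for non-Extreme switches; `vlan` is the VLAN ID
    (50 in the IAS steps) or, for CatOS, the VLAN name."""
    return (tunnel_integer(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tunnel_integer(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + tunnel_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan), tag))


def extreme_vlan_attribute(vlan_name):
    """Vendor-Specific: Vendor-Id (4) | Vendor-Type (1) | Vendor-Length (1) | value."""
    inner = bytes([EXTREME_NETLOGIN_VLAN, len(vlan_name) + 2]) + vlan_name.encode()
    return _avp(VENDOR_SPECIFIC, struct.pack(">I", EXTREME_VENDOR_ID) + inner)


def decode_attributes(data):
    """Walk the TLVs and return [(name, value)], rejecting malformed lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        body = data[i + 2:i + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out.append((NAMES[atype], (body[0], int.from_bytes(body[1:], "big"))))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 section 3.6: a first byte above 0x1F is data, not a tag.
            if body[0] <= 0x1F:
                out.append((NAMES[atype], (body[0], body[1:].decode())))
            else:
                out.append((NAMES[atype], (0, body.decode())))
        elif atype == VENDOR_SPECIFIC:
            vendor = struct.unpack(">I", body[:4])[0]
            vtype, vlen = body[4], body[5]
            out.append(("Vendor-Specific", (vendor, vtype, body[6:4 + vlen].decode())))
        else:
            out.append((atype, body))
        i += alen
    return out


if __name__ == "__main__":
    for blob in (vlan_attributes(50), extreme_vlan_attribute("Healthy")):
        print(blob.hex(), "->", decode_attributes(blob))
```

Feed decode_attributes() the attribute bytes from a captured Access-Accept (everything after the 20-byte RADIUS header) to see exactly which VLAN the server told the switch to use; a switch that lands an endpoint in the wrong VLAN is usually getting a Tunnel-Private-Group-ID it does not know (a number where it expects a name, as in the Cisco CatOS note later in this section) or a vendor attribute meant for a different switch family.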
      ix. Type AuthorizationDLLs for the name and press Enter on the keyboard.
      x. Right-click AuthorizationDLLs, and select Modify.
      xi. Enter the following value in the Value Data text box:
          C:\Windows\System32\SAIASConnector.dll
      xii. Click OK.
   c. Restart the IAS server (Start>>Settings>>Control Panel>>Services>>Internet Authentication Services>>Restart). A log file (SAIASConnector.log) is created in the WINDOWS\system32 directory for debugging purposes. An authorization DLL runs inside the IAS service process, so protect the DLL, its configuration file and this registry value with the same ACLs as the IAS binaries, and treat the log as sensitive: it is written for debugging and may contain the user names and posture results the connector processed.

      iv. Click Open.
      v. Right-click Default Domain Policy and select Edit (click OK if you get a global changes pop-up message).

Figure 11-28. Active Directory, Store Passwords

      vi. Navigate to Computer Configuration>>Windows Settings>>Security Settings>>Account Policies>>Password Policy.
      vii. Select Password Policy.
      viii. Right-click Store passwords using reversible encryption.
      ix. Select the Enabled check box.
      x. Click OK.
      xi.

CAUTION: Reversible encryption stores a recoverable copy of every password that is changed while the setting is in effect, for every account the policy covers. It is needed only by methods that must see the cleartext password (EAP-MD5 / CHAP); MS-CHAPv2 and PEAP-MSCHAPv2 do not require it. If you must enable it, set it on the specific user accounts (step 16) rather than in the Default Domain Policy, and prefer PEAP for production use.

16. Configure user accounts for Dial-in access and Password Reversible Encryption:
   a. From the Windows Server 2003 machine, select Start>>Settings>>Control Panel>>Administrative Tools>>Active Directory Users and Computers.
   b. Click the plus symbol next to the domain to expand the selection.
   c. Select the Users folder.

Figure 11-29. Active Directory Users and Computers Window

   d. Right-click a user name and select Properties.

Figure 11-30. Active Directory, User Account Properties

   e. Select the Dial-in tab.
   f. In the Remote Access Permission area, select the Allow Access radio button.
   g. Select the Account tab.
   h. Verify that you are using Microsoft's version of the challenge-handshake authentication protocol (CHAP), MS-CHAPv2.
Proxying RADIUS Requests to an Existing RADIUS Server Using the Built-in NAC 800 RADIUS Server

TIP: For an explanation of how the components communicate, see "NAC 800 and 802.1X" on page 11-4.

To configure NAC 800 to proxy RADIUS requests to an existing RADIUS server:
1. To configure the RADIUS server to proxy requests to your existing RADIUS server:
   a. Log in to the ES as root via SSH.
   b.

3. Configure the SAFreeRADIUSConnector.conf file with the appropriate RADIUS attributes and VLANs. See the comments in the following sample file for instructions.
4. Test the RADIUS server proxy:
   radtest

Using the Built-in NAC 800 RADIUS Server for Authentication

If you selected the Manual End-user authentication method in the Authentication settings area of the System configuration>>Quarantining>>802.1X window, configure NAC 800 according to the instructions in this section.

NOTE: When using the Cisco® Catalyst® 6509 with the Catalyst operating system (CatOS), you need to refer to the VLAN by name, and not by number as shown in the following sample file. For example, use "Tunnel-Private-Group-ID := User_Seg_PA," instead of "Tunnel-Private-Group-ID := 50,".
#
#"RadiusAttributes-"
#    Tunnel-Medium-Type := 6,
#    Tunnel-Private-Group-ID := 15,
#    Tunnel-Type := VLAN,

Enabling NAC 800 for 802.1X

To enable NAC 800 for use in an 802.1X network, you need to select it in the console, and make a few changes to the properties using JMS and an XML file.

NAC 800 Console Configuration

To enable 802.1X in the NAC 800 console:
1.

   • local – In simple configurations, it is possible to span, or mirror, the switch port into which the DHCP server is connected. The eth1 interface of the Enforcement server is then plugged into the spanned port and endpoint traffic is monitored on the eth1 interface. In this case, choose the local option.
3. Click OK.

Setting Up the Supplicant

Now you must enable the endpoint for 802.1X.

Figure 11-32. IAS, Windows Client Authentication

3. General tab –
   a. Select the Show icon in notification area when connected check box. This enables the Windows XP balloon help utility, which can assist you when entering information and troubleshooting errors.
4. Authentication tab –
   a. Select the Enable IEEE 802.1X authentication for this network check box.
   b. Select an EAP type from the drop-down list.

Windows Main Window>>Start>>Settings>>Control Panel>>Administrative Tools>>Services

1. Wireless Zero Configuration (this service needs to be started; if it is not already running, right-click on the service named Wireless Zero Configuration and click Start).
2. Right-click on Local Area Connection. The Local Area Connection window appears, as shown in Figure 11-32 on page 11-45.
3.

   a. Select the Show icon in notification area when connected check box. This enables the Windows XP balloon help utility, which can assist you when entering information and troubleshooting errors.
5. Authentication tab –
   a. Select the Enable IEEE 802.1X authentication for this network check box.
   b. Select an EAP type from the drop-down list. For this example, select MD5-Challenge.

NOTE: MD5-Challenge (EAP-MD5) is suitable for a lab walkthrough only: it does not authenticate the server, produces no keying material, requires the reversible-encryption password setting configured earlier, and a captured challenge/response can be attacked offline with a dictionary. Use PEAP for production deployments.
set port dot1x 2/15 guest-vlan 40
set port dot1x 2/17 guest-vlan 40
set port dot1x 2/18 guest-vlan 40
set port dot1x 2/19 guest-vlan 40

Enterasys® Matrix 1H582-25

! dot1x
set dot1x auth-config authcontrolled-portcontrol forcedauth fe.0.5-24
set dot1x auth-config maxreq 10000 fe.0.1-4
set dot1x auth-config keytxenabled true fe.0.1-4
set dot1x enable
!
! radius
set radius timeout 30
set radius server 1 10.11.100.

enable netlogin port 36 vlan Temp
enable netlogin port 37 vlan Temp
enable netlogin port 38 vlan Temp
enable netlogin port 39 vlan Temp
enable netlogin port 40 vlan Temp
configure netlogin redirect-page "https://10.10.100.100:89"

ExtremeWare

TIP: When authenticating via the onboard FreeRADIUS server, you need to add the administrative line in the RADIUS users file.

TIP: Change the admin password to a non-blank password.

100 supp-resp-timeout 30
configure netlogin dot1x eapol-transmit-version v1
configure netlogin dot1x guest-vlan Guest
enable netlogin logout-privilege
enable netlogin session-refresh 3
configure netlogin base-url "network-access.com"
configure netlogin redirect-page "http:// www.extremenetworks.

Enter Wireless configuration commands, one per line.
aaa accounting network start-stop radius
aaa authentication port-access eap-radius
aaa port-access authenticator 1-8
aaa port-access authenticator 1-8 auth-vid 100
aaa port-access authenticator 1-8 unauth-vid 101
aaa port-access authenticator active

Nortel® 5510

NOTE: When the Nortel switch is used in unstacked mode, a range of ports is defined as 1-24.
12 Reports

Chapter Contents
Report Types
Generating Reports
Viewing Report Details
Printing Reports
Saving Reports to a File

Report Types

NAC 800 generates the following types of reports:

Table 12-1. Report Types and Fields

Report: NAC policy results
Description: Lists each NAC policy and the last pass/fail policy results
Report columns: policy name, test status, # of times, % of total, details

Report: Endpoint list
Description: Lists each endpoint and the last pass/fail policy results
Report columns: mac address, ip address, cluster, netbios, user, test status

Report: Test details
Description: Comprehensive list of all test results, including remediation messages.

Report: Test results by NetBIOS name
Description: Lists the number of tests that passed or failed for each netbios name.
Report columns: netbios, cluster, ip address, user, test status, # of times, % of total, details

Report: Test results by user
Description: Lists the number of tests that passed or failed for each user.
Report columns: user, cluster, ip address, netbios, test status, # of times, % of total, details
Reports Generating Reports Generating Reports To generate a report: NAC 800 Home window>>Reports The following figure shows the Reports window. Figure 12-1. Reports Window 12-4 1. In the Report drop-down list, select the report to run. 2. Select the Report period. 3. Select the Rows per page. 4. In the Endpoint search criteria area, select any of the following options to use for filtering the report: a. Cluster b. Endpoint NetBIOS c. Endpoint IP address d. Endpoint MAC address e.
Reports Generating Reports ii. 5. Any of the selected criteria Select Generate report. After a short period of time the compiled report is displayed in a separate browser window. The following figure shows an example report. Figure 12-2. NAC Policy Results Report CAUTION: The reports capability uses pop-up windows; if you have blocked pop-up windows in your browser, you will not be able to view reports. See “Pop-up Windows” on page B-2 for more information.
Reports Viewing Report Details Viewing Report Details To view report details: NAC 800 Home window>>Reports 1. Select the options for the report you want to run. 2. Click Generate report. 3. Click the details link. The Test details window appears: Figure 12-3.
Printing Reports

To print a report:

NAC 800 Home window>>Reports

1. Select the options for the report you want to run.
2. Click Generate report.
3. Select Print.
4. Select the printer options and properties.
5. Select Print.
Saving Reports to a File

To save a report:

NAC 800 Home window>>Reports

1. Select the options for the report you want to run.
2. Click Generate report.
3. Select File>>Save Page As from the browser menu.
4. Enter a name and location where you want to save the file.
5. Select Web page, complete.
6. Click Save. The file is saved as an HTML file that can be viewed in a browser window.
Converting an HTML Report to a Word Document

To convert an HTML report:

1. Run the report (see “Generating Reports” on page 12-4).
2. Save an HTML version of it (see “Saving Reports to a File” on page 12-8).
3. Open the HTML report in Microsoft Word.
4. Select File>>Save as.
5. In the Save as type drop-down list, select .doc.
6. Click Save. This creates a standalone file that retains all of its graphics and formatting.
7.
13 System Administration

Chapter Contents

Launching NAC 800  13-3
   Launching and Logging into NAC 800  13-3
   Logging out of NAC 800  13-3
   Important Browser Settings  13-3
Downloading New Tests
Resetting the NAC 800 Database Password
Changing the NAC 800 Administrator Password
Working with Ranges
Creating and Replacing SSL Certificates
   Creating a New Self-signed Certificate
Launching NAC 800

Launching and Logging into NAC 800

To launch and log into NAC 800:

Browser window on the workstation

1. Using https://, point your browser to the NAC 800 Management Server (MS) IP address or host name. The login page appears.
2. Enter the User name and Password that you defined the first time you logged in.
3. Click log in. The NAC 800 Home window appears.
Downloading New Tests

To download the latest tests from the ProCurve server:

NAC 800 Home window>>System configuration>>Test updates>>Check for test updates button

TIP: If you are not receiving test updates, try the following checks:
- Verify that the system time is correct.
- Attempt to connect using telnet. At a command prompt on the MS, enter:
  telnet update.hp.com 443
  If you do not get a “connected” response, the firewall might be blocking the traffic.
System Settings

Matching Windows Domain Policies to NAC Policies

Using a Windows domain might affect the end-user’s ability to change their system configuration to pass the tests. For example, in a corporate environment, each machine gets its domain information from the domain controller, and the user is not allowed to change any of the related settings, such as receiving automatic updates and other IE security settings.
   • quarantine all – No access is granted, but endpoints are still tested
2. Click ok.

Naming your Enforcement Cluster

To name your Enforcement cluster:

NAC 800 Home window>>System configuration>>Enforcement clusters & servers>>Select an Enforcement cluster

1. In the Cluster name text field, enter a name. Choose a name that describes the cluster, such as a geographic location (like a street or city name), a building, or your company name.
2. Click ok.
No arguments – The system is reset to the same type (either a single-server installation with the MS and ES on the same server, an MS, or an ES), the database is cleared, and the property files are restored to their defaults
ms – The system is reset to be an MS, the database is cleared, and the property files are restored to their defaults
es – The system is reset to be an ES, the database is cleared, and the property files are restored to their defaults.
• is one of:
  -f   Filename of lines containing key=value
       Standard input containing key=value
  =    One or more key=value settings
  Note: a of '-' will delete the property

Specifying an Email Server for Sending Notifications

NAC 800 Enforcement clusters send alerts and notifications when certain events occur. You must specify an SMTP email server for sending these notifications.
Entering Networks Using CIDR Format

Networks and network endpoints can be specified in NAC 800 using Classless Inter-Domain Routing (CIDR) format. CIDR is a commonly used method for specifying Internet objects. Table 13-1 presents common CIDR naming conventions.

Table 13-1. Common CIDR naming conventions

Block   Netmask            Networks                      Hosts
/32     255.255.255.255    1/256 of a Class C Network    1
/31     255.255.255.254    1/128                         2
/30     255.255.255.252    1/64                          4
/29     255.255.255.248    1/32                          8
/28     255.
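The following is an added Python example, not NAC 800 code: it computes the rows of Table 13-1 from a prefix length and then applies CIDR blocks the way the "Ranges to monitor" and "Ranges to ignore" settings are described later in this chapter (ignored ranges are not tested; monitor ranges only filter the display). The 10.241.88.x addresses, the range strings and the ignore-before-monitor precedence are constructed assumptions of the example.

```python
"""CIDR helpers for the NAC 800 range settings (added example, not NAC 800 code)."""
import ipaddress


def cidr_row(prefix):
    """Compute one row of Table 13-1 for an IPv4 block of the given length.

    'networks' follows the table's convention: a fraction of a Class C (/24)
    for blocks smaller than a Class C, otherwise the number of Class C
    networks the block spans. 'hosts' is the address count, as the table
    counts it (/31 has 2, /30 has 4).
    """
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    net = ipaddress.ip_network("0.0.0.0/%d" % prefix)
    if prefix > 24:
        networks = "1/%d" % (2 ** (prefix - 24))
    else:
        networks = "%d" % (2 ** (24 - prefix))
    return {
        "block": "/%d" % prefix,
        "netmask": str(net.netmask),
        "networks": networks,
        "hosts": net.num_addresses,
    }


def parse_ranges(spec):
    """Parse a comma-separated list of CIDR blocks.

    The comma-separated format is a constructed assumption; the guide only
    says ranges are entered in CIDR notation. strict=False accepts a block
    written with host bits set, e.g. 10.241.88.5/24.
    """
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if item:
            ranges.append(ipaddress.ip_network(item, strict=False))
    return ranges


def classify_endpoint(ip, ranges_to_monitor, ranges_to_ignore):
    """Apply the two range settings as the guide describes them.

    Ranges to ignore are not tested at all; they are checked first here,
    which is an assumption of this example. Ranges to monitor only filter
    what is displayed, so an endpoint outside them is still tested.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in r for r in ranges_to_ignore):
        return "ignored"
    if any(addr in r for r in ranges_to_monitor):
        return "tested, displayed"
    return "tested, not displayed"


if __name__ == "__main__":
    for p in (32, 31, 30, 29, 28, 24, 16):
        print(cidr_row(p))
    # Constructed settings: monitor a /24, ignore its upper half.
    monitor = parse_ranges("10.241.88.0/24")
    ignore = parse_ranges("10.241.88.128/25")
    for ip in ("10.241.88.5", "10.241.88.200", "10.241.89.7"):
        print(ip, "->", classify_endpoint(ip, monitor, ignore))
```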
Database

Creating a Backup File

To create a backup file of system configuration and data:
See “Initiating a New Backup” on page 3-91.

Restoring from Backup

To restore system configuration and data from a backup file:

NOTE: You must have backed up your system at least one time before you can restore from a backup.

NAC 800 Home window>>System configuration>>Maintenance

1. Click restore system from backup file. The Restore system window appears:

Figure 13-1.

4. The system data is restored and the login window appears:

Figure 13-2. Login Window

Restoring the Original Database

CAUTION: Running this script resets your entire system, not just the database. See “Resetting your System” on page 13-6 for more information.

To reset a NAC 800 database to its pristine state:

Command window

1. Log in as root to the NAC 800 MS using SSH.
2. Enter the following commands:
   resetSystem.
Supported VPNs

NAC 800 works with any VPN endpoint, since NAC 800 does not directly interface or inter-operate with VPN endpoints.
Adding Custom Tests

Introduction

NAC 800 is an efficient, flexible and extensible testing platform. All tests are implemented in the object-oriented programming language Python. Python is a well-respected, clean, and efficient scripting language. Because the language is object-oriented and the NAC 800 test platform is extensible, new tests can be developed easily.
1. Log in as root to the NAC 800 server using SSH.
2. Open the /sampleTests/myCheckSoftwareNotAllowed.py file on the NAC 800 CD in a text editor.
3. Examine the code. The comments explain each section of code. The following example shows the contents of the file.

#!/usr/bin/python
from checkSoftwareNotAllowed import CheckSoftwareNotAllowed

#
# This allows a script to be tested from the command line.

    #
    # All test classes must define the runTest method with the self and debug
    # parameters
    #
    def runTest(self, debug=0):
        #
        # Get the result hash from the CheckSoftwareNotAllowed test
        # and modify the result message based on the result code.
        #
        result = CheckSoftwareNotAllowed.runTest(self, debug)
        if result["result_code"] == "fail":
            result["result_message"] = "The MyCheckSoftwareNotAllowed test failed.
CAUTION: When updating or modifying files, use the Custom directory tree (Custom/BaseClasses, Custom/Tests). The Custom directory tree is a mirror (with symbolic links) to the live test tree (scripts/BaseClasses and scripts/Tests). The live tree is not modified directly, but is modified with the installCustomTests script and the RPM mechanism.

8.
00:22:34 DEBUG TCP consumer thread starting
00:22:34 DEBUG Created temporary queue: TemporaryQueue-{TD{ID:perf-ms1-406121162365754580-1:0}TD}ID:perf-ms1-40612-1162365754580-6:0
00:22:34 DEBUG Sending request: UPDATE_DATA /tmp/customUpdatePkg.29285.tar.

00:22:36 DEBUG Message received: ACTIVEMQ_TEXT_MESSAGE: id = 0 ActiveMQMessage{ , jmsMessageID = ID:perf-ms1-51331-1162363440379-15:3, bodyAsBytes = org.activemq.io.util.
#!/usr/bin/python
from BaseClasses.SABase import SABase as SABase

#
# This allows a script to be tested from the command line.
#
if __name__ == '__main__':
    import testTemplate
    t = testTemplate.TestTemplate()
    t.processCommandLine()

#
# The class definition. All classes must be derived from the SABase class.
#
class TestTemplate(SABase):
    #
    # Make up a test id. Just make sure it doesn't match any existing test ids.
    #
    testId = "TestId"

    #
    # Make up test name.

    #
    # Assign the test to an existing group or create a new group.
    # Groups are configured and created in the policies.xml file
    # section (See the Adding new groups section).
    #
    testGroupId = "TestGroup"

    #
    # This is the HTML that will be displayed in the test properties page
    # in the policy editor.
    #
    testConfig = \
    """
    Test Config HTML
    """

    #
    # These are any default values you want to assign to the input parameters
    # in the testConfig HTML.

    #
    # All tests must define the runTest method with the self and the debug
    # parameters.
    #
    def runTest(self, debug=0):
        #
        # All tests must call the initialize routine
        #
        self.initTest()

        #
        # Create a hash to store the return results.

        #
        # Always use the doReturn function; this allows superclass to add or modify
        # any items in the returnHash as necessary.
        #
        return(self.doReturn(returnHash))

Figure 13-5. testTemplate.py (cont.)

1. Use the template, as shown in figure 13-5, to create a new test script. As an example, the new test script is called checkOpenPorts.py, and it fails if any of the specified ports are open on the target host being tested.
2. Figure 13-6 shows the code for the new checkOpenPorts.py test. The file is included on the NAC 800 CD as /sampleTests/checkOpenPorts.py. Review the code. The comments explain each section of the code.

#!/usr/bin/python
from BaseClasses.SABase import SABase as SABase

#
# This allows a script to be tested from the command line.
#
if __name__ == '__main__':
    import checkOpenPorts
    t = checkOpenPorts.CheckOpenPorts()
    t.

    testConfig = \
    """
    Enter a list of ports that are not allowed to be open on the endpoint. Add ports separated by a comma. For example, 23,80.
    """

    #
    # Make up a summary for the test. This will show up in the description
    # field in the policy editor.
    #
    testSummary = "This test takes a list of ports that should NOT be found open on the remote host. If any port is found open, this test will fail. This script will only succeed if none of the undesired ports are found open."

    #
    # These are the arguments to run the test. This is displayed in the command
    # line help.

        try:
            ports = []
            if self.inputParams.has_key("ports_not_allowed"):
                ports = self.inputParams["ports_not_allowed"].split(",")
            else:
                # No ports not allowed, pass
                return(self.doReturn(returnHash))
            if debug:
                print "Checking ports " + str(ports) + " on host " + self.session.host()
            #
            # Do your test here. Modify the returnHash accordingly.
            #
            portsOpen = ""
            #
            # Use a Python socket to connect directly to the target host
            #
            import socket
            for p in ports:
                hp = self.session.

                    s.close()
                    if debug:
                        print "Connected to " + hp + ". Port open!"
                    #
                    # Add the port to our list of open ports for use later
                    #
                    portsOpen += str(p) + ","
                except:
                    if s is not None:
                        try:
                            s.close()
                        except:
                            pass
                    import sys
                    print "checkOpenPorts(host=" + self.session.host() + ", session=" + self.session.id() + "): ", sys.exc_type, sys.exc_value
                    if debug:
                        print "Could not connect to " + hp + ". Port not open.

4. Save any new classes as described in step 7 on page 13-15.
5. Push the new test out to all ESs as described in step 8 on page 13-16.
6. For the final test, connect to: http://:88 and test your Windows endpoint. If you have ports open that are not allowed, this test fails.

BasicTests API

Every NAC 800 test has a base functionality described as follows:

…
try:
    self.bt.
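The open-port check from checkOpenPorts.py, written here as an added stand-alone Python 3 example rather than the NAC 800 sample code: it parses the ports_not_allowed property, attempts a TCP connect to each port with a timeout (the sample has none, so a filtered port can stall the run), and returns a hash using the result_code and result_message keys the guide's tests use. The host argument, the ports_open key and the local listener used as a target are assumptions of this example, not part of the SABase API.

```python
"""Stand-alone version of the checkOpenPorts logic (added example, not NAC 800 code)."""
import socket


def parse_ports(ports_not_allowed):
    """Parse the ports_not_allowed property as typed in the policy, e.g. "23,80".

    Whitespace and empty items are ignored; a non-numeric or out-of-range
    entry raises ValueError so a typo in the policy fails loudly instead of
    silently passing the endpoint.
    """
    ports = []
    for item in ports_not_allowed.split(","):
        item = item.strip()
        if not item:
            continue
        port = int(item)
        if not 1 <= port <= 65535:
            raise ValueError("port out of range: %d" % port)
        ports.append(port)
    return ports


def port_is_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    sock = None
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        return True
    except OSError:
        # Refused, unreachable or timed out: treated as "not open".
        return False
    finally:
        if sock is not None:
            sock.close()


def check_open_ports(host, ports_not_allowed, timeout=2.0):
    """Build the result hash: pass unless one of the disallowed ports is open."""
    result = {"result_code": "pass", "result_message": "", "ports_open": []}
    ports = parse_ports(ports_not_allowed)
    if not ports:
        # Same behaviour as the sample script: nothing configured means pass.
        result["result_message"] = "No disallowed ports configured."
        return result
    open_ports = [p for p in ports if port_is_open(host, p, timeout)]
    if open_ports:
        result["result_code"] = "fail"
        result["ports_open"] = open_ports
        result["result_message"] = "Disallowed ports open on %s: %s" % (
            host, ",".join(str(p) for p in open_ports))
    else:
        result["result_message"] = (
            "None of the disallowed ports are open on %s." % host)
    return result


def start_local_listener(host="127.0.0.1"):
    """Open a listening socket on an ephemeral port (constructed test target).

    The caller reads the port from sock.getsockname()[1] and closes the
    socket when done; closing it makes the port refuse connections again.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, 0))
    sock.listen(5)
    return sock


if __name__ == "__main__":
    listener = start_local_listener()
    open_port = listener.getsockname()[1]
    print(check_open_ports("127.0.0.1", "%d" % open_port))
    listener.close()
    print(check_open_ports("127.0.0.1", "%d" % open_port))
```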
The BasicTests API accesses these functions with the SABase self.bt member. All methods throw an exception that should be caught if an unexpected error occurs.

Return Value   Public Method
String         getOs(debug=0)
               Retrieves the operating system of the targetHost.
String         getServiceStatus(list serviceNames, debug=0)
               Gets the status for a list of services. Returns a hash containing the result_data key. The value of this key is a hash with a key for each service in the serviceNames.
Boolean        getRegKeyExists(string key, debug=0)
               Check to see if a single key exists in the registry.

End-user Access Windows

The end-user access windows are completely customizable. You can enter general text through the NAC 800 interface and edit the file that contains the messages that are returned to the end-user.

TIP: If you need more end-user access window customization than is described in this Users’ Guide, please contact ProCurve Networking by HP.

Editing the end-user access window logo and general text: See “End-user Screens” on page 3-104.
How NAC 800 Handles Static IP Addresses

The following list details how NAC 800 handles static IP addresses:
■ Inline Mode – NAC 800 can detect, test, and quarantine static IP addresses. The end-user cannot circumvent a quarantine.
■ DHCP mode
   • NAC 800 can detect and test static IP addresses but cannot quarantine static IP addresses.

Managing Passwords

The passwords associated with your NAC 800 installation are listed in the following table:

Table 13-3. NAC 800 Passwords

NAC 800 password                            Set during                   Recovery process
NAC 800 Management or Enforcement server    Initial install process *    See “Resetting the NAC 800 Server Password” on page 13-36.
NAC 800 database                            Initial install process *    See “Resetting the NAC 800 Database Password” on page 13-37.
NAC 800 console, administrator account      Initial install process *
Novell eDirectory                           Manually entered after installation on the System configuration>>Quarantining>>802.1x Quarantine method radio button window.    Novell eDirectory password recovery is beyond the scope of this document.

* See the NAC 800 Installation Guide for the installation process.

6. Enter the following command:
   passwd
7. Enter a new password at the New Password prompt.
8. Press [ENTER].
9. Retype the password at the Retype new password prompt.
10. Press [b]. The password is changed.
11. Press [b] to continue booting.

Reset Appliance Mode

On the appliance’s LCD, reset the server mode (personality). See the installation guide for instructions on setting and changing the personality.

1. Create a text file with the following lines:
   Compliance.ObjectManager.AdminUser=
   Compliance.ObjectManager.AdminPassword=
   Compliance.UI.FirstTimeConfigCompleted=true
   Enter characters following the equal sign that are the password (for example, CwR0(tW).
2. Save the file and copy it to the NAC 800 server (either MS or ES).
3. Log into the NAC 800 server as root.
4. Enter the following command:
   setProperty.py -f
5.

Working with Ranges

In NAC 800 implementations, particularly in trial installations where you are connecting and disconnecting cables to a number of different types of endpoints, you can filter the activity by specifying the following:
■ Ranges to monitor – This property filters results in the display window; it does not keep NAC 800 from testing other systems.
■ Ranges to ignore – Does not test the ranges listed.

NOTE: When using Extreme switches, DHCP relay IP addresses to enforce will NOT work when the quarantine subnet is a subset of the production network. This is because Extreme switches forward the packets from the IP address closest to NAC 800 and not the IP address of the interface closest to the endpoint, so all the DHCPRelay packets will appear to come from a production network IP address. For example, the following scenario will not work:
NAC 800 IP: 10.241.88.

Creating and Replacing SSL Certificates

The Secure Sockets Layer (SSL) protocol uses encryption by way of certificates to provide security for data or information sent over HTTP. Certificates are digitally signed statements that verify the authenticity of a server for security purposes. They use two keys; one public key to encrypt information and one private key to decipher that information.
Creating a New Self-signed Certificate

To generate a private keystore containing a new private key/public certificate pair:

Command line window

1. Log in as root to the NAC 800 server via SSH.
2. Remove the existing keystore by entering the following at the command line:
   rm -f /usr/local/nac/keystore/compliance.keystore
3.

6. The keytool utility prompts you for the following information:
   Key password for key_alias – Do not enter a password; press [Return] to use the same password that was given for the keystore password.

Using an SSL Certificate from a known Certificate Authority (CA)

To generate a Certificate Signing Request (CSR) to be submitted to a Certificate Authority (CA):

1. Log in as root to the NAC 800 server via SSH.
2.

   the CA to which it pertains
   is the file containing the CA's root certificate
6. keytool prompts for the password for the cacerts file, which should be the default: changeit.
7. If you are prompted, enter yes to trust the certificate.
8.

Moving an ES from One MS to Another

If you have an existing ES, you can move it to a different MS by performing the steps in this section.

To move an ES to a different MS:

Command line window

1. Log in to the ES as root using SSH or directly with a keyboard.
2. Enter the following command at the command line:
   service nac-es stop
3. Log in to the MS console that currently manages the ES you want to move.
4.

Recovering Quickly from a Network Failure

If you have a network with a very large number of endpoints (around 3000 endpoints per ES), and your network goes down, perform the following steps to make sure that your endpoints can reconnect as quickly as possible:

1. Place all of the clusters that have a large number of endpoints in allow all mode:
   a.
   b. Click a cluster name.
   c. Select the allow all radio button.
   d. Click ok.
2.

A Tests Help

Chapter Contents

Overview  A-3
Security Settings – Windows  A-24
   Allowed Networks  A-24
   MS Excel Macros  A-24
   MS Outlook Macros
Windows 2000 Hotfixes  A-13
Windows Media Player Hotfixes  A-14
Windows Server 2003 SP1 Hotfixes  A-14
Windows Server 2003 Hotfixes  A-15
Windows XP SP2 Hotfixes

Overview

The tests performed on endpoints attempting to connect to the network are listed on the NAC 800 Home window>>NAC policies>>Select a NAC policy>>Tests. These tests are updated when you download the latest versions by selecting NAC 800 Home window>>System Configuration>>Test Updates>>Check for Test Updates. This appendix describes tests available to NAC policies.

Browser Security Policy – Windows

The Browser security policy tests verify that any endpoint attempting to connect to your system meets your specified security requirements. Browser vulnerabilities are related to cookies, caches, and scripts (JavaScript, Java, and Active scripting / ActiveX).
You can specify generally what level of security to enforce (High, Medium, Medium-low, or Low) or you can specify exactly what feature to allow or disallow.

Item: JavaScript
Description: JavaScript is a scripting language used to enhance Web pages. JavaScript programs are embedded in Web pages and enable active functionality; for example, JavaScript allows you to create images that change when you move the mouse over them and clocks with moving parts. The following links provide more detailed information about JavaScript:
• http://www.javascript.com/
• http://javascript.internet.com/
• http://www.javascriptkit.

How Does this Affect Me?
Older browsers may not have adequate security or fixes against vulnerabilities.

What Do I Need to Do?
Install a required browser or update your browser to the required version. See the following links for browser information:
http://www.mozilla.com/en-US/firefox/
http://www.microsoft.com/windows/ie/ie6/default.

How Does this Affect Me?
The Internet security zone defines a security level for all external Web sites that you visit (unless you have specified exceptions in the trusted and restricted site configurations). The default setting is Medium. The following link provides details about the specific security options in the Custom Level window: http://www.microsoft.com/windows/ie/using/howto/security/setup.

■ Medium-low. A mix of enabled, disabled and prompt for ActiveX controls, enables downloads, a mix of enabled, disabled and prompt for Miscellaneous options, enables Scripting, enables automatic login for intranet
■ Low.

■ High. Disables all ActiveX Controls and plug-ins, disables file downloads, prompts for font downloads, disables or prompts for Miscellaneous options, disables Scripting, requires login
■ Medium. A mix of enabled, disabled and prompt for ActiveX controls, enables downloads, a mix of enabled, disabled and prompt for Miscellaneous options, enables Scripting, enables automatic login for intranet
■ Medium-low.

5. Click Add.
6. Click OK.

Internet Explorer (IE) Trusted Sites Security Zone

Description
This test verifies that the endpoint attempting to connect to your system is configured according to your specified trusted sites security zone standards.

Test properties
Select the Internet Explorer trusted sites security zone settings required on your network.
■ High.

Operating System – Windows

The Operating System (OS) tests verify that any endpoint attempting to connect to your system meets your specified OS requirements. Installing the most recent version of your OS helps protect your system against exploits targeting the latest vulnerabilities.

IIS Hotfixes

Description
Checks for updates to Microsoft Internet Information Services (IIS).

Test Properties
Select the check box for each IIS update to verify.

Test Properties
Select the hotfixes required on your network. Selecting the All critical updates option requires all the critical patches that have been released or will be released by Microsoft.

How Does this Affect Me?
Hotfixes are programs that update the software and may include performance enhancements, bug fixes, security enhancements, and so on. There is usually only one fix in a hotfix, whereas a patch includes multiple hotfixes.

Service Packs

Description
This test verifies that the endpoint attempting to connect to your system has the latest operating system (OS) service packs installed.
Test Properties
The service packs are listed here by operating system.

How Does this Affect Me?
Service packs are programs that update the software and may include performance enhancements, bug fixes, security enhancements, and so on.

What Do I Need to Do?
Manually initiate an update check (http://v4.windowsupdate.microsoft.com/en/default.asp) if automatic update is not enabled, or is not working.

Windows Media Player Hotfixes

Description
Checks for Windows Media Player hotfixes.

Test Properties
Select the hotfixes required on your network. Selecting All critical updates requires all the critical patches that have been released or will be released by Microsoft.

How Does this Affect Me?
Hotfixes are programs that update the software and may include performance enhancements, bug fixes, security enhancements, and so on. There is usually only one fix in a hotfix, whereas a patch includes multiple hotfixes.

What Do I Need to Do?
Manually initiate an update check (http://v4.windowsupdate.microsoft.com/en/default.asp) if automatic update is not enabled, or is not working.

Test Properties
Select the hotfixes from the list presented that are required on your network. This list will occasionally change as tests are updated. The most secure option is to select the All critical updates option, as this requires all the critical patches that have been released or that will be released by Microsoft. You don't have to keep checking by patch number.

Windows XP Hotfixes

Description
This test verifies that the endpoint attempting to connect to your system has the latest Windows XP hotfixes installed.

Test Properties
Select the hotfixes from the list presented that are required on your network. This list will occasionally change as tests are updated.

How Does this Affect Me?
Microsoft periodically releases software updates to "patch holes" (vulnerabilities) and incorporate other fixes and updates. Although you can manually initiate an update check (http://v4.windowsupdate.microsoft.com/en/default.asp), automatically checking for updates ensures a higher level of security. Updates can be service packs or hotfixes. Read more about Windows Update here: http://www.microsoft.com/security/protect/update.asp.

Security Settings – OS X

Mac AirPort Preference

Description
This test verifies that the Mac AirPort® joins only preferred networks.

Test Properties
There are no properties to set for this test.

How Does this Affect Me?
If you move between different locations, and you use an AirPort network in each one, you can choose your preferred AirPort network for each network location you create.

What Do I Need to Do?
Configure the Mac endpoint to prompt before joining open networks. Select Mac Help, or refer to the following link for assistance on configuring AirPort: http://www.apple.com/support/airport/

Mac AirPort WEP Enabled

Description
This test verifies that WEP encryption is enabled for AirPort.

Test Properties
There are no properties to set for this test.

How Does this Affect Me?
Bluetooth is a wireless technology that allows computers and other devices (such as mobile phones and personal digital assistants (PDAs)) to communicate. Whenever you use a wireless technology, you should make sure that it is secure so that others cannot access your network.

What Do I Need to Do?
Disable Bluetooth, or configure Bluetooth so that it is not discoverable on the endpoint.

Mac Internet Sharing

Description
This test verifies that internet sharing is disabled.

Test Properties
There are no properties to set for this test.

How Does this Affect Me?
Mac internet sharing allows one computer to share its internet connection with other computers. This can present security risks by allowing other users to access the network.

What Do I Need to Do?
Disable internet sharing on the endpoint.
Apple Menu>>System Preferences>>Sharing
1.

What Do I Need to Do?
Enable or disable services on the endpoint.
Apple Menu>>System Preferences>>Sharing
1. Select the Services tab.
2. Select a service, such as Personal File Sharing.
3. Click Stop to turn off sharing for that service, or Start to turn on sharing for that service.

Security Settings – Windows

The Security settings tests verify that any endpoint attempting to connect to your system meets your specified security settings requirements.

Allowed Networks

Description
Checks for the presence of an unauthorized connection on an endpoint. These might include connections to a rogue wireless access point, VPN, or other remote network.

Test Properties
Enter a list of IP ranges that are legitimate for your network.

■ Medium. You can choose whether or not to run potentially unsafe macros.
■ Low. You are not protected from potentially unsafe macros. (Not recommended)

How Does this Affect Me?
Macros are simple programs that are used to repeat commands and keystrokes within another program. A macro can be invoked (run) with a simple command that you assign, such as [ctrl]+[shift]+[r]. Some viruses are macro viruses and are hidden within a document. When you open an infected document, the macro virus runs. A macro virus can save itself to other files (such as the Normal template) and can potentially infect all of your files.

How Does this Affect Me?
Services are Windows operating system applications that run automatically, without manual intervention.
Services explained:
http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch07n.mspx
How to identify the services running in a process:
http://www.microsoft.com/resources/documentation/windows/2000/server/scriptguide/en-us/sas_ser_arwi.mspx
Tips on Windows XP services:
http://www.theeldergeek.com/services_guide.htm

What do I need to do?
For services you never use, disable the service.

Test Properties
Any endpoint which has a Windows bridge Network Connection will fail this test.

How Does this Affect Me?
Using network bridges can be useful in some environments; however, they also create a security risk.

What Do I Need to Do?
Do not use network bridges.
The following articles describe bridge networking:
http://technet2.microsoft.com/windowsserver/en/library/df594316-cd924c38-9773-4c6d74e02a431033.mspx?mfr=true
http://www.microsoft.

How Does this Affect Me?
Certain configurations, such as the ones listed above, create potential holes that can leak sensitive information if your system is compromised. Selecting the above policy options creates a more secure network environment. The following links provide detailed information on these security settings:
■ Enable "Network access: Do not allow storage of credentials or .NET Passports for network authentication" http://technet2.microsoft.

Windows Startup Registry Entries Allowed
Description
This test verifies that the endpoint attempting to connect to your system does not contain non-compliant registry entries in the Run and RunOnce Windows registry keys.
Test Properties
Enter a list of registry keys and values that are allowed in the Run and RunOnce Windows registry keys. If the endpoint has any other values in those keys, the test will fail.
What Do I Need to Do?
Verify that the Run and RunOnce registry keys run only compliant programs.
CAUTION: Modifying registry entries incorrectly can cause serious problems that may require you to reinstall your operating system.
1. Back up the registry as described at the following links:
   XP and Windows Server 2003 – http://support.microsoft.com/default.aspx?scid=kb;EN-US;322756
   2000 – http://support.microsoft.com/default.aspx?scid=kb;EN-US;322755
   NT 4.

Software – Windows

The Software tests verify that any endpoint attempting to connect to your system meets your specified software requirements. Installing the most recent version of your software helps protect your system against exploits targeting the latest vulnerabilities.
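As an added illustration of the Windows Startup Registry Entries Allowed test described above (example code written for this guide, not NAC 800's own implementation), the following Python compares the Run and RunOnce values found on an endpoint against an allow list. The allow-list line format ("key | value name | data") and the structure of the registry snapshot are assumptions made for the example.

```python
# Added example (not NAC 800 code): evaluates the "Windows Startup Registry
# Entries Allowed" test described above. Any value found in a Run or RunOnce
# key that is not on the administrator's allow list fails the endpoint.
# The allow-list line format ("key | value name | data") and the registry
# snapshot structure are assumptions made for this illustration.

RUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)

def norm_key(key: str) -> str:
    # Key paths and value names are case-insensitive on Windows; accept both
    # the long and the short hive names.
    key = key.strip().replace("HKEY_LOCAL_MACHINE", "HKLM")
    return key.replace("HKEY_CURRENT_USER", "HKCU").lower()

def norm_data(data: str) -> str:
    # Compare command lines case-insensitively and without double quotes, so
    # '"C:\App\a.exe" /x' and 'c:\app\a.exe /x' are treated as the same entry.
    return " ".join(data.replace('"', "").split()).lower()

def parse_allow_list(config: str) -> set:
    allowed = set()
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, name, data = (p.strip() for p in line.split("|", 2))
        allowed.add((norm_key(key), name.lower(), norm_data(data)))
    return allowed

def startup_entries_test(snapshot: dict, allowed: set):
    """snapshot maps key path -> {value name: data} as read from the endpoint.
    Returns (passed, violations); violations lists (key, name, data) tuples
    present in a Run/RunOnce key but absent from the allow list."""
    run_keys = {norm_key(k) for k in RUN_KEYS}
    violations = []
    for key, values in snapshot.items():
        nk = norm_key(key)
        if nk not in run_keys:
            continue  # other keys are outside the scope of this test
        for name, data in values.items():
            if (nk, name.lower(), norm_data(data)) not in allowed:
                violations.append((key, name, data))
    return (not violations), violations

# Constructed allow list and endpoint snapshot for the demonstration.
ALLOW_LIST = r"""
# key | value name | data
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | AVAgent | "C:\Program Files\ExampleAV\agent.exe" /tray
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | ctfmon | C:\WINDOWS\system32\ctfmon.exe
"""
ENDPOINT_SNAPSHOT = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "AVAgent": r'"C:\Program Files\ExampleAV\agent.exe" /tray',
        "CTFMON": r"c:\windows\system32\ctfmon.exe",
        "Unknown": r"C:\Temp\unknown.exe",  # not on the allow list
    },
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce": {
        "Updater": r"C:\Temp\upd.exe",  # not on the allow list
    },
}

if __name__ == "__main__":
    passed, found = startup_entries_test(ENDPOINT_SNAPSHOT, parse_allow_list(ALLOW_LIST))
    print("PASS" if passed else "FAIL", found)
```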
Anti-spyware
Description
This test verifies that the endpoint attempting to connect to your system has anti-spyware tools installed and that the anti-spyware definitions are up-to-date.

Anti-virus
Description
This test verifies that the endpoint attempting to connect to your system has the latest anti-virus software installed, that it is running, and that the virus definitions are up-to-date.
Test Properties
Select the anti-virus software allowed on your network. Any endpoint that does not have at least one of the selected anti-virus software packages will fail this test.

High-risk Software
Description
This test verifies that the endpoint attempting to connect to your system does not have high-risk software installed.
Test Properties
Select the high-risk software not allowed on your network. Any endpoint that has at least one of the selected high-risk software packages fails this test.
How Does this Affect Me?
Some software presents security risks, such as allowing data to be stored on external servers, or not encrypting sensitive data.

http://office.microsoft.com/en-us/downloads/default.aspx

P2P
Description
This test verifies that the endpoint attempting to connect to your system has only approved peer-to-peer (P2P) software installed.
Test Properties
Select the P2P software allowed on your network. If none of the P2P packages are selected, this means that you do not allow P2P software, and any endpoint with P2P software enabled will fail this test.

How Does this Affect Me?
A firewall is hardware or software that views information as it flows to and from your computer. You configure the firewall to allow or block data based on criteria such as port number, content, source IP address, and so on.
The following links provide more detailed information about firewalls:
■ http://computer.howstuffworks.com/firewall.htm
■ http://www.pcstats.com/articleview.cfm?articleid=1450&page=4
■ http://www.microsoft.

What Do I Need to Do?
Remove the software that is not allowed.

Software Required
Description
This test verifies that the endpoint attempting to connect to your system has the required software packages installed.
Test Properties
Enter a list of applications that are required on all connecting endpoints, separated with a carriage return. The format for an application is vendor\software package[\version].

Test Properties
This area of the window displays the current list of worms, viruses, and trojans. No selection actions are required.
How Does this Affect Me?
A virus is a program that infects other programs and files and can spread when a user opens a program or file containing the virus. A virus needs a host (the program or file) to spread.

B Important Browser Settings

Chapter Contents
Pop-up Windows
Active Content
Minimum Font Size
Page Caching
Temporary Files

Pop-up Windows

The NAC 800 reports capability uses a pop-up window. In order for you to run reports on NAC 800, you must allow pop-up windows from the NAC 800 server.
To allow pop-up windows in IE 6.0 with SP2:
IE browser>>Tools>>Pop-up blocker>>Pop-up blocker settings
1. Enter the IP address or partial IP address of NAC 800.
2. Click Add.
3. Click Close.
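As an added illustration of the Software Required test described earlier in this appendix (example code written for this guide, not NAC 800's own implementation), the following Python parses requirement lines in the vendor\software package[\version] format and checks them against an endpoint's installed-software inventory. Reading a supplied version as the minimum acceptable version, and the shape of the inventory, are assumptions made for the example.

```python
# Added example (not NAC 800 code): evaluates the "Software Required" test
# described above. Requirement lines use the vendor\software package[\version]
# format, one per line. Reading a given version as the minimum acceptable
# version, and the shape of the installed-software inventory, are assumptions.
from typing import NamedTuple, Optional


class Requirement(NamedTuple):
    vendor: str
    package: str
    version: Optional[str]  # None when the line omits the optional version


def parse_requirement(line: str) -> Requirement:
    parts = [p.strip() for p in line.strip().split("\\")]
    if len(parts) == 2:
        return Requirement(parts[0], parts[1], None)
    if len(parts) == 3 and parts[2]:
        return Requirement(parts[0], parts[1], parts[2])
    raise ValueError(f"expected vendor\\package[\\version], got {line!r}")


def parse_required_software(config: str):
    return [parse_requirement(line) for line in config.splitlines() if line.strip()]


def version_tuple(version: str):
    # "7.10.0" -> (7, 10, 0); non-numeric characters in a piece are ignored.
    out = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        out.append(int(digits) if digits else 0)
    return tuple(out)


def version_at_least(installed: str, required: str) -> bool:
    a, b = version_tuple(installed), version_tuple(required)
    width = max(len(a), len(b))  # pad so "3.1" compares equal to "3.1.0"
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def software_required_test(inventory, requirements):
    """inventory: iterable of (vendor, package, version) installed on the
    endpoint. Returns (passed, unmet), unmet listing the failed requirements."""
    installed = {(v.lower(), p.lower()): ver for v, p, ver in inventory}
    unmet = []
    for req in requirements:
        ver = installed.get((req.vendor.lower(), req.package.lower()))
        if ver is None or (req.version and not version_at_least(ver, req.version)):
            unmet.append(req)
    return (not unmet), unmet


# Constructed policy and endpoint inventory for the demonstration.
REQUIRED_SOFTWARE = r"""
ExampleAV\Endpoint Protection\7.2
Microsoft\Windows Firewall
ExampleVPN\Client\3.1.4
"""
ENDPOINT_INVENTORY = [
    ("ExampleAV", "Endpoint Protection", "7.10.0"),  # 7.10 is newer than 7.2
    ("Microsoft", "Windows Firewall", "5.1"),
    ("ExampleVPN", "Client", "3.1.2"),               # older than required
]

if __name__ == "__main__":
    passed, unmet = software_required_test(ENDPOINT_INVENTORY,
                                           parse_required_software(REQUIRED_SOFTWARE))
    print("PASS" if passed else "FAIL", unmet)
```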
Active Content

The Windows® XP Service Pack 2 (SP2) installation changes some of the Internet Explorer (IE) browser's security settings. This change in settings causes the message (figure B-1) to display at the top of the browser window when you access the NAC 800 help feature.
Figure B-1. Internet Explorer Security Warning Message
To view the NAC 800 online help in IE:
1. Click on the message box to display the options:
Figure B-2.
IE browser>>Tools>>Options>>Advanced tab
Figure B-4. IE Internet Options, Advanced Tab
1. Scroll down to the Security section.
2. Select the Allow active content to run in files on my computer check box.
3. Click OK.

Minimum Font Size

In order to properly display the NAC 800 console, do not specify a minimum font size.
To clear the IE minimum font size:
IE browser>>Tools>>Internet options>>General tab>>Accessibility button
1. Make sure all of the check boxes are cleared on this window.
2. Click OK.
3. Click OK.
To clear the Mozilla minimum font size:
Mozilla browser>>Edit>>Preferences>>Appearance>>Fonts
1.

Page Caching

To set the IE page caching options:
Internet Explorer browser>>Tools>>Internet Options
1. On the General tab, click Settings.
2. Under Check for new versions of stored pages, select the Automatically radio button.
3. Click OK.
4. In the Internet Options dialog box, click the Advanced tab.
5. In the Security options, make sure that Do not save encrypted pages to disk is not checked.
6. Click OK.

Temporary Files

Periodically delete temporary files from your system to improve browser performance.
To delete temporary files in IE:
Internet Explorer>>Tools>>Internet Options>>General tab
1. Click Delete Files.
2. Select the Delete all offline content check box.
3. Click OK.
4. Click OK.
To delete temporary files in Mozilla:
Mozilla browser>>Edit>>Preferences
1. Select the plus (+) symbol next to Advanced to expand the topic.
2.

C Installation and Configuration Check List

Chapter Contents
Minimum System Requirements C-2
IP Addresses, Hostname, Logins, and Passwords C-3
Single-server Installation C-3
Multiple-server Installations C-3
Proxy Server

Minimum System Requirements

Required fields are indicated by a red asterisk (*).
Internet connection with outbound SSL communications *
NOTE: You must have access to the following:
   For software and operating system updates: download.hp.com port 80 *
   For license validation and test updates: update.hp.
Workstation running one of the following browsers with 128-bit encryption: *

IP Addresses, Hostname, Logins, and Passwords

Required fields are indicated by a red asterisk (*).
Single-server Installation
The MS and ES are installed on the same physical server (appliance).
MS Netmask IP address (Network mask): * ___________________
Default gateway IP address: * ________________________________
Primary nameserver IP address (DNS server): * ________________
Secondary nameserver IP address (DNS server): _______________
Tertiary nameserver IP address (DNS server): _________________
MS hostname (FQDN): * ____________________________________
TIP: Select simple names that are short

NAC 800 console administrator account name: * _______________
NAC 800 console administrator account password: * ___________

Enforcement Server 2
Create at least one ES.

ES Database password: * ____________________________________
NAC 800 console administrator account name: * _______________
NAC 800 console administrator account password: * ___________

Proxy Server
If you use a proxy server for Internet connections, these fields are required:
Proxy server IP address: * ____________________________________
Proxy server port: * _____________________________________

Agentless Credentials

Required fields are indicated by a red asterisk (*).
The administrator credentials for endpoints on a domain. Set them globally for all clusters, or override them on a per-cluster basis.

Quarantine

Required fields are indicated by a red asterisk (*).
Define quarantine methods and settings for all clusters, or on a per-cluster basis.
802.
Identity: * ___________________________________
Password: * _________________________________
Base DN: * __________________________________
Filter: * _____________________________________
Password attribute: * _________________________
End-user credentials user name: * ______________
End-user credentials password: * ______________

802.1X Devices
Define 802.1X devices globally for all clusters, or on a per-cluster basis.

DHCP
Define quarantine areas for all clusters, or on a per-cluster basis. Create as many quarantine areas as you need.
NOTE: If you select DHCP quarantine, you must create at least one area or you will get a process error.

Hostnames: _________________________________________
IP addresses / ports: _________________________________
Networks: __________________________________________
Windows domain controller: __________________________

Accessible services and endpoints for cluster 1:
Web sites: ___________________________________________
Hostnames: _________________________________________
IP addresses / ports: _________________________________

Notifications

Required fields are indicated by a red asterisk (*).
Notifications are defined for all clusters, or on a per-cluster basis.

Test Exemptions

Required fields are indicated by a red asterisk (*).
Exemptions are defined for all clusters, or on a per-cluster basis.

D Glossary

The following terms and definitions are used in this book, and in other ProCurve Management Software documentation.
802.1X: A port-based authentication protocol that can dynamically vary encryption keys, and has three components: a supplicant, an authenticator, and an authentication server.
NAC policies: In NAC 800, NAC policies consist of individual tests that evaluate endpoints attempting to access the network.
cache: A location where information is stored that can be accessed quickly. This location can be in memory or in a file.
CD: Compact disc
CIDR: Classless Inter-Domain Routing – a method of specifying networks and subnetworks (subnets) that allows grouping and results in less router overhead.
client: A computer that requests services from another (server).
cluster: A logical grouping of Enforcement servers.
compliance: Meets defined standards or conditions.
HA: High Availability – A multiple-server NAC 800 deployment is mutually supporting. Should one server fail, other nodes within a cluster will automatically provide coverage for the affected network segment.
HTML: Hypertext markup language – A language that tells a web browser how to display the web page.
IE: Internet Explorer
IP: Internet protocol – A protocol by which data is sent from one computer to another on the Internet.
MAC: Media Access Control – The unique number that identifies a physical endpoint. Generally referred to as the MAC address.
Management server: When using NAC 800 in a multiple-server installation, the server that is used for managing Enforcement servers.
MS: Management server
multinet: A physical network of two or more logical networks.
NAC: Network Admission Control
non-compliance: Does not meet defined standards or conditions.
RAM: Random access memory
RAS: Remote access server
RDBMS: Relational Database Management System – used to store information in related tables.
RPC: Remote procedure call – a procedure where arguments or parameters are sent to a program on a remote system. The remote program executes and returns the results.
server: A computer that provides services to another (client).
SMTP: Simple mail transfer protocol – A TCP/IP protocol used in sending and receiving email.