3Com Corporation reserves the right to revise this documentation and to make changes in content from time
to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.
3Com Corporation provides this documentation without warranty, term, or condition of any kind, either
implied or expressed, including, but not limited to, the implied warranties, terms or conditions of
merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or
changes in the product(s) and/or the program(s) described in this documentation at any time.
If there is any software on removable media described in this documentation, it is furnished under a license
agreement included with the product as a separate document, in the hard copy documentation, or on the
removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy,
please contact 3Com and a copy will be provided to you.
UNITED STATES GOVERNMENT LEGEND
If you are a United States government agency, then this documentation and the software described herein are
provided to you subject to the following:
All technical data and computer software are commercial in nature and developed solely at private expense.
Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or
as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are
provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights
only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable.
You agree not to remove or deface any portion of any legend provided on any licensed program or
documentation contained in, or delivered to you in conjunction with, this User Guide.
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not
be registered in other countries.
3Com, the 3Com logo and SuperStack are registered trademarks of 3Com Corporation.
Microsoft, and Windows are registered trademarks of Microsoft Corporation.
IEEE and 802 are registered trademarks of the Institute of Electrical and Electronics Engineers, Inc.
All other company and product names may be trademarks of the respective companies with which they are
associated.
ENVIRONMENTAL STATEMENT
It is the policy of 3Com Corporation to be environmentally-friendly in all operations. To uphold our policy, we
are committed to:
Establishing environmental performance standards that comply with national legislation and regulations.
Conserving energy, materials and natural resources in all operations.
Reducing the waste generated by all operations. Ensuring that all waste conforms to recognized environmental
standards. Maximizing the recyclable and reusable content of all products.
Ensuring that all products can be recycled, reused and disposed of safely.
Ensuring that all products are labelled according to recognized environmental standards.
Improving our environmental record on a continual basis.
End of Life Statement
3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.
Regulated Materials Statement
3Com products do not contain any hazardous or ozone-depleting material.
CONTENTS
ABOUT THIS GUIDE
Naming Conventions
Screen Shots
Conventions
Related Documentation
1 INTRODUCTION
3Com Network Access Manager Overview
3Com Network Access Manager User Interfaces
Users of 3Com Network Access Manager
Users/Groups/Computers
Internet Authentication Service (IAS)
Remote Access Policy
Rules
Rule Priority
Network Access Setting
RADIUS Authentication and Authorization
MAC-address based Authentication
IEEE 802.1X Authentication
Authorization
Devices Supported
Configuring Edge Port Security
2 INSTALLING 3COM NETWORK ACCESS MANAGER
System Requirements
Before Installation
Installing 3Com Network Access Manager
Overview
New Installation
Modifying and Repairing An Installation
Uninstalling 3Com Network Access Manager
3 GETTING STARTED
Using The Network Administrator User Interface
User Interface
Setting Up 3Com Network Access Manager
VLANs View
Creating A New VLAN
Deleting An Existing VLAN
Renaming A VLAN And Changing The VLAN ID
Displaying Rules Associated With A VLAN
QoS Profiles View
Creating A New QoS Profile
Deleting An Existing QoS Profile
Renaming A QoS Profile And Changing The QoS Profile ID
Displaying Rules Associated With A QoS Profile
EFW Policies View
Creating A New EFW Policy
Deleting An Existing EFW Policy
Renaming An EFW Policy
Displaying Rules Associated With An EFW Policy
Rules View
Creating A New Rule
Deleting An Existing Rule
Controlling Permission To Apply A Rule
Changing Rule Priorities
Changing Rule Properties
Displaying Members Of A Rule
Changing Members Of A Rule
Users View
Associating Rules With A User
Displaying And Changing Rules Associated With A User
Creating A New User
Groups View
Associating Rules With A Group
Displaying And Changing Rules Associated With A Group
Creating A New Group
Computers View
Entering MAC Addresses For A Computer
Associating Rules With A Computer
Displaying And Changing The Rules And MAC Address Associated With A Computer
Creating A New Computer
Selecting Appropriate Permissions For An Operator
Using The Operator User Interface
Operator Tasks
Displaying And Changing Rules Associated With A User
Displaying And Changing Rules Associated With A Group
Displaying And Changing The Rule Associated With A Computer
Using The Online Help
4 USING 3COM NETWORK ACCESS MANAGER WITHIN A NETWORK
Case Study Assumptions
Case Study 1 - Controlling User Access To The Network
Network Administrator Tasks
Network Operator Tasks
What Happens When A User Logs In
Case Study 2 - Restricting Network Access To Known Computers
Network Administrator Tasks
Network Operator Tasks
What Happens
Case Study 3 - Blocking A Specific PC From The Network
Network Administrator Tasks
When a PC needs to be blacklisted:
Network Operator Tasks
What Happens
Case Study 4 - Hot Desking
Network Administrator Tasks
Network Operator Tasks
What Happens When A User Logs In
Case Study 5 - Removing Infected Devices From The Network
Network Administrator Tasks
When a PC needs to be isolated for the first time:
Network Operator Tasks
What Happens
Case Study 6 - Combining Hot Desking With Host Filtering
Network Administrator Tasks
When a PC needs to be isolated for the first time:
Network Operator Tasks
What Happens When A User Logs In
5 PROBLEM SOLVING
Checking the Event Viewer
Identifying Where The Problem Lies
Problems Related to Setting Up
A CREATING A REMOTE ACCESS POLICY
Using Microsoft Windows 2000 Server Operating System
Using Microsoft Windows Server 2003 Operating System
B OBTAINING SUPPORT FOR YOUR 3COM PRODUCTS
Register Your Product to Gain Service Benefits
Solve Problems Online
Purchase Extended Warranty and Professional Services
Access Software Downloads
Contact Us
Telephone Technical Support and Repair
INDEX
ABOUT THIS GUIDE
This guide describes how to install and configure the 3Com Network
Access Manager.
This guide is intended for use by network administrators who are
responsible for installing and setting up network equipment, and who are
already familiar with configuring Microsoft’s Active Directory and IAS
RADIUS servers. Certain sections of the guide may also be useful to
non-IT staff responsible for the day-to-day routine of administering
network access.
If a release note is shipped with the 3Com Network Access Manager and
contains information that differs from the information in this guide,
follow the information in the release note.
Most 3Com user guides and release notes are available in Adobe Acrobat
Reader Portable Document Format (PDF) on the 3Com World Wide Web
site:
http://www.3com.com
Naming Conventions
This guide refers to Microsoft Active Directory domain controllers as
Active Directory servers.
Screen Shots
With the exception of Appendix A, all screen shots in this User Guide are
for Windows Server 2003. However, Appendix A shows screen shots for
both Windows 2000 Server and Windows Server 2003 in their respective
sections.
Conventions
Table 1 and Table 2 list conventions that are used throughout this guide.
Table 1 Notice Icons
| Notice Type | Description |
| --- | --- |
| Information note | Information that describes important features or instructions |
| Caution | Information that alerts you to potential loss of data or potential damage to an application, system, or device |
| Warning | Information that alerts you to potential personal injury |
Table 2 Text Conventions
| Convention | Description |
| --- | --- |
| Screen displays | This typeface represents information as it appears on the screen. |
| Words in italics | Italics are used to: emphasize a point; denote a new term at the place where it is defined in the text; identify menu names, menu commands, and software button names. Examples: From the Help menu, select Contents. Click OK. |
| User entry | This typeface represents information that you must enter |
| The words “enter” and “type” | When you see the word “enter” in this guide, you must type something, and then press Return or Enter. Do not press Return or Enter when an instruction simply says “type.” |
Related Documentation
In addition to this guide, each 3Com Network Access Manager provides
on-line help which can be accessed through the application. This guide
contains the instructions you need to install and configure your 3Com
Network Access Manager.
1
INTRODUCTION
This chapter provides:
■ an overview of how 3Com Network Access Manager integrates with
Microsoft’s IAS and Active Directory,
■ an explanation of Rules, Rule Priority and RADIUS response,
■ an explanation of 3Com Network Access Manager’s role in
authentication and authorization,
■ a list of 3Com devices supported by 3Com Network Access Manager,
■ advice on configuring edge port security.
3Com Network Access Manager Overview
3Com Network Access Manager is designed for network administrators
responsible for networks using Microsoft Active Directory and Microsoft's
Internet Authentication Service (IAS). 3Com Network Access Manager
simplifies the task of controlling who connects to the network using
either IEEE 802.1X (also known as Network Login) or MAC-address
based authentication (for example RADA). Today this task can be very
complex to install and configure, particularly if using some of the more
advanced security features.
In summary, 3Com Network Access Manager simplifies the administration
of:
■ Network access for users via IEEE 802.1X.
■ Network access for computers via MAC-address based authentication.
■ Automatic VLAN assignment when a user or computer connects.
■ Automatic QoS configuration when a user or computer connects.
■ Automatic EFW policy configuration when an EFW user connects.
■ Preventing specific users or computers from connecting to the
network.
■ Moving specific users or computers (e.g. a PC infected with a virus)
into an isolated network.
Figure 1 illustrates the integration of 3Com Network Access Manager
with Microsoft's Internet Authentication Service (IAS) and Microsoft's
Active Directory.
Figure 1 3Com Network Access Manager Integrated with IAS and Active
Directory
(Diagram labels: Network Administrator; Network Operator; 3Com Network
Access Manager User Interface; Active Directory Users and Computers;
Microsoft Active Directory; RADIUS Server (Microsoft Internet
Authentication Service); RADIUS clients; RADIUS requests; RADIUS
responses.)
3Com Network Access Manager is not a standalone RADIUS server.
3Com Network Access Manager is a rule based application that extends
the RADIUS response from the IAS RADIUS server to include the VLAN
and QoS profile associated with the rule, if the rule is obeyed. Network
administrators create rules through the 3Com Network Access Manager
Network Administration interface, and apply them to the users, groups
and computers configured within the domain. Network operators, if
assigned permission by the network administrator, can apply rules to
users, groups and computers, see “Selecting Appropriate Permissions For
An Operator” in Chapter 3.
3Com Network Access Manager can be used to extend the security on a
network by setting up a self-protecting network. Creating a “Restricted
Access” user group and corresponding “Isolation” VLAN and QoS
settings will enable the network administrator to keep separate otherwise
authorized computers or users that represent a security threat to the
network, for example a PC infected with a virus or a worm, or a user
launching a DoS attack on the network. Further examples of how 3Com
Network Access Manager can be used to improve the security on a
network are given in Chapter 4.
In addition, 3Com Network Access Manager provides facilities for the
configuration of Active Directory based information for use by a 3Com
EFW Policy Server, see “3Com EFW Policy Support”.
3Com Network Access Manager User Interfaces
3Com Network Access Manager provides two interfaces: an
Administration interface and an Operator interface, see Figure 1.
The Administration interface is a Microsoft Management Console (MMC)
snap-in that enables the user to quickly configure Active Directory/IAS to
provide user and device authentication, with VLAN and QoS
configuration. It is an extension of the existing Active Directory database
so the list of users, groups and computers already set up in Active
Directory are used to authenticate users. The administrator can also
configure a safe network, to isolate PCs identified as being infected with
a virus or worm.
The Operator interface is a simple extension to the current Active
Directory Users and Computers interface, through the addition of an
extra tab added to the Properties pages for users and computers. This
allows non-IT staff, granted appropriate permissions, to apply rules
that have already been set up by the network administrator.
Users of 3Com Network Access Manager
The 3Com Network Access Manager interfaces enable two different
types of users to control and apply rules on a network: Network
Administrators and Network Operators. This enables network
administrators to delegate much of the day-to-day routine of
administering network access to non-technical staff.
Network Administrators
3Com Network Access Manager assumes network administrators are
responsible for:
■ setting up the RADIUS server and edge-port security, including the
VLAN, QoS profiles and EFW policies across the network,
■ creating the user group structure within Active Directory,
and are familiar with MAC addresses and IEEE 802.1X authentication.
Typical tasks for a network administrator using 3Com Network Access
Manager include:
■ editing security profiles for users, groups and computers to include
VLAN, QoS profile and EFW policy information,
■ adding computer MAC addresses,
■ setting up appropriate rules to control access to the network, to
ensure an appropriate level of security and protection for the network,
■ setting appropriate administration privileges for network operators.
Network Operators
Network operators are allocated some limited administration privileges by
network administrators, the extent of the privileges being specific to the
individual and their role. For example, one operator may be limited to
blocking access for specific users, whereas another operator may be
allowed to move users between arbitrary groups.
Typical tasks for a network operator include specifying:
■ if a user is allowed access to the network,
■ if a computer (defined by the MAC address) is allowed access to the
network,
■ if allowed access, which VLAN should the user or computer connect
to, and using which QoS configuration,
■ if a computer should be isolated from the main network,
■ if a user should be isolated from the main network,
■ the EFW Policy for each user when they log into a PC with an EFW NIC
installed.
Network operators using 3Com Network Access Manager do not need to
understand the complexities of the network or the technicalities of
VLANs, QoS, EFW or RADIUS.
3Com EFW Policy Support
3Com Network Access Manager provides support for 3Com EFW Policy
Server v2.5, which adds the concept of user-based Embedded Firewall
(EFW) policies rather than just NIC-based EFW policies. For example, the
policy which is downloaded to the EFW can be specific to the user logged
into the PC and not just the PC itself. 3Com Network Access Manager
enables the network administrator to define an EFW Policy for each user
in Active Directory. The EFW Policy Server then queries Active Directory to
determine the profile for each user and replies to the EFW with the
relevant configuration.
Through 3Com Network Access Manager, the network administrator can
change an EFW policy at the same time as the port security settings,
speeding up the configuration of the network. The EFW policy is not
returned in any RADIUS response.
To ensure that 3Com Network Access Manager and the 3Com EFW Policy
Server operate together, the following steps must be followed using
3Com Network Access Manager:
■ Define each EFW policy in 3Com Network Access Manager, see
“Creating A New EFW Policy” in Chapter 3. 3Com Network Access
Manager creates the EFW policy as an Active Directory object.
■ Associate the EFW policy with rules created in 3Com Network Access
Manager. This can be done during the creation of a new rule, or after
a rule has been created, see “Creating A New Rule” and “Changing
Rule Properties” in Chapter 3.
■ Make sure that appropriate users and groups have been associated
with each rule associated with the EFW policy, see “Displaying
Members Of A Rule” in Chapter 3.
Any changes to EFW policy associations must be made through the 3Com
Network Access Manager user interface. 3Com Network Access Manager
will not recognize any externally made changes.
After making any change that might affect the EFW policy of a user, the
EFW group associations must be recalculated for the user. This is done by
clicking the Recalculate EFW membership button on the Tool bar at the
top of the Administration Interface window, see Figure 14 in Chapter 3.
Examples of changes that might affect the EFW policy of a user are:
■ if a user’s properties are changed, the correct rule association has to
be re-established. Clicking on the Recalculate EFW membership
button will cause 3Com Network Access Manager to find the highest
priority rule associated with the user; the EFW Policy from that rule is
then associated with the user, and all other associations are removed.
■ if a rule priority or group is changed, the correct associations have to
be re-established. Clicking on the Recalculate EFW membership
button will cause 3Com Network Access Manager to find all users that
are members of that rule or group, and then find the authorization
rules applied for each. In a large network this can take a considerable
time.
Backing up 3Com Network Access Manager Data
Data from 3Com Network Access Manager is stored in Active Directory,
via an LDAP interface. Your normal methods for backing up/restoring of
data from Active Directory will also cover 3Com Network Access Manager
data. No special backup/restore is required for 3Com Network Access
Manager data.
Concepts and Terminology
This section provides descriptions of concepts and terminology that you
will need to be familiar with in order to use 3Com Network Access
Manager.
Active Directory
Active Directory is the distributed directory service included with
Microsoft Windows Server 2003 and Microsoft Windows 2000 Server
operating systems. Active Directory enables centralized, secure
management of an entire network, which might span a building, a city, or
multiple locations throughout the world. Active Directory stores
information about objects on the computer network and makes this
information easy for administrators and users to find and apply. With
Active Directory, users can access resources anywhere in the network with
a single logon, and administrators have a single point of administration
for all objects in the network. When interfaced to IAS, Active Directory
provides secure single login for users, and administrators.
Users/Groups/Computers
Users, groups and computers are standard Active Directory objects;
membership of a group is managed using normal Active Directory
management tools.
Internet Authentication Service (IAS)
IAS is Microsoft’s implementation of a RADIUS server, providing
authentication and authorization of users. IAS is included with Microsoft
Windows Server 2003 and Microsoft Windows 2000 Server operating
systems. As a RADIUS server, IAS performs centralized connection
authentication, authorization, and accounting for network access servers
(desktop switches and wireless access points acting as RADIUS clients), see
Figure 2.
Remote Access Policy
For 3Com Network Access Manager to authenticate users and computers
accessing the network, an IAS Remote Access Policy must be created.
Appendix A provides step by step instructions on how to create a Remote
Access Policy.
In a mixed-vendor network where only 3Com switches are to be
authenticated through 3Com Network Access Manager, the Remote
Access Policy needs to be adjusted to only match 3Com devices.
Figure 2 Network Access Servers within a Domain
(Diagram labels: Microsoft Active Directory; Microsoft Internet
Authentication Service with 3Com Network Access Manager; RADIUS protocol
with VLAN and QoS associations; Network Access Servers.)
Rules
3Com Network Access Manager provides its functionality through a set
of rules implemented in Active Directory. Each rule comprises a priority, a
Network Access setting (allow/deny), an optional authorization response
(VLAN and QoS), and an optional EFW policy name.
Users, groups and computers (through the MAC address of the PC) are
associated with rules. When multiple rules are associated with a user,
group or computer then the rule with the highest priority takes
precedence.
Only one pre-defined rule, the Default Rule, is supplied as standard. The
Default Rule is used whenever an authentication finds that a user, group
or computer is not a member of any other rule. Further rules are added
by the Network Administrator to implement the required network
security policies, see “Creating A New Rule” in Chapter 3.
Rule Priority
Each rule has a priority associated with it. The rule with priority 1 has the
highest priority, and will take precedence over all other rules. Whenever a
RADIUS request is authenticated, all associated rules will be found, but
only the rule with the highest priority will be used. No two rules can have
the same priority. It is the network administrator's responsibility to ensure
that each rule has a unique priority.
The Default Rule always has the lowest priority.
Network Access Setting
A rule defines the Network Access as either:
Allow - The authentication is valid, or
Deny - The authentication is refused
If the Network Access for a rule is set to Allow, and the rule is selected,
then the RADIUS response will be Accept and will contain the VLAN and
QoS profile associated with the rule. If the Network Access for a rule is set
to Deny, and the rule is selected, then the RADIUS response will be Reject.
To understand the effect that the Network Access setting has in a
network, the Network Administrator needs to be aware of how the edge
port security has been set up. In some port modes, the setting may
appear counter-intuitive, for example Allow can be used to implement a
blacklist. For more information on edge port security modes, see
“Configuring Edge Port Security”.
RADIUS Authentication and Authorization
Authentication/authorization DLLs for IAS are provided as part of the
3Com Network Access Manager installation. The Authentication DLL is
used to verify the identity of the user or computer being authenticated
through 3Com Network Access Manager. The Authorization DLL is
responsible for sending the RADIUS response for a user or computer that
is recognized by 3Com Network Access Manager.
The two forms of RADIUS authentication supported by 3Com Network
Access Manager are:
■ MAC-address based authentication, for example RADA (RADIUS
Authenticated Device Access).
■ IEEE 802.1X authentication, also known as dot1X, 802.1X and
Network Login.
MAC-address based Authentication
3Com Network Access Manager relies on the RADIUS server to perform
MAC-address based authentication through a single authentication user
name (as opposed to the MAC address as a user name).
When 3Com Network Access Manager receives an authentication request
to the MAC authentication user name, it also authenticates the MAC
address of the computer against the 3Com Network Access Manager
rules to determine the authentication outcome, as follows:
1 Look up the MAC address against all Computers configured, to find all
associated rules.
2 If rules are found, select the highest priority rule.
3 If no rules are found, select the Default Rule.
4 Return the authentication result from the selected rule.
IEEE 802.1X Authentication
When a switch performs IEEE 802.1X authentication, the process is
similar to the MAC-address based authentication, but 3Com Network
Access Manager also checks the user requested, as follows:
1 Look up the IEEE 802.1X username against all Users configured, to find
all associated rules.
2 Look up the MAC address against all Computers configured, to find all
associated rules.
3 If rules are found, select the highest priority rule.
4 If no rules are found, select the Default Rule.
5 Return the authentication result from the selected rule.
Checking the MAC address ensures that network policies such as blocked
hosts can be maintained, regardless of edge port security mode.
Authorization
Once a user has successfully authenticated, the authorization process
determines which VLANs and QoS to return to the switch, as follows:
1 From the authentication rule selected, if any VLAN has been specified,
return the VLAN ID in the RADIUS response.
2 From the authentication rule selected, if a QoS profile has been specified,
return the QoS Profile ID in the RADIUS response.
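The lookup, rule selection and authorization steps described above can be modelled in a short program. This is an added example, not 3Com's code: the RuleStore class, the sample rules, VLAN and QoS IDs, user name and MAC addresses are all constructed, and the Default Rule is assumed to be set to Deny.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                         # 1 is the highest priority
    allow: bool                           # Network Access: Allow (True) or Deny
    vlan_id: Optional[int] = None         # optional authorization response
    qos_profile_id: Optional[int] = None


def normalize_mac(mac: str) -> str:
    """Accept 00:1A:.., 00-1a-.. or 001a.2b3c.. and return 12 lower-case hex digits."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


class RuleStore:
    """In-memory stand-in for the rule associations kept in Active Directory."""

    def __init__(self, default_rule: Rule) -> None:
        self.default_rule = default_rule
        self._by_priority: Dict[int, Rule] = {}
        self._user_rules: Dict[str, Set[Rule]] = {}
        self._mac_rules: Dict[str, Set[Rule]] = {}

    def _register(self, rule: Rule) -> None:
        # Priorities must be unique and the Default Rule must stay lowest.
        if rule.priority >= self.default_rule.priority:
            raise ValueError(f"{rule.name}: must outrank the Default Rule")
        if self._by_priority.setdefault(rule.priority, rule) != rule:
            raise ValueError(f"{rule.name}: priority {rule.priority} already in use")

    def associate_user(self, username: str, rule: Rule) -> None:
        self._register(rule)
        self._user_rules.setdefault(username, set()).add(rule)

    def associate_computer(self, mac: str, rule: Rule) -> None:
        self._register(rule)
        self._mac_rules.setdefault(normalize_mac(mac), set()).add(rule)

    def rules_for_user(self, username: str) -> Set[Rule]:
        return self._user_rules.get(username, set())

    def rules_for_mac(self, mac: str) -> Set[Rule]:
        return self._mac_rules.get(normalize_mac(mac), set())


def select_rule(candidates: Iterable[Rule], default_rule: Rule) -> Rule:
    """Highest priority (lowest number) wins; no match selects the Default Rule."""
    return min(candidates, key=lambda r: r.priority, default=default_rule)


def radius_response(rule: Rule) -> dict:
    """Allow -> Accept carrying the rule's VLAN/QoS IDs if set; Deny -> Reject.

    The "rule" key is not a RADIUS attribute; it only shows which rule won.
    """
    if not rule.allow:
        return {"code": "Reject", "rule": rule.name}
    response = {"code": "Accept", "rule": rule.name}
    if rule.vlan_id is not None:
        response["vlan_id"] = rule.vlan_id
    if rule.qos_profile_id is not None:
        response["qos_profile_id"] = rule.qos_profile_id
    return response


def authenticate_mac(store: RuleStore, mac: str) -> dict:
    """MAC-address based authentication: only the computer's rules are considered."""
    return radius_response(select_rule(store.rules_for_mac(mac), store.default_rule))


def authenticate_dot1x(store: RuleStore, username: str, mac: str) -> dict:
    """IEEE 802.1X: rules found for the user and for the MAC address compete."""
    candidates = store.rules_for_user(username) | store.rules_for_mac(mac)
    return radius_response(select_rule(candidates, store.default_rule))


def build_sample_store() -> RuleStore:
    """Constructed sample data; a Default Rule set to Deny is an assumption."""
    store = RuleStore(Rule("Default Rule", priority=1_000_000, allow=False))
    blocked = Rule("Blocked hosts", priority=1, allow=False)
    staff = Rule("Staff", priority=5, allow=True, vlan_id=20, qos_profile_id=3)
    known = Rule("Known computers", priority=8, allow=True, vlan_id=10)
    store.associate_user("alice", staff)
    store.associate_computer("00:1A:2B:3C:4D:5E", known)
    store.associate_computer("00-DE-AD-BE-EF-01", blocked)
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print(authenticate_dot1x(store, "alice", "001a.2b3c.4d5e"))
    print(authenticate_dot1x(store, "alice", "00:de:ad:be:ef:01"))
    print(authenticate_mac(store, "00-1a-2b-3c-4d-5e"))
    print(authenticate_dot1x(store, "mallory", "aa:bb:cc:dd:ee:ff"))
```

The second call shows why the MAC address is checked during IEEE 802.1X authentication: a valid user on a blocked host is still rejected because the host's rule has the higher priority.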
Devices Supported
The following 3Com devices are supported by 3Com Network Access
Manager v1.1:
Table 3 3Com Devices Supported By 3Com Network Access Manager
| Device Type | Minimum Agent Version or other requirement |
| --- | --- |
| SuperStack3 Switch 4400 | v5.0 |
| SuperStack3 Switch 4400 SE | v5.0 |
| SuperStack4 Switch 5500 | v1.0 |
| Wireless LAN Access Point 8250 | v3.2 supporting RADIUS and VSA |
| Wireless LAN Access Point 8750 | v3.2 supporting RADIUS and VSA |
| Wireless LAN Access Point 7250 | v3.2 supporting RADIUS and VSA |
Configuring Edge Port Security
Ensure that the configurations of the devices on your network are
consistent with the security policy to be set up using 3Com Network
Access Manager.
If VLANs are to be configured in 3Com Network Access Manager then
edge ports on switches across the network need to be set to a security
mode that supports auto-VLANS. If VLANs are not to be set up in 3Com
Network Access Manager, then the devices do not need to support
auto-VLANs.
In addition, the edge ports on switches must be set to consistent modes,
otherwise the same RADIUS response will yield different actions on
different ports. For example, RADA And Network Login only allows user
login if the RADIUS server returns Accept. RADA-Else-Network Login only
allows user login if the RADIUS server returns Reject.
Table 4 lists suitable edge port security modes and their typical use within
a network. The case studies in Chapter 4 explain how these port security
modes operate to control network access.
Table 4 Edge Port Security Modes Compatible With 3Com Network Access Manager
| Port Security Mode | Typical Use | Supported By |
| --- | --- | --- |
| RADA-Else-Network Login | Primarily used for blocking unwanted hosts, as the RADA authorization overrides the ability for the user to log-in. This is the recommended edge port security mode, if the devices on your network support it. All users have to be authorised before being allowed access. Any computer or device can access the network as long as they have not been identified as infected. This allows a network administrator to easily add host filtering to an existing IEEE 802.1X network. | SuperStack3 Switch 4400 v5.0; SuperStack3 Switch 4400 SE v5.0 (does not support QoS profiles) |
| RADA And Network Login | Both the computer and the user need to be authorized to gain access to the network. It is primarily used for “White-list” style of security, where all known computers have to be first configured before a user can log-in from one of these computers. | SuperStack3 Switch 4400 v6.0; SuperStack3 Switch 4400 SE v6.0 (does not support QoS profiles) |
| RADA Or Network Login | Access to the network is granted if either the computer or the user is authorised. This mode is flexible for environments where not every device has an IEEE 802.1X client | SuperStack3 Switch 4400 v5.0; SuperStack3 Switch 4400 SE v5.0 (does not support QoS profiles) |
| RADA (MAC-address based Authentication) | Use to control computer access to the network. | SuperStack3 Switch 4400 v5.0; SuperStack3 Switch 4400 SE v5.0 (does not support QoS profiles); SuperStack4 Switch 5500 v1.0 |
| Network Login (IEEE 802.1X) | Use to control user access and manage QoS and VLAN configuration. | SuperStack3 Switch 4400 v4.0; SuperStack3 Switch 4400 SE v5.0 (does not support QoS profiles); SuperStack4 Switch 5500 v1.0; Wireless LAN Access Point 8250 v3.2; Wireless LAN Access Point 8750 v3.2; Wireless LAN Access Point 7250 v3.2 |
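Why edge ports must be set to consistent modes, as an added example that is not from 3Com: a simplified model of how each port security mode treats the RADA and IEEE 802.1X results, run over constructed port names. The Outcome values and the precedence chosen for RADA Or Network Login are assumptions made for the illustration.

```python
from enum import Enum
from typing import Dict, List


class PortMode(Enum):
    RADA = "RADA"
    NETWORK_LOGIN = "Network Login"
    RADA_AND_NETWORK_LOGIN = "RADA And Network Login"
    RADA_OR_NETWORK_LOGIN = "RADA Or Network Login"
    RADA_ELSE_NETWORK_LOGIN = "RADA-Else-Network Login"


class Outcome(Enum):
    USER_LOGIN = "user logged in"
    RADA_ONLY = "RADA authorization applies, no user login"
    NO_ACCESS = "no access"


def port_outcome(mode: PortMode, rada_accept: bool, user_accept: bool) -> Outcome:
    """What a port in `mode` does with the two RADIUS results.

    rada_accept: RADIUS returned Accept for the MAC-address based request.
    user_accept: RADIUS returned Accept for the IEEE 802.1X user request.
    """
    if mode is PortMode.RADA:
        return Outcome.RADA_ONLY if rada_accept else Outcome.NO_ACCESS
    if mode is PortMode.NETWORK_LOGIN:
        return Outcome.USER_LOGIN if user_accept else Outcome.NO_ACCESS
    if mode is PortMode.RADA_AND_NETWORK_LOGIN:
        # Both the computer and the user must be authorized.
        return Outcome.USER_LOGIN if (rada_accept and user_accept) else Outcome.NO_ACCESS
    if mode is PortMode.RADA_OR_NETWORK_LOGIN:
        # Either is enough; preferring the user result is an assumption.
        if user_accept:
            return Outcome.USER_LOGIN
        return Outcome.RADA_ONLY if rada_accept else Outcome.NO_ACCESS
    if mode is PortMode.RADA_ELSE_NETWORK_LOGIN:
        # A RADA Accept overrides user login; only a Reject lets the user log in.
        if rada_accept:
            return Outcome.RADA_ONLY
        return Outcome.USER_LOGIN if user_accept else Outcome.NO_ACCESS
    raise ValueError(f"unknown port mode: {mode!r}")


def outcomes_by_port(port_modes: Dict[str, PortMode],
                     rada_accept: bool, user_accept: bool) -> Dict[Outcome, List[str]]:
    """Group ports by what the same pair of RADIUS results does on each."""
    grouped: Dict[Outcome, List[str]] = {}
    for port in sorted(port_modes):
        outcome = port_outcome(port_modes[port], rada_accept, user_accept)
        grouped.setdefault(outcome, []).append(port)
    return grouped


def modes_are_consistent(port_modes: Dict[str, PortMode]) -> bool:
    """True when every edge port uses the same security mode."""
    return len(set(port_modes.values())) <= 1


# Constructed inventory: one port was left in a different mode.
SAMPLE_PORTS = {
    "sw1/1": PortMode.RADA_ELSE_NETWORK_LOGIN,
    "sw1/2": PortMode.RADA_ELSE_NETWORK_LOGIN,
    "sw2/7": PortMode.RADA_AND_NETWORK_LOGIN,
}

if __name__ == "__main__":
    # A host whose rule is set to Allow so that RADA-Else ports override user login.
    for outcome, ports in outcomes_by_port(SAMPLE_PORTS, True, True).items():
        print(f"{outcome.value}: {', '.join(ports)}")
    print("consistent:", modes_are_consistent(SAMPLE_PORTS))
```

With the constructed inventory, a host rule set to Allow keeps the user from logging in on the two RADA-Else-Network Login ports but lets the user log in on the RADA And Network Login port, which is the inconsistency the guide warns about.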
2
INSTALLING 3COM NETWORK
ACCESS MANAGER
This chapter covers:
■ the operating systems and required PC configurations that are
compatible with the 3Com Network Access Manager components,
■ the tasks that need to be performed before installing and running
3Com Network Access Manager,
■ how to install 3Com Network Access Manager,
■ how to modify and repair an existing 3Com Network Access Manager
installation,
■ how to uninstall 3Com Network Access Manager.
System Requirements
Table 5 lists the Microsoft Windows operating systems compatible with
installing and running the 3Com Network Access Manager components.
For more information about the different 3Com Network Access
Manager components see “Installing 3Com Network Access Manager”.
Table 5 Microsoft Windows Operating Systems Supported By 3Com Network Access Manager
| 3Com Network Access Manager Component | Windows 2000 Server SP4 | Windows Server 2003 SP1, standard and enterprise editions | | |
| --- | --- | --- | --- | --- |
| IAS component | yes | yes | no | no |
| Active Directory component | yes | yes | no | no |
| Network Administrator User Interface | yes | yes | yes | yes |
| Network Operator User Interface | yes | yes | yes | yes |
| User Guide | yes | yes | yes | yes |
Table 6 lists the configuration requirements of PCs that will have 3Com
Network Access Manager components installed.
Table 6 PC Configuration Requirements
| 3Com Network Access Manager Component | For each PC that will have 3Com Network Access Manager component installed: |
| --- | --- |
| IAS component | Ensure IAS is installed on PC. Ensure the PC is a member of the required domain. Ensure .NET Framework version 1.1 or later, is installed on the PC. |
| Active Directory component | Only install on one domain controller. This must become the schema master (schema FSMO) to perform the install. You will need to have Schema Administrator privileges to install the Active Directory component. |
| Network Administrator User Interface | Ensure the PC is a member of the required domain. Ensure .NET Framework version 1.1 or later, is installed on the PC. Install Active Directory Users and Computers, if not already installed. |
| Network Operator User Interface | Ensure the PC is a member of the required domain. Ensure .NET Framework version 1.1 or later, is installed on the PC. Install Active Directory Users and Computers, if not already installed. |
| User Guide | Adobe Acrobat Reader is required on each PC used to view the 3Com Network Access Manager user guide (this guide). Obtain a free download of Adobe Acrobat Reader from http://www.adobe.com/ |
.NET Framework v1.1 is included as part of Windows Server 2003. For
Windows 2000 and Windows XP Professional, you can check if .NET
Framework v1.1 is installed using the Add/Remove Programs utility on the
Control Panel. Download the .NET Framework version 1.1 files from
www.microsoft.com/download
Before Installation
You must perform the following tasks on your network before installing
and setting up 3Com Network Access Manager:
1 Install and configure Microsoft Internet Authentication Service (IAS):
a Install IAS on one or more Windows 2000 servers or Windows 2003
servers in the network. IAS is included as part of the operating system.
For information on setting up IAS, refer to the Microsoft
documentation supplied with IAS.
b Ensure all 3Com devices in the network that will use IAS are
configured in IAS as RADIUS clients with client-vendor set to ‘3Com’.
c Set up an IAS Remote Access Policy that 3Com Network Access
Manager will be required to use to authenticate users and computers.
Refer to Appendix A for details on how to create an IAS Remote
Access Policy.
For 3Com Network Access Manager to operate correctly with IAS, do not
specify a VLAN list or QoS profile as part of the Remote Access Policy.
2 Ensure all Users, Groups and Computers have been added to Microsoft
Active Directory for your network domain. Refer to the user
documentation supplied with Active Directory for details.
3 Configure the 3Com switches and wireless access points on your network:
a Configure the 3Com switches with consistent VLAN and QoS settings
throughout the network.
b Configure all edge ports on 3Com switches with a suitable and
consistent edge port security mode and Intrusion Action setting. For
information on edge port security modes suitable for use with 3Com
Network Access Manager, see “Configuring Edge Port Security” in
Chapter 1.
CAUTION: Using different security modes on switch edge ports on
your network will result in different meanings for RADIUS
responses across the network.
Use 3Com Network Director or 3Com Enterprise Management Suite to
make the VLAN, QoS and port security mode settings, or else configure
each switch through its web or command line interface. Refer to the user
documentation accompanying the management application or switch for
details.
Installing 3Com Network Access Manager
Follow the instructions in this section to install 3Com Network Access
Manager.
Overview
3Com Network Access Manager comprises five components:
■ Internet Authentication Server component consisting of
authorization/authentication DLLs,
■ Active Directory Server component (this component will make
changes to your Active Directory schema configuration which cannot
be deleted from AD),
■ Network Administrator User Interface,
■ Network Operator User Interface,
■ this user guide.
Each component is installed through the 3Com Network Access Manager
installer.
You will need to have Schema Administrator privileges to install the
Active Directory component.
New Installation
The Internet Authentication Server component needs to be installed on
each IAS in the network. However, the Active Directory Server component
should only be installed on one Active Directory server (also known as a
domain controller) which should be the schema master on your network.
The changes that the Active Directory Server component makes to the
Active Directory server will be replicated across all of the Active Directory
servers on your network.
CAUTION: The changes that the Active Directory Server component
makes to the Active Directory schema configuration cannot be deleted.
The 3Com Network Access Manager uninstaller will not affect or remove
these Active Directory changes.
Install the Network Administrator User Interface and Network Operator
User Interface on the PCs that will be used by the network administrators
and operators using 3Com Network Access Manager. Before installing,
check that the operating system and configuration of the PC complies
with Table 5 and Table 6.
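Because the schema changes cannot be deleted, it is worth confirming the Table 6 requirements on the intended domain controller before selecting the Active Directory component. The batch file below is an added example, not part of the 3Com product or this guide; it assumes Windows Server 2003 with the reg, wmic, dsquery and whoami commands available and the English group name "Schema Admins".

```bat
@echo off
rem Added pre-flight check; not part of the 3Com installer or this guide.
rem Assumes Windows Server 2003 with reg, wmic, dsquery and whoami on the
rem PATH, and the English group name "Schema Admins".
setlocal
set FAIL=0

rem .NET Framework 1.1 records Install = 0x1 under its own setup key.
rem A later version uses a different key, so a miss here is only a warning.
reg query "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v1.1.4322" /v Install 2>nul | findstr /i "0x1" >nul
if errorlevel 1 (
    echo [WARN] .NET 1.1 key not found; confirm a later version is installed
) else (
    echo [ OK ] .NET Framework 1.1 installed
)

rem The PC must be a member of the required domain.
wmic computersystem get partofdomain | findstr /i "TRUE" >nul
if errorlevel 1 (
    echo [FAIL] This PC is not a domain member
    set FAIL=1
) else (
    echo [ OK ] Domain member
)

rem The Active Directory component must be installed on the schema master.
set SCHEMA_DN=
for /f "delims=" %%S in ('dsquery server -hasfsmo schema 2^>nul') do set SCHEMA_DN=%%S
echo %SCHEMA_DN% | findstr /i /l /c:"CN=%COMPUTERNAME%," >nul
if errorlevel 1 (
    echo [FAIL] This PC does not hold the schema master role: %SCHEMA_DN%
    set FAIL=1
) else (
    echo [ OK ] This PC is the schema master
)

rem Installing the component needs Schema Administrator privileges.
whoami /groups | findstr /i /l /c:"Schema Admins" >nul
if errorlevel 1 (
    echo [FAIL] Current user is not in Schema Admins
    set FAIL=1
) else (
    echo [ OK ] Current user is in Schema Admins
)

if %FAIL%==1 (echo Do not install the Active Directory component yet.) else (echo Pre-flight checks passed.)
endlocal & exit /b %FAIL%
```

Run it from a command prompt on the domain controller chosen for the Active Directory component; an exit code of 1 means at least one requirement is not met.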
Follow these steps to install the 3Com Network Access Manager
components:
1 Insert the 3Com Network Access Manager CD in the PC’s CD-ROM drive.
If Autorun is enabled on the PC, the installation starts automatically and
you can skip steps 2 and 3.
2 From the Start menu, select Run.
3 Type D:\setup (substitute the appropriate letter of your CD-ROM drive
for D), and click OK.
4 A splash screen will display and the installer will check that:
■ .NET Framework version 1.1 or later is installed on the PC,
■ a supported version of Windows is installed on the PC, as shown in
Table 5,
■ the PC is a member of a domain.
If any of the checks fail, an error message will display indicating the
problem and the installer will abort. You need to correct the problem
before restarting the installer.
If the checks are successful, the Welcome dialog is displayed, Figure 3.
5 Select Next. The End User License Agreement will display, Figure 4.
Figure 4 End User Licence Agreement dialog
To continue the installation select I accept the terms of the license
agreement, and press the Next button. Otherwise, select Back to move to the previous dialog or Cancel to end the installation.
6 On the next dialog, Figure 5, either select the destination location for the
3Com Network Access Manager files using the Change button or else use
the default location Program Files\3Com\Network Access Manager. Press
Next.
Figure 5 Choose Destination Location
7 On the next dialog, Figure 6, select the 3Com Network Access Manager
components to install on the PC. Ticked components will be installed.
Un-ticked components will not be installed. The Next button will be
grayed out until a component has been ticked.
Any combination of components is permitted on a PC providing they are
supported by the PC’s operating system, see Table 5.
CAUTION: The changes that the Active Directory Server component
makes to the Active Directory schema configuration cannot be deleted.
You will need to have Schema Administrator privileges to install the
Active Directory component.
8 On the next dialog, Figure 7, select Install to start the installation, or Back
to return to the previous dialog.
Figure 7 Confirmation of Installation
9 The Installer will check the hard disk space available on the PC. If
sufficient disk space is available, the installer will install the components
selected.
If insufficient disk space is available, an error message is displayed, see
Figure 8, and the installation will stop until sufficient space is made available.
Figure 8 Insufficient Disk Space Error Message
10 Once each of the selected components has been successfully installed,
the Installer displays a Wizard Complete dialog, see Figure 9. If the
Internet Authentication Server component was installed, then the IAS
server will need to be restarted.
With the exception of installing the Active Directory component, any
problems encountered during installation will result in an error message
being displayed and the installation aborted. You will need to manually
fix the problem before restarting the installation.
If the installer encounters problems during installation of the Active
Directory component, a warnings.txt file will be created and the Wizard
Complete dialog will show its location.
11 Repeat steps 1 to 8 for any other PC being used for RADIUS,
Administrator or Operator users.
To change the 3Com Network Access Manager components installed on
a PC or repair an existing installation, follow these steps:
1 Insert the 3Com Network Access Manager CD in the PC’s CD-ROM drive.
If Autorun is enabled on the PC, the installation starts automatically and
you can skip steps 2 and 3.
2 From the Start menu, select Run.
3 Type D:\setup (substitute the appropriate letter of your CD-ROM drive
for D), and click OK.