HP 700wl User Manual

Management and
Configuration Guide
HP ProCurve
Secure Access
700wl Series
www.hp.com/go/hpprocurve
SECURE ACCESS 700WL SERIES
MANAGEMENT AND CONFIGURATION GUIDE
© Copyright 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard.
Publication Number
5990-8809 March, 2004 Edition 1
Applicable Products
HP ProCurve Access Controller 720wl (J8153A)
HP ProCurve Access Control Server 740wl (J8154A)
HP ProCurve Integrated Access Manager 760wl (J8155A)
HP ProCurve 700wl 10/100 Module (J8156A)
HP ProCurve 700wl Gigabit-SX Module (J8157A)
HP ProCurve 700wl Gigabit-LX Module (J8158A)
HP ProCurve 700wl 10/100/1000Base-T (J8159A)
HP ProCurve 700wl Acceleration Module (J8160A)
Trademark Credits
Windows NT®, Windows®, and MS Windows® are US registered trademarks of Microsoft Corporation.
Disclaimer
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard.
Warranty
See the Customer Support/Warranty booklet included with the product.
A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer.

CONTENTS

Preface  ix

Chapter 1  Introduction  1-1
  700wl Series Overview  1-1
  700wl Series Functions  1-3
    Client Authentication  1-3
    Client Access Rights  1-4
    Wireless Data Privacy and VPN Protocols  1-4
    Roaming Support  1-4
    Network Address Translation  1-5
    VLAN Tag Support  1-6

Chapter 2  Using the 700wl Series System  2-1
  Initial Configuration of the 700wl Series System  2-1
  Managing and Administering the 700wl Series System  2-2
    Centralized Administration  2-3
  Logging on to the Administrative Console  2-4
    Changing the Built-In Administrator Username and Password  2-5
    Using Online Help  2-5
    Logging Out  2-6
  Using the Administrative Console  2-7
    Header Bar and Navigation Bar  2-7
    Tabs  2-10
  Basic System Configuration Tasks  2-16
    Setting Up Authentication and Access Rights  2-16
  System Features and Concepts  2-17
    Centralized Management and Administration  2-17
    Enterprise Class Redundancy  2-18
    Bandwidth Management  2-20
    Addressing in the 700wl Series System  2-21
    Layer 3 Roaming Support  2-23
    VLANs and the 700wl Series System  2-24

Chapter 3  System Status  3-1
  Viewing Status Information  3-1
  Viewing Equipment Status  3-3
    Viewing Access Control Server Status  3-4
    Viewing Access Controller Status  3-5
    Viewing Access Controller Status Details  3-5
  Viewing Client Status  3-7
    Filtering Client Status Information  3-9
    Viewing Client Details  3-9
  Viewing Session Status  3-12
    Filtering Session Status Information  3-14
  Viewing License Information  3-15

Chapter 4  Configuring Rights  4-1
  Access Rights in the 700wl Series System  4-1
  The Rights Manager  4-4
  Configuring Access Rights—An Overview  4-5
  The Rights Assignment Table  4-6
    Adding or Editing a Rights Assignment  4-9
  Identity Profiles  4-11
    Creating or Editing an Identity Profile  4-13
    Users in the Built-In Database  4-16
    Creating or Editing a User  4-17
    Network Equipment in the Built-in Database  4-20
    Creating or Editing an Equipment Entry  4-22
    Retrieving MAC Addresses from an LDAP Database  4-24
      Specifying an LDAP Service for MAC Address Retrieval  4-25
      Configuring the Search for MAC Addresses  4-26
  Connection Profiles  4-29
    Creating or Editing a Connection Profile  4-31
    Locations  4-35
    Time Windows  4-37
  Access Policies  4-39
    Viewing Filters—the Grid Views  4-41
    Creating or Editing an Access Policy  4-43
    Allowed Traffic Filters  4-62
    Redirected Traffic Filters  4-66
    DNS/WINS Filter Pairs  4-72
    HTTP Proxy Filters  4-75
  Example—Modifying the “Guest Access” Access Policy  4-79
    Enabling an Existing Allowed Traffic Filter—Outside World  4-79
    Modifying the Outside World Filter to Restrict Access  4-82
    Setting Up HTTP Proxy Filters  4-83

Chapter 5  Configuring Authentication  5-1
  Authentication in the 700wl Series System  5-1
  The Rights Manager  5-4
  Authentication Policies  5-4
    Creating or Editing an Authentication Policy  5-6
  Configuring Authentication Services  5-7
    Configuring an LDAP Authentication Service  5-8
    Using the Active Directory LDAP Service  5-13
    Using a Netscape or iPlanet Directory Service  5-14
    Configuring the 802.1X Authentication Service  5-16
    Configuring a Kerberos Authentication Service  5-17
    Configuring a RADIUS Authentication Service  5-19
    Using RADIUS for Accounting  5-20
    Configuring an XML-RPC Authentication Service  5-22
    NT Domain Logon  5-27
    External Identity Retrieval  5-28
  Logon Page Customization  5-30
    Customizing a Logon Page  5-32
    Customizing the Stop Page  5-37
    Customized Page Templates  5-39
  Tools and Options  5-42
    Simulating User Rights  5-42
    Tracing Authentication Service Transactions  5-47
    Importing and Exporting the Rights Configuration  5-49

Chapter 6  Configuring the Network  6-1
  700wl Series System Components  6-2
    The System Components List  6-2
    Configuring an Access Control Server  6-3
    Configuring an Integrated Access Manager  6-7
    Configuring Access Controllers  6-10
    Organizing Access Controllers into Folders  6-13
  Configuring Failover with Redundant Access Control Servers  6-15
    The Secondary Access Control Server  6-16
    Disabling Redundancy  6-17
  Configuring Network Communication—Network Setup  6-17
    Network Communication—the Basic Setup Tab  6-19
    Advanced Network Configuration—the Advanced Setup Tab  6-21
    Automatic HTTP Proxy Server Specification  6-26
    SSL Certificate  6-28
  Configuring Network Interfaces  6-34
    Configuring the Port Speed and Duplex Settings  6-34
    Port Subnet IP Address and Subnet Netmask  6-36
  Configuring SNMP  6-38
  Setting the Date and Time  6-40
  Setting Up Administrators  6-42
    Editing an Administrator’s Settings  6-44
    Editing Your Administrator Password  6-45

Chapter 7  Setting up Wireless Data Privacy  7-1
  Overview of Wireless Data Privacy  7-1
  Wireless Data Privacy Setup  7-2
    Global Wireless Data Privacy Configuration  7-3
    Configuration for IPSec  7-3
  IPSec Certificate Configuration  7-5
  IP Address Assignment for Tunneling  7-11
  VPN Tunneling and Network Address Translation  7-12

Chapter 8  System Maintenance  8-1
  Software Setup  8-1
  Updating the System Software  8-2
    Remote Update  8-5
    Local Update  8-9
  Restarting Using the Alternate Version Software  8-12
  Backing Up and Restoring the System Configuration  8-13
    Creating the Backup Image  8-14
    Saving the Backup as a File  8-15
    Restoring From a Backup File  8-16
    Transferring a Backup to a Different System  8-17
  Shutting Down and Restarting a System Component  8-18
    Restarting a System Component  8-19
    Shutting Down a System Component  8-20
    Resetting to Factory Default Settings  8-21

Chapter 9  Logs  9-1
  Viewing 700wl Series System Logs  9-1
  Configuring Session Logging  9-4
  Viewing the Session Logs  9-6
  The Session Log Entry Format  9-6

Appendix A  Command Line Interface  A-1
  Accessing the Command Line Interface  A-2
    Connecting with a Serial Console  A-2
    Connecting Using SSH  A-2
    Using the CLI on an Integrated Access Manager  A-2
  Command Syntax  A-3
  Getting CLI Command Help  A-3
  Administrator Access Control Commands  A-4
  System Status and Information Commands  A-6
  Network Configuration Commands  A-9
  Port Configuration Commands  A-12
  Access Controller Port Status Commands  A-13
  Access Controller Configuration  A-14
  Advanced Network Configuration Status  A-15
  Access Control Server Configuration  A-15
  Advanced Network Configuration  A-18
  Remote Commands  A-18
  Wireless Data Privacy Configuration  A-21
  Active Client Management Commands  A-23
  System Backup, Upgrade and Shutdown Commands  A-25
    Backup and Restore  A-25
    Upgrading the System Software  A-27
    Stopping and Restarting the System  A-29
    Resetting to Factory Defaults  A-30
  Diagnostic and Log Commands  A-30
  Time Configuration  A-33
  SNMP Configuration and Reporting Commands  A-34

Appendix B  Filter Expression Syntax  B-1
  Introduction  B-1
  Filter Specification Syntax  B-1
  Tcpdump Primitives  B-2

Appendix C  Creating Customized Templates  C-1
  Introduction  C-1
  A Simple Logon Page Template Example  C-2
    Example 1  C-2
  Logon Template Elements  C-3
    Required Elements  C-4
    Optional Elements  C-5
  Logon Page Template — A More Advanced Example  C-7
    Example 2  C-7
    Changing the Logon Button Names  C-10
    Example 3  C-11
  Customizing the Logon Page Messages  C-12
  Guest Registration Template  C-13
    Example 4  C-14
  Using a Logoff Pop-Up with a Customized Logon Page  C-16
    Example 5  C-17
  Redisplaying the Logon Page in a New Window  C-18
  Customizing the Stop Page  C-19

Appendix D  Troubleshooting  D-1

Appendix E  Glossary  E-1

Index of Commands  IOC-1

Index  IX-1

PREFACE

This preface describes the audience, use, and organization of the Management and Configuration Guide. It also outlines the document conventions, safety advisories, compliance information, related documentation, support information, and revision history.
Audience
The primary audience for this document is network administrators who want to enable their network users to communicate using the HP ProCurve system. This document is intended for authorized personnel who have previous experience working with network telecommunications systems or similar equipment. It is assumed that the personnel using this document have the appropriate background and knowledge to complete the procedures described in this document.
How To Use This Document
This document contains procedural information describing the configuration and management of the HP ProCurve Integrated Access Manager, Access Control Server, and Access Controller. Where applicable, navigation aids also refer you to supplemental information such as figures, tables, and other procedures in this document or another document. Main chapters are followed by supplemental information such as appendices and an index.
Document Conventions
The following text conventions are used in this document:
Table 1. Text Conventions

Convention                  Definition
Boldface Tahoma             Screen menus, commands, or field names that you select are in boldface Arial.
Boldface Italic Palatino    New terms that are introduced are in boldface italic Palatino.
Italic Palatino             Emphasized terms and cross references to other areas in the manual are in italic Palatino.
Courier                     Filenames and text that you type are in Courier.
The following notices and icons are used to alert you to important information.
Table 2. Notices

Icon             Notice Type    Alerts you to...
None             Note           Helpful suggestions or information of special importance in certain situations.
None             Caution        Risk of system functionality loss or data loss.
(warning icon)   Warning        Risk of personal injury, system damage, or irrecoverable data loss.
Document Organization
This manual is organized as follows:
Chapter 1 Introduction
This chapter provides an introduction to the 700wl Series system.
Chapter 2 Using the 700wl Series System
This chapter helps you get started using the 700wl Series system and its Administrative Console. It gives an overview of what you can do and provides pointers to where to learn more for each task and procedure.
Chapter 3 System Status
This chapter describes the status component of the 700wl Series system. It explains how to monitor equipment, client, and session status.
Chapter 4 Configuring Rights
This chapter describes how network access rights are assigned to clients through the 700wl Series system, and explains how to configure access control policies.
Chapter 5 Configuring Authentication
This chapter describes how clients are authenticated through the 700wl Series system, and explains how to configure authentication policies.
Chapter 6 Configuring the Network
This chapter describes how to configure the 700wl Series system components so that they work with your enterprise network.
Chapter 7 Setting up Wireless Data Privacy
This chapter describes how to enforce security using IPSec, L2TP, and PPTP.
Chapter 8 System Maintenance
This chapter explains how to install new software, back up your system, and shut down and reboot.
Chapter 9 Logs
This chapter explains how to configure, examine and use the 700wl Series system log.
Appendices
Appendix A Command Line Interface
This appendix provides a description of the 700wl Series system command line interface.
Appendix B Filter Expression Syntax
This appendix describes the syntax of the filter specifications used by the Rights Manager for defining Allows, Redirects, Bridged traffic, and HTTP Proxy filters.
Appendix C Creating Customized Templates
This appendix explains how to create customized templates for the Logon, Guest Registration, and Logoff web pages.
Appendix D Troubleshooting
This appendix presents troubleshooting procedures for the 700wl Series system, including the symptoms, probable cause and recommended actions for a variety of problems.
Appendix E Glossary
The Glossary explains terms that are relevant to the 700wl Series system. These terms are shown in italics when first used.
Index of Commands
The Index of Commands is an alphabetized list of the CLI commands with references to the pages where they are documented.
Related Publications
There are several other publications related to the 700wl Series that may be useful:
• The 700wl Series Software Release Notes provides the most up-to-date information on the current software release.
• The 700wl Series Installation and Getting Started Guide documents the initial system installation and configuration of your HP ProCurve hardware unit.
• The 700wl Series Quick Start Guide provides a much briefer overview of the system installation of your hardware unit.
• The 700wl Series Wireless Data Privacy™ Guide provides information and instructions for configuring Wireless Data Privacy on the 700wl Series system, including information and instructions on configuring selected Wireless Data Privacy clients on Windows and Macintosh client systems.
• The 700wl Series Software Migration Guide provides important information and instructions for customers who are upgrading from 700wl Series system software version 3.0 or 3.1 to version 4.0 or later.
All system documentation is available on the HP ProCurve Technical Support web site at http://www.hp.com/rnd/index.htm. In addition, all documentation except the Release Notes is available on the 700wl Series Documentation CD-ROM which accompanies each 700wl Series system unit.
1 INTRODUCTION

This chapter provides a brief introduction to the 700wl Series system™ and its primary features. The topics covered in this chapter include:
700wl Series Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
700wl Series Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

700wl Series Overview

The 700wl Series system’s industry-leading cost-performance and uniquely flexible and scalable deployment architecture provides the foundation for a secure, scalable, mission-critical 802.11 wireless network. At the core of the wireless LAN (WLAN) the 700wl Series system provides key services including centralized management and control, role-based fine-grained access policy enforcement, secure Layer 3 roaming, and tiered layers of security, which enables companies to deploy and manage 802.11 networks ranging from tens to thousands of access points (APs).
A 700wl Series system consists of a central Access Control Server 740wl that provides services such as authentication, roaming, and policy management, and one or more Access Controller 720wl units. Access Controllers are gateway devices deployed at the edge of the network in the user data path enforcing network authorization and business policy.
The Access Controller (the HP ProCurve Access Controller 720wl) is a low cost, high-performance appliance with modular connectivity options that require minimal configuration, and are deployed in conjunction with an HP ProCurve Access Control Server 740wl. The Access Controller sits between the Wireless Access Points and the network, and implements a powerful Packet Inspection Engine (Layer 2-7) that can rewrite and redirect client traffic based on an Access Policy received from the Access Control Server. Each Access Policy is tailored to the individual client based on who the client is (per a successful authentication) and where and when the client has connected to the network.
The Access Control Server (the HP ProCurve Access Control Server 740wl) is a centralized resource on the network that provides services to the connected Access Controllers such as authentication management, mobility management (roaming support), policy management, and system monitoring and reporting. The Access Control Server is deployed as a dedicated control function and does not sit in the user data path. A second Access Control Server can be deployed in a redundant configuration to support stateful failover.
Figure 1-1 illustrates a 700wl Series system topology that is configured with redundant Access Control Servers for failover.
Figure 1-1. 700wl Series topology (figure not reproduced: an Access Control Server and a Redundant Access Control Server, the Internet, and two Access Controllers; the clients attached to the Access Controllers are labeled Guest, Employee, and Untrusted User)
Access Controllers sit at or near the edge of the network, and enforce authentication and access policies. As shown in Figure 1-1, Access Points are typically connected directly to Access Controller ports, but it is also possible to connect APs or clients through devices such as switches or hubs. When a client is detected at an Access Controller port, the Access Controller must first determine who the client is, based on the Authentication Policy in force for that port at that time of day. The 700wl Series system supports a variety of authentication methods, and can interface with an organization’s existing authentication services (such as an LDAP service, RADIUS, Kerberos, 802.1x or NT Domain Logon) or can handle authentication through its own built-in user database.
The Access Controller actually hands off the client authentication to the central Access Control Server, which manages the authentication process and returns the appropriate Access Policy to the Access Controller.
An Access Policy specifies the network addresses, services, and resources the client is permitted to access. The Access Policy can also specify that client traffic for certain destinations be redirected to alternate destinations. This capability is used by the 700wl Series system to redirect traffic from an unknown client to a logon page. It can also be used to notify clients when they attempt to access non-permitted resources, or to redirect a request to a permitted resource. Traffic to a destination that is neither permitted nor redirected is dropped. An Access Policy may also specify other settings such as bandwidth limitations, HTTP Proxy Servers (including filtering to impose HTTP access control), and encryption requirements. Access Policies can be configured to “expire” after a specified length of time, or at a specific time, forcing the client to reauthenticate.
Clients that are successfully authenticated (Employees in Figure 1-1) are typically associated with Access Policies that provide access to secure network resources. Clients that are not successfully authenticated (Untrusted Users) are typically associated with an Access Policy that allows only the ability to log on. The 700wl Series system also provides a Guest logon feature and Access Policy that can be used to provide limited network access to users designated as Guests, for example, Internet access via the network with no intranet access.
Access Policies are defined and maintained by the Access Control Server, but are administered by the Access Controller. Once a client has been identified and the appropriate Access Policy has been returned to the Access Controller, the Access Controller is responsible for filtering client traffic and either forwarding it to its destination, redirecting it to the appropriate alternate destination, or dropping it. The Access Control Server does not get involved again unless something occurs that requires a renewal of the client’s rights, such as expiration of their existing rights, or roaming to a different location.
In addition to being the repository for the Authentication Policies, Access Policies, and other system configuration information, the Access Control Server maintains status for every Access Controller. This includes status for every client connected to the 700wl Series system and every client session.

700wl Series Functions

The 700wl Series system provides central control of Access Controllers, and clients. The key system functions are: client authentication, rights management, Wireless Data Privacy, roaming support, NAT, and VLANs.

Client Authentication

The 700wl Series system provides a great deal of flexibility in authenticating users. The system supports three types of authentication:
Browser-based logon: With browser-based logon, the first time a client attempts an HTTP access, the Access Controller presents a browser-based logon page. After the user enters a logon ID and password, the Rights Manager authenticates the client using one or more Authentication services, such as an LDAP database, RADIUS server, Kerberos service, or through the Rights Manager’s own built-in authentication database.
VPN logon: With VPN logon, the client initiates a connection to the network using L2TP or PPTP. The Access Controller uses the login information provided by the VPN client for authentication via RADIUS or the built-in database. In this case, the user does not see the HP ProCurve logon page.
Monitored logon: The 700wl Series system supports both 802.1x logon and NT Domain logon. In both these cases, the system simply forwards the packets on to the RADIUS or NT Domain server, and monitors the response to determine whether the client has been successfully authenticated.
Once the client has been authenticated, rights for the client are requested from the Rights Manager.
The Rights Manager uses the concept of Authentication Policies, which are ordered lists of one or more authentication services. By defining multiple Authentication Policies, you can use different authentication methods for users logging in through different locations or at different times.
The 700wl Series system supports the following authentication services, any of which can be used in an Authentication Policy:
• LDAP directory services, such as Active Directory or iPlanet LDAP server
• RADIUS servers
• Kerberos services
• XML-RPC-based services
• The Rights Manager’s built-in database. This is the default authentication service. You can populate it with user names and passwords through the Rights Manager.
User Authentication is discussed in detail in Chapter 5, Configuring Authentication.

Client Access Rights

At any given time a certain set of rights is in effect for each client attached to an Access Controller. These rights are based on a number of factors, including client authentication, client identity, location of the connection, VLAN tags, and the time and day. The Rights Manager manages the criteria for each client connection.
• The Rights Manager uses Access Policies to define what network resources a user can access at any given time. Access Policies are defined for a group, and an individual user’s rights are determined by the groups to which he or she belongs.
• The Rights Manager uses Identity Profiles and Connection Profiles to define which users can access the network at any given time, what sorts of logon and authentication mechanisms may be used, and what type of security is required.
• A client is matched to an Identity Profile based on who they are, and to a Connection Profile based on when and where they connect to the network. The Rights Manager uses the Identity Profile and Connection Profile to match the client with the appropriate Access Policy. This is done in the Rights Assignment Table.
Chapter 4, Configuring Rights describes this process in detail.
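The matching described in this section and the allow/redirect/drop behaviour of an Access Policy, as an added worked model (not the 700wl Series’ own code or configuration format). The profile classes, the first-match ordering of the Rights Assignment Table, the most-specific-filter-wins rule, and all addresses and port names are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of the Rights Manager concepts above (Identity Profile + Connection
# Profile -> Access Policy via the Rights Assignment Table), not the 700wl Series' own code
# or configuration format. First-match row order and most-specific-filter-wins are assumptions.

@dataclass(frozen=True)
class Client:
    mac: str
    username: Optional[str]   # None until an authentication service has identified the client
    groups: frozenset         # group memberships returned by that service
    port: str                 # Access Controller port (location) where the client appeared
    vlan: Optional[int]       # 802.1Q tag on the client's traffic, None if untagged
    seen_at: datetime         # connection time, used for time-window matching

@dataclass(frozen=True)
class IdentityProfile:        # "who the client is"
    name: str
    group: Optional[str] = None   # None: any client, authenticated or not
    authenticated: bool = False   # True: only clients that passed authentication

    def matches(self, c: Client) -> bool:
        if self.authenticated and c.username is None:
            return False
        return self.group is None or self.group in c.groups

@dataclass(frozen=True)
class ConnectionProfile:      # "where and when the client connected"
    name: str
    ports: frozenset = frozenset()   # empty: any location
    vlans: frozenset = frozenset()   # empty: any tag, including untagged
    window: Optional[tuple] = None   # (start, end) time of day; None: any time

    def matches(self, c: Client) -> bool:
        if self.ports and c.port not in self.ports:
            return False
        if self.vlans and c.vlan not in self.vlans:
            return False
        return self.window is None or self.window[0] <= c.seen_at.time() < self.window[1]

@dataclass(frozen=True)
class AccessPolicy:
    name: str
    allowed: tuple = ()     # (destination network, TCP port or None) the client may reach
    redirects: tuple = ()   # (destination network, TCP port or None, alternate destination)

    def decide(self, dst_ip: str, dst_port: int) -> tuple:
        """Filter one packet: forward if an allowed filter matches, send it to the alternate
        destination if a redirect filter matches, otherwise drop. When both match, the more
        specific filter (longer prefix, then an explicit port) wins."""
        dst, best = ip_address(dst_ip), None   # best = (specificity, action, target)
        candidates = [(n, p, "forward", dst_ip) for n, p in self.allowed]
        candidates += [(n, p, "redirect", alt) for n, p, alt in self.redirects]
        for net, port, action, target in candidates:
            network = ip_network(net)
            if dst in network and port in (None, dst_port):
                score = (network.prefixlen, 0 if port is None else 1)
                if best is None or score > best[0]:
                    best = (score, action, target)
        return best[1:] if best else ("drop", None)

def assign_rights(table, client: Client) -> AccessPolicy:
    """Rights Assignment Table: ordered (identity, connection, policy) rows; the first row
    whose two profiles both match the client supplies its Access Policy."""
    for identity, connection, policy in table:
        if identity.matches(client) and connection.matches(client):
            return policy
    raise LookupError("no row matched; the table should end with a catch-all row")

# --- constructed sample configuration (all addresses are placeholders) ----------------
LOGON_PAGE, NOTICE_PAGE = "10.0.0.1", "10.0.0.2"   # logon page; "intranet is off limits" page
UNAUTHENTICATED = AccessPolicy("Unauthenticated",
    allowed=(("10.0.0.1/32", None),),              # may reach the logon page itself ...
    redirects=(("0.0.0.0/0", 80, LOGON_PAGE),))    # ... other HTTP goes there too; rest is dropped
GUEST = AccessPolicy("Guest Access",
    allowed=(("0.0.0.0/0", None),),                # Internet access ...
    redirects=(("10.0.0.0/8", None, NOTICE_PAGE),))  # ... but intranet attempts hit a notice page
EMPLOYEE = AccessPolicy("Employee", allowed=(("0.0.0.0/0", None),))

OFFICE_HOURS = ConnectionProfile("Office hours", ports=frozenset({"slot1/port1"}),
                                 window=(time(7, 0), time(19, 0)))
RIGHTS_TABLE = [   # evaluated top to bottom, first match wins
    (IdentityProfile("Employees", "staff", True), OFFICE_HOURS, EMPLOYEE),
    (IdentityProfile("Guests", "guest", True), ConnectionProfile("Anywhere"), GUEST),
    (IdentityProfile("Any client"), ConnectionProfile("Anywhere"), UNAUTHENTICATED),  # catch-all
]

def sample_client(kind: str, hour: int, port: str = "slot1/port1") -> Client:
    """Constructed clients: 'staff' and 'guest' are authenticated, 'unknown' is not."""
    username, groups = {"staff": ("alice", frozenset({"staff"})),
                        "guest": ("guest17", frozenset({"guest"})),
                        "unknown": (None, frozenset())}[kind]
    return Client("00:11:22:33:44:55", username, groups, port, None, datetime(2004, 3, 1, hour))

def decide_for(client: Client, dst_ip: str, dst_port: int) -> tuple:
    """(policy name, action, target) for one packet from this client."""
    policy = assign_rights(RIGHTS_TABLE, client)
    return (policy.name,) + policy.decide(dst_ip, dst_port)
```

Note that an employee connecting outside the Office hours window falls through to the catch-all row and gets only the logon redirect, which is how a time-limited Connection Profile constrains rights.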

Wireless Data Privacy and VPN Protocols

The 700wl Series system’s VPN component enables strong encryption of data between a client and the Access Controller. This provides additional security for data sent over the airwaves, replacing the relatively insecure Wired Equivalent Privacy (WEP) of a wireless network.
The 700wl Series system offers four choices for encrypting data between a client and the Access Controller: PPTP, L2TP/IPSec, tunnel mode IPSec, and SSH. It also supports a variety of authentication and encryption algorithms related to these choices. It supports a number of client software packages that handle the client side of the security method. In most cases, the 700wl Series system accepts the authentication performed by the security protocol and provides user access rights as soon as the secure connection has been set up.
Once a secure connection has been set up, clients can roam between access points and the 700wl Series system will maintain each session transparently to the client.

Roaming Support

One of the key features of the 700wl Series system is its support of layer 3 roaming—enabling clients to move around physically between access points without having to reauthenticate or establish a new session.
Because the 700wl Series system identifies clients by MAC address, it is simple to detect when a device roams. A Linger Timeout determines the length of time a client has to complete a roam, that is, to appear at a new physical location after disappearing from the old physical location. The settings for timing out a roaming client are part of the client’s assigned Access Policy; different clients can have different settings, and one client can have different settings depending on their location, time of day, and so on.
If the client completes the roam within the linger time, no reconnect or authentication is needed—the client’s connection state is maintained intact. If the client fails to complete the roam before the linger timer expires, the 700wl Series system concludes the client has actually disconnected and logs the client off.
Roaming support is discussed in more detail in VLANs and the 700wl Series System in Chapter 2, Using the 700wl Series System.
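The linger-timeout decision described above, as an added model (not the 700wl Series’ own code). Sessions are keyed by MAC address as in the 700wl Series; the per-client linger value stands in for the setting carried by the client’s Access Policy, and timestamps are seconds supplied by the caller, both assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of the linger-timeout roaming logic described above; not the
# 700wl Series' own code. Clients are keyed by MAC address as in the 700wl system;
# `now` is a timestamp in seconds supplied by the caller (an assumption of the example).

@dataclass
class Session:
    mac: str
    location: str                        # Access Controller port where the client was last seen
    linger_timeout: float                # seconds allowed to complete a roam (from the Access Policy)
    gone_since: Optional[float] = None   # set while the client is absent from its last location

class RoamTracker:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def logon(self, mac: str, location: str, linger_timeout: float) -> Session:
        """Client authenticated at `location`: start (or replace) its session."""
        self.sessions[mac] = Session(mac, location, linger_timeout)
        return self.sessions[mac]

    def disappear(self, mac: str, now: float) -> None:
        """Client no longer seen at its port: start its linger timer."""
        s = self.sessions.get(mac)
        if s is not None and s.gone_since is None:
            s.gone_since = now

    def expire(self, now: float) -> List[str]:
        """Log off every lingering client whose timer has run out; return their MACs."""
        expired = [m for m, s in self.sessions.items()
                   if s.gone_since is not None and now - s.gone_since > s.linger_timeout]
        for m in expired:
            del self.sessions[m]
        return expired

    def appear(self, mac: str, location: str, now: float) -> str:
        """Client detected at a port. Returns one of:
          'roamed'     session existed and the roam completed within the linger time;
                       connection state is kept and simply moves to the new location
          'logged_off' the linger timer had already expired, so the client was logged
                       off and must reauthenticate
          'unknown'    no session for this MAC; the client must log on"""
        if mac in self.expire(now):
            return "logged_off"
        s = self.sessions.get(mac)
        if s is None:
            return "unknown"
        s.location, s.gone_since = location, None
        return "roamed"
```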

Network Address Translation

By default, an Access Controller provides Network Address Translation (NAT) services for clients that request a DHCP IP address when they initiate a connection to the Access Controller. The 700wl Series system implements NAT as a form of “overloading,” where a range of private IP addresses is mapped to a single public IP address (the IP address of the Access Controller) by using TCP ports. When a client sends a packet through the Access Controller, the Access Controller rewrites the IP address field and the port number field to a value that is unique within the entire 700wl Series system and uses this unique identifier for returned packets.
Although NAT is enabled by default in the 700wl Series system, you can elect whether to use it or not depending on your application. Following are some points in favor of using NAT within the 700wl Series system:
• NAT makes roaming much more efficient. Because each NAT address is unique for the entire 700wl Series system, the client’s connection state can be moved to the nearest Access Controller while roaming, rather than requiring every connection to be tunneled back to the original Access Controller.
• NAT provides some amount of protection to a client since no device other than an Access Controller can talk directly to the client. This provides rudimentary firewall protection.
• Allowing NAT can ensure that a client will be able to successfully communicate with the network—if NAT is not allowed, and a client has an IP address that is not within the subnet used by the Access Controller, return packets will not be able to reach the client. A client having an IP address not within the Access Controller’s subnet can occur if the client uses a static IP address or receives an IP address from an external DHCP server.
However, certain applications may require a host or server system to know the actual IP address of a client. Some examples include multi-player games, file transfer in Instant Messenger applications, and other peer-to-peer applications.
To allow flexibility, the 700wl Series system provides alternate addressing schemes:
• Use NAT only if the client’s IP address is on the wrong subnet, that is, not within the Access Controller’s subnet. Otherwise, use the client’s real or static IP address.
• Always use the client’s real or static IP address and never use NAT, regardless of the subnet. This setting is intended for access points, and should be used with caution.
There is one case where NAT will always be used—when PPTP/L2TP tunneling is used.
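The NAT overloading and the addressing choices described above, as an added model (not the 700wl Series’ own code): a mapping table shared by all Access Controllers so translated ports are unique system-wide, the three addressing schemes, the forced-NAT case for PPTP/L2TP tunnels, and the return-packet problem for an off-subnet client without NAT. The port range, scheme names, shared table and all addresses are assumptions of the example.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed model of the NAT "overloading" scheme and the three addressing choices
# described above; not the 700wl Series' own code. The port range, the scheme names and
# the shared mapping table are assumptions of the example.

class SystemNatTable:
    """Mappings shared by every Access Controller in one 700wl system, so each translated
    port is unique system-wide (the property that lets a roaming client's connection
    state move to the nearest Access Controller instead of being tunnelled back)."""
    def __init__(self, first_port: int = 20000, last_port: int = 65535):
        self.next_port, self.last_port = first_port, last_port
        self.by_port: Dict[int, Tuple[str, int]] = {}    # translated port -> (client ip, client port)
        self.by_client: Dict[Tuple[str, int], int] = {}  # (client ip, client port) -> translated port

    def translate(self, client_ip: str, client_port: int) -> int:
        key = (client_ip, client_port)
        if key in self.by_client:               # an existing flow keeps its mapping
            return self.by_client[key]
        if self.next_port > self.last_port:
            raise RuntimeError("NAT port pool exhausted")
        port, self.next_port = self.next_port, self.next_port + 1
        self.by_port[port] = key
        self.by_client[key] = port
        return port

class AccessControllerNat:
    SCHEMES = ("always", "wrong_subnet_only", "never")   # the three addressing schemes

    def __init__(self, ac_ip: str, subnet: str, table: SystemNatTable, scheme: str = "always"):
        if scheme not in self.SCHEMES:
            raise ValueError(scheme)
        self.ac_ip, self.subnet, self.table, self.scheme = ac_ip, ip_network(subnet), table, scheme

    def needs_nat(self, client_ip: str, tunneled: bool = False) -> bool:
        """Apply the addressing scheme. PPTP/L2TP tunnelled clients are always NATed."""
        if tunneled or self.scheme == "always":
            return True
        if self.scheme == "wrong_subnet_only":
            return ip_address(client_ip) not in self.subnet
        return False                                    # "never": real/static address only

    def outbound(self, client_ip: str, client_port: int, tunneled: bool = False) -> Tuple[str, int]:
        """Source address and port the network sees for one client packet."""
        if not self.needs_nat(client_ip, tunneled):
            return client_ip, client_port
        return self.ac_ip, self.table.translate(client_ip, client_port)

    def inbound(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Return-packet handling: reverse the mapping if the packet is addressed to this
        controller's NAT address and a mapping exists; deliver directly if the destination
        is a real client address on this controller's subnet; otherwise None (the packet
        cannot reach the client, which is the off-subnet case the text warns about)."""
        if dst_ip == self.ac_ip:
            return self.table.by_port.get(dst_port)
        if ip_address(dst_ip) in self.subnet:
            return dst_ip, dst_port
        return None
```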
Addressing in the 700wl Series System in Chapter 2, and Chapter 4, Configuring Rights include more extensive discussions of addressing considerations and NAT.

VLAN Tag Support

The HP System provides support for Virtual LAN (VLAN) tagging in several ways:
• A client can be matched to a Connection Profile based on the VLAN ID (802.1Q tag) associated with the client traffic.
• The VLAN tag associated with the client traffic can be stripped, added, or rewritten before the traffic is forwarded onto the network, based on the Access Policy in force for the client.
Matching a client to a Connection Profile based on the VLAN tag effectively enables you to assign an Access Policy to clients in a specific VLAN. The Access Policies associated with the VLAN-specific Connection Profiles can be configured to modify the VLAN tagging of these clients, if necessary. By default, the tag associated with the client’s traffic is removed so the client’s traffic is sent on to the network untagged. This scenario can be useful if you want to use the client’s VLAN membership only to assign access rights for the client, and once the Access Policy is in place, the VLAN tag is no longer used. Optionally you can configure the Access Policy to preserve the tag or you can replace the original tag with a different tag.
The 700wl Series system also provides limited support for assigning IP addresses through DHCP based on the VLAN tag of the incoming traffic. In the 700wl Series system, IP subnet ranges may be specified on a port-by-port basis. In order to restrict an IP range to members of a specific VLAN, you can associate a Connection Profile that filters for the desired VLAN with the port that defines the subnet range.
2

USING THE 700WL SERIES SYSTEM

This chapter provides a brief introduction to using the 700wl Series system and its Administrative Console. It also provides an overview and discussion of a number of common tasks you may need to accomplish. The topics covered in this chapter include:
Initial Configuration of the 700wl Series System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Managing and Administering the 700wl Series System . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Logging on to the Administrative Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Using the Administrative Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Basic System Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
System Features and Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-17
This chapter assumes that you have installed your HP ProCurve Access Control Server or Integrated Access Manager as instructed in the 700wl Series Quick Start Guide or the 700wl Series Installation and Getting Started Guide. This chapter takes you through the next steps towards configuring and using the 700wl Series system. The first section takes you through the required settings from the “Complete the Configuration” steps in the 700wl Series System Quick Start Guide.
This chapter assumes you are new to the 700wl Series system. For users who are upgrading their 700wl Series system from a previous software version to version 4.1, you should read the 700wl Series Introduction to Software Version 4.x. The Introduction to Software Version 4.x document introduces you to software version 4.0 as part of the process of migrating your system, and explains what has changed from versions 3.0 and 3.1.

Initial Configuration of the 700wl Series System

The initial configuration of a 700wl Series system component, sufficient to allow network access, is described in both the 700wl Series Quick Start Guide shipped with each hardware unit, and in more detail in the 700wl Series Installation and Getting Started Guide.
If you have installed your 700wl Series system according to the instructions in the Quick Start Guide, it should be configured with a set of basic network configuration settings.
For an Access Control Server, these settings include:
• An IP address of the Access Control Server
• Subnet mask that defines the subnet associated with the Access Control Server (the default is 255.255.255.0 (/24))
• Name of the domain in which the 700wl Series system resides
• Default router (gateway) IP address
• Primary and secondary DNS server addresses
• Shared secret, used to enable Access Controllers or a peer Access Control Server to establish a trusted communication relationship with the Access Control Server. This is actually an optional item in the initial installation process of an Access Control Server, but no system components will be able to communicate with the 700wl Series system until this is set, so it is recommended that you do it as part of the initial installation.
For an Access Controller, the initial settings include:
• IP address of the Access Controller
• Subnet mask that defines the subnet associated with the Access Controller (the default is 255.255.255.0 (/24))
• Domain name
• Default router (gateway) IP address
• Primary and secondary DNS server addresses
• IP address of the Access Control Server that will manage the Access Controller
• Shared secret of the Access Control Server
If you allow your 700wl Series system components to get their IP address from a DHCP server, the DHCP server can provide the domain, default router IP address, DNS addresses, and WINS addresses.
On a newly-installed or Factory Reset Access Control Server, the following defaults are in effect:
• The DHCP address range for use with NAT’ed clients is the 42.0.0.0 subnet
• An HP ProCurve-signed SSL certificate is in place
• SNMP is disabled
• Wireless Data Privacy settings (encryption protocols) are disabled
• The default Authentication Policy uses the built-in database for user authentication

Managing and Administering the 700wl Series System

A 700wl Series system consists of an HP ProCurve Access Control Server and one or more HP ProCurve Access Controllers, or an HP ProCurve Integrated Access Manager, optionally with additional Access Controllers connected. All the elements of your 700wl Series system are configured, monitored and managed centrally from the Access Control Server or Integrated Access Manager. This monitoring and management is done through the Administrative Console, a web-browser-based interface that runs on the Access Control Server or Integrated Access Manager.
Note: An HP ProCurve Integrated Access Manager is effectively an Access Control Server and an Access Controller physically integrated into a single module. However, the 700wl Series system software internally handles the functions within an Integrated Access Manager as if they are two separate subsystems. Therefore, throughout this guide, system features are described in terms of Access Control Servers and Access Controllers. These features all apply to an Integrated Access Manager as well.
The 700wl Series system provides three levels of administrator access:
• A Network Administrator can configure the network parameters that enable the 700wl Series system to function in a network, such as configuring IP addressing, interface configuration, date and time settings, SNMP access, and performing software updates and backups. The network administrator can perform these functions for all system components that make up a 700wl Series system. A Network Administrator cannot perform any functions under the Rights Manager, such as adding users, creating or modifying Access Policies, modifying the Rights Table, setting up Authentication Services or Authentication Policies, or other similar functions. A Network Administrator can view all the pages in the Status and Logs areas.
• A Policy Administrator can perform functions under the Rights Manager, such as adding and removing users, configuring Authentication, setting up Identity Profiles, Connection Profiles, and Access Policies, and manipulating the Rights Assignment Table. A Policy Administrator cannot modify any of the network configuration parameters, or perform system software updates, backups, or restarts. A Policy Administrator can view all the pages in the Status and Logs areas.
• A Super Administrator can perform all the administrative functions for all connected components of a 700wl Series system—both network and rights configuration. In addition, a Super Administrator can add, delete, enable, and disable other administrators.
There is one built-in administrator that has Super Administrator capabilities. This is the only administrator that exists on a new unit. While all other administrator settings are maintained in the 700wl Series system database, and thus are deleted if the system is reset to factory defaults, the built-in administrator simply has its name and password reset to the default.
The built-in administrator name and password can be changed on the System Components Edit page for an individual system component. For information about creating additional administrator accounts, see Setting Up Administrators on page 6-42.

Centralized Administration

Wireless network clients connect through an Access Controller, but authentication and rights administration for these clients is handled centrally from the Access Control Server. In addition, all configuration of the Access Control Server and all Access Controllers connected to the 700wl Series system is handled through the Administrative Console running on the Access Control Server. Once you have installed an Access Controller onto your network following the instructions in the 700wl Series Quick Start Guide, all other administration on the Access Controller is handled through the Access Control Server.
From the centralized Administrative Console on your Access Control Server you can perform the following functions:
• Monitor in real-time the status of all the 700wl Series system components
• Monitor in real-time the status of all clients logged onto the system, and monitor the status of all their sessions
• View the 700wl Series system logs
• Update access rights for clients in real-time
• Log clients out of the system
• Configure advanced network settings for 700wl Series system components, including bridging, DHCP addressing for use with NAT, IP broadcast forwarding, setting up HTTP proxies, configuring SNMP settings, and setting the system date and time
• Enable or disable Wireless Data Privacy protocols, configuring the address method and range for VPN tunneling, and configuring IPSec parameters
• Update the 700wl Series system software
• Back up a 700wl Series system component’s configuration, and restore the backup if needed
• Set up Connection Profiles that identify where and when clients connect to the 700wl Series system
• Set up Authentication Policies that determine how clients authenticate themselves to the system
• Set up Access Policies to control what users can do over the network
• Set up Identity Profiles to put users in groups that share the same access policies
• Customize login pages

Logging on to the Administrative Console

To monitor or configure the 700wl Series system you use the Administrative Console. This is a web-based interface. To log in to the Administration Interface over the network, follow these steps:
Step 1. Set your browser to the IP address or hostname of your Integrated Access Manager or Access Control Server.
For example, if the IP address of your Access Control Server is 10.2.3.4, you can access its Administrative Console by entering http://10.2.3.4 in the address or location textbox of the browser software.
The Administrator Logon page appears, as shown in Figure 2-1.
Note: Your browser must accept cookies to enable logging on.
Step 2. Enter your administrator name and password and click Logon.
The initial administrator name is “admin” and the initial password is “admin.”
Figure 2-1. Administrator Logon Page
The Administrative Console initially displays the Equipment Status tab under the Status module.
Note: It is strongly recommended that you change the built-in administrator logon name and password as soon as possible. You should also set the date and time for each 700wl Series system component (Access Control Server, Integrated Access Manager, and Access Controllers).

Changing the Built-In Administrator Username and Password

To change the built-in administrator name and password on a 700wl Series system unit do the following:
Step 1. Click the Network button in the Navigation bar. The System Components page appears, with a System Components list that shows the components that make up your 700wl Series system.
Step 2. Click a system component name listed under the Component Name heading to bring up the Edit page.
Step 3. In the Admin Username field, type a new administrator user name. Type a new password in the Admin Password field, and type it again in the Confirm Admin Password field.
Step 4. Click Save.
You can make other changes on this Edit page, such as giving the unit a descriptive name, changing the shared secret, and so on. See Configuring an Access Control Server on page 6-3, Configuring an Integrated Access Manager on page 6-7, or Configuring Access Controllers on page 6-10 in Chapter 6 for more information on changing these settings.
Note: When a 700wl Series system unit is reset to its factory default settings, the built-in administrator logon name and password are also reset to their defaults.
The built-in administrator for an Access Control Server or Integrated Access Manager has the equivalent of Super Administrator capabilities—this administrator can configure all network and Rights settings for the Access Control Server or Integrated Access Manager as well as perform configuration through the Administrative Console for any Access Controllers connected to the Access Control Server or Integrated Access Manager. The built-in administrator for an Access Controller can only log on to that Access Controller through the Command Line Interface (CLI).
You can create additional 700wl Series system administrators on the Access Control Server or Integrated Access Manager, with different administration roles—Super Administrators, Network Administrators, and Policy Administrators. See Setting Up Administrators on page 6-42 for information about creating additional administrators.

Using Online Help

The 700wl Series system offers several levels of Help:
• Each page of the Administrative Console includes some basic Help, normally displayed in the left panel under the page name (and beneath the System Components List or page links, if they are present on the page).
• The Help button displays context-sensitive help presented in a separate browser window. The contents of this page are different depending on the page of the Administrative Console you are viewing when you click Help. Once inside the help system you can move around to view different topics using a variety of navigation tools:
— Next/previous page buttons
— Links within the page contents
— Related Topics links: these are presented at the top of the page, or they can be accessed from a Related Topics menu displayed using the Related Topics button
— Table of Contents and Index, accessed through the navigation panel at the left of the page.
— You can display the Table of Contents by clicking the Contents button
You can also print the page you are viewing by clicking the print button.
• From the Help window, you can display the full 700wl Series system Management and Configuration Guide by clicking the PDF button. This requires a version of Adobe’s Acrobat Reader software, which is available free of charge from Adobe Systems at http://www.adobe.com.

Logging Out

To log out of the Administrative Console:
» From any page, click the Logout button at the right of the Navigation bar. See Figure 2-2.
Figure 2-2. Logging Out

Using the Administrative Console

When you first log on to the Administrative Console, your browser displays the Equipment Status tab of the Status pages (Figure 2-3).
Figure 2-3. Initial Page of the Administrative Console (callouts: Header Bar, Navigation Bar, Tabs, Page Title, Left Panel, Sub-Tab, Main Panel)
The various pages of the Administrative Console have many elements in common, as well as elements specific to certain pages.
All pages have the following elements in common:
• The Header bar—Administrative Console session information
• The Navigation bar—Navigation and Logout buttons
• Tabs—Main function pages under each Navigation button containing left and main panels
• Left Panel—Instructive page information, page and component links, and data filters
• Main Panel—Input interfaces in the form of tables or sub-tabs, and tables displaying logs or status

Header Bar and Navigation Bar

The Header bar identifies the Access Control Server on which you are running the Administrative Console. The Navigation bar shows the top-level set of options provided by the Administrative Console based on the type of access the logged-in Administrator is permitted. Figure 2-4 shows the Header and Navigation bars of a single Access Control Server for an administrator with Super Admin access.
Figure 2-4. Header and Navigation Bars for an Access Control Server
Information at the right side of the Header bar shows the username of the logged in Administrator, the IP address of the Access Control Server, and the current date and time.
• If the IP address is labeled simply Access Control Server, this Access Control Server is functioning as the only Access Control Server in the 700wl Series system. If the system is an Integrated Access Manager, the label will reflect that.
• If the IP address is labeled Primary Access Control Server, this Access Control Server is currently functioning as the primary Access Control Server in a redundant configuration. You can perform all management and configuration functions for your 700wl Series system from this Access Control Server.
• If the IP address is labeled Secondary Access Control Server, this Access Control Server is functioning as a secondary Access Control Server in a redundant configuration. In this case, the Header bar is also labeled with a large “secondary” and only a subset of the Navigation buttons are available (see Figure 2-5). Limited configuration capabilities are available directly through the Secondary Access Control Server.
Figure 2-5. Header and Navigation Bars for a Secondary Access Control Server
The Navigation bar is always accessible from anywhere in the Administrative Console. Each Navigation button takes you to a set of pages related to specific administrative functions.
Status
The Status pages of the Administrative Console provide views of the status of system equipment, clients, and sessions. The Equipment Status tab is displayed when a 700wl Series system administrator first enters the Administrative Console. These pages are available to administrators of all access levels.
For details, refer to Chapter 3, System Status.
Rights
The Rights Manager pages of the Administrative Console enable you to manage access rights for clients, customize client logon windows, and configure authentication and access control policies. These pages are available to Super Administrators and Policy Administrators. Additional tools such as simulating user rights for testing are also available.
For details, refer to Chapter 4, Configuring Rights and Chapter 5, Configuring Authentication.
Network
The Network pages enable configuration of the 700wl Series system components to work with your enterprise network. Most pages in this area are available to Super Administrators and Network Administrators only. However, both Network Administrator and Policy Administrators can change their own passwords under this function.
For details, refer to Chapter 6, Configuring the Network.
VPN
The VPN pages enable Wireless Data Privacy configuration, such as configuring IPSec, certificates, and IP address assignment for tunneling. These pages are available to administrators of all access levels.
For details, refer to Chapter 7, Setting up Wireless Data Privacy.
Maintenance
The Maintenance pages provide the following functions: Software Setup, Backup & Restore, and Shutdown/Restart of 700wl Series system equipment. These pages are available to Super Administrators and Network Administrators.
For details, refer to Chapter 8, System Maintenance.
Logs
The Logs pages provide views of the log data, which includes time, source, severity and event description. Log data can be filtered and exported as text files. Configure the settings for a syslog server. These pages are available to administrators of all access levels.
For details, refer to Chapter 9, Logs.
Help
Click this button in the Navigation bar to view context-sensitive HTML help for the tab or subordinate tab displayed. You can also access the complete 700wl Series system Management and Configuration Guide in PDF format from the Help interface.
Logout
Click this button to log out of the 700wl Series system. A new logon window is displayed. You will need to log on again to perform additional system tasks with the Administrative Console.
Summary of Functions
The main administrative functions and the first level of tabs available under each Navigation button are listed below.
Status: Equipment Status, Client Status, Session Status, License Information
Rights: Rights Setup, Identity Profiles, Connection Profiles, Authentication Policies, Access Policies, Login Customization, Tools & Options
Network: System Components, Network Setup, Interfaces, SNMP, Date & Time, Admin Setup
VPN: Wireless Data Privacy Setup, Certificates, IP Address Assignment (for Tunneling)
Maintenance: Software Setup, Backup & Restore, Shutdown/Restart
Logs: Log Files, Logging Setup

Tabs

Tabs are used to access the pages found under a Navigation button. Clicking a button on the Navigation bar displays the first (left-most) tab for that set of functions, as shown in Figure 2-3. The active tab is shown in white. Clicking an inactive tab makes it the active tab and displays the page for that subset of functions.
Some tabs represent complex sets of functions. These may use sub-tabs to further organize the functions and make them easier to use. Sub-tabs work the same as tabs, with the active tab shown in white and inactive tabs grayed out.
When there are action buttons, for example, the Save button, displayed at the bottom of the page, the buttons pertain to the entire set of functions available under the tab. When the action buttons are displayed within the grayed area under a sub-tab, the buttons apply only to the input fields for the sub-tab.
A main tab page is divided into two distinct areas—the left panel containing informational and navigational aids, and the main panel containing the main functional area of the page (see Figure 2-3).
Function-specific elements that are common to many pages include:
• System Component list, Navigation links, or Display filters
• Input interfaces such as text fields, check boxes, buttons, drop-down lists
• Table manipulation buttons for re-ordering, editing, or deleting rows
• Page navigation controls for viewing large amounts of data spanning multiple pages
• Refresh mechanisms for updating the page, and Save, Save As Copy, Reset to Defaults, and Cancel buttons