Microsoft®, Windows®, and Windows NT® are US
registered trademarks of Microsoft Corporation.
Adobe® and Acrobat® are trademarks of Adobe Systems
Incorporated. Java™ is a US trademark of Sun
Microsystems, Inc.
Software Credits
SSH on ProCurve Switches is based on the OpenSSH software toolkit. This product includes software developed by
the OpenSSH Project for use in the OpenSSH Toolkit. For
more information on OpenSSH, visit
http://www.openssh.com.
SSL on ProCurve Switches is based on the OpenSSL software toolkit. This product includes software developed by
the OpenSSL Project for use in the OpenSSL Toolkit. For
more information on OpenSSL, visit
http://www.openssl.org.
This product includes cryptographic software written by
Eric Young (eay@cryptsoft.com). This product includes
software written by Tim Hudson (tjh@cryptsoft.com)
Disclaimer
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY
OF ANY KIND WITH REGARD TO THIS MATERIAL,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not
be liable for errors contained herein or for incidental or
consequential damages in connection with the furnishing,
performance, or use of this material.
The only warranties for HP products and services are set
forth in the express warranty statements accompanying
such products and services. Nothing herein should be
construed as constituting an additional warranty. HP shall
not be liable for technical or editorial errors or omissions
contained herein.
Hewlett-Packard assumes no responsibility for the use or
reliability of its software on equipment that is not furnished
by Hewlett-Packard.
Warranty
See the Customer Support/Warranty booklet included with
the product.
A copy of the specific warranty terms applicable to your
Hewlett-Packard products and replacement parts can be
obtained from your HP Sales and Service Office or
authorized dealer.
Safety
Before installing and operating this product, please read the
“Installation Precautions:” beginning on page 2-3 and the
safety statements in the “Safety and EMC Regulatory
Statements” beginning on page A-1.
Hewlett-Packard Company
8000 Foothills Boulevard, m/s 5551
Roseville, California 95747-5551
http://www.hp.com/networking
Introduction
The ProCurve Network Access Controller 800 (ProCurve NAC 800) provides
a complete solution for managing network access at the network edge. When
used with the ProCurve Manager (PCM) and ProCurve Identity Driven
Manager (IDM) products, you get a single, centralized network management
tool that lets you secure your network from unauthorized access.
The ProCurve Network Access Controller is comprised of:
• A Linux-based server, with FreeRADIUS software
• ProCurve Identity Driven Manager (IDM) Agent
• ProCurve Network Access Control Endpoint Integrity software
Note: Two additional items are required to enable endpoint integrity functionality:
• A ProCurve NAC Endpoint Integrity Agent License
• A ProCurve NAC Implementation Start-up Service, from an authorized
ProCurve partner or ProCurve.
This configuration allows you to deploy the appliance in any of the following
methods, to meet your network security needs:
• As a complete access control solution, including a RADIUS server,
with Endpoint Integrity (EI) enforcement, and IDM agent for use with
the PCM and IDM applications
• As a RADIUS server and Endpoint Integrity solution, independent of
PCM and IDM applications.
• As a RADIUS server with the IDM Agent, to provide user authentication
and user-based access control to network resources
• As a standalone RADIUS server, using the LINUX-based freeRADIUS
software pre-installed on the appliance.
The ProCurve NAC 800 appliance is fully integrated into the ProCurve Management software. Once installed on a network with PCM, the appliance will be
discovered by PCM and you can access the ProCurve NAC management and
configuration application via the PCM and IDM windows.
The ProCurve NAC 800 Endpoint Integrity Solution
Due to the complexity of the configuration options available with the full
ProCurve NAC 800 Endpoint Integrity (EI) solution, ProCurve requires an
implementation service to ensure successful deployment. Please contact your
Authorized ProCurve reseller, or HP ProCurve Support for information on
ordering the ProCurve NAC 800 Endpoint Integrity Implementation service.
The following section provides a brief overview of the options available for
deployment of the endpoint integrity solution.
When utilizing the Endpoint Integrity features of the ProCurve NAC 800, you
can deploy a single ProCurve NAC 800 appliance with endpoint integrity
management and enforcement capabilities. You can also install multiple
ProCurve NAC 800 appliances as Enforcement servers (ESs) across a network
and manage them from one central ProCurve NAC 800 appliance configured
as a Management server (MS). Deploying the appliance in such “clusters”
provides improved performance and redundancy of the RADIUS servers.
The ProCurve NAC Management Server (MS) specifies the enforcement
method (802.1X, inline, or DHCP), how often the end-user clients are retested,
the tests run on the end-user clients, and how to control the end-user clients’
access. The ProCurve NAC Enforcement Servers detect and test end-user
clients on the network for compliance.
You can deploy each ProCurve NAC endpoint integrity cluster in one of the
following configurations.
802.1X
When deploying ProCurve NAC in an 802.1X environment, you must install it
where it can communicate with the Remote Authentication Dial-In User
Service (RADIUS) server (or, use the built-in RADIUS server on the ProCurve
NAC 800). The RADIUS server communicates with the 802.1X authenticator,
which performs the quarantining by moving ports or MAC addresses in and
out of virtual local area networks (VLANs).
Inline
When deploying ProCurve NAC inline, it monitors and enforces all client
traffic. When ProCurve NAC is deployed as a single-server installation, it
works as a Layer 2 bridge that requires no changes to the network configuration
settings. When ProCurve NAC is installed in a multiple-server installation,
you need to configure the switch that connects the ProCurve NAC Enforcement servers to use Spanning Tree Protocol (STP) if STP is not already
configured.
ProCurve NAC allows clients to access the network, or blocks clients from
accessing the network based on their Internet Protocol (IP) address with a
built-in firewall (iptables).
DHCP
When deploying a ProCurve NAC appliance inline with a Dynamic Host
Configuration Protocol (DHCP) server, all DHCP requests pass through the
ProCurve NAC appliance’s Layer 2 bridge. For a quarantined client, the
ProCurve NAC appliance distributes a quarantined IP address for the client.
ProCurve NAC assigns a DHCP IP address based on the quarantine area
parameters you define during configuration.
If the ProCurve NAC appliance allows the client to have access, it allows your
real DHCP server to distribute a non-quarantined IP address. You can place
restrictions on network access either at the gateway for the client using
Access Control Lists (ACLs), or on the client by removing the client’s gateway
and adding static routes for accessible networks.
Quick Install
The ProCurve Network Access Controller 800 appliance is easy to install. It
comes with an accessory kit that includes the brackets for mounting the box
in a standard 19-inch telco rack or in an equipment cabinet, and with rubber
feet that can be attached so the appliance can be securely located on a
horizontal surface. The brackets are designed to allow it to be mounted in a
variety of locations and orientations. This chapter shows how to install the
appliance (also referred to here as ‘the unit’).
Quick Install Summary
Follow these steps to install the ProCurve NAC 800. The rest of this chapter
provides details on these steps.
1. Prepare the installation site (page 2-5). Ensure the physical environment
is properly prepared, including having the correct network
cabling ready to connect to the unit and having an appropriate location
for the unit. Please see page 2-3 for some installation precautions.
2. Mount the appliance (page 2-6). The ProCurve NAC 800 appliance
can be mounted in a 19-inch telco rack, in an equipment cabinet, or on a
horizontal surface.
3. Connect power to the appliance (page 2-8). Once the unit is
mounted, plug it into the nearby main power source.
4. Connect the network cables (page 2-9). Using the appropriate
network cables, connect the unit to the network.
5. Connect a console to the appliance (optional, page 2-9). You may
wish to modify the ProCurve NAC 800 configuration, for example, to
configure an IP address so it can be managed using a Web browser, from
an SNMP network management station, or through a Telnet session.
Configuration changes can easily be made by using the included console
cable to connect a PC to the unit’s console port.
6. Perform the initial appliance configuration (page 2-11). Use the
front panel LCD to set the appliance’s IP address and server type.
At this point, the unit is fully installed. See the rest of this chapter if you need
more detailed information on any of these installation steps.
Included Parts
The ProCurve NAC 800 appliance (J9065A) has the following components
shipped with it:
■ Console cable, DB-9 to RJ45 (5188-6699)
■ Accessory kit for ProCurve NAC 800 (5069-5705), which includes:
– two mounting brackets
– eight 8mm machine screws to attach the mounting brackets to
the unit
– four 5/8-inch number 12-24 screws to attach the unit to a rack
– four rubber feet for horizontal mounting on a flat surface
Australia/New Zealand
China
Continental Europe
Denmark
India
Israel
Japan
Switzerland
South Africa
Taiwan
Thailand
United Kingdom/Hong Kong/
United States/Canada/Mexico
For additional configuration information and user instructions, PDF versions
of the documentation for the ProCurve Network Access Controller 800 appliance, including the Users’ Guide, and this Installation Guide are available on
the Web at:
http://www.hp.com/rnd/support/manuals
Installation Precautions:
Follow these precautions when installing the ProCurve NAC 800 appliance.
Warning:
■ The rack or cabinet should be adequately secured to prevent it from
becoming unstable and/or falling over.
Units installed in a rack or cabinet should be mounted as low as possible,
with the heaviest devices at the bottom and progressively lighter devices
installed above.
■ For safe operation, only install the unit horizontally, with the bottom side
down.
Cautions:
■ Ensure the power source circuits are properly grounded, then use the
power cord supplied with the unit to connect it to the power source.
■ If your installation requires a different power cord than the one supplied
with the unit, be sure to use a power cord displaying the mark of the safety
agency that defines the regulations for power cords in your country. The
mark is your assurance that the power cord can be used safely with the
unit.
■ When installing the unit, the AC outlet should be near the unit and should
be easily accessible in case the unit must be powered off.
■ Ensure the unit does not overload the power circuits, wiring, and
overcurrent protection. To determine the possibility of overloading the supply
circuits, add together the ampere ratings of all devices installed on the
same circuit as the ProCurve NAC unit and compare the total with the
rating limit for the circuit. The maximum ampere ratings are usually
printed on the devices near the AC power connectors.
■ Do not install the unit in an environment where the operating ambient
temperature might exceed 40°C (104°F).
■ Ensure the air flow around the sides and back of the unit is not restricted.
Hardware Specifications
System specifications for ProCurve Network Access Controller 800 (J9065A).
Physical
Width: 44.3 cm (17.42 in)
Depth: 39 cm (15.4 in)
Height: 4.2 cm (1.64 in)
Weight: 6.1 kg (13.45 lbs)
Electrical
The appliance automatically adjusts to any voltage between 100-127 and 200-240 volts and either 50 or 60 Hz.
AC voltage: 100-127/200-240 volts
Maximum current: 2 A / 1 A
Frequency range: 50/60 Hz
Environmental
                      Operating                    Non-Operating
Temperature:          5°C to 40°C (41°F to 122°F)  -40°C to 65°C (-40°F to 149°F)
Relative humidity     15% to 80% at 40°C (104°F)   20% to 90% at 65°C (149°F)
(non-condensing):
Maximum altitude:     2 km (6,500 ft)              4.6 km (15,000 ft)
Acoustic
Noise Emission LwA=52 dB at virtual work space according to DIN 45635 T.19
Connectors
The 10/100/1000 Mbps RJ-45 twisted-pair ports are compatible with the
following standards:
■ IEEE 802.3ab 1000Base-T
■ IEEE 802.3u 100Base-TX
■ IEEE 802.3 10Base-T
Safety
Complies with:
■ EN60950-1 / IEC 60950-1
■ CSA 22.2 No. 60950-1
■ UL 60950-1
Installing the Appliance
1. Prepare the Installation Site
■ Cabling Infrastructure - Ensure the cabling infrastructure meets the
necessary network specifications. See the following table for cable types
and lengths, and see appendix B, “Cables and Connectors” for more
information:
Table 1. Summary of Cable Types to Use With the ProCurve NAC 800
Twisted-Pair Cables
Port Type: 10/100/1000Base-T
Cable Type: For either 10, 100 Mbps, or 1000 Mbps operation:
Category 5 or better, 100-ohm unshielded
twisted-pair (UTP) or shielded twisted-pair
(STP) balanced cable. For 1000 Mbps
(gigabit) operation, Category 5E cabling or
better is recommended.
Note: The ProCurve NAC 800 appliance is
compatible with the IEEE 802.3ab
standard including the “Auto MDI/MDI-X”
feature, which allows use of either
straight-through or crossover twisted-pair
cables for connecting to any network
devices including end nodes, such as
computers, or to other switches, hubs, and
routers.
Note: For 1000 Mbps operation, all four
wire pairs are used for data transmission.
Length Limits: 100 meters
■ Installation Location - Before installing the unit, plan its location and
orientation relative to other devices and equipment. Please refer to
Chapter 1, “Introduction” for details on the deployment method and
configuration options:
• In the front of the unit, leave at least 7.6 cm (3 inches) of space for
the twisted-pair cabling.
• In the back of the unit, leave at least 3.8 cm (1 1/2 inches) of space for
the power cord.
• On the sides of the unit, leave at least 7.6 cm (3 inches) for cooling,
except if the unit is installed in an open EIA/TIA rack.
2. Mount the Unit
After determining the configuration and preparing the site, you are ready to
mount the ProCurve NAC 800 appliance in a stable location. The ProCurve
NAC 800 unit can be mounted in a rack or cabinet
Warning: For safe operation, please read the mounting precautions on
page 2-3, before mounting a switch.
Rack Mounting the ProCurve NAC 800
The ProCurve NAC 800 appliance is designed to be mounted in any EIA-standard 19-inch telco rack or communication equipment cabinet.
Equipment Cabinet Note:
The 12-24 screws supplied with the unit are the correct threading for standard
EIA/TIA open 19-inch racks. If you are installing the unit in an equipment
cabinet such as a server cabinet, use the clips and screws that came with the
cabinet in place of the 12-24 screws that are supplied with the unit.
Complete step 1, and plan which four holes you will be using in the cabinet
and install all four clips. Then proceed to step 2.
1. Use a #1 Phillips (cross-head) screwdriver and attach the mounting
brackets to the ProCurve NAC unit with the included 8-mm M4 screws.
Figure 3. ProCurve NAC 800 with mounting brackets