HP ProCurve NAC 800 User Manual

HP ProCurve Network Access Controller 800

Users Guide

ProCurve
Network Access Controller 800

Users Guide

Release 1.1

© Copyright 2008 Hewlett-Packard Development Company, L.P.
All Rights Reserved.

This document contains information which is protected by
copyright. Reproduction, adaptation, or translation without
prior permission is prohibited, except as allowed under the
copyright laws.

Publication Number

5990-8851
November 2008

(rev-n)

Disclaimer

The information contained in this document is subject to
change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY
OF ANY KIND WITH REGARD TO THIS MATERIAL,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not
be liable for errors contained herein or for incidental or
consequential damages in connection with the furnishing,
performance, or use of this material.

Hewlett-Packard assumes no responsibility for the use or
reliability of its software on equipment that is not furnished
by Hewlett-Packard.

Trademark Credits

Adobe® and Acrobat® are trademarks of Adobe Systems
Incorporated. Microsoft®, Windows®, Windows NT®,
Windows XP®, and Windows Vista® are U.S. registered
trademarks of Microsoft Corporation. UNIX® is a registered
trademark of The Open Group.

Warranty

See the Customer Support/Warranty booklet included with
the product.

A copy of the specific warranty terms applicable to your
Hewlett-Packard products and replacement parts can be
obtained from your HP Sales and Service Office or
authorized dealer.

Hewlett-Packard Company
8000 Foothills Boulevard, m/s 5551
Roseville, California 95747-5551

http://www.procurve.com

Contents

1 Introduction

What you Need to get Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

Additional Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

NAC 800 Home Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4

System Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8

The NAC 800 Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

About NAC 800 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

NAC Policy Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

Endpoint Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11

Compliance Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12

Automated and Manual Repair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12

Targeted Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13

Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14

Upgrading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15

Conventions Used in This Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16

Navigation Paragraph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16

Tip Paragraph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16

Note Paragraph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16

Caution Paragraph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16

Warning Paragraph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17

Bold Font . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17

Task Paragraph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17

Italic Text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17

Courier Font . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18

Angled Brackets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18

Square Brackets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18

Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19

Copying Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20

SCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20

PSCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20

Users’ Guide Online Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-22

Contents

2 Clusters and Servers

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2

Installation Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3

Single-server Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3

iii

Contents

Multiple-server Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3

3 System Configuration

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4

Enforcement Clusters and Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6

Enforcement Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7

Adding an Enforcement Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7

Editing Enforcement Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9

Viewing Enforcement Cluster Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10

Deleting Enforcement Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11

Enforcement Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12

Adding an ES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12

Cluster and Server Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14

Moving ESs between Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14

Editing ESs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-15

Changing the ES Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17

Changing the ES Date and Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17

Modifying the ES SNMP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18

Modifying the ES root Account Password . . . . . . . . . . . . . . . . . . . . . . . . 3-18

Viewing ES Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-19

Deleting ESs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-21

ES Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-21

Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22

Viewing Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22

Modifying MS Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-24

Selecting a Proxy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-25

Setting the Date and Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-26

Automatically Setting the Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-26

Manually Setting the Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-27

Selecting the Time Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-27

Enabling SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-28

Modifying the MS root Account Password . . . . . . . . . . . . . . . . . . . . . . . . 3-28

Checking for NAC 800 Upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-29

Changing the NAC 800 Upgrade Timeout . . . . . . . . . . . . . . . . . . . . . . . . 3-29

User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-31

Adding a User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-31

Searching for a User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-34

Sorting the User Account Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-35

Copying a User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-35

Editing a User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-37

iv

Contents

Deleting a User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-38

User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-39

Adding a User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-39

Editing User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-42

Deleting User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-43

Sorting the User Roles Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-44

License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-45

Updating Your License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-45

Test Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-47

Manually Checking for Test Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-47

Selecting Test Update Times . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-48

Viewing Test Update Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-49

Quarantining, General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-51

Selecting the Quarantine Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-51

Selecting the Access Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-53

Quarantining, 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-54

Entering Basic 802.1X Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-54

Authentication Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-55

Selecting the RADIUS Authentication method . . . . . . . . . . . . . . . . . 3-55

Configuring Windows Domain Settings . . . . . . . . . . . . . . . . . . . . . . 3-55

Configuring OpenLDAP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-57

Configuring Novell eDirectory Settings . . . . . . . . . . . . . . . . . . . . . . . 3-60

Adding 802.1X Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-63

Testing the Connection to a Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-64

Cisco IOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-66

Cisco CatOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-68

CatOS User Name in Enable Mode . . . . . . . . . . . . . . . . . . . . . . . . . . 3-70

Enterasys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-71

Extreme ExtremeWare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-73

Extreme XOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-75

Foundry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-77

HP ProCurve Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-79

HP ProCurve WESM xl or HP ProCurve WESM zl . . . . . . . . . . . . . . . . . 3-82

HP ProCurve 420 AP or HP ProCurve 530 AP . . . . . . . . . . . . . . . . . . . . . 3-85

Nortel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-87

Other . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-89

Quarantining, DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-92

DHCP Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-92

Setting DHCP Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-92

Adding a DHCP Quarantine Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-94

Sorting the DHCP Quarantine Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-96

v

Contents

Editing a DHCP Quarantine Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-97

Deleting a DHCP Quarantine Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-97

Quarantining, Inline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-99

Post-connect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-100

Allowing the Post-connect Service Through the Firewall . . . . . . . . . . . . 3-100

First Time Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-100

Setting NAC 800 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-101

Configuring a Post-connect System . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-102

Launching Post-connect Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-103

Post-connect in the Endpoint Activity Window . . . . . . . . . . . . . . . . . . . 3-104

Adding Post-connect System Logos and Icons . . . . . . . . . . . . . . . . . . . . 3-104

Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-106

Initiating a New Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-106

Restoring From a Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-108

Downloading Support Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-109

Cluster Setting Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-110

Testing Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-110

Selecting Test Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-110

Ordering Test Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-111

Recommended Test Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-112

Selecting End-user Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-113

Accessible Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-113

Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-116

Always Granting Access to Endpoints and Domains . . . . . . . . . . . . 3-116

Always Quarantine Endpoints and Domains . . . . . . . . . . . . . . . . . . 3-117

Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-117

Enabling Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-118

End-user Screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-119

Specifying an End-user Screen Logo . . . . . . . . . . . . . . . . . . . . . . . . 3-119

Specifying the End-user Screen Text . . . . . . . . . . . . . . . . . . . . . . . . 3-120

Specifying the End-user Test Failed Pop-up Window . . . . . . . . . . . 3-121

Agentless Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-122

Adding Windows Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-122

Testing Windows Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-124

Editing Windows Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-125

Deleting Windows Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-125

Sorting the Windows Credentials Area . . . . . . . . . . . . . . . . . . . . . . 3-126

Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-127

Setting ES Logging Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-127

Setting 802.1X Devices Logging Levels . . . . . . . . . . . . . . . . . . . . . . . . . 3-128

Setting IDM Logging Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-128

vi

Advanced Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-130

Setting the Agent Read Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-130

Setting the RPC Command Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-131

4 Endpoint Activity

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2

Filtering the Endpoint Activity Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4

Filtering by Access Control or Test Status . . . . . . . . . . . . . . . . . . . . . . . . . 4-4

Filtering by Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5

Limiting Number of Endpoints Displayed . . . . . . . . . . . . . . . . . . . . . . . . . 4-6

Searching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7

Access Control States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9

Endpoint Test Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10

Enforcement Cluster Access Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14

Viewing Endpoint Access Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-16

Selecting Endpoints to Act on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-18

Acting on Selected Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-19

Manually Retest an Endpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-19

Immediately Grant Access to an Endpoint . . . . . . . . . . . . . . . . . . . . . . . . 4-19

Immediately Quarantine an Endpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-20

Clearing Temporary Endpoint States . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-20

Viewing Endpoint Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-21

Troubleshooting Quarantined Endpoint s . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-23

Contents

5 End-user Access

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2

Test Methods Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3

Agent Callback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3

Endpoints Supported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5

Browser Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7

Firewall Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8

Managed Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8

Unmanaged Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8

Making Changes to the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8

Windows Endpoint Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-9

IE Internet Security Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-9

Agent-based Test Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-9

Ports Used for Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-9

Windows Vista Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-9

vii

Contents

Agentless Test Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-10

Configuring Windows 2000 Professional for Agentless Testing . . . . 5-10

Configuring Windows XP Professional for Agentless Testing . . . . . 5-11

Configuring Windows Vista for Agentless Testing . . . . . . . . . . . . . . 5-12

Defining the Agentless Group Policy Object . . . . . . . . . . . . . . . . . . . 5-12

Ports Used for Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22

Allowing the Windows RPC Service through the Firewall . . . . . . . . 5-22

ActiveX Test Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-24

Ports Used for Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-24

Windows Vista Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-24

Mac OS X Endpoint Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25

Ports Used for Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25

Allowing NAC 800 through the OS X Firewall . . . . . . . . . . . . . . . . . . . . 5-25

End-user Access Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-29

Opening Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-30

Windows NAC Agent Test Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-31

Automatically Installing the Windows Agent . . . . . . . . . . . . . . . . . . 5-31

Removing the Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-34

Manually Installing the Windows Agent . . . . . . . . . . . . . . . . . . . . . . 5-34

How to View the Windows Agent Version Installed . . . . . . . . . . . . . 5-36

Mac OS Agent Test Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-36

Installing the MAC OS Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-36

Verifying the Mac OS Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-39

Removing the Mac OS Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-43

ActiveX Test Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-44

Agentless Test Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-44

Testing Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-47

Test Successful Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-48

Testing Cancelled Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-49

Testing Failed Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-49

Error Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-51

Customizing Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-52

6 NAC Policies

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2

Standard NAC Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4

NAC Policy Group Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5

Add a NAC Policy Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5

Editing a NAC Policy Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5

Deleting a NAC Policy Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6

NAC Policy Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7

viii

Contents

Enabling or Disabling an NAC Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7

Selecting the Default NAC Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7

Creating a New NAC Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7

Editing a NAC Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13

Copying a NAC Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13

Deleting a NAC Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-14

Moving a NAC Policy Between NAC Policy Groups . . . . . . . . . . . . . . . . 6-14

Assigning Endpoints and Domains to a Policy . . . . . . . . . . . . . . . . . . . . . 6-14

NAC Policy Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15

Setting Retest Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15

Setting Connection Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15

Defining Non-supported OS Access Settings . . . . . . . . . . . . . . . . . . . . . . 6-16

Setting Test Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16

Selecting Action Taken . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-17

About NAC 800 Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-19

Viewing Information About Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-19

Selecting Test Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-19

Entering Software Required/Not Allowed . . . . . . . . . . . . . . . . . . . . . 6-19

Entering Service Names Required/Not Allowed . . . . . . . . . . . . . . . . 6-20

Entering the Browser Version Number . . . . . . . . . . . . . . . . . . . . . . . 6-21

Test Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-21

7 Quarantined Networks

Endpoint Quarantine Precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2

Using Ports in Accessible Services and Endpoints . . . . . . . . . . . . . . . . . . . . . 7-4

Always Granting Access to an Endpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6

Always Quarantining an Endpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-8

New Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9

Shared Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-10

Untestable Endpoints and DHCP Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11

Windows Domain Authentica tion and Quarantined Endpoints . . . . . . . . 7-12

8 High Availability and Load Balancing

High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2

Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6

9 Inline Quarantine Method

Inline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2

ix

Contents

10 DHCP Quarantine Method

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2

Configuring NAC 800 for DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4

Setting up a Quarantine Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4

Router Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4

Configuring the Router ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5

Configuring Windows Update Service for XP SP2 . . . . . . . . . . . . . . . . . . 10-5

11 802.1X Quarantine Method

About 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2

NAC 800 and 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4

Setting up the 802.1X Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-7

Setting up the RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-7

Using the NAC 800 IAS Plug-in to the Microsoft IAS RADIUS Server .

11-7

Configuring the Microsoft IAS RADIUS Server . . . . . . . . . . . . . . . . 11-9

Proxying RADIUS Requests to an Existing RADIUS Server Using the

Built-in NAC 800 RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . 11-33

Using the Built-in NAC 800 RADIUS Server for Authentication . . 11-36

Configuring Non-HP Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-36

Enabling NAC 800 for 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-39

NAC 800 User Interface Configuration . . . . . . . . . . . . . . . . . . . . . . 11-39

Setting up the Supplicant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-40

Windows XP Professional Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-40

Windows XP Home Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-42

Windows 2000 Professional Setup . . . . . . . . . . . . . . . . . . . . . . . . . . 11-43

Windows Vista Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-45

Setting up the Authenticator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-48

Cisco® 2950 IOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-49

Cisco® 4006 CatOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-50

Enterasys® Matrix 1H582-25 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-50

Extreme® Summit 48si . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-51

ExtremeWare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-51

ExtremeXOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-52

Foundry® FastIron® Edge 2402 . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-53

HP ProCurve 420AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-53

HP ProCurve 530AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-54

HP ProCurve 3400/3500/5400 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-56

Nortel® 5510 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-56

Creating Custom Expect Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-57

x

12 Remote Device Activity Capture

Creating a DAC Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2

Downloading the EXE File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3

Running the Windows Installer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3

Adding Additional Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-13

Configuring the MS and ES for DAC . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-14

Adding Additional ESs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-15

Starting the Windows Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-16

Viewing Version Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-17

Removing the Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-18

NAC 800 to Infoblox Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-20

Configuring the Infoblox Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-20

Configuring NAC 800 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-20

13 DHCP Plug-in

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-2

Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4

DHCP Plug-in and the NAC 800 User Interface . . . . . . . . . . . . . . . . . . . . . 13-7

Installing the Plug-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-7

Enabling the Plug-in and Adding Servers . . . . . . . . . . . . . . . . . . . . . . . . 13-11

Viewing DHCP Server Plug-in Status . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-13

Editing DHCP Server Plug-in Configurations . . . . . . . . . . . . . . . . . . . . . 13-13

Deleting a DHCP Server Plug-in Configuration . . . . . . . . . . . . . . . . . . . 13-14

Disabling a DHCP Server Plug-in Configuration . . . . . . . . . . . . . . . . . . 13-14

Enabling a DHCP Server Plug-in Configuration . . . . . . . . . . . . . . . . . . . 13-14

Contents

14 Reports

Report Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2

Generating Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-4

Viewing Report Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-6

Printing Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-8

Saving Reports to a File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-9

Converting an HTML Report to a Word Document . . . . . . . . . . . . . . . . . 14-10

15 System Administration

Launching NAC 800 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-3

Launching and Logging into NAC 800 . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-3

Logging out of NAC 800 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-3

Important Browser Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-3

xi

Contents

Restarting NAC 800 System Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-4

Downloading New Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-5

System Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-6

DNS/Windows Domain Authentication and Quarantined Endpoints . . . . 15-6

Matching Windows Domain Policies to NAC Policies . . . . . . . . . . . . . . . 15-7

Setting the Access Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-8

Naming Your Enforcement Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-8

Changing the MS Host Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-9

Changing the ES Host Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-9

Changing the MS or ES IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-9

Resetting your System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-9

Resetting your Test Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-11

Changing Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-12

Specifying an Email Server for Sending Notifications . . . . . . . . . . . . . . 15-13

Entering Networks Using CIDR Format . . . . . . . . . . . . . . . . . . . . . . . . . . 15-14

Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-15

Creating a Backup File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-15

Changing the Backup Timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-15

Restoring from Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-16

Restoring the Original Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-17

Generating a Support Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-17

Supported VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-18

End-user Access Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-19

How NAC 800 Handles Static IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15-20

Managing Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-21

Resetting the NAC 800 Server Password . . . . . . . . . . . . . . . . . . . . . . . . 15-22

Resetting the NAC 800 Database Password . . . . . . . . . . . . . . . . . . . . . . 15-23

Changing the NAC 800 Administrator Password . . . . . . . . . . . . . . . . . . 15-23

When the Password is Known . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-23

When the Password is Unknown . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-23

Working with Ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-25

Creating and Replacing SSL Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . 15-27

Creating a New Self-signed Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . 15-27

Using an SSL Certificate from a known Certificate Authority (CA) . . . 15-29

Moving an ES from One MS to Another . . . . . . . . . . . . . . . . . . . . . . . . . . 15-32

Recovering Quickly from a Network Failure . . . . . . . . . . . . . . . . . . . . . . . 15-33

VLAN Tagging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-34

iptables Wrapper Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-36

Supporting Network Management System . . . . . . . . . . . . . . . . . . . . . . . . . 15-37

xii

Enabling ICMP Echo Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-37

Enable Temporary Ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-37

Enable Persistent Ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-37

Restricting the ICMP Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-38

SNMP MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-39

16 Patch Management

Patch Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-2

Flagging a Test to Launch a Patch Manager . . . . . . . . . . . . . . . . . . . . . . . . 16-3

Selecting the Patch Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-4

Specifying the Number of Retests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-5

Specifying the Retest Frequency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-6

SMS Patch Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-7

SMS Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-8

NAC 800/SMS/NAC 800 Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-9

NAC 800 Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-10

Learning More About SMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-11

Contents

A Configuring the Post-connect Server

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-2

Extracting the ZIP File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-3

Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-3

Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-3

ZIP File Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-4

Setting up a Post-connect Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-5

Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-5

Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-6

Viewing Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-9

Testing the Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-10

Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-10

Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-10

Configuring Your Sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-11

Allowing NAC 800 Through the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . A-12

B Tests Help

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-3

Browser Security Policy – Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-4

Browser Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-5

Internet Explorer (IE) Internet Security Zone . . . . . . . . . . . . . . . . . . . . . . . B-6

xiii

Contents

Internet Explorer (IE) Local Intranet Security Zone . . . . . . . . . . . . . . . . . . B-7

Internet Explorer (IE) Restricted Site Security Zone . . . . . . . . . . . . . . . . . B-8

Internet Explorer (IE) Trusted Sites Security Zone . . . . . . . . . . . . . . . . . . . B-9

Operating System – Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-11

IIS Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-11

Internet Explorer Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-11

Microsoft Office Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-12

Microsoft Applications Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-12

Microsoft Servers Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-13

Microsoft Tools Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-13

Service Packs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-14

Windows 2000 SP4 Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-14

Windows 2003 SP1 Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-15

Windows 2003 SP2 Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-15

Windows Automatic Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-16

Windows Media Player Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-17

Windows Vista™ SP0 Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-17

Windows XP SP1 Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-18

Windows XP SP2 Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-19

Security Settings – OS X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-20

Mac AirPort WEP Enabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-20

Mac AirPort Preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-20

Mac AirPort User Prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-21

Mac Anti-virus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-21

Mac Bluetooth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-22

Mac Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-22

Mac Internet Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-23

Mac QuickTime® Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-23

Mac Security Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-24

Mac Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-24

Security Settings – Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-25

Allowed Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-25

Microsoft Excel Macros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-25

Microsoft Outlook Macros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-26

Microsoft Word Macros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-27

Services Not Allowed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-28

Services Required . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-29

Windows Bridge Network Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . B-30

Windows Wireless Network SSID Connections . . . . . . . . . . . . . . . . . . . . B-30

Windows Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-31

xiv

Windows Startup Registry Entries Allowed . . . . . . . . . . . . . . . . . . . . . . . B-32

Wireless Network Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-33

Software – Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-35

Anti-spyware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-35

Anti-virus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-35

High-risk Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-36

Microsoft Office Version Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-36

P2P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-37

Personal Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-37

Software Not Allowed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-38

Software Required . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-38

Worms, Viruses, and Trojans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-39

C Important Browser Settings

Pop-up Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-2

Active Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-4

Minimum Font Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-6

Page Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-8

Temporary Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-9

Contents

D Installation and Configuration Check List

Minimum System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-2

Installation Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-3

IP Addresses, Hostname, Logins, and Passwords . . . . . . . . . . . . . . . . . . . . . D-4

Single-server Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-4

Multiple-server Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-4

Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-5

Enforcement Server 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-5

Enforcement Server 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-6

Enforcement Server 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-6

Proxy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-7

Agentless Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-8

Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-9

802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-9

802.1X Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-9

DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-10

Accessible services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-11

Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-13

Test Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-14

xv

Contents

E Ports used in NAC 800

F MS Disaster Recovery

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-2

Installation Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-2

Installing the Standby MS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-2

Ongoing Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-3

Failover process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-3

G Glossary

Index

xvi

Introduction

Chapter Contents

What you Need to get Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

NAC 800 Home Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4

System Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8

Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14

Additional Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

Upgrading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15

Conventions Used in This Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16

Copying Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20

1

The NAC 800 Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

About NAC 800 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

Navigation Paragraph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16

Tip Paragraph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16

Note Paragraph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16

Caution Paragraph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16

Warning Paragraph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17

Bold Font . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17

Task Paragraph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17

Italic Text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17

Courier Font . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18

Angled Brackets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18

Square Brackets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18

Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19

SCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20

PSCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20

1-1

Introduction

What you Need to get Started

The following hardware and software is required to operate NAC 800:

■ One or more ProCurve NAC 800 appliances

■ Configuration information – See “Installation and Configuration

■ An Internet connection or a Web proxy server that allows outbound

■ Workstation – A workstation running one of the following browsers:

What you Need to get Started

Check List” on page D-1

HTTPS communications from the MS

•Windows –

Mozilla version 1.7

Mozilla Firefox version 1.5 or later

Internet Explorer 6.0

• Linux –

Mozilla version 1.7

Mozilla Firefox version 1.5 or later

• Mac OS X –

Mozilla Firefox version 1.5 or later

■ A ProCurve NAC Implementation Start-up Service, from an autho-

rized ProCurve partner or ProCurve.

■ A ProCurve NAC Endpoint Integrity Agent License

ProCurve NAC 800 is delivered as a hardware appliance that you install in your
network. After NAC 800 is installed in your network, you configure it using a
workstation with browser software installed.

The browser software must be configured as described in “Important Browser
Settings” on page C-1.

1-2

Introduction

Additional Documentation

Additional Documentation

The following documents provide information on installation and configura­tion, and are available at http://www.hp.com/rnd/support/manual/
NAC800.htm:

1. ProCurve Network Access Controller 800 Hardware Installation Guide
– Refer to this document first to see how to prepare for and perform the
physical installation of the appliance and how to establish initial
management access. This document contains appliance specifications,
safety information, and appliance certifications.

2. ProCurve Network Access Controller 800 Configuration Guide – Refer
to this document second, to understand the product's features,
capabilities, and use. This document explains how to configure the
appliance based on the usage model you choose to deploy in your
network.

3. ProCurve Network Access Controller 800 Users’ Guide – Refer to this
document last for information on configuring, monitoring activities,
creating NAC policies, and running reports.

1-3

Introduction

NAC 800 Home Window

NAC 800 Home Window

The NAC 800 Home window (figure 1-1) is a centralized management user
interface that allows you to quickly assess the status of your network. The
following list and figure describe and show the key features:

1. Important status announcements – If there is anything that needs your
immediate attention, a status announcement is displayed at the top of the
window. Click clear to remove the announcement.

2. Username’s account – Click this link to open the user account editing
window. See “User Accounts” on page 3-31 for details on creating and
editing user accounts. You must have administrator privileges to create
user accounts; however, any user can edit their own account.

3. Top 5 failed tests area – The Top 5 failed tests area indicates the tests that
fail the most. Click on an endpoint number or the Test results report option
to view details.

4. Window actions – Use these links to refresh the window, log out of the
user interface, and access online help.

5. Navigation pane – The menu items shown in this pane vary depending on
your permission level. See “User Roles” on page 3-39 for more information
on permissions. You must have administrator privileges to create and edit
user roles. Once you select a menu item from the navigation pane, use the
bread crumbs at the top of the windows to navigate throughout the user
interface (see figure 1-2. System Monitor Window on page 1-7).

6. Endpoint test status area – The Endpoint tests area displays the total
number of endpoints that NAC 800 has attempted to test, and what the
test status is for each endpoint. Click the number of endpoints to view
details.

7. Access control status area – The Access control area displays the total
number of endpoints that have attempted to connect to your network, and
what the access state is as a percentage and as a number. Click on the
number of endpoints to view details.

8. Enforcement server (ES) status area – The Enforcement server status area
provides status on your ESs. Click the System monitor option to view
details.

1-4

NAC 800 Home Window

3. Top 5 failed
tests area

2. User name

Introduction

1. Important status
announcements

5. Navigation
pane

6. Test
status area

7. Access control
status area

status area

4. Window actions

8. Enforcement server
status area

Figure 1-1. NAC 800 Home Window

1-5

Introduction

System Monitor

System Monitor

The System monitor window provides the following information:

■ Enforcement cluster name – The Enforcement clusters are listed by

name in the order they were created. Click on a cluster name to view
cluster details. You must have cluster-editing permissions to view and
edit cluster details.

■ Server name by cluster – The servers for each cluster are listed by

name in the order they were created. Click on a server name to view
server details. You must have cluster-editing permissions to view and
edit server details.

■ Cluster access mode – The cluster access mode is either normal or

allow all. See “Enforcement Clusters and Servers” on page 3-6 for

instructions on making the access mode selection.

■ Health status – Health status shows ok for servers with no problems,

and either warning or error for servers with problems. Click the server
name to view details.

■ Upgrade status – Upgrade status shows the status of any upgrades in

process.

■ % memory used – The amount of memory currently used by each

server is shown as a percentage of total memory available.

■ Endpoints tested/minute – The number of endpoints tested over the

last 15 minutes or less.

■ Endpoints queued – The number of tests running or scheduled to run

on that ES.

■ System load average – The number of processes waiting to run (top

command). In Linux, entering top at the command line returns a real­time look at processor activity.

1-6

Breadcrumbs for navigation

Introduction

System Monitor

Figure 1-2. System Monitor Window

The following figure shows the legend for the System monitor window icons:

Figure 1-3. System Monitor Window Legend

1-7

Introduction

Overview

Overview

NAC 800 protects the network by ensuring that endpoints are free from threats
and in compliance with the organization's IT security standards. NAC 800
systematically tests endpoints—with or without the use of a client or agent—
for compliance with organizational security policies, quarantining non-com­pliant machines before they damage the network.

NAC 800 ensures that the applications and services running on endpoints
(such as LAN, RAS, VPN, and WiFi endpoints) are up-to-date and free of
worms, viruses, trojans, P2P and other potentially damaging software. It
dramatically reduces the cost and effort of securing your network's weakest
links—the endpoints your IT group might not adequately control.

There are advantages and disadvantages inherent with each of the test method
technologies. Having a choice of testing solutions enables you to maximize
the advantages and minimize the disadvantages.

TIP: Agentless testing uses an existing Windows service (RPC). ActiveX testing

uses an ActiveX control. ProCurve agent testing installs an agent (ProCurve
NAC EI Agent) and runs as a new Windows service.

The trade-offs in the test methods are described in the following table:

Test method Trade-offs

Pros Cons

Agentless • Truly agentless, no install or download.

• No extra memory load on the client machine.

• Can begin testing, view test results, and give
network access without any end-user
interaction for
domains.

• Easiest of the three test methods to deploy.

• Saves administration time and is therefore
less expensive than agent-based solutions.

Table 1-1. Test Methods

endpoints on your Windows

• Requires RPC Service to be available to the
NAC 800 server (ports 139 or 445).

• Requires file and print sharing to be enabled.

• Not supported by legacy Windows™
operating systems and non-Windows
operating systems.

• If the endpoint is not on a domain, the user
must specify local credentials. A user often
does not know what credentials to enter.

1-8

Test method Trade-offs

Pros Cons

Introduction

Overview

ActiveX plug-in • No installation or upgrade to maintain.

• Supports all Windows operating systems.

• Only Internet Explorer application access
required through personal firewall. Must
open port 1500.

ProCurve NAC EI
Agent

• Always available for retesting.

• The agent is automatically updated with
product updates.

• Supports all Windows platforms.

Table 1-1. Test Methods (cont.)

The following list highlights key features:

■ Enforcement options – NAC 800 provides multiple enforcement

options for quarantining endpoints that do not comply with your
security policy (Inline, DHCP, and 802.1X). This enables NAC 800 to
enforce compliance across complex, heterogeneous networks.

• No retesting of endpoint once browser is
closed.

• Not supported by non-Windows operating
systems.

• Browser security settings must allow
ActiveX control operation of signed and safe
controls. This is the default for the Internet
zone. Raise the Internet zone setting and
make

NAC 800 part of the trusted zone.

• Requires interaction from end-users—they
must download the control before they can
access network.

• Install and upgrade to maintain.

• Requires one-time interaction from end­users—they must download and install
before they can access network.

■ High availability and load balancing – A multi-server NAC 800 deploy-

ment is mutually supporting. Should one server fail, other nodes
within a cluster will automatically provide coverage for the affected
network segment.

Load balancing is achieved by an algorithm that spreads the endpoint
testing load across all ESs in a cluster.

■ Multiple-user, role-based access – In enterprise deployments

numerous individuals, each with varying responsibilities, typically
require access to information within NAC 800. Role-based access
enables system administrators to control who has access to the data,
the functions they are allowed to perform, and the information they
can view and act on. Role-based access ensures the integrity of the
enterprise-wide NAC 800 deployment and creates the separation of
duties that conforms to security best-practices.

1-9

Introduction

Overview

■ Extensible – NAC 800’s easy-to-use open API allows administrators

to create custom tests for meeting unique organizational require­ments. The API is fully exposed and thoroughly documented. Custom
tests are created using scripts and can be seamlessly added to existing
policies.

■ Compatible with existing heterogeneous network infrastructure – No

upgrades to your existing network infrastructure are required.

■ Variety of enforcement options – Permit, deny, or quarantine based

on test results.

■ Self-remediation – Reduces IT administration by empowering users

to bring their machines into compliance.

■ Subscription-based licensing – Includes all test updates and software

upgrades.

The NAC 800 Process

NAC 800 administrators create "NAC policies" that define which applications
and services are permitted, and specify the actions to be taken when endpoints
do not comply. NAC 800 automatically applies the NAC policies to endpoints
as they log into the network, and periodically as the endpoints remain logged
into the network. Based on results, endpoints are either permitted or quaran­tined to a specific part of the network, thus enforcing the organizational
security standards. NAC 800 tracks all testing and connection activity and
produces a range of reports for auditors, managers, and IT staff.

1-10

NAC 800 performs pre-connect testing; when an endpoint passes the NAC
policy tests (or is otherwise granted access), the endpoint is allowed access
to the network. If you have external Intrusion Detection System/Intrusion
Prevention System (IDS/IPS) systems that monitor your network for attacks,
you can configure these external systems in NAC 800 so they can request that
NAC 800 quarantine an endpoint after it has been connected (post-connect).

About NAC 800

NAC Policy Definition

NAC policies consist of individual tests that evaluate the security status of
endpoints attempting to access the network. Specific tests assess operating
systems, verify that key hotfixes and patches have been installed, ensure
antivirus and other security applications are present and up-to-date, detect

Introduction

Overview

the presence of worms, trojans, and viruses, and check for potentially danger­ous applications such as file sharing, peer-to-peer (P2P), or spyware. See
“Tests Help” on page B-1 for more information.

Key features include:

■ Out-of-the-box NAC policies – High, medium, and low security are

ready to use with no additional configuration required.

■ Standard tests – NAC 800 comes with a broad range of tests.

■ Automatic test updates – NAC 800 is automatically updated with tests

that cover newly released patches, hotfixes, software updates,
worms, and trojans, and recommended security settings for common
applications. New tests are automatically added to the test database
as frequently as hourly, ensuring immediate protection against newly
discovered threats.

■ Organization-specific policies – Any number of NAC policies can be

created and tailored to your organizational needs. Create policies for
like endpoints (for example, all Windows 2000 workstations), for an
IP range or specific IPs, or by geographic location.

Endpoint Testing

NAC 800 automatically tests all endpoints attempting to access your network
through a LAN, RAS, VPN, or WiFi connection. Tests are fast and you are kept
informed of test progress and results. After the initial compliance tests, NAC
800 periodically tests endpoints that have been granted access to ensure that
real-time system changes do not violate the NAC policy.

TIP: NAC 800 passes approximately 9 to 16 kilobytes of total data between a single

endpoint and a single NAC 800 server for a single testing session with the High
Security NAC policy (approximately 20 tests). It typically takes between 5 and
10 seconds to all tests in a policy on a 100Mb LAN. If your endpoints are taking
longer to test, there might be a configuration problem with DNS on the NAC
800 server.

NOTE: If the end-user selects ActiveX test and then closes the browser, their endpoint

is not retested until the end-user opens another browser session, reloading
the ActiveX agent.

Key features include:

■ Multiple test method options – Agentless, ActiveX, or ProCurve NAC

EI Agent. Select the most appropriate method for your environment
or endpoint.

1-11

Introduction

Overview

■ Rapid testing and robust endpoint management – Thousands of

endpoints can be tested and managed simultaneously.

■ Continual testing – Endpoints are retested on an administrator-

defined interval as long as they remain connected to the network.

Compliance Enforcement

Based on endpoint test results, NAC 800 takes the appropriate action. End­points that test compliant with the applied policy are permitted access. Non­compliant endpoints are either quarantined, or are given access for a tempo­rary period. Implement the necessary fixes during this period.

Key features include:

■ Flexible enforcement options – Grant or quarantine access criteria is

designated by the administrator and driven by the criticality of
selected tests and corporate security standards.

■ Manual overrides – Administrators can retest, quarantine, or grant

access to endpoints on demand.

■ User notifications – Users of non-compliant endpoints receive imme-

diate notification about the location of the endpoint deficiencies, as
well as step-by-step information about implementing the corrections
to achieve compliance.

■ Administrator notifications – Administrators receive a variety of noti-

fications and alerts based on testing and access activity.

■ Graduated enforcement – Allows controlled system rollout.

Automated and Manual Repair

■ Self-remediation – End-users are notified of where their endpoints are

deficient and provided with remediation instructions.

■ Access "grace period" – Non-compliant endpoints are granted access

for a temporary, administrator-defined period to facilitate remedia­tion.

■ Patch Management – NAC 800 can integrate with patch manage-

ment software, automating the process to get an endpoint updated
and on the network.

1-12