Security Solutions
1-46
Access Control Concepts
ProCurve NAC 800
A NAC policy consists of a list of tests. The NAC 800 provides a wide array of
customizable tests, and Chapter 2: “Customer Needs Assessment” gives you
some guidelines for choosing tests that meet your needs. The NAC policy also
dictates whether an endpoint that fails a particular test should be quarantined
immediately, quarantined after a grace period, or not quarantined at all. Where
the NAC policy repository resides depends on the deployment:
■ The NAC policy is stored on the NAC 800 that runs the tests if that NAC
800 is a stand-alone device (a CS).
■ If the NAC 800 is part of a cluster, an MS acts as the repository for policies.
The ESs run the tests.
As an endpoint-integrity-only solution, the NAC 800 supports all three deployment
methods. Let’s look at how those methods work in more detail.
802.1X Deployment
In an endpoint-integrity-only 802.1X deployment, the NAC 800 tests endpoints
for compliance with the system’s NAC policies, but a different RADIUS server
authenticates the users.
This RADIUS server must be an IAS server, which is configured to contact the
NAC 800 after authenticating a user and request the integrity posture for the
user’s endpoint. The IAS server then assigns the user to a test or a quarantine
VLAN, if necessary.
Process for 802.1X Quarantining (Endpoint Integrity Only)
The NAC 800 imposes this process to control an endpoint’s network access:
1. The endpoint establishes a Data-Link Layer connection to the PEP:
• An Ethernet cable is plugged into a switch, and the link opens.
• A wireless endpoint associates with a wireless AP.
2. The PEP shuts down the connection to all traffic except EAP
authentication messages. It sends an EAP challenge to the endpoint’s
802.1X supplicant.
3. The endpoint returns an EAP message that typically contains its username.
The PEP proxies this response to IAS and IAS’s reply back to the
endpoint.
4. The endpoint and IAS exchange authentication information (proxied by
the PEP) as dictated by the EAP method.
5. IAS verifies the user’s credentials (typically against Active Directory).
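To make the policy's three per-test failure outcomes and the RADIUS server's VLAN decision concrete, here is an added Python model; it is not NAC 800 or IAS code. The test names, grace period, VLAN IDs and endpoint facts are constructed, and the rule that an endpoint still inside its grace period keeps production access is an assumption of the model, not something this page states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

class OnFail(Enum):               # the three outcomes a NAC policy can dictate for a failed test
    NOW = "quarantine immediately"
    AFTER_GRACE = "quarantine after grace period"
    NEVER = "do not quarantine"

@dataclass
class NacTest:
    name: str
    check: Callable[[dict], bool]   # True when the endpoint passes this test
    on_fail: OnFail
    grace: timedelta = timedelta(0)

def posture(policy: List[NacTest], endpoint: str, facts: dict, now: datetime,
            state: Dict[Tuple[str, str], datetime]) -> str:
    """Evaluate one endpoint: 'healthy', 'grace' (failed, timer running) or 'quarantine'.
    state is hypothetical bookkeeping: (endpoint, test) -> when the endpoint first failed it."""
    result = "healthy"
    for t in policy:
        key = (endpoint, t.name)
        if t.check(facts):
            state.pop(key, None)          # passing clears any running grace timer
            continue
        if t.on_fail is OnFail.NEVER:
            continue
        since = state.setdefault(key, now)
        if t.on_fail is OnFail.NOW or now - since >= t.grace:
            return "quarantine"
        result = "grace"
    return result

VLANS = {"production": "vlan-10", "test": "vlan-20", "quarantine": "vlan-30"}  # constructed IDs

def assign_vlan(user_ok: bool, posture_result: Optional[str]) -> Optional[str]:
    """IAS's decision once it has the posture: None models an Access-Reject (bad credentials)."""
    if not user_ok:
        return None
    if posture_result is None:            # NAC 800 has not tested this endpoint yet
        return VLANS["test"]
    if posture_result == "quarantine":
        return VLANS["quarantine"]
    return VLANS["production"]            # healthy, or failed but still inside its grace period

def sample_policy() -> List[NacTest]:
    """Constructed policy: antivirus (1-day grace), firewall (immediate), patches (advisory only)."""
    return [NacTest("antivirus_running", lambda f: f.get("av", False), OnFail.AFTER_GRACE, timedelta(days=1)),
            NacTest("firewall_enabled", lambda f: f.get("fw", False), OnFail.NOW),
            NacTest("patches_current", lambda f: f.get("patched", False), OnFail.NEVER)]
```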