Security Solutions

1-47
Access Control Concepts
ProCurve NAC 800
6. If the credentials are correct, IAS contacts the NAC 800 and requests the
endpoint's integrity posture. (You can learn how to configure the IAS
server to do so in the ProCurve Access Control Implementation Guide.)
7. Initially, the posture is Unknown. IAS calls the SAIASConnector (a file
installed on the IAS server). The connector should contain a policy that
associates the Unknown posture with a test VLAN. IAS sends this VLAN
assignment to the PEP.
8. Detecting the endpoint that has been placed on the test VLAN, the NAC
800 begins to check its compliance with NAC policies.
The NAC 800 needs to receive mirrored DHCP traffic on its port 2 to detect
the endpoint.
Note: In a cluster of ESs, any ES can test the endpoint; they share information
with each other.
9. When the testing is completed, the endpoint has gained a new posture.
The NAC 800 sends a message to the PEP to force the user to
reauthenticate.
10. Steps 2 to 7 repeat. Now, however, the user is assigned to a new VLAN
based on the endpoint's new posture:
   - If the endpoint has the Healthy posture (complies with your policies)
     or the Check-up posture (granted temporary access), the user
     receives his or her normal dynamic VLAN assignment.
   - If, on the other hand, the endpoint has the Quarantine or Infected
     posture, the user is placed in the quarantine or infected VLAN.
     Network access in the quarantine and infected VLANs is limited,
     typically to remediation services, in one or several of these ways:
       - The endpoint is assigned (via dynamic settings) a rate limit and
         a list of accessible resources.
       - The NAC 800 acts as the endpoint's DNS server and redirects the
         user's Web browser away from all sites (except a limited list of
         accessible services).
       - Network infrastructure devices might impose static ACLs on the
         quarantine VLAN.
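The two-pass flow in steps 6 to 10, modelled as an added Python example (not code from the guide or from the SAIASConnector itself). The VLAN IDs are constructed, the posture-to-VLAN policy fails closed to the test VLAN for any posture it does not recognise, and the RADIUS attributes are the standard RFC 3580 ones for dynamic VLAN assignment, which the guide does not spell out, so that encoding is my assumption of how the PEP receives the VLAN.

```python
# Constructed VLAN IDs for illustration; use the IDs from your own VLAN plan.
TEST_VLAN = 100
QUARANTINE_VLAN = 200
INFECTED_VLAN = 201


def vlan_for_posture(posture, normal_vlan):
    """Model of the SAIASConnector policy: integrity posture -> VLAN.

    Healthy and Check-up receive the user's normal dynamic VLAN. Any
    posture the policy does not recognise is handled like Unknown and
    lands on the test VLAN, so a missing or malformed posture can never
    result in full access (fail closed).
    """
    if posture in ("Healthy", "Check-up"):
        return normal_vlan
    if posture == "Quarantine":
        return QUARANTINE_VLAN
    if posture == "Infected":
        return INFECTED_VLAN
    return TEST_VLAN


def access_accept_vlan_attrs(vlan):
    """RFC 3580 attributes carried in the RADIUS Access-Accept; the PEP
    (the switch) reads them to place the port in the assigned VLAN."""
    return {"Tunnel-Type": 13,             # VLAN
            "Tunnel-Medium-Type": 6,       # IEEE 802
            "Tunnel-Private-Group-ID": str(vlan)}


def run_flow(test_results, normal_vlan=30, max_rounds=3):
    """Simulate steps 6-10 for one endpoint.

    test_results is a constructed list of postures the NAC 800 reports
    after each test round; an empty list means the endpoint was never
    detected (for example, no mirrored DHCP traffic reached port 2), so it
    stays on the test VLAN. Returns the (round, posture, vlan) assignments
    the PEP received.
    """
    results = iter(test_results)
    history = []
    posture = "Unknown"                        # step 7: nothing known yet
    for rnd in range(max_rounds):
        vlan = vlan_for_posture(posture, normal_vlan)
        history.append((rnd, posture, vlan))
        if posture != "Unknown":
            break                              # final posture reached
        # steps 8-9: endpoint on the test VLAN is tested, then NAC 800
        # forces a reauthentication and the next round uses the result
        posture = next(results, None) or "Unknown"
    return history
```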