Security Solutions
Access Control Concepts
ProCurve NAC 800
DHCP Deployment
With this deployment method, the NAC 800 intercepts and responds to endpoints' DHCP requests, assigning them IP addresses on a quarantine subnet. It then tests the endpoints for compliance with NAC policies. Healthy endpoints are allowed to receive DHCP addresses from the network DHCP server and are granted complete network access. Non-compliant endpoints, on the other hand, remain in the quarantine subnet.
In a cluster of NAC 800s, roles can be divided among the devices. For example, one or two NAC 800 ESs act as PEPs, intercepting DHCP requests, while several other NAC 800 ESs test the endpoints and decide whether they should be quarantined. All the ESs are controlled by an MS, which acts as the repository for NAC policies.
Process for DHCP Quarantining. The NAC 800 enforces this process to control an endpoint's network access:
1. The endpoint connects to a switch port or associates to an AP. The PEP does not enforce an access control method on the port, so the Data-Link Layer connection comes up immediately.
2. The endpoint sends a DHCP message, requesting a valid IP address for
itself, the IP address of its default gateway and DNS server, and all the
other configurations necessary for full connectivity.
3. Network infrastructure devices forward the DHCP request to the DHCP
server.
Note Exactly how the devices forward the request depends on the network infrastructure.
In a network with a single VLAN, the devices flood the request as a broadcast. In a network with multiple VLANs, network infrastructure devices usually implement DHCP relay, forwarding DHCP requests as unicast to a helper address (the address of a DHCP server on another subnet). When you add a NAC 800 deployed with the DHCP method, you must configure two helper addresses: the network DHCP server's and the NAC 800's. The devices initially send DHCP requests to the first helper address, the network DHCP server's.
4. The NAC 800, which is installed between the DHCP server and the server’s
switch, intercepts the request. It decides how to handle the request based
on the endpoint’s integrity posture.
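The following is an added example, not HP/ProCurve code, that models the decision described above: an inline PEP sees every relayed DHCP DISCOVER/REQUEST before the network DHCP server does, answers untested and non-compliant endpoints itself from a quarantine subnet (with the NAC 800 as gateway and DNS so those hosts can only reach remediation), and lets requests from endpoints whose posture is healthy through to the production server. The subnets, addresses, MAC addresses and the short quarantine lease time are assumptions chosen for the example; the renewal/NAK step shows how an endpoint that passes its test leaves the quarantine subnet without user intervention.

```python
"""Added example (not HP/ProCurve code): a minimal model of the DHCP
quarantine decision an inline NAC 800 enforcement server (PEP) makes."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed site addressing for the example; real values come from the network plan.
QUARANTINE_NET = ipaddress.ip_network("192.168.254.0/24")
QUARANTINE_GATEWAY = ipaddress.ip_address("192.168.254.1")  # NAC 800 is gateway and DNS,
QUARANTINE_DNS = QUARANTINE_GATEWAY                          # so quarantined hosts reach only remediation
PRODUCTION_NET = ipaddress.ip_network("10.10.0.0/24")
PRODUCTION_GATEWAY = ipaddress.ip_address("10.10.0.1")
PRODUCTION_DNS = ipaddress.ip_address("10.10.0.53")
QUARANTINE_LEASE_SECS = 60       # short, so a remediated endpoint re-requests quickly
PRODUCTION_LEASE_SECS = 86400

HEALTHY, NONCOMPLIANT, UNTESTED = "healthy", "noncompliant", "untested"


@dataclass
class DhcpRequest:
    client_mac: str
    msg_type: str                       # "DISCOVER" or "REQUEST"
    requested_ip: Optional[str] = None  # option 50 on a REQUEST / renewal


@dataclass
class DhcpReply:
    kind: str           # "OFFER", "ACK" or "NAK"
    client_mac: str
    yiaddr: Optional[str]
    router: Optional[str]
    dns: Optional[str]
    lease_secs: int
    source: str         # "nac800" (quarantine reply) or "dhcp-server" (production reply)


class LeasePool:
    """Hands out one host address per MAC from a subnet, skipping reserved addresses."""
    def __init__(self, net, reserved):
        self._free = [h for h in net.hosts() if h not in reserved]
        self._by_mac: Dict[str, ipaddress.IPv4Address] = {}

    def lease(self, mac):
        if mac not in self._by_mac:
            self._by_mac[mac] = self._free.pop(0)
        return self._by_mac[mac]


class Nac800Pep:
    """The PEP sits inline between the switch and the network DHCP server, so it
    sees every relayed DHCP request before the real server does (step 4)."""
    def __init__(self, posture: Dict[str, str]):
        self.posture = posture  # mac -> HEALTHY / NONCOMPLIANT; absent = not yet tested
        self.quarantine = LeasePool(QUARANTINE_NET, {QUARANTINE_GATEWAY})
        self.production = LeasePool(PRODUCTION_NET, {PRODUCTION_GATEWAY, PRODUCTION_DNS})

    def posture_of(self, mac: str) -> str:
        return self.posture.get(mac, UNTESTED)

    def handle(self, req: DhcpRequest) -> Optional[DhcpReply]:
        if req.msg_type not in ("DISCOVER", "REQUEST"):
            return None                              # only lease-seeking messages are intercepted
        if self.posture_of(req.client_mac) == HEALTHY:
            return self._forward_to_dhcp_server(req)
        return self._answer_from_quarantine(req)     # untested and non-compliant alike

    def _answer_from_quarantine(self, req):
        ip = self.quarantine.lease(req.client_mac)
        kind = "OFFER" if req.msg_type == "DISCOVER" else "ACK"
        return DhcpReply(kind, req.client_mac, str(ip), str(QUARANTINE_GATEWAY),
                         str(QUARANTINE_DNS), QUARANTINE_LEASE_SECS, "nac800")

    def _forward_to_dhcp_server(self, req):
        # Stand-in for the network DHCP server answering a request the PEP let through.
        if (req.msg_type == "REQUEST" and req.requested_ip is not None
                and ipaddress.ip_address(req.requested_ip) not in PRODUCTION_NET):
            # Renewal of a quarantine address: the production server NAKs it and the
            # endpoint restarts with DISCOVER, which is now forwarded as well.
            return DhcpReply("NAK", req.client_mac, None, None, None, 0, "dhcp-server")
        ip = self.production.lease(req.client_mac)
        kind = "OFFER" if req.msg_type == "DISCOVER" else "ACK"
        return DhcpReply(kind, req.client_mac, str(ip), str(PRODUCTION_GATEWAY),
                         str(PRODUCTION_DNS), PRODUCTION_LEASE_SECS, "dhcp-server")


def in_quarantine(reply: DhcpReply) -> bool:
    return reply.yiaddr is not None and ipaddress.ip_address(reply.yiaddr) in QUARANTINE_NET


def walk_through():
    """Constructed scenario: endpoint a passes its test, endpoint b fails it."""
    pep = Nac800Pep({})
    a, b = "00:11:22:aa:aa:01", "00:11:22:bb:bb:02"   # assumed MAC addresses
    trace = []
    trace.append(pep.handle(DhcpRequest(a, "DISCOVER")))                   # untested -> quarantine
    pep.posture[a] = HEALTHY                                                # ES test passes
    trace.append(pep.handle(DhcpRequest(a, "REQUEST", trace[0].yiaddr)))   # renewal -> NAK
    trace.append(pep.handle(DhcpRequest(a, "DISCOVER")))                   # restart -> production
    pep.posture[b] = NONCOMPLIANT                                           # ES test fails
    trace.append(pep.handle(DhcpRequest(b, "DISCOVER")))                   # stays in quarantine
    return trace


if __name__ == "__main__":
    for reply in walk_through():
        print(reply)
```

Two things worth noting about the model. The decision is keyed on the client MAC carried in the DHCP message and on posture state written by the testing ESs, so the PEP itself never inspects the endpoint; and only lease-seeking messages are acted on, which means an endpoint with a statically configured address never sends the request this enforcement point intercepts and is therefore outside what the DHCP method can control.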