Security Solutions
1-49
Access Control Concepts
ProCurve NAC 800
Note: By default the NAC 800 intercepts all DHCP requests. In a network that uses DHCP relay, however, you can configure the NAC 800 to respond to only those requests with source IP addresses in the quarantine and non-quarantine subnets. (The source IP address originates from the DHCP relay device; the endpoint, of course, does not yet have one.)
5. Initially, an endpoint has the Unknown posture. The NAC 800 sends a
DHCP reply that has a configuration for the quarantine subnet.
Note: The actual process differs slightly depending on whether your network implements DHCP relay. The NAC 800 immediately replies to a broadcast DHCP request. On the other hand, it simply drops a relayed request destined to the network DHCP server. The DHCP relay device then sends a DHCP request to the NAC 800’s IP address (which is configured as a secondary helper address). The NAC 800 replies to that request.
6. The NAC 800 (or one of the NAC 800s in a cluster) tests the endpoint, and
the endpoint gains a new posture.
7. If the endpoint has proven to be Healthy (or granted the Check-up
posture):
a. The NAC 800 forces it to release the address in the quarantine subnet.
b. The endpoint again sends a DHCP request.
c. The NAC 800 intercepts the request, but because the endpoint has the
Healthy or Check-up posture, the NAC 800 forwards the request to
the network DHCP server.
d. The DHCP server replies, sending the endpoint an IP address in one
of the network’s normal user VLANs.
8. If the endpoint is assigned the Quarantine or Infected posture, the NAC
800 continues to respond to its DHCP requests with an IP address in the
quarantine subnet.
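The decision the NAC 800 makes for each intercepted DHCP request in steps 5 through 8 above, written out as a small Python simulation. This is an added example, not ProCurve code: the subnets, the NAC and DHCP server addresses, the rule that the relay-source filter and the relayed-request drop are checked before the posture, and the return labels are all assumptions made for illustration.

```python
import ipaddress

# Constructed addresses for the simulation (not from a real deployment).
QUARANTINE_SUBNET = ipaddress.ip_network("192.168.1.0/24")
NON_QUARANTINE_SUBNETS = [ipaddress.ip_network("10.1.0.0/16")]
NAC_IP = "10.1.0.5"           # NAC 800, configured as the relay's secondary helper
DHCP_SERVER_IP = "10.1.0.10"  # the network's real DHCP server

# Postures that earn a normal user address; every other posture stays quarantined.
COMPLIANT_POSTURES = {"Healthy", "Check-up"}


def in_known_subnet(ip):
    """True when ip lies in the quarantine subnet or a non-quarantine user subnet."""
    addr = ipaddress.ip_address(ip)
    return addr in QUARANTINE_SUBNET or any(addr in n for n in NON_QUARANTINE_SUBNETS)


def nac_dhcp_decision(src_ip, dst_ip, relayed, posture, relay_filter=False):
    """Decide how the NAC 800 handles one DHCP request.

    src_ip       -- packet source: "0.0.0.0" for an endpoint broadcast, or the
                    relay device's address for a relayed request
    dst_ip       -- packet destination ("255.255.255.255" for a broadcast)
    relayed      -- True when a DHCP relay device forwarded the request
    posture      -- Unknown, Healthy, Check-up, Quarantine or Infected
    relay_filter -- the optional mode that answers only requests whose source
                    IP is in the quarantine or non-quarantine subnets
    Returns 'reply_quarantine', 'forward_to_dhcp', 'drop' or 'ignore'.
    """
    # Optional relay-aware filter: relayed requests from other sources are left alone.
    if relay_filter and src_ip != "0.0.0.0" and not in_known_subnet(src_ip):
        return "ignore"
    # A relayed request addressed to the real DHCP server is dropped; the relay
    # then re-sends it to the NAC 800's own address (its secondary helper).
    if relayed and dst_ip == DHCP_SERVER_IP:
        return "drop"
    # Healthy / Check-up endpoints are handed to the network DHCP server (step 7c).
    if posture in COMPLIANT_POSTURES:
        return "forward_to_dhcp"
    # Unknown, Quarantine and Infected endpoints get a quarantine-subnet lease (5, 8).
    return "reply_quarantine"


def endpoint_flow(posture_after_test):
    """Broadcast (non-relayed) endpoint: first lease while Unknown, then the re-request
    it sends after the test (steps 5, 6 and 7a-c or 8)."""
    first = nac_dhcp_decision("0.0.0.0", "255.255.255.255", False, "Unknown")
    second = nac_dhcp_decision("0.0.0.0", "255.255.255.255", False, posture_after_test)
    return first, second
```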
Establishing the Quarantine Subnet. Some network access controllers
quarantine endpoints completely: they assign endpoints IP addresses in a
subnet that does not exist in the private network. For example, a network uses
the 10.1.0.0/16 range, and the quarantine subnet is 192.168.1.0/24. Should a
quarantined user attempt to reach a resource on the network, network devices
see the invalid IP address and drop the traffic. The problem with this approach
is that users cannot reach any resources—including those that help them
become compliant.