Security Solutions
1-52
Access Control Concepts
ProCurve NAC 800
Note: A cluster of ESs can connect to the choke point and test endpoints using the
policies stored on the MS. Because the multiple NAC 800s may create a loop
in the topology, remember to set up Spanning Tree Protocol (STP) or Rapid
STP (RSTP) on the devices to which they connect.
Process for Inline Quarantining. A NAC 800 follows this process to control
an endpoint’s access to the network:
1. The endpoint connects to the network. It may do so in a variety of
ways—for example, establishing a VPN tunnel with a gateway device.
Authentication—if it occurs at all—takes place within this step. For
example, a user must authenticate to connect to the VPN gateway. A
wireless user might enter a preshared key to connect to an AP. However,
the authentication is unrelated to the NAC 800.
2. The endpoint’s traffic reaches the NAC 800, which stands between the
endpoint and the rest of the network.
3. If it has not already done so, the NAC 800 tests the endpoint.
4. The NAC 800 decides whether to bridge the traffic to the rest of the
network or drop it, basing its decision on the endpoint’s posture:
• Healthy or Check-up = Bridge the traffic
• Unknown, Quarantine, or Infected = Drop the traffic (unless destined
to an allowed remediation service)
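The four-step decision above, modelled as a small policy engine. This is an added illustration, not ProCurve code: the posture names and the bridge/drop rule come from the list above, while the per-endpoint posture cache, the remediation allow-list of (host, port) pairs and the sample addresses are assumptions.

```python
"""Model of the NAC 800 inline-quarantine decision (added example, not ProCurve code)."""
from dataclasses import dataclass, field

# Postures taken from the process description above.
BRIDGE_POSTURES = {"Healthy", "Check-up"}
DROP_POSTURES = {"Unknown", "Quarantine", "Infected"}


@dataclass
class InlineEnforcer:
    # (host, port) pairs a quarantined endpoint may still reach, e.g. a patch
    # server. Assumed representation; values are constructed samples.
    remediation_services: set
    # Cached posture per endpoint address; an endpoint with no entry is untested.
    postures: dict = field(default_factory=dict)

    def test_endpoint(self, endpoint, tester):
        """Step 3: test only if this endpoint has not already been tested."""
        if endpoint not in self.postures:
            self.postures[endpoint] = tester(endpoint)
        return self.postures[endpoint]

    def decide(self, endpoint, dest, tester):
        """Step 4: bridge or drop the endpoint's traffic based on its posture.
        Non-healthy endpoints may only reach an allowed remediation service."""
        posture = self.test_endpoint(endpoint, tester)
        if posture in BRIDGE_POSTURES:
            return "bridge"
        if posture in DROP_POSTURES:
            return "bridge" if dest in self.remediation_services else "drop"
        raise ValueError(f"unexpected posture {posture!r}")


# Constructed sample test results; any endpoint not listed is "Unknown".
SAMPLE_POSTURES = {"10.0.0.5": "Healthy", "10.0.0.6": "Quarantine", "10.0.0.7": "Check-up"}


def sample_tester(endpoint):
    return SAMPLE_POSTURES.get(endpoint, "Unknown")


def demo():
    nac = InlineEnforcer(remediation_services={("10.0.0.100", 80)})
    lan = ("192.0.2.10", 443)
    return {
        "healthy_to_lan": nac.decide("10.0.0.5", lan, sample_tester),
        "checkup_to_lan": nac.decide("10.0.0.7", lan, sample_tester),
        "quarantined_to_lan": nac.decide("10.0.0.6", lan, sample_tester),
        "quarantined_to_remediation": nac.decide("10.0.0.6", ("10.0.0.100", 80), sample_tester),
        "untested_to_lan": nac.decide("10.0.0.9", lan, sample_tester),
    }
```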
NAC 800 as a RADIUS-Only Solution
With its FreeRADIUS server, the NAC 800 can function as a traditional RADIUS
server. Querying an Active Directory, eDirectory, or OpenLDAP server, the
NAC 800 verifies users’ credentials. If you use IDM, the NAC 800 can also factor
more complex policies into its access control decisions, sending the
appropriate dynamic settings to PEPs. (See “ProCurve IDM” on page 1-58.)
The ProCurve NAC 800 supports a variety of authentication protocols
including:
■ PAP
■ CHAP