3Com DUA1550-0AAA02 manual


A good user manual

The rules should oblige the seller to give the purchaser an operating instruction for the 3Com DUA1550-0AAA02 along with the item. The lack of an instruction, or false information given to the customer, constitutes grounds for a complaint on the basis of nonconformity of the goods with the contract. In accordance with the law, a customer can receive an instruction in non-paper form; lately graphic and electronic forms of manuals, as well as instructional videos, have been widely used. A necessary precondition for this is that the instruction is unambiguous and legible.

What is an instruction?

The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction for the 3Com DUA1550-0AAA02 one can find a process description. An instruction's purpose is to teach, and to ease the start-up and use of an item or the performance of certain activities. An instruction is a compilation of information about an item or a service; it is a guide.

Unfortunately, only a few customers devote their time to reading the instruction for the 3Com DUA1550-0AAA02. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us to avoid most defects.

What should a perfect user manual contain?

First and foremost, a user manual for the 3Com DUA1550-0AAA02 should contain:
- information concerning the technical data of the 3Com DUA1550-0AAA02
- the name of the manufacturer and the year of construction of the 3Com DUA1550-0AAA02 item
- rules of operation, control and maintenance of the 3Com DUA1550-0AAA02 item
- safety signs and mark certificates which confirm compatibility with the appropriate standards

Why don't we read the manuals?

Usually it results from a lack of time and uncertainty about the functionalities of purchased items. Unfortunately, connecting and starting up the 3Com DUA1550-0AAA02 alone are not enough. An instruction contains a number of hints concerning the respective functionalities, safety rules, maintenance methods (which means should be used), possible defects of the 3Com DUA1550-0AAA02, and methods of problem resolution. Eventually, when one still can't find the answer to a problem, one will be directed to the 3Com service. Lately animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer will familiarize himself with the whole material, and won't skip the complicated, technical information about the 3Com DUA1550-0AAA02.

Why one should read the manuals?

It is mostly in the manuals that we find the details concerning the construction and capabilities of the 3Com DUA1550-0AAA02 item, its use with the respective accessories, and information concerning all of its functions and facilities.

After a successful purchase of an item one should find a moment to get to know every part of the instruction. Currently the manuals are carefully prepared and translated, so that they can be fully understood by their users. The manuals will serve as an informational aid.

Table of contents for the manual

  • Page 1

    http://www.3com.com/ Part No. DUA1550-0AAA02 Published December 2005 3Com Network Access Manager User Guide Version 1.1[...]

  • Page 2

    3Com Corporation 350 Campus Drive Marlborough, MA USA 01752-3064 Copyright © 2005, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation. 3[...]

  • Page 3

    CONTENTS ABOUT THIS GUIDE Naming Conventions 7 Screen Shots 7 Conventions 8 Related Documentation 8 1 INTRODUCTION 3Com Network Access Manager Overview 9 3Com Network Access Manager User Interfaces 11 Users of 3Com Network Access Manager 11 Network Administrators 11 Network Operators 12 3Com EFW Policy Support 13 Backing up 3Com Network [...]

  • Page 4

    4 2 INSTALLING 3COM NETWORK ACCESS MANAGER System Requirements 21 Before Installation 23 Installing 3Com Network Access Manager 24 Overview 24 New Installation 24 Modifying and Repairing An Installation 30 Uninstalling 3Com Network Access Manager 32 3 GETTING STARTED Using The Network Administrator User Interface 35 User Interface 35 Se[...]

  • Page 5

    5 Associating Rules With A User 54 Displaying And Changing Rules Associated With A User 56 Creating A New User 56 Groups View 57 Associating Rules With A Group 58 Displaying And Changing Rules Associated With A Group 59 Creating A New Group 60 Computers View 60 Entering MAC Addresses For A Computer 61 Associating Rules With A Computer 62 Displayin[...]

  • Page 6

    6 Case Study 4 - Hot Desking 81 Network Administrator Tasks 81 Network Operator Tasks 82 What Happens When A User Logs In 82 Case Study 5 - Removing Infected Devices From The Network 84 Network Administrator Tasks 84 When a PC needs to be isolated for the first time: 85 Network Operator Tasks 85 What Happens 86 Case Study 6 - Combining Ho[...]

  • Page 7

    ABOUT THIS GUIDE This guide describes how to install and configure the 3Com Network Access Manager. This guide is intended for use by network administrators who are responsible for installing and setting up network equipment, and who are already familiar with configuring Microsoft’s Active Directory and IAS RADIUS servers. Certain secti[...]

  • Page 8

    8 ABOUT THIS GUIDE Conventions Table 1 and Table 2 list conventions that are used throughout this guide. Related Documentation In addition to this guide, each 3Com Network Access Manager provides on-line help which can be accessed through the application. This guide contains the instructions you need to install and configure your 3Com Ne[...]

  • Page 9

    1 INTRODUCTION This chapter provides: ■ an overview of how 3Com Network Access Manager integrates with Microsoft’s IAS and Active Directory, ■ an explanation of Rules, Rule Priority and RADIUS response, ■ an explanation of 3Com Network Access Manager’s role in authentication and authorization, ■ a list of 3Com devices supported[...]

  • Page 10

    10 CHAPTER 1: INTRODUCTION ■ Moving specific users or computers (e.g. a PC infected with a virus) into an isolated network. Figure 1 illustrates the integration of 3Com Network Access Manager with Microsoft's Internet Authentication Service (IAS) and Microsoft's Active Directory. Figure 1 3Com Network Access Manager Integrated w[...]

  • Page 11

    3Com Network Access Manager Overview 11 authorized computers or users that represent a security threat to the network. For example, a PC infected with a virus or a worm, or a user launching a DoS attack on the network. Further examples of how 3Com Network Access Manager can be used to improve the security on a network are given in chapter 4. In [...]

  • Page 12

    12 CHAPTER 1: INTRODUCTION and are familiar with MAC addresses and IEEE 802.1X authentication. Typical tasks for a network administrator using 3Com Network Access Manager include: ■ editing security profiles for users, groups and computers to include VLAN, QoS profile and EFW policy information, ■ adding computer MAC addresses, ■ setting[...]

  • Page 13

    3Com Network Access Manager Overview 13 3Com EFW Policy Support 3Com Network Access Manager provides support for 3Com EFW Policy Server v2.5, which adds the concept of user-based Embedded Firewall (EFW) policies rather than just NIC-based EFW policies. For example, the policy which is downloaded to the EFW can be specific to the user logged int[...]

  • Page 14

    14 CHAPTER 1: INTRODUCTION priority rule associated with the user, the EFW Policy from that rule is then associated with the user, all other associations are removed. ■ if a rule priority or group is changed, the correct associations have to be re-established. Clicking on the Recalculate EFW membership button will cause 3Com Network[...]

  • Page 15

    Concepts and Terminology 15 systems. As a RADIUS server, IAS performs centralized connection authentication, authorization, and accounting for network access servers (desktop switches and wireless access points acting as RADIUS clients), see Figure 2. Remote Access Policy For 3Com Network Access Manager to authenticate users and computers ac[...]

  • Page 16

    16 CHAPTER 1: INTRODUCTION Only one pre-defined rule, the Default Rule, is supplied as standard. The Default Rule is used whenever an authentication finds that a user, group or computer is not a member of any other rule. Further rules are added by the Network Administrator to implement the required network security policies, see “Creating A N[...]

  • Page 17

    Concepts and Terminology 17 The two forms of RADIUS authentication supported by 3Com Network Access Manager are: ■ MAC-address based authentication, for example RADA (RADIUS Authenticated Device Access). ■ IEEE 802.1X authentication, also known as dot1X, 802.1X and Network Login. MAC-address based Authentication 3Com Network Access Manager [...]

  • Page 18

    18 CHAPTER 1: INTRODUCTION Authorization Once a user has successfully authenticated, the authorization process determines which VLANs and QoS to return to the switch, as follows: 1 From the authentication rule selected, if any VLAN has been specified, return the VLAN ID in the RADIUS response. 2 From the authentication rule selected, if a[...]

  • Page 19

    Devices Supported 19 Table 4 lists suitable edge port security modes and their typical use within a network. The case studies in Chapter 4 explain how these port security modes operate to control network access. Table 4 Edge Port Security Modes Compatible With 3Com Network Access Manager Port Security Mode Typical Use Supported By RADA-Else[...]

  • Page 20

    20 CHAPTER 1: INTRODUCTION[...]

  • Page 21

    2 INSTALLING 3COM NETWORK ACCESS MANAGER This chapter covers: ■ the operating systems and required PC configurations that are compatible with the 3Com Network Access Manager components, ■ the tasks that need to be performed before installing and running 3Com Network Access Manager, ■ how to install 3Com Network Access Manager, ■ [...]

  • Page 22

    22 CHAPTER 2: INSTALLING 3COM NETWORK ACCESS MANAGER Table 6 lists the configuration requirements of PCs that will have 3Com Network Access Manager components installed. .NET Framework v1.1 is included as part of Windows Server 2003. For Windows 2000 and Windows XP Professional, you can check if .NET Framework v1.1 is installed usin[...]

  • Page 23

    Before Installation 23 Before Installation You must perform the following tasks on your network before installing and setting up 3Com Network Access Manager: 1 Install and configure Microsoft Internet Authentication Service (IAS), a Install IAS on one or more Windows 2000 servers or Windows 2003 servers in the network. IAS is included as par[...]

  • Page 24

    24 CHAPTER 2: INSTALLING 3COM NETWORK ACCESS MANAGER Installing 3Com Network Access Manager Follow the instructions in this section to install 3Com Network Access Manager. Overview 3Com Network Access Manager comprises five components: ■ Internet Authentication Server component consisting of authorization/authentication DLLs, ■ Active[...]

  • Page 25

    Installing 3Com Network Access Manager 25 Follow these steps to install the 3Com Network Access Manager components: 1 Insert the 3Com Network Access Manager CD in the PC’s CDROM drive. If Autorun is enabled on the PC, the installation starts automatically and you can skip steps 2 and 3. 2 From the Start menu, select Run. 3 Type D:setup (su[...]

  • Page 26

    26 CHAPTER 2: INSTALLING 3COM NETWORK ACCESS MANAGER 5 Select Next, the End User License Agreement will display, Figure 4. Figure 4 End User Licence Agreement dialog To continue the installation select I accept the terms of the license agreement, and press the Next button. Otherwise, select Back to move to the previous dialog or Canc[...]

  • Page 27

    Installing 3Com Network Access Manager 27 Figure 5 Choose Destination Location 7 On the next dialog, Figure 6, select the 3Com Network Access Manager components to install on the PC. Ticked components will be installed. Un-ticked components will not be installed. The Next button will be grayed out until a component has been ticked. Any combinati[...]

  • Page 28

    28 CHAPTER 2: INSTALLING 3COM NETWORK ACCESS MANAGER Figure 6 Component Selection 8 On the next dialog, Figure 7, select Install to start the installation, or Back to return to the previous dialog.[...]

  • Page 29

    Installing 3Com Network Access Manager 29 Figure 7 Confirmation of Installation 9 The Installer will check the hard disk space available on the PC. If sufficient disk space is available, the installer will install the components selected. If insufficient disk space is available, an error message is displayed, see Figure 8, the installation will[...]

  • Page 30

    30 CHAPTER 2: INSTALLING 3COM NETWORK ACCESS MANAGER Figure 9 Installation Complete With the exception of installing the Active Directory component, any problems encountered during installation will result in an error message being displayed and the installation aborted. You will need to manually fix the problem before restarting the in[...]

  • Page 31

    Installing 3Com Network Access Manager 31 4 The splash screen will display followed by the Maintenance dialog, see Figure 10. Figure 10 Maintenance dialog 5 Click on the Modify button to change the components installed on the PC. a The Select Components dialog will display. b Tick the components to be installed. c Any unticked components will [...]

  • Page 32

    32 CHAPTER 2: INSTALLING 3COM NETWORK ACCESS MANAGER on the Maintenance Complete dialog that the Active Directory components are already present in Active Directory. This will not affect Active Directory. Figure 11 Maintenance Complete dialog 7 Click Finish to exit the Maintenance program. If the Internet Authentication Server componen[...]

  • Page 33

    Installing 3Com Network Access Manager 33 4 The splash screen will display followed by the Maintenance dialog, see Figure 12. Figure 12 Maintenance dialog 5 Click on the Remove button. On the next dialog, click Yes to remove the 3Com Network Access Manager components installed on the PC, click No to stop the uninstall and return to the Maint[...]

  • Page 34

    34 CHAPTER 2: INSTALLING 3COM NETWORK ACCESS MANAGER Figure 13 Maintenance Complete dialog[...]

  • Page 35

    3 GETTING STARTED This chapter describes: ■ how to configure 3Com Network Access Manager after installation, using the Network Administrator User Interface, ■ how to configure the User Interface for Network Operators. Before configuring 3Com Network Access Manager, make sure you have created a Remote Access Policy in IAS that 3Com Netwo[...]

  • Page 36

    36 CHAPTER 3: GETTING STARTED Figure 14 Network Administrator User Interface (toolbar callouts: Decrease Rule Priority, Increase Rule Priority, New Rule, New QoS Profile, New EFW Policy, New VLAN, Active Directory Domain, Recalculate EFW Membership; click on an object in the tree to display a list of items known to the system in the Details pane; the Tree pane) The[...]

  • Page 37

    Using The Network Administrator User Interface 37 Setting Up 3Com Network Access Manager To configure 3Com Network Access Manager after installation, follow these steps: Before adding entries for VLANs, QoS profiles and EFW policies in 3Com Network Access Manager make sure that the VLANs, QoS profiles and EFW policies have already been set up in[...]

  • Page 38

    38 CHAPTER 3: GETTING STARTED Figure 15 VLANs View Detail Pane. Creating A New VLAN To create a new VLAN entry in 3Com Network Access Manager, follow these steps: 1 Either click VLANs in the Tree pane and click the New VLAN button on the Tool bar, or right-click VLANs in the Tree pane and select New> VLAN 2 In the dialog box enter the[...]

  • Page 39

    Using The Network Administrator User Interface 39 You can now: ■ associate rules with this VLAN if the rules have already been created, see “Changing Rule Properties”. Deleting An Existing VLAN To delete an existing VLAN entry in 3Com Network Access Manager, follow these steps: 1 Click on VLANs in the Tree pane. The Details pane on[...]

  • Page 40

    40 CHAPTER 3: GETTING STARTED 4 Click OK This completes changing the ID for an existing VLAN entry in 3Com Network Access Manager. Displaying Rules Associated With A VLAN To display the rules associated with a VLAN, follow these steps: 1 Click on VLANs in the Tree pane. The Details pane on the right will list all of the VLANs in 3Com Netwo[...]

  • Page 41

    Using The Network Administrator User Interface 41 Figure 16 QoS Profiles View Detail Pane Creating A New QoS Profile To create a new QoS profile entry in 3Com Network Access Manager, follow these steps: 1 Either click QoS Profiles in the Tree pane and click the New QoS Profile button on the Tool bar, or right-click QoS Profiles in the Tree[...]

  • Page 42

    42 CHAPTER 3: GETTING STARTED This completes creating a new QoS profile entry in 3Com Network Access Manager. You can now: ■ associate rules with this QoS profile if the rules have already been created, see “Changing Rule Properties”. Deleting An Existing QoS Profile To delete an existing QoS profile in 3Com Network Access Manag[...]

  • Page 43

    Using The Network Administrator User Interface 43 The ID should be a string of characters that match the ID assigned to the QoS profile in the network access device (switch or wireless access point). 4 Click OK or Cancel. This completes changing the ID for an existing QoS profile entry in 3Com Network Access Manager. Displaying Rules Assoc[...]

  • Page 44

    44 CHAPTER 3: GETTING STARTED Figure 17 EFW Policies View Detail Pane Creating A New EFW Policy Before creating an EFW policy in 3Com Network Access Manager make sure that the EFW policy has already been created in the EFW Policy Server. To create a new EFW policy entry in 3Com Network Access Manager, follow these steps: 1 Either click EFW P[...]

  • Page 45

    Using The Network Administrator User Interface 45 This completes creating a new EFW policy entry in 3Com Network Access Manager. You can now: ■ associate rules with this EFW policy if the rules have already been created, see “Changing Rule Properties”. Deleting An Existing EFW Policy To delete an existing EFW policy in 3Com Network Access[...]

  • Page 46

    46 CHAPTER 3: GETTING STARTED 3 Select the Members tab, a list of rules associated with the EFW policy will be displayed in the window. 4 Click OK or Cancel. This completes displaying the rules associated with an EFW policy. Rules View Clicking on Rules in the Tree pane displays in the Detail pane a list of rules already entered into 3C[...]

  • Page 47

    Using The Network Administrator User Interface 47 Creating A New Rule To create a new rule, assign a priority and network access response to the rule, follow these steps: 1 Either click Rules in the Tree pane and click the New Rule button on the Tool bar, or right-click Rules in the Tree pane and select New>Rule 2 In the dialog box enter t[...]

  • Page 48

    48 CHAPTER 3: GETTING STARTED Figure 19 Security Tab For A Rule c Repeat steps 7a and 7b for each group and user permitted to assign the rule. Table 7 Selecting Appropriate Rule Permissions Role Rule Permissions Network Administrator(s) or Network Operator(s) allowed to associate the rule with a user, group, or computer Tick Allow for Read a[...]

  • Page 49

    Using The Network Administrator User Interface 49 8 Select the Action tab and configure the action attributes for the rule, Figure 20. Figure 20 Action Tab For A Rule a You changed the Priority setting for the rule in step 5. There is no need to change it again unless you need to assign a different unique priority. b Select the Network Acce[...]

  • Page 50

    50 CHAPTER 3: GETTING STARTED To understand the effect of this action, you need to be aware of how the edge port security is set up on the network. In some port modes, the response may appear illogical, for instance, Allow can be used to implement a blacklist. c If Network Access is set to Allow, select the VLAN from the drop down list, th[...]

  • Page 51

    Using The Network Administrator User Interface 51 Controlling Permission To Apply A Rule Selecting who has permission to apply a rule, is performed when the rule is created. Permissions can be changed after a rule is created, providing the user or group making the change has write permission for the rule. To change permissions on a rule, fo[...]

  • Page 52

    52 CHAPTER 3: GETTING STARTED 4 Click OK. 5 If EFW policies are used, click on the Recalculate EFW Membership button in the Tool bar after changing the rule priorities. Changing Rule Properties Selecting the properties for a rule is performed when the rule is created. Rule properties can be changed after a rule is created, providing the[...]

  • Page 53

    Using The Network Administrator User Interface 53 To add or remove computers associated with a rule, refer to “Displaying And Changing The Rules And MAC Address Associated With A Computer”. Users View Clicking on Users in the Tree pane displays in the Detail pane a list of Users which already exist in the domain, see Figure 21. Alternativel[...]

  • Page 54

    54 CHAPTER 3: GETTING STARTED Associating Rules With A User All users in the domain will have the Default Rule applied until they are associated with other rules created with 3Com Network Access Manager. To associate a rule(s) with a user, follow these steps: 1 Either click on Users in the Tree pane or if you have created Organizational U[...]

  • Page 55

    Using The Network Administrator User Interface 55 Figure 22 Network Access Tab 4 Tick the box beside each rule that is to be associated with the user. If the rule is grayed out then the user is a member of a group which is already associated with the rule. A user can be associated with multiple rules, however only the highest priority rule as[...]

  • Page 56

    56 CHAPTER 3: GETTING STARTED Displaying And Changing Rules Associated With A User To display and change the rules associated with a user, follow these steps: 1 Either click on Users in the Tree pane or if you have created Organizational Units to structure your users, click on the organizational units subfolders until you reach the desire[...]

  • Page 57

    Using The Network Administrator User Interface 57 Groups View Clicking on Groups in the Tree pane displays in the Detail pane a list of Groups which already exist in the domain, see Figure 23. Alternatively if you have created Organizational Units to structure your groups, click on the organizational units subfolders until you reach the d[...]

  • Page 58

    58 CHAPTER 3: GETTING STARTED Associating Rules With A Group All groups in the domain will have the Default Rule applied until they are associated with other rules created with 3Com Network Access Manager. To associate a rule(s) with a group, follow these steps: 1 Either click on Groups in the Tree pane or if you have created Organization[...]

  • Page 59

    Using The Network Administrator User Interface 59 5 Click OK This completes associating rules with a group. Displaying And Changing Rules Associated With A Group To display and change the rules associated with a group, follow these steps: 1 Either click on Groups in the Tree pane or if you have created Organizational Units to structure your gro[...]

  • Page 60

    60 CHAPTER 3: GETTING STARTED DO NOT change rule membership using the Members Of tab. Creating A New Group To create a new group in the system, you will need to use a tool such as the “Active Directory Users and Computers” administration tool. You cannot create groups through 3Com Network Access Manager. Follow the instructions given[...]

  • Page 61

    Using The Network Administrator User Interface 61 Figure 25 Computers View Detail Pane Entering MAC Addresses For A Computer To use MAC-address based authentication, the computers in the domain need to have their MAC addresses entered into 3Com Network Access Manager. To enter the MAC address(es) for a computer follow these steps: 1 Either[...]

  • Page 62

    62 CHAPTER 3: GETTING STARTED Associating Rules With A Computer Ensure you have entered the MAC address of the computer in your network, before associating rules with the computer. 3Com Network Access Manager will only apply a rule to the computer if the RADIUS request includes the MAC address as the Calling-Station-Id. All computers in the[...]

  • Page 63

    Using The Network Administrator User Interface 63 Figure 26 Network Access Tab 4 Tick the box beside each rule that is to be associated with the computer. If the rule is grayed out then the computer is a member of a group which is already associated with the rule. A computer can be associated with multiple rules, however only the highest prior[...]

  • Page 64

    64 CHAPTER 3: GETTING STARTED Displaying And Changing The Rules And MAC Address Associated With A Computer To display and change the rules and MAC addresses associated with a computer, follow these steps: 1 Either click on Computers in the Tree pane or if you have created Organizational Units to structure your computers, click on the organi[...]

  • Page 65

    Using The Network Administrator User Interface 65 7 Click OK. This completes displaying and changing the rules and MAC addresses associated with a computer. Creating A New Computer To add a computer to the system, you will need to use a tool such as the “Active Directory Users and Computers” administration tool. You cannot add computers th[...]

  • Page 66

    66 CHAPTER 3: GETTING STARTED Using The Operator User Interface Network Operators use the standard Active Directory Users and Computers interface, accessed from Programs>Administrative Tools>Active Directory Users and Computers. 3Com Network Access Manager adds a new tab, named Network Access, to the Properties pages for Users, Group[...]

  • Page 67

    Using The Operator User Interface 67 Figure 27 Changing Rules Associated With A User Table 11 Rules Tick Box For A User Tick Box Setting Meaning Black, not ticked The rule does not apply to this user Black, ticked The rule is applied to this user Grey, ticked The rule is applied to this user indirectly through the user’s membership of one or m[...]

  • Page 68

    68 CHAPTER 3: GETTING STARTED 4 Change the rules applied to a user by either ticking or removing the tick from rules that are black. To change a rule that is applied indirectly through a group, see “Displaying And Changing Rules Associated With A Group”. 5 Click OK This completes displaying and changing the rules associated with a user[...]

  • Page 69

    Using The Operator User Interface 69 Displaying And Changing The Rule Associated With A Computer To display and change the rules associated with a computer, follow these steps: 1 Click on Computers in the Tree pane. The Details pane on the right will list all of the computers that the Network Operator can manage. 2 Select a computer to view a[...]

  • Page 70

    70 CHAPTER 3: GETTING STARTED 4 You can change which of these rules are applied to a computer by either ticking or removing the tick from rules that are black. To change a rule that is applied indirectly through a group, see “Displaying And Changing Rules Associated With A Group”. 5 Click OK This completes displaying and changing the [...]

  • Page 71

    4 USING 3COM NETWORK ACCESS MANAGER WITHIN A NETWORK This chapter provides: ■ six case studies on how 3Com Network Access Manager can be set up to provide different levels of security on a network. Case Study Assumptions All of the case studies described in this chapter assume the following: ■ Microsoft’s Active Directory work in[...]

  • Page 72

    72 CHAPTER 4: USING 3COM NETWORK ACCESS MANAGER WITHIN A NETWORK Case Study 1 - Controlling User Access To The Network This case study describes the tasks that need to be performed in order to control user access to the network using IEEE 802.1X. This method of authentication is based on the user, and does not perform authentication of [...]

  • Page 73

    Case Study 1 - Controlling User Access To The Network 73 Network Operator Tasks The following provides an overview of the tasks for a network operator responsible for controlling user access to the network domain. On being informed that a specific user or group needs to be granted access to the network, use the Active Directory Users and Compu[...]

  • Page 74

    74 CHAPTER 4: USING 3COM NETWORK ACCESS MANAGER WITHIN A NETWORK What Happens When A User Logs In The following takes place when a user connects and logs into the network domain. 1 The user’s PC connects to the network and the user logs in with a username. 2 The IEEE 802.1X client on the PC sends the user’s ID and credentials to the[...]

  • Page 75

    Case Study 2 - Restricting Network Access To Known Computers 75 Case Study 2 - Restricting Network Access To Known Computers This case study describes the tasks that need to be performed in order to restrict network access to known computers, using MAC-address based authentication. It is an example of “block-by-default” or a white-list mode[...]

  • Page 76

    76 CHAPTER 4: USING 3COM NETWORK ACCESS MANAGER WITHIN A NETWORK 6 Associate the Authorized Computers rule created in step 3 with the group created in step 5. a Highlight the specific group in the Details pane, and right-click. Select Properties. b Select the Network Access tab from the Properties dialog window. c Tick the Authorized [...]

  • Page 77

    Case Study 2 - Restricting Network Access To Known Computers 77 5 Click OK and exit the Active Directory Users and Computers interface. On being informed that a specific PC needs to be denied access to the network, use the Active Directory Users and Computers interface to perform the following: 1 Either: click on Computers in the Tree pane, or if [...]

  • Page 78

    78 CHAPTER 4: USING 3COM NETWORK ACCESS MANAGER WITHIN A NETWORK Case Study 3 - Blocking A Specific PC From The Network This case study describes the tasks that need to be performed in order to block a specific PC from the network, using MAC-address based authentication. It is an example of a Blacklist mode in which all devices are allowed[...]

  • Page 79

    Case Study 3 - Blocking A Specific PC From The Network 79 When a PC needs to be blacklisted: 1 Enter the MAC address for the computer that needs to be blacklisted. For information on entering MAC addresses, see “Entering MAC Addresses For A Computer” in Chapter 3. 2 Associate the Blacklist rule with the computer, see “Associating Rules [...]

  • Page 80

A list of rules that the operator has permission to apply will be displayed.
4 Untick the Blacklist rule applied to the PC.
5 Click OK and exit the Active Directory Users and Computers interface.

What Happens
The following takes place when a PC connects to the network.
1 The P[...]

  • Page 81

Case Study 4 - Hot Desking
Combining Auto VLAN with IEEE 802.1X enables users to log in anywhere on the network and always have access to their own network (for example, the Engineering VLAN or the Marketing VLAN). This makes hot-desking viable, as users can change desks and still gain access to their network.

Network[...]

  • Page 82

select the VLAN ID, QoS profile and EFW policy (if appropriate) for each rule.
6 Associate the new rules with users and groups already listed in Active Directory.
7 Ensure the network operators or those individuals responsible for applying the rules have the Network Opera[...]

  • Page 83

a If the user is listed in Active Directory, and the new rule allowing access and assigning a VLAN and QoS profile has been applied to the user (or to a group that the user is a member of), IAS replies Accept with the VLAN ID and QoS profile for that user. The switch enables the port and configures the VLAN and QoS prof[...]

  • Page 84

Case Study 5 - Removing Infected Devices From The Network
Combining Auto VLAN with MAC-address based authentication enables infected PCs to be moved to a separate network until the network administrator has removed any viruses or worms.

Network Administrator Tasks
The f[...]

  • Page 85

When a PC needs to be isolated for the first time:
1 Enter the MAC address for the computer that needs to be removed from the network. For information on entering MAC addresses, see “Entering MAC Addresses For A Computer” in Chapter 3.
2 Associate the Isolation rule with the computer[...]

  • Page 86

What Happens
The following takes place when a PC connects to the network.
1 The switch passes the MAC address of the PC to IAS, which checks it against Active Directory.
a If the PC is on the Isolation list, IAS replies Accept with the VLAN ID of the Isolation Network. The switch enables the port and [...]

  • Page 87

Case Study 6 - Combining Hot Desking With Host Filtering
This case study describes the tasks that need to be performed in order to set up hot desking with the ability to filter out specific hosts. This configuration allows infected PCs to be isolated regardless of where the user has conn[...]

  • Page 88

When a PC needs to be isolated for the first time:
1 Enter the MAC address for the computer that needs to be removed from the network. For information on entering MAC addresses, see “Entering MAC Addresses For A Computer” in Chapter 3.
2 Associate the Isolation rule wi[...]

  • Page 89

What Happens When A User Logs In
The following takes place when a user connects and logs into the network domain.
1 The switch passes both the PC’s MAC address and the user’s credentials to IAS, which checks them against Active Directory.
2 If the Isolation rule has been applied to the PC, IAS replies Accept with the VLAN ID of the Isolatio[...]
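Every decision in Case Studies 2 to 6 comes down to one question: of the rules associated with the PC’s MAC address, with the user and with the user’s groups, which has the highest priority, and does it permit access and assign a VLAN? The Python program below is a worked example added to this page; it is not part of the manual and not 3Com’s software. It models that evaluation for the white-list (Case Study 2), blacklist (Case Study 3), isolation (Case Study 5) and hot desking with host filtering (Case Study 6) configurations. Where the manual is silent it assumes that a rule is either permit or deny, that a lower priority number means a higher priority, and that the Isolation rule is given the highest priority so that it overrides the user’s own rule. The MAC addresses, user and group names and VLAN IDs are constructed.

```python
"""Added example (not 3Com's code): the rule evaluation behind Case Studies 2 to 6.

Assumptions, where the manual is silent: a rule is "permit" or "deny"; the
highest-priority rule associated with the PC, the user or the user's groups
wins; a lower priority number means a higher priority; Isolation outranks
everything. MACs, users, groups and VLAN IDs are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                     # assumption: 1 is the highest priority
    access: str                       # "permit" or "deny"
    vlan_id: Optional[int] = None     # Auto VLAN returned on Accept
    qos_profile: Optional[str] = None

@dataclass(frozen=True)
class Decision:
    code: str                         # "Access-Accept" or "Access-Reject"
    rule: str
    vlan_id: Optional[int] = None
    qos_profile: Optional[str] = None

def normalize_mac(raw: str) -> str:
    """Accept 00:1e:c1:..., 00-1E-C1-... or 001ec1...; Chapter 5 names a
    mis-entered MAC as the usual reason the expected rule is not applied."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

class Directory:
    """Stand-in for the rule associations NAM stores against AD objects."""
    def __init__(self, default_rule: Rule) -> None:
        self.default_rule = default_rule
        self.computer_rules: Dict[str, Set[Rule]] = {}
        self.user_rules: Dict[str, Set[Rule]] = {}
        self.group_rules: Dict[str, Set[Rule]] = {}
        self.groups_of: Dict[str, Set[str]] = {}

    def associate_computer(self, mac: str, rule: Rule) -> None:
        self.computer_rules.setdefault(normalize_mac(mac), set()).add(rule)

    def dissociate_computer(self, mac: str, rule: Rule) -> None:
        """The 'Untick the rule' step of Case Studies 3 and 5."""
        self.computer_rules.get(normalize_mac(mac), set()).discard(rule)

    def associate_user(self, user: str, rule: Rule) -> None:
        self.user_rules.setdefault(user, set()).add(rule)

    def associate_group(self, group: str, rule: Rule) -> None:
        self.group_rules.setdefault(group, set()).add(rule)

    def add_member(self, user: str, group: str) -> None:
        self.groups_of.setdefault(user, set()).add(group)

def decide(d: Directory, mac: str, user: Optional[str] = None) -> Decision:
    """IAS's answer for a PC alone (MAC-based) or a PC plus an IEEE 802.1X user login."""
    candidates: Set[Rule] = set(d.computer_rules.get(normalize_mac(mac), set()))
    if user is not None:
        candidates |= d.user_rules.get(user, set())
        for group in d.groups_of.get(user, set()):
            candidates |= d.group_rules.get(group, set())
    rule = min(candidates, key=lambda r: r.priority) if candidates else d.default_rule
    if rule.access == "deny":
        return Decision("Access-Reject", rule.name)
    return Decision("Access-Accept", rule.name, rule.vlan_id, rule.qos_profile)

# Rules and priorities chosen for this example.
ISOLATION = Rule("Isolation", 1, "permit", vlan_id=999)
BLACKLIST = Rule("Blacklist", 2, "deny")
AUTHORIZED = Rule("Authorized Computers", 3, "permit")
ENGINEERING = Rule("Engineering", 3, "permit", vlan_id=10, qos_profile="engineering")
DENY_BY_DEFAULT = Rule("Default Rule", 99, "deny")
PERMIT_BY_DEFAULT = Rule("Default Rule", 99, "permit")
KNOWN_PC, OTHER_PC = "00-1E-C1-00-00-01", "00:1e:c1:00:00:02"   # constructed

def whitelist_directory() -> Directory:      # Case Study 2: block by default
    d = Directory(DENY_BY_DEFAULT)
    d.associate_computer(KNOWN_PC, AUTHORIZED)
    return d

def blacklist_directory() -> Directory:      # Case Studies 3 and 5: allow by default
    d = Directory(PERMIT_BY_DEFAULT)
    d.associate_computer(OTHER_PC, BLACKLIST)
    return d

def hot_desking_directory() -> Directory:    # Case Studies 4 and 6
    d = Directory(DENY_BY_DEFAULT)
    d.associate_group("Engineering", ENGINEERING)
    d.add_member("alice", "Engineering")
    d.associate_computer(OTHER_PC, ISOLATION)   # host filtering: OTHER_PC is infected
    return d
```

Two things the example makes visible. normalize_mac accepts every separator style because a MAC typed in a different format from the one the switch reports is the usual reason a rule is not applied (see Chapter 5). And the approach has a limit the manual does not spell out: MAC-based authentication identifies an adapter, not a person, and a host can present whatever MAC address it likes, so a white-list or blacklist built on it keeps out the careless rather than the determined; only the IEEE 802.1X login of Case Study 4 actually authenticates a user.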

  • Page 91

5 PROBLEM SOLVING
This chapter covers:
■ checking the Windows Event Viewer for obvious problems,
■ resolving problems related to setting up 3Com Network Access Manager.

Checking the Event Viewer
If you experience network access or RADIUS authentication problems on your network, first check the Windows Event Viewer to see whether t[...]

  • Page 92

Figure 29 System Event Log
Figure 30 3Com Network Access Manager Authorization Log[...]

  • Page 93

Figure 31 Event detail

Identifying Where The Problem Lies
3Com Network Access Manager is dependent on IAS. A problem with 3Com Network Access Manager may be caused by an underlying issue with IAS. If that is the case then it will be IAS that logs an event and not 3Com Network Access Manager. In these instances you sho[...]

  • Page 94

Problems Related to Setting Up
This section details possible problems that you might experience when setting up and using 3Com Network Access Manager. Each problem is described by a symptom, an explanation of the cause of the problem and a suggestion on what to do to remedy the problem. The problems are listed i[...]

  • Page 95

Clicking on Rules in the Tree pane displays an empty Display pane.
Note: After correct installation the Default Rule will always be shown in the Display pane.
Either: The Active Directory component for 3Com Network Access Manager has not been installed on an Active Directory server in the network domain.
Or: Cha[...]

  • Page 96

On a PC used by a Network Operator, selecting Active Directory Users and Computers, then right-clicking Users or Computers in the Tree pane and selecting Properties does not display a Network Access tab.
The Operator User Interface component has not been installed on the Network Operator’s PC. Check that the N[...]

  • Page 97

The expected rules for a computer are not applied.
The computer’s MAC address has not been entered correctly into 3Com Network Access Manager. Follow the steps in “Entering MAC Addresses For A Computer” in Chapter 3.
An event shown in the System event log displays the message: “Computer-Name = <unknown>[...]
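Chapter 5 gives three first-pass checks: start with the Event Viewer; remember that a failure inside IAS is logged by IAS and not by 3Com Network Access Manager; and treat “Computer-Name = <unknown>” in an authorization-log event as a MAC address that was not entered correctly. The Python program below is a worked example added to this page (not a 3Com tool) that applies those checks to an exported log. The sample records are constructed: they use the “Key = Value” message style the manual quotes, but the export format (one record per line, Source and Message separated by a tab), the field names other than Computer-Name, and the event wording are assumptions, so adapt parse_export to whatever your export actually looks like.

```python
"""Added example (not a 3Com tool): first-pass triage of exported Event Viewer records.

Assumptions: one record per line as "Source<TAB>Message"; message bodies carry
"Key = Value" pairs; the sources are "IAS" and "3Com Network Access Manager".
The sample export is constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample export: three records, one per line.
SAMPLE_EXPORT = (
    "IAS\tUser 00-1E-C1-00-00-02 was denied access. Client-Friendly-Name = switch1 "
    "Calling-Station-Identifier = 00-1E-C1-00-00-02 "
    "Reason = The connection attempt did not match any remote access policy.\n"
    "3Com Network Access Manager\tAuthorization failed. Computer-Name = <unknown> "
    "Calling-Station-Identifier = 00-1E-C1-00-00-03 Rule = Default Rule\n"
    "3Com Network Access Manager\tAuthorization succeeded. Computer-Name = ENG-PC-01 "
    "Calling-Station-Identifier = 00-1E-C1-00-00-01 Rule = Authorized Computers VLAN-ID = 10\n"
)

# "Key = Value", where the value runs until the next "Key = " or the end of the message.
FIELD = re.compile(r"([A-Za-z][\w-]*) = (.*?)(?=\s+[A-Za-z][\w-]* = |$)")

def normalize_mac(raw: str) -> str:
    """Canonical form so the switch's format and the operator's format compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def parse_fields(message: str) -> Dict[str, str]:
    """Extract the 'Key = Value' pairs from an event message body."""
    return {key: value.strip() for key, value in FIELD.findall(message)}

def parse_export(text: str) -> List[Tuple[str, str, Dict[str, str]]]:
    """(source, message, fields) per non-empty line of the export."""
    records = []
    for line in text.splitlines():
        if line.strip():
            source, _, message = line.partition("\t")
            records.append((source, message, parse_fields(message)))
    return records

def triage(export_text: str, entered_macs: List[str]) -> List[Dict[str, object]]:
    """Apply Chapter 5's checks; one finding per record that needs attention."""
    entered = {normalize_mac(m) for m in entered_macs}
    findings: List[Dict[str, object]] = []
    for source, message, fields in parse_export(export_text):
        station = fields.get("Calling-Station-Identifier")
        mac = normalize_mac(station) if station else None
        if source == "IAS":
            # NAM depends on IAS: a request that fails inside IAS is logged by IAS,
            # and the NAM rules were never consulted for it.
            findings.append({
                "layer": "IAS", "mac": mac,
                "cause": fields.get("Reason", message),
                "action": "Resolve the IAS problem first (for example the Remote Access "
                          "Policy of Appendix A); NAM rules are not reached until IAS "
                          "processes the request.",
            })
        elif fields.get("Computer-Name") == "<unknown>":
            was_entered = mac in entered
            findings.append({
                "layer": "NAM", "mac": mac, "entered": was_entered,
                "cause": ("MAC address is in the operator's list but did not match: "
                          "check the format it was entered in" if was_entered
                          else "MAC address has not been entered for this computer"),
                "action": "Follow 'Entering MAC Addresses For A Computer' in Chapter 3.",
            })
    return findings
```

The second argument to triage is the list of MAC addresses the operators believe they entered; comparing it against the <unknown> events separates “never entered” from “entered in a format NAM did not match”, which is the distinction the remedy in Chapter 3 turns on.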

  • Page 98

The Network Access tab, accessible by right-clicking Users, Groups or Computers in the Tree pane and selecting Properties, does not show the actual rule being applied to the user, group or computer.
You may not have been granted read permission for the rule which is actually being applied to the user, group or comp[...]

  • Page 99

Incorrect EFW Policy is used for an EFW user.
Either: Active Directory has not been updated with changes which affect the EFW Policy applied to the user.
Or: There is a mismatch in configuration between Active Directory and the EFW Policy Server.
Or: The EFW Policy has not been entered into 3Com Network Access Man[...]

  • Page 101

A CREATING A REMOTE ACCESS POLICY
For 3Com Network Access Manager to authenticate users and computers accessing the network, an IAS Remote Access Policy must first be created. This appendix provides step-by-step instructions on creating an IAS remote access policy; refer to section:
■ Using Microsoft Windows 2000 Server Operating System
■ [...]

  • Page 102

2 Right-click Remote Access Policies in the Tree pane and select New Remote Access Policy, see Figure 33.
Figure 33 New Remote Access Policy
3 Type the name of the new policy, see Figure 34. Click Next.
Figure 34 Add A New Remote Access Policy[...]

  • Page 103

You now need to add a condition that will cause the Remote Access Policy to run.
4 On the Conditions dialog, click Add. On the Select Attribute dialog select Client-Vendor and click Add, see Figure 35.
Figure 35 Selecting Attributes for Remote Access Policy
5 Highlight 3Com in the Availab[...]

  • Page 104

Figure 36 Selecting 3Com as Client-Vendor for Remote Access Policy
6 On the Conditions dialog, Figure 37, click Next.
Figure 37 Setting Policy Conditions on Remote Access Policy[...]

  • Page 105

7 On the Permissions dialog, Figure 38, select Grant remote access permission and click Next.
Figure 38 Granting Remote Access Permission[...]

  • Page 106

8 You now need to specify the profiles of the users who match the condition you have specified. Click the Edit Profile button, see Figure 39.
Figure 39 Editing the Profile[...]

  • Page 107

9 Select the Authentication tab, and select Encrypted authentication (CHAP) and Unencrypted authentication (PAP, SPAP), see Figure 40, according to your network security policy and the devices on your network.
Figure 40 Selecting Encryption Methods
Ensure that the EAP type selected for the[...]

  • Page 108

10 Select the Advanced tab and click Add, see Figure 41.
Figure 41 Editing the Dial-in Profile[...]

  • Page 109

11 Select Vendor-Specific from the list of RADIUS attributes and click Add, see Figure 42.
Figure 42 Adding Vendor-Specific Attributes[...]

  • Page 110

12 On the Multivalued Attribute Information dialog, see Figure 43, click Add.
Figure 43 Multivalued Attribute Information Dialog[...]

  • Page 111

13 Select 3Com from the pull-down list, select Yes. It conforms, and click Configure Attribute, see Figure 44.
Figure 44 Configuring Vendor-Specific Attribute[...]

  • Page 112

14 Type 9 as the Vendor assigned value, select Decimal as the Attribute format, and type 1 as the Attribute value. See Figure 45. Click OK.
Figure 45 Vendor Assigned Attributes for 3Com
15 Click OK to close the Vendor-Specific Attribute Information dialog.
16 Click OK to close the Multiv[...]

  • Page 113

20 After viewing the Online Help, click Finish. The remote access policy that you have just created will be added to the list of policies, see Figure 47.
Figure 47 New Remote Access Policy Added to List
21 Select the new remote access policy from the list in the Detail pane. Use the ( bu[...]

  • Page 114

Using Microsoft Windows Server 2003 Operating System
Follow these steps to create a new remote access policy within IAS using the Microsoft Windows Server 2003 Operating System.
1 Select Programs>Administrative Tools>Internet Authentication Service.
Figure 48 IAS Main Window
2 Right-click[...]

  • Page 115

Figure 49 New Remote Access Policy
3 The New Remote Access Policy Wizard will be displayed, Figure 50. Select Next.[...]

  • Page 116

Figure 50 New Remote Access Policy Wizard
4 Select Set up a custom policy and type the name of the policy. Click Next.[...]

  • Page 117

Figure 51 Set Up A Custom Policy
You now need to add a condition that will cause the Remote Access Policy to run.
5 On the Policy Conditions dialog, click Add. On the Select Attribute dialog select Client-Vendor and click Add, see Figure 52.[...]

  • Page 118

Figure 52 Selecting Attributes for Remote Access Policy
6 Highlight 3Com in the Available types list and use the Add>> button to move 3Com to the Selected types list, see Figure 53. Click OK.[...]

  • Page 119

Figure 53 Selecting 3Com as Client-Vendor for Remote Access Policy
7 On the Policy Conditions dialog, Figure 54, click Next.
Figure 54 Setting Policy Conditions on Remote Access Policy[...]

  • Page 120

8 On the Permissions dialog, Figure 55, select Grant remote access permission and click Next.
Figure 55 Granting Remote Access Permission[...]

  • Page 121

9 You now need to specify the profiles of the users who match the condition you have specified. Click the Edit Profile button, see Figure 56.
Figure 56 Editing the Profile[...]

  • Page 122

10 Select the Authentication tab, and select both Encrypted authentication (CHAP) and Unencrypted authentication (PAP, SPAP), see Figure 57, according to your network security policy and the devices on your network.
Figure 57 Selecting Encryption Methods
Ensure that the EAP type selected for [...]

  • Page 123

11 Select the Advanced tab and click Add, see Figure 58.
Figure 58 Editing the Dial-in Profile[...]

  • Page 124

12 Select Vendor-Specific from the list of RADIUS attributes and click Add, see Figure 59.
Figure 59 Adding Vendor-Specific Attributes[...]

  • Page 125

13 On the Multivalued Attribute Information dialog, see Figure 60, click Add.
Figure 60 Multivalued Attribute Information Dialog[...]

  • Page 126

14 Select 3Com from the pull-down list, select Yes. It conforms, and click Configure Attribute, see Figure 61.
Figure 61 Configuring Vendor-Specific Attribute[...]

  • Page 127

15 Type 9 as the Vendor assigned value, select Decimal as the Attribute format, and type 1 as the Attribute value. See Figure 62. Click OK.
Figure 62 Vendor Assigned Attributes for 3Com
16 Click OK to close the Vendor-Specific Attribute Information dialog.
17 Click OK to close the M[...]

  • Page 128

21 After viewing the Online Help, click Finish. The remote access policy that you have just created will be added to the list of policies, see Figure 64.
Figure 64 New Remote Access Policy Added to List
22 Select the new remote access policy from the list in the Detail pane. Use the ( buttons[...]
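Steps 10 to 17 above (and steps 9 to 16 of the Windows 2000 procedure) determine what the RADIUS conversation between a 3Com switch and IAS contains. The Python program below is a worked example added to this page; it is not taken from the manual, from 3Com or from Microsoft. It builds the Access-Request a switch doing MAC-based authentication sends (User-Name and a PAP User-Password both carrying the MAC address, which is common switch behaviour assumed here rather than stated by the manual), then the Access-Accept IAS returns with the Auto VLAN attributes of RFC 3580 (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE 802, Tunnel-Private-Group-ID = the VLAN ID) and the vendor-specific attribute of step 15 (vendor-assigned number 9, decimal value 1), and finally verifies the Response Authenticator the way a switch should before trusting the VLAN it has been told to use. It assumes that the “3Com” entry in the IAS vendor list corresponds to IANA enterprise number 43; the shared secret, NAS address, MAC address and Request Authenticator are constructed.

```python
"""Added example (not 3Com's or Microsoft's code): the RADIUS exchange behind Appendix A.

Assumptions: the switch sends the MAC as User-Name and as a PAP User-Password
(common switch behaviour, not stated by the manual); 3Com's IANA enterprise
number is 43; secret, NAS address, MAC and authenticator are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81   # RFC 2868 / 3580
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
VENDOR_3COM = 43   # assumption: the enterprise number behind IAS's "3Com" vendor entry

def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (counts the 2 header octets), Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value

def pap_encrypt(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-octet blocks; c(i) = p(i) XOR MD5(secret + c(i-1)), c(0) = RA."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_decrypt(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """The server side of pap_encrypt; trailing NULs are padding and are stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(mac: str, secret: bytes, ident: int, nas_ip: str,
                         request_auth: bytes = b"") -> bytes:
    """What a switch doing MAC-based authentication sends when a port comes up."""
    request_auth = request_auth or os.urandom(16)
    user = mac.encode()
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, pap_encrypt(user, secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_access_accept(request: bytes, secret: bytes, vlan_id: int) -> bytes:
    """IAS's reply when a permit rule with an Auto VLAN matched (Case Studies 4 to 6)."""
    ident, request_auth = request[1], request[4:20]
    tag = b"\x00"   # RFC 2868 tag octet, 0 = untagged; the string form is sent without one
    attrs = (attr(TUNNEL_TYPE, tag + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
             + attr(TUNNEL_MEDIUM_TYPE, tag + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
             + attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode())
             # Step 15: vendor 3Com, vendor-assigned number 9, decimal value 1
             + attr(VENDOR_SPECIFIC, struct.pack("!IBB", VENDOR_3COM, 9, 6) + (1).to_bytes(4, "big")))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def parse_attrs(data: bytes) -> list:
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        atype, alen = data[i], data[i + 1]
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out

def verify_and_decode_accept(response: bytes, request: bytes, secret: bytes) -> dict:
    """What the switch must check before it moves the port into the VLAN it was told."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        raise ValueError("length or identifier does not match the outstanding request")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: forged reply or wrong shared secret")
    result = {"code": code, "vlan_id": None, "vsa": []}
    for atype, value in parse_attrs(response[20:]):
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            text = value[1:] if value[0] <= 0x1F else value   # strip a tag octet if present
            result["vlan_id"] = int(text.decode())
        elif atype == VENDOR_SPECIFIC:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            result["vsa"].append((vendor, vtype, int.from_bytes(value[6:4 + vlen], "big")))
    return result

def accepts(response: bytes, request: bytes, secret: bytes) -> bool:
    """True only if the reply verifies and is an Access-Accept."""
    try:
        return verify_and_decode_accept(response, request, secret)["code"] == ACCESS_ACCEPT
    except ValueError:
        return False
```

Two points worth keeping in mind when you choose CHAP and PAP on the Authentication tab (step 10). PAP’s User-Password is only XOR-masked with an MD5 stream derived from the shared secret and the Request Authenticator, so anyone on the path between switch and IAS who knows or guesses the secret can recover it; that matters little when the “password” is a MAC address, and a great deal if a real user password ever travels that way. And the Response Authenticator is the only thing that stops a forged Access-Accept from putting a port into a VLAN of the attacker’s choosing, which is why the example refuses a reply whose authenticator does not verify and why the shared secret deserves the same care as any other credential.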

  • Page 129

B OBTAINING SUPPORT FOR YOUR 3COM PRODUCTS
3Com offers product registration, case management, and repair services through eSupport.3com.com. You must have a user name and password to access these services, which are described in this appendix.

Register Your Product to Gain Service Benefits
To take advantage of warranty and other servic[...]

  • Page 130

Purchase Extended Warranty and Professional Services
To enhance response times or extend your warranty benefits, you can purchase value-added services such as 24x7 telephone technical support, software upgrades, onsite assistance, or advanced hardware replacement. Experienced engin[...]

  • Page 131

Telephone Technical Support and Repair
To obtain telephone support as part of your warranty and other service benefits, you must first register your product at: http://eSupport.3com.com/
When you contact 3Com for assistance, please have the following information ready:
■ Product model name, part number, and serial number
■ A[...]

  • Page 132

Europe, Middle East, and Africa — Telephone Technical Support and Repair
From anywhere in these regions, call: +44 (0)1442 435529
From the following countries, call the appropriate number:
Austria, Belgium, Denmark, Finland, France, Germany, Hungary, Ireland, Israel, Italy
01 7956 7124 070[...]

  • Page 133

INDEX
Numerics
3Com Enterprise Management Suite 23
3Com Knowledgebase tool 129
3Com Network Access Manager
  authorization log 91
  before setting up 37
  changing installation 30
  devices supported 18
  edge port security modes 18
  installation 24
  interfaces 11
  network administrator responsibilities 11
  network operator responsibilities 12
  online help 70 [...]

  • Page 134

Express services contract 130
extended warranty options 130
G
group
  associating rules 58
  changing associated rules 59
  view 57
Guardian services contract 130
H
hot desking 81
  network access 81
  with host filtering 87
I
IAS Remote Access Policy 23
installation
  checks 25
  components 25
Internet Authentication Service component installation 24[...]

  • Page 135

  changing members 52
  changing priorities 51
  changing properties 52
  controlling permissions to apply 51
  creating 47
  Default Rule 16
  deleting 50
  displaying members 52
  highest priority 16
  network access setting 16
  priority 16
  view 46
  what is 15
S
screen shots 7
sending products to 3Com for repair 131
service benefits 129, 131
services, repair [...]
