HP (Hewlett-Packard) 700wl Series manual

Table of contents for the manual

  • Page 1

    www.hp.com/go/hpprocurve HP ProCurve Secure Access 700wl Series Management and Configuration Guide[...]

  • Page 2

    [...]

  • Page 3

    HP PROCURVE SECURE ACCESS 700WL SERIES MANAGEMENT AND CONFIGURATION GUIDE[...]

  • Page 4

    © Copyright 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another lang[...]

  • Page 5

    CONTENTS Preface Chapter 1 Introduction 700wl Series Overview 700wl Series Functions Client Authentication Client Access Rights Wireless Data Privacy and VPN Protocols Roaming Support Network Address Translation VLAN Tag Support Chapter 2 Using the 700wl Series System Initial Configuration o[...]

  • Page 6

    Chapter 3 System Status Viewing Status Information Viewing Equipment Status Viewing Access Control Server Status Viewing Access Controller Status Viewing Access Controller Status Details Viewing Client Status Filtering Client Status Information Viewing Client Details Viewing Session Status[...]

  • Page 7

    Modifying the Outside World Filter to Restrict Access Setting Up HTTP Proxy Filters Chapter 5 Configuring Authentication Authentication in the 700wl Series System The Rights Manager Authentication Policies Creating or Editing an Authentication Policy Configuring Authentication Services Configuring[...]

  • Page 8

    SSL Certificate Configuring Network Interfaces Configuring the Port Speed and Duplex Settings Port Subnet IP Address and Subnet Netmask Configuring SNMP Setting the Date and Time Setting Up Administrators Editing an Administrator's Settings Editing Your Administrator Password Chapter 7 [...]

  • Page 9

    Appendix A Command Line Interface Accessing the Command Line Interface Connecting with a Serial Console Connecting Using SSH Using the CLI on an Integrated Access Manager Command Syntax Getting CLI Command Help Administrator Access Control Commands System Status and Information Commands Network Configurat[...]

  • Page 10

    Appendix D Appendix E Index of Commands Index Optional Elements C-5 Logon Page Template — A More Advanced Example C-7 Example 2 C-7 Changing the Logon Button Names C-10 Example 3 C-11 Customizing the Logon Page Messages C-12 Guest Registration Template C-13 Example 4 C-14 Using a Logoff Pop-Up with [...]

  • Page 11

    PREFACE This preface describes the audience, use, and organization of the Management and Configuration Guide. It also outlines the document conventions, safety advisories, compliance information, related documentation, support information, and revision history. Audience The primary audie[...]

  • Page 12

    The following notices and icons are used to alert you to important information. Table 2. Notices Icon Notice Type Alerts you to... None Note Helpful suggestions or information of special importance in certain situations. None Caution Risk of system functionality loss or data loss. Warning Risk of pers[...]

  • Page 13

    Chapter 6 – Configuring the Network This chapter describes how to configure the 700wl Series system components so that they work with your enterprise network. Chapter 7 – Setting up Wireless Data Privacy This chapter describes how to enforce security using IPSec, L2TP, and PPTP. Chapter 8 – Sy[...]

  • Page 14

    Index of Commands The Index of Commands is an alphabetized list of the CLI commands with references to the pages where they are documented. Related Publications There are several other publications related to the 700wl Series that may be useful: • 700wl Series Software Release Notes provides the most up-to[...]

  • Page 15

    1 INTRODUCTION This chapter provides a brief introduction to the 700wl Series system and its primary features. The topics covered in this chapter include: 700wl Series Overview 1-1 700wl Series Functions[...]

  • Page 16

    Introduction Figure 1-1 illustrates a 700wl Series system topology that is configured with redundant Access Control Servers for failover. Figure 1-1. 700wl Series topology (labels: Access Controller, Access Control Server, Access Controller, Internet, Redundant Access Control Server, Guest, Employees, Untrusted User, Em[...])

  • Page 17

    Clients that are successfully authenticated, Employees in Figure 1-1, are typically associated with Access Policies that provide access to secure network resources. Clients that are not successfully authenticated, Untrusted Users, are typically associated with an Access Policy that [...]

  • Page 18

    • RADIUS servers • Kerberos services • XML-RPC-based services • The Rights Manager's built-in database. This is the default authentication service. You can populate it with user names and passwords through the Rights Manager. User Authentication is discussed in detail in Chapter 5, Configu[...]

  • Page 19

    Because the 700wl Series system identifies clients by MAC address, it is simple to detect when a device roams. A Linger Timeout determines the length of time a client has to complete a roam, that is, to appear at a new physical location after disappearing from the old physical location. The setting[...]
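An added example (Python; not code from the HP manual or the 700wl product) of the roaming rule the page above describes: sessions are keyed on the client MAC address, and a client that vanishes from one Access Controller and reappears at another is treated as a roam only if it does so within the Linger Timeout; after that the old session is gone and the reappearance is a new one. The class and method names, the 30-second timeout, and the MAC and location strings are constructed for the illustration.

```python
"""Roam detection keyed on client MAC with a Linger Timeout.

Added example, not code from the HP 700wl manual or product. Names, the
timeout value and the sample addresses below are this example's assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ClientState:
    location: str                        # Access Controller/port where last seen
    last_seen: float                     # simulation clock, seconds
    gone_since: Optional[float] = None   # set when the client disappears


class RoamTracker:
    def __init__(self, linger_timeout: float) -> None:
        self.linger_timeout = linger_timeout
        self.clients: Dict[str, ClientState] = {}

    def seen(self, mac: str, location: str, now: float) -> str:
        """Record a client appearing at `location`; classify the event."""
        mac = mac.lower()
        st = self.clients.get(mac)
        if st is None:
            self.clients[mac] = ClientState(location, now)
            return "new"
        if st.location == location:
            st.last_seen, st.gone_since = now, None
            return "same"
        # Seen somewhere else: a roam only if the move completed within the
        # linger window, measured from when it vanished from the old location.
        gone_at = st.gone_since if st.gone_since is not None else st.last_seen
        if now - gone_at <= self.linger_timeout:
            st.location, st.last_seen, st.gone_since = location, now, None
            return "roamed"
        self.clients[mac] = ClientState(location, now)   # old session lapsed
        return "expired"

    def disappeared(self, mac: str, now: float) -> None:
        """The client stopped being seen at its current location."""
        st = self.clients.get(mac.lower())
        if st is not None and st.gone_since is None:
            st.gone_since = now

    def expire(self, now: float) -> List[str]:
        """Drop clients whose linger window has lapsed; return their MACs."""
        lapsed = [m for m, st in self.clients.items()
                  if st.gone_since is not None
                  and now - st.gone_since > self.linger_timeout]
        for m in lapsed:
            del self.clients[m]
        return lapsed


def simulate(linger_timeout: float = 30.0) -> List[str]:
    """Constructed event sequence: one client moving between two Access Controllers."""
    mac = "00:11:22:33:44:55"   # constructed sample address
    t = RoamTracker(linger_timeout)
    events = [t.seen(mac, "AC-1/slot1/port1", 0.0)]
    t.disappeared(mac, 10.0)
    events.append(t.seen(mac, "AC-2/slot1/port3", 25.0))    # 15 s gap: roam
    t.disappeared(mac, 30.0)
    events.append(t.seen(mac, "AC-1/slot1/port1", 100.0))   # 70 s gap: expired
    return events


if __name__ == "__main__":
    print(simulate())   # ['new', 'roamed', 'expired']
```

Because the MAC address is the session key, the linger window is also the period during which any station presenting that MAC at another location is treated as the roamed client, so set it no longer than a real roam in your environment needs.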

  • Page 20

    Addressing in the 700wl Series System in Chapter 2, and Chapter 4, Configuring Rights, include more extensive discussions of addressing considerations and NAT. VLAN Tag Support The HP system provides support for Virtual LAN (VLAN) tagging in several ways: • A client can be matched to a Connecti[...]

  • Page 21

    2 USING THE 700WL SERIES SYSTEM This chapter provides a brief introduction to using the 700wl Series system and its Administrative Console. It also provides an overview and discussion of a number of common tasks you may need to accomplish. The topics covered in this chapter include: Initial Configuration of the 7[...]

  • Page 22

    Using the 700wl Series System • Primary and secondary DNS server addresses • Shared secret, used to enable Access Controllers or a peer Access Control Server to establish a trusted communication relationship with the Access Control Server. This is actually an optional item in the initial ins[...]

  • Page 23

    The 700wl Series system provides three levels of administrator access: • A Network Administrator can configure the network parameters that enable the 700wl Series system to function in a network, such as configuring IP addressing, interface configuration, date a[...]

  • Page 24

    • Enable or disable Wireless Data Privacy protocols, configure the address method and range for VPN tunneling, and configure IPSec parameters • Update the 700wl Series system software • Back up a 700wl Series system component's configuration, and restore the b[...]

  • Page 25

    Note: It is strongly recommended that you change the built-in administrator logon name and password as soon as possible. You should also set the date and time for each 700wl Series system component (Access Control Server, Integrated Access Manager, and Access Controller[...]

  • Page 26

    Related Topics links: these are presented at the top of the page, or they can be accessed from a Related Topics menu displayed using the Related Topics button — Links within the page contents — Table of Contents and Index, accessed through the navigation pan[...]

  • Page 27

    Using the Administrative Console When you first log on to the Administrative Console, your browser displays the Equipment Status tab of the Status pages (Figure 2-3). Figure 2-3. Initial Page of the Administrative Console (labels: Tabs, Header Bar, Page Title, Left Panel, Sub-Tab Na[...])

  • Page 28

    Figure 2-4. Header and Navigation Bars for an Access Control Server Information at the right side of the Header bar shows the username of the logged-in Administrator, the IP address of the Access Control Server, and the current date and time. • If the IP address is labeled[...]

  • Page 29

    For details, refer to Chapter 4, Configuring Rights and Chapter 5, Configuring Authentication. Network The Network pages enable configuration of the 700wl Series system components to work with your enterprise network. Most pages in this area are available to Super Administ[...]

  • Page 30

    Navigation buttons and their pages: Status (Equipment Status, Client Status); Rights (Rights Setup, Identity Profiles); Network (System Components, Network Setup); VPN (Wireless Data Privacy Setup, Certificates); Maintenance (Software Setup, Backup & Re[...]); Logs (Log Files, Logging Setup)[...]

  • Page 31

    Left Panel The left panel contains explanatory or descriptive text about the page and its functions. It also contains controls for the features of the page, and navigation aids. The specific controls in the left panel depend on the function of the page. The lef[...]

  • Page 32

    Display Filters and Auto Refresh Settings Some data, such as the contents of the log, can be very lengthy. To control the display of such information you can use filters to selectively display subsets of the total information. Figure 2-8. Display Filters and Auto Refresh S[...]

  • Page 33

    Tables In configuration tables, each row in a table typically displays the key items that define the element represented by the table row. For example, rows in the Rights Assignment table show the Identity Profile, Connection Profile, and Access Policy that define the Rig[...]

  • Page 34

    Figure 2-10. Data Tables (sortable column) • Sortable Column Headings In some tables you can sort the items in the table based on the table columns. Column headings that allow sorting appear as a link when the cursor is rolled over the column name, as shown in Figure 2-10.[...]

  • Page 35

    Common Buttons The following table lists the common buttons used in the Administrative Console and gives their meaning. Table 2-1. Administrative Console Buttons Button Function Folder: This represents a user-defined folder for system components. Folders can be opened[...]

  • Page 36

    Basic System Configuration Tasks When you have completed the installation of your 700wl Series system following the instructions in the 700wl Series system Quick Start Guide or the 700wl Series system Installation and Getting Started Guide for the components in your system[...]

  • Page 37

    System Features and Concepts The following sections provide an introduction to some of the key concepts and functions that are central to the 700wl Series system. Many of these concepts are discussed in more detail in the appropriate chapters later in this Guide. Howev[...]

  • Page 38

    Figure 2-12. Access Controller Redirect Page Enterprise Class Redundancy The 700wl Series system supports Access Control Server redundancy and failover. Access Control Server failover provides high-availability operation for clients in case of system outages, ne[...]

  • Page 39

    The communication between the two peer Access Control Servers is done via a proprietary message-based protocol over TCP/IP. Upon restart, an Access Controller attempts to communicate with the primary Access Control Server. If that fails, the Access Controller[...]

  • Page 40

    or has some other configuration information you would prefer not to lose. The act of making it a secondary Access Control Server in an active redundant peer relationship will cause its configuration to be overwritten by the Primary Access Control Server configurat[...]

  • Page 41

    If a client is logged onto the 700wl Series system using PPTP or IPSec encryption, overhead related to packet encryption can reduce the actual throughput experienced relative to the specified throughput. If encrypted traffic is tunneled between Access Managers due to client r[...]

  • Page 42

    You specify the addressing mode for a client through the Access Policy. The 700wl Series system default is NAT mode. Note: If PPTP or L2TP is enabled in the Access Policy, then the NAT setting only affects how the inner tunnel address is assigned. The outer tunnel address i[...]

  • Page 43

    Controller. If the client is using a real IP address, all sessions must be tunneled back through the original Access Controller. • NAT provides some amount of protection to a client since no device other than the Access Controller can talk directly to the client. Thi[...]

  • Page 44

    How the 700wl Series system handles roamed sessions depends on the protocol used by the client to connect to the 700wl Series system, and whether the client's IP address has been mapped using NAT or not. • When a NAT'ed client roams between Access Controllers (rath[...]

  • Page 45

    Figure 2-13. Connection Profile for Traffic Tagged with VLAN 10 You can then define an Access Policy that should apply to these clients and create a new row in the Rights table that associates the Access Policy with the VLAN-specific Connection Profile. For the purpose [...]

  • Page 46

    In this case, Authenticated clients with a VLAN 20 tag will match the first row in the table, and will receive access rights based on the Access Policy created for members of that VLAN. Authenticated clients in VLAN 10 will not match the first row, but will match t[...]

  • Page 47

    • Create a variation of the default "Unauthenticated" Access Policy that includes the same access rights (which basically only allow a client to request authentication) but set the NAT option to When Necessary and the addressing option to Require DHCP. In th[...]

  • Page 48

    One way to work with this limitation is to place a switch between the Access Points and the Access Controller, with a separate connection between the switch and the Access Controller for each VLAN. The switch can use the SSID to determine the port to use to send traffic to the Acce[...]

  • Page 49

    3 SYSTEM STATUS This chapter explains how to view the system status tables of the 700wl Series system. You can view the status of any and all system equipment (Access Controllers and Access Control Servers), clients (users, identified either by username and password or by MAC address), and sessions. You c[...]

  • Page 50

    System Status Figure 3-1. Getting to Status Information There are four tabs in the status module: • Equipment Status presents an overview of the status of the Access Control Servers and Access Controllers. From this page you can view a more detailed status for each Access Controller. • Client Status p[...]

  • Page 51

    If a display has more entries than will fit on one page (based on the Rows per Page filter setting), page navigation controls are enabled to let you navigate between the results pages. In the Client Status and Session Status views, you can sort the display by the data in any column. The headings [...]

  • Page 52

    Viewing Access Control Server Status The Access Control Server status table, as shown in Figure 3-3, shows the following information: Table 3-1. Access Control Server status Row Description (Primary/Secondary) Access Control Server Status of the Access Control Server whose Administrativ[...]

  • Page 53

    Figure 3-3. Access Control Server Tab for the Primary Access Control Server in a redundant configuration Viewing Access Controller Status The Access Controller status table displays the following information about each Access Controller: Table 3-2. Active Access Controllers Display Column Des[...]

  • Page 54

    Figure 3-4. Access Controller Detail Page The Access Controller Detail page shows general status information for the Access Controller at the top of the page. Below this is a System Inventory tab that shows the status for each port on the Access Controller, grouped by slot. Table 3-3. A[...]

  • Page 55

    Table 3-3. Access Controller Detail Page: System Inventory Display Column Description Status This column shows: • The MAC address of the port • The speed and duplex setting for the port, with the actual speed and duplex shown in parentheses. If the port is not connected the actual sett[...]

  • Page 56

    » To display the client status, select the Access Controller and client type filtering parameters from the left panel and click Apply Filters. The display is updated to show the clients per your filter settings. You can view full client information only on a single Access Controller at a ti[...]

  • Page 57

    Filtering Client Status Information To make it easier to find the information you need from a client status page, you can filter the display to show only a subset of the entries. » To filter a display, select the filtering parameters from the filter drop-down lists in the left panel of [...]

  • Page 58

    Figure 3-6. Client Detail Page The following information is displayed on this page: Table 3-6. Active Client detail information Information Description User The descriptive name of the user, if known. User name The user name (logon name) of the user or the MAC address, if the user is identifie[...]

  • Page 59

    Table 3-6. Active Client detail information (continued) Information Description Current Access Controller Information about the Access Controller through which the user is connected: • Name of the Access Controller (by default the same as the IP address). • IP address of the Access Controller. • Sl[...]

  • Page 60

    Figure 3-7. Client Detail page showing current rights in XML The Client Detail User Rights display shows the row in the Rights Table that this client matched, including the Identity Profile, Connection Profile and Access Policy associated with the client. The rest of the display shows the[...]

  • Page 61

    The View Active Sessions page appears, as shown in Figure 3-8. Figure 3-8. Session Status Page » To filter the session data, select the desired filters and click Apply Filters. » To set an auto-refresh interval, select the desired interval from the drop-down list and click Apply Filter[...]

  • Page 62

    Table 3-7. View Active Sessions Information Column Description Client Source Client Source: The IP address and port of the client system, as placed in the packet header by the client. Actual Source: For a client in NAT mode, the IP address and port of the Access Controller, as re-written afte[...]

  • Page 63

    Table 3-8. Session Status Filtering Parameters Filter by: Details Access Controllers Lets you display only sessions for a selected Access Controller. You select the Access Controller from the drop-down list. Default is the first Access Controller in the list. Port Lets you display o[...]

  • Page 64

    Figure 3-9. License Information Page[...]

  • Page 65

    4 CONFIGURING RIGHTS This chapter describes how network access rights are assigned to clients through the 700wl Series system, and explains how to configure access control policies. The topics covered in this chapter include: Access Rights in the 700wl Series System[...]

  • Page 66

    Configuring Rights Time Window in which the connection exists, and optionally, a VLAN tag, to match the client to a Connection Profile. The combination of the Identity Profile and Connection Profile determines the Access Policy that is used to enforce access rights (the ability to pass traffic into the [...]

  • Page 67

    The network administrator configures network access control policies by defining Identity Profiles, Connection Profiles and Access Policies, or by modifying existing profiles and policies. • An Identity Profile is associated with a set of one or more individual users and devic[...]

  • Page 68

    • An Access Policy defines aspects of how a client interacts with the network. The Access Policy defines what traffic is allowed to be passed into the network, and what traffic will be redirected to alternate destinations. It can include HTTP proxy filters that specify what web sites [...]

  • Page 69

    the Client Status tab under the Status button, and click Refresh User Rights Now. You can also refresh rights for individual clients, if appropriate. Configuring Access Rights – An Overview To configure rights in the 700wl Series system, you first need to decide how you want to c[...]

  • Page 70

    Connection Profiles once the Access Controllers have been installed and the appropriate Locations have been created. b. Create Time Windows that specify hours of the day, days of the week, and so on, to allow or restrict access during specified times. For example, if you have temporar[...]

  • Page 71

    Series system is matched to a row in the table based on its Identity Profile and Connection Profile, and receives access rights as specified by the Access Policy for that row. The 700wl Series system looks for a matching row starting at the top of the table, and stops at the first match. T[...]

  • Page 72

    the new identification information. The user will now match one of the Identity Profiles near the top of the table. For example: • Suppose the client initially matches row 5 (Identity Profile "Any" and Connection Profile "Accounting") and his logon information is sent t[...]

  • Page 73

    Note: It is important that rows with the "Access Points" Identity Profile appear in the table before rows that contain the "Any" Identity Profile. Otherwise, the MAC address would match "Any" first, and would never get to the row with the "Access Points" Identity Pr[...]
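An added example (Python; not code from the HP manual or the 700wl product) of the first-match rule described in the Chapter 4 pages above and the VLAN-specific rows described in the Chapter 2 pages (Figure 2-13 and the VLAN 10 / VLAN 20 discussion): a client is compared against the Rights table from the top and receives the Access Policy of the first row whose Identity Profile and Connection Profile both match. The sample table shows authenticated clients tagged VLAN 20 and VLAN 10 landing on different rows, an unauthenticated client in the Accounting location matching an "Any" row until it logs on and is re-matched higher up, and an Access Point MAC that is listed below an "Any" row never being reached. The data model, the sample table, the MAC addresses and the `shadowed_rows` ordering check are this example's constructions; the manual names the Any, Authenticated and Access Points Identity Profiles, but the matching details here are the example's reading of the text, not the product's implementation.

```python
"""First-match evaluation of a 700wl-style Rights Assignment table.

Added example, not code from the HP 700wl manual or product; data model,
sample table and the ordering check are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Client:
    mac: str
    location: str = "default"
    vlan: Optional[int] = None        # 802.1Q tag on the client's traffic, if any
    hour: int = 12                    # hour of day, for Time Window matching
    username: Optional[str] = None    # set once authentication has succeeded


@dataclass
class IdentityProfile:
    name: str
    macs: Set[str] = field(default_factory=set)    # network equipment, by MAC
    users: Set[str] = field(default_factory=set)   # users explicitly assigned

    def matches(self, c: Client) -> bool:
        if self.name == "Any":
            return True
        if self.name == "Authenticated":
            return c.username is not None
        return c.mac.lower() in self.macs or c.username in self.users


@dataclass
class ConnectionProfile:
    name: str
    locations: Optional[Set[str]] = None   # None = any location
    hours: Optional[range] = None          # Time Window; None = always
    vlan: Optional[int] = None             # None = any tag (or untagged)

    def matches(self, c: Client) -> bool:
        return ((self.locations is None or c.location in self.locations)
                and (self.hours is None or c.hour in self.hours)
                and (self.vlan is None or c.vlan == self.vlan))


def covers(general: ConnectionProfile, specific: ConnectionProfile) -> bool:
    """True if every client matching `specific` also matches `general`."""
    return ((general.locations is None or (specific.locations is not None
                                           and specific.locations <= general.locations))
            and (general.hours is None or (specific.hours is not None
                                           and set(specific.hours) <= set(general.hours)))
            and (general.vlan is None or specific.vlan == general.vlan))


@dataclass
class Row:
    identity: IdentityProfile
    connection: ConnectionProfile
    policy: str


def match_rights(table: List[Row], c: Client) -> Tuple[Optional[int], Optional[str]]:
    """Top-down, first match wins: returns (row index, Access Policy name)."""
    for i, row in enumerate(table):
        if row.identity.matches(c) and row.connection.matches(c):
            return i, row.policy
    return None, None


def shadowed_rows(table: List[Row]) -> List[Tuple[int, int]]:
    """Equipment (MAC) rows below an 'Any' row whose Connection Profile covers
    theirs can never be reached; returns (shadowed row, shadowing row) pairs."""
    found = []
    for j, row in enumerate(table):
        if not row.identity.macs:
            continue
        for i in range(j):
            if table[i].identity.name == "Any" and covers(table[i].connection, row.connection):
                found.append((j, i))
                break
    return found


# Constructed sample configuration (not from the manual).
AP_MAC = "00:0a:0b:0c:0d:0e"
ANY_ID, AUTH_ID = IdentityProfile("Any"), IdentityProfile("Authenticated")
APS_ID = IdentityProfile("Access Points", macs={AP_MAC})
ANY_CONN = ConnectionProfile("Any")
ACCOUNTING = ConnectionProfile("Accounting", locations={"accounting"})
VLAN10, VLAN20 = ConnectionProfile("VLAN 10", vlan=10), ConnectionProfile("VLAN 20", vlan=20)
SAMPLE_TABLE = [
    Row(APS_ID, ANY_CONN, "access-points"),     # equipment row above every 'Any' row
    Row(AUTH_ID, VLAN20, "employees-vlan20"),
    Row(AUTH_ID, VLAN10, "employees-vlan10"),
    Row(AUTH_ID, ANY_CONN, "employees"),
    Row(ANY_ID, ACCOUNTING, "unauthenticated-accounting"),
    Row(ANY_ID, ANY_CONN, "unauthenticated"),
]


def demo() -> Dict[str, object]:
    r: Dict[str, object] = {}
    laptop = Client(mac="00:11:22:33:44:55", location="accounting")
    r["before_logon"] = match_rights(SAMPLE_TABLE, laptop)
    laptop.username = "jdoe"                # logon succeeded: rights are re-evaluated
    r["after_logon"] = match_rights(SAMPLE_TABLE, laptop)
    r["vlan20"] = match_rights(SAMPLE_TABLE, Client("00:11:22:33:44:66", vlan=20, username="amy"))
    r["vlan10"] = match_rights(SAMPLE_TABLE, Client("00:11:22:33:44:77", vlan=10, username="bob"))
    r["ap"] = match_rights(SAMPLE_TABLE, Client(AP_MAC))
    misordered = SAMPLE_TABLE[1:] + SAMPLE_TABLE[:1]   # Access Points row moved to the bottom
    r["ap_misordered"] = match_rights(misordered, Client(AP_MAC))
    r["shadowed"] = shadowed_rows(misordered)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15} {v}")
```

Running `shadowed_rows` over a table before saving it catches the ordering mistake the Note above warns about: in the misordered copy the Access Points row is reported as shadowed by the "Any"/"Any" row, and the access point itself falls through to the "unauthenticated" policy.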

  • Page 74

    Figure 4-3. The New Rights Assignment Page Each field on this page contains a drop-down list from which you can select the components of a row in the Rights Assignment table, as defined in Table 4-1: Table 4-1. New/Edit Rights Assignment Page Field Definitions Field Description[...]

  • Page 75

    Step 2. Specify where in the table the new row should be placed. Order is important in matching a client to a row. The default position is to place the row at the top of the table. Step 3. When you have made your selections, click Save to add this row to the table. Cancel returns you to the previou[...]

  • Page 76

    Figure 4-4. The Identity Profiles Page The 700wl Series system provides three predefined Identity Profiles, and a Rights Administrator can create additional ones. The predefined Identity Profiles can be considered default or implicit profiles, as users will match them automatically based[...]

  • Page 77

    Creating or Editing an Identity Profile To create a new Identity Profile, click the New Identity Profile... button at the bottom of the Identity Profile list. The New Identity Profile page appears, as shown in Figure 4-5, with an empty Name field. To edit an Identity Profile, click the [...]

  • Page 78

    Figure 4-6. Creating a New Identity Profile, with User list displayed From this page, with the Users or Network Equipment list displayed, you can also add a new user or equipment item, or edit a user or equipment item. See “Users in the Built-In Database” on page 4-16 and “Networ[...]

  • Page 79

    Limiting the number of logons per user does not prevent a user from logging on with that username and password—rather it prevents that user from matching this Identity Profile and thus getting rights based on matching this Identity Profile in the Rights Table. It is possible tha[...]

  • Page 80

    Users in the Built-In Database Many organizations choose to authenticate their wireless users against a corporate database or authentication service. However, if you do not plan to use such a service, you can add users to the database built into the 700wl Series system and use that for aut[...]

  • Page 81

    Table 4-2. Users Page Field Definitions Field Description Identity Profile Assignment The Identity Profile to which the user has been assigned, if any. If no Identity Profile has been assigned, the user will automatically match either the “Authenticated” profile (if it has bee[...]

  • Page 82

    Figure 4-8. Adding a New User The fields on this page are as follows: Table 4-3. New User Fields Field Description Name A descriptive name that identifies the user in the 700wl Series system’s Administrative Console. This is the name that appears in Client Status display, amon[...]

  • Page 83

    Table 4-3. New User Fields Field Description Username/MAC Address The user’s username (logon ID) or MAC address. A user may be identified by one or the other, not both. A username may have up to 50 characters. Any 7-bit characters are allowed. A MAC address can be entered with colons (:) [...]

  • Page 84

    Step 2. Select the Identity Profile to which this user should be assigned by clicking the appropriate checkbox in the Identity Profiles table. As a rule, you would assign a user to only one Identity Profile, since the search for a match always stops at the first match found. Assigning a u[...]

  • Page 85

    correctly in the system; however, if you want to manage these devices from within the 700wl Series system, you may want to assign them a specific set of access rights. You can add these devices to the built-in database and assign them to an Identity Profile so that they can get right[...]

  • Page 86

    From the Network Equipment page you can also go directly to the Identity Profiles page or to the Users page by clicking the link near the top of the left-hand column, just below the page name. Creating or Editing an Equipment Entry To create a new network equipment entry, click New Ne[...]

  • Page 87

    The fields on this page are as follows: Table 4-5. New Network Equipment Fields Field Description Name A descriptive name for the device. This name may be up to 32 characters in length. Any 7-bit characters are allowed. MAC Address The MAC address of the network device. A MA[...]

  • Page 88

    To edit a Network Equipment entry in the built-in database, do the following: » Edit the fields to change the descriptive name or the MAC address. » To change the Identity Profile to which the equipment is assigned, remove the check from the old Identity Profile and check the checkbox for [...]

  • Page 89

    an individual record for the MAC address. For example, suppose the record identified by cn=MACS contained the following values for uniqueMember: uniqueMember: cn=000122034a5b, o=XYZCorp, c=us uniqueMember: cn=01234567891a, o=XYZCorp, c=us uniqueMember: cn=22314a6721b7, o=XYZCorp, c=us The value of[...]

  • Page 90

    Note: If you have an LDAP service configured for user binding, that service does not appear in this list. » To configure or change the settings for MAC address retrieval, click the configuration icon at the end of the row. You must configure the service for MAC address retrieval before you can e[...]

  • Page 91

    Figure 4-12. Configuring MAC Addresses Retrieval Parameters for an LDAP Service The fields on this page are as follows: Table 4-6. Configuring MAC Address Retrieval, address retrieval parameters Field Description Authentication Service The name of the LDAP service being configure[...]

  • Page 92

    Identity Profile membership information can be associated with a MAC address in one of two ways: • If each MAC address has its own record in the database, its group identity information may be kept as an attribute in the record. The Rights Manager can then search for each MAC addre[...]

  • Page 93

    This means that the Rights Manager will use the search string found in the initial search (for example, the value returned from the uniqueMember attribute in the MACS record) to search for the individual MAC address record. Step 2. Type mymember in the field labeled Identity Informat[...]

  • Page 94

    The Connection Profile is used in the Rights Assignment Table, in concert with the Identity Profile, to determine a client’s access rights. If the client is unknown (i.e. has not been authenticated and does not match a known MAC address in the built-in database) the Connection Profile de[...]

  • Page 95

    » To edit a Connection Profile, click the Connection Profile name in the first column of the table, or click the pencil icon at the end of the row. This takes you directly to the Edit Connection Profile page (see “Creating or Editing a Connection Profile” on page 4-31). » [...]

  • Page 96

    Figure 4-14. Creating a New Connection Profile, the Settings Tab To create or edit a Connection Profile, do the following: Step 1. Type a name for a new Connection Profile. You can change the name of an existing Connection Profile by typing a new name. Step 2. On the Settings tab, [...]

  • Page 97

    Table 4-9. New Connection Profile Settings Tab Contents (Continued) Column Description VLAN Identifier How an 802.1Q VLAN Identifier (tag) should be used to determine whether a client matches this Connection Profile: • Select Match any VLAN tag if clients should always match [...]

  • Page 98

    The Locations tab shows a list of the currently defined Locations. The columns in this list are as follows: Table 4-10. Locations Tab Column Definitions Column Description Name The descriptive name for the Location. Details The definition of the Access Controllers and ports inclu[...]

  • Page 99

    • To select all Time Windows in the list, select the checkbox next to the Locations column heading. Clicking this checkbox a second time removes the checks from all Time Windows in the list. • To remove a Time Window from the profile, click its checkbox to remove the check. Step 5. C[...]

  • Page 100

    » To delete a Location, click the trash can icon at the end of the row. » To create a new Location, click the New Location... button at the bottom of the Locations list. This takes you to the New Location page (see “Creating or Editing a Location”). From this page you can al[...]

  • Page 101

    Time Windows A Time Window is a specification of a period of time, defined by specific dates or date ranges, days of the week, and hours of the day. Time Windows may be used to limit when a Connection Profile is available as a valid match for a client. If a client connects to the 700wl [...]

  • Page 102

    Creating or Editing a Time Window To create a new Time Window, click New Time Window... at the bottom of the Time Window list. The New Time Window page appears, as shown in Figure 4-18, with a blank name field and default time settings. The Edit Time Window page is almost identical to th[...]

  • Page 103

    Table 4-14. New Time Window Settings Setting Description Valid Days Specify a Time Window by days of the week: • The default is Any day • To specify particular days, click the Selected days radio button, then check the individual days of the week you want to include. Valid Times [...]

  • Page 104

    Figure 4-21. The Access Policies Page The 700wl Series system provides five predefined Access Policies, and a Rights Administrator can create additional ones. The predefined Access Policies are: • Authenticated: This defines a default set of rights for users that have been successfully [...]

  • Page 105

    Table 4-15. Access Policies Table Contents Column Description Allowed Traffic | Grid A list of the Allowed Traffic Filters selected for the Access Policy. Click Grid in the column heading to display all Access Policies and Allowed Traffic Filters in a grid format. See “The All[...]

  • Page 106

    Figure 4-22. Access Policies and Allowed Traffic Filters in a Grid Format Each row represents an Access Policy. The Allowed Traffic Filters are shown in columns. Filters that are enabled for the Access Policy are represented by checks in the appropriate column checkbox. This format ma[...]

  • Page 107

    Figure 4-23. Access Policies and Redirected Traffic Filters in a Grid Format Each row represents an Access Policy. The Redirected Traffic Filters are shown in columns. Filters that are enabled for the Access Policy are represented by checks in the appropriate column checkbox. T[...]

  • Page 108

    Figure 4-24. Creating a New Access Policy, the Settings Tab To create or edit an Access Policy, Step 1. Type a name for the policy in the Name field. You can change the name of an existing Access Policy by typing a new name. Step 2. Select settings or enter data on each of the tabs[...]

  • Page 109

    To add the modified Access Policy as a new Access Policy, leaving the original Access Policy unchanged, click Save As Copy. The Save As Copy button is available only on the Edit Access Policy page. After a Save As Copy the page remains displayed so you can make additional changes. C[...]

  • Page 110

    Table 4-16. New Access Policy Settings Tab Contents Column Description VLAN Identifier How a VLAN Identifier (tag) should be handled: • Select Remove any pre-existing tag to remove the VLAN tag (if any) associated with client packets, resulting in untagged traffic being forward[...]

  • Page 111

    Table 4-16. New Access Policy Settings Tab Contents Column Description Key Length (PPTP only) For PPTP, the minimum MPPE (RC4) session key length: • Select 40 bits to allow a 40-bit or 128-bit key. This is the default. • Select 128 bits to allow a 128-bit key only. • Select no[...]

  • Page 112

    address is valid if it falls within that address range. If the address does not fall within the port’s address range, NAT is used, even if the address is within the Access Controller’s subnet. — If there is no range assigned for the port, then the client’s IP address is vali[...]

  • Page 113

    The Allowed Traffic Tab Allowed Traffic filters are traffic filters that identify packets that are permitted to be forwarded by an Access Controller. If you are creating a new Access Policy, the Allowed Traffic filters are displayed in alphabetical order. If you are editing[...]

  • Page 114

    Figure 4-25. Creating an Access Policy, the Allowed Filters Tab Note that if the filter you select is one of a DNS or WINS filter pair, you must also include the corresponding Redirected Traffic member of the pair in your Access Policy, to redirect traffic to the proper DNS or WINS serve[...]

  • Page 115

    The Allowed Traffic list shows all existing Allowed Traffic filters. These are displayed in alphabetical order if you are creating a new Access Policy. If you are editing an Access Policy, the filters included in the policy are displayed at the top of the list. The following informatio[...]

  • Page 116

    Table 4-18. Predefined Allowed Traffic Filters Allowed Traffic Filter Description Internal rights UI Allows access to the Rights Manager pages via the Access Controller defined in @INTERNAL@ (by default 42.0.0.1) IP Fragments Allows subsequent packet fragments for packets that e[...]

  • Page 117

    Figure 4-26. Creating an Access Policy, the Redirected Traffic Tab The Redirected Traffic list shows the following information about each filter: Table 4-19. Redirected Traffic List Definitions Column Description Name The name for the Redirected Traffic Filter. Details The opti[...]

  • Page 118

    Note: Redirected Traffic filters are evaluated in the order that they appear in the Redirected traffic list of each Access Policy. When a packet matches a Redirect filter, it is immediately redirected to the appropriate destination. Therefore, an incorrect ordering of Redirect[...]

  • Page 119

    Table 4-20. Predefined Redirected Traffic Filters Redirected Traffic Filter Description No internal IAM UI Redirects Integrated Access Manager UI access requests via 42.0.0.1 No internal rights UI Redirects Rights Manager UI access requests via 42.0.0.1 to the SSL Stop page No SS[...]

  • Page 120

    To configure automatic HTTP Proxy filtering for this Access Policy, select the HTTP Proxy tab, as shown in Figure 4-27, and select or enter data into the fields as described in Table 4-21. Figure 4-27. Creating an Access Policy, the HTTP Proxy Tab The fields under the HTTP Proxy [...]

  • Page 121

    Table 4-21. HTTP Proxy Tab Field Definitions Field/Column Description • Allow FQDN Accept HTTP traffic destined for the specified fully-qualified domain name (e.g. www.domain.com) • Allow Host Accept HTTP traffic destined for the specified host name (e.g. www or home) • A[...]

  • Page 122

    The Bandwidth Tab 700wl Series system version 4.0 provides the ability to limit the bandwidth available to each client to prevent network performance degradation. Using Access Policies, bandwidth can be limited on a client by client basis. Separate limits can be set for upstream and downst[...]

  • Page 123

    Bandwidth Rate Limiting in the 700wl Series system 700wl Series system version 4.0 provides bandwidth rate limiting (or “policing”) on a per-client basis. Each client may use bandwidth as necessary up to the upstream or downstream limit set by the Access Policy currently in force for[...]

  • Page 124

    The Linger Timeout The Linger timeout enables the 700wl Series system to force a logoff for clients that have disconnected from the network without logging off. If the Access Controller determines that a client has been non-responsive for a specified period of time, the Access Cont[...]

  • Page 125

    Figure 4-29. Creating an Access Policy, the Timeout Tab The fields under the Timeout tab are as follows: Table 4-23. Timeout Tab Field Definitions Field Description Linger Timeout How long a client remains known to the 700wl Series system after being disassociated from an Access Cont[...]

  • Page 126

    Table 4-23. Timeout Tab Field Definitions Field Description Never force users to reauthenticate Allows client sessions to remain connected indefinitely without requiring reauthentication. • Check the radio button to select this option. This is the default. Allowed Tra[...]

  • Page 127

    Figure 4-30. The Allowed Traffic Filters List The Allowed Traffic list shows the Allowed Traffic filters in alphabetical order, and includes the following information about each filter: Table 4-24. Allowed Traffic List Definitions Column Description Name The name for the Allow[...]

  • Page 128

    » To delete a filter, click the trash can icon at the end of the row. » To create a new filter, click the New Filter... button at the bottom of the filter list. This takes you to the New Filter: Allowed Traffic page (see “Creating or Editing an Allowed Traffic Filter”). From this page[...]

  • Page 129

    To create or edit an Allowed Traffic filter, do the following: Step 1. Type a name for this filter. You can change the name of an existing Allowed Traffic filter by typing a new name. Step 2. Type a description for the filter, or modify the existing description. Step 3. To specify[...]

  • Page 130

    Redirected Traffic Filters Redirected Traffic filters are traffic filters that identify packets sent from a client that should be redirected to a new destination. Some Redirected Traffic filters may simply forward the packet to an alternate destination that performs the same functio[...]

  • Page 131

    The Redirected Traffic list shows the Redirected Traffic filters in alphabetical order, and includes the following information about each filter: Table 4-25. Allowed Traffic List Definitions Column Description Name The name for the Redirected Traffic Filter. Details The option [...]

  • Page 132

    Figure 4-33. Creating a New Redirected Traffic Filter You can create the filter specification in one of two ways: • Specify the traffic protocol, and the destination IP address and port, or • Define the filter as a regular expression in tcpdump syntax. This enables you to define[...]

  • Page 133

    b. If the protocol requires a destination port, type it into the Port field. If the protocol does not support port specifications, N/A appears in the port field. You can enter a single port, or use an asterisk (*) to specify all ports. You can access a list of ports by clicking the View but[...]

  • Page 134

    Click Cancel to return to the previous page without making any further changes. Built-in and User-defined Address Variables For use in both Allowed and Redirected Traffic Filters, the 700wl Series system provides a set of pre-defined address variables for various system componen[...]

  • Page 135

    Table 4-26. Predefined Address Variables Address Variable Value/Description @INTERNAL@ The address of the Access Control Server Administrative Console. By default this is 42.0.0.1, but if you have reconfigured the address range for the internal DHCP server used for providing NAT a[...]

  • Page 136

    Table 4-27. Edit Address fields Field Definition Name The name of the variable. May be up to 32 uppercase alphabetic characters (no numerals or other characters). You may include the “@” at the beginning and end, but do not need to – the system will add them if necessary. Value The[...]

  • Page 137

    Figure 4-36. WINS Filters List The Filter list shows the DNS or WINS filter pairs in alphabetical order, and includes the following information about each pair: Table 4-28. DNS or WINS Filter Pair list definitions Column Description Name The name of the filter pair. Description The optio[...]

  • Page 138

    The Edit Filter pages are almost identical to the New Filter pages, except that the name, description, and server definitions are displayed for the filter you have selected, and a Save As Copy button is provided. Figure 4-37. Creating a New DNS Filter The first time you view one of these pag[...]

  • Page 139

    the list, using the multi-select mechanism supported by your browser (typically Ctrl-click and Shift-click). The 700wl Series system selects a destination server at random from the servers you have selected, at the time rights are assigned to the client. That destination is used until t[...]

  • Page 140

    Figure 4-38. HTTP Proxy Filters List The HTTP Proxy list shows the HTTP Proxy filters in alphabetical order, and includes the following information about each filter: Table 4-29. HTTP Proxy Filter List Definitions Column Description Name The name for the HTTP Proxy Filter. [...]

  • Page 141

    The Edit Filter: HTTP Proxy Traffic page is almost identical to the New Filter page, except that the name, description, and the filter and destination definitions are displayed for the filter you have selected, and a Save As Copy button is provided. Figure 4-39. Creating a New HTTP Prox[...]

  • Page 142

    Table 4-30. HTTP Proxy Filter Types Filter Rule Type Description • Allow Reg Accepts HTTP traffic to a destination specified as a regular expression that evaluates to an address or address range. For example “(.*).domain.com” • Deny IP Redirects HTTP traffic destined for a spe[...]

  • Page 143

    Example–Modifying the “Guest Access” Access Policy The following sections provide examples of how to modify access rights by editing the settings for an Access Policy. The Guest Access Access Policy is used as the example because you will need to modify this Access Policy (or create a co[...]

  • Page 144

    Step 2. In the Access Policy column of the table, click Guest Access to display the Edit Access Policy page for the Guest Access Access Policy. Step 3. Click the Allowed Traffic tab to display the Allowed Traffic filters currently selected for this Access Policy, as shown in Figure 4-41. Note [...]

  • Page 145

    Figure 4-41. The Allowed Traffic filters for the Guest Access Access Policy Step 4. Find the row for the Outside World filter, as shown in Figure 4-41, and click the checkbox to select the filter. Step 5. Click Save to have this change take effect. HP ProCurve Secure Access 700wl Se[...]

  • Page 146

    Modifying the Outside World Filter to Restrict Access If the Outside World Allowed Traffic filter is not sufficiently restrictive for your network environment, you can modify it (or create a new filter) to restrict access to multiple subnets or IP addresses. Step 1. From the Allowed [...]

  • Page 147

    See Appendix B, “Filter Expression Syntax” for details of the tcpdump syntax. Note: Tcpdump syntax is case sensitive. All keywords must be in lower-case to be recognized. Step 6. If you have changed the Outside World filter, click Save to replace the current Outside Worl[...]

  • Page 148

    Figure 4-43. Configuring Proxy Filters to limit access for the Guest Access Access Policy Step 3. To create the filters you need, click New Filter.... See “HTTP Proxy Filters” on page 4-75 for details on creating HTTP proxy filters. Step 4. Select Enabled from the drop down field t[...]

  • Page 149

    5 CONFIGURING AUTHENTICATION This chapter describes how clients are authenticated through the 700wl Series system, and explains how to configure authentication policies. The topics covered in this chapter include: Authentication in the 700wl Series System . . . [...]

  • Page 150

    Configuring Authentication specification, determine a Connection Profile for the client. The client’s identity (who the client is) is determined through the authentication process. This is used to determine an Identity Profile for the client. The combination of the Connection Profile and Identity Profile d[...]

  • Page 151

    client, the username and password is sent to the next service, and so on. If all services in the list fail to authenticate the user, then the user will continue to have only unauthenticated logon rights. • Monitored Logon With monitored logon, the HP system passes the initial packe[...]

  • Page 152

    The Rights Manager The configuration of network Authentication Policies is done through the Rights module, accessed by clicking the Rights icon on the Navigation bar. Many of the functions within the Rights module—specifically those associated with creating or modi[...]

  • Page 153

    Figure 5-1. The Authentication Policies Page The Authentication Policies table shows the currently defined Authentication Policies. This table shows the following information about each Authentication Policy: Table 5-1. Authentication Policy Table Contents Column Desc[...]

  • Page 154

    Creating or Editing an Authentication Policy To create a new Authentication Policy, click the New Authentication Policy... button at the bottom of the list on the Authentication Policy page. The New Authentication Policy page appears (see Figure 5-2) with the Authentication Serv[...]

  • Page 155

    • To edit an Authentication Service, click the name of the service you want to edit, or click the pencil icon at the end of the row. This takes you directly to the Edit Authentication Services page for the filter you selected. Note: You cannot edit the built-in Authentication Ser[...]

  • Page 156

    Figure 5-3. The Authentication Services Page The Authentication Services table shows the currently defined Authentication Services. This table shows the following information about each Authentication Service: Table 5-2. Authentication Services Table Contents Column Descript[...]

  • Page 157

    appears (see Figure 5-4). The page initially displays the configuration options for an LDAP Authentication Service. The Edit Authentication Service - LDAP page is almost identical to the New Authentication Service - LDAP page, except that the page and settings displayed a[...]

  • Page 158

    Figure 5-4 shows the configuration page for configuring an LDAP service with non-user binding. For many of the options on the LDAP service page, the values you enter are dependent on the configuration of your LDAP service, so a thorough knowledge of your LDAP implementation is necess[...]

  • Page 159

    The information required to configure an LDAP service for authentication is defined in the following tables. Table 5-3 defines the fields on the top part of the page: Table 5-3. LDAP Authentication Configuration Options, Top Part of the Page Field/Option Description[...]

  • Page 160

    If you select Non-user bind, the remaining fields on the page are as follows: Table 5-4. LDAP Authentication Configuration Options, Non-User Bind Field/Option Description Use the username field as an alias to find the user’s DN and authenticate by rebindin[...]

  • Page 161

    » For detailed instructions for setting up an Active Directory server, see “Using the Active Directory LDAP Service” on page 5-13. » For detailed instructions for setting up a Netscape or iPlanet server, see “Using a Netscape or iPlanet Directory Service” on page 5-14. Using [...]

  • Page 162

    To use User binding for authentication where the user logon ID is used as the DN, do the following: a. Select User bind from the drop-down field. b. Enter the following into the User bind string field: <domain name>%s For example, for domain XYZCorp.com, this would be XYZC[...]

  • Page 163

    Step 3. Specify some additional options for this LDAP server: a. The timeout value specifies the length of time the 700wl Series system waits for a response to an authentication request before it abandons the request. The default is 120 seconds. You can change this as approp[...]

  • Page 164

    Then, do the following: Step 1. Because you are sending a password in the clear, make sure that you are using SSL. Step 2. Select Non-user bind. Step 3. Click the radio button labeled Use the username field as an alias to find the user's dn and authenticate by rebinding[...]

  • Page 165

    Along with the authentication results, you can obtain the user’s group affiliation from the authentication process. The returned group information will be used to match the user to an Identity Profile in the Rights Assignment table. This assumes you have created Identity Profil[...]

  • Page 166

    Figure 5-6. Creating a New Authentication Service - Kerberos Step 5. Enter the information required to configure a Kerberos service for use with authentication as defined in Table 5-7: Table 5-7. Kerberos Authentication Service Configuration Field/Option Descri[...]

  • Page 167

    Configuring a RADIUS Authentication Service Note: The 700wl Series system Access Control Server must be configured as a RADIUS client on your RADIUS server. To configure the 700wl Series system to use a RADIUS database for user authentication: Step 1. Click the Rights button in[...]

  • Page 168

    The information required to configure the RADIUS service for authentication is defined in Table 5-8 as follows: Table 5-8. RADIUS Authentication Service Configuration Field/Option Description Name Your name for this authentication method. You can use any alphanume[...]

  • Page 169

    » To use a RADIUS service for accounting, you must configure a RADIUS server as an Authentication Service, and check the Supports RADIUS Accounting (RFC-2866) on port checkbox and enter the appropriate port number to which the 700wl Series system should send the accounting data. Spe[...]

  • Page 170

    Field Data Acct-Session-ID The unique ID for this client session Acct-Session-Time The seconds this client was logged on this Access Controller. Sent only with a Stop packet. Note: When an authenticated client roams to a new Access Controller, a Stop packet is sent up[...]

  • Page 171

    • The Rights Manager uses the group information and the start and stop times from the user profile to temporarily map the user to a matching Identity Profile, during the time frame defined by the stop and start times in the profile. At other times (outside the ran[...]

  • Page 172

    The information required to configure an XML-RPC authentication service is defined in Table 5-9 as follows: Table 5-9. XML-RPC Authentication Service Configuration Field/Option Description Name Your name for this authentication method. You can use any alphanumeric stri[...]

  • Page 173

    These parameters are shown in Table 5-10: Table 5-10. Parameters for Authenticate Call Parameter Type Description userid string User logon from 700wl Series system logon page password string Password from 700wl Series system logon page, in clear text location string Name o[...]

  • Page 174

    Table 5-11. Name/value Pairs Returned by Authenticate Response Name Type Value and Description validTimes string An array of strings that define the times when a user is given the rights associated with the group. Members are name-value pairs as follows: startTime stri[...]

  • Page 175

    <value><string>Monday:Wednesday:Friday</string></value> </member> <member><name>startDate</name> <value><string>2002-04-01</string></value> </member> <member><name>stopDate</name> <value><string>2002-05-31&l[...]

  • Page 176

    enabled in any other Access Policies that may be in force when a client is required to reauthenticate. The Allowed Traffic Filter for LDAP must be created and then enabled in the appropriate Access Policies. Note: Cached Logon requests from Windows clients are not supported because [...]

  • Page 177

    • First, you must configure an LDAP Authentication Service to be used to retrieve the group identity information. You must specify Non-User binding, either rootdn/rootpw binding or anonymous binding (if the service allows anonymous bind). See “Configuring an LDAP A[...]

  • Page 178

    Logon Page Customization The 700wl Series system Rights Manager provides default Logon, Logoff, Stop, and Guest Registration pages that are displayed when users are to be authenticated using Web-based logon. The default logon page displays the HP ProCurve log[...]

  • Page 179

    Through the Rights Manager, you can customize the appearance of the Logon, Logoff and Stop pages in the following ways: • You can create customized versions of the standard Logon, Logoff and Stop pages by including your own text and logos. • You can associate a different cu[...]

  • Page 180

    Customizing a Logon Page To create a new logon customization page, do the following: Step 1. From anywhere within the Rights Manager, click the Logon Customization tab. Step 2. Click New Logon Customization… The New Logon Customization page appears, as shown in Figure 5-12. Ste[...]

  • Page 181

    Figure 5-12. New Logon Customization Page Customizing the Logo In the Logos section of the New/Edit Logon Customization page you can customize the logo (image) that appears on the logon and logoff web pages. The filename of the current logo is displayed underneath the filename entry[...]

  • Page 182

    of a small screen. You can change this logo to be a small version of your own logo for use with small browsers. To change either logo, do the following: Step 1. Go to the Logos section of the New/Edit Logon Customization page and select the logo you wish to change. Step 2. In e[...]

  • Page 183

    Step 2. Place a check mark in the Allow users to specify authentication policies checkbox if you want users to choose a specific Authentication Policy from a group of Authentication Policies. When this option is checked, the Logon page will display a drop-down field that will a[...]

  • Page 184

    If you select the Guest Registration option, the Guest Registration page appears as shown in Figure 5-14. Figure 5-14. Guest Registration page If you choose to require guests to register before logging on, the following process will occur when they log on to the system. [...]

  • Page 185

    network. However, if the user goes to the logon page again while he/she is still logged on, the logon page indicates that the user is already logged on and provides a logoff button. As an option, you can have a small logoff page open in a new window as soon as the user succes[...]

  • Page 186

    Step 2. In the textbox labeled Stop Page Text enter the text you want to display on the Stop page. This can include HTML formatting commands. Step 3. Click Save. To clear the stop page text after it has been set, click Reset to Defaults at the bottom of the page. Note: Clicking Rese[...]

  • Page 187

    Customized Page Templates If you want to create pages that are customized beyond the options provided on the Customize Web Pages by Connection Profile page, you can create your own templates for the Logon, Logoff, Stop, and Guest Registration pages. Through a template you can lay out the [...]

  • Page 188

    Figure 5-17. Logon Customization: Custom Templates Step 4. In the appropriate field (Logon Page, Logoff Window, Stop Page, or Guest Registration Page), type the path and name of a .tmpl file on your local system that contains the template, or click Browse to locate the prop[...]

  • Page 189

    The page will redisplay showing the loaded image, see Figure 5-18. Note: The template images area shows ALL images available for use in custom templates, not just those you have loaded for a specific custom template. To delete an image, click the trashcan icon on the same row a[...]

  • Page 190

    Step 7. To indicate that an image is to be used with the customized logon page you are creating, check the box to the left of the image. This notifies the system that this image should be downloaded to the Access Controller with the custom template code. Note: Only those images y[...]

  • Page 191

    Note: The User Rights Simulator does NOT show you the actual rights of a user who is currently logged on, but shows you the rights a user would have as if they were logged on at a particular time and location. To view the current rights for a logged-on user, see “Viewing Client[...]

  • Page 192

    Table 5-12. User Rights Simulator Fields Field Description Access Controller and Port The Access Controller, slot and port to be used to simulate the user's physical connection location. This is one of the elements used to match the user to a Connection Profile. VLAN[...]

  • Page 193

    Figure 5-20. Rights for User “ann” if Logged on at the Specified Time and Location The top portion of the Rights results shows the Identity Profile and Connection Profile that the user matched, based on the specified location, VLAN ID, and time, and the Access Policy tha[...]

  • Page 194

    • If the Identity Profile is not what you expected: — For users in the built-in database, the user may have been assigned to a different profile than you expected. — If the user should match an Identity Profile based on a group or NT Domain name returned from an external a[...]

  • Page 195

    Figure 5-21. The XML Representation of User Rights Tracing Authentication Service Transactions The Transaction Tracer lets you verify authentication transactions to one of the active authentication services (LDAP, RADIUS, Kerberos or XML-RPC). You can use this tool to verify that users are [...]

  • Page 196

    service is working correctly, the service should return a successful result, including the information associated with that user, if appropriate. If the authentication service is not set up correctly, you will receive an error and incomplete results. This tool cannot be used with[...]

  • Page 197

    Figure 5-23. Results of a traced transaction The Result Parameters contain any parameters returned with the authentication, if appropriate. This will depend on the authentication service being used, and how that service has been configured (for example, whether you have it configured t[...]

  • Page 198

    » To Import or Export Rights, click the Tools and Options tab visible at the top of any Rights module page, then click the Import/Export Rights link in the left-hand column of the page. This displays the Import/Export Rights page, as shown in Figure 5-24. Figure 5-24. The Im[...]

  • Page 199

    Figure 5-25. Rights Export in Progress page While the export is in progress, this page is refreshed every 15 seconds. • To stop the page refresh, click Stop Auto Refresh. • To cancel the import click Cancel. Step 2. When the export has completed, another informational page appears[...]

  • Page 200

    Figure 5-26. The Import/Export Rights page after a successful rights export Step 3. Under the Last Rights Export heading, click Save Export As... to save the rights export image as a file. This will start the file download process appropriate to your local system. Step 4. S[...]

  • Page 201

    • To stop the page refresh, click Stop Auto Refresh. • To cancel the import click Cancel. Step 3. When the import has completed, another informational page appears, telling you the process is complete. • Click Continue to return to the main Import/Export Rights page. When [...]

  • Page 202

    5-54 HP ProCurve Secure Access 700wl Series Management and Configuration Guide[...]

  • Page 203

    6 CONFIGURING THE NETWORK This chapter describes how to configure the 700wl Series system components so that they work with your enterprise network. The topics covered in this chapter include: 700wl Series System Components . . . . . . . . 6-2 Configu[...]

  • Page 204

    Configuring the Network 700wl Series System Components When you first click on the Network icon the System Components page appears, as shown in Figure 6-1. Figure 6-1. System Components Page This page displays the System Components List, which lists all the 700wl Series system components known to th[...]

  • Page 205

    From this list you can click a component name or click the pencil icon at the right of the row to edit the component’s name and the folder to which it is assigned. For Access Control Servers, you can also edit settings related to its use in a failover configuration. See “Configuring an Access Contr[...]

  • Page 206

    DHCP (the default) will boot up and run properly without a shared secret configured, but Access Controllers will not be able to communicate with it. In this case, you must edit the Access Control Server configuration to add a shared secret to enable the Access Control Server to mana[...]

  • Page 207

    Note: The IP address can be changed under the Network Setup tab, along with other network configuration settings. The fields and options on this page are defined in Table 6-2: Table 6-2. Edit Access Control Server page field definitions Field/Option Description Name An al[...]

  • Page 208

    Table 6-2. Edit Access Control Server page field definitions Field/Option Description Redundancy Preferred Primary Access Control Server If checked, specifies that this Access Control Server (the one on which this configuration is being done, not the peer Access Control Serv[...]

  • Page 209

    Deleting a Peer Access Control Server You must disable redundancy by editing the Primary Access Control Server configuration before you can delete the Secondary Access Control Server (uncheck the Enable Redundancy checkbox and Save). To delete a peer Access Control Server once re[...]

  • Page 210

    Editing the Integrated Access Manager Configuration The Integrated Access Manager is typically configured with its network configuration parameters and shared secret when it is initially installed on the network, per the instructions in the Quick Start Guide or Installation and Getti[...]

  • Page 211

    The Edit Integrated Access Manager page appears as shown in Figure 6-4. Figure 6-4. Edit Integrated Access Manager page The fields on the Edit Integrated Access Manager page show the current setting for the Integrated Access Manager. You can modify any of these values, except the IP ad[...]

  • Page 212

    Table 6-3. Edit Integrated Access Manager page field definitions Field/Option Description NAS-ID/Description A description for this unit. If using RADIUS accounting, this field is used as the NAS-ID and is sent to the RADIUS server as part of the accounting information [...]

  • Page 213

    With the exception of the Access Control Server IP address and shared secret, Access Controllers are configured centrally from the Administrative Interface of the Access Control Server or Integrated Access Manager. From the Administrative Console you can configure and delet[...]

  • Page 214

    Table 6-4. Edit Access Controller page fields Field/Checkbox Description Name An alphanumeric name for the Access Controller. By default the name is the IP address of the unit. IP Address The IP address of this Access Controller (read-only). This can be changed under the[...]

  • Page 215

    You can modify an Access Controller’s name, administrator username and password, folder, SSH access permissions, and the Access Control Server IP address and shared secret. The IP address and MAC address are displayed read-only and cannot be modified on this page. [...]

  • Page 216

    Figure 6-6. New Folder Page » To change the name of a folder, click the folder name in the System Components List, or click the pencil icon ( ) to the far right of the folder. Either action displays the Edit Folder page. Enter the new folder name in the Folder Name field and click Save. [...]

  • Page 217

    Configuring Failover with Redundant Access Control Servers Please read the section “Enterprise Class Redundancy” on page 2-18 in Chapter 2, “Configuring the Network” Note: Integrated Access Managers cannot be used as a peer in a redundant configuration. The 700wl Series sys[...]

  • Page 218

    Step 4. When you are ready to initiate the peer relationship and start the data synchronization process, check the Enable Redundancy checkbox on the Primary Access Control Server (and Save). You only need to configure and enable redundancy on the primary Access Control Server [...]

  • Page 219

    • Under Network, only the System Components, Network Setup, Interfaces, and Date & Time tabs are available. • Under Maintenance, and Logs, all the functions are available. Disabling Redundancy When you disable redundancy, the secondary Access Control Server is reset to[...]

  • Page 220

    » To access the Network Setup pages, click the Network icon in the Navigation Toolbar, then select the Network Setup tab. Network Setup is divided into four sections: • Basic Setup: settings that allow the 700wl Series system component to communicate with the network • Advance[...]

  • Page 221

    Network Communication: the Basic Setup Tab To configure the basic network communication settings for a 700wl Series system component, do the following: Step 1. Under the network icon, click the Network Setup tab to display the Basic Setup tab, as shown in Figure 6-8. Figure 6-8. [...]

  • Page 222

    Edit the contents of the fields on this page as appropriate. The fields and their settings are defined in Table 6-5. Table 6-5. Basic Setup tab fields Field Description Configure A drop-down list you use to specify how this component gets its IP address. • Select Using D[...]

  • Page 223

    Table 6-5. Basic Setup tab fields Field Description Secondary DNS The IP address of the secondary DNS server Primary WINS The IP address of the primary WINS server Secondary WINS The IP address of the secondary WINS server Step 3. Click Save to save your settings. To restore[...]

  • Page 224

    Figure 6-9. Network Setup: Advanced Setup page for an Integrated Access Manager [...]

  • Page 225

    Access Control Server Configuration Advanced Options The following settings appear on this page if you are configuring an Access Control Server or an Integrated Access Manager. They do not appear if you are configuring an Access Controller. DHCP Network for NAT Clients Note: When yo[...]

  • Page 226

    Access Controller Advanced Configuration Options The following settings appear on this page if you are configuring an Access Controller or an Integrated Access Manager. They do not appear if you are configuring an Access Control Server. Bridging A 700wl Series system provides f[...]

  • Page 227

    The following are the specifications in tcpdump syntax for the predefined bridging options: Table 6-7. Tcpdump syntax for pre-defined bridging options Traffic to enable tcpdump syntax CDP ether[12:2] <= 1514 and ether dst 01:00:0c:cc:cc:cc Wireless Network Access[...]

  • Page 228

    the client’s rights. Depending on the Wireless Data Privacy mechanism and the type of addressing in force, the client’s existing sessions may be tunneled from the original Access Controller to the new Access Controller. To change the client polling settings, do the following: Step[...]

  • Page 229

    You can specify an external proxy server, or the 700wl Series system can act as the proxy server and handle the traffic according to the configured ports and filters defined for each Access Policy. The automatic HTTP Proxy feature is configured and enabled specifically for each A[...]

  • Page 230

    available, the HTTP Proxy Server on the Access Controller will cycle to the next available IP address. Step 4. In the Proxy Server Port field, type the TCP port number used for the proxy server. Step 5. Click Save to have your changes take effect. To restore these fields to the origina[...]

  • Page 231

    Figure 6-11. Network Settings: SSL Tab (Integrated Access Manager or Access Control Server only) The information at the top of the page shows information about the current certificate. Initially this will be the certificate generated and signed by HP ProCurve. Note: The Save butto[...]

  • Page 232

    Requesting an SSL Certificate To generate an SSL Certificate Signing Request (CSR): Step 1. From the SSL tab, click Generate CSR.... The Generate SSL Certificate Signing Request page appears, as shown in Figure 6-12, in a separate browser window. Figure 6-12. Input Page for Ge[...]

  • Page 233

    Figure 6-13. The Certificate Signing Request You can use this certificate signing request either to request a certificate from a CA, or to create your own self-signed certificate using an SSL toolkit, such as OpenSSL. Step 4. You may be able to paste this signing request directly i[...]

  • Page 234

    Loading the SSL Certificate When you receive your certificate from the CA, you can either copy the certificate information and paste it into the field provided, or you can place the certificate in a file and upload the file. Do not edit, add line breaks, or otherwise change any of [...]

  • Page 235

    Save and Restore Private Key The CSR you generate is based on a private key. If the private key is lost or regenerated, any CSRs based on the original private key become invalid. After generating the CSR, you should save the private key on your local system. It can then be recovered a[...]

  • Page 236

    Caution: Restoring a saved private key will invalidate an SSL certificate based on the current (different) private key. Restoring the Default SSL Certificate If the private key is lost or the certificate is corrupted or invalidated, you can revert to the default SSL certificate i[...]

  • Page 237

    Figure 6-16. Example of a Port Connection Type selection list To configure a port for a specific connection type, do the following: Step 1. On the Interfaces setup page select the Access Controller to configure. Step 2. Click the Speed/Duplex tab. The Speed/Duplex page for Access Control[...]

  • Page 238

    Note: If you want to set a port to half-duplex, but half-duplex is not offered as an option in the drop-down list, you will need to select a setting that does not specify an option, and allow the port to negotiate for half-duplex. For example, as shown in Figure 6-17, there is no se[...]

  • Page 239

    uplink port so that the default uplink (slot 0 port 2 on a 700wl Series system) is now a downlink port, then that port will appear on this page. The port being used as the uplink port will not appear. To configure subnet addresses for Access Controller ports: Step 1. On the Interfac[...]

  • Page 240

    configured to support routing the addresses you have configured for your ports through the Access Controller uplink port. For example, if the Access Controller’s IP address is 192.168.2.20 with subnet mask 255.255.255.0 (/24) and you configure a port to use 192.168.6.0 with mask /2[...]

  • Page 241

    Figure 6-19. SNMP Page Step 2. Select the system component for which you want to enable SNMP from the System Components List. Step 3. SNMP is disabled by default. Select Enabled from the SNMP drop-down menu to enable SNMP. This will enable SNMP for the selected component. Note: Enabling SNMP[...]

  • Page 242

    Note: Include a trap IP address only if you have an SNMP trap receiver listening for this information. HP proprietary SNMP trap events include fan failure, fan operational, and out-of-range temperatures. General SNMP trap events include SNMP authentication failures, which ar[...]

  • Page 243

    Figure 6-20. Date & Time Page Step 2. Using the System Components List on the left select the component for which you wish to set the date and time. You can select an Access Control Server, a single Access Controller, or a folder. If you select a folder, the date and time setting[...]

  • Page 244

    The format for the date is MM/DD/YYYY. For example, June 4, 2003 would be entered as 06/04/2003. The format for the time is HH:MM, using a 24 hour clock. For example, 6:23 PM would be entered as 18:23. b. Click Set Time Now to set the date and time according to settings you en[...]

  • Page 245

    Figure 6-21. Admin Setup page Step 2. Click New Admin... The New Admin page appears (see Figure 6-20). Figure 6-22. Admin Setup page Step 3. Fill in the fields as required (see Table 6-8) and select the administrator type from the drop-down menu. [...]

  • Page 246

    Table 6-8. New/Edit Admin Fields Field Description Name A descriptive name that identifies the Administrator. It can be the administrator's full name or any other meaningful name. This name may have up to 32 characters. Any 7-bit characters are allowed. Username The adminis[...]

  • Page 247

    • To edit an administrator account, click the administrator’s Name or Username, which are links to the Edit Admin page, or click the Pencil icon at the right of the row. The Super Administrator can change any of the settings for an administrator. • By default, a newly-added administra[...]

  • Page 249

    7 SETTING UP WIRELESS DATA PRIVACY This chapter explains how to configure the global settings for the security protocols. The topics covered in this chapter are: Overview of Wireless Data Privacy . . . . . . . . 7-1 Wireless Data Privacy Setup . . . . . . . . [...]

  • Page 250

    Setting up Wireless Data Privacy The encryption policy that defines how encryption applies to a specific client is determined through the Access Policy that defines rights for that client. The Access Policy can specify that encryption is required, that it is allowed but not required, or that it is di[...]

  • Page 251

    Setting up Wireless Data Privacy Figure 7-1. The Wireless Data Privacy tab Global Wireless Data Privacy Configuration Select the Wireless Data Privacy protocols you want to enable for the 700wl Series system. By default, all protocols are disabled. Enabling a security protocol makes it available fo[...]

  • Page 252

    Setting up Wireless Data Privacy The fields and settings under the Configuration for IPSec heading of the Wireless Data Privacy tab are as follows: Table 7-1. IPSec configuration settings Field Description IKE Authentication Method Select the IKE Authentication Method you plan to use: • To us[...]

  • Page 253

    Setting up Wireless Data Privacy Table 7-1. IPSec configuration settings Field Description ESP Encryption Select the appropriate algorithms for ESP encryption, or specify None. The 700wl Series system supports the following algorithms: • DES • 3DES • AES • Blowfish • CAST • Null The default[...]

  • Page 254

    Setting up Wireless Data Privacy Figure 7-2. The IPSec Certificate Configuration tab By default the Current Certificate area of the page shows “No certificate configured.” This area will show information about the certificate if one is installed. Step 2. Click Generate CSR... to begin creating a Certificate[...]

  • Page 255

    Setting up Wireless Data Privacy Step 3. Fill in the information in this form: a. Type the name in which the certificate should be granted. This can be an individual name or a title such as “Wireless Admin.” b. Type the email address for the certificate contact. c. Type your state or province. This is[...]

  • Page 256

    Setting up Wireless Data Privacy Step 6. Copy and paste the generated PKCS #10 certificate request, including the lines ----BEGIN CERTIFICATE REQUEST---- and ----END CERTIFICATE REQUEST---- into the appropriate field in the request form. Once you have copied and pasted the CSR, click Done to return to the IPSe[...]

  • Page 257

    Setting up Wireless Data Privacy You may need to enter the request ID or confirmation information you received when you submitted your certificate request. When your certificate is displayed, find the portions that you can copy and paste into the HP system. The example in Figure 7-6 shows the portion[...]

  • Page 258

    Setting up Wireless Data Privacy Figure 7-7. The Load Certificates page Step 12. Copy and paste the two certificates from your CA's web site into the two fields provided, and click Save. Be sure to include the ---BEGIN CERTIFICATE--- and ---END CERTIFICATE--- lines. Caution: Do not use the certificate import f[...]

  • Page 259

    Setting up Wireless Data Privacy Figure 7-8. The Certificates tab showing an installed certificate Step 13. Immediately create and save a backup of your system. This saves both the private key and the saved certificates. See “Backing Up and Restoring the System Configuration” on page 8-13 for infor[...]

  • Page 260

    Setting up Wireless Data Privacy The default is to have addresses assigned by a DHCP server. » To configure the IP Address assignment method for the tunneling protocols, click the VPN icon in the Navigation bar at the top of the Administrative Console, then click the IP Address Assignment tab. This displays the IP [...]

  • Page 261

    Setting up Wireless Data Privacy • The first DHCP request is taken to be a request for an outer tunnel address, and NAT is ALWAYS used, even if the Access Policy specifies Never for the Network Address Translation setting. Note: A side-effect of this behavior is that if encryption is “Allowed but not req[...]

  • Page 262

    Setting up Wireless Data Privacy 7-14 HP ProCurve Secure Access 700wl Series Management and Configuration Guide[...]

  • Page 263

    8 SYSTEM MAINTENANCE This chapter explains how to perform common administrative tasks including creating, storing, and restoring a backup file, updating system software, and shutting down a 700wl Series system component. It also describes how to reset the 700wl Series system to its factory defaul[...]

  • Page 264

    System Maintenance Figure 8-1. Software Setup page Step 2. From the System Components list in the left panel, select the component (Access Control Server or Access Controller) for which you want to restart or update the software image. This page displays information about the software installed in the selec[...]

  • Page 265

    System Maintenance Access Controller and using the Wireless Data Privacy protocols will temporarily lose their connections, and any remote CLI sessions over SSH will be terminated. It is recommended that you update your flash-based Access Controllers during times when system usage is low. Upgrading th[...]

  • Page 266

    System Maintenance Figure 8-2. The Update Software page From the Remote Update page you can initiate a software update from a remote FTP, TFTP, or HTTP server, or just check to see if any updates are available. Alternately, you may be able to perform an update using a software distribution file placed on a local s[...]

  • Page 267

    System Maintenance Remote Update The information that is required to update the software image from a remote site is described in Table 8-2. Table 8-2. Update Software, field/settings descriptions Field/Option Description URL The URL from which you want to check for software upgrade availability, or downloa[...]

  • Page 268

    System Maintenance If you want to check for upgrades on an alternate download site, you must enter the appropriate URL. Step 2. Click Check for Upgrades. This function checks the software version available on the download site against the software version currently installed in the component you have select[...]

  • Page 269

    System Maintenance Select Continue to proceed with the upgrade, or Cancel to return to the previous page without proceeding. Note: If your currently installed software is significantly older than the new version you are downloading, it may not be possible to revert to your old (Alternate) image without d[...]

  • Page 270

    System Maintenance If you enable Auto Refresh, the status page refreshes approximately every 15 seconds, displaying updated status information. After the download and unpack operations are complete, a completion message appears: New image successfully installed. If you specified an automatic rest[...]

  • Page 271

    System Maintenance Variable Value update_file Filename (including the path) of the software image Please contact HP ProCurve Technical Support for information on the current downloadable image. For TFTP or anonymous FTP, the path is relative to the anonymous FTP or TFTP root. If a user name and passw[...]

  • Page 272

    System Maintenance Step 2. In the 700wl Series system Administrative Console, under Maintenance/Software Update, select the Local Update tab to display the Local Update page, as shown in Figure 8-5. Table 8-3. Update Software, field/settings descriptions Field/Column/Option Description Up[...]

  • Page 273

    System Maintenance Figure 8-5. The Local Update Tab of the Update Software Function Step 3. In the Uploaded Software Versions table, select the row where you want the new uploaded version to be placed. If there is already a software image in that row, it will be replaced by the new image yo[...]

  • Page 274

    System Maintenance Step 6. In the .vdist File field, type the full path and name of the distribution file you downloaded, or click Browse to locate the proper directory and file name. Note: You can save the vdist files under different names, if you want. They do not need to have a .vdist extension. Step 7[...]

  • Page 275

    System Maintenance Caution: Restarting an Access Control Server or Integrated Access Manager will log off all clients on all Access Controllers. If possible, you should restart your system during a time when few clients are actively connected to the system. » To restart your system using the Alternate[...]

  • Page 276

    System Maintenance Note: You cannot restore from the internal backup image. You can only restore from an external file. Therefore, you must save the backup image to a file. » To back up a system configuration, click the Backup & Restore tab under the Maintenance button. The Backup & Rest[...]

  • Page 277

    System Maintenance Figure 8-8. Backup Confirmation Click Continue to proceed, or Cancel to return to the Backup & Restore page without creating the backup image. While the backup is in progress, an information page, as shown in Figure 8-9, is displayed. Figure 8-9. Backup In Progress Step 2. When the back[...]

  • Page 278

    System Maintenance Figure 8-10. Backup & Restore page after a successful backup » To save the backup to a file, click Save Backup As... . This initiates the File Download process on your local system. This typically involves a series of dialogs presented by your local system software, where you can select a[...]

  • Page 279

    System Maintenance Figure 8-11. Restore In Progress Confirmation Step 3. To proceed with the restore, click Continue. As part of the restore operation, the system is restarted. You will be required to log in again as administrator. Transferring a Backup to a Different System There may be situations[...]

  • Page 280

    System Maintenance Warning: DO NOT restore a backup to a duplicate Access Control Server that is connected to the same network as the original Access Control Server. Restoring a backup will restore the original Access Control Server's IP address (if a static IP address was configured) and the shared [...]

  • Page 281

    System Maintenance Figure 8-12. The Shutdown/Restart tab Restarting a System Component Restarting a component will briefly shut down the unit, then restart it using the Installed Version software image. This action does not power off the unit. To restart a selected system component: Step 1. Select[...]

  • Page 282

    System Maintenance Figure 8-13. Restart Confirmation Step 3. To proceed with the restart, click Continue. To cancel the restart, click Cancel. Shutting Down a System Component Shutting down a system component shuts down and powers off the selected unit. To shut down and power off a system component:[...]

  • Page 283

    System Maintenance Step 3. To proceed with the shutdown, click Continue. To cancel the shutdown, click Cancel. Resetting to Factory Default Settings Resetting a system to its factory defaults will clear the configuration database, reset all options to the factory default settings, and restart [...]

  • Page 284

    System Maintenance restore your configuration, you must restore from a backup image that was created and saved to an external file before the reset. A reset erases the backup image stored on the unit. On an Access Controller, however, if you have not deleted the Access Controller from the Acces[...]

  • Page 285

    9 LOGS This chapter presents tasks you can perform with these types of logging. Viewing 700wl Series System Logs . . . 9-1 Configuring Session Logging . . . [...]

  • Page 286

    Logs Figure 9-1. Log file display The Log File display table shows the log entries that exist at the moment you request the display. By default, the list is not refreshed unless you request a new display by clicking the Apply Filters button. You can set an automatic refresh interval using the filter settin[...]

  • Page 287

    Logs The log file display itself shows the following information: Table 9-2. Log file display Column Description (empty) This column is used to call attention to log entries with severity levels of Critical or Major. Entries at lower severity levels are not flagged. • The red octagon indicates an entry [...]

  • Page 288

    Logs — Categories: All Categories (default), Error, Info, Debug, Function Trace, Object Trace, Session Log. This is a multiple selection box—by using CTRL-click or Shift-click you can select multiple categories to include in a single filter. — Access Controllers: All Systems (default), localhost (the Access [...]

  • Page 289

    Logs Figure 9-2. Setting Up Session Logging Step 2. Type the information and select options as defined in Table 9-3. Table 9-3. Logging Setup Fields Field/Option Description Session Logging: Enabled Settings for session logging to a remote syslog server. Check Enabled to enable session logging. Uncheck[...]

  • Page 290

    Logs Note: Accurate time and date reporting is necessary for accurate and useful logs. To set the time and date, use the Date & Time tab in the Network area. Viewing the Session Logs The 700wl Series system log files provide informational messages, warnings and so on about the operation of the 700wl Se[...]

  • Page 291

    Logs Table 9-4. Session Log information Data Item Definition Actual Destination The actual destination IP address and port, if redirected or tunnelled through another Access Controller. Bytes Transmitted Total number of bytes transmitted during the session Bytes Received Total number of bytes [...]

  • Page 292

    Logs 9-8 HP ProCurve Secure Access 700wl Series Management and Configuration Guide[...]

  • Page 293

    A COMMAND LINE INTERFACE This appendix documents the commands that are available on the serial console as part of the Command Line Interface (CLI). The CLI enables initial configuration and subsequent troubleshooting of the 700wl Series system. The Command Line Interface commands are listed in the foll[...]

  • Page 294

    Command Line Interface Accessing the Command Line Interface There are two ways to access the Command Line Interface — either by directly connecting a serial console to the serial port on an Access Controller, Access Control Server, or Integrated Access Manager, or by connecting to the system remotely [...]

  • Page 295

    Command Line Interface Command Syntax You may see a variety of symbols shown as part of the command syntax. These symbols explain how to enter the command, and you do not type them as part of the command itself. Table A-1 summarizes command syntax symbols. Table A-1. Command Syntax Symbols Symbol Desc[...]

  • Page 296

    Command Line Interface This produces the following output: "add" commands: add bridging ... Add bridging options add snmpmanager ... Add an SNMP authorized manager add snmptrapreceiver ... Add an SNMP trap receiver To see details about one of these commands, you can again use a question mark. For example to[...]

  • Page 297

    Command Line Interface set superadmin pass | enable | disable <login> Set the password for a superadmin. Enable or disable a superadmin login. pass Change the password for the specified login name. The superadmin can change any password. enable Enable the specified login name. Only superadmins can e[...]

  • Page 298

    Command Line Interface show policyadmin [<login>] Show a specific policyadmin by specifying a login, or list all policyadmins by not specifying a login. set remote on | off Enables or disables remote technical support access. The default is disabled. This should be enabled only at the directi[...]

  • Page 299

    Command Line Interface 00:e0:18:7d:b5:3d 10.205.2.25 4 hrs, 50 mins show id Displays this system's ID, which is the MAC address of Slot 0 port 1. On a 700wl Series unit, the default uplink port is slot 0 port 2. (Slot 0 port 1 is the Reserved port.) Therefore, the MAC address of the uplink port, shown on the la[...]

  • Page 300

    Command Line Interface show deviceport <device> Shows the port or slot and port for a device. <device> The device name associated with a port, for example, dc0, dc1, sis0 For example, on an Integrated Access Manager 760wl the command: show deviceport sis0[...]

  • Page 301

    Command Line Interface Network Configuration Commands set hostname <hostname> Note: This command is supported on the Access Control Server or Integrated Access Manager only. Sets the system's hostname. The system hostname is also used as the SNMP system name. If you set a hostname, it mu[...]

  • Page 302

    Command Line Interface show ip Shows the current IP configuration. Output from this command looks similar to the following: Hostname: Domain Name: xyzcorp.com IP address: 192.168.10.157/24 DHCP enabled: No Default gateway: 192.168.10.1 DHCP server: None configured DNS servers: 192.168.2.248 192.168.2.205 WINS servers: No[...]

  • Page 303

    Command Line Interface set dns <primary-ip-address> [<secondary-ip-address>] Note: This command is supported on the Access Control Server or Integrated Access Manager only. For an Access Controller, this function must be performed through the Administrative Console on the managing Acce[...]

  • Page 304

    Command Line Interface Sets the IP addresses of the WINS servers. <primary-ip-address> The IP address of the primary WINS server for the system. <secondary-ip-address> The IP address of the secondary WINS server for the system (optional). clear wins Note: This command is supported on th[...]

  • Page 305

    Command Line Interface set portmedia {<port> | <slot>/<port>} "<media> [<media-option>]" Sets the port media setting for the specified port or slot and port. <port> | <slot>/<port> The port, or slot and port on which to set the media type and option. <[...]

  • Page 306

    Command Line Interface show portip Displays the current IP address and netmask settings, if set, for all ports in the system. Output from this command is similar to the following: Port settings Slot 1 Port 1 IP: Not set Slot 1 Port 2 IP: 192.168.5.1 Netmask: 255.255.255.0 Slot 1 Port 3 IP: 192.168.6.1 Netmask: 255.[...]

  • Page 307

    Command Line Interface Note: This command is not available on an Integrated Access Manager. Advanced Network Configuration Status show bridging Shows the current bridging settings. The current bridging types that may appear are: cdp Cisco Discovery Protocol wnmp Wireless Network Access Protocol atalk Ap[...]

  • Page 308

    Command Line Interface show ac [mac <mac-address>] Shows Access Controller settings for one or all Access Controllers connected to the Access Control Server or Integrated Access Manager. The default is to show all settings for all Access Controllers. mac <mac-address> Specifies the MAC a[...]

  • Page 309

    Command Line Interface show redundancy Shows the current redundancy (failover) settings. For example: show redundancy Redundancy configured state ---- Redundancy is disabled. No peer is specified. Peering priority is 0. Retry timeout to disabled peers is 60 seconds. Failover timeout is 30 seconds. On an Access Contr[...]

  • Page 310

    Command Line Interface Advanced Network Configuration set nat dhcp <ip-address> <subnetmask> [<lease-time> [<time-units>]] Sets the NAT DHCP subnet and lease time. <ip-address> The DHCP subnet address for NAT. The default is 42.0.0.0 <subnetmask> The subnet mask, in the form[...]

  • Page 311

    Command Line Interface remote datetime <ip-address> <date> <time> Sets the date and time on the system at <ip-address>. <date> The current date in yyyy/mm/dd format <time> The current time in h24:mm format. Caution: It is important that the system time be kept accurate,[...]

  • Page 312

    Command Line Interface remote reboot <ip-address> Reboot the system at <ip-address> remote rebootalt <ip> Reboot the system at <ip-address> to alternate software version. remote shutdown <ip-address> Shutdown the system at <ip-address> remote factoryreset <ip-[...]

  • Page 313

    Command Line Interface remote upgradereboot <ip-address> <url> <key> Upgrades the system at the specified IP address and reboots the system. <url> The URL encoded location of the software release to install. The format of the URL is <protocol>://<host>/<update file> or &[...]

  • Page 314

    Command Line Interface set pptp on | off Enables or disables PPTP. set l2tp on | off Enables or disables L2TP. set ipsecsecret [<secret> <secret>] Sets the IPSec shared secret. Prompts for the secret if not entered on the command line. clear ipsecsecret Clears the IPSec shared secre[...]

  • Page 315

    Command Line Interface show vpn Note: Even though you can only configure Wireless Data Privacy settings from the Access Control Server or Integrated Access Manager, you can use the show vpn command from an Access Controller to view these settings. Shows the current Wireless Data Privacy settings. Outp[...]

  • Page 316

    Command Line Interface show clients [mac <mac-address>] [sort {mac | ip | user | machine | port | sessions | idle}] [reverse] Lists all active clients. You can optionally sort the list by a number of criteria. <mac-address> MAC (Ethernet) address to display. Specified in the f[...]

  • Page 317

    Command Line Interface <stance>Deny</stance> < /ipsec> < pptp> <stance>Deny</stance> <mppe_stance>Accept</mppe_stance> <mppe_bits>0</mppe_bits> <mppe_stateful>False</mppe_stateful> <min_mschap>0</min_mschap> <allow_pap&[...]

  • Page 318

    Command Line Interface If you respond Y to continue with the backup, the following reminder appears: NOTE: After creating the backup image, you must transfer it from this Integrated Access Manager onto your local computer. store backup <url> [<filename>] Stores the backup on another system using FTP. [...]

  • Page 319

    Command Line Interface show backup Displays information about the list of local backups and the status of a running store backup or get backup task. Output from this command is similar to the following: Backup image created Nov 25 17:25:22 2002. No backup image 'store' or 'get' in progress. Upgrading the Sy[...]

  • Page 320

    Command Line Interface reboot Automatically reboot after installing the upgrade. The upgraded software is activated when the system is rebooted. version Displays the version of the software available for download at the specified URL. The software is not downloaded and the system is not restarted. mi[...]

  • Page 321

    Command Line Interface cancel upgrade Cancels the current get upgrade task. set upgrade proxy [on | off] [host <ip-address> [<port>]] [user <user> [<password>]] Configure a proxy server for retrieving software releases via FTP. on | off Enables and disables the proxy server. <ip-a[...]

  • Page 322

    Command Line Interface shutdown Shuts down the system. You are prompted to confirm that you want to shut down the system: This operation will shutdown this system and users may lose their connections. Are you sure you want to shutdown this system [n]? Resetting to Factory Defaults factoryreset Resets all user configur[...]

  • Page 323

    Command Line Interface • info: show all information, notice, warning, error, and critical log entries <lines> The maximum number of lines to be displayed. The default is 23. <count> The number of time units to be displayed, in combination with the <time-unit> variable. If no “for[...]

  • Page 324

    Command Line Interface Translates to: nslookup -timeout=10 <hostname> ping {<ip-address> | <hostname>} Pings an IP address or a hostname. If the hostname is not qualified, the domain name (as specified by the set domainname command) is appended. Translates to: ping -c 3 <ip-address>[...]

  • Page 325

    Command Line Interface traceroute {<ip-address> | <hostname>} [<hops> [<probes> [<probewait>]]] Displays the traceroute for an IP address or hostname. If the hostname is not qualified, the domain name (as specified by the set domainname command) is appended. <hops&g[...]

  • Page 326

    Command Line Interface clear ntpserver Clears the NTP servers' IP addresses or hostnames. This command also disables the NTP service if it was enabled. set ntp on | off Enables and disables the NTP service. set datetime <date> <time> Manually sets the current local date and time. <date&g[...]

  • Page 327

    Command Line Interface Controller. To modify these settings on an Access Controller, you must use the Administrative Console on the managing Access Control Server. set snmp on | off Turns SNMP support on or off. Turning SNMP on enables read-only access to the MIB. Turning it on when already on [...]

  • Page 328

    Command Line Interface set snmp contact <contact> Sets the SNMP sysContact object, defined in RFC 1213 as “the textual identification of the contact person for this managed node, together with information on how to contact this person.” Note: You cannot set this object from an ext[...]

  • Page 329

    Command Line Interface Trap IP Address: None Authorized Managers: None HP ProCurve Secure Access 700wl Series Management and Configuration Guide A-37[...]

  • Page 330

    Command Line Interface A-38 HP ProCurve Secure Access 700wl Series Management and Configuration Guide[...]

  • Page 331

    B FILTER EXPRESSION SYNTAX This appendix describes the syntax used to define user access rights (allowed traffic filters and redirected traffic filters), bridged traffic, and HTTP Proxy filters. It includes the following sections: Introduction . . . [...]

  • Page 332

    Examples are: “fddi src myHost”, “ip net 122.43”, and “udp port 44”. fddi is an alias for ether; they are treated identically as meaning “the data link level used on the specified network interface.” FDDI headers contain Ethernet-like source and destination addresses, and often contain Et[...]

  • Page 333

    Table B-1. Allowable Primitives (Continued) Primitive Explanation host host True if either the source or destination of the packet is host. ether dst ehost True if the Ethernet destination address is ehost. Ehost can be either a name from /etc/ethers or a number (see ethers(3N) for numeric for[...]

  • Page 334

    Table B-1. Allowable Primitives (Continued) Primitive Explanation ip6 proto protocol True if the packet is an IPv6 packet of protocol type protocol. This primitive does not chase the protocol header chain. ip6 protochain protocol True if the packet is an IPv6 packet, and contains a protocol header with type pro[...]

  • Page 335

    Table B-1. Allowable Primitives (Continued) Primitive Explanation ether proto protocol True if the packet is of ether type protocol. Protocol can be a number or one of the names ip, ip6, arp, rarp, atalk, aarp, decnet, sca, lat, mopdl, moprc, iso, stp, ipx, or netbeui. Note: Note these iden[...]

  • Page 336

    Table B-1. Allowable Primitives (Continued) Primitive Explanation expr relop expr True if the relation holds, where • relop is one of >, <, >=, <=, =, != • expr is an arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators [+, -[...]

  • Page 337

    C CREATING CUSTOMIZED TEMPLATES This Appendix explains how to develop custom templates for the Logon page, the optional Logoff pop-up page, and the optional Guest Registration page. It includes the following sections: Introduction . . . [...]

  • Page 338

    A Simple Logon Page Template Example The 700wl Series system logon page, in its simplest form, consists of two fields where the user enters his/her user name and password, and a button to invoke the logon function. Other optional elements can include a Logoff button, a Guest logon or Guest registra[...]

  • Page 339

    <!-- required functions --> @satmac() @interface() @java_works() @secret() @query() </FORM> </body> </html> The template file is a standard HTML file with the tmpl functions included. You should be sure to include any tags or meta-tags needed to make the display correctly in your browser environm[...]

  • Page 340

    Required Elements Form Tag <FORM action=/logon method=post name=logonForm> For the logon page only, there must be a form with the name attribute set to logonForm. The action and method attributes must also be set as shown. Buttons At least one of these buttons must be present on the page to enable a user to log in[...]

  • Page 341

    • @satmac(). This function returns an INPUT element of type hidden, with a value that is the client's MAC address.
    • @interface(). This function returns an INPUT element of type hidden.
    • @java_works(). This function returns an INPUT element of type hidden, with a value of 0. If a Logoff popup is specified (see[...]

  • Page 342

    In addition to including the realm field on the custom login page, the User specified authentication realm check box must be checked (on the Rights Manager Customize Web Pages by Location page). Note that this check box does not appear unless there are multiple authentication realms defined.
    Client Functions
    Th[...]

  • Page 343

    @set("variable", "value")
    Sets the value of a run-time variable. For example, to set the variable "month" to the month a client's rights expire, you would use:
    @set("month", @xlate_month("Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", [...]

  • Page 344

    </head>
    <body bgcolor="FFFFFF">
    <!-- specifies an image and a solid black line at the top of the form. The image must be stored in the Rights Manager via Images Upload -->
    <center>
    <img src="/images/galactic.gif"><br>
    <img src="/dot-black.gif" width="600" height="[...]

  • Page 345

    @secret()
    @query()
    <!-- Displays user and password fields, and three buttons, in a table -->
    <table width="600" cellspacing="0" cellpadding="1" bgcolor="#000000">
    <tr><td>
    <table cellspacing="0" cellpadding="5" width="100%" bgcolor="#ffffff"[...]

  • Page 346

    Figure C-2. Three-button logon page
    Changing the Logon Button Names
    If you want to change the names that appear on the buttons on the Logon page, you must use two INPUT statements per button: one with type=hidden and the value set to the required button value, and the other with type=submit and the value as the[...]

  • Page 347

    Example 3
    <FORM action="/cgi-bin/logon" method=post name=logonForm>
    (This is the FORM statement required at the beginning of the Logon form.)
    @satmac()
    @interface()
    @java_works()
    @secret()
    @query()
    (Not shown -- Code here to set up a table, present username and password input fields etc.)
    The following[...]

  • Page 348

    Customizing the Logon Page Messages
    There are a number of informational messages that may appear on the Logon page in certain circumstances. These messages may appear in the following circumstances:
    • After the client has clicked the logoff button, but before a new logon page appears, a logoff transit[...]

  • Page 349

    Guest Registration Template
    To configure a location to allow custom guest registration, there are three elements that must be in place:
    • Your main custom logon page must have a “Register as Guest” button instead of the “Logon as a Guest” button. This requires using “Register” instead of “Lo[...]

  • Page 350

    The page generated by this template is shown in Figure C-3.
    Example 4
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html>
    <head>
    <title>HP ProCurve 700wl Series Guest Registration Page</title>
    <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-[...]

  • Page 351

    <tr>
    <td align="right"><font size="2"> Last Name:</font></td>
    <td align="left"><INPUT type="text" name="lastname" size=15 /> </td>
    </tr>
    <tr>
    <td align="right"><font size="2"> Preferred Username: </font&[...]

  • Page 352

    Figure C-3. Guest Registration page produced by the template in Example 4
    Using a Logoff Pop-Up with a Customized Logon Page
    One of the options for user logoff, in browsers that support JavaScript, is to have a Logoff button appear in a pop-up browser window as soon as the user has logged on to the system. You can c[...]

  • Page 353

    The required elements in a Logoff Pop-up template are:
    Form Tag:
    <FORM action=/logon method=post name=logoffForm>
    A form with the name logoffForm is required, with action and method attributes set as shown.
    Buttons:
    One button must be present on the page to enable the user to log off.
    <INPUT name=logon_action type[...]

  • Page 354

    This generates the pop-up window shown in Figure C-4.
    Figure C-4. Logoff pop-up window
    When the user clicks the Logoff button, the Login window is immediately displayed in the same window, allowing the user to log in again.
    Redisplaying the Logon Page in a New Window
    The default 700wl Series-provided Logof[...]

  • Page 355

    Figure C-5. Logoff confirmation window
    When you click the link in this window, a fresh Logon page opens in a new window. To customize this logoff confirmation window, you can upload a custom template in the Logged Off Window field under the Custom Templates tab of the New or Edit Logon Customization page. T[...]

  • Page 356

    C-20 HP ProCurve Secure Access 700wl Series Management and Configuration Guide[...]

  • Page 357

    D TROUBLESHOOTING
    This appendix presents troubleshooting procedures for the 700wl Series system. Table D-1 shows the symptoms, probable cause and recommended actions for a variety of problems. The following are problems you may encounter when configuring your 700wl Series system components for[...]

  • Page 358

    Table D-1. System Configuration Troubleshooting Guide (Continued)
    Symptom(s): RADIUS Authentication not working
    Probable Cause: 1. RADIUS configuration incorrect 2. User name or password not valid
    Recommended Action: Test client authentication using Transaction Tracer (under Rights > Authentication Policies > Tools and Options) 1. Verify RA[...]

  • Page 359

    Table D-1. System Configuration Troubleshooting Guide (Continued)
    Symptom(s): Client has incorrect access
    Probable Cause: Rights misconfigured
    Recommended Action: For a connected client, view Client detailed rights status from the Status > Client Status page. For a non-connected client, use the [...]


  • Page 361

    E GLOSSARY
    The glossary defines terms that are used throughout the 700wl Series system. Some of the following terms are in common usage but may have 700wl Series system-specific meanings. These terms are defined in context in the chapter where they first appear.
    Term Definition
    802.11: See — IEEE[...]

  • Page 362

    Term Definition
    AH: Authentication Header protocol. AH digitally signs the entire contents of each packet, protecting your network against three kinds of attacks: Replay attacks, where an attacker captures packets, saves them until later, and resends them. These attacks may allow an attacker to impe[...]

  • Page 363

    Term Definition
    CLI: Command Line Interface: 700wl Series system Access Controllers, Integrated Access Managers, and Access Control Servers all have a command line interface through which they can be controlled, as an alternate to using the Administrative Console.
    Client: A machine, device, or user of [...]

  • Page 364

    Term Definition
    DNS: Domain Name Server - A DNS translates Internet domain names such as xyzcorp.com, into IP addresses.
    Downlink port: A port on an Access Controller or Integrated Access Manager to which a device at the network edge, such as a Wireless Access Point, switch, or hub, is connected.
    DSA: Direct[...]

  • Page 365

    Term Definition
    HTTP Proxy: A Web server that sits between a client application, such as a Web browser, and a real server. It intercepts all requests to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server. Proxy servers have two main purpos[...]

  • Page 366

    Term Definition
    IKE: A part of IPSec: IKE = Internet Key Exchange (Negotiates session parameters for the authentication header and ESP. Sets up Security Associations (SA))
    Inner Tunnel Address: For a connection using PPTP or L2TP, the IP address associated with the actual data from the client, encapsulated wi[...]

  • Page 367

    Term Definition
    L2F: Layer 2 Forwarding; a tunneling protocol from Cisco
    L2TP: Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP) used to enable a virtual private network (VPN) over the Internet. L2TP merges the best features of two other tunneling proto[...]

  • Page 368

    Term Definition
    Outer Tunnel Address: The IP address associated with a PPTP or L2TP connection within which the client traffic is encapsulated. This address will always be a NAT'ed address, regardless of the group NAT settings.
    Packet: A piece of data transmitted over a network that includes not only dat[...]

  • Page 369

    Term Definition
    Session redirectors: Client TCP and UDP sessions can be redirected from their original destination IP address or port.
    SNMP: Simple Network Management Protocol - The network management protocol of most modern TCP/IP-based networks. SNMP monitors the activity of various devices on a network [...]

  • Page 370

    Term Definition
    tcpdump: A program that prints out the headers of packets on a network interface that match specified filtering criteria. The syntax used by tcpdump is used by the 700wl Series system for specifying packet filters.
    TFTP: Trivial File Transfer Protocol - A lightweight version of FTP
    Time Window: A time w[...]

  • Page 371

    Term Definition
    Web server: Network host that acts as an HTTP server; a computer that provides World Wide Web services on the Internet; it includes the hardware, operating system, Web server software, TCP/IP protocols, and the Web site content (Web pages).
    WEP: Wired Equivalent Privacy - WEP is a[...]

  • Page 372

    Term Definition
    XML-RPC: XML-RPC is designed to be a simple procedural way for a client program to make function requests of another program. It provides similar functionality to SOAP, but is more limited and, generally, much simpler to use. The 700wl Series system supports the use of XML-RPC as an authenticat[...]

  • Page 373

    INDEX OF COMMANDS
    A
    add snmpmanager <hostname> | <ip-address> [/<mask>]  A-35
    add snmptrapreceiver <ip-address>  [...]

  • Page 374

    delete policyadmin <login>  A-5
    delete snmpmanager all | <hostname> | <ip-address> [/<mask>]  A-35
    dele[...]

  • Page 375

    remote upgradecheck <ip-address> <url>  A-21
    remote upgradereboot <ip-address> <url> <key>  A-21[...]

  • Page 376

    set syslogserver <ip-address> [<facility>]  A-17
    set timezone <general-tz> <specific-tz>  [...]

  • Page 377

    T
    traceroute {<ip-address> | <hostname>} [<hops> [<probes> [<probewait>]]]  A-32[...]


  • Page 379

    INDEX
    Numerics
    802.1Q VLAN tag
      specifying in Access Policy 4-46
      specifying in Connection Profile 4-33
    802.1x
      configuring as authentication service 5-16
      configuring RADIUS for 5-17
      monitored logon 5-3
    802.2 protocol 6-24
    802.3 protocol 6-24
    A
    Access Control Server
      changing administrator username/passw[...]

  • Page 380

      changing username/password on Integrated Access Manager 6-10
      changing username/password on Integrated System 6-12
      default name and password 2-4
      logging in as 2-4
      logging out 2-6
      troubleshooting incorrect password D-1
    Advanced Setup tab 6-21
      DHCP Network for NAT Clients 6-23
    aliasing in LDAP to get use[...]

  • Page 381

    browser-based logon 1-3, 5-2
    Built-in authentication service 5-2
    built-in database 4-16
      adding Access Points 4-22
      adding users 4-17
      network equipment 4-21
      retrieving MAC addresses from external LDAP service 4-24
      users 4-16
    C
    CDP bridge traffic 6-24
    centralized management and administration 2[...]

  • Page 382

    Ethernet bridging, enabling 6-24
    Expire timer, See reauthentication timeout
    export rights 5-50
    External 4-51
    external identity retrieval 5-28
    F
    Failover, See Access Control Server redundancy
    filters
      display filters 2-12
    folders
      creating or editing 6-13
      selecting for an Access Controller 6-12
      vs. Locatio[...]

  • Page 383

    LDAP service
      authentication troubleshooting D-2
      configuring for authentication 5-9
      configuring MAC address retrieval 4-26
      non-user binding 5-10
      retrieving MAC address users from 4-24
      user binding 5-10
      using aliasing to get user information 5-15
    License Information
      viewing 3-15
    Lightweight Dire[...]

  • Page 384

    P
    password
      changing for administrator 2-5
      troubleshooting D-1
    PDAs
      logon page options 5-33
    peer Access Control Server
      configuring peer name 6-6
      deleting 6-7
    PKI
      configuring for IPSec 7-5
    PKI certificates
      generating 7-5
    polling
      ARP request 6-25
      clients 6-25
    Port Address Translation (PAT) 2-21
    por[...]

  • Page 385

    syslog server, configuring 9-5
    Session Logs
      log entry format 9-6
      viewing 9-6
    session status
      filtering display 3-13
    Settings tab
      in a Connection Profile 4-32
      in Access Policy 4-45
    shared secret 6-7, 6-10
      configuring on Access Control Server 6-5
      for IPSec 7-4
      for RADIUS 5-20
    SLC protocol 6-24
    small browse[...]

  • Page 386

    V
    Verify via DNS HTTP proxy filter option 4-78
    Virtual LANs (VLANs) 1-6, 2-24
      and IP addressing 2-26
      and the 700wl system, overview 2-24
      specifying tag in Access Policy 4-46
      specifying tag in Connection Profile 4-33
    VLAN tags in Connection Profiles 4-29
    VPN tunneling
      and Network Address Trans[...]


  • Page 388

    © Copyright 2003 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. June 2004 Manual Part Number 5990-8809[...]