HP (Hewlett-Packard) 700wl Series service manual


A good user manual

The law obliges the seller to hand over to the buyer, together with the goods, the user manual for the HP (Hewlett-Packard) 700wl Series. A missing manual or incorrect information given to the consumer is grounds for a complaint on the basis of the device's non-conformity with the contract. The law permits the manual to be provided in a form other than paper, which has recently become common: a graphic or electronic version of the HP (Hewlett-Packard) 700wl Series manual, or instructional videos for users. The condition remains that the form be clear and understandable.

What is a manual?

The word comes from the Latin "instructio", that is, to put in order. Accordingly, the HP (Hewlett-Packard) 700wl Series manual contains a description of the steps of a procedure. The purpose of a manual is to make it easier to start up and use equipment or to carry out a particular activity. A manual is a collection of information about an item or service, a hint.

Unfortunately, few users find the time to read the HP (Hewlett-Packard) 700wl Series manual, yet a good manual not only lets you learn about a number of additional functions of the purchased device but also helps you avoid most breakdowns.

What should an ideal user manual contain?

First of all, the HP (Hewlett-Packard) 700wl Series manual should contain:
- information on the technical data of the HP (Hewlett-Packard) 700wl Series device
- the manufacturer's name and the year of manufacture of the HP (Hewlett-Packard) 700wl Series equipment
- rules for operating, configuring and maintaining the HP (Hewlett-Packard) 700wl Series equipment
- safety marks and certificates confirming conformity with standards

Why don't we read manuals?

Usually because of a lack of time and confidence in the individual functions of the purchased devices. Unfortunately, simply connecting and starting up the HP (Hewlett-Packard) 700wl Series is not enough. The manual contains a number of specific instructions concerning functionality, safety principles, maintenance methods (even which cleaning products to use), possible faults of the HP (Hewlett-Packard) 700wl Series and ways of solving problems that arise during use. Finally, the manual gives the address of the HP (Hewlett-Packard) website, in case the proposed solutions do not work. Manuals in the form of engaging animations or videos are currently very popular, and users take them in better than a brochure. This kind of manual lets the user watch the whole film without skipping the specification and the complicated technical descriptions of the HP (Hewlett-Packard) 700wl Series, as often happens with the paper version.

Why is it worth reading manuals?

Above all, here we find answers about the construction and capabilities of the HP (Hewlett-Packard) 700wl Series device, the use of individual accessories, and a range of information that lets you make full use of all its functions and conveniences.

After a successful purchase of equipment or a device, it is worth spending a few minutes getting to know each part of the HP (Hewlett-Packard) 700wl Series manual. Nowadays they are carefully prepared or translated so that they are not only understandable to the user but also fulfil their basic informational and support function.

Manual contents

  • Page 1

    www.hp.com/go/hpprocurve HP ProCurve Secure Access 700wl Series Management and Configuration Guide[...]

  • Page 2

    [...]

  • Page 3

    HP PROCURVE SECURE ACCESS 700WL SERIES MANAGEMENT AND CONFIGURATION GUIDE[...]

  • Page 4

    © Copyright 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another lang [...]

  • Page 5

    CONTENTS Preface Chapter 1 Introduction 700wl Series Overview 700wl Series Functions Client Authentication Client Access Rights Wireless Data Privacy and VPN Protocols Roaming Support Network Address Translation VLAN Tag Support Chapter 2 Using the 700wl Series System Initial Configuration o [...]

  • Page 6

    Chapter 3 System Status Viewing Status Information Viewing Equipment Status Viewing Access Control Server Status Viewing Access Controller Status Viewing Access Controller Status Details Viewing Client Status Filtering Client Status Information Viewing Client Details Viewing Session Status[...]

  • Page 7

    Modifying the Outside World Filter to Restrict Access Setting Up HTTP Proxy Filters Chapter 5 Configuring Authentication Authentication in the 700wl Series System The Rights Manager Authentication Policies Creating or Editing an Authentication Policy Configuring Authentication Services Configuring[...]

  • Page 8

    SSL Certificate Configuring Network Interfaces Configuring the Port Speed and Duplex Settings Port Subnet IP Address and Subnet Netmask Configuring SNMP Setting the Date and Time Setting Up Administrators Editing an Administrator’s Settings Editing Your Administrator Password Chapter 7 [...]

  • Page 9

    Appendix A Command Line Interface Accessing the Command Line Interface Connecting with a Serial Console Connecting Using SSH Using the CLI on an Integrated Access Manager Command Syntax Getting CLI Command Help Administrator Access Control Commands System Status and Information Commands Network Configurat[...]

  • Page 10

    Appendix D Appendix E Index of Commands Index Optional Elements C-5 Logon Page Template — A More Advanced Example C-7 Example 2 C-7 Changing the Logon Button Names C-10 Example 3 C-11 Customizing the Logon Page Messages C-12 Guest Registration Template C-13 Example 4 C-14 Using a Logoff Pop-Up with [...]

  • Page 11

    PREFACE This preface describes the audience, use, and organization of the Management and Configuration Guide. It also outlines the document conventions, safety advisories, compliance information, related documentation, support information, and revision history. Audience The primary audie[...]

  • Page 12

    The following notices and icons are used to alert you to important information. Table 2. Notices Icon Notice Type Alerts you to... None Note Helpful suggestions or information of special importance in certain situations. None Caution Risk of system functionality loss or data loss. Warning Risk of pers [...]

  • Page 13

    Chapter 6 – Configuring the Network This chapter describes how to configure the 700wl Series system components so that they work with your enterprise network. Chapter 7 – Setting up Wireless Data Privacy This chapter describes how to enforce security using IPSec, L2TP, and PPTP. Chapter 8 – Sy [...]

  • Page 14

    Index of Commands The Index of Commands is an alphabetized list of the CLI commands with references to the pages where they are documented. Related Publications There are several other publications related to the 700wl Series that may be useful: • 700wl Series Software Release Notes provides the most up-to [...]

  • Page 15

    1 INTRODUCTION This chapter provides a brief introduction to the 700wl Series system™ and its primary features. The topics covered in this chapter include: 700wl Series Overview 1-1 700wl Series Functions[...]

  • Page 16

    Introduction Figure 1-1 illustrates a 700wl Series system topology that is configured with redundant Access Control Servers for failover. Figure 1-1. 700wl Series topology Access Controller Access Control Server Access Controller Internet Redundant Access Control Server Guest Employees Untrusted User Em[...]

  • Page 17

    Introduction Clients that are successfully authenticated, Employees in Figure 1-1, are typically associated with Access Policies that provide access to secure network resources. Clients that are not successfully authenticated, Untrusted Users, are typically associated with an Access Policy that [...]

  • Page 18

    Introduction • RADIUS servers • Kerberos services • XML-RPC-based services • The Rights Manager’s built-in database. This is the default authentication service. You can populate it with user names and passwords through the Rights Manager. User Authentication is discussed in detail in Chapter 5, Configu[...]

  • Page 19

    Introduction Because the 700wl Series system identifies clients by MAC address, it is simple to detect when a device roams. A Linger Timeout determines the length of time a client has to complete a roam, that is to appear at a new physical location after disappearing from the old physical location. The setting[...]

  • Page 20

    Introduction Addressing in the 700wl Series System in Chapter 2, and Chapter 4, Configuring Rights include more extensive discussions of addressing considerations and NAT. VLAN Tag Support The HP System provides support for Virtual LAN (VLAN) tagging in several ways: • A client can be matched to a Connecti[...]

  • Page 21

    2 USING THE 700WL SERIES SYSTEM This chapter provides a brief introduction to using the 700wl Series system and its Administrative Console. It also provides an overview and discussion of a number of common tasks you may need to accomplish. The topics covered in this chapter include: Initial Configuration of the 7[...]

  • Page 22

    Using the 700wl Series System • Primary and secondary DNS server addresses • Shared secret, used to enable Access Controllers or a peer Access Control Server to establish a trusted communication relationship with the Access Control Server. This is actually an optional item in the initial ins[...]

  • Page 23

    Using the 700wl Series System The 700wl Series system provides three levels of administrator access: • A Network Administrator can configure the network parameters that enable the 700wl Series system to function in a network, such as configuring IP addressing, interface configuration, date a[...]

  • Page 24

    Using the 700wl Series System • Enable or disable Wireless Data Privacy protocols, configuring the address method and range for VPN tunneling, and configuring IPSec parameters • Update the 700wl Series system software • Back up a 700wl Series system component’s configuration, and restore the b[...]

  • Page 25

    Using the 700wl Series System Note: It is strongly recommended that you change the built-in administrator logon name and password as soon as possible. You should also set the date and time for each 700wl Series system component (Access Control Server, Integrated Access Manager, and Access Controller[...]

  • Page 26

    Using the 700wl Series System — Links within the page contents — Related Topics menu displayed using the Related Topics button Related Topics links: these are presented at the top of the page, or they can be accessed from a — Table of Contents and Index, accessed through the navigation pan[...]

  • Page 27

    Using the 700wl Series System Using the Administrative Console When you first logon to the Administrative Console, your browser displays the Equipment Status tab of the Status pages (Figure 2-3). Figure 2-3. Initial Page of the Administrative Console. Tabs Header Bar Page Title Left Panel Sub-Tab Na[...]

  • Page 28

    Using the 700wl Series System Figure 2-4. Header and Navigation Bars for an Access Control Server Information at the right side of the Header bar shows the username of the logged in Administrator, the IP address of the Access Control Server, and the current date and time. • If the IP address is labeled[...]

  • Page 29

    Using the 700wl Series System For details, refer to Chapter 4, Configuring Rights and Chapter 5, Configuring Authentication. Network The Network pages enable configuration of the 700wl Series system components to work with your enterprise network. Most pages in this area are available to Super Administ [...]

  • Page 30

    Using the 700wl Series System . Status Rights Network VPN Maintenance Logs • Equipment • Rights Setup • System • Wireless Data • Software Setup • Log Files Status Components Privacy Setup • Client Status • Identity Profiles • Network Setup • Certificates • Backup & • Logging Setup Re[...]

  • Page 31

    Using the 700wl Series System Left Panel The left panel contains explanatory or descriptive text about the page and its functions. It also contains controls for the features of the page, and navigation aids. The specific controls in the left panel depend on the function of the page. The left[...]

  • Page 32

    Using the 700wl Series System Display Filters and Auto Refresh Settings Some data, such as the contents of the log, can be very lengthy. To control the display of such information you can use filters to selectively display subsets of the total information. Figure 2-8. Display Filters and Auto Refresh S[...]

  • Page 33

    Using the 700wl Series System Tables In configure tables, each row in a table typically displays the key items that define the element represented by the table row. For example, rows in the Rights Assignment table show the Identity Profile, Connection Profile, and Access Policy that defines the Rig[...]

  • Page 34

    Using the 700wl Series System Figure 2-10. Data Tables Sortable column • Sortable Column Headings In some tables you can sort the items in the table based on the table columns. Column headings that allow sorting appear as a link when the cursor is rolled over the column name, as shown in Figure 2-10.[...]

  • Page 35

    Using the 700wl Series System Common Buttons The following table lists the common buttons used in the Administrative Console and gives their meaning. Table 2-1. Administrative Console Buttons Button Function Folder: This represents a user-defined folder for system components. Folders can be opened[...]

  • Page 36

    Using the 700wl Series System Basic System Configuration Tasks When you have completed the installation of your 700wl Series system following the instructions in the 700wl Series system Quick Start Guide or the 700wl Series system Installation and Getting Started Guide for the components in your system[...]

  • Page 37

    Using the 700wl Series System System Features and Concepts The following sections provide an introduction to some of the key concepts and functions that are central to the 700wl Series system. Many of these concepts are discussed in more detail in the appropriate chapters later in this Guide. Howev[...]

  • Page 38

    Using the 700wl Series System Figure 2-12. Access Controller Redirect Page Enterprise Class Redundancy The 700wl Series system supports Access Control Server redundancy and failover. Access Control Server failover provides high availability operation for clients in case of system outages, ne [...]

  • Page 39

    Using the 700wl Series System The communication between the two peer Access Control Servers is done via a proprietary message based protocol over TCP/IP. Upon restart, an Access Controller attempts to communicate with the primary Access Control Server. If that fails, the Access Controller[...]

  • Page 40

    Using the 700wl Series System or has some other configuration information you would prefer not to lose. The act of making it a secondary Access Control Server in an active redundant peer relationship will cause its configuration to be overwritten by the Primary Access Control Server configurat [...]

  • Page 41

    Using the 700wl Series System If a client is logged onto the 700wl Series system using PPTP or IPSec encryption, overhead related to packet encryption can reduce the actual throughput experienced relative to the specified throughput. If encrypted traffic is tunneled between Access Managers due to client r[...]

  • Page 42

    Using the 700wl Series System You specify the addressing mode for a client through the Access Policy. The 700wl Series system default is NAT mode. Note: If PPTP or L2TP is enabled in the Access Policy, then the NAT setting only affects how the inner tunnel address is assigned. The outer tunnel address i[...]

  • Page 43

    Using the 700wl Series System Controller. If the client is using a real IP address, all sessions must be tunneled back through the original Access Controller. • NAT provides some amount of protection to a client since no device other than the Access Controller can talk directly to the client. Thi[...]

  • Page 44

    Using the 700wl Series System How the 700wl Series system handles roamed sessions depends on the protocol used by the client to connect to the 700wl Series system, and whether the client’s IP address has been mapped using NAT or not. • When a NAT’ed client roams between Access Controllers (rath[...]

  • Page 45

    Using the 700wl Series System Figure 2-13. Connection Profile for Traffic Tagged with VLAN 10 You can then define an Access Policy that should apply to these clients and create a new row in the Rights table that associates the Access Policy with the VLAN-specific Connection Profile. For the purpose [...]

  • Page 46

    Using the 700wl Series System In this case, Authenticated clients with VLAN 20 tag will match the first row in the table, and will receive access rights based on the Access Policy created for members of that VLAN. Authenticated clients in VLAN 10 will not match the first row, but will match t[...]

  • Page 47

    Using the 700wl Series System • Create a variation of the default “Unauthenticated” Access Policy that includes the same access rights (which basically only allow a client to request authentication) but set the NAT option to When Necessary and the addressing option to Require DHCP. In th[...]

  • Page 48

    Using the 700wl Series System One way to work with this limitation is to place a switch between the Access Points and the Access Controller, with a separate connection between the switch and the Access Controller for each VLAN. The switch can use the SSID to determine the port to use to send traffic to the Acce[...]

  • Page 49

    3 SYSTEM STATUS This chapter explains how to view the system status tables of the 700wl Series system. You can view the status of any and all system equipment (Access Controllers and Access Control Servers), clients (users, identified either by username and password or by MAC address), and sessions. You c[...]

  • Page 50

    System Status Figure 3-1. Getting to Status Information There are four tabs in the status module: • Equipment Status presents an overview of the status of the Access Control Servers and Access Controllers. From this page you can view a more detailed status for each Access Controller. • Client Status p[...]

  • Page 51

    System Status If a display has more entries than will fit on one page (based on the Rows per Page filter setting), page navigation controls are enabled to let you navigate between the results pages. In the Client Status and Session Status views, you can sort the display by the data in any column. The headings [...]

  • Page 52

    System Status Viewing Access Control Server Status The Access Control Server status table, as shown in Figure 3-3, shows the following information: Table 3-1. Access Control Server status Row Description (Primary/Secondary) Access Control Server Status of the Access Control Server whose Administrativ[...]

  • Page 53

    System Status Figure 3-3. Access Control Server Tab for the Primary Access Control Server in a redundant configuration Viewing Access Controller Status The Access Controller status table displays the following information about each Access Controller: Table 3-2. Active Access Controllers Display Column Des[...]

  • Page 54

    System Status Figure 3-4. Access Controller Detail Page The Access Controller Detail page shows general status information for the Access Controller at the top of the page. Below this is a System Inventory tab that shows the status for each port on the Access Controller, grouped by slot. Table 3-3. A[...]

  • Page 55

    System Status Table 3-3. Access Controller Detail Page: System Inventory Display Column Description Status This column shows: • The MAC address of the port • The speed and duplex setting for the port, with the actual speed and duplex shown in parentheses. If the port is not connected the actual sett[...]

  • Page 56

    System Status » To display the client status, select the Access Controller and client type filtering parameters from the left panel and click Apply Filters. The display is updated to show the clients per your filter settings. You can view full client information only on a single Access Controller at a ti[...]

  • Page 57

    System Status Filtering Client Status Information To make it easier to find the information you need from a client status page, you can filter the display to show only a subset of the entries. » To filter a display, select the filtering parameters from the filter drop down lists in the left panel of [...]

  • Page 58

    System Status Figure 3-6. Client Detail Page The following information is displayed on this page: Table 3-6. Active Client detail information Information Description User The descriptive name of the user, if known. User name The user name (logon name) of the user or the MAC address, if the user is identifie [...]

  • Page 59

    System Status Table 3-6. Active Client detail information Information Description Current Access Controller Information about the Access Controller through which the user is connected: • Name of the Access Controller (by default the same as the IP address). • IP address of the Access Controller. • Sl[...]

  • Page 60

    System Status Figure 3-7. Client Detail page showing current rights in XML The Client Detail User Rights display shows the row in the Rights Table that this client matched, including the Identity Profile, Connection Profile and Access Policy associated with the client. The rest of the display shows the[...]

  • Page 61

    System Status The View Active Sessions page appears, as shown in Figure 3-8. Figure 3-8. Session Status Page » To filter the session data, select the desired filters and click Apply Filters. » To set an auto refresh interval, select the desired interval from the drop down list and click Apply Filter[...]

  • Page 62

    System Status Table 3-7. View Active Sessions Information Column Description Client Source Client Source: The IP address and port of the client system, as placed in the packet header by the client. Actual Source: For a client in NAT mode, the IP address and port of the Access Controller, as re-written afte [...]

  • Page 63

    System Status Table 3-8. Session Status Filtering Parameters Filter by: Details Access Controllers Lets you display only sessions for a selected Access Controller. You select the Access Controller from the drop-down list. Default is the first Access Controller in the list. Port Lets you display o[...]

  • Page 64

    System Status Figure 3-9. License Information Page 3-16 HP ProCurve Secure Access 700wl Series Management and Configuration Guide[...]

  • Page 65

    4 CONFIGURING RIGHTS This chapter describes how network access rights are assigned to clients through the 700wl Series system, and explains how to configure access control policies. The topics covered in this chapter include: Access Rights in the 700wl Series System[...]

  • Page 66

    Configuring Rights Time Window in which the connection exists, and optionally, a VLAN tag, to match the client to a Connection Profile. The combination of the Identity Profile and Connection Profile determines the Access Policy that is used to enforce access rights (the ability to pass traffic into the [...]

  • Page 67

    Configuring Rights The network administrator configures network access control policies by defining Identity Profiles, Connection Profiles and Access Policies, or by modifying existing profiles and policies. • An Identity Profile is associated with a set of one or more individual users and devic[...]

  • Page 68

    Configuring Rights • An Access Policy defines aspects of how a client interacts with the network. The Access Policy defines what traffic is allowed to be passed into the network, and what traffic will be redirected to alternate destinations. It can include HTTP proxy filters that specify what web sites [...]

  • Page 69

    Configuring Rights the Client Status tab under the Status button, and click Refresh User Rights Now. You can also refresh rights for individual clients, if appropriate. Configuring Access Rights–An Overview To configure rights in the 700wl Series system, you first need to decide how you want to c[...]

  • Page 70

    Configuring Rights Connection Profiles once the Access Controllers have been installed and the appropriate Locations have been created. b. Create Time Windows that specify hours of the day, days of the week, and so on, to allow or restrict access during specified times. For example, if you have temporar[...]

  • Page 71

    Configuring Rights Series system is matched to a row in the table based on its Identity Profile and Connection Profile, and receives access rights as specified by the Access Policy for that row. The 700wl Series system looks for a matching row starting at the top of the table, and stops at the first match. T[...]

  • Page 72

    Configuring Rights the new identification information. The user will now match one of the Identity Profiles near the top of the table. For example: • Suppose the client initially matches row 5, (Identity Profile “Any” and Connection Profile “Accounting”) and his logon information is sent t[...]

  • Page 73

    Configuring Rights Note: It is important that rows with the “Access Points” Identity Profile appear in the table before rows that contain the “Any” Identity Profile. Otherwise, the MAC address would match “Any” first, and would never get to the row with the “Access Points” Identity Pr[...]

  • Page 74

    Configuring Rights Figure 4-3. The New Rights Assignment Page Each field on this page contains a drop-down list from which you can select the components of a row in the Rights Assignment table, as defined in Table 4-1: Table 4-1. New / Edit Rights Assignment Page Field Definitions Field Description[...]

  • Page 75

    Configuring Rights Step 2. Specify where in the table the new row should be placed. Order is important in matching a client to a row. The default position is to place the row at the top of the table. Step 3. When you have made your selections, click Save to add this row to the table. Cancel returns you to the previou[...]

  • Page 76

    Configuring Rights Figure 4-4. The Identity Profiles Page The 700wl Series system provides three predefined Identity Profiles, and a Rights Administrator can create additional ones. The predefined Identity Profiles can be considered default or implicit profiles, as users will match them automatically based[...]

  • Page 77

    Configuring Rights Creating or Editing an Identity Profile To create a new Identity Profile, click the New Identity Profile... button at the bottom of the Identity Profile list. The New Identity Profile page appears, as shown in Figure 4-5, with an empty Name field. To edit an Identity Profile, click the [...]

  • Page 78

    Configuring Rights Figure 4-6. Creating a New Identity Profile, with User list displayed From this page, with the Users or Network Equipment list displayed, you can also add a new user or equipment item, or edit a user or equipment item. See “Users in the Built-In Database” on page 4-16 and “Networ[...]

  • Page 79

    Configuring Rights Limiting the number of logons per user does not prevent a user from logging on with that username and password—rather it prevents that user from matching this Identity Profile and thus getting rights based on matching this Identity Profile in the Rights Table. It is possible tha[...]

  • Page 80

    Configuring Rights Users in the Built-In Database Many organizations choose to authenticate their wireless users against a corporate database or authentication service. However, if you do not plan to use such a service, you can add users to the database built into the 700wl Series system and use that for aut[...]

  • Page 81

    Configuring Rights Table 4-2. Users Page Field Definitions Field Description Identity Profile Assignment The Identity Profile to which the user has been assigned, if any. If no Identity Profile has been assigned, the user will automatically match either the “Authenticated” profile (if it has bee [...]

  • Page 82

    Configuring Rights Figure 4-8. Adding a New User The fields on this page are as follows: Table 4-3. New User Fields Field Description Name A descriptive name that identifies the user in the 700wl Series system's Administrative Console. This is the name that appears in Client Status display, amon[...]

  • Page 83

    Configuring Rights Table 4-3. New User Fields Field Description Username/MAC Address The user's username (logon ID) or MAC address. A user may be identified by one or the other, not both. A username may have up to 50 characters. Any 7-bit characters are allowed. A MAC address can be entered with colons (:) [...]

  • Page 84

    Configuring Rights Step 2. Select the Identity Profile to which this user should be assigned by clicking the appropriate checkbox in the Identity Profiles table. As a rule, you would assign a user to only one Identity Profile, since the search for a match always stops at the first match found. Assigning a u[...]

  • Page 85

    Configuring Rights correctly in the system, however, if you want to manage these devices from within the 700wl Series system, you may want to assign them a specific set of access rights. You can add these devices to the built-in database and assign them to an Identity Profile so that they can get right[...]

  • Page 86

    Configuring Rights From the Network Equipment page you can also go directly to the Identity Profiles page or to the Users page by clicking the link near the top of the left-hand column, just below the page name. Creating or Editing an Equipment Entry To create a new network equipment entry, click New Ne[...]

  • Page 87

    Configuring Rights The fields on this page are as follows: Table 4-5. New Network Equipment Fields Field Description Name A descriptive name for the device. This name may be up to 32 characters in length. Any 7-bit characters are allowed. MAC Address The MAC address of the network device. A MA [...]

  • Page 88

    Configuring Rights To edit a Network Equipment entry in the built-in database, do the following: » Edit the fields to change the descriptive name or the MAC address. » To change the Identity Profile to which the equipment is assigned, remove the check from the old Identity Profile and check the checkbox for [...]

  • Page 89

    Configuring Rights an individual record for the MAC address. For example, suppose the record identified by cn=MACS contained the following values for uniqueMember: uniqueMember: cn=000122034a5b, o=XYZCorp, c=us uniqueMember: cn=01234567891a, o=XYZCorp, c=us uniqueMember: cn=22314a6721b7, o=XYZCorp, c=us The value of[...]

  • Page 90

    Configuring Rights Note: If you have an LDAP service configured for user binding, that service does not appear in this list. » To configure or change the settings for MAC address retrieval, click the configuration icon at the end of the row. You must configure the service for MAC address retrieval before you can e[...]

  • Page 91

    Configuring Rights Figure 4-12. Configuring MAC Addresses Retrieval Parameters for an LDAP Service The fields on this page are as follows: Table 4-6. Configuring MAC Address Retrieval, address retrieval parameters Field Description Authentication Service The name of the LDAP service being configure [...]

  • Page 92

    Configuring Rights Identity Profile membership information can be associated with a MAC address in one of two ways: • If each MAC address has its own record in the database, its group identity information may be kept as an attribute in the record. The Rights Manager can then search for each MAC addre[...]

  • Page 93

    Configuring Rights This means that the Rights Manager will use the search string found in the initial search (for example, the value returned from the uniqueMember attribute in the MACS record) to search for the individual MAC address record. Step 2. Type mymember in the field labeled Identity Informat[...]

  • Page 94

    Configuring Rights The Connection Profile is used in the Rights Assignment Table, in concert with the Identity Profile, to determine a client’s access rights. If the client is unknown (i.e. has not been authenticated and does not match a known MAC address in the built-in database) the Connection Profile de[...]

  • Page 95

    Configuring Rights » To edit a Connection Profile, click the Connection Profile name in the first column of the table, or click the pencil icon at the end of the row. This takes you directly to the Edit Connection Profile page (see “Creating or Editing a Connection Profile” on page 4-31). » [...]

  • Page 96

    Configuring Rights Figure 4-14. Creating a New Connection Profile, the Settings Tab To create or edit a Connection Profile, do the following: Step 1. Type a name for a new Connection Profile. You can change the name of an existing Connection Profile by typing a new name. Step 2. On the Settings tab, [...]

  • Page 97

    Configuring Rights Table 4-9. New Connection Profile Settings Tab Contents (Continued) Column Description VLAN Identifier How an 802.1Q VLAN Identifier (tag) should be used to determine whether a client matches this Connection Profile: • Select Match any VLAN tag if clients should always match [...]

  • Page 98

    Configuring Rights The Locations tab shows a list of the currently defined Locations. The columns in this list are as follows: Table 4-10. Locations Tab Column Definitions Column Description Name The descriptive name for the Location. Details The definition of the Access Controllers and ports inclu[...]

  • Page 99

    Configuring Rights • To select all Time Windows in the list, select the checkbox next to the Locations column heading. Clicking this checkbox a second time removes the checks from all Time Windows in the list. • To remove a Time Window from the profile, click its checkbox to remove the check. Step 5. C[...]

  • Page 100

    Configuring Rights » To delete a Location, click the trash can icon at the end of the row. » To create a new Location, click the New Location... button at the bottom of the Locations list. This takes you to the New Location page (see “Creating or Editing a Location”). From this page you can al[...]

  • Page 101

    Configuring Rights Time Windows A Time Window is a specification of a period of time, defined by specific dates or date ranges, days of the week, and hours of the day. Time Windows may be used to limit when a Connection Profile is available as a valid match for a client. If a client connects to the 700wl [...]

  • Page 102

    Configuring Rights Creating or Editing a Time Window To create a new Time Window, click New Time Window... at the bottom of the Time Window list. The New Time Window page appears, as shown in Figure 4-18, with a blank name field and default time settings. The Edit Time Window page is almost identical to th[...]

  • Page 103

    Configuring Rights Table 4-14. New Time Window Settings Setting Description Valid Days Specify a Time Window by days of the week: • The default is Any day • To specify particular days, click the Selected days radio button, then check the individual days of the week you want to include. Valid Times ?[...]

  • Page 104

    Configuring Rights Figure 4-21. The Access Policies Page The 700wl Series system provides five predefined Access Policies, and a Rights Administrator can create additional ones. The predefined Access Policies are: • Authenticated: This defines a default set of rights for users that have been successfully [...]

  • Page 105

    Configuring Rights Table 4-15. Access Policies Table Contents Column Description Allowed Traffic | Grid A list of the Allowed Traffic Filters selected for the Access Policy. Click Grid in the column heading to display all Access Policies and Allowed Traffic Filters in a grid format. See “The All[...]

  • Page 106

    Configuring Rights Figure 4-22. Access Policies and Allowed Traffic Filters in a Grid Format Each row represents an Access Policy. The Allowed Traffic Filters are shown in columns. Filters that are enabled for the Access Policy are represented by checks in the appropriate column checkbox. This format ma[...]

  • Page 107

    Configuring Rights Figure 4-23. Access Policies and Redirected Traffic Filters in a Grid Format Each row represents an Access Policy. The Redirected Traffic Filters are shown in columns. Filters that are enabled for the Access Policy are represented by checks in the appropriate column checkbox. T[...]

  • Page 108

    Configuring Rights Figure 4-24. Creating a New Access Policy, the Settings Tab To create or edit an Access Policy, Step 1. Type a name for the policy in the Name field. You can change the name of an existing Access Policy by typing a new name. Step 2. Select settings or enter data on each of the tabs[...]

  • Page 109

    Configuring Rights To add the modified Access Policy as a new Access Policy, leaving the original Access Policy unchanged, click Save As Copy. The Save As Copy button is available only on the Edit Access Policy page. After a Save As Copy the page remains displayed so you can make additional changes. C[...]

  • Page 110

    Configuring Rights Table 4-16. New Access Policy Settings Tab Contents Column Description VLAN Identifier How a VLAN Identifier (tag) should be handled: • Select Remove any pre-existing tag to remove the VLAN tag (if any) associated with client packets, resulting in untagged traffic being forward [...]

  • Page 111

    Configuring Rights Table 4-16. New Access Policy Settings Tab Contents Column Description Key Length (PPTP only) For PPTP, the minimum MPPE (RC4) session key length: • Select 40 bits to allow a 40-bit or 128-bit key. This is the default. • Select 128 bits to allow a 128-bit key only. • Select no[...]

  • Page 112

    Configuring Rights address is valid if it falls within that address range. If the address does not fall within the port’s address range, NAT is used, even if the address is within the Access Controller’s subnet. — If there is no range assigned for the port, then the client’s IP address is vali[...]

  • Page 113

    Configuring Rights The Allowed Traffic Tab Allowed Traffic filters are traffic filters that identify packets that are permitted to be forwarded by an Access Controller. If you are creating a new Access Policy, the Allowed Traffic filters are displayed in alphabetical order. If you are editing[...]

  • Page 114

    Configuring Rights Figure 4-25. Creating an Access Policy, the Allowed Filters Tab Note that if the filter you select is one of a DNS or WINS filter pair, you must also include the corresponding Redirected Traffic member of the pair in your Access Policy, to redirect traffic to the proper DNS or WINS serve[...]

  • Page 115

    Configuring Rights The Allowed Traffic list shows all existing Allowed Traffic filters. These are displayed in alphabetical order if you are creating a new Access Policy. If you are editing an Access Policy, the filters included in the policy are displayed at the top of the list. The following informatio[...]

  • Page 116

    Configuring Rights Table 4-18. Predefined Allowed Traffic Filters Allowed Traffic Filter Description Internal rights UI Allows access to the Rights Manager pages via the Access Controller defined in @INTERNAL@ (by default 42.0.0.1) IP Fragments Allows subsequent packet fragments for packets that e[...]

  • Page 117

    Configuring Rights Figure 4-26. Creating an Access Policy, the Redirected Traffic Tab The Redirected Traffic list shows the following information about each filter: Table 4-19. Redirected Traffic List Definitions Column Description Name The name for the Redirected Traffic Filter. Details The opti[...]

  • Page 118

    Configuring Rights Note: Redirected Traffic filters are evaluated in the order that they appear in the Redirected traffic list of each Access Policy. When a packet matches a Redirect filter, it is immediately redirected to the appropriate destination. Therefore, an incorrect ordering of Redirect[...]

  • Page 119

    Configuring Rights Table 4-20. Predefined Redirected Traffic Filters Redirected Traffic Filter Description No internal IAM UI Redirects Integrated Access Manager UI access requires via 42.0.0.1 No internal rights UI Redirects Rights Manager UI access requests via 42.0.0.1 to the SSL Stop page No SS[...]

  • Page 120

    Configuring Rights To configure automatic HTTP Proxy filtering for this Access Policy, select the HTTP Proxy tab, as shown in Figure 4-27, and select or enter data into the fields as described in Table 4-21. Figure 4-27. Creating an Access Policy, the HTTP Proxy Tab The fields under the HTTP Proxy [...]

  • Page 121

    Configuring Rights Table 4-21. HTTP Proxy Tab Field Definitions Field/Column Description • Allow FQDN Accept HTTP traffic destined for the specified fully-qualified domain name (e.g. www.domain.com) • Allow Host Accept HTTP traffic destined for the specified host name (e.g. www or home) • A[...]

  • Page 122

    Configuring Rights The Bandwidth Tab 700wl Series system version 4.0 provides the ability to limit the bandwidth available to each client to prevent network performance degradation. Using Access Policies, bandwidth can be limited on a client by client basis. Separate limits can be set for upstream and downst[...]

  • Page 123

    Configuring Rights Bandwidth Rate Limiting in the 700wl Series system 700wl Series system version 4.0 provides bandwidth rate limiting (or “policing”) on a per-client basis. Each client may use bandwidth as necessary up to the upstream or downstream limit set by the Access Policy currently in force for[...]

  • Page 124

    Configuring Rights The Linger Timeout The Linger timeout enables the 700wl Series system to force a logoff for clients that have disconnected from the network without logging off. If the Access Controller determines that a client has been non-responsive for a specified period of time, the Access Cont[...]

  • Page 125

    Configuring Rights Figure 4-29. Creating an Access Policy, the Timeout Tab The fields under the Timeout tab are as follows: Table 4-23. Timeout Tab Field Definitions Field Description Linger Timeout How long a client remains known to the 700wl Series system after being disassociated from an Access Cont[...]

  • Page 126

    Configuring Rights Table 4-23. Timeout Tab Field Definitions Field Description Never force users to reauthenticate Allows client sessions to remain connected indefinitely without requiring reauthentication. • Check the radio button to select this option. This is the default. Allowed Tra[...]

  • Page 127

    Configuring Rights Figure 4-30. The Allowed Traffic Filters List The Allowed Traffic list shows the Allowed Traffic filters in alphabetical order, and includes the following information about each filter: Table 4-24. Allowed Traffic List Definitions Column Description Name The name for the Allow[...]

  • Page 128

    Configuring Rights » To delete a filter, click the trash can icon at the end of the row. » To create a new filter, click the New Filter... button at the bottom of the filter list. This takes you to the New Filter: Allowed Traffic page (see “Creating or Editing an Allowed Traffic Filter”). From this page[...]

  • Page 129

    Configuring Rights To create or edit an Allowed Traffic filter, do the following: Step 1. Type a name for this filter. You can change the name of an existing Allowed Traffic filter by typing a new name. Step 2. Type a description for the filter, or modify the existing description. Step 3. To specify[...]

  • Page 130

    Configuring Rights Redirected Traffic Filters Redirected Traffic filters are traffic filters that identify packets sent from a client that should be redirected to a new destination. Some Redirected Traffic filters may simply forward the packet to an alternate destination that performs the same functio[...]

  • Page 131

    Configuring Rights The Redirected Traffic list shows the Redirected Traffic filters in alphabetical order, and includes the following information about each filter: Table 4-25. Allowed Traffic List Definitions Column Description Name The name for the Redirected Traffic Filter. Details The option [...]

  • Page 132

    Configuring Rights Figure 4-33. Creating a New Redirected Traffic Filter You can create the filter specification in one of two ways: • Specify the traffic protocol, and the destination IP address and port, or • Define the filter as a regular expression in tcpdump syntax. This enables you to define[...]

  • Page 133

    Configuring Rights b. If the protocol requires a destination port, type it into the Port field. If the protocol does not support port specifications, N/A appears in the port field. You can enter a single port, or use an asterisk (*) to specify all ports. You can access a list of ports by clicking the View but[...]

  • Page 134

    Configuring Rights Click Cancel to return to the previous page without making any further changes. Built-in and User-defined Address Variables For use in both Allowed and Redirected Traffic Filters, the 700wl Series system provides a set of pre-defined address variables for various system componen[...]

  • Page 135

    Configuring Rights Table 4-26. Predefined Address Variables Address Variable Value / Description @INTERNAL@. The address of the Access Control Server Administrative Console. By default this is 42.0.0.1, but if you have reconfigured the address range for the internal DHCP server used for providing NAT a [...]

  • Page 136

    Configuring Rights Table 4-27. Edit Address fields Field Definition Name The name of the variable. May be up to 32 uppercase alphabetic characters (no numerals or other characters). You may include the “@” at the beginning and end, but do not need to – the system will add them if necessary. Value The[...]

  • Page 137

    Configuring Rights Figure 4-36. WINS Filters List The Filter list shows the DNS or WINS filter pairs in alphabetical order, and includes the following information about each pair: Table 4-28. DNS or WINS Filter Pair list definitions Column Description Name The name of the filter pair. Description The optio[...]

  • Page 138

    Configuring Rights The Edit Filter pages are almost identical to the New Filter pages, except that the name, description, and server definitions are displayed for the filter you have selected, and a Save As Copy button is provided. Figure 4-37. Creating a New DNS Filter The first time you view one of these pag[...]

  • Page 139

    Configuring Rights the list, using the multi-select mechanism supported by your browser (typically Ctrl-click and Shift-click). The 700wl Series system selects a destination server at random from the servers you have selected, at the time rights are assigned to the client. That destination is used until t[...]

  • Page 140

    Configuring Rights Figure 4-38. HTTP Proxy Filters List The HTTP Proxy list shows the HTTP Proxy filters in alphabetical order, and includes the following information about each filter: Table 4-29. HTTP Proxy Filter List Definitions Column Description Name The name for the HTTP Proxy Filter. [...]

  • Page 141

    Configuring Rights The Edit Filter: HTTP Proxy Traffic page is almost identical to the New Filter page, except that the name, description, and the filter and destination definitions are displayed for the filter you have selected, and a Save As Copy button is provided. Figure 4-39. Creating a New HTTP Prox[...]

  • Page 142

    Configuring Rights Table 4-30. HTTP Proxy Filter Types Filter Rule Type Description • Allow Reg Accepts HTTP traffic to a destination specified as a regular expression that evaluates to an address or address range For example “(.*).domain.com” • Deny IP Redirects HTTP traffic destined for a spe [...]

  • Page 143

    Configuring Rights Example–Modifying the “Guest Access” Access Policy The following sections provide examples of how to modify access rights by editing the settings for an Access Policy. The Guest Access Access Policy is used as the example because you will need to modify this Access Policy (or create a co[...]

  • Page 144

    Configuring Rights Step 2. In the Access Policy column of the table, click Guest Access to display the Edit Access Policy page for the Guest Access Access Policy. Step 3. Click the Allowed Traffic tab to display the Allowed Traffic filters currently selected for this Access Policy, as shown in Figure 4-41. Note [...]

  • Page 145

    Configuring Rights Figure 4-41. The Allowed Traffic filters for the Guest Access Access Policy Step 4. Find the row for the Outside World filter, as shown in Figure 4-41, and click the checkbox to select the filter. Step 5. Click Save to have this change take effect. HP ProCurve Secure Access 700wl Se[...]

  • Page 146

    Configuring Rights Modifying the Outside World Filter to Restrict Access If the Outside World Allowed Traffic filter is not sufficiently restrictive for your network environment, you can modify it (or create a new filter) to restrict access to multiple subnets or IP addresses. Step 1. From the Allowed [...]

  • Page 147

    Configuring Rights See Appendix B, “Filter Expression Syntax” for details of the tcpdump syntax. Note: Tcpdump syntax is case sensitive. All keywords must be in lower-case to be recognized. Step 6. If you have changed the Outside World filter, click Save to replace the current Outside Worl[...]

  • Page 148

    Configuring Rights Figure 4-43. Configuring Proxy Filters to limit access for the Guest Access Access Policy Step 3. To create the filters you need, click New Filter... . See “HTTP Proxy Filters” on page 4-75 for details on creating HTTP proxy filters. Step 4. Select Enabled from the drop down field t[...]

  • Page 149

    5 CONFIGURING AUTHENTICATION This chapter describes how clients are authenticated through the 700wl Series system, and explains how to configure authentication policies. The topics covered in this chapter include: Authentication in the 700wl Series System [...]

  • Page 150

    Configuring Authentication specification, determine a Connection Profile for the client. The client’s identity (who the client is) is determined through the authentication process. This is used to determine an Identity Profile for the client. The combination of the Connection Profile and Identity Profile d[...]

  • Page 151

    Configuring Authentication client, the username and password is sent to the next service, and so on. If all services in the list fail to authenticate the user, then the user will continue to have only unauthenticated logon rights. • Monitored Logon With monitored logon, the HP system passes the initial packe[...]

  • Page 152

    Configuring Authentication The Rights Manager The configuration of network Authentication Policies is done through the Rights module, accessed by clicking the Rights icon on the Navigation bar. Many of the functions within the Rights module—specifically those associated with creating or modi[...]

  • Page 153

    Configuring Authentication Figure 5-1. The Authentication Policies Page The Authentication Policies table shows the currently defined Authentication Policies. This table shows the following information about each Authentication Policy: Table 5-1. Authentication Policy Table Contents Column Desc[...]

  • Page 154

    Configuring Authentication Creating or Editing an Authentication Policy To create a new Authentication Policy, click the New Authentication Policy... button at the bottom of the list on the Authentication Policy page. The New Authentication Policy page appears (see Figure 5-2) with the Authentication Serv[...]

  • Page 155

    Configuring Authentication • To edit an Authentication Service, click the name of the service you want to edit, or click the pencil icon at the end of the row. This takes you directly to the Edit Authentication Services page for the filter you selected. Note: You cannot edit the built-in Authentication Ser[...]

  • Page 156

    Configuring Authentication Figure 5-3. The Authentication Services Page The Authentication Services table shows the currently defined Authentication Services. This table shows the following information about each Authentication Service: Table 5-2. Authentication Services Table Contents Column Descript[...]

  • Page 157

    Configuring Authentication appears (see Figure 5-4). The page initially displays the configuration options for an LDAP Authentication Service. The Edit Authentication Service - LDAP page is almost identical to the New Authentication Service - LDAP page, except that the page and settings displayed a[...]

  • Page 158

    Configuring Authentication Figure 5-4 shows the configuration page for configuring an LDAP service with non-user binding. For many of the options on the LDAP service page, the values you enter are dependent on the configuration of your LDAP service, so a thorough knowledge of your LDAP implementation is necess[...]

  • Page 159

    Configuring Authentication The information required to configure an LDAP service for authentication is defined in the following tables. Table 5-3 defines the fields on the top part of the page: Table 5-3. LDAP Authentication Configuration Options, Top Part of the Page Field/Option Description[...]

  • Page 160

    Configuring Authentication If you select Non-user bind, the remaining fields on the page are as follows: Table 5-4. LDAP Authentication Configuration Options, Non-User Bind Field/Option Description Use the user name field as an alias to find the user's DN and authenticate by rebindin[...]

  • Page 161

    Configuring Authentication » For detailed instructions for setting up an Active Directory server, see “Using the Active Directory LDAP Service” on page 5-13. » For detailed instructions for setting up a Netscape or iPlanet server, see “Using a Netscape or iPlanet Directory Service” on page 5-14. Using [...]

  • Page 162

    Configuring Authentication To use User binding for authentication where the user logon ID is used as the DN, do the following: a. Select User bind from the drop-down field. b. Enter the following into the User bind string field: <domain name>%s For example, for domain XYZCorp.com, this would be XYZC[...]

  • Page 163

    Configuring Authentication Step 3. Specify some additional options for this LDAP server: a. The timeout value specifies the length of time the 700wl Series system waits for a response to an authentication request before it abandons the request. The default is 120 seconds. You can change this as approp[...]

  • Page 164

    Configuring Authentication Then, do the following: Step 1. Because you are sending a password in the clear, make sure that you are using SSL. Step 2. Select Non-user bind. Step 3. Click the radio button labeled Use the username field as an alias to find the user's dn and authenticate by rebinding[...]

  • Page 165

    Configuring Authentication Along with the authentication results, you can obtain the user’s group affiliation from the authentication process. The returned group information will be used to match the user to an Identity Profile in the Rights Assignment table. This assumes you have created Identity Profil[...]

  • Page 166

    Configuring Authentication Figure 5-6. Creating a New Authentication Service - Kerberos Step 5. Enter the information required to configure a Kerberos service for use with authentication as defined in Table 5-7: Table 5-7. Kerberos Authentication Service Configuration Field/Option Descri[...]

  • Page 167

    Configuring Authentication Configuring a RADIUS Authentication Service Note: The 700wl Series system Access Control Server must be configured as a RADIUS client on your RADIUS server. To configure the 700wl Series system to use a RADIUS database for user authentication: Step 1. Click the Rights button in[...]

  • Page 168

    Configuring Authentication The information required to configure the RADIUS service for authentication is defined in Table 5-8 as follows: Table 5-8. RADIUS Authentication Service Configuration Field/Option Description Name Your name for this authentication method. You can use any alphanume[...]

  • Page 169

    Configuring Authentication » To use a RADIUS service for accounting, you must configure a RADIUS server as an Authentication Service, and check the Supports RADIUS Accounting (RFC-2866) on port checkbox and enter the appropriate port number to which the 700wl Series system should send the accounting data. Spe[...]

  • Page 170

    Configuring Authentication Field Data Acct-Session-ID The unique ID for this client session Acct-Session-Time The seconds this client was logged on this Access Controller. Sent only with a Stop packet. Note: When an authenticated client roams to a new Access Controller, a Stop packet is sent up[...]

  • Page 171

    Configuring Authentication • The Rights Manager uses the group information and the start and stop times from the user profile to temporarily map the user to a matching Identity Profile, during the time frame defined by the stop and start times in the profile. At other times (outside the ran[...]

  • Page 172

    Configuring Authentication The information required to configure an XML-RPC authentication service is defined in Table 5-9 as follows: Table 5-9. XML-RPC Authentication Service Configuration Field/Option Description Name Your name for this authentication method. You can use any alphanumeric stri[...]

  • Page 173

    Configuring Authentication These parameters are shown in Table 5-10: Table 5-10. Parameters for Authenticate Call Parameter Type Description userid string User logon from 700wl Series system logon page password string Password from 700wl Series system logon page, in clear text location string Name o[...]

  • Page 174

    Configuring Authentication Table 5-11. Name/value Pairs Returned by Authenticate Response Name Type Value and Description validTimes string An array of strings that define the times when a user is given the rights associated with the group. Members are name-value pairs as follows: startTime stri[...]

  • Page 175

    Configuring Authentication <value><string>Monday:Wednesday:Friday</string></value> </member> <member><name>startDate</name> <value><string>2002-04-01</string></value> </member> <member><name>stopDate</name> <value><string>2002-05-31&l[...]

  • Page 176

    Configuring Authentication enabled in any other Access Policies that may be in force when a client is required to reauthenticate. The Allowed Traffic Filter for LDAP must be created and then enabled in the appropriate Access Policies. Note: Cached Logon requests from Windows clients are not supported because [...]

  • Page 177

    Configuring Authentication • First, you must configure an LDAP Authentication Service to be used to retrieve the group identity information. You must specify Non-User binding—either rootdn/rootpw binding or anonymous binding (if the service allows anonymous bind). See “Configuring an LDAP A[...]

  • Page 178

    Configuring Authentication Logon Page Customization The 700wl Series system Rights Manager provides default Logon, Logoff, Stop, and Guest Registration pages that are displayed when users are to be authenticated using Web-based logon. The default logon page displays the HP ProCurve log[...]

  • Page 179

    Configuring Authentication Through the Rights Manager, you can customize the appearance of the Logon, Logoff and Stop pages in the following ways: • You can create customized versions of the standard Logon, Logoff and Stop pages by including your own text and logos. • You can associate a different cu[...]

  • Page 180

    Configuring Authentication Customizing a Logon Page To create a new logon customization page, do the following: Step 1. From anywhere within the Rights Manager, click the Logon Customization tab. Step 2. Click New Logon Customization… The New Logon Customization page appears, as shown in Figure 5-12. Ste[...]

  • Page 181

    Configuring Authentication Figure 5-12. New Logon Customization Page Customizing the Logo In the Logos section of the New/Edit Logon Customization page you can customize the logo (image) that appears on the logon and logoff web pages. The filename of the current logo is displayed underneath the filename entry[...]

  • Page 182

    Configuring Authentication of a small screen. You can change this logo to be a small version of your own logo for use with small browsers. To change either logo, do the following: Step 1. Go to the Logos section of the New/Edit Logon Customization page and select the logo you wish to change. Step 2. In e[...]

  • Page 183

    Configuring Authentication Step 2. Place a check mark in the Allow users to specify authentication policies checkbox if you want users to choose a specific Authentication Policy from a group of Authentication Policies. When this option is checked, the Logon page will display a drop-down field that will a[...]

  • Page 184

    Configuring Authentication If you select the Guest Registration option, the Guest Registration page appears as shown in Figure 5-14. Figure 5-14. Guest Registration page If you choose to require guests to register before logging on, the following process will occur when they log on to the system. ?[...]

  • Page 185

    Configuring Authentication network. However, if the user goes to the logon page again while he/she is still logged on, the logon page indicates that the user is already logged on and provides a logoff button. As an option, you can have a small logoff page open in a new window as soon as the user succes[...]

  • Page 186

    Configuring Authentication Step 2. In the textbox labeled Stop Page Text enter the text you want to display on the Stop page. This can include HTML formatting commands. Step 3. Click Save. To clear the stop page text after it has been set, click Reset to Defaults at the bottom of the page. Note: Clicking Rese[...]

  • Page 187

    Configuring Authentication Customized Page Templates If you want to create pages that are customized beyond the options provided on the Customize Web Pages by Connection Profile page, you can create your own templates for the Logon, Logoff, Stop, and Guest Registration pages. Through a template you can lay out the [...]

  • Page 188

    Configuring Authentication Figure 5-17. Logon Customization: Custom Templates Step 4. In the appropriate field (Logon Page, Logoff Window, Stop Page, or Guest Registration Page), type the path and name of a .tmpl file on your local system that contains the template, or click Browse to locate the prop[...]

  • Page 189

    Configuring Authentication The page will redisplay showing the loaded image, see Figure 5-18. Note: The template images area shows ALL images available for use in custom templates, not just those you have loaded for a specific custom template. To delete an image, click the trashcan icon on the same row a[...]

  • Page 190

    Configuring Authentication Step 7. To indicate that an image is to be used with the customized logon page you are creating, check the box to the left of the image. This notifies the system that this image should be downloaded to the Access Controller with the custom template code. Note: Only those images y[...]

  • Page 191

    Configuring Authentication Note: The User Rights Simulator does NOT show you the actual rights of a user who is currently logged on, but shows you the rights a user would have as if they were logged on at a particular time and location. To view the current rights for a logged-on user, see “Viewing Client[...]

  • Page 192

    Configuring Authentication Table 5-12. User Rights Simulator Fields Field Description Access Controller and Port The Access Controller, slot and port to be used to simulate the user’s physical connection location. This is one of the elements used to match the user to a Connection Profile. VLAN[...]

  • Page 193

    Configuring Authentication Figure 5-20. Rights for User “ann” if Logged on at the Specified Time and Location The top portion of the Rights results shows the Identity Profile and Connection Profile that the user matched, based on the specified location, VLAN ID, and time, and the Access Policy tha[...]

  • Page 194

    Configuring Authentication • If the Identity Profile is not what you expected: — For users in the built-in database, the user may have been assigned to a different profile than you expected. — If the user should match an Identity Profile based on a group or NT Domain name returned from an external a[...]

  • Page 195

    Configuring Authentication Figure 5-21. The XML Representation of User Rights Tracing Authentication Service Transactions The Transaction Tracer lets you verify authentication transactions to one of the active authentication services—LDAP, RADIUS, Kerberos or XML-RPC. You can use this tool to verify that users are [...]

  • Page 196

    Configuring Authentication service is working correctly, the service should return a successful result, including the information associated with that user, if appropriate. If the authentication service is not set up correctly, you will receive an error and incomplete results. This tool cannot be used with[...]

  • Page 197

    Configuring Authentication Figure 5-23. Results of a traced transaction The Result Parameters contain any parameters returned with the authentication, if appropriate. This will depend on the authentication service being used, and how that service has been configured (for example, whether you have it configured t[...]

  • Page 198

    Configuring Authentication » To Import or Export Rights, click the Tools and Options tab visible at the top of any Rights module page, then click the Import/Export Rights link in the left-hand column of the page. This displays the Import/Export Rights page, as shown in Figure 5-24. Figure 5-24. The Im[...]

  • Page 199

    Configuring Authentication Figure 5-25. Rights Export in Progress page While the export is in progress, this page is refreshed every 15 seconds. • To stop the page refresh, click Stop Auto Refresh. • To cancel the import click Cancel. Step 2. When the export has completed, another informational page appears[...]

  • Page 200

    Configuring Authentication Figure 5-26. The Import/Export Rights page after a successful rights export Step 3. Under the Last Rights Export heading, click Save Export As... to save the rights export image as a file. This will start the file download process appropriate to your local system. Step 4. S[...]

  • Page 201

    Configuring Authentication • To stop the page refresh, click Stop Auto Refresh. • To cancel the import click Cancel. Step 3. When the import has completed, another informational page appears, telling you the process is complete. • Click Continue to return to the main Import/Export Rights page. When [...]

  • Page 202

    Configuring Authentication 5-54 HP ProCurve Secure Access 700wl Series Management and Configuration Guide[...]

  • Page 203

    6 CONFIGURING THE NETWORK This chapter describes how to configure the 700wl Series system components so that they work with your enterprise network. The topics covered in this chapter include: 700wl Series System Components . . . 6-2 Configu[...]

  • Page 204

    Configuring the Network 700wl Series System Components When you first click on the Network icon the System Components page appears, as shown in Figure 6-1. Figure 6-1. System Components Page This page displays the System Components List, which lists all the 700wl Series system components known to t[...]

  • Page 205

    Configuring the Network From this list you can click a component name or click the pencil icon at the right of the row to edit the component’s name and the folder to which it is assigned. For Access Control Servers, you can also edit settings related to its use in a failover configuration. See “Configuring an Access Contr[...]

  • Page 206

    Configuring the Network DHCP (the default) will boot up and run properly without a shared secret configured, but Access Controllers will not be able to communicate with it. In this case, you must edit the Access Control Server configuration to add a shared secret to enable the Access Control Server to mana[...]

  • Page 207

    Configuring the Network Note: The IP address can be changed under the Network Setup tab, along with other network configuration settings. The fields and options on this page are defined in Table 6-2: Table 6-2. Edit Access Control Server page field definitions Field/Option Description Name An al[...]

  • Page 208

    Configuring the Network Table 6-2. Edit Access Control Server page field definitions Field/Option Description Redundancy Preferred Primary Access Control Server If checked, specifies that this Access Control Server (the one on which this configuration is being done, not the peer Access Control Serv[...]

  • Page 209

    Configuring the Network Deleting a Peer Access Control Server You must disable redundancy by editing the Primary Access Control Server configuration before you can delete the Secondary Access Control Server (uncheck the Enable Redundancy checkbox and Save). To delete a peer Access Control Server once re[...]

  • Page 210

    Configuring the Network Editing the Integrated Access Manager Configuration The Integrated Access Manager is typically configured with its network configuration parameters and shared secret when it is initially installed on the network, per the instructions in the Quick Start Guide or Installation and Getti[...]

  • Page 211

    Configuring the Network The Edit Integrated Access Manager page appears as shown in Figure 6-4. Figure 6-4. Edit Integrated Access Manager page The fields on the Edit Integrated Access Manager page show the current setting for the Integrated Access Manager. You can modify any of these values, except the IP ad[...]

  • Page 212

    Configuring the Network Table 6-3. Edit Integrated Access Manager page field definitions Field/Option Description NAS-ID/Description A description for this unit. If using RADIUS accounting, this field is used as the NAS-ID and is sent to the RADIUS server as part of the accounting information [...]

  • Page 213

    Configuring the Network With the exception of the Access Control Server IP address and shared secret, Access Controllers are configured centrally from the Administrative Interface of the Access Control Server or Integrated Access Manager. From the Administrative Console you can configure and delet[...]

  • Page 214

    Configuring the Network Table 6-4. Edit Access Controller page fields Field/Checkbox Description Name An alphanumeric name for the Access Controller. By default the name is the IP address of the unit. IP Address The IP address of this Access Controller (read-only). This can be changed under the[...]

  • Page 215

    Configuring the Network You can modify an Access Controller’s name, administrator username and password, folder, SSH access permissions, and the Access Control Server IP address and shared secret. The IP address and MAC address are displayed read-only and cannot be modified on this page. ?[...]

  • Page 216

    Configuring the Network Figure 6-6. New Folder Page » To change the name of a folder, click the folder name in the System Components List, or click the pencil icon ( ) to the far right of the folder. Either action displays the Edit Folder page. Enter the new folder name in the Folder Name field and click Save. [...]

  • Page 217

    Configuring the Network Configuring Failover with Redundant Access Control Servers Please read the section “Enterprise Class Redundancy” on page 2-18 in Chapter 2, “Configuring the Network” Note: Integrated Access Managers cannot be used as a peer in a redundant configuration. The 700wl Series sys[...]

  • Page 218

    Configuring the Network Step 4. When you are ready to initiate the peer relationship and start the data synchronization process, check the Enable Redundancy checkbox on the Primary Access Control Server (and Save). You only need to configure and enable redundancy on the primary Access Control Server [...]

  • Page 219

    Configuring the Network • Under Network, only the System Components, Network Setup, Interfaces, and Date & Time tabs are available. • Under Maintenance, and Logs, all the functions are available. Disabling Redundancy When you disable redundancy, the secondary Access Control Server is reset to[...]

  • Page 220

    Configuring the Network » To access the Network Setup pages, click the Network icon in the Navigation Toolbar, then select the Network Setup tab. Network Setup is divided into four sections: • Basic Setup—settings that allow the 700wl Series system component to communicate with the network • Advance[...]

  • Page 221

    Configuring the Network Network Communication–the Basic Setup Tab To configure the basic network communication settings for a 700wl Series system component, do the following: Step 1. Under the network icon, click the Network Setup tab to display the Basic Setup tab, as shown in Figure 6-8. Figure 6-8. [...]

  • Page 222

    Configuring the Network Edit the contents of the fields on this page as appropriate. The fields and their settings are defined in Table 6-5. Table 6-5. Basic Setup tab fields Field Description Configure A drop-down list you use to specify how this component gets its IP address. • Select Using D[...]

  • Page 223

    Configuring the Network Table 6-5. Basic Setup tab fields Field Description Secondary DNS The IP address of the secondary DNS server Primary WINS The IP address of the primary WINS server Secondary WINS The IP address of the secondary WINS server Step 3. Click Save to save your settings. To restore[...]

  • Page 224

    Configuring the Network Figure 6-9. Network Setup: Advanced Setup page for an Integrated Access Manager 6-22 HP ProCurve Secure Access 700wl Series Management and Configuration Guide[...]

  • Page 225

    Configuring the Network Access Control Server Configuration Advanced Options The following settings appear on this page if you are configuring an Access Control Server or an Integrated Access Manager. They do not appear if you are configuring an Access Controller. DHCP Network for NAT Clients Note: When yo[...]

  • Page 226

    Configuring the Network Access Controller Advanced Configuration Options The following settings appear on this page if you are configuring an Access Controller or an Integrated Access Manager. They do not appear if you are configuring an Access Control Server. Bridging A 700wl Series system provides f[...]

  • Page 227

    Configuring the Network The following are the specifications in tcpdump syntax for the predefined bridging options: Table 6-7. Tcpdump syntax for pre-defined bridging options Traffic to enable tcpdump syntax CDP ether[12:2] <= 1514 and ether dst 01:00:0c:cc:cc:cc Wireless Network Access[...]

  • Page 228

    Configuring the Network the client’s rights. Depending on the Wireless Data Privacy mechanism and the type of addressing in force, the client’s existing sessions may be tunneled from the original Access Controller to the new Access Controller. To change the client polling settings, do the following: Step[...]

  • Page 229

    Configuring the Network You can specify an external proxy server, or the 700wl Series system can act as the proxy server and handle the traffic according to the configured ports and filters defined for each Access Policy. The automatic HTTP Proxy feature is configured and enabled specifically for each A[...]

  • Page 230

    Configuring the Network available, the HTTP Proxy Server on the Access Controller will cycle to the next available IP address. Step 4. In the Proxy Server Port field, type the TCP port number used for the proxy server. Step 5. Click Save to have your changes take effect. To restore these fields to the origina[...]

  • Page 231

    Configuring the Network Figure 6-11. Network Settings: SSL Tab (Integrated Access Manager or Access Control Server only) The information at the top of the page shows information about the current certificate. Initially this will be the certificate generated and signed by HP ProCurve. Note: The Save butto[...]

  • Page 232

    Configuring the Network Requesting an SSL Certificate To generate an SSL Certificate Signing Request (CSR): Step 1. From the SSL tab, click Generate CSR... The Generate SSL Certificate Signing Request page appears, as shown in Figure 6-12, in a separate browser window. Figure 6-12. Input Page for Ge[...]

  • Page 233

    Configuring the Network Figure 6-13. The Certificate Signing Request You can use this certificate signing request either to request a certificate from a CA, or to create your own self-signed certificate using an SSL toolkit, such as OpenSSL. Step 4. You may be able to paste this signing request directly i[...]

  • Page 234

    Configuring the Network Loading the SSL Certificate When you receive your certificate from the CA, you can either copy the certificate information and paste it into the field provided, or you can place the certificate in a file and upload the file. Do not edit, add line breaks, or otherwise change any of [...]

  • Page 235

    Configuring the Network Save and Restore Private Key The CSR you generate is based on a private key. If the private key is lost or regenerated, any CSRs based on the original private key become invalid. After generating the CSR, you should save the private key on your local system. It can then be recovered a[...]

  • Page 236

    Configuring the Network Caution: Restoring a saved private key will invalidate an SSL certificate based on the current (different) private key. Restoring the Default SSL Certificate If the private key is lost or the certificate is corrupted or invalidated, you can revert to the default SSL certificate i[...]

  • Page 237

    Configuring the Network Figure 6-16. Example of a Port Connection Type selection list To configure a port for a specific connection type, do the following: Step 1. On the Interfaces setup page select the Access Controller to configure. Step 2. Click the Speed/Duplex tab. The Speed/Duplex page for Access Control[...]

  • Page 238

    Configuring the Network Note: If you want to set a port to half-duplex, but half-duplex is not offered as an option in the drop-down list, you will need to select a setting that does not specify an option, and allow the port to negotiate for half-duplex. For example, as shown in Figure 6-17, there is no se[...]

  • Page 239

    Configuring the Network uplink port so that the default uplink (slot 0 port 2 on a 700wl Series system) is now a downlink port, then that port will appear on this page. The port being used as the uplink port will not appear. To configure subnet addresses for Access Controller ports: Step 1. On the Interfac[...]

  • Page 240

    Configuring the Network configured to support routing the addresses you have configured for your ports through the Access Controller uplink port. For example, if the Access Controller’s IP address is 192.168.2.20 with subnet mask 255.255.255.0 (/24) and you configure a port to use 192.168.6.0 with mask /2[...]

  • Page 241

    Configuring the Network Figure 6-19. SNMP Page Step 2. Select the system component for which you want to enable SNMP from the System Components List. Step 3. SNMP is disabled by default. Select Enabled from the SNMP drop-down menu to enable SNMP. This will enable SNMP for the selected component. Note: Enabling SNMP[...]

  • Page 242

    Configuring the Network Note: Include a trap IP address only if you have an SNMP trap receiver listening for this information. HP proprietary SNMP trap events include fan failure, fan operational, and out-of-range temperatures. General SNMP trap events include SNMP authentication failures, which ar[...]

  • Page 243

    Configuring the Network Figure 6-20. Date & Time Page Step 2. Using the System Components List on the left select the component for which you wish to set the date and time. You can select an Access Control Server, a single Access Controller, or a folder. If you select a folder, the date and time setting[...]

  • Page 244

    Configuring the Network The format for the date is MM/DD/YYYY. For example, June 4, 2003 would be entered as 06/04/2003. The format for the time is HH:MM, using a 24 hour clock. For example, 6:23 PM would be entered as 18:23. b. Click Set Time Now to set the date and time according to settings you en[...]

  • Page 245

    Configuring the Network Figure 6-21. Admin Setup page Step 2. Click New Admin... The New Admin page appears (see Figure 6-20). Figure 6-22. Admin Setup page Step 3. Fill in the fields as required (see Table 6-8) and select the administrator type from the drop-down menu. HP ProCurve Secure [...]

  • Page 246

    Configuring the Network Table 6-8. New / Edit Admin Fields Field Description Name A descriptive name that identifies the Administrator. It can be the administrator’s full name or any other meaningful name. This name may have up to 32 characters. Any 7-bit characters are allowed. Username The adminis[...]

  • Page 247

    Configuring the Network • To edit an administrator account, click the administrator’s Name or Username, which are links to the Edit Admin page, or click the Pencil icon at the right of the row. The Super Administrator can change any of the settings for an administrator. • By default, a newly-added administra[...]

  • Page 248

    Configuring the Network 6-46 HP ProCurve Secure Access 700wl Series Management and Configuration Guide[...]

  • Page 249

    7 SETTING UP WIRELESS DATA PRIVACY This chapter explains how to configure the global settings for the security protocols. The topics covered in this chapter are: Overview of Wireless Data Privacy . . . 7-1 Wireless Data Privacy Setup . . .[...]

  • Page 250

    Setting up Wireless Data Privacy The encryption policy that defines how encryption applies to a specific client is determined through the Access Policy that defines rights for that client. The Access Policy can specify that encryption is required, that it is allowed but not required, or that it is di[...]

  • Page 251

    Setting up Wireless Data Privacy Figure 7-1. The Wireless Data Privacy tab Global Wireless Data Privacy Configuration Select the Wireless Data Privacy protocols you want to enable for the 700wl Series system. By default, all protocols are disabled. Enabling a security protocol makes it available fo[...]

  • Page 252

    Setting up Wireless Data Privacy The fields and settings under the Configuration for IPSec heading of the Wireless Data Privacy tab are as follows: Table 7-1. IPSec configuration settings Field Description IKE Authentication Method Select the IKE Authentication Method you plan to use: • To us[...]

  • Page 253

    Setting up Wireless Data Privacy Table 7-1. IPSec configuration settings Field Description ESP Encryption Select the appropriate algorithms for ESP encryption, or specify None. The 700wl Series system supports the following algorithms: • DES • 3DES • AES • Blowfish • CAST • Null The default[...]

  • Page 254

    Setting up Wireless Data Privacy Figure 7-2. The IPSec Certificate Configuration tab By default the Current Certificate area of the page shows “No certificate configured.” This area will show information about the certificate if one is installed. Step 2. Click Generate CSR... to begin creating a Certificate[...]

  • Page 255

    Setting up Wireless Data Privacy Step 3. Fill in the information in this form: a. Type the name in which the certificate should be granted. This can be an individual name or a title such as “Wireless Admin.” b. Type the email address for the certificate contact. c. Type your state or province. This is[...]

  • Page 256

    Setting up Wireless Data Privacy Step 6. Copy and paste the generated PKCS #10 certificate request, including the lines ----BEGIN CERTIFICATE REQUEST---- and ----END CERTIFICATE REQUEST---- into the appropriate field in the request form. Once you have copied and pasted the CSR, click Done to return to the IPSe[...]

  • Page 257

    Setting up Wireless Data Privacy You may need to enter the request ID or confirmation information you received when you submitted your certificate request. When your certificate is displayed, find the portions that you can copy and paste into the HP system. The example in Figure 7-6 shows the portion[...]

  • Page 258

    Setting up Wireless Data Privacy Figure 7-7. The Load Certificates page Step 12. Copy and paste the two certificates from your CA’s web site into the two fields provided, and click Save. Be sure to include the ---BEGIN CERTIFICATE--- and ---END CERTIFICATE--- lines. Caution: Do not use the certificate import f[...]

  • Page 259

    Setting up Wireless Data Privacy Figure 7-8. The Certificates tab showing an installed certificate Step 13. Immediately create and save a backup of your system. This saves both the private key and the saved certificates. See “Backing Up and Restoring the System Configuration” on page 8-13 for infor[...]

  • Page 260

    Setting up Wireless Data Privacy The default is to have addresses assigned by a DHCP server. » To configure the IP Address assignment method for the tunneling protocols, click the VPN icon in the Navigation bar at the top of the Administrative Console, then click the IP Address Assignment tab. This displays the IP [...]

  • Page 261

    Setting up Wireless Data Privacy • The first DHCP request is taken to be a request for an outer tunnel address, and NAT is ALWAYS used, even if the Access Policy specifies Never for the Network Address Translation setting. Note: A side-effect of this behavior is that if encryption is “Allowed but not req[...]

  • Page 262

    Setting up Wireless Data Privacy 7-14 HP ProCurve Secure Access 700wl Series Management and Configuration Guide[...]

  • Page 263

    8 SYSTEM MAINTENANCE This chapter explains how to perform common administrative tasks including creating, storing, and restoring a backup file, updating system software, and shutting down a 700wl Series system component. It also describes how to reset the 700wl Series system to its factory defaul[...]

  • Page 264

    System Maintenance Figure 8-1. Software Setup page Step 2. From the System Components list in the left panel, select the component (Access Control Server or Access Controller) for which you want to restart or update the software image. This page displays information about the software installed in the selec[...]

  • Page 265

    System Maintenance Access Controller and using the Wireless Data Privacy protocols will temporarily lose their connections, and any remote CLI sessions over SSH will be terminated. It is recommended that you update your flash-based Access Controllers during times when system usage is low. Upgrading th[...]

  • Page 266

    System Maintenance Figure 8-2. The Update Software page From the Remote Update page you can initiate a software update from a remote FTP, TFTP, or HTTP server, or just check to see if any updates are available. Alternately, you may be able to perform an update using a software distribution file placed on a local s[...]

  • Page 267

    System Maintenance Remote Update The information that is required to update the software image from a remote site is described in Table 8-2. Table 8-2. Update Software, field/settings descriptions Field/Option Description URL The URL from which you want to check for software upgrade availability, or downloa[...]

  • Page 268

    System Maintenance If you want to check for upgrades on an alternate download site, you must enter the appropriate URL. Step 2. Click Check for Upgrades. This function checks the software version available on the download site against the software version currently installed in the component you have select[...]

  • Page 269

    System Maintenance Select Continue to proceed with the upgrade, or Cancel to return to the previous page without proceeding. Note: If your currently installed software is significantly older than the new version you are downloading, it may not be possible to revert to your old (Alternate) image without d[...]

  • Page 270

    System Maintenance If you enable Auto Refresh, the status page refreshes approximately every 15 seconds, displaying updated status information. After the download and unpack operations are complete, a completion message appears: New image successfully installed. If you specified an automatic rest[...]

  • Page 271

    System Maintenance Variable Value update_file Filename (including the path) of the software image Please contact HP ProCurve Technical Support for information on the current downloadable image. For TFTP or anonymous FTP, the path is relative to the anonymous FTP or TFTP root. If a user name and passw[...]

  • Page 272

    System Maintenance Step 2. In the 700wl Series system Administrative Console, under Maintenance/Software Update, select the Local Update tab to display the Local Update page, as shown in Figure 8-5. Table 8-3. Update Software, field/settings descriptions Field/Column/Option Description Up[...]

  • Page 273

    System Maintenance Figure 8-5. The Local Update Tab of the Update Software Function Step 3. In the Uploaded Software Versions table, select the row where you want the new uploaded version to be placed. If there is already a software image in that row, it will be replaced by the new image yo[...]

  • Page 274

    System Maintenance Step 6. In the .vdist File field, type the full path and name of the distribution file you downloaded, or click Browse to locate the proper directory and file name. Note: You can save the vdist files under different names, if you want. They do not need to have a .vdist extension. Step 7[...]

  • Page 275

    System Maintenance Caution: Restarting an Access Control Server or Integrated Access Manager will log off all clients on all Access Controllers. If possible, you should restart your system during a time when few clients are actively connected to the system. » To restart your system using the Alternate[...]

  • Page 276

    System Maintenance Note: You cannot restore from the internal backup image. You can only restore from an external file. Therefore, you must save the backup image to a file. » To back up a system configuration, click the Backup & Restore tab under the Maintenance button. The Backup & Rest[...]

  • Page 277

    System Maintenance Figure 8-8. Backup Confirmation Click Continue to proceed, or Cancel to return to the Backup & Restore page without creating the backup image. While the backup is in progress, an information page, as shown in Figure 8-9, is displayed. Figure 8-9. Backup In Progress Step 2. When the back[...]

  • Page 278

    System Maintenance Figure 8-10. Backup & Restore page after a successful backup » To save the backup to a file, click Save Backup As... . This initiates the File Download process on your local system. This typically involves a series of dialogs presented by your local system software, where you can select a[...]

  • Page 279

    System Maintenance Figure 8-11. Restore In Progress Confirmation Step 3. To proceed with the restore, click Continue. As part of the restore operation, the system is restarted. You will be required to log in again as administrator. Transferring a Backup to a Different System There may be situations[...]

  • Page 280

    System Maintenance Warning: DO NOT restore a backup to a duplicate Access Control Server that is connected to the same network as the original Access Control Server. Restoring a backup will restore the original Access Control Server’s IP address (if a static IP address was configured) and the shared [...]

  • Page 281

    System Maintenance Figure 8-12. The Shutdown/Restart tab Restarting a System Component Restarting a component will briefly shutdown the unit, then restart it using the Installed Version software image. This action does not power off the unit. To restart a selected system component: Step 1. Select[...]

  • Page 282

    System Maintenance Figure 8-13. Restart Confirmation Step 3. To proceed with the restart, click Continue. To cancel the restart, click Cancel. Shutting Down a System Component Shutting down a system component shuts down and powers off the selected unit. To shut down and power off a system component:[...]

  • Page 283

    System Maintenance Step 3. To proceed with the shutdown, click Continue. To cancel the shutdown, click Cancel. Resetting to Factory Default Settings Resetting a system to its factory defaults will clear the configuration database, reset all options to the factory default settings, and restart [...]

  • Page 284

    System Maintenance restore your configuration, you must restore from a backup image that was created and saved to an external file before the reset. A reset erases the backup image stored on the unit. On an Access Controller, however, if you have not deleted the Access Controller from the Acces[...]

  • Page 285

    9 LOGS This chapter presents tasks you can perform with these types of logging. Viewing 700wl Series System Logs . . . 9-1 Configuring Session Logging . . .[...]

  • Page 286

    Logs Figure 9-1. Log file display The Log File display table shows the log entries that exist at the moment you request the display. By default, the list is not refreshed unless you request a new display by clicking the Apply Filters button. You can set an automatic refresh interval using the filter settin[...]

  • Page 287

    Logs The log file display itself shows the following information: Table 9-2. Log file display Column Description (empty) This column is used to call attention to log entries with severity levels of Critical or Major. Entries at lower severity levels are not flagged. • The red octagon indicates an entry [...]

  • Page 288

    Logs — Categories: All Categories (default), Error, Info, Debug, Function Trace, Object Trace, Session Log. This is a multiple selection box—by using CTRL-click or Shift-click you can select multiple categories to include in a single filter. — Access Controllers: All Systems (default), localhost (the Acces[...]

  • Page 289

    Logs Figure 9-2. Setting Up Session Logging Step 2. Type the information and select options as defined in Table 9-3. Table 9-3. Logging Setup Fields Field/Option Description Session Logging: Enabled Settings for session logging to a remote syslog server. Check Enabled to enable session logging. Uncheck[...]

  • Page 290

    Logs Note: Accurate time and date reporting is necessary for accurate and useful logs. To set the time and date, use the Date & Time tab in the Network area. Viewing the Session Logs The 700wl Series system log files provide informational messages, warnings and so on about the operation of the 700wl Se[...]

  • Page 291

    Logs Table 9-4. Session Log information Data Item Definition Actual Destination The actual destination IP address and port, if redirected or tunnelled through another Access Controller. Bytes Transmitted Total number of bytes transmitted during the session Bytes Received Total number of bytes [...]

  • Page 292

    Logs 9-8 HP ProCurve Secure Access 700wl Series Management and Configuration Guide[...]

  • Page 293

    A COMMAND LINE INTERFACE This appendix documents the commands that are available on the serial console as part of the Command Line Interface (CLI). The CLI enables initial configuration and subsequent troubleshooting of the 700wl Series system. The Command Line Interface commands are listed in the foll[...]

  • Page 294

    Command Line Interface Accessing the Command Line Interface There are two ways to access the Command Line Interface — either by directly connecting a serial console to the serial port on an Access Controller, Access Control Server, or Integrated Access Manager, or by connecting to the system remotely [...]

  • Page 295

    Command Line Interface Command Syntax You may see a variety of symbols shown as part of the command syntax. These symbols explain how to enter the command, and you do not type them as part of the command itself. Table A-1 summarizes command syntax symbols. Table A-1. Command Syntax Symbols Symbol Desc[...]

  • Page 296

    Command Line Interface This produces the following output: "add" commands: add bridging ... Add bridging options add snmpmanager ... Add an SNMP authorized manager add snmptrapreceiver ... Add an SNMP trap receiver To see details about one of these commands, you can again use a question mark. For example to[...]

  • Page 297

    Command Line Interface set superadmin pass | enable | disable <login> Set the password for a superadmin. Enable or disable a superadmin login. pass Change the password for the specified login name. The superadmin can change any password. enable Enable the specified login name. Only superadmins can e[...]

  • Page 298

    Command Line Interface show policyadmin [<login>] Show a specific policyadmin by specifying a login, or list all policyadmins by not specifying a login. set remote on | off Enables or disables remote technical support access. The default is disabled. This should be enabled only at the direct i[...]

  • Page 299

    Command Line Interface 00:e0:18:7d:b5:3d 10.205.2.25 4 hrs, 50 mins show id Displays this system’s ID, which is the MAC address of Slot 0 port 1. On a 700wl Series unit, the default uplink port is slot 0 port 2. (Slot 0 port 1 is the Reserved port.) Therefore, the MAC address of the uplink port, shown on the la[...]

  • Page 300

    Command Line Interface show deviceport <device> Shows the port or slot and port for a device. <device> The device name associated with a port, for example, dc0, dc1, sis0 For example, on an Integrated Access Manager 760wl the command: show deviceport sis0[...]

  • Page 301

    Command Line Interface Network Configuration Commands set hostname <hostname> Note: This command is supported on the Access Control Server or Integrated Access Manager only. Sets the system's hostname. The system hostname is also used as the SNMP system name. If you set a hostname, it mu[...]

  • Page 302

    Command Line Interface show ip Shows the current IP configuration. Output from this command looks similar to the following: Hostname: Domain Name: xyzcorp.com IP address: 192.168.10.157/24 DHCP enabled: No Default gateway: 192.168.10.1 DHCP server: None configured DNS servers: 192.168.2.248 192.168.2.205 WINS servers: No[...]

  • Page 303

    Command Line Interface set dns <primary-ip-address> [<secondary-ip-address>] Note: This command is supported on the Access Control Server or Integrated Access Manager only. For an Access Controller, this function must be performed through the Administrative Console on the managing Acce[...]

  • Page 304

    Command Line Interface Sets the IP addresses of the WINS servers. <primary-ip-address> The IP address of the primary WINS server for the system. <secondary-ip-address> The IP address of the secondary WINS server for the system (optional). clear wins Note: This command is supported on th[...]

  • Page 305

    Command Line Interface set portmedia {<port> | <slot>/<port>} "<media> [<media-option>]" Sets the port media setting for the specified port or slot and port. <port> | <slot>/<port> The port, or slot and port on which to set the media type and option. <[...]

  • Page 306

    Command Line Interface show portip Displays the current IP address and netmask settings, if set, for all ports in the system. Output from this command is similar to the following: Port settings Slot 1 Port 1 IP: Not set Slot 1 Port 2 IP: 192.168.5.1 Netmask: 255.255.255.0 Slot 1 Port 3 IP: 192.168.6.1 Netmask: 255.[...]

  • Page 307

    Command Line Interface Note: This command is not available on an Integrated Access Manager. Advanced Network Configuration Status show bridging Shows the current bridging settings. The current bridging types that may appear are: cdp Cisco Discovery Protocol wnmp Wireless Network Access Protocol atalk Ap[...]

  • Page 308

    Command Line Interface show ac [mac <mac-address>] Shows Access Controller settings for one or all Access Controllers connected to the Access Control Server or Integrated Access Manager. The default is to show all settings for all Access Controllers. mac <mac-address> Specifies the MAC a[...]

  • Page 309

    Command Line Interface show redundancy Shows the current redundancy (failover) settings. For example: show redundancy Redundancy configured state ---- Redundancy is disabled. No peer is specified. Peering priority is 0. Retry timeout to disabled peers is 60 seconds. Failover timeout is 30 seconds. On an Access Contr[...]

  • Page 310

    Command Line Interface Advanced Network Configuration set natdhcp <ip-address> <subnetmask> [<lease-time> [<time-units>]] Sets the NAT DHCP subnet and lease time. <ip-address> The DHCP subnet address for NAT. The default is 42.0.0.0 <subnetmask> The subnet mask, in the form[...]

  • Page 311

    Command Line Interface remote datetime <ip-address> <date> <time> Sets the date and time on the system at <ip-address>. <date> The current date in yyyy/mm/dd format <time> The current time in h24:mm format. Caution: It is important that the system time be kept accurate,[...]

  • Page 312

    Command Line Interface remote reboot <ip-address> Reboot the system at <ip-address> remote rebootalt <ip> Reboot the system at <ip-address> to alternate software version. remote shutdown <ip-address> Shutdown the system at <ip-address> remote factoryreset <ip-[...]

  • Page 313

    Command Line Interface remote upgradereboot <ip-address> <url> <key> Upgrades the system at the specified IP address and reboots the system. <url> The URL encoded location of the software release to install. The format of the URL is <protocol>://<host>/<update file> or &[...]

  • Page 314

    Command Line Interface set pptp on | off Enables or disables PPTP. set l2tp on | off Enables or disables L2TP. set ipsecsecret [<secret> <secret>] Sets the IPSec shared secret. Prompts for the secret if not entered on the command line. clear ipsecsecret Clears the IPSec shared secre[...]

  • Page 315

    Command Line Interface show vpn Note: Even though you can only configure Wireless Data Privacy settings from the Access Control Server or Integrated Access Manager, you can use the show vpn command from an Access Controller to view these settings. Shows the current Wireless Data Privacy settings. Outp[...]

  • Page 316

    Command Line Interface show clients [mac <mac-address>] [sort {mac | ip | user | machine | port | sessions | idle}] [reverse] Lists all active clients. You can optionally sort the list by a number of criteria. <mac-address> MAC (Ethernet) address to display. Specified in the f[...]

  • Page 317

    Command Line Interface <stance>Deny</stance> </ipsec> <pptp> <stance>Deny</stance> <mppe_stance>Accept</mppe_stance> <mppe_bits>0</mppe_bits> <mppe_stateful>False</mppe_stateful> <min_mschap>0</min_mschap> <allow_pap&[...]

  • Page 318

    Command Line Interface If you respond Y to continue with the backup, the following reminder appears: NOTE: After creating the backup image, you must transfer it from this Integrated Access Manager onto your local computer. store backup <url> [<filename>] Stores the backup on another system using FTP. [...]

  • Page 319

    Command Line Interface show backup Displays information about the list of local backups and the status of a running store backup or get backup task. Output from this command is similar to the following: Backup image created Nov 25 17:25:22 2002. No backup image ’store’ or ’get’ in progress. Upgrading the Sy[...]

  • Page 320

    Command Line Interface reboot Automatically reboot after installing the upgrade. The upgraded software is activated when the system is rebooted. version Displays the version of the software available for download at the specified URL. The software is not downloaded and the system is not restarted. mi[...]

  • Page 321

    Command Line Interface cancel upgrade Cancels the current get upgrade task. set upgradeproxy [on | off] [host <ip-address> [<port>]] [user <user> [<password>]] Configure a proxy server for retrieving software releases via FTP. on | off Enables and disables the proxy server. <ip-a[...]

  • Page 322

    Command Line Interface shutdown Shuts down the system. You are prompted to confirm that you want to shut down the system: This operation will shutdown this system and users may lose their connections. Are you sure you want to shutdown this system [n]? Resetting to Factory Defaults factoryreset Resets all user configur[...]

  • Page 323

    Command Line Interface • info: show all information, notice, warning, error, and critical log entries <lines> The maximum number of lines to be displayed. The default is 23. <count> The number of time units to be displayed, in combination with the <time-unit> variable. If no —for“[...]

  • Page 324

    Command Line Interface Translates to: nslookup -timeout=10 <hostname> ping {<ip-address> | <hostname>} Pings an IP address or a hostname. If the hostname is not qualified, the domain name (as specified by the set domainname command) is appended. Translates to: ping -c 3 <ip-address>[...]

  • Page 325

    Command Line Interface traceroute {<ip-address> | <hostname>} [<hops> [<probes> [<probewait>]]] Displays the traceroute for an IP address or hostname. If the hostname is not qualified, the domain name (as specified by the set domainname command) is appended. <hops&g[...]

  • Page 326

    Command Line Interface clear ntpserver Clears the NTP servers IP address or hostnames. This command also disables the NTP service if it was enabled. set ntp on | off Enables and disables the NTP service. set datetime <date> <time> Manually sets the current local date and time. <date&g[...]

  • Page 327

    Command Line Interface Controller. To modify these settings on an Access Controller, you must use the Administrative Console on the managing Access Control Server. set snmp on | off Turns SNMP support on or off. Turning SNMP on enables read-only access to the MIB. Turning it on when already on [...]

  • Page 328

    Command Line Interface set snmp contact <contact> Sets the SNMP sysContact object, defined in RFC 1213 as “the textual identification of the contact person for this managed node, together with information on how to contact this person.” Note: You cannot set this object from an ext[...]

  • Page 329

    Command Line Interface Trap IP Address: None Authorized Managers: None HP ProCurve Secure Access 700wl Series Management and Configuration Guide A-37[...]

  • Page 330

    Command Line Interface A-38 HP ProCurve Secure Access 700wl Series Management and Configuration Guide[...]

  • Page 331

    B FILTER EXPRESSION SYNTAX This appendix describes the syntax used to define user access rights (allowed traffic filters and redirected traffic filters), bridged traffic, and HTTP Proxy filters. It includes the following sections: Introduction . . .[...]

  • Page 332

    Examples are: “fddi src myHost”, “ip net 122.43”, and “udp port 44”. fddi is an alias for ether; they are treated identically as meaning “the data link level used on the specified network interface.” FDDI headers contain Ethernet-like source and destination addresses, and often contain Et[...]

  • Page 333

    Table B-1. Allowable Primitives (Continued) Primitive Explanation host host True if either the source or destination of the packet is host. ether dst ehost True if the Ethernet destination address is ehost. Ehost can be either a name from /etc/ethers or a number (see ethers(3N) for numeric for[...]

  • Page 334

    Table B-1. Allowable Primitives (Continued) Primitive Explanation ip6 proto protocol True if the packet is an IPv6 packet of protocol type protocol. This primitive does not chase the protocol header chain. ip6 protochain protocol True if the packet is IPv6 packet, and contains protocol header with type pro[...]

  • Page 335

    Table B-1. Allowable Primitives (Continued) Primitive Explanation ether proto protocol True if the packet is of ether type protocol. Protocol can be a number or one of the names ip, ip6, arp, rarp, atalk, aarp, decnet, sca, lat, mopdl, moprc, iso, stp, ipx, or netbeui. Note: Note these iden[...]

  • Page 336

    Table B-1. Allowable Primitives (Continued) Primitive Explanation expr relop expr True if the relation holds, where • relop is one of >, <, >=, <=, =, != • expr is an arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators [+, -[...]

  • Page 337

    C CREATING CUSTOMIZED TEMPLATES
    This Appendix explains how to develop custom templates for the Logon page, the optional Logoff pop-up page, and the optional Guest Registration page. It includes the following sections: Introduction [...]

  • Page 338

    A Simple Logon Page Template Example
    The 700wl Series system logon page, in its simplest form, consists of two fields where the user enters his/her user name and password, and a button to invoke the logon function. Other optional elements can include a Logoff button, a Guest logon or Guest registra[...]

  • Page 339

    <!-- required functions -->
    @satmac()
    @interface()
    @java_works()
    @secret()
    @query()
    </FORM>
    </body>
    </html>
    The template file is a standard HTML file with the tmpl functions included. You should be sure to include any tags or meta-tags needed to make the display correctly in your browser environm[...]

  • Page 340

    Required Elements
    Form Tag
    <FORM action=/logon method=post name=logonForm>
    For the logon page only, there must be a form with the name attribute set to logonForm. The action and method attributes must also be set as shown.
    Buttons
    At least one of these buttons must be present on the page to enable a user to log in[...]

  • Page 341

    • @satmac(). This function returns an INPUT element of type hidden, with a value that is the client’s MAC address.
    • @interface(). This function returns an INPUT element of type hidden.
    • @java_works(). This function returns an INPUT element of type hidden, with a value of 0. If a Logoff popup is specified (see[...]

  • Page 342

    In addition to including the realm field on the custom login page, the User specified authentication realm check box must be checked (on the Rights Manager Customize Web Pages by Location page). Note that this check box does not appear unless there are multiple authentication realms defined.
    Client Functions
    Th[...]

  • Page 343

    @set(“variable”, “value”)
    Sets the value of a run-time variable. For example, to set the variable “month” to the month a client’s rights expire, you would use:
    @set("month", @xlate_month("Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", [...]

  • Page 344

    </head>
    <body bgcolor="FFFFFF">
    <!-- specifies an image and a solid black line at the top of the form. The image must be stored in the Rights Manager via Images Upload -->
    <center>
    <img src="/images/galactic.gif"><br>
    <img src="/dot-black.gif" width="600" height="[...]

  • Page 345

    @secret()
    @query()
    <!-- Displays user and password fields, and three buttons, in a table -->
    <table width="600" cellspacing="0" cellpadding="1" bgcolor="#000000">
    <tr><td>
    <table cellspacing="0" cellpadding="5" width="100%" bgcolor="#ffffff"[...]

  • Page 346

    Figure C-2. Three-button logon page
    Changing the Logon Button Names
    If you want to change the names that appear on the buttons on the Logon page, you must use two INPUT statements per button: one with type=hidden and the value set to the required button value, and the other with type=submit and the value as the[...]

  • Page 347

    Example 3
    <FORM action="/cgi-bin/logon" method=post name=logonForm>
    (This is the FORM statement required at the beginning of the Logon form.)
    @satmac() @interface() @java_works() @secret() @query()
    (Not shown -- Code here to set up a table, present username and password input fields etc. >
    The following[...]

  • Page 348

    Customizing the Logon Page Messages
    There are a number of informational messages that may appear on the Logon page in certain circumstances. These messages may appear in the following circumstances:
    • After the client has clicked the logoff button, but before a new logon page appears, a logoff transit[...]

  • Page 349

    Guest Registration Template
    To configure a location to allow custom guest registration, there are three elements that must be in place:
    • Your main custom logon page must have a “Register as Guest” button instead of the “Logon as a Guest” button. This requires using “Register” instead of “Lo[...]

  • Page 350

    The page generated by this template is shown in Figure C-3.
    Example 4
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html>
    <head>
    <title>HP ProCurve 700wl Series Guest Registration Page</title>
    <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-[...]

  • Page 351

    <tr>
    <td align="right"><font size="2"> Last Name:</font></td>
    <td align="left"><INPUT type="text" name="lastname" size=15 /> </td>
    </tr>
    <tr>
    <td align="right"><font size="2"> Preferred Username: </font&[...]

  • Page 352

    Figure C-3. Guest Registration page produced by the template in Example 4
    Using a Logoff Pop-Up with a Customized Logon Page
    One of the options for user logoff, in browsers that support JavaScript, is to have a Logoff button appear in a pop-up browser window as soon as the user has logged on to the system. You can c[...]

  • Page 353

    The required elements in a Logoff Pop-up template are:
    Form Tag: <FORM action=/logon method=post name=logoffForm> A form with the name logoffForm is required, with action and method attributes set as shown.
    Buttons: One button must be present on the page to enable the user to log off. <INPUT name=logon_action type[...]

  • Page 354

    This generates the pop-up window shown in Figure C-4.
    Figure C-4. Logoff pop-up window
    When the user clicks the Logoff button, the Login window is immediately displayed in the same window, allowing the user to log in again.
    Redisplaying the Logon Page in a New Window
    The default 700wl Series-provided Logof[...]

  • Page 355

    Figure C-5. Logoff confirmation window
    When you click the link, in this window, a fresh Logon page opens in a new window. To customize this logoff confirmation window, you can upload a custom template in the Logged Off Window field under the Custom Templates tab of the New or Edit Logon Customization page. T[...]

  • Page 356

    C-20 HP ProCurve Secure Access 700wl Series Management and Configuration Guide[...]

  • Page 357

    D TROUBLESHOOTING
    This appendix presents troubleshooting procedures for the 700wl Series system. Table D-1 shows the symptoms, probable cause and recommended actions for a variety of problems. The following are problems you may encounter when configuring your 700wl Series system components for[...]

  • Page 358

    Table D-1. System Configuration Troubleshooting Guide (Continued)
    RADIUS Authentication not working | 1. RADIUS configuration incorrect 2. User name or password not valid | Test client authentication using Transaction Tracer (under Rights > Authentication Policies > Tools and Options) 1. Verify RA[...]

  • Page 359

    Table D-1. System Configuration Troubleshooting Guide (Continued)
    Symptom(s) | Probable Cause | Recommended Action
    Client has incorrect access | Rights misconfigured | For a connected client, view Client detailed rights status from the Status > Client Status page. For a non-connected client, use the [...]

  • Page 360

    D-4 HP ProCurve Secure Access 700wl Series Management and Configuration Guide[...]

  • Page 361

    E GLOSSARY
    The glossary defines terms that are used throughout the 700wl Series system. Some of the following terms are in common usage but may have 700wl Series system-specific meanings. These terms are defined in context in the chapter where they first appear.
    Term | Definition
    802.11 | See — IEEE[...]

  • Page 362

    Term | Definition
    AH | Authentication Header protocol. AH digitally signs the entire contents of each packet, protecting your network against three kinds of attacks: Replay attacks, where an attacker captures packets, saves them until later, and resends them. These attacks may allow an attacker to impe[...]

  • Page 363

    Term | Definition
    CLI | Command Line Interface: 700wl Series system Access Controllers, Integrated Access Managers, and Access Control Servers all have a command line interface through which they can be controlled, as an alternate to using the Administrative Console.
    Client | A machine, device, or user of [...]

  • Page 364

    Term | Definition
    DNS | Domain Name Server - A DNS translates Internet domain names such as xyzcorp.com, into IP addresses.
    Downlink port | A port on an Access Controller or Integrated Access Manager to which a device at the network edge, such as a Wireless Access Point, switch, or hub, is connected.
    DSA | Direct[...]

  • Page 365

    Term | Definition
    HTTP Proxy | A Web server that sits between a client application, such as a Web browser, and a real server. It intercepts all requests to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server. Proxy servers have two main purpos[...]

  • Page 366

    Term | Definition
    IKE | A part of IPSec: IKE=Internet Key Exchange (Negotiates session parameters for the authentication header and ESP. Sets up Security Associations (SA))
    Inner Tunnel Address | For a connection using PPTP or L2TP, the IP address associated with the actual data from the client, encapsulated wi[...]

  • Page 367

    Term | Definition
    L2F | Layer 2 Forwarding; a tunneling protocol from Cisco
    L2TP | Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP) used to enable a virtual private network (VPN) over the Internet. L2TP merges the best features of two other tunneling proto[...]

  • Page 368

    Term | Definition
    Outer Tunnel Address | The IP address associated with a PPTP or L2TP connection within which the client traffic is encapsulated. This address will always be a NAT’ed address, regardless of the group NAT settings.
    Packet | A piece of data transmitted over a network that includes not only dat[...]

  • Page 369

    Term | Definition
    Session redirectors | Client TCP and UDP sessions can be redirected from their original destination IP address or port.
    SNMP | Simple Network Management Protocol - The network management protocol of most modern TCP/IP-based networks. SNMP monitors the activity of various devices on a network [...]

  • Page 370

    Term | Definition
    tcpdump | A program that prints out the headers of packets on a network interface that match a specified filtering criteria. The syntax used by tcpdump is used in the 700wl Series system for specifying packet filters.
    TFTP | Trivial File Transfer Protocol - A lightweight version of FTP
    Time Window | A time w[...]

  • Page 371

    Term | Definition
    Web server | Network host that acts as an HTTP server; a computer that provides World Wide Web services on the Internet; it includes the hardware, operating system, Web server software, TCP/IP protocols, and the Web site content (Web pages).
    WEP | Wired Equivalent Privacy - WEP is a[...]

  • Page 372

    Term | Definition
    XML-RPC | XML-RPC is designed to be a simple procedural way for a client program to make function requests of another program. It provides similar functionality to SOAP, but is more limited and, generally, much simpler to use. The 700wl Series system supports the use of XML-RPC as an authenticat[...]

  • Page 373

    INDEX OF COMMANDS
    A
    add snmpmanager <hostname> | <ip-address> [/<mask>] . . . A-35
    add snmptrapreceiver <ip-address> [...]

  • Page 374

    delete policyadmin <login> . . . A-5
    delete snmpmanager all | <hostname> | <ip-address> [/<mask>] . . . A-35
    dele[...]

  • Page 375

    remote upgradecheck <ip-address> <url> . . . A-21
    remote upgradereboot <ip-address> <url> <key> . . . A-21[...]

  • Page 376

    set syslogserver <ip-address> [<facility>] . . . A-17
    set timezone <general-tz> <specific-tz> [...]

  • Page 377

    T
    traceroute {<ip-address> | <hostname>} [<hops> [<probes> [<probewait>]]] . . . A-32
    HP ProCurve Secure Access 700wl Series Management and Configuration Guide IOC-5[...]

  • Page 378

    IOC-6 HP ProCurve Secure Access 700wl Series Management and Configuration Guide[...]

  • Page 379

    INDEX Numerics 802.1Q VLAN tag specifying in Access Policy 4-46 specifying in Connection Profile 4-33 802.1x configuring as authentication service 5-16 configuring RADIUS for 5-17 monitored logon 5-3 802.2 protocol 6-24 802.3 protocol 6-24 A Access Control Server changing administrator username/passw[...]

  • Page 380

    changing username/password on Integrated Access Manager 6-10 changing username/password on Integrated System 6-12 default name and password 2-4 logging in as 2-4 logging out 2-6 troubleshooting incorrect password D-1 Advanced Setup tab 6-21 DHCP Network for NAT Clients 6-23 aliasing in LDAP to get use[...]

  • Page 381

    browser-based logon 1-3, 5-2 Built-in authentication service 5-2 built-in database 4-16 adding Access Points 4-22 adding users 4-17 network equipment 4-21 retrieving MAC addresses from external LDAP service 4-24 users 4-16 C CDP bridge traffic 6-24 centralized management and administration 2[...]

  • Page 382

    Ethernet bridging, enabling 6-24 Expire timer, See reauthentication timeout export rights 5-50 External 4-51 external identity retrieval 5-28 F Failover See Access Control Server redundancy filters display filters 2-12 folders creating or editing 6-13 selecting for an Access Controller 6-12 vs. Locatio[...]

  • Page 383

    LDAP service authentication troubleshooting D-2 configuring for authentication 5-9 configuring MAC address retrieval 4-26 non-user binding 5-10 retrieving MAC address users from 4-24 user binding 5-10 using aliasing to get user information 5-15 License Information viewing 3-15 Lightweight Dire[...]

  • Page 384

    P password changing for administrator 2-5 troubleshooting D-1 PDAs logon page options 5-33 peer Access Control Server configuring peer name 6-6 deleting 6-7 PKI configuring for IPSec 7-5 PKI certificates generating 7-5 polling ARP request 6-25 clients 6-25 Port Address Translation (PAT) 2-21 por[...]

  • Page 385

    syslog server, configuring 9-5 Session Logs log entry format 9-6 viewing 9-6 session status filtering display 3-13 Settings tab in a Connection Profile 4-32 in Access Policy 4-45 shared secret 6-7, 6-10 configuring on Access Control Server 6-5 for IPSec 7-4 for RADIUS 5-20 SLC protocol 6-24 small browser[...]

  • Page 386

    V Verify via DNS HTTP proxy filter option 4-78 Virtual LANs (VLANs) 1-6, 2-24 and IP addressing 2-26 and the 700wl system, overview 2-24 specifying tag in Access Policy 4-46 specifying tag in Connection Profile 4-33 VLAN tags in Connection Profiles 4-29 VPN tunneling and Network Address Trans[...]

  • Page 387

    [...]

  • Page 388

    © Copyright 2003 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. June 2004 Manual Part Number 5990-8809[...]