HP 700wl User Manual


Content Summary

Page 1

www.hp.com/go/hpprocurve HP ProCurve Secure Access 700wl Series Management and Configuration Guide

Page 2

Appendix D Appendix E Index of Commands Index Optional Elements C-5 Logon Page Template — A More Advanced Example C-7 Example 2 C-7 Changing the L

Page 3 - CONFIGURATION GUIDE

Configuring Rights » To delete a Location, click the trash can icon at the end of the row. » To create a new Location, click the New Location... but

Page 4

Configuring Rights Time Windows A Time Window is a specification of a period of time, defined by specific dates or date ranges, days of the week, and

Page 5 - CONTENTS

Configuring Rights Creating or Editing a Time Window To create a new Time Window, click New Time Window... at the bottom of the Time Window list. The

Page 6 - Chapter 3 System Status

Configuring Rights Table 4-14. New Time Window Settings Setting Description Valid Days Specify a Time Window by days of the week: • The default is

Page 7

Configuring Rights Figure 4-21. The Access Policies Page The 700wl Series system provides five predefined Access Policies, and a Rights Administrator

Page 8

Configuring Rights Table 4-15. Access Policies Table Contents Column Description Allowed Traffic | Grid A list of the Allowed Traffic Filters selec

Page 9

Configuring Rights Figure 4-22. Access Policies and Allowed Traffic Filters in a Grid Format Each row represents an Access Policy. The Allowed Traffi

Page 10

Configuring Rights Figure 4-23. Access Policies and Redirected Traffic Filters in a Grid Format Each row represents an Access Policy. The Redirected

Page 11 - PREFACE

Configuring Rights Figure 4-24. Creating a New Access Policy, the Settings Tab To create or edit an Access Policy, Step 1. Type a name for the polic

Page 12 - Document Organization

Configuring Rights To add the modified Access Policy as a new Access Policy, leaving the original Access Policy unchanged, click Save As Copy. The Sav

Page 13 - Appendices

PREFACE This preface describes the audience, use, and organization of the Management and Configuration Guide. It also outlines the document convention

Page 14 - Related Publications

Configuring Rights Table 4-16. New Access Policy Settings Tab Contents Column Description VLAN Identifier How a VLAN Identifier (tag) should be han

Page 15 - INTRODUCTION

Configuring Rights Table 4-16. New Access Policy Settings Tab Contents Column Description Key Length (PPTP only) For PPTP, the minimum MPPE (RC4) s

Page 16 - Introduction

Configuring Rights address is valid if it falls within that address range. If the address does not fall within the port’s address range, NAT is used,

Page 17 - 700wl Series Functions

Configuring Rights The Allowed Traffic Tab Allowed Traffic filters are traffic filters that identify packets that are permitted to be forwarded by an

Page 18 - Roaming Support

Configuring Rights Figure 4-25. Creating an Access Policy, the Allowed Filters Tab Note that if the filter you select is one of a DNS or WINS filter

Page 19 - Network Address Translation

Configuring Rights The Allowed Traffic list shows all existing Allowed Traffic filters. These are displayed in alphabetical order if you are creating

Page 20 - VLAN Tag Support

Configuring Rights Table 4-18. Predefined Allowed Traffic Filters Allowed Traffic Filter Description Internal rights UI Allows access to the Rights

Page 21 - USING THE 700WL SERIES SYSTEM

Configuring Rights Figure 4-26. Creating an Access Policy, the Redirected Traffic Tab The Redirected Traffic list shows the following information abo

Page 22

Configuring Rights Note: Redirected Traffic filters are evaluated in the order that they appear in the Redirected traffic list of each Access Policy.

Page 23 - Centralized Administration

Configuring Rights Table 4-20. Predefined Redirected Traffic Filters Redirected Traffic Filter Description No internal IAM UI Redirects Integrated

Page 24

The following notices and icons are used to alert you to important information. Table 2. Notices Icon Notice Type Alerts you to... None Note Help

Page 25 - Using Online Help

Configuring Rights To configure automatic HTTP Proxy filtering for this Access Policy, select the HTTP Proxy tab, as shown in Figure 4-27, and select

Page 26 - Logging Out

Configuring Rights Table 4-21. HTTP Proxy Tab Field Definitions Field/Column Description • Allow FQDN Accept HTTP traffic destined for the specifi

Page 27

Configuring Rights The Bandwidth Tab 700wl Series system version 4.0 provides the ability to limit the bandwidth available to each client to prevent n

Page 28

Configuring Rights Bandwidth Rate Limiting in the 700wl Series system 700wl Series system version 4.0 provides bandwidth rate limiting (or “policing”)

Page 29

Configuring Rights The Linger Timeout The Linger timeout enables the 700wl Series system to force a logoff for clients that have disconnected from the

Page 30

Configuring Rights Figure 4-29. Creating an Access Policy, the Timeout Tab The fields under the Timeout tab are as follows: Table 4-23. Timeout Tab

Page 31 - Left Panel

Configuring Rights Table 4-23. Timeout Tab Field Definitions Field Description Never force users to Allows client sessions to remain connected inde

Page 32 - Main Panel

Configuring Rights Figure 4-30. The Allowed Traffic Filters List The Allowed Traffic list shows the Allowed Traffic filters in alphabetical order, an

Page 33

Configuring Rights » To delete a filter, click the trash can icon at the end of the row. » To create a new filter, click the New Filter... button at

Page 34

Configuring Rights To create or edit an Allowed Traffic filter, do the following: Step 1. Type a name for this filter. You can change the name of an

Page 35 - Common Buttons

Chapter 6–Configuring the Network This chapter describes how to configure the 700wl Series system components so that they work with your enterprise n

Page 36

Configuring Rights Redirected Traffic Filters Redirected Traffic filters are traffic filters that identify packets sent from a client that should be r

Page 37 - System Features and Concepts

Configuring Rights The Redirected Traffic list shows the Redirected Traffic filters in alphabetical order, and includes the following information abou

Page 38 - Enterprise Class Redundancy

Configuring Rights Figure 4-33. Creating a New Redirected Traffic Filter You can create the filter specification in one of two ways: • Specify the t

Page 39

Configuring Rights b. If the protocol requires a destination port, type it into the Port field. If the protocol does not support port specifications,

Page 40 - Bandwidth Management

Configuring Rights Click Cancel to return to the previous page without making any further changes. Built-in and User-defined Address Variables For use

Page 41

Configuring Rights Table 4-26. Predefined Address Variables Address Variable Value/Description @INTERNAL@. The address of the Access Control Server

Page 42

Configuring Rights Table 4-27. Edit Address fields Field Definition Name The name of the variable. May be up to 32 uppercase alphabetic characters

Page 43 - Layer 3 Roaming Support

Configuring Rights Figure 4-36. WINS Filters List The Filter list shows the DNS or WINS filter pairs in alphabetical order, and includes the followin

Page 44

Configuring Rights The Edit Filter pages are almost identical to the New Filter pages, except that the name, description, and server definitions are d

Page 45

Configuring Rights the list, using the multi-select mechanism supported by your browser (typically Ctrl-click and Shift-click). The 700wl Series syste

Page 46 - VLANs and IP Addressing

Index of Commands The Index of Commands is an alphabetized list of the CLI commands with references to the pages where they are documented. Related Pu

Page 47

Configuring Rights Figure 4-38. HTTP Proxy Filters List The HTTP Proxy list shows the HTTP Proxy filters in alphabetical order, and includes the foll

Page 48

Configuring Rights The Edit Filter: HTTP Proxy Traffic page is almost identical to the New Filter page, except that the name, description, and the fil

Page 49 - SYSTEM STATUS

Configuring Rights Table 4-30. HTTP Proxy Filter Types Filter Rule Type Description • Allow Reg Accepts HTTP traffic to a destination specified as

Page 50

Configuring Rights Example–Modifying the “Guest Access” Access Policy The following sections provide examples of how to modify access rights by editin

Page 51 - Viewing Equipment Status

Configuring Rights Step 2. In the Access Policy column of the table, click Guest Access to display the Edit Access Policy page for the Guest Access A

Page 52 - Row Description

Configuring Rights Figure 4-41. The Allowed Traffic filters for the Guest Access Access Policy Step 4. Find the row for the Outside World filter, as

Page 53 - Figure 3-4

Configuring Rights Modifying the Outside World Filter to Restrict Access If the Outside World Allowed Traffic filter is not sufficiently restrictive f

Page 54 - Controller, grouped by slot

Configuring Rights See Appendix B, “Filter Expression Syntax” for details of the tcpdump syntax. Note: Tcpdump syntax is case sensitive. All keywords

Page 55 - Viewing Client Status

Configuring Rights Figure 4-43. Configuring Proxy Filters to limit access for the Guest Access Access Policy Step 3. To create the filters you need,

Page 56

5 CONFIGURING AUTHENTICATION This chapter describes how clients are authenticated through the 700wl Series system, and explains how to configure authe

Page 57 - Viewing Client Details

1 INTRODUCTION This chapter provides a brief introduction to the 700wl Series system™ and its primary features. The topics covered in this chapter inc

Page 58 - Information Description

Configuring Authentication specification, determine a Connection Profile for the client. The client’s identity (who the client is) is determined throu

Page 59

Configuring Authentication client, the username and password is sent to the next service, and so on. If all services in the list fail to authenticate

Page 60 - Viewing Session Status

Configuring Authentication The Rights Manager The configuration of network Authentication Policies is done through the Rights module, accessed by clic

Page 61

Configuring Authentication Figure 5-1. The Authentication Policies Page The Authentication Policies table shows the currently defined Authentication

Page 62

Configuring Authentication Creating or Editing an Authentication Policy To create a new Authentication Policy, click the New Authentication Policy...

Page 63 - Viewing License Information

Configuring Authentication • To edit an Authentication Service, click the name of the service you want to edit, or click the pencil icon at the end o

Page 64 - System Status

Configuring Authentication Figure 5-3. The Authentication Services Page The Authentication Services table shows the currently defined Authentication

Page 65 - CONFIGURING RIGHTS

Configuring Authentication appears (see Figure 5-4). The page initially displays the configuration options for an LDAP Authentication Service. The Edi

Page 66

Configuring Authentication Figure 5-4 shows the configuration page for configuring an LDAP service with non-user binding. For many of the options on t

Page 67

Configuring Authentication The information required to configure an LDAP service for authentication is defined in the following tables. Table 5-3 defi

Page 68

Introduction Figure 1-1 illustrates a 700wl Series system topology that is configured with redundant Access Control Servers for failover. Figure 1-1.

Page 69

Configuring Authentication If you select Non-user bind, the remaining fields on the page are as follows: Table 5-4. LDAP Authentication Configuration

Page 70 - The Rights Assignment Table

Configuring Authentication » For detailed instructions for setting up an Active Directory server, see “Using the Active Directory LDAP Service” on pa

Page 71

Configuring Authentication To use User binding for authentication where the user logon ID is used as the DN, do the following: a. Select User bind fr

Page 72

Configuring Authentication Step 3. Specify some additional options for this LDAP server: a. The timeout value specifies the length of time the 700wl

Page 73

Configuring Authentication Then, do the following: Step 1. Because you are sending a password in the clear, make sure that you are using SSL. Step 2.

Page 74

Configuring Authentication Along with the authentication results, you can obtain the user’s group affiliation from the authentication process. The ret

Page 75 - Identity Profiles

Configuring Authentication Figure 5-6. Creating a New Authentication Service - Kerberos Step 5. Enter the information required to configure a Kerbero

Page 76

Configuring Authentication Configuring a RADIUS Authentication Service Note: The 700wl Series system Access Control Server must be configured as a RA

Page 77

Configuring Authentication The information required to configure the RADIUS service for authentication is defined in Table 5-8 as follows: Table 5-8.

Page 78

Configuring Authentication » To use a RADIUS service for accounting, you must configure a RADIUS server as an Authentication Service, and check the S

Page 79

Introduction Clients that are successfully authenticated, Employees in Figure 1-1, are typically associated with Access Policies that provide access t

Page 80

Configuring Authentication Field Data Acct-Session-ID The unique ID for this client session Acct-Session-Time The seconds this client was logged on

Page 81 - Creating or Editing a User

Configuring Authentication • The Rights Manager uses the group information and the start and stop times from the user profile to temporarily map the

Page 82

Configuring Authentication The information required to configure an XML-RPC authentication service is defined in Table 5-9 as follows: Table 5-9. XML

Page 83

Configuring Authentication These parameters are shown in Table 5-10: Table 5-10. Parameters for Authenticate Call Parameter Type Description userid

Page 84

Configuring Authentication Table 5-11. Name/value Pairs Returned by Authenticate Response Name Type Value and Description validTimes string An ar

Page 85

Configuring Authentication <value><string>Monday:Wednesday:Friday </string></value> </member> <member><name>

Page 86

Configuring Authentication enabled in any other Access Policies that may be in force when a client is required to reauthenticate. The Allowed Traffic

Page 87

Configuring Authentication • First, you must configure an LDAP Authentication Service to be used to retrieve the group identity information. You must

Page 88

Configuring Authentication Logon Page Customization The 700wl Series system Rights Manager provides default Logon, Logoff, Stop, and Guest Registratio

Page 89

Configuring Authentication Through the Rights Manager, you can customize the appearance of the Logon, Logoff and Stop pages in the following ways: •

Page 90 - Get MAC Addresses

Introduction • RADIUS servers • Kerberos services • XML-RPC-based services • The Rights Manager’s built-in database. This is the default authenti

Page 91

Configuring Authentication Customizing a Logon Page To create a new logon customization page, do the following: Step 1. From anywhere within the Righ

Page 92

Configuring Authentication Figure 5-12. New Logon Customization Page Customizing the Logo In the Logos section of the New/Edit Logon Customization pa

Page 93 - Connection Profiles

Configuring Authentication of a small screen. You can change this logo to be a small version of your own logo for use with small browsers. To change e

Page 94

Configuring Authentication Step 2. Place a check mark in the Allow users to specify authentication policies checkbox if you want users to choose a spe

Page 95

Configuring Authentication If you select the Guest Registration option, the Guest Registration page appears as shown in Figure 5-14. Figure 5-14. Gue

Page 96

Configuring Authentication network. However, if the user goes to the logon page again while he/she is still logged on, the logon page indicates that t

Page 97

Configuring Authentication Step 2. In the textbox labeled Stop Page Text enter the text you want to display on the Stop page. This can include HTML f

Page 98

Configuring Authentication Customized Page Templates If you want to create pages that are customized beyond the options provided on the Customize Web

Page 99 - Locations

Configuring Authentication Figure 5-17. Logon Customization: Custom Templates Step 4. In the appropriate field (Logon Page, Logoff Window, Stop Page,

Page 100

Configuring Authentication The page will redisplay showing the loaded image, see Figure 5-18. Note: The template images area shows ALL images availabl

Page 101 - Time Windows

Introduction Because the 700wl Series system identifies clients by MAC address, it is simple to detect when a device roams. A Linger Timeout determine

Page 102 - • The default is Any date

Configuring Authentication Step 7. To indicate that an image is to be used with the customized logon page you are creating, check the box to the left

Page 103 - Access Policies

Configuring Authentication Note: The User Rights Simulator does NOT show you the actual rights of a user who is currently logged on, but shows you th

Page 104 - Configuring Rights

Configuring Authentication Table 5-12. User Rights Simulator Fields Field Description Access Controller and Port The Access Controller, slot and po

Page 105

Configuring Authentication Figure 5-20. Rights for User “ann” if Logged on at the Specified Time and Location The top portion of the Rights results s

Page 106

Configuring Authentication • If the Identity Profile is not what you expected: — For users in the built-in database, the user may have been assigned

Page 107

Configuring Authentication Figure 5-21. The XML Representation of User Rights Tracing Authentication Service Transactions The Transaction Tracer lets

Page 108

Configuring Authentication service is working correctly, the service should return a successful result, including the information associated with that

Page 109 - The Settings Tab

Configuring Authentication Figure 5-23. Results of a traced transaction The Result Parameters contain any parameters returned with the authentication

Page 110 - Column Description

Configuring Authentication » To Import or Export Rights, click the Tools and Options tab visible at the top of any Rights module page, then click the

Page 111

Configuring Authentication Figure 5-25. Rights Export in Progress page While the export is in progress, this page is refreshed every 15 seconds. • T

Page 113 - The Allowed Traffic Tab

Introduction Addressing in the 700wl Series System in Chapter 2, and Chapter 4, Configuring Rights include more extensive discussions of addressing co

Page 114 - DNS or WINS server

Configuring Authentication Figure 5-26. The Import/Export Rights page after a successful rights export Step 3. Under the Last Rights Export heading,

Page 115

Configuring Authentication • To stop the page refresh, click Stop Auto Refresh. • To cancel the import click Cancel. Step 3. When the import has co

Page 116 - The Redirected Traffic Tab

Configuring Authentication 5-54 HP ProCurve Secure Access 700wl Series Management and Configuration Guide

Page 117

6 CONFIGURING THE NETWORK This chapter describes how to configure the 700wl Series system components so that they work with your enterprise network. T

Page 118

Configuring the Network 700wl Series System Components When you first click on the Network icon the System Components page appears, as shown in Figure

Page 119 - The HTTP Proxy Tab

Configuring the Network From this list you can click a component name or click the pencil icon at the right of the row to edit the component’s name an

Page 120 - Field/Column Description

Configuring the Network DHCP (the default) will boot up and run properly without a shared secret configured, but Access Controllers will not be able t

Page 121

Configuring the Network Note: The IP address can be changed under the Network Setup tab, along with other network configuration settings. The fields

Page 122 - The Bandwidth Tab

Configuring the Network Table 6-2. Edit Access Control Server page field definitions Field/Option Description Redundancy Preferred Primary Access Co

Page 123 - The Timeout Tab

Configuring the Network Deleting a Peer Access Control Server You must disable redundancy by editing the Primary Access Control Server configuration b

Page 124 - The Reauthentication Timeout

2 USING THE 700WL SERIES SYSTEM This chapter provides a brief introduction to using the 700wl Series system and its Administrative Console. It also pr

Page 125 - Field Description

Configuring the Network Editing the Integrated Access Manager Configuration The Integrated Access Manager is typically configured with its network con

Page 126 - Allowed Traffic Filters

Configuring the Network The Edit Integrated Access Manager page appears as shown in Figure 6-4. Figure 6-4. Edit Integrated Access Manager page The f

Page 127

Configuring the Network Table 6-3. Edit Integrated Access Manager page field definitions Field/Option Description NAS-ID/Description A description

Page 128

Configuring the Network With the exception of the Access Control Server IP address and shared secret, Access Controllers are configured centrally from

Page 129

Configuring the Network Table 6-4. Edit Access Controller page fields Field/Checkbox Description Name An alphanumeric name for the Access Controlle

Page 130 - Redirected Traffic Filters

Configuring the Network You can modify an Access Controller’s name, administrator username and password, folder, SSH access permissions, and the Acces

Page 131

Configuring the Network Figure 6-6. New Folder Page » To change the name of a folder, click the folder name in the System Components List, or cli

Page 132

Configuring the Network Configuring Failover with Redundant Access Control Servers Please read the section “Enterprise Class Redundancy” on page 2-18

Page 133

Configuring the Network Step 4. When you are ready to initiate the peer relationship and start the data synchronization process, check the Enable Red

Page 134

Configuring the Network • Under Network, only the System Components, Network Setup, Interfaces, and Date & Time tabs are available. • Under Maint

Page 135

Using the 700wl Series System • Primary and secondary DNS server addresses • Shared secret, used to enable Access Controllers or a peer Access Contr

Page 136 - DNS/WINS Filter Pairs

Configuring the Network » To access the Network Setup pages, click the Network icon in the Navigation Toolbar, then select the Network Setup tab. Net

Page 137

Configuring the Network Network Communication–the Basic Setup Tab To configure the basic network communication settings for a 700wl Series system comp

Page 138

Configuring the Network Edit the contents of the fields on this page as appropriate. The fields and their settings are defined in Table 6-5. Table 6-5

Page 139 - HTTP Proxy Filters

Configuring the Network Table 6-5. Basic Setup tab fields Field Description Secondary DNS The IP address of the secondary DNS server Primary WINS

Page 140

Configuring the Network Figure 6-9. Network Setup: Advanced Setup page for an Integrated Access Manager 6-22 HP ProCurve Secure Access 700wl Series

Page 141

Configuring the Network Access Control Server Configuration Advanced Options The following settings appear on this page if you are configuring an Acce

Page 142

Configuring the Network Access Controller Advanced Configuration Options The following settings appear on this page if you are configuring an Access C

Page 143

Configuring the Network The following are the specifications in tcpdump syntax for the predefined bridging options: Table 6-7. Tcpdump syntax for pre

Page 144

Configuring the Network the client’s rights. Depending on the Wireless Data Privacy mechanism and the type of addressing in force, the client’s existi

Page 145 - Step 4

Configuring the Network You can specify an external proxy server, or the 700wl Series system can act as the proxy server and handle the traffic accord

Page 146

Using the 700wl Series System The 700wl Series system provides three levels of administrator access: • A Network Administrator can configure the netw

Page 147

Configuring the Network available, the HTTP Proxy Server on the Access Controller will cycle to the next available IP address. Step 4. In the Proxy S

Page 148

Configuring the Network Figure 6-11. Network Settings: SSL Tab (Integrated Access Manager or Access Control Server only) The information at the top o

Page 149 - CONFIGURING AUTHENTICATION

Configuring the Network Requesting an SSL Certificate To generate an SSL Certificate Signing Request (CSR): Step 1. From the SSL tab, click Generate

Page 150 - Configuring Authentication

Configuring the Network Figure 6-13. The Certificate Signing Request You can use this certificate signing request either to request a certificate fro

Page 151

Configuring the Network Loading the SSL Certificate When you receive your certificate from the CA, you can either copy the certificate information and

Page 152 - Authentication Policies

Configuring the Network Save and Restore Private Key The CSR you generate is based on a private key. If the private key is lost or regenerated, any CS

Page 153

Configuring the Network Caution: Restoring a saved private key will invalidate an SSL certificate based on the current (different) private key. Restor

Page 154

Configuring the Network Figure 6-16. Example of a Port Connection Type selection list To configure a port for a specific connection type, do the foll

Page 155

Configuring the Network Note: If you want to set a port to half-duplex, but half-duplex is not offered as an option in the drop-down list, you will ne

Page 156

Configuring the Network uplink port so that the default uplink (slot 0 port 2 on a 700wl Series system) is now a downlink port, then that port will ap

Page 157

Using the 700wl Series System • Enable or disable Wireless Data Privacy protocols, configuring the address method and range for VPN tunneling, and co

Page 158

Configuring the Network configured to support routing the addresses you have configured for your ports through the Access Controller uplink port. For

Page 159 - Field/Option Description

Configuring the Network Figure 6-19. SNMP Page Step 2. Select the system component for which you want to enable SNMP from the System Components List.

Page 160 - If you select

Configuring the Network Note: Include a trap IP address only if you have an SNMP trap receiver listening for this information. HP proprietary SNMP tr

Page 161

Configuring the Network Figure 6-20. Date & Time Page Step 2. Using the System Components List on the left select the component for which you wis

Page 162

Configuring the Network The format for the date is MM/DD/YYYY. For example, June 4, 2003 would be entered as 06/04/2003. The format for the time is HH

Page 163

Configuring the Network Figure 6-21. Admin Setup page Step 2. Click New Admin... The New Admin page appears (see Figure 6-20). Figure 6-22. Admin S

Page 164

Configuring the Network Table 6-8. New/Edit Admin Fields Field Description Name A descriptive name that identifies the Administrator. It can be the

Page 165

Configuring the Network • To edit an administrator account, click the administrator’s Name or Username, which are links to the Edit Admin page, or cl

Page 166

Configuring the Network 6-46 HP ProCurve Secure Access 700wl Series Management and Configuration Guide

Page 167

7 SETTING UP WIRELESS DATA PRIVACY This chapter explains how to configure the global settings for the security protocols. The topics covered in this c

Page 168 - Using RADIUS for Accounting

Using the 700wl Series System Note: It is strongly recommended that you change the built-in administrator logon name and password as soon as possible

Page 169 - Accounting Packet Data

Setting up Wireless Data Privacy The encryption policy that defines how encryption applies to a specific client is determined through the Access Polic

Page 170

Setting up Wireless Data Privacy Figure 7-1. The Wireless Data Privacy tab Global Wireless Data Privacy Configuration Select the Wireless Data Privac

Page 171

Setting up Wireless Data Privacy The fields and settings under the Configuration for IPSec heading of the Wireless Data Privacy tab are as follows: Ta

Page 172 - The Remote Profiles API

Setting up Wireless Data Privacy Table 7-1. IPSec configuration settings Field Description ESP Encryption Select the appropriate algorithms for ESP

Page 173

Setting up Wireless Data Privacy Figure 7-2. The IPSec Certificate Configuration tab By default the Current Certificate area of the page shows “No ce

Page 174

Setting up Wireless Data Privacy Step 3. Fill in the information in this form: a. Type the name in which the certificate should be granted. This can

Page 175 - NT Domain Logon

Setting up Wireless Data Privacy Step 6. Copy and paste the generated PKCS#10 certificate request, including the lines ----BEGIN CERTIFICATE REQUEST-

Page 176 - External Identity Retrieval

Setting up Wireless Data Privacy You may need to enter the request ID or confirmation information you received when you submitted your certificate req

Page 177

Setting up Wireless Data Privacy Figure 7-7. The Load Certificates page Step 12. Copy and paste the two certificates from your CA’s web site into the

Page 178 - Logon Page Customization

Setting up Wireless Data Privacy Figure 7-8. The Certificates tab showing an installed certificate Step 13. Immediately create and save a backup of y

Page 179

Using the 700wl Series System — Links within the page contents — Related Topics menu displayed using the Related Topics button Related Topics links:

Page 180 - Customizing a Logon Page

Setting up Wireless Data Privacy The default is to have addresses assigned by a DHCP server. » To configure the IP Address assignment method for the

Page 181 - Customizing the Logo

Setting up Wireless Data Privacy • The first DHCP request is taken to be a request for an outer tunnel address, and NAT is ALWAYS used, even if the A

Page 182

Setting up Wireless Data Privacy 7-14 HP ProCurve Secure Access 700wl Series Management and Configuration Guide

Page 183 - Guest Registration

8 SYSTEM MAINTENANCE This chapter explains how to perform common administrative tasks including creating, storing, and restoring a back up file, updat

Page 184 - Logoff Page Option

System Maintenance Figure 8-1. Software Setup page Step 2. From the System Components list in the left panel, select the component (Access Control Se

Page 185 - Customizing the Stop Page

System Maintenance Access Controller and using the Wireless Data Privacy protocols will temporarily lose their connections, and any remote CLI session

Page 186

System Maintenance Figure 8-2. The Update Software page From the Remote Update page you can initiate a software update from a remote FTP, TFTP, or HT

Page 187 - Customized Page Templates

System Maintenance Remote Update The information that is required to update the software image from a remote site is described in Table 8-2. Table 8-2

Page 188

System Maintenance If you want to check for upgrades on an alternate download site, you must enter the appropriate URL. Step 2. Click Check for Upgra

Page 189

System Maintenance Select Continue to proceed with the upgrade, or Cancel to return to the previous page without proceeding. Note: If your currently i

Page 190 - Tools and Options

Using the 700wl Series System Using the Administrative Console When you first logon to the Administrative Console, your browser displays the Equipment

Page 191

System Maintenance If you enable Auto Refresh, the status page refreshes approximately every 15 seconds, displaying updated status information. After

Page 192

System Maintenance Variable Value update_file Filename (including the path) of the software image Please contact HP ProCurve Technical Support for i

Page 193

System Maintenance Step 2. In the 700wl Series system Administrative Console, under Maintenance/Software Update, select the Local Update tab to displ

Page 194

System Maintenance Figure 8-5. The Local Update Tab of the Update Software Function Step 3. In the Uploaded Software Versions table, select the row

Page 195

System Maintenance Step 6. In the .vdist File field, type the full path and name of the distribution file you downloaded, or click Browse to locate t

Page 196

System Maintenance Caution: Restarting an Access Control Server or Integrated Access Manager will log off all clients on all Access Controllers. If po

Page 197

System Maintenance Note: You cannot restore from the internal backup image. You can only restore from an external file. Therefore, you must save the b

Page 198 - Exporting Rights

System Maintenance Figure 8-8. Backup Confirmation Click Continue to proceed, or Cancel to return to the Backup & Restore page without creating t

Page 199

System Maintenance Figure 8-10. Backup & Restore page after a successful backup » To save the backup to a file, click Save Backup As... This in

Page 200 - Importing Rights

System Maintenance Figure 8-11. Restore In Progress Confirmation Step 3. To proceed with the restore, click Continue. As part of the restore operatio

Page 201

Using the 700wl Series System Figure 2-4. Header and Navigation Bars for an Access Control Server Information at the right side of the Header bar sho

Page 202

System Maintenance Warning: DO NOT restore a backup to a duplicate Access Control Server that is connected to the same network as the original Access

Page 203 - CONFIGURING THE NETWORK

System Maintenance Figure 8-12. The Shutdown/Restart tab Restarting a System Component Restarting a component will briefly shutdown the unit, then re

Page 204 - The System Components List

System Maintenance Figure 8-13. Restart Confirmation Step 3. To proceed with the restart, click Continue. To cancel the restart, click Cancel. Shutti

Page 205 - Configuring the Network

System Maintenance Step 3. To proceed with the shutdown, click Continue. To cancel the shutdown, click Cancel. Resetting to Factory Default Settings R

Page 206

System Maintenance restore your configuration, you must restore from a backup image that was created and saved to an external file before the reset. A

Page 207

9 LOGS This chapter presents tasks you can perform with these types of logging. Viewing 700wl Series System Logs

Page 208

Logs Figure 9-1. Log file display The Log File display table shows the log entries that exist at the moment you request the display. By default, the

Page 209

Logs The log file display itself shows the following information: Table 9-2. Log file display Column Description (empty) This column is used to cal

Page 210 - » To ed

Logs — Categories: All Categories (default), Error, Info, Debug, Function Trace, Object Trace, Session Log. This is a multiple selection box—by using

Page 211

Logs Figure 9-2. Setting Up Session Logging Step 2. Type the information and select options as defined in Table 9-3. Table 9-3. Logging Setup Fields

Page 212

Using the 700wl Series System For details, refer to Chapter 4, Configuring Rights and Chapter 5, Configuring Authentication. Network The Network pages

Page 213

Logs Note: Accurate time and date reporting is necessary for accurate and useful logs. To set the time and date, use the Date & Time tab in the N

Page 214 - Field/Checkbox Description

Logs Table 9-4. Session Log information Data Item Definition Actual Destination The actual destination IP address and port, if redirected or tunnel

Page 215

Logs 9-8 HP ProCurve Secure Access 700wl Series Management and Configuration Guide

Page 216 - Folders vs. Locations

A COMMAND LINE INTERFACE This appendix documents the commands that are available on the serial console as part of the Command Line Interface (CLI). Th

Page 217

Command Line Interface Accessing the Command Line Interface There are two ways to access the Command Line Interface—either by directly connecting a se

Page 218

Command Line Interface Command Syntax You may see a variety of symbols shown as part of the command syntax. These symbols explain how to enter the com

Page 219 - Disabling Redundancy

Command Line Interface This produces the following output: "add" commands: add bridging ... Add bridging options add snmpmanager ... Add a

Page 220

Command Line Interface set superadmin pass | enable | disable <login> Set the password for a superadmin. Enable or disable a superadmin login. p

Page 221

Command Line Interface show policyadmin [<login>] Show a specific policyadmin by specifying a login, or list all policy admins by not specifying

Page 222 - Table 6-5

Command Line Interface 00:e0:18:7d:b5:3d 10.205.2.25 4 hrs, 50 mins show id Displays this system’s ID, which is the MAC address of Slot 0 port 1. On

Page 223

HP PROCURVE SECURE ACCESS 700WL SERIES MANAGEMENT AND CONFIGURATION GUIDE

Page 224

Using the 700wl Series System . Status Rights Network VPN Maintenance Logs • Equipment • Rights Setup • System • Wireless Data • Softwar

Page 225 - DHCP Network for NAT Clients

Command Line Interface show deviceport <device> Shows the port or slot and port for a device. <dev

Page 226 - Bridging

Command Line Interface Network Configuration Commands set hostname <hostname> Note: This command is supported on the Access Control Server or In

Page 227 - Client Polling

Command Line Interface show ip Shows the current IP configuration. Output from this command looks similar to the following: Hostname: Domain Name: xy

Page 228 - Forward IP Broadcasts

Command Line Interface set dns <primary-ip-address> [<secondary-ip-address>] Note: This command is supported on the Access Control Server

Page 229

Command Line Interface Sets the IP addresses of the WINS servers. <primary-ip-address> The IP address of the primary WINS server for the system

Page 230 - SSL Certificate

Command Line Interface set portmedia {<port> | <slot>/<port>} "<media> [<media-option>]" Sets the port media

Page 231

Command Line Interface show portip Displays the current IP address and netmask settings, if set, for all ports in the system. Output from this command

Page 232

Command Line Interface Note: This command is not available on an Integrated Access Manager. Advanced Network Configuration Status show bridging Shows

Page 233

Command Line Interface show ac [mac <mac-address>] Shows Access Controller settings for one or all Access Controllers connected to the Access Co

Page 234 - Loading the SSL Certificate

Command Line Interface show redundancy Shows the current redundancy (failover) settings. For example: show redundancy Redundancy config

Page 235 - Save and Restore Private Key

Using the 700wl Series System Left Panel The left panel contains explanatory or descriptive text about the page and its functions. It also contains co

Page 236

Command Line Interface Advanced Network Configuration set natdhcp <ip-address> <subnetmask> [<lease-time> [<time-units>] ] Set

Page 237 - Click the Speed/Duplex tab

Command Line Interface remote datetime <ip-address> <date> <time> Sets the date and time on the system at <ip-address>. <da

Page 238

Command Line Interface remote reboot <ip-address> Reboot the system at <ip-address> remote rebootalt <ip> Reboot the system at <i

Page 239

Command Line Interface remote upgradereboot <ip-address> <url> <key> Upgrades the system at the specified IP address and reboots the

Page 240 - Configuring SNMP

Command Line Interface set pptp on | off Enables or disables PPTP. set l2tp on | off Enables or disables L2TP. set ipsecsecret [ <secret> <se

Page 241

Command Line Interface show vpn Note: Even though you can only configure Wireless Data Privacy settings from the Access Control Server or Integrated A

Page 242 - Setting the Date and Time

Command Line Interface show clients [mac <mac-address>] [sort {mac | ip | user | machine | port | sessions | idle} ] [reverse] Lists all active

Page 243 - » To set the time manually:

Command Line Interface <stance>Deny</stance> </ipsec> <pptp> <stance>Deny</st

Page 244 - Setting Up Administrators

Command Line Interface If you respond Y to continue with the backup, the following reminder appears: NOTE: After creating the backup image, you must

Page 245

Command Line Interface show backup Displays information about the list of local backups and the status of a running store backup or get backup task. O

Page 246

Using the 700wl Series System Display Filters and Auto Refresh Settings Some data, such as the contents of the log, can be very lengthy. To control th

Page 247

Command Line Interface reboot Automatically reboot after installing the upgrade. The upgraded software is activated when the system is rebooted. vers

Page 248

Command Line Interface cancel upgrade Cancels the current get upgrade task. set upgradeproxy [on | off] [host <ip-address> [<port> ] ] [u

Page 249

Command Line Interface shutdown Shuts down the system. You are prompted to confirm that you want to shut down the system: This operation will shutdown

Page 250 - Wireless Data Privacy Setup

Command Line Interface • info: show all information, notice, warning, error, and critical log entries <lines> The maximum number of lines to be

Page 251 - Configuration for IPSec

Command Line Interface Translates to: nslookup -timeout=10 <hostname> ping {<ip-address> | <hostname>} Pings an IP address or a hos

Page 252

Command Line Interface traceroute {<ip-address > | <hostname>} [<hops> [<probes> [<probewait> ] ] ] Displays the trace

Page 253

Command Line Interface clear ntpserver Clears the NTP servers IP address or hostnames. This command also disables the NTP service if it was enabled. s

Page 254 - Figure 7-4

Command Line Interface Controller. To modify these settings on an Access Controller, you must use the Administrative Console on the managing Access Co

Page 255

Command Line Interface set snmpcontact <contact> Sets the SNMP sysContact object, defined in RFC 1213 as “the textual identification of the cont

Page 256

Command Line Interface Trap IP Address: None Authorized Managers: None HP ProCurve Secure Access 700wl Series Management and Configuration Guide A

Page 257 - Step 11

Using the 700wl Series System Tables In configure tables, each row in a table typically displays the key items that define the element represented by

Page 258

Command Line Interface A-38 HP ProCurve Secure Access 700wl Series Management and Configuration Guide

Page 259 - Step 13

B FILTER EXPRESSION SYNTAX This appendix describes the syntax used to define user access rights (allowed traffic filters and redirected traffic filter

Page 260

Examples are: “fddi src myHost”, “ip net 122.43”, and “udp port 44”. fddi is an alias for ether; they are treated identically as meaning “the data

Page 261

Table B-1. Allowable Primitives (Continued) Primitive Explanation host host True if either the source or destination of the packet is host. ether d

Page 262

Table B-1. Allowable Primitives (Continued) Primitive Explanation ip6 proto protocol True if the packet is an IPv6 packet of protocol type protocol

Page 263 - SYSTEM MAINTENANCE

Table B-1. Allowable Primitives (Continued) Primitive Explanation ether proto protocol True if the packet is of ether type protocol. Protocol can b

Page 264 - Updating the System Software

Table B-1. Allowable Primitives (Continued) Primitive Explanation expr relop expr True if the relation holds, where • relop is one of >, <,

Page 265 - System Maintenance

C CREATING CUSTOMIZED TEMPLATES This Appendix explains how to develop custom templates for the Logon page, the optional Logoff pop-up page, and the o

Page 266

A Simple Logon Page Template Example The 700wl Series system logon page, in its simplest form, consists of two fields where the user enters his/her us

Page 267 - Remote Update

<!-- required functions --> @satmac() @interface() @java_works() @secret() @query() </FORM> </body> </html> The template file

Page 268 - Downloading an Upgrade

Using the 700wl Series System Figure 2-10. Data Tables Sortable column • Sortable Column Headings In some tables you can sort the items in the table

Page 269

Required Elements Form Tag <FORM action=/logon method=post name=logonForm> For the logon page only, there must be a form with the name attribute

Page 270

• @satmac(). This function returns an INPUT element of type hidden, with a value that is the client’s MAC address. • @interface(). This function ret

Page 271 - Local Update

In addition to including the realm field on the custom login page, the User specified authentication realm check box must be checked (on the Rights Ma

Page 272

@set("variable", "value") Sets the value of a run-time variable. For example, to set the variable “month” to the month a client’s rights expire, you

Page 273

</head> <body bgcolor="FFFFFF"> <!-- specifies an image and a solid black line at the top of the form. The image must be stor

Page 274

@secret() @query() <!-- Displays user and password fields, and three buttons, in a table --> <table width="600" cellspacing="

Page 275

Figure C-2. Three-button logon page Changing the Logon Button Names If you want to change the names that appear on the buttons on the Logon page, you

Page 276 - Creating the Backup Image

Example 3 <FORM action="/cgi-bin/logon" method=post name=logonForm> (This is the FORM statement required at the beginning of the Logo

Page 277 - Saving the Backup as a File

Customizing the Logon Page Messages There are a number of informational messages that may appear on the Logon page in certain circumstances. These mes

Page 278 - Restoring From a Backup File

Guest Registration Template To configure a location to allow custom guest registration, there are three elements that must be in place: • Your main c

Page 279 - Continue

Using the 700wl Series System Common Buttons The following table lists the common buttons used in the Administrative Console and gives their meaning.

Page 280

The page generated by this template is shown in Figure C-3. Example 4 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

Page 281 - Step 2. Click Restart Now

<tr> <td align="right"><font size="2"> Last Name:</font></td> <td align="left"><

Page 282

Figure C-3. Guest Registration page produced by the template in Example 4 Using a Logoff Pop-Up with a Customized Logon Page One of options for user

Page 283

The required elements in a Logoff Pop-up template are: Form Tag: <FORM action=/logon method=post name=logoffForm> A form with the name logoffFor

Page 284

This generates the pop-up window shown in Figure C-4. Figure C-4. Logoff pop-up window When the user clicks the Logoff button, the Login window is im

Page 285 - LOGS in the Navigation bar

Figure C-5. Logoff confirmation window When you click the link, in this window, a fresh Logon page opens in a new window. To customize this logoff co

Page 286

C-20 HP ProCurve Secure Access 700wl Series Management and Configuration Guide

Page 287

TROUBLESHOOTING D This appendix presents troubleshooting procedures for the 700wl Series system. Table D-1 shows the symptoms, probable cause and reco

Page 288 - Configuring Session Logging

Table D-1. System Configuration Troubleshooting Guide (Continued) RADIUS Authentication not 1. RADIUS configuration incorrect Test client authentic

Page 289 - • Log successful logons

Table D-1. System Configuration Troubleshooting Guide (Continued) Symptom(s) Probable Cause Recommended Action Client has incorrect access Rights

Page 290 - Viewing the Session Logs

Using the 700wl Series System Basic System Configuration Tasks When you have completed the installation of your 700wl Series system following the inst

Page 291

D-4 HP ProCurve Secure Access 700wl Series Management and Configuration Guide

Page 292

GLOSSARY E The glossary defines terms that are used throughout the 700wl Series system. Some of the following terms are in common usage but may have 7

Page 293 - COMMAND LINE INTERFACE

Term Definition AH Authentication Header protocol. AH digitally signs the entire contents of each packet, protecting your network against three kind

Page 294 - Connecting Using SSH

Term Definition CLI Command Line Interface: 700wl Series system Access Controllers, Integrated Access Managers, and Access Control Servers all have

Page 295 - Getting CLI Command Help

Term Definition DNS Domain Name Server - A DNS translates Internet domain names such as xyzcorp.com, into IP addresses. Downlink port A port on an

Page 296

Term Definition HTTP Proxy A Web server that sits between a client application, such as a Web browser, and a real server. It intercepts all request

Page 297

Term Definition IKE A part of IPSec: IKE=Internet Key Exchange (Negotiates session parameters for the authentication header and ESP. Sets up Securit

Page 298

Term Definition L2F Layer 2 Forwarding; a tunneling protocol from Cisco L2TP Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Po

Page 299

Term Definition Outer Tunnel Address The IP address associated with a PPTP or L2TP connection within which the client traffic is encapsulated. This

Page 300

Term Definition Session redirectors Client TCP and UDP sessions can be redirected from their original destination IP address or port. SNMP Simple N

Page 301

Using the 700wl Series System System Features and Concepts The following sections provide an introduction to some of the key concepts and functions th

Page 302

Term Definition tcpdump A program that prints out the headers of packets on a network interface that match a specified filtering criteria. The synta

Page 303

Term Definition Web server Network host that acts as an HTTP server; a computer that provides World Wide Web services on the Internet; it includes t

Page 304 - Port Configuration Commands

Term Definition XML-RPC XML-RPC is designed to be a simple procedural way for a client program to make function requests of another program. It prov

Page 305

INDEX OF COMMANDS A add snmpmanager <hostname> | <ip-address> [/<mask>]

Page 306

delete policyadmin <login>

Page 307

remote upgradecheck <ip-address> <url>

Page 308

set syslogserver <ip-address> [<facility>]

Page 309

T traceroute {<ip-address > | <hostname>} [<hops> [<probes> [<probewait> ] ] ]

Page 310 - Remote Commands

IOC-6 HP ProCurve Secure Access 700wl Series Management and Configuration Guide

Page 311

INDEX Numerics 802.1Q VLAN tag specifying in Access Policy 4-46 specifying in Connection Profile 4-33 802.1x configuring as authentication service 5-

Page 312

Using the 700wl Series System Figure 2-12. Access Controller Redirect Page Enterprise Class Redundancy The 700wl Series system supports Access Contro

Page 313

changing username/password on Integrated Access Manager 6-10 changing username/password on Integrated System 6-12 default name and password 2-4 log

Page 314

browser-based logon 1-3, 5-2 Built-in authentication service 5-2 built-in database 4-16 adding Access Points 4-22 adding users 4-17 network equip

Page 315

Ethernet bridging, enabling 6-24 Expire timer, See reauthentication timeout export rights 5-50 External 4-51 external identity retrieval 5-28 F Fai

Page 316 - The following command:

LDAP service authentication troubleshooting D-2 configuring for authentication 5-9 configuring MAC address retrieval 4-26 non-user binding 5-10 ret

Page 317 - Backup and Restore

P password changing for administrator 2-5 troubleshooting D-1 PDAs logon page options 5-33 peer Access Control Server configuring peer name 6-6 delet

Page 318

syslog server, configuring 9-5 Session Logs log entry format 9-6 viewing 9-6 session status filtering display 3-13 Settings tab in a Connection Prof

Page 319

V Verify via DNS HTTP proxy filter option 4-78 Virtual LANs (VLANs) 1-6, 2-24 and IP addressing 2-26 and the 700wl system, overview 2-24 specifying

Page 321

© Copyright 2003 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. June 2004 Manual Part

Page 322 - Diagnostic and Log Commands

Using the 700wl Series System The communication between the two peer Access Control Servers is done via a proprietary message based protocol over TCP/

Page 323

© Copyright 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. This document contain

Page 324 - TRL-C. Upon

Using the 700wl Series System or has some other configuration information you would prefer not to lose. The act of making it a secondary Access Contro

Page 325 - Time Configuration

Using the 700wl Series System If a client is logged onto the 700wl Series system using PPTP or IPSec encryption, overhead related to packet encryption

Page 326

Using the 700wl Series System You specify the addressing mode for a client through the Access Policy. The 700wl Series system default is NAT mode. Not

Page 327

Using the 700wl Series System Controller. If the client is using a real IP address, all sessions must be tunneled back through the original Access Con

Page 328

Using the 700wl Series System How the 700wl Series system handles roamed sessions depends on the protocol used by the client to connect to the 700wl S

Page 329 - Authorized Managers: None

Using the 700wl Series System Figure 2-13. Connection Profile for Traffic Tagged with VLAN 10 You can then define an Access Policy that should apply

Page 330

Using the 700wl Series System In this case, Authenticated clients with VLAN 20 tag will match the first row in the table, and will receive access righ

Page 331 - FILTER EXPRESSION SYNTAX

Using the 700wl Series System • Create a variation of the default “Unauthenticated” Access Policy that includes the same access rights (which basical

Page 332 - Tcpdump Primitives

Using the 700wl Series System One way to work with this limitation is to place a switch between the Access Points and the Access Controller, with a se

Page 333 - Primitive Explanation

3 SYSTEM STATUS This chapter explains how to view the system status tables of the 700wl Series system. You can view the status of any and all system e

Page 334

CONTENTS Preface Chapter 1 Introduction 700wl Series Overview 700wl Series Functions Client Authentication Client Access Rights Wireless Data Privac

Page 335

System Status Figure 3-1. Getting to Status Information There are four tabs in the status module: • Equipment Status presents an overview of the stat

Page 336

System Status If a display has more entries than will fit on one page (based on the Rows per Page filter setting), page navigation controls are enable

Page 337 - REATING CUSTOMIZED TEMPLATES

System Status Viewing Access Control Server Status The Access Control Server status table, as shown in Figure 3-3, shows the following information: Ta

Page 338 - Example 1

System Status Figure 3-3. Access Control Server Tab for the Primary Access Control Server in a redundant configuration Viewing Access Controller Stat

Page 339 - Logon Template Elements

System Status Figure 3-4. Access Controller Detail Page The Access Controller Detail page shows general status information for the Access Controller

Page 340 - Required Elements

System Status Table 3-3. Access Controller Detail Page: System Inventory Display Column Description Status This column shows: • The MAC address o

Page 341 - Optional Elements

System Status » To display the client status, select the Access Controller and client type filtering parameters from the left panel and click Apply F

Page 342 - Miscellaneous Functions

System Status Filtering Client Status Information To make it easier to find the information you need from a client status page, you can filter the dis

Page 343 - Example 2

System Status Figure 3-6. Client Detail Page The following information is displayed on this page: Table 3-6. Active Client detail information Inform

Page 344

System Status Table 3-6. Active Client detail information Information Description Current Access Information about the Access Controller through wh

Page 345

Chapter 3 System Status Viewing Status Information Viewing Equipment Status Viewing Access Control Server Status Viewing Access Controller Status Vi

Page 346

System Status Figure 3-7. Client Detail page showing current rights in XML The Client Detail User Rights display shows the row in the Rights Table th

Page 347 - Example 3

System Status The View Active Sessions page appears, as shown in Figure 3-8. Figure 3-8. Session Status Page » To filter the session data, select th

Page 348

System Status Table 3-7. View Active Sessions Information Column Description Client Source Client Source: The IP address and port of the client sys

Page 349 - Guest Registration Template

System Status Table 3-8. Session Status Filtering Parameters Filter by: Details Access Controllers Lets you display only sessions for a selected Ac

Page 350 - Example 4

System Status Figure 3-9. License Information Page 3-16 HP ProCurve Secure Access 700wl Series Management and Configuration Guide

Page 351

4 CONFIGURING RIGHTS This chapter describes how network access rights are assigned to clients through the 700wl Series system, and explains how to con

Page 352

Configuring Rights Time Window in which the connection exists, and optionally, a VLAN tag, to match the client to a Connection Profile. The combinatio

Page 353 - Example 5

Configuring Rights The network administrator configures network access control policies by defining Identity Profiles, Connection Profiles and Access

Page 354

Configuring Rights • An Access Policy defines aspects of how a client interacts with the network. The Access Policy defines what traffic is allowed t

Page 355

Configuring Rights the Client Status tab under the Status button, and click Refresh User Rights Now. You can also refresh rights for individual client

Page 356

Modifying the Outside World Filter to Restrict Access Setting Up HTTP Proxy Filters Chapter 5 Configuring Authentication Authentication in the 700wl

Page 357 - TROUBLESHOOTING

Configuring Rights Connection Profiles once the Access Controllers have been installed and the appropriate Locations have been created. b. Create Tim

Page 358

Configuring Rights Series system is matched to a row in the table based on its Identity Profile and Connection Profile, and receives access rights as

Page 359

Configuring Rights the new identification information. The user will now match one of the Identity Profiles near the top of the table. For example: •

Page 360

Configuring Rights Note: It is important that rows with the “Access Points” Identity Profile appear in the table before rows that contain the “Any” Id

Page 361 - GLOSSARY

Configuring Rights Figure 4-3. The New Rights Assignment Page Each field on this page contains a drop-down list from which you can select the compone

Page 362 - Term Definition

Configuring Rights Step 2. Specify where in the table the new row should be placed. Order is important in matching a client to a row. The default posi

Page 363

Configuring Rights Figure 4-4. The Identity Profiles Page The 700wl Series system provides three predefined Identity Profiles, and a Rights Administr

Page 364

Configuring Rights Creating or Editing an Identity Profile To create a new Identity Profile, click the New Identity Profile... button at the bottom of

Page 365

Configuring Rights Figure 4-6. Creating a New Identity Profile, with User list displayed From this page, with the Users or Network Equipment list dis

Page 366

Configuring Rights Limiting the number of logons per user does not prevent a user from logging on with that username and password—rather it prevents t

Page 367

SSL Certificate Configuring Network Interfaces Configuring the Port Speed and Duplex Settings Port Subnet IP Address and Subnet Netmask Configuring SN

Page 368

Configuring Rights Users in the Built-In Database Many organizations choose to authenticate their wireless users against a corporate database or authe

Page 369

Configuring Rights Table 4-2. Users Page Field Definitions Field Description Identity Profile Assignment The Identity Profile to which the user has

Page 370

Configuring Rights Figure 4-8. Adding a New User The fields on this page are as follows: Table 4-3. New User Fields Field Description Name A descr

Page 371

Configuring Rights Table 4-3. New User Fields Field Description Username/MAC Address The user’s username (logon ID) or MAC address. A user may be i

Page 372

Configuring Rights Step 2. Select the Identity Profile to which this user should be assigned by clicking the appropriate checkbox in the Identity Pro

Page 373 - INDEX OF COMMANDS

Configuring Rights correctly in the system, however, if you want to manage these devices from within the 700wl Series system, you may want to assign t

Page 374

Configuring Rights From the Network Equipment page you can also go directly to the Identity Profiles page or to the Users page by clicking the link ne

Page 375

Configuring Rights The fields on this page are as follows: Table 4-5. New Network Equipment Fields Field Description Name A descriptive name for th

Page 376

Configuring Rights To edit a Network Equipment entry in the built-in database, do the following: » Edit the fields to change the descriptive name or

Page 377

Configuring Rights an individual record for the MAC address. For example, suppose the record identified by cn=MACS contained the following values for

Page 378

Appendix A Command Line Interface Accessing the Command Line Interface Connecting with a Serial Console Connecting Using SSH Using the CLI on an Int

Page 379 - Numerics

Configuring Rights Note: If you have an LDAP service configured for user binding, that service does not appear in this list. » To configure or chang

Page 380

Configuring Rights Figure 4-12. Configuring MAC Addresses Retrieval Parameters for an LDAP Service The fields on this page are as follows: Table 4-6.

Page 381

Configuring Rights Identity Profile membership information can be associated with a MAC address in one of two ways: • If each MAC address has its own

Page 382

Configuring Rights This means that the Rights Manager will use the search string found in the initial search (for example, the value returned from the

Page 383

Configuring Rights The Connection Profile is used in the Rights Assignment Table, in concert with the Identity Profile, to determine a client’s access

Page 384

Configuring Rights » To edit a Connection Profile, click the Connection Profile name in the first column of the table, or click the pencil icon at th

Page 385

Configuring Rights Figure 4-14. Creating a New Connection Profile, the Settings Tab To create or edit a Connection Profile, do the following: Step 1.

Page 386

Configuring Rights Table 4-9. New Connection Profile Settings Tab Contents (Continued) Column Description VLAN Identifier How an 802.1Q VLAN Identi

Page 387

Configuring Rights The Locations tab shows a list of the currently defined Locations. The columns in this list are as follows: Table 4-10. Locations

Page 388 - *5990-8809*

Configuring Rights • To select all Time Windows in the list, select the checkbox next to the Locations column heading. Clicking this checkbox a secon
