www.hp.com/go/hpprocurve HP ProCurve Secure Access 700wl Series Management and Configuration Guide.
© Copyright 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. This document contains proprietary information, which is protected by copyright.
CONTENTS Preface Chapter 1 Introduction 700wl Series Overview 700wl Series Functions Client Authentication Client Access Rights Wireless Data Privacy and VPN Protocols R.
Chapter 3 System Status Viewing Status Information Viewing Equipment Status Viewing Access Control Server Status Viewing Access Controller Status Viewing Access Control l.
Modifying the Outside World Filter to Restrict Access Setting Up HTTP Proxy Filters Chapter 5 Configuring Authentication Authentication in the 700wl Series System The Rights Ma.
SSL Certificate Configuring Network Interfaces Configuring the Port Speed and Duplex Settings Port Subnet IP Address and Subnet Netmask Configuring SNMP Setting the Da.
Appendix A Command Line Interface Accessing the Command Line Interface Connecting with a Serial Console Connecting Using SSH Using the CLI on an Integrated Access Manager.
Appendix D Appendix E Index of Commands Index Optional Elements C-5 Logon Page Template — A More Advanced Example C-7 Example 2 C-7 Changing the Logon Button Names C-10 Exampl.
PREFACE This preface describes the audience, use, and organization of the Management and Configuration Guide. It also outlines the document conventions, safety advisories, compliance information, related documentation, support information, and revision history.
The following notices and icons are used to alert you to important information.
Table 2. Notices
Icon: None. Notice Type: Note. Alerts you to: Helpful suggestions or information of special importance in certain situations.
Chapter 6 – Configuring the Network. This chapter describes how to configure the 700wl Series system components so that they work with your enterprise network. Chapter 7 – Setting up Wireless Data Privacy. This chapter describes how to enforce security using IPSec, L2TP, and PPTP.
Index of Commands The Index of Commands is an alphabetized list of the CLI commands with references to the pages where they are documented.
1 INTRODUCTION This chapter provides a brief introduction to the 700wl Series system™ and its primary features. The topics covered in this chapter include: 700wl Series Overview
Figure 1-1 illustrates a 700wl Series system topology that is configured with redundant Access Control Servers for failover.
Clients that are successfully authenticated, Employees in Figure 1-1, are typically associated with Access Policies that provide access to secure network resources.
• RADIUS servers
• Kerberos services
• XML-RPC-based services
• The Rights Manager's built-in database. This is the default authentication service. You can populate it with user names and passwords through the Rights Manager.
Because the 700wl Series system identifies clients by MAC address, it is simple to detect when a device roams. A Linger Timeout determines the length of time a client has to complete a roam, that is, to appear at a new physical location after disappearing from the old physical location.
Addressing in the 700wl Series System in Chapter 2, and Chapter 4, Configuring Rights, include more extensive discussions of addressing considerations and NAT.
2 USING THE 700WL SERIES SYSTEM This chapter provides a brief introduction to using the 700wl Series system and its Administrative Console. It also provides an overview and discussion of a number of common tasks you may need to accomplish.
• Primary and secondary DNS server addresses
• Shared secret, used to enable Access Controllers or a peer Access Control Server to establish a trusted communication relationship with the Access Control Server.
The 700wl Series system provides three levels of administrator access:
• A Network Administrator can configure the network parameters t.
• Enable or disable Wireless Data Privacy protocols, configuring the address method and range for VPN tunneling, and configuring IPSec paramet.
Note: It is strongly recommended that you change the built-in administrator logon name and password as soon as possible.
— Links within the page contents
— Related Topics menu displayed using the Related Topics button. Related Topics links: these are presented.
Using the Administrative Console When you first log on to the Administrative Console, your browser displays the Equipment Status tab of the Status pages (Figure 2-3). Figure 2-3. Initial Page of the Administrative Console.
Figure 2-4. Header and Navigation Bars for an Access Control Server. Information at the right side of the Header bar shows the username of the logged-in Administrator, the IP address of the Access Control Server, and the current date and time.
For details, refer to Chapter 4, Configuring Rights, and Chapter 5, Configuring Authentication. Network The Network pages enable configuration of the 700wl Series system components to work with your enterprise network.
Navigation bar tabs: Status, Rights, Network, VPN, Maintenance, Logs. First sub-item of each tab: Equipment Status, Rights Setup, System, Wireless Data, Software Setup, Log Files. Status C.
Left Panel The left panel contains explanatory or descriptive text about the page and its functions. It also contains controls for the features of the page, and navigation aids. The specific controls in the left panel depend on the function of the page.
Display Filters and Auto Refresh Settings Some data, such as the contents of the log, can be very lengthy. To control the display of such information you can use filters to selectively display subsets of the total information.
Tables In configure tables, each row in a table typically displays the key items that define the element represented by the table row.
Figure 2-10. Data Tables (callout: Sortable column)
• Sortable Column Headings In some tables you can sort the items in the table based on the table columns. Column headings that allow sorting appear as a link when the cursor is rolled over the column name, as shown in Figure 2-10.
Common Buttons The following table lists the common buttons used in the Administrative Console and gives their meaning. Table 2-1. Administrative Console Buttons. Button: Folder. Function: This represents a user-defined folder for system components.
Basic System Configuration Tasks When you have completed the installation of your 700wl Series system following the instructions in the 700wl Se.
System Features and Concepts The following sections provide an introduction to some of the key concepts and functions that are central to the 700wl Series system. Many of these concepts are discussed in more detail in the appropriate chapters later in this Guide.
Figure 2-12. Access Controller Redirect Page. Enterprise Class Redundancy The 700wl Series system supports Access Control Server redundancy and failover.
The communication between the two peer Access Control Servers is done via a proprietary message-based protocol over TCP/IP. Upon restart, an Access Controller attempts to communicate with the primary Access Control Server.
or has some other configuration information you would prefer not to lose. The act of making it a secondary Access Control Server in a.
If a client is logged onto the 700wl Series system using PPTP or IPSec encryption, overhead related to packet encryption can reduce the actual throughput experienced relative to the specified throughput.
You specify the addressing mode for a client through the Access Policy. The 700wl Series system default is NAT mode. Note: If PPTP or L2TP is enabled in the Access Policy, then the NAT setting only affects how the inner tunnel address is assigned.
Controller. If the client is using a real IP address, all sessions must be tunneled back through the original Access Controller.
• NAT provides some amount of protection to a client since no device other than the Access Controller can talk directly to the client.
How the 700wl Series system handles roamed sessions depends on the protocol used by the client to connect to the 700wl Series system, and whether the client's IP address has been mapped using NAT or not.
Figure 2-13. Connection Profile for Traffic Tagged with VLAN 10. You can then define an Access Policy that should apply to these clients and create a new row in the Rights table that associates the Access Policy with the VLAN-specific Connection Profile.
In this case, Authenticated clients with VLAN 20 tag will match the first row in the table, and will receive access rights based on the Access Policy created for members of that VLAN.
• Create a variation of the default "Unauthenticated" Access Policy that includes the same access rights (which basically only allow a client to request authentication) but set the NAT option to When Necessary and the addressing option to Require DHCP.
One way to work with this limitation is to place a switch between the Access Points and the Access Controller, with a separate connection between the switch and the Access Controller for each VLAN.
3 SYSTEM STATUS This chapter explains how to view the system status tables of the 700wl Series system. You can view the status of any and all system equipment (Access Controllers and Access Control Servers), clients (users, identified either by username and password or by MAC address), and sessions.
Figure 3-1. Getting to Status Information. There are four tabs in the status module:
• Equipment Status presents an overview of the status of the Access Control Servers and Access Controllers. From this page you can view a more detailed status for each Access Controller.
If a display has more entries than will fit on one page (based on the Rows per Page filter setting), page navigation controls are enabled to let you navigate between the results pages. In the Client Status and Session Status views, you can sort the display by the data in any column.
Viewing Access Control Server Status The Access Control Server status table, as shown in Figure 3-3, shows the following information: Table 3-1.
Figure 3-3. Access Control Server Tab for the Primary Access Control Server in a redundant configuration. Viewing Access Controller Status The Access Controller status table displays the following information about each Access Controller: Table 3-2.
Figure 3-4. Access Controller Detail Page. The Access Controller Detail page shows general status information for the Access Controller at the top of the page. Below this is a System Inventory tab that shows the status for each port on the Access Controller, grouped by slot.
Table 3-3. Access Controller Detail Page: System Inventory Display. Column: Status. Description: This column shows:
• The MAC address of the port
• The speed and duplex setting for the port, with the actual speed and duplex shown in parentheses.
» To display the client status, select the Access Controller and client type filtering parameters from the left panel and click Apply Filters. The display is updated to show the clients per your filter settings.
Filtering Client Status Information To make it easier to find the information you need from a client status page, you can filter the display to show only a subset of the entries.
Figure 3-6. Client Detail Page. The following information is displayed on this page: Table 3-6. Active Client detail information. Information: User. Description: The descriptive name of the user, if known.
Table 3-6. Active Client detail information. Information: Current Access Controller. Description: Information about the Access Controller through which the user is connected:
• Name of the Access Controller (by default the same as the IP address).
Figure 3-7. Client Detail page showing current rights in XML. The Client Detail User Rights display shows the row in the Rights Table that this client matched, including the Identity Profile, Connection Profile and Access Policy associated with the client.
The View Active Sessions page appears, as shown in Figure 3-8. Figure 3-8. Session Status Page. » To filter the session data, select the desired filters and click Apply Filters.
Table 3-7. View Active Sessions Information. Column: Client Source. Description: Client Source: The IP address and port of the client system, as placed in the packet header by the client.
Table 3-8. Session Status Filtering Parameters. Filter by: Access Controllers. Details: Lets you display only sessions for a selected Access Controller. You select the Access Controller from the drop-down list.
Figure 3-9. License Information Page.
4 CONFIGURING RIGHTS This chapter describes how network access rights are assigned to clients through the 700wl Series system, and explains how to configure access control policies. The topics covered in this chapter include: Access Rights in the 700wl Series System.
Time Window in which the connection exists, and optionally, a VLAN tag, to match the client to a Connection Profile.
The network administrator configures network access control policies by defining Identity Profiles, Connection Profiles and Access Policies, or by modifying existing profiles and policies.
• An Access Policy defines aspects of how a client interacts with the network. The Access Policy defines what traffic is allowed to be passed into the network, and what traffic will be redirected to alternate destinations.
the Client Status tab under the Status button, and click Refresh User Rights Now. You can also refresh rights for individual clients, if appropriate.
Connection Profiles once the Access Controllers have been installed and the appropriate Locations have been created. b. Create Time Windows that specify hours of the day, days of the week, and so on, to allow or restrict access during specified times.
Series system is matched to a row in the table based on its Identity Profile and Connection Profile, and receives access rights as specified by the Access Policy for that row. The 700wl Series system looks for a matching row starting at the top of the table, and stops at the first match.
the new identification information. The user will now match one of the Identity Profiles near the top of the table.
Note: It is important that rows with the "Access Points" Identity Profile appear in the table before rows that contain the "Any" Identity Profile.
Figure 4-3. The New Rights Assignment Page. Each field on this page contains a drop-down list from which you can select the components of a row in the Rights Assignment table, as defined in Table 4-1: Table 4-1.
Step 2. Specify where in the table the new row should be placed. Order is important in matching a client to a row. The default position is to place the row at the top of the table. Step 3. When you have made your selections, click Save to add this row to the table.
Figure 4-4. The Identity Profiles Page. The 700wl Series system provides three predefined Identity Profiles, and a Rights Administrator can create additional ones.
Creating or Editing an Identity Profile To create a new Identity Profile, click the New Identity Profile... button at the bottom of the Identity Profile list. The New Identity Profile page appears, as shown in Figure 4-5, with an empty Name field.
Figure 4-6. Creating a New Identity Profile, with User list displayed. From this page, with the Users or Network Equipment list displayed, you can also add a new user or equipment item, or edit a user or equipment item.
Limiting the number of logons per user does not prevent a user from logging on with that username and password—rather it prevents that user from matching this Identity Profile and thus getting rights based on matching this Identity Profile in the Rights Table.
Users in the Built-In Database Many organizations choose to authenticate their wireless users against a corporate database or authentication service.
Table 4-2. Users Page Field Definitions. Field: Identity Profile Assignment. Description: The Identity Profile to which the user has been assigned, if any.
Figure 4-8. Adding a New User. The fields on this page are as follows: Table 4-3. New User Fields. Field: Name. Description: A descriptive name that identifies the user in the 700wl Series system's Administrative Console.
Table 4-3. New User Fields. Field: Username/MAC Address. Description: The user's username (logon ID) or MAC address. A user may be identified by one or the other, not both. A username may have up to 50 characters.
Step 2. Select the Identity Profile to which this user should be assigned by clicking the appropriate checkbox in the Identity Profiles table. As a rule, you would assign a user to only one Identity Profile, since the search for a match always stops at the first match found.
correctly in the system; however, if you want to manage these devices from within the 700wl Series system, you may want to assign them a specific set of access rights.
From the Network Equipment page you can also go directly to the Identity Profiles page or to the Users page by clicking the link near the top of the left-hand column, just below the page name.
The fields on this page are as follows: Table 4-5. New Network Equipment Fields. Field: Name. Description: A descriptive name for the device. This name may be up to 32 characters in length. Any 7-bit characters are allowed.
To edit a Network Equipment entry in the built-in database, do the following: » Edit the fields to change the descriptive name or the MAC address.
an individual record for the MAC address. For example, suppose the record identified by cn=MACS contained the following values for uniqueMember: uniqueM.
Note: If you have an LDAP service configured for user binding, that service does not appear in this list. » To configure or change the settings for MAC address retrieval, click the configuration icon at the end of the row.
Figure 4-12. Configuring MAC Addresses Retrieval Parameters for an LDAP Service. The fields on this page are as follows: Table 4-6.
Identity Profile membership information can be associated with a MAC address in one of two ways:
• If each MAC address has its own record in the database, its group identity information may be kept as an attribute in the record.
This means that the Rights Manager will use the search string found in the initial search (for example, the value returned from the uniqueMember attribute in the MACS record) to search for the individual MAC address record.
The Connection Profile is used in the Rights Assignment Table, in concert with the Identity Profile, to determine a client's access rights.
» To edit a Connection Profile, click the Connection Profile name in the first column of the table, or click the pencil icon at the end of the row. This takes you directly to the Edit Connection Profile page (see "Creating or Editing a Connection Profile" on page 4-31).
Figure 4-14. Creating a New Connection Profile, the Settings Tab. To create or edit a Connection Profile, do the following: Step 1. Type a name for a new Connection Profile. You can change the name of an existing Connection Profile by typing a new name.
Table 4-9. New Connection Profile Settings Tab Contents (Continued). Column: VLAN Identifier. Description: How an 802.
The Locations tab shows a list of the currently defined Locations. The columns in this list are as follows: Table 4-10. Locations Tab Column Definitions. Column: Name. Description: The descriptive name for the Location.
• To select all Time Windows in the list, select the checkbox next to the Locations column heading. Clicking this checkbox a second time removes the checks from all Time Windows in the list.
• To remove a Time Window from the profile, click its checkbox to remove the check.
» To delete a Location, click the trash can icon at the end of the row. » To create a new Location, click the New Location... button at the bottom of the Locations list. This takes you to the New Location page (see "Creating or Editing a Location").
Time Windows A Time Window is a specification of a period of time, defined by specific dates or date ranges, days of the week, and hours of the day. Time Windows may be used to limit when a Connection Profile is available as a valid match for a client.
Creating or Editing a Time Window To create a new Time Window, click New Time Window... at the bottom of the Time Window list. The New Time Window page appears, as shown in Figure 4-18, with a blank name field and default time settings.
Table 4-14. New Time Window Settings. Setting: Valid Days. Description: Specify a Time Window by days of the week:
• The default is Any day
• To specify particular days, click the Selected days radio button, then check the individual days of the week you want to include.
Figure 4-21. The Access Policies Page. The 700wl Series system provides five predefined Access Policies, and a Rights Administrator can create additional ones.
Table 4-15. Access Policies Table Contents. Column: Allowed Traffic | Grid. Description: A list of the Allowed Traffic Filters selected for the Access Policy. Click Grid in the column heading to display all Access Policies and Allowed Traffic Filters in a grid format.
Figure 4-22. Access Policies and Allowed Traffic Filters in a Grid Format. Each row represents an Access Policy. The Allowed Traffic Filters are shown in columns. Filters that are enabled for the Access Policy are represented by checks in the appropriate column checkbox.
Figure 4-23. Access Policies and Redirected Traffic Filters in a Grid Format. Each row represents an Access Policy. The Redirected Traffic Filters are shown in columns. Filters that are enabled for the Access Policy are represented by checks in the appropriate column checkbox.
Figure 4-24. Creating a New Access Policy, the Settings Tab. To create or edit an Access Policy: Step 1. Type a name for the policy in the Name field. You can change the name of an existing Access Policy by typing a new name.
To add the modified Access Policy as a new Access Policy, leaving the original Access Policy unchanged, click Save As Copy. The Save As Copy button is available only on the Edit Access Policy page. After a Save As Copy the page remains displayed so you can make additional changes.
Table 4-16. New Access Policy Settings Tab Contents. Column: VLAN Identifier. Description: How a VLAN Identifier (tag) should be handled: • Select Remove.
Table 4-16. New Access Policy Settings Tab Contents. Column: Key Length (PPTP only). Description: For PPTP, the minimum MPPE (RC4) session key length: • Select 40 bits to allow a 40-bit or 128-bit key.
address is valid if it falls within that address range. If the address does not fall within the port's address range, NAT is used, even if the address is within the Access Controller's subnet.
The Allowed Traffic Tab Allowed Traffic filters are traffic filters that identify packets that are permitted to be forwarded by an Access Controller. If you are creating a new Access Policy, the Allowed Traffic filters are displayed in alphabetical order.
Figure 4-25. Creating an Access Policy, the Allowed Filters Tab. Note that if the filter you select is one of a DNS or WINS filter pair, you must also include th.
The Allowed Traffic list shows all existing Allowed Traffic filters. These are displayed in alphabetical order if you are creating a new Access Policy. If you are editing an Access Policy, the filters included in the policy are displayed at the top of the list.
Table 4-18. Predefined Allowed Traffic Filters. Allowed Traffic Filter: Internal rights UI. Description: Allows access to the Rights Manager pages via the Access Controller defined in @INTERNAL@ (by default 42.
Figure 4-26. Creating an Access Policy, the Redirected Traffic Tab. The Redirected Traffic list shows the following information about each filter: Table 4-19. Redirected Traffic List Definitions. Column: Name. Description: The name for the Redirected Traffic Filter.
Note: Redirected Traffic filters are evaluated in the order that they appear in the Redirected traffic list of each Access Policy. When a packet matches a Redirect filter, it is immediately redirected to the appropriate destination.
Table 4-20. Predefined Redirected Traffic Filters. Redirected Traffic Filter: No internal IAM UI. Description: Redirects Integrated Access Manager UI access requests via 42.0.0.1. Redirected Traffic Filter: No internal rights UI. Description: Redirects Rights Manager UI access requests via 42.
To configure automatic HTTP Proxy filtering for this Access Policy, select the HTTP Proxy tab, as shown in Figure 4-27, and select or enter data into the fields as described in Table 4-21. Figure 4-27.
Table 4-21. HTTP Proxy Tab Field Definitions. Field/Column and Description:
• Allow FQDN: Accept HTTP traffic destined for the specified fully-qualified domain name (e.g. www.domain.com)
• Allow Host: Accept HTTP traffic destined for the specified host name (e.
The Bandwidth Tab 700wl Series system version 4.0 provides the ability to limit the bandwidth available to each client to prevent network performance degradation. Using Access Policies, bandwidth can be limited on a client-by-client basis.
Bandwidth Rate Limiting in the 700wl Series system 700wl Series system version 4.0 provides bandwidth rate limiting (or "policing") on a per-client basis.
The Linger Timeout The Linger timeout enables the 700wl Series system to force a logoff for clients that have disconnected from the network without logging off.
Figure 4-29. Creating an Access Policy, the Timeout Tab. The fields under the Timeout tab are as follows: Table 4-23.
Table 4-23. Timeout Tab Field Definitions. Field: Never force users to reauthenticate. Description: Allows client sessions to remain connected indefinitely without requiring reauthentication.
Figure 4-30. The Allowed Traffic Filters List. The Allowed Traffic list shows the Allowed Traffic filters in alphabetical order, and includes the following information about each filter: Table 4-24.
» To delete a filter, click the trash can icon at the end of the row. » To create a new filter, click the New Filter... button at the bottom of the filter list. This takes you to the New Filter: Allowed Traffic page (see "Creating or Editing an Allowed Traffic Filter").
To create or edit an Allowed Traffic filter, do the following: Step 1. Type a name for this filter. You can change the name of an existing Allowed Traffic filter by typing a new name. Step 2. Type a description for the filter, or modify the existing description.
Redirected Traffic Filters Redirected Traffic filters are traffic filters that identify packets sent from a client that should be redirected to a new destination.
The Redirected Traffic list shows the Redirected Traffic filters in alphabetical order, and includes the following information about each filter: Table 4-25. Allowed Traffic List Definitions. Column: Name. Description: The name for the Redirected Traffic Filter.
Con f iguring Righ ts Figur e 4-33 . Creat ing a N ew Re dir ec t ed T r affic Filte r Y o u can create the f i lter specifica t ion in on e of two wa ys: • S peci fy the traf fic proto c ol, a nd the de stinati on IP a ddr es s an d port, o r • D efin e th e f ilter as a regu la r express i on i n tcpdump synta x.
Con f iguring Righ ts b. If the protocol re qui r es a de stinat ion port, type it in to th e Port f iel d. If the pr otoc ol d oes not support port spe c ification s , N/A appears in the po rt fi eld. Y o u can enter a sin g le port, o r us e an a s ter is k ( *) to specify all po rts.
Con f iguring Righ ts Click Canc el to re turn to th e pr evio us page witho u t maki ng a ny fu rther cha nge s. Built-in and User -defined Addres s V a ria b les Fo r us e in both All owed and Redir.
Con f iguring Righ ts T ab l e 4 - 26. Predefine d Addr ess V ariab les Addr ess V ariab le V a lue / Desc ription @INTERNAL @. The addre ss of the Acc ess C ontrol Serve r Adm inis t rative C onsole.
Con f iguring Righ ts T ab l e 4 - 27. Edi t A ddress fields Fie ld De fini ti on Na me The name of t he var i able. May b e up to 32 upperc ase al phabe tic c hara c ters (no numera ls or oth e r chara c ters). You may in clude t he —@“ at th e beginn ing and e nd, bu t do n o t need to – the syst em w ill add th em if neces sary.
Con f iguring Righ ts Figur e 4-36 . WINS Filte r s List The Filter list sho ws the DN S or WINS f ilter pairs in alph ab etica l or d er , an d includ es th e fo llowin g inf o rma t ion a b out ea ch pair: T ab l e 4 - 28. DNS or W I NS Filter Pair list definition s Column D escrip t io n Name The nam e of the filte r pair.
Con f iguring Righ ts The E di t Filter pages a r e al most identical to the New Fi lter pages, except tha t th e na me, d esc ription, a nd se rver defin i ti ons ar e d isp layed for th e fil t er yo u h ave se lected, and a Sa ve A s C opy button is provided .
Con f iguring Righ ts the list, using the multi-selec t m e cha n ism supporte d by your browser (typically Ctrl- c lick an d S h ift-click) . The 700wl S e rie s syste m selects a d e stina ti o n serve r at ran do m f r om the serv er s you h a ve selected , a t th e tim e rights are ass i gned to th e client.
Con f iguring Righ ts Figure 4-38 . H TTP Proxy Filte r s Li st The HTT P Pr ox y list show s th e H TTP Proxy f ilt er s in a l phabet ical or der , an d inclu d es the f oll ow ing inf o rma t ion a b out each f ilt er: T a bl e 4- 29. HT TP Prox y F ilt er Li st Defi ni tions Column D escrip t io n Name The nam e for the H T TP Prox y Fil t er.
Con f iguring Righ ts The E di t Filt er : HTTP Pr oxy T r af fic page is a l most identica l to the New Filter pa ge, except that th e name, des c ripti on, an d t h e fi lt er an d des tinatio n definition s ar e di splayed fo r the fi lt er you ha ve s ele cted, and a Save A s C opy button is provided .
Con f iguring Righ ts T ab l e 4 - 30. HTTP Proxy Filte r T y pe s Filter Rule T y pe Desc rip t io n • Al lo w Re g Accepts HTTP traff ic to a desti na t ion s pecified as a regular e xpr es sio n t hat eval uates to an addres s or ad dres s rang e Fo r e x am ple — (.
Con f iguring Righ ts Examp l e–Modify ing t h e —Guest Access“ Access Policy The f oll owing sections provi de exa m ples of ho w to mo dify a cce ss righ ts by edit ing the sett ing s fo r an Acce ss Policy .
Con f iguring Righ ts Ste p 2. In th e Access P o licy co lumn of th e ta bl e, click G u est A ccess to di splay the Edit Access P o licy page for the G u est Access Access Po li cy. Ste p 3. Click the Allowed T ra f fic tab to d isplay the Allowed T raff i c filters curr ently s elected for this A cce ss Policy , as show n in Figur e 4-41.
Con f iguring Righ ts Figur e 4-41 . The A llowed Tr a ffic f ilter s for the Gu es t Access A ccess Polic y Ste p 4. Fin d the r o w f or the Out s ide W o rld f ilter , as shown in Figur e 4- 41, an d click t h e checkbo x to select the f i lter . Ste p 5.
Con f iguring Righ ts Modifying the Outsi de Wor l d F i lter to R e strict Access If th e Outside W o rld A llowed T raffi c filt er is no t suf f ici e ntly re strictive f o r your network envir o nment, you can mo dify it ( o r cr ea te a new filt er) to re stri ct access to m u lti p le subn et s or IP ad dres ses.
Con f iguring Righ ts Se e Appen di x B , “ Fil ter E x press i on S y ntax” fo r deta il s of the tcpdump s y nt ax. Note: T cp dump s ynt ax is case sen sitiv e.
Con f iguring Righ ts Figur e 4-43 . C onfiguring Proxy Fil t ers to limit ac cess fo r the Gu est A c cess A c cess Policy Ste p 3. T o crea te the f ilt ers you need, click New F ilter ... . S ee “HTTP Pr oxy F ilters ” on pa ge 4-7 5 for deta ils on crea ting HT TP pr oxy f ilte r s.
5 CONFIGURING AUTHENTICATION This chapter describes how clients are authenticated through the 700wl Series system, and explains how to configure authentication policies. The topics covered in this chapter include: Authentication in the 700wl Series System.
Configuring Authentication specification, determine a Connection Profile for the client. The client’s identity (who the client is) is determined through the authentication process. This is used to determine an Identity Profile for the client.
client, the username and password are sent to the next service, and so on. If all services in the list fail to authenticate the user, then the user will continue to have only unauthenticated logon rights.
The Rights Manager The configuration of network Authentication Policies is done through the Rights module, accessed by clicking the Rights icon on the Navigation bar.
Figure 5-1. The Authentication Policies Page The Authentication Policies table shows the currently defined Authentication Policies. This table shows the following information about each Authentication Policy: Table 5-1.
Creating or Editing an Authentication Policy To create a new Authentication Policy, click the New Authentication Policy.
• To edit an Authentication Service, click the name of the service you want to edit, or click the pencil icon at the end of the row. This takes you directly to the Edit Authentication Services page for the filter you selected.
Figure 5-3. The Authentication Services Page The Authentication Services table shows the currently defined Authentication Services. This table shows the following information about each Authentication Service: Table 5-2.
appears (see Figure 5-4). The page initially displays the configuration options for an LDAP Authentication Service.
Figure 5-4 shows the configuration page for configuring an LDAP service with non-user binding. For many of the options on the LDAP service page, th.
The information required to configure an LDAP service for authentication is defined in the following tables.
If you select Non-user bind, the remaining fields on the page are as follows: Table 5-4. LDAP Authentication Configuration Options, No.
» For detailed instructions for setting up an Active Directory server, see “Using the Active Directory LDAP Service” on page 5-13. » For detailed instructions for setting up a Netscape or iPlanet server, see “Using a Netscape or iPlanet Directory Service” on page 5-14.
To use User binding for authentication where the user logon ID is used as the DN, do the following: a. Select User bind from the drop-down field. b. Enter the following into the User bind string field: <domain name>%s For example, for domain XYZCorp.
Step 3. Specify some additional options for this LDAP server: a. The timeout value specifies the length of time the 700wl Series system waits for a response to an authentication request before it abandons the request.
Then, do the following: Step 1. Because you are sending a password in the clear, make sure that you are using SSL.
Along with the authentication results, you can obtain the user’s group affiliation from the authentication process. The returned group information will be used to match the user to an Identity Profile in the Rights Assignment table.
Figure 5-6. Creating a New Authentication Service - Kerberos Step 5. Enter the information required to configure a Kerberos service for use with authentication as defined in Table 5-7: Table 5-7.
Configuring a RADIUS Authentication Service Note: The 700wl Series system Access Control Server must be configured as a RADIUS client on your RADIUS server. To configure the 700wl Series system to use a RADIUS database for user authentication: Step 1.
The information required to configure the RADIUS service for authentication is defined in Table 5-8 as follows: Table 5-8. RADIUS Authentication Service Configuration Field/Option Description Name Your name for this authentication method.
» To use a RADIUS service for accounting, you must configure a RADIUS server as an Authentication Service, and check the Supports RADIUS Accounting (RFC-2866) on port checkbox and enter the appropriate port number to which the 700wl Series system should send the accounting data.
Field Data Acct-Session-ID The unique ID for this client session Acct-Session-Time The seconds this client was logged on this Access Controller.
• The Rights Manager uses the group information and the start and stop times from the user profile to temporarily map the user to a matching Identity Profile, during the time frame defined by the stop and start times in the profile.
The information required to configure an XML-RPC authentication service is defined in Table 5-9 as follows: Table 5-9. XML-RPC Authentication Service Configuration Field/Option Description Name Your name for this authentication method.
These parameters are shown in Table 5-10: Table 5-10. Parameters for Authenticate Call Parameter Type Description userid string User logon fr.
Table 5-11. Name/value Pairs Returned by Authenticate Response Name Type Value and Description validTimes string An array of strings that define the times when a user is given the rights associated with the group.
<value><string>Monday:Wednesday:Friday</string></value> </member> <member><name>startDate</name> <value><stri.
enabled in any other Access Policies that may be in force when a client is required to reauthenticate. The Allowed Traffic Filter for LDAP must be created and then enabled in the appropriate Access Policies.
• First, you must configure an LDAP Authentication Service to be used to retrieve the group identity information. You must specify Non-User binding: either rootdn/rootpw binding or anonymous binding (if the service allows anonymous bind).
Logon Page Customization The 700wl Series system Rights Manager provides default Logon, Logoff, Stop, and Guest Registration pages that are displayed when users are to be authenticated using Web-based logon.
Through the Rights Manager, you can customize the appearance of the Logon, Logoff and Stop pages in the following ways: • You can create customized versions of the standard Logon, Logoff and Stop pages by including your own text and logos.
Customizing a Logon Page To create a new logon customization page, do the following: Step 1. From anywhere within the Rights Manager, click the Logon Customization tab. Step 2. Click New Logon Customization… The New Logon Customization page appears, as shown in Figure 5-12.
Figure 5-12. New Logon Customization Page Customizing the Logo In the Logos section of the New/Edit Logon Customization page you can customize the logo (image) that appears on the logon and logoff web pages.
of a small screen. You can change this logo to be a small version of your own logo for use with small browsers. To change either logo, do the following: Step 1. Go to the Logos section of the New/Edit Logon Customization page and select the logo you wish to change.
Step 2. Place a check mark in the Allow users to specify authentication policies checkbox if you want users to choose a specific Authentication Policy from a group of Authentication Policies.
If you select the Guest Registration option, the Guest Registration page appears as shown in Figure 5-14. Figure 5-14. Guest Registration page If you choose to require guests to register before logging on, the following process will occur when they log on to the system.
network. However, if the user goes to the logon page again while he/she is still logged on, the logon page indicates that the user is already logged on and provides a logoff button.
Step 2. In the textbox labeled Stop Page Text enter the text you want to display on the Stop page. This can include HTML formatting commands. Step 3. Click Save. To clear the stop page text after it has been set, click Reset to Defaults at the bottom of the page.
Customized Page Templates If you want to create pages that are customized beyond the options provided on the Customize Web Pages by Connection Profile page, you can create your own templates for the Logon, Logoff, Stop, and Guest Registration pages.
Figure 5-17. Logon Customization: Custom Templates Step 4. In the appropriate field (Logon Page, Logoff Window, Stop Page, or Guest Registration Page), type the path and name of a.
The page will redisplay showing the loaded image, see Figure 5-18. Note: The template images area shows ALL images available for use in custom templates, not just those you have loaded for a specific custom template.
Step 7. To indicate that an image is to be used with the customized logon page you are creating, check the box to the left of the image. This notifies the system that this image should be downloaded to the Access Controller with the custom template code.
Note: The User Rights Simulator does NOT show you the actual rights of a user who is currently logged on, but shows you the rights a user would have as if they were logged on at a particular time and location.
Table 5-12. User Rights Simulator Fields Field Description Access Controller and Port The Access Controller, slot and port to be used to simulate the user’s physical connection location.
Figure 5-20. Rights for User “ann” if Logged on at the Specified Time and Location The top portion of the Rights results shows the Identity Profi.
• If the Identity Profile is not what you expected: - For users in the built-in database, the user may have been assigned to a different profile than you expected.
Figure 5-21. The XML Representation of User Rights Tracing Authentication Service Transactions The Transaction Tracer lets you verify authentication transactions to one of the active authentication services: LDAP, RADIUS, Kerberos or XML-RPC.
service is working correctly, the service should return a successful result, including the information associated with that user, if appropriate. If the authentication service is not set up correctly, you will receive an error and incomplete results.
Figure 5-23. Results of a traced transaction The Result Parameters contain any parameters returned with the authentication, if appropriate.
» To Import or Export Rights, click the Tools and Options tab visible at the top of any Rights module page, then click the Import/Export Rights link in the left-hand column of the page. This displays the Import/Export Rights page, as shown in Figure 5-24.
Figure 5-25. Rights Export in Progress page While the export is in progress, this page is refreshed every 15 seconds. • To stop the page refresh, click Stop Auto Refresh. • To cancel the import click Cancel.
Figure 5-26. The Import/Export Rights page after a successful rights export Step 3. Under the Last Rights Export heading, click Save Export As... to save the rights export image as a file. This will start the file download process appropriate to your local system.
• To stop the page refresh, click Stop Auto Refresh. • To cancel the import click Cancel. Step 3. When the import has completed, another informational page appears, telling you the process is complete.
5-54 HP ProCurve Secure Access 700wl Series Management and Configuration Guide.
6 CONFIGURING THE NETWORK This chapter describes how to configure the 700wl Series system components so that they work with your enterprise network. The topics covered in this chapter include: 700wl Series System Components
Configuring the Network 700wl Series System Components When you first click on the Network icon the System Components page appears, as shown in Figure 6-1.
From this list you can click a component name or click the pencil icon at the right of the row to edit the component’s name and the folder to which it is assigned. For Access Control Servers, you can also edit settings related to its use in a failover configuration.
DHCP (the default) will boot up and run properly without a shared secret configured, but Access Controllers will not be able to communicate with it.
Note: The IP address can be changed under the Network Setup tab, along with other network configuration settings.
Table 6-2. Edit Access Control Server page field definitions Field/Option Description Redundancy Preferred Primary Access Control Server If check.
Deleting a Peer Access Control Server You must disable redundancy by editing the Primary Access Control Server configuration before you can delete the Secondary Access Control Server (uncheck the Enable Redundancy checkbox and Save).
Editing the Integrated Access Manager Configuration The Integrated Access Manager is typically configured with its network configuration parameters an.
The Edit Integrated Access Manager page appears as shown in Figure 6-4. Figure 6-4. Edit Integrated Access Manager page The fields on the Edit Integrated Access Manager page show the current setting for the Integrated Access Manager.
Table 6-3. Edit Integrated Access Manager page field definitions Field/Option Description NAS-ID/Description A description for this unit.
With the exception of the Access Control Server IP address and shared secret, Access Controllers are configured centrally from the Administrative Interface of the Access Control Server or Integrated Access Manager.
Table 6-4. Edit Access Controller page fields Field/Checkbox Description Name An alphanumeric name for the Access Controller. By default the name is the IP address of the unit. IP Address The IP address of this Access Controller (read-only).
You can modify an Access Controller’s name, administrator username and password, folder, SSH access permissions, and the Access Control Server IP address and shared secret. The IP address and MAC address are displayed read-only and cannot be modified on this page.
Figure 6-6. New Folder Page » To change the name of a folder, click the folder name in the System Components List, or click the pencil icon ( ) to the far right of the folder. Enter the name in the Folder Name field and click Save.
Configuring Failover with Redundant Access Control Servers Please read the section “Enterprise Class Redundancy” on page 2-18 in Chapter 2, “Configuring the Network” Note: Integrated Access Managers cannot be used as a peer in a redundant configuration.
Step 4. When you are ready to initiate the peer relationship and start the data synchronization process, check the Enable Redundancy checkbox on the Primary Access Control Server (and Save).
• Under Network, only the System Components, Network Setup, Interfaces, and Date & Time tabs are available.
» To access the Network Setup pages, click the Network icon in the Navigation Toolbar, then select the Network Setup tab.
Network Communication: the Basic Setup Tab To configure the basic network communication settings for a 700wl Series system component, do the following: Step 1. Under the Network icon, click the Network Setup tab to display the Basic Setup tab, as shown in Figure 6-8.
Edit the contents of the fields on this page as appropriate. The fields and their settings are defined in Table 6-5. Table 6-5. Basic Setup tab fields Field Description Configure A drop-down list you use to specify how this component gets its IP address.
Table 6-5. Basic Setup tab fields Field Description Secondary DNS The IP address of the secondary DNS server Primary WINS The IP address of the primary WINS server Secondary WINS The IP address of the secondary WINS server Step 3.
Figure 6-9. Network Setup: Advanced Setup page for an Integrated Access Manager
Access Control Server Configuration Advanced Options The following settings appear on this page if you are configuring an Access Control Server or an Integrated Access Manager. They do not appear if you are configuring an Access Controller.
Access Controller Advanced Configuration Options The following settings appear on this page if you are configuring an Access Controller or an Integrated Access Manager. They do not appear if you are configuring an Access Control Server.
The following are the specifications in tcpdump syntax for the predefined bridging options: Table 6-7. Tcpdump syntax for pre-defined bridging op.
the client’s rights. Depending on the Wireless Data Privacy mechanism and the type of addressing in force, the client’s existing sessions may be tunneled from the original Access Controller to the new Access Controller.
You can specify an external proxy server, or the 700wl Series system can act as the proxy server and handle the traffic according to the configured ports and filters defined for each Access Policy.
available, the HTTP Proxy Server on the Access Controller will cycle to the next available IP address. Step 4. In the Proxy Server Port field, type the TCP port number used for the proxy server. Step 5.
Figure 6-11. Network Settings: SSL Tab (Integrated Access Manager or Access Control Server only) The information at the top of the page shows information about the current certificate. Initially this will be the certificate generated and signed by HP ProCurve.
Requesting an SSL Certificate To generate an SSL Certificate Signing Request (CSR): Step 1. From the SSL tab, click Generate CSR.... The Generate SSL Certificate Signing Request page appears, as shown in Figure 6-12, in a separate browser window.
Figure 6-13. The Certificate Signing Request You can use this certificate signing request either to request a certificate from a CA, or to create your own self-signed certificate using an SSL toolkit, such as OpenSSL.
Loading the SSL Certificate When you receive your certificate from the CA, you can either copy the certificate information and paste it into the field provided, or you can place the certificate in a file and upload the file.
Save and Restore Private Key The CSR you generate is based on a private key. If the private key is lost or regenerated, any CSRs based on the original private key become invalid. After generating the CSR, you should save the private key on your local system.
Caution: Restoring a saved private key will invalidate an SSL certificate based on the current (different) private key.
Figure 6-16. Example of a Port Connection Type selection list To configure a port for a specific connection type, do the following: Step 1. On the Interfaces setup page select the Access Controller to configure.
Note: If you want to set a port to half-duplex, but half-duplex is not offered as an option in the drop-down list, you will need to select a setting that does not specify an option, and allow the port to negotiate for half-duplex.
uplink port so that the default uplink (slot 0 port 2 on a 700wl Series system) is now a downlink port, then that port will appear on this page. The port being used as the uplink port will not appear.
configured to support routing the addresses you have configured for your ports through the Access Controller uplink port. For example, if the Access Controller’s IP address is 192.168.2.20 with subnet mask 255.
Figure 6-19. SNMP Page Step 2. Select the system component for which you want to enable SNMP from the System Components List. Step 3. SNMP is disabled by default. Select Enabled from the SNMP drop-down menu to enable SNMP.
Note: Include a trap IP address only if you have an SNMP trap receiver listening for this information. HP proprietary SNMP trap events include fan failure, fan operational, and out-of-range temperatures.
Figure 6-20. Date & Time Page Step 2. Using the System Components List on the left select the component for which you wish to set the date and time. You can select an Access Control Server, a single Access Controller, or a folder.
The format for the date is MM/DD/YYYY. For example, June 4, 2003 would be entered as 06/04/2003. The format for the time is HH:MM, using a 24 hour clock. For example, 6:23 PM would be entered as 18:23.
Figure 6-21. Admin Setup page Step 2. Click New Admin... The New Admin page appears (see Figure 6-20). Figure 6-22. Admin Setup page Step 3. Fill in the fields as required (see Table 6-8) and select the administrator type from the drop-down menu.
Table 6-8. New/Edit Admin Fields Field Description Name A descriptive name that identifies the Administrator. It can be the administrator’s full name or any other meaningful name. This name may have up to 32 characters.
• To edit an administrator account, click the administrator’s Name or Username, which are links to the Edit Admin page, or click the Pencil icon at the right of the row. The Super Administrator can change any of the settings for an administrator.
6-46 HP ProCurve Secure Access 700wl Series Management and Configuration Guide.
7 SETTING UP WIRELESS DATA PRIVACY
This chapter explains how to configure the global settings for the security protocols. The topics covered in this chapter are: Overview of Wireless Data Privacy.
The encryption policy that defines how encryption applies to a specific client is determined through the Access Policy that defines rights for that client.
Figure 7-1. The Wireless Data Privacy tab. Global Wireless Data Privacy Configuration: Select the Wireless Data Privacy protocols you want to enable for the 700wl Series system. By default, all protocols are disabled.
The fields and settings under the Configuration for IPSec heading of the Wireless Data Privacy tab are as follows: Table 7-1.
Table 7-1. IPSec configuration settings. Field / Description. ESP Encryption: Select the appropriate algorithms for ESP encryption, or specify None.
Figure 7-2. The IPSec Certificate Configuration tab. By default the Current Certificate area of the page shows "No certificate configured." This area will show information about the certificate if one is installed.
Step 3. Fill in the information in this form: a. Type the name in which the certificate should be granted. This can be an individual name or a title such as "Wireless Admin." b. Type the email address for the certificate contact.
Step 6. Copy and paste the generated PKCS #10 certificate request, including the lines ----BEGIN CERTIFICATE REQUEST---- and ----END CERTIFICATE REQUEST----, into the appropriate field in the request form.
You may need to enter the request ID or confirmation information you received when you submitted your certificate request. When your certificate is displayed, find the portions that you can copy and paste into the HP system.
Figure 7-7. The Load Certificates page. Step 12. Copy and paste the two certificates from your CA's web site into the two fields provided, and click Save. Be sure to include the ---BEGIN CERTIFICATE--- and ---END CERTIFICATE--- lines.
Figure 7-8. The Certificates tab showing an installed certificate. Step 13. Immediately create and save a backup of your system. This saves both the private key and the saved certificates.
The default is to have addresses assigned by a DHCP server. » To configure the IP Address assignment method for the tunneling protocols, click the VPN icon in the Navigation bar at the top of the Administrative Console, then click the IP Address Assignment tab.
• The first DHCP request is taken to be a request for an outer tunnel address, and NAT is ALWAYS used, even if the Access Policy specifies Never for the Network Address Translation setting.
8 SYSTEM MAINTENANCE
This chapter explains how to perform common administrative tasks including creating, storing, and restoring a backup file, updating system software, and shutting down a 700wl Series system component.
Figure 8-1. Software Setup page. Step 2. From the System Components list in the left panel, select the component (Access Control Server or Access Controller) for which you want to restart or update the software image.
Access Controller and using the Wireless Data Privacy protocols will temporarily lose their connections, and any remote CLI sessions over SSH will be terminated. It is recommended that you update your flash-based Access Controllers during times when system usage is low.
Figure 8-2. The Update Software page. From the Remote Update page you can initiate a software update from a remote FTP, TFTP, or HTTP server, or just check to see if any updates are available.
Remote Update. The information that is required to update the software image from a remote site is described in Table 8-2. Table 8-2.
If you want to check for upgrades on an alternate download site, you must enter the appropriate URL. Step 2. Click Check for Upgrades.
Select Continue to proceed with the upgrade, or Cancel to return to the previous page without proceeding. Note: If your currently installed software is signi.
If you enable Auto Refresh, the status page refreshes approximately every 15 seconds, displaying updated status information. After the download and unpack operations are complete, a completion message appears: New image successfully installed.
Variable / Value. update_file: Filename (including the path) of the software image. Please contact HP ProCurve Technical Support for information on the current downloadable image. For TFTP or anonymous FTP, the path is relative to the anonymous FTP or TFTP root.
Step 2. In the 700wl Series system Administrative Console, under Maintenance/Software Update, select the Local Update tab to display the Local Update page, as shown in Figure 8-5.
Figure 8-5. The Local Update Tab of the Update Software Function. Step 3. In the Uploaded Software Versions table, select the row where you want the new uploaded version to be placed.
Step 6. In the .vdist File field, type the full path and name of the distribution file you downloaded, or click Browse to locate the proper directory and file name. Note: You can save the vdist files under different names, if you want.
Caution: Restarting an Access Control Server or Integrated Access Manager will log off all clients on all Access Controllers. If possible, you should restart your system during a time when few clients are actively connected to the system.
Note: You cannot restore from the internal backup image. You can only restore from an external file. Therefore, you must save the backup image to a file. » To back up a system configuration, click the Backup & Restore tab under the Maintenance button.
Figure 8-8. Backup Confirmation. Click Continue to proceed, or Cancel to return to the Backup & Restore page without creating the backup image. While the backup is in progress, an information page, as shown in Figure 8-9, is displayed.
Figure 8-10. Backup & Restore page after a successful backup. » To save the backup to a file, click Save Backup As.
Figure 8-11. Restore In Progress Confirmation. Step 3. To proceed with the restore, click Continue. As part of the restore operation, the system is restarted. You will be required to log in again as administrator.
Warning: DO NOT restore a backup to a duplicate Access Control Server that is connected to the same network as the original Access Control Server.
Figure 8-12. The Shutdown/Restart tab. Restarting a System Component. Restarting a component will briefly shut down the unit, then restart it using the Installed Version software image. This action does not power off the unit.
Figure 8-13. Restart Confirmation. Step 3. To proceed with the restart, click Continue. To cancel the restart, click Cancel. Shutting Down a System Component. Shutting down a system component shuts down and powers off the selected unit.
Step 3. To proceed with the shutdown, click Continue. To cancel the shutdown, click Cancel. Resetting to Factory Default Settings. Resetting a system.
restore your configuration, you must restore from a backup image that was created and saved to an external file before the reset.
9 LOGS
This chapter presents tasks you can perform with these types of logging. Viewing 700wl Series System Logs 9-1. Configuring Session Logging.
Figure 9-1. Log file display. The Log File display table shows the log entries that exist at the moment you request the display. By default, the list is not refreshed unless you request a new display by clicking the Apply Filters button.
The log file display itself shows the following information: Table 9-2. Log file display. Column / Description. (empty): This column is used to call attention to log entries with severity levels of Critical or Major.
— Categories: All Categories (default), Error, Info, Debug, Function Trace, Object Trace, Session Log. This is a multiple selection box—by using Ctrl-click or Shift-click you can select multiple categories to include in a single filter.
Figure 9-2. Setting Up Session Logging. Step 2. Type the information and select options as defined in Table 9-3. Table 9-3. Logging Setup Fields. Field/Option / Description. Session Logging: Enabled: Settings for session logging to a remote syslog server.
Note: Accurate time and date reporting is necessary for accurate and useful logs. To set the time and date, use the Date & Time tab in the Network area.
Table 9-4. Session Log information. Data Item / Definition. Actual Destination: The actual destination IP address and port, if redirected or tunnelled through another Access Controller.
A COMMAND LINE INTERFACE
This appendix documents the commands that are available on the serial console as part of the Command Line Interface (CLI). The CLI enables initial configuration and subsequent troubleshooting of the 700wl Series system.
Accessing the Command Line Interface. There are two ways to access the Command Line Interface — either by directly connecting a serial console to t.
Command Syntax. You may see a variety of symbols shown as part of the command syntax. These symbols explain how to enter the command, and you do not type them as part of the command itself. Table A-1 summarizes command syntax symbols.
This produces the following output:
"add" commands:
add bridging ... Add bridging options
add snmpmanager ... Add an SNMP authorized manager
add snmptrapreceiver ... Add an SNMP trap receiver
To see details about one of these commands, you can again use a question mark.
set superadmin pass | enable | disable <login>. Set the password for a superadmin. Enable or disable a superadmin login. pass: Change the password for the specified login name. The superadmin can change any password.
show policyadmin [<login>]. Show a specific policyadmin by specifying a login, or list all policyadmins by not specifying a login. set remote on | off. Enables or disables remote technical support access.
00:e0:18:7d:b5:3d 10.205.2.25 4 hrs, 50 mins
show id. Displays this system's ID, which is the MAC address of Slot 0 port 1. On a 700wl Series unit, the default uplink port is slot 0 port 2. (Slot 0 port 1 is the Reserved port.
show deviceport <device>. Shows the port or slot and port for a device.
Network Configuration Commands. set hostname <hostname>. Note: This command is supported on the Access Control Server or Integrated Access Manager only. Sets the system's hostname. The system hostname is also used as the SNMP system name.
show ip. Shows the current IP configuration. Output from this command looks similar to the following:
Hostname:
Domain Name: xyzcorp.com
IP address: 192.168.10.157/24
DHCP enabled: No
Default gateway: 192.
set dns <primary-ip-address> [<secondary-ip-address>]. Note: This command is supported on the Access Control Server or Integrated Access Manager only.
Sets the IP addresses of the WINS servers. <primary-ip-address>: The IP address of the primary WINS server for the system. <secondary-ip-address>: The IP address of the secondary WINS server for the system (optional).
set portmedia {<port> | <slot>/<port>} "<media> [<media-option>]". Sets the port media setting for the specified port or slot and port. <port> | <slot>/<port>: The port, or slot and port, on which to set the media type and option.
show portip. Displays the current IP address and netmask settings, if set, for all ports in the system. Output from this command is similar to the following:
Port settings
Slot 1 Port 1 IP: Not set
Slot 1 Port 2 IP: 192.
Note: This command is not available on an Integrated Access Manager. Advanced Network Configuration Status. show bridging. Shows the current bridging settings.
show ac [mac <mac-address>]. Shows Access Controller settings for one or all Access Controllers connected to the Access Control Server or Integrated Access Manager. The default is to show all settings for all Access Controllers.
show redundancy. Shows the current redundancy (failover) settings. For example:
show redundancy
Redundancy configured state
Redundancy is disabled. No peer is specified. Peering priority is 0. Retry timeout to disabled peers is 60 seconds.
Advanced Network Configuration. set natdhcp <ip-address> <subnetmask> [<lease-time> [<time-units>]]. Sets the NAT DHCP subnet and lease time. <ip-address>: The DHCP subnet address for NAT.
remote datetime <ip-address> <date> <time>. Sets the date and time on the system at <ip-address>. <date>: The current date in yyyy/mm/dd format. <time>: The current time in h24:mm format.
remote reboot <ip-address>. Reboot the system at <ip-address>. remote rebootalt <ip>. Reboot the system at <ip-address> to the alternate software version.
remote upgradereboot <ip-address> <url> <key>. Upgrades the system at the specified IP address and reboots the system. <url>: The URL-encoded location of the software release to install.
set pptp on | off. Enables or disables PPTP. set l2tp on | off. Enables or disables L2TP. set ipsecsecret [<secret> <secret>]. Sets the IPSec shared secret. Prompts for the secret if not entered on the command line.
show vpn. Note: Even though you can only configure Wireless Data Privacy settings from the Access Control Server or Integrated Access Manager, you can use the show vpn command from an Access Controller to view these settings.
show clients [mac <mac-address>] [sort {mac | ip | user | machine | port | sessions | idle}] [reverse]. Lists all active clients. You can optionally sort the list by a number of criteria.
<stance>Deny</stance>
</ipsec>
<pptp>
<stance>Deny</stance>
<mppe_stance>Accept</mppe_.
If you respond Y to continue with the backup, the following reminder appears: NOTE: After creating the backup image, you must transfer it from this Integrated Access Manager onto your local computer. store backup <url> [<filename>]. Stores the backup on another system using FTP.
show backup. Displays information about the list of local backups and the status of a running store backup or get backup task. Output from this command is similar to the following: Backup image created Nov 25 17:25:22 2002.
reboot: Automatically reboot after installing the upgrade. The upgraded software is activated when the system is rebooted. version: Displays the version of the software available for download at the specified URL.
cancel upgrade. Cancels the current get upgrade task. set upgrade proxy [on | off] [host <ip-address> [<port>]] [user <user> [<password>]]. Configure a proxy server for retrieving software releases via FTP.
shutdown. Shuts down the system. You are prompted to confirm that you want to shut down the system: This operation will shutdown this system and users may lose their connections.
• info: show all information, notice, warning, error, and critical log entries. <lines>: The maximum number of lines to be displayed. The default is 23. <count>: The number of time units to be displayed, in combination with the <time-unit> variable.
Translates to: nslookup -timeout=10 <hostname>. ping {<ip-address> | <hostname>}. Pings an IP address or a hostname. If the hostname is not qualified, the domain name (as specified by the set domainname command) is appended.
traceroute {<ip-address> | <hostname>} [<hops> [<probes> [<probewait>]]]. Displays the traceroute for an IP address or hostname. If the hostname is not qualified, the domain name (as specified by the set domainname command) is appended.
clear ntpserver. Clears the NTP servers' IP addresses or hostnames. This command also disables the NTP service if it was enabled. set ntp on | off. Enables and disables the NTP service. set datetime <date> <time>. Manually sets the current local date and time.
Controller. To modify these settings on an Access Controller, you must use the Administrative Console on the managing Access Control Server. set snmp on | off. Turns SNMP support on or off. Turning SNMP on enables read-only access to the MIB.
set snmp contact <contact>. Sets the SNMP sysContact object, defined in RFC 1213 as "the textual identification of the contact person for this managed node, together with information on how to contact this person."
Trap IP Address: None
Authorized Managers: None
B FILTER EXPRESSION SYNTAX
This appendix describes the syntax used to define user access rights (allowed traffic filters and redirected traffic filters), bridged traffic, and HTTP Proxy filters. It includes the following sections: Introduction.
Examples are: "fddi src myHost", "ip net 122.43", and "udp port 44". fddi is an alias for ether; they are treated identically as meaning "the data link level used on the specified network interface.
Table B-1. Allowable Primitives (Continued). Primitive / Explanation.
host host: True if either the source or destination of the packet is host.
ip6 proto protocol: True if the packet is an IPv6 packet of protocol type protocol.
ether proto protocol: True if the packet is of ether type protocol. Protocol can be a number or one of the names ip, ip6, arp, rarp, atalk, aarp, decnet, sca, lat, mopdl, moprc, iso, stp, ipx, or netbeui.
expr relop expr: True if the relation holds, where • relop is one of >, <, >=, <=, =, != •.
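The primitives in Table B-1 follow tcpdump's filter grammar. As an added example (not HP's code, which this guide does not publish), the following Python evaluates a subset of them against constructed packet records: the host, net, port and proto types with the src/dst and ether/ip/ip6/tcp/udp qualifiers shown above, combined with and/or/not as tcpdump syntax allows. The expr relop expr form is left out, and the packet records and field names are this example's own assumptions.

```python
# Evaluates a subset of the Appendix B filter primitives (tcpdump syntax) against
# constructed packet records. Added illustration, not HP's implementation.

# Constructed sample packets (not captured traffic). "ether" is the link-level type
# named as in Table B-1's "ether proto" row; "proto" is the IP protocol; ports are ints.
PACKETS = [
    {"ether": "ip", "proto": "udp", "src": "10.0.0.5", "dst": "192.168.1.53",
     "sport": 5353, "dport": 53},
    {"ether": "ip", "proto": "tcp", "src": "122.43.7.9", "dst": "10.0.0.5",
     "sport": 44, "dport": 8080},
    {"ether": "arp", "proto": None, "src": None, "dst": None, "sport": None, "dport": None},
    {"ether": "ip6", "proto": "tcp", "src": "2001:db8::1", "dst": "2001:db8::2",
     "sport": 4000, "dport": 443},
]
PROTO_NAMES = {"ether", "ip", "ip6", "arp", "tcp", "udp"}   # protocol qualifiers
DIRECTIONS = {"src", "dst"}                                 # direction qualifiers
KINDS = {"host", "net", "port", "proto"}                    # type qualifiers
FIELDS = {"host": ("src", "dst"), "net": ("src", "dst"), "port": ("sport", "dport")}

class FilterError(ValueError): pass   # expression the subset grammar cannot parse

def _proto_match(pkt, name):
    # "tcp"/"udp" test the IP protocol; "ip", "ip6", "arp" test the ether type.
    return pkt["proto" if name in ("tcp", "udp") else "ether"] == name

def _in_net(addr, net):
    # Table B-1 example "ip net 122.43": a dotted prefix matches addresses under it.
    return addr is not None and (addr + ".").startswith(net + ".")

def _primitive(tokens):
    """Parse [proto] [src|dst] kind value from the front of tokens; return a test."""
    proto = tokens.pop(0) if tokens and tokens[0] in PROTO_NAMES else None
    direction = tokens.pop(0) if tokens and tokens[0] in DIRECTIONS else None
    if not tokens or tokens[0] not in KINDS:
        if proto is not None and direction is None and proto != "ether":
            return lambda pkt: _proto_match(pkt, proto)   # bare "udp", "ip6", "arp"
        raise FilterError("expected host, net, port or proto")
    kind = tokens.pop(0)
    if not tokens:
        raise FilterError("missing value after " + kind)
    value = int(tokens.pop(0)) if kind == "port" else tokens.pop(0)

    def test(pkt):
        if proto not in (None, "ether") and not _proto_match(pkt, proto):
            return False   # e.g. "ip6 proto tcp" does not match an IPv4 packet
        if kind == "proto":
            # "ether proto X" tests the link type; "ip proto X" or bare "proto X" the IP protocol
            return pkt["ether" if proto == "ether" else "proto"] == value
        fields = FIELDS[kind]
        if direction is not None:
            fields = fields[:1] if direction == "src" else fields[1:]
        if kind == "net":
            return any(_in_net(pkt[f], value) for f in fields)
        return any(pkt[f] == value for f in fields)
    return test

def _parse_not(tokens):
    if tokens and tokens[0] in ("not", "!"):
        tokens.pop(0)
        inner = _parse_not(tokens)
        return lambda pkt: not inner(pkt)
    if tokens and tokens[0] == "(":
        tokens.pop(0)
        inner = _parse_or(tokens)
        if not tokens or tokens.pop(0) != ")":
            raise FilterError("unbalanced parentheses")
        return inner
    return _primitive(tokens)

def _parse_and(tokens):
    test = _parse_not(tokens)
    while tokens and tokens[0] in ("and", "&&"):
        tokens.pop(0)
        test = (lambda a, b: lambda pkt: a(pkt) and b(pkt))(test, _parse_not(tokens))
    return test

def _parse_or(tokens):
    test = _parse_and(tokens)
    while tokens and tokens[0] in ("or", "||"):
        tokens.pop(0)
        test = (lambda a, b: lambda pkt: a(pkt) or b(pkt))(test, _parse_and(tokens))
    return test

def compile_filter(text):
    """Turn a filter expression into a predicate over packet records."""
    tokens = ["ether" if t == "fddi" else t   # fddi is an alias for ether (Appendix B)
              for t in text.replace("(", " ( ").replace(")", " ) ").split()]
    if not tokens:
        raise FilterError("empty filter expression")
    test = _parse_or(tokens)
    if tokens:
        raise FilterError("unexpected trailing tokens: " + " ".join(tokens))
    return test

def matching(text, packets=PACKETS):
    """Indexes of the packets the filter expression selects."""
    test = compile_filter(text)
    return [i for i, pkt in enumerate(packets) if test(pkt)]
```

Running matching("ip net 122.43") against the constructed packets selects only the second record, and matching("tcp and not port 443") shows how a qualifier combines with negation.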
C CREATING CUSTOMIZED TEMPLATES
This Appendix explains how to develop custom templates for the Logon page, the optional Logoff pop-up page, and the optional Guest Registration page. It includes the following sections: Introduction.
A Simple Logon Page Template Example. The 700wl Series system logon page, in its simplest form, consists of two fields where the user enters his/her user name and password, and a button to invoke the logon function.
<!-- required functions -->
@satmac()
@interface()
@java_works()
@secret()
@query()
</FORM>
</body>
</html>
The template file is a standard HTML file with the tmpl functions included.
Required Elements. Form Tag: <FORM action=/logon method=post name=logonForm>. For the logon page only, there must be a form with the name attribute set to logonForm. The action and method attributes must also be set as shown.
• @satmac(). This function returns an INPUT element of type hidden, with a value that is the client's MAC address. • @interface(). This function returns an INPUT element of type hidden. • @java_works(). This function returns an INPUT element of type hidden, with a value of 0.
In addition to including the realm field on the custom login page, the User specified authentication realm check box must be checked (on the Rights Manager Customize Web Pages by Location page). Note that this check box does not appear unless there are multiple authentication realms defined.
@set("variable", "value"). Sets the value of a run-time variable. For example, to set the variable "month" to the month a client's rights expire, you would use: @set(&.
</head>
<body bgcolor="FFFFFF">
<!-- specifies an image and a solid black line at the top of the form. The image must be stored in the Rights Manager via Images Upload -->
<center>
<img src="/images/galactic.
@secret()
@query()
<!-- Displays user and password fields, and three buttons, in a table -->
<table width="600" cellspacing="0" cellpadding="1" bgcolor="#.
Figure C-2. Three-button logon page. Changing the Logon Button Names. If you want to change the names that appear on the buttons on the Logon page, you must use two INPUT statements.
Example 3
<FORM action="/cgi-bin/logon" method=post name=logonForm>
(This is the FORM statement required at the beginning of the Logon form.)
@satmac()
@interface()
@java_works()
@secret()
@query()
(Not shown -- Code here to set up a table, present username and password input fields etc.
Customizing the Logon Page Messages. There are a number of informational messages that may appear on the Logon page in certain circumstances.
Guest Registration Template. To configure a location to allow custom guest registration, there are three elements that must be in place: • Your main custom logon page must have a "Register as Guest" button instead of the "Logon as a Guest" button.
The page generated by this template is shown in Figure C-3.
Example 4
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>H.
<tr>
<td align="right"><font size="2"> Last Name:</font></td>
<td align="left"><INPUT type="text" name="lastname&qu.
Figure C-3. Guest Registration page produced by the template in Example 4. Using a Logoff Pop-Up with a Customized Logon Page. One of the options for user logoff, in browsers that support JavaScript, is to have a Logoff button appear in a pop-up browser window as soon as the user has logged on to the system.
The required elements in a Logoff Pop-up template are: Form Tag: <FORM action=/logon method=post name=logoffForm>. A form with the name logoffForm is required, with action and method attributes set as shown. Buttons: One button must be present on the page to enable the user to log off.
This generates the pop-up window shown in Figure C-4. Figure C-4. Logoff pop-up window. When the user clicks the Logoff button, the Login window is immediately displayed in the same window, allowing the user to log in again.
Figure C-5. Logoff confirmation window. When you click the link in this window, a fresh Logon page opens in a new window. To customize this logoff confirmation window, you can upload a custom template in the Logged Off Window field under the Custom Templates tab of the New or Edit Logon Customization page.
D TROUBLESHOOTING
This appendix presents troubleshooting procedures for the 700wl Series system. Table D-1 shows the symptoms, probable cause and recommended actions for a variety of problems.
Table D-1. System Configuration Troubleshooting Guide (Continued)
Symptom(s): RADIUS Authentication not working
Probable Cause: 1. RADIUS configuration incorrect. 2. Username or password not valid
Recommended Action: Test client authentication using Transaction Tracer (under Rights > Authentication Policies > Tools and Options). 1.
Symptom(s) / Probable Cause / Recommended Action
Symptom(s): Client has incorrect access
Probable Cause: Rights misconfigured
Recommended Action: For a connected client, view Client detailed rights status from the Status > Client Status page.
E GLOSSARY
The glossary defines terms that are used throughout the 700wl Series system. Some of the following terms are in common usage but may have 700wl Series system-specific meanings. These terms are defined in context in the chapter where they first appear.
Term / Definition
AH: Authentication Header protocol. AH digitally signs the entire contents of each packet, protecting your network against three kinds of attacks: Replay attacks, where an attacker captures packets, saves them until later, and resends them.
CLI: Command Line Interface: 700wl Series system Access Controllers, Integrated Access Managers, and Access Control Servers all have a command line interface through which they can be controlled, as an alternate to using the Administrative Console.
DNS: Domain Name Server - A DNS translates Internet domain names, such as xyzcorp.com, into IP addresses. Downlink port: A port on an Access Controller or Integrated Access Manager to which a device at the network edge, such as a Wireless Access Point, switch, or hub, is connected.
HTTP Proxy: A Web server that sits between a client application, such as a Web browser, and a real server. It intercepts all requests to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server.
T erm Definition IKE A part of I PSec : I KE=Int e rne t Key Exchange (Nego tia t es sessi on param e te rs for the a u the n ticatio n he ader and ESP.
T er m Definition L2F L aye r 2 Forw ardin g ; a tun neling protoc ol from Ci sc o L2 TP La yer Tw o Tunneling Prot ocol (L2TP ) is an exten s io n o f the Point- to-Po i nt Tunneli ng Pro t ocol (PPTP) u s ed to enable a v i rtu a l p r ivate netw o rk (VP N) ove r the Intern et.
T erm Definition Ou ter Tunne l Addres s The IP add res s associat ed wi th a PPT P or L 2 TP c on necti on w i thi n which the c lient traffi c is encap sulated. Thi s a ddre ss will always be a NA T‘ed a ddress , regard l es s of the grou p N AT set t ings.
T er m Definition Session red i recto rs C li ent TCP and UDP se ssion s can be red i rec t ed fro m t hei r ori g inal des t inati on IP addres s or port. SN MP Simp le N e twork Man agement Proto c ol - The net wo rk m anagemen t protocol of most m odern T CP /IP-ba sed network s.
T erm Definition tcpdum p A pr ogram tha t pri n ts out the head ers of p ackets on a network interfa ce tha t ma tch a sp ecified filt ering c r iteria .
T er m Definition We b se rver Ne tw ork host th at acts as an HTTP se rver; a c o mput er th at pr o vid es Wo rl d W i de Web s e rv ices on the Intern et; i t include s the hardw a re, op era t ing sy s t em, We b se rver s o ft w a re, TCP/IP p r oto cols, and th e Web s i te c onte nt (Web pages).
T erm Definition XML-R PC XML -RPC i s desi gn ed to b e a simp le procedural w ay for a c li ent prog ram to make functio n requests of anothe r pro g ra m. I t pro vi des sim ila r funct i onali ty to SOAP, b u t i s more limited and, general l y, much si mpler to u se.
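The XML-RPC entry above describes a "function request" from one program to another without showing what one looks like or how a receiving side limits what can be called. The following is an added example written for this glossary, not code from the 700wl guide or from HP; it uses only the Python standard library (xmlrpc.client and xmlrpc.server). The method names add and greet, their handler bodies, and the sample arguments are assumptions chosen for illustration; nothing here models the 700wl management interface itself.

```python
"""XML-RPC round trip with the Python standard library (added example).

Shows the marshalled <methodCall> a client would POST, and a server side
dispatcher that answers only an explicit allowlist of method names.  The
method names and handlers below are assumptions for illustration only.
"""
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher


def build_call(method: str, *params) -> bytes:
    """Marshal a method call into the XML-RPC request body a client would POST."""
    return xmlrpc.client.dumps(params, methodname=method).encode("utf-8")


def make_dispatcher() -> SimpleXMLRPCDispatcher:
    """Server side: only explicitly registered names are callable.

    register_introspection_functions() is deliberately not called, so a
    caller cannot enumerate the interface with system.listMethods, and no
    object instance is registered, so dotted attribute lookups resolve to
    nothing.  Unknown or mis-called methods come back as a generic <fault>.
    """
    dispatcher = SimpleXMLRPCDispatcher(encoding="utf-8")
    dispatcher.register_function(lambda a, b: a + b, "add")        # assumed handler
    dispatcher.register_function(lambda name: "hello " + name, "greet")  # assumed handler
    return dispatcher


def call(dispatcher: SimpleXMLRPCDispatcher, method: str, *params):
    """Client side round trip through the dispatcher, no socket needed.

    _marshaled_dispatch is the same entry point the stdlib request handler
    feeds a POST body into; it returns the response document as bytes.
    Returns ("ok", value) on success, or ("fault", faultCode) when the
    server answered with a <fault> element (unregistered method, bad arity).
    """
    response = dispatcher._marshaled_dispatch(build_call(method, *params))
    try:
        (value,), _ = xmlrpc.client.loads(response)
        return ("ok", value)
    except xmlrpc.client.Fault as fault:
        return ("fault", fault.faultCode)


if __name__ == "__main__":
    d = make_dispatcher()
    print(build_call("add", 2, 3).decode())
    print(call(d, "add", 2, 3))            # ('ok', 5)
    print(call(d, "greet", "700wl"))       # ('ok', 'hello 700wl')
    print(call(d, "system.listMethods"))   # ('fault', 1): introspection not exposed
    print(call(d, "add", 2, 3, 4))         # ('fault', 1): wrong number of arguments
```

The point a practitioner should take from the dispatcher is that the callable surface is an allowlist of names, not whatever the server process happens to have in scope, and that every failure is reported with the same faultCode rather than a message that reveals which names exist. A real endpoint should additionally cap the request body size before handing it to the XML parser, since the parser will accept a document of any length.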
INDEX OF COMMANDS

A
add snmpmanager <hostname> | <ip-address> [/<mask>] A-35
add snmptrapreceiver <ip-address>

delete policyadmin <login> A-5
delete snmpmanager all | <hostname> | <ip-address> [/<mask>]

remote upgradecheck <ip-address> <url> A-21
remote upgradereboot <ip-address> <url> <key>

set syslogserver <ip-address> [<facility>] A-17
set timezone <general-tz> <specific-tz>

T
traceroute {<ip-address> | <hostname>} [<hops> [<probes> [<probewait>]]]
IOC-6 HP ProCurve Secure Access 700wl Series Management and Configuration Guide
INDEX

Numerics
802.1Q VLAN tag
  specifying in Access Policy 4-46
  specifying in Connection Profile 4-33
802.1x
  configuring as authentication service 5-16
  configuring RADIUS for 5-17
  monitored logon 5-3
802.2 protocol 6-24
802.

  changing username/password on Integrated Access Manager 6-10
  changing username/password on Integrated System 6-12
  default name and password 2-4
  logging in as 2-4
  logging o

browser-based logon 1-3, 5-2
Built-in authentication service 5-2
built-in database 4-16
  adding Access Points 4-22
  adding users 4-17
  network equipment 4-21
  retrieving M

Ethernet bridging, enabling 6-24
Expire timer, See reauthentication timeout
export rights 5-50
External 4-51
external identity retrieval 5-28

F
Failover, See Access Control Server redundancy
filters
  display filters 2-12
folders
  creating or editing 6-13
  selecting for an Access Controller 6-12
  vs.

LDAP service
  authentication troubleshooting D-2
  configuring for authentication 5-9
  configuring MAC address retrieval 4-26
  non-user binding 5-10
  retrieving MAC address us

P
password
  changing for administrator 2-5
  troubleshooting D-1
PDAs
  logon page options 5-33
peer Access Control Server
  configuring peer name 6-6
  deleting 6-7
PKI
  configuri

syslog server, configuring 9-5
Session Logs
  log entry format 9-6
  viewing 9-6
session status
  filtering display 3-13
Settings tab
  in a Connection Profile 4-32
  in Access Policy 4-4

V
Verify via DNS HTTP proxy filter option 4-78
Virtual LANs (VLANs) 1-6, 2-24
  and IP addressing 2-26
  and the 700wl system, overview 2-24
  specifying tag in Access Poli
© Copyright 2003 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.