User / maintenance manual for the 700wl Series product from the manufacturer HP (Hewlett-Packard)
www.hp.com/go/hpprocurve
HP ProCurve Secure Access 700wl Series Management and Configuration Guide
© Copyright 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. This document contains proprietary information, which is protected by copyright.
CONTENTS
Preface
Chapter 1 Introduction: 700wl Series Overview; 700wl Series Functions; Client Authentication; Client Access Rights; Wireless Data Privacy and VPN Protocols; R.
Chapter 3 System Status: Viewing Status Information; Viewing Equipment Status; Viewing Access Control Server Status; Viewing Access Controller Status; Viewing Access Controll.
Modifying the Outside World Filter to Restrict Access; Setting Up HTTP Proxy Filters. Chapter 5 Configuring Authentication: Authentication in the 700wl Series System; The Rights Ma.
SSL Certificate; Configuring Network Interfaces; Configuring the Port Speed and Duplex Settings; Port Subnet IP Address and Subnet Netmask; Configuring SNMP; Setting the Da.
Appendix A Command Line Interface: Accessing the Command Line Interface; Connecting with a Serial Console; Connecting Using SSH; Using the CLI on an Integrated Access Manager.
Appendix D; Appendix E; Index of Commands; Index. Optional Elements C-5; Logon Page Template, A More Advanced Example C-7; Example 2 C-7; Changing the Logon Button Names C-10; Exampl.
PREFACE
This preface describes the audience, use, and organization of the Management and Configuration Guide. It also outlines the document conventions, safety advisories, compliance information, related documentation, support information, and revision history.
The following notices and icons are used to alert you to important information.
Table 2. Notices
Icon | Notice Type | Alerts you to...
None | Note | Helpful suggestions or information of special importance in certain situations.
Chapter 6 – Configuring the Network: This chapter describes how to configure the 700wl Series system components so that they work with your enterprise network. Chapter 7 – Setting up Wireless Data Privacy: This chapter describes how to enforce security using IPSec, L2TP, and PPTP.
Index of Commands: The Index of Commands is an alphabetized list of the CLI commands with references to the pages where they are documented.
1 INTRODUCTION
This chapter provides a brief introduction to the 700wl Series system™ and its primary features. The topics covered in this chapter include: 700wl Series Overview
Introduction
Figure 1-1 illustrates a 700wl Series system topology that is configured with redundant Access Control Servers for failover.
Clients that are successfully authenticated, Employees in Figure 1-1, are typically associated with Access Policies that provide access to secure network resources.
• RADIUS servers • Kerberos services • XML-RPC-based services • The Rights Manager's built-in database. This is the default authentication service. You can populate it with usernames and passwords through the Rights Manager.
Because the 700wl Series system identifies clients by MAC address, it is simple to detect when a device roams. A Linger Timeout determines the length of time a client has to complete a roam, that is, to appear at a new physical location after disappearing from the old physical location.
Addressing in the 700wl Series System in Chapter 2, and Chapter 4, Configuring Rights, include more extensive discussions of addressing considerations and NAT.
2 USING THE 700WL SERIES SYSTEM
This chapter provides a brief introduction to using the 700wl Series system and its Administrative Console. It also provides an overview and discussion of a number of common tasks you may need to accomplish.
Using the 700wl Series System
• Primary and secondary DNS server addresses • Shared secret, used to enable Access Controllers or a peer Access Control Server to establish a trusted communication relationship with the Access Control Server.
The 700wl Series system provides three levels of administrator access: • A Network Administrator can configure the network parameters t.
• Enable or disable Wireless Data Privacy protocols, configuring the address method and range for VPN tunneling, and configuring IPSec paramet.
Note: It is strongly recommended that you change the built-in administrator logon name and password as soon as possible.
— Links within the page contents — Related Topics menu displayed using the Related Topics button. Related Topics links: these are presented.
Using the Administrative Console: When you first log on to the Administrative Console, your browser displays the Equipment Status tab of the Status pages (Figure 2-3). Figure 2-3. Initial Page of the Administrative Console.
Figure 2-4. Header and Navigation Bars for an Access Control Server. Information at the right side of the Header bar shows the username of the logged-in Administrator, the IP address of the Access Control Server, and the current date and time.
For details, refer to Chapter 4, Configuring Rights, and Chapter 5, Configuring Authentication. Network: The Network pages enable configuration of the 700wl Series system components to work with your enterprise network.
Navigation bar buttons and the pages under each:
Status | Rights | Network | VPN | Maintenance | Logs
• Equipment Status • C. | • Rights Setup | • System | • Wireless Data | • Software Setup | • Log Files
Left Panel: The left panel contains explanatory or descriptive text about the page and its functions. It also contains controls for the features of the page, and navigation aids. The specific controls in the left panel depend on the function of the page.
Display Filters and Auto Refresh Settings: Some data, such as the contents of the log, can be very lengthy. To control the display of such information you can use filters to selectively display subsets of the total information.
Tables: In configure tables, each row in a table typically displays the key items that define the element represented by the table row.
Figure 2-10. Data Tables (callout: Sortable column). • Sortable Column Headings: In some tables you can sort the items in the table based on the table columns. Column headings that allow sorting appear as a link when the cursor is rolled over the column name, as shown in Figure 2-10.
Common Buttons: The following table lists the common buttons used in the Administrative Console and gives their meaning.
Table 2-1. Administrative Console Buttons
Button | Function
Folder | This represents a user-defined folder for system components.
Basic System Configuration Tasks: When you have completed the installation of your 700wl Series system following the instructions in the 700wl Se.
System Features and Concepts: The following sections provide an introduction to some of the key concepts and functions that are central to the 700wl Series system. Many of these concepts are discussed in more detail in the appropriate chapters later in this Guide.
Figure 2-12. Access Controller Redirect Page. Enterprise Class Redundancy: The 700wl Series system supports Access Control Server redundancy and failover.
The communication between the two peer Access Control Servers is done via a proprietary message-based protocol over TCP/IP. Upon restart, an Access Controller attempts to communicate with the primary Access Control Server.
or has some other configuration information you would prefer not to lose. The act of making it a secondary Access Control Server in a n a.
If a client is logged onto the 700wl Series system using PPTP or IPSec encryption, overhead related to packet encryption can reduce the actual throughput experienced relative to the specified throughput.
You specify the addressing mode for a client through the Access Policy. The 700wl Series system default is NAT mode. Note: If PPTP or L2TP is enabled in the Access Policy, then the NAT setting only affects how the inner tunnel address is assigned.
Controller. If the client is using a real IP address, all sessions must be tunneled back through the original Access Controller. • NAT provides some amount of protection to a client since no device other than the Access Controller can talk directly to the client.
How the 700wl Series system handles roamed sessions depends on the protocol used by the client to connect to the 700wl Series system, and whether the client's IP address has been mapped using NAT or not.
Figure 2-13. Connection Profile for Traffic Tagged with VLAN 10. You can then define an Access Policy that should apply to these clients and create a new row in the Rights table that associates the Access Policy with the VLAN-specific Connection Profile.
In this case, Authenticated clients with a VLAN 20 tag will match the first row in the table, and will receive access rights based on the Access Policy created for members of that VLAN.
• Create a variation of the default "Unauthenticated" Access Policy that includes the same access rights (which basically only allow a client to request authentication) but set the NAT option to When Necessary and the addressing option to Require DHCP.
One way to work with this limitation is to place a switch between the Access Points and the Access Controller, with a separate connection between the switch and the Access Controller for each VLAN.
3 SYSTEM STATUS
This chapter explains how to view the system status tables of the 700wl Series system. You can view the status of any and all system equipment (Access Controllers and Access Control Servers), clients (users, identified either by username and password or by MAC address), and sessions.
System Status
Figure 3-1. Getting to Status Information. There are four tabs in the status module: • Equipment Status presents an overview of the status of the Access Control Servers and Access Controllers. From this page you can view a more detailed status for each Access Controller.
If a display has more entries than will fit on one page (based on the Rows per Page filter setting), page navigation controls are enabled to let you navigate between the results pages. In the Client Status and Session Status views, you can sort the display by the data in any column.
Viewing Access Control Server Status: The Access Control Server status table, as shown in Figure 3-3, shows the following information: Table 3-1.
Figure 3-3. Access Control Server Tab for the Primary Access Control Server in a redundant configuration. Viewing Access Controller Status: The Access Controller status table displays the following information about each Access Controller: Table 3-2.
Figure 3-4. Access Controller Detail Page. The Access Controller Detail page shows general status information for the Access Controller at the top of the page. Below this is a System Inventory tab that shows the status for each port on the Access Controller, grouped by slot.
Table 3-3. Access Controller Detail Page: System Inventory Display
Column | Description
Status | This column shows: • The MAC address of the port • The speed and duplex setting for the port, with the actual speed and duplex shown in parentheses.
» To display the client status, select the Access Controller and client type filtering parameters from the left panel and click Apply Filters. The display is updated to show the clients per your filter settings.
Filtering Client Status Information: To make it easier to find the information you need from a client status page, you can filter the display to show only a subset of the entries.
Figure 3-6. Client Detail Page. The following information is displayed on this page:
Table 3-6. Active Client detail information
Information | Description
User | The descriptive name of the user, if known.
Current Access Controller | Information about the Access Controller through which the user is connected: • Name of the Access Controller (by default the same as the IP address).
Figure 3-7. Client Detail page showing current rights in XML. The Client Detail User Rights display shows the row in the Rights Table that this client matched, including the Identity Profile, Connection Profile and Access Policy associated with the client.
The View Active Sessions page appears, as shown in Figure 3-8. Figure 3-8. Session Status Page. » To filter the session data, select the desired filters and click Apply Filters.
Table 3-7. View Active Sessions Information
Column | Description
Client Source | The IP address and port of the client system, as placed in the packet header by the client.
Table 3-8. Session Status Filtering Parameters
Filter by: | Details
Access Controllers | Lets you display only sessions for a selected Access Controller. You select the Access Controller from the drop-down list.
Figure 3-9. License Information Page
4 CONFIGURING RIGHTS
This chapter describes how network access rights are assigned to clients through the 700wl Series system, and explains how to configure access control policies. The topics covered in this chapter include: Access Rights in the 700wl Series System.
Configuring Rights
Time Window in which the connection exists, and optionally, a VLAN tag, to match the client to a Connection Profile.
The network administrator configures network access control policies by defining Identity Profiles, Connection Profiles and Access Policies, or by modifying existing profiles and policies.
• An Access Policy defines aspects of how a client interacts with the network. The Access Policy defines what traffic is allowed to be passed into the network, and what traffic will be redirected to alternate destinations.
the Client Status tab under the Status button, and click Refresh User Rights Now. You can also refresh rights for individual clients, if appropriate.
Connection Profiles once the Access Controllers have been installed and the appropriate Locations have been created. b. Create Time Windows that specify hours of the day, days of the week, and so on, to allow or restrict access during specified times.
Series system is matched to a row in the table based on its Identity Profile and Connection Profile, and receives access rights as specified by the Access Policy for that row. The 700wl Series system looks for a matching row starting at the top of the table, and stops at the first match.
the new identification information. The user will now match one of the Identity Profiles near the top of the table.
Note: It is important that rows with the "Access Points" Identity Profile appear in the table before rows that contain the "Any" Identity Profile.
Figure 4-3. The New Rights Assignment Page. Each field on this page contains a drop-down list from which you can select the components of a row in the Rights Assignment table, as defined in Table 4-1: Table 4-1.
Step 2. Specify where in the table the new row should be placed. Order is important in matching a client to a row. The default position is to place the row at the top of the table. Step 3. When you have made your selections, click Save to add this row to the table.
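The first-match walk through the Rights Assignment Table described above, together with the ordering note about "Access Points" rows and "Any" rows, as an added example that is not the 700wl Series code: a small Python model of the table in which each row pairs an Identity Profile and a Connection Profile with an Access Policy. The matching semantics of the profiles, the policy names, the MAC addresses and the sample table are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Sequence


@dataclass(frozen=True)
class Client:
    """What the Access Controller knows about a connecting client (constructed fields)."""
    mac: str
    location: str
    when: datetime
    vlan: Optional[int] = None        # 802.1Q tag on the client's traffic, if any
    authenticated: bool = False


@dataclass(frozen=True)
class IdentityProfile:
    """Assumed semantics: 'Any' matches everyone, 'Authenticated' matches
    authenticated clients, any other profile matches by member list (MACs here)."""
    name: str
    members: frozenset = frozenset()

    def matches(self, c: Client) -> bool:
        if self.name == "Any":
            return True
        if self.name == "Authenticated":
            return c.authenticated
        return c.mac.lower() in self.members


@dataclass(frozen=True)
class TimeWindow:
    days: frozenset = frozenset(range(7))   # Monday=0 .. Sunday=6; default is any day
    start_hour: int = 0
    end_hour: int = 24                      # exclusive

    def contains(self, t: datetime) -> bool:
        return t.weekday() in self.days and self.start_hour <= t.hour < self.end_hour


@dataclass(frozen=True)
class ConnectionProfile:
    """Location, Time Window and optional VLAN tag must all match (None = any)."""
    name: str
    location: Optional[str] = None
    window: TimeWindow = TimeWindow()
    vlan: Optional[int] = None

    def matches(self, c: Client) -> bool:
        if self.location is not None and self.location != c.location:
            return False
        if self.vlan is not None and self.vlan != c.vlan:
            return False
        return self.window.contains(c.when)


# One row of the Rights Assignment Table: (Identity Profile, Connection Profile, Access Policy)
Row = tuple[IdentityProfile, ConnectionProfile, str]


def assign_rights(table: Sequence[Row], c: Client) -> Optional[str]:
    """Walk the table from the top and return the Access Policy of the first matching row."""
    for identity, connection, policy in table:
        if identity.matches(c) and connection.matches(c):
            return policy
    return None


# --- constructed sample configuration (hypothetical names and addresses) ----
ANY = IdentityProfile("Any")
AUTHENTICATED = IdentityProfile("Authenticated")
ACCESS_POINTS = IdentityProfile("Access Points", frozenset({"00:11:22:33:44:55"}))
EVERYWHERE = ConnectionProfile("Any")
VLAN20 = ConnectionProfile("VLAN 20 clients", vlan=20)
BUSINESS_HOURS = ConnectionProfile("Weekday office", location="HQ",
                                   window=TimeWindow(frozenset(range(5)), 8, 18))

GOOD_TABLE: list[Row] = [
    (ACCESS_POINTS, EVERYWHERE, "Network Equipment"),   # equipment row before the Any row
    (AUTHENTICATED, VLAN20, "VLAN 20 Employees"),       # VLAN-specific row before the general one
    (AUTHENTICATED, BUSINESS_HOURS, "Employees"),
    (ANY, EVERYWHERE, "Unauthenticated"),               # catch-all row last
]
# Same rows, but with the catch-all "Any" row moved above the "Access Points" row
BAD_TABLE: list[Row] = [GOOD_TABLE[3]] + GOOD_TABLE[:3]


def demo() -> dict:
    monday_10am = datetime(2004, 6, 7, 10, 0)          # a Monday
    saturday_10am = datetime(2004, 6, 12, 10, 0)       # a Saturday
    ap = Client("00:11:22:33:44:55", "HQ", monday_10am)
    employee_vlan20 = Client("aa:bb:cc:dd:ee:01", "HQ", monday_10am, vlan=20, authenticated=True)
    employee = Client("aa:bb:cc:dd:ee:02", "HQ", monday_10am, authenticated=True)
    employee_weekend = Client("aa:bb:cc:dd:ee:02", "HQ", saturday_10am, authenticated=True)
    guest = Client("aa:bb:cc:dd:ee:03", "HQ", monday_10am)
    return {
        "ap_good": assign_rights(GOOD_TABLE, ap),
        "ap_bad": assign_rights(BAD_TABLE, ap),      # shadowed by the misplaced Any row
        "vlan20": assign_rights(GOOD_TABLE, employee_vlan20),
        "employee": assign_rights(GOOD_TABLE, employee),
        "weekend": assign_rights(GOOD_TABLE, employee_weekend),  # outside the Time Window
        "guest": assign_rights(GOOD_TABLE, guest),
    }


if __name__ == "__main__":
    for name, policy in demo().items():
        print(f"{name}: {policy}")
```

The "ap_bad" case is the misordering the Note warns about: the access point never reaches its own row because the "Any" row above it matches first.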
Figure 4-4. The Identity Profiles Page. The 700wl Series system provides three predefined Identity Profiles, and a Rights Administrator can create additional ones.
Creating or Editing an Identity Profile: To create a new Identity Profile, click the New Identity Profile... button at the bottom of the Identity Profile list. The New Identity Profile page appears, as shown in Figure 4-5, with an empty Name field.
Figure 4-6. Creating a New Identity Profile, with User list displayed. From this page, with the Users or Network Equipment list displayed, you can also add a new user or equipment item, or edit a user or equipment item.
Limiting the number of logons per user does not prevent a user from logging on with that username and password; rather, it prevents that user from matching this Identity Profile and thus getting rights based on matching this Identity Profile in the Rights Table.
Users in the Built-In Database: Many organizations choose to authenticate their wireless users against a corporate database or authentication service.
Table 4-2. Users Page Field Definitions
Field | Description
Identity Profile Assignment | The Identity Profile to which the user has been assigned, if any.
Figure 4-8. Adding a New User. The fields on this page are as follows:
Table 4-3. New User Fields
Field | Description
Name | A descriptive name that identifies the user in the 700wl Series system's Administrative Console.
Username/MAC Address | The user's username (logon ID) or MAC address. A user may be identified by one or the other, not both. A username may have up to 50 characters.
Step 2. Select the Identity Profile to which this user should be assigned by clicking the appropriate checkbox in the Identity Profiles table. As a rule, you would assign a user to only one Identity Profile, since the search for a match always stops at the first match found.
correctly in the system; however, if you want to manage these devices from within the 700wl Series system, you may want to assign them a specific set of access rights.
From the Network Equipment page you can also go directly to the Identity Profiles page or to the Users page by clicking the link near the top of the left-hand column, just below the page name.
The fields on this page are as follows:
Table 4-5. New Network Equipment Fields
Field | Description
Name | A descriptive name for the device. This name may be up to 32 characters in length. Any 7-bit characters are allowed.
To edit a Network Equipment entry in the built-in database, do the following: » Edit the fields to change the descriptive name or the MAC address.
an individual record for the MAC address. For example, suppose the record identified by cn=MACS contained the following values for uniqueMember: uniqueM.
Note: If you have an LDAP service configured for user binding, that service does not appear in this list. » To configure or change the settings for MAC address retrieval, click the configuration icon at the end of the row.
Figure 4-12. Configuring MAC Addresses Retrieval Parameters for an LDAP Service. The fields on this page are as follows: Table 4-6.
Identity Profile membership information can be associated with a MAC address in one of two ways: • If each MAC address has its own record in the database, its group identity information may be kept as an attribute in the record.
This means that the Rights Manager will use the search string found in the initial search (for example, the value returned from the uniqueMember attribute in the MACS record) to search for the individual MAC address record.
The Connection Profile is used in the Rights Assignment Table, in concert with the Identity Profile, to determine a client's access rights.
» To edit a Connection Profile, click the Connection Profile name in the first column of the table, or click the pencil icon at the end of the row. This takes you directly to the Edit Connection Profile page (see "Creating or Editing a Connection Profile" on page 4-31).
Figure 4-14. Creating a New Connection Profile, the Settings Tab. To create or edit a Connection Profile, do the following: Step 1. Type a name for a new Connection Profile. You can change the name of an existing Connection Profile by typing a new name.
Table 4-9. New Connection Profile Settings Tab Contents (Continued)
Column | Description
VLAN Identifier | How an 802.
The Locations tab shows a list of the currently defined Locations. The columns in this list are as follows:
Table 4-10. Locations Tab Column Definitions
Column | Description
Name | The descriptive name for the Location.
• To select all Time Windows in the list, select the checkbox next to the Locations column heading. Clicking this checkbox a second time removes the checks from all Time Windows in the list. • To remove a Time Window from the profile, click its checkbox to remove the check.
» To delete a Location, click the trash can icon at the end of the row. » To create a new Location, click the New Location... button at the bottom of the Locations list. This takes you to the New Location page (see "Creating or Editing a Location").
Time Windows: A Time Window is a specification of a period of time, defined by specific dates or date ranges, days of the week, and hours of the day. Time Windows may be used to limit when a Connection Profile is available as a valid match for a client.
Creating or Editing a Time Window: To create a new Time Window, click New Time Window... at the bottom of the Time Window list. The New Time Window page appears, as shown in Figure 4-18, with a blank name field and default time settings.
Table 4-14. New Time Window Settings
Setting | Description
Valid Days | Specify a Time Window by days of the week: • The default is Any day • To specify particular days, click the Selected days radio button, then check the individual days of the week you want to include.
Figure 4-21. The Access Policies Page. The 700wl Series system provides five predefined Access Policies, and a Rights Administrator can create additional ones.
Table 4-15. Access Policies Table Contents
Column | Description
Allowed Traffic | Grid | A list of the Allowed Traffic Filters selected for the Access Policy. Click Grid in the column heading to display all Access Policies and Allowed Traffic Filters in a grid format.
Figure 4-22. Access Policies and Allowed Traffic Filters in a Grid Format. Each row represents an Access Policy. The Allowed Traffic Filters are shown in columns. Filters that are enabled for the Access Policy are represented by checks in the appropriate column checkbox.
Figure 4-23. Access Policies and Redirected Traffic Filters in a Grid Format. Each row represents an Access Policy. The Redirected Traffic Filters are shown in columns. Filters that are enabled for the Access Policy are represented by checks in the appropriate column checkbox.
Figure 4-24. Creating a New Access Policy, the Settings Tab. To create or edit an Access Policy: Step 1. Type a name for the policy in the Name field. You can change the name of an existing Access Policy by typing a new name.
To add the modified Access Policy as a new Access Policy, leaving the original Access Policy unchanged, click Save As Copy. The Save As Copy button is available only on the Edit Access Policy page. After a Save As Copy the page remains displayed so you can make additional changes.
Table 4-16. New Access Policy Settings Tab Contents
Column | Description
VLAN Identifier | How a VLAN Identifier (tag) should be handled: • Select Remove.
Key Length (PPTP only) | For PPTP, the minimum MPPE (RC4) session key length: • Select 40 bits to allow a 40-bit or 128-bit key.
address is valid if it falls within that address range. If the address does not fall within the port's address range, NAT is used, even if the address is within the Access Controller's subnet.
The Allowed Traffic Tab: Allowed Traffic filters are traffic filters that identify packets that are permitted to be forwarded by an Access Controller. If you are creating a new Access Policy, the Allowed Traffic filters are displayed in alphabetical order.
Figure 4-25. Creating an Access Policy, the Allowed Filters Tab. Note that if the filter you select is one of a DNS or WINS filter pair, you must also include th.
The Allowed Traffic list shows all existing Allowed Traffic filters. These are displayed in alphabetical order if you are creating a new Access Policy. If you are editing an Access Policy, the filters included in the policy are displayed at the top of the list.
Table 4-18. Predefined Allowed Traffic Filters
Allowed Traffic Filter | Description
Internal rights UI | Allows access to the Rights Manager pages via the Access Controller defined in @INTERNAL@ (by default 42.
Figure 4-26. Creating an Access Policy, the Redirected Traffic Tab. The Redirected Traffic list shows the following information about each filter:
Table 4-19. Redirected Traffic List Definitions
Column | Description
Name | The name for the Redirected Traffic Filter.
Note: Redirected Traffic filters are evaluated in the order that they appear in the Redirected Traffic list of each Access Policy. When a packet matches a Redirect filter, it is immediately redirected to the appropriate destination.
Table 4-20. Predefined Redirected Traffic Filters
Redirected Traffic Filter | Description
No internal IAM UI | Redirects Integrated Access Manager UI access requests via 42.0.0.1
No internal rights UI | Redirects Rights Manager UI access requests via 42.
To configure automatic HTTP Proxy filtering for this Access Policy, select the HTTP Proxy tab, as shown in Figure 4-27, and select or enter data into the fields as described in Table 4-21. Figure 4-27.
Table 4-21. HTTP Proxy Tab Field Definitions
Field/Column | Description
• Allow FQDN | Accept HTTP traffic destined for the specified fully-qualified domain name (e.g. www.domain.com)
• Allow Host | Accept HTTP traffic destined for the specified host name (e.
The Bandwidth Tab: 700wl Series system version 4.0 provides the ability to limit the bandwidth available to each client to prevent network performance degradation. Using Access Policies, bandwidth can be limited on a client-by-client basis.
Bandwidth Rate Limiting in the 700wl Series system: 700wl Series system version 4.0 provides bandwidth rate limiting (or "policing") on a per-client basis.
The Linger Timeout: The Linger timeout enables the 700wl Series system to force a logoff for clients that have disconnected from the network without logging off.
Figure 4-29. Creating an Access Policy, the Timeout Tab. The fields under the Timeout tab are as follows: Table 4-23.
Table 4-23. Timeout Tab Field Definitions
Field | Description
Never force users to reauthenticate | Allows client sessions to remain connected indefinitely without requiring reauthentication.
Figure 4-30. The Allowed Traffic Filters List. The Allowed Traffic list shows the Allowed Traffic filters in alphabetical order, and includes the following information about each filter: Table 4-24.
» To delete a filter, click the trash can icon at the end of the row. » To create a new filter, click the New Filter... button at the bottom of the filter list. This takes you to the New Filter: Allowed Traffic page (see "Creating or Editing an Allowed Traffic Filter").
To create or edit an Allowed Traffic filter, do the following: Step 1. Type a name for this filter. You can change the name of an existing Allowed Traffic filter by typing a new name. Step 2. Type a description for the filter, or modify the existing description.
Redirected Traffic Filters: Redirected Traffic filters are traffic filters that identify packets sent from a client that should be redirected to a new destination.
The Redirected Traffic list shows the Redirected Traffic filters in alphabetical order, and includes the following information about each filter:
Table 4-25. Allowed Traffic List Definitions
Column | Description
Name | The name for the Redirected Traffic Filter.
Con f iguring Righ ts Figur e 4-33 . Creat ing a N ew Re dir ec t ed T r affic Filte r Y o u can create the f i lter specifica t ion in on e of two wa ys: • S peci fy the traf fic proto c ol, a nd the de stinati on IP a ddr es s an d port, o r • D efin e th e f ilter as a regu la r express i on i n tcpdump synta x.
Con f iguring Righ ts b. If the protocol re qui r es a de stinat ion port, type it in to th e Port f iel d. If the pr otoc ol d oes not support port spe c ification s , N/A appears in the po rt fi eld. Y o u can enter a sin g le port, o r us e an a s ter is k ( *) to specify all po rts.
Con f iguring Righ ts Click Canc el to re turn to th e pr evio us page witho u t maki ng a ny fu rther cha nge s. Built-in and User -defined Addres s V a ria b les Fo r us e in both All owed and Redir.
Con f iguring Righ ts T ab l e 4 - 26. Predefine d Addr ess V ariab les Addr ess V ariab le V a lue / Desc ription @INTERNAL @. The addre ss of the Acc ess C ontrol Serve r Adm inis t rative C onsole.
Con f iguring Righ ts T ab l e 4 - 27. Edi t A ddress fields Fie ld De fini ti on Na me The name of t he var i able. May b e up to 32 upperc ase al phabe tic c hara c ters (no numera ls or oth e r chara c ters). You may in clude t he —@“ at th e beginn ing and e nd, bu t do n o t need to – the syst em w ill add th em if neces sary.
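As an added example (not code from the HP guide), the following Python models the behaviour described above: address variable names are normalized per Table 4-27 and expanded into a Redirected Traffic filter's destination, and the filters of an Access Policy are tried in list order with the first match winning, with "*" meaning all ports. The RedirectFilter structure, the filter names, the addresses and the redirect targets are constructed assumptions for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not code from the HP 700wl guide. It models Redirected
# Traffic filters specified as protocol, destination IP address and port
# ("*" = all ports), evaluated in list order with the first match winning,
# and address variables such as @INTERNAL@ that are expanded before the
# filter is applied (Tables 4-26 and 4-27). Filter names, addresses and
# redirect targets below are constructed sample data.

# Table 4-27: up to 32 uppercase alphabetic characters, no numerals or other
# characters; the "@" at the beginning and end is added if it was left off.
_VAR_NAME = re.compile(r"^[A-Z]{1,32}$")


def normalize_variable_name(raw: str) -> str:
    """Return the canonical @NAME@ form, or raise ValueError for a bad name."""
    name = raw.strip()
    if name.startswith("@"):
        name = name[1:]
    if name.endswith("@"):
        name = name[:-1]
    if not _VAR_NAME.match(name):
        raise ValueError(f"invalid address variable name: {raw!r}")
    return f"@{name}@"


def is_valid_variable_name(raw: str) -> bool:
    try:
        normalize_variable_name(raw)
        return True
    except ValueError:
        return False


@dataclass
class RedirectFilter:
    name: str
    protocol: str      # "tcp" or "udp"
    destination: str   # IP address, CIDR network, or an @VARIABLE@
    port: str          # a single port number, or "*" for all ports
    redirect_to: str   # constructed: where a matching packet is sent


def expand_address(address: str, variables: Dict[str, str]) -> str:
    """Replace an @VARIABLE@ destination with its configured value."""
    if not address.startswith("@"):
        return address
    key = normalize_variable_name(address)
    if key not in variables:
        raise KeyError(f"undefined address variable {key}")
    return variables[key]


def filter_matches(flt: RedirectFilter, variables: Dict[str, str],
                   protocol: str, dst_ip: str, dst_port: int) -> bool:
    if flt.protocol != protocol:
        return False
    # strict=False lets a plain host address act as a /32 network.
    network = ipaddress.ip_network(expand_address(flt.destination, variables),
                                   strict=False)
    if ipaddress.ip_address(dst_ip) not in network:
        return False
    return flt.port == "*" or int(flt.port) == dst_port


def first_redirect(filters: List[RedirectFilter], variables: Dict[str, str],
                   protocol: str, dst_ip: str, dst_port: int) -> Optional[str]:
    """Filters are evaluated in list order; the first match decides."""
    for flt in filters:
        if filter_matches(flt, variables, protocol, dst_ip, dst_port):
            return flt.redirect_to
    return None


# Constructed sample configuration (RFC 5737 documentation addresses).
VARIABLES = {
    normalize_variable_name("INTERNAL"): "192.0.2.10",     # stand-in for the Admin Console
    normalize_variable_name("WEBSERVERS"): "198.51.100.0/24",
}

FILTERS = [
    RedirectFilter("Admin console", "tcp", "@INTERNAL@", "443", "192.0.2.10:443"),
    RedirectFilter("Web via proxy", "tcp", "@WEBSERVERS@", "80", "192.0.2.20:8080"),
    RedirectFilter("All DNS", "udp", "0.0.0.0/0", "53", "192.0.2.30:53"),
]

if __name__ == "__main__":
    print(first_redirect(FILTERS, VARIABLES, "tcp", "198.51.100.7", 80))  # 192.0.2.20:8080
```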
Figure 4-36. WINS Filters List The Filter list shows the DNS or WINS filter pairs in alphabetical order, and includes the following information about each pair: Table 4-28. DNS or WINS Filter Pair list definitions Column Description Name The name of the filter pair.
The Edit Filter pages are almost identical to the New Filter pages, except that the name, description, and server definitions are displayed for the filter you have selected, and a Save As Copy button is provided.
the list, using the multi-select mechanism supported by your browser (typically Ctrl-click and Shift-click). The 700wl Series system selects a destination server at random from the servers you have selected, at the time rights are assigned to the client.
Figure 4-38. HTTP Proxy Filters List The HTTP Proxy list shows the HTTP Proxy filters in alphabetical order, and includes the following information about each filter: Table 4-29. HTTP Proxy Filter List Definitions Column Description Name The name for the HTTP Proxy Filter.
The Edit Filter: HTTP Proxy Traffic page is almost identical to the New Filter page, except that the name, description, and the filter and destination definitions are displayed for the filter you have selected, and a Save As Copy button is provided.
Table 4-30. HTTP Proxy Filter Types Filter Rule Type Description • Allow Reg Accepts HTTP traffic to a destination specified as a regular expression that evaluates to an address or address range For example "(.
Example: Modifying the "Guest Access" Access Policy The following sections provide examples of how to modify access rights by editing the settings for an Access Policy.
Step 2. In the Access Policy column of the table, click Guest Access to display the Edit Access Policy page for the Guest Access Access Policy. Step 3. Click the Allowed Traffic tab to display the Allowed Traffic filters currently selected for this Access Policy, as shown in Figure 4-41.
Figure 4-41. The Allowed Traffic filters for the Guest Access Access Policy Step 4. Find the row for the Outside World filter, as shown in Figure 4-41, and click the checkbox to select the filter. Step 5.
Modifying the Outside World Filter to Restrict Access If the Outside World Allowed Traffic filter is not sufficiently restrictive for your network environment, you can modify it (or create a new filter) to restrict access to multiple subnets or IP addresses.
See Appendix B, "Filter Expression Syntax" for details of the tcpdump syntax. Note: Tcpdump syntax is case sensitive.
Figure 4-43. Configuring Proxy Filters to limit access for the Guest Access Access Policy Step 3. To create the filters you need, click New Filter.... See "HTTP Proxy Filters" on page 4-75 for details on creating HTTP proxy filters.
5 CONFIGURING AUTHENTICATION This chapter describes how clients are authenticated through the 700wl Series system, and explains how to configure authentication policies. The topics covered in this chapter include: Authentication in the 700wl Series System.
Configuring Authentication specification, determine a Connection Profile for the client. The client's identity (who the client is) is determined through the authentication process. This is used to determine an Identity Profile for the client.
client, the username and password are sent to the next service, and so on. If all services in the list fail to authenticate the user, then the user will continue to have only unauthenticated logon rights.
The Rights Manager The configuration of network Authentication Policies is done through the Rights module, accessed by clicking the Rights icon on the Navigation bar.
Figure 5-1. The Authentication Policies Page The Authentication Policies table shows the currently defined Authentication Policies. This table shows the following information about each Authentication Policy: Table 5-1.
Creating or Editing an Authentication Policy To create a new Authentication Policy, click the New Authentication Policy.
• To edit an Authentication Service, click the name of the service you want to edit, or click the pencil icon at the end of the row. This takes you directly to the Edit Authentication Services page for the filter you selected.
Figure 5-3. The Authentication Services Page The Authentication Services table shows the currently defined Authentication Services. This table shows the following information about each Authentication Service: Table 5-2.
appears (see Figure 5-4). The page initially displays the configuration options for an LDAP Authentication Service.
Figure 5-4 shows the configuration page for configuring an LDAP service with non-user binding. For many of the options on the LDAP service page, th.
The information required to configure an LDAP service for authentication is defined in the following tables.
If you select Non-user bind, the remaining fields on the page are as follows: Table 5-4. LDAP Authentication Configuration Options, No.
» For detailed instructions for setting up an Active Directory server, see "Using the Active Directory LDAP Service" on page 5-13. » For detailed instructions for setting up a Netscape or iPlanet server, see "Using a Netscape or iPlanet Directory Service" on page 5-14.
To use User binding for authentication where the user logon ID is used as the DN, do the following: a. Select User bind from the drop-down field. b. Enter the following into the User bind string field: <domain name>%s For example, for domain XYZCorp.
Step 3. Specify some additional options for this LDAP server: a. The timeout value specifies the length of time the 700wl Series system waits for a response to an authentication request before it abandons the request.
Then, do the following: Step 1. Because you are sending a password in the clear, make sure that you are using SSL.
Along with the authentication results, you can obtain the user's group affiliation from the authentication process. The returned group information will be used to match the user to an Identity Profile in the Rights Assignment table.
Figure 5-6. Creating a New Authentication Service - Kerberos Step 5. Enter the information required to configure a Kerberos service for use with authentication as defined in Table 5-7: Table 5-7.
Configuring a RADIUS Authentication Service Note: The 700wl Series system Access Control Server must be configured as a RADIUS client on your RADIUS server. To configure the 700wl Series system to use a RADIUS database for user authentication: Step 1.
The information required to configure the RADIUS service for authentication is defined in Table 5-8 as follows: Table 5-8. RADIUS Authentication Service Configuration Field/Option Description Name Your name for this authentication method.
» To use a RADIUS service for accounting, you must configure a RADIUS server as an Authentication Service, and check the Supports RADIUS Accounting (RFC-2866) on port checkbox and enter the appropriate port number to which the 700wl Series system should send the accounting data.
Field Data Acct-Session-ID The unique ID for this client session Acct-Session-Time The seconds this client was logged on this Access Controller.
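The accounting record described above, as an added example that is not code from the HP guide: a minimal RFC 2866 Accounting-Request carrying Acct-Session-Id and Acct-Session-Time, together with the Request Authenticator check a RADIUS accounting server applies using the shared secret before it trusts the record. The shared secret, NAS identifier, session values and the exact attribute set are constructed assumptions; the page does not list HP's full attribute set.

```python
import hashlib
import hmac
import struct

# Added example, not code from the HP 700wl guide. It builds an RFC 2866
# Accounting-Request of the kind an Access Controller sends at session end
# (Acct-Session-Id and Acct-Session-Time are the fields named on the page)
# and shows the server-side check: recomputing the Request Authenticator
# with the shared secret. Secret and field values are constructed sample
# data; the attribute set is an assumption, not HP's documented list.

ACCOUNTING_REQUEST = 4          # RADIUS packet code (RFC 2866)

# Attribute type numbers from RFC 2865 / RFC 2866.
USER_NAME = 1
NAS_IDENTIFIER = 32
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_SESSION_TIME = 46
ACCT_STOP = 2                   # Acct-Status-Type value "Stop"


def _attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length, value (max 253 bytes)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(identifier: int, secret: bytes, username: str,
                             nas_id: str, session_id: str, session_time: int) -> bytes:
    attrs = (
        _attr(USER_NAME, username.encode())
        + _attr(NAS_IDENTIFIER, nas_id.encode())
        + _attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STOP))
        + _attr(ACCT_SESSION_ID, session_id.encode())
        + _attr(ACCT_SESSION_TIME, struct.pack("!I", session_time))
    )
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 section 3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Accounting server side: accept only packets whose authenticator was
    produced with the configured shared secret and whose length is sane."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> dict:
    """Decode the attributes into a dict keyed by attribute type."""
    out = {}
    pos = 20
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed RADIUS attribute")
        value = packet[pos + 2:pos + attr_len]
        if attr_type in (ACCT_STATUS_TYPE, ACCT_SESSION_TIME):
            out[attr_type] = struct.unpack("!I", value)[0]
        else:
            out[attr_type] = value.decode()
        pos += attr_len
    return out


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt = build_accounting_request(7, secret, "ann", "700wl-ac-1", "0001A2B3", 1830)
    print(verify_accounting_request(pkt, secret), parse_attributes(pkt))
```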
• The Rights Manager uses the group information and the start and stop times from the user profile to temporarily map the user to a matching Identity Profile, during the time frame defined by the stop and start times in the profile.
The information required to configure an XML-RPC authentication service is defined in Table 5-9 as follows: Table 5-9. XML-RPC Authentication Service Configuration Field/Option Description Name Your name for this authentication method.
These parameters are shown in Table 5-10: Table 5-10. Parameters for Authenticate Call Parameter Type Description userid string User logon fr.
Table 5-11. Name/value Pairs Returned by Authenticate Response Name Type Value and Description validTimes string An array of strings that define the times when a user is given the rights associated with the group.
<value><string>Monday:Wednesday:Friday</string></value> </member> <member><name>startDate</name> <value><stri.
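To show how an Authenticate response is consumed, here is an added Python example (not HP's code): it parses a constructed XML-RPC methodResponse shaped like the fragment above, reads validTimes (accepting both the colon-separated string shown in the fragment and the array form Table 5-11 describes) and the start and stop dates, and answers the User Rights Simulator question of whether the user would be mapped to the group's Identity Profile at a given time. The stopDate and group member names and the ISO-8601 date format are assumptions, since the page's fragment is cut off.

```python
import xmlrpc.client
from datetime import date, datetime
from typing import Optional

# Added example, not code from the HP 700wl guide. The sample response is
# built with xmlrpc.client so it is well-formed; its shape follows the page's
# fragment (a struct with a validTimes string and a startDate member).
# Assumptions: the "stopDate" and "group" member names and ISO-8601 dates,
# which the page's truncated fragment does not show.

DAY_NAMES = {"Monday", "Tuesday", "Wednesday", "Thursday",
             "Friday", "Saturday", "Sunday"}

# Constructed sample methodResponse, as the XML-RPC service would return it.
SAMPLE_RESPONSE = xmlrpc.client.dumps(
    ({"validTimes": "Monday:Wednesday:Friday",
      "startDate": "2003-06-04",      # assumed date format
      "stopDate": "2003-12-31",       # hypothetical member name
      "group": "Staff"},),            # hypothetical member name
    methodresponse=True,
)

# A fault response, which is what a misconfigured service produces (the page:
# "an error and incomplete results").
SAMPLE_FAULT = xmlrpc.client.dumps(
    xmlrpc.client.Fault(1, "authentication failed"), methodresponse=True)


def parse_authenticate_response(xml_text: str) -> Optional[dict]:
    """Return the name/value struct, or None when the service returned a fault."""
    try:
        params, _method = xmlrpc.client.loads(xml_text)
    except xmlrpc.client.Fault:
        return None
    if len(params) != 1 or not isinstance(params[0], dict):
        raise ValueError("Authenticate response must be a single struct")
    return params[0]


def valid_days(value) -> set:
    """validTimes: colon-separated day names, given as one string (as in the
    page's fragment) or as an array of such strings (Table 5-11)."""
    parts = value if isinstance(value, list) else [value]
    days = set()
    for part in parts:
        for day in part.split(":"):
            if day not in DAY_NAMES:
                raise ValueError(f"unrecognised day in validTimes: {day!r}")
            days.add(day)
    return days


def rights_active_at(response: dict, when: datetime) -> bool:
    """Would the Rights Manager map this user to the group's Identity Profile
    at `when`? Both the day-of-week list and the date window must allow it."""
    if when.strftime("%A") not in valid_days(response["validTimes"]):
        return False
    start = date.fromisoformat(response["startDate"])
    stop = date.fromisoformat(response["stopDate"])
    return start <= when.date() <= stop


if __name__ == "__main__":
    resp = parse_authenticate_response(SAMPLE_RESPONSE)
    print(rights_active_at(resp, datetime(2003, 6, 4, 9, 0)))   # True (a Wednesday)
```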
enabled in any other Access Policies that may be in force when a client is required to reauthenticate. The Allowed Traffic Filter for LDAP must be created and then enabled in the appropriate Access Policies.
• First, you must configure an LDAP Authentication Service to be used to retrieve the group identity information. You must specify Non-User binding, either rootdn/rootpw binding or anonymous binding (if the service allows anonymous bind).
Logon Page Customization The 700wl Series system Rights Manager provides default Logon, Logoff, Stop, and Guest Registration pages that are displayed when users are to be authenticated using Web-based logon.
Through the Rights Manager, you can customize the appearance of the Logon, Logoff and Stop pages in the following ways: • You can create customized versions of the standard Logon, Logoff and Stop pages by including your own text and logos.
Customizing a Logon Page To create a new logon customization page, do the following: Step 1. From anywhere within the Rights Manager, click the Logon Customization tab. Step 2. Click New Logon Customization… The New Logon Customization page appears, as shown in Figure 5-12.
Figure 5-12. New Logon Customization Page Customizing the Logo In the Logos section of the New/Edit Logon Customization page you can customize the logo (image) that appears on the logon and logoff web pages.
of a small screen. You can change this logo to be a small version of your own logo for use with small browsers. To change either logo, do the following: Step 1. Go to the Logos section of the New/Edit Logon Customization page and select the logo you wish to change.
Step 2. Place a check mark in the Allow users to specify authentication policies checkbox if you want users to choose a specific Authentication Policy from a group of Authentication Policies.
If you select the Guest Registration option, the Guest Registration page appears as shown in Figure 5-14. Figure 5-14. Guest Registration page If you choose to require guests to register before logging on, the following process will occur when they log on to the system.
network. However, if the user goes to the logon page again while he/she is still logged on, the logon page indicates that the user is already logged on and provides a logoff button.
Step 2. In the textbox labeled Stop Page Text enter the text you want to display on the Stop page. This can include HTML formatting commands. Step 3. Click Save. To clear the stop page text after it has been set, click Reset to Defaults at the bottom of the page.
Customized Page Templates If you want to create pages that are customized beyond the options provided on the Customize Web Pages by Connection Profile page, you can create your own templates for the Logon, Logoff, Stop, and Guest Registration pages.
Figure 5-17. Logon Customization: Custom Templates Step 4. In the appropriate field (Logon Page, Logoff Window, Stop Page, or Guest Registration Page), type the path and name of a.
The page will redisplay showing the loaded image, see Figure 5-18. Note: The template images area shows ALL images available for use in custom templates, not just those you have loaded for a specific custom template.
Step 7. To indicate that an image is to be used with the customized logon page you are creating, check the box to the left of the image. This notifies the system that this image should be downloaded to the Access Controller with the custom template code.
Note: The User Rights Simulator does NOT show you the actual rights of a user who is currently logged on, but shows you the rights a user would have as if they were logged on at a particular time and location.
Table 5-12. User Rights Simulator Fields Field Description Access Controller and Port The Access Controller, slot and port to be used to simulate the user's physical connection location.
Figure 5-20. Rights for User "ann" if Logged on at the Specified Time and Location The top portion of the Rights results shows the Identity Profi.
• If the Identity Profile is not what you expected: — For users in the built-in database, the user may have been assigned to a different profile than you expected.
Figure 5-21. The XML Representation of User Rights Tracing Authentication Service Transactions The Transaction Tracer lets you verify authentication transactions to one of the active authentication services: LDAP, RADIUS, Kerberos or XML-RPC.
service is working correctly, the service should return a successful result, including the information associated with that user, if appropriate. If the authentication service is not set up correctly, you will receive an error and incomplete results.
Figure 5-23. Results of a traced transaction The Result Parameters contain any parameters returned with the authentication, if appropriate.
» To Import or Export Rights, click the Tools and Options tab visible at the top of any Rights module page, then click the Import/Export Rights link in the left-hand column of the page. This displays the Import/Export Rights page, as shown in Figure 5-24.
Figure 5-25. Rights Export in Progress page While the export is in progress, this page is refreshed every 15 seconds. • To stop the page refresh, click Stop Auto Refresh. • To cancel the import click Cancel.
Figure 5-26. The Import/Export Rights page after a successful rights export Step 3. Under the Last Rights Export heading, click Save Export As... to save the rights export image as a file. This will start the file download process appropriate to your local system.
• To stop the page refresh, click Stop Auto Refresh. • To cancel the import click Cancel. Step 3. When the import has completed, another informational page appears, telling you the process is complete.
5-54 HP ProCurve Secure Access 700wl Series Management and Configuration Guide.
6 CONFIGURING THE NETWORK This chapter describes how to configure the 700wl Series system components so that they work with your enterprise network. The topics covered in this chapter include: 700wl Series System Components . . . .
Configuring the Network 700wl Series System Components When you first click on the Network icon the System Components page appears, as shown in Figure 6-1.
From this list you can click a component name or click the pencil icon at the right of the row to edit the component's name and the folder to which it is assigned. For Access Control Servers, you can also edit settings related to its use in a failover configuration.
DHCP (the default) will boot up and run properly without a shared secret configured, but Access Controllers will not be able to communicate with it.
Note: The IP address can be changed under the Network Setup tab, along with other network configuration settings.
Table 6-2. Edit Access Control Server page field definitions Field/Option Description Redundancy Preferred Primary Access Control Server If check.
Deleting a Peer Access Control Server You must disable redundancy by editing the Primary Access Control Server configuration before you can delete the Secondary Access Control Server (uncheck the Enable Redundancy checkbox and Save).
Editing the Integrated Access Manager Configuration The Integrated Access Manager is typically configured with its network configuration parameters an.
The Edit Integrated Access Manager page appears as shown in Figure 6-4. Figure 6-4. Edit Integrated Access Manager page The fields on the Edit Integrated Access Manager page show the current setting for the Integrated Access Manager.
Table 6-3. Edit Integrated Access Manager page field definitions Field/Option Description NAS-ID/Description A description for this unit.
With the exception of the Access Control Server IP address and shared secret, Access Controllers are configured centrally from the Administrative Interface of the Access Control Server or Integrated Access Manager.
Table 6-4. Edit Access Controller page fields Field/Checkbox Description Name An alphanumeric name for the Access Controller. By default the name is the IP address of the unit. IP Address The IP address of this Access Controller (read-only).
You can modify an Access Controller's name, administrator username and password, folder, SSH access permissions, and the Access Control Server IP address and shared secret. The IP address and MAC address are displayed read-only and cannot be modified on this page.
Figure 6-6. New Folder Page » To change the name of a folder, click the folder name in the System Components List, or click the pencil icon ( ) to the far right of the folder. Edit the name in the Folder Name field and click Save.
Configuring Failover with Redundant Access Control Servers Please read the section "Enterprise Class Redundancy" on page 2-18 in Chapter 2, "Configuring the Network". Note: Integrated Access Managers cannot be used as a peer in a redundant configuration.
Step 4. When you are ready to initiate the peer relationship and start the data synchronization process, check the Enable Redundancy checkbox on the Primary Access Control Server (and Save).
• Under Network, only the System Components, Network Setup, Interfaces, and Date & Time tabs are available.
» To access the Network Setup pages, click the Network icon in the Navigation Toolbar, then select the Network Setup tab.
Network Communication: the Basic Setup Tab To configure the basic network communication settings for a 700wl Series system component, do the following: Step 1. Under the Network icon, click the Network Setup tab to display the Basic Setup tab, as shown in Figure 6-8.
Edit the contents of the fields on this page as appropriate. The fields and their settings are defined in Table 6-5. Table 6-5. Basic Setup tab fields Field Description Configure A drop-down list you use to specify how this component gets its IP address.
Table 6-5. Basic Setup tab fields Field Description Secondary DNS The IP address of the secondary DNS server Primary WINS The IP address of the primary WINS server Secondary WINS The IP address of the secondary WINS server Step 3.
Figure 6-9. Network Setup: Advanced Setup page for an Integrated Access Manager
Access Control Server Configuration Advanced Options The following settings appear on this page if you are configuring an Access Control Server or an Integrated Access Manager. They do not appear if you are configuring an Access Controller.
Access Controller Advanced Configuration Options The following settings appear on this page if you are configuring an Access Controller or an Integrated Access Manager. They do not appear if you are configuring an Access Control Server.
The following are the specifications in tcpdump syntax for the predefined bridging options: Table 6-7. Tcpdump syntax for pre-defined bridging op.
the client's rights. Depending on the Wireless Data Privacy mechanism and the type of addressing in force, the client's existing sessions may be tunneled from the original Access Controller to the new Access Controller.
You can specify an external proxy server, or the 700wl Series system can act as the proxy server and handle the traffic according to the configured ports and filters defined for each Access Policy.
available, the HTTP Proxy Server on the Access Controller will cycle to the next available IP address. Step 4. In the Proxy Server Port field, type the TCP port number used for the proxy server. Step 5.
Figure 6-11. Network Settings: SSL Tab (Integrated Access Manager or Access Control Server only) The information at the top of the page shows information about the current certificate. Initially this will be the certificate generated and signed by HP ProCurve.
Requesting an SSL Certificate To generate an SSL Certificate Signing Request (CSR): Step 1. From the SSL tab, click Generate CSR.... The Generate SSL Certificate Signing Request page appears, as shown in Figure 6-12, in a separate browser window.
Figure 6-13. The Certificate Signing Request You can use this certificate signing request either to request a certificate from a CA, or to create your own self-signed certificate using an SSL toolkit, such as OpenSSL.
Loading the SSL Certificate When you receive your certificate from the CA, you can either copy the certificate information and paste it into the field provided, or you can place the certificate in a file and upload the file.
Save and Restore Private Key The CSR you generate is based on a private key. If the private key is lost or regenerated, any CSRs based on the original private key become invalid. After generating the CSR, you should save the private key on your local system.
Caution: Restoring a saved private key will invalidate an SSL certificate based on the current (different) private key.
Figure 6-16. Example of a Port Connection Type selection list To configure a port for a specific connection type, do the following: Step 1. On the Interfaces setup page select the Access Controller to configure.
Note: If you want to set a port to half-duplex, but half-duplex is not offered as an option in the drop-down list, you will need to select a setting that does not specify an option, and allow the port to negotiate for half-duplex.
uplink port so that the default uplink (slot 0 port 2 on a 700wl Series system) is now a downlink port, then that port will appear on this page. The port being used as the uplink port will not appear.
configured to support routing the addresses you have configured for your ports through the Access Controller uplink port. For example, if the Access Controller's IP address is 192.168.2.20 with subnet mask 255.
Figure 6-19. SNMP Page Step 2. Select the system component for which you want to enable SNMP from the System Components List. Step 3. SNMP is disabled by default. Select Enabled from the SNMP drop-down menu to enable SNMP.
Note: Include a trap IP address only if you have an SNMP trap receiver listening for this information. HP proprietary SNMP trap events include fan failure, fan operational, and out-of-range temperatures.
Figure 6-20. Date & Time Page Step 2. Using the System Components List on the left select the component for which you wish to set the date and time. You can select an Access Control Server, a single Access Controller, or a folder.
The format for the date is MM/DD/YYYY. For example, June 4, 2003 would be entered as 06/04/2003. The format for the time is HH:MM, using a 24 hour clock. For example, 6:23 PM would be entered as 18:23.
Figure 6-21. Admin Setup page Step 2. Click New Admin... The New Admin page appears (see Figure 6-20). Figure 6-22. Admin Setup page Step 3. Fill in the fields as required (see Table 6-8) and select the administrator type from the drop-down menu.
Table 6-8. New/Edit Admin Fields Field Description Name A descriptive name that identifies the Administrator. It can be the administrator's full name or any other meaningful name. This name may have up to 32 characters.
• To edit an administrator account, click the administrator's Name or Username, which are links to the Edit Admin page, or click the Pencil icon at the right of the row. The Super Administrator can change any of the settings for an administrator.
6-46 HP ProCurve Secure Access 700wl Series Management and Configuration Guide.
7 SETTING UP WIRELESS DATA PRIVACY. This chapter explains how to configure the global settings for the security protocols. The topics covered in this chapter are: Overview of Wireless Data Privacy.
Setting up Wireless Data Privacy
The encryption policy that defines how encryption applies to a specific client is determined through the Access Policy that defines rights for that client.
Figure 7-1. The Wireless Data Privacy tab. Global Wireless Data Privacy Configuration. Select the Wireless Data Privacy protocols you want to enable for the 700wl Series system. By default, all protocols are disabled.
The fields and settings under the Configuration for IPSec heading of the Wireless Data Privacy tab are as follows: Table 7-1.
Table 7-1. IPSec configuration settings. Field / Description. ESP Encryption: Select the appropriate algorithms for ESP encryption, or specify None.
Figure 7-2. The IPSec Certificate Configuration tab. By default the Current Certificate area of the page shows "No certificate configured." This area will show information about the certificate if one is installed.
Step 3. Fill in the information in this form: a. Type the name in which the certificate should be granted. This can be an individual name or a title such as "Wireless Admin." b. Type the email address for the certificate contact.
Step 6. Copy and paste the generated PKCS #10 certificate request, including the lines ----BEGIN CERTIFICATE REQUEST---- and ----END CERTIFICATE REQUEST---- into the appropriate field in the request form.
You may need to enter the request ID or confirmation information you received when you submitted your certificate request. When your certificate is displayed, find the portions that you can copy and paste into the HP system.
Figure 7-7. The Load Certificates page. Step 12. Copy and paste the two certificates from your CA's web site into the two fields provided, and click Save. Be sure to include the ---BEGIN CERTIFICATE--- and ---END CERTIFICATE--- lines.
Figure 7-8. The Certificates tab showing an installed certificate. Step 13. Immediately create and save a backup of your system. This saves both the private key and the saved certificates.
The default is to have addresses assigned by a DHCP server. » To configure the IP Address assignment method for the tunneling protocols, click the VPN icon in the Navigation bar at the top of the Administrative Console, then click the IP Address Assignment tab.
• The first DHCP request is taken to be a request for an outer tunnel address, and NAT is ALWAYS used, even if the Access Policy specifies Never for the Network Address Translation setting.
8 SYSTEM MAINTENANCE. This chapter explains how to perform common administrative tasks including creating, storing, and restoring a backup file, updating system software, and shutting down a 700wl Series system component.
System Maintenance
Figure 8-1. Software Setup page. Step 2. From the System Components list in the left panel, select the component (Access Control Server or Access Controller) for which you want to restart or update the software image.
Access Controller and using the Wireless Data Privacy protocols will temporarily lose their connections, and any remote CLI sessions over SSH will be terminated. It is recommended that you update your flash-based Access Controllers during times when system usage is low.
Figure 8-2. The Update Software page. From the Remote Update page you can initiate a software update from a remote FTP, TFTP, or HTTP server, or just check to see if any updates are available.
Remote Update. The information that is required to update the software image from a remote site is described in Table 8-2. Table 8-2.
If you want to check for upgrades on an alternate download site, you must enter the appropriate URL. Step 2. Click Check for Upgrades.
Select Continue to proceed with the upgrade, or Cancel to return to the previous page without proceeding. Note: If your currently installed software is signi.
If you enable Auto Refresh, the status page refreshes approximately every 15 seconds, displaying updated status information. After the download and unpack operations are complete, a completion message appears: New image successfully installed.
Variable / Value. update_file: Filename (including the path) of the software image. Please contact HP ProCurve Technical Support for information on the current downloadable image. For TFTP or anonymous FTP, the path is relative to the anonymous FTP or TFTP root.
Step 2. In the 700wl Series system Administrative Console, under Maintenance/Software Update, select the Local Update tab to display the Local Update page, as shown in Figure 8-5.
Figure 8-5. The Local Update Tab of the Update Software Function. Step 3. In the Uploaded Software Versions table, select the row where you want the new uploaded version to be placed.
Step 6. In the .vdist File field, type the full path and name of the distribution file you downloaded, or click Browse to locate the proper directory and file name. Note: You can save the vdist files under different names, if you want.
Caution: Restarting an Access Control Server or Integrated Access Manager will log off all clients on all Access Controllers. If possible, you should restart your system during a time when few clients are actively connected to the system.
Note: You cannot restore from the internal backup image. You can only restore from an external file. Therefore, you must save the backup image to a file. » To back up a system configuration, click the Backup & Restore tab under the Maintenance button.
Figure 8-8. Backup Confirmation. Click Continue to proceed, or Cancel to return to the Backup & Restore page without creating the backup image. While the backup is in progress, an information page, as shown in Figure 8-9, is displayed.
Figure 8-10. Backup & Restore page after a successful backup. » To save the backup to a file, click Save Backup As.
Figure 8-11. Restore In Progress Confirmation. Step 3. To proceed with the restore, click Continue. As part of the restore operation, the system is restarted. You will be required to log in again as administrator.
Warning: DO NOT restore a backup to a duplicate Access Control Server that is connected to the same network as the original Access Control Server.
Figure 8-12. The Shutdown/Restart tab. Restarting a System Component. Restarting a component will briefly shut down the unit, then restart it using the Installed Version software image. This action does not power off the unit.
Figure 8-13. Restart Confirmation. Step 3. To proceed with the restart, click Continue. To cancel the restart, click Cancel. Shutting Down a System Component. Shutting down a system component shuts down and powers off the selected unit.
Step 3. To proceed with the shutdown, click Continue. To cancel the shutdown, click Cancel. Resetting to Factory Default Settings. Resetting a system.
restore your configuration, you must restore from a backup image that was created and saved to an external file before the reset.
9 LOGS. This chapter presents tasks you can perform with these types of logging. Viewing 700wl Series System Logs 9-1. Configuring Session Logging.
Logs
Figure 9-1. Log file display. The Log File display table shows the log entries that exist at the moment you request the display. By default, the list is not refreshed unless you request a new display by clicking the Apply Filters button.
The log file display itself shows the following information: Table 9-2. Log file display. Column / Description. (empty): This column is used to call attention to log entries with severity levels of Critical or Major.
— Categories: All Categories (default), Error, Info, Debug, Function Trace, Object Trace, Session Log. This is a multiple selection box: by using CTRL-click or Shift-click you can select multiple categories to include in a single filter.
Figure 9-2. Setting Up Session Logging. Step 2. Type the information and select options as defined in Table 9-3. Table 9-3. Logging Setup Fields. Field/Option / Description. Session Logging: Enabled: Settings for session logging to a remote syslog server.
Note: Accurate time and date reporting is necessary for accurate and useful logs. To set the time and date, use the Date & Time tab in the Network area.
Table 9-4. Session Log information. Data Item / Definition. Actual Destination: The actual destination IP address and port, if redirected or tunnelled through another Access Controller.
A COMMAND LINE INTERFACE. This appendix documents the commands that are available on the serial console as part of the Command Line Interface (CLI). The CLI enables initial configuration and subsequent troubleshooting of the 700wl Series system.
Command Line Interface
Accessing the Command Line Interface. There are two ways to access the Command Line Interface — either by directly connecting a serial console to t.
Command Syntax. You may see a variety of symbols shown as part of the command syntax. These symbols explain how to enter the command, and you do not type them as part of the command itself. Table A-1 summarizes command syntax symbols.
This produces the following output:
"add" commands:
add bridging ... Add bridging options
add snmpmanager ... Add an SNMP authorized manager
add snmptrapreceiver ... Add an SNMP trap receiver
To see details about one of these commands, you can again use a question mark.
set superadmin pass | enable | disable <login>
Set the password for a superadmin. Enable or disable a superadmin login. pass: Change the password for the specified login name. The superadmin can change any password.
show policyadmin [<login>]
Show a specific policyadmin by specifying a login, or list all policyadmins by not specifying a login.
set remote on | off
Enables or disables remote technical support access.
00:e0:18:7d:b5:3d 10.205.2.25 4 hrs, 50 mins
show id
Displays this system's ID, which is the MAC address of Slot 0 port 1. On a 700wl Series unit, the default uplink port is slot 0 port 2. (Slot 0 port 1 is the Reserved port.
show deviceport <device>
Shows the port or slot and port for a device.
Network Configuration Commands
set hostname <hostname>
Note: This command is supported on the Access Control Server or Integrated Access Manager only. Sets the system's hostname. The system hostname is also used as the SNMP system name.
show ip
Shows the current IP configuration. Output from this command looks similar to the following:
Hostname:
Domain Name: xyzcorp.com
IP address: 192.168.10.157/24
DHCP enabled: No
Default gateway: 192.
set dns <primary-ip-address> [<secondary-ip-address>]
Note: This command is supported on the Access Control Server or Integrated Access Manager only.
Sets the IP addresses of the WINS servers. <primary-ip-address> The IP address of the primary WINS server for the system. <secondary-ip-address> The IP address of the secondary WINS server for the system (optional).
set portmedia {<port> | <slot>/<port>} "<media> [<media-option>]"
Sets the port media setting for the specified port or slot and port. <port> | <slot>/<port> The port, or slot and port on which to set the media type and option.
show portip
Displays the current IP address and netmask settings, if set, for all ports in the system. Output from this command is similar to the following:
Port settings
Slot 1 Port 1 IP: Not set
Slot 1 Port 2 IP: 192.
Note: This command is not available on an Integrated Access Manager.
Advanced Network Configuration Status
show bridging
Shows the current bridging settings.
show ac [mac <mac-address>]
Shows Access Controller settings for one or all Access Controllers connected to the Access Control Server or Integrated Access Manager. The default is to show all settings for all Access Controllers.
show redundancy
Shows the current redundancy (failover) settings. For example:
show redundancy
Redundancy configured state
----
Redundancy is disabled. No peer is specified. Peering priority is 0. Retry timeout to disabled peers is 60 seconds.
Advanced Network Configuration
set nat dhcp <ip-address> <subnetmask> [<lease-time> [<time-units>]]
Sets the NAT DHCP subnet and lease time. <ip-address> The DHCP subnet address for NAT.
remote datetime <ip-address> <date> <time>
Sets the date and time on the system at <ip-address>. <date> The current date in yyyy/mm/dd format. <time> The current time in h24:mm format.
remote reboot <ip-address>
Reboot the system at <ip-address>.
remote rebootalt <ip>
Reboot the system at <ip-address> to alternate software version.
remote upgradereboot <ip-address> <url> <key>
Upgrades the system at the specified IP address and reboots the system. <url> The URL encoded location of the software release to install.
set pptp on | off
Enables or disables PPTP.
set l2tp on | off
Enables or disables L2TP.
set ipsecsecret [<secret> <secret>]
Sets the IPSec shared secret. Prompts for the secret if not entered on the command line.
show vpn
Note: Even though you can only configure Wireless Data Privacy settings from the Access Control Server or Integrated Access Manager, you can use the show vpn command from an Access Controller to view these settings.
show clients [mac <mac-address>] [sort {mac | ip | user | machine | port | sessions | idle}] [reverse]
Lists all active clients. You can optionally sort the list by a number of criteria.
<stance>Deny</stance> </ipsec> <pptp> <stance>Deny</stance> <mppe_stance>Accept</mppe_.
If you respond Y to continue with the backup, the following reminder appears: NOTE: After creating the backup image, you must transfer it from this Integrated Access Manager onto your local computer.
store backup <url> [<filename>]
Stores the backup on another system using FTP.
show backup
Displays information about the list of local backups and the status of a running store backup or get backup task. Output from this command is similar to the following: Backup image created Nov 25 17:25:22 2002.
reboot: Automatically reboot after installing the upgrade. The upgraded software is activated when the system is rebooted.
version: Displays the version of the software available for download at the specified URL.
cancel upgrade
Cancels the current get upgrade task.
set upgrade proxy [on | off] [host <ip-address> [<port>]] [user <user> [<password>]]
Configure a proxy server for retrieving software releases via FTP.
shutdown
Shuts down the system. You are prompted to confirm that you want to shut down the system: This operation will shutdown this system and users may lose their connections.
• info: show all information, notice, warning, error, and critical log entries. <lines> The maximum number of lines to be displayed. The default is 23. <count> The number of time units to be displayed, in combination with the <time-unit> variable.
Translates to: nslookup -timeout=10 <hostname>
ping {<ip-address> | <hostname>}
Pings an IP address or a hostname. If the hostname is not qualified, the domain name (as specified by the set domainname command) is appended.
traceroute {<ip-address> | <hostname>} [<hops> [<probes> [<probewait>]]]
Displays the traceroute for an IP address or hostname. If the hostname is not qualified, the domain name (as specified by the set domainname command) is appended.
clear ntpserver
Clears the NTP servers' IP addresses or hostnames. This command also disables the NTP service if it was enabled.
set ntp on | off
Enables and disables the NTP service.
set datetime <date> <time>
Manually sets the current local date and time.
Controller. To modify these settings on an Access Controller, you must use the Administrative Console on the managing Access Control Server.
set snmp on | off
Turns SNMP support on or off. Turning SNMP on enables read-only access to the MIB.
set snmp contact <contact>
Sets the SNMP sysContact object, defined in RFC 1213 as "the textual identification of the contact person for this managed node, together with information on how to contact this person."
Trap IP Address: None
Authorized Managers: None
B FILTER EXPRESSION SYNTAX. This appendix describes the syntax used to define user access rights (allowed traffic filters and redirected traffic filters), bridged traffic, and HTTP Proxy filters. It includes the following sections: Introduction.
Examples are: "fddi src myHost", "ip net 122.43", and "udp port 44". fddi is an alias for ether; they are treated identically as meaning "the data link level used on the specified network interface."
Table B-1. Allowable Primitives (Continued). Primitive / Explanation. host host: True if either the source or destination of the packet is host.
ip6 proto protocol: True if the packet is an IPv6 packet of protocol type protocol.
ether proto protocol: True if the packet is of ether type protocol. Protocol can be a number or one of the names ip, ip6, arp, rarp, atalk, aarp, decnet, sca, lat, mopdl, moprc, iso, stp, ipx, or netbeui.
expr relop expr: True if the relation holds, where • relop is one of >, <, >=, <=, =, != •.
C CREATING CUSTOMIZED TEMPLATES. This Appendix explains how to develop custom templates for the Logon page, the optional Logoff pop-up page, and the optional Guest Registration page. It includes the following sections: Introduction.
A Simple Logon Page Template Example. The 700wl Series system logon page, in its simplest form, consists of two fields where the user enters his/her user name and password, and a button to invoke the logon function.
<!-- required functions -->
@satmac()
@interface()
@java_works()
@secret()
@query()
</FORM>
</body>
</html>
The template file is a standard HTML file with the tmpl functions included.
Required Elements. Form Tag: <FORM action=/logon method=post name=logonForm> For the logon page only, there must be a form with the name attribute set to logonForm. The action and method attributes must also be set as shown.
• @satmac(). This function returns an INPUT element of type hidden, with a value that is the client's MAC address. • @interface(). This function returns an INPUT element of type hidden. • @java_works(). This function returns an INPUT element of type hidden, with a value of 0.
In addition to including the realm field on the custom login page, the User specified authentication realm check box must be checked (on the Rights Manager Customize Web Pages by Location page). Note that this check box does not appear unless there are multiple authentication realms defined.
@set("variable", "value") Sets the value of a run-time variable. For example, to set the variable "month" to the month a client's rights expire, you would use: @set(&.
</head> <body bgcolor="FFFFFF"> <!-- specifies an image and a solid black line at the top of the form. The image must be stored in the Rights Manager via Images Upload --> <center> <img src="/images/galactic.
@secret() @query() <!-- Displays user and password fields, and three buttons, in a table --> <table width="600" cellspacing="0" cellpadding="1" bgcolor="#.
Figure C-2. Three-button logon page. Changing the Logon Button Names. If you want to change the names that appear on the buttons on the Logon page, you must use two INPUT statements.
Example 3 <FORM action="/cgi-bin/logon" method=post name=logonForm> (This is the FORM statement required at the beginning of the Logon form.) @satmac() @interface() @java_works() @secret() @query() (Not shown -- Code here to set up a table, present username and password input fields etc.
Customizing the Logon Page Messages. There are a number of informational messages that may appear on the Logon page in certain circumstances.
Guest Registration Template. To configure a location to allow custom guest registration, there are three elements that must be in place: • Your main custom logon page must have a "Register as Guest" button instead of the "Logon as a Guest" button.
The page generated by this template is shown in Figure C-3. Example 4 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>H.
<tr> <td align="right"><font size="2"> Last Name:</font></td> <td align="left"><INPUT type="text" name="lastname".
Figure C-3. Guest Registration page produced by the template in Example 4. Using a Logoff Pop-Up with a Customized Logon Page. One of the options for user logoff, in browsers that support JavaScript, is to have a Logoff button appear in a pop-up browser window as soon as the user has logged on to the system.
The required elements in a Logoff Pop-up template are: Form Tag: <FORM action=/logon method=post name=logoffForm> A form with the name logoffForm is required, with action and method attributes set as shown. Buttons: One button must be present on the page to enable the user to log off.
This generates the pop-up window shown in Figure C-4. Figure C-4. Logoff pop-up window. When the user clicks the Logoff button, the Login window is immediately displayed in the same window, allowing the user to log in again.
Figure C-5. Logoff confirmation window. When you click the link in this window, a fresh Logon page opens in a new window. To customize this logoff confirmation window, you can upload a custom template in the Logged Off Window field under the Custom Templates tab of the New or Edit Logon Customization page.
D TROUBLESHOOTING. This appendix presents troubleshooting procedures for the 700wl Series system. Table D-1 shows the symptoms, probable cause and recommended actions for a variety of problems.
Table D-1. System Configuration Troubleshooting Guide (Continued). Symptom: RADIUS Authentication not working. Probable Cause: 1. RADIUS configuration incorrect. 2. Username or password not valid. Recommended Action: Test client authentication using Transaction Tracer (under Rights > Authentication Policies > Tools and Options) 1.
Symptom(s) / Probable Cause / Recommended Action. Client has incorrect access: Rights misconfigured. For a connected client, view Client detailed rights status from the Status > Client Status page.
E GLOSSARY. The glossary defines terms that are used throughout the 700wl Series system. Some of the following terms are in common usage but may have 700wl Series system-specific meanings. These terms are defined in context in the chapter where they first appear.
Term / Definition. AH: Authentication Header protocol. AH digitally signs the entire contents of each packet, protecting your network against three kinds of attacks: Replay attacks, where an attacker captures packets, saves them until later, and resends them.
CLI: Command Line Interface: 700wl Series system Access Controllers, Integrated Access Managers, and Access Control Servers all have a command line interface through which they can be controlled, as an alternate to using the Administrative Console.
DNS: Domain Name Server - A DNS translates Internet domain names such as xyzcorp.com into IP addresses. Downlink port: A port on an Access Controller or Integrated Access Manager to which a device at the network edge, such as a Wireless Access Point, switch, or hub, is connected.
HTTP Proxy: A Web server that sits between a client application, such as a Web browser, and a real server. It intercepts all requests to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server.
IKE: A part of IPSec: IKE=Internet Key Exchange (Negotiates session parameters for the authentication header and ESP.
L2F: Layer 2 Forwarding; a tunneling protocol from Cisco. L2TP: Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP) used to enable a virtual private network (VPN) over the Internet.
Outer Tunnel Address: The IP address associated with a PPTP or L2TP connection within which the client traffic is encapsulated. This address will always be a NAT'ed address, regardless of the group NAT settings.
Session redirectors: Client TCP and UDP sessions can be redirected from their original destination IP address or port. SNMP: Simple Network Management Protocol - The network management protocol of most modern TCP/IP-based networks.
tcpdump: A program that prints out the headers of packets on a network interface that match specified filtering criteria.
Web server: Network host that acts as an HTTP server; a computer that provides World Wide Web services on the Internet; it includes the hardware, operating system, Web server software, TCP/IP protocols, and the Web site content (Web pages).
XML-RPC: XML-RPC is designed to be a simple procedural way for a client program to make function requests of another program. It provides similar functionality to SOAP, but is more limited and, generally, much simpler to use.
INDEX OF COMMANDS
A
add snmpmanager <hostname> | <ip-address> [/<mask>] A-35
add snmptrapreceiver <ip-address> ...
delete policyadmin <login> A-5
delete snmpmanager all | <hostname> | <ip-address> [/<mask>] ...
remote upgradecheck <ip-address> <url> A-21
remote upgradereboot <ip-address> <url> <key> ...
set syslogserver <ip-address> [<facility>] A-17
set timezone <general-tz> <specific-tz> ...
T
traceroute {<ip-address> | <hostname>} [<hops> [<probes> [<probewait>]]] ...
INDEX
Numerics
802.1Q VLAN tag
  specifying in Access Policy 4-46
  specifying in Connection Profile 4-33
802.1x
  configuring as authentication service 5-16
  configuring RADIUS for 5-17
  monitored logon 5-3
802.2 protocol 6-24
802...
  changing username/password on Integrated Access Manager 6-10
  changing username/password on Integrated System 6-12
  default name and password 2-4
  logging in as 2-4
  logging o...
browser-based logon 1-3, 5-2
Built-in authentication service 5-2
built-in database 4-16
  adding Access Points 4-22
  adding users 4-17
  network equipment 4-21
  retrieving M...
Ethernet bridging, enabling 6-24
Expire timer, See reauthentication timeout
export rights 5-50
External 4-51
external identity retrieval 5-28
F
Failover, See Access Control Server redundancy
filters
  display filters 2-12
folders
  creating or editing 6-13
  selecting for an Access Controller 6-12
  vs...
LDAP service
  authentication troubleshooting D-2
  configuring for authentication 5-9
  configuring MAC address retrieval 4-26
  non-user binding 5-10
  retrieving MAC address us...
P
password
  changing for administrator 2-5
  troubleshooting D-1
PDAs
  logon page options 5-33
peer Access Control Server
  configuring peer name 6-6
  deleting 6-7
PKI
  configuri...
syslog server, configuring 9-5
Session Logs
  log entry format 9-6
  viewing 9-6
session status
  filtering display 3-13
Settings tab
  in a Connection Profile 4-32
  in Access Policy 4-4...
V
Verify via DNS
  HTTP proxy filter option 4-78
Virtual LANs (VLANs) 1-6, 2-24
  and IP addressing 2-26
  and the 700wl system, overview 2-24
  specifying tag in Access Poli...
© Copyright 2003 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.