Access Control Concepts

ProCurve NAC 800

6. If the credentials are correct, IAS contacts the NAC 800 and requests the endpoint’s integrity posture. (You can learn how to configure the IAS server to do so in the ProCurve Access Control Implementation Guide.)

7. Initially, the posture is Unknown. IAS calls the SAIASConnector (a file installed on the IAS server). The connector should contain a policy that associates the Unknown posture with a test VLAN. IAS sends this VLAN assignment to the PEP.

8. Detecting the endpoint that has been placed on the test VLAN, the NAC 800 begins to check its compliance with NAC policies.

The NAC 800 needs to receive mirrored DHCP traffic on its port 2 to detect the endpoint.

Note

In a cluster of ESs, any ES can test the endpoint; they share information with each other.

9. When the testing is completed, the endpoint has gained a new posture. The NAC 800 sends a message to the PEP to force the user to reauthenticate.

10. Steps 2 to 7 repeat. Now, however, the user is assigned to a new VLAN based on the endpoint’s new posture:

If the endpoint has the Healthy posture (complies with your policies) or the Check-up posture (granted temporary access), the user receives his or her normal dynamic VLAN assignment.

If, on the other hand, the endpoint has the Quarantine or Infected posture, the user is placed in the quarantine or infected VLAN.

Network access in the quarantine and infected VLANs is limited, typically to remediation services, in one or several of these ways:

The endpoint is assigned (via dynamic settings) a rate limit and list of accessible resources.

The NAC 800 acts as the endpoint’s DNS server and redirects the user’s Web browser away from all sites (except a limited list of accessible services).

Network infrastructure devices might impose static ACLs on the quarantine VLAN.
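Step 8 relies on the NAC 800 seeing mirrored DHCP traffic to notice an endpoint that has just landed on the test VLAN. The following is an added illustration of that detection logic, not code from the guide or from the NAC 800 itself: it parses a BOOTP/DHCP message, and treats a client DISCOVER or REQUEST from a MAC address it has not seen before as a new endpoint to test. The packet builder, MAC addresses and the "DISCOVER/REQUEST only" rule are assumptions made for the example.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 7: "RELEASE"}

def parse_dhcp(payload: bytes) -> dict:
    """Parse a BOOTP/DHCP message (UDP payload); ValueError if malformed."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen = struct.unpack_from("!BBB", payload, 0)
    if hlen > 16:
        raise ValueError("bad hlen")
    chaddr = payload[28:28 + hlen].hex(":")          # client hardware address
    opts, i, msgtype = payload[240:], 0, None
    while i < len(opts) and opts[i] != 255:          # 255 = end option
        if opts[i] == 0:                              # pad byte
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else None
        value = opts[i + 2:i + 2 + length] if length is not None else b""
        if length is None or len(value) != length:
            raise ValueError("truncated option")
        if opts[i] == 53 and length == 1:             # option 53: DHCP message type
            msgtype = MSG_TYPES.get(value[0], "type%d" % value[0])
        i += 2 + length
    return {"op": op, "chaddr": chaddr, "msgtype": msgtype}

def detect_new_endpoint(payload: bytes, seen: set):
    """Mimic step 8 (assumed rule): a client (op=1) DISCOVER/REQUEST from a MAC not in
    `seen` is a newly placed endpoint; returns its MAC, else None. Non-DHCP noise is ignored."""
    try:
        msg = parse_dhcp(payload)
    except ValueError:
        return None
    if msg["op"] != 1 or msg["msgtype"] not in ("DISCOVER", "REQUEST"):
        return None
    if msg["chaddr"] in seen:
        return None
    seen.add(msg["chaddr"])
    return msg["chaddr"]

def build_dhcp(msgtype: int, mac: bytes, op: int = 1) -> bytes:
    """Build a minimal DHCP message (constructed sample input, not a real capture)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x3903F326, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + DHCP_MAGIC + bytes([53, 1, msgtype, 255])
```

Feeding `build_dhcp(1, ...)` for a fresh MAC to `detect_new_endpoint` returns that MAC once; a second message from the same MAC, a server-side OFFER, or a non-DHCP payload returns None.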

1-47