Access Control Concepts

ProCurve NAC 800

Note: By default the NAC 800 intercepts all DHCP requests. In a network that uses DHCP relay, however, you can configure the NAC 800 to respond to only those requests with source IP addresses in the quarantine and non-quarantine subnets. (The source IP address originates from the DHCP relay device; the endpoint, of course, does not yet have one.)

5. Initially, an endpoint has the Unknown posture. The NAC 800 sends a DHCP reply that has a configuration for the quarantine subnet.

Note: The actual process differs slightly depending on whether your network implements DHCP relay. The NAC 800 immediately replies to a broadcast DHCP request. On the other hand, it simply drops a relayed request destined to the network DHCP server. The DHCP relay device then sends a DHCP request to the NAC 800’s IP address (which is configured as a secondary helper address). The NAC 800 replies to that request.

6. The NAC 800 (or one of the NAC 800s in a cluster) tests the endpoint, and the endpoint gains a new posture.

7. If the endpoint has proven to be Healthy (or granted the Check-up posture):

a. The NAC 800 forces it to release the address in the quarantine subnet.

b. The endpoint again sends a DHCP request.

c. The NAC 800 intercepts the request, but because the endpoint has the Healthy or Check-up posture, the NAC 800 forwards the request to the network DHCP server.

d. The DHCP server replies, sending the endpoint an IP address in one of the network’s normal user VLANs.

8. If the endpoint is assigned the Quarantine or Infected posture, the NAC 800 continues to respond to its DHCP requests with an IP address in the quarantine subnet.
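As an added illustration (not code from the manual or from the NAC 800 itself), the following Python model traces the decision flow of steps 5 through 8 together with the relay handling described in the notes above. The subnets, the NAC, DHCP server and relay addresses, and the action strings are constructed assumptions chosen only to make the trace readable.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing (not from the manual)
QUARANTINE_SUBNET = ip_network("192.168.1.0/24")
NON_QUARANTINE_SUBNET = ip_network("10.1.0.0/16")
NAC_IP = "10.1.0.9"           # NAC 800 address, configured as secondary helper address
DHCP_SERVER_IP = "10.1.0.5"   # the network's real DHCP server
RELAY_IP = "10.1.20.1"        # DHCP relay device on the endpoint's VLAN

@dataclass
class DhcpRequest:
    client_mac: str
    relayed: bool = False            # True when a DHCP relay agent forwarded it
    src_ip: str = "0.0.0.0"          # relay agent's address; the endpoint has none yet
    dst_ip: str = "255.255.255.255"  # broadcast, or the helper address the relay used

def handle_request(req, postures, relay_filter=False):
    """What the NAC does with one DHCP request (model of steps 5-8 above)."""
    if req.relayed:
        if relay_filter and not any(ip_address(req.src_ip) in n for n in
                                    (QUARANTINE_SUBNET, NON_QUARANTINE_SUBNET)):
            return "ignore"   # optional filter: only serve the two configured subnets
        if req.dst_ip == DHCP_SERVER_IP:
            return "drop"     # copy aimed at the real server; relay also sends one to NAC_IP
    posture = postures.get(req.client_mac, "Unknown")
    if posture in ("Healthy", "Check-up"):
        return "forward to network DHCP server"   # endpoint gets a normal user VLAN address
    return "reply with quarantine-subnet lease"   # Unknown, Quarantine or Infected

def request_cycle(mac, postures, relayed):
    """One DHCP request as the NAC sees it; a relay sends a copy to each helper address."""
    if not relayed:
        return [handle_request(DhcpRequest(mac), postures)]
    copies = [DhcpRequest(mac, True, RELAY_IP, DHCP_SERVER_IP),
              DhcpRequest(mac, True, RELAY_IP, NAC_IP)]
    return [handle_request(c, postures) for c in copies]

def onboard(mac, test_result, relayed=False):
    """Trace an endpoint from its first request through testing to its post-test request."""
    postures = {}                                              # NAC starts with no posture
    events = request_cycle(mac, postures, relayed)            # step 5: Unknown -> quarantine
    postures[mac] = test_result                                # step 6: endpoint tested
    if test_result in ("Healthy", "Check-up"):
        events.append("force release of quarantine address")  # step 7a
    events += request_cycle(mac, postures, relayed)           # steps 7b-d, or step 8
    return events
```

Running `onboard("00:11:22:33:44:55", "Healthy", relayed=True)` shows the dropped server-bound copy, the quarantine lease, the forced release, and finally the forwarded request that yields a normal user VLAN address.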

Establishing the Quarantine Subnet. Some network access controllers quarantine endpoints completely: they assign endpoints IP addresses in a subnet that does not exist in the private network. For example, a network uses the 10.1.0.0/16 range, and the quarantine subnet is 192.168.1.0/24. Should a quarantined user attempt to reach a resource on the network, network devices see the invalid IP address and drop the traffic. The problem with this approach is that users cannot reach any resources—including those that help them become compliant.

HP Access Control Client Software manual