EAD Security Check Configuration Examples

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained
herein is subject to change without notice. The only warranties for HP products and services are
set forth in the express warranty statements accompanying such products and services. Nothing
herein should be construed as constituting an additional warranty. HP shall not be liable for
technical or editorial errors or omissions contained herein.
Contents
Introduction
Prerequisites
Example: Configuring EAD to perform security check for access users
  Network requirements
  Requirements analysis
  Software version used
  Configuration restrictions and guidelines
  Configuring check items
    Configuring URL control
    Configuring PC software control
    Configuring an anti-virus software policy for Symantec
  Configuring a security level
  Configuring a security policy
  Associating the security policy with an access service
  Assigning the access service to an access user
  Adding the switch to UAM as an access device
  Configuring the switch
  Verifying the configuration
    Triggering 802.1X authentication
    Verifying the URL control policy
    Verifying PC software control groups
    Verifying anti-virus software control
Introduction
This document provides examples for configuring EAD to work with UAM to perform security check for
endpoint users.
The examples apply to scenarios that provide endpoint users with security policy services typically on an
enterprise network or campus network.
Prerequisites
Before you configure the EAD security policy, make sure that:
• The PC, the switch, and IMC can communicate with each other.
• The iNode client has been installed on the PC.
• The switch supports 802.1X.
Example: Configuring EAD to perform security check for access users
Network requirements
As shown in Figure 1, UAM and EAD components are deployed on the same server at 192.168.0.87. An
endpoint user attempts to access the network by using an 802.1X connection in the iNode client on a
Windows PC.
The switch manages the 802.1X user in an ISP domain named 391 and includes the domain name in the
user names that are sent for authentication.
The user accesses the network by using an account named qwert001.
To enhance security, configure EAD to work with UAM to do the following:
• Prevent the endpoint user from accessing the IP URLs 192.168.1.163 and 192.168.1.164, which contain sensitive data.
• Check whether AccChecker is running on the PC. If it is not running, EAD immediately restricts the user to a quarantine network for remediation.
• Check whether XDict is running on the PC. If it is running, EAD immediately logs out the endpoint user.
• Check whether Symantec is running and whether its anti-virus engine and virus definition versions meet the policy. If not, the iNode client immediately restricts the user to a quarantine network for remediation.
• Monitor the endpoint in real time. If a violation is detected, the endpoint user is given 10 minutes to fix it.
Figure 1 Network diagram
Requirements analysis
To manage the 802.1X user in the ISP domain 391, complete the following configurations:
• On UAM, configure the service suffix as 391 for the access service to be assigned to the access user account qwert001.
• On the switch, configure the ISP domain 391 for LAN access users and configure the user-name-format with-domain command in the RADIUS scheme.
• In the iNode client running on the PC, create an 802.1X connection that uses the account name qwert001@391 for authentication.
Software version used
This configuration example was created and verified on the following:
• IMC UAM 7.0 (E0103)
• IMC EAD 7.0 (E0103)
• S7502E Comware Software, Version 5.20, Release 6701P01
• iNode PC 7.0 (E0102)
Configuration restrictions and guidelines
When you add the switch to UAM as an access device, follow these restrictions and guidelines:
• Make sure the parameters you configure for the access device in UAM are the same as the CLI configuration on the switch, such as the authentication and accounting ports and the shared key.
• If you want to select the switch from the resource pool as an access device, make sure it is already added to the IMC Platform manually or through auto discovery.
Configuring check items
A security policy includes one or more security check items. This example uses the following check items:
URL control, PC software control, and anti-virus software control.
Configuring URL control
Adding the forbidden URLs to a URL group
You can add IP URL groups, domain URL groups, or both. This example uses IP URL groups.
To add an IP URL group:
1. Click the User tab.
2. From the navigation tree, select User Security Policy > Endpoint Access Control > IP URL Group.
The IP URL group list displays all IP URL groups.
3. Click Add.
The Add IP URL Group page appears.
4. Configure basic information about the IP URL group, as shown in Figure 2:
a. In the IP URL Group Name field, enter test_01.
b. Use the default settings of other parameters in the Basic Information area.
Figure 2 Adding an IP URL group
5. Configure IP URL items as shown in Figure 3:
a. In the IP URL Item List area, click Add.
The Add IP URL Item window appears.
b. Enter 192.168.1.163 and 192.168.1.164 in the Start IP and End IP fields, respectively.
c. Click OK.
6. Click OK.
Figure 3 Adding an IP URL item
Configuring a URL control policy
1. Click the User tab.
2. From the navigation tree, select User Security Policy > Endpoint Access Control > URL Control Policy.
The URL control policy list displays all URL control policies.
3. Click Add.
The Add URL Control Policy page appears.
4. Configure basic information about the URL control policy as shown in Figure 4:
a. In the URL Control Policy Name field, enter test_URL.
b. Use the default settings of other parameters in the Basic Information area.
Figure 4 Adding a URL control policy
5. Configure IP URL check items as shown in Figure 5:
a. In the IP URL Check Item List area, click Add.
The Add IP URL Group window appears.
b. Select test_01 from the IP URL Group Name list and select Deny from the Action list.
c. Click OK.
6. Click OK.
Figure 5 Adding the URL Group
Configuring PC software control
This example uses MD5 to check software processes.
Calculating MD5 digests for AccChecker and XDict
1. Click the User tab.
2. From the navigation tree, select User Security Policy > Software Control Group > PC Software.
The PC Software page appears, as shown in Figure 6.
Figure 6 PC Software management page
3. Click the MD5 Tool link in the PC software control group list to download the MD5 tool and store it locally.
4. Double-click FileMD5Digest.exe in the local path to run the MD5 tool.
5. In the MD5 Digest Calculator window, as shown in Figure 7, do the following:
a. Click Select Executable File and browse to the file AccChecker.exe.
b. Click Calculate MD5 Digest to calculate the MD5 digest for AccChecker.
c. Click Copy to copy the MD5 digest to the clipboard.
d. Click Close.
6. Calculate the MD5 digest for XDict in the same way you calculate the MD5 digest for AccChecker.
A digest identifies one exact build of the executable. Whenever the software is updated, recalculate the digest and update the control group, or the check will fail for every endpoint running the new build.
Figure 7 Calculating the MD5 digest for AccChecker
Configuring PC software control groups for AccChecker and XDict
1. Click the User tab.
2. Select User Security Policy > Software Control Group > PC Software from the navigation tree.
The PC Software page appears.
3. Click Add.
The Add PC Software page appears.
4. Configure PC software control group parameters as shown in Figure 8:
a. In the Group Name field, enter AccChecker.exe.
b. From the Type list, select Process.
c. In the Description field, enter AccChecker.
d. From the Default Action for Check Failure list, select Isolate.
e. Use the default settings of other parameters.
Figure 8 Adding a PC software control group
5. In the Process Information area, click Add, and configure the process parameters in the Add Process window as shown in Figure 9:
a. In the Process Name field, enter AccChecker.exe.
b. From the Operating System list, select Windows.
c. From the Check Type list, select MD5.
d. In the MD5 Digest field, paste the MD5 digest calculated previously.
e. Use the default settings of other parameters.
f. Click OK.
Figure 9 Adding a process
6. Click OK.
7. Add a PC software control group named XDict.exe for XDict in the same way you add the PC software control group for AccChecker.
Configuring an anti-virus software policy for Symantec
1. Click the User tab.
2. From the navigation tree, select User Security Policy > Security Software Policy > Anti-Virus Software Policy.
The anti-virus software policy list displays all anti-virus software policies.
3. Click Add.
The Add Anti-Virus Software Policy page appears.
4. Configure the basic information for the anti-virus software policy as shown in Figure 10:
a. In the Policy Name field, enter test_Anti-Virus.
b. Use the default settings of other parameters.
Figure 10 Adding anti-virus software policy
5. In the Windows area, select Check and click the Modify icon for Symantec, as shown in Figure 11.
The Anti-Virus Software Settings window appears.
Figure 11 Selecting an anti-virus software
6. Configure anti-virus software parameters as shown in Figure 12:
a. In the Anti-Virus Software field, enter Symantec.
b. Select Check anti-virus engine version and select an anti-virus engine version format. This example uses Date or Dotted format.
c. Select a version check mode from the Version Check Mode list: Specified Version or Auto Adaptive.
− Specified Version—The version check passes if the installed version is the specified lowest version or higher. Otherwise, the version check fails.
When the version check mode is Specified Version and the version format is Date format, either enter the date manually or click the Calendar icon next to the Lowest Version of Anti-Virus Engine field to select a date.
When the version check mode is Specified Version and the version format is Dotted format, enter the version in the Lowest Version of Anti-Virus Engine field.
− Auto Adaptive—The version check passes if the version has been updated within the adaptation period. Otherwise, the version check fails.
When the version check mode is Auto Adaptive and the version format is Date format, enter the adaptation period in the Adaptation Period (in days) field.
d. Select Check virus definition version and configure the virus definition version parameters in the same way you configure the anti-virus engine version parameters.
e. Click OK.
7. Click OK.
Figure 12 Configuring anti-virus software parameters
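The two version check modes described above are easy to get wrong when reproduced in a script or a custom compliance check, so the following Python example, added here and not part of the original document or of the IMC product, models them: dotted versions are compared field by field rather than as strings, date versions are compared as dates, and Auto Adaptive measures the age of the reported version against the adaptation period. The SYMANTEC_POLICY values, the YYYY-MM-DD date layout, the report format, the mapping of a non-running client to the Anti-Virus Client Runtime Error outcome, and the assumption that a version equal to the lowest version passes are all constructed for this example.

```python
from datetime import date, timedelta


def parse_dotted(version):
    """Turn a dotted version such as "14.3.9" into a tuple of ints.

    Comparing the raw strings would rank "14.10.0" below "14.9.0"; tuples
    compare field by field, which is what a "lowest version" check needs.
    """
    return tuple(int(part) for part in version.strip().split("."))


def parse_date(text):
    """Parse a date-format version. The YYYY-MM-DD layout is an assumption."""
    return text if isinstance(text, date) else date.fromisoformat(text)


def check_version(installed, version_format, mode, lowest=None,
                  adaptation_days=None, today=None):
    """Return True when the reported version passes the configured check.

    version_format: "dotted" or "date"
    mode: "specified" (Specified Version) or "adaptive" (Auto Adaptive)
    lowest: Lowest Version field, same format as installed (Specified Version)
    adaptation_days: Adaptation Period (in days) field (Auto Adaptive)
    today: reference date, passed in so results are reproducible
    """
    if not installed:
        return False  # no version reported: fail closed
    if mode == "specified":
        if lowest is None:
            raise ValueError("Specified Version needs a lowest version")
        if version_format == "dotted":
            # Assumption: a version equal to the lowest version passes.
            return parse_dotted(installed) >= parse_dotted(lowest)
        if version_format == "date":
            return parse_date(installed) >= parse_date(lowest)
        raise ValueError("unknown version format: %r" % version_format)
    if mode == "adaptive":
        if version_format != "date" or adaptation_days is None:
            raise ValueError("Auto Adaptive needs the date format and a period")
        today = parse_date(today) if today else date.today()
        # Passes when the version was updated within the adaptation period.
        return today - parse_date(installed) <= timedelta(days=adaptation_days)
    raise ValueError("unknown version check mode: %r" % mode)


# Constructed policy in the spirit of test_Anti-Virus: engine checked against
# a fixed lowest dotted version, definitions required to be at most 7 days old.
SYMANTEC_POLICY = {
    "engine": {"format": "dotted", "mode": "specified", "lowest": "14.0.0"},
    "definitions": {"format": "date", "mode": "adaptive", "period": 7},
}

# Outcome names match the lists in the security level's Check Anti-Virus
# Software area; "pass" is this example's name for the clean result.
NOT_INSTALLED = "Anti-Virus Software Not Installed"
RUNTIME_ERROR = "Anti-Virus Client Runtime Error"
OLD_ENGINE = "Old Anti-Virus Software/Engine Version"
OLD_DEFINITIONS = "Old Virus Definition Version"


def evaluate_av(report, policy=SYMANTEC_POLICY, today=None):
    """Map an endpoint's anti-virus report to one EAD check outcome.

    report: None when no anti-virus software is installed, otherwise a dict
    with "running", "engine" and "definitions" keys (constructed format).
    Mapping a non-running client to the runtime error outcome is an assumption.
    """
    if report is None:
        return NOT_INSTALLED
    if not report.get("running"):
        return RUNTIME_ERROR
    eng = policy["engine"]
    if not check_version(report.get("engine"), eng["format"], eng["mode"],
                         eng.get("lowest"), eng.get("period"), today):
        return OLD_ENGINE
    defs = policy["definitions"]
    if not check_version(report.get("definitions"), defs["format"], defs["mode"],
                         defs.get("lowest"), defs.get("period"), today):
        return OLD_DEFINITIONS
    return "pass"


if __name__ == "__main__":
    fresh = {"running": True, "engine": "14.2.1", "definitions": "2014-06-10"}
    stale = {"running": True, "engine": "12.1.0", "definitions": "2014-06-10"}
    print(evaluate_av(fresh, today="2014-06-15"))  # pass
    print(evaluate_av(stale, today="2014-06-15"))  # Old Anti-Virus Software/Engine Version
```

The numeric comparison is the point to take away: a string comparison of "14.10.0" against a lowest version of "14.9.0" reports a current engine as out of date, and the reverse mistake lets an old engine pass.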
Configuring a security level
1. Click the User tab.
2. Select User Security Policy > Security Level from the navigation tree.
The Security Level List displays all security levels.
3. Click Add.
The Add Security Level page appears.
4. In the Basic Information area, enter test_Level in the Security Level Name field (see Figure 13).
5. Leave the Action After field empty, as shown in Figure 13. The Action After field takes effect only for the Isolate and Kick Out actions configured for check items. When it is empty and a violation is detected, the iNode client isolates or logs out the endpoint user immediately.
Figure 13 Configuring the basic information
6. In the Check PC Software Control area, select Isolate for the PC software control group AccChecker.exe and select Kick Out for the PC software control group XDict.exe, as shown in Figure 14.
Figure 14 Configuring PC software control
7. In the Check Anti-Virus Software area, select Isolate from the Anti-Virus Software Not Installed, Anti-Virus Client Runtime Error, Old Anti-Virus Software/Engine Version, and Old Virus Definition Version lists, as shown in Figure 15.
Figure 15 Configuring anti-virus software check
8. Use the default settings of other areas.
9. Click OK.
Configuring a security policy
1. Click the User tab.
2. Select User Security Policy > Security Policy from the navigation tree.
The security policy list displays all security policies.
3. Click Add.
The Add Security Policy page appears.
4. In the Basic Information area, configure basic information parameters as shown in Figure 16:
a. In the Policy Name field, enter test_EAD.
b. Select test_Level from the Security Level list.
c. Select Monitor in Real Time and enter 10 in the Process After field, so that a user who violates the policy after passing the initial check has 10 minutes to fix it.
d. Use the default settings of other parameters.
Figure 16 Configuring basic information
5. In the Isolation Mode area, configure isolation mode parameters as shown in Figure 17:
a. Select Configure Isolate Mode.
b. Select Deploy ACLs to Access Device.
c. In the For Non-HP ProCurve area, enter 3021 in the Security ACL field and 3020 in the Isolation ACL field. Both ACLs must exist on the switch with these numbers (see Configuring the switch); UAM only tells the switch which ACL to apply.
d. Use the default settings of other parameters.
Figure 17 Configuring the isolate mode
6. In the URL Control area, configure URL control parameters as shown in Figure 18:
a. Select Enable URL Access Control.
b. Select test_URL from the URL Control Policy list.
c. Use the default settings of other parameters.
Figure 18 Configuring URL control
7. In the PC Software Control area, configure PC software control parameters as shown in Figure 19:
a. Select Check PC Software Control.
b. Select AccChecker.exe and select Running Required from the Check Type list.
c. Select XDict.exe and select Running Forbidden from the Check Type list.
d. In the Server Address field, enter 192.168.0.87.
e. In the Failure Notification field, enter the notification message to be displayed on the user endpoint when PC software does not meet the requirements.
Figure 19 Configuring PC software control
8. In the Anti-Virus Software Control area, configure anti-virus software control parameters as shown in Figure 20:
a. Select Check Anti-Virus Software.
b. Select test_Anti-Virus from the Anti-Virus Software Policy list.
c. In the Server Address field, enter 192.168.0.87.
d. In the Failure Notification field, enter the notification message to be displayed on the user endpoint when the anti-virus software does not meet the requirements.
Figure 20 Configuring anti-virus software control
9. Use the default settings of other areas.
10. Click OK.
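To make the interaction between check type (Running Required or Running Forbidden), MD5 digest, and security level action concrete, the following Python example, added here and not part of the original document or of the iNode/UAM software, simulates the decision the client reaches after the PC software check: a Running Required group fails when no running process has both the group's name and its digest, a Running Forbidden group fails when any running process has the forbidden digest, and the most severe failing action wins. The process list, the stand-in executable bytes whose MD5 is computed at run time, the matching rules, and the mapping of the outcome to the security ACL 3021 and isolation ACL 3020 are constructed assumptions of this example.

```python
import hashlib

# Constructed stand-ins for the two executables. Their MD5 digests are
# computed at run time, so the example needs no real binaries.
FAKE_ACCCHECKER = b"AccChecker.exe build 7.0 (constructed sample bytes)"
FAKE_XDICT = b"XDict.exe build 1.0 (constructed sample bytes)"


def md5_digest(data):
    """Hex MD5 of a file's bytes, the value the MD5 Tool reports."""
    return hashlib.md5(data).hexdigest()


# PC software control groups as entered in UAM: check type from the security
# policy, action from the security level, digest from the MD5 Tool.
CONTROL_GROUPS = {
    "AccChecker.exe": {"check": "Running Required", "action": "Isolate",
                       "md5": md5_digest(FAKE_ACCCHECKER)},
    "XDict.exe": {"check": "Running Forbidden", "action": "Kick Out",
                  "md5": md5_digest(FAKE_XDICT)},
}

# Kick Out (logout) outranks Isolate (quarantine), which outranks a pass.
SEVERITY = {"Pass": 0, "Isolate": 1, "Kick Out": 2}

# ACL the security policy has UAM deploy to the switch for each outcome
# (3021 = security ACL, 3020 = isolation ACL). A kicked-out user has no
# session, so no ACL applies.
ACL_FOR_ACTION = {"Pass": 3021, "Isolate": 3020}


def evaluate_processes(running, groups=CONTROL_GROUPS):
    """Evaluate the endpoint's process list against the control groups.

    running: list of (process name, executable bytes) on the endpoint
    Returns (overall action, names of failed groups).

    Design choices of this example (assumptions, not necessarily iNode's):
    a Running Required group is satisfied only by a process with the right
    name AND digest, so a renamed or modified binary does not count; a
    Running Forbidden group fails on any process with the forbidden digest,
    whatever it is named, so renaming the binary does not evade the check.
    """
    digests_by_name = {}
    all_digests = set()
    for name, data in running:
        digest = md5_digest(data)
        digests_by_name.setdefault(name.lower(), set()).add(digest)
        all_digests.add(digest)

    failed = []
    for name, group in groups.items():
        if group["check"] == "Running Required":
            if group["md5"] not in digests_by_name.get(name.lower(), set()):
                failed.append(name)
        elif group["check"] == "Running Forbidden":
            if group["md5"] in all_digests:
                failed.append(name)
        else:
            raise ValueError("unknown check type: %r" % group["check"])

    worst = "Pass"
    for name in failed:
        action = groups[name]["action"]
        if SEVERITY[action] > SEVERITY[worst]:
            worst = action
    return worst, failed


def acl_to_deploy(action):
    """ACL number UAM would assign for the outcome, or None for Kick Out."""
    return ACL_FOR_ACTION.get(action)


if __name__ == "__main__":
    # Compliant endpoint: AccChecker running, XDict absent.
    print(evaluate_processes([("AccChecker.exe", FAKE_ACCCHECKER)]))
    # AccChecker missing and XDict running under another name: Kick Out wins.
    print(evaluate_processes([("notepad.exe", FAKE_XDICT)]))
```

The digest comparison is what gives the check its value: a process merely named AccChecker.exe does not satisfy the required group, and the result feeds straight into which of the two ACLs the switch enforces for the session.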
Associating the security policy with an access service
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Access Service.
The Access Service configuration page appears.
3. In the access service list, click Add.
The Add Access Service page appears.
4. Configure access service parameters as shown in Figure 21:
a. In the Service Name field, enter test_service.
b. In the Service Suffix field, enter 391.
c. From the Default Security Policy list, select test_EAD.
d. Use the default settings of other parameters.
5. Click OK.
Figure 21 Adding an access service
Assigning the access service to an access user
1. Click the User tab.
2. From the navigation tree, select Access User > All Access User.
The access user management page appears.
3. Click Add.
The Add Access User page appears.
4. Configure access user parameters as shown in Figure 22:
a. In the User Name field, click Select to select an existing user account from the IMC Platform, or click Add User to add a new IMC Platform user. (Details not shown.) This example uses a user named test.
b. In the Account Name field, enter qwert001.
c. Enter the same password in the Password and Confirm Password fields. This example uses 234, which is for illustration only; use a password that meets your organization's policy.
d. In the Access Service area, select the service named test_service.
e. Use the default settings of other parameters.
5. Click OK.
Figure 22 Adding an access user
Adding the switch to UAM as an access device
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Access Device Management > Access Device.
The Access Device configuration page appears.
3. In the access device list, click Add.
The Add Access Device page appears.
4. Configure access device parameters as shown in Figure 23 and Figure 24:
a. In the Authentication Port field, enter 1812.
b. In the Accounting Port field, enter 1813.
c. In the Shared Key field, enter 123 as the RADIUS shared key used by the access device and UAM to authenticate each other. The value 123 is for illustration only; in production, use a long random key, because RADIUS hides the user password and authenticates server responses only as strongly as this key.
d. Use the default settings of other parameters in the Access Configuration area.
Figure 23 Adding an access device
5. Add the switch to UAM as shown in Figure 24:
a. In the Device List area, click Add Manually.
b. In the Add Access Device Manually window that appears, enter 192.168.30.50 in the Start IP field.
c. Click OK.
You can also click Select to select the switch from the resource pool. (Details not shown.)
6. Click OK.
Figure 24 Adding an access device manually
Configuring the switch
1. Log in to the switch through Telnet and enter system view.
2. Configure a RADIUS scheme.
# Create a RADIUS scheme named 390.
<Device> system-view
[Device] radius scheme 390
# Specify the IP address of the UAM server as the primary authentication server and the primary accounting server. Set the ports for authentication and accounting to 1812 and 1813, respectively.
[Device-radius-390] primary authentication 192.168.0.87 1812
[Device-radius-390] primary accounting 192.168.0.87 1813
# Set the shared key for secure communication with the server to 123 in plain text.
[Device-radius-390] key authentication 123
[Device-radius-390] key accounting 123
# Specify the source IP address for outgoing RADIUS packets.
[Device-radius-390] nas-ip 192.168.30.50
# Specify the RADIUS server type as extended to support UAM.
[Device-radius-390] server-type extended
# Include domain names in the usernames to be sent to the RADIUS servers.
[Device-radius-390] user-name-format with-domain
[Device-radius-390] quit
3. Configure an ISP domain.
# Create an ISP domain named 391.
[Device] domain 391
# Configure the switch to use the authentication, authorization, and accounting methods in RADIUS scheme 390 for LAN access (802.1X) users in the domain. Accounting also uses the lan-access method, so that UAM receives accounting for the 802.1X session and can track the online user.
[Device-isp-391] authentication lan-access radius-scheme 390
[Device-isp-391] authorization lan-access radius-scheme 390
[Device-isp-391] accounting lan-access radius-scheme 390
[Device-isp-391] quit
4. Configure 802.1X authentication.
# Enable 802.1X globally.
[Device] dot1x
# Enable 802.1X on port Ethernet 1/0/3.
[Device] dot1x interface Ethernet 1/0/3
5. Configure ACLs.
# Create ACL 3020, the isolation ACL, to permit only packets destined for the IMC server at 192.168.0.87 and deny everything else. If remediation needs other hosts, such as an anti-virus update server, add permit rules for them before the deny rule.
[Device] acl number 3020
[Device-acl-adv-3020] rule 1 permit ip destination 192.168.0.87 0
[Device-acl-adv-3020] rule 2 deny ip
[Device-acl-adv-3020] quit
# Create ACL 3021, the security ACL, to permit all packets.
[Device] acl number 3021
[Device-acl-adv-3021] rule 1 permit ip
[Device-acl-adv-3021] quit
Verifying the configuration
Triggering 802.1X authentication
1. In the iNode client on the PC, create an 802.1X connection named My 802.1X Connection and configure account parameters as shown in Figure 25:
a. In the Username field, enter qwert001@391.
b. In the Password field, enter the password that you specified when you added the access user (234 in this example).
c. Use the default settings of other parameters.
For more information about creating 802.1X connections, see iNode Client Online Help.
Figure 25 Creating an 802.1X connection
2. Trigger 802.1X authentication:
a. On the iNode client, double-click My 802.1X Connection.
The 802.1X authentication connection window appears, as shown in Figure 26.
Figure 26 802.1X authentication connection
b. Click Connect.
The iNode client begins to authenticate the identity of the endpoint user. When the identity
authentication is complete, the iNode client begins to perform security check for the endpoint user.
The check results are displayed in the Authentication Information area, as shown in Figure 27.
Figure 27 Authentication information
Verifying the URL control policy
In a browser on the PC, enter http://192.168.1.163:8080/imc in the address bar.
The iNode client displays a message that access to 192.168.1.163 is prohibited, as shown in Figure 28.
Figure 28 Access prohibited information
Verifying PC software control groups
1. Trigger 802.1X authentication without running AccChecker. The following occur:
− The iNode client displays the check failure message in the Authentication Information area, as shown in Figure 29.
− The endpoint user is restricted to a quarantine area, and the security check details page appears as shown in Figure 30.
Figure 29 PC software control group check failed
Figure 30 Security check result details page
2. Disconnect the 802.1X connection. Run XDict and trigger 802.1X authentication. The following occur:
− The iNode client displays the check failure message in the Authentication Information area, as shown in Figure 31.
− The endpoint user is logged out, and the security check details page appears as shown in Figure 32.
Figure 31 PC software control group check failed
Figure 32 Security check result details page
Verifying anti-virus software control
1. Run Symantec without updating the anti-virus engine. Make sure the version of the anti-virus engine is lower than the lowest version required by EAD.
For more information about configuring the lowest version of the anti-virus engine, see Configuring an anti-virus software policy for Symantec.
2. Trigger 802.1X authentication. The following occur:
− The iNode client displays the check failure message in the Authentication Information area, as shown in Figure 33.
− The endpoint user is restricted to a quarantine area, and the security check details page appears as shown in Figure 34.
Figure 33 Anti-virus software check failed
Figure 34 Security check result