Page 3 - Contents; About
Contents About This Guide Naming Conventions 7 Screen Shots 7 Conventions 8 Related Documentation 8 1 Introduction 3Com Network Access Manager Overview 9 3Com Network Access Manager User Interfaces 11 Users of 3Com Network Access Manager 11 Network Administrators 11 Network Operators 12 3Com EF...
Page 6 - A R
6 Case Study 4 - Hot Desking 81 Network Administrator Tasks 81 Network Operator Tasks 82 What Happens When A User Logs In 82 Case Study 5 - Removing Infected Devices From The Network 84 Network Administrator Tasks 84 When a PC needs to be isolated for the first time: 85 Network Operator Tasks 85 Wha...
Page 7 - Screen Shots
About This Guide This guide describes how to install and configure the 3Com Network Access Manager. This guide is intended for use by network administrators who are responsible for installing and setting up network equipment, and who are already familiar with configuring Microsoft’s Active Direct...
Page 8 - Conventions; Screen displays; User entry
Conventions Table 1 and Table 2 list conventions that are used throughout this guide. Related Documentation In addition to this guide, each 3Com Network Access Manager provides on-line help which can be accessed through the application. This guide contains the instructions you ...
Page 9 - Introduction
1 Introduction This chapter provides: ■ an overview of how 3Com Network Access Manager integrates with Microsoft’s IAS and Active Directory, ■ an explanation of Rules, Rule Priority and RADIUS response, ■ an explanation of 3Com Network Access Manager’s role in authentication and authorization, ■ a ...
Page 10 - Figure 1; 3Com Network Access Manager Integrated with IAS and Active; 3Com Network Access Manager is not a standalone RADIUS server.
■ Moving specific users or computers (e.g. a PC infected with a virus) into an isolated network. Figure 1 illustrates the integration of 3Com Network Access Manager with Microsoft's Internet Authentication Service (IAS) and Microsoft's Active Directory. Figure 1 3Com Net...
Page 11 - 3Com Network Access Manager Overview; creating the user group structure within Active Directory,
authorized computers or users that represent a security threat to the network. For example, a PC infected with a virus or a worm, or a user launching a DoS attack on the network. Further examples of how 3Com Network Access Manager can be used to improve the se...
Page 12 - adding computer MAC addresses,; Network Operators; Typical tasks for a network operator include specifying:
and are familiar with MAC addresses and IEEE 802.1X authentication. Typical tasks for a network administrator using 3Com Network Access Manager include: ■ editing security profiles for users, groups and computers to include VLAN, QoS profile and EFW policy information, ■...
Page 13 - 3Com EFW Policy; Recalculate EFW membership
3Com EFW Policy Support 3Com Network Access Manager provides support for 3Com EFW Policy Server v2.5, which adds the concept of user-based Embedded Firewall (EFW) policies rather than just NIC-based EFW policies. For example, the policy which is downloaded to ...
Page 15 - Concepts and Terminology; Remote Access Policy; Figure 2; Network Access Servers within a Domain; Rules
systems. As a RADIUS server, IAS performs centralized connection authentication, authorization, and accounting for network access servers (desktop switches and wireless access points acting as RADIUS clients), see Figure 2. Remote Access Policy For 3Com Network Access Man...
Page 16 - Rule Priority; The Default Rule always has the lowest priority.; Network Access Setting; A rule defines the Network Access as either:; RADIUS
Only one pre-defined rule, the Default Rule, is supplied as standard. The Default Rule is used whenever an authentication finds that a user, group or computer is not a member of any other rule. Further rules are added by the Network Administrator to implement the require...
Page 17 - MAC-address based Authentication
The two forms of RADIUS authentication supported by 3Com Network Access Manager are: ■ MAC-address based authentication, for example RADA (RADIUS Authenticated Device Access). ■ IEEE 802.1X authentication, also known as dot1X, 802.1X and Network Login. MAC-address based A...
Page 18 - Authorization; Devices Supported; Configuring Edge; RADA And Network Login; Table 3
Authorization Once a user has successfully authenticated, the authorization process determines which VLANs and QoS to return to the switch, as follows: 1 From the authentication rule selected, if any VLAN has been specified, return the VLAN ID in the RADIUS response. 2 F...
Page 19 - Table 4
Table 4 lists suitable edge port security modes and their typical use within a network. The case studies in Chapter 4 explain how these port security modes operate to control network access. Table 4 Edge Port Security Modes Compatible With 3Com Network Access Manager Port Securit...
Page 21 - how to install 3Com Network Access Manager,; Table 5
2 Installing 3Com Network Access Manager This chapter covers: ■ the operating systems and required PC configurations that are compatible with the 3Com Network Access Manager components, ■ the tasks that need to be performed before installing and running 3Com Network Access Manager, ■ how to ins...
Page 22 - Table 6
Table 6 lists the configuration requirements of PCs that will have 3Com Network Access Manager components installed. .NET Framework v1.1 is included as part of Windows Server 2003. For Windows 2000 and Windows XP Professional, you can check ...
Page 23 - Before Installation
Before Installation You must perform the following tasks on your network before installing and setting up 3Com Network Access Manager: 1 Install and configure Microsoft Internet Authentication Service (IAS), a Install IAS on one or more Windows 2000 servers or Windows 2003 ser...
Page 24 - Overview; 3Com Network Access Manager comprises five components:; New Installation; The changes that the Active Directory Server component
Installing 3Com Network Access Manager Follow the instructions in this section to install 3Com Network Access Manager. Overview 3Com Network Access Manager comprises five components: ■ Internet Authentication Server component consisting of a...
Page 25 - Installing 3Com Network Access Manager; Start; Figure 3; InstallShield Wizard
Follow these steps to install the 3Com Network Access Manager components: 1 Insert the 3Com Network Access Manager CD in the PC’s CDROM drive. If Autorun is enabled on the PC, the installation starts automatically and you can skip steps 2 and 3. 2 From the S...
Page 26 - Figure 4; End User Licence Agreement dialog
5 Select Next, the End User License Agreement will display, Figure 4. Figure 4 End User Licence Agreement dialog To continue the installation select I accept the terms of the license agreement, and press the Next button. Otherwise, select ...
Page 27 - Figure 5; Choose Destination Location; Next
Figure 5 Choose Destination Location 7 On the next dialog, Figure 6, select the 3Com Network Access Manager components to install on the PC. Ticked components will be installed. Un-ticked components will not be installed. The Next button will be grayed out u...
Page 28 - Figure 6; Component Selection; Install
Figure 6 Component Selection 8 On the next dialog, Figure 7, select Install to start the installation, or Back to return to the previous dialog.
Page 29 - Figure 7; Confirmation of Installation; Figure 8; Insufficient Disk Space Error Message; Wizard Complete
Figure 7 Confirmation of Installation 9 The Installer will check the hard disk space available on the PC. If sufficient disk space is available, the installer will install the components selected. If insufficient disk space is available, an error message is ...
Page 30 - Figure 9; Installation Complete; file will be created and the Wizard; Modifying and; From the
Figure 9 Installation Complete With the exception of installing the Active Directory component, any problems encountered during installation will result in an error message being displayed and the installation aborted. You will need to manua...
Page 31 - Maintenance; Maintenance dialog; Modify
4 The splash screen will display followed by the Maintenance dialog, see Figure 10. Figure 10 Maintenance dialog 5 Click on the Modify button to change the components installed on the PC. a The Select Components dialog will display. b Tick the components to ...
Page 32 - Maintenance Complete dialog; Click; Uninstalling 3Com; The configuration changes made by the Active Directory
on the Maintenance Complete dialog that the Active Directory components are already present in Active Directory. This will not affect Active Directory. Figure 11 Maintenance Complete dialog 7 Click Finish to exit the Maintenance program. If ...
Page 35 - This chapter describes:; User Interface; To display the Network Administrator's User Interface, select
3 Getting Started This chapter describes: ■ how to configure 3Com Network Access Manager after installation, using the Network Administrator User Interface, ■ how to configure the User Interface for Network Operators. Before configuring 3Com Network Access Manager, make sure you have created a Rem...
Page 36 - Network Administrator User Interface
Figure 14 Network Administrator User Interface. Callouts: Decrease Rule Priority; Increase Rule Priority; New Rule; New QoS Profile; New EFW Policy; New VLAN; Active Directory Domain; Recalculate EFW Membership; Details pane; Tree pane.
Page 37 - Using The Network Administrator User Interface; Setting Up 3Com; Create QoS profiles, see “Creating A New QoS Profile”.; VLANs View
Setting Up 3Com Network Access Manager To configure 3Com Network Access Manager after installation, follow these steps: Before adding entries for VLANs, QoS profiles and EFW policies in 3Com Network Access Manager make sure that the VLANs, QoS profil...
Page 38 - VLANs View Detail Pane.; Creating A New VLAN; Either click VLANs in the Tree pane and click the; New VLAN button
Figure 15 VLANs View Detail Pane. Creating A New VLAN To create a new VLAN entry in 3Com Network Access Manager, follow these steps: 1 Either click VLANs in the Tree pane and click the New VLAN button on the Tool bar, or right-click VLANs in the Tree pane and select ...
Page 39 - Deleting An Existing VLAN; Delete; Renaming A VLAN And Changing The VLAN ID; Rename
You can now: ■ associate rules with this VLAN if the rules have already been created, see “Changing Rule Properties”. Deleting An Existing VLAN To delete an existing VLAN entry in 3Com Network Access Manager, follow these steps: 1 Click on VLANs in t...
Page 40 - OK; Displaying Rules Associated With A VLAN; Properties; QoS Profiles View
4 Click OK This completes changing the ID for an existing VLAN entry in 3Com Network Access Manager. Displaying Rules Associated With A VLAN To display the rules associated with a VLAN, follow these steps: 1 Click on VLANs in the Tree pane. The Details pane on the ri...
Page 41 - Creating A New QoS Profile; Either click QoS Profiles in the Tree pane and click the; New QoS Profile button
Figure 16 QoS Profiles View Detail Pane Creating A New QoS Profile To create a new QoS profile entry in 3Com Network Access Manager, follow these steps: 1 Either click QoS Profiles in the Tree pane and click the New QoS Profile button on the Tool bar...
Page 42 - Deleting An Existing QoS Profile; Renaming A QoS Profile And Changing The QoS Profile ID
This completes creating a new QoS profile entry in 3Com Network Access Manager. You can now: ■ associate rules with this QoS profile if the rules have already been created, see “Changing Rule Properties”. Deleting An Existing QoS Profile To delete an existing QoS pro...
Page 43 - Displaying Rules Associated With A QoS Profile; EFW Policies View
The ID should be a string of characters that match the ID assigned to the QoS profile in the network access device (switch or wireless access point). 4 Click OK or Cancel. This completes changing the ID for an existing QoS profile entry in 3Com Netwo...
Page 44 - EFW Policies View Detail Pane; Creating A New EFW Policy; Either click EFW Policies in the Tree pane and click the; New EFW Policy; Click on this after changing the association; button
Figure 17 EFW Policies View Detail Pane Creating A New EFW Policy Before creating an EFW policy in 3Com Network Access Manager make sure that the EFW policy has already been created in the EFW Policy Server. To create a new EFW policy entry in 3Com Network Access Man...
Page 45 - Deleting An Existing EFW Policy; Renaming An EFW Policy; Displaying Rules Associated With An EFW Policy
This completes creating a new EFW policy entry in 3Com Network Access Manager. You can now: ■ associate rules with this EFW policy if the rules have already been created, see “Changing Rule Properties”. Deleting An Existing EFW Policy To delete an ex...
Page 46 - Select the; Rules View; Rules View Detail Pane.
3 Select the Members tab, a list of rules associated with the EFW policy will be displayed in the window. 4 Click OK or Cancel. This completes displaying the rules associated with an EFW policy. Rules View Clicking on Rules in the Tree pane displays in the Detail pan...
Page 47 - Creating A New Rule; New Rule
Creating A New Rule To create a new rule, assign a priority and network access response to the rule, follow these steps: 1 Either click Rules in the Tree pane and click the New Rule button on the Tool bar, or right-click Rules in the Tree pane and se...
Page 48 - Security Tab For A Rule; Table 7; Selecting Appropriate Rule Permissions; Role; Tick Allow for Read permission.
Figure 19 Security Tab For A Rule c Repeat steps 7a and 7b for each group and user permitted to assign the rule. Table 7 Selecting Appropriate Rule Permissions Role Rule Permissions Network Administrator(s) or Network Operator(s) allowed to associate the rule with a ...
Page 49 - Action; Action Tab For A Rule; Allow
8 Select the Action tab and configure the action attributes for the rule, Figure 20. Figure 20 Action Tab For A Rule a You changed the Priority setting for the rule in step 5. There is no need to change it again unless you need to assign a different ...
Page 50 - Deleting An Existing Rule
To understand the effect of this action, you need to be aware of how the edge port security is set up on the network. In some port modes, the response may appear illogical, for instance, Allow can be used to implement a blacklist. c If Network Access is set to Allow ...
Page 51 - Controlling Permission To Apply A Rule; Changing Rule Priorities
Controlling Permission To Apply A Rule Selecting who has permission to apply a rule is performed when the rule is created. Permissions can be changed after a rule is created, providing the user or group making the change has write permission for the...
Page 52 - Changing Rule Properties
4 Click OK. 5 If EFW policies are used, click on the Recalculate EFW Membership button in the Tool bar after changing the rule priorities. Changing Rule Properties Selecting the properties for a rule is performed when the rule is created. Rule properties can be chan...
Page 53 - Users View; Users View Detail Pane.
To add or remove computers associated with a rule, refer to “Displaying And Changing The Rules And MAC Address Associated With A Computer”. Users View Clicking on Users in the Tree pane displays in the Detail pane a list of Users which already exist ...
Page 54 - Associating Rules With A User; Select the user in the Details pane and right-click. Select
Associating Rules With A User All users in the domain will have the Default Rule applied until they are associated with other rules created with 3Com Network Access Manager. To associate a rule(s) with a user, follow these steps: 1 Either click on Users in the Tree p...
Page 56 - Displaying And Changing Rules Associated With A User; Creating A New User; Table 8; Rules Tick Box For A User; Tick Box Setting; The rule does not apply to this user
Displaying And Changing Rules Associated With A User To display and change the rules associated with a user, follow these steps: 1 Either click on Users in the Tree pane or if you have created Organizational Units to structure your users, click on the organizational ...
Page 57 - Groups View; Groups View Detail Pane
Groups View Clicking on Groups in the Tree pane displays in the Detail pane a list of Groups which already exist in the domain, see Figure 23. Alternatively if you have created Organizational Units to structure your groups, click on the organizationa...
Page 58 - Associating Rules With A Group; Select the group in the Details pane and right-click. Select; Network Access Tab
Associating Rules With A Group All groups in the domain will have the Default Rule applied until they are associated with other rules created with 3Com Network Access Manager. To associate a rule(s) with a group, follow these steps: 1 Either click on Groups in the Tr...
Page 59 - Displaying And Changing Rules Associated With A Group; Table 9; Rules Tick Box for A Group; The rule does not apply to this group
5 Click OK This completes associating rules with a group. Displaying And Changing Rules Associated With A Group To display and change the rules associated with a group, follow these steps: 1 Either click on Groups in the Tree pane or if you have crea...
Page 60 - DO NOT change rule membership using the Members Of tab.; Creating A New Group
DO NOT change rule membership using the Members Of tab. Creating A New Group To create a new group in the system, you will need to use a tool such as the “Active Directory Users and Computers” administration tool. You cannot create groups through 3Com Network Access ...
Page 61 - Entering MAC Addresses For A Computer
Figure 25 Computers View Detail Pane Entering MAC Addresses For A Computer To use MAC-address based authentication, the computers in the domain need to have their MAC addresses entered into 3Com Network Access Manager. To enter the MAC address(es) fo...
Page 62 - Associating Rules With A Computer; Select the computer in the Details pane and right-click. Select
Associating Rules With A Computer Ensure you have entered the MAC address of the computer in your network, before associating rules with the computer. 3Com Network Access Manager will only apply a rule to the computer if the RADIUS request includes the MAC address as...
Page 64 - cmd; at the prompt. The MAC address is shown as the 12-digit; Rules Tick Box for A Computer; The rule does not apply to this computer
Displaying And Changing The Rules And MAC Address Associated With A Computer To display and change the rules and MAC addresses associated with a computer, follow these steps: 1 Either click on Computers in the Tree pane or if you have created Organizational Units to ...
Page 65 - Creating A New Computer; Group or User
7 Click OK. This completes displaying and changing the rules and MAC addresses associated with a computer. Creating A New Computer To add a computer to the system, you will need to use a tool such as the “Active Directory Users and Computers” adminis...
Page 66 - Operator Tasks
Using The Operator User Interface Network Operators use the standard Active Directory Users and Computers interface, accessed from Programs>Administrative Tools>Active Directory Users and Computers. 3Com Network Access Manager adds a new tab, named Network Acc...
Page 69 - Using The Operator User Interface; Displaying And Changing The Rule Associated With A Computer; Select a computer to view and right-click. Select
Displaying And Changing The Rule Associated With A Computer To display and change the rules associated with a computer, follow these steps: 1 Click on Computers in the Tree pane. The Details pane on the right will list all of the computers that the Network Operat...
Page 71 - A N; This chapter provides:
4 Using 3Com Network Access Manager Within A Network This chapter provides: ■ six case studies on how 3Com Network Access Manager can be set up to provide different levels of security on a network. Case Study Assumptions All of the case studies described in this chapter assume the following: ■...
Page 72 - Network; Edge ports are called ‘access ports’ on the Switch 5500.
Case Study 1 - Controlling User Access To The Network This case study describes the tasks that need to be performed in order to control user access to the network using IEEE 802.1X. This method of authentication is based on the...
Page 73 - Case Study 1 - Controlling User Access To The Network; Network Operator
Network Operator Tasks The following provides an overview of the tasks for a network operator responsible for controlling user access to the network domain. On being informed that a specific user or group needs to be granted access to the netw...
Page 74 - What Happens When; The switch sends the user's details via RADIUS to IAS.
What Happens When A User Logs In The following takes place when a user connects and logs into the network domain. 1 The user’s PC connects to the network and the user logs in with a username. 2 The IEEE 802.1X client on the PC ...
Page 75 - Case Study 2 - Restricting Network Access To Known Computers
Case Study 2 - Restricting Network Access To Known Computers This case study describes the tasks that need to be performed in order to restrict network access to known computers, using MAC-address based authentication. It is an example ...
Page 77 - What Happens
5 Click OK and exit the Active Directory Users and Computers interface. On being informed that a specific PC needs to be denied access to the network, use the Active Directory Users and Computers interface to perform the following: 1 Ei...
Page 79 - Case Study 3 - Blocking A Specific PC From The Network; When a PC needs to be blacklisted:
When a PC needs to be blacklisted: 1 Enter the MAC address for the computer that needs to be blacklisted. For information on entering MAC addresses, see “Entering MAC Addresses For A Computer” in Chapter 3. 2 Associate the Blacklist rule with ...
Page 81 - Case Study 4 - Hot Desking
Case Study 4 - Hot Desking Combining Auto VLAN with IEEE 802.1X enables users to log in anywhere on the network, and always have access to their network (for example, the Engineering VLAN, or Marketing VLAN). This makes hot-desking viable, as users can change desks and s...
Page 85 - Case Study 5 - Removing Infected Devices From The Network; When a PC needs to be isolated for the first time:
When a PC needs to be isolated for the first time: 1 Enter the MAC address for the computer that needs to be removed from the network. For information on entering MAC addresses, see “Entering MAC Addresses For A Computer” in Chapter 3. 2 As...
Page 86 - The following takes place when a PC connects to the network.
What Happens The following takes place when a PC connects to the network. 1 The switch checks the MAC address of the PC with Active Directory. a If the PC is on the Isolation list, IAS replies Accept with the VLAN ID of the Iso...
Page 87 - Case Study 6 - Combining Hot Desking With Host Filtering
Case Study 6 - Combining Hot Desking With Host Filtering This case study describes the tasks that need to be performed in order to set up hot desking with the ability to filter out specific hosts. This configuration allows infected PCs to b...
Page 89 - The switch checks both the PC and the user with Active Directory.
What Happens When A User Logs In The following takes place when a user connects and logs into the network domain. 1 The switch checks both the PC and the user with Active Directory. 2 If the Isolation rule has been applied to the PC, IAS re...
Page 91 - checking the Windows Event Viewer for obvious problems,
5 Problem Solving This chapter covers: ■ checking the Windows Event Viewer for obvious problems, ■ resolving problems related to setting up 3Com Network Access Manager. Checking the Event Viewer If you experience network access or RADIUS authentication problems on your network, first check the Win...
Page 92 - System Event Log
Figure 29 System Event Log Figure 30 3Com Network Access Manager Authorization Log
Page 93 - Identifying Where
Figure 31 Event detail Identifying Where The Problem Lies 3Com Network Access Manager is dependent on IAS. A problem with 3Com Network Access Manager may be caused by an underlying issue with IAS. If that is the case then it will be IAS that logs an event and not 3Com Ne...
Page 94 - Symptom
Problems Related to Setting Up This section details possible problems that you might experience when setting up and using 3Com Network Access Manager. Each problem is described by a symptom, an explanation of the cause of the problem and a suggestion on what to do to...
Page 98 - The
The Network Access tab, accessible by right-clicking Users or Groups or Computers in the Tree pane and selecting Properties does not show the actual rule being applied to the user, group or computer. You may not have been granted read permission for the rule which is...
Page 101 - Creating; Remote; Using Microsoft Windows 2000 Server Operating System; IAS Main Window
A Creating A Remote Access Policy For 3Com Network Access Manager to authenticate users and computers accessing the network, an IAS Remote Access Policy must first be created. This appendix provides step by step instructions on creating an IAS remote policy, refer to section: ■ Using Microsoft W...
Page 102 - Remote Access Policies; New Remote Access Policy; Type the name of the new policy, see Figure 34. Click; Add A New Remote Access Policy
2 Right-click Remote Access Policies in the Tree pane and select New Remote Access Policy, see Figure 33. Figure 33 New Remote Access Policy 3 Type the name of the new policy, see Figure 34. Click Next. Figure 34 Add A New Remote Access Policy
Page 103 - Conditions; Client Vendor; Add; Selecting Attributes for Remote Access Policy; Available types
You now need to add a condition that will cause the Remote Access Policy to run. 4 On the Conditions dialog, click Add. On the Select Attribute dialog select Client Vendor and click Add, see Figure 35. Figure 35 Selecting Attributes for Remot...
Page 104 - Selecting 3Com as Client-Vendor for Remote Access Policy; On the; Setting Policy Conditions on Remote Access Policy
Figure 36 Selecting 3Com as Client-Vendor for Remote Access Policy 6 On the Conditions dialog, Figure 37, click Next Figure 37 Setting Policy Conditions on Remote Access Policy
Page 105 - Granting Remote Access Permission
7 On the Permissions dialog, Figure 38, select Grant remote access permission and click Next. Figure 38 Granting Remote Access Permission
Page 106 - Edit Profile; Editing the Profile
8 You now need to specify the profiles of the users who match the condition you have specified. Click the Edit Profile button, see Figure 39. Figure 39 Editing the Profile
Page 107 - Encrypted authentication; and; Selecting Encryption Methods
9 Select the Authentication tab, and select Encrypted authentication (CHAP) and Unencrypted authentication (PAP, SPAP), see Figure 40, according to your network security policy and the devices on your network. Figure 40 Selecting Encryption Me...
Page 108 - Editing the Dial-in Profile
10 Select the Advanced tab and click Add, see Figure 41. Figure 41 Editing the Dial-in Profile
Page 109 - Select; Vendor Specific; from the list of RADIUS attributes and click; Adding Vendor-Specific Attributes
11 Select Vendor Specific from the list of RADIUS attributes and click Add, see Figure 42. Figure 42 Adding Vendor-Specific Attributes
Page 110 - Multivalued Attribute Information Dialog
12 On the Multivalued Attribute Information dialog, see Figure 43, click Add Figure 43 Multivalued Attribute Information Dialog
Page 111 - Configuring Vendor-Specific Attribute
13 Select 3Com from the pull down list, click YES. It conforms and click Configure Attribute, see Figure 44 Figure 44 Configuring Vendor-Specific Attribute
Page 112 - Vendor assigned value; Decimal; Attribute
14 Type 9 as the Vendor assigned value, select Decimal as the Attribute format, and type 1 as the Attribute value. See Figure 45. Click OK Figure 45 Vendor Assigned Attributes for 3Com 15 Click OK to close the Vendor-Specific Attribute Informat...
Page 113 - After viewing the Online Help, click; New Remote Access Policy Added to List; buttons on the tool bar at the top of the window to increase or
20 After viewing the Online Help, click Finish. The remote access policy that you have just created will be added to the list of policies, see Figure 47 Figure 47 New Remote Access Policy Added to List 21 Select the new remote access policy f...
Page 116 - New Remote Access Policy Wizard.
Figure 50 New Remote Access Policy Wizard. 4 Select Set up a custom policy and type the name of the policy. Click Next.
Page 117 - and click
Figure 51 Set Up A Custom Policy You now need to add a condition that will cause the Remote Access Policy to run. 5 On the Policy Conditions dialog, click Add. On the Select Attribute dialog select Client Vendor and click Add, see Figure 52.
Page 121 - Using Microsoft Windows Server 2003 Operating System
9 You now need to specify the profiles of the users who match the condition you have specified. Click the Edit Profile button, see Figure 56. Figure 56 Editing the Profile
Page 122 - Encrypted
10 Select the Authentication tab, and select both Encrypted authentication (CHAP) and Unencrypted authentication (PAP, SPAP), see Figure 57, according to your network security policy and the devices on your network. Figure 57 Selecting Encryption ...
Page 129 - 3Com Knowledgebase —; Helps you to troubleshoot 3Com; Connection Assistant
B Obtaining Support for Your 3Com Products 3Com offers product registration, case management, and repair services through eSupport.3com.com. You must have a user name and password to access these services, which are described in this appendix. Register Your Product to Gain Service Benefits To ...
Page 130 - Contact Us
Purchase Extended Warranty and Professional Services To enhance response times or extend your warranty benefits, you can purchase value-added services such as 24x7 telephone technical support, software upgrades, onsite assistance, or adv...
Page 131 - Telephone Technical; Product model name, part number, and serial number; Country; You can also obtain support in this region at this e-mail address:
Telephone Technical Support and Repair To obtain telephone support as part of your warranty and other service benefits, you must first register your product at: http://eSupport.3com.com/ When you contact 3Com for assistance, please have the following information ready: ■ Product model...
Page 133 - Index; Numerics
Index
Numerics
3Com Enterprise Management Suite 23
3Com Knowledgebase tool 129
3Com Network Access Manager
  authorization log 91
  before setting up 37
  changing installation 30
  devices supported 18
  edge port security modes 18
  installation 24
  interfaces 11
  network administrator responsibilities 11
  network operat...