Job Management Partner 1/Client Security Control Description, User's Guide and Operator's Guide



13.2.2 Setting up an authentication server

This section describes how to set up an authentication server by installing and setting up the following programs:

Organization of this subsection
(1) Installing Microsoft Internet Authentication Service or Network Policy Server
(2) Setting up Microsoft Internet Authentication Service or Network Policy Server
(3) Installing JP1/CSC - Agent
(4) Setting up JP1/CSC - Agent

(1) Installing Microsoft Internet Authentication Service or Network Policy Server

Install Microsoft Internet Authentication Service or Network Policy Server on the authentication server. These products can be found on the installation media for the prerequisite version of Windows. For details about installing Microsoft Internet Authentication Service and Network Policy Server, refer to the documentation on the Microsoft Support site or Windows help.

(2) Setting up Microsoft Internet Authentication Service or Network Policy Server

Set up Microsoft Internet Authentication Service or Network Policy Server. Before you do so, make the following settings so that the product can link with JP1/CSC:

Setting up to store passwords using reversible encryption
If IEEE 802.1X authentication is used, set an attribute that uses reversible encryption to store passwords. The procedure for setting this attribute differs depending on whether Active Directory is installed on the authentication server.
  • When Active Directory is installed
    Open the Domain Controller Security Policy console, click Security Settings, Account Policy, and then Password Policy, and enable Store passwords using reversible encryption.
    Any passwords that were registered before you enabled Store passwords using reversible encryption must be reset. To do this, open Active Directory Users and Computers, select Users, and then click the relevant user. You must then assign the password again.
  • When Active Directory is not installed
    Open the Local Security Policy console, click Security Settings, Account Policy and then Password Policy, and enable Store passwords using reversible encryption.
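The following PowerShell is an added example, not part of this manual: it checks where reversible password storage is in effect after the procedure above, covering both cases (domain policy when Active Directory is installed, Local Security Policy when it is not), and lists the accounts whose passwords were set before the policy was switched on and therefore still need the reset the procedure describes. It goes slightly beyond the procedure by also listing accounts that carry the per-user reversible-encryption flag, since that flag lets the weakening be kept to the accounts that actually authenticate through this server. The ActiveDirectory module (RSAT), the temporary file path and the value of $policyEnabledAt are assumptions.

```powershell
# Added example (not from the JP1 manual): audit reversible password storage.
# Assumes the ActiveDirectory module is present in the domain case; $policyEnabledAt is
# an assumed value (the time at which Store passwords using reversible encryption was enabled).

function Get-ReversibleEncryptionStatus {
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory
        # Domain-wide setting from the default domain password policy
        $policy = Get-ADDefaultDomainPasswordPolicy
        [pscustomobject]@{ Scope = 'Domain policy'; Enabled = $policy.ReversibleEncryptionEnabled }

        # Accounts carrying the per-user flag (userAccountControl bit 0x80,
        # ENCRYPTED_TEXT_PWD_ALLOWED), which applies the setting to single accounts only
        Get-ADUser -Filter 'userAccountControl -band 128' |
            ForEach-Object { [pscustomobject]@{ Scope = "User $($_.SamAccountName)"; Enabled = $true } }
    } else {
        # Local Security Policy: export it and read ClearTextPassword under [System Access]
        $inf = Join-Path $env:TEMP 'secpol-export.inf'   # assumed temporary file
        secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
        $line = Select-String -Path $inf -Pattern '^ClearTextPassword\s*=\s*(\d)'
        $enabled = ($null -ne $line) -and ($line.Matches[0].Groups[1].Value -eq '1')
        Remove-Item $inf -ErrorAction SilentlyContinue
        [pscustomobject]@{ Scope = 'Local policy'; Enabled = [bool]$enabled }
    }
}

# Passwords set before the policy was enabled are still stored as a one-way hash and must be
# reset, as the procedure says; list them so the resets can be tracked to completion.
function Get-UsersNeedingPasswordReset([datetime] $policyEnabledAt) {
    Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
        Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $policyEnabledAt } |
        Select-Object SamAccountName, PasswordLastSet
}

Get-ReversibleEncryptionStatus | Format-Table -AutoSize
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $policyEnabledAt = Get-Date '2011-01-01'   # assumed: when the policy was enabled
    Get-UsersNeedingPasswordReset $policyEnabledAt | Format-Table -AutoSize
}
```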

Setting the authentication protocol for remote access policies
If IEEE 802.1X authentication is used, select either MD5-Challenge or Protected EAP [PEAP] as the remote access policy authentication method. This setting is unnecessary if MAC authentication is used.

For details about setting up Microsoft Internet Authentication Service and Network Policy Server, refer to the documentation on the Microsoft Support site or Windows help.

(3) Installing JP1/CSC - Agent

Install JP1/CSC - Agent on the authentication server.

For details about installing JP1/CSC - Agent, see 5.7.1 Installing JP1/CSC - Agent.

Note
If your OS is Windows Server 2008, the NETWORK SERVICE user must have Full Control access permission for the following folders:
  • JP1/CSC - Agent-installation-folder\log
  • JP1/CSC - Agent-installation-folder\trace
  • JP1/CSC - Agent-installation-folder\radius\log
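As an added example (not part of this manual), the following PowerShell grants the NETWORK SERVICE account Full Control on the three folders listed in the note and then verifies that the entry is actually present in each folder's ACL. $agentDir is a placeholder for the JP1/CSC - Agent installation folder.

```powershell
# Added example (not from the JP1 manual). $agentDir is a placeholder for the
# JP1/CSC - Agent installation folder; replace it with the real path.
$agentDir = 'C:\JP1CSC_AGENT_INSTALL_FOLDER'
$folders = 'log', 'trace', 'radius\log' | ForEach-Object { Join-Path $agentDir $_ }

foreach ($f in $folders) {
    if (-not (Test-Path $f)) { Write-Warning "$f does not exist"; continue }
    # S-1-5-20 is the well-known SID of NETWORK SERVICE; granting by SID avoids the
    # localized account name. (OI)(CI) inherit to files and subfolders; F = Full Control.
    icacls $f /grant '*S-1-5-20:(OI)(CI)F' | Out-Null
}

# Returns $true when an Allow entry for NETWORK SERVICE with Full Control is present
function Test-NetworkServiceFullControl([string] $path) {
    $acl   = Get-Acl -Path $path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $match = $rules | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-5-20' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full
    }
    return [bool]$match
}

foreach ($f in $folders) {
    if (Test-Path $f) {
        $state = if (Test-NetworkServiceFullControl $f) { 'Full Control present' } else { 'Full Control MISSING' }
        '{0}: {1}' -f $f, $state
    }
}
```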

(4) Setting up JP1/CSC - Agent

After installing JP1/CSC - Agent, be sure to set up JP1/CSC - Agent before starting it.

You can set the information required for JP1/CSC - Agent setup by using the Client Security Control - Agent Setup dialog box.

The Client Security Control - Agent Setup dialog box has two tabbed pages, which can be selected by clicking the corresponding tab. The following figure shows the Client Security Control - Agent Setup dialog box.

Figure 13-7 Client Security Control - Agent Setup dialog box

[Figure]

The following table lists the items that can be set in the Client Security Control - Agent Setup dialog box.

Table 13-5 Items that can be set in the Client Security Control - Agent Setup dialog box

Tab selected: Basic Settings tab
  Description: This tab is used to display settings information for JP1/CSC - Agent environments already set up, and to change environment settings.

Tab selected: IAS tab
  Description: This tab is used only if linkage to an authentication server is used. It is used to display settings information for JP1/CSC - Agent environments, and to change environment settings.
  This page appears if Internet Authentication Service is specified for Network control product information on the Basic Settings page.

#
The settings for linkage to an authentication server are specified on the Basic Settings and IAS pages in the Client Security Control - Agent Setup dialog box.

To display the Client Security Control - Agent Setup dialog box and edit the settings:

  1. Click the Start button, and choose Programs, Client Security Control, and then Agent Setup.
    The Client Security Control - Agent Setup dialog box appears.
  2. Select the pages and set values for the items.
    When you select an item, a box appears below the item list. You can either enter a value or string directly in this box or select a value from the pull-down menu.
    For details, see (a) Operations that can be performed on the Basic Settings page and (b) Operations that can be performed on the IAS page.
  3. Click the OK button.
    The contents you specified are set for the JP1/CSC - Agent environment. The Client Security Control - Agent Setup dialog box closes.
    To close this dialog box without performing any environment settings, click the Cancel button.

(a) Operations that can be performed on the Basic Settings page

Use the Basic Settings page to display and change the environment settings for JP1/CSC - Agent.

The following figure shows the Basic Settings page.

Figure 13-8 Basic Settings page

[Figure]

The following table lists the items that can be set in the Basic Settings page.

Table 13-6 Items that can be displayed and set on the Basic Settings page

Manager communication environment information
  IP address
    Description: The IP address for JP1/CSC - Manager.
    Specifiable values: IPv4 format (xxx.xxx.xxx.xxx)
    Default for initial environment setup: --
  Port number
    Description: The port number JP1/CSC - Manager uses to communicate with JP1/CSC - Agent. Enter the same port number as specified in Port number for receiving requests under Manager communication environment information, in the Basic Settings page of JP1/CSC - Manager.
    Specifiable values: 1024 to 65535
    Default for initial environment setup: 22340

Agent communication environment information
  Port number
    Description: The port number of JP1/CSC - Agent. Enter the same port number as that registered for Port number in the Add agent information window of JP1/CSC - Manager.
    Specifiable values: 1024 to 65535
    Default for initial environment setup: 22345

Network control product information
  Name
    Description: The name of the linked network control product.
    Specifiable values: Internet Authentication Service#, Network Monitor

Log information
  Log file size
    Description: Specify the maximum size (in kilobytes) of the JP1/CSC - Agent log files.
    Specifiable values: 1 to 2097151
    Default for initial environment setup: 1024
  Number of log files
    Description: Specify the maximum number of JP1/CSC - Agent log files.
    Specifiable values: 1 to 999
    Default for initial environment setup: 10

Cluster information
  Cluster environment
    Description: Specify whether to run JP1/CSC - Agent in a cluster environment.
    Specifiable values: Use / Do not use
    Default for initial environment setup: Do not use
  Logical IP address
    Description: Specify a logical IP address to use in the cluster environment.
    Specifiable values: IPv4 format (xxx.xxx.xxx.xxx)
    Default for initial environment setup: --
  Shared disk
    Description: Specify the path for the shared disk used in the cluster environment.
    Specifiable values: Full path
    Default for initial environment setup: --

Audit log information
  Audit log
    Description: Specify whether to output audit logs.
    Specifiable values: Output / Do not output
    Default for initial environment setup: Do not output

Legend:
--: No default provided

#
For Network Policy Server also, specify Internet Authentication Service.

Note
You must stop the Microsoft IAS service before selecting Network control product information. If you select this item while the Microsoft IAS service is running, an error message will appear when you click the OK button. This also applies to Network Policy Server.

Reference note
The log information contains information about startup and termination of JP1/CSC - Agent, as well as connection information for the network control product.

(b) Operations that can be performed on the IAS page

On the IAS page, you can view and change the JP1/CSC - Agent environment settings for linkage to an authentication server (Microsoft Internet Authentication Service or Network Policy Server).

Be sure to stop the Microsoft IAS before changing any settings on the IAS page. If you fail to do so, an error will occur, and the changes will not be applied. This also applies to Network Policy Server.

The following figure shows the IAS page.

Figure 13-9 IAS page

[Figure]

The following table lists the items that can be checked and set in the IAS page.

Table 13-7 Items that can be displayed and set on the IAS page

Connection information for unregistered asset
  Network type
    Description: Specify the connection destination for clients not registered in the connection control list.
      • To have such clients connect to the quarantined network, specify Quarantined.
      • To deny such clients access to the network, specify Refused.
      • To have such clients connect to the corporate network, specify Normal.
      • To have such clients connect to the unauthenticated network, specify Unauthenticated.
    Specifiable values: Quarantined / Refused / Normal / Unauthenticated
    Default for initial environment setup: Quarantined

Connection information for refused asset
  Network type
    Description: Specify the connection destination for clients listed as rejected in the connection control list.
      • To have such clients connect to the quarantined network, specify Quarantined.
      • To deny such clients access to the network, specify Refused.
      • To have such clients connect to the unauthenticated network, specify Unauthenticated.
    Specifiable values: Quarantined / Refused / Unauthenticated
    Default for initial environment setup: Quarantined

VLAN information#1
  Quarantined VLAN
    Description: Specify the VLAN-ID of the quarantined network.
    Specifiable values: 1 to 4095#2
    Default for initial environment setup: 10
  Refused VLAN
    Description: Specify a VLAN-ID that is not assigned to any network on the switch.
    Specifiable values: 1 to 4095#2
    Default for initial environment setup: 10

Connection history information
  Connection history file size
    Description: The size of the file in which the connection history of clients is recorded. Specify the maximum size (in kilobytes).
    Specifiable values: 1 to 2097151
    Default for initial environment setup: 1024
  Number of connection history files
    Description: Specify the maximum number of connection history files to be created.
    Specifiable values: 1 to 999
    Default for initial environment setup: 100

Message notification information
  Message notification#3,#4
    Description: Specify whether a message is to be sent notifying clients of the network to which they are connected.
    Specifiable values: Notify / Do not notify
    Default for initial environment setup: Do not notify
  When the network is normal
    Description: Enter the body of the message to be sent to clients that are connected to the corporate network, as a string of 1,024 or fewer bytes.
    Specifiable values: Character string
    Default for initial environment setup: The machine is connected to a normal network.
  When the network is quarantined
    Description: Enter the body of the message to be sent to clients that are connected to the quarantined network, as a string of 1,024 or fewer bytes.
    Specifiable values: Character string
    Default for initial environment setup: The machine is connected to a quarantined network because a vulnerability was detected. Implement necessary measures, and restart the machine.
  Notification command
    Description: The command used to send notification messages to clients. Enter the command line as a string of 1,024 or fewer bytes.
    Specifiable values: Character string
    Default for initial environment setup: net send %1 %2#5

#1
You cannot set the VLAN-ID of the corporate network (normal VLAN) from JP1/CSC - Agent. The VLAN-ID specified for the Tunnel-Pvt-Group-ID attribute in the remote access policy of Microsoft Internet Authentication Service or Network Policy Server is used for the corporate network.

#2
The valid range for VLAN-IDs depends on the switch model that you use. Be sure to specify a VLAN-ID for the Refused VLAN that is within the valid range. For details, see the manual for the switch.

#3
If you set message notification to Notify, a message is sent each time the client is authenticated (or re-authenticated).

#4
You cannot use message notification when the authentication server is running Windows Server 2008.

#5
%1 and %2 are variables that take the following values:
%1: The IP address of the client to which the message is sent.
%2: One of the character strings specified in message notification information, specific to either the normal network or quarantined network.

  
Reference note
By setting Connection information for unregistered asset to Refused, you can prevent clients not in the connection control list and unauthorized PCs from connecting to the network.
However, when you add a new client to the network, information about the client is not automatically registered in the connection control list. In this case, inventory information must be obtained from an offline machine.
For details, see 14.2.6 Adding a new client to the network.




All Rights Reserved. Copyright (C) 2009, 2011, Hitachi, Ltd.
Copyright, patent, trademark, and other intellectual property rights related to the "TMEng.dll" file are owned exclusively by Trend Micro Incorporated