Job Management Partner 1/Client Security Control Description, User's Guide and Operator's Guide



14.2.6 Adding a new client to the network

Before you can add a client to the network, information about the client must be registered in the connection control list of JP1/CSC - Agent.

When a client is first introduced into the network, it is treated as an unregistered asset because no information about it is found in the connection control list. In this case, the client is connected to the network specified by the Connection information for unregistered asset setting in JP1/CSC - Agent setup.

The following explains the operations you need to perform for each of the Connection information for unregistered asset settings (Quarantined, Rejected, Normal, and Unauthenticated).

Note
You cannot use the function for registering permitted PCs to add clients to the network.

(a) When Quarantined is set

The client is connected to the quarantined network, where security measures are implemented on the client. The client is then connected to the corporate network.

To connect an unregistered client to the corporate network:

  1. Initiate client authentication.
    An authentication request is sent to the authentication server via the switch when the client is restarted, when the Windows standard supplicant service is restarted, or when a client network connection that was disabled is re-enabled. Note that if sending of EAPOL-START packets is not enabled, the switch requests client authentication at the authentication interval that is set on the switch.
    Because Connection information for unregistered asset is set to Quarantined, the client is connected to the quarantined network.
  2. Implement security measures on the client by communicating with the treatment server.
    Security measures can be implemented on clients in the quarantined network, by communicating with the treatment server.
    By using the software distribution facility of JP1/Software Distribution, the administrator can distribute software from JP1/Software Distribution Manager on the management server, using JP1/Software Distribution Client (relay system) on the treatment server as a relay system. Alternatively, the client can be provided with packages for the user to install.
    For details about the software distribution facility of JP1/Software Distribution, see the manual Job Management Partner 1/Software Distribution Administrator's Guide Volume 1, for Windows systems.
    When client inventory information is updated, the latest inventory information is reported to JP1/Software Distribution Manager running on the management server, via JP1/Software Distribution Client (relay system)# running on the treatment server.
    When the client is judged safe based on the judgment policy by JP1/CSC - Manager on the management server, an action (to permit a network connection) is implemented according to the action policy. The client information is then recorded as Permit in the JP1/CSC - Agent connection control list.

    # JP1/Software Distribution SubManager 07-50 or later can also be used.
  3. Re-authenticate the client.
    An authentication request is sent to the authentication server via the switch when the client is restarted, when the Windows standard supplicant service is restarted, or when a client network connection that was disabled is re-enabled. Note that if sending of EAPOL-START packets is not enabled, the switch requests client authentication at the authentication interval that is set on the switch.
    After security measures have been completed, the client is registered as Permit in the connection control list of JP1/CSC - Agent on the authentication server, and can then connect to the corporate network.

(b) When Rejected is set

The client cannot connect to the network. Use the offline machine management functionality provided by JP1/Software Distribution to implement security measures on the client. The client can then connect to the corporate network.

To connect a rejected client to the corporate network:

  1. Initiate client authentication.
    An authentication request is sent to the authentication server via the switch when the client is restarted, when the Windows standard supplicant service is restarted, or when a client network connection that was disabled is re-enabled. Note that if sending of EAPOL-START packets is not enabled, the switch requests client authentication at the authentication interval that is set on the switch.
    Because Connection information for unregistered asset is set to Rejected, the client cannot connect to the network.
  2. Use the offline machine management functionality of JP1/Software Distribution to implement security measures on the client.
    You can use the offline machine management functionality of JP1/Software Distribution to implement security measures on a client in an offline environment. The offline machine management functionality allows you to install software offline, and obtain inventory information from offline machines.
    For details about the offline machine management functionality of JP1/Software Distribution, see the manual Job Management Partner 1/Software Distribution Administrator's Guide Volume 1, for Windows systems.
    The inventory information obtained from the offline machine is sent to JP1/Software Distribution Manager on the management server, and the client is judged by JP1/CSC - Manager.
    If the client is judged safe based on the security policy, an action (to permit a network connection) is implemented according to the action policy. The client information is then recorded as Permit in the JP1/CSC - Agent connection control list.
  3. Re-authenticate the client.
    An authentication request is sent to the authentication server via the switch when the client is restarted, when the Windows standard supplicant service is restarted, or when a client network connection that was disabled is re-enabled. Note that if sending of EAPOL-START packets is not enabled, the switch requests client authentication at the authentication interval that is set on the switch.
    After security measures have been completed, the client is registered as Permit in the connection control list of JP1/CSC - Agent on the authentication server, and can then connect to the corporate network.

(c) When Normal is set

The client can already connect to the corporate network, and no special measures are necessary.

However, ensure that security measures have been implemented on the client before it connects to the network.

(d) When Unauthenticated is set

To connect the client to the corporate network:

  1. Initiate client authentication.
    When the client is restarted or a client network connection that was disabled is re-enabled, an authentication request is sent to the authentication server via the switch. Note, however, that if sending of EAPOL-START packets for IEEE 802.1X authentication is not enabled, the switch requests client authentication at the authentication interval that is set on the switch. If MAC authentication is used, the switch requests client authentication based on the maximum connection time set on the switch.
    Because Unauthenticated is set for Connection information for unregistered asset, the client is connected to the unauthenticated network.
  2. Implement security measures on the client by communicating with the treatment server.
    Security measures for a client connected to the unauthenticated network are implemented through communication with the treatment server from the unauthenticated network.
    When the software distribution function of JP1/Software Distribution is used, JP1/Software Distribution Client (relay system)# on the treatment server can be used as a relay system. The relay system allows the administrator to distribute software from JP1/Software Distribution Manager on the management server or allows the client user to install a package.
    For details about the software distribution function of JP1/Software Distribution, see the manual Job Management Partner 1/Software Distribution Administrator's Guide Volume 1, for Windows systems.
    When the client inventory is updated, the latest inventory information is reported to JP1/Software Distribution Manager on the management server via JP1/Software Distribution Client (relay system)#.
    JP1/CSC - Manager on the management server judges whether the client is safe based on the judgment policy. If the client is judged safe, an action (to permit a network connection) is performed according to the action policy settings. The client information is then recorded as Permit in the connection control list of JP1/CSC - Agent.

    # JP1/Software Distribution SubManager 07-50 or later can also be used.
  3. Re-authenticate the client.
    When the client is restarted or a client network connection that was disabled is re-enabled, an authentication request is sent to the authentication server via the switch. Note, however, that if sending of EAPOL-START packets for IEEE 802.1X authentication is not enabled, the switch requests client authentication at the authentication interval that is set on the switch. If MAC authentication is used, the switch requests client authentication based on the maximum connection time set on the switch.
    After security measures have been completed, the client is registered as Permit in the connection control list of JP1/CSC - Agent on the authentication server, and is able to connect to the corporate network.
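The following Python model walks the three-step procedure of (a) through (d) above for each value of Connection information for unregistered asset. It is an added example and is not Hitachi's code: the class and function names, the use of a MAC address as the client key, the "Permit" marker in the connection control list, and the sample judgment policy (patch level and antivirus state) are all assumptions made for illustration. It shows the point the section turns on: an unregistered client is placed according to the setup value, and only a safe judgment that records Permit changes what the next authentication returns.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class UnregisteredSetting(Enum):
    """Values of 'Connection information for unregistered asset' in JP1/CSC - Agent setup."""
    QUARANTINED = "Quarantined"
    REJECTED = "Rejected"
    NORMAL = "Normal"
    UNAUTHENTICATED = "Unauthenticated"


class Network(Enum):
    CORPORATE = "corporate"
    QUARANTINED = "quarantined"
    UNAUTHENTICATED = "unauthenticated"
    NONE = "none"  # authentication rejected, no network access


# Remediation path available from each network, as described in (a) to (d).
TREATMENT_PATH: Dict[Network, Optional[str]] = {
    Network.QUARANTINED: "treatment server (JP1/Software Distribution relay system)",
    Network.UNAUTHENTICATED: "treatment server (JP1/Software Distribution relay system)",
    Network.NONE: "offline machine management",
    Network.CORPORATE: None,  # already connected; no special measures
}

Inventory = Dict[str, object]
JudgmentPolicy = Callable[[Inventory], bool]


@dataclass
class Agent:
    """Hypothetical model of the JP1/CSC - Agent decision on the authentication server."""
    unregistered_setting: UnregisteredSetting
    # connection control list: client MAC -> recorded decision ("Permit"); assumed layout
    connection_control_list: Dict[str, str] = field(default_factory=dict)

    def authenticate(self, mac: str) -> Network:
        """Decision for one authentication request relayed by the switch."""
        if self.connection_control_list.get(mac) == "Permit":
            return Network.CORPORATE
        # Unregistered asset: placement follows the setup value.
        return {
            UnregisteredSetting.QUARANTINED: Network.QUARANTINED,
            UnregisteredSetting.REJECTED: Network.NONE,
            UnregisteredSetting.NORMAL: Network.CORPORATE,
            UnregisteredSetting.UNAUTHENTICATED: Network.UNAUTHENTICATED,
        }[self.unregistered_setting]

    def judge_and_act(self, mac: str, inventory: Inventory, policy: JudgmentPolicy) -> bool:
        """JP1/CSC - Manager judgment: if the inventory is safe, the action records Permit."""
        if policy(inventory):
            self.connection_control_list[mac] = "Permit"
            return True
        return False


def onboard(agent: Agent, mac: str, inventory: Inventory,
            policy: JudgmentPolicy) -> List[Tuple[str, str]]:
    """Walk steps 1-3 for one client and return (step, outcome) pairs."""
    trail: List[Tuple[str, str]] = []
    first = agent.authenticate(mac)
    trail.append(("1. initial authentication", first.value))
    path = TREATMENT_PATH[first]
    if path is None:
        trail.append(("2. security measures", "none required (already on corporate network)"))
        return trail
    trail.append(("2. security measures via", path))
    safe = agent.judge_and_act(mac, inventory, policy)
    trail.append(("   judgment", "Permit recorded" if safe else "not safe; still unregistered"))
    second = agent.authenticate(mac)
    trail.append(("3. re-authentication", second.value))
    return trail


def sample_policy(inv: Inventory) -> bool:
    """Constructed judgment policy: patch level 3 or higher with antivirus running."""
    return inv.get("patch_level", 0) >= 3 and inv.get("antivirus_running") is True


if __name__ == "__main__":
    # Constructed inventory for a client that passes the sample policy.
    inventory = {"patch_level": 3, "antivirus_running": True}
    for setting in UnregisteredSetting:
        agent = Agent(setting)
        for step, outcome in onboard(agent, "00:11:22:33:44:55", inventory, sample_policy):
            print(f"[{setting.value}] {step}: {outcome}")
```

Running the model shows that Quarantined and Unauthenticated clients reach the corporate network only after the second authentication, a Rejected client never does until offline measures yield a safe judgment, and a Normal client is connected on the first request, which is why the section warns that security measures must already be in place in that case.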




All Rights Reserved. Copyright (C) 2009, 2011, Hitachi, Ltd.
Copyright, patent, trademark, and other intellectual property rights related to the "TMEng.dll" file are owned exclusively by Trend Micro Incorporated