
Page 1: ProCurve Identity Driven Manager - Hewlett Packardh20628. · 1-5. About ProCurve Identity Driven Manager. Introduction. What’s New in IDM 2.3. ProCurve Identity Driven Manager version

www.procurve.com

User’s Guide

ProCurve Identity Driven ManagerSoftware Release 2.3


Hewlett-Packard Company 8000 Foothills Boulevard, m/s 5551 Roseville, California 95747-5551 http://www.procurve.com

© Copyright 2008 Hewlett-Packard Development Company, LP. All Rights Reserved.

This document contains information which is protected by copyright. Reproduction, adaptation, or translation without prior permission is prohibited, except as allowed under the copyright laws.

Publication Number

5990-8851

May, 2008

Trademark Credits

Microsoft, Windows, Windows 95, and Microsoft Windows NT are registered trademarks of Microsoft Corporation. Internet Explorer is a trademark of Microsoft Corporation. Ethernet is a registered trademark of Xerox Corporation. Netscape is a registered trademark of Netscape Corporation.

Disclaimer

The information contained in this document is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard.

Warranty

See the Customer Support/Warranty booklet included with the product.

A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer.


Contents

1 About ProCurve Identity Driven Manager

Introduction ... 1-2
Why IDM? ... 1-3
What's New in IDM 2.3 ... 1-5
IDM Architecture ... 1-6
Terminology ... 1-8
IDM Specifications ... 1-10
Supported Devices ... 1-10
Operating Requirements ... 1-10
Additional Requirements ... 1-11
Upgrading from Previous Versions of PCM and IDM ... 1-11
Registering Your IDM Software ... 1-12
Learning to Use ProCurve IDM ... 1-14
Getting ProCurve Documentation From the Web ... 1-15
ProCurve Support ... 1-15

2 Getting Started

Before You Begin ... 2-2
Installing the IDM Agent ... 2-2
Using the IDM Auto-Discover Feature ... 2-3
IDM Configuration Process Overview ... 2-3
IDM Usage Strategies ... 2-4
Understanding the IDM Model ... 2-5
IDM GUI Overview ... 2-6
IDM Dashboard ... 2-8
Using the Navigation Tree ... 2-9
Toolbars and Menus ... 2-13
Using IDM as a Monitoring Tool ... 2-14
Using IDM Reports ... 2-15
Creating Report Policies ... 2-19
Configuring a Policy Action to Generate Reports ... 2-19
IDM Session Cleanup Policy ... 2-26
User Session Information ... 2-29
Finding a User ... 2-33
User Reports ... 2-34

iii


Contents

IDM Preferences ... 2-36
Using Active Directory Synchronization ... 2-38

3 Using Identity Driven Manager

IDM Configuration Model ... 3-3
Configuration Process Review ... 3-3
Configuring Identity Management ... 3-4
Configuring Locations ... 3-6
Adding a New Location ... 3-7
Modifying a Location ... 3-11
Deleting a Location ... 3-12
Configuring Times ... 3-13
Creating a New Time ... 3-14
Modifying a Time ... 3-16
Deleting a Time ... 3-16
Configuring Network Resources ... 3-19
Adding a Network Resource ... 3-21
Modifying a Network Resource ... 3-22
Deleting a Network Resource ... 3-23
Configuring Access Profiles ... 3-24
Creating a New Access Profile ... 3-26
Modifying an Access Profile ... 3-33
Defining Access Policy Groups ... 3-35
Creating an Access Policy Group ... 3-36
Modifying an Access Policy Group ... 3-41
Deleting an Access Policy Group ... 3-41
Configuring User Access ... 3-42
Adding Users to an Access Policy Group ... 3-43
Changing Access Policy Group Assignments ... 3-44
Using Global Rules ... 3-45
Deploying Configurations to the Agent ... 3-49
Using Manual Configuration ... 3-50
Defining New Realms ... 3-50
Modifying and Deleting Realms ... 3-51
Deleting RADIUS Servers ... 3-52
Adding New Users ... 3-53
Using the User Import Wizard ... 3-57
Importing Users from Active Directory ... 3-58
Importing Users from an LDAP Server ... 3-64
Importing Users from XML files ... 3-75

iv


Contents

4 Using the Secure Access Wizard

Overview ... 4-2
Supported Devices ... 4-2
Using Secure Access Wizard ... 4-3

5 Troubleshooting IDM

IDM Events ... 5-2
Pausing the Events Display ... 5-4
Using Event Filters ... 5-4
Viewing the Events Archive ... 5-6
Setting IDM Event Preferences ... 5-8
Using Activity Logs ... 5-10
Using Decision Manager Tracing ... 5-11
Miscellaneous ... 5-12

A Using ProCurve Network Access Controller with IDM

About ProCurve Network Access Controller 800 ... A-1
Before You Begin ... A-2
Using the NAC Tab Displays ... A-3
Setting the ProCurve NAC GUI Login ... A-4
Using the NAC Home Tab ... A-5
Using the NAC Monitor Tab ... A-6
Using the NAC Configuration Tab ... A-7
Using Local Authentication Directory on ProCurve NAC ... A-8
Adding Locally Authenticated Users ... A-9

B IDM Technical Reference

Device Support for IDM Functionality ... B-1
Support for Secure Access Wizard Feature ... B-2
Best Practices ... B-3
Types of User Events ... B-6

v


1 About ProCurve Identity Driven Manager

Chapter Contents

About ProCurve Identity Driven Manager

Introduction ... 1-2
Why IDM? ... 1-3
What's New in IDM 2.3 ... 1-5
IDM Architecture ... 1-6
Terminology ... 1-8
IDM Specifications ... 1-10
Supported Devices ... 1-10
Operating Requirements ... 1-10
Additional Requirements ... 1-11
Upgrading from Previous Versions of PCM and IDM ... 1-11
Registering Your IDM Software ... 1-12
Learning to Use ProCurve IDM ... 1-14
Getting ProCurve Documentation From the Web ... 1-15
ProCurve Support ... 1-15

1-1


About ProCurve Identity Driven Manager: Introduction

Introduction

Network usage has skyrocketed with the expansion of the Internet, wireless, and convergence technologies. This increases the burden on network managers working to control network usage. Also, the complexity of large networks makes it difficult to control network access and usage by individual users.

ProCurve Identity Driven Manager (IDM) is an add-on module to the ProCurve Manager Plus (PCM+) application that extends the functionality of PCM+ to include authorization control features for edge devices in networks using RADIUS servers and Web-Authentication, MAC-Authentication, or 802.1x security protocols.

Using IDM simplifies user access configuration by automatically discovering Microsoft IAS RADIUS Servers, Realms, and users. You can use IDM to monitor users on the network, and to create and assign "access policies" that work to dynamically configure edge switches and manage network resources available to individual users. Using IDM, access rights, quality of service (QoS), and VLAN enrollment are associated with a user and applied at the point of entry or "edge" of the network.

Figure 1-1. ProCurve Identity Driven Manager, Client Interface

1-2


Why IDM?

Today, access control using a RADIUS system and ProCurve devices (switches or wireless access points) is typically made up of several steps.

Figure 1-2. Current Access Control process

1. A client (user) attempts to connect to the network.

2. The edge device recognizes a connection state change, and requests identifying information about the client. This can include MAC address, username and password, or more complex information.

3. The switch forwards an access request, including the client information to the authentication server (RADIUS).

4. The RADIUS server validates the user’s identity in the user directory, which can be an Active Directory, database or flat file. Based on the validation result received from the user directory, the authentication server returns an accept or deny response to the switch.

5. If the user is authenticated, the ProCurve device grants the user access to the network. If the user is not authenticated, access is denied.

For networks using IDM, access control is enhanced to include authorization parameters along with the authentication response. IDM enhances existing network security by adding network authorization information, with access and resource usage parameters, to the existing authentication process. Using IDM you can assign access rights and connection attributes at the network switch, with dynamic configuration based on the time, place, and client that is generating the access request.

1-3


When using IDM, the authentication process proceeds as described in the first three steps, but from that point the process changes as follows:

4. The RADIUS server validates the user’s identity in the user directory. Based on the validation result received from the user directory, the authentication server returns an accept or deny response to the switch. If the user is accepted (authenticated), the IDM Agent on the RADIUS server processes the user information. IDM then inserts the network access rights configured for the user into the Authentication response sent to the switch.

5. If the user is authenticated, the switch grants the user access to the network. The (IDM) authorization information included in the authentication response is used to configure VLAN access, QoS, and bandwidth parameters for the user, and which network resources the user can access based on the time and location of the user's login.

If the user is authenticated by the RADIUS server, but IDM’s authorization data indicates that the user is attempting to access the network at the wrong time, or from the wrong location or system, the user’s access request is denied by IDM.

Figure 1-3. Access Control using IDM

If a user is authenticated in RADIUS, but is unknown to IDM, IDM will not override RADIUS authentication and default switch settings, unless you configure it to do so. You can create a "guest" profile in IDM to provide limited access for unknown users.

1-4


What’s New in IDM 2.3

ProCurve Identity Driven Manager version 2.3 includes the following new features and enhancements:

■ IDM - NPS/NAP Integration

IDM integrates with Network Policy Server (NPS), Microsoft's RADIUS server on a Windows 2008 server, and Network Access Protection (NAP), an Endpoint Integrity offering from Microsoft that is offered as an integrated solution in the following tiers:

• Server tier that runs only on NPS in Windows 2008

• Client tier that performs endpoint testing in Windows Vista

■ Support for nested groups in Active Directory Synchronization

Active Directory synchronization now includes all users who are indirect members of a group via intervening nested group relationships. For additional information, see page 2-40.

■ Enhanced Secure Access Wizard

• AP530 Group Configuration Check Step has been added to support AP530 access points.

• Ports to which the secure access settings will apply can now be selected from a list.

• VLANs used for authenticated and unauthenticated ports can now be selected for 802.1X, Web Auth, and MAC Auth settings.

• Redirect URL has been added to redirect users who have logged in successfully.

1-5


IDM Architecture

In IDM, when a user attempts to connect to the network through an edge switch, the user is authenticated via the RADIUS Server and user directory. Then, IDM is used to return the user's "access profile" along with the authentication response from RADIUS to the switch. The IDM information is used to dynamically configure the edge switch to provide the appropriate authorizations to the user, that is, what VLAN the user can access, and what resources (QoS, bandwidth) the user gets.

The following figure illustrates the IDM architecture and how it fits in with RADIUS.

Figure 1-4. IDM Architecture

IDM consists of an IDM Agent that is co-resident on the RADIUS server, and an IDM Server that is co-resident with PCM+. Configuration and access management tasks are handled via the IDM GUI on the PCM+ management workstation.

The IDM agent includes:

• A RADIUS interface that captures user authentication information from the RADIUS server and passes the applicable user data (username, location, time of request) to the IDM Decision Manager. The interface also passes user access parameters from IDM to the RADIUS server.

1-6


• A Decision Manager that receives the user data and checks it against user data in the local IDM data store. Based on the parameters defined in the data store for the user data received, the Decision Manager outputs access parameters for VLAN, QoS, bandwidth, and network resource access to the RADIUS interface component.

• A Local Data Store that contains information on Users and the Access Policy Groups to which the user belongs. The Access Policy Group defines the rules that determine the user’s access rights.
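The following Python model ties together the IDM access-control sequence described under "Why IDM?" (RADIUS authenticates; IDM inserts authorization attributes or denies on wrong time/location; unknown users pass through unless a guest profile exists) and the Decision Manager component described just above. It is an added illustration written for this page, not IDM's own code: the data-store layout, the rule and profile classes, the sample users and switch addresses, and the `X-Example-*` QoS/bandwidth attribute names are all constructed assumptions. Only the VLAN attributes (`Tunnel-Type`, `Tunnel-Medium-Type`, `Tunnel-Private-Group-ID`) are the standard RFC 3580 attributes that edge switches use for dynamic VLAN assignment.

```python
"""Constructed model of the IDM authorization step: the RADIUS server's own
accept/deny result reaches a decision manager, which looks the user up in a
local data store, matches the request's location and time of day against the
user's Access Policy Group rules, and either inserts access-profile attributes
into the reply or turns the accept into a reject. Written for this page; it is
not IDM's implementation."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class AccessProfile:
    """What the edge switch is told to apply for the session."""
    name: str
    vlan: int
    qos_priority: int      # 0..7 priority (constructed representation)
    bandwidth_kbps: int    # rate limit (constructed representation)


@dataclass(frozen=True)
class AccessRule:
    """One Access Policy Group rule: where and when it applies, and what it grants.
    profile=None is an explicit deny rule."""
    locations: Set[str]    # NAS (edge switch) addresses; "*" matches any location
    start: time
    end: time              # end <= start means the window wraps past midnight
    profile: Optional[AccessProfile]

    def matches(self, nas_ip: str, when: datetime) -> bool:
        if "*" not in self.locations and nas_ip not in self.locations:
            return False
        t = when.time()
        if self.start < self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end   # overnight window, e.g. 22:00-06:00


@dataclass(frozen=True)
class AccessRequest:
    """The fields the RADIUS interface hands to the decision manager."""
    username: str
    nas_ip: str
    when: datetime
    radius_accepted: bool  # outcome of the RADIUS server's own authentication


def profile_attributes(p: AccessProfile) -> Dict[str, str]:
    """Reply attributes for a profile. The VLAN uses the RFC 3580 tunnel attributes;
    the QoS/bandwidth names are constructed placeholders, not IDM's real
    vendor-specific attributes."""
    return {
        "Tunnel-Type": "VLAN",                 # value 13
        "Tunnel-Medium-Type": "IEEE-802",      # value 6
        "Tunnel-Private-Group-ID": str(p.vlan),
        "X-Example-QoS-Priority": str(p.qos_priority),
        "X-Example-Bandwidth-Kbps": str(p.bandwidth_kbps),
    }


class DecisionManager:
    def __init__(self, store: Dict[str, List[AccessRule]],
                 guest_profile: Optional[AccessProfile] = None) -> None:
        self.store = store                  # local data store: username -> group rules
        self.guest_profile = guest_profile  # optional profile for users unknown to IDM

    def decide(self, req: AccessRequest) -> dict:
        """Return the reply the RADIUS interface should forward to the edge switch."""
        def reject(why: str) -> dict:
            return {"code": "Access-Reject", "attributes": {}, "reason": why}
        def accept(attrs: Dict[str, str], why: str) -> dict:
            return {"code": "Access-Accept", "attributes": attrs, "reason": why}
        if not req.radius_accepted:
            return reject("radius-reject")          # IDM never overrides a RADIUS deny
        rules = self.store.get(req.username)
        if rules is None:
            # Unknown to IDM: leave the RADIUS accept and switch defaults alone,
            # unless a guest profile has been configured for unknown users.
            if self.guest_profile is None:
                return accept({}, "unknown-user-passthrough")
            return accept(profile_attributes(self.guest_profile), "guest-profile")
        for rule in rules:                          # first matching rule wins
            if rule.matches(req.nas_ip, req.when):
                if rule.profile is None:
                    return reject("explicit-deny")
                return accept(profile_attributes(rule.profile), "profile:" + rule.profile.name)
        # Authenticated by RADIUS, but no rule allows this time/location: IDM denies.
        return reject("no-matching-rule")


# Constructed sample data store: two known users, three profiles.
STAFF = AccessProfile("Staff", vlan=10, qos_priority=5, bandwidth_kbps=100000)
NIGHT = AccessProfile("NightOps", vlan=30, qos_priority=3, bandwidth_kbps=20000)
GUEST = AccessProfile("Guest", vlan=99, qos_priority=0, bandwidth_kbps=2000)
SAMPLE_STORE = {
    "alice": [AccessRule({"10.0.0.5"}, time(0, 0), time(0, 0), None),      # lab switch: always deny
              AccessRule({"10.0.0.1"}, time(8, 0), time(18, 0), STAFF)],  # office switch, office hours
    "carol": [AccessRule({"*"}, time(22, 0), time(6, 0), NIGHT)],         # any switch, overnight
}


def evaluate(username: str, nas_ip: str, when_iso: str, radius_accepted: bool = True,
             guest_profile: Optional[AccessProfile] = None) -> dict:
    """Run one request through a decision manager backed by the sample store."""
    req = AccessRequest(username, nas_ip, datetime.fromisoformat(when_iso), radius_accepted)
    return DecisionManager(SAMPLE_STORE, guest_profile).decide(req)


if __name__ == "__main__":
    for args in [("alice", "10.0.0.1", "2008-05-12T10:00:00"),
                 ("alice", "10.0.0.1", "2008-05-12T23:00:00"),
                 ("carol", "10.0.0.7", "2008-05-13T02:00:00"),
                 ("visitor", "10.0.0.1", "2008-05-12T10:00:00")]:
        print(args[0], evaluate(*args))
```

The `reason` field is the piece worth keeping in a real deployment: when a user is rejected after a successful RADIUS authentication, the switch only sees an Access-Reject, so the distinction between "wrong time", "wrong location" and "explicitly denied" has to come from the agent's own log (IDM's Decision Manager tracing serves that purpose).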

The IDM Server provides configuration and monitoring of Identity Driven Manager. It operates as an add-on module to PCM+, using the PCM model database to store IDM data, and a Windows GUI (client) to provide access to configuration and monitoring tools for IDM.

You use the IDM GUI to monitor IDM Agent status and users logged into the network, and to manage IDM configuration, including:

• Defining access parameters for the network, such as locations, times, network resources, and access profiles.

• Creating access profiles that define the network resources and attributes (VLAN, QoS, bandwidth) assigned to users in an Access Policy Group.

• Creating Access Policy Groups with rules (access policies) that will be assigned to users in that Group.

• Assigning users to Access Policy Groups.

• Deploying IDM configuration data to the IDM Agent on the RADIUS server.

1-7


Terminology

Authentication The process of proving the user’s identity. In networks this involves the use of usernames and passwords, network cards (smartcards, token cards, etc.), and a device’s MAC address to determine who and/or what the "user" is.

Authentication Server Authentication servers are responsible for granting or denying access to the network. Also referred to as RADIUS servers because most current authentication servers implement the RADIUS protocol.

Authorization The process that determines what an authenticated user can do. It establishes what network resources the user is, or is not permitted to use.

Bandwidth Amount of network resources available. Generally used to define the amount of network resources a specific user can consume at any given time. Also referred to as rate-limiting.

Client An end-node device such as a management station, workstation, or mobile PC attempting to access the network. Clients are linked to the switch through a point-to-point LAN link, either wired or wireless.

Edge Device A network device (switch or wireless access point) that connects the user to the rest of the network. The edge devices can be engaged in the process of granting user access and assigning a user’s access rights and restrictions.

Endpoint Integrity Also referred to as "Host Integrity," this refers to the use of applications that check hosts attempting to connect to the network to ensure they meet requirements for configuration and security. Generally to make sure that virus checking and spyware applications are in place and up to date.

IDM Agent The IDM Agent resides on the RADIUS server. It inspects incoming authentication requests, and inserts appropriate authorization information (IDM Access Profiles) into the outgoing authentication reply.

QoS Quality of Service, relates to the priority given to outbound traffic sent from the user to the rest of the network.

RADIUS Remote Authentication Dial-in User Service (the term also applies to authentication service in non-dial-in environments).

RADIUS Server A server running the RADIUS application on your network. This server receives user connection requests from the switch, authenticates users, and then returns all necessary information to the edge device.

1-8


Realm A Realm is similar to an Active Directory Domain, but it works across non-Windows (Linux, etc.) systems. Generally specified in User-name as "user@realm."

VLAN A port-based Virtual LAN configured on the switch. When the client connection terminates, the port drops its membership in the VLAN.

1-9


IDM Specifications

Supported Devices

ProCurve Identity Driven Manager (IDM) supports authorization control functions on the following ProCurve devices*:

ProCurve Switches: 6400cl Series, 6200 Series, 5400 Series, 5300xl Series, 4200 Series, 3500 Series, 3400cl Series, 4100gl Series, 2800 Series, 2600 Series (PWR included), 6100 Series, 2500 Series, 9300, 9400

ProCurve Wireless (420, 520wl, 530), Wireless Edge Services Module (WESM)

* Not all devices support all features of IDM. Refer to Appendix A for details.

Operating Requirements

The system requirements for IDM (Server and Client installation) are:

■ Minimum Processor: 2.0 GHz Intel Pentium, or equivalent

■ Recommended Processor: 3.0 GHz Intel Pentium, or equivalent

■ Minimum Memory: 1 GB RAM

■ Recommended Memory: 2 GB RAM

■ Disk Space: 500 MB free hard disk space minimum. (A total of 1 GB will be required for PCM+ and IDM.)

■ Implementation of one of the following RADIUS services. The IDM agent will be installed on this system.

• Microsoft’s Internet Authentication Service, RADIUS authentication server on Windows 2003 Server (Enterprise or Standard Edition).

• Funk’s Steel Belted RADIUS (SBR).

1-10


■ Supported Operating Systems for PCM+ and IDM Remote Client:

• MS Windows XP Pro (Service Pack 1 or better)

• MS Windows 2000 (Server, Advanced Server, or Pro with Service Pack 4 or better)

• MS Windows 2003 (Server or Enterprise Edition)

■ ProCurve Manager Plus software must be installed for IDM to operate. The IDM software cannot be installed as a separate component.

Additional processing power and additional disk space may be required for larger networks.

Additional Requirements

■ Implementation of an access control method, using either MAC-auth, Web-auth, or an 802.1x supplicant application.

For assistance with implementation of RADIUS and access control methods for use with ProCurve switches, refer to the Access Security Guide that came with your switch. All ProCurve Switch manuals can also be downloaded from the ProCurve web site.

For assistance with using RADIUS and 802.1x access control methods, contact the ProCurve Elite Partner nearest you that can provide ProCurve Access Control Security solutions. You can find ProCurve Direct Elite partners on the web at:

http://hp.via.infonow.net/locator/us_partner/index.jsp

■ If you plan to restrict user access to specific network segments, you will need to configure VLANs within your network. For information on using VLANs, refer to the ProCurve Manager Network Administrator's Guide, or the configuration guides that came with your switch.

Upgrading from Previous Versions of PCM and IDM

The installation package for PCM 2.2 contains the IDM 2.15 installation files. If you are running earlier versions of IDM you must select the IDM option during the PCM 2.2 install process. This is required to support changes made in the underlying PCM and IDM databases.

1-11


If you have not purchased an IDM 2.0 or newer license, your installation will include the IDM interface changes made for IDM 2.0, but all new functionality (FUNK SBR support, User Import/Export, Access Control, and Endpoint integrity support) will be disabled until you purchase and register an IDM license.

If you want to test the IDM 2.2 functionality using the 30-day trial provided with the PCM 2.2 Auto-update package, you need to install the software on a separate system that has no previous IDM version installed or in use.

When you upgrade to IDM 2.2, you need to manually install the IDM Agent upgrade on each of your RADIUS Servers. Refer to “Installing the IDM Agent” on page 2-2 for detailed instructions.

Registering Your IDM Software

The ProCurve Manager installation CD includes a fully operable version of the PCM application, and a 30-day trial version of the PCM+ application and the IDM application. Until you have registered your IDM application, an Expiring License warning will be displayed each time you log in, similar to the following.

Figure 1-5. ProCurve Expiring License warning dialogue

Click No, Continue to close the dialogue and just start the program. Click OK to launch the Licensing administration screen.

NOTE: You must first purchase a copy of ProCurve Identity Driven Manager from your networking reseller to get the Registration ID. You do not need to re-install the software from the purchased CD, but you need the Registration ID from that CD to complete the registration process.


Figure 1-6. ProCurve License Administration dialogue

You can also get to this screen from the Preferences window which can be accessed from the PCM Tools menu or by clicking on the Preferences icon in the tool bar.

To register the IDM software:

1. Contact your HP Sales Representative or HP Reseller to purchase the PCM+ and IDM software. You will receive a Registration ID for the purchased software—either on the Software CD case, or a separate registration card sent with the purchase information.

2. Go to the Licensing window in PCM [Preferences->Licensing and Support ->Licensing]. Write down the Installation Identifier for the software as it appears in the upper left corner of the window. You can also leave this window open and use the “copy and paste” functions to enter the Install ID in the My ProCurve software registration window.

3. Click the Register button to go to the PCM registration web site.

4. If this is an upgrade, log in with your My ProCurve ID and password. If you are a new user, click the Register Here button, and then enter the required information to create a user account, including user name, password, company name, and E-mail address.

5. Click the My Software tab, and then select the Management Software option to display the Product Type selection links.

6. Select the ProCurve Network Management Software link to display the License Registration window.


7. In the Registration window:

a. Select the product to register from the Product Type pull-down menu.

b. Enter the Registration ID, found on the back of the software CD case, or on the registration card you received when you purchased the software.

8. When you receive the License key, go back to the Licensing window in PCM.

Enter the License key number in the Add license field, then click Add.

To avoid data entry errors, you can copy and paste the number from the e-mail or My ProCurve (My Software) Web page.

NOTE: You must first purchase a copy of ProCurve Manager Plus and/or Identity Driven Manager to get the Registration ID. You do not need to re-install the software from the purchased CD, but you need the Registration ID to complete the registration process.

Learning to Use ProCurve IDM

The following information is available for learning to use ProCurve Identity Driven Manager (IDM):

■ This User’s Guide—helps you become familiar with using the application tools for access control management.

■ Online help information—provides information through Help buttons in the application GUI that provide context-sensitive help, and a table of contents with hypertext links to additional procedures and reference information.

■ ProCurve Manager, Getting Started Guide—provides details on installing the application and licensing, and an overview of ProCurve Manager functionality.

■ For additional information on configuring your network, refer to the documentation that came with your switch.


Getting ProCurve Documentation From the Web

1. Go to the Procurve website at http://www.procurve.com.

2. Click on Technical Support.

3. Click on Product manuals.

4. Click on the product for which you want to view or download a manual.

ProCurve Support

Product support is available on the Web at http://www.procurve.com. Click on Technical Support. The information available at this site includes:

• Product Manuals

• Software updates

• Frequently asked questions (FAQs)

• Links to Additional Support information.

You can also call your HP Authorized Dealer or the nearest HP Sales and Support Office, or contact the ProCurve Elite Partner nearest you for information on ProCurve Access Control Security solutions.

You can find ProCurve Elite partners on the web at: http://hp.via.infonow.net/locator/us_partner/index.jsp


2

Getting Started

Chapter Contents

Getting Started

Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
    Installing the IDM Agent . . . . . . . . . . . . . . . . . . . 2-2
    Using the IDM Auto-Discover Feature . . . . . . . . . . . . . 2-3
    IDM Configuration Process Overview . . . . . . . . . . . . . . 2-3
    IDM Usage Strategies . . . . . . . . . . . . . . . . . . . . . 2-4
    Understanding the IDM Model . . . . . . . . . . . . . . . . . 2-5

IDM GUI Overview . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
    IDM Dashboard . . . . . . . . . . . . . . . . . . . . . . . . 2-8
    Using the Navigation Tree . . . . . . . . . . . . . . . . . . 2-9
    Toolbars and Menus . . . . . . . . . . . . . . . . . . . . . . 2-13

Using IDM as a Monitoring Tool . . . . . . . . . . . . . . . . . . 2-14

Using IDM Reports . . . . . . . . . . . . . . . . . . . . . . . . 2-15

Creating Report Policies . . . . . . . . . . . . . . . . . . . . . 2-19
    Configuring a Policy Action to Generate Reports . . . . . . . 2-19
    IDM Session Cleanup Policy . . . . . . . . . . . . . . . . . . 2-26

User Session Information . . . . . . . . . . . . . . . . . . . . . 2-29
    Finding a User . . . . . . . . . . . . . . . . . . . . . . . . 2-33
    User Reports . . . . . . . . . . . . . . . . . . . . . . . . . 2-34
    IDM Preferences . . . . . . . . . . . . . . . . . . . . . . . 2-36
    Using Active Directory Synchronization . . . . . . . . . . . . 2-38


Before You Begin

If you have not already done so, please review the list of supported devices and operating requirements under “IDM Specifications” on page 1-10.

If you intend to restrict user access to specific areas of the network using VLANs, make sure you have set up your network for use of VLANs. For details on configuring VLANs, refer to the ProCurve Manager Network Administrator’s Guide, or the Advanced Traffic Management Guide for your ProCurve switch.

Installing the IDM Agent

The IDM application components are installed on your system when you select the IDM option from the PCM+ software CD. To install the IDM Agent on a RADIUS server:

1. If the PCM software is not on the same system as your RADIUS server, you need to configure "Client/Server" access permissions on the PCM server to allow the RADIUS server to communicate with IDM. This is done by adding the IP address of the RADIUS server to the access.txt file on the PCM server. For details, refer to the ProCurve Manager Getting Started Guide, under "Configuring Client/Server Access Permissions."

2. Open a Web browser window on the RADIUS server and for the URL, type in the IP address of the PCM server computer, followed by a colon and the port ID 8040. For example, if the IP address of the PCM server is 10.15.20.25, then on the RADIUS server, enter http://10.15.20.25:8040 on the web browser address line.

3. In the install scripts page that appears, select the IDM Agent to download it to the RADIUS server system.

4. Run the Install.exe that is downloaded to the RADIUS server. The Install Wizard guides you through the installation process. During installation you will be prompted to enter the IP Address of the IDM Server, which is the same as the PCM Server.

You cannot install the IDM Agent on a system without the RADIUS server. Also, if the IP address of the RADIUS server is not in the access.txt file on the PCM server, you will get an alert message during the IDM Agent install.

Once installed, the IDM Agent begins collecting User, Realm, and RADIUS data.


The IDM Client is included with the PCM+ software. To install a remote PCM/IDM Client, download the PCM Client to a remote PC using the same process as for installing the IDM Agent, just select the PCM Client option from the PCM server. For details, see the ProCurve Manager Getting Started Guide.

Using the IDM Auto-Discover Feature

You can manually configure the RADIUS server, Realms, and Users in IDM, or you can let IDM do the hard work for you. You have two options for automatically discovering users. Either enable Active Directory synchronization to import users from the Active Directory, or install the IDM Agent on the system with the RADIUS Server, then let it run to collect the information as users log into the network. Even after you begin creating configurations in IDM, both options continue to collect information on users and Realms (domains in Active Directory) and pass that information to the IDM server.

If you are using multiple RADIUS servers, you need to install an IDM Agent on each of the servers. The IDM Agent collects information only on the system where it is installed. The IDM client can display information for all RADIUS servers where the IDM Agent is installed.

When you start the IDM Client and expand the navigation tree in the IDM Home tab, you will see any discovered or defined Realms found on the RADIUS server, along with the IP Address for the RADIUS Server(s).

IDM Configuration Process Overview

To configure IDM to provide access control on your network, first let IDM run long enough to "discover" the Realms, RADIUS servers, and users on your network. Once IDM has performed these tasks for you, the configuration process is as follows:

1. If you intend to use them, define "locations" from which users will access the network. A location may relate to port-based VLANs, or to all ports on a device. (See page 3-7)

2. If you intend to use them, define "times" at which users are allowed or denied access. This can be by day, week or even hour. (See page 3-14)

3. Define any "network resources" (systems and applications) that you want to specifically allow or restrict users from accessing.

4. If you intend to restrict a user's access to specific systems, you need to set the User profile to include the MAC address for each system that the user is allowed to log in on. (See page 3-54)


5. Create the Access Profiles, which set the VLAN, QoS, and rate-limit (bandwidth) attributes, and the network resources that are available, for users in an Access Policy Group. (See page 3-26)

6. Create an Access Policy Group, with rules containing the Location, Time, System, and Access Profile that is applied to users when they log in. (See page 3-36)

OR

If using Active Directory synchronization, add rules and Access Profiles to the Access Policy Groups automatically created by Active Directory synchronization.

7. If Active Directory synchronization is not used, assign Users to the appropriate Access Policy Group. (See page 3-43).

8. If automatic deployment is disabled, deploy the configuration policies to the IDM Agent on the RADIUS server. (See page 3-49)

IDM Usage Strategies

You can use IDM to simply monitor user activity on the network, or to apply user authentication rules to improve network security and performance. The following table identifies the IDM configuration for various deployment and usage strategies for IDM.

Table 2-1: IDM Deployment and Usage Strategies

Authenticate  Authorize                               Strategy Description
              VLAN  QoS  Rate-Limit  Network Resources
                                                      Monitor and report user activity.
x                                                     Enhance normal RADIUS authentication with Location, Time, and System rules
x             x                                       Provide rudimentary VLAN segregation (Unknown Users, Guests, Visitors, Contractors)
x             x                                       Provide complete VLAN placement for all Users
x                   x    x                            Provide QoS and Rate-limits per User
x             x     x    x           x                VLAN, QoS, and Rate-limit attributes, and accessibility of defined Network Resources for all users, based on Location, Time, and System


Understanding the IDM Model

The first thing to understand is that IDM works within the general concept of ‘domains’ or ‘realms’. Basically, realms are very large organizational units; every user belongs to one, and only one, realm. While it is possible to have multiple realms, most organizations have only one, for example, hp.com or csuchico.edu.

The basic operational model of IDM involves Users and Groups. Every User belongs to a Group – in IDM these are called Access Policy Groups (APGs). Each APG has an Access Policy defined for it, which governs the access rights that are applied to its Users as they enter the network.

In the IDM GUI, the top level of the navigation tree is the Realm, with all other information for APGs, and RADIUS Servers beneath the Realm in the navigation tree. Users are linked to the Realm to which they belong, and the Access Policy Group to which they are assigned.

The IDM configuration tools are available at the top level. The definition of times, locations, network resources, and access profiles is independent of individual Realms or Groups. You can define multiple locations, times, and network resources, then create multiple access profiles to be applied to any Access Policy Group, in any Realm that exists within IDM.
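The model just described, and the configuration steps 1 through 8 above, as an added Python example (not ProCurve's own code): a toy representation of Realms, Access Policy Groups, Locations, Times, Access Profiles, and per-user MAC restrictions, with a function that selects the Access Profile for one login. The class names, the "first matching rule wins" order, the ACCEPT/REJECT results, and the sample realm (addresses, VLAN ids, users) are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Added example, not ProCurve code: a toy model of the IDM objects described
# above. Class names, rule order and ACCEPT/REJECT results are assumptions.

@dataclass(frozen=True)
class Location:
    name: str
    ports: frozenset  # {(switch_ip, port)}; port None = all ports on that switch

    def matches(self, device, port):
        return (device, port) in self.ports or (device, None) in self.ports

@dataclass(frozen=True)
class TimeWindow:
    name: str
    weekdays: frozenset  # 0 = Monday ... 6 = Sunday
    start_hour: int      # inclusive
    end_hour: int        # exclusive

    def matches(self, when):
        return when.weekday() in self.weekdays and self.start_hour <= when.hour < self.end_hour

@dataclass(frozen=True)
class AccessProfile:
    name: str
    vlan: Optional[int]             # None: leave the port's VLAN unchanged
    qos: Optional[int]              # 802.1p priority; None: unchanged
    rate_limit_kbps: Optional[int]  # None: no rate limit
    network_resources: frozenset    # names of resources the user may reach

@dataclass(frozen=True)
class Rule:
    profile: AccessProfile
    location: Optional[Location] = None  # None: any location
    time: Optional[TimeWindow] = None    # None: any time
    system_mac: Optional[str] = None     # None: any endpoint

    def matches(self, device, port, mac, when):
        return ((self.location is None or self.location.matches(device, port))
                and (self.time is None or self.time.matches(when))
                and (self.system_mac is None or self.system_mac == mac))

@dataclass
class AccessPolicyGroup:
    name: str
    rules: list                     # evaluated in order; first match wins
    default_profile: AccessProfile  # applied when no rule matches

@dataclass
class User:
    username: str
    realm: str                      # every user belongs to exactly one realm
    apg: str
    allowed_macs: frozenset = frozenset()  # empty: may log in from any system

def authorize(realms, username, realm, device, port, mac, when):
    """Return ("ACCEPT", AccessProfile) or ("REJECT", reason) for one login."""
    mac = mac.lower()
    user = realms.get(realm, {}).get("users", {}).get(username)
    if user is None:
        return ("REJECT", "unknown user or realm")
    if user.allowed_macs and mac not in user.allowed_macs:
        return ("REJECT", "system MAC not allowed for this user")
    apg = realms[realm]["apgs"][user.apg]
    for rule in apg.rules:
        if rule.matches(device, port, mac, when):
            return ("ACCEPT", rule.profile)
    return ("ACCEPT", apg.default_profile)

# Constructed sample realm; addresses, VLAN ids and names are invented.
OFFICE = Location("Office", frozenset({("10.1.1.1", None)}))
LOBBY = Location("Lobby", frozenset({("10.1.1.2", 1), ("10.1.1.2", 2)}))
BUSINESS_HOURS = TimeWindow("Business hours", frozenset(range(5)), 8, 18)
STAFF = AccessProfile("Staff", 10, 5, None, frozenset({"Intranet", "Mail"}))
GUEST = AccessProfile("Guest", 99, 0, 512, frozenset({"Internet"}))
QUARANTINE = AccessProfile("Quarantine", 666, 0, 64, frozenset())
EMPLOYEES = AccessPolicyGroup("Employees", [
    Rule(STAFF, location=OFFICE, time=BUSINESS_HOURS),
    Rule(GUEST, location=LOBBY),
], default_profile=QUARANTINE)
SAMPLE_REALMS = {"example.com": {
    "apgs": {"Employees": EMPLOYEES},
    "users": {
        "alice": User("alice", "example.com", "Employees", frozenset({"00:11:22:33:44:55"})),
        "bob": User("bob", "example.com", "Employees"),
    },
}}

if __name__ == "__main__":
    monday = datetime(2008, 5, 5, 10, 0)
    print(authorize(SAMPLE_REALMS, "alice", "example.com", "10.1.1.1", 7, "00:11:22:33:44:55", monday))
    print(authorize(SAMPLE_REALMS, "bob", "example.com", "10.1.1.1", 7, "aa:bb:cc:dd:ee:ff", datetime(2008, 5, 4, 10, 0)))
```

The default profile is the security-relevant design choice: a login that matches no rule still gets a profile, so the APG's default should be the most restrictive one rather than the most permissive.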


IDM GUI Overview

To use the IDM client, launch the PCM Client on your PC. Select the ProCurve Manager option from the Windows Program menu to launch the PCM Client.

The PCM Client starts up and displays the Login dialogue.

Figure 2-1. PCM Client Login dialogue.

If you did not enter a Username or Password during install, type in the default Username, Administrator, then click Login to complete the login and startup.

For additional information on using the PCM Client, refer to the ProCurve Manager Network Administrator’s Guide.


Select the IDM Tree tab at the bottom left of the PCM window to display the IDM Home window.

Figure 2-2. IDM Home Window

The IDM Home display provides a quick view of IDM status in the IDM Dashboard tab, along with a navigation tree and access to menu and toolbar functions. You can resize the entire window, and/or resize the panes (sub-windows) within the Identity Management Home window frame.

NOTE: If the IDM Dashboard shows the IDM Agent Status as inactive, and the Inventory and Logins panes show no data:

■ Check the PCM Events tab for the following entry: "PCM remote client authentication failure: <ip address>"

■ Check for IDM application events related to devices "supporting" or "not supporting" the configuration.

■ Check to make sure the access.txt file on the PCM (IDM) Server system includes an IP address entry for each RADIUS server where the IDM Agent is installed. See “Installing the IDM Agent” on page 2-2 for details.


IDM Dashboard

The IDM Dashboard tab (window) contains four separate panels, described below.

Identity Management Status: The IDM Agent Status pane uses a color-coded histogram to indicate the number of currently active (green) and inactive (red) IDM Agents. Hovering with the mouse pointer over the bar displays the specific number.

The Users per Access Policy Group pane uses a pie-chart to indicate the percentage of users currently assigned to the various APGs. You can hover with the mouse pointer over a segment to display the APG name and number of assigned users.

Inventory: The Inventory panel lists the current number of Realms, RADIUS Servers, Users, Access Policy Groups, Access Profiles, Locations, and Times that are defined in IDM.

IDM Events: The IDM Events panel provides a summary of IDM Events by severity type. Hovering with the mouse pointer over the event type displays the total number of events of that type currently in the log. Clicking on the Events panel will display the IDM Events tab, with a detailed event listing.

Logins/Hour: The Logins per Hour panel is a scrolling 24-hour display that summarizes the total number of successful and failed IDM user logins at any given time during the past 24 hours. Information in this panel is updated every minute. Hovering with the mouse pointer over the bar for a specific time period displays the specific number of logins.


Using the Navigation Tree

The navigation tree in the left pane of the IDM window provides access to IDM features using the standard Windows file navigation system. Click the nodes to expand the list and change the display in the right window panel.

Figure 2-3. IDM Navigation Tree

The IDM tree is organized as follows:

Realms: The top level of the tree lists each of the Realms that have been discovered by an IDM Agent or defined manually. Clicking on the Realms node in the tree displays the Realms List in the right panel of the window. Expanding the node displays each Realm name in the tree, and Unassigned RADIUS Servers if they exist.

Figure 2-4. Realms List tab

Clicking on the individual realm name in the tree displays the Realm Properties tab in the right panel.


Figure 2-5. Realm Properties tab

Click the Users tab, underneath the Realm Properties tab, to view a list of users in the Realm that were discovered by the IDM Agent, or defined manually.

Figure 2-6. Realm Users tab

Expanding the Realm node in the tree will display the Access Policy Groups and RADIUS server nodes for the Realm.

Access Policy Groups: Click the Access Policy Group node to display the Access Policy Groups tab with a list of currently configured groups. You can also expand the node to view the APGs in the tree.


Figure 2-7. Access Policy Groups tab

Click the individual group node in the tree to display the group’s Properties.

Figure 2-8. Access Policy Group Properties tab

The Users tab underneath contains the list of users currently assigned to the Access Policy Group.


RADIUS Servers: Clicking the RADIUS Servers node displays the RADIUS List tab, with status and configuration information for each RADIUS Server in the Realm that has an IDM Agent installed, or that is manually defined.

Figure 2-9. RADIUS List tab

NOTE: If the RADIUS server is not in the IDM tree, check the PCM Events for the following message: "PCM remote client authentication failure: <ip address>". Make sure the IP address for the RADIUS server is included in the access.txt file on the PCM server. See “Installing the IDM Agent” on page 2-2 for details.
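The access.txt check that this note, the IDM Dashboard note on page 2-7, and step 1 of “Installing the IDM Agent” all come back to, as an added Python pre-flight script (not part of PCM or IDM). It assumes, because the guide does not say, that access.txt holds one IP address per line with optional "#" comments, and that the PCM Events were exported as plain text lines containing the message quoted above; the sample file and event lines are constructed for the example.

```python
import re
from ipaddress import ip_address

# Added example, not part of PCM or IDM. Assumes access.txt lists one IP per
# line ("#" comments allowed) and that PCM Events are available as text lines.
EVENT_RE = re.compile(r"PCM remote client authentication failure:\s*([0-9.]+)")

def parse_access_txt(text):
    """Return the set of IP addresses listed in an access.txt-style file."""
    allowed = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        try:
            allowed.add(str(ip_address(line)))  # normalise; skip malformed lines
        except ValueError:
            continue
    return allowed

def refused_client_ips(event_lines):
    """IPs for which PCM logged a remote client authentication failure."""
    found = set()
    for line in event_lines:
        m = EVENT_RE.search(line)
        if m:
            try:
                found.add(str(ip_address(m.group(1))))
            except ValueError:
                pass
    return found

def agent_preflight(radius_servers, access_txt, event_lines=()):
    """Classify each RADIUS server that will host an IDM Agent.

    "missing": not in access.txt, so the IDM Agent install raises an alert
               and the server will not appear in the IDM tree;
    "refused": listed now, but PCM has already logged an authentication
               failure for it (the entry may post-date the agent's attempt);
    "ok":      listed and no failure recorded.
    """
    allowed = parse_access_txt(access_txt)
    refused = refused_client_ips(event_lines)
    report = {}
    for server in radius_servers:
        ip = str(ip_address(server))
        if ip not in allowed:
            report[ip] = "missing"
        elif ip in refused:
            report[ip] = "refused"
        else:
            report[ip] = "ok"
    return report

# Constructed sample data; addresses and the INFO line are invented.
SAMPLE_ACCESS_TXT = """\
# access.txt on the PCM server
10.15.20.30
10.15.20.31    # second RADIUS server
not-an-address
"""
SAMPLE_EVENTS = [
    "2008-05-05 09:12:01 WARNING PCM remote client authentication failure: 10.15.20.32",
    "2008-05-05 09:12:04 WARNING PCM remote client authentication failure: 10.15.20.31",
    "2008-05-05 09:12:09 INFO    IDM Agent registered from 10.15.20.30",
]

if __name__ == "__main__":
    servers = ["10.15.20.30", "10.15.20.31", "10.15.20.32"]
    for ip, status in agent_preflight(servers, SAMPLE_ACCESS_TXT, SAMPLE_EVENTS).items():
        print(f"{ip}: {status}")
```

Run it with the real access.txt contents and an export of the PCM Events before installing an agent on each RADIUS server; a "refused" entry means the address is present now but PCM rejected that client earlier, so the entry should be re-checked for typos and the agent's connection retried.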

You can expand the RADIUS Servers node to view the servers in the tree. Click the individual server to display the RADIUS Server Properties.

Figure 2-10. RADIUS Server Properties tab


The Activity Log tab underneath the properties display contains a listing of IDM application events for that RADIUS server such as server startup, server connections, user logins, IDM configuration deployment, etc.

Toolbars and Menus

Because IDM is a module within PCM, it uses the same Main Menu and Global toolbar functions. Individual tabs or windows within the IDM module also include separate component toolbars.

The functions available in the component toolbar vary based on applicable functions for that component. Toolbar icons for disabled functions are grayed out. The component toolbar options are described under the process they support in the next chapter. You can hover with the mouse to display "Tooltips" for each icon.

Using Right-Click Menus

You can also access most of the functions provided with IDM via the "right-click" menus. To use the right-click menu, select an object (node) in the navigation tree on the left of the screen, then right-click your mouse to display the menu. You can also access the right-click menus when an item is selected in a list on the tab window displays.

Figure 2-11. IDM Right-click menu

The options available in the right-click menu will vary based on the node or list item you have selected. Disabled functions are grayed out.


Using IDM as a Monitoring Tool

Whether or not you configure and apply access and authorization parameters using IDM, you can use IDM to monitor user sessions on the network and generate usage reports. You can use the monitoring features along with the IDM Reports to track usage patterns, user session statistics, bandwidth usage, top users, and so on. The User session information can also be used to track current user sessions and modify the User’s access to network resources if needed.

NOTE: Session accounting must be enabled on the switch, and in IDM, for the monitoring and User session accounting in IDM to work. Refer to the section on "Radius Authentication and Accounting" in the Access and Security Guide provided with the ProCurve switch for details on enabling session accounting.

You can enable or disable IDM monitoring using the IDM Preferences. Using the IDM Preferences, you can also configure IDM to work with existing "Endpoint Integrity" applications used to determine the compliance of the authenticating clients to rules and requirements (for firewalls, anti-virus, etc.) that have been set up in the domain.

NOTE: If you are using Web-Auth or MAC-Auth for user authentication, user session statistics are unavailable from the switch and cannot be collected, unless you are using a version of firmware on the switch that supports accounting for Web-Auth and MAC-Auth sessions. Currently, only the latest versions of the 5300 support this; check the ProCurve web site for updates.


Using IDM Reports

IDM provides reports designed to help you monitor and analyze usage patterns for network resources. The report options are available from the Tools menu.

Figure 2-12. IDM Reports Menu

The Report wizard screens and report parameters vary, depending on the type of report selected.

When you select a report using the IDM Reports sub-menu, the Report wizard is launched. Use the wizard to set filter options, and selectable data elements. When you click Finish, the report is generated and the output displays on the IDM Client, similar to the following example:


Figure 2-13. Bandwidth Usage Report

You can save the report to a file, or print the report. To apply customized Report Header information for your company, use the Reports option in the global preferences [Tools->Preferences->Global->Reports].

The Schedule a report option in the Tools menu launches the Schedule Reports Policy Wizard, which lets you schedule reports to be created at recurring intervals.

Each of the available reports is summarized below, along with the report filter options, and configurable report parameters, if applicable.

Configuration Report: The Configuration Report provides information describing the configuration of the IDM systems, including: Realms, RADIUS servers, Access Profiles, and Users configured in IDM. Each category is listed on a separate page. You can filter out the User configurations in the report.

Unsuccessful Login Report: The Unsuccessful Login Report lists failed system logins, which can be filtered by date. The report includes the following information:

Date: Date and time when the login failed

Username: Username entered to log in

Realm: Realm associated with the access policy group to which the user is assigned

Friendly Name: Name of the user logging in with the username

Access Policy: Access policy group to which the user is assigned

Last Login: Date and time the user last logged in successfully

Denial Reason: Reason the login failed. Denial reasons can be generated by IDM or the RADIUS server.

Bandwidth Usage Report: The Bandwidth Usage Report lists bandwidth usage per User for the top 25 bandwidth users. You can filter the report to show results by top Users, dates, Realm, and Access Policy Group. This report is helpful in identifying candidates for throttling.

Note: You must have the Enable user session accounting option selected in the IDM Preferences in order to collect Bandwidth and other user session data for reports.

The following information is provided for each user included in the Bandwidth Usage report:

Username: Username used to log in

Realm: Realm (Access Policy Group and RADIUS server) to which the user is assigned

Access Policy Group: Access Policy Group governing a user's login to the RADIUS server

Input Bytes, Output Bytes, Total Bytes: The number of bytes (KB) processed during the User’s session, indicating the bandwidth usage for that user.

Connection Time: Length of time the user was connected (in minutes) for the session.

IDM Statistics: The IDM Statistics report provides information on the number of logins, input bytes and output bytes, by day and hour. You can filter the report by configuring it for any one, or combination of: Realm, Access Policy Group, and Location.

Session History: The Session History Report provides details on user sessions. You can filter the report by configuring it for any one, or combination of: dates, Realm, Access Policy Group, and Location. You can also filter the report to show the top results by bandwidth only.

Once the initial report dates and filters are set, you can also configure what columns you want to include in the report. The available column headings include: RADIUS Server IP, Location, MAC Address, Device, Device Port, VLAN, QOS, Endpoint Integrity State, and BW (Bandwidth).

User MAC Addresses: The User MAC Addresses report provides a listing of MAC Addresses in use, and allowed for use, by Access Policy Group and User. You can filter the report to get data for any one, or combination of, Realm and Access Policy Group.

Endpoint Integrity State: The Endpoint Integrity State report collects data on the Endpoint Integrity State for users along with the date, and Access Profile used. This report lets you see which Users’ systems are compliant with your host integrity solution. You can filter the report by date, and by one or more of the following "State" types: Failed, Passed, and Unknown.


User Report: The User Report lists information for recent sessions in which the user participated, similar to the Session History report.

To display the User Report select a username in the Users tab of the Access Policy Group or RADIUS Server window, and then click the User Report icon in the toolbar.
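The Unsuccessful Login and Bandwidth Usage reports described above, and the Logins per Hour panel of the IDM Dashboard, as an added Python example (not IDM's own report engine). The column names follow the guide; the per-session record layout, the KB rounding (integer division by 1024), the "Last Login" lookup, and the five constructed session records are assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import date, datetime

# Added example, not IDM's report engine. The record layout, the KB rounding and
# the filters are assumptions; the column names follow the guide.

# Constructed sample of per-session accounting data; users and byte counts invented.
SESSIONS = [
    {"username": "alice", "friendly": "Alice Adams", "realm": "example.com", "apg": "Employees",
     "start": datetime(2008, 5, 5, 8, 5), "ok": True, "denial": None,
     "in_bytes": 120_000_000, "out_bytes": 30_000_000, "minutes": 480},
    {"username": "bob", "friendly": "Bob Brown", "realm": "example.com", "apg": "Employees",
     "start": datetime(2008, 5, 5, 8, 40), "ok": True, "denial": None,
     "in_bytes": 2_000_000_000, "out_bytes": 500_000_000, "minutes": 300},
    {"username": "bob", "friendly": "Bob Brown", "realm": "example.com", "apg": "Employees",
     "start": datetime(2008, 5, 5, 9, 15), "ok": False, "denial": "IDM: system MAC not allowed",
     "in_bytes": 0, "out_bytes": 0, "minutes": 0},
    {"username": "mallory", "friendly": "", "realm": "example.com", "apg": "Guests",
     "start": datetime(2008, 5, 5, 9, 20), "ok": False, "denial": "RADIUS: invalid credentials",
     "in_bytes": 0, "out_bytes": 0, "minutes": 0},
    {"username": "carol", "friendly": "Carol Clark", "realm": "example.com", "apg": "Guests",
     "start": datetime(2008, 5, 5, 13, 0), "ok": True, "denial": None,
     "in_bytes": 50_000_000, "out_bytes": 5_000_000, "minutes": 60},
]

def unsuccessful_logins(sessions, since=None):
    """Unsuccessful Login Report rows, optionally limited to failures at or after `since`."""
    rows = []
    for s in sessions:
        if s["ok"] or (since is not None and s["start"] < since):
            continue
        # "Last Login": the most recent successful login by the same username before the failure
        earlier_ok = [t["start"] for t in sessions
                      if t["ok"] and t["username"] == s["username"] and t["start"] < s["start"]]
        rows.append({
            "Date": s["start"], "Username": s["username"], "Realm": s["realm"],
            "Friendly Name": s["friendly"], "Access Policy": s["apg"],
            "Last Login": max(earlier_ok) if earlier_ok else None,
            "Denial Reason": s["denial"],
        })
    return rows

def bandwidth_usage(sessions, top=25, realm=None, apg=None):
    """Bandwidth Usage Report: per-user totals in KB, highest first, limited to `top` users."""
    totals = defaultdict(lambda: {"in": 0, "out": 0, "minutes": 0})
    for s in sessions:
        if not s["ok"] or (realm and s["realm"] != realm) or (apg and s["apg"] != apg):
            continue
        t = totals[(s["username"], s["realm"], s["apg"])]
        t["in"] += s["in_bytes"]
        t["out"] += s["out_bytes"]
        t["minutes"] += s["minutes"]
    rows = [{"Username": u, "Realm": r, "Access Policy Group": g,
             "Input KB": t["in"] // 1024, "Output KB": t["out"] // 1024,
             "Total KB": (t["in"] + t["out"]) // 1024, "Connection Time": t["minutes"]}
            for (u, r, g), t in totals.items()]
    rows.sort(key=lambda row: row["Total KB"], reverse=True)  # throttling candidates first
    return rows[:top]

def logins_per_hour(sessions, day):
    """Dashboard-style 24-slot histogram of (hour, successful, failed) logins for one day."""
    ok, failed = Counter(), Counter()
    for s in sessions:
        if s["start"].date() == day:
            (ok if s["ok"] else failed)[s["start"].hour] += 1
    return [(hour, ok[hour], failed[hour]) for hour in range(24)]

if __name__ == "__main__":
    for row in unsuccessful_logins(SESSIONS):
        print(row)
    for row in bandwidth_usage(SESSIONS, top=3):
        print(row)
    print([slot for slot in logins_per_hour(SESSIONS, date(2008, 5, 5)) if slot[1] or slot[2]])
```

The "Denial Reason" column is where IDM-generated denials (a rule or MAC restriction) and RADIUS-generated denials (bad credentials) are told apart, which is what makes the Unsuccessful Login Report useful for triage rather than just counting.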

Creating Report Policies

You can also use the Policy Manager feature to schedule reports to be created at regular intervals, or in response to an event. For complete details on creating policies, refer to “Configuring Policies” in the ProCurve Manager v2.3 Network Administrator’s Guide.

The basic process for creating a Report Policy is:

■ Configure the Time periods when the report policy can be executed. If no time is specified, the policy can execute at any time.

■ Alerts - Use the Scheduled Alert option to set a recurring schedule for a report to be generated. Alerts serve as the trigger used to launch an Action. Alerts can be event-driven, or scheduled to occur at a specified time.

■ Action - Configure the Report Manager:GenerateReport type(s) for the policy. The following section describes the Report action types and configurable parameters and filters for each report type.

You do not need to configure the Sources or Targets for a report, Policy as you will select the device groups the policy applies to in the Report Action.

Configuring a Policy Action to Generate Reports

To configure a Policy Action to run an IDM report (the example below selects the IDM Statistics report):

1. Click the Policy Manager icon in the toolbar to launch the Policy Configuration Manager window.

2. Click the Actions node in the Policy Manager window to display the Manage Actions panel.


Figure 2-14. Policy Manager, Actions display

The Manage Actions window displays the list of defined Actions.

3. Click New... to launch the Create Action dialog:

Figure 2-15. Policy Manager, Create Action display


4. Select the Report Manager:Generate Report Action type from the pull-down menu.

Figure 2-16. Policy Manager, Select Action

5. Type in a Name for the Action (required) and a brief Description (optional)

6. Click OK to save the Action and display the Action Properties tab. The properties you set in the previous step should appear.


Figure 2-17. Policy Manager: Report Manager Action configuration

At this point the other tabs displayed are:

Type: Lets you select the Report type you want to generate. As soon as you select a report type, additional tabs may appear in the window depending on the filter criteria for the report.

Format: Lets you set the report output format

Delivery: Lets you select where the report will be sent (to file, e-mail, etc.)

7. Click the Type tab and select the IDM Report type you want included in the action. In this example, the IDM Statistics report is selected, and the Report Filter tab is added in the window.


Figure 2-18. Report Manager Action, Report type selection

8. Click the Report Filter tab to select the report criteria:

Report Filter: Lets you select the filter criteria to be applied when generating the report. The filter options will vary based on the selected report.

9. Click the Format tab to set the report output style you want to generate.

Figure 2-19. Report Manager Action: Report format selection


• PDF Produce the report in .pdf format. To view this file format, you will need Adobe Acrobat Reader, which can be downloaded free from http://www.adobe.com/products/acrobat/readstep2.html.

• HTML Produce the report in .html format, which can be viewed with any Web browser.

• CSV Produce the report as comma separated values with double-quoted fields. This file can be viewed with WordPad or Notepad, or imported into spreadsheet programs such as Excel.

10. Click the Delivery tab to configure the method used to deliver the report.

Figure 2-20. Report Manager Action: Report Delivery method

E-mail is the default method. It e-mails the report to the address specified, and requires that you have an SMTP profile for the e-mail address. See "Creating SMTP Profiles" in the ProCurve Manager Network Administrator's Guide for details.

Use the pull-down menu to select a different delivery method.

Figure 2-21. Report Manager Action: Select Delivery Method


Selecting FTP as the delivery method lets you save the report on an FTP site. Proxy support is not provided. Note that FTP transmits the username, the password, and the report itself in cleartext, and IDM reports contain usernames, MAC addresses and login locations; restrict this delivery method to a trusted network segment.

a. In the FTP Server field, type the IP address of the FTP site where you want to save the report.

b. In the Path field, type the complete path to the server location where you want to save the report.

c. In the Filename field, type the filename you want to assign to the report. You can automatically add a timestamp to the filename in the Filename conventions pane.

d. In the Username field, type the username used to access the FTP site.

e. In the Password field, type the password used to access the FTP site.

f. Select the Filename conventions to use:
   – No timestamp in file name: Name the file exactly as entered in the Filename field.
   – Prepend timestamp to file name: Add the timestamp at the beginning of the filename entered in the Filename field.
   – Append timestamp to file name: Add the timestamp at the end of the filename entered in the Filename field.

Selecting File as the delivery method lets you save the report in a file on the PCM server.

a. In the Path field, type the complete path to the server location where you want to save the report.

The path is relative to the server (not to the client). To save the report on the client, there must be a path from the server to the client: use a UNC path, since the server runs as a service and cannot easily be set up to use mapped drives. The account the PCM service runs under must have write permission to that share.

b. In the Filename field, type the filename you want to assign to the report.

c. Select the Filename conventions to use, as described above for FTP files.

11. Click Apply to save the Action Configuration.

12. Click Close to exit the Policy Manager window.

If you click Close before you click Apply, you will be prompted to save, or discard the configuration.

NOTE: Report output is limited to 40 pages. Therefore, to create a report on many (1000+) items, you need to create separate reports to generate all the data.


You can access User Reports by right-clicking on the user in the Users tab display in IDM, then select the report option.

IDM Session Cleanup Policy

The IDM Session Cleanup Policy is included in the PCM+ policies by default when you install IDM. It clears the session statistics used by the IDM reports (in PCM) on the first day of each month. A special IDM Session Cleanup alert defines the schedule for the policy; edit that alert if you want to change the cleanup recurrence schedule.

To modify the IDM Session Cleanup Alert:

1. Click the Policies icon in the global (PCM and IDM) toolbar at the top of the window to display the Policy Manager window.

2. Click the Alerts node in the navigation tree to display the Manage Alerts panel.

Figure 2-22. Manage Alerts: IDM Session Cleanup selection

3. Select the IDM Session Cleanup Policy and click the Edit... button to display the properties.


Figure 2-23. IDM Session Cleanup Schedule properties

4. Click the Schedule tab to review and edit the schedule parameters.

Figure 2-24. IDM Session Cleanup Schedule, alert configuration


5. Set the Start Date for enforcement of the policy. The default is the start date and time for IDM. You can type in a new date and time, or use the arrows to increase or decrease the date and time entries. Note that the time clock uses 24 hour format; thus a time of 22:00 is used to indicate a start time of 10:00 pm.

To trigger the IDM Session Cleanup policy to run immediately, click the checkbox for Run at first opportunity if schedule missed.

6. You can change the session cleanup interval using the Recurrence pattern options:

If you select... The action is...
Never: No further action is required (the policy definition is saved, but will not be enforced).
One time: No further action is required (the currently scheduled time is used with no recurrences).
Hourly: Type the number of hours and minutes to wait between session cleanups. If you do not want the policy enforced on Saturdays and Sundays, check the Skip weekend checkbox.
Daily: Type the number of days to wait between session cleanups. If you do not want the policy enforced on Saturdays and Sundays, check the Skip weekend checkbox.
Weekly: Check the boxes for the days of the week on which you want to enforce the policy.
Monthly: Click the Last day of the month button to enforce the schedule on the last day of the month, OR click the Day button and use the up or down arrows to select the day of the month.

7. Click the radio button to select No end date, End by, or Maximum occurrences to identify when the schedule should end.

• If you select No end date, the schedule will run at the selected intervals until the policy is changed or deleted.

• If you selected End by, click the up and down arrows in the End by field until the desired end date and time are shown.

• If you selected Maximum occurrences, type the number of times the policy should be enforced before it is disabled automatically.

8. Click Apply to save the changes, then Close to exit the alert configuration.


User Session Information

You can also use IDM simply to monitor the network and receive detailed information about users' access to it. The User Session information provides statistics about exactly how the network is being used (when the user logged in and out, where a user logged in from, and how much bandwidth they consumed, for example). Based on the User Session information, you can adjust access rights for users, further restricting or providing additional network resources and access attributes as needed.

To review user session information,

1. Navigate to the Realm the user belongs to, and display the Users tab.

2. Click the Show User’s session status button in the Users tab toolbar to display the Session Information window.

Figure 2-25. Session Information window


The Session List provides a listing of recent sessions, including the following information:

Active: True if the user is currently logged in for this session, or False if the session has ended
Login Time: Date and time the user logged in
Login Successful: True if the user logged in successfully, or False if the login failed
Location: Name of the location where the user logged in
Access Profile: Access profile assigned to the access policy group governing the user's permissions during the session
Realm: Realm to which the user is currently assigned

The User Properties tab of the User Status window contains the following information:

Username: Username used to log in
Friendly Name: Name of the user to which the username is assigned
MAC Address: MAC address of the computer from which the user logged in
Last login time: Date and time of the most recent user login
Login Count: Total number of times the user logged in during the report period

Click the Session Information tab to view additional user session information.


The Session Information tab of the User Status window contains the following information:

Is Active: True if the user is currently logged in for this session, or False if the session has ended
RADIUS Server: IP address of the RADIUS server that authenticated the user
Login was successful: True if the user logged in successfully, or False if the login failed
Reason login was unsuccessful: If the login was unsuccessful, the reason the RADIUS server or IDM denied the login (for example, no access policy group found for the user, or an incorrect username/password)
Session start: Date and time the user logged in
Session end time: Date and time the user logged out or the session was ended
Termination cause: Reason the RADIUS server ended the session (for example, user logout, connection interruption, or idle timer expiration)
Input octets: Bytes received by the user during the session
Output octets: Bytes sent by the user during the session

To track the user's login location information for the session, click the Location Information tab.


Figure 2-26. Location Information tab

The Location Information tab of the User Status window contains the following information:

Location name: Name of the location where the user logged in
Device address: IP address of the device used to log in
Device port: Port on the device used for the session

Click the Disable port or Enable port links to disable or re-enable the port used for the session. For example, if you want to prevent the user from logging in at a specific device or force the user to re-authenticate, use the Disable port function. If you need to re-enable the port so the user can resume the session, use the Enable port function. Disabling the port cuts all traffic through that port, not only the selected user's session, so check what else is attached to it first.

Click the Access Information tab to display details about the access attributes applied to the user session.

Figure 2-27. Access Information tab


The Access Information tab of the User Status window contains the following information:

Access Policy Group: Access policy group that governs user permissions for the session.
Access Profile: Access profile assigned to the access policy group.
QoS assigned: Quality of service or priority for outbound traffic. QoS ranges from lowest to highest.
Rate limit assigned: Maximum bandwidth allocated to the user by the access profile.
VLAN assigned: The VLAN to which access is given. The DEFAULT_VLAN(1) is equivalent to allowing access on the entire network.
ACL: The access control rules that were applied to the user's session on the switch or access point.

Finding a User

The Find User feature lets you search for and display information about a user by name or MAC address. The displayed information is similar to User Session Status information.

To find information for a user or MAC address:

1. In the IDM navigation tree, right-click the Realms or Access Policy Groups folder to which the user or computer is assigned. Select Find User from the right-click menu.

This launches the Find User window.

Figure 2-28. Find User


2. In the Username field, type the complete user name of the user for whom you want to find and display information (this field is not case-sensitive),

OR

In the MAC address field, type the MAC address of the computer for which you want to find and display information. The MAC address octets can be separated by a vertical bar (|), a hyphen, or a colon, or typed with no separators.

3. Click the Only show active sessions checkbox to get only the information on active sessions for the user.

4. Click Find to display information for the specified user or computer.

5. Click Close to exit the window.
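The following Python script is an added example, not IDM code and not part of this guide. It models the Session List and User Properties fields described under User Session Information as a small record type, normalizes the MAC address formats that the Find User window accepts, implements the username (case-insensitive) or MAC lookup with the "Only show active sessions" filter, and adds one check the window does not make: usernames with active sessions from more than one MAC address at the same time, a common sign of shared or stolen credentials. The session records are constructed.

```python
"""Search IDM-style session records by username or MAC address.

Added example, not IDM code. The Session record and the SESSIONS list are
constructed stand-ins for the Session List shown in the IDM client.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    username: str
    friendly_name: str
    mac: str               # stored as 12 lowercase hex digits
    active: bool
    login_successful: bool
    location: str
    access_profile: str


_MAC_SEPARATORS = re.compile(r"[:|\-]")
_MAC_CANONICAL = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(text):
    """Accept 00:11:22:33:44:55, 00-11-..., 00|11|... or 001122334455; reject anything else."""
    cleaned = _MAC_SEPARATORS.sub("", text.strip().lower())
    if not _MAC_CANONICAL.fullmatch(cleaned):
        raise ValueError(f"not a MAC address: {text!r}")
    return cleaned


# Constructed session records standing in for the Session List.
SESSIONS = [
    Session("alice", "Alice Example", "001122334455", True,  True,  "HQ-Floor2",  "Engineering"),
    Session("alice", "Alice Example", "001122334455", False, True,  "HQ-Floor2",  "Engineering"),
    Session("bob",   "Bob Example",   "aabbccddeeff", True,  True,  "HQ-Floor1",  "Contractors"),
    Session("bob",   "Bob Example",   "aabbccddee01", True,  True,  "Branch-A",   "Contractors"),
    Session("carol", "Carol Example", "00aa00bb00cc", False, False, "Guest-WLAN", "Guests"),
]


def find_user(sessions, username=None, mac=None, only_active=False):
    """Mirror the Find User window: exactly one of username (case-insensitive) or MAC."""
    if (username is None) == (mac is None):
        raise ValueError("specify exactly one of username or mac")
    if mac is not None:
        wanted = normalize_mac(mac)
        hits = [s for s in sessions if s.mac == wanted]
    else:
        wanted = username.strip().lower()
        hits = [s for s in sessions if s.username.lower() == wanted]
    if only_active:
        hits = [s for s in hits if s.active]
    return hits


def concurrent_macs(sessions):
    """Usernames with successful, still-active sessions from more than one MAC address."""
    macs_by_user = {}
    for s in sessions:
        if s.active and s.login_successful:
            macs_by_user.setdefault(s.username.lower(), set()).add(s.mac)
    return sorted(user for user, macs in macs_by_user.items() if len(macs) > 1)


if __name__ == "__main__":
    for s in find_user(SESSIONS, username="ALICE", only_active=True):
        print(s.username, s.mac, s.location, s.access_profile)
    print("matches by MAC:", [s.username for s in find_user(SESSIONS, mac="AA-BB-CC-DD-EE-FF")])
    print("users active from several MACs:", concurrent_macs(SESSIONS))
```

The normalizer rejects anything that does not reduce to exactly twelve hex digits, so a truncated or mistyped address fails loudly instead of silently matching nothing.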

User Reports

To review information for multiple sessions, run the User Report.

1. Select a username in the Users tab of the Access Policy Group or RADIUS Server window.

2. Click the User Report icon in the toolbar. This launches the Report Wizard, Report Filter window.

Figure 2-29. Report Wizard, Report Filter


3. Click the check boxes to select the data columns. If wireless settings are enabled the WLAN and BSSID options also appear.

4. Click Finish to run the report.

The report is displayed in a separate window on the IDM Client.


IDM Preferences

The IDM Preferences window is used to set up global attributes for session accounting and archiving, as well as enabling the Endpoint Integrity option.

Click the Tools menu and select Identity Management to display the Preferences, Global:Identity Management window.

Figure 2-30. Global Preferences for IDM

Click on the option check boxes to select (check) or deselect (blank) the option.


1. The Configuration Deployment option is used to automatically deploy IDM configuration settings (Access Profiles, Locations, Times, Network Resources) to the IDM agent. The default preference is to allow automatic configuration deployment.

Click to select the Disable automatic deploy to IDM agents option if you do not want to use automatic IDM configuration deployment. If you disable the Configuration Deployment option, IDM configuration changes will not take effect until you manually deploy the configuration to the IDM agent(s).

2. The Wireless Settings option is used to allow configuration of Identity Management features for select ProCurve wireless devices. The default preference has the Enable enhanced wireless support option selected. When this option is deselected (no check mark), wireless configuration options will not be visible and will not be applicable in rule evaluation.

3. To enable Endpoint integrity, check the Enable Endpoint Integrity checkbox. This will enable the Endpoint Integrity option in the Access Rules definitions, and you can configure an Access Rule with one of the Endpoint Integrity options (Pass, Fail or ANY). When you enable Endpoint Integrity and set the attribute in a Global Access Rule or Access Policy Group rule, the IDM agent will look for the RADIUS attribute in the supplicant's authentication request and act accordingly, applying the defined access rule based on the endpoint integrity system response.

4. To collect information about user logins and logouts, check the Enable User session accounting checkbox. This box must be checked if you want to collect data for user logins and bandwidth usage, which is used for the Bandwidth and User reports.

5. To generate user session start and stop events and display them in the IDM Events list, check the Generate Session Start and Stop Events box. This option does not affect accounting or collection of session history and statistical information. Turning this option off will reduce the load on your IDM server and the GUI by eliminating two-thirds of the events created for every user login and logout.

6. To reset all session accounting information whenever the server is restarted, check the Reset accounting statistics when the management server starts box. When this option is selected, IDM closes any open sessions and resets the RADIUS Server totals to zero when the server restarts.

If the status of users—logged on or off—seems incorrect, it is possible that the session accounting is out of sync. Use the Reset accounting statistics option to correct the problem. This immediately closes any open sessions (this has no effect on the user, only on the IDM accounting), and resets user login counts on the RADIUS server to zero.


Existing accounting records are not removed by the Reset procedures, the only effect is that currently open sessions are closed.

7. To ignore capability override warnings generated by switches that don't support certain capabilities (e.g., VLAN, QoS, Bandwidth, and ACL overrides), check the Ignore device capability warnings checkbox.

8. To send only those attributes supported by the device, check the Only send supported device attributes to device checkbox.

9. If you wish to archive accounting records older than a specified time period, uncheck the Disable session archiving box, and set the desired archival time period in the Archive user sessions older than x days field.

10. To archive the user session archive file in a location other than the default IDM data archive directory, type the desired path in the Archive file directory field. The default path is: C:\Program Files\Hewlett-Packard\PNM\server\idm\data

11. If you do not want to add a timestamp to the archive filename, uncheck the Use timestamp in archive filename option.

If a timestamp is not used in the archive filename, the existing archive file is overwritten each time user sessions are archived.

a. To insert a timestamp in the front of the archive filename, check the Prepend timestamp to archive filename option.

b. To add a timestamp to the end of the archive filename, check the Append timestamp to archive filename option.

12. Click Ok to save your changes and exit the window.

Click Apply to save your changes and leave the Preferences window open.

Click Cancel to close the window without saving changes.

Using Active Directory Synchronization

The Active Directory Synchronization (AD Sync) feature provides the ability to receive change notifications from the active directory server for the domain the management server is logged into. The Active Directory Synchronization will automatically update the IDM database with changes made in your Active Directory, including new users, changes to existing users, and deletion of users.

To enable automatic synchronization from Active Directory to IDM, navigate to the Preferences-> Identity Management -> User Directory Settings window.


Figure 2-31. Identity Management Preferences: User Directory Settings.

1. Click the checkbox to select the Enable automatic Active Directory synchronization option. When the Active Directory synchronization is selected, the remaining fields in the display are enabled.

Current status of the connection between IDM and Active Directory (AD Status) is displayed at the bottom of the window.

2. Type in the Username, Domain, and Password for the Active Directory domain administrator. You must enter the Active Directory Username and Domain name; the Password entry is optional. Because the management server stores and reuses these credentials, use a dedicated account for synchronization rather than a personal administrator login.

3. If displayed, select the Groups to synchronize.


4. To Add a group to the "Groups to Synchronize" list, click Add or Remove Groups... to display the Add or Remove Groups dialog.

Figure 2-32. Active Directory Synchronization: Add or Remove Groups

The Active Directory is queried for all groups in the domain and the groups are displayed in the "Groups in Active Directory" list.

NOTE: When adding or removing groups remember that synchronization includes all users who are indirect members of a group via intervening nested group relationships. In addition, users belonging to more than one AD group are added to the IDM group with the higher priority. For example, User 1 in the following example is imported into Group ALL if IDM synchronizes on Group ALL. Or, if IDM synchronizes on Group A or Group B, User 1 is imported into the group with the higher priority. If IDM synchronizes on Group d or Group y, the User 1 is not imported.


5. Select the Active Directory Groups you want to Synchronize to IDM, then click the >> button to move the groups to the "Groups to Synchronize" list. Use the Filter field to locate a group easily.

To remove groups from the synchronization, select the group in the "Groups to Synchronize" and click the << button to move it to the "Groups in Active Directory" list.

6. Click OK to save the Groups to Synchronize and return to the User Directory Settings window.

7. To accommodate users who are members of multiple groups, ensure the listed groups are in the desired order. To reorder a group, select the group and click the Move up or Move down button.

A user can belong to only one Access Policy Group. IDM associates users with the first group in the group list that the user is a member of. Therefore, order is important.

8. Click Apply to save the settings without exiting the window. Click OK to save the settings and close the window.

An Access Policy Group is created for each selected Active Directory group, and all users that belong to the selected groups are imported from the Active Directory server into the appropriate Access Policy Group. Changes to users in the selected groups will be imported (synchronized) as long as Active Directory Synchronization is enabled.

Operating Notes:

■ If a user belongs to more than one Active Directory group, the user is imported into the IDM Access Policy Group with the highest priority (set in User Directory Settings Preferences).

■ If an Active Directory group is deleted while Active Directory synchronization is enabled, the associated Access Policy Group is deleted. If that group is the priority IDM Access Policy Group for a user who belongs to more than one Active Directory group, the user is automatically reassigned to the next highest priority Access Policy Group. Users who do not belong to more than one Active Directory group are reassigned to the default Access Policy Group for the Realm.

■ If an Active Directory group is deleted while Active Directory synchronization is disabled, the associated Access Policy Group is NOT deleted when synchronization is enabled. However, all users will be reassigned to other groups (next highest priority or default Access Policy Group for the Realm) as part of the resynchronization process.


■ Users deleted from Active Directory while synchronization is disabled are assigned to the default Access Policy group during the resynchronization process (instead of being deleted). This prevents users who were added by another method from being deleted.

■ Within a Realm, Access Policy Group names must be unique. If Access Policy Groups are being created manually within the same Realm, use naming conventions to ensure these names do not conflict with Active Directory group names.

■ Performance for the import from Active Directory to IDM varies depending on your environment. Using a 1.86 GHz processor with 2MB RAM, importing 20,000 Active Directory users in 75 groups takes approximately 65 minutes. A similar test that imported 10,000 of 20,000 users by selecting 2 of the 75 groups completed in 30 minutes.

■ Once the initial synchronization is completed, IDM monitors all changes to the Active Directory using much less system resources. If Active Directory synchronization is disabled or IDM is restarted, all groups must be resynchronized.

■ Importing only relevant groups can reduce the import time significantly. Selecting only groups of users for which access policies are defined, instead of selecting the Domain Users group (which includes all users in the domain), can significantly reduce the amount of information that must be maintained in IDM and synchronized with Active Directory.

■ When Active Directory is queried for the "Add or Remove Groups" function in IDM, it may take several seconds to display the list of available groups. An hourglass is displayed when such an extended process is occurring. Performance will vary depending on your environment. Using a 1.86 GHz Intel Core2 Duo processor with 2MB RAM takes approximately 30 seconds to present a list of 20,000 groups.

■ If an error occurs while attempting to read the Active Directory, an entry is made in the IDM events log, and IDM attempts to reconnect to Active Directory once per minute.
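The following Python script is an added example, not IDM code and not part of this guide. It models the assignment rules stated in step 7 and the Operating Notes above: membership is transitive through nested groups, a user lands in the highest priority (first listed) synchronized group that contains them, and after a synchronized group is deleted from Active Directory the user falls to the next highest priority group or, if no other synchronized group contains them, to the Realm's default Access Policy Group. The directory data is constructed, and DEFAULT_APG is an assumed name for the Realm default. Running it with the two sync orders shows why order matters: the same user receives the Engineering profile or the Contractors profile depending only on which group is listed first.

```python
"""Resolve Active Directory users to IDM Access Policy Groups by group priority.

Added example, not IDM code. The group data is constructed and DEFAULT_APG
is an assumed name for the Realm's default Access Policy Group.
"""

# Constructed directory: group name -> direct members. A member that is
# itself a key of this dict is a nested group; anything else is a user.
AD_GROUPS = {
    "Domain Users": {"alice", "bob", "carol", "dave"},
    "Engineering":  {"alice", "Eng-Leads"},
    "Eng-Leads":    {"bob"},
    "Contractors":  {"carol", "bob"},
}

DEFAULT_GROUP = "DEFAULT_APG"   # assumed name for the Realm's default group


def transitive_members(groups, name, _seen=None):
    """All users who are direct or nested members of `name`; safe against group cycles."""
    seen = set() if _seen is None else _seen
    if name in seen:
        return set()
    seen.add(name)
    users = set()
    for member in groups.get(name, ()):
        if member in groups:
            users |= transitive_members(groups, member, seen)
        else:
            users.add(member)
    return users


def assign_policy_groups(groups, sync_order):
    """Map each user in any synchronized group to the first group in sync_order containing them."""
    assignment = {}
    for group in sync_order:          # earlier in the list = higher priority
        for user in transitive_members(groups, group):
            assignment.setdefault(user, group)
    return assignment


def resync_after_deletion(groups, sync_order, deleted, previous):
    """Re-evaluate `previous` assignments after `deleted` disappeared from AD.

    The deleted group is dropped both as a group and as a nested member of
    other groups, then the remaining synchronized groups are re-evaluated in
    priority order; users left in no synchronized group fall to the default.
    """
    remaining_groups = {g: {m for m in members if m != deleted}
                        for g, members in groups.items() if g != deleted}
    remaining_order = [g for g in sync_order if g != deleted]
    fresh = assign_policy_groups(remaining_groups, remaining_order)
    return {user: fresh.get(user, DEFAULT_GROUP) for user in previous}


if __name__ == "__main__":
    for order in (["Engineering", "Contractors"], ["Contractors", "Engineering"]):
        print(order, "->", assign_policy_groups(AD_GROUPS, order))
    before = assign_policy_groups(AD_GROUPS, ["Engineering", "Contractors"])
    print("after Engineering is deleted:", resync_after_deletion(AD_GROUPS, ["Engineering", "Contractors"], "Engineering", before))
```

Note that a broad group such as Domain Users placed near the top of the list would capture every user before the more specific groups are evaluated; keep the most restrictive groups that should win at the top.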


3

Using Identity Driven Manager

Chapter Contents

IDM Configuration Model ... 3-3
    Configuration Process Review ... 3-3
    Configuring Identity Management ... 3-4
Configuring Locations ... 3-6
    Adding a New Location ... 3-7
    Modifying a Location ... 3-11
    Deleting a Location ... 3-12
Configuring Times ... 3-13
    Creating a New Time ... 3-14
    Modifying a Time ... 3-16
    Deleting a Time ... 3-16
Configuring Network Resources ... 3-19
    Adding a Network Resource ... 3-21
    Modifying a Network Resource ... 3-22
    Deleting a Network Resource ... 3-23
Configuring Access Profiles ... 3-24
    Creating a New Access Profile ... 3-26
    Modifying an Access Profile ... 3-33
Defining Access Policy Groups ... 3-35
    Creating an Access Policy Group ... 3-36
    Modifying an Access Policy Group ... 3-41
    Deleting an Access Policy Group ... 3-41
Configuring User Access ... 3-42
    Adding Users to an Access Policy Group ... 3-43
    Changing Access Policy Group Assignments ... 3-44
    Using Global Rules ... 3-45
Deploying Configurations to the Agent ... 3-49
Using Manual Configuration ... 3-50
    Defining New Realms ... 3-50
    Modifying and Deleting Realms ... 3-51


Deleting RADIUS Servers . . . . . . . . . . . . . . . . . 3-52
Adding New Users . . . . . . . . . . . . . . . . . . . . . 3-53

Using the User Import Wizard . . . . . . . . . . . . . . 3-57
Importing Users from Active Directory . . . . . . . . . . 3-58
Importing Users from an LDAP Server . . . . . . . . . . . 3-64
Importing Users from XML files . . . . . . . . . . . . . 3-75


IDM Configuration Model

As described in the IDM model on page 2-5, everything relates to the top level, or Realm. Each User in the Realm belongs to an Access Policy Group (APG). The APG has an Access Policy defined for it that governs the access rights that are applied to its Users as they enter the network.

The Access Policy is defined using a set of Access Rules. These rules take four inputs:

• Location (where is the user accessing the network from?)

• Time (what time is the user accessing the network?)

• System (from what system is the user accessing the network?)

Using these input parameters, IDM evaluates each of the rules. When a matching rule is found, the access rights (called an Access Profile) associated with that rule are applied to the user. The Access Profile defines the access provided to the network once the user is authenticated, including:

• VLAN—what VLANs the user can access.

• QoS—"Quality of Service," from lowest to highest.

• Rate-limits—bandwidth that is available for the user.

• Network Resources—resources the user can access, by IP address and/or protocol. These resources must be defined, similarly to the Locations and Times used in the access rules.

Thus, based on the rules defined in the APG, the user gets the appropriate level of access to the network.

In summary, for identity driven management each user in a Realm belongs to one Access Policy Group. The Access Policy Group defines the rules that are evaluated to determine the access policies that are applied at the switch when the user connects to the network.
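The rule evaluation described above, worked through as an added Python example (this is illustration code, not code from the IDM guide or the product): Locations are sets of device/port pairs, Times carry the hours, days-of-week and date range of Table 3-1, and an Access Policy Group's rules are tried in the order listed, with the first match supplying the Access Profile. The sample school configuration, the first-match ordering, the "no matching rule means the login is rejected" behaviour and the MAC-address form of the System check are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import FrozenSet, List, Optional, Tuple

ANY_PORT = "any"                  # the "Any port" choice in the New Device window
WEEKDAYS = frozenset(range(5))    # Monday=0 .. Friday=4


@dataclass(frozen=True)
class Location:
    """A Location is a set of (device address, port) pairs; ANY_PORT covers every port on a device."""
    name: str
    members: FrozenSet[Tuple[str, str]]

    def matches(self, device: str, port: str) -> bool:
        return (device, port) in self.members or (device, ANY_PORT) in self.members


@dataclass(frozen=True)
class TimeWindow:
    """A Time as in Table 3-1: hours (start/end None = All day), days of week, and a date range."""
    name: str
    days: FrozenSet[int]
    start: Optional[time] = None
    end: Optional[time] = None
    start_date: date = date.min          # IDM always requires a start date
    end_date: Optional[date] = None      # None = "No End Date"

    def matches(self, when: datetime) -> bool:
        if when.weekday() not in self.days:
            return False
        if when.date() < self.start_date:
            return False
        if self.end_date is not None and when.date() > self.end_date:
            return False
        if self.start is None:           # All day
            return True
        return self.start <= when.time() <= self.end


@dataclass(frozen=True)
class AccessProfile:
    """Access rights applied on a match; None for an attribute means "Don't Override"."""
    name: str
    vlan: Optional[int] = None
    qos: Optional[int] = None
    bandwidth_kbps: Optional[int] = None


@dataclass(frozen=True)
class AccessRule:
    """One APG rule: Location, Time and System (MAC) inputs plus the profile to apply.
    None for an input means "any"; profile None means the login is rejected (assumption)."""
    location: Optional[Location]
    window: Optional[TimeWindow]
    system_mac: Optional[str]
    profile: Optional[AccessProfile]

    def matches(self, device: str, port: str, when: datetime, mac: str) -> bool:
        if self.location is not None and not self.location.matches(device, port):
            return False
        if self.window is not None and not self.window.matches(when):
            return False
        if self.system_mac is not None and self.system_mac.lower() != mac.lower():
            return False
        return True


@dataclass
class AccessPolicyGroup:
    name: str
    rules: List[AccessRule]

    def evaluate(self, device: str, port: str, when: datetime, mac: str) -> Optional[AccessProfile]:
        """Rules are tried in listed order and the first match wins; no match rejects (both assumed)."""
        for rule in self.rules:
            if rule.matches(device, port, when, mac):
                return rule.profile
        return None


# Constructed sample configuration (not taken from the guide).
CLASSROOM = Location("Classroom", frozenset(("10.1.1.5", str(p)) for p in range(1, 25)))
LAB = Location("Lab", frozenset({("10.1.1.6", ANY_PORT)}))
SCHOOL_HOURS = TimeWindow("School hours", WEEKDAYS, time(9, 0), time(17, 0), start_date=date(2008, 1, 1))
STUDENT = AccessProfile("Student", vlan=20, qos=3, bandwidth_kbps=1000)
LAB_USER = AccessProfile("Lab user", vlan=25)

STUDENTS = AccessPolicyGroup("Students", [
    AccessRule(CLASSROOM, SCHOOL_HOURS, None, STUDENT),      # classroom, weekdays 9-5: Student profile
    AccessRule(CLASSROOM, None, None, None),                 # classroom at any other time: reject
    AccessRule(LAB, None, "00:11:22:33:44:55", LAB_USER),    # lab only from the registered system
    AccessRule(LAB, None, None, None),                       # lab from any other system: reject
])


def decide(apg: AccessPolicyGroup, device: str, port: str, when_iso: str, mac: str) -> str:
    """Return the name of the Access Profile that would be applied, or "REJECT"."""
    profile = apg.evaluate(device, port, datetime.fromisoformat(when_iso), mac)
    return profile.name if profile is not None else "REJECT"


if __name__ == "__main__":
    print(decide(STUDENTS, "10.1.1.5", "7", "2008-05-06T10:30", "aa:bb:cc:dd:ee:ff"))
```

The order of the rules matters: the "reject" rule for the Classroom sits below the allow rule, so it only catches logins outside school hours. Swapping those two rows would reject every classroom login, which is the kind of mistake the NOTE about modifying Access Policy Groups warns about.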

Configuration Process Review

Assuming that you opted to enable Active Directory synchronization or let IDM run long enough to discover the Realm, users, and RADIUS server, your configuration process will be:

1. Define "locations" (optional) from which users access the network. The location may relate to port-based VLANs, or to all ports on a switch.


2. Define "times" (optional) at which users will be allowed or denied access. This can be by day, week or even hour.

3. If you intend to restrict a user’s access to specific systems, based on the system they use to access the network, you need to modify the User profile to include the MAC address for each system from which the user is allowed to log in.

4. Define the Network Resources that users will have access to, or will be denied from using, if applicable.

5. Create the Access Profiles to set the VLAN, QoS, rate-limits (Bandwidth), and network resources that are applied to users in Access Policy Groups.

6. If you don’t use Active Directory synchronization, create the Access Policy Groups, with rules containing the Location, Time, System, and Access Profile that will be applied to users when they log in.

OR

If using Active Directory synchronization, add rules and access profiles to the Access Policy Groups that were created by Active Directory synchronization.

7. If you do not use Active Directory synchronization, assign Users to the appropriate Access Policy Group.

8. If you do not use automatic deployment, deploy the configuration to the IDM Agent on the RADIUS Server. The authorization controls can then be applied when IDM detects an authenticated user login. If you do not use automatic deployment and do not manually deploy the IDM configuration to the Agent on the RADIUS server, the configuration will not be applied.

NOTE: If you want to modify or delete an Access Policy Group, or the locations, times, or access profiles used in the Access Policy Group, make sure your changes will not adversely affect users assigned to that group.

Configuring Identity Management

All of the elements described for configuring user access in IDM are available in the Identity Management Configuration window.

To launch the Identity Management Configuration window:

1. Right-click on the Identity Management navigation tree, and select the Configure Identity Management... option from the menu, or


2. Click the Configure Identity Management icon in the Realms window toolbar.

The Identity Management Configuration default display is the Access Profiles pane with the Default Access Profile.

Figure 3-1. Identity Management Configuration, default display

Click a node in the navigation tree to display the configuration parameters defined for it, and to add or edit configuration parameters, as described in the following sections.


Configuring Locations

Locations in IDM identify the switch and/or ports on the switch, and the wireless access points, where users connect to the network. Users generally are allowed to log in to the network from a variety of locations; IDM allows you to create customized locations to match specific environments.

For example, a generalized company "location" may include all of the ports on a switch, or multiple switches through which users can connect to the network. You can define a lobby location as a single switch, or a single port on the switch, in order to restrict access to the network for visitors attaching to the network in the lobby.

To configure a location:

1. Click the Locations node in the Identity Management Configuration navigation tree to display the Locations panel.

Figure 3-2. Locations panel

Tip: IDM also lets you include wireless devices in the location configuration. The "Enable Enhanced Wireless Support" option in IDM Preferences adds a Wireless Devices tab to the Create a new Location window.


Adding a New Location

To create a new location:

1. Click the New Location icon in the toolbar to display the new locations window.

Figure 3-3. Create a New Location display

2. Type in a Name for the location.

3. Type in a Description for the location.

To add wired devices to the location:

4. Click Add device... to open the New Device window, and define the devices and/or port combinations that will be included in the location.

See “To Add a Wireless Device to a Location” on page 3-9 for details on support for wireless locations.


Figure 3-4. New Device window

5. Enter the Device to be added using the Device Selection pull-downs, or select the Manually enter device address option.

Using the Device Selection option:

a. Select a device group using the pull-down menu. This will enable the Select Device pull-down menu in the next field.

b. Select a device from the pull-down list of available devices. The list is populated with the IP address or DNS name for all (PCM managed) devices in the selected group.

Using the Manually enter device address option:

a. Click the check box to enable the data entry field below it.

b. Type in the IP address or DNS name of the device to be added.

Note: If PMM is licensed, this dialog will not show wireless devices; you must add wireless devices from the "Wireless Devices" tab of the "New Location" dialog. If PMM is not licensed, wireless devices will appear in this dialog; however, you will not be able to select any ports, and the only option will be "Any port".


6. Use the Port Selection to define the ports on the device that will be associated with the location.

• Click to select Any port on the switch, or

• Click Select ports, then use the pull-down lists to select the Begin and End ports on the device that will be associated with the new location.

If you manually entered the device address, the Begin port and End port pull-down menus are disabled, and you must manually enter the ports.

7. Click Ok to save the New Device settings to the Location, and close the window.

NOTE: If a switch in the device list is not configured to authenticate with the RADIUS server, the settings in IDM will have no effect.

You can type in an IP address for non-ProCurve devices and if the device uses industry standard RADIUS protocols, the settings should work; however, HP does not provide support for IDM configurations with non-ProCurve devices.

8. The Device address and ports information is displayed in the New Location window.

9. Repeat steps 4 through 7 to add additional devices to the Location, or click OK to save the new Location and close the window.

To Add a Wireless Device to a Location:

10. Click the Wireless devices tab:


Figure 3-5. Create a New Location, Wireless Devices display

11. Click Add Device... to display the Wireless Devices Selection dialog.

Figure 3-6. Select Wireless Device for a location

12. All discovered Radios and radio ports are displayed.


Click the check box to select the radio ports to be included in the location, and then click OK to save the selection and return to the Create a new Location (Wireless Devices tab) window.

13. Click OK in the Create a new Location window to save and exit, or repeat the steps to add additional devices to the location.

Modifying a Location

To edit the information for an existing Location:

1. Click the Locations node in the Identity Management Configuration navigation tree to display the Locations panel, with the list of defined locations.

2. Double-click on a location in the navigation tree, or in the Locations list to open the (modify) location panel.

You can also select the location in the list, then click the Edit Location icon in the toolbar to display the Location in edit mode.

3. Edit the location Name and Description as needed.

4. To edit the device configuration for the location:

• To Modify the device settings, select the device in the list, then click Edit device... to display the Modify Device window.

The Modify Device window contains the same fields as the New Device window. You can edit the ports associated with the location, or you can choose a different device and reset the ports for the new device. Click OK to save your changes and close the window.

The changes are displayed in the Location panel.

• To add another device, click Add Device.

• To delete a device, select the device in the list, then click Delete Device.

5. Click OK to save the location changes and close the Locations window.

Click Cancel to close the window without saving the changes. The original location configuration will be maintained.

NOTE: When modifying Locations, make sure all devices for the location are configured with the appropriate VLANs. If you modify a Location that is part of a VLAN (subnet) and that Location is currently used in an Access Policy Group rule, IDM will check to make sure that the VLAN exists. If not, an error message is displayed.


Deleting a Location

To remove an existing Location:

1. Click the Locations node in the Identity Management Configuration navigation tree to display the Locations panel, with the list of defined locations.

2. Click on a location in the list to select it.

3. Click on the Delete Location icon in the toolbar to remove the location.

The first time you use the Delete Location option, a warning pop-up is displayed. Click Ok to continue, or Cancel to stop the delete process.

4. The location is removed from the Locations list.

NOTE: If you modify or delete a Location, check to make sure that the changes do not adversely affect users in Access Policy Groups where the Location is used.


Configuring Times

Times are used to define the hours and days when a user can connect to the network. When included in the Access Policy Group rules, a time can be used to allow or deny access from specific locations at specific times. For example, students might be allowed network access from the "Classroom" location during weekdays, from 9:00 am to 5:00 pm, but denied access from the Classroom at any other time.

To configure a Time:

1. Click the Times node in the Identity Management Configuration navigation tree to display the Times panel.

Figure 3-7. Identity Management Configuration, Times panel

The Times window lists the name and description of defined times. Double-click the time in the list, or select the time in the navigation tree to display the Time’s properties, including:

Name: Name used to identify the time

Description: Brief description of the time

Time: Time of day when the access policy group is active.

Days of week: Days of the week when the access policy group is active.

Range: Dates during which the "Time" will be in effect. A start date must be specified.


Figure 3-8. Times Properties

Creating a New Time

To configure a Time:

1. Click the Times node in the Identity Management Configuration navigation tree to display the Times panel.

2. Click the Add New Time toolbar icon to display the Create a new Time window.


Figure 3-9. Create a New Time

3. Define the properties for the new time.

Name: Name used to identify the time

Description: Brief description of the time

Time: Time of day when the user will be accepted on the network. To allow access the entire day, click the All day radio button. To restrict access to specific hours of the day, click the From radio button and type the beginning and ending times. The ending time must be later than the beginning time. AM or PM must be specified.

Days of week: Days of the week that a user will be accepted or rejected on the network. Click the radio button next to the desired days. Click the Custom radio button to enable the day(s) of the week check boxes.

Range: Dates during which the time will be in effect. Select the Start Date and then click the No End Date radio button, or select the End Date.

Table 3-1. IDM Time parameters


4. Click Ok to save the new "Time" and close the panel. The new time appears in the Times window.

Modifying a Time

1. Click the Times node in the Identity Management Configuration navigation tree to display the Times panel.

2. Click on a Time in the navigation tree to display the Time details in edit mode, similar to the Create a new Time panel.

You can also select the Time in the list then click the Modify Time icon in the toolbar to display the modify panel.

3. Modify the time parameters, as described in Table 3-1 on page 3-15.

4. Click Ok to save your changes and close the window.

NOTE: If you modify or delete a Time, check to make sure that the changes do not adversely affect users in Access Policy Groups where the Time is used.

Deleting a Time

To remove an existing Time:

1. Click the Times node in the Identity Management Configuration navigation tree to display the Times panel with the list of defined Times.

2. Click on a Time in the list to select it.

3. Click on the Delete Time icon in the toolbar to remove the Time.

The first time you use the Delete Time option, a warning pop-up is displayed. Click Ok to continue, or Cancel to stop the delete process.

4. The Time is removed from the Times list.


Defining Holidays

To add holidays for use when defining Times in IDM:

1. Click the Times node in the Identity Management Configuration navigation tree to display the Times panel.

2. Click the Holidays icon in the toolbar to launch the Holidays window.

Figure 3-10. Holidays window

3. Click Add... to launch the Add Holiday window.

Figure 3-11. Add Holiday

4. The Date field defaults to the current date. You can use the field buttons to increase or decrease the date. You can also type in a new date.

5. In the Description field, enter the text that will identify the holiday in the Holidays list.

6. Click OK to save the holiday and close the window.

The new holiday appears in the Holidays list.

To edit a Holiday, select it in the Holidays list, then click Edit... This launches the Edit Holiday window, similar to the Add Holiday window.


To delete a Holiday, select it in the Holidays list, then click Delete... Click Yes in the confirmation pop-up to complete the process.


Configuring Network Resources

The Network Resources in IDM are used to permit or deny traffic to and from specified sources and destinations. This is done by configuring an IP-based filter that matches on:

■ The IP address (individual address or subnet address) of the source or destination,

■ The protocol (IP, ICMP, VRRP, etc.), or

■ The TCP or UDP port (i.e., the protocol and application, such as Telnet or HTTP)

For example, you can create a Network Resource to restrict "guest accounts" so that they only have access to the external Internet, and no access to internal resources. Or you can define a resource that allows HR employees to access the payroll systems, and denies access to all other employees.

Network Resource features can be used only for switches that support IDM-based ACLs. To date, this includes only the 5300 version E.10.02 and greater; check the ProCurve web site (www.procurve.com) for more information.

To configure a Network Resource:

1. Click the Network Resources node in the Identity Management Configuration navigation tree to display the Network Resources panel.

Figure 3-12. Network Resources


The Network Resources window lists the name and parameters for defined resources, including:

Name: Name used to identify the resource

IP Address: IP Address for the switch associated with the resource ("any" if the resource is being filtered by protocol).

Network Mask: The subnet mask for the IP Address.

Ports: Device port(s) associated with the resource, or Any if the resource is being filtered by protocol. Ports can be selected by number, or by friendly port name. Refer to the section on "Using Friendly (Optional) Port Names" in the Management and Configuration Guide for your switch for details.

Protocol: The Protocol (UDP, TCP, or IP) used to filter access to the resource.

Double-click the Network Resource in the list, or select it in the navigation tree on the left to display individual Network Resource configuration details.

Figure 3-13. Network Resource Configuration Details

Note that when you open the window, it is in "Edit" mode. You can modify the entries in the display fields, and the changes are automatically saved when you click Close. For details on the field entries, refer to the definitions under “Adding a Network Resource” on the next page.


Adding a Network Resource

To define a Network Resource:

1. Click the Network Resources node in the Identity Management Configuration navigation tree to display the Network Resources panel.

2. Click the Add Network Resource toolbar icon to display the Define Network Resource window.

Figure 3-14. Define Network Resource

3. Define the properties for the network resource.

Name: Name used to identify the network resource

Description: Brief description of the network resource (optional)

Resource Attributes:

IP Address: To filter by device address, uncheck the Any Address checkbox and type the IP address for the switch associated with the resource in the IP Address field. Use the Any address option if you will be filtering by Protocol and application port only, and not by specific device or port.

Mask: The subnet mask for the IP Address (if used). Use the up/down buttons [▲, ▼] to set the mask number.

Protocol: Select UDP, TCP, or IP to identify the protocol used to filter access to the resource. Protocol can be used alone or with an IP address and port parameters to define the network resource access. To use a custom protocol number for a network resource, check the Enter protocol number checkbox and type the protocol number (0-137).

Port: Any port is selected by default, which means all ports associated with the IP address are included in the network resource definition. To specify a port for the network resource, click the Any port checkbox to de-select it and enable the Port field. Enter the port number, or friendly port name*, used for the resource.

Table 3-2. IDM Network Resource parameters

* Valid friendly port names supported in IDM include: ftp, syslog, ldap, http, imap4, imap3, nntp, pop2, pop3, smtp, ssl, telnet, bootpc, bootps, ssh, dhcp, ntp, radius, rip, snmp, snmp-trap, tftp.

Note: If you are setting a resource to represent an application port such as "dhcp", "smtp", or "http", you must make sure that you set the correct protocol, either TCP or UDP. If you do not set the correct protocol, the rule will not operate as intended at the switch or access point.

4. Click Ok to save the Network Resource definition and close the window.

All entries are saved immediately upon entry. This allows you to configure several IDM features without closing and reopening the Configure Identity Management window.

Click Cancel to close the window without saving your changes.

Modifying a Network Resource

To edit a Network Resource:

1. Click the Network Resources node in the Identity Management Configuration navigation tree to display the Network Resources panel.

2. Click in the list to select the network resource to edit, then click the Edit Network Resource toolbar icon to display the Define Network Resource window.

3. Edit the properties as needed. Refer to “Adding a Network Resource” on the previous page for definitions.

4. Click Ok to save the Network Resource definition and close the window.


Deleting a Network Resource

To delete a Network Resource:

1. Click the Network Resources node in the Identity Management Configuration navigation tree to display the Network Resources panel.

2. Click in the list to select the network resource to edit, then click the Delete Network Resource toolbar icon.

3. Click Yes in the confirmation pop-up to complete the process.

The selected network resource is removed from the Network Resources list display.


Configuring Access Profiles

IDM uses an Access Profile to set the VLAN, QoS, Bandwidth (rate-limits) and Network Resource access rules that are applied to the user when they are authenticated on the network. This is where the real benefits of "access control" are realized. When users log in, the Access Profile dynamically configures the switch or wireless access point settings to provide the proper network access and resources for the user.

To begin, click the Access Profiles node in the Identity Management Configuration navigation tree to display the Access Profiles window.

Figure 3-15. Access Profiles window

The Access Profiles window lists defined Access Profiles, including:

Name: Name used to identify the profile

VLAN: VLAN to which users are assigned when they log in

QoS: The "Quality of Service" setting

Bandwidth: The rate limits for outbound traffic

Description: Brief description of the profile

The Access Profile tells the switch to override any local settings for the port the user is accessing with the settings specified in IDM.


Click the Access Profile node in the navigation tree, or double-click on a profile in the list to display the details of the selected profile.

Figure 3-16. Access Profile details

The Name, Description, and Access Attributes are the same as defined in the Access Profiles list.

The Network Resources section lists the Network Resources included in the profile:

Priority: The order in which the network resource rules are evaluated; the first one to match each incoming packet is applied.

Action: Indicates if access to the Network Resource is allowed or denied.

Resource: The defined network resource name.

Accounting: Tells the switch to keep a count of the number of hits using this rule.

Creating a New Access Profile

1. Click the Access Profiles node in the Identity Management Configuration navigation tree to display the Access Profiles window.


2. Click the Add Access Profile icon in the toolbar to display the Create a new Access Profile window.

Figure 3-17. Create Access Profile

3. Define the attributes for the Access Profile:

NOTE: If you are assigning any VLAN other than the default VLAN, ensure that the VLAN is configured correctly on all switches to which this access profile will be applied before defining the access profile.

Name: Name used to identify the Access Profile

Description: Brief description of the Access Profile

VLAN: Type in the VLAN or select one from the pull-down menu, which lists VLANs configured in PCM. The DEFAULT_VLAN(1) allows access across all segments on the network. If another VLAN is specified, the user is only allowed access to that network segment.

QoS: The Quality of Service, or "priority", given to outbound traffic under this profile. Select the setting from the pull-down menu.

Bandwidth: The rate limits applied for this profile. Use the up-down arrows to increase or decrease the Bandwidth setting. The default setting is 1000 Kbps (1 Mbps). NOTE: This is translated to a percentage of bandwidth at the switch.

Don’t Override: Select this option for any of the Access Attribute parameters to use the current settings at the switch when the user logs in.

The VLAN that gets set for a user will override the statically configured VLAN, as well as the auth-vid which may have been configured for that port. Note also that if an unauth-vid is set and the user is rejected by IDM for any reason, the port is opened and the VLAN is set to the unauth-vid.

4. To assign the Network Resources, click Edit... This launches the Network Resource Assignment Wizard.

Figure 3-18. Network Resource Assignment Wizard

5. Click Next to continue to the Allowed Network Resources window.

Figure 3-19. Network Resource Assignment Wizard, Allowed Network Resources

6. To permit access to Network Resources:

a. Select the Resource in the Available Resources list. Use shift-click to select multiple resources.

b. Move the Available Resource(s) to the Allowed Resources list (click >>).

c. Click Next to continue to the Denied Resources window.

Figure 3-20. Network Resource Assignment Wizard, Denied Network Resources

7. To deny access to Network Resources:

a. Select the Resource in the Available Resources list. Use shift-click to select multiple resources.

b. Move the Available Resource(s) to the Denied Resources list (click >>).

c. Click Next to continue to the Priority Assignment window.

Figure 3-21. Network Resource Assignment Wizard, Priority Assignment

8. Set the priority (order of evaluation) for the Network Resources. To change the priority, click the Resource in the list, then click Move down or Move up. The first rule to match is the one that will be applied.

9. Click Next to continue to the Default Access window.

Figure 3-22. Network Resource Assignment Wizard, Default Access

10. Select the option to tell IDM what to do if there are no matches found in the network resource access rules.

11. Click Next to continue to the Resource Accounting window.

Figure 3-23. Network Resource Assignment Wizard, Resource Accounting

12. Click the check box to enable the Accounting function (optional). This enables tracking of hits on this resource on the switch or access point. Use the CLI on the switch to review the hits.

13. Click Next to continue to the Summary window.

Figure 3-24. Network Resource Assignment Wizard, Summary

14. Click Finish to save the Network Resource Assignments to the Access Profile and close the wizard.

Click Back to return to a previous window to change the assignment, or

Click Cancel to close the wizard without saving the changes.

Click Start Over to return to the start of the Network Assignment Wizard.
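The wizard steps above describe a per-packet evaluation: the Network Resource rules of an Access Profile are checked in priority order, the first rule that matches a packet decides whether the resource is allowed or denied, the Default Access choice covers packets that match no rule, and Accounting keeps a hit count per rule. The following Python simulation is an added example, not code from this guide or from the IDM product; the resource definitions (CIDR ranges, port numbers), the "Staff" profile and its VLAN number are constructed sample values. It also shows why the Priority Assignment step matters: a broad allow rule placed above a narrower deny rule shadows it, so the deny is never reached.

```python
# Added example (not code from the IDM guide or from HP): a simulation of how
# an Access Profile's ordered Network Resource rules are applied per packet.
# Resource definitions, the profile name and the VLAN are constructed values.
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class NetworkResource:
    """A named destination: an IP network plus an optional set of ports."""
    name: str
    network: str                     # CIDR notation, e.g. "10.1.50.0/24"
    ports: frozenset = frozenset()   # empty set means any port

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        in_net = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.network)
        return in_net and (not self.ports or dst_port in self.ports)


@dataclass
class ResourceRule:
    resource: NetworkResource
    action: str                 # "allow" or "deny"
    accounting: bool = False    # when True, count hits on this rule
    hits: int = 0


@dataclass
class AccessProfile:
    name: str
    vlan: int
    rules: List[ResourceRule]   # list order is the priority order
    default_action: str         # applied when no rule matches

    def evaluate(self, dst_ip: str, dst_port: int) -> Tuple[str, Optional[str]]:
        """Return (action, matched resource name); the first matching rule wins."""
        for rule in self.rules:
            if rule.resource.matches(dst_ip, dst_port):
                if rule.accounting:
                    rule.hits += 1
                return rule.action, rule.resource.name
        return self.default_action, None


def build_profile(deny_first: bool = True) -> AccessProfile:
    """Build a constructed 'Staff' profile.

    With deny_first=True the narrow deny rule for the finance database sits
    above the broad intranet allow rule. With deny_first=False the broad allow
    rule shadows the deny rule, which then never matches any packet.
    """
    intranet = NetworkResource("Intranet", "10.1.0.0/16")
    finance_db = NetworkResource("Finance-DB", "10.1.50.0/24", frozenset({1433}))
    deny_db = ResourceRule(finance_db, "deny", accounting=True)
    allow_lan = ResourceRule(intranet, "allow")
    rules = [deny_db, allow_lan] if deny_first else [allow_lan, deny_db]
    return AccessProfile("Staff", vlan=20, rules=rules, default_action="deny")


if __name__ == "__main__":
    profile = build_profile()
    for ip, port in [("10.1.50.10", 1433), ("10.1.7.2", 443), ("192.0.2.5", 22)]:
        print(ip, port, profile.evaluate(ip, port))
    print("Finance-DB hits:", profile.rules[0].hits)
    shadowed = build_profile(deny_first=False)
    print("misordered:", shadowed.evaluate("10.1.50.10", 1433))
```

Run the file directly to print the decisions. The packet to 192.0.2.5 matches no rule and therefore gets the profile's default action, which is the Default Access choice from step 10; the `deny_first=False` profile is what a misordered list in the Priority Assignment window would behave like.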

Modifying an Access Profile

To modify an existing Access Profile:

1. Click the Access Profiles node in the Identity Management Configuration navigation tree to display the Access Profiles window.

2. Click on an Access Profile in the list to select it.

3. Click the Modify Access Profile icon in the toolbar to display the Modify Access Profile window. The Modify window shows the details of the Access Profile, similar to the Create a new Access Profile window.

4. Modify the access profile parameters, as described for creating a new profile. Click the Edit... button to change the Network Resource Assignments using the wizard.

5. Click Ok to save your changes and close the window.

The changes are displayed in the Access Profiles list.

NOTE: When modifying Access Profiles, make sure the appropriate VLANs are configured on the network and at the switch. If you modify the VLAN attribute in an Access Profile that is currently used in an Access Policy Group rule, IDM will check that the VLAN exists. If not, an error message is displayed.

Deleting an Access Profile

To remove an existing Access Profile:

1. Click the Access Profiles node in the Identity Management Configuration navigation tree to display the Access Profiles window.

2. Click on an Access Profile in the list to select it.

3. Click on the Delete Access Profile icon in the toolbar to remove it.

The first time you use the Delete option, a warning pop-up is displayed. Click Ok to continue, or Cancel to stop the delete process.

NOTE: Before you modify or delete an Access Profile, make sure that your changes will not adversely affect users in Access Policy Groups where the profile is used.

Defining Access Policy Groups

An Access Policy Group (APG) contains rules that define the VLAN, rate-limit (bandwidth), quality of service, and network resource access rules for users in the group, based on the time, location, and system from which the user logs in. You can also create rules to work in conjunction with third-party endpoint integrity (Host Integrity) applications to verify that systems attempting to connect to the network meet security requirements.

Each rule in an Access Policy includes the following parameters:

• Location - identifies the switch and/or switch ports where users connect to the network. Location can identify physical wiring connections or VLANs configured to segment the network.

• Time

• System

• Endpoint Integrity

• Access Profile

Multiple access policy groups can be added to a realm, and multiple access profiles, locations, and times can be referenced and configured in an access policy group.

Access policy groups can be created manually or automatically if Active Directory synchronization is enabled. However, Access Policy Group names must be unique within a Realm.

When a user assigned to the APG is authenticated on the RADIUS Server, the IDM Agent applies the appropriate rule, which can cause the switch or access point to accept or reject the user, and modifies the RADIUS reply to provide the appropriate network access to the user.

You can create an APG that does not have any limitations, that is, it allows "Any" location, time, system, and accepts the default switch settings for VLAN, QoS, and Bandwidth. This would allow you to use IDM to monitor logins and network resource usage by user, without limiting user access to the network.

To begin, expand the Realms node to display the Access Policy Group node in the IDM tree. Click to display the Access Policy Groups tab.

Figure 3-25. Access Policy Groups display

You can expand the Access Policy Group (APG) node in the tree, and click the individual APG node to display the policy Properties tab.

Figure 3-26. Access Policy Group Properties tab

Creating an Access Policy Group

1. Click the Access Policy Group node in the IDM tree to display the Access Policy Groups tab.

2. Click the Add Policy Group icon in the toolbar to display the New Access Policy Group window.

Figure 3-27. New Access Policy Group

3. Type in a Name and Description for the Access Policy Group.

4. Click New... to display the New Access Rule dialogue.

Figure 3-28. New Access Rule

5. Select an option from the pull-down menu for each field. When all the parameters are set, click OK to save the Access Rule configuration and close the dialogue.

The parameters for Access Rules are described in the following table.

6. Repeat the process for each rule you want to apply to the APG.

7. The Access rules are evaluated in the order (priority) they are listed in the Access Rules table. Use the Move Up or Move Down buttons to arrange the rules in the order you want them to be evaluated. IDM checks each rule in the list until a match on all input parameters is found, then applies the corresponding access profile to the user.

For example, if you want to allow a user to log in from any system during the work week (Mon. - Fri.), but you want to deny access to users on the weekend, you would:

• Create a Time for the weekend

• Create an Access Profile to be applied during weekdays, "Default"

• Define two rules for the APG, similar to the following:

Location   Time      System   Access Profile
ANY        weekend   ANY      REJECT
ANY        weekday   ANY      Default

When the user is authenticated, IDM checks the Access Policies in the order listed. If it is Saturday or Sunday, the user’s access is denied. On any other day, the user is allowed on the network. If the order were reversed, IDM would never read the second rule because the first rule would provide a match every day of the week.

8. Click OK to save the Access Policy Group and close the window.

Location: Lists the Locations you created by name, and the "ANY" option. If you select ANY and the access profile for the rule points to a VLAN, ensure that the VLAN is configured on every switch to which users in this access policy group will be connecting.

Time: Lists the Times you created by name, and the ANY option.

System: Systems from which the user can log in. ANY allows the user to log in on any system. OWN restricts users to systems defined for that user. See “Configuring User Systems” on page 3-54 for detail.

WLANS: Lists the WLANs in the network, and an "ANY" option. Note that this works only if ProCurve Mobility Manager is installed and the Enhanced Wireless Support option is selected in the Preferences for Identity Management.

Access Profile: Lists the Access Profiles you created by name, the Default Access Profile, and a REJECT option. Select REJECT if the rule will prohibit a user from logging in.

IDM will verify that the rules in the APG are valid. If a rule includes a defined VLAN (from the Access Profile) and the VLAN does not exist on the network or devices for the location(s), an error message is returned and you must fix the problem before the APG can be saved.

Click Cancel to close the window without saving the Access Policy Group configuration.

9. The new Access Policy Group is listed in the Access Policy Groups tab.

Assigning Rules to an Auto-generated Access Policy Group

Active Directory synchronization automatically creates Access Policy Groups with the default values of:

• Any Location

• Any Time

• Any System

• Any WLAN

• Any Endpoint Integrity

• Default Access Profile

To assign specific rules to an Access Policy Group, see Modifying an Access Policy Group (page 3-41).

Using IDM with Endpoint Integrity Systems

You can create access profiles in IDM to work in conjunction with endpoint integrity (host integrity) applications to verify that systems attempting to connect to the network meet security requirements. To use the Endpoint Integrity support options you need to select the Endpoint Integrity option in the IDM Preferences window (Tools->Preferences->Identity Management).

With the Endpoint Integrity preference set, the Endpoint Integrity option will appear in the Access Rules windows.

Figure 3-29. Access Rule with Endpoint Integrity options

Select the Endpoint Integrity option to use with the access rule, as described in the following list.

• Select ANY to apply the access rule regardless of the status passed from the endpoint integrity system.

• Select PASS to apply the access rule in cases where the system the user is logged in on passes the endpoint integrity check.

• Select FAIL to apply the access rule in cases where the system the user is logged in on fails the endpoint integrity check.

• Select INFECTED to apply the access rule in cases where the system the user is logged in on has been identified as infected by the endpoint integrity system.

• Select UNKNOWN to apply the access rule in cases where the system the user is logged in on has an endpoint integrity status of "unknown".

For example, if you want to restrict access to a specific (remediation) VLAN when the endpoint integrity check fails, create a Location that specifies the remediation VLAN, then create an access rule that will put the user on that Location if the Host Integrity value is FAIL.

Modifying an Access Policy Group

1. Click the Access Policy Group node in the IDM tree to display the Access Policy Groups tab.

2. Click on an Access Policy Group Name to select it.

3. Click the Modify Policy Group icon in the toolbar to display the Modify Access Policy Group window.

4. Modify the Rules as needed by selecting different options from the pull-down menus for each field (see page 3-16 for field definitions).

5. Click Ok to save your changes and close the window.

Click Cancel to close the window without saving the Access Policy Group changes.

Deleting an Access Policy Group

1. Click the Access Policy Group node in the IDM tree to display the Access Policy Groups tab.

2. Click on an Access Policy Group Name to select it.

3. Click the Delete Policy Group icon in the toolbar to delete the Access Policy Group.

If Active Directory synchronization is enabled, a deleted Access Policy Group will be recreated when IDM is resynchronized or detects a change to the related Active Directory group unless you remove the Active Directory group from the User Directory Settings.

Configuring User Access

The process of configuring User access to network resources using IDM is simplified through IDM’s ability to learn User information from the Active Directory or RADIUS server, and the use of Access Policy Groups.

If Active Directory synchronization is enabled, IDM creates an Access Policy Group for each Active Directory group selected in User Directory Settings preferences and adds the users assigned to the Active Directory group to that Access Policy Group in IDM. Users are assigned to Access Policy Groups based on the rules explained in Using Active Directory Synchronization (see page 2-38)

If you do not use Active Directory synchronization, once you have configured the Access Policy Groups, you simply assign users to an APG. The next time the user attempts to log in to the network, IDM uses the rules in the user’s Access Policy Group to dynamically configure the edge switch to provide the appropriate access to the network.

Click the Users tab on the Access Policy Group or Realm window to display the list of users.

Figure 3-30. Users tab

The Users list identifies every defined user and contains the following information for each user:

Logged In: Icon indicating whether the user is currently logged in or logged out. The icon is greyed out if session accounting is disabled.

Username: Name given to the user’s login account.

Friendly Name: User’s friendly name, if defined; otherwise the same as Username.

Realm: Realm in which the user logs in.

Access Policy Group: Access policy group to which the user is assigned.

Last Login Attempt: Date and time the user last attempted to log in, regardless of whether the login failed or succeeded.

Adding Users to an Access Policy Group

To assign a user to an access policy group:

1. Expand the Realms node, then click the individual Realm to display the Users tab, or expand the realm to display access policy groups. Click the Users tab in the individual Realm or Access Policy Group window.

2. Select the users in the list, then click the Add Users to APG icon in the toolbar to display the Select Access Policy Group window.

Figure 3-31. Select Access Policy Group

3. In the Assign selected Users to Access Policy Group: field, use the pull-down menu to select the access policy group to which you want to assign the user(s).

If you select the Default Access Policy Group from the assignment pull-down menu, users can log into RADIUS servers, but they are not governed by access policy group rules. IDM will still collect and display event information for users in the Default APG, as long as they are authenticated by the RADIUS server.

4. Click Ok to save the assignments and close the window.

The new APG assignments are displayed in the Users list.

Changing Access Policy Group Assignments

To re-assign users to a different APG:

1. Click the access policy group or realm in the IDM tree, and then click the Users tab in the Access Policy Group or Realm window.

2. Select the users in the list, then click the Add Users to APG icon in the toolbar to display the Select Access Policy Group window.

3. Select a different option from the Assign selected Users to Access Policy Group pull-down menu.

4. Click Ok in the confirmation pop-up, then click OK in the Select Access Policy Group window to save your changes and close the window.

The new APG assignments are displayed in the Users list.

Using Global Rules

Global Rules can be used to provide an "exception process" to the normal processing of access rules via Access Policy Groups. IDM will check for Global Rules and apply them to the designated users before processing any access rules found in Access Policy Groups. For example, you can use a Global Rule to deny access to the network during a specific time period, such as a site shutdown or during periods when network maintenance is being done.

Global Rules are typically used to apply to all users in a realm. They can also be defined to apply to a single user or access policy group. Global Rules should not take the place of existing rules defined within the Access Policy Groups; they are intended for special use cases.

To display global rules, click on the Realm in the IDM navigation tree, then click the Global Rules tab in the Realm display.

Figure 3-32. Global Rules tab

The Global Rules tab provides the following data about defined global rules:

Target: User(s) or access policy group to which the rule applies

Location: Location where the rule is used

Time: Time that the rule is used

System: System where the rule is used

WLAN: WLAN where the rule is used. Appears only if the Enhanced Wireless Support option is set in Preferences for Identity Management

Endpoint Integrity: Indicates the endpoint integrity status used by the rule. This appears only if the Endpoint Integrity option is set in Preferences for Identity Management

Access Profile: Access profile governing user permissions during the session

Creating a Global Rule is similar to creating Access Rules for an Access Policy Group.

To create a global rule:

1. In the navigation tree, click on the realm that will use the global rule, then click the Global Rules tab in the Realm’s display.

2. Click the Add Global Rule button to display the New Global Rule window.

Figure 3-33. Global Rules dialog

1. Select the Target Properties:

• To use the global rule for all users in the realm, select All Users.

• To use the global rule for a specific user, select Single User and type in the user name.

• To use the global rule for an access policy group, click Access Policy Group, and select the group from the drop-down menu.

Note: If you want to create a global rule for multiple users or multiple groups, you do this by creating multiple rules, each referencing a single user or group.

2. Set the Access Properties for the Global Rule. This is similar to the process used to define Access Policy Rules when you create an Access Policy Group (see page 3-36).

a. Select the Location where the global rule will be applied, or "ANY".

b. Select the Time when the global rule will be used, or "ANY".

c. Select the System where the global rule will be used, or "ANY".

d. Select the WLAN where the global rule will be used, or "ANY". Note that this option only appears if the "Enable Enhanced wireless support" option is set in the Preferences for Identity Management.

e. In the Access Profile field, select the access profile where the global rule will be used.

f. If Endpoint integrity is enabled, select the option that indicates when the rule will be applied, relative to the endpoint integrity status (Pass, Fail, or Any).

3. Click Ok to save your changes and close the New Global Rule window.

4. The new global rule appears in the Global Rules list.

5. Similar to access rules, the global rules are evaluated in the order they are listed in the Global Rules table. Use the Move Up or Move Down button in the toolbar to arrange the rules in the order you want them to be applied. IDM checks each rule in the list until a match on all parameters is found, then applies the matching rule.
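The global-rule evaluation just described uses the same first-match logic as the Access Policy Group rules in "Creating an Access Policy Group" (including the weekend/weekday example given there) and the Endpoint Integrity options in "Using IDM with Endpoint Integrity Systems". The Python simulation below is an added example, not code from this guide or from the IDM product, and serves all three passages: Global Rules are checked first for the users they target, then the user's APG rules in list order, and the first rule whose Location, Time, System and Endpoint Integrity values all match supplies the access profile (or REJECT). The Time definitions, the "Staff" and "Misordered" groups, the "Remediation" profile name, the login contexts, and the fallback to the Default profile when no rule matches are all assumptions made for the example; the guide does not state what IDM does in that last case.

```python
# Added example (not code from the IDM guide or from HP): a simulation of the
# login-time rule evaluation the guide describes. Global Rules are checked
# first, then the user's Access Policy Group rules in list order; the first
# rule whose Location, Time, System and Endpoint Integrity all match wins.
# Time definitions, rule sets, the login contexts and the fallback to the
# "Default" profile when nothing matches are assumptions for this example.
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional

ANY = "ANY"
REJECT = "REJECT"

# Constructed Time definitions, keyed by the name an administrator gave them.
TIMES = {
    "weekend": lambda t: t.weekday() >= 5,
    "weekday": lambda t: t.weekday() < 5,
    "maintenance": lambda t: t.date() == date(2008, 5, 12),  # one-day site shutdown
}


@dataclass(frozen=True)
class LoginContext:
    """What IDM knows about one authentication attempt (constructed)."""
    username: str
    apg: str                 # Access Policy Group the user belongs to
    location: str            # name of the Location the user connected from
    when: datetime
    own_system: bool         # True if the device is one registered for this user
    endpoint_status: str     # PASS, FAIL, INFECTED or UNKNOWN


@dataclass(frozen=True)
class AccessRule:
    location: str = ANY
    time: str = ANY
    system: str = ANY                # ANY or OWN
    endpoint: str = ANY              # ANY, PASS, FAIL, INFECTED or UNKNOWN
    access_profile: str = "Default"  # a profile name, or REJECT

    def matches(self, ctx: LoginContext) -> bool:
        return (
            self.location in (ANY, ctx.location)
            and (self.time == ANY or TIMES[self.time](ctx.when))
            and (self.system == ANY or ctx.own_system)
            and self.endpoint in (ANY, ctx.endpoint_status)
        )


@dataclass(frozen=True)
class GlobalRule:
    target: str        # "ALL", "user:<username>" or "apg:<group name>"
    rule: AccessRule

    def applies_to(self, ctx: LoginContext) -> bool:
        return self.target in ("ALL", f"user:{ctx.username}", f"apg:{ctx.apg}")


def first_match(rules: List[AccessRule], ctx: LoginContext) -> Optional[AccessRule]:
    for rule in rules:
        if rule.matches(ctx):
            return rule
    return None


def decide(global_rules: List[GlobalRule], apgs: Dict[str, List[AccessRule]],
           ctx: LoginContext) -> str:
    """Return the access profile name (or REJECT) chosen for this login."""
    hit = first_match([g.rule for g in global_rules if g.applies_to(ctx)], ctx)
    if hit is None:
        hit = first_match(apgs.get(ctx.apg, []), ctx)
    return hit.access_profile if hit else "Default"  # assumed fallback


# Constructed policy: failed endpoint checks go to a remediation profile,
# weekend logins are rejected, weekday logins get the Default profile.
STAFF_RULES = [
    AccessRule(endpoint="FAIL", access_profile="Remediation"),
    AccessRule(time="weekend", access_profile=REJECT),
    AccessRule(time="weekday", access_profile="Default"),
]
# The ordering pitfall from the guide: an ANY-time rule placed first matches
# every day, so the weekend REJECT rule below it is never reached.
MISORDERED_RULES = [
    AccessRule(access_profile="Default"),
    AccessRule(time="weekend", access_profile=REJECT),
]
GLOBAL_RULES = [GlobalRule("ALL", AccessRule(time="maintenance", access_profile=REJECT))]
APGS = {"Staff": STAFF_RULES, "Misordered": MISORDERED_RULES}


def login(apg: str, year: int, month: int, day: int, status: str = "PASS") -> str:
    """Simulate one login at 09:00 on the given date and return the decision."""
    ctx = LoginContext("alice", apg, "Building-A", datetime(year, month, day, 9),
                       own_system=True, endpoint_status=status)
    return decide(GLOBAL_RULES, APGS, ctx)


if __name__ == "__main__":
    print(login("Staff", 2008, 5, 5))           # Monday: Default
    print(login("Staff", 2008, 5, 10))          # Saturday: REJECT
    print(login("Staff", 2008, 5, 6, "FAIL"))   # Tuesday, failed check: Remediation
    print(login("Staff", 2008, 5, 12))          # maintenance day: global REJECT
    print(login("Misordered", 2008, 5, 10))     # Saturday slips through: Default
```

The maintenance-day case shows why the guide recommends Global Rules for site shutdowns: the global rule fires before any APG rule is consulted, so every targeted user is rejected regardless of how their group's rules are ordered. The "Misordered" group reproduces the reversed-order mistake described under step 7 of creating an Access Policy Group.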

Changing Global Rules

To edit Global Rules:

1. Navigate to the Global Rules window.

2. Select the rule you want to modify in the Rules list.

3. Click the Edit Global Rule icon to display the Edit Global Rules window.

4. Change the desired values, as explained for New Global Rule.

5. Click Ok to save the changes and close the Edit Global Rules window.

To delete a Global Rule:

1. Navigate to the Global Rules window.

2. Select the rule you want to delete in the Rules list.

3. Click the Delete Global Rule icon in the toolbar.

4. Click Yes in the confirmation pop-up to complete the process.

The rule is removed from the Global Rules list.

Deploying Configurations to the Agent

An option in the IDM Preferences allows you to automatically deploy configuration changes to the IDM agent. Or, you can manually deploy changes made to Access Profiles, Locations, Times, or Network Resource configurations.

If automatic deployment is disabled, you need to deploy the configuration information to the IDM Agent once you have configured the Access Policy Groups and assigned users. The Access Policy Group assignments (including the locations, times, and Access Profiles) are not applied until they get deployed to the IDM Agent on the RADIUS server, and the user logs in again.

Deployment overwrites and replaces the current configuration for that realm, on that RADIUS server.

To manually deploy the IDM authorization policy configuration:

1. Right-click on the Realms node in the IDM tree.

2. Select the Deploy current policy to this realm option to display the Deploy to RADIUS Servers window.

Figure 3-34. Deploy to RADIUS Servers

3. Click Deploy to write the access policy information to the IDM Agent for the selected Realms and the respective RADIUS Servers.

4. Click Close to exit the window.

After the new access policy configurations are deployed, the deployment warning on the IDM Dashboard display is removed.

Using Manual Configuration

It is simplest to let the IDM Agent run and collect information about Realms, including RADIUS servers and users in the Realm from the RADIUS server, but you can also manually define information about the Realm, RADIUS servers, and users in the IDM GUI.

Defining New Realms

If you have configured a new Realm that uses a RADIUS server on which you have installed an IDM Agent, you can let the Agent learn the Realm information automatically, or you can define the Realm using the IDM GUI.

To define a realm:

1. Click the Add Realm icon on the toolbar to display the New Realm window.

Figure 3-35. Add Realm

2. Enter the information for the Realm:

• Type the Name used to identify the realm.

• In the Alias field, type an alternate name that can be used for the realm. For example, a fully qualified realm Name can be idm.main.procurve and the Alias can be IDM. This is most useful when using IDM with Active Directory; in that case make sure that the IDM realm alias matches the Active Directory "NETBIOS" name.

• Type a brief Description of the realm to help identify the realm.

• To set the realm as the default realm, click the Use as default Realm check box. The default realm is used when IDM cannot determine the realm for a RADIUS server or user login.

3. Click Ok to save the Realm information and close the window. The new Realm appears in the Realms list, and the IDM Tree.

Modifying and Deleting Realms

To modify an existing Realm:

1. Select the Realm in the Realms list.

2. Click the Modify Realm icon on the Realm list toolbar to display the Modify Realm window (similar to the New Realm window).

3. Edit entries as needed for the Realm:

• The Name used to identify the realm.

• The realm Description.

• To set the realm as the default realm, click the Use as default Realm check box. The default realm is used when IDM cannot determine the realm for a RADIUS server or user login.

4. Click Ok to save the Realm changes and close the window.

The Realm modifications appear in the Realm List and Realm Properties tab.

To delete a Realm:

1. Select the Realm in the Realm List.

2. Click the Delete Realm icon in the toolbar.

A confirmation dialog is displayed.

Click Yes to complete the realm delete process.

The selected realm and its associated users are removed from the Realm list and IDM Tree.

Deleting RADIUS Servers

To delete an existing RADIUS Server:

NOTE: Before you can completely delete the RADIUS server, you need to uninstall the IDM Agent on the server. Otherwise, the RADIUS server may be re-discovered, causing it to re-appear in the IDM tree.

1. Use the IDM Tree to navigate to the RADIUS List window, and select the RADIUS Server you want to delete in the list.

2. Click the Delete RADIUS icon on the Radius List toolbar.

3. A pop-up confirmation dialog is displayed:

Figure 3-36. Delete RADIUS Server Confirmation dialog

4. Click Yes to complete the delete process and close the window.

The RADIUS Server is removed from the RADIUS List and the IDM Tree.

3-52

Adding New Users

You can let the IDM Agent automatically learn about the users from the Active Directory or RADIUS server on which it is installed, or you can define user accounts in the IDM Client. You can also use the IDM User Import feature in the Tools menu.

Adding users in IDM: Manual Process

To add a new User in IDM:

1. Click the Users tab on the Access Policy Groups or Realms window, and then click the New User button to display the Define a new user window.

Figure 3-37. New User dialog

2. Enter the information for the User

• Username: The user’s login name (required).

• Friendly Name: Friendly name for the user.

• Realm: Select the Realm the user "belongs" to, if different from the default realm.

• Access Policy Group: Select the Access Policy Group to which the user belongs. This sets the access profile that is applied when the user logs in to the network. The default is NONE.

• Description: Enter additional text describing the user if needed.

3-53

3. If you want to restrict the user’s access to specific systems, click the Systems tab to configure system permissions. Otherwise click OK to save the user and close the window.

Configuring User Systems

4. To restrict the user’s access to specific systems, click the Systems tab.

Figure 3-38. User Systems tab display

You select from systems shown in the All Systems list, and click the >> button to move them to the Allowed Systems list. The user will be restricted to the selected systems.

5. To add a new user system, click Add to display the New User system dialog.

Figure 3-39. New User system dialog

6. Enter the MAC Address of the system (in any format) from which the user is allowed to log in to the network, then click OK. The system information is displayed in the New User window.

3-54

If the user is allowed to login from more than one system, repeat the process for each system.

7. When the User’s Systems are defined, click OK to save the new user information and close the window.

The new user appears in the Users List.

NOTE: Access Policy Group settings are not applied to the user until you deploy the new configuration to the IDM Agent on the RADIUS server. See “Deploying Configurations to the Agent” on page 3-49 for details.
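The Systems tab restricts a user to the MAC addresses entered in the steps above, and step 6 says the address may be typed in any format. The following added example is not IDM's code; it assumes the common colon, hyphen, dotted and bare 12-digit spellings, since the page does not document IDM's exact parsing rules. It normalizes those spellings so the same system is not listed twice under different formats, rejects anything that is not exactly 48 bits, flags locally administered addresses (a sign of a randomized or manually set MAC), and models the per-user Allowed Systems check, including the "no systems listed means no restriction" behaviour described above. Keep in mind that a MAC address is asserted by the client and easily changed, so this restriction is a hygiene control, not a substitute for the user's 802.1X credentials.

```python
import re

# Added example (not IDM code). Assumption: the New User System dialog accepts
# the common written forms of a MAC address; IDM's exact rules are not on the page.

_SEPARATORS = re.compile(r"[:\-. ]")
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(text):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError.

    Accepts 00:1b:21:3c:4d:5e, 00-1B-21-3C-4D-5E, 001b.213c.4d5e and a bare
    001b213c4d5e. Anything that is not exactly 48 bits is rejected rather
    than silently truncated or padded.
    """
    raw = _SEPARATORS.sub("", text.strip().lower())
    if not _HEX12.match(raw):
        raise ValueError("not a 48-bit MAC address: %r" % (text,))
    return raw


def is_valid_mac(text):
    """True if normalize_mac() would accept the text."""
    try:
        normalize_mac(text)
        return True
    except ValueError:
        return False


def format_mac(text, style="colon"):
    """Render a MAC in one canonical style: colon, hyphen or cisco (dotted)."""
    raw = normalize_mac(text)
    if style == "colon":
        return ":".join(raw[i:i + 2] for i in range(0, 12, 2))
    if style == "hyphen":
        return "-".join(raw[i:i + 2] for i in range(0, 12, 2))
    if style == "cisco":
        return ".".join(raw[i:i + 4] for i in range(0, 12, 4))
    raise ValueError("unknown style: %r" % (style,))


def is_locally_administered(text):
    """True if the U/L bit (bit 1 of the first octet) is set.

    Such addresses are not burned-in vendor addresses; they are typical of
    randomized or manually configured MACs, which is worth knowing before
    you pin a user to one.
    """
    return bool(int(normalize_mac(text)[:2], 16) & 0x02)


class UserSystems:
    """The per-user Allowed Systems list from the New User > Systems tab."""

    def __init__(self, username):
        self.username = username
        self._allowed = set()

    def add(self, mac):
        self._allowed.add(normalize_mac(mac))

    def delete(self, mac):
        self._allowed.discard(normalize_mac(mac))

    def allowed(self):
        """Configured systems, in a single canonical spelling."""
        return sorted(format_mac(m) for m in self._allowed)

    def permits(self, mac):
        """An empty list means no restriction, as on the Systems tab."""
        if not self._allowed:
            return True
        if not is_valid_mac(mac):
            return False
        return normalize_mac(mac) in self._allowed
```

Because every stored address goes through normalize_mac(), an operator who adds "00-1B-21-3C-4D-5E" and later tries to delete "001b.213c.4d5e" removes the same entry, and a login carrying that MAC in yet another spelling is still matched.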

Modifying and Deleting Users

To modify an existing User:

1. Select the User in the User List and click the Modify User icon in the toolbar.

2. The Modify User window (similar to the Define a new user window) displays.

3. Edit entries as needed for the User:

• Username: The user’s login name (required).

• Friendly Name: Friendly name for the user.

• Realm: Select the Realm the user "belongs" to, if different from the default realm.

• Access Policy Group: Select the Access Policy Group to which the user belongs. This sets the access profile that is applied when the user logs in to the network. The default is NONE.

• Description: Enter additional text describing the user if needed.

• Add, Modify, or Delete User System information as needed.

– To edit User Systems information, select the System in the list, then click Modify to display the Systems window and change the MAC Address.

– To delete a User System, select the System in the list, then click Delete.

The changes appear in the System’s List for the user.

4. Click OK to save the new user information and close the window.

NOTE: Changes in Access Policy Group settings are not applied to the user until you Deploy the new configuration to the IDM Agent on the RADIUS server. See “Deploying Configurations to the Agent” on page 3-49 for details.

3-55

Deleting a User

1. Select the User in the User List.

2. Click the Delete User icon in the toolbar.

3. Click Yes in the Confirmation pop-up to complete the process.

The user is removed from the User List.

3-56

Using the User Import Wizard

The IDM User Import Wizard lets you add users to IDM from another source, such as an Active Directory or LDAP server, or an XML file. The Import Wizard also synchronizes the IDM user database with the import source directory, and lets you delete users from the IDM user database that are not found in the import source. IDM does this by copying the list of users from the directory to an XML file, comparing the users in the XML file with the users in the IDM user database, and listing the differences so that you can add or remove the mismatched users in the IDM user database.

Importing an existing company directory or user database has the following benefits:

• Easier initial setup, because all users in the company directory can be automatically added to the IDM directory.

• If the company directory contains group assignments, users can be automatically assigned to the appropriate policy group (based on membership in the company directory).

• When a user is removed from the company directory, they are automatically removed from the IDM user database. In addition, when a user's group membership is changed in the company directory, their network access policy group is automatically changed accordingly.

• Automating user import and synchronization leaves less room for error and reduces tedious work.

The basic import procedure is listed below, though the specific windows you see will vary based on the import data source.

1. Select the Source Type (Active Directory, LDAP server, or XML file).

2. Define the source parameters:

a. for Active Directory, select the Group Scope to import.

b. for an LDAP server, supply the server details, username, and password.

c. for XML, supply the filename (including the directory path). This file must exist on the IDM Server system.

3. IDM extracts the user information from the data source, based on the defined parameters.

4. Select the Users, and groups (if applicable) to be added to IDM.

5. Select any Users to be removed from IDM.

6. Commit the changes to IDM.

3-57

Importing Users from Active Directory

Importing users from Active Directory with the IDM Import Wizard synchronizes IDM users with those in Active Directory, similar to enabling Active Directory synchronization. However, if you use the Wizard to import users, subsequent user changes in Active Directory are not monitored, and you cannot select specific Active Directory groups as you can with Active Directory synchronization. Therefore, we recommend using Active Directory synchronization instead of the Import Wizard to import users from Active Directory.

To import user information into IDM from an Active Directory:

1. Select IDM User Import option from the Tools drop-down list in the global toolbar. This launches the IDM User Import Wizard.

Figure 3-40. IDM User Import Wizard

2. Click Next to continue to the Data Source selection window.

3-58

Figure 3-41. IDM User Import Wizard, Data Source

3. Click the radio button to select the Active Directory data source.

4. Click Next to continue to the Group Scope window.

Figure 3-42. IDM User Import Wizard, Group Scope

3-59

5. Select the scope of Active Directory groups that you want to import user data from:

Group          Description
All            Import users from all Active Directory groups.
Global         Import users from Global Active Directory groups. This also picks up user data from any custom-defined group in your Active Directory.
Universal      Import users from Universal Active Directory groups.
Domain Local   Import users from Domain Local Active Directory groups.
System         Import users from System Active Directory groups.

6. Click Next to continue to the Extracting User and Group information window.

Figure 3-43. IDM User Import Wizard, Extracting User and Group Information

7. When the display indicates the data extraction is done, click Next to continue to the Import Groups window.

3-60

Figure 3-44. IDM User Import Wizard, Import Groups

8. Click the Select checkbox to choose the groups you want to import from the Active Directory to IDM. If there is no checkbox, the group already exists in IDM and does not need to be selected.

9. Click Next to continue to the Add Users window.

3-61

Figure 3-45. IDM User Import Wizard, Add Users

10. Click the Select checkbox to choose the users you want to import from the Active Directory to IDM.

The current Import data is compared to the existing user list in IDM. If no new (additional) users are found in the import data, the user list is empty.

If any user exists in more than one Active Directory group, you will be prompted to select the group the user will belong to in IDM.

Figure 3-46. Group Selection dialog

a. Select the group from the drop-down list.

3-62

If you have a large number of users that belong to multiple groups, click the checkbox to Assign all users to selected group. This will assign all the users to the selected group in a single step, and you will not need to repeat the group selection for each user.

b. Click Next to continue. Repeat the process for each user.

c. Click Finish to save the Group Selections and exit the pop-up.

d. Click Back to change the previous selection.

11. Click Next to continue to the Remove Users window.

The Import data is compared to the existing user list in IDM. Any users that exist in IDM, that are not found in the Import data, are listed. Select any users you want to delete from IDM. This window operates similarly to the Add Users window.

12. Click Next to continue to the Users and Groups Commitment window.

Figure 3-47. IDM User Import Wizard, Users and Groups Commitment

13. Click Go to save the selected group and user data (adds and deletes) to IDM.

14. When the commit data function is done, click Next to continue to the Import Complete window.

3-63

Figure 3-48. IDM User Import Wizard, Import Complete

A summary of the IDM Import displays.

15. Click Finish to exit the wizard.

Importing Users from an LDAP Server

The IDM Import Wizard includes support for using the Windows 2003 LDAP service to import users from Microsoft Active Directory. You can also import user data from other LDAP v3 (version 3) servers (for example, the Netscape® LDAP server).

To import user information into IDM from an LDAP Server:

1. Select the IDM User Import option from the Tools drop-down list in the global toolbar to launch the IDM User Import Wizard.

2. Click Next to continue to the Data Source selection window.

3. Click the radio button to select the LDAP Server data source.

4. Click Next to continue to the LDAP Authentication window.

3-64

Figure 3-49. IDM User Import Wizard, LDAP Authentication

a. To use the SSL authentication method, check the Use SSL checkbox.

Note: To use SSL, ensure that your LDAP server supports SSL. The X509 certificate for your LDAP server must be installed in your Java trust store, and the PCM server must be restarted after installing the certificate. Contact your LDAP Administrator to get the certificate. The trust store is available under the installation directory of PCM. For example, if PCM is installed under Program files\Hewlett-Packard, type:

C:> cd c:\Program files\Hewlett-Packard\PNM\jre\lib\security

C:> ..\..\bin\keytool -import -file <ldapcertfile> -alias myldapcert -keystore cacerts -keypass <certificate password> -trustcacerts -storepass <keystore password>

The default keystore password is changeit.

3-65

b. Select the LDAP Authentication type to be used to connect to the LDAP server:

Authentication   Description
Simple           Sends the LDAP server the fully qualified DN of the client (user) and the client's clear-text password. Not very secure unless used with SSL.
Digest-MD5       The server generates a challenge and the client responds using a shared secret (password), so the password itself is not sent over the network.
Kerberos-V5      Based on Internet-standard security; Kerberos V5 authentication is used with either a password or a smart card for interactive logon.
External-TLS     External authentication uses authentication services provided by lower-level network services such as TLS (an X509 client certificate).
Anonymous        No authentication is required by the LDAP server.

c. Click Next to continue to the Authentication details window.

The Authentication details vary based on the Authentication type selected; however, all LDAP Authentication methods require the following information:

• Server – The IP Address or DNS name (fully qualified domain name) of the LDAP server. The IP address can be used for Simple, Anonymous, and Kerberos-V5 authentication in non-SSL mode.

• Domain – The domain name that will be used to create the Realm in IDM.

• Base DN – The Base Distinguished Name. This is the node in the directory where the search for users will begin. For example, for the domain "hp.com" the Base DN entry would be: dc=hp,dc=com

Using Simple Authentication

Simple authentication, which is not very secure, sends the LDAP server the fully qualified DN of the client (user) and the client's clear-text password, so use it only with the Use SSL checkbox checked. Values for these fields can be obtained from the LDAP server administrator.

3-66

Figure 3-50. IDM User Import Wizard, Simple Authentication

To set up Simple authentication:

1. In the Server field, type the IP address or DNS name of the LDAP server.

2. In the Domain field, type the domain name. (It will be used to create a realm in IDM.)

3. Optionally, in the Base DN field, type the Base Distinguished Name. IDM will search only for users and groups from this node of a directory tree.

4. In the User field, type the user's DN used to access the LDAP server.

5. In the Password field, type the password associated with the user.

6. Click Next to continue to the Extract Users and Groups window.

Using Digest-MD5 Authentication

The SASL Digest MD5 authentication window is used to define the LDAP data source for Digest-MD5. In Digest-MD5, the server generates a challenge and the client responds with a shared secret (password). Values for these fields can be obtained from the LDAP server administrator.

3-67

Figure 3-51. IDM User Import Wizard, SASL Digest MD5 Authentication

To set up Digest MD5 authentication:

1. In the Server field, type the DNS name of the LDAP server.

2. In the Domain field, type the domain name. It is used to create a realm in IDM.

3. Optionally, in the Base DN field, type the Base Distinguished Name. IDM will search only for users and groups from this node of a directory tree.

4. In the User field, type the user DN used to access the LDAP server.

5. In the Password field, type the password associated with the user.

6. Click Next to continue to the Extract Users and Groups window.

Using Kerberos-V5 Authentication

The SASL Kerberos V5 authentication window is used to define the LDAP data source for Kerberos. Kerberos V5 authentication requires that your LDAP server is set up with a KDC (Key Distribution Center). Please contact your LDAP server administrator for details.

3-68

Figure 3-52. IDM User Import Wizard, SASL Kerberos V5 Authentication

To set up Kerberos V5 authentication:

1. In the Server field, type the IP address or DNS name of the LDAP server.

2. In the Domain field, type the domain name. It will be used to create a realm in IDM.

3. Optionally, in the Base DN field, type the Base Distinguished Name. IDM will search only for users and groups from this node of a directory tree.

4. In the User field, type the user name used to access the LDAP server.

5. In the Password field, type the password associated with the user.

6. In the Config file field, type the complete path and filename of the configuration file that identifies the domain of the KDC.

7. Click Next to continue to the Extract Users and Groups window.

Using External Authentication

The SASL External authentication window is used to define the external LDAP data source. External authentication uses an X509 certificate for user authentication. The LDAP X509 User Certificate must be installed in a keystore on the IDM server, and the LDAP server's certificate must be stored in the trust store under your JRE installation on the IDM server. See page 3-70 for details on importing LDAP X509 User certificates for use with IDM.

3-69

Figure 3-53. IDM User Import Wizard, SASL External Authentication

To set up External authentication:

1. In the Server field, type the DNS name of the LDAP server.

2. In the Domain field, type the domain name. It is used to create a realm in IDM.

3. Optionally, in the Base DN field, type the Base Distinguished Name. IDM will search only for users and groups from this node of a directory tree.

4. In the Keystore field, type the keystore location.

For JKS, this is the path of the keystore file on the IDM server where you installed the user certificate (for example: c:\idmuser\mykeystore). For PKCS12, this is the path of the PKCS12 file that holds the certificate and its key.

5. In the Password field, type the password.

For JKS, enter the password of the keystore on the IDM Server. For PKCS12, enter the password that protects the PKCS12 file.

6. Select the Type: either jks or pkcs12.

7. Click Next to continue to the Extract Users and Groups window.

Importing LDAP X509 User Certificates into a Keystore:

3-70

If you are using a JKS Keystore, the X509 User Certificate must be installed in a keystore on the IDM server. You can get the X509 User Certificate from your LDAP Administrator.

For example, if the X509 User Certificate is "myldapcert.cer" and the alias is "mycert", use the following command to import the certificate into a keystore in c:\idmuser\mykeystore on your IDM server:

C:\idmuser> keytool -import -file myldapcert.cer -alias mycert -trustcacerts -keystore .\mykeystore

Note that External (TLS) authentication presents this certificate to the LDAP server as a client identity, which requires the matching private key. Importing a certificate file under a new alias creates only a trusted-certificate entry; for the certificate to be usable as a client identity, import it under the alias of the key pair it was issued for (already present in the keystore), or obtain it together with its key as a PKCS12 file.

If you are using a PKCS12 keystore, ask your LDAP Administrator to provide the PKCS12 file containing the certificate along with its private key. Enter the path of the PKCS12 file in the Keystore field, and enter its password in the Password field.

Using Anonymous Authentication

The LDAP Anonymous Authentication window is used to define the LDAP data source. Values for these fields can be obtained from the LDAP server administrator.

Figure 3-54. IDM User Import Wizard, Anonymous Authentication

To set up an LDAP server with anonymous authentication:

1. In the Server field, type the IP address of the LDAP server.

2. In the Domain field, type the domain name.

3-71

3. Optionally, in the Base DN field, type the Distinguished Name. IDM will search only for users and groups from this node of a directory tree.

4. Click Next to continue to the Extract Users and Groups window.

The remainder of the process for importing users from LDAP Servers is the same as described for importing users from Active Directories.

• Select the Groups and Users to Import to IDM.

• Select Users to remove from IDM (if applicable)

• Commit the selected groups and users (adds and deletes) to IDM.

Editing IDM Configuration for LDAP Import

The IDM server includes several configuration files that contain information used to import user information from LDAP directories. The default configuration settings work if you are using Microsoft Active Directory as the LDAP directory. If you are using any other LDAP directory source (for example, Novell eDirectory), you will need to modify the LDAP Directory settings in:

~Program Files\Hewlett-Packard\PNM\server\config\IDMImportServerComp.scp

Following is an example of the IDMImportServerComp.scp file for reference. Comments are indicated by "//".

LDAP_SERVER_CONFIG {
    PORT=389          // Port where the LDAP server receives bind requests.
    SSL_PORT=636      // Port where the LDAP server receives SSL bind requests.
    BATCH_SIZE=50     // Internal to IDM.
    COUNT_LIMIT=0     // Internal to IDM.

    SASL_CONFIGURATION {    // This section is for SASL configuration: Digest MD5, Kerberos V5 and External.
        QOP=auth-conf,auth-int,auth
            // Quality of protection. Valid values are 1 or more of "auth-conf", "auth-int", "auth" separated by ",".
        ENCRYPTION_STRENGTH=high,medium,low
            // Strength of encryption. Valid values are 1 or more of "high", "medium", "low" separated by ",".
        MUTUAL_AUTHENTICATION=true
            // Set if both the LDAP server and the IDM server want to authenticate each other.
    }

    KERBEROS_JAAS_CONFIG {  // This section is for the Kerberos authentication method.
        KERBEROS_AUTH_MODULE=IDMKerberos
            // Kerberos authentication module name. If this entry is changed, you must also change the module name in the idm_kerberos_jaas.conf file.
        KERBEROS_JAAS_CONFIG_FILE=config/idm_kerberos_jaas.conf
            // Configuration file for the JAAS Kerberos configuration.
    }
}

LDAP_DIRECTORY_CONFIG {     // Configuration for the LDAP directory. The following values are for Active Directory. Change as needed per the object classes and attributes in the LDAP directory being used.
    USER {                          // User object
        OBJECT_CLASS=User           // User object class
        LOGON_NAME=sAMAccountName   // Login name attribute
        COMMON_NAME=cn              // Common Name attribute
        DESCRIPTION=description     // User description attribute
        DISPLAY_NAME=displayName    // User display name attribute
    }
    GROUP {                         // Group object
        OBJECT_CLASS=Group          // Object class for Group
        COMMON_NAME=cn              // Common name attribute
        DESCRIPTION=description     // Group description attribute
        MEMBER=member               // Group member attribute
        USER_MEMBER_ATTRIBUTE=cn    // User attribute used to link member users from Group objects
    }
}

You need to modify the LDAP_SERVER_CONFIG section only if your LDAP server listens on a port other than the standard LDAP port (389) or LDAPS port (636). Similarly, if you select any of the SASL or Kerberos authentication methods, edit the related sections of the config file as needed to match custom configurations. The LDAP_DIRECTORY_CONFIG section must be changed for any directory whose object classes or attribute names differ from those of Active Directory; back up the file before editing it.

3-74

Importing Users from XML files

If you choose to import users from an XML File, the XML Data Source window displays.

NOTE: The XML file containing user data must reside on the IDM server to use this option and contain information similar to the data shown in the “XML User Import File Example” on page 3-76.

Figure 3-55. IDM User Import Wizard, XML Data Source

To identify the XML file:

1. In the File name field, type the complete path and name of the XML file.

2. Click Next to continue to the Extract Users and Groups window.

The remainder of the process for importing users from an XML file is the same as described for importing users from Active Directory.

a. Select the Groups and Users to Import to IDM.

b. Select Users to remove from IDM (if applicable)

c. Commit the selected groups and users (adds and deletes) to IDM.

3-75

XML User Import File Example

XML files used to import user data to IDM should have the following format.

<?xml version='1.0' encoding='ISO-8859-7' ?>
<DirData>
  <Domain name="domain name">
    <User name="username" description="user description" displayName="user display name" />
    ...
    ...
    <Group name="group name" description="group description">
      <Member name="username"/>
    </Group>
    <Group name="other group" description="other group description">
    </Group>
  </Domain>
</DirData>

The description and displayName for the User element and the description for the Group element are optional.

Some Group elements may not have Member elements, for example the "other group" in the above example.
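The import and synchronization steps the wizard performs (extract the directory to XML, compare it with the IDM user database, list users to add and users to remove, and prompt when a user belongs to more than one group) can be checked offline against a file in the format above. The following added example is not IDM's code. It parses a constructed DirData sample (declared as ISO-8859-1 here rather than the ISO-8859-7 of the page's example; the parser accepts either), refuses structurally broken files (duplicate or unnamed users or groups, unnamed members) instead of importing part of one, reports Member names that match no User element, computes the add and remove sets against an existing IDM user list, and resolves group membership the way the Add Users step does, including the "Assign all users to selected group" shortcut.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the DirData format (not a real directory export).
# Assumption: a single-byte encoding; the page's example declares ISO-8859-7.
SAMPLE_XML = """<?xml version='1.0' encoding='ISO-8859-1' ?>
<DirData>
  <Domain name="example.com">
    <User name="alice" description="Network admin" displayName="Alice A." />
    <User name="bob" displayName="Bob B." />
    <User name="carol" />
    <Group name="Staff" description="All employees">
      <Member name="alice"/>
      <Member name="bob"/>
      <Member name="carol"/>
    </Group>
    <Group name="NetAdmins" description="Network administrators">
      <Member name="alice"/>
      <Member name="mallory"/>
    </Group>
    <Group name="Contractors" description="No members yet">
    </Group>
  </Domain>
</DirData>
"""


def parse_dirdata(xml_bytes):
    """Parse a DirData document into (domain, users, groups).

    users:  {username: {"description": str, "displayName": str}}
    groups: {groupname: {"description": str, "members": [username, ...]}}
    Structural problems raise ValueError so nothing partial is imported.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != "DirData":
        raise ValueError("root element is %r, expected DirData" % root.tag)
    domain = root.find("Domain")
    if domain is None or not domain.get("name"):
        raise ValueError("missing <Domain name=...>")
    users, groups = {}, {}
    for u in domain.findall("User"):
        name = u.get("name")
        if not name:
            raise ValueError("<User> without a name attribute")
        if name in users:
            raise ValueError("duplicate user %r" % name)
        users[name] = {"description": u.get("description", ""),
                       "displayName": u.get("displayName", "")}
    for g in domain.findall("Group"):
        gname = g.get("name")
        if not gname:
            raise ValueError("<Group> without a name attribute")
        if gname in groups:
            raise ValueError("duplicate group %r" % gname)
        members = [m.get("name") for m in g.findall("Member")]
        if any(not m for m in members):
            raise ValueError("<Member> without a name in group %r" % gname)
        groups[gname] = {"description": g.get("description", ""),
                         "members": members}
    return domain.get("name"), users, groups


def is_valid_dirdata(xml_bytes):
    """True if parse_dirdata() accepts the document."""
    try:
        parse_dirdata(xml_bytes)
        return True
    except (ValueError, ET.ParseError):
        return False


def dangling_members(users, groups):
    """Member names that match no <User> element; they would not import."""
    return sorted({m for g in groups.values() for m in g["members"]
                   if m not in users})


def plan_sync(import_users, idm_users):
    """The wizard's comparison: (users to add to IDM, users to remove from IDM)."""
    src, dst = set(import_users), set(idm_users)
    return sorted(src - dst), sorted(dst - src)


def group_assignments(users, groups, assign_all_to=None):
    """Pick one group per user, as the Add Users step does.

    Returns (assigned, ambiguous). A user in no group maps to None (the
    NONE access policy group); a user in several groups is ambiguous unless
    assign_all_to names one of them ("Assign all users to selected group").
    """
    membership = defaultdict(list)
    for gname, g in groups.items():
        for m in g["members"]:
            if m in users:
                membership[m].append(gname)
    assigned, ambiguous = {}, {}
    for user in users:
        choices = membership.get(user, [])
        if len(choices) <= 1:
            assigned[user] = choices[0] if choices else None
        elif assign_all_to in choices:
            assigned[user] = assign_all_to
        else:
            ambiguous[user] = choices
    return assigned, ambiguous
```

Running plan_sync() against the current IDM user list before committing reproduces the Add Users and Remove Users windows, and dangling_members() catches the common hand-edited-XML mistake of a Member whose User element was never written, which would otherwise silently leave that person without a policy group.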

3-76

4

Using the Secure Access Wizard

Chapter Contents

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Supported Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2

Using Secure Access Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3

4-1

Overview

The Secure Access Wizard (SAW) feature in IDM is designed to simplify the initial setup of IDM by reducing the complexity of securing the network edge. SAW facilitates the process of securing the network edge by targeting a group of devices and using a highly intuitive GUI to configure network access rather than configuring each device via CLI. Some major features of SAW include:

■ Setting the RADIUS server IP address and shared secret for a group of devices.

■ Setting the authentication methods for a group of devices.

■ Configuring the authentication methods.

Once you have decided to deploy IDM, you need to secure the network edge by enforcing 802.1X, Web-Auth, MAC-Auth, or any combination of the three (if supported). Several steps are involved in securing an edge device; in no particular order they are:

■ All supplicant ports need to be configured with 802.1X, Web-Auth or MAC-Auth (preferably 802.1X for a more secure environment).

■ If 802.1X is chosen, the next step is choosing the authentication protocol, EAP or CHAP.

■ Enabling session accounting so that IDM correctly detects user login and log out.

■ Optionally setting the interim update period.

■ Optionally setting the re-authentication time-out.

■ Adding the RADIUS server and the shared secret (key).

■ Activating the port authenticator.

These steps need to be executed on all edge devices and will vary between wired and wireless devices.

Supported Devices

The Secure Access Wizard feature is supported on ProCurve devices that support use of the 802.1X, Web-Auth, and MAC-Auth access control methods. For a complete list of which features are supported on each device, refer to the tables in Appendix A under "Device Support for IDM Functionality".

4-2

Using Secure Access Wizard

NOTE: The following section provides instructions on using the Secure Access Wizard to configure access security settings on ProCurve devices that support port-based user authentication using 802.1X, Web-Auth, or MAC-Auth. For a more complete description of the implementation of these user authentication features, please refer to the Access and Security Guide for the switch. Switch guides are available on the Web at: http://www.hp.com/rnd/support/manuals.

1. To launch the Secure Access Wizard, select the option from the Tools menu on the global (PCM/IDM) toolbar.

This launches the Secure Access Wizard "Welcome" display.

Figure 4-1. Secure Access Wizard, Welcome display

When you first open the wizard, the Load Settings and Load template buttons are disabled. Once you have created and saved an access control configuration, these buttons will be enabled.

■ You can also launch the wizard by selecting a device in the PCM Devices list and clicking the Secure Access Wizard button in the tab toolbar, or

■ Right-click on a device node in the PCM navigation tree and select the Secure Access Wizard option in the right-click menu.


2. Click Next to continue to the Device Selection window.

Note: If you do not have a licensed copy of the ProCurve Mobility Manager software and there are wireless devices discovered by PCM, the Excluded Devices window displays, with the list of devices, model, and installed switch software version. Use the Device Capabilities link to determine if you can upgrade the device software to a version that will support the secure access settings.


Figure 4-2. Secure Access Wizard, Device Selection example

3. The Available Devices list is populated with all discovered ProCurve devices that support 802.1X authentication. You can filter the list to display devices for one device group (model) by selecting the device group from the pull-down menu.

Select a device (or devices) in the Available devices list, then click >> to move it to the Selected Devices list.

Tip: To begin, ProCurve recommends that you select only one or two devices, and then save the security access settings as a template that can be applied to other devices of the same type.


4. Click Next to continue to the next window.

5. If you selected one or more AP530 wireless devices, the 530 Group Configuration Check Step window appears and displays information about each selected AP530 that supports the group configuration feature. One AP530 will be selected as the Master device and will be the only AP530 configured. (The group configuration feature propagates the new settings from the Master device to the other AP530s, including those with group configuration disabled.)

Ensure the correct device is selected as the Master device and click Next. Or, to select another device as the Master device, check the Master device checkbox next to the desired device.

Figure 4-3. Secure Access Wizard, 530 Group Configuration example

6. Click Next to continue to the Authentication Method Selection window.

The Authentication Method Selection window lists the selected devices, and the authentication methods that can be used on each device. It lists the device name, model and software version installed. The device listing can be sorted according to device model, name, software version, or authentication method.

Authentication method support varies from device to device and between firmware versions. For example, some devices support two authentication methods per port while some devices only support one. For devices that support two authentication methods per port, the options are 802.1X and Web-Auth or MAC-Auth, so the Web-Auth and MAC-Auth columns are mutually exclusive for each row. Additionally, devices that do not support Web-Auth or MAC-Auth will have those cells disabled and displaying "Not supported".

Figure 4-4. Secure Access Wizard, Authentication Method Selection example

7. Click the check box to select the authentication method (802.1X, Web-Auth, or MAC-Auth) to be used for user (client) access to the device.

Click the Select All option at the top of the column to apply the same authentication method to all devices that support it. The button works as a toggle between the Select all and Unselect all options when clicked.

Some devices support simultaneous use of two authentication methods on a single port. The wizard will allow you to select only the combination of authentication methods allowed on the device type.

8. Click Next to continue to the Port Selection window.

The Port Selection window lists the devices for which you need to specify the ports where the access authentication will be applied. You can type each port number or click Select Ports to select them from a list.


Figure 4-5. Secure Access Wizard, Port Selection example

9. To select ports from a list, click the Select Ports button and then click the Select all button to select all ports, or check the Selected checkbox for each port to which the secure access settings will apply. Double-clicking a row selects or unselects the port.

Figure 4-6. Secure Access Wizard, Select Ports


When the desired ports are selected, click OK to validate and save your selections.

10. To manually enter port numbers, in the Port to secure field, type the ports to which the secure access settings will apply.

Enter any combination of single port numbers and port ranges separated by commas. For example, type A1,A3-A5,A7 to apply the access settings on ports A1, A3, A4, A5, and A7.

The port entries are validated, and if any entry is invalid a text message indicating the error appears below the data entry fields for the device.

The Ports that will not be secured field contains a read-only list of the ports excluded from the secure access settings. These typically include inter-switch ports, ports with an authentication method already configured, and ports connected to devices (such as printers) that do not support network access.

You can click Reset to clear all data and auto-populate the "Ports to secure" field with the ports on the device that can be secured. Ports that are excluded will appear in the "Ports that will not be secured" field.

Repeat the process for each device listed in the window. For a long list of devices, a scroll bar lets you move down the list as needed.
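The port-list syntax described above (single ports and ranges such as A1,A3-A5,A7) is simple enough to validate outside the wizard, for instance when preparing port lists for many devices in advance. The following Python is an added example, not code from IDM or this guide; the port-name grammar (an optional module letter followed by a number), the error texts and the excluded-port handling are assumptions modelled on the guide's description.

```python
import re

# Assumed port-name grammar modelled on the guide's "A1,A3-A5,A7" example:
# an optional module letter followed by a port number. Trunk names such as
# "Trk1" are deliberately not accepted by this example.
_PORT_RE = re.compile(r"^([A-Za-z]?)(\d+)$")


class PortSpecError(ValueError):
    """Raised for an entry the wizard would flag below the device's field."""


def _parse_port(token):
    """Split 'A3' into ('A', 3); module letter is normalised to upper case."""
    m = _PORT_RE.match(token)
    if not m:
        raise PortSpecError(f"invalid port name: {token!r}")
    return m.group(1).upper(), int(m.group(2))


def parse_port_spec(spec):
    """Expand 'A1,A3-A5,A7' into ['A1', 'A3', 'A4', 'A5', 'A7'].

    Entries are single ports or ranges separated by commas. A range must stay
    within one module (A3-A5, not A3-B2) and run from low to high. A port that
    is listed twice is reported rather than silently merged, so the operator
    sees the mistake before the settings are applied.
    """
    ports = []
    seen = set()
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            raise PortSpecError("empty entry (stray comma?)")
        if "-" in entry:
            lo_s, hi_s = entry.split("-", 1)
            lo_mod, lo_num = _parse_port(lo_s.strip())
            hi_mod, hi_num = _parse_port(hi_s.strip())
            if lo_mod != hi_mod:
                raise PortSpecError(f"range {entry!r} spans modules")
            if lo_num > hi_num:
                raise PortSpecError(f"range {entry!r} runs high to low")
            expanded = [f"{lo_mod}{n}" for n in range(lo_num, hi_num + 1)]
        else:
            mod, num = _parse_port(entry)
            expanded = [f"{mod}{num}"]
        for port in expanded:
            if port in seen:
                raise PortSpecError(f"port {port} listed twice")
            seen.add(port)
            ports.append(port)
    return ports


def port_spec_error(spec):
    """Return the error text the wizard would display, or None if the entry is valid."""
    try:
        parse_port_spec(spec)
    except PortSpecError as exc:
        return str(exc)
    return None


def plan_ports(spec, excluded):
    """Split a request into the ports that will be secured and the ports left alone.

    `excluded` plays the role of the wizard's read-only "Ports that will not be
    secured" list (inter-switch links, ports with an authentication method
    already configured, printer ports and the like).
    """
    requested = parse_port_spec(spec)
    excluded = {p.upper() for p in excluded}
    secure = [p for p in requested if p not in excluded]
    skipped = [p for p in requested if p in excluded]
    return secure, skipped


if __name__ == "__main__":
    # Constructed sample input: the guide's own example plus an uplink (A24)
    # and one requested port (A5) that the switch reports as not securable.
    secure, skipped = plan_ports("A1,A3-A5,A7", excluded=["A5", "A24"])
    print("ports to secure:", secure)
    print("ports that will not be secured:", skipped)
    print("error for 'A5-A3':", port_spec_error("A5-A3"))
```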

11. Click Next to continue. The next window display will vary based on the devices and authentication methods selected.

• If you selected a wireless device, the WLAN selection window displays, as described in step 12.

• If you selected only wired devices, the authentication configuration window displays.
– For 802.1X, go to step 15.
– For Web-Auth, go to step 16.
– For MAC-Auth, go to step 17.

12. The WLAN selection window displays the list of Wireless devices you selected. Click a device to expand the list to show the WLANs (SSIDs) configured on the device.


Figure 4-7. Secure Access Wizard, WLAN Selection example

13. Click the check box for each SSID (WLAN) to which the secure access settings will be applied. (A check mark indicates the SSID is selected.)

Click the check box for the device to apply secure access settings to all SSIDs on the device.

14. Click Next to continue to the authentication configuration window:

• For 802.1X, go to step 15 (below).

• For Web-Auth, go to step 16.

• For MAC-Auth, go to step 17.

15. The 802.1X configuration window lets you select the authentication method to be applied in the secure access settings for the selected devices.


Figure 4-8. Secure Access Wizard, 802.1X Configuration display

The configuration options displayed will vary based on the selected device set: wired, wireless, or both.

a. Click the radio buttons to select the authentication method for the selected device types. Only one method can be applied.

For Wired devices the 802.1X authentication options are:
– Use EAP-capable RADIUS
– Use CHAP (MD5)-capable RADIUS

For Wireless devices the 802.1X authentication options are:
– WPA - TKIP
– WPA2 - TKIP
– WPA2 - CCMP (AES)
– WPA2 - Mixed mode AES-TKIP

You can refer to the "Using ProCurve Mobility Manager" chapter in the ProCurve Manager v2.3 Network Administrator’s Guide for a more complete description of the wireless (WLAN) security settings.

b. Click the Advanced Settings for Wired 802.1X to configure the advanced settings.


Figure 4-9. Secure Access Wizard, Advanced Settings for Wired 802.1X

c. Click the check box to select the setting to configure, then enter the parameter to be applied.

When a parameter is configured, the Reset to default values option is enabled. Click the link to restore the default advanced settings for wired 802.1X.

Advanced 802.1X settings for wired devices include:

TX period - The period of time the switch waits before retransmitting an EAPOL PDU (default 30 sec). Valid values are 1-65353.

Logoff period - The period of time (seconds) after which a client will be considered removed from the port for lack of activity. Disabled by default; valid values are 0-999999999, where 0 is disabled.

Supplicant timeout - The authentication server response timeout (default 30 sec). Valid values are 1 - 300.

Server timeout - The authentication server response timeout (default 30 sec). Valid values are 1-300.

Max requests - The maximum number of times the switch retransmits authentication requests. Valid values are 1-10, the default value is 2.


Re-auth period - The re-authentication timeout (in seconds, default 0), set to 0 to disable re-authentication. Valid values are 0-999999999.

Client limit - The maximum number of clients to allow on one port simultaneously; the default is 1.

Quiet period - The period of time the switch does not try to acquire a supplicant. Valid values are 0-65535, the default value is 60 sec.

Unauth-vid - The VLAN to which the port is assigned when the user has not been authorized by 802.1X authentication. Valid values are any defined VLAN; the default value is VLAN 1.

Auth-vid - The VLAN to which the port is assigned when the user has been authorized by 802.1X authentication. Valid values are any defined VLAN; the default value is VLAN 1.

If a device does not support the selected setting, the value you set will appear in the SAW display, but will not be configured on that device.

d. Click OK to save the advanced settings and close the window.

e. Click Next in the configuration window to continue to the Authentication Servers step.

16. The Web-Auth Configuration window lets you select the RADIUS authentication method to be applied in the secure access settings for Wireless Services Modules (2.x or higher).

Figure 4-10. Secure Access Wizard, Web-Auth Configuration


a. Click the radio button to select the RADIUS authentication protocol. Only one method can be applied, either:
– Use PAP-capable RADIUS server for Web-Auth
– Use CHAP-capable RADIUS server for Web-Auth

b. Click Advanced Settings for Wired Web-Auth to configure the advanced settings for Web-Auth on wired devices (see Figure 4-11).

c. Click the check box to select the setting to configure, then enter the parameter to be applied.

When a parameter is configured, the Reset to default values option is enabled. Click the link to restore the default advanced settings for wired Web-Auth.

Figure 4-11. Secure Access Wizard, Advanced Wired Web-Auth

Advanced Web-Auth settings for wired devices include:


DHCP address and mask - The base address and mask for the temporary address pool used by DHCP (the default base address is 192.168.0.0 and the default mask is 24, i.e. 255.255.255.0).

Redirect URL - The URL that the user should be redirected to after successful login. The default is no redirect (blank field).

DHCP lease - The lease length (days) of the IP address issued by DHCP (default 10). Valid values are 5-25.

Client limit - The maximum number of clients to allow on one port simultaneously; the default is 1.

Re-auth period - The re-authentication timeout (in seconds, default 0), set to 0 to disable re-authentication. Valid values are 0-999999999.

Logoff period - The period of time (seconds) after which a client will be considered removed from the port for lack of activity. Disabled by default; valid values are 0-999999999, where 0 is disabled.

Quiet period - The period of time the switch does not try to acquire a supplicant. Valid values are 0-65535, the default value is 60 sec.

Max retries - The number of times a client can enter their credentials before authentication is considered to have failed (default 3). Valid values are 1-10.

Server timeout - The authentication server response timeout (default 30 sec). Valid values are 1-300.

Max requests - The maximum number of times the switch retransmits authentication requests. Valid values are 1-10, the default value is 2.

Unauth-vid - The VLAN to which the port is assigned when the user has not been authorized by web authentication. Valid values are any defined VLAN, the default value is VLAN 1.

Auth-vid - The VLAN to which the port is assigned when the user has been authorized by web authentication. Valid values are any defined VLAN, the default value is VLAN 1.

SSL login - Whether to allow SSL login (HTTPS on port 443). This is disabled (No) by default.

Allow client moves - Set whether to allow client moves between ports. The default is disabled (No).

If a device does not support the selected setting, the value you set will appear in the SAW display, but will not be configured on that device.

d. Click OK to save the advanced settings and close the window.


e. Click Next in the configuration window to continue to the Authentication Servers step.

17. The MAC-Auth Configuration window lets you select the MAC Address format to be applied for RADIUS requests in the secure access settings for the selected devices.

Figure 4-12. Secure Access Wizard, MAC-Auth Configuration display

a. Click the radio button to select the MAC address format.

b. Click Advanced Settings for Wired MAC-Auth to configure the advanced settings for MAC-Auth on wired devices.

Figure 4-13. Secure Access Wizard, Advanced (wired) MAC-Auth settings

c. Click the check box to select the setting to configure, then enter the parameter to be applied. When a parameter is configured, the Reset to default values option is enabled. Click the link to restore the default advanced settings for wired MAC-Auth.

Advanced MAC-Auth settings for wired devices include:

Address limit - The port's maximum number of authenticated MAC addresses, default is 1.

Re-auth period - The re-authentication timeout (in seconds, default 0), set to 0 to disable re-authentication. Valid values are 0-999999999.

Logoff period - The period of time (seconds) after which a client will be considered removed from the port for lack of activity. Disabled by default; valid values are 0-999999999, where 0 is disabled.

Quiet period - The period of time the switch does not try to acquire a supplicant. Valid values are 0-65535, the default value is 60 sec.

Max requests - The maximum number of times the switch retransmits authentication requests. Valid values are 1-10, the default value is 2.

Server timeout - The authentication server response timeout (default 30 sec). Valid values are 1-300.

Allow address moves - Whether an authenticated MAC address can move between ports. The default is disabled (No).


Unauth-vid - The VLAN to which the port is assigned when the user has not been authorized by MAC authentication. Valid values are any defined VLAN, the default value is VLAN 1.

Auth-vid - The VLAN to which the port is assigned when the user has been authorized by MAC authentication. Valid values are any defined VLAN, the default value is VLAN 1.

If a device does not support the selected setting, the value you set will appear in the SAW display, but will not be configured on that device.

d. Click OK to save the advanced settings and close the window.

e. Click Next in the configuration window to continue to the Authentication Servers step.

18. The next step for configuring Secure Access Settings is to define the Authentication Servers that will be used.

Figure 4-14. Secure Access Wizard, RADIUS Servers configuration

The Authentication Servers step lets you enter the IP addresses of the RADIUS servers to be used for authentication. Most ProCurve devices support three RADIUS servers, but some, such as the wireless products, support only two.

a. Click the check box for a RADIUS server to enable the server IP address field, and then enter the IP address for the server.

The IP address will be validated. If it is invalid or a duplicated IP, a text message indicating the error is displayed. You cannot continue until a valid IP address is entered.


Note: If you had previously configured other RADIUS servers for authentication with the device, that information will be overwritten by the Secure Access Wizard. The SAW will attempt to remove enough currently configured RADIUS servers to “make room” for the ones configured in the SAW. So, if you already have three RADIUS servers configured on a device and then configure two new RADIUS servers via the SAW, when the settings are applied the SAW will remove the first two servers from the device configuration.
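Because the wizard overwrites existing RADIUS servers rather than appending to them, it is worth predicting the outcome before the settings are applied. The Python below is an added example, not IDM code: it reproduces the address validation the guide describes (invalid or duplicate IPs are rejected) and the "make room" rule from the note above. The per-device capacities (three servers for most devices, two for wireless products) come from the guide; the order of the resulting list (kept servers first, then the new ones) is an assumption.

```python
import ipaddress

# Capacity per device class as stated in the guide: most ProCurve devices take
# three RADIUS servers, the wireless products two.
RADIUS_CAPACITY = {"wired": 3, "wireless": 2}


def validate_radius_servers(addresses):
    """Mirror the wizard's check on the Authentication Servers step.

    Every entry must be a valid IPv4 address and no address may be listed
    twice. Returns the list of error strings, empty when all entries pass.
    """
    errors = []
    seen = set()
    for raw in addresses:
        try:
            ip = ipaddress.IPv4Address(raw.strip())
        except ipaddress.AddressValueError:
            errors.append(f"{raw!r} is not a valid IP address")
            continue
        if ip in seen:
            errors.append(f"{ip} is a duplicate")
        seen.add(ip)
    return errors


def plan_radius_servers(existing, new, device_class):
    """Predict the device's RADIUS server list after SAW applies `new`.

    Per the guide's note, SAW removes as many of the currently configured
    servers as needed, starting with the first one, to make room for the new
    servers. Returns (kept_existing, removed_existing, final_list); the
    ordering of final_list (kept first, then new) is an assumption.
    """
    capacity = RADIUS_CAPACITY[device_class]
    errors = validate_radius_servers(new)
    if errors:
        raise ValueError("; ".join(errors))
    if len(new) > capacity:
        raise ValueError(f"{device_class} devices hold at most {capacity} RADIUS servers")
    room = capacity - len(new)
    # Keep the last `room` existing entries; everything before them is removed.
    keep = existing[max(0, len(existing) - room):] if room else []
    removed = existing[: len(existing) - len(keep)]
    return keep, removed, keep + new


if __name__ == "__main__":
    # Constructed sample: a switch already carrying three servers, with two
    # new ones entered in the wizard (the exact case from the guide's note).
    current = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    entered = ["10.0.1.1", "10.0.1.2"]
    kept, dropped, final = plan_radius_servers(current, entered, "wired")
    print("servers removed by SAW:", dropped)
    print("resulting configuration:", final)
```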

19. Click Next to continue to the RADIUS Server Shared Secret window.

Figure 4-15. Secure Access Wizard, RADIUS Shared secret display

20. If you want to use the same RADIUS shared secret (password) for all the selected devices, click the Use for all devices check box.

Enter the RADIUS shared secret to be used for access authentication. Re-enter the shared secret in the Confirm shared secret field.


If not using the same shared secret on all the devices, enter the RADIUS shared secret for each device in the list. Use the scroll bar as needed to move down the list. You will not be able to continue until the RADIUS shared secret is set for each device in the list.

21. When you have entered the RADIUS shared secret, click Next to validate your entries and continue to the Save Settings (selection) window.

Figure 4-16. Secure Access Wizard, Save Settings selection

22. Click the Save settings... or Save as template... link to launch the Save Settings dialog and provide a name for the saved settings file.

The data fields are the same for both the Save Settings and Save Template dialogs.


Figure 4-17. Secure Access Wizard, Save Settings dialog

23. Type in a Name to apply to the secure access settings file, and (optionally) a description.

You can use the same name for a "save template" and a "save settings" file, but no two "saved templates", or "saved settings" files can have the same name.

24. Click the check box to select the Include RADIUS shared secrets option if you want the shared secrets you specified included in the saved settings file. This option is not available if no RADIUS server IP address was entered in the access settings.

Note: The “include shared secrets” option is only applicable for settings. Also, these settings are saved to PCM's database, and not saved to a separate file.

25. Click OK to save the file name and close the dialog, and return to the Save Settings window.

When the security settings are saved, the next time the user launches the Secure Access Wizard, the buttons in the Welcome dialog (figure 4-1 on page 4-3) will be enabled. Clicking the buttons will launch the Save Settings dialog with the list of saved configurations. You can then select the saved access security settings for editing or to be deleted.

26. Click Next in the Save Settings window to continue to the Configuration Preview.


Figure 4-18. Secure Access Wizard, Configuration Preview display

27. Review the access security configuration settings, using the scroll bar as needed to move through the information.

28. If the configurations are correct, click Next to apply the settings to the devices.

If you need to change something in the configuration, use the Back button(s) to return to the step where edits will be made, or click Cancel to exit the wizard without saving the secure access settings.

29. After you click Next in the Configuration Preview screen, the Applying Security Settings window displays.


Figure 4-19. Secure Access Wizard, Applying Settings status

This window displays the progress of applying the security settings to the selected devices, and will indicate if any errors occur during the process.

Click the View Log button to display process status messages and errors.

Click Abort to halt application of the security settings before the process is started on the next device in the list. Once started, the process will be completed for the current device, regardless of the Abort request.


5

Troubleshooting IDM

Chapter Contents

IDM Events . . . . . . . . . . . . . . . . 5-2
Pausing the Events Display . . . . . . . . 5-4
Using Event Filters . . . . . . . . . . . . 5-4
Viewing the Events Archive . . . . . . . . 5-6
Setting IDM Event Preferences . . . . . . . 5-8
Using Activity Logs . . . . . . . . . . . . 5-10
Using Decision Manager Tracing . . . . . . 5-11
Miscellaneous . . . . . . . . . . . . . . . 5-12


IDM Events

The IDM Events window is used to view and manage IDM events generated by the IDM application or the IDM Agent installed on a RADIUS server. This window helps you quickly identify IDM-related problems in your network.

To view the IDM events, click the Events tab in the IDM Home display.

Figure 5-1. IDM Events tab display

The IDM Events tab works similarly to the PCM Events tab. It lists the IDM events currently contained in the database. By default the listing is categorized by the level of severity.


Sortable columns of information are available for each event; the columns are described below.

You can sort the Events listing by Source, Severity, Status or Date. Click the desired column heading to sort in descending order. Click the column heading again to sort in ascending order. A down pointer in the column heading indicates descending order, and an up pointer indicates ascending order.

The Event Log is trimmed at the level specified in the IDM Preferences window; by default there will be 1000 events in the event log.

Select an event in the Events listing to display the Event Details at the bottom of the window.

Figure 5-2. IDM Event Details

Column headings:

Source - The name or IP address of the component or device that generated the event.

Severity - The severity of the event. Events are categorized into five levels of severity.

Status - Whether the event has been acknowledged. A check mark in the blue square indicates that the event has been acknowledged. NOTE: The Status column shows only unacknowledged events if events are deleted automatically after being acknowledged. See IDM Event Settings for additional information.

Date - The date and time when the event occurred, given in MM/DD/YY/HH:MM format.

Description - A short description of the event, derived from a list of predefined descriptions based on the event type.


The details provide additional event description information. The details will vary based on the type of event. Use the scroll bar or drag the top border of the Event Details section to review the entire event description.

Acknowledging an event indicates that you are aware of the event but it has not been resolved. Depending on the IDM event settings, the event is then removed from the event list or the status of the event is updated in the Events window.

To acknowledge an event:

1. Click the Events tab on the IDM Dashboard window to navigate to the IDM Events window.

2. Select the events to be acknowledged.

3. Click the Acknowledge Event icon in the toolbar.

To delete an IDM event:

1. Click the Events tab on the IDM Dashboard window to display the IDM Events window.

2. Select the event(s) to be deleted.

3. Click the Delete Event icon in the toolbar.

Deleting an event removes the event from the Events list and reduces the Event count in the IDM Dashboard window.

Pausing the Events Display

The events table entries continuously scroll to display the events just received. You can pause the display if needed to review event text. Simply click the "Pause" button in the events toolbar.

The Pause will toggle to the "Resume" icon. Click the resume button to restart the events display. The button will toggle back to the Pause icon.

Using Event Filters

The events shown in the Events tab view can be filtered to show only specific events based on the device that generated the event, severity, dates and times of occurrence, or description.

Use the "Filters" section at the top of the Events tab to create the filter. You can use any single parameter, or a combination of parameters.


Figure 5-3. Events Filter display

■ To filter by Source, type in the Source type or name that you want to include. Events from all other sources will be excluded.

■ To filter by Description, type in the description text you want to include. Events that do not have the text in the description will be excluded.

■ To filter by date and time, use the From: and To: fields to enter the starting date and time (From), and ending date and time (To), that you want to include. Click to select the Enable date filter option. All events that occur before or after the date and time set in the date filter will be excluded from the event list.

You can type in a date and time, or use the calendar button to select the date, then highlight the time and use the buttons to increase or decrease hours and minutes.

■ To filter by event severity, use the sliding scale to select the events to be included. As you move the slide from left to right, event types to the left of the slider are excluded from the display.

■ Click the checkbox to select the Acknowledged events filter option. Events that are not acknowledged will be excluded from the display.
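The filter semantics described in the list above, as an added example that is not part of this guide or of the IDM product: a Python model of an event record with the columns the guide lists (Source, Severity, Date Received, Description, acknowledged state) and a filter with the same controls (Source, Description, From/To with the Enable date filter option, the severity slider, Acknowledged events). Case-insensitive substring matching for Source and Description, the `Event` and `EventFilter` names and the sample events are assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Severity levels as the guide lists them, lowest to highest.
SEVERITIES = ["Informational", "Warning", "Minor", "Major", "Critical"]


@dataclass
class Event:
    """One row of the Events table (constructed record, not real IDM output)."""
    source: str
    severity: str
    received: datetime
    description: str
    acknowledged: bool = False


@dataclass
class EventFilter:
    """The Filters section: any field left at its default excludes nothing.

    min_severity models the severity slider: severities to the left of the
    slider position are excluded. Source and Description use case-insensitive
    substring matching (an assumption; the guide only says "type in the text").
    """
    source: Optional[str] = None
    description: Optional[str] = None
    date_from: Optional[datetime] = None
    date_to: Optional[datetime] = None
    date_filter_enabled: bool = False      # the "Enable date filter" option
    min_severity: str = "Informational"
    acknowledged_only: bool = False        # the "Acknowledged events" option

    def matches(self, ev: Event) -> bool:
        if self.source and self.source.lower() not in ev.source.lower():
            return False
        if self.description and self.description.lower() not in ev.description.lower():
            return False
        # From/To are only honoured when the date filter is enabled.
        if self.date_filter_enabled:
            if self.date_from and ev.received < self.date_from:
                return False
            if self.date_to and ev.received > self.date_to:
                return False
        if SEVERITIES.index(ev.severity) < SEVERITIES.index(self.min_severity):
            return False
        if self.acknowledged_only and not ev.acknowledged:
            return False
        return True


def apply_filter(events: List[Event], flt: EventFilter) -> List[Event]:
    """Return the events that would remain in the Events tab view."""
    return [ev for ev in events if flt.matches(ev)]


# Constructed sample events.
SAMPLE_EVENTS = [
    Event("10.0.0.5", "Informational", datetime(2008, 5, 1, 9, 0), "User jdoe logged in", True),
    Event("10.0.0.5", "Warning", datetime(2008, 5, 1, 9, 5), "USER_FAILED_LOGIN for jdoe"),
    Event("radius-1", "Major", datetime(2008, 5, 2, 14, 30), "RADIUS server unreachable"),
    Event("10.0.0.7", "Critical", datetime(2008, 5, 3, 8, 0), "IDM Agent not responding", True),
]


def demo_warning_and_above_first_two_days() -> List[str]:
    """Slider at Warning, date filter enabled for 1-2 May 2008."""
    flt = EventFilter(min_severity="Warning", date_filter_enabled=True,
                      date_from=datetime(2008, 5, 1), date_to=datetime(2008, 5, 2, 23, 59))
    return [ev.description for ev in apply_filter(SAMPLE_EVENTS, flt)]


def demo_dates_typed_but_not_enabled() -> int:
    """Same dates typed in, but Enable date filter left unchecked: dates are ignored."""
    flt = EventFilter(date_from=datetime(2008, 5, 1), date_to=datetime(2008, 5, 2, 23, 59))
    return len(apply_filter(SAMPLE_EVENTS, flt))
```

The second demo function is the check a practitioner most often needs: dates typed into From and To have no effect until the Enable date filter option is selected, so an unexpectedly long event list usually means that box was left unchecked.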

To save a defined filter:

1. Set the filter parameters.

2. Click the Save filter... button.

3. In the filter name pop-up, type in a name for the filter.

4. The filter settings are saved under the filter name, which appears in the Saved filters drop-down menu.

Once you save the filter definition, you can apply it at any time by selecting it from the Saved Filter drop down list.

Note that event filters configured in PCM 2.1 are not migrated to PCM 2.2.

Click the Clear filter settings link to restore the default event list display.

You can hide the Event Filters section by clicking the Hide Filters button in the toolbar. This button works as a toggle; click it again to display the filters.

Viewing the Events Archive

The Archived Events window lists details for each event in the Archive Log, which contains events that have been deleted. The events displayed can be filtered by the date the event was generated. The Archived Events window also lets you generate an Archived Events Report that can be saved to disk or printed.

Archiving of IDM events can be disabled on the IDM Event Preferences window. If archiving has been disabled, the Archived IDM Events window and report may not contain any events.

Click the Event Archive icon in the Events toolbar to display the Archived Events window.

Figure 5-4. IDM Event Archive display

The Archived Events window provides the following information for each event (the columns are described in the Column/Description table at the end of this section):

You can select the date range for displayed events by clicking the Date drop-down arrow and selecting the desired date range from the drop-down list. A new date range begins when PCM is restarted.

To further filter archived events, in the Filter field type the text of the filter you want to use. The display will list only events containing the filter text in any of the data fields.

To generate a report from the Event Archive:

To generate a report that can be printed or saved to disk, click Generate Report. This will create and display a report with the data from the Archive Event view.

To display the next page, click the > button in the bottom left corner. Or, to display the previous page, click the < button.

To print the report, click the print button and complete the standard Windows print screen.

To save the report to an .htm or .html file, click the save (disk) button, and complete the standard Windows save screen. Be sure to include the .htm or .html file extension in the filename.

By default the saved file location is Program Files/Hewlett-Packard/PNM/client.

To close the window, click the Windows X button in the upper right corner.

Column          Description

Source          System, or IP address of the device that originated the event

Severity        Severity level of the event: Informational, Warning, Minor, Major, Critical (listed in order of severity from lowest to highest)

Date Received   Time and date the event was received

Description     Descriptive information contained in the event

Setting IDM Event Preferences

Use the IDM Event Preferences to set up archiving and automatic deletion of events from the IDM Events tab and RADIUS Server Activity Logs.

To configure preference settings for IDM events:

1. Select the Identity Management, Events option in the Global Preferences window (Tools–>Preferences–>Identity Management–>Events) to display the IDM Events Settings window.

Figure 5-5. Preferences, IDM Events

2. Use the up or down arrow in the Max number of events field to increase or decrease the size of the events database that will be displayed. When the maximum number of events is exceeded, the oldest event is deleted to make room for the new event. The minimum number is 100, and the maximum number is 10,000.

3. To automatically remove acknowledged events from the Events table, click the Automatically delete acknowledged events box.

4. Click to select or deselect the Archive IDM events option.

5. Use the Severity Percentages to set the event types you want to maintain in the database. These percentages are based on the overall size set in the Max number of events field, and must total 100 percent. For example:

Figure 5-6. Setting Event Preferences: Severity Percentages

In the example in figure 5-6, if the Max number of events is set to 1000 and that number is exceeded:

• 600 Informational events will be maintained. If there are more than 600, the oldest Informational events will be archived to make space for new Informational events.

• 100 Warning events will be maintained. If there are more than 100, the oldest Warning events will be archived to make space for new Warning events.

• 100 Minor events will be maintained, and so on.

If you want to make sure you maintain all of the Critical and Major events, you can set the total of the two types to 100 (say 60 and 40 respectively), and set the other severity types to 0 percent. If the maximum of 1000 is exceeded, the first event types to get archived will be Informational, then Warning, then Minor, and so on as needed to maintain up to 600 Critical and 400 Major events in the event display.

6. Click Ok to save the IDM Event Settings and close the window.

IDM’s event archive is /server/logs/IDMEventMgrServer-ServerArchivedEvents.log under the installation directory. In a default installation the directory is /Program Files/Hewlett-Packard/PNM.
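Steps 5 and 6 above describe how the Severity Percentages decide what is archived once the Max number of events is exceeded. The following Python model is an added example, not code from IDM or this guide: it turns the percentages into a per-severity quota (Max number of events multiplied by the percentage) and, when the maximum is exceeded, archives the oldest events of the lowest severity that is over its quota first, which reproduces both the figure 5-6 walk-through and the "keep all Critical and Major" configuration described in the text. The `Event` record, the inputs built in the `demo_*` functions and the handling of integer-rounding remainders are assumptions made here.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Lowest to highest; this is also the order in which event types are archived.
SEVERITIES = ["Informational", "Warning", "Minor", "Major", "Critical"]


@dataclass(frozen=True)
class Event:
    """Constructed event record: seq grows with arrival order, so lower = older."""
    seq: int
    severity: str


def severity_quotas(max_events: int, percentages: Dict[str, int]) -> Dict[str, int]:
    """Convert the Severity Percentages into per-severity event counts.

    The percentages must cover every severity and total 100, as the dialog requires.
    """
    if set(percentages) != set(SEVERITIES):
        raise ValueError("a percentage is required for every severity")
    if sum(percentages.values()) != 100:
        raise ValueError("severity percentages must total 100")
    return {sev: max_events * pct // 100 for sev, pct in percentages.items()}


def enforce_retention(events: List[Event], max_events: int,
                      percentages: Dict[str, int]) -> Tuple[List[Event], List[Event]]:
    """Return (kept, archived). Nothing is archived until max_events is exceeded."""
    kept = sorted(events, key=lambda e: e.seq)
    archived: List[Event] = []
    if len(kept) <= max_events:
        return kept, archived
    quotas = severity_quotas(max_events, percentages)
    counts = Counter(e.severity for e in kept)

    def archive_oldest(sev: str) -> None:
        victim = next(e for e in kept if e.severity == sev)  # kept is sorted, so first = oldest
        kept.remove(victim)
        archived.append(victim)
        counts[sev] -= 1

    # Walk severities from lowest to highest and archive the oldest events of
    # any type that is over its quota, until the database fits again.
    for sev in SEVERITIES:
        while len(kept) > max_events and counts[sev] > quotas[sev]:
            archive_oldest(sev)
    # Integer rounding can make the quotas total slightly less than max_events;
    # if the database is still too large, keep archiving from the lowest severity present.
    while len(kept) > max_events:
        archive_oldest(next(sev for sev in SEVERITIES if counts[sev]))
    return kept, archived


def demo_figure_5_6_style() -> List[int]:
    """Percentages like figure 5-6 (60/10/10/10/10) with Max number of events = 10.

    Informational is under its quota of 6 and is left alone; Warning is over its
    quota of 1, so its two oldest entries are archived until only 10 remain.
    """
    events = ([Event(i, "Informational") for i in range(5)]
              + [Event(i, "Warning") for i in range(5, 9)]
              + [Event(i, "Critical") for i in range(9, 12)])
    pct = {"Informational": 60, "Warning": 10, "Minor": 10, "Major": 10, "Critical": 10}
    _, archived = enforce_retention(events, 10, pct)
    return [e.seq for e in archived]


def demo_keep_critical_and_major() -> List[int]:
    """The guide's 'keep all Critical and Major' setting: 60/40, everything else 0."""
    events = ([Event(i, "Informational") for i in range(4)]
              + [Event(i, "Warning") for i in range(4, 7)]
              + [Event(i, "Major") for i in range(7, 10)]
              + [Event(i, "Critical") for i in range(10, 12)])
    pct = {"Informational": 0, "Warning": 0, "Minor": 0, "Major": 40, "Critical": 60}
    _, archived = enforce_retention(events, 10, pct)
    return [e.seq for e in archived]
```

The point the model makes visible is that the percentages are quotas, not a guarantee: Critical events are only safe from archiving while their count stays within Max number of events times their percentage, so a site that must retain every Critical and Major event should size Max number of events accordingly or keep the event archive enabled.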

Using Activity Logs

IDM also provides an Activity Log you can use to monitor events for specific RADIUS servers. To view the Activity Log for a RADIUS Server:

1. Expand the IDM tree to display the RADIUS Server node.

2. Select the RADIUS server, then click the Activity Log tab.

Figure 5-7. RADIUS Server Activity Log

The Activity Log provides information similar to the IDM Events, except that the entries are specific to the selected server. See “IDM Events” on page 5-2 for additional information. You can acknowledge and delete events, but you cannot "filter" entries in the Activity Log.

Using Decision Manager Tracing

IDM provides a tracing tool (DMConfig.prp) and log file (DM-IDMDM.log) to assist with troubleshooting IDM problems that may occur. These files are included on the IDM Agent when it is installed on the RADIUS server. Note that the Decision Manager (DM) is an internal component of the IDM Agent.

The default configuration has the tracing options turned off because of the performance degradation when tracing is used.

To turn on tracing, edit the DMConfig.prp file on the RADIUS server. The default directory location is \Program Files\Hewlett-Packard\PNM\agent\logs.

Available logging options in DMConfig.prp are:

Log_dm_cache = true/false: true logs IDM configuration deployment events, including the content of the configuration file data. The default is false; IDM configuration deployment logging is turned off.

Log_radius_requests = true/false: true logs RADIUS requests and the IDM Agent’s response to RADIUS. If the request is accepted, it also logs the access policy group, policy rule and access profile that is sent to RADIUS. The default is false; RADIUS requests are not logged.

Log_radius_acc_events = true/false: true logs session accounting events, such as session start and stop. The default is false; session events are not logged.

When logging is turned on, data is sent to the DM-IDMDM.log file. The default directory location is \Program Files\Hewlett-Packard\PNM\agent\logs.

Use this file for tracing purposes, to capture the following information:

■ What RADIUS requests are received and the IDM agent response to the request, including the time (in milliseconds) it took the IDM agent to serve the RADIUS request.

■ A list of accounting events (like session start/stop) being sent by RADIUS to the IDM agent, and whether or not the IDM agent could post them properly to the IDM server.

■ Configuration deployments to the IDM Agent, along with the actual configuration image.

Miscellaneous

For authenticating a MAC-Auth user using Funk Steel Belted RADIUS (SBR) with IDM, the password should be specified in lower-case (in the SBR User directory). If upper-case characters are used in the password, you may get the following error:

"MAC-Auth user gets rejected because of incorrect password".

The MAC-Auth user will be rejected by SBR and eventually by IDM 2.0.

You can use the validate tool on SBR to verify if the MAC-Auth user password is in lower-case. If it is not, enter the MAC-Auth user password (MAC Address itself), in lower case.

A

Using ProCurve Network Access Controller with IDM

About ProCurve Network Access Controller 800

The ProCurve Network Access Controller 800 (ProCurve NAC) provides a comprehensive access control solution. Used in conjunction with ProCurve Manager Plus and Identity Driven Manager applications, the ProCurve NAC serves to:

■ Protect the network and resources from unauthorized or harmful users and/or systems.

■ Provide adaptive and appropriate network access based on roles.

■ Enforce policies regarding required and prohibited software.

The ProCurve NAC appliance comes pre-loaded with FreeRADIUS server software, IDM Agent software, and Endpoint Integrity testing software, designed to provide more security for your network with less complexity.

The ProNAC appliance can be deployed as a complete access control solution, or you can use it to provide the RADIUS server for use with IDM for user authentication.

The ProNAC software includes a graphical user interface (GUI) you can access from within the PCM+ or IDM Windows displays. This interface can be used to configure parameters on the ProNAC appliance, including RADIUS, and full backup and restore. It also provides the interface to utilize the endpoint integrity testing available with licensed versions of the ProNAC software.

A five-user license is provided with the ProNAC appliance that allows you to access the GUI for basic configuration tasks. In order to apply the endpoint integrity solution to clients on your network, you will need to purchase additional ProNAC software licenses from your authorized HP ProCurve representative, or direct from ProCurve. Additional information is available on the Web at www.procurve.com.

Before You Begin

For information on installing the ProCurve NAC appliance, please refer to the ProCurve Network Access Controller 800 Hardware Install Guide, and/or the information provided with your "ProCurve Network Access Controller End-point Integrity Implementation Startup Service".

Use of the ProCurve NAC requires that you already have a licensed version of PCM+ 2.2 and IDM 2.2 installed.

The following section describes the support provided in PCM+ and IDM for basic management and configuration functions on the ProCurve NAC. For additional details on using the ProNAC endpoint integrity solution, please refer to the online help in the ProNAC GUI, or the ProCurve Network Access Controller 800 User’s Guide, available on the Web at www.hp.com/rnd/support/manuals.

Using the NAC Tab Displays

Once the ProCurve NAC appliance is installed on the network, PCM discovery will ’find’ the appliance and create a node in the PCM navigation tree. A folder for the ProCurve Network Access Controllers is also created in the IDM tree, under the Realms folder at the same level as a RADIUS server, with nodes for each NAC (master server) device.

Clicking on a device node in the ProCurve Network Access Controller group in the PCM display will launch the Device tabs display, with the addition of the NAC Home tab.

Clicking on a device node in the ProCurve Network Access Controller group in the IDM display will launch the same tabs as the RADIUS Servers display: a Properties tab and Activity (event log) tab, with the addition of the NAC Home, NAC Monitor, and NAC Activity tabs.

Figure A-1. Example of ProNAC device in IDM

Setting the ProCurve NAC GUI Login

In addition to the "NAC" tabs in the IDM window, the Global Preferences for Identity Management are expanded to include support for automatic login to the ProCurve Network Access Controller application via PCM and IDM.

Figure A-2. ProCurve NAC parameters in Preferences for Identity Management

The ProCurve NAC Web GUI Credentials allow you to enter a Username and Password for log in to the NAC Web GUI.

If you do not enter the ProCurve NAC login information in the Preferences for Identity Management, you will be prompted to enter your login name and password when you first access any of the "NAC" tabs from the IDM display.

Using the NAC Home Tab

The NAC Home tab launches the ProCurve NAC GUI within the IDM display.

Figure A-3. Network Access Controller (NAC Home) display.

From this point you can access all of the functionality provided with the ProCurve Network Access Controller application. For details on using the application, refer to the online help, or the ProCurve Network Access Controller 800 User’s Guide.

Using the NAC Monitor Tab

In addition to the NAC Home tab, integration of ProNAC 800 with IDM provides a NAC Monitor and NAC Configuration tab.

Click the NAC Monitor tab to launch the ProCurve NAC "System Monitor" window within the IDM display.

Figure A-4. ProCurve NAC 800 System Monitor (NAC Monitor) display.

The NAC Monitor window provides information on the Network Access Controllers deployed for the endpoint integrity solution, including: status for Enforcement Clusters, Enforcement Servers, access mode, endpoint test status, etc.

For additional details, refer to the online help, or the section describing the System Monitor in the ProCurve Network Access Controller 800 User’s Guide.

Using the NAC Configuration Tab

Click the NAC Configuration tab to launch the Network Access Controller 800 system configuration tab in the IDM display.

Figure A-5. ProCurve NAC 800 System Configuration (NAC Configuration) display.

The ProCurve NAC 800 System Configuration window provides access to the tools needed to configure the RADIUS server, as well as configuration of Servers, User accounts, Licensing, and Quarantining methods for use in endpoint integrity testing.

This window also provides access to Maintenance tools, including the system backup and restore functions. For a detailed description of available features, refer to the online help, or the ProCurve Network Access Controller 800 User’s Guide.

Regardless of your implementation of the ProCurve NAC 800 appliance, it is important that you perform a system backup on a regular schedule. This backup can then be used to restore the ProNAC system configuration and database files in the event of corruption or other error, or help to configure a new system in the event of an emergency.

Using Local Authentication Directory on ProCurve NAC

When using the ProCurve NAC 800 appliance for RADIUS authentication and the IDM Agent, you can enable a Local Authentication Directory for the realm that the ProCurve NAC supports.

To enable Local Authentication Directory on a ProCurve NAC:

1. Navigate to the Realm that contains the ProCurve NAC appliance, and then use the right-click menu to select the Modify Realm option, or

Click on the Realm that contains the ProCurve NAC appliance, and then click the "Modify Realm" button in the Properties tab toolbar.

This launches the Local Authentication Directory dialog.

Figure A-6. Modify Realm dialog with ProCurve NAC device support

2. Click the check box to Enable Local Authentication for ProCurve NAC devices. A check mark indicates the option is selected.

3. Click OK to save the configuration and close the window.

The Enable Local Authentication option will only appear if:

■ The RADIUS service for the realm is supplied by the RADIUS server on the ProCurve NAC appliance, and

■ The IDM Agent is installed on the same ProCurve NAC appliance as the RADIUS server.

Adding Locally Authenticated Users

The only difference in IDM between a user that is locally authenticated on a ProCurve NAC, and a user that is authenticated by an enterprise user directory is a password. That is, you must enter a password when creating a locally authenticated user. This is due to a NOT NULL constraint on the password column of the user table on the ProNAC database.

Once you enable the Local Authentication Directory, to add a "locally authenticated" user, navigate to the Users tab and click the New User or Modify User button to launch the user configuration dialog.

1. To launch the New User dialog:

a. Expand the Realms node in the IDM tree to display the ProCurve Network Access Controllers Node

b. Right-click on the Network Access Controller node and select the New User Option

Alternately, you can:

a. Expand the Realms node in the IDM tree to display the ProCurve Network Access Controllers Node

b. Click the node for the ProCurve Network Access Controller to display the appliances.

c. Click the node for the NAC appliance to display the Properties and Users tab, then click the Users tab.

d. Click the New User button in the toolbar.

You can also select a user in the Users tab then click the "Modify User" button to add or modify the password for existing users.

Figure A-7. User Properties, with Local Authentication Directory

2. Enter the user information as you regularly would (see “Adding New Users” on page 3-53), then click the Set password... link to launch the user password dialog.

3. Type in the Password that will be used for authentication on the local directory. Re-enter the same password in the Confirm Password field.

4. Click OK to save the password and close the dialog, and then click OK in the User configuration dialog to save the User and Password and close the window.

B

IDM Technical Reference

Device Support for IDM Functionality

Due to variations in hardware and software configuration of various ProCurve Devices, not all IDM [Access Profile] features are supported on all devices. The following table indicates IDM functionality supported by ProCurve Device type at the time this manual was printed.

For the 2600 series, release H.08.53 (or newer) of the device software is required for QoS support in IDM.

For the 2800 series, release I.08.55 (or newer) of the device software is required for QoS support in IDM.

The 9300 series and 6100 series are not "edge" switches and thus are not included in the table.

ProCurve unmanaged switches do not support IDM, including: 2700 series, 2300 series, 2124, and 408.

Please check the ProCurve Web site (www.procurve.com) for the latest information on supported features and devices.

IDM Functions by Device Type (X = supported):

Device Type                            VLAN  QoS  Bandwidth  Network Resources

5300xl series X X X X

4100gl series X

3400cl series X X X

2600 series, 2600PWR, 2800 series X X

2500 Series X

420 Wireless Access Point X

Support for Secure Access Wizard Feature

IDM Device Feature Matrix

Columns, in order: ACLs, VLAN, QoS, BW, MAC Auth, Web Auth, 802.1X, 802.1X port-based, 802.1X supplicant. An X marks a supported feature; a number in parentheses refers to the software revision notes below the table.

420 AP: X X X X (15)
520 AP:
530 AP: X X X X X X
2500 series: X (5) X X (6) X (6)
2600 series (PWR included): X X X (4) X (3) X X (7) X (7)
2800 series: X X X (2) X (2) X X (8) X (8)
3400cl: X X X X X X X (10) X (10)
3500: X X X X X X X X X
4100gl series: X X X (9) X (9)
4200: X X X X X X X X
6100 series: X (12) X (12)
6108: X X
6200: X X X X
6400cl: X X X X X X X
5300xl: X (1) X X X X X X X (11) X (11)
5400: X X X X X X X X X
9300: X (13)
9400: X (14)
WESM 1.0: X X
WESM 2.0: X X X

(1) requires software revision E.10.05 or greater
(2) requires software revision I.08.51 or greater
(3) requires software revision H.08.53 or greater
(4) requires software revision H.07.54 or greater
(5) requires software revision F.05.14 or greater
(6) requires software revision F.04.08 or greater
(7) requires software revision H.07.41 or greater
(8) requires software revision I.07.31 or greater
(9) requires software revision G.04.04 or greater
(10) requires software revision M.08.51 or greater
(11) requires software revision E.05.04 or greater
(12) requires software revision H.07.41 or greater
(13) requires software revision 07.1.24 or greater
(14) requires software revision 02.1.00c or greater
(15) requires software revision 2.1.0 or greater

Best Practices

Authentication Methods

The IDM application is designed to support RADIUS server implementation with 802.1x using supplicants, as well as Web-auth and MAC-auth. However, to gain the full benefits of using IDM, HP advises that you implement RADIUS using an 802.1x supplicant.

If you use Web-auth or MAC-auth, you can still use IDM to provide authorization and access control, but user session accounting will not work. This is because the current versions of Web-auth and MAC-auth on the ProCurve devices do not support session accounting features; specifically, the switches will not report session-stop events. If you are using Web-auth or MAC-auth, it is best to turn off session accounting. See “IDM Preferences” on page 2-36 for details. The drawback is that this will also disable the IDM usage reports.

Domain Names

If you are using Active Directory, and your standard Active Directory Domain Name is different from its pre-Windows 2000 Domain Name, then these two Domain Names may appear as different Realms to IDM. This will only be true if users log into IDM using different formats (e.g. "OLDDOMAIN\user" versus "user@NewDomain"). Under most circumstances, this will never be a problem.

It is best if the Active Directory Domain Name is the same as the pre-Windows 2000 format (e.g. use simple names without special characters). However, if this is not the case, you can mitigate the problem by having users log in using a standard format (either "DOMAIN\user" or user@domain, but not both).

Multiple RADIUS Server Implementation

If you are using multiple RADIUS servers, with users logging in through each, they should be discovered by IDM. However, if one of the servers is being used as a "back-up" system (not just for load-balancing), the back-up server may not appear correctly in IDM. This is because IDM is not "aware" of the server until a user logs into it.

You can use the manual configuration method to define the RADIUS server to IDM. See “Deleting RADIUS Servers” on page 3-52 for details. The server will then appear in the IDM tree, and event logs for the server are available.

Handling Unknown or Unauthorized users

If a user is authenticated in RADIUS, but is unknown to IDM, IDM will not override RADIUS authentication and default switch settings, unless you configure it to do so. Also, if IDM rejects the user, but you have set "unauth-vid", then the port will still be opened and the VLAN will be set to the unauth-vid. You can also create a "guest" profile in IDM to provide limited access for unknown users.

Allowing vs. Rejecting Access

When evaluating the rules for the Access Policy Group when a user logs in, IDM is looking to match all three of the parameters (Location, Time, System). If it does not get a match on all three, it will go to the next rule in the list. When a match on all three parameters is found, the Access Profile for that rule is applied.

There are two ways to look at the process of restricting user access using Access Profiles in Access Policy Group (APG) rules.

A. Create rules that allow access.

B. Create rules that reject access.

For example, to create an APG to allow access during the standard work week, you can create a Time that defines the work week, then create an Access Policy to be applied during that time. In this example, a Default policy was created. The APG to allow user access during the work week would then look like this:

Users in the group will be allowed access as long as they are logging in during the times set for the Work week. At any other time, the user will be denied access, and an IDM event will be logged for the reason that no matching rules were found in the APG.

To create a rule that denies access on the weekend, while allowing access during the work week, you will need a Time to define the weekend. You will also need an Access Policy to define the access at all other times. In the Access Policy Group, you would enter two rules, similar to the following:

In this instance, if the user attempts to log in during the times specified for the Weekends, they will be rejected, and an IDM event will be logged indicating that the APG had a specific Reject rule set to deny access.

If the user logs in at times not specified for the weekend, since the time in the first rule does not match, IDM moves to the second rule. Since all parameters match, the user is allowed on the network and the "Default" Access Profile settings are applied at the switch.

The other important piece in this process is the order of the rules. In the second example, if you change the order of the rules, users would be allowed access all the time.

The two examples above are quite simple. However, in instances where you want to be able to restrict user access to specific areas of the network at specific times, or restrict network resources to users at specific times and locations, the decision to use the "allow" vs. "reject" method and the ordering of the rules becomes more complex.
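The rule evaluation described above (a rule matches only when Location, Time and System all match, the first matching rule's Access Profile is applied, and rule order decides the outcome), as an added example that is not code from IDM or this guide. The reason codes returned for denied access are the ones listed under "Types of User Events" later in this appendix; `ACCEPTED = 0`, the `ANY` wildcard, the `TimeWindow` and `Rule` records and the sample login times are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Reason codes for denied access, as listed under "Types of User Events".
APG_NOT_FOUND = 6
NO_RULES_IN_APG = 7
NO_RULES_MATCH = 11
REJECT_PROFILE = 12
ACCEPTED = 0          # constructed for this example; not one of the guide's codes

ANY = "ANY"           # assumed wildcard for "any Location" / "any System"


@dataclass(frozen=True)
class TimeWindow:
    """A Time definition: days of week (0 = Monday) and an hour range [start, end)."""
    days: frozenset
    start_hour: int = 0
    end_hour: int = 24

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour


WORK_WEEK = TimeWindow(frozenset({0, 1, 2, 3, 4}), 8, 18)
WEEKEND = TimeWindow(frozenset({5, 6}))
ANY_TIME = TimeWindow(frozenset(range(7)))


@dataclass(frozen=True)
class Rule:
    """One APG rule: all three constraints must match for the rule to apply."""
    location: str           # Location name, or ANY
    time: TimeWindow
    system: str             # System name, or ANY
    profile: str            # Access Profile to apply; "Reject" denies access

    def matches(self, location: str, when: datetime, system: str) -> bool:
        return (self.location in (ANY, location)
                and self.time.contains(when)
                and self.system in (ANY, system))


def evaluate_apg(rules: Optional[List[Rule]], location: str, when: datetime,
                 system: str) -> Tuple[int, Optional[str]]:
    """Walk the rules in order; the first rule whose three parameters all match decides.

    Returns (reason_code, profile_name); profile_name is None when access is denied.
    """
    if rules is None:
        return APG_NOT_FOUND, None
    if not rules:
        return NO_RULES_IN_APG, None
    for rule in rules:
        if rule.matches(location, when, system):
            if rule.profile == "Reject":
                return REJECT_PROFILE, None
            return ACCEPTED, rule.profile
    return NO_RULES_MATCH, None


# First example from the text: one rule that allows access during the work week.
ALLOW_WORK_WEEK = [Rule(ANY, WORK_WEEK, ANY, "Default")]

# Second example: a Reject rule for the weekend, then a Default rule at all other times.
REJECT_WEEKEND_THEN_ALLOW = [Rule(ANY, WEEKEND, ANY, "Reject"),
                             Rule(ANY, ANY_TIME, ANY, "Default")]

# The same two rules in the wrong order: the any-time rule matches first,
# the Reject rule is never reached, and users are allowed access all the time.
MISORDERED = list(reversed(REJECT_WEEKEND_THEN_ALLOW))

TUESDAY_10AM = datetime(2008, 5, 6, 10, 0)     # 2008-05-06 is a Tuesday
SATURDAY_10AM = datetime(2008, 5, 10, 10, 0)   # 2008-05-10 is a Saturday
```

The two event outcomes the text distinguishes fall out of the return codes: the allow-only APG denies a Saturday login with NO_RULES_MATCH, while the Reject-then-allow APG denies it with REJECT_PROFILE, and the misordered APG accepts it. Checking a proposed rule set against a few such logins before deploying it is the cheapest way to catch an ordering mistake.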

Rate-Limiting

The option for rate-limiting using the Bandwidth option in Access Profiles works like this:

• When the Access Profile is applied, IDM sends a rate-limit in Kbps to the switch.

• The switch takes the value passed from IDM and converts it to a rate percentage, based on the port link speed.

If the value passed to the switch by IDM is greater than the port link speed, the switch will ignore the parameter received from IDM. To avoid problems, avoid using low rate-limit policies on the switch, or make sure that the IDM rate-limits do not exceed the link speeds of ports in your network.

Types of User Events

The USER_FAILED_LOGIN event happens whenever RADIUS sends IDM a message of an unsuccessful login. This can have various sources, which you can review in the Event Details. It can be either because IAS didn’t let the user log in (bad username, password, etc.) or because IDM rejected the login.

The IDM reasons for denied access that are currently defined include:

//Port is missing or invalid port
public static int INVALID_PORT = 1;

//Switch information is missing or invalid switch ip address
public static int INVALID_SWITCH_IP = 2;

//User name is missing or invalid user name
public static int INVALID_USER_NAME = 3;

//Unknown Realm for DM
public static int REALM_NOT_FOUND = 4;

//Realm config data is not found in DM cache
public static int REALM_CACHE_NOT_FOUND = 5;

//Access policy group is not found for a user
public static int APG_NOT_FOUND = 6;

//An access policy group doesn't have any policy rules
public static int NO_RULES_IN_APG = 7;

//Time constraint is not satisfied
public static int TIME_DOES_NOT_PERMIT = 8;

//Location constraint is not satisfied
public static int LOCATION_DOES_NOT_PERMIT = 9;

//Unknown user to IDM DM
public static int UNKNOWN_USER = 10;

//No rules in APG can allow user to login to network
public static int NO_RULES_MATCH = 11;

//Reject profile encountered
public static int REJECT_PROFILE = 12;

//Unknown reason
public static int UNKNOWN_REASON = 20;

For additional information, refer to the MS IAS documentation to see what the possible values are for user logins that are rejected or failed by RADIUS.
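As an added example (not IDM code), the first-match Access Policy Group evaluation described earlier in this appendix, with the outcome expressed in the IDM reason codes listed above: it shows the Weekends Reject rule ahead of a catch-all Default rule, and the same two rules in the opposite order. The Time names, the rule structure, the location handling and the reason code used when no rule matches are assumptions made for the example.

```python
import datetime

# Reason codes exactly as listed in the guide above
REJECT_PROFILE = 12
NO_RULES_MATCH = 11

# Constructed stand-ins for IDM "Times": datetime.weekday() gives Saturday=5, Sunday=6
TIMES = {
    "Any": lambda when: True,
    "Weekends": lambda when: when.weekday() in (5, 6),
}

def rule_matches(rule, when, location):
    """A rule matches only when every constraint on it (time, location) is satisfied."""
    if not TIMES[rule.get("time", "Any")](when):
        return False
    if rule.get("location", "Any") not in ("Any", location):
        return False
    return True

def evaluate_apg(rules, when, location="Any"):
    """First-match evaluation: walk the rules in order and stop at the first match.
    Returns ("ALLOW", profile) or ("REJECT", reason_code). Assumption for this
    example: a login that matches no rule at all is reported as NO_RULES_MATCH."""
    for rule in rules:
        if not rule_matches(rule, when, location):
            continue                      # constraint not satisfied: try the next rule
        if rule["profile"] == "Reject":
            return ("REJECT", REJECT_PROFILE)
        return ("ALLOW", rule["profile"])
    return ("REJECT", NO_RULES_MATCH)

# Constructed APG mirroring the second example: Reject on Weekends, then Default for all else
WEEKEND_REJECT_FIRST = [
    {"time": "Weekends", "profile": "Reject"},
    {"time": "Any", "profile": "Default"},
]
# The same two rules in the opposite order: the catch-all now matches first, always
DEFAULT_FIRST = list(reversed(WEEKEND_REJECT_FIRST))

SATURDAY = datetime.datetime(2008, 5, 3, 10, 0)   # a weekend login
MONDAY = datetime.datetime(2008, 5, 5, 10, 0)     # a weekday login

if __name__ == "__main__":
    print(evaluate_apg(WEEKEND_REJECT_FIRST, SATURDAY))  # ('REJECT', 12)
    print(evaluate_apg(WEEKEND_REJECT_FIRST, MONDAY))    # ('ALLOW', 'Default')
    print(evaluate_apg(DEFAULT_FIRST, SATURDAY))         # ('ALLOW', 'Default')
```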

B-6


Index

Numerics

802.1X configuration, SAW 4-9

A

Access Attributes 3-26
Access attributes 3-27
Access Information 2-32
Access Policy
    order 3-38
Access Policy Group 3-35
    Assignments 3-44
    delete 3-41
    edit 3-41
    new 3-36, 3-39
    working with B-4
Access Profile 3-24
    attributes 3-27
    delete 3-34
    edit 3-33
    new 3-26
    override 3-27
    parameters 3-27
Access Security settings
    deleting, editing 4-20
Active directory import 3-57
Active Directory Synchronization 2-38
Add or Remove Groups 2-40
AD Sync
    remove groups 2-41
Advanced Settings for Wired 802.1X 4-10
Advanced Settings for Wired MAC-Auth 4-15
Advanced Settings for Wired Web-Auth 4-13
Agent, IDM 1-6
Allowing access B-4
Anonymous Authentication 3-71
APG 3-35
APG, assign user 3-43
Authentication 1-8
Authentication Method Selection 4-5
Authentication Methods B-3
Authentication Server 1-8
Authentication Servers, SAW 4-17
Authorization 1-8

B

Bandwidth 1-8
Bandwidth Usage Report 2-17

C

Configuration Model 3-3
Configuration Report 2-16

D

Decision Manager 1-7
    delete 3-12
Deploy IDM configurations 3-49
Digest-MD5 authentication 3-67
Disable user 2-32
Domain Names B-3

E

Edge Device 1-8
Endpoint integrity
    enabling 2-37
Endpoint Integrity State 2-18
Endpoint Integrity support 3-39
Event Preferences 5-8
Events 5-2
    acknowledge 5-4
    delete 5-4
    filtering 5-4
    types B-6
Excluded Devices, SAW 4-4
External authentication 3-69

F

Friendly port names 3-22

G

Global Rule 3-46

Index–1


Global Rules 3-45, 3-47

H

Holidays 3-17

I

IDM Agent
    tracing 5-11
IDM authorization policy 3-49
IDM model 3-3
IDM Statistics 2-18
Import
    from Active Directory 3-58
Import procedure 3-57
Importing Users 3-58
    with XML files 3-75

K

Kerberos V5 authentication 3-68

L

LDAP Authentication 3-66
LDAP Directory settings 3-72
LDAP Server
    Digest-MD5 Authentication 3-67
    External Authentication 3-69
    Kerberos-V5 Authentication 3-68
    Simple Authentication 3-66
LDAP server import 3-57
LDAP_Server_Config 3-74
Local Authentication Directory A-8
Locally Authenticated Users, adding A-9
Locations 3-6, 3-12
    Devices 3-7
    modify 3-11
    new 3-7
Login, ProCurve NAC A-4

M

MAC-Auth Configuration, SAW 4-15
MAC-Auth with SBR 5-12
Multiple RADIUS Servers B-3

N

NAC Configuration A-7
NAC Home A-5
NAC Monitor A-6
Navigation 2-9
Nested groups 2-40
Network Access Controller A-1
Network Resource
    new 3-21
    properties 3-21
Network Resource Assignment 3-28
Network Resource, configuring 3-19
Network Resources 3-19

P

port disable 2-32
Port Selection, SAW 4-6
Preferences 2-36
    endpoint integrity support 2-37
ProCurve NAC A-1
ProNAC appliance A-1
Properties, ProCurve NAC A-3

Q

QoS 1-8

R

RADIUS 1-8
RADIUS Activity Log 5-10
RADIUS Server
    delete 3-52
RADIUS shared secret 4-18
Rate-Limiting B-4
Realm 1-9
    delete 3-51
    edit 3-51
Realms
    new 3-50
Rejecting access B-4
Remove Groups from Synchronization 2-41
Report Action 2-19
Report Delivery 2-24
Report format 2-24
Report Policy 2-19
Rules sequence 3-38

Index–2


Rules, evaluation 3-38

S

SASL Digest MD5 authentication 3-67
Save Settings, SAW 4-19
Save Template, SAW 4-19
SAW 4-2
Secure Access Wizard 4-2
Session Cleanup 2-26
Session History 2-18
Session Information 2-31
Session List 2-30
Simple authentication 3-66
Switch Override 3-27

T

Target Properties 3-46
Times 3-13
    changing 3-16
    delete 3-16
    new 3-14
    properties 3-15
Tracing, Decision Manager 5-11

U

Unauthorized users B-4
Unknown users B-4
Unsuccessful Login Report 2-16
User
    add to IDM 3-53
    edit IDM 3-55
User Access 3-42
User Directory Settings 2-38
User Import
    LDAP Server 3-64
User Import Wizard 3-57
User Location Information 2-31
User MAC Addresses 2-18
user password, local authentication A-9
User Properties 2-30
User Report 2-19
User Session information 2-29
User Systems 3-54
Users tab 3-42

W

warranty 1-ii
Web-Auth Configuration, SAW 4-12
WLAN selection, SAW 4-8

X

XML file, user import 3-75
XML Import File format 3-76

Index–3


© Copyright 2008 Hewlett-Packard Development Company, L.P.

May 2008

Manual Part Number 5990-8851