Management and Configuration Guide (Includes ACM xl) 2005-12
ProCurve Secure Access 700wl Series Management and Configuration Guide 5-3
Configuring Authentication
When the 700wl Series system receives a username and password from the logon page, the client is
forwarded to the first authentication service in the list. If the first service fails to authenticate the
client, the username and password are sent to the next service, and so on. If all services in the list fail
to authenticate the user, then the user will continue to have only unauthenticated logon rights.
• Monitored Logon
With monitored logon, the HP system passes the initial packets from the client through to the
network, and then monitors the returning packets looking for the message indicating that
authentication has been successful.
The 700wl Series system can monitor the following logon methods:
— 802.1X Logon
— NT Domain Logon
— 802.1X/WPA built-in RADIUS server
The 802.1X and NT Domain logon methods are predefined as authentication services. You can select
one or both of these methods for inclusion within an Authentication Policy.
802.1X Logon and NT Domain Logon, if selected, always take priority over any other services. If the
Authentication Policy specifies either of these methods, all packets from the client are sent on to the
network, and all returned packets destined for that client are “sniffed” to detect an authentication
result. If the authentication is successful, the 700wl Series system reevaluates the client to determine
what rights should be granted (see “Access Rights in the 700wl Series System” on page 4-2 for a
detailed explanation of how this is done). If the authentication fails, the 700wl Series system will
either try the next authentication service specified in the Authentication Policy, or if no other
services are defined, will continue to provide only logon rights.
Note:
NT Domain Logon does not work with clients whose IP addresses are “NAT’ed”. If you plan
to use NT Domain Logon, the Access Policies associated with those clients must specify the Network
Address Translation setting of Never or When Necessary, but should not be set to Always. See
“NT Domain Logon” on page 5-36 for more information about the requirements for using NT Domain
Logon.
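The ordered fall-through of an Authentication Policy, the priority of the monitored logon methods, and the NAT constraint in the Note above, modeled as an added Python example (not part of this guide or of the 700wl software). The service names, the `observed` map standing in for the authentication result sniffed from returned packets, and the sample user stores are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Monitored logon methods: evaluated before any credential-based service.
MONITORED = ("802.1X Logon", "NT Domain Logon")

@dataclass
class Service:
    name: str
    # Credential services: called with (username, password), True on success.
    # Monitored services leave this None; their result is sniffed from returned packets.
    check: Optional[Callable[[str, str], bool]] = None

def validate_policy(services: List[Service], nat_setting: str) -> List[str]:
    """Flag the misconfiguration the Note describes: NT Domain Logon combined
    with an Access Policy whose NAT setting is 'Always'."""
    problems = []
    if any(s.name == "NT Domain Logon" for s in services) and nat_setting == "Always":
        problems.append("NT Domain Logon needs NAT 'Never' or 'When Necessary', not 'Always'")
    return problems

def ordered(services: List[Service]) -> List[Service]:
    """802.1X and NT Domain Logon, if present, take priority over the rest."""
    first = [s for s in services if s.name in MONITORED]
    rest = [s for s in services if s.name not in MONITORED]
    return first + rest

def evaluate(services: List[Service], username: str, password: str,
             observed: Dict[str, bool]) -> Optional[str]:
    """Walk the policy in order. 'observed' maps a monitored method to whether a
    successful authentication reply was seen in the returned packets. Returns the
    name of the service that authenticated the client, or None, meaning the client
    keeps only unauthenticated logon rights."""
    for svc in ordered(services):
        if svc.name in MONITORED:
            ok = observed.get(svc.name, False)
        else:
            ok = svc.check is not None and svc.check(username, password)
        if ok:
            return svc.name
    return None

# Constructed sample data: stand-ins for a directory and a RADIUS user store.
_LDAP_USERS = {"alice": "s3cret"}
_RADIUS_USERS = {"bob": "hunter2"}
POLICY = [
    Service("LDAP", lambda u, p: _LDAP_USERS.get(u) == p),
    Service("NT Domain Logon"),
    Service("RADIUS", lambda u, p: _RADIUS_USERS.get(u) == p),
]
```

Run `validate_policy(POLICY, "Always")` before deploying a policy to catch the NAT conflict, and `evaluate(...)` to see which service would grant rights for a given client.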
The 802.1X/WPA built-in RADIUS server can be configured as a RADIUS server or as a RADIUS
proxy server. If configured as the RADIUS server, all 802.1X authentication will be handled by the
built-in RADIUS server, which supports LEAP and PEAP. If configured as a RADIUS proxy server,
all RADIUS messages will be forwarded to the remote RADIUS servers specified in the
802.1X/WPA configuration. As a proxy server, authentication requests and responses are passed
through the proxy server. If the authentication is successful, whether from the built-in RADIUS
server or from a remote RADIUS server, the 700wl Series system evaluates the client to determine
what rights should be granted (see “Access Rights in the 700wl Series System” on page 4-2 for a
detailed explanation of how this is done). If the authentication fails, the 700wl Series system will
either try the next authentication service specified in the Authentication Policy, or if no other
services are defined, will continue to provide only logon rights.
Note:
If the access points are configured with a remote RADIUS server and 802.1X Logon is
selected in an Authentication Policy, then 802.1X passive will be used to monitor the 802.1X
authentication transaction.
• Wireless Data Privacy Logon
The 700wl Series system supports a third authentication mechanism—it can accept the
authentication performed by one of the Wireless Data Privacy protocols (PPTP, L2TP/IPSec,
tunneled IPSec, or SSH).