Management and Configuration Guide (Includes ACM xl) 2005-12

ProCurve Secure Access 700wl Series Management and Configuration Guide 1-3
Introduction
encryption requirements. Access Policies can be configured to “expire” after a specified length of time,
or at a specific time, forcing the client to reauthenticate.
Clients that are successfully authenticated, such as the Employees in Figure 1-1, are typically associated
with Access Policies that provide access to secure network resources. Clients that are not successfully
authenticated (shown as Untrusted Users in Figure 1-1) are usually associated with an Access Policy
that allows only the ability to logon. The 700wl Series system also provides a Guest logon feature and
Access Policy that can be used to provide limited network access to users designated as Guests—for
example, Internet access via the network with no intranet access.
Access Policies are defined and maintained by the Access Control Server, but are administered by the
Access Controller. Once a client has been identified and the appropriate Access Policy has been
returned to the Access Controller, the Access Controller is responsible for filtering client traffic and
either forwarding it to its destination, redirecting it to the appropriate alternate destination, or dropping
it. The Access Control Server does not get involved again unless something occurs that requires a
renewal of the client’s rights, such as expiration of their existing rights, or roaming to a different
location.
In addition to being the repository for the Authentication Policies, Access Policies, and other system
configuration information, the Access Control Server maintains status for every Access Controller. This
includes status for every client connected to the 700wl Series system and every client session.
700wl Series Functions
The 700wl Series system provides central control of Access Controllers and clients. The key system
functions are: client authentication, rights management, Wireless Data Privacy, roaming support, NAT,
and VLANs.
Client Authentication
The 700wl Series system provides a great deal of flexibility in authenticating users. The system supports
three types of authentication:
• Browser-based logon: With browser-based logon, the first time a client attempts an HTTP access,
  the Access Controller presents a browser-based logon page. After the user enters a logon ID and
  password, the Rights Manager authenticates the client using one or more Authentication services,
  such as an LDAP database, RADIUS server, Kerberos service, or through the Rights Manager’s own
  built-in authentication database.
• VPN logon: With VPN logon, the client initiates a connection to the network using L2TP or PPTP.
  The Access Controller uses the login information provided by the VPN client for authentication via
  RADIUS or the built-in database. In this case, the user does not see the ProCurve logon page.
• Monitored logon: The 700wl Series system supports both 802.1X logon and NT Domain logon. In
  both these cases, the system simply forwards the packets on to the RADIUS or NT Domain server,
  and monitors the response to determine whether the client has been successfully authenticated.
Once the client has been authenticated, rights for the client are requested from the Rights Manager.
The Rights Manager uses the concept of Authentication Policies, which are ordered lists of one or more
authentication services. By defining multiple Authentication Policies, you can use different
authentication methods for users logging in through different locations or at different times.
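The following is an added illustrative model, not ProCurve code, of the two mechanisms described above: an Authentication Policy as an ordered list of authentication services that are tried in turn, and Access Policies that are returned to the Access Controller, enforced there by forwarding, redirecting or dropping traffic, and that force reauthentication when they expire. All names (AuthService, AccessPolicy, RightsManager, AccessController, build_demo, handle), the constructed accounts, the "Employees", "Guests" and "Untrusted Users" policies and the 3600-second lifetime are assumptions chosen for the example; the real services (LDAP, RADIUS, Kerberos) are replaced by dictionary look-ups.

```python
"""Illustrative model of 700wl-style rights management (constructed example,
not ProCurve code): an ordered Authentication Policy, Access Policies with
expiry, and an Access Controller that forwards, redirects or drops traffic."""
from __future__ import annotations
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthService:
    """Stand-in for one authentication service (LDAP, RADIUS, Kerberos or the
    built-in database). Accounts live in a plain dict purely for illustration."""
    name: str
    accounts: dict[str, str]

    def check(self, user: str, password: str) -> bool:
        stored = self.accounts.get(user)
        return stored is not None and hmac.compare_digest(stored, password)


@dataclass
class AccessPolicy:
    """Rights handed to the Access Controller once a client has been identified."""
    name: str
    allowed: Optional[frozenset]   # destinations the client may reach; None = any
    lifetime: Optional[int]        # seconds until the rights expire; None = never


class RightsManager:
    """Holds one Authentication Policy: an ordered list of services tried in turn."""

    def __init__(self, auth_policy: list[AuthService], authenticated: AccessPolicy,
                 guest: AccessPolicy, untrusted: AccessPolicy):
        self.auth_policy = auth_policy
        self.authenticated, self.guest, self.untrusted = authenticated, guest, untrusted

    def authenticate(self, user: str, password: str) -> Optional[str]:
        """Name of the first service in the ordered list that accepts, else None."""
        for service in self.auth_policy:
            if service.check(user, password):
                return service.name
        return None


class AccessController:
    """Enforces whatever Access Policy the Rights Manager returned for each client."""

    def __init__(self, rm: RightsManager):
        self.rm = rm
        self.rights: dict[str, tuple[AccessPolicy, int]] = {}  # client -> (policy, granted_at)

    def logon(self, client: str, user: str, password: str, now: int) -> AccessPolicy:
        ok = self.rm.authenticate(user, password) is not None
        policy = self.rm.authenticated if ok else self.rm.untrusted
        self.rights[client] = (policy, now)
        return policy

    def guest_logon(self, client: str, now: int) -> AccessPolicy:
        self.rights[client] = (self.rm.guest, now)
        return self.rm.guest

    def current_policy(self, client: str, now: int) -> AccessPolicy:
        """Expired rights are discarded, so the client drops back to Untrusted
        Users and must reauthenticate, as described for expiring Access Policies."""
        entry = self.rights.get(client)
        if entry is None:
            return self.rm.untrusted
        policy, granted_at = entry
        if policy.lifetime is not None and now - granted_at >= policy.lifetime:
            del self.rights[client]
            return self.rm.untrusted
        return policy

    def handle(self, client: str, dest: str, is_http: bool, now: int) -> str:
        """Forward permitted traffic; send disallowed HTTP to the logon page
        (assumed redirect target); drop everything else."""
        policy = self.current_policy(client, now)
        if policy.allowed is None or dest in policy.allowed:
            return "forward"
        return "redirect:logon" if is_http else "drop"


def build_demo() -> AccessController:
    """Constructed configuration: built-in database first, then a RADIUS stand-in."""
    services = [AuthService("built-in", {"alice": "wonderland"}),
                AuthService("RADIUS", {"bob": "hunter2"})]
    employees = AccessPolicy("Employees", allowed=None, lifetime=3600)
    guests = AccessPolicy("Guests", allowed=frozenset({"internet"}), lifetime=None)
    untrusted = AccessPolicy("Untrusted Users", allowed=frozenset(), lifetime=None)
    return AccessController(RightsManager(services, employees, guests, untrusted))


if __name__ == "__main__":
    ac = build_demo()
    print(ac.handle("c1", "intranet", True, now=0))            # redirect:logon
    print(ac.logon("c1", "alice", "wonderland", now=0).name)   # Employees
    print(ac.handle("c1", "intranet", False, now=100))         # forward
    print(ac.handle("c1", "intranet", False, now=3600))        # drop: rights expired
```

The ordering of the service list is what makes it an Authentication Policy: a user present in both stores is always accepted by the first one, and a second policy with the services in a different order (or with different services) can be assigned to another location or time window without touching the first. The fail-closed behaviour is in current_policy: once rights expire they are deleted, so the Access Controller treats the client exactly as a never-authenticated one until a new logon succeeds.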