Management and Configuration Guide (Includes ACM xl) 2005-12
ProCurve Secure Access 700wl Series Management and Configuration Guide 5-31
Configuring Authentication
Configuring an XML-RPC Authentication Service
The 700wl Series system can use XML-RPC to request authentication and retrieve a user profile from an
external XML-RPC service. XML-RPC is a simple, portable way to make remote procedure calls using
HTTP as the transport and XML for encoding. Although related, it is not the same as general-purpose
XML. The 700wl Series system acts as an XML-RPC client, and communicates with an XML-RPC service
through HP's XML-RPC Remote Profiles API.
Setting up the 700wl Series system to use XML-RPC for authentication and profile retrieval is a
three-part process:
• You must be running an XML-RPC service on the external system from which you want to obtain
authentication and user profiles. This service must accept an “authenticate” <methodCall> from the
HP Remote Profiles API, and return the appropriate <messageResponse>. For a detailed
discussion of the API, including the specification of the call and response, see “The Remote Profiles
API” on page 5-33. For more information on developing the XML-RPC service, see “The XML-RPC
Service” on page 5-33.
• You must configure the Rights Manager to send authentication requests to an XML-RPC server.
This is discussed in this section.
• Through the Rights Manager you must create Identity Profiles that match each group that can be
returned in a user profile. See “Creating or Editing an Identity Profile” on page 4-11 for an
explanation of how to create Identity Profiles. The Identity Profile name must match the returned
group name exactly.
Depending on the rights you want to grant to users, you may also need to create Access Policies to
be associated with these Identity Profiles in the Rights Table.
Once the XML-RPC authentication service has been configured, the authentication and authorization
process works as follows:
• When a new user (client) connects to the 700wl Series system, the system presents a logon page, and
retrieves the client’s user identification information, including username, password, the client’s
MAC address and the Access Controller Location through which he/she connected.
• The 700wl Series system uses this information to create an XML-RPC “authenticate” <methodCall>,
which it sends to the XML-RPC service via the URL defined in the XML-RPC authentication service
configuration. The Remote Profiles API passes to the XML-RPC service a basic set of user
information (username, password, MAC address, and a few other pieces of information) that the
service can use to authenticate the client.
• The Rights Manager receives a response that indicates whether the user has been successfully
authenticated (passed or failed). If the authentication was successful, the response also contains a
“user profile” that specifies the groups to which the user belongs, and a start and stop time for each
group.
• The Rights Manager uses the group information and the start and stop times from the user profile
to temporarily map the user to a matching Identity Profile, during the timeframe defined by the
stop and start times in the profile. At other times (outside the range defined by the start and stop
times) the user will not match that Identity Profile.
For example, suppose a user profile returns a group “GroupA” with a start time of 10:00 AM and a
stop time of noon, Monday through Friday. Based on this user profile, the user will match the
Identity Profile “GroupA” between 10:00 AM and noon every weekday, and will get access rights
based on the Access Policy that’s associated with that Identity Profile in the Rights Table. At any
other time of day, and on weekends, the user will not match Identity Profile “GroupA” and will not
have the rights associated with that Identity Profile.
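The following Python is an added example, not code from this guide or from HP's Remote Profiles API: it decodes an XML-RPC method response with the standard library and applies the group time-window mapping described above (the GroupA case). The response field names (result, profile, group, start, stop, days) and the sample response itself are assumptions constructed for illustration, since this page does not show the API's actual schema.

```python
import xmlrpc.client
from datetime import datetime, time

# Constructed sample methodResponse. The shape (pass/fail plus groups with
# start/stop times and weekdays) follows the text; the field names are an
# assumption, not the real Remote Profiles API schema.
SAMPLE_RESPONSE = xmlrpc.client.dumps(
    ({"result": "passed",
      "profile": [
          {"group": "GroupA", "start": "10:00", "stop": "12:00",
           "days": ["Mon", "Tue", "Wed", "Thu", "Fri"]}]},),
    methodresponse=True)

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_response(xml_text):
    """Decode an XML-RPC methodResponse into its single return value.
    A <fault> response raises xmlrpc.client.Fault, which callers should
    treat as a failed authentication rather than a pass."""
    params, _method = xmlrpc.client.loads(xml_text)
    return params[0]


def _hhmm(text):
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))


def matching_identity_profiles(profile, when):
    """Identity Profile names the user matches at datetime `when`.
    A group counts only on its listed weekdays and only while
    start <= time-of-day < stop; outside that window there is no match."""
    matches = []
    for entry in profile:
        if WEEKDAYS[when.weekday()] not in entry["days"]:
            continue
        if _hhmm(entry["start"]) <= when.time() < _hhmm(entry["stop"]):
            matches.append(entry["group"])
    return matches


def authorize(response_xml, when):
    """Return (matching profiles, authenticated). A failed authentication
    yields no profiles regardless of the time of day."""
    body = parse_response(response_xml)
    if body.get("result") != "passed":
        return [], False
    return matching_identity_profiles(body.get("profile", []), when), True
```

Each Identity Profile name returned must exist in the Rights Manager with exactly that spelling, or the user matches nothing even inside the window.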