Management and Configuration Guide (Includes ACM xl) 2005-12

5-36 ProCurve Secure Access 700wl Series Management and Configuration Guide
Configuring Authentication
NT Domain Logon
NT Domain logon requires that the 700wl Series system be able to monitor (or “sniff”) packets going
between an unauthenticated client (or reauthenticating client) and the network. When the 700wl Series
system detects that a successful authentication has occurred, it then provides access rights based on the
Access Policy associated with the Connection Profile and Identity Profile that apply to that client.
NT Domain logon does not require configuration as an Authentication Service within the 700wl Series
system. You simply need to include it as a selected service in the appropriate Authentication Policy.
However, there are a number of considerations when using NT Domain Logon for authentication.
NT Domain logon does not work with clients whose IP addresses are NAT’ed. If you plan to use NT
Domain Logon, the following conditions apply:
• You must have an external DHCP server available to provide real IP addresses for your clients. See
  “Global Network Setup” on page 6-17 for more information.
• Access Policies associated with those clients must specify the Network Address Translation setting
  of When Necessary (see “Creating or Editing an Access Policy” on page 4-39 for more information).
• In Access Policies associated both with unknown and authenticated clients that use NT Domain
  logon, the appropriate Allowed Traffic filters must be enabled, depending on the type of traffic used
  for the organization’s Microsoft Domain implementation:
  – The Kerberos Allowed Traffic filter
  – The SMB Allowed Traffic filters (SMB 137, SMB 138, and SMB 139)
  – An Allowed Traffic filter to allow (dst port 389) for LDAP.
  The Kerberos and SMB Allowed Traffic filters are predefined, and are enabled in the
  Unauthenticated Access Policy, which is the default policy for unknown clients. These must be
  enabled in any other Access Policies that may be in force when a client is required to reauthenticate.
  The Allowed Traffic Filter for LDAP must be created and then enabled in the appropriate Access
  Policies.
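The conditions above amount to a checklist that can be audited before relying on monitored NT Domain logon. The following added example (not code from the ProCurve manual) checks a policy description against that checklist; the policy dictionary layout, field names and the NAT value "Always" are assumptions constructed for illustration, not the 700wl export format.

```python
# Added example (not from the ProCurve manual): audit an Access Policy against
# the NT Domain Logon prerequisites listed above. The policy dict layout and
# field names are assumptions for illustration, not the 700wl export format.

REQUIRED_FILTERS = {"Kerberos", "SMB 137", "SMB 138", "SMB 139"}  # predefined filters
LDAP_EXPRESSION = "dst port 389"   # the LDAP filter must be created by the admin
REQUIRED_NAT = "When Necessary"    # real client IPs are needed for monitored logon


def check_nt_logon_policy(policy):
    """Return the list of problems that would stop monitored NT Domain logon
    from working for clients governed by `policy`; an empty list means it passes."""
    problems = []
    if policy.get("nat") != REQUIRED_NAT:
        problems.append(f"NAT setting must be {REQUIRED_NAT!r}, found {policy.get('nat')!r}")
    filters = policy.get("allowed_traffic", [])
    enabled = {f["name"] for f in filters if f.get("enabled")}
    for name in sorted(REQUIRED_FILTERS - enabled):
        problems.append(f"Allowed Traffic filter {name!r} is not enabled")
    if not any(f.get("enabled") and f.get("expression") == LDAP_EXPRESSION for f in filters):
        problems.append(f"no enabled Allowed Traffic filter for LDAP ({LDAP_EXPRESSION})")
    return problems


def _filter(name, expression=None, enabled=True):
    return {"name": name, "expression": expression, "enabled": enabled}


# Constructed policies. MISSING_LDAP resembles the default Unauthenticated Access
# Policy (Kerberos and SMB predefined filters on) but lacks the LDAP filter;
# REAUTH_BROKEN is a reauthentication policy with the NAT setting wrong and one
# SMB filter switched off; REAUTH_FIXED has every prerequisite in place.
MISSING_LDAP = {
    "nat": "When Necessary",
    "allowed_traffic": [_filter("Kerberos"), _filter("SMB 137"),
                        _filter("SMB 138"), _filter("SMB 139")],
}
REAUTH_BROKEN = {
    "nat": "Always",  # constructed value, not a setting quoted on this page
    "allowed_traffic": [_filter("Kerberos"), _filter("SMB 137"),
                        _filter("SMB 138"), _filter("SMB 139", enabled=False),
                        _filter("LDAP", LDAP_EXPRESSION)],
}
REAUTH_FIXED = {
    "nat": "When Necessary",
    "allowed_traffic": REAUTH_BROKEN["allowed_traffic"][:3]
                       + [_filter("SMB 139"), _filter("LDAP", LDAP_EXPRESSION)],
}

if __name__ == "__main__":
    for label, pol in [("missing-ldap", MISSING_LDAP), ("reauth-broken", REAUTH_BROKEN),
                       ("reauth-fixed", REAUTH_FIXED)]:
        print(label, check_nt_logon_policy(pol) or "OK")
```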
Note:
Cached Logon requests from Windows clients are not supported because the 700wl Series system
cannot reliably detect a logon in a cached request. To the client, the logon will appear to succeed, but the
700wl Series system will consider the client to be unauthenticated. If this is a problem, disable cached
logon through the Windows registry on the client. Go to
My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
and set CachedLogonsCount to “0”.
Identity Profiles and NT Domain Membership
Users who are authenticated using NT Domain Logon can be associated with an Identity Profile based
on the NT Domain under which they were authenticated. To accomplish this, you must create an
Identity Profile whose name matches exactly the name of the domain. Users that authenticate under that
domain will then automatically be associated with the Identity Profile of the same name, and you can
specify an appropriate Access Policy based on the Identity Profile.
When using the monitored NT Logon feature with an Active Directory enabled Microsoft server
(Windows 2000 Server, 2003 Server, etc.) two Identity Profiles must be created matching both the SMB
and the FQDN (Fully Qualified Domain Name) version of the Microsoft domain name, if a correlation
between a Microsoft domain and Identity Profile is desired. Each of these Identity Profiles should use