Management and Configuration Guide (Includes ACM xl) 2005-12
ProCurve Secure Access 700wl Series Management and Configuration Guide 5-37
Configuring Authentication
the same Access Policy in the Rights Assignment Table to define access rights for users that match the
Identity Profile.
Microsoft Active Directory servers maintain both an SMB (NetBIOS) domain name and an FQDN domain name
for each domain, in order to remain fully backwards compatible with legacy Windows clients. Windows
clients will sometimes send logon requests containing the SMB form of the domain name and at other
times the FQDN form. Creating an Identity Profile for each form therefore ensures that a logon using
either name is matched.
External Identity Retrieval
With most of the Authentication Services supported by the 700wl Series system, group identity
information is returned along with a successful authentication, and that information is used to match
the user to an Identity Profile. If the service you use for authentication does not provide group
identity information, the 700wl can instead retrieve it from an LDAP service in a second,
post-authentication operation. The retrieved group identity automatically associates the user with the
Identity Profile of the same name, and you can then assign an appropriate Access Policy to that Identity
Profile.
Note that you must have Identity Profiles configured that match exactly the group identity names that
can be retrieved from the external LDAP service.
For example, suppose you elect to use 802.1X authentication against a RADIUS service that does not
maintain group information for its users, but you also have an LDAP service available that does
maintain that information. In this case you could retrieve group identity information from the LDAP
directory service for each user that is successfully authenticated.
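The retrieval-and-match flow described above, together with the SMB/FQDN domain-name point made earlier on this page, as an added example that is not part of this guide and not the appliance's own code. It assumes that the post-authentication LDAP search returns the user's memberOf attribute (the usual Active Directory layout) and that the group identity compared against Identity Profile names is each group's CN; the attribute the appliance actually reads is whatever its LDAP Authentication Service is configured with. The LDIF, the Identity Profile names and the logon names are constructed.

```python
"""Post-authentication group identity retrieval, worked end to end.

Constructed example, not code from the 700wl Series system.  Assumes the
LDAP search run after authentication returns the user's memberOf attribute
and that the group identity matched against Identity Profile names is the
CN of each group DN.
"""
import base64
import re
from typing import Dict, List, Tuple

# Constructed LDIF, shaped like the output of an OpenLDAP search bound as
# the configured rootdn (Non-User binding), e.g.
#   ldapsearch -x -D <rootdn> -w <rootpw> -b DC=corp,DC=example,DC=com \
#       "(sAMAccountName=alice)" memberOf
# It deliberately contains a folded line (a continuation line starts with
# one space) and a base64 value ("::"); both are legal LDIF and both are
# mishandled by a naive line-at-a-time parser.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=corp,DC=example,DC=com
sAMAccountName: alice
memberOf: CN=Engineering,OU=Groups,DC=corp,DC=example,DC=com
memberOf: CN=VPN Users,OU=Groups,DC=corp,DC=example,
 DC=com
memberOf:: Q049RG9tYWluIFVzZXJzLENOPVVzZXJzLERDPWNvcnAsREM9ZXhhbXBsZSxEQz1jb20=
"""
# The base64 value decodes to: CN=Domain Users,CN=Users,DC=corp,DC=example,DC=com

# Identity Profiles as configured in the Rights Manager (constructed).  The
# two domain-name profiles cover the SMB and FQDN forms of the same domain.
# "VPN users" is deliberately mis-cased: the appliance matches names exactly,
# so that profile never fires for the "VPN Users" group.
IDENTITY_PROFILES = {"Engineering", "Domain Users", "VPN users",
                     "CORP", "corp.example.com"}


def parse_ldif_entry(ldif: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute -> list of values.

    Handles folded lines (joined onto the previous line) and base64 values
    ("attr:: <b64>").  Comments and blank lines are skipped.
    """
    unfolded: List[str] = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entry: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name, []).append(value)
    return entry


# Leading CN of a DN; an escaped character (\,) does not end the value.
_CN_RE = re.compile(r"^CN=((?:\\.|[^,\\])*)", re.IGNORECASE)


def group_identities(entry: Dict[str, List[str]]) -> List[str]:
    """Group names (CN of each memberOf DN) in directory order."""
    names: List[str] = []
    for dn in entry.get("memberOf", []):
        m = _CN_RE.match(dn)
        if m:
            names.append(m.group(1).replace("\\,", ","))
    return names


def match_identity_profiles(groups: List[str], profiles) -> Tuple[List[str], List[str]]:
    """Exact, case-sensitive match of retrieved group names against the
    configured Identity Profile names.  Returns (matched, unmatched); the
    unmatched list is what to check when a user lands on the wrong policy."""
    matched = [g for g in groups if g in profiles]
    unmatched = [g for g in groups if g not in profiles]
    return matched, unmatched


def retrieve_and_match(ldif: str, profiles) -> Tuple[List[str], List[str]]:
    """The whole post-authentication step: parse, extract groups, match."""
    return match_identity_profiles(group_identities(parse_ldif_entry(ldif)), profiles)


def logon_domain(logon_name: str) -> str:
    """Domain part of a Windows logon name in either form a client may send:
    'CORP\\alice' (SMB form) or 'alice@corp.example.com' (FQDN form).
    Returns '' when the logon carries no domain."""
    if "\\" in logon_name:
        return logon_name.split("\\", 1)[0]
    if "@" in logon_name:
        return logon_name.rsplit("@", 1)[1]
    return ""


if __name__ == "__main__":
    matched, unmatched = retrieve_and_match(SAMPLE_LDIF, IDENTITY_PROFILES)
    print("matched Identity Profiles:", matched)
    print("groups with no Identity Profile:", unmatched)
    for name in ("CORP\\alice", "alice@corp.example.com"):
        dom = logon_domain(name)
        print(name, "->", dom, "(profile exists)" if dom in IDENTITY_PROFILES else "(NO PROFILE)")
```

Running it shows "VPN Users" in the unmatched list even though a profile called "VPN users" exists, which is the exact-name requirement in the note above in practice; and it shows the same user resolving to two different domain strings depending on which logon form the client sent, which is why the guide has you create one Identity Profile per form.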
Setting up post-authentication group identity retrieval involves two procedures:
• First, you must configure an LDAP Authentication Service to be used to retrieve the group identity
information. You must specify Non-User binding—either rootdn/rootpw binding or anonymous
binding (if the service allows anonymous bind). See “Configuring an LDAP Authentication Service”
on page 5-8 for details on how to set up an LDAP service.
• Second, you specify the LDAP service(s) you want to use for group identity retrieval.
To set up post-authentication group identity retrieval from an external LDAP service, do the following:
Step 1. Under the Authentication Policies tab in the Rights Manager, click the External Identity Retrieval
link in the left panel of the page. This displays the External Identity Retrieval page, as shown
in Figure 5-21.