Management and Configuration Guide (Includes ACM xl) 2005-12
5-54 ProCurve Secure Access 700wl Series Management and Configuration Guide
Configuring Authentication
The top portion of the Rights results shows the Identity Profile and Connection Profile that the
user matched, based on the specified location, VLAN ID, and time, and the Access Policy that
applies to this user as a result. It also shows when the user would be forced to reauthenticate.
• If the Connection Profile is not what you expected:
— You may have entered the wrong slot and port, VLAN ID or time window into the
Rights Simulator.
— The Connection Profile is defined differently than you expected.
— You may have multiple overlapping Connection Profiles, and this user is matching a
Connection Profile in an earlier row in the Rights Assignment Table than you expected.
• If the Identity Profile is not what you expected:
— For users in the built-in database, the user may have been assigned to a different profile
than you expected.
— If the user should match an Identity Profile based on a group or NT Domain name
returned from an external authentication service, the service may be returning a
different group name than you expected, or no matching Identity Profile has been
created to match the group or Domain.
— There may be multiple Identity Profiles that this user could match, and it is matching an
Identity Profile in an earlier row in the Rights Assignment Table than you expected.
• If the Access Policy is not what you expected, you should review your Rights Assignment
Table setup to determine whether you have multiple rows with the same Connection Profile
and Identity Profile but different Access Policies. If this is the case, the user will always match
on the first of these rows, and will never match on a later row. You should only have one row
in the Rights Assignment Table for each unique combination of Connection Profiles and
Identity Profiles.
• If the User Authentication Ends setting is not what you expect, check the Timeout setting in the
Access Policy.
The bottom portion of the results shows the actual XML that defines the rights the user would
receive.
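The first-match behaviour of the Rights Assignment Table described above, as an added example (not taken from the guide or the product): a simplified Python model in which each row is an (Identity Profile, Connection Profile, Access Policy) triple and the caller supplies the profiles a user matches. The table contents and all profile and policy names are constructed, and the model does not read the device's XML.

```python
from typing import NamedTuple, Optional

class Row(NamedTuple):
    identity_profile: str
    connection_profile: str
    access_policy: str

# Constructed sample table (all names are made up), listed in row order.
TABLE = [
    Row("Employees", "Wired-Offices", "Full-Access"),
    Row("Authenticated", "Any", "Internal-Web-Only"),
    Row("Employees", "Wired-Offices", "Restricted"),  # same pair as row 1
    Row("Contractors", "Any", "Contractor-Access"),
]

def matching_rows(table, identity_profiles, connection_profiles):
    """1-based numbers of every row whose two profiles both match the user."""
    return [n for n, r in enumerate(table, 1)
            if r.identity_profile in identity_profiles
            and r.connection_profile in connection_profiles]

def effective_policy(table, identity_profiles, connection_profiles) -> Optional[str]:
    """First matching row wins; None means no row matched in this model."""
    hits = matching_rows(table, identity_profiles, connection_profiles)
    return table[hits[0] - 1].access_policy if hits else None

def unreachable_rows(table):
    """Rows repeating an earlier (Connection, Identity) pair,
    as (row, shadowed_by_row, policies_differ)."""
    first_seen, findings = {}, []
    for n, r in enumerate(table, 1):
        key = (r.connection_profile, r.identity_profile)
        if key in first_seen:
            earlier = first_seen[key]
            differ = table[earlier - 1].access_policy != r.access_policy
            findings.append((n, earlier, differ))
        else:
            first_seen[key] = n
    return findings

if __name__ == "__main__":
    # A contractor who also matches the broader "Authenticated" profile.
    ids, conns = {"Contractors", "Authenticated"}, {"Any"}
    print("rows matched:", matching_rows(TABLE, ids, conns))
    print("policy applied:", effective_policy(TABLE, ids, conns))
    for row, earlier, differ in unreachable_rows(TABLE):
        print(f"row {row} is never used (same profiles as row {earlier}); "
              f"policy differs: {differ}")
```

A user who matches more than one row receives the policy of the earliest one, which is why the contractor in the sample gets the broader profile's policy until the rows are reordered.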
Tracing Authentication Service Transactions
The Transaction Tracer lets you verify authentication transactions to one of the active authentication
services—LDAP, RADIUS, Kerberos or XML-RPC. You can use this tool to verify that users are being
authenticated correctly, and that the correct information is returned from the authentication service.
To use this tool, you select the authentication service you want to test, and enter the logon name and
password of a user known to have a valid entry in the directory or service database. If the authentication
service is working correctly, the service should return a successful result, including the information
associated with that user, if appropriate. If the authentication service is not set up correctly, you will
receive an error and incomplete results.
This tool cannot be used with the built-in database, and it cannot trace transactions based on the passive
(or monitored) authentication services (802.1X and NT Domain logon).
Step 1. To use the Transaction Tracer, click the Tools and Options tab visible at the top of any Rights page.
This displays the Simulate User Rights page.