Management and Configuration Guide (Includes ACM xl) 2005-12

4-2 ProCurve Secure Access 700wl Series Management and Configuration Guide
Configuring Rights
Access Rights in the 700wl Series System
The 700wl Series system allows network administrators to define highly flexible access control policies
that grant network access to a client based on who the client is, where they connect to the 700wl Series
system, and the time of day when they make the connection.
The 700wl Series system uses a client’s identity (user name or MAC address) to match the client to an
Identity Profile. It uses the client’s Location (Access Controller port or client’s MAC address), the Time
Window in which the connection exists, and optionally, a VLAN tag, to match the client to a Connection
Profile. The combination of the Identity Profile and Connection Profile determines the Access Policy
that is used to enforce access rights (the ability to pass traffic into the network) for the client.
Access rights are implemented in the 700wl Series system through the Rights Assignment Table. Each
row in the table consists of an Identity Profile, a Connection Profile, and an Access Policy (see
Figure 4-1).
Figure 4-1. Rights Assignment Table—Initial Configuration
When a client connects to the 700wl Series system, the system searches the Rights Assignment Table
from the top down until it matches the client to both an Identity Profile and a Connection Profile. The
Access Policy associated with the matching row determines the access rights that are granted to that
client.
A client may be associated with several different Identity Profiles (and possibly different Connection
Profiles) during the life of its connection to the 700wl Series system. Each time the client’s identity or
location changes, the 700wl Series system does a new search of the table to match the client to an
Identity Profile and Connection Profile, and to determine the Access Policy it should apply as a result.
For example, when a client first connects to the system, it typically does not match any of the established
Identity Profiles. The table match falls through to one of the bottom rows in the table where the new
client matches on the “Any” Identity Profile. The Any Identity Profile is typically associated with the
“Unauthenticated” Access Policy, which grants rights that allow the client to log on and attempt
authentication. (See “Authentication in the 700wl Series System” on page 5-1 for a discussion of how
authentication is handled.)
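The top-down search, the "both profiles must match" rule and the re-evaluation on an identity or location change described above, as an added Python model that is not part of the guide or the 700wl software. Profile names, the port names, the time window, the `@corp.example` domain suffix and the sample client are constructed for this example.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional

@dataclass
class Client:
    identity: str               # user name after logon, otherwise MAC address
    port: str                   # Access Controller port the client connects on
    now: time                   # time of day of the connection
    vlan: Optional[int] = None  # optional VLAN tag on the client's traffic
    authenticated: bool = False

# Identity Profiles match on who the client is; "Any" matches every client.
IDENTITY_PROFILES = {
    "Staff": lambda c: c.authenticated and c.identity.endswith("@corp.example"),
    "Any": lambda c: True,
}

def connection(ports=None, start=time(0), end=time(23, 59, 59), vlan=None):
    """Connection Profile: location (ports), Time Window and optional VLAN tag."""
    return lambda c: ((ports is None or c.port in ports)
                      and start <= c.now <= end
                      and (vlan is None or c.vlan == vlan))

CONNECTION_PROFILES = {
    "Lobby-Daytime": connection(ports={"port1", "port2"}, start=time(8), end=time(18)),
    "Any": connection(),
}

# Rights Assignment Table rows: (Identity Profile, Connection Profile, Access Policy).
# Searched top down; the final Any/Any row catches clients that match nothing else.
RIGHTS_TABLE = [
    ("Staff", "Lobby-Daytime", "Staff-Lobby"),
    ("Staff", "Any", "Staff-Full"),
    ("Any", "Any", "Unauthenticated"),
]

def lookup(client: Client, table=RIGHTS_TABLE) -> Optional[str]:
    """First row whose Identity AND Connection Profile both match wins."""
    for ident, conn, policy in table:
        if IDENTITY_PROFILES[ident](client) and CONNECTION_PROFILES[conn](client):
            return policy
    return None  # unreachable while the table keeps its Any/Any row

def reevaluate(client: Client, **changes) -> Optional[str]:
    """An identity or location change triggers a fresh top-down search."""
    for attr, value in changes.items():
        setattr(client, attr, value)
    return lookup(client)
```

A new client identified only by MAC address falls through to the Any/Any row and gets the Unauthenticated policy; after logon the same client, on the same port, matches the Staff row, and moving to another port or connecting outside the time window changes which Staff row wins.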
With a successful logon and authentication, the client has a new identity (its user name, and in some
cases a group or domain affiliation) and now matches a different Identity Profile (for example, the