Management and Configuration Guide (Includes ACM xl) 2005-12
ProCurve Secure Access 700wl Series Management and Configuration Guide 4-3
Configuring Rights
“Authenticated” profile in the default case). It is granted a new set of rights based on the Access Policy
in the row that matches the client’s new Identity Profile and Connection Profile.
If the client roams such that its wireless connection moves to a port in a different Connection Profile, a
new table search occurs, and the client will match a different row in the Rights Assignment Table, based
on the combination of the same Identity Profile but a different Connection Profile. This may result in a
different set of rights if the Access Policy in the new matching row is different from the Access Policy
in the old row.
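As an added illustration (not code from this guide or from the 700wl software), the following Python model shows the Rights Assignment Table lookup this section describes: a client's Identity Profiles are derived from its authentication result, a Connection Profile matches on Access Controller port, optional VLAN ID and Time Window, and rows are searched top-down so that roaming to a port in a different Connection Profile can yield a different Access Policy. All profile names, ports, VLAN IDs, time windows and policy names are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ConnectionProfile:
    ports: frozenset          # {(access_controller, port)}; empty = every port
    vlan_id: Optional[int]    # None = match any VLAN tag
    hours: range              # Time Window as hours of the day; range(24) = always
    def matches(self, controller, port, vlan, hour):
        return ((not self.ports or (controller, port) in self.ports)
                and (self.vlan_id is None or vlan == self.vlan_id)
                and hour in self.hours)

def identity_profiles(client, defined):
    """Identity Profiles a client matches; `client` is a constructed dict with keys
    authenticated, groups (from the auth service), guest, mac_user, mac_profile."""
    names = set()
    if client.get("mac_user"):                  # MAC Address User: never Authenticated
        if client.get("mac_profile"):           # e.g. assigned to "Access Points"
            names.add(client["mac_profile"])
    elif client.get("guest"):
        names.add("Guest")
    elif client.get("authenticated"):
        names |= client.get("groups", set()) & defined   # group/domain name match
        if not names:                           # no other match -> Authenticated
            names.add("Authenticated")
    names.add("Any")                            # every client matches Any
    return names

def lookup_rights(table, profiles, client, connection):
    """Top-down search; first row whose Identity Profile and Connection Profile
    both match wins. connection = (controller, port, vlan, hour)."""
    ids = identity_profiles(client, {row[0] for row in table})
    for identity, conn_name, policy in table:
        if identity in ids and profiles[conn_name].matches(*connection):
            return policy
    return None                                 # not reached while Any/Any is last

PROFILES = {  # constructed sample Connection Profiles
    "Any": ConnectionProfile(frozenset(), None, range(24)),
    "Lab VLAN 10": ConnectionProfile(frozenset({("AC1", 1), ("AC1", 2)}), 10, range(24)),
    "Lobby daytime": ConnectionProfile(frozenset({("AC2", 1)}), None, range(8, 18)),
}
TABLE = [  # constructed Rights Assignment Table: (Identity, Connection, Access Policy)
    ("Engineering", "Lab VLAN 10", "full-lab-access"),
    ("Engineering", "Any", "intranet-only"),
    ("Access Points", "Any", "ap-policy"),
    ("Authenticated", "Any", "intranet-only"),
    ("Guest", "Lobby daytime", "internet-only"),
    ("Any", "Any", "unauthenticated"),          # predefined Any row is always last
]
```

Calling `lookup_rights(TABLE, PROFILES, client, (controller, port, vlan, hour))` once at connection time and again after a roam reproduces the re-evaluation described above.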
The network administrator configures network access control policies by defining Identity Profiles,
Connection Profiles and Access Policies, or by modifying existing profiles and policies.
• An Identity Profile is associated with a set of one or more individual users and devices, and a user
may belong to more than one Identity Profile. For clients authenticated through an external
authentication service, the client may match an Identity Profile if the Identity Profile name matches
a group or domain name returned by the authentication process. For clients included in the built-in
database, the Rights Administrator can assign those clients to Identity Profiles. The client matches
the assigned Identity Profile upon successful authentication.
There are four predefined Identity Profiles: “Authenticated,” “Guest,” “Any,” and “Access Points.”
— A client that is successfully authenticated, but does not match any other Identity Profile, matches
the “Authenticated” profile.
— A user that logs in as a Guest (through the web-based logon page) matches the “Guest” profile.
— A client that does not match any other Identity Profile automatically matches “Any.” The “Any”
Identity Profile always appears in the last row of the Rights Assignment Table.
— The MAC addresses of Access Points and other network equipment can be added to the built-in
database and associated with the “Access Points” Identity Profile. Those MAC addresses then
immediately match the Access Points Identity Profile when they connect to the 700wl Series
system.
— The MAC addresses of regular clients can also be stored in the built-in database as “MAC Address
Users.” When these clients connect, they are recognized by their MAC address and bypass the
authentication process. A MAC address user does NOT match the Authenticated Identity Profile,
as they are not authenticated. If a MAC Address client has not been specifically associated with an
Identity Profile in the built-in database, they will continue to match the Any Identity Profile by
default.
The administrator can create additional Identity Profiles as needed. The Authenticated and Any
profiles cannot be modified or deleted.
• A Connection Profile describes a set of physical or logical connection paths to the 700wl Series
system during a specific time frame. A Connection Profile consists of one or more ports on one or
more Access Controllers, Time Windows, and optionally a VLAN ID. If a VLAN ID is defined, only
traffic that includes the specified VLAN tag will match the Connection Profile.
A Policy Administrator can create Connection Profiles as needed to differentiate between physical
locations, VLANs, and/or Time Windows. The predefined Connection Profile, “Any,” includes all
Access Controllers and ports, matches any VLAN tag, and is valid at all times (24 hours a day, 7
days a week).
A client matches a Connection Profile if the Access Controller port through which the client is
connected is included in that Connection Profile, the VLAN tag associated with her packets matches
the VLAN ID specified for the profile, and the time at which she connects is within the Time
Window defined for the profile. A client that does not match any other Connection Profile