Release Notes 4.1.4.4

Clarifications and Usage Notes
Any Identity Profile and presumably gets rights based on the “Unauthenticated” Access
Policy. On the other hand, a Registered Guest is an authenticated user, because its name and
password are in the user database, although it is assigned to the Guest Identity Profile. In this
case, if the Connection Profile associated with the Guest Identity Profile expires, the
Registered Guest will match the default “Authenticated” Identity Profile and get rights based
on the Access Policy associated with that Identity Profile. (18719)

When a Cisco VPN client is used with Extended Authentication, and IPSec is enabled in the
Access Policy, the client is unable to browse to the 42.0.0.1 address. This is because in this
particular case the client attempts to use the 42.x.x.x outer tunnel address rather than sending
this traffic through the IPSec tunnel. (18750)

If you configure an IP address range for VPN tunneling (via the IP Address Assignment page
under the VPN icon), you must also set “Allow Static IP” in the relevant Access Policies
(including the Unauthenticated Access Policy). (18869)

In a configuration with multiple Access Controllers, with all ports configured to use real IP
addresses, if a client connects to a port that has been configured with a port subnet range, the
client will receive a real IP address within that range. If that client then roams to an Access
Controller that does not have that subnet range configured, no traffic will be passed for that
client. This is because there is no routing information on the new (roamed-to) Access
Controller for the port subnet range. The client will eventually time out and receive a new
real IP address from the common pool on the roamed-to Access Controller, and will then be
able to pass traffic, even after it roams back to the first Access Controller. This problem can
be avoided by configuring the same port subnet range on every Access Controller that a client
might roam to. The subnet range can be configured on any port on the Access Controller,
even a port that is not active. Adding the port subnet is sufficient to create the proper
routing information.
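
A consistency check for the avoidance rule above, as an added example that is not part of the original release notes or the product's own tooling. It assumes a hand-built inventory of the port subnet ranges configured on each Access Controller, written as CIDR strings (the inventory format, controller names and addresses are constructed), and reports which controllers lack a subnet configured elsewhere in the roaming domain.

```python
import ipaddress

# Constructed inventory (not from the release notes): each Access Controller
# name maps to the port subnet ranges configured on any of its ports,
# assumed here to be written in CIDR form.
INVENTORY = {
    "ac-building-a": ["10.20.0.0/24", "10.30.0.0/24"],
    "ac-building-b": ["10.20.0.1/24"],  # same /24 as above, host bits set
    "ac-building-c": [],                # common pool only
}


def normalize(cidr):
    """Parse a CIDR string, ignoring host bits so equal subnets compare equal."""
    return ipaddress.ip_network(cidr.strip(), strict=False)


def missing_port_subnets(inventory):
    """Return {controller: [subnets it lacks]} for each controller that is
    missing a port subnet range configured on another controller."""
    configured = {
        name: {normalize(c) for c in cidrs} for name, cidrs in inventory.items()
    }
    # Every subnet a roaming client could arrive with an address from.
    all_subnets = set().union(*configured.values())
    gaps = {}
    for name, subnets in configured.items():
        # Sort by (IP version, network) so mixed IPv4/IPv6 input still orders.
        missing = sorted(all_subnets - subnets, key=lambda n: (n.version, n))
        if missing:
            gaps[name] = [str(n) for n in missing]
    return gaps


if __name__ == "__main__":
    for controller, subnets in sorted(missing_port_subnets(INVENTORY).items()):
        print(f"{controller}: add port subnet range(s) {', '.join(subnets)}")
```

An empty result means every controller in the inventory carries every port subnet range, which is the condition the note above describes for roaming clients to keep passing traffic.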

Access Points should be configured to get a real IP address via DHCP, rather than using their
default IP address. If the default IP address conflicts with one of the 700wl Series system
internal addresses, the AP may not reliably stay connected to the system.

There are several issues related to using IPTV multicast streams:
- The IPTV stream may not stop immediately when the client is logged out. This is expected
  behavior of the IPTV protocol. (18829)
- If multiple clients are using the same IPTV stream, the stream will continue for users that
  log out as long as one client using the same stream remains logged in. (18830)
- Multicast streams such as IPTV are incompatible with VPN tunneling (IPSec, L2TP, or
  PPTP). Multicasting will not work for clients using VPN tunneling. (18832)

When using NT Domain Logon, if a client is unable to contact the NT Domain Server
immediately, for example if it has yet to receive an IP address, the client will resort to a
cached logon. However, a cached logon cannot be sniffed, so the 700wl Series system will
not detect that the client has logged on, even though the NT logon appears to succeed on the
client. It is possible to work around this problem by disabling cached logon through the
Windows registry. This can be accomplished by setting
My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\cachedlogonscount
to "0" (zero).

The ProCurve Secure Access 700wl Series products require version 3.0 or greater of the
Network Time Protocol (NTP). Be sure your NTP server is running version 3.0 or greater,
and verify that you have IP connectivity from the 700wl Series product to your NTP server.