TMS zl Management and Configuration Guide ST.1.0.090213

Overview
Deployment Options for Routing Mode—Threat Protection
You can create site-to-site and client-to-site VPNs. See “Virtual Private
Network (VPN)” on page 1-57 for an overview and Chapter 7: “Virtual
Private Networks” for detailed instructions.
16. Optionally, configure the TMS zl Module as a member of an HA cluster
with another TMS zl Module.
See “Overview” in Chapter 8: “High Availability” for an overview and for
detailed instructions.
Access Control with Authentication
The TMS zl Module can force a user to authenticate to the network and then
control the user with access policies that are specific to that user’s group.
The TMS zl Module can authenticate users against:
- Its local database
- An external RADIUS server
You can configure static, group-specific access policies on the TMS zl Module.
In this case, the TMS zl Module associates the user’s source IP address with a
user group configured on the module. If the user authenticated locally, the
module can look up the user’s group locally. Otherwise, the RADIUS server
must send the name of the group in the Filter-ID AVP of the Access-Accept
message.
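The Filter-Id requirement above can be verified against a captured Access-Accept. The following Python code is an added example, not taken from the TMS zl documentation or product: it walks the RADIUS attribute list (Filter-Id is attribute type 11 in RFC 2865) and returns the group only when exactly one Filter-Id is present and it names a configured group. The group names, function names, exact-match comparison, and one-Filter-Id policy are assumptions of this example, and the packets are constructed test data.

```python
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
FILTER_ID = 11      # Filter-Id attribute type (RFC 2865)
GROUPS = {"guest", "employees"}  # constructed: groups assumed configured on the module

def build_packet(code, attrs, ident=1):
    """Build a constructed RADIUS packet (zeroed authenticator) as sample input."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), b"\0" * 16) + body

def filter_ids(packet):
    """Return every Filter-Id value in an Access-Accept; raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    values, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype == FILTER_ID:
            values.append(packet[pos + 2:pos + alen].decode("utf-8"))
        pos += alen  # attribute length includes its 2-byte type/length header
    return values

def resolve_group(packet, configured_groups=GROUPS):
    """Assumed policy: exactly one Filter-Id, matching a configured group exactly."""
    ids = filter_ids(packet)
    if len(ids) == 1 and ids[0] in configured_groups:
        return ids[0]
    return None  # missing, duplicated, or unknown group name

if __name__ == "__main__":
    ok = build_packet(ACCESS_ACCEPT, [(1, b"alice"), (FILTER_ID, b"guest")])
    typo = build_packet(ACCESS_ACCEPT, [(1, b"alice"), (FILTER_ID, b"Guests")])
    print(resolve_group(ok), resolve_group(typo))
```

A `None` result points at the usual misconfigurations on the RADIUS side: no Filter-Id in the reply, or a value that does not match any group name configured on the module.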
Use Models for Access Control with Authentication
A typical use model for authentication is to control guest access. Guests
connect to a zone that does not allow any access except to the TMS zl Module
login page. After guests log in, the TMS zl Module assigns them to the guest
group. The guest group has access policies that allow the guests limited
network rights.
Another use for the module’s authentication capability is to authenticate VPN
users. The users log in with XAUTH or with L2TP. The module then controls
the remote user’s access according to the user’s group.
Deployment Location for Access Control with Authentication
When the TMS zl Module is controlling internal users (or guests who connect
internally), you should typically install it in a ProCurve Series 5400zl or
ProCurve 8212zl switch in a core location. When the module controls remote