TMS zl Management and Configuration Guide ST.1.1.100226

Overview
Deployment Options for Routing Mode—Threat Protection
15. Optionally, configure the TMS zl Module as a VPN gateway.
You can create site-to-site and client-to-site VPNs. See “Virtual Private
Network (VPN)” on page 1-64 for an overview and Chapter 7: “Virtual
Private Networks” for detailed instructions.
16. Optionally, configure the TMS zl Module as a member of an HA cluster
with another TMS zl Module.
See “Overview” in Chapter 8: “High Availability” for an overview and for
detailed instructions.
Access Control with Authentication
The TMS zl Module can force a user to authenticate to the network and then
control the user with user-based access policies.
The TMS zl Module can authenticate users against:
- Its local database
- An external RADIUS server
You can configure static, group-specific access policies on the TMS zl Module.
In this case, the TMS zl Module associates the user’s source IP address with a
user group configured on the module. If the user authenticated locally, the
module can look up the user’s group locally. Otherwise, the RADIUS server
must send the name of the group in the Filter-ID AVP of the Access-Accept
message.
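
The following is an added example, not code from the TMS zl Module or this guide. It sketches how a RADIUS client can take the group name from the Filter-Id attribute of an Access-Accept as defined in RFC 2865, checking the Response Authenticator first. The shared secret, the group names, and the rule of denying when no single configured group matches are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
FILTER_ID = 11      # Filter-Id attribute type (RFC 2865)

# Constructed sample values, not taken from the guide.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))          # authenticator sent in the Access-Request
GROUPS = {"guest", "staff"}          # hypothetical groups configured locally


def build_accept(ident, request_auth, secret, attrs):
    """Build a sample Access-Accept; used only to create test input."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + auth + body


def group_from_accept(packet, request_auth, secret, configured_groups):
    """Return the configured group named in Filter-Id, or None to deny."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length < 20 or length > len(packet):
        return None
    packet = packet[:length]
    body = packet[20:]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                  # forged or altered reply
    names, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            return None              # truncated attribute header
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            return None              # malformed attribute: reject the packet
        if atype == FILTER_ID:
            names.append(body[i + 2:i + alen].decode("utf-8", "replace"))
        i += alen
    # Assumption: deny unless exactly one Filter-Id names a configured group.
    matches = [n for n in names if n in configured_groups]
    return matches[0] if len(matches) == 1 else None
```
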
The TMS zl Module can also receive dynamic access policies, which are
configured on the external RADIUS server (either manually or with HP
ProCurve Identity Driven Manager [IDM]). In this case, the TMS zl Module
applies the user-based policies to the source IP address from which the user
logged in.
Use Models for Access Control with Authentication
You can use the TMS zl Module’s authentication capabilities in several ways.
Guest Authentication. A typical use model for authentication is to control
guest access. Guests connect to a zone that does not allow any access except
to the TMS zl Module login page. After guests log in, the TMS zl Module assigns
them to the guest group. The guest group has access policies that allow the
guests limited network rights.