HP PCM+ 4.
© Copyright 2004, 2005, 2007, 2009, 2011, 2012 Hewlett-Packard Development Company, L.P. All Rights Reserved. Publication Number 5998-3826 September 2012

Trademark Credits

Microsoft, Windows, Windows XP, and Windows Vista are U.S. registered trademarks of Microsoft Corporation. Intel and Pentium are trademarks of Intel Corporation in the U.S. and other countries. Adobe is a trademark of Adobe Systems Incorporated.
Contents

1 Welcome to Identity Driven Manager
Introduction 1-1
Why IDM? 1-1
What’s New in IDM 4.0? 1-2
IDM Architecture 1-3
Terminology
Show Mitigations 2-38
IDM Preferences 2-39
Using Active Directory Synchronization 2-42
Testing IDM’s AD Sync Configuration 2-48

3 Using Identity Driven Manager
Understanding the IDM Configuration Model
Adding Users to an Access Policy Group
Changing Access Policy Group Assignments
Using Global Rules
Configuring Auto-Allow OUIs
Viewing Auto-Allow OUIs and Network Access
Viewing Auto-Allow User Information
Placing IDM Server into the AD Domain 5-13

A IDM Technical Reference
Device Support for IDM Features
About Switch Support for MAFR and MBV
Best Practices
Types of User Events
1 Welcome to Identity Driven Manager

Introduction

Network usage has skyrocketed with the expansion of the Internet, wireless, and convergence technologies. This increases the burden on network managers working to control network usage. Also, the complexity of large networks makes it difficult to control network access and usage by individual users.
5. If the user is authenticated, the PCM device grants the user access to the network. If the user is not authenticated, access is denied.

For networks using IDM, access control is enhanced to include authorization parameters along with the authentication response. IDM enhances existing network security by adding network authorization information, with access and resource usage parameters, to the existing authentication process.
• An administrative GUI for configuration, events viewing and SSL certificate management
• A SNAC-IDM communication interface
• SNAC 802.
Figure 1-1. IDM Architecture

IDM consists of an IDM Agent that is co-resident on the RADIUS server, and an IDM Server and SNAC server that are co-resident with PCM+. Configuration and access management tasks are handled via the IDM GUI on the PCM+ management workstation.
The IDM Server provides IDM configuration and monitoring. It operates as an add-on module to PCM+, using the PCM model database to store IDM data, and a Windows GUI (client) to provide access to configuration and monitoring tools for IDM.
Terminology

Access Policy Group
An IDM access policy group consists of one or more rules that govern the login times, devices, quality of service, bandwidth, and VLANs for users assigned to the access policy group.

Access Profile
An IDM access profile sets the VLAN, quality of service, and bandwidth (rate-limits) applied when a user logs in and is authenticated on the network.

Authentication
The process of proving the user’s identity.
Endpoint Integrity
Also referred to as “Host Integrity,” this refers to the use of applications that check hosts attempting to connect to the network to ensure they meet requirements for configuration and security, generally to make sure that virus checking and spyware applications are in place and up to date.

IDM Agent
The IDM Agent resides on the RADIUS server.
IDM Specifications

Supported Devices
For a list of IDM 4.0 features supported on HP Networking devices, refer to “Device Support for IDM Features” on page A-1.

Operating Requirements
For operating requirements, refer to the “Supported IDM Environments” section in the PCM+ 4.0 Installation and Getting Started Guide.

Additional Requirements
■ Implementation of an access control method, using either MAC-auth, Web-auth, or an 802.
Upgrading from Previous Versions of PCM and IDM

The installation package for PCM+ contains the IDM 4.0 installation files. If you are running earlier versions of IDM, you must select the IDM option during the PCM+ 4.0 install process. This is required to support changes made in the underlying PCM and IDM databases. If you want to test the IDM 4.0 functionality using the free 60-day trial provided with the PCM+ 4.
Learning to Use PCM+ IDM

The following information is available for learning to use PCM+ Identity Driven Manager (IDM):
■ This User’s Guide—helps you become familiar with using the application tools for access control management.
2 Getting Started

Before You Begin

If you have not already done so, please review the list of supported devices and operating requirements under “IDM Specifications” on page 1-8. If you intend to restrict user access to specific areas of the network using VLANs, make sure you have set up your network for use of VLANs. For details on configuring VLANs, refer to the HP PCM+ 4.0 Network Administrator’s Guide, or the Advanced Traffic Management Guide for your PCM+ switch.
2. From the available downloads list, click Windows PCM/IDM Agent Installer and then click Save to download the file.
3. Once the download completes, close the download window and the web browser.
4. Open the downloaded PCM-agent-setup.exe file by double-clicking it. The Agent Installation Wizard will then guide you through the installation.

Figure 2-1. Agent Information

On the Agent Information window of the Agent Installation Wizard:
a. Select IDM Agent.
b.
Figure 2-2. Server Information

For the Agent to communicate with the PCM server, these values MUST MATCH the values set on the PCM server for this Agent.
a. If the Agent will initiate connection to the PCM server, select the Agent Initiates Connection check box. If the PCM server will initiate a connection to the Agent, ensure this check box is not checked.
e. To change the default Password that the Agent will use to communicate with the PCM server, clear the related Use Default check box and type the desired password. This must match the password set on the Agent Manager Server Setup tab.

Once installed, the IDM Agent begins collecting User, Domain, and RADIUS data.

Installing on a Linux System

To install the IDM Agent on a supported Linux system:
1.
RADIUS Server, then let it run to collect the information as users log into the network. Even after you begin creating configurations in IDM, both options continue to collect information on users and Domains (domains in Active Directory) and pass that information to the IDM server.

If you are using multiple RADIUS servers, you need to install an IDM Agent on each of the servers. The IDM Agent collects information only on the system where it is installed.
7. If Active Directory synchronization is not used, assign Users to the appropriate Access Policy Group. (See page 3-49.)
8. If automatic deployment is disabled, deploy the configuration policies to the IDM Agent on the RADIUS server. (See page 3-66.)
9. Configure Auto-allow OUIs for the devices that will perform MAC authentication.
The basic operational model of IDM involves Users and Groups. Every User belongs to a Group and, in IDM, these are called Access Policy Groups (APGs). Each APG has an Access Policy defined for it, which governs the access rights that are applied to its Users as they enter the network. In the IDM GUI, the top level of the navigation tree is the Domain, with all other information for APGs and RADIUS Servers beneath the Domain in the navigation tree.
IDM GUI Overview

To use the IDM client, launch the PCM Client on your PC by selecting the PCM option from the Windows Program menu. The PCM Client will start up and the Login window will be launched.

Figure 2-3. PCM Login

If you did not enter a Username or Password during install, type in the default Username, Administrator, then click Login. For additional information on using the PCM Client, refer to the HP PCM+ 4.0 Network Administrator’s Guide.
Figure 2-4. IDM Dashboard

The IDM initial display provides a quick view of IDM status in the Dashboard tab, along with an Events tab, navigation tree, and access to menu and toolbar functions. You can resize the entire window, and/or resize the panes (sub-windows) within the Identity Management Home window frame.
IDM Dashboard

The IDM Dashboard is a monitoring tool that provides a quick summary view of IDM users, RADIUS servers, and events. The Dashboard can be viewed:
• From within PCM by selecting Network Management Home and clicking the Identity Driven Manager tab.
• By clicking the Identity tab at the bottom of the PCM navigation tree.

The Dashboard tab contains the following panes of status information:

Table 2-2. IDM Dashboard Status Information
Pane | Displays...
Figure 2-5. Domain List tab

Domain Tabs

Expanding the Domains node and clicking a domain in the tree displays the Dashboard tab in the right pane, along with the Properties, Global Rules, Auto-Allow OUIs and Users tabs.

Figure 2-6. Domain - Dashboard tab

Domain Dashboard tab: The Domain Dashboard is a monitoring tool that provides a quick summary view of IDM users and Agents.
Table 2-3. Domain Dashboard Status Information (Continued)
Pane | Displays...
Top talkers | Input octets (bytes), output octets, or both. Use the list in this pane to select whether to display input octets, output octets, or both. You can hide the legend for this pane by clearing the Legend check box.
Users logged in | A scrolling 24-hour display that shows the total number of users logged in at any given time during the past 24 hours.
Table 2-4. Domain Properties Information (Continued)
Field | Displays...
Last Deployed | Date and time the policy was last deployed. Use this field to ensure that the current Domain attributes have been deployed.
Figure 2-9. Domain Users tab

Expanding the Domain node in the tree will display the Access Policy Groups and RADIUS server nodes for the Domain.

Filtering Support for Users tab: Filtering functionality has been added to the Users tab. Users can filter the table content based on the following columns: AuthID, Domain, Email, MAC Prefix, Name, Owner and Phone.
Access Policy Groups node

Clicking the Access Policy Group node displays the Access Policy Groups tab with a list of currently configured groups. You can also expand the node to view the APGs in the tree.

Figure 2-10.
Click the individual group node in the navigation tree to display the group’s Dashboard, Properties, Auto-Allow OUIs and Users tabs. Information displayed for the selected policy group is similar to the Domains tab displays described above.

RADIUS Servers node

Clicking the RADIUS Servers node displays the RADIUS List tab, with status and configuration information for each RADIUS Server in the Domain that has an IDM Agent installed, or that is manually defined.
Toolbars and Menus

Because IDM is a module within PCM+, it uses the same main menu and global toolbar functions. Individual tabs or windows within the IDM module also include separate component toolbars. The functions available in the component toolbar vary based on applicable functions for that component. Toolbar buttons for disabled functions are grayed out. The component toolbar options are described under the process they support in the next chapter.
Using IDM as a Monitoring Tool

Whether or not you configure and apply access and authorization parameters using IDM, you can use IDM to monitor user sessions on the network and generate usage reports. You can use the monitoring features along with the IDM Reports to track usage patterns, user session statistics, bandwidth usage, top users, and so on.
Using IDM Reports

IDM provides reports designed to help you monitor and analyze usage patterns for network resources. Report options are available from the Reports > User Access Control menu at the top of the IDM main window. The Report wizard screens and report parameters vary, depending on the type of report selected.
By default, all user history is reset and all session history is deleted by the predefined IDM Session Cleanup policy on the first day of each month at midnight. However, the IDM Session Cleanup policy can be modified to fit your needs.

The following IDM reports are available:

Table 2-5.
Table 2-5. IDM Reports (Continued)
Report | Contents
Session History Details | Detailed information about all login attempts, whether successful or failed. This report is especially helpful in identifying login failures and whether an access profile, location, or user needs to be modified in PCM. Once the initial report dates and filters are set, you can also configure what columns you want to include in the report.
Creating Report Policies

You can also use the Policy Manager feature to schedule reports to be created at regular intervals, or in response to an event. For complete details on creating policies, refer to “Configuring Policies” in the HP PCM Network Administrator’s Guide.

The basic process for creating a Report Policy is:
■ Time - Configure the Time periods when the report policy can be executed. If no time is specified, the policy can execute at any time.
Figure 2-15. Policy Manager, Actions

The Manage Actions window displays the list of defined Actions.
3. Click New to launch the Create Action dialog.

Figure 2-16.
4. Select the Report Manager:Generate Report Action type from the menu.

Figure 2-17. Policy Manager, Select Action

5. Type a Name for the Action (required) and a brief Description (optional).
6. Click OK to save the Action and display the Action Properties tab. The properties you set in the previous step will display.

Figure 2-18.
At this point the other tabs displayed are:
Type: Lets you select the Report type you want to generate. As soon as you select a report type, additional tabs may appear in the window depending on the filter criteria for the report.
Format: Lets you set the report output format.
Delivery: Lets you select where the report will be sent (to file, e-mail, and so forth).

7. Click the Type tab and select the IDM Report type you want included in the action.
Figure 2-20. Report Manager Action: Report format selection

10. Select how you want to generate the report for the following options.

Table 2-6. IDM Status Report Options
Select... | To produce the report...
PDF | In .pdf format. To view this file format, you will need Adobe Acrobat Reader, which can be downloaded free from http://get.adobe.com/reader.
HTML | In .html format, which can be viewed with any Web browser.
Figure 2-21. Report Manager Action: Report Delivery method

Email is the default method. It will email the report to the address specified. It also requires that you have an SMTP profile for the email address. See “Creating SMTP Profiles” in the HP PCM+ 4.0 Network Administrator’s Guide for details. Use the menu to select a different delivery method.

Figure 2-22.
e. In the Password field, type the password used to access the FTP site.
f. Select the Filename conventions to use:
   – No timestamp in file name: Name the file exactly as entered in the Filename field.
   – Prepend timestamp to file name: Add the timestamp at the beginning of the filename entered in the Filename field.
   – Append timestamp to file name: Add the timestamp at the end of the filename entered in the Filename field.
1. Click the Policy Manager button in the toolbar.
   OR
   Select Tools > Policy Manager to launch the Policy Configuration Manager window.
2. Select the Alerts node from the navigation tree to display the Manage Alerts pane.

Figure 2-23. Manage Alerts: IDM Session Cleanup selection

3. Select the IDM Session Cleanup policy and click Edit to display the properties.

Figure 2-24.
4. Click the Schedule tab to review and edit the schedule parameters.

Figure 2-25. IDM Session Cleanup Schedule, alert configuration

5. Set the Start Date for enforcement of the policy. The default is the start date and time for IDM. You can type in a new date and time, or use the arrows to increase or decrease the date and time entries. Note that the time clock uses 24 hour format; thus a time of 22:00 is used to indicate a start time of 10:00 pm.
To select... | Do this...
Weekly | Select the check boxes for the days of the week you want to enforce the policy.
Monthly | Select Last day of the month to enforce the schedule on the last day of the month. OR Select Day and use the up or down arrows to select the day of the month.

7. Use the radio buttons to select No end date, End by, or Maximum occurrences to identify when the schedule should end.
Monitoring User Session Information

You can use IDM to just monitor the network, and receive detailed information about users' access to the network. User Session information provides statistics about exactly how the network is being used (when the user logged in and out, where a user logged in from, and how much bandwidth they consumed, for example).
Column | Displays...
Login Time | The date and time the user logged in
Login Successful | Yes if the user logged in successfully or No if login failed
Location | The name of the location where the user logged in
Access | The access profile assigned to the access policy group governing the user’s permissions during the session

3. Click the User Properties tab to view the following information:

Field | Displays...
Field | Displays...
Endpoint Integrity State | If endpoint integrity is enabled, whether the user must pass endpoint integrity requirements before they can log into the network

5. Click the Location Info tab to view the following information:

Field | Displays...
Find User Session

The Find User Session feature lets you search and display information about a user session by Auth ID or MAC address. The displayed information is similar to User Session Status information. This information contains all the session history records associated with a given Auth ID or MAC address. If the specified Auth ID or MAC address does not have session records in the session history, then it returns an empty result set.
Figure 2-27. Find User Session

2. In the Auth ID field, type the complete Auth ID that you want to find.
   OR
   In the MAC address field, type the MAC address of the computer for which you want to find and display information. The MAC address may be specified in any valid standard format (single dash, multi-dash, multi-colon, no delimiter, etc.) in Auth ID or MAC address fields.
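The following added example (not part of the HP guide and not IDM code) shows why a lookup by MAC address has to normalize its input: the same adapter can appear in session records in any of the four formats named above. The record fields, sample addresses, and the treatment of an Auto-Allow OUI as the first three octets are assumptions made for illustration.

```python
import re

# The four formats named in the guide; anything else is rejected here.
_FORMATS = (
    re.compile(r"[0-9a-f]{6}-[0-9a-f]{6}"),         # single dash
    re.compile(r"[0-9a-f]{2}(?:-[0-9a-f]{2}){5}"),  # multi-dash
    re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"),  # multi-colon
    re.compile(r"[0-9a-f]{12}"),                    # no delimiter
)


def normalize_mac(text):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    candidate = text.strip().lower()
    if not any(fmt.fullmatch(candidate) for fmt in _FORMATS):
        raise ValueError(f"not a recognised MAC address format: {text!r}")
    return candidate.replace("-", "").replace(":", "")


def normalize_oui(text):
    """Return a 3-octet prefix as 6 lowercase hex digits (assumed OUI length)."""
    digits = text.strip().lower().replace("-", "").replace(":", "")
    if not re.fullmatch(r"[0-9a-f]{6}", digits):
        raise ValueError(f"not a 3-octet OUI: {text!r}")
    return digits


def find_sessions(history, mac):
    """All records for one adapter, whatever format each record was stored in.

    An address with no records yields an empty list, mirroring the
    "empty result set" behaviour the guide describes.
    """
    wanted = normalize_mac(mac)
    return [rec for rec in history if normalize_mac(rec["mac"]) == wanted]


def auto_allow_matches(history, oui_prefixes):
    """Map each OUI prefix to the Auth IDs whose MAC address falls under it."""
    ouis = {normalize_oui(p) for p in oui_prefixes}
    matches = {}
    for rec in history:
        prefix = normalize_mac(rec["mac"])[:6]
        if prefix in ouis:
            matches.setdefault(prefix, []).append(rec["auth_id"])
    return matches


# Constructed sample session history (hypothetical field names and values).
SESSION_HISTORY = [
    {"auth_id": "jsmith", "mac": "00-11-22-AA-BB-CC", "login_ok": True},
    {"auth_id": "jsmith", "mac": "001122-aabbcc", "login_ok": False},
    {"auth_id": "printer-3f", "mac": "0a:1b:2c:00:00:01", "login_ok": True},
    {"auth_id": "mlee", "mac": "3C4A92D0E155", "login_ok": True},
]

if __name__ == "__main__":
    for rec in find_sessions(SESSION_HISTORY, "00:11:22:aa:bb:cc"):
        print(rec)
    print(auto_allow_matches(SESSION_HISTORY, ["0A-1B-2C"]))
```
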
Figure 2-28. Report Wizard, Report Filter

3. To report on a specific time range, clear the All Dates (no filter) check box and select the Start Date and End Date. Click Next to select the report contents.
Figure 2-29. Report Wizard, Columns to Include

4. Select the check boxes to select the data columns. If wireless settings are enabled the WLAN and BSSID options also appear.
5. Click Finish to run the report. The report is displayed in a separate window on the IDM Client.

Show Mitigations

The Show Mitigations window lists all NIM mitigations (actions taken to resolve security threats) for the selected user and is used to delete NIM mitigation rules.
To show or delete mitigations:
1. In the IDM Users tab, right-click a mitigated user and choose Show mitigations to display the Mitigations window. This function is selectable for mitigated users only.
Click the option check boxes to select (check) or deselect (clear) the following options.
1. Select the Configuration Deployment option to automatically deploy IDM configuration settings (Access Profiles, Locations, Times, Network Resources) to the IDM agent. The default preference is to allow automatic configuration deployment. Select the Disable automatic deploy to IDM agents option if you do not want to use automatic IDM configuration deployment.
7. To reset all session accounting information whenever the server is restarted, select the Reset accounting statistics when the management server starts check box. When this option is selected, IDM closes any open sessions and resets the RADIUS Server totals to zero when the server restarts. If the status of users—logged on or off—seems incorrect, it is possible that the session accounting is out of sync.
Using Active Directory Synchronization

The Active Directory Synchronization (AD Sync) feature provides the ability to receive change notifications from the Active Directory server for the domain the management server is logged into. Active Directory Synchronization will automatically update the IDM database with changes made in your Active Directory, including new users, changes to existing users, and deletion of users.
Figure 2-31. Identity Management Preferences: User Directory Settings

2. In the left pane of the Preferences window, expand Identity Management and select User Directory Settings.
3. In the Identity Management: User Directory Settings pane, select the Enable automatic Active Directory synchronization check box and type the Username and Password of the Active Directory to be synchronized.
Figure 2-32. Add/Review AD Groups to Synchronize

The Active Directory is queried for all groups in the domain and the groups are displayed in the Groups in Active Directory list.

Note: When adding or removing groups, remember that synchronization includes all users who are indirect members of a group via intervening nested group relationships.
synchronizes on Group A or Group B, User 1 is imported into the group with the higher priority. If IDM synchronizes on Group d or Group y, User 1 is not imported.

7. On the Add or Remove Groups window, select the groups to sync in the Groups in Active Directory column and click the >> button to move them to the Groups to Synchronize column.
8. When you have selected all the groups you want to sync, click OK.
9.
12. An Importing Users dialog box will display the number of users being imported and a progress bar indicating how long the process is taking. When you are done monitoring the progress of your import, click Close.
■ Within a Domain, Access Policy Group names must be unique. If Access Policy Groups are being created manually within the same Domain, use naming conventions to ensure these names do not conflict with Active Directory group names.
■ Performance for the import from Active Directory to IDM varies depending on your environment. Using a 1.86 GHz processor with 2GB RAM, importing 20,000 Active Directory users in 75 groups takes approximately 65 minutes.
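The AD Sync notes above say that synchronizing a group also imports its indirect members through nested groups, and that a user reachable from several synchronized groups lands in the one with the higher priority. The added example below (not HP's implementation) previews that outcome for a constructed directory before groups are selected; the group and user names are hypothetical, and priority is assumed to be the order of the list passed in, highest first.

```python
def expand_group(group, directory, _seen=None):
    """Return every user that is a direct or indirect member of `group`.

    `directory` maps a group name to its members; a member that is itself a
    key of `directory` is a nested group. `_seen` guards against nesting
    cycles (group A contains group B, which contains group A).
    """
    seen = set() if _seen is None else _seen
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for member in directory.get(group, ()):
        if member in directory:
            users |= expand_group(member, directory, seen)
        else:
            users.add(member)
    return users


def indirect_only(group, directory):
    """Users who would be imported only because of nested group membership."""
    direct = {m for m in directory.get(group, ()) if m not in directory}
    return expand_group(group, directory) - direct


def plan_import(sync_groups, directory):
    """Map each imported user to the synchronized group that receives them.

    `sync_groups` is ordered highest priority first (an assumption about how
    priority is expressed). Users outside every synchronized group are
    absent from the result, which means they are not imported.
    """
    assignment = {}
    for group in sync_groups:
        for user in sorted(expand_group(group, directory)):
            assignment.setdefault(user, group)
    return assignment


# Constructed directory: "Department Heads" is nested in "Faculty",
# "Teaching Assistants" is nested in "Students", and the two lab groups
# contain each other to exercise the cycle guard.
DIRECTORY = {
    "Faculty": ["u.alvarez", "Department Heads"],
    "Department Heads": ["u.chen"],
    "Students": ["u.patel", "Teaching Assistants"],
    "Teaching Assistants": ["u.chen", "u.okoro"],
    "Lab Users": ["u.kim", "Lab Admins"],
    "Lab Admins": ["u.okoro", "Lab Users"],
}

if __name__ == "__main__":
    plan = plan_import(["Faculty", "Students"], DIRECTORY)
    for user, group in sorted(plan.items()):
        print(f"{user:10s} -> {group}")
    print("indirect via Faculty:", sorted(indirect_only("Faculty", DIRECTORY)))
```

Reversing the priority order moves `u.chen` from Faculty to Students, so the same check is worth re-running whenever the synchronized group list changes.
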
3 Using Identity Driven Manager

Understanding the IDM Configuration Model

As described in the IDM model on page 2-6, everything relates to the top level, or Domain. Each User in the Domain belongs to an Access Policy Group (APG). The APG has an Access Policy defined for it that governs the access rights that are applied to its Users as they enter the network. The Access Policy is defined using a set of Access Rules.
Configuration Process Review

Assuming that you opted to enable Active Directory synchronization or let IDM run long enough to discover the Domain, users, and RADIUS server, your configuration process will be:
1. Define locations (optional) from which users access the network. The location may relate to port-based VLANs, or to all ports on a switch.
2. Define times (optional) at which users will be allowed or denied access.
10. For the devices that will perform MAC authentication, you can configure Auto-Allow OUI to provide automatic authentication based on those devices’ MAC address prefixes.

Configuring Identity Management

All of the elements described for configuring user access in IDM are available in the Identity Management Configuration window. To launch the Identity Management Configuration window:
1.
Configuring Locations

Locations in IDM identify the switch and/or ports on the switch and wireless access points where users connect to the network. Users generally are allowed to log in to the network from a variety of locations; IDM allows you to create customized locations to match specific environments.
Adding a New Location

To create a new location:
1. Click the New Location button in the Locations toolbar to display the Create a new Location window.

Figure 3-3. Create a New Location display

2. Type a Name for the location.
3. Type a Description for the location.

To add wired devices to the location:
4. Click Add device to open the New Device window, and define the devices and/or port combinations that will be included in the location.
Figure 3-4. New Device window

5. Use the Select Device Group list to select the Agent and device model that will be allocated to users logging in from the associated location.
6. Enter the device to be added.
   a. Using the Device Selection option:
      i. Use the menu to select a device group. This will enable the Select Device menu in the next field.
      ii. Select a device from the list of available devices.
7. Use the Port Selection section to define the ports on the device that will be associated with the location.
   • Click to select Any port on the switch, or
   • Click Select ports, then use the lists to select the Begin and End ports on the device that will be associated with the new location.
   If you manually entered the device address, the Begin port and End port menus are disabled, and you must manually enter the ports.
8.
Figure 3-5. Create a New Location, Wireless Devices

2. Click Add Device to display the Wireless Devices Dialog. All discovered Radios and radio ports are displayed.

Figure 3-6.
3. Click the check box(es) to select the radio ports to be included in the location, and then click OK to save the selection and return to the Create a new Location (Wireless Devices tab) window.
4. Click OK to save and exit, or repeat the steps to add additional devices to the location.

Modifying a Location

To edit the information for an existing Location:
1.
Deleting a Location

To remove an existing Location:
1. Select the Locations node from the Identity Management Configuration navigation tree to display the Locations pane with the list of defined locations.
2. Click a location from the list to select it.
3. Click the Delete Location button in the toolbar to remove the location. The first time you use the Delete Location option, a warning pop-up is displayed.
Configuring Times

Times are used to define the hours and days when a user can connect to the network. When included in the Access Policy Group rules, the time can be used to allow or deny access from specific locations at specific times. For example, students might be allowed network access from the "Classroom" location during weekdays, from 9:00 am to 5:00 pm, but denied access from the Classroom at any other time.

To configure a Time:
1.
Table 3-1. Times pane parameters (Continued)
Field/Section | Displays...
Days of week | The days of the week when the access policy group is active
Range | The dates during which the time will be in effect. A start date must be specified.

Figure 3-8. Times Properties

Creating a New Time

To create a new Time:
1. In the Times Pane, click the Add New Time button to display the Create a new Time window.
Figure 3-9. Create a New Time

2. Define the properties for the new time.

Table 3-2. IDM Time parameters
Field/Section | Entry
Name | Type a name used to identify the time
Description | Type a brief description of the time
Time | Select a time of day when user will be accepted on the network. To allow access the entire day, select the All day radio button.
Modifying a Time

To modify a Time:
1. In the Times pane, select a Time from the navigation tree to display the Time details in edit mode, similar to the Create a new Time pane. You can also select the Time from the list then click the Modify Time button in the toolbar to display the modify pane.
2. Modify the time parameters, as described in Table 3-2 on page 3-13.
3. Click OK to save your changes and close the window.
2. Click Add to launch the Add Holiday window.
Figure 3-11. Add Holiday
3. The Date field defaults to the current date. You can use the field buttons to increase or decrease the date. You can also type a new date.
4. In the Description field, enter the text that will identify the holiday in the Holidays list.
5. Click OK to save the holiday and close the window. The new holiday appears in the Holidays list.
Figure 3-12. Device Finger Printing

User Agent To Device Types Mapping
The administrator can see the list of configured (both pre-loaded and user defined) User-Agent Pattern to Device Type mappings from this node. It has three columns with some default values.
• Device Type
Figure 3-13. User Agent to Device Types
Note: The Users tab view reflects the device type corresponding to the user agent pattern that is listed with the lowest position number in the above list.

Creating a New User Agent Mapping
To create a new User Agent Mapping:
1. Enter the user agent pattern to match in the user agent string, and the Device type (you can also enter new or select from existing types).
Figure 3-14. New User Agent to Device Type Mapping

Bulk Import of User Agent Pattern Mappings
To do bulk import of user-agent patterns:
1. Stop the PCM Service.
2. Update the server/config/UserAgentPattern file with the required patterns.
3. Edit server/config/globalprops.prp.
4. Remove the ‘IDMDeviceFingerPrinting’ section.
5. Start the PCM Server service.
2. A dialog box appears to confirm before deleting the entry. If the device type being deleted is in use in some Device Group, deletion is not allowed. Further, if the pattern selected for deletion is one of the catch-all patterns defined in Creating a Global Rule, the deletion also fails with an appropriate notice.

Moving up User Agent Mapping
The Administrator can move a selected pattern Up in the table.
Under Device Type Groups node, each node represents one Device Type Group object. A Device Type Group object can hold either specific Device Types or a mix of various kinds of devices. The Device Type Group Name holds the unique value.
Figure 3-15.
To edit the selected Device type group object, click any entry in Device Type Group Name.
Figure 3-16. Edit Device Type Group

Creating a New Device Type Group Object
To create a New Device Type Group Object:
1. Enter the Device Type Group Name, Description, and then select elements from the list of Device Types.
Figure 3-17. Create a new Device Type Group
2. Click Add/Remove. A dialog box appears to select device types.
Figure 3-18. Select Device Types
3. After selecting the device types, click Ok.
4. The new group is added to the list of existing device groups in the navigation tree.
5. Click Close to save the device type group to the database.
Figure 3-19. Edit/Delete Created Groups

Modify Device Type Group
To modify a new Device Type Group:
1. From the Identity Management Configuration navigation tree, select Device Finger Printing and then select Device Type Groups.
2. Edit the device type group using one of the following ways:
a. Select the device type group node from the navigation tree.
b.
IDM has pre-configured Device Type Groups for each of the catch-all patterns.
Figure 3-20. Network Resources
The Network Resources window lists the name and parameters for defined resources, including:

Table 3-3. Network Resources parameters
Column          Displays...
Name            The name used to identify the resource
IP Address      The IP Address for the switch associated with the resource ("any" if the resource is being filtered by protocol).
Network Mask    The subnet mask for the IP Address.
Figure 3-21. Network Resources - Details
Note: When you open the details window, it is in “Edit” mode. You can modify the entries in the display fields, and the changes are automatically saved when you click Close. For details on the field entries, refer to the definitions under “Adding a Network Resource” on the next page.

Adding a Network Resource
To define a new Network Resource: 1.
Figure 3-22. Define Network Resource
2. Define the properties for the network resource.
Table 3-4.
Table 3-4. IDM Network Resource parameters (Continued)
Field/Section    Entry
Port             Any port is selected by default, which means all ports associated to the IP address are included in the network resource definition. To specify a port for the network resource, check the Any port check box to clear it and enable the Port field. Enter the port number, or friendly port name* used for the resource.
2. Click in the list to select the network resource to delete, then click the Delete Network Resource button.
3. Click Yes in the confirmation pop-up to complete the process. The selected network resource is removed from the Network Resources list display.
Configuring Access Profiles
IDM uses an Access Profile to set the VLAN, QoS, Bandwidth (rate-limits) and Network Resource access rules that are applied to the user when they are authenticated on the network. This is where the real benefits of "access control" are realized. When users log in, the Access Profile dynamically configures the switch or wireless access point settings to provide the proper network access and resources for the user.
Select the Access Profile node from the navigation tree, or double-click a profile from the list to display the details of the selected profile. The Name, Description, and Access Attributes are the same as defined in the Access Profiles list. The Network Resources section lists the Network Resources included in the profile:

Table 3-6. Access Profile - Network Resources parameters
Column    Displays...
2. Define the attributes for the Access Profile:

Table 3-7. New Access Profile parameters
Field/Section                    Entry
Name                             Type a name used to identify the Access Profile
Description                      Type a brief description of the Access Profile
Untagged VLAN or Tagged VLANs    Select the type of VLAN used for the access profile. To select an untagged VLAN, check the Untagged VLAN check box and select the VLAN that can be accessed from the list.
3. If you want the IDM QoS attributes to override the switch attributes, use the QoS list to select the quality of service or priority for outbound traffic of users in groups associated with the access profile. QoS ranges from lowest to highest, with Normal being the default.
4. In the Ingress rate-limit field, select the maximum bandwidth or rate limit allocated for traffic from users assigned to the Access Policy Group using the Access Profile.
Figure 3-26. Network Resource Assignment Wizard, Allowed Network Resources
8. To permit access to Network Resources:
a. Select the Resource from the Available Resources list. Use shift-click to select multiple resources.
b. Move the Available Resource(s) to the Allowed Resources list (click >>).
c. Click Next to continue to the Denied Network Resources window.
Figure 3-27. Network Resource Assignment Wizard, Denied Network Resources
9. To deny access to Network Resources:
a. Select the Resource from the Available Resources list. Use shift-click to select multiple resources.
b. Move the Available Resource(s) to the Denied Resources list (click >>).
c. Click Next to continue to the Priority Assignment window.
Figure 3-28. Network Resource Assignment Wizard, Priority Assignment
10. Set the priority (order of evaluation) for the Network Resources. To change the priority, select the Resource from the list, then click Move down or Move up. The first rule to match is the one that will be applied.
11. Click Next to continue to the Default Access window.
Figure 3-29. Network Resource Assignment Wizard, Default Access
12. Select the option to tell IDM what to do if there are no matches found in the network resource access rules.
13. Click Next to continue to the Resource Accounting window.
Figure 3-30.
14. Select the check box to enable one or more Accounting functions (optional). This enables tracking of hits on this resource on the switch or access point. Use CLI on the switch to review the hits.
15. Click Next to continue to the summary window.
Figure 3-31. Network Resource Assignment Wizard, Summary
16. Click Finish to save the Network Resource Assignments to the Access Profile and close the wizard.
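The priority and default-access steps of the wizard decide the outcome whenever an allowed and a denied resource overlap. The following is an added example, not IDM code: a small model of first-match evaluation that also reports rules an earlier rule makes unreachable. The class and function names, the protocol field, and the sample resources are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NetworkResource:
    """Hypothetical model of a Network Resource: address/mask, protocol, port."""
    name: str
    network: Optional[ipaddress.IPv4Network] = None  # None models the "any" address
    protocol: Optional[str] = None                   # None models any protocol
    port: Optional[int] = None                       # None models "Any port"

    def matches(self, dst_ip, protocol, port):
        if self.network is not None and ipaddress.ip_address(dst_ip) not in self.network:
            return False
        if self.protocol is not None and self.protocol != protocol:
            return False
        return self.port is None or self.port == port

    def covers(self, other):
        """True when every flow that matches `other` also matches this resource."""
        if self.network is not None:
            if other.network is None or not other.network.subnet_of(self.network):
                return False
        if self.protocol is not None and self.protocol != other.protocol:
            return False
        return self.port is None or self.port == other.port


def resource(name, ip="any", mask="255.255.255.255", protocol=None, port=None):
    """Build a resource from the IP Address / Network Mask / Port style of entry."""
    net = None if ip == "any" else ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return NetworkResource(name, net, protocol, port)


def evaluate(rules, default_action, dst_ip, protocol, port):
    """Walk the rules in priority order; the first match wins, else the default applies."""
    for res, action in rules:
        if res.matches(dst_ip, protocol, port):
            return action, res.name
    return default_action, None


def shadowed(rules):
    """List (rule, earlier_rule) pairs where the later rule can never be reached."""
    found = []
    for i, (res, _action) in enumerate(rules):
        for earlier, _ in rules[:i]:
            if earlier.covers(res):
                found.append((res.name, earlier.name))
                break
    return found


# Constructed sample resources, listed in priority order (first is evaluated first).
INTRANET = resource("Intranet", "10.1.0.0", "255.255.0.0")
HR_DB = resource("HR database", "10.1.20.5", protocol="tcp", port=1433)
DNS = resource("DNS", protocol="udp", port=53)

BROAD_FIRST = [(INTRANET, "allow"), (HR_DB, "deny"), (DNS, "allow")]
SPECIFIC_FIRST = [(HR_DB, "deny"), (INTRANET, "allow"), (DNS, "allow")]

if __name__ == "__main__":
    for label, rules in (("broad first", BROAD_FIRST), ("specific first", SPECIFIC_FIRST)):
        print(label, evaluate(rules, "deny", "10.1.20.5", "tcp", 1433), shadowed(rules))
```

With the broad allow placed first, the deny for the single host is never reached; moving the narrower rule up in the Priority Assignment window is what makes it effective.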
3. Modify the access profile parameters, as described for creating a new profile. Click Edit to change the Network Resource Assignments using the wizard.
4. Click OK to save your changes and close the window. The changes are displayed in the Access Profiles list.
Note: When modifying Access Profiles, make sure the appropriate VLANs are configured on the network and at the switch.
Defining Access Policy Groups
An Access Policy Group (APG) contains rules that define the VLAN, rate-limit (bandwidth), quality of service, and network resource access rules for users in the group, based on the time, location, and system from which the user logs in.
To begin, expand the Domains node to display the Access Policy Group node in the IDM tree and then select it to display the Access Policy Groups tab. You can expand the Access Policy Group node in the tree, and select the individual APG node to display the policy Properties tab.
Figure 3-32. Access Policy Group Properties tab

Creating an Access Policy Group
To create an Access Policy Group: 1.
Figure 3-33. New Access Policy Group
3. Type a Name and Description for the Access Policy Group.
4. Click New to display the New Access Rule dialog.
Figure 3-34. New Access Rule
5. Select an option for each field. When all the parameters are set, click OK to save the Access Rule configuration and close the dialog.
Parameters for Access Rules are described in the following table.

Table 3-8. Access Rule parameters
Field/Section    Lists...
Location         Locations you created by name, and the ANY option. If you select ANY and the access profile for the rule points to a VLAN, ensure that the VLAN is configured on every switch to which users in this access policy group will be connecting.
Time             Times you created by name, and the ANY option.
8. Click OK to save the Access Policy Group and close the window. IDM will verify that the rules in the APG are valid. If a rule includes a defined VLAN (from the Access Profile) and the VLAN does not exist on the network or devices for the location(s), an error message is returned and you must fix the problem before the APG can be saved. Click Cancel to close the window without saving the Access Policy Group configuration.
9.
Figure 3-35. Access Rule with Endpoint Integrity options
Select the Endpoint Integrity option to use with the access rule, as described in the following list.

Table 3-9. Endpoint Integrity options
Select...    To apply the access rule...
1. Select the Access Policy Group node from the IDM tree to display the Access Policy Groups tab.
2. Select an Access Policy Group Name.
3. Click the Modify Policy Group button in the toolbar to display the Modify Access Policy Group window.
4. Modify the Rules as needed. (See page 3-16 for field definitions.)
5. Click OK to save your changes and close the window. Click Cancel to close the window without saving the Access Policy Group changes.
Configuring User Access
The process of configuring User access to network resources using IDM is simplified through IDM’s ability to learn User information from the Active Directory or RADIUS server, and the use of Access Policy Groups.
Table 3-10. Users list parameters (Continued)
Column             Displays...
Domain             Domain in which the user logs in
MAC Prefix         OUI that allowed the user to access the network through the Auto Allow OUI configuration
Expiration Time    The expiration time for the devices that are registered by guest users.
Device type        The device that the user carries to connect to the network.
Useragent          The string that contains the end-user information.
Changing Access Policy Group Assignments
To re-assign users to a different APG:
1. Select the access policy group or domain from the IDM navigation tree, and then click the Users tab in the Access Policy Group or Domain window.
2. Select the users in the list, then click the Add Users to APG button in the toolbar to display the Select Access Policy Group window.
3. Select a different option from the Assign selected Users to Access Policy Group menu.
4.
Figure 3-37. Global Rules tab
The Global Rules tab provides the following data about defined global rules:

Table 3-11. Global Rules parameters
Column      Displays...
Target      User(s) or access policy group to which the rule applies
Location    Location where the rule is used
Time        Time that the rule is used
System      System where the rule is used
WLAN        WLAN where the rule is used.
2. Click the Create a New Global Rule button to display the New Global Rule window.
Figure 3-38. Global Rules dialog
3. Select the Target Properties.
• To use the global rule for all users in the domain, select All Users.
• To use the global rule for a specific user, select Single User and type the user name in the field.
• To use the global rule for an access policy group, click Access Policy Group, and select the group from the menu.
Note:
d. Select the WLAN where the global rule will be used, or ANY. Note that this option only appears if the Enable Enhanced wireless support option is set in the Preferences for Identity Management.
e. Select the Device type group where the global rule will be applied, or ANY. If Endpoint Integrity is Enabled, this Device Type Group option appears between the WLAN and Endpoint Integrity options.
f.
Configuring Auto-Allow OUIs
In addition to traditional authentication methods, such as 802.1X, Mac-Auth, and Web-Auth, IDM also provides Auto-Allow OUI, automatic authentication for static devices based on their MAC address prefix. This feature can save a significant amount of time, since it means you no longer have to individually register or configure each of your printers, IP phones, and similar devices.
Figure 3-39. Network Access with Auto-Allow OUI
In the picture above, the following steps take place before a static device is allowed network access:
1. Using the IDM client, a user adds a MAC prefix/OUI to an Access Policy Group. The OUI can be added to an existing Access Policy Group or a new Access Policy Group can be created for the OUI. An OUI may contain 1 to 12 characters.
2.
Note:
5. If a match is found, the device is assigned to the Access Policy Group associated with that OUI.
6. The login event is logged in the IDM Event Browser and user session information is shown in the Users tab.
7. If the OUI is removed, the device is denied access to the network when the next re-authentication timer expires.
To view all Auto-Allow OUIs in an Access Policy Group:
1. From the IDM navigation tree, select the Access Policy Group node containing the OUI.
2. Select the Auto-Allow OUIs tab.

Viewing Auto-Allow User Information
To view information for current users:
1. From the IDM navigation tree, select the Domain node or Access Policy Group node containing the OUI for the user information you want to view.
2. Select the Users tab.
3.
Monitoring OUI Events and User Session Information
When an incoming user name (MAC address) using MAC authentication matches an OUI, the user is granted access to the network and the user is assigned to the corresponding Access Policy Group. An event is added to the IDM Event Browser indicating that the user logged in successfully.
Figure 3-42. Add Auto-Allow OUI
3. Select a pre-loaded well-known OUI or type in your own MAC prefix.
To use a pre-loaded OUI:
a. Select Type in your own MAC Prefix.
b. In the MAC Prefix field, type the MAC prefix (1-12 hexadecimal characters) in the aa:aa:aa:aa:aa:aa, aa-aa-aa-aa-aa-aa or aaaaaaaaaaaa format.
c. Optionally, in the Description field, enter a brief description identifying the type of device using the MAC prefix.
d.
c. Optionally, in the Description field, type a brief description identifying the type of device using the MAC prefix.
d. From the Access Policy Group list, select the Access Policy Group to which the OUI will be assigned.
e. Click OK.
Notes: HP devices are allocated MAC prefixes (OUIs) in disparate blocks. Therefore, IDM is not able to show OUIs for HP devices in the list of well-known MAC prefixes on the Add OUI window.
OR
Type the common characters in the prefix (1-12 hexadecimal characters) in the aa:aa:aa:aa:aa:aa or aaaaaaaaaaaa format.
Duplicate entries are not allowed. However, if an OUI is contained within a longer OUI (for example, OUI 00-24 contained in longer OUI 00-24-A8), the OUI with the most characters is compared against the incoming user name (MAC address).
Notes: 4.
Editing your own CUSTOMOUIs file (example):

    OUIS {
       xyzPhoneVendor {
          aa-bb-c1=
          aa-bb-c2=
       }
    }

In the above example, xyzPhoneVendor is your device vendor, and aa-bb-c1 and aa-bb-c2 are the MAC prefixes manufactured by this vendor.
Note: You must restart the IDM server for your CUSTOMOUIs changes to take effect.
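The accepted prefix notations, the duplicate rule, and the "OUI with the most characters" comparison described for Auto-Allow OUIs can be checked before prefixes are entered. The following is an added example, not IDM code: it normalizes prefixes, rejects duplicates, resolves a MAC address to the longest matching prefix, and reports nested prefixes and how many addresses each prefix admits. All function names, the class name, and the group names are assumptions constructed for illustration.

```python
import re

HEX_PREFIX = re.compile(r"[0-9a-f]{1,12}")


def normalize_prefix(text):
    """Accept aa:aa:aa, aa-aa-aa or aaaaaa notation; return bare lower-case hex digits."""
    digits = text.strip().lower().replace(":", "").replace("-", "")
    if not HEX_PREFIX.fullmatch(digits):
        raise ValueError(f"MAC prefix must be 1-12 hexadecimal characters: {text!r}")
    return digits


def normalize_mac(text):
    """A full MAC address is a prefix of exactly 12 hexadecimal characters."""
    digits = normalize_prefix(text)
    if len(digits) != 12:
        raise ValueError(f"a MAC address has 12 hexadecimal characters: {text!r}")
    return digits


def addresses_covered(prefix):
    """Number of distinct MAC addresses a prefix admits (16 per unspecified digit)."""
    return 16 ** (12 - len(normalize_prefix(prefix)))


class OuiTable:
    """Hypothetical model of the Auto-Allow OUI list: prefix -> Access Policy Group."""

    def __init__(self):
        self._groups = {}

    def add(self, prefix, group):
        key = normalize_prefix(prefix)
        if key in self._groups:  # the same prefix in another notation is still a duplicate
            raise ValueError(f"duplicate OUI {prefix!r} (already assigned to {self._groups[key]})")
        self._groups[key] = group

    def lookup(self, mac):
        """Return (matching_prefix, group) for the longest matching prefix, or None."""
        digits = normalize_mac(mac)
        for length in range(12, 0, -1):
            group = self._groups.get(digits[:length])
            if group is not None:
                return digits[:length], group
        return None

    def nested_prefixes(self):
        """Pairs (shorter, longer) where the longer prefix overrides part of the shorter."""
        keys = sorted(self._groups)
        return [(s, l) for s in keys for l in keys if l != s and l.startswith(s)]


def build_sample_table():
    """Constructed sample data; the group names are illustrative only."""
    table = OuiTable()
    table.add("00-24", "Printers")
    table.add("00:24:A8", "IP Phones")
    table.add("aabbc1", "Badge Readers")
    return table


if __name__ == "__main__":
    table = build_sample_table()
    for mac in ("00:24:a8:11:22:33", "00-24-B7-00-00-01", "10:00:00:00:00:01"):
        print(mac, "->", table.lookup(mac))
    print("nested:", table.nested_prefixes())
    print("addresses admitted by 00-24:", addresses_covered("00-24"))
```

The address count makes the breadth of a short prefix visible: every hexadecimal character left off multiplies the number of admitted MAC addresses by 16.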
Moving an OUI to Another Access Policy Group
1. Navigate to the Auto-Allow OUIs tab for the Domains node or Access Policy Groups node containing the OUI to be moved.
a. Select the Domain or Access Policy Group from the navigation tree.
b. Click the Auto-Allow OUIs tab.
2. On the Auto-Allow OUIs tab, click the Assign OUIs to Access Policy Group button.
Auto-Allow OUIs for 802.1x and Web Authentications
IDM performs access control in the following order, irrespective of the authentication mechanism used.
1. Check for auto-allow OUI
2. Check for Global Rule
3.
Deploying Configurations to the Agent
An option in the IDM Preferences allows you to automatically deploy configuration changes to the IDM agent. Or, you can manually deploy changes made to Access Profiles, Locations, Times, or Network Resource configurations. If automatic deployment is disabled, you need to deploy the configuration information to the IDM Agent once you have configured the Access Policy Groups and assigned users.
Using Manual Configuration
It is simplest to let the IDM Agent run and collect information about Domains, including RADIUS servers and users in the Domain from the RADIUS server, but you can also manually define information about the Domain, RADIUS servers, and users in the IDM GUI.
3. Click OK to save the Domain information and close the window. The new Domain appears in the Domains list, and the IDM Tree.

Modifying and Deleting Domains
To modify an existing Domain:
1. Select the Domain from the Domains list.
2. Click the Modify Domain button on the Domain list toolbar to display the Modify Domain window (similar to the New Domain window).
3. Edit entries as needed for the Domain:
a. The Name used to identify the domain.
b.
Adding RADIUS Clients
You can add and update RADIUS clients (PCM switches and manually added clients) on supported RADIUS servers used to enforce RADIUS authentication. This wizard allows you to configure consistent RADIUS parameters on RADIUS servers and HP PCM switches. In addition, it detects possible conflicts between parameters already configured on the servers and the parameters you are configuring.
4. Select the PCM switches to be configured as RADIUS clients on the selected RADIUS servers.
Figure 3-47. Add RADIUS Client Wizard, Device Selection
a. Use the Available devices drop-down to display the devices by model.
b. From the Available devices list, select the IP addresses of the PCM switches that will be added as RADIUS clients.
c. Click Next.
As an example, suppose two RADIUS servers (S1, S2) and two RADIUS clients (C1, C2) are selected in the wizard. Both C1 and C2 already exist as RADIUS clients in both S1 and S2. The Duplicate IP Addresses step will contain four rows:
1. C1 exists on S1
2. C1 exists on S2
3. C2 exists on S1
4. C2 exists on S2
Three kinds of scenarios can emerge, depending on what you select: RADIUS servers being discarded from a RADIUS client configuration.
Figure 3-48. Add RADIUS Client Wizard, RADIUS Parameters
To configure RADIUS parameters for a single client:
a. In the RADIUS clients list on the left, select the RADIUS client that you want to configure.
b. Select up to three RADIUS server parameters check boxes to represent the number of RADIUS servers where the specified client will be configured.
c.
a. In the RADIUS clients list on the left, select All RADIUS clients to configure all listed clients.
b. Check up to three RADIUS server parameters check boxes to represent the number of RADIUS servers where the selected clients will be configured.
Figure 3-49. Add RADIUS Client Wizard, Application of Settings
9. The final window of the Add RADIUS Clients wizard provides a summary of the application process. Ensure the configuration(s) were completed successfully and click Finish to close the wizard.
Deleting RADIUS Servers
To delete an existing RADIUS Server:
Note: Before you can completely delete the RADIUS server, you need to uninstall the IDM Agent on the server. Otherwise, the RADIUS server may be re-discovered, causing it to re-appear in the IDM tree.
1. Use the IDM Tree to navigate to the RADIUS List window, and select the RADIUS Server you want to delete in the list.
2. Click the Delete RADIUS button on the Radius List toolbar.
3.
Adding New Users
You can let the IDM Agent automatically learn about the users from the Active Directory or RADIUS server on which it is installed, or you can define user accounts in the IDM Client. You can also use the IDM User Import feature in the Tools menu.

Adding users in IDM: Manual Process
To add a new User in IDM: 1.
3. To restrict the user from logging in from a system that has not been defined in IDM, click the Systems tab to configure system permissions. Otherwise, click OK to save the user and close the window.

Configuring User Systems
1. To restrict the user’s access to specific systems, click the Systems tab.
Figure 3-52. User Systems tab display
You select from systems shown in the All Systems list, and click >> to move them to the Allowed Systems list.
Bulk import of allowed systems for IDM users
If multiple MAC addresses are to be added to the list of allowed systems for multiple users, the administrator can use a feature that supports bulk import of allowed systems. The allowed systems are specified in comma-separated value format in a file. The following attributes must be set in the C:\Program Files\HewlettPackard\PCM\server\config\IDMImportServerComp.scp.
ALLOWED_SYSTEMS_FILENAME specifies complete path of the Comma Separated Value (CSV) file. The values specified in the CSV file are in the following format: , , , , The MAC addresses can be specified in multiple lines for the same Auth ID or they can be specified in the same line.
Note: Changes in Access Policy Group settings are not applied to the user until you Deploy the new configuration to the IDM Agent on the RADIUS server. See “Deploying Configurations to the Agent” on page 3-66 for details.

Deleting a User
1. Select the User in the User List.
2. Click the Delete User button in the toolbar.
3. Click Yes in the Confirmation pop-up to complete the process. The user is removed from the User List.
Using the User Import Wizard
The IDM User Import Wizard lets you add users to IDM from another source, such as an Active Directory or LDAP server. The IDM Import Wizard also synchronizes the IDM user database with the import source directory, and allows you to delete users from the IDM user database that are not found in the import source directory.
directory. If you are using any other LDAP directory source (for example Novell eDirectory or OpenLDAP) you will need to modify the LDAP Directory settings as described in “Editing IDM Configuration for LDAP Import” on page 3-95.
c. For XML, supply the filename (including the directory path). This file must exist on the IDM Server system.
d. For CSV, supply the filename (including the directory path).
Figure 3-53. IDM User Import Wizard
3. Click Next to continue to the Data Source selection window.
Figure 3-54.
4. Click the radio button to select the Active Directory data source.
5. Click Next to continue to the Group Scope window.
Figure 3-55.
6. Select the scope of Active Directory groups from which you want to import user data.

Option          Imports users from...
All             All Active Directory groups
Global          The Global Active Directory group. This will also get user data from any custom defined group in your Active Directory.
Universal       The Universal Active Directory group
Domain Local    The Domain Local Active Directory group
System          The System Active Directory group

7.
Figure 3-57. IDM User Import Wizard, Add Users
11. Check the Select check box(es) to choose the users you want to import from the Active Directory to IDM. The current Import data is compared to the existing user list in IDM. If no new (additional) users are found in the import data, the user list is empty. If any user exists in more than one Active Directory group, you will be prompted to select the group the user will belong to in IDM.
a.
13. Click Next to continue to the Users and Groups Commitment window.
Figure 3-58. IDM User Import Wizard, Users and Groups Commitment
14. Click Go to save the selected group and user data (adds and deletes) to IDM.
15. When the commit data function is done, click Next to continue to the Import Complete window. A summary of the IDM Import displays.
16. Click Finish to exit the wizard.
Figure 3-59. IDM User Import Wizard, LDAP Authentication
a. To use the SSL authentication method, select the Use SSL check box.
Note: To use SSL, ensure that your LDAP server supports SSL. The X509 certificate for your LDAP server must be installed in your Java trust store, and the PCM server must be restarted after installing the certificate. Contact your (LDAP) Administrator to get the certificate.
b.
c. Select the LDAP Authentication type to be used with the imported user data:

Option        Authentication type
Simple        Simple authentication, which is not very secure, sends the LDAP server the fully qualified DN of the client (user) and the client's clear-text password.
Digest-MD5    In Digest MD5, the server generates a challenge and the client responds with a shared secret (password).
Figure 3-60. IDM User Import Wizard, Simple Authentication
To set up Simple authentication:
1. In the Server field, type the IP address or DNS name of the LDAP server.
2. In the Domain field, type the domain name. (It will be used to create a domain in IDM.)
3. Optionally, in the Base DN field, type the Base Distinguished Name. IDM will search only for users and groups from this node of a directory tree.
4.
Figure 3-61. IDM User Import Wizard, SASL Digest MD5 Authentication
To set up Digest MD5 authentication:
1. In the Server field, type the DNS name of the LDAP server.
2. In the Domain field, type the domain name. It is used to create a domain in IDM.
3. Optionally, in the Base DN field, type the Base Distinguished Name. IDM will search only for users and groups from this node of a directory tree.
4.
Figure 3-62. IDM User Import Wizard, SASL Kerberos V5 Authentication
To set up Kerberos V5 authentication:
1. In the Server field, type the IP address or DNS name of the LDAP server.
2. In the Domain field, type the domain name. It will be used to create a domain in IDM.
3. Optionally, in the Base DN field, type the Base Distinguished Name. IDM will search only for users and groups from this node of a directory tree.
4.
Figure 3-63. IDM User Import Wizard, SASL External Authentication
To set up External authentication:
1. In the Server field, type the DNS name of the LDAP server.
2. In the Domain field, type the domain name. It is used to create a domain in IDM.
3. Optionally, in the Base DN field, type the Base Distinguished Name. IDM will search only for users and groups from this node of a directory tree.
4. In the Keystore field, type the keystore file name.
For example, if the X509 User Certificate is "myldapcert.cer" and the alias is "mycert", use the following command to import the certificate into a keystore in c:\idmuser\mykeystore on your IDM server:

C:\idmuser> keytool -import -file myldapcert.cer -alias mycert -trustcacerts -keystore .\mykeystore

If you are using a PKCS12 keystore, ask your LDAP Administrator to provide you with the PKCS12 certificate along with the key.
The remainder of the process for importing users from LDAP Servers is the same as described for importing users from Active Directories.
• Select the Groups and Users to Import to IDM.
• Select Users to remove from IDM (if applicable).
• Commit the selected groups and users (adds and deletes) to IDM.
        KERBEROS_JAAS_CONFIG_FILE=config/idm_kerberos_jaas.conf // configuration file for JAAS Kerberos configuration.
    }
}
LDAP_DIRECTORY_CONFIG {

When using Active Directory:

// Configuration for LDAP directory. Following values are for Active Directory. Change as needed per object class and attributes in LDAP directory being used.
USER { // User object
    OBJECT_CLASS=User // User object class
    LOGON_NAME=sAMAccountName // Login name attribute.
When using Novell eDirectory:

// Configuration for LDAP directory. Following values are for Novell eDirectory. Change as needed per object class and attributes in LDAP directory being used.
USER { // User object
    OBJECT_CLASS=User // User object class
    LOGON_NAME=uid // Login name attribute.
Figure 3-65. IDM User Import Wizard, XML Data Source

To identify the XML file:
1. In the File name field, type the complete path and name of the XML file.
2. Click Next to continue to the Extract Users and Groups window.

The remainder of the process for importing users from LDAP Servers is the same as described for importing users from Active Directories.
a. Select the Groups and Users to Import to IDM.
b.
The description and displayName for the User element and the description for the Group element are optional. Some Group elements may not have Member elements, for example the other group in the above example.
■ Any line that begins with the # character is considered a comment.
■ Auth ID must be a valid MAC Address in any standard format (multi-dash, single-dash, no-delimiter, multi-colon).
■ If duplicate entries for an Auth ID are found, then only the first line is considered and the duplicate entries are skipped.
■ All the fields in the CSV file are compulsory. If any field is absent, then data will not be interpreted correctly by the wizard.
"user44","444444444444","44dev","facultyGroup","faculty","faculty desc"

Note: If you export data from Microsoft Excel to a CSV file and then import that CSV file into the IDM database using the IDM Users Import wizard, comment out the first line, which lists the column headers, with the # character before feeding the file to the wizard.

For troubleshooting, see IDMImportServer-IDMImportServerLogger.
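The file rules above can be checked before the wizard is run. The following Python sketch is an added example, not HP code: it applies the comment, MAC-format, duplicate and compulsory-field rules to a constructed sample file. The six-field row shape and the Auth ID position are assumptions taken from the sample row above, the column names in the sample header are hypothetical, and treating one MAC written in two notations as a duplicate is also an assumption.

```python
import csv
import re

# The four MAC notations the page accepts for Auth ID.
MAC_FORMATS = {
    "multi-dash": re.compile(r"^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$"),
    "single-dash": re.compile(r"^[0-9A-Fa-f]{6}-[0-9A-Fa-f]{6}$"),
    "no-delimiter": re.compile(r"^[0-9A-Fa-f]{12}$"),
    "multi-colon": re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$"),
}
EXPECTED_FIELDS = 6  # assumption: shape of the page's sample row
AUTH_ID_INDEX = 1    # assumption: Auth ID is the second field

# Constructed sample input; header names are hypothetical.
SAMPLE = '''\
# exported device list (comment line, ignored)
"user44","444444444444","44dev","facultyGroup","faculty","faculty desc"
"user45","44-44-44-44-44-44","45dev","facultyGroup","faculty","same MAC again"
"user46","00:1a:2b:3c:4d:5e","46dev","staffGroup","staff","staff desc"
"user47","001a2b-3c4d5f","47dev","staffGroup","staff",""
"Name","Auth ID","Device","Group","Profile","Description"
"user48","00:1a:2b:3c:4d","48dev","staffGroup","staff","short MAC"
'''


def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if no listed notation matches."""
    value = value.strip()
    if any(p.match(value) for p in MAC_FORMATS.values()):
        return re.sub(r"[-:]", "", value).lower()
    return None


def preflight(text):
    """Return (accepted_rows, problems); problems are (line_number, reason)."""
    accepted, problems, first_seen = [], [], {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comments carry no data
        row = next(csv.reader([line]))
        if len(row) != EXPECTED_FIELDS or any(not f.strip() for f in row):
            problems.append((lineno, "missing or empty field"))
            continue
        mac = normalize_mac(row[AUTH_ID_INDEX])
        if mac is None:
            # An un-commented Excel header row is caught here too.
            problems.append((lineno, "Auth ID is not a valid MAC address"))
            continue
        if mac in first_seen:
            problems.append(
                (lineno, f"duplicate Auth ID, first seen on line {first_seen[mac]}"))
            continue
        first_seen[mac] = lineno
        accepted.append(row)
    return accepted, problems


if __name__ == "__main__":
    rows, issues = preflight(SAMPLE)
    for lineno, reason in issues:
        print(f"line {lineno}: {reason}")
    print(f"{len(rows)} rows ready for import")
```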
a. From the global toolbar, select Tools > Preferences.
b. From the Preferences navigation tree, select Identity Management > User Directory Settings.
c. In the Identity Management: User Directory Settings pane, clear the Enable automatic Active Directory synchronization check box, and then click OK.

Figure 3-67. Preferences

2. From the global toolbar, select Tools > IDM User Import to launch the IDM Import Wizard.

Figure 3-68.

3. Click Next to continue to the Data Source selection window.

Figure 3-69. Data Source

4. Click the radio button to select the CSV file as data source.
5. Enter the path of the CSV file. Note that this is the path on the server system.

Figure 3-70. CSV Data Source

6. Click Next to go to the Extracting User and Group Information window.
Figure 3-71. Extracting User and Group Information

7. The IDM Import Wizard now shows all the users added to the IDM DB. Click Select All, and then click Next to go to the Remove Users window.

Figure 3-72.

Figure 3-73. Remove Users

8. Without changing any settings in the Remove Users window (that is, Deselect All), click Next to go to the Users and Groups Commitment window.

Figure 3-74. Users and Groups Commitment

9. Click Go. The devices imported to the IDM DB can now be seen in the Users Tab view.
Figure 3-75.

10. The Import Complete window appears. Click Finish.

Figure 3-76. Import Complete

11. In the Users tab view, all the newly added device owners appear in the last column.

Figure 3-77. Devices Added to User Tab View

12. Enable the Active Directory synchronization from the User Directory Settings for IDM to make the Active Directory changes.

Note: After re-enabling the Active Directory synchronization, the Name and Description fields are overwritten by the corresponding values configured for that owner in the Active Directory.

13. If the specified CSV file does not exist, the following error appears.

Figure 3-78.

Figure 3-79.
4 Using the Secure Access Wizard

Overview

The Secure Access Wizard (SAW) feature in IDM is designed to simplify the initial setup of IDM by reducing the complexity of securing the network edge. SAW facilitates the process of securing the network edge by targeting a group of devices and using a highly intuitive GUI to configure network access rather than configuring each device via CLI.
Supported Devices

The Secure Access Wizard feature is available on PCM devices that support use of 802.1X, Web-Auth, and MAC-Auth access control methods. For a complete list of what features are supported on each device, refer to the table in Appendix A under “Device Support for IDM Features”.
Using Secure Access Wizard

Note: The following section provides instructions on using the Secure Access Wizard to configure access security settings on PCM devices that support port-based user authentication using 802.1X, Web-Auth, or MAC-Auth. For a more complete description of implementation of these user authentication features, please refer to the Access and Security Guide for the switch. Switch guides are available on the Web at: http://www.
Note: If you do not have a licensed copy of the PCM Mobility Manager software and there are wireless devices discovered by PCM, the Excluded Devices window displays, with the list of devices, model, and installed switch software version. Use the Device Capabilities link to determine if you can upgrade the device software to a version that will support the secure access settings.

Figure 4-2. Secure Access Wizard, Device Selection example

3.
4. Click Next to continue to the next window.
5. If you selected one or more AP530 wireless devices, the 530 Group Configuration Check Step window appears and displays information about each selected AP530 that supports the group configuration feature. One AP530 will be selected as the Master device and will be the only AP530 configured.

Use the Device Capabilities link to determine if you can upgrade the device software to a version that supports the secure access settings.
7. To filter the list to display only devices for one device group (model), select the device group from the Available devices list.
8. Select a device (or devices) in the Available devices list, then click >> to move it to the Excluded devices list.
9.
Figure 4-4. Secure Access Wizard, Authentication Method Selection example

14. Click the check box to select the authentication method (802.1X, Web-Auth, or MAC-Auth) to be used for user (client) access to the device. Click Select All at the top of the column to apply the same authentication method to all devices that support it.

Figure 4-5. Secure Access Wizard, Port Selection example

16. To select ports from a list, click the Select Ports button and then click Select all to select all ports or select the Selected check box for each port to which the secure access settings will apply. Double-clicking a row selects or unselects the port.

Figure 4-6. Secure Access Wizard, Select Ports

When the desired ports are selected, click OK to validate and save your selections.
17. To manually enter port numbers, in the Port to secure field, type the ports to which the secure access settings will apply. Enter any combination of single port numbers and port ranges separated by commas. For example, type A1,A3-A5,A7 to apply the access settings on ports A1, A3, A4, A5, and A7.

• If you selected a wireless device, the WLAN selection window displays, as described in step 9.
• If you selected only wired devices, the authentication configuration window displays.
  – For 802.1X, go to step 12.
  – For Web-Auth, go to step 13.
  – For MAC-Auth, go to step 14.
19. The WLAN Selection window displays the list of Wireless devices you selected. Click a device to expand the list to show the WLANs (SSIDs) configured on the device.
22. The 802.1X Configuration window lets you select the authentication method to be applied in the secure access settings for the selected devices.

Figure 4-8. Secure Access Wizard, 802.1X Configuration display

The configuration options displayed will vary based on the selected device set: wired, wireless, or both.
a. Select the authentication method for the selected device types. Only one method can be applied. For Wired devices the 802.
b. In the Client Limit field, select or type the maximum number of clients to allow on one port simultaneously (default is 1).
c. Click the Advanced Settings for Wired 802.1X link to configure the advanced settings.

Figure 4-9. Secure Access Wizard, Advanced Settings for Wired 802.1X

d. Select the check box to select the setting to configure, then enter the parameter to be applied.

Option            Configures....
Server timeout    The authentication server response timeout (default 30 sec). Valid values are 1-300.
Max requests      The maximum number of times the switch retransmits authentication requests. Valid values are 1-10, the default value is 2.
Re-auth period    The re-authentication timeout (in seconds, default 0), set to 0 to disable re-authentication.
23. The Web-Auth Configuration window lets you select the RADIUS authentication method settings to be applied in the secure access settings for Wireless Services Modules (2.x or higher).

Figure 4-10. Secure Access Wizard, Web-Auth Configuration

a. Click the radio button to select the RADIUS authentication protocol.

Figure 4-11. Secure Access Wizard, Advanced Wired Web-Auth

Advanced Web-Auth settings for wired devices include:

Option                   Configures....
DHCP address and mask    The base address and mask for the temporary pool used by DHCP (base DHCP address default is 192.168.0.0, and the mask default is 24 - 255.255.255.0).
Redirect URL             The URL that the user should be redirected to after successful login. The default is no redirect (blank field).
Logoff period            The period of time (seconds) after which a client will be considered removed from the port for a lack of activity. Disabled by default, valid values are 0-999999999, 0 is disabled.
Quiet period             The period of time the switch does not try to acquire a supplicant. Valid values are 0-65535, the default value is 60 sec.
Figure 4-12. Secure Access Wizard, MAC-Auth Configuration display

a. Select the MAC address format.
b. Click the Advanced Settings for Wired MAC-Auth link to configure the advanced settings for MAC-Auth on wired devices.

Figure 4-13. Secure Access Wizard, Advanced (wired) MAC-Auth settings

c. Click the check box to select the setting to configure, then enter the parameter to be applied. When a parameter is configured, the Reset to default values option is enabled. Click the link to restore the advanced settings for wired MAC-Auth defaults.

Advanced MAC-Auth settings for wired devices include:

Option                 Configures....
Allow address moves    Whether MAC can move between ports. The default is disabled (No).
Unauth-vid             The VLAN to which the port is assigned when the user has not been authorized by MAC authentication. Valid values are any defined VLAN, and the default value is VLAN 1.
Auth-vid               The VLAN to which the port is assigned when the user has been authorized by MAC authentication.
a. Select the check box for a RADIUS server to enable the server IP address field, and then enter the IP address for the server. The IP address will be validated. If it is invalid or a duplicated IP, a text message indicating the error is displayed. You cannot continue until a valid IP address is entered.

Enter the RADIUS shared secret to be used for access authentication. Re-enter the shared secret in the Confirm shared secret field. If not using the same shared secret on all the devices, enter the RADIUS shared secret for each device in the list. Use the scroll bar as needed to move down the list. You will not be able to continue until the RADIUS shared secret is set for each device in the list.
28.
34. Click the link to Save settings or Save as template, and launch the Save Settings dialog to provide a name for the saved settings file. The data fields are the same for both the Save Settings and Save Template dialogs.

Figure 4-17. Secure Access Wizard, Save Settings dialog

35. Type a Name to apply to the secure access settings file, and (optionally) a description.

Figure 4-18. Secure Access Wizard, Configuration Preview display

39. Review the access security configuration settings, using the scroll bar as needed to move through the information.
40. If the configurations are correct, click Next to apply the settings to the devices.

Figure 4-19. Secure Access Wizard, Applying Settings status

This window displays the progress of applying the security settings to the selected devices, and will indicate if any errors occur during the process. Click View Log to display process status messages and errors. Click Abort to halt application of the security settings before the process is started on the next device in the list.
5 Troubleshooting IDM

IDM Events

The IDM Events window is used to view and manage IDM events generated by the IDM application or the IDM Agent installed on a RADIUS server. This window helps you quickly identify IDM-related problems in your network. To view the IDM events, click the Events tab in the Identity Management Home pane.

Figure 5-1.
The IDM Events tab works similarly to the PCM Events tab. It lists the IDM events currently contained in the database. By default, the event listing is categorized by level of severity. Sortable columns of information are available for each event:

Table 5-1. Events tab parameters

Column    Displays...
Source    The name or IP address of the component or device that generated the event.

Select an event in the Events listing to display the Event Details at the bottom of the window.

Figure 5-2. IDM Event Details

The details provide additional event description information. The details will vary based on the type of event. Use the scroll bar or drag the top border of the Event Details section to review the entire event description. Acknowledging an event indicates that you are aware of the event but it has not been resolved.
Using Event Filters

The events shown in the Events tab view can be filtered to show only specific events based on the device that generated the event, severity, dates and times of occurrence, or description. Click the Filtering button to display or hide the Filters at the top of the Events tab. You can use any single parameter, or a combination of parameters.

Figure 5-3. Events Filter

1. To create a filter:
a. Select a check box to activate a field.
b. Unselect any filters that you want to remove.
c. Click Apply.
4. To clear all selections that are currently set in the filters, click Clear. This does not affect saved filters.
5. To clear current entries in the Filters section (that have not yet been saved) and go back to the last saved filter settings, click Revert. This does not affect saved filters.
Figure 5-4. IDM Event Archive

The Archived Events window provides the following information for each event:

Table 5-2. Archived IDM Events parameters

Column    Displays...

To further filter archived events, in the Filter field type the text of the filter you want to use. The display will list only events containing the filter text in any of the data fields.

To generate a report from the Event Archive:
• To generate a report that can be printed or saved to disk, click Generate Report. This will create and display a report with the data from the Archive Event view.
• To display the next page, click > in the bottom left corner.
Figure 5-5. Preferences, IDM Events

2. Use the fields in the Retain Messages section to set the percentage of IDM event types you want to save in the Events database and display in the Events tab. These percentages are based on the overall size set in the Max number of events field, and must equal 100 percent.
4. In the Archive events older than field, select the number of days to wait before archiving IDM events.
5. Use the Limit archive storage to field to set the maximum size of the IDM event archive storage limit (1-100 Gbytes). By default, IDM event archive storage is limited to 1 gigabyte.
OR
To stop archiving IDM events in the Event Log, clear the Archive IDM events check box.
6.

Figure 5-6. RADIUS Server Activity Log

The Activity Log provides information similar to IDM Events, except that the entries are specific to the selected server. See “IDM Events” on page 5-1 for additional information. You can acknowledge and delete events, but you cannot “filter” entries in the Activity Log.
Using Decision Manager Tracing

IDM provides a tracing tool (DMConfig.prp) and log file (DM-IDMDM.log) to assist with troubleshooting IDM problems that may occur. These files are included on the IDM Agent when it is installed on the RADIUS server.

Note: The Decision Manager (DM) is an internal component of the IDM Agent.

The default configuration has the tracing options turned off because of the performance degradation when tracing is used.

■ Configuration deployments to the IDM Agent, along with the actual configuration image.
Quick Tips

Placing IDM Server into the AD Domain

If you installed a PCM/IDM server on a system that was not a member of the Active Directory domain, you can follow these steps to place the server inside the domain without having to reinstall PCM/IDM server.

Important: You must follow steps 2 and 3 in the order listed below to avoid having to reinstall PCM/IDM server.

1. If you haven’t already done so, place the PCM server machine into a domain.
2.

Note: After this configuration, the snac-jboss-server.log will no longer be present in the server/log directory. However, the same log will be present with the default name server.log in the installation directory: Hewlett-Packard\PCM\snac\server\default\log.
A IDM Technical Reference

Device Support for IDM Features

Due to variations in hardware and software configuration of various HP Networking devices, not all IDM features are supported on all devices. The following table indicates IDM functionality supported by device type and minimum software requirement, if applicable, at the time this manual was published. Supported features are marked with an X.
IDM Technical Reference Device Support for IDM Features Table A-1. Feature/Device Support for IDM 4.0 Switch/Wireless Device Min SW Req’d 2500 series See footnotes 2520 S.14.30 X X 2520G J.14.54 X X 2615 and 2915 A.14.15 2600, 2626, 2650 (PWR included) See footnotes 2620 RA.15.06.0009 2800 series ACLs VLANs QoS Rate Limit MACAuth WebAuth Xa X X X X X X See footnotes X X 3400cl See footnote X X 3500 K.14.89 / K.15.06.0008 X X 3800 KA.15.03.
IDM Technical Reference Device Support for IDM Features Switch/Wireless Device Min SW Req’d ACLs VLANs WESM 1.0 X X WESM 2.0 X X QoS X Rate Limit MACAuth WebAuth 802.1X X X X X X X X X MAFR MBV a - F.05.14; b - F.04.08; c - H.07.54; d - H.08.53; e - H.07.41; f - I.08.51; g- I.08.51;h - I.07.31; i - M.08.51; j - G.04.04; k - E.10.05; l - E.05.04; m - K.15.06.0008 (with v2 interface modules); n - H.07.41; o - K.15.06.0008 (with v2 interface modules); p - 07.1.24; q - 02.1.
Best Practices

Authentication Methods

The IDM application is designed to support RADIUS server implementation with 802.1X using supplicants, as well as Web-auth and MAC-auth. However, to gain the full benefits of using IDM, HP advises that you implement RADIUS using an 802.1X supplicant.

Allowing vs. Rejecting Access

When evaluating the rules for the Access Policy Group when a user logs in, IDM is looking to match all three of the parameters (Location, Time, System). If it does not get a match on all three, it will go to the next rule in the list. When a match on all three parameters is found, the Access Profile for that rule is applied.

The other important piece in this process is the order of the rules. In the second example, if you change the order of the rules, users would be allowed access all the time. The two examples above are quite simple. However, in instances where you want to be able to restrict user access to specific areas of the network at specific times, or restrict network resources to users at specific times and locations, the decision to use the “allow” vs.
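To make the effect of rule order concrete, the following Python sketch is an added example, not IDM's implementation: it evaluates rules first-match on Location, Time and System as described above, and flags rules that can never be reached because an earlier rule covers them. The ANY wildcard, the profile names, the sample rules and the no-match result (None) are assumptions of the sketch.

```python
from dataclasses import dataclass
from datetime import time

ANY = "ANY"  # wildcard used by this sketch


@dataclass(frozen=True)
class Rule:
    location: str        # location name, or ANY
    hours: object        # (start, end) pair of datetime.time, or ANY
    system: str          # system name, or ANY
    access_profile: str  # profile applied when all three parameters match


def matches(rule, location, at, system):
    """A rule matches only if Location, Time and System all match."""
    time_ok = rule.hours == ANY or rule.hours[0] <= at < rule.hours[1]
    return (rule.location in (ANY, location)
            and time_ok
            and rule.system in (ANY, system))


def evaluate(rules, location, at, system):
    """Walk the rules in order; the first full match decides the profile."""
    for index, rule in enumerate(rules):
        if matches(rule, location, at, system):
            return index, rule.access_profile
    return None, None  # assumption: the sketch reports "no rule matched"


def covers(earlier, later):
    """True if every login matched by `later` is also matched by `earlier`."""
    def field_ok(a, b):
        return a == ANY or a == b
    if earlier.hours == ANY:
        hours_ok = True
    elif later.hours == ANY:
        hours_ok = False
    else:
        hours_ok = (earlier.hours[0] <= later.hours[0]
                    and later.hours[1] <= earlier.hours[1])
    return (field_ok(earlier.location, later.location)
            and field_ok(earlier.system, later.system)
            and hours_ok)


def shadowed(rules):
    """Indices of rules that are unreachable because an earlier rule covers them."""
    return [j for j, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:j])]


# Constructed rules; profile names are hypothetical.
REJECT_NIGHT = Rule(ANY, (time(1, 0), time(5, 0)), ANY, "Reject")
ALLOW_ALL = Rule(ANY, ANY, ANY, "Default Access")
ORDERED = [REJECT_NIGHT, ALLOW_ALL]   # restrictive rule first
SWAPPED = [ALLOW_ALL, REJECT_NIGHT]   # same rules, order changed

if __name__ == "__main__":
    for name, rules in (("ordered", ORDERED), ("swapped", SWAPPED)):
        print(name, evaluate(rules, "Library", time(2, 30), "laptop-1"),
              "unreachable rules:", shadowed(rules))
```

Running the audit on a rule list before deployment shows whether a broad rule placed early has silently disabled a reject rule below it.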
Types of User Events

The USER_FAILED_LOGIN event happens whenever RADIUS sends IDM a message of an unsuccessful login. This can have various sources, which you can review in the Event Details. It can be either because IAS didn’t let the user log in (bad username, password, and so forth) or because IDM rejected the login.