User’s Guide ProCurve Identity Driven Manager Software Release 2.3 www.procurve.
© Copyright 2008 Hewlett-Packard Development Company, LP. All Rights Reserved. This document contains information which is protected by copyright. Reproduction, adaptation, or translation without prior permission is prohibited, except as allowed under the copyright laws. Publication Number 5990-8851 May, 2008 Disclaimer The information contained in this document is subject to change without notice.
Contents

1 About ProCurve Identity Driven Manager
  Introduction 1-2
  Why IDM? 1-3
  What’s New in IDM 2.3 1-5
  IDM Architecture 1-6
  Terminology

  IDM Preferences 2-36
  Using Active Directory Synchronization 2-38

3 Using Identity Driven Manager
  IDM Configuration Model 3-3
  Configuration Process Review 3-3
  Configuring Identity Management

4 Using the Secure Access Wizard
  Overview 4-2
  Supported Devices 4-2
  Using Secure Access Wizard 4-3

5 Troubleshooting IDM
  IDM Events
1 About ProCurve Identity Driven Manager

Chapter Contents
  Introduction 1-2
  Why IDM? 1-3
  What’s New in IDM 2.3 1-5
  IDM Architecture
Introduction

Network usage has grown rapidly with the expansion of the Internet, wireless, and convergence technologies, which increases the burden on network managers who must control how the network is used. The complexity of large networks also makes it difficult to control network access and usage by individual users.
Why IDM?

Today, access control using a RADIUS system and ProCurve devices (switches or wireless access points) is typically made up of several steps.

Figure 1-2. Current Access Control process

1. A client (user) attempts to connect to the network.
2. The edge device recognizes a connection state change and requests identifying information about the client. This can include the MAC address, a username and password, or more complex information.
3.

When using IDM, the authentication process proceeds as described in the first three steps, but from that point on it changes as follows:

4. The RADIUS server validates the user’s identity against the user directory. Based on the validation result received from the user directory, the authentication server returns an accept or deny response to the switch.
What’s New in IDM 2.3

ProCurve Identity Driven Manager version 2.
IDM Architecture

In IDM, when a user attempts to connect to the network through an edge switch, the user is authenticated via the RADIUS server and user directory. IDM then returns the user’s "access profile" to the switch along with the authentication response from RADIUS.

• A Decision Manager that receives the user data and checks it against the user data in the local IDM data store. Based on the parameters defined in the data store for the user data received, the Decision Manager outputs access parameters for VLAN, QoS, bandwidth, and network resource access to the RADIUS interface component.
• A Local Data Store that contains information on Users and the Access Policy Groups to which each user belongs.
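The exchange described above, where the authentication server returns an accept or deny to the switch and IDM's RADIUS interface component adds the access parameters as attributes, as an added example that is not part of this guide or of HP's IDM code. It builds a RADIUS Access-Accept carrying the standard RFC 2868 VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), computes the RFC 2865 Response Authenticator, and shows the check the switch must perform before it honours any attribute in the response. The shared secret, packet identifier, Request Authenticator and VLAN number are constructed for the example; the HP vendor-specific attributes IDM uses for QoS, bandwidth and ACLs are not modelled.

```python
"""RADIUS Access-Accept carrying a VLAN assignment: build, verify, decode.

Added example, not code from the IDM guide or from HP. It models the exchange
described above (server returns Accept/Reject, IDM adds access parameters as
RADIUS attributes) using only the standard RFC 2868 VLAN attributes; the
shared secret, packet identifier, Request Authenticator and VLAN are
constructed for the example.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def attr(atype: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length includes the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def tagged_int(atype: int, value: int, tag: int = 0) -> bytes:
    """Tagged integer tunnel attribute: one tag byte, then a 3-byte value."""
    return attr(atype, bytes([tag]) + value.to_bytes(3, "big"))


def vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """The three attributes a switch needs to place the port in `vlan_id`."""
    return (tagged_int(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def build_response(code: int, ident: int, request_auth: bytes,
                   attributes: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return header + hashlib.md5(header + request_auth + attributes + secret).digest() + attributes


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Switch side: recompute the authenticator before trusting any attribute."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(attributes: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list, refusing lengths that run past the buffer."""
    out, i = [], 0
    while i < len(attributes):
        if i + 2 > len(attributes):
            raise ValueError("truncated attribute header")
        atype, alen = attributes[i], attributes[i + 1]
        if alen < 2 or i + alen > len(attributes):
            raise ValueError("bad attribute length")
        out.append((atype, attributes[i + 2:i + alen]))
        i += alen
    return out


def assigned_vlan(packet: bytes) -> Optional[int]:
    """VLAN in an Access-Accept, or None for a Reject / no VLAN attribute.
    RFC 2868: a leading byte of 0x00-0x1F is a tag, otherwise it is part of the string."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    for atype, value in parse_attributes(packet[20:]):
        if atype == ATTR_TUNNEL_PRIVATE_GROUP_ID and value:
            return int((value[1:] if value[0] <= 0x1F else value).decode())
    return None


def switch_decision(packet: bytes, request_auth: bytes, secret: bytes) -> Optional[int]:
    """What the edge switch does: drop anything unverified, then read the VLAN."""
    return assigned_vlan(packet) if verify_response(packet, request_auth, secret) else None


def demo() -> Dict[str, Optional[int]]:
    """Constructed exchange: Accept into VLAN 20, the same packet altered in flight, and a Reject."""
    secret = b"constructed-shared-secret"           # example value only
    request_auth = os.urandom(16)                    # the switch's Request Authenticator
    accept = build_response(ACCESS_ACCEPT, 7, request_auth, vlan_attributes(20), secret)
    tampered = accept[:-1] + bytes([accept[-1] ^ 0x01])   # "20" rewritten to "21" on the wire
    reject = build_response(ACCESS_REJECT, 8, request_auth, b"", secret)
    return {"vlan": switch_decision(accept, request_auth, secret),        # 20
            "tampered": switch_decision(tampered, request_auth, secret),  # None, dropped
            "reject": switch_decision(reject, request_auth, secret)}      # None, denied
```

Calling demo() returns the three outcomes. The point for an operator is the middle one: the VLAN, QoS and ACL parameters in a RADIUS response are only as trustworthy as the Response Authenticator and the shared secret behind it, so a weak or widely shared RADIUS secret lets anyone on the path between server and switch rewrite the access profile.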
Terminology

Authentication: The process of proving the user’s identity. In networks this involves the use of usernames and passwords, network cards (smartcards, token cards, etc.), and a device’s MAC address to determine who and/or what the "user" is.

Authentication Server: Authentication servers are responsible for granting or denying access to the network.

Realm: A Realm is similar to an Active Directory Domain, but it works across non-Windows (Linux, etc.) systems. Generally specified in the user name as "user@realm".

VLAN: A port-based Virtual LAN configured on the switch. When the client connection terminates, the port drops its membership in the VLAN.
IDM Specifications

Supported Devices

ProCurve Identity Driven Manager (IDM) supports authorization control functions on the following ProCurve devices*:

ProCurve Switches: 6400cl Series, 6200 Series, 5400 Series, 5300xl Series, 4200 Series, 3500 Series, 3400cl Series, 4100gl Series, 2800 Series, 2600 Series (PWR included), 6100 Series, 2500 Series
ProCurve Wireless (420, 520wl, 530)
Wireless Edge Services Module (WESM)
9300
9400

* Not all devices support all f

Supported Operating Systems for PCM+ and IDM Remote Client:
• MS Windows XP Pro (Service Pack 1 or later)
• MS Windows 2000 (Server, Advanced Server, or Pro with Service Pack 4 or later)
• MS Windows 2003 (Server or Enterprise Edition)

ProCurve Manager Plus software must be installed for IDM to operate. The IDM software cannot be installed as a separate component.
Registering Your IDM Software

If you have not purchased an IDM 2.0 or newer license, your installation will include the IDM interface changes made for IDM 2.0, but all new functionality (FUNK SBR support, User Import/Export, Access Control, and Endpoint Integrity support) will be disabled until you purchase and register an IDM license. If you want to test the IDM 2.2 functionality using the 30-day trial provided with the PCM 2.
Figure 1-6. ProCurve License Administration dialogue

You can also reach this screen from the Preferences window, which is accessed from the PCM Tools menu or by clicking the Preferences icon in the toolbar.

To register the IDM software:
1. Contact your HP Sales Representative or HP Reseller to purchase the PCM+ and IDM software.

7. In the Registration window:
   a. Select the product to register from the Product Type pull-down menu.
   b. Enter the Registration ID, found on the back of the software CD case or on the registration card you received when you purchased the software.
8. When you receive the License key, go back to the Licensing window in PCM. Enter the License key in the Add license field, then click Add.

Getting ProCurve Documentation From the Web
1. Go to the ProCurve website at http://www.procurve.com.
2. Click Technical Support.
3. Click Product manuals.
4. Click the product for which you want to view or download a manual.

ProCurve Support
Product support is available on the Web at http://www.procurve.com. Click Technical Support.
2 Getting Started

Chapter Contents
  Before You Begin 2-2
  Installing the IDM Agent 2-2
  Using the IDM Auto-Discover Feature 2-3
  IDM Configuration Process Overview 2-3
  IDM Usage Strategies
Before You Begin

If you have not already done so, review the list of supported devices and operating requirements under “IDM Specifications” on page 1-10. If you intend to restrict user access to specific areas of the network using VLANs, make sure the network is already set up for VLANs.

The IDM Client is included with the PCM+ software. To install a remote PCM/IDM Client, download the PCM Client to a remote PC using the same process as for installing the IDM Agent, but select the PCM Client option from the PCM server. For details, see the ProCurve Manager Getting Started Guide.

Using the IDM Auto-Discover Feature

You can manually configure the RADIUS server, Realms, and Users in IDM, or you can let IDM do the hard work for you.

5. Create the Access Profiles, which set the VLAN, QoS, and rate-limit (bandwidth) attributes and the network resources available to users in an Access Policy Group. (See page 3-26.)
6. Create an Access Policy Group, with rules containing the Location, Time, System, and Access Profile that are applied to users when they log in.

Understanding the IDM Model

The first thing to understand is that IDM works within the general concept of ‘domains’ or ‘realms’. Realms are very large organizational units; every user belongs to one, and only one, realm. While it is possible to have multiple realms, most organizations have only one, for example hp.com or csuchico.edu. The basic operational model of IDM involves Users and Groups.
IDM GUI Overview

To use the IDM client, launch the PCM Client on your PC: select the ProCurve Manager option from the Windows Program menu. The PCM Client starts up and displays the Login dialogue.

Figure 2-1. PCM Client Login dialogue.

If you did not enter a Username or Password during install, type in the default Username, Administrator, then click Login to complete the login and startup. An administrator account that can log in without a password should be given one before the PCM server is reachable from the rest of the network.

Select the IDM Tree tab at the bottom left of the PCM window to display the IDM Home window.

Figure 2-2. IDM Home Window

The IDM Home display provides a quick view of IDM status in the IDM Dashboard tab, along with a navigation tree and access to menu and toolbar functions. You can resize the entire window, and/or resize the panes (sub-windows) within the Identity Management Home window frame.
IDM Dashboard

The IDM Dashboard tab (window) contains four separate panels, described below.

Identity Management Status: The IDM Agent Status pane uses a color-coded histogram to indicate the number of currently active (green) and inactive (red) IDM Agents. Hovering the mouse pointer over a bar displays the exact number. The Users per Access Policy Group pane uses a pie chart to indicate the percentage of users currently assigned to each APG.

Using the Navigation Tree

The navigation tree in the left pane of the IDM window provides access to IDM features using the standard Windows file navigation layout. Click the nodes to expand the list and change the display in the right window panel.

Figure 2-3. IDM Navigation Tree

The IDM tree is organized as follows:

Realms: The top level of the tree lists each of the Realms that have been discovered by an IDM Agent or defined manually.
Figure 2-5. Realm Properties tab

Click the Users tab, underneath the realm Properties tab, to view a list of users in the Realm that were discovered by the IDM Agent or defined manually.

Figure 2-6. Realm Users tab

Expanding the Realm node in the tree displays the Access Policy Groups and RADIUS Servers nodes for the Realm.

Access Policy Groups: Click the Access Policy Groups node to display the Access Policy Groups tab with a list of currently configured groups.

Figure 2-7. Access Policy Groups tab

Click an individual group node in the tree to display the group’s Properties.

Figure 2-8. Access Policy Group Properties tab

The Users tab underneath contains the list of users currently assigned to the Access Policy Group.

RADIUS Servers: Clicking the RADIUS Servers node displays the RADIUS List tab, with status and configuration information for each RADIUS Server in the Realm that has an IDM Agent installed or that is manually defined.

Figure 2-9.

The Activity Log tab underneath the properties display contains a listing of IDM application events for that RADIUS server, such as server startup, server connections, user logins, and IDM configuration deployment.

Toolbars and Menus

Because IDM is a module within PCM, it uses the same Main Menu and Global toolbar functions. Individual tabs or windows within the IDM module also include separate component toolbars.
Using IDM as a Monitoring Tool

Whether or not you configure and apply access and authorization parameters using IDM, you can use IDM to monitor user sessions on the network and generate usage reports. You can use the monitoring features along with the IDM Reports to track usage patterns, user session statistics, bandwidth usage, top users, and so on.

Using IDM Reports

IDM provides reports designed to help you monitor and analyze usage patterns for network resources. The report options are available from the Tools menu.

Figure 2-12. IDM Reports Menu

When you select a report from the IDM Reports sub-menu, the Report wizard is launched; its screens and parameters vary depending on the type of report selected. Use the wizard to set filter options and selectable data elements.

Figure 2-13. Bandwidth Usage Report

You can save the report to a file or print it. To apply customized Report Header information for your company, use the Reports option in the global preferences (Tools –> Preferences –> Global –> Reports). The Schedule a report option in the Tools menu launches the Schedule Reports Policy Wizard, which lets you schedule reports to be created at recurring intervals.
Username: Username entered to log in
Realm: Realm associated with the access policy group to which the user is assigned
Friendly Name: Name of the user logging in with the username
Access Policy: Access policy group to which the user is assigned
Last Login: Date and time the user last logged in successfully
Denial Reason: Reason the login failed. Denial reasons can be generated by IDM or by the RADIUS server.

The following information is provided for each user included in the Bandwidth Usage report:

Username: Username used to log in
Realm: Realm (Access Policy Group and RADIUS server) to which the user is assigned
Access Policy Group: Access Policy Group governing the user's login to the RADIUS server
Input Bytes, Output Bytes, Total Bytes: The number of bytes (KB) processed during the user’s session, indicating the bandwidth usage for that user.
User Report: The User Report lists information for recent sessions in which the user participated, similar to the Session History report. To display the User Report, select a username in the Users tab of the Access Policy Group or RADIUS Server window, and then click the User Report icon in the toolbar.

Creating Report Policies

You can also use the Policy Manager feature to schedule reports to be created at regular intervals or in response to an event.

Figure 2-14. Policy Manager, Actions display

The Manage Actions window displays the list of defined Actions.

3. Click New... to launch the Create Action dialog:

Figure 2-15.

4. Select the Report Manager:Generate Report Action type from the pull-down menu.

Figure 2-16. Policy Manager, Select Action

5. Type in a Name for the Action (required) and a brief Description (optional).
6. Click OK to save the Action and display the Action Properties tab. The properties you set in the previous step should appear.

Figure 2-17. Policy Manager: Report Manager Action configuration

At this point the other tabs displayed are:
Type: Lets you select the Report type you want to generate. As soon as you select a report type, additional tabs may appear in the window depending on the filter criteria for the report.
Format: Lets you set the report output format.
Delivery: Lets you select where the report will be sent (to file, e-mail, etc.).

7.

Figure 2-18. Report Manager Action, Report type selection

8. Click the Report Filter tab to select the report criteria:
Report Filter: Lets you select the filter criteria to be applied when generating the report. The filter options vary based on the selected report.
9. Click the Format tab to set the report output style you want to generate.

Figure 2-19.

• PDF: Produce the report in .pdf format. To view this file format, you will need Adobe Acrobat Reader, which can be downloaded free from http://www.adobe.com/products/acrobat/readstep2.html.
• HTML: Produce the report in .html format, which can be viewed with any Web browser.
• CSV: Produce the report as comma-separated values with double quotes. This report can be viewed using WordPad or Notepad, or imported into spreadsheet programs such as Excel.

10.
Selecting FTP as the delivery method lets you save the report on an FTP site. Proxy support is not provided. Note that FTP carries the login credentials and the report contents (usernames, MAC addresses, session data) in cleartext, so deliver reports this way only across a network segment you trust.
a. In the FTP Server field, type the IP address of the FTP site where you want to save the report.
b. In the Path field, type the complete path to the server location where you want to save the report.
c. In the Filename field, type the filename you want to assign to the report.

You can access User Reports by right-clicking the user in the Users tab display in IDM, then selecting the report option.

IDM Session Cleanup Policy

The IDM Session Cleanup Policy is included in the PCM+ policies by default when you install IDM. The session statistics that IDM reports draw on are cleared by the Session Statistics Cleanup policy (in PCM) on the first day of each month. A special IDM Session Cleanup alert is used to define the schedule for the policy.
Figure 2-23. IDM Session Cleanup Schedule properties

4. Click the Schedule tab to review and edit the schedule parameters.

Figure 2-24.

5. Set the Start Date for enforcement of the policy. The default is the start date and time for IDM. You can type in a new date and time, or use the arrows to increase or decrease the date and time entries. Note that the clock uses 24-hour format; a time of 22:00 indicates a start time of 10:00 pm. To trigger the IDM Session Cleanup policy to run immediately, check the Run at first opportunity if schedule missed checkbox.
6.
User Session Information

You can use IDM just to monitor the network and receive detailed information about users' access to it. The User Session information provides statistics about exactly how the network is being used (when the user logged in and out, where the user logged in from, and how much bandwidth they consumed, for example).

The Session List provides a listing of recent sessions, including the following information:

Active: True if the user is currently logged in for this session, or False if the session has ended
Login Time: Date and time the user logged in
Login Successful: True if the user logged in successfully, or False if login failed
Location: Name of the location where the user logged in
Access Profile: Access profile assigned to the access policy group governing the user’s pe

The Session Information tab of the User Status window contains the following information:

Is Active: True if the user is currently logged in for this session, or False if the session has ended
RADIUS Server: IP address of the RADIUS server that authenticated the user
Login was successful: True if the user logged in successfully, or False if login failed
Reason login was unsuccessful: If the login was unsuccessful, the reason the RADIUS server or IDM denied the login

Figure 2-26. Location Information tab

The Location Information tab of the User Status window contains the following information:

Location name: Name of the location where the user logged in
Device address: IP address of the device used to log in
Device port: Port on the device used for the session

Click the Disable port or Enable port links to disable or re-enable the port used for the session.

The Access Information tab of the User Status window contains the following information:

Access Policy Group: Access policy group that governs user permissions for the session.
Access Profile: Access profile assigned to the access policy group.
QoS assigned: Quality of service or priority for outbound traffic. QoS ranges from lowest to highest.
Rate limit assigned: Maximum bandwidth allocated to the user by the access profile.
2. In the Username field, type the complete user name of the user you want to find (this field is not case-sensitive), OR in the MAC address field, type the MAC address of the computer you want to find. The octets of the MAC address can be separated by vertical bars (|), hyphens, or colons, or typed with no separators.
3.

3. Click the check boxes to select the data columns. If wireless settings are enabled, the WLAN and BSSID options also appear.
4. Click Finish to run the report. The report is displayed in a separate window on the IDM Client.
IDM Preferences

The IDM Preferences window is used to set up global attributes for session accounting and archiving, as well as to enable the Endpoint Integrity option. Click the Tools menu and select Identity Management to display the Preferences, Global:Identity Management window.

Figure 2-30. Global Preferences for IDM

Click the option check boxes to select (check) or deselect (blank) an option.

1. The Configuration Deployment option is used to automatically deploy IDM configuration settings (Access Profiles, Locations, Times, Network Resources) to the IDM agent. The default is to allow automatic configuration deployment. Select the Disable automatic deploy to IDM agents option if you do not want to use automatic IDM configuration deployment. If you "disable" the Configuration Deployment option.

Existing accounting records are not removed by the Reset procedures; the only effect is that currently open sessions are closed.
7. To ignore capability override warnings generated by switches that don't support certain capabilities (e.g., VLAN, QoS, Bandwidth, and ACL overrides), check the Ignore device capability warnings checkbox. Suppressing the warning does not make a switch enforce a capability it lacks; an access profile that relies on that attribute is not fully enforced at such a device.
8. To send only those attributes supported by the device, check the Only send supported device attributes to device checkbox.
9.
Figure 2-31. Identity Management Preferences: User Directory Settings.

1. Check the Enable automatic Active Directory synchronization option. When Active Directory synchronization is selected, the remaining fields in the display are enabled. The current status of the connection between IDM and Active Directory (AD Status) is displayed at the bottom of the window.
2.

4. To add a group to the "Groups to Synchronize" list, click Add or Remove Groups... to display the Add or Remove Groups dialog.

Figure 2-32. Active Directory Synchronization: Add or Remove Groups

Active Directory is queried for all groups in the domain, and the groups are displayed in the "Groups in Active Directory" list.

5. Select the Active Directory groups you want to synchronize to IDM, then click the >> button to move them to the "Groups to Synchronize" list. Use the Filter field to locate a group easily. To remove groups from the synchronization, select the group in "Groups to Synchronize" and click the << button to move it back to the "Groups in Active Directory" list.
6. Click OK to save the Groups to Synchronize and return to the User Directory Settings window.
7.

■ Users deleted from Active Directory while synchronization is disabled are assigned to the default Access Policy Group during the resynchronization process (instead of being deleted). This prevents users who were added by another method from being deleted. It also means a user removed from Active Directory keeps an IDM entry, so review what the default Access Policy Group grants and remove stale users by hand.
■ Within a Realm, Access Policy Group names must be unique.
3 Using Identity Driven Manager

Chapter Contents
  IDM Configuration Model 3-3
  Configuration Process Review 3-3
  Configuring Identity Management 3-4
  Configuring Locations 3-6
  Adding a New Location
  Deleting RADIUS Servers
  Adding New Users
  Using the User Import Wizard
  Importing Users from Active Directory
  Importing Users from an LDAP Server
IDM Configuration Model

As described in the IDM model on page 2-5, everything relates to the top level, the Realm. Each User in the Realm belongs to an Access Policy Group (APG). The APG has an Access Policy defined for it that governs the access rights applied to its Users as they enter the network. The Access Policy is defined using a set of Access Rules.

2. Define "times" (optional) at which users will be allowed or denied access. This can be by day, week, or even hour.
3. If you intend to restrict a user’s access based on the system used to reach the network, modify the User profile to include the MAC address of each system from which the user is allowed to log in.
4.

2. Click the Configure Identity Management icon in the Realms window toolbar. The Identity Management Configuration default display is the Access Profiles pane with the Default Access Profile.

Figure 3-1. Identity Management Configuration, default display

Click a node in the navigation tree to display the defined configuration parameters and to add or edit configuration parameters, as described in the following sections.
Configuring Locations

Locations in IDM identify the switch and/or ports on the switch, and the wireless access points, where users connect to the network. Users are generally allowed to log in to the network from a variety of locations, and IDM lets you create customized locations to match specific environments.

Adding a New Location

To create a new location:
1. Click the New Location icon in the toolbar to display the new location window.

Figure 3-3. Create a New Location display

2. Type in a Name for the location.
3. Type in a Description for the location.

To add wired devices to the location:
4. Click Add device... to open the New Device window, and define the devices and/or port combinations that will be included in the location.

Figure 3-4. New Device window

5. Enter the Device to be added using the Device Selection pull-downs, or select the Manually enter device address option.
Using the Device Selection option:
   a. Select a device group using the pull-down menu. This enables the Select Device pull-down menu in the next field.
   b. Select a device from the pull-down list of available devices.

6. Use the Port Selection to define the ports on the device that will be associated with the location:
   • Click Any port on the switch, or
   • Click Select ports, then use the pull-down lists to select the Begin and End ports on the device that will be associated with the new location. If you manually entered the device address, the Begin port and End port pull-down menus are disabled and you must enter the ports by hand.
7.

Figure 3-5. Create a New Location, Wireless Devices display

11. Click Add Device... to display the Wireless Devices Selection dialog.

Figure 3-6. Select Wireless Device for a location

12. All discovered Radios and radio ports are displayed.
Check the boxes to select the radio ports to be included in the location, and then click OK to save the selection and return to the Create a new Location (Wireless Devices tab) window.
13. Click OK in the Create a new Location window to save and exit, or repeat the steps to add more devices to the location.

Modifying a Location

To edit the information for an existing Location:
1.

Deleting a Location

To remove an existing Location:
1. Click the Locations node in the Identity Management Configuration navigation tree to display the Locations panel, with the list of defined locations.
2. Click a location in the list to select it.
3. Click the Delete Location icon in the toolbar to remove the location. The first time you use the Delete Location option, a warning pop-up is displayed.
Configuring Times

Times define the hours and days when a user can connect to the network. When included in the Access Policy Group rules, a time can be used to allow or deny access from specific locations at specific times. For example, students might be allowed network access from the "Classroom" location during weekdays from 9:00 am to 5:00 pm, but denied access from the Classroom at any other time.

To configure a Time:
1.

Figure 3-8. Times Properties

Creating a New Time

To configure a Time:
1. Click the Times node in the Identity Management Configuration navigation tree to display the Times panel.
2. Click the Add New Time toolbar icon to display the Create a new Time window.

Figure 3-9. Create a New Time

3. Define the properties for the new time:
Name: Name used to identify the time
Description: Brief description of the time
Time: Time of day when the user will be accepted on the network. To allow access the entire day, click the All day radio button. To restrict access to specific hours of the day, click the From radio button and type the beginning and ending times. The ending time must be later than the beginning time, so a window that spans midnight cannot be expressed as a single Time.

4. Click OK to save the new "Time" and close the panel. The new time appears in the Times window.

Modifying a Time

1. Click the Times node in the Identity Management Configuration navigation tree to display the Times panel.
2. Click a Time in the navigation tree to display the Time details in edit mode, similar to the Create a new Time panel.

Defining Holidays

To add holidays for use when defining Times in IDM:
1. Click the Times node in the Identity Management Configuration navigation tree to display the Times panel.
2. Click the Holidays icon in the toolbar to launch the Holidays window.

Figure 3-10. Holidays window

3. Click Add... to launch the Add Holidays window.

Figure 3-11. Add Holiday

4. The Date field defaults to the current date.

To delete a Holiday, select it in the Holidays list, then click Delete... Click Yes in the confirmation pop-up to complete the process.
Configuring Network Resources

The Network Resources in IDM are used to permit or deny traffic to and from specified sources and destinations. This is done by configuring an IP-based filter based on either:
■ The IP address (individual address or subnet address) of the source or destination, or
■ The protocol (IP, ICMP, VRRP, etc.)
■ The TCP or UDP port (i.e.

The Network Resources window lists the name and parameters for defined resources, including:

Name - Name used to identify the resource.
IP Address - IP Address for the switch associated with the resource ("any" if the resource is being filtered by protocol).
Network Mask - The subnet mask for the IP Address.
Ports - Device port(s) associated with the resource, or Any if the resource is being filtered by protocol.

Adding a Network Resource

To define a Network Resource:

1. Click the Network Resources node in the Identity Management Configuration navigation tree to display the Network Resources panel.
2. Click the Add Network Resource toolbar icon to display the Define Network Resource window.

Figure 3-14. Define Network Resource

3. Define the properties for the network resource.

Protocol: Select UDP, TCP, or IP to identify the protocol used to filter access to the resource. Protocol can be used alone or with an IP address and port parameters to define the network resource access.

Deleting a Network Resource

To delete a Network Resource:

1. Click the Network Resources node in the Identity Management Configuration navigation tree to display the Network Resources panel.
2. Click in the list to select the network resource to delete, then click the Delete Network Resource toolbar icon.
3. Click Yes in the confirmation pop-up to complete the process.
Configuring Access Profiles

IDM uses an Access Profile to set the VLAN, QoS, Bandwidth (rate-limits) and Network Resource access rules that are applied to the user when they are authenticated on the network. This is where the real benefits of "access control" are realized. When users log in, the Access Profile dynamically configures the switch or wireless access point settings to provide the proper network access and resources for the user.
Click the Access Profile node in the navigation tree, or double-click on a profile in the list to display the details of the selected profile.

Figure 3-16. Access Profile details

The Name, Description, and Access Attributes are the same as defined in the Access Profiles list.

2. Click the Add Access Profile icon in the toolbar to display the Create a new Access Profile window.

Figure 3-17. Create Access Profile

3. Define the attributes for the Access Profile:

Name - Name used to identify the Access Profile.
Description - Brief description of the Access Profile.
VLAN - Type in the VLAN or select one from the pull-down menu, which lists VLANs configured in PCM.

The VLAN that gets set for a user will override the statically configured VLAN, as well as the auth-vid which may have been configured for that port. Note also that if an unauth-vid is set and the user is rejected by IDM for any reason, the port is opened and the VLAN is set to the unauth-vid.

4. To assign the Network Resources, click Edit... This launches the Network Resource Assignment Wizard.

Figure 3-18. Network Resource Assignment Wizard

5.

Figure 3-19. Network Resource Assignment Wizard, Allowed Network Resources

6. To permit access to Network Resources:
a. Select the Resource in the Available Resources list. Use shift-click to select multiple resources.
b. Move the Available Resource(s) to the Allowed Resources list (click >>).
c. Click Next to continue to the Denied Resources window.

Figure 3-20. Network Resource Assignment Wizard, Denied Network Resources

7. To deny access to Network Resources:
a. Select the Resource in the Available Resources list. Use shift-click to select multiple resources.
b. Move the Available Resource(s) to the Denied Resources list (click >>).
c. Click Next to continue to the Priority Assignment window.

Figure 3-21. Network Resource Assignment Wizard, Priority Assignment

8. Set the priority (order of evaluation) for the Network Resources. To change the priority, click the Resource in the list, then click Move down or Move up. The first rule to match is the one that will be applied.
9. Click Next to continue to the Default Access window.

Figure 3-22.

10. Select the option to tell IDM what to do if there are no matches found in the network resource access rules.
11. Click Next to continue to the Resource Accounting window.

Figure 3-23. Network Resource Assignment Wizard, Resource Accounting

12. Click the check box to enable the Accounting function (optional). This enables tracking of hits on this resource on the switch or access point. Use the CLI on the switch to review the hits.
13.
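The following Python is an added illustration, not part of IDM: it models a Network Resource as the address/mask, protocol and port filter described under Configuring Network Resources, and evaluates an Access Profile's ordered allow/deny list with the first-match rule of step 8 and the Default Access fallback of step 10. The resource names, addresses and the two sample profiles are constructed for the example.

```python
"""Added example: first-match evaluation of IDM-style Network Resource rules.

Illustrative code, not IDM's implementation.  A Network Resource is an
IP-based filter on destination address/mask, protocol and TCP/UDP port;
an Access Profile holds an ordered list of (resource, allow|deny) rules
and a Default Access action for traffic that matches no rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NetworkResource:
    name: str
    address: Optional[str] = None   # None means "any" address
    mask_bits: int = 32             # prefix length of the Network Mask
    protocol: str = "ip"            # "ip" matches every IP protocol
    port: Optional[int] = None      # None means "any" TCP/UDP port

    def matches(self, dst_ip: str, proto: str, dst_port: Optional[int]) -> bool:
        """True when a flow to dst_ip/proto/dst_port falls inside this filter."""
        if self.address is not None:
            subnet = ip_network(f"{self.address}/{self.mask_bits}", strict=False)
            if ip_address(dst_ip) not in subnet:
                return False
        if self.protocol != "ip" and self.protocol != proto:
            return False
        if self.port is not None and self.port != dst_port:
            return False
        return True


@dataclass
class AccessProfile:
    name: str
    rules: List[Tuple[NetworkResource, str]]  # priority order, top entry first
    default_access: str = "deny"              # the Default Access setting

    def evaluate(self, dst_ip: str, proto: str,
                 dst_port: Optional[int] = None) -> Tuple[str, str]:
        """Return (action, rule name); the first matching rule wins."""
        for resource, action in self.rules:
            if resource.matches(dst_ip, proto, dst_port):
                return action, resource.name
        return self.default_access, "default"


# Constructed sample resources (names and addresses are made up).
DNS_SERVER = NetworkResource("Campus DNS", "10.0.0.53", 32, "udp", 53)
SERVER_LAN = NetworkResource("Server subnet", "10.0.0.0", 24, "ip")
ICMP_ANY = NetworkResource("Ping", None, 32, "icmp")


def student_profile() -> AccessProfile:
    """DNS allowed first, then the whole server subnet and ping denied."""
    return AccessProfile("Students",
                         [(DNS_SERVER, "allow"), (SERVER_LAN, "deny"),
                          (ICMP_ANY, "deny")],
                         default_access="allow")


def misordered_profile() -> AccessProfile:
    """Same rules with the subnet deny moved above the DNS allow: DNS breaks."""
    return AccessProfile("Students (wrong order)",
                         [(SERVER_LAN, "deny"), (DNS_SERVER, "allow")],
                         default_access="allow")


if __name__ == "__main__":
    for profile in (student_profile(), misordered_profile()):
        print(profile.name, profile.evaluate("10.0.0.53", "udp", 53))
```

The second profile shows why the priority step matters: with the subnet deny placed first, the more specific DNS allow is never reached.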
Figure 3-24. Network Resource Assignment Wizard, Summary

14. Click Finish to save the Network Resource Assignments to the Access Profile and close the wizard. Click Back to return to a previous window to change the assignment, or click Cancel to close the wizard without saving the changes. Click Start Over to return to the start of the Network Assignment Wizard.

Modifying an Access Profile

To modify an existing Access Profile:

1.
The changes are displayed in the Access Profiles list.

NOTE: When modifying Access Profiles, make sure the appropriate VLANs are configured on the network and at the switch. If you modify the VLAN attribute in an Access Profile that is currently used in an Access Policy Group rule, IDM will check that the VLAN exists. If not, an error message is displayed.

Deleting an Access Profile

To remove an existing Access Profile:

1.
Defining Access Policy Groups

An Access Policy Group (APG) contains rules that define the VLAN, rate-limit (bandwidth), quality of service, and network resource access rules for users in the group, based on the time, location, and system from which the user logs in.

To begin, expand the Realms node to display the Access Policy Group node in the IDM tree. Click to display the Access Policy Groups tab.

Figure 3-25. Access Policy Groups display

You can expand the Access Policy Group (APG) node in the tree, and click the individual APG node to display the policy Properties tab.

Figure 3-26. Access Policy Group Properties tab

Creating an Access Policy Group

1.

Figure 3-27. New Access Policy Group

3. Type in a Name and Description for the Access Policy Group.
4. Click New... to display the New Access Rule dialog.

Figure 3-28. New Access Rule

5. Select an option from the pull-down menu for each field. When all the parameters are set, click OK to save the Access Rule configuration and close the dialog. The parameters for Access Rules are described in the following table.

Location - Lists the Locations you created by name, and the "ANY" option. If you select ANY and the access profile for the rule points to a VLAN, ensure that the VLAN is configured on every switch to which users in this access policy group will be connecting.
Time - Lists the Times you created by name, and the ANY option.
System - Systems from which the user can log in. ANY allows the user to log in on any system.

IDM will verify that the rules in the APG are valid. If a rule includes a defined VLAN (from the Access Profile) and the VLAN does not exist on the network or devices for the location(s), an error message is returned and you must fix the problem before the APG can be saved. Click Cancel to close the window without saving the Access Policy Group configuration.

9. The new Access Policy Group is listed in the Access Policy Groups tab.

Figure 3-29. Access Rule with Endpoint Integrity options

Select the Endpoint Integrity option to use with the access rule, as described in the following list.
• Select ANY to apply the access rule regardless of the status passed from the endpoint integrity system.
• Select PASS to apply the access rule in cases where the system the user is logged in on passes the endpoint integrity check.

Modifying an Access Policy Group

1. Click the Access Policy Group node in the IDM tree to display the Access Policy Groups tab.
2. Click on an Access Policy Group Name to select it.
3. Click the Modify Policy Group icon in the toolbar to display the Modify Access Policy Group window.
4. Modify the Rules as needed by selecting different options from the pull-down menus for each field (see page 3-16 for field definitions).
5.
Configuring User Access

The process of configuring User access to network resources using IDM is simplified through IDM’s ability to learn User information from the Active Directory or RADIUS server, and the use of Access Policy Groups.

The Users list identifies every defined user and contains the following information for each user:

Logged In - Icon indicates whether the user is currently logged in (User is logged in / User is logged out). The icon is greyed out if session accounting is disabled.
Username - Name given to the User’s login account.
Friendly Name - User’s friendly name, if defined; otherwise this is the same as the Username.
Realm - Realm in which the user logs in.

4. Click Ok to save the assignments and close the window. The new APG assignments are displayed in the Users list.

Changing Access Policy Group Assignments

To re-assign users to a different APG:

1. Click the access policy group or realm in the IDM tree, and then click the Users tab in the Access Policy Group or Realm window.
2.

Using Global Rules

Global Rules can be used to provide an "exception process" to the normal processing of access rules via Access Policy Groups. IDM will check for Global Rules and apply them to the designated users before processing any access rules found in Access Policy Groups.

Access Profile - Access profile governing user permissions during the session.

Creating a Global Rule is similar to creating Access Rules for an Access Policy Group. To create a global rule:

1. In the navigation tree, click on the realm that will use the global rule, then click the Global Rules tab in the Realm’s display.
2. Click the Add Global Rule button to display the New Global Rule window.

Figure 3-33. Global Rules dialog

1.
2. Set the Access Properties for the Global Rule. This is similar to the process used to define Access Policy Rules when you create an Access Policy Group (see page 3-36).
a. Select the Location where the global rule will be applied, or "ANY".
b. Select the Time when the global rule will be used, or "ANY".
c. Select the System where the global rule will be used, or "ANY".
d.

4. Click Yes in the confirmation pop-up to complete the process. The rule is removed from the Global Rules list.
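The following Python is an added illustration (not IDM's own code) of the rule-selection order described here and under Defining Access Policy Groups and Configuring Times: Global Rules are tried first, then the APG rules in order, and each rule's Location, Time and System are matched against the login or against ANY. The Location, System and Access Profile names, the holiday date, and the assumption that a Time never matches on a defined Holiday are all constructed for the example.

```python
"""Added example: how IDM-style access rules pick a user's Access Profile.

Illustrative code, not IDM's own implementation.  Global Rules are
checked first, then the user's Access Policy Group rules in order; a
rule names a Location, a Time and a System (or ANY), and the first rule
that matches the login selects the Access Profile.  A Time is a set of
weekdays plus an optional From/To window; it is assumed here that a
Time never matches on a defined Holiday.
"""
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import FrozenSet, List, Optional, Set

ANY = "ANY"


@dataclass(frozen=True)
class TimeSpec:
    name: str
    days: FrozenSet[int]              # weekday numbers, Monday=0 .. Sunday=6
    start: Optional[time] = None      # start and end both None means "All day"
    end: Optional[time] = None

    def __post_init__(self) -> None:
        # Mirrors the GUI rule: the ending time must be later than the beginning.
        if (self.start is None) != (self.end is None):
            raise ValueError("From and To must be given together")
        if self.start is not None and self.end <= self.start:
            raise ValueError("ending time must be later than beginning time")

    def contains(self, when: datetime, holidays: Set[date]) -> bool:
        if when.date() in holidays:       # assumption: Holidays are excluded
            return False
        if when.weekday() not in self.days:
            return False
        if self.start is None:
            return True
        return self.start <= when.time() < self.end


def make_window(name: str, days: FrozenSet[int], start: str, end: str) -> TimeSpec:
    """Build a From/To TimeSpec from 'HH:MM' strings as typed in the GUI."""
    return TimeSpec(name, days, time.fromisoformat(start), time.fromisoformat(end))


@dataclass(frozen=True)
class AccessRule:
    location: str                     # Location name or ANY
    time_spec: Optional[TimeSpec]     # None stands for ANY
    system: str                       # System name or ANY
    access_profile: str               # Access Profile applied on a match

    def matches(self, location: str, system: str, when: datetime,
                holidays: Set[date]) -> bool:
        if self.location != ANY and self.location != location:
            return False
        if self.system != ANY and self.system != system:
            return False
        if self.time_spec is not None and not self.time_spec.contains(when, holidays):
            return False
        return True


def select_profile(global_rules: List[AccessRule], apg_rules: List[AccessRule],
                   location: str, system: str, when: datetime,
                   holidays: Set[date]) -> Optional[str]:
    """Global Rules are evaluated before the APG's rules; the first match wins."""
    for rule in list(global_rules) + list(apg_rules):
        if rule.matches(location, system, when, holidays):
            return rule.access_profile
    return None                       # no rule matched this login


# Constructed sample data modelled on the Classroom example under Configuring Times.
WEEKDAYS = frozenset(range(5))
CLASS_HOURS = make_window("Class hours", WEEKDAYS, "09:00", "17:00")
HOLIDAYS = {date(2008, 5, 26)}        # a constructed holiday (a Monday)

GLOBAL_RULES = [AccessRule(ANY, None, "lab-kiosk-01", "Kiosk-Only")]
STUDENT_APG = [
    AccessRule("Classroom", CLASS_HOURS, ANY, "Student-Access"),
    AccessRule("Classroom", None, ANY, "No-Access"),   # Classroom at any other time
]


def decide(location: str, system: str, when_iso: str) -> Optional[str]:
    """Resolve a login (ISO timestamp such as '2008-05-20T10:30') to a profile."""
    return select_profile(GLOBAL_RULES, STUDENT_APG, location, system,
                          datetime.fromisoformat(when_iso), HOLIDAYS)
```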
Deploying Configurations to the Agent

An option in the IDM Preferences allows you to automatically deploy configuration changes to the IDM agent. Or, you can manually deploy changes made to Access Profiles, Locations, Times, or Network Resource configurations. If automatic deployment is disabled, you need to deploy the configuration information to the IDM Agent once you have configured the Access Policy Groups and assigned users.

Using Manual Configuration

It is simplest to let the IDM Agent run and collect information about Realms, including RADIUS servers and users in the Realm from the RADIUS server, but you can also manually define information about the Realm, RADIUS servers, and users in the IDM GUI.

3. Click Ok to save the Realm information and close the window. The new Realm appears in the Realms list and the IDM Tree.

Modifying and Deleting Realms

To modify an existing Realm:

1. Select the Realm in the Realms list.
2. Click the Modify Realm icon on the Realm list toolbar to display the Modify Realm window (similar to the New Realm window).
3. Edit entries as needed for the Realm:
• The Name used to identify the realm.
4.

Deleting RADIUS Servers

To delete an existing RADIUS Server:

NOTE: Before you can completely delete the RADIUS server, you need to uninstall the IDM Agent on the server. Otherwise, the RADIUS server may be rediscovered, causing it to re-appear in the IDM tree.

1. Use the IDM Tree to navigate to the RADIUS List window, and select the RADIUS Server you want to delete in the list.
2. Click the Delete RADIUS icon on the Radius List toolbar.
3.

Adding New Users

You can let the IDM Agent automatically learn about the users from the Active Directory or RADIUS server on which it is installed, or you can define user accounts in the IDM Client. You can also use the IDM User Import feature in the Tools menu.

Adding users in IDM: Manual Process

To add a new User in IDM:

1.

3. If you want to restrict the user’s access to specific systems, click the Systems tab to configure system permissions. Otherwise click OK to save the user and close the window.

Configuring User Systems

4. To restrict the user’s access to specific systems, click the Systems tab.

Figure 3-38. User Systems tab display

You select from systems shown in the All Systems list, and click the >> button to move them to the Allowed Systems list. If the user is allowed to log in from more than one system, repeat the process for each system.

7. When the User’s Systems are defined, click OK to save the new user information and close the window. The new user appears in the Users List.

NOTE: Access Policy Group settings are not applied to the user until you deploy the new configuration to the IDM Agent on the RADIUS server. See “Deploying Configurations to the Agent” on page 3-49 for details.

Deleting a User

1. Select the User in the User List.
2. Click the Delete User icon in the toolbar.
3. Click Yes in the Confirmation pop-up to complete the process. The user is removed from the User List.
Using the User Import Wizard

The IDM User Import Wizard lets you add users to IDM from another source, such as an Active Directory or LDAP server. The IDM Import Wizard also synchronizes the IDM user database with the import source directory, and allows you to delete users from the IDM user database that are not found in the import source directory.

Importing Users from Active Directory

Importing users from Active Directory with the IDM Import Wizard synchronizes IDM users with those in Active Directory, similar to enabling Active Directory synchronization. However, if you use the Wizard to import users, user changes in Active Directory are not monitored. And, you cannot select specific Active Directory groups, as with Active Directory synchronization.

Figure 3-41. IDM User Import Wizard, Data Source

3. Click the radio button to select the Active Directory data source.
4. Click Next to continue to the Group Scope window.

Figure 3-42.

5. Select the scope of Active Directory groups that you want to import user data from.

All - Import users from all Active Directory groups.
Global - Import users from the Global Active Directory group. This will also get user data from any custom defined group in your Active Directory.

Figure 3-44. IDM User Import Wizard, Import Groups

8. Click the Select checkbox to choose the groups you want to import from the Active Directory to IDM. If there is no checkbox, the group already exists in IDM and does not need to be selected.
9. Click Next to continue to the Add Users window.

Figure 3-45. IDM User Import Wizard, Add Users

10. Click the Select checkbox to choose the users you want to import from the Active Directory to IDM. The current Import data is compared to the existing user list in IDM. If no new (additional) users are found in the import data, the user list is empty. If any user exists in more than one Active Directory group, you will be prompted to select the group the user will belong to in IDM.

Figure 3-46.

If you have a large number of users that belong to multiple groups, click the checkbox to Assign all users to selected group. This will assign all the users to the selected group in a single step, and you will not need to repeat the group selection for each user.
b. Click Next to continue. Repeat the process for each user.
c. Click Finish to save the Group Selections and exit the pop-up.
d. Click Back to change the previous selection.

11.

Figure 3-48. IDM User Import Wizard, Import Complete

A summary of the IDM Import displays.

15. Click Finish to exit the wizard.

Importing Users from an LDAP Server

The IDM Import Wizard includes support for using the Windows 2003 LDAP service to import users from an MS Active Directory. You can also import user data from other LDAP V3 (version 3) servers (e.g., Netscape® LDAP server).

Figure 3-49. IDM User Import Wizard, LDAP Authentication

a. To use the SSL authentication method, check the Use SSL checkbox.

Note: To use SSL, ensure that your LDAP server supports SSL. The X509 certificate for your LDAP server must be installed in your Java trust store, and the PCM server must be restarted after installing the certificate. Contact your (LDAP) Administrator to get the certificate.

b. Select the LDAP Authentication type to be used with the imported user data:

Simple - Simple authentication, which is not very secure, sends the LDAP server the fully qualified DN of the client (user) and the client's clear-text password.
Digest-MD5 - In Digest-MD5, the server generates a challenge and the client responds with a shared secret (password).

c.

Figure 3-50. IDM User Import Wizard, Simple Authentication

To set up Simple authentication:

1. In the Server field, type the IP address or DNS name of the LDAP server.
2. In the Domain field, type the domain name. (It will be used to create a realm in IDM.)
3. Optionally, in the Base DN field, type the Base Distinguished Name. IDM will search only for users and groups from this node of a directory tree.
4.

Figure 3-51. IDM User Import Wizard, SASL Digest MD5 Authentication

To set up Digest MD5 authentication:

1. In the Server field, type the DNS name of the LDAP server.
2. In the Domain field, type the domain name. It is used to create a realm in IDM.
3. Optionally, in the Base DN field, type the Base Distinguished Name. IDM will search only for users and groups from this node of a directory tree.
4.

Figure 3-52. IDM User Import Wizard, SASL Kerberos V5 Authentication

To set up Kerberos V5 authentication:

1. In the Server field, type the IP address or DNS name of the LDAP server.
2. In the Domain field, type the domain name. It will be used to create a realm in IDM.
3. Optionally, in the Base DN field, type the Base Distinguished Name. IDM will search only for users and groups from this node of a directory tree.
4.

Figure 3-53. IDM User Import Wizard, SASL External Authentication

To set up External authentication:

1. In the Server field, type the DNS name of the LDAP server.
2. In the Domain field, type the domain name. It is used to create a realm in IDM.
3. Optionally, in the Base DN field, type the Base Distinguished Name. IDM will search only for users and groups from this node of a directory tree.
4.

If you are using a JKS Keystore, the X509 User Certificate must be installed in a keystore on the IDM server. You can get the X509 User Certificate from your LDAP Administrator. For example, if the X509 User Certificate is "myldapcert.cer" and the alias is "mycert", use the following command to import the certificate in a keystore in c:\idmuser\mykeystore on your IDM server:

C:\idmuser> keytool -import -file myldapcert.

3. Optionally, in the Base DN field, type the Distinguished Name. IDM will search only for users and groups from this node of a directory tree.
4. Click Next to continue to the Extract Users and Groups window.

The remainder of the process for importing users from LDAP Servers is the same as described for importing users from Active Directories.
• Select the Groups and Users to Import to IDM.
// Kerberos authentication module name. If this entry is changed, you must also change the module name in idm_kerberos_jass.conf file.
KERBEROS_JAAS_CONFIG_FILE=config/idm_kerberos_jaas.conf // configuration file for JAAS Kerberos configuration.

LDAP_DIRECTORY_CONFIG {
// Configuration for LDAP directory. Following values are for Active Directory. Change as needed per object class and attributes in LDAP directory being used.
USER { // User object
OBJECT_CLASS=User // User object class
LOGON_NAME=sAMAccountName // Login name attribute.
Importing Users from XML files

If you select to import users from an XML File, the XML Data Source window displays.

NOTE: The XML file containing user data must reside on the IDM server to use this option and contain information similar to the data shown in the “XML User Import File Example” on page 3-76.

Figure 3-55. IDM User Import Wizard, XML Data Source

To identify the XML file:

1.

XML User Import File Example

XML files used to import user data to IDM should have the following format.

...
...
4 Using the Secure Access Wizard

Chapter Contents

Overview . . . . . . . . . . 4-2
Supported Devices . . . . . . . . . . 4-2
Using Secure Access Wizard . . . . . . . . . .
Overview

The Secure Access Wizard (SAW) feature in IDM is designed to simplify the initial setup of IDM by reducing the complexity of securing the network edge. SAW facilitates the process of securing the network edge by targeting a group of devices and using a highly intuitive GUI to configure network access rather than configuring each device via CLI.

Using Secure Access Wizard

NOTE: The following section provides instructions on using the Secure Access Wizard to configure access security settings on ProCurve devices that support port-based user authentication using 802.1X, Web-Auth, or MAC-Auth. For a more complete description of the implementation of these user authentication features, please refer to the Access and Security Guide for the switch.

2. Click Next to continue to the Device Selection window.

Note: If you do not have a licensed copy of the ProCurve Mobility Manager software and there are wireless devices discovered by PCM, the Excluded Devices window displays, with the list of devices, model, and installed switch software version. Use the Device Capabilities link to determine if you can upgrade the device software to a version that will support the secure access settings.

4. Click Next to continue to the next window.
5. If you selected one or more AP530 wireless devices, the 530 Group Configuration Check Step window appears and displays information about each selected AP530 that supports the group configuration feature. One AP530 will be selected as the Master device and will be the only AP530 configured.

that support two authentication methods per port, the options are 802.1X and Web-Auth or MAC-Auth, thus the Web-Auth and MAC-Auth columns are mutually exclusive for each row. Additionally, devices that do not support Web-Auth or MAC-Auth will have those cells disabled and displaying "Not supported".

Figure 4-4. Secure Access Wizard, Authentication Method Selection example

7. Click the check box to select the authentication method (802.

Figure 4-5. Secure Access Wizard, Port Selection example

9. To select ports from a list, click the Select Ports button and then click the Select all button to select all ports, or check the Selected checkbox for each port to which the secure access settings will apply. Double-clicking a row selects or unselects the port.

Figure 4-6.

When the desired ports are selected, click OK to validate and save your selections.

10. To manually enter port numbers, in the Port to secure field, type the ports to which the secure access settings will apply. Enter any combination of single port numbers and port ranges separated by commas. For example, type A1,A3-A5,A7 to apply the access settings on ports A1, A3, A4, A5, and A7.
Using the Secure Access Wizard Using Secure Access Wizard Figure 4-7. Secure Access Wizard, WLAN Selection example 13. Click the check box for each SSID (WLAN) to which the secure access settings will be applied. (A check mark indicates the SSID is selected) Click the check box for the device to apply secure access settings to all SSIDs on the device. 14. Click Next to continue to the authentication configuration window: • For 802.1X, go to step 12 (below). • For Web-Auth, go to step 13.
Using the Secure Access Wizard Using Secure Access Wizard Figure 4-8. Secure Access Wizard, 802.1X Configuration display The configuration options displayed will vary based on the selected device set: wired, wireless, or both. a. Click the radio buttons to select the authentication method for the selected device types. Only one method can be applied. For Wired devices the 802.1X authentication options are: – Use EAP-capable RADIUS – Use CHAP (MD5)-capable RADIUS For Wireless devices the 802.
Using the Secure Access Wizard Using Secure Access Wizard Figure 4-9. Secure Access Wizard, Advanced Settings for Wired 802.1X c. Click the check box to select the setting to configure, then enter the parameter to be applied. When a parameter is configured, the Reset to default values option is enabled. Click the link to restore the advanced settings for wired 802.1X defaults. Advanced 802.
Using the Secure Access Wizard Using Secure Access Wizard Re-auth period - The re-authentication timeout (in seconds, default 0), set to 0 to disable re-authentication. Valid values are 0-999999999. Client limit - The maximum number of clients to allow on one port simultaneously, default is 1 Quiet period - The period of time the switch does not try to acquire a supplicant. Valid values are 0-65535, the default value is 60 sec.
Using the Secure Access Wizard Using Secure Access Wizard a. Click the radio button to select the RADIUS authentication protocol. Only one method can be applied, either: – Use PAP-capable RADIUS server for Web-Auth – Use CHAP-capable RADIUS server for Web-Auth b. Click the Advanced Settings for Wired Web-Auth to configure the advanced settings for Web-Auth on wired devices. (see figure 4-11 on the next page) c.
Using the Secure Access Wizard Using Secure Access Wizard DHCP address and mask - The base address and mask for the temporary pool used by DHCP (base DHCP address default is 192.168.0.0, and the mask default is 24 - 255.255.255.0). Redirect URL - The URL that the user should be redirected to after successful login. The default is no redirect (blank field). DHCP lease - The lease length (days) of the IP address issued by DHCP (default 10). Valid values are 5-25.
Using the Secure Access Wizard Using Secure Access Wizard e. Click Next in the configuration window to continue to the Authentication Servers step. 17. The MAC-Auth Configuration window lets you select the MAC Address format to be applied for RADIUS requests in the secure access settings for the selected devices. Figure 4-12. Secure Access Wizard, MAC-Auth Configuration display a. Click the radio button to select the MAC address format. b.
Figure 4-13. Secure Access Wizard, Advanced (wired) MAC-Auth settings
c. Click the check box to select the setting to configure, then enter the parameter to be applied. When a parameter is configured, the Reset to default values option is enabled. Click the link to restore the advanced settings for wired MAC-Auth defaults.
Unauth-vid - The VLAN to which the port is assigned when the user has not been authorized by MAC authentication. Valid values are any defined VLAN; the default value is VLAN 1.
Auth-vid - The VLAN to which the port is assigned when the user has been authorized by MAC authentication. Valid values are any defined VLAN; the default value is VLAN 1.
Note: If you had previously configured other RADIUS servers for authentication with the device, that information will be overwritten by the Secure Access Wizard. The SAW will attempt to remove enough currently configured RADIUS servers to “make room” for the ones configured in the SAW.
If you are not using the same shared secret on all the devices, enter the RADIUS shared secret for each device in the list. Use the scroll bar as needed to move down the list. You will not be able to continue until the RADIUS shared secret is set for each device in the list.
21. When you have entered the RADIUS shared secret, click Next to validate your entries and continue to the Save Settings (selection) window.
Figure 4-16.
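The per-device shared secret matters because every RADIUS reply a switch receives is validated against it. The following Python is an added example, not code from this guide or from HP: it builds a constructed Access-Request and Access-Accept in the RFC 2865 packet format and performs the check a switch (NAS) makes on the reply. The Response Authenticator is MD5 over the reply header, the Request Authenticator, the attributes and the shared secret, so it only verifies when both sides hold the same secret; a reply checked with a stale secret, or one altered in transit, is discarded. All function names (generate_shared_secret, build_access_request, build_response, verify_response, demo) and the sample username, password and secrets are this example's own.

```python
import hashlib
import hmac
import os
import secrets
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def generate_shared_secret(nbytes=32):
    """Assumed helper: one random secret per device rather than one reused everywhere."""
    return secrets.token_urlsafe(nbytes).encode()


def _attr(atype, value):
    """Encode one Type-Length-Value attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_user_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def decode_user_password(encoded, secret, request_auth):
    """Inverse of encode_user_password; only a holder of the same secret recovers the password."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, secret, username, password, request_auth=None):
    """Access-Request as the switch (NAS) sends it; the authenticator is 16 random bytes."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username) + _attr(
        ATTR_USER_PASSWORD, encode_user_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def build_response(code, identifier, request_auth, secret, attrs=b""):
    """Accept/Reject as the RADIUS server sends it.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(response, request_auth, secret):
    """The NAS-side check: recompute the Response Authenticator with the NAS's own copy
    of the secret. A reply that does not verify is silently discarded (RFC 2865)."""
    if len(response) < HEADER_LEN:
        return False
    header, got, attrs = response[:4], response[4:HEADER_LEN], response[HEADER_LEN:]
    if struct.unpack("!H", header[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(got, expected)


def demo():
    """Constructed exchange between one switch and one server: matching secret,
    stale secret, and a reply altered in transit."""
    switch_secret = generate_shared_secret()
    req = build_access_request(7, switch_secret, b"alice", b"constructed-pw")
    request_auth = req[4:HEADER_LEN]
    accept = build_response(ACCESS_ACCEPT, 7, request_auth, switch_secret,
                            _attr(ATTR_REPLY_MESSAGE, b"welcome"))
    ok = verify_response(accept, request_auth, switch_secret)
    stale = verify_response(accept, request_auth, b"stale-secret-from-old-config")
    tampered = accept[:-1] + bytes([accept[-1] ^ 0xFF])
    altered = verify_response(tampered, request_auth, switch_secret)
    return ok, stale, altered
```

demo() returns (True, False, False): the authentic reply verifies, the same reply checked with the old secret does not, and the altered reply does not. Because a failed check produces no error packet, a device that was left with a secret different from the server's shows the symptom as authentication timeouts rather than an explicit rejection, which is why the wizard refuses to continue until a secret is set for every device.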
Figure 4-17. Secure Access Wizard, Save Settings dialog
23. Type in a Name to apply to the secure access settings file, and (optionally) a description. You can use the same name for a "save template" and a "save settings" file, but no two "saved templates" or "saved settings" files can have the same name.
24. Click the Include RADIUS shared secrets check box if you want the shared secrets you specified included in the saved settings file.
Figure 4-18. Secure Access Wizard, Configuration Preview display
27. Review the access security configuration settings, using the scroll bar as needed to move through the information.
28. If the configurations are correct, click Next to apply the settings to the devices.
Figure 4-19. Secure Access Wizard, Applying Settings status
This window displays the progress of applying the security settings to the selected devices, and will indicate if any errors occur during the process. Click the View Log button to display process status messages and errors. Click Abort to halt application of the security settings before the process is started on the next device in the list.
5 Troubleshooting IDM
Chapter Contents
IDM Events 5-2
Pausing the Events Display 5-4
Using Event Filters 5-4
Viewing the Events Archive 5-6
Setting IDM Event Preferences
IDM Events
The IDM Events window is used to view and manage IDM events generated by the IDM application or the IDM Agent installed on a RADIUS server. This window helps you quickly identify IDM-related problems in your network. To view the IDM events, click the Events tab in the IDM Home display.
Figure 5-1. IDM Events tab display
The IDM Events tab works similarly to the PCM Events tab. It lists the IDM events currently contained in the database.
Sortable columns of information are available for each event:
Source - This column contains the name or IP address of the component or device that generated the event.
Severity - The Severity column shows the severity of each event. Events are categorized into five levels of severity.
Status - The Status column identifies whether the event has been acknowledged. A check mark in the blue square indicates that the event has been acknowledged.
The details provide additional event description information. The details will vary based on the type of event. Use the scroll bar or drag the top border of the Event Details section to review the entire event description.
Acknowledging an event indicates that you are aware of the event but it has not been resolved. Depending on the IDM event settings, the event is then removed from the event list or the status of the event is updated in the Events window.
Figure 5-3. Events Filter display
■ To filter by Source, type in the Source type or name that you want to include. Events from all other sources will be excluded.
■ To filter by Description, type in the description text you want to include. Events that do not have the text in the description will be excluded.
■ To filter by date and time, use the From: and To: fields to enter the starting date and time (From), and ending date and time (To), that you want to include.
Viewing the Events Archive
The Archived Events window lists details for each event in the Archive Log, which contains events that have been deleted. The events displayed can be filtered by the date the event was generated. The Archived Events window also lets you generate an Archived Events Report that can be saved to disk or printed. Archiving of IDM events can be disabled on the IDM Event Preferences window.
The Archived Events window provides the following information for each event:
Source - System, or IP address of the device that originated the event
Severity - Severity level of the event: Informational, Warning, Minor, Major, Critical (listed in order of severity from lowest to highest)
Date Received - Time and date the event was received
Description - Descriptive information contained in the event
You can select the date range for displayed events by cl
Setting IDM Event Preferences
Use the IDM Event Preferences to set up archiving and automatic deletion of events from the IDM Events tab and RADIUS Server Activity Logs. To configure preference settings for IDM events:
1. Select the Identity Management, Events option in the Global Preferences window (Tools–>Preferences–>Identity Management–>Events) to display the IDM Events Settings window.
Figure 5-5. Preferences, IDM Events
2.
5. Use the Severity Percentages to set the event types you want to maintain in the database. These percentages are based on the overall size set in the Max number of events field, and must equal 100 percent. For example:
Figure 5-6. Setting Event Preferences: Severity Percentages
In the example in figure 5-6, if the Max number of events is set to 1000, and that number is exceeded,
• 600 Informational events will be maintained.
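The filter and retention behaviour described in the Events Filter and Severity Percentages sections, as an added Python example that is not part of this guide or of the IDM product: filter_events mirrors the three filter fields (Source, Description text, From/To date range), retention_quotas enforces the rule that the percentages must equal 100 percent, and prune_events keeps the newest events of each severity up to that severity's quota once the Max number of events is exceeded, sending the rest to the archive. The guide's example only fixes 60 percent Informational (600 of 1000); the remaining percentages, the Event class, and the 1200 constructed sample events are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# The five severity levels the IDM Events documentation names, lowest to highest.
SEVERITIES = ("Informational", "Warning", "Minor", "Major", "Critical")


@dataclass
class Event:
    source: str          # component name or IP address that generated the event
    severity: str
    received: datetime
    description: str
    acknowledged: bool = False


def filter_events(events, source=None, text=None, start=None, end=None):
    """Mirror the Events Filter dialog: an event must satisfy every criterion given."""
    kept = []
    for ev in events:
        if source is not None and ev.source != source:
            continue  # events from all other sources are excluded
        if text is not None and text not in ev.description:
            continue  # events without the text in their description are excluded
        if start is not None and ev.received < start:
            continue
        if end is not None and ev.received > end:
            continue
        kept.append(ev)
    return kept


def retention_quotas(max_events, percentages):
    """Turn the Severity Percentages into per-severity event counts.
    A percentage is required for every level and the total must be exactly 100."""
    if set(percentages) != set(SEVERITIES):
        raise ValueError("a percentage is needed for each of the five severity levels")
    if sum(percentages.values()) != 100:
        raise ValueError("severity percentages must equal 100 percent")
    return {sev: max_events * pct // 100 for sev, pct in percentages.items()}


def prune_events(events, max_events, percentages):
    """Apply the policy once Max number of events is exceeded: the newest events of
    each severity are kept up to that severity's quota and the rest are archived.
    Returns (kept, archived), each ordered newest first."""
    newest_first = sorted(events, key=lambda e: e.received, reverse=True)
    if len(events) <= max_events:
        return newest_first, []
    quotas = retention_quotas(max_events, percentages)
    kept, archived = [], []
    for ev in newest_first:
        if quotas[ev.severity] > 0:
            quotas[ev.severity] -= 1
            kept.append(ev)
        else:
            archived.append(ev)
    return kept, archived


# Assumed split: the guide's example states only that 60 percent (600 of 1000) is Informational.
EXAMPLE_PERCENTAGES = {"Informational": 60, "Warning": 20, "Minor": 10, "Major": 7, "Critical": 3}


def constructed_events():
    """Constructed sample of 1200 events, one per minute, with more Informational
    events than the 60 percent quota allows."""
    base = datetime(2008, 5, 1, 8, 0, 0)
    mix = (("Informational", 800), ("Warning", 200), ("Minor", 100), ("Major", 60), ("Critical", 40))
    events, n = [], 0
    for sev, count in mix:
        for i in range(count):
            source = "radius-1" if n % 2 else "10.0.0.5"
            events.append(Event(source, sev, base + timedelta(minutes=n), f"{sev} event {i}"))
            n += 1
    return events


def kept_by_severity(max_events=1000, percentages=EXAMPLE_PERCENTAGES):
    """How many events of each severity survive pruning of the constructed sample."""
    kept, _ = prune_events(constructed_events(), max_events, percentages)
    return {sev: sum(1 for e in kept if e.severity == sev) for sev in SEVERITIES}
```

With the sample above, kept_by_severity() keeps 600 of the 800 Informational events, as in the guide's example, and only 30 of the 40 Critical ones: a severity whose quota is too small loses its oldest entries first, so the percentages should be chosen from the actual event mix rather than left at a default.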
Using Activity Logs
IDM also provides an Activity Log you can use to monitor events for specific RADIUS servers. To view the Activity Log for a RADIUS Server:
1. Expand the IDM tree to display the RADIUS Server node.
2. Select the RADIUS server, then click the Activity Log tab.
Figure 5-7. RADIUS Server Activity Log
The Activity Log provides information similar to the IDM Events, except that the entries are specific to the selected server.
Using Decision Manager Tracing
IDM provides a tracing tool (DMConfig.prp) and log file (DM-IDMDM.log) to assist with troubleshooting IDM problems that may occur. These files are included on the IDM Agent when it is installed on the RADIUS server. Note that the Decision Manager (DM) is an internal component of the IDM Agent. The default configuration has the tracing options turned off because of the performance degradation when tracing is used.
Miscellaneous
For authenticating a MAC-Auth user using Funk Steel Belted RADIUS (SBR) with IDM, the password should be specified in lower-case (in the SBR User directory). If upper-case characters are used in the password, you may get the following error: "MAC-Auth user gets rejected because of incorrect password". The MAC-Auth user will be rejected by SBR and eventually by IDM 2.0.
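The lower-case requirement above interacts with the MAC address format chosen in the Secure Access Wizard's MAC-Auth Configuration step: the credentials in the RADIUS request must match the user-store entry exactly, and SBR compares the password byte for byte. The following Python is an added example, not from this guide, from HP or from Funk. It normalises a MAC address written in any of several assumed formats (the wizard's own list of formats is not reproduced on this page), builds the MAC-Auth credentials as the switch is assumed to send them (the MAC address as both username and password), and lints user-store entries for the case mismatch the note describes. MAC_FORMATS, parse_mac, mac_auth_credentials, sbr_password_matches and lint_mac_auth_entry are this example's own names.

```python
import re

# Assumed set of MAC address formats a RADIUS request might carry. The hex digits
# are always emitted in lower case, which is what the SBR note above calls for.
MAC_FORMATS = {
    "no-delimiter": lambda h: h,
    "colon-pairs": lambda h: ":".join(h[i:i + 2] for i in range(0, 12, 2)),
    "hyphen-pairs": lambda h: "-".join(h[i:i + 2] for i in range(0, 12, 2)),
    "dot-quads": lambda h: ".".join(h[i:i + 4] for i in range(0, 12, 4)),
}


def parse_mac(text):
    """Accept any of the formats above in either case; return 12 lower-case hex digits.
    Anything that is not exactly 12 hex digits plus ':' '-' '.' separators is rejected."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(hexdigits) != 12 or re.sub(r"[:\-.]", "", text) != hexdigits:
        raise ValueError(f"not a MAC address: {text!r}")
    return hexdigits.lower()


def mac_auth_credentials(mac, fmt="no-delimiter"):
    """Username and password as a MAC-Auth request is assumed to carry them:
    both fields hold the MAC address in the selected format."""
    formatted = MAC_FORMATS[fmt](parse_mac(mac))
    return formatted, formatted


def sbr_password_matches(stored, presented):
    """The compare the note describes: the stored password must match exactly, case included."""
    return stored == presented


def lint_mac_auth_entry(username, password):
    """Flag user-store entries that will fail the case-sensitive compare or that do not
    hold the same MAC address in both fields. Returns a list of problems (empty = OK)."""
    problems = []
    if password != password.lower():
        problems.append("password contains upper-case hex digits; store it in lower case")
    try:
        if parse_mac(username) != parse_mac(password):
            problems.append("password is not the same MAC address as the username")
    except ValueError as exc:
        problems.append(str(exc))
    return problems
```

lint_mac_auth_entry("001a2b3c4d5e", "001A2B3C4D5E") reports the upper-case password that produces the "incorrect password" rejection, while the switch-side request built by mac_auth_credentials is always lower case, so a bulk check of the SBR user directory with this lint catches the mismatch before users are rejected.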
A Using ProCurve Network Access Controller with IDM
About ProCurve Network Access Controller 800
The ProCurve Network Access Controller 800 (ProCurve NAC) provides a comprehensive access control solution. Used in conjunction with ProCurve Manager Plus and Identity Driven Manager applications, the ProCurve NAC serves to:
■ Protect the network and resources from unauthorized or harmful users and/or systems.
Before You Begin
For information on installing the ProCurve NAC appliance, please refer to the ProCurve Network Access Controller 800 Hardware Install Guide, and/or the information provided with your "ProCurve Network Access Controller Endpoint Integrity Implementation Startup Service". Use of the ProCurve NAC requires that you already have a licensed version of PCM+ 2.2 and IDM 2.2 installed.
Using the NAC Tab Displays
Once the ProCurve NAC appliance is installed on the network, PCM discovery will 'find' the appliance and create a node in the PCM navigation tree. A folder for the ProCurve Network Access Controllers is also created in the IDM tree, under the Realms folder at the same level as a RADIUS server, with nodes for each NAC (master server) device.
Setting the ProCurve NAC GUI Login
In addition to the "NAC" tabs in the IDM window, the Global Preferences for Identity Management are expanded to include support for automatic login to the ProCurve Network Access Controller application via PCM and IDM.
Figure A-2.
Using the NAC Home Tab
The NAC Home tab launches the ProCurve NAC GUI within the IDM display.
Figure A-3. Network Access Controller (NAC Home) display.
From this point you can access all of the functionality provided with the ProCurve Network Access Controller application. For details on using the application, refer to the online help, or the ProCurve Network Access Controller 800 User’s Guide.
Using the NAC Monitor Tab
In addition to the NAC Home tab, integration of the ProCurve NAC 800 with IDM provides a NAC Monitor and a NAC Configuration tab. Click the NAC Monitor tab to launch the ProCurve NAC "System Monitor" window within the IDM display.
Figure A-4. ProCurve NAC 800 System Monitor (NAC Monitor) display.
For additional details, refer to the online help, or the section describing the System Monitor in the ProCurve Network Access Controller 800 User’s Guide.
Using the NAC Configuration Tab
Click the NAC Configuration tab to launch the Network Access Controller 800 system configuration tab in the IDM display.
Figure A-5. ProCurve NAC 800 System Configuration (NAC Configuration) display.
Using Local Authentication Directory on ProCurve NAC
This window also provides access to Maintenance tools, including the system backup and restore functions. For a detailed description of available features, refer to the online help, or the ProCurve Network Access Controller 800 User’s Guide.
Regardless of your implementation of the ProCurve NAC 800 appliance, it is important that you perform a system backup on a regular schedule.
2. Click the check box to Enable Local Authentication for ProCurve NAC devices. A check mark indicates the option is selected.
3. Click OK to save the configuration and close the window.
Figure A-7. User Properties, with Local Authentication Directory
2. Enter the user information as you regularly would (see “Adding New Users” on page 3-53), then click the Set password... link to launch the user password dialog.
3. Type in the Password that will be used for authentication on the local directory. Re-enter the same password in the Confirm Password field.
4.
B IDM Technical Reference
Device Support for IDM Functionality
Due to variations in hardware and software configuration of various ProCurve Devices, not all IDM [Access Profile] features are supported on all devices. The following table indicates IDM functionality supported by ProCurve Device type at the time this manual was printed.
Support for Secure Access Wizard Feature
IDM Device Feature Matrix
Columns: ProCurve Device; ACL's; VLAN; QoS; BW; MAC Auth; Web Auth; 802.1X; 802.1X port-based
X X X 420 AP
520 AP X X X X
530 AP X (5)
2500 series X X X (4)
2600 series (PWR included) X X X (2)
2800 series X X X X
3400cl X X X X X
3500 X
4100gl series X X X X
4200
6100 series X
6108 X X
6200 X X X X X
6400cl X (1) X X X X
5300xl X X X X X
5400
9300
9400
WESM 1.0 X
WESM 2.
Best Practices
Authentication Methods
The IDM application is designed to support RADIUS server implementation with 802.1x using supplicants, as well as Web-auth and MAC-auth. However, to gain the full benefits of using IDM, HP advises that you implement RADIUS using an 802.1x supplicant. If you use Web-auth or MAC-auth, you can still use IDM to provide authorization and access control, but user session accounting will not work.
Handling Unknown or Unauthorized Users
If a user is authenticated in RADIUS, but is unknown to IDM, IDM will not override RADIUS authentication and default switch settings, unless you configure it to do so. Also, if IDM rejects the user, but you have set "unauth-vid", then the port will still be opened and the VLAN will be set to the unauth-vid. You can also create a "guest" profile in IDM to provide limited access for unknown users.
Allowing vs.
In this instance, if the user attempts to log in during the times specified for the Weekends, they will be rejected, and an IDM event will be logged indicating that the APG had a specific Reject rule set to deny access. If the user logs in at times not specified for the weekend, since the time in the first rule does not match, IDM moves to the second rule.
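The ordered evaluation just described (a Reject rule for Weekends checked first, the next rule otherwise), the unknown-user and unauth-vid behaviour from Handling Unknown or Unauthorized Users, and the two sources of a failed login (RADIUS itself or an IDM reject), as an added Python example that is not the product's own policy engine and not code from this guide. It assumes the names TimeWindow, Rule, Decision, evaluate and EXAMPLE_RULES, a guest_vlan parameter standing in for the "guest" profile, that a configured unauth-vid also opens the port when RADIUS itself rejects the credentials, and that with no matching rule the switch defaults stand; the dates and VLAN numbers are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

USER_FAILED_LOGIN = "USER_FAILED_LOGIN"


@dataclass(frozen=True)
class TimeWindow:
    """Days are Python weekday numbers (0 = Monday ... 6 = Sunday); hours are [start, end)."""
    days: frozenset
    start_hour: int = 0
    end_hour: int = 24

    def contains(self, when):
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour


WEEKENDS = TimeWindow(frozenset({5, 6}))


@dataclass(frozen=True)
class Rule:
    name: str
    window: TimeWindow
    action: str                 # "reject" or "accept"
    vlan: Optional[int] = None  # VLAN applied when the action is "accept"


@dataclass
class Decision:
    port_open: bool
    vlan: Optional[int]          # None means the switch's default VLAN applies
    reason: str
    event: Optional[str] = None  # IDM event logged for this decision, if any


def evaluate(radius_accepted, known_to_idm, rules, when, unauth_vid=None, guest_vlan=None):
    """Return the port outcome for one login attempt made at time `when`."""
    # RADIUS rejected the credentials: the failure event names RADIUS as the source.
    # Assumed: a configured unauth-vid opens the port for this failure as well.
    if not radius_accepted:
        return Decision(unauth_vid is not None, unauth_vid,
                        "rejected by RADIUS (bad username, password, etc.)", USER_FAILED_LOGIN)
    # Authenticated but unknown to IDM: the RADIUS result and switch defaults stand
    # unless a guest profile has been configured for unknown users.
    if not known_to_idm:
        if guest_vlan is not None:
            return Decision(True, guest_vlan, "unknown to IDM; guest profile applied")
        return Decision(True, None, "unknown to IDM; RADIUS result and switch defaults stand")
    # Rules are evaluated in order; the first rule whose time window matches decides.
    for rule in rules:
        if not rule.window.contains(when):
            continue
        if rule.action == "reject":
            reason = f"rejected by IDM: rule '{rule.name}' has a Reject action"
            # Rejected by IDM, but a configured unauth-vid still opens the port on that VLAN.
            return Decision(unauth_vid is not None, unauth_vid, reason, USER_FAILED_LOGIN)
        return Decision(True, rule.vlan, f"accepted by IDM rule '{rule.name}'")
    # Assumed: with no matching rule the switch defaults stand.
    return Decision(True, None, "no IDM rule matched; switch defaults stand")


# Constructed policy: weekends rejected outright, weekday office hours placed in VLAN 20.
EXAMPLE_RULES = (
    Rule("Weekends", WEEKENDS, "reject"),
    Rule("Office hours", TimeWindow(frozenset(range(5)), 8, 18), "accept", vlan=20),
)


def demo():
    saturday = datetime(2008, 5, 3, 10, 0)   # constructed: a Saturday
    wednesday = datetime(2008, 5, 7, 10, 0)  # constructed: a Wednesday
    return (
        evaluate(True, True, EXAMPLE_RULES, saturday, unauth_vid=99),    # rejected, port open on VLAN 99
        evaluate(True, True, EXAMPLE_RULES, saturday),                   # rejected, port stays closed
        evaluate(True, True, EXAMPLE_RULES, wednesday),                  # accepted into VLAN 20
        evaluate(True, False, EXAMPLE_RULES, wednesday, guest_vlan=50),  # unknown user, guest profile
        evaluate(False, True, EXAMPLE_RULES, wednesday),                 # RADIUS rejected
    )
```

The first two results in demo() show the point the guide makes about unauth-vid: the same Reject rule either leaves the port closed or opens it on VLAN 99, depending only on whether an unauth-vid is configured, so a reject in IDM is not by itself a guarantee that the client gets no network access.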
Types of User Events
The USER_FAILED_LOGIN event happens whenever RADIUS sends IDM a message of an unsuccessful login. This can have various sources, which you can review in the Event Details. It can be either because IAS didn’t let the user log in (bad username, password, etc.) or because IDM rejected the login.
Index
Numerics
802.
Authorization 1-8
G
Global Rules 3-45, 3-47
H
Holidays 3-17
I
IDM Agent tracing 5-11
IDM authorization policy 3-49
IDM model 3-3
IDM Statistics 2-18
Import from Active Directory 3-58
Import procedure 3-57
Importing Users 3-58
    with XML files 3-75
K
Kerberos V5 authentication 3-68
L
LDAP Authentication 3-66
LDAP Directory settings 3-72
LDAP Server
    Digest-MD5 Authentication 3-67
    External Authentication 3-69
    Kerberos-V5 Authentication 3-68
    Simple Authentication 3-66
LDAP server import 3-57
LDAP_Server_Config 3-74
Local Authent
Rules, evaluation 3-38
S
SASL Digest MD5 authentication 3-67
Save Settings, SAW 4-19
Save Template, SAW 4-19
SAW 4-2
Secure Access Wizard 4-2
Session Cleanup 2-26
Session History 2-18
Session Information 2-31
Session List 2-30
Simple authentication 3-66
Switch Override 3-27
T
Target Properties 3-46
Times 3-13
    changing 3-16
    delete 3-16
    new 3-14
    properties 3-15
Tracing, Decis
W
warranty 1-ii
Web-Auth Configuration, SAW 4-12
WLAN selection, SAW 4-8
X
XML file, user import 3-75
XML Import File format 3-76