HP J4813A User Manual


ProCurve
Identity Driven Manager
Software Release 2.0
User's Guide


Summary of Contents for HP J4813A

  • Page 1 ProCurve Identity Driven Manager Software Release 2.0 User’s Guide...
  • Page 2 Publication Number 5990-8851, November, 2005. ... performance, or use of this material. Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard. Warranty...
  • Page 3: Table Of Contents

    Contents: Chapter 1, About ProCurve Identity Driven Manager: Introduction 1-2; Why IDM? ...
  • Page 4 Contents: Chapter 3, Using Identity Driven Manager: IDM Configuration Model 3-2; Configuration Process Review ...
  • Page 5: About Procurve Identity Driven Manager

    About ProCurve Identity Driven Manager. Chapter Contents: Introduction 1-2; Why IDM? ...
  • Page 6: Introduction

    About ProCurve Identity Driven Manager Introduction Introduction Network usage has skyrocketed with the expansion of the Internet, wireless, and convergence technologies. This increases the burden on network managers working to control network usage. Also, the complexity of large networks makes it difficult to control network access and usage by individual users.
  • Page 7: Why Idm

    About ProCurve Identity Driven Manager Introduction Why IDM? Today, access control using a RADIUS system and ProCurve devices (switches or wireless access points) is typically made up of several steps. Figure 1-2. Current Access Control process A client (user) attempts to connect to the network. The edge device recognizes a connection state change, and requests identifying information about the client.
  • Page 8 About ProCurve Identity Driven Manager Introduction When using IDM, the authentication process proceeds as described in the first three steps, but from that point the process changes as follows: The RADIUS server validates the user’s identity in the user directory. Based on the validation result received from the user directory, the authentication server returns an accept or deny response to the switch.
  • Page 9: Idm Architecture

    About ProCurve Identity Driven Manager Introduction IDM Architecture In IDM, when a user attempts to connect to the network through an edge switch, the user is authenticated via the RADIUS Server and user directory. Then, IDM is used to return the user’s "access profile" along with the authentication response from RADIUS to the switch.
  • Page 10 About ProCurve Identity Driven Manager Introduction • A Decision Manager that receives the user data and checks it against user data in the local IDM data store. Based on the parameters defined in the data store for the user data received, the Decision Manager outputs access parameters for VLAN, QoS, bandwidth, and network resource access to the RADIUS interface component.
  • Page 11: Terminology

    About ProCurve Identity Driven Manager Terminology Terminology Authentication: The process of proving the user’s identity. In networks this involves the use of usernames and passwords, network cards (smartcards, token cards, etc.), and a device’s MAC address to determine who and/or what the "user" is. Authentication Server: Authentication servers are responsible for granting or denying access to the...
  • Page 12 About ProCurve Identity Driven Manager Terminology Realm: A Realm is similar to an Active Directory Domain, but it works across non-Windows (Linux, etc.) systems. Generally specified in User-name as "user@realm." VLAN: A port-based Virtual LAN configured on the switch. When the client connection terminates, the port drops its membership in the VLAN.
  • Page 13: Idm Specifications

    About ProCurve Identity Driven Manager IDM Specifications IDM Specifications Supported Devices ProCurve Identity Driven Manager (IDM) supports authorization control functions on the following ProCurve devices*: ProCurve Switches: ■ 5300xl Series (5304, 5308, 5348, 5372); 3400cl Series (3424, 3448); 4100gl Series (4104, 4108, 4124); 2800 Series (2824, 2848); 2600 Series (2650, 2626, 2650-PWR, 2626-PWR, 2608-PWR, 6108); 2500 Series (2512, 2524)
  • Page 14: Additional Requirements

    About ProCurve Identity Driven Manager IDM Specifications ■ ProCurve Manager Plus software must be installed for IDM to operate. The IDM software cannot be installed as a separate component. Additional processing power and additional disk space may be required for larger networks.
  • Page 15 About ProCurve Identity Driven Manager IDM Specifications When you upgrade to IDM 2.0, you need to manually install the IDM Agent upgrade on your RADIUS Server. Refer to “Installing the IDM Agent” on page 2-2 for detailed instructions.
  • Page 16: Registering Your Idm Software

    About ProCurve Identity Driven Manager Registering Your IDM Software Registering Your IDM Software The ProCurve Manager installation CD includes a fully operable version of the PCM application, and a 30-day trial version of the PCM+ application and the IDM application. Until you have registered your IDM application, an Expiring License warning will be displayed each time you log in, similar to the following.
  • Page 17 About ProCurve Identity Driven Manager Registering Your IDM Software Figure 2. ProCurve License Administration dialogue You can also get to this screen from the Preferences window which can be accessed from the PCM Tools menu or by clicking on the Preferences icon in the tool bar.
  • Page 18 About ProCurve Identity Driven Manager Registering Your IDM Software The window is refreshed and the registration information, including your License key is displayed. The license key is also sent to you via e-mail. To get the license key for the next software package, click Generate Another License and repeat the process in step 5, above.
  • Page 19: Learning To Use Procurve Idm

    About ProCurve Identity Driven Manager Learning to Use ProCurve IDM Learning to Use ProCurve IDM The following information is available for learning to use ProCurve Identity Driven Manager (IDM): ■ This User’s Guide—helps you become familiar with using the application tools for access control management.
  • Page 20 About ProCurve Identity Driven Manager ProCurve Support...
  • Page 21: Getting Started

    Getting Started. Chapter Contents: Before You Begin 2-2; Installing the IDM Agent 2-2; Using the IDM Auto-Discover Feature ...
  • Page 22: Before You Begin

    Getting Started Before You Begin Before You Begin If you have not already done so, please review the list of supported devices and operating requirements under “IDM Specifications” on page 1-9. If you intend to restrict user access to specific areas of the network using VLANs, make sure you have set up your network for use of VLANs.
  • Page 23: Using The Idm Auto-Discover Feature

    Getting Started Before You Begin The IDM Client is included with the PCM+ software. To install a remote PCM/IDM Client, download the PCM Client to a remote PC using the same process as for installing the IDM Agent, just select the PCM Client option from the PCM server.
  • Page 24: Idm Usage Strategies

    Getting Started Before You Begin Create the Access Profiles, to set the VLAN, QoS, rate-limits (bandwidth) attributes, and the network resources that are available, to users in an Access Policy Group. (See page 3-23) Create an Access Policy Group, with rules containing the Location, Time, System, and Access Profile that is applied to users when they login.
  • Page 25: Understanding The Idm Model

    Getting Started Before You Begin Understanding the IDM Model The first thing to understand is that IDM works within the general concept of ‘domains’ or ‘realms’. Basically, realms are very large organizational units; every user belongs to one, and only one, realm. While it is possible to have multiple realms, most organizations have only one, for example, hp.com or csuchico.edu.
  • Page 26: Idm Gui Overview

    Getting Started IDM GUI Overview IDM GUI Overview To use the IDM client, launch the PCM Client on your PC. Select the ProCurve Manager option from the Windows Program menu to launch the PCM Client. The PCM Client will start up and the Login dialogue is launched. Figure 2-1.
  • Page 27 Getting Started IDM GUI Overview Select the IDM Tree tab at the bottom left of the PCM window to display the IDM Home window. Figure 2-2. IDM Home Window The IDM Home display provides a quick view of IDM status in the IDM Dashboard tab, along with a navigation tree and access to menu and toolbar functions.
  • Page 28: Idm Dashboard

    Getting Started IDM GUI Overview IDM Dashboard The IDM Dashboard tab (window) contains four separate panels, described below. Identity Management Status: The IDM Agent Status pane uses a color-coded histogram to indicate the number of currently active (green) and inactive (red) IDM Agents.
  • Page 29: Using The Navigation Tree

    Getting Started IDM GUI Overview Using the Navigation Tree The navigation tree in the left pane of the IDM window provides access to IDM features using the standard Windows file navigation system. Click the nodes to expand the list and change the display in the right window panel. The IDM tree is organized as follows: Realms: The top level of the tree lists each of the Realms that have been discovered by an IDM Agent or defined manually.
  • Page 30 Getting Started IDM GUI Overview Figure 2-4. Realm Properties tab Click the Users tab, underneath the realm Properties tab, to view a list of users in the Realm that were discovered by the IDM Agent, or defined manually. Figure 2-5. Realm Users tab NOTE: There will be no auto-discovered Realm, Users, or RADIUS server until a user has logged in to the network.
  • Page 31 Getting Started IDM GUI Overview Access Policy Groups: Click the Access Policy Group node to display the Access Policy Groups tab with a list of currently configured groups. You can also expand the node to view the APGs in the tree. Figure 2-6.
  • Page 32 Getting Started IDM GUI Overview RADIUS Servers: Clicking the RADIUS Servers node displays the RADIUS List tab, with status and configuration information for each RADIUS Server in the Realm that has an IDM Agent installed, or that is manually defined. Figure 2-8.
  • Page 33: Toolbars And Menus

    Getting Started IDM GUI Overview The Activity Log tab underneath the properties display contains a listing of IDM application events for that RADIUS server such as server startup, server connections, user logins, IDM configuration deployment, etc. Toolbars and Menus Because IDM is a module within PCM, it uses the same Main Menu and Global toolbar functions.
  • Page 34: Using Idm As A Monitoring Tool

    Getting Started Using IDM as a Monitoring Tool Using IDM as a Monitoring Tool Whether or not you configure and apply access and authorization parameters using IDM, you can use IDM to monitor user sessions on the network and generate usage reports. You can use the monitoring features along with the IDM Reports to track usage patterns, user session statistics, bandwidth usage, top users, and so on.
  • Page 35: Idm Preferences

    Getting Started Using IDM as a Monitoring Tool IDM Preferences The IDM Preferences window is used to set up global attributes for session accounting and archiving, as well as enabling the Endpoint Integrity option. Click the Tools menu and select Identity Management to display the Global Preferences-Identity Management window.
  • Page 36 ... Archive user sessions older than x days field. 8. To archive the user session archive file in a location other than the default IDM data archive directory, type the desired path in the Archive file directory field. The default path is: C:\Program Files\Hewlett-Packard\PNM\server\idm\data
  • Page 37 Getting Started Using IDM as a Monitoring Tool If you do not want to add a timestamp to the archive filename, uncheck the Use timestamp in archive filename option. If a timestamp is not used in the archive filename, the existing archive file is overwritten each time user sessions are archived.
  • Page 38: Using Idm Reports

    Getting Started Using IDM Reports Using IDM Reports IDM provides reports designed to help you monitor and analyze usage patterns for network resources. The report options are available from the Tools menu. The Report wizard screens and report parameters vary, depending on the type of report selected.
  • Page 39 Getting Started Using IDM Reports You can save the report to a file, or print the report. To apply customized Report Header information for your company, use the Reports option in the global preferences (Tools > Preferences > Global > Reports). The Schedule a report option in the Tools menu launches the Schedule Reports Policy Wizard, which lets you schedule reports to be created at recurring intervals.
  • Page 40 Getting Started Using IDM Reports The following information is provided for each user included in the Bandwidth Usage report: Username: Username used to login. Realm: Realm (Access Policy Group and RADIUS server) to which the user is assigned. Access Policy Group: Access Policy Group governing a user's login to the RADIUS server. Input Bytes...
  • Page 41: Scheduling A Report

    Getting Started Using IDM Reports User Report: The User Report lists information for recent sessions in which the user participated, similar to the Session History report. To display the User Report select a username in the Users tab of the Access Policy Group or RADIUS Server window, and then click the User Report icon in the toolbar.
  • Page 42 Getting Started Using IDM Reports Enter the Start date and time. b. Click one of the radio buttons to select the Recurrence Pattern. Click to select the End date option. Enter the End by date and time, and Maximum occurrences as needed. d.
  • Page 43 Getting Started Using IDM Reports Click to select the Report Type from the list. Click Next to continue to the Report Filter window.
  • Page 44 Getting Started Using IDM Reports Depending on the report type, select the Report Filters to configure what data is included in the report. For most reports you can filter by one or more of the following: Dates, Realms, Access Policy Group, Location, or Users. Use the All Dates option to set the Start Date and End Date for data to be included in the report.
  • Page 45 Getting Started Using IDM Reports Click the radio button to select the Report Format for output: PDF, HTML, or CSV (comma separated values). 10. Click Next to continue to the Report Delivery Method window.
  • Page 46 Getting Started Using IDM Reports 11. Select the Delivery method: FTP, File, or Email from the pull-down menu. Then set the parameters needed to define the delivery option (FTP server, filename and path etc.) The wizard displays data entry fields for the selected delivery method.
  • Page 47: Idm Session Cleanup Policy

    Getting Started Using IDM Reports IDM Session Cleanup Policy The IDM Session Cleanup Policy is included in the PCM+ policies by default when you install IDM. The statistics used by the IDM reports are cleared by the Session Statistics Cleanup policy (in PCM) on the first day of each month. You can edit the policy if you want to change the cleanup recurrence schedule.
  • Page 48 Getting Started Using IDM Reports Set the Start Date for enforcement of the policy. The default is the start date and time for IDM. You can type in a new date and time, or use the arrows to increase or decrease the date and time entries.
  • Page 49: User Session Information

    Getting Started User Session Information User Session Information You can use IDM to just monitor the network, and receive detailed information about users' access to the network. The User Session information provides statistics about exactly *how* the network is being used (when the user logged in and out, where a user logged in from, and how much bandwidth they consumed, for example).
  • Page 50 Getting Started User Session Information The Session List provides a listing of recent sessions, including the following information: Active: True if the user is currently logged in for this session or False if the session has ended. Login Time: Date and time the user logged in. Login Successful: True if the user logged in successfully or False if login failed...
  • Page 51 Getting Started User Session Information The Session Information tab of the User Status window contains the following information: Is Active: True if the user is currently logged in for this session or False if the session has ended. RADIUS Server: IP address of the RADIUS server that authenticated the user. Login was successful: True if the user logged in successfully or False if login failed. Reason login was...
  • Page 52 Getting Started User Session Information The Location Information tab of the User Status window contains the following information: Location name: Name of the location where the user logged in. Device address: IP address of the device used to login. Device port: Port on the device used for the session. Click the Disable port or Enable port links to disable or re-enable the port used for the session.
  • Page 53: Finding A User

    Getting Started User Session Information Access Policy Group: Access policy group that governs user permissions for the session. Access Profile: Access profile assigned to the access policy group. QoS assigned: Quality of service or priority for outbound traffic. QoS ranges from lowest to highest.
  • Page 54 Getting Started User Session Information In the MAC address field, type the MAC address of the computer for which you want to find and display information. The MAC address can be separated by a vertical bar (|), hyphen, or colon or typed with no spaces. Click the Only show active sessions checkbox to get only the information on active sessions for the user.
  • Page 55: Using Identity Driven Manager

    Using Identity Driven Manager. Chapter Contents: IDM Configuration Model 3-2; Configuration Process Review 3-2; Configuring Locations ...
  • Page 56: Idm Configuration Model

    Using Identity Driven Manager IDM Configuration Model IDM Configuration Model As described in the IDM model on page 2-5, everything relates to the top level, or Realm. Each User in the Realm belongs to an Access Policy Group (APG). The APG has an Access Policy defined for it that governs the access rights that are applied to its Users as they enter the network.
  • Page 57: Configuring Identity Management

    Using Identity Driven Manager IDM Configuration Model If you intend to restrict a user’s access to specific systems, based on the system they use to access the network, you need to modify the User profile to include the MAC address for each system from which the user is allowed to login.
  • Page 58 Using Identity Driven Manager IDM Configuration Model Figure 3-1. Identity Management Configuration, default display Click the node in the navigation tree to display the defined configuration parameters and add or edit new configuration parameters, as described in the following sections.
  • Page 59: Configuring Locations

    Using Identity Driven Manager Configuring Locations Configuring Locations Locations in IDM identify the switch and/or ports on the switch and wireless access points where users connect to the network. Users generally are allowed to log in to the network from a variety of locations; IDM allows you to create customized locations to match specific environments.
  • Page 60 Using Identity Driven Manager Configuring Locations Adding a New Location To create a new location: Click the New Location icon in the toolbar to display the New Location window. Type in a Name for the location. Type in a Description for the location. Click Add device...
  • Page 61 Using Identity Driven Manager Configuring Locations Enter the Device to be added using the Device Selection pull-downs, or select the Manually enter device address option. Using the Device Selection option: Select a device group using the pull-down menu. This will enable the Select Device pull-down menu in the next field.
  • Page 62 Using Identity Driven Manager Configuring Locations NOTE: If a switch in the device list is not configured to authenticate with the RADIUS server, the settings in IDM will have no effect. You can type in an IP address for non-ProCurve devices and if the device uses industry standard RADIUS protocols, the settings should work;...
  • Page 63 Using Identity Driven Manager Configuring Locations NOTE: When modifying Locations, make sure all devices for the location are configured with the appropriate VLANs. If you Modify a Location that is part of a VLAN (subnet) and that Location is currently used in an Access Policy Group rule, IDM will check to make sure that the VLAN exists.
  • Page 64: Configuring Times

    Using Identity Driven Manager Configuring Times Configuring Times Times are used to define the hours and days when a user can connect to the network. When included in the Access Policy Group rules, the time can be used to allow or deny access from specific locations at specific times. For example, students might be allowed network access from the "Classroom"...
  • Page 65 Using Identity Driven Manager Configuring Times Creating a New Time To configure a Time: Click the Times node in the Identity Management Configuration navigation tree to display the Times panel. Click the Add New Time toolbar icon to display the Create a new Time window.
  • Page 66 Using Identity Driven Manager Configuring Times Define the properties for the new time. Name: Name used to identify the time. Description: Brief description of the time. Time: Time of day when the user will be accepted on the network. To allow access the entire day, click the All day radio button.
  • Page 67 Using Identity Driven Manager Configuring Times Modifying a Time Click the Times node in the Identity Management Configuration navigation tree to display the Times panel. Click on a Time in the navigation tree to display the Time details in edit mode, similar to the Create a new Time panel.
  • Page 68 Using Identity Driven Manager Configuring Times Defining Holidays To add holidays for use when defining Times in IDM: Click the Times node in the Identity Management Configuration navigation tree to display the Times panel. Click the Holidays icon in the toolbar to launch the Holidays window.
  • Page 69 Using Identity Driven Manager Configuring Times...
  • Page 70: Configuring Network Resources

    Using Identity Driven Manager Configuring Network Resources Configuring Network Resources The Network Resources in IDM are used to permit or deny traffic to and from specified sources and destinations. This is done by configuring an IP-based filter based on either: ■...
  • Page 71 Using Identity Driven Manager Configuring Network Resources The Network Resources window lists the name and parameters for defined resources, including: Name: Name used to identify the resource. IP Address: IP Address for the switch associated with the resource ("any" if the resource is being filtered by protocol).
  • Page 72 Using Identity Driven Manager Configuring Network Resources Adding a Network Resource To define a Network Resource: Click the Network Resources node in the Identity Management Configuration navigation tree to display the Network Resources panel. Click the Add Network Resource toolbar icon to display the Define Network Resource window.
  • Page 73 Using Identity Driven Manager Configuring Network Resources Protocol: Select UDP, TCP, or IP to identify the protocol used to filter access to the resource. Protocol can be used alone or with an IP address and port parameters to define the network resource access. To use a custom protocol number for a network resource, check the Enter protocol number checkbox and type the protocol number (0-137) Port: Any port is selected by default, which means all ports associated to...
  • Page 74 Using Identity Driven Manager Configuring Network Resources To Delete a Network Resource: Click the Network Resources node in the Identity Management Configuration navigation tree to display the Network Resources panel. Click in the list to select the network resource to edit, then click the Delete Network Resource toolbar icon.
  • Page 75: Configuring Access Profiles

    Using Identity Driven Manager Configuring Access Profiles Configuring Access Profiles IDM uses an Access Profile to set the VLAN, QoS, Bandwidth (rate-limits) and Network Resource access rules that are applied to the user when they are authenticated on the network. This is where the real benefits of "access control"...
  • Page 76 Using Identity Driven Manager Configuring Access Profiles Click the Access Profile node in the navigation tree, or double-click on a profile in the list, to display the details of the selected profile. Figure 3-3. Name, Description, and Access Attributes are the same as defined in the Access Profiles list.
  • Page 77 Using Identity Driven Manager Configuring Access Profiles Creating a New Access Profile Click the Access Profiles node in the Identity Management Configuration navigation tree to display the Access Profiles window. Click the Add Access Profile icon in the toolbar to display the Create a new Access Profile window.
  • Page 78 Using Identity Driven Manager Configuring Access Profiles NOTE: If you are assigning any VLAN other than the default VLAN, ensure that the VLAN is configured correctly on all switches to which this access profile will be applied before defining the access profile. The VLAN that gets set for a user will override the statically configured VLAN, auth-vid as well as the...
  • Page 79 Using Identity Driven Manager Configuring Access Profiles To permit access to Network Resources: a. Select the Resource in the Available Resources list. Use shift-click to select multiple resources. b. Move the Available Resource(s) to the Allowed Resources list (click >>). Click Next to continue to the Denied Resources window.
  • Page 80 Using Identity Driven Manager Configuring Access Profiles To deny access to Network Resources: a. Select the Resource in the Available Resources list. Use shift-click to select multiple resources. b. Move the Available Resource(s) to the Denied Resources list (click >>). Click Next to continue to the Priority Assignment window.
  • Page 81 Using Identity Driven Manager Configuring Access Profiles Set the priority (order of evaluation) for the Network Resources. To change the priority, click the Resource in the list, then click Move down or Move up. The first rule to match is the one that will be applied. Click Next to continue to the Default Access window.
  • Page 82 Using Identity Driven Manager Configuring Access Profiles 11. Click Next to continue to the Resource Accounting window. 12. Click the check box to enable the Accounting function (optional). This enables tracking of hits on this resource on the switch or access point.
  • Page 83 Using Identity Driven Manager Configuring Access Profiles 14. Click Finish to save the Network Resource Assignments to the Access Profile and close the wizard. Click Back to return to a previous window to change the assignment, or click Cancel to close the wizard without saving the changes. Click Start Over to return to the start of the Network Assignment Wizard.
  • Page 84 Using Identity Driven Manager Configuring Access Profiles NOTE: When modifying Access Profiles, make sure the appropriate VLANs are configured on the network and at the switch. If you Modify the VLAN attribute in an Access Profile that is currently used in an Access Policy Group rule, IDM will check that the VLAN exists.
  • Page 85: Defining Access Policy Groups

    Using Identity Driven Manager Defining Access Policy Groups Defining Access Policy Groups An Access Policy Group (APG) contains rules that define the VLAN, rate-limit (bandwidth), quality of service, and network resource access rules for users in the group, based on the time, location, and system from which the user logs in.
  • Page 86 Using Identity Driven Manager Defining Access Policy Groups To begin, expand the Realms node to display the Access Policy Group node in the IDM tree. Click it to display the Access Policy Groups tab. You can expand the Access Policy Group (APG) node in the tree, and click the individual APG node to display the policy Properties...
  • Page 87 Using Identity Driven Manager Defining Access Policy Groups Type in a Name and Description for the Access Policy Group. Click New... to display the New Access Rule dialogue. Select an option from the pull-down menu for each field. Location: Lists the Locations you created by name, and the "ANY"...
  • Page 88 Using Identity Driven Manager Defining Access Policy Groups Access Profile: Lists the Access Profiles you created by name, the Default Access Profile, and a REJECT option. Select REJECT if the rule will prohibit a user from logging in. Repeat the process for each rule you want to apply to the APG. The Access rules are evaluated in the order (priority) they are listed in the Access Rules table.
  • Page 89 Using Identity Driven Manager Defining Access Policy Groups Using IDM with Endpoint Integrity Systems You can create access profiles in IDM to work in conjunction with endpoint integrity (host integrity) applications to verify that systems attempting to connect to the network meet security requirements. To use the Endpoint Integrity support options you need to select the Endpoint Integrity option in the IDM Preferences window (Tools->Preferences->Identity Management)...
  • Page 90 Using Identity Driven Manager Defining Access Policy Groups Modifying an Access Policy Group Click the Access Policy Group node in the IDM tree to display the Access Policy Groups tab. Click on an Access Policy Group Name to select it. Click the Modify Policy Group icon to display the Modify Access...
  • Page 91: Configuring User Access

    Using Identity Driven Manager Configuring User Access Configuring User Access The process of configuring User access to network resources using IDM is simplified through IDM’s ability to learn User information from the RADIUS server, and the use of Access Policy Groups. Once you have configured the Access Policy Groups, you simply assign users to an APG.
  • Page 92 Using Identity Driven Manager Configuring User Access Adding Users to an Access Policy Group To assign a user to an access policy group: Expand the Realms node, then click the individual Realm to display the Users tab, or expand the realm to display access policy groups. Click the Users tab of the Realm or Access Policy Group...
  • Page 93: Using Global Rules

    Using Identity Driven Manager Configuring User Access Using Global Rules Global Rules can be used to provide an "exception process" to the normal processing of access rules via Access Policy Groups. IDM will check for Global Rules and apply them to the designated users before processing any access rules found in Access Policy Groups.
  • Page 94 Using Identity Driven Manager Configuring User Access Creating a Global Rule is similar to creating Access Rules for an Access Profile Group. To create a global rule: In the navigation tree, click on the realm that will use the global rule, then Global Rules Realm click the...
  • Page 95 Using Identity Driven Manager Configuring User Access Select the Location where the global rule will be applied, or " ". b. Select the Time when the global rule will be used, or " ". Select the System where the global rule will be used, or " "...
  • Page 96: Deploying Configurations To The Agent

    Using Identity Driven Manager Deploying Configurations to the Agent Deploying Configurations to the Agent Once you have configured the Access Policy Groups and assigned users, you need to deploy the configuration information to the IDM Agent. The Access Policy Group assignments (including the locations, times, and Access Profiles) are not applied until they get deployed to the IDM Agent on the RADIUS server, and the user logs in again.
  • Page 97: Using Manual Configuration

    Using Manual Configuration. It is simplest to let the IDM Agent run and collect information about Realms, including the RADIUS servers and the users in the Realm, from the RADIUS server, but you can also manually define information about the Realm, RADIUS servers, and users in the IDM GUI.
  • Page 98: Modifying And Deleting Realms

    Modifying and Deleting Realms. To modify an existing Realm: select the Realm in the Realms list. Click the Modify icon on the Realm list toolbar to display the Modify Realm window (similar to the New Realm window). Edit entries as needed for the Realm: Name •...
  • Page 99: Defining Radius Servers

    Defining RADIUS Servers. You can let the IDM Agent learn about the RADIUS server on which it is installed, or you can define the RADIUS Server in the IDM Client. NOTE: You can have multiple RADIUS servers within your Realm.
  • Page 100: Modifying And Deleting Radius Servers

    Using Identity Driven Manager Using Manual Configuration Modifying and Deleting RADIUS Servers To modify an existing RADIUS Server: RADIUS List Use the IDM Tree to navigate to the window, and select the RADIUS Server you want to edit in the list. Modify RADIUS Modify Click the...
  • Page 101: Adding New Users

    Adding New Users. You can let the IDM Agent automatically learn about the users from the RADIUS server on which it is installed, or you can define user accounts in the IDM Client. You can also use the IDM User Import feature in the Tools menu. Adding users in IDM: Manual Process. To add a new User in IDM: Users...
  • Page 102 If you want to restrict the user's access to specific systems, click New System... to display the User's System dialog. Otherwise click OK to save the user and close the window. Configuring User Systems. To restrict the user's access to specific systems, click New System...
  • Page 103: Modifying And Deleting Users

    NOTE: Access Policy Group settings are not applied to the user until you deploy the new configuration to the IDM Agent on the RADIUS server. See "Deploying Configurations to the Agent" on page 3-42 for details. Modifying and Deleting Users. To modify an existing User: User...
  • Page 104: Using The User Import Wizard

    Using the User Import Wizard. The IDM User Import Wizard lets you add users to IDM from another source, such as an Active Directory or LDAP server. The IDM Import Wizard also synchronizes the IDM user database with the import source directory, and allows you to delete users from the IDM user database that are not found in the import source directory.
  • Page 105: Importing Users From Active Directory

    Importing Users from Active Directory. To import user information into IDM from an Active Directory: select the IDM User Import option from the Tools drop-down list in the global toolbar. This launches the IDM User Import Wizard. Click Next to continue to the Data Source selection window.
  • Page 106 Click the radio button to select the Active Directory data source. Click Next to continue to the Group Scope window.
  • Page 107 Select the scope of Active Directory groups that you want to import user data from. One scope imports users from all Active Directory groups; the Global scope imports users from the Global Active Directory group, which also gets user data from any custom-defined group in your Active Directory.
  • Page 108 Click the Select checkbox to choose the groups you want to import from the Active Directory into IDM. If there is no checkbox, the group already exists in IDM and does not need to be selected. Click Next to continue to the Add Users window.
  • Page 109 10. Click the Select checkbox to choose the users you want to import from the Active Directory into IDM. The current import data is compared to the existing user list in IDM. If no new (additional) users are found in the import data, the user list is empty.
  • Page 110 b. Click Next to continue. c. Repeat the process for each user. Click Finish to save the group selections and exit the pop-up. d. Click Back to change the previous selection. 11. Remove Users...
  • Page 111: Importing Users From An Ldap Server

    A summary of the IDM Import displays. 15. Click Finish to exit the wizard. Importing Users from an LDAP Server. The IDM Import Wizard includes support for using the Windows 2003 LDAP service to import users from a Microsoft Active Directory.
  • Page 112 Administrator to get the certificate. The trust store is available under the installation directory of PCM. For example, if PCM is installed under Program Files\Hewlett-Packard, type:
      C:> cd c:\Program Files\Hewlett-Packard\PNM\jre\lib\security
      C:> ..\..\bin\keytool -import -file <ldapcertfile> -alias myldapcert -keystore cacerts -keypass <certificate password>...
    keytool prompts for the cacerts keystore password (-storepass) when it is not given on the command line; a stock JRE ships cacerts with the well-known default password "changeit", and -keypass applies to private-key entries rather than to a trusted certificate. Before importing, compare the certificate's fingerprint (keytool -printcert -file <ldapcertfile>) with the value the LDAP administrator gives you, because anything placed in cacerts is trusted by every Java component that uses that JRE.
  • Page 113 b. Select the LDAP Authentication type to be used with the imported user data (Authentication type / Description). Simple: simple authentication, which is not very secure on its own, sends the LDAP server the fully qualified DN of the client (user) and the client's clear-text password, so it should only be used over a TLS-protected (LDAPS) connection.
  • Page 114 For Simple Authentication. Simple authentication, which is not very secure, sends the LDAP server the fully qualified DN of the client (user) and the client's clear-text password. Values for these fields can be obtained from the LDAP server administrator.
  • Page 115 Using Digest-MD5 Authentication. The SASL Digest-MD5 authentication window is used to define the LDAP data source for Digest-MD5. In Digest-MD5, the server generates a challenge (a nonce) and the client responds with an MD5 digest computed from that challenge and the shared secret (password); the password itself does not cross the wire, but the server must hold a password-equivalent hash of it, and the mechanism has since been moved to historic status (RFC 6331), so prefer Kerberos or a TLS-protected bind where the directory supports them. Values for these fields can be obtained from the LDAP server administrator.
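To make the Digest-MD5 exchange described above concrete, the following is an added example (not code from the manual, IDM, or any LDAP server) that plays both sides of a SASL DIGEST-MD5 bind per RFC 2831 with qop=auth and no authorization identity. The realm, user, password and digest-uri are constructed sample values. It shows what the server must store (H(user:realm:password)), that only a digest travels in the client's response, and that a replayed response is rejected because each nonce is single-use.

```python
"""SASL DIGEST-MD5 (RFC 2831) bind exchange, qop=auth, no authzid.
Constructed example: realm, user, password and digest-uri are sample values."""
import hashlib
import hmac
import secrets


def _h(data: bytes) -> bytes:
    """H() from RFC 2831: raw 16-byte MD5."""
    return hashlib.md5(data).digest()


def _hexh(data: bytes) -> str:
    """HEX(H()) from RFC 2831: lowercase hex of the MD5 digest."""
    return hashlib.md5(data).hexdigest()


def password_hash(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password). This is the password-equivalent the server
    must hold to verify DIGEST-MD5 binds; protect it like the password itself."""
    return _h(f"{username}:{realm}:{password}".encode())


def response_value(pw_hash: bytes, nonce: str, cnonce: str, nc: str,
                   qop: str, digest_uri: str) -> str:
    """response-value = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2))))
    A1 = H(user:realm:pass) ":" nonce ":" cnonce ; A2 = "AUTHENTICATE:" digest-uri
    KD(k, s) = H(k ":" s)."""
    a1 = pw_hash + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    return _hexh(f"{_hexh(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexh(a2)}".encode())


class LdapServer:
    """Server side: issues a fresh single-use nonce per bind and verifies the
    client's digest using only the stored H(user:realm:pass)."""

    def __init__(self, realm: str, user_hashes: dict):
        self.realm = realm
        self.user_hashes = user_hashes
        self.outstanding = set()          # nonces issued but not yet consumed

    def challenge(self) -> dict:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, resp: dict) -> bool:
        nonce = resp["nonce"]
        if nonce not in self.outstanding:
            return False                  # unknown or already used nonce: replay rejected
        self.outstanding.discard(nonce)
        pw_hash = self.user_hashes.get(resp["username"])
        if pw_hash is None or resp["realm"] != self.realm or resp["nc"] != "00000001":
            return False
        expected = response_value(pw_hash, nonce, resp["cnonce"], resp["nc"],
                                  resp["qop"], resp["digest-uri"])
        return hmac.compare_digest(expected, resp["response"])


def client_response(challenge: dict, username: str, password: str,
                    digest_uri: str) -> dict:
    """Client side: the password is used only locally; the wire carries the digest."""
    cnonce = secrets.token_hex(16)
    nc = "00000001"
    pw_hash = password_hash(username, challenge["realm"], password)
    return {
        "username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
        "cnonce": cnonce, "nc": nc, "qop": challenge["qop"], "digest-uri": digest_uri,
        "response": response_value(pw_hash, challenge["nonce"], cnonce, nc,
                                   challenge["qop"], digest_uri),
    }


REALM = "corp.example"                                          # constructed sample realm
USERS = {"jdoe": password_hash("jdoe", REALM, "s3cret")}        # constructed sample user


def bind(password: str, replay_previous: bool = False):
    """Run one bind exchange. Returns (accepted, wire_message) so a caller can
    confirm the password never appears in what the client sent."""
    server = LdapServer(REALM, USERS)
    msg = client_response(server.challenge(), "jdoe", password, "ldap/ldap.corp.example")
    accepted = server.verify(msg)
    if replay_previous:
        return server.verify(msg), msg    # same response again must be refused
    return accepted, msg


if __name__ == "__main__":
    ok, msg = bind("s3cret")
    print("bind accepted:", ok, "| password on wire:", "s3cret" in repr(msg))
```

The server-side check uses a constant-time comparison and consumes the nonce on first use; a real directory additionally enforces a nonce lifetime and checks the nonce-count for re-authentication.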
  • Page 116 Using Kerberos-V5 Authentication. The SASL Kerberos V5 authentication window is used to define the LDAP data source for Kerberos. Kerberos V5 authentication requires that your LDAP server is set up with a Key Distribution Center (KDC). Contact your LDAP server administrator for details.
  • Page 117 Using External Authentication. The SASL External authentication window is used to define the external LDAP data source. External authentication uses an X.509 certificate for user authentication. The LDAP X.509 user certificate (together with its private key, which is what proves possession of the certificate to the server) must be installed in a keystore on the IDM server, and the LDAP server's certificate must be stored in the trust store under your JRE installation on the IDM server.
  • Page 118 Click Next to continue to the Extract Users and Groups window. Importing LDAP X.509 User Certificates into a Keystore: if you are using a JKS keystore, the X.509 user certificate must be installed in a keystore on the IDM server.
  • Page 119 Using Anonymous Authentication. The LDAP Anonymous Authentication window is used to define the LDAP data source. Values for these fields can be obtained from the LDAP server administrator. To set up an LDAP server with anonymous authentication: in the Server field, type the IP address of the LDAP server. An anonymous bind only works if the directory allows unauthenticated reads of the user and group attributes IDM imports; granting that across the directory exposes the account listing to anyone who can reach the LDAP port.
  • Page 120 If you are using any other LDAP directory source (for example Novell eDirectory) you will need to modify the settings in ~Program Files\Hewlett-Packard\PNM\server\config\IDMImportServerComp.scp. Following is an example of the IDMImportServerComp.scp file for reference. Comments are indicated by "//".
  • Page 121
      LDAP_DIRECTORY_CONFIG {
        // Configuration for LDAP directory. Following values are for Active Directory.
        // Change as needed per object class and attributes in LDAP directory being used.
        // User object
        USER {
          // User object class
          OBJECT_CLASS=User
          // Login name attribute.
          ...
  • Page 122: Importing Users From Xml Files

    Importing Users from XML files. If you select to import users from an XML file, the XML Data Source window displays. The XML file containing user data must reside on the IDM server to use this option, and it must contain information similar to the data shown in the "XML User Import File Example"...
  • Page 123 XML User Import File Example. XML files used to import user data to IDM should have the following format.
      <?xml version='1.0' encoding='ISO-8859-7' ?>
      <DirData>
        <Domain name="domain name">
          <User name="username" description="user description" displayName="user display name"...
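As an added example (not part of the manual and not IDM's import code), the following builds an import file in the DirData/Domain/User layout shown above and validates one before it is handed to the wizard. Only the name, description and displayName attributes visible in the manual's sample are used; the manual's fragment is truncated, so any further attributes IDM accepts are unknown here. The sample users are constructed. The declared ISO-8859-7 encoding is kept as in the manual's sample; characters outside it are written as numeric character references. The parser refuses files carrying a DOCTYPE, which closes off entity-expansion tricks in a file that an operator may have received from someone else, and rejects empty or case-duplicate login names because RADIUS and Active Directory logins are matched case-insensitively.

```python
"""Build and validate IDM XML user-import files (constructed example).
Only the elements and attributes shown in the manual's sample are used."""
import xml.etree.ElementTree as ET

ENCODING = "ISO-8859-7"   # the encoding declared in the manual's sample file


def build_import_file(domains: dict) -> bytes:
    """domains: {"domain name": [{"name": ..., "description": ..., "displayName": ...}]}.
    ElementTree emits the XML declaration itself for a non-UTF-8 encoding and
    replaces characters outside ISO-8859-7 with numeric character references."""
    root = ET.Element("DirData")
    for domain, users in domains.items():
        dom = ET.SubElement(root, "Domain", name=domain)
        for u in users:
            ET.SubElement(dom, "User", name=u["name"],
                          description=u.get("description", ""),
                          displayName=u.get("displayName", u["name"]))
    return ET.tostring(root, encoding=ENCODING)


def parse_import_file(data: bytes) -> dict:
    """Parse and validate an import file. Returns {domain: [user dicts]}.
    Rejects DOCTYPE declarations (entity expansion) and empty or duplicate names."""
    if b"<!DOCTYPE" in data:
        raise ValueError("DOCTYPE declarations are not accepted in import files")
    root = ET.fromstring(data)
    if root.tag != "DirData":
        raise ValueError(f"root element must be DirData, got {root.tag}")
    result = {}
    for dom in root.findall("Domain"):
        domain = dom.get("name", "").strip()
        if not domain:
            raise ValueError("Domain without a name attribute")
        users, seen = [], set()
        for u in dom.findall("User"):
            name = u.get("name", "").strip()
            if not name:
                raise ValueError(f"User without a name in domain {domain}")
            if name.lower() in seen:          # logins are matched case-insensitively
                raise ValueError(f"duplicate user {name} in domain {domain}")
            seen.add(name.lower())
            users.append({"name": name,
                          "description": u.get("description", ""),
                          "displayName": u.get("displayName", name)})
        result[domain] = users
    return result


# Constructed sample input
SAMPLE = {
    "corp.example": [
        {"name": "jdoe", "description": "Contractor, building 3", "displayName": "John Doe"},
        {"name": "asmith", "description": "Helpdesk", "displayName": "Ann Smith"},
    ]
}


def roundtrip(domains: dict = None) -> dict:
    """Serialize then parse; returns the parsed structure."""
    return parse_import_file(build_import_file(domains or SAMPLE))


if __name__ == "__main__":
    print(build_import_file(SAMPLE).decode(ENCODING))
    print(roundtrip())
```

The standard-library parser used here does not fetch external entities, but it will still expand internal ones unless the DOCTYPE check above runs first; for files from an untrusted source the defusedxml package is the stricter drop-in.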
  • Page 125 Troubleshooting IDM. Chapter Contents: IDM Events (4-2), Using Event Filters...
  • Page 126: Troubleshooting Idm

    IDM Events. The IDM Events window is used to view and manage IDM events generated by the IDM application or by the IDM Agent installed on a RADIUS server. This window helps you quickly identify IDM-related problems in your network. To view the IDM events, click the Events tab in the IDM Home display.
  • Page 127 Date: the Date column lists the date and time when the event occurred, given in MM/DD/YY/HH:MM format. Description: the Description column provides a short description of the event. The description is derived from a list of predefined descriptions based on the event type.
  • Page 128: Using Event Filters

    Click the Acknowledge Event icon in the toolbar. To delete an IDM event: click the Events tab on the IDM Dashboard window to display the IDM Events window. Select the event(s) to be deleted. Click the Delete Event icon in the toolbar. Deleting an event removes the event from the Events list and reduces the Event count in the IDM Dashboard window, so prefer acknowledging to deleting while a problem is still being investigated.
  • Page 129 In the Manage Filters window, click New to display the New Filter window. Click the Filter Type drop-down arrow and select the type of filter to be created. Possible types are: Severity: use this parameter to filter out lower or higher severity events, or to view events for only one severity level.
  • Page 130 In the Criteria field, enter the criteria used to select events. The Criteria field works in conjunction with the Operator field. For example, to filter out Informational events, set the Filter Type to Severity, the Operator to greater-than, and the Criteria to Informational: when the filter is activated, only events with a severity greater than Informational are displayed.
  • Page 131 Modify the filter attributes. Click Ok to save your changes and close the Modify Filters window. The changes to the filter appear in the Manage Filters list. Click Ok to close the Manage Filters window. To delete an event filter: click the Configure Filters icon on the Events toolbar to display the Manage Filters window.
  • Page 132: Using Activity Logs

    Click Ok to save the IDM Event Settings and close the window. IDM's event archive is /server/logs/IDMEventMgrServer-ServerArchivedEvents.log under the installation directory; in a default installation the directory is /Program Files/Hewlett-Packard/PNM. Using Activity Logs. IDM also provides an Activity Log you can use to monitor events for specific RADIUS servers.
  • Page 133: Using Decision Manager Tracing

    To turn on tracing, edit the DMConfig.prp file on the RADIUS server. The default directory location is \Program Files\Hewlett-Packard\PNM\agent\logs. Available logging options in DMConfig.prp are: Log_dm_cache = true/false: true will log IDM configuration deployment events, including the configuration file data content. Because that content is the deployed access policy itself, restrict read access to the agent's log directory and set the option back to false once troubleshooting is finished.
  • Page 134: Miscellaneous

    Miscellaneous. For authenticating a MAC-Auth user using Funk Steel-Belted RADIUS (SBR) with IDM, the password should be specified in lower-case (in the SBR user directory). If upper-case characters are used in the password, you may get the following error: "MAC-Auth user gets rejected because of incorrect password".
  • Page 135: A Idm Technical Reference

    Device Support for IDM Functionality. Due to variations in the hardware and software configuration of the various ProCurve devices, not all IDM [Access Profile] features are supported on all devices. The following table indicates the IDM functionality supported by ProCurve device type at the time this manual was printed.
  • Page 136: Best Practices

    Best Practices. Authentication Methods: the IDM application is designed to support RADIUS server implementations with 802.1X using supplicants, as well as Web-auth and MAC-auth. However, to gain the full benefits of using IDM, HP advises that you implement RADIUS using an 802.1X supplicant; MAC-auth in particular authenticates nothing more than a hardware address that any client can set, so it identifies a device, not a user.
  • Page 137 Handling Unknown or Unauthorized Users. If a user is authenticated in RADIUS but is unknown to IDM, IDM will not override RADIUS authentication and the default switch settings unless you configure it to do so. Also, if IDM rejects the user but you have set "unauth-vid" on the switch port, the port will still be opened and the VLAN will be set to the unauth-vid, so an IDM reject keeps the client off the production network only if the unauthorized VLAN is itself an isolated guest or quarantine VLAN.
  • Page 138 In this instance, if the user attempts to log in during the times specified for the Weekends, they will be rejected, and an IDM event will be logged indicating that the APG had a specific Reject rule set to deny access. If the user logs in at times not specified for the weekend, the time in the first rule does not match, so IDM moves to the second rule.
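The ordering just described (Global Rules for the designated users first, then the user's Access Policy Group rules in order, first match wins, with a logged event on a Reject) and the unknown-user rule from page 137 are modelled below. This is an added example, not IDM's decision-manager code: the Location/Time/System selectors with an unrestricted "any" choice follow the Global Rule dialog on page 95, the realm, APG, users, time window and login timestamps are constructed, and the behaviour when no rule matches at all (the RADIUS accept stands with no profile imposed) is an assumption this page does not state.

```python
"""Model of IDM rule evaluation: Global Rules first, then the user's APG rules,
first match wins. Constructed example; data model and no-match default assumed."""
from dataclasses import dataclass, field
from datetime import datetime

ANY = "any"   # the unrestricted choice in the Location/Time/System selectors (assumed label)


@dataclass(frozen=True)
class TimeWindow:
    """Named Time selector: days of week (Monday=0 .. Sunday=6) and hours [start, end)."""
    name: str
    days: frozenset
    start_hour: int = 0
    end_hour: int = 24

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour


@dataclass(frozen=True)
class Rule:
    location: str = ANY              # Location name or ANY
    time: str = ANY                  # TimeWindow name or ANY
    system: str = ANY                # client System name or ANY
    action: str = "accept"           # "accept" or "reject"
    profile: str = ""                # Access Profile applied on accept (VLAN, ACLs, rate limit)
    users: frozenset = frozenset()   # Global Rules only: designated users (empty = everyone)


@dataclass
class Login:
    user: str
    location: str
    system: str
    when: datetime


@dataclass
class Decision:
    action: str
    reason: str
    profile: str = ""
    events: list = field(default_factory=list)


class Realm:
    def __init__(self, time_windows, global_rules, apgs, memberships):
        self.time_windows = {w.name: w for w in time_windows}
        self.global_rules = list(global_rules)   # evaluated before any APG rule
        self.apgs = apgs                         # APG name -> ordered list of Rule
        self.memberships = memberships           # user -> APG name

    def _matches(self, rule: Rule, login: Login) -> bool:
        if rule.users and login.user not in rule.users:
            return False
        if rule.location != ANY and rule.location != login.location:
            return False
        if rule.system != ANY and rule.system != login.system:
            return False
        if rule.time != ANY and not self.time_windows[rule.time].contains(login.when):
            return False
        return True

    def decide(self, login: Login) -> Decision:
        """Evaluated only after RADIUS has already accepted the user."""
        apg = self.memberships.get(login.user)
        if apg is None:
            # Unknown to IDM: RADIUS result and switch defaults stand (manual, page 137)
            return Decision("accept", "user unknown to IDM; not overridden")
        ordered = [("Global Rule", r) for r in self.global_rules] + \
                  [(f"APG {apg}", r) for r in self.apgs[apg]]
        for owner, rule in ordered:
            if not self._matches(rule, login):
                continue                         # selector mismatch: move to the next rule
            if rule.action == "reject":
                return Decision("reject", f"{owner} reject rule matched",
                                events=[f"USER_FAILED_LOGIN {login.user}: {owner} reject rule"])
            return Decision("accept", f"{owner} accept rule matched", profile=rule.profile)
        # Assumption: with no matching rule IDM imposes nothing and the RADIUS accept stands.
        return Decision("accept", "no rule matched; RADIUS result stands")


def sample_realm() -> Realm:
    """Constructed realm: contractors may log in at HQ on weekdays only, and one
    account is suspended through a Global Rule regardless of its APG."""
    weekends = TimeWindow("Weekends", frozenset({5, 6}))
    contractors = [
        Rule(time="Weekends", action="reject"),                            # first rule
        Rule(location="HQ", action="accept", profile="contractor-vlan"),   # second rule
    ]
    suspended = Rule(action="reject", users=frozenset({"mallory"}))
    return Realm([weekends], [suspended], {"Contractors": contractors},
                 {"jdoe": "Contractors", "mallory": "Contractors"})


def evaluate(user: str, location: str, system: str, when_iso: str) -> Decision:
    """Run one login against sample_realm(); when_iso is an ISO 8601 timestamp."""
    return sample_realm().decide(Login(user, location, system, datetime.fromisoformat(when_iso)))


if __name__ == "__main__":
    for args in (("jdoe", "HQ", "laptop-7", "2024-06-08T10:00"),      # Saturday: weekend reject
                 ("jdoe", "HQ", "laptop-7", "2024-06-11T10:00"),      # Tuesday: HQ accept
                 ("mallory", "HQ", "laptop-7", "2024-06-11T10:00"),   # Global Rule wins
                 ("guest", "HQ", "phone-2", "2024-06-11T10:00")):     # unknown to IDM
        d = evaluate(*args)
        print(f"{args[0]:8} {d.action:6} {d.profile or '-':16} {d.reason}")
```

Because the Global Rule is checked first, the suspended account is rejected even though the APG's second rule would have accepted it at HQ on a weekday; the same first-match logic is why the order of rules inside an APG matters.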
  • Page 139: Types Of User Events

    Types of User Events. The USER_FAILED_LOGIN event happens whenever RADIUS sends IDM a message of an unsuccessful login. This can have various sources, which you can review in the Event Details: either IAS (Microsoft Internet Authentication Service) did not let the user log in (bad username, password, etc.), or IDM rejected the login.
  • Page 141: Index

    Index: Access Attributes 3-22; Access attributes 3-23; Access Information 2-32; Access Policy order 3-34; Access Policy Group 3-31 (Assignments 3-38, delete 3-36, edit 3-36); Deploy IDM configurations 3-42; Digest-MD5 authentication 3-61; Disable user 2-32; Domain Names A-2; Edge Device 1-7; Endpoint integrity (enabling 2-15); Endpoint Integrity State 2-20...
  • Page 142 Importing Users 3-51 (with XML files 3-68); Kerberos V5 authentication 3-62; LDAP Authentication 3-59; LDAP Directory settings 3-66; LDAP Server (Digest-MD5 Authentication 3-61...); RADIUS 1-7; RADIUS Activity Log 4-8; RADIUS Server (delete 3-46, edit definition 3-46, new 3-45); Rate-Limiting A-3; Realm 1-8 (delete 3-44, edit 3-44); Realms...
  • Page 143 User Access 3-37; User Import, LDAP Server 3-57; User Import Wizard 3-50; User Location Information 2-31; User MAC Addresses 2-20; User Properties 2-30; User Report 2-21; User Session information 2-29; User Systems 3-48; Users tab 3-37; warranty 1-ii; XML file, user import 3-68; XML Import File format 3-69.
