The profile of attributes applied for each client (MAC address) session is
stored in the hpicfUsrProfile MIB, which serves as the configuration interface
for Network Immunity Manager. A client profile consists of NIM-configured,
RADIUS-assigned, and statically configured parameters. Using show
commands for 802.1X, web or MAC authentication, you can verify which
RADIUS -assigned and statically configured parameters are supported and if
they are supported on a per-port or per-client basis.
A NIM policy accesses the hpicfUsrProfileMIB through SNMP to perform the
following actions:
■
Bind (or unbind) a profile of configured attributes to the MAC address of
a client device on an authenticated or unauthenticated port.
Configure or unconfigure an untagged VLAN for use in an authenticated
■
or unauthenticated client session.
Note that the attribute profile assigned to a client is often a combination of
NIM-configured, RADIUS-assigned, and statically configured settings.
Precedence is always given to the temporarily applied NIM-configured
parameters over RADIUS-assigned and locally configured parameters.
For information on Network Immunity Manager, go to the HP ProCurve
Networking Web site at www.procurve.com/solutions, click on Security, and
then click on Security Products.
Arbitrating Client-Specific Attributes
In previous releases, client-specific authentication parameters for 802.1X
Web, and MAC authentication are assigned to a port using different criteria.
A RADIUS-assigned parameter is always given highest priority and overrides
statically configured local passwords. 802.1X authentication parameters
override Web or MAC authentication parameters.
DCA stores three levels of client-specific authentication parameters and
prioritizes them according to the following hierarchy of precedence:
1.
NIM access policy (applied through SNMP)
2.
RADIUS-assigned
a.
802.1X authentication
b. Web or MAC authentication
3.
Statically (local) configured
Security Overview
Precedence of Security Options
1-19