User Manual
Page 4
... RADIUS Servers 3-46 Adding New Users 3-47 Adding users in IDM: Manual Process 3-47 Modifying and Deleting Users 3-49 Using the User Import Wizard 3-50 Importing Users from Active Directory 3-51 Importing Users from an LDAP Server 3-57 Importing Users from XML files 3-68 4 Troubleshooting IDM IDM Events 4-2 Using Event Filters 4-4 Using Activity Logs 4-8 Using Decision Manager Tracing 4-9 Miscellaneous 4-10 A IDM Technical Reference Device Support for IDM Functionality A-1 Best Practices A-2 Types of User Events...
User Manual
Page 6
... of service (QoS), and VLAN enrollment are associated with the expansion of the Internet, wireless, and convergence technologies. This increases the burden on the network, and to create and assign "access policies" that extends the functionality of PCM+ to control network usage. ProCurve Identity Driven Manager, Client Interface 1-2 You can use IDM to monitor users on network managers working to include authorization control features for edge devices in networks using RADIUS servers and Web-Authentication, MAC...
User Manual
Page 7
... include MAC address, username and password, or more complex information. 3. Based on the time, place, and client that is generating the access request. 1-3 A client (user) attempts to connect to the network. If the user is enhanced to include authorization parameters along with access and resource usage parameters, to the authentication server (RADIUS). 4. Today, access control using IDM, access control is authenticated, the ProCurve device grants the user access to the network. 2. The switch forwards an access request...
User Manual
Page 8
... access for the user, and what network resources the user can create a "guest" profile in the user directory. If the user is used to configure VLAN access, QoS and Bandwidth parameters for unknown users. 1-4 If the user is accepted (authenticated), the IDM Agent on the RADIUS server processes the user information. Figure 1-3. Based on time and location of the user's login. The RADIUS server validates the user's identity in IDM to the switch...
User Manual
Page 9
... network through an edge switch, the user is authenticated via the IDM GUI on the RADIUS server, and an IDM Server that is co-resident with PCM+. Configuration and access management tasks are handled via the RADIUS Server and user directory. The IDM information is , what VLAN the user can access, and what resources (QoS, bandwidth) the user gets. The IDM agent includes: • A RADIUS interface that is used...
User Manual
Page 11
... network. This server receives user connection requests from the user to the rest of usernames and passwords, network cards (smartcards, token cards, etc.), and a device's MAC address to determine who and/or what the "user" is not permitted to date. It establishes what an authenticated user can do. Generally used to the rest of network resources a specific user can be engaged in place and up to use. Edge Device A network device (switch or wireless access point) that check...
User Manual
Page 14
... support changes made for IDM to the Access Security Guide that has no previous IDM version installed or in the underlying PCM and IDM databases. Additional processing power and additional disk space may be installed as a separate component. You can provide ProCurve Access Control Security solutions. If you want to test the IDM 2.0 functionality using VLANs, refer to configure VLANs within your switch. Upgrading from the ProCurve web site. About ProCurve Identity Driven Manager IDM Specifications...
User Manual
Page 22
... the IDM Agent install. Open a Web browser window on the RADIUS server and for the URL, type in the access.txt file on the PCM server to allow the RADIUS server to the RADIUS server system. 4. For example, if the IP address of supported devices and operating requirements under "Configuring Client/Server Access Permissions." 2. Getting Started Before You Begin Before You Begin If you have set up your network for your ProCurve switch Installing the IDM...
User Manual
Page 23
...: 1. This can let IDM do the hard work for you begin creating configurations in the IDM Home tab, you need to specific systems, you will access the network. To install a remote PCM/ IDM Client, download the PCM Client to a remote PC using multiple RADIUS servers, you intend to all RADIUS servers where the IDM Agent is included with the IP Address for installing the IDM Agent, just select the...
User Manual
Page 34
... you configure and apply access and authorization parameters using IDM, you can use the monitoring features along with the IDM Reports to track usage patterns, user session statistics, bandwidth usage, top users, and so on. Currently, only the latest versions of firmware on the switch that have been set up in the Access and Security Guide provided with the ProCurve switch for Web-Auth and MAC-Auth sessions. Using...
User Manual
Page 36
... Getting Started Using IDM as a Monitoring Tool the IDM agent will reduce the load on your IDM server and the GUI by the Reset procedures, the only effect is that currently open sessions are not removed by eliminating two-thirds of the events created for every user login and logout. 4. To ignore capability override warnings generated by the device, check the Only send supported device...
User Manual
Page 40
... the User's session, indicating the bandwidth usage for the session. You can filter the report by Access Policy Group and User. Getting Started Using IDM Reports The following "State" types: Failed, Passed, and Unknown. 2-20 Connection Time Length of MAC Addresses in minutes) for that user. The available column headings include: RADIUS Server IP MAC Address Device Port QOS BW (Bandwidth) Location Device VLAN Endpoint Integrity State User MAC Addresses: The User MAC Addresses provides a listing of time the user was connected (in use by configuring it...
User Manual
Page 53
... Realms or Access Policy Groups folder to which access is assigned. Select Find User from lowest to highest. Getting Started User Session Information Access Policy Group Access policy group that were applied to the user's session on the entire network. QoS ranges from the right-click menu. QoS assigned Quality of the user you search for a user or MAC address: 1. ACL The access control rules that governs user permissions for outbound traffic. The displayed...
User Manual
Page 73
... a network resource, check the Enter protocol number checkbox and type the protocol number (0-137) Port: Any port is selected by default, which means all ports associated to de-select it and enable the Port field. Enter the port number, or friendly port name* used for the network resource, click the Any port checkbox to the IP address are included in the Identity Management Configuration navigation tree to define the network resource access. If you set...
User Manual
Page 75
... network. Using Identity Driven Manager Configuring Access Profiles Configuring Access Profiles IDM uses an Access Profile to set the VLAN, QoS, Bandwidth (rate-limits) and Network Resource access rules that are applied to the user when they log in QoS The "Quality of Service" setting Bandwidth The rate limits for outbound traffic Description Brief description of "access control" are realized. When users log in, the Access Profile dynamically configures the switch or wireless access point settings to provide the proper network access and resources for the port the user...
User Manual
Page 120
... LDAP Server directory. Using Identity Driven Manager Using the User Import Wizard Editing IDM Configuration for LDAP Import The IDM server includes several configuration files that contain information used to IDM. BATCH_SIZE=50 // Internal to import User information from LDAP files. COUNT_LIMIT=0 // Internal to modify the LDAP Directory settings in: ~Program Files\Hewlett-Packard\PNM\server\config\IDMImportServerComp.scp Following is changed, you must also change the module name...
User Manual
Page 135
ProCurve unmanaged switches do not support IDM, including: 2700 series, 2300 series, 2124, and 408. Please check the ProCurve Web site (www.procurve.com) for the latest information on all IDM [Access Profile] features are not included in the table. A-1 Device Type: IDM Functions: 5300xl series 4100gl series 3400cl series 2600 series, 2600PWR, 2800 series 2500 Series 420 Wireless Access Point VLAN X X X X X X QoS Bandwidth Network Resources X X X X X X For the 2600 series, release H.08.53 (or newer) of the device software is...
User Manual
Page 136
... Technical Reference Best Practices Best Practices Authentication Methods The IDM application is designed to provide authorization and access control, but not both). Specifically, the switches will also disable the IDM usage reports. "OLDDOMAIN\user" versus "user@NewDomain"). Multiple RADIUS Server Implementation If you implement RADIUS using a standard format (either "DOMAIN\user" or user@domain, but the user session accounting will never be true if users log...
User Manual
Page 138
... port link speed, the switch will be able to restrict user access to use the "allow" vs. The other important piece in instances where you change the order of the rules becomes more complex. If the user logs in at times not specified for rate-limiting using low rate-limit policies on the network and the "Default" Access Profile settings are quite simple. Since all the time. To avoid problems...
User Manual
Page 142
... Locations 3-5, 3-9 Devices 3-6 modify 3-8 new 3-6 M MAC-Auth with SBR 4-10 Multiple RADIUS Servers A-2 N Navigation 2-9 Network Resource new 3-18 properties 3-18 Network Resource Assignment 3-24 Network Resource, configuring 3-16 Network Resources 3-16 P port disable 2-32 Preferences 2-15 endpoint integrity support 2-15 Q QoS 1-7 Index-2 R RADIUS 1-7 RADIUS Activity Log 4-8 RADIUS Server delete 3-46 edit definition 3-46 new 3-45 Rate-Limiting A-3 Realm 1-8 delete 3-44 edit 3-44 Realms new 3-43 Rejecting access A-3 Reports...