ProCurve Identity Driven Manager

Size: px
Start display at page:

Download "ProCurve Identity Driven Manager"

Transcription

1 User s Guide ProCurve Identity Driven Manager Software Release 2.3

2 Copyright 2008 Hewlett-Packard Development Company, LP. All Rights Reserved. This document contains information which is protected by copyright. Reproduction, adaptation, or translation without prior permission is prohibited, except as allowed under the copyright laws. Publication Number May, 2008 Disclaimer The information contained in this document is subject to change without notice. HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard. Trademark Credits Microsoft, Windows, Windows 95, and Microsoft Windows NT are registered trademarks of Microsoft Corporation. Internet Explorer is a trademark of Microsoft Corporation. Ethernet is a registered trademark of Xerox Corporation. Netscape is a registered trademark of Netscape Corporation. Warranty See the Customer Support/Warranty booklet included with the product. A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer. Hewlett-Packard Company 8000 Foothills Boulevard, m/s 5551 Roseville, California

3 Contents 1 About ProCurve Identity Driven Manager Introduction Why IDM? What s New in IDM IDM Architecture Terminology IDM Specifications Supported Devices Operating Requirements Additional Requirements Upgrading from Previous Versions of PCM and IDM Registering Your IDM Software Learning to Use ProCurve IDM Getting ProCurve Documentation From the Web ProCurve Support Getting Started Before You Begin Installing the IDM Agent Using the IDM Auto-Discover Feature IDM Configuration Process Overview IDM Usage Strategies Understanding the IDM Model IDM GUI Overview IDM Dashboard Using the Navigation Tree Toolbars and Menus Using IDM as a Monitoring Tool Using IDM Reports Creating Report Policies Configuring a Policy Action to Generate Reports IDM Session Cleanup Policy User Session Information Finding a User User Reports iii

4 Contents IDM Preferences Using Active Directory Synchronization Using Identity Driven Manager IDM Configuration Model Configuration Process Review Configuring Identity Management Configuring Locations Adding a New Location Modifying a Location Deleting a Location Configuring Times Creating a New Time Modifying a Time Deleting a Time Configuring Network Resources Adding a Network Resource Modifying a Network Resource Deleting a Network Resource Configuring Access Profiles Creating a New Access Profile Modifying an Access Profile Defining Access Policy Groups Creating an Access Policy Group Modifying an Access Policy Group Deleting an Access Policy Group Configuring User Access Adding Users to an Access Policy Group Changing Access Policy Group Assignments Using Global Rules Deploying Configurations to the Agent Using Manual Configuration Defining New Realms Modifying and Deleting Realms Deleting RADIUS Servers Adding New Users Using the User Import Wizard Importing Users from Active Directory Importing Users from an LDAP Server Importing Users from XML files iv

5 Contents 4 Using the Secure Access Wizard Overview Supported Devices Using Secure Access Wizard Troubleshooting IDM IDM Events Pausing the Events Display Using Event Filters Viewing the Events Archive Setting IDM Event Preferences Using Activity Logs Using Decision Manager Tracing Miscellaneous A Using ProCurve Network Access Controller with IDM About ProCurve Network Access Controller A-1 Before You Begin A-2 Using the NAC Tab Displays A-3 Setting the ProCurve NAC GUI Login A-4 Using the NAC Home Tab A-5 Using the NAC Monitor Tab A-6 Using the NAC Configuration Tab A-7 Using Local Authentication Directory on ProCurve NAC A-8 Adding Locally Authenticated Users A-9 B IDM Technical Reference Device Support for IDM Functionality B-1 Support for Secure Access Wizard Feature B-2 Best Practices B-3 Types of User Events B-6 v

6 Contents vi

7 1 About ProCurve Identity Driven Manager Chapter Contents About ProCurve Identity Driven Manager Introduction Why IDM? What s New in IDM IDM Architecture Terminology IDM Specifications Supported Devices Operating Requirements Additional Requirements Upgrading from Previous Versions of PCM and IDM Registering Your IDM Software Learning to Use ProCurve IDM Getting ProCurve Documentation From the Web ProCurve Support

8 About ProCurve Identity Driven Manager Introduction Introduction Network usage has skyrocketed with the expansion of the Internet, wireless, and convergence technologies. This increases the burden on network managers working to control network usage. Also, the complexity of large networks makes it difficult to control network access and usage by individual users. ProCurve Identity Driven Manager (IDM) is an add-on module to the ProCurve Manager plus (PCM+) application that extends the functionality of PCM+ to include authorization control features for edge devices in networks using RADIUS servers and Web-Authentication, MAC-Authentication, or 802.1x security protocols. Using IDM simplifies user access configuration by automatically discovering Microsoft IAS RADIUS Servers, Realms, and users. You can use IDM to monitor users on the network, and to create and assign "access policies" that work to dynamically configure edge switches and manage network resources available to individual users. Using IDM, access rights, quality of service (QoS), and VLAN enrollment are associated with a user and applied at the point of entry or "edge" of the network. Figure 1-1. ProCurve Identity Driven Manager, Client Interface 1-2

9 About ProCurve Identity Driven Manager Introduction Why IDM? Today, access control using a RADIUS system and ProCurve devices (switches or wireless access points) is typically made up of several steps. Figure 1-2. Current Access Control process 1. A client (user) attempts to connect to the network. 2. The edge device recognizes a connection state change, and requests identifying information about the client. This can include MAC address, username and password, or more complex information. 3. The switch forwards an access request, including the client information to the authentication server (RADIUS). 4. The RADIUS server validates the user s identity in the user directory, which can be an Active Directory, database or flat file. Based on the validation result received from the user directory, the authentication server returns an accept or deny response to the switch. 5. If the user is authenticated, the ProCurve device grants the user access to the network. If the user is not authenticated, access is denied. For networks using IDM, access control is enhanced to include authorization parameters along with the authentication response. IDM enhances existing network security by adding network authorization information, with access and resource usage parameters, to the existing authentication process. Using IDM you can assign access rights and connection attributes at the network switch, with dynamic configuration based on the time, place, and client that is generating the access request. 1-3

10 About ProCurve Identity Driven Manager Introduction When using IDM, the authentication process proceeds as described in the first three steps, but from that point the process changes as follows: 4. The RADIUS server validates the user s identity in the user directory. Based on the validation result received from the user directory, the authentication server returns an accept or deny response to the switch. If the user is accepted (authenticated), the IDM Agent on the RADIUS server processes the user information. IDM then inserts the network access rights configured for the user into the Authentication response sent to the switch. 5. If the user is authenticated, the switch grants the user access to the network. The (IDM) authorization information included in the authentication response is used to configure VLAN access, QoS and Bandwidth parameters for the user, and what network resources the user can access based on time and location of the user s login. If the user is authenticated by the RADIUS server, but IDM s authorization data indicates that the user is attempting to access the network at the wrong time, or from the wrong location or system, the user s access request is denied by IDM. Figure 1-3. Access Control using IDM If a user is authenticated in RADIUS, but is unknown to IDM, IDM will not override RADIUS authentication and default switch settings, unless you configure it to do so. You can create a "guest" profile in IDM to provide limited access for unknown users. 1-4

11 About ProCurve Identity Driven Manager Introduction What s New in IDM 2.3 ProCurve Identity Driven Manager version 2.3 includes the following new features and enhancements: IDM - NPS/NAP Integration IDM integrates with Network Policy Server (NPS), Microsoft s RADIUS server on a Windows 2008 server, and Network Access Protection (NAP), an Endpoint Integrity offering from Microsoft that is offered as an integrated solution in the following tiers: Server tier that runs only on NPS in Windows 2008 Client tier that performs endpoint testing in Windows Vista Support for nested groups in Active Directory Synchronization Active Directory synchronization now includes all users who are indirect members of a group via intervening nested group relationships. For additional information, see Enhanced Secure Access Wizard AP530 Group Configuration Check Step has been added to support AP530 access points. Ports to which the secure access settings will apply can now be selected from a list. VLANs used for authenticated and unauthenticated ports can now be selected for 802.1X, Web Auth, and MAC Auth settings. Redirect URL has been added to redirect users who have logged in successfully. 1-5

12 About ProCurve Identity Driven Manager Introduction IDM Architecture In IDM, when a user attempts to connect to the network through an edge switch, the user is authenticated via the RADIUS Server and user directory. Then, IDM is used to return the user s "access profile" along with the authentication response from RADIUS to the switch. The IDM information is used to dynamically configure the edge switch to provide the appropriate authorizations to the user, that is, what VLAN the user can access, and what resources (QoS, bandwidth) the user gets. The following figure illustrates the IDM architecture and how it fits in with RADIUS. Figure 1-4. IDM Architecture IDM consists of an IDM Agent that is co-resident on the RADIUS server, and an IDM Server that is co-resident with PCM+. Configuration and access management tasks are handled via the IDM GUI on the PCM+ management workstation. The IDM agent includes: A RADIUS interface that captures user authentication information from the RADIUS server and passes the applicable user data (username, location, time of request) to the IDM Decision Manager. The interface also passes user access parameters from IDM to the RADIUS server. 1-6

13 About ProCurve Identity Driven Manager Introduction A Decision Manager that receives the user data and checks it against user data in the local IDM data store. Based on the parameters defined in the data store for the user data received, the Decision Manager outputs access parameters for VLAN, QoS, bandwidth, and network resource access to the RADIUS interface component. A Local Data Store that contains information on Users and the Access Policy Groups to which the user belongs. The Access Policy Group defines the rules that determine the user s access rights. The IDM Server provides configuration and monitoring of Identity Driven Manager. It operates as an add-on module to PCM+, using the PCM model database to store IDM data, and a Windows GUI (client) to provide access to configuration and monitoring tools for IDM. You use the IDM GUI to monitor IDM Agent status and users logged into the network, and to manage IDM configuration, including: Defining access parameters for the network, such as locations, times, network resources, and access profiles. Creating access profiles that define the network resources and attributes (VLAN, QoS, bandwidth) assigned to users in an Access Policy Group. Creating Access Policy Groups with rules (access policies) that will be assigned to users in that Group. Assigning users to Access Policy Groups. Deploying IDM configuration data to the IDM Agent on the RADIUS server. 1-7

14 About ProCurve Identity Driven Manager Terminology Terminology Authentication Authentication Server Authorization Bandwidth Client Edge Device Endpoint Integrity IDM Agent QoS RADIUS RADIUS Server The process of proving the user s identity. In networks this involves the use of usernames and passwords, network cards (smartcards, token cards, etc.), and a device s MAC address to determine who and/or what the "user" is. Authentication servers are responsible for granting or denying access to the network. Also referred to as RADIUS servers because most current authentication servers implement the RADIUS protocol. The process that determines what an authenticated user can do. It establishes what network resources the user is, or is not permitted to use. Amount of network resources available. Generally used to define the amount of network resources a specific user can consume at any given time. Also referred to as rate-limiting. An end-node device such as a management station, workstation, or mobile PC attempting to access the network. Clients are linked to the switch through a point-to-point LAN link, either wired or wireless. A network device (switch or wireless access point) that connects the user to the rest of the network. The edge devices can be engaged in the process of granting user access and assigning a user s access rights and restrictions. Also referred to as "Host Integrity," this refers to the use of applications that check hosts attempting to connect to the network to ensure they meet requirements for configuration and security. Generally to make sure that virus checking and spyware applications are in place and up to date. The IDM Agent resides on the RADIUS server. It inspects incoming authentication requests, and inserts appropriate authorization information (IDM Access Profiles) into the outgoing authentication reply. Quality of Service, relates to the priority given to outbound traffic sent from the user to the rest of the network. Remote Authentication Dial-in User Service, (though it also applies to authentication service in non-dial-in environments) A server running the RADIUS application on your network. This server receives user connection requests from the switch, authenticates users, and then returns all necessary information to the edge device. 1-8

15 About ProCurve Identity Driven Manager Terminology Realm VLAN A Realm is similar to an Active Directory Domain, but it works across non- Windows (Linux, etc.) systems. Generally specified in User-name as A port-based Virtual LAN configured on the switch. When the client connection terminates, the port drops its membership in the VLAN. 1-9

16 About ProCurve Identity Driven Manager IDM Specifications IDM Specifications Supported Devices ProCurve Identity Driven Manager (IDM) supports authorization control functions on the following ProCurve devices*: ProCurve Switches: 6400cl Series 6200 Series 5400 Series 5300xl Series 4200 Series 3500 Series 3400cl Series 4100gl Series 2800 Series 2600 Series (PWR included) 6100 Series 2500 Series ProCurve Wireless (420, 520wl, 530) Wireless Edge Services Module (WESM) * Not all devices support all features of IDM. Refer to Appendix A for details. Operating Requirements The system requirements for IDM (Server and Client installation) are: Minimum Processor: 2.0 GHz Intel Pentium, or equivalent Recommended Processor: 3.0 GHz Intel Pentium, or equivalent Minimum Memory: 1 GB RAM Recommended Memory: 2 GB RAM Disk Space: 500 MB free hard disk space minimum. (A total of 1 GB will be required for PCM+ and IDM.) Implementation of one of the following RADIUS services. The IDM agent will be installed on this system. Microsoft s Internet Authentication Service, RADIUS authentication server on Windows 2003 Server (Enterprise or Standard Edition). Funk s Steel Belted RADIUS (SBR). 1-10

17 About ProCurve Identity Driven Manager IDM Specifications Supported Operating Systems for PCM+ and IDM Remote Client: MS Windows XP Pro (Service Pack 1 or better) MS Windows 2000 (Server, Advanced Server, or Pro with Service Pack 4 or better) MS Windows 2003 (Server or Enterprise Edition) ProCurve Manager Plus software must be installed for IDM to operate. The IDM software cannot be installed as a separate component. Additional processing power and additional disk space may be required for larger networks. Additional Requirements Implementation of an access control method, using either MAC-auth, Web-auth, or an 802.1x supplicant application. For assistance with implementation of RADIUS and access control methods for use with ProCurve switches, refer to the Access Security Guide that came with your switch. All ProCurve Switch manuals can also be downloaded from the ProCurve web site. For assistance with using RADIUS and 802.1x access control methods, contact the ProCurve Elite Partner nearest you that can provide ProCurve Access Control Security solutions. You can find ProCurve Direct Elite partners on the web at: If you plan to restrict user access to specific network segments, you will need to configure VLANs within your network. For information on using VLANs, refer to the ProCurve Manager Network Administrator s Guide, or the configuration guides that came with your switch. Upgrading from Previous Versions of PCM and IDM The installation package for PCM 2.2 contains the IDM 2.15 installation files. If you are running earlier versions of IDM you must select the IDM option during the PCM 2.2 install process. This is required to support changes made in the underlying PCM and IDM databases. 1-11

18 About ProCurve Identity Driven Manager Registering Your IDM Software If you have not purchased an IDM 2.0 or newer license, your installation will include the IDM interface changes made for IDM 2.0, but all new functionality (FUNK SBR support, User Import/Export, Access Control, and Endpoint integrity support) will be disabled until you purchase and register an IDM license. If you want to test the IDM 2.2 functionality using the 30-day trial provided with the PCM 2.2 Auto-update package, you need to install the software on a separate system that has no previous IDM version installed or in use. When you upgrade to IDM 2.2, you need to manually install the IDM Agent upgrade on each of your RADIUS Servers. Refer to Installing the IDM Agent on page 2-2 for detailed instructions. Registering Your IDM Software The ProCurve Manager installation CD includes a fully operable version of the PCM application, and a 30 day trial version of the PCM+ application and the IDM application. Until you have registered your IDM application, an Expiring License warning will be displayed each time you log in, similar to the following. Figure 1-5. ProCurve Expiring License warning dialogue Click No, Continue to close the dialogue and just start the program. Click OK to launch the Licensing administration screen. NOTE: You must first purchase a copy of ProCurve Identity Driven Manager from your networking reseller to get the Registration ID. You do not need to reinstall the software from the purchased CD, but you need the Registration ID from that CD to complete the registration process. 1-12

19 About ProCurve Identity Driven Manager Registering Your IDM Software Figure 1-6. ProCurve License Administration dialogue You can also get to this screen from the Preferences window which can be accessed from the PCM Tools menu or by clicking on the Preferences icon in the tool bar. To register the IDM software: 1. Contact your HP Sales Representative or HP Reseller to purchase the PCM+ and IDM software. You will receive a Registration ID for the purchased software either on the Software CD case, or a separate registration card sent with the purchase information. 2. Go to the Licensing window in PCM [Preferences->Licensing and Support ->Licensing]. Write down the Installation Identifier for the software as it appears in the upper left corner of the window. You can also leave this window open and use the copy and paste functions to enter the Install ID in the My ProCurve software registration window. 3. Click the Register button to go to the PCM registration web site. 4. If this is an upgrade, log in with your My ProCurve ID and password. If you are a new user, click the Register Here button, and then enter the required information to create a user account, including user name, password, company name, and address. 5. Click the My Software tab, and then select the Management Software option to display the Product Type selection links. 6. Select the ProCurve Network Management Software link to display the License Registration window. 1-13

20 About ProCurve Identity Driven Manager Learning to Use ProCurve IDM 7. In the Registration window: a. select the product to register from the Product Type pull-down menu. b. enter the Registration ID, found on the back of the software CD case, or on the registration card you received when you purchased the software. 8. When you receive the License key, go back to the Licensing window in PCM. Enter the License key number in the Add license field, then click Add. To avoid data entry errors, you can copy and paste the number from the or My ProCurve (My Software) Web page. NOTE: You must first purchase a copy of ProCurve Manager Plus and,/or Identity Driven Manager to get the Registration ID. You do not need to reinstall the software from the purchased CD, but you need the Registration ID to complete the registration process. Learning to Use ProCurve IDM The following information is available for learning to use ProCurve Identity Driven Manager (IDM): This User s Guide helps you become familiar with using the application tools for access control management. Online help information provides information through Help buttons in the application GUI that provide context-sensitive help, and a table of contents with hypertext links to additional procedures and reference information. ProCurve Manager, Getting Started Guide provides details on installing the application and licensing, and an overview of ProCurve Manager functionality. For additional information on configuring your network, refer to the documentation that came with your switch. 1-14

21 About ProCurve Identity Driven Manager Learning to Use ProCurve IDM Getting ProCurve Documentation From the Web 1. Go to the Procurve website at 2. Click on Technical Support. 3. Click on Product manuals. 4. Click on the product for which you want to view or download a manual. ProCurve Support Product support is available on the Web at: Click on Technical Support. The information available at this site includes: Product Manuals Software updates Frequently asked questions (FAQs) Links to Additional Support information. You can also call your HP Authorized Dealer or the nearest HP Sales and Support Office, or contact the ProCurve Elite Partner nearest you for information on ProCurve Access Control Security solutions. You can find ProCurve Elite partners on the web at:

22 About ProCurve Identity Driven Manager Learning to Use ProCurve IDM 1-16

23 2 Getting Started Chapter Contents Getting Started Before You Begin Installing the IDM Agent Using the IDM Auto-Discover Feature IDM Configuration Process Overview IDM Usage Strategies Understanding the IDM Model IDM GUI Overview IDM Dashboard Using the Navigation Tree Toolbars and Menus Using IDM as a Monitoring Tool Using IDM Reports Creating Report Policies Configuring a Policy Action to Generate Reports IDM Session Cleanup Policy User Session Information Finding a User User Reports IDM Preferences Using Active Directory Synchronization

24 Getting Started Before You Begin Before You Begin If you have not already done so, please review the list of supported devices and operating requirements under IDM Specifications on page If you intend to restrict user access to specific areas of the network using VLANs, make sure you have set up your network for use of VLANs. For details on configuring VLANs, refer to the ProCurve Manager Network Administrator s Guide, or the Advanced Traffic Management Guide for your ProCurve switch Installing the IDM Agent The IDM application components are installed on your system when you select the IDM option from the PCM+ software CD. To install the IDM Agent on a RADIUS server: 1. If the PCM software is not on the same system as your RADIUS server, you need to configure "Client/Server" access permissions on the PCM server to allow the RADIUS server to communicate with IDM. This is done by adding the IP address of the RADIUS server to the access.txt file on the PCM server. For details, refer to the ProCurve Manager Getting Started Guide, under "Configuring Client/Server Access Permissions." 2. Open a Web browser window on the RADIUS server and for the URL, type in the IP address of the PCM server computer, followed by a colon and the port ID For example, if the IP address of the PCM server is , then on the RADIUS server, enter on the web browser address line. 3. In the install scripts page that appears, select the IDM Agent to download it to the RADIUS server system. 4. Run the Install.exe that is downloaded to the RADIUS server. The Install Wizard guides you through the installation process. During installation you will be prompted to enter the IP Address of the IDM Server, which is the same as the PCM Server. You cannot install the IDM Agent on a system without the RADIUS server. Also, if the IP address of the RADIUS server is not in the access.txt file on the PCM server, you will get an alert message during the IDM Agent install. Once installed the IDM Agent begins collecting User, Realm, and RADIUS data. 2-2

25 Getting Started Before You Begin The IDM Client is included with the PCM+ software. To install a remote PCM/ IDM Client, download the PCM Client to a remote PC using the same process as for installing the IDM Agent, just select the PCM Client option from the PCM server. For details, see the ProCurve Manager Getting Started Guide. Using the IDM Auto-Discover Feature You can manually configure the RADIUS server, Realms, and Users in IDM, or you can let IDM do the hard work for you. And, you have two options for automatically discovering users. Either enable Active Directory synchronization to import users from the Active Directory, or install the IDM Agent on the system with the RADIUS Server, then let it run to collect the information as users log into the network. Even after you begin creating configurations in IDM, both options continue to collect information on users and Realms (domains in Active Directory) and pass that information to the IDM server. If you are using multiple RADIUS servers, you need to install an IDM Agent on each of the servers. The IDM Agent collects information only on the system where it is installed. The IDM client can display information for all RADIUS servers where the IDM Agent is installed. When you start the IDM Client and expand the navigation tree in the IDM Home tab, you will see any discovered or defined Realms found on the RADIUS server, along with the IP Address for the RADIUS Server(s). IDM Configuration Process Overview To configure IDM to provide access control on your network, first let IDM run long enough to "discover" the Realms, RADIUS servers, and users on your network. Once IDM has performed these tasks for you, your configuration process would be as follows: 1. If you intend to use them, define "locations" from which users will access the network. A location may relate to port-based VLANS, or to all ports on a device. (See page 3-7) 2. If you intend to use them, define "times" at which users are allowed or denied access. This can be by day, week or even hour. (See page 3-14) 3. Define any "network resources" (systems and applications) that you want to specifically allow or restrict users from accessing. 4. If you intend to restrict a user access to specific systems, you need to set the User profile to include the MAC address for each system that the user is allowed to login on. (See page 3-54) 2-3

26 Getting Started Before You Begin 5. Create the Access Profiles, to set the VLAN, QoS, rate-limits (bandwidth) attributes, and the network resources that are available, to users in an Access Policy Group. (See page 3-26) 6. Create an Access Policy Group, with rules containing the Location, Time, System, and Access Profile that is applied to users when they login. (See page 3-36) OR If using Active Directory synchronization, add rules and Access Profiles to the Access Policy Groups automatically created by Active Directory synchronization. 7. If Active Directory synchronization is not used, assign Users to the appropriate Access Policy Group. (See page 3-43). 8. If automatic deployment is disabled, deploy the configuration policies to the IDM Agent on the RADIUS server. (See page 3-49) IDM Usage Strategies You can use IDM to simply monitor user activity on the network, or to apply user authentication rules to improve network security and performance. The following table identifies the IDM configuration for various deployment and usage strategies for IDM. Authenticate Authorize Strategy Description VLAN QoS Rate- Limit Network Resources Monitor and report user activity. x Enhance normal RADIUS authentication with Location, Time, and System rules x x Provide rudimentary VLAN segregation (Unknown Users, Guests, Visitors, Contractors) x x Provide complete VLAN placement for all Users x x x Provide QoS and Rate-limits per User x x x x x VLAN, QoS, and Rate-limit attributes, and accessibility of defined Network Resources for all users, based on Location, Time, and System Table 2-1: IDM Deployment and Usage Strategies 2-4

27 Getting Started Before You Begin Understanding the IDM Model The first thing to understand, is that IDM works within the general concept of domains or realms. Basically, realms are very large organizational units; every user belongs to one, and only one, realm. While it is possible to have multiple realms, most organizations have only one, for example, hp.com or csuchico.edu. The basic operational model of IDM involves Users and Groups. Every User belongs to a Group in IDM these are called Access Policy Groups (APGs). Each APG has an Access Policy defined for it, which governs the access rights that are applied to its Users as they enter the network. In the IDM GUI, the top level of the navigation tree is the Realm, with all other information for APGs, and RADIUS Servers beneath the Realm in the navigation tree. Users are linked to the Realm to which they belong, and the Access Policy Group to which they are assigned. The IDM configuration tools are available at the top level. The definition of times, locations, network resources, and access profiles is independent of individual Realms or Groups. You can define multiple locations, times, and network resources, then create multiple access profiles to be applied to any Access Policy Group, in any Realm that exists within IDM. 2-5

28 Getting Started IDM GUI Overview IDM GUI Overview To use the IDM client, launch the PCM Client on your PC. Select the ProCurve Manager option from the Windows Program menu to launch the PCM Client. The PCM Client will start up and the Login dialogue is launched. Figure 2-1. PCM Client Login dialogue. If you did not enter a Username or Password during install, type in the default Username, Administrator, then Click Login to complete the login and startup. For additional information on using the PCM Client, refer to the ProCurve Manager Network Administrator s Guide. 2-6

29 Getting Started IDM GUI Overview Select the IDM Tree tab at the bottom left of the PCM window to display the IDM Home window. Figure 2-2. IDM Home Window The IDM Home display provides a quick view of IDM status in the IDM Dashboard tab, along with a navigation tree and access to menu and toolbar functions. You can resize the entire window, and/or resize the panes (sub-windows) within the Identity Management Home window frame. NOTE: If the IDM Dashboard shows the IDM Agent Status as inactive, and the Inventory and Logins panes show no data: Check the PCM Events tab for the following entry: "PCM remote client authentication failure: <ip address>" Check for IDM application events related to devices "supporting" or "not supporting" the configuration. Check to make sure the access.txt file on the PCM (IDM) Server system includes an IP address entry for each RADIUS server where the IDM Agent is installed. See Installing the IDM Agent on page 2-2 for details. 2-7

30 Getting Started IDM GUI Overview IDM Dashboard The IDM Dashboard tab (window) contains four separate panels, described below. Identity Management Status: The IDM Agent Status pane uses a color-coded histogram to indicate the number of currently active (green) and inactive (red) IDM Agents. Hovering with the mouse pointer over the bar displays the specific number. The Users per Access Policy Group pane uses a pie-chart to indicate the percentage users currently assigned to various APGs. You can hover with the mouse pointer over the segment to display the APG name and number of assigned users. Inventory: The Inventory panel lists the current number of Realms, RADIUS Servers, Users, Access Policy Groups, Access Profiles, Locations, and Times that are defined in IDM. IDM Events: The IDM Events panel provides a summary of IDM Events by severity type. Hovering with the mouse pointer over the event type displays the total number of events of that type currently in the log. Clicking on the Events panel will display the IDM Events tab, with a detailed event listing. Logins/Hour: The Logins per Hour panel is a scrolling 24-hour display that summarizes the total number of successful and failed IDM user logins at any given time during the past 24 hours. Information in this panel is updated every minute Hovering with the mouse pointer over the bar for a specific time period displays the specific number of logins. 2-8

31 Getting Started IDM GUI Overview Using the Navigation Tree The navigation tree in the left pane of the IDM window provides access to IDM features using the standard Windows file navigation system. Click the nodes to expand the list and change the display in the right window panel. Figure 2-3. IDM Navigation Tree The IDM tree is organized as follows: Realms: The top level of the tree lists each of the Realms that have been discovered by an IDM Agent or defined manually. Clicking on the Realms node in the tree displays the Realms List in the right panel of the window. Expanding the node displays each Realm name in the tree, and Unassigned RADIUS Servers if they exist. Figure 2-4. Realms List tab Clicking on the individual realm name in the tree displays the Realm Properties tab in the right panel. 2-9

32 Getting Started IDM GUI Overview Figure 2-5. Realm Properties tab Click the Users tab, underneath the realm Properties tab, to view a list of users in the Realm that were discovered by the IDM Agent, or defined manually. Figure 2-6. Realm Users tab Expanding the Realm node in the tree will display the Access Policy Groups and RADIUS server nodes for the Realm. Access Policy Groups: Click the Access Policy Group node to display the Access Policy Groups tab with a list of currently configured groups. You can also expand the node to view the APGs in the tree. 2-10

33 Getting Started IDM GUI Overview Figure 2-7. Access Policy Groups tab Click the individual group node in the tree to display the group s Properties. Figure 2-8. Access Policy Group Properties tab The Users tab underneath contains the list of users currently assigned to the Access Policy Group. 2-11

34 Getting Started IDM GUI Overview RADIUS Servers: Clicking the RADIUS Servers node displays the RADIUS List tab, with status and configuration information for each RADIUS Server in the Realm that has an IDM Agent installed, or that is manually defined. Figure 2-9. RADIUS List tab NOTE: If the RADIUS server is not in the IDM tree, check in the PCM Events for the following message: "PCM remote client authentication failure: <ip address>" Make sure the IP address for the RADIUS server is included in the access.txt file on the PCM server. See Installing the IDM Agent on page 2-2 for details. You can expand the RADIUS Servers node to view the servers in the tree. Click the individual server to display the RADIUS Server Properties. Figure RADIUS Server Properties tab 2-12

35 Getting Started IDM GUI Overview The Activity Log tab underneath the properties display contains a listing of IDM application events for that RADIUS server such as server startup, server connections, user logins, IDM configuration deployment, etc. Toolbars and Menus Because IDM is a module within PCM, it uses the same Main Menu and Global toolbar functions. Individual tabs or windows within the IDM module also include separate component toolbars. The functions available in the component toolbar vary based on applicable functions for that component. Toolbar icons for disabled functions are grayed out. The component toolbar options are described under the process they support in the next chapter. You can hover with the mouse to display "Tooltips" for each icon. Using Right-Click Menus You can also access most of the functions provided with IDM via the "rightclick" menus. To use the right-click menu, select an object (node) in the navigation tree on the left of the screen, then right-click your mouse to display the menu. You can also access the right-click menus when an item is selected in a list on the tab window displays. Figure IDM Right-click menu The options available in the right-click menu will vary based on the node or list item you have selected. Disabled functions are grayed out. 2-13

36 Getting Started Using IDM as a Monitoring Tool Using IDM as a Monitoring Tool Whether or not you configure and apply access and authorization parameters using IDM, you can use IDM to monitor user sessions on the network and generate usage reports. You can use the monitoring features along with the IDM Reports to track usage patterns, user session statistics, bandwidth usage, top users, and so on. The User session information can also be used to track current user sessions and modify the User s access to network resources if needed. NOTE: Session accounting must be enabled on the switch, and in IDM, for the monitoring and User session accounting in IDM to work. Refer to the section on "Radius Authentication and Accounting" in the Access and Security Guide provided with the ProCurve switch for details on enabling session accounting. You can enable or disable IDM monitoring using the IDM Preferences. Using the IDM Preferences, you can also configure IDM to work with existing "Endpoint Integrity" applications used to determine the compliance of the authenticating clients to rules and requirements (for firewalls, anti-virus, etc.) that have been set up in the domain. NOTE: If you are using Web-Auth or MAC-Auth for user authentication, user session statistics are unavailable from the switch and cannot be collected, unless you are using a version of firmware on the switch that supports accounting for Web-Auth and MAC-Auth sessions. Currently, only the latest versions of the 5300 support this; check the ProCurve web site for updates. 2-14

37 Getting Started Using IDM Reports Using IDM Reports IDM provides reports designed to help you monitor and analyze usage patterns for network resources. The report options are available from the Tools menu. Figure IDM Reports Menu The Report wizard screens and report parameters vary, depending on the type of report selected. When you select a report using the IDM Reports sub-menu, the Report wizard is launched. Use the wizard to set filter options, and selectable data elements. When you click Finish, the report is generated and the output displays on the IDM Client, similar to the following example: 2-15

38 Getting Started Using IDM Reports Figure Bandwidth Usage Report You can save the report to a file, or print the report. To apply customized Report Header information for your company, use the Reports option in the global preferences. (Tools > Preferences > Global > Reports) The Schedule a report option in the Tools menu launches the Schedule Reports Policy Wizard, which lets you schedule reports to be created at recurring intervals. Each of the available reports is summarized below, along with the report filter options, and configurable report parameters, if applicable. Configuration Report: The Configuration Report provides information describing the configuration of the IDM systems, including: Realms, RADIUS servers, Access Profiles, and Users configured in IDM. Each category is listed on a separate page. You can filter out the User configurations in the report. Unsuccessful Login Report: The Unsuccessful Login Report lists failed system logins, which can be filtered by date. The report includes the following information: Date Date and time when the login failed 2-16

39 Getting Started Using IDM Reports Username Realm Friendly Name Access Policy Last Login Denial Reason Username entered to log in Realm associated with the access policy group to which the user is assigned Name of user logging in with the username Access policy group to which the user is assigned Date and time the user last log in successfully Reason the login failed. Denial reasons can be generated by IDM or the RADIUS server. Bandwidth Usage Report: The Bandwidth Usage Report lists bandwidth usage per User. the top 25 bandwidth users. You can filter the report to show results by top Users, dates, Realm, and Access Policy Group. This report is helpful in identifying candidates for throttling. Note: You must have the Enable user session accounting option selected in the IDM Preferences in order to collect Bandwidth and other user session data for reports 2-17

40 Getting Started Using IDM Reports The following information is provided for each user included in the Bandwidth Usage report: Username Realm Access Policy Group Input Bytes Output Bytes Total Bytes Connection Time Username used to login Realm (Access Policy Group and RADIUS server) to which the user is assigned Access Policy Group governing a user's login to the RADIUS server The number of bytes (KB) processed during the User s session, indicating the bandwidth usage for that user. Length of time the user was connected (in minutes) for the session. IDM Statistics: The IDM Statistics report provides information on the number of logins, input bytes and output bytes, by day and hour. You can filter the report by configuring it for any one, or combination of: Realm, Access Policy Group, and Location. Session History: The Session History Report provides details on user sessions. You can filter the report by configuring it for any one, or combination of: dates, Realm, Access Policy Group, and Location. You can also filter the report to show the top results by bandwidth only. Once the initial report dates and filters are set, you can also configure what columns you want to include in the report. The available column headings include: RADIUS Server IP Location MAC Address Device Device Port VLAN QOS Endpoint Integrity State BW (Bandwidth) User MAC Addresses: The User MAC Addresses provides a listing of MAC Addresses in use, and allowed for use by Access Policy Group and User. You can filter the report to get data for any one, or combination of Realm and Access Policy Group. Endpoint Integrity State: The Endpoint Integrity State report collects data on the Endpoint Integrity State for users along with the date, and Access Profile used. This report lets you see which User s systems are compliant with your host integrity solution. You can filter the report by date, and by one or more of the following "State" types: Failed, Passed, and Unknown. 2-18

41 Getting Started Creating Report Policies User Report: The User Report lists information for recent sessions in which the user participated, similar to the Session History report. To display the User Report select a username in the Users tab of the Access Policy Group or RADIUS Server window, and then click the User Report icon in the toolbar. Creating Report Policies You can also use the Policy Manager feature to schedule reports to be created at regular intervals, or in response to an event. For complete details on creating policies, refer to Configuring Policies in the ProCurve Manager v2.3 Network Administrator s Guide. The basic process for creating a Report Policy is: Configure the Time periods when the report policy can be executed. If no time is specified, the policy can execute at any time. Alerts - Use the Scheduled Alert option to set a recurring schedule for a report to be generated. Alerts serve as the trigger used to launch an Action. Alerts can be event-driven, or scheduled to occur at a specified time. Action - Configure the Report Manager:GenerateReport type(s) for the policy. The following section describes the Report action types and configurable parameters and filters for each report type. You do not need to configure the Sources or Targets for a report, Policy as you will select the device groups the policy applies to in the Report Action. Configuring a Policy Action to Generate Reports To configure a Policy Action to run the Security History report: 1. Click the Policy Manager icon in the toolbar to launch the Policy Configuration Manager window. 2. Click the Actions node in the Policy Manager window to display the Manage Actions panel. 2-19

42 Getting Started Creating Report Policies Figure Policy Manager, Actions display The Manage Actions window displays the list of defined Actions. 3. Click New... to launch the Create Action dialog: Figure Policy Manager, Create Action display 2-20

43 Getting Started Creating Report Policies 4. Select the Report Manager:Generate Report Action type from the pull-down menu. Figure Policy Manager, Select Action 5. Type in a Name for the Action (required) and a brief Description (optional) 6. Click OK to save the Action and display the Action Properties tab. The properties you set in the previous step should appear. 2-21

44 Getting Started Creating Report Policies Figure Policy Manager: Report Manager Action configuration At this point the other tabs displayed are: Type: Lets you select the Report type you want to generate. As soon as you select a report type, additional tabs may appear in the window depending on the filter criteria for the report. Format: Lets you set the report output format Delivery: lets you select where the report will be sent (to file, , etc.) 7. Click the Type tab and select the IDM Report type you want included in the action. In this example, the IDM Statistics report is selected, and the Report Filter tab is added in the window. 2-22

45 Getting Started Creating Report Policies Figure Report Manager Action, Report type selection 8. Click the Report Filter tab to select the report criteria: Report Filter: Lets you select the filter criteria to be applied when generating the report. The filter options will vary based on the selected report. 9. Click the Format tab to set the report output style you want to generate. Figure Report Manager Action: Report format selection 2-23

46 Getting Started Creating Report Policies PDF HTML CSV Produce the report in.pdf format. To view this file format, you will need Adobe Acrobat Reader, which can be downloaded free from Produce the report in.html format, which can be viewed with any Web browser. Produce the report using comma separated values with double quotes. This report can be viewed using WordPad, Notepad, or imported into other spreadsheet programs, such as Excel. 10. Click the Delivery tab to configure the method used to deliver the report. Figure Report Manager Action: Report Delivery method is the default method. It will the report to the address specified. It also requires that you have an SMTP profile for the address. See Creating SMTP Profiles in the ProCurve Manager Network Administrator s Guide for details. Use the pull-down menu to select a different delivery method. Figure Report Manager Action: Select Delivery Method 2-24

47 Getting Started Creating Report Policies Selecting FTP as the delivery method lets you save the report on an FTP site. However, proxy support is not provided. a. In the FTP Server field, type the IP address of the FTP site where you want to save the report. b. In the Path field, type the complete path to the server location where you want to save the report. c. In the Filename field, type the filename you want to assign to the report. You can automatically add a timestamp to the filename in the Filename conventions pane. d. In the Username field, type the username used to access the FTP site. e. In the Password field, type the password used to access the FTP site. f. Select the Filename conventions to use: No timestamp in file name: Name the file exactly as entered in the Filename field. Prepend timestamp to file name: Add the timestamp at the beginning of the filename entered in the Filename field Append timestamp to file name: Add the timestamp at the end of the filename entered in the Filename field. Selecting File as the delivery method lets you save the report in a file on the PCM server. a. In the Path field, type the complete path to the server location where you want to save the report. The path is relative to the server (not to the client). To save the report on the client, there must be a path from the server to the client. For example, use UNC paths, since the server runs as a service and cannot be set up easily to use mapped drives. b. In the Filename field, type the filename you want to assign to the report. c. Select the Filename conventions to use, as described above for FTP files. 11. Click Apply to save the Action Configuration. 12. Click Close to exit the Policy Manager window. If you click Close before you click Apply, you will be prompted to save, or discard the configuration. NOTE: Report output is limited to 40 pages. Therefore, to create a report on many (1000+) items, you need to create separate reports to generate all the data. 2-25

48 Getting Started Creating Report Policies You can access User Reports by right-clicking on the user in the Users tab display in IDM, then select the report option. IDM Session Cleanup Policy The IDM Session Cleanup Policy is included in the PCM+ policies by default when you install IDM. The report statistics IDM reports are cleared by the Session Statistics Cleanup policy (in PCM) on the first day of each month. A special IDM Session Cleanup alert is used to define the schedule for the policy. You can edit the policy (alert) if you want to change the cleanup recurrence schedule. To modify the IDM Session Cleanup Alert: 1. Click the Policies icon in the global (PCM and IDM) toolbar at the top of the window to display the Policy Manager window. 2. Click the Alerts node in the navigation tree to display the Manage Alerts panel. Figure Manage Alerts: IDM Session Cleanup selection 3. Select the IDM Session Cleanup Policy and click the Edit... button to display the properties. 2-26

49 Getting Started Creating Report Policies Figure IDM Session Cleanup Schedule properties 4. Click the Schedule tab to review and edit the schedule parameters. Figure IDM Session Cleanup Schedule, alert configuration 2-27

50 Getting Started Creating Report Policies 5. Set the Start Date for enforcement of the policy. The default is the start date and time for IDM. You can type in a new date and time, or use the arrows to increase or decrease the date and time entries. Note that the time clock uses 24 hour format; thus a time of 22:00 is used to indicate a start time of 10:00 pm. To trigger the IDM Session Cleanup policy to run immediately, click the checkbox for Run at first opportunity if schedule missed. 6. You can change the session cleanup interval using the Recurrence pattern options: If you select... Never One time Hourly Daily Weekly Monthly The action is... No further action is required (Policy definition is saved, but will not be enforced). No further action is required (the currently scheduled time is used with no recurrences). Type the number of hours and minutes to wait between session cleanup. If you do not want the policy enforced on Saturdays and Sundays, check the Skip weekend checkbox. Type the number of days to wait between session cleanups. If you do not want the policy enforced on Saturdays and Sundays, check the Skip weekend checkbox. Check the boxes for the days of the week you want to enforce the policy. Click the Last day of the month button to enforce the schedule on the last day of the month. OR Click the Day button and use the up or down arrows to select the day of the month. 7. Click the radio button to select No end date, End by, or Maximum occurrences to identify when the schedule should end. If you select No end date, the schedule will run at the selected intervals until the policy is changed or deleted. If you selected End by, click the up and down arrows in the End by field until the desired end date and time are shown. If you selected Maximum occurrences, type the number of times the policy should be enforced before it is disabled automatically. 8. Click Apply to save the changes, then Close to exit the alert configuration. 2-28

51 Getting Started User Session Information User Session Information You can use IDM to just monitor the network, and receive detailed information about user's access to the network. The User Session information provides statistics about exactly *how* the network is being used (when the user logged in and out, where a user logged in from, and how much bandwidth they consumed, for example). Based on the User Session information, you can adjust access rights for users, further restricting or providing additional network resources and access attributes as needed. To review user session information, 1. Navigate to the Realm the user belongs to, and display the Users tab. 2. Click the Show User s session status button in the Users tab toolbar to display the Session Information window. Figure IDM Session Cleanup Schedule, alert configuration 2-29

52 Getting Started User Session Information The Session List provides a listing of recent sessions, including the following information: Active Login Time Login Successful Location Access Profile True if the user is currently logged in for this session or False if the session has ended Date and time the user logged in True if the user logged in successfully or False if login failed Name of the location where the user logged in Access profile assigned to the access policy group governing the user s permissions during the session The User Properties tab of the User Status window contains the following information: Realm Realm to which the user is currently assigned. Username Username used to login Friendly Name MAC Address Last login time Name of the user to which the username is assigned MAC address of the computer where the user logged in Date and time of the most recent user login Login Count Total number of times the user logged in during the report period. Click the Session Information tab to view additional user session information. 2-30

53 Getting Started User Session Information The Session Information tab of the User Status window contains the following information: Is Active RADIUS Server True if the user is currently logged in for this session or False if the session has ended IP address of the RADIUS server that authenticated the user Login was successful True if the user logged in successfully or False if login failed Reason login was unsuccessful Session start Session end time Termination cause Input octets Output octets If the login was unsuccessful, the reason the RADIUS server or IDM denied the login (e.g., access policy group not found for user or username/password incorrect) Date and time the user logged in Date and time the user logged out or the session was ended Reason the RADIUS server ended the session (e.g., user logout, connection interruption, or idle timer expiration) Bytes received by the user during the session Bytes sent by the user during the session To track the user s login location information for the session, click the Location Information tab. 2-31

54 Getting Started User Session Information Figure Location Information tab The Location Information tab of the User Status window contains the following information: Location name Device address Device port Name of the location where the user logged in IP address of the device used to login Port on the device used for the session Click the Disable port or Enable port links to disable or re-enable the port used for the session. For example, if you want to prevent the user from logging in at a specific device or force the user to re-authenticate, you would use the Disable port function. If you need to re-enable the port so the user can resume the session, use the Enable port function. Click the Access Information tab to display details about the access attributes applied to the user session. Figure Access Information tab 2-32

55 Getting Started User Session Information The Access Information tab of the User Status window contains the following information: Access Policy Group Access Profile QoS assigned Rate limit assigned VLAN assigned ACL Access policy group that governs user permissions for the session. Access profile assigned to the access policy group. Quality of service or priority for outbound traffic. QoS ranges from lowest to highest. Maximum bandwidth allocated to user by the access profile. The VLAN to which access is given. The DEFAULT_VLAN(1) is equivalent to allowing access on the entire network. The access control rules that were applied to the user's session on the switch or access point. Finding a User The Find User feature lets you search for and display information about a user by name or MAC address. The displayed information is similar to User Session Status information. To find information for a user or MAC address: 1. In the IDM navigation tree, right-click the Realms or Access Policy Groups folder to which the user or computer is assigned. Select Find User from the right-click menu. This launches the Find User window. Figure Find User 2-33

56 Getting Started User Session Information 2. In the Username field, type the complete user name of the user you want to find and display information (This field is not case-sensitive.), OR In the MAC address field, type the MAC address of the computer for which you want to find and display information. The MAC address can be separated by a vertical bar ( ), hyphen, or colon or typed with no spaces. 3. Click the Only show active sessions checkbox to get only the information on active sessions for the user. 4. Click Find to display information for the specified user or computer. 5. Click Close to exit the window. User Reports To review information for multiple sessions, run the User Report. 1. Select a username in the Users tab of the Access Policy Group or RADIUS Server window. 2. Click the User Report icon in the toolbar. This launches the Report Wizard, Report Filter window. Figure Report Wizard, Report Filter 2-34

57 Getting Started User Session Information 3. Click the check boxes to select the data columns. If wireless settings are enabled the WLAN and BSSID options also appear. 4. Click Finish to run the report. The report is displayed in a separate window on the IDM Client. 2-35

58 Getting Started User Session Information IDM Preferences The IDM Preferences window is used to set up global attributes for session accounting and archiving, as well as enabling the Endpoint Integrity option. Click the Tools menu and select Identity Management to display the Preferences, Global:Identity Management window. Figure Global Preferences for IDM Click on the option check boxes to select (check) or deselect (blank) the option. 2-36

59 Getting Started User Session Information 1. The Configuration Deployment option is used to automatically deploy IDM configuration settings (Access Profiles, Locations, Times, Network Resources) to the IDM agent. The default preference is to allow automatic configuration deployment. Click to select the Disable automatic deploy to IDM agents option if you do not want to use automatic IDM configuration deployment. If you "disable" the Configuration Deployment option. in order for IDM configuration changes to take affect you will need to manually deploy the configuration to the IDM agent(s). 2. The Wireless Settings option is used to allow configuration of Identity Management features for select ProCurve wireless devices. The default preference has the Enable enhanced wireless support option selected. When this option is deselected (no check mark), wireless configuration options will not be visible and will not be applicable in rule evaluation 3. To enable Endpoint integrity, check the Enable Endpoint Integrity checkbox. This will enable the Endpoint Integrity option in the Access Rules definitions, and you can configure an Access Rule with one of the Endpoint Integrity options (Pass, Fail or ANY). When you enable Endpoint Integrity and set the attribute in a Global Access Rule or Access Policy Group rule, the IDM agent will look for the RADIUS attribute in the supplicant s authentication request and act accordingly, applying the defined access rule based on the endpoint integrity system response. 4. To collect information about user logins and logouts, check the Enable User session accounting checkbox. This box must be checked if you want to collect data for user logins and bandwidth usage, which is used for the Bandwidth and User reports. 5. To generate user session start and stop events and display them in the IDM Events list, check the Generate Session Start and Stop Events box. This option does not affect accounting or collection of session history and statistical information. Turning this option off will reduce the load on your IDM server and the GUI by eliminating two-thirds of the events created for every user login and logout. 6. To reset all session accounting information whenever the server is restarted, check the Reset accounting statistics when the management server starts box. When this option is selected, IDM closes any open sessions and resets the RADIUS Server totals to zero when the server restarts. If the status of users logged on or off seems incorrect, it is possible that the session accounting is out of sync. Use the Reset accounting statistics option to correct the problem. This immediately closes any open sessions (this has no effect on the user, only on the IDM accounting), and resets user login counts on the RADIUS server to zero. 2-37

60 Getting Started User Session Information Existing accounting records are not removed by the Reset procedures, the only effect is that currently open sessions are closed. 7. To ignore capability override warnings generated by switches that don't support certain capabilities (e.g., VLAN, QoS, Bandwidth, and ACL overrides), check the Ignore device capability warnings checkbox. 8. To send only those attributes supported by the device, check the Only send supported device attributes to device checkbox. 9. If you wish to archive accounting records older than a specified time period, uncheck the Disable session archiving box, and set the desired archival time period in the Archive user sessions older than x days field. 10. To archive the user session archive file in a location other than the default IDM data archive directory, type the desired path in the Archive file directory field. The default path is: C:\Program Files\Hewlett-Packard\PNM\server\idm\data 11. If you do not want to add a timestamp to the archive filename, uncheck the Use timestamp in archive filename option. If a timestamp is not used in the archive filename, the existing archive file is overwritten each time user sessions are archived. a. To insert a timestamp in the front of the archive filename, check the Prepend timestamp to archive filename option. b. To add a timestamp to the end of the archive filename, check the Append timestamp to archive filename option. 12. Click Ok to save your changes and exit the window. Click Apply to save your changes and leave the Preferences window open. Click Cancel to close the window without saving changes. Using Active Directory Synchronization The Active Directory Synchronization (AD Sync) feature provides the ability to receive change notifications from the active directory server for the domain the management server is logged into. The Active Directory Synchronization will automatically update the IDM database with changes made in your Active Directory, including new users, changes to existing users, and deletion of users. To enable automatic synchronization from Active Directory to IDM, navigate to the Preferences-> Identity Management -> User Directory Settings window. 2-38

61 Getting Started User Session Information Figure Identity Management Preferences: User Directory Settings. 1. Click the checkbox to select the Enable automatic Active Directory synchronization option. When the Active Directory synchronization is selected, the remaining fields in the display are enabled. Current status of the connection between IDM and Active Directory (AD Status) is displayed at the bottom of the window. 2. Type in the Username, Domain, and Password for the Active Directory domain administrator. You must enter the Active Directory Username and Domain name. The Password entry is optional. 3. If displayed, select the Groups to synchronize. 2-39

62 Getting Started User Session Information 4. To Add a group to the "Groups to Synchronize" list, click Add or Remove Groups... to display the Add or Remove Groups dialog. Figure Active Directory Synchronization: Add or Remove Groups The Active Directory is queried for all groups in the domain and the groups are displayed in the "Groups in Active Directory" list. NOTE: When adding or removing groups remember that synchronization includes all users who are indirect members of a group via intervening nested group relationships. In addition, users belonging to more than one AD group are added to the IDM group with the higher priority. For example, User 1 in the following example is imported into Group ALL if IDM synchronizes on Group ALL. Or, if IDM synchronizes on Group A or Group B, User 1 is imported into the group with the higher priority. If IDM synchronizes on Group d or Group y, the User 1 is not imported. 2-40

63 Getting Started User Session Information 5. Select the Active Directory Groups you want to Synchronize to IDM, then click the >> button to move the groups to the "Groups to Synchronize" list. Use the Filter field to locate a group easily. To remove groups from the synchronization, select the group in the "Groups to Synchronize" and click the << button to move it to the "Groups in Active Directory" list. 6. Click OK to save the Groups to Synchronize and return to the User Directory Settings window. 7. To accommodate users who are members of multiple groups, ensure the listed groups are in the desired order. To reorder a group, select the group and click the Move up or Move down button. A user can belong to only one Access Policy Group. IDM associates users with the first group in the group list that the user is a member of. Therefore, order is important. 8. Click Apply to save the settings without exiting the window. Click OK to save the settings and close the window. An Access Policy Group is created for each selected Active Directory group, and all users that belong to the selected groups will be imported from the Active Directory server. into the appropriate Access Policy Group. Changes to users in the selected groups will be imported (synchronized) as long as the Active Directory Synchronization is enabled. Operating Notes: If a user belongs to more than one Active Directory group, the user is imported into the IDM Access Policy Group with the highest priority (set in User Directory Settings Preferences). If an Active Directory group is deleted while Active Directory synchronization is enabled, the associated Access Policy Group is deleted. If that group is the priority IDM Access Policy Group for a user who belongs to more than one Active Directory group, the user is automatically reassigned to the next highest priority Access Policy Group. Users who do not belong to more than one Active Directory group are reassigned to the default Access Policy Group for the Realm. If an Active Directory group is deleted while Active Directory synchronization is disabled, the associated Access Policy Group is NOT deleted when synchronization is enabled. However, all users will be reassigned to other groups (next highest priority or default Access Policy Group for the Realm) as part of the resynchronization process. 2-41

64 Getting Started User Session Information Users deleted from Active Directory while synchronization is disabled are assigned to the default Access Policy group during the resynchronization process (instead of being deleted). This prevents users who were added by another method from being deleted. Within a Realm, Access Policy Group names must be unique. If Access Policy Groups are being created manually within the same Realm, use naming conventions to ensure these names do not conflict with Active Directory group names. Performance for the import from Active Directory to IDM varies depending on your environment. Using a 1.86 GHz processor with 2MB RAM, importing 20,000 Active Directory users in 75 groups takes approximately 65 minutes. A similar test that imported 10,000 of 20,000 users by selecting 2 of the 75 groups completed in 30 minutes. Once the initial synchronization is completed, IDM monitors all changes to the Active Directory which much less system resources. If Active Directory synchronization is disabled or IDM is restarted, all groups must be resynchronized. Importing only relevant groups can reduce the import time significantly. Selecting only groups of users for which access policies are defined instead of selecting the Domain Users group (which includes all users in the domain) can significantly reduce the amount of information that must be maintained in IDM and synchronized with Active Directory. When Active Directory is queried for the "Add or Remove Groups" function in IDM, it may take several seconds to display the list of available groups. An hourglass is displayed when such an extended process is occurring. Performance will vary depending on your environment. Using a 1.86 GHZ Intel Core2 Duo processor with 2MB RAM takes approximately 30 seconds to present a list of 20,000 groups. If an error occurs while attempting to read the Active Directory, an entry is made in the IDM events log, and IDM attempts to reconnect to Active Directory once per minute. 2-42

65 3 Using Identity Driven Manager Chapter Contents IDM Configuration Model Configuration Process Review Configuring Identity Management Configuring Locations Adding a New Location Modifying a Location Deleting a Location Configuring Times Creating a New Time Modifying a Time Deleting a Time Configuring Network Resources Adding a Network Resource Modifying a Network Resource Deleting a Network Resource Configuring Access Profiles Creating a New Access Profile Modifying an Access Profile Defining Access Policy Groups Creating an Access Policy Group Modifying an Access Policy Group Deleting an Access Policy Group Configuring User Access Adding Users to an Access Policy Group Changing Access Policy Group Assignments Using Global Rules Deploying Configurations to the Agent Using Manual Configuration Defining New Realms Modifying and Deleting Realms

66 Using Identity Driven Manager Deleting RADIUS Servers Adding New Users Using the User Import Wizard Importing Users from Active Directory Importing Users from an LDAP Server Importing Users from XML files

67 Using Identity Driven Manager IDM Configuration Model IDM Configuration Model As described in the IDM model on page 2-5, everything relates to the top level, or Realm. Each User in the Realm belongs to an Access Policy Group (APG). The APG has an Access Policy defined for it that governs the access rights that are applied to its Users as they enter the network. The Access Policy is defined using a set of Access Rules. These rules take four inputs: Location (where is the user accessing the network from?) Time (what time is the user accessing the network?) System (from what system is the user accessing the network?) Using these input parameters, IDM evaluates each of the rules. When a matching rule is found, then the access rights (called an Access Profile) associated with that rule are applied to the user. The Access Profile defines access provided to the network once the user is authenticated, including: VLAN what VLANs the user can access. QoS "Quality of Service," from lowest to highest. Rate-limits bandwidth that is available for the user. Network Resources resources the user can access, by IP address and/or protocol. These resources must be defined, similarly to the Locations and Times used in the access rules. Thus, based on the rules defined in the APG, the user gets the appropriate level of access to the network. In summary, for identity driven management each user in a Realm belongs to one Access Policy Group. The Access Policy Group defines the rules that are evaluated to determine the access policies that are applied at the switch when the user connects to the network. Configuration Process Review Assuming that you opted to enable Active Directory synchronization or let IDM run long enough to discover the Realm, users, and RADIUS server, your configuration process will be: 1. Define "locations" (optional) from which users access the network. The location may relate to port-based VLANS, or to all ports on a switch. 3-3

68 Using Identity Driven Manager IDM Configuration Model 2. Define "times" (optional) at which users will be allowed or denied access. This can be by day, week or even hour. 3. If you intend to restrict a user s access to specific systems, based on the system they use to access the network, you need to modify the User profile to include the MAC address for each system from which the user is allowed to login. 4. Define the Network Resources that users will have access to, or will be denied from using, if applicable. 5. Create the Access Profiles to set the VLAN, QoS, rate-limits (Bandwidth), and network resources that are applied to users in Access Policy Groups. 6. If you don t use Active Directory synchronization, create the Access Policy Groups, with rules containing the Location, Time, System, and Access Profile that will be applied to users when they login. OR If using Active Directory synchronization, add rules and access profiles to the Access Policy Groups that were created by Active Directory synchronization. 7. If you do not use Active Directory synchronization, assign Users to the appropriate Access Policy Group. 8. If you do not use automatic deployment, deploy the configuration to the IDM Agent on the RADIUS Server. The authorization controls can then be applied when IDM detects an authenticated user login. If you do not use automatic deployment and do not manually deploy the IDM configuration to the Agent on the RADIUS server, the configuration will not be applied NOTE: If you want to modify or delete an Access Policy Group, or the locations, times, or access profiles used in the Access Policy Group, make sure your changes will not adversely affect users assigned to that group. Configuring Identity Management All of the elements described for configuring user access in IDM are available in the Identity Management Configuration window. To launch the Identity Management Configuration window: 1. Right-click on the Identity Management navigation tree, and select the Configure Identity Management... option from the menu, or 3-4

69 Using Identity Driven Manager IDM Configuration Model 2. Click the Configure Identity Management icon in the Realms window toolbar. The Identity Management Configuration default display is the Access Profiles pane with the Default Access Profile. Figure 3-1. Identity Management Configuration, default display Click the node in the navigation tree to display the defined configuration parameters and add or edit new configuration parameters, as described in the following sections. 3-5

70 Using Identity Driven Manager Configuring Locations Configuring Locations Locations in IDM identify the switch and/or ports on the switch and wireless access points where users connect to the network. Users generally are allowed to log in to the network from a variety of locations, IDM allows you to create customized locations to match specific environments. For example, a generalized company "location" may include all of the ports on a switch, or multiple switches through which users can connect to the network. You can define a lobby location as a single switch, or a single port on the switch, in order to restrict access to the network for visitors attaching to the network in the lobby. To configure a location: 1. Click the Locations node in the Identity Management Configuration navigation tree to display the Locations panel. Figure 3-2. Locations panel Tip: IDM also lets you include wireless devices in the location configuration. The "Enable Enhanced Wireless Support" option in IDM Preferences add a wireless devices tab to the Create a new Locations window. 3-6

71 Using Identity Driven Manager Configuring Locations Adding a New Location To create a new location: 1. Click the New Location icon in the toolbar to display the new locations window. Figure 3-3. Create a New Location display 2. Type in a Name for the location. 3. Type in a Description for the location. To add wired devices to the location: 4. Click Add device... to open the New Device window, and define the devices and/or port combinations that will be included in the location. See To Add a Wireless Device to a Location on page 3-9 for details on support for wireless locations. 3-7

72 Using Identity Driven Manager Configuring Locations Figure 3-4. New Device window 5. Enter the Device to be added using the Device Selection pull-downs, or select the Manually enter device address option. Using the Device Selection option: a. Select a device group using the pull-down menu. This will enable the Select Device pull-down menu in the next field. b. Select a device from the pull-down list of available devices. The list is populated with the IP address or DNS name for all (PCM managed) devices in the selected group. Using the Manually enter device address option: a. Click the check box to enable the data entry field below it. b. Type in the IP address or DNS name of the device to be added. Note: If PMM is licensed, this dialog will not show wireless device. You must add wireless devices from the "Wireless Devices" tab on the "New Location Dialog" If PMM is not licensed, wireless devices will appear in this dialog. However, you will not be able to select any ports, the only option will be "Any port" 3-8

73 Using Identity Driven Manager Configuring Locations 6. Use the Port Selection to define the ports on the device that will be associated with the location. Click to select Any port on the switch, or Click Select ports, then use the pull down lists to select the Begin and End ports on the device that will be associated with the new location. If you manually entered the device address, the Begin port and End port pull-down menus are disabled, and you must manually enter the ports. 7. Click Ok to save the New Device settings to the Location, and close the window. NOTE: If a switch in the device list is not configured to authenticate with the RADIUS server, the settings in IDM will have no affect. You can type in an IP address for non-procurve devices and if the device uses industry standard RADIUS protocols, the settings should work; however, HP does not provide support for IDM configurations with non-procurve devices. 8. The Device address and ports information is displayed in the New Location window. 9. Repeat steps 4 through 7 to add additional devices to the Location, or click OK to save the new Location and close the window. To Add a Wireless Device to a Location: 10. Click the Wireless devices tab: 3-9

74 Using Identity Driven Manager Configuring Locations Figure 3-5. Create a New Location, Wireless Devices display 11. Click Add Device... to display the Wireless Devices Selection dialog. Figure 3-6. Select Wireless Device for a location 12. All discovered Radios and radio ports are displayed. 3-10

75 Using Identity Driven Manager Configuring Locations Click the check box to select the radio ports to be included in the location, and then click OK to save the selection and return to the Create a new Location (Wireless Devices tab) window. 13. Click OK in the Create a new Location window to save and exit, or repeat the steps to add additional devices to the location. Modifying a Location To edit the information for an existing Location: 1. Click the Locations node in the Identity Management Configuration navigation tree to display the Locations panel, with the list of defined locations. 2. Double-click on a location in the navigation tree, or in the Locations list to open the (modify) location panel. You can also select the location in the list, then click the Edit Location icon in the toolbar to display the Location in edit mode 3. Edit the location Name and Description as needed. 4. To edit the device configuration for the location To Modify the device settings, select the device in the list, then click Edit device... to display the Modify Device window. The Modify Device window contains the same fields as the New Device window. You can edit the ports associated with the location, or you can choose a different device and reset the ports for the new device. Click OK to save your changes and close the window. The changes are displayed in the Location panel. To add another device, click Add Device. To delete a device, select the device in the list, then click Delete Device. 5. Click OK to save the location changes and close the Locations window. Click Cancel to close the window without saving the changes. The original location configuration will be maintained. NOTE: When modifying Locations, make sure all devices for the location are configured with the appropriate VLANs. If you Modify a Location that is part of a VLAN (subnet) and that Location is currently used in an Access Policy Group rule, IDM will check to make sure that the VLAN exists. If not, an error message is displayed. 3-11

76 Using Identity Driven Manager Configuring Locations Deleting a Location To remove an existing Location: 1. Click the Locations node in the Identity Management Configuration navigation tree to display the Locations panel, with the list of defined locations. 2. Click on a location in the list to select it. 3. Click on the Delete Location icon in the toolbar to remove the location. The first time you use the Delete Location option, a warning pop-up is displayed. Click Ok to continue, or Cancel to stop the delete process. 4. The location is removed from the Locations list. NOTE: If you modify or delete a Location, check to make sure that the changes do not adversely affect users in Access Policy Groups where the Location is used. 3-12

77 Using Identity Driven Manager Configuring Times Configuring Times Times are used to define the hours and days when a user can connect to the network. When included in the Access Policy Group rules, the time can be used to allow or deny access from specific locations at specific time. For example, students might be allowed network access from the "Classroom" location during weekdays, from 9:00 am to 5:00 pm, but denied access from the Classroom at any other time. To configure a Time: 1. Click the Times node in the Identity Management Configuration navigation tree to display the Times panel. Figure 3-7. Identity Management Configuration, Times panel The Times window lists the name and description of defined times. Doubleclick the time in the list, or select the time in the navigation tree to display the Time s properties, including: Name Description Time Name used to identify the time Brief description of the time Time of day when the access policy group is active. Days of week Days of the week when the access policy group is active Range Dates during which the "Time" will be in effect. A start date must be specified. 3-13

78 Using Identity Driven Manager Configuring Times Figure 3-8. Times Properties Creating a New Time To configure a Time: 1. Click the Times node in the Identity Management Configuration navigation tree to display the Times panel. 2. Click the Add New Time toolbar icon to display the Create a new Time window. 3-14

79 Using Identity Driven Manager Configuring Times Figure 3-9. Create a New Time 3. Define the properties for the new time. Name Description Time Days of week Name used to identify the time Brief description of the time Time of day when user will be accepted on the network. To allow access the entire day, click the All day radio button. To restrict access to specific hours of the day, click the From radio button and type the beginning and ending times. The ending time must be later than the beginning time. AM or PM must be specified. Days of the week that a user will be accepted or rejected on the network. Click the radio button next to the desired days. Click the Custom radio button to enable the day(s) of the week check boxes. Range Table 3-1. IDM Time parameters Dates during which the time will be in effect. Select the Start Date and then click the No End Date radio button, or select the End Date. 3-15

80 Using Identity Driven Manager Configuring Times 4. Click Ok to save the new "Time" and close the panel. The new time appears in the Times window. Modifying a Time 1. Click the Times node in the Identity Management Configuration navigation tree to display the Times panel. 2. Click on a Time in the navigation tree to display the Time details in edit mode, similar to the Create a new Time panel. You can also select the Time in the list then click the Modify Time icon in the toolbar to display the modify panel. 3. Modify the time parameters, as described in Table 3-1 on page Click Ok to save your changes and close the window NOTE: If you modify or delete a Time, check to make sure that the changes do not adversely affect users in Access Policy Groups where the Time is used. Deleting a Time To remove an existing Time: 1. Click the Times node in the Identity Management Configuration navigation tree to display the Times panel with the list of defined Times. 2. Click on a Time in the list to select it. 3. Click on the Delete Time icon in the toolbar to remove the location. The first time you use the Delete Time option, a warning pop-up is displayed. Click Ok to continue, or Cancel to stop the delete process. 4. The Time is removed from the Times list. 3-16

81 Using Identity Driven Manager Configuring Times Defining Holidays To add holidays for use when defining Times in IDM: 1. Click the Times node in the Identity Management Configuration navigation tree to display the Times panel. 2. Click the Holidays icon in the toolbar to launch the Holidays window. Figure Holidays window 3. Click Add. to launch the Add Holidays window. Figure Add Holiday 4. The Date field defaults to the current date. You can use the field buttons to increase or decrease the date. You can also type in a new date. 5. In the Description field, enter the text that will identify the holiday in the Holidays list. 6. Click OK to save the holiday and close the window. The new holiday appears in the Holidays list. To edit a Holiday, select it in the Holidays list, then click Edit... This launches the Edit Holiday window, similar to the Add Holiday window. 3-17

82 Using Identity Driven Manager Configuring Times To delete a Holiday, select it in the Holidays list, then click Delete... Click Yes in the confirmation pop-up to complete the process. 3-18

83 Using Identity Driven Manager Configuring Network Resources Configuring Network Resources The Network Resources in IDM are used to permit or deny traffic to and from specified sources and destination. This is done by configuring an IP-based filter based on either: The IP address (individual address or subnet address) of the source or destination, or The protocol (IP, ICMP, VRRP, etc.) The TCP or UDP port (i.e., based on protocol and application, such as Telnet or HTTP) For example, you can create a Network Resource to restrict "guest accounts" so that they only have access to the external Internet, and no access to internal resources. Or you can define a resource that allows HR employees to access the payroll systems, and denies access to all other employees. Network Resource features can be used only for switches that support IDMbased ACLs. To date, this includes only the 5300 version E and greater; check the ProCurve web site ( for more information. To configure a Network Resource: 1. Click the Network Resources node in the Identity Management Configuration navigation tree to display the Network Resources panel. Figure Network Resources 3-19

84 Using Identity Driven Manager Configuring Network Resources The Network Resources window lists the name and parameters for defined resources, including: Name IP Address Network Mask Ports Protocol Name used to identify the resource IP Address for the switch associated with the resource ("any" if the resource is being filtered by protocol). The subnet mask for the IP Address. Device port(s) associated with the resource or Any if the resource is being filtered by protocol. Ports can be selected by number, or friendly port name. Refer to the section on "Using Friendly (Optional) Port Names" in the Management and Configuration Guide for your switch for details. The Protocol (UDP, TCP, or IP) used to filter access to the resource. Double-click the Network Resource in the list, or select it in the navigation tree on the left to display individual Network Resource configuration details. Figure Network Resource Configuration Details Note that when you open the window, it is in "Edit" mode. You can modify the entries in the display fields, and the changes are automatically saved when you click Close. For details on the field entries, refer to the definitions under Adding a Network Resource on the next page. 3-20

85 Using Identity Driven Manager Configuring Network Resources Adding a Network Resource To define a Network Resource: 1. Click the Network Resources node in the Identity Management Configuration navigation tree to display the Network Resources panel. 2. Click the Add Network Resource toolbar icon to display the Define Network Resource window.. Figure Define Network Resource 3. Define the properties for the network resource. Name Description Name used to identify the network resource Brief description of the network resource (optional) Resource Attributes: IP Address: To filter by device address, uncheck the Any Address checkbox and type the IP address for the switch associated with the resource in the IP Address field. Use the Any address option if you will be filtering by Protocol and application port only, and not by specific device or port. Mask: The subnet mask for the IP Address (if used). Use the up/down buttons [, ] to set the mask number. Table 3-2. IDM Network Resource parameters 3-21

86 Using Identity Driven Manager Configuring Network Resources Protocol: Select UDP, TCP, or IP to identify the protocol used to filter access to the resource. Protocol can be used alone or with an IP address and port parameters to define the network resource access. To use a custom protocol number for a network resource, check the Enter protocol number checkbox and type the protocol number (0-137) Port: Any port is selected by default, which means all ports associated to the IP address are included in the network resource definition. To specify a port for the network resource, click the Any port checkbox to de-select it and enable the Port field. Enter the port number, or friendly port name* used for the resource. Table 3-2. IDM Network Resource parameters * Valid Friendly port names supported in IDM include: ftp, syslog, ldap, http, imap4, imap3, nntp, pop2, pop3, smtp, ssl, telnet, bootpc, bootps, ssh, dhcp, ntp, radius, rip, snmpsnmp-trap, tftp. Note: If you are setting a resource to represent an application port such as "dhcp" or "smtp" or "http", you must make sure that you set the correct protocol, either TCP or UDP. If you do not set the correct protocol, the rule will not operate as intended at the switch or access point. 4. Click Ok to save the Network Resource definition and close the window. All entries are saved immediately upon entry. This allows you to configure several IDM features without closing and reopening the Configure Identity Management window Click Cancel to close the window without saving your changes. Modifying a Network Resource To edit a Network Resource: 1. Click the Network Resources node in the Identity Management Configuration navigation tree to display the Network Resources panel. 2. Click in the list to select the network resource to edit, then click the Edit Network Resource toolbar icon to display the Define Network Resource window. 3. Edit the properties as needed. Refer to Adding a Network Resource on the previous page for definitions. 4. Click Ok to save the Network Resource definition and close the window. 3-22

87 Using Identity Driven Manager Configuring Network Resources Deleting a Network Resource To delete a Network Resource: 1. Click the Network Resources node in the Identity Management Configuration navigation tree to display the Network Resources panel. 2. Click in the list to select the network resource to edit, then click the Delete Network Resource toolbar icon. 3. Click Yes in the confirmation pop-up to complete the process. The selected network resource is removed from the Network Resources list display. 3-23

88 Using Identity Driven Manager Configuring Access Profiles Configuring Access Profiles IDM uses an Access Profile to set the VLAN, QoS, Bandwidth (rate-limits) and Network Resource access rules that are applied to the user when they are authenticated on the network. This is where the real benefits of "access control" are realized. When users log in, the Access Profile dynamically configures the switch or wireless access point settings to provide the proper network access and resources for the user. To begin, click the Access Profiles node in the Identity Management Configuration navigation tree to display the Access Profiles window. Figure Access Profiles window The Access Profiles window lists defined Access Profiles, including: Name VLAN QoS Bandwidth Description Name used to identify the profile VLAN to which users are assigned when they log in The "Quality of Service" setting The rate limits for outbound traffic Brief description of the profile The Access Profile tells the switch to override any local settings for the port the user is accessing with the settings specified in IDM. 3-24

89 Using Identity Driven Manager Configuring Access Profiles 3-25

90 Using Identity Driven Manager Configuring Access Profiles Click the Access Profile node in the navigation tree, or double-click on a profile in the list to display the details of the selected profile. Figure Access Profile details The Name, Description, and Access Attributes are the same as defined in the Access Profiles list. The Network Resources section lists the Network Resources included in the profile: Priority Action Resource Accounting The order in which the network resource rules are evaluated; the first one to match each incoming packet is applied Indicates if access to the Network Resource is allowed or denied. The defined network resource name. Tells the switch to keep a count of the number of hits using this rule. Creating a New Access Profile 1. Click the Access Profiles node in the Identity Management Configuration navigation tree to display the Access Profiles window. 3-26

91 Using Identity Driven Manager Configuring Access Profiles 2. Click the Add Access Profile icon in the toolbar to display the Create a new Access Profile window. Figure Create Access Profile 3. Define the attributes for the Access Profile: Name Description VLAN QoS Bandwidth Don t Override Name used to identify the Access Profile Brief description of the Access Profile Type in the VLAN or select one from the pull-down menu, which lists VLANs configured in PCM. The DEFAULT_VLAN(1) allows access across all segments on the network. If another VLAN is specified, the user is only allowed access to that network segment. The Quality of Service, or "priority" given to outbound traffic under this profile. Select the setting from the pull-down menu. The rate-limits applied for this profile. Use the up-down arrows to increase or decrease the Bandwidth setting. The default setting is 1000 Kbps (1 Mbps) NOTE: This is translated to a percentage of bandwidth at the switch. Select this option for any of the Access Attribute parameters to use the current settings at the switch when the user logs in. NOTE: If you are assigning any VLAN other than the default VLAN, ensure that the VLAN is configured correctly on the all switches to which this access profile will be applied before defining the access profile. 3-27

92 Using Identity Driven Manager Configuring Access Profiles The VLAN that gets set for a user will override the statically configured VLAN, as well as the auth-vid which may have been configured for that port. Note also that if an unauth-vid is set and the user is rejected by IDM for any reason, the port is opened and the VLAN is set to the unauth-vid. 4. To assign the Network Resources, click Edit... This launches the Network Resource Assignment Wizard. Figure Network Resource Assignment Wizard 5. Click Next to continue to the Allowed Network Resources window. 3-28

93 Using Identity Driven Manager Configuring Access Profiles Figure Network Resource Assignment Wizard, Allowed Network Resources 6. To permit access to Network Resources: a. Select the Resource in the Available Resources list. Use shift-click to select multiple resources. b. Move the Available Resource(s) to the Allowed Resources list (click >>) c. Click Next to continue to the Denied Resources window. 3-29

94 Using Identity Driven Manager Configuring Access Profiles Figure Network Resource Assignment Wizard, Denied Network Resources 7. To deny access to Network Resources: a. Select the Resource in the Available Resources list. Use shift-click to select multiple resources. b. Move the Available Resource(s) to the Denied Resources list (click >>) c. Click Next to continue to the Priority Assignment window. 3-30

95 Using Identity Driven Manager Configuring Access Profiles Figure Network Resource Assignment Wizard, Priority Assignment 8. Set the priority (order of evaluation) for the Network Resources. To change the priority, click the Resource in the list, then click Move down or Move up. The first rule to match is the one that will be applied. 9. Click Next to continue to the Default Access window. Figure Network Resource Assignment Wizard, Default Access 3-31

96 Using Identity Driven Manager Configuring Access Profiles 10. Select the option to tell IDM what to do if there are no matches found in the network resource access rules. 11. Click Next to continue to the Resource Accounting window. Figure Network Resource Assignment Wizard, Resource Accounting 12. Click the check box to enable the Accounting function (optional). This enables tracking of hits on this resource on the switch or access point. Use CLI on the switch to review the hits. 13. Click Next to continue to the Summary window. 3-32

97 Using Identity Driven Manager Configuring Access Profiles Figure Network Resource Assignment Wizard, Summary 14. Click Finish to save the Network Resource Assignments to the Access Profile and close the wizard. Click Back to return to a previous window to change the assignment, or Click Cancel to close the wizard without saving the changes. Click Start Over to return to the start of the Network Assignment Wizard. Modifying an Access Profile To modify an existing Access Profile: 1. Click the Access Profiles node in the Identity Management Configuration navigation tree to display the Access Profiles window. 2. Click on an Access Profile in the list to select it. 3. Click the Modify Access Profile icon in the toolbar to display the Modify Access Profile window. The Modify window shows the details of the Access Profile, similar to the Create a new Access Profile window. 4. Modify the access profile parameters, as described for creating a new profile. Click the Edit... button to change the Network Resource Assignments using the wizard. 5. Click Ok to save your changes and close the window 3-33

98 Using Identity Driven Manager Configuring Access Profiles The changes are displayed in the Access Profiles list. NOTE: When modifying Access Profiles, make sure the appropriate VLANs are configured on the network and at the switch. If you Modify the VLAN attribute in an Access Profile that is currently used in an Access Policy Group rule, IDM will check that the VLAN exists. If not, an error message is displayed. Deleting an Access Profile To remove an existing Access Profile: 1. Click the Access Profiles node in the Identity Management Configuration navigation tree to display the Access Profiles window. 2. Click on an Access Profile in the list to select it. 3. Click on the Delete Access Profile icon in the toolbar to remove it. The first time you use the Delete option, a warning pop-up is displayed. Click Ok to continue, or Cancel to stop the delete process. NOTE: Before you modify or delete an Access Profile, make sure that your changes will not adversely affect users in Access Policy Groups where the profile is used. 3-34

99 Using Identity Driven Manager Defining Access Policy Groups Defining Access Policy Groups An Access Policy Group (APG) contains rules that define the VLAN, rate-limit (bandwidth), quality of service, and network resource access rules for users in the group, based on the time, location, and system from which the user logs in. You can also create rules to work in conjunction with third-party endpoint integrity (Host Integrity) applications to verify that systems attempting to connect to the network meet security requirements. Each rule in an Access Policy includes the following parameters: Location - identifies the switch and/or switch ports where users connect to the network. Location can identify physical wiring connections or VLANs configured to segment the network Time System Endpoint Integrity Access Profile Multiple access policy groups can be added to a realm, and multiple access profiles, locations, and times can be referenced and configured in an access policy group. Access policy groups can be created manually or automatically if Active Directory synchronization is enabled. However, Access Policy Group names must be unique within a Realm. When a user assigned to the APG is authenticated on the RADIUS Server, the IDM Agent applies the appropriate rule, which can cause the switch or access point to accept or reject the user, and modifies the RADIUS reply to provide the appropriate network access to the user. You can create an APG that does not have any limitations, that is, it allows "Any" location, time, system, and accepts the default switch settings for VLAN, QoS, and Bandwidth. This would allow you to use IDM to monitor logins and network resource usage by user, without limiting user access to the network. 3-35

100 Using Identity Driven Manager Defining Access Policy Groups To begin, expand the Realms node to display the Access Policy Group node in the IDM tree. Click to display the Access Policy Groups tab. Figure Access Policy Groups display You can expand the Access Policy Group (APG) node in the tree, and click the individual APG node to display the policy Properties tab. Figure Access Policy Group Properties tab Creating an Access Policy Group 1. Click the Access Policy Group node in the IDM tree to display the Access Policy Groups tab. 2. Click the Add Policy Group icon in the toolbar to display the New Access Policy Group window. 3-36

101 Using Identity Driven Manager Defining Access Policy Groups Figure New Access Policy Group 3. Type in a Name and Description for the Access Policy Group. 4. Click New... to display the New Access Rule dialogue. Figure New Access Rule 5. Select an option from the pull down menu for each field. When all the parameters are set, click OK to save the Access Rule configuration and close the dialogue. The parameters for Access Rules are described in the following table. 3-37

102 Using Identity Driven Manager Defining Access Policy Groups Location Time System WLANS Access Profile Lists the Locations you created by name, and the "ANY" option. If you select ANY and the access profile for the rule points to a VLAN, ensure that the VLAN is configured on every switch to which users in this access policy group will be connecting Lists the Times you created by name, and the ANY option. Systems from which the user can log in. ANY allows user to login in on any system. OWN restricts users to systems defined for that user. See Configuring User Systems on page 3-54 for detail. Lists the WLANs in the network, and an "ANY" option. Note that this works only if ProCurve Mobility Manager is installed and the Enhanced Wireless Support option is selected in the Preferences for Identity Management. Lists the Access Profiles you created by name, the Default Access Profile, and a REJECT option. Select REJECT if the rule will prohibit a user from logging in. 6. Repeat the process for each rule you want to apply to the APG. 7. The Access rules are evaluated in the order (priority) they are listed in the Access Rules table. Use Move Up or Move Down buttons to arrange the rules in the order you want them to be evaluated. IDM checks each rule in the list until a match on all input parameters is found, then applies the corresponding access profile to the user. For example, if you want to allow a user to login in from any system during the work week (Mon. - Fri.), but you want to deny access to users on the weekend, you would: Create a Time for the weekend, Create an Access Profile to be applied during weekdays, "Default" Define two rules for the APG, similar to the following: Location Time System Access Profile ANY weekend ANY REJECT ANY weekday ANY Default When the user is authenticated, IDM checks the Access Policies in the order listed. If it is Saturday or Sunday, the user s access is denied. On any other day, the user is allowed on the network. If the order were reversed, IDM would never read the second rule because the first rule would provide a match every day of the week. 8. Click OK to save the Access Policy Group and close the window. 3-38

103 Using Identity Driven Manager Defining Access Policy Groups IDM will verify that the rules in the APG are valid. If a rule includes a defined VLAN (from the Access Profile) and the VLAN does not exist on the network or devices for the location(s), an error message is returned and you must fix the problem before the APG can be saved. Click Cancel to close the window without saving the Access Policy Group configuration. 9. The new Access Policy Group is listed in the Access Policy Groups tab. Assigning Rules to an Auto-generated Access Policy Group Active Directory synchronization automatically creates Access Policy Groups with the default values of: Any Location Any Time Any System Any WLAN Any Endpoint Integrity Default Access Profile To assign specific rules to an Access Policy Group, see Modifying an Access Policy Group (page 3-41). Using IDM with Endpoint Integrity Systems You can create access profiles in IDM to work in conjunction with endpoint integrity (host integrity) applications to verify that systems attempting to connect to the network meet security requirements. To use the Endpoint Integrity support options you need to select the Endpoint Integrity option in the IDM Preferences window (Tools->Preferences->Identity Management). With the Endpoint Integrity preference set, the Endpoint Integrity option will appear in the Access Rules windows. 3-39

104 Using Identity Driven Manager Defining Access Policy Groups Figure Access Rule with Endpoint Integrity options Select the Endpoint Integrity option to use with the access rule, as described i the following list. Select ANY to apply the access rule regardless of the status passed from the endpoint integrity system. Select PASS to apply the access rule in cases where the system the user is logged in on passes the endpoint integrity check. Select FAIL to apply the access rule in cases where the system the user is logged in on fails the endpoint integrity check. Select INFECTED to apply the access rule in cases where the system the user is logged in on has been identified as infected by the endpoint integrity system. Select UNKNOWN to apply the access rule in cases where the system the user is logged has an endpoint integrity status setting of "unknown". For example, if you want to restrict access to a specific (remediation) VLAN when the endpoint integrity check fails, create a Location that specifies the remediation VLAN, then create an access rule that will put the user on that Location if the Host Integrity value is FAIL. 3-40

105 Using Identity Driven Manager Defining Access Policy Groups Modifying an Access Policy Group 1. Click the Access Policy Group node in the IDM tree to display the Access Policy Groups tab. 2. Click on an Access Policy Group Name to select it. 3. Click the Modify Policy Group icon in the toolbar to display the Modify Access Policy Group window. 4. Modify the Rules as needed by selecting different options from the pulldown menus for each field. (see page 3-16 for field definitions). 5. Click Ok to save your changes and close the window. Click Cancel to close the window without saving the Access Policy Group changes. Deleting an Access Policy Group 1. Click the Access Policy Group node in the IDM tree to display the Access Policy Groups tab. 2. Click on an Access Policy Group Name to select it. 3. Click the Delete Policy Group icon in the toolbar to delete the Access Policy Group. If Active Directory synchronization is enabled, a deleted Access Policy Group will be recreated when IDM is resynchronized or detects a change to the related Active Directory group unless you remove the Active Directory group from the User Directory Settings. 3-41

106 Using Identity Driven Manager Configuring User Access Configuring User Access The process of configuring User access to network resources using IDM is simplified through IDM s ability to learn User information from the Active Directory or RADIUS server, and the use of Access Policy Groups. If Active Directory synchronization is enabled, IDM creates an Access Policy Group for each Active Directory group selected in User Directory Settings preferences and adds the users assigned to the Active Directory group to that Access Policy Group in IDM. Users are assigned to Access Policy Groups based on the rules explained in Using Active Directory Synchronization (see page 2-38) If you do not use Active Directory synchronization, once you have configured the Access Policy Groups, you simply assign users to an APG. The next time the user attempts to log in to the network, IDM uses the rules in the user s Access Policy Group to dynamically configure the edge switch to provide the appropriate access to the network. Click the Users tab on the Access Policy Group or Realm window to display the list of users. Figure Users tab 3-42

107 Using Identity Driven Manager Configuring User Access The Users list identifies every defined user and contains the following information for each user: Logged In Username Friendly Name Realm Access Policy Group Last Login Attempt Icon indicates whether the user is currently logged in: User is logged in. User is logged out. The icon is greyed out if session accounting is disabled. Name given to User s login account. User s friendly name, if defined, else this is same as Username. Realm in which the user logs in. Access policy group to which the user is assigned. Date and time the user last attempted to log in, regardless if the login failed or succeeded. Adding Users to an Access Policy Group To assign a user to an access policy group: 1. Expand the Realms node, then click the individual Realm to display the Users tab, or expand the realm to display access policy groups. Click the Users tab in the individual Realm or Access Policy Group window. 2. Select the users in the list, then click the Add Users to APG icon in the toolbar to display the Select Access Policy Group window. Figure Select Access Policy Group 3. In the Assign selected Users to Access Policy Group: field, use the pull-down menu to select the access policy group to which you want to assign the user(s). If you select the Default Access Policy Group from the assignment pull-down menu, users can log into RADIUS servers, but they are not governed by access policy group rules. IDM will still collect and display event information for users in the Default APG, as long as they are authenticated by the RADIUS server. 3-43

108 Using Identity Driven Manager Configuring User Access 4. Click Ok to save the assignments and close the window. The new APG assignments are displayed in the Users list. Changing Access Policy Group Assignments To re-assign users to a different APG: 1. Click the access policy group or realm in the IDM tree, and then click the Users tab in the Access Policy Group or Realm window. 2. Select the users in the list, then click the Add Users to APG icon in the toolbar to display the Select Access Policy Group window. 3. Select a different option from the Assign selected Users to Access Policy Group pull-down menu. 4. Click Ok in the confirmation pop-up, then click OK in the Select Access Policy Group window to save your changes and close the window. The new APG assignments are displayed in the Users list. 3-44

109 Using Identity Driven Manager Configuring User Access Using Global Rules Global Rules can be used to provide an "exception process" to the normal processing of access rules via Access Policy Groups. IDM will check for Global Rules and apply them to the designated users before processing any access rules found in Access Policy Groups. For example, you can use a Global Rule to deny access to the network during a specific time period, such as a site shutdown or during periods when network maintenance is being done. Global Rules are typically used to apply to all users in a realm. They can also be defined to apply to a single user or access policy group. Global Rules should not take the place of existing rules defined within the Access Policy Groups; they are intended for special use cases. To display global rules, click on the Realm in the IDM navigation tree, then click the Global Rules tab in the Realm display. Figure Global Rules tab The Global Rules tab provides the following data about defined global rules: Target Location Time System WLAN Endpoint Integrity User(s) or access policy group to which the rule applies Location where the rule is used Time that the rule is used System where the rule is used WLAN where the rule is used. Appears only if the Enhanced Wireless Support option is set in Preferences for Identity Management Indicates the endpoint integrity status used by the rule. This appears only if the Endpoint Integrity option is set in Preferences for Identity Management 3-45

110 Using Identity Driven Manager Configuring User Access Access Profile Access profile governing user permissions during the session Creating a Global Rule is similar to creating Access Rules for an Access Profile Group. To create a global rule: 1. In the navigation tree, click on the realm that will use the global rule, then click the Global Rules tab in the Realm s display. 2. Click the Add Global Rule button to display the New Global Rule window. Figure Global Rules dialog 1. Select the Target Properties To use the global rule for all users in the realm, select the All Users To use the global rule for a specific user, select Single User and type in the user name. To use the global rule for an access policy group, click Access Policy Group, and select the group from the drop-down menu. Note: If you want to create a global rule for multiple users or multiple groups, you do this by creating multiple rules, each referencing a single user, or group. 3-46

111 Using Identity Driven Manager Configuring User Access 2. Set the Access Properties for the Global Rule. This is similar to the process used to define Access Policy Rules when you create an Access Policy Group (see page 3-36) a. Select the Location where the global rule will be applied, or "ANY". b. Select the Time when the global rule will be used, or "ANY". c. Select the System where the global rule will be used, or "ANY" d. Select the WLAN where the global rule will be used, or "ANY" Note that this option only appears if the "Enable Enhanced wireless support" option is set in the Preferences for Identity Management. e. In the Access Profile field, select the access profile where the global rule will be used. f. If Endpoint integrity is enabled, select the option that indicates when the rule will be applied, relative to the endpoint integrity status (Pass, Fail, or Any) 3. Click Ok to save your changes and close the New Global Rule window 4. The new global rule appears in the Global Rules list. 5. Similar to access rules, the global rules are evaluated in the order they are listed in the Global Rules table. Use the Move Up or Move Down button in the toolbar to arrange the rules in the order you want them to be applied. IDM checks each rule in the list until a match on all parameters is found, then applies the matching rule. Changing Global Rules To edit Global Rules: 1. Navigate to the Global Rules window. 2. Select the rule you want to modify in the Rules list. 3. Click the Edit Global Rule icon to display the Edit Global Rules window. 4. Change the desired values, as explained for New Global Rule. 5. Click Ok to save the changes and close the Edit Global Rules window. To delete a Global Rule: 1. Navigate to the Global Rules window. 2. Select the rule you want to delete in the Rules list. 3. Click the Delete Global Rule icon in the toolbar. 3-47

112 Using Identity Driven Manager Configuring User Access 4. Click Yes in the confirmation pop-up to complete the process. The rule is removed from the Global Rules list. 3-48

113 Using Identity Driven Manager Deploying Configurations to the Agent Deploying Configurations to the Agent An option in the IDM Preferences allows you to automatically deploy configuration changes to the IDM agent. Or, you can manually deploy changes made to Access Profiles, Locations, Times, or Network Resource configurations. If automatic deployment is disabled, you need to deploy the configuration information to the IDM Agent once you have configured the Access Policy Groups and assigned users. The Access Policy Group assignments (including the locations, times, and Access Profiles) are not applied until they get deployed to the IDM Agent on the RADIUS server, and the user logs in again. Deployment overwrites and replaces the current configuration for that realm, on that RADIUS server. To manually deploy the IDM authorization policy configuration: 1. Right-click on the Realms node in the IDM tree 2. Select the Deploy current policy to this realm option to display the Deploy to RADIUS Servers window. Figure Deploy to RADIUS Servers 3. Click Deploy to write the access policy information to the IDM Agent for the selected Realms and the respective RADIUS Servers. 4. Click Close to exit the window. After the new access policy configurations are deployed, the deployment warning on the IDM Dashboard display is removed. 3-49

114 Using Identity Driven Manager Using Manual Configuration Using Manual Configuration It is simplest to let the IDM Agent run and collect information about Realms, including RADIUS servers and users in the Realm from the RADIUS server, but you can also manually define information about the Realm, RADIUS servers, and users in the IDM GUI. Defining New Realms If you have configured a new Realm that uses a RADIUS server on which you have installed an IDM Agent, you can let the Agent learn the Realm information automatically, or you can define the Realm using the IDM GUI. To define a realm: 1. Click the Add Realm icon on the toolbar to display the New Realm window. Figure Add Realm 2. Enter the information for the Realm: Type the Name used to identify the realm. In the Alias field, type an alternate name that can be used for the realm. For example a fully qualified realm Name can be idm.main.procurve and the Alias can be IDM. This is most useful when using IDM with Active Directory; and you should make sure that the IDM realm alias matches the Active Directory "NETBIOS" name. Type a brief Description of the realm to help identify the realm. To set the realm as the default realm, click the Use as default Realm check box. The default realm is used when IDM cannot determine the realm for a RADIUS server or user login. 3-50

115 Using Identity Driven Manager Using Manual Configuration 3. Click Ok to save the Realm information and close the window. The new Realm appears in the Realms list, and the IDM Tree. Modifying and Deleting Realms To modify an existing Realm: 1. Select the Realm in the Realms list. 2. Click the Modify Realm icon on the Realm list toolbar to display the Modify Realm window. (similar to the New Realm window). 3. Edit entries as needed for the Realm: The Name used to identify the realm. The realm Description. To set the realm as the default realm, click the Use as default Realm check box. The default realm is used when IDM cannot determine the realm for a RADIUS server or user login. 4. Click Ok to save the Realm changes and close the window. The Realm modifications appears in the Realm List and Realm Properties tab. To delete a Realm: 1. Select the Realm in the Realm List. 2. Click the Delete Realm icon in the toolbar. A confirmation dialog will display. Click Yes to complete the realm delete process. The selected realm, and the associated users will be removed from the Realm list and IDM Tree. 3-51

116 Using Identity Driven Manager Using Manual Configuration Deleting RADIUS Servers To delete an existing RADIUS Server: NOTE: Before you can completely delete the RADIUS server, you need to uninstall the IDM Agent on the server. Otherwise, the RADIUS server may be rediscovered, causing it to re-appear in the IDM tree. 1. Use the IDM Tree to navigate to the RADIUS List window, and select the RADIUS Server you want to delete in the list. 2. Click the Delete RADIUS icon on the Radius List toolbar. 3. A pop-up confirmation dialog is displayed: Figure Delete RADIUS Server Confirmation dialog 4. Click Yes to complete the delete process and close the window. The RADIUS Server is removed from the RADIUS List and the IDM Tree. 3-52

117 Using Identity Driven Manager Using Manual Configuration Adding New Users You can let the IDM Agent automatically learn about the users from the Active Directory or RADIUS server on which it is installed, or you can define user accounts in the IDM Client. You can also use the IDM User Import feature in the Tools menu. Adding users in IDM: Manual Process To add a new User in IDM: 1. Click the Users tab on the Access Policy Groups or Realms window, and then click the New User button to display the Define a new user window. Figure New User dialog 2. Enter the information for the User Username: The user s login name (required). Friendly Name: Friendly name for the user. Realm: Select the Realm the user "belongs" to, if different from the default realm. Access Policy Group: Select the Access Policy Group to which the user belongs. This sets the access profile that is applied when the user logs in to the network. The default is NONE. Description: Enter additional text describing the user if needed. 3-53

118 Using Identity Driven Manager Using Manual Configuration 3. If you want to restrict the user s access to specific systems, click the Systems tab to configure system permissions. Otherwise click OK to save the user and close the window. Configuring User Systems 4. To restrict the user s access to specific systems, click the Systems tab. Figure User Systems tab display You select from systems shown in the All Systems list, and click the >> button to move them to the Allowed Systems list. The user will be restricted to the selected systems. 5. To add a new user system click Add. to display the New User system dialog. Figure New User system dialog 6. Enter the MAC Address of the system (in any format) from which the user is allowed to login to the network, then click OK. The system information is displayed in the New User window. 3-54

119 Using Identity Driven Manager Using Manual Configuration If the user is allowed to login from more than one system, repeat the process for each system. 7. When the User s Systems are defined, click OK to save the new user information and close the window. The new user appears in the Users List. NOTE: Access Policy Group settings are not applied to the user until you deploy the new configuration to the IDM Agent on the RADIUS server. See Deploying Configurations to the Agent on page 3-49 for details. Modifying and Deleting Users To modify an existing User: 1. Select the User in the User List and click the Modify User icon in the toolbar. 2. The Modify User window (similar to the Define a new user window) displays. 3. Edit entries as needed for the User: Username: The user s login name (required). Friendly Name: Friendly name for the user. Realm: Select the Realm the user "belongs" to, if different from the default realm. Access Policy Group: Select the Access Policy Group to which the user belongs. This sets the access profile that is applied when the user logs in to the network. The default is NONE. Description: Enter additional text describing the user if needed. Add, Modify, or Delete User System information as needed. To edit User Systems information, select the System in the list, then click Modify to display the Systems window and change the MAC Address. To delete a User System, select the System in the list, then click Delete. The changes appear in the System s List for the user. 4. Click OK to save the new user information and close the window. NOTE: Changes in Access Policy Group settings are not applied to the user until you Deploy the new configuration to the IDM Agent on the RADIUS server. See Deploying Configurations to the Agent on page 3-49 for details. 3-55

120 Using Identity Driven Manager Using Manual Configuration Deleting a User 1. Select the User in the User List 2. Click the Delete User icon in the toolbar. 3. Click Yes in the Confirmation pop-up to complete the process. The user is removed from the User List. 3-56

121 Using Identity Driven Manager Using the User Import Wizard Using the User Import Wizard The IDM User Import Wizard lets you add users to IDM from another source, such as an Active directory or LDAP server. The IDM Import Wizard also synchronizes the IDM user database with the import source directory, and allows you to delete users from the IDM user database that are not found in the import source directory. IDM does this by copying the list of users from the directory to an XML file, comparing users in the XML file to users in the IDM user database, and listing the differences for you to add or remove the mismatched users in the IDM user database. Importing an existing company directory or user database has the following benefits: Easier initial setup, because all users in the company directory can be automatically added to the IDM directory. If the company directory contains group assignments, users can be automatically assigned to the appropriate policy group (based on membership in the company directory). When a user is removed from the company directory, they are automatically removed from the IDM user database. In addition, when a user's group membership is changed in the company directory, their network access policy group is automatically changed accordingly. Automating user import and synchronization leaves less room for error and reduces tedious work. The basic import procedure is listed below, though the specific windows you see will vary based on the import data source. 1. Select the Source Type (Active directory, LDAP server, or XML file) 2. Define the source parameters. a. for Active directory, select the Group Scope to import. b. for LDAP server, supply the server details, username, and password. c. for XML, supply the filename (including the directory path). This file must exist on the IDM Server system. 3. IDM extracts the user information from the data source, based on the defined parameters. 4. Select the Users, and groups (if applicable) to be added to IDM. 5. Select any Users to be removed from IDM. 6. Commit the changes to IDM. 3-57

122 Using Identity Driven Manager Using the User Import Wizard Importing Users from Active Directory Importing users from Active Directory with the IDM Import Wizard synchronizes IDM users with those in Active Directory, similar to enabling Active Directory synchronization. However, if you use the Wizard to import users, user changes in Active Directory are not monitored. And, you cannot select specific Active Directory groups, as with Active Directory synchronization. Therefore, we recommend using Active Directory synchronization instead of using the Import Wizard to import users from Active Directory. To import user information into IDM from an Active Directory: 1. Select IDM User Import option from the Tools drop-down list in the global toolbar. This launches the IDM User Import Wizard. Figure IDM User Import Wizard 2. Click Next to continue to the Data Source selection window. 3-58

123 Using Identity Driven Manager Using the User Import Wizard Figure IDM User Import Wizard, Data Source 3. Click the radio button to select the Active Directory data source. 4. Click Next to continue to the Group Scope window. Figure IDM User Import Wizard, Group Scope 3-59

124 Using Identity Driven Manager Using the User Import Wizard 5. Select the scope of Active Directory groups that you want to import user data from. Group All Global Universal Domain Local System Description Import users from all Active Directory groups Import users from the Global Active Directory group. This will also get user data from any custom defined group in your Active directory. Import users from the Universal Active Directory group Import users from the Domain Local Active Directory group Import users from the System Active Directory group 6. Click Next to continue to the Extracting User and Group information window. Figure IDM User Import Wizard, Extracting User and Group Information 7. When the display indicates the data extraction is done, click Next to continue to the Import Groups window. 3-60

125 Using Identity Driven Manager Using the User Import Wizard Figure IDM User Import Wizard, Import Groups 8. Click the Select checkbox to choose the groups you want to import from the Active Directory to IDM. If there is no checkbox, the group already exists in IDM and does not need to be selected. 9. Click Next to continue to the Add Users window. 3-61

126 Using Identity Driven Manager Using the User Import Wizard Figure IDM User Import Wizard, Add Users 10. Click the Select checkbox to choose the users you want to import from the Active Directory to IDM. The current Import data is compared to the existing user list in IDM. If no new (additional) users are found in the import data, the user list is empty. If any user exists in more than one Active Directory group, you will be prompted to select the group the user will belong to in IDM. Figure Group Selection dialog a. Select the group from the drop down list. 3-62

127 Using Identity Driven Manager Using the User Import Wizard If you have a large number of users that belong to multiple groups, click the checkbox to Assign all users to selected group. This will assign all the users to the selected group in a single step, and you will not need to repeat the group selection for each user. b. Click Next to continue. Repeat the process for each user. c. Click Finish to save the Group Selections and exit the pop-up. d. Click Back to change the previous selection. 11. Click Next to continue to the Remove Users window. The Import data is compared to the existing user list in IDM. Any users that exist in IDM, that are not found in the Import data, are listed. Select any users you want to delete from IDM. This window operates similarly to the Add Users window. 12. Click Next to continue to the Users and Groups Commitment window. Figure IDM User Import Wizard, Users and Groups Commitment 13. Click Go to save the selected group and user data (adds and deletes) to IDM. 14. When the commit data function is done, click Next to continue to the Import Complete window. 3-63

128 Using Identity Driven Manager Using the User Import Wizard Figure IDM User Import Wizard, Import Complete A summary of the IDM Import displays. 15. Click Finish to exit the wizard. Importing Users from an LDAP Server The IDM Import Wizard includes support for using Windows 2003 LDAP service to import users from an MS Active directory. You can also import user data from other LDAP V3 (version 3) servers, (e.g., Netscape LDAP server). To import user information into to IDM from an LDAP Server: 1. Select the IDM User Import option from the Tools drop-down list in the global toolbar to launch the IDM User Import Wizard. 2. Click Next to continue to the Data Source selection window. 3. Click the radio button to select the LDAP Server data source. 4. Click Next to continue to the LDAP Authentication window. 3-64

129 Using Identity Driven Manager Using the User Import Wizard Figure IDM User Import Wizard, LDAP Authentication a. To use the SSL authentication method, check the Use SSL checkbox. Note: To use SSL, ensure that your LDAP server supports SSL. The X509 certificate for your LDAP server must be installed in your Java trust store, and the PCM server must be restarted after installing the certificate. Contact your (LDAP) Administrator to get the certificate. The trust store is available under the installation directory of PCM. For example, if PCM is installed under Program files\hewlett-packard, type: C:> cd c:\program files\hewlett-packard\pnm\jre\ lib\security C:>..\..\bin\keytool import file <ldapcertfile> - alias myldapcert keystore cacerts keypass <certificate password> -trustcacerts storepass <keystore password> The default keystore password is changeit. 3-65

130 Using Identity Driven Manager Using the User Import Wizard b. Select the LDAP Authentication type to be used with the imported user data: Authentication Simple Digest-MD5 Kerberos-V5 External-TLS Anonymous Description Simple authentication, which is not very secure, sends the LDAP server the fully qualified DN of the client (user) and the client's clear-text password. In Digest MD5, the server generates a challenge and the client responds with a shared secret (password). Based on Internet standard security, Kerberos V5 authentication is used with either a password or a smart card for interactive logon. External authentication uses authentication services provided by lower level network services such as TLS. No authentication is required by LDAP server. c. Click Next to continue to the Authentication details window: The Authentication details will vary based on the Authentication type selected; however, all LDAP Authentication methods require the following information: Server The IP Address or DNS name (fully qualified domain name) of the LDAP server. The IP address can be used for Simple, Anonymous, and Kerberos-V5 authentication in non-ssl mode. Domain The domain name that will be used to create the Realm in IDM. Base DN The Base Distinguished Name. This is the node in the directory where the search for users will begin. For example, for the domain "hp.com" the Base DN entry would be: dc=hp,dc=com For Simple Authentication Simple authentication, which is not very secure, sends the LDAP server the fully qualified DN of the client (user) and the client's clear-text password. Values for these fields can be obtained from the LDAP server administrator. 3-66

131 Using Identity Driven Manager Using the User Import Wizard Figure IDM User Import Wizard, Simple Authentication To set up Simple authentication: 1. In the Server field, type the IP address or DNS name of the LDAP server 2. In the Domain field, type the domain name. (It will be used to create a realm in IDM.) 3. Optionally, in the Base DN field, type the Base Distinguished Name. IDM will search only for users and groups from this node of a directory tree. 4. In the User field, type the user's DN used to access the LDAP server. 5. In the Password field, type the password associated with the user. 6. Click Next to continue to the Extract Users and Groups window. Using Digest-MD5 Authentication The SASL Digest MD5 authentication window is used to define the LDAP data source for Digest-MD5. In Digest-MD5, the server generates a challenge and the client responds with a shared secret (password). Values for these fields can be obtained from the LDAP server administrator. 3-67

132 Using Identity Driven Manager Using the User Import Wizard Figure IDM User Import Wizard, SASL Digest MD5 Authentication To set up Digest MD5 authentication: 1. In the Server field, type the DNS name of the LDAP server. 2. In the Domain field, type the domain name. It is used to create a realm in IDM. 3. Optionally, in the Base DN field, type the Base Distinguished Name. IDM will search only for users and groups from this node of a directory tree. 4. In the User field, type the user DN used to access the LDAP server. 5. In the Password field, type the password associated with the user. 6. Click Next to continue to the Extract Users and Groups window. Using Kerberos-V5 Authentication The SASL Kerberos V5 authentication window is used to define the LDAP data source for Kerberos. Kerberos V5 authentication requires that your LDAP server is setup with a KDC (Key Distribution Center). Please contact your LDAP server administrator for details. 3-68

133 Using Identity Driven Manager Using the User Import Wizard Figure IDM User Import Wizard, SASL Kerberos V5 Authentication To set up Kerberos V5 authentication: 1. In the Server field, type the IP address or DNS name of the LDAP server. 2. In the Domain field, type the domain name. It will be used to create a realm in IDM. 3. Optionally, in the Base DN field, type the Base Distinguished Name. IDM will search only for users and groups from this node of a directory tree. 4. In the User field, type the user name used to access the LDAP server. 5. In the Password field, type the password associated with the user. 6. In the Config file field, type the complete path and filename of the configuration file that identifies the domain of the KDC. 7. Click Next to continue to the Extract Users and Groups window. Using External Authentication The SASL External authentication window is used to define the external LDAP data source. External authentication uses an X509 certificate for user authentication. The LDAP X509 User Certificate must be installed in a keystore on the IDM server, and the LDAP server s certificate must be stored in the trust store under your JRE installation on the IDM server. See page 3-70 for details on importing LDAP X509 User certificates for use with IDM. 3-69

134 Using Identity Driven Manager Using the User Import Wizard Figure IDM User Import Wizard, SASL External Authentication To set up External authentication: 1. In the Server field, type the DNS name of the LDAP server. 2. In the Domain field, type the domain name. It is used to create a realm in IDM. 3. Optionally, in the Base DN field, type the Base Distinguished Name. IDM will search only for users and groups from this node of a directory tree. 4. In the Keystore field, type the keystore file name. For JKS, the Keystore is the location on the IDM server where you installed the keystore. (for example: c:\idmuser\mykeystore) For PKCS12, enter the PKCS certificate in the Keystore field,. 5. In the Password field, type the password. For JKS, enter the password of the keystore on the IDM Server. For PKCS12, enter the PKCS12 key in the Password field 6. Select the Type: either jks, or pkcs Click Next to continue to the Extract Users and Groups window. Importing LDAP X509 User Certificates into a Keystore: 3-70

135 Using Identity Driven Manager Using the User Import Wizard If you are using a JKS Keystore, the X509 User Certificate must be installed in a keystore on the IDM server. You can get the X509 User Certificate from your LDAP Administrator. For example, if the X509 User Certificate is " myldapcert.cer" and the alias is "mycert", use the following command to import the certificate in a keystore in c:\idmuser\mykeystore on your IDM server: C:\idmuser> keytool -import -file myldapcert.cer -alias mycert -trustcacerts -keystore.\mykeystore If you are using a PKCS12 keystore, ask your LDAP Administrator to provide you PKCS12 certificate along with the key. Enter the PKCS certificate in the Keystore field, and enter the PKCS12 key in the Password field. Using Anonymous Authentication The LDAP Anonymous Authentication window is used to define the LDAP data source. Values for these fields can be obtained from the LDAP server administrator. Figure IDM User Import Wizard, Anonymous Authentication To set up an LDAP server with anonymous authentication: 1. In the Server field, type the IP address of the LDAP server. 2. In the Domain field, type the domain name. 3-71

136 Using Identity Driven Manager Using the User Import Wizard 3. Optionally, in the Base DN field, type the Distinguished Name. IDM will search only for users and groups from this node of a directory tree. 4. Click Next to continue to the Extract Users and Groups window. The remainder of the process for importing users from LDAP Servers is the same as described for importing users from Active Directories. Select the Groups and Users to Import to IDM. Select Users to remove from IDM (if applicable) Commit the selected groups and users (adds and deletes) to IDM. Editing IDM Configuration for LDAP Import The IDM server includes several configuration files that contain information used to import User information from LDAP files. The default configuration settings will work if you are using MS Active Directory as the LDAP Server directory. If you are using any other LDAP directory source (for example Novell Edirectory) you will need to modify the LDAP Directory settings in: ~Program Files\Hewlett-Packard\PNM\server\config\IDMImportServerComp.scp Following is an example of the DMImportServerComp.scp file for reference. Comments are indicated by "//". LDAP_SERVER_CONFIG { PORT=389 //Port where LDAP server receives bind request. SSL_PORT=636 // Port where LDAP server receives SSL bind requests. BATCH_SIZE=50 // Internal to IDM. COUNT_LIMIT=0 // Internal to IDM. SASL_CONFIGURATION { // This section is for SSL configuration: Digest MD5, Kerberos V5 and External. QOP=auth-conf,auth-int,auth // Quality of protection. Valid values are 1 and more of "auth-conf", authint", "auth" separated by ",". ENCRYPTION_STRENGTH=high,medium,low // Strength of encryption. Valid values are 1 and more of "high", "medium", "low" separated by ",". MUTUAL_AUTHENTICATION=true // If both LDAP server and IDM server wants to authenticate each other. } KERBEROS_JAAS_CONFIG { // This section is for Kerberos authentication method. KERBEROS_AUTH_MODULE=IDMKerberos 3-72

137 Using Identity Driven Manager Using the User Import Wizard } // Kerberos authentication module name. If this entry is changed, you must also change the module name in idm_kerberos_jass.conf file. KERBEROS_JAAS_CONFIG_FILE=config/ idm_kerberos_jaas.conf // configuration file for JAAS Kerberos configuration. } (Example continued on next page) 3-73

138 Using Identity Driven Manager Using the User Import Wizard LDAP_DIRECTORY_CONFIG { // Configuration for LDAP directory. Following values are for Active Directory. Change as needed per object class and attributes in LDAP directory being used. USER { // User object OBJECT_CLASS=User // User object class LOGON_NAME=sAMAccountName // Login name attribute. COMMON_NAME=cn // Common Name attribute DESCRIPTION=description // User description attribute DISPLAY_NAME=displayName // User display name attribute } GROUP { // Group object OBJECT_CLASS=Group // Object class for Group COMMON_NAME=cn // common name attribute DESCRIPTION=description // Group Description attribute MEMBER=member // Group member attribute USER_MEMBER_ATTRIBUTE=cn // User attribute used to link member users from Group objects. } } You would modify the LDAP_Server_Config section only if your LDAP server is using other than the standard port (389). Similarly, if you select any of SASL or Kerberos authentication methods, edit the related sections of the config file as needed to match custom configurations. 3-74

139 Using Identity Driven Manager Using the User Import Wizard Importing Users from XML files If you select to import users from an XML File, the XML Data Source window displays. NOTE: The XML file containing user data must reside on the IDM server to use this option and contain information similar to the data shown in the XML User Import File Example on page Figure IDM User Import Wizard, XML Data Source To identify the XML file: 1. In the File name field, type the complete path and name of the XML file. 2. Click Next to continue to the Extract Users and Groups window. The remainder of the process for importing users from LDAP Servers is the same as described for importing users from Active Directories. a. Select the Groups and Users to Import to IDM. b. Select Users to remove from IDM (if applicable) c. Commit the selected groups and users (adds and deletes) to IDM. 3-75

140 Using Identity Driven Manager Using the User Import Wizard XML User Import File Example XML files used to import user data to IDM should have the following format. <?xml version='1.0' encoding='iso '?> <DirData> <Domain name="domain name"> <User name="username" description="user description" displayname="user display name" /> <Group name="group name" description="group description"> <Member name="username"/> </Group> <Group name="other group" description="other group description"> </Group> </Domain> </DirData> The description and displayname for the User element and the description for the Group element are optional. Some Group elements may not have Member elements, for example the "other group" in the above example. 3-76

141 4 Using the Secure Access Wizard Chapter Contents Overview Supported Devices Using Secure Access Wizard

142 Using the Secure Access Wizard Overview Overview The Secure Access Wizard (SAW) feature in IDM is designed to simplify the initial setup of IDM by reducing the complexity of securing the network edge. SAW facilitates the process of securing the network edge by targeting a group of devices and using a highly intuitive GUI to configure network access rather than configuring each device via CLI. Some major features of SAW include: Setting the RADIUS server IP address and shared secret for a group of devices. Setting the authentication methods for a group of devices. Configuring the authentication methods. Once you have decided to deploy IDM, you now need to secure the network edge by enforcing 802.1X, Web-Auth, MAC-Auth, or any combination of the three (if supported). There are several steps involved when a securing an edge device, in no particular order they are: All supplicant ports need to be configured with 802.1X, Web-Auth or MAC-Auth (preferably 802.1X for a more secure environment). If 802.1X is chosen, the next step is choosing the authentication protocol, EAP or CHAP. Enabling session accounting so that IDM correctly detects user login and log out. Optionally setting the interim update period. Optionally setting the re-authentication time-out. Adding the RADIUS server and the shared secret (key). Activating the port authenticator. These steps need to be executed on all edge devices and will vary between wired and wireless devices. Supported Devices The Secure Access Wizard feature is on ProCurve devices that support use of 802.1X, Web-Auth, and MAC-Auth access control methods. For a complete list of what features are supported on each device, refer to the tables in Appendix A under Device Support for IDM Functionality. 4-2

143 Using the Secure Access Wizard Using Secure Access Wizard Using Secure Access Wizard NOTE: The following section provides instructions on using the Secure Access Wizard to configure access security settings on ProCurve devices that support port-based user authentication using 802.1X, Web-Auth, or MAC-Auth. For a more complete description of implementation of these user authentication features, please refer to the Access and Security Guide for the switch. Switch guides are available on the Web at: 1. To launch the Secure Access Wizard, select the option from the Tools menu on the global (PCM/IDM) toolbar. This launches the Secure Access Wizard "Welcome" Figure 4-1. Secure Access Wizard, Welcome display When you first open the wizard, the Load Settings and Load template buttons are disabled. Once you have created and saved an access control configuration, these buttons will be enabled. You can also launch the wizard by selecting a device in the PCM Devices list and clicking the Secure Access Wizard button in the tab toolbar, or Right-click on a device node in the PCM navigation tree and select the Secure Access Wizard option in the right-click menu. 4-3

144 Using the Secure Access Wizard Using Secure Access Wizard 2. Click Next to continue to the Device Selection window. Note:. If you do not have a licensed copy of the ProCurve Mobility Manager software and there are wireless devices discovered by PCM, the Excluded Devices window displays, with the list of devices, model, and installed switch software version. Use the Device Capabilities link to determine if you can upgrade the device software to a version that will support the secure access settings. Figure 4-2. Secure Access Wizard, Device Selection example 3. The Available Devices list is populated with all discovered ProCurve devices that support use of 801.X Authentication. You can filter the list to display devices for one device group (model) by selecting the device group from the pull-down menu. Select a device (or devices) in the Available devices list, then click >> to move it to the Selected Devices list. Tip: To begin, ProCurve recommends that you select only one or two devices, and then save the security access settings as a template that can be applied for other devices of the same type. 4-4

145 Using the Secure Access Wizard Using Secure Access Wizard 4. Click Next to continue to the next window. 5. If you selected one or more AP530 wireless devices, the 530 Group Configuration Check Step window appears and displays information about each selected AP530 that supports the group configuration feature. One AP530 will be selected as the Master device and will be the only AP530 configured. (The group configuration feature propagates the new settings from the Master device to the other AP530s, including those with group configuration disabled.) Ensure the correct device is selected as the Master device and click Next. Or, to select another device as the Master device, check the Master device checkbox next to the desired device. Figure 4-3. Secure Access Wizard, 530 Group Configuration example 6. Click Next to continue to the Authentication Method Selection window. The Authentication Method Selection window lists the selected devices, and the authentication methods that can be used on each device. It lists the device name, model and software version installed. The device listing can be sorted according to device model, name, software version, or authentication method. Authentication method support varies from device to device and between firmware versions. For example, some devices support two authentication methods per port while some devices only support one. For devices 4-5

146 Using the Secure Access Wizard Using Secure Access Wizard that support two authentication methods per port, the options are 801.X and Web-Auth or MAC-Auth, thus the Web-Auth and MAC-Auth columns are mutually exclusive for each row. Additionally, devices that do not support Web-Auth or MAC-Auth will have those cells disabled and displaying "Not supported". Figure 4-4. Secure Access Wizard, Authentication Method Selection example 7. Click the check box to select the authentication method (802.1X, Web- Auth, or MAC-Auth) to be used for user (client) access to the device. Click the Select All option at the top of the column to apply the same authentication method to all devices that support it. The button works as a toggle between the Select all and Unselect all options when clicked Some devices support simultaneous use of two authentication methods on a single port. The wizard will allow you to select only the combination of authentication methods allowed on the device type. 8. Click Next to continue to the Port Selection window. The Port Selection window lists the devices for which you need to specify the ports where the access authentication will be applied. You can type each port number or click Select Ports to select them from a list. 4-6

147 Using the Secure Access Wizard Using Secure Access Wizard Figure 4-5. Secure Access Wizard, Port Selection example 9. To select ports from a list, click the Select Ports button and then click the Select all button to select all ports or check the Selected checkbox for each port to which the secure access settings will apply. Double-clicking a row selects or unselects the port. Figure 4-6. Secure Access Wizard, Select Ports 4-7

148 Using the Secure Access Wizard Using Secure Access Wizard When the desired ports are selected, click OK to validate and save your selections. 10. To manually enter port numbers, in the Port to secure field, type the ports to which the secure access settings will apply. Enter any combination of single port numbers and port ranges separated by commas. For example, type A1,A3-A5,A7 to apply the access settings on ports A1, A3, A4, A5, and A7. The port entries are validated, and if any entry is invalid a text message indicating the error appears below the data entry fields for the device. The Ports that will not be secured field contains a read-only list of the ports excluded from the secure access settings. These typically include interswitch ports, ports with an authentication method already configured, and ports connected to devices (such as printers) that do not support network access. You can click the Reset to clear all data, and auto-populate the Ports to secure:" field with ports on the device that can be secured. Ports that are excluded will appear in the "Ports that will not be secured" field. Repeat the process for each device listed in the window. For a long list of devices, a scroll bar lets you move down the list as needed. 11. Click Next to continue. The next window display will vary based on the devices and authentication methods selected. If you selected a wireless device, the WLAN selection window displays, as described in step 9. If you selected only wired devices, the authentication configuration window displays. For 802.1X, go to step 12. For Web-Auth, go to step 13. For MAC-Auth, go to step The WLAN selection window displays the list of Wireless devices you selected. Click a device to expand the list to show the WLANs (SSIDs) configured on the device. 4-8

149 Using the Secure Access Wizard Using Secure Access Wizard Figure 4-7. Secure Access Wizard, WLAN Selection example 13. Click the check box for each SSID (WLAN) to which the secure access settings will be applied. (A check mark indicates the SSID is selected) Click the check box for the device to apply secure access settings to all SSIDs on the device. 14. Click Next to continue to the authentication configuration window: For 802.1X, go to step 12 (below). For Web-Auth, go to step 13. For MAC-Auth, go to step The 802.1X configuration window lets you select the authentication method to be applied in the secure access settings for the selected devices. 4-9

150 Using the Secure Access Wizard Using Secure Access Wizard Figure 4-8. Secure Access Wizard, 802.1X Configuration display The configuration options displayed will vary based on the selected device set: wired, wireless, or both. a. Click the radio buttons to select the authentication method for the selected device types. Only one method can be applied. For Wired devices the 802.1X authentication options are: Use EAP-capable RADIUS Use CHAP (MD5)-capable RADIUS For Wireless devices the 802.1X authentication options are: WPA - TKIP WPA2 - TKIP WPA2 - CCMP (AES) WPA2 - Mixed mode AES-TKIP You can refer to the "Using ProCurve Mobility Manager" chapter in the ProCurve Manager v2.3 Network Administrator s Guide for a more complete description of the wireless (WLAN) security settings. b. Click the Advanced Settings for Wired 802.1X to configure the advanced settings. 4-10

151 Using the Secure Access Wizard Using Secure Access Wizard Figure 4-9. Secure Access Wizard, Advanced Settings for Wired 802.1X c. Click the check box to select the setting to configure, then enter the parameter to be applied. When a parameter is configured, the Reset to default values option is enabled. Click the link to restore the advanced settings for wired 802.1X defaults. Advanced 802.1X settings for wired devices include: TX period - The period of time the switch waits until retransmission of EAPOL PDU (default 30 sec.). Valid values are Logoff period - The period of time (seconds) after which a client will be considered removed from the port for a lack of activity. Disabled by default, valid values are , 0 is disabled Supplicant timeout - The authentication server response timeout (default 30 sec). Valid values are Server timeout - The authentication server response timeout (default 30 sec). Valid values are Max requests - The maximum number of times the switch retransmits authentication requests. Valid values are 1-10, the default value is

152 Using the Secure Access Wizard Using Secure Access Wizard Re-auth period - The re-authentication timeout (in seconds, default 0), set to 0 to disable re-authentication. Valid values are Client limit - The maximum number of clients to allow on one port simultaneously, default is 1 Quiet period - The period of time the switch does not try to acquire a supplicant. Valid values are , the default value is 60 sec. Unauth-vid - The VLAN to which the port is assigned when the user has not been authorized by 802.1x authentication. Valid values are any defined VLAN, the default value is VLAN 1. Auth-vid - The VLAN to which the port is assigned when the user has been authorized by 802.1x authentication. Valid values are any defined VLAN, the default value is VLAN 1. If a device does not support the selected setting, the value you set will appear in the SAW display, but will not be configured on that device. d. Click OK to save the advanced settings and close the window. e. Click Next in the configuration window to continue to the Authentication Servers step. 16. The Web-Auth Configuration window lets you select the RADIUS authentication method to be applied in the secure access settings for Wireless Services Modules (2.x or higher). Figure Secure Access Wizard, Web-Auth Configuration 4-12

153 Using the Secure Access Wizard Using Secure Access Wizard a. Click the radio button to select the RADIUS authentication protocol. Only one method can be applied, either: Use PAP-capable RADIUS server for Web-Auth Use CHAP-capable RADIUS server for Web-Auth b. Click the Advanced Settings for Wired Web-Auth to configure the advanced settings for Web-Auth on wired devices. (see figure 4-11 on the next page) c. Click the check box to select the setting to configure, then enter the parameter to be applied. When a parameter is configured, the Reset to default values option is enabled. Click the link to restore the advanced settings for wired Web- Auth defaults. Figure Secure Access Wizard, Advanced Wired Web-Auth Advanced Web-Auth settings for wired devices include: 4-13

154 Using the Secure Access Wizard Using Secure Access Wizard DHCP address and mask - The base address and mask for the temporary pool used by DHCP (base DHCP address default is , and the mask default is ). Redirect URL - The URL that the user should be redirected to after successful login. The default is no redirect (blank field). DHCP lease - The lease length (days) of the IP address issued by DHCP (default 10). Valid values are Client limit - The maximum number of clients to allow on one port simultaneously, default is 1 Re-auth period - The re-authentication timeout (in seconds, default 0), set to 0 to disable re-authentication. Valid values are Logoff period - The period of time (seconds) after which a client will be considered removed from the port for a lack of activity. Disabled by default, valid values are , 0 is disabled Quiet period - The period of time the switch does not try to acquire a supplicant. Valid values are , the default value is 60 sec. Max retries - Set number of times a client can enter their credentials before authentication is considered to have failed (default 3). Valid values are Server timeout - The authentication server response timeout (default 30 sec). Valid values are Max requests - The maximum number of times the switch retransmits authentication requests. Valid values are 1-10, the default value is 2. Unauth-vid - The VLAN to which the port is assigned when the user has not been authorized by web authentication. Valid values are any defined VLAN, the default value is VLAN 1. Auth-vid - The VLAN to which the port is assigned when the user has been authorized by web authentication. Valid values are any defined VLAN, the default value is VLAN 1. SSL login - Set whether to allow SSL login (https on port 443). This is disabled (No) by default. Allow client moves - Set whether to allow client moves between ports. The default is disabled (No). If a device does not support the selected setting, the value you set will appear in the SAW display, but will not be configured on that device. d. Click OK to save the advanced settings and close the window. 4-14

155 Using the Secure Access Wizard Using Secure Access Wizard e. Click Next in the configuration window to continue to the Authentication Servers step. 17. The MAC-Auth Configuration window lets you select the MAC Address format to be applied for RADIUS requests in the secure access settings for the selected devices. Figure Secure Access Wizard, MAC-Auth Configuration display a. Click the radio button to select the MAC address format. b. Click the Advanced Settings for Wired MAC-Auth to configure the advanced settings for MAC-Auth on wired devices. 4-15

156 Using the Secure Access Wizard Using Secure Access Wizard Figure Secure Access Wizard, Advanced (wired) Mac-Auth settings c. Click the check box to select the setting to configure, then enter the parameter to be applied. When a parameter is configured, the Reset to default values option is enabled. Click the link to restore the advanced settings for wired MAC-Auth defaults. Advanced MAC-Auth settings for wired devices include: Address limit - The port's maximum number of authenticated MAC addresses, default is 1. Re-auth period - The re-authentication timeout (in seconds, default 0), set to 0 to disable re-authentication. Valid values are Logoff period - The period of time (seconds) after which a client will be considered removed from the port for a lack of activity. Disabled by default, valid values are , 0 is disabled Quiet period - The period of time the switch does not try to acquire a supplicant. Valid values are , the default value is 60 sec. Max requests - The maximum number of times the switch retransmits authentication requests. Valid values are 1-10, the default value is 2. Server timeout - The authentication server response timeout (default 30 sec). Valid values are Allow address moves - Set whether MAC can move between ports. The default is disabled (No). 4-16

157 Using the Secure Access Wizard Using Secure Access Wizard Unauth-vid - The VLAN to which the port is assigned when the user has not been authorized by MAC authentication. Valid values are any defined VLAN, the default value is VLAN 1. Auth-vid - The VLAN to which the port is assigned when the user has been authorized by MAC authentication. Valid values are any defined VLAN, the default value is VLAN 1. If a device does not support the selected setting, the value you set will appear in the SAW display, but will not be configured on that device. d. Click OK to save the advanced settings and close the window. e. Click Next in the configuration window to continue to the Authentication Servers step. 18. The next step for configuring Secure Access Settings is to define the Authentication Servers that will be used. Figure Secure Access Wizard, RADIUS Servers configuration The Authentication Servers step lets you enter the IP addresses of the RADIUS servers to be used for authentication. Most ProCurve devices support three RADIUS server, but some, such as the wireless products, supports only two. a. Click the check box for a RADIUS server to enable the server IP address field, and then enter the IP address for the server. The IP address will be validated. If it is invalid or a duplicated IP, a text message indicating the error is displayed. You cannot continue until a valid IP address is entered. 4-17

158 Using the Secure Access Wizard Using Secure Access Wizard Note: If you had previously configured other RADIUS servers for authentication with the device, that information will be over-written by the Secure Access Wizard. The SAW will attempt to remove enough currently configured RADIUS servers to make room for the ones configured in the SAW. So, if you already have three RADIUS servers configured on a device, and then the you configure two new RADIUS servers via the SAW, when the settings are applied the SAW will remove the first two servers from the device configuration. 19. Click Next to continue to the RADIUS Server Shared Secret window. Figure Secure Access Wizard, RADIUS Shared secret display 20. If you want to use the same RADIUS shared secret (password) for all the selected devices, click the Use for all devices check box. Enter the RADIUS shared secret to be used for access authentication. Re-enter the shared secret in the Confirm shared secret field. 4-18

159 Using the Secure Access Wizard Using Secure Access Wizard If not using the same shared secret on all the devices, enter the Radius shared secret for each device in the list. Use the scroll bar as needed to move down the list. You will not be able to continue until the RADIUS shared secret is set for each device in the list. 21. When you have entered the RADIUS shared secret, click Next to validate your entries and continue to the Save Settings (selection) window. Figure Secure Access Wizard, Save Settings selection 22. Click the link to Save settings..., or Save as template..., and launch the Save Settings dialog to provide a name for the saved settings file. The data fields are the same for both the Save Settings, and Save Template dialog. 4-19

160 Using the Secure Access Wizard Using Secure Access Wizard Figure Secure Access Wizard, Save Settings dialog 23. Type in a Name to apply to the secure access settings file, and (optionally) a description. You can use the same name for a "save template" and a "save settings" file, but no two "saved templates", or "saved settings" files can have the same name. 24. Click the check box to select the Include RADIUS shared secrets if you want shared secrets you specified included in the saved settings file. This option is not available if no RADIUS server IP address was entered in the access settings. Note: The include shared secrets option is only applicable for settings. Also, these settings are saved to PCM's database, and not saved to a separate file. 25. Click OK to save the file name and close the dialog, and return to the Save Settings window. When the security settings are saved, the next time the user launches the Secure Access Wizard, the buttons in the Welcome dialog (figure 4-1 on page 4-3) will be enabled. Clicking the buttons will launch the Save Settings dialog with the list of saved configurations. You can then select the saved access security settings for editing or to be deleted. 26. Click Next in the Save Settings window to continue to the Configuration Preview. 4-20

161 Using the Secure Access Wizard Using Secure Access Wizard Figure Secure Access Wizard, Configuration Preview display 27. Review the access security configuration settings, using the scroll bar as needed to move through the information. 28. If the configurations are correct, click Next to apply the settings to the devices. If you need to change something in the configuration, use the Back button(s) to return to the step where edits will be made, or click Cancel to exit the wizard without saving the secure access settings. 29. After you click Next in the Configuration Preview screen, The Applying Security Settings window displays. 4-21

162 Using the Secure Access Wizard Using Secure Access Wizard Figure Secure Access Wizard, Applying Settings status This window displays the progress of applying the security settings to the selected devices, and will indicate if any errors occur during the process. Click the View Log button to display process status messages and errors. Click Abort to halt application of the security settings before the process is started on the next device in the list. Once started the process will be completed for the current device, regardless of the Abort request. 4-22

163 5 Troubleshooting IDM Chapter Contents IDM Events Pausing the Events Display Using Event Filters Viewing the Events Archive Setting IDM Event Preferences Using Activity Logs Using Decision Manager Tracing Miscellaneous

164 Troubleshooting IDM IDM Events IDM Events The IDM Events window is used to view and manage IDM events generated by the IDM application or the IDM Agent installed on a RADIUS server. This window helps you quickly identify IDM-related problems in your network. To view the IDM events, click the Events tab in the IDM Home display. Figure 5-1. IDM Events tab display The IDM Events tab works similarly to the PCM Events tab. It lists the IDM events currently contained in the database. The default listing event is categorized by the level of severity. 5-2

165 Troubleshooting IDM IDM Events Sortable columns of information are available for each event: Column Heading Source Severity Status Date Description Description This column contains the name or IP address of the component or device that generated the event. The Severity column shows the severity of each event. Events are categorized into five levels of severity. The Status column identifies whether the event has been acknowledged. A check mark in the blue square indicates that the event has been acknowledged. NOTE: The Status column shows only unacknowledged events if events are deleted automatically after being acknowledged. See IDM Event Settings for additional information. The Date column lists the date and time when the event occurred, given in MM/DD/YY/HH:MM format. The Description column provides a short description of the event. The description is derived from a list of predefined descriptions based on the event type. You can sort the Events listing by Source, Severity, Status or Date. Click the desired column heading to sort in descending order. Click the column heading again to sort in ascending order. A down pointer in the column heading indicates descending order, and an up pointer indicates ascending order. The Event Log is trimmed at the level specified in the IDM Preferences window; by default there will be 1000 events in the event log. Select an event in the Events listing to display the Event Details at the bottom of the window. Figure 5-2. IDM Event Details 5-3

166 Troubleshooting IDM IDM Events The details provide additional event description information. The details will vary based on the type of event. Use the scroll bar or drag the top border of the Event Details section to review the entire event description. Acknowledging an event indicates that you are aware of the event but it has not been resolved. Depending on the IDM event settings, the event is then removed from the event list or the status of the event is updated in the Events window. To acknowledge an event: 1. Click the Events tab on the IDM Dashboard window to navigate to the IDM Events window. 2. Select the events to be acknowledged. 3. Click the Acknowledge Event icon in the toolbar. To delete an IDM event: 1. Click the Events tab on the IDM Dashboard window to display the IDM Events window. 2. Select the event(s) to be deleted. 3. Click the Delete Event icon in the toolbar. Deleting an event removes the event from the Events list and reduces the Event count in the IDM Dashboard window. Pausing the Events Display The events table entries continuously scroll to display the events just received. You can Pause the display if needed to review event text. Simply click the "Pause" button in the events toolbar; The Pause will toggle to the "Resume" icon. Click the resume button to restart the events display. The button will toggle back to the Pause icon. Using Event Filters The events shown in the Events tab view can be filtered to show only specific events based on the device that generated the event, severity, dates and times of occurrence, or description. Use the "Filters" section at the top of the Events tab to create the filter. You can use any single parameter, or a combination of parameters. 5-4

167 Troubleshooting IDM IDM Events Figure 5-3. Events Filter display To filter by Source, type in the Source type or name that you want to include. Events from all other sources will be excluded. To filter by Description, type in the description text you want to include. Events that do not have the text in the description will be excluded. To filter by date and time, use the From: and To: fields to enter the starting date and time (From), and ending date and time (To), that you want to include. Click to select the Enable date filter option. All events that occur before or after the date and time set in the date filter will be excluded from the event list. You can type in a date and time, or use the calendar button to select the date, then highlight the time and use the buttons to increase or decrease hours and minutes. To filter by event severity, use the sliding scale to select the events to be included. As you move the slide from left to right, event types to the left of the slider are excluded from the display. Click the checkbox to select the Acknowledged events filter option. Events that are not acknowledged will be excluded from the display. To save a defined filter: 1. Set the filter parameters. 2. Click the Save filter... button. 3. In the filter name pop-up, type in a name for the filter. 4. The filter settings are saved under the filter name, which appears in the Saved filters drop-down menu. Once you save the filter definition, you can apply it at any time by selecting it from the Saved Filter drop down list. Note that event filters configured in PCM 2.1 are not migrated to PCM 2.2 Click on Clear filter settings link to restore the default event list display. You can hide the Event Filters section by clicking the Hide Filters button in the toolbar. This button works as a toggle, click it again to display the filters. 5-5

168 Troubleshooting IDM IDM Events Viewing the Events Archive The Archived Events window lists details for each event in the Archive Log, which contains events that have been deleted. The events displayed can be filtered by the date the event was generated. The Archived Events window also lets you generate an Archived Events Report that can be saved to disk or printed. Archiving of IDM events can be disabled on the IDM Event Preferences window. Therefore, the Archived IDM Events window and report may not contain any events. Click the Event Archive icon in the Events toolbar to display the Archived Events window. Figure 5-4. IDM Event Archive display 5-6

169 Troubleshooting IDM IDM Events The Archived Events window provides the following information for each event: Column Source Severity Date Received Description Description System, or IP address of the device that originated the event Severity level of the event: Informational, Warning, Minor, Major, Critical (listed in order of severity from lowest to highest) Time and date the event was received Descriptive information contained in the event You can select the date range for displayed events by clicking the Date dropdown arrow and selecting the desired date range from the drop-down list. A new date range begins when PCM is restarted. To further filter archived events, in the Filter field type the text of the filter you want to use. The display will list only events containing the filter text in any of the data fields. To generate a report from the Event Archive: To generate a report that can be printed or saved to disk, click Generate Report. This will create and display a report with the data from the Archive Event view. To display the next page, click the > button in the bottom left corner. Or, to display the previous page, click the < button. To print the report, click the print button and complete the standard Windows print screen. To save the report to an.htm or.html file, click the save (disk) button, and complete the standard Windows save screen. Be sure to include the.htm or.html file extension in the filename. By default the saved file location is Program Files/Hewlett-Packard/PNM/client. To close the window, click the Windows X button in the upper right corner. 5-7

170 Troubleshooting IDM IDM Events Setting IDM Event Preferences Use the IDM Event Preferences to set up archiving and automatic deletion of events from the IDM Events tab and RADIUS Server Activity Logs. To configure preference settings for IDM events: 1. Select the Identity Management, Events option in the Global Preferences window (Tools >Preferences >Identity Management >Events) to display the IDM Events Settings window. Figure 5-5. Preferences, IDM Events 2. Use the up or down arrow in the Max number of events field to increase or decrease the size of the events database that will be displayed. When the maximum number of events is exceeded, the oldest event is deleted to make room for the new event. The minimum number is 100, and the maximum number is 10, To automatically remove acknowledged events from the Events table, click the Automatically delete acknowledged events box. 4. Click to select or deselect the Archive IDM events option. 5-8

171 Troubleshooting IDM IDM Events 5. Use the Severity Percentages to set the events types you want to maintain in the database. These percentages are based on the overall size set in the Max number of events field, and must equal 100 percent. For example, Figure 5-6. Setting Event Preferences: Severity Percentages In the example in figure 5-6, if the Max number of events is set to 1000, and that number is exceeded, 600 Informational events will be maintained. If there are more than 600, the oldest events will be archived to make space for new Warning events. 100 Warning events will be maintained. If there are more than 100, the oldest warning events will be archived to make space for new Warning events. 100 Minor events will be maintained, and so on. If you want to make sure you maintain all of the Critical and Major events, you can set the total of the two types to 100 (say 60 and 40 respectively), and set the other severity types to 0 percent. If the maximum of 1000 is exceeded, the first event types to get archived will be Informational, then Warning, then Minor, and so on as needed to maintain up to 600 Critical and 400 Major events in the event display. 6. Click Ok to save the IDM Event Settings and close the window. IDM s event archive is /server/logs/idmeventmgrserver-serverarchivedevents.log In a default installation the directory is /Program Files/Hewlett-Packard/PNM. 5-9

172 Troubleshooting IDM IDM Events Using Activity Logs IDM also provides an Activity Log you can use to monitor events for specific RADIUS servers. To view the Activity Log for a RADIUS Server, 1. Expand the IDM tree to display the RADIUS Server node. 2. Select the RADIUS server, then click the Activity Log tab. Figure 5-7. RADIUS Server Activity Log The Activity Log provides information similar to the IDM Events, except that the entries are specific to the selected server. See IDM Events on page 5-2 for additional information. You can acknowledge and delete events, but you cannot "filter" entries in the Activity Log. 5-10

173 Troubleshooting IDM Using Decision Manager Tracing Using Decision Manager Tracing IDM provides a tracing tool (DMConfig.prp) and log file (DM-IDMDM.log) to assist with troubleshooting IDM problems that may occur. These files are included on the IDM Agent when it is installed on the RADIUS server. Note that the Decision Manager (DM) is an internal component of the IDM Agent. The default configuration has the tracing options turned off because of the performance degradation when tracing is used. To turn on tracing, edit the DMConfig.prp file on the RADIUS server. The default directory location is \Program Files\Hewlett-Packard\PNM\agent\logs. Available logging options in DMConfig.prp are: Log_dm_cache = true/false: True will log IDM configuration deployment events, including the configuration file data content. The default setting is false, IDM configuration deployment logging is turned off. Log_radius_requests = true/false: True will log RADIUS requests and the IDM agent response to RADIUS. If the request is accepted then it also logs the access policy group, policy rule and access profile that is sent to RADIUS. The default setting is false, RADIUS requests are not logged. Log_radius_acc_events = true/false: True will log session accounting events, such as session start and stop. The default setting is false, session events are not logged. When logging is turned on, data is sent to the DM-IDMDM.log file. The default directory location is \Program Files\Hewlett-Packard\PNM\agent\logs. Use this file for tracing purposes, to capture the following information: What RADIUS requests are received and the IDM agent response to the request, including the time (in milliseconds) it took the IDM agent to serve the RADIUS request. A list of accounting events (like session start/stop) being sent by RADIUS to the IDM agent, and whether or not the IDM agent could post them properly to the IDM server. Configuration deployments to the IDM Agent, along with the actual configuration image. 5-11

174 Troubleshooting IDM Using Decision Manager Tracing Miscellaneous For authenticating a MAC-Auth user using Funk Steel Belted RADIUS (SBR) with IDM, the password should be specified in lower-case (in the SBR User directory). If upper-case characters are used in the password, you may get the following error: "MAC-Auth user gets rejected because of incorrect password". The MAC-Auth user will be rejected by SBR and eventually by IDM2.0. You can use the validate tool on SBR to verify if the MAC-Auth user password is in lower-case. If it is not, enter the MAC-Auth user password (MAC Address itself), in lower case. 5-12

175 A Using ProCurve Network Access Controller with IDM About ProCurve Network Access Controller 800 The ProCurve Network Access Controller 800 (ProCurve NAC) provides a comprehensive access control solution. Used in conjunction with ProCurve Manager Plus and Identity Driven Manager applications, the ProCurve NAC serves to: Protect the network and resources from unauthorized or harmful users and/or systems. Provide adaptive and appropriate network access based on roles Enforce policies regarding required and prohibited software The ProCurve NAC appliance comes pre-loaded with FreeRADIUS server software, IDM Agent software, and Endpoint Integrity testing software, designed to provide more security for your network with less complexity. The ProNAC appliance can be deployed as a complete access control solution, or you can use it to provide the RADIUS server for use with IDM for user authentication. The ProNAC software includes a graphical user interface (GUI) you can access from within the PCM+ or IDM Windows displays. This interface can be used to configure parameters on the ProNAC appliance, including RADIUS, and full backup and restore. It also provides the interface to utilize the endpoint integrity testing available with licensed versions of the ProNAC software. A five-user license is provided with the ProNAC appliance that allows you to access the GUI for basic configuration tasks. In order to apply the endpoint integrity solution to clients on your network, you will need to purchase additional ProNAC software licenses from your authorized HP ProCurve representative, or direct from ProCurve. Additional information is available on the Web at A-1

176 Using ProCurve Network Access Controller with IDM About ProCurve Network Access Controller 800 Before You Begin For information on installing the ProCurve NAC appliance, please refer to the ProCurve Network Access Controller 800 Hardware Install Guide, and/or the information provided with your "ProCurve Network Access Controller Endpoint Integrity Implementation Startup Service" Use of the ProCurve NAC requires that you already have a licensed version of PCM+ 2.2 and IDM 2.2 installed. The following section describes the support provided in PCM+ and IDM for basic management and configuration functions on the ProCurve NAC. For additional details on using the ProNAC endpoint integrity solution, please refer to the online help in the ProNAC GUI, or the ProCurve Network Access Controller 800 User s Guide, available on the Web at : manuals. A-2

177 Using ProCurve Network Access Controller with IDM Using the NAC Tab Displays Using the NAC Tab Displays Once the ProCurve NAC appliance is installed on the network, PCM discovery will find the appliance and create a node in the PCM navigation tree. A folder for the ProCurve Network Access Controllers is also created in the IDM tree, under the Realms folder at the same level as a RADIUS server, with nodes for each NAC (master server) device. Clicking on a device node in the ProCurve Network Access Controller group in the PCM display will launch the Device tabs display, with the addition of the NAC Home tab. Clicking on a device node in the ProCurve Network Access Controller group in the IDM display will launch the same tabs as the RADIUS Servers display: a Properties tab and Activity (event log) tab, with the addition of the NAC Home, NAC Monitor, and NAC Activity tabs. Figure A-1. Example of ProNAC device in IDM A-3

178 Using ProCurve Network Access Controller with IDM Using the NAC Tab Displays Setting the ProCurve NAC GUI Login In addition to the "NAC" tabs in the IDM window, the Global Preferences for Identity Management are expanded to include support for automatic login to the ProCurve Network Access Controller application via PCM and IDM. Figure A-2. ProCurve NAC parameters in Preferences for Identity Management The ProCurve NAC Web GUI Credentials allow you to enter a Username and Password for log in to the NAC Web GUI. If you do not enter the ProCurve NAC login information in the Preferences for Identity Management, you will be prompted to enter your login name and password when you first access any of the "NAC" tabs from the IDM display. A-4

179 Using the NAC Home Tab Using ProCurve Network Access Controller with IDM Using the NAC Tab Displays The NAC Home tab launches the ProCurve NAC GUI within the IDM display. Figure A-3. Network Access Controller (NAC Home) display. From this point you can access all of the functionality provided with the ProCurve Network Access Controller application. For details on using the application, refer to the online help, or the ProCurve Network Access Controller 800 User s Guide. A-5

180 Using ProCurve Network Access Controller with IDM Using the NAC Tab Displays Using the NAC Monitor Tab In addition to the NAC Home tab, integration of ProNAC 800 with IDM provides a NAC Monitor and NAC Configuration tab. Click the NAC Monitor tab to launch the ProCurve NAC "System Monitor" window within the IDM display. Figure A-4. ProCurve NAC 800 System Monitor (NAC Monitor) display. The NAC Monitor window provides information on the Network Access Controllers deployed for the endpoint integrity solution, including: status for Enforcement Clusters, Enforcement Servers, access mode, endpoint test status, etc. A-6

181 Using ProCurve Network Access Controller with IDM Using the NAC Tab Displays For additional details, refer to the online help, or the section describing the System Monitor in the ProCurve Network Access Controller 800 User s Guide. Using the NAC Configuration Tab Click the NAC Configuration tab to launch the Network Access Controller 800 system configuration tab in the IDM display. Figure A-5. ProCurve NAC 800 System Configuration (NAC Configuration) display. The ProCurve NAC 800 System Configuration window provides access to the tools needed to configure the RADIUS server, as well as configuration of Servers, User accounts, Licensing, and Quarantining methods for use in endpoint integrity testing. A-7

182 Using ProCurve Network Access Controller with IDM Using Local Authentication Directory on ProCurve NAC This window also provides access to Maintenance tools, including the system backup and restore functions. For a detailed description of available features, refer to the online help, or the ProCurve Network Access Controller 800 User s Guide. Regardless of your implementation of the ProCurve NAC 800 appliance, it is important that you perform a system backup on a regular schedule. This backup can then be used to restore the ProNAC system configuration and database files in the event of corruption or other error, or help to configure a new system in the event of an emergency. Using Local Authentication Directory on ProCurve NAC When using the ProCurve NAC 800 appliance for RADIUS authentication and the IDM Agent, you can enable a Local Authentication Directory for the realm that the ProCurve NAC supports. To enable Local Authentication Directory on a ProCurve NAC: 1. Navigate to the Realm that contains the ProCurve NAC appliance, and then use the right-click menu to select the Modify Realm option, or Click on the Realm that contains the ProCurve NAC appliance, and then click the "Modify Realm" button in the Properties tab toolbar. This launches the Local Authentication Directory dialog. Figure A-6. Modify Realm dialog with ProCurve NAC device support A-8

183 Using ProCurve Network Access Controller with IDM Using Local Authentication Directory on ProCurve NAC 2. Click the check box to Enable Local Authentication for ProCurve NAC devices. A check mark indicates the option is selected. 3. Click OK to save the configuration and close the window. The Enable Local Authentication option will only appear if: The RADIUS service for the realm is supplied by the RADIUS server on the ProCurve NAC appliance, and The IDM Agent is installed on the same ProCurve NAC appliance as the RADIUS server. Adding Locally Authenticated Users The only difference in IDM between a user that is locally authenticated on a ProCurve NAC, and a user that is authenticated by an enterprise user directory is a password. That is, you must enter a password when creating a locally authenticated user. This is due to a NOT NULL constraint on the password column of the user table on the ProNAC database. Once you enable the Local Authentication Directory, to add a "locally authenticated" user, simply navigate to the Users tab and select the New User or Modify User button to launch the user configuration dialog. 1. To launch the New User dialog: a. Expand the Realms node in the IDM tree to display the ProCurve Network Access Controllers Node b. Right-click on the Network Access Controller node and select the New User Option Alternately, you can: a. Expand the Realms node in the IDM tree to display the ProCurve Network Access Controllers Node b. Click the node for the ProCurve Network Access Controller to display the appliances. c. Click the node for the NAC appliance to display the Properties and Users tab, then click the Users tab. d. Click the New User button in the toolbar. You can also select a user in the Users tab then click the "Modify User" button to add or modify the password for existing users. A-9

184 Using ProCurve Network Access Controller with IDM Using Local Authentication Directory on ProCurve NAC Figure A-7. User Properties, with Local Authentication Directory 2. Enter the user information as you regularly would (see Adding New Users on page 3-53), then click the Set password... link to launch the user password dialog. 3. Type in the Password that will be used for authentication on the local directory. Re-enter the same password in the Confirm Password field. 4. Click OK to save the password and close the dialog, and then click OK in the User configuration dialog to save the User and Password and close the window. A-10

185 B IDM Technical Reference Device Support for IDM Functionality Due to variations in hardware and software configuration of various ProCurve Devices, not all IDM [Access Profile] features are supported on all devices. The following table indicates IDM functionality supported by ProCurve Device type at the time this manual was printed. Device Type: IDM Functions: VLAN QoS Bandwidth Network Resources 5300xl series X X X X 4100gl series X 3400cl series X X X 2600 series, 2600PWR, 2800 series X X 2500 Series X 420 Wireless Access Point X For the 2600 series, release H (or newer) of the device software is required for QoS support in IDM. For the 2800 series, release I (or newer) of the device software is required for QoS support in IDM. The 9300 series and 6100 series are not "edge" switches thus are not included in the table. ProCurve unmanaged switches do not support IDM, including: 2700 series, 2300 series, 2124, and 408. Please check the ProCurve Web site ( for the latest information on supported features and devices. B-1

186 IDM Technical Reference Device Support for IDM Functionality Support for Secure Access Wizard Feature IDM Device Feature Matrix ProCurve Device ACL's VLAN QoS BW MAC Web 802.1X 802.1X 802.1X Auth Auth port-based supplicant 420 AP X X X X (15) 520 AP 530 AP X X X X X X 2500 series X (5) X X (6) X (6) 2600 series (PWR included) X X X (4) X (3) X X (7) X (7) 2800 series X X X (2) X (2) X X (8) X (8) 3400cl X X X X X X X (10) X (10) 3500 X X X X X X X X X 4100gl series X X X (9) X (9) 4200 X X X X X X X X 6100 series X (12) X (12) 6108 X X 6200 X X X X 6400cl X X X X X X X 5300xl X (1) X X X X X X X (11) X (11) 5400 X X X X X X X X X 9300 X (13) 9400 X (14) WESM 1.0 X X WESM 2.0 X X X (1) requires software revision E or greater (2) requires software revision I or greater (3) requires software revision H or greater (4) requires software revision H or greater (5) requires software revision F or greater (6) requires software revision F or greater (7) requires software revision H or greater (8) requires software revision I or greater (9) requires software revision G or greater (10) requires software revision M or greater (11) requires software revision E or greater (12) requires software revision H or greater (13) requires software revision or greater (14) requires software revision c or greater (15) requires software revision or greater B-2

187 IDM Technical Reference Best Practices Best Practices Authentication Methods The IDM application is designed to support RADIUS server implementation with 802.1x using supplicants, as well as Web-auth and MAC-auth. However to gain the full benefits of using IDM, HP advises that you implement RADIUS using an 802.1x supplicant. If you use Web-auth or MAC-auth, you can still use IDM to provide authorization and access control, but the user session accounting will not work. This is because current version of Web-Auth and MAC-auth do not support session accounting features on the ProCurve devices. Specifically, the switches will not report session-stop events. If you are using Web-auth or MAC-auth, it is best to turn off session accounting. See IDM Preferences on page 2-36 for details. The drawback is that this will also disable the IDM usage reports. Domain Names If you are using Active Directory, and your standard Active Directory Domain Name is different than its pre-windows 2000 Domain Name, then these two Domain Names may appear as different Realms to IDM. This will only be true if users log into IDM using different formats (e.g. "OLDDOMAIN\user" versus Under most circumstances, this will never be a problem. It is best if the Active Directory Domain Name is the same as the pre-windows 2000 format (e.g. use simple names without special characters). However, if this is not the case, you can mitigate the problem by having users log in using a standard format (either "DOMAIN\user" or but not both). Multiple RADIUS Server Implementation If you are using multiple RADIUS servers, with users logging in through each, they should be discovered by IDM. However, if one of the servers is being used as a "back-up" system (not just for load-balancing), the back-up server may not appear correctly in IDM. This is because IDM is not "aware" of the server until a user logs into it. You can use the manual configuration method to define the RADIUS server to IDM. Deleting RADIUS Servers on page 3-52 for details. The server will then appear in the IDM tree, and event logs for the server are available. B-3

188 IDM Technical Reference Best Practices Handling Unknown or Unauthorized users If a user is authenticated in RADIUS, but is unknown to IDM, IDM will not override RADIUS authentication and default switch settings, unless you configure it to do so. Also, if IDM rejects the user, but you have set "unauth-vid", then the port will still be opened and the VLAN will be set to the unauth-vid. You can also create a "guest" profile in IDM to provide limited access for unknown users. Allowing vs. Rejecting Access When evaluating the rules for the Access Policy Group when a user logs in, IDM is looking to match all three of the parameters (Location, Time, System). If it does not get a match on all three, it will go to the next rule in the list. When a match on all three parameters is found, the Access Profile for that rule is applied. There are two ways to look at the process of restricting user access using Access Profiles in Access Policy Group (APG) rules. A. Create rules that allow access. B. Create rules that reject access. For example, to create an APG to allow access during the standard work week, you can create a Time that defines the work week, then create an Access Policy to be applied during that time. In this example, a Default policy was created. The APG to allow user access during the work week would then look like this: Users in the group will be allowed access as long as they are logging in during the times set for the Work week. At any other time, the user will be denied access, and an IDM event will be logged for the reason that no matching rules were found in the APG. To create a rule that denies access on the weekend, while allowing access during the work week, you will need a Time to define the weekend. You will also need an Access Policy to define the access at all other times. In the Access Profile Group, you would enter two rules, similar to the following: B-4

189 IDM Technical Reference Best Practices In this instance, if the user attempts to login in during the times specified for the Weekends, they will be rejected, and an IDM event will be logged indicating that the APG had a specific Reject rule set to deny access. If the user logs in at times not specified for the weekend, since the time in the first rule does not match, IDM moves to the second rule. Since all parameters match, the user is allowed on the network and the "Default" Access Profile settings are applied at the switch. The other important piece in this process is the order of the rules. In the second example, if you change the order of the rules, users would be allowed access all the time. The two examples above are quite simple. However, in instances where you want to be able to restrict user access to specific areas of the network at specific times, or restrict network resources to users at specific times and locations, the decision to use the "allow" vs. "reject" method and the ordering of the rules becomes more complex. Rate-Limiting The option for rate-limiting using the Bandwidth option in Access Profiles works like this: When the Access Profile is applied, IDM sends a rate-limit in Kbps to the switch. The switch takes the value passed from IDM and converts it to a rate percentage, based on the port link speed. If the value passed to the switch by IDM is greater than the port link speed, the switch will ignore the parameter received from IDM. To avoid problems, avoid using low rate-limit policies on the switch, or make sure that the IDM rate-limits do not exceed the link speeds of ports in your network. B-5

190 IDM Technical Reference Types of User Events Types of User Events The USER_FAILED_LOGIN event happens whenever RADIUS sends IDM a message of an unsuccessful login. This can have various sources, which you can review in the Event Details. It can be either because IAS didn t let the user log in (bad username, password, etc.) or because IDM rejected the login. The IDM reasons for denied access that are currently defined include: //Port is missing or invalid port public static int INVALID_PORT = 1; //Switch information is missing or invalid switch ip address public static int INVALID_SWITCH_IP = 2; //User name is missing or invalid user name public static int INVALID_USER_NAME = 3; //Unknown Realm for DM public static int REALM_NOT_FOUND = 4; //Realm config data is not found in DM cache public static int REALM_CACHE_NOT_FOUND = 5; //Access policy group is not found for a user public static int APG_NOT_FOUND = 6; //An access policy group doesn't have any policy rules public static int NO_RULES_IN_APG = 7; //Time constraint is not satisfied public static int TIME_DOES_NOT_PERMIT = 8; //Location constraint is not satisfied public static int LOCATION_DOES_NOT_PERMIT = 9; //Unknown user to IDM DM public static int UNKNOWN_USER = 10; //No rules in APG can allow user to login to network public static int NO_RULES_MATCH = 11; //Reject profile encountered public static int REJECT_PROFILE = 12; //Unknown reason public static int UNKNOWN_REASON = 20; For additional information, refer to the MS IAS documentation to see what the possible values are for user logins that are rejected or failed by RADIUS B-6

191 Index Numerics 802.1X configuration, SAW 4-9 A Access Attributes 3-26 Access attributes 3-27 Access Information 2-32 Access Policy order 3-38 Access Policy Group 3-35 Assignments 3-44 delete 3-41 edit 3-41 new 3-36, 3-39 working with B-4 Access Profile 3-24 attributes 3-27 delete 3-34 edit 3-33 new 3-26 override 3-27 parameters 3-27 Access Security settings deleting, editing 4-20 Active directory import 3-57 Active Directory Synchronization 2-38 Add or Remove Groups 2-40 AD Sync remove groups 2-41 Advanced Settings for Wired 802.1X 4-10 Advanced Settings for Wired MAC-Auth 4-15 Advanced Settings for Wired Web-Auth 4-13 Agent, IDM 1-6 Allowing access B-4 Anonymous Authentication 3-71 APG 3-35 APG, assign user 3-43 Authentication 1-8 Authentication Method Selection 4-5 Authentication Methods B-3 Authentication Server 1-8 Authentication Servers, SAW 4-17 Authorization 1-8 B Bandwidth 1-8 Bandwidth Usage Report 2-17 C Configuration Model 3-3 Configuration Report 2-16 D Decision Manager 1-7 delete 3-12 Deploy IDM configurations 3-49 Digest-MD5 authentication 3-67 Disable user 2-32 Domain Names B-3 E Edge Device 1-8 Endpoint integrity enabling 2-37 Endpoint Integrity State 2-18 Endpoint Integrity support 3-39 Event Preferences 5-8 Events 5-2 acknowledge 5-4 delete 5-4 filtering 5-4 types B-6 Excluded Devices, SAW 4-4 External authentication 3-69 F Friendly port names 3-22 G Global Rule 3-46 Index 1

192 Global Rules 3-45, 3-47 H Holidays 3-17 I IDM Agent tracing 5-11 IDM authorization policy 3-49 IDM model 3-3 IDM Statistics 2-18 Import from Active Directory 3-58 Import procedure 3-57 Importing Users 3-58 with XML files 3-75 K Kerberos V5 authentication 3-68 L LDAP Authentication 3-66 LDAP Directory settings 3-72 LDAP Server Digest-MD5 Authentication 3-67 External Authentication 3-69 Kerberos-V5 Authentication 3-68 Simple Authentication 3-66 LDAP server import 3-57 LDAP_Server_Config 3-74 Local Authentication Directory A-8 Locally Authenticated Users, adding A-9 Locations 3-6, 3-12 Devices 3-7 modify 3-11 new 3-7 Login, ProCurve NAC A-4 M MAC-Auth Configuration, SAW 4-15 MAC-Auth with SBR 5-12 Multiple RADIUS Servers B-3 N NAC Configuration A-7 NAC Home A-5 NAC Monitor A-6 Navigation 2-9 Nested groups 2-40 Network Access Controller A-1 Network Resource new 3-21 properties 3-21 Network Resource Assignment 3-28 Network Resource, configuring 3-19 Network Resources 3-19 P port disable 2-32 Port Selection, SAW 4-6 Preferences 2-36 endpoint integrity support 2-37 ProCurve NAC A-1 ProNAC appliance A-1 Properties, ProCurve NAC A-3 Q QoS 1-8 R RADIUS 1-8 RADIUS Activity Log 5-10 RADIUS Server delete 3-52 RADIUS shared secret 4-18 Rate-Limiting B-4 Realm 1-9 delete 3-51 edit 3-51 Realms new 3-50 Rejecting access B-4 Remove Groups from Synchronization 2-41 Report Action 2-19 Report Delivery 2-24 Report format 2-24 Report Policy 2-19 Rules sequence 3-38 Index 2

193 Rules, evaluation 3-38 S SASL Digest MD5 authentication 3-67 Save Settings, SAW 4-19 Save Template, SAW 4-19 SAW 4-2 Secure Access Wizard 4-2 Session Cleanup 2-26 Session History 2-18 Session Information 2-31 Session List 2-30 Simple authentication 3-66 Switch Override 3-27 W warranty 1-ii Web-Auth Configuration, SAW 4-12 WLAN selection, SAW 4-8 X XML file, user import 3-75 XML Import File format 3-76 T Target Properties 3-46 Times 3-13 changing 3-16 delete 3-16 new 3-14 properties 3-15 Tracing, Decision Manager 5-11 U Unauthorized users B-4 Unknown users B-4 Unsuccessful Login Report 2-16 User add to IDM 3-53 edit IDM 3-55 User Access 3-42 User Directory Settings 2-38 User Import LDAP Server 3-64 User Import Wizard 3-57 User Location Information 2-31 User MAC Addresses 2-18 user password, local authentication A-9 User Properties 2-30 User Report 2-19 User Session information 2-29 User Systems 3-54 Users tab 3-42 Index 3

194 Copyright 2008 Hewlett-Packard Development Company, L.P. May 2008 Manual Part Number

ProCurve Identity Driven Manager

ProCurve Identity Driven Manager ProCurve Identity Driven Manager Software Release 2.0 User s Guide Copyright 2004, 2005 Hewlett-Packard Company All Rights Reserved. This document contains information which is protected by copyright.

More information

Identity Driven Manager 1.0. User s Guide. The safe and simple way to manage network policies

Identity Driven Manager 1.0. User s Guide. The safe and simple way to manage network policies Identity Driven Manager 1.0 User s Guide The safe and simple way to manage network policies ProCurve Identity Driven Manager Software Release 1.0 User s Guide Copyright 2004 Hewlett-Packard Company All

More information

HP PCM+ 4.0 Identity Driven Manager. User s Guide

HP PCM+ 4.0 Identity Driven Manager. User s Guide HP PCM+ 4.0 Identity Driven Manager User s Guide Copyright 2004, 2005, 2007, 2009, 2011 2012 Hewlett-Packard Development Company, LP. All Rights Reserved. Publication Number 5998-3399 August, 2012 Disclaimer

More information

QuickSpecs ProCurve Identity Driven Manager 2.2

QuickSpecs ProCurve Identity Driven Manager 2.2 Overview ProCurve Identity Driven Manager, a plug-in to, dynamically configures security and performance settings based on user, device, location, time, and client system state. IDM provides network administrators

More information

HP ProCurve Manager Plus

HP ProCurve Manager Plus HP ProCurve Manager Plus Getting Started Guide The all-in-one solution for managing HP ProCurve networks HP ProCurve Manager Plus Getting Started Guide Copyright 2003-2004 Hewlett-Packard Development

More information

Release Notes: ProCurve Identity Driven Manager Version 2.0, Update 2

Release Notes: ProCurve Identity Driven Manager Version 2.0, Update 2 Release Notes: ProCurve Identity Driven Manager Version 2.0, Update 2 ProCurve Identity Driven Manager (IDM) version 2.0 update 2 supports these products: IDM version 2.1: an update to IDM 2.0 that provides

More information

Software Update C.09.xx Release Notes for the HP Procurve Switches 1600M, 2400M, 2424M, 4000M, and 8000M

Software Update C.09.xx Release Notes for the HP Procurve Switches 1600M, 2400M, 2424M, 4000M, and 8000M Software Update C.09.xx Release Notes for the HP Procurve Switches 1600M, 2400M, 2424M, 4000M, and 8000M Topics: TACACS+ Authentication for Centralized Control of Switch Access Security (page 7) CDP (page

More information

Release Notes: ProCurve Manager Version 2.2/2.2.1, Update 5

Release Notes: ProCurve Manager Version 2.2/2.2.1, Update 5 Release Notes: ProCurve Manager Version 2.2/2.2.1, Update 5 PCM version 2.2/2.2.1, Update 5 supports these products: J9056A ProCurve Manager Plus 2.2 - upgrade from PCM 1.6 license to PCM Plus 2.2 50-device

More information

ProCurve Manager Plus 2.3

ProCurve Manager Plus 2.3 ProCurve Manager Plus 2.3 is a secure, advanced Windows-based network management platform that allows administrators to configure, update, monitor, and troubleshoot ProCurve devices centrally with easy-to-use

More information

Release Notes: ProCurve Network Immunity Manager Version 1.0, Update 3

Release Notes: ProCurve Network Immunity Manager Version 1.0, Update 3 Release Notes: ProCurve Network Immunity Manager Version 1.0, Update 3 ProCurve Network Immunity Manager (NIM) version 1.0, Update 3 supports these products: J9060A ProCurve Network Immunity Manager 1.0-50-device

More information

HP Identity Driven Manager Software Series

HP Identity Driven Manager Software Series HP Identity Driven Manager Software Series Data sheet Product overview HP Identity Driven Manager (IDM), a plug-in to HP PCM+, dynamically provisions network security and performance settings based on

More information

Release Notes: ProCurve Manager Version 2.1, Update 9

Release Notes: ProCurve Manager Version 2.1, Update 9 Release Notes: ProCurve Manager Version 2.1, Update 9 PCM version 2.1, Update 9 supports these products: J8778A ProCurve Manager Plus 2.1-100-device license J9009A ProCurve Manager Plus 2.1 - unlimited

More information

Release Notes: ProCurve Mobility Manager Version 1.0, Update 1

Release Notes: ProCurve Mobility Manager Version 1.0, Update 1 Release Notes: ProCurve Mobility Manager Version 1.0, Update 1 Installation Pre-Requisites: The ProCurve Mobility Manager (PMM 1.0) Update 1 requires that you have the following software installed and

More information

HP ProCurve Network Management. Installation and Getting Started Guide

HP ProCurve Network Management. Installation and Getting Started Guide HP ProCurve Network Management Installation and Getting Started Guide Copyright 2004, 2005, 2007, 2009 Hewlett-Packard Development Company, L.P. All Rights Reserved Publication Number 5991-8636a Version

More information

Guest Management Software Administrator Guide. Installation and Getting Started Guide Administrator Guide

Guest Management Software Administrator Guide. Installation and Getting Started Guide Administrator Guide Guest Management Software Administrator Guide Guest ProCurve Management 5400zl Switches Software Installation and Getting Started Guide Administrator Guide Guest Management Software Administrator Guide

More information

Software updates uploaded to the switch trigger an automatic switch reload.

Software updates uploaded to the switch trigger an automatic switch reload. Release Notes: Versions VA.02.02 and VB.02.02 Software for the HP ProCurve Series 1700 Switches Release VA.02.02 supports this switch: HP ProCurve Switch 1700-8 (J9079A), Release VB.02.02 supports this

More information

QuickSpecs HP ProCurve Manager Plus 3.1

QuickSpecs HP ProCurve Manager Plus 3.1 Overview HP ProCurve Manager Plus is a Microsoft Windows-based network management platform that enables mapping, configuration, and monitoring. HP ProCurve Manager Plus provides security and extensibility

More information

1.0. Quest Enterprise Reporter Discovery Manager USER GUIDE

1.0. Quest Enterprise Reporter Discovery Manager USER GUIDE 1.0 Quest Enterprise Reporter Discovery Manager USER GUIDE 2012 Quest Software. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

Virtual Recovery Assistant user s guide

Virtual Recovery Assistant user s guide Virtual Recovery Assistant user s guide Part number: T2558-96323 Second edition: March 2009 Copyright 2009 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company makes no warranty of any kind

More information

HP E-PCM Plus Network Management Software Series Overview

HP E-PCM Plus Network Management Software Series Overview Overview HP E-PCM Plus Network Management is a Microsoft Windows -based network management platform that enables mapping, configuration, and monitoring. HP PCM Plus provides security and extensibility

More information

Release Notes: Versions PA and PB Software for the ProCurve Series 1800 Switches

Release Notes: Versions PA and PB Software for the ProCurve Series 1800 Switches Release Notes: Versions PA.02.07 and PB.02.07 Software for the ProCurve Series 1800 Switches Release PA.02.07 supports the ProCurve Switch 1800-8G (J9029A). Release PB.02.07 supports the ProCurve Switch

More information

Release PB supports the HP ProCurve Switch G (J9028A /B).

Release PB supports the HP ProCurve Switch G (J9028A /B). Release Notes: Versions PA.03.02 and PB.03.02 Software for the HP ProCurve Series 1800 Switches Release PA.03.02 supports the HP ProCurve Switch 1800-8G (J9029A). Release PB.03.02 supports the HP ProCurve

More information

HP Intelligent Management Center SOM Administrator Guide

HP Intelligent Management Center SOM Administrator Guide HP Intelligent Management Center SOM Administrator Guide Abstract This guide contains comprehensive conceptual information for network administrators and other personnel who administrate and operate the

More information

ProCurve Switch G ProCurve Switch G

ProCurve Switch G ProCurve Switch G Management and Configuration Guide ProCurve Switch 1800-8G ProCurve Switch 1800-24G www.procurve.com ProCurve Series 1800 Switch Management and Configuration Guide Copyright 2006, 2007 Hewlett-Packard

More information

HP ProCurve Manager Plus 3.0

HP ProCurve Manager Plus 3.0 Product overview HP ProCurve Manager Plus is a Microsoft Windows-based network management platform that enables mapping, configuration, and monitoring. HP ProCurve Manager Plus 3.0 provides security and

More information

Software Feature Index for the ProCurve Switch 3500yl/5400zl/6200yl Series

Software Feature Index for the ProCurve Switch 3500yl/5400zl/6200yl Series Software Feature Index for the ProCurve Switch 3500yl/5400zl/6200yl Series For the software manual set supporting your 3500yl/5400zl/6200yl switch model, this feature index indicates which manual to consult

More information

Release Notes: Version Operating System

Release Notes: Version Operating System Release Notes: Version 2.0.29 Operating System for the HP ProCurve Wireless Access Point 420 These release notes include information on the following: Downloading access point software and documentation

More information

Release Notes: Version T Software for the ProCurve Series 2900 Switches

Release Notes: Version T Software for the ProCurve Series 2900 Switches Release Notes: Version T.11.11 Software for the ProCurve Series 2900 Switches The T.11.11 software supports these switches: ProCurve Switch 2900-24G (J9049A) and 2900-48G (J9050A) These release notes include

More information

hp l1619a smart attachment module

hp l1619a smart attachment module hp l1619a smart attachment module user s guide Smart Attachment Module 1 Notice This manual and any examples contained herein are provided as is and are subject to change without notice. Hewlett-Packard

More information

ForeScout Extended Module for Symantec Endpoint Protection

ForeScout Extended Module for Symantec Endpoint Protection ForeScout Extended Module for Symantec Endpoint Protection Version 1.0.0 Table of Contents About the Symantec Endpoint Protection Integration... 4 Use Cases... 4 Additional Symantec Endpoint Protection

More information

Dell License Manager Version 1.2 User s Guide

Dell License Manager Version 1.2 User s Guide Dell License Manager Version 1.2 User s Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION indicates either

More information

Release Notes: Version E Software for the HP Procurve Series 5300XL Switches. Release E is the second software release for these switches:

Release Notes: Version E Software for the HP Procurve Series 5300XL Switches. Release E is the second software release for these switches: Release Notes: Version E.06.01 Software for the HP Procurve Series 5300XL Switches Release E.06.01 is the second software release for these switches: HP Procurve Switch 5304XL (J4850A) HP Procurve Switch

More information

User Guide. Version R95. English

User Guide. Version R95. English Anti-Malware (Classic) User Guide Version R95 English July 20, 2017 Copyright Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept

More information

Achieving regulatory compliance with reports from ProCurve PCM, IDM, and NIM

Achieving regulatory compliance with reports from ProCurve PCM, IDM, and NIM An HP ProCurve Networking Application Note Achieving regulatory compliance with reports from ProCurve PCM, IDM, and NIM Contents 1. Introduction... 2 2. Prerequisites... 2 3. Network diagram... 2 4. Instructions

More information

ForeScout Extended Module for VMware AirWatch MDM

ForeScout Extended Module for VMware AirWatch MDM ForeScout Extended Module for VMware AirWatch MDM Version 1.7.2 Table of Contents About the AirWatch MDM Integration... 4 Additional AirWatch Documentation... 4 About this Module... 4 How it Works... 5

More information

HP StorageWorks Performance Advisor. Installation Guide. Version 1.7A

HP StorageWorks Performance Advisor. Installation Guide. Version 1.7A HP StorageWorks Performance Advisor Installation Guide Version 1.7A notice Copyright 2002-2004 Hewlett-Packard Development Company, L.P. Edition 0402 Part Number B9369-96068 Hewlett-Packard Company makes

More information

Microsoft Office Groove Server Groove Manager. Domain Administrator s Guide

Microsoft Office Groove Server Groove Manager. Domain Administrator s Guide Microsoft Office Groove Server 2007 Groove Manager Domain Administrator s Guide Copyright Information in this document, including URL and other Internet Web site references, is subject to change without

More information

Release Notes: Version PK.1.4 Software

Release Notes: Version PK.1.4 Software Release Notes: Version PK.1.4 Software for HP V1810-48G Switches These release notes include information on the following: Downloading switch software and documentation from the Web (page 5) Updating switch

More information

Veritas System Recovery 18 Management Solution Administrator's Guide

Veritas System Recovery 18 Management Solution Administrator's Guide Veritas System Recovery 18 Management Solution Administrator's Guide Documentation version: 18 Legal Notice Copyright 2018 Veritas Technologies LLC. All rights reserved. Veritas and the Veritas Logo are

More information

ForeScout Extended Module for MobileIron

ForeScout Extended Module for MobileIron Version 1.8 Table of Contents About MobileIron Integration... 4 Additional MobileIron Documentation... 4 About this Module... 4 How it Works... 5 Continuous Query Refresh... 5 Offsite Device Management...

More information

ForeScout Extended Module for MaaS360

ForeScout Extended Module for MaaS360 Version 1.8 Table of Contents About MaaS360 Integration... 4 Additional ForeScout MDM Documentation... 4 About this Module... 4 How it Works... 5 Continuous Query Refresh... 5 Offsite Device Management...

More information

SonicWall SMA 8200v. Getting Started Guide

SonicWall SMA 8200v. Getting Started Guide SonicWall SMA 8200v Getting Started Guide Copyright 2017 SonicWall Inc. All rights reserved. SonicWall is a trademark or registered trademark of SonicWall Inc. and/or its affiliates in the U.S.A. and/or

More information

HP ALM. Software Version: Tutorial

HP ALM. Software Version: Tutorial HP ALM Software Version: 12.20 Tutorial Document Release Date: December 2014 Software Release Date: December 2014 Legal Notices Warranty The only warranties for HP products and services are set forth in

More information

AST2500 ibmc Configuration Guide

AST2500 ibmc Configuration Guide AST2500 ibmc Configuration Guide Version 1.0 Copyright Copyright 2017 MITAC COMPUTING TECHNOLOGY CORPORATION. All rights reserved. No part of this manual may be reproduced or translated without prior written

More information

HP JetDirect Print Servers. HP JetAdmin. Setup Guide

HP JetDirect Print Servers. HP JetAdmin. Setup Guide R HP JetDirect Print Servers HP JetAdmin Setup Guide Setup Guide HP JetAdmin Copyright Hewlett-Packard Company 2000 All rights reserved. Reproduction, adaptation, or translation without prior written

More information

Wireless Clients and Users Monitoring Overview

Wireless Clients and Users Monitoring Overview Wireless Clients and Users Monitoring Overview Cisco Prime Infrastructure 3.1 Job Aid Copyright Page THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT

More information

HP LeftHand SAN Solutions

HP LeftHand SAN Solutions HP LeftHand SAN Solutions Support Document Installation Manuals VSA 8.0 Quick Start - Demo Version Legal Notices Warranty The only warranties for HP products and services are set forth in the express warranty

More information

HYCU SCOM Management Pack for F5 BIG-IP

HYCU SCOM Management Pack for F5 BIG-IP USER GUIDE HYCU SCOM Management Pack for F5 BIG-IP Product version: 5.5 Product release date: August 2018 Document edition: First Legal notices Copyright notice 2015-2018 HYCU. All rights reserved. This

More information

Reviewer s guide. PureMessage for Windows/Exchange Product tour

Reviewer s guide. PureMessage for Windows/Exchange Product tour Reviewer s guide PureMessage for Windows/Exchange Product tour reviewer s guide: sophos nac advanced 2 welcome WELCOME Welcome to the reviewer s guide for NAC Advanced. The guide provides a review of the

More information

Installation Guide. EventTracker Enterprise. Install Guide Centre Park Drive Publication Date: Aug 03, U.S. Toll Free:

Installation Guide. EventTracker Enterprise. Install Guide Centre Park Drive Publication Date: Aug 03, U.S. Toll Free: EventTracker Enterprise Install Guide 8815 Centre Park Drive Publication Date: Aug 03, 2010 Columbia MD 21045 U.S. Toll Free: 877.333.1433 Abstract The purpose of this document is to help users install

More information

SonicWall Secure Mobile Access SMA 500v Virtual Appliance 8.6. Getting Started Guide

SonicWall Secure Mobile Access SMA 500v Virtual Appliance 8.6. Getting Started Guide SonicWall Secure Mobile Access SMA 500v Virtual Appliance 8.6 Getting Started Guide Copyright 2017 SonicWall Inc. All rights reserved. SonicWall is a trademark or registered trademark of SonicWall Inc.

More information

exacqvision Web Service Configuration User Manual Version 9.4

exacqvision Web Service Configuration User Manual Version 9.4 exacqvision Web Service Configuration User Manual Version 9.4 www.exacq.com 1 of 12 June 12, 2018 Information in this document is subject to change without notice. Copyright 2008-2018, Exacq Technologies,

More information

Wireless Data Privacy Configuration Guide. HP ProCurve Secure Access 700wl Series.

Wireless Data Privacy Configuration Guide. HP ProCurve Secure Access 700wl Series. Wireless Data Privacy Configuration Guide HP ProCurve Secure Access 700wl Series www.hp.com/go/hpprocurve HP PROCURVE SECURE ACCESS 700WL SERIES WIRELESS DATA PRIVACY CONFIGURATION GUIDE Copyright 2003

More information

CounterACT Wireless Plugin

CounterACT Wireless Plugin CounterACT Wireless Plugin Version 1.7.0 Table of Contents About the Wireless Plugin... 4 Wireless Network Access Device Terminology... 5 How It Works... 6 About WLAN Controller/Lightweight Access Points...

More information

Wave 5.0. Wave OpenVPN Server Guide for Wave 5.0

Wave 5.0. Wave OpenVPN Server Guide for Wave 5.0 Wave 5.0 Wave OpenVPN Server Guide for Wave 5.0 2015 by Vertical Communications, Inc. All rights reserved. Vertical Communications and the Vertical Communications logo and combinations thereof and Vertical

More information

F-Secure PSB Getting Started Guide

F-Secure PSB Getting Started Guide F-Secure PSB Getting Started Guide F-Secure PSB Getting Started Guide TOC 3 Contents Chapter 1: Introduction...5 Chapter 2: Getting Started...7 Creating a new account...8 Downloading Software...9 Recovering

More information

PROMISE ARRAY MANAGEMENT ( PAM) FOR FastTrak S150 TX2plus, S150 TX4 and TX4000. User Manual. Version 1.3

PROMISE ARRAY MANAGEMENT ( PAM) FOR FastTrak S150 TX2plus, S150 TX4 and TX4000. User Manual. Version 1.3 PROMISE ARRAY MANAGEMENT ( PAM) FOR FastTrak S150 TX2plus, S150 TX4 and TX4000 User Manual Version 1.3 Promise Array Management Copyright 2003 Promise Technology, Inc. All Rights Reserved. Copyright by

More information

Managing WCS User Accounts

Managing WCS User Accounts CHAPTER 7 This chapter describes how to configure global e-mail parameters and manage WCS user accounts. It contains these sections: Adding WCS User Accounts, page 7-1 Viewing or Editing User Information,

More information

Installation on Windows Server 2008

Installation on Windows Server 2008 USER GUIDE MADCAP PULSE 4 Installation on Windows Server 2008 Copyright 2018 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software described

More information

Kaseya 2. User Guide. Version 7.0. English

Kaseya 2. User Guide. Version 7.0. English Kaseya 2 AntiMalware User Guide Version 7.0 English January 6, 2015 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS as

More information

KYOCERA Net Admin Installation Guide

KYOCERA Net Admin Installation Guide KYOCERA Net Admin Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable for

More information

Upgrading Software Version 3.1 to Version 4. HP ProCurve Secure Access 700wl Series.

Upgrading Software Version 3.1 to Version 4. HP ProCurve Secure Access 700wl Series. Upgrading Software Version 3.1 to Version 4 HP ProCurve Secure Access 700wl Series www.hp.com/go/hpprocurve HP PROCURVE SECURE ACCESS 700WL SERIES UPGRADING SOFTWARE VERSION 3.1 TO VERSION 4 Copyright

More information

PROCURVE SECURE ACCESS 700WL SERIES

PROCURVE SECURE ACCESS 700WL SERIES PROCURVE SECURE ACCESS 700WL SERIES MANAGEMENT AND CONFIGURATION GUIDE Copyright 2005 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. This

More information

QuickSpecs. Aruba ClearPass OnGuard Software. Overview. Product overview. Key Features

QuickSpecs. Aruba ClearPass OnGuard Software. Overview. Product overview. Key Features Enterprise-class endpoint protection, posture assessments and health checks Product overview ClearPass OnGuard agents perform advanced endpoint posture assessments on leading computer operating systems

More information

Connectware Manager Getting Started Guide

Connectware Manager Getting Started Guide Connectware Manager Getting Started Guide 90000699_B 2004, 2005 Digi International Inc. Digi, Digi International, the Digi logo, the Digi Connectware log, the Making Device Networking Easy logo, Digi

More information

Sophos Enterprise Console Help. Product version: 5.3

Sophos Enterprise Console Help. Product version: 5.3 Sophos Enterprise Console Help Product version: 5.3 Document date: September 2015 Contents 1 About Sophos Enterprise Console 5.3...6 2 Guide to the Enterprise Console interface...7 2.1 User interface layout...7

More information

HPE Intelligent Management Center v7.3

HPE Intelligent Management Center v7.3 HPE Intelligent Management Center v7.3 Service Operation Manager Administrator Guide Abstract This guide contains comprehensive conceptual information for network administrators and other personnel who

More information

ForeScout Extended Module for Advanced Compliance

ForeScout Extended Module for Advanced Compliance ForeScout Extended Module for Advanced Compliance Version 1.2 Table of Contents About Advanced Compliance Integration... 4 Use Cases... 4 Additional Documentation... 6 About This Module... 6 About Support

More information

HPE Intelligent Management Center

HPE Intelligent Management Center HPE Intelligent Management Center EAD Security Policy Administrator Guide Abstract This guide contains comprehensive information for network administrators, engineers, and operators working with the TAM

More information

Agilent OpenLAB Data Store Administration. Guide for Administrators

Agilent OpenLAB Data Store Administration. Guide for Administrators Agilent OpenLAB Data Store Administration Guide for Administrators Notices Agilent Technologies, Inc. 2013 No part of this manual may be reproduced in any form or by any means (including electronic storage

More information

HP ALM. Software Version: Tutorial

HP ALM. Software Version: Tutorial HP ALM Software Version: 12.50 Tutorial Document Release Date: September 2015 Software Release Date: September 2015 Legal Notices Warranty The only warranties for HP products and services are set forth

More information

Avalanche Remote Control User Guide. Version 4.1

Avalanche Remote Control User Guide. Version 4.1 Avalanche Remote Control User Guide Version 4.1 ii Copyright 2012 by Wavelink Corporation. All rights reserved. Wavelink Corporation 10808 South River Front Parkway, Suite 200 South Jordan, Utah 84095

More information

Enterprise Vault.cloud CloudLink Google Account Synchronization Guide. CloudLink to 4.0.3

Enterprise Vault.cloud CloudLink Google Account Synchronization Guide. CloudLink to 4.0.3 Enterprise Vault.cloud CloudLink Google Account Synchronization Guide CloudLink 4.0.1 to 4.0.3 Enterprise Vault.cloud: CloudLink Google Account Synchronization Guide Last updated: 2018-06-08. Legal Notice

More information

Copyright 2015 Integrated Research Limited

Copyright 2015 Integrated Research Limited Prognosis IP Office Appliance Copyright Copyright 2015 Integrated Research Limited (ABN 76 003 588 449). All rights reserved. This guide is protected by copyright law and international treaties. No part

More information

Wireless LAN. SmartPass Quick Start Guide. Release 9.0. Published: Copyright 2013, Juniper Networks, Inc.

Wireless LAN. SmartPass Quick Start Guide. Release 9.0. Published: Copyright 2013, Juniper Networks, Inc. Wireless LAN SmartPass Quick Start Guide Release 9.0 Published: 2013-07-14 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All rights reserved.

More information

Patch Manager INSTALLATION GUIDE. Version Last Updated: September 25, 2017

Patch Manager INSTALLATION GUIDE. Version Last Updated: September 25, 2017 INSTALLATION GUIDE Patch Manager Version 2.1.5 Last Updated: September 25, 2017 Retrieve the latest version from: https://support.solarwinds.com/success_center/patch_manager/patch_manager_documentation

More information

Release Notes: ProCurve Management Software

Release Notes: ProCurve Management Software ProCurve Manager Plus Version 3.0 Mobility Manager Version 3.0 Identity Driven Manager Version 3.0 Network Immunity Manager Version 2.0 PCM/PCM+ v3 New Features For a description of the new features, FAQs,

More information

802.1x Radius Setup Guide Working AirLive AP with Win X Radius Server

802.1x Radius Setup Guide Working AirLive AP with Win X Radius Server OvisLink 8000VPN VPN Guide 802.1x Radius Setup Guide Working AirLive AP with Win2003 802.1X Radius Server Table of Content Secured Enterprise Wireless Environment Configuration Guide... 3 WHAT IS THIS

More information

LaserJet Pro M501 Getting Started Guide

LaserJet Pro M501 Getting Started Guide LaserJet Pro M501 Getting Started Guide 2 English... 1... 4 IMPORTANT: www.hp.com/support/ljm501 www.register.hp.com Follow Steps 1-2 on the printer hardware setup poster, and then continue with Step 3.

More information

Release Notes: Version S Software. Related Publications. for HP ProCurve 2520 Switches

Release Notes: Version S Software. Related Publications. for HP ProCurve 2520 Switches Release Notes: Version S.14.03 Software for HP ProCurve 2520 Switches Release S.14.xx supports the HP ProCurve 2520-8-PoE (J9137A) and 2520-24-PoE (J9138A) switches. These release notes include information

More information

Nimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book]

Nimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book] Nimsoft Service Desk Single Sign-On Configuration Guide [assign the version number for your book] Legal Notices Copyright 2012, CA. All rights reserved. Warranty The material contained in this document

More information

Symantec Ghost Solution Suite Web Console - Getting Started Guide

Symantec Ghost Solution Suite Web Console - Getting Started Guide Symantec Ghost Solution Suite Web Console - Getting Started Guide Symantec Ghost Solution Suite Web Console- Getting Started Guide Documentation version: 3.3 RU1 Legal Notice Copyright 2019 Symantec Corporation.

More information

Vyapin Office 365 Management Suite

Vyapin Office 365 Management Suite Vyapin Office 365 Management Suite Last Updated: December 2015 Copyright 2015 Vyapin Software Systems Private Limited. All rights reserved. This document is being furnished by Vyapin Software Systems Private

More information

GIFTePay XML. SecurePay. Installation & Configuration Guide. Version Part Number: (ML) (SL)

GIFTePay XML. SecurePay. Installation & Configuration Guide. Version Part Number: (ML) (SL) GIFTePay XML Installation & Configuration Guide SecurePay Version 4.00 Part Number: 8662.82 (ML) 8662.83 (SL) GIFTePay XML Installation & Configuration Guide Copyright 2009 Datacap Systems Inc. All rights

More information

Integrate Microsoft Office 365. EventTracker v8.x and above

Integrate Microsoft Office 365. EventTracker v8.x and above EventTracker v8.x and above Publication Date: March 5, 2017 Abstract This guide provides instructions to configure Office 365 to generate logs for critical events. Once EventTracker is configured to collect

More information

ChromQuest 4.2 Chromatography Data System

ChromQuest 4.2 Chromatography Data System ChromQuest 4.2 Chromatography Data System Installation Guide CHROM-97200 Revision A April 2005 2006 Thermo Electron Corporation. All rights reserved. Surveyor is a registered trademark and ChromQuest is

More information

GIFTePay XML. Chockstone. Installation & Configuration Guide. Version Part Number: (ML) (SL)

GIFTePay XML. Chockstone. Installation & Configuration Guide. Version Part Number: (ML) (SL) GIFTePay XML Installation & Configuration Guide Chockstone Version 4.00 Part Number: 8662.65 (ML) 8662.66 (SL) GIFTePay XML Installation & Configuration Guide Copyright 2009 Datacap Systems Inc. All rights

More information

Enterprise Vault.cloud Archive Migrator Guide. Archive Migrator versions 1.2 and 1.3

Enterprise Vault.cloud Archive Migrator Guide. Archive Migrator versions 1.2 and 1.3 Enterprise Vault.cloud Archive Migrator Guide Archive Migrator versions 1.2 and 1.3 Enterprise Vault.cloud: Archive Migrator Guide Last updated: 2018-01-09. Legal Notice Copyright 2018 Veritas Technologies

More information

HP IMC Smart Connect Virtual Appliance Software

HP IMC Smart Connect Virtual Appliance Software Data sheet HP IMC Smart Connect Virtual Appliance Software Key features Identity-based access, advanced device profiling, and real-time traffic quarantining Converged network support with universal policies

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

HP ProCurve Switch 212M and 224M

HP ProCurve Switch 212M and 224M HP ProCurve Switch 212M and 224M Management and Configuration Guide HP Networking For world-wide support on all HP Network Connectivity Products visit our web site at: http://www.hp.com/go/network_city

More information

ALM. Tutorial. Software Version: Go to HELP CENTER ONLINE

ALM. Tutorial. Software Version: Go to HELP CENTER ONLINE ALM Software Version: 12.55 Tutorial Go to HELP CENTER ONLINE http://admhelp.microfocus.com/alm/ Document Release Date: August 2017 Software Release Date: August 2017 ALM Legal Notices Disclaimer Certain

More information

Partner Information. Integration Overview Authentication Methods Supported

Partner Information. Integration Overview Authentication Methods Supported Partner Information Partner Name Product Name Integration Overview Authentication Methods Supported Client Integration F5 Networks FirePass VPN User Name - Security Code User Name - Password - Security

More information

Installation Guide Worksoft Certify

Installation Guide Worksoft Certify Installation Guide Worksoft Certify Worksoft, Inc. 15851 Dallas Parkway, Suite 855 Addison, TX 75001 www.worksoft.com 866-836-1773 Worksoft Certify Installation Guide Version 9.0.3 Copyright 2017 by Worksoft,

More information

LifeSize Control Installation Guide

LifeSize Control Installation Guide LifeSize Control Installation Guide January 2009 Copyright Notice 2005-2009 LifeSize Communications Inc, and its licensors. All rights reserved. LifeSize Communications has made every effort to ensure

More information

Management Software AT-S101. User s Guide. For use with the AT-GS950/8POE Gigabit Ethernet WebSmart Switch. Version Rev.

Management Software AT-S101. User s Guide. For use with the AT-GS950/8POE Gigabit Ethernet WebSmart Switch. Version Rev. Management Software AT-S101 User s Guide For use with the AT-GS950/8POE Gigabit Ethernet WebSmart Switch Version 1.0.0 613-000985 Rev. A Copyright 2008 Allied Telesis, Inc. All rights reserved. No part

More information

Implementation Guide for Symantec Endpoint Protection Small Business Edition

Implementation Guide for Symantec Endpoint Protection Small Business Edition Implementation Guide for Symantec Endpoint Protection Small Business Edition Implementation Guide for Symantec Endpoint Protection Small Business Edition The software described in this book is furnished

More information

IMC Network Traffic Analyzer 7.3 (E0504) Copyright 2015, 2017 Hewlett Packard Enterprise Development LP

IMC Network Traffic Analyzer 7.3 (E0504) Copyright 2015, 2017 Hewlett Packard Enterprise Development LP Network Traffic Analyzer 7.3 (E0504) Copyright 2015, 2017 Hewlett Packard Enterprise Development LP Table of Contents 1. What's New in this Release 2. Problems Fixed in this Release 3. Software Distribution

More information

HP ProCurve Switch 2400M and 4000M

HP ProCurve Switch 2400M and 4000M HP ProCurve Switch 2400M and 4000M Management and Configuration Guide Copyright 1998 Hewlett-Packard Company All Rights Reserved. This document contains information which is protected by copyright. Reproduction,

More information

QuickStart Guide for Managing Computers. Version

QuickStart Guide for Managing Computers. Version QuickStart Guide for Managing Computers Version 10.6.0 copyright 2002-2018 Jamf. All rights reserved. Jamf has made all efforts to ensure that this guide is accurate. Jamf 100 Washington Ave S Suite 1100

More information