HP PCM+ 4.0 Identity Driven Manager User's Guide


Copyright 2004, 2005, 2007, 2009, Hewlett-Packard Development Company, LP. All Rights Reserved.

Publication Number
August, 2012

Disclaimer
The information contained in this document is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statement accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Trademark Credits
Microsoft, Windows, Windows XP, and Windows Vista are U.S. registered trademarks of Microsoft Corporation. Intel and Pentium are trademarks of Intel Corporation in the U.S. and other countries. Adobe is a trademark of Adobe Systems Incorporated.

Warranty
See the Customer Support/Warranty booklet included with the product. A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer.

Hewlett-Packard Company
8000 Foothills Boulevard, m/s 5551
Roseville, California

Contents

1 Welcome to Identity Driven Manager
Introduction
Why IDM?
What's New in IDM 4.0?
IDM Architecture
Terminology
IDM Specifications
Supported Devices
Operating Requirements
Additional Requirements
Upgrading from Previous Versions of PCM and IDM
Migrating from PCM/IDM 3.x
Learning to Use PCM+ IDM
Getting IDM Support and Documentation From the Web

2 Getting Started
Before You Begin
Installing the IDM Agent
Checking IDM Server and Agent Connectivity
Using the IDM Auto-Discover Feature
IDM Configuration Process Overview
IDM Usage Strategies
Understanding the IDM Model
IDM GUI Overview
IDM Dashboard
Using the Navigation Tree
Toolbars and Menus
Using IDM as a Monitoring Tool
Using IDM Reports
Creating Report Policies
Configuring a Policy Action to Generate Reports
IDM Session Cleanup Policy
Monitoring User Session Information
Find User Session
User Reports
Show Mitigations
IDM Preferences
Using Active Directory Synchronization
Testing IDM's AD Sync Configuration

3 Using Identity Driven Manager
Understanding the IDM Configuration Model
Configuration Process Review
Configuring Identity Management
Configuring Locations
Adding a New Location
Modifying a Location
Deleting a Location
Configuring Times
Creating a New Time
Modifying a Time
Deleting a Time
Device Finger Printing
Configuring Device Finger Printing
User Agent To Device Types Mapping
Creating a New User Agent Mapping
Bulk Import of User Agent Pattern Mappings
Deleting a User Agent Mapping
Moving up User Agent Mapping
Moving down User Agent Mapping
Device Type Groups
Creating a New Device Type Group Object
Modify Device Type Group
Configuring Network Resources
Adding a Network Resource
Modifying a Network Resource
Deleting a Network Resource
Configuring Access Profiles
Creating a New Access Profile
Modifying an Access Profile
Defining Access Policy Groups
Creating an Access Policy Group
Modifying an Access Policy Group
Deleting an Access Policy Group
Configuring User Access
Adding Users to an Access Policy Group
Changing Access Policy Group Assignments
Using Global Rules
Configuring Auto-Allow OUIs
Viewing Auto-Allow OUIs and Network Access
Viewing Auto-Allow User Information
Monitoring OUI Events and User Session Information
Adding an OUI
About HP and Custom OUIs in Server/Config
Modifying an OUI
Moving an OUI to Another Access Policy Group
Deleting an OUI
Auto-Allow OUIs for 802.1x and Web Authentications
Deploying Configurations to the Agent
Using Manual Configuration
Defining New Domains
Modifying and Deleting Domains
Adding RADIUS Clients
Deleting RADIUS Servers
Adding New Users
Using the User Import Wizard
Importing Users from Active Directory
Importing Users from an LDAP Server
Importing Users from XML files
Importing SNAC Devices from a Comma Separated Value (CSV) file
Using the Secure Access Wizard
Overview
Supported Devices
Using Secure Access Wizard

4 Troubleshooting IDM
IDM Events
Pausing the Events Display
Using Event Filters
Viewing the Events Archive
Setting IDM Event Preferences
Using Activity Logs
Using Decision Manager Tracing
Quick Tips
Placing IDM Server into the AD Domain

A IDM Technical Reference
Device Support for IDM Features A-1
About Switch Support for MAFR and MBV A-1
Best Practices A-4
Types of User Events A-7

1 Welcome to Identity Driven Manager

Introduction

Network usage has skyrocketed with the expansion of the Internet, wireless, and convergence technologies. This increases the burden on network managers working to control network usage. Also, the complexity of large networks makes it difficult to control network access and usage by individual users.

Identity Driven Manager (IDM) is an add-on module to the HP PCM Plus (PCM+) application that extends the functionality of PCM+ to include authorization control features for edge devices in networks using RADIUS servers and Web Authentication, MAC Authentication, or 802.1X security protocols. Using IDM simplifies user access configuration by automatically discovering RADIUS servers, domains, and users. You can use IDM to monitor users on the network, and to create and assign access policies that dynamically configure edge devices (wired and wireless) and manage the network resources available to individual users. Using IDM, access rights, quality of service (QoS), bandwidth throttling, ACLs, and VLAN enrollment are associated with a user and applied at the point of entry, or edge, of the network.

Why IDM?

Today, access control using a RADIUS system and PCM devices (switches or wireless access points) is typically made up of several steps.

1. A user attempts to connect to the network.
2. The edge device recognizes a connection state change and requests identifying information about the user. This can include the MAC address, a username and password, or more complex information.
3. The switch forwards an access request, including the user information, to the authentication server (RADIUS).
4. The RADIUS server validates the user's identity in the user directory, which can be an Active Directory, a database, or a flat file. Based on the validation result received from the user directory, the authentication server returns an accept or deny response to the switch.

5. If the user is authenticated, the PCM device grants the user access to the network. If the user is not authenticated, access is denied.

For networks using IDM, access control is enhanced to include authorization parameters along with the authentication response. IDM enhances existing network security by adding network authorization information, with access and resource usage parameters, to the existing authentication process. Using IDM you can assign access rights and connection attributes at the network switch or access point, with dynamic configuration based on the time, place, and client that is generating the access request.

When using IDM, the authentication process proceeds as described in the first three steps, but from that point the process changes as follows:

4. The RADIUS server validates the user's identity in the user directory. Based on the validation result received from the user directory, the authentication server returns an accept or deny response to the switch or access point. When using IDM without SNAC, if the user is accepted (authenticated), the IDM Agent on the RADIUS server processes the user information. IDM then inserts the network access rights configured for the user into the authentication response sent to the switch or access point.
5. If the user is authenticated, the switch or access point grants the user access to the network. The (IDM) authorization information included in the authentication response is used to configure VLAN access, QoS and bandwidth parameters for the user, and what network resources the user can access based on the time and location of the user's login. If the user is authenticated by the RADIUS server, but IDM's authorization data indicates that the user is attempting to access the network at the wrong time, or from the wrong location or system, the user's access request is denied by IDM.

If a user is authenticated in RADIUS, but is unknown to IDM, IDM will not override RADIUS authentication and default switch settings, unless you configure it to do so. You can create a guest profile in IDM to provide limited access for unknown users.

What's New in IDM 4.0?

PCM+ Identity Driven Manager version 4.0 includes the following new features and enhancements:

- Registration Server enhancements to simplify administrative overhead in implementing network access control
- Simple Network Access Control (SNAC) support, including:
  - IAS/NPS RADIUS server support

  - An administrative GUI for configuration, events viewing and SSL certificate management
  - A SNAC-IDM communication interface
  - SNAC 802.1X hybrid solution support
  - Active Directory connection for verification and ongoing synchronization
  - The capability to register multiple devices per user
  - Multiple deployment support, including SNAC + IDM or Classic IDM only
- An integrated PCM/IDM installer
- IDM support for IPv6
- Auto-allow capabilities
- The capability to dynamically load OUIs from a file
- IDM GUI enhancements, including realm labels renamed to domain

IDM Architecture

In IDM, when a user attempts to connect to the network through a switch or access point, the user is authenticated via the RADIUS Server and user directory. Then, IDM is used to return the user's access profile along with the authentication response from RADIUS to the switch. The IDM information is used to dynamically configure the edge switch to provide the appropriate authorizations to the user, that is, what VLAN the user can access, and what resources (QoS, bandwidth) the user gets. The following figure illustrates the IDM architecture and how it fits in with RADIUS.

Figure 1-1. IDM Architecture

IDM consists of an IDM Agent that is co-resident on the RADIUS server, and an IDM Server and SNAC server that are co-resident with PCM+. Configuration and access management tasks are handled via the IDM GUI on the PCM+ management workstation.

The IDM agent includes:

- A RADIUS interface that captures user authentication information from the RADIUS server and passes the applicable user data (username, location, time of request) to the IDM Decision Manager. The interface also passes user access parameters from IDM to the RADIUS server.
- A Decision Manager that receives the user data and checks it against user data in the local IDM data store. Based on the parameters defined in the data store for the user data received, the Decision Manager outputs access parameters for VLAN, QoS, bandwidth, and network resource access to the RADIUS interface component.
- A Local Data Store that contains information on Users and the Access Policy Groups to which the user belongs. The Access Policy Group defines the rules that determine the user's access rights.

The IDM Server provides IDM configuration and monitoring. It operates as an add-on module to PCM+, using the PCM model database to store IDM data, and a Windows GUI (client) to provide access to configuration and monitoring tools for IDM. You use the IDM GUI to monitor IDM Agent status and users logged into the network, and to manage IDM configuration, including:

- Defining access parameters for the network, such as locations, times, network resources, and access profiles
- Creating access profiles that define the network resources and attributes (VLAN, QoS, bandwidth) assigned to users in an Access Policy Group
- Creating Access Policy Groups with rules (access policies) that will be assigned to users in that Group
- Assigning users to Access Policy Groups
- Deploying IDM configuration data to the IDM Agent on the RADIUS server

The SNAC server provides registration and administration interfaces. It communicates with Active Directory in order to verify end-user credentials, and with the IDM server so that SNAC users who register are assigned to the appropriate Access Policy Group, added to an IDM local data store, and distributed to all the IDM Agents for automatic authentication throughout the network.

Terminology

Access Policy Group: An IDM access policy group consists of one or more rules that govern the login times, devices, quality of service, bandwidth, and VLANs for users assigned to the access policy group.

Access Profile: An IDM access profile sets the VLAN, quality of service, and bandwidth (rate-limits) applied when a user logs in and is authenticated on the network.

Authentication: The process of proving the user's identity. In networks this involves the use of usernames and passwords, network cards (smartcards, token cards, and so forth), and a device's MAC address to determine who and/or what the user is.

Authentication Server: Authentication servers are responsible for granting or denying access to the network. Also referred to as RADIUS servers because most current authentication servers implement the RADIUS protocol.

Authorization: The process that determines what an authenticated user can do. It establishes what network resources the user is, or is not, permitted to use.

Bandwidth: Amount of network resources available. Generally used to define the amount of network resources a specific user can consume at any given time. Also referred to as rate-limiting.

Client: An end-node device such as a management station, workstation, or mobile PC attempting to access the network. Clients are linked to the switch through a point-to-point LAN link, either wired or wireless.

Directory Name: Directory Name (DN) is an identifier that uniquely represents an object in the X.500 Directory Information Tree (DIT) [X501]. (See: domain name.) A DN is a set of attribute values that identify the path leading from the base of the DIT to the object that is named. An X.509 public-key certificate or CRL contains a DN that identifies its issuer, and an X.509 attribute certificate contains a DN or other form of name that identifies its subject.

Domain: A domain is a group of computers and devices on a network that are administered as a unit with common rules and procedures. Within the internet, domains are defined by the IP Address. All devices sharing a common part of the IP address are said to be in the same domain.

Edge Device: A network device (switch or wireless access point) that connects the user to the rest of the network. The edge devices can be engaged in the process of granting user access and assigning a user's access rights and restrictions.

Endpoint Integrity: Also referred to as Host Integrity, this refers to the use of applications that check hosts attempting to connect to the network to ensure they meet requirements for configuration and security. Generally to make sure that virus checking and spyware applications are in place and up to date.

IDM Agent: The IDM Agent resides on the RADIUS server. It inspects incoming authentication requests, and inserts appropriate authorization information (IDM Access Profiles) into the outgoing authentication reply.

QoS: Quality of Service, relates to the priority given to outbound traffic sent from the user to the rest of the network.

RADIUS: Remote Authentication Dial-in User Service (though it also applies to authentication service in non-dial-in environments).

RADIUS Server: A server running the RADIUS application on your network. This server receives user connection requests from the switch, authenticates users, and then returns all necessary information to the edge device.

VLAN: A port-based Virtual LAN configured on the switch. When the client connection terminates, the port drops its membership in the VLAN.

IDM Specifications

Supported Devices

For a list of IDM 4.0 features supported on HP Networking devices, refer to Device Support for IDM Features on page A-1.

Operating Requirements

For operating requirements, refer to the Supported IDM Environments section in the PCM+ 4.0 Installation and Getting Started Guide.

Additional Requirements

- Implementation of an access control method, using either MAC-auth, Web-auth, or an 802.1X supplicant application. For assistance with implementation of RADIUS and access control methods for use with PCM switches, refer to the Access Security Guide that came with your switch. All PCM switch manuals can also be downloaded from the PCM web site. For assistance with using RADIUS and 802.1X access control methods, contact the PCM Elite Partner nearest to you that can provide PCM+ Access Control Security solutions. You can find PCM Direct Elite partners on the Find a Partner link at
- If you plan to restrict user access to specific network segments, you will need to configure VLANs within your network. For information on using VLANs, refer to the HP PCM+ 4.0 Network Administrator's Guide, or the configuration guides that came with your switch.

Upgrading from Previous Versions of PCM and IDM

The installation package for PCM+ contains the IDM 4.0 installation files. If you are running earlier versions of IDM, you must select the IDM option during the PCM+ 4.0 install process. This is required to support changes made in the underlying PCM and IDM databases.

If you want to test the IDM 4.0 functionality using the free 60-day trial provided with the PCM+ 4.0 auto-update package, you need to install the software on a separate system that has no previous IDM version installed or in use.

When you upgrade to IDM 4.0, you need to manually install the IDM Agent upgrade on each of your RADIUS Servers. Refer to Installing the IDM Agent on page 2-1 for detailed instructions.

Migrating from PCM/IDM 3.x

The following migration paths are supported for IDM 4.0:

- PCM 3.0 with IDM 3.0
- PCM 3.1 with IDM 3.01
- PCM 3.2 with IDM 3.2

For information on migrating from these versions, refer to the PCM+ 4.0 Migration Guide.

Learning to Use PCM+ IDM

The following information is available for learning to use PCM+ Identity Driven Manager (IDM):

- This User's Guide helps you become familiar with using the application tools for access control management.
- Online help information provides information through Help buttons in the application GUI that provide context-sensitive help, and a table of contents with hypertext links to additional procedures and reference information.
- HP PCM+ Network Management Installation and Getting Started Guide provides details on installing the application and licensing, and an overview of PCM+ functionality.

For additional information on configuring your network, refer to the documentation that came with your switches.

Getting IDM Support and Documentation From the Web

Product support and documentation is available on the Web at:

Information available at this site includes:

- Product Manuals
- Software updates
- Links to Additional Support information
- A Find a Partner link

You can also call your HP Authorized Dealer or the nearest HP Sales and Support Office, or contact the partner nearest you for information on PCM+ Access Control Security solutions.

2 Getting Started

Before You Begin

If you have not already done so, please review the list of supported devices and operating requirements under IDM Specifications on page 1-8.

If you intend to restrict user access to specific areas of the network using VLANs, make sure you have set up your network for use of VLANs. For details on configuring VLANs, refer to the HP PCM+ 4.0 Network Administrator's Guide, or the Advanced Traffic Management Guide for your PCM+ switch.

The IDM Client is included with the PCM+ software. To install a remote PCM/IDM Client, download the PCM Client to a remote PC using the same process as for installing the IDM Agent and select the PCM Client option from the PCM server. For detailed instructions, see the HP PCM+ 4.0 Network Management Installation and Getting Started Guide.

Installing the IDM Agent

The IDM application components are installed as part of the PCM+ 4.0 software installation, and enabled via a license request. The IDM Agent can be installed on a Windows IAS or NPS RADIUS server or a supported Linux RADIUS server.

Installing on a RADIUS Server

During the installation process, you will be prompted to enter the IP address of the PCM Server. This is needed to establish communication between the IDM Agent on the RADIUS server, and the IDM application on the PCM Server.

The IDM Agent can only be installed on a system with the RADIUS server configured. If the RADIUS server is not found on the system, the IDM Agent installation displays an error message, and the installation process is aborted.

On the computer where the IDM Agent will be installed:

1. Start a web browser and type the IP address of the PCM server computer followed by a colon and the port ID. For example, if the IP address of the server computer is , enter the following URL:

2. From the available downloads list, click Windows PCM/IDM Agent Installer and then click Save to download the file.
3. Once the download completes, close the download window and the web browser.
4. Open the downloaded PCM-agent-setup.exe file by double-clicking it. The Agent Installation Wizard will then guide you through the installation.

Figure 2-1. Agent Information

On the Agent Information window of the Agent Installation Wizard:

a. Select IDM Agent.
b. Type a Name and, optionally, a Description for the Agent.
c. The IDM Agent passwords for both server-initiated connections and agent-initiated connections must match the password used for the PCM Server. If the PCM Server uses the default password, select the Use Factory Default check box. If the PCM Server uses a specific password, then clear the check box and type the same password in the Password field.
d. If you do not want to use the default Web Management Port 8080, clear the corresponding Use Factory Default check box and enter the web management port that will be used to authenticate with the PCM server.

5. On the Server Information window, configure the Agent-server connection settings and any required server information.

Figure 2-2. Server Information

For the Agent to communicate with the PCM server, these values MUST MATCH the values set on the PCM server for this Agent.

a. If the Agent will initiate connection to the PCM server, select the Agent Initiates Connection check box. If the PCM server will initiate a connection to the Agent, ensure this check box is not checked. All Agents that initiate connection to the PCM server must use the same port number and encryption type as configured in the Agent Manager Server Setup tab.
b. To change the default Port that the Agent will use to communicate with the PCM server, clear the related Use Default check box and type the desired port. The default PCM server port is 51111, which can be changed to any unused port during PCM server installation or at the PCM server.
c. If you do not want to encrypt data sent to the PCM server, clear the related Use Default check box and select Plain Text from the Encryption list. The default encryption method is SSL. If the PCM server is behind a firewall, HP recommends using SSL encryption.
d. In the IP Address field, type the IP address of the PCM server if the Agent is initiating the connection to the PCM server.

e. To change the default Password that the Agent will use to communicate with the PCM server, clear the related Use Default check box and type the desired password. This must match the password set on the Agent Manager Server Setup tab.

Once installed, the IDM Agent begins collecting User, Domain, and RADIUS data.

Installing on a Linux System

To install the IDM Agent on a supported Linux system:

1. Start a web browser, and type the IP address of the PCM server computer followed by a colon and the port ID. For example, if the IP address of the server computer is , enter the following URL:
2. From the list of available downloads, click IDM FreeRADIUS Agent and then click Save to download the file.
3. Once the download completes, move the file to a location accessible by the target Agent system, if necessary.
4. Extract the downloaded HpIdmLinuxAgentInstaller-<version>.tar.gz file to a temporary location on the RADIUS server.
5. Change to the HpIdmLinuxAgentInstaller-<version> directory, run install.sh as root, and then follow the prompts.

Checking IDM Server and Agent Connectivity

Check the Agent Status pane on the IDM Dashboard to verify that the IDM Server and IDM Agent are installed and running. To do so:

1. From the bottom of the PCM navigation tree, select the Identity tab.
2. From the IDM navigation tree, select the Identity Management Home node.
3. In the right pane, select the Dashboard tab and review the Agent Status.

You can also check the Event Log for the RADIUS server for the event "RADIUS server or Agent connected".

Using the IDM Auto-Discover Feature

You can manually configure the RADIUS server, Domains, and Users in IDM, or you can let IDM do the hard work for you. And, you have two options for automatically discovering users. Either enable Active Directory synchronization to import users from the Active Directory, or install the IDM Agent on the system with the

RADIUS Server, then let it run to collect the information as users log into the network. Even after you begin creating configurations in IDM, both options continue to collect information on users and Domains (domains in Active Directory) and pass that information to the IDM server.

If you are using multiple RADIUS servers, you need to install an IDM Agent on each of the servers. The IDM Agent collects information only on the system where it is installed. The IDM client can display information for all RADIUS servers where the IDM Agent is installed.

When you start the IDM Client and expand the navigation tree in the IDM Dashboard tab, you will see any discovered or defined Domains found on the RADIUS server, along with the IP address for the RADIUS Server(s).

IDM Configuration Process Overview

To configure IDM to provide access control on your network, first let IDM run long enough to discover the Domains, RADIUS servers, and users on your network. Once IDM has performed these tasks for you, your configuration process would be as follows:

1. If you intend to use them, define locations from which users will access the network. A location may relate to port-based VLANs, or to all ports on a device. (See page 3-5.)
2. If you intend to use them, define times at which users are allowed or denied access. This can be by day, week or even hour. (See page 3-12.)
3. Define any network resources (systems and applications) that you want to specifically allow or restrict users from accessing.
4. If you intend to restrict a user's access to specific systems, you need to set the User profile to include the MAC address for each system that the user is allowed to log in on. (See page 3-77.)
5. Create the Access Profiles, to set the VLAN, QoS, and rate-limit (bandwidth) attributes, and the network resources that are available, to users in an Access Policy Group. (See page 3-32.)
6. Create an Access Policy Group, with rules containing the Location, Time, System, and Access Profile that is applied to users when they log in. (See page 3-42.) OR, if using Active Directory synchronization, add rules and Access Profiles to the Access Policy Groups automatically created by Active Directory synchronization.

7. If Active Directory synchronization is not used, assign Users to the appropriate Access Policy Group. (See page 3-49.)
8. If automatic deployment is disabled, deploy the configuration policies to the IDM Agent on the RADIUS server. (See page 3-66.)
9. Configure Auto-allow OUIs for the devices that will perform MAC authentication. (See page 3-54.)

IDM Usage Strategies

You can use IDM to simply monitor user activity on the network, or to apply user authentication rules to improve network security and performance. The following table identifies the IDM configuration for various deployment and usage strategies for IDM.

Table 2-1. IDM Deployment and Usage Strategies

Capability columns: Authenticate; Authorize (VLAN, QoS, Rate-Limit); Network Resources. Strategies, in order of increasing scope:

- Monitors and reports user activity.
- Enhances normal RADIUS authentication with Location, Time, and System rules.
- Provides rudimentary VLAN segregation (Unknown Users, Guests, Visitors, Contractors).
- Provides complete VLAN placement for all Users.
- Provides QoS and Rate-limits per User.
- Provides VLAN, QoS, and Rate-limit attributes, and accessibility of defined Network Resources for all users, based on Location, Time, and System.

Understanding the IDM Model

The first thing to understand is that IDM works within the general concept of domains. Basically, domains are very large organizational units; every user belongs to one, and only one, domain. While it is possible to have multiple domains, most organizations have only one, for example, hp.com or csuchico.edu.

The basic operational model of IDM involves Users and Groups. Every User belongs to a Group and, in IDM, these are called Access Policy Groups (APGs). Each APG has an Access Policy defined for it, which governs the access rights that are applied to its Users as they enter the network.

In the IDM GUI, the top level of the navigation tree is the Domain, with all other information for APGs and RADIUS Servers beneath the Domain in the navigation tree. Users are linked to the Domain to which they belong, and the Access Policy Group to which they are assigned.

The IDM configuration tools are available at the top level. The definition of times, locations, network resources, and access profiles is independent of individual Domains or Groups. You can define multiple locations, times, and network resources, then create multiple access profiles to be applied to any Access Policy Group, in any Domain that exists within IDM.
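The authorization step that "Why IDM?" and the IDM Architecture section describe (the Decision Manager on the RADIUS server checking the user against Access Policy Group rules for Location and Time, then inserting an Access Profile into the Access-Accept, or denying the request), together with the User/APG/Access Profile model above, can be made concrete with a small simulation. The following is an added example written for this guide, not HP's code; the IDM Agent's real implementation and data formats are not documented here, so every class, attribute name and sample value below is an assumption. The VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) are the standard RFC 3580 ones; the QoS and rate-limit keys are placeholders, since real switches carry those in their own vendor-specific attributes.

```python
# Added example (not HP's code): a stand-in for the IDM Agent's Decision Manager
# as this guide describes it. All class names, attribute names and sample data
# are assumptions constructed for illustration.
from dataclasses import dataclass
from datetime import datetime

# RFC 3580 tunnel attributes carry the VLAN assignment in an Access-Accept.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


@dataclass(frozen=True)
class AccessProfile:
    """VLAN, QoS and bandwidth attributes applied to an authenticated user."""
    name: str
    vlan: int
    qos_priority: int      # 0-7 (assumed representation of the QoS setting)
    rate_limit_kbps: int   # per-user bandwidth cap


@dataclass(frozen=True)
class Location:
    """A set of edge devices, identified by their RADIUS NAS-IP-Address."""
    name: str
    nas_ips: frozenset     # empty set = any device

    def contains(self, nas_ip: str) -> bool:
        return not self.nas_ips or nas_ip in self.nas_ips


@dataclass(frozen=True)
class TimeWindow:
    """Days and hours during which a rule applies; hours are [start, end)."""
    name: str
    weekdays: frozenset    # 0 = Monday ... 6 = Sunday; empty set = any day
    start_hour: int = 0
    end_hour: int = 24

    def contains(self, when: datetime) -> bool:
        day_ok = not self.weekdays or when.weekday() in self.weekdays
        return day_ok and self.start_hour <= when.hour < self.end_hour


@dataclass(frozen=True)
class Rule:
    location: Location
    time: TimeWindow
    profile: AccessProfile


@dataclass(frozen=True)
class AccessPolicyGroup:
    name: str
    rules: tuple           # evaluated in order; first match wins (assumption)


class DecisionManager:
    """Runs only after RADIUS has accepted the user; decides what IDM adds."""

    def __init__(self, user_groups, groups, guest_profile=None):
        self.user_groups = user_groups      # username -> APG name (local data store)
        self.groups = groups                # APG name -> AccessPolicyGroup
        self.guest_profile = guest_profile  # optional profile for unknown users

    @staticmethod
    def reply_attributes(profile):
        return {
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
            "Tunnel-Private-Group-Id": str(profile.vlan),
            # Placeholder names: real switches use vendor-specific attributes.
            "X-IDM-QoS-Priority": profile.qos_priority,
            "X-IDM-Rate-Limit-Kbps": profile.rate_limit_kbps,
        }

    def authorize(self, username, nas_ip, when):
        """Return (reply code, attributes) for the reply the edge device sees."""
        group_name = self.user_groups.get(username)
        if group_name is None:
            # Unknown to IDM: leave the RADIUS accept and switch defaults alone,
            # unless a guest profile for unknown users has been configured.
            if self.guest_profile is None:
                return "Access-Accept", {}
            return "Access-Accept", self.reply_attributes(self.guest_profile)
        for rule in self.groups[group_name].rules:
            if rule.location.contains(nas_ip) and rule.time.contains(when):
                return "Access-Accept", self.reply_attributes(rule.profile)
        # Authenticated by RADIUS, but wrong time or location for this user.
        return "Access-Reject", {}


def build_sample_manager(guest=False):
    """Constructed sample configuration; addresses and names are made up."""
    anywhere, always = Location("Anywhere", frozenset()), TimeWindow("Always", frozenset())
    lobby = Location("Lobby", frozenset({"10.0.0.2"}))
    business_hours = TimeWindow("Business hours", frozenset(range(5)), 8, 18)
    engineering = AccessProfile("Engineering", vlan=10, qos_priority=5, rate_limit_kbps=100_000)
    contractor = AccessProfile("Contractor", vlan=30, qos_priority=2, rate_limit_kbps=5_000)
    groups = {
        "Engineering": AccessPolicyGroup("Engineering", (Rule(anywhere, always, engineering),)),
        "Contractors": AccessPolicyGroup("Contractors", (Rule(lobby, business_hours, contractor),)),
    }
    users = {"alice": "Engineering", "bob": "Contractors"}
    guest = AccessProfile("Guest", vlan=99, qos_priority=0, rate_limit_kbps=1_000) if guest else None
    return DecisionManager(users, groups, guest)


def sample_decision(username, nas_ip, when_iso, guest=False):
    """Run one request (time as ISO string) through the constructed sample config."""
    return build_sample_manager(guest).authorize(username, nas_ip, datetime.fromisoformat(when_iso))


if __name__ == "__main__":
    for user, nas in (("alice", "10.0.0.5"), ("bob", "10.0.0.2"), ("bob", "10.0.0.5"), ("eve", "10.0.0.5")):
        print(user, nas, sample_decision(user, nas, "2012-08-06T10:00"))
```

Running the block shows the three outcomes the guide distinguishes: a known user whose rules match gets the VLAN and profile attributes added to the accept; a known user outside the permitted location or time window is rejected even though RADIUS authenticated them; an unknown user passes through untouched unless a guest profile is configured. Keeping the rule evaluation separate from the attribute encoding is what lets the same decision logic feed different switch vendors' attribute sets.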

IDM GUI Overview

To use the IDM client, launch the PCM Client on your PC by selecting the PCM option from the Windows Program menu. The PCM Client will start up and the Login window will be launched.

Figure 2-3. PCM Login

If you did not enter a Username or Password during install, type in the default Username, Administrator, then click Login. For additional information on using the PCM Client, refer to the HP PCM+ 4.0 Network Administrator's Guide.

Click the Identity tab at the bottom left of the PCM window to display the IDM Dashboard.

Note: You can also access the IDM Dashboard by selecting the Network Management Home node from the PCM navigation tree and clicking the Identity Driven Manager tab at the top of the right pane.

Figure 2-4. IDM Dashboard

The IDM initial display provides a quick view of IDM status in the Dashboard tab, along with an Events tab, navigation tree, and access to menu and toolbar functions. You can resize the entire window, and/or resize the panes (sub-windows) within the Identity Management Home window frame.

Notes: If the IDM Dashboard shows the IDM Agent Status as inactive, and the Inventory and Logins panes show no data:

- Check the PCM Events tab for the following entry: PCM remote client authentication failure: <ip address>
- Check for IDM application events related to devices supporting or not supporting the configuration.

IDM Dashboard

The IDM Dashboard is a monitoring tool that provides a quick summary view of IDM users, RADIUS servers, and events. The Dashboard can be viewed:
- From within PCM, by selecting Network Management Home and clicking the Identity Driven Manager tab.
- By clicking the Identity tab at the bottom of the PCM navigation tree.

The Dashboard tab contains the following panes of status information:

Table 2-2. IDM Dashboard Status Information
Pane: Displays...
Events: The total number of outstanding IDM events and the number of IDM events in each state. Clicking anywhere in the IDM Events pane or clicking the Events tab displays the IDM Events window, which contains detailed information about each event.
Access Policy Group Assignment: A pie chart showing the number of users assigned to each Access Policy Group. Mousing over a section of this chart displays information for the group and its users.
Agent Status: A color-coded graph showing the number of currently active and inactive IDM agents installed on RADIUS servers.
Logins per Hour: A scrolling 24-hour display that summarizes the total number of successful and failed IDM user logins at any given time during the past 24 hours. Information in this pane is updated every minute.
SNAC status: SNAC-IDM connection status.
AD status: IDM-AD connection status.
Users Logged In: A scrolling 24-hour display that shows the total number of users logged in at any given time during the past 24 hours. Information in this pane is updated every minute.

Using the Navigation Tree

The navigation tree in the left pane of the IDM window provides access to IDM features using the standard Windows file navigation system. Click the nodes to expand the list and change the display in the right window pane.

Domains List

The top level of the tree lists each of the Domains that have been discovered by an IDM Agent or defined manually. Clicking on the Domains node in the tree displays the Domain List in the right pane of the window. Expanding the node displays each Domain name in the tree, and assigned RADIUS Servers if they exist.

Figure 2-5. Domain List tab

Domain Tabs

Expanding the Domains node and clicking a domain in the tree displays the Dashboard tab in the right pane, along with the Properties, Global Rules, Auto-Allow OUIs and Users tabs.

Figure 2-6. Domain - Dashboard tab

Domain Dashboard tab: The Domain Dashboard is a monitoring tool that provides a quick summary view of IDM users and Agents. The Dashboard tab is similar to the IDM Dashboard but contains statistics for the selected domain only.

Table 2-3. Domain Dashboard Status Information
Pane: Displays...
Agent Status: A color-coded graph showing the number of currently active and inactive IDM agents installed on RADIUS servers.
Access Policy Group Assignment: The number of users assigned to each Access Policy Group in the domain and the total number of those users that are currently logged in. You can hide the legend for this pane by clearing the Legend check box.

Table 2-3. Domain Dashboard Status Information (Continued)
Pane: Displays...
Top talkers: Input octets (bytes), output octets, or both. Use the list in this pane to select whether to display input octets, output octets, or both. You can hide the legend for this pane by clearing the Legend check box.
Users logged in: A scrolling 24-hour display that shows the total number of users logged in at any given time during the past 24 hours. Information in this pane is updated every minute.
Successful logins per Access Policy: A pie chart showing the number of successful and failed IDM user logins to each Access Policy Group during the selected time period. Use the list in this pane to select the time period reflected in the chart. Mousing over a section of this chart displays information for the group and its users. You can also hide the legend for the chart by clearing the Legend check box.
Logins per hour: A scrolling 24-hour display that summarizes the total number of successful and failed IDM user logins at any given time during the past 24 hours. Information in this pane is updated every minute.

Domain Properties tab: Selecting an individual domain in the tree and then clicking the Properties tab displays summary information about a Domain and its assignments. It also shows when the Domain was last deployed, which is especially useful when you have made recent changes or are investigating IDM events.

Figure 2-7. Domain - Properties tab

The following information is shown on the Domain Properties tab:

Table 2-4. Domain Properties Information
Field: Displays...
Domain Name: Name used to identify the Domain.
Domain Alias: Alternate name for the Domain (usually the NETBIOS name).
Is Default Domain: Whether the Domain is set as the default Domain: true means this Domain is the default Domain and false means it is not. The default Domain is used when IDM cannot determine the Domain for a RADIUS server or user login.

Table 2-4. Domain Properties Information (Continued)
Field: Displays...
Last Deployed: Date and time the policy was last deployed. Use this field to ensure that the current Domain attributes have been deployed.
Number of Access Policy Groups: Total number of Access Policy Groups currently assigned to the Domain.
Number of RADIUS Servers: Total number of RADIUS servers assigned to the Domain.
Number of RADIUS Users: Total number of users assigned to Access Policy Groups used for the Domain and currently logged in.
Description: Brief description of the Domain.

Domain Global Rules tab: Clicking this tab displays rules that override Access Policy Group rules and provides functions to configure and prioritize global rules. See Using Global Rules.

Domain Auto-Allow OUIs tab: Clicking this tab displays automatic authentication information for static devices based on their MAC address prefix (in addition to the traditional authentication methods that IDM supports, such as 802.1X, MAC-Auth, and Web-Auth).

Figure 2-8. Domain - Auto-Allow OUIs tab

Domain Users tab: Clicking this tab displays a list of users in the Domain that were discovered by the IDM Agent or defined manually. Two additional columns, Device Type and User-Agent, are available on this tab. By default, these columns are not shown; an administrator can choose to display them.

Figure 2-9. Domain Users tab

Expanding the Domain node in the tree displays the Access Policy Groups and RADIUS Servers nodes for the Domain.

Filtering support for the Users tab: Filtering functionality has been added to the Users tab. Users can filter the table content based on the following columns: AuthID, Domain, E-mail, MAC Prefix, Name, Owner and Phone.

Access Policy Groups node

Clicking the Access Policy Groups node displays the Access Policy Groups tab with a list of currently configured groups. You can also expand the node to view the APGs in the tree.

Figure: Access Policy Groups tab

Click an individual group node in the navigation tree to display the group's Dashboard, Properties, Auto-Allow OUIs and Users tabs. The information displayed for the selected policy group is similar to the Domain tab displays described above.

RADIUS Servers node

Clicking the RADIUS Servers node displays the RADIUS List tab, with status and configuration information for each RADIUS Server in the Domain that has an IDM Agent installed or that is manually defined.

Figure: RADIUS List tab

You can expand the RADIUS Servers node to view the servers in the tree. Click an individual server to display the RADIUS Server Properties.

Figure: RADIUS Server Properties tab

The Activity Log tab underneath the properties display contains a listing of IDM application events for that RADIUS server, such as server startup, server connections, user logins, IDM configuration deployment, and so forth.

Toolbars and Menus

Because IDM is a module within PCM+, it uses the same main menu and global toolbar functions. Individual tabs or windows within the IDM module also include separate component toolbars. The functions available in the component toolbar vary based on the applicable functions for that component. Toolbar buttons for disabled functions are grayed out. The component toolbar options are described under the process they support in the next chapter. Hover the mouse over a button to display its Tooltip.

Using Right-Click Menus

You can also access most of the functions provided with IDM via right-click menus. To use the right-click menu, select an object (node) in the navigation tree on the left of the screen, then right-click to display the menu. You can also access right-click menus when an item is selected in a list on the tab window displays.

Figure: IDM Right-click menu

The options available in the right-click menu vary based on the node or list item you have selected. Disabled functions are grayed out.

Using IDM as a Monitoring Tool

Whether or not you configure and apply access and authorization parameters using IDM, you can use IDM to monitor user sessions on the network and generate usage reports. You can use the monitoring features along with the IDM Reports to track usage patterns, user session statistics, bandwidth usage, top users, and so on. The User Session information can also be used to track current user sessions and modify the User's access to network resources if needed.

Note: Session accounting must be enabled on switches, wireless controllers, and wireless access points, as well as in IDM, for monitoring and user session accounting to work. Refer to the section on RADIUS Authentication and Accounting in the Access and Security Guide provided with the PCM switch for details on enabling session accounting.

You can enable or disable IDM monitoring using the IDM Preferences. Using the IDM Preferences, you can also configure IDM to work with existing Endpoint Integrity applications, which determine whether authenticating clients comply with the rules and requirements (for firewalls, anti-virus, and so forth) that have been set up in the domain.

Note: If you are using Web-Auth or MAC-Auth for user authentication, user session statistics are unavailable from the switch and cannot be collected unless the switch firmware supports accounting for Web-Auth and MAC-Auth sessions. Not all switch software versions support this. Check the HP Networking Support web site for updates.

Using IDM Reports

IDM provides reports designed to help you monitor and analyze usage patterns for network resources. Report options are available from the Reports > User Access Control menu at the top of the IDM main window. The Report wizard screens and report parameters vary depending on the type of report selected.

Selecting a report from the Reports > User Access Control list launches the Report wizard, which you can use to set filter options and selectable data elements. When you click Finish, the report is generated and displayed, similar to the following example:

Figure: IDM Configuration Report

You can save the report to a file or print the report. To apply customized Report Header information for your company, use the Reports option in global preferences (Tools > Preferences > Reports). You can also schedule reports to be created at recurring intervals by creating a policy with PCM's policy manager, as described in Creating Report Policies.

Each of the available reports is summarized below, along with the report filter options and configurable report parameters, if applicable.

Notes:
- You must have the Enable user session accounting option selected in IDM Preferences in order to collect bandwidth and other user session data for reports.

- By default, all user history is reset and all session history is deleted by the predefined IDM Session Cleanup policy on the first day of each month at midnight. However, the IDM Session Cleanup policy can be modified to fit your needs.

The following IDM reports are available:

Table 2-5. IDM Reports
Report: Contents
Configuration: Detailed information for every Domain, RADIUS server, Access Policy Group, and, optionally, user that the IDM agent has learned or that has been defined in IDM. Domain information includes the most recent deployment date and the number of assigned users and RADIUS servers. The RADIUS server section includes the server name, whether the server is currently active, the number of successful and failed logins since midnight of the current day, and the number of Domains defined on the server (similar to that shown on the RADIUS Server Properties window). The Access Policy Group section includes the Access Policy Group name, the number of Domains to which the Access Policy Group is assigned, and the number of users assigned to the Access Policy Group. The Users section shows the Domain and Access Policy Group to which the user is assigned, username, date and time of last login, and input, output, and total bytes used during the reporting period. To collect report data, ensure the Identity Management Preferences are set to enable user session accounting.
Endpoint Integrity: Whether a computer used to log in complies with corporate standards monitored by a third-party endpoint integrity solution. If the RADIUS server used to authenticate the user has an endpoint integrity solution, the computer where the user logged in may be checked for integrity criteria such as up-to-date anti-virus software and an authorized operating system. This report is especially helpful in identifying computers that require anti-virus, operating system, or other software installations/updates.
IDM Statistics: Total hourly and daily logins and bandwidth usage during the reporting period. This report is especially helpful in identifying access profiles that require bandwidth adjustment and hardware components that require maintenance.

Table 2-5. IDM Reports (Continued)
Report: Contents
Session History Details: Detailed information about all login attempts, whether successful or failed. This report is especially helpful in identifying login failures and whether an access profile, location, or user needs to be modified in PCM. Once the initial report dates and filters are set, you can also configure which columns you want to include in the report. The available column headings include: RADIUS Server IP, Location, MAC Address, Device, Device Port, VLAN, QOS, Endpoint Integrity State.
Unsuccessful Logins: Failed system logins, which can be filtered by date.
User Bandwidth Usage: Summary of system usage by users. This report can include all users or be limited to only the top bandwidth users during the reporting period. This report is especially helpful in identifying candidates for throttling.
User MAC Addresses: MAC address of every computer from which the user logged in during the report period. This report is especially helpful when setting up login restrictions and for accounting purposes.
User Report: Information for recent sessions in which the user participated, similar to the Session History report. To display the User Report, select a username in the Users tab of the Access Policy Group or RADIUS Server window, and then click the Show User Report button in the toolbar.

Creating Report Policies

You can also use the Policy Manager feature to schedule reports to be created at regular intervals, or in response to an event. For complete details on creating policies, refer to Configuring Policies in the HP PCM Network Administrator's Guide. The basic process for creating a Report Policy is:
- Time: Configure the Time periods when the report policy can be executed. If no time is specified, the policy can execute at any time.
- Alerts: Use the Scheduled Alert option to set a recurring schedule for a report to be generated. Alerts serve as the trigger used to launch an Action. Alerts can be event-driven, or scheduled to occur at a specified time.
- Action: Configure the Report Manager:GenerateReport type(s) for the policy. The following section describes the Report action types and the configurable parameters and filters for each report type.

You do not need to configure the Sources or Targets for a Report Policy, since you select the device groups the policy applies to in the Report Action.

Configuring a Policy Action to Generate Reports

To configure a Policy Action to run a report:

1. Click the Policy Manager button in the toolbar, OR select Tools > Policy Manager to launch the Policy Configuration Manager window.
2. Click the Actions node in the Policy Manager window to display the Manage Actions pane.

Figure: Policy Manager, Actions

The Manage Actions window displays the list of defined Actions.

3. Click New to launch the Create Action dialog.

Figure: Policy Manager, Create Action

4. Select the Report Manager:Generate Report Action type from the menu.

Figure: Policy Manager, Select Action

5. Type a Name for the Action (required) and a brief Description (optional).
6. Click OK to save the Action and display the Action Properties tab. The properties you set in the previous step are displayed.

Figure: Policy Manager: Report Manager Action configuration

At this point the other tabs displayed are:
- Type: Lets you select the Report type you want to generate. As soon as you select a report type, additional tabs may appear in the window depending on the filter criteria for the report.
- Format: Lets you set the report output format.
- Delivery: Lets you select where the report will be sent (to file, e-mail, and so forth).

7. Click the Type tab and select the IDM Report type you want included in the action. In this example, a Network Activity report is selected, so the corresponding report filter tabs are added to the window.

Figure: Report Manager Action, Report Type selection

8. Click a report filter tab to select the report criteria to be applied when generating the report. The filter options vary based on the selected report.
9. Click the Format tab.

Figure: Report Manager Action: Report format selection

10. Select how you want to generate the report from the following options.

Table 2-6. IDM Status Report Options
Select...: To produce the report...
PDF: In .pdf format. To view this file format, you need Adobe Acrobat Reader, which can be downloaded free from Adobe.
HTML: In .html format, which can be viewed with any Web browser.
CSV: Using comma-separated values with double quotes. This report can be viewed using WordPad or Notepad, or imported into spreadsheet programs such as Excel.
ODT: In Open Office .odt format.
XLS: In .xls format, which can be viewed in MS Excel spreadsheets.
RTF: In .rtf format, which can be viewed in most word processing applications.

11. Click the Delivery tab to configure the method used to deliver the report.

Figure: Report Manager Action: Report Delivery method

E-mail is the default delivery method. It e-mails the report to the e-mail address specified. It also requires that you have an SMTP profile for the e-mail address. See Creating SMTP Profiles in the HP PCM+ 4.0 Network Administrator's Guide for details. Use the menu to select a different delivery method.

Figure: Report Manager Action: Select Delivery Method

Selecting FTP as the delivery method lets you save the report on an FTP site. However, proxy support is not provided.
a. In the FTP Server field, type the IP address of the FTP site where you want to save the report.
b. In the Path field, type the complete path to the server location where you want to save the report.
c. In the Filename field, type the filename you want to assign to the report. You can automatically add a timestamp to the filename in the Filename conventions pane.
d. In the Username field, type the username used to access the FTP site.

e. In the Password field, type the password used to access the FTP site.
f. Select the Filename conventions to use:
   - No timestamp in file name: Name the file exactly as entered in the Filename field.
   - Prepend timestamp to file name: Add the timestamp at the beginning of the filename entered in the Filename field.
   - Append timestamp to file name: Add the timestamp at the end of the filename entered in the Filename field.

Selecting File as the delivery method lets you save the report in a file on the PCM server.
a. In the Path field, type the complete path to the server location where you want to save the report. The path is relative to the server (not to the client). To save the report on the client, there must be a path from the server to the client. For example, use UNC paths, since the server runs as a service and cannot easily be set up to use mapped drives.
b. In the Filename field, type the filename you want to assign to the report.
c. Select the Filename conventions to use, as described above for FTP files.

12. Click Apply to save the Action Configuration.
13. Click Close to exit the Policy Manager window. If you click Close before you click Apply, you are prompted to save or discard the configuration.

Note: Report output is limited to 40 pages. Therefore, to create a report on many (1000+) items, you need to create separate reports to generate all the data.

You can access User Reports by right-clicking the user in the Users tab display in IDM and then selecting the report option.

IDM Session Cleanup Policy

The IDM Session Cleanup Policy is included in the PCM policies by default when you install IDM. The statistics used by the IDM reports are cleared by the Session Statistics Cleanup policy (in PCM) on the first day of each month. A special IDM Session Cleanup alert is used to define the schedule for the policy. You can edit the policy (alert) if you want to change the cleanup recurrence schedule.

To modify the IDM Session Cleanup Alert:

1. Click the Policy Manager button in the toolbar, OR select Tools > Policy Manager to launch the Policy Configuration Manager window.
2. Select the Alerts node from the navigation tree to display the Manage Alerts pane.

Figure: Manage Alerts: IDM Session Cleanup selection

3. Select the IDM Session Cleanup policy and click Edit to display the properties.

Figure: IDM Session Cleanup Schedule properties

4. Click the Schedule tab to review and edit the schedule parameters.

Figure: IDM Session Cleanup Schedule, alert configuration

5. Set the Start Date for enforcement of the policy. The default is the start date and time for IDM. You can type in a new date and time, or use the arrows to increase or decrease the date and time entries. Note that the time clock uses 24-hour format; thus a time of 22:00 indicates a start time of 10:00 pm. To trigger the IDM Session Cleanup policy to run immediately, select the Run at first opportunity if schedule missed check box.
6. You can change the session cleanup interval using the Recurrence pattern options:
   To select...: Do this...
   Never: No further action is required (the policy definition is saved, but will not be enforced).
   One time: No further action is required (the currently scheduled time is used with no recurrences).
   Hourly: Type the number of hours and minutes to wait between session cleanups. If you do not want the policy enforced on Saturdays and Sundays, select the Skip weekend check box.
   Daily: Type the number of days to wait between session cleanups. If you do not want the policy enforced on Saturdays and Sundays, select the Skip weekend check box.

   Weekly: Select the check boxes for the days of the week on which you want to enforce the policy.
   Monthly: Select Last day of the month to enforce the schedule on the last day of the month, OR select Day and use the up or down arrows to select the day of the month.

7. Use the radio buttons to select No end date, End by, or Maximum occurrences to identify when the schedule should end. If you select No end date, the schedule runs at the selected intervals until the policy is changed or deleted. If you select End by, use the up and down arrows in the field until the desired end date and time are shown. If you select Maximum occurrences, type the number of times the policy should be enforced before it is disabled automatically.
8. Click Apply to save the changes, then Close to exit the alert configuration.

Monitoring User Session Information

You can use IDM just to monitor the network and receive detailed information about users' access to the network. User Session information provides statistics about exactly how the network is being used (for example, when the user logged in and out, where a user logged in from, and how much bandwidth they consumed). Based on the User Session information, you can adjust access rights for users, further restricting or providing additional network resources and access attributes as needed.

To review user session information:

1. Navigate to the user's Domain and click the Users tab.
2. Click the Show the User's session status button in the Users tab toolbar to display the Session Information window.

Figure: IDM User Session Information

The list in the right pane of the Session Information window shows recent sessions, including the following information:

Column: Displays...
Active: Yes if the user is currently logged in for this session, or No if the session has ended.

Column: Displays...
Login Time: The date and time the user logged in.
Login Successful: Yes if the user logged in successfully, or No if login failed.
Location: The name of the location where the user logged in.
Access: The access profile assigned to the access policy group governing the user's permissions during the session.

3. Click the User Properties tab to view the following information:

Field: Displays...
Domain: The domain to which the user is currently assigned.
Auth ID: The ID given to the user's login account.
Name: The name of the user.
MAC Address: The MAC address of the computer where the user logged in.
IP Address: The IP address of the computer where the user logged in. This field only appears if DHCP snooping is enabled for the VLAN of which the client is a member, and may take some time to populate.
Is active: Yes if the user is currently logged in for this session, or No if the session has ended.
Last login time: The date and time of the most recent user login.
Login Count: The total number of times the user logged in during the report period.

4. Click the Session Info tab to view the following information:

Field: Displays...
RADIUS Server: The IP address of the RADIUS server that authenticated the user.
Login was successful: Yes if the user logged in successfully, or No if login failed.
Reason login was unsuccessful: If the login was unsuccessful, the reason the RADIUS server or IDM denied the login (for example, access policy group not found for user, or username/password incorrect).
Session start: The date and time the user logged in.
Session end time: The date and time the user logged out or the session was ended.
Termination cause: The reason the RADIUS server ended the session (for example, user logout, connection interruption, or idle timer expiration).
Input octets: The number of bytes received by the user during the session.
Output octets: The number of bytes sent by the user during the session.

Field: Displays...
Endpoint Integrity State: If endpoint integrity is enabled, whether the user must pass endpoint integrity requirements before they can log into the network.

5. Click the Location Info tab to view the following information:

Field: Displays...
Location name: The name of the location where the user logged in.
Device address: The IP address of the device used to log in.
Ethernet port: The port on the device used for the session.
BSSID: The MAC address used for the wireless device.
SSID: The SSID in packets associated with the user.

a. Click the Disable Ethernet or Enable Ethernet links to disable or re-enable the port used for the session. For example, if you want to prevent the user from logging in at a specific device or force the user to re-authenticate, use the Disable Ethernet function. If you need to re-enable the port so the user can resume the session, use the Enable Ethernet function.

6. Click the Access Info tab to view the following information:

Field: Displays...
Access Policy Group: The access policy group that governs user permissions for the session.
Access Profile: The access profile assigned to the access policy group.
QoS assigned: The Quality of Service or priority for outbound traffic. QoS ranges from lowest to highest.
Ingress rate limit: The maximum bandwidth for inbound traffic allocated to the user by the access profile.
Egress rate limit: The maximum bandwidth for outbound traffic allocated to the user by the access profile.
Untagged VLAN: The untagged VLAN to which access is given. DEFAULT_VLAN(1) is equivalent to allowing access on the entire network.
Tagged VLANs: The tagged VLANs to which access is given.
ACL: The access control rules that were applied to the user's session on the switch or access point.
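As an added example that is not part of the original guide, the following Python models session-history records carrying the Session Info fields listed above and reproduces the Find User Session lookup: a match by complete Auth ID or by a MAC address written in any of the accepted notations, the "Only show active sessions" filter, and an empty result for an unknown user. The record layout, field names, helper names and sample values are assumptions, not IDM's own schema.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed session-history records modelled on the Session Information
# fields (Auth ID, MAC address, RADIUS server, login result, session
# start/end, termination cause, input/output octets). The layout and the
# sample values are assumptions, not IDM's own schema.


@dataclass
class Session:
    auth_id: str
    mac: str
    radius_server: str
    login_successful: bool
    reason_unsuccessful: Optional[str]
    session_start: str
    session_end: Optional[str]        # None while the session is still open
    termination_cause: Optional[str]  # None while the session is still open
    input_octets: int
    output_octets: int

    @property
    def active(self) -> bool:
        """A session counts as active when it logged in and has not ended."""
        return self.login_successful and self.session_end is None


_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value: str) -> str:
    """Reduce any standard MAC notation to 12 lowercase hex digits.

    Accepts multi-colon (00:11:22:33:44:55), multi-dash (00-11-22-33-44-55),
    single-dash (001122-334455), dotted (0011.2233.4455) and undelimited
    forms. Anything that is not exactly 48 bits of hex is rejected, so a
    typo in the search field fails loudly instead of silently matching nothing.
    """
    digits = re.sub(r"[:\-.\s]", "", value.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a valid MAC address: {value!r}")
    return digits


def format_mac(digits: str) -> str:
    """Render 12 hex digits in the colon-separated form used for display."""
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Sample history (constructed): three records for jdoe (one closed, one still
# active, one failed login) and one closed record for asmith. The same MAC is
# written in a different notation in each jdoe record to exercise the parser.
SESSION_HISTORY: List[Session] = [
    Session("jdoe", "00:11:22:33:44:55", "10.0.0.5", True, None,
            "2012-08-01 08:02", "2012-08-01 17:10", "User logout", 120000, 45000),
    Session("jdoe", "0011-2233-4455", "10.0.0.5", True, None,
            "2012-08-02 08:15", None, None, 3000, 900),
    Session("jdoe", "001122334455", "10.0.0.5", False,
            "Username/password incorrect",
            "2012-08-02 07:59", "2012-08-02 07:59", None, 0, 0),
    Session("asmith", "00-aa-bb-cc-dd-ee", "10.0.0.6", True, None,
            "2012-08-02 09:00", "2012-08-02 12:30", "Idle timer expired",
            50000, 20000),
]


def find_user_sessions(history: List[Session], auth_id: Optional[str] = None,
                       mac: Optional[str] = None,
                       only_active: bool = False) -> List[Session]:
    """Return the records matching the Auth ID and/or MAC address.

    Mirrors the Find User Session lookup: the Auth ID must match in full
    (exact match is an assumption), the MAC matches regardless of notation,
    only_active mirrors the "Only show active sessions" check box, and an
    unknown Auth ID or MAC yields an empty list rather than an error.
    """
    if auth_id is None and mac is None:
        raise ValueError("specify an Auth ID or a MAC address")
    wanted_mac = normalize_mac(mac) if mac is not None else None
    matches = []
    for s in history:
        if auth_id is not None and s.auth_id != auth_id:
            continue
        if wanted_mac is not None and normalize_mac(s.mac) != wanted_mac:
            continue
        if only_active and not s.active:
            continue
        matches.append(s)
    return matches


def session_octets(sessions: List[Session]) -> Tuple[int, int]:
    """Total input and output octets over a set of sessions, as the
    User Bandwidth Usage report sums them per user."""
    return (sum(s.input_octets for s in sessions),
            sum(s.output_octets for s in sessions))


if __name__ == "__main__":
    for s in find_user_sessions(SESSION_HISTORY, mac="001122-334455"):
        print(s.auth_id, format_mac(normalize_mac(s.mac)), s.session_start,
              "active" if s.active else "ended")
```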

Find User Session

The Find User Session feature lets you search for and display information about a user session by Auth ID or MAC address. The displayed information is similar to the User Session Status information and contains all the session history records associated with a given Auth ID or MAC address. If the specified Auth ID or MAC address has no session records in the session history, an empty result set is returned.

Note: If you want to know which devices are registered to a given user/guest, or to search by Auth ID, you can use the filter feature provided in the Users tab view, available at the domain as well as the APG node level.

To find information for an Auth ID or MAC address:

1. From the IDM navigation tree, right-click the Domains or Access Policy Groups node to which the user or computer is assigned and then select Find User Session from the right-click menu. This launches the Find User Session window.

Figure: Find User Session

2. In the Auth ID field, type the complete Auth ID that you want to find, OR in the MAC address field, type the MAC address of the computer for which you want to find and display information. The MAC address may be specified in any valid standard format (single dash, multi-dash, multi-colon, no delimiter, etc.) in the Auth ID or MAC address fields.

Note: The Find User Session functionality returns the Session History records for the user matching the Auth ID/MAC address for all active and inactive sessions.

3. Select the Only show active sessions check box to get only the information on active sessions for the user.
4. Click Find to display information for the specified user session or computer.
5. Click Close to exit the window.

User Reports

To review information for multiple sessions, run the User Report:

1. Select a username in the IDM Users tab.
2. Click the Show User Report button in the toolbar. This launches the Report Wizard, Report Filter window.

Figure: Report Wizard, Report Filter

3. To report on a specific time range, clear the All Dates (no filter) check box and select the Start Date and End Date. Click Next to select the report contents.

Figure: Report Wizard, Columns to Include

4. Select the check boxes for the data columns to include. If wireless settings are enabled, the WLAN and BSSID options also appear.

5. Click Finish to run the report. The report is displayed in a separate window on the IDM Client.

Show Mitigations

The Show Mitigations window lists all NIM mitigations (actions taken to resolve security threats) for the selected user and is used to delete NIM mitigation rules. Mitigation can include prohibiting user login or limiting user capabilities through VLAN restrictions, rate limiting, Quality of Service (QoS), and so forth. Rules can also be rolled back by NIM mitigation policies. However, if a rollback timer has not been defined for the policy, the IDM mitigation rules are permanent and must be deleted through the Mitigations window.

To show or delete mitigations:

1. In the IDM Users tab, right-click a mitigated user and choose Show mitigations to display the Mitigations window. This function is selectable for mitigated users only. Mitigated users are identified by one of the following buttons:
   User successfully logged in, but the session was mitigated in some way (for example, VLAN, rate limit, QoS)
   User login was prohibited by a NIM mitigation action
   The Mitigations window lists each rule associated with the selected user and all MAC addresses from which the user has logged in.

2. To delete a single rule, select the rule to delete and click Revoke.

3. To delete all rules, click Select All and then click Revoke.

IDM Preferences

The IDM Preferences window is used to set global attributes for session accounting and archiving, as well as to enable the Endpoint Integrity option. Select Tools > Preferences > Identity Management to display the Preferences, Identity Management window.

Figure: Preferences - Identity Management

Click the option check boxes to select (check) or deselect (clear) the following options.

1. Select the Configuration Deployment option to automatically deploy IDM configuration settings (Access Profiles, Locations, Times, Network Resources) to the IDM agent. The default preference allows automatic configuration deployment. Select the Disable automatic deploy to IDM agents option if you do not want to use automatic IDM configuration deployment. If you disable the Configuration Deployment option, IDM configuration changes take effect only after you manually deploy the configuration to the IDM agent(s).

2. Select the Client Re-authentication option to automatically trigger re-authentication of clients upon registration, based solely on the port to which they are connected. Enable this option with care, because multiple clients can be connected to a port at a time. Re-authentication is first triggered based on the port and MAC address of the client. If that fails and this option is enabled, re-authentication is triggered based only on the port to which the client is connected.

3. Select the Wireless Settings option to allow configuration of Identity Management features for select PCM wireless devices. The default preference has the Enable enhanced wireless support option checked. When this option is unchecked, wireless configuration options are not visible and are not applicable in rule evaluation.

4. Select the Enable Endpoint Integrity option to enable endpoint integrity in the Access Rules definitions, allowing you to configure an Access Rule with one of the Endpoint Integrity options (Pass, Fail or ANY). When you enable Endpoint Integrity and set the attribute in a Global Access Rule or Access Policy Group rule, the IDM agent looks for the RADIUS attribute in the supplicant's authentication request and acts accordingly, applying the defined access rule based on the endpoint integrity system response.

5. Select the Enable User session accounting option to collect information about user logins and logouts. This must be selected if you want to collect data for user logins and bandwidth usage, which is used for the Bandwidth, Session, and User reports.

6. To generate user session start and stop events and display them in the IDM Events list, select the Generate Session Start and Stop Events check box. This option does not affect accounting or the collection of session history and statistical information. Turning this option off reduces the load on your IDM server and the GUI by eliminating two-thirds of the events created for every user login and logout.

7. To reset all session accounting information whenever the server is restarted, select the Reset accounting statistics when the management server starts check box. When this option is selected, IDM closes any open sessions and resets the RADIUS Server totals to zero when the server restarts. If the logged-on or logged-off status of users seems incorrect, the session accounting may be out of sync. Use the Reset accounting statistics option to correct the problem. This immediately closes any open sessions (this has no effect on the user, only on the IDM accounting) and resets user login counts on the RADIUS server to zero. Existing accounting records are not removed by the Reset procedure; the only effect is that currently open sessions are closed.

8. To ignore capability override warnings generated by switches that do not support certain capabilities (for example, VLAN, QoS, Bandwidth, and ACL overrides), select the Ignore device capability warnings check box.

9. To send only those attributes supported by the device, select the Only send supported device attributes to device check box.

10. To archive accounting records older than a specified time period, clear the Disable session archiving check box and set the desired archival period in the Archive user sessions older than x days field. If using SNAC for a network with a moderate number of logins (for example, 20,000 logins per day), HP recommends that you enable session archiving (clear the Disable session archiving check box). This volume will not compromise the responsiveness of IDM operations.

11. To store the user session archive file in a location other than the default IDM data archive directory, type the desired path in the Archive file directory field. The default path is:
C:\Program Files\Hewlett-Packard\PNM\server\idm\data

12. If you do not want to add a timestamp to the archive filename, clear the Use timestamp in archive filename option. If a timestamp is not used in the archive filename, the existing archive file is overwritten each time user sessions are archived.
   a. To insert a timestamp at the front of the archive filename, select the Prepend timestamp to archive filename option.
   b. To add a timestamp at the end of the archive filename, select the Append timestamp to archive filename option.

13. Click OK to save your changes and exit the window. Click Apply to save your changes and leave the Preferences window open. Click Cancel to close the window without saving changes.
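The Find User Session lookup described earlier in this chapter accepts a MAC address in any of the standard delimiter formats and returns every session history record for the matching Auth ID or MAC address, optionally restricted to active sessions. The following Python example, added here as an illustration and not part of the HP product, models that lookup: it normalizes the MAC address before comparing it, runs the search over a constructed session history, and returns an empty list when nothing matches. The SessionRecord layout, the sample records and the dotted MAC form are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SessionRecord:
    """One session history row; the layout is assumed for this example."""
    auth_id: str
    mac: str              # canonical form: 12 lowercase hex digits
    start: str
    stop: Optional[str]   # None while the session is still open (active)


def normalize_mac(text: str) -> Optional[str]:
    """Accept a MAC in multi-colon (00:11:22:33:44:55), multi-dash
    (00-11-22-33-44-55), single-dash (001122-334455), dotted (0011.2233.4455,
    an assumed extra form) or bare (001122334455) notation. Returns 12
    lowercase hex digits, or None if the input is not a valid MAC address."""
    digits = re.sub(r"[\s:.\-]", "", text.strip().lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


# Constructed sample session history (not real data)
SESSION_HISTORY: List[SessionRecord] = [
    SessionRecord("jsmith", "001122334455", "2012-08-01 08:02", "2012-08-01 17:10"),
    SessionRecord("jsmith", "001122334455", "2012-08-02 08:15", None),
    SessionRecord("jsmith", "aabbccddeeff", "2012-08-02 09:00", "2012-08-02 09:30"),
    SessionRecord("guest17", "0a1b2c3d4e5f", "2012-08-02 10:00", None),
]


def find_user_session(history: List[SessionRecord], auth_id: Optional[str] = None,
                      mac: Optional[str] = None, only_active: bool = False) -> List[SessionRecord]:
    """Return every record matching the given Auth ID and/or MAC address.
    Both criteria apply when both are given. An unknown Auth ID or MAC yields
    an empty list, mirroring the empty result set shown by the GUI."""
    if auth_id is None and mac is None:
        raise ValueError("specify an Auth ID or a MAC address")
    canonical = None
    if mac is not None:
        canonical = normalize_mac(mac)
        if canonical is None:
            raise ValueError(f"not a valid MAC address: {mac!r}")
    matches = []
    for rec in history:
        if auth_id is not None and rec.auth_id != auth_id:
            continue
        if canonical is not None and rec.mac != canonical:
            continue
        if only_active and rec.stop is not None:   # "Only show active sessions"
            continue
        matches.append(rec)
    return matches


if __name__ == "__main__":
    for rec in find_user_session(SESSION_HISTORY, mac="00:11:22:33:44:55", only_active=True):
        print(rec)
```

Normalizing before comparison is what makes the "any valid standard format" promise safe: the stored MAC is always in one canonical form, so a lookup typed with dashes still hits records captured with colons, and malformed input is rejected instead of silently matching nothing.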

Using Active Directory Synchronization

The Active Directory Synchronization (AD Sync) feature provides the ability to receive change notifications from the Active Directory server for the domain into which the management server is logged. Active Directory Synchronization automatically updates the IDM database with changes made in your Active Directory, including new users, changes to existing users, and deletion of users.

Notes: AD Sync must be enabled on the IDM server and the proper groups must be synchronized. Otherwise, the default Access Policy Group is used. The User/IDM Import Wizard does not work with SNAC.

To configure AD Synchronization (AD Sync):

1. From the PCM global menu, select Tools > Preferences.

Figure: Identity Management Preferences: User Directory Settings

2. In the left pane of the Preferences window, expand Identity Management and select User Directory Settings.

3. In the Identity Management: User Directory Settings pane, select the Enable automatic Active Directory synchronization check box and type the Username and Password for the Active Directory to be synchronized. Although the figure above shows an administrator user being used, it is better to select a user with fewer privileges, so that a domain admin account is not needed. Ideally, a dedicated user should be created with List contents permission and for SNAC configuration.

4. Check that the Domain field displays the domain into which the user will log in to the SNAC Registration Server and on which IDM is listening for AD updates. If this field does not automatically display a domain name, there may be a problem with the DNS service or the DNS Server configuration on your system. AD Sync will not work if this field is empty.

5. In the Domain Controller(s) field, enter the host names or IP addresses (separated by a space) of the domain controllers for this user group. Using more than one is recommended for redundancy.

6. Click Add/Remove.

Figure: Add/Review AD Groups to Synchronize

The Active Directory is queried for all groups in the domain, and the groups are displayed in the Groups in Active Directory list.

Note: When adding or removing groups, remember that synchronization includes all users who are indirect members of a group through intervening nested group relationships. In addition, users belonging to more than one AD group are added to the IDM group with the higher priority. For example, User 1 in the following example is imported into Group ALL if IDM synchronizes on Group ALL. If IDM synchronizes on Group A or Group B, User 1 is imported into the group with the higher priority. If IDM synchronizes on Group d or Group y, User 1 is not imported.

7. On the Add or Remove Groups window, select the groups to sync in the Groups in Active Directory column and click the >> button to move them to the Groups to Synchronize column.

8. When you have selected all the groups you want to sync, click OK.

9. On the User Directory Settings window, for each group that you have added, select whether users should be imported from AD into the IDM database. Select:
   Yes to import users, such as 802.1X or hybrid users, OR
   No (SNAC Only) to not import SNAC users. SNAC users are not imported because they are added to the IDM database when they register for SNAC.

10. Click Move Up and/or Move Down to set the priority that IDM uses to apply the access level. If a user is in multiple groups in AD, IDM uses this list to determine which group's access level to apply to the user. The access profile applied to the user is the one for the group that is highest in the list.

11. When you have finished making the changes, click:
   Apply to apply the changes and keep the window open. The status of the changes is displayed in the AD Status area. You may see a message such as "Connected.. Imported 50 users." When the changes are complete, the "Listening for updates" message is redisplayed. OR
   OK to apply your changes and close the window.

12. An Importing Users dialog box displays the number of users being imported and a progress bar indicating how long the process is taking. When you are done monitoring the progress of your import, click Close.

If you are importing users from AD into the IDM database instead of using SNAC, an Access Policy Group is created for each selected Active Directory group, and all users that belong to the selected groups are imported from the Active Directory server into the appropriate Access Policy Group. Changes to users in the selected groups are imported (synchronized) as long as Active Directory Synchronization is enabled. The Importing Users dialog closes automatically when the synchronization is complete, and the Preferences window remains open.

Operating Notes:

If a user belongs to more than one Active Directory group, the user is imported into the IDM Access Policy Group with the highest priority (set in the User Directory Settings preferences).

If an Active Directory group is deleted while Active Directory synchronization is enabled, the associated Access Policy Group is deleted. If that group is the priority IDM Access Policy Group for a user who belongs to more than one Active Directory group, the user is automatically reassigned to the next highest priority Access Policy Group. Users who do not belong to more than one Active Directory group are reassigned to the default Access Policy Group for the Domain.

If an Active Directory group is deleted while Active Directory synchronization is disabled, the associated Access Policy Group is NOT deleted when synchronization is re-enabled. However, all users are reassigned to other groups (next highest priority or the default Access Policy Group for the Domain) as part of the resynchronization process.

Users deleted from Active Directory while synchronization is disabled are assigned to the default Access Policy Group during the resynchronization process (instead of being deleted). This prevents users who were added by another method from being deleted.

Within a Domain, Access Policy Group names must be unique. If Access Policy Groups are being created manually within the same Domain, use naming conventions to ensure that these names do not conflict with Active Directory group names.

Performance for the import from Active Directory to IDM varies depending on your environment. Using a 1.86 GHz processor with 2 GB RAM, importing 20,000 Active Directory users in 75 groups takes approximately 65 minutes. A similar test that imported 10,000 of 20,000 users by selecting 2 of the 75 groups completed in 30 minutes. Once the initial synchronization is complete, IDM monitors all changes to the Active Directory with much less system resources. If Active Directory synchronization is disabled or IDM is restarted, all groups must be resynchronized.

Importing only relevant groups can reduce the import time significantly. Selecting only groups of users for which access policies are defined, instead of selecting the Domain Users group (which includes all users in the domain), can significantly reduce the amount of information that must be maintained in IDM and synchronized with Active Directory.

When Active Directory is queried for the Add or Remove Groups function in IDM, it may take several seconds to display the list of available groups. An hourglass is displayed while such an extended process is occurring. Performance varies depending on your environment. Using a 1.86 GHz Intel Core2 Duo processor with 2 GB RAM, it takes approximately 30 seconds to present a list of 20,000 groups.

If an error occurs while attempting to read the Active Directory, an entry is made in the IDM events log, and IDM attempts to reconnect to Active Directory once per minute.

Testing IDM's AD Sync Configuration

Check that IDM's AD Sync is configured and operating successfully:

1. Confirm AD Sync is configured in IDM Preferences, as explained in step 1 under Using Active Directory Synchronization on page 2-42, and that IDM is synchronized with Active Directory groups.

2. Confirm AD groups and IDM groups are synchronized (IDM groups are shown correctly in IDM).
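The group-priority and resynchronization behaviour described in the AD Sync section (nested membership, highest-priority group wins, users in no synchronized group are not imported, and reassignment to the next-highest group or the Domain default Access Policy Group after a group or user disappears) can be summarized as a small algorithm. The following Python model is an added example, not HP's implementation; the nested AD layout mirrors the Group ALL / A / B / d / y illustration in the text but the member names and the data shapes are constructed for this example.

```python
from typing import Dict, List, Set

DEFAULT_APG = "Default Access Policy Group"   # the Domain default, name assumed

# Constructed nested AD membership: group -> direct members (users or groups).
# Anything that is itself a key in this dict is treated as a nested group.
AD_GROUPS: Dict[str, Set[str]] = {
    "ALL": {"A", "B", "d"},
    "A": {"user1", "user2"},
    "B": {"user1", "y"},
    "d": {"user3"},
    "y": {"user4"},
}


def effective_members(group: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """Users that are direct or indirect (nested) members of `group`."""
    users: Set[str] = set()
    todo, seen = [group], set()
    while todo:
        g = todo.pop()
        if g in seen:            # guards against membership cycles
            continue
        seen.add(g)
        for member in groups.get(g, set()):
            if member in groups:
                todo.append(member)   # nested group: expand it
            else:
                users.add(member)
    return users


def assign_users(sync_priority: List[str], groups: Dict[str, Set[str]]) -> Dict[str, str]:
    """Map each user to the APG named after the highest-priority synchronized
    group containing them (sync_priority is ordered highest first). Users in
    no synchronized group are not imported at all."""
    assignment: Dict[str, str] = {}
    for g in sync_priority:
        for user in effective_members(g, groups):
            assignment.setdefault(user, g)   # keep the first (highest) hit
    return assignment


def resynchronize(previous: Dict[str, str], sync_priority: List[str],
                  groups: Dict[str, Set[str]]) -> Dict[str, str]:
    """Re-run the assignment. Previously imported users who no longer fall
    in any synchronized group (their group was deleted, or they were deleted
    from AD while sync was off) move to the Domain default APG, not deleted."""
    fresh = assign_users(sync_priority, groups)
    for user in previous:
        fresh.setdefault(user, DEFAULT_APG)
    return fresh


def after_group_a_deleted() -> Dict[str, str]:
    """Scenario: groups A and B were synchronized (A higher), then group A is
    deleted in AD. user1 moves to B, user2 falls back to the default APG."""
    before = assign_users(["A", "B"], AD_GROUPS)
    remaining = {g: set(m) for g, m in AD_GROUPS.items() if g != "A"}
    remaining["ALL"].discard("A")
    return resynchronize(before, ["B"], remaining)


def after_user4_deleted() -> Dict[str, str]:
    """Scenario: user4 is deleted from AD while sync is off. On resync the
    user is assigned to the default APG rather than removed from IDM."""
    before = assign_users(["A", "B"], AD_GROUPS)
    remaining = {g: set(m) for g, m in AD_GROUPS.items()}
    remaining["y"].discard("user4")
    return resynchronize(before, ["A", "B"], remaining)
```

The ordering in `assign_users` is the whole point of the Move Up / Move Down list: whichever synchronized group is evaluated first claims a user who belongs to several, so reordering the list changes which Access Profile that user receives at the switch.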


3 Using Identity Driven Manager

Understanding the IDM Configuration Model

As described in the IDM model on page 2-6, everything relates to the top level, the Domain. Each User in the Domain belongs to an Access Policy Group (APG). The APG has an Access Policy defined for it that governs the access rights applied to its Users as they enter the network. The Access Policy is defined using a set of Access Rules. These rules take the following inputs:
   Location (from what location is the user accessing the network)
   Time (at what time is the user accessing the network)
   System (from what system is the user accessing the network)
   Device type group
   Endpoint Integrity

Using these input parameters, IDM evaluates each of the rules. When a matching rule is found, the access rights (called an Access Profile) associated with that rule are applied to the user. The Access Profile defines the access provided to the network once the user is authenticated, including:
   VLAN: what VLANs the user can access
   QoS: Quality of Service, from lowest to highest
   Rate-limits: the bandwidth that is available to the user
   Network Resources: the resources the user can access, by IP address and/or protocol. These resources must be defined, similarly to the Locations and Times used in the access rules.

Thus, based on the rules defined in the APG, the user gets the appropriate level of access to the network. In summary, for identity driven management, each user in a Domain belongs to one Access Policy Group. The Access Policy Group defines the rules that are evaluated to determine the access policies that are applied at the switch when the user connects to the network.
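To make the rule-evaluation model concrete, here is an added Python example (not HP's code and not how the IDM agent is implemented) that encodes an Access Policy Group as an ordered list of Access Rules, each constraining Location, Time, System (MAC), Device type group and Endpoint Integrity, and applies the Access Profile of the first rule that matches. The class layouts, the sample locations, profiles and rules, the representation of Time as a set of already-resolved active Time names, and the fall-back to the Default Access Profile when no rule matches are all assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Location:
    """A switch (IP or DNS name) and an inclusive port range; None = Any port."""
    name: str
    device: str
    ports: Optional[Tuple[int, int]] = None

    def contains(self, device: str, port: int) -> bool:
        if device != self.device:
            return False
        return self.ports is None or self.ports[0] <= port <= self.ports[1]


@dataclass(frozen=True)
class AccessProfile:
    """Access rights applied once a rule matches."""
    name: str
    vlan: int
    qos: int                                  # 0 = lowest .. 7 = highest (assumed scale)
    rate_limit_kbps: Optional[int] = None     # None = no rate limit
    network_resources: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class AccessRule:
    """Each constraint is optional; None means the rule does not test it."""
    profile: AccessProfile
    location: Optional[str] = None                      # Location name
    time: Optional[str] = None                          # Time name
    systems: Optional[FrozenSet[str]] = None            # permitted MACs
    device_type_group: Optional[FrozenSet[str]] = None  # permitted device types
    endpoint_integrity: str = "ANY"                     # "Pass", "Fail" or "ANY"


@dataclass(frozen=True)
class Login:
    """What is known about an authenticated login at rule-evaluation time.
    Which Time definitions are active is assumed to be resolved beforehand."""
    device: str
    port: int
    mac: str
    device_type: str
    endpoint_integrity: Optional[str]   # RADIUS attribute value, None if absent
    active_times: FrozenSet[str] = frozenset()


def evaluate(rules: List[AccessRule], locations: Dict[str, Location],
             login: Login, default: AccessProfile) -> AccessProfile:
    """Return the Access Profile of the first rule whose every constraint holds
    for `login`; fall back to `default` when no rule matches (assumption)."""
    for rule in rules:
        if rule.location is not None and not locations[rule.location].contains(login.device, login.port):
            continue
        if rule.time is not None and rule.time not in login.active_times:
            continue
        if rule.systems is not None and login.mac not in rule.systems:
            continue
        if rule.device_type_group is not None and login.device_type not in rule.device_type_group:
            continue
        if rule.endpoint_integrity != "ANY" and login.endpoint_integrity != rule.endpoint_integrity:
            continue
        return rule.profile
    return default


# Constructed configuration for one Access Policy Group (not real data)
LOCATIONS = {
    "Lobby": Location("Lobby", "10.0.0.2", (1, 4)),
    "Campus": Location("Campus", "10.0.0.2"),          # any port on the switch
}
QUARANTINE = AccessProfile("Quarantine", vlan=99, qos=0, rate_limit_kbps=512,
                           network_resources=frozenset({"remediation-server"}))
STAFF = AccessProfile("Staff", vlan=10, qos=5)
GUEST = AccessProfile("Guest", vlan=20, qos=1, rate_limit_kbps=2048,
                      network_resources=frozenset({"internet"}))
DEFAULT_PROFILE = AccessProfile("Default Access Profile", vlan=1, qos=0)

RULES = [
    # Order matters: a failed endpoint integrity check is tested before anything else
    AccessRule(QUARANTINE, endpoint_integrity="Fail"),
    AccessRule(GUEST, location="Lobby"),
    AccessRule(STAFF, location="Campus", time="BusinessHours",
               device_type_group=frozenset({"Laptop", "Desktop"})),
]


def profile_for(login: Login) -> str:
    """Name of the profile the sample rules assign to `login`."""
    return evaluate(RULES, LOCATIONS, login, DEFAULT_PROFILE).name
```

Because evaluation stops at the first match, rule order is part of the policy: placing the Endpoint Integrity "Fail" rule first guarantees that a machine failing its integrity check lands in the quarantine VLAN even when it connects from a location whose rule would otherwise grant staff or guest access.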

Configuration Process Review

Assuming that you opted to enable Active Directory synchronization or let IDM run long enough to discover the Domain, users, and RADIUS server, your configuration process will be:

1. Define locations (optional) from which users access the network. The location may relate to port-based VLANs, or to all ports on a switch.

2. Define times (optional) at which users will be allowed or denied access. This can be by day, week or even hour.

3. If you intend to restrict a user's access to specific systems, based on the system they use to access the network, modify the User profile to include the MAC address of each system from which the user is allowed to log in.

4. Define the Network Resources that users will have access to, or will be denied from using, if applicable.

5. Define device types (optional) from which users can access the network. Network access can be controlled based on the device type from which the user is logging on, by configuring access policy rules or global rules with a Device type group that includes the specific device type.

6. Create the Access Profiles to set the VLAN, QoS, rate-limits (Bandwidth), and network resources that are applied to users in Access Policy Groups.

7. If you do not use Active Directory synchronization, create the Access Policy Groups, with rules containing the Location, Time, System, and Access Profile that will be applied to users when they log in. OR If you use Active Directory synchronization, add rules and access profiles to the Access Policy Groups that were created by Active Directory synchronization.

8. If you do not use Active Directory synchronization, assign Users to the appropriate Access Policy Group.

9. If you do not use automatic deployment, deploy the configuration to the IDM Agent on the RADIUS Server. The authorization controls can then be applied when IDM detects an authenticated user login. If you do not use automatic deployment and do not manually deploy the IDM configuration to the Agent on the RADIUS server, the configuration will not be applied.

Note: If you want to modify or delete an Access Policy Group, or the locations, times, or access profiles used in the Access Policy Group, make sure your changes will not adversely affect users assigned to that group.

10. For the devices that will perform MAC authentication, you can configure Auto-Allow OUI to provide automatic authentication based on those devices' MAC address prefixes.

Configuring Identity Management

All of the elements described for configuring user access in IDM are available in the Identity Management Configuration window. To launch the Identity Management Configuration window:

1. Right-click the Identity Management Home node in the navigation tree, and select Configure Identity Management. OR

2. Click the Configure Identity Management button in the Domains pane toolbar.

The Identity Management Configuration default display is the Access Profiles pane with the Default Access Profile.

Figure 3-1. Identity Management Configuration, default display

Click a node in the navigation tree to display the defined configuration parameters and to add or edit configuration parameters, as described in the following sections.

Configuring Locations

Locations in IDM identify the switch and/or ports on the switch, and the wireless access points, where users connect to the network. Users generally are allowed to log in to the network from a variety of locations; IDM allows you to create customized locations to match specific environments. For example, a generalized company "location" may include all of the ports on a switch, or multiple switches, through which users can connect to the network. You can define a lobby location as a single switch, or a single port on the switch, in order to restrict network access for visitors attaching to the network in the lobby.

To configure a location:

Select the Locations node from the Identity Management Configuration navigation tree to display the Locations pane.

Figure 3-2. Locations pane

Note: IDM also lets you include wireless devices in the location configuration. Selecting Enable Enhanced Wireless Support in IDM Preferences adds a Wireless devices tab to the Create a new Location window.

Adding a New Location

To create a new location:

1. Click the New Location button in the Locations toolbar to display the Create a new Location window.

Figure 3-3. Create a New Location display

2. Type a Name for the location.

3. Type a Description for the location.

To add wired devices to the location:

4. Click Add device to open the New Device window, and define the devices and/or port combinations that will be included in the location. See "To add a wireless device to a Location" on page 3-7 for details on support for wireless locations.

Figure 3-4. New Device window

5. Use the Select Device Group list to select the Agent and device model that will be allocated to users logging in from the associated location.

6. Enter the device to be added.
   a. Using the Device Selection option:
      i. Use the menu to select a device group. This enables the Select Device menu in the next field.
      ii. Select a device from the list of available devices. The list is populated with the IP address or DNS name of all (PCM-managed) devices in the selected group.
   b. Using the Manually enter device address option:
      i. Select the check box to enable the data entry field below it.
      ii. Type the IP address or DNS name of the device to be added.

Note: If PMM is licensed, this dialog does not show wireless devices. You must add wireless devices from the Wireless Devices tab on the Create a new Location window. If PMM is not licensed, wireless devices appear in this dialog; however, you will not be able to select any ports, and the only option will be Any port.

7. Use the Port Selection section to define the ports on the device that will be associated with the location. Click to select Any port on the switch, or click Select ports, then use the lists to select the Begin and End ports on the device that will be associated with the new location. If you manually entered the device address, the Begin port and End port menus are disabled, and you must enter the ports manually.

8. Click OK to save the New Device settings to the Location, and close the window.

Notes: If a switch in the device list is not configured to authenticate with the RADIUS server, the settings in IDM will have no effect. You can type in an IP address for non-PCM devices and, if the device uses industry-standard RADIUS protocols, the settings should work; however, HP does not provide support for IDM configurations with non-PCM devices.

9. The Device address and ports information is displayed in the New Location window.

10. Repeat steps 4 through 7 to add additional devices to the Location, or click OK to save the new Location and close the window.

To add a wireless device to a Location:

1. On the Create a new Location window, click the Wireless devices tab.

Figure 3-5. Create a New Location, Wireless Devices

2. Click Add Device to display the Wireless Devices dialog. All discovered radios and radio ports are displayed.

Figure 3-6. Select Wireless Device for a location

3. Click the check box(es) to select the radio ports to be included in the location, and then click OK to save the selection and return to the Create a new Location window (Wireless Devices tab).

4. Click OK to save and exit, or repeat the steps to add additional devices to the location.

Modifying a Location

To edit the information for an existing Location:

1. Select the Locations node from the Identity Management Configuration navigation tree to display the Locations pane with the list of defined locations.

2. Double-click a location in the navigation tree or in the Locations list to open the (modify) location pane. You can also select the location in the list, then click the Edit Location button in the toolbar to display the Location in edit mode.

3. Edit the location Name and Description as needed.

4. Edit the device configuration for the location as needed:
   To modify the device settings, select the device in the list, then click Edit device to display the Modify Device window. The Modify Device window contains the same fields as the New Device window. You can edit the ports associated with the location, or you can choose a different device and reset the ports for the new device. Click OK to save your changes and close the window. The changes are displayed in the Location pane.
   To add another device, click Add Device.
   To delete a device, select the device in the list, then click Delete Device.

5. Click OK to save the location changes and close the Locations window. Click Cancel to close the window without saving the changes; the original location configuration is maintained.

Note: When modifying Locations, make sure all devices for the location are configured with the appropriate VLANs. If you modify a Location that is part of a VLAN (subnet) and that Location is currently used in an Access Policy Group rule, IDM checks to make sure that the VLAN exists. If not, an error message is displayed.

Deleting a Location

To remove an existing Location:

1. Select the Locations node from the Identity Management Configuration navigation tree to display the Locations pane with the list of defined locations.

2. Click a location in the list to select it.

3. Click the Delete Location button in the toolbar to remove the location. The first time you use the Delete Location option, a warning pop-up is displayed. Click OK to continue, or Cancel to stop the delete process.

4. The location is removed from the Locations list.

Note: If you modify or delete a Location, check to make sure that the changes do not adversely affect users in Access Policy Groups where the Location is used.

Configuring Times

Times are used to define the hours and days when a user can connect to the network. When included in the Access Policy Group rules, the time can be used to allow or deny access from specific locations at specific times. For example, students might be allowed network access from the "Classroom" location during weekdays, from 9:00 am to 5:00 pm, but denied access from the Classroom at any other time.

To configure a Time:

1. On the IDM main window, select Tools > Configure Times. OR Select the Times node from the Identity Management Configuration navigation tree to display the Times pane.

Figure 3-7. Identity Management Configuration, Times pane

The Times pane lists the name and description of defined times. Double-click a time in the list, or select the time in the navigation tree, to display the Time's properties, including:

Table 3-1. Times pane parameters

Field/Section    Displays...
Name             The name used to identify the time
Description      A brief description of the time
Time             The time of day when the access policy group is active
Days of week     The days of the week when the access policy group is active
Range            The dates during which the time will be in effect. A start date must be specified.

Figure 3-8. Times Properties

Creating a New Time

To create a new Time:

1. In the Times pane, click the Add New Time button to display the Create a new Time window.

Figure 3-9. Create a New Time

2. Define the properties for the new time.

Table 3-2. IDM Time parameters

Field/Section    Entry
Name             Type a name used to identify the time.
Description      Type a brief description of the time.
Time             Select the time of day when users will be accepted on the network. To allow access the entire day, select the All day radio button. To restrict access to specific hours of the day, select the From radio button and type the beginning and ending times. The ending time must be later than the beginning time. AM or PM must be specified.
Days of week     Select the days of the week on which a user will be accepted or rejected on the network. Select the radio button next to the desired days. Select the Custom radio button to enable the day-of-the-week check boxes.
Range            Select the dates during which the time will be in effect. Select the Start Date and then select the No End Date radio button, or select the End Date.

3. Click OK to save the new Time and close the pane. The new time appears in the Times window.
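The three parts of a Time definition in Table 3-2 (time of day, days of week, date range) combine into a single yes/no question at login: is this Time active right now? The following Python example, added here and not HP's code, models a Time definition with the validation rules the table states (an ending time later than the beginning time, a required start date, an optional end date) and evaluates it against a moment in time, using the Classroom example from the text. The class layout, the inclusive treatment of both ends of the time-of-day window, and the sample definitions are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import FrozenSet, List, Optional, Tuple

WEEKDAYS = frozenset(range(0, 5))    # Monday = 0 .. Friday = 4
WEEKENDS = frozenset({5, 6})
ALL_DAYS = frozenset(range(7))


@dataclass(frozen=True)
class TimeDefinition:
    """One IDM Time as described in Table 3-2 (layout assumed)."""
    name: str
    start_date: date                          # Range: a start date is required
    end_date: Optional[date] = None           # None = No End Date
    days_of_week: FrozenSet[int] = ALL_DAYS   # Custom = any subset of 0..6
    time_from: Optional[time] = None          # both None = All day
    time_to: Optional[time] = None

    def __post_init__(self) -> None:
        if (self.time_from is None) != (self.time_to is None):
            raise ValueError("specify both From and To, or neither for All day")
        if self.time_from is not None and self.time_to <= self.time_from:
            raise ValueError("the ending time must be later than the beginning time")
        if self.end_date is not None and self.end_date < self.start_date:
            raise ValueError("the end date must not precede the start date")

    def is_active(self, moment: datetime) -> bool:
        """True when `moment` is inside the date range, on an allowed day of
        the week, and within the time-of-day window (ends inclusive, assumed)."""
        day = moment.date()
        if day < self.start_date or (self.end_date is not None and day > self.end_date):
            return False
        if moment.weekday() not in self.days_of_week:
            return False
        if self.time_from is None:
            return True
        return self.time_from <= moment.time() <= self.time_to


# Constructed sample definitions (not real configuration)
CLASSROOM = TimeDefinition("Classroom", start_date=date(2012, 9, 1), days_of_week=WEEKDAYS,
                           time_from=time(9, 0), time_to=time(17, 0))
OPEN_LAB = TimeDefinition("Open Lab", start_date=date(2012, 9, 1), end_date=date(2012, 12, 21),
                          days_of_week=WEEKENDS)
SAMPLE_TIMES: Tuple[TimeDefinition, ...] = (CLASSROOM, OPEN_LAB)


def active_times(iso_moment: str, definitions: Tuple[TimeDefinition, ...] = SAMPLE_TIMES) -> List[str]:
    """Names of the Time definitions active at the given ISO 8601 moment;
    this is the set an access rule's Time constraint would be checked against."""
    moment = datetime.fromisoformat(iso_moment)
    return [t.name for t in definitions if t.is_active(moment)]


def rejects_inverted_window() -> bool:
    """True if a From/To window with To earlier than From is refused."""
    try:
        TimeDefinition("Bad", start_date=date(2012, 9, 1), time_from=time(17, 0), time_to=time(9, 0))
    except ValueError:
        return True
    return False
```

A rule that names the Classroom Time therefore admits the student on a Tuesday at 10:30 but not at 18:00, and never before the start date, which is exactly the allow-on-weekdays, deny-otherwise behaviour the text describes.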

Modifying a Time

To modify a Time:

1. In the Times pane, select a Time in the navigation tree to display the Time details in edit mode, similar to the Create a new Time pane. You can also select the Time in the list, then click the Modify Time button in the toolbar to display the modify pane.

2. Modify the time parameters, as described in Table 3-2.

3. Click OK to save your changes and close the window.

Note: If you modify or delete a Time, check to make sure that the changes do not adversely affect users in Access Policy Groups where the Time is used.

Deleting a Time

To remove an existing Time:

1. In the Times pane, click a Time in the list to select it.

2. Click the Delete Time button in the toolbar to remove the Time. The first time you use the Delete Time option, a warning pop-up is displayed. Click OK to continue, or Cancel to stop the delete process.

3. The Time is removed from the Times list.

Defining Holidays

To add holidays for use when defining Times:

1. In the Times pane, click the Holidays button in the toolbar to launch the Holidays window.

Figure: Holidays window

2. Click Add to launch the Add Holiday window.

Figure: Add Holiday

3. The Date field defaults to the current date. You can use the field buttons to increase or decrease the date, or type a new date.

4. In the Description field, enter the text that will identify the holiday in the Holidays list.

5. Click OK to save the holiday and close the window. The new holiday appears in the Holidays list.

To edit a Holiday, select it in the Holidays list, then click Edit. This launches the Edit Holiday window, which is similar to the Add Holiday window.

To delete a Holiday, select it in the Holidays list, then click Delete. Click Yes in the confirmation pop-up to complete the process.

Device Finger Printing

The Device Finger Printing feature in IDM/SNAC helps control user access to the network based on the device type used to log on. IDM allows the configuration of network access rules based on device types. The IDM administrator can create Device Type Group objects that hold one or more device types and can associate a Device Type Group object with an existing access policy rule in IDM, or create a new access policy rule and associate a Device Type Group object with it.

Configuring Device Finger Printing

In the Identity Management Configuration window, a Device Finger Printing node is provided, with two child nodes: Device type groups and User-Agent to Device Types.

Figure: Device Finger Printing

User Agent To Device Types Mapping

The administrator can see the list of configured (both pre-loaded and user-defined) User-Agent Pattern to Device Type mappings from this node. The table has three columns, with some default values:

- Position
- Pattern in User-Agent
- Device Type

Figure: User Agent to Device Types

Note: The Users tab view reflects the device type corresponding to the user agent pattern that is listed with the lowest position number in the above list.

Creating a New User Agent Mapping

To create a new User Agent Mapping:

1. Enter the user agent pattern to match in the user agent string, and the Device Type (you can enter a new type or select from existing types). The new pattern is inserted at the first position.

Note: For the user agent pattern mapping to take effect, it has to be part of one or more Device Type Group objects.

2. The Administrator can change the insertion point of the new pattern by choosing the pattern before which to insert it. Additionally, the administrator can add the new pattern to any existing device type groups.

Figure: New User Agent to Device Type Mapping

Bulk Import of User Agent Pattern Mappings

To do a bulk import of user-agent patterns:

1. Stop the PCM Service.
2. Update the server/config/useragentpattern file with the required patterns.
3. Edit server/config/globalprops.prp.
4. Remove the IDMDeviceFingerPrinting section.
5. Start the PCM Server service.

The new patterns in the file now appear under the 'User-Agent To Device Type' node in 'Configure Identity Management'. Since only 'bulk import' is supported and not 'bulk update', deletion of existing User-Agent Patterns can be done only through the IDM GUI.

Deleting a User Agent Mapping

To delete a User Agent Mapping:

1. Select the user agent pattern mappings from the list, and delete.
2. A dialog box appears to confirm before deleting the entry. If the device type being deleted is in use in some Device Group, deletion is not allowed. Further, if the pattern selected for deletion is one of the catch-all patterns defined in Creating a Global Rule, the deletion fails with an appropriate notice.

Moving up a User Agent Mapping

The Administrator can move a selected pattern up in the table. However, only one pattern at a time can be moved up, and a selected pattern can be moved up only as far as the first position.

Moving down a User Agent Mapping

The Administrator can move a selected pattern down in the table. However, only one pattern at a time can be moved down, and a selected pattern can be moved down only as far as the last position.

Device Type Groups

When the Device Type Groups node is selected in the Identity Management Configuration window, a table of the configured Device Type Group objects is displayed on the right side of the screen. The table has the following two columns:

- Device Type Group Name
- Device Type Group Description

Under the Device Type Groups node, each node represents one Device Type Group object. A Device Type Group object can hold either specific Device Types or a mix of various kinds of devices. The Device Type Group Name holds the unique value.

Figure: Device Type Groups

To edit the selected Device Type Group object, click any entry in Device Type Group Name.

Figure: Edit Device Type Group

Creating a New Device Type Group Object

To create a new Device Type Group Object:

1. Enter the Device Type Group Name and Description, and then select elements from the list of Device Types.

Figure: Create a new Device Type Group

2. Click Add/Remove. A dialog box appears in which to select device types.

Figure: Select Device Types

3. After selecting the device types, click OK.
4. The new group is added to the list of existing device groups in the navigation tree.
5. Click Close to save the device type group to the database.

Figure: Edit/Delete Created Groups

Modify Device Type Group

To modify a Device Type Group:

1. From the Identity Management Configuration navigation tree, select Device Finger Printing and then select Device Type Groups.
2. Edit the device type group in one of the following ways:
   a. Select the device type group node from the navigation tree.
   b. Select the device type group from the table and click Edit, or double-click the device type row in the table.
3. Navigate to the Edit screen to modify the description of the group, and then edit the list of device types present in the group.
4. To add or remove device types, click Add/Remove. A Select Device Type dialog box appears in which to make the required modifications.
5. Click Close to save the modifications to the device type group.
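The ordering rules that the User-Agent to Device Types table and the Device Type Groups above describe (lowest matching position wins, Move Up/Move Down shift one position at a time, a pattern only takes effect through group membership, catch-all and in-use patterns cannot be deleted) are worked through below in Python. This is an added example written for this guide, not IDM's own implementation: the pattern table, the sample User-Agent strings, the CATCH_ALL_TYPES set, the membership of iPad, iPhone and Windows Phone in the vendor groups, and the "Corporate laptops" group are all constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed pattern table standing in for IDM's useragentpattern file.
# List order is the Position column (index 0 = position 1). Each pattern is a
# regular expression matched case-insensitively against the User-Agent string.
# Specific patterns sit above the catch-alls because the lowest matching
# position decides the device type.
PATTERN_TABLE: List[Tuple[str, str]] = [
    (r"iPad", "iPad"),
    (r"iPhone", "iPhone"),
    (r"Windows Phone", "Windows Phone"),
    (r"Android", "Android"),                 # catch-all
    (r"Windows", "Windows"),                 # catch-all
    (r"Mac OS X|Macintosh", "Apple"),        # catch-all
    (r"Linux|X11|FreeBSD", "Unix"),          # catch-all
    (r"CrOS", "ChromeOS"),                   # admin-added, deliberately misplaced
]

# Device types that the catch-all patterns produce (assumed set).
CATCH_ALL_TYPES: Set[str] = {"Android", "Windows", "Apple", "Unix", "Unknown"}

# Device Type Groups: name -> member device types. The five pre-configured
# groups are the ones the guide lists; putting iPad/iPhone/Windows Phone into
# the matching vendor group, and the sixth group, are constructed assumptions.
DEVICE_TYPE_GROUPS: Dict[str, Set[str]] = {
    "All Android": {"Android"},
    "All Windows": {"Windows", "Windows Phone"},
    "All Unix": {"Unix"},
    "All Apple": {"Apple", "iPhone", "iPad"},
    "All Unknown": {"Unknown"},
    "Corporate laptops": {"Windows", "Apple"},
}

# Constructed sample User-Agent strings.
IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"
ANDROID_UA = "Mozilla/5.0 (Linux; Android 10; SM-G973F) AppleWebKit/537.36 Chrome/80.0 Mobile Safari/537.36"
WINPHONE_UA = "Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; Lumia 950) AppleWebKit/537.36"
CROS_UA = "Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 Chrome/106.0 Safari/537.36"
CURL_UA = "curl/7.68.0"


def classify(user_agent: str, table: List[Tuple[str, str]] = PATTERN_TABLE) -> Tuple[str, Optional[int]]:
    """Device type of the first (lowest-position) matching pattern, with its
    1-based position; ("Unknown", None) when nothing matches."""
    for index, (pattern, device_type) in enumerate(table):
        if re.search(pattern, user_agent, re.IGNORECASE):
            return device_type, index + 1
    return "Unknown", None


def groups_for(device_type: str, groups: Dict[str, Set[str]] = DEVICE_TYPE_GROUPS) -> Set[str]:
    """Every Device Type Group containing the type; an access rule that names
    any of them can match the user."""
    return {name for name, members in groups.items() if device_type in members}


def move_up(table: List[Tuple[str, str]], index: int) -> List[Tuple[str, str]]:
    """Move one pattern up by one position, stopping at the first position."""
    new = list(table)
    if index > 0:
        new[index - 1], new[index] = new[index], new[index - 1]
    return new


def move_down(table: List[Tuple[str, str]], index: int) -> List[Tuple[str, str]]:
    """Move one pattern down by one position, stopping at the last position."""
    new = list(table)
    if index < len(new) - 1:
        new[index], new[index + 1] = new[index + 1], new[index]
    return new


def delete_pattern(table, index, groups=DEVICE_TYPE_GROUPS, catch_all=CATCH_ALL_TYPES):
    """The deletion checks described above: a catch-all pattern cannot be
    removed, nor can one whose device type is still used by a group."""
    _, device_type = table[index]
    if device_type in catch_all:
        raise ValueError(f"{device_type!r} is a catch-all pattern and cannot be deleted")
    if groups_for(device_type, groups):
        raise ValueError(f"device type {device_type!r} is in use by a Device Type Group")
    return table[:index] + table[index + 1:]


def can_delete(table, index) -> bool:
    """True if delete_pattern would accept the deletion."""
    try:
        delete_pattern(table, index)
        return True
    except ValueError:
        return False
```

Two things the table alone does not make obvious: a Windows Phone User-Agent also contains the word Android, so the order of those two rows decides which group the user lands in; and a pattern added at the bottom (CrOS here) is shadowed by the Unix catch-all until it is moved above it, which is why the Move Up control matters after a bulk import.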

IDM has pre-configured Device Type Groups for each of the catch-all patterns:

- All Android (for all Android devices)
- All Windows (for all Windows devices)
- All Unix (for all Unix devices)
- All Apple (for all Apple devices)
- All Unknown (for all Unknown devices)

The advantage of these pre-configured Device Type Groups is that, when users register, if the user-agent string matches one of the catch-all regex patterns, the user's device type automatically becomes a member of the respective Device Type Group. As a result, the user's access to the network is immediately controlled based on the device type, without any additional effort from the Administrator. The Global Rules or Access Rules must still be configured to complete the Device Finger Printing configuration.

Configuring Network Resources

Network Resources in IDM are used to permit or deny traffic to and from specified sources and destinations. This is done by configuring an IP-based filter based on one or more of:

- The IPv4 or IPv6 address (individual address or subnet address) of the source or destination
- The protocol (IP, ICMP, VRRP, and so forth)
- The TCP or UDP port (that is, the protocol and application, such as Telnet or HTTP)

For example, you can create a Network Resource to restrict guest accounts so that they have access only to the external Internet, and no access to internal resources. Or you can define a resource that allows HR employees to access the payroll systems, and denies access to all other employees.

Note: Network Resource features can be used only for switches that support IDM-based ACLs. See Device Support for IDM Features on page A-1.

To configure a Network Resource:

1. Select the Network Resources node from the Identity Management Configuration navigation tree to display the Network Resources pane.

Figure: Network Resources

The Network Resources window lists the name and parameters for defined resources, including:

Table 3-3. Network Resources parameters

Column / Displays...
Name: The name used to identify the resource.
IP Address: The IP address for the switch associated with the resource ("any" if the resource is being filtered by protocol).
Network Mask: The subnet mask for the IP address.
Ports: The device port(s) associated with the resource, or Any if the resource is being filtered by protocol. Ports can be selected by number or by friendly port name. Refer to the section on "Using Friendly (Optional) Port Names" in the Management and Configuration Guide for your switch for details.
Protocol: The protocol (UDP, TCP, or IP) used to filter access to the resource.

Double-click the Network Resource in the list, or select it from the navigation tree, to display the individual Network Resource configuration details.

Figure: Network Resources - Details

Note: When you open the details window, it is in Edit mode. You can modify the entries in the display fields, and the changes are automatically saved when you click Close. For details on the field entries, refer to the definitions under Adding a Network Resource on the next page.

Adding a Network Resource

To define a new Network Resource:

1. In the Network Resources pane, click the Add Network Resource button to display the Define Network Resource window.

Figure: Define Network Resource

2. Define the properties for the network resource.

Table 3-4. IDM Network Resource parameters

Field/Section / Entry
Name: The name used to identify the network resource.
Description: A brief description of the network resource (optional).
Resource Attributes:
IP Address/IPv6 Address: To filter by device address, clear the Any Address check box, select the address type as either IP Address or IPv6 Address, and type the IP address for the switch associated with the resource in the IP Address field. Use the Any address option if you will be filtering by protocol and application port only, and not by a specific device or port.
Mask: The subnet mask for the IP address (if used). Use the up/down buttons to set the mask number.
Protocol: Select UDP, TCP, or IP to identify the protocol used to filter access to the resource. Protocol can be used alone or with an IP address and port parameters to define the network resource access. To use a custom protocol number for a network resource, check the Enter protocol number check box and type the protocol number (0-137).

Table 3-4. IDM Network Resource parameters (Continued)

Field/Section / Entry
Port: Any port is selected by default, which means all ports associated with the IP address are included in the network resource definition. To specify a port for the network resource, clear the Any port check box to enable the Port field. Enter the port number, or friendly port name*, used for the resource.

* Valid port names supported in IDM include: ftp, syslog, ldap, http, imap4, imap3, nntp, pop2, pop3, smtp, ssl, telnet, bootpc, bootps, ssh, dhcp, ntp, radius, rip, snmp, snmp-trap, tftp.

Note: If you are setting a resource to represent an application port such as dhcp, smtp, or http, you must make sure that you set the correct protocol, either TCP or UDP. If you do not set the correct protocol, the rule will not operate as intended at the switch or access point.

3. Click OK to save the Network Resource definition and close the window. All entries are saved immediately upon entry. This allows you to configure several IDM features without closing and reopening the Configure Identity Management window. Click Cancel to close the window without saving your changes.

Modifying a Network Resource

To modify a Network Resource:

1. In the Network Resources pane, select the network resource to edit from the list, then click the Edit Network Resource button to display the Define Network Resource window.
2. Edit the properties as needed. Refer to Adding a Network Resource on the previous page for definitions.
3. Click OK to save the Network Resource definition and close the window.

Deleting a Network Resource

To delete a Network Resource:

1. In the Network Resources pane, select the network resource to edit from the list, then click the Edit Network Resource button to display the Define Network Resource window.
2. Click in the list to select the network resource to delete, then click the Delete Network Resource button.
3. Click Yes in the confirmation pop-up to complete the process. The selected network resource is removed from the Network Resources list display.

Configuring Access Profiles

IDM uses an Access Profile to set the VLAN, QoS, Bandwidth (rate-limit) and Network Resource access rules that are applied to a user when they are authenticated on the network. This is where the real benefits of "access control" are realized. When users log in, the Access Profile dynamically configures the switch or wireless access point settings to provide the proper network access and resources for the user.

To begin, select the Access Profiles node from the Identity Management Configuration navigation tree to display the Access Profiles window.

Figure: Access Profiles window

The Access Profiles window lists defined Access Profiles, including:

Table 3-5. Access Profiles parameters

Column / Displays...
Name: The name used to identify the profile.
Untagged VLAN: The name of the untagged VLAN to which users in the group are assigned when they log in.
QoS: The Quality of Service setting.
Ingress Rate Limit: The maximum amount of traffic (in Kbps) allowed from this user.
Egress Rate Limit: The maximum amount of traffic (in Kbps) allowed to this user.

The Access Profile tells the switch to override any local settings for the port the user is accessing with the settings specified in IDM.

Select the Access Profile node from the navigation tree, or double-click a profile in the list, to display the details of the selected profile. The Name, Description, and Access Attributes are the same as defined in the Access Profiles list. The Network Resources section lists the Network Resources included in the profile:

Table 3-6. Access Profile - Network Resources parameters

Column / Displays...
Priority: The order in which the network resource rules are evaluated; the first one to match each incoming packet is applied.
Action: Whether access to the Network Resource is allowed or denied.
Resource: The defined network resource name.
Accounting: Whether or not the switch will count the number of hits on this rule.

Creating a New Access Profile

To create a new Access Profile:

1. On the Access Profiles window, click the Add Access Profile button in the toolbar to display the Create a new Access Profile window.

Figure: Create Access Profile

2. Define the attributes for the Access Profile:

Table 3-7. New Access Profile parameters

Field/Section / Entry
Name: Type a name used to identify the Access Profile.
Description: Type a brief description of the Access Profile.
Untagged VLAN or Tagged VLANs: Select the type of VLAN used for the access profile. To select an untagged VLAN, check the Untagged VLAN check box and select the VLAN that can be accessed from the list. Selecting a VLAN from the list grants the user access to that network segment only. To select tagged VLANs, check the Tagged VLAN check box and click Edit. When the VLAN Selection window appears, select the tagged VLANs to be accessed from the Available VLANs list and click >> to select them. When all tagged VLANs that can be accessed are displayed in the Selected VLANs list, click OK to close the window and return to the Identity Management Configuration window.
Keep the following in mind when selecting VLANs:
- The list of VLANs is derived from the VLANs that PCM discovers. Therefore, you should run Discovery to populate the VLAN list before creating a new Access Profile.
- Untagged VLANs and tagged VLANs are mutually exclusive, meaning you cannot select the same VLAN as both untagged and tagged.
- The VLAN set for a user overrides the statically configured VLAN, as well as the auth-vid that may have been configured for that port. If an unauth-vid is set and the user is rejected by IDM for any reason, the port is opened and the VLAN is set to the unauth-vid.
QoS: Select the Quality of Service, or priority, given to outbound traffic under this profile. Select the setting from the pull-down menu.
Ingress rate-limit / Egress rate-limit: Select the rate-limits applied for this profile. Use the up-down arrows to increase or decrease the bandwidth setting. The default setting is 1000 Kbps (1 Mbps). Note: This is translated to a percentage of bandwidth at the switch.

Notes: If you are assigning any VLAN other than the default VLAN, ensure that the VLAN is configured correctly on all switches to which this access profile will be applied before defining the access profile. The VLAN that gets set for a user will override the statically configured VLAN, as well as the auth-vid that may have been configured for that port. Note also that if an unauth-vid is set and the user is rejected by IDM for any reason, the port is opened and the VLAN is set to the unauth-vid.

3. If you want the IDM QoS attributes to override the switch attributes, use the QoS list to select the quality of service or priority for outbound traffic of users in groups associated with the access profile. QoS ranges from lowest to highest, with Normal being the default.
4. In the Ingress rate-limit field, select the maximum bandwidth or rate limit allocated for traffic from users assigned to the Access Policy Group using the Access Profile. The default setting is 1000 Kbps (1 Mbps), which is translated to a percentage of bandwidth at the switch.
5. In the Egress rate-limit field, select the maximum bandwidth or rate limit allocated for traffic to users assigned to the Access Policy Group using the Access Profile. The default setting is 1000 Kbps (1 Mbps), which is translated to a percentage of bandwidth at the switch.
6. To assign the Network Resources, click Edit. This launches the Network Resource Assignment Wizard.

Figure: Network Resource Assignment Wizard

7. Click Next to continue to the Allowed Network Resources window.

Figure: Network Resource Assignment Wizard, Allowed Network Resources

8. To permit access to Network Resources:
   a. Select the Resource from the Available Resources list. Use shift-click to select multiple resources.
   b. Move the Available Resource(s) to the Allowed Resources list (click >>).
   c. Click Next to continue to the Denied Network Resources window.

Figure: Network Resource Assignment Wizard, Denied Network Resources

9. To deny access to Network Resources:
   a. Select the Resource from the Available Resources list. Use shift-click to select multiple resources.
   b. Move the Available Resource(s) to the Denied Resources list (click >>).
   c. Click Next to continue to the Priority Assignment window.

Figure: Network Resource Assignment Wizard, Priority Assignment

10. Set the priority (order of evaluation) for the Network Resources. To change the priority, select the Resource from the list, then click Move down or Move up. The first rule to match is the one that will be applied.
11. Click Next to continue to the Default Access window.

Figure: Network Resource Assignment Wizard, Default Access

12. Select the option to tell IDM what to do if no match is found in the network resource access rules.
13. Click Next to continue to the Resource Accounting window.

Figure: Network Resource Assignment Wizard, Resource Accounting

14. Select the check box to enable one or more Accounting functions (optional). This enables tracking of hits on this resource on the switch or access point. Use the CLI on the switch to review the hits.
15. Click Next to continue to the Summary window.

Figure: Network Resource Assignment Wizard, Summary

16. Click Finish to save the Network Resource Assignments to the Access Profile and close the wizard. Alternatively, click Back to return to a previous window and change the assignment, click Cancel to close the wizard without saving the changes, or click Start Over to return to the start of the Network Resource Assignment Wizard.

Modifying an Access Profile

To modify an Access Profile:

1. On the Access Profiles window, select an Access Profile from the list.
2. Click the Modify Access Profile button to display the Modify Access Profile window. The Modify window shows the details of the Access Profile, similar to the Create a new Access Profile window.

3. Modify the access profile parameters, as described for creating a new profile. Click Edit to change the Network Resource Assignments using the wizard.
4. Click OK to save your changes and close the window. The changes are displayed in the Access Profiles list.

Note: When modifying Access Profiles, make sure the appropriate VLANs are configured on the network and at the switch. If you modify the VLAN attribute in an Access Profile that is currently used in an Access Policy Group rule, IDM will check that the VLAN exists. If not, an error message is displayed.

Deleting an Access Profile

To remove an existing Access Profile:

1. On the Access Profiles window, select an Access Profile from the list.
2. Click the Delete Access Profile button in the toolbar to remove it.
3. The first time you use the Delete option, a warning pop-up is displayed. Click OK to continue, or Cancel to stop the delete process.

Note: Before you modify or delete an Access Profile, make sure that your changes will not adversely affect users in Access Policy Groups where the profile is used.
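The Network Resource rules of an Access Profile (Table 3-6 and the Network Resource Assignment Wizard above) are an ordered permit/deny list with a default action: the first rule whose resource matches a packet decides, and the Default Access selection applies when nothing matches. The Python below models that evaluation, including the guide's warning that an application-port resource must carry the right protocol. It is an added example, not IDM's or the switch's ACL code; the resources, the Guest and HR profiles, and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NetworkResource:
    """One IDM Network Resource: an IP-based filter on address, protocol and port.
    address=None is the 'Any address' option, port=None is 'Any port', and
    protocol 'IP' matches every IP protocol (TCP, UDP, ICMP, ...)."""
    name: str
    address: Optional[str] = None     # "10.0.0.0/8", "2001:db8::/32" or None
    protocol: str = "IP"              # "IP", "TCP" or "UDP"
    port: Optional[int] = None

    def matches(self, dst_ip: str, protocol: str, dst_port: Optional[int]) -> bool:
        if self.address is not None:
            network = ipaddress.ip_network(self.address, strict=False)
            # ipaddress never places an IPv6 address inside an IPv4 network.
            if ipaddress.ip_address(dst_ip) not in network:
                return False
        if self.protocol != "IP" and self.protocol != protocol:
            return False
        if self.port is not None and self.port != dst_port:
            return False
        return True


@dataclass(frozen=True)
class ResourceRule:
    priority: int            # lower number is evaluated first (wizard's Priority page)
    action: str              # "permit" (Allowed Resources) or "deny" (Denied Resources)
    resource: NetworkResource
    accounting: bool = False # Resource Accounting page: count hits on this rule


@dataclass
class AccessProfile:
    name: str
    rules: List[ResourceRule]
    default_action: str      # Default Access page: applied when no rule matches
    hits: Dict[str, int] = field(default_factory=dict)

    def evaluate(self, dst_ip: str, protocol: str, dst_port: Optional[int] = None) -> Tuple[str, Optional[str]]:
        """First rule (by priority) whose resource matches the packet wins."""
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.resource.matches(dst_ip, protocol, dst_port):
                if rule.accounting:
                    self.hits[rule.resource.name] = self.hits.get(rule.resource.name, 0) + 1
                return rule.action, rule.resource.name
        return self.default_action, None


# Constructed resources (not from the original page).
INTERNAL = NetworkResource("Internal networks", "10.0.0.0/8")
PAYROLL = NetworkResource("Payroll", "10.20.0.0/24", "TCP", 443)
HTTP_OUT = NetworkResource("HTTP out", None, "TCP", 80)
HTTPS_OUT = NetworkResource("HTTPS out", None, "TCP", 443)
# DNS queries are UDP, so a TCP/53 resource never matches them: the
# "wrong protocol" case the guide's note warns about.
DNS_WRONG = NetworkResource("DNS (TCP, wrong protocol)", None, "TCP", 53)

# Guest profile: deny everything internal first, then allow web out, default deny.
GUEST = AccessProfile("Guest", [
    ResourceRule(1, "deny", INTERNAL, accounting=True),
    ResourceRule(2, "permit", HTTP_OUT),
    ResourceRule(3, "permit", HTTPS_OUT),
    ResourceRule(4, "permit", DNS_WRONG),
], default_action="deny")

# HR profile: payroll over HTTPS only, nothing else on that subnet, default permit.
HR = AccessProfile("HR", [
    ResourceRule(1, "permit", PAYROLL),
    ResourceRule(2, "deny", NetworkResource("Rest of payroll subnet", "10.20.0.0/24")),
], default_action="permit")
```

The Guest profile shows why priority matters: the deny on 10.0.0.0/8 sits above the permit for TCP/80, so an internal web server is blocked even though the HTTP rule would match it; swapping the two priorities would let that traffic through. The UDP/53 packet falls through to the default deny because the only DNS resource was defined as TCP.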

Defining Access Policy Groups

An Access Policy Group (APG) contains rules that define the VLAN, rate-limit (bandwidth), quality of service, and network resource access rules for users in the group, based on the time, location, and system from which the user logs in. You can also create rules that work in conjunction with third-party endpoint integrity (Host Integrity) applications to verify that systems attempting to connect to the network meet security requirements.

Each rule in an Access Policy includes the following parameters:

- Location - identifies the switch and/or switch ports where users connect to the network. Location can identify physical wiring connections to segment the network.
- Time
- System
- Endpoint Integrity
- Access Profile

Multiple access policy groups can be added to a domain, and multiple access profiles, locations, and times can be referenced and configured in an access policy group. Access policy groups can be created manually, or automatically if Active Directory synchronization is enabled. However, Access Policy Group names must be unique within a Domain.

When a user assigned to the APG is authenticated on the RADIUS server, the IDM Agent applies the appropriate rule, which can cause the switch or access point to accept or reject the user, and modifies the RADIUS reply to provide the appropriate network access to the user.

You can create an APG that does not have any limitations, that is, one that allows Any location, time, and system, and accepts the default switch settings for VLAN, QoS, and Bandwidth. This allows you to use IDM to monitor logins and network resource usage by user, without limiting user access to the network.

To begin, expand the Domains node to display the Access Policy Group node in the IDM tree, then select it to display the Access Policy Groups tab. You can expand the Access Policy Group node in the tree and select an individual APG node to display the policy Properties tab.

Figure: Access Policy Group Properties tab

Creating an Access Policy Group

To create an Access Policy Group:

1. Select the Access Policy Group node from the IDM tree to display the Access Policy Groups tab.
2. Click the New Access Policy Group button in the toolbar to display the New Access Policy Group window.

Figure: New Access Policy Group

3. Type a Name and Description for the Access Policy Group.
4. Click New to display the New Access Rule dialog.

Figure: New Access Rule

5. Select an option for each field. When all the parameters are set, click OK to save the Access Rule configuration and close the dialog.

Parameters for Access Rules are described in the following table.

Table 3-8. Access Rule parameters

Field/Section / Lists...
Location: Locations you created, by name, and the ANY option. If you select ANY and the access profile for the rule points to a VLAN, ensure that the VLAN is configured on every switch to which users in this access policy group will be connecting.
Time: Times you created, by name, and the ANY option.
System: Systems from which the user can log in. ANY allows the user to log in on any system. OWN restricts users to the systems defined for that user. See Configuring User Systems on page 3-77 for details.
WLAN: WLANs in the network, and an ANY option. If PCM Mobility Manager is not installed the list is empty, but you can type in the WLAN.
Device Type Group: You can select a Device Type Group from the Device Type Group field. The default is the ANY option.
End Point Integrity: If selected in IDM Preferences, the information described in Using IDM with Endpoint Integrity Systems.
Access Profile: Access Profiles you created, by name, the Default Access Profile, and a REJECT option. Select REJECT if the rule will prohibit a user from logging in.

6. Repeat the above process for each rule you want to apply to the APG.
7. The Access Rules are evaluated in the order (priority) they are listed in the Access Rules table. Use Move Up or Move Down to arrange the rules in the order you want them to be evaluated. IDM checks each rule in the list until a match on all input parameters is found, then applies the corresponding access profile to the user.

For example, if you want to allow a user to log in from any system during the work week (Mon. - Fri.), but you want to deny access to users on the weekend, you would:

- Create a Time for the weekend.
- Create an Access Profile, "Default", to be applied during weekdays.
- Define two rules for the APG, similar to the following:

Location / Time / System / Access Profile
ANY / weekend / ANY / REJECT
ANY / weekday / ANY / Default

When the user is authenticated, IDM checks the Access Policies in the order listed. If it is Saturday or Sunday, the user's access is denied. On any other day, the user is allowed on the network. If the order were reversed, IDM would never read the second rule because the first rule would provide a match every day of the week.

8. Click OK to save the Access Policy Group and close the window. IDM will verify that the rules in the APG are valid. If a rule includes a defined VLAN (from the Access Profile) and the VLAN does not exist on the network or devices for the location(s), an error message is returned and you must fix the problem before the APG can be saved. Click Cancel to close the window without saving the Access Policy Group configuration.
9. The new Access Policy Group is listed in the Access Policy Groups tab.

Assigning Rules to an Auto-generated Access Policy Group

Active Directory synchronization automatically creates Access Policy Groups with the default values of:

- Any Location
- Any Time
- Any System
- Any WLAN
- Any Device Type Group
- Any Endpoint Integrity
- Default Access Profile

To assign specific rules to an Access Policy Group, see Modifying an Access Policy Group (page 3-46).

Using IDM with Endpoint Integrity Systems

You can create access profiles in IDM that work in conjunction with endpoint integrity (host integrity) applications to verify that systems attempting to connect to the network meet security requirements. To use the Endpoint Integrity support option, you first need to select the Endpoint Integrity option in the IDM Preferences window (Tools > Preferences > Identity Management). With the Endpoint Integrity preference set, the Endpoint Integrity option will appear in the Access Rules windows.

Figure: Access Rule with Endpoint Integrity options

Select the Endpoint Integrity option to use with the access rule, as described in the following table.

Table 3-9. Endpoint Integrity options

Select... / To apply the access rule...
ANY: Regardless of the status passed from the endpoint integrity system.
PASS: In cases where the system the user is logged in on passes the endpoint integrity check.
FAIL: In cases where the system the user is logged in on fails the endpoint integrity check.
INFECTED: In cases where the system the user is logged in on has been identified as infected by the endpoint integrity system.
UNKNOWN: In cases where the system the user is logged in on has an endpoint integrity status of unknown.

For example, if you want to restrict access to a specific (remediation) VLAN when the endpoint integrity check fails, create a Location that specifies the remediation VLAN, then create an access rule that will put the user on that Location if the Host Integrity value is FAIL.

Modifying an Access Policy Group

To modify an Access Policy Group:

1. Select the Access Policy Group node from the IDM tree to display the Access Policy Groups tab.
2. Select an Access Policy Group Name.
3. Click the Modify Policy Group button in the toolbar to display the Modify Access Policy Group window.
4. Modify the Rules as needed. (See page 3-16 for field definitions.)
5. Click OK to save your changes and close the window. Click Cancel to close the window without saving the Access Policy Group changes.

Deleting an Access Policy Group

To delete an Access Policy Group:

1. Select the Access Policy Group node from the IDM tree to display the Access Policy Groups tab.
2. Select an Access Policy Group Name.
3. Click the Delete Policy Group button in the toolbar to delete the Access Policy Group. If Active Directory synchronization is enabled, a deleted Access Policy Group will be recreated when IDM is resynchronized or detects a change to the related Active Directory group, unless you remove the Active Directory group from the User Directory Settings.

Configuring User Access

The process of configuring user access to network resources using IDM is simplified through IDM's ability to learn user information from the Active Directory or RADIUS server, and the use of Access Policy Groups. If Active Directory synchronization is enabled, IDM creates an Access Policy Group for each Active Directory group selected in the User Directory Settings preferences and adds the users assigned to the Active Directory group to that Access Policy Group in IDM. Users are assigned to Access Policy Groups based on the rules explained in Using Active Directory Synchronization (see page 2-42).

If you do not use Active Directory synchronization, once you have configured the Access Policy Groups, you simply assign users to an APG. The next time the user attempts to log in to the network, IDM uses the rules in the user's Access Policy Group to dynamically configure the edge switch to provide the appropriate access to the network.

Click the Users tab on the Access Policy Group or Domain window to display the list of users. (See Domain Users tab on page 14.) The Users list identifies every defined user and contains the following information for each user:

Table Users list parameters

Column / Displays...
*: Whether the user is currently logged in (one icon for logged in, another for logged out). The button is greyed out if session accounting is disabled.
Name: User's full name as defined in Active Directory.
Last Login Attempt: Date and time the user last attempted to log in, regardless of whether the login failed or succeeded.
Auth ID: Identifier used by the user to access the network. This will be the user machine's MAC address if MAC authentication is used for network access. It will be the user's Active Directory login account name if 802.1X authentication is used for network access.
Device: Device name associated with the user.
Access Policy Group: Access policy group to which the user is assigned.
Phone: User's phone number.
User's Owner: Active Directory login account name of the user identified by Auth ID.

Table: Users list parameters (continued)

Column           Displays...
Domain           Domain in which the user logs in.
MAC Prefix       OUI that allowed the user to access the network through the Auto-Allow OUI configuration.
Expiration Time  Expiration time for the devices registered by guest users.
Device type      The type of device the user connects to the network with.
Useragent        The user-agent string containing the end-user information.

Adding Users to an Access Policy Group

To assign a user to an access policy group:
1. Expand the Domains node, then select the individual Domain to display the Users tab, or expand the domain to display its access policy groups. Click the Users tab in the individual Domain or Access Policy Group window.
2. Select the users in the list, then click the Add Users to APG button in the toolbar to display the Select Access Policy Group window.

Figure: Select Access Policy Group

3. In the Assign selected Users to Access Policy Group field, select the access policy group to which you want to assign the user(s). If you select the Default Access Policy Group, users can log in to RADIUS servers, but they are not governed by access policy group rules. IDM will still collect and display event information for users in the Default APG, as long as they are authenticated by the RADIUS server.
4. Click OK to save the assignments and close the window. The new APG assignments are displayed in the Users list.

3-49

Changing Access Policy Group Assignments

To re-assign users to a different APG:
1. Select the access policy group or domain from the IDM navigation tree, and then click the Users tab in the Access Policy Group or Domain window.
2. Select the users in the list, then click the Add Users to APG button in the toolbar to display the Select Access Policy Group window.
3. Select a different option from the Assign selected Users to Access Policy Group menu.
4. Click OK on the confirmation pop-up, then click OK on the Select Access Policy Group window to save your changes and close the window. The new APG assignments are displayed in the Users list.

Note: Once users are registered in the default Guest Access Policy Group, they cannot be moved to any other group.

Using Global Rules

Global Rules provide an exception process to the normal processing of access rules via Access Policy Groups. IDM checks for Global Rules and applies them to the designated users before processing any access rules found in Access Policy Groups. For example, you can use a Global Rule to deny access to the network during a specific time period, such as a site shutdown or a network maintenance window.

Global Rules are typically used to apply to all users in a domain. They can also be defined to apply to a single user or access policy group. Global Rules should not take the place of the rules defined within the Access Policy Groups; they are intended for special cases.

To display global rules, select the Domain from the IDM navigation tree, then click the Global Rules tab in the Domain display.

3-50

Figure: Global Rules tab

The Global Rules tab provides the following data about defined global rules:

Table: Global Rules parameters

Column              Displays...
Target              User(s) or access policy group to which the rule applies.
Location            Location where the rule is used.
Time                Time that the rule is used.
System              System where the rule is used.
WLAN                WLAN where the rule is used. Appears only if the Enhanced Wireless Support option is set in Preferences for Identity Management.
Endpoint Integrity  Endpoint integrity status used by the rule. Appears only if the Endpoint Integrity option is set in Preferences for Identity Management.
Access Profile      Access profile governing user permissions during the session.
Device type group   Device type group where the rule is used.

Creating a Global Rule is similar to creating Access Rules for an Access Policy Group. To create a global rule:
1. From the navigation tree, select the domain that will use the global rule, then click the Global Rules tab in the Domain's display.

3-51

2. Click the Create a New Global Rule button to display the New Global Rule window.

Figure: Global Rules dialog

3. Select the Target Properties:
   To use the global rule for all users in the domain, select All Users.
   To use the global rule for a specific user, select Single User and type the user name in the field.
   To use the global rule for an access policy group, click Access Policy Group and select the group from the menu.
   Note: To create a global rule for multiple users or multiple groups, create multiple rules, each referencing a single user or group.
4. Set the Access Properties for the Global Rule. This is similar to the process used to define Access Policy Rules when you create an Access Policy Group (see page 3-42).
   a. Select the Location where the global rule will be applied, or ANY.
   b. Select the Time when the global rule will be used, or ANY.
   c. Select the System where the global rule will be used, or ANY.

3-52

   d. Select the WLAN where the global rule will be used, or ANY. This option appears only if the Enable Enhanced wireless support option is set in the Preferences for Identity Management.
   e. Select the Device type group where the global rule will be applied, or ANY. If Endpoint Integrity is enabled, this Device Type Group option appears between the WLAN and Endpoint Integrity options.
   f. In the Access Profile field, select the access profile where the global rule will be used.
   g. If Endpoint Integrity is enabled, select the option that indicates when the rule will be applied, relative to the endpoint integrity status (PASS, FAIL, or ANY).
5. Click OK to save your changes and close the New Global Rule window. The new global rule appears in the Global Rules list. As with access rules, global rules are evaluated in the order they are listed in the Global Rules table.
6. Use the Move Up or Move Down button in the toolbar to arrange the rules in the order you want them applied. IDM checks each rule in the list until a match on all parameters is found, then applies the matching rule.

Changing Global Rules

To edit Global Rules:
1. Navigate to the Global Rules window.
2. Select the rule you want to modify from the Rules list.
3. Click the Edit Global Rule button to display the Edit Global Rules window.
4. Change the desired values, as explained for New Global Rule.
5. Click OK to save the changes and close the Edit Global Rules window.

To delete a Global Rule:
1. Navigate to the Global Rules window.
2. Select the rule you want to delete from the Rules list.
3. Click the Delete Global Rule button in the toolbar.
4. Click Yes on the confirmation pop-up to complete the process. The rule is removed from the Global Rules list.

3-53
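The ordered, first-match evaluation described in steps 5 and 6, as an added Python example (not HP's code). The field names, the ANY wildcard value, the three target kinds and the sample rules are assumptions modelled on the New Global Rule dialog described above.

```python
"""Added example (not from the HP IDM guide): first-match evaluation of
IDM-style Global Rules with ANY wildcards and the three target types the
guide describes (All Users, Single User, Access Policy Group)."""
from dataclasses import dataclass
from typing import List, Optional

ANY = "ANY"  # wildcard a rule property may take, as in the IDM dialog


@dataclass(frozen=True)
class Session:
    """Constructed view of one login attempt as IDM would see it."""
    user: str
    apg: str                         # Access Policy Group the user belongs to
    location: str
    time: str                        # named Time object, e.g. "BusinessHours"
    system: str
    wlan: str = "N/A"                # only meaningful with enhanced wireless support
    device_type_group: str = "N/A"
    endpoint_integrity: str = "N/A"  # PASS / FAIL when endpoint integrity is on


@dataclass(frozen=True)
class GlobalRule:
    """One row of the Global Rules table; target_kind is exactly one of the
    three forms the New Global Rule dialog offers."""
    target_kind: str                 # "all" | "user" | "apg"
    target: Optional[str]
    access_profile: str              # profile applied when the rule matches
    location: str = ANY
    time: str = ANY
    system: str = ANY
    wlan: str = ANY
    device_type_group: str = ANY
    endpoint_integrity: str = ANY

    def targets(self, s: Session) -> bool:
        if self.target_kind == "all":
            return True
        if self.target_kind == "user":
            return s.user.lower() == (self.target or "").lower()
        if self.target_kind == "apg":
            return s.apg == self.target
        raise ValueError(f"unknown target kind {self.target_kind!r}")

    def matches(self, s: Session) -> bool:
        """A rule matches only when the target and ALL access properties
        match; ANY in the rule accepts any session value."""
        if not self.targets(s):
            return False
        pairs = [
            (self.location, s.location), (self.time, s.time),
            (self.system, s.system), (self.wlan, s.wlan),
            (self.device_type_group, s.device_type_group),
            (self.endpoint_integrity, s.endpoint_integrity),
        ]
        return all(want == ANY or want == have for want, have in pairs)


def evaluate_global_rules(rules: List[GlobalRule], s: Session) -> Optional[str]:
    """Walk the rules in table order and return the access profile of the
    first rule matching on all parameters; None means no global rule applied
    and evaluation falls through to the user's Access Policy Group rules."""
    for rule in rules:
        if rule.matches(s):
            return rule.access_profile
    return None


# Constructed sample: a maintenance-window deny for everyone, a quarantine for
# one APG on a failed integrity check, and a single-user exception listed first
# so that it wins over the broader deny (order matters, as step 6 says).
SAMPLE_RULES = [
    GlobalRule("user", "netadmin", "FullAccess", time="MaintenanceWindow"),
    GlobalRule("all", None, "DenyAll", time="MaintenanceWindow"),
    GlobalRule("apg", "Contractors", "Quarantine", endpoint_integrity="FAIL"),
]

if __name__ == "__main__":
    s = Session("jdoe", "Contractors", "Bldg1", "MaintenanceWindow", "Wired")
    print(evaluate_global_rules(SAMPLE_RULES, s))  # DenyAll
```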

Configuring Auto-Allow OUIs

In addition to traditional authentication methods, such as 802.1X, MAC-Auth, and Web-Auth, IDM also provides Auto-Allow OUI: automatic authentication of static devices based on their MAC address prefix. This can save significant time, since you no longer have to individually register or configure each of your printers, IP phones, and similar devices. You simply set up an auto-allow group corresponding to the MAC address prefix associated with the device, and the devices are automatically allowed onto the network with the appropriate access rights.

Networks typically include several static devices, such as printers, which must be registered before being allowed network access. The Auto-Allow Organizationally Unique Identifier (OUI) feature is used to easily add common MAC address prefixes of static devices. Simply create an Access Policy Group and add the OUI prefix. For example, to allow all HP printers with MAC addresses beginning with A8 access to the network, you would:
1. Create an IDM Access Policy Group and add the OUI (MAC address prefix) to this Access Policy Group.
2. Optionally, create an Access Policy rule for this group to provide access controls, such as assigning the devices to a specific VLAN used for printers.

Regardless of whether the Active Directory accepts or rejects access to the network, IDM checks the MAC address in the incoming RADIUS request packet against the OUIs configured under all the Access Policy Groups in a Domain. If IDM finds a matching OUI in an Access Policy Group, the device is assigned to that group and receives its attributes. Auto-allow authenticates devices that match the MAC prefix whether you are using SNAC registration or Active Directory to authenticate your connecting devices.

An overview of the operation of the Auto-Allow OUI feature is shown in the following figure:

3-54

Figure: Network Access with Auto-Allow OUI

In the figure above, the following steps take place before a static device is allowed network access:
1. Using the IDM client, a user adds a MAC prefix/OUI to an Access Policy Group. The OUI can be added to an existing Access Policy Group, or a new Access Policy Group can be created for the OUI. An OUI may contain 1 to 12 characters.
2. When a device is connected to a switch port configured for MAC-based authentication, the RADIUS request packet is sent to the RADIUS server. The RADIUS server rejects the device because the user name (MAC address) is not in the Active Directory.
3. The request is then forwarded to the IDM Agent for authorization.
4. The IDM Agent compares this user name (MAC address) against the list of configured OUIs.

3-55

5. If a match is found, the device is assigned to the Access Policy Group associated with that OUI.
6. The login event is logged in the IDM Event Browser and the user session information is shown in the Users tab.
7. If the OUI is removed, the device is denied network access when the next re-authentication timer expires.

Note: If a user name is present in the global rules, the IDM users table, and an OUI, the IDM Agent uses the OUI first to authenticate the user. If two OUIs match the incoming user name, the OUI with the most characters is used to authenticate the user and assign the corresponding Access Policy Group.

Viewing Auto-Allow OUIs and Network Access

For a Domain

To view all Auto-Allow OUIs in a domain:
1. From the IDM navigation tree, click the Domains node containing the OUI.
2. In the right pane, click the Auto-Allow OUIs tab.

Figure: Auto-Allow OUIs for Domain

For an Access Policy Group

3-56

To view all Auto-Allow OUIs in an Access Policy Group:
1. From the IDM navigation tree, select the Access Policy Group node containing the OUI.
2. Select the Auto-Allow OUIs tab.

Viewing Auto-Allow User Information

To view information for current users:
1. From the IDM navigation tree, select the Domain node or Access Policy Group node containing the OUI for the user information you want to view.
2. Select the Users tab.
3. To modify the user information displayed, right-click the tabs (below the buttons and above the list of users) and use the list to check or uncheck which tabs you want displayed in this view.

Figure: Auto-Allow OUIs for Access Policy Group

3-57

Monitoring OUI Events and User Session Information

When an incoming user name (MAC address) using MAC authentication matches an OUI, the user is granted access to the network and assigned to the corresponding Access Policy Group. An event is added to the IDM Event Browser indicating that the user logged in successfully. In addition, user session information is displayed in the Users tab for the corresponding Access Policy Group, as shown in the figure.

Adding an OUI

An Auto-Allow OUI can be added to a Domain or Access Policy Group using:
   The Add OUI button on the Auto-Allow OUIs tab, or
   The Auto-Allow OUIs feature when creating an Access Policy Group

Using the Auto-Allow OUIs Tab

1. Navigate to the Domains node or Access Policy Groups node where you want to add the OUI.
   a. Select the Domain or Access Policy Group from the navigation tree.
   b. Click the Auto-Allow OUIs tab.
2. On the Auto-Allow OUIs tab, click the Add OUI button to display the Add OUI window.

3-58

Figure: Add Auto-Allow OUI

3. Select a pre-loaded well-known OUI or type in your own MAC prefix.
   To use a pre-loaded OUI:
   a. From the MAC Prefix list, select the well-known OUI.
   b. Optionally, in the Description field, enter a brief description identifying the type of device using the MAC prefix.
   c. From the Access Policy Group list, select the Access Policy Group to which the OUI will be assigned.
   d. Click OK.
   To enter your own MAC prefix:
   a. Select Type in your own MAC Prefix.
   b. In the MAC Prefix field, type the MAC prefix (1-12 hexadecimal characters) in the aa:aa:aa:aa:aa:aa, aa-aa-aa-aa-aa-aa, or aaaaaaaaaaaa format. Duplicate entries are not allowed. However, if an OUI is contained within a longer OUI (for example, OUI contained in longer OUI A8), the OUI with the most characters is compared against the incoming user name (MAC address).

3-59

   c. Optionally, in the Description field, type a brief description identifying the type of device using the MAC prefix.
   d. From the Access Policy Group list, select the Access Policy Group to which the OUI will be assigned.
   e. Click OK.

Notes: HP devices are allocated MAC prefixes (OUIs) in disparate blocks. Therefore, IDM is not able to show OUIs for HP devices in the list of well-known MAC prefixes on the Add OUI window. For example, today HP books a block of 10,000 MAC prefixes. After all of these are used up for particular HP product(s), HP books another block of MAC prefixes. As a result, new models of the same HP product will have a different range of MAC prefixes.

When Creating an Access Policy Group

OUIs can also be added to IDM when creating an Access Policy Group, as explained below.
1. When creating a new Access Policy Group, on the New Access Policy Group window, select the Auto-Allow OUIs check box to activate the OUI buttons.
2. In the OUI section of the New Access Policy Group window, click New.

Figure: Add Auto-Allow OUI

3. On the Add OUI window, in the MAC Prefix field, use the list to select a pre-loaded well-known OUI,

3-60

   or type the common characters of the prefix (1-12 hexadecimal characters) in the aa:aa:aa:aa:aa:aa or aaaaaaaaaaaa format. Duplicate entries are not allowed. However, if an OUI is contained within a longer OUI (for example, OUI contained in longer OUI A8), the OUI with the most characters is compared against the incoming user name (MAC address).
4. Optionally, in the Description field, type a brief description identifying the type of device using the MAC prefix.
5. Click OK and finish creating the Access Policy Group.

About HP and Custom OUIs in Server/Config

IDM uses two files in its server/config directory to manage OUIs:
   HPOUIs - Contains all well-known vendors and their OUIs known to HP Networking at the time of the IDM product release. Important: Do not edit the HPOUIs file.
   CUSTOMOUIs - Contains your own OUIs. You can edit it with your own vendor specifications.

IDM first reads the CUSTOMOUIs file and then the HPOUIs file. If it finds an OUI in CUSTOMOUIs as well as in HPOUIs (a duplicate), it gives CUSTOMOUIs priority and displays the OUI as assigned to the vendor name you have specified. For example, if the vendor name AVAYA is present in the HPOUIs file with the OUI E under it, and CUSTOMOUIs is edited to add a vendor AVAYA-PHONE-HUMAN-RESOURCE with the same OUI E, the IDM client displays E under the vendor AVAYA-PHONE-HUMAN-RESOURCE instead of AVAYA.

3-61

Editing your own CUSTOMOUIs file (example):

    OUIS {
        xyzphonevendor {
            aa-bb-c1=
            aa-bb-c2=
        }
    }

In the above example, xyzphonevendor is your device vendor, and aa-bb-c1 and aa-bb-c2 are the MAC prefixes manufactured by this vendor.

Note: You must restart the IDM server for your CUSTOMOUIs changes to take effect.

If IDM finds a vendor in CUSTOMOUIs that is not present in HPOUIs, it adds this vendor (along with the OUIs under it) to the full OUI list shown in the client.

New IDM product releases will provide an updated HPOUIs file, which overwrites your existing HPOUIs file when you upgrade. However, new product releases do not contain the empty CUSTOMOUIs file, so that your OUIs are not overwritten. This way, your changes are kept intact and, at the same time, HP can update its set of OUIs in your environment.

Modifying an OUI

1. Navigate to the Auto-Allow OUIs tab for the Domain node or Access Policy Group node containing the OUI to be modified.
   a. Select the Domain or Access Policy Group from the navigation tree.
   b. Click the Auto-Allow OUIs tab.
2. On the Auto-Allow OUIs tab, select the OUI to be modified and click the Modify OUI button.
3. On the OUI modification window, change the desired fields, as explained in Adding an OUI.
4. Click OK.

Note: You can also open the OUI modification window by right-clicking the OUI and selecting Modify OUI from the menu.

3-62

Moving an OUI to Another Access Policy Group

1. Navigate to the Auto-Allow OUIs tab for the Domains node or Access Policy Groups node containing the OUI to be moved.
   a. Select the Domain or Access Policy Group from the navigation tree.
   b. Click the Auto-Allow OUIs tab.
2. On the Auto-Allow OUIs tab, click the Assign OUIs to Access Policy Group button, or right-click the OUIs to be moved, select Assign OUIs to Access Policy Group, and then select the Access Policy Group to which the OUI will be moved.

Note: Auto-Allow OUIs are more susceptible to MAC spoofing, but the negative impact can be greatly reduced by appropriately limiting the capabilities granted to the OUIs through the IDM controls for QoS, rate limiting, VLAN assignment, locations, and ACLs. Since the devices typically auto-allowed (such as printers and IP phones) are usually confined to particular VLANs with very restrictive ACLs, this is a good trade-off between ease of management and security. It is important, however, to remember to apply these limitations to minimize the impact of any possible MAC spoofing of these types of devices.

Deleting an OUI

1. Navigate to the Auto-Allow OUIs tab for the Domains node or Access Policy Groups node containing the OUI to be deleted.
   a. Select the Domain or Access Policy Group from the navigation tree.
   b. Click the Auto-Allow OUIs tab.
2. On the Auto-Allow OUIs tab, select the OUIs to be deleted. Use standard Windows conventions (Shift+click or Ctrl+click) to select multiple OUIs.
3. Click the Delete OUI button to display the OUI deletion window.
4. Confirm that you want to delete the selected OUIs by clicking Yes.

Note: You can also open the OUI deletion window by right-clicking the OUI and selecting Delete OUI. Deleting an OUI automatically deletes the devices that were auto-allowed by it.

3-63

Auto-Allow OUIs for 802.1x and Web Authentication

IDM performs access control in the following order, irrespective of the authentication mechanism used:
1. Check for auto-allow OUI
2. Check for Global Rule
3. Check for Access Rule

Consider a domain user imported into the IDM database from an Active Directory server using Active Directory synchronization, where the network administrator has configured an auto-allow OUI to isolate certain devices into the auto-allow group. This is helpful for isolating static devices such as IP phones that perform 802.1x authentication into specific, less secure groups.

When a device used by a domain user performs 802.1x or web authentication, IDM first checks whether the device MAC address matches any of the configured auto-allow OUIs. If it matches, the device is assigned to the auto-allow group, and the access rules associated with the auto-allow group are applied to the device. If the device MAC address does not match any of the configured auto-allow OUIs, the Global Rule and Access Rule checks are performed.

In the following figure, the OUI "001c2e" is configured on the group "autoallowgroup". The domain user "faculty" has performed 802.1x authentication with a device whose MAC address matches the OUI "001c2e". Therefore, the Name and Auth ID fields are shown as faculty(001c2ed42200) and the user is shown in the group "autoallowgroup". The first part of the Auth ID field denotes the domain user name, and the latter part denotes the MAC address of the device that performed 802.1x/web authentication.

If the same domain user "faculty" performs 802.1x or web authentication with another device whose MAC address does not match the OUI "001c2e", the second row in the user table shown will turn green, with the user "faculty" shown in its original group "facultygroup".

3-64
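The OUI handling described in the About HP and Custom OUIs section (file format, CUSTOMOUIs priority, accepted prefix formats, duplicate rejection, longest-prefix match) and the OUI-first ordering above, as one added Python example that is not HP's code. Vendor names and the OUI 001c2e come from the guide; the other prefix values and all function and class names are constructed assumptions.

```python
"""Added example, not HP's code: the Auto-Allow OUI logic this guide describes
(HPOUIs/CUSTOMOUIs file format and CUSTOMOUIs priority, the three accepted MAC
prefix formats, duplicate rejection, longest-prefix match, OUI before rules)."""
import re
from typing import Dict, List, Optional, Tuple

_HEX = re.compile(r"^[0-9a-f]{1,12}$")


def normalize_prefix(text: str) -> str:
    """aa:aa:aa:aa:aa:aa, aa-aa-aa-aa-aa-aa or aaaaaaaaaaaa (1-12 hex digits)
    -> lowercase hex without separators; anything else is rejected."""
    raw = text.strip().lower().replace(":", "").replace("-", "")
    if not _HEX.match(raw):
        raise ValueError(f"invalid MAC prefix {text!r}")
    return raw


def parse_oui_file(content: str) -> Dict[str, List[str]]:
    """Parse the vendor block format of HPOUIs/CUSTOMOUIs shown in the guide,
    OUIS { vendor { aa-bb-c1= aa-bb-c2= } }, into {vendor: [prefixes]}."""
    tokens = re.findall(r"[{}]|[^\s{}]+", content)
    if tokens[:2] != ["OUIS", "{"]:
        raise ValueError("file must start with 'OUIS {'")
    vendors: Dict[str, List[str]] = {}
    vendor: Optional[str] = None
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":                      # closes a vendor block, or the file
            if vendor is None:
                break
            vendor = None
        elif vendor is None:                # expect "vendorname {"
            if i + 1 >= len(tokens) or tokens[i + 1] != "{":
                raise ValueError(f"expected '{{' after vendor {tok!r}")
            vendor = tok
            vendors.setdefault(vendor, [])
            i += 1
        else:                               # "prefix=" entry inside a vendor
            vendors[vendor].append(normalize_prefix(tok.split("=", 1)[0]))
        i += 1
    return vendors


def vendor_by_prefix(hp: Dict[str, List[str]],
                     custom: Dict[str, List[str]]) -> Dict[str, str]:
    """IDM reads CUSTOMOUIs first, so on a duplicate prefix the custom vendor
    name is the one the client displays; HPOUIs only fills the gaps."""
    table = {p: v for v, ps in custom.items() for p in ps}
    for v, ps in hp.items():
        for p in ps:
            table.setdefault(p, v)
    return table


class DomainOUIs:
    """Auto-Allow OUIs configured across all Access Policy Groups of a domain."""

    def __init__(self) -> None:
        self._apg_by_prefix: Dict[str, str] = {}

    def add(self, prefix: str, apg: str) -> None:
        p = normalize_prefix(prefix)
        if p in self._apg_by_prefix:            # guide: duplicate entries not allowed
            raise ValueError(f"duplicate OUI {prefix!r}")
        self._apg_by_prefix[p] = apg

    def remove(self, prefix: str) -> None:
        self._apg_by_prefix.pop(normalize_prefix(prefix), None)

    def match(self, mac: str) -> Optional[Tuple[str, str]]:
        """(prefix, apg) of the longest configured OUI the MAC starts with, so
        a shorter OUI nested in a longer one never wins; None if no hit."""
        m = normalize_prefix(mac)
        best: Optional[Tuple[str, str]] = None
        for p, apg in self._apg_by_prefix.items():
            if m.startswith(p) and (best is None or len(p) > len(best[0])):
                best = (p, apg)
        return best


def authorize(user: str, mac: str, ouis: DomainOUIs, home_apg: str) -> Tuple[str, str]:
    """First step of the order the guide gives (OUI, Global Rules, Access Rules):
    an OUI hit puts the device in the OUI's group and shows the Auth ID as
    user(mac) whatever the RADIUS/AD verdict was. Returns (auth_id, group); on a
    miss the user keeps the home APG for the rule checks, which are out of scope."""
    hit = ouis.match(mac)
    if hit is not None:
        return f"{user}({normalize_prefix(mac)})", hit[1]
    return user, home_apg


# Constructed inputs mirroring the guide's examples: vendor names are from the
# text, prefix values other than 001c2e are placeholders (the guide's were lost).
CUSTOM_FILE = "OUIS { xyzphonevendor { aa-bb-c1= aa-bb-c2= } }"
HP_FILE = "OUIS { AVAYA { aa-bb-cc= } }"
CUSTOM_OVERRIDE = "OUIS { AVAYA-PHONE-HUMAN-RESOURCE { aa-bb-cc= } }"
```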


Deploying Configurations to the Agent

An option in the IDM Preferences allows you to automatically deploy configuration changes to the IDM Agent. Alternatively, you can manually deploy changes made to Access Profiles, Locations, Times, or Network Resource configurations. If automatic deployment is disabled, you need to deploy the configuration information to the IDM Agent once you have configured the Access Policy Groups and assigned users. The Access Policy Group assignments (including the locations, times, and Access Profiles) are not applied until they are deployed to the IDM Agent on the RADIUS server and the user logs in again. Deployment overwrites and replaces the current configuration for that domain on that RADIUS server.

To manually deploy the IDM authorization policy configuration:
1. Right-click the Domains node in the IDM tree.
2. Select the Deploy current policy to this domain option to display the Deploy to RADIUS Servers window.

Figure: Deploy to RADIUS Servers

3. Click Deploy to write the access policy information to the IDM Agent for the selected Domains and the respective RADIUS servers.
4. Click Close to exit the window.

After the new access policy configurations are deployed, the deployment warning on the IDM Dashboard display is removed.

3-66

Using Manual Configuration

It is simplest to let the IDM Agent run and collect information about Domains, including the RADIUS servers and the users in the Domain learned from the RADIUS server, but you can also manually define information about the Domain, RADIUS servers, and users in the IDM GUI.

Defining New Domains

If you have configured a new Domain that uses a RADIUS server on which you have installed an IDM Agent, you can let the Agent learn the Domain information automatically, or you can define the Domain using the IDM GUI. To define a domain:
1. In the Domains pane, click the Add Domain button on the toolbar to display the New Domain window.

Figure: New Domain

2. Enter the information for the Domain:
   a. Type the Name used to identify the domain.
   b. In the Alias field, type an alternate name that can be used for the domain. For example, a fully qualified domain Name can be idm.main.hp and the Alias can be IDM. This is most useful when using IDM with Active Directory; make sure that the IDM domain alias matches the Active Directory NetBIOS name.
   c. Type a brief Description of the domain to help identify it.
   d. To set the domain as the default domain, select the Use as default Domain check box. The default domain is used when IDM cannot determine the domain for a RADIUS server or user login.

3-67

3. Click OK to save the Domain information and close the window. The new Domain appears in the Domains list and the IDM tree.

Modifying and Deleting Domains

To modify an existing Domain:
1. Select the Domain from the Domains list.
2. Click the Modify Domain button on the Domain list toolbar to display the Modify Domain window (similar to the New Domain window).
3. Edit entries as needed for the Domain:
   a. The Name used to identify the domain.
   b. The domain Description.
   c. To set the domain as the default domain, select the Use as default Domain check box. The default domain is used when IDM cannot determine the domain for a RADIUS server or user login.
4. Click OK to save the Domain changes and close the window. The Domain modifications appear in the Domain list and the Domain Properties tab.

To delete a Domain:
1. Select the Domain from the Domain list.
2. Click the Delete Domain button in the toolbar. A confirmation dialog is displayed.
3. Click Yes to complete the domain delete process. The selected domain and its associated users are removed from the Domain list and the IDM tree.

3-68

Adding RADIUS Clients

You can add and update RADIUS clients (PCM switches and manually added clients) on supported RADIUS servers used to enforce RADIUS authentication. The Add RADIUS Client wizard allows you to configure consistent RADIUS parameters on RADIUS servers and HP PCM switches. In addition, it detects possible conflicts between parameters already configured on the servers and the parameters you are configuring.

The Add RADIUS Client wizard supports the following RADIUS servers:
   Windows Server 2003
   Windows Server 2008

To add a RADIUS client:
1. Display a RADIUS Server tab and click the Add RADIUS Client button on the window toolbar.
2. On the Welcome window, click Next.
3. On the RADIUS Server Selection window, select the check box in the Selected column for each RADIUS server for which you want to configure a client, or click Select All to select all listed servers.

Figure: Add RADIUS Client Wizard, RADIUS Server Selection

3-69

4. Select the PCM switches to be configured as RADIUS clients on the selected RADIUS servers.

Figure: Add RADIUS Client Wizard, Device Selection

   a. Use the Available devices drop-down to display the devices by model.
   b. From the Available devices list, select the IP addresses of the PCM switches that will be added as RADIUS clients. This list displays all discovered PCM switches and their additional network interfaces (treated as manually added clients). Sort the devices by IP address or Model by clicking the column heading.
   c. Click >> to move the selected switches to the Selected devices list.
   d. To add a manually added client, type the IP address of the switch in the IP Address field on the right and click Add.
   e. When all switches you want to add as RADIUS clients are shown in the Selected devices list, click Next.
5. If duplicate IP addresses are found, select the action to take for the duplicate IP addresses:
   a. To update the existing client with the parameters you specify, select Update All.
   b. To retain the existing client parameters and end the wizard, select Discard All.

3-70

   c. Click Next.

As an example, suppose two RADIUS servers (S1, S2) and two RADIUS clients (C1, C2) are selected in the wizard, and both C1 and C2 already exist as RADIUS clients on both S1 and S2. The Duplicate IP Addresses step will contain four rows:
   1. C1 exists on S1
   2. C1 exists on S2
   3. C2 exists on S1
   4. C2 exists on S2

Three kinds of scenario can emerge, depending on what you select:
   RADIUS servers being discarded from a RADIUS client configuration. If you discard row 1, in the RADIUS Parameters step only S2 can be configured for C1 (S1 was discarded and S2 is the only configurable RADIUS server). For C2, both S1 and S2 will be available.
   RADIUS clients being excluded from the wizard. If you discard rows 1 and 2, C1 will be excluded from subsequent wizard steps. Only C2 will appear in subsequent wizard steps.
   All RADIUS clients being excluded from the wizard. If you discard all rows (1-4), C1 and C2 will be excluded from the wizard (based on the previous point), and because no other RADIUS clients were selected, the wizard cannot continue.

6. Define the shared secret used for RADIUS client/server authentication and the RADIUS server short name. The type of RADIUS client determines the number of configurations that it supports:

Device Type                Maximum RADIUS Server Configurations
PCM Wired Device           3
PCM Wireless Device        2
Manually added IP Address  1 (configuration added to all RADIUS servers that do not contain a duplicate IP address)

3-71
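The duplicate-row resolution of the S1/S2/C1/C2 example and the per-type limit from the table, as an added Python example that is not HP's wizard code. The function names and the (client, server) row representation are assumptions.

```python
"""Added example, not HP's code: the Duplicate IP Addresses resolution the
Add RADIUS Client wizard performs, as described in this guide, plus the
per-device-type limit on RADIUS server configurations."""
from typing import Dict, List, Set, Tuple

# Maximum RADIUS server configurations per client type (table in the guide).
MAX_CONFIGS = {
    "PCM Wired Device": 3,
    "PCM Wireless Device": 2,
    "Manually added IP Address": 1,
}


def resolve_duplicates(servers: List[str], clients: List[str],
                       existing: Set[Tuple[str, str]],
                       discarded: Set[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return, per client still in the wizard, the servers that remain
    configurable. `existing` holds the (client, server) duplicate rows the
    wizard shows; `discarded` is the subset the user chose to discard.
    A client with no configurable server left drops out of later steps;
    if every client drops out the wizard cannot continue (ValueError)."""
    unknown = discarded - existing
    if unknown:
        raise ValueError(f"discarded rows the wizard never showed: {sorted(unknown)}")
    result: Dict[str, List[str]] = {}
    for c in clients:
        ok = [s for s in servers if (c, s) not in discarded]
        if ok:
            result[c] = ok
    if not result:
        raise ValueError("all RADIUS clients excluded; the wizard cannot continue")
    return result


def check_server_count(device_type: str, n_servers: int) -> bool:
    """True if a client of this type may be configured on n_servers servers."""
    return 1 <= n_servers <= MAX_CONFIGS[device_type]


# Constructed instance of the guide's example: both clients already exist on
# both servers, so the Duplicate IP Addresses step shows four rows.
SERVERS, CLIENTS = ["S1", "S2"], ["C1", "C2"]
ROWS = {("C1", "S1"), ("C1", "S2"), ("C2", "S1"), ("C2", "S2")}
```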

Figure: Add RADIUS Client Wizard, RADIUS Parameters

To configure RADIUS parameters for a single client:
   a. In the RADIUS clients list on the left, select the RADIUS client that you want to configure.
   b. Select up to three RADIUS server parameters check boxes to represent the number of RADIUS servers where the specified client will be configured.
   c. For each server, use the RADIUS server list to select the short name of the RADIUS client in the RADIUS server. Only RADIUS servers that can be configured for this RADIUS client are listed (those that were not discarded for a specific RADIUS client in the Duplicate RADIUS Client step).
   d. For each server, in the Shared secret and Confirmed secret fields, type the secret key that will be used to authenticate the client on the RADIUS server.
   e. To unmask the shared secret, select the Show secrets check box.
   f. Click Next.

To configure RADIUS parameters for all listed clients:

3-72

   a. In the RADIUS clients list on the left, select All RADIUS clients to configure all listed clients.
   b. Check up to three RADIUS server parameters check boxes to represent the number of RADIUS servers where the selected clients will be configured.
   Note: If you select All RADIUS clients, the first RADIUS server configuration is used for wired devices, wireless devices, and manually added IP addresses; the second configuration for wired and wireless devices; and the third configuration only for wired devices.
   c. For each server, use the RADIUS server list to select the short name of the RADIUS clients in the RADIUS server. Only the RADIUS servers that are configurable for all RADIUS clients are listed.
   d. For each server, in the Shared secret and Confirmed secret fields, type the secret key that will be used to authenticate the client on the RADIUS server.
   e. To unmask the shared secret, select the Show secrets check box.
   f. Click Next.
7. Preview the configuration and ensure the displayed parameters are correct before creating the client(s) on the RADIUS server(s). Click Next to apply the settings. The list of configuration changes can be copied and pasted to another location.
8. Apply the selected RADIUS parameters to the selected devices and RADIUS servers. The progress and result are shown as the parameters are configured on each listed PCM switch or RADIUS server. To view a log of the application, click View Log.

3-73

Figure: Add RADIUS Client Wizard, Application of Settings

9. The final window of the Add RADIUS Clients wizard provides a summary of the application process. Ensure the configuration(s) were completed successfully and click Finish to close the wizard.

Deleting RADIUS Servers

To delete an existing RADIUS Server:

Note: Before you can completely delete the RADIUS server, you need to uninstall the IDM Agent on the server. Otherwise, the RADIUS server may be re-discovered, causing it to re-appear in the IDM tree.

1. Use the IDM Tree to navigate to the RADIUS List window, and select the RADIUS Server you want to delete in the list.
2. Click the Delete RADIUS button on the RADIUS List toolbar.
3. A pop-up confirmation dialog is displayed.

Figure: Delete RADIUS Server Confirmation dialog

4. Click Yes to complete the delete process and close the window. The RADIUS Server is removed from the RADIUS List and the IDM Tree.

Adding New Users

You can let the IDM Agent automatically learn about the users from the Active Directory or RADIUS server on which it is installed, or you can define user accounts in the IDM Client. You can also use the IDM User Import feature in the Tools menu.

Adding users in IDM: Manual Process

To add a new User in IDM:

1. Select the Users tab on the Access Policy Groups or Domains window, and then click the New User button to display the Define a new user window.

Figure: Define a new user

2. Enter information for the User:
   Auth ID: Type the user's username (required).
   Name: Optionally, type in a Name for the user.
   Domain: Select the Domain the user belongs to, if different from the default domain.
   Access Policy Group: Select the Access Policy Group to which the user belongs. This sets the access profile that is applied when the user logs in to the network. The default is NONE.
   Description: Optionally, type a brief text description of this user.

3. To restrict the user from logging in from a system that has not been defined in IDM, click the Systems tab to configure system permissions. Otherwise, click OK to save the user and close the window.

Configuring User Systems

1. To restrict the user's access to specific systems, click the Systems tab.

Figure: User Systems tab display

   Select systems in the All Systems list and click >> to move them to the Allowed Systems list. The user will be restricted to the selected systems.
2. To add a new user system, click Add to display the New User system dialog.
3. Enter the MAC Address of the system (in any format) from which the user is allowed to log in to the network, then click OK. The system information is displayed in the New User window. If the user is allowed to log in from more than one system, repeat the process for each system.
4. When the User's Systems are defined, click OK to save the new user information and close the window. The new user appears in the Users List.

Note: Access Policy Group settings are not applied to the user until you deploy the new configuration to the IDM Agent on the RADIUS server. See Deploying Configurations to the Agent on page 3-66 for details.

Bulk import of allowed systems for IDM users

If multiple MAC addresses are to be added to the list of allowed systems for multiple users, the administrator can use a feature that supports bulk import of allowed systems. The allowed systems are specified in comma-separated value format in a file. The following attributes must be set in C:\Program Files\Hewlett-Packard\PCM\server\config\IDMImportServerComp.scp.

To read the file specified in the attribute ALLOWED_SYSTEMS_FILENAME, set READ_ALLOWED_SYSTEMS_FROM_FILE to true. By default, the attribute READ_ALLOWED_SYSTEMS_FROM_FILE is set to false, and therefore the attribute ALLOWED_SYSTEMS_FILENAME is not read.

ALLOWED_SYSTEMS_FILENAME specifies the complete path of the Comma Separated Value (CSV) file. The values in the CSV file have the following format:

<auth-id1>, <mac-address1>
<auth-id1>, <mac-address2>
<auth-id2>, <mac-address3>, <mac-address4>

The MAC addresses for the same Auth ID can be specified on multiple lines or on the same line. The MAC addresses can be specified in any standard format, that is, with colon (:), hyphen (-), or without any delimiters. MAC addresses in an invalid format are skipped. It is assumed that the specified Auth IDs are present in the IDM database in the Default Domain. Any line that begins with the # character is treated as a comment and skipped.

After setting the attributes in the IDMImportServerComp.scp file, the server must be restarted for the changes to take effect. After allowed systems have been added this way, they can be deleted only through the IDM client, using the Modify User dialog.

Note: For troubleshooting, see the IDMImportServer-IDMImportServerLogger.log file placed in <server installed location>\server\logs.

Modifying and Deleting Users

To modify an existing User:

1. Select the User in the User List and then click the Modify User button in the toolbar.
2. The Modify User window (similar to the Define a new user window) displays.
3. Add, modify, or delete User System information as needed. To edit User Systems information, select the System in the list, then click Modify to display the Systems window and change the MAC Address. To delete a User System, select the System in the list, then click Delete. The changes appear in the Systems List for the user.
4. Click OK to save the new user information and close the window.

Note: Changes in Access Policy Group settings are not applied to the user until you Deploy the new configuration to the IDM Agent on the RADIUS server. See Deploying Configurations to the Agent on page 3-66 for details.

Deleting a User

1. Select the User in the User List.
2. Click the Delete User button in the toolbar.
3. Click Yes in the Confirmation pop-up to complete the process. The user is removed from the User List.

Using the User Import Wizard

The IDM User Import Wizard lets you add users to IDM from another source, such as an Active Directory or LDAP server. The IDM Import Wizard also synchronizes the IDM user database with the import source directory, and allows you to delete users from the IDM user database that are not found in the import source directory. IDM does this by copying the list of users from the directory to an XML file, comparing users in the XML file to users in the IDM user database, and listing the differences for you to add or remove the mismatched users in the IDM user database.

Importing an existing company directory or user database has the following benefits:

   It allows for easier initial setup, because all users in the company directory can be automatically added to the IDM directory.
   If the company directory contains group assignments, users can be automatically assigned to the appropriate policy group (based on membership in the company directory).
   When a user is removed from the company directory, they are automatically removed from the IDM user database. In addition, when a user's group membership is changed in the company directory, their network access policy group is automatically changed accordingly.
   Automating user import and synchronization leaves less room for error and reduces tedious work.
   It allows bulk import of SNAC devices into the IDM Database.

The basic import procedure is listed below, though the specific windows you see will vary based on the import data source.

1. Select the Source Type (Active Directory, LDAP server, XML file, or CSV file).
2. Define the source parameters.
   a. For Active Directory, select the Group Scope to import.
   b. For LDAP server, supply the server details, username, and password.

   Note: The IDM server includes several configuration files that contain information used to import User information from LDAP files. The default configuration settings will work if you are using MS Active Directory as the LDAP Server directory. If you are using any other LDAP directory source (for example Novell eDirectory or OpenLDAP) you will need to modify the LDAP Directory settings as described in Editing IDM Configuration for LDAP Import on page

   c. For XML, supply the filename (including the directory path). This file must exist on the IDM Server system.
   d. For CSV, supply the filename (including the directory path). This file must exist on the IDM Server system.
3. IDM extracts the user information from the data source, based on the defined parameters.
4. Select the Users, and groups (if applicable) to be added to IDM.
5. Select any Users to be removed from IDM.
6. Commit the changes to IDM.

Importing Users from Active Directory

Importing users from Active Directory with the IDM Import Wizard synchronizes IDM users with those in Active Directory, similar to enabling Active Directory synchronization. However, if you use the Wizard to import users, user changes in Active Directory are not monitored, and you cannot select specific Active Directory groups, as you can with Active Directory synchronization. Therefore, we recommend using Active Directory synchronization instead of the Import Wizard to import users from Active Directory. The Import Wizard option described in this section will not be enabled unless AD sync is disabled in IDM Preferences.

To import user information into IDM from an Active Directory:

1. If necessary, disable AD sync.
   a. From the global toolbar, select Tools > Preferences.
   b. From the Preferences navigation tree, select Identity Management > User Directory Settings.
   c. In the Identity Management: User Directory Settings pane, clear the Enable automatic Active Directory synchronization check box and then click OK.
2. From the global toolbar, select Tools > IDM User Import to launch the IDM Import Wizard.

Figure: IDM User Import Wizard

3. Click Next to continue to the Data Source selection window.

Figure: IDM User Import Wizard, Data Source

4. Click the radio button to select the Active Directory data source.
5. Click Next to continue to the Group Scope window.

Figure: IDM User Import Wizard, Group Scope

6. Select the scope of Active Directory groups from which you want to import user data.

   Option         Imports users from...
   All            All Active Directory groups
   Global         The Global Active Directory group. This will also get user data from any custom defined group in your Active Directory.
   Universal      The Universal Active Directory group
   Domain Local   The Domain Local Active Directory group
   System         The System Active Directory group

7. Click Next to continue to the Extracting User and Group information window.
8. When the display indicates the data extraction is done, click Next to continue to the Import Groups window.

Figure: IDM User Import Wizard, Import Groups

9. Check the Select check box(es) to choose the groups you want to import from the Active Directory to IDM. If there is no check box, the group already exists in IDM and does not need to be selected.
10. Click Next to continue to the Add Users window.

Figure: IDM User Import Wizard, Add Users

11. Check the Select check box(es) to choose the users you want to import from the Active Directory to IDM. The current Import data is compared to the existing user list in IDM. If no new (additional) users are found in the import data, the user list is empty. If any user exists in more than one Active Directory group, you will be prompted to select the group the user will belong to in IDM.
   a. Select the group from the list. If you have a large number of users that belong to multiple groups, select the check box to Assign all users to selected group. This will assign all the users to the selected group in a single step, and you will not need to repeat the group selection for each user.
   b. Click Next to continue. Repeat the process for each user.
   c. Click Finish to save the Group Selections and exit the pop-up.
   d. Click Back to change the previous selection.
12. Click Next to continue to the Remove Users window. The Import data is compared to the existing user list in IDM. Any users that exist in IDM, but are not found in the Import data, are listed. Select any users you want to delete from IDM. This window operates similarly to the Add Users window.

13. Click Next to continue to the Users and Groups Commitment window.

Figure: IDM User Import Wizard, Users and Groups Commitment

14. Click Go to save the selected group and user data (adds and deletes) to IDM.
15. When the commit data function is done, click Next to continue to the Import Complete window. A summary of the IDM Import displays.
16. Click Finish to exit the wizard.

Importing Users from an LDAP Server

The IDM Import Wizard includes support for using the Windows 2003 LDAP service to import users from an MS Active Directory. You can also import user data from other LDAP V3 (version 3) servers (for example, Netscape LDAP server).

To import user information into IDM from an LDAP Server:

1. From the global toolbar, select Tools > IDM User Import to launch the IDM Import Wizard.
2. Click Next to continue to the Data Source selection window.
3. Select the LDAP Server data source.
4. Click Next to continue to the LDAP Authentication window.

Figure: IDM User Import Wizard, LDAP Authentication

   a. To use the SSL authentication method, select the Use SSL check box.

   Note: To use SSL, ensure that your LDAP server supports SSL. The X509 certificate for your LDAP server must be installed in your Java trust store, and the PCM server must be restarted after installing the certificate. Contact your (LDAP) Administrator to get the certificate. The trust store is available under the installation directory of PCM. For example, if PCM is installed under Program files\hewlett-packard, type:

   C:> cd c:\program files\hewlett-packard\pnm\jre\lib\security
   C:> ..\..\bin\keytool -import -file <ldapcertfile> -alias myldapcert -keystore cacerts -keypass <certificate password> -trustcacerts -storepass <keystore password>

   The default keystore password is changeit.

   b. Select the LDAP Authentication type to be used with the imported user data:

   Option         Authentication type
   Simple         Simple authentication, which is not very secure, sends the LDAP server the fully qualified DN of the client (user) and the client's clear-text password.
   Digest-MD5     In Digest-MD5, the server generates a challenge and the client responds with a shared secret (password).
   Kerberos-V5    Based on Internet standard security, Kerberos V5 authentication is used with either a password or a smart card for interactive logon.
   External-TLS   External authentication uses authentication services provided by lower level network services such as TLS.
   Anonymous      No authentication is required by the LDAP server.

   c. Click Next to continue to the Authentication details window.

The Authentication details will vary based on the Authentication type selected; however, all LDAP Authentication methods require the following information:

   Server: The IP address or DNS name (fully qualified domain name) of the LDAP server. The IP address can be used for Simple, Anonymous, and Kerberos-V5 authentication in non-SSL mode.
   Domain: The domain name that will be used to create the Domain in IDM.
   Base DN: The Base Distinguished Name. This is the node in the directory where the search for users will begin. For example, for the domain hp.com the Base DN entry would be: dc=hp,dc=com

For Simple Authentication

Simple authentication, which is not very secure, sends the LDAP server the fully qualified DN of the client (user) and the client's clear-text password. Values for these fields can be obtained from the LDAP server administrator.

Figure: IDM User Import Wizard, Simple Authentication

To set up Simple authentication:

1. In the Server field, type the IP address or DNS name of the LDAP server.
2. In the Domain field, type the domain name. (It will be used to create a domain in IDM.)
3. Optionally, in the Base DN field, type the Base Distinguished Name. IDM will search only for users and groups from this node of the directory tree.
4. In the User field, type the user's DN used to access the LDAP server.
5. In the Password field, type the password associated with the user.
6. Click Next to continue to the Extract Users and Groups window.

Using Digest-MD5 Authentication

The SASL Digest MD5 authentication window is used to define the LDAP data source for Digest-MD5. In Digest-MD5, the server generates a challenge and the client responds with a shared secret (password). Values for these fields can be obtained from the LDAP server administrator.

Figure: IDM User Import Wizard, SASL Digest MD5 Authentication

To set up Digest MD5 authentication:

1. In the Server field, type the DNS name of the LDAP server.
2. In the Domain field, type the domain name. It is used to create a domain in IDM.
3. Optionally, in the Base DN field, type the Base Distinguished Name. IDM will search only for users and groups from this node of the directory tree.
4. In the User field, type the user DN used to access the LDAP server.
5. In the Password field, type the password associated with the user.
6. Click Next to continue to the Extract Users and Groups window.

Using Kerberos-V5 Authentication

The SASL Kerberos V5 authentication window is used to define the LDAP data source for Kerberos. Kerberos V5 authentication requires that your LDAP server is set up with a KDC (Key Distribution Center). Please contact your LDAP server administrator for details.

Figure: IDM User Import Wizard, SASL Kerberos V5 Authentication

To set up Kerberos V5 authentication:

1. In the Server field, type the IP address or DNS name of the LDAP server.
2. In the Domain field, type the domain name. It will be used to create a domain in IDM.
3. Optionally, in the Base DN field, type the Base Distinguished Name. IDM will search only for users and groups from this node of the directory tree.
4. In the User field, type the user name used to access the LDAP server.
5. In the Password field, type the password associated with the user.
6. In the Config file field, type the complete path and filename of the configuration file that identifies the domain of the KDC.
7. Click Next to continue to the Extract Users and Groups window.

Using External Authentication

The SASL External authentication window is used to define the external LDAP data source. External authentication uses an X509 certificate for user authentication. The LDAP X509 User Certificate must be installed in a keystore on the IDM server, and the LDAP server's certificate must be stored in the trust store under your JRE installation on the IDM server. See page 3-93 for details on importing LDAP X509 User certificates for use with IDM.

Figure: IDM User Import Wizard, SASL External Authentication

To set up External authentication:

1. In the Server field, type the DNS name of the LDAP server.
2. In the Domain field, type the domain name. It is used to create a domain in IDM.
3. Optionally, in the Base DN field, type the Base Distinguished Name. IDM will search only for users and groups from this node of the directory tree.
4. In the Keystore field, type the keystore file name. For JKS, the Keystore is the location on the IDM server where you installed the keystore (for example: c:\idmuser\mykeystore). For PKCS12, enter the PKCS certificate in the Keystore field.
5. In the Password field, type the password. For JKS, enter the password of the keystore on the IDM Server. For PKCS12, enter the PKCS12 key in the Password field.
6. Select the Type: either jks or pkcs12.
7. Click Next to continue to the Extract Users and Groups window.

Importing LDAP X509 User Certificates into a Keystore:

If you are using a JKS Keystore, the X509 User Certificate must be installed in a keystore on the IDM server. You can get the X509 User Certificate from your LDAP Administrator.

For example, if the X509 User Certificate is "myldapcert.cer" and the alias is "mycert", use the following command to import the certificate into a keystore in c:\idmuser\mykeystore on your IDM server:

   C:\idmuser> keytool -import -file myldapcert.cer -alias mycert -trustcacerts -keystore .\mykeystore

If you are using a PKCS12 keystore, ask your LDAP Administrator to provide you the PKCS12 certificate along with the key. Enter the PKCS certificate in the Keystore field, and enter the PKCS12 key in the Password field.

Using Anonymous Authentication

The LDAP Anonymous Authentication window is used to define the LDAP data source. Values for these fields can be obtained from the LDAP server administrator.

Figure: IDM User Import Wizard, Anonymous Authentication

To set up an LDAP server with anonymous authentication:

1. In the Server field, type the IP address of the LDAP server.
2. In the Domain field, type the domain name.
3. Optionally, in the Base DN field, type the Distinguished Name. IDM will search only for users and groups from this node of the directory tree.
4. Click Next to continue to the Extract Users and Groups window.

The remainder of the process for importing users from LDAP Servers is the same as described for importing users from Active Directories.

   Select the Groups and Users to Import to IDM.
   Select Users to remove from IDM (if applicable).
   Commit the selected groups and users (adds and deletes) to IDM.

Editing IDM Configuration for LDAP Import

The IDM server includes several configuration files that contain information used to import User information from LDAP files. The default configuration settings will work if you are using MS Active Directory as the LDAP Server directory. If you are using any other LDAP directory source (for example Novell eDirectory or OpenLDAP) you will need to modify the LDAP Directory settings in:

   ~Program Files\Hewlett-Packard\PNM\server\config\IDMImportServerComp.scp

Following is an example of the IDMImportServerComp.scp file for reference. Comments are indicated by //.

LDAP_SERVER_CONFIG {
  PORT=389 // Port where LDAP server receives bind requests.
  SSL_PORT=636 // Port where LDAP server receives SSL bind requests.
  BATCH_SIZE=50 // Internal to IDM.
  COUNT_LIMIT=0 // Internal to IDM.
  SASL_CONFIGURATION { // This section is for SASL configuration: Digest MD5, Kerberos V5 and External.
    QOP=auth-conf,auth-int,auth // Quality of protection. Valid values are one or more of auth-conf, auth-int, auth separated by ",".
    ENCRYPTION_STRENGTH=high,medium,low // Strength of encryption. Valid values are one or more of high, medium, low separated by ",".
    MUTUAL_AUTHENTICATION=true // If both LDAP server and IDM server want to authenticate each other.
  }
  KERBEROS_JAAS_CONFIG { // This section is for the Kerberos authentication method.
    KERBEROS_AUTH_MODULE=IDMKerberos // Kerberos authentication module name. If this entry is changed, you must also change the module name in the idm_kerberos_jaas.conf file.

    KERBEROS_JAAS_CONFIG_FILE=config/idm_kerberos_jaas.conf // Configuration file for JAAS Kerberos configuration.
  }
}

When using Active Directory:

LDAP_DIRECTORY_CONFIG { // Configuration for LDAP directory. Following values are for Active Directory. Change as needed per object class and attributes in the LDAP directory being used.
  USER { // User object
    OBJECT_CLASS=User // User object class
    LOGON_NAME=sAMAccountName // Login name attribute
    COMMON_NAME=cn // Common Name attribute
    DESCRIPTION=description // User description attribute
    DISPLAY_NAME=displayName // User display name attribute
  }
  GROUP { // Group object
    OBJECT_CLASS=Group // Object class for Group
    COMMON_NAME=cn // Common name attribute
    DESCRIPTION=description // Group Description attribute
    MEMBER=member // Group member attribute
    USER_MEMBER_ATTRIBUTE=cn // User attribute used to link member users from Group objects.
  }
}

When using OpenLDAP Directory:

LDAP_DIRECTORY_CONFIG { // Configuration for LDAP directory. Following values are for OpenLDAP Directory. Change as needed per object class and attributes in the LDAP directory being used.
  USER { // User object
    OBJECT_CLASS=person // User object class
    LOGON_NAME=uid // Login name attribute
    COMMON_NAME=cn // Common Name attribute
    DESCRIPTION=description // User description attribute
    DISPLAY_NAME=displayName // User display name attribute
  }
  GROUP { // Group object
    OBJECT_CLASS=groupOfNames // Object class for Group
    COMMON_NAME=cn // Common name attribute
    DESCRIPTION=description // Group Description attribute
    MEMBER=member // Group member attribute
    USER_MEMBER_ATTRIBUTE=uid // User attribute used to link member users from Group objects.
  }
}

When using Novell eDirectory:

LDAP_DIRECTORY_CONFIG { // Configuration for LDAP directory. Following values are for Novell eDirectory. Change as needed per object class and attributes in the LDAP directory being used.
  USER { // User object
    OBJECT_CLASS=User // User object class
    LOGON_NAME=uid // Login name attribute
    COMMON_NAME=cn // Common Name attribute
    DESCRIPTION=description // User description attribute
    DISPLAY_NAME=displayName // User display name attribute
  }
  GROUP { // Group object
    OBJECT_CLASS=Group // Object class for Group
    COMMON_NAME=cn // Common name attribute
    DESCRIPTION=description // Group Description attribute
    MEMBER=member // Group member attribute
    USER_MEMBER_ATTRIBUTE=cn // User attribute used to link member users from Group objects.
  }
}

You would modify the LDAP_SERVER_CONFIG section only if your LDAP server is using a port other than the standard port (389). Similarly, if you select any of the SASL or Kerberos authentication methods, edit the related sections of the config file as needed to match custom configurations.

Importing Users from XML files

If you select to import users from an XML File, the XML Data Source window displays.

Note: The XML file containing user data must reside on the IDM server to use this option, and must contain information similar to the data shown in the XML User Import File Example on page

Figure: IDM User Import Wizard, XML Data Source

To identify the XML file:

1. In the File name field, type the complete path and name of the XML file.
2. Click Next to continue to the Extract Users and Groups window.

The remainder of the process for importing users from XML files is the same as described for importing users from Active Directories.

   a. Select the Groups and Users to Import to IDM.
   b. Select Users to remove from IDM (if applicable).
   c. Commit the selected groups and users (adds and deletes) to IDM.

XML User Import File Example

XML files used to import user data to IDM should have the following format.

<?xml version='1.0' encoding='iso '?>
<DirData>
  <Domain name="domain name">
    <User name="username" description="user description" displayname="user display name"/>
    <Group name="group name" description="group description">
      <Member name="username"/>
    </Group>
    <Group name="other group" description="other group description">
    </Group>
  </Domain>
</DirData>

The description and displayname for the User element and the description for the Group element are optional. Some Group elements may not have Member elements, for example the "other group" in the above example.

Importing SNAC Devices from a Comma Separated Value (CSV) file

You can import SNAC devices in bulk from a Comma Separated Value (CSV) format file using the Import Users Wizard. If the owner of the device is present in the Active Directory, then the same access rights are configured for the owner in the IDM database.

Following are the details of the import utility:

   The import utility accepts a Comma Separated Value (CSV) file as the input file to the IDM Import Users wizard. All the values specified in the CSV file must be within double quotation marks.
   The first line in the CSV file must be the domain name, followed by all the SNAC devices that must be imported to the IDM DB.
   This utility is used for bulk registration of SNAC devices where the owner is already registered in the Active Directory and has been imported to the IDM DB using Active Directory Synchronization.
   If an incorrect group is specified, then the utility sets the correct APG to which the owner belongs.
   If a user with the same Auth ID already exists in the domain, then an error is reported about the duplicate Auth ID.
   If the owner is not present in the IDM database or is not a valid owner (in the Active Directory server), then the utility reports an error.

   Any line that begins with the # character is considered a comment.
   Auth ID must be a valid MAC Address in any standard format (multi-dash, single-dash, no-delimiter, multi-colon).
   If duplicate entries for an Auth ID are found, then only the first line is considered and the duplicate entries are skipped.
   All the fields in the CSV file are compulsory. If any field is absent, the data will not be interpreted correctly by the wizard.

Syntax of the CSV file:

"hp.com"
# "Name", "Auth ID", "Device Name", "Access Policy Group", "Owner", "Description"
"user11"," ","pool HP laptop", "studentgroup", "martin", "student 101"
"user22"," ", "faculty ipad", "facultygroup","sally", "faculty 10"

where martin and sally are users that exist in the Active Directory server and have already been imported into the IDM DB.

Note: This utility does not support guest devices because expiration time is not supported. It is not required to import bulk devices for guests. A guest should self-register their devices based on the token generated. The values specified in the "Name" and "Description" columns will be overwritten by the friendly name and description configured in the Active Directory server for that owner after Active Directory synchronization is re-enabled.

The following is an example of CSV file content (input file test.csv):

"maruti.domain"
# "Name", "Auth ID", "Device Name", "Access Policy Group", "Owner", "Description"
"user11","001c2eaaaaaa","devicename","studentgroup","student", "student desc"
"user22"," ","22dev","facultygroup","faculty", "faculty desc"
"user33"," ","33dev","studentgroup","student","student desc"

"user44"," ","44dev","facultygroup","faculty","faculty desc"

Note: If you export data from Microsoft Excel to a CSV file and then import the CSV file into the IDM database using the IDM Users Import wizard, comment out the first line, which lists the column headers, with the # character before feeding the file to the wizard.

For troubleshooting, see the IDMImportServer-IDMImportServerLogger.log file placed in <server installed location>\server\logs.

Using the IDM Import Users Wizard

The following figure shows the Users tab view for the domain "maruti.domain", where two users have been imported from the Active Directory server using Active Directory synchronization in User Directory Settings.

Figure: User Tab View

To import user information into IDM from an Active Directory:

1. If necessary, disable AD sync.

   a. From the global toolbar, select Tools > Preferences.
   b. From the Preferences navigation tree, select Identity Management > User Directory Settings.
   c. In the Identity Management: User Directory Settings pane, clear the Enable automatic Active Directory synchronization check box, and then click OK.

Figure: Preferences

2. From the global toolbar, select Tools > IDM User Import to launch the IDM Import Wizard.

Figure: IDM User Import Wizard

3. Click Next to continue to the Data Source selection window.

Figure: Data Source

4. Click the radio button to select the CSV file as the data source.
5. Enter the path of the CSV file. Note that this is the path on the server system.

Figure: CSV Data Source

6. Click Next to continue to the Extracting User and Group Information window.

Figure: Extracting User and Group Information

7. The IDM Import Wizard now shows all the users added to the IDM DB. Click Select All, and then click Next to continue to the Remove Users window.

Figure: Add Users

Figure: Remove Users

8. Without changing any settings in the Remove Users window (that is, Deselect All), click Next to continue to the Users and Group Commitment window.

Figure: Users and Groups Commitment

9. Click Go. The devices imported into the IDM DB can now be seen in the Users tab view.

Figure: Imported Device to IDM DB

10. The Import Complete window appears. Click Finish.

Figure: Import Complete

11. In the Users tab view, all the newly added device owners appear in the last column.

Figure: Devices Added to User Tab View

12. Enable Active Directory synchronization from the User Directory Settings so that IDM makes the Active Directory changes.

Note: After re-enabling Active Directory synchronization, the Name and Description fields are overwritten by the corresponding values configured for that owner in the Active Directory.

13. If the specified CSV file does not exist, the following error appears.

Figure: Error Reading File

14. If the CSV file content does not follow the rules listed above, the following error appears.

Figure: CSV File Content Error
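The check below exercises the CSV rules listed at the start of this section (comment lines, the domain line, six compulsory fields, a MAC-format Auth ID, duplicates skipped after the first) against a constructed file before it is handed to the wizard, so that a CSV File Content Error can be caught up front. It is an added example written for this guide, not IDM code; the owner check against a set of already imported IDM users (known_owners) is an assumption of the script, not a documented wizard rule.

```python
import csv
import re
from dataclasses import dataclass, field

# Column layout documented for the User Import Wizard; all six are compulsory.
FIELDS = ("Name", "Auth ID", "Device Name", "Access Policy Group", "Owner", "Description")

# The four MAC address layouts the wizard accepts, matched case-insensitively.
MAC_FORMS = (
    re.compile(r"^[0-9a-f]{12}$"),                    # no delimiter: 001c2eaaaaaa
    re.compile(r"^[0-9a-f]{6}-[0-9a-f]{6}$"),         # single dash:  001c2e-aaaaaa
    re.compile(r"^(?:[0-9a-f]{2}-){5}[0-9a-f]{2}$"),  # multi-dash:   00-1c-2e-aa-aa-aa
    re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$"),  # multi-colon:  00:1c:2e:aa:aa:aa
)


def normalize_mac(auth_id):
    """Return the Auth ID as 12 lowercase hex digits, or None if it is not a MAC
    address in one of the accepted layouts."""
    text = auth_id.strip().lower()
    if not any(form.match(text) for form in MAC_FORMS):
        return None
    return re.sub(r"[-:]", "", text)


@dataclass
class ImportPlan:
    domain: str
    devices: list = field(default_factory=list)   # rows the wizard would load, in file order
    skipped: list = field(default_factory=list)   # (line number, reason) for rejected rows


def check_import_csv(text, known_owners):
    """Dry-run the wizard's CSV rules over the file text and report what would load.

    known_owners: user names already imported into the IDM DB from Active Directory.
    Checking that each Owner is in this set is an assumption of this script."""
    domain = None
    seen = {}                      # normalized MAC -> line number of its first row
    plan = ImportPlan(domain="")
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue               # blank lines and # comments are ignored
        row = next(csv.reader([line], skipinitialspace=True))
        if domain is None:         # the first non-comment line names the domain
            domain = row[0].strip()
            plan.domain = domain
            continue
        if len(row) != len(FIELDS):
            plan.skipped.append((line_no, f"expected {len(FIELDS)} fields, found {len(row)}"))
            continue
        rec = {name: value.strip() for name, value in zip(FIELDS, row)}
        if any(value == "" for value in rec.values()):
            plan.skipped.append((line_no, "every field is compulsory; an empty field was found"))
            continue
        mac = normalize_mac(rec["Auth ID"])
        if mac is None:
            plan.skipped.append((line_no, f"Auth ID {rec['Auth ID']!r} is not a MAC in an accepted format"))
            continue
        first = seen.setdefault(mac, line_no)
        if first != line_no:
            plan.skipped.append((line_no, f"duplicate Auth ID; line {first} is kept"))
            continue
        if rec["Owner"] not in known_owners:
            plan.skipped.append((line_no, f"owner {rec['Owner']!r} is not an imported IDM user"))
            continue
        rec["Auth ID"] = mac       # keep the normalized form
        plan.devices.append(rec)
    if domain is None:
        raise ValueError("no domain line found before the device rows")
    return plan


# Constructed sample file: the domain line, a commented header, two good rows,
# then a duplicate MAC (different layout and case), an unknown owner, a bad MAC
# and a row with a missing field.
SAMPLE_CSV = """\
"maruti.domain"
# "Name", "Auth ID", "Device Name", "Access Policy Group", "Owner", "Description"
"user11","001c2eaaaaaa","devicename","studentgroup","student", "student desc"
"user22","00-1c-2e-bb-bb-bb","22dev","facultygroup","faculty", "faculty desc"
"user33","00:1C:2E:AA:AA:AA","33dev","studentgroup","student","student desc"
"user44","001c2e-cccccc","44dev","facultygroup","nobody","faculty desc"
"user55","001c2ezzzzzz","55dev","studentgroup","student","bad mac"
"user66","001c2edddddd","66dev","studentgroup","student"
"""

if __name__ == "__main__":
    result = check_import_csv(SAMPLE_CSV, known_owners={"student", "faculty"})
    print(f"domain {result.domain}: {len(result.devices)} device(s) would load")
    for line_no, reason in result.skipped:
        print(f"line {line_no}: skipped, {reason}")
```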


4 Using the Secure Access Wizard

Overview

The Secure Access Wizard (SAW) feature in IDM is designed to simplify the initial setup of IDM by reducing the complexity of securing the network edge. SAW facilitates the process of securing the network edge by targeting a group of devices and using a highly intuitive GUI to configure network access rather than configuring each device via the CLI. Some major features of SAW include:

- Setting the RADIUS server IP address and shared secret for a group of devices
- Setting the authentication methods for a group of devices
- Configuring the authentication methods

Once you have decided to deploy IDM, you need to secure the network edge by enforcing 802.1X, Web-Auth, MAC-Auth, or any combination of the three (if supported). There are several steps involved when securing an edge device, including:

- Configuring all supplicant ports with 802.1X, Web-Auth or MAC-Auth (preferably 802.1X for a more secure environment)
- If 802.1X is chosen, selecting the authentication protocol, EAP or CHAP
- Enabling session accounting so that IDM correctly detects user login and logout
- Optionally setting the interim update period
- Optionally setting the re-authentication time-out
- Adding the RADIUS server and the shared secret (key)
- Activating the port authenticator

These steps need to be executed on all edge devices and will vary between wired and wireless devices.

Supported Devices

The Secure Access Wizard feature is available on PCM devices that support the 802.1X, Web-Auth, and MAC-Auth access control methods. For a complete list of the features supported on each device, refer to the table in Appendix A under Device Support for IDM Features.

Using Secure Access Wizard

Note: The following section provides instructions on using the Secure Access Wizard to configure access security settings on PCM devices that support port-based user authentication using 802.1X, Web-Auth, or MAC-Auth. For a more complete description of the implementation of these user authentication features, refer to the Access and Security Guide for the switch. Switch guides are available on the Web at:

1. To launch the Secure Access Wizard, select the option from the Tools menu on the global (PCM/IDM) toolbar. You can also launch the wizard by:

   - Selecting a device in the PCM Devices list and clicking the Secure Access Wizard button in the tab toolbar, or
   - Right-clicking a device node in the PCM navigation tree and selecting the Secure Access Wizard option in the right-click menu

   This launches the Welcome to the Secure Access Wizard window.

Figure 4-1. Secure Access Wizard - Welcome display

   When you first open the wizard, the Load Settings and Load template buttons are disabled. Once you have created and saved an access control configuration, these buttons will be enabled.

2. Click Next to continue to the Device Selection window.

Note: If you do not have a licensed copy of the PCM Mobility Manager software and there are wireless devices discovered by PCM, the Excluded Devices window displays, with the list of devices, model, and installed switch software version. Use the Device Capabilities link to determine if you can upgrade the device software to a version that will support the secure access settings.

Figure 4-2. Secure Access Wizard, Device Selection example

3. The Available Devices list is populated with all discovered PCM devices that support 802.1X authentication. You can filter the list to display devices for one device group (model) by selecting the device group from the pull-down menu. Select a device (or devices) in the Available devices list, then click >> to move it to the Selected devices list.

Note: To begin, PCM recommends that you select only one or two devices, and then save the security access settings as a template that can be applied to other devices of the same type.

4. Click Next to continue to the next window.

5. If you selected one or more AP530 wireless devices, the 530 Group Configuration Check Step window appears and displays information about each selected AP530 that supports the group configuration feature. One AP530 will be selected as the Master device and will be the only AP530 configured. (The group configuration feature propagates the new settings from the Master device to the other AP530s, including those with group configuration disabled.) Ensure the correct device is selected as the Master device and click Next. Or, to select another device as the Master device, select the Master device check box next to the desired device.

Figure 4-3. Secure Access Wizard, 530 Group Configuration example

6. Click Next to continue to the Excluded Devices window. The Secure Access Excluded Devices window of the Secure Access Wizard lists all discovered PCM devices that do not support 802.1X authentication. Some reasons why a device might not support 802.1X are:

   - The device is too old
   - The firmware is out of date
   - The device is not a PCM device
   - The device is a wireless AP with no radios or SSIDs discovered

   Use the Device Capabilities link to determine if you can upgrade the device software to a version that supports the secure access settings.

7. To filter the list to display only devices for one device group (model), select the device group from the Available devices list.
8. Select a device (or devices) in the Available devices list, then click >> to move it to the Excluded devices list.
9. Repeat the preceding step until all desired devices are selected.
10. Click Next to continue to the Information Retrieval window. The Information Retrieval window of the Secure Access Wizard displays the progress of retrieving RADIUS client information from the specified RADIUS servers.
11. Ensure that information is successfully retrieved from each device. If not, close the wizard and ensure that the device is operating and that the communication parameters in PCM are correct.
12. Click View Log to display the detailed status of the process. If there are any errors or warnings during the retrieval, this log provides insight into what happened.
13. Click Next to continue to the Authentication Method Selection window. The Authentication Method Selection window lists the selected devices and the authentication methods that can be used on each device. It lists the device name, model and software version installed. The device listing can be sorted according to device model, name, software version, or authentication method.

   Authentication method support varies from device to device and between firmware versions. For example, some devices support two authentication methods per port while some devices only support one. For devices that support two authentication methods per port, the options are 802.1X and Web-Auth or MAC-Auth, thus the Web-Auth and MAC-Auth columns are mutually exclusive for each row. Additionally, devices that do not support Web-Auth or MAC-Auth will have those cells disabled and displaying Not supported.

Figure 4-4. Secure Access Wizard, Authentication Method Selection example

14. Click the check box to select the authentication method (802.1X, Web-Auth, or MAC-Auth) to be used for user (client) access to the device. Click Select All at the top of the column to apply the same authentication method to all devices that support it. The button toggles between the Select all and Unselect all options when clicked and is displayed only when more than one device is listed. Some devices support simultaneous use of two authentication methods on a single port. The wizard will allow you to select only the combination of authentication methods allowed on the device type.

15. Click Next to continue to the Port Selection window. The Port Selection window lists the devices for which you need to specify the ports where the access authentication will be applied. You can type each port number or click Select Ports to select them from a list.

Figure 4-5. Secure Access Wizard, Port Selection example

16. To select ports from a list, click the Select Ports button and then click Select all to select all ports, or select the Selected check box for each port to which the secure access settings will apply. Double-clicking a row selects or unselects the port.

Figure 4-6. Secure Access Wizard, Select Ports

   When the desired ports are selected, click OK to validate and save your selections.

17. To manually enter port numbers, in the Ports to secure field, type the ports to which the secure access settings will apply. Enter any combination of single port numbers and port ranges separated by commas. For example, type A1,A3-A5,A7 to apply the access settings on ports A1, A3, A4, A5, and A7. The port entries are validated, and if any entry is invalid a text message indicating the error appears below the data entry fields for the device.

   The Ports that will not be secured field contains a read-only list of the ports excluded from the secure access settings. These typically include inter-switch ports, ports with an authentication method already configured, and ports connected to devices (such as printers) that do not support network access authentication.

   You can click Reset to clear all data and auto-populate the Ports to secure field with the ports on the device that can be secured. Ports that are excluded will appear in the Ports that will not be secured field.

   Repeat the process for each device listed in the window. For a long list of devices, a scroll bar lets you move down the list as needed.

18. Click Next to continue. The next window displayed will vary based on the devices and authentication methods selected.

   If you selected a wireless device, the WLAN Selection window displays, as described in step 19. If you selected only wired devices, the authentication configuration window displays. For 802.1X, go to step 22. For Web-Auth, go to step 23. For MAC-Auth, go to step 24.

19. The WLAN Selection window displays the list of wireless devices you selected. Click a device to expand the list to show the WLANs (SSIDs) configured on the device.

Figure 4-7. Secure Access Wizard, WLAN Selection example

20. Select the check box for each SSID (WLAN) to which the secure access settings will be applied. (A check mark indicates the SSID is selected.) Select the check box for the device to apply secure access settings to all SSIDs on the device.

21. Click Next to continue to the authentication configuration window: For 802.1X, go to step 22 (below). For Web-Auth, go to step 23. For MAC-Auth, go to step 24.

22. The 802.1X Configuration window lets you select the authentication method to be applied in the secure access settings for the selected devices.

Figure 4-8. Secure Access Wizard, 802.1X Configuration display

   The configuration options displayed will vary based on the selected device set: wired, wireless, or both.

   a. Select the authentication method for the selected device types. Only one method can be applied.

      For wired devices the 802.1X authentication options are:
      - Use EAP-capable RADIUS
      - Use CHAP (MD5)-capable RADIUS

      For wireless devices the 802.1X authentication options are:
      - WPA - TKIP
      - WPA2 - TKIP
      - WPA2 - CCMP (AES)
      - WPA2 - Mixed mode AES-TKIP

      You can refer to the Using PCM Mobility Manager chapter in the HP PCM+ 4.0 Network Administrator's Guide for a more complete description of the wireless (WLAN) security settings.

   b. In the Client Limit field, select or type the maximum number of clients to allow on one port simultaneously (default is 1).
   c. Click the Advanced Settings for Wired 802.1X link to configure the advanced settings.

Figure 4-9. Secure Access Wizard, Advanced Settings for Wired 802.1X

   d. Select the check box to select the setting to configure, then enter the parameter to be applied. When a parameter is configured, the Reset to default values option is enabled. Click the link to restore the advanced settings for wired 802.1X to their defaults.

      Advanced 802.1X settings for wired devices include:

      Option               Configures...
      TX period            The period of time the switch waits until retransmission of an EAPOL PDU (default 30 sec.). Valid values are
      Logoff period        The period of time (seconds) after which a client will be considered removed from the port for a lack of activity. Disabled by default, valid values are , 0 is disabled.
      Supplicant timeout   The authentication server response timeout (default 30 sec). Valid values are

      Option               Configures...
      Server timeout       The authentication server response timeout (default 30 sec). Valid values are
      Max requests         The maximum number of times the switch retransmits authentication requests. Valid values are 1-10, the default value is 2.
      Re-auth period       The re-authentication timeout (in seconds, default 0); set to 0 to disable re-authentication. Valid values are
      Quiet period         The period of time the switch does not try to acquire a supplicant. Valid values are , the default value is 60 sec.
      Unauth-vid           The VLAN to which the port is assigned when the user has not been authorized by 802.1X authentication. Valid values are any defined VLAN, the default value is VLAN 1.
      Auth-vid             The VLAN to which the port is assigned when the user has been authorized by 802.1X authentication. Valid values are any defined VLAN, the default value is VLAN 1.

      If a device does not support the selected setting, the value you set will appear in the SAW display, but will not be configured on that device.

   e. Click OK to save the advanced settings and close the window.
   f. Click Next in the configuration window to continue to the Authentication Servers step.

23. The Web-Auth Configuration window lets you select the RADIUS authentication method settings to be applied in the secure access settings for Wireless Services Modules (2.x or higher).

Figure: Secure Access Wizard, Web-Auth Configuration

   a. Click the radio button to select the RADIUS authentication protocol. Only one of the following methods can be applied:
      - Use PAP-capable RADIUS server for Web-Auth
      - Use CHAP-capable RADIUS server for Web-Auth
   b. Click the Advanced Settings for Wired Web-Auth link to configure the advanced settings for Web-Auth on wired devices. (See figure 4-11 on the next page.)
   c. Click the check box to select the setting to configure, then enter the parameter to be applied. When a parameter is configured, the Reset to default values option is enabled. Click the link to restore the advanced settings for wired Web-Auth to their defaults.

Figure 4-11. Secure Access Wizard, Advanced Wired Web-Auth

      Advanced Web-Auth settings for wired devices include:

      Option                  Configures...
      DHCP address and mask   The base address and mask for the temporary pool used by DHCP (base DHCP address default is , and the mask default is ).
      Redirect URL            The URL that the user should be redirected to after successful login. The default is no redirect (blank field).
      DHCP lease              The lease length (days) of the IP address issued by DHCP (default 10). Valid values are
      Client limit            The maximum number of clients to allow on one port simultaneously, default is 1. This option is available only when at least one device supports Client Limit in the OK status in the IDM Agent.
      Re-auth period          The re-authentication timeout (in seconds, default 0); set to 0 to disable re-authentication. Valid values are

      Option                  Configures...
      Logoff period           The period of time (seconds) after which a client will be considered removed from the port for a lack of activity. Disabled by default, valid values are , 0 is disabled.
      Quiet period            The period of time the switch does not try to acquire a supplicant. Valid values are , the default value is 60 sec.
      Max retries             The number of times a client can enter their credentials before authentication is considered to have failed (default 3). Valid values are
      Server timeout          The authentication server response timeout (default 30 sec). Valid values are
      Max requests            The maximum number of times the switch retransmits authentication requests. Valid values are 1-10, the default value is 2.
      Unauth-vid              The VLAN to which the port is assigned when the user has not been authorized by web authentication. Valid values are any defined VLAN, the default value is VLAN 1.
      Auth-vid                The VLAN to which the port is assigned when the user has been authorized by web authentication. Valid values are any defined VLAN, the default value is VLAN 1.
      SSL login               Whether to allow SSL login (https on port 443). This is disabled (No) by default.
      Allow client moves      Whether to allow client moves between ports. The default is disabled (No).

      If a device does not support the selected setting, the value you set will appear in the SAW display, but will not be configured on that device.

   d. Click OK to save the advanced settings and close the window.
   e. Click Next in the configuration window to continue to the Authentication Servers step.

24. On the MAC-Auth Configuration window, select the MAC Address format to be applied for RADIUS requests in the secure access settings for the selected devices.

Figure: Secure Access Wizard, MAC-Auth Configuration display

   a. Select the MAC address format.
   b. Click the Advanced Settings for Wired MAC-Auth link to configure the advanced settings for MAC-Auth on wired devices.

Figure: Secure Access Wizard, Advanced (wired) MAC-Auth settings

   c. Click the check box to select the setting to configure, then enter the parameter to be applied. When a parameter is configured, the Reset to default values option is enabled. Click the link to restore the advanced settings for wired MAC-Auth to their defaults.

      Advanced MAC-Auth settings for wired devices include:

      Option              Configures...
      Address limit       The port's maximum number of authenticated MAC addresses. Default is 1.
      Re-auth period      The re-authentication timeout (in seconds). Default is set to 0 to disable re-authentication. Valid values are
      Logoff period       The period of time (seconds) after which a client will be considered removed from the port for a lack of activity. Disabled by default. Valid values are , with 0 indicating disabled.
      Quiet period        The period of time the switch does not try to acquire a supplicant. Valid values are . The default value is 60 seconds.
      Max requests        The maximum number of times the switch retransmits authentication requests. Valid values are . The default value is 2.
      Server timeout      The authentication server response timeout (default 30 sec). Valid values are

      Option                Configures...
      Allow address moves   Whether a MAC address can move between ports. The default is disabled (No).
      Unauth-vid            The VLAN to which the port is assigned when the user has not been authorized by MAC authentication. Valid values are any defined VLAN, and the default value is VLAN 1.
      Auth-vid              The VLAN to which the port is assigned when the user has been authorized by MAC authentication. Valid values are any defined VLAN, and the default value is VLAN 1.

      If a device does not support the selected setting, the value you set will appear in the SAW display, but will not be configured on that device.

   d. Click OK to save the advanced settings and close the window.
   e. Click Next in the configuration window to continue to the Authentication Servers step.

25. The next step for configuring Secure Access Settings is to define the Authentication Servers that will be used.

Figure: Secure Access Wizard, RADIUS Servers configuration

   The Authentication Servers step lets you enter the IP addresses of the RADIUS servers to be used for authentication. Most PCM devices support three RADIUS servers, but some, such as the wireless products, support only two.

   a. Select the check box for a RADIUS server to enable the server IP address field, and then enter the IP address for the server. The IP address will be validated. If it is invalid or a duplicate IP, a text message indicating the error is displayed. You cannot continue until a valid IP address is entered.

Note: If you had previously configured other RADIUS servers for authentication with the device, that information will be overwritten by the Secure Access Wizard. The SAW will attempt to remove enough currently configured RADIUS servers to make room for the ones configured in the SAW. So, if you already have three RADIUS servers configured on a device, and then you configure two new RADIUS servers via the SAW, when the settings are applied the SAW will remove the first two servers from the device configuration.

26. Click Next to continue to the RADIUS Server Shared Secret window.

Figure: Secure Access Wizard, RADIUS Shared secret display

27. If you want to use the same RADIUS shared secret (password) for all the selected devices, select the Use for all devices check box.

   Enter the RADIUS shared secret to be used for access authentication. Re-enter the shared secret in the Confirm shared secret field. If not using the same shared secret on all the devices, enter the RADIUS shared secret for each device in the list. Use the scroll bar as needed to move down the list. You will not be able to continue until the RADIUS shared secret is set for each device in the list.

28. When you have entered the RADIUS shared secret, click Next to select the devices that will be added to each of the previously selected RADIUS servers as RADIUS clients.
29. To add all devices as clients to the displayed RADIUS server, click Select All.
30. To unselect all devices, click Unselect All.
31. To add specific devices as clients to the RADIUS server listed in the Target RADIUS Server column, select the check box next to the device.
32. To display additional error information about a device with an error button, mouse over the error button.
33. Click Next to validate your entries and continue to the Save Settings (selection) window.

Figure: Secure Access Wizard, Save Settings selection

34. Click the link to Save settings or Save as template, and launch the Save Settings dialog to provide a name for the saved settings file. The data fields are the same for both the Save Settings and Save Template dialogs.

Figure: Secure Access Wizard, Save Settings dialog

35. Type a Name to apply to the secure access settings file, and (optionally) a description. You can use the same name for a saved template and a saved settings file, but no two saved templates, or saved settings files, can have the same name.
36. Select the Include RADIUS shared secrets check box if you want the shared secrets you specified included in the saved settings file. This option is not available if no RADIUS server IP address was entered in the access settings.

Note: The Include shared secrets option is only applicable for settings. Also, these settings are saved to PCM's database, and not saved to a separate file.

37. Click OK to save the file name and close the dialog, and return to the Save Settings window. When the security settings are saved, the next time the user launches the Secure Access Wizard, the buttons in the Welcome dialog (figure 4-1 on page 4-3) will be enabled. Clicking the buttons will launch the Save Settings dialog with the list of saved configurations. You can then select the saved access security settings for editing or to be deleted.
38. Click Next in the Save Settings window to continue to the Configuration Preview.

Figure: Secure Access Wizard, Configuration Preview display

39. Review the access security configuration settings, using the scroll bar as needed to move through the information.
40. If the configurations are correct, click Next to apply the settings to the devices. If you need to change something in the configuration, use the Back button(s) to return to the step where edits will be made, or click Cancel to exit the wizard without saving the secure access settings.
41. After you click Next in the Configuration Preview screen, the Applying Security Settings window displays.

Figure: Secure Access Wizard, Applying Settings status

   This window displays the progress of applying the security settings to the selected devices, and will indicate if any errors occur during the process. Click View Log to display process status messages and errors. Click Abort to halt application of the security settings before the process is started on the next device in the list. Once started, the process will be completed for the current device, regardless of the Abort request.
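The Configuration Preview step shows what the wizard will change on each device. The script below reproduces two of the rules the preceding steps describe, as a dry run before the wizard is applied: the port list syntax of step 17 (single ports and ranges, entries validated, excluded ports reported under Ports that will not be secured) and the RADIUS server replacement rule from the note in step 25 (addresses checked for validity and duplicates, then the first-configured servers removed to make room, three per wired device and two for the wireless products). It is an added example written for this guide, not IDM code; the device name, port list and addresses are constructed, and the port-name pattern is an assumption.

```python
import ipaddress
import re

# A port name is an optional module letter followed by a number, e.g. "A3" on a
# modular switch or "17" on a stackable one (assumption made for this example).
PORT_NAME = re.compile(r"^([A-Za-z]*)(\d+)$")


def expand_ports(spec):
    """Expand a 'Ports to secure' entry such as 'A1,A3-A5,A7' into a port list.
    Raises ValueError for any entry the wizard would flag as invalid."""
    ports = []
    for entry in (e.strip() for e in spec.split(",")):
        if not entry:
            raise ValueError("empty entry in port list")
        low, sep, high = entry.partition("-")
        if sep and not high:
            raise ValueError(f"open-ended range {entry!r}")
        m_low = PORT_NAME.match(low)
        m_high = PORT_NAME.match(high) if sep else m_low
        if not (m_low and m_high) or m_low.group(1).upper() != m_high.group(1).upper():
            raise ValueError(f"invalid port entry {entry!r}")
        prefix = m_low.group(1).upper()
        start, end = int(m_low.group(2)), int(m_high.group(2))
        if start > end:
            raise ValueError(f"range {entry!r} runs backwards")
        for number in range(start, end + 1):
            port = f"{prefix}{number}"
            if port not in ports:          # a port named twice is listed once
                ports.append(port)
    return ports


def plan_ports(spec, not_securable):
    """Split the requested ports into those that will be secured and those the
    wizard lists as 'Ports that will not be secured' (inter-switch ports, ports
    that already have an authentication method, printer ports and similar)."""
    excluded = {p.upper() for p in not_securable}
    requested = expand_ports(spec)
    secured = [p for p in requested if p not in excluded]
    skipped = [p for p in requested if p in excluded]
    return secured, skipped


def plan_radius_servers(existing, new, capacity=3):
    """Apply the wizard's replacement rule: the new servers must be valid, distinct
    IPv4 addresses that fit the device's capacity (3 on most PCM devices, 2 on the
    wireless products); enough currently configured servers are then removed,
    first-configured first, to make room for them."""
    seen = set()
    for address in new:
        try:
            ipaddress.IPv4Address(address)
        except ValueError:
            raise ValueError(f"invalid RADIUS server address {address!r}") from None
        if address in seen:
            raise ValueError(f"duplicate RADIUS server address {address!r}")
        seen.add(address)
    if len(new) > capacity:
        raise ValueError(f"device accepts at most {capacity} RADIUS servers, {len(new)} given")
    # Assumption: a server that is already configured and also entered as new
    # is not counted twice.
    current = [s for s in existing if s not in seen]
    room = capacity - len(new)
    kept = current[len(current) - room:] if room < len(current) else current
    removed = current[:len(current) - len(kept)]
    return kept + list(new), removed


def preview_device(name, port_spec, not_securable, existing_radius, new_radius, capacity=3):
    """Build the per-device summary the Configuration Preview step would show."""
    secured, skipped = plan_ports(port_spec, not_securable)
    servers, removed = plan_radius_servers(existing_radius, new_radius, capacity)
    return {
        "device": name,
        "ports_to_secure": secured,
        "ports_not_secured": skipped,
        "radius_servers": servers,
        "radius_removed": removed,
    }


if __name__ == "__main__":
    # Constructed input: a wired edge switch whose uplink is A7 and which already
    # has three RADIUS servers configured, about to receive two new ones.
    summary = preview_device(
        name="edge-switch-1",                      # hypothetical device name
        port_spec="A1,A3-A5,A7",
        not_securable=["A7"],
        existing_radius=["10.0.0.1", "10.0.0.2", "10.0.0.3"],
        new_radius=["10.0.1.10", "10.0.1.11"],
    )
    for key, value in summary.items():
        print(f"{key}: {value}")
```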

5 Troubleshooting IDM

IDM Events

The IDM Events window is used to view and manage IDM events generated by the IDM application or the IDM Agent installed on a RADIUS server. This window helps you quickly identify IDM-related problems in your network. To view the IDM events, click the Events tab in the Identity Management Home pane.

Figure 5-1. IDM Events tab

The IDM Events tab works similarly to the PCM Events tab. It lists the IDM events currently contained in the database. By default, the listing is categorized by the level of severity. Sortable columns of information are available for each event:

Table 5-1. Events tab parameters

Column        Displays...
Source        The name or IP address of the component or device that generated the event. This column contains the name of the application component or device that generated the event. This column also contains color-coded buttons that indicate: Connected, Warning, Unreachable, From unknown device.
Severity      The severity of each event. Events are categorized into five levels of severity:
              Informational - routine events
              Warning - unexpected service behavior
              Minor - switch error that may impact performance
              Major - switch error with the potential of inhibiting some switch operations
              Critical - severe switch error with the potential of halting all switch operations
Date          The date and time when the event occurred. The date is shown in the Day of Week/Month/Day/Year/Time format.
Ack'd         Whether the event has been acknowledged. A check mark in the blue square indicates that the event has been acknowledged. The Status column only shows unacknowledged events if events are deleted automatically after being acknowledged. See IDM Event Settings for additional information.
Description   A short description of the event. The description is derived from a list of predefined descriptions based on the event type.

You can sort the Events listing by Source, Severity, Status or Date. Click the desired column heading to sort in descending order. Click the column heading again to sort in ascending order. A down pointer in the column heading indicates descending order, and an up pointer indicates ascending order.

The Event Log is trimmed at the level specified in the IDM Preferences window. By default there will be 1000 events in the event log.

Select an event in the Events listing to display the Event Details at the bottom of the window.

Figure 5-2. IDM Event Details

The details provide additional event description information. The details will vary based on the type of event. Use the scroll bar or drag the top border of the Event Details section to review the entire event description.

Acknowledging an event indicates that you are aware of the event but it has not been resolved. Depending on the IDM event settings, the event is then removed from the event list or the status of the event is updated in the Events window.

To acknowledge an event:
1. Click the Events tab on the IDM Dashboard.
2. In the IDM Events pane, select the events to be acknowledged.
3. Click the Acknowledge selected events button in the toolbar.

To delete an IDM event:
1. Click the Events tab on the IDM Dashboard.
2. In the IDM Events pane, select the event(s) to be deleted.
3. Click the Delete Event button in the toolbar.

Deleting an event removes the event from the Events list and reduces the Event count in the IDM Dashboard window.

Pausing the Events Display

The events table entries continuously scroll to display the events just received. You can pause the display if needed by clicking the Pause button in the events toolbar. Selecting an event for viewing will also pause the events display. The Pause button will toggle to the Resume button. Click this to restart the events display. The button will toggle back to the Pause button.

Using Event Filters

The events shown in the Events tab view can be filtered to show only specific events based on the device that generated the event, severity, dates and times of occurrence, or description. Click the Filtering button to display or hide the Filters at the top of the Events tab. You can use any single parameter, or a combination of parameters.

Figure 5-3. Events Filter

1. To create a filter:
   a. Select a check box to activate a field. Multiple fields can be activated.
   b. Select each type of information you want to display. For example, if you selected the Acknowledged check box and selected Unacknowledged from the filtering pane of the Events tab, events that have been acknowledged will be excluded from the display.
   c. Click Apply to filter the display.
   d. To save the filter, click Save, type the name that will be used to identify the filter, and then click OK. The filter is added to the Load list on the Events tab, and the filter can then be activated by selecting it from the Load list.
2. To activate a saved filter:
   a. If the Filtering pane is not displayed, click the + next to Filtering.
   b. Click Load.
   c. Select the desired filter from the list. This activates the filter and displays only events meeting the selected filter criteria.
3. To deactivate a setting in the current filter:
   a. If the Filtering pane is not displayed, click the + next to Filtering.
   b. Unselect any filters that you want to remove.
   c. Click Apply.
4. To clear all selections that are currently set in the filters, click Clear. This does not affect saved filters.
5. To clear current entries in the Filters section (that have not yet been saved) and go back to the last saved filter settings, click Revert. This does not affect saved filters.

Viewing the Events Archive

The Archived Events window lists details for each event in the Archive Log, which contains events that have been deleted. The events displayed can be filtered by the date the event was generated. The Archived Events window also lets you generate an Archived Events Report that can be saved to disk or printed.

Archiving of IDM events can be disabled on the IDM Event Preferences window. Therefore, the Archived IDM Events window and report may not contain any events.

Click the Archived Event button in the IDM Events toolbar to display the Archived Events window.
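The Filtering pane combines several independent criteria with AND semantics (an unchecked box is simply ignored), the Archived Events window adds a free-text match across every column, and the column-heading sort must rank Severity by level rather than alphabetically. The following Python model is an added example, not IDM code or output: the Event, EventFilter, apply_filter, text_filter and sort_events names are the example's own, and the sample events are constructed (192.0.2.0/24 is the documentation address range).

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set

# Severity levels in the order IDM ranks them, lowest to highest (Table 5-1).
SEVERITIES = ("Informational", "Warning", "Minor", "Major", "Critical")


@dataclass(frozen=True)
class Event:
    """One row of the IDM Events tab (Source, Severity, Date, Ack'd, Description)."""
    source: str
    severity: str
    date: datetime
    acknowledged: bool
    description: str


@dataclass
class EventFilter:
    """One criterion per field of the Filtering pane. A field left at None is an
    unchecked box and is ignored; every active field must match (AND semantics)."""
    sources: Optional[Set[str]] = None
    severities: Optional[Set[str]] = None
    start: Optional[datetime] = None      # earliest date/time to show, inclusive
    end: Optional[datetime] = None        # latest date/time to show, inclusive
    acknowledged: Optional[bool] = None   # False = show Unacknowledged events only
    description_contains: Optional[str] = None

    def matches(self, ev: Event) -> bool:
        if self.sources is not None and ev.source not in self.sources:
            return False
        if self.severities is not None and ev.severity not in self.severities:
            return False
        if self.start is not None and ev.date < self.start:
            return False
        if self.end is not None and ev.date > self.end:
            return False
        if self.acknowledged is not None and ev.acknowledged != self.acknowledged:
            return False
        if (self.description_contains is not None
                and self.description_contains.lower() not in ev.description.lower()):
            return False
        return True


def apply_filter(events: List[Event], flt: EventFilter) -> List[Event]:
    """Return the events the Events tab would display with this filter applied."""
    return [e for e in events if flt.matches(e)]


def text_filter(events: List[Event], text: str) -> List[Event]:
    """Free-text filter of the Archived Events window: keep an event if the text
    appears in any of its data fields (case-insensitive)."""
    needle = text.lower()
    return [
        e for e in events
        if any(needle in field.lower()
               for field in (e.source, e.severity, e.date.isoformat(), e.description))
    ]


def sort_events(events: List[Event], column: str, descending: bool = True) -> List[Event]:
    """Column-heading sort. Severity sorts by rank, not alphabetically: an
    alphabetical sort would place Critical below Informational."""
    keys = {
        "source": lambda e: e.source,
        "severity": lambda e: SEVERITIES.index(e.severity),
        "status": lambda e: e.acknowledged,
        "date": lambda e: e.date,
    }
    return sorted(events, key=keys[column], reverse=descending)


# Constructed sample events (not real IDM output).
SAMPLE_EVENTS = [
    Event("192.0.2.10", "Informational", datetime(2012, 8, 1, 9, 0), True,
          "User jsmith authenticated on port 1"),
    Event("idm-server", "Warning", datetime(2012, 8, 1, 9, 5), False,
          "RADIUS server radius1 did not respond"),
    Event("192.0.2.10", "Major", datetime(2012, 8, 1, 10, 0), False,
          "Unable to apply access policy on port 3"),
    Event("192.0.2.11", "Critical", datetime(2012, 8, 2, 8, 30), False,
          "Switch unreachable"),
    Event("192.0.2.11", "Minor", datetime(2012, 8, 2, 8, 45), True,
          "Port 5 link flapping"),
    Event("idm-server", "Informational", datetime(2012, 8, 3, 12, 0), False,
          "RADIUS server radius1 connection restored"),
]


if __name__ == "__main__":
    # The page's own example: Acknowledged box checked, "Unacknowledged" selected.
    unacked = apply_filter(SAMPLE_EVENTS, EventFilter(acknowledged=False))
    print(len(unacked), "unacknowledged events")
    urgent = apply_filter(SAMPLE_EVENTS,
                          EventFilter(severities={"Major", "Critical"}, acknowledged=False))
    print([e.description for e in urgent])
    for e in sort_events(SAMPLE_EVENTS, "severity"):
        print(e.severity, e.source, e.description)
```

A saved filter corresponds to a stored EventFilter instance; Clear is the equivalent of replacing it with EventFilter() with every field at None.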

Figure 5-4. IDM Event Archive

The Archived Events window provides the following information for each event:

Table 5-2. Archived IDM Events parameters

Column         Displays...
Source         System, or IP address of the device that originated the event
Severity       Severity level of the event: Informational, Warning, Minor, Major, Critical (listed in order of severity from lowest to highest)
Date Received  Time and date the event was received
Description    Descriptive information contained in the event

You can select the date range for displayed events by clicking the Date arrow and selecting the desired date range from the list. A new date range begins when PCM is restarted.

To further filter archived events, in the Filter field type the text of the filter you want to use. The display will list only events containing the filter text in any of the data fields.

To generate a report from the Event Archive:

To generate a report that can be printed or saved to disk, click Generate Report. This will create and display a report with the data from the Archive Event view.
To display the next page, click > in the bottom left corner. Or, to display the previous page, click <.
To print the report, click the print button and complete the standard Windows print screen.
To save the report to an .htm or .html file, click the save (disk) button, and complete the standard Windows save screen. Be sure to include the .htm or .html file extension in the filename. By default the saved file location is Program Files/Hewlett-Packard/PNM/client.
To close the window, click the Windows X button in the upper right corner.

Setting IDM Event Preferences

Use the IDM Event Preferences to set up archiving and automatic deletion of events from the IDM Events tab and RADIUS Server Activity Logs.

To configure preference settings for IDM events:
1. Select the Identity Management, Events option in the Global Preferences window (Tools > Preferences > Identity Management > Events) to display the IDM Events Settings window.

Figure 5-5. Preferences, IDM Events

2. Use the fields in the Retain Messages section to set the percentage of each IDM event type you want to save in the Events database and display in the Events tab. These percentages are based on the overall size set in the Max number of events field, and must total 100 percent. If the maximum number of events is exceeded, the first type of event to be archived is Informational, then Warning, then Minor, and so on as needed to maintain the maximum number of events shown in the display. For example, with the default maximum of 1000 events and Informational events set to 60 percent: when the archive file reaches the archive storage limit and there are more than 600 Informational events, the oldest Informational event is deleted. To ensure you maintain all Critical and Major events, set the total of the two types to 100 percent (for example, 60 and 40), and set the other severity types to 0 percent.
3. To archive events when the maximum storage size is reached, select the Archive IDM events check box. If archiving is disabled (unchecked), events removed from the Events window are deleted.
4. In the Archive events older than field, select the number of days to wait before archiving IDM events.
5. Use the Limit archive storage to field to set the maximum size of the IDM event archive storage limit (1-100 Gbytes). By default, IDM event archive storage is limited to 1 gigabyte.
   OR
   To stop archiving IDM events in the Event Log, clear the Archive IDM events check box.
6. To change how often the Events tab is refreshed, select the desired seconds (5-60) using the Refresh events every up or down arrows, or type the value. By default, the Events tab is refreshed every 30 seconds.
7. To change the number of events shown on each page of the Events tab, select the number of events ( ) using the Events per page up or down arrows or type the value.
8. To save your changes and leave the Preferences window open, click Apply.
   OR
   To save your changes and exit the window, click OK.

IDM's event archive is located at:
/server/logs/idmeventmgrserver-serverarchivedevents.log
In a default installation, the directory is /Program Files/Hewlett-Packard/PNM.

Using Activity Logs

IDM also provides an Activity Log you can use to monitor events for specific RADIUS servers. To view the Activity Log for a RADIUS Server:
1. Expand the IDM navigation tree to display the RADIUS Server node.
2. Select the RADIUS server, then click the Activity Log tab.

Figure 5-6. RADIUS Server Activity Log

The Activity Log provides information similar to IDM Events, except that the entries are specific to the selected server. See IDM Events on page 5-1 for additional information. You can acknowledge and delete events, but you cannot filter entries in the Activity Log.
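The Retain Messages percentages described under Setting IDM Event Preferences (step 2) decide which events survive once the Events database is full, and the page's advice to give Critical and Major the whole 100 percent is easy to skip. The following Python model is an added example, not IDM code: it assumes, as one reading of the page, that when the maximum is exceeded the levels are walked from Informational upward and the first level holding more than its share gives up its oldest event, and that a trimmed event reaches the archive only when the Archive IDM events box is checked (the "Archive events older than" delay is not modelled). RetentionPolicy, EventLog, SPREAD_SHARES and PROTECT_SHARES are the example's own names, and the events are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Severity levels lowest to highest; trimming starts at the lowest level.
SEVERITIES = ("Informational", "Warning", "Minor", "Major", "Critical")

# Two Retain Messages configurations to compare (constructed, not IDM defaults):
# a spread that gives every level a share, and the page's advice of 60/40 for
# Critical/Major with the other levels at 0 percent.
SPREAD_SHARES = {"Informational": 60, "Warning": 20, "Minor": 10, "Major": 5, "Critical": 5}
PROTECT_SHARES = {"Informational": 0, "Warning": 0, "Minor": 0, "Major": 40, "Critical": 60}


@dataclass(frozen=True)
class Event:
    source: str
    severity: str
    date: datetime
    description: str


class RetentionPolicy:
    """Retain Messages settings: Max number of events plus a percentage share of
    that maximum per severity. Shares must total 100 percent, as the page requires."""

    def __init__(self, max_events: int, shares: Dict[str, int], archive: bool = True):
        if set(shares) != set(SEVERITIES):
            raise ValueError("a share is required for every severity level")
        if sum(shares.values()) != 100:
            raise ValueError("shares must total 100 percent")
        self.max_events = max_events
        # Events each level may hold, e.g. 60 percent of 1000 = 600 Informational.
        self.quota = {s: max_events * shares[s] // 100 for s in SEVERITIES}
        self.archive_enabled = archive   # the "Archive IDM events" check box


class EventLog:
    """Events tab storage: a bounded list trimmed by a RetentionPolicy. Trimmed
    events go to the archive when archiving is on, otherwise they are deleted."""

    def __init__(self, policy: RetentionPolicy):
        self.policy = policy
        self.events: List[Event] = []    # oldest first
        self.archive: List[Event] = []   # what the Archived Events window would list
        self.deleted = 0                 # trimmed events lost because archiving was off

    def add(self, event: Event) -> None:
        self.events.append(event)
        while len(self.events) > self.policy.max_events:
            victim = self._pick_victim()
            if victim is None:           # guard only; cannot happen when shares total 100
                break
            self.events.remove(victim)
            if self.policy.archive_enabled:
                self.archive.append(victim)
            else:
                self.deleted += 1

    def _pick_victim(self) -> Optional[Event]:
        """Walk the levels from Informational upward; the first level over its quota
        gives up its oldest event. A level with a 0 percent share is over quota as
        soon as it holds one event, so it is trimmed whenever the lower levels fit."""
        counts = Counter(e.severity for e in self.events)
        for sev in SEVERITIES:
            if counts[sev] > self.policy.quota[sev]:
                return next(e for e in self.events if e.severity == sev)
        return None

    def count(self, severity: str) -> int:
        return sum(1 for e in self.events if e.severity == severity)


def fill(log: EventLog, severity: str, n: int, source: str = "192.0.2.10") -> None:
    """Append n constructed events of one severity (sample data, not IDM output)."""
    base = datetime(2012, 8, 1, 9, 0)
    for i in range(n):
        log.add(Event(source, severity, base + timedelta(seconds=i),
                      f"constructed {severity} event {i}"))


def run_scenario(shares: Dict[str, int]) -> Dict[str, object]:
    """Fill a small log (maximum 10, to keep the run readable) to one short of its
    maximum with lower-severity events, then keep adding Critical events and report
    which events the policy trimmed to make room."""
    log = EventLog(RetentionPolicy(10, shares))
    fill(log, "Informational", 6)
    fill(log, "Warning", 2)
    fill(log, "Minor", 1)                          # 9 events so far
    fill(log, "Critical", 6, source="192.0.2.11")  # pushes the log over its maximum
    return {
        "critical_kept": log.count("Critical"),
        "first_trimmed": log.archive[0].severity,
        "trimmed": len(log.archive),
        "total": len(log.events),
    }


if __name__ == "__main__":
    print("spread shares: ", run_scenario(SPREAD_SHARES))
    print("protect shares:", run_scenario(PROTECT_SHARES))
```

With SPREAD_SHARES the lower levels sit exactly at their quotas once the log is full, so every additional Critical event evicts the previous Critical event and only one survives; with PROTECT_SHARES the Informational events are trimmed instead and all six Critical events are kept, which is the behaviour the page's 60/40 recommendation is meant to produce.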


More information

HP Enterprise Secure Key Manager Configuration Guide for HP Tape Libraries

HP Enterprise Secure Key Manager Configuration Guide for HP Tape Libraries HP Enterprise Secure Key Manager Configuration Guide for HP Tape Libraries Abstract This document provides information about configuring the HP Enterprise Secure Key Manager (ESKM) for use with HP tape

More information

User Guide. Version R95. English

User Guide. Version R95. English Anti-Malware (Classic) User Guide Version R95 English July 20, 2017 Copyright Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept

More information

HP XP7 Performance Advisor Software Installation Guide (v6.1.1)

HP XP7 Performance Advisor Software Installation Guide (v6.1.1) HP XP7 Performance Advisor Software Installation Guide (v6.1.1) Abstract This document describes how to install and configure the HP XP7 Performance Advisor Software. This document is intended for users

More information

IDE Connector Customizer Readme

IDE Connector Customizer Readme IDE Connector Customizer Readme Software version: 1.0 Publication date: November 2010 This file provides information about IDE Connector Customizer 1.0. Prerequisites for IDE Connector Customizer The Installation

More information

SiteScope Adapter for HP OpenView Operations

SiteScope Adapter for HP OpenView Operations SiteScope Adapter for HP OpenView Operations for the UNIX and Windows Operating System Software Version: 1.00, 1.01 User s Guide Document Release Date: 24 November 2009 Software Release Date: December

More information

HP Project and Portfolio Management Center

HP Project and Portfolio Management Center HP Project and Portfolio Management Center Software Version: 9.30 HP Demand Management User s Guide Document Release Date: September 2014 Software Release Date: September 2014 Legal Notices Warranty The

More information

Integration Guide. SafeNet Authentication Manager. SAM using RADIUS Protocol with SonicWALL E-Class Secure Remote Access

Integration Guide. SafeNet Authentication Manager. SAM using RADIUS Protocol with SonicWALL E-Class Secure Remote Access SafeNet Authentication Manager Integration Guide SAM using RADIUS Protocol with SonicWALL E-Class Secure Remote Access Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright

More information

Managing WCS User Accounts

Managing WCS User Accounts 7 CHAPTER This chapter describes how to configure global email parameters and manage WCS user accounts. It contains these sections: Adding WCS User Accounts, page 7-2 Viewing or Editing User Information,

More information

HP Roam - Business Deployment Guide

HP Roam - Business Deployment Guide HP Roam - Business Deployment Guide Copyright 2018 HP Development Company, L.P. January 2019 The information contained herein is subject to change without notice. The only warranties for HP products and

More information

Nimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book]

Nimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book] Nimsoft Service Desk Single Sign-On Configuration Guide [assign the version number for your book] Legal Notices Copyright 2012, CA. All rights reserved. Warranty The material contained in this document

More information

SafeConsole On-Prem Install Guide. version DataLocker Inc. July, SafeConsole. Reference for SafeConsole OnPrem

SafeConsole On-Prem Install Guide. version DataLocker Inc. July, SafeConsole. Reference for SafeConsole OnPrem version 5.2.2 DataLocker Inc. July, 2017 SafeConsole Reference for SafeConsole OnPrem 1 Contents Introduction................................................ 2 How do the devices become managed by SafeConsole?....................

More information

22 August 2018 NETOP REMOTE CONTROL PORTAL USER S GUIDE

22 August 2018 NETOP REMOTE CONTROL PORTAL USER S GUIDE 22 August 2018 NETOP REMOTE CONTROL PORTAL USER S GUIDE CONTENTS 1 Overview... 3 1.1 Netop Remote Control Portal... 3 1.2 Technical Requirements... 3 2 General... 4 2.1 Authentication... 4 2.1.1 Forgot

More information

HP Deskjet 6800 series

HP Deskjet 6800 series HP Deskjet 6800 series Network Guide 網路指南 English English Edition 1 May 2004 Copyright 2004 Hewlett-Packard Development Company, L.P. Notice Reproduction, adaptation, or translation without prior written

More information

HPE Security ArcSight Connectors

HPE Security ArcSight Connectors HPE Security ArcSight Connectors SmartConnector for Microsoft DHCP File Configuration Guide October 17, 2017 Configuration Guide SmartConnector for Microsoft DHCP File October 17, 2017 Copyright 2006 2017

More information

Security Provider Integration RADIUS Server

Security Provider Integration RADIUS Server Security Provider Integration RADIUS Server 2017 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property

More information

Configuring the Cisco TelePresence System

Configuring the Cisco TelePresence System 3 CHAPTER Revised: August 2011, Contents This chapter contains the following sections: First Time Setup Wizard for the CTS 500 32, page 3-1 First Time Setup for All Other CTS Models, page 3-2 IP Settings,

More information

Sophos Enterprise Console Help. Product version: 5.3

Sophos Enterprise Console Help. Product version: 5.3 Sophos Enterprise Console Help Product version: 5.3 Document date: September 2015 Contents 1 About Sophos Enterprise Console 5.3...6 2 Guide to the Enterprise Console interface...7 2.1 User interface layout...7

More information

ForeScout CounterACT. Configuration Guide. Version 5.0

ForeScout CounterACT. Configuration Guide. Version 5.0 ForeScout CounterACT Core Extensions Module: Reports Plugin Version 5.0 Table of Contents About the Reports Plugin... 3 Requirements... 3 Supported Browsers... 3 Verify That the Plugin Is Running... 5

More information

HPE ALM Excel Add-in. Microsoft Excel Add-in Guide. Software Version: Go to HELP CENTER ONLINE

HPE ALM Excel Add-in. Microsoft Excel Add-in Guide. Software Version: Go to HELP CENTER ONLINE HPE ALM Excel Add-in Software Version: 12.55 Microsoft Excel Add-in Guide Go to HELP CENTER ONLINE http://alm-help.saas.hpe.com Document Release Date: August 2017 Software Release Date: August 2017 Legal

More information

Dell License Manager Version 1.2 User s Guide

Dell License Manager Version 1.2 User s Guide Dell License Manager Version 1.2 User s Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION indicates either

More information