ProCurve Identity Driven Manager User’s Guide, Software Release 2.0
1-6 About ProCurve Identity Driven Manager: Introduction. • A Decision Manager that receives the user data and checks it against user data in the local IDM
3-46 Using Identity Driven Manager: Using Manual Configuration. Modifying and Deleting RADIUS Servers. To modify an existing RADIUS Server: 1. Use the IDM Tre
3-47 Using Identity Driven Manager: Using Manual Configuration. Adding New Users. You can let the IDM Agent automatically learn about the users from the RADI
3-48 Using Identity Driven Manager: Using Manual Configuration. 3. If you want to restrict the user’s access to specific systems, click New System... to di
3-49 Using Identity Driven Manager: Using Manual Configuration. NOTE: Access Policy Group settings are not applied to the user until you deploy the new con
3-50 Using Identity Driven Manager: Using the User Import Wizard. The IDM User Import Wizard lets you add users to IDM from ano
3-51 Using Identity Driven Manager: Using the User Import Wizard. Importing Users from Active Directory. To import user information into IDM from an Active D
3-52 Using Identity Driven Manager: Using the User Import Wizard. 3. Click the radio button to select the Active Directory data source. 4. Click Next to con
3-53 Using Identity Driven Manager: Using the User Import Wizard. 5. Select the scope of Active Directory groups that you want to import user data from. 6.
3-54 Using Identity Driven Manager: Using the User Import Wizard. 8. Click the Select checkbox to choose the groups you want to import from the Active Dire
3-55 Using Identity Driven Manager: Using the User Import Wizard. 10. Click the Select checkbox to choose the users you want to import from the Active Dire
1-7 About ProCurve Identity Driven Manager: Terminology. Authentication: The process of proving the user’s identity. In networks this involves th
3-56 Using Identity Driven Manager: Using the User Import Wizard. b. Click Next to continue. Repeat the process for each user. c. Click Finish to save the
3-57 Using Identity Driven Manager: Using the User Import Wizard. A summary of the IDM Import displays. 15. Click Finish to exit the wizard. Importing User
3-58 Using Identity Driven Manager: Using the User Import Wizard. a. To use the SSL authentication method, check the Use SSL checkbox. Note: To use SSL, ens
3-59 Using Identity Driven Manager: Using the User Import Wizard. b. Select the LDAP Authentication type to be used with the imported user data: c. Click Ne
3-60 Using Identity Driven Manager: Using the User Import Wizard. For Simple Authentication. Simple authentication, which is not very secure, sends the LDAP
3-61 Using Identity Driven Manager: Using the User Import Wizard. Using Digest-MD5 Authentication. The SASL Digest MD5 authentication window is used to defin
3-62 Using Identity Driven Manager: Using the User Import Wizard. Using Kerberos-V5 Authentication. The SASL Kerberos V5 authentication window is used to def
3-63 Using Identity Driven Manager: Using the User Import Wizard. Using External Authentication. The SASL External authentication window is used to define th
3-64 Using Identity Driven Manager: Using the User Import Wizard. 7. Click Next to continue to the Extract Users and Groups window. Importing LDAP X509 Use
3-65 Using Identity Driven Manager: Using the User Import Wizard. Using Anonymous Authentication. The LDAP Anonymous Authentication window is used to define
1-8 About ProCurve Identity Driven Manager: Terminology. Realm: A Realm is similar to an Active Directory Domain, but it works across non-Windows (Linux, et
3-66 Using Identity Driven Manager: Using the User Import Wizard. Editing IDM Configuration for LDAP Import. The IDM server includes several configuration fi
3-67 Using Identity Driven Manager: Using the User Import Wizard. LDAP_DIRECTORY_CONFIG { // Configuration for LDAP directory. Following values are for A
3-68 Using Identity Driven Manager: Using the User Import Wizard. Importing Users from XML files. If you select to import users from an XML File, the XML Dat
3-69 Using Identity Driven Manager: Using the User Import Wizard. XML User Import File Example. XML files used to import user data to IDM should have the fol
4-1 4 Troubleshooting IDM. Chapter Contents: IDM Events (4-2); Using Event Fi
4-2 Troubleshooting IDM: IDM Events. The IDM Events window is used to view and manage IDM events generated by the IDM application or the IDM Age
4-3 Troubleshooting IDM: IDM Events. You can sort the Events listing by Source, Severity, Status or Date. Click the desired column heading to sort events i
4-4 Troubleshooting IDM: IDM Events. 3. Click the Acknowledge Event icon in the toolbar. To delete an IDM event: 1. Click the Events tab on the IDM Dashboard
4-5 Troubleshooting IDM: IDM Events. 2. In the Manage Filters window, click New to display the New Filter window. 3. Click the Filter Type drop-down arrow a
1-9 About ProCurve Identity Driven Manager: IDM Specifications. Supported Devices. ProCurve Identity Driven Manager (IDM) supports authoriz
4-6 Troubleshooting IDM: IDM Events. 6. In the Criteria field, enter the criteria used to select events. The Criteria field works in conjunction with the O
4-7 Troubleshooting IDM: IDM Events. 4. Modify the filter attributes. 5. Click Ok to save your changes and close the Modify Filters window. The changes to th
4-8 Troubleshooting IDM: IDM Events. 2. To delete IDM events once they are acknowledged, select the "Auto delete acknowledged events" checkbox. 3.
4-9 Troubleshooting IDM: Using Decision Manager Tracing. IDM provides a tracing tool (DMConfig.prp) and log file (DM-IDMDM.lo
4-10 Troubleshooting IDM: Using Decision Manager Tracing. Miscellaneous. For authenticating a MAC-Auth user using Funk Steel Belted RADIUS (SBR) with IDM, th
A-1 A IDM Technical Reference. Device Support for IDM Functionality. Due to variations in hardware and software configuration of various ProCurve Devices, n
A-2 IDM Technical Reference: Best Practices. Authentication Methods. The IDM application is designed to support RADIUS server implementation wi
A-3 IDM Technical Reference: Best Practices. Handling Unknown or Unauthorized users. If a user is authenticated in RADIUS, but is unknown to IDM, IDM will no
A-4 IDM Technical Reference: Best Practices. In this instance, if the user attempts to log in during the times specified for the Weekends, they will be
A-5 IDM Technical Reference: Types of User Events. The USER_FAILED_LOGIN event happens whenever RADIUS sends IDM a message of an unsucc
1-10 About ProCurve Identity Driven Manager: IDM Specifications. ProCurve Manager Plus software must be installed for IDM to operate. The IDM software ca
1-11 About ProCurve Identity Driven Manager: IDM Specifications. When you upgrade to IDM 2.0, you need to manually install the IDM Agent upgrade on your RA
1-12 About ProCurve Identity Driven Manager: Registering Your IDM Software. The ProCurve Manager installation CD includes a fu
1-13 About ProCurve Identity Driven Manager: Registering Your IDM Software. Figure 2. ProCurve License Administration dialogue. You can also get to this scre
1-14 About ProCurve Identity Driven Manager: Registering Your IDM Software. The window is refreshed and the registration information, including your Licens
1-15 About ProCurve Identity Driven Manager: Learning to Use ProCurve IDM. The following information is available for learning
Hewlett-Packard Company, 8000 Foothills Boulevard, m/s 5551, Roseville, California 95747-5551, http://www.procurve.com. © Copyright 2004, 2005 Hewlett-Pack
1-16 About ProCurve Identity Driven Manager: ProCurve Support
2-1 2 Getting Started. Chapter Contents: Before You Begin (2-2); Installing the IDM Agent
2-2 Getting Started: Before You Begin. If you have not already done so, please review the list of supported devices and operating requireme
2-3 Getting Started: Before You Begin. The IDM Client is included with the PCM+ software. To install a remote PCM/IDM Client, download the PCM Client to a
2-4 Getting Started: Before You Begin. 5. Create the Access Profiles, to set the VLAN, QoS, rate-limits (bandwidth) attributes, and the network resources t
2-5 Getting Started: Before You Begin. Understanding the IDM Model. The first thing to understand is that IDM works within the general concept of ‘domains’
2-6 Getting Started: IDM GUI Overview. To use the IDM client, launch the PCM Client on your PC. Select the ProCurve Manager option from the
2-7 Getting Started: IDM GUI Overview. Select the IDM Tree tab at the bottom left of the PCM window to display the IDM Home window. Figure 2-2. IDM Home Win
2-8 Getting Started: IDM GUI Overview. IDM Dashboard. The IDM Dashboard tab (window) contains four separate panels, described below. Identity Management Statu
2-9 Getting Started: IDM GUI Overview. Using the Navigation Tree. The navigation tree in the left pane of the IDM window provides access to IDM features usin
iii Contents. 1 About ProCurve Identity Driven Manager: Introduction
2-10 Getting Started: IDM GUI Overview. Figure 2-4. Realm Properties tab. Click the Users tab, underneath the realm Properties tab, to view a list of users i
2-11 Getting Started: IDM GUI Overview. Access Policy Groups: Click the Access Policy Group node to display the Access Policy Groups tab with a list of cur
2-12 Getting Started: IDM GUI Overview. RADIUS Servers: Clicking the RADIUS Servers node displays the RADIUS List tab, with status and configuration inform
2-13 Getting Started: IDM GUI Overview. The Activity Log tab underneath the properties display contains a listing of IDM application events for that RADIUS
2-14 Getting Started: Using IDM as a Monitoring Tool. Whether or not you configure and apply access and authorization paramet
2-15 Getting Started: Using IDM as a Monitoring Tool. IDM Preferences. The IDM Preferences window is used to set up global attributes for session accounting
2-16 Getting Started: Using IDM as a Monitoring Tool. the IDM agent will look for the RADIUS attribute in the supplicant’s authentication request and act a
2-17 Getting Started: Using IDM as a Monitoring Tool. 9. If you do not want to add a timestamp to the archive filename, uncheck the Use timestamp in archiv
2-18 Getting Started: Using IDM Reports. IDM provides reports designed to help you monitor and analyze usage patterns for network resource
2-19 Getting Started: Using IDM Reports. You can save the report to a file, or print the report. To apply customized Report Header information for your com
iv Contents. 3 Using Identity Driven Manager: IDM Configuration Model (3-2); Co
2-20 Getting Started: Using IDM Reports. The following information is provided for each user included in the Bandwidth Usage report: IDM Statistics: The IDM
2-21 Getting Started: Using IDM Reports. User Report: The User Report lists information for recent sessions in which the user participated, similar to the
2-22 Getting Started: Using IDM Reports. a. Enter the Start date and time. b. Click one of the radio buttons to select the Recurrence Pattern. c. Click to
2-23 Getting Started: Using IDM Reports. 5. Click to select the Report Type from the list. 6. Click Next to continue to the Report Filter window.
2-24 Getting Started: Using IDM Reports. 7. Depending on the report type, select the Report Filters, to configure what data is included in the report. For
2-25 Getting Started: Using IDM Reports. 9. Click the radio button to select the Report Format for output: PDF, HTML, or CSV (comma separated values). 10.
2-26 Getting Started: Using IDM Reports. 11. Select the Delivery method: FTP, File, or Email from the pull-down menu. Then set the parameters needed to def
2-27 Getting Started: Using IDM Reports. IDM Session Cleanup Policy. The IDM Session Cleanup Policy is included in the PCM+ policies by default when you inst
2-28 Getting Started: Using IDM Reports. 4. Set the Start Date for enforcement of the policy. The default is the start date and time for IDM. You can type
2-29 Getting Started: User Session Information. You can use IDM to just monitor the network, and receive detailed information about
1-1 1 About ProCurve Identity Driven Manager. Chapter Contents: Introduction
2-30 Getting Started: User Session Information. The Session List provides a listing of recent sessions, including the following information: The User Prop
2-31 Getting Started: User Session Information. The Session Information tab of the User Status window contains the following information: To track the user’
2-32 Getting Started: User Session Information. The Location Information tab of the User Status window contains the following information: Click the Disable
2-33 Getting Started: User Session Information. Finding a User. The Find User feature lets you search for and display information about a user by name or MAC
2-34 Getting Started: User Session Information. In the MAC address field, type the MAC address of the computer for which you want to find and display infor
3-1 3 Using Identity Driven Manager. Chapter Contents: IDM Configuration Model (3-2); Configuration Process Revi
3-2 Using Identity Driven Manager: IDM Configuration Model. As described in the IDM model on page 2-5, everything relates to the to
3-3 Using Identity Driven Manager: IDM Configuration Model. 3. If you intend to restrict a user’s access to specific systems, based on the system they use
3-4 Using Identity Driven Manager: IDM Configuration Model. Figure 3-1. Identity Management Configuration, default display. Click the node in the navigation
3-5 Using Identity Driven Manager: Configuring Locations. Locations in IDM identify the switch and/or ports on the switch and wireless
1-2 About ProCurve Identity Driven Manager: Introduction. Network usage has skyrocketed with the expansion of the Internet, wireless, and conve
3-6 Using Identity Driven Manager: Configuring Locations. Adding a New Location. To create a new location: 1. Click the New Location icon in the toolbar to di
3-7 Using Identity Driven Manager: Configuring Locations. 5. Enter the Device to be added using the Device Selection pull-downs, or select the Manually ent
3-8 Using Identity Driven Manager: Configuring Locations. NOTE: If a switch in the device list is not configured to authenticate with the RADIUS server, th
3-9 Using Identity Driven Manager: Configuring Locations. NOTE: When modifying Locations, make sure all devices for the location are configured with the a
3-10 Using Identity Driven Manager: Configuring Times. Times are used to define the hours and days when a user can connect to the network.
3-11 Using Identity Driven Manager: Configuring Times. Creating a New Time. To configure a Time: 1. Click the Times node in the Identity Management Configurat
3-12 Using Identity Driven Manager: Configuring Times. 3. Define the properties for the new time. 4. Click Ok to save the new "Time" and close th
3-13 Using Identity Driven Manager: Configuring Times. Modifying a Time. 1. Click the Times node in the Identity Management Configuration navigation tree to
3-14 Using Identity Driven Manager: Configuring Times. Defining Holidays. To add holidays for use when defining Times in IDM: 1. Click the Times node in the
1-3 About ProCurve Identity Driven Manager: Introduction. Why IDM? Today, access control using a RADIUS system and ProCurve devices (switches or wireless ac
3-16 Using Identity Driven Manager: Configuring Network Resources. The Network Resources in IDM are used to permit or deny tra
3-17 Using Identity Driven Manager: Configuring Network Resources. The Network Resources window lists the name and parameters for defined resources, includ
3-18 Using Identity Driven Manager: Configuring Network Resources. Adding a Network Resource. To define a Network Resource: 1. Click the Network Resources nod
3-19 Using Identity Driven Manager: Configuring Network Resources. * Valid Friendly port names supported in IDM include: ftp, syslog, ldap, http, imap4, im
3-20 Using Identity Driven Manager: Configuring Network Resources. To Delete a Network Resource: 1. Click the Network Resources node in the Identity Manage
3-21 Using Identity Driven Manager: Configuring Access Profiles. IDM uses an Access Profile to set the VLAN, QoS, Bandwidth (rat
3-22 Using Identity Driven Manager: Configuring Access Profiles. Click the Access Profile node in the navigation tree, or double-click on a profile in the
3-23 Using Identity Driven Manager: Configuring Access Profiles. Creating a New Access Profile. 1. Click the Access Profiles node in the Identity Management
3-24 Using Identity Driven Manager: Configuring Access Profiles. NOTE: If you are assigning any VLAN other than the default VLAN, ensure that the VLAN is c
3-25 Using Identity Driven Manager: Configuring Access Profiles. 6. To permit access to Network Resources: a. Select the Resource in the Available Resources
1-4 About ProCurve Identity Driven Manager: Introduction. When using IDM, the authentication process proceeds as described in the first three steps, but fr
3-26 Using Identity Driven Manager: Configuring Access Profiles. 7. To deny access to Network Resources: a. Select the Resource in the Available Resources l
3-27 Using Identity Driven Manager: Configuring Access Profiles. 8. Set the priority (order of evaluation) for the Network Resources. To change the priorit
3-28 Using Identity Driven Manager: Configuring Access Profiles. 11. Click Next to continue to the Resource Accounting window. 12. Click the check box to e
3-29 Using Identity Driven Manager: Configuring Access Profiles. 14. Click Finish to save the Network Resource Assignments to the Access Profile and close
3-30 Using Identity Driven Manager: Configuring Access Profiles. NOTE: When modifying Access Profiles, make sure the appropriate VLANs are configured on t
3-31 Using Identity Driven Manager: Defining Access Policy Groups. An Access Policy Group (APG) contains rules that define the
3-32 Using Identity Driven Manager: Defining Access Policy Groups. To begin, expand the Realms node to display the Access Policy Group node in the IDM tree
3-33 Using Identity Driven Manager: Defining Access Policy Groups. 3. Type in a Name and Description for the Access Policy Group. 4. Click New... to display
3-34 Using Identity Driven Manager: Defining Access Policy Groups. 6. Repeat the process for each rule you want to apply to the APG. 7. The Access rules are
3-35 Using Identity Driven Manager: Defining Access Policy Groups. Using IDM with Endpoint Integrity Systems. You can create access profiles in IDM to work i
1-5 About ProCurve Identity Driven Manager: Introduction. IDM Architecture. In IDM, when a user attempts to connect to the network through an edge switch, th
3-36 Using Identity Driven Manager: Defining Access Policy Groups. Modifying an Access Policy Group. 1. Click the Access Policy Group node in the IDM tree to
3-37 Using Identity Driven Manager: Configuring User Access. The process of configuring User access to network resources using IDM i
3-38 Using Identity Driven Manager: Configuring User Access. Adding Users to an Access Policy Group. To assign a user to an access policy group: 1. Expand the
3-39 Using Identity Driven Manager: Configuring User Access. Using Global Rules. Global Rules can be used to provide an "exception process" to the
3-40 Using Identity Driven Manager: Configuring User Access. Creating a Global Rule is similar to creating Access Rules for an Access Profile Group. To cre
3-41 Using Identity Driven Manager: Configuring User Access. a. Select the Location where the global rule will be applied, or "ANY". b. Select the
3-42 Using Identity Driven Manager: Deploying Configurations to the Agent. Once you have configured the Access Policy
3-43 Using Identity Driven Manager: Using Manual Configuration. It is simplest to let the IDM Agent run and collect information
3-44 Using Identity Driven Manager: Using Manual Configuration. Modifying and Deleting Realms. To modify an existing Realm: 1. Select the Realm in the Realms
3-45 Using Identity Driven Manager: Using Manual Configuration. Defining RADIUS Servers. You can let the IDM Agent learn about the RADIUS server on which it