HP Identity Driven Manager Software Licenses User Manual

HP PCM+ 4.0 Identity Driven Manager
User’s Guide
Publication Number
5998-3399
August, 2012
Disclaimer
The information contained in this document is subject to change without notice.
The only warranties for HP products and services are set forth in the express warranty statement accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Trademark Credits
Microsoft, Windows, Windows XP, and Windows Vista are U.S. registered trademarks of Microsoft Corporation.
Intel and Pentium are trademarks of Intel Corporation in the U.S. and other countries.
Adobe is a trademark of Adobe Systems Incorporated.
Warranty
See the Customer Support/Warranty booklet included with the product.
A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer.
Hewlett-Packard Company 8000 Foothills Boulevard, m/s 5551 Roseville, California 95747-5551 http://www.procurve.com
Contents
1 Welcome to Identity Driven Manager
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Why IDM? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
What’s New in IDM 4.0? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
IDM Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
IDM Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Supported Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Operating Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Additional Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Upgrading from Previous Versions of PCM and IDM . . . . . . . . . . . . . . . . . 1-9
Migrating from PCM/IDM 3.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Learning to Use PCM+ IDM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Getting IDM Support and Documentation From the Web . . . . . . . . . . . . 1-10
2 Getting Started
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Installing the IDM Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Checking IDM Server and Agent Connectivity . . . . . . . . . . . . . . . . . . . . . 2-4
Using the IDM Auto-Discover Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
IDM Configuration Process Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
IDM Usage Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
Understanding the IDM Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
IDM GUI Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
IDM Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
Using the Navigation Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
Toolbars and Menus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-17
Using IDM as a Monitoring Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-18
Using IDM Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19
Creating Report Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-22
Configuring a Policy Action to Generate Reports . . . . . . . . . . . . . . . . . . . 2-22
IDM Session Cleanup Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-28
Monitoring User Session Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-32
Find User Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-35
User Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-36
Show Mitigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-38
IDM Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-39
Using Active Directory Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . 2-42
Testing IDM’s AD Sync Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 2-48
3 Using Identity Driven Manager
Understanding the IDM Configuration Model . . . . . . . . . . . . . . . . . . . . . . . 3-1
Configuration Process Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Configuring Identity Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
Configuring Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
Adding a New Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Modifying a Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Deleting a Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10
Configuring Times . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11
Creating a New Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12
Modifying a Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14
Deleting a Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14
Device Finger Printing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-15
Configuring Device Finger Printing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-15
User Agent To Device Types Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16
Creating a New User Agent Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17
Bulk Import of User Agent Pattern Mappings . . . . . . . . . . . . . . . . . . . . . . 3-18
Deleting a User Agent Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18
Moving up User Agent Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-19
Moving down User Agent Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-19
Device Type Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-19
Creating a New Device Type Group Object . . . . . . . . . . . . . . . . . . . . . . . 3-21
Modify Device Type Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-24
Configuring Network Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-25
Adding a Network Resource . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-27
Modifying a Network Resource . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-29
Deleting a Network Resource . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-29
Configuring Access Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-31
Creating a New Access Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-32
Modifying an Access Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-39
Defining Access Policy Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-41
Creating an Access Policy Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-42
Modifying an Access Policy Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-46
Deleting an Access Policy Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-47
Configuring User Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-48
Adding Users to an Access Policy Group . . . . . . . . . . . . . . . . . . . . . . . . . 3-49
Changing Access Policy Group Assignments . . . . . . . . . . . . . . . . . . . . . . 3-50
Using Global Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-50
Configuring Auto-Allow OUIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-54
Viewing Auto-Allow OUIs and Network Access . . . . . . . . . . . . . . . . . . . 3-56
Viewing Auto-Allow User Information . . . . . . . . . . . . . . . . . . . . . . . . . . 3-57
Monitoring OUI Events and User Session Information . . . . . . . . . . . . . . 3-58
Adding an OUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-58
About HP and Custom OUIs in Server/Config . . . . . . . . . . . . . . . . . . . . . 3-62
Modifying an OUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-63
Moving an OUI to Another Access Policy Group . . . . . . . . . . . . . . . . . . 3-63
Deleting an OUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-64
Auto-Allow OUIs for 802.1x and Web Authentications . . . . . . . . . . . . . 3-64
Deploying Configurations to the Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-66
Using Manual Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-67
Defining New Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-67
Modifying and Deleting Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-68
Adding RADIUS Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-69
Deleting RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-75
Adding New Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-76
Using the User Import Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-80
Importing Users from Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . 3-81
Importing Users from an LDAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . 3-87
Importing Users from XML files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-97
Importing SNAC Devices from a Comma Separated Value (CSV) file . . 3-99
4 Using the Secure Access Wizard
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
Supported Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Using Secure Access Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
5 Troubleshooting IDM
IDM Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Pausing the Events Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
Using Event Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
Viewing the Events Archive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
Setting IDM Event Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
Using Activity Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-9
Using Decision Manager Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-11
Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13
Placing IDM Server into the AD Domain . . . . . . . . . . . . . . . . . . . . . . . . . 5-13
A IDM Technical Reference
Device Support for IDM Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1
About Switch Support for MAFR and MBV . . . . . . . . . . . . . . . . . . . . . . . A-1
Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-4
Types of User Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-7

Welcome to Identity Driven Manager

Introduction

Network usage has skyrocketed with the expansion of the Internet, wireless, and convergence technologies. This increases the burden on network managers working to control network usage. Also, the complexity of large networks makes it difficult to control network access and usage by individual users.
Identity Driven Manager (IDM) is an add-on module to the HP PCM Plus (PCM+) application that extends the functionality of PCM+ to include authorization control features for edge devices in networks using RADIUS servers and Web Authentication, MAC Authentication, or 802.1X security protocols.
Using IDM simplifies user access configuration by automatically discovering RADIUS servers, domains, and users. You can use IDM to monitor users on the network, and to create and assign access policies that dynamically configure edge devices (wired and wireless) and manage network resources available to individual users. Using IDM, access rights, quality of service (QoS), bandwidth throttling, ACLs, and VLAN enrollment are associated with a user and applied at the point of entry or “edge” of the network.

Why IDM?

Today, access control using a RADIUS system and PCM devices (switches or wireless access points) is typically made up of several steps.
1. A user attempts to connect to the network.
2. The edge device recognizes a connection state change and requests identifying information about the user. This can include MAC address, username and password, or more complex information.
3. The switch forwards an access request, including the user information to the authentication server (RADIUS).
4. The RADIUS server validates the user’s identity in the user directory, which can be an Active Directory, database or flat file. Based on the validation result received from the user directory, the authentication server returns an accept or deny response to the switch.
5. If the user is authenticated, the PCM device grants the user access to the network. If the user is not authenticated, access is denied.
For networks using IDM, access control is enhanced to include authorization parameters along with the authentication response. IDM enhances existing network security by adding network authorization information, with access and resource usage parameters, to the existing authentication process. Using IDM you can assign access rights and connection attributes at the network switch or access point, with dynamic configuration based on the time, place, and client that is generating the access request.
When using IDM, the authentication process proceeds as described in the first three steps, but from that point the process changes as follows:
4. The RADIUS server validates the user’s identity in the user directory. Based on the validation result received from the user directory, the authentication server returns an accept or deny response to the switch or access point. When using IDM without SNAC, if the user is accepted (authenticated), the IDM Agent on the RADIUS server processes the user information. IDM then inserts the network access rights configured for the user into the authentication response sent to the switch or access point.
5. If the user is authenticated, the switch or access point grants the user access to the network. The (IDM) authorization information included in the authentication response is used to configure VLAN access, QoS and bandwidth parameters for the user, and what network resources the user can access based on time and location of the user’s login.
If the user is authenticated by the RADIUS server, but IDM’s authorization data indicates that the user is attempting to access the network at the wrong time, or from the wrong location or system, the user’s access request is denied by IDM.
If a user is authenticated in RADIUS, but is unknown to IDM, IDM will not override RADIUS authentication and default switch settings, unless you configure it to do so. You can create a “guest” profile in IDM to provide limited access for unknown users.

What’s New in IDM 4.0?

PCM+ Identity Driven Manager version 4.0 includes the following new features and enhancements:
• Registration Server enhancements to simplify administrative overhead in implementing network access control
• Simple Network Access Control (SNAC) support, including:
  • IAS/NPS RADIUS server support
  • An administrative GUI for configuration, events viewing and SSL certificate management
  • A SNAC-IDM communication interface
  • SNAC 802.1X hybrid solution support
  • Active Directory connection for verification and ongoing synchronization
  • The capability to register multiple devices per user
  • Multiple deployment support, including “SNAC + IDM” or “Classic IDM” only
• An integrated PCM/IDM installer
• IDM Support for IPv6
• Auto-allow capabilities
• The capability to dynamically load OUIs from a file
• IDM GUI enhancements, including “realm” labels renamed to “domain”

IDM Architecture

In IDM, when a user attempts to connect to the network through a switch or access point, the user is authenticated via the RADIUS Server and user directory. Then, IDM is used to return the user’s “access profile” along with the authentication response from RADIUS to the switch. The IDM information is used to dynamically configure the edge switch to provide the appropriate authorizations to the user, that is, what VLAN the user can access, and what resources (QoS, bandwidth) the user gets.
The following figure illustrates the IDM architecture and how it fits in with RADIUS.
Figure 1-1. IDM Architecture
IDM consists of an IDM Agent that is co-resident on the RADIUS server, and an IDM Server and SNAC server that are co-resident with PCM+. Configuration and access management tasks are handled via the IDM GUI on the PCM+ management workstation.
The IDM agent includes:
• A RADIUS interface that captures user authentication information from the RADIUS server and passes the applicable user data (username, location, time of request) to the IDM Decision Manager. The interface also passes user access parameters from IDM to the RADIUS server.
• A Decision Manager that receives the user data and checks it against user data in the local IDM data store. Based on the parameters defined in the data store for the user data received, the Decision Manager outputs access parameters for VLAN, QoS, bandwidth, and network resource access to the RADIUS interface component.
• A Local Data Store that contains information on Users and the Access Policy Groups to which the user belongs. The Access Policy Group defines the rules that determine the user’s access rights.
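The following Python model, added here as an illustration and not part of HP's IDM code, walks through the decision flow described in steps 4 and 5 of “Why IDM?” and in the Decision Manager description above: RADIUS authenticates, the Decision Manager looks the user up in the local data store, evaluates the Access Policy Group rules (location, login time, device type) and either inserts the matching Access Profile (VLAN, QoS, bandwidth) into the accept, denies the authenticated user when no rule matches, or leaves the RADIUS answer untouched for a user unknown to IDM unless a guest group is configured. The user names, locations, profiles and the X-IDM-* attribute names are constructed for the example; only the three Tunnel-* attributes are the standard RFC 3580 VLAN assignment attributes.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AccessProfile:
    """What the edge device applies once the user is authorized."""
    name: str
    vlan: int
    qos_priority: int        # 802.1p priority 0..7
    bandwidth_kbps: int      # rate limit on the user's port


@dataclass(frozen=True)
class Rule:
    """One rule of an Access Policy Group; None means 'any' for that dimension."""
    profile: AccessProfile
    location: Optional[str] = None
    start: Optional[time] = None     # login window; start > end crosses midnight
    end: Optional[time] = None
    device_type: Optional[str] = None

    def matches(self, req: AccessRequest) -> bool:
        if self.location is not None and self.location != req.location:
            return False
        if self.device_type is not None and self.device_type != req.device_type:
            return False
        if self.start is not None and self.end is not None:
            t = req.when.time()
            if self.start <= self.end:
                return self.start <= t <= self.end
            return t >= self.start or t <= self.end   # overnight window
        return True


@dataclass
class AccessPolicyGroup:
    name: str
    rules: List[Rule]

    def first_match(self, req: AccessRequest) -> Optional[AccessProfile]:
        # Rules are evaluated in order; the first matching rule decides.
        for rule in self.rules:
            if rule.matches(req):
                return rule.profile
        return None


@dataclass
class AccessRequest:
    """User data the RADIUS interface hands to the Decision Manager."""
    username: str
    location: str
    when: datetime
    device_type: str


@dataclass
class RadiusReply:
    accept: bool
    attributes: Dict[str, str] = field(default_factory=dict)


def profile_to_attributes(p: AccessProfile) -> Dict[str, str]:
    # Tunnel-* are the RFC 3580 VLAN attributes; X-IDM-* are placeholders.
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(p.vlan),
        "X-IDM-QoS-Priority": str(p.qos_priority),
        "X-IDM-Bandwidth-Kbps": str(p.bandwidth_kbps),
    }


class DecisionManager:
    def __init__(self, store: Dict[str, AccessPolicyGroup],
                 guest_group: Optional[AccessPolicyGroup] = None):
        self.store = store              # local data store: username -> group
        self.guest_group = guest_group  # optional "guest" policy for unknown users

    def authorize(self, radius_reply: RadiusReply, req: AccessRequest) -> RadiusReply:
        if not radius_reply.accept:
            return radius_reply         # IDM never turns a RADIUS reject into an accept
        group = self.store.get(req.username)
        if group is None:
            if self.guest_group is None:
                return radius_reply     # unknown to IDM: RADIUS result and switch defaults stand
            group = self.guest_group
        profile = group.first_match(req)
        if profile is None:
            # authenticated, but wrong time, location or device: IDM denies
            return RadiusReply(False, {"Reply-Message": "IDM: no access policy rule matched"})
        attrs = dict(radius_reply.attributes)
        attrs.update(profile_to_attributes(profile))
        return RadiusReply(True, attrs)


# Constructed sample configuration (not real IDM data).
STAFF = AccessProfile("Staff", vlan=20, qos_priority=5, bandwidth_kbps=100_000)
NIGHT = AccessProfile("NightOps", vlan=30, qos_priority=3, bandwidth_kbps=20_000)
GUEST = AccessProfile("Guest", vlan=99, qos_priority=0, bandwidth_kbps=2_000)
EMPLOYEES = AccessPolicyGroup("Employees", [
    Rule(STAFF, location="HQ", start=time(8, 0), end=time(18, 0), device_type="Windows")])
OPERATORS = AccessPolicyGroup("Operators", [
    Rule(NIGHT, location="DataCenter", start=time(22, 0), end=time(6, 0))])
GUESTS = AccessPolicyGroup("Guests", [Rule(GUEST, location="Lobby")])
DATA_STORE = {"alice": EMPLOYEES, "bob": OPERATORS}


def decide(username: str, location: str, when: str, device_type: str = "Windows",
           radius_accept: bool = True, guest: Optional[AccessPolicyGroup] = None) -> RadiusReply:
    """Run one request through the flow; 'when' is an ISO timestamp string."""
    dm = DecisionManager(DATA_STORE, guest_group=guest)
    req = AccessRequest(username, location, datetime.fromisoformat(when), device_type)
    return dm.authorize(RadiusReply(accept=radius_accept), req)


if __name__ == "__main__":
    r = decide("alice", "HQ", "2012-08-06T10:30")
    print(r.accept, r.attributes)
```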
The IDM Server provides IDM configuration and monitoring. It operates as an add-on module to PCM+, using the PCM model database to store IDM data, and a Windows GUI (client) to provide access to configuration and monitoring tools for IDM.
You use the IDM GUI to monitor IDM Agent status and users logged into the network, and to manage IDM configuration, including:
• Defining access parameters for the network, such as locations, times, network resources, and access profiles
• Creating access profiles that define the network resources and attributes (VLAN, QoS, bandwidth) assigned to users in an Access Policy Group
• Creating Access Policy Groups with rules (access policies) that will be assigned to users in that Group
• Assigning users to Access Policy Groups
• Deploying IDM configuration data to the IDM Agent on the RADIUS server
The SNAC server provides registration and administration interfaces. It communicates with Active Directory in order to verify end-user credentials, and with the IDM server so that SNAC users who register are assigned to the appropriate Access Policy Group, added to an IDM local data store, and distributed to all the IDM Agents for automatic authentication throughout the network.

Terminology

Access Policy Group: An IDM access policy group consists of one or more rules that govern the login times, devices, quality of service, bandwidth, and VLANs for users assigned to the access policy group.
Access Profile: An IDM access profile sets the VLAN, quality of service, and bandwidth (rate-limits) applied when a user logs in and is authenticated on the network.
Authentication: The process of proving the user’s identity. In networks this involves the use of usernames and passwords, network cards (smartcards, token cards, and so forth), and a device’s MAC address to determine who and/or what the “user” is.
Authentication Server: Authentication servers are responsible for granting or denying access to the network. Also referred to as RADIUS servers because most current authentication servers implement the RADIUS protocol.
Authorization: The process that determines what an authenticated user can do. It establishes what network resources the user is, or is not, permitted to use.
Bandwidth: Amount of network resources available. Generally used to define the amount of network resources a specific user can consume at any given time. Also referred to as rate-limiting.
Client: An end-node device such as a management station, workstation, or mobile PC attempting to access the network. Clients are linked to the switch through a point-to-point LAN link, either wired or wireless.
Directory Name: Directory Name (DN) is an identifier that uniquely represents an object in the X.500 Directory Information Tree (DIT) [X501]. (See: domain name.) A DN is a set of attribute values that identify the path leading from the base of the DIT to the object that is named. An X.509 public-key certificate or CRL contains a DN that identifies its issuer, and an X.509 attribute certificate contains a DN or other form of name that identifies its subject.
Domain: A domain is a group of computers and devices on a network that are administered as a unit with common rules and procedures. Within the internet, domains are defined by the IP Address. All devices sharing a common part of the IP address are said to be in the same domain.
Edge Device: A network device (switch or wireless access point) that connects the user to the rest of the network. The edge devices can be engaged in the process of granting user access and assigning a user’s access rights and restrictions.
Endpoint Integrity: Also referred to as “Host Integrity,” this refers to the use of applications that check hosts attempting to connect to the network to ensure they meet requirements for configuration and security. Generally to make sure that virus checking and spyware applications are in place and up to date.
IDM Agent: The IDM Agent resides on the RADIUS server. It inspects incoming authentication requests, and inserts appropriate authorization information (IDM Access Profiles) into the outgoing authentication reply.
QoS: Quality of Service, relates to the priority given to outbound traffic sent from the user to the rest of the network.
RADIUS: Remote Authentication Dial-in User Service (though it also applies to authentication service in non-dial-in environments).
RADIUS Server: A server running the RADIUS application on your network. This server receives user connection requests from the switch, authenticates users, and then returns all necessary information to the edge device.
VLAN: A port-based Virtual LAN configured on the switch. When the client connection terminates, the port drops its membership in the VLAN.

IDM Specifications

Supported Devices

For a list of IDM 4.0 features supported on HP Networking devices, refer to “Device Support for IDM Features” on page A-1.

Operating Requirements

For operating requirements, refer to the “Supported IDM Environments” section in the PCM+ 4.0 Installation and Getting Started Guide.

Additional Requirements

• Implementation of an access control method, using either MAC-auth, Web-auth, or an 802.1X supplicant application.
For assistance with implementation of RADIUS and access control methods for use with PCM switches, refer to the Access Security Guide that came with your switch. All PCM switch manuals can also be downloaded from the PCM web site.
For assistance with using RADIUS and 802.1X access control methods, contact the PCM Elite Partner nearest to you that can provide PCM+ Access Control Security solutions. You can find PCM Direct Elite partners on the Find a Partner link at http://www.hp.com/networking.
• If you plan to restrict user access to specific network segments, you will need to configure VLANs within your network. For information on using VLANs, refer to the HP PCM+ 4.0 Network Administrator’s Guide, or the configuration guides that came with your switch.

Upgrading from Previous Versions of PCM and IDM

The installation package for PCM+ contains the IDM 4.0 installation files. If you are running earlier versions of IDM, you must select the IDM option during the PCM+ 4.0 install process. This is required to support changes made in the underlying PCM and IDM databases.
If you want to test the IDM 4.0 functionality using the free 60-day trial provided with the PCM+ 4.0 auto-update package, you need to install the software on a separate system that has no previous IDM version installed or in use.
When you upgrade to IDM 4.0, you need to manually install the IDM Agent upgrade on each of your RADIUS Servers. Refer to “Installing the IDM Agent” on page 2-1 for detailed instructions.

Migrating from PCM/IDM 3.x

The following migration paths are supported for IDM 4.0:
PCM 3.0 with IDM 3.0
PCM 3.1 with IDM 3.01
PCM 3.2 with IDM 3.2
For information on migrating from these versions, refer to the PCM+ 4.0 Migration Guide.

Learning to Use PCM+ IDM

The following information is available for learning to use PCM+ Identity Driven Manager (IDM):
• This User’s Guide, which helps you become familiar with using the application tools for access control management.
• Online help information, which provides information through Help buttons in the application GUI that provide context-sensitive help, and a table of contents with hypertext links to additional procedures and reference information.
• HP PCM+ Network Management Installation and Getting Started Guide, which provides details on installing the application and licensing, and an overview of PCM+ functionality.
• For additional information on configuring your network, refer to the documentation that came with your switches.

Getting IDM Support and Documentation From the Web

Product support and documentation is available on the Web at:
www.hp.com/networking/support.
Information available at this site includes:
Product Manuals
Software updates
Links to Additional Support information
A Find a Partner link
You can also call your HP Authorized Dealer or the nearest HP Sales and Support Office, or contact the partner nearest you for information on PCM+ Access Control Security solutions.

Getting Started

Before You Begin

If you have not already done so, please review the list of supported devices and operating requirements under “IDM Specifications” on page 1-8.
If you intend to restrict user access to specific areas of the network using VLANs, make sure you have set up your network for use of VLANs. For details on configuring VLANs, refer to the HP PCM+ 4.0 Network Administrator’s Guide, or the Advanced Traffic Management Guide for your PCM+ switch.
The IDM Client is included with the PCM+ software. To install a remote PCM/IDM Client, download the PCM Client to a remote PC using the same process as for installing the IDM Agent and select the PCM Client option from the PCM server. For detailed instructions, see the HP PCM+ 4.0 Network Management Installation and Getting Started Guide.

Installing the IDM Agent

The IDM application components are installed as part of the PCM+ 4.0 software installation, and enabled via a license request. The IDM Agent can be installed on a Windows IAS or NPS RADIUS server or a supported Linux RADIUS server.
Installing on a RADIUS Server
During the installation process, you will be prompted to enter the IP address of the PCM Server. This is needed to establish communication between the IDM Agent on the RADIUS server, and the IDM application on the PCM Server.
The IDM Agent can only be installed on a system with the RADIUS server configured. If the RADIUS server is not found on the system, the IDM Agent installation displays an error message, and the installation process is aborted.
On the computer where the IDM Agent will be installed:
1. Start a web browser and type the IP address of the PCM server computer followed by a colon and the port ID 8040. For example, if the IP address of the server computer is 10.15.20.25, enter the following URL:
   http://10.15.20.25:8040
2. From the available downloads list, click Windows PCM/IDM Agent Installer and then click Save to download the file.
3. Once the download completes, close the download window and the web browser.
4. Open the downloaded PCM-agent-setup.exe file by double-clicking it. The Agent Installation Wizard will then guide you through the installation.
Figure 2-1. Agent Information
On the Agent Information window of the Agent Installation Wizard:
a. Select IDM Agent.
b. Type a Name and, optionally, a Description for the Agent.
c. The IDM Agent passwords for both server-initiated connections and agent-initiated connections must match the password used for the PCM Server. If the PCM Server uses the default password, select the Use Factory Default check box. If the PCM Server uses a specific password, then clear the check box and type the same password in the Password field.
d. If you do not want to use the default Web Management Port 8080, clear the corresponding Use Factory Default check box and enter the web management port that will be used to authenticate with the PCM server.
5. On the Server Information window, configure the Agent-server connection settings and any required server information.
Figure 2-2. Server Information
For the Agent to communicate with the PCM server, these values MUST MATCH the values set on the PCM server for this Agent.
a. If the Agent will initiate connection to the PCM server, select the Agent Initiates Connection check box. If the PCM server will initiate a connection to the Agent, ensure this check box is not checked.
All Agents that initiate connection to the PCM server must use the same port number and encryption type as configured in the Agent Manager Server Setup tab.
b. To change the default Port that the Agent will use to communicate with the PCM server, clear the related Use Default check box and type the desired port. The default PCM server port is 51111, which can be changed to any unused port during PCM server installation or at the PCM server.
c. If you do not want to encrypt data sent to the PCM server, clear the related Use Default check box and select Plain Text from the Encryption list. The default encryption method is SSL. If the PCM server is behind a firewall, HP recommends using SSL encryption.
d. In the IP Address field, type the IP address of the PCM server if the Agent is initiating the connection to the PCM server.
2-3
Getting Started
Before You Begin
e. To change the default Password that the Agent will use to communicate
with the PCM server, clear the related Use Default check box and type the desired password. This must match the password set on the Agent Manager Server Setup tab.
Once installed, the IDM Agent begins collecting User, Domain, and RADIUS data.
Installing on a Linux System
To install the IDM Agent on a supported Linux system:
1. Start a web browser, and type the IP address of the PCM server computer followed by a colon and the port ID 8040. For example, if the IP address of the server computer is 10.15.20.25, enter the following URL:
http://10.15.20.25:8040
2. From the list of available downloads, click IDM FreeRADIUS Agent and then click Save to download the file.
3. Once the download completes, move the file to a location accessible by the target Agent system, if necessary.
4. Extract the downloaded HpIdmLinuxAgentInstaller-<version>.tar.gz file to a temporary location on the RADIUS server.
5. Change to the HpIdmLinuxAgentInstaller-<version> directory, run install.sh as root, and then follow the prompts.

Checking IDM Server and Agent Connectivity

Check the Agent Status pane on the IDM Dashboard to verify that the IDM Server and IDM Agent are installed and running. To do so:
1. From the bottom of the PCM navigation tree, select the Identity tab.
2. From the IDM navigation tree, select the Identity Management Home node.
3. In the right pane, select the Dashboard tab and review the Agent Status.
You can also check the Event Log for the RADIUS server for the event “RADIUS server or Agent connected”.
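The Agent Status pane reports only that an Agent is inactive, not why. The Server Information settings described above (PCM server IP address, port 51111 by default, SSL or Plain Text encryption) must match on both sides, and a mismatch looks the same on the Dashboard as a blocked port. The following Python script is an added example, not part of this guide and not code from the PCM or IDM product: run from the Agent host, it probes the PCM server port and reports whether TCP connects and whether the peer completes a TLS handshake, which separates a wrong address or firewall problem from an SSL/Plain Text mismatch. It assumes the SSL option is a standard TLS listener on the configured port and does not speak the PCM protocol itself; the diagnose() wording, the loopback plain-text listener and the closed_port() helper used for demonstration are constructed.

```python
import socket
import ssl
import threading

# Default from the guide: the PCM server listens on 51111 and uses SSL unless
# "Plain Text" was selected on the Agent.
DEFAULT_PCM_PORT = 51111


def check_pcm_connection(host, port=DEFAULT_PCM_PORT, timeout=3.0):
    """Probe an Agent-initiated connection to the PCM server.

    Returns a dict with:
      tcp_open -- a TCP connection to host:port succeeded
      tls_ok   -- a TLS handshake on that connection succeeded
      error    -- the failure text, or None
    """
    result = {"tcp_open": False, "tls_ok": False, "error": None}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = "tcp connect failed: %s" % exc
        return result
    result["tcp_open"] = True

    # The probe only asks "does the peer speak TLS at all?", so certificate
    # verification is switched off. This is a reachability check, not a trust
    # decision; the Agent still has to carry the password and encryption type
    # that match the PCM server.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result["tls_ok"] = True
            result["tls_version"] = tls.version()
    except (ssl.SSLError, OSError) as exc:
        result["error"] = "tls handshake failed: %s" % exc
    return result


def diagnose(result):
    """Translate a probe result into the setting most likely at fault
    (constructed wording, not messages from the product)."""
    if not result["tcp_open"]:
        return "unreachable: check the PCM server IP address, port and any firewall"
    if not result["tls_ok"]:
        return ("tcp reachable but no TLS: the PCM server side is probably set to "
                "Plain Text while the Agent is set to SSL (or the port is not PCM)")
    return "ok: PCM server reachable over %s" % result.get("tls_version", "TLS")


def start_plaintext_listener():
    """Constructed stand-in for a server configured for Plain Text: accepts one
    connection on loopback, reads, and closes. Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        try:
            conn.recv(1024)
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Constructed stand-in for a wrong port or blocked path: a loopback port
    that nothing is listening on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Against a real deployment: check_pcm_connection("<pcm-server-ip>")
    for p in (start_plaintext_listener(), closed_port()):
        r = check_pcm_connection("127.0.0.1", p)
        print(r, "->", diagnose(r))
```

Run it on the Agent host with the PCM server address in place of the loopback demo; a result of tcp_open without tls_ok is the signature of the Agent and server disagreeing on the Encryption setting.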

Using the IDM Auto-Discover Feature

You can manually configure the RADIUS server, Domains, and Users in IDM, or you can let IDM do the hard work for you. And, you have two options for automatically discovering users. Either enable Active Directory synchronization to import users from the Active Directory, or install the IDM Agent on the system with the RADIUS Server, then let it run to collect the information as users log into the network. Even after you begin creating configurations in IDM, both options continue to collect information on users and Domains (domains in Active Directory) and pass that information to the IDM server.
If you are using multiple RADIUS servers, you need to install an IDM Agent on each of the servers. The IDM Agent collects information only on the system where it is installed. The IDM client can display information for all RADIUS servers where the IDM Agent is installed.
When you start the IDM Client and expand the navigation tree in the IDM Dashboard tab, you will see any discovered or defined Domains found on the RADIUS server, along with the IP address for the RADIUS Server(s).

IDM Configuration Process Overview

To configure IDM to provide access control on your network, first let IDM run long enough to “discover” the Domains, RADIUS servers, and users on your network. Once IDM has performed these tasks for you, your configuration process would be as follows:
1. If you intend to use them, define “locations” from which users will access the network. A location may relate to port-based VLANS, or to all ports on a device. (See page 3-5)
2. If you intend to use them, define “times” at which users are allowed or denied access. This can be by day, week or even hour. (See page 3-12)
3. Define any network resources (systems and applications) that you want to specifically allow or restrict users from accessing.
4. If you intend to restrict a user access to specific systems, you need to set the User profile to include the MAC address for each system that the user is allowed to login on. (See page 3-77.)
5. Create the Access Profiles, to set the VLAN, QoS, rate-limits (bandwidth) attributes, and the network resources that are available, to users in an Access Policy Group. (See page 3-32.)
6. Create an Access Policy Group, with rules containing the Location, Time, System, and Access Profile that is applied to users when they login. (See page 3-42.)
OR
If using Active Directory synchronization, add rules and Access Profiles to the Access Policy Groups automatically created by Active Directory synchronization.
7. If Active Directory synchronization is not used, assign Users to the appropriate Access Policy Group. (See page 3-49.)
8. If automatic deployment is disabled, deploy the configuration policies to the IDM Agent on the RADIUS server. (See page 3-66)
9. Configure Auto-allow OUIs for the devices that will perform MAC authentication. (See page 3-54)

IDM Usage Strategies

You can use IDM to simply monitor user activity on the network, or to apply user authentication rules to improve network security and performance. The following table identifies the IDM configuration for various deployment and usage strategies for IDM.
Table 2-1. IDM Deployment and Usage Strategies
(An x marks the IDM feature a strategy uses. The Authorize heading covers the VLAN, QoS, Rate-Limit, and Network Resources columns.)
Authenticate | VLAN | QoS | Rate-Limit | Network Resources | Strategy Description
             |      |     |            |                   | Monitors and reports user activity.
x            |      |     |            |                   | Enhances normal RADIUS authentication with Location, Time, and System rules
x            | x    |     |            |                   | Provides rudimentary VLAN segregation (Unknown Users, Guests, Visitors, Contractors)
x            | x    |     |            |                   | Provides complete VLAN placement for all Users
x            |      | x   | x          |                   | Provides QoS and Rate-limits per User
x            | x    | x   | x          | x                 | Provides VLAN, QoS, and Rate-limit attributes, and accessibility of defined Network Resources for all users, based on Location, Time, and System

Understanding the IDM Model

The first thing to understand is that IDM works within the general concept of “domains.” Basically, domains are very large organizational units; every user belongs to one, and only one, domain. While it is possible to have multiple domains, most organizations have only one, for example, hp.com or csuchico.edu.
The basic operational model of IDM involves Users and Groups. Every User belongs to a Group and, in IDM, these are called Access Policy Groups (APGs). Each APG has an Access Policy defined for it, which governs the access rights that are applied to its Users as they enter the network.
In the IDM GUI, the top level of the navigation tree is the Domain, with all other information for APGs, and RADIUS Servers beneath the Domain in the navigation tree. Users are linked to the Domain to which they belong, and the Access Policy Group to which they are assigned.
The IDM configuration tools are available at the top level. The definition of times, locations, network resources, and access profiles is independent of individual Domains or Groups. You can define multiple locations, times, and network resources, then create multiple access profiles to be applied to any Access Policy Group, in any Domain that exists within IDM.

IDM GUI Overview

To use the IDM client, launch the PCM Client on your PC by selecting the PCM option from the Windows Program menu. The PCM Client will start up and the Login window will be launched.
Figure 2-3. PCM Login
If you did not enter a Username or Password during install, type in the default Username, Administrator, then click Login.
For additional information on using the PCM Client, refer to the HP PCM+ 4.0 Network Administrator’s Guide.
Click the Identity tab at the bottom left of the PCM window to display the IDM Dashboard.
Note: You can also access the IDM Dashboard by selecting the Network Management Home node from the PCM navigation tree and clicking the Identity Driven Manager tab at the top of the right pane.
Figure 2-4. IDM Dashboard
The IDM initial display provides a quick view of IDM status in the Dashboard tab, along with an Events tab, navigation tree, and access to menu and toolbar functions. You can resize the entire window, and/or resize the panes (sub-windows) within the Identity Management Home window frame.
Notes: If the IDM Dashboard shows the IDM Agent Status as inactive, and the Inventory and Logins panes show no data:
• Check the PCM Events tab for the following entry:
PCM remote client authentication failure: <ip address>
• Check for IDM application events related to devices “supporting” or “not supporting” the configuration.

IDM Dashboard

The IDM Dashboard is a monitoring tool that provides a quick summary view of IDM users, RADIUS servers, and events. The Dashboard can be viewed:
• From within PCM by selecting Network Management Home and clicking the Identity Driven Manager tab.
• By clicking the Identity tab at the bottom of the PCM navigation tree.
The Dashboard tab contains the following panes of status information:
Table 2-2. IDM Dashboard Status Information
Pane: Displays...
Events: The total number of outstanding IDM events and the number of IDM events in each state. Clicking anywhere in the IDM Events pane or clicking the Events tab displays the IDM Events window, which contains detailed information about each event.
Access Policy Group Assignment: A pie chart showing the number of users assigned to each Access Policy Group. Mousing over a section of this chart displays information for the group and its users.
Agent Status: A color-coded graph showing the number of currently active and inactive IDM agents installed on RADIUS servers.
Logins per Hour: A scrolling 24-hour display that summarizes the total number of successful and failed IDM user logins at any given time during the past 24 hours. Information in this pane is updated every minute.
SNAC status: SNAC-IDM connection status
AD status: IDM-AD connection status
Users Logged In: A scrolling 24-hour display that shows the total number of users logged in at any given time during the past 24 hours. Information in this pane is updated every minute.

Using the Navigation Tree

The navigation tree in the left pane of the IDM window provides access to IDM features using the standard Windows file navigation system. Click the nodes to expand the list and change the display in the right window pane.
Domains List
The top level of the tree lists each of the Domains that have been discovered by an IDM Agent or defined manually. Clicking on the Domains node in the tree displays the Domain List in the right pane of the window. Expanding the node displays each Domain name in the tree, and assigned RADIUS Servers if they exist.
Figure 2-5. Domain List tab
Domain Tabs
Expanding the Domains node and clicking a domain in the tree displays the Dashboard tab in the right pane, along with the Properties, Global Rules, Auto-Allow OUIs and Users tabs.
Figure 2-6. Domain - Dashboard tab
Domain Dashboard tab: The Domain Dashboard is a monitoring tool that provides a quick summary view of IDM users and Agents. The Dashboard tab is similar to the IDM Dashboard but contains statistics for the selected domain only.
Table 2-3. Domain Dashboard Status Information
Pane: Displays...
Agent Status: A color-coded graph showing the number of currently active and inactive IDM agents installed on RADIUS servers.
Access Policy Group Assignment: The number of users assigned to each Access Policy Group in the domain and the total number of those users that are currently logged in. You can hide the legend for this pane by clearing the Legend check box.
Top talkers: Input octets (bytes), output octets, or both. Use the list in this pane to select whether to display input octets, output octets, or both. You can hide the legend for this pane by clearing the Legend check box.
Users logged in: A scrolling 24-hour display that shows the total number of users logged in at any given time during the past 24 hours. Information in this pane is updated every minute.
Successful logins per Access Policy: A pie chart showing the number of successful and failed IDM user logins to each Access Policy Group during the selected time period. Use the list in this pane to select the time period reflected in the chart. Mousing over a section of this chart displays information for the group and its users. You can also hide the legend for the chart by clearing the Legend check box.
Logins per hour: A scrolling 24-hour display that summarizes the total number of successful and failed IDM user logins at any given time during the past 24 hours. Information in this pane is updated every minute.
Domain Properties tab: Selecting an individual domain in the tree and then clicking the Properties tab displays summary information about a Domain and its assignments. It also shows when the Domain was last deployed, which is especially useful when you've made recent changes or are investigating IDM events.
Figure 2-7. Domain - Properties tab
The following information is shown on the Domain Properties tab:
Table 2-4. Domain Properties Information
Field: Displays...
Domain Name: Name used to identify the Domain
Domain Alias: Alternate name for the Domain (usually the NETBIOS name)
Is Default Domain: Whether the Domain is set as the default Domain: true means this Domain is the default Domain and false means it is not. The default Domain is used when IDM cannot determine the Domain for a RADIUS server or user login.
Last Deployed: Date and time the policy was last deployed. Use this field to ensure that the current Domain attributes have been deployed.
Number of Access Policy Groups: Total number of Access Policy Groups currently assigned to the Domain
Number of RADIUS Servers: Total number of RADIUS servers assigned to the Domain
Number of RADIUS Users: Total number of users assigned to Access Policy Groups used for the Domain and currently logged in
Description: Brief description of the Domain
Domain Global Rules tab: Clicking this tab displays rules that override Access Policy Group rules and provides functions to configure and prioritize global rules. See “Using Global Rules” on page 3-50.
Domain Auto-Allow OUIs tab: Clicking this tab displays automatic authentication information for static devices based on their MAC address prefix (in addition to the traditional authentication methods such as 802.1X, MAC-Auth, and Web-Auth that IDM supports).
Figure 2-8. Domain - Auto-Allow OUIs tab
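Auto-Allow OUIs match a device's MAC address prefix, the first three octets, against a list of allowed prefixes. As an added example, not code from this guide or from IDM, the following Python shows that matching logic with MAC addresses normalized from the common colon, hyphen and dotted forms before comparison; the allowed-OUI list is a constructed placeholder. It goes beyond the page in one respect: it also reports whether the locally administered bit of the first octet is set, because such an address is not vendor-assigned and an OUI match on it is weaker evidence of the device type.

```python
import re

# Constructed placeholder list of auto-allow OUIs (not values from the guide).
AUTO_ALLOW_OUIS = ["00:11:22", "AA-BB-CC"]

_MAC_CHARS = re.compile(r"[0-9A-Fa-f:.\-]+")


def _hex_digits(text, expected_len, label):
    """Strip separators, validate, and return lowercase hex digits."""
    text = text.strip()
    if not _MAC_CHARS.fullmatch(text):
        raise ValueError("%s contains non-hex characters: %r" % (label, text))
    digits = re.sub(r"[:.\-]", "", text).lower()
    if len(digits) != expected_len:
        raise ValueError("%s must have %d hex digits: %r" % (label, expected_len, text))
    return digits


def normalize_mac(mac):
    """Return a MAC as 'aa:bb:cc:dd:ee:ff', accepting aa:bb:cc:dd:ee:ff,
    AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff and aabbccddeeff."""
    digits = _hex_digits(mac, 12, "MAC address")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def normalize_oui(oui):
    """Return a three-octet OUI as 'aa:bb:cc'."""
    digits = _hex_digits(oui, 6, "OUI")
    return ":".join(digits[i:i + 2] for i in range(0, 6, 2))


def oui_of(mac):
    """The first three octets of a normalized MAC."""
    return normalize_mac(mac)[:8]


def is_locally_administered(mac):
    """True if the U/L bit (0x02) of the first octet is set. Such addresses are
    locally assigned rather than vendor-assigned, so the prefix is not a
    registered OUI even when it happens to match one.
    (Added check, not part of the IDM feature described in the guide.)"""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def is_auto_allowed(mac, allowed_ouis):
    """Decide whether a MAC falls under one of the auto-allow OUIs.
    Malformed input is treated as not allowed rather than raising."""
    try:
        prefix = oui_of(mac)
    except ValueError:
        return False
    return prefix in {normalize_oui(o) for o in allowed_ouis}


def evaluate(mac, allowed_ouis):
    """Summarize the decision for one MAC address as a dict."""
    try:
        normalized = normalize_mac(mac)
    except ValueError as exc:
        return {"mac": mac, "valid": False, "allowed": False, "reason": str(exc)}
    return {
        "mac": normalized,
        "valid": True,
        "oui": normalized[:8],
        "allowed": is_auto_allowed(normalized, allowed_ouis),
        "locally_administered": is_locally_administered(normalized),
    }


if __name__ == "__main__":
    for sample in ("00-11-22-33-44-55", "aabb.ccdd.eeff",
                   "02:11:22:33:44:55", "not-a-mac"):
        print(evaluate(sample, AUTO_ALLOW_OUIS))
```

Because an OUI identifies a vendor rather than a device, a prefix match admits any device that presents that prefix; the locally_administered flag is one cheap signal that a presented address was not vendor-assigned.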
Domain Users tab: Clicking this tab displays a list of users in the Domain that were discovered by the IDM Agent, or defined manually. Two additional columns, Device Type and User-Agent, are available on this tab; they are hidden by default and can be displayed by the administrator.
Figure 2-9. Domain Users tab
Expanding the Domain node in the tree will display the Access Policy Groups and RADIUS server nodes for the Domain.
Filtering Support for Users tab:
Filtering functionality has been added to the Users tab. Users can filter the table content based on the following columns: AuthID, Domain, Email, MAC Prefix, Name, Owner, and Phone.