HP Identity Driven Manager Software Series User Manual

HP ProCurve Identity Driven Manager 3.0
User’s Guide
Publication Number
5990-8851
May, 2009
Trademark Credits
Microsoft, Windows, Windows XP, and Windows Vista are U.S. registered trademarks of Microsoft Corporation.
Intel and Pentium are trademarks of Intel Corporation in the U.S. and other countries.
Adobe is a trademark of Adobe Systems Incorporated.
Disclaimer
The information contained in this document is subject to change without notice.
The only warranties for HP products and services are set forth in the express warranty statement accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Warranty
See the Customer Support/Warranty booklet included with the product.
A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer.
Hewlett-Packard Company 8000 Foothills Boulevard, m/s 5551 Roseville, California 95747-5551 http://www.procurve.com
Contents
1 About ProCurve Identity Driven Manager
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Why IDM? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
What’s New in IDM 3.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
IDM Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
IDM Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Supported Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Operating Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Additional Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
Upgrading from Previous Versions of PCM and IDM . . . . . . . . . . . . . 1-11
Learning to Use ProCurve IDM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Getting ProCurve Documentation From the Web . . . . . . . . . . . . . . . . 1-13
ProCurve Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
2 Getting Started
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Installing the IDM Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Using the IDM Auto-Discover Feature . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
IDM Configuration Process Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
IDM Usage Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
Understanding the IDM Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
IDM GUI Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
IDM Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11
Using the Navigation Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12
Toolbars and Menus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-18
Using IDM as a Monitoring Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19
Using IDM Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-20
Creating Report Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24
Configuring a Policy Action to Generate Reports . . . . . . . . . . . . . . . . 2-24
IDM Session Cleanup Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-30
User Session Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-34
Finding a User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
User Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-38
Show Mitigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-39
IDM Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-41
Using Active Directory Synchronization . . . . . . . . . . . . . . . . . . . . . . . 2-43
3 Using Identity Driven Manager
IDM Configuration Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
Configuration Process Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
Configuring Identity Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
Configuring Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6
Adding a New Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7
Modifying a Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11
Deleting a Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12
Configuring Times . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-13
Creating a New Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14
Modifying a Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16
Deleting a Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16
Configuring Network Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18
Adding a Network Resource . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-20
Modifying a Network Resource . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-21
Deleting a Network Resource . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22
Configuring Access Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-23
Creating a New Access Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-24
Modifying an Access Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-31
Defining Access Policy Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-33
Creating an Access Policy Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-34
Modifying an Access Policy Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-39
Deleting an Access Policy Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-39
Configuring User Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-40
Adding Users to an Access Policy Group . . . . . . . . . . . . . . . . . . . . . . . 3-41
Changing Access Policy Group Assignments . . . . . . . . . . . . . . . . . . . 3-42
Using Global Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-43
Deploying Configurations to the Agent . . . . . . . . . . . . . . . . . . . . . . . . 3-46
Using Manual Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-47
Defining New Realms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-47
Modifying and Deleting Realms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-48
Adding RADIUS Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-49
Deleting RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-55
Adding New Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-56
Using the User Import Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-59
Importing Users from Active Directory . . . . . . . . . . . . . . . . . . . . . . . . 3-60
Importing Users from an LDAP Server . . . . . . . . . . . . . . . . . . . . . . . . . 3-64
Importing Users from XML files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-74
4 Using the Secure Access Wizard
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Supported Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Using Secure Access Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
5 Troubleshooting IDM
IDM Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
Pausing the Events Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
Using Event Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
Viewing the Events Archive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
Setting IDM Event Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-9
Using Activity Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-10
Using Decision Manager Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-12
A Using ProCurve Network Access Controller with IDM
About ProCurve Network Access Controller 800 . . . . . . . . . . . . . . . A-1
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-2
Using the NAC Tab Displays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-3
Setting the ProCurve NAC GUI Login . . . . . . . . . . . . . . . . . . . . . . . . . . A-4
Using the NAC Home Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-5
Using the NAC Monitor Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-5
Using the NAC Configuration Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-6
Using Local Authentication Directory on ProCurve NAC . . . . . . . A-8
Adding Locally Authenticated Users . . . . . . . . . . . . . . . . . . . . . . . . . . A-9
B IDM Technical Reference
Device Support for IDM Functionality . . . . . . . . . . . . . . . . . . . . . . . . . B-1
Support for Secure Access Wizard Feature . . . . . . . . . . . . . . . . . . . . . B-2
Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-3
Types of User Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-6

About ProCurve Identity Driven Manager

Chapter Contents

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Why IDM? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
What’s New in IDM 3.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
IDM Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
IDM Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Supported Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Operating Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Additional Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
Upgrading from Previous Versions of PCM and IDM . . . . . . . . . . . . . 1-11
Learning to Use ProCurve IDM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Getting ProCurve Documentation From the Web . . . . . . . . . . . . . . . . 1-13
ProCurve Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13

Introduction

Network usage has skyrocketed with the expansion of the Internet, wireless, and convergence technologies. This increases the burden on network managers working to control network usage. Also, the complexity of large networks makes it difficult to control network access and usage by individual users.
ProCurve Identity Driven Manager (IDM) is an add-on module to the ProCurve Manager Plus (PCM+) application that extends the functionality of PCM+ to include authorization control features for edge devices in networks using RADIUS servers and Web-Authentication, MAC-Authentication, or 802.1x security protocols.
Using IDM simplifies user access configuration by automatically discovering RADIUS Servers, Realms, and users. You can use IDM to monitor users on the network, and to create and assign access policies that work to dynamically configure edge devices (wired and wireless) and manage network resources available to individual users. Using IDM, access rights, quality of service (QoS), bandwidth throttling, ACLs, and VLAN enrollment are associated with a user and applied at the point of entry or "edge" of the network.
Figure 1-1. ProCurve Identity Driven Manager home

Why IDM?

Today, access control using a RADIUS system and ProCurve devices (switches or wireless access points) is typically made up of several steps.
Figure 1-2. Current Access Control process
1. A client (user) attempts to connect to the network.
2. The edge device recognizes a connection state change, and requests identifying information about the client. This can include MAC address, username and password, or more complex information.
3. The switch forwards an access request, including the client information, to the authentication server (RADIUS).
4. The RADIUS server validates the user’s identity in the user directory, which can be an Active Directory, database or flat file. Based on the validation result received from the user directory, the authentication server returns an accept or deny response to the switch.
5. If the user is authenticated, the ProCurve device grants the user access to the network. If the user is not authenticated, access is denied.
For networks using IDM, access control is enhanced to include authorization parameters along with the authentication response. IDM enhances existing network security by adding network authorization information, with access and resource usage parameters, to the existing authentication process. Using IDM you can assign access rights and connection attributes at the network switch, with dynamic configuration based on the time, place, and client that is generating the access request.
When using IDM, the authentication process proceeds as described in the first three steps, but from that point the process changes as follows:
4. The RADIUS server validates the user’s identity in the user directory. Based on the validation result received from the user directory, the authentication server returns an accept or deny response to the switch. If the user is accepted (authenticated), the IDM Agent on the RADIUS server processes the user information. IDM then inserts the network access rights configured for the user into the Authentication response sent to the switch.
5. If the user is authenticated, the switch grants the user access to the network. The (IDM) authorization information included in the authentication response is used to configure VLAN access, QoS and bandwidth parameters for the user, and what network resources the user can access based on the time and location of the user’s login.
If the user is authenticated by the RADIUS server, but IDM’s authorization data indicates that the user is attempting to access the network at the wrong time, or from the wrong location or system, the user’s access request is denied by IDM.
Figure 1-3. Access Control using IDM
If a user is authenticated in RADIUS, but is unknown to IDM, IDM will not override RADIUS authentication and default switch settings, unless you configure it to do so. You can create a "guest" profile in IDM to provide limited access for unknown users.

What’s New in IDM 3.0

ProCurve Identity Driven Manager version 3.0 includes the following new features and enhancements:
Support for PCM’s new architecture
The new architecture in PCM 3.0 lets you logically divide the network and manage devices on remote segments of large networks connected by WAN links that might or might not be behind a NAT firewall. For additional information, see the HP ProCurve Manager Network Administrator’s Guide.
Configuring RADIUS clients
RADIUS clients can now be added and updated on supported RADIUS servers.
Support for tagged VLANs
IDM can now dynamically assign tagged VLANs to devices that support RFC 4675 (RADIUS attributes for VLAN and priority support). During the 802.1X authentication process, IDM evaluates a set of administrator-defined rules to categorize the user/device and select the Access Profile used to govern the session.
NIM user mitigations
NIM mitigations (actions taken in response to security threats) for users can now be displayed and deleted in IDM.
IDM Agent auto updates
Software updates to IDM Agents on all platforms can now be downloaded and installed via PCM’s auto update component.
Enhanced Secure Access Wizard
Added RADIUS client selection
Enhancements to Save Settings and Save Templates
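What the tagged-VLAN item above amounts to on the wire, and what the accept/deny exchange in “Why IDM?” looks like at the packet level, is shown in the following added Python example. It is not IDM or ProCurve code. It encodes the RFC 3580 tunnel attributes for an untagged VLAN and the RFC 4675 Egress-VLANID attribute for a tagged VLAN, computes the RFC 2865 Response Authenticator over the Access-Accept, and verifies it the way an edge switch must before acting on the authorization it carries. The shared secret, request authenticator, packet identifier, and VLAN numbers are constructed values.

```python
"""RADIUS Access-Accept carrying VLAN authorization (RFC 2865, RFC 3580, RFC 4675).

Added example, not IDM or ProCurve code. The shared secret, request
authenticator, identifier and VLAN numbers below are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS codes, RFC 2865

TUNNEL_TYPE = 64               # RFC 2868; value 13 = VLAN (RFC 3580)
TUNNEL_MEDIUM_TYPE = 65        # RFC 2868; value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868; carries the VLAN ID as a string (RFC 3580)
EGRESS_VLANID = 56             # RFC 4675; tagged/untagged flag plus 12-bit VLAN ID
TAGGED, UNTAGGED = 0x31, 0x32  # RFC 4675 tag-indication octets


def avp(attr_type, value):
    """Type-Length-Value encoding; Length counts the 2-octet header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def untagged_vlan_attrs(vlan_id):
    """RFC 3580 style assignment. Every tunnel attribute starts with a one-octet Tag;
    0x00 means the attribute belongs to no tunnel group (RFC 2868)."""
    return (
        avp(TUNNEL_TYPE, b"\x00" + struct.pack("!I", 13)[1:])
        + avp(TUNNEL_MEDIUM_TYPE, b"\x00" + struct.pack("!I", 6)[1:])
        + avp(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan_id).encode())
    )


def egress_vlanid_attr(vlan_id, tagged):
    """RFC 4675 Egress-VLANID: tag indication (1 octet), 12 bits of padding, 12-bit VLAN ID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return avp(EGRESS_VLANID, struct.pack("!I", ((TAGGED if tagged else UNTAGGED) << 24) | vlan_id))


def decode_egress_vlanid(value):
    """Inverse of egress_vlanid_attr; returns (vlan_id, tagged)."""
    raw = struct.unpack("!I", value)[0]
    return raw & 0xFFF, (raw >> 24) == TAGGED


def build_response(code, identifier, request_authenticator, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_authenticator, secret):
    """What the edge switch must do before acting on a reply: recompute the
    Response Authenticator. Any change to the attributes (for example, a
    different VLAN) or a reply from a host without the secret fails here."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(packet):
    """Walk the attribute list; rejects lengths that run past the packet."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def demo():
    """Build the Accept an agent would return for a user placed in untagged VLAN 20
    with tagged VLAN 100 also permitted, then verify and decode it as the NAS would."""
    secret = b"constructed-shared-secret"
    request_authenticator = bytes(range(16))   # constructed; a real NAS sends 16 random octets
    attrs = untagged_vlan_attrs(20) + egress_vlanid_attr(100, tagged=True)
    packet = build_response(ACCESS_ACCEPT, 7, request_authenticator, attrs, secret)
    assert verify_response(packet, request_authenticator, secret)
    decoded = {}
    for t, v in parse_attrs(packet):
        if t == TUNNEL_PRIVATE_GROUP_ID:
            decoded["untagged_vlan"] = int(v[1:])      # skip the Tag octet
        elif t == EGRESS_VLANID:
            decoded["egress_vlan"] = decode_egress_vlanid(v)
    return decoded


if __name__ == "__main__":
    print(demo())
```

The verification step is the security-relevant one: the VLAN, QoS and bandwidth attributes IDM inserts are only as trustworthy as the Response Authenticator and the shared secret behind it, so the secret defined when each edge device is added as a RADIUS client should be long and unique per device, and a switch that skips the check will happily apply a VLAN from anyone who can spoof a reply.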

IDM Architecture

In IDM, when a user attempts to connect to the network through an edge switch, the user is authenticated via the RADIUS Server and user directory. IDM then returns the user’s "access profile" to the switch along with the authentication response from RADIUS. The IDM information is used to dynamically configure the edge switch to provide the appropriate authorizations to the user, that is, which VLAN the user can access, and what resources (QoS, bandwidth) the user gets.
The following figure illustrates the IDM architecture and how it fits in with RADIUS.
Figure 1-4. IDM Architecture
IDM consists of an IDM Agent that is co-resident on the RADIUS server, and an IDM Server that is co-resident with PCM+. Configuration and access management tasks are handled via the IDM GUI on the PCM+ management workstation.
The IDM Agent includes:
A RADIUS interface that captures user authentication information from the RADIUS server and passes the applicable user data (username, location, time of request) to the IDM Decision Manager. The interface also passes user access parameters from IDM to the RADIUS server.
A Decision Manager that receives the user data and checks it against user data in the local IDM data store. Based on the parameters defined in the data store for the user data received, the Decision Manager outputs access parameters for VLAN, QoS, bandwidth, and network resource access to the RADIUS interface component.
A Local Data Store that contains information on Users and the Access Policy Groups to which the user belongs. The Access Policy Group defines the rules that determine the user’s access rights.
The IDM Server provides configuration and monitoring of Identity Driven Manager. It operates as an add-on module to PCM+, using the PCM model database to store IDM data, and a Windows GUI (client) to provide access to configuration and monitoring tools for IDM.
You use the IDM GUI to monitor IDM Agent status and users logged into the network, and to manage IDM configuration, including:
Defining access parameters for the network, such as locations, times, network resources, and access profiles.
Creating access profiles that define the network resources and attributes (VLAN, QoS, bandwidth) assigned to users in an Access Policy Group.
Creating Access Policy Groups with rules (access policies) that will be assigned to users in that Group.
Assigning users to Access Policy Groups.
Deploying IDM configuration data to the IDM Agent on the RADIUS server.
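The Decision Manager described above, and the accept/deny behaviour spelled out in “Why IDM?” (a user authenticated by RADIUS but connecting at the wrong time or from the wrong location is denied; a user unknown to IDM is left alone unless a guest profile is configured), reduce to an ordered rule evaluation. The following Python is an added illustration of that evaluation, not IDM product code: the rule schema (first matching rule wins, no match means deny), the locations keyed by NAS IP address, the time windows, the Access Profiles, and the user-to-group assignments are all constructed for the example. The User-Name handling follows the "user@realm" form noted in the Terminology section.

```python
"""IDM-style Decision Manager: pick an Access Profile for an authenticated user.

Added example, not IDM product code. The rule schema (first matching rule wins,
no match means deny), the locations, time windows, profiles and users below
are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class AccessProfile:
    name: str
    vlan: int
    qos_priority: int                       # 802.1p priority 0..7
    rate_limit_kbps: Optional[int] = None   # None = no throttling


@dataclass(frozen=True)
class Location:
    name: str
    nas_ips: frozenset      # edge devices (NAS-IP-Address values) at this location


@dataclass(frozen=True)
class TimeWindow:
    name: str
    weekdays: frozenset     # 0 = Monday .. 6 = Sunday
    start: time
    end: time               # exclusive

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end


@dataclass(frozen=True)
class Rule:
    location: Optional[Location]       # None = any location
    window: Optional[TimeWindow]       # None = any time
    profile: Optional[AccessProfile]   # None = explicit deny


ACCEPT, REJECT, PASSTHROUGH = "accept", "reject", "passthrough"


def split_realm(user_name: str):
    """RADIUS User-Name may arrive as 'user@realm'; match on the bare user, case-insensitively."""
    user, sep, realm = user_name.partition("@")
    return user.lower(), (realm.lower() if sep else None)


def decide(user_name, nas_ip, when, users, groups, guest=None):
    """Return (decision, profile). users maps user -> Access Policy Group name;
    groups maps group name -> ordered list of Rule."""
    user, _realm = split_realm(user_name)
    group = users.get(user)
    if group is None:
        # Unknown to IDM: leave the RADIUS accept and switch defaults alone,
        # unless a guest profile has been configured for unknown users.
        return (ACCEPT, guest) if guest is not None else (PASSTHROUGH, None)
    for rule in groups[group]:
        if rule.location is not None and nas_ip not in rule.location.nas_ips:
            continue
        if rule.window is not None and not rule.window.contains(when):
            continue
        return (REJECT, None) if rule.profile is None else (ACCEPT, rule.profile)
    # Authenticated and known to IDM, but wrong time or place for every rule: deny.
    return (REJECT, None)


# Constructed sample configuration
HQ = Location("HQ", frozenset({"10.1.1.1", "10.1.1.2"}))
LAB = Location("Lab", frozenset({"10.2.0.1"}))
BUSINESS_HOURS = TimeWindow("Business hours", frozenset(range(0, 5)), time(8, 0), time(18, 0))

ENGINEER = AccessProfile("Engineer", vlan=20, qos_priority=4)
ENGINEER_OFFHOURS = AccessProfile("Engineer off-hours", vlan=30, qos_priority=2, rate_limit_kbps=2048)
CONTRACTOR = AccessProfile("Contractor", vlan=40, qos_priority=1, rate_limit_kbps=1024)
GUEST = AccessProfile("Guest", vlan=99, qos_priority=0, rate_limit_kbps=512)

GROUPS = {
    "Engineering": [
        Rule(HQ, BUSINESS_HOURS, ENGINEER),
        Rule(HQ, None, ENGINEER_OFFHOURS),
        Rule(LAB, None, ENGINEER),
    ],
    "Contractors": [
        Rule(LAB, None, None),                  # never from the lab switches
        Rule(HQ, BUSINESS_HOURS, CONTRACTOR),
    ],
}
USERS = {"alice": "Engineering", "bob": "Contractors"}

TUESDAY_10AM = datetime(2009, 5, 12, 10, 0)
SATURDAY_10PM = datetime(2009, 5, 16, 22, 0)


def demo():
    cases = [
        ("alice@corp.example", "10.1.1.1", TUESDAY_10AM),
        ("alice", "10.1.1.2", SATURDAY_10PM),
        ("bob", "10.1.1.1", SATURDAY_10PM),
        ("bob", "10.2.0.1", TUESDAY_10AM),
        ("mallory", "10.1.1.1", TUESDAY_10AM),
    ]
    return [(u, decide(u, ip, t, USERS, GROUPS)) for u, ip, t in cases]


if __name__ == "__main__":
    for user, (decision, profile) in demo():
        print(user, decision, profile.name if profile else "")
```

Two design points carry over to a real deployment: rule order matters (the explicit lab deny for contractors has to come before the broader HQ rule or it never fires), and the default for a known user with no matching rule is deny, which is the behaviour the "wrong time or location" paragraph above describes. The passthrough result for an unknown user is the one case where IDM adds nothing, so whatever VLAN the switch port defaults to is what that user gets.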

Terminology

Access Policy Group: An IDM access policy group consists of one or more rules that govern the login times, devices, quality of service, bandwidth, and VLANs for users assigned to the access policy group.
Access Profile: An IDM access profile sets the VLAN, quality of service, and bandwidth (rate-limits) applied when a user logs in and is authenticated on the network.
Authentication: The process of proving the user’s identity. In networks this involves the use of usernames and passwords, hardware credentials (smartcards, token cards, etc.), and a device’s MAC address to determine who and/or what the "user" is.
Authentication Server: Authentication servers are responsible for granting or denying access to the network. Also referred to as RADIUS servers because most current authentication servers implement the RADIUS protocol.
Authorization: The process that determines what an authenticated user can do. It establishes what network resources the user is, or is not, permitted to use.
Bandwidth: Amount of network resources available. Generally used to define the amount of network resources a specific user can consume at any given time. Also referred to as rate-limiting.
Client: An end-node device such as a management station, workstation, or mobile PC attempting to access the network. Clients are linked to the switch through a point-to-point LAN link, either wired or wireless.
Distinguished Name: A Distinguished Name (DN) is an identifier that uniquely represents an object in the X.500 Directory Information Tree (DIT) [X501]. A DN is the sequence of attribute values that identifies the path leading from the base of the DIT to the named object. An X.509 public-key certificate or CRL contains a DN that identifies its issuer, and an X.509 attribute certificate contains a DN or other form of name that identifies its subject.
Domain: A domain is a group of computers and devices on a network that are administered as a unit with common rules and procedures. In IDM the term normally means a Windows (Active Directory) domain. Note that devices sharing part of an IP address are in the same subnet, which does not make them members of the same domain; Internet domains are names in DNS, not address ranges.
Edge Device: A network device (switch or wireless access point) that connects the user to the rest of the network. Edge devices can take part in granting user access and applying a user’s access rights and restrictions.
Endpoint Integrity: Also referred to as "Host Integrity," this refers to the use of applications that check hosts attempting to connect to the network to ensure they meet requirements for configuration and security, generally to make sure that virus checking and spyware applications are in place and up to date.
IDM Agent: The IDM Agent resides on the RADIUS server. It inspects incoming authentication requests and inserts the appropriate authorization information (IDM Access Profiles) into the outgoing authentication reply.
QoS: Quality of Service; relates to the priority given to outbound traffic sent from the user to the rest of the network.
RADIUS: Remote Authentication Dial-In User Service (though it also applies to authentication service in non-dial-in environments).
RADIUS Server: A server running the RADIUS application on your network. This server receives user connection requests from the switch, authenticates users, and then returns all necessary information to the edge device.
Realm: A Realm is similar to an Active Directory Domain, but it works across non-Windows (Linux, etc.) systems. Generally specified in the User-Name as "user@realm".
VLAN: A port-based Virtual LAN configured on the switch. When the client connection terminates, the port drops its membership in the VLAN.

IDM Specifications

Supported Devices

ProCurve Identity Driven Manager (IDM) supports authorization control functions on the following ProCurve devices*:
ProCurve Switches:
6400cl Series
6200 Series
5400 Series
5300xl Series
4200 Series
3500 Series
3400cl Series
4100gl Series
2900 Series
2800 Series
2600 Series (PWR included)
2500 Series
6100 Series
6600
8212zl
9300
9400
ProCurve Wireless (420, 520wl, 530)
Wireless Edge Services Module (WESM)
* Not all devices support all features of IDM. Refer to Appendix B, "IDM Technical Reference," for details of which features each device supports.

Operating Requirements

The system requirements for IDM (Server and Client installation) are:
Minimum Processor: 2.0 GHz Intel Pentium, or equivalent
Recommended Processor: 3.0 GHz Intel Pentium, or equivalent
Minimum Memory: 1 GB RAM
Recommended Memory: 2 GB RAM
Disk Space: 500 MB free hard disk space minimum. (A total of 1 GB will be required for PCM+ and IDM.)
Implementation of one of the following RADIUS servers. The IDM Agent will be installed on this system:
Microsoft Network Policy Server on Windows Server 2008 (32-bit)
Microsoft Internet Authentication Service (IAS) on Windows Server
2003 (32-bit)
FreeRADIUS supplied with Red Hat Enterprise Linux (4.7 and 5.2)
FreeRADIUS supplied with SuSE Enterprise Linux (9.3 and 10.2)
RADIUS on the ProCurve Network Access Controller 800
ProCurve Manager Plus software must be installed for IDM to operate.
The IDM software cannot be installed as a separate component. PCM system requirements are provided in the HP ProCurve Network Management Installation and Getting Started Guide.
Additional processing power and additional disk space may be required for larger networks.

Additional Requirements

Implementation of an access control method, using either MAC-auth, Web-auth, or an 802.1X supplicant application.
For assistance with implementation of RADIUS and access control methods for use with ProCurve switches, refer to the Access Security Guide that came with your switch. All ProCurve Switch manuals can also be downloaded from the ProCurve web site.
For assistance with using RADIUS and 802.1X access control methods, contact the ProCurve Elite Partner nearest you that can provide ProCurve Access Control Security solutions. You can find ProCurve Direct Elite partners on the Find a Partner link at http://www.procurve.com.
If you plan to restrict user access to specific network segments, you will need to configure VLANs within your network. For information on using VLANs, refer to the HP ProCurve Manager Network Administrator’s Guide, or the configuration guides that came with your switch.

Upgrading from Previous Versions of PCM and IDM

The installation package for PCM 3.0 contains the IDM 3.0 installation files. If you are running earlier versions of IDM, you must select the IDM option during the PCM 3.0 install process. This is required to support changes made in the underlying PCM and IDM databases.
If you want to test the IDM 3.0 functionality using the 60-day trial provided with the PCM 3.0 Auto-update package, you need to install the software on a separate system that has no previous IDM version installed or in use.
When you upgrade to IDM 3.0, you need to manually install the IDM Agent upgrade on each of your RADIUS Servers. Refer to “Installing the IDM Agent” on page 2-2 for detailed instructions.

Learning to Use ProCurve IDM

Learning to Use ProCurve IDM
The following information is available for learning to use ProCurve Identity Driven Manager (IDM):
This User’s Guide—helps you become familiar with using the application tools for access control management.
Online help information—provides information through Help buttons in the application GUI that provide context-sensitive help, and a table of contents with hypertext links to additional procedures and reference information.
HP ProCurve Network Management Installation and Getting Started Guide—provides details on installing the application and licensing, and an overview of ProCurve Manager functionality.
For additional information on configuring your network, refer to the documentation that came with your switches.

Getting ProCurve Documentation From the Web

IDM manuals can be downloaded from:
http://www.hp.com/rnd/support/manuals/IDM.htm

ProCurve Support

Product support is available on the Web at: http://www.procurve.com Click on the Customer Care tab. The information available at this site includes:
Product Manuals
Software updates
Links to Additional Support information.
You can also call your HP Authorized Dealer or the nearest HP Sales and Support Office, or contact the ProCurve Elite Partner nearest you for information on ProCurve Access Control Security solutions. You can find ProCurve Elite partners on the Find a Partner link at http://www.procurve.com.

Getting Started

Chapter Contents

Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Installing the IDM Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Using the IDM Auto-Discover Feature . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
IDM Configuration Process Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
IDM Usage Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
Understanding the IDM Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
IDM GUI Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
IDM Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11
Using the Navigation Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12
Toolbars and Menus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-18
Using IDM as a Monitoring Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19
Using IDM Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-20
Creating Report Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24
Configuring a Policy Action to Generate Reports . . . . . . . . . . . . . . . . 2-24
IDM Session Cleanup Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-30
User Session Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-34
Finding a User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
User Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-38
Show Mitigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-39
IDM Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-41
Using Active Directory Synchronization . . . . . . . . . . . . . . . . . . . . . . . 2-43

Before You Begin

If you have not already done so, please review the list of supported devices and operating requirements under “IDM Specifications” on page 1-10.
If you intend to restrict user access to specific areas of the network using VLANs, make sure you have set up your network for use of VLANs. For details on configuring VLANs, refer to the HP ProCurve Manager Network Administrator’s Guide, or the Advanced Traffic Management Guide for your ProCurve switch.
The IDM Client is included with the PCM Plus software. To install a remote PCM/IDM Client, download the PCM Client to a remote PC using the same process as for installing the IDM Agent, just select the PCM Client option from the PCM server. For detailed instructions, see the HP ProCurve Network Management Installation and Getting Started Guide.

Installing the IDM Agent

The IDM application components are installed on your system when you select the IDM option during PCM+ software installation. The IDM Agent can be installed on a RADIUS server, a supported Linux system, or a ProCurve Network Access Controller.
If the PCM software is not on the same system as the IDM Agent, you must configure "Client/Server" access permissions on the PCM server to allow communication. This is done by adding the IP address of the RADIUS server, Linux system, or ProCurve Network Access Controller to the access.txt file on the PCM server. For details, refer to the HP ProCurve Network Management Installation and Getting Started Guide.
On a RADIUS Server
During the installation process, you will be prompted to enter the IP address of the PCM Server. This is needed to establish communication between the IDM Agent on the RADIUS server, and the IDM application on the PCM Server.
The IDM Agent can only be installed on a system with the RADIUS server configured. If the RADIUS server is not found on the system, the IDM Agent installation displays an error message, and the installation process is aborted.
1. Start a web browser on the computer where the IDM Agent will be installed, and type the IP address of the PCM server computer followed by a colon and the port ID 8040. For example, if the IP address of the server computer is 10.15.20.25, enter the following URL:
http://10.15.20.25:8040
2. Click the Download the Windows PCM/IDM agent link, and click Save to download the file.
3. Once the download completes, close the Download window and the web browser.
4. Open the downloaded procurve-agent-setup.exe file by double-clicking on it. The Agent Installation Wizard will then guide you through the installation.
5. On the Agent Information window of the Agent Installation Wizard:
Figure 2-1. Agent Information
a. Select IDM Agent.
b. Type a Name and, optionally, a Description for the Agent.
c. Enter a unique password or check the Use Factory Default check box to use the default password of “procurve”. This password is used for authenticating with the PCM server.
d. If you do not want to use the default Web Management Port 8081, uncheck the Use Factory Default check box and enter the web management port that will be used to authenticate with the PCM server.
6. On the Server Information window, configure the Agent-server connection settings and any required server information:
Figure 2-2. Server Information
For the Agent to communicate with the PCM server, these values MUST MATCH the values set on the PCM server for this Agent.
a. If the Agent will initiate the connection to the PCM server, check the Agent Initiates Connection check box. If the PCM server will initiate a connection to the Agent, ensure this check box is unchecked.
All Agents that initiate a connection to the PCM server must use the same port number and encryption type as configured in the Agent Manager Server Setup tab.
b. To change the default Port that the Agent will use to communicate with the PCM server, uncheck the related Use Default check box and type the desired port. The default PCM server port is 51111, which can be changed to any unused port during PCM server installation or at the PCM server.
c. If you do not want to encrypt data sent to the PCM server, uncheck the related Use Default check box and select Plain Text from the Encryption drop-down list. The default encryption method is SSL. If the PCM server is behind a firewall, we recommend using SSL encryption.
d. In the IP Address field, type the IP address of the PCM server if the Agent is initiating the connection to the PCM server.
e. To change the default Password that the Agent will use to communicate with the PCM server, uncheck the related Use Default check box and type the desired password (any number of alphanumeric characters). The default password is “procurve”. This must match the password set on the Agent Manager Server Setup tab.
Once installed, the IDM Agent begins collecting User, Realm, and RADIUS data.
On a Linux System or ProCurve Network Access Controller
To install the IDM Agent on a supported Linux system or ProCurve Network Access Controller:
1. Start a web browser, and type the IP address of the PCM server computer followed by a colon and the port ID 8040. For example, if the IP address of the server computer is 10.15.20.25, enter the following URL:
http://10.15.20.25:8040
2. Click the Download the IDM FreeRADIUS Agent link, and click Save to download the file.
3. Once the download completes, move the file to a location accessible by the target Agent system, if necessary.
4. Extract the downloaded HpIdmLinuxAgentInstaller-<version>.tar.gz file to a temporary location on the RADIUS server.
5. Change to the HpIdmLinuxAgentInstaller-<version> directory, run install.sh as root, and then follow the prompts.

Using the IDM Auto-Discover Feature

You can manually configure the RADIUS server, Realms, and Users in IDM, or you can let IDM do the hard work for you. And, you have two options for automatically discovering users. Either enable Active Directory synchronization to import users from the Active Directory, or install the IDM Agent on the system with the RADIUS Server, then let it run to collect the information as users log into the network. Even after you begin creating configurations in IDM, both options continue to collect information on users and Realms (domains in Active Directory) and pass that information to the IDM server.
If you are using multiple RADIUS servers, you need to install an IDM Agent on each of the servers. The IDM Agent collects information only on the system where it is installed. The IDM client can display information for all RADIUS servers where the IDM Agent is installed.
When you start the IDM Client and expand the navigation tree in the IDM Dashboard tab, you will see any discovered or defined Realms found on the RADIUS server, along with the IP address for the RADIUS Server(s).

IDM Configuration Process Overview

To configure IDM to provide access control on your network, first let IDM run long enough to "discover" the Realms, RADIUS servers, and users on your network. Once IDM has performed these tasks for you, your configuration process would be as follows:
1. If you intend to use them, define "locations" from which users will access the network. A location may relate to port-based VLANs, or to all ports on a device. (See page 3-7.)
2. If you intend to use them, define "times" at which users are allowed or denied access. This can be by day, week or even hour. (See page 3-14)
3. Define any network resources (systems and applications) that you want to specifically allow or restrict users from accessing.
4. If you intend to restrict a user's access to specific systems, you need to set the User profile to include the MAC address for each system that the user is allowed to log in on. (See page 3-57.)
5. Create the Access Profiles, to set the VLAN, QoS, rate-limits (bandwidth) attributes, and the network resources that are available, to users in an Access Policy Group. (See page 3-24.)
6. Create an Access Policy Group, with rules containing the Location, Time, System, and Access Profile that is applied to users when they login. (See page 3-34.)
OR
If using Active Directory synchronization, add rules and Access Profiles to the Access Policy Groups automatically created by Active Directory synchronization.
7. If Active Directory synchronization is not used, assign Users to the appropriate Access Policy Group. (See page 3-41.)
8. If automatic deployment is disabled, deploy the configuration policies to the IDM Agent on the RADIUS server. (See page 3-46)

IDM Usage Strategies

You can use IDM to simply monitor user activity on the network, or to apply user authentication rules to improve network security and performance. The following table identifies the IDM configuration for various deployment and usage strategies for IDM.
Table 2-1: IDM Deployment and Usage Strategies

Strategy                                                     Authenticate  Authorize (VLAN / QoS / Rate-Limit / Network Resources)
-----------------------------------------------------------  ------------  --------------------------------------------------------
Monitor and report user activity                             -             - / - / - / -
Enhance normal RADIUS authentication with Location, Time,    x             - / - / - / -
  and System rules
Provide rudimentary VLAN segregation (Unknown Users,         x             VLAN / - / - / -
  Guests, Visitors, Contractors)
Provide complete VLAN placement for all Users                x             VLAN / - / - / -
Provide QoS and Rate-limits per User                         x             - / QoS / Rate-Limit / -
VLAN, QoS, and Rate-limit attributes, and accessibility of   x             VLAN / QoS / Rate-Limit / Network Resources
  defined Network Resources for all users, based on
  Location, Time, and System

Understanding the IDM Model

The first thing to understand is that IDM works within the general concept of ‘domains’ or ‘realms’. Basically, realms are very large organizational units; every user belongs to one, and only one, realm. While it is possible to have multiple realms, most organizations have only one, for example, hp.com or csuchico.edu.
The basic operational model of IDM involves Users and Groups. Every User belongs to a Group – in IDM these are called Access Policy Groups (APGs). Each APG has an Access Policy defined for it, which governs the access rights that are applied to its Users as they enter the network.
In the IDM GUI, the top level of the navigation tree is the Realm, with all other information for APGs, and RADIUS Servers beneath the Realm in the navigation tree. Users are linked to the Realm to which they belong, and the Access Policy Group to which they are assigned.
The IDM configuration tools are available at the top level. The definition of times, locations, network resources, and access profiles is independent of individual Realms or Groups. You can define multiple locations, times, and network resources, then create multiple access profiles to be applied to any Access Policy Group, in any Realm that exists within IDM.
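The configuration steps listed under "IDM Configuration Process Overview" and the Realm / Access Policy Group model described above can be summarized as a small policy evaluator. The Python below is an added illustration written for this edit, not HP's IDM code, and it assumes behaviour the manual does not spell out: rules within an Access Policy Group are tried in order and the first match wins, a login that matches no rule is rejected, and the per-user MAC restriction from step 4 is checked before any rule. Every name, address, VLAN number and MAC address in it is constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Location:
    """A switch (identified by IP) and the ports on it; an empty port set means all ports."""
    name: str
    device: str
    ports: FrozenSet[int] = frozenset()

    def matches(self, device: str, port: int) -> bool:
        return device == self.device and (not self.ports or port in self.ports)


@dataclass(frozen=True)
class TimeWindow:
    """Weekdays (0 = Monday) and an hour range [start_hour, end_hour) when the rule applies."""
    name: str
    days: FrozenSet[int]
    start_hour: int
    end_hour: int

    def matches(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour


@dataclass(frozen=True)
class AccessProfile:
    """Attributes applied to a matching user: VLAN, QoS priority, rate limit, resources."""
    name: str
    vlan: int
    qos: int
    rate_limit_kbps: int
    resources: FrozenSet[str]


@dataclass(frozen=True)
class Rule:
    """One rule of an Access Policy Group; None for location or time means 'any'."""
    profile: AccessProfile
    location: Optional[Location] = None
    time: Optional[TimeWindow] = None


@dataclass(frozen=True)
class User:
    """A user belongs to exactly one Realm and one Access Policy Group (APG)."""
    name: str
    realm: str
    group: str
    allowed_macs: FrozenSet[str] = frozenset()   # empty = may log in from any system


@dataclass(frozen=True)
class Login:
    """What the RADIUS access request tells IDM about the user who is logging in."""
    user: str
    realm: str
    device: str
    port: int
    mac: str
    when: datetime


def evaluate(login: Login,
             users: Dict[Tuple[str, str], User],
             groups: Dict[str, List[Rule]]) -> Optional[AccessProfile]:
    """Return the Access Profile to apply, or None to reject the login.

    Assumptions (not stated in the manual): rules are tried in list order and the
    first match wins; a login that matches no rule is rejected.
    """
    user = users.get((login.realm, login.user))
    if user is None:
        return None                                   # unknown user in this Realm
    if user.allowed_macs and login.mac.lower() not in user.allowed_macs:
        return None                                   # step 4: user limited to listed systems
    for rule in groups.get(user.group, []):
        if rule.location is not None and not rule.location.matches(login.device, login.port):
            continue
        if rule.time is not None and not rule.time.matches(login.when):
            continue
        return rule.profile
    return None


# --- constructed sample configuration (hypothetical values) ------------------
LAB = Location("Lab", "10.15.20.30", frozenset({1, 2, 3}))
OFFICE_HOURS = TimeWindow("OfficeHours", frozenset(range(5)), 8, 18)   # Mon-Fri 08:00-18:00
STAFF = AccessProfile("Staff", vlan=10, qos=5, rate_limit_kbps=100_000,
                      resources=frozenset({"fileserver", "intranet"}))
RESTRICTED = AccessProfile("Restricted", vlan=99, qos=0, rate_limit_kbps=2_000,
                           resources=frozenset({"internet"}))

GROUPS: Dict[str, List[Rule]] = {
    "Employees": [
        Rule(STAFF, location=LAB, time=OFFICE_HOURS),   # full access in the lab during office hours
        Rule(RESTRICTED),                                # otherwise: restricted VLAN
    ],
}
USERS: Dict[Tuple[str, str], User] = {
    ("hp.com", "alice"): User("alice", "hp.com", "Employees",
                              allowed_macs=frozenset({"00:11:22:33:44:55"})),
}


def decide(user: str, device: str, port: int, mac: str, when: str) -> Optional[str]:
    """Name of the profile applied for a login at ISO time `when`, or None when rejected."""
    login = Login(user, "hp.com", device, port, mac, datetime.fromisoformat(when))
    profile = evaluate(login, USERS, GROUPS)
    return profile.name if profile else None


if __name__ == "__main__":
    print(decide("alice", "10.15.20.30", 2, "00:11:22:33:44:55", "2009-05-12T10:00"))
```

Because the Access Profile carries the VLAN, the rule order decides which VLAN an employee lands in when she connects outside the lab or outside office hours; keeping a catch-all rule last, with a deliberately restricted profile, is the same fail-closed habit the manual's "Unknown Users, Guests, Visitors" strategy relies on.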

IDM GUI Overview

To use the IDM client, launch the PCM Client on your PC. Select the ProCurve Manager option from the Windows Program menu to launch the PCM Client. The PCM Client starts up and displays the Login dialog.
Figure 2-3. PCM Login
If you did not enter a Username or Password during install, type in the default Username, Administrator, then click Login to complete the login and startup.
For additional information on using the PCM Client, refer to the HP ProCurve Manager Network Administrator’s Guide.
Select the Identity tab at the bottom left of the PCM window to display the IDM Dashboard.
Note: You can also access the IDM Dashboard by selecting the Network Management Home node in the PCM navigation tree and clicking the Identity-driven Manager tab at the top of the right pane.
Figure 2-4. IDM Dashboard
The IDM initial display provides a quick view of IDM status in the Dashboard tab, along with an Events tab, navigation tree, and access to menu and toolbar functions. You can resize the entire window, and/or resize the panes (subwindows) within the Identity Management Home window frame.
NOTE: If the IDM Dashboard shows the IDM Agent Status as inactive, and the Inventory and Logins panes show no data:
Check the PCM Events tab for the following entry: "PCM remote client authentication failure: <ip address>"
Check for IDM application events related to devices "supporting" or "not supporting" the configuration.
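The two checks in the note above can be run over an export of the PCM Events tab. The Python below is an added example for this edit, not part of the manual or of PCM; only the event text "PCM remote client authentication failure: <ip address>" and the "supporting" / "not supporting" wording come from the manual, while the timestamp and severity layout of the sample lines, and every address in them, are constructed. It separates failing sources that are agents you deployed (candidates for the access.txt entry described under "Installing the IDM Agent") from sources you did not deploy, which deserve a look before any access is granted.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Set

# Constructed sample of PCM event lines (format assumed; addresses are made up).
SAMPLE_EVENTS = [
    "2009-05-12 09:01:12 Warning PCM remote client authentication failure: 10.15.20.40",
    "2009-05-12 09:01:45 Info    Agent connected from 10.15.20.41",
    "2009-05-12 09:02:03 Warning PCM remote client authentication failure: 10.15.20.40",
    "2009-05-12 09:05:30 Warning PCM remote client authentication failure: 192.0.2.77",
    "2009-05-12 09:06:00 Info    Device 10.15.20.30 supporting IDM configuration",
    "2009-05-12 09:06:01 Warning Device 10.15.20.31 not supporting IDM configuration",
]

# The failure text is quoted in the manual; the IPv4 capture group is ours.
AUTH_FAILURE = re.compile(r"PCM remote client authentication failure: (\d{1,3}(?:\.\d{1,3}){3})")
# "not supporting" is the manual's wording; the "Device <id>" prefix is assumed.
NOT_SUPPORTING = re.compile(r"[Dd]evice (\S+) not supporting")


def auth_failures(lines: Iterable[str]) -> Dict[str, int]:
    """Count 'PCM remote client authentication failure' events per source IP."""
    counts: Counter = Counter()
    for line in lines:
        m = AUTH_FAILURE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def unsupported_devices(lines: Iterable[str]) -> List[str]:
    """Devices reported as 'not supporting' the IDM configuration, in order of first appearance."""
    seen: List[str] = []
    for line in lines:
        m = NOT_SUPPORTING.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def triage(lines: Iterable[str], expected_agents: Set[str]) -> Dict[str, List[str]]:
    """Split failing sources into agents you deployed (add them to access.txt on the
    PCM server) and sources you did not deploy (investigate before granting access)."""
    lines = list(lines)
    failures = auth_failures(lines)
    return {
        "add_to_access_txt": sorted(ip for ip in failures if ip in expected_agents),
        "investigate": sorted(ip for ip in failures if ip not in expected_agents),
        "unsupported_devices": unsupported_devices(lines),
    }


if __name__ == "__main__":
    # 10.15.20.40 and .41 are the agents we installed; 192.0.2.77 is not ours.
    print(triage(SAMPLE_EVENTS, {"10.15.20.40", "10.15.20.41"}))
```

The manual describes the access.txt entry as the fix for a known agent; the split in `triage` exists so that an authentication failure from an address you never installed an agent on is not "fixed" by simply allowing it.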