Security Solutions
3-100
Designing Access Controls
Add ProCurve IDM
Add Users
Earlier, in “Choose Which Devices Will Play the Role of PDP” on page 3-79, you considered the location of your credential/policy repository. When you add IDM to the network, the credential repository remains where it is, usually in a directory. However, IDM now stores additional policies for users.

In the next section, you’ll learn about setting up those policies in access policy groups. First, however, IDM needs to learn about your network’s users so that you can place them in the proper groups. IDM can learn about users in several ways:
■ Automatically, by detecting users that log in to RADIUS servers that run the IDM agent
■ Automatically, by synchronizing with Active Directory. This option does require some initial manual setup.
■ Manually, by the administrator downloading users from another directory service
■ Manually, by the administrator creating each user individually
The first option is the easiest but requires you to run IDM for several days before configuring policies. Synchronizing IDM with select groups in Active Directory is also relatively easy—and it allows IDM to automatically update its list of users. For other directories, manually downloading a complete list of users is a viable alternative. However, you might need to do so periodically to add new users. Manually adding users is feasible only in the smallest networks.
Remember: even when you add users manually, IDM manages user policies, not credentials. But there is an exception: you can configure the NAC 800’s local database through IDM. In this case, you set the user’s password through IDM, and the NAC 800 (managed by IDM) is a “turnkey” server, storing all policies and credentials.
Create Access Policy Groups
Access policy groups assign rights to user groups based on several factors such as access time, location, and endpoint integrity. You will learn how to design these groups in “User Groups and Policies” on page 3-106. First, however, you must select an EAP method if your network enforces 802.1X authentication.
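The two steps described above (learning users from a directory export, then placing them in access policy groups whose rights depend on time, location, and endpoint integrity) can be illustrated with a small worked example. This is an added illustration, not ProCurve IDM code or its data format: the LDIF sample, the group names, the VLAN numbers, the `AccessPolicy` structure and the first-match precedence rule are all constructed assumptions chosen to show the decision logic, including the default-deny and quarantine outcomes a practitioner would expect a policy engine to have.

```python
"""Illustration (not ProCurve IDM code): import users from a directory export,
map them to access policy groups, and evaluate the rights a group grants
under the factors named on the page: time, location, endpoint integrity."""
from dataclasses import dataclass, field
from datetime import time

# Constructed LDIF-style export, standing in for the "download users from
# another directory service" step. Only cn and memberOf are consulted.
SAMPLE_LDIF = """\
dn: cn=alice,ou=people,dc=example,dc=com
cn: alice
memberOf: cn=engineering,ou=groups,dc=example,dc=com

dn: cn=bob,ou=people,dc=example,dc=com
cn: bob
memberOf: cn=contractors,ou=groups,dc=example,dc=com

dn: cn=carol,ou=people,dc=example,dc=com
cn: carol
memberOf: cn=engineering,ou=groups,dc=example,dc=com
memberOf: cn=contractors,ou=groups,dc=example,dc=com
"""


def parse_ldif_users(text):
    """Return {cn: set(directory group cn)} from a minimal LDIF export.
    Entries are separated by blank lines; multi-valued memberOf is collected."""
    users = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        cn = attrs["cn"][0]
        groups = set()
        for dn in attrs.get("memberOf", []):
            first_rdn = dn.split(",")[0]          # e.g. "cn=engineering"
            groups.add(first_rdn.split("=", 1)[1])
        users[cn] = groups
    return users


@dataclass
class AccessPolicy:
    """One access policy group (hypothetical structure)."""
    vlan: int
    locations: set = field(default_factory=set)   # empty set = any location
    start: time = time(0, 0)                      # allowed access window
    end: time = time(23, 59)
    require_healthy_endpoint: bool = True


# Hypothetical access policy groups keyed by directory group name.
# Precedence: the first matching entry in this ordered list wins, so a user in
# several directory groups gets one deterministic policy.
POLICY_GROUPS = [
    ("engineering", AccessPolicy(vlan=10, locations={"hq"},
                                 start=time(7, 0), end=time(19, 0))),
    ("contractors", AccessPolicy(vlan=20, locations={"hq", "branch"},
                                 start=time(9, 0), end=time(17, 0))),
]
QUARANTINE_VLAN = 99   # constructed value for endpoints that fail integrity checks


def assign_group(user_groups):
    """Map a user's directory groups to one access policy group (first match)."""
    for name, policy in POLICY_GROUPS:
        if name in user_groups:
            return name, policy
    return None, None


def evaluate(users, cn, when, location, endpoint_healthy):
    """Return the VLAN to assign, or None to deny access.
    Unknown users and users in no policy group are denied (default deny);
    an unhealthy endpoint is sent to the quarantine VLAN instead of its policy VLAN."""
    if cn not in users:
        return None
    _, policy = assign_group(users[cn])
    if policy is None:
        return None
    if policy.locations and location not in policy.locations:
        return None
    if not (policy.start <= when <= policy.end):
        return None
    if policy.require_healthy_endpoint and not endpoint_healthy:
        return QUARANTINE_VLAN
    return policy.vlan


if __name__ == "__main__":
    directory_users = parse_ldif_users(SAMPLE_LDIF)
    for name in ("alice", "bob", "carol", "dave"):
        print(name, evaluate(directory_users, name, time(10, 0), "hq", True))
```

The ordered `POLICY_GROUPS` list is the design choice worth noting: because carol belongs to both directory groups, the evaluator must decide which access policy group applies, and making that precedence explicit (rather than depending on dictionary or directory ordering) is what keeps the outcome auditable.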