Security Solutions
3-107
Designing Access Controls
Finalize Security Policies
The sections below describe designing policies with IDM.
Note: You can also define policies by setting up RADIUS attributes manually on
RADIUS servers or on directory services that support RADIUS extensions.
Access Group Policies with IDM
If you are using IDM to manage policies, you should create one access policy
group for each different type of user you expect on your network (students,
faculty, guests, and so forth). In addition, you might need to create an access
policy group for devices such as IP telephones.
As you make a list of access policy groups, keep the following items in mind:
■ Each access policy group contains information on group members,
authentication criteria, and policy settings for that group; any member
assigned to a group is automatically linked to its authentication criteria
and its policies.
■ Each user can be assigned to only one access policy group. If you have a
user with a particular set of requirements that are not shared by other
users, you can assign that user to his or her own access policy group.
■ Each access group has its own policies, which consist of a set of rules.
■ Inputs to access group policy rules are location, time, system, WLAN, and
endpoint integrity posture.
■ Output from each rule is the access profile, which is described in the
section below.
■ Access group policy rules are processed in order. The first rule for which
an authentication request matches all the inputs is applied.
Access Profile. An access profile defines the access rights (VLAN, QoS, rate
limit, and resources [ACLs]) to be applied by the PEP to the user’s session.
You should generally create at least one access profile for each access policy
group. You might then create additional profiles that will apply to the group
under different circumstances. For example, you might create an “Employees”
profile and an “Employees_weekend” profile. If you are using endpoint integrity,
you must create at least one “quarantine” profile for users with noncompliant
endpoints. You might also create a “test” profile for users that have just
connected to the network and have not had their endpoint integrity checked.
You can list the access profiles for your network in Table 3-79.
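The following Python model is an added illustration of the rule processing described above; it is not part of this guide and does not reproduce IDM's own data structures. Rule inputs are the five listed on this page (location, time, system, WLAN, endpoint integrity posture), the output of a matching rule is an access profile (VLAN, QoS, rate limit, ACLs), and rules are evaluated in order with the first full match applied. Because first match wins, a catch-all rule placed ahead of the "quarantine" rule silently prevents quarantine from ever being applied, so the model also includes a check that reports rules shadowed by an earlier, at least as general rule. All profile values, ACL names, request values and class or function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of access policy group rules (not IDM's data model).
# The rule inputs named on the page: location, time, system, WLAN, posture.
FIELDS = ("location", "time", "system", "wlan", "posture")


@dataclass(frozen=True)
class AccessProfile:
    """Access rights the PEP applies to the session: VLAN, QoS, rate limit, ACLs."""
    name: str
    vlan: int
    qos_priority: int
    rate_limit_kbps: Optional[int]      # None means no rate limit
    acls: Tuple[str, ...] = ()          # constructed ACL names


@dataclass(frozen=True)
class Request:
    """Inputs of one authentication request (values are constructed samples)."""
    location: str
    time: str                 # "weekday" or "weekend"
    system: str
    wlan: Optional[str]       # None for a wired port
    posture: str              # "compliant", "noncompliant" or "unchecked"


@dataclass(frozen=True)
class Rule:
    """A rule matches when every input it constrains (non-None) equals the request's value."""
    profile: AccessProfile
    location: Optional[str] = None
    time: Optional[str] = None
    system: Optional[str] = None
    wlan: Optional[str] = None
    posture: Optional[str] = None

    def matches(self, req: Request) -> bool:
        return all(getattr(self, f) is None or getattr(self, f) == getattr(req, f)
                   for f in FIELDS)

    def at_least_as_general_as(self, other: "Rule") -> bool:
        """True if every request that matches `other` also matches this rule."""
        return all(getattr(self, f) is None or getattr(self, f) == getattr(other, f)
                   for f in FIELDS)


def evaluate(rules: List[Rule], req: Request) -> Optional[AccessProfile]:
    """First-match semantics: rules are processed in order; the first full match is applied."""
    for rule in rules:
        if rule.matches(req):
            return rule.profile
    return None          # no rule matched; the group would need a catch-all rule


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never be applied because an earlier rule is at least as general."""
    return [i for i, later in enumerate(rules)
            if any(earlier.at_least_as_general_as(later) for earlier in rules[:i])]


# Constructed access profiles for an "Employees" access policy group.
EMPLOYEES = AccessProfile("Employees", 10, 4, None, ("permit-corp-servers",))
EMPLOYEES_WEEKEND = AccessProfile("Employees_weekend", 10, 2, 5000, ("permit-corp-servers",))
TEST = AccessProfile("test", 900, 0, 1000, ("permit-posture-server-only",))
QUARANTINE = AccessProfile("quarantine", 999, 0, 512, ("permit-remediation-only",))

# Correctly ordered rules: the posture-specific rules come first, the catch-all last.
EMPLOYEES_RULES = [
    Rule(QUARANTINE, posture="noncompliant"),
    Rule(TEST, posture="unchecked"),
    Rule(EMPLOYEES_WEEKEND, time="weekend"),
    Rule(EMPLOYEES),
]

# The same rules with the catch-all moved first: every later rule is unreachable.
MISORDERED_RULES = [EMPLOYEES_RULES[3]] + EMPLOYEES_RULES[:3]


if __name__ == "__main__":
    req = Request("HQ-building-A", "weekend", "laptop-42", "corp-wifi", "noncompliant")
    print(evaluate(EMPLOYEES_RULES, req).name)    # quarantine
    print(evaluate(MISORDERED_RULES, req).name)   # Employees (quarantine never applied)
    print(shadowed_rules(MISORDERED_RULES))       # [1, 2, 3]
```

Running `shadowed_rules` over each access policy group after editing its rule list is a cheap way to catch the ordering mistake before a noncompliant endpoint is granted the full "Employees" profile.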