Security Solutions

1-59
Access Control Concepts
ProCurve IDM
Note: The IDM server and the PCM+ server can run on the same hardware as the
RADIUS server and the IDM agent. For example, you could install PCM+/IDM,
IAS, and the IDM agent on the same Windows Server 2003 system.
However, IDM often controls multiple RADIUS servers running on other
devices, and each of those RADIUS servers also requires the IDM agent. You
must install the IDM agent yourself on a third-party RADIUS server; the
NAC 800 includes the agent automatically.
In short, IDM allows you to set up a network access policy at the center of
your network and apply it dynamically at the edges. For example:

You can allow contract workers access to the network only from their
desks within normal working hours on weekdays, while allowing your
full-time employees access at any time and from anywhere on your
network.

You can allow guests network access only from lobbies or conference
rooms, and you can restrict them to Internet connections with limited
bandwidth. Employees, on the other hand, have access to all their normal
network resources at full speed even from those same lobbies and
conference rooms.

You can limit access to sensitive network resources (such as accounting
and personnel servers or patient information databases) to employees
from the appropriate departments while denying access to employees
from other departments. For example, a security policy could dictate that
a certain user has access to Accounting Department resources. The
RADIUS server sends the PEP instructions specifying the correct ACLs to
apply to the user's port.

You can alter the resources that users can access depending on the WLAN
through which they connect. For example, your organization might offer
two wireless networks: one, intended for employees, that enforces WPA2
security, and one, intended for guests, that enforces Web-Auth and no
encryption. As long as employees connect to the proper WLAN, they
receive all their normal rights. However, if they happen to connect to the
guest WLAN, they cannot access sensitive data (which must always be
encrypted).

You can assign users with non-compliant endpoints to a quarantine VLAN,
which allows the users to download patches but do nothing else, while
users with compliant endpoints are placed in their normal user VLAN. You
can assign endpoints infected with malware to another VLAN, and
endpoints that are still waiting to be tested to a fourth VLAN.
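The examples above all follow one pattern: the RADIUS server evaluates who is connecting, from where, when, over which WLAN, and in what endpoint state, and then returns attributes that the PEP (the switch or access point) applies to the port. The following Python model of that decision is an added illustration, not IDM or ProCurve code. The VLAN numbers, ACL names, roles, bandwidth figure, and the rule ordering are constructed assumptions; the Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-Id attributes are the standard RFC 3580 VLAN assignment, Filter-Id is the standard RFC 2865 attribute for naming an ACL, and the bandwidth attribute name is a placeholder for whatever vendor-specific attribute a given switch expects.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed VLAN plan and ACL names for this example (assumptions, not
# values taken from the page).
VLAN_EMPLOYEE, VLAN_GUEST = 10, 20
VLAN_QUARANTINE, VLAN_INFECTED, VLAN_PENDING = 30, 31, 32
GUEST_MAX_KBPS = 2000                 # guest rate limit (assumed figure)
WORK_START, WORK_END = 8, 18          # contractor window, 08:00-18:00 local
DEPARTMENT_ACL = {                    # department -> ACL that opens its servers
    "accounting": "permit-accounting-servers",
    "hr": "permit-personnel-servers",
    "clinical": "permit-patient-db",
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str                   # "employee" | "contractor" | "guest"
    department: Optional[str]   # only meaningful for employees
    location: str               # "desk" | "lobby" | "conference"
    when: datetime
    wlan: Optional[str]         # "corp-wpa2" | "guest-webauth" | None (wired)
    endpoint_state: str         # "compliant" | "noncompliant" | "infected" | "untested"


@dataclass(frozen=True)
class Decision:
    accept: bool
    reason: str
    vlan: Optional[int] = None
    acl: Optional[str] = None
    max_kbps: Optional[int] = None


def evaluate(req: AccessRequest) -> Decision:
    """Central policy. Order matters: endpoint health is checked first, then
    the identity-based rules with their location, time and WLAN conditions."""
    # 1. Endpoint health overrides identity: pending, infected and
    #    non-compliant endpoints each land in their own restricted VLAN.
    health = {
        "untested": (VLAN_PENDING, "endpoint awaiting test", "deny-all-but-remediation"),
        "infected": (VLAN_INFECTED, "endpoint infected", "deny-all-but-remediation"),
        "noncompliant": (VLAN_QUARANTINE, "endpoint non-compliant", "permit-patch-servers-only"),
    }
    if req.endpoint_state in health:
        vlan, why, acl = health[req.endpoint_state]
        return Decision(True, why, vlan=vlan, acl=acl)
    if req.endpoint_state != "compliant":
        return Decision(False, f"unknown endpoint state {req.endpoint_state!r}")

    # 2. Guests: lobby or conference room only, Internet only, rate-limited.
    if req.role == "guest":
        if req.location not in ("lobby", "conference"):
            return Decision(False, "guest outside lobby/conference room")
        return Decision(True, "guest", vlan=VLAN_GUEST,
                        acl="permit-internet-only", max_kbps=GUEST_MAX_KBPS)

    # 3. Contractors: own desk, weekdays, working hours only.
    if req.role == "contractor":
        weekday = req.when.weekday() < 5
        in_hours = WORK_START <= req.when.hour < WORK_END
        if req.location != "desk" or not weekday or not in_hours:
            return Decision(False, "contractor outside desk/working hours")
        return Decision(True, "contractor", vlan=VLAN_EMPLOYEE, acl="permit-contractor")

    # 4. Employees: anywhere, any time; rights depend on WLAN and department.
    if req.role == "employee":
        if req.wlan == "guest-webauth":
            # Unencrypted WLAN: normal identity, but sensitive data stays closed.
            return Decision(True, "employee on guest WLAN", vlan=VLAN_GUEST, acl="deny-sensitive")
        acl = DEPARTMENT_ACL.get(req.department or "", "deny-sensitive")
        return Decision(True, "employee", vlan=VLAN_EMPLOYEE, acl=acl)

    return Decision(False, f"unknown role {req.role!r}")


def radius_attributes(d: Decision) -> dict:
    """Render a Decision as the attributes an Access-Accept/Reject would carry.
    Tunnel-* is the RFC 3580 VLAN assignment; Filter-Id names the ACL;
    the bandwidth attribute name is a placeholder for a vendor-specific one."""
    if not d.accept:
        return {"code": "Access-Reject", "Reply-Message": d.reason}
    attrs = {"code": "Access-Accept"}
    if d.vlan is not None:
        attrs.update({"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                      "Tunnel-Private-Group-Id": str(d.vlan)})
    if d.acl is not None:
        attrs["Filter-Id"] = d.acl
    if d.max_kbps is not None:
        attrs["Vendor-Bandwidth-Max-Kbps"] = str(d.max_kbps)   # placeholder name
    return attrs


if __name__ == "__main__":
    req = AccessRequest("alice", "employee", "accounting", "desk",
                        datetime(2024, 3, 12, 10, 0), None, "compliant")
    print(radius_attributes(evaluate(req)))
```

The point of the model is the ordering: endpoint health is evaluated before identity, so a non-compliant accounting employee never reaches the rule that would hand out the accounting ACL, and an employee on the unencrypted guest WLAN keeps their identity but loses the sensitive-data ACL. A real deployment would express the same conditions in IDM's policy editor and the switch would enforce the returned VLAN, ACL and rate limit on the port.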
The figure below shows the difference between the standard RADIUS process
and the process with IDM.