HP Identity Driven Manager Software Series User Manual, Page 1

Browse online or download the user manual for the HP Identity Driven Manager Software Series software. HP Identity Driven Manager Software Series User Manual.

Table of Contents

Page 1 - User’s Guide

HP PCM+ 4.0 Identity Driven Manager User’s Guide

Page 2

1-4 Welcome to Identity Driven Manager: Introduction. Figure 1-1. IDM Architecture. IDM consists of an IDM Agent that is co-resident on the RADIUS server,

Page 3 - Contents

3-36 Using Identity Driven Manager: Configuring Access Profiles. Figure 3-27. Network Resource Assignment Wizard, Denied Network Resources. 9. To deny access

Page 4

3-37 Using Identity Driven Manager: Configuring Access Profiles. Figure 3-28. Network Resource Assignment Wizard, Priority Assignment. 10. Set the priority (

Page 5 - 5 Troubleshooting IDM

3-38 Using Identity Driven Manager: Configuring Access Profiles. Figure 3-29. Network Resource Assignment Wizard, Default Access. 12. Select the option to te

Page 6 - A IDM Technical Reference

3-39 Using Identity Driven Manager: Configuring Access Profiles. 14. Select the check box to enable one or more Accounting functions (optional). This enabl

Page 7

3-40 Using Identity Driven Manager: Configuring Access Profiles. 3. Modify the access profile parameters, as described for creating a new profile. Click Ed

Page 8 - What’s New in IDM 4.0?

3-41 Using Identity Driven Manager: Defining Access Policy Groups. Defining Access Policy Groups. An Access Policy Group (APG) contains rules that define the

Page 9 - IDM Architecture

3-42 Using Identity Driven Manager: Defining Access Policy Groups. To begin, expand the Domains node to display the Access Policy Group node in the IDM tre

Page 10 - Introduction

3-43 Using Identity Driven Manager: Defining Access Policy Groups. Figure 3-33. New Access Policy Group. 3. Type a Name and Description for the Access Policy

Page 11

3-44 Using Identity Driven Manager: Defining Access Policy Groups. Parameters for Access Rules are described in the following table. 6. Repeat the above pr

Page 12 - Terminology

3-45 Using Identity Driven Manager: Defining Access Policy Groups. 8. Click OK to save the Access Policy Group and close the window. IDM will verify that th

Page 13

1-5 Welcome to Identity Driven Manager: Introduction. The IDM Server provides IDM configuration and monitoring. It operates as an add-on module to PCM+, us

Page 14 - IDM Specifications

3-46 Using Identity Driven Manager: Defining Access Policy Groups. Figure 3-35. Access Rule with Endpoint Integrity options. Select the Endpoint Integrity op

Page 15 - Migrating from PCM/IDM 3.x

3-47 Using Identity Driven Manager: Defining Access Policy Groups. 1. Select the Access Policy Group node from the IDM tree to display the Access Policy Gr

Page 16 - Learning to Use PCM+ IDM

3-48 Using Identity Driven Manager: Configuring User Access. Configuring User Access. The process of configuring User access to network resources using IDM i

Page 17 - Getting Started

3-49 Using Identity Driven Manager: Configuring User Access. Adding Users to an Access Policy Group. To assign a user to an access policy group: 1. Expand the

Page 18 - Before You Begin

3-50 Using Identity Driven Manager: Configuring User Access. Changing Access Policy Group Assignments. To re-assign users to a different APG: 1. Select the ac

Page 19

3-51 Using Identity Driven Manager: Configuring User Access. Figure 3-37. Global Rules tab. The Global Rules tab provides the following data about defined gl

Page 20 - Installing on a Linux System

3-52 Using Identity Driven Manager: Configuring User Access. 2. Click the Create a New Global Rule button to display the New Global Rule window. Figure 3-38

Page 21

3-53 Using Identity Driven Manager: Configuring User Access. d. Select the WLAN where the global rule will be used, or ANY Note that this option only appea

Page 22 - Understanding the IDM Model

3-54 Using Identity Driven Manager: Configuring Auto-Allow OUIs. Configuring Auto-Allow OUIs. In addition to traditional authentication methods, such as 802.

Page 23

3-55 Using Identity Driven Manager: Configuring Auto-Allow OUIs. Figure 3-39. Network Access with Auto-Allow OUI. In the picture above, the following steps t

Page 24 - IDM GUI Overview

1-6 Welcome to Identity Driven Manager: Terminology. Terminology. Access Policy Group: An IDM access policy group consists of one or more rules that govern th

Page 25

3-56 Using Identity Driven Manager: Configuring Auto-Allow OUIs. 5. If a match is found, the device is assigned to the Access Policy Group associated with

Page 26 - Using the Navigation Tree

3-57 Using Identity Driven Manager: Configuring Auto-Allow OUIs. To view all Auto-Allow OUIs in an Access Policy Group: 1. From the IDM navigation tree, sel

Page 27 - Domain Tabs

3-58 Using Identity Driven Manager: Configuring Auto-Allow OUIs. Monitoring OUI Events and User Session Information. When an incoming user name (MAC address)

Page 28

3-59 Using Identity Driven Manager: Configuring Auto-Allow OUIs. Figure 3-42. Add Auto-Allow OUI. 3. Select a pre-loaded well-known OUI or type in your own M

Page 29

3-60 Using Identity Driven Manager: Configuring Auto-Allow OUIs. c. Optionally, in the Description field, type a brief description identifying the type of

Page 30

3-61 Using Identity Driven Manager: Configuring Auto-Allow OUIs. OR Type the common characters in the prefix (1-12 hexadecimal characters) in the aa:aa:aa:a

Page 31 - Access Policy Groups node

3-62 Using Identity Driven Manager: Configuring Auto-Allow OUIs. Editing your own CUSTOMOUIs file (example): OUIS { xyzPhoneVendor { aa-bb-c1=

Page 32 - RADIUS Servers node

3-63 Using Identity Driven Manager: Configuring Auto-Allow OUIs. Moving an OUI to Another Access Policy Group. 1. Navigate to the Auto-Allow OUIs tab for the

Page 33 - Toolbars and Menus

3-64 Using Identity Driven Manager: Configuring Auto-Allow OUIs. Auto-Allow OUIs for 802.1x and Web Authentications. The order in which the access control is

Page 34

3-65 Using Identity Driven Manager: Configuring Auto-Allow OUIs

Page 35 - Using IDM Reports

1-7 Welcome to Identity Driven Manager: Terminology. Endpoint Integrity: Also referred to as “Host Integrity,” this refers to the use of applications that c

Page 36

3-66 Using Identity Driven Manager: Deploying Configurations to the Agent. Deploying Configurations to the Agent. An option in the IDM Preferences allows you

Page 37

3-67 Using Identity Driven Manager: Using Manual Configuration. Using Manual Configuration. It is simplest to let the IDM Agent run and collect information a

Page 38 - Creating Report Policies

3-68 Using Identity Driven Manager: Using Manual Configuration. 3. Click OK to save the Domain information and close the window. The new Domain appears in

Page 39

3-69 Using Identity Driven Manager: Adding RADIUS Clients. Adding RADIUS Clients. You can add and update RADIUS clients (PCM switches and manually added clie

Page 40

3-70 Using Identity Driven Manager: Adding RADIUS Clients. 4. Select the PCM switches to be configured as RADIUS clients on the selected RADIUS servers. Fig

Page 41

3-71 Using Identity Driven Manager: Adding RADIUS Clients. c. Click Next. As an example, suppose two RADIUS servers (S1, S2) and two RADIUS clients (C1, C2)

Page 42

3-72 Using Identity Driven Manager: Adding RADIUS Clients. Figure 3-48. Add RADIUS Client Wizard, RADIUS Parameters. To configure RADIUS parameters for a sin

Page 43

3-73 Using Identity Driven Manager: Adding RADIUS Clients. a. In the RADIUS clients list on the left, select All RADIUS clients to configure all listed cli

Page 44 - IDM Session Cleanup Policy

3-74 Using Identity Driven Manager: Adding RADIUS Clients. Figure 3-49. Add RADIUS Client Wizard, Application of Settings. 9. The final window of the Add RA

Page 45

3-75 Using Identity Driven Manager: Adding RADIUS Clients. Deleting RADIUS Servers. To delete an existing RADIUS Server: Note: Before you can completely delet

Page 46

1-8 Welcome to Identity Driven Manager: IDM Specifications. IDM Specifications. Supported Devices. For a list of IDM 4.0 features supported on HP Networking de

Page 47

3-76 Using Identity Driven Manager: Adding RADIUS Clients. Adding New Users. You can let the IDM Agent automatically learn about the users from the Active Di

Page 48 - Column Displays

3-77 Using Identity Driven Manager: Adding RADIUS Clients. 3. To restrict the user from logging in from a system that has not been defined in IDM, click th

Page 49

3-78 Using Identity Driven Manager: Adding RADIUS Clients. Bulk import of allowed systems for IDM users. If the multiple MAC addresses are to be added to the

Page 50

3-79 Using Identity Driven Manager: Adding RADIUS Clients. ALLOWED_SYSTEMS_FILENAME specifies the complete path of the Comma Separated Value (CSV) file. The va

Page 51 - Find User Session

3-80 Using Identity Driven Manager: Adding RADIUS Clients. Note: Changes in Access Policy Group settings are not applied to the user until you Deploy the n

Page 52 - User Reports

3-81 Using Identity Driven Manager: Using the User Import Wizard. Using the User Import Wizard. The IDM User Import Wizard lets you add users to IDM from ano

Page 53

3-82 Using Identity Driven Manager: Using the User Import Wizard. directory. If you are using any other LDAP directory source (for example Novell eDirector

Page 54 - Show Mitigations

3-83 Using Identity Driven Manager: Using the User Import Wizard. Figure 3-53. IDM User Import Wizard. 3. Click Next to continue to the Data Source selection

Page 55 - IDM Preferences

3-84 Using Identity Driven Manager: Using the User Import Wizard. 4. Click the radio button to select the Active Directory data source. 5. Click Next to con

Page 56

3-85 Using Identity Driven Manager: Using the User Import Wizard. 6. Select the scope of Active Directory groups from which you want to import user data. 7

Page 57

1-9 Welcome to Identity Driven Manager: Upgrading from Previous Versions of PCM and IDM. Upgrading from Previous Versions of PCM and IDM. The installation pa

Page 58

3-86 Using Identity Driven Manager: Using the User Import Wizard. Figure 3-57. IDM User Import Wizard, Add Users. 11. Check the Select check box(es) to choos

Page 59

3-87 Using Identity Driven Manager: Using the User Import Wizard. 13. Click Next to continue to the Users and Groups Commitment window. Figure 3-58. IDM Use

Page 60

3-88 Using Identity Driven Manager: Using the User Import Wizard. Figure 3-59. IDM User Import Wizard, LDAP Authentication. a. To use the SSL authentication

Page 61

3-89 Using Identity Driven Manager: Using the User Import Wizard. b. Select the LDAP Authentication type to be used with the imported user data: c. Click Ne

Page 62

3-90 Using Identity Driven Manager: Using the User Import Wizard. Figure 3-60. IDM User Import Wizard, Simple Authentication. To set up Simple authentication

Page 63

3-91 Using Identity Driven Manager: Using the User Import Wizard. Figure 3-61. IDM User Import Wizard, SASL Digest MD5 Authentication. To set up Digest MD5 a

Page 64

3-92 Using Identity Driven Manager: Using the User Import Wizard. Figure 3-62. IDM User Import Wizard, SASL Kerberos V5 Authentication. To set up Kerberos V5

Page 65

3-93 Using Identity Driven Manager: Using the User Import Wizard. Figure 3-63. IDM User Import Wizard, SASL External Authentication. To set up External authe

Page 66 - Configuration Process Review

3-94 Using Identity Driven Manager: Using the User Import Wizard. For example, if the X509 User Certificate is "myldapcert.cer" and the alias i

Page 67

3-95 Using Identity Driven Manager: Using the User Import Wizard. The remainder of the process for importing users from LDAP Servers is the same as describ

Page 68 - Configuring Locations

1-10 Welcome to Identity Driven Manager: Learning to Use PCM+ IDM. Learning to Use PCM+ IDM. The following information is available for learning to use PCM+

Page 69 - Adding a New Location

3-96 Using Identity Driven Manager: Using the User Import Wizard. KERBEROS_JAAS_CONFIG_FILE=config/idm_kerberos_jaas.conf // configuration file for JAAS K

Page 70

3-97 Using Identity Driven Manager: Using the User Import Wizard. When using Novell eDirectory: //Configuration for LDAP directory. Following values are for

Page 71

3-98 Using Identity Driven Manager: Using the User Import Wizard. Figure 3-65. IDM User Import Wizard, XML Data Source. To identify the XML file: 1. In the F

Page 72

3-99 Using Identity Driven Manager: Using the User Import Wizard. <Group name="group name" description="group description"> <Member name="u

Page 73 - Modifying a Location

3-100 Using Identity Driven Manager: Using the User Import Wizard. • Any line that begins with the # character is considered a comment. • Auth ID must be a val

Page 74 - Deleting a Location

3-101 Using Identity Driven Manager: Using the User Import Wizard. "user44","444444444444","44dev","facultyGroup",&

Page 75 - Configuring Times

3-102 Using Identity Driven Manager: Using the User Import Wizard. a. From the global toolbar, select Tools > Preferences. b. From the Preferences navigat

Page 76 - Creating a New Time

3-103 Using Identity Driven Manager: Using the User Import Wizard. Figure 3-68. IDM User Import Wizard

Page 77

3-104 Using Identity Driven Manager: Using the User Import Wizard. 3. Click Next to continue to the Data Source selection window. Figure 3-69. Data Source. 4

Page 78 - Deleting a Time

3-105 Using Identity Driven Manager: Using the User Import Wizard. Figure 3-70. CSV Data Source. 6. Click Next to the Extracting User and Group Information w

Page 79 - Device Finger Printing

2-1 2 Getting Started: Before You Begin. If you have not already done so, please review the list of supported devices and operating requirements under “IDM

Page 80

3-106 Using Identity Driven Manager: Using the User Import Wizard. Figure 3-71. Extracting User and Group Information. 7. The IDM Import Wizard now shows all

Page 81

3-107 Using Identity Driven Manager: Using the User Import Wizard. Figure 3-72. Add Users

Page 82 - Deleting a User Agent Mapping

3-108 Using Identity Driven Manager: Using the User Import Wizard. Figure 3-73. Remove Users. 8. Without changing any settings in the Remove User’s window th

Page 83 - Device Type Groups

3-109 Using Identity Driven Manager: Using the User Import Wizard. Figure 3-74. Users and Groups Commitment. 9. Click Go. The devices imported to the IDM DB c

Page 84

3-110 Using Identity Driven Manager: Using the User Import Wizard. Figure 3-75. Imported Device to IDM DB

Page 85

3-111 Using Identity Driven Manager: Using the User Import Wizard. 10. Import Complete window appears. Click Finish. Figure 3-76. Import Complete. 11. In the

Page 86

3-112 Using Identity Driven Manager: Using the User Import Wizard. Figure 3-77. Devices Added to User Tab View. 12. Enable the Active Directory synchronizati

Page 87

3-113 Using Identity Driven Manager: Using the User Import Wizard. Figure 3-79. CSV File Content Error

Page 88 - Modify Device Type Group

3-114 Using Identity Driven Manager: Using the User Import Wizard

Page 89 - Configuring Network Resources

4-1 4 Using the Secure Access Wizard: Overview. The Secure Access Wizard (SAW) feature in IDM is designed to simplify the initial setup of IDM by reducing t

Page 90

2-2 Getting Started: Before You Begin. 2. From the available downloads list, click Windows PCM/IDM Agent Installer and then click Save to download the file

Page 91 - Adding a Network Resource

4-2 Using the Secure Access Wizard: Overview. Supported Devices. The Secure Access Wizard feature is on PCM devices that support use of 802.1X, Web-Auth, and

Page 92 - ▼] to set the mask number

4-3 Using the Secure Access Wizard: Using Secure Access Wizard. Using Secure Access Wizard. Note: The following section provides instructions on using the S

Page 93 - Deleting a Network Resource

4-4 Using the Secure Access Wizard: Using Secure Access Wizard. Note: If you do not have a licensed copy of the PCM Mobility Manager software and there are

Page 94 - Network Resource button

4-5 Using the Secure Access Wizard: Using Secure Access Wizard. 4. Click Next to continue to the next window. 5. If you selected one or more AP530 wireless

Page 95

4-6 Using the Secure Access Wizard: Using Secure Access Wizard. Use the Device Capabilities link to determine if you can upgrade the device software to a v

Page 96 - Creating a New Access Profile

4-7 Using the Secure Access Wizard: Using Secure Access Wizard. Figure 4-4. Secure Access Wizard, Authentication Method Selection example. 14. Click the chec

Page 97

4-8 Using the Secure Access Wizard: Using Secure Access Wizard. Figure 4-5. Secure Access Wizard, Port Selection example. 16. To select ports from a list, cl

Page 98

4-9 Using the Secure Access Wizard: Using Secure Access Wizard. Figure 4-6. Secure Access Wizard, Select Ports. When the desired ports are selected, click OK

Page 99

4-10 Using the Secure Access Wizard: Using Secure Access Wizard. • If you selected a wireless device, the WLAN selection window displays, as described in s

Page 100 - Configuring Access Profiles

4-11 Using the Secure Access Wizard: Using Secure Access Wizard. 22. The 802.1X Configuration window lets you select the authentication method to be applie

Page 101

2-3 Getting Started: Before You Begin. Figure 2-2. Server Information. For the Agent to communicate with the PCM server, these values MUST MATCH the values s

Page 102

4-12 Using the Secure Access Wizard: Using Secure Access Wizard. b. In the Client Limit field, select or type the maximum number of clients to allow on one

Page 103 - Modifying an Access Profile

4-13 Using the Secure Access Wizard: Using Secure Access Wizard. If a device does not support the selected setting, the value you set will appear in the SA

Page 104 - Deleting an Access Profile

4-14 Using the Secure Access Wizard: Using Secure Access Wizard. 23. The Web-Auth Configuration window lets you select the RADIUS authentication method se

Page 105 - Defining Access Policy Groups

4-15 Using the Secure Access Wizard: Using Secure Access Wizard. Figure 4-11. Secure Access Wizard, Advanced Wired Web-Auth. Advanced Web-Auth settings for

Page 106

4-16 Using the Secure Access Wizard: Using Secure Access Wizard. If a device does not support the selected setting, the value you set will appear in the SA

Page 107

4-17 Using the Secure Access Wizard: Using Secure Access Wizard. Figure 4-12. Secure Access Wizard, MAC-Auth Configuration display. a. Select the MAC address

Page 108

4-18 Using the Secure Access Wizard: Using Secure Access Wizard. Figure 4-13. Secure Access Wizard, Advanced (wired) Mac-Auth settings. c. Click the check b

Page 109

4-19 Using the Secure Access Wizard: Using Secure Access Wizard. If a device does not support the selected setting, the value you set will appear in the SA

Page 110

4-20 Using the Secure Access Wizard: Using Secure Access Wizard. a. Select the check box for a RADIUS server to enable the server IP address field, and the

Page 111

4-21 Using the Secure Access Wizard: Using Secure Access Wizard. Enter the RADIUS shared secret to be used for access authentication. Re-enter the shared s

Page 112 - Configuring User Access

Hewlett-Packard Company 8000 Foothills Boulevard, m/s 5551 Roseville, California 95747-5551 http://www.procurve.com © Copyright 2004, 2005, 2007, 2009,

Page 113

2-4 Getting Started: Before You Begin. e. To change the default Password that the Agent will use to communicate with the PCM server, clear the related Use

Page 114 - Using Global Rules

4-22 Using the Secure Access Wizard: Using Secure Access Wizard. 34. Click the link to Save settings or Save as template, and launch the Save Settings dial

Page 115

4-23 Using the Secure Access Wizard: Using Secure Access Wizard. Figure 4-18. Secure Access Wizard, Configuration Preview display. 39. Review the access secu

Page 116

4-24 Using the Secure Access Wizard: Using Secure Access Wizard. Figure 4-19. Secure Access Wizard, Applying Settings status. This window displays the progre

Page 117 - Changing Global Rules

5-1 5 Troubleshooting IDM: IDM Events. The IDM Events window is used to view and manage IDM events generated by the IDM application or the IDM Agent instal

Page 118 - Configuring Auto-Allow OUIs

5-2 Troubleshooting IDM: IDM Events. The IDM Events tab works similarly to the PCM Events tab. It lists the IDM events currently contained in the database.

Page 119

5-3 Troubleshooting IDM: IDM Events. Select an event in the Events listing to display the Event Details at the bottom of the window. Figure 5-2. IDM Event

Page 120 - For an Access Policy Group

5-4 Troubleshooting IDM: IDM Events. Using Event Filters. The events shown in the Events tab view can be filtered to show only specific events based on the d

Page 121

5-5 Troubleshooting IDM: IDM Events. b. Unselect any filters that you want to remove. c. Click Apply. 4. To clear all selections that are currently set in t

Page 122 - Adding an OUI

5-6 Troubleshooting IDM: IDM Events. Figure 5-4. IDM Event Archive. The Archived Events window provides the following information for each event: You can sele

Page 123

5-7 Troubleshooting IDM: IDM Events. To further filter archived events, in the Filter field type the text of the filter you want to use. The display will l

Page 124

2-5 Getting Started: Before You Begin. RADIUS Server, then let it run to collect the information as users log into the network. Even after you begin creati

Page 125

5-8 Troubleshooting IDM: IDM Events. Figure 5-5. Preferences, IDM Events. 2. Use the fields in the Retain Messages section to set the percentage of IDM even

Page 126 - Modifying an OUI

5-9 Troubleshooting IDM: IDM Events. 4. In the Archive events older than field, select the number of days to wait before archiving IDM events. 5. Use the Li

Page 127 - Deleting an OUI

5-10 Troubleshooting IDM: IDM Events. Figure 5-6. RADIUS Server Activity Log. The Activity Log provides information similar to IDM Events, except that the en

Page 128

5-11 Troubleshooting IDM: Using Decision Manager Tracing. Using Decision Manager Tracing. IDM provides a tracing tool (DMConfig.prp) and log file (DM-IDMDM.l

Page 129

5-12 Troubleshooting IDM: Using Decision Manager Tracing. • Configuration deployments to the IDM Agent, along with the actual configuration image.

Page 130

5-13 Troubleshooting IDM: Quick Tips. Quick Tips. Placing IDM Server into the AD Domain. If you installed a PCM/IDM server on a system that was not a member o

Page 131 - Using Manual Configuration

5-14 Troubleshooting IDM: Quick Tips. Note: After this configuration, the snac-jboss-server.log will no longer be present in the server/log directory. Howe

Page 132

A-1 A IDM Technical Reference: Device Support for IDM Features. Due to variations in hardware and software configuration of various HP Networking devices, n

Page 133 - Adding RADIUS Clients

A-2 IDM Technical Reference: Device Support for IDM Features. Table A-1. Feature/Device Support for IDM 4.0. Switch/Wireless Device, Min SW Req’d, ACLs, VLANs, Qo

Page 134

A-3 IDM Technical Reference: Device Support for IDM Features. WESM 1.0 XX XXXX WESM 2.0 XXXXXXX a - F.05.14; b - F.04.08; c - H.07.54; d - H.08.53; e - H.07.

Page 135

2-6 Getting Started: Before You Begin. 7. If Active Directory synchronization is not used, assign Users to the appropriate Access Policy Group. (See page 3

Page 136

A-4 IDM Technical Reference: Best Practices. Best Practices. Authentication Methods. The IDM application is designed to support RADIUS server implementation wi

Page 137

A-5 IDM Technical Reference: Best Practices. Allowing vs. Rejecting Access. When evaluating the rules for the Access Policy Group when a user logs in, IDM is

Page 138

A-6 IDM Technical Reference: Best Practices. The other important piece in this process is the order of the rules. In the second example, if you change the

Page 139 - Deleting RADIUS Servers

A-7 IDM Technical Reference: Types of User Events. Types of User Events. The USER_FAILED_LOGIN event happens whenever RADIUS sends IDM a message of an unsucc

Page 140 - Adding New Users

A-8 IDM Technical Reference: Types of User Events

Page 141 - Configuring User Systems

Index–1 Index. Numerics: 802.1X configuration, SAW 4-11. A: Access Attributes 3-32; Access attributes 3-33; Access Information 2-34; Access Policy: order 3-4

Page 142

Index–2 Index. IDM model 3-1; IDM Server, placing into the AD Domain 5-13; Import: from Active Directory 3-81, 3-101; Import procedure 3-80; Importing Us

Page 143 - Modifying and Deleting Users

Index–3 Index. U: Unauthorized users A-4; Unknown users A-4; User: add to IDM 3-76, edit IDM 3-79; User Access 3-48; User Import: LDAP Server 3-87; User Import

Page 146

2-7 Getting Started: Before You Begin. The basic operational model of IDM involves Users and Groups. Every User belongs to a Group and, in IDM, these are c

Page 147

ProCurve 5400zl Switches Installation and Getting Started Guide. Technology for better business outcomes. To learn more, visit www.hp.com/netwo

Page 148

2-8 Getting Started: IDM GUI Overview. IDM GUI Overview. To use the IDM client, launch the PCM Client on your PC by selecting the PCM option from the Windows

Page 149

2-9 Getting Started: IDM GUI Overview. Figure 2-4. IDM Dashboard. The IDM initial display provides a quick view of IDM status in the Dashboard tab, along wit

Page 150

2-10 Getting Started: IDM GUI Overview. IDM Dashboard. The IDM Dashboard is a monitoring tool that provides a quick summary view of IDM users, RADIUS servers

Page 151

2-11 Getting Started: IDM GUI Overview. Figure 2-5. Domain List tab. Domain Tabs. Expanding the Domains node and clicking a domain in the tree displays the Das

Page 152

2-12 Getting Started: IDM GUI Overview. Domain Properties tab: Selecting an individual domain in the tree and then clicking the Properties tab displays sum

Page 153 - For Simple Authentication

2-13 Getting Started: IDM GUI Overview. Domain Global Rules tab: Clicking this tab displays rules that override Access Policy Group rules and provides func

Page 154

Contents-i Contents. 1 Welcome to Identity Driven Manager: Introduction

Page 155

2-14 Getting Started: IDM GUI Overview. Figure 2-9. Domain Users tab. Expanding the Domain node in the tree will display the Access Policy Groups and RADIUS

Page 156 - Using External Authentication

2-15 Getting Started: IDM GUI Overview. Access Policy Groups node. Clicking the Access Policy Group node displays the Access Policy Groups tab with a list of

Page 157

2-16 Getting Started: IDM GUI Overview. Click the individual group node in the navigation tree to display the group’s Dashboard, Properties, Auto-Allow OU

Page 158

2-17 Getting Started: IDM GUI Overview. Toolbars and Menus. Because IDM is a module within PCM+, it uses the same main menu and global toolbar functions. Ind

Page 159

2-18 Getting Started: Using IDM as a Monitoring Tool. Using IDM as a Monitoring Tool. Whether or not you configure and apply access and authorization paramet

Page 160

2-19 Getting Started: Using IDM Reports. Using IDM Reports. IDM provides reports designed to help you monitor and analyze usage patterns for network resource

Page 161

2-20 Getting Started: Using IDM Reports. By default, all user history is reset and all session history is deleted by the predefined IDM Session Cleanup pol

Page 162 - XML User Import File Example

2-21 Getting Started: Using IDM Reports. Session History Details: Detailed information about all login attempts, whether successful or failed. This report is

Page 163 - (CSV) file

2-22 Getting Started: Creating Report Policies. Creating Report Policies. You can also use the Policy Manager feature to schedule reports to be created at re

Page 164

2-23 Getting Started: Creating Report Policies. Figure 2-15. Policy Manager, Actions. The Manage Actions window displays the list of defined Actions. 3. Click

Page 165

Contents-ii Contents. Show Mitigations 2-38; IDM Preferences

Page 166

2-24 Getting Started: Creating Report Policies. 4. Select the Report Manager:Generate Report Action type from the menu. Figure 2-17. Policy Manager, Select

Page 167

2-25 Getting Started: Creating Report Policies. At this point the other tabs displayed are: Type: Lets you select the Report type you want to generate. As s

Page 168 - Figure 3-69. Data Source

2-26 Getting Started: Creating Report Policies. Figure 2-20. Report Manager Action: Report format selection. 10. Select how you want to generate the report f

Page 169 - Figure 3-70. CSV Data Source

2-27 Getting Started: Creating Report Policies. Figure 2-21. Report Manager Action: Report Delivery method. Email is the default method. It will email the re

Page 170

2-28 Getting Started: Creating Report Policies. e. In the Password field, type the password used to access the FTP site. f. Select the Filename conventions

Page 171 - Figure 3-72. Add Users

2-29 Getting Started: Creating Report Policies. 1. Click the Policy Manager button in the toolbar. OR Select Tools > Policy Manager to launch the Policy C

Page 172 - Figure 3-73. Remove Users

2-30 Getting Started: Creating Report Policies. 4. Click the Schedule tab to review and edit the schedule parameters. Figure 2-25. IDM Session Cleanup Sched

Page 173 - Tab view

2-31 Getting Started: Creating Report Policies. 7. Use the radio buttons to select No end date, End by, or Maximum occurrences to identify when the schedul

Page 174

2-32 Getting Started: Monitoring User Session Information. Monitoring User Session Information. You can use IDM to just monitor the network, and receive deta

Page 175 - Figure 3-76. Import Complete

2-33 Getting Started: Monitoring User Session Information. 3. Click the User Properties tab to view the following information: 4. Click the Session Info tab

Page 176

Contents-iii Contents. Adding Users to an Access Policy Group 3-49; Changing Access Policy Group Assignm

Page 177

2-34 Getting Started: Monitoring User Session Information. 5. Click the Location Info tab to view the following information: a. Click the Disable Ethernet o

Page 178

2-35 Getting Started: Monitoring User Session Information. Find User Session. The Find User Session feature lets you search and display information about a us

Page 179 - Overview

2-36 Getting Started: Monitoring User Session Information. Figure 2-27. Find User Session. 2. In the Auth ID field, type the complete Auth ID that you want

Page 180 - Supported Devices

2-37 Getting Started: Monitoring User Session Information. Figure 2-28. Report Wizard, Report Filter. 3. To report on a specific time range, clear the All Da

Page 181 - Using Secure Access Wizard

2-38 Getting Started: Monitoring User Session Information. Figure 2-29. Report Wizard, Columns to Include. 4. Select the check boxes to select the data colum

Page 182

2-39 Getting Started: Monitoring User Session Information. To show or delete mitigations: 1. In the IDM Users tab, right-click a mitigated user and choose S

Seite 183

2-40Getting StartedMonitoring User Session InformationClick the option check boxes to select (check) or deselect (clear) the following options. 1. Sel

Seite 184

2-41Getting StartedMonitoring User Session Information7. To reset all session accounting information whenever the server is restarted, select the Rese

Seite 185

2-42Getting StartedMonitoring User Session InformationUsing Active Directory SynchronizationThe Active Directory Synchronization (AD Sync) feature pro

Seite 186

2-43Getting StartedMonitoring User Session InformationFigure 2-31. Identity Management Preferences: User Directory Settings2. In the left pane of the

Seite 187

Contents-ivContentsPlacing IDM Server into the AD Domain . . . . . . . . . . . . . . . . . . . . . . . . . 5-13A IDM Technical ReferenceDevice Suppor

Seite 188

2-44Getting StartedMonitoring User Session InformationFigure 2-32. Add/Review AD Groups to SynchronizeThe Active Directory is queried for all groups i

Seite 189

2-45Getting StartedMonitoring User Session Informationsynchronizes on Group A or Group B, User 1 is imported into the group with the higher priority.

Seite 190

2-46Getting StartedMonitoring User Session Information12. An Importing Users dialog box will display the number of users being imported and a progress

Page 191

2-47 Getting Started - Monitoring User Session Information - Within a Domain, Access Policy Group names must be unique. If Access Policy Groups are being c

Page 192

2-48 Getting Started - Monitoring User Session Information

Page 193

3 Using Identity Driven Manager - Understanding the IDM Configuration Model - As described in the IDM model on page 2-6, everything relates to the top level

Page 194

3-2 Using Identity Driven Manager - Understanding the IDM Configuration Model - Configuration Process Review - Assuming that you opted to enable Active Director

Page 195

3-3 Using Identity Driven Manager - Understanding the IDM Configuration Model - 10. For the devices that will perform MAC authentication, you can configure A

Page 196

3-4 Using Identity Driven Manager - Configuring Locations - Configuring Locations - Locations in IDM identify the switch and/or ports on the switch and wireless

Page 197

3-5 Using Identity Driven Manager - Configuring Locations - Adding a New Location - To create a new location: 1. Click the New Location button in the Locations t

Page 198

1 Welcome to Identity Driven Manager - Introduction - Network usage has skyrocketed with the expansion of the Internet, wireless, and convergence technologie

Page 199

3-6 Using Identity Driven Manager - Configuring Locations - Figure 3-4. New Device window - 5. Use the Select Device Group list to select the Agent and device m

Page 200

3-7 Using Identity Driven Manager - Configuring Locations - 7. Use the Port Selection section to define the ports on the device that will be associated with

Page 201

3-8 Using Identity Driven Manager - Configuring Locations - Figure 3-5. Create a New Location, Wireless Devices - 2. Click Add Device to display the Wireless De

Page 202

3-9 Using Identity Driven Manager - Configuring Locations - 3. Click the check box(es) to select the radio ports to be included in the location, and then cli

Page 203 - Troubleshooting IDM

3-10 Using Identity Driven Manager - Configuring Locations - Deleting a Location - To remove an existing Location: 1. Select the Locations node from the Identity

Page 204

3-11 Using Identity Driven Manager - Configuring Times - Configuring Times - Times are used to define the hours and days when a user can connect to the network.

Page 205 - Pausing the Events Display

3-12 Using Identity Driven Manager - Configuring Times - Figure 3-8. Times Properties - Creating a New Time - To create a new Time: 1. In the Times Pane, click the

Page 206 - Using Event Filters

3-13 Using Identity Driven Manager - Configuring Times - Figure 3-9. Create a New Time - 2. Define the properties for the new time. 3. Click OK to save the new

Page 207 - Viewing the Events Archive

3-14 Using Identity Driven Manager - Configuring Times - Modifying a Time - To modify a Time: 1. In the Times pane, select a Time from the navigation tree to dis

Page 208

3-15 Using Identity Driven Manager - Device Finger Printing - 2. Click Add to launch the Add Holiday window. - Figure 3-11. Add Holiday - 3. The Date field default

Page 209 - Setting IDM Event Preferences

1-2 Welcome to Identity Driven Manager - Introduction - 5. If the user is authenticated, the PCM device grants the user access to the network. If the user is

Page 210 - IDM Events

3-16 Using Identity Driven Manager - Device Finger Printing - Figure 3-12. Device Finger Printing - User Agent To Device Types Mapping - The administrator can see

Page 211 - Using Activity Logs

3-17 Using Identity Driven Manager - Device Finger Printing - • Device Type - Figure 3-13. User Agent to Device Types - Note: Users tab view reflects the device ty

Page 212

3-18 Using Identity Driven Manager - Device Finger Printing - Figure 3-14. New User Agent to Device Type Mapping - Bulk Import of User Agent Pattern Mappings - To

Page 213

3-19 Using Identity Driven Manager - Device Finger Printing - 2. A dialog box appears to confirm before deleting the entry. If the device type being deleted

Page 214

3-20 Using Identity Driven Manager - Device Finger Printing - Under Device Type Groups node, each node represents one Device Type Group object. A Device Type

Page 215 - Quick Tips

3-21 Using Identity Driven Manager - Device Finger Printing - To edit the selected Device type group object, click any entry in Device Type Group Name. - Figure

Page 216

3-22 Using Identity Driven Manager - Device Finger Printing - Figure 3-17. Create a new Device Type Group - 2. Click Add/Remove. A dialog box appears to select

Page 217 - IDM Technical Reference

3-23 Using Identity Driven Manager - Device Finger Printing - Figure 3-18. Select Device Types - 3. After selecting the device types, click OK. 4. The new group

Page 218

3-24 Using Identity Driven Manager - Device Finger Printing - Figure 3-19. Edit/Delete Created Groups - Modify Device Type Group - To modify a new Device Type Gro

Page 219

3-25 Using Identity Driven Manager - Configuring Network Resources - IDM has pre-configured Device Type Groups for each of the catch-all patterns. • All A

Page 220 - Best Practices

1-3 Welcome to Identity Driven Manager - Introduction - • An administrative GUI for configuration, events viewing and SSL certificate management • A SNAC-IDM

Page 221 - Allowing vs. Rejecting Access

3-26 Using Identity Driven Manager - Configuring Network Resources - Figure 3-20. Network Resources - The Network Resources window lists the name and parameters

Page 222 - Rate-Limiting

3-27 Using Identity Driven Manager - Configuring Network Resources - Figure 3-21. Network Resources - Details - Note: When you open the details window, it is in

Page 223 - Types of User Events

3-28 Using Identity Driven Manager - Configuring Network Resources - Figure 3-22. Define Network Resource - 2. Define the properties for the network resource. T

Page 224

3-29 Using Identity Driven Manager - Configuring Network Resources - * Valid port names supported in IDM include: ftp, syslog, ldap, http, imap4, imap3, nntp

Page 225

3-30 Using Identity Driven Manager - Configuring Network Resources - 2. Click in the list to select the network resource to delete, then click the Delete N

Page 226 - Index–2

3-31 Using Identity Driven Manager - Configuring Access Profiles - Configuring Access Profiles - IDM uses an Access Profile to set the VLAN, QoS, Bandwidth (rat

Page 227

3-32 Using Identity Driven Manager - Configuring Access Profiles - Select the Access Profile node from the navigation tree, or double-click a profile from th

Page 228 - Index–4

3-33 Using Identity Driven Manager - Configuring Access Profiles - 2. Define the attributes for the Access Profile: Notes: If you are assigning any VLAN othe

Page 229

3-34 Using Identity Driven Manager - Configuring Access Profiles - 3. If you want the IDM QoS attributes to override the switch attributes, use the QoS list

Page 230 - ProCurve 5400zl Switches

3-35 Using Identity Driven Manager - Configuring Access Profiles - Figure 3-26. Network Resource Assignment Wizard, Allowed Network Resources - 8. To permit acc
