HP (Hewlett-Packard) 700wl Series Switch User Manual

Configuring Authentication
specification, determine a Connection Profile for the client. The client’s identity (who the client is) is
determined through the authentication process. This is used to determine an Identity Profile for the client.
The combination of the Connection Profile and Identity Profile determines the Access Policy that applies to
the client. (See Chapter 4, “Configuring Rights” for a detailed discussion of Access Policies and access
rights.)
When a client first connects to the 700wl Series system, the system attempts to match it to an Identity
Profile and Connection Profile. In most cases, because it has not yet been authenticated, the client will
match only the default Identity Profile (“Any”). This Identity Profile typically uses an Access Policy that
allows only the access necessary to complete the logon process.
There is a “catch-all” row in the Rights Assignment Table (see “The Rights Assignment Table” on page 4-6)
that ensures the client will always match a Connection Profile (based on the Access Controller port it
connected through and the time of day). Each Connection Profile includes an Authentication Policy that
specifies how clients connecting through that Connection Profile should be authenticated.
An Authentication Policy is an ordered set of one or more authentication services. An Authentication
Service is a named instance of a particular service used for authentication, such as a specific LDAP server
or RADIUS server. You configure an Authentication Service in the 700wl Series system by specifying the
properties and parameters necessary to communicate with that service for the purpose of authenticating
clients.
The 700wl Series system provides great flexibility in the methods it supports for authenticating users who
want to log on to the network through the 700wl Series system. Users can be entered into a built-in
database, their user information can be forwarded to an external authentication service, such as an LDAP
server, or the 700wl Series system can be configured to accept the results of a successful VPN
authentication, NT Domain logon, or 802.1x logon.
The 700wl Series system supports the following types of authentication:
• Browser-based Logon
Browser-based logon is the default authentication method, with the 700wl Series system built-in
database as the default Authentication Service.
With browser-based logon, the user is presented with a logon page the first time she attempts to
access the network with a web browser. Typically the logon page allows the user to enter a
username and password. The 700wl Series system attempts to authenticate the user information
through an authentication service as specified by the Authentication Policy associated with the
client’s Connection Profile.
For use with browser-based logon, the 700wl Series system supports the following Authentication
Services:
– The Built-In Database (the default Authentication Service)
– Lightweight Directory Access Protocol (LDAP) services, including Microsoft’s Active Directory
and iPlanet’s LDAP server
– A Remote Authentication Dial-In User Service (RADIUS)
– A Kerberos service
– An XML-RPC-based service
You can configure one or more of these services and use them in one or more Authentication
Policies. You specify the order of these services when you configure the Authentication Policy.
When the 700wl Series system receives a username and password from the logon page, the client is
forwarded to the first authentication service in the list. If the first service fails to authenticate the
5-2 HP ProCurve Secure Access 700wl Series Management and Configuration Guide