HP (Hewlett-Packard) 700wl Series Switch User Manual


 
Configuring Authentication
client, the username and password are sent to the next service, and so on. If all services in the list fail
to authenticate the user, the user continues to have only unauthenticated logon rights.
Monitored Logon
With monitored logon, the HP system passes the initial packets from the client through to the
network, and then monitors the returning packets looking for the message indicating that
authentication has been successful.
The 700wl Series system can monitor the following logon methods:
802.1x
NT Domain Logon
Both of these monitored logon methods are predefined as authentication services. You can select
one or both of these methods for inclusion within an Authentication Policy.
802.1x and NT Domain logon, if selected, always take priority over any other services. If the
Authentication Policy specifies either of these methods, all packets from the client are sent on to the
network, and all returned packets destined for that client are “sniffed” to detect an authentication
result. If the authentication is successful, the 700wl Series system re-evaluates the client to
determine what rights should be granted (see “Access Rights in the 700wl Series System” on
page 4-1 for a detailed explanation of how this is done). If the authentication fails, the 700wl Series
system will either try the next authentication service specified in the Authentication Policy, or, if no
other services are defined, will continue to provide only logon rights.
Note: NT Domain Logon does not work with clients whose IP addresses are “NAT’ed”. If you plan
to use NT Domain Logon, the Access Policies associated with those clients must specify the
Network Address Translation setting of When Necessary, and must not be set to Always. See
“NT Domain Logon” on page 5-27 for more information about the requirements for using NT Domain
logon.
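The monitored-logon behaviour described above (pass the client's packets through, sniff the returning frames for an authentication result, then either grant rights or fall through to the next service in the Authentication Policy) can be modelled as follows. This is an added example, not code from the 700wl Series system or from HP: the frame parsing follows the real IEEE 802.1X EAPOL and RFC 3748 EAP header layouts, but the policy model (an ordered list of services with monitored services sorted first, a hypothetical local-database service standing in for a non-monitored one, and the constructed sample frames and MAC addresses) is an assumption made for illustration. Only the 802.1x case is modelled; NT Domain Logon detection is not shown.

```python
"""Illustrative model of 802.1x monitored logon and Authentication Policy fallthrough.

Added example, not the 700wl Series system's own code. EAPOL/EAP formats are
real (IEEE 802.1X, RFC 3748); the policy model and sample data are assumptions.
"""
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPE_EAP_PACKET = 0   # EAPOL packet type 0 carries an EAP packet
EAP_CODE_REQUEST = 1
EAP_CODE_SUCCESS = 3
EAP_CODE_FAILURE = 4


def parse_eap_result(frame: bytes, client_mac: bytes):
    """Return 'success', 'failure' or None for one returned Ethernet frame.

    Only EAPOL frames carrying an EAP packet and addressed to the monitored
    client are inspected; anything else is passed through (returns None).
    """
    if len(frame) < 14 + 4 + 4:          # Ethernet + EAPOL header + EAP header
        return None
    dst = frame[0:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL or dst != client_mac:
        return None
    _version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    if eapol_type != EAPOL_TYPE_EAP_PACKET:
        return None                      # EAPOL-Start/Logoff/Key: no EAP result
    eap = frame[18:18 + body_len]
    if len(eap) < 4:
        return None
    code, _identifier, _eap_len = struct.unpack("!BBH", eap[:4])
    if code == EAP_CODE_SUCCESS:
        return "success"
    if code == EAP_CODE_FAILURE:
        return "failure"
    return None                          # Request/Response: exchange still running


def monitor_8021x(frames, client_mac):
    """Sniff frames returned to the client until an EAP Success/Failure appears."""
    for frame in frames:
        result = parse_eap_result(frame, client_mac)
        if result is not None:
            return result
    return None                          # exchange never produced a verdict


def build_eapol_frame(dst, src, eap_code, identifier=1):
    """Constructed sample: minimal EAPOL frame carrying a 4-byte EAP packet."""
    eap = struct.pack("!BBH", eap_code, identifier, 4)
    eapol = struct.pack("!BBH", 1, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def evaluate_policy(services, client_mac, returned_frames, credentials):
    """Walk an Authentication Policy's ordered service list.

    Monitored services are tried first (they take priority over other
    services). A service that does not authenticate the client is followed
    by the next one; if every service fails, the client keeps only
    unauthenticated logon rights.
    """
    ordered = sorted(services, key=lambda s: 0 if s["monitored"] else 1)
    for svc in ordered:
        if svc["monitored"]:
            ok = monitor_8021x(returned_frames, client_mac) == "success"
        else:
            ok = svc["check"](credentials)
        if ok:
            return {"authenticated": True, "via": svc["name"]}
    return {"authenticated": False, "via": None,
            "rights": "unauthenticated logon rights"}


# --- Constructed sample data (assumed MAC addresses, not from the manual) ---
CLIENT = bytes.fromhex("00112233aabb")
AUTHENTICATOR = bytes.fromhex("00aabbccddee")

SAMPLE_SUCCESS = [                       # an exchange in progress, then EAP-Success
    build_eapol_frame(CLIENT, AUTHENTICATOR, EAP_CODE_REQUEST),
    build_eapol_frame(CLIENT, AUTHENTICATOR, EAP_CODE_SUCCESS),
]
SAMPLE_FAILURE = [build_eapol_frame(CLIENT, AUTHENTICATOR, EAP_CODE_FAILURE)]


def local_db_check(credentials):
    """Hypothetical non-monitored service (stand-in for e.g. a directory lookup)."""
    return credentials == ("alice", "s3cret")


SERVICES = [
    {"name": "Local DB", "monitored": False, "check": local_db_check},
    {"name": "802.1x", "monitored": True},   # sorted to the front by evaluate_policy
]

if __name__ == "__main__":
    print(evaluate_policy(SERVICES, CLIENT, SAMPLE_SUCCESS, None))
    print(evaluate_policy(SERVICES, CLIENT, SAMPLE_FAILURE, ("alice", "s3cret")))
    print(evaluate_policy(SERVICES, CLIENT, SAMPLE_FAILURE, ("bob", "wrong")))
```

The point to take from the model is the fallthrough: an EAP-Failure (or an exchange that never completes) is not the end of the evaluation but merely hands the client to the next service in the policy, and only when every service has failed does the client remain on unauthenticated logon rights. Note also that the sniffer keys on the destination MAC, so a frame addressed to another station is never treated as this client's result.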
Wireless Data Privacy Logon
The 700wl Series system supports a third authentication mechanism—it can accept the
authentication performed by one of the Wireless Data Privacy protocols (PPTP, L2TP/IPSec,
tunneled IPSec, or SSH).
Wireless Data Privacy authentication methods may involve shared secrets or certificates, and the
Authentication Policy associated with the Connection Profile is not necessarily used (the Wireless
Data Privacy authentication may supersede it).
When used for authentication, SSH uses the Authentication Policy associated with the Connection
Profile through which the user connected.
L2TP and PPTP can be configured to use the Authentication Policy associated with the Connection
Profile through which the user connected, or they can use a shared secret. The shared secret is
configured in the Access Policy.
Tunneled IPSec can be configured to use a shared secret or a public key certificate.
Because Wireless Data Privacy protocols are used for securing airwave traffic as well as for
authentication, specification of the acceptable protocols is included in the Access Policy associated
with an Identity Profile and Connection Profile pair, not the Authentication Policy. Thus, in order
to use Wireless Data Privacy logon, you must ensure that the Access Policy that specifies logon
rights (by default, the Unauthenticated Access Policy) is configured correctly to support the
appropriate types of Wireless Data Privacy logon. See “Creating or Editing an Access Policy” on
page 4-43 for details on how to configure Wireless Data Privacy logon.
HP ProCurve Secure Access 700wl Series Management and Configuration Guide 5-3