HP (Hewlett-Packard) 700wl Series Switch User Manual

Configuring Authentication
enabled in any other Access Policies that may be in force when a client is required to reauthenticate.
The Allowed Traffic Filter for LDAP must be created and then enabled in the appropriate Access
Policies.
Note: Cached Logon requests from Windows clients are not supported because the 700wl Series
system cannot reliably detect a logon in a cached request. To the client, the logon will appear to
succeed, but the 700wl Series system will consider the client to be unauthenticated. If this is a problem,
disable cached logon through the Windows registry on the client. Go to
My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
and set CachedLogonsCount to "0".
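The registry change above, scripted so that an administrator can audit a client before touching it. This is an added example and not part of the HP manual; it assumes an elevated PowerShell session on the Windows client and that CachedLogonsCount is stored as a REG_SZ string (which is how Winlogon keeps it).

```powershell
# Added example (not from the HP 700wl manual): inspect and, if requested, disable
# cached domain logons on a Windows client so that every logon is sent to the domain
# controller and can be observed by the 700wl Series monitored NT Logon feature.
# Assumes an elevated session; the value is a REG_SZ string under the Winlogon key.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'CachedLogonsCount'

function Get-CachedLogonsCount {
    # Returns the configured count as an integer. Windows defaults to 10 when the
    # value is absent, so report that rather than an error.
    $item = Get-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }
    return [int]$item.$ValueName
}

function Disable-CachedLogons {
    # Sets the value to "0" as the manual instructs. Side effect: domain users can no
    # longer log on to this machine while the domain controller is unreachable (for
    # example a laptop off-site), so apply it only to clients that are always on the
    # corporate network behind the 700wl Series system.
    Set-ItemProperty -Path $WinlogonKey -Name $ValueName -Value '0' -Type String
}

$before = Get-CachedLogonsCount
Write-Host "CachedLogonsCount before: $before"
if ($before -ne 0) {
    Disable-CachedLogons
    Write-Host "CachedLogonsCount after:  $(Get-CachedLogonsCount)"
} else {
    Write-Host 'Cached logons already disabled; no change made.'
}
```

On domain-joined clients the same value is governed by the Group Policy setting "Interactive logon: Number of previous logons to cache (in case domain controller is not available)"; setting it to 0 there keeps the change from being overwritten at the next policy refresh.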
Identity Profiles and NT Domain Membership
Users who are authenticated using NT Domain Logon can be associated with an Identity Profile based on
the NT Domain under which they were authenticated. To accomplish this, you must create an Identity
Profile whose name matches exactly the name of the domain. Users that authenticate under that domain
will then automatically be associated with the Identity Profile of the same name, and you can specify an
appropriate Access Policy based on the Identity Profile.
When using the monitored NT Logon feature with an Active Directory enabled Microsoft server
(Windows 2000 Server, 2003 Server, etc.), two Identity Profiles must be created, matching both the SMB and
the FQDN (Fully Qualified Domain Name) versions of the Microsoft domain name, if a correlation
between a Microsoft domain and a 700wl Series Identity Profile is desired. Each of these Identity Profiles
should use the same Access Policy in the Rights Assignment Table to define access rights for users that
match the Identity Profile.
Microsoft maintains both SMB and FQDN domain names on its Active Directory enabled servers in
order to maintain full backwards compatibility with legacy Windows clients. Moreover, Microsoft clients
will, at times, send logon requests containing the SMB version of the domain, and, at other times, send
logon requests containing the FQDN version of the domain. Creating both Identity Profiles therefore
ensures a match whichever form of the domain name the client sends.
External Identity Retrieval
With most of the Authentication Services supported by the 700wl Series system, group identity
information can be retrieved along with a successful authentication. The group identity information is
used to match the user to an Identity Profile. However, if the service you use for authentication does not
provide group identity information, it is possible to retrieve group identity information from an LDAP
service, post-authentication, in a second operation. The retrieved group identity is used to automatically
associate the user with the Identity Profile of the same name, and you can specify an appropriate Access
Policy based on the Identity Profile.
Note that you must have Identity Profiles configured that match exactly the group identity names that
can be retrieved from the external LDAP service.
For example, suppose you elect to use 802.1x authentication against a RADIUS service that does not
maintain group information for its users, but you also have an LDAP service available that does maintain
that information. In this case you could retrieve group identity information from the LDAP directory
service for each user that is successfully authenticated.
Setting up post-authentication group identity retrieval involves two procedures:
5-28 HP ProCurve Secure Access 700wl Series Management and Configuration Guide