HP (Hewlett-Packard) 700wl Series Switch User Manual


 
Configuring Rights
Time Window in which the connection exists, and optionally, a VLAN tag, to match the client to a
Connection Profile. The combination of the Identity Profile and Connection Profile determines the Access
Policy that is used to enforce access rights (the ability to pass traffic into the network) for the client.
Access rights are implemented in the 700wl Series system through the Rights Assignment Table. Each row
in the table consists of an Identity Profile, a Connection Profile, and an Access Policy (see Figure 4-1).
Figure 4-1. Rights Assignment Table–Initial Configuration
When a client connects to the 700wl Series system, the system searches the Rights Assignment Table from
the top down until it matches the client to both an Identity Profile and a Connection Profile. The Access
Policy associated with the matching row determines the access rights that are granted to that client.
A client may be associated with several different Identity Profiles (and possibly different Connection
Profiles) during the life of its connection to the 700wl Series system. Each time the client’s identity or
location changes, the 700wl Series system does a new search of the table to match the client to an Identity
Profile and Connection Profile, and to determine the Access Policy it should apply as a result.
For example, when a client first connects to the system, it typically does not match any of the established
Identity Profiles. The table match falls through to one of the bottom rows in the table where the new client
matches on the “Any” Identity Profile. The Any Identity Profile is typically associated with the
“Unauthenticated” Access Policy, which grants rights that allow the client to log on and attempt
authentication. (See “Authentication in the 700wl Series System” on page 5-1 for a discussion of how
authentication is handled.)
With a successful logon and authentication, the client has a new identity (its user name, and in some cases
a group or domain affiliation) and now matches a different Identity Profile (for example, the
“Authenticated” profile in the default case). It is granted a new set of rights based on the Access Policy in
the row that matches the client’s new Identity Profile and Connection Profile.
If the client roams such that its wireless connection moves to a port that is included in a different
Connection Profile, a new table search occurs, and the client will match a different row in the Rights
Assignment Table, based on the combination of the same Identity Profile but a different Connection
Profile. This may result in a different set of rights if the Access Policy in the new matching row is different
from the Access Policy in the old row.
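
The top-down search described above, as an added example (not HP's code and not part of the manual). It models a Connection Profile by port only, leaving out the Time Window and VLAN tag; the "Lobby" profile, the port names, and the "LobbyRestricted" and "FullAccess" policy names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ANY = "Any"  # the catch-all profile name used in the manual

@dataclass(frozen=True)
class Client:
    user: Optional[str]  # None until logon and authentication succeed
    port: str            # port the client currently connects through

@dataclass(frozen=True)
class Row:
    identity: str    # Identity Profile
    connection: str  # Connection Profile
    policy: str      # Access Policy

# Constructed sample data: the "Lobby" profile and its ports are hypothetical.
CONNECTION_PORTS = {"Lobby": {"port1", "port2"}}

def identity_matches(profile: str, client: Client) -> bool:
    if profile == ANY:
        return True
    return profile == "Authenticated" and client.user is not None

def connection_matches(profile: str, client: Client) -> bool:
    return profile == ANY or client.port in CONNECTION_PORTS.get(profile, set())

def assign_policy(table: list, client: Client) -> Optional[str]:
    """Search top down; the first row matching both profiles decides the policy."""
    for row in table:
        if identity_matches(row.identity, client) and connection_matches(row.connection, client):
            return row.policy
    return None

def shadowed_rows(table: list) -> list:
    """Rows placed below an Any/Any row are never reached by the top-down search."""
    for i, row in enumerate(table):
        if row.identity == ANY and row.connection == ANY:
            return table[i + 1:]
    return []

# Constructed table: "LobbyRestricted" and "FullAccess" are hypothetical policy names.
TABLE = [
    Row("Authenticated", "Lobby", "LobbyRestricted"),
    Row("Authenticated", ANY, "FullAccess"),
    Row(ANY, ANY, "Unauthenticated"),
]
# Same rows with the catch-all moved to the top: every client gets "Unauthenticated".
MISORDERED = [TABLE[2], TABLE[0], TABLE[1]]
```

Calling assign_policy again after each logon or roam mirrors the new table search the system performs when a client's identity or location changes.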
4-2 HP ProCurve Secure Access 700wl Series Management and Configuration Guide