HP (Hewlett-Packard) 700wl Series Switch User Manual
Configuring Rights
The network administrator configures network access control policies by defining Identity Profiles,
Connection Profiles and Access Policies, or by modifying existing profiles and policies.
An Identity Profile is associated with a set of one or more individual users and devices, and a user may
belong to more than one Identity Profile. For clients authenticated through an external authentication
service, the client may match an Identity Profile if the Identity Profile name matches a group or domain
name returned by the authentication process. For clients included in the built-in database, the Rights
Administrator can assign those clients to Identity Profiles. The client matches the assigned Identity
Profile upon successful authentication.
There are four predefined Identity Profiles: “Authenticated,” “Guest,” “Any,” and “Access Points.”
- A client that is successfully authenticated, but does not match any other Identity Profile, matches
  the “Authenticated” profile.
- A user that logs in as a Guest (through the web-based logon page) matches the “Guest” profile.
- A client that does not match any other Identity Profile automatically matches “Any.” The “Any”
  Identity Profile always appears in the last row of the Rights Assignment Table.
- The MAC addresses of Access Points and other network equipment can be added to the built-in
  database and associated with the “Access Points” Identity Profile. Those MAC addresses then
  immediately match the Access Points Identity Profile when they connect to the 700wl Series
  system.
The MAC addresses of regular clients can also be stored in the built-in database as “MAC Address
Users.” When these clients connect, they are recognized by their MAC address and bypass the
authentication process. A MAC Address User does NOT match the Authenticated Identity Profile,
because it has not been authenticated. A MAC Address User that has not been explicitly associated
with an Identity Profile in the built-in database continues to match the Any Identity Profile by
default. Because a MAC address is trivially forged by any client on the same segment, the rights
granted through a MAC Address User entry should be no broader than that device actually needs.
The administrator can create additional Identity Profiles as needed. The Authenticated and Any
profiles cannot be modified or deleted.
A Connection Profile describes a set of physical or logical connection paths to the 700wl Series system
during a specific time frame. A Connection Profile consists of one or more ports on one or more Access
Controllers, one or more Time Windows, and optionally a VLAN ID. If a VLAN ID is defined, only traffic
that carries the specified VLAN tag will match the Connection Profile. The Rights Administrator can
create Connection Profiles as needed to differentiate between physical locations, VLANs, and/or Time
Windows. There is one predefined Connection Profile, “Any,” which includes all Access Controllers
and ports, matches any VLAN tag, and is valid at all times (24 hours a day, 7 days a week).
A client matches a Connection Profile only if all three conditions hold: the Access Controller port
through which she is connected is included in that Connection Profile, the VLAN tag on her packets
matches the VLAN ID specified for the profile (or the profile specifies no VLAN ID), and the time at
which she connects falls within a Time Window defined for the profile. A client that does not match
any other Connection Profile automatically matches “Any.” The “Any” Connection Profile always
appears in the last row of the Rights Assignment Table.
Connection Profiles are used in two ways in the 700wl Series system:
- As discussed previously, they are used in conjunction with the Identity Profile to determine the
  access rights granted to an authenticated client.
- They are also used to determine the method by which an unknown (unauthenticated) client should
  be authenticated. This is discussed later in “Authentication in the 700wl Series System” on
  page 5-1.
HP ProCurve Secure Access 700wl Series Management and Configuration Guide 4-3