Configuration process review, Configuration process review -2 – HP Identity Driven Manager Software Licenses User Manual

3-2

Using Identity Driven Manager
Understanding the IDM Configuration Model

Configuration Process Review

Assuming that you opted to enable Active Directory synchronization or let IDM run
long enough to discover the Domain, users, and RADIUS server, your configuration
process will be:

1. Define locations (optional) from which users access the network. The location

may relate to port-based VLANS, or to all ports on a switch.

2. Define times (optional) at which users will be allowed or denied access. This

can be by day, week or even hour.

3. If you intend to restrict a user’s access to specific systems, based on the system

they use to access the network, you need to modify the User profile to include
the MAC address for each system from which the user is allowed to login.

4. Define the Network Resources that users will have access to, or will be denied

from using, if applicable.

5. Define device types (optional) from which users can access the network.

Network access can be controlled based on the device type from which the user
is logging on, by configuring access policy rules or global rules with a Device
type group which includes the specific device type.

6. Create the Access Profiles to set the VLAN, QoS, rate-limits (Bandwidth), and

network resources that are applied to users in Access Policy Groups.

7. If you don’t use Active Directory synchronization, create the Access Policy

Groups, with rules containing the Location, Time, System, and Access Profile
that will be applied to users when they login.

OR

If using Active Directory synchronization, add rules and access profiles to the
Access Policy Groups that were created by Active Directory synchronization.

8. If you do not use Active Directory synchronization, assign Users to the appro-

priate Access Policy Group.

9. If you do not use automatic deployment, deploy the configuration to the IDM

Agent on the RADIUS Server. The authorization controls can then be applied
when IDM detects an authenticated user login. If you do not use automatic
deployment and do not manually deploy the IDM configuration to the Agent on
the RADIUS server, the configuration will not be applied

N o t e :

If you want to modify or delete an Access Policy Group, or the locations, times,
or access profiles used in the Access Policy Group, make sure your changes will
not adversely affect users assigned to that group.