HP Identity Driven Manager Software Series User Manual

B-4

IDM Technical Reference
Best Practices

Handling Unknown or Unauthorized users

If a user is authenticated in RADIUS, but is unknown to IDM, IDM will not override RADIUS authentication and default switch settings, unless you configure it to do so. Also, if IDM rejects the user, but you have set "unauth-vid", then the port will still be opened and the VLAN will be set to the unauth-vid. You can also create a "guest" profile in IDM to provide limited access for unknown users.

Allowing vs. Rejecting Access

When evaluating the rules for the Access Policy Group when a user logs in, IDM is looking to match all three of the parameters (Location, Time, System). If it does not get a match on all three, it will go to the next rule in the list. When a match on all three parameters is found, the Access Profile for that rule is applied.

There are two ways to look at the process of restricting user access using Access Profiles in Access Policy Group (APG) rules.

A. Create rules that allow access.

B. Create rules that reject access.

For example, to create an APG to allow access during the standard work week, you can create a Time that defines the work week, then create an Access Policy to be applied during that time. In this example, a Default policy was created. The APG to allow user access during the work week would then look like this:

Users in the group will be allowed access as long as they are logging in during the times set for the Work week. At any other time, the user will be denied access, and an IDM event will be logged for the reason that no matching rules were found in the APG.

To create a rule that denies access on the weekend, while allowing access during the work week, you will need a Time to define the weekend. You will also need an Access Policy to define the access at all other times. In the Access Policy Group, you would enter two rules, similar to the following:
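The first-match evaluation described above, and the difference between the allow-style APG (one rule for the Work week) and the reject-style APG (a Weekend reject rule followed by a catch-all Default rule), can be walked through in code. The following is an added illustration written for this page; it is not IDM code or an IDM API. The rule model, the `Rule`/`AccessProfile` classes, the `Work week` and `Weekend` Time definitions (weekdays 08:00 to 18:00, and Saturday/Sunday), the `any` wildcard, and the sample timestamps are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Optional

ANY = "any"  # constructed wildcard: this rule parameter is not restricted


@dataclass(frozen=True)
class AccessProfile:
    """Constructed stand-in for an IDM Access Profile."""
    name: str
    allow: bool                # False models a profile that rejects the login
    vlan: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    """One APG rule: Location, Time, System and the profile applied on a match."""
    location: str
    time: str
    system: str
    profile: AccessProfile


# Constructed Time definitions (hypothetical): does the login time fall in the named Time?
TIMES: dict[str, Callable[[datetime], bool]] = {
    "Work week": lambda dt: dt.weekday() < 5 and 8 <= dt.hour < 18,
    "Weekend": lambda dt: dt.weekday() >= 5,
}


def rule_matches(rule: Rule, location: str, when: datetime, system: str) -> bool:
    """A rule matches only when all three parameters match; a wildcard matches anything."""
    location_ok = rule.location in (ANY, location)
    system_ok = rule.system in (ANY, system)
    time_ok = rule.time == ANY or TIMES[rule.time](when)
    return location_ok and time_ok and system_ok


def evaluate(apg: list[Rule], location: str, when: datetime, system: str) -> tuple[bool, str]:
    """Walk the APG in order; the first rule matching all three parameters decides.

    Returns (access_allowed, reason). With no matching rule the user is denied and the
    reason mirrors the event IDM logs in that case.
    """
    for index, rule in enumerate(apg, start=1):
        if rule_matches(rule, location, when, system):
            return rule.profile.allow, f"rule {index} applied profile '{rule.profile.name}'"
    return False, "no matching rules were found in the APG"


# Constructed profiles and the two APG styles from the text.
DEFAULT = AccessProfile("Default", allow=True, vlan="100")
REJECT = AccessProfile("Reject", allow=False)

ALLOW_STYLE_APG = [Rule(ANY, "Work week", ANY, DEFAULT)]
REJECT_STYLE_APG = [Rule(ANY, "Weekend", ANY, REJECT), Rule(ANY, ANY, ANY, DEFAULT)]

# Constructed sample login times (2024-01-08 is a Monday, 2024-01-06 a Saturday).
MONDAY_10 = datetime(2024, 1, 8, 10, 0)
SATURDAY_10 = datetime(2024, 1, 6, 10, 0)
MONDAY_22 = datetime(2024, 1, 8, 22, 0)

if __name__ == "__main__":
    for name, apg in (("allow-style", ALLOW_STYLE_APG), ("reject-style", REJECT_STYLE_APG)):
        for when in (MONDAY_10, SATURDAY_10, MONDAY_22):
            allowed, reason = evaluate(apg, "HQ", when, "Laptop")
            verdict = "allow" if allowed else "deny"
            print(f"{name:12} {when:%a %H:%M}: {verdict:5} ({reason})")
```

Running it shows the two styles agreeing on a Monday morning and a Saturday, but disagreeing at 22:00 on Monday: the allow-style APG denies because no rule matches outside the Work week, whereas the reject-style APG falls through to its catch-all Default rule and allows. In this constructed model an allow-style APG fails closed for any time you did not define, and a reject-style APG fails open for any time you did not explicitly reject, so the Time definitions in a reject-style APG need to cover every period that should be blocked.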
