HP Identity Driven Manager Software Series User Manual

B-5

IDM Technical Reference

Best Practices

In this instance, if the user attempts to login in during the times specified for
the Weekends, they will be rejected, and an IDM event will be logged indicating
that the APG had a specific Reject rule set to deny access.

If the user logs in at times not specified for the weekend, since the time in the
first rule does not match, IDM moves to the second rule. Since all parameters
match, the user is allowed on the network and the "Default" Access Profile
settings are applied at the switch.

The other important piece in this process is the order of the rules. In the second
example, if you change the order of the rules, users would be allowed access
all the time.

The two examples above are quite simple. However, in instances where you
want to be able to restrict user access to specific areas of the network at
specific times, or restrict network resources to users at specific times and
locations, the decision to use the "allow" vs. "reject" method and the ordering
of the rules becomes more complex.

Rate-Limiting

The option for rate-limiting using the Bandwidth option in Access Profiles
works like this:

•

When the Access Profile is applied, IDM sends a rate-limit in Kbps to
the switch.

•

The switch takes the value passed from IDM and converts it to a rate
percentage, based on the port link speed.

If the value passed to the switch by IDM is greater than the port link speed,
the switch will ignore the parameter received from IDM. To avoid problems,
avoid using low rate-limit policies on the switch, or make sure that the IDM
rate-limits do not exceed the link speeds of ports in your network.