
Best practices – HP Identity Driven Manager Software Licenses User Manual


B-3

IDM Technical Reference

Best Practices

Best Practices

Authentication Methods

The IDM application is designed to support RADIUS server implementation
with 802.1x using supplicants, as well as Web-auth and MAC-auth. However
to gain the full benefits of using IDM, HP advises that you implement RADIUS
using an 802.1x supplicant.

If you use Web-auth or MAC-auth, you can still use IDM to provide authorization
and access control, but user session accounting will not work. This is
because the current versions of Web-auth and MAC-auth do not support session
accounting features on the ProCurve devices. Specifically, the switches will
not report session-stop events. If you are using Web-auth or MAC-auth, it is
best to turn off session accounting. See “IDM Preferences” on page 2-33 for
details. The drawback is that this will also disable the IDM usage reports.

Domain Names

If you are using Active Directory, and your standard Active Directory Domain
Name is different than its pre-Windows 2000 Domain Name, then these two
Domain Names may appear as different Realms to IDM. This will only be true
if users log into IDM using different formats (e.g. "OLDDOMAIN\user" versus
"user@NewDomain"). Under most circumstances, this will never be a problem.

It is best if the Active Directory Domain Name is the same as the pre-Windows
2000 format (e.g. use simple names without special characters). However, if
this is not the case, you can mitigate the problem by having users log in using
a standard format (either "DOMAIN\user" or user@domain, but not both).
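To show why the two login formats above can surface as different realms, and how a fixed mapping from the pre-Windows 2000 name to the DNS domain name lets an operator reconcile them, here is an added example. It is not part of the HP IDM manual; the NETBIOS_TO_DNS table and the domain names in it are constructed for illustration.

```python
"""Realm extraction for RADIUS User-Name values in the two Windows login formats.
Added example, not HP IDM code. The NetBIOS-to-DNS mapping below is an assumption."""
from typing import NamedTuple, Optional, Iterable, Set


class Login(NamedTuple):
    user: str
    realm: Optional[str]
    fmt: str  # "downlevel" (DOMAIN\user), "upn" (user@domain) or "bare"


def parse_login(name: str) -> Login:
    """Split a User-Name into user and realm without changing either part."""
    if "\\" in name:                      # pre-Windows 2000 style: DOMAIN\user
        domain, _, user = name.partition("\\")
        return Login(user, domain, "downlevel")
    if "@" in name:                       # UPN style: user@dns.domain
        user, _, domain = name.rpartition("@")
        return Login(user, domain, "upn")
    return Login(name, None, "bare")      # no realm information at all


def realms_seen(user_names: Iterable[str]) -> Set[str]:
    """Realm names a naive, format-agnostic consumer would record (case-folded)."""
    seen = set()
    for name in user_names:
        login = parse_login(name)
        if login.realm is not None:
            seen.add(login.realm.lower())
    return seen


# Constructed mapping: pre-Windows 2000 (NetBIOS) domain name -> DNS domain name.
NETBIOS_TO_DNS = {"OLDDOMAIN": "newdomain.example"}


def canonical_realm(name: str) -> Optional[str]:
    """Map both login formats of the same domain onto one realm string."""
    login = parse_login(name)
    if login.realm is None:
        return None
    if login.fmt == "downlevel":
        return NETBIOS_TO_DNS.get(login.realm.upper(), login.realm.lower())
    return login.realm.lower()
```

Without the mapping, `realms_seen` reports two realms for one domain when users mix formats, which is the symptom described above; with it, `canonical_realm` returns the same value for both spellings.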

Multiple RADIUS Server Implementation

If you are using multiple RADIUS servers, with users logging in through each,
they should be discovered by IDM. However, if one of the servers is being used
as a "back-up" system (not just for load-balancing), the back-up server may
not appear correctly in IDM. This is because IDM is not "aware" of the server
until a user logs into it.

You can use the manual configuration method to define the RADIUS server to
IDM. See “Deleting RADIUS Servers” on page 3-49 for details. The server will
then appear in the IDM tree, and event logs for the server are available.
