Best practices – HP Identity Driven Manager Software Series User Manual
IDM Technical Reference
Best Practices
Authentication Methods
The IDM application is designed to support RADIUS server implementation with 802.1x using supplicants, as well as Web-auth and MAC-auth. However, to gain the full benefits of using IDM, HP advises that you implement RADIUS using an 802.1x supplicant.

If you use Web-auth or MAC-auth, you can still use IDM to provide authorization and access control, but user session accounting will not work. This is because the current versions of Web-auth and MAC-auth do not support session accounting features on the ProCurve devices. Specifically, the switches will not report session-stop events. If you are using Web-auth or MAC-auth, it is best to turn off session accounting. See “IDM Preferences” on page 2-14 for details. The drawback is that this will also disable the IDM usage reports.
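The following Python script is an added example and not code from the HP IDM manual or the IDM product. It pairs RADIUS accounting Start and Stop records into sessions to show why usage reporting depends on the switch sending a Stop for every session: a Web-auth or MAC-auth session that only ever produces a Start has no duration and cannot appear in a usage report. The record field names follow the standard RADIUS accounting attributes; the records themselves and the `auth_method` field are constructed for this example.

```python
# Added example (not from the HP IDM manual): reconcile RADIUS accounting
# Start/Stop records into sessions, to show why usage reporting depends on
# the switch sending a Stop for every session. Field names follow the
# standard RADIUS accounting attributes; the records and the "auth_method"
# field are constructed for this example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample records (timestamps are epoch seconds).
SAMPLE_RECORDS = [
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "s-0001", "User-Name": "alice",
     "NAS-IP-Address": "10.0.0.1", "timestamp": 1000, "auth_method": "802.1x"},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "s-0001", "User-Name": "alice",
     "NAS-IP-Address": "10.0.0.1", "timestamp": 4600, "auth_method": "802.1x"},
    # Web-auth session: a Start arrives but the switch never sends a Stop,
    # which is the behaviour the manual describes for Web-auth and MAC-auth.
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "s-0002", "User-Name": "bob",
     "NAS-IP-Address": "10.0.0.1", "timestamp": 2000, "auth_method": "web-auth"},
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "s-0003", "User-Name": "carol",
     "NAS-IP-Address": "10.0.0.2", "timestamp": 3000, "auth_method": "802.1x"},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "s-0003", "User-Name": "carol",
     "NAS-IP-Address": "10.0.0.2", "timestamp": 3900, "auth_method": "802.1x"},
    # Stop with no matching Start (e.g. the Start was lost): kept separately
    # rather than silently dropped.
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "s-0004", "User-Name": "dave",
     "NAS-IP-Address": "10.0.0.2", "timestamp": 5000, "auth_method": "802.1x"},
]


@dataclass
class Session:
    session_id: str
    user: str
    nas: str
    auth_method: str
    start: int
    stop: Optional[int] = None

    @property
    def duration(self) -> Optional[int]:
        """Seconds between Start and Stop, or None while the session is open."""
        return None if self.stop is None else self.stop - self.start


def reconcile(records: List[dict]) -> Tuple[Dict[str, Session], List[str]]:
    """Pair Start and Stop records by Acct-Session-Id.

    Returns the sessions keyed by id, plus the ids of Stops that had no Start.
    """
    sessions: Dict[str, Session] = {}
    orphan_stops: List[str] = []
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        sid = rec["Acct-Session-Id"]
        if rec["Acct-Status-Type"] == "Start":
            sessions[sid] = Session(sid, rec["User-Name"], rec["NAS-IP-Address"],
                                    rec["auth_method"], rec["timestamp"])
        elif rec["Acct-Status-Type"] == "Stop":
            if sid in sessions:
                sessions[sid].stop = rec["timestamp"]
            else:
                orphan_stops.append(sid)
    return sessions, orphan_stops


def usage_report(records: List[dict]) -> Tuple[Dict[str, int], List[str], List[str]]:
    """Durations of completed sessions, plus what could not be reported.

    Open sessions (Start, no Stop) have no duration and never reach the
    report. With Web-auth/MAC-auth on the switches the manual describes,
    every session ends up in the open list, which is why the usage reports
    come out empty.
    """
    sessions, orphan_stops = reconcile(records)
    durations = {sid: s.duration for sid, s in sessions.items() if s.stop is not None}
    still_open = [sid for sid, s in sessions.items() if s.stop is None]
    return durations, still_open, orphan_stops


if __name__ == "__main__":
    durations, still_open, orphans = usage_report(SAMPLE_RECORDS)
    print("completed:", durations)
    print("open (no Stop):", still_open)
    print("Stop without Start:", orphans)
```

Running the script with the constructed records reports durations for the two 802.1x sessions only; the Web-auth session stays in the open list indefinitely, and the Stop with no Start is listed separately so that a lost Start is visible rather than dropped.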
Domain Names
If you are using Active Directory, and your standard Active Directory Domain Name is different from its pre-Windows 2000 Domain Name, then these two Domain Names may appear as different Realms to IDM. This will only be true if users log into IDM using different formats (e.g. "OLDDOMAIN\user" versus "user@NewDomain"). Under most circumstances, this will never be a problem.

It is best if the Active Directory Domain Name is the same as the pre-Windows 2000 format (e.g. use simple names without special characters). However, if this is not the case, you can mitigate the problem by having users log in using a standard format (either "DOMAIN\user" or "user@domain", but not both).
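The following Python script is an added example and not code from the HP IDM manual or the IDM product. It splits logins written in either format ("OLDDOMAIN\user" or "user@NewDomain"), shows the separate realms that result when the login string is taken as typed, and then resolves both through a NetBIOS-to-DNS table so that they collapse into one realm. The table, the DNS name `newdomain.example`, and the sample logins are all constructed assumptions; the manual does not describe IDM having such a mapping, which is exactly why the two formats show up as different realms.

```python
# Added example (not from the HP IDM manual): map the two login formats the
# manual mentions, "OLDDOMAIN\user" and "user@NewDomain", onto one realm.
# The NetBIOS-to-DNS table is an assumed, constructed mapping that an
# administrator would maintain; IDM itself takes the realm from the login
# string as typed, which is why the two formats appear as separate realms.
from typing import Dict, List, Set, Tuple

# Constructed mapping: pre-Windows 2000 domain name -> Active Directory DNS name.
NETBIOS_TO_DNS: Dict[str, str] = {
    "OLDDOMAIN": "newdomain.example",
}

# Constructed sample logins in both formats, with mixed case.
SAMPLE_LOGINS: List[str] = [
    "OLDDOMAIN\\alice",
    "alice@NewDomain.example",
    "OLDDOMAIN\\bob",
    "Carol@newdomain.example",
]


def split_login(login: str) -> Tuple[str, str]:
    """Return (realm, user) exactly as written; realm is "" if none is present."""
    if "\\" in login:                         # DOMAIN\user
        realm, _, user = login.partition("\\")
        return realm, user
    if "@" in login:                          # user@domain (UPN style)
        user, _, realm = login.rpartition("@")
        return realm, user
    return "", login


def canonical_realm(realm: str) -> str:
    """Resolve a NetBIOS name through the table; otherwise treat it as a DNS name."""
    if not realm:
        return ""
    return NETBIOS_TO_DNS.get(realm.upper(), realm.lower())


def normalise(login: str) -> Tuple[str, str]:
    """Canonical (realm, user) for a login in either format."""
    realm, user = split_login(login)
    return canonical_realm(realm), user.lower()


def realms_seen(logins: List[str]) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Users grouped by realm: raw (as IDM sees them) and after normalisation."""
    raw: Dict[str, Set[str]] = {}
    canon: Dict[str, Set[str]] = {}
    for login in logins:
        realm, user = split_login(login)
        raw.setdefault(realm, set()).add(user)
        c_realm, c_user = normalise(login)
        canon.setdefault(c_realm, set()).add(c_user)
    return raw, canon


if __name__ == "__main__":
    raw, canon = realms_seen(SAMPLE_LOGINS)
    print("raw realms:", sorted(raw))
    print("canonical realms:", sorted(canon))
```

With the constructed logins, the raw grouping yields three realms (the NetBIOS name and two case variants of the DNS name) while the normalised grouping yields one. Standardising on a single login format, as the manual recommends, removes the need for any such mapping.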
Multiple RADIUS Server Implementation
If you are using multiple RADIUS servers, with users logging in through each, they should be discovered by IDM. However, if one of the servers is being used as a "back-up" system (not just for load-balancing), the back-up server may not appear correctly in IDM. This is because IDM is not "aware" of the server until a user logs into it.

You can use the manual configuration method to define the RADIUS server to IDM. See “Defining RADIUS Servers” on page 3-25 for details. The server will then appear in the IDM tree, and event logs for the server are available.