Defining access policy groups – HP Identity Driven Manager Software Series User Manual
Using Identity Driven Manager
Defining Access Policy Groups
An Access Policy Group (APG) contains rules that define the VLAN, rate-limit
(bandwidth), quality of service, and network resource access rules for users
in the group, based on the time, location, and system from which the user logs
in. You can also create rules to work in conjunction with third-party endpoint
integrity (Host Integrity) applications to verify that systems attempting to
connect to the network meet security requirements.
Each rule in an Access Policy includes the following parameters:
• Location - identifies the switch and/or switch ports where users connect to the network. Location can identify physical wiring connections or VLANs configured to segment the network.
• Time
• System
• Endpoint Integrity
• Access Profile
Multiple access policy groups can be added to a realm, and multiple access
profiles, locations, and times can be referenced and configured in an access
policy group.
Access policy groups can be created manually, or automatically if Active
Directory synchronization is enabled. However, Access Policy Group names
must be unique within a Realm.
When a user assigned to the APG is authenticated on the RADIUS Server, the
IDM Agent applies the appropriate rule, which can cause the switch or access
point to accept or reject the user, and modifies the RADIUS reply to provide
the appropriate network access to the user.
You can create an APG that does not have any limitations, that is, it allows
"Any" location, time, system, and accepts the default switch settings for VLAN,
QoS, and Bandwidth. This would allow you to use IDM to monitor logins and
network resource usage by user, without limiting user access to the network.
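The rule evaluation and the unrestricted "Any" group described above can be sketched as a small model. This is an added example in Python, not IDM's own code or configuration format. First-match ordering, reject-when-nothing-matches, the "pass"/"fail" integrity values, and all names and sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional

ANY = None  # wildcard: stands in for the "Any" choice in a rule

@dataclass(frozen=True)
class AccessProfile:
    vlan: Optional[str] = None             # None = keep the switch default
    qos: Optional[int] = None
    rate_limit_kbps: Optional[int] = None
    reject: bool = False

@dataclass(frozen=True)
class Rule:
    location: Optional[str]                # named group of switches/ports
    hours: Optional[tuple]                 # (start, end) as datetime.time
    system: Optional[str]                  # client identifier, e.g. a MAC address
    integrity: Optional[str]               # assumed "pass"/"fail" from the integrity check
    profile: AccessProfile

    def matches(self, login: dict) -> bool:
        in_hours = self.hours is ANY or self.hours[0] <= login["time"] < self.hours[1]
        return (in_hours and self.location in (ANY, login["location"])
                and self.system in (ANY, login["system"])
                and self.integrity in (ANY, login["integrity"]))

def evaluate(rules, login):
    """Return (decision, overrides to place in the RADIUS reply) for one login."""
    for rule in rules:                     # assumption: first matching rule wins
        if rule.matches(login):
            if rule.profile.reject:
                return "reject", {}
            p = rule.profile
            fields = {"vlan": p.vlan, "qos": p.qos, "rate_limit_kbps": p.rate_limit_kbps}
            return "accept", {k: v for k, v in fields.items() if v is not None}
    return "reject", {}                    # assumption: no matching rule means reject

# Constructed sample groups (names and values are illustrative)
STAFF_APG = [
    Rule(ANY, ANY, ANY, "fail", AccessProfile(vlan="99", rate_limit_kbps=512)),
    Rule("hq-wired", (time(7), time(19)), ANY, "pass", AccessProfile(vlan="20", qos=5)),
    Rule(ANY, ANY, ANY, ANY, AccessProfile(reject=True)),
]
MONITOR_APG = [Rule(ANY, ANY, ANY, ANY, AccessProfile())]  # unrestricted, monitoring only

def login(location, at, integrity, system="00:00:5e:00:53:01"):
    return {"location": location, "time": at, "system": system, "integrity": integrity}
```

In this model the monitoring-only group accepts every login and returns no overrides, so the switch defaults stay in force, while the staff group quarantines a failed integrity check before any location or time rule is considered.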