Defining access policy groups – HP Identity Driven Manager Software Series User Manual

3-41

Using Identity Driven Manager

Defining Access Policy Groups

Defining Access Policy Groups

An Access Policy Group (APG) contains rules that define the VLAN, rate-limit
(bandwidth), quality of service, and network resource access rules for users in the
group, based on the time, location, and system from which the user logs in. You can
also create rules to work in conjunction with third-party endpoint integrity (Host
Integrity) applications to verify that systems attempting to connect to the network
meet security requirements.

Each rule in an Access Policy includes the following parameters:

•

Location - identifies the switch and/or switch ports where users connect to
the network. Location can identify physical wiring connections to segment
the network

•

Time

•

System

•

Endpoint Integrity

•

Access Profile

Multiple access policy groups can be added to a domain, and multiple access profiles,
locations, and times can be referenced and configured in an access policy group.

Access policy groups can be created manually or automatically if Active Directory
synchronization is enabled. However, Access Policy Group names must be unique
within a Domain.

When a user assigned to the APG is authenticated on the RADIUS Server, the IDM
Agent applies the appropriate rule, which can cause the switch or access point to
accept or reject the user, and modifies the RADIUS reply to provide the appropriate
network access to the user.

You can create an APG that does not have any limitations, that is, it allows “Any”
location, time, system, and accepts the default switch settings for VLAN, QoS, and
Bandwidth. This would allow you to use IDM to monitor logins and network resource
usage by user, without limiting user access to the network.