Auto-allow ouis for 802.1x and web authentications – HP Identity Driven Manager Software Series User Manual
Using Identity Driven Manager
Configuring Auto-Allow OUIs
Auto-Allow OUIs for 802.1x and Web Authentications
IDM performs access control in the following order, regardless of which authentication mechanism (802.1x or web) the device used:
1. Check for auto-allow OUI
2. Check for Global Rule
3. Check for Access Rule
Consider that a domain user is imported from an Active Directory server into the IDM database using Active Directory synchronization, and the network administrator has configured an auto-allow OUI to isolate certain devices into the auto-allow group. This is helpful for isolating static devices such as IP phones that perform 802.1x authentication into specific, less secure groups.
When a device used by a domain user performs 802.1x or web authentication, IDM first checks whether the device MAC address matches any of the configured auto-allow OUIs. If it matches, the device is assigned to the auto-allow group, and the access rules associated with the auto-allow group are applied to the device. If the device MAC address does not match any of the configured auto-allow OUIs, then the “Check for Global Rule” and “Check for Access Rule” steps are performed.
In the following figure, the OUI "001c2e" is configured on the group "autoAllowGroup". The domain user "faculty" has performed 802.1x authentication with a device whose MAC address matches the OUI "001c2e". Therefore, the Name and Auth ID fields are shown as faculty(001c2ed42200) and the user is shown in the group "autoAllowGroup".
The first part of the Auth ID field denotes the domain user name, and the latter part (in parentheses) denotes the MAC address of the device that performed 802.1x/web authentication.
If the same domain user "faculty" performs 802.1x or web authentication with some other device whose MAC address does not match the OUI "001c2e", then the second row in the above user table will turn green, with the user "faculty" shown in its original group "facultyGroup".
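The three-step evaluation order and the Auth ID format described above, modelled as an added example in Python. This is not IDM's own code or API: the Policy and Decision structures, the group names other than "autoAllowGroup" and "facultyGroup", the "guestGroup" global rule and the "unauthorizedGroup" fallback are all constructed for illustration. The OUI check is a plain prefix match on the first 24 bits of the MAC address the device presents, which is why the example also shows that a matching OUI wins over the global rule even for a user the directory does not know.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# --- helpers -------------------------------------------------------------

def _hex_digits(value: str, expected_len: int) -> str:
    """Strip common separators (':', '-', '.', space) and return lowercase hex."""
    digits = "".join(ch for ch in value.lower() if ch not in ":-. ")
    if len(digits) != expected_len or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"expected {expected_len} hex digits, got {value!r}")
    return digits

def normalize_mac(mac: str) -> str:
    """A MAC address is 48 bits = 12 hex digits."""
    return _hex_digits(mac, 12)

def normalize_oui(oui: str) -> str:
    """An OUI is the first 24 bits of the MAC = 6 hex digits."""
    return _hex_digits(oui, 6)

# --- policy model (assumed structures, not IDM's) --------------------------

@dataclass(frozen=True)
class Decision:
    auth_id: str   # "<domain user>(<device MAC>)", as shown in IDM's Auth ID field
    group: str     # group the session is placed in
    stage: str     # which of the three checks produced the result

@dataclass
class Policy:
    auto_allow_ouis: Dict[str, str]                           # OUI -> auto-allow group
    global_rules: List[Callable[[str, str], Optional[str]]]   # (user, mac) -> group or None
    user_groups: Dict[str, str]                               # AD-imported user -> original group

def evaluate(policy: Policy, user: str, mac: str) -> Decision:
    """Apply the checks in IDM's documented order: OUI, global rule, access rule."""
    m = normalize_mac(mac)
    auth_id = f"{user}({m})"

    # 1. Auto-allow OUI: prefix match on the device MAC address.
    for oui, group in policy.auto_allow_ouis.items():
        if m.startswith(normalize_oui(oui)):
            return Decision(auth_id, group, "auto-allow OUI")

    # 2. Global rules, first match wins.
    for rule in policy.global_rules:
        group = rule(user, m)
        if group is not None:
            return Decision(auth_id, group, "global rule")

    # 3. Access rule: the user's own group from the directory import.
    #    "unauthorizedGroup" is a constructed fallback for users with no group.
    return Decision(auth_id, policy.user_groups.get(user, "unauthorizedGroup"), "access rule")

# --- constructed sample data ----------------------------------------------

KNOWN_USERS = {"faculty": "facultyGroup", "student": "studentGroup"}

def guest_rule(user: str, mac: str) -> Optional[str]:
    """Constructed global rule: anyone not imported from AD lands in guestGroup."""
    return None if user in KNOWN_USERS else "guestGroup"

SAMPLE_POLICY = Policy(
    auto_allow_ouis={"00-1c-2e": "autoAllowGroup"},   # the OUI from the figure
    global_rules=[guest_rule],
    user_groups=KNOWN_USERS,
)

if __name__ == "__main__":
    # The two scenarios from the text: an IP phone with OUI 001c2e, then another device.
    for user, mac in [("faculty", "00:1c:2e:d4:22:00"),
                      ("faculty", "00:0a:95:01:02:03"),
                      ("visitor", "00:1c:2e:00:00:01")]:
        d = evaluate(SAMPLE_POLICY, user, mac)
        print(f"{d.auth_id:28} -> {d.group:18} ({d.stage})")
```

Running the block prints one line per scenario; the first reproduces the figure's faculty(001c2ed42200) entry in "autoAllowGroup", the second falls through to "facultyGroup" via the access rule, and the third shows an unknown user still landing in the auto-allow group because the OUI check runs before the global rule.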