Best practices – HP Identity Driven Manager Software Series User Manual
IDM Technical Reference
Best Practices
Authentication Methods
The IDM application supports RADIUS deployments that authenticate clients with
802.1X (using a supplicant on the client), as well as Web-auth and MAC-auth.
However, to gain the full benefits of IDM, HP advises that you implement RADIUS
authentication with an 802.1X supplicant: it authenticates the user with
credentials, whereas MAC-auth identifies only the device address.
Domain Names
If you are using Active Directory and the domain's DNS name differs from its
pre-Windows 2000 (NetBIOS) name, the two names can appear to IDM as two separate
domains. This happens only when users log in with different name formats (for
example “OLDDOMAIN\user” versus “user@NewDomain”), because IDM takes the domain
from the name string presented at login. Under most circumstances this is not a
problem.
It is best if the Active Directory DNS name matches the pre-Windows 2000 name
(for example, use simple names without special characters). If that is not the
case, you can mitigate the problem by having all users log in with one standard
format (either “DOMAIN\user” or “user@domain”, but not both).
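The following is an added example, not code from IDM, showing why the two logon formats split one Active Directory domain in two and how a normaliser reconciles them. It parses both the down-level form (DOMAIN\user) and the UPN form (user@domain), maps the pre-Windows 2000 name to the DNS name through a lookup table, and reports whether users are mixing formats (the condition the manual says to avoid). The NETBIOS_TO_DNS table, the default domain and the sample logon names are constructed assumptions; in a real deployment you would populate the table from the nETBIOSName and dnsRoot attributes of the crossRef objects under CN=Partitions in the AD configuration partition.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed mapping (assumption): pre-Windows 2000 NetBIOS domain name ->
# DNS domain name.  Pull the real values from Active Directory's crossRef
# objects (nETBIOSName / dnsRoot) rather than hard-coding them.
NETBIOS_TO_DNS = {
    "OLDDOMAIN": "newdomain.example.com",
    "CORP": "corp.example.com",
}

DEFAULT_DOMAIN = "corp.example.com"   # assumed domain for bare user names


@dataclass(frozen=True)
class LogonName:
    user: str     # lower-cased account name
    domain: str   # canonical DNS domain name, lower case
    form: str     # "downlevel" (DOMAIN\user), "upn" (user@domain) or "bare"


# DOMAIN\user: one backslash, no '@' or further backslashes on either side.
_DOWNLEVEL = re.compile(r"^(?P<dom>[^\\@]+)\\(?P<user>[^\\@]+)$")
# user@domain (UPN form).
_UPN = re.compile(r"^(?P<user>[^\\@]+)@(?P<dom>[^\\@]+)$")


def raw_domain(raw: str) -> str:
    """Domain string as presented at login, compared case-insensitively.
    This is the string a tool that keys on the login name would see."""
    s = raw.strip()
    if m := _DOWNLEVEL.match(s):
        return m.group("dom").upper()
    if m := _UPN.match(s):
        return m.group("dom").upper()
    return ""


def canonical_domain(dom: str) -> str:
    """Map a NetBIOS name to its DNS name; DNS names pass through lower-cased."""
    return NETBIOS_TO_DNS.get(dom.upper(), dom).lower()


def parse_logon(raw: str, default_domain: str = DEFAULT_DOMAIN) -> LogonName:
    """Parse either logon format into (user, canonical DNS domain, form)."""
    s = raw.strip()
    if m := _DOWNLEVEL.match(s):
        return LogonName(m.group("user").lower(),
                         canonical_domain(m.group("dom")), "downlevel")
    if m := _UPN.match(s):
        return LogonName(m.group("user").lower(),
                         canonical_domain(m.group("dom")), "upn")
    return LogonName(s.lower(), default_domain.lower(), "bare")


def domain_views(raw_names):
    """Group users by the domain string used at login (the split the manual
    warns about) and by canonical DNS domain.  Returns (raw, canonical)."""
    raw_groups = defaultdict(set)
    canon_groups = defaultdict(set)
    for raw in raw_names:
        ln = parse_logon(raw)
        raw_groups[raw_domain(raw) or "<none>"].add(ln.user)
        canon_groups[ln.domain].add(ln.user)
    return dict(raw_groups), dict(canon_groups)


def mixed_formats(raw_names):
    """Check the manual's mitigation: one logon format for everyone.
    Returns the set of formats in use; more than one element means the
    duplicate-domain problem can occur."""
    return {parse_logon(r).form for r in raw_names}


# Constructed sample of User-Name values as a RADIUS server might receive them.
SAMPLE = [
    "OLDDOMAIN\\jsmith",
    "jsmith@newdomain.example.com",
    "OldDomain\\mjones",
    "CORP\\apatel",
    "apatel@CORP.example.com",
]

if __name__ == "__main__":
    raw, canon = domain_views(SAMPLE)
    print("grouped by login string:", raw)      # 4 apparent domains
    print("grouped canonically:    ", canon)    # 2 real domains
    print("formats in use:", mixed_formats(SAMPLE))
```

Running it on the constructed sample shows four apparent domains collapsing to two once the NetBIOS names are mapped, and `mixed_formats` returning both "downlevel" and "upn", which is exactly the situation the manual's mitigation (one format only) is meant to prevent.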
Multiple RADIUS Server Implementation
If you are using multiple RADIUS servers and users log in through each of them,
IDM should discover all of the servers. However, if one server is used only as a
backup (rather than for load balancing), it may not appear correctly in IDM,
because IDM is not aware of a server until a user logs in through it.
You can use the manual configuration method to define the RADIUS server to IDM;
see “Deleting RADIUS Servers” on page 3-75 for details. The server will then
appear in the IDM tree, and its event logs are available.
Handling Unknown or Unauthorized users
If a user is authenticated by RADIUS but is unknown to IDM, IDM does not override
the RADIUS authentication result or the default switch settings unless you
configure it to do so. Also, if IDM rejects the user but “unauth-vid” is set on
the port, the port is still opened and assigned to the unauth-vid VLAN, so the
rejected user receives whatever access that VLAN allows; keep it restricted. You
can also create a “guest” profile in IDM to provide limited access for unknown
users.