Security Overview

Precedence of Security Options

The profile of attributes applied for each client (MAC address) session is stored in the hpicfUsrProfile MIB, which serves as the configuration interface for Network Immunity Manager. A client profile consists of NIM-configured, RADIUS-assigned, and statically configured parameters. Using show commands for 802.1X, Web, or MAC authentication, you can verify which RADIUS-assigned and statically configured parameters are supported and whether they are supported on a per-port or per-client basis.

A NIM policy accesses the hpicfUsrProfileMIB through SNMP to perform the following actions:

Bind (or unbind) a profile of configured attributes to the MAC address of a client device on an authenticated or unauthenticated port.

Configure or unconfigure an untagged VLAN for use in an authenticated or unauthenticated client session.

Note that the attribute profile assigned to a client is often a combination of NIM-configured, RADIUS-assigned, and statically configured settings. Precedence is always given to the temporarily applied NIM-configured parameters over RADIUS-assigned and locally configured parameters.

For information on Network Immunity Manager, go to the HP ProCurve Networking Web site at www.procurve.com/solutions, click on Security, and then click on Security Products.

Arbitrating Client-Specific Attributes

In previous releases, client-specific authentication parameters for 802.1X, Web, and MAC authentication are assigned to a port using different criteria. A RADIUS-assigned parameter is always given highest priority and overrides statically configured local passwords. 802.1X authentication parameters override Web or MAC authentication parameters.

DCA stores three levels of client-specific authentication parameters and prioritizes them according to the following hierarchy of precedence:

1. NIM access policy (applied through SNMP)

2. RADIUS-assigned

   a. 802.1X authentication

   b. Web or MAC authentication

3. Statically (local) configured
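
The hierarchy above can be modelled as a per-attribute merge, which is useful when auditing which setting is actually in effect for a client and which configured values are being overridden. This is an added example, not code from HP or from the switch software; the source labels, attribute names, and sample values are constructed, and per-attribute arbitration is an assumption based on the description of a profile as a combination of settings.

```python
# Added illustration: models the precedence hierarchy described above.
# Source labels and attribute names are assumptions, not switch identifiers.
from typing import Dict, List, Tuple

# Highest precedence first, following the numbered hierarchy.
PRECEDENCE = ("nim", "radius_8021x", "radius_web_mac", "static")


def arbitrate(sources: Dict[str, Dict[str, object]]) -> Dict[str, Tuple[object, str]]:
    """Return {attribute: (effective_value, winning_source)} for one client session."""
    unknown = set(sources) - set(PRECEDENCE)
    if unknown:
        raise ValueError(f"unknown parameter source(s): {sorted(unknown)}")
    effective = {}
    # Walk from lowest to highest precedence so later writes override earlier ones.
    for source in reversed(PRECEDENCE):
        for attr, value in sources.get(source, {}).items():
            if value is not None:  # None means "not set at this level"
                effective[attr] = (value, source)
    return effective


def shadowed(sources: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """List (attribute, losing_source, winning_source) for overridden settings."""
    winners = arbitrate(sources)
    out = []
    for source in PRECEDENCE:
        for attr, value in sources.get(source, {}).items():
            if value is not None and winners[attr][1] != source:
                out.append((attr, source, winners[attr][1]))
    return out


# Constructed sample session for one client MAC address.
SAMPLE = {
    "static": {"untagged_vlan": 10, "rate_limit_pct": 100},
    "radius_8021x": {"untagged_vlan": 20, "cos": 5},
    "nim": {"untagged_vlan": 999},  # temporarily applied NIM setting
}

if __name__ == "__main__":
    for attr, (value, source) in sorted(arbitrate(SAMPLE).items()):
        print(f"{attr:15} = {value!s:5} (from {source})")
    # Unbinding the NIM profile lets the RADIUS-assigned VLAN apply again.
    without_nim = {k: v for k, v in SAMPLE.items() if k != "nim"}
    print("after NIM unbind:", arbitrate(without_nim)["untagged_vlan"])
```

The `shadowed` helper reports configured values that never take effect for the session, which is the part of an audit that the effective profile alone does not show.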
