The iLO 2 MP devices use local host time to enforce time restrictions. If the iLO 2 MP device clock is not set, the role time restriction fails (unless no time restrictions are specified on the role).

Role-based time restrictions can only be enforced if the time is set on the iLO 2 MP device. The time is normally set when the host is booted and is maintained by running the agents in the host operating system, which enables the iLO 2 MP device to compensate for leap years and minimize clock drift with respect to the host. Events such as unexpected power loss or the flashing of MP firmware can cause the iLO 2 MP device clock not to be set. Also, the host time must be correct for the iLO 2 MP device to preserve time across firmware flashes.

IP Address Range Restrictions

IP address range restrictions enable you to specify network addresses that are granted or denied access by the restriction. The address range is typically specified in a low-to-high range format. You can specify an address range to grant or deny access to a single address. Addresses that fall within the low-to-high IP address range meet the IP address restriction.

IP Address and Subnet Mask Restrictions

IP address and subnet mask restrictions enable you to specify a range of addresses that are granted or denied access by the restriction. This format has similar capabilities to those in an IP address range but can be more native to your networking environment. An IP address and subnet mask range is typically specified using a subnet address and address bit mask that identifies addresses on the same logical network.

In binary math, if the bits of a client machine address are added to the bits of the subnet mask, and these bits match the restriction subnet address, the client machine meets the restriction.

DNS-Based Restrictions

DNS-based restrictions use the network naming service to examine the logical name of the client machine by looking up machine names assigned to the client IP addresses. DNS restrictions require a functional name server. If the name service fails or cannot be reached, DNS restrictions cannot be matched and will fail.

DNS-based restrictions can limit access to a single, specific machine name or to machines sharing a common domain suffix. For example, the DNS restriction www.hp.com matches hosts that are assigned the domain name www.hp.com. However, the DNS restriction *.hp.com matches any machine originating from HP.

DNS restrictions can cause some ambiguity because a host can be multi-homed. DNS restrictions do not necessarily match one-to-one with a single system.

Using DNS-based restrictions can create some security complications. Name service protocols are insecure. Any individual with malicious intent and access to the network can place a rogue DNS service on the network, creating fake address restriction criteria. Organizational security policies should be taken into consideration when implementing DNS-based address restrictions.

Role Address Restrictions

Role address restrictions are enforced by the MP firmware, based on the client's IP network address. When the address restrictions are met for a role, the rights granted by the role apply.

Address restrictions can be difficult to manage if access is attempted across firewalls or through network proxies. Either of these mechanisms can change the apparent network address of the client, causing the address restrictions to be enforced in an unexpected manner.

How Directory Login Restrictions Are Enforced

The following figure shows how two sets of restrictions potentially limit a directory user's access to iLO 2 MP devices. User access restrictions limit a user's access to authenticate to the directory.

176 Installing and Configuring Directory Services

Page 176
Image 176
HP Integrity iLO 2 MP 5991-6005 manual How Directory Login Restrictions Are Enforced, IP Address Range Restrictions