Introduction
Clients that are successfully authenticated, Employees in Figure 1-1, are typically associated with Access
Policies that provide access to secure network resources. Clients that are not successfully authenticated,
Untrusted Users, are typically associated with an Access Policy that allows only the ability to logon. The
700wl Series system also provides a Guest logon feature and Access Policy, that can be used to provide
limited network access to users designated as Guests, for example, Internet access via the network with
no intranet access.
Access Policies are defined and maintained by the Access Control Server, but are administered by the
Access Controller. Once a client has been identified and the appropriate Access Policy has been returned
to the Access Controller, the Access Controller is responsible for filtering client traffic and either
forwarding it to its destination, redirecting it to the appropriate alternate destination, or dropping it. The
Access Control Server does not get involved again unless something occurs that requires a renewal of the
client’s rights, such as expiration of their existing rights, or roaming to a different location.
In addition to being the repository for the Authentication Policies, Access Policies, and other system
configuration information, the Access Control Server maintains status for every Access Controller. This
includes status for every client connected to the 700wl Series system and every client session.
700wl Series Functions
The 700wl Series system provides central control of Access Controllers, and clients. The key system
functions are: client authentication, rights management, Wireless Data Privacy, roaming support, NAT,
and VLANs.
Client Authentication
The 700wl Series system provides a great deal of flexibility in authenticating users. The system supports
three types of authentication:
• Browser-based logon: With browser-based logon, the first time a client attempts an HTTP access, the
Access Controller presents a browser-based logon page. After the user enters a logon ID and password,
the Rights Manager authenticates the client using one or more Authentication services, such as an
LDAP database, RADIUS server, Kerberos service, or through the Rights Manager’s own built-in
authentication database.
• VPN logon: With VPN logon, the client initiates a connection to the network using L2TP or PPTP. The
Access Controller uses the login information provided by the VPN client for authentication via
RADIUS or the built-in database. In this case, the user does not see the HP ProCurve logon page.
• Monitored logon: The 700wl Series system supports both 802.1x logon and NT Domain logon. In both
these cases, the system simply forwards the packets on to the RADIUS or NT Domain server, and
monitors the response to determine whether the client has been successfully authenticated.
Once the client has been authenticated, rights for the client are requested from the Rights Manager.
The Rights Manager uses the concept of Authentication Policies, which are ordered lists of one or more
authentication services. By defining multiple Authentication Policies, you can use different authentication
methods for users logging in through different locations or at different times.
The 700wl Series system supports the following authentication services, any of which can be used in an
Authentication Policy:
• LDAP directory services, such as Active Directory or iPlanet LDAP server
HP ProCurve Secure Access 700wl Series Management and Configuration Guide 1-3