In a departure from most NAC solutions, ProCurve’s RADIUS server isn't a server at all, but a plug-in that integrates directly with Windows' Network Policy Server and FreeRADIUS on Linux, as well as with HP’s own RADIUS appliance.
Because Identity Driven Manager is integrated into HP’s network management tools, it brings a great deal of visibility to the whole NAC infrastructure, collecting logon and logoff information from switches and maintaining profiles and history information on every user.
Identity Driven Manager works most naturally with Windows Active Directory, and has a plug-in that handles directory synchronisation between Active Directory and Identity Driven Manager.
To leverage HP's built-in security capabilities, Identity Driven Manager lets you define network access profiles for each user or Active Directory group. These can provide standard VLAN assignment, but also QoS profiles, rate limiting and access control lists.
The sophistication of Identity Driven Manager’s access control rules (and the simplicity of building ACLs) makes it one of the strongest solutions for a NAC deployment focusing on fine-grained access controls. We were also told that new HP wireless access points (released after our testing had already started) support the access control features of Identity Driven Manager. For Cisco switches, only VLAN assignment is supported.
Identity Driven Manager is especially well named, because it really focuses on identity and gives very little thought to end-point security checking. HP doesn’t actually include an end-point security checker, but it does integrate fully with Microsoft’s NAP client, as well as with third-party end-point security checkers.
HP's Identity Driven Manager depends heavily on HP switches for some NAC features that other products build in, such as a captive portal for guests who do not authenticate with 802.1X. When web-based authentication is enabled on a switch port, the switch provides a primitive captive portal, and Identity Driven Manager is still consulted, giving the network manager the option to apply access controls to guest users as well, although Identity Driven Manager itself has no guest management features.
There is also no real support for MAC-based authentication (as might be used with VoIP phones and printers), creating a requirement for the network manager to manually separate out these devices from the NAC solution. This makes it less of a full-featured solution for large-scale NAC deployments.
HP's NAC will be most attractive to existing HP switch customers. One of the advantages of Identity Driven Manager, though, is that it is simple both in concept and in management. Rather than depending heavily on magical back-door configuration of devices, Identity Driven Manager offers a simple 802.1X-based NAC solution that marries authentication, some end-point security features, and strong access controls in a very cost-effective package.