Security Solutions
Designing Access Controls
Choose the Access Control Methods
The remainder of this section outlines the factors you should consider when
selecting authentication and encryption methods for public or private wireless
zones.

Public Wireless Zones. With a public wireless network, the goal is usually
to provide convenient access for guests, rather than to provide strong security.
Because guests cannot access sensitive materials or confidential information
on your network, you do not need to worry about protecting the data that they
access.

If you are selecting an access control method for a public wireless zone, you
might not even enforce authentication, or you might use Web-Auth, which
does not require encryption on its own. If you decide to require encryption,
you might be willing to select a weak encryption method, such as static WEP,
which all wireless NICs support.

Private Wireless Zones. For private wireless zones, you should typically
impose the tightest access control and encryption methods possible—802.1X
with WPA/WPA2.

To determine whether your environment supports this option, ask these
questions:

Authentication Method: Web-Auth
Encryption Options:
• None by default
• Optional encryption possible, depending on AP
Advantages:
• Ideal for public zones
• User-based authentication
• No configuration on endpoints—unless using optional encryption
• No 802.1X supplicant required
Disadvantages:
• Web browser and user interaction required—no headless devices
• No encryption by default
• RADIUS server required
• No seamless roaming

Authentication Method: MAC-Auth (local and RADIUS)
Encryption Options:
• Optional encryption possible, depending on AP
Advantages:
• Control over which endpoints connect to the network
• No software on the endpoint
• Possible to combine this method with another access control method
Disadvantages:
• Not scalable
• High administrative overhead
• Susceptible to spoofing
• Hardware-based, rather than user-based, authentication

Authentication Method: None
Encryption Options:
• Static WEP
• WPA/WPA2 with Preshared Key (PSK)
  – TKIP
  – CCMP-AES
Advantages:
• No 802.1X supplicant required
• Less configuration on endpoint
• No RADIUS server required
Disadvantages:
• Static WEP is easily cracked
• No user-based or centralized authentication
• No dynamic settings
• Easily compromised password (same for all users)