Security Solutions
3-23
Designing Access Controls
Choose the Access Control Methods
If you have a large number of users who are technically unsophisticated, you
may need to factor in some training if you select 802.1X as the access control
method. On the other hand, if you have a large number of highly knowledgeable
users (such as university students), you will probably want to rule out
less-secure access methods and focus on 802.1X combined with strict application
and data access controls.
Table 3-6 relates users’ technical knowledge to access control methods.
Table 3-6. Access Control Method by User Sophistication Level
Incidentally, technical knowledge may be even more important as you consider
endpoint integrity checking. (See “Choose the Endpoint Integrity
Deployment Method” on page 3-51.)
Example
The PCU network administrators have selected the access control methods
shown in Table 3-7, based only on their evaluation of user sophistication. They
believe that in public zones, such as the plaza and the library, user sophistication
will vary widely. (The plaza has been identified as a public wireless zone, and
the library, a public wired and wireless zone.) Therefore, Web-Auth is probably
the best solution for these zones.
Most of the private zones are used mainly by students, whose computer skills
are fairly good to excellent. They should have no problems configuring an 802.1X
supplicant.
There is one exception, however—the administration building. In this private
wired zone, many users have only basic computer skills. Some of them might
have problems configuring an 802.1X supplicant—at least initially. The PCU
network administrators must document this exception, so they can weigh this
factor against others (such as risk tolerance) for this particular zone. If the PCU
network administrators ultimately select 802.1X for this zone (after they weigh
all the factors), they must either provide the IT resources to configure the
supplicants on behalf of users, or they must provide some training.
                             MAC-Auth   Web-Auth                 802.1X
User sophistication needed   Low        Medium-low               Medium
User interaction             None       Enter user credentials   • Enter user credentials
                                                                 • Configure a supplicant in some cases
                                                                 • Download and install supplicant in some cases