Security Solutions

Designing Access Controls
Choose the Access Control Methods
Even gaming devices, such as the Microsoft Xbox 360, include a NIC, so they can connect to a network and be admitted through MAC-Auth. Your security policy must state whether gaming devices are allowed on the network at all. If they are, you must give users a way to register their gaming devices so that the MAC addresses can be entered for MAC-Auth. Keep in mind that a MAC address is transmitted in the clear and is trivial to copy, so MAC-Auth identifies a device only as reliably as the registration process behind it.
At PCU, for example, the network administrators plan to create a secure Web page that walks students through registering their gaming devices. They also plan to use IDM to restrict the times at which such devices can access the network: students will be able to play games over the network from 7 p.m. to 1 a.m.
Because the Web browser is a standard user application, most workstations, laptops, and smartphones support Web-Auth. With the emphasis on tighter security, however, vendors have recognized the need for 802.1X and added 802.1X supplicants to their OSs. Even PDAs typically offer limited 802.1X support, and some newer network printers include supplicants. Third-party supplicants are also available.
Legacy OSs such as Windows NT or Windows ME, on the other hand, do not support 802.1X unless a third-party supplicant is specially installed, and "headless" endpoints such as older network printers cannot run a supplicant of any kind. If your network includes endpoints that simply cannot support 802.1X, use MAC-Auth to control their access and implement 802.1X for all other endpoints.
Example
Table 3-10 lists the access control methods for the endpoints on the PCU network.

Table 3-10. Configuration of PCU's Endpoints

Hardware                          | Type of Interface                                               | Operating System (supplicant support)                                   | Access Control Method
Workstations                      | User interface, flexible                                        | May or may not be compatible; supplicant installation easy              | Web-Auth or 802.1X
Laptops                           | User interface, flexible                                        | May or may not be compatible; supplicant installation easy              | Web-Auth or 802.1X
PDAs and smart phones             | User interface, somewhat flexible                               | May or may not be compatible; supplicant installation may be difficult  | Web-Auth
IP telephone exchange             | Headless; inflexible                                            | n/a                                                                     | MAC-Auth
Printers, fax machines, and so on | Older "headless" printers: inflexible; newer printers: flexible | n/a                                                                     | MAC-Auth or 802.1X
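The following Python is an added example, not code from the original text or from any HP ProCurve or IDM product. It shows three checks a network team could put behind a PCU-style registration page and access policy: normalizing and sanity-checking the MAC address a student types in, evaluating the 7 p.m. to 1 a.m. gaming window (which crosses midnight, the case a naive comparison gets wrong), and applying the Table 3-10 rule for choosing an access control method, preferring 802.1X wherever a supplicant is available as the text recommends. The Endpoint attributes, function names, and the exact window times are assumptions for illustration.

```python
"""Added example: registration and policy checks for MAC-Auth enrollment.
All helper names and endpoint attributes are assumptions for illustration,
not an IDM or switch API."""
from dataclasses import dataclass
from datetime import time
import re

# Users type MACs in several spellings; canonicalize once so the stored
# record matches what the switch reports to the RADIUS server.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Return the canonical aa:bb:cc:dd:ee:ff form or raise ValueError.

    Accepts colon, hyphen, Cisco dotted (aabb.ccdd.eeff) and bare forms.
    Rejects group (multicast/broadcast) addresses: no NIC uses one as its
    source address, so such an entry could only be a typo or an attempt to
    register something that is not a device.
    """
    digits = re.sub(r"[:\-.\s]", "", raw.strip().lower())
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    if int(digits[:2], 16) & 0x01:
        raise ValueError(f"group (multicast) address cannot be registered: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


GAMING_START = time(19, 0)  # 7 p.m., assumed from the PCU example
GAMING_END = time(1, 0)     # 1 a.m. the next day


def gaming_allowed(now: time, start: time = GAMING_START, end: time = GAMING_END) -> bool:
    """True if `now` falls inside the half-open window [start, end).

    When the window crosses midnight (start > end) the usual
    `start <= now < end` test is never true, so that case is handled
    as two ranges: from start to midnight, and from midnight to end.
    """
    if start <= end:
        return start <= now < end
    return now >= start or now < end


@dataclass(frozen=True)
class Endpoint:
    name: str
    has_user_interface: bool  # can a person complete a browser login on it?
    supports_8021x: bool      # built-in or installable 802.1X supplicant


def choose_method(ep: Endpoint) -> str:
    """Table 3-10 rule: 802.1X wherever a supplicant exists, Web-Auth for
    interactive endpoints without one, MAC-Auth for headless endpoints."""
    if ep.supports_8021x:
        return "802.1X"
    if ep.has_user_interface:
        return "Web-Auth"
    return "MAC-Auth"


if __name__ == "__main__":
    # Constructed sample input for a stand-alone run.
    for raw in ("00-1A-2B-3C-4D-5E", "001a.2b3c.4d5e", "01:00:5e:00:00:01"):
        try:
            print(raw, "->", normalize_mac(raw))
        except ValueError as exc:
            print(raw, "rejected:", exc)
    for t in (time(18, 59), time(19, 0), time(0, 30), time(1, 0)):
        print(t, "gaming allowed:", gaming_allowed(t))
    for ep in (Endpoint("student laptop", True, True),
               Endpoint("PDA", True, False),
               Endpoint("old printer", False, False),
               Endpoint("new printer", False, True)):
        print(ep.name, "->", choose_method(ep))
```

Normalizing before storing matters because the switch's RADIUS request and the registration database must agree byte for byte; a stray hyphen or uppercase letter in the whitelist silently turns into a denied device and a help-desk call.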