Security Solutions

Designing Access Controls
Choose the Access Control Methods
In addition to the endpoints listed in Table 3-10, the PCU network includes a
UNIX supercomputer and servers. Port authentication is less critical for the
supercomputer and servers because they are housed in a secure, locked room to
which only a few people have keys; physical access control is the primary
control for those ports.
You should always secure physical access to your servers so that unauthorized
users cannot reach them to steal your data or change your configuration.
However, if you have a small company and cannot place the servers in a secure,
locked room, you should implement 802.1X on the server ports (each server must
then run an 802.1X supplicant) and password protect each server's console.
Basing the decision solely on endpoint compatibility factors, the PCU network
administrators decide that for workstations, Web-Auth or 802.1X would be
feasible. The headless devices must use MAC-Auth because they cannot input
credentials.
In addition, PCU has a few APs that do not have an 802.1X supplicant. The
network administrators decide to use MAC-Auth to authenticate these APs
as well.
Table 3-11 (reproduced at the end of this section) shows the access methods
they selected for each zone.
Administrative Control over Endpoints
You must next consider who controls the endpoints, particularly workstations,
laptops, PDAs, and smartphones, on the network. In short, can network
administrators require users to download software to their endpoints and to alter
settings on them?
For example, if the IT staff controls the endpoints, it is relatively easy to ensure
that each one has a supplicant for an 802.1X implementation. If end-users own
and control their endpoints, however, they may be reluctant to install and run
supplicant software for a variety of reasons. Similarly, guest users are effectively
outside the control of the IT department.
Table 3-12 summarizes administrative control levels.
Table 3-11. Access Control Method by Endpoint Capabilities

Factor: Endpoint capabilities

  Private Wired:     802.1X for all endpoints that support it;
                     MAC-Auth for headless devices and legacy APs
  Public Wired:      Web-Auth for all endpoints that support it;
                     MAC-Auth for headless devices
  Private Wireless:  802.1X with WPA/WPA2
  Public Wireless:   Web-Auth
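The selection rules in Table 3-11 and the administrative-control question above can be written down as one decision procedure. The following is an added example, not part of the course material or any ProCurve tool: it encodes the page's rules (headless devices get MAC-Auth; public zones and guests get Web-Auth; IT-managed endpoints with a supplicant in private zones get 802.1X, with WPA/WPA2 on wireless) and goes one step beyond the table by assuming, as this example's own choice, that user-owned endpoints whose owners will not install a supplicant fall back to Web-Auth. The endpoint inventory is constructed for illustration; the zone, control and attribute names are the example's, not the course's.

```python
"""Access-control method selection per endpoint (added example)."""
from dataclasses import dataclass
from enum import Enum


class Zone(Enum):
    PRIVATE_WIRED = "private wired"
    PUBLIC_WIRED = "public wired"
    PRIVATE_WIRELESS = "private wireless"
    PUBLIC_WIRELESS = "public wireless"


class Control(Enum):
    IT_MANAGED = "IT-managed"   # IT can install a supplicant and change settings
    USER_OWNED = "user-owned"   # user may refuse to install a supplicant
    GUEST = "guest"             # entirely outside IT control


@dataclass(frozen=True)
class Endpoint:
    name: str
    zone: Zone
    control: Control
    has_supplicant: bool      # device can run an 802.1X (EAP) supplicant
    interactive_user: bool    # someone can type credentials (False = headless)


def choose_method(ep: Endpoint) -> str:
    """Return the access-control method for one endpoint.

    Rules follow Table 3-11; the user-owned fallback is this example's assumption.
    """
    public = ep.zone in (Zone.PUBLIC_WIRED, Zone.PUBLIC_WIRELESS)
    wireless = ep.zone in (Zone.PRIVATE_WIRELESS, Zone.PUBLIC_WIRELESS)

    # Headless devices (printers, cameras, legacy APs) cannot input
    # credentials, so MAC-Auth is the only option on any zone.
    if not ep.interactive_user:
        return "MAC-Auth"

    # Public zones serve visitors; IT cannot require a supplicant there,
    # and guests are outside IT control wherever they connect.
    if public or ep.control is Control.GUEST:
        return "Web-Auth"

    # Private zones: 802.1X wherever IT can guarantee a working supplicant.
    if ep.has_supplicant and ep.control is Control.IT_MANAGED:
        return "802.1X with WPA/WPA2" if wireless else "802.1X"

    # Assumption (not in the table): a user-owned or supplicant-less
    # endpoint in a private zone falls back to Web-Auth rather than
    # being left unauthenticated.
    return "Web-Auth"


def plan(inventory):
    """Map every endpoint name to its selected method."""
    return {ep.name: choose_method(ep) for ep in inventory}


def mac_auth_ports(selection):
    """Endpoints relying on MAC-Auth only; MAC addresses are trivially
    spoofed, so these are the ports to review for compensating controls."""
    return sorted(name for name, m in selection.items() if m == "MAC-Auth")


# Constructed inventory modelled on the PCU zones (illustrative, not PCU's data).
PCU_INVENTORY = (
    Endpoint("lab-workstation", Zone.PRIVATE_WIRED, Control.IT_MANAGED, True, True),
    Endpoint("printer", Zone.PRIVATE_WIRED, Control.IT_MANAGED, False, False),
    Endpoint("legacy-ap", Zone.PRIVATE_WIRED, Control.IT_MANAGED, False, False),
    Endpoint("staff-laptop-wifi", Zone.PRIVATE_WIRELESS, Control.IT_MANAGED, True, True),
    Endpoint("student-own-laptop", Zone.PRIVATE_WIRED, Control.USER_OWNED, False, True),
    Endpoint("visitor-kiosk", Zone.PUBLIC_WIRED, Control.GUEST, True, True),
    Endpoint("visitor-phone", Zone.PUBLIC_WIRELESS, Control.GUEST, False, True),
)

if __name__ == "__main__":
    selection = plan(PCU_INVENTORY)
    for name, method in selection.items():
        print(f"{name:22} {method}")
    print("MAC-Auth only:", mac_auth_ports(selection))
```

Running the block prints one line per endpoint and then the list of ports that depend on MAC-Auth alone, which is the list a practitioner would want when deciding where port security or a restricted VLAN should back up the weak authentication.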