Security Solutions
3-30
Designing Access Controls
Choose the Access Control Methods
For the wireless zones, the APs should implement the access control methods
you select as long as they are capable of doing so. In some cases, the switch
port to which the AP connects might enforce the access control instead (the
AP might still require encryption); however, this strategy is less desirable for
several reasons:
■ When the AP implements 802.1X authentication, the EAP exchange fur-
thers the negotiation of secure per-session keys.
■ If the switch port acts as the authenticator, it can implement dynamic
settings for a single user only (the first to authenticate). An AP can enforce
different settings for each association with a different user.
■ A switch might be limited in the number of users that it can authenticate
on a single port.
Table 3-16 shows the access control methods supported by ProCurve wireless
products.
Note ProCurve Networking periodically updates the software on APs, Wireless
Edge Services Modules, and switches. Check the ProCurve Web site at http:/
/www.procurve.com to see if there is a newer software version, which delivers
new capabilities for these wireless products.
Table 3-16. Network Access Control Capabilities of ProCurve Wireless Products
Example
Most of the switches on the PCU network support 802.1X and Web-Auth. The
existing APs also support 802.1X; however, some older APs do not support
Web-Auth. Based only on the current network infrastructure, the PCU network
administrators select the access control methods shown in Table 3-17.
Table 3-17. Access Control Method by Existing Infrastructure
ProCurve Product Software Version MAC-Auth Web-Auth 802.1X
Wireless Edge Services xl Module WS.02.07 X X X
Wireless Edge Services zl Module WS.02.02 X X X
AP 530 WA.01.19 X X
AP 420 2.2.1 X X
Factor Private Wired Public Wired Private Wireless Public Wireless
Existing infrastructure 802.1X 802.1X 802.1X with WPA/
WPA2
802.1X with WPA/
WPA2