Security Solutions
Designing Access Controls
Choose the Access Control Methods
Network Infrastructure Devices as 802.1X Supplicants
If you implement 802.1X on the ports at your edge switches, you will want to
authenticate network infrastructure devices (such as APs or even switches)
as well as endpoints. This prevents anyone from attaching rogue APs and other
unauthorized devices that could compromise your network security. APs can
be a particular concern because you do not want anyone to attach a rogue AP
to the network and begin collecting usernames and passwords from users.
In the 802.1X authentication process, an AP (or switch) typically functions as
a network access server (NAS), initiating the authentication process and
forcing a supplicant to authenticate before sending traffic onto the network.
To authenticate to the network, however, the AP must assume another role:
it must function as the 802.1X supplicant. Before transmitting traffic—including
stations’ traffic—onto the network, the AP must submit a valid username
and password to its NAS, which is the switch to which the AP attaches.
Like endpoints, APs must have the necessary software to function as an 802.1X
supplicant. You must check your AP to determine if it has a supplicant. The
ProCurve AP 420 and the ProCurve Radio Ports (RPs) include an 802.1X
supplicant. (Because ProCurve Networking periodically updates its wireless
products, you should always check the ProCurve Web site at
http://www.procurve.com for a current list of each product’s capabilities.)
You should evaluate what other network infrastructure devices should
authenticate to the network. It may be less critical for switches to act as supplicants
if the two connecting switches (or the wall jacks that they supply) are placed
in the same secure, locked room. That way, the secure room protects the
connecting ports on both switches and the cable itself.
If two connecting switches are in different buildings and connect via RJ-45
jacks that are not protected in a secure room, you should protect the ports by
implementing 802.1X on those ports and configuring the 802.1X supplicant on
the switches.
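
The inter-building case above, sketched as ProCurve CLI configuration (an added example, not taken from the original guide). The port numbers, RADIUS server address, shared key, and supplicant identity are constructed placeholders, and exact syntax can vary by switch model and software release.

```text
; --- Switch A: authenticator (NAS) side of the inter-building link ---
; Assumption: port 24 is the exposed RJ-45 uplink to Switch B.
; Assumption: 192.0.2.10 is a placeholder RADIUS server address.
radius-server host 192.0.2.10 key <radius-shared-key>
aaa authentication port-access eap-radius
aaa port-access authenticator 24
aaa port-access authenticator active

; Confirm that the port is enforcing 802.1X
show port-access authenticator

; --- Switch B: supplicant side of the same link ---
; Assumption: port 1 is the uplink to Switch A.
; The identity must match an account the RADIUS server accepts.
aaa port-access supplicant 1
aaa port-access supplicant 1 identity <switch-b-username> secret
; The CLI prompts for the password after the "secret" keyword.

; Confirm the supplicant state on the uplink
show port-access supplicant
```

With this in place, Switch A keeps port 24 closed until the device on the other end of the cable presents credentials that the RADIUS server accepts.
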
Table 3-18 shows at-a-glance which ProCurve switches include an 802.1X
supplicant.