Security Solutions

ManualsBrandsHP ManualsSoftwareHP ProCurve Access Control Client Software

171

172

173

174

175

176

177

178

179

180

3-56

Designing Access Controls

Choose the Endpoint Integrity Deployment Method

traffic mirroring, traffic can be mirrored from a local switch to a remote

switch. This gives you greater flexibility in placing your NAC 800 in an 802.1X

deployment. (For more information, see “NAC 800 as the RADIUS Server” on

page 3-94.)

For the DHCP deployment method, you must be using DHCP, which should

not be a barrier for a network of any size.

The inline deployment method requires no specific capabilities on the network

infrastructure devices; it does require, however, a network design with stra-

tegic choke points at which the NAC 800 can be placed. For this reason, the

inline deployment method is usually used to test remote endpoints in conjunc-

tion with another deployment method for local endpoints.

Example

Considering only the capabilities and layout of the existing network infrastruc-

ture, the PCU network administrators select the deployment methods shown

in the first row below. (All existing switches and APs support 802.1X, and

switches support mirroring.)

Again, however, the administrators remember the overriding factor—the

public zones use Web-Auth—so they remove the 802.1X deployment method

from their options in the public zones. The existing network design is not well

suited for an inline deployment in either wired or wireless zones: there are no

choke points at which all traffic is bridged into the same VLAN. So the network

administrators choose DHCP.

Table 3-38. Deployment Method by Existing Network Infrastructure

Connection Type

Connection type is usually a factor only if you have remote connections. The

inline deployment method is ideal for these remote connections because

incoming traffic typically enters the network through one point only: the edge

router or VPN gateway. (As mentioned earlier, it is also possible to use inline

for wireless networks, although it is not typically recommended.)

Factor Private Wired Public Wired Private

Wireless

Public Wireless Remote

Existing network

infrastructure

802.1X 802.1X 802.1X 802.1X Inline

Existing network

infrastructure—After access

control method is considered

802.1X DHCP 802.1X DHCP Inline