Security Solutions

Designing Access Controls
Choose Endpoint Integrity Testing Methods
all three testing methods are selected, the order determines which end-user
access control screen is presented first to the user, which one is presented
second, and which one third. For example, if the NAC EI agent is configured
as the first testing method and the agentless is second, users will first see the
NAC EI agent installation screen. If that testing method doesn’t work (for
example, if the user refuses to download and install the NAC EI agent), the
user will next see the agentless end-user access screen, which prompts for the
endpoint’s administrator credentials.
Factors to Consider for Testing Methods
The sections below describe selecting testing methods for the five security
zones. As you read through these sections, consider what it means to ensure
that a particular method works in a particular zone. You might need to perform
particular tasks on endpoints in that zone—for example, installing the NAC
EI agent or opening ports. Or, you might publish the NAC EI agent in Active
Directory for a group of users in that zone.
You should check the cluster settings that apply to the NAC 800 cluster that
controls the zone. For example, if you are using the DHCP deployment
method, the controlling cluster contains the NAC 800 that intercepts the
endpoints’ DHCP requests.
Keep in mind that a cluster might control endpoints in more than one zone.
This should not be a problem, however, because you can enable more than
one testing method in a cluster.
To determine which testing methods you want to use, you should consider:
• Administrative control over endpoints
• Post-connect testing
• User sophistication
• Administrative workload
• Network overhead
Administrative Control over Endpoints
The amount of administrative control you have over endpoints determines
whether you can configure endpoints to support a particular testing method.
For example, if you have very limited control over endpoints, you cannot
require users to download software to their endpoints. In addition, you will
not know the administrator credentials for those endpoints, and end users will
probably not provide these credentials voluntarily.