Security Solutions
Designing Access Controls
Choose Endpoint Integrity Testing Methods
The PCU network administrators also want to use the NAC EI agent for the
public wired and private wireless zones. Although some students and guest
users may refuse to download an agent to their endpoint, the PCU network
administrators still want to offer this option. As a backup testing method, the
network administrators will use the ActiveX testing method. They think most
users accessing the network in these zones will make heavy use of the Internet,
so their Web browsers will typically be open.
Table 3-47. Testing Method by Post-Connect Testing
User Sophistication
User sophistication can be a factor in choosing testing methods, either when
users are so unsophisticated that they are overly bothered by downloads and
installations or, conversely, when they are so sophisticated that they know how
to avoid having their endpoints retested (post-connect testing).
What can you reasonably expect your users to do? Can they download and
install the NAC EI agent? For the majority of users, this process should not be
too taxing. However, if you are setting up endpoint integrity for your Windows
domain users, you could use Active Directory to automatically install the agent
on the endpoints so that users would not have to perform this task.
The agentless testing method is generally not a good option for users who are
not part of your Windows domain. To use this method, you or the users must
supply the admin credentials. Because you will not know these credentials, it
is left to the users to enter them on the end-user access screen. However, some
users will not know which username and password to enter for the admin
credentials. (And if they do, they may be loath to enter them.)
The agentless testing method also requires very minimal setup on the endpoint.
File and print sharing must be enabled so that the necessary ports are
open. The configuration required is very minor, but if your users are incapable
or unwilling to do it, you will have to set up the configuration yourself or select
another testing method.
The ActiveX testing method requires ActiveX and JavaScript support on the
users’ Web browsers. If the Web browsers already have this support, no user
interaction is required. If not, this support must be added.
| Factor | Public Wired | Private Wired | Public Wireless | Private Wireless | Remote |
|---|---|---|---|---|---|
| Post-connect testing | NAC EI agent, ActiveX | NAC EI agent, Agentless | NAC EI agent, ActiveX | NAC EI agent, Agentless | NAC EI agent, Agentless |