Security Solutions

3-79
Designing Access Controls
Choose RADIUS Servers
RADIUS Servers in a Network Without Endpoint Integrity
The first PDPs discussed in this chapter are RADIUS servers, which provide
these authentication, authorization, and accounting (AAA) services:
Authenticate end-users—verify that users are who they claim to be
Authorize end-users—grant users rights based on their identities
Create accounting records—collect information about end-user activity,
including when users connect, how long they connect, and which
resources they consume
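The three AAA services above are exactly what a PEP asks a PDP for in a RADIUS exchange. The following Python program is an added example, not ProCurve code and not any listed product's implementation: it models the PEP (a switch) and the PDP (a RADIUS server) in one process, following RFC 2865 for the Access-Request/Access-Accept exchange (User-Password hiding under the shared secret, Response Authenticator check on the reply) and RFC 2866 for accounting Start and Stop records. The shared secret, the local user store, the VLAN number returned as the authorization and the session values are all constructed for the example.

```python
"""RADIUS AAA between a PEP (switch or AP) and a PDP (RADIUS server): added example modelled on
RFC 2865/2866, not ProCurve code; the secret, user store and session values are constructed."""
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST, ACCT_RESPONSE = 1, 2, 3, 4, 5
USER_NAME, USER_PASSWORD, ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 1, 2, 40, 44, 46
TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868 attribute carrying the VLAN to assign (tag byte first)
ACCT_START, ACCT_STOP = 1, 2

def encode_attrs(attrs):
    """[(type, value bytes), ...] -> RADIUS type/length/value bytes (values <= 253 bytes)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs = {}
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[0]], data = data[2:data[1]], data[data[1]:]
    return attrs

def xor_password(data, secret, req_auth, hide):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    if hide:
        data = data + b"\x00" * (-len(data) % 16) or b"\x00" * 16  # pad to whole blocks
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev, out = (block if hide else data[i:i + 16]), out + block
    return out if hide else out.rstrip(b"\x00")

def authenticator(code, ident, auth, body, secret):
    """MD5(Code+ID+Length+auth+Attrs+Secret): RFC 2865 Response Authenticator; with 16 zero bytes as auth, RFC 2866 Accounting-Request authenticator."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body + secret).digest()

class RadiusServer:
    """PDP: authenticates against a local user store, authorises a VLAN, records accounting."""
    def __init__(self, secret, users):  # users: name -> (password, vlan)
        self.secret, self.users, self.accounting = secret, users, []

    def handle(self, pkt):
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        if length != len(pkt) or length < 20:
            raise ValueError("bad RADIUS length")
        req_auth, attrs, body = pkt[4:20], decode_attrs(pkt[20:]), b""
        if code == ACCESS_REQUEST:
            pw = xor_password(attrs.get(USER_PASSWORD, b""), self.secret, req_auth, hide=False)
            entry = self.users.get(attrs.get(USER_NAME))
            if entry and hmac.compare_digest(entry[0], pw):  # authentication
                rcode = ACCESS_ACCEPT                         # authorization: VLAN for this port
                body = encode_attrs([(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + entry[1].encode())])
            else:
                rcode = ACCESS_REJECT
        elif code == ACCT_REQUEST:
            expected = authenticator(code, ident, b"\x00" * 16, pkt[20:], self.secret)
            if not hmac.compare_digest(expected, req_auth):
                raise ValueError("accounting request is not from a holder of the shared secret")
            self.accounting.append({  # accounting record
                "user": attrs[USER_NAME].decode(), "session": attrs[ACCT_SESSION_ID].decode(),
                "status": struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0],
                "seconds": struct.unpack("!I", attrs.get(ACCT_SESSION_TIME, b"\x00" * 4))[0]})
            rcode = ACCT_RESPONSE
        else:
            raise ValueError("unsupported RADIUS code %d" % code)
        hdr = struct.pack("!BBH", rcode, ident, 20 + len(body))
        return hdr + authenticator(rcode, ident, req_auth, body, self.secret) + body

class Switch:
    """PEP: relays the endpoint's credentials, verifies the PDP's reply, then enforces it."""
    def __init__(self, secret, server):
        self.secret, self.server, self.ident = secret, server, 0

    def _send(self, code, req_auth, body):
        self.ident = (self.ident + 1) % 256
        pkt = struct.pack("!BBH", code, self.ident, 20 + len(body)) + req_auth + body
        reply = self.server.handle(pkt)  # on a real network: UDP to port 1812 or 1813
        expected = authenticator(reply[0], reply[1], req_auth, reply[20:], self.secret)
        if reply[1] != self.ident or not hmac.compare_digest(expected, reply[4:20]):
            raise ValueError("reply failed authentication and must be discarded")
        return reply[0], decode_attrs(reply[20:])

    def authenticate(self, user, password):  # returns the authorised VLAN, or None on Access-Reject
        req_auth = os.urandom(16)  # fresh per request; it keys the password hiding
        hidden = xor_password(password, self.secret, req_auth, hide=True)
        code, attrs = self._send(ACCESS_REQUEST, req_auth, encode_attrs([(USER_NAME, user), (USER_PASSWORD, hidden)]))
        return attrs[TUNNEL_PRIVATE_GROUP_ID][1:].decode() if code == ACCESS_ACCEPT else None

    def account(self, user, session, status, seconds=0):
        body = encode_attrs([(USER_NAME, user), (ACCT_SESSION_ID, session), (ACCT_STATUS_TYPE,
                             struct.pack("!I", status)), (ACCT_SESSION_TIME, struct.pack("!I", seconds))])
        req_auth = authenticator(ACCT_REQUEST, (self.ident + 1) % 256, b"\x00" * 16, body, self.secret)
        return self._send(ACCT_REQUEST, req_auth, body)[0] == ACCT_RESPONSE

def demo():
    pdp = RadiusServer(b"constructed-shared-secret", {b"alice": (b"correct horse battery", "20")})
    pep = Switch(b"constructed-shared-secret", pdp)
    out = {"alice": pep.authenticate(b"alice", b"correct horse battery"),
           "bad_pw": pep.authenticate(b"alice", b"wrong"), "unknown": pep.authenticate(b"mallory", b"x")}
    pep.account(b"alice", b"sess-0001", ACCT_START)
    pep.account(b"alice", b"sess-0001", ACCT_STOP, seconds=3600)
    return dict(out, records=pdp.accounting)
```

Two points the example makes that the list above does not: the PEP checks the Response Authenticator before enforcing the verdict, so a reply from anyone who does not hold the shared secret is discarded rather than acted on; and in base RFC 2865 the Access-Request itself carries no such check (only the User-Password is tied to the secret), which is why the PEP-to-PDP path needs to be a trusted network segment or protected with the RFC 2869 Message-Authenticator attribute, which this example does not implement. The local user store stands in for either the internal databases of the devices listed below or the directory service an external RADIUS server would query.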
ProCurve Networking offers RADIUS services in these devices:
ProCurve NAC 800
ProCurve Wireless Edge Services Module internal RADIUS server (supporting
up to 500 users in the local database)
ProCurve AP 530 internal RADIUS server (supporting up to 100 users)
In addition, ProCurve devices have been validated with these RADIUS servers:
Juniper® Networks (formerly Funk) Steel-Belted RADIUS (SBR)
Microsoft® Internet Authentication Service (IAS)
You might have a different RADIUS server that will function with ProCurve
devices. However, decision trees in this section will cover only the servers
listed above.
Choose Which Devices Will Play the Role of PDP
As you may remember, a device can play multiple access control roles. The
same device can be PEP and PDP, and a PDP can store policies and credentials
locally. You must consider which devices will play which roles in your
network.
The endpoint will always be a separate device—the device seeking network
access. The basic combinations for the other three components are:
General—All three components reside on separate devices. Endpoints
connect to switches and APs (PEPs), which send authentication requests
to one or more external RADIUS servers (PDPs). The RADIUS servers
check credentials (and possibly limited policies) against a directory
service. Additional policies can be configured on the RADIUS server
through IDM.