Security Solutions

3-84
Designing Access Controls
Choose RADIUS Servers
As an example, consider a network with a relatively small number of users. For this network
environment, the network administrators would pose the second question:
does the network require a directory service? If it does, the administrators can
narrow their choices to these options:
General
Integrated server
Integrated server/proxy
Considering questions 3 and 4, the network administrators weigh scalability
and ease of management. They select an integrated server/proxy as a good
balance. A NAC 800 will act as the RADIUS server for wired users, and the
Wireless Edge Services xl Module's integrated server will authenticate wireless
users. This solution is scalable and, because all servers will check credentials
against the centralized directory, easy to manage. IDM will manage granular
policies. (See "Add ProCurve IDM" on page 3-98.)
Choose an Access Control Architecture
The four access control components (endpoint, PEP, PDP, and policy repository)
can be deployed in five basic architectures:
Single-site—The network consists of one site, which, of course, contains
all the components.
Multi-site autonomous—The network consists of multiple sites, and
each site contains all the components. The policy/credential repositories
do not communicate with each other.
Multi-site fully distributed—The network consists of multiple sites,
and each site contains all components; however, the policy/credential
repositories communicate with each other and contain the same policies.
Multi-site distributed AAA with centralized policies—The network
consists of multiple sites. Each site contains endpoints, PEPs, and at least
one PDP; however, all PDPs draw on a policy/credential repository stored
at a central site.
Multi-site fully centralized—The network consists of multiple sites,
each with endpoints and PEPs. All PDPs and the policy/credential repository,
however, reside at a central site.
If your network has only one site, you can move to the next section. For a
multi-site network, you must choose among the remaining four architectures.
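The practical difference between the four multi-site architectures is where each component lives and therefore what still works when the WAN link between a branch and the central site goes down, and how many repositories an administrator must touch to change a policy. The following model is an added example written for this page, not code from the ProCurve guide or any HP product. It encodes the component placement exactly as the five definitions above describe it; the site names are constructed, and it assumes (the page does not say) that a PDP holds no cached credentials, so during a WAN outage a PEP can only use components at its own site.

```python
from enum import Enum

# The four access control components named in the section.
COMPONENTS = ("endpoint", "PEP", "PDP", "repository")


class Arch(Enum):
    SINGLE_SITE = "single-site"
    AUTONOMOUS = "multi-site autonomous"
    FULLY_DISTRIBUTED = "multi-site fully distributed"
    DISTRIBUTED_AAA = "multi-site distributed AAA with centralized policies"
    FULLY_CENTRALIZED = "multi-site fully centralized"


def place_components(arch, sites, central):
    """Return {site: frozenset(components)} for an architecture.

    `sites` lists every site; `central` names the site that hosts the central
    PDP/repository in the two centralized variants (ignored otherwise).
    """
    if arch is Arch.SINGLE_SITE and len(sites) != 1:
        raise ValueError("single-site architecture requires exactly one site")
    if central not in sites:
        raise ValueError("central site must be one of the sites")
    placement = {}
    for site in sites:
        comps = {"endpoint", "PEP"}  # every site has users and enforcement points
        if arch in (Arch.SINGLE_SITE, Arch.AUTONOMOUS, Arch.FULLY_DISTRIBUTED):
            comps |= {"PDP", "repository"}  # full stack at every site
        elif arch is Arch.DISTRIBUTED_AAA:
            comps.add("PDP")  # local decision point at each site ...
            if site == central:
                comps.add("repository")  # ... but only one central repository
        elif arch is Arch.FULLY_CENTRALIZED:
            if site == central:
                comps |= {"PDP", "repository"}  # remote sites keep only PEPs
        placement[site] = frozenset(comps)
    return placement


def can_authenticate(arch, sites, central, site, wan_up=True):
    """Can a PEP at `site` complete an authentication right now?

    It needs a reachable PDP, and that PDP needs a reachable repository.
    Assumption (not stated on the page): PDPs cache no credentials, so when
    the WAN is down only components at the same site are reachable.
    """
    placement = place_components(arch, sites, central)
    reachable = set(sites) if wan_up else {site}
    has_pdp = any("PDP" in placement[s] for s in reachable)
    has_repo = any("repository" in placement[s] for s in reachable)
    return has_pdp and has_repo


def policy_change_touchpoints(arch, sites):
    """Number of repositories an administrator must edit for one policy change.

    Autonomous sites each keep an independent repository; the fully
    distributed design replicates one change to every copy; the centralized
    designs hold a single repository.
    """
    if arch is Arch.AUTONOMOUS:
        return len(sites)
    return 1


def compare_multisite(sites, central):
    """Per multi-site architecture: does a branch (and the central site) still
    authenticate users during a WAN outage, and how many repositories does a
    policy change touch?"""
    if len(sites) < 2:
        raise ValueError("need at least two sites to compare multi-site designs")
    branch = next(s for s in sites if s != central)
    rows = {}
    for arch in Arch:
        if arch is Arch.SINGLE_SITE:
            continue
        rows[arch] = {
            "branch_auth_during_wan_outage": can_authenticate(arch, sites, central, branch, wan_up=False),
            "central_auth_during_wan_outage": can_authenticate(arch, sites, central, central, wan_up=False),
            "policy_change_touchpoints": policy_change_touchpoints(arch, sites),
        }
    return rows


if __name__ == "__main__":
    # Constructed sample topology: a headquarters plus two branches.
    SITES = ["HQ", "Branch-A", "Branch-B"]
    for arch, row in compare_multisite(SITES, "HQ").items():
        print(f"{arch.value:55s} {row}")
```

Running it shows the trade-off the section hints at: the autonomous and fully distributed designs keep every branch authenticating through a WAN outage, but the autonomous design costs one repository edit per site for each policy change; both centralized-policy designs need only one edit, at the price that a branch cannot authenticate anyone while the link to the central site is down (in the distributed AAA design the branch PDP is up but has no repository to consult). Whether that outage risk is acceptable is the question to settle before picking among the four.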