Security Solutions

3-85
Designing Access Controls
Choose RADIUS Servers
As you make your decision, take into consideration the design you have
chosen for combining access control components. Clearly, some combinations
do not work with some architectures. For example, you cannot both
integrate all components on PEPs and fully centralize policies. Table 3-66
shows valid choices.
If your answers to the questions below drive you toward an architecture not
supported by your component combination, you should return to “Choose
Which Devices Will Play the Role of PDP” on page 3-79 and rethink your
choice.
Table 3-66. Access Control Architecture Options for Component Combinations
Columns, left to right: Access Control Component Combination; Single-Site; Multi-Site Autonomous; Multi-Site Fully Distributed; Multi-Site Distributed AAA with Centralized Policies; Multi-Site Fully Centralized
General: XXXXX
Integrated server: X X X
Integrated server/proxy: XX XX
Turnkey server: X X X X
Integrated server/proxy with turnkey server: XX XX
Fully integrated: X X

Consider your needs and answer these questions:
1. How fully integrated are your sites? Do the same policies apply to every
site? Do you have sufficient IT resources to manage policies at each site
separately?
If standardizing policies is important to you, you should probably choose
the multi-site fully centralized or the multi-site distributed AAA option.
The main difference between these two options is that, in the first,
RADIUS servers are located centrally and, in the second, RADIUS servers
are located at each site.
For the general, integrated server, and integrated server/proxy combinations,
a directory service at the central location is the credential repository.
For the turnkey server and integrated server/proxy to turnkey server
combinations, one or two RADIUS servers at the central site store credentials
and policies for the entire network. (They would have the IDM agent.
See “Add ProCurve IDM” on page 3-98.)