Security Solutions
3-93
Designing Access Controls
Choose RADIUS Servers
4. Does your organization already use IAS for other functions?
If you already use IAS, there is probably no strong reason to use a different
server for RADIUS functions. But if your organization does not currently
use IAS, the NAC 800 may be a better choice for your RADIUS needs.
5. Have you decided to enforce endpoint integrity with the 802.1X deployment
method? Or do you plan to introduce endpoint integrity in the future?
The NAC 800 should be your RADIUS server. See “RADIUS Servers in a
Network With Endpoint Integrity (802.1X Quarantining)” on page 3-93.
6. Do you prefer a hardware appliance to a software solution?
The NAC 800 can act as a RADIUS server without enforcing endpoint
integrity. You might prefer this hardware appliance for several reasons.
For example, you might not have a server to devote to RADIUS, or servers
might be outside of your control.
RADIUS Servers in a Network With Endpoint Integrity (802.1X Quarantining)
Typically, the NAC 800 should act as the RADIUS server in a network that uses
endpoint integrity with 802.1X quarantining.
However, if you already use IAS as the RADIUS server, you might continue to
do so. This option simplifies management when you do not use IDM. If you do
use IDM, it is probably easier to use the NAC 800 as the RADIUS server.
IAS as the RADIUS Server
See “RADIUS Servers in a Network Without Endpoint Integrity” on page 3-79
for guidelines in choosing the number of IAS servers and in placing them.
On each IAS server, you must download and install plug-ins to configure the
server to work with the NAC 800 or NAC 800s. (See the ProCurve Access
Control Implementation Guide.)
The number of NAC 800s that you deploy depends on the number of endpoints
that must be tested. Each NAC 800 acting as a Combination Server (CS) can
test up to 3000 endpoints. To test more endpoints, deploy a NAC 800
Management Server (MS) and multiple NAC 800 Enforcement Servers (ESs). The ESs
can each test up to 3000 endpoints.