Security Solutions
3-102
Designing Access Controls
Select an EAP Method for 802.1X
The numbered decision points in the tree are discussed in the next few
paragraphs. As you read through these steps, remember:
■ You can select more than one EAP method to accommodate varying
needs. (On the NAC 800, you do not select an EAP method. Instead, you
select the EAP type on the endpoint, and during the negotiation of the
EAP method, the NAC 800 detects the EAP type. If the NAC 800 supports
the EAP type, it automatically uses it.)
■ Certain steps in the decision-making process might carry more or less
weight for you. For example, if your organization allocates limited funds
to IT, the most important factor to consider might be the EAP methods
that your RADIUS servers and endpoints already support. If security is
your priority, you might be willing to invest in new vendor supplicants or
an internal certificate authority (CA).
Keeping these two caveats in mind, consider the decision tree in detail:
1. Does your organization have a full public key infrastructure (PKI) system
in place?
A full PKI system lets you effectively administer the life cycle of digital
certificates for both server and client (user) applications. You can create,
validate, and revoke certificates, usually with your organization’s CA.
The appropriate EAP method for a full PKI system is EAP-TLS, the highest
security option. EAP-TLS is a mutually authenticating method in which
both servers and clients are authenticated by their digital certificates.
If you do not have a full PKI system (and are unwilling to expend time and
money to implement one), EAP-TLS is not an option for you. Consider the
next question.
2. Which devices will use EAP to authenticate? What are the capabilities of
those devices?
The two EAP methods that offer the next highest level of security are
EAP-TTLS and PEAP, both of which offer mutual authentication and tunnel
user credentials securely. If possible, you should select one of these
methods. (For wireless devices, these two protocols—or EAP-TLS—are
recommended even more strongly. EAP-Message Digest 5 (MD5) is
prohibited.)
The capabilities of your devices will of course restrict your choices.
On some devices, such as workstations and laptops, you can install
vendor client utilities to gain support for the method you desire. Other
devices, such as VoIP phones, printers, and network infrastructure
devices, are limited to the specific methods supported by their internal
EAP supplicant.
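The two decision points above can be applied to a whole device inventory at once. The following Python script is an added example, not code from the guide or from the NAC 800 product: it encodes step 1 (EAP-TLS only with a full PKI), step 2 (prefer the tunneled mutual-authentication methods, and never EAP-MD5 on wireless), and the rule that only workstations and laptops can gain methods through an installed vendor supplicant. The endpoint inventory, the attribute names (`built_in_methods`, `installable_methods`) and the device kind labels are constructed assumptions for illustration. Because the NAC 800 detects the EAP type negotiated by the endpoint rather than selecting one itself, the output describes what to configure on each endpoint's supplicant.

```python
"""Added example: plan an EAP method per endpoint using the guide's decision tree.
Inventory, attribute names and device kinds below are constructed for illustration."""
from dataclasses import dataclass, field

# Mutual-authentication methods named in the text; EAP-MD5 is listed in the
# preference order only so it can be reported as a fallback or rejected.
MUTUAL_AUTH = {"EAP-TLS", "EAP-TTLS", "PEAP"}
PREFERENCE = ["EAP-TLS", "EAP-TTLS", "PEAP", "EAP-MD5"]

# Text: vendor client utilities can be installed on workstations and laptops;
# phones, printers and infrastructure devices keep their internal supplicant.
SUPPLICANT_INSTALLABLE = {"workstation", "laptop"}


@dataclass
class Endpoint:
    name: str
    kind: str                 # constructed labels: workstation, laptop, voip-phone, printer, switch
    wireless: bool
    built_in_methods: set     # methods the internal supplicant supports (assumed attribute)
    installable_methods: set = field(default_factory=set)  # via vendor supplicant (assumed)


def candidate_methods(ep: Endpoint) -> set:
    """Methods reachable on this endpoint, including an installable supplicant where allowed."""
    methods = set(ep.built_in_methods)
    if ep.kind in SUPPLICANT_INSTALLABLE:
        methods |= ep.installable_methods
    return methods


def select_method(ep: Endpoint, full_pki: bool) -> tuple:
    """Return (method or None, reason).

    Step 1: EAP-TLS is chosen only when a full PKI exists.
    Step 2: otherwise prefer EAP-TTLS or PEAP; a wireless endpoint must use a
    mutual-authentication method, so EAP-MD5 is never selected for it.
    """
    available = candidate_methods(ep)
    for method in PREFERENCE:
        if method not in available:
            continue
        if method == "EAP-TLS" and not full_pki:
            continue
        if ep.wireless and method not in MUTUAL_AUTH:
            continue  # EAP-MD5 is prohibited on wireless
        if method in MUTUAL_AUTH:
            return method, "mutual authentication"
        return method, "fallback: no mutual-authentication method available"
    if ep.wireless:
        return None, "rejected: wireless requires a mutual-authentication method (EAP-MD5 prohibited)"
    return None, "rejected: no supported EAP method"


def plan(endpoints, full_pki: bool) -> dict:
    """Map endpoint name -> (method, reason) for the whole inventory."""
    return {ep.name: select_method(ep, full_pki) for ep in endpoints}


# Constructed inventory (not from the guide).
INVENTORY = [
    Endpoint("laptop1", "laptop", True, {"EAP-MD5"}, {"PEAP", "EAP-TLS"}),
    Endpoint("phone1", "voip-phone", False, {"EAP-MD5"}),
    Endpoint("wifi-printer", "printer", True, {"EAP-MD5"}),
    Endpoint("switch1", "switch", False, {"PEAP"}, {"EAP-TLS"}),  # installable set ignored
]

if __name__ == "__main__":
    for pki in (False, True):
        print(f"full PKI available: {pki}")
        for name, (method, reason) in plan(INVENTORY, pki).items():
            print(f"  {name:13} -> {method or 'none':8} ({reason})")
```

Run with and without a PKI to see which endpoints move from PEAP to EAP-TLS, which stay on a fallback, and which (the wireless printer with only EAP-MD5) cannot be authenticated under these rules and need a different supplicant or a wired connection.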