Security Solutions

3-105
Designing Access Controls
Select an EAP Method for 802.1X
4. Are you using IDM and is the NAC 800 proxying requests to another RADIUS server?
If not, the default access method should be EAP-TTLS. EAP-TTLS and PEAP are similar in terms of architecture and security, but EAP-TTLS allows a greater variety of authentication methods to be tunneled and thus provides greater flexibility.
However, EAP-TTLS and some implementations of PEAP might conceal a user’s username. Typically, this is not a problem; in fact it increases security. However, if you are using IDM and a NAC 800 for endpoint integrity and the NAC 800 proxies requests to another RADIUS server, you must ensure that the proxy RADIUS server uses the Windows implementation of PEAP. Otherwise, the IDM agent on the NAC 800 cannot detect a user’s name and assign the correct dynamic settings.
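To make the concealed-username point concrete, here is an added example that is not part of the ProCurve training material: it builds two constructed RADIUS Access-Requests, one with the real name in the outer User-Name attribute (as the Windows PEAP supplicant sends it) and one with an anonymous outer identity (as a tunneling EAP-TTLS supplicant may send it), and shows which of them a proxying server could map to a user. The pcu.edu realm, the jsmith user and all helper names are assumptions.

```python
import os
import struct
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1      # RFC 2865 User-Name
ATTR_EAP_MESSAGE = 79   # RFC 3579 EAP-Message

def eap_response_identity(name):
    """EAP Response/Identity: code 2, id 1, length, type 1, identity bytes."""
    return struct.pack("!BBHB", 2, 1, 5 + len(name), 1) + name

def build_access_request(attrs, identifier=1):
    """Minimal RADIUS Access-Request: header, 16-byte authenticator, TLVs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(body))
    return header + os.urandom(16) + body

def parse_attributes(packet):
    """Return (type, value) pairs; reject length fields that do not add up."""
    length = struct.unpack("!BBH", packet[:4])[2]
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def outer_identity(packet):
    """The username a proxy sees: the User-Name attribute, or None."""
    for atype, value in parse_attributes(packet):
        if atype == ATTR_USER_NAME:
            return value.decode("utf-8", errors="replace")
    return None

def proxy_can_identify_user(packet):
    """False for an empty or anonymous outer identity: the case in which an
    IDM agent on the proxying NAC 800 cannot learn the user's name."""
    name = outer_identity(packet)
    return bool(name) and name.split("@", 1)[0].lower() not in ("", "anonymous")

# Constructed sample packets (not captures); pcu.edu is a placeholder realm.
WINDOWS_PEAP_REQUEST = build_access_request([
    (ATTR_USER_NAME, b"jsmith@pcu.edu"),
    (ATTR_EAP_MESSAGE, eap_response_identity(b"jsmith@pcu.edu"))])
TTLS_ANONYMOUS_REQUEST = build_access_request([
    (ATTR_USER_NAME, b"anonymous@pcu.edu"),
    (ATTR_EAP_MESSAGE, eap_response_identity(b"anonymous@pcu.edu"))])
```

Running `proxy_can_identify_user` over both packets shows that only the first one gives the proxy a username it can act on; the inner identity of the second stays inside the TLS tunnel, which is the situation the IDM agent cannot resolve.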
In the PCU example, the university does not have a full PKI system—finding it too expensive and too difficult to implement with the large numbers of students who leave and enter each year. Given that most endpoints run Windows and that you do not want to force students to purchase a vendor utility, you stop the decision at step 2 and choose PEAP with MS-CHAP.