Security Solutions

3-135
Designing Access Controls
Lay Out the Network
correct EAP type. You should balance the greater security against the increased
number of help-desk calls the IT staff may need to field. If guests only need
Internet access, 802.1X is probably unnecessary.
MAC-Auth is often infeasible for a public wireless zone for two reasons:
• This zone usually consists of a changing pool of endpoints, often controlled
by outsiders. Tracking their MAC addresses may be difficult or impossible.
• Attackers can easily discover valid MAC addresses by sniffing wireless
traffic. The 802.11 frame header, including the source and destination MAC
addresses, is sent in the clear even when the frame body is encrypted, so a
passive listener in range can collect the addresses of authorized clients and
spoof one of them.
For these reasons, Web-Auth is the most common access control method for
public wireless zones. Any user is allowed to associate with the wireless
network; however, the user cannot reach private resources or the Internet until
they have opened a Web browser, been redirected to a login page, and entered
valid credentials there. Because the zone is typically unencrypted, the login
page should be served over HTTPS so that the credentials themselves are not
exposed to the same sniffing that defeats MAC-Auth.
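The second reason MAC-Auth fails above is that 802.11 headers are never encrypted. The following is an added example written for this page (not code from the course or from any HP product) that builds a few constructed data frames, some with the Protected Frame bit set as a WPA2 client would send, and shows that a passive sniffer can still read every station's MAC address from the header. The BSSID and client addresses are made up.

```python
"""Extract station MAC addresses from 802.11 data-frame headers.

The 24-byte 802.11 MAC header (frame control, duration, three addresses,
sequence control) is never encrypted: WPA/WPA2 protect only the frame body.
A sniffer in monitor mode therefore learns every client MAC on the air, which
is why MAC-Auth cannot keep outsiders out of a public wireless zone.
All frames and addresses below are constructed for this example, not captured.
"""

TYPE_DATA = 2  # 802.11 frame type field value for data frames


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_data_frame(client: str, bssid: str, peer: str, *, to_ds: bool,
                     protected: bool, body: bytes = b"\x00" * 32) -> bytes:
    """Minimal infrastructure-mode data frame (constructed sample, no FCS)."""
    flags = (0x01 if to_ds else 0x02) | (0x40 if protected else 0x00)
    fc = bytes([TYPE_DATA << 2, flags])  # type=2 (data), subtype=0, flag byte
    duration = b"\x00\x00"
    seq_ctrl = b"\x00\x00"
    if to_ds:   # station -> AP: addr1 = BSSID, addr2 = SA (client), addr3 = DA
        addrs = (bssid, client, peer)
    else:       # AP -> station: addr1 = DA (client), addr2 = BSSID, addr3 = SA
        addrs = (client, bssid, peer)
    return fc + duration + b"".join(mac_to_bytes(a) for a in addrs) + seq_ctrl + body


def parse_header(frame: bytes) -> dict:
    """Decode the cleartext MAC header; works whether or not the body is encrypted."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x03
    to_ds = bool(fc1 & 0x01)
    from_ds = bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)  # Protected Frame bit: body is encrypted
    addr1, addr2, addr3 = (mac_to_str(frame[4 + 6 * i:10 + 6 * i]) for i in range(3))
    if to_ds and not from_ds:
        station, bssid = addr2, addr1
    elif from_ds and not to_ds:
        station, bssid = addr1, addr2
    elif not to_ds and not from_ds:      # IBSS or management frame layout
        station, bssid = addr2, addr3
    else:                                # 4-address WDS frame: no single station
        station, bssid = None, None
    return {"type": ftype, "to_ds": to_ds, "from_ds": from_ds,
            "protected": protected, "station": station, "bssid": bssid}


def harvest_station_macs(frames, bssid: str) -> set:
    """MACs of every station seen exchanging data frames with the given BSSID."""
    seen = set()
    for f in frames:
        h = parse_header(f)
        if h["type"] == TYPE_DATA and h["bssid"] == bssid and h["station"]:
            seen.add(h["station"])
    return seen


# Constructed sample traffic: two encrypted clients on our AP, one on another BSS.
AP_BSSID = "00:11:22:33:44:55"
GATEWAY = "00:aa:bb:cc:dd:ee"
SAMPLE_FRAMES = [
    build_data_frame("d4:01:02:03:04:05", AP_BSSID, GATEWAY, to_ds=True, protected=True),
    build_data_frame("d4:01:02:03:04:05", AP_BSSID, GATEWAY, to_ds=False, protected=True),
    build_data_frame("e8:06:07:08:09:0a", AP_BSSID, GATEWAY, to_ds=True, protected=True),
    build_data_frame("f0:0b:0c:0d:0e:0f", "66:77:88:99:aa:bb", GATEWAY, to_ds=True, protected=False),
]

if __name__ == "__main__":
    for mac in sorted(harvest_station_macs(SAMPLE_FRAMES, AP_BSSID)):
        print("authorized-looking station on", AP_BSSID, ":", mac)
```

Every client MAC on the target BSSID is recovered even though those frames carry the Protected Frame bit; only the body was ever hidden. An attacker need only set one of those addresses on their own adapter to satisfy a MAC-Auth check, which is why the text recommends Web-Auth for this zone.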
Guest Access. You have several options for granting guests in the public
wireless zone access to the network without having to tell each of them
credentials in person:
For any AP, you can customize the Web-Auth login page to display a valid
username and password for guests.
If you are using the Wireless Edge Services Module, you can add the
resources that unauthenticated users may reach to an Allow list. You can
specify up to 10 IP addresses on this list; choose another option if guests
will require more resources.
If you are using the AP 420 or AP 530, Web-Auth is enforced on the switch
to which the AP connects. The option available to switches applies: an
unauthenticated VLAN that grants limited access to users who fail to
authenticate.
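To make the Web-Auth behaviour and the guest options above concrete, here is an added model (written for this page; it is not the firmware logic of the Wireless Edge Services Module, the AP 420/530 or any ProCurve switch) of the decision an enforcement point makes per packet. It assumes an Allow list capped at 10 entries as the text states for the module, a login page whose address is made up, and sessions keyed to the client MAC after a successful login with the guest credentials shown on that page.

```python
"""Illustrative model of a Web-Auth enforcement point for a public wireless zone.

Not product code. Assumptions (labelled here and in the lead-in):
  - LOGIN_PORTAL is a constructed address for the Web-Auth login page;
  - the Allow list for unauthenticated users holds at most 10 IP addresses;
  - a client that submits valid credentials is tracked by its MAC address.
"""
import hmac
from dataclasses import dataclass, field

MAX_ALLOW_LIST = 10
LOGIN_PORTAL = "10.0.0.1"     # constructed address of the login page
WEB_PORTS = (80, 443)          # traffic that can be redirected to the login page


@dataclass
class WebAuthGate:
    credentials: dict                                   # username -> password
    allow_list: set = field(default_factory=set)        # reachable before login
    sessions: set = field(default_factory=set)          # MACs that have logged in

    def add_allowed_ip(self, ip: str) -> None:
        """Add a resource unauthenticated guests may reach; enforce the 10-entry cap."""
        if ip in self.allow_list:
            return
        if len(self.allow_list) >= MAX_ALLOW_LIST:
            raise ValueError(
                f"Allow list holds at most {MAX_ALLOW_LIST} addresses; "
                "use an unauthenticated VLAN or another option instead")
        self.allow_list.add(ip)

    def login(self, client_mac: str, username: str, password: str) -> bool:
        """Credentials submitted on the login page (the guest pair is printed there)."""
        expected = self.credentials.get(username)
        if expected is not None and hmac.compare_digest(expected, password):
            self.sessions.add(client_mac)
            return True
        return False

    def decide(self, client_mac: str, dst_ip: str, dst_port: int) -> str:
        """Return 'forward', 'redirect' (to the login page) or 'drop' for one packet."""
        if client_mac in self.sessions:
            return "forward"                 # authenticated: full zone access
        if dst_ip == LOGIN_PORTAL or dst_ip in self.allow_list:
            return "forward"                 # always reachable before login
        if dst_port in WEB_PORTS:
            return "redirect"                # browser traffic -> login page
        return "drop"                        # everything else is blocked


def demo() -> dict:
    """Walk one guest through the zone; returns the decisions for inspection."""
    gate = WebAuthGate(credentials={"guest": "welcome1"})   # shown on the login page
    gate.add_allowed_ip("203.0.113.10")                     # e.g. the hotel's own site
    guest = "d4:01:02:03:04:05"                             # constructed client MAC
    before_web = gate.decide(guest, "198.51.100.7", 443)    # Internet, before login
    before_allow = gate.decide(guest, "203.0.113.10", 80)   # Allow-listed, before login
    before_other = gate.decide(guest, "198.51.100.7", 22)   # non-web, before login
    bad_login = gate.login(guest, "guest", "wrong")
    ok_login = gate.login(guest, "guest", "welcome1")
    after = gate.decide(guest, "198.51.100.7", 443)
    return {"before_web": before_web, "before_allow": before_allow,
            "before_other": before_other, "bad_login": bad_login,
            "ok_login": ok_login, "after": after}


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:13s} {result}")
```

The model shows why Web-Auth suits a changing population of outsiders: nothing about the client has to be known in advance, only the credential typed at the portal, and the Allow list lets you expose a handful of resources without any login at all. Note that the session is keyed to the client MAC, so a client spoofing the address of a logged-in guest inherits that session; that is an accepted limitation of the method, not a reason to fall back to MAC-Auth.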
Encryption. Often, public wireless zones do not provide encryption at all,
which means any radio within range can read the guests' traffic. However, as
you learned in Chapter 1: “Access Control Concepts,” you might add encryption
for higher security despite the fact that the guests must then enter another
password (the wireless key) in addition to their Web-Auth credentials.
Endpoint Integrity. There are many reasons to enforce endpoint integrity
in a public wireless zone: you do not know what malware the endpoints picked
up on other networks, nor what they will continue to collect if they are
unpatched or not running a firewall. However, take care to set policies that a
guest can reasonably be expected to meet, for example being free of viruses and
other malware; a guest cannot be expected to install your organization's agent
or conform to your internal patch baseline.