Security Solutions

ManualsBrandsHP ManualsSoftwareHP ProCurve Access Control Client Software

251

252

253

254

255

256

257

258

259

260

3-140

Designing Access Controls

Lay Out the Network

The switch to which APs or RPs connect needs the capacity to handle the

traffic. A wireless radio has a maximum data rate of 54 Mbps (and an actual

data rate of about 32 Mbps maximum), so a 100-Mbps switch port can easily

serve an AP or RP with one or two radios.

It is best to enforce authentication as close to the connection point as possible,

so, unless you have a legacy AP that does not support your access control

method, you should set up the access control on the AP and not the switch.

Therefore, there are no further requirements on the switch. However, to

prevent users from connecting rogue APs to the switch, you might want to

activate 802.1X on the switch ports. All ProCurve APs and RPs include 802.1X

supplicants (with EAP-MD5).

Private Wired Zone

The private wired zone uses wired connections. It is the typical zone for office

environments, where users work at their own desks and the IT department

has a relatively high degree of control over equipment. The typical endpoint

in this environment is a workstation, but employees might also plug laptops

into Ethernet ports both at their desks and in places such as conference rooms.

Table 3-113. Private Wired Zone Policies

Access Control Method. 802.1X is the preferred access control method for

the private wired zone. The use of 802.1X authentication provides strong

access control security, and the IT department has enough control to require

and support 802.1X supplicant software on all workstations and laptops in this

zone.

You might enable MAC-Auth on select ports in the private wired zone, provid-

ing access for headless devices (such as printers) without 802.1X supplicants.

(See “Public Wired Zone” on page 3-131 for a design for these endpoints.)

Endpoint Integrity. 802.1X is the best endpoint integrity deployment

method if you are already enforcing 802.1X authentication. Quarantining fits

into the overall access control policies, and the quarantine VLAN is just

another VLAN assignment, this one issued according to a user’s endpoint

integrity posture.

Zone Access Control

Method

EI Deployment Testing Method Authentication

Protocol

Encryption

Private wired • 802.1X

•MAC-Auth

(for headless

devices)

802.1X • NAC EI agent

• Agentless

•PEAP-

MS-CHAPv2

•EAP-TTLS

•EAP-TLS

none