Security Solutions
1-12
Access Control Concepts
Network Access Control Technologies
NASs (network access servers), which you learned about earlier in the AAA section, are also PEPs. The
term NAS is typically used when discussing RADIUS. For consistency, however,
this chapter uses the term PEP even when discussing RADIUS.
The PEP has two roles:
■ Access request generator—Forces endpoints to provide basic information
about themselves (credentials) before accessing network resources.
The PEP uses this information to compose an access request on the
endpoint’s behalf.
■ Access decision enforcer—Enforces access decisions by opening or
blocking a port, assigning an endpoint to a particular VLAN, or applying
other dynamic settings.
Because the PEP is responsible for initiating and enforcing the access
control method, evaluating the PEP’s capabilities is often one of the first
steps you should take when designing a network access control solution.
This design guide focuses on the many capabilities offered by ProCurve
Networking PEPs, which include both wired switches and wireless APs,
as well as the Wireless Edge Services Module.
Policy Decision Point (PDP)
Simply put, the PDP makes access decisions. It has three roles:
■ Translator—Converts security policies into device-specific instructions
that PEPs can understand. The most basic instruction is whether to enable
or disable a port, but these instructions can include settings such as the
VLAN for the port.
■ Resolver—Settles conflicts between policies, for example when two rules
would assign the same port to different VLANs at the same time.
■ Information aggregator—Collects information from PEPs for management
and monitoring purposes.
The typical PDP is an authentication server, which might be a software
application installed on a computer, a stand-alone appliance, or even a server
built into a PEP such as the Wireless Edge Services Module. An endpoint
integrity solution, or network access controller, is also a PDP.
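The two PEP roles above (composing the access request, then enforcing the decision) and the PDP's translator role are easiest to see on the wire. The following is an added example, not code from this guide or from ProCurve: a minimal RADIUS exchange in which the PEP builds an Access-Request for a PAP-authenticated endpoint, the PDP answers with Access-Accept carrying the RFC 3580 VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) or Access-Reject, and the PEP verifies the Response Authenticator before turning the reply into a port setting. The packet layout, User-Password hiding and Response Authenticator follow RFC 2865; the user database, VLAN numbers, NAS address and shared secret are constructed sample values.

```python
import hashlib
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6  # RFC 3580 VLAN assignment values

# Constructed sample policy for the PDP (hypothetical): user -> (password, VLAN).
POLICY = {"alice": ("alice-pw", 20), "bob": ("bob-pw", 30)}
SHARED_SECRET = b"example-shared-secret"  # assumed PEP/PDP shared secret


def encode_attrs(attrs):
    """Serialize [(type, value_bytes), ...] as RADIUS type/length/value triples."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    out, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def unpack(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    return code, ident, packet[4:20], decode_attrs(packet[20:])


def pap_hide(password, secret, req_auth):
    """RFC 2865 s5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def pap_reveal(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def tagged_int(tag, value):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def pep_build_access_request(ident, username, password, nas_ip, nas_port, secret):
    """PEP role 1 (access request generator): compose the Access-Request for the endpoint."""
    req_auth = secrets.token_bytes(16)  # Request Authenticator: fresh random value per request
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, pap_hide(password.encode(), secret, req_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             (NAS_PORT, struct.pack("!I", nas_port))]
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth


def pdp_handle(request, secret, policy=POLICY):
    """PDP: authenticate the user and translate policy into a port instruction (a VLAN)."""
    code, ident, req_auth, attrs = unpack(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    user = a.get(USER_NAME, b"").decode(errors="replace")
    pw = pap_reveal(a.get(USER_PASSWORD, b""), secret, req_auth)
    entry = policy.get(user)
    if entry is None or not secrets.compare_digest(pw, entry[0].encode()):
        resp_code, resp_attrs = ACCESS_REJECT, []
    else:
        resp_code = ACCESS_ACCEPT
        resp_attrs = [(TUNNEL_TYPE, tagged_int(1, TUNNEL_TYPE_VLAN)),
                      (TUNNEL_MEDIUM_TYPE, tagged_int(1, TUNNEL_MEDIUM_IEEE802)),
                      (TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + str(entry[1]).encode())]
    body = encode_attrs(resp_attrs)
    header = struct.pack("!BBH", resp_code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def pep_enforce(response, req_auth, secret):
    """PEP role 2 (access decision enforcer): verify the reply, then derive the port setting."""
    code, _ident, resp_auth, attrs = unpack(response)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    if not secrets.compare_digest(resp_auth, expected):
        raise ValueError("Response Authenticator mismatch: reply not from the PDP, dropped")
    if code != ACCESS_ACCEPT:
        return {"port_enabled": False, "vlan": None}
    a = dict(attrs)
    vlan = None
    if (a.get(TUNNEL_TYPE, b"")[1:] == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
            and a.get(TUNNEL_MEDIUM_TYPE, b"")[1:] == TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")
            and TUNNEL_PRIVATE_GROUP_ID in a):
        vlan = int(a[TUNNEL_PRIVATE_GROUP_ID][1:].decode())
    return {"port_enabled": True, "vlan": vlan}


def authenticate(username, password, secret=SHARED_SECRET, nas_port=7):
    """One full PEP -> PDP -> PEP round trip for an endpoint on the given switch port."""
    request, req_auth = pep_build_access_request(42, username, password, "10.0.0.2", nas_port, secret)
    return pep_enforce(pdp_handle(request, secret), req_auth, secret)


if __name__ == "__main__":
    print(authenticate("alice", "alice-pw"))  # port enabled, VLAN 20
    print(authenticate("alice", "wrong-pw"))  # port stays closed
```

The point to take from the PEP side is that the switch never reads the VLAN out of an unauthenticated reply: a response whose authenticator does not verify under the shared secret is discarded rather than enforced, which is what stops a spoofed Access-Accept from opening a port. Real 802.1X deployments carry EAP inside the RADIUS exchange instead of PAP, but the request, decision and enforcement roles are the same.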
The PDPs discussed in this guide are:
■ RADIUS servers
■ Network access controllers