Security Solutions
3-148
Designing Access Controls
Integrating all Parts of the Network Design
Integrating all Parts of the Network Design
After you have laid out the various segments in your network, you can optimize
your design by integrating the segments into a unified whole.
Adding Access Control to an Existing Network
To guide you through all the steps of designing an access control solution, this
guide discussed the design as if you did not have an existing network and
existing equipment. However, you probably do have a network with a significant
number of switches and perhaps services already in place, and you will need
to adapt that network to get the access control security you desire.
The design steps for adding access control to an existing network are quite
similar to the steps for building a new network. However, rather than choosing
new switches and APs, as described in “Access Zones for Endpoints” on page
3-131, you would evaluate the capabilities of your existing equipment to find
out which new functions (such as dynamic port reconfiguration) you need to
add. For instance, you may be able to supplement an existing installation with
5400zl switches to provide those functions that your current equipment does
not have. In other cases, you may be able to replace an existing switch with a
5400zl switch and keep the rest of your installation intact.
As was mentioned in the steps for “Choose RADIUS Servers” on page 3-78,
“Add ProCurve IDM” on page 3-98, and “Select an EAP Method for 802.1X” on
page 3-101, your network might already provide directory services and
RADIUS services. Your guiding rule should be to use existing equipment and
the options supported by existing equipment as long as there is no compelling
reason to do otherwise.
For example, if your network already has an IAS server, there is no reason to
change to an SBR server simply to choose EAP-TTLS instead of PEAP; the two
methods are comparable. Similarly, if you already have a directory service,
you should use the directory service as the credential store.