Security Solutions
Access Control Concepts
Network Access Control Technologies
5. If it authenticates the user, the PDP draws on additional policy information from the repository to authorize the user for particular resources. It then generates device-specific configuration instructions (such as the VLAN for the port) for the PEP.
6. The PEP configures its ports according to the instructions from the PDP. The user’s endpoint receives the appropriate level of access.
Authentication-Based Network Access Control Methods
This section describes the three most common methods for enforcing network
access control at the edge. Built on the architecture described in the previous
section, these methods hinge an endpoint’s level of network access on a PDP’s
decisions. These decisions are, in turn, based primarily on the validity of
credentials submitted by the user but perhaps on other policies as well.
The three methods are:
■ MAC authentication (MAC-Auth)—allows access based on the endpoint’s MAC address
■ Web authentication (Web-Auth)—allows access based on credentials submitted in a Web page
■ 802.1X—allows access based on credentials exchanged via Extensible Authentication Protocol (EAP)
802.1X is the most secure option. However, for reasons explained in the rest
of this guide, another method might meet your requirements. You can also
implement different methods in different areas of your network or begin by
enforcing a less secure method and eventually migrate to 802.1X. Chapter 3:
“Designing Access Controls” will give you more guidelines for your design.
MAC-Auth
MAC-Auth identifies an endpoint by its MAC address, a unique 48-bit hardware
address assigned to the network interface card (NIC) by the manufacturer at
production. MAC-Auth identifies hardware, not users—one reason that this
method is sometimes downplayed in contemporary security solutions.
MAC-Auth requires neither special capabilities on the endpoint nor any
user interaction. The PEP is entirely responsible for generating authentication
requests. The PDP makes an access control decision based on the endpoint’s
MAC address, and the PEP enforces the decision by allowing or blocking
traffic from the address accordingly.
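The following is an added example, not code from this guide or any vendor: a small Python simulation of the PDP/PEP decision flow from steps 5 and 6, applied to MAC-Auth. The policy repository contents, the MAC addresses and the port names are constructed; the MAC canonicalization reflects the fact that different PEPs submit the address in different notations.

```python
"""Simulated MAC-Auth decision flow: PEP -> PDP -> PEP (constructed example)."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed policy repository: canonical MAC -> the VLAN the endpoint is
# authorized for. A real PDP reads this from a directory or RADIUS server.
POLICY_REPOSITORY = {
    "00:11:22:33:44:55": {"vlan": 10},   # hypothetical printer
    "aa:bb:cc:dd:ee:01": {"vlan": 20},   # hypothetical badge reader
}

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Canonicalize the MAC as submitted by the PEP ('00-11-22-33-44-55',
    '0011.2233.4455', '001122334455', ...) into lower-case colon form.
    Returns None if the value is not a 48-bit address."""
    hexdigits = re.sub(r"[:\-.\s]", "", raw).lower()
    if not _MAC_RE.match(hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Instruction:
    """Device-specific instruction the PDP hands back to the PEP (step 5)."""
    port: str
    action: str                 # "allow" or "block"
    vlan: Optional[int] = None


def pdp_decide(port: str, raw_mac: str) -> Instruction:
    """PDP: authenticate by MAC address, authorize from the repository, and
    generate the port instruction. Unknown or malformed MACs are blocked."""
    mac = normalize_mac(raw_mac)
    if mac is None or mac not in POLICY_REPOSITORY:
        return Instruction(port=port, action="block")
    return Instruction(port=port, action="allow",
                       vlan=POLICY_REPOSITORY[mac]["vlan"])


class Pep:
    """PEP (edge switch): raises the request itself, no user interaction,
    then configures the port exactly as the PDP instructs (step 6)."""
    def __init__(self) -> None:
        self.ports: Dict[str, dict] = {}

    def endpoint_seen(self, port: str, raw_mac: str) -> dict:
        instr = pdp_decide(port, raw_mac)
        self.ports[port] = {"state": instr.action, "vlan": instr.vlan}
        return self.ports[port]
```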