Security Solutions
1-17
Access Control Concepts
Network Access Control Technologies
In theory, a MAC address is unique and unalterable and therefore a good
choice for identifying whether the endpoint should be allowed access. In
practice, however, an attacker can spoof a MAC address relatively easily.
If you are using IAS, you might encounter another problem. MAC addresses
do not conform to the rules for a typical user account. You must create an
entirely new set of pseudo-user accounts, which can be tedious and might
introduce security vulnerabilities.
Despite its flaws, MAC-Auth remains the only choice for devices that have
neither user interfaces nor support for 802.1X.
Note A device without a user interface may still support 802.1X. For example, many
Voice-over-IP (VoIP) phones support EAP-Subscriber Identity Module (SIM)
and include smart cards automatically configured with authentication
credentials. In addition, some Hewlett-Packard (HP) printers support 802.1X.
Process. An endpoint follows this process to connect to a network that
enforces MAC-Auth:
1. The endpoint connects to a PEP and begins generating traffic, typically
Dynamic Host Configuration Protocol (DHCP) requests.
2. The PEP observes that the traffic’s source MAC address is
unauthenticated, so it drops the traffic.
3. The PEP generates an access request specifying the source MAC address
as the username, and, as the password, either the same MAC address or
a password configured on the PEP. The request also contains other
information, such as the port, time, and so forth. The PEP forwards the
request to an authentication server.
4. The authentication server, acting as the PDP, verifies the MAC address
against its own or a centrally managed data store. The authentication
server may also retrieve policy information, such as rules for the times
that the MAC address is allowed on the network or rules that specify
authorization instructions (for example, a VLAN assignment).
5. The authentication server returns an accept or deny response to the PEP
that is based on the results of step 4.
6. The PEP reconfigures itself dynamically to forward or block all traffic
from the MAC address depending on the access decision. If the accept
response included authorization instructions, the PEP configures itself to
enforce them—for example, assigning the endpoint’s port to the
specified VLAN.
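The six steps above can be followed end to end in a small simulation. The following Python is an added example, not code from the original text or from any vendor; the PEP, PDP, data store entries, MAC addresses, time windows and VLAN numbers are all constructed for illustration, and the RADIUS transport between PEP and PDP is replaced by a direct function call. It shows the MAC address being normalized into the pseudo-username (the problem the text notes for IAS), the password being either the MAC itself or a PEP-configured value, the PDP checking a time-of-day rule and returning a VLAN assignment, and the PEP reconfiguring the port from the decision.

```python
"""Toy MAC-Auth flow: PEP builds an access request from the endpoint's source
MAC, the PDP checks a data store plus time policy, and the PEP applies the
decision to the port. All names and data are constructed for this example."""
import re
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional

# Accepts 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455 (one consistent separator).
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-]?)(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def normalize_mac(raw: str) -> str:
    """Canonicalise a MAC to lowercase hex without separators; this is the
    pseudo-username the PEP submits. Raises ValueError on malformed input."""
    raw = raw.strip()
    if not MAC_RE.match(raw):
        raise ValueError(f"malformed MAC address: {raw!r}")
    return re.sub(r"[:-]", "", raw).lower()


@dataclass
class MacPolicy:
    """Constructed data-store record: allowed time window and optional VLAN."""
    allowed_from: time = time(0, 0)
    allowed_until: time = time(23, 59, 59)
    vlan: Optional[int] = None


# Constructed sample data store keyed by normalized MAC (hypothetical devices).
DATA_STORE = {
    "001122334455": MacPolicy(vlan=20),                       # VoIP phone, any time
    "aabbccddeeff": MacPolicy(time(8, 0), time(18, 0), 30),   # printer, business hours only
}


@dataclass
class AccessRequest:
    """Step 3: username is the MAC; password is the MAC or a PEP-configured value."""
    username: str
    password: str
    nas_port: int
    timestamp: datetime


@dataclass
class PEP:
    shared_password: Optional[str] = None
    # port -> ("forward", vlan) or ("block", None); starts empty, i.e. unauthenticated
    port_state: dict = field(default_factory=dict)

    def build_request(self, src_mac: str, port: int, now: datetime) -> AccessRequest:
        user = normalize_mac(src_mac)
        pw = self.shared_password if self.shared_password else user
        return AccessRequest(user, pw, port, now)

    def apply(self, port: int, response: dict) -> None:
        """Step 6: forward or block traffic, honouring any VLAN instruction."""
        if response["accept"]:
            self.port_state[port] = ("forward", response.get("vlan"))
        else:
            self.port_state[port] = ("block", None)


def pdp_decide(req: AccessRequest, pep_password: Optional[str] = None,
               store: dict = DATA_STORE) -> dict:
    """Step 4/5: verify the MAC and its policy, return accept/deny plus attributes."""
    expected_pw = pep_password if pep_password else req.username
    if req.password != expected_pw:
        return {"accept": False, "reason": "bad password"}
    policy = store.get(req.username)
    if policy is None:
        return {"accept": False, "reason": "unknown MAC"}
    t = req.timestamp.time()
    if not (policy.allowed_from <= t <= policy.allowed_until):
        return {"accept": False, "reason": "outside allowed time window"}
    resp = {"accept": True}
    if policy.vlan is not None:
        resp["vlan"] = policy.vlan
    return resp


def mac_auth(pep: PEP, src_mac: str, port: int, now: datetime) -> tuple:
    """Run steps 1-6 for one endpoint and return the resulting port state."""
    req = pep.build_request(src_mac, port, now)              # steps 1-3
    resp = pdp_decide(req, pep.shared_password)              # steps 4-5
    pep.apply(port, resp)                                    # step 6
    return pep.port_state[port]


if __name__ == "__main__":
    pep = PEP()
    print(mac_auth(pep, "00:11:22:33:44:55", 1, datetime(2024, 5, 1, 3, 0)))
    print(mac_auth(pep, "AA-BB-CC-DD-EE-FF", 2, datetime(2024, 5, 1, 3, 0)))
    print(mac_auth(pep, "AA-BB-CC-DD-EE-FF", 2, datetime(2024, 5, 1, 10, 0)))
```

Because the PDP's decision rests entirely on a value the endpoint itself supplies, the data store and time rules constrain only which MACs are admitted and when; they do not prove the endpoint's identity, which is the spoofing limitation stated above and the reason 802.1X is preferred wherever the device supports it.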