Security Solutions

Access Control Concepts
Network Access Control Technologies
Web-Auth
Like MAC-Auth, Web-Auth enables end-users to authenticate and connect to the network without special utilities or configurations on their endpoints. The endpoints require a Web browser only. However, unlike MAC-Auth, a user must participate in the authentication process, entering credentials (a username and password) in a Web page.
The network access control decision is based on the validity of the username and password. The PEP enforces the decision by binding these credentials to the source MAC address of the endpoint that submitted them; it then allows or blocks traffic from this address depending on whether the access request generated from these credentials succeeds. Note that the binding is to the MAC address alone: once a session is open, any frame carrying that source address is treated as the authenticated user's traffic.
Process. The exact process by which an end-user authenticates and connects to the network depends on the Web-Auth implementation on the PEP. In general, these steps occur:
1. The user’s endpoint connects to a PEP. The PEP might allow the endpoint
to transmit certain background traffic such as DHCP and Domain Name
System (DNS) requests, or the PEP might assign the endpoint a DHCP
address itself.
2. The user opens a Web browser, and the PEP redirects the browser to the
Web-Auth login page, which might be stored on the PEP or on a private
Web server.
3. The user enters and submits credentials (username and password) as
instructed on this login page.
4. The PEP receives the user's credentials and records the MAC address of the endpoint that sent them. The PEP generates an access request containing the user's credentials as well as other information about the access attempt (for example, the endpoint's MAC address and an identifier for the PEP itself) and forwards the request to the authentication server.
5. The authentication server, or PDP, verifies the username and password
against its own or a centrally managed data store. The authentication
server may also retrieve policy information, such as rules for the times
the user is allowed on the network or rules specifying authorization
instructions (for example, a VLAN assignment).
6. The authentication server returns an accept or deny response to the PEP,
based on the results of step 5.
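The six steps above, modelled end to end as an added example (this is illustrative code written for this page, not the implementation of any particular PEP or authentication server). The PEP object decides per-frame what to do with an unauthenticated endpoint (pass DHCP/DNS, redirect HTTP to the login page, drop everything else), turns a submitted username and password plus the sender's MAC address into an access request, and binds the MAC address to the VLAN returned in an accept. The PDP object checks the password against a salted PBKDF2 hash and applies a time-of-day rule before returning accept or deny. The login URL, the PEP identifier and the user records are constructed sample data; the request fields are named after their RADIUS counterparts in comments, but no real RADIUS encoding is performed.

```python
"""Toy model of the Web-Auth exchange between a PEP and a PDP (illustrative, not a real RADIUS client/server)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 50_000  # kept low so the example runs quickly; use a higher count in practice


@dataclass
class AccessRequest:
    username: str      # RADIUS User-Name
    password: str      # RADIUS User-Password (in reality encrypted on the wire)
    mac: str           # RADIUS Calling-Station-Id: the endpoint that submitted the form
    nas_id: str        # RADIUS NAS-Identifier: which PEP is asking
    hour: int          # hour of the attempt (0-23), used by the PDP's time-of-day rule


@dataclass
class AccessResponse:
    accepted: bool
    vlan: Optional[int] = None   # authorization instruction returned on accept
    reason: str = ""             # why a request was denied (never sent back to the browser)


class AuthServer:
    """The PDP: holds salted password hashes and a per-user policy (allowed hours, VLAN)."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes, dict]] = {}

    def add_user(self, username: str, password: str, vlan: int, hours=range(0, 24)) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest, {"vlan": vlan, "hours": set(hours)})

    def handle(self, req: AccessRequest) -> AccessResponse:
        rec = self._users.get(req.username)
        if rec is None:
            return AccessResponse(False, reason="unknown user")
        salt, digest, policy = rec
        candidate = hashlib.pbkdf2_hmac("sha256", req.password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):      # constant-time comparison
            return AccessResponse(False, reason="bad password")
        if req.hour not in policy["hours"]:                  # step 5: time-of-day rule
            return AccessResponse(False, reason="outside allowed hours")
        return AccessResponse(True, vlan=policy["vlan"])     # step 6: accept with VLAN


class WebAuthPEP:
    """The PEP: gates traffic per source MAC and brokers the login to the PDP."""

    LOGIN_URL = "https://login.example.net/webauth"   # assumed location of the login page
    PRE_AUTH_OK = {"dhcp", "dns"}                      # step 1: background traffic allowed before login

    def __init__(self, pdp: AuthServer, nas_id: str = "sw-edge-1") -> None:
        self._pdp = pdp
        self._nas_id = nas_id
        self._sessions: Dict[str, int] = {}   # authenticated MAC -> assigned VLAN

    def forward(self, mac: str, proto: str) -> Tuple[str, object]:
        """Decide what happens to one frame from `mac` carrying protocol `proto`."""
        if mac in self._sessions:                 # bound address: forward on its VLAN
            return ("forward", self._sessions[mac])
        if proto in self.PRE_AUTH_OK:
            return ("forward", None)
        if proto == "http":                       # step 2: redirect the browser to the login page
            return ("redirect", self.LOGIN_URL)
        return ("drop", None)

    def login(self, mac: str, username: str, password: str, hour: int) -> AccessResponse:
        """Steps 3-4: take the submitted form, record the sender's MAC, ask the PDP."""
        req = AccessRequest(username, password, mac, self._nas_id, hour)
        resp = self._pdp.handle(req)
        if resp.accepted:
            self._sessions[mac] = resp.vlan       # bind credentials' outcome to the MAC address
        return resp


def demo() -> List[tuple]:
    """Walk one endpoint through the exchange and return the PEP's decisions in order."""
    pdp = AuthServer()
    pdp.add_user("alice", "correct horse", vlan=20, hours=range(8, 18))   # constructed user
    pep = WebAuthPEP(pdp)
    mac = "00:11:22:33:44:55"                                               # constructed endpoint
    out: List[tuple] = []
    out.append(pep.forward(mac, "dns"))     # pre-auth DNS is allowed
    out.append(pep.forward(mac, "http"))    # browser is redirected to the login page
    out.append(pep.forward(mac, "smtp"))    # anything else is dropped
    r = pep.login(mac, "alice", "wrong password", hour=9)
    out.append((r.accepted, r.reason))      # deny
    r = pep.login(mac, "alice", "correct horse", hour=22)
    out.append((r.accepted, r.reason))      # deny: outside allowed hours
    r = pep.login(mac, "alice", "correct horse", hour=9)
    out.append((r.accepted, r.vlan))        # accept, VLAN 20
    out.append(pep.forward(mac, "smtp"))    # now forwarded on VLAN 20
    return out


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Two things the model makes visible: the PDP returns a deny reason only to the PEP, which should surface nothing more specific than "login failed" to the browser, and the final session table keys on the MAC address alone, which is exactly the binding described above and the reason Web-Auth offers no protection against an endpoint that adopts an already-authenticated address.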