Security Solutions
1-29
Access Control Concepts
Network Access Control Technologies
An AVP includes:
■ A name, which specifies the type of attribute—for example, “Username”
or “Tunnel-Private-Group-ID”
■ A value, which is the specific value for that attribute for this supplicant at
this time—for example, “Bob,” the name of the user who is attempting to
connect, or “10,” the ID of Bob’s dynamic VLAN
The RADIUS protocol defines approximately 50 attributes, including:
■ Username
■ Password
■ Type of service request
■ NAS ID
■ NAS port ID
■ NAS IP address
■ Tunnel attributes for dynamic VLAN assignment:
• Tunnel-Medium-Type (value is 802, encoded as “6”)
• Tunnel-Type (value is VLAN)
• Tunnel-Private-Group-ID (value is set to the VLAN assignment)
RADIUS also allows vendors to define their own AVPs, which are called
vendor-specific attributes (VSAs).
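As an added example that is not part of this manual, the following Python code encodes the three tunnel AVPs described above as they would appear in a RADIUS Access-Accept, parses them back out of the TLV stream, and applies the check a NAS should make before assigning a dynamic VLAN: all three attributes present, Tunnel-Type equal to VLAN (13), Tunnel-Medium-Type equal to IEEE 802 (6), and a VLAN ID in the valid range. The type codes and values are taken from RFC 2865 and RFC 2868; the function names and the sample user “Bob” on VLAN 10 are constructed for this example.

```python
USER_NAME = 1                # RFC 2865 attribute type codes
TUNNEL_TYPE = 64             # RFC 2868
TUNNEL_MEDIUM_TYPE = 65      # RFC 2868
TUNNEL_PRIVATE_GROUP_ID = 81 # RFC 2868
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value "802"

def encode_avp(attr_type, value):
    """One RADIUS AVP: type (1 byte), length (1 byte, header included), value."""
    return bytes([attr_type, len(value) + 2]) + value

def encode_tagged_int(tag, value):
    """RFC 2868 tagged integer: 1-byte tag (0x01-0x1F) then a 3-byte big-endian value."""
    return bytes([tag]) + value.to_bytes(3, "big")

def build_vlan_accept_avps(username, vlan_id, tag=1):
    """AVPs a RADIUS server would put in an Access-Accept to assign a dynamic VLAN."""
    return (encode_avp(USER_NAME, username.encode())
            + encode_avp(TUNNEL_TYPE, encode_tagged_int(tag, TUNNEL_TYPE_VLAN))
            + encode_avp(TUNNEL_MEDIUM_TYPE, encode_tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
            + encode_avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def parse_avps(data):
    """Walk the TLV stream into (type, raw value) pairs, rejecting malformed lengths."""
    avps, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed AVP at offset %d" % pos)
        length = data[pos + 1]
        avps.append((data[pos], data[pos + 2:pos + length]))
        pos += length
    return avps

def untag(value):
    """Strip the RFC 2868 tag byte; a first byte above 0x1F is data, not a tag."""
    return value[1:] if value and value[0] <= 0x1F else value

def dynamic_vlan(avps):
    """VLAN id the NAS should apply, or None unless all three tunnel AVPs are consistent."""
    first = {}
    for attr_type, value in avps:
        first.setdefault(attr_type, value)      # first occurrence of each type wins
    if not all(t in first for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)):
        return None
    if int.from_bytes(untag(first[TUNNEL_TYPE]), "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(untag(first[TUNNEL_MEDIUM_TYPE]), "big") != TUNNEL_MEDIUM_IEEE_802:
        return None
    group = untag(first[TUNNEL_PRIVATE_GROUP_ID]).decode("ascii", "replace")
    return int(group) if group.isdigit() and 1 <= int(group) <= 4094 else None
```

A reply that carries only a username, or whose Tunnel-Medium-Type is not 802, yields no VLAN, which is the safe default: the port stays on its statically configured VLAN rather than being moved by an incomplete instruction.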
Often you can implement network access control without VSAs. However, if
you want to enforce dynamic ACLs, you must configure the proper VSAs. For
example, standard AVPs suffice for assigning a guest user to a VLAN; on the
other hand, you might need VSAs to limit the guest user's rights to Internet
access via TCP port 80.
The AVPs for authorization instructions are stored in a policy repository,
which, as you learned, might be on the RADIUS server itself or on a directory
service. For example, eDirectory can include RADIUS extensions that
define AVPs for directory objects. Other services, such as Active Directory, do
not provide these extensions, so you must set up the AVPs on the RADIUS server
itself. Because such configuration can be complicated, ProCurve Networking
recommends that you use IDM. (See “ProCurve IDM” on page 1-58.)
RADIUS and Other Authentication Protocols. Originally, RADIUS was
designed to work with PAP and CHAP, and the protocol defines attributes
specifically for PAP and CHAP passwords.