Security Solutions
1-33
Access Control Concepts
Network Access Control Technologies
Access Control Rights—Dynamic Settings
The overview of “Authorization” on page 1-8 gave a few examples of how
rights are assigned and enforced. Let’s now look in more detail at ways to
control users’ access after they connect.
Keep in mind that you can set up these access controls in one of two ways:
■ Manually
■ Dynamically as a part of the AAA architecture—This guide will focus on
this option.
VLANs
VLANs divide users and other network devices into separate Layer 2 broadcast
domains, each isolated and relatively secure from the others; they are a
fundamental way to group and control users. Traffic cannot cross a VLAN
(subnet) boundary unless forwarded by a router, which can filter the traffic
appropriately with ACLs.
Traditionally, users are assigned to VLANs statically. That is, each user has a
single port at which he or she is expected to remain, and the user’s port is
actually assigned to the VLAN. If the user accesses the network through a
different port, he or she might be in a different VLAN. And in a wireless
network, all users that access the WLAN find themselves in the same VLAN.
The traditional model is no longer adequate for many networks because users
access the network through many different ports. For example, although
employees often connect to the network from the port at their desk, they might
also connect from conference rooms or even a remote location. In addition,
an AP, in the revolving-door wireless world, funnels a constantly shifting group
of users to a single switch port.
Your access control design and your VLAN design interconnect because the
network access control solution helps ports configure themselves for VLANs
dynamically. When a user is authorized to connect to the network, he or she
is also authorized for the correct VLAN, as determined by the authentication
server and enforced by the PEP.
Here is another advantage of dynamic VLANs: you can create rules to assign
users to different VLANs under various conditions. For example, you might
create one VLAN for users accessing the network during work hours and a
different VLAN for after-hours access.
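The following Python is an added example, not code from this guide or from any product it describes. It walks the dynamic-VLAN path the section outlines: a policy function chooses the VLAN from the user's group and the time of login (the work-hours versus after-hours rule above), the authentication server encodes that decision as the RADIUS attributes conventionally used for VLAN assignment (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID as defined in RFC 2868 and applied to VLANs in RFC 3580; the guide does not name these attributes, so their use here is an assumption about the server and switch pair), and a PEP-side check parses and validates the assignment before the port is placed in the VLAN, falling back to the port's static VLAN when the attributes are absent, inconsistent or malformed. Group names, VLAN numbers and the work-hours window are constructed for the example.

```python
"""Dynamic VLAN assignment: policy decision -> RADIUS attributes -> PEP-side check.

Added example. Assumes the RFC 3580 convention: the authentication server
returns Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6)
and Tunnel-Private-Group-ID (81) = VLAN ID as text, and the switch (PEP)
places the authenticated port in that VLAN.
"""
import struct
from datetime import datetime, time
from typing import List, Optional, Tuple

# RADIUS attribute types (RFC 2868) and the values RFC 3580 uses for VLANs
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed policy: each group has a work-hours VLAN and an after-hours VLAN.
WORK_HOURS = (time(8, 0), time(18, 0))
VLAN_POLICY = {
    "engineering": {"work": 10, "after": 110},
    "contractors": {"work": 20, "after": 120},
}
GUEST_VLAN = 200  # unknown groups land in an isolated guest VLAN


def choose_vlan(group: str, when: datetime) -> int:
    """Policy decision: pick the VLAN for a user's group and login time."""
    rule = VLAN_POLICY.get(group)
    if rule is None:
        return GUEST_VLAN
    start, end = WORK_HOURS
    in_work_hours = when.weekday() < 5 and start <= when.time() < end  # Mon..Fri
    return rule["work"] if in_work_hours else rule["after"]


def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type (1 byte) | Length (1 byte) | Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: 1-byte tag followed by a 3-byte value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def encode_vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """Server side: the three attributes an Access-Accept carries to assign a VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return (
        _avp(TUNNEL_TYPE, _tagged_int(tag, TUNNEL_TYPE_VLAN))
        + _avp(TUNNEL_MEDIUM_TYPE, _tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
        # Tunnel-Private-Group-ID is a tagged string: tag byte, then the VLAN ID as text
        + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode())
    )


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute list into (type, value) pairs; reject bad lengths."""
    out = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return out


def pep_vlan_from_attributes(data: bytes) -> Optional[int]:
    """PEP side: return the VLAN to enforce, or None when the assignment is
    missing, inconsistent or malformed (the port then keeps its static VLAN)."""
    tunnel_type = medium = group = None
    tags = set()
    for attr_type, value in parse_attributes(data):
        if attr_type == TUNNEL_TYPE and len(value) == 4:
            tags.add(value[0])
            tunnel_type = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            tags.add(value[0])
            medium = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and len(value) >= 2:
            # RFC 2868: a first byte above 0x1F is part of the string, not a tag
            if value[0] <= 0x1F:
                tags.add(value[0])
                group = value[1:]
            else:
                tags.add(0)
                group = value
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
        return None
    if group is None or len(tags) != 1 or not group.isdigit():
        return None  # attributes absent, or not all tagged as one group
    vlan = int(group)
    return vlan if 1 <= vlan <= 4094 else None


if __name__ == "__main__":
    login = datetime(2024, 3, 12, 22, 0)  # constructed: a Tuesday evening
    vlan = choose_vlan("engineering", login)
    accept = encode_vlan_attributes(vlan)
    print(f"server chose VLAN {vlan}; PEP enforces {pep_vlan_from_attributes(accept)}")
```

The PEP-side function is the part worth keeping in mind when you design the policy: a switch that silently ignores a half-formed VLAN assignment leaves the user in whatever VLAN the port had statically, so the fallback behaviour of the port (guest VLAN, no access, or the default VLAN) is itself a policy decision.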