Security Solutions

Access Control Concepts
Network Access Control Technologies
The network access controller enters the 802.1X framework as either an
authentication server or a supplement to the authentication server. It inserts
a check of the endpoint's integrity into the process of making access decisions.
For example, the network access controller detects and tests all endpoints
when they first connect to the network. It then reports the endpoints' integrity
posture to network RADIUS servers, which are configured with policies that
take these postures into account. If necessary, the RADIUS server alters a
user's assignment and places him or her in a quarantine VLAN.
The ProCurve NAC 800 includes its own built-in RADIUS server, so it can
provide both components of the solution.
DHCP. The DHCP quarantine method is designed primarily for networks with
equipment that is not 802.1X capable. Any endpoint is allowed to connect to
the network. However, the network access controller prevents non-compliant
endpoints from receiving a valid IP address. Instead, these endpoints receive
an address in the quarantine subnet, which has access only to remediation
services.
With the DHCP deployment method, part of the network access controller's role
is acting as another PEP, quarantining non-compliant endpoints. Typically, you
must position the network access controller correctly: between the DHCP
server and the rest of the network.
Note: An end user who has the technical savvy to give his or her station a valid IP
address can circumvent DHCP quarantining. This is one reason that 802.1X is
the recommended option for high security.
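The following is an added example (not code from the ProCurve NAC 800 or its documentation) that models the two quarantine decisions described above: the 802.1X path, where the RADIUS server answers with VLAN attributes chosen from the reported posture, and the DHCP path, where a non-compliant endpoint is offered an address from the quarantine subnet. The policy checks, VLAN IDs, subnets and lease tables are all constructed assumptions; the RADIUS attribute names and values follow RFC 3580. The last function is a defender's check for the situation in the Note: a host using a production address that no DHCP lease accounts for.

```python
import ipaddress

# Constructed posture policy: each test the endpoint must pass (hypothetical).
POLICY = {"antivirus_current": True, "firewall_enabled": True, "patched": True}

QUARANTINE_VLAN = "99"        # assumed quarantine VLAN ID
PRODUCTION_VLAN = "10"        # assumed production VLAN ID
QUARANTINE_SUBNET = ipaddress.ip_network("192.168.99.0/24")  # constructed
PRODUCTION_SUBNET = ipaddress.ip_network("10.1.0.0/24")      # constructed


def evaluate_posture(report):
    """Return the names of the policy tests the endpoint failed (empty = compliant)."""
    return [test for test, required in POLICY.items() if report.get(test) != required]


def radius_vlan_reply(failures):
    """802.1X path: attributes a RADIUS server adds to Access-Accept to assign the VLAN.

    Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802 (RFC 3580)."""
    vlan = QUARANTINE_VLAN if failures else PRODUCTION_VLAN
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": vlan}


def dhcp_offer(failures, lease_table):
    """DHCP path: offer the first free host address from the subnet the posture allows.

    lease_table maps client MAC -> IPv4Address already leased; .1 is kept for the gateway."""
    subnet = QUARANTINE_SUBNET if failures else PRODUCTION_SUBNET
    in_use = set(lease_table.values())
    gateway = subnet.network_address + 1
    for host in subnet.hosts():
        if host != gateway and host not in in_use:
            return host
    raise RuntimeError("address pool exhausted for %s" % subnet)


def static_ip_bypass(observed, lease_table):
    """Detection for the Note: MACs seen with a production address that no lease granted them.

    observed maps MAC -> IPv4Address seen on the wire (e.g. from ARP); constructed input."""
    return [mac for mac, ip in observed.items()
            if ip in PRODUCTION_SUBNET and lease_table.get(mac) != ip]


if __name__ == "__main__":
    report = {"antivirus_current": True, "firewall_enabled": False, "patched": True}
    failed = evaluate_posture(report)
    print("failed tests:", failed)
    print("RADIUS reply:", radius_vlan_reply(failed))
    print("DHCP offer:", dhcp_offer(failed, {}))
```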
Inline. With inline quarantining, perhaps the most straightforward of the
three options, a network access controller physically separates endpoints
from network resources.
This option has the advantage of ease of setup as well as relatively high
security. Because the network access controller literally stands between the
endpoint and network resources, it can tightly control which endpoint traffic
passes through it.
However, deploying a network access controller between every Ethernet
workstation and its switch port is not a realistic option. And the further the
network access controller is from the endpoint, the more resources the
endpoint can access before it is tested. Inline quarantining is most viable when
many endpoints connect to your network through a single point of access.