Designing Access Controls

Choose the Access Control Methods

In addition to the endpoints listed in Table 3-10, the PCU network includes a UNIX supercomputer and servers. Port-level authentication is less critical for the supercomputer and servers because they are housed in a secure, locked room to which only a few people have keys.

You should always secure physical access to your servers so that unauthorized users cannot reach them and steal your data or change your configuration. However, if you have a small company and cannot place the servers in a secure, locked room, you should implement 802.1X on the server ports and password-protect each server's console.

Basing the decision solely on endpoint compatibility, the PCU network administrators decide that either 802.1X or Web-Auth is feasible for workstations. The headless devices must use MAC-Auth because they cannot enter credentials.

In addition, PCU has a few APs that do not have an 802.1X supplicant. The network administrators decide to use MAC-Auth to authenticate these APs as well.

Table 3-11 shows the access methods they selected for each zone.

Table 3-11. Access Control Method by Endpoint Capabilities

Factor: Endpoint capabilities

Private Wired:
• 802.1X for all endpoints that support it
• MAC-Auth for headless devices and legacy APs

Public Wired:
• Web-Auth

Private Wireless:
• 802.1X with WPA/WPA2 for all endpoints that support it
• MAC-Auth for headless devices

Public Wireless:
• Web-Auth
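The selection logic behind Table 3-11 and the reasoning above (802.1X where a supplicant exists, MAC-Auth for headless devices and legacy APs in private zones, Web-Auth only in public zones) can be checked against an endpoint inventory before deployment. The following is an added example, not code from the original page or from HP; the Endpoint records, the ZONE_METHODS rule table and the constructed inventory are assumptions that encode the table. The `unreachable()` check goes one step beyond the text: it reports any endpoint for which the chosen zone methods leave no way to authenticate (for instance a headless device in a public zone, where Web-Auth is the only method offered), which is the gap a reviewer would want to find.

```python
"""Choose an access-control method per endpoint from its capabilities.

Added example; not from the original page or HP. ZONE_METHODS is an
assumed encoding of Table 3-11; the inventory below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    name: str
    zone: str         # private-wired, public-wired, private-wireless, public-wireless
    supplicant: bool  # has an 802.1X supplicant installed and enabled
    headless: bool    # cannot enter credentials (printer, IP phone, legacy AP)


# Methods offered in each zone, in order of preference (Table 3-11).
# MAC-Auth is listed last because a MAC address is trivially spoofed;
# it is a fallback for devices that cannot do anything stronger.
ZONE_METHODS = {
    "private-wired":    ["802.1X", "MAC-Auth"],
    "public-wired":     ["Web-Auth"],
    "private-wireless": ["802.1X+WPA2", "MAC-Auth"],
    "public-wireless":  ["Web-Auth"],
}


def can_use(ep: Endpoint, method: str) -> bool:
    """Capability test for one method, following the text's reasoning."""
    if method.startswith("802.1X"):
        return ep.supplicant            # needs a supplicant to send credentials
    if method == "Web-Auth":
        return not ep.headless          # needs a user at a browser
    if method == "MAC-Auth":
        return True                     # every endpoint has a MAC address
    raise ValueError(f"unknown method {method!r}")


def choose_method(ep: Endpoint):
    """First method in the zone's preference list the endpoint can use, else None."""
    for method in ZONE_METHODS[ep.zone]:
        if can_use(ep, method):
            return method
    return None


def unreachable(endpoints):
    """Names of endpoints the design cannot authenticate at all."""
    return [ep.name for ep in endpoints if choose_method(ep) is None]


# Constructed inventory for illustration (not the PCU inventory from the page).
INVENTORY = [
    Endpoint("ws-01", "private-wired", supplicant=True, headless=False),
    Endpoint("printer-01", "private-wired", supplicant=False, headless=True),
    Endpoint("legacy-ap-01", "private-wired", supplicant=False, headless=True),
    Endpoint("laptop-07", "private-wireless", supplicant=True, headless=False),
    Endpoint("guest-laptop", "public-wireless", supplicant=False, headless=False),
    Endpoint("kiosk-cam", "public-wired", supplicant=False, headless=True),
]

if __name__ == "__main__":
    for ep in INVENTORY:
        print(f"{ep.name:14} {ep.zone:17} -> {choose_method(ep)}")
    print("no viable method:", unreachable(INVENTORY))
```

Running it prints one line per endpoint and then the list of endpoints with no viable method; in the constructed inventory that is the headless camera in the public wired zone, which the table as written cannot authenticate.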

Administrative Control over Endpoints

You must next consider who controls the endpoints—particularly workstations, laptops, PDAs, and smartphones—on the network. In short, can network administrators require users to download software to their endpoints and to alter settings on them?

For example, if the IT staff controls the endpoints, it is relatively easy to ensure that each one has a supplicant for an 802.1X implementation. If end-users own and control their endpoints, however, they may be reluctant to install and run supplicant software for a variety of reasons. Similarly, guest users are effectively outside the control of the IT department.

Table 3-12 summarizes administrative control levels.
