
Designing Access Controls
Choose the Access Control Methods
Network Infrastructure Devices as 802.1X Supplicants
If you implement 802.1X on the ports at your edge switches, you will want to authenticate network infrastructure devices (such as APs or even switches) as well as endpoints. This prevents anyone from attaching rogue APs and other unauthorized devices that could compromise your network security. APs can be a particular concern because you do not want anyone to attach a rogue AP to the network and begin collecting usernames and passwords from users.
In the 802.1X authentication process, an AP (or switch) typically functions as a network access server (NAS), initiating the authentication process and forcing a supplicant to authenticate before sending traffic onto the network. To authenticate to the network, however, the AP must assume another role: it must function as the 802.1X supplicant. Before transmitting
Like endpoints, APs must have the necessary software to function as an 802.1X supplicant. You must check your AP to determine if it has a supplicant. The ProCurve AP 420 and the ProCurve Radio Ports (RPs) include an 802.1X supplicant. (Because ProCurve Networking periodically updates its wireless products, you should always check the ProCurve Web site at http://www.procurve.com for a current list of each product’s capabilities.)
You should evaluate what other network infrastructure devices should authenticate to the network. It may be less critical for switches to act as supplicants if the two connecting switches (or the wall jacks that they supply) are placed in the same secure, locked room. That way, the secure room protects the connecting ports on both switches and the cable itself.
If two connecting switches are in different buildings and connect via
Table