Designing Access Controls

Choose RADIUS Servers

Table 3-55. General Combination

| PEPs | PDPs | Policy/Credential Repository |
|---|---|---|
| Switch | Software RADIUS server (optionally managed by IDM) | Directory service |
| AP | NAC 800 (optionally managed by IDM) | |
| Wireless Edge Services Module | | |

Integrated server—The RADIUS servers are built in to PEPs. They check credentials (and possibly limited policies) by binding to a central directory service.

Table 3-56. Integrated Server Combination

| PEPs with Built-in PDPs | Policy/Credential Repository |
|---|---|
| Wireless Edge Services Module | Directory service |

Integrated server/proxy—RADIUS servers are built in to PEPs. The built-in RADIUS servers proxy requests to one or more external RADIUS servers, which check credentials (and possibly limited policies) against a directory service. Additional policies can be configured on the RADIUS server through IDM.

Table 3-57. Integrated Server/Proxy Combination

| PEPs with Built-in PDPs | Proxy PDPs | Policy/Credential Repository |
|---|---|---|
| AP 530 | Software RADIUS server (optionally managed by IDM) | Directory service |
| Wireless Edge Services Module | NAC 800 (optionally managed by IDM) | |

Turnkey server—PEPs send authentication requests to one or more “turnkey” RADIUS servers, called “turnkey” because they store all credentials and policies. IDM is a good option for configuring policies on the turnkey RADIUS server. The RADIUS server requires a local database for storing credentials; however, IDM can manage local databases for NAC 800s.

Table 3-58. Turnkey Server

| PEPs | PDP with Policy/Credential Repository |
|---|---|
| Switch | Software RADIUS server using a local credential database and managed by IDM |
| AP | NAC 800 managed by IDM |
| Wireless Edge Services Module | |
