Manuals / HP / Computer Equipment / Software

HP Access Control Client Software manual IAS as the Radius Server

Models: Access Control Client Software

1 338

Download 338 pages 18.69 Kb

Page 209

Designing Access Controls

Choose RADIUS Servers

4.Does your organization already use IAS for other functions?

If you already use IAS, there is probably no strong reason to use a different server for RADIUS functions. But if your organization does not currently use IAS, the NAC 800 may be a better choice for your RADIUS needs.

5.Have you decided to enforce endpoint integrity with the 802.1X deploy- ment method? Or do you plan to introduce endpoint integrity in the future?

The NAC 800 should be your RADIUS server. See “RADIUS Servers in a Network With Endpoint Integrity (802.1X Quarantining)” on page 3-93.

6.Do you prefer a hardware appliance to a software solution?

The NAC 800 can act as a RADIUS server without enforcing endpoint integrity. You might prefer this hardware appliance for several reasons. For example, you might not have a server to devote to RADIUS, or servers might be outside of your control.

RADIUS Servers in a Network With Endpoint Integrity (802.1X Quarantining)

Typically, the NAC 800 should act as the RADIUS server in a network that uses endpoint integrity with 802.1X quarantining.

However, if you already use IAS as the RADIUS server, you might continue to do so. This option simplifies management when you do not use IDM. If you do use IDM, it is probably easier to use the NAC 800 as the RADIUS server.

IAS as the RADIUS Server

See “RADIUS Servers in a Network Without Endpoint Integrity” on page 3-79 for guidelines in choosing the number of IAS servers and in placing them.

On each IAS server, you must download and install plug-ins to configure the server to work with the NAC 800 or NAC 800s. (See the ProCurve Access Control Implementation Guide.)

The number of NAC 800s that you deploy depends on the number of endpoints that must be tested. Each NAC 800 acting as a Combination Server (CS) can test up to 3000 endpoints. To test more endpoints, deploy a NAC 800 Manage- ment Server (MS) and multiple NAC 800 Enforcement Servers (ESs). The ESs each can test up 3000 endpoints.

3-93

Image 209

HP Access Control Client Software IAS as the Radius Server, Does your organization already use IAS for other functions?

Contents

ProCurve Solutions Page ProCurve Access Control Security Applicable ProCurve Products Contents Customer Needs Assessment Evaluate the Existing Network Environment Designing Access Controls Endpoint Capabilities and Administrative Control Page Appendix a Glossary Index Page Page Page Contents Access Control ConceptsAccess Control Concepts Introduction to Access Control Network Access Control Access Control Concepts AAA Network Access Control TechnologiesAuthentication Authorization T e NAS ID AccountingPolicy Enforcement Point PEP Network Access Control ArchitectureEndpoint Policy Decision Point PDP Access Control Concepts Policy Repository Network Access Control Architecture Network Access Control ProcessMAC-Auth Authentication-Based Network Access Control MethodsIntroduce security vulnerablities MAC-Auth Process Web-Auth Web-Auth Process 802.1X 802.1X Process MAC-Auth-None Authentication ProtocolsAuthentication Requirements PAP EAP MS-CHAPv2Access Control Concepts Access Control Concepts Radius NAS ID T e Wireless Authentication802.11 Dynamic WEP Static Wired Equivalent Privacy WEPWPA/WPA2 VLANs Access Control Rights-Dynamic SettingsDevices ACLs Endpoint Integrity Policies Endpoint IntegritySecurity Settings Pre-connect and Post-connect TestingSoftware Operating SystemTesting Methods Access Control Concepts Endpoint Requirements for Integrity Checking WMI Quarantine Methods Endpoint Integrity PostureUser’s assignment and places him or her in a quarantine Vlan T e ProCurve NAC NAC 800 as an Endpoint Integrity Only SolutionProcess for 802.1X Quarantining Endpoint Integrity Only. 802.1X DeploymentWith each other Dhcp Deployment T e IP address = 192.168.8.1/24 IP address = 192.168.9.1/24 Inline Deployment Method NAC 800 as a RADIUS-Only Solution NAC 800 as Both a Radius Server and an Endpoint Integrity SolutionAccess Control Concepts User Authenticates and Is Placed in the Test Vlan Access Control Concepts User Re-authenticates and Is Placed in the Appropriate Vlan Wlan ProCurve IDMIAS, and the IDM agent on the same Windows Server Radius Process with IDM Customer Needs Assessment Customer Needs Assessment Overview Customer Needs Assessment Employees Types of UsersGuests Temporary EmployeesNetwork Skills Network Users Recording Information about UsersTypes of Connections Wired ConnectionsWireless Connections Recording the Types of Connections Available to Users Group Permitted Connections Access Times Network ResourcesRemote Connections Access Control Zones Wireless and Wired Zones Access Control Zones Customer Needs Assessment Determine Risk Tolerance Regulations Federal Information Security Management Act Quantify Your Company’s Risk Tolerance Regulatory ComplianceAttack Vectors Vulnerability to AttacksExternal Attacks Internal AttacksTypes of Attacks Malware Viruses and Worms Customer Needs Assessment Customer Needs Assessment Edge Devices Evaluate the Existing Network EnvironmentSize Switch Vendor Firmware Location Recording Information about Network SwitchesPort Mirroring Model Number Version Supported Monitoring SpanningAP as a Supplicant Recording Information about APs EndpointsWorkstations and Laptops Customer Needs Assessment Recording Information about Workstations and Laptops Other EndpointsLaptop or Quantity User Operating Applications Workstation System NetworkRecording Information about Other Endpoints Directory ServiceRadius Servers Dchp Servers Subnets and VLANsRouting Information Sample Network Diagram Network DiagramBrowser Security Policy-Windows Determine Your Endpoint Integrity RequirementsCustomer Needs Assessment Zone Default Setting Select Security Settings for Your CompanyDefault Settings for Internet Explorer Zones Operating System-Windows Security Settings-OSSecurity Settings-Windows Software-Windows Control over Network Resources Human FactorUsers’ Cooperation IT Department WorkloadCustomer Needs Assessment Customer Needs Assessment Designing Access Controls Designing Access Controls Endpoint Capabilities and Administrative ControlSelect an EAP Method for 802.1X 106 Comprehensive Security Policy Components Designing Access Controls Example Network Process of Designing Access Control SecurityDiagram of the PCU Campus Designing Access Controls PCU Campus Zones Network Infrastructure Divided into Access Zones Advantages and Disadvantages of Access Control Methods Choose the Access Control MethodsHigh effort to Endpoints that accessHigh Security Zone Private Public Network Access Zones SecuritySecurity Concerns by Zone Wired Zone Security Concerns WEP Wireless Zone Security ConcernsWPA/WPA2 Tkip CCMP-AES Wireless SecurityWeb-Auth None by default Do your endpoints have 802.1X supplicants? Vulnerability and Risk Tolerance Technical Knowledge Characteristics Selecting an Access Control Method Based on Security NeededUser Type and Sophistication ExampleMAC-Auth Web-Auth 802.1X Access Control Method by User Sophistication LevelAccess Control Method by User Type and Sophistication Administrative WorkloadEndpoint Compatibility of Access Control Methods Access Control Method by Administrative WorkloadHardware Type of Interface Operating System 10. Configuration of PCU’s Endpoints11. Access Control Method by Endpoint Capabilities Administrative Control over EndpointsDescription 12. Administrative Control Levels13. Access Control Method by Administrative Control Level Network Infrastructure Devices 14. Authentication Method by Administrative ControlSwitch Series MAC-Auth Web-Auth 802.1X ProCurve Product Software Version MAC-Auth Web-Auth 802.1X New capabilities for these wireless products17. Access Control Method by Existing Infrastructure Network Infrastructure Devices as 802.1X Supplicants Bringing All of the Factors Together ProCurve Switches 802.1X SupplicantThem 19. Access Control Methods by FeasibilityFactor Weight Private Wired Public Wired 20. Preliminary Decisions for the Access Control Method21. Preliminary Decisions for the Access Control Method Zone Access Control Method Make Decisions about Remote Access VPN22. Access Control Methods for Each Zone Disadvantages Mitigating Factors Decide Whether to Grant Remote Access23. Disadvantages of Remote Access Advantages Explanation 24. Advantages of Remote AccessSelect VPN Options 25. Options for VPN Protocols DSA Vulnerability and Risk Assessment26. Selecting VPN Options Based on Security Needs They have? Router or firewall Administrative Workload and IT Budget Designing Access Controls Native Capabilities With VPN Client 29. Endpoint Compatibility for Remote Access30. Selecting VPN Options Based on Endpoint Existing Network InfrastructureBringing All Factors Together 32. Preliminary Decisions for VPN Options 33. PCU’s Preliminary Decisions for VPN Options Choose the Endpoint Integrity Deployment Method Access Control MethodMAC-Auth Vulnerability to Risks and Risk Tolerance 35. Deployment Method by Access Control MethodDesigning Access Controls Public Wireless Remote Factor Private Wired Public Wired36. Security Level of Deployment Methods 37. Deployment Method by Security38. Deployment Method by Existing Network Infrastructure WirelessConnection Type 39. Deployment Method by Connection Type Wireless Connection type InlineBringing the Factors Together Zone Deployment Method Factor Weight Private Wired Public Wired Remote Wireless42. Deployment Method by Zone Testing Method Advantages Disadvantages Choose Endpoint Integrity Testing Methods43. Summary of Testing Methods NAC EI Agent Requirements for Testing MethodsInstallShield Wizard for the NAC EI Agent ActiveX Advantages and Disadvantages of NAC Agent TestingRequirements for ActiveX Testing Agentless Advantages and Disadvantages of ActiveX TestingAdvantages and Disadvantages of Agentless Testing Deciding Which Testing Methods to EnableRequirements for Agentless Testing Transparent Testing Designing Access Controls Testing methods Testing with User InteractionDesigning Access Controls Administrative Control over Endpoints Factors to Consider for Testing Methods45. Testing Method by Administrative Control 44. Testing Method by Control over EndpointsFactor Public Wired Private Wired Private Wireless Remote46. Testing Methods by Post-Connect Testing Post-Connect TestingUser Sophistication 47. Testing Method by Post-Connect TestingPrivate Remote Wireless 48. Testing Method by User Sophistication49. Testing Methods for User Sophistication Agentless ActiveX NAC IE Agent Administrative Workload50. Testing Methods by Administrative Workload Network Overhead 51. Testing Methods for Administrative Workload53. Preliminary Decisions for Testing Methods 52. Testing Method by Network OverheadFactor Public Wired Bringing All of the Factors Together54. Preliminary Decisions for Testing Method Choose Radius Servers Network Authentication ArchitectureChoose Which Devices Will Play the Role of PDP Radius Servers in a Network Without Endpoint Integrity56. Integrated Server Combination 55. General Combination57. Integrated Server/Proxy Combination 58. Turnkey Server61. Alternate Integrated Server/Proxy Combination 60. Fully Integrated CombinationPEPs with Built-in PDPs PEPs with Built-in PDPs and Policy/Credential RepositoriesUsers Combination Wired Per LAN Wireless Per LAN Total WAN 65. Access Control Component Combinations 64. Scalability of Access Control Component CombinationsMost Scalable Least ScalableChoose an Access Control Architecture Designing Access Controls 67. Radius Server Locations Centralizing Policies 68. Radius Server Locations Eliminating Inter-Site Traffic 69. Radius Server Locations Reducing Inter-Site Traffic 70. Radius Server Locations for PCU Determine the Number of Radius ServersChoose Your Radius Servers and Finalize the Plan Radius Server Decision Tree Designing Access Controls Does your organization already use IAS for other functions? IAS as the Radius ServerNAC 800 as the Radius Server 73. Turnkey Server Combination for the NAC 71. General Combination for the NAC72. Integrated Server/Proxy for the NAC Wireless Edge Services Module Database Designing Access Controls Determine If You Need IDM Add ProCurve IDMIDM Overview Design Parameters for a Network with IDM Add Users Create Access Policy GroupsSelect an EAP Method for 10. EAP Method Decision FlowchartDesigning Access Controls Supplicant 75. EAP Methods Supported by 802.1X SupplicantsServer 76. EAP Methods Supported by Radius ServersEAP-TNC EAP-LEAP Not Designing Access Controls User Groups and Policies Finalize Security Policies77. Final Security Policy by Zone 78. Example Security Policy by ZoneAccess Group Policies with IDM Access Profile 79. Access ProfilesAccess Profiles 80. Dynamic VLANs81. Dynamic VLANs for PCU 83. Resources 82. Resources by Entire VlanResource Vlan ID Subnet Address Resource IP Address Protocol85. PCU Resources 84. PCU Resources by VlanAccess Profile Resources 86. Resources Allowed in Access ProfilesAccess Profile Resource 87. Resources Allowed in PCU Access ProfilesFaculty Web servers, white pages Library catalog and printer Resources Rate Limit QoS 88. Resources Allowed in Access Profiles90. Sample Access Policy Group Rules for PCU 89. Access Policy Group RulesAccess Policy Inputs Group Location Time System Outputs-Access ProfileAccess Policies without IDM Attribute Explanation Value for My Policy 91. Radius Attributes in Access RequestsAttribute Policy 1-Setting Policy 2-Setting 92. Authentication Protocols for My Policies93. Dynamic Settings for My Policies Design NAC Policy Groups Create the NAC PoliciesDesign NAC Policies 95. Tests for Minimal Endpoint Integrity 94. Tests for Minimal Endpoint IntegrityAnti-Virus Anti-Spyware Personal Firewalls Mac Firewall 96. Tests for Medium Endpoint IntegrityBrowser? Enter the required versions in Table 97. Web Browser Tests Test Settings Mozilla Firefox99. Other Tests for Hotfixes 98. Macro Security TestsMicrosoft Excel Microsoft Outlook Windows Media Mac QuickTime IISOptions Your selection 100. Windows Automatic Updates101. Tests for Applications 103. Tests for Shared Connections 102. Tests for Services104. Tests on Mac Airport Windows Bridge Network Connection Mac Internet SharingSpecified as allowed 105. Test for Windows Startup Registry Entries Lay Out the NetworkCore Resources T e Public Wired Zone Access Zones for EndpointsVlan Assignment and Other Dynamic Settings. You can set up 133 106. Public Wired Zone Policies108. Public Wireless Zone Policies Public Wireless ZoneDesigning Access Controls Product Software Version Radios Modes WLANs 109. Capabilities of ProCurve Wireless ProductsVersion Methods 802.1X Software AuthenticationEAP Method for 112. ProCurve Products That Support PoE 111. PoE Requirements on ProCurve RPs and APsLay Out the Network 113. Private Wired Zone Policies Private Wired ZoneMight otherwise be ignored MS-CHAPv2 Private Wireless Zone115. Private Wireless Zone Policies Remote Zone Designing Access Controls Number Module VPN Protocol Maximum EncryptionTunnels 3DESAdjacent Zones Combining Access Control Zone DesignsOverlapping Zones 117. VPN Capabilities of the ProCurve VPN ClientDesigning Adjacent and Overlapping Zones Integrating all Parts of the Network Design Adding Access Control to an Existing NetworkMigrating from One Solution to Another 150 ProCurve Elite Partners Services and SupportOther Resources ImplementationElements Solution Elements of Each Access Control SolutionOther Resources Numeric Appendix a GlossarySee also Dhcp deployment method and inline deployment method Appendix a Glossary Access point See APAgent See NAC EI agent Appendix a Glossary Appendix a Glossary Appendix a Glossary Digital certificate See certificate EI See endpoint integrity Enforcement See ES. server Extensible See EAP Authentication Protocol GTC See EAP-GTCInline quarantine method Appendix a Glossary Mirroring, remote See remote mirroring Lightweight See LDAP. directory access ProtocolManagement See MS. server Appendix a Glossary Appendix a Glossary PoE Peer-to-peerPermanent agent Public key See PKI. infrastructure Posture See integrity posturePre-shared key See PSK Radio port See RP Remote procedure See RPC. call Appendix a Glossary Appendix a Glossary Appendix a Glossary Appendix a Glossary Html Appendix a Glossary Appendix a Glossary Index See DNS EAP … 1-21, 1-25, 1-53 EAP GTC … See Imsi OS-X See SOX security policies TLS See WEP Contents Contents Overview ProCurve Access Control Solution Enhancements to the ProCurve Access Control Solution SMB Signing Deep Check TestingProCurve NAC Support for Rdac Post-Connect NAC TestingIntegration with Microsoft SMS Dhcp Plug-in Deployment Better synchronization with Microsoft Active Directory Identity Driven ManagerProCurve Access Control Solution NAP Components Microsoft NAPNAP enforcement point NAP clientNAP health policy server NPS Active Directory domain serviceHealth requirement servers Restricted networkNAP Enforcement Clients ECs NAP Client ArchitectureSystem Health Agents SHAs NAP AgentFigure A-4. Client-Side NAP Architecture NAP Server ArchitectureNAP Enforcement Point NAP Enforcement PointTable A-2. NAP ECs and Corresponding NAP Enforcement Points IPsec Network Access MethodsHealth Requirement Servers Figure A-5. IPsec-Protected and Unprotected Communications Figure A-6. HRA Network Access Dhcp 802.1X Authentication VPN AccessFigure A-9. Ieee 802.1X Network Access Remediation and Health Requirement Servers Updating the Access Control Design Process Existing Network Environment Choose the Endpoint Integrity SolutionExisting Network Environment Option Vulnerability to Risks and Risk ToleranceRisk Tolerance Management ResourcesInteroperability Requirements Interoperability Option Requirements Factor Weight SelectionBringing the Factors Together Choose the Endpoint Integrity Deployment Method Updating the Access Control Design Process Updating the Access Control Design Process