Designing Access Controls

Select an EAP Method for 802.1X

The numbered decision points in the tree are discussed in the next few paragraphs. As you read through these steps, remember:

You can select more than one EAP method to accommodate varying needs. (On the NAC 800, you do not select an EAP method. Instead, you select the EAP type on the endpoint, and during the negotiation of the EAP method, the NAC 800 detects the EAP type. If the NAC 800 supports the EAP type, it automatically uses it.)

Certain steps in the decision making process might have more or less weight for you. For example, if your organization allocates limited funds to IT, the most important factor to consider might be the EAP methods that your RADIUS servers and endpoints already support. If security is your priority, you might be willing to invest in new vendor supplicants or an internal certificate authority (CA).

Keeping these two caveats in mind, consider the decision tree in detail:

1.Does your organization have a full public key infrastructure (PKI) system in place?

A full PKI system lets you effectively administer the life cycle of digital certificates for both server and client (user) applications. You can create, validate, and revoke certificates, usually with your organization’s CA.

The appropriate EAP method for a full PKI system is EAP-TLS, the highest security option. EAP-TLS is a mutually authenticating method in which both servers and clients are authenticated by their digital certificates.

If you do not have a full PKI system (and are unwilling to expend time and money to implement one), EAP-TLS is not an option for you. Consider the next question.

2.Which devices will use EAP to authenticate? What are the capabilities of those devices?

The two EAP methods that offer the next highest level of security are EAP- TTLS and PEAP, both of which offer mutual authentication and tunnel user credentials securely. If possible, you should select one of these methods. (For wireless devices, these two protocols—or EAP-TLS—are recommended even more strongly. EAP-Message Digest 5 (MD5) is pro- hibited.)

The capabilities of your devices will of course restrict your choices. On some devices, such as workstations and laptops, you can install vendor client utilities to gain support for the method you desire. Other devices, such as VoIP phones, printers, and network infrastructure devices, are limited to the specific methods supported by their internal EAP supplicant.

3-102

Page 217 Page 219
Page 218
Image 218
HP Access Control Client Software manual Designing Access Controls
Page 217 Page 219
Top Page Image Contents