Access Control Concepts

Network Access Control Technologies

You can also configure the network to authorize unauthenticated users for certain—typically, very limited—rights.

In addition to considering whether a user has authenticated successfully, a AAA server assigns rights based on user identity and the time and location of access. In other words, authorization is the mechanism that customizes a network for different types of users, providing each user with appropriate network access, rather than blanket “all or none” access.

Therefore, authorization is a particularly important component of a network access control solution. The authorization aspect of network access control also removes some of the burden from data and application access control. For example, you could set up “all or none” access to the network and then control access to application servers separately on each server. But a better solution often adds centralized network access control policies that grant users rights to appropriate services when they first access the network, preventing unauthorized traffic from ever reaching servers.

Authorization rights that are set up on the AAA server are often called dynamic or user-based settings because they are assigned to individual users automatically when they connect to the network.

Rights determine:

Which resources and services the user can and cannot access—Typically, you enforce these rights with Virtual LAN (VLAN) assignments and access control lists (ACLs).

ProCurve Identity Driven Manager (IDM) will help you set up your policies more efficiently, as described in “ProCurve IDM” on page 1-58.

As much as possible, you place resources necessary for a particular group of users in the same VLAN. ACLs, applied to routers or to edge devices, permit only the appropriate user groups access to the VLAN in question. For example, if the server with your payroll database were placed on VLAN 7, you would restrict access to this VLAN: you would allow only users in the Accounting group, thereby preventing unauthorized employees from browsing the company payroll.

You can also use rights (specifically, dynamic ACLs) to control which types of services and applications users can access. TCP and UDP, two Transport Layer protocols, assign various applications to specific ports. For example, Web traffic uses TCP port 80 whereas File Transfer Protocol (FTP) traffic uses TCP port 21. To limit a set of users such as guests to browsing Web sites, simply restrict their traffic to TCP port 80.
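As an added illustration (not code from the guide or from ProCurve), the following Python model shows how group-based dynamic rights are applied with first-match ACL evaluation and an implicit deny, using the two examples above: Accounting reaching the payroll server on VLAN 7, and guests limited to TCP port 80. The subnet for VLAN 7, the guest VLAN number and the sample addresses are assumed values.

```python
"""Model of AAA-style dynamic (user-based) authorization rights.

Constructed policy: each group is mapped to a VLAN and an ordered ACL.
Rules are evaluated first-match; a flow that matches no rule is denied
(the implicit deny at the end of every ACL).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str        # "tcp" or "udp"
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str       # "permit" or "deny"
    proto: str        # "tcp", "udp" or "any"
    dst_net: str      # destination network in CIDR notation
    dst_port: Optional[int] = None   # None matches every port

    def matches(self, flow: Flow) -> bool:
        return (self.proto in ("any", flow.proto)
                and ip_address(flow.dst_ip) in ip_network(self.dst_net)
                and (self.dst_port is None or self.dst_port == flow.dst_port))


# Assumed values: VLAN 7 (payroll) is 10.7.0.0/24; guests land on VLAN 99.
RIGHTS = {
    # Accounting may reach everything, including the payroll VLAN.
    "Accounting": {"vlan": 7, "acl": [Rule("permit", "any", "0.0.0.0/0")]},
    # Guests: explicitly keep them off VLAN 7, then allow only Web (TCP 80).
    # Anything else (FTP on 21, HTTPS on 443, ...) falls to the implicit deny.
    "Guest": {"vlan": 99, "acl": [Rule("deny", "any", "10.7.0.0/24"),
                                  Rule("permit", "tcp", "0.0.0.0/0", 80)]},
}


def assigned_vlan(group: str) -> int:
    """VLAN the AAA server would hand out for a user in `group`."""
    return RIGHTS[group]["vlan"]


def authorize(group: str, flow: Flow) -> str:
    """Return 'permit' or 'deny' for a flow from a user in `group`."""
    for rule in RIGHTS[group]["acl"]:
        if rule.matches(flow):
            return rule.action
    return "deny"     # implicit deny: no rule matched
```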

1-9