HP Access Control Client Software manual Radius Attributes in Access Requests

Designing Access Controls

Finalize Security Policies

Next, create each policy. The exact steps vary, of course, depending on your RADIUS server. In general, you must:

1.Set the conditions by which the RADIUS server matches an authentication request to the policy.

The exact conditions supported depend on your RADIUS server, but they commonly include group membership (in a group defined on the RADIUS server or in a directory), time, and access method (such as wired, wireless, or remote). Often, you define the conditions manually as a certain value for an attribute in a RADIUS access request. Table 3-91 lists some such attributes. In the rightmost column, you can enter the correct value for your policy. Of course, most policies will only use one or two conditions.

Table 3-91. RADIUS Attributes in Access Requests

2.Select authentication protocols.

You need to choose the protocols (such as CHAP, PEAP, EAP-TTLS, and EAP-TLS) with which the RADIUS server authenticates users. Users’ endpoints must support the same protocol. However, many RADIUS servers allow you to choose multiple authentication protocols, any of which the endpoints can support. Check your server’s documentation for the protocols that it supports.

Remember that on the NAC 800, you do not configure an EAP method. Instead, you select the EAP type on the endpoint, and during the negoti- ation of the EAP method, the NAC 800 detects the EAP type. If the NAC 800 supports the EAP type, it automatically uses it.

You should have already chosen your authentication protocols and EAP methods in earlier steps in the design process. List your selections in Table 3-92.

3-118