HP Access Control Client Software Vlan Assignment and Other Dynamic Settings. You can set up

Models: Access Control Client Software


Designing Access Controls

Lay Out the Network

Access Control Method. For truly public environments, 802.1X is generally not used because each computer must run 802.1X supplicant software. Providing and administering supplicant software for guest users is cumbersome and expensive enough to make MAC-Auth or Web-Auth the generally recommended access control method.

Workstations that belong to the organization can authenticate with either the Web-Auth or MAC-Auth method. (You must choose one or the other for each port; concurrent operation is not allowed.) For example, a library might provide several workstations for its patrons. The library does not want those patrons to bring their own laptops and plug them into the Ethernet ports, so it uses MAC-Auth to authenticate the workstations.

Members of the public bring laptops, which are plugged into switch ports and authenticate with Web-Auth. (It is not feasible for network administrators to add the MAC address for every device introduced into the network.) When the user opens a Web browser, he or she is directed to enter his or her login credentials.

Guest Access. Depending on how public your public wired zone is, you may not want to have to inform guests of the correct credentials. You have several options:

You can create an unauthenticated VLAN that grants limited access to users that fail to authenticate.

You can customize the Web-Auth login page to display a valid username and password for guests.

VLAN Assignment and Other Dynamic Settings. You can set up the VLAN assignment in two ways:

The switch dynamically configures the port of a successfully authenticated MAC address or user for the authenticated VLAN. You set the authenticated VLAN ID statically, and it applies to all authenticated users and devices.

This option may be suitable for the public wired zone because all guests receive the same level of access. However, if an employee attempts to use the port, he or she will also receive guest access.

When the RADIUS server authenticates a user (or MAC address) successfully, it dynamically assigns the user to a VLAN by changing the configuration of the switch port.

This option provides more flexibility: different types of users can connect to the port and receive different rights. In addition, you can assign other dynamic settings, such as ACLs and rate limits.
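The second option can be checked against captured RADIUS replies with the following added example, which is not from the HP manual. It assumes the server conveys the VLAN with the standard RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), which this page does not name, and that a reply without a valid assignment leaves the port in the static authenticated VLAN; function names and sample replies are constructed.

```python
# Added example (not from the HP manual). Attribute numbers follow RFC 2868/3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6


def parse_attributes(data):
    """Split the attribute section of a RADIUS packet into {type: first value}."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(atype, data[i + 2:i + alen])
        i += alen
    return attrs


def tagged_int(value):
    """Tunnel-Type and Tunnel-Medium-Type carry one tag byte plus a 3-byte integer."""
    return int.from_bytes(value[1:], "big") if value and len(value) == 4 else None


def assigned_vlan(attr_bytes, static_auth_vid):
    """Return (vlan_id, source) for an Access-Accept; source is 'radius' or 'static'."""
    attrs = parse_attributes(attr_bytes)
    if (tagged_int(attrs.get(TUNNEL_TYPE)) != TYPE_VLAN
            or tagged_int(attrs.get(TUNNEL_MEDIUM_TYPE)) != MEDIUM_IEEE_802):
        return static_auth_vid, "static"
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:      # optional leading tag byte (RFC 2868)
        group = group[1:]
    text = group.decode("ascii", "replace")
    if text.isdigit() and 1 <= int(text) <= 4094:
        return int(text), "radius"
    return static_auth_vid, "static"    # assumed fallback: static authenticated VLAN


def attr(atype, value):
    """Encode one attribute (type, length, value) for the constructed samples."""
    return bytes([atype, len(value) + 2]) + value


# Constructed samples: an employee reply carrying VLAN 20, a guest reply with no VLAN.
EMPLOYEE = (attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d")
            + attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
            + attr(TUNNEL_PRIVATE_GROUP_ID, b"20"))
GUEST = attr(18, b"Welcome")  # Reply-Message only, so the static VLAN applies
```

With a static authenticated VLAN of 10, the employee reply yields VLAN 20 from RADIUS while the guest reply stays in VLAN 10, which is the per-user flexibility the second option describes.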
