Designing Access Controls

Lay Out the Network

The switch to which APs or RPs connect needs the capacity to handle the traffic. A wireless radio has a maximum data rate of 54 Mbps (and an actual data rate of about 32 Mbps maximum), so a 100-Mbps switch port can easily serve an AP or RP with one or two radios.

It is best to enforce authentication as close to the connection point as possible, so, unless you have a legacy AP that does not support your access control method, you should set up the access control on the AP and not the switch. Therefore, there are no further requirements on the switch. However, to prevent users from connecting rogue APs to the switch, you might want to activate 802.1X on the switch ports. All ProCurve APs and RPs include 802.1X supplicants (with EAP-MD5).

Private Wired Zone

The private wired zone uses wired connections. It is the typical zone for office environments, where users work at their own desks and the IT department has a relatively high degree of control over equipment. The typical endpoint in this environment is a workstation, but employees might also plug laptops into Ethernet ports both at their desks and in places such as conference rooms.

Table 3-113. Private Wired Zone Policies

Zone

Access Control

EI Deployment

Testing Method

Authentication

Encryption

 

Method

 

 

 

Protocol

 

 

 

 

 

 

 

 

 

 

Private wired

802.1X

802.1X

NAC EI agent

PEAP-

none

 

MAC-Auth

 

Agentless

 

MS-CHAPv2

 

 

 

(for headless

 

 

 

EAP-TTLS

 

 

 

devices)

 

 

 

EAP-TLS

 

 

 

 

 

 

 

 

 

 

Access Control Method. 802.1X is the preferred access control method for the private wired zone. The use of 802.1X authentication provides strong access control security, and the IT department has enough control to require and support 802.1X supplicant software on all workstations and laptops in this zone.

You might enable MAC-Auth on select ports in the private wired zone, provid- ing access for headless devices (such as printers) without 802.1X supplicants. (See “Public Wired Zone” on page 3-131 for a design for these endpoints.)

Endpoint Integrity. 802.1X is the best endpoint integrity deployment method if you are already enforcing 802.1X authentication. Quarantining fits into the overall access control policies, and the quarantine VLAN is just another VLAN assignment, this one issued according to a user’s endpoint integrity posture.

3-140

Page 255 Page 257
Page 256
Image 256
HP Access Control Client Software manual Private Wired Zone Policies
Page 255 Page 257
Top Page Image Contents