Access Control Concepts

Network Access Control Technologies

NASs, which you learned about earlier in the AAA section, are also PEPs. The term NAS is typically used when discussing RADIUS. For consistency, however, this chapter will use the term PEP when discussing RADIUS.

The PEP has two roles:

Access request generator—Forces endpoints to provide basic information about themselves (credentials) before accessing network resources. The PEP uses this information to compose an access request on the endpoint’s behalf.

Access decision enforcer—Enforces access decisions by opening or blocking a port, assigning an endpoint to a particular VLAN, or applying other dynamic settings.

Because the PEP is responsible for initiating and enforcing the access control method, evaluating the PEP’s capabilities is often one of the first steps you should take when designing a network access control solution. This design guide focuses on the many capabilities offered by ProCurve Networking PEPs, which include both wired switches and wireless APs, as well as the Wireless Edge Services Module.

Policy Decision Point (PDP)

Simply put, the PDP makes access decisions. It has three roles:

Translator—Converts security policies into device-specific instructions that PEPs can understand. The most basic instruction is whether to enable or disable a port, but these instructions can include settings such as the VLAN for the port.

Resolver—Settles policy conflicts that arise from divergent request needs, such as requests for a port to be assigned simultaneously to two VLANs.

Information aggregator—Collects information from PEPs for management and monitoring purposes.

The typical PDP is an authentication server, which might be a software application installed on a computer, a stand-alone appliance, or even a server built into a PEP such as the Wireless Edge Services Module. An endpoint integrity solution, or network access controller, is also a PDP.
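The following sketch is an added example, not code from this guide or from any ProCurve product. It shows the resolver and translator roles together: conflicting VLAN policies are reduced to one winner, and the decision is expressed as the RADIUS tunnel attributes defined in RFC 3580 for dynamic VLAN assignment. The policy names, group names, VLAN IDs, the lowest-priority-number-wins rule and the reject-on-no-match default are all assumptions made for illustration.

```python
"""Toy PDP: resolve conflicting VLAN policies, then translate for the PEP."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str      # hypothetical policy name
    group: str     # group membership that triggers the policy
    vlan: int      # VLAN the policy wants the port placed in
    priority: int  # assumed rule: the lowest number wins a conflict

# Constructed sample policy set (not taken from the guide)
POLICIES = [
    Policy("staff", "employees", 10, 20),
    Policy("finance", "finance", 30, 10),
    Policy("quarantine", "failed-integrity", 99, 1),
]

DECISION_LOG = []  # information-aggregator role: record of decisions made

def resolve(groups):
    """Resolver: a port gets one dynamic VLAN, so pick a single winning policy."""
    matched = [p for p in POLICIES if p.group in groups]
    if not matched:
        return None
    # Name is a tie-breaker so the outcome is deterministic.
    return min(matched, key=lambda p: (p.priority, p.name))

def translate(policy):
    """Translator: express the decision as a RADIUS reply the PEP can enforce."""
    if policy is None:
        # Assumed default: no matching policy means the port stays closed.
        return {"code": "Access-Reject", "attributes": {}}
    return {
        "code": "Access-Accept",
        "attributes": {
            "Tunnel-Type": "VLAN",                # RFC 3580, value 13
            "Tunnel-Medium-Type": "IEEE-802",     # RFC 3580, value 6
            "Tunnel-Private-Group-ID": str(policy.vlan),
        },
    }

def decide(endpoint, groups):
    """Full PDP path for one access request forwarded by a PEP."""
    policy = resolve(set(groups))
    reply = translate(policy)
    DECISION_LOG.append((endpoint, policy.name if policy else None, reply["code"]))
    return reply

if __name__ == "__main__":
    # Constructed request: the user matches two policies that want different VLANs.
    print(decide("00:11:22:33:44:55", ["employees", "finance"]))
```
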

The PDPs discussed in this guide are:

RADIUS servers

Network access controllers
